searls-auth 0.0.1

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+
+require "standard/rake"
+require "tldr/rake"
+
+task default: [:tldr, "standard:fix"]

data/app/controllers/searls/auth/base_controller.rb

@@ -0,0 +1,35 @@
+require "securerandom"
+
+module Searls
+  module Auth
+    class BaseController < ApplicationController # TODO should this be ActionController::Base? Trade-offs?
+      helper Rails.application.helpers
+      helper Rails.application.routes.url_helpers
+
+      protected
+
+      def searls_auth_config
+        Searls::Auth.config
+      end
+
+      def attach_short_code_to_session!(user)
+        session[:email_auth_short_code_user_id] = user.id
+        session[:email_auth_short_code] = SecureRandom.random_number(1000000).to_s.rjust(6, "0")
+        session[:email_auth_short_code_generated_at] = Time.current
+      end
+
+      def reset_expired_short_code
+        if session[:email_auth_short_code_generated_at].present? &&
+            Time.zone.parse(session[:email_auth_short_code_generated_at]) < Searls::Auth.config.token_expiry_minutes.minutes.ago
+          clear_short_code_from_session!
+        end
+      end
+
+      def clear_short_code_from_session!
+        session.delete(:email_auth_short_code_user_id)
+        session.delete(:email_auth_short_code_generated_at)
+        session.delete(:email_auth_short_code)
+      end
+    end
+  end
+end

data/app/controllers/searls/auth/logins_controller.rb

@@ -0,0 +1,44 @@
+module Searls
+  module Auth
+    class LoginsController < BaseController
+      before_action :reset_expired_short_code
+
+      def show
+        render searls_auth_config.login_view, layout: searls_auth_config.layout
+      end
+
+      def create
+        user = searls_auth_config.user_finder_by_email.call(params[:email])
+
+        if user.present?
+          attach_short_code_to_session!(user)
+          EmailsLink.new.email(
+            user:,
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain],
+            short_code: session[:email_auth_short_code]
+          )
+          flash[:notice] = "Login details sent to #{params[:email]}"
+          redirect_to verify_path(
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain]
+          )
+        else
+          flash.now[:error] = "We don't know that email. <a href=\"#{register_path(
+            email: params[:email],
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain]
+          )}\">Sign up</a> instead?".html_safe
+          render searls_auth_config.login_view, layout: searls_auth_config.layout, status: :unprocessable_entity
+        end
+      end
+
+      def destroy
+        ResetsSession.new.reset(self, except_for: [:has_logged_in_before])
+
+        flash[:notice] = "You've been logged out."
+        redirect_to login_path
+      end
+    end
+  end
+end

data/app/controllers/searls/auth/registrations_controller.rb

@@ -0,0 +1,35 @@
+module Searls
+  module Auth
+    class RegistrationsController < BaseController
+      def show
+        render searls_auth_config.register_view, layout: searls_auth_config.layout
+      end
+
+      def create
+        result = CreatesUser.new.call(params)
+
+        if result.success?
+          attach_short_code_to_session!(result.user)
+
+          redirect_params = {
+            redirect_path: searls_auth_config.resolve(
+              :redirect_path_after_register,
+              result.user, params, request, main_app
+            )
+          }
+
+          EmailsLink.new.email(
+            user: result.user,
+            short_code: session[:email_auth_short_code],
+            **redirect_params
+          )
+          flash[:notice] = "Verification email sent to #{params[:email]}"
+          redirect_to verify_path(**redirect_params)
+        else
+          flash.now[:error] = result.error_messages
+          render searls_auth_config.register_view, layout: searls_auth_config.layout, status: :unprocessable_entity
+        end
+      end
+    end
+  end
+end

data/app/controllers/searls/auth/verifications_controller.rb

@@ -0,0 +1,64 @@
+module Searls
+  module Auth
+    class VerificationsController < BaseController
+      before_action :reset_expired_short_code
+
+      def show
+        render searls_auth_config.verify_view, layout: searls_auth_config.layout
+      end
+
+      def create
+        auth_method = params[:short_code].present? ? :short_code : :token
+        authenticator = AuthenticatesUser.new
+        result = case auth_method
+        when :short_code
+          authenticator.authenticate_by_short_code(params[:short_code], session)
+        when :token
+          authenticator.authenticate_by_token(params[:token])
+        end
+
+        if result.success?
+          session[:user_id] = result.user.id
+          session[:has_logged_in_before] = true
+          if params[:redirect_subdomain].present? && params[:redirect_subdomain] != request.subdomain
+            redirect_to generate_full_url(
+              params[:redirect_path],
+              params[:redirect_subdomain]
+            ), allow_other_host: true
+          elsif params[:redirect_path].present?
+            redirect_to params[:redirect_path]
+          else
+            redirect_to searls_auth_config.resolve(:default_redirect_path_after_login,
+              result.user, params, request, main_app)
+          end
+        elsif auth_method == :short_code
+          flash[:error] = "We weren't able to log you in with that code. Try again?"
+          render searls_auth_config.verify_view, layout: searls_auth_config.layout, status: :unprocessable_entity
+        else
+          flash[:error] = "We weren't able to log you in with that link. Try again?"
+          redirect_to login_path(
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain]
+          )
+        end
+      end
+
+      def destroy
+        ResetsSession.new.reset(self,
+          except_for: searls_auth_config.preserve_session_keys_after_logout)
+
+        flash[:notice] = "You've been logged out."
+        redirect_to login_path
+      end
+
+      private
+
+      def generate_full_url(path, subdomain)
+        port = request.port
+        port_string = (port == 80 || port == 443) ? "" : ":#{port}"
+
+        "#{request.protocol}#{subdomain}.#{request.domain}#{port_string}#{path}"
+      end
+    end
+  end
+end

data/app/helpers/searls/auth/application_helper.rb

@@ -0,0 +1,82 @@
+module Searls
+  module Auth
+    class HelperMethods
+      def initialize(view_context)
+        @view_context = view_context
+      end
+
+      def routes
+        Searls::Auth::Engine.routes.url_helpers
+      end
+
+      def login_path(**kwargs)
+        routes.login_path(forwardable_params.merge(kwargs))
+      end
+
+      def login_url(**kwargs)
+        routes.login_url(forwardable_params.merge(kwargs))
+      end
+
+      def register_path(**kwargs)
+        routes.register_path(forwardable_params.merge(kwargs))
+      end
+
+      def register_url(**kwargs)
+        routes.register_url(forwardable_params.merge(kwargs))
+      end
+
+      def login_stimulus_controller
+        "searls-auth-login"
+      end
+
+      def email_field_stimulus_data
+        {
+          action: "change->searls-auth-login#updateEmail"
+        }
+      end
+
+      def otp_stimulus_controller
+        "searls-auth-otp"
+      end
+
+      def otp_field_stimulus_data
+        {
+          action: "paste->searls-auth-otp#pasted input->otp#caret click->searls-auth-otp#caret keydown->searls-auth-otp#caret keyup->searls-auth-otp#caret",
+          searls_auth_otp_target: "input"
+        }
+      end
+
+      def enable_turbo?
+        params[:redirect_subdomain].blank? || params[:redirect_subdomain] == request.subdomain
+      end
+
+      def attr_for(model, field_name)
+        model.attributes[field_name.to_s]
+      end
+
+      def rpad(s, spacer = " ", times = 1)
+        "#{s}#{spacer * times}"
+      end
+
+      private
+
+      def forwardable_params
+        {
+          email: params[:email],
+          redirect_path: params[:redirect_path],
+          redirect_subdomain: params[:redirect_subdomain]
+        }.compact_blank
+      end
+
+      def params
+        @view_context.params
+      end
+    end
+
+    module ApplicationHelper
+      def searls_auth_helper
+        @__searls_auth_helper ||= HelperMethods.new(self)
+      end
+    end
+  end
+end

data/app/javascript/controllers/searls_auth_login_controller.js

@@ -0,0 +1,37 @@
+import { Controller } from '@hotwired/stimulus'
+
+export default class SearlsAuthLoginController extends Controller {
+  static values = {
+    email: String,
+    emailFieldName: {
+      type: String,
+      default: 'email'
+    },
+    timeZoneFieldName: {
+      type: String,
+      default: 'time_zone'
+    }
+  }
+
+  connect () {
+    this.emailValue = window.sessionStorage.getItem('__searls_auth_email') || undefined
+    if (this.emailValue) {
+      this.element.querySelector(`[name=${this.emailFieldNameValue}]`).value = this.emailValue
+    }
+
+    this.#setTimeZoneFieldMaybe()
+  }
+
+  updateEmail (e) {
+    debugger
+    this.emailValue = e.currentTarget.value
+    window.sessionStorage.setItem('__searls_auth_email', this.emailValue)
+  }
+
+  #setTimeZoneFieldMaybe () {
+    const hiddenField = this.element.querySelector(`[name=${this.timeZoneFieldNameValue}]`)
+    if (hiddenField) {
+      hiddenField.value ||= Intl.DateTimeFormat().resolvedOptions().timeZone
+    }
+  }
+}

data/app/javascript/controllers/searls_auth_otp_controller.js

@@ -0,0 +1,21 @@
+import { Controller } from '@hotwired/stimulus'
+
+export default class SearlsAuthOtpController extends Controller {
+  static targets = ['input']
+
+  pasted (e) {
+    const content = e.clipboardData?.getData('text')
+    if (content && content.trim().match(/^\d{6}$/)) {
+      this.inputTarget.value = content.trim()
+      this.inputTarget.closest('form').requestSubmit()
+    }
+  }
+
+  // Maybe not every design needs this but mine does: hide the caret if it's after the end of the max length
+  caret () {
+    const shouldHideCaret = this.inputTarget.maxLength === this.inputTarget.selectionStart &&
+      this.inputTarget.maxLength === this.inputTarget.selectionEnd
+
+    this.inputTarget.style.caretColor = shouldHideCaret ? 'transparent' : ''
+  }
+}

data/app/mailers/searls/auth/base_mailer.rb

@@ -0,0 +1,8 @@
+module Searls
+  module Auth
+    class BaseMailer < ApplicationMailer # TODO should this be ActionMailer::Base? Trade-offs?
+      helper Searls::Auth::ApplicationHelper
+      include Searls::Auth::ApplicationHelper
+    end
+  end
+end

data/app/mailers/searls/auth/login_link_mailer.rb

@@ -0,0 +1,24 @@
+module Searls
+  module Auth
+    class LoginLinkMailer < BaseMailer
+      def login_link
+        @config = Searls::Auth.config
+        @user = params[:user]
+        @token = params[:token]
+        @redirect_path = params[:redirect_path]
+        @redirect_subdomain = params[:redirect_subdomain]
+        @short_code = params[:short_code]
+
+        mail(
+          to: format_to(@user),
+          subject: "Your #{searls_auth_helper.rpad(@config.app_name)} login code is #{@short_code}",
+          template_path: @config.mail_login_template_path,
+          template_name: @config.mail_login_template_name
+        ) do |format|
+          format.html { render layout: @config.mail_layout }
+          format.text
+        end
+      end
+    end
+  end
+end

data/app/views/searls/auth/layouts/mailer.html.erb

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <meta name="color-scheme" content="light">
+    <meta name="supported-color-schemes" content="light only">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="format-detection" content="telephone=no, date=no, address=no, email=no, url=no">
+    <meta name="x-apple-disable-message-reformatting">
+    <title><%= message.subject %></title>
+  </head>
+  <body style="background-color: <%= Searls::Auth.config.email_background_color %>;">
+    <div role="article" aria-roledescription="email" aria-label="<%= message.subject %>" lang="en">
+      <table border="0" cellpadding="0" cellspacing="0" style="font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; background-color: <%= Searls::Auth.config.email_background_color %>; color: #111827;" width="100%">
+        <tr>
+          <td height="96" align="center">
+            <% if Searls::Auth.config.email_banner_image_path.present? %>
+              <% banner_img = image_tag(
+                email_image_data_url(Searls::Auth.config.email_banner_image_path),
+                style: "height: 48px;"
+              ) %>
+              <% if Searls::Auth.config.app_url.present? %>
+                <%= link_to Searls::Auth.config.app_url, style: "text-align: center;" do %>
+                  <%= banner_img %>
+                <% end %>
+              <% else %>
+                <div style="text-align: center;">
+                  <%= banner_img %>
+                </div>
+              <% end %>
+            <% end %>
+          </td>
+        </tr>
+        <tr>
+          <td align="center">
+            <table width="<%= content_for?(:width) ? yield(:width) : 480 %>" border="0" cellpadding="0" cellspacing="0" style="padding-left: 0.5rem; padding-right: 0.5rem; box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); border-radius: 0.75rem; background-color: white; width: 100%; max-width: <%= content_for?(:width) ? yield(:width) : 480 %>px;">
+              <tr>
+                <td>
+                  <%= yield %>
+                </td>
+              </tr>
+            </table>
+          </td>
+        </tr>
+        <tr>
+          <td height="32">
+            <%= yield :footer %>
+          </td>
+        </tr>
+      </table>
+    </div>
+  </body>
+</html>

data/app/views/searls/auth/login_link_mailer/login_link.html.erb

@@ -0,0 +1,37 @@
+<%= content_for :width, 480 %>
+  <p>
+    <% if (user_name = searls_auth_helper.attr_for(@user, @config.user_name_field)).present? %>
+      Hello, <strong><%= user_name %></strong>!
+    <% else %>
+      Hello!
+    <% end %>
+  </p>
+<p style="margin-top: 1rem;">
+  You can click the button below to log in to your account:
+  <div style="margin-top: 2rem; text-align: center;">
+    <%= link_to verify_token_url({
+      token: @token,
+      redirect_path: @redirect_path,
+      redirect_subdomain: @redirect_subdomain
+    }.compact_blank) do %>
+      <span style="width: 70%; box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border-radius: 0.75rem; background-color: <%= @config.email_button_color %>; color: white;">Log in</span>
+    <% end %>
+    <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
+      (This link will expire in <%= @config.token_expiry_minutes %> minutes.)
+    </div>
+  </div>
+</p>
+<p style="margin-top: 2rem;">
+  Alternatively, you can type or paste the following code into your browser:
+  <div style="margin-top: 2rem; text-align: center;">
+    <span id="one-time-code" style="width: 70%; display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border: 1px solid; border-radius: 0.75rem; background-color: #f3f4f6; border-color: #e5e7eb;">
+      <%= @short_code %>
+    </span>
+    <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
+      (So will this code.)
+    </div>
+  </div>
+</p>
+<p style="margin-top: 2rem; font-size: 0.875rem; color: #6b7280;">
+  p.s. Didn't try to log in? You can safely ignore this email. If this keeps happening, please <%= link_to "let us know", "mailto:#{@config.support_email_address}" %>.
+</p>

data/app/views/searls/auth/login_link_mailer/login_link.text.erb

@@ -0,0 +1,20 @@
+<% if (user_name = searls_auth_helper.attr_for(@user, @config.user_name_field)).present? %>
+Hi, <%= user_name %>!
+<% else %>
+Hello!
+<% end %>
+
+You can log in to your <%= searls_auth_helper.rpad(@config.app_name) %>account at this URL:
+
+<%= verify_token_url({
+  token: @token,
+  redirect_path: @redirect_path,
+  redirect_subdomain: @redirect_subdomain
+}.compact_blank) %>
+
+Alternatively, you can type or paste the following code into your browser:
+
+<%= @short_code %>
+
+Didn't try to log in? You can safely ignore this email.<%= " If this keeps
+happening, please let us know at #{@config.support_email_address}" if @config.support_email_address.present? %>

data/app/views/searls/auth/logins/show.html.erb

@@ -0,0 +1,20 @@
+<h1>Log In</h1>
+
+<div style="background: rgba(255,0,0, 0.1)">
+  <%= flash[:error] %>
+</div>
+<div style="background: rgba(0,0,255, 0.1)">
+  <%= flash[:notice] %>
+</div>
+
+<%= form_with url: login_path, method: :post, data: {controller: searls_auth_helper.login_stimulus_controller} do |f| %>
+  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+  <%= f.email_field :email, required: true, value: params[:email], data: searls_auth_helper.email_field_stimulus_data %>
+  <%= f.submit "Log in" %>
+<% end %>
+
+<p>
+  Not registered yet? <%= link_to "Sign up", searls_auth_helper.register_path %> instead!
+</p>
+

data/app/views/searls/auth/registrations/show.html.erb

@@ -0,0 +1,19 @@
+<h1>Create your account</h1>
+
+<div style="background: rgba(255,0,0, 0.1)">
+  <%= flash[:error] %>
+</div>
+<div style="background: rgba(0,0,255, 0.1)">
+  <%= flash[:notice] %>
+</div>
+
+<%= form_with url: register_path, data: {controller: searls_auth_helper.login_stimulus_controller} do |f| %>
+  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+  <%= f.email_field :email, value: params[:email], required: true, data: searls_auth_helper.email_field_stimulus_data %>
+  <%= f.submit "Register" %>
+<% end %>
+
+<p>
+  Already have an account? <%= link_to "Log in", searls_auth_helper.login_path %> instead.
+</p>

data/app/views/searls/auth/verifications/show.html.erb

@@ -0,0 +1,23 @@
+<h1>Check your email!</h1>
+<p>
+  In the next few moments, you should receive an email that will provide you
+  two ways to log in: a link and a six-digit code that you can enter below.
+</p>
+<%= form_with(url: verify_path, method: :post, data: {
+    # Don't use turbo on cross-domain redirects
+    turbo: searls_auth_helper.enable_turbo?
+  }) do |f| %>
+  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+  <div data-controller="<%= searls_auth_helper.otp_stimulus_controller %>">
+    <%= f.text_field :short_code,
+      maxlength: 6,
+      inputmode: "numeric",
+      pattern: "\\d{6}",
+      autocomplete: "one-time-code",
+      title: "six-digit code that was emailed to you",
+      data: searls_auth_helper.otp_field_stimulus_data
+    %>
+  </div>
+  <%= f.submit "Log in" %>
+<% end %>

data/config/importmap.rb

@@ -0,0 +1,2 @@
+pin "controllers/searls_auth_login_controller", to: "controllers/searls_auth_login_controller.js"
+pin "controllers/searls_auth_otp_controller", to: "controllers/searls_auth_otp_controller.js"

data/config/routes.rb

@@ -0,0 +1,12 @@
+Searls::Auth::Engine.routes.draw do
+  get "register", to: "registrations#show"
+  post "register", to: "registrations#create"
+
+  get "login", to: "logins#show"
+  post "login", to: "logins#create"
+  get "logout", to: "logins#destroy"
+
+  get "login/verify", to: "verifications#show", as: :verify
+  post "login/verify", to: "verifications#create"
+  get "login/verify_token", to: "verifications#create", as: :verify_token
+end

data/lib/searls/auth/authenticates_user.rb

@@ -0,0 +1,32 @@
+module Searls
+  module Auth
+    class AuthenticatesUser
+      Result = Struct.new(:success?, :user, keyword_init: true)
+
+      def authenticate_by_short_code(short_code, session)
+        user = Searls::Auth.config.user_finder_by_id.call(session[:email_auth_short_code_user_id])
+
+        if session[:email_auth_short_code_generated_at].present? &&
+            Time.zone.parse(session[:email_auth_short_code_generated_at]) > Searls::Auth.config.token_expiry_minutes.minutes.ago &&
+            user.present? &&
+            short_code == session[:email_auth_short_code]
+          Searls::Auth.config.after_login_success&.call(user)
+          Result.new(success?: true, user: user)
+        else
+          Result.new(success?: false)
+        end
+      end
+
+      def authenticate_by_token(token)
+        user = Searls::Auth.config.user_finder_by_token.call(token)
+
+        if user.present?
+          Searls::Auth.config.after_login_success&.call(user)
+          Result.new(success?: true, user: user)
+        else
+          Result.new(success?: false)
+        end
+      end
+    end
+  end
+end

data/lib/searls/auth/config.rb

@@ -0,0 +1,47 @@
+module Searls
+  module Auth
+    Config = Struct.new(
+      # Data setup
+      :user_finder_by_email, # proc (email)
+      :user_finder_by_id, # proc (id)
+      :user_finder_by_token, # proc (token)
+      :user_initializer, # proc (params)
+      :user_name_field, # string
+      :token_generator, # proc ()
+      :token_expiry_minutes, # integer
+      # Controller setup
+      :preserve_session_keys_after_logout, # array of symbols
+      # View setup
+      :layout, # string
+      :login_view, # string
+      :register_view, # string
+      :verify_view, # string
+      :mail_layout, # string
+      :mail_login_template_path, # string
+      :mail_login_template_name, # string
+      # Routing setup
+      :redirect_path_after_register, # string or proc, all new registrations redirect here
+      :default_redirect_path_after_login, # string or proc, only redirected here if redirect_path param not set
+      # Hook setup
+      :validate_registration, # proc (user, params, errors = []), must return an array of error messages where empty means valid
+      :after_login_success, # proc (user)
+      # Branding setup
+      :app_name, # string
+      :app_url, # string
+      :support_email_address, # string
+      :email_banner_image_path, # string
+      :email_background_color, # string
+      :email_button_color, # string
+      keyword_init: true
+    ) do
+      # Get values from values that might be procs
+      def resolve(option, *args)
+        if self[option].respond_to?(:call)
+          self[option].call(*args)
+        else
+          self[option]
+        end
+      end
+    end
+  end
+end