searls-auth 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e2b6983e76f48e3663946462d67f0dfdf62914aa8187c29a332111f430335f2
-  data.tar.gz: 0cfbab5b379a053ff0f23406e25c045caa6d7ca2c249330d0ac24b459e6f1ecf
+  metadata.gz: 608a7738fece38d0fce18f906f68c5d91122aaf2d274cdcf48dba6b770c04069
+  data.tar.gz: 76d7b5e89479236705a1cb866d7358016510fa9899dffd2474fe9139cfc688bf
 SHA512:
-  metadata.gz: 820ae8d2258753dd6e7f2f9bea7054537f0242aacc5218f220cc3a83d639a11a5204bcca728a95ec06e4ae8094994609abf0859f5df8162684a56c42bd27757b
-  data.tar.gz: 9d6f9469c3c4d99cd42f0b410f89934951924c605cff3fe9bf7490064d790d1a814b20e154574de45d525b325acaac6ccd793496f2ffbc83645042e4f2a0268f
+  metadata.gz: c23b8352aaeec522b1878bf3b32c721cd14d06ef31b306a23fcb7e8b1ca1b3659a39904409e30c4492724289057b1a4594486e7878d01304b2830a7ed39e3ecf
+  data.tar.gz: 387b365eb74882a67258552f0da17d58913d001ea574fcf4d4c2b0c1487aeac939e6431e210c0b8bbb1471c00bfd01591e3f6aa6969520cee7727850a4d8552f

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## [Unreleased]
 
+## [0.2.0] - 2025-09-11
+
+* Add `auth_methods` configuration with default `[:email_link, :email_otp]`
+
+## [0.1.1] - 2025-04-27
+
+* Improve error message when token generation fails due to a token not being configured on the user model
+
 ## [0.1.0] - 2025-04-26
 
 * Add `max_allowed_short_code_attempts` configuration, beyond which the code is erased from the session and the user needs to login again (default: 10)

data/LICENSE.txt

@@ -653,7 +653,7 @@ Also add information on how to contact you by electronic and paper mail.
   If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
 
-    Fine Ants Copyright (C) 2016 Justin Searls
+    searls-auth (C) 2025 Searls LLC
     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.

data/README.md

@@ -1 +1,111 @@
 # searls-auth
+
+This gem provides a Ruby on Rails engine that implements a minimal, opinionated, and pleasant email-based authentication system. It has zero other dependencies, which is the correct number of dependencies.
+
+For a detailed walk-through with pictures and whatnot, check out this [example app README](/example/simple_app/README.md). Below you'll find the basic steps for getting started.
+
+## Install it
+
+Add it to your Gemfile and `bundle` it:
+
+```ruby
+gem "searls-auth"
+```
+
+## Mount it
+
+Next, you need to mount the gem's Engine to host any of the authentication controllers and mailers.
+
+You can mount the engine at whatever you path you like (mounting it to "/" can result in some goofy behavior, so maybe not that one). I just do "/auth" because I'm boring:
+
+```ruby
+# config/routes.rb
+Rails.application.routes.draw do
+  # …
+  mount Searls::Auth::Engine => "/auth"
+  # …
+end
+```
+
+If you run your development server and visit [http://localhost:3000/auth/login](http://localhost:3000/auth/login), you should see an ugly login page. (If things look really goofy, it's because the gem defaults to your app's `"application"` layout).
+
+## Secure it
+
+If you've got a `User` model with an `email` attribute, you're two-thirds of the way to this thing working. All you need now is to associate [a secure token](https://api.rubyonrails.org/classes/ActiveRecord/TokenFor/ClassMethods.html#method-i-generates_token_for) with the model named `:email_auth`.
+
+```ruby
+# app/models/user.rb
+class User < ApplicationRecord
+  # …
+  generates_token_for :email_auth, expires_in: 30.minutes
+  # …
+end
+```
+
+(You can [name all these things whatever you want](#configure-it), but this is what searls-auth will assume by default.)
+
+I'm writing this README as I add searls-auth to my new [POSSE Party](https://posseparty.com) app. As soon as I added the above line I visited [http://localhost:3000/auth/login](http://localhost:3000/auth/login), typed in my email, hit "Log in", and saw this email get sent (thanks to [letter_opener](https://github.com/ryanb/letter_opener)):
+
+![A default searls-auth login email](https://github.com/user-attachments/assets/07114dae-a95b-49bd-ba57-92042c62c1b7)
+
+When I pasted in the six-digit code into the (also ugly) default verification page, it auto-submitted the form. That's because my has a vanilla [import maps](https://guides.rubyonrails.org/working_with_javascript_in_rails.html#import-maps) configuration, the least-bad of the various JavaScript ordeals Rails has on offer. (Don't use import maps? Then I leave figuring out how to load the gem's [Stimulus controllers](app/javascript/controllers/searls_auth_login_controller.js) as an exercise to the reader.)
+
+I repeated the process to ensure the "magic link" also would have worked by visiting [http://localhost:3000/auth/logout](http://localhost:3000/auth/logout) and then clicking the link.
+
+## Configure it
+
+Almost every user-facing thing searls-auth does is configurable, because authentication is an _intimate and precious_ thing that every application must find a way to tweak, brand, and confuse.
+
+To configure things, create an initializer:
+
+```
+touch config/initializers/searls_auth.rb
+```
+
+And paste this into it as a starting point:
+
+```ruby
+Rails.application.config.after_initialize do
+  Searls::Auth.configure do |config|
+    # You can find the defaults here-ish:
+    # https://github.com/searlsco/searls-auth/blob/main/lib/searls/auth.rb#L14
+    #
+    # The expected type of each option is documented inline here-ish:
+    # https://github.com/searlsco/searls-auth/blob/main/lib/searls/auth/config.rb#L3
+    #
+    # (Note that many options can take a proc or a value, which you may want)
+    #
+    # Override any option like this:
+    # config.app_name = "POSSE Party"
+  end
+end
+```
+As stated in the comment above, you can find each configuration and its default value in the code.
+
+### Choose your login methods
+
+By default, users can log in either by clicking a magic link or by entering a 6‑digit code they receive via email. This is controlled by the `auth_methods` configuration:
+
+```ruby
+# config/initializers/searls_auth.rb
+Rails.application.config.after_initialize do
+  Searls::Auth.configure do |config|
+    # Defaults:
+    config.auth_methods = [:email_link, :email_otp]
+
+    # Link-only (no code in emails, no OTP input shown):
+    # config.auth_methods = :email_link
+
+    # Code-only (no link in emails; OTP input shown):
+    # config.auth_methods = :email_otp
+  end
+end
+```
+
+One reason you might want to disable e-mail OTP is that it exposes your users to [a pretty easy-to-implement man-in-the-middle attack](https://blog.danielh.cc/blog/passwords).
+
+## Use it
+
+Of course, having a user be "logged in" or not doesn't mean anything if your application doesn't do anything with the knowledge. Users that are logged in will have `session[:user_id]` set to the value of the logged-in user's ID. Logged out users won't have anything set to `session[:user_id]`. What you do with that is your job, not this gem. (Wait, after 20 years does this mean I finally understand the difference between authentication and authorization? Better late than never.)
+
+If this is your first rodeo and you just read the previous paragraph and thought, _yeah, but now what?_, check out the tail end of the [example app README](/example/simple_app/README.md#5-require-authentication-for-appropriate-actions), which shows an approach that a lot of apps use.

data/app/controllers/searls/auth/logins_controller.rb

@@ -11,7 +11,12 @@ module Searls
         user = searls_auth_config.user_finder_by_email.call(params[:email])
 
         if user.present?
-          attach_short_code_to_session!(user)
+          if searls_auth_config.auth_methods.include?(:email_otp)
+            attach_short_code_to_session!(user)
+          else
+            clear_short_code_from_session!
+          end
+
           EmailsLink.new.email(
             user:,
             redirect_path: params[:redirect_path],

data/app/controllers/searls/auth/verifications_controller.rb

@@ -8,13 +8,27 @@ module Searls
       end
 
       def create
-        auth_method = params[:short_code].present? ? :short_code : :token
+        auth_method = params[:short_code].present? ? :email_otp : :email_link
+        if auth_method == :email_otp && !searls_auth_config.auth_methods.include?(:email_otp)
+          flash[:error] = searls_auth_config.resolve(:flash_error_after_verify_attempt_invalid_link, params)
+          return redirect_to searls_auth.login_path(
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain]
+          )
+        end
+        if auth_method == :email_link && !searls_auth_config.auth_methods.include?(:email_link)
+          flash[:error] = searls_auth_config.resolve(:flash_error_after_verify_attempt_invalid_link, params)
+          return redirect_to searls_auth.login_path(
+            redirect_path: params[:redirect_path],
+            redirect_subdomain: params[:redirect_subdomain]
+          )
+        end
         authenticator = AuthenticatesUser.new
         result = case auth_method
-        when :short_code
+        when :email_otp
           log_short_code_verification_attempt!
           authenticator.authenticate_by_short_code(params[:short_code], session)
-        when :token
+        when :email_link
           authenticator.authenticate_by_token(params[:token])
         end
 
@@ -36,7 +50,7 @@ module Searls
             redirect_to searls_auth_config.resolve(:default_redirect_path_after_login,
               result.user, params, request, main_app)
           end
-        elsif auth_method == :short_code
+        elsif auth_method == :email_otp
           if result.exceeded_short_code_attempt_limit?
             clear_short_code_from_session!
             flash[:error] = searls_auth_config.resolve(

data/app/mailers/searls/auth/login_link_mailer.rb

@@ -11,7 +11,7 @@ module Searls
 
         mail(
           to: format_to(@user),
-          subject: "Your #{searls_auth_helper.rpad(@config.app_name)}login code is #{@short_code}",
+          subject: mail_subject,
           template_path: @config.mail_login_template_path,
           template_name: @config.mail_login_template_name
         ) do |format|
@@ -19,6 +19,17 @@ module Searls
           format.text
         end
       end
+
+      private
+
+      def mail_subject
+        methods = Searls::Auth.config.auth_methods
+        if methods.include?(:email_otp) && @short_code.present?
+          "Your #{searls_auth_helper.rpad(@config.app_name)}login code is #{@short_code}"
+        else
+          "Your #{searls_auth_helper.rpad(@config.app_name)}login link"
+        end
+      end
     end
   end
 end

data/app/views/searls/auth/login_link_mailer/login_link.html.erb

@@ -6,32 +6,36 @@
       Hello!
     <% end %>
   </p>
-<p style="margin-top: 1rem;">
-  You can click the button below to log in to your account:
-  <div style="margin-top: 2rem; text-align: center;">
-    <%= link_to verify_token_url({
-      token: @token,
-      redirect_path: @redirect_path,
-      redirect_subdomain: @redirect_subdomain
-    }.compact_blank) do %>
-      <span style="width: 70%; box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border-radius: 0.75rem; background-color: <%= @config.email_button_color %>; color: white;">Log in</span>
-    <% end %>
-    <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
-      (This link will expire in <%= @config.token_expiry_minutes %> minutes.)
+<% if Searls::Auth.config.auth_methods.include?(:email_link) %>
+  <p style="margin-top: 1rem;">
+    You can log in by clicking this button:
+    <div style="margin-top: 2rem; text-align: center;">
+      <%= link_to verify_token_url({
+        token: @token,
+        redirect_path: @redirect_path,
+        redirect_subdomain: @redirect_subdomain
+      }.compact_blank) do %>
+        <span style="width: 70%; box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05); display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border-radius: 0.75rem; background-color: <%= @config.email_button_color %>; color: white;">Log in</span>
+      <% end %>
+      <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
+        (This link will expire in <%= @config.token_expiry_minutes %> minutes.)
+      </div>
     </div>
-  </div>
-</p>
-<p style="margin-top: 2rem;">
-  Alternatively, you can type or paste the following code into your browser:
-  <div style="margin-top: 2rem; text-align: center;">
-    <span id="one-time-code" style="width: 70%; display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border: 1px solid; border-radius: 0.75rem; background-color: #f3f4f6; border-color: #e5e7eb;">
-      <%= @short_code %>
-    </span>
-    <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
-      (So will this code.)
+  </p>
+<% end %>
+<% if Searls::Auth.config.auth_methods.include?(:email_otp) && @short_code.present? %>
+  <p style="margin-top: 2rem;">
+    You can log in by entering this code:
+    <div style="margin-top: 2rem; text-align: center;">
+      <span id="one-time-code" style="width: 70%; display: inline-block; padding-left: 2rem; padding-right: 2rem; padding-top: 1rem; padding-bottom: 1rem; font-size: 1.5rem; font-weight: 700; border: 1px solid; border-radius: 0.75rem; background-color: #f3f4f6; border-color: #e5e7eb;">
+        <%= @short_code %>
+      </span>
+      <div style="margin-top: 0.5rem; font-size: 0.875rem; color: #6b7280;">
+        (So will this code.)
+      </div>
     </div>
-  </div>
-</p>
+  </p>
+<% end %>
 <p style="margin-top: 2rem; font-size: 0.875rem; color: #6b7280;">
   p.s. Didn't try to log in? You can safely ignore this email. If this keeps happening, please <%= link_to "let us know", "mailto:#{@config.support_email_address}" %>.
 </p>

data/app/views/searls/auth/login_link_mailer/login_link.text.erb

@@ -4,17 +4,22 @@ Hi, <%= user_name %>!
 Hello!
 <% end %>
 
-You can log in to your <%= searls_auth_helper.rpad(@config.app_name) %>account at this URL:
+<% if Searls::Auth.config.auth_methods.include?(:email_link) %>
+You can log in by visiting this URL for your <%= searls_auth_helper.rpad(@config.app_name) %>account:
 
 <%= searls_auth.verify_token_url({
   token: @token,
   redirect_path: @redirect_path,
   redirect_subdomain: @redirect_subdomain
 }.compact_blank) %>
+<% end %>
+
+<% if Searls::Auth.config.auth_methods.include?(:email_otp) && @short_code.present? %>
 
-Alternatively, you can type or paste the following code into your browser:
+You can log in by entering this code:
 
 <%= @short_code %>
+<% end %>
 
 Didn't try to log in? You can safely ignore this email.<%= " If this keeps
 happening, please let us know at #{@config.support_email_address}" if @config.support_email_address.present? %>

data/app/views/searls/auth/verifications/show.html.erb

@@ -1,24 +1,24 @@
 <h1>Check your email!</h1>
+<% parts = { email_link: "a link", email_otp: "a six-digit code" }.slice(*Searls::Auth.config.auth_methods).values %>
 <p>
-  In the next few moments, you should receive an email that will provide you
-  two ways to log in: a link and a six-digit code that you can enter below.
+  In the next few moments, you should receive an email with <%= parts.to_sentence %> to log in.
 </p>
-<%= form_with(url: searls_auth.verify_path, method: :post, data: {
-    # Don't use turbo on cross-domain redirects
-    turbo: searls_auth_helper.enable_turbo?
-  }) do |f| %>
-  <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
-  <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
-  <div data-controller="<%= searls_auth_helper.otp_stimulus_controller %>">
-    <%= f.label :short_code, "Code" %>
-    <%= f.text_field :short_code,
-      maxlength: 6,
-      inputmode: "numeric",
-      pattern: "\\d{6}",
-      autocomplete: "one-time-code",
-      title: "six-digit code that was emailed to you",
-      data: searls_auth_helper.otp_field_stimulus_data
-    %>
-  </div>
-  <%= f.submit "Log in" %>
+
+<% if Searls::Auth.config.auth_methods.include?(:email_otp) %>
+  <%= form_with(url: searls_auth.verify_path, method: :post, data: { turbo: searls_auth_helper.enable_turbo? }) do |f| %>
+    <%= f.hidden_field :redirect_path, value: params[:redirect_path] %>
+    <%= f.hidden_field :redirect_subdomain, value: params[:redirect_subdomain] %>
+    <div data-controller="<%= searls_auth_helper.otp_stimulus_controller %>">
+      <%= f.label :short_code, "Code" %>
+      <%= f.text_field :short_code,
+        maxlength: 6,
+        inputmode: "numeric",
+        pattern: "\\d{6}",
+        autocomplete: "one-time-code",
+        title: "six-digit code that was emailed to you",
+        data: searls_auth_helper.otp_field_stimulus_data
+      %>
+    </div>
+    <%= f.submit "Log in" %>
+  <% end %>
 <% end %>

data/lib/searls/auth/config.rb

@@ -1,13 +1,14 @@
 module Searls
   module Auth
     Config = Struct.new(
+      :auth_methods, # array of symbols, e.g., [:email_link, :email_otp]
       # Data setup
-      :user_finder_by_email, # proc (email)
-      :user_finder_by_id, # proc (id)
-      :user_finder_by_token, # proc (token)
-      :user_initializer, # proc (params)
+      :user_finder_by_email, # proc(email)
+      :user_finder_by_id, # proc(id)
+      :user_finder_by_token, # proc(token)
+      :user_initializer, # proc(params)
       :user_name_method, # string
-      :token_generator, # proc ()
+      :token_generator, # proc()
       :token_expiry_minutes, # integer
       # Controller setup
       :preserve_session_keys_after_logout, # array of symbols
@@ -21,11 +22,11 @@ module Searls
       :mail_login_template_path, # string
       :mail_login_template_name, # string
       # Routing setup
-      :redirect_path_after_register, # string or proc, all new registrations redirect here
-      :default_redirect_path_after_login, # string or proc, only redirected here if redirect_path param not set
+      :redirect_path_after_register, # string or proc(user, params, request, routes), all new registrations redirect here
+      :default_redirect_path_after_login, # string or proc(user, params, request, routes), only redirected here if redirect_path param not set
       # Hook setup
-      :validate_registration, # proc (user, params, errors = []), must return an array of error messages where empty means valid
-      :after_login_success, # proc (user)
+      :validate_registration, # proc(user, params, errors = []), must return an array of error messages where empty means valid
+      :after_login_success, # proc(user)
       # Branding setup
       :app_name, # string
       :app_url, # string
@@ -53,6 +54,10 @@ module Searls
           self[option]
         end
       end
+
+      def auth_methods
+        Array(self[:auth_methods]).map(&:to_sym)
+      end
     end
   end
 end

data/lib/searls/auth/emails_link.rb

@@ -4,12 +4,31 @@ module Searls
       def email(user:, short_code:, redirect_path: nil, redirect_subdomain: nil)
         LoginLinkMailer.with(
           user:,
-          token: Searls::Auth.config.token_generator.call(user),
-          short_code:,
+          token: (Searls::Auth.config.auth_methods.include?(:email_link) ? generate_token!(user) : nil),
+          short_code: (Searls::Auth.config.auth_methods.include?(:email_otp) ? short_code : nil),
           redirect_path:,
           redirect_subdomain:
         ).login_link.deliver_later
       end
+
+      private
+
+      def generate_token!(user)
+        Searls::Auth.config.token_generator.call(user)
+      rescue KeyError => e
+        raise Error, <<~MSG
+          Secure token generation for user failed!
+
+          Message: #{e.message}
+          User: #{user.inspect}
+
+          This can probably be fixed by adding a line like this to your #{user.class.name} class:
+
+            generates_token_for :email_auth, expires_in: 30.minutes
+
+          Otherwise, you may want to override searls-auth's "token_generator" setting with a proc of your own.
+        MSG
+      end
     end
   end
 end

data/lib/searls/auth/version.rb

@@ -1,5 +1,5 @@
 module Searls
   module Auth
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/searls/auth.rb

@@ -12,6 +12,7 @@ module Searls
     class Error < StandardError; end
 
     DEFAULT_CONFIG = {
+      auth_methods: [:email_link, :email_otp],
       # Data setup
       user_finder_by_email: ->(email) { User.find_by(email:) },
       user_finder_by_id: ->(id) { User.find_by(id:) },

data/script/setup

@@ -5,10 +5,5 @@ set -e
 bundle
 
 cd example/simple_app
-bundle
-bin/rake db:setup
-export PLAYWRIGHT_CLI_VERSION=$(bundle exec ruby -e 'require "playwright"; puts Playwright::COMPATIBLE_PLAYWRIGHT_VERSION.strip')
-PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 yarn add -D "playwright@$PLAYWRIGHT_CLI_VERSION"
-yarn run playwright install chromium
-
+./script/setup
 cd ../..

data/script/test

@@ -7,7 +7,7 @@ bundle exec rake
 
 echo "-----> Testing example/simple_app"
 cd example/simple_app
-bin/rake
+./script/test
 cd ../..
 
 echo "-----> Looks good! 🪩"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: searls-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Justin Searls
@@ -84,7 +84,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Searls-flavored login for Rails apps
 test_files: []