searls-auth 0.2.0 → 1.0.0

data/app/views/searls/auth/shared/_login_fields.html.erb

@@ -0,0 +1,11 @@
+<div>
+  <%= f.label :email %>
+  <%= f.email_field :email, required: true, value: params[:email], data: searls_auth_helper.email_field_stimulus_data %>
+</div>
+<% if Searls::Auth.config.auth_methods.include?(:password) %>
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "current-password" %>
+  </div>
+<% end %>
+

data/app/views/searls/auth/shared/_register_fields.html.erb

@@ -0,0 +1,15 @@
+<div>
+  <%= f.label :email %>
+  <%= f.email_field :email, value: params[:email], required: true, data: searls_auth_helper.email_field_stimulus_data %>
+</div>
+<% if Searls::Auth.config.auth_methods.include?(:password) %>
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: "new-password" %>
+  </div>
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+  </div>
+<% end %>
+

data/config/routes.rb

@@ -9,4 +9,15 @@ Searls::Auth::Engine.routes.draw do
   get "login/verify", to: "verifications#show", as: :verify
   post "login/verify", to: "verifications#create"
   get "login/verify_token", to: "verifications#create", as: :verify_token
+  match "email/resend_verification", via: [:get, :patch], to: "email_verifications#resend", as: :resend_email_verification
+  get "email/pending_verification", to: "registrations#pending_email_verification", as: :pending_email_verification
+
+  get "email/verify", to: "email_verifications#show", as: :verify_email
+
+  resource :settings, only: [:edit, :update]
+
+  get "password/reset", to: "requests_password_resets#show", as: :password_reset_request
+  post "password/reset", to: "requests_password_resets#create"
+  get "password/reset/edit", to: "resets_passwords#show", as: :password_reset_edit
+  patch "password/reset", to: "resets_passwords#update", as: :password_reset_update
 end

data/lib/searls/auth/authenticates_user.rb

@@ -1,18 +1,23 @@
 module Searls
   module Auth
     class AuthenticatesUser
-      Result = Struct.new(:success?, :user, :exceeded_short_code_attempt_limit?, keyword_init: true)
+      def initialize
+        @parses_time_safely = ParsesTimeSafely.new
+      end
+      Result = Struct.new(:success?, :user, :exceeded_email_otp_attempt_limit?, :email_unverified?, keyword_init: true)
 
-      def authenticate_by_short_code(short_code, session)
-        if session[:searls_auth_short_code_verification_attempts] > Searls::Auth.config.max_allowed_short_code_attempts
-          return Result.new(success?: false, exceeded_short_code_attempt_limit?: true)
+      def authenticate_by_email_otp(email_otp, session)
+        if session[:searls_auth_email_otp_verification_attempts] > Searls::Auth.config.max_allowed_email_otp_attempts
+          return Result.new(success?: false, exceeded_email_otp_attempt_limit?: true)
         end
 
-        if session[:searls_auth_short_code_generated_at].present? &&
-            Time.zone.parse(session[:searls_auth_short_code_generated_at]) > Searls::Auth.config.token_expiry_minutes.minutes.ago &&
-            short_code == session[:searls_auth_short_code] &&
-            (user = Searls::Auth.config.user_finder_by_id.call(session[:searls_auth_short_code_user_id])).present?
-          Searls::Auth.config.after_login_success&.call(user)
+        generated_at_value = session[:searls_auth_email_otp_generated_at]
+        if generated_at_value.present? &&
+            (generated_at = parse_otp_timestamp(generated_at_value)) &&
+            generated_at > email_otp_expiry_cutoff &&
+            email_otp == session[:searls_auth_email_otp] &&
+            (user = Searls::Auth.config.user_finder_by_id.call(session[:searls_auth_email_otp_user_id])).present?
+          Searls::Auth.config.after_login_success.call(user)
           Result.new(success?: true, user: user)
         else
           Result.new(success?: false)
@@ -23,12 +28,51 @@ module Searls
         user = Searls::Auth.config.user_finder_by_token.call(token)
 
         if user.present?
-          Searls::Auth.config.after_login_success&.call(user)
+          Searls::Auth.config.after_login_success.call(user)
+          Result.new(success?: true, user: user)
+        else
+          Result.new(success?: false)
+        end
+      end
+
+      def authenticate_by_password(email, password, session)
+        user = Searls::Auth.config.user_finder_by_email.call(email)
+        return Result.new(success?: false) if user.blank?
+
+        configuration = Searls::Auth.config
+
+        if requires_verification?(configuration) && !configuration.email_verified_predicate.call(user)
+          return Result.new(success?: false, email_unverified?: true)
+        end
+
+        begin
+          ok = configuration.password_verifier.call(user, password)
+        rescue NameError
+          return Result.new(success?: false) # controller will map to misconfiguration message
+        end
+
+        if ok
+          configuration.after_login_success.call(user)
           Result.new(success?: true, user: user)
         else
           Result.new(success?: false)
         end
       end
+
+      private
+
+      def requires_verification?(configuration)
+        configuration.email_verification_mode == :required
+      end
+
+      def email_otp_expiry_cutoff
+        minutes = Searls::Auth.config.email_otp_expiry_minutes
+        Time.zone.now - (minutes * 60)
+      end
+
+      def parse_otp_timestamp(value)
+        @parses_time_safely.parse(value)
+      end
     end
   end
 end

data/lib/searls/auth/builds_target_redirect_url.rb

@@ -0,0 +1,72 @@
+require "uri"
+
+module Searls
+  module Auth
+    class BuildsTargetRedirectUrl
+      def build(request, params)
+        path = normalize_path(params[:redirect_path])
+        host = resolve_host(request, params[:redirect_subdomain])
+
+        if host == request.host && path.present?
+          path
+        elsif host != request.host
+          absolute_url(request, host, path)
+        end
+      end
+
+      private
+
+      def normalize_path(raw)
+        if !raw.nil? && !(v = raw.to_s.strip).empty?
+          v = v.sub(%r{\Ahttps?://[^/?#]+}i, "")
+          "/#{v}".sub(%r{\A/+/}, "/")
+        end
+      end
+
+      def resolve_host(request, subdomain)
+        s = normalize_subdomain(subdomain)
+        cur = request.subdomain.presence
+        return request.host if s.nil? || s == cur || (s == "" && cur.nil?)
+        return root_host(request) || request.host if s == "" && cur
+        base = root_host(request) || request.host
+        "#{s}.#{base}"
+      end
+
+      def normalize_subdomain(raw)
+        return "" if raw.is_a?(String) && raw.strip.empty?
+        if (v = raw.to_s.downcase).present?
+          v if /\A[a-z0-9-]+\z/.match?(v)
+        end
+      end
+
+      def root_host(request)
+        request.domain.presence || begin
+          host = URI.parse(request.base_url).host
+          sub = request.subdomain.to_s
+          if sub.empty?
+            host
+          else
+            pref = "#{sub}."
+            host.start_with?(pref) ? host.delete_prefix(pref) : host
+          end
+        end
+      end
+
+      def absolute_url(request, host, path)
+        uri = URI.parse(request.base_url)
+        uri.host = host
+        if path && !path.empty?
+          m = path.match(/\A([^?#]*)(?:\?([^#]*))?(?:#(.*))?\z/)
+          uri.path = m[1]
+          uri.query = m[2]
+          uri.fragment = m[3]
+        else
+          uri.path = ""
+          uri.query = nil
+          uri.fragment = nil
+        end
+        uri.to_s
+      end
+    end
+  end
+end

data/lib/searls/auth/config.rb

@@ -1,7 +1,26 @@
 module Searls
   module Auth
+    # Numeric config keys coerced to Integer and required to be > 0
+    NUMERIC_FIELDS = [
+      :email_otp_expiry_minutes,
+      :max_allowed_email_otp_attempts
+    ].freeze
+
+    # Core hooks that must always be callable
+    HOOK_FIELDS = [
+      :user_finder_by_email,
+      :user_finder_by_id,
+      :user_finder_by_token,
+      :user_initializer,
+      :token_generator,
+      :email_verified_predicate,
+      :email_verified_setter,
+      :validate_registration,
+      :after_login_success
+    ].freeze
     Config = Struct.new(
       :auth_methods, # array of symbols, e.g., [:email_link, :email_otp]
+      :email_verification_mode, # :none, :optional, :required
       # Data setup
       :user_finder_by_email, # proc(email)
       :user_finder_by_id, # proc(id)
@@ -9,28 +28,44 @@ module Searls
       :user_initializer, # proc(params)
       :user_name_method, # string
       :token_generator, # proc()
-      :token_expiry_minutes, # integer
+      :password_verifier, # proc(user, password)
+      :password_setter, # proc(user, password)
+      :password_reset_token_generator, # proc(user)
+      :password_reset_token_finder, # proc(token)
+      :before_password_reset, # proc(user, params, controller)
+      :password_reset_enabled, # boolean
+      :email_verified_predicate, # proc(user)
+      :email_verified_setter, # proc(user, time = Time.current)
+      :password_present_predicate, # proc(user)
       # Controller setup
       :preserve_session_keys_after_logout, # array of symbols
-      :max_allowed_short_code_attempts, # integer
+      :max_allowed_email_otp_attempts, # integer (email OTP attempts)
+      :email_otp_expiry_minutes, # integer
       # View setup
       :layout, # string
       :login_view, # string
       :register_view, # string
       :verify_view, # string
+      :pending_email_verification_view, # string
+      :password_reset_request_view, # string
+      :password_reset_edit_view, # string
       :mail_layout, # string
       :mail_login_template_path, # string
       :mail_login_template_name, # string
+      :mail_password_reset_template_path, # string
+      :mail_password_reset_template_name, # string
+      :mail_email_verification_template_path, # string
+      :mail_email_verification_template_name, # string
       # Routing setup
       :redirect_path_after_register, # string or proc(user, params, request, routes), all new registrations redirect here
-      :default_redirect_path_after_login, # string or proc(user, params, request, routes), only redirected here if redirect_path param not set
+      :redirect_path_after_login, # string or proc(user, params, request, routes), only redirected here if redirect_path param not set
+      :redirect_path_after_settings_change, # string or proc(user, params, request, routes), post-settings updates redirect here
       # Hook setup
       :validate_registration, # proc(user, params, errors = []), must return an array of error messages where empty means valid
       :after_login_success, # proc(user)
       # Branding setup
       :app_name, # string
       :app_url, # string
-      :support_email_address, # string
       :email_banner_image_path, # string
       :email_background_color, # string
       :email_button_color, # string
@@ -39,24 +74,220 @@ module Searls
       :flash_error_after_register_attempt, # string or proc(error_messages, login_path, params)
       :flash_notice_after_login_attempt, # string or proc(user, params)
       :flash_error_after_login_attempt_unknown_email, # string or proc(register_path, params)
+      :flash_error_after_login_attempt_invalid_password, # string or proc(params)
+      :flash_error_after_login_attempt_unverified_email, # string or proc(resend_email_verification_path, params)
+      :flash_notice_after_login_with_unverified_email, # string or proc(resend_email_verification_path, params)
+      :flash_error_after_password_misconfigured, # string or proc(params)
+      :flash_error_after_password_reset_token_invalid, # string or proc(params)
+      :flash_error_after_password_reset_password_mismatch, # string or proc(params)
+      :flash_error_after_password_reset_password_blank, # string or proc(params)
+      :flash_error_after_password_reset_not_enabled, # string or proc(params)
       :flash_notice_after_logout, # string or proc(params)
-      :flash_notice_after_verification, # string or proc(user, params)
+      :flash_notice_after_login, # string or proc(user, params)
+      :flash_notice_after_verification_email_resent, # string or proc(params)
+      :flash_notice_after_email_verified, # string or proc(user, params)
+      :flash_notice_after_password_reset_email, # string or proc(params)
+      :flash_notice_after_password_reset, # string or proc(user, params)
       :flash_error_after_verify_attempt_exceeds_limit, # string or proc(params)
-      :flash_error_after_verify_attempt_incorrect_short_code, # string or proc(params)
+      :flash_error_after_verify_attempt_incorrect_email_otp, # string or proc(params)
       :flash_error_after_verify_attempt_invalid_link, # string or proc(params)
+      :flash_notice_after_settings_update, # string or proc(user, params)
+      :flash_error_after_settings_current_password_missing, # string or proc(params)
+      :flash_error_after_settings_current_password_invalid, # string or proc(params)
+      :auto_login_after_password_reset, # boolean
       keyword_init: true
     ) do
       # Get values from values that might be procs
       def resolve(option, *args)
-        if self[option].respond_to?(:call)
-          self[option].call(*args)
-        else
-          self[option]
+        key = option.to_sym
+        value = public_send(key)
+        value.respond_to?(:call) ? value.call(*args) : value
+      end
+
+      def password_reset_enabled?
+        auth_methods.include?(:password) && password_reset_enabled
+      end
+
+      def password_present?(user)
+        predicate = password_present_predicate
+        return false if predicate.nil?
+
+        predicate.call(user)
+      end
+
+      def validate!
+        validate_auth_methods!
+        validate_email_verification_mode!
+        validate_numeric_options!
+        validate_core_hooks!
+        validate_password_settings!
+        validate_default_user_hooks!
+      rescue => e
+        unless [
+          "PG::UndefinedTable",
+          "ActiveRecord::NoDatabaseError",
+          "ActiveRecord::StatementInvalid"
+        ].include?(e.class.inspect)
+          # don't validate when connection isn't esstablished
+          raise
+        end
+      end
+
+      private
+
+      def validate_auth_methods!
+        normalized = Array(auth_methods).map(&:to_sym)
+        self.auth_methods = normalized
+        allowed = [:password, :email_link, :email_otp]
+        raise Searls::Auth::Error, "auth_methods cannot be empty; enable at least one of :password, :email_link, or :email_otp" if normalized.empty?
+        unknown = normalized - allowed
+        if unknown.any?
+          raise Searls::Auth::Error, "Unknown auth_methods: #{unknown.inspect}. Allowed: #{allowed.inspect}"
+        end
+      end
+
+      def validate_email_verification_mode!
+        mode_value = email_verification_mode
+        mode = mode_value.respond_to?(:to_sym) ? mode_value.to_sym : :none
+        self.email_verification_mode = mode
+        auth_methods
+        # Allow email verification regardless of email auth methods; verification emails are separate
+      end
+
+      def validate_password_settings!
+        methods = auth_methods
+        return unless methods.include?(:password)
+
+        using_default_hooks =
+          password_verifier.equal?(Searls::Auth::DEFAULT_CONFIG[:password_verifier]) &&
+          password_setter.equal?(Searls::Auth::DEFAULT_CONFIG[:password_setter])
+
+        if using_default_hooks && defined?(::User)
+          missing = []
+          missing << "User#authenticate" unless ::User.method_defined?(:authenticate)
+          has_password_digest_method = ::User.method_defined?(:password_digest)
+          has_password_digest_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("password_digest")
+          missing << "users.password_digest" unless has_password_digest_method || has_password_digest_column
+          if missing.any?
+            raise Searls::Auth::Error, "Password login requires #{missing.join(" and ")}. Add bcrypt/has_secure_password or override password hooks."
+          end
+        end
+
+        ensure_callable!(:password_reset_token_generator)
+        ensure_callable!(:password_reset_token_finder)
+        ensure_callable!(:before_password_reset)
+        ensure_callable!(:password_present_predicate)
+        self.auto_login_after_password_reset = !!auto_login_after_password_reset
+        self.password_reset_enabled = true if password_reset_enabled.nil?
+        self.password_reset_enabled = !!password_reset_enabled
+      end
+
+      def validate_numeric_options!
+        NUMERIC_FIELDS.each do |key|
+          raw = public_send(key)
+          coerced = begin
+            Integer(raw)
+          rescue ArgumentError, TypeError
+            raise Searls::Auth::Error, "#{key} must be an integer"
+          end
+          if coerced < 1
+            raise Searls::Auth::Error, "#{key} must be >= 1"
+          end
+          public_send("#{key}=", coerced)
         end
       end
 
-      def auth_methods
-        Array(self[:auth_methods]).map(&:to_sym)
+      def validate_core_hooks!
+        HOOK_FIELDS.each { |key| ensure_callable!(key) }
+      end
+
+      def ensure_callable!(key)
+        value = public_send(key)
+        return if value.respond_to?(:call)
+
+        raise Searls::Auth::Error, "#{key} must be callable when password authentication is enabled"
+      end
+
+      def ensure_callable_optional!(key)
+        value = public_send(key)
+        return if value.nil? || value.respond_to?(:call)
+
+        raise Searls::Auth::Error, "#{key} must be callable when provided"
+      end
+
+      # If any hooks still reference the default `User` implementation, make
+      # sure a compatible `User` exists and exposes the fields/methods our
+      # defaults assume (id, email, token helpers, etc.).
+      def validate_default_user_hooks!
+        hooks_pointing_at_user = [
+          :user_finder_by_email,
+          :user_finder_by_id,
+          :user_finder_by_token,
+          :user_initializer,
+          :token_generator
+        ].select { |k| public_send(k).equal?(Searls::Auth::DEFAULT_CONFIG[k]) }
+
+        return if hooks_pointing_at_user.empty?
+
+        # Enforce these checks only when ActiveModel is present (e.g., Rails).
+        return unless defined?(::ActiveModel)
+
+        unless defined?(::User)
+          raise Searls::Auth::Error,
+            "Default hooks assume a `User` model. Define `User` (Active Record/Active Model) or override: #{hooks_pointing_at_user.inspect}"
+        end
+
+        # Proceed with concrete, per-hook capability checks.
+
+        # One-off validations for each default hook
+        if public_send(:user_finder_by_id).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_id])
+          unless ::User.respond_to?(:find_by)
+            raise Searls::Auth::Error, "Default :user_finder_by_id expects User.find_by(id: ...) to exist."
+          end
+          unless ::User.method_defined?(:id)
+            raise Searls::Auth::Error, "Default :user_finder_by_id expects a `User#id` attribute."
+          end
+        end
+
+        if public_send(:user_finder_by_email).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_email])
+          unless ::User.respond_to?(:find_by)
+            raise Searls::Auth::Error, "Default :user_finder_by_email expects User.find_by(email: ...) to exist."
+          end
+          has_email_method = ::User.method_defined?(:email)
+          has_email_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("email")
+          unless has_email_method || has_email_column
+            raise Searls::Auth::Error, "Default :user_finder_by_email expects a `users.email` attribute."
+          end
+        end
+
+        if public_send(:user_finder_by_token).equal?(Searls::Auth::DEFAULT_CONFIG[:user_finder_by_token])
+          unless ::User.respond_to?(:find_by_token_for)
+            raise Searls::Auth::Error, "Default :user_finder_by_token expects User.find_by_token_for(:email_auth, token) (Rails signed_id API)."
+          end
+        end
+
+        if public_send(:user_initializer).equal?(Searls::Auth::DEFAULT_CONFIG[:user_initializer])
+          unless ::User.respond_to?(:new)
+            raise Searls::Auth::Error, "Default :user_initializer expects `User.new(email: ...)` to work."
+          end
+          begin
+            probe = ::User.new
+            has_email_setter = probe.respond_to?(:email=)
+            has_email_column = ::User.respond_to?(:column_names) && ::User.column_names.include?("email")
+            unless has_email_setter || has_email_column
+              raise Searls::Auth::Error, "Default :user_initializer expects a writable email attribute on User."
+            end
+          rescue ArgumentError
+            # e.g., custom initialize signature
+            raise Searls::Auth::Error, "Default :user_initializer expects `User.new` with keyword args to be permissible."
+          end
+        end
+
+        if public_send(:token_generator).equal?(Searls::Auth::DEFAULT_CONFIG[:token_generator])
+          unless ::User.method_defined?(:generate_token_for)
+            raise Searls::Auth::Error, "Default :token_generator expects `user.generate_token_for(:email_auth)` (Rails signed_id API)."
+          end
+        end
       end
     end
   end

data/lib/searls/auth/creates_user.rb

@@ -11,13 +11,21 @@ module Searls
           Searls::Auth.config.user_initializer.call(params)
 
         if user.persisted?
-          Result.new(nil, false, ["An account already exists for that email address. <a href=\"#{login_path(**forwardable_params(params))}\">Log in</a> instead?".html_safe])
+          Result.new(nil, false, ["An account already exists for that email address. <a href=\"#{login_path(**forwardable_params(params))}\">Log in</a> instead?"])
         elsif (errors = Searls::Auth.config.validate_registration.call(user, params, [])).any?
           Result.new(nil, false, errors)
-        elsif user.save
-          Result.new(user, true)
         else
-          Result.new(user, false, simplified_error_messages(user))
+          if params[:password].present?
+            Searls::Auth.config.password_setter.call(user, params[:password])
+            if params[:password_confirmation].present? && user.respond_to?(:password_confirmation=)
+              user.password_confirmation = params[:password_confirmation]
+            end
+          end
+          if user.save
+            Result.new(user, true)
+          else
+            Result.new(user, false, simplified_error_messages(user))
+          end
         end
       end
 

data/lib/searls/auth/delivers_password_reset.rb

@@ -0,0 +1,18 @@
+module Searls
+  module Auth
+    class DeliversPasswordReset
+      Result = Struct.new(:success?, keyword_init: true)
+
+      def deliver(user:, redirect_path: nil, redirect_subdomain: nil)
+        token = Searls::Auth.config.password_reset_token_generator.call(user)
+        PasswordResetMailer.with(
+          user:,
+          token:,
+          redirect_path:,
+          redirect_subdomain:
+        ).password_reset.deliver_later
+        Result.new(success?: true)
+      end
+    end
+  end
+end

data/lib/searls/auth/emails_link.rb

@@ -1,11 +1,11 @@
 module Searls
   module Auth
     class EmailsLink
-      def email(user:, short_code:, redirect_path: nil, redirect_subdomain: nil)
+      def email(user:, email_otp:, redirect_path: nil, redirect_subdomain: nil)
         LoginLinkMailer.with(
           user:,
           token: (Searls::Auth.config.auth_methods.include?(:email_link) ? generate_token!(user) : nil),
-          short_code: (Searls::Auth.config.auth_methods.include?(:email_otp) ? short_code : nil),
+          email_otp: (Searls::Auth.config.auth_methods.include?(:email_otp) ? email_otp : nil),
           redirect_path:,
           redirect_subdomain:
         ).login_link.deliver_later

data/lib/searls/auth/emails_verification.rb

@@ -0,0 +1,33 @@
+module Searls
+  module Auth
+    class EmailsVerification
+      def email(user:, redirect_path: nil, redirect_subdomain: nil)
+        EmailVerificationMailer.with(
+          user:,
+          token: generate_token!(user),
+          redirect_path:,
+          redirect_subdomain:
+        ).verification_email.deliver_later
+      end
+
+      private
+
+      def generate_token!(user)
+        Searls::Auth.config.token_generator.call(user)
+      rescue KeyError => e
+        raise Error, <<~MSG
+          Secure token generation for user failed!
+
+          Message: #{e.message}
+          User: #{user.inspect}
+
+          This can probably be fixed by adding a line like this to your #{user.class.name} class:
+
+            generates_token_for :email_auth, expires_in: 30.minutes
+
+          Otherwise, you may want to override searls-auth's "token_generator" setting with a proc of your own.
+        MSG
+      end
+    end
+  end
+end

data/lib/searls/auth/parses_time_safely.rb

@@ -0,0 +1,34 @@
+require "active_support/time"
+
+module Searls
+  module Auth
+    class ParsesTimeSafely
+      def parse(input)
+        return nil if input.nil?
+
+        case input
+        when String
+          parse_string(input)
+        when Integer, Float
+          Time.at(input).in_time_zone
+        else
+          if input.respond_to?(:in_time_zone)
+            input.in_time_zone
+          else
+            parse_string(input.to_s)
+          end
+        end
+      rescue ArgumentError, TypeError, NoMethodError
+        nil
+      end
+
+      private
+
+      def parse_string(s)
+        if !(stripped = s.strip).empty?
+          Time.zone.parse(stripped)
+        end
+      end
+    end
+  end
+end

data/lib/searls/auth/railtie.rb

@@ -13,7 +13,6 @@ module Searls
 
       # Initialize configuration defaults
       initializer "searls.auth.configure" do |app|
-        # Set up any configuration defaults here
       end
     end
   end