securial 0.6.1 → 0.8.0

data/lib/generators/securial/install/templates/securial_initializer.erb

@@ -11,7 +11,7 @@ Securial.configure do |config|
   config.log_to_stdout = true # Enable or disable logging to STDOUT
 
   # Set log level for file logger: :debug, :info, :warn, :error, :fatal, or :unknown
-  config.log_file_level = :info
+  config.log_file_level = :debug
 
   # Set log level for stdout logger
   config.log_stdout_level = :debug
@@ -60,7 +60,7 @@ Securial.configure do |config|
   ## Set the password reset email subject
   # This is the subject line that will be used for the password reset
   # email. The default is "Password Reset Instructions".
-  config.password_reset_email_subject = "Password Reset Instructions"
+  config.mailer_forgot_password_subject = "Password Reset Instructions"
 
   ## Set the minimum password length
   # This is the minimum length that a password must have

data/lib/generators/securial/scaffold/templates/controller.erb

@@ -29,6 +29,7 @@ module Securial
 
     def destroy
       @<%= singular_table_name %>.destroy
+      head :no_content
     end
 
     private

data/lib/generators/securial/scaffold/templates/routes.erb

@@ -2,7 +2,7 @@ Securial::Engine.routes.draw do
   defaults format: :json do
     get "/status", to: "status#show", as: :status
 
-    namespace Securial.admin_namespace do
+    namespace Securial.protected_namespace do
       # Placeholder for admin-specific routes. Add routes here as needed.
       # For example:
       # resources :users, only: [:index, :show]

data/lib/securial/auth/auth_encoder.rb

@@ -1,56 +1,55 @@
+require "jwt"
+
 module Securial
   module Auth
     module AuthEncoder
-      class << self
-        def encode(session)
-          return nil unless session && session.class == Securial::Session
-
-          base_payload = {
-            jti: session.id,
-            exp: expiry_duration.from_now.to_i,
-            sub: "session-access-token",
-            refresh_count: session.refresh_count,
-          }
-
-          session_payload = {
-            ip: session.ip_address,
-            agent: session.user_agent,
-          }
-
-          payload = base_payload.merge(session_payload)
-          begin
-            JWT.encode(payload, secret, algorithm, { kid: "hmac" })
-          rescue JWT::EncodeError => e
-            raise Errors::AuthEncodeError, "Failed to encode session: #{e.message}"
-          end
+      module_function
+
+      def encode(session)
+        return nil unless session && session.class == Securial::Session
+
+        base_payload = {
+          jti: session.id,
+          exp: expiry_duration.from_now.to_i,
+          sub: "session-access-token",
+          refresh_count: session.refresh_count,
+        }
+
+        session_payload = {
+          ip: session.ip_address,
+          agent: session.user_agent,
+        }
+
+        payload = base_payload.merge(session_payload)
+        begin
+          ::JWT.encode(payload, secret, algorithm, { kid: "hmac" })
+        rescue JWT::EncodeError
+          raise Securial::Error::Auth::TokenEncodeError
         end
+      end
 
-        def decode(token)
-          begin
-          decoded = JWT.decode(token, secret, true, { algorithm: algorithm, verify_jti: true, iss: "securial" })
-          rescue JWT::DecodeError => e
-            raise Securial::Auth::Errors::AuthDecodeError, "Failed to decode session token: #{e.message}"
-          end
-          decoded.first
+      def decode(token)
+        begin
+          decoded = ::JWT.decode(token, secret, true, { algorithm: algorithm, verify_jti: true, iss: "securial" })
+        rescue JWT::DecodeError
+          raise Securial::Error::Auth::TokenDecodeError
         end
+        decoded.first
+      end
 
-        private
-
-        def secret
-          # Config::Validation.validate_session_secret!(Securial.configuration)
-          Securial.configuration.session_secret
-        end
+      def secret
+        Securial.configuration.session_secret
+      end
 
-        def algorithm
-          # Config::Validation.validate_session_algorithm!(Securial.configuration)
-          Securial.configuration.session_algorithm.to_s.upcase
-        end
+      def algorithm
+        Securial.configuration.session_algorithm.to_s.upcase
+      end
 
-        def expiry_duration
-          # Config::Validation.validate_session_expiry_duration!(Securial.configuration)
-          Securial.configuration.session_expiration_duration
-        end
+      def expiry_duration
+        Securial.configuration.session_expiration_duration
       end
+
+      private_class_method :secret, :algorithm, :expiry_duration
     end
   end
 end

data/lib/securial/auth/session_creator.rb

@@ -1,19 +1,22 @@
 module Securial
   module Auth
     module SessionCreator
-      class << self
-        def create_session(user, request)
-          return nil unless user && user.persisted? && request.is_a?(ActionDispatch::Request)
+      module_function
 
-          user.sessions.create!(
-            user_agent: request.user_agent,
-            ip_address: request.remote_ip,
-            refresh_token: SecureRandom.hex(64),
-            last_refreshed_at: Time.current,
-            refresh_token_expires_at: 1.week.from_now,
-          ).tap do |session|
-            Current.session = session
-          end
+      def create_session!(user, request)
+        valid_user = user && user.is_a?(Securial::User) && user.persisted?
+        valid_request = request.is_a?(ActionDispatch::Request)
+
+        return nil unless valid_user && valid_request
+
+        user.sessions.create!(
+          user_agent: request.user_agent,
+          ip_address: request.remote_ip,
+          refresh_token: Securial::Auth::TokenGenerator.generate_refresh_token,
+          last_refreshed_at: Time.current,
+          refresh_token_expires_at: 1.week.from_now,
+        ).tap do |session|
+          Current.session = session
         end
       end
     end

data/lib/securial/auth/token_generator.rb

@@ -0,0 +1,26 @@
+require "openssl"
+require "securerandom"
+
+module Securial
+  module Auth
+    module TokenGenerator
+      class << self
+        def generate_refresh_token
+          secret = Securial.configuration.session_secret
+          algo = "SHA256"
+
+          random_data = SecureRandom.hex(32)
+          digest = OpenSSL::Digest.new(algo)
+          hmac = OpenSSL::HMAC.hexdigest(digest, secret, random_data)
+
+          "#{hmac}#{random_data}"
+        end
+
+        def generate_password_reset_token
+          token = SecureRandom.alphanumeric(12)
+          "#{token[0, 6]}-#{token[6, 6]}"
+        end
+      end
+    end
+  end
+end

data/lib/securial/auth.rb

@@ -0,0 +1,12 @@
+require "securial/auth/auth_encoder"
+require "securial/auth/session_creator"
+require "securial/auth/token_generator"
+
+module Securial
+  module Auth
+    # This is a placeholder for the Auth module.
+    # It can be used to include authentication-related methods or constants
+    # that are not specific to encoding or session creation.
+    # Currently, it serves as a namespace for the AuthEncoder and SessionCreator modules.
+  end
+end

data/lib/securial/config/configuration.rb

@@ -1,33 +1,52 @@
-require_relative "../helpers/_index"
+require "securial/config/validation"
+require "securial/helpers/regex_helper"
+
 module Securial
   module Config
-    VALID_SESSION_ENCRYPTION_ALGORITHMS = [:hs256, :hs384, :hs512].freeze
-    VALID_TIMESTAMP_OPTIONS = [:all, :admins_only, :none].freeze
-    VALID_RESPONSE_KEYS_FORMATS = [:snake_case, :lowerCamelCase, :UpperCamelCase].freeze
-    VALID_SECURITY_HEADERS = [:strict, :default, :none].freeze
-
     class Configuration
-      def self.config_attributes # rubocop:disable Metrics/MethodLength
+      def self.default_config_attributes # rubocop:disable Metrics/MethodLength
         {
+          # General configuration
+          app_name: "Securial",
+
+          # Logger configuration
           log_to_file: !Rails.env.test?,
           log_to_stdout: !Rails.env.test?,
-          log_file_level: :info,
+          log_file_level: :debug,
           log_stdout_level: :debug,
+
+          # Roles configuration
           admin_role: :admin,
+
           session_expiration_duration: 3.minutes,
           session_secret: "secret",
           session_algorithm: :hs256,
+          session_refresh_token_expires_in: 1.week,
+
+          # Mailer configuration
           mailer_sender: "no-reply@example.com",
-          password_reset_email_subject: "SECURIAL: Password Reset Instructions",
+          mailer_sign_up_enabled: true,
+          mailer_sign_up_subject: "SECURIAL: Welcome to Our Service",
+          mailer_sign_in_enabled: true,
+          mailer_sign_in_subject: "SECURIAL: Sign In Notification",
+          mailer_update_account_enabled: true,
+          mailer_update_account_subject: "SECURIAL: Account Update Notification",
+          mailer_forgot_password_subject: "SECURIAL: Password Reset Instructions",
+
+          # Password configuration
           password_min_length: 8,
           password_max_length: 128,
-          password_complexity: Securial::RegexHelper::PASSWORD_REGEX,
+          password_complexity: Securial::Helpers::RegexHelper::PASSWORD_REGEX,
           password_expires: true,
           password_expires_in: 90.days,
           reset_password_token_expires_in: 2.hours,
           reset_password_token_secret: "reset_secret",
-          timestamps_in_response: :all,
+
+          # Response configuration
           response_keys_format: :snake_case,
+          timestamps_in_response: :all,
+
+          # Security configuration
           security_headers: :strict,
           rate_limiting_enabled: true,
           rate_limit_requests_per_minute: 60,
@@ -37,13 +56,12 @@ module Securial
       end
 
       def initialize
-        self.class.config_attributes.each do |attr, default|
-          instance_variable_set("@#{attr}", default)
+        self.class.default_config_attributes.each do |attr, default_value|
+          instance_variable_set("@#{attr}", default_value)
         end
-        validate!
       end
 
-      config_attributes.each_key do |attr|
+      default_config_attributes.each_key do |attr|
         define_method(attr) { instance_variable_get("@#{attr}") }
 
         define_method("#{attr}=") do |value|

data/lib/securial/config/validation/logger_validation.rb

@@ -0,0 +1,29 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module LoggerValidation
+        class << self
+          LEVELS = %i[debug info warn error fatal unknown].freeze
+
+          def validate!(securial_config)
+            allowed_options = {
+              log_to_file: [securial_config.log_to_file, [true, false], "boolean"],
+              log_to_stdout: [securial_config.log_to_stdout, [true, false], "boolean"],
+              log_file_level: [securial_config.log_file_level, LEVELS, "symbol"],
+              log_stdout_level: [securial_config.log_stdout_level, LEVELS, "symbol"],
+            }
+
+            allowed_options.each do |attr, (value, allowed, type)|
+              unless allowed.include?(value)
+                allowed_values = type == "symbol" ? allowed.map { |v| ":#{v}" }.join(", ") : allowed.join(", ")
+                raise Securial::Error::Config::LoggerValidationError, "#{attr} must be a #{type}. Allowed values: #{allowed_values}. Received: #{value.inspect}"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/mailer_validation.rb

@@ -0,0 +1,24 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module MailerValidation
+        class << self
+          def validate!(securial_config)
+            if securial_config.mailer_sender.blank?
+              error_message = "Mailer sender is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::MailerValidationError, error_message
+            end
+            if securial_config.mailer_sender !~  URI::MailTo::EMAIL_REGEXP
+              error_message = "Mailer sender is not a valid email address."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::MailerValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/password_validation.rb

@@ -0,0 +1,91 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module PasswordValidation
+        class << self
+          def validate!(securial_config)
+            validate_password_reset_subject!(securial_config)
+            validate_password_min_max_length!(securial_config)
+            validate_password_complexity!(securial_config)
+            validate_password_expiration!(securial_config)
+            validate_password_reset_token!(securial_config)
+          end
+
+          private
+
+          def validate_password_reset_token!(securial_config)
+            if securial_config.reset_password_token_secret.blank?
+              error_message = "Reset password token secret is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.reset_password_token_secret.is_a?(String)
+              error_message = "Reset password token secret must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.reset_password_token_expires_in.is_a?(ActiveSupport::Duration) && securial_config.reset_password_token_expires_in > 0
+              error_message = "Reset password token expiration must be a valid ActiveSupport::Duration greater than 0."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_reset_subject!(securial_config)
+            if securial_config.mailer_forgot_password_subject.blank?
+              error_message = "Password reset email subject is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.mailer_forgot_password_subject.is_a?(String)
+              error_message = "Password reset email subject must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_min_max_length!(securial_config)
+            unless securial_config.password_min_length.is_a?(Integer) && securial_config.password_min_length > 0
+              error_message = "Password minimum length must be a positive integer."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.password_max_length.is_a?(Integer) && securial_config.password_max_length >= securial_config.password_min_length
+              error_message = "Password maximum length must be an integer greater than or equal to the minimum length."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_complexity!(securial_config)
+            if securial_config.password_complexity.nil? || !securial_config.password_complexity.is_a?(Regexp)
+              error_message = "Password complexity regex is not set or is not a valid Regexp."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_expiration!(securial_config)
+            unless securial_config.password_expires.is_a?(TrueClass) || securial_config.password_expires.is_a?(FalseClass)
+              error_message = "Password expiration must be a boolean value."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+
+            if securial_config.password_expires == true && (
+              securial_config.password_expires_in.nil? ||
+              !securial_config.password_expires_in.is_a?(ActiveSupport::Duration) ||
+              securial_config.password_expires_in <= 0
+              )
+              error_message = "Password expiration duration is not set or is not a valid ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/response_validation.rb

@@ -0,0 +1,37 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module ResponseValidation
+        class << self
+          VALID_TIMESTAMP_OPTIONS = %i[all admins_only none].freeze
+          VALID_RESPONSE_KEYS_FORMATS = %i[snake_case lowerCamelCase UpperCamelCase].freeze
+
+          def validate!(securial_config)
+            validate_response_keys_format!(securial_config)
+            validate_timestamps_in_response!(securial_config)
+          end
+
+          private
+
+          def validate_response_keys_format!(securial_config)
+            unless VALID_RESPONSE_KEYS_FORMATS.include?(securial_config.response_keys_format)
+              error_message = "Invalid response_keys_format option. Valid options are: #{VALID_RESPONSE_KEYS_FORMATS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::ResponseValidationError, error_message
+            end
+          end
+
+          def validate_timestamps_in_response!(securial_config)
+            unless VALID_TIMESTAMP_OPTIONS.include?(securial_config.timestamps_in_response)
+              error_message = "Invalid timestamps_in_response option. Valid options are: #{VALID_TIMESTAMP_OPTIONS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::ResponseValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/roles_validation.rb

@@ -0,0 +1,32 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module RolesValidation
+        class << self
+          def validate!(securial_config)
+            if securial_config.admin_role.nil? || securial_config.admin_role.to_s.strip.empty?
+              error_message = "Admin role is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+
+            unless securial_config.admin_role.is_a?(Symbol) || securial_config.admin_role.is_a?(String)
+              error_message = "Admin role must be a Symbol or String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+
+            admin_role_downcase = securial_config.admin_role.to_s.downcase
+            if admin_role_downcase == "account" || admin_role_downcase == "accounts"
+              error_message = "The admin role cannot be 'account' or 'accounts' as it conflicts with the default routes."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/security_validation.rb

@@ -0,0 +1,56 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module SecurityValidation
+        class << self
+          VALID_SECURITY_HEADERS = %i[strict default none].freeze
+
+          def validate!(securial_config)
+            validate_security_headers!(securial_config)
+            validate_rate_limiting!(securial_config)
+          end
+
+          private
+
+          def validate_security_headers!(securial_config)
+            unless VALID_SECURITY_HEADERS.include?(securial_config.security_headers)
+              error_message = "Invalid security_headers option. Valid options are: #{VALID_SECURITY_HEADERS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+          end
+
+          def validate_rate_limiting!(securial_config) # rubocop:disable Metrics/MethodLength
+            unless securial_config.rate_limiting_enabled.is_a?(TrueClass) || securial_config.rate_limiting_enabled.is_a?(FalseClass)
+              error_message = "rate_limiting_enabled must be a boolean value."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            return unless securial_config.rate_limiting_enabled
+
+            unless securial_config.rate_limit_requests_per_minute.is_a?(Integer) && securial_config.rate_limit_requests_per_minute > 0
+              error_message = "rate_limit_requests_per_minute must be a positive integer when rate limiting is enabled."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            unless securial_config.rate_limit_response_status.is_a?(Integer) && securial_config.rate_limit_response_status.between?(400, 599)
+              error_message = "rate_limit_response_status must be an HTTP status code between 4xx and 5xx."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            unless securial_config.rate_limit_response_message.is_a?(String) && !securial_config.rate_limit_response_message.strip.empty?
+              error_message = "rate_limit_response_message must be a non-empty String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/session_validation.rb

@@ -0,0 +1,87 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module SessionValidation
+        class << self
+          VALID_SESSION_ENCRYPTION_ALGORITHMS = %i[hs256 hs384 hs512].freeze
+
+          def validate!(securial_config)
+            validate_session_expiry_duration!(securial_config)
+            validate_session_algorithm!(securial_config)
+            validate_session_secret!(securial_config)
+            validate_session_refresh_token!(securial_config)
+          end
+
+          private
+
+          def validate_session_expiry_duration!(securial_config)
+            if securial_config.session_expiration_duration.nil?
+              error_message = "Session expiration duration is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_expiration_duration.class != ActiveSupport::Duration
+              error_message = "Session expiration duration must be an ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_expiration_duration <= 0
+              Securial.logger.fatal("Session expiration duration must be greater than 0.")
+              raise Securial::Error::Config::SessionValidationError, "Session expiration duration must be greater than 0."
+            end
+          end
+
+          def validate_session_algorithm!(securial_config)
+            if securial_config.session_algorithm.blank?
+              error_message = "Session algorithm is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless securial_config.session_algorithm.is_a?(Symbol)
+              error_message = "Session algorithm must be a Symbol."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless VALID_SESSION_ENCRYPTION_ALGORITHMS.include?(securial_config.session_algorithm)
+              error_message = "Invalid session algorithm. Valid options are: #{VALID_SESSION_ENCRYPTION_ALGORITHMS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+          end
+
+          def validate_session_secret!(securial_config)
+            if securial_config.session_secret.blank?
+              error_message = "Session secret is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless securial_config.session_secret.is_a?(String)
+              error_message = "Session secret must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+          end
+
+          def validate_session_refresh_token!(securial_config)
+            if securial_config.session_refresh_token_expires_in.nil?
+              error_message = "Session refresh token expiration duration is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_refresh_token_expires_in.class != ActiveSupport::Duration
+              error_message = "Session refresh token expiration duration must be an ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_refresh_token_expires_in <= 0
+              Securial.logger.fatal("Session refresh token expiration duration must be greater than 0.")
+              raise Securial::Error::Config::SessionValidationError, "Session refresh token expiration duration must be greater than 0."
+            end
+          end
+        end
+      end
+    end
+  end
+end