securial 0.7.0 → 0.8.0

data/lib/securial/auth/auth_encoder.rb

@@ -1,3 +1,5 @@
+require "jwt"
+
 module Securial
   module Auth
     module AuthEncoder
@@ -20,17 +22,17 @@ module Securial
 
         payload = base_payload.merge(session_payload)
         begin
-          JWT.encode(payload, secret, algorithm, { kid: "hmac" })
-        rescue JWT::EncodeError => e
-          raise Errors::AuthEncodeError, "Failed to encode session: #{e.message}"
+          ::JWT.encode(payload, secret, algorithm, { kid: "hmac" })
+        rescue JWT::EncodeError
+          raise Securial::Error::Auth::TokenEncodeError
         end
       end
 
       def decode(token)
         begin
-          decoded = JWT.decode(token, secret, true, { algorithm: algorithm, verify_jti: true, iss: "securial" })
-        rescue JWT::DecodeError => e
-          raise Securial::Auth::Errors::AuthDecodeError, "Failed to decode session token: #{e.message}"
+          decoded = ::JWT.decode(token, secret, true, { algorithm: algorithm, verify_jti: true, iss: "securial" })
+        rescue JWT::DecodeError
+          raise Securial::Error::Auth::TokenDecodeError
         end
         decoded.first
       end

data/lib/securial/auth/session_creator.rb

@@ -3,13 +3,16 @@ module Securial
     module SessionCreator
       module_function
 
-      def create_session(user, request)
-        return nil unless user && user.persisted? && request.is_a?(ActionDispatch::Request)
+      def create_session!(user, request)
+        valid_user = user && user.is_a?(Securial::User) && user.persisted?
+        valid_request = request.is_a?(ActionDispatch::Request)
+
+        return nil unless valid_user && valid_request
 
         user.sessions.create!(
           user_agent: request.user_agent,
           ip_address: request.remote_ip,
-          refresh_token: SecureRandom.hex(64),
+          refresh_token: Securial::Auth::TokenGenerator.generate_refresh_token,
           last_refreshed_at: Time.current,
           refresh_token_expires_at: 1.week.from_now,
         ).tap do |session|

data/lib/securial/auth/token_generator.rb

@@ -0,0 +1,26 @@
+require "openssl"
+require "securerandom"
+
+module Securial
+  module Auth
+    module TokenGenerator
+      class << self
+        def generate_refresh_token
+          secret = Securial.configuration.session_secret
+          algo = "SHA256"
+
+          random_data = SecureRandom.hex(32)
+          digest = OpenSSL::Digest.new(algo)
+          hmac = OpenSSL::HMAC.hexdigest(digest, secret, random_data)
+
+          "#{hmac}#{random_data}"
+        end
+
+        def generate_password_reset_token
+          token = SecureRandom.alphanumeric(12)
+          "#{token[0, 6]}-#{token[6, 6]}"
+        end
+      end
+    end
+  end
+end

data/lib/securial/auth.rb

@@ -1,10 +1,12 @@
-require "securial/auth/errors"
-require_relative "auth/auth_encoder"
-require_relative "auth/session_creator"
+require "securial/auth/auth_encoder"
+require "securial/auth/session_creator"
+require "securial/auth/token_generator"
 
 module Securial
   module Auth
-    # This module serves as a namespace for authentication-related components.
-    # It requires all key auth files: Errors, AuthEncoder, SessionCreator.
+    # This is a placeholder for the Auth module.
+    # It can be used to include authentication-related methods or constants
+    # that are not specific to encoding or session creation.
+    # Currently, it serves as a namespace for the AuthEncoder and SessionCreator modules.
   end
 end

data/lib/securial/config/configuration.rb

@@ -1,24 +1,39 @@
-require "securial/helpers"
+require "securial/config/validation"
+require "securial/helpers/regex_helper"
+
 module Securial
   module Config
-    VALID_SESSION_ENCRYPTION_ALGORITHMS = [:hs256, :hs384, :hs512].freeze
-    VALID_TIMESTAMP_OPTIONS = [:all, :admins_only, :none].freeze
-    VALID_RESPONSE_KEYS_FORMATS = [:snake_case, :lowerCamelCase, :UpperCamelCase].freeze
-    VALID_SECURITY_HEADERS = [:strict, :default, :none].freeze
-
     class Configuration
-      def self.config_attributes # rubocop:disable Metrics/MethodLength
+      def self.default_config_attributes # rubocop:disable Metrics/MethodLength
         {
+          # General configuration
+          app_name: "Securial",
+
+          # Logger configuration
           log_to_file: !Rails.env.test?,
           log_to_stdout: !Rails.env.test?,
           log_file_level: :debug,
           log_stdout_level: :debug,
+
+          # Roles configuration
           admin_role: :admin,
+
           session_expiration_duration: 3.minutes,
           session_secret: "secret",
           session_algorithm: :hs256,
+          session_refresh_token_expires_in: 1.week,
+
+          # Mailer configuration
           mailer_sender: "no-reply@example.com",
-          password_reset_email_subject: "SECURIAL: Password Reset Instructions",
+          mailer_sign_up_enabled: true,
+          mailer_sign_up_subject: "SECURIAL: Welcome to Our Service",
+          mailer_sign_in_enabled: true,
+          mailer_sign_in_subject: "SECURIAL: Sign In Notification",
+          mailer_update_account_enabled: true,
+          mailer_update_account_subject: "SECURIAL: Account Update Notification",
+          mailer_forgot_password_subject: "SECURIAL: Password Reset Instructions",
+
+          # Password configuration
           password_min_length: 8,
           password_max_length: 128,
           password_complexity: Securial::Helpers::RegexHelper::PASSWORD_REGEX,
@@ -26,8 +41,12 @@ module Securial
           password_expires_in: 90.days,
           reset_password_token_expires_in: 2.hours,
           reset_password_token_secret: "reset_secret",
-          timestamps_in_response: :all,
+
+          # Response configuration
           response_keys_format: :snake_case,
+          timestamps_in_response: :all,
+
+          # Security configuration
           security_headers: :strict,
           rate_limiting_enabled: true,
           rate_limit_requests_per_minute: 60,
@@ -37,13 +56,12 @@ module Securial
       end
 
       def initialize
-        self.class.config_attributes.each do |attr, default|
-          instance_variable_set("@#{attr}", default)
+        self.class.default_config_attributes.each do |attr, default_value|
+          instance_variable_set("@#{attr}", default_value)
         end
-        validate!
       end
 
-      config_attributes.each_key do |attr|
+      default_config_attributes.each_key do |attr|
         define_method(attr) { instance_variable_get("@#{attr}") }
 
         define_method("#{attr}=") do |value|

data/lib/securial/config/validation/logger_validation.rb

@@ -0,0 +1,29 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module LoggerValidation
+        class << self
+          LEVELS = %i[debug info warn error fatal unknown].freeze
+
+          def validate!(securial_config)
+            allowed_options = {
+              log_to_file: [securial_config.log_to_file, [true, false], "boolean"],
+              log_to_stdout: [securial_config.log_to_stdout, [true, false], "boolean"],
+              log_file_level: [securial_config.log_file_level, LEVELS, "symbol"],
+              log_stdout_level: [securial_config.log_stdout_level, LEVELS, "symbol"],
+            }
+
+            allowed_options.each do |attr, (value, allowed, type)|
+              unless allowed.include?(value)
+                allowed_values = type == "symbol" ? allowed.map { |v| ":#{v}" }.join(", ") : allowed.join(", ")
+                raise Securial::Error::Config::LoggerValidationError, "#{attr} must be a #{type}. Allowed values: #{allowed_values}. Received: #{value.inspect}"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/mailer_validation.rb

@@ -0,0 +1,24 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module MailerValidation
+        class << self
+          def validate!(securial_config)
+            if securial_config.mailer_sender.blank?
+              error_message = "Mailer sender is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::MailerValidationError, error_message
+            end
+            if securial_config.mailer_sender !~  URI::MailTo::EMAIL_REGEXP
+              error_message = "Mailer sender is not a valid email address."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::MailerValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/password_validation.rb

@@ -0,0 +1,91 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module PasswordValidation
+        class << self
+          def validate!(securial_config)
+            validate_password_reset_subject!(securial_config)
+            validate_password_min_max_length!(securial_config)
+            validate_password_complexity!(securial_config)
+            validate_password_expiration!(securial_config)
+            validate_password_reset_token!(securial_config)
+          end
+
+          private
+
+          def validate_password_reset_token!(securial_config)
+            if securial_config.reset_password_token_secret.blank?
+              error_message = "Reset password token secret is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.reset_password_token_secret.is_a?(String)
+              error_message = "Reset password token secret must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.reset_password_token_expires_in.is_a?(ActiveSupport::Duration) && securial_config.reset_password_token_expires_in > 0
+              error_message = "Reset password token expiration must be a valid ActiveSupport::Duration greater than 0."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_reset_subject!(securial_config)
+            if securial_config.mailer_forgot_password_subject.blank?
+              error_message = "Password reset email subject is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.mailer_forgot_password_subject.is_a?(String)
+              error_message = "Password reset email subject must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_min_max_length!(securial_config)
+            unless securial_config.password_min_length.is_a?(Integer) && securial_config.password_min_length > 0
+              error_message = "Password minimum length must be a positive integer."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+            unless securial_config.password_max_length.is_a?(Integer) && securial_config.password_max_length >= securial_config.password_min_length
+              error_message = "Password maximum length must be an integer greater than or equal to the minimum length."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_complexity!(securial_config)
+            if securial_config.password_complexity.nil? || !securial_config.password_complexity.is_a?(Regexp)
+              error_message = "Password complexity regex is not set or is not a valid Regexp."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+
+          def validate_password_expiration!(securial_config)
+            unless securial_config.password_expires.is_a?(TrueClass) || securial_config.password_expires.is_a?(FalseClass)
+              error_message = "Password expiration must be a boolean value."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+
+            if securial_config.password_expires == true && (
+              securial_config.password_expires_in.nil? ||
+              !securial_config.password_expires_in.is_a?(ActiveSupport::Duration) ||
+              securial_config.password_expires_in <= 0
+              )
+              error_message = "Password expiration duration is not set or is not a valid ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::PasswordValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/response_validation.rb

@@ -0,0 +1,37 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module ResponseValidation
+        class << self
+          VALID_TIMESTAMP_OPTIONS = %i[all admins_only none].freeze
+          VALID_RESPONSE_KEYS_FORMATS = %i[snake_case lowerCamelCase UpperCamelCase].freeze
+
+          def validate!(securial_config)
+            validate_response_keys_format!(securial_config)
+            validate_timestamps_in_response!(securial_config)
+          end
+
+          private
+
+          def validate_response_keys_format!(securial_config)
+            unless VALID_RESPONSE_KEYS_FORMATS.include?(securial_config.response_keys_format)
+              error_message = "Invalid response_keys_format option. Valid options are: #{VALID_RESPONSE_KEYS_FORMATS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::ResponseValidationError, error_message
+            end
+          end
+
+          def validate_timestamps_in_response!(securial_config)
+            unless VALID_TIMESTAMP_OPTIONS.include?(securial_config.timestamps_in_response)
+              error_message = "Invalid timestamps_in_response option. Valid options are: #{VALID_TIMESTAMP_OPTIONS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::ResponseValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/roles_validation.rb

@@ -0,0 +1,32 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module RolesValidation
+        class << self
+          def validate!(securial_config)
+            if securial_config.admin_role.nil? || securial_config.admin_role.to_s.strip.empty?
+              error_message = "Admin role is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+
+            unless securial_config.admin_role.is_a?(Symbol) || securial_config.admin_role.is_a?(String)
+              error_message = "Admin role must be a Symbol or String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+
+            admin_role_downcase = securial_config.admin_role.to_s.downcase
+            if admin_role_downcase == "account" || admin_role_downcase == "accounts"
+              error_message = "The admin role cannot be 'account' or 'accounts' as it conflicts with the default routes."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::RolesValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/security_validation.rb

@@ -0,0 +1,56 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module SecurityValidation
+        class << self
+          VALID_SECURITY_HEADERS = %i[strict default none].freeze
+
+          def validate!(securial_config)
+            validate_security_headers!(securial_config)
+            validate_rate_limiting!(securial_config)
+          end
+
+          private
+
+          def validate_security_headers!(securial_config)
+            unless VALID_SECURITY_HEADERS.include?(securial_config.security_headers)
+              error_message = "Invalid security_headers option. Valid options are: #{VALID_SECURITY_HEADERS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+          end
+
+          def validate_rate_limiting!(securial_config) # rubocop:disable Metrics/MethodLength
+            unless securial_config.rate_limiting_enabled.is_a?(TrueClass) || securial_config.rate_limiting_enabled.is_a?(FalseClass)
+              error_message = "rate_limiting_enabled must be a boolean value."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            return unless securial_config.rate_limiting_enabled
+
+            unless securial_config.rate_limit_requests_per_minute.is_a?(Integer) && securial_config.rate_limit_requests_per_minute > 0
+              error_message = "rate_limit_requests_per_minute must be a positive integer when rate limiting is enabled."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            unless securial_config.rate_limit_response_status.is_a?(Integer) && securial_config.rate_limit_response_status.between?(400, 599)
+              error_message = "rate_limit_response_status must be an HTTP status code between 4xx and 5xx."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+
+            unless securial_config.rate_limit_response_message.is_a?(String) && !securial_config.rate_limit_response_message.strip.empty?
+              error_message = "rate_limit_response_message must be a non-empty String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SecurityValidationError, error_message
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/securial/config/validation/session_validation.rb

@@ -0,0 +1,87 @@
+require "securial/error"
+
+module Securial
+  module Config
+    module Validation
+      module SessionValidation
+        class << self
+          VALID_SESSION_ENCRYPTION_ALGORITHMS = %i[hs256 hs384 hs512].freeze
+
+          def validate!(securial_config)
+            validate_session_expiry_duration!(securial_config)
+            validate_session_algorithm!(securial_config)
+            validate_session_secret!(securial_config)
+            validate_session_refresh_token!(securial_config)
+          end
+
+          private
+
+          def validate_session_expiry_duration!(securial_config)
+            if securial_config.session_expiration_duration.nil?
+              error_message = "Session expiration duration is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_expiration_duration.class != ActiveSupport::Duration
+              error_message = "Session expiration duration must be an ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_expiration_duration <= 0
+              Securial.logger.fatal("Session expiration duration must be greater than 0.")
+              raise Securial::Error::Config::SessionValidationError, "Session expiration duration must be greater than 0."
+            end
+          end
+
+          def validate_session_algorithm!(securial_config)
+            if securial_config.session_algorithm.blank?
+              error_message = "Session algorithm is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless securial_config.session_algorithm.is_a?(Symbol)
+              error_message = "Session algorithm must be a Symbol."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless VALID_SESSION_ENCRYPTION_ALGORITHMS.include?(securial_config.session_algorithm)
+              error_message = "Invalid session algorithm. Valid options are: #{VALID_SESSION_ENCRYPTION_ALGORITHMS.map(&:inspect).join(', ')}."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+          end
+
+          def validate_session_secret!(securial_config)
+            if securial_config.session_secret.blank?
+              error_message = "Session secret is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            unless securial_config.session_secret.is_a?(String)
+              error_message = "Session secret must be a String."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+          end
+
+          def validate_session_refresh_token!(securial_config)
+            if securial_config.session_refresh_token_expires_in.nil?
+              error_message = "Session refresh token expiration duration is not set."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_refresh_token_expires_in.class != ActiveSupport::Duration
+              error_message = "Session refresh token expiration duration must be an ActiveSupport::Duration."
+              Securial.logger.fatal(error_message)
+              raise Securial::Error::Config::SessionValidationError, error_message
+            end
+            if securial_config.session_refresh_token_expires_in <= 0
+              Securial.logger.fatal("Session refresh token expiration duration must be greater than 0.")
+              raise Securial::Error::Config::SessionValidationError, "Session refresh token expiration duration must be greater than 0."
+            end
+          end
+        end
+      end
+    end
+  end
+end