sessions 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f088a81ac84fec5df0bfd521c3d4012fa6a91a4a84e22e997e22d18ef1658b1b
-  data.tar.gz: d50021247992ad1bef65b9a4d5f678146e774501b6adaa0af87840ec1e8ce988
+  metadata.gz: 2c9417a89572ea4f860d64648e8d085b9074dd4914d3078dbdf6e116c5087d10
+  data.tar.gz: fda35041ba991b3dbfd4c4789eedd16f17c42764805f6fba633e956920796e6b
 SHA512:
-  metadata.gz: ab013f9e59218a51e6f580deaa8d1bf01e45a4fd22eded95d91e1d4e2ba434d433bceedddf06d349dcfdfa63fd2b3678c8aaa9742729353da439e6e01778115e
-  data.tar.gz: 10eabd4758d01e1cf0ed44df351f8182dfe27c80f4fec7ee2024f0500da199a1ca356c77c72d444efface0c56f091f9d1312c9d46a2c2bd80ea77a6115fe94a9
+  metadata.gz: 428832edcb252f835b89a351f30459e9a884a288622d988df050356e5cd4322eafb70f070f9ae91b418451bdd4adfad111c2ab984eb9e2fe86950651266b7a23
+  data.tar.gz: d56946f36346faa79f2c27c12bd69fa954018425ba85d852e98abce8b69c79d472f973c71a73e33a324598f1ddd5bb1ec058c5a5a6d34778748d0c4fc7f03111

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 0.1.3 (2026-06-21)
+
+Production-found hardening for Hotwire Native / Devise remember-me startup flows, plus compatibility and generated admin-schema fixes.
+
+- **Remembered Warden logins on non-document requests are deferred until the first document navigation.** A native iOS path-configuration fetch like `/native/configurations/ios/v1.json` can carry the remember-me cookie before the WebView entry page loads; the gem now keeps that login pending instead of recording a misleading `RailsFast/... CFNetwork/...` row/event, then records the real WebView/native device on the HTML request with the original `remembered` auth detail.
+- **Remembered restores for an already-live device now reattach to the existing row.** iOS WebView startup bursts can run several remembered document requests before the app settles; if the signed device cookie already names a live row for the same user/scope, the gem reuses it, writes no duplicate login event, and validates the tokenless Warden session against that same signed device cookie on later fetches. A destroyed row still kicks normally.
+- **Internal same-device superseding is quiet housekeeping again.** Replacing an abandoned same-browser row no longer writes a user-facing `revoked` / `superseded` event; remote revocations, password-change revocations, expiry and logout still write their normal trail entries.
+- **Pre-gem adoption also waits for a document request.** Existing authenticated sessions no longer get adopted from background JSON/native HTTP requests before the actual browser/WebView request can name the device.
+- **Trackdown integration duck-types optional fields.** `sessions` now tolerates older `trackdown` releases that do not expose `region` or coordinate methods, preserving valid country/city data instead of swallowing the whole geo result.
+- **`sessions_events.app_build` is now part of the trail schema.** Fresh installs get the column, login/logout/revocation events copy it from the registry row, and `rails generate sessions:upgrade` adds it for existing installs so the generated Madmin resource matches the database.
+- **Password-bearing non-idempotent requests classify as password logins.** This covers Devise password-reset/update flows that sign the user in with `PATCH` instead of `POST`, avoiding misleading `auth_method: "unknown"` rows.
+
 ## 0.1.2 (2026-06-16)
 
 Production-found hardening for Devise/Warden adoption, the path that turns already-authenticated pre-gem sessions into registry rows.

data/README.md

@@ -98,14 +98,14 @@ That's it. Every sign-in from now on lands on the devices page and in the trail
 
 ### Upgrading
 
-Existing apps upgrading from 0.1.0 or 0.1.1 should copy the upgrade migration and run it:
+Existing apps upgrading from 0.1.0, 0.1.1, or 0.1.2 should copy the upgrade migrations and run them:
 
 ```bash
 rails generate sessions:upgrade
 rails db:migrate
 ```
 
-This adds `sessions.adoption_key`, the portable unique guard that makes pre-gem session adoption atomic under concurrent native-app request bursts. Fresh installs already get it from `sessions:install`.
+This adds `sessions.adoption_key` (for installs before 0.1.2), the portable unique guard that makes pre-gem session adoption atomic under concurrent native-app request bursts, and `sessions_events.app_build` (for installs before 0.1.3), which keeps the event trail and generated madmin resource in sync. Fresh installs already get both from `sessions:install`.
 
 ## What `sessions` does (and doesn't) do
 

data/lib/generators/sessions/templates/add_app_build_to_sessions_events.rb.erb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# v0.1.3 upgrade: events mirror the registry's native app build so generated
+# madmin resources never reference a missing sessions_events.app_build column.
+class AddSessionsAppBuildToSessionsEvents < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :sessions_events, :app_build, :string unless column_exists?(:sessions_events, :app_build)
+  end
+end

data/lib/generators/sessions/templates/create_sessions_events.rb.erb

@@ -52,6 +52,7 @@ class CreateSessionsEvents < ActiveRecord::Migration<%= migration_version %>
       t.string :device_model
       t.string :app_name
       t.string :app_version
+      t.string :app_build
 
       # Geo via trackdown (soft dependency). lat/lng precision-reduced per
       # config.geo_precision (2 decimals ≈ 1km) — privacy now,

data/lib/generators/sessions/upgrade_generator.rb

@@ -25,6 +25,8 @@ module Sessions
       def create_upgrade_migrations
         migration_template "add_adoption_key_to_sessions.rb.erb",
                            File.join(db_migrate_path, "add_sessions_adoption_key_to_#{table_name}.rb")
+        migration_template "add_app_build_to_sessions_events.rb.erb",
+                           File.join(db_migrate_path, "add_sessions_app_build_to_sessions_events.rb")
       end
 
       def display_post_upgrade_message
@@ -32,7 +34,7 @@ module Sessions
         say "\nTo complete the upgrade:"
         say "  1. Review the generated migration."
         say "  2. Run 'rails db:migrate'."
-        say "     ⚠️  Deploy the migration before relying on adoption hardening.", :yellow
+        say "     ⚠️  Deploy the migrations before relying on adoption hardening or app-build event columns.", :yellow
       end
 
       private

data/lib/sessions/adapters/warden.rb

@@ -27,6 +27,11 @@ module Sessions
       # Key inside `warden.session(scope)` holding [row_id, raw_token].
       SESSION_KEY = "sessions"
 
+      # Rememberable can restore a user on background/native JSON requests
+      # before the browser/WebView has actually navigated. Defer the row
+      # until a document request can name the user-visible device.
+      PENDING_LOGIN_KEY = "sessions.pending_login"
+
       # Sticky per-scope flag: a login recorded with `sessions_skip: true`
       # must not be kicked by the fetch validation later (session_limitable's
       # third skip layer).
@@ -104,11 +109,23 @@ module Sessions
 
           next unless row_accepts?(record)
 
+          auth = Sessions::Classifier.classify(warden.request)
+          if deferred_login_request?(warden.request, auth)
+            stash_pending_login(warden, scope, auth)
+            next
+          end
+
+          if (row = remembered_existing_row(record, warden, scope, auth))
+            attach_existing_row(row, warden, scope)
+            next
+          end
+
+          warden.session(scope).delete(PENDING_LOGIN_KEY)
           create_row_for(record, warden, scope)
         end
       end
 
-      def create_row_for(record, warden, scope, suppress_login_event: false, attributes: {})
+      def create_row_for(record, warden, scope, suppress_login_event: false, skip_supersede: false, attributes: {})
         token = Sessions.generate_token
         request = warden.request
         model = Sessions.session_model
@@ -125,6 +142,7 @@ module Sessions
           end
         end
         row.sessions_suppress_login_event = suppress_login_event
+        row.sessions_skip_supersede = skip_supersede
         Sessions.with_request(request) { row.save! }
 
         warden.session(scope)[SESSION_KEY] = [row.id, token]
@@ -143,12 +161,20 @@ module Sessions
           session_data = warden.session(scope)
           next :skip if session_data[SKIP_SESSION_KEY]
 
-          session_data[SESSION_KEY]
+          {
+            login: session_data[SESSION_KEY],
+            pending_login: session_data[PENDING_LOGIN_KEY]
+          }
         end
         return if data == :skip
 
-        if data.nil?
-          adopt_preexisting_session(record, warden, scope)
+        session_token = data && data[:login]
+        if session_token.nil?
+          if data && data[:pending_login]
+            activate_pending_login(record, warden, scope, data[:pending_login])
+          else
+            adopt_preexisting_session(record, warden, scope)
+          end
           return
         end
 
@@ -160,9 +186,13 @@ module Sessions
         # never break authentication: fail OPEN, let the request through
         # untracked, try again next request.
         begin
-          id, token = data
+          id, token = session_token
           found = Sessions.session_model.find_by(id: id)
-          row = found if found&.sessions_token_matches?(token)
+          row = if found&.sessions_token_matches?(token)
+                  found
+                elsif token.nil? && existing_row_session?(found, record, scope, warden.request)
+                  found
+                end
         rescue StandardError => e
           Sessions.warn("warden.fetch failed open: #{e.class}: #{e.message}")
           return
@@ -190,6 +220,7 @@ module Sessions
       def adopt_preexisting_session(record, warden, scope)
         Sessions.safely("warden.adopt") do
           next unless row_accepts?(record)
+          next unless document_request?(warden.request)
 
           # IDEMPOTENT, because a client that can't persist cookies re-enters
           # adoption on EVERY request: the SESSION_KEY we write rides a
@@ -212,11 +243,141 @@ module Sessions
         end
       end
 
+      def activate_pending_login(record, warden, scope, pending_login)
+        Sessions.safely("warden.pending_login") do
+          next unless row_accepts?(record)
+          next unless document_request?(warden.request)
+
+          if (row = pending_existing_row(record, warden, scope, pending_login))
+            attach_existing_row(row, warden, scope)
+            warden.session(scope).delete(PENDING_LOGIN_KEY)
+            next row
+          end
+
+          row = create_row_for(record, warden, scope, attributes: pending_login_attributes(pending_login))
+          warden.session(scope).delete(PENDING_LOGIN_KEY)
+          row
+        end
+      end
+
+      def deferred_login_request?(request, auth)
+        remembered_login?(auth) && !document_request?(request)
+      end
+
+      def remembered_login?(auth)
+        detail = auth[:detail].to_h
+        detail["remembered"] || detail[:remembered]
+      rescue StandardError
+        false
+      end
+
+      def stash_pending_login(warden, scope, auth)
+        warden.session(scope)[PENDING_LOGIN_KEY] = login_auth_attributes(auth).transform_keys(&:to_s)
+      end
+
+      def login_auth_attributes(auth)
+        {
+          auth_method: auth[:method],
+          auth_provider: auth[:provider],
+          auth_detail: auth[:detail].presence
+        }.compact
+      end
+
+      def pending_login_attributes(attributes)
+        attributes.to_h.slice("auth_method", "auth_provider", "auth_detail")
+      rescue StandardError
+        {}
+      end
+
+      def pending_existing_row(record, warden, scope, pending_login)
+        auth = { detail: pending_login.to_h["auth_detail"] || {} }
+        remembered_existing_row(record, warden, scope, auth)
+      end
+
+      def remembered_existing_row(record, warden, scope, auth)
+        return unless remembered_login?(auth)
+
+        device_id = device_id_from_request(warden.request)
+        return if device_id.blank?
+
+        rows = Sessions.session_model.where(user: record, device_id: device_id)
+        rows = rows.where(scope: scope.to_s) if Sessions.session_model.column_names.include?("scope")
+        rows.order(created_at: :desc).first
+      rescue StandardError
+        nil
+      end
+
+      def attach_existing_row(row, warden, scope)
+        warden.session(scope)[SESSION_KEY] = [row.id, nil]
+        Sessions.safely("warden.remembered_existing.touch") { row.touch_last_seen!(warden.request) }
+        row
+      end
+
+      def existing_row_session?(row, record, scope, request)
+        return false unless row
+
+        device_id = device_id_from_request(request)
+        return false if device_id.blank?
+        return false unless row.try(:device_id) == device_id
+        return false unless row.user == record
+        return false if row.respond_to?(:scope) && row.scope.present? && row.scope != scope.to_s
+
+        true
+      rescue StandardError
+        false
+      end
+
+      def device_id_from_request(request)
+        return unless request.respond_to?(:cookie_jar)
+
+        request.cookie_jar.signed[Sessions::DEVICE_COOKIE].presence
+      rescue StandardError
+        nil
+      end
+
+      def document_request?(request)
+        return true unless request
+        return false if non_document_path?(request)
+
+        accept = request_header(request, "HTTP_ACCEPT").to_s
+        return true if accept.empty? || accept == "*/*"
+        return true if accept.match?(%r{\btext/html\b|\bapplication/xhtml\+xml\b|\btext/vnd\.turbo-stream\.html\b})
+        return false if accept.match?(%r{\b(?:application|text)/(?:[\w.+-]+\+)?json\b})
+        return false if request_header(request, "HTTP_X_REQUESTED_WITH").to_s.casecmp("XMLHttpRequest").zero?
+
+        if request.respond_to?(:format)
+          format = request.format
+          return true if format.respond_to?(:html?) && format.html?
+          return false if format.respond_to?(:json?) && format.json?
+        end
+
+        true
+      rescue StandardError
+        true
+      end
+
+      def non_document_path?(request)
+        path = if request.respond_to?(:path)
+                 request.path
+               elsif request.respond_to?(:path_info)
+                 request.path_info
+               end
+        File.extname(path.to_s).delete(".").casecmp("json").zero?
+      end
+
+      def request_header(request, key)
+        if request.respond_to?(:get_header)
+          request.get_header(key)
+        elsif request.respond_to?(:env)
+          request.env[key]
+        end
+      end
+
       def create_adopted_row(record, warden, scope, adoption_key:)
         attributes = { auth_detail: { "adopted" => true } }
         attributes[:adoption_key] = adoption_key if adoption_key_column?
 
-        create_row_for(record, warden, scope, suppress_login_event: true, attributes: attributes)
+        create_row_for(record, warden, scope, suppress_login_event: true, skip_supersede: true, attributes: attributes)
       rescue ActiveRecord::RecordNotUnique
         adopted_row(record, scope, adoption_key: adoption_key)&.tap do |row|
           Sessions.safely("warden.adopt.touch") { row.touch_last_seen!(warden.request) }

data/lib/sessions/classifier.rb

@@ -77,7 +77,7 @@ module Sessions
         from_omniauth(request) ||
         from_warden(request) ||
         from_google_sign_in(request) ||
-        from_password_post(request) ||
+        from_password_request(request) ||
         blank
     rescue StandardError => e
       Sessions.warn("auth classification failed: #{e.class}: #{e.message}")
@@ -176,10 +176,11 @@ module Sessions
       nil
     end
 
-    # A POST that exchanged a password for a session IS a password login —
-    # covers the omakase SessionsController and hand-rolled password forms.
-    def from_password_post(request)
-      return unless request.respond_to?(:post?) && request.post?
+    # A non-idempotent request that exchanged a password for a session IS a
+    # password login — covers the omakase SessionsController, hand-rolled
+    # password forms, and Devise password-reset PATCHes that sign the user in.
+    def from_password_request(request)
+      return unless credential_request?(request)
 
       params = request.params
       return unless params.is_a?(Hash) || params.respond_to?(:[])
@@ -190,6 +191,18 @@ module Sessions
       nil
     end
 
+    def credential_request?(request)
+      method = if request.respond_to?(:request_method)
+                 request.request_method
+               elsif request.respond_to?(:method)
+                 request.method
+               end
+
+      !%w[GET HEAD OPTIONS].include?(method.to_s.upcase)
+    rescue StandardError
+      false
+    end
+
     def password_param?(params)
       return true if params["password"].present?
 

data/lib/sessions/geolocation.rb

@@ -79,13 +79,15 @@ module Sessions
 
     def columns_from(result)
       return {} unless result
-      return {} if result.country_code.to_s.empty?
+
+      country_code = location_value(result, :country_code)
+      return {} if country_code.to_s.empty?
 
       {
-        country_code: result.country_code,
-        country_name: presence(result.country_name),
-        city: presence(result.city),
-        region: presence(result.region)
+        country_code: country_code,
+        country_name: presence(location_value(result, :country_name)),
+        city: presence(location_value(result, :city)),
+        region: presence(location_value(result, :region))
       }.compact
     end
 
@@ -93,17 +95,25 @@ module Sessions
     # config.geo_precision (2 decimals ≈ 1km — privacy now,
     # impossible-travel math later).
     def coordinates_from(result)
-      return {} unless result.respond_to?(:latitude) && result.latitude
+      latitude = location_value(result, :latitude)
+      longitude = location_value(result, :longitude)
+      return {} if latitude.nil? || longitude.nil?
 
       precision = Sessions.config.geo_precision
       {
-        latitude: result.latitude.to_f.round(precision),
-        longitude: result.longitude.to_f.round(precision)
+        latitude: latitude.to_f.round(precision),
+        longitude: longitude.to_f.round(precision)
       }
     rescue StandardError
       {}
     end
 
+    def location_value(result, attribute)
+      result.public_send(attribute) if result.respond_to?(attribute)
+    rescue StandardError
+      nil
+    end
+
     def presence(value)
       value.nil? || value.to_s.empty? || value.to_s == "Unknown" ? nil : value
     end

data/lib/sessions/models/concerns/model.rb

@@ -57,7 +57,7 @@ module Sessions
 
       # Set on adopted rows (sessions that predate the gem) so adoption
       # doesn't fabricate a `login` event in the trail.
-      attr_accessor :sessions_suppress_login_event
+      attr_accessor :sessions_suppress_login_event, :sessions_skip_supersede
 
       before_create :sessions_enrich
       after_create_commit :sessions_record_login
@@ -335,22 +335,22 @@ module Sessions
 
     def sessions_record_login
       Sessions.safely("record_login") do
-        if sessions_suppress_login_event
-          # Suppressed writes (adoption) skip the trail event, dedup and
-          # the new-device hook — but never the cap: it's the hard limit on
-          # LIVE rows, and a misbehaving client looping through adoption
-          # must hit it like everyone else.
-          sessions_enforce_cap!
-          next
-        end
-
         # Same browser signing in again (abandoned session, expired
         # remember-me, browser update — anything) replaces its old row
         # instead of stacking a duplicate device. Runs BEFORE new-device
         # detection on purpose: the trail (which survives the superseded
         # row) is what remembers known devices, so dedup never causes
         # false "new device" alerts.
-        Sessions.safely("supersede") { sessions_supersede_previous_rows! }
+        Sessions.safely("supersede") { sessions_supersede_previous_rows! } unless sessions_skip_supersede
+
+        if sessions_suppress_login_event
+          # Suppressed writes skip the trail event and the new-device hook
+          # — but never the cap: it's the hard limit on LIVE rows, and a
+          # misbehaving client looping through adoption/remembered refreshes
+          # must hit it like everyone else.
+          sessions_enforce_cap!
+          next
+        end
 
         new_device = Sessions.safely("new_device") { sessions_new_device? } || false
 
@@ -401,9 +401,9 @@ module Sessions
     # The dedup half of browser continuity: prior live rows for the SAME
     # user on the SAME browser install are superseded by this login. A
     # quiet destroy on purpose — no on_session_revoked hook, no
-    # remember-me rotation (this is housekeeping, not a security event;
-    # the trail records it as revoked/:superseded). Scoped to the user:
-    # a shared computer with two accounts keeps both rows.
+    # remember-me rotation, no trail event (this is housekeeping, not a
+    # security event). Scoped to the user: a shared computer with two
+    # accounts keeps both rows.
     def sessions_supersede_previous_rows!
       return if try(:device_id).blank?
 
@@ -438,6 +438,8 @@ module Sessions
         next if user.nil? || user.destroyed?
 
         reason = revocation_reason&.to_sym
+        next if reason == :superseded
+
         event_name = case reason
                      when :logout then "logout"
                      when :expired then "expired"
@@ -483,6 +485,7 @@ module Sessions
         device_model: try(:device_model),
         app_name: try(:app_name),
         app_version: try(:app_version),
+        app_build: try(:app_build),
         country_code: try(:country_code),
         country_name: try(:country_name),
         city: try(:city),

data/lib/sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sessions
-  VERSION = "0.1.2"
+  VERSION = "0.1.3"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sessions
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - rameerez
 bindir: exe
 cert_chain: []
-date: 2026-06-16 00:00:00.000000000 Z
+date: 2026-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -164,6 +164,7 @@ files:
 - lib/generators/sessions/install_generator.rb
 - lib/generators/sessions/madmin_generator.rb
 - lib/generators/sessions/templates/add_adoption_key_to_sessions.rb.erb
+- lib/generators/sessions/templates/add_app_build_to_sessions_events.rb.erb
 - lib/generators/sessions/templates/add_sessions_columns.rb.erb
 - lib/generators/sessions/templates/create_sessions.rb.erb
 - lib/generators/sessions/templates/create_sessions_events.rb.erb