shieldify 0.1.2.pre.alpha

data/lib/shieldify/models/email_authenticatable/confirmable.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Shieldify
+  module Models
+    module EmailAuthenticatable
+      # This module implements email confirmation using tokens. It generates confirmation tokens
+      # when registering or changing a user's email address, enabling confirmation through a secure process.
+      # Includes functionality to automatically send confirmation instructions and manage email confirmations.
+      # When changing an email, the new one is automatically marked as pending confirmation,
+      # requiring the user to verify their access to the new email to complete confirmation.
+      # Additionally, it provides methods to check the expiration of confirmation tokens.
+      #
+      # @example Including the module in a User model
+      #   class User < ApplicationRecord
+      #     include Shieldify::Models::EmailAuthenticatable::Confirmable
+      #   end
+      #
+      # @see #confirm_email
+      # @see #regenerate_and_save_email_confirmation_token
+      # @see #send_email_confirmation_instructions
+      # @see #email_confirmation_token_expired?
+      # @see #pending_email_confirmation?
+      # @see #confirmed?
+      # @see .confirm_email_by_token
+      # @see .resend_email_confirmation_instructions_to
+      # @see .add_error_to_empty_user
+      module Confirmable
+        extend ActiveSupport::Concern
+
+        included do
+          # @!attribute [rw] skip_email_confirmation_callbacks
+          #   @return [Boolean] Allows selectively skipping email confirmation callbacks.
+          attr_accessor :skip_email_confirmation_callbacks
+
+          before_save :generate_email_confirmation, unless: -> { skip_email_confirmation_callbacks? || !email_changed? }
+          after_save(
+            :send_email_confirmation_instructions,
+            unless: -> { skip_email_confirmation_callbacks? || !unconfirmed_email? }
+          )
+        end
+
+        # Confirms the email if there is a pending email confirmation.
+        # This method updates the user's email to the unconfirmed email and clears the confirmation tokens.
+        #
+        # @return [Boolean] true if the email was successfully confirmed, false otherwise
+        def confirm_email
+          return false unless pending_email_confirmation?
+
+          self.skip_email_confirmation_callbacks = true
+
+          self.email = unconfirmed_email
+          self.unconfirmed_email = nil
+          self.email_confirmation_token = nil
+          self.email_confirmation_token_generated_at = nil
+
+          save do |result|
+            self.skip_email_confirmation_callbacks = nil
+
+            result
+          end
+        end
+
+        # Regenerates the email confirmation token and saves the user record.
+        #
+        # @return [Boolean] true if the token was successfully regenerated and saved, false otherwise
+        def regenerate_and_save_email_confirmation_token
+          generate_email_confirmation_token && save
+        end
+
+        # Sends email confirmation instructions to the unconfirmed email.
+        #
+        # @return [void]
+        def send_email_confirmation_instructions
+          params = { user: self, email_to: unconfirmed_email, token: email_confirmation_token, action: :email_confirmation_instructions }
+          Shieldify::Mailer.with(params).base_mailer.deliver_now
+        end
+
+        # Checks if the email confirmation token has expired.
+        #
+        # @return [Boolean] true if the token has expired, false otherwise
+        def email_confirmation_token_expired?
+          return true unless email_confirmation_token_generated_at
+
+          email_confirmation_token_generated_at < 24.hours.ago
+        end
+
+        # Checks if there is a pending email confirmation.
+        #
+        # @return [Boolean] true if there is a pending email confirmation, false otherwise
+        def pending_email_confirmation?
+          unconfirmed_email.present? && email_confirmation_token.present?
+        end
+
+        # Checks if the email has been confirmed.
+        #
+        # @return [Boolean] true if the email is confirmed, false otherwise
+        def confirmed?
+          email.present?
+        end
+
+        def skip_email_confirmation_callbacks?
+          @skip_email_confirmation_callbacks
+        end
+
+        private
+
+        def generate_email_confirmation
+          self.unconfirmed_email = email
+          self.email = email_was
+
+          generate_email_confirmation_token
+        end
+
+        def generate_email_confirmation_token
+          self.email_confirmation_token = SecureRandom.hex(16)
+          self.email_confirmation_token_generated_at = Time.current
+        end
+
+        class_methods do
+          def confirm_email_by_token(token)
+            user = find_by_email_confirmation_token(token)
+
+            return add_error_to_empty_user(:email_confirmation_token, :invalid) if user.blank?
+
+            if user.email_confirmation_token_expired?
+              msg = I18n.t('shieldify.models.email_authenticatable.confirmable.email_confirmation_token.errors.expired')
+              user.errors.add(:email_confirmation_token, msg)
+
+              return user
+            end
+
+            user.confirm_email
+            user
+          end
+
+          def resend_email_confirmation_instructions_to(email)
+            user = find_by_unconfirmed_email(email)
+
+            return add_error_to_empty_user(:unconfirmed_email, :not_found) if user.nil?
+
+            user.regenerate_and_save_email_confirmation_token
+            user
+          end
+
+          def add_error_to_empty_user(param, error)
+            user = new
+
+            user.errors.add(
+              param.to_sym,
+              I18n.t("shieldify.models.email_authenticatable.confirmable.#{param.to_sym}.errors.#{error.to_sym}")
+            )
+
+            user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shieldify/models/email_authenticatable/registerable.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module Shieldify
+  module Models
+    module EmailAuthenticatable
+      # This module provides registration functionality for users, including email normalization,
+      # validation of email and password, and methods for registering a user and updating their
+      # email and password.
+      #
+      # @example Including the module in a User model
+      #   class User < ApplicationRecord
+      #     include Shieldify::Models::EmailAuthenticatable::Registerable
+      #   end
+      #
+      # @see .register
+      # @see #update_password
+      # @see #update_email
+      # @see #send_email_changed_notification
+      # @see #send_password_changed_notification
+      module Registerable
+        extend ActiveSupport::Concern
+
+        included do
+          before_validation :normalize_email
+
+          validates :email, presence: true, if: -> { password.present? && new_record? }
+          validates :email, format: { with: Shieldify::Configuration.email_regexp }, if: -> { email.present? }
+          validates :email, uniqueness: true, if: -> { email.present? }
+
+          validates :password, presence: true, if: -> { email.present? && new_record? }
+          validate :password_complexity, if: -> { password.present? }
+          validates :password, length: { minimum: 8 }, if: -> { password.present? }
+        end
+
+        class_methods do
+          # Registers a new user with the given email and password.
+          #
+          # @param email [String] The email of the user.
+          # @param password [String] The password of the user.
+          # @param password_confirmation [String] The password confirmation.
+          # @return [User] The newly registered user.
+          def register(email:, password:, password_confirmation:)
+            user = new(email: email, password: password, password_confirmation: password_confirmation)
+            user.save
+            user
+          end
+        end
+
+        # Updates the user's password if the current password is valid.
+        #
+        # @param current_password [String] The current password of the user.
+        # @param new_password [String] The new password.
+        # @param password_confirmation [String] The new password confirmation.
+        # @return [User] The user with the updated password, or with errors if the update failed.
+        def update_password(current_password:, new_password:, password_confirmation:)
+          if authenticate(current_password)
+            if update(password: new_password, password_confirmation: password_confirmation)
+              send_password_changed_notification if Shieldify::Configuration.send_password_changed_notification
+            end
+          else
+            errors.add(
+              :current_password,
+              I18n.t("shieldify.models.email_authenticatable.registerable.password.errors.invalid")
+            )
+          end
+        
+          self
+        end
+
+        # Updates the user's email if the current password is valid.
+        #
+        # @param current_password [String] The current password of the user.
+        # @param new_email [String] The new email.
+        # @return [User] The user with the updated email, or with errors if the update failed.
+        def update_email(current_password:, new_email:)
+          if authenticate(current_password)
+            if update(email: new_email)
+              send_email_changed_notification if Shieldify::Configuration.send_email_changed_notification
+            end
+          else
+            errors.add(
+              :password,
+              I18n.t("shieldify.models.email_authenticatable.registerable.password.errors.invalid"))
+          end
+        
+          self
+        end
+
+        private
+
+        def send_email_changed_notification
+          Shieldify::Mailer.with(user: self, email_to: email, action: :email_changed).base_mailer.deliver_now
+        end
+
+        def send_password_changed_notification
+          Shieldify::Mailer.with(user: self, email_to: email, action: :password_changed).base_mailer.deliver_now
+        end
+
+        def normalize_email
+          self.email = email.downcase.strip if email.present?
+        end
+
+        def password_complexity
+          return if password.blank?
+          regex = Shieldify::Configuration.password_complexity
+
+          unless password.match?(regex)
+            errors.add(
+              :password,
+              I18n.t("shieldify.models.email_authenticatable.registerable.password_complexity.format")
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shieldify/models/email_authenticatable.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Shieldify
+  module Models
+    # This module provides email authentication functionality for users. It includes methods to authenticate
+    # users by their email and password, and uses `has_secure_password` for secure password handling.
+    #
+    # @example Including the module in a User model
+    #   class User < ApplicationRecord
+    #     include Shieldify::Models::EmailAuthenticatable
+    #   end
+    #
+    # @see .authenticate_by_email
+    module EmailAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        # Adds methods to set and authenticate against a BCrypt password. This mechanism requires you to have a
+        # password_digest attribute.
+        has_secure_password(validations: false)
+      end
+
+      class_methods do
+        # Authenticates a user by their email and password.
+        #
+        # @param email [String] The email of the user.
+        # @param password [String] The password of the user.
+        # @return [User] The authenticated user if the credentials are correct, or a new user object with errors if not.
+        def authenticate_by_email(email:, password:)
+          user = find_by(email: email)
+
+          return user if user&.authenticate(password)
+
+          user ||= new
+          user.errors.add(:email, "invalid email or password")
+          user
+        end
+      end
+    end
+  end
+end

data/lib/shieldify/railtie.rb

@@ -0,0 +1,52 @@
+module Shieldify
+  class Railtie < ::Rails::Railtie
+    initializer 'shieldify.add_routes' do |app|
+      app.routes.prepend do
+        get 'shfy/users/email/:token/confirm', to: 'users/emails#show', as: :users_email_confirmation
+        # post 'shfy/users/email/reset_password', to: 'users/emails/reset_passwords#create'
+        # put 'shfy/users/email/:token/reset_password', to: 'users/emails/reset_passwords#update'
+        # get 'shfy/users/access/:token/unlock', to: 'users/access#show'
+      end
+    end
+
+    initializer 'shieldify.configure_warden' do |app|
+      app.middleware.use Warden::Manager do |manager|
+        manager.strategies.add(:email, Shieldify::Strategies::Email)
+        manager.strategies.add(:jwt, Shieldify::Strategies::Jwt)
+
+        manager.default_strategies :email, :jwt
+
+        manager.default_strategies :email
+        manager.scope_defaults :default, store: false
+        manager.failure_app = ->(env) { Shieldify::FailureApp.call(env) }
+      end
+    end
+
+    initializer 'shieldify.insert_middleware', after: :load_config_initializers do |app|
+      app.middleware.insert_after Warden::Manager, Shieldify::Middleware
+    end
+
+    initializer 'shieldify.require' do
+      require_relative '../../app/models/jwt_session'
+      require_relative '../../app/controllers/users/emails_controller'
+    end
+
+    initializer 'shieldify.active_record' do
+      ActiveSupport.on_load(:active_record) do
+        include Shieldify::ModelExtensions
+      end
+    end
+
+    initializer 'shieldify.action_mailer' do |app|
+      ActiveSupport.on_load(:action_mailer) do
+        include app.routes.url_helpers
+      end
+    end
+
+    initializer 'shieldify.include_controller_helpers' do
+      ActiveSupport.on_load(:action_controller_api) do
+        include Shieldify::Controllers::Helpers
+      end
+    end
+  end
+end

data/lib/shieldify/strategies/email.rb

@@ -0,0 +1,48 @@
+module Shieldify
+  module Strategies
+    class Email < Warden::Strategies::Base
+      def valid?
+        json_body['email'].present? && json_body['password'].present?
+      end
+
+      def authenticate!
+        user = User.authenticate_by_email(email: json_body['email'], password: json_body['password'])
+        return fail!("Unauthorized: #{user.errors.full_messages.join(", ")}") unless user.errors.empty?
+
+        handle_user_authentication(user)
+      end
+
+      private
+
+      def json_body
+        request.body.rewind
+        JSON.parse(request.body.read) rescue {}
+      end
+
+      def handle_user_authentication(user)
+        JwtService.encode(user.id) do |success, token, jti, error|
+          if success
+            process_jwt_token(user, token, jti)
+          else
+            fail!("JWT token generation failed: #{error}")
+          end
+        end
+      end
+
+      def process_jwt_token(user, token, jti)
+        jwt_token = user.jwt_sessions.create(jti: jti)
+        if jwt_token.persisted?
+          set_jwt_to_header(token)
+          success!(user)
+        else
+          fail!("Failed to save JWT token: #{jwt_token.errors.full_messages.join(", ")}")
+        end
+      end
+
+      def set_jwt_to_header(token)
+        env['auth.jwt'] ||= {}
+        env['auth.jwt'] = token
+      end
+    end
+  end
+end

data/lib/shieldify/strategies/jwt.rb

@@ -0,0 +1,78 @@
+module Shieldify
+  module Strategies
+    class Jwt < Warden::Strategies::Base
+      def valid?
+        request.env['HTTP_AUTHORIZATION'].present?
+      end
+
+      def authenticate!
+        token = extract_token_from_header
+        return fail!("Authorization token not provided") unless token
+
+        JwtService.decode(token) do |success, payload, error|
+          if success
+            authenticate_with_payload(payload)
+          else
+            fail!("Invalid token: #{error}")
+          end
+        end
+      end
+
+      private
+
+      def extract_token_from_header
+        request.env['HTTP_AUTHORIZATION']&.split(' ')&.last
+      end
+
+      def authenticate_with_payload(payload)
+        user = find_user(payload['sub'])
+        return unless user
+
+        jwt_session = find_jwt_session(user, payload['jti'])
+        return unless jwt_session
+
+        if token_expired_halfway?(payload['exp'])
+          refresh_token(user, jwt_session)
+        else
+          success!(user)
+        end
+      end
+
+      def find_user(user_id)
+        user = User.find_by(id: user_id)
+        fail!("Invalid token: user not found") unless user
+        user
+      end
+
+      def find_jwt_session(user, jti)
+        jwt_session = user.jwt_sessions.find_by(jti: jti)
+        fail!("Invalid token: session not found") unless jwt_session
+        jwt_session
+      end
+
+      def token_expired_halfway?(exp)
+        halfway_time = exp - (exp - Time.now.to_i) / 2
+        Time.now.to_i >= halfway_time
+      end
+
+      def refresh_token(user, jwt_session)
+        JwtService.encode(user.id) do |success, new_token, new_jti, error|
+          if success
+            jwt_session.update!(jti: new_jti)
+            set_jwt_to_header(new_token)
+            success!(user)
+          else
+            fail!("JWT token generation failed: #{error}")
+          end
+        end
+      end
+
+      def set_jwt_to_header(token)
+        env['auth.jwt'] ||= {}
+        env['auth.jwt'] = token
+      end
+    end
+  end
+end
+
+

data/lib/shieldify/version.rb

@@ -0,0 +1,3 @@
+module Shieldify
+  VERSION = "0.1.2-alpha"
+end

data/lib/shieldify.rb

@@ -0,0 +1,74 @@
+require "warden"
+require "shieldify/failure_app"
+require "shieldify/model_extensions"
+require "shieldify/controllers/helpers"
+require "shieldify/strategies/email"
+require "shieldify/strategies/jwt"
+require "shieldify/middleware/authentication"
+require "shieldify/middleware"
+require "shieldify/version"
+require "shieldify/railtie"
+
+module Shieldify
+  class Configuration
+    include Singleton
+
+    # Default mailer sender.
+    mattr_accessor :mailer_sender
+    @@mailer_sender = "shieldify@example.com"
+
+    # Default mailer sender.
+    mattr_accessor :reply_to
+    @@reply_to = "shieldify@example.com"
+
+    # Email regex used to validate email formats.
+    mattr_accessor :email_regexp
+    @@email_regexp = URI::MailTo::EMAIL_REGEXP
+
+    # Password complexity regex
+    # Explanation of the regular expression:
+    # - (?=.*\d) ensures there is at least one digit
+    # - (?=.*[a-z]) ensures there is at least one lowercase letter
+    # - (?=.*[A-Z]) ensures there is at least one uppercase letter
+    # - (?=.*[@$#!%*?&]) ensures there is at least one of these special characters
+    # - \S{8,} ensures the password is at least 8 characters in length and contains no spaces
+    mattr_accessor :password_complexity
+    @@password_complexity = /\A(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$#!%*?&])\S{6,}\z/
+
+    # Used to send notification to the original user email when their email is changed.
+    mattr_accessor :send_email_changed_notification
+    @@send_email_changed_notification = true
+
+    # Used to enable sending notification to user when their password is changed.
+    mattr_accessor :send_password_changed_notification
+    @@send_password_changed_notification = true
+
+    # Number of authentication tries before locking an account.
+    mattr_accessor :maximum_attempts
+    @@maximum_attempts = 20
+
+    # The parent mailer for internal mailers.
+    mattr_accessor :parent_mailer
+    @@parent_mailer = "ActionMailer::Base"
+
+    # JWT related
+    mattr_accessor :jwt_secret
+    @@jwt_secret = "whatever"
+
+    mattr_accessor :jwt_issuer
+    @@jwt_issuer = "Shieldify"
+
+    mattr_accessor :jwt_exp
+    @@jwt_exp = 24.hours.from_now.to_i
+  end
+
+  def self.setup
+    yield Configuration.instance
+  end
+end
+
+require "shieldify/models/email_authenticatable"
+require "shieldify/models/email_authenticatable/registerable"
+require "shieldify/models/email_authenticatable/confirmable"
+require "shieldify/jwt_service"
+require "shieldify/mailer"

data/lib/tasks/shieldify_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :shieldify do
+#   # Task goes here
+# end