simple_auth-magic_link 0.0.1 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1db6e4dd1f065742e9b94a0e1c617b26fb72546c8b492ba555563586c62d3bea
-  data.tar.gz: 2cd9d5f2496cdd1f38acc16b01dd218caba4ffca1f983118939fc6b85455102f
+  metadata.gz: eaaaefbf87386dc65f459af3b70eb63836b21d6fc0656b5d3f74604de02ccc09
+  data.tar.gz: 4c0ec412f551cdc7ab743d47473a76b754fa29fe294300fa9e41d320cddbb70b
 SHA512:
-  metadata.gz: 76dcc931ee1084fae469bef697184761b644249ff636735dcaa3bf124d1966cea33b5d6ef2d47f46210b0a74be3bfed8bdf5d70c8cdfd5cf5260ffc8645f1088
-  data.tar.gz: 97f72c2ab9dcf34c7c360798c2421ec99c9d8e496614882b5dbb1f23619b597ade34042888ace29fb94558892ebfa86282387006116b59ff064f71b73ff579b8
+  metadata.gz: 8ef24d5c24be96ab1a52b010c42d1b5e3dd42cd76134f243e0d54d636003999e106f93085a91d4e0c754c6baf90bc47ad85623d7a729f74fcfeab58e63e489bd
+  data.tar.gz: 872c526193ac7343a9d4e26aca66933e0efecfe91ae4097f21272d26f55201b17761a787cb3a0d74f94c3561529b6317d7705aba5907b1e9cea2b5cd233d116b

data/.github/workflows/ruby-tests.yml

@@ -19,18 +19,19 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: ["2.7", "3.0", "3.1"]
+        ruby: ["3.2", "3.3"]
         gemfile:
           - Gemfile
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: actions/cache@v3
         with:
           path: vendor/bundle
           key: >
-            ${{ runner.os }}-${{ matrix.ruby }}-gems-${{ hashFiles(matrix.gemfile) }}
+            ${{ runner.os }}-${{ matrix.ruby }}-gems-${{
+            hashFiles(matrix.gemfile) }}
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1

data/README.md

@@ -35,14 +35,14 @@ setting these options directly to `SimpleAuth::MagicLink`:
 
 ```ruby
 SimpleAuth::MagicLink.tap do |magic_link|
-  # Optional. By default uses <https://github.com/fnando/haikunate>
-  magic_link.code = -> { SecureRandom.hex(10) }
+  # Optional. By default 6 random numbers.
+  magic_link.code = -> { Array.new(6) { SecureRandom.random_number(0..9) }.join }
 
   # Optional. By default, links expires 3 minutes from now.
   magic_link.ttl = 1.minute
 
   # Optional. By default, uses "default".
-  magic_link.purpose = :generic
+  magic_link.purpose = :default
 
   # Required. The lambda that will be used to generate the magic link.
   # This will require the default url options like in
@@ -71,20 +71,28 @@ Then, you can create magic links by using
 
 After you create a link, you can send it by email by using `magic_link.url`.
 
+> [!IMPORTANT]
+>
+> Save `magic_link.id` on the session. This id will be used later on to ensure
+> that the link was generated on the same browser/device.
+
 To verify the magic link, you can use
-`email = SimpleAuth::MagicLink.verify(request.original_url, **options)`, where
-options can be:
+`email = SimpleAuth::MagicLink.verify(url: request.original_url, id: session[:magic_link_id], **options)`,
+where options can be:
 
 - `purpose`: required. The purpose of the code being verified.
 
 If the url is valid (i.e. it hasn't been tempered and it hasn't expired), then
-you'll get the email tied to the token back. Otherwise, you'll get `nil`. Notice
-that verified tokens are automatically removed upon verification.
+you'll get the email tied to the token back. Otherwise, you'll get `nil`.
+
+> [!NOTE]
+>
+> Verified magic links are automatically removed upon verification.
 
 You can also verify the magic link by using just the code (maybe you sent this
 by SMS instead). In this case, you need to call something like
-`email = SimpleAuth::MagicLink.verify_code(code, **options)`. It expects the
-same options as `SimpleAuth::MagicLink.verify`.
+`email = SimpleAuth::MagicLink.verify_code(code:, id: session[:magic_link_id], **options)`.
+It expects the same options as `SimpleAuth::MagicLink.verify`.
 
 To remove expires links, use `SimpleAuth::MagicLink.clean!`.
 
@@ -94,9 +102,10 @@ something like this:
 
 1. User fills in log-in form with email address
 2. You call `magic_link = SimpleAuth::MagicLink.create!(email: params[:email])`
-3. You then pass this in to your mailer with something like
+3. You persist the magic link id with `session[:magic_link_id] = magic_link.id`
+4. You then pass this in to your mailer with something like
    `Mailer.login(magic_link).send_later`
-4. On your mailer, you can then have access to the user email via
+5. On your mailer, you can then have access to the user email via
    `magic_link.email`, the code via `magic_link.code` and the signed url via
    `magic_link.url`.
 

data/lib/simple_auth/magic_link/code_verifier.rb

@@ -2,13 +2,32 @@
 
 module SimpleAuth
   module MagicLink
-    class CodeVerifier < Verifier
-      def self.call(code, purpose, time)
-        new.call(code, purpose, time)
+    class CodeVerifier
+      def self.call(id:, code:, purpose:, time:)
+        new.call(id:, code:, purpose:, time:)
       end
 
-      def call(code, purpose, time)
-        verify_model(code, purpose, time)
+      def call(id:, code:, purpose:, time:)
+        verify_model(wanted_id: id, actual_code: code, purpose:, time:)
+      end
+
+      def secure_compare(a, b)
+        ActiveSupport::SecurityUtils.secure_compare(a, b)
+      end
+
+      def verify_model(wanted_id:, actual_code:, purpose:, time:)
+        magic_link = MagicLink.model.find_by(id: wanted_id)
+
+        return unless magic_link
+        return unless secure_compare(magic_link.code, actual_code.to_s)
+        return unless magic_link.expires_at >= time
+        return unless secure_compare(magic_link.purpose, purpose.to_s)
+
+        return unless magic_link
+
+        magic_link.destroy!
+
+        magic_link.email
       end
     end
   end

data/lib/simple_auth/magic_link/model.rb

@@ -16,7 +16,7 @@ module SimpleAuth
           url,
           key: MagicLink.keyring.current_key.encryption_key,
           expires: expires_at,
-          params: {code:, purpose:}
+          params: {id:}
         )
       end
     end

data/lib/simple_auth/magic_link/verifier.rb

@@ -3,28 +3,31 @@
 module SimpleAuth
   module MagicLink
     class Verifier
-      def self.call(url, purpose, time)
-        new.call(url, purpose, time)
+      def self.call(id:, url:, purpose:, time:)
+        new.call(id:, url:, purpose:, time:)
       end
 
-      def call(url, purpose, time)
+      def call(id:, url:, purpose:, time:)
         return unless SignedURL.verified?(url, key: MagicLink.encryption_key)
 
         uri = URI(url)
         params = Rack::Utils.parse_query(uri.query)
-        code = params.fetch("code")
+        actual_id = params.fetch("id")
 
-        verify_model(code, purpose, time)
+        verify_model(wanted_id: id, actual_id:, purpose:, time:)
       end
 
-      def verify_model(code, purpose, time)
-        magic_link = MagicLink
-                     .model
-                     .where("expires_at >= ?", time)
-                     .find_by(
-                       code_digest: MagicLink.keyring.digest(code),
-                       purpose:
-                     )
+      def secure_compare(a, b)
+        ActiveSupport::SecurityUtils.secure_compare(a, b)
+      end
+
+      def verify_model(wanted_id:, actual_id:, purpose:, time:)
+        magic_link = MagicLink.model.find_by(id: wanted_id)
+
+        return unless magic_link
+        return unless secure_compare(magic_link.id.to_s, actual_id.to_s)
+        return unless magic_link.expires_at >= time
+        return unless secure_compare(magic_link.purpose, purpose.to_s)
 
         return unless magic_link
 

data/lib/simple_auth/magic_link/version.rb

@@ -2,6 +2,6 @@
 
 module SimpleAuth
   module MagicLink
-    VERSION = "0.0.1"
+    VERSION = "0.0.3"
   end
 end

data/lib/simple_auth/magic_link.rb

@@ -3,7 +3,6 @@
 require "active_record"
 require "attr_keyring"
 require "defaults"
-require "haikunate"
 require "url_signature"
 require "rails/engine"
 
@@ -22,9 +21,7 @@ module SimpleAuth
     end
 
     def self.default_code
-      lambda do
-        Haikunate.call(variant: -> { SecureRandom.hex(3) })
-      end
+      -> { Array.new(6) { SecureRandom.random_number(0..9) }.join }
     end
 
     def self.encryption_key
@@ -54,22 +51,29 @@ module SimpleAuth
       )
     end
 
+    # Verify whether a url is valid or not.
+    # The provided `id` must match whatever is set on the url.
+    # Ideally, this `id` is saved on the user's session and compared whenever
+    # the user visits the link. This is the only way you can ensure that the
+    # url hasn't be generated on a different device.
     def self.verify(
-      url,
+      id:,
+      url:,
       time: Time.current,
       purpose: MagicLink.purpose,
       verifier: Verifier
     )
-      verifier.call(url, purpose, time)
+      verifier.call(id:, url:, purpose:, time:)
     end
 
     def self.verify_code(
-      code,
+      id:,
+      code:,
       time: Time.current,
       purpose: MagicLink.purpose,
       verifier: CodeVerifier
     )
-      verifier.call(code, purpose, time)
+      verifier.call(id:, code:, purpose:, time:)
     end
 
     def self.restore_defaults!

data/simple_auth-magic_link.gemspec

@@ -37,14 +37,13 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "activerecord"
   spec.add_dependency "attr_keyring"
+  spec.add_dependency "cgi"
   spec.add_dependency "defaults"
-  spec.add_dependency "haikunate"
   spec.add_dependency "simple_auth"
   spec.add_dependency "url_signature"
   spec.add_development_dependency "minitest"
   spec.add_development_dependency "minitest-utils"
   spec.add_development_dependency "mocha"
-  spec.add_development_dependency "pry-meta"
   spec.add_development_dependency "rails"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rubocop"

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: simple_auth-magic_link
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
 platform: ruby
 authors:
 - me@fnando.com
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-02-01 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -39,7 +38,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: defaults
+  name: cgi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +52,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: haikunate
+  name: defaults
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -136,20 +135,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry-meta
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -277,11 +262,10 @@ metadata:
   rubygems_mfa_required: 'true'
   homepage_uri: https://github.com/fnando/simple_auth-magic_link
   bug_tracker_uri: https://github.com/fnando/simple_auth-magic_link/issues
-  source_code_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.1
-  changelog_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.1/CHANGELOG.md
-  documentation_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.1/README.md
-  license_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.1/LICENSE.md
-post_install_message:
+  source_code_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.3
+  changelog_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.3/CHANGELOG.md
+  documentation_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.3/README.md
+  license_uri: https://github.com/fnando/simple_auth-magic_link/tree/v0.0.3/LICENSE.md
 rdoc_options: []
 require_paths:
 - lib
@@ -296,8 +280,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.5
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Passwordless sign-in for simple_auth.
 test_files: []