standard_id 0.26.1 → 0.26.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a44aeb31a30319f06f305078bc0d9f0f5c20eff095680f3414085a7fb031c39c
|
|
4
|
+
data.tar.gz: 05bb225c7724ece28d0702345fe8f0560bef3e69d972a4b5f82ee3f97a304048
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4d796392613832ea4987009991eb1c191936a492cfe60e69964ee28416c9e6c5715263499bf12045563bf9d861996f07fc6eca0def955e776dbf25cbb4f2b833
|
|
7
|
+
data.tar.gz: e12e0634851c73da51edff7433392bf44ce721fbc078dc993cee9f6035bec336ca60b38c2d0897e9a0478075d32ff9984c0ecfb1063882a9cfcf814501a2e75b
|
|
@@ -16,8 +16,26 @@ module StandardId
|
|
|
16
16
|
before_action -> { Current.scope = :web if defined?(::Current) }
|
|
17
17
|
before_action :require_browser_session!
|
|
18
18
|
|
|
19
|
+
# The authentication guard (require_browser_session!) RAISES when a page
|
|
20
|
+
# requires a session that's missing / expired / revoked, rather than
|
|
21
|
+
# redirecting. The API base controller rescues the same errors; the web
|
|
22
|
+
# flow must too, or an unauthenticated request to a protected page (e.g.
|
|
23
|
+
# /sessions) surfaces as a 500 instead of bouncing to login. Expired and
|
|
24
|
+
# revoked sessions are InvalidSessionError subclasses.
|
|
25
|
+
rescue_from StandardId::NotAuthenticatedError,
|
|
26
|
+
StandardId::InvalidSessionError,
|
|
27
|
+
with: :redirect_unauthenticated_to_login
|
|
28
|
+
|
|
19
29
|
private
|
|
20
30
|
|
|
31
|
+
# Bounce an unauthenticated web request to the login page, preserving the
|
|
32
|
+
# original destination (the guard already stored return_to_after_authenticating;
|
|
33
|
+
# redirect_to_login also carries it as a ?redirect_uri= param).
|
|
34
|
+
def redirect_unauthenticated_to_login(_error)
|
|
35
|
+
store_location_for_redirect
|
|
36
|
+
redirect_to_login
|
|
37
|
+
end
|
|
38
|
+
|
|
21
39
|
# Read a top-level query/form param expected to be a scalar String, returning
|
|
22
40
|
# nil for absent/blank values OR if Rails parsed it as an Array/Hash (e.g. from
|
|
23
41
|
# `?redirect_uri[]=a&redirect_uri[]=b`). Without this guard, `redirect_to` is
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module StandardId
|
|
2
|
+
# Mailer delivery job that suppresses ActiveJob argument logging.
|
|
3
|
+
#
|
|
4
|
+
# The gem's mailers carry sensitive data in their params — the passwordless
|
|
5
|
+
# OTP code (PasswordlessMailer) and the password-reset URL/token
|
|
6
|
+
# (PasswordResetMailer). `deliver_later` serializes those params as the
|
|
7
|
+
# delivery job's arguments, and ActiveJob's log subscriber prints job
|
|
8
|
+
# arguments in plaintext on enqueue/perform — so the OTP/token would land in
|
|
9
|
+
# the application logs (readable by anyone with log access).
|
|
10
|
+
#
|
|
11
|
+
# Setting `log_arguments = false` keeps the arguments out of the logs without
|
|
12
|
+
# changing delivery behaviour. (The params still travel inside the serialized
|
|
13
|
+
# job payload until the job runs — a far higher access bar than logs, and
|
|
14
|
+
# short-lived — but they never reach the log stream.)
|
|
15
|
+
class SecureMailDeliveryJob < ActionMailer::MailDeliveryJob
|
|
16
|
+
self.log_arguments = false
|
|
17
|
+
end
|
|
18
|
+
end
|
|
@@ -1,5 +1,10 @@
|
|
|
1
1
|
module StandardId
|
|
2
2
|
class ApplicationMailer < ActionMailer::Base
|
|
3
|
+
# Use a delivery job that doesn't log its arguments — the gem's mailers pass
|
|
4
|
+
# sensitive params (OTP code, password-reset token) that ActiveJob would
|
|
5
|
+
# otherwise print in plaintext. Applies to all StandardId mailers.
|
|
6
|
+
self.delivery_job = StandardId::SecureMailDeliveryJob
|
|
7
|
+
|
|
3
8
|
default from: "from@example.com"
|
|
4
9
|
layout "mailer"
|
|
5
10
|
end
|
data/lib/standard_id/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: standard_id
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.26.
|
|
4
|
+
version: 0.26.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jaryl Sim
|
|
@@ -169,6 +169,7 @@ files:
|
|
|
169
169
|
- app/jobs/standard_id/cleanup_expired_refresh_tokens_job.rb
|
|
170
170
|
- app/jobs/standard_id/cleanup_expired_sessions_job.rb
|
|
171
171
|
- app/jobs/standard_id/password_reset_delivery_job.rb
|
|
172
|
+
- app/jobs/standard_id/secure_mail_delivery_job.rb
|
|
172
173
|
- app/mailers/standard_id/application_mailer.rb
|
|
173
174
|
- app/mailers/standard_id/password_reset_mailer.rb
|
|
174
175
|
- app/mailers/standard_id/passwordless_mailer.rb
|