tiny_auth 2.0.0 → 3.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff3ff4ff25d9895b64f12d3e506d3c4ebba61c5c0ba702afc37501aeb13dc956
-  data.tar.gz: 6f71e8f393807eb1b5ab944d720982a7b14e4cbb43a00f2ede0f822ad8cb85cc
+  metadata.gz: 2647d2fe76d8180529cfa176c812f50723d643c37e649ab80a57820ace588f46
+  data.tar.gz: e9abd283be1c37c8eaeebd884e9ac6bba07ee25f2d433b37e560397a7e8b50a5
 SHA512:
-  metadata.gz: d8d987c6ca4ef3387d245a9f4e6a263729a928839466617b227db3592d96ffce8605513fbf78f63d33802de18712c36a97b04f8961570a7fb3e57c45e2101341
-  data.tar.gz: 72c2cee4eb4bc47dbe50dfa55473d3ae3be6eca231ebbd5581d000c633dfffe204c79493f9171a51087cffa419135ef3392ebe09416623b42c70a569e8787445
+  metadata.gz: c550af99cb5fc1b38e1ad68f287a2f0f1b19df3ba8b3c7fa33a4506bacf904717294d6acb9da376a2309d29aac4152d14fa1a04f1a44dbc9b8171f99c92fa4a2
+  data.tar.gz: 571ef546820aed2fc724ea2bbd1871107c6a83257467599fefeed34b270014b610af027680e8bab07cb1d41d70cd7f85013341e39bb0c6265e2ec2ff287b3bb8

data/README.md

@@ -16,17 +16,17 @@ And then execute:
 
 ## Usage
 
+### `TinyAuth::Model`
+
 First, create a table to store your users:
 
 ```ruby
 create_table :users do |t|
   t.string :email, null: false
   t.string :password_digest, null: false
-  t.string :reset_token_digest
-  t.datetime :reset_token_expires_at
-
+  t.integer :token_version, null: false, default: 0
   t.index :email, unique: true
-  t.index :reset_token_digest, unique: true
+  t.index [:id, :token_version], unique: true
 end
 ```
 
@@ -35,41 +35,95 @@ Your model should look like this:
 ```ruby
 class User < ApplicationRecord
   include TinyAuth::Model
-  has_secure_password
 end
 ```
 
-Now, you're ready to authenticate!
+#### `#generate_token(purpose: :access, expires_in: 24.hours)`
+
+Generate a token. The token is generated from the user's `id` and their `token_version`.
+
+If the `token_version` changes, all previously issued tokens will be revoked. Anytime the
+user's password changes, this will happen automatically.
 
 ```ruby
-user = User.find_by_email("user@example.com")
-user = User.find_by_credentials("user@example.com", "password")
+irb> user.generate_token
+"eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJ..."
+
+irb> user.generate_token(purpose: :reset, expires_in: 1.hour)
+"eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJ..."
+```
+
+#### `#invalidate_tokens`
+
+Increments the `#token_version`, but does not apply the change to the database.
+
+#### `#invalidate_tokens!`
 
-token = user.generate_token
-user = User.find_by_token(token)
+Increments the `#token_version` and applies the change to the database.
 
-reset_token = user.generate_reset_token
-user = User.exchange_reset_token(reset_token)
+#### `.find_by_email(email)`
+
+Find a user by their email address. The query will disregard casing.
+
+```ruby
+irb> User.find_by_email("user@example.com")
+#<User id: 1, email: "user@example.com">
 ```
 
-Oh, and you can add authentication to your controllers:
+#### `.find_by_credentials(email, password)`
+
+Find a user by their email, then check that the password matches.
+
+If the email doesn't exist, `nil` will be returned. If the password doesn't match, `nil` will be returned.
 
 ```ruby
-class ApplicationController < ActionController::Base
-  include TinyAuth::Controller.new(model: User)
+irb> User.find_by_credentials("user@example.com", "testing123")
+#<User id: 1, email: "user@example.com">
+
+irb> User.find_by_credentials("user@example.com", "")
+nil
+
+irb> User.find_by_credentials("", "")
+nil
+```
+
+#### `.find_by_token(token, purpose: :access)`
+
+Find a user by their token. If the user can't be found, `nil` will be returned.
+
+```ruby
+irb> User.find_by_token(token)
+#<User id: 1, email: "user@example.com">
 
-  before_action :authenticate_user
+irb> User.find_by_token(reset_token, purpose: :reset)
+#<User id: 1, email: "user@example.com">
 
-  def index
-    if user_signed_in?
-      render json: {id: current_user.id}
-    else
-      head :unauthorized
-    end
-  end
+irb> User.find_by_token("")
+nil
+```
+
+### `TinyAuth::Controller`
+
+```ruby
+class ApplicationController < ActionController::Base
+  include TinyAuth::Controller.new(model: User)
 end
 ```
 
+The example above would generate the following methods based on the model's name:
+
+#### `#authenticate_user`
+
+This method should be called in a `before_action`. If an `Authorization` header is found, it will attempt to locate a user.
+
+#### `#current_user`
+
+An accessor that can be used to obtain access to the authenticated user after calling `authenticate_user`.
+
+#### `#user_signed_in?`
+
+A convenience method to determine if a user is signed in.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/rzane/tiny_auth. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/bin/console

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "irb"
+require "active_record"
+require "tiny_auth"
+
+require_relative "../spec/support/schema"
+require_relative "../spec/support/models"
+
+TinyAuth.secret = "supersecret"
+ActiveRecord::Base.logger = ActiveSupport::Logger.new(STDOUT)
+
+User.create!(email: "user@example.com", password: "testing123")
+
+IRB.start(__FILE__)

data/docs/UPGRADING.md

@@ -0,0 +1,17 @@
+# Upgrading
+
+## 2.x to 3.x
+
+- Change all occurences of `generate_reset_token` to use `generate_token`.
+- Change all occurences of `exchange_reset_token` to use `find_by_token`.
+- Add a new migration:
+
+```ruby
+change_table :users do |t|
+  t.remove :reset_token_digest
+  t.remove :reset_token_expires_at
+
+  t.integer :token_version, null: false, default: 0
+  t.index [:id, :token_version], unique: true
+end
+```

data/lib/tiny_auth.rb

@@ -1,42 +1,25 @@
-require "openssl"
-require "tiny_auth/model"
 require "tiny_auth/controller"
+require "tiny_auth/model"
+require "tiny_auth/verifier"
 require "tiny_auth/version"
 
 module TinyAuth
   class << self
-    # A secret that is used for hashing tokens.
-    #
-    # If `Rails` is defined, it will attempt to use
-    # `Rails.application.secret_key_base`.
-    #
-    # @raise [RuntimeError]
-    # @return [String]
-    def secret
-      @secret || secret_key_base || missing_secret!
-    end
-
-    # Configure the secret that is used for hashing tokens.
+    # Configure the secret used to sign and verify tokens.
     # @param secret [String]
     def secret=(secret)
-      @secret = secret
+      @verifier = Verifier.new(secret)
     end
 
-    # Create a hash from a value using the secret
-    # @param value [String]
-    # @return [String]
-    def hexdigest(value)
-      OpenSSL::HMAC.hexdigest("SHA256", secret, value)
-    end
-
-    private
-
-    def secret_key_base
-      Rails.application.secret_key_base if defined? Rails
-    end
-
-    def missing_secret!
-      raise "You need to configure TinyAuth.secret"
+    def verifier # :nodoc:
+      @verifier || raise("Secret has not been configured")
     end
   end
 end
+
+begin
+  require "rails/railtie"
+rescue LoadError
+else
+  require "tiny_auth/railtie"
+end

data/lib/tiny_auth/model.rb

@@ -1,12 +1,12 @@
 require "active_record"
-require "globalid"
 require "active_support/core_ext/numeric/time"
-require "active_support/core_ext/securerandom"
 
 module TinyAuth
   module Model
     def self.included(base)
       base.extend ClassMethods
+      base.has_secure_password
+      base.before_save :invalidate_tokens, if: :password_digest_changed?
     end
 
     module ClassMethods
@@ -14,7 +14,7 @@ module TinyAuth
       # @param email [String]
       # @return [ActiveRecord::Base,nil]
       def find_by_email(email)
-        find_by arel_table[:email].lower.eq(email.downcase)
+        find_by(arel_table[:email].lower.eq(email.downcase))
       end
 
       # Find a resource by their email address and password
@@ -29,47 +29,38 @@ module TinyAuth
 
       # Finds a resource by a token
       # @param token [String]
+      # @param purpose [Symbol] defaults to `:access`
       # @return [ActiveRecord::Base,nil]
-      def find_by_token(token)
-        resource = GlobalID::Locator.locate_signed(token, for: :access)
-        resource if resource.kind_of?(self)
-      rescue ActiveRecord::RecordNotFound
-      end
-
-      # Finds a resource by their reset token and nillifies `reset_password_digest`
-      # and `reset_token_expires_at` fields
-      # @param token [String]
-      # @return [ActiveRecord::Base,nil]
-      def exchange_reset_token(token)
-        digest = TinyAuth.hexdigest(token)
-        not_expired = arel_table[:reset_token_expires_at].gt(Time.now)
-        resource = where(not_expired).find_by(reset_token_digest: digest)
-        resource&.reset_token_digest = nil
-        resource&.reset_token_expires_at = nil
-        resource
+      def find_by_token(token, purpose: :access)
+        id, token_version = TinyAuth.verifier.verify(token, purpose: purpose)
+        find_by(id: id, token_version: token_version)
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
       end
     end
 
-    # Generates a stateless token for a resource
+    # Generates a token for this resource.
     # @param expires_in [ActiveSupport::Duration] defaults to 24 hours
-    def generate_token(expires_in: 24.hours)
-      to_signed_global_id(expires_in: expires_in, for: :access).to_s
+    # @param purpose [Symbol] defaults to `:access`
+    # @return [String]
+    def generate_token(purpose: :access, expires_in: 24.hours)
+      TinyAuth.verifier.generate(
+        [id, token_version],
+        purpose: purpose,
+        expires_in: expires_in
+      )
     end
 
-    # Generates a reset token for a resource. A hashed version of the token
-    # is stored in the database
-    # @param expires_in [ActiveSupport::Duration] defaults to 2 hours
-    def generate_reset_token(expires_in: 2.hours)
-      token = SecureRandom.base58(24)
-      digest = TinyAuth.hexdigest(token)
-      expiry = expires_in.from_now
-
-      update_columns(
-        reset_token_digest: digest,
-        reset_token_expires_at: expiry
-      )
+    # Invalidate all tokens for this resource. The token version will
+    # be incremented and written to the database.
+    # @return [self]
+    def invalidate_tokens!
+      increment!(:token_version)
+    end
 
-      token
+    # Invalidate all tokens for this resource. The token version will
+    # be incremented, but it will not be written to the database.
+    def invalidate_tokens
+      increment(:token_version)
     end
   end
 end

data/lib/tiny_auth/railtie.rb

@@ -0,0 +1,7 @@
+module TinyAuth
+  class Railtie < Rails::Railtie # :nodoc:
+    initializer "tiny_auth" do |app|
+      TinyAuth.secret = app.key_generator.generate_key("tiny_auth")
+    end
+  end
+end

data/lib/tiny_auth/verifier.rb

@@ -0,0 +1,16 @@
+require "base64"
+require "active_support/message_verifier"
+
+module TinyAuth
+  class Verifier < ActiveSupport::MessageVerifier # :nodoc:
+    private
+
+    def encode(data)
+      ::Base64.urlsafe_encode64(data)
+    end
+
+    def decode(data)
+      ::Base64.urlsafe_decode64(data)
+    end
+  end
+end

data/lib/tiny_auth/version.rb

@@ -1,3 +1,3 @@
 module TinyAuth
-  VERSION = "2.0.0"
+  VERSION = "3.0.0.rc1"
 end

data/tiny_auth.gemspec

@@ -26,7 +26,6 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "activerecord", "~> 6.0"
   spec.add_dependency "activesupport", "~> 6.0"
-  spec.add_dependency "globalid", "~> 0.4"
 
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 10.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tiny_auth
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0.rc1
 platform: ruby
 authors:
 - Ray Zane
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-26 00:00:00.000000000 Z
+date: 2021-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -38,20 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
-- !ruby/object:Gem::Dependency
-  name: globalid
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -137,9 +123,13 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- bin/console
+- docs/UPGRADING.md
 - lib/tiny_auth.rb
 - lib/tiny_auth/controller.rb
 - lib/tiny_auth/model.rb
+- lib/tiny_auth/railtie.rb
+- lib/tiny_auth/verifier.rb
 - lib/tiny_auth/version.rb
 - tiny_auth.gemspec
 homepage: https://github.com/rzane/tiny_auth
@@ -148,7 +138,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/rzane/tiny_auth
   source_code_uri: https://github.com/rzane/tiny_auth
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -159,13 +149,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Bare-minimum authentication for APIs
 test_files: []