verify_it 0.2.0 → 0.4.0.beta

data/app/controllers/verify_it/verifications_controller.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module VerifyIt
+  class VerificationsController < ApplicationController
+    VALID_CHANNELS = %i[sms email].freeze
+
+    before_action :validate_resolvers_configured!
+
+    # POST /send  { channel: "sms"|"email" }
+    def create
+      record = resolve_record
+      return render json: { error: "Unauthorized" }, status: :unauthorized if record.nil?
+
+      channel    = resolve_channel
+      identifier = resolve_identifier(record, channel)
+      result     = VerifyIt.send_code(to: identifier, record: record, channel: channel, context: {})
+
+      if result.success?
+        payload = { message: I18n.t("verify_it.responses.sent") }
+        payload[:code] = result.code if VerifyIt.configuration.test_mode
+        render json: payload, status: :created
+      elsif result.rate_limited?
+        render json: { error: I18n.t("verify_it.errors.rate_limited") }, status: :too_many_requests
+      else
+        render json: { error: I18n.t("verify_it.errors.#{result.error || :delivery_failed}") },
+               status: :unprocessable_entity
+      end
+    end
+
+    # POST /confirm  { channel: "sms"|"email", code: "123456" }
+    def verify
+      record = resolve_record
+      return render json: { error: "Unauthorized" }, status: :unauthorized if record.nil?
+
+      channel    = resolve_channel
+      identifier = resolve_identifier(record, channel)
+      result     = VerifyIt.verify_code(to: identifier, code: params[:code].to_s, record: record)
+
+      if result.success?
+        render json: { message: I18n.t("verify_it.responses.verified") }, status: :ok
+      elsif result.locked?
+        render json: { error: I18n.t("verify_it.errors.locked") }, status: :too_many_requests
+      elsif result.rate_limited?
+        render json: { error: I18n.t("verify_it.errors.rate_limited") }, status: :too_many_requests
+      else
+        render json: { error: I18n.t("verify_it.errors.#{result.error || :invalid_code}") },
+               status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    def validate_resolvers_configured!
+      unless VerifyIt.configuration.current_record_resolver
+        raise ConfigurationError, "VerifyIt: configure current_record_resolver to use HTTP endpoints."
+      end
+      return if VerifyIt.configuration.identifier_resolver
+
+      raise ConfigurationError, "VerifyIt: configure identifier_resolver to use HTTP endpoints."
+    end
+
+    def resolve_record = VerifyIt.configuration.current_record_resolver.call(request)
+
+    def resolve_channel
+      ch = params[:channel]&.to_sym
+      VALID_CHANNELS.include?(ch) ? ch : VerifyIt.configuration.delivery_channel
+    end
+
+    def resolve_identifier(record, channel) = VerifyIt.configuration.identifier_resolver.call(record, channel)
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,16 @@
+en:
+  verify_it:
+    responses:
+      sent: "Verification code sent."
+      verified: "Successfully verified."
+    errors:
+      rate_limited: "Too many attempts. Please try again later."
+      invalid_code: "The code you entered is invalid."
+      code_not_found: "No active verification code found. Please request a new one."
+      locked: "Your account is temporarily locked due to too many failed attempts."
+      delivery_failed: "Failed to deliver verification code. Please try again."
+    sms:
+      default_message: "%{code} is your verification code."
+    email:
+      default_subject: "Your verification code"
+      default_message: "Your verification code is %{code}."

data/config/routes.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+VerifyIt::Engine.routes.draw do
+  post "send",    to: "verifications#create",  as: :send_verification
+  post "confirm", to: "verifications#verify",  as: :confirm_verification
+end

data/lib/generators/verify_it/install/install_generator.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "rails/generators/migration"
+
+module VerifyIt
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Creates a VerifyIt initializer, mounts the engine in routes, " \
+           "and generates a migration when using database storage."
+
+      class_option :storage, type: :string, default: "memory",
+                             desc: "Storage backend to use: memory, redis, or database"
+
+      def self.next_migration_number(dirname)
+        next_num = current_migration_number(dirname) + 1
+        ActiveRecord::Migration.next_migration_number(next_num)
+      end
+
+      def create_initializer
+        template "initializer.rb.erb", "config/initializers/verify_it.rb"
+      end
+
+      def mount_engine
+        route 'mount VerifyIt::Engine, at: "/verify_it"'
+      end
+
+      def generate_migration
+        return unless storage == "database"
+
+        migration_template "create_verify_it_tables.rb",
+                           "db/migrate/create_verify_it_tables.rb"
+      end
+
+      private
+
+      def storage
+        options[:storage]
+      end
+    end
+  end
+end

data/lib/{verify_it/templates/migration.rb.erb → generators/verify_it/install/templates/create_verify_it_tables.rb}

@@ -1,6 +1,4 @@
-# frozen_string_literal: true
-
-class CreateVerifyItTables < ActiveRecord::Migration[7.0]
+class CreateVerifyItTables < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
   def change
     create_table :verify_it_codes do |t|
       t.string :identifier, null: false

data/lib/{verify_it → generators/verify_it/install}/templates/initializer.rb.erb

@@ -1,16 +1,20 @@
 # frozen_string_literal: true
 
 VerifyIt.configure do |config|
-<% if storage_type == "redis" %>
+  # Required: set a secret key to hash verification codes before storage.
+  # It is not required to use the Rails secret key base.
+  config.secret_key_base = Rails.application.secret_key_base
+
+<% if storage == "redis" -%>
   config.storage = :redis
   config.redis_client = Redis.new(url: ENV.fetch("REDIS_URL", "redis://localhost:6379/0"))
-<% elsif storage_type == "database" %>
+<% elsif storage == "database" -%>
   config.storage = :database
-<% else %>
+<% else -%>
   # config.storage = :memory  # default
-<% end %>
+<% end -%>
 
-  # Required: configure your delivery channel(s)
+  # Required: configure your delivery channel(s).
   config.email_sender = ->(to:, code:, context:) {
     # VerificationMailer.send_code(to, code, context).deliver_now
   }
@@ -19,7 +23,17 @@ VerifyIt.configure do |config|
     # e.g. Twilio, Vonage, etc.
   }
 
-  # Optional overrides (sensible defaults are set automatically):
+  # Required: resolve the current authenticated record from a request.
+  config.current_record_resolver = ->(request) {
+    # User.find_by(id: request.session[:user_id])
+  }
+
+  # Required: resolve the delivery identifier (phone/email) from the record and channel.
+  config.identifier_resolver = ->(record, channel) {
+    # channel == :sms ? record.phone_number : record.email
+  }
+
+  # Optional overrides (shown with defaults):
   # config.code_length = 6
   # config.code_ttl = 300
   # config.code_format = :numeric

data/lib/verify_it/code_generator.rb

@@ -16,17 +16,17 @@ module VerifyIt
     end
 
     def self.generate_numeric(length)
-      Array.new(length) { rand(0..9) }.join
+      Array.new(length) { SecureRandom.random_number(10) }.join
     end
 
     def self.generate_alphanumeric(length)
       chars = ("0".."9").to_a + ("A".."Z").to_a
-      Array.new(length) { chars.sample }.join
+      Array.new(length) { chars.sample(random: SecureRandom) }.join
     end
 
     def self.generate_alpha(length)
       chars = ("A".."Z").to_a
-      Array.new(length) { chars.sample }.join
+      Array.new(length) { chars.sample(random: SecureRandom) }.join
     end
   end
 end

data/lib/verify_it/code_hasher.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module VerifyIt
+  # Hashes verification codes with HMAC-SHA256 before storage.
+  #
+  # Using a secret key makes offline brute-force of the small OTP keyspace
+  # infeasible even if the storage layer is compromised.
+  module CodeHasher
+    # @param code [String] the plaintext verification code
+    # @param secret [String] the HMAC secret (config.secret_key_base)
+    # @return [String] hex-encoded HMAC-SHA256 digest
+    # @raise [ArgumentError] if secret is nil or empty
+    def self.digest(code, secret:)
+      if secret.nil? || secret.to_s.empty?
+        raise ArgumentError,
+              "VerifyIt requires secret_key_base to be configured. " \
+              "Set config.secret_key_base in your initializer."
+      end
+
+      OpenSSL::HMAC.hexdigest("SHA256", secret.to_s, code.to_s)
+    end
+  end
+end

data/lib/verify_it/configuration.rb

@@ -19,7 +19,20 @@ module VerifyIt
                   :on_verify_failure,
                   :namespace,
                   :test_mode,
-                  :bypass_delivery
+                  :bypass_delivery,
+                  :secret_key_base,
+                  :current_record_resolver,
+                  :identifier_resolver
+
+    def validate!
+      if secret_key_base.nil? || secret_key_base.to_s.strip.empty?
+        raise ConfigurationError, "VerifyIt: secret_key_base must be configured before use."
+      end
+
+      return unless test_mode && defined?(Rails) && Rails.env.production?
+
+      raise ConfigurationError, "VerifyIt: test_mode must not be enabled in production."
+    end
 
     def initialize
       # Default values
@@ -41,6 +54,9 @@ module VerifyIt
       @namespace = nil
       @test_mode = false
       @bypass_delivery = false
+      @secret_key_base = nil
+      @current_record_resolver = nil
+      @identifier_resolver = nil
     end
   end
 end

data/lib/verify_it/engine.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "rails/engine"
+
+module VerifyIt
+  class Engine < ::Rails::Engine
+    isolate_namespace VerifyIt
+
+    initializer "verify_it.i18n" do
+      config.i18n.load_path += Dir[Engine.root.join("config", "locales", "**", "*.yml").to_s]
+    end
+
+    initializer "verify_it.active_record" do
+      ActiveSupport.on_load(:active_record) do
+        include VerifyIt::Verifiable
+      end
+    end
+  end
+end

data/lib/verify_it/storage/database_storage.rb

@@ -5,9 +5,7 @@ module VerifyIt
     class DatabaseStorage < Base
       def initialize
         # Verify ActiveRecord is available
-        unless defined?(::ActiveRecord)
-          raise StandardError, "ActiveRecord is required for DatabaseStorage"
-        end
+        raise StandardError, "ActiveRecord is required for DatabaseStorage" unless defined?(::ActiveRecord)
 
         # Load models only when needed
         require_relative "models/code"
@@ -130,10 +128,13 @@ module VerifyIt
         scope = scope.for_record(record) if record
         scope.delete_all
 
-        # Delete attempts
+        # Delete attempts for this identifier
         scope = Models::Attempt.for_identifier(identifier)
         scope = scope.for_record(record) if record
         scope.delete_all
+
+        # Purge all globally expired attempt records
+        Models::Attempt.cleanup_expired
       end
 
       private
@@ -146,8 +147,8 @@ module VerifyIt
 
       def find_attempt(identifier:, record:, attempt_type:)
         scope = Models::Attempt
-          .for_identifier(identifier)
-          .where(attempt_type: attempt_type)
+                .for_identifier(identifier)
+                .where(attempt_type: attempt_type)
 
         scope = scope.for_record(record) if record
         scope.first

data/lib/verify_it/storage/memory_storage.rb

@@ -118,10 +118,10 @@ module VerifyIt
       end
 
       def cleanup(identifier:, record:)
+        keys_to_delete = %w[code attempts send_count].map do |suffix|
+          build_key(identifier: identifier, record: record, suffix: suffix)
+        end
         @mutex.synchronize do
-          keys_to_delete = @data.keys.select do |key|
-            key.include?(identifier.to_s) && (record.nil? || key.include?(record.class.name))
-          end
           keys_to_delete.each { |key| @data.delete(key) }
         end
       end

data/lib/verify_it/storage/models/attempt.rb

@@ -14,9 +14,9 @@ module VerifyIt
         scope :active, -> { where("expires_at > ?", Time.now) }
         scope :expired, -> { where("expires_at <= ?", Time.now) }
         scope :for_identifier, ->(identifier) { where(identifier: identifier) }
-        scope :for_record, ->(record) do
+        scope :for_record, lambda { |record|
           where(record_type: record.class.name, record_id: record.id)
-        end
+        }
         scope :verification_type, -> { where(attempt_type: "verification") }
         scope :send_type, -> { where(attempt_type: "send") }
 

data/lib/verify_it/storage/models/code.rb

@@ -13,9 +13,9 @@ module VerifyIt
         scope :active, -> { where("expires_at > ?", Time.now) }
         scope :expired, -> { where("expires_at <= ?", Time.now) }
         scope :for_identifier, ->(identifier) { where(identifier: identifier) }
-        scope :for_record, ->(record) do
+        scope :for_record, lambda { |record|
           where(record_type: record.class.name, record_id: record.id)
-        end
+        }
 
         def expired?
           expires_at <= Time.now

data/lib/verify_it/storage/models/identifier_change.rb

@@ -9,9 +9,9 @@ module VerifyIt
         validates :identifier, presence: true
         validates :created_at, presence: true
 
-        scope :for_record, ->(record) do
+        scope :for_record, lambda { |record|
           where(record_type: record.class.name, record_id: record.id)
-        end
+        }
         scope :recent, ->(window) { where("created_at > ?", Time.now - window) }
 
         def self.cleanup_old(window)

data/lib/verify_it/verifiable.rb

@@ -18,9 +18,7 @@ module VerifyIt
         verify_method = "verify_#{channel}_code"
         cleanup_method = "cleanup_#{channel}_verification"
 
-        if method_defined?(send_method)
-          raise ArgumentError, "Method #{send_method} is already defined on #{name}"
-        end
+        raise ArgumentError, "Method #{send_method} is already defined on #{name}" if method_defined?(send_method)
 
         define_method(send_method) do |context: {}|
           identifier = send(attribute)