4 |
5 | This is a Rails library which provides applications with a database-backed user
6 | sessions. This ensures that user sessions can be invalidated from the server and
7 | users activity can be easily tracked.
8 |
9 | The "traditional" way of simply setting a user ID in your session is insecure
10 | and unwise. If you simply do something like the example below, it means that anyone
11 | with access to the session cookie can login as the user whenever and wherever they wish.
12 |
13 | To clarify: while by default Rails session cookies are encrypted, there is
14 | nothing to allow them to be invalidated if someone were to "steal" an encrypted
15 | cookie from an authenticated user. This could be stolen using a MITM attack or
16 | simply by stealing it directly from their browser when they're off getting a coffee.
17 |
18 | ```ruby
19 | if user = User.authenticate(params[:username], params[:password])
20 | # Don't do this...
21 | session[:user_id] = user.id
22 | redirect_to root_path, :notice => "Logged in successfully!"
23 | end
24 | ```
25 |
26 | The design goals behind Authie are:
27 |
28 | - Any session can be invalidated instantly from the server without needing to make
29 | changes to remote cookies.
30 | - We can see who is logged in to our application at any point in time.
31 | - Sessions should automatically expire after a certain period of inactivity.
32 | - Sessions can be either permanent or temporary.
33 |
34 | ## Installation
35 |
36 | As usual, just pop this in your Gemfile:
37 |
38 | ```ruby
39 | gem 'authie', '~> 4.0'
40 | ```
41 |
42 | You will then need add the database tables Authie needs to your database. You
43 | should copy Authie's migrations and then migrate.
44 |
45 | ```
46 | rake authie:install:migrations
47 | rake db:migrate
48 | ```
49 |
50 | ## Usage
51 |
52 | Authie is just a session manager and doesn't provide any functionality for your authentication or User models. Your `User` model should implement any methods needed to authenticate a username & password.
53 |
54 | ### Creating a new session
55 |
56 | When a user has been authenticated, you can simply set `current_user` to the user
57 | you wish to login. You may have a method like this in a controller.
58 |
59 | ```ruby
60 | class SessionsController < ApplicationController
61 |
62 | def create
63 | if user = User.authenticate(params[:username], params[:password])
64 | create_auth_session(user)
65 | redirect_to root_path
66 | else
67 | flash.now[:alert] = "Username/password was invalid"
68 | end
69 | end
70 |
71 | end
72 | ```
73 |
74 | ### Checking whether user's are logged in
75 |
76 | On any subsequent request, you should make sure that your user is logged in.
77 | You may wish to implement a `login_required` controller method which is called
78 | before every action in your application.
79 |
80 | ```ruby
81 | class ApplicationController < ActionController::Base
82 |
83 | before_action :login_required
84 |
85 | private
86 |
87 | def login_required
88 | return if logged_in?
89 |
90 | redirect_to login_path, :alert => "You must login to view this resource"
91 | end
92 |
93 | end
94 | ```
95 |
96 | ### Accessing the current user (and session)
97 |
98 | There are a few controller methods which you can call which will return information about the current session:
99 |
100 | - `current_user` - returns the currently logged in user
101 | - `auth_session` - returns the current auth session
102 | - `logged_in?` - returns a true if there's a session or false if no user is logged in
103 |
104 | ### Catching session errors
105 |
106 | If there is an issue with an auth session, an error will be raised which you need
107 | to catch within your application. The errors which will be raised are:
108 |
109 | - `Authie::Session::InactiveSession` - is raised when a session has been de-activated.
110 | - `Authie::Session::ExpiredSession` - is raised when a session expires.
111 | - `Authie::Session::BrowserMismatch` - is raised when the browser ID provided does
112 | not match the browser ID associated with the session token provided.
113 | - `Authie::Session::HostMismatch` - is raised when the session is used on a hostname
114 | that does not match that which created the session
115 |
116 | The easiest way to rescue these to use a `rescue_from`. For example:
117 |
118 | ```ruby
119 | class ApplicationController < ActionController::Base
120 |
121 | rescue_from Authie::Session::ValidityError, :with => :auth_session_error
122 |
123 | private
124 |
125 | def auth_session_error
126 | redirect_to login_path, :alert => "Your session is no longer valid. Please login again to continue..."
127 | end
128 |
129 | end
130 | ```
131 |
132 | ### Logging out
133 |
134 | In order to invalidate a session you can simply invalidate it.
135 |
136 | ```ruby
137 | def logout
138 | auth_session.invalidate
139 | redirect_to login_path, :notice => "Logged out successfully."
140 | end
141 | ```
142 |
143 | ### Default session length
144 |
145 | By default, a session will last for however long it is being actively used in
146 | browser. If the user stops using your application, the session will last for
147 | 12 hours before becoming invalid. You can change this:
148 |
149 | ```ruby
150 | Authie.config.session_inactivity_timeout = 2.hours
151 | ```
152 |
153 | This does not apply if the session is marked as persistent. See below.
154 |
155 | ### Persisting sessions
156 |
157 | In some cases, you may wish users to have a permanent sessions. In this case,
158 | you should ask users after they have logged in if they wish to "persist" their
159 | session across browser restarts. If they do wish to do this, just do something
160 | like this:
161 |
162 | ```ruby
163 | def persist_session
164 | auth_session.persist
165 | redirect_to root_path, :notice => "You will now be remembered!"
166 | end
167 | ```
168 |
169 | By default, persistent sessions will last for 2 months before requring the user
170 | logs in again. You can increase (or decrease) this if needed:
171 |
172 | ```ruby
173 | Authie.config.persistent_session_length = 12.months
174 | ```
175 |
176 | ### Accessing all user sessions
177 |
178 | If you want to provide users with a list of their sessions, you can access all
179 | active sessions for a user. The best way to do this will be to add a `has_many`
180 | association to your User model.
181 |
182 | ```ruby
183 | class User < ActiveRecord::Base
184 | has_many :sessions, :class_name => 'Authie::SessionModel', :as => :user, :dependent => :destroy
185 | end
186 | ```
187 |
188 | ### Storing additional data in the user session
189 |
190 | If you need to store additional information in your database-backed database
191 | session, then you can use the following methods to achieve this:
192 |
193 | ```ruby
194 | auth_session.set :two_factor_seen_at, Time.now
195 | auth_session.get :two_factor_seen_at
196 | ```
197 |
198 | ### Invalidating all but current session
199 |
200 | You may wish to allow users to easily invalidate all sessions which aren't their
201 | current one. Some applications invalidate old sessions whenever a user changes
202 | their password. The `invalidate_others!` method can be called on any
203 | `Authie::Session` object and will invalidate all sessions which aren't itself.
204 |
205 | ```ruby
206 | def change_password
207 | @user.change_password(params[:new_password])
208 | auth_session.invalidate_others!
209 | end
210 | ```
211 |
212 | ### Sudo functions
213 |
214 | In some applications, you may want to require that the user has recently provided
215 | their password to you before executing certain sensitive actions. Authie provides
216 | some methods which can help you keep track of when a user last provided their
217 | password in a session and whether you need to prompt them before continuing.
218 |
219 | ```ruby
220 | # When the user logs into your application, run the see_password method to note
221 | # that we have just seen their password.
222 | def login
223 | if user = User.authenticate(params[:username], params[:password])
224 | create_auth_session(user, see_password: true)
225 | redirect_to root_path
226 | end
227 | end
228 |
229 | # Before executing any dangerous actions, check to see whether the password has
230 | # recently been seen.
231 | def change_password
232 | if auth_session.recently_seen_password?
233 | # Allow the user to change their password as normal.
234 | else
235 | # Redirect the user a page which allows them to re-enter their password.
236 | # The method here should verify the password is correct and call the
237 | # see_password method as above. Once verified, you can return them back to
238 | # this page.
239 | redirect_to reauth_path(:return_to => request.fullpath)
240 | end
241 | end
242 | ```
243 |
244 | By default, a password will be said to have been recently seen if it has been
245 | seen in the last 10 minutes. You can change this configuration if needed:
246 |
247 | ```ruby
248 | Authie.config.sudo_session_timeout = 30.minutes
249 | ```
250 |
251 | ### Working with two factor authentication
252 |
253 | Authie provides a couple of methods to help you determine when two factor
254 | authentication is required for a request. Whenever a user logs in and has
255 | enabled two factor authentication, you can mark sessions as being permitted.
256 |
257 | You can add the following to your application controller and ensure that it runs
258 | on every request to your application.
259 |
260 | ```ruby
261 | class ApplicationController < ActionController::Base
262 |
263 | before_action :check_two_factor_auth
264 |
265 | def check_two_factor_auth
266 | if logged_in? && current_user.has_two_factor_auth? && !auth_session.two_factored?
267 | # If the user has two factor auth enabled, and we haven't already checked it
268 | # in this auth session, redirect the user to an action which prompts the user
269 | # to do their two factor auth check.
270 | redirect_to two_factor_auth_path
271 | end
272 | end
273 |
274 | end
275 | ```
276 |
277 | Then, on your two factor auth action, you need to ensure that you mark the auth
278 | session as being verified with two factor auth.
279 |
280 | ```ruby
281 | class LoginController < ApplicationController
282 |
283 | skip_before_action :check_two_factor_auth
284 |
285 | def two_factor_auth
286 | if user.verify_two_factor_token(params[:token])
287 | auth_session.mark_as_two_factored
288 | redirect_to root_path, :notice => "Logged in successfully!"
289 | end
290 | end
291 |
292 | end
293 | ```
294 |
295 | ## Storing IP address countries
296 |
297 | Authie has support for storing the country that an IP address is located in whenever they are saved to the database. To use this, you need to specify a backend to use in the Authie configuration. The backend should respond to `#call(ip_address)`.
298 |
299 | ```ruby
300 | Authie.config.lookup_ip_country_backend = proc do |ip_address|
301 | SomeService.lookup_country_from_ip(ip_address)
302 | end
303 | ```
304 |
305 | ## Instrumentation/Notification
306 |
307 | Authie will publish events to the ActiveSupport::Notification instrumentation system. The following events are published
308 | with the given attributes.
309 |
310 | - `set_browser_id.authie` - when a new browser ID is set for a user. Provides `:browser_id` and `:controller` arguments.
311 | - `cleanup.authie` - when session cleanup is run. Provides no arguments.
312 | - `touch.authie` - when a session is touched. Provides `:session` argument.
313 | - `see_password.authie` - when a session sees a password. Provides `:session` argument.
314 | - `mark_as_two_factor.authie` - when a session has two factor credentials provided. Provides `:session` argument.
315 | - `session_start.authie` - when a session is started. Provides `:session` argument.
316 | - `session_invalidate.authie` - when a session is intentionally invalidated. Provides `:session` argument with session model instance.
317 | - `browser_id_mismatch_error.authie` - when a session is validated when the browser ID does not match. Provides `:session` argument.
318 | - `invalid_session_error.authie` - when a session is validated when invalid. Provides `:session` argument.
319 | - `expired_session_error.authie` - when a session is validated when expired. Provides `:session` argument.
320 | - `inactive_session_error.authie` - when a session is validated when inactive. Provides `:session` argument.
321 | - `host_mismatch_error.authie` - when a session is validated and the host does not match. Provides `:session` argument.
322 |
323 | ## Differences for Authie 4.0
324 |
325 | Authie 4.0 introduces a number of changes to the library which are worth noting when upgrading from any version less than 4.
326 |
327 | - Authie 4.0 removes the impersonation features which may make a re-appearance in a futre version.
328 | - All previous callback/events have been replaced with standard ActiveSupport instrumentation notifications.
329 | - `Authie::SessionModel` has been introduced to represent the instance of the underlying database record.
330 | - Various methods on Authie::Session (more commonly known as `auth_session`) have been renamed as follows.
331 | - `check_security!` is now `validate`
332 | - `persist!` is now `persist`
333 | - `invalidate!` is now `invalidate`
334 | - `touch!` is now `touch`
335 | - `set_cookie!` is now `set_cookie` and is now a private method and should not be called directly.
336 | - `see_password!` is now `see_password`
337 | - `mark_as_two_factored!` is now `mark_as_two_factored`
338 | - A new `Authie::Session#reset_token` has been added which will generate a new token for a session, save it and update the cookie.
339 | - When starting a session using `Authie::Session.start` or `create_auth_session` you can provide the following additional options:
340 | - `persistent: true` to mark the session as persistent (i.e. give it an expiry time)
341 | - `see_password: true` to set the password seen timestamp at the same time as creation
342 | - If the `extend_session_expiry_on_touch` config option is set to true (default is false), the expiry time for a persistent session will be extended whenver a session is touched.
343 | - When making a request, the session will be touched **after** the action rather than before. Previously, the `touch_auth_session` method was added before every action and it both validated the session and touched it. Now, there are two separate methods - `validate_auth_session` which is run before every action and `touch_auth_session` runs after every action. If you don't want to touch a session in a request you can either use `skip_around_action :touch_auth_session` or call `skip_touch_auth_session!` anywhere in the action.
344 | - A new config option called `session_token_length` is available which allows you to change the length of the random token used for sessions (default 64).
345 |
--------------------------------------------------------------------------------
/authie.gemspec:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require File.expand_path('lib/authie/version', __dir__)
4 |
5 | # rubocop:disable Gemspec/RequireMFA
6 | Gem::Specification.new do |s|
7 | s.name = 'authie'
8 | s.description = 'A Rails library for storing user sessions in a backend database'
9 | s.summary = s.description
10 | s.homepage = 'https://github.com/adamcooke/authie'
11 | s.licenses = ['MIT']
12 | s.version = Authie::VERSION
13 | s.files = Dir.glob('{lib,db}/**/*')
14 | s.require_paths = ['lib']
15 | s.authors = ['Adam Cooke']
16 | s.email = ['me@adamcooke.io']
17 |
18 | s.add_dependency 'activerecord', '>= 6.1', '< 9.0'
19 | end
20 | # rubocop:enable Gemspec/RequireMFA
21 |
--------------------------------------------------------------------------------
/bin/appraisal:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | #
5 | # This file was generated by Bundler.
6 | #
7 | # The application 'appraisal' is installed as part of a gem, and
8 | # this file is here to facilitate running it.
9 | #
10 |
11 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
12 |
13 | bundle_binstub = File.expand_path("bundle", __dir__)
14 |
15 | if File.file?(bundle_binstub)
16 | if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
17 | load(bundle_binstub)
18 | else
19 | abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
20 | Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
21 | end
22 | end
23 |
24 | require "rubygems"
25 | require "bundler/setup"
26 |
27 | load Gem.bin_path("appraisal", "appraisal")
28 |
--------------------------------------------------------------------------------
/bin/console:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | require 'bundler/setup'
5 | require 'authie'
6 |
7 | require 'irb'
8 | IRB.start(__FILE__)
9 |
--------------------------------------------------------------------------------
/bin/rspec:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | #
5 | # This file was generated by Bundler.
6 | #
7 | # The application 'rspec' is installed as part of a gem, and
8 | # this file is here to facilitate running it.
9 | #
10 |
11 | require "pathname"
12 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
13 | Pathname.new(__FILE__).realpath)
14 |
15 | bundle_binstub = File.expand_path("../bundle", __FILE__)
16 |
17 | if File.file?(bundle_binstub)
18 | if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
19 | load(bundle_binstub)
20 | else
21 | abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
22 | Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
23 | end
24 | end
25 |
26 | require "rubygems"
27 | require "bundler/setup"
28 |
29 | load Gem.bin_path("rspec-core", "rspec")
30 |
--------------------------------------------------------------------------------
/bin/rubocop:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | #
5 | # This file was generated by Bundler.
6 | #
7 | # The application 'rubocop' is installed as part of a gem, and
8 | # this file is here to facilitate running it.
9 | #
10 |
11 | require "pathname"
12 | ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
13 | Pathname.new(__FILE__).realpath)
14 |
15 | bundle_binstub = File.expand_path("../bundle", __FILE__)
16 |
17 | if File.file?(bundle_binstub)
18 | if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
19 | load(bundle_binstub)
20 | else
21 | abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
22 | Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
23 | end
24 | end
25 |
26 | require "rubygems"
27 | require "bundler/setup"
28 |
29 | load Gem.bin_path("rubocop", "rubocop")
30 |
--------------------------------------------------------------------------------
/db/migrate/20141012174250_create_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class CreateAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | create_table :authie_sessions do |t|
6 | t.string :token, :browser_id
7 | t.bigint :user_id
8 | t.boolean :active, default: true
9 | t.text :data
10 | t.datetime :expires_at
11 | t.datetime :login_at
12 | t.string :login_ip
13 | t.datetime :last_activity_at
14 | t.string :last_activity_ip, :last_activity_path
15 | t.string :user_agent
16 | t.timestamps null: true
17 | end
18 | end
19 | end
20 |
--------------------------------------------------------------------------------
/db/migrate/20141013115205_add_indexes_to_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddIndexesToAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :user_type, :string
6 | add_index :authie_sessions, :token, length: 10
7 | add_index :authie_sessions, :browser_id, length: 10
8 | add_index :authie_sessions, :user_id
9 | end
10 | end
11 |
--------------------------------------------------------------------------------
/db/migrate/20150109144120_add_parent_id_to_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddParentIdToAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :parent_id, :bigint
6 | end
7 | end
8 |
--------------------------------------------------------------------------------
/db/migrate/20150305135400_add_two_factor_auth_fields_to_authie.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddTwoFactorAuthFieldsToAuthie < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :two_factored_at, :datetime
6 | add_column :authie_sessions, :two_factored_ip, :string
7 | add_column :authie_sessions, :requests, :integer, default: 0
8 | add_column :authie_sessions, :password_seen_at, :datetime
9 | end
10 | end
11 |
--------------------------------------------------------------------------------
/db/migrate/20170417170000_add_token_hashes_to_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddTokenHashesToAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :token_hash, :string
6 | end
7 | end
8 |
--------------------------------------------------------------------------------
/db/migrate/20170421174100_add_index_to_token_hashes_on_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddIndexToTokenHashesOnAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_index :authie_sessions, :token_hash, length: 10
6 | end
7 | end
8 |
--------------------------------------------------------------------------------
/db/migrate/20180215152200_add_host_to_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddHostToAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :host, :string
6 | end
7 | end
8 |
--------------------------------------------------------------------------------
/db/migrate/20220502180100_add_two_factor_required_to_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddTwoFactorRequiredToSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :skip_two_factor, :boolean, default: false
6 | end
7 | end
8 |
--------------------------------------------------------------------------------
/db/migrate/20230627165500_add_countries_to_authie_sessions.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class AddCountriesToAuthieSessions < ActiveRecord::Migration[6.1]
4 | def change
5 | add_column :authie_sessions, :login_ip_country, :string
6 | add_column :authie_sessions, :two_factored_ip_country, :string
7 | add_column :authie_sessions, :last_activity_ip_country, :string
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/gemfiles/.bundle/config:
--------------------------------------------------------------------------------
1 | ---
2 | BUNDLE_RETRY: "1"
3 |
--------------------------------------------------------------------------------
/gemfiles/rails_7.1.gemfile:
--------------------------------------------------------------------------------
1 | # This file was generated by Appraisal
2 |
3 | source "https://rubygems.org"
4 |
5 | gem "appraisal", "2.4.1"
6 | gem "rails", "~> 7.1.0"
7 | gem "rspec"
8 | gem "rspec-core"
9 | gem "rspec-expectations"
10 | gem "rspec-mocks"
11 | gem "rspec-rails"
12 | gem "rubocop"
13 | gem "simplecov"
14 | gem "simplecov-console"
15 | gem "solargraph"
16 | gem "sqlite3"
17 | gem "timecop"
18 |
19 | gemspec path: "../"
20 |
--------------------------------------------------------------------------------
/gemfiles/rails_7.2.gemfile:
--------------------------------------------------------------------------------
1 | # This file was generated by Appraisal
2 |
3 | source "https://rubygems.org"
4 |
5 | gem "appraisal", "2.4.1"
6 | gem "rails", "~> 7.2.0"
7 | gem "rspec"
8 | gem "rspec-core"
9 | gem "rspec-expectations"
10 | gem "rspec-mocks"
11 | gem "rspec-rails"
12 | gem "rubocop"
13 | gem "simplecov"
14 | gem "simplecov-console"
15 | gem "solargraph"
16 | gem "sqlite3"
17 | gem "timecop"
18 |
19 | gemspec path: "../"
20 |
--------------------------------------------------------------------------------
/gemfiles/rails_8.0.gemfile:
--------------------------------------------------------------------------------
1 | # This file was generated by Appraisal
2 |
3 | source "https://rubygems.org"
4 |
5 | gem "appraisal", "2.4.1"
6 | gem "rails", "~> 8.0.0"
7 | gem "rspec"
8 | gem "rspec-core"
9 | gem "rspec-expectations"
10 | gem "rspec-mocks"
11 | gem "rspec-rails"
12 | gem "rubocop"
13 | gem "simplecov"
14 | gem "simplecov-console"
15 | gem "solargraph"
16 | gem "sqlite3"
17 | gem "timecop"
18 |
19 | gemspec path: "../"
20 |
--------------------------------------------------------------------------------
/lib/authie.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'authie/version'
4 | require 'authie/config'
5 | require 'authie/error'
6 | require 'authie/user'
7 |
8 | require 'authie/engine' if defined?(Rails)
9 |
--------------------------------------------------------------------------------
/lib/authie/config.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | module Authie
4 | class Config
5 | attr_accessor :session_inactivity_timeout
6 | attr_accessor :persistent_session_length
7 | attr_accessor :sudo_session_timeout
8 | attr_accessor :browser_id_cookie_name
9 | attr_accessor :session_token_length
10 | attr_accessor :extend_session_expiry_on_touch
11 | attr_accessor :lookup_ip_country_backend
12 | attr_accessor :serialize_coder
13 |
14 | def initialize
15 | set_defaults
16 | end
17 |
18 | def lookup_ip_country(ip)
19 | return nil if @lookup_ip_country_backend.nil?
20 |
21 | @lookup_ip_country_backend.call(ip)
22 | end
23 |
24 | def set_defaults
25 | @session_inactivity_timeout = 12.hours
26 | @persistent_session_length = 2.months
27 | @sudo_session_timeout = 10.minutes
28 | @browser_id_cookie_name = :browser_id
29 | @session_token_length = 64
30 | @extend_session_expiry_on_touch = false
31 | @lookup_ip_country_backend = nil
32 | @serialize_coder = ActiveRecord::Coders::YAMLColumn
33 | end
34 | end
35 |
36 | class << self
37 | def config
38 | @config ||= Config.new
39 | end
40 |
41 | def configure(&block)
42 | block.call(config)
43 | config
44 | end
45 |
46 | def notify(event, args = {}, &block)
47 | ActiveSupport::Notifications.instrument("#{event}.authie", args, &block)
48 | end
49 | end
50 | end
51 |
--------------------------------------------------------------------------------
/lib/authie/controller_delegate.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'securerandom'
4 | require 'authie/session'
5 | require 'authie/config'
6 | require 'authie/session_model'
7 |
8 | module Authie
9 | # The controller delegate implements methods that can be used by a controller. These are then
10 | # extended into controllers as needed (see ControllerExtension).
11 | class ControllerDelegate
12 | attr_accessor :touch_auth_session_enabled
13 |
14 | # @param controller [ActionController::Base]
15 | # @return [Authie::ControllerDelegate]
16 | def initialize(controller)
17 | @controller = controller
18 | @touch_auth_session_enabled = true
19 | end
20 |
21 | # Sets a browser ID. This must be performed on any page request where AUthie will be used.
22 | # It should be triggered before any other Authie provided methods. This will ensure that
23 | # the given browser ID is unique.
24 | #
25 | # @return [String] the generated browser ID
26 | def set_browser_id
27 | until cookies[Authie.config.browser_id_cookie_name]
28 | proposed_browser_id = SecureRandom.uuid
29 | next if Authie::SessionModel.where(browser_id: proposed_browser_id).exists?
30 |
31 | cookies[Authie.config.browser_id_cookie_name] = {
32 | value: proposed_browser_id,
33 | expires: 5.years.from_now,
34 | httponly: true,
35 | secure: @controller.request.ssl?
36 | }
37 | Authie.notify(:set_browser_id,
38 | browser_id: proposed_browser_id,
39 | controller: @controller)
40 | end
41 | proposed_browser_id
42 | end
43 |
44 | # Validate the auth session to ensure that it is current validate and raise an error if it
45 | # is not suitable for use.
46 | #
47 | # @return [Authie::Session, false]
48 | def validate_auth_session
49 | return false unless logged_in?
50 |
51 | auth_session.validate
52 | end
53 |
54 | # Touch the session to update details on the latest activity.
55 | #
56 | # @return [Authie::Session, false]
57 | def touch_auth_session
58 | yield if block_given?
59 | ensure
60 | auth_session.touch if @touch_auth_session_enabled && logged_in?
61 | end
62 |
63 | # Return the user for the currently logged in user or nil if no user is logged in
64 | #
65 | # @return [ActiveRecord::Base, nil]
66 | def current_user
67 | return nil unless logged_in?
68 |
69 | auth_session.session.user
70 | end
71 |
72 | # Create a new session for the given user. If nil is provided as a user, the existing session
73 | # will be invalidated.
74 | #
75 | # @return [Authie::Session, nil]
76 | def create_auth_session(user, **kwargs)
77 | if user.nil?
78 | invalidate_auth_session
79 | return nil
80 | end
81 |
82 | @auth_session = Authie::Session.start(@controller, user: user, **kwargs)
83 | end
84 |
85 | # Invalidate the existing auth session if one exists. Return true if a sesion has been invalidated
86 | # otherwise return false.
87 | #
88 | # @return [Boolean]
89 | def invalidate_auth_session
90 | return false unless logged_in?
91 |
92 | auth_session.invalidate
93 | @auth_session = nil
94 | true
95 | end
96 |
97 | # Is anyone currently logged in? Return true if there is an auth session present.
98 | #
99 | # Note: this does not check the validatity of the session. You must always ensure that the `validate`
100 | # or `touch` method is invoked to ensure that the session that has been found is active.
101 | #
102 | # @return [Boolean]
103 | def logged_in?
104 | auth_session.is_a?(Session)
105 | end
106 |
107 | # Return an auth session that has been found in the current cookies.
108 | #
109 | # @return [Authie::Session]
110 | def auth_session
111 | return @auth_session if instance_variable_defined?('@auth_session')
112 |
113 | @auth_session = Authie::Session.get_session(@controller)
114 | end
115 |
116 | private
117 |
118 | def cookies
119 | @controller.send(:cookies)
120 | end
121 | end
122 | end
123 |
--------------------------------------------------------------------------------
/lib/authie/controller_extension.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'authie/controller_delegate'
4 |
5 | module Authie
6 | module ControllerExtension
7 | class << self
8 | def included(base)
9 | base.helper_method :logged_in?, :current_user, :auth_session if base.respond_to?(:helper_method)
10 |
11 | base.before_action :set_browser_id, :validate_auth_session
12 | base.around_action :touch_auth_session
13 |
14 | base.delegate :set_browser_id, to: :auth_session_delegate
15 | base.delegate :validate_auth_session, to: :auth_session_delegate
16 | base.delegate :touch_auth_session, to: :auth_session_delegate
17 | base.delegate :current_user, to: :auth_session_delegate
18 | base.delegate :create_auth_session, to: :auth_session_delegate
19 | base.delegate :invalidate_auth_session, to: :auth_session_delegate
20 | base.delegate :logged_in?, to: :auth_session_delegate
21 | base.delegate :auth_session, to: :auth_session_delegate
22 | end
23 | end
24 |
25 | private
26 |
27 | def auth_session_delegate
28 | @auth_session_delegate ||= Authie::ControllerDelegate.new(self)
29 | end
30 |
31 | def skip_touch_auth_session!
32 | auth_session_delegate.touch_auth_session_enabled = false
33 | end
34 | end
35 | end
36 |
--------------------------------------------------------------------------------
/lib/authie/engine.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | module Authie
4 | class Engine < ::Rails::Engine
5 | engine_name 'authie'
6 |
7 | initializer 'authie.initialize' do |_app|
8 | ActiveSupport.on_load :active_record do
9 | require 'authie/session'
10 | end
11 |
12 | ActiveSupport.on_load :action_controller do
13 | require 'authie/controller_extension'
14 | include Authie::ControllerExtension
15 | end
16 | end
17 | end
18 | end
19 |
--------------------------------------------------------------------------------
/lib/authie/error.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | module Authie
4 | class Error < StandardError
5 | end
6 | end
7 |
--------------------------------------------------------------------------------
/lib/authie/rack_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # If you're dealing with your authentication in a middleware and you only have
4 | # access to your rack environment, this will wrap around rack and make it look
5 | # close enough to an ActionController to work with Authie
6 | #
7 | # Usage:
8 | #
9 | # controller = Authie::RackController.new(@env)
10 | # controller.current_user = user
11 |
12 | module Authie
13 | class RackController
14 | attr_reader :request
15 |
16 | def initialize(env)
17 | @env = env
18 | @request = ActionDispatch::Request.new(@env)
19 | set_browser_id
20 | end
21 |
22 | def cookies
23 | @request.cookie_jar
24 | end
25 |
26 | # Set a random browser ID for this browser.
27 | def set_browser_id
28 | until cookies[:browser_id]
29 | proposed_browser_id = SecureRandom.uuid
30 | unless SessionModel.where(browser_id: proposed_browser_id).exists?
31 | cookies[:browser_id] = { value: proposed_browser_id, expires: 20.years.from_now }
32 | end
33 | end
34 | end
35 |
36 | def current_user=(user)
37 | Session.start(self, user: user)
38 | end
39 |
40 | def current_user
41 | auth_session.user if auth_session.is_a?(Session)
42 | end
43 |
44 | def auth_session
45 | @auth_session ||= Session.get_session(self)
46 | end
47 | end
48 | end
49 |
--------------------------------------------------------------------------------
/lib/authie/session.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'authie/session_model'
4 | require 'authie/error'
5 | require 'authie/config'
6 | require 'active_support/core_ext/module/delegation'
7 |
8 | module Authie
9 | class Session
10 | # The underlying session model instance
11 | #
12 | # @return [Authie::SessionModel]
13 | attr_reader :session
14 |
15 | # A parent class that encapsulates all session validity errors.
16 | class ValidityError < Error
17 | attr_reader :session
18 |
19 | def initialize(message, session = nil)
20 | super(message)
21 | @session = session
22 | end
23 | end
24 |
25 | # Raised when a session is used but it is no longer active
26 | class InactiveSession < ValidityError; end
27 |
28 | # Raised when a session is used but it has expired
29 | class ExpiredSession < ValidityError; end
30 |
31 | # Raised when a session is used but the browser ID does not match
32 | class BrowserMismatch < ValidityError; end
33 |
34 | # Raised when a session is used but the hostname does not match
35 | # the session hostname
36 | class HostMismatch < ValidityError; end
37 |
38 | # Initialize a new session object
39 | #
40 | # @param controller [ActionController::Base] any controller
41 | # @param session [Authie::SessionModel] an Authie session model instance
42 | # @return [Authie::Session]
43 | def initialize(controller, session)
44 | @controller = controller
45 | @session = session
46 | end
47 |
48 | # Validate that the session is valid and raise and error if not
49 | #
50 | # @raises [Authie::Session::BrowserMismatch]
51 | # @raises [Authie::Session::InactiveSession]
52 | # @raises [Authie::Session::ExpiredSession]
53 | # @raises [Authie::Session::HostMismatch]
54 | # @return [Authie::Session]
55 | def validate
56 | validate_browser_id
57 | validate_active
58 | validate_expiry
59 | validate_inactivity
60 | validate_host
61 | self
62 | end
63 |
64 | # Mark the current session as persistent. Will set the expiry time of the underlying
65 | # session and update the cookie.
66 | #
67 | # @raises [ActiveRecord::RecordInvalid]
68 | # @return [Authie::Session]
69 | def persist
70 | @session.expires_at = Authie.config.persistent_session_length.from_now
71 | @session.save!
72 | set_cookie
73 | self
74 | end
75 |
76 | # Invalidates the current session by marking it inactive and removing the current cookie.
77 | #
78 | # @raises [ActiveRecord::RecordInvalid]
79 | # @return [Authie::Session]
80 | def invalidate
81 | @session.invalidate!
82 | cookies.delete(:user_session)
83 | self
84 | end
85 |
86 | # Touches the current session to ensure it is currently valid and to update attributes
87 | # which should be updatd on each request. This will raise the same errors as the #validate
88 | # method. It will set the last activity time, IP and path as well as incrementing
89 | # the request counter.
90 | #
91 | # @raises [Authie::Session::BrowserMismatch]
92 | # @raises [Authie::Session::InactiveSession]
93 | # @raises [Authie::Session::ExpiredSession]
94 | # @raises [Authie::Session::HostMismatch]
95 | # @raises [ActiveRecord::RecordInvalid]
96 | # @return [Authie::Session]
97 | def touch
98 | @session.last_activity_at = Time.now
99 | if @controller.request.ip != @session.last_activity_ip
100 | @session.last_activity_ip_country = Authie.config.lookup_ip_country(@controller.request.ip)
101 | end
102 | @session.last_activity_ip = @controller.request.ip
103 |
104 | @session.last_activity_path = @controller.request.path
105 | @session.requests += 1
106 | extend_session_expiry_if_appropriate
107 | @session.save!
108 | Authie.notify(:touch, session: self)
109 | self
110 | end
111 |
112 | # Mark the session's password as seen at the current time
113 | #
114 | # @raises [ActiveRecord::RecordInvalid]
115 | # @return [Authie::Session]
116 | def see_password
117 | @session.password_seen_at = Time.now
118 | @session.save!
119 | Authie.notify(:see_password, session: self)
120 | self
121 | end
122 |
123 | # Mark this request as two factored by setting the time and the current
124 | # IP address.
125 | #
126 | # @raises [ActiveRecord::RecordInvalid]
127 | # @return [Authie::Session]
128 | def mark_as_two_factored(skip: nil)
129 | @session.two_factored_at = Time.now
130 | @session.two_factored_ip = @controller.request.ip
131 | @session.two_factored_ip_country = Authie.config.lookup_ip_country(@controller.request.ip)
132 | @session.skip_two_factor = skip unless skip.nil?
133 | @session.save!
134 | Authie.notify(:mark_as_two_factor, session: self)
135 | self
136 | end
137 |
138 | # Starts a new session by setting the cookie. This should be invoked whenever
139 | # a new session begins. It usually does not need to be called directly as it
140 | # will be taken care of by the class-level start method.
141 | #
142 | # @return [Authie::Session]
143 | def start
144 | set_cookie
145 | Authie.notify(:session_start, session: self)
146 | self
147 | end
148 |
149 | # Resets the token for the currently active session to a new string
150 | #
151 | # @return [Authie::Session]
152 | def reset_token
153 | @session.reset_token
154 | set_cookie
155 | self
156 | end
157 |
158 | private
159 |
160 | def set_cookie(value = @session.temporary_token)
161 | cookies[:user_session] = {
162 | value: value,
163 | secure: @controller.request.ssl?,
164 | httponly: true,
165 | expires: @session.expires_at
166 | }
167 | Authie.notify(:cookie_updated, session: session)
168 | true
169 | end
170 |
171 | def cookies
172 | @controller.send(:cookies)
173 | end
174 |
175 | def validate_browser_id
176 | if cookies[:browser_id] != @session.browser_id
177 | Authie.notify(:browser_id_mismatch_error, session: self)
178 | invalidate
179 | raise BrowserMismatch.new('Browser ID mismatch', self)
180 | end
181 |
182 | self
183 | end
184 |
185 | def validate_active
186 | unless @session.active?
187 | invalidate
188 | Authie.notify(:invalid_session_error, session: self)
189 | raise InactiveSession.new('Session is no longer active', self)
190 | end
191 |
192 | self
193 | end
194 |
195 | def validate_expiry
196 | if @session.expired?
197 | invalidate
198 | Authie.notify(:expired_session_error, session: self)
199 | raise ExpiredSession.new('Persistent session has expired', self)
200 | end
201 |
202 | self
203 | end
204 |
205 | def validate_inactivity
206 | if @session.inactive?
207 | invalidate
208 | Authie.notify(:inactive_session_error, session: self)
209 | raise InactiveSession.new('Non-persistent session has expired', self)
210 | end
211 |
212 | self
213 | end
214 |
215 | def validate_host
216 | if @session.host && @session.host != @controller.request.host
217 | invalidate
218 | Authie.notify(:host_mismatch_error, session: self)
219 | raise HostMismatch.new("Session was created on #{@session.host} but accessed using #{@controller.request.host}",
220 | self)
221 | end
222 |
223 | self
224 | end
225 |
226 | def extend_session_expiry_if_appropriate
227 | return if @session.expires_at.nil?
228 | return unless Authie.config.extend_session_expiry_on_touch
229 |
230 | # If enabled, sessions with an expiry time will automatiaclly be incremented
231 | # whenever a page is touched. The cookie will also be updated as appropriate.
232 | @session.expires_at = Authie.config.persistent_session_length.from_now
233 | set_cookie
234 | end
235 |
236 | class << self
237 | # Create a new session within the given controller for the
238 | #
239 | # @param controller [ActionController::Base]
240 | # @param user [ActiveRecord::Base] user
241 | # @param persistent [Boolean] create a persistent session
242 | # @return [Authie::Session]
243 | def start(controller, user:, persistent: false, see_password: false, **params)
244 | cookies = controller.send(:cookies)
245 | SessionModel.active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
246 |
247 | session = SessionModel.new(params)
248 | session.user = user
249 | session.browser_id = cookies[:browser_id]
250 | session.login_at = Time.now
251 | session.login_ip = controller.request.ip
252 | session.login_ip_country = Authie.config.lookup_ip_country(session.login_ip)
253 | session.host = controller.request.host
254 | session.user_agent = controller.request.user_agent
255 | session.expires_at = Time.now + Authie.config.persistent_session_length if persistent
256 | session.password_seen_at = Time.now if see_password
257 | session.save!
258 |
259 | new(controller, session).start
260 | end
261 |
262 | # Lookup a session for a given controller and return the session
263 | # object.
264 | #
265 | # @param controller [ActionController::Base]
266 | # @return [Authie::Session]
267 | def get_session(controller)
268 | cookies = controller.send(:cookies)
269 | return nil if cookies[:user_session].blank?
270 |
271 | session = SessionModel.find_session_by_token(cookies[:user_session])
272 | return nil if session.blank?
273 |
274 | session.temporary_token = cookies[:user_session]
275 | new(controller, session)
276 | end
277 |
278 | delegate :hash_token, to: SessionModel
279 | delegate :cleanup, to: SessionModel
280 | end
281 |
282 | # Backwards compatibility with Authie < 4.0. These methods were all available on sessions
283 | # in previous versions of Authie. They have been maintained for backwards-compatibility but
284 | # will be removed entirely in Authie 5.0.
285 | alias check_security! validate
286 | alias persist! persist
287 | alias invalidate! invalidate
288 | alias touch! touch
289 | alias set_cookie! set_cookie
290 | alias see_password! see_password
291 | alias mark_as_two_factored! mark_as_two_factored
292 |
293 | # Delegate key methods back to the underlying session model. Previous behaviour in Authie
294 | # exposed all methods on the session model. It is useful that these methods can be accessed
295 | # easily from this session proxy model so these are maintained as delegated methods.
296 | delegate :active?, to: :session
297 | delegate :browser_id, to: :session
298 | delegate :expired?, to: :session
299 | delegate :expires_at, to: :session
300 | delegate :first_session_for_browser?, to: :session
301 | delegate :first_session_for_ip?, to: :session
302 | delegate :get, to: :session
303 | delegate :inactive?, to: :session
304 | delegate :invalidate_others!, to: :session
305 | delegate :last_activity_at, to: :session
306 | delegate :last_activity_ip, to: :session
307 | delegate :last_activity_ip_country, to: :session
308 | delegate :last_activity_path, to: :session
309 | delegate :login_at, to: :session
310 | delegate :login_ip, to: :session
311 | delegate :login_ip_country, to: :session
312 | delegate :password_seen_at, to: :session
313 | delegate :persisted?, to: :session
314 | delegate :persistent?, to: :session
315 | delegate :recently_seen_password?, to: :session
316 | delegate :requests, to: :session
317 | delegate :set, to: :session
318 | delegate :temporary_token, to: :session
319 | delegate :token_hash, to: :session
320 | delegate :two_factored_at, to: :session
321 | delegate :two_factored_ip, to: :session
322 | delegate :two_factored_ip_country, to: :session
323 | delegate :two_factored?, to: :session
324 | delegate :skip_two_factor?, to: :session
325 | delegate :update, to: :session
326 | delegate :update!, to: :session
327 | delegate :user_agent, to: :session
328 | delegate :user, to: :session
329 | end
330 | end
331 |
--------------------------------------------------------------------------------
/lib/authie/session_model.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'active_record'
4 | require 'securerandom'
5 | require 'authie/config'
6 |
7 | module Authie
8 | class SessionModel < ActiveRecord::Base
9 | attr_accessor :temporary_token
10 |
11 | self.table_name = 'authie_sessions'
12 |
13 | belongs_to :parent, class_name: 'Authie::SessionModel', optional: true
14 |
15 | scope :active, -> { where(active: true) }
16 | scope :asc, -> { order(last_activity_at: :desc) }
17 | scope :for_user, ->(user) { where(user_type: user.class.name, user_id: user.id) }
18 |
19 | # Attributes
20 | serialize :data, type: Hash, coder: Authie.config.serialize_coder
21 |
22 | before_validation :shorten_strings
23 | before_create :set_new_token
24 |
25 | # Return the user that
26 | def user
27 | return unless user_id && user_type
28 | return @user if instance_variable_defined?('@user')
29 |
30 | @user = user_type.constantize.find_by(id: user_id)
31 | end
32 |
33 | # Set the user
34 | def user=(user)
35 | @user = user
36 | if user
37 | self.user_type = user.class.name
38 | self.user_id = user.id
39 | else
40 | self.user_type = nil
41 | self.user_id = nil
42 | end
43 | end
44 |
45 | def expired?
46 | expires_at.present? &&
47 | expires_at < Time.now
48 | end
49 |
50 | def inactive?
51 | expires_at.nil? &&
52 | last_activity_at.present? &&
53 | last_activity_at < Authie.config.session_inactivity_timeout.ago
54 | end
55 |
56 | def persistent?
57 | !!expires_at
58 | end
59 |
60 | def activate!
61 | self.active = true
62 | save!
63 | end
64 |
65 | def invalidate!
66 | active_now = active?
67 | self.active = false
68 | save!
69 | Authie.notify(:session_invalidate, session: self) if active_now
70 | true
71 | end
72 |
73 | def set(key, value)
74 | self.data ||= {}
75 | self.data[key.to_s] = value
76 | save!
77 | end
78 |
79 | def get(key)
80 | (self.data ||= {})[key.to_s]
81 | end
82 |
83 | def invalidate_others!
84 | self.class.where('id != ?', id).active.for_user(user).each(&:invalidate!)
85 | end
86 |
87 | # Have we seen the user's password recently in this sesion?
88 | def recently_seen_password?
89 | !!(password_seen_at && password_seen_at >= Authie.config.sudo_session_timeout.ago)
90 | end
91 |
92 | # Is two factor authentication required for this request?
93 | def two_factored?
94 | !!(two_factored_at || parent_id)
95 | end
96 |
97 | # Is this the first session for this session's browser?
98 | def first_session_for_browser?
99 | self.class.where('id < ?', id).for_user(user).where(browser_id: browser_id).empty?
100 | end
101 |
102 | # Is this the first session for the IP?
103 | def first_session_for_ip?
104 | self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
105 | end
106 |
107 | # Reset a new token for the session and return the new token
108 | #
109 | # @return [String]
110 | def reset_token
111 | set_new_token
112 | save!
113 | temporary_token
114 | end
115 |
116 | private
117 |
118 | def shorten_strings
119 | self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
120 | self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
121 | end
122 |
123 | def set_new_token
124 | self.temporary_token = SecureRandom.alphanumeric(Authie.config.session_token_length)
125 | self.token_hash = self.class.hash_token(temporary_token)
126 | end
127 |
128 | class << self
129 | # Find a session from the database for the given controller instance.
130 | # Returns a session object or :none if no session is found.
131 |
132 | # Find a session by a token (either from a hash or from the raw token)
133 | def find_session_by_token(token)
134 | return nil if token.blank?
135 |
136 | active.where(token_hash: hash_token(token)).first
137 | end
138 |
139 | # Cleanup any old sessions.
140 | def cleanup
141 | Authie.notify(:cleanup) do
142 | # Invalidate transient sessions that haven't been used
143 | active.where('expires_at IS NULL AND last_activity_at < ?',
144 | Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
145 | # Invalidate persistent sessions that have expired
146 | active.where('expires_at IS NOT NULL AND expires_at < ?', Time.now).each(&:invalidate!)
147 | end
148 | true
149 | end
150 |
151 | # Return a hash of a given token
152 | def hash_token(token)
153 | Digest::SHA256.hexdigest(token)
154 | end
155 | end
156 | end
157 | end
158 |
--------------------------------------------------------------------------------
/lib/authie/user.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | module Authie
4 | module User
5 | def self.included(base)
6 | base.has_many :user_sessions, class_name: 'Authie::SessionModel', as: :user, dependent: :delete_all
7 | end
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/lib/authie/version.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | module Authie
4 | VERSION_FILE_ROOT = File.expand_path('../../VERSION', __dir__)
5 | VERSION = if File.file?(VERSION_FILE_ROOT)
6 | File.read(VERSION_FILE_ROOT).strip.sub(/\Av/, '')
7 | else
8 | '0.0.0.dev'
9 | end
10 | end
11 |
--------------------------------------------------------------------------------
/release-please-config.json:
--------------------------------------------------------------------------------
1 | {
2 | "bootstrap-sha": "23c79175d75dc85cf0b059d9b33d8da8928e0384",
3 | "packages": {
4 | ".": {
5 | "release-type": "ruby",
6 | "changelog-path": "CHANGELOG.md",
7 | "bump-minor-pre-major": true,
8 | "bump-patch-for-minor-pre-major": true,
9 | "draft": false,
10 | "prerelease": false,
11 | "changelog-sections": [
12 | {
13 | "type": "feat",
14 | "section": "Features"
15 | },
16 | {
17 | "type": "feature",
18 | "section": "Features"
19 | },
20 | {
21 | "type": "fix",
22 | "section": "Bug Fixes"
23 | },
24 | {
25 | "type": "perf",
26 | "section": "Performance Improvements"
27 | },
28 | {
29 | "type": "revert",
30 | "section": "Reverts"
31 | },
32 | {
33 | "type": "docs",
34 | "section": "Documentation"
35 | },
36 | {
37 | "type": "style",
38 | "section": "Styles"
39 | },
40 | {
41 | "type": "chore",
42 | "section": "Miscellaneous Chores"
43 | },
44 | {
45 | "type": "refactor",
46 | "section": "Code Refactoring"
47 | },
48 | {
49 | "type": "test",
50 | "section": "Tests"
51 | },
52 | {
53 | "type": "build",
54 | "section": "Build System"
55 | },
56 | {
57 | "type": "ci",
58 | "section": "Continuous Integration"
59 | }
60 | ]
61 | }
62 | },
63 | "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
64 | }
65 |
--------------------------------------------------------------------------------
/spec/dummy/Rakefile:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # Add your own tasks in files placed in lib/tasks ending in .rake,
4 | # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
5 |
6 | require_relative 'config/application'
7 |
8 | Rails.application.load_tasks
9 |
--------------------------------------------------------------------------------
/spec/dummy/app/controllers/application_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class ApplicationController < ActionController::Base
4 | end
5 |
--------------------------------------------------------------------------------
/spec/dummy/app/controllers/pages_controller.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | class PagesController < ApplicationController
4 | def index
5 | render plain: 'Hello world!'
6 | end
7 |
8 | def authenticated
9 | render plain: "Hello #{current_user.username}!"
10 | end
11 |
12 | def request_count
13 | render plain: "Count: #{auth_session.requests}"
14 | end
15 |
16 | def logged_in
17 | if logged_in?
18 | render plain: 'Logged in'
19 | else
20 | render plain: 'Not logged in'
21 | end
22 | end
23 |
24 | def error
25 | 1 / 0
26 | end
27 |
28 | def no_touching
29 | skip_touch_auth_session!
30 | render plain: 'Blah'
31 | end
32 | end
33 |
--------------------------------------------------------------------------------
/spec/dummy/bin/rails:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | APP_PATH = File.expand_path('../config/application', __dir__)
5 | require_relative '../config/boot'
6 | require 'rails/commands'
7 |
--------------------------------------------------------------------------------
/spec/dummy/bin/rake:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | require_relative '../config/boot'
5 | require 'rake'
6 | Rake.application.run
7 |
--------------------------------------------------------------------------------
/spec/dummy/bin/setup:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | # frozen_string_literal: true
3 |
4 | require 'fileutils'
5 |
6 | # path to your application root.
7 | APP_ROOT = File.expand_path('..', __dir__)
8 |
9 | def system!(*args)
10 | system(*args) || abort("\n== Command #{args} failed ==")
11 | end
12 |
13 | FileUtils.chdir APP_ROOT do
14 | # This script is a way to set up or update your development environment automatically.
15 | # This script is idempotent, so that you can run it at any time and get an expectable outcome.
16 | # Add necessary setup steps to this file.
17 |
18 | puts '== Installing dependencies =='
19 | system! 'gem install bundler --conservative'
20 | system('bundle check') || system!('bundle install')
21 |
22 | # puts "\n== Copying sample files =="
23 | # unless File.exist?("config/database.yml")
24 | # FileUtils.cp "config/database.yml.sample", "config/database.yml"
25 | # end
26 |
27 | puts "\n== Preparing database =="
28 | system! 'bin/rails db:prepare'
29 |
30 | puts "\n== Removing old logs and tempfiles =="
31 | system! 'bin/rails log:clear tmp:clear'
32 |
33 | puts "\n== Restarting application server =="
34 | system! 'bin/rails restart'
35 | end
36 |
--------------------------------------------------------------------------------
/spec/dummy/config.ru:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # This file is used by Rack-based servers to start the application.
4 |
5 | require_relative 'config/environment'
6 |
7 | run Rails.application
8 | Rails.application.load_server
9 |
--------------------------------------------------------------------------------
/spec/dummy/config/application.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require_relative 'boot'
4 |
5 | require 'action_controller/railtie'
6 |
7 | # Require the gems listed in Gemfile, including any gems
8 | # you've limited to :test, :development, or :production.
9 | Bundler.require(*Rails.groups)
10 | require 'authie/engine'
11 |
12 | module Dummy
13 | class Application < Rails::Application
14 | config.load_defaults Rails::VERSION::STRING.to_f
15 |
16 | # For compatibility with applications that use this config
17 | config.action_controller.include_all_helpers = false
18 |
19 | # Configuration for the application, engines, and railties goes here.
20 | #
21 | # These settings can be overridden in specific environments using the files
22 | # in config/environments, which are processed later.
23 | #
24 | # config.time_zone = "Central Time (US & Canada)"
25 | # config.eager_load_paths << Rails.root.join("extras")
26 | end
27 | end
28 |
--------------------------------------------------------------------------------
/spec/dummy/config/boot.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # Set up gems listed in the Gemfile.
4 | ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../Gemfile', __dir__)
5 |
6 | require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
7 | $LOAD_PATH.unshift File.expand_path('../../../lib', __dir__)
8 |
--------------------------------------------------------------------------------
/spec/dummy/config/database.yml:
--------------------------------------------------------------------------------
1 | # SQLite. Versions 3.8.0 and up are supported.
2 | # gem install sqlite3
3 | #
4 | # Ensure the SQLite 3 gem is defined in your Gemfile
5 | # gem "sqlite3"
6 | #
7 | default: &default
8 | adapter: sqlite3
9 | pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
10 | timeout: 5000
11 |
12 | development:
13 | <<: *default
14 | database: ':memory:'
15 |
16 | # Warning: The database defined as "test" will be erased and
17 | # re-generated from your development database when you run "rake".
18 | # Do not set this db to the same as development or production.
19 | test:
20 | <<: *default
21 | database: ':memory:'
22 |
23 | production:
24 | <<: *default
25 | database: ':memory:'
26 |
--------------------------------------------------------------------------------
/spec/dummy/config/environment.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # Load the Rails application.
4 | require_relative 'application'
5 |
6 | # Initialize the Rails application.
7 | Rails.application.initialize!
8 |
--------------------------------------------------------------------------------
/spec/dummy/config/environments/test.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | require 'active_support/core_ext/integer/time'
4 |
5 | # The test environment is used exclusively to run your application's
6 | # test suite. You never need to work with it otherwise. Remember that
7 | # your test database is "scratch space" for the test suite and is wiped
8 | # and recreated between test runs. Don't rely on the data there!
9 |
10 | Rails.application.configure do
11 | # Settings specified here will take precedence over those in config/application.rb.
12 |
13 | # Turn false under Spring and add config.action_view.cache_template_loading = true.
14 | config.cache_classes = true
15 |
16 | # Eager loading loads your whole application. When running a single test locally,
17 | # this probably isn't necessary. It's a good idea to do in a continuous integration
18 | # system, or in some way before deploying your code.
19 | config.eager_load = true
20 |
21 | # Configure public file server for tests with Cache-Control for performance.
22 | config.public_file_server.enabled = true
23 | config.public_file_server.headers = {
24 | 'Cache-Control' => "public, max-age=#{1.hour.to_i}"
25 | }
26 |
27 | # Show full error reports and disable caching.
28 | config.consider_all_requests_local = true
29 | config.action_controller.perform_caching = false
30 | config.cache_store = :null_store
31 |
32 | # Raise exceptions instead of rendering exception templates.
33 | config.action_dispatch.show_exceptions = false
34 |
35 | # Disable request forgery protection in test environment.
36 | config.action_controller.allow_forgery_protection = false
37 |
38 | # Store uploaded files on the local file system in a temporary directory.
39 | # config.active_storage.service = :test
40 |
41 | # config.action_mailer.perform_caching = false
42 |
43 | # Tell Action Mailer not to deliver emails to the real world.
44 | # The :test delivery method accumulates sent emails in the
45 | # ActionMailer::Base.deliveries array.
46 | # config.action_mailer.delivery_method = :test
47 |
48 | # Print deprecation notices to the stderr.
49 | config.active_support.deprecation = :stderr
50 |
51 | # Raise exceptions for disallowed deprecations.
52 | config.active_support.disallowed_deprecation = :raise
53 |
54 | # Tell Active Support which deprecation messages to disallow.
55 | config.active_support.disallowed_deprecation_warnings = []
56 |
57 | # Raises error for missing translations.
58 | # config.i18n.raise_on_missing_translations = true
59 |
60 | # Annotate rendered view with file names.
61 | # config.action_view.annotate_rendered_view_with_filenames = true
62 | end
63 |
--------------------------------------------------------------------------------
/spec/dummy/config/initializers/filter_parameter_logging.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | # Be sure to restart your server when you modify this file.
4 |
5 | # Configure parameters to be filtered from the log file. Use this to limit dissemination of
6 | # sensitive information. See the ActiveSupport::ParameterFilter documentation for supported
7 | # notations and behaviors.
8 | Rails.application.config.filter_parameters += %i[
9 | passw secret token _key crypt salt certificate otp ssn
10 | ]
11 |
--------------------------------------------------------------------------------
/spec/dummy/config/routes.rb:
--------------------------------------------------------------------------------
1 | # frozen_string_literal: true
2 |
3 | Rails.application.routes.draw do
4 | get '/', to: 'pages#index'
5 | get '/authenticated', to: 'pages#authenticated'
6 | get '/logged_in', to: 'pages#logged_in'
7 | get '/request_count', to: 'pages#request_count'
8 | get '/error', to: 'pages#error'
9 | get '/no_touching', to: 'pages#no_touching'
10 | end
11 |
--------------------------------------------------------------------------------
/spec/dummy/public/404.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | You may have mistyped the address or the page may have moved.
63 |If you are the application owner check the logs for more information.
65 |Maybe you tried to change something you didn't have access to.
63 |If you are the application owner check the logs for more information.
65 |If you are the application owner check the logs for more information.
64 |