Add Rodauth::Rails.authenticate constraint

It improves upon the existing `Rodauth::Rails.authenticated` constraint by additionally requiring the existence of the account record in the database. It also has clearer naming, communicating that it requires authentication, and doesn't just check if the account is authenticated (like Devise's `authenticated` constraint).
janko · Aug 4, 2023 · f6deb8e · f6deb8e
1 parent b378bce
commit f6deb8e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -236,7 +236,7 @@ level. You can do this via the built-in `authenticated` routing constraint:
 ```rb
 # config/routes.rb
 Rails.application.routes.draw do
-  constraints Rodauth::Rails.authenticated do
+  constraints Rodauth::Rails.authenticate do
     # ... authenticated routes ...
   end
 end
@@ -249,7 +249,7 @@ called with the Rodauth instance:
 # config/routes.rb
 Rails.application.routes.draw do
   # require multifactor authentication to be setup
-  constraints Rodauth::Rails.authenticated { |rodauth| rodauth.uses_two_factor_authentication? } do
+  constraints Rodauth::Rails.authenticate { |rodauth| rodauth.uses_two_factor_authentication? } do
     # ...
   end
 end
@@ -260,7 +260,7 @@ You can specify a different Rodauth configuration by passing the configuration n
 ```rb
 # config/routes.rb
 Rails.application.routes.draw do
-  constraints Rodauth::Rails.authenticated(:admin) do
+  constraints Rodauth::Rails.authenticate(:admin) do
     # ...
   end
 end

diff --git a/lib/rodauth/rails.rb b/lib/rodauth/rails.rb
@@ -57,8 +57,17 @@ def model(name = nil, **options)
         Rodauth::Model.new(app.rodauth!(name), **options)
       end
 
-      # routing constraint that requires authentication
+      # Routing constraint that requires authenticated account.
+      def authenticate(name = nil, &condition)
+        lambda do |request|
+          rodauth = request.env.fetch ["rodauth", *name].join(".")
+          rodauth.require_account
+          condition.nil? || condition.call(rodauth)
+        end
+      end
+
       def authenticated(name = nil, &condition)
+        warn "Rodauth::Rails.authenticated has been deprecated in favor of Rodauth::Rails.authenticate, which additionally requires existence of the account record."
         lambda do |request|
           rodauth = request.env.fetch ["rodauth", *name].join(".")
           rodauth.require_authentication

diff --git a/test/rails_app/config/routes.rb b/test/rails_app/config/routes.rb
@@ -10,7 +10,7 @@
     get :roda
   end
 
-  constraints Rodauth::Rails.authenticated do
+  constraints Rodauth::Rails.authenticate do
     get "/authenticated" => "test#root"
   end
 end
diff --git a/test/rodauth_test.rb b/test/rodauth_test.rb
@@ -50,33 +50,37 @@ class RodauthTest < UnitTest
     Rails.env = "test"
   end
 
-  test "builds authenticated constraint" do
-    Account.create!(email: "[email protected]", password: "secret")
+  test "builds authenticate constraint" do
+    account = Account.create!(email: "[email protected]", password: "secret", status: "verified")
 
     rodauth = Rodauth::Rails.rodauth
     rodauth.scope.env["rodauth"] = rodauth
+    request = rodauth.request
 
-    error = assert_raises(Rodauth::InternalRequestError) { Rodauth::Rails.authenticated.call(rodauth.request) }
+    error = assert_raises(Rodauth::InternalRequestError) { Rodauth::Rails.authenticate.call(request) }
     assert_equal :login_required, error.reason
 
     rodauth.account_from_login("[email protected]")
     rodauth.login_session("password")
-    assert_equal true, Rodauth::Rails.authenticated.call(rodauth.request)
+    assert_equal true, Rodauth::Rails.authenticate.call(request)
 
     rodauth.add_recovery_code
     rodauth.session.delete(:two_factor_auth_setup)
-    error = assert_raises(Rodauth::InternalRequestError) { Rodauth::Rails.authenticated.call(rodauth.request) }
+    error = assert_raises(Rodauth::InternalRequestError) { Rodauth::Rails.authenticate.call(request) }
     assert_equal :two_factor_need_authentication, error.reason
 
     rodauth.send(:two_factor_update_session, "recovery_codes")
-    assert_equal true, Rodauth::Rails.authenticated.call(rodauth.request)
+    assert_equal true, Rodauth::Rails.authenticate.call(request)
 
-    constraint = Rodauth::Rails.authenticated { |rodauth| rodauth.authenticated_by.include?("otp") }
-    assert_equal false, constraint.call(rodauth.request)
+    constraint = Rodauth::Rails.authenticate { |rodauth| rodauth.authenticated_by.include?("otp") }
+    assert_equal false, constraint.call(request)
 
     rodauth.scope.env["rodauth.admin"] = rodauth.scope.env.delete("rodauth")
-    constraint = Rodauth::Rails.authenticated(:admin)
-    assert_equal true, constraint.call(rodauth.request)
+    assert_equal true, Rodauth::Rails.authenticate(:admin).call(request)
+
+    capture_io { account.destroy } # silence composite primary key warnings
+    error = assert_raises(Rodauth::InternalRequestError) { Rodauth::Rails.authenticate(:admin).call(request) }
+    assert_equal :login_required, error.reason
   end
 
   test "returns current account if logged in" do