Implement advanced login

Author: khin-alu

app/assets/stylesheets/application.bootstrap.scss

@@ -191,3 +191,16 @@ input {
     }
   }
 }
+
+.checkbox {
+  margin-top: -10px;
+  margin-bottom: 10px;
+  span {
+    margin-left: 20px;
+    font-weight: normal;
+  }
+}
+#session_remember_me {
+  width: auto;
+  margin-left: 0;
+}

app/controllers/sessions_controller.rb

@@ -6,6 +6,7 @@ def create
     user = User.find_by(email: params[:session][:email].downcase)
     if user && user.authenticate(params[:session][:password])
       reset_session
+      params[:session][:remember_me] == "1" ? remember(user) : forget(user)
       log_in user
       redirect_to user
     else
@@ -15,7 +16,7 @@ def create
   end
 
   def destroy
-    log_out
+    log_out if logged_in?
     redirect_to root_url, status: :see_other
   end
 end

app/helpers/sessions_helper.rb

@@ -1,13 +1,33 @@
 module SessionsHelper
+
   # Logs in the given user.
   def log_in(user)
     session[:user_id] = user.id
+    # Guard against session replay attacks.
+    # See https://bit.ly/33UvK0w for more.
+    session[:session_token] = user.session_token
+  end
+
+  # Remembers a user in a persistent session.
+  def remember(user)
+    user.remember
+    cookies.permanent.encrypted[:user_id] = user.id
+    cookies.permanent[:remember_token] = user.remember_token
   end
 
-  # Returns the current logged-in user (if any).
+  # Returns the user corresponding to the remember token cookie.
   def current_user
-    if session[:user_id]
-      @current_user ||= User.find_by(id: session[:user_id])
+    if (user_id = session[:user_id])
+      user = User.find_by(id: user_id)
+      if user && session[:session_token] == user.session_token
+        @current_user = user
+      end
+    elsif (user_id = cookies.encrypted[:user_id])
+      user = User.find_by(id: user_id)
+      if user && user.authenticated?(cookies[:remember_token])
+        log_in user
+        @current_user = user
+      end
     end
   end
 
@@ -16,9 +36,17 @@ def logged_in?
     !current_user.nil?
   end
 
+  # Forgets a persistent session.
+  def forget(user)
+    user.forget
+    cookies.delete(:user_id)
+    cookies.delete(:remember_token)
+  end
+
   # Logs out the current user.
   def log_out
+    forget(current_user)
     reset_session
     @current_user = nil
   end
-end
+end

app/models/user.rb

@@ -1,16 +1,44 @@
 class User < ApplicationRecord
+  attr_accessor :remember_token
   before_save { self.email = email.downcase }
   validates :name, presence: true, length: { maximum: 50 }
   VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
   validates :email, presence: true, length: { maximum: 255 },
                     format: { with: VALID_EMAIL_REGEX },
-                    uniqueness: { case_sensitive: false }
+                    uniqueness: true
   has_secure_password
   validates :password, presence: true, length: { minimum: 6 }
-
   # Returns the hash digest of the given string.
   def User.digest(string)
-    cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
+    cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST :
+      BCrypt::Engine.cost
     BCrypt::Password.create(string, cost: cost)
   end
+  # Returns a random token.
+  def User.new_token
+    SecureRandom.urlsafe_base64
+  end
+  # Remembers a user in the database for use in persistent sessions.
+  def remember
+    self.remember_token = User.new_token
+    update_attribute(:remember_digest, User.digest(remember_token))
+    remember_digest
+  end
+
+  # Returns a session token to prevent session hijacking.
+  # We reuse the remember digest for convenience.
+  def session_token
+    remember_digest || remember
+  end
+
+  # Returns true if the given token matches the digest.
+  def authenticated?(remember_token)
+    return false if remember_digest.nil?
+    BCrypt::Password.new(remember_digest).is_password?(remember_token)
+  end
+
+  # Forgets a user.
+  def forget
+    update_attribute(:remember_digest, nil)
+  end
 end

app/views/sessions/new.html.erb

@@ -7,6 +7,10 @@
         <%= f.email_field :email, class: 'form-control' %>
         <%= f.label :password %>
         <%= f.password_field :password, class: 'form-control' %>
+        <%= f.label :remember_me, class: "checkbox inline" do %>
+        <%= f.check_box :remember_me %>
+        <span>Remember me on this computer</span>
+        <% end %>
         <%= f.submit "Log in", class: "btn btn-primary" %>
         <% end %>
         <p>New user? <%= link_to "Sign up now!", signup_path %></p>

db/migrate/20250919152057_add_remember_digest_to_users.rb

@@ -0,0 +1,5 @@
+class AddRememberDigestToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :remember_digest, :string
+  end
+end

db/schema.rb

@@ -0,0 +1,17 @@
+require "test_helper"
+
+class SessionsHelperTest < ActionView::TestCase
+  def setup
+    @user = users(:michael)
+    remember(@user)
+  end
+
+  test "current_user returns right user when session is nil" do
+    assert_equal @user, current_user
+    assert is_logged_in?
+  end
+  test "current_user returns nil when remember digest is wrong" do
+    @user.update_attribute(:remember_digest, User.digest(User.new_token))
+    assert_nil current_user
+  end
+end

test/helpers/sessions_helper_test.rb

@@ -1,12 +1,12 @@
 require "test_helper"
 
-class UsersLogin < ActionDispatch::IntegrationTest
+class UsersLoginTest < ActionDispatch::IntegrationTest
   def setup
     @user = users(:michael)
   end
 end
 
-class InvalidPasswordTest < UsersLogin
+class InvalidPasswordTest < UsersLoginTest
   test "login path" do
     get login_path
     assert_template "sessions/new"
@@ -22,7 +22,7 @@ class InvalidPasswordTest < UsersLogin
   end
 end
 
-class ValidLogin < UsersLogin
+class ValidLogin < UsersLoginTest
   def setup
     super
     post login_path, params: { session: { email: @user.email,
@@ -64,4 +64,45 @@ class LogoutTest < Logout
                   count: 0
     assert_select "a[href=?]", user_path(@user), count: 0
   end
+
+  test "login with valid information followed by logout" do
+    post login_path, params: { session: { email: @user.email,
+                                         password: "password" } }
+    assert is_logged_in?
+    assert_redirected_to @user
+    follow_redirect!
+    assert_template "users/show"
+    assert_select "a[href=?]", login_path, count: 0
+    assert_select "a[href=?]", logout_path
+    assert_select "a[href=?]", user_path(@user)
+    delete logout_path
+    assert_response :see_other
+    assert_not is_logged_in?
+    assert_redirected_to root_url
+    # Simulate a user clicking logout in a second window.
+    delete logout_path
+    follow_redirect!
+    assert_select "a[href=?]", login_path
+    assert_select "a[href=?]", logout_path,
+                  count: 0
+    assert_select "a[href=?]", user_path(@user), count: 0
+  end
+  test "should still work after logout in second window" do
+    delete logout_path
+    assert_redirected_to root_url
+  end
+end
+
+class RememberingTest < UsersLoginTest
+  test "login with remembering" do
+    log_in_as(@user, remember_me: "1")
+    assert_not cookies[:remember_token].blank?
+  end
+  test "login without remembering" do
+    # Log in to set the cookie.
+    log_in_as(@user, remember_me: "1")
+    # Log in again and verify that the cookie is deleted.
+    log_in_as(@user, remember_me: "0")
+    assert cookies[:remember_token].blank?
+  end
 end

test/integration/users_login_test.rb

@@ -56,4 +56,7 @@ def setup
     @user.password = @user.password_confirmation = "a" * 5
     assert_not @user.valid?
   end
+  test "authenticated? should return false for a user with nil digest" do
+    assert_not @user.authenticated?("")
+  end
 end