rodauth 0.10.0 → 1.0.0

data/lib/rodauth/features/password_complexity.rb

@@ -0,0 +1,89 @@
+# frozen-string-literal: true
+
+module Rodauth
+  PasswordComplexity = Feature.define(:password_complexity) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_dictionary_file, nil
+    auth_value_method :password_dictionary, nil
+    auth_value_method :password_character_groups, [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z\d]/]
+    auth_value_method :password_min_groups, 3
+    auth_value_method :password_max_length_for_groups_check, 11
+    auth_value_method :password_max_repeating_characters, 3
+    auth_value_method :password_invalid_pattern, Regexp.union([/qwerty/i, /azerty/i, /asdf/i, /zxcv/i] + (1..8).map{|i| /#{i}#{i+1}#{(i+2)%10}/})
+    auth_value_method :password_not_enough_character_groups_message, "does not include uppercase letters, lowercase letters, and numbers"
+    auth_value_method :password_invalid_pattern_message, "includes common character sequence"
+    auth_value_method :password_in_dictionary_message, "is a word in a dictionary"
+
+    auth_value_methods(
+      :password_too_many_repeating_characters_message
+    )
+
+    def password_meets_requirements?(password)
+      super && \
+        password_has_enough_character_groups?(password) && \
+        password_has_no_invalid_pattern?(password) && \
+        password_not_too_many_repeating_characters?(password) && \
+        password_not_in_dictionary?(password)
+    end
+
+    def post_configure
+      super
+      return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
+
+      case dictionary_file = password_dictionary_file
+      when false
+        return
+      when nil
+        default_dictionary_file = '/usr/share/dict/words'
+        if File.file?(default_dictionary_file)
+          words = File.read(default_dictionary_file)
+        end
+      else
+        words = File.read(password_dictionary_file)
+      end
+
+      return unless words
+
+      require 'set'
+      dict = Set.new(words.downcase.split)
+      self.class.send(:define_method, :password_dictionary){dict}
+    end
+
+    private
+
+    def password_has_enough_character_groups?(password)
+      return true if password.length > password_max_length_for_groups_check
+      return true if password_character_groups.select{|re| password =~ re}.length >= password_min_groups
+      @password_requirement_message = password_not_enough_character_groups_message
+      false
+    end
+
+    def password_has_no_invalid_pattern?(password)
+      return true unless password_invalid_pattern
+      return true if password !~ password_invalid_pattern
+      @password_requirement_message = password_invalid_pattern_message
+      false
+    end
+
+    def password_not_too_many_repeating_characters?(password)
+      return true if password_max_repeating_characters < 2
+      return true if password !~ /(.)(\1){#{password_max_repeating_characters-1}}/ 
+      @password_requirement_message = password_too_many_repeating_characters_message
+      false
+    end
+
+    def password_too_many_repeating_characters_message
+      "contains #{password_max_repeating_characters} or more of the same character in a row"
+    end
+
+    def password_not_in_dictionary?(password)
+      return true unless dict = password_dictionary
+      return true unless password =~ /\A(?:\d*)([A-Za-z!@$+|][A-Za-z!@$+|0134578]+[A-Za-z!@$+|])(?:\d*)\z/
+      word = $1.downcase.tr('!@$+|0134578', 'iastloleastb')
+      return true if !dict.include?(word)
+      @password_requirement_message = password_in_dictionary_message
+      false
+    end
+  end
+end

data/lib/rodauth/features/password_expiration.rb

@@ -0,0 +1,111 @@
+# frozen-string-literal: true
+
+module Rodauth
+  PasswordExpiration = Feature.define(:password_expiration) do
+    depends :login, :change_password
+
+    error_flash "Your password has expired and needs to be changed"
+    error_flash "Your password cannot be changed yet", 'password_not_changeable_yet'
+
+    redirect :password_not_changeable_yet 
+    redirect(:password_change_needed){"#{prefix}/#{change_password_route}"}
+
+    auth_value_method :allow_password_change_after, 0
+    auth_value_method :require_password_change_after, 90*86400
+    auth_value_method :password_expiration_table, :account_password_change_times
+    auth_value_method :password_expiration_id_column, :id
+    auth_value_method :password_expiration_changed_at_column, :changed_at
+    auth_value_method :password_changed_at_session_key, :password_changed_at
+    auth_value_method :password_expiration_default, false
+
+    auth_methods(
+      :password_expired?,
+      :update_password_changed_at
+    )
+
+    def get_password_changed_at
+      convert_timestamp(password_expiration_ds.get(password_expiration_changed_at_column))
+    end
+
+    def check_password_change_allowed
+      if password_changed_at = get_password_changed_at
+        if password_changed_at > Time.now - allow_password_change_after
+          set_redirect_error_flash password_not_changeable_yet_error_flash
+          redirect password_not_changeable_yet_redirect
+        end
+      end
+    end
+
+    def set_password(password)
+      update_password_changed_at
+      session[password_changed_at_session_key] = Time.now.to_i 
+      super
+    end
+
+    def account_from_reset_password_key(key)
+      if a = super
+        check_password_change_allowed
+      end
+      a
+    end
+
+    def update_password_changed_at
+      ds = password_expiration_ds
+      if ds.update(password_expiration_changed_at_column=>Sequel::CURRENT_TIMESTAMP) == 0
+        # Ignoring the violation is safe here, since a concurrent insert would also set it to the
+        # current timestamp.
+        ignore_uniqueness_violation{ds.insert(password_expiration_id_column=>account_id)}
+      end
+    end
+
+    def require_current_password
+      if authenticated? && password_expired? && password_change_needed_redirect != request.path_info
+        set_redirect_error_flash password_expiration_error_flash
+        redirect password_change_needed_redirect
+      end
+    end
+
+    def password_expired?
+      if password_changed_at = session[password_changed_at_session_key]
+        return password_changed_at + require_password_change_after < Time.now.to_i
+      end
+
+      account_from_session
+      if password_changed_at = get_password_changed_at
+        set_session_value(password_changed_at_session_key, password_changed_at.to_i)
+        password_changed_at + require_password_change_after < Time.now
+      else
+        set_session_value(password_changed_at_session_key, password_expiration_default ? 0 : 2147483647)
+        password_expiration_default
+      end
+    end
+
+    private
+
+    def after_close_account
+      super if defined?(super)
+      password_expiration_ds.delete
+    end
+
+    def before_change_password_route
+      check_password_change_allowed
+      super
+    end
+
+    def after_create_account
+      if account_password_hash_column
+        update_password_changed_at
+      end
+      super if defined?(super)
+    end
+
+    def after_login
+      require_current_password
+      super
+    end
+
+    def password_expiration_ds
+      db[password_expiration_table].where(password_expiration_id_column=>account_id)
+    end
+  end
+end

data/lib/rodauth/features/password_grace_period.rb

@@ -0,0 +1,46 @@
+# frozen-string-literal: true
+
+module Rodauth
+  PasswordGracePeriod = Feature.define(:password_grace_period) do
+    auth_value_method :password_grace_period, 300
+    auth_value_method :last_password_entry_session_key, :last_password_entry
+
+    def modifications_require_password?
+      return false unless super
+      !password_recently_entered?
+    end
+
+    def password_match?(_)
+      if v = super
+        @last_password_entry = set_last_password_entry
+      end
+      v
+    end
+
+    private
+
+    def after_create_account
+      super if defined?(super)
+      @last_password_entry = Time.now.to_i
+    end
+
+    def after_reset_password
+      super if defined?(super)
+      @last_password_entry = Time.now.to_i
+    end
+
+    def update_session
+      super
+      session[last_password_entry_session_key] = @last_password_entry if defined?(@last_password_entry)
+    end
+
+    def password_recently_entered?
+      return false unless last_password_entry = session[last_password_entry_session_key]
+      last_password_entry + password_grace_period > Time.now.to_i
+    end
+
+    def set_last_password_entry
+      session[last_password_entry_session_key] = Time.now.to_i
+    end
+  end
+end

data/lib/rodauth/features/recovery_codes.rb

@@ -0,0 +1,240 @@
+# frozen-string-literal: true
+
+module Rodauth
+  RecoveryCodes = Feature.define(:recovery_codes) do
+    depends :two_factor_base
+
+    additional_form_tags 'recovery_auth'
+    additional_form_tags 'recovery_codes'
+
+    before 'add_recovery_codes'
+    before 'view_recovery_codes'
+    before 'recovery_auth'
+    before 'recovery_auth_route'
+    before 'recovery_codes_route'
+
+    after 'add_recovery_codes'
+
+    button 'Add Authentication Recovery Codes', 'add_recovery_codes'
+    button 'Authenticate via Recovery Code', 'recovery_auth'
+    button 'View Authentication Recovery Codes', 'view_recovery_codes'
+
+    error_flash "Error authenticating via recovery code.", 'invalid_recovery_code'
+    error_flash "Unable to add recovery codes.", 'add_recovery_codes'
+    error_flash "Unable to view recovery codes.", 'view_recovery_codes'
+
+    notice_flash "Additional authentication recovery codes have been added.", 'recovery_codes_added'
+
+    redirect(:recovery_auth){"#{prefix}/#{recovery_auth_route}"}
+    redirect(:add_recovery_codes){"#{prefix}/#{recovery_codes_route}"}
+
+    view 'add-recovery-codes', 'Authentication Recovery Codes', 'add_recovery_codes'
+    view 'recovery-auth', 'Enter Authentication Recovery Code', 'recovery_auth'
+    view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
+
+    auth_value_method :add_recovery_codes_param, 'add'
+    auth_value_method :invalid_recovery_code_message, "Invalid recovery code"
+    auth_value_method :recovery_codes_limit, 16
+    auth_value_method :recovery_codes_column, :code
+    auth_value_method :recovery_codes_id_column, :id
+    auth_value_method :recovery_codes_label, 'Recovery Code'
+    auth_value_method :recovery_codes_param, 'recovery-code'
+    auth_value_method :recovery_codes_table, :account_recovery_codes
+
+    auth_cached_method :recovery_codes
+
+    auth_value_methods(
+      :recovery_codes_primary?
+    )
+
+    auth_methods(
+      :add_recovery_code,
+      :can_add_recovery_codes?,
+      :new_recovery_code,
+      :recovery_code_match?,
+      :recovery_codes
+    )
+
+    route(:recovery_auth) do |r|
+      require_login
+      require_account_session
+      require_two_factor_setup
+      require_two_factor_not_authenticated
+      before_recovery_auth_route
+
+      r.get do
+        recovery_auth_view
+      end
+
+      r.post do
+        if recovery_code_match?(param(recovery_codes_param))
+          before_recovery_auth
+          two_factor_authenticate(:recovery_code)
+        end
+
+        set_field_error(recovery_codes_param, invalid_recovery_code_message)
+        set_error_flash invalid_recovery_code_error_flash
+        recovery_auth_view
+      end
+    end
+
+    route(:recovery_codes) do |r|
+      require_account
+      unless recovery_codes_primary?
+        require_two_factor_setup
+        require_two_factor_authenticated
+      end
+      before_recovery_codes_route
+
+      r.get do
+        recovery_codes_view
+      end
+
+      r.post do
+        if two_factor_password_match?(param(password_param))
+          if can_add_recovery_codes?
+            if param_or_nil(add_recovery_codes_param)
+              transaction do
+                before_add_recovery_codes
+                add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+                after_add_recovery_codes
+              end
+              set_notice_now_flash recovery_codes_added_notice_flash
+            end
+
+            self.recovery_codes_button = add_recovery_codes_button
+          end
+
+          before_view_recovery_codes
+          add_recovery_codes_view
+        else
+          if param_or_nil(add_recovery_codes_param)
+            set_error_flash add_recovery_codes_error_flash
+          else
+            set_error_flash view_recovery_codes_error_flash
+          end
+
+          set_field_error(password_param, invalid_password_message)
+          recovery_codes_view
+        end
+      end
+    end
+
+    attr_accessor :recovery_codes_button
+
+    def two_factor_need_setup_redirect
+      super || (add_recovery_codes_redirect if recovery_codes_primary?)
+    end
+
+    def two_factor_auth_required_redirect
+      super || (recovery_auth_redirect if recovery_codes_primary?)
+    end
+
+    def two_factor_auth_fallback_redirect
+      recovery_auth_redirect
+    end
+
+    def two_factor_remove
+      super
+      recovery_codes_remove
+    end
+
+    def two_factor_authentication_setup?
+      super || (recovery_codes_primary? && !recovery_codes.empty?)
+    end
+
+    def otp_auth_form_footer
+      "#{super if defined?(super)}<p><a href=\"#{recovery_auth_route}\">Authenticate using recovery code</a></p>"
+    end
+
+    def otp_lockout_redirect
+      recovery_auth_redirect
+    end
+
+    def otp_lockout_error_flash
+      "#{super if defined?(super)} Can use recovery code to unlock."
+    end
+
+    def otp_add_key
+      super if defined?(super)
+      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+    end
+
+    def sms_confirm
+      super if defined?(super)
+      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+    end
+
+    def otp_remove
+      super if defined?(super)
+      unless recovery_codes_primary?
+        recovery_codes_remove
+      end
+    end
+
+    def sms_disable
+      super if defined?(super)
+      unless recovery_codes_primary?
+        recovery_codes_remove
+      end
+    end
+
+    def recovery_codes_remove
+      recovery_codes_ds.delete
+    end
+
+    def recovery_code_match?(code)
+      recovery_codes.each do |s|
+        if timing_safe_eql?(code, s)
+          recovery_codes_ds.where(recovery_codes_column=>code).delete
+          if recovery_codes_primary?
+            add_recovery_code
+          end
+          return true
+        end
+      end
+      false
+    end
+
+    def can_add_recovery_codes?
+      recovery_codes.length < recovery_codes_limit
+    end
+
+    def add_recovery_codes(number)
+      return if number <= 0
+      transaction do
+        number.times do
+          add_recovery_code
+        end
+      end
+      remove_instance_variable(:@recovery_codes)
+    end
+
+    def add_recovery_code
+      # This should never raise uniqueness violations unless the recovery code is the same, and the odds of that
+      # are 1/256**32 assuming a good random number generator.  Still, attempt to handle that case by retrying
+      # on such a uniqueness violation.
+      retry_on_uniqueness_violation do
+        recovery_codes_ds.insert(recovery_codes_id_column=>session_value, recovery_codes_column=>new_recovery_code)
+      end
+    end
+
+    private
+
+    def new_recovery_code
+      random_key
+    end
+    
+    def recovery_codes_primary?
+      (features & [:otp, :sms_codes]).empty?
+    end
+
+    def _recovery_codes
+      recovery_codes_ds.select_map(recovery_codes_column)
+    end
+
+    def recovery_codes_ds
+      db[recovery_codes_table].where(recovery_codes_id_column=>session_value)
+    end
+  end
+end