rodauth 0.10.0 → 1.0.0

data/lib/rodauth/features/remember.rb

@@ -0,0 +1,200 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Remember = Feature.define(:remember) do
+    depends :confirm_password
+
+    notice_flash "Your remember setting has been updated"
+    error_flash "There was an error updating your remember setting"
+    view 'remember', 'Change Remember Setting'
+    additional_form_tags
+    button 'Change Remember Setting'
+    before
+    before 'load_memory'
+    after
+    after 'load_memory'
+    redirect
+
+    auth_value_method :remember_cookie_options, {}
+    auth_value_method :extend_remember_deadline?, false
+    auth_value_method :remember_period, {:days=>14}
+    auth_value_method :remembered_session_key, :remembered
+    auth_value_method :remember_deadline_interval, {:days=>14}
+    auth_value_method :remember_id_column, :id
+    auth_value_method :remember_key_column, :key
+    auth_value_method :remember_deadline_column, :deadline
+    auth_value_method :remember_table, :account_remember_keys
+    auth_value_method :remember_cookie_key, '_remember'
+    auth_value_method :remember_param, 'remember'
+    auth_value_method :remember_remember_param_value, 'remember'
+    auth_value_method :remember_forget_param_value, 'forget'
+    auth_value_method :remember_disable_param_value, 'disable'
+    auth_value_method :remember_remember_label, 'Remember Me'
+    auth_value_method :remember_forget_label, 'Forget Me'
+    auth_value_method :remember_disable_label, 'Disable Remember Me'
+
+    auth_methods(
+      :add_remember_key,
+      :clear_remembered_session_key,
+      :disable_remember_login,
+      :forget_login,
+      :generate_remember_key_value,
+      :get_remember_key,
+      :load_memory,
+      :logged_in_via_remember_key?,
+      :remember_key_value,
+      :remember_login,
+      :remove_remember_key
+    )
+
+    route do |r|
+      require_account
+      before_remember_route
+
+      r.get do
+        remember_view
+      end
+
+      r.post do
+        remember = param(remember_param)
+        if [remember_remember_param_value, remember_forget_param_value, remember_disable_param_value].include?(remember)
+          transaction do
+            before_remember
+            case remember
+            when remember_remember_param_value
+              remember_login
+            when remember_forget_param_value
+              forget_login 
+            when remember_disable_param_value
+              disable_remember_login 
+            end
+            after_remember
+          end
+
+          set_notice_flash remember_notice_flash
+          redirect remember_redirect
+        else
+          set_error_flash remember_error_flash
+          remember_view
+        end
+      end
+    end
+
+    def load_memory
+      return if session[session_key]
+      return unless cookie = request.cookies[remember_cookie_key]
+      id, key = cookie.split('_', 2)
+      return unless id && key
+
+      unless (actual = active_remember_key_ds(id).get(remember_key_column)) && timing_safe_eql?(key, actual)
+        forget_login
+        return
+      end
+
+      session[session_key] = id
+      account = account_from_session
+      session.delete(session_key)
+
+      unless account
+        remove_remember_key(id)
+        forget_login
+        return 
+      end
+
+      before_load_memory
+      update_session
+
+      set_session_value(remembered_session_key, true)
+      if extend_remember_deadline?
+        active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
+        remember_login
+      end
+      after_load_memory
+    end
+
+    def remember_login
+      get_remember_key
+      opts = Hash[remember_cookie_options]
+      opts[:value] = "#{account_id}_#{remember_key_value}"
+      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+    end
+
+    def forget_login
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+    end
+
+    def get_remember_key
+      unless @remember_key_value = active_remember_key_ds.get(remember_key_column)
+       generate_remember_key_value
+       transaction do
+         remove_remember_key
+         add_remember_key
+       end
+      end
+      nil
+    end
+
+    def disable_remember_login
+      remove_remember_key
+    end
+
+    def add_remember_key
+      hash = {remember_id_column=>account_id, remember_key_column=>remember_key_value}
+      set_deadline_value(hash, remember_deadline_column, remember_deadline_interval)
+
+      if e = raised_uniqueness_violation{remember_key_ds.insert(hash)}
+        # If inserting into the remember key table causes a violation, we can pull the 
+        # existing row from the table.  If there is no invalid row, we can then reraise.
+        raise e unless @remember_key_value = active_remember_key_ds.get(remember_key_column)
+      end
+    end
+
+    def remove_remember_key(id=account_id)
+      remember_key_ds(id).delete
+    end
+
+    def clear_remembered_session_key
+      session.delete(remembered_session_key)
+    end
+
+    def logged_in_via_remember_key?
+      !!session[remembered_session_key]
+    end
+
+    private
+
+    def after_logout
+      forget_login
+      super if defined?(super)
+    end
+
+    def after_close_account
+      remove_remember_key
+      super if defined?(super)
+    end
+
+    def after_confirm_password
+      super
+      clear_remembered_session_key
+    end
+
+    attr_reader :remember_key_value
+
+    def generate_remember_key_value
+      @remember_key_value = random_key
+    end
+
+    def use_date_arithmetic?
+      extend_remember_deadline? || db.database_type == :mysql
+    end
+
+    def remember_key_ds(id=account_id)
+      db[remember_table].where(remember_id_column=>id)
+    end
+
+    def active_remember_key_ds(id=account_id)
+      remember_key_ds(id).where(Sequel.expr(remember_deadline_column) > Sequel::CURRENT_TIMESTAMP)
+    end
+  end
+end

data/lib/rodauth/features/reset_password.rb

@@ -0,0 +1,207 @@
+# frozen-string-literal: true
+
+module Rodauth
+  ResetPassword = Feature.define(:reset_password) do
+    depends :login, :email_base, :login_password_requirements_base
+
+    notice_flash "Your password has been reset"
+    notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
+    error_flash "There was an error resetting your password"
+    error_flash "There was an error requesting a password reset", 'reset_password_request'
+    view 'reset-password', 'Reset Password'
+    additional_form_tags
+    additional_form_tags 'reset_password_request'
+    before 
+    before 'reset_password_request'
+    after
+    after 'reset_password_request'
+    button 'Reset Password'
+    button 'Request Password Reset', 'reset_password_request'
+    redirect
+    redirect :reset_password_email_sent
+    
+    auth_value_method :reset_password_deadline_column, :deadline
+    auth_value_method :reset_password_deadline_interval, {:days=>1}
+    auth_value_method :no_matching_reset_password_key_message, "invalid password reset key"
+    auth_value_method :reset_password_email_subject, 'Reset Password'
+    auth_value_method :reset_password_key_param, 'key'
+    auth_value_method :reset_password_autologin?, false
+    auth_value_method :reset_password_table, :account_password_reset_keys
+    auth_value_method :reset_password_id_column, :id
+    auth_value_method :reset_password_key_column, :key
+
+    auth_value_methods :reset_password_email_sent_redirect
+
+    auth_methods(
+      :create_reset_password_key,
+      :create_reset_password_email,
+      :get_reset_password_key,
+      :remove_reset_password_key,
+      :reset_password_email_body,
+      :reset_password_email_link,
+      :reset_password_key_insert_hash,
+      :reset_password_key_value,
+      :send_reset_password_email
+    )
+    auth_private_methods(
+      :account_from_reset_password_key
+    )
+
+    route(:reset_password_request) do |r|
+      check_already_logged_in
+      before_reset_password_request_route
+
+      r.post do
+        if account_from_login(param(login_param)) && open_account?
+          generate_reset_password_key_value
+          transaction do
+            before_reset_password_request
+            create_reset_password_key
+            send_reset_password_email
+            after_reset_password_request
+          end
+
+          set_notice_flash reset_password_email_sent_notice_flash
+        else
+          set_redirect_error_flash reset_password_request_error_flash
+        end
+
+        redirect reset_password_email_sent_redirect
+      end
+    end
+
+    route do |r|
+      check_already_logged_in
+      before_reset_password_route
+
+      r.get do
+        if key = param_or_nil(reset_password_key_param)
+          if account_from_reset_password_key(key)
+            reset_password_view
+          else
+            set_redirect_error_flash no_matching_reset_password_key_message
+            redirect require_login_redirect
+          end
+        end
+      end
+
+      r.post do
+        key = param(reset_password_key_param)
+        unless account_from_reset_password_key(key)
+          set_redirect_error_flash reset_password_error_flash
+          redirect reset_password_email_sent_redirect
+        end
+
+        password = param(password_param)
+        catch_error do
+          if password_match?(password) 
+            throw_error(password_param, same_as_existing_password_message)
+          end
+
+          if require_password_confirmation? && password != param(password_confirm_param)
+            throw_error(password_param, passwords_do_not_match_message)
+          end
+
+          unless password_meets_requirements?(password)
+            throw_error(password_param, password_does_not_meet_requirements_message)
+          end
+
+          transaction do
+            before_reset_password
+            set_password(password)
+            remove_reset_password_key
+            after_reset_password
+          end
+
+          if reset_password_autologin?
+            update_session
+          end
+
+          set_notice_flash reset_password_notice_flash
+          redirect reset_password_redirect
+        end
+
+        set_error_flash reset_password_error_flash
+        reset_password_view
+      end
+    end
+
+    def create_reset_password_key
+      ds = password_reset_ds
+      transaction do
+        ds.where(Sequel::CURRENT_TIMESTAMP > reset_password_deadline_column).delete
+        if ds.empty?
+          if e = raised_uniqueness_violation{ds.insert(reset_password_key_insert_hash)}
+            # If inserting into the reset password table causes a violation, we can pull the 
+            # existing reset password key from the table, or reraise.
+            raise e unless @reset_password_key_value = get_password_reset_key(account_id)
+          end
+        end
+      end
+    end
+
+    def remove_reset_password_key
+      password_reset_ds.delete
+    end
+
+    def account_from_reset_password_key(key)
+      @account = _account_from_reset_password_key(key)
+    end
+
+    def send_reset_password_email
+      create_reset_password_email.deliver!
+    end
+
+    def reset_password_email_link
+      token_link(reset_password_route, reset_password_key_param, reset_password_key_value)
+    end
+
+    def get_password_reset_key(id)
+      password_reset_ds(id).get(reset_password_key_column)
+    end
+
+    private
+
+    attr_reader :reset_password_key_value
+
+    def after_login_failure
+      @login_form_header = render("reset-password-request")
+      super
+    end
+
+    def after_close_account
+      remove_reset_password_key
+      super if defined?(super)
+    end
+
+    def generate_reset_password_key_value
+      @reset_password_key_value = random_key
+    end
+
+    def create_reset_password_email
+      create_email(reset_password_email_subject, reset_password_email_body)
+    end
+
+    def reset_password_email_body
+      render('reset-password-email')
+    end
+
+    def use_date_arithmetic?
+      db.database_type == :mysql
+    end
+
+    def reset_password_key_insert_hash
+      hash = {reset_password_id_column=>account_id, reset_password_key_column=>reset_password_key_value}
+      set_deadline_value(hash, reset_password_deadline_column, reset_password_deadline_interval)
+      hash
+    end
+
+    def password_reset_ds(id=account_id)
+      db[reset_password_table].where(reset_password_id_column=>id)
+    end
+
+    def _account_from_reset_password_key(token)
+      account_from_key(token, account_open_status_value){|id| get_password_reset_key(id)}
+    end
+  end
+end

data/lib/rodauth/features/session_expiration.rb

@@ -0,0 +1,55 @@
+# frozen-string-literal: true
+
+module Rodauth
+  SessionExpiration = Feature.define(:session_expiration) do
+    error_flash "This session has expired, please login again."
+
+    auth_value_method :max_session_lifetime, 86400
+    auth_value_method :session_created_session_key, :session_created_at
+    auth_value_method :session_expiration_default, true
+    auth_value_method :session_inactivity_timeout, 1800
+    auth_value_method :session_last_activity_session_key, :last_session_activity_at
+
+    auth_value_methods :session_expiration_redirect
+    
+    def check_session_expiration
+      return unless logged_in?
+
+      unless session.has_key?(session_last_activity_session_key) && session.has_key?(session_created_session_key)
+        if session_expiration_default
+          expire_session
+        end
+
+        return
+      end
+
+      time = Time.now.to_i
+
+      if session[session_last_activity_session_key] + session_inactivity_timeout < time
+        expire_session
+      end
+      set_session_value(session_last_activity_session_key, time)
+
+      if session[session_created_session_key] + max_session_lifetime < time
+        expire_session
+      end
+    end
+
+    def expire_session
+      clear_session
+      set_redirect_error_flash session_expiration_error_flash
+      redirect session_expiration_redirect
+    end
+
+    def session_expiration_redirect
+      require_login_redirect
+    end
+
+    private
+
+    def update_session
+      super
+      session[session_last_activity_session_key] = session[session_created_session_key] = Time.now.to_i
+    end
+  end
+end