RubyGems - rodauth - Versions diffs - 0.10.0 → 1.0.0 - Mend

rodauth 0.10.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

checksums.yaml +4 -4
data/CHANGELOG +146 -0
data/README.rdoc +644 -220
data/Rakefile +99 -11
data/doc/account_expiration.rdoc +55 -0
data/doc/base.rdoc +104 -0
data/doc/change_login.rdoc +29 -0
data/doc/change_password.rdoc +26 -0
data/doc/close_account.rdoc +31 -0
data/doc/confirm_password.rdoc +22 -0
data/doc/create_account.rdoc +34 -0
data/doc/disallow_password_reuse.rdoc +37 -0
data/doc/email_base.rdoc +19 -0
data/doc/jwt.rdoc +35 -0
data/doc/lockout.rdoc +83 -0
data/doc/login.rdoc +27 -0
data/doc/login_password_requirements_base.rdoc +50 -0
data/doc/logout.rdoc +21 -0
data/doc/otp.rdoc +100 -0
data/doc/password_complexity.rdoc +50 -0
data/doc/password_expiration.rdoc +52 -0
data/doc/password_grace_period.rdoc +10 -0
data/doc/recovery_codes.rdoc +60 -0
data/doc/release_notes/1.0.0.txt +443 -0
data/doc/remember.rdoc +82 -0
data/doc/reset_password.rdoc +70 -0
data/doc/session_expiration.rdoc +27 -0
data/doc/single_session.rdoc +43 -0
data/doc/sms_codes.rdoc +119 -0
data/doc/two_factor_base.rdoc +27 -0
data/doc/verify_account.rdoc +70 -0
data/doc/verify_account_grace_period.rdoc +15 -0
data/doc/verify_change_login.rdoc +9 -0
data/lib/roda/plugins/rodauth.rb +3 -262
data/lib/rodauth.rb +260 -0
data/lib/rodauth/features/account_expiration.rb +108 -0
data/lib/rodauth/features/base.rb +479 -0
data/lib/rodauth/features/change_login.rb +77 -0
data/lib/rodauth/features/change_password.rb +66 -0
data/lib/rodauth/features/close_account.rb +82 -0
data/lib/rodauth/features/confirm_password.rb +51 -0
data/lib/rodauth/features/create_account.rb +128 -0
data/lib/rodauth/features/disallow_password_reuse.rb +82 -0
data/lib/rodauth/features/email_base.rb +63 -0
data/lib/rodauth/features/jwt.rb +151 -0
data/lib/rodauth/features/lockout.rb +262 -0
data/lib/rodauth/features/login.rb +61 -0
data/lib/rodauth/features/login_password_requirements_base.rb +123 -0
data/lib/rodauth/features/logout.rb +37 -0
data/lib/rodauth/features/otp.rb +338 -0
data/lib/rodauth/features/password_complexity.rb +89 -0
data/lib/rodauth/features/password_expiration.rb +111 -0
data/lib/rodauth/features/password_grace_period.rb +46 -0
data/lib/rodauth/features/recovery_codes.rb +240 -0
data/lib/rodauth/features/remember.rb +200 -0
data/lib/rodauth/features/reset_password.rb +207 -0
data/lib/rodauth/features/session_expiration.rb +55 -0
data/lib/rodauth/features/single_session.rb +87 -0
data/lib/rodauth/features/sms_codes.rb +498 -0
data/lib/rodauth/features/two_factor_base.rb +135 -0
data/lib/rodauth/features/verify_account.rb +232 -0
data/lib/rodauth/features/verify_account_grace_period.rb +76 -0
data/lib/rodauth/features/verify_change_login.rb +20 -0
data/lib/rodauth/migrations.rb +130 -0
data/lib/rodauth/version.rb +9 -0
data/spec/account_expiration_spec.rb +90 -0
data/spec/all.rb +1 -0
data/spec/change_login_spec.rb +149 -0
data/spec/change_password_spec.rb +177 -0
data/spec/close_account_spec.rb +162 -0
data/spec/confirm_password_spec.rb +70 -0
data/spec/create_account_spec.rb +127 -0
data/spec/disallow_password_reuse_spec.rb +84 -0
data/spec/lockout_spec.rb +228 -0
data/spec/login_spec.rb +188 -0
data/spec/migrate/001_tables.rb +103 -16
data/spec/migrate/002_account_password_hash_column.rb +11 -0
data/spec/migrate_password/001_tables.rb +60 -42
data/spec/migrate_travis/001_tables.rb +116 -0
data/spec/password_complexity_spec.rb +108 -0
data/spec/password_expiration_spec.rb +243 -0
data/spec/password_grace_period_spec.rb +93 -0
data/spec/remember_spec.rb +424 -0
data/spec/reset_password_spec.rb +185 -0
data/spec/rodauth_spec.rb +57 -980
data/spec/session_expiration_spec.rb +58 -0
data/spec/single_session_spec.rb +107 -0
data/spec/spec_helper.rb +202 -0
data/spec/two_factor_spec.rb +1310 -0
data/spec/verify_account_grace_period_spec.rb +135 -0
data/spec/verify_account_spec.rb +142 -0
data/spec/verify_change_login_spec.rb +46 -0
data/spec/views/login.str +2 -2
data/templates/add-recovery-codes.str +2 -0
data/templates/button.str +5 -0
data/templates/change-login.str +5 -18
data/templates/change-password.str +6 -14
data/templates/close-account.str +3 -6
data/templates/confirm-password.str +4 -14
data/templates/create-account.str +6 -30
data/templates/login-confirm-field.str +6 -0
data/templates/login-field.str +6 -0
data/templates/login.str +5 -19
data/templates/logout.str +2 -6
data/templates/otp-auth-code-field.str +6 -0
data/templates/otp-auth.str +8 -0
data/templates/otp-disable.str +6 -0
data/templates/otp-setup.str +21 -0
data/templates/password-confirm-field.str +6 -0
data/templates/password-field.str +6 -0
data/templates/recovery-auth.str +12 -0
data/templates/recovery-codes.str +6 -0
data/templates/remember.str +8 -12
data/templates/reset-password-request.str +2 -2
data/templates/reset-password.str +4 -18
data/templates/sms-auth.str +6 -0
data/templates/sms-code-field.str +6 -0
data/templates/sms-confirm.str +7 -0
data/templates/sms-disable.str +7 -0
data/templates/sms-request.str +5 -0
data/templates/sms-setup.str +12 -0
data/templates/unlock-account-request.str +3 -7
data/templates/unlock-account.str +4 -7
data/templates/verify-account-resend.str +2 -2
data/templates/verify-account.str +2 -6
metadata +191 -29
data/lib/roda/plugins/rodauth/base.rb +0 -428
data/lib/roda/plugins/rodauth/change_login.rb +0 -48
data/lib/roda/plugins/rodauth/change_password.rb +0 -42
data/lib/roda/plugins/rodauth/close_account.rb +0 -42
data/lib/roda/plugins/rodauth/create_account.rb +0 -92
data/lib/roda/plugins/rodauth/lockout.rb +0 -292
data/lib/roda/plugins/rodauth/login.rb +0 -81
data/lib/roda/plugins/rodauth/logout.rb +0 -36
data/lib/roda/plugins/rodauth/remember.rb +0 -226
data/lib/roda/plugins/rodauth/reset_password.rb +0 -205
data/lib/roda/plugins/rodauth/verify_account.rb +0 -228

data/lib/rodauth/features/single_session.rb ADDED

@@ -0,0 +1,87 @@
+# frozen-string-literal: true
+module Rodauth
+  SingleSession = Feature.define(:single_session) do
+    error_flash 'This session has been logged out as another session has become active'
+    redirect
+    auth_value_method :single_session_id_column, :id
+    auth_value_method :single_session_key_column, :key
+    auth_value_method :single_session_session_key, :single_session_key
+    auth_value_method :single_session_table, :account_session_keys
+    auth_methods(
+      :currently_active_session?,
+      :no_longer_active_session,
+      :reset_single_session_key,
+      :update_single_session_key
+    )
+    def reset_single_session_key
+      if logged_in?
+        single_session_ds.update(single_session_key_column=>random_key)
+      end
+    end
+    def currently_active_session?
+      single_session_key = session[single_session_session_key]
+      current_key = single_session_ds.get(single_session_key_column)
+      if single_session_key.nil?
+        unless current_key
+          # No row exists for this user, indicating the feature has never
+          # been used, so it is OK to treat the current session as a new
+          # session.
+          update_single_session_key
+        end
+        true
+      elsif current_key
+        timing_safe_eql?(single_session_key, current_key)
+      end
+    end
+    def check_single_session
+      if logged_in? && !currently_active_session?
+        no_longer_active_session
+      end
+    end
+    def no_longer_active_session
+      clear_session
+      set_redirect_error_flash single_session_error_flash
+      redirect single_session_redirect
+    end
+    def update_single_session_key
+      key = random_key
+      set_session_value(single_session_session_key, key)
+      if single_session_ds.update(single_session_key_column=>key) == 0
+        # Don't handle uniqueness violations here.  While we could get the stored key from the
+        # database, it could lead to two sessions sharing the same key, which this feature is
+        # designed to prevent.
+        single_session_ds.insert(single_session_id_column=>session_value, single_session_key_column=>key)
+      end
+    end
+    private
+    def after_close_account
+      super if defined?(super)
+      single_session_ds.delete
+    end
+    def before_logout
+      reset_single_session_key if request.post?
+      super if defined?(super)
+    end
+    def update_session
+      super
+      update_single_session_key
+    end
+    def single_session_ds
+      db[single_session_table].
+        where(single_session_id_column=>session_value)
+    end
+  end
+end

data/lib/rodauth/features/sms_codes.rb ADDED

@@ -0,0 +1,498 @@
+# frozen-string-literal: true
+module Rodauth
+  SmsCodes = Feature.define(:sms_codes) do
+    depends :two_factor_base
+    additional_form_tags 'sms_auth'
+    additional_form_tags 'sms_confirm'
+    additional_form_tags 'sms_disable'
+    additional_form_tags 'sms_request'
+    additional_form_tags 'sms_setup'
+    before 'sms_auth'
+    before 'sms_confirm'
+    before 'sms_disable'
+    before 'sms_request'
+    before 'sms_setup'
+    after 'sms_confirm'
+    after 'sms_disable'
+    after 'sms_failure'
+    after 'sms_request'
+    after 'sms_setup'
+    button 'Authenticate via SMS Code', 'sms_auth'
+    button 'Confirm SMS Backup Number', 'sms_confirm'
+    button 'Disable Backup SMS Authentication', 'sms_disable'
+    button 'Send SMS Code', 'sms_request'
+    button 'Setup SMS Backup Number', 'sms_setup'
+    error_flash "Error authenticating via SMS code.", 'sms_invalid_code'
+    error_flash "Error disabling SMS authentication", 'sms_disable'
+    error_flash "Error setting up SMS authentication", 'sms_setup'
+    error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again.", 'sms_invalid_confirmation_code'
+    error_flash "No current SMS code for this account", 'no_current_sms_code'
+    error_flash "SMS authentication has been locked out.", 'sms_lockout'
+    error_flash "SMS authentication has already been setup.", 'sms_already_setup'
+    error_flash "SMS authentication has not been setup yet.", 'sms_not_setup'
+    error_flash "SMS authentication needs confirmation.", 'sms_needs_confirmation'
+    notice_flash "SMS authentication code has been sent.", 'sms_request'
+    notice_flash "SMS authentication has been disabled.", 'sms_disable'
+    notice_flash "SMS authentication has been setup.", 'sms_confirm'
+    redirect :sms_already_setup
+    redirect :sms_confirm
+    redirect :sms_disable
+    redirect(:sms_auth){"#{prefix}/#{sms_auth_route}"}
+    redirect(:sms_needs_confirmation){"#{prefix}/#{sms_confirm_route}"}
+    redirect(:sms_needs_setup){"#{prefix}/#{sms_setup_route}"}
+    redirect(:sms_request){"#{prefix}/#{sms_request_route}"}
+    view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
+    view 'sms-confirm', 'Confirm SMS Backup Number', 'sms_confirm'
+    view 'sms-disable', 'Disable Backup SMS Authentication', 'sms_disable'
+    view 'sms-request', 'Send SMS Code', 'sms_request'
+    view 'sms-setup', 'Setup SMS Backup Number', 'sms_setup'
+    auth_value_method :sms_auth_code_length, 6
+    auth_value_method :sms_code_allowed_seconds, 300
+    auth_value_method :sms_code_column, :code
+    auth_value_method :sms_code_label, 'SMS Code'
+    auth_value_method :sms_code_param, 'sms-code'
+    auth_value_method :sms_codes_table, :account_sms_codes
+    auth_value_method :sms_confirm_code_length, 12
+    auth_value_method :sms_failure_limit, 5
+    auth_value_method :sms_failures_column, :num_failures
+    auth_value_method :sms_id_column, :id
+    auth_value_method :sms_invalid_code_message, "invalid SMS code"
+    auth_value_method :sms_invalid_phone_message, "invalid SMS phone number"
+    auth_value_method :sms_issued_at_column, :code_issued_at
+    auth_value_method :sms_phone_column, :phone_number
+    auth_value_method :sms_phone_label, 'Phone Number'
+    auth_value_method :sms_phone_min_length, 7
+    auth_value_method :sms_phone_param, 'sms-phone'
+    auth_cached_method :sms
+    auth_value_methods(
+      :sms_lockout_redirect,
+      :sms_codes_primary?
+    )
+    auth_methods(
+      :sms_auth_message,
+      :sms_available?,
+      :sms_code_issued_at,
+      :sms_code_match?,
+      :sms_confirm_message,
+      :sms_confirmation_match?,
+      :sms_current_auth?,
+      :sms_disable,
+      :sms_failures,
+      :sms_locked_out?,
+      :sms_needs_confirmation?,
+      :sms_new_auth_code,
+      :sms_new_confirm_code,
+      :sms_normalize_phone,
+      :sms_record_failure,
+      :sms_remove_failures,
+      :sms_send,
+      :sms_set_code,
+      :sms_setup,
+      :sms_setup?,
+      :sms_valid_phone?
+    )
+    route(:sms_request) do |r|
+      require_login
+      require_account_session
+      require_two_factor_not_authenticated
+      require_sms_available
+      before_sms_request_route
+      r.get do
+        sms_request_view
+      end
+      r.post do
+        transaction do
+          before_sms_request
+          sms_send_auth_code
+          after_sms_request
+        end
+        set_notice_flash sms_request_notice_flash
+        redirect sms_auth_redirect
+      end
+    end
+    route(:sms_auth) do |r|
+      require_login
+      require_account_session
+      require_two_factor_not_authenticated
+      require_sms_available
+      unless sms_current_auth?
+        if sms_code
+          sms_set_code(nil)
+        end
+        set_redirect_error_flash no_current_sms_code_error_flash
+        redirect sms_request_redirect
+      end
+      before_sms_auth_route
+      r.get do
+        sms_auth_view
+      end
+      r.post do
+        transaction do
+          if sms_code_match?(param(sms_code_param))
+            before_sms_auth
+            sms_remove_failures
+            two_factor_authenticate(:sms_code)
+          else
+            sms_record_failure
+            after_sms_failure
+          end
+        end
+        set_field_error(sms_code_param, sms_invalid_code_message)
+        set_error_flash sms_invalid_code_error_flash
+        sms_auth_view
+      end
+    end
+    route(:sms_setup) do |r|
+      require_account
+      unless sms_codes_primary?
+        require_two_factor_setup
+        require_two_factor_authenticated
+      end
+      require_sms_not_setup
+      if sms_needs_confirmation?
+        set_redirect_error_flash sms_needs_confirmation_error_flash
+        redirect sms_needs_confirmation_redirect
+      end
+      before_sms_setup_route
+      r.get do
+        sms_setup_view
+      end
+      r.post do
+        catch_error do
+          unless two_factor_password_match?(param(password_param))
+            throw_error(password_param, invalid_password_message)
+          end
+          phone = sms_normalize_phone(param(sms_phone_param))
+          unless sms_valid_phone?(phone)
+            throw_error(sms_phone_param, sms_invalid_phone_message)
+          end
+          transaction do
+            before_sms_setup
+            sms_setup(phone)
+            sms_send_confirm_code
+            after_sms_setup
+          end
+          set_notice_flash sms_needs_confirmation_error_flash
+          redirect sms_needs_confirmation_redirect
+        end
+        set_error_flash sms_setup_error_flash
+        sms_setup_view
+      end
+    end
+    route(:sms_confirm) do |r|
+      require_account
+      unless sms_codes_primary?
+        require_two_factor_setup
+        require_two_factor_authenticated
+      end
+      require_sms_not_setup
+      before_sms_confirm_route
+      r.get do
+        sms_confirm_view
+      end
+      r.post do
+        if sms_confirmation_match?(param(sms_code_param))
+          transaction do
+            before_sms_confirm
+            sms_confirm
+            after_sms_confirm
+            if sms_codes_primary?
+              two_factor_authenticate(:sms_code)
+            end
+          end
+          set_notice_flash sms_confirm_notice_flash
+          redirect sms_confirm_redirect
+        end
+        sms_confirm_failure
+        set_redirect_error_flash sms_invalid_confirmation_code_error_flash
+        redirect sms_needs_setup_redirect
+      end
+    end
+    route(:sms_disable) do |r|
+      require_account
+      require_sms_setup
+      before_sms_disable_route
+      r.get do
+        sms_disable_view
+      end
+      r.post do
+        if two_factor_password_match?(param(password_param))
+          transaction do
+            before_sms_disable
+            sms_disable
+            if sms_codes_primary?
+              two_factor_remove_session
+            end
+            after_sms_disable
+          end
+          set_notice_flash sms_disable_notice_flash
+          redirect sms_disable_redirect
+        end
+        set_field_error(password_param, invalid_password_message)
+        set_error_flash sms_disable_error_flash
+        sms_disable_view
+      end
+    end
+    def two_factor_need_setup_redirect
+      super || (sms_needs_setup_redirect if sms_codes_primary?)
+    end
+    def two_factor_auth_required_redirect
+      super || (sms_request_redirect if sms_codes_primary? && sms_available?)
+    end
+    def two_factor_auth_fallback_redirect
+      sms_available? ? sms_request_redirect : super
+    end
+    def two_factor_remove
+      super
+      sms_disable
+    end
+    def two_factor_remove_auth_failures
+      super
+      sms_remove_failures
+    end
+    def two_factor_authentication_setup?
+      super || (sms_codes_primary? && sms_setup?)
+    end
+    def otp_auth_form_footer
+      "#{super if defined?(super)}#{"<p><a href=\"#{sms_request_route}\">Authenticate using SMS code</a></p>" if sms_available?}"
+    end
+    def otp_lockout_redirect
+      if sms_available?
+        sms_request_redirect
+      else
+        super if defined?(super)
+      end
+    end
+    def otp_lockout_error_flash
+      msg = super if defined?(super)
+      if sms_available?
+         msg = "#{msg} Can use SMS code to unlock."
+      end
+      msg
+    end
+    def otp_remove
+      super if defined?(super)
+      unless sms_codes_primary?
+        sms_disable
+      end
+    end
+    def require_sms_setup
+      unless sms_setup?
+        set_redirect_error_flash sms_not_setup_error_flash
+        redirect sms_needs_setup_redirect
+      end
+    end
+    def require_sms_not_setup
+      if sms_setup?
+        set_redirect_error_flash sms_already_setup_error_flash
+        redirect sms_already_setup_redirect
+      end
+    end
+    def require_sms_available
+      require_sms_setup
+      if sms_locked_out?
+        set_redirect_error_flash sms_lockout_error_flash
+        redirect sms_lockout_redirect
+      end
+    end
+    def sms_code_match?(code)
+      return false unless sms_current_auth?
+      timing_safe_eql?(code, sms_code)
+    end
+    def sms_confirmation_match?(code)
+      sms_needs_confirmation? && sms_code_match?(code)
+    end
+    def sms_disable
+      sms_ds.delete
+      @sms = nil
+      super if defined?(super)
+    end
+    def sms_confirm_failure
+      sms_ds.delete
+    end
+    def sms_setup(phone_number)
+      # Cannot handle uniqueness violation here, as the phone number given may not match the
+      # one in the table.
+      sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number)
+      remove_instance_variable(:@sms) if instance_variable_defined?(:@sms)
+    end
+    def sms_remove_failures
+      update_sms(sms_failures_column => 0, sms_code_column => nil)
+    end
+    def sms_confirm
+      sms_remove_failures
+      super if defined?(super)
+    end
+    def sms_send_auth_code
+      code = sms_new_auth_code
+      sms_set_code(code)
+      sms_send(sms_phone, sms_auth_message(code))
+    end
+    def sms_send_confirm_code
+      code = sms_new_confirm_code
+      sms_set_code(code)
+      sms_send(sms_phone, sms_confirm_message(code))
+    end
+    def sms_valid_phone?(phone)
+      phone.length >= sms_phone_min_length
+    end
+    def sms_lockout_redirect
+      _two_factor_auth_required_redirect
+    end
+    def sms_auth_message(code)
+      "SMS authentication code for #{request.host} is #{code}"
+    end
+    def sms_confirm_message(code)
+      "SMS confirmation code for #{request.host} is #{code}"
+    end
+    def sms_set_code(code)
+     update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
+    end
+    def sms_record_failure
+      update_sms(sms_failures_column=>Sequel.expr(sms_failures_column)+1)
+      sms[sms_failures_column] = sms_ds.get(sms_failures_column)
+    end
+    def sms_phone
+      sms[sms_phone_column]
+    end
+    def sms_code
+      sms[sms_code_column]
+    end
+    def sms_code_issued_at
+      convert_timestamp(sms[sms_issued_at_column])
+    end
+    def sms_failures
+      sms[sms_failures_column]
+    end
+    def sms_setup?
+      return false unless sms
+      !sms_needs_confirmation?
+    end
+    def sms_needs_confirmation?
+      sms && sms_failures.nil?
+    end
+    def sms_available?
+      sms && !sms_needs_confirmation? && !sms_locked_out?
+    end
+    def sms_locked_out?
+      sms_failures >= sms_failure_limit
+    end
+    def sms_current_auth?
+      sms_code && sms_code_issued_at + sms_code_allowed_seconds > Time.now
+    end
+    private
+    def sms_codes_primary?
+      !features.include?(:otp)
+    end
+    def sms_normalize_phone(phone)
+      phone.to_s.gsub(/\D+/, '')
+    end
+    def sms_new_auth_code
+      SecureRandom.random_number(10**sms_auth_code_length).to_s.rjust(sms_auth_code_length, "0")
+    end
+    def sms_new_confirm_code
+      SecureRandom.random_number(10**sms_confirm_code_length).to_s.rjust(sms_confirm_code_length, "0")
+    end
+    def sms_send(phone, message)
+      raise NotImplementedError, "sms_send needs to be defined in the Rodauth configuration for SMS sending to work"
+    end
+    def update_sms(values)
+      update_hash_ds(sms, sms_ds, values)
+    end
+    def _sms
+      sms_ds.first
+    end
+    def sms_ds
+      db[sms_codes_table].where(sms_id_column=>session_value)
+    end
+  end
+end