rodauth 0.10.0 → 1.0.0

data/lib/rodauth/features/two_factor_base.rb

@@ -0,0 +1,135 @@
+# frozen-string-literal: true
+
+module Rodauth
+  TwoFactorBase = Feature.define(:two_factor_base) do
+    after :two_factor_authentication
+
+    redirect :two_factor_auth
+    redirect :two_factor_already_authenticated
+
+    notice_flash "You have been authenticated via 2nd factor", "two_factor_auth"
+
+    error_flash "This account has not been setup for two factor authentication", 'two_factor_not_setup'
+    error_flash "Already authenticated via 2nd factor", 'two_factor_already_authenticated'
+    error_flash "You need to authenticate via 2nd factor before continuing.", 'two_factor_need_authentication'
+
+    auth_value_method :two_factor_session_key, :two_factor_auth
+    auth_value_method :two_factor_setup_session_key, :two_factor_auth_setup
+    auth_value_method :two_factor_need_setup_redirect, nil
+
+    auth_value_methods(
+      :two_factor_auth_required_redirect,
+      :two_factor_modifications_require_password?
+    )
+
+    auth_methods(
+      :two_factor_authenticated?,
+      :two_factor_remove,
+      :two_factor_remove_auth_failures,
+      :two_factor_remove_session,
+      :two_factor_update_session
+    )
+
+    def two_factor_modifications_require_password?
+      modifications_require_password?
+    end
+
+    def authenticated?
+      super
+      two_factor_authenticated? if two_factor_authentication_setup?
+    end
+
+    def require_authentication
+      super
+      require_two_factor_authenticated if two_factor_authentication_setup?
+    end
+
+    def require_two_factor_setup
+      unless uses_two_factor_authentication?
+        set_redirect_error_flash two_factor_not_setup_error_flash
+        redirect two_factor_need_setup_redirect
+      end
+    end
+    
+    def require_two_factor_not_authenticated
+      if two_factor_authenticated?
+        set_redirect_error_flash two_factor_already_authenticated_error_flash
+        redirect two_factor_already_authenticated_redirect
+      end
+    end
+
+    def require_two_factor_authenticated
+      unless two_factor_authenticated?
+        set_redirect_error_flash two_factor_need_authentication_error_flash
+        redirect _two_factor_auth_required_redirect
+      end
+    end
+
+    def two_factor_remove_auth_failures
+      nil
+    end
+
+    def two_factor_auth_required_redirect
+      nil
+    end
+
+    def two_factor_auth_fallback_redirect
+      nil
+    end
+
+    def two_factor_password_match?(password)
+      if two_factor_modifications_require_password?
+        password_match?(password)
+      else
+        true
+      end
+    end
+
+    def two_factor_authenticated?
+      !!session[two_factor_session_key]
+    end
+
+    def two_factor_authentication_setup?
+      false
+    end
+
+    def uses_two_factor_authentication?
+      return false unless logged_in?
+      session[two_factor_setup_session_key] = two_factor_authentication_setup? unless session.has_key?(two_factor_setup_session_key)
+      session[two_factor_setup_session_key]
+    end
+
+    def two_factor_remove
+      nil
+    end
+
+    private
+
+    def after_close_account
+      super if defined?(super)
+      two_factor_remove
+    end
+
+    def two_factor_authenticate(type)
+      two_factor_update_session(type)
+      two_factor_remove_auth_failures
+      after_two_factor_authentication
+      set_notice_flash two_factor_auth_notice_flash
+      redirect two_factor_auth_redirect
+    end
+
+    def two_factor_remove_session
+      session.delete(two_factor_session_key)
+      session[two_factor_setup_session_key] = false
+    end
+
+    def two_factor_update_session(type)
+      session[two_factor_session_key] = type
+      session[two_factor_setup_session_key] = true
+    end
+
+    def _two_factor_auth_required_redirect
+      two_factor_auth_required_redirect || two_factor_auth_fallback_redirect || default_redirect
+    end
+  end
+end

data/lib/rodauth/features/verify_account.rb

@@ -0,0 +1,232 @@
+# frozen-string-literal: true
+
+module Rodauth
+  VerifyAccount = Feature.define(:verify_account) do
+    depends :login, :create_account, :email_base
+
+    error_flash "Unable to verify account"
+    error_flash "Unable to resend verify account email", 'verify_account_resend'
+    notice_flash "Your account has been verified"
+    notice_flash "An email has been sent to you with a link to verify your account", 'verify_account_email_sent'
+    view 'verify-account', 'Verify Account'
+    view 'verify-account-resend', 'Resend Verification Email', 'resend_verify_account'
+    additional_form_tags
+    additional_form_tags 'verify_account_resend'
+    after
+    after 'verify_account_email_resend'
+    before
+    before 'verify_account_email_resend'
+    button 'Verify Account'
+    button 'Send Verification Email Again', 'verify_account_resend'
+    redirect
+    redirect(:verify_account_email_sent){require_login_redirect}
+
+    auth_value_method :no_matching_verify_account_key_message, "invalid verify account key"
+    auth_value_method :attempt_to_create_unverified_account_notice_message, "The account you tried to create is currently awaiting verification"
+    auth_value_method :attempt_to_login_to_unverified_account_notice_message, "The account you tried to login with is currently awaiting verification"
+    auth_value_method :verify_account_email_subject, 'Verify Account'
+    auth_value_method :verify_account_key_param, 'key'
+    auth_value_method :verify_account_autologin?, true
+    auth_value_method :verify_account_table, :account_verification_keys
+    auth_value_method :verify_account_id_column, :id
+    auth_value_method :verify_account_key_column, :key
+
+    auth_value_methods :verify_account_key_value
+
+    auth_methods(
+      :create_verify_account_key,
+      :create_verify_account_email,
+      :get_verify_account_key,
+      :remove_verify_account_key,
+      :resend_verify_account_view,
+      :send_verify_account_email,
+      :verify_account,
+      :verify_account_email_body,
+      :verify_account_email_link,
+      :verify_account_key_insert_hash
+    )
+
+    auth_private_methods(
+      :account_from_verify_account_key
+    )
+
+    route(:verify_account_resend) do |r|
+      verify_account_check_already_logged_in
+      before_verify_account_resend_route
+
+      r.post do
+        if account_from_login(param(login_param)) && !open_account?
+          before_verify_account_email_resend
+          if verify_account_email_resend
+            after_verify_account_email_resend
+          end
+
+          set_notice_flash verify_account_email_sent_notice_flash
+        else
+          set_redirect_error_flash verify_account_resend_error_flash
+        end
+        
+        redirect verify_account_email_sent_redirect
+      end
+    end
+
+    route do |r|
+      verify_account_check_already_logged_in
+      before_verify_account_route
+
+      r.get do
+        if key = param_or_nil(verify_account_key_param)
+          if account_from_verify_account_key(key)
+            verify_account_view
+          else
+            set_redirect_error_flash no_matching_verify_account_key_message
+            redirect require_login_redirect
+          end
+        end
+      end
+
+      r.post do
+        key = param(verify_account_key_param)
+        unless account_from_verify_account_key(key)
+          set_redirect_error_flash verify_account_error_flash
+          redirect verify_account_redirect
+        end
+
+        transaction do
+          before_verify_account
+          verify_account
+          remove_verify_account_key
+          after_verify_account
+        end
+
+        if verify_account_autologin?
+          update_session
+        end
+
+        set_notice_flash verify_account_notice_flash
+        redirect verify_account_redirect
+      end
+    end
+
+    def remove_verify_account_key
+      verify_account_ds.delete
+    end
+
+    def verify_account
+      update_account(account_status_column=>account_open_status_value) == 1
+    end
+
+    def verify_account_email_resend
+      if @verify_account_key_value = get_verify_account_key(account_id)
+        send_verify_account_email
+        true
+      end
+    end
+
+    def create_account_notice_flash
+      verify_account_email_sent_notice_flash
+    end
+
+    def new_account(login)
+      if account_from_login(login)
+        set_error_flash attempt_to_create_unverified_account_notice_message
+        response.write resend_verify_account_view
+        request.halt
+      end
+      super
+    end
+
+    def account_from_verify_account_key(key)
+      @account = _account_from_verify_account_key(key)
+    end
+
+    def account_initial_status_value
+      account_unverified_status_value
+    end
+
+    def send_verify_account_email
+      create_verify_account_email.deliver!
+    end
+
+    def verify_account_email_link
+      token_link(verify_account_route, verify_account_key_param, verify_account_key_value)
+    end
+
+    def get_verify_account_key(id)
+      verify_account_ds(id).get(verify_account_key_column)
+    end
+
+    def skip_status_checks?
+      false
+    end
+
+    def create_account_autologin?
+      false
+    end
+
+    private
+
+    attr_reader :verify_account_key_value
+
+    def before_login_attempt
+      unless open_account?
+        set_error_flash attempt_to_login_to_unverified_account_notice_message
+        response.write resend_verify_account_view
+        request.halt
+      end
+      super
+    end
+
+    def after_create_account
+      setup_account_verification
+      super
+    end
+
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
+
+    def verify_account_check_already_logged_in
+      check_already_logged_in
+    end
+
+    def generate_verify_account_key_value
+      @verify_account_key_value = random_key
+    end
+
+    def create_verify_account_key
+      ds = verify_account_ds
+      transaction do
+        if ds.empty?
+          if e = raised_uniqueness_violation{ds.insert(verify_account_key_insert_hash)}
+            # If inserting into the verify account table causes a violation, we can pull the 
+            # key from the verify account table, or reraise.
+            raise e unless @verify_account_key_value = get_verify_account_key(account_id)
+          end
+        end
+      end
+    end
+
+    def verify_account_key_insert_hash
+      {verify_account_id_column=>account_id, verify_account_key_column=>verify_account_key_value}
+    end
+
+    def create_verify_account_email
+      create_email(verify_account_email_subject, verify_account_email_body)
+    end
+
+    def verify_account_email_body
+      render('verify-account-email')
+    end
+
+    def verify_account_ds(id=account_id)
+      db[verify_account_table].where(verify_account_id_column=>id)
+    end
+
+    def _account_from_verify_account_key(token)
+      account_from_key(token, account_unverified_status_value){|id| get_verify_account_key(id)}
+    end
+  end
+end

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -0,0 +1,76 @@
+# frozen-string-literal: true
+
+module Rodauth
+  VerifyAccountGracePeriod = Feature.define(:verify_account_grace_period) do
+    depends :verify_account
+    error_flash "Cannot change login for unverified account. Please verify this account before changing the login.", "unverified_change_login"
+    redirect :unverified_change_login
+
+    auth_value_method :verification_requested_at_column, :requested_at
+    auth_value_method :unverified_account_session_key, :unverified_account
+    auth_value_method :verify_account_grace_period, 86400
+
+    auth_methods(
+      :account_in_unverified_grace_period?
+    )
+
+    def verified_account?
+      logged_in? && !session[unverified_account_session_key]
+    end
+
+    def create_account_autologin?
+      true
+    end
+
+    def open_account?
+      super || account_in_unverified_grace_period?
+    end
+
+    private
+
+    def after_close_account
+      super if defined?(super)
+      verify_account_ds.delete
+    end
+    
+    def before_change_login_route
+      unless verified_account?
+        set_redirect_error_flash unverified_change_login_error_flash
+        redirect unverified_change_login_redirect
+      end
+      super if defined?(super)
+    end
+
+    def verify_account_check_already_logged_in
+      nil
+    end
+
+    def account_session_status_filter
+      s = super
+      if verify_account_grace_period
+        grace_period_ds = db[verify_account_table].
+          select(verify_account_id_column).
+          where((Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP))
+        s = Sequel.|(s, Sequel.expr(account_status_column=>account_unverified_status_value) & {account_id_column => grace_period_ds})
+      end
+      s
+    end
+
+    def update_session
+      super
+      if account_in_unverified_grace_period?
+        session[unverified_account_session_key] = true
+      end
+    end
+
+    def account_in_unverified_grace_period?
+      account[account_status_column] == account_unverified_status_value &&
+        verify_account_grace_period &&
+        !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?
+    end
+
+    def use_date_arithmetic?
+      true
+    end
+  end
+end

data/lib/rodauth/features/verify_change_login.rb

@@ -0,0 +1,20 @@
+# frozen-string-literal: true
+
+module Rodauth
+  VerifyChangeLogin = Feature.define(:verify_change_login) do
+    depends :change_login, :verify_account_grace_period
+
+    def change_login_notice_flash
+      "#{super}. #{verify_account_email_sent_notice_flash}"
+    end
+
+    private
+
+    def after_change_login
+      super
+      update_account(account_status_column=>account_unverified_status_value)
+      setup_account_verification
+      session[unverified_account_session_key] = true
+    end
+  end
+end