rodauth 0.10.0 → 1.0.0

data/lib/rodauth/migrations.rb

@@ -0,0 +1,130 @@
+# frozen-string-literal: true
+
+module Rodauth
+  def self.create_database_authentication_functions(db, opts={})
+    table_name = opts[:table_name] || :account_password_hashes
+    get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
+    case db.database_type
+    when :postgres
+      db.run <<END
+CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id int8) RETURNS text AS $$
+DECLARE salt text;
+BEGIN
+SELECT substr(password_hash, 0, 30) INTO salt 
+FROM #{table_name}
+WHERE acct_id = id;
+RETURN salt;
+END;
+$$ LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public, pg_temp;
+END
+
+      db.run <<END
+CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id int8, hash text) RETURNS boolean AS $$
+DECLARE valid boolean;
+BEGIN
+SELECT password_hash = hash INTO valid 
+FROM #{table_name}
+WHERE acct_id = id;
+RETURN valid;
+END;
+$$ LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public, pg_temp;
+END
+    when :mysql
+      db.run <<END
+CREATE FUNCTION #{get_salt_name}(acct_id int8) RETURNS varchar(255)
+SQL SECURITY DEFINER
+READS SQL DATA
+BEGIN
+DECLARE salt varchar(255);
+DECLARE csr CURSOR FOR
+SELECT substr(password_hash, 1, 30)
+FROM #{table_name}
+WHERE acct_id = id;
+OPEN csr;
+FETCH csr INTO salt;
+CLOSE csr;
+RETURN salt;
+END;
+END
+
+      db.run <<END
+CREATE FUNCTION #{valid_hash_name}(acct_id int8, hash varchar(255)) RETURNS tinyint(1)
+SQL SECURITY DEFINER
+READS SQL DATA
+BEGIN
+DECLARE valid tinyint(1);
+DECLARE csr CURSOR FOR 
+SELECT password_hash = hash
+FROM #{table_name}
+WHERE acct_id = id;
+OPEN csr;
+FETCH csr INTO valid;
+CLOSE csr;
+RETURN valid;
+END;
+END
+    when :mssql
+      db.run <<END
+CREATE FUNCTION #{get_salt_name}(@account_id bigint) RETURNS nvarchar(255)
+WITH EXECUTE AS OWNER
+AS
+BEGIN
+DECLARE @salt nvarchar(255);
+SELECT @salt = substring(password_hash, 0, 30)
+FROM #{table_name}
+WHERE id = @account_id;
+RETURN @salt;
+END;
+END
+
+      db.run <<END
+CREATE FUNCTION #{valid_hash_name}(@account_id bigint, @hash nvarchar(255)) RETURNS bit
+WITH EXECUTE AS OWNER
+AS
+BEGIN
+DECLARE @valid bit;
+DECLARE @ph nvarchar(255);
+SELECT @ph = password_hash
+FROM #{table_name}
+WHERE id = @account_id;
+IF(@hash = @ph)
+  SET @valid = 1;
+ELSE
+  SET @valid = 0
+RETURN @valid;
+END;
+END
+    end
+  end
+
+  def self.drop_database_authentication_functions(db)
+    case db.database_type
+    when :postgres
+      db.run "DROP FUNCTION rodauth_get_salt(int8)"
+      db.run "DROP FUNCTION rodauth_valid_password_hash(int8, text)"
+    when :mysql, :mssql
+      db.run "DROP FUNCTION rodauth_get_salt"
+      db.run "DROP FUNCTION rodauth_valid_password_hash"
+    end
+  end
+
+  def self.create_database_previous_password_check_functions(db)
+    create_database_authentication_functions(db, :table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match)
+  end
+
+  def self.drop_database_previous_password_check_functions(db)
+    case db.database_type
+    when :postgres
+      db.run "DROP FUNCTION rodauth_get_previous_salt(int8)"
+      db.run "DROP FUNCTION rodauth_previous_password_hash_match(int8, text)"
+    when :mysql, :mssql
+      db.run "DROP FUNCTION rodauth_get_previous_salt"
+      db.run "DROP FUNCTION rodauth_previous_password_hash_match"
+    end
+  end
+end

data/lib/rodauth/version.rb

@@ -0,0 +1,9 @@
+# frozen-string-literal: true
+
+module Rodauth
+  VERSION = '1.0.0'.freeze
+
+  def self.version
+    VERSION
+  end
+end

data/spec/account_expiration_spec.rb

@@ -0,0 +1,90 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth account expiration feature' do
+  it "should force account expiration after x number of days" do
+    rodauth do
+      enable :login, :logout, :account_expiration
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.last_account_login_at.strftime('%m%d%y')}" : "Not Logged"}
+    end
+
+    now = Time.now
+    2.times do
+      login
+      page.body.must_include "Logged In#{now.strftime('%m%d%y')}"
+
+      logout
+    end
+
+    DB[:account_activity_times].update(:last_login_at => Time.now - 181*86400)
+
+    2.times do
+      login
+      page.body.must_include 'Not Logged'
+      page.find('#error_flash').text.must_equal "You cannot log into this account as it has expired"
+    end
+  end
+
+  it "should use last activity time if configured" do
+    rodauth do
+      enable :login, :logout, :account_expiration
+      expire_account_on_last_activity? true
+      account_expiration_error_flash{"Account expired on #{account_expired_at.strftime('%m%d%y')}"}
+    end
+    roda do |r|
+      r.is("a"){view :content=>"Logged In#{rodauth.last_account_activity_at.strftime('%m%d%y')}"}
+      rodauth.update_last_activity
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.last_account_activity_at.strftime('%m%d%y')}" : 'Not Logged'}
+    end
+
+    now = Time.now
+    login
+    page.body.must_include "Logged In#{now.strftime('%m%d%y')}"
+
+    DB[:account_activity_times].count.must_equal 1
+    DB[:account_activity_times].delete
+
+    visit '/'
+    DB[:account_activity_times].count.must_equal 1
+
+    t1 = now - 179*86400
+    DB[:account_activity_times].update(:last_activity_at => t1)
+    visit '/a'
+    page.body.must_include "Logged In#{t1.strftime('%m%d%y')}"
+
+    logout
+
+    t2 = now - 181*86400
+    DB[:account_activity_times].update(:last_activity_at => t2).must_equal 1
+
+    login
+    page.body.must_include 'Not Logged'
+    page.find('#error_flash').text.must_equal "Account expired on #{now.strftime('%m%d%y')}"
+
+    DB[:account_activity_times].update(:expired_at=>t1).must_equal 1
+
+    login
+    page.body.must_include 'Not Logged'
+    page.find('#error_flash').text.must_equal "Account expired on #{t1.strftime('%m%d%y')}"
+  end
+
+  it "should remove account activity data when closing accounts" do
+    rodauth do
+      enable :login, :close_account, :account_expiration
+      close_account_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.last_account_login_at.strftime('%m%d%y')}" : "Not Logged"}
+    end
+
+    login
+    DB[:account_activity_times].count.must_equal 1
+    visit '/close-account'
+    click_button 'Close Account'
+    DB[:account_activity_times].count.must_equal 0
+  end
+end

data/spec/all.rb

@@ -0,0 +1 @@
+Dir['./spec/*_spec.rb'].each{|f| require f}

data/spec/change_login_spec.rb

@@ -0,0 +1,149 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth change_login feature' do
+  it "should support changing logins for accounts" do
+    DB[:accounts].insert(:email=>'foo2@example.com')
+    require_password = false
+    require_email = true
+
+    rodauth do
+      enable :login, :logout, :change_login
+      change_login_requires_password?{require_password}
+      require_email_address_logins?{require_email}
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-login'
+    page.title.must_equal 'Change Login'
+
+    fill_in 'Login', :with=>'foobar'
+    fill_in 'Confirm Login', :with=>'foobar'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid login, not a valid email address")
+    page.current_path.must_equal '/change-login'
+
+    require_email = false
+
+    fill_in 'Login', :with=>'fb'
+    fill_in 'Confirm Login', :with=>'fb'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid login, minimum 3 characters")
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("logins do not match")
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid login, already an account with this login")
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Confirm Login', :with=>'foo@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid login, same as current login")
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Confirm Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+    page.current_path.must_equal '/'
+
+    logout
+    login(:login=>'foo3@example.com')
+    page.current_path.must_equal '/'
+
+    require_password = true
+    visit '/change-login'
+    fill_in 'Password', :with=>'012345678'
+    fill_in 'Login', :with=>'foo4@example.com'
+    fill_in 'Confirm Login', :with=>'foo4@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_include("invalid password")
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+    page.current_path.must_equal '/'
+
+    logout
+    login(:login=>'foo4@example.com')
+    page.current_path.must_equal '/'
+  end
+
+  it "should support changing logins for accounts with login confirmation" do
+    rodauth do
+      enable :login, :change_login
+      change_login_requires_password? false
+      require_login_confirmation? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+  end
+
+  it "should support changing logins via jwt" do
+    DB[:accounts].insert(:email=>'foo2@example.com')
+    require_password = false
+
+    rodauth do
+      enable :login, :logout, :change_login
+      change_login_requires_password?{require_password}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    json_login
+
+    res = json_request('/change-login', :login=>'foobar', "login-confirm"=>'foobar')
+    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, not a valid email address"]}]
+
+    res = json_request('/change-login', :login=>'foo@example.com', "login-confirm"=>'foo2@example.com')
+    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "logins do not match"]}]
+
+    res = json_request('/change-login', :login=>'foo2@example.com', "login-confirm"=>'foo2@example.com')
+    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, already an account with this login"]}]
+
+    res = json_request('/change-login', :login=>'foo3@example.com', "login-confirm"=>'foo3@example.com')
+    res.must_equal [200, {'success'=>"Your login has been changed"}]
+
+    json_logout
+    json_login(:login=>'foo3@example.com')
+
+    require_password = true
+
+    res = json_request('/change-login', :login=>'foo4@example.com', "login-confirm"=>'foo4@example.com', :password=>'012345678')
+    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["password", "invalid password"]}]
+
+    res = json_request('/change-login', :login=>'foo4@example.com', "login-confirm"=>'foo4@example.com', :password=>'0123456789')
+    res.must_equal [200, {'success'=>"Your login has been changed"}]
+
+    json_logout
+    json_login(:login=>'foo4@example.com')
+  end
+end

data/spec/change_password_spec.rb

@@ -0,0 +1,177 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth change_password feature' do
+  [false, true].each do |ph|
+    it "should support changing passwords for accounts #{'with account_password_hash_column' if ph}" do
+      require_password = true
+      rodauth do
+        enable :login, :logout, :change_password
+        account_password_hash_column :ph if ph
+        change_password_requires_password?{require_password}
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      login
+      page.current_path.must_equal '/'
+
+      visit '/change-password'
+      page.title.must_equal 'Change Password'
+
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'New Password', :with=>'0123456'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Change Password'
+      page.html.must_include("passwords do not match")
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+      page.current_path.must_equal '/change-password'
+
+      fill_in 'Password', :with=>'0123456'
+      fill_in 'New Password', :with=>'0123456'
+      fill_in 'Confirm Password', :with=>'0123456'
+      click_button 'Change Password'
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+      page.body.must_include 'invalid password'
+      page.current_path.must_equal '/change-password'
+
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'New Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Change Password'
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+      page.body.must_include 'invalid password, same as current password'
+      page.current_path.must_equal '/change-password'
+
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'New Password', :with=>'0123456'
+      fill_in 'Confirm Password', :with=>'0123456'
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+      page.current_path.must_equal '/'
+
+      logout
+      login
+      page.html.must_include("invalid password")
+      page.current_path.must_equal '/login'
+
+      fill_in 'Password', :with=>'0123456'
+      click_button 'Login'
+      page.current_path.must_equal '/'
+
+      require_password = false
+      visit '/change-password'
+      fill_in 'New Password', :with=>'012345678'
+      fill_in 'Confirm Password', :with=>'012345678'
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+      page.current_path.must_equal '/'
+
+      login(:pass=>'012345678')
+      page.current_path.must_equal '/'
+    end
+  end
+
+  it "should support changing passwords for accounts without confirmation" do
+    rodauth do
+      enable :login, :change_password
+      modifications_require_password? false
+      require_password_confirmation? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    visit '/change-password'
+    fill_in 'New Password', :with=>'012345678'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+
+  it "should support setting requirements for passwords" do
+    rodauth do
+      enable :login, :create_account, :change_password
+      create_account_autologin? false
+      password_meets_requirements? do |password|
+        password =~ /banana/
+      end
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple'
+    fill_in 'Confirm Password', :with=>'apple'
+    click_button 'Create Account'
+    page.html.must_include("invalid password, does not meet requirements")
+    page.find('#error_flash').text.must_equal "There was an error creating your account"
+    page.current_path.must_equal '/create-account'
+
+    fill_in 'Password', :with=>'banana'
+    fill_in 'Confirm Password', :with=>'banana'
+    click_button 'Create Account'
+
+    login(:login=>'foo2@example.com', :pass=>'banana')
+
+    visit '/change-password'
+    fill_in 'Password', :with=>'banana'
+    fill_in 'New Password', :with=>'apple'
+    fill_in 'Confirm Password', :with=>'apple'
+    click_button 'Change Password'
+    page.html.must_include("invalid password, does not meet requirements")
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+    page.current_path.must_equal '/change-password'
+
+    fill_in 'Password', :with=>'banana'
+    fill_in 'New Password', :with=>'my_banana_3'
+    fill_in 'Confirm Password', :with=>'my_banana_3'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support changing passwords for accounts via jwt" do
+    require_password = true
+    rodauth do
+      enable :login, :logout, :change_password
+      change_password_requires_password?{require_password}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    json_login
+
+    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "passwords do not match"]}]
+
+    res = json_request('/change-password', :password=>'0123456', "new-password"=>'0123456', "password-confirm"=>'0123456')
+    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["password", "invalid password"]}]
+
+    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "invalid password, same as current password"]}]
+
+    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    json_logout
+    res = json_login(:no_check=>true)
+    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+
+    json_login(:pass=>'0123456')
+
+    require_password = false
+
+    res = json_request('/change-password', "new-password"=>'012345678', "password-confirm"=>'012345678')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    json_logout
+    json_login(:pass=>'012345678')
+  end
+end