rodauth 0.10.0 → 1.0.0

data/spec/login_spec.rb

@@ -0,0 +1,188 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth login feature' do
+  it "should handle logins and logouts" do
+    rodauth{enable :login, :logout}
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+
+    login(:login=>'foo@example2.com', :visit=>false)
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("no matching login")
+
+    login(:pass=>'012345678', :visit=>false)
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("invalid password")
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.html.must_include("Logged In")
+
+    visit '/logout'
+    page.title.must_equal 'Logout'
+
+    click_button 'Logout'
+    page.find('#notice_flash').text.must_equal 'You have been logged out'
+    page.current_path.must_equal '/login'
+  end
+
+  it "should not allow login to unverified account" do
+    rodauth do
+      enable :login
+      skip_status_checks? false
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In"}
+    end
+
+    DB[:accounts].update(:status_id=>1)
+    login
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("unverified account, please verify account before logging in")
+  end
+
+  it "should handle overriding login action" do
+    rodauth do
+      enable :login
+    end
+    roda do |r|
+      r.post 'login' do
+        if r['login'] == 'apple' && r['password'] == 'banana'
+          session[:user_id] = 'pear'
+          r.redirect '/'
+        end
+        r.redirect '/login'
+      end
+      r.rodauth
+      next unless session[:user_id] == 'pear'
+      r.root{"Logged In"}
+    end
+
+    login(:login=>'appl', :pass=>'banana')
+    page.html.wont_match(/Logged In/)
+
+    login(:login=>'apple', :pass=>'banan', :visit=>false)
+    page.html.wont_match(/Logged In/)
+
+    login(:login=>'apple', :pass=>'banana', :visit=>false)
+    page.current_path.must_equal '/'
+    page.html.must_include("Logged In")
+  end
+
+  it "should handle overriding some login attributes" do
+    rodauth do
+      enable :login
+      account_from_login do |login|
+        DB[:accounts].first if login == 'apple'
+      end
+      password_match? do |password|
+        password == 'banana'
+      end
+      update_session do
+        session[:user_id] = 'pear'
+      end
+      no_matching_login_message "no user"
+      invalid_password_message "bad password"
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:user_id] == 'pear'
+      r.root{"Logged In"}
+    end
+
+    login(:login=>'appl', :pass=>'banana')
+    page.html.must_include("no user")
+
+    login(:login=>'apple', :pass=>'banan', :visit=>false)
+    page.html.must_include("bad password")
+
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.html.must_include("Logged In")
+  end
+
+  it "should handle a prefix and some other login options" do
+    rodauth do
+      enable :login, :logout
+      prefix 'auth'
+      session_key :login_email
+      account_from_session{DB[:accounts].first(:email=>session_value)}
+      account_session_value{account[:email]}
+      login_param{request['lp']}
+      login_additional_form_tags "<input type='hidden' name='lp' value='l' />"
+      password_param 'p'
+      login_redirect{"/foo/#{account[:email]}"}
+      logout_redirect '/auth/lin'
+      login_route 'lin'
+      logout_route 'lout'
+    end
+    no_freeze!
+    roda do |r|
+      r.on 'auth' do
+        r.rodauth
+      end
+      next unless session[:login_email] =~ /example/
+      r.get('foo/:email'){|e| "Logged In: #{e}"}
+    end
+    app.plugin :render, :views=>'spec/views', :engine=>'str'
+
+    visit '/auth/lin?lp=l'
+
+    login(:login=>'foo@example2.com', :visit=>false)
+    page.html.must_include("no matching login")
+
+    login(:pass=>'012345678', :visit=>false)
+    page.html.must_include("invalid password")
+
+    login(:visit=>false)
+    page.current_path.must_equal '/foo/foo@example.com'
+    page.html.must_include("Logged In: foo@example.com")
+
+    visit '/auth/lout'
+    click_button 'Logout'
+    page.current_path.must_equal '/auth/lin'
+  end
+
+  it "should login and logout via jwt" do
+    rodauth do
+      enable :login, :logout
+      jwt_secret{proc{super()}.must_raise ArgumentError; "1"}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.logged_in? ? '1' : '2'
+    end
+
+    json_request.must_equal [200, 2]
+
+    visit '/login'
+    page.status_code.must_equal 400
+    page.body.must_equal "Only JSON format requests are allowed"
+
+    res = json_request("/login", :method=>'GET')
+    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
+
+    res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
+    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
+
+    res = json_request("/login", :login=>'foo@example.com', :password=>'012345678')
+    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+
+    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+    json_request.must_equal [200, 1]
+
+    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
+    json_request.must_equal [200, 2]
+  end
+end

data/spec/migrate/001_tables.rb

@@ -1,5 +1,7 @@
 Sequel.migration do
   up do
+    extension :date_arithmetic
+
     # Used by the account verification and close account features
     create_table(:account_statuses) do
       Integer :id, :primary_key=>true
@@ -7,39 +9,47 @@ Sequel.migration do
     end
     from(:account_statuses).import([:id, :name], [[1, 'Unverified'], [2, 'Verified'], [3, 'Closed']])
 
-    # Used by the create account, account verification,
-    # and close account features.
+    db = self
     create_table(:accounts) do
       primary_key :id, :type=>Bignum
       foreign_key :status_id, :account_statuses, :null=>false, :default=>1
-      citext :email, :null=>false
-
-      constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
-      index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
+      if db.database_type == :postgres
+        citext :email, :null=>false
+        constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
+        index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
+      else
+        String :email, :null=>false
+        index :email, :unique=>true
+      end
+    end
 
-      # Only for testing of account_password_hash_column, not recommended for new
-      # applications
-      String :ph
+    deadline_opts = proc do |days|
+      if database_type == :mysql
+        {:null=>false}
+      else
+        {:null=>false, :default=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, :days=>days)}
+      end
     end
 
     # Used by the password reset feature
     create_table(:account_password_reset_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
       String :key, :null=>false
-      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '1 day'")
+      DateTime :deadline, deadline_opts[1]
     end
 
     # Used by the account verification feature
     create_table(:account_verification_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
       String :key, :null=>false
+      DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     # Used by the remember me feature
     create_table(:account_remember_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
       String :key, :null=>false
-      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '2 weeks'")
+      DateTime :deadline, deadline_opts[14]
     end
 
     # Used by the lockout feature
@@ -50,15 +60,92 @@ Sequel.migration do
     create_table(:account_lockouts) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
       String :key, :null=>false
-      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '1 day'")
+      DateTime :deadline, deadline_opts[1]
+    end
+
+    # Used by the password expiration feature
+    create_table(:account_password_change_times) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      DateTime :changed_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
-    # Grant password user access to reference accounts
-    pw_user = get{Sequel.lit('current_user')} + '_password'
-    run "GRANT REFERENCES ON accounts TO #{pw_user}"
+    # Used by the account expiration feature
+    create_table(:account_activity_times) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      DateTime :last_activity_at, :null=>false
+      DateTime :last_login_at, :null=>false
+      DateTime :expired_at
+    end
+
+    # Used by the single session feature
+    create_table(:account_session_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+    end
+
+    # Used by the otp feature
+    create_table(:account_otp_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      Integer :num_failures, :null=>false, :default=>0
+      Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the recovery codes feature
+    create_table(:account_recovery_codes) do
+      foreign_key :id, :accounts, :type=>Bignum
+      String :code
+      primary_key [:id, :code]
+    end
+
+    # Used by the sms codes feature
+    create_table(:account_sms_codes) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :phone_number, :null=>false
+      Integer :num_failures
+      String :code
+      DateTime :code_issued_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    case database_type
+    when :postgres
+      user = get{Sequel.lit('current_user')} + '_password'
+      run "GRANT REFERENCES ON accounts TO #{user}"
+    when :mysql, :mssql
+      user = if database_type == :mysql
+        get{Sequel.lit('current_user')}.sub(/_password@/, '@')
+      else
+        get{DB_NAME{}}
+      end
+      run "GRANT ALL ON account_statuses TO #{user}"
+      run "GRANT ALL ON accounts TO #{user}"
+      run "GRANT ALL ON account_password_reset_keys TO #{user}"
+      run "GRANT ALL ON account_verification_keys TO #{user}"
+      run "GRANT ALL ON account_remember_keys TO #{user}"
+      run "GRANT ALL ON account_login_failures TO #{user}"
+      run "GRANT ALL ON account_lockouts TO #{user}"
+      run "GRANT ALL ON account_password_change_times TO #{user}"
+      run "GRANT ALL ON account_activity_times TO #{user}"
+      run "GRANT ALL ON account_session_keys TO #{user}"
+      run "GRANT ALL ON account_otp_keys TO #{user}"
+      run "GRANT ALL ON account_recovery_codes TO #{user}"
+      run "GRANT ALL ON account_sms_codes TO #{user}"
+    end
   end
 
   down do
-    drop_table(:account_lockouts, :account_login_failures, :account_remember_keys, :account_verification_keys, :account_password_reset_keys, :accounts, :account_statuses)
+    drop_table(:account_sms_codes,
+               :account_recovery_codes,
+               :account_otp_keys,
+               :account_session_keys,
+               :account_activity_times,
+               :account_password_change_times,
+               :account_lockouts,
+               :account_login_failures,
+               :account_remember_keys,
+               :account_verification_keys,
+               :account_password_reset_keys,
+               :accounts,
+               :account_statuses)
   end
 end

data/spec/migrate/002_account_password_hash_column.rb

@@ -0,0 +1,11 @@
+Sequel.migration do
+  up do
+    # Only for testing of account_password_hash_column, not recommended for new
+    # applications
+    add_column :accounts, :ph, String
+  end
+
+  down do
+    drop_column :accounts, :ph
+  end
+end

data/spec/migrate_password/001_tables.rb

@@ -1,55 +1,73 @@
+require 'rodauth/migrations'
+
 Sequel.migration do
   up do
-    # Used by the login and change password features
     create_table(:account_password_hashes) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
       String :password_hash, :null=>false
     end
+    Rodauth.create_database_authentication_functions(self)
+    case database_type
+    when :postgres
+      user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+      run "REVOKE ALL ON account_password_hashes FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
+      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
+      run "GRANT SELECT(id) ON account_password_hashes TO #{user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{user}"
+    when :mysql
+      user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
+      db_name = get{database{}}
+      run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
+      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
+      run "GRANT SELECT (id) ON account_password_hashes TO #{user}"
+    when :mssql
+      user = get{DB_NAME{}}
+      run "GRANT EXECUTE ON rodauth_get_salt TO #{user}"
+      run "GRANT EXECUTE ON rodauth_valid_password_hash TO #{user}"
+      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
+      run "GRANT SELECT ON account_password_hashes(id) TO #{user}"
+    end
 
-    # Function that returns salt for current password.
-    run <<END
-CREATE OR REPLACE FUNCTION rodauth_get_salt(account_id int8) RETURNS text AS $$
-DECLARE salt text;
-BEGIN
-SELECT substr(password_hash, 0, 30) INTO salt 
-FROM account_password_hashes
-WHERE account_id = id;
-RETURN salt;
-END;
-$$ LANGUAGE plpgsql
-SECURITY DEFINER
-SET search_path = public, pg_temp;
-END
-
-    # Function that checks if password hash is valid for given user.
-    run <<END
-CREATE OR REPLACE FUNCTION rodauth_valid_password_hash(account_id int8, hash text) RETURNS boolean AS $$
-DECLARE valid boolean;
-BEGIN
-SELECT password_hash = hash INTO valid 
-FROM account_password_hashes
-WHERE account_id = id;
-RETURN valid;
-END;
-$$ LANGUAGE plpgsql
-SECURITY DEFINER
-SET search_path = public, pg_temp;
-END
+    # Used by the disallow_password_reuse feature
+    create_table(:account_previous_password_hashes) do
+      primary_key :id, :type=>Bignum
+      foreign_key :account_id, :accounts, :type=>Bignum
+      String :password_hash, :null=>false
+    end
+    Rodauth.create_database_previous_password_check_functions(self)
 
-    # Restrict access to the password hash table
-    app_user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
-    run "REVOKE ALL ON account_password_hashes FROM public"
-    run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
-    run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
-    run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{app_user}"
-    run "GRANT SELECT(id) ON account_password_hashes TO #{app_user}"
-    run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{app_user}"
-    run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{app_user}"
+    case database_type
+    when :postgres
+      user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+      run "REVOKE ALL ON account_previous_password_hashes FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_get_previous_salt(int8) FROM public"
+      run "REVOKE ALL ON FUNCTION rodauth_previous_password_hash_match(int8, text) FROM public"
+      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
+      run "GRANT SELECT(id, account_id) ON account_previous_password_hashes TO #{user}"
+      run "GRANT USAGE ON account_previous_password_hashes_id_seq TO #{user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_get_previous_salt(int8) TO #{user}"
+      run "GRANT EXECUTE ON FUNCTION rodauth_previous_password_hash_match(int8, text) TO #{user}"
+    when :mysql
+      user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
+      db_name = get{database{}}
+      run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
+      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
+      run "GRANT SELECT (id, account_id) ON account_previous_password_hashes TO #{user}"
+    when :mssql
+      user = get{DB_NAME{}}
+      run "GRANT EXECUTE ON rodauth_get_previous_salt TO #{user}"
+      run "GRANT EXECUTE ON rodauth_previous_password_hash_match TO #{user}"
+      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
+      run "GRANT SELECT ON account_previous_password_hashes(id, account_id) TO #{user}"
+    end
   end
 
   down do
-    run "DROP FUNCTION rodauth_get_salt(int8)"
-    run "DROP FUNCTION rodauth_valid_password_hash(int8, text)"
-    drop_table(:account_password_hashes)
+    Rodauth.drop_database_previous_password_check_functions(self)
+    Rodauth.drop_database_authentication_functions(self)
+    drop_table(:account_previous_password_hashes, :account_password_hashes)
   end
 end