rodauth 0.10.0 → 1.0.0

data/spec/migrate_travis/001_tables.rb

@@ -0,0 +1,116 @@
+require 'rodauth/migrations'
+
+Sequel.migration do
+  up do
+    extension :date_arithmetic
+
+    create_table(:account_statuses) do
+      Integer :id, :primary_key=>true
+      String :name, :null=>false, :unique=>true
+    end
+    from(:account_statuses).import([:id, :name], [[1, 'Unverified'], [2, 'Verified'], [3, 'Closed']])
+
+    db = self
+    create_table(:accounts) do
+      primary_key :id, :type=>Bignum
+      foreign_key :status_id, :account_statuses, :null=>false, :default=>1
+      if db.database_type == :postgres
+        citext :email, :null=>false
+        constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
+        index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
+      else
+        String :email, :null=>false
+        index :email, :unique=>true
+      end
+
+      String :ph
+    end
+
+    create_table(:account_password_hashes) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :password_hash, :null=>false
+    end
+    Rodauth.create_database_authentication_functions(self)
+
+    deadline_opts = proc do |days|
+      if database_type == :mysql
+        {:null=>false}
+      else
+        {:null=>false, :default=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, :days=>days)}
+      end
+    end
+
+    create_table(:account_password_reset_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
+    create_table(:account_verification_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    create_table(:account_remember_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[14]
+    end
+
+    create_table(:account_login_failures) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      Integer :number, :null=>false, :default=>1
+    end
+    create_table(:account_lockouts) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
+    create_table(:account_password_change_times) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      DateTime :changed_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    create_table(:account_activity_times) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      DateTime :last_activity_at, :null=>false
+      DateTime :last_login_at, :null=>false
+      DateTime :expired_at
+    end
+
+    create_table(:account_session_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+    end
+
+    create_table(:account_otp_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      Integer :num_failures, :null=>false, :default=>0
+      Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    create_table(:account_recovery_codes) do
+      foreign_key :id, :accounts, :type=>Bignum
+      String :code
+      primary_key [:id, :code]
+    end
+
+    create_table(:account_sms_codes) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :phone_number, :null=>false
+      Integer :num_failures
+      String :code
+      DateTime :code_issued_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
+    create_table(:account_previous_password_hashes) do
+      primary_key :id, :type=>Bignum
+      foreign_key :account_id, :accounts, :type=>Bignum
+      String :password_hash, :null=>false
+    end
+    Rodauth.create_database_previous_password_check_functions(self)
+  end
+end

data/spec/password_complexity_spec.rb

@@ -0,0 +1,108 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth password complexity feature' do
+  it "should do additional password complexity checks" do
+    rodauth do
+      enable :login, :change_password, :password_complexity
+      change_password_requires_password? false
+      password_dictionary_file 'spec/words'
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+
+    bad_passwords = [
+      ["minimum 6 characters", %w"a1OX"],
+      ["does not include uppercase letters, lowercase letters, and numbers",
+       %w'sdflksdfl sdflks!fl Sdflksdfl dfl1sdfl DFL1SDFL DFL!SDFL'],
+      ["includes common character sequence",
+       %w"Aqwerty12 Aazerty12 HA123ha HA234ha HA345ha HA456ha HA567ha HA678ha HA789ha HA890ha"],
+      ["contains 3 or more of the same character in a row", %w"Helll0 Hellllll0"],
+      ["is a word in a dictionary", 
+       %w"Password1 1Password1 1PaSSword1 1P@$5w0Rd1 2398|3@$+7809 2|!7+1e l4$7$124 N!88|e56"]
+    ]
+
+
+    bad_passwords.each do |message, passwords|
+      passwords.each do |pass|
+        fill_in 'New Password', :with=>pass
+        fill_in 'Confirm Password', :with=>pass
+        click_button 'Change Password'
+        page.html.must_include("invalid password, does not meet requirements (#{message})")
+        page.find('#error_flash').text.must_equal "There was an error changing your password"
+      end
+    end
+
+    fill_in 'New Password', :with=>'footpassword'
+    fill_in 'Confirm Password', :with=>'footpassword'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+
+  it "should support default dictionary" do
+    default_dictionary = '/usr/share/dict/words'
+    skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
+    password = File.read(default_dictionary).split.sort_by{|w| w.length}.last
+
+    rodauth do
+      enable :login, :change_password, :password_complexity
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>"135#{pass}135"
+    fill_in 'Confirm Password', :with=>"135#{pass}135"
+    click_button 'Change Password'
+    page.html.must_include("invalid password")
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+
+    fill_in 'New Password', :with=>'footpassword'
+    fill_in 'Confirm Password', :with=>'footpassword'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+
+  it "should support no dictionary" do
+    default_dictionary = '/usr/share/dict/words'
+    skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
+    password = File.read(default_dictionary).split.sort_by{|w| w.length}.last
+
+    rodauth do
+      enable :login, :change_password, :password_complexity
+      change_password_requires_password? false
+      password_dictionary_file false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>"password123"
+    fill_in 'Confirm Password', :with=>"password123"
+    click_button 'Change Password'
+    page.html.must_include("invalid password")
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+
+    fill_in 'New Password', :with=>'Password1'
+    fill_in 'Confirm Password', :with=>'Password1'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+end

data/spec/password_expiration_spec.rb

@@ -0,0 +1,243 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth password expiration feature' do
+  it "should force password changes after x number of days" do
+    rodauth do
+      enable :login, :logout, :change_password, :reset_password, :password_expiration
+      allow_password_change_after 1000
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.require_current_password if rodauth.logged_in?
+      r.root{view :content=>""}
+    end
+
+    login(:pass=>'01234567')
+    click_button 'Request Password Reset'
+    link = email_link(/(\/reset-password\?key=.+)$/)
+
+    visit link
+    page.current_path.must_equal '/reset-password'
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>'banana'
+    fill_in 'Confirm Password', :with=>'banana'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
+
+    logout
+
+    visit link
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
+
+    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
+
+    visit link
+    page.current_path.must_equal '/reset-password'
+
+    login(:pass=>'banana')
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    page.current_path.must_equal '/change-password'
+
+    logout
+
+    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
+
+    login(:pass=>'banana')
+    page.current_path.must_equal '/change-password'
+    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
+
+    visit '/foo'
+    page.current_path.must_equal '/change-password'
+    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
+
+    fill_in 'New Password', :with=>'banana2'
+    fill_in 'Confirm Password', :with=>'banana2'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
+
+    logout
+
+    visit link
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
+  end
+
+  it "should update password changed at when creating accounts" do
+    rodauth do
+      enable :login, :change_password, :password_expiration
+      password_expiration_default true
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.require_current_password
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/change-password'
+
+    visit '/'
+    page.current_path.must_equal '/change-password'
+    fill_in 'New Password', :with=>'banana'
+    fill_in 'Confirm Password', :with=>'banana'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+  end
+
+  it "should update password changed at when creating accounts" do
+    rodauth do
+      enable :login, :create_account, :password_expiration
+      allow_password_change_after 1000
+      account_password_hash_column :ph
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+
+    visit '/change-password'
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
+  end
+
+  it "should remove password expiration data when closing accounts" do
+    rodauth do
+      enable :create_account, :close_account, :password_expiration
+      close_account_requires_password? false
+      create_account_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+
+    DB[:account_password_change_times].count.must_equal 1
+    visit '/close-account'
+    click_button 'Close Account'
+    DB[:account_password_change_times].count.must_equal 0
+  end
+
+  it "should handle the case where the password is expired while the user has logged in" do
+    rodauth do
+      enable :login, :change_password, :password_expiration
+      password_expiration_default true
+      change_password_requires_password? false
+      require_password_change_after 100
+    end
+    roda do |r|
+      r.rodauth
+      rodauth.require_current_password
+      r.get("expire/:d"){|d| session[:password_changed_at] = Time.now.to_i - d.to_i; r.redirect '/'}
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/change-password'
+
+    visit '/'
+    page.current_path.must_equal '/change-password'
+    fill_in 'New Password', :with=>'banana'
+    fill_in 'Confirm Password', :with=>'banana'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+
+    visit "/expire/90"
+    page.current_path.must_equal '/'
+
+    visit "/expire/110"
+    page.current_path.must_equal '/change-password'
+  end
+
+  it "should force password changes via jwt" do
+    rodauth do
+      enable :login, :logout, :change_password, :reset_password, :password_expiration
+      allow_password_change_after 1000
+      change_password_requires_password? false
+      reset_password_email_body{reset_password_email_link}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.require_current_password
+      if rodauth.authenticated?
+        [1]
+      else
+        [2]
+      end
+    end
+
+    json_request.must_equal [200, [2]]
+
+    res = json_request('/reset-password-request', :login=>'foo@example.com')
+    res.must_equal [200, {"success"=>"An email has been sent to you with a link to reset the password for your account"}]
+    link = email_link(/key=.+$/)
+
+    json_login
+
+    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    json_request.must_equal [200, [1]]
+
+    res = json_request('/change-password', :password=>'0123456', "new-password"=>'01234567', "password-confirm"=>'01234567')
+    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
+
+    json_logout
+
+    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
+    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
+
+    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
+    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
+    res.must_equal [200, {"success"=>"Your password has been reset"}]
+
+    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
+    json_login(:pass=>'01234567')
+    res = json_request('/change-password', :password=>'01234567', "new-password"=>'012345678', "password-confirm"=>'012345678')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
+
+    json_logout
+    json_request.must_equal [200, [2]]
+
+    res = json_login(:pass=>'012345678', :no_check=>true)
+    res.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
+    json_request.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
+
+    res = json_request('/change-password', :password=>'012345678', "new-password"=>'012345678a', "password-confirm"=>'012345678a')
+    res.must_equal [200, {'success'=>"Your password has been changed"}]
+
+    json_request.must_equal [200, [1]]
+  end
+end