rodauth 0.10.0 → 1.0.0

data/spec/verify_account_grace_period_spec.rb

@@ -0,0 +1,135 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth verify_account_grace_period feature' do
+  it "should support grace periods when verifying accounts" do
+    rodauth do
+      enable :login, :logout, :change_password, :create_account, :verify_account_grace_period
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    page.body.must_include('Logged Infalse')
+    page.current_path.must_equal '/'
+
+    logout
+    login(:login=>'foo@example2.com')
+    page.body.must_include('Logged Infalse')
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>'012345678'
+    fill_in 'Confirm Password', :with=>'012345678'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+    DB[:account_verification_keys].update(:requested_at=>Time.now - 100000)
+
+    logout
+    login(:login=>'foo@example2.com', :pass=>'012345678')
+    page.find('#error_flash').text.must_equal 'The account you tried to login with is currently awaiting verification'
+    visit '/'
+    page.body.must_include('Not Logged')
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+  end
+
+  it "should not allow changing logins for unverified accounts" do
+    rodauth do
+      enable :login, :logout, :change_login, :verify_account_grace_period
+      change_login_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+
+    visit '/change-login'
+    page.find('#error_flash').text.must_equal "Cannot change login for unverified account. Please verify this account before changing the login."
+    page.current_path.must_equal '/'
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Confirm Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+    page.current_path.must_equal '/'
+  end
+
+  it "should allow verifying accounts while logged in during grace period" do
+    rodauth do
+      enable :login, :verify_account_grace_period
+      already_logged_in{request.redirect '/'}
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    page.body.must_include('Logged Infalse')
+    page.current_path.must_equal '/'
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+  end
+
+  it "should remove verify keys if closing unverified accounts" do
+    rodauth do
+      enable :login, :close_account, :verify_account_grace_period
+      already_logged_in{request.redirect '/'}
+      close_account_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+
+    visit '/close-account'
+    click_button 'Close Account'
+    page.find('#notice_flash').text.must_equal "Your account has been closed"
+    DB[:account_verification_keys].must_be :empty?
+  end
+end

data/spec/verify_account_spec.rb

@@ -0,0 +1,142 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth verify_account feature' do
+  it "should support verifying accounts" do
+    rodauth do
+      enable :login, :create_account, :verify_account
+      verify_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    login(:login=>'foo@example2.com')
+    page.find('#error_flash').text.must_equal 'The account you tried to login with is currently awaiting verification'
+    page.html.must_include("If you no longer have the email to verify the account, you can request that it be resent to you")
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/login'
+
+    email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Create Account'
+    click_button 'Send Verification Email Again'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/login'
+
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal "invalid verify account key"
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.current_path.must_equal '/'
+
+    login(:login=>'foo@example2.com')
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support autologin when verifying accounts" do
+    rodauth do
+      enable :login, :create_account, :verify_account
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include 'Logged In'
+  end
+
+  it "should handle uniqueness errors raised when inserting verify account token" do
+    rodauth do
+      enable :login, :verify_account
+    end
+    roda do |r|
+      def rodauth.raised_uniqueness_violation(*) super; true; end
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include 'Logged In'
+  end
+
+  it "should support verifying accounts via jwt" do
+    rodauth do
+      enable :login, :create_account, :verify_account
+      verify_account_autologin? false
+      verify_account_email_body{verify_account_email_link}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your account"}]
+    link = email_link(/key=.+$/, 'foo@example2.com')
+
+    res = json_request('/verify-account-resend', :login=>'foo@example.com')
+    res.must_equal [400, {'error'=>"Unable to resend verify account email"}]
+
+    res = json_request('/verify-account-resend', :login=>'foo@example3.com')
+    res.must_equal [400, {'error'=>"Unable to resend verify account email"}]
+
+    res = json_request('/login', :login=>'foo@example2.com',:password=>'0123456789')
+    res.must_equal [400, {'error'=>"The account you tried to login with is currently awaiting verification"}]
+
+    res = json_request('/verify-account-resend', :login=>'foo@example2.com')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your account"}]
+    email_link(/key=.+$/, 'foo@example2.com').must_equal link
+
+    res = json_request('/verify-account')
+    res.must_equal [400, {'error'=>"Unable to verify account"}]
+
+    res = json_request('/verify-account', :key=>link[4...-1])
+    res.must_equal [400, {"error"=>"Unable to verify account"}]
+
+    res = json_request('/verify-account', :key=>link[4..-1])
+    res.must_equal [200, {"success"=>"Your account has been verified"}]
+
+    json_login(:login=>'foo@example2.com')
+  end
+end

data/spec/verify_change_login_spec.rb

@@ -0,0 +1,46 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth verify_change_login feature' do
+  it "should support reverifying accounts after changing logins" do
+    rodauth do
+      enable :login, :verify_change_login
+      change_login_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+
+    visit '/change-login'
+    page.find('#error_flash').text.must_equal "Cannot change login for unverified account. Please verify this account before changing the login."
+    page.current_path.must_equal '/'
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Confirm Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed. An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+    page.body.must_include('Logged Infalse')
+    link2 = email_link(/(\/verify-account\?key=.+)$/, 'foo3@example.com')
+    link2.wont_equal link
+
+    visit link2
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+  end
+end

data/spec/views/login.str

@@ -4,13 +4,13 @@
   <div class="form-group">
     <label class="col-sm-2 control-label" for="login">Login</label>
     <div class="col-sm-10">
-      <input type="text" class="form-control#{' error' if @login_error}" name="l" id="login"/> #{@login_error}
+      <input type="text" class="form-control#{' error' if rodauth.field_error(rodauth.login_param)}" name="l" id="login"/> #{rodauth.field_error(rodauth.login_param)}
     </div>
   </div>
   <div class="form-group">
     <label class="col-sm-2 control-label" for="password">Password</label>
     <div class="col-sm-10">
-      <input type="password" class="form-control#{' error' if @password_error}" name="p" id="password"/> #{@password_error}
+      <input type="password" class="form-control#{' error' if rodauth.field_error(rodauth.password_param)}" name="p" id="password"/> #{rodauth.field_error(rodauth.password_param)}
     </div>
   </div>
   <div class="form-group">

data/templates/add-recovery-codes.str

@@ -0,0 +1,2 @@
+<pre id="recovery-codes">#{rodauth.recovery_codes.map{|s| h s}.join("\n\n")}</pre>
+#{"<h2>Add Additional Recovery Codes</h2>#{rodauth.render('recovery-codes')}" if rodauth.can_add_recovery_codes?}

data/templates/button.str

@@ -0,0 +1,5 @@
+<div class="form-group">
+  <div class="col-sm-offset-2 col-sm-10">
+    <input type="submit" #{"name=\"#{h opts[:name]}\"" if opts[:name]} class="#{h(opts[:class] || 'btn btn-primary')}" value="#{h value}"/>
+  </div>
+</div>

data/templates/change-login.str

@@ -1,22 +1,9 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="change-login-form">
   #{rodauth.change_login_additional_form_tags}
-  #{csrf_tag if respond_to?(:csrf_tag)}
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="login">#{rodauth.login_label}</label>
-    <div class="col-sm-10">
-      <input type="text" class="form-control#{' error' if @login_error}" name="#{rodauth.login_param}" id="login" value="#{h request[rodauth.login_param]}"/> #{@login_error}
-    </div>
-  </div>
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="login-confirm">#{rodauth.login_confirm_label}</label>
-    <div class="col-sm-10">
-      <input type="text" class="form-control" name="#{rodauth.login_confirm_param}" id="login-confirm" value="#{h request[rodauth.login_confirm_param]}"/>
-    </div>
-  </div>
-  <div class="form-group">
-    <div class="col-sm-offset-2 col-sm-10">
-      <input type="submit" class="btn btn-primary" value="#{rodauth.change_login_button}"/>
-    </div>
-  </div>
+  #{rodauth.csrf_tag}
+  #{rodauth.render('login-field')}
+  #{rodauth.render('login-confirm-field') if rodauth.require_login_confirmation?}
+  #{rodauth.render('password-field') if rodauth.change_login_requires_password?}
+  #{rodauth.button(rodauth.change_login_button)}
 </form>
 

data/templates/change-password.str

@@ -1,21 +1,13 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="change-password-form">
   #{rodauth.change_password_additional_form_tags}
-  #{csrf_tag if respond_to?(:csrf_tag)}
+  #{rodauth.csrf_tag}
+  #{rodauth.render('password-field') if rodauth.change_password_requires_password?}
   <div class="form-group">
-    <label class="col-sm-2 control-label" for="password">#{rodauth.password_label}</label>
+    <label class="col-sm-2 control-label" for="new-password">#{rodauth.new_password_label}</label>
     <div class="col-sm-10">
-      <input type="password" class="form-control#{' error' if @password_error}" name="#{rodauth.password_param}" id="password"/> #{@password_error}
-    </div>
-  </div>
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="password-confirm">#{rodauth.password_confirm_label}</label>
-    <div class="col-sm-10">
-      <input type="password" class="form-control" name="#{rodauth.password_confirm_param}" id="password-confirm"/>
-    </div>
-  </div>
-  <div class="form-group">
-    <div class="col-sm-offset-2 col-sm-10">
-      <input type="submit" class="btn btn-primary" value="#{rodauth.change_password_button}"/>
+      <input type="password" class="form-control#{' error' if rodauth.field_error(rodauth.new_password_param)}" name="#{rodauth.new_password_param}" id="new-password"/> #{rodauth.field_error(rodauth.new_password_param)}
     </div>
   </div>
+  #{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}
+  #{rodauth.button(rodauth.change_password_button)}
 </form>

data/templates/close-account.str

@@ -1,9 +1,6 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="close-account-form">
   #{rodauth.close_account_additional_form_tags}
-  #{csrf_tag if respond_to?(:csrf_tag)}
-  <div class="form-group">
-    <div class="col-sm-offset-2 col-sm-10">
-      <input type="submit" class="btn btn-warning" value="#{rodauth.close_account_button}"/>
-    </div>
-  </div>
+  #{rodauth.csrf_tag}
+  #{rodauth.render('password-field') if rodauth.close_account_requires_password?}
+  #{rodauth.button(rodauth.close_account_button, :class=>'btn btn-warning')}
 </form>

data/templates/confirm-password.str

@@ -1,16 +1,6 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="confirm-password-form">
-  #{rodauth.remember_confirm_additional_form_tags}
-  #{csrf_tag if respond_to?(:csrf_tag)}
-  <input type="hidden" name="confirm" value="t" />
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="password">#{rodauth.password_label}</label>
-    <div class="col-sm-10">
-      <input type="password" class="form-control#{' error' if @password_error}" name="#{rodauth.password_param}" id="password"/> #{@password_error}
-    </div>
-  </div>
-  <div class="form-group">
-    <div class="col-sm-offset-2 col-sm-10">
-      <input type="submit" class="btn btn-primary" value="#{rodauth.remember_confirm_button}"/>
-    </div>
-  </div>
+  #{rodauth.confirm_password_additional_form_tags}
+  #{rodauth.csrf_tag}
+  #{rodauth.render('password-field')}
+  #{rodauth.button(rodauth.confirm_password_button)}
 </form>

data/templates/create-account.str

@@ -1,33 +1,9 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="create-account-form">
   #{rodauth.create_account_additional_form_tags}
-  #{csrf_tag if respond_to?(:csrf_tag)}
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="login">#{rodauth.login_label}</label>
-    <div class="col-sm-10">
-      <input type="text" class="form-control#{' error' if @login_error}" name="#{rodauth.login_param}" id="login" value="#{h request[rodauth.login_param]}"/> #{@login_error}
-    </div>
-  </div>
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="login-confirm">#{rodauth.login_confirm_label}</label>
-    <div class="col-sm-10">
-      <input type="text" class="form-control" name="login-confirm" id="#{rodauth.login_confirm_param}" value="#{h request[rodauth.login_confirm_param]}"/>
-    </div>
-  </div>
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="password">#{rodauth.password_label}</label>
-    <div class="col-sm-10">
-      <input type="password" class="form-control#{' error' if @password_error}" name="#{rodauth.password_param}" id="password"/> #{@password_error}
-    </div>
-  </div>
-  <div class="form-group">
-    <label class="col-sm-2 control-label" for="password-confirm">#{rodauth.password_confirm_label}</label>
-    <div class="col-sm-10">
-      <input type="password" class="form-control" name="#{rodauth.password_confirm_param}" id="password-confirm"/>
-    </div>
-  </div>
-  <div class="form-group">
-    <div class="col-sm-offset-2 col-sm-10">
-      <input type="submit" class="btn btn-primary" value="#{rodauth.create_account_button}"/>
-    </div>
-  </div>
+  #{rodauth.csrf_tag}
+  #{rodauth.render('login-field')}
+  #{rodauth.render('login-confirm-field') if rodauth.require_login_confirmation?}
+  #{rodauth.render('password-field')}
+  #{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}
+  #{rodauth.button(rodauth.create_account_button)}
 </form>