rodauth 0.10.0 → 1.0.0

data/lib/rodauth/features/change_login.rb

@@ -0,0 +1,77 @@
+# frozen-string-literal: true
+
+module Rodauth
+  ChangeLogin = Feature.define(:change_login) do
+    depends :login_password_requirements_base
+
+    notice_flash 'Your login has been changed'
+    error_flash 'There was an error changing your login'
+    view 'change-login', 'Change Login'
+    after
+    before
+    additional_form_tags
+    button 'Change Login'
+    redirect
+
+    auth_value_methods :change_login_requires_password?
+
+    auth_methods :change_login
+
+    route do |r|
+      require_account
+      before_change_login_route
+
+      r.get do
+        change_login_view
+      end
+
+      r.post do
+        catch_error do
+          if change_login_requires_password? && !password_match?(param(password_param))
+            throw_error(password_param, invalid_password_message)
+          end
+
+          login = param(login_param)
+          unless login_meets_requirements?(login)
+            throw_error(login_param, login_does_not_meet_requirements_message)
+          end
+
+          if require_login_confirmation? && login != param(login_confirm_param)
+            throw_error(login_param, logins_do_not_match_message)
+          end
+
+          transaction do
+            before_change_login
+            unless change_login(login)
+              throw_error(login_param, login_does_not_meet_requirements_message)
+            end
+
+            after_change_login
+            set_notice_flash change_login_notice_flash
+            redirect change_login_redirect
+          end
+        end
+
+        set_error_flash change_login_error_flash
+        change_login_view
+      end
+    end
+
+    def change_login_requires_password?
+      modifications_require_password?
+    end
+
+    def change_login(login)
+      updated = nil
+      if account_ds.get(login_column).downcase == login.downcase
+        @login_requirement_message = 'same as current login'
+        return false
+      end
+      raised = raises_uniqueness_violation?{updated = update_account({login_column=>login}, account_ds.exclude(login_column=>login)) == 1}
+      if raised
+        @login_requirement_message = 'already an account with this login'
+      end
+      updated && !raised
+    end
+  end
+end

data/lib/rodauth/features/change_password.rb

@@ -0,0 +1,66 @@
+# frozen-string-literal: true
+
+module Rodauth
+  ChangePassword = Feature.define(:change_password) do
+    depends :login_password_requirements_base
+
+    notice_flash 'Your password has been changed'
+    error_flash 'There was an error changing your password'
+    view 'change-password', 'Change Password'
+    after
+    before
+    additional_form_tags
+    button 'Change Password'
+    redirect
+
+    auth_value_method :new_password_label, 'New Password'
+    auth_value_method :new_password_param, 'new-password'
+
+    auth_value_methods :change_password_requires_password?
+
+    route do |r|
+      require_account
+      before_change_password_route
+
+      r.get do
+        change_password_view
+      end
+
+      r.post do
+        catch_error do
+          if change_password_requires_password? && !password_match?(param(password_param))
+            throw_error(password_param, invalid_password_message)
+          end
+
+          password = param(new_password_param)
+          if require_password_confirmation? && password != param(password_confirm_param)
+            throw_error(new_password_param, passwords_do_not_match_message)
+          end
+
+          if password_match?(password) 
+            throw_error(new_password_param, same_as_existing_password_message)
+          end
+
+          unless password_meets_requirements?(password)
+            throw_error(new_password_param, password_does_not_meet_requirements_message)
+          end
+
+          transaction do
+            before_change_password
+            set_password(password)
+            after_change_password
+          end
+          set_notice_flash change_password_notice_flash
+          redirect change_password_redirect
+        end
+
+        set_error_flash change_password_error_flash
+        change_password_view
+      end
+    end
+
+    def change_password_requires_password?
+      modifications_require_password?
+    end
+  end
+end

data/lib/rodauth/features/close_account.rb

@@ -0,0 +1,82 @@
+# frozen-string-literal: true
+
+module Rodauth
+  CloseAccount = Feature.define(:close_account) do
+    notice_flash 'Your account has been closed'
+    error_flash 'There was an error closing your account'
+    view 'close-account', 'Close Account'
+    additional_form_tags
+    button 'Close Account'
+    after
+    before
+    redirect
+
+    auth_value_method :account_closed_status_value, 3
+
+    auth_value_methods(
+      :close_account_requires_password?,
+      :delete_account_on_close?
+    )
+
+    auth_methods(
+      :close_account,
+      :delete_account
+    )
+
+    route do |r|
+      require_account
+      before_close_account_route
+
+      r.get do
+        close_account_view
+      end
+
+      r.post do
+        if !close_account_requires_password? || password_match?(param(password_param))
+          transaction do
+            before_close_account
+            close_account
+            after_close_account
+            if delete_account_on_close?
+              delete_account
+            end
+          end
+          clear_session
+
+          set_notice_flash close_account_notice_flash
+          redirect close_account_redirect
+        else
+          set_field_error(password_param, invalid_password_message)
+          set_error_flash close_account_error_flash
+          close_account_view
+        end
+      end
+    end
+
+    def close_account_requires_password?
+      modifications_require_password?
+    end
+
+    def close_account
+      unless skip_status_checks?
+        update_account(account_status_column=>account_closed_status_value)
+      end
+
+      unless account_password_hash_column
+        password_hash_ds.delete
+      end
+    end
+
+    def delete_account
+      account_ds.delete
+    end
+
+    def delete_account_on_close?
+      skip_status_checks?
+    end
+
+    def skip_status_checks?
+      false
+    end
+  end
+end

data/lib/rodauth/features/confirm_password.rb

@@ -0,0 +1,51 @@
+# frozen-string-literal: true
+
+module Rodauth
+  ConfirmPassword = Feature.define(:confirm_password) do
+    notice_flash "Your password has been confirmed"
+    error_flash "There was an error confirming your password"
+    view 'confirm-password', 'Confirm Password'
+    additional_form_tags
+    button 'Confirm Password'
+    before
+    after
+
+    auth_value_methods :confirm_password_redirect
+
+    auth_methods :confirm_password
+
+    route do
+      require_account
+      before_confirm_password_route
+
+      request.get do
+        confirm_password_view
+      end
+
+      request.post do
+        if password_match?(param(password_param))
+          transaction do
+            before_confirm_password
+            confirm_password
+            after_confirm_password
+          end
+          set_notice_flash confirm_password_notice_flash
+          redirect confirm_password_redirect
+        else
+          set_field_error(password_param, invalid_password_message)
+          set_error_flash confirm_password_error_flash
+          confirm_password_view
+        end
+      end
+    end
+
+    def confirm_password
+      nil
+    end
+
+    def confirm_password_redirect
+      session.delete(:confirm_password_redirect) || default_redirect
+    end
+  end
+end
+

data/lib/rodauth/features/create_account.rb

@@ -0,0 +1,128 @@
+# frozen-string-literal: true
+
+module Rodauth
+  CreateAccount = Feature.define(:create_account) do
+    depends :login_password_requirements_base
+
+    depends :login
+    notice_flash 'Your account has been created'
+    error_flash "There was an error creating your account"
+    view 'create-account', 'Create Account'
+    after
+    before
+    button 'Create Account'
+    additional_form_tags
+    redirect
+
+    auth_value_method :create_account_autologin?, true
+
+    auth_value_methods :create_account_link
+
+    auth_methods(
+      :save_account,
+      :set_new_account_password
+    )
+
+    auth_private_methods(
+      :new_account
+    )
+
+    route do |r|
+      check_already_logged_in
+      before_create_account_route
+
+      r.get do
+        create_account_view
+      end
+
+      r.post do
+        login = param(login_param)
+        password = param(password_param)
+        new_account(login)
+
+        if account_password_hash_column
+          set_new_account_password(param(password_param))
+        end
+
+        catch_error do
+          if require_login_confirmation? && login != param(login_confirm_param)
+            throw_error(login_param, logins_do_not_match_message)
+          end
+
+          unless login_meets_requirements?(login)
+            throw_error(login_param, login_does_not_meet_requirements_message)
+          end
+
+          if require_password_confirmation? && password != param(password_confirm_param)
+            throw_error(password_param, passwords_do_not_match_message)
+          end
+
+          unless password_meets_requirements?(password)
+            throw_error(password_param, password_does_not_meet_requirements_message)
+          end
+
+          transaction do
+            before_create_account
+            unless save_account
+              throw_error(login_param, login_does_not_meet_requirements_message)
+            end
+
+            unless account_password_hash_column
+              set_password(password)
+            end
+            after_create_account
+            if create_account_autologin?
+              update_session
+            end
+            set_notice_flash create_account_notice_flash
+            redirect create_account_redirect
+          end
+        end
+
+        set_error_flash create_account_error_flash
+        create_account_view
+      end
+    end
+
+    def create_account_link
+      "<p><a href=\"#{prefix}/#{create_account_route}\">Create a New Account</a></p>"
+    end
+
+    def login_form_footer
+      super + create_account_link
+    end
+
+    def set_new_account_password(password)
+      account[account_password_hash_column] = password_hash(password)
+    end
+
+    def new_account(login)
+      @account = _new_account(login)
+    end
+    
+    def save_account
+      id = nil
+      raised = raises_uniqueness_violation?{id = db[accounts_table].insert(account)}
+
+      if raised
+        @login_requirement_message = 'already an account with this login'
+      end
+
+      if id
+        account[account_id_column] = id
+      end
+
+      id && !raised
+    end
+
+    private
+
+    def _new_account(login)
+      acc = {login_column=>login}
+      unless skip_status_checks?
+        acc[account_status_column] = account_initial_status_value
+      end
+      acc
+    end
+  end
+end

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -0,0 +1,82 @@
+# frozen-string-literal: true
+
+module Rodauth
+  DisallowPasswordReuse = Feature.define(:disallow_password_reuse) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_same_as_previous_password_message, "same as previous password"
+    auth_value_method :previous_password_account_id_column, :account_id
+    auth_value_method :previous_password_hash_column, :password_hash
+    auth_value_method :previous_password_hash_table, :account_previous_password_hashes
+    auth_value_method :previous_password_id_column, :id
+    auth_value_method :previous_passwords_to_check, 6
+
+    auth_methods(
+      :add_previous_password_hash,
+      :password_doesnt_match_previous_password?
+    )
+
+    def set_password(password)
+      hash = super
+      add_previous_password_hash(hash)
+      hash
+    end
+
+    def add_previous_password_hash(hash) 
+      ds = previous_password_ds
+      keep_before = ds.reverse(previous_password_id_column).
+        limit(nil, previous_passwords_to_check).
+        get(previous_password_id_column)
+
+      ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
+        delete
+
+      # This should never raise uniqueness violations, as it uses a serial primary key
+      ds.insert(previous_password_account_id_column=>account_id, previous_password_hash_column=>hash)
+    end
+
+    def password_meets_requirements?(password)
+      super &&
+        password_doesnt_match_previous_password?(password)
+    end
+
+    private
+
+    def password_doesnt_match_previous_password?(password)
+      id = account_id
+      match = if use_database_authentication_functions?
+        salts = previous_password_ds.
+          select_map([previous_password_id_column, Sequel.function(function_name(:rodauth_get_previous_salt), previous_password_id_column).as(:salt)])
+        return true if salts.empty?
+
+        salts.any? do |hash_id, salt|
+          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+        end
+      else
+        # :nocov:
+        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        # :nocov:
+      end
+
+      return true unless match
+      @password_requirement_message = password_same_as_previous_password_message
+      false
+    end
+
+    def after_close_account
+      super if defined?(super)
+      previous_password_ds.delete
+    end
+
+    def after_create_account
+      if account_password_hash_column
+        add_previous_password_hash(password_hash(request[password_param]))
+      end
+      super if defined?(super)
+    end
+
+    def previous_password_ds
+      db[previous_password_hash_table].where(previous_password_account_id_column=>account_id)
+    end
+  end
+end