RubyGems - rodauth - Versions diffs - 0.10.0 → 1.0.0 - Mend

rodauth 0.10.0 → 1.0.0

Files changed (137) hide show

checksums.yaml +4 -4
data/CHANGELOG +146 -0
data/README.rdoc +644 -220
data/Rakefile +99 -11
data/doc/account_expiration.rdoc +55 -0
data/doc/base.rdoc +104 -0
data/doc/change_login.rdoc +29 -0
data/doc/change_password.rdoc +26 -0
data/doc/close_account.rdoc +31 -0
data/doc/confirm_password.rdoc +22 -0
data/doc/create_account.rdoc +34 -0
data/doc/disallow_password_reuse.rdoc +37 -0
data/doc/email_base.rdoc +19 -0
data/doc/jwt.rdoc +35 -0
data/doc/lockout.rdoc +83 -0
data/doc/login.rdoc +27 -0
data/doc/login_password_requirements_base.rdoc +50 -0
data/doc/logout.rdoc +21 -0
data/doc/otp.rdoc +100 -0
data/doc/password_complexity.rdoc +50 -0
data/doc/password_expiration.rdoc +52 -0
data/doc/password_grace_period.rdoc +10 -0
data/doc/recovery_codes.rdoc +60 -0
data/doc/release_notes/1.0.0.txt +443 -0
data/doc/remember.rdoc +82 -0
data/doc/reset_password.rdoc +70 -0
data/doc/session_expiration.rdoc +27 -0
data/doc/single_session.rdoc +43 -0
data/doc/sms_codes.rdoc +119 -0
data/doc/two_factor_base.rdoc +27 -0
data/doc/verify_account.rdoc +70 -0
data/doc/verify_account_grace_period.rdoc +15 -0
data/doc/verify_change_login.rdoc +9 -0
data/lib/roda/plugins/rodauth.rb +3 -262
data/lib/rodauth.rb +260 -0
data/lib/rodauth/features/account_expiration.rb +108 -0
data/lib/rodauth/features/base.rb +479 -0
data/lib/rodauth/features/change_login.rb +77 -0
data/lib/rodauth/features/change_password.rb +66 -0
data/lib/rodauth/features/close_account.rb +82 -0
data/lib/rodauth/features/confirm_password.rb +51 -0
data/lib/rodauth/features/create_account.rb +128 -0
data/lib/rodauth/features/disallow_password_reuse.rb +82 -0
data/lib/rodauth/features/email_base.rb +63 -0
data/lib/rodauth/features/jwt.rb +151 -0
data/lib/rodauth/features/lockout.rb +262 -0
data/lib/rodauth/features/login.rb +61 -0
data/lib/rodauth/features/login_password_requirements_base.rb +123 -0
data/lib/rodauth/features/logout.rb +37 -0
data/lib/rodauth/features/otp.rb +338 -0
data/lib/rodauth/features/password_complexity.rb +89 -0
data/lib/rodauth/features/password_expiration.rb +111 -0
data/lib/rodauth/features/password_grace_period.rb +46 -0
data/lib/rodauth/features/recovery_codes.rb +240 -0
data/lib/rodauth/features/remember.rb +200 -0
data/lib/rodauth/features/reset_password.rb +207 -0
data/lib/rodauth/features/session_expiration.rb +55 -0
data/lib/rodauth/features/single_session.rb +87 -0
data/lib/rodauth/features/sms_codes.rb +498 -0
data/lib/rodauth/features/two_factor_base.rb +135 -0
data/lib/rodauth/features/verify_account.rb +232 -0
data/lib/rodauth/features/verify_account_grace_period.rb +76 -0
data/lib/rodauth/features/verify_change_login.rb +20 -0
data/lib/rodauth/migrations.rb +130 -0
data/lib/rodauth/version.rb +9 -0
data/spec/account_expiration_spec.rb +90 -0
data/spec/all.rb +1 -0
data/spec/change_login_spec.rb +149 -0
data/spec/change_password_spec.rb +177 -0
data/spec/close_account_spec.rb +162 -0
data/spec/confirm_password_spec.rb +70 -0
data/spec/create_account_spec.rb +127 -0
data/spec/disallow_password_reuse_spec.rb +84 -0
data/spec/lockout_spec.rb +228 -0
data/spec/login_spec.rb +188 -0
data/spec/migrate/001_tables.rb +103 -16
data/spec/migrate/002_account_password_hash_column.rb +11 -0
data/spec/migrate_password/001_tables.rb +60 -42
data/spec/migrate_travis/001_tables.rb +116 -0
data/spec/password_complexity_spec.rb +108 -0
data/spec/password_expiration_spec.rb +243 -0
data/spec/password_grace_period_spec.rb +93 -0
data/spec/remember_spec.rb +424 -0
data/spec/reset_password_spec.rb +185 -0
data/spec/rodauth_spec.rb +57 -980
data/spec/session_expiration_spec.rb +58 -0
data/spec/single_session_spec.rb +107 -0
data/spec/spec_helper.rb +202 -0
data/spec/two_factor_spec.rb +1310 -0
data/spec/verify_account_grace_period_spec.rb +135 -0
data/spec/verify_account_spec.rb +142 -0
data/spec/verify_change_login_spec.rb +46 -0
data/spec/views/login.str +2 -2
data/templates/add-recovery-codes.str +2 -0
data/templates/button.str +5 -0
data/templates/change-login.str +5 -18
data/templates/change-password.str +6 -14
data/templates/close-account.str +3 -6
data/templates/confirm-password.str +4 -14
data/templates/create-account.str +6 -30
data/templates/login-confirm-field.str +6 -0
data/templates/login-field.str +6 -0
data/templates/login.str +5 -19
data/templates/logout.str +2 -6
data/templates/otp-auth-code-field.str +6 -0
data/templates/otp-auth.str +8 -0
data/templates/otp-disable.str +6 -0
data/templates/otp-setup.str +21 -0
data/templates/password-confirm-field.str +6 -0
data/templates/password-field.str +6 -0
data/templates/recovery-auth.str +12 -0
data/templates/recovery-codes.str +6 -0
data/templates/remember.str +8 -12
data/templates/reset-password-request.str +2 -2
data/templates/reset-password.str +4 -18
data/templates/sms-auth.str +6 -0
data/templates/sms-code-field.str +6 -0
data/templates/sms-confirm.str +7 -0
data/templates/sms-disable.str +7 -0
data/templates/sms-request.str +5 -0
data/templates/sms-setup.str +12 -0
data/templates/unlock-account-request.str +3 -7
data/templates/unlock-account.str +4 -7
data/templates/verify-account-resend.str +2 -2
data/templates/verify-account.str +2 -6
metadata +191 -29
data/lib/roda/plugins/rodauth/base.rb +0 -428
data/lib/roda/plugins/rodauth/change_login.rb +0 -48
data/lib/roda/plugins/rodauth/change_password.rb +0 -42
data/lib/roda/plugins/rodauth/close_account.rb +0 -42
data/lib/roda/plugins/rodauth/create_account.rb +0 -92
data/lib/roda/plugins/rodauth/lockout.rb +0 -292
data/lib/roda/plugins/rodauth/login.rb +0 -81
data/lib/roda/plugins/rodauth/logout.rb +0 -36
data/lib/roda/plugins/rodauth/remember.rb +0 -226
data/lib/roda/plugins/rodauth/reset_password.rb +0 -205
data/lib/roda/plugins/rodauth/verify_account.rb +0 -228

data/lib/rodauth/features/email_base.rb ADDED

@@ -0,0 +1,63 @@
+# frozen-string-literal: true
+module Rodauth
+  EmailBase = Feature.define(:email_base) do
+    auth_value_method :email_subject_prefix, nil
+    auth_value_method :require_mail?, true
+    auth_value_method :token_separator, "_"
+    auth_value_methods(
+      :email_from
+    )
+    auth_methods(
+      :create_email,
+      :email_to
+    )
+    def post_configure
+      super
+      require 'mail' if require_mail?
+    end
+    private
+    def create_email(subject, body)
+      m = Mail.new
+      m.from = email_from
+      m.to = email_to
+      m.subject = "#{email_subject_prefix}#{subject}"
+      m.body = body
+      m
+    end
+    def email_from
+      "webmaster@#{request.host}"
+    end
+    def email_to
+      account[login_column]
+    end
+    def split_token(token)
+      token.split(token_separator, 2)
+    end
+    def token_link(route, param, key)
+      "#{request.base_url}#{prefix}/#{route}?#{param}=#{account_id}#{token_separator}#{key}"
+    end
+    def account_from_key(token, status_id=nil)
+      id, key = split_token(token)
+      return unless id && key
+      return unless actual = yield(id)
+      return unless timing_safe_eql?(key, actual)
+      ds = account_ds(id)
+      ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
+      ds.first
+    end
+  end
+end

data/lib/rodauth/features/jwt.rb ADDED

@@ -0,0 +1,151 @@
+# frozen-string-literal: true
+require 'jwt'
+module Rodauth
+  Jwt = Feature.define(:jwt) do
+    auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, nil
+    auth_value_method :jwt_algorithm, "HS256"
+    auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+    auth_value_method :only_json?, true
+    auth_value_methods :jwt_secret
+    auth_methods(
+      :json_request?,
+      :jwt_token,
+      :set_jwt_token
+    )
+    def session
+      return super unless json_request?
+      return @session if defined?(@session)
+      @session = if token = jwt_token
+        s = {}
+        payload, header = JWT.decode(token, jwt_secret, true, :algorithm=>jwt_algorithm)
+        payload.each do |k,v|
+          s[k.to_sym] = v
+        end
+        s
+      else
+        {}
+      end
+    end
+    def clear_session
+      super
+      set_jwt if json_request?
+    end
+    def set_field_error(field, message)
+      return super unless json_request?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+    def set_error_flash(message)
+      return super unless json_request?
+      json_response[json_response_error_key] = message
+    end
+    def set_redirect_error_flash(message)
+      return super unless json_request?
+      json_response[json_response_error_key] = message
+    end
+    def set_notice_flash(message)
+      return super unless json_request?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+    def set_notice_now_flash(message)
+      return super unless json_request?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+    def jwt_token
+      if v = request.env['HTTP_AUTHORIZATION']
+        v.sub(/\ABearer:?\s+/, '')
+      end
+    end
+    def set_jwt_token(token)
+      response.headers['Authorization'] = token
+    end
+    private
+    def before_rodauth
+      if only_json? && !json_request?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+      if json_request? && !request.post?
+        response.status = 405
+        response.headers['Allow'] = 'POST'
+        json_response[json_response_error_key] = json_non_post_error_message
+        return_json_response
+      end
+      super
+    end
+    def before_view_recovery_codes
+      super if defined?(super)
+      if json_request?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+    def jwt_secret
+      raise ArgumentError, "jwt_secret not set"
+    end
+    def redirect(_)
+      return super unless json_request?
+      return_json_response
+    end
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+    def set_session_value(key, value)
+      super
+      set_jwt if json_request?
+      value
+    end
+    def json_response
+      @json_response ||= {}
+    end
+    def _view(meth, page)
+      return super unless json_request?
+      return super if meth == :render
+      return_json_response
+    end
+    def return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      set_jwt
+      response.write(request.send(:convert_to_json, json_response))
+      request.halt
+    end
+    def set_jwt
+      set_jwt_token(JWT.encode(session, jwt_secret, jwt_algorithm))
+    end
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ /application\/json/
+    end
+  end
+end

data/lib/rodauth/features/lockout.rb ADDED

@@ -0,0 +1,262 @@
+# frozen-string-literal: true
+module Rodauth
+  Lockout = Feature.define(:lockout) do
+    depends :login, :email_base
+    view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
+    view 'unlock-account', 'Unlock Account', 'unlock_account'
+    before 'unlock_account'
+    before 'unlock_account_request'
+    after 'unlock_account'
+    after 'unlock_account_request'
+    additional_form_tags 'unlock_account'
+    additional_form_tags 'unlock_account_request'
+    button 'Unlock Account', 'unlock_account'
+    button 'Request Account Unlock', 'unlock_account_request'
+    error_flash "There was an error unlocking your account", 'unlock_account'
+    error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    notice_flash "Your account has been unlocked", 'unlock_account'
+    notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
+    redirect :unlock_account
+    redirect :unlock_account_request
+    auth_value_method :unlock_account_autologin?, true
+    auth_value_method :max_invalid_logins, 100
+    auth_value_method :account_login_failures_table, :account_login_failures
+    auth_value_method :account_login_failures_id_column, :id
+    auth_value_method :account_login_failures_number_column, :number
+    auth_value_method :account_lockouts_table, :account_lockouts
+    auth_value_method :account_lockouts_id_column, :id
+    auth_value_method :account_lockouts_key_column, :key
+    auth_value_method :account_lockouts_deadline_column, :deadline
+    auth_value_method :account_lockouts_deadline_interval, {:days=>1}
+    auth_value_method :no_matching_unlock_account_key_message, 'No matching unlock account key'
+    auth_value_method :unlock_account_email_subject, 'Unlock Account'
+    auth_value_method :unlock_account_key_param, 'key'
+    auth_value_method :unlock_account_requires_password?, false
+    auth_value_methods(
+      :unlock_account_redirect,
+      :unlock_account_request_redirect
+    )
+    auth_methods(
+      :clear_invalid_login_attempts,
+      :create_unlock_account_email,
+      :generate_unlock_account_key,
+      :get_unlock_account_key,
+      :invalid_login_attempted,
+      :locked_out?,
+      :send_unlock_account_email,
+      :unlock_account_email_body,
+      :unlock_account_email_link,
+      :unlock_account,
+      :unlock_account_key
+    )
+    auth_private_methods :account_from_unlock_key
+    route(:unlock_account_request) do |r|
+      check_already_logged_in
+      before_unlock_account_request_route
+      r.post do
+        if account_from_login(param(login_param)) && get_unlock_account_key
+          transaction do
+            before_unlock_account_request
+            send_unlock_account_email
+            after_unlock_account_request
+          end
+          set_notice_flash unlock_account_request_notice_flash
+        else
+          set_redirect_error_flash no_matching_login_message
+        end
+        redirect unlock_account_request_redirect
+      end
+    end
+    route(:unlock_account) do |r|
+      check_already_logged_in
+      before_unlock_account_route
+      r.get do
+        if account_from_unlock_key(param(unlock_account_key_param))
+          unlock_account_view
+        else
+          set_redirect_error_flash no_matching_unlock_account_key_message
+          redirect require_login_redirect
+        end
+      end
+      r.post do
+        key = param(unlock_account_key_param)
+        unless account_from_unlock_key(key)
+          set_redirect_error_flash no_matching_unlock_account_key_message
+          redirect unlock_account_request_redirect
+        end
+        if !unlock_account_requires_password? || password_match?(param(password_param))
+          transaction do
+            before_unlock_account
+            unlock_account
+            after_unlock_account
+            if unlock_account_autologin?
+              update_session
+            end
+          end
+          set_notice_flash unlock_account_notice_flash
+          redirect unlock_account_redirect
+        else
+          set_field_error(password_param, invalid_password_message)
+          set_error_flash unlock_account_error_flash
+          unlock_account_view
+        end
+      end
+    end
+    def locked_out?
+      if t = convert_timestamp(account_lockouts_ds.get(account_lockouts_deadline_column))
+        if Time.now < t
+          true
+        else
+          unlock_account
+          false
+        end
+      else
+        false
+      end
+    end
+    def unlock_account
+      transaction do
+        remove_lockout_metadata
+      end
+    end
+    def clear_invalid_login_attempts
+      unlock_account
+    end
+    def invalid_login_attempted
+      ds = account_login_failures_ds.
+          where(account_login_failures_id_column=>account_id)
+      number = if db.database_type == :postgres
+        ds.returning(account_login_failures_number_column).
+          with_sql(:update_sql, account_login_failures_number_column=>Sequel.expr(account_login_failures_number_column)+1).
+          single_value
+      else
+        # :nocov:
+        if ds.update(account_login_failures_number_column=>Sequel.expr(account_login_failures_number_column)+1) > 0
+          ds.get(account_login_failures_number_column)
+        end
+        # :nocov:
+      end
+      unless number
+        # Ignoring the violation is safe here.  It may allow slightly more than max_invalid_logins invalid logins before
+        # lockout, but allowing a few extra is OK if the race is lost.
+        ignore_uniqueness_violation{account_login_failures_ds.insert(account_login_failures_id_column=>account_id)}
+        number = 1
+      end
+      if number >= max_invalid_logins
+        @unlock_account_key_value = generate_unlock_account_key
+        hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>unlock_account_key_value}
+        set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+        if e = raised_uniqueness_violation{account_lockouts_ds.insert(hash)}
+          # If inserting into the lockout table raises a violation, we should just be able to pull the already inserted
+          # key out of it.  If that doesn't return a valid key, we should reraise the error.
+          raise e unless @unlock_account_key_value = account_lockouts_ds.get(account_lockouts_key_column)
+          show_lockout_page
+        end
+      end
+    end
+    def get_unlock_account_key
+      account_lockouts_ds.get(account_lockouts_key_column)
+    end
+    def account_from_unlock_key(key)
+      @account = _account_from_unlock_key(key)
+    end
+    def send_unlock_account_email
+      @unlock_account_key_value = get_unlock_account_key
+      create_unlock_account_email.deliver!
+    end
+    def unlock_account_email_link
+      token_link(unlock_account_route, unlock_account_key_param, unlock_account_key_value)
+    end
+    private
+    attr_reader :unlock_account_key_value
+    def before_login_attempt
+      if locked_out?
+        show_lockout_page
+      end
+      super
+    end
+    def after_login
+      clear_invalid_login_attempts
+      super
+    end
+    def after_login_failure
+      invalid_login_attempted
+      super
+    end
+    def after_close_account
+      remove_lockout_metadata
+      super if defined?(super)
+    end
+    def generate_unlock_account_key
+      random_key
+    end
+    def remove_lockout_metadata
+      account_login_failures_ds.delete
+      account_lockouts_ds.delete
+    end
+    def show_lockout_page
+      set_error_flash login_lockout_error_flash
+      response.write unlock_account_request_view
+      request.halt
+    end
+    def create_unlock_account_email
+      create_email(unlock_account_email_subject, unlock_account_email_body)
+    end
+    def unlock_account_email_body
+      render('unlock-account-email')
+    end
+    def use_date_arithmetic?
+      db.database_type == :mysql
+    end
+    def account_login_failures_ds
+      db[account_login_failures_table].where(account_login_failures_id_column=>account_id)
+    end
+    def account_lockouts_ds(id=account_id)
+      db[account_lockouts_table].where(account_lockouts_id_column=>id)
+    end
+    def _account_from_unlock_key(token)
+      account_from_key(token){|id| account_lockouts_ds(id).get(account_lockouts_key_column)}
+    end
+  end
+end