RubyGems - rodauth - Versions diffs - 0.10.0 → 1.0.0 - Mend

rodauth 0.10.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

checksums.yaml +4 -4
data/CHANGELOG +146 -0
data/README.rdoc +644 -220
data/Rakefile +99 -11
data/doc/account_expiration.rdoc +55 -0
data/doc/base.rdoc +104 -0
data/doc/change_login.rdoc +29 -0
data/doc/change_password.rdoc +26 -0
data/doc/close_account.rdoc +31 -0
data/doc/confirm_password.rdoc +22 -0
data/doc/create_account.rdoc +34 -0
data/doc/disallow_password_reuse.rdoc +37 -0
data/doc/email_base.rdoc +19 -0
data/doc/jwt.rdoc +35 -0
data/doc/lockout.rdoc +83 -0
data/doc/login.rdoc +27 -0
data/doc/login_password_requirements_base.rdoc +50 -0
data/doc/logout.rdoc +21 -0
data/doc/otp.rdoc +100 -0
data/doc/password_complexity.rdoc +50 -0
data/doc/password_expiration.rdoc +52 -0
data/doc/password_grace_period.rdoc +10 -0
data/doc/recovery_codes.rdoc +60 -0
data/doc/release_notes/1.0.0.txt +443 -0
data/doc/remember.rdoc +82 -0
data/doc/reset_password.rdoc +70 -0
data/doc/session_expiration.rdoc +27 -0
data/doc/single_session.rdoc +43 -0
data/doc/sms_codes.rdoc +119 -0
data/doc/two_factor_base.rdoc +27 -0
data/doc/verify_account.rdoc +70 -0
data/doc/verify_account_grace_period.rdoc +15 -0
data/doc/verify_change_login.rdoc +9 -0
data/lib/roda/plugins/rodauth.rb +3 -262
data/lib/rodauth.rb +260 -0
data/lib/rodauth/features/account_expiration.rb +108 -0
data/lib/rodauth/features/base.rb +479 -0
data/lib/rodauth/features/change_login.rb +77 -0
data/lib/rodauth/features/change_password.rb +66 -0
data/lib/rodauth/features/close_account.rb +82 -0
data/lib/rodauth/features/confirm_password.rb +51 -0
data/lib/rodauth/features/create_account.rb +128 -0
data/lib/rodauth/features/disallow_password_reuse.rb +82 -0
data/lib/rodauth/features/email_base.rb +63 -0
data/lib/rodauth/features/jwt.rb +151 -0
data/lib/rodauth/features/lockout.rb +262 -0
data/lib/rodauth/features/login.rb +61 -0
data/lib/rodauth/features/login_password_requirements_base.rb +123 -0
data/lib/rodauth/features/logout.rb +37 -0
data/lib/rodauth/features/otp.rb +338 -0
data/lib/rodauth/features/password_complexity.rb +89 -0
data/lib/rodauth/features/password_expiration.rb +111 -0
data/lib/rodauth/features/password_grace_period.rb +46 -0
data/lib/rodauth/features/recovery_codes.rb +240 -0
data/lib/rodauth/features/remember.rb +200 -0
data/lib/rodauth/features/reset_password.rb +207 -0
data/lib/rodauth/features/session_expiration.rb +55 -0
data/lib/rodauth/features/single_session.rb +87 -0
data/lib/rodauth/features/sms_codes.rb +498 -0
data/lib/rodauth/features/two_factor_base.rb +135 -0
data/lib/rodauth/features/verify_account.rb +232 -0
data/lib/rodauth/features/verify_account_grace_period.rb +76 -0
data/lib/rodauth/features/verify_change_login.rb +20 -0
data/lib/rodauth/migrations.rb +130 -0
data/lib/rodauth/version.rb +9 -0
data/spec/account_expiration_spec.rb +90 -0
data/spec/all.rb +1 -0
data/spec/change_login_spec.rb +149 -0
data/spec/change_password_spec.rb +177 -0
data/spec/close_account_spec.rb +162 -0
data/spec/confirm_password_spec.rb +70 -0
data/spec/create_account_spec.rb +127 -0
data/spec/disallow_password_reuse_spec.rb +84 -0
data/spec/lockout_spec.rb +228 -0
data/spec/login_spec.rb +188 -0
data/spec/migrate/001_tables.rb +103 -16
data/spec/migrate/002_account_password_hash_column.rb +11 -0
data/spec/migrate_password/001_tables.rb +60 -42
data/spec/migrate_travis/001_tables.rb +116 -0
data/spec/password_complexity_spec.rb +108 -0
data/spec/password_expiration_spec.rb +243 -0
data/spec/password_grace_period_spec.rb +93 -0
data/spec/remember_spec.rb +424 -0
data/spec/reset_password_spec.rb +185 -0
data/spec/rodauth_spec.rb +57 -980
data/spec/session_expiration_spec.rb +58 -0
data/spec/single_session_spec.rb +107 -0
data/spec/spec_helper.rb +202 -0
data/spec/two_factor_spec.rb +1310 -0
data/spec/verify_account_grace_period_spec.rb +135 -0
data/spec/verify_account_spec.rb +142 -0
data/spec/verify_change_login_spec.rb +46 -0
data/spec/views/login.str +2 -2
data/templates/add-recovery-codes.str +2 -0
data/templates/button.str +5 -0
data/templates/change-login.str +5 -18
data/templates/change-password.str +6 -14
data/templates/close-account.str +3 -6
data/templates/confirm-password.str +4 -14
data/templates/create-account.str +6 -30
data/templates/login-confirm-field.str +6 -0
data/templates/login-field.str +6 -0
data/templates/login.str +5 -19
data/templates/logout.str +2 -6
data/templates/otp-auth-code-field.str +6 -0
data/templates/otp-auth.str +8 -0
data/templates/otp-disable.str +6 -0
data/templates/otp-setup.str +21 -0
data/templates/password-confirm-field.str +6 -0
data/templates/password-field.str +6 -0
data/templates/recovery-auth.str +12 -0
data/templates/recovery-codes.str +6 -0
data/templates/remember.str +8 -12
data/templates/reset-password-request.str +2 -2
data/templates/reset-password.str +4 -18
data/templates/sms-auth.str +6 -0
data/templates/sms-code-field.str +6 -0
data/templates/sms-confirm.str +7 -0
data/templates/sms-disable.str +7 -0
data/templates/sms-request.str +5 -0
data/templates/sms-setup.str +12 -0
data/templates/unlock-account-request.str +3 -7
data/templates/unlock-account.str +4 -7
data/templates/verify-account-resend.str +2 -2
data/templates/verify-account.str +2 -6
metadata +191 -29
data/lib/roda/plugins/rodauth/base.rb +0 -428
data/lib/roda/plugins/rodauth/change_login.rb +0 -48
data/lib/roda/plugins/rodauth/change_password.rb +0 -42
data/lib/roda/plugins/rodauth/close_account.rb +0 -42
data/lib/roda/plugins/rodauth/create_account.rb +0 -92
data/lib/roda/plugins/rodauth/lockout.rb +0 -292
data/lib/roda/plugins/rodauth/login.rb +0 -81
data/lib/roda/plugins/rodauth/logout.rb +0 -36
data/lib/roda/plugins/rodauth/remember.rb +0 -226
data/lib/roda/plugins/rodauth/reset_password.rb +0 -205
data/lib/roda/plugins/rodauth/verify_account.rb +0 -228

data/lib/rodauth/features/email_base.rb ADDED

@@ -0,0 +1,63 @@
+# frozen-string-literal: true
+module Rodauth
+  EmailBase = Feature.define(:email_base) do
+    auth_value_method :email_subject_prefix, nil
+    auth_value_method :require_mail?, true
+    auth_value_method :token_separator, "_"
+    auth_value_methods(
+      :email_from
+    )
+    auth_methods(
+      :create_email,
+      :email_to
+    )
+    def post_configure
+      super
+      require 'mail' if require_mail?
+    end
+    private
+    def create_email(subject, body)
+      m = Mail.new
+      m.from = email_from
+      m.to = email_to
+      m.subject = "#{email_subject_prefix}#{subject}"
+      m.body = body
+      m
+    end
+    def email_from
+      "webmaster@#{request.host}"
+    end
+    def email_to
+      account[login_column]
+    end
+    def split_token(token)
+      token.split(token_separator, 2)
+    end
+    def token_link(route, param, key)
+      "#{request.base_url}#{prefix}/#{route}?#{param}=#{account_id}#{token_separator}#{key}"
+    end
+    def account_from_key(token, status_id=nil)
+      id, key = split_token(token)
+      return unless id && key
+      return unless actual = yield(id)
+      return unless timing_safe_eql?(key, actual)
+      ds = account_ds(id)
+      ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
+      ds.first
+    end
+  end
+end

data/lib/rodauth/features/jwt.rb ADDED

@@ -0,0 +1,151 @@
+# frozen-string-literal: true
+require 'jwt'
+module Rodauth
+  Jwt = Feature.define(:jwt) do
+    auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, nil
+    auth_value_method :jwt_algorithm, "HS256"
+    auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+    auth_value_method :only_json?, true
+    auth_value_methods :jwt_secret
+    auth_methods(
+      :json_request?,
+      :jwt_token,
+      :set_jwt_token
+    )
+    def session
+      return super unless json_request?
+      return @session if defined?(@session)
+      @session = if token = jwt_token
+        s = {}
+        payload, header = JWT.decode(token, jwt_secret, true, :algorithm=>jwt_algorithm)
+        payload.each do |k,v|
+          s[k.to_sym] = v
+        end
+        s
+      else
+        {}
+      end
+    end
+    def clear_session
+      super
+      set_jwt if json_request?
+    end
+    def set_field_error(field, message)
+      return super unless json_request?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+    def set_error_flash(message)
+      return super unless json_request?
+      json_response[json_response_error_key] = message
+    end
+    def set_redirect_error_flash(message)
+      return super unless json_request?
+      json_response[json_response_error_key] = message
+    end
+    def set_notice_flash(message)
+      return super unless json_request?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+    def set_notice_now_flash(message)
+      return super unless json_request?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+    def jwt_token
+      if v = request.env['HTTP_AUTHORIZATION']
+        v.sub(/\ABearer:?\s+/, '')
+      end
+    end
+    def set_jwt_token(token)
+      response.headers['Authorization'] = token
+    end
+    private
+    def before_rodauth
+      if only_json? && !json_request?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+      if json_request? && !request.post?
+        response.status = 405
+        response.headers['Allow'] = 'POST'
+        json_response[json_response_error_key] = json_non_post_error_message
+        return_json_response
+      end
+      super
+    end
+    def before_view_recovery_codes
+      super if defined?(super)
+      if json_request?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+    def jwt_secret
+      raise ArgumentError, "jwt_secret not set"
+    end
+    def redirect(_)
+      return super unless json_request?
+      return_json_response
+    end
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+    def set_session_value(key, value)
+      super
+      set_jwt if json_request?
+      value
+    end
+    def json_response
+      @json_response ||= {}
+    end
+    def _view(meth, page)
+      return super unless json_request?
+      return super if meth == :render
+      return_json_response
+    end
+    def return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      set_jwt
+      response.write(request.send(:convert_to_json, json_response))
+      request.halt
+    end
+    def set_jwt
+      set_jwt_token(JWT.encode(session, jwt_secret, jwt_algorithm))
+    end
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ /application\/json/
+    end
+  end
+end

data/lib/rodauth/features/lockout.rb ADDED

@@ -0,0 +1,262 @@
+# frozen-string-literal: true
+module Rodauth
+  Lockout = Feature.define(:lockout) do
+    depends :login, :email_base
+    view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
+    view 'unlock-account', 'Unlock Account', 'unlock_account'
+    before 'unlock_account'
+    before 'unlock_account_request'
+    after 'unlock_account'
+    after 'unlock_account_request'
+    additional_form_tags 'unlock_account'
+    additional_form_tags 'unlock_account_request'
+    button 'Unlock Account', 'unlock_account'
+    button 'Request Account Unlock', 'unlock_account_request'
+    error_flash "There was an error unlocking your account", 'unlock_account'
+    error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    notice_flash "Your account has been unlocked", 'unlock_account'
+    notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
+    redirect :unlock_account
+    redirect :unlock_account_request
+    auth_value_method :unlock_account_autologin?, true
+    auth_value_method :max_invalid_logins, 100
+    auth_value_method :account_login_failures_table, :account_login_failures
+    auth_value_method :account_login_failures_id_column, :id
+    auth_value_method :account_login_failures_number_column, :number
+    auth_value_method :account_lockouts_table, :account_lockouts
+    auth_value_method :account_lockouts_id_column, :id
+    auth_value_method :account_lockouts_key_column, :key
+    auth_value_method :account_lockouts_deadline_column, :deadline
+    auth_value_method :account_lockouts_deadline_interval, {:days=>1}
+    auth_value_method :no_matching_unlock_account_key_message, 'No matching unlock account key'
+    auth_value_method :unlock_account_email_subject, 'Unlock Account'
+    auth_value_method :unlock_account_key_param, 'key'
+    auth_value_method :unlock_account_requires_password?, false
+    auth_value_methods(
+      :unlock_account_redirect,
+      :unlock_account_request_redirect
+    )
+    auth_methods(
+      :clear_invalid_login_attempts,
+      :create_unlock_account_email,
+      :generate_unlock_account_key,
+      :get_unlock_account_key,
+      :invalid_login_attempted,
+      :locked_out?,
+      :send_unlock_account_email,
+      :unlock_account_email_body,
+      :unlock_account_email_link,
+      :unlock_account,
+      :unlock_account_key
+    )
+    auth_private_methods :account_from_unlock_key
+    route(:unlock_account_request) do |r|
+      check_already_logged_in
+      before_unlock_account_request_route
+      r.post do
+        if account_from_login(param(login_param)) && get_unlock_account_key
+          transaction do
+            before_unlock_account_request
+            send_unlock_account_email
+            after_unlock_account_request
+          end
+          set_notice_flash unlock_account_request_notice_flash
+        else
+          set_redirect_error_flash no_matching_login_message
+        end
+        redirect unlock_account_request_redirect
+      end
+    end
+    route(:unlock_account) do |r|
+      check_already_logged_in
+      before_unlock_account_route
+      r.get do
+        if account_from_unlock_key(param(unlock_account_key_param))
+          unlock_account_view
+        else
+          set_redirect_error_flash no_matching_unlock_account_key_message
+          redirect require_login_redirect
+        end
+      end
+      r.post do
+        key = param(unlock_account_key_param)
+        unless account_from_unlock_key(key)
+          set_redirect_error_flash no_matching_unlock_account_key_message
+          redirect unlock_account_request_redirect
+        end
+        if !unlock_account_requires_password? || password_match?(param(password_param))
+          transaction do
+            before_unlock_account
+            unlock_account
+            after_unlock_account
+            if unlock_account_autologin?
+              update_session
+            end
+          end
+          set_notice_flash unlock_account_notice_flash
+          redirect unlock_account_redirect
+        else
+          set_field_error(password_param, invalid_password_message)
+          set_error_flash unlock_account_error_flash
+          unlock_account_view
+        end
+      end
+    end
+    def locked_out?
+      if t = convert_timestamp(account_lockouts_ds.get(account_lockouts_deadline_column))
+        if Time.now < t
+          true
+        else
+          unlock_account
+          false
+        end
+      else
+        false
+      end
+    end
+    def unlock_account
+      transaction do
+        remove_lockout_metadata
+      end
+    end
+    def clear_invalid_login_attempts
+      unlock_account
+    end
+    def invalid_login_attempted
+      ds = account_login_failures_ds.
+          where(account_login_failures_id_column=>account_id)
+      number = if db.database_type == :postgres
+        ds.returning(account_login_failures_number_column).
+          with_sql(:update_sql, account_login_failures_number_column=>Sequel.expr(account_login_failures_number_column)+1).
+          single_value
+      else
+        # :nocov:
+        if ds.update(account_login_failures_number_column=>Sequel.expr(account_login_failures_number_column)+1) > 0
+          ds.get(account_login_failures_number_column)
+        end
+        # :nocov:
+      end
+      unless number
+        # Ignoring the violation is safe here.  It may allow slightly more than max_invalid_logins invalid logins before
+        # lockout, but allowing a few extra is OK if the race is lost.
+        ignore_uniqueness_violation{account_login_failures_ds.insert(account_login_failures_id_column=>account_id)}
+        number = 1
+      end
+      if number >= max_invalid_logins
+        @unlock_account_key_value = generate_unlock_account_key
+        hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>unlock_account_key_value}
+        set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+        if e = raised_uniqueness_violation{account_lockouts_ds.insert(hash)}
+          # If inserting into the lockout table raises a violation, we should just be able to pull the already inserted
+          # key out of it.  If that doesn't return a valid key, we should reraise the error.
+          raise e unless @unlock_account_key_value = account_lockouts_ds.get(account_lockouts_key_column)
+          show_lockout_page
+        end
+      end
+    end
+    def get_unlock_account_key
+      account_lockouts_ds.get(account_lockouts_key_column)
+    end
+    def account_from_unlock_key(key)
+      @account = _account_from_unlock_key(key)
+    end
+    def send_unlock_account_email
+      @unlock_account_key_value = get_unlock_account_key
+      create_unlock_account_email.deliver!
+    end
+    def unlock_account_email_link
+      token_link(unlock_account_route, unlock_account_key_param, unlock_account_key_value)
+    end
+    private
+    attr_reader :unlock_account_key_value
+    def before_login_attempt
+      if locked_out?
+        show_lockout_page
+      end
+      super
+    end
+    def after_login
+      clear_invalid_login_attempts
+      super
+    end
+    def after_login_failure
+      invalid_login_attempted
+      super
+    end
+    def after_close_account
+      remove_lockout_metadata
+      super if defined?(super)
+    end
+    def generate_unlock_account_key
+      random_key
+    end
+    def remove_lockout_metadata
+      account_login_failures_ds.delete
+      account_lockouts_ds.delete
+    end
+    def show_lockout_page
+      set_error_flash login_lockout_error_flash
+      response.write unlock_account_request_view
+      request.halt
+    end
+    def create_unlock_account_email
+      create_email(unlock_account_email_subject, unlock_account_email_body)
+    end
+    def unlock_account_email_body
+      render('unlock-account-email')
+    end
+    def use_date_arithmetic?
+      db.database_type == :mysql
+    end
+    def account_login_failures_ds
+      db[account_login_failures_table].where(account_login_failures_id_column=>account_id)
+    end
+    def account_lockouts_ds(id=account_id)
+      db[account_lockouts_table].where(account_lockouts_id_column=>id)
+    end
+    def _account_from_unlock_key(token)
+      account_from_key(token){|id| account_lockouts_ds(id).get(account_lockouts_key_column)}
+    end
+  end
+end