rodauth 0.9.0

data/lib/roda/plugins/rodauth/verify_account.rb

@@ -0,0 +1,228 @@
+class Roda
+  module RodaPlugins
+    module Rodauth
+      VerifyAccount = Feature.define(:verify_account) do
+        depends :login, :create_account
+        route 'verify-account'
+        notice_flash "Your account has been verified"
+        view 'verify-account', 'Verify Account'
+        additional_form_tags
+        after
+        button 'Verify Account'
+        redirect
+
+        auth_value_methods(
+          :no_matching_verify_account_key_message,
+          :verify_account_autologin?,
+          :verify_account_email_subject,
+          :verify_account_email_sent_redirect,
+          :verify_account_email_sent_notice_flash,
+          :verify_account_id_column,
+          :verify_account_key_column,
+          :verify_account_key_param,
+          :verify_account_key_value,
+          :verify_account_table
+        )
+        auth_methods(
+          :account_from_verify_account_key,
+          :create_verify_account_key,
+          :create_verify_account_email,
+          :remove_verify_account_key,
+          :send_verify_account_email,
+          :verify_account,
+          :verify_account_email_body,
+          :verify_account_email_link,
+          :verify_account_key_insert_hash
+        )
+
+        get_block do |r, auth|
+          if key = r[auth.verify_account_key_param]
+            if auth._account_from_verify_account_key(key)
+              auth.verify_account_view
+            else
+              auth.set_redirect_error_flash auth.no_matching_verify_account_key_message
+              r.redirect auth.require_login_redirect
+            end
+          end
+        end
+
+        post_block do |r, auth|
+          if login = r[auth.login_param]
+            if auth._account_from_login(login.to_s) && !auth.open_account? && auth.verify_account_email_resend
+              auth.set_notice_flash auth.verify_account_email_sent_notice_flash
+              r.redirect auth.verify_account_email_sent_redirect
+            end
+          elsif key = r[auth.verify_account_key_param]
+            if auth._account_from_verify_account_key(key.to_s)
+              auth.transaction do
+                auth.verify_account
+                auth.remove_verify_account_key
+                auth.after_verify_account
+              end
+              if auth.verify_account_autologin?
+                auth.update_session
+              end
+              auth.set_notice_flash auth.verify_account_notice_flash
+              r.redirect(auth.verify_account_redirect)
+            end
+          end
+        end
+
+        def before_login_attempt
+          unless open_account?
+            set_error_flash attempt_to_login_to_unverified_account_notice_message
+            response.write resend_verify_account_view
+            request.halt
+          end
+          super
+        end
+
+        def generate_verify_account_key_value
+          @verify_account_key_value = random_key
+        end
+
+        def create_verify_account_key
+          ds = db[verify_account_table].where(verify_account_id_column=>account_id_value)
+          transaction do
+            ds.insert(verify_account_key_insert_hash) if ds.empty?
+          end
+        end
+
+        def verify_account_key_insert_hash
+          {verify_account_id_column=>account_id_value, verify_account_key_column=>verify_account_key_value}
+        end
+
+        def remove_verify_account_key
+          db[verify_account_table].where(verify_account_id_column=>account_id_value).delete
+        end
+
+        def verify_account
+          account.set(account_status_id=>account_open_status_value).save_changes(:raise_on_failure=>true)
+        end
+
+        def verify_account_resend_additional_form_tags
+          nil
+        end
+
+        def verify_account_resend_button
+          'Send Verification Email Again'
+        end
+
+        def verify_account_email_resend
+          if @verify_account_key_value = db[verify_account_table].where(verify_account_id_column=>account_id_value).get(verify_account_key_column)
+            send_verify_account_email
+            true
+          end
+        end
+
+        def attempt_to_create_unverified_account_notice_message
+          "The account you tried to create is currently awaiting verification"
+        end
+
+        def attempt_to_login_to_unverified_account_notice_message
+          "The account you tried to login with is currently awaiting verification"
+        end
+
+        def resend_verify_account_view
+          view('verify-account-resend', 'Resend Verification Email')
+        end
+
+        def verify_account_email_sent_notice_flash
+          "An email has been sent to you with a link to verify your account"
+        end
+        
+        def create_account_notice_flash
+          verify_account_email_sent_notice_flash
+        end
+
+        def after_create_account
+          generate_verify_account_key_value
+          create_verify_account_key
+          send_verify_account_email
+        end
+
+        def new_account(login)
+          if _account_from_login(login)
+            set_error_flash attempt_to_create_unverified_account_notice_message
+            response.write resend_verify_account_view
+            request.halt
+          end
+          super
+        end
+
+        def no_matching_verify_account_key_message
+          "invalid verify account key"
+        end
+
+        def _account_from_verify_account_key(key)
+          @account = account_from_verify_account_key(key)
+        end
+
+        def account_from_verify_account_key(key)
+          id, key = key.split('_', 2)
+          id_column = verify_account_id_column
+          ds = db[verify_account_table].
+            select(id_column).
+            where(id_column=>id, verify_account_key_column=>key)
+          @account = account_model.where(account_status_id=>account_unverified_status_value, account_id=>ds).first
+        end
+        
+        def verify_account_email_sent_redirect
+          require_login_redirect
+        end
+
+        def verify_account_table
+          :account_verification_keys
+        end
+
+        def verify_account_id_column
+          :id
+        end
+
+        def verify_account_key_column
+          :key
+        end
+
+        def account_initial_status_value
+          account_unverified_status_value
+        end
+
+        attr_reader :verify_account_key_value
+
+        def create_verify_account_email
+          create_email(verify_account_email_subject, verify_account_email_body)
+        end
+
+        def send_verify_account_email
+          create_verify_account_email.deliver!
+        end
+
+        def verify_account_email_body
+          render('verify-account-email')
+        end
+
+        def verify_account_email_link
+          "#{request.base_url}#{prefix}/#{verify_account_route}?#{verify_account_key_param}=#{account_id_value}_#{verify_account_key_value}"
+        end
+
+        def verify_account_email_subject
+          'Verify Account'
+        end
+
+        def verify_account_key_param
+          'key'
+        end
+
+        def verify_account_autologin?
+          false
+        end
+
+        def after_close_account
+          super
+          db[verify_account_table].where(reset_password_id_column=>account_id_value).delete
+        end
+      end
+    end
+  end
+end
+

data/spec/migrate/001_tables.rb

@@ -0,0 +1,64 @@
+Sequel.migration do
+  up do
+    # Used by the account verification and close account features
+    create_table(:account_statuses) do
+      Integer :id, :primary_key=>true
+      String :name, :null=>false, :unique=>true
+    end
+    from(:account_statuses).import([:id, :name], [[1, 'Unverified'], [2, 'Verified'], [3, 'Closed']])
+
+    # Used by the create account, account verification,
+    # and close account features.
+    create_table(:accounts) do
+      primary_key :id, :type=>Bignum
+      foreign_key :status_id, :account_statuses, :null=>false, :default=>1
+      citext :email, :null=>false
+
+      constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
+      index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
+
+      # Only for testing of account_password_hash_column, not recommended for new
+      # applications
+      String :ph
+    end
+
+    # Used by the password reset feature
+    create_table(:account_password_reset_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '1 day'")
+    end
+
+    # Used by the account verification feature
+    create_table(:account_verification_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+    end
+
+    # Used by the remember me feature
+    create_table(:account_remember_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '2 weeks'")
+    end
+
+    # Used by the lockout feature
+    create_table(:account_login_failures) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      Integer :number, :null=>false, :default=>1
+    end
+    create_table(:account_lockouts) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :key, :null=>false
+      DateTime :deadline, :null=>false, :default=>Sequel.lit("CURRENT_TIMESTAMP + '1 day'")
+    end
+
+    # Grant password user access to reference accounts
+    pw_user = get{Sequel.lit('current_user')} + '_password'
+    run "GRANT REFERENCES ON accounts TO #{pw_user}"
+  end
+
+  down do
+    drop_table(:account_lockouts, :account_login_failures, :account_remember_keys, :account_verification_keys, :account_password_reset_keys, :accounts, :account_statuses)
+  end
+end

data/spec/migrate_password/001_tables.rb

@@ -0,0 +1,38 @@
+Sequel.migration do
+  up do
+    # Used by the login and change password features
+    create_table(:account_password_hashes) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>Bignum
+      String :password_hash, :null=>false
+    end
+
+    # Function used to check if a password is valid.  Takes the related account id
+    # and unencrypted password, checks if password matches password hash.
+    run <<END
+CREATE OR REPLACE FUNCTION account_valid_password(account_id int8, password text) RETURNS boolean AS $$
+DECLARE valid boolean;
+BEGIN
+SELECT password_hash = crypt($2, password_hash) INTO valid 
+FROM account_password_hashes
+WHERE account_id = id;
+RETURN valid;
+END;
+$$ LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public, pg_temp;
+END
+
+    # Restrict access to the password hash table
+    app_user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+    run "REVOKE ALL ON account_password_hashes FROM public"
+    run "REVOKE ALL ON FUNCTION account_valid_password(int8, text) FROM public"
+    run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{app_user}"
+    run "GRANT SELECT(id) ON account_password_hashes TO #{app_user}"
+    run "GRANT EXECUTE ON FUNCTION account_valid_password(int8, text) TO #{app_user}"
+  end
+
+  down do
+    run "DROP FUNCTION account_valid_password(int8, text)"
+    drop_table(:account_password_hashes)
+  end
+end

data/spec/rodauth_spec.rb

@@ -0,0 +1,1114 @@
+$: << 'lib'
+
+if ENV['COVERAGE']
+  require 'coverage'
+  require 'simplecov'
+
+  def SimpleCov.rodauth_coverage(opts = {})
+    start do
+      add_filter "/spec/"
+      add_group('Missing'){|src| src.covered_percent < 100}
+      add_group('Covered'){|src| src.covered_percent == 100}
+      yield self if block_given?
+    end
+  end
+
+  ENV.delete('COVERAGE')
+  SimpleCov.rodauth_coverage
+end
+
+require 'rubygems'
+require 'capybara'
+require 'capybara/dsl'
+require 'rack/test'
+gem 'minitest'
+require 'minitest/autorun'
+require 'minitest/hooks/default'
+
+require 'roda'
+require 'sequel'
+require 'bcrypt'
+require 'mail'
+require 'logger'
+require 'tilt/string'
+
+DB = Sequel.postgres(:user=>'rodauth_test', :password=>'rodauth_test')
+#DB.loggers << Logger.new($stdout)
+
+ENV['RACK_ENV'] = 'test'
+
+::Mail.defaults do
+  delivery_method :test
+end
+
+class Account < Sequel::Model
+  plugin :validation_helpers
+
+  def validate
+    super
+    validates_unique(:email){|ds| ds.where(:status_id=>[1,2])} unless status_id == 3
+  end
+end
+
+Base = Class.new(Roda)
+Base.plugin :render, :layout=>{:path=>'spec/views/layout.str'}
+Base.plugin(:not_found){raise "path #{request.path_info} not found"}
+Base.use Rack::Session::Cookie, :secret=>'0123456789'
+class Base
+  attr_writer :title
+end
+
+class Minitest::HooksSpec
+  include Rack::Test::Methods
+  include Capybara::DSL
+
+  attr_reader :app
+
+  def no_freeze!
+    @no_freeze = true
+  end
+
+  def app=(app)
+    @app = Capybara.app = app
+  end
+
+  def rodauth(&block)
+    @rodauth_block = block
+  end
+
+  def roda(&block)
+    app = Class.new(Base)
+    rodauth_block = @rodauth_block
+    app.plugin(:rodauth) do
+      title_instance_variable :@title
+      instance_exec(&rodauth_block)
+    end
+    app.route(&block)
+    app.freeze unless @no_freeze
+    self.app = app
+  end
+
+  def email_link(regexp)
+    link = Mail::TestMailer.deliveries.first.body.to_s[regexp]
+    Mail::TestMailer.deliveries.clear
+    link.must_be_kind_of(String)
+    link
+  end
+
+  def remove_cookie(key)
+    page.driver.browser.rack_mock_session.cookie_jar.delete(key)
+  end
+
+  def get_cookie(key)
+    page.driver.browser.rack_mock_session.cookie_jar[key]
+  end
+
+  def set_cookie(key, value)
+    page.driver.browser.rack_mock_session.cookie_jar[key] = value
+  end
+
+  around do |&block|
+    DB.transaction(:rollback=>:always, :savepoint=>true, :auto_savepoint=>true){super(&block)}
+  end
+  
+  around(:all) do |&block|
+    DB.transaction(:rollback=>:always){super(&block)}
+  end
+  
+  after do
+    Capybara.reset_sessions!
+    Capybara.use_default_driver
+  end
+end
+
+describe 'Rodauth' do
+  before(:all) do
+    hash = BCrypt::Password.create('0123456789', :cost=>BCrypt::Engine::MIN_COST)
+    DB[:account_password_hashes].insert(:id=>Account.create(:email=>'foo@example.com', :status_id=>2, :ph=>hash).id, :password_hash=>hash)
+  end
+
+  it "should handle logins and logouts" do
+    rodauth{enable :login, :logout}
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_match(/no matching login/)
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_match(/invalid password/)
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.html.must_match(/Logged In/)
+
+    visit '/logout'
+    page.title.must_equal 'Logout'
+
+    click_button 'Logout'
+    page.find('#notice_flash').text.must_equal 'You have been logged out'
+    page.current_path.must_equal '/login'
+  end
+
+  it "should not allow login to unverified account" do
+    rodauth{enable :login}
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+
+    Account.first.update(:status_id=>1)
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_match(/unverified account, please verify account before logging in/)
+  end
+
+  it "should handle overriding login action" do
+    rodauth do
+      enable :login
+      login_post_block do |r, _|
+        if r['login'] == 'apple' && r['password'] == 'banana'
+          session[:user_id] = 'pear'
+          r.redirect '/'
+        end
+        r.redirect '/login'
+      end
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:user_id] == 'pear'
+      r.root{"Logged In"}
+    end
+
+    visit '/login'
+
+    fill_in 'Login', :with=>'appl'
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+    page.html.wont_match(/Logged In/)
+
+    fill_in 'Login', :with=>'apple'
+    fill_in 'Password', :with=>'banan'
+    click_button 'Login'
+    page.html.wont_match(/Logged In/)
+
+    fill_in 'Login', :with=>'apple'
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.html.must_match(/Logged In/)
+  end
+
+  it "should handle overriding some login attributes" do
+    rodauth do
+      enable :login
+      account_from_login do |login|
+        Account.first if login == 'apple'
+      end
+      password_match? do |password|
+        password == 'banana'
+      end
+      update_session do
+        session[:user_id] = 'pear'
+      end
+      no_matching_login_message "no user"
+      invalid_password_message "bad password"
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:user_id] == 'pear'
+      r.root{"Logged In"}
+    end
+
+    visit '/login'
+
+    fill_in 'Login', :with=>'appl'
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+    page.html.must_match(/no user/)
+
+    fill_in 'Login', :with=>'apple'
+    fill_in 'Password', :with=>'banan'
+    click_button 'Login'
+    page.html.must_match(/bad password/)
+
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.html.must_match(/Logged In/)
+  end
+
+  it "should handle a prefix and some other login options" do
+    rodauth do
+      enable :login, :logout
+      prefix 'auth'
+      session_key :login_email
+      account_from_session{Account.first(:email=>session_value)}
+      account_session_value{account.email}
+      login_param{request['lp']}
+      password_param 'p'
+      login_redirect{"/foo/#{account.email}"}
+      logout_redirect '/auth/lin'
+      login_route 'lin'
+      logout_route 'lout'
+    end
+    no_freeze!
+    roda do |r|
+      r.on 'auth' do
+        r.rodauth
+      end
+      next unless session[:login_email] =~ /example/
+      r.get('foo/:email'){|e| "Logged In: #{e}"}
+    end
+    app.plugin :render, :views=>'spec/views', :engine=>'str'
+
+    visit '/auth/lin?lp=l'
+
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.html.must_match(/no matching login/)
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Login'
+    page.html.must_match(/invalid password/)
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/foo/foo@example.com'
+    page.html.must_match(/Logged In: foo@example\.com/)
+
+    visit '/auth/lout'
+    click_button 'Logout'
+    page.current_path.must_equal '/auth/lin'
+  end
+
+  it "should support closing accounts" do
+    rodauth do
+      enable :login, :close_account
+    end
+    roda do |r|
+      r.rodauth
+      r.root{""}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+
+    visit '/close-account'
+    click_button 'Close Account'
+    page.current_path.must_equal '/'
+
+    Account.select_map(:status_id).must_equal [3]
+  end
+
+  it "should support closing accounts with overrides" do
+    rodauth do
+      enable :login, :close_account
+      close_account do
+        account.email = 'foo@bar.com'
+        super()
+      end
+      close_account_route 'close'
+      close_account_redirect '/login'
+    end
+    roda do |r|
+      r.rodauth
+      r.root{""}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+
+    visit '/close'
+    page.title.must_equal 'Close Account'
+    click_button 'Close Account'
+    page.find('#notice_flash').text.must_equal "Your account has been closed"
+    page.current_path.must_equal '/login'
+
+    Account.select_map(:status_id).must_equal [3]
+    Account.select_map(:email).must_equal ['foo@bar.com']
+  end
+
+  [false, true].each do |ph|
+    it "should support creating accounts #{'with account_password_hash_column' if ph}" do
+      rodauth do
+        enable :login, :create_account
+        account_password_hash_column :ph if ph
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      visit '/create-account'
+      fill_in 'Login', :with=>'foo@example.com'
+      fill_in 'Confirm Login', :with=>'foo@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.html.must_match(/is already taken/)
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Login', :with=>'foo@example2.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.html.must_match(/logins do not match/)
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Confirm Login', :with=>'foo@example2.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'012345678'
+      click_button 'Create Account'
+      page.html.must_match(/passwords do not match/)
+      page.find('#error_flash').text.must_equal "There was an error creating your account"
+      page.current_path.must_equal '/create-account'
+
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.find('#notice_flash').text.must_equal "Your account has been created"
+      page.current_path.must_equal '/'
+
+      visit '/login'
+      fill_in 'Login', :with=>'foo@example2.com'
+      fill_in 'Password', :with=>'0123456789'
+      click_button 'Login'
+      page.current_path.must_equal '/'
+    end
+
+    it "should support changing passwords for accounts #{'with account_password_hash_column' if ph}" do
+      rodauth do
+        enable :login, :logout, :change_password
+        account_password_hash_column :ph if ph
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      visit '/login'
+      fill_in 'Login', :with=>'foo@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      click_button 'Login'
+      page.current_path.must_equal '/'
+
+      visit '/change-password'
+      page.title.must_equal 'Change Password'
+
+      fill_in 'Password', :with=>'0123456'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Change Password'
+      page.html.must_match(/passwords do not match/)
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+      page.current_path.must_equal '/change-password'
+
+      fill_in 'Password', :with=>'0123456'
+      fill_in 'Confirm Password', :with=>'0123456'
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+      page.current_path.must_equal '/'
+
+      visit '/logout'
+      click_button 'Logout'
+
+      visit '/login'
+      fill_in 'Login', :with=>'foo@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      click_button 'Login'
+      page.html.must_match(/invalid password/)
+      page.current_path.must_equal '/login'
+
+      fill_in 'Password', :with=>'0123456'
+      click_button 'Login'
+      page.current_path.must_equal '/'
+    end
+  end
+
+  it "should support changing logins for accounts" do
+    Account.create(:email=>'foo2@example.com')
+
+    rodauth do
+      enable :login, :logout, :change_login
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+
+    visit '/change-login'
+    page.title.must_equal 'Change Login'
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_match(/logins do not match/)
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.html.must_match(/is already taken/)
+    page.current_path.must_equal '/change-login'
+
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Confirm Login', :with=>'foo3@example.com'
+    click_button 'Change Login'
+    page.find('#notice_flash').text.must_equal "Your login has been changed"
+    page.current_path.must_equal '/'
+
+    visit '/logout'
+    click_button 'Logout'
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo3@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support setting requirements for passwords" do
+    rodauth do
+      enable :login, :create_account, :change_password
+      password_meets_requirements? do |password|
+        password =~ /banana/
+      end
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple'
+    fill_in 'Confirm Password', :with=>'apple'
+    click_button 'Create Account'
+    page.html.must_match(/invalid password, does not meet requirements/)
+    page.find('#error_flash').text.must_equal "There was an error creating your account"
+    page.current_path.must_equal '/create-account'
+
+    fill_in 'Password', :with=>'banana'
+    fill_in 'Confirm Password', :with=>'banana'
+    click_button 'Create Account'
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'banana'
+    click_button 'Login'
+
+    visit '/change-password'
+    fill_in 'Password', :with=>'apple'
+    fill_in 'Confirm Password', :with=>'apple'
+    click_button 'Change Password'
+    page.html.must_match(/invalid password, does not meet requirements/)
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+    page.current_path.must_equal '/change-password'
+
+    fill_in 'Password', :with=>'my_banana_3'
+    fill_in 'Confirm Password', :with=>'my_banana_3'
+    click_button 'Change Password'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support autologin after account creation" do
+    rodauth do
+      enable :login, :create_account
+      create_account_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      next unless session[:account_id]
+      r.root{view :content=>"Logged In: #{Account[session[:account_id]].email}"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo2@example.com'
+    fill_in 'Confirm Login', :with=>'foo2@example.com'
+    fill_in 'Password', :with=>'apple2'
+    fill_in 'Confirm Password', :with=>'apple2'
+    click_button 'Create Account'
+    page.html.must_match(/Logged In: foo2@example\.com/)
+  end
+
+  it "should require login to perform certain actions" do
+    rodauth do
+      enable :login, :change_password, :change_login, :close_account
+    end
+    roda do |r|
+      r.rodauth
+
+      r.is "a" do
+        rodauth.require_login
+      end
+    end
+
+    visit '/change-password'
+    page.current_path.must_equal '/login'
+
+    visit '/change-login'
+    page.current_path.must_equal '/login'
+
+    visit '/close-account'
+    page.current_path.must_equal '/login'
+
+    visit '/a'
+    page.current_path.must_equal '/login'
+  end
+
+  it "should handle case where account is no longer valid during session" do
+    rodauth do
+      enable :login, :change_password
+      already_logged_in{request.redirect '/'}
+    end
+    roda do |r|
+      r.rodauth
+
+      r.root do
+        view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")
+      end
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.body.must_match(/Logged In/)
+
+    Account.first.update(:status_id=>3)
+    visit '/change-password'
+    page.current_path.must_equal '/login'
+    visit '/'
+    page.body.must_match(/Not Logged/)
+  end
+
+  it "should handle cases where you are already logged in on pages that don't expect a login" do
+    rodauth do
+      enable :login, :logout, :create_account, :reset_password, :verify_account
+      already_logged_in{request.redirect '/'}
+    end
+    roda do |r|
+      r.rodauth
+
+      r.root do
+        view :content=>''
+      end
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+
+    visit '/login'
+    page.current_path.must_equal '/'
+
+    visit '/create-account'
+    page.current_path.must_equal '/'
+
+    visit '/reset-password'
+    page.current_path.must_equal '/'
+
+    visit '/verify-account'
+    page.current_path.must_equal '/'
+
+    visit '/logout'
+    page.current_path.must_equal '/logout'
+  end
+
+  it "should support resetting passwords for accounts" do
+    rodauth do
+      enable :login, :reset_password
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'01234567'
+    click_button 'Login'
+    page.html.wont_match(/notice_flash/)
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'01234567'
+    click_button 'Login'
+
+    click_button 'Request Password Reset'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/reset-password\?key=.+)$/)
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal "invalid password reset key"
+
+    visit link
+    page.title.must_equal 'Reset Password'
+
+    fill_in 'Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Reset Password'
+    page.html.must_match(/passwords do not match/)
+    page.find('#error_flash').text.must_equal "There was an error resetting your password"
+    page.current_path.must_equal '/reset-password'
+
+    fill_in 'Password', :with=>'012'
+    fill_in 'Confirm Password', :with=>'012'
+    click_button 'Reset Password'
+    page.html.must_match(/invalid password, does not meet requirements/)
+    page.find('#error_flash').text.must_equal "There was an error resetting your password"
+    page.current_path.must_equal '/reset-password'
+
+    fill_in 'Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456'
+    click_button 'Reset Password'
+    page.find('#notice_flash').text.must_equal "Your password has been reset"
+    page.current_path.must_equal '/'
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support autologin when resetting passwords for accounts" do
+    rodauth do
+      enable :login, :reset_password
+      reset_password_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'01234567'
+    click_button 'Login'
+
+    click_button 'Request Password Reset'
+    link = email_link(/(\/reset-password\?key=.+)$/)
+    visit link
+    fill_in 'Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456'
+    click_button 'Reset Password'
+    page.find('#notice_flash').text.must_equal "Your password has been reset"
+    page.body.must_match(/Logged In/)
+  end
+
+  it "should support verifying accounts" do
+    rodauth do
+      enable :login, :create_account, :verify_account
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/verify-account\?key=.+)$/)
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'The account you tried to login with is currently awaiting verification'
+    page.html.must_match(/If you no longer have the email to verify the account, you can request that it be resent to you/)
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/login'
+
+    email_link(/(\/verify-account\?key=.+)$/).must_equal link
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Create Account'
+    click_button 'Send Verification Email Again'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/login'
+
+    link = email_link(/(\/verify-account\?key=.+)$/)
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal "invalid verify account key"
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.current_path.must_equal '/'
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.current_path.must_equal '/'
+  end
+
+  it "should support autologin when verifying accounts" do
+    rodauth do
+      enable :login, :create_account, :verify_account
+      verify_account_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/'
+
+    link = email_link(/(\/verify-account\?key=.+)$/)
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_match /Logged In/
+  end
+
+  it "should support login via remember token" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.body.must_equal 'Logged In'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Logged Intrue'
+
+    key = get_cookie('_remember')
+    visit '/remember'
+    choose 'Forget Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged Intrue'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Not Logged In'
+
+    set_cookie('_remember', key)
+    visit '/load'
+    page.body.must_equal 'Logged Intrue'
+
+    visit '/remember'
+    choose 'Disable Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged Intrue'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    set_cookie('_remember', key)
+    visit '/load'
+    page.body.must_equal 'Not Logged In'
+  end
+
+  it "should forget remember token when explicitly logging out" do
+    rodauth do
+      enable :login, :logout, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.body.must_equal 'Logged In'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In'
+
+    visit '/logout'
+    click_button 'Logout'
+
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Not Logged In'
+  end
+
+  it "should support clearing remembered flag" do
+    rodauth do
+      enable :login, :remember
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.body.must_equal 'Logged In'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    page.body.must_equal 'Logged In'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Logged Intrue'
+
+    visit '/remember?confirm=t'
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Confirm Password'
+    page.html.must_match(/invalid password/)
+
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Confirm Password'
+    page.body.must_equal 'Logged In'
+  end
+
+  it "should support extending remember token" do
+    rodauth do
+      enable :login, :remember
+      extend_remember_deadline? true
+    end
+    roda do |r|
+      r.rodauth
+      r.get 'load' do
+        rodauth.load_memory
+        r.redirect '/'
+      end
+      r.root{rodauth.logged_in? ? "Logged In#{session[:remembered]}" : "Not Logged In"}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+
+    remove_cookie('rack.session')
+    visit '/'
+    page.body.must_equal 'Not Logged In'
+
+    visit '/load'
+    page.body.must_equal 'Logged Intrue'
+  end
+
+  it "should support account lockouts" do
+    rodauth do
+      enable :lockout
+      max_invalid_logins 2
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.body.must_match(/Logged In/)
+
+    remove_cookie('rack.session')
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    3.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+      page.find('#error_flash').text.must_equal 'There was an error logging in'
+    end
+    page.body.must_match(/This account is currently locked out/)
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal 'No matching unlock account key'
+
+    visit link
+    click_button 'Unlock Account'
+    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.body.must_match(/Logged In/)
+  end
+
+  it "should support autologin when unlocking account" do
+    rodauth do
+      enable :lockout
+      unlock_account_autologin? true
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    101.times do |i|
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+      page.find('#error_flash').text.must_equal 'There was an error logging in'
+    end
+    page.body.must_match(/This account is currently locked out/)
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+    visit link
+    click_button 'Unlock Account'
+    page.body.must_match(/Logged In/)
+  end
+
+  it "should support verifying accounts" do
+    rodauth do
+      enable :login
+    end
+    roda do |r|
+      "#{rodauth.features.first.inspect}#{rodauth.session_value.inspect}"
+    end
+
+    visit '/'
+    page.body.must_equal ':loginnil'
+  end
+
+  it "should support multiple rodauth configurations in an app" do
+    app = Class.new(Base)
+    app.plugin(:rodauth) do
+      enable :login
+    end
+    app.plugin(:rodauth, :name=>:r2) do
+      enable :logout
+    end
+    app.route do |r|
+      r.on 'r1' do
+        r.rodauth
+        'r1'
+      end
+      r.on 'r2' do
+        r.rodauth(:r2)
+        'r2'
+      end
+      rodauth.session_value.inspect
+    end
+    app.freeze
+    self.app = app
+
+    visit '/r1/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.body.must_equal Account.first.id.to_s
+
+    visit '/r2/logout'
+    click_button 'Logout'
+    page.body.must_equal 'nil'
+
+    visit '/r1/logout'
+    page.body.must_equal 'r1'
+    visit '/r2/login'
+    page.body.must_equal 'r2'
+  end
+end