rodauth 1.1.0 → 1.2.0
- checksums.yaml +4 -4
- data/CHANGELOG +6 -0
- data/README.rdoc +1 -1
- data/doc/otp.rdoc +2 -0
- data/doc/release_notes/1.2.0.txt +18 -0
- data/lib/rodauth/features/login_password_requirements_base.rb +8 -1
- data/lib/rodauth/features/otp.rb +7 -2
- data/lib/rodauth/version.rb +1 -1
- data/spec/reset_password_spec.rb +3 -0
- data/spec/two_factor_spec.rb +13 -4
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0b6660226ea467fd230f849bf44098c6cd9d62bc
|
4
|
+
data.tar.gz: bd83d6ccffd22d79704aca7dba5bc50ee7a169a8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 31c568259583e2edc819d3d40887fca878a84ac059d0a516b40477a09a01213b41da73638f7f85cba455cf7528b414e241bc607ae8e7225146800d2d7e7622ab
|
7
|
+
data.tar.gz: a6d9a5730691944339b3ace15b92ef1d64b41a0b24188c8dc0c2ccfea97056c5d338d7adbc2128306313729893c3ab8d44e579ded94540a8b9405b08f26a3542
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,9 @@
|
|
1
|
+
=== 1.2.0 (2016-06-16)
|
2
|
+
|
3
|
+
* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
|
4
|
+
|
5
|
+
* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
|
6
|
+
|
1
7
|
=== 1.1.0 (2016-05-13)
|
2
8
|
|
3
9
|
* Support :csrf=>false and :flash=>false plugin options (jeremyevans)
|
data/README.rdoc
CHANGED
data/doc/otp.rdoc
CHANGED
@@ -31,6 +31,8 @@ otp_disable_error_flash :: The flash error to show if unable to disable OTP auth
|
|
31
31
|
otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
|
32
32
|
otp_disable_redirect :: Where to redirect after disabling OTP authentication.
|
33
33
|
otp_disable_route :: The route to the OTP disable action.
|
34
|
+
otp_drift :: The number of seconds the client and server are allowed to drift apart. The
|
35
|
+
default is nil, to not allow drift.
|
34
36
|
otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication
|
35
37
|
code is used.
|
36
38
|
otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted
|
@@ -0,0 +1,18 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An otp_drift configuration method has been added to the otp plugin,
|
4
|
+
which allows you to set the number of seconds of allowed drift. This
|
5
|
+
makes the otp plugin easier to use if the client and server do not
|
6
|
+
have good synchronize to the same time source.
|
7
|
+
|
8
|
+
= Other Improvements
|
9
|
+
|
10
|
+
* Passwords containing the ASCII NUL character "\0" are no longer
|
11
|
+
allowed, as bcrypt truncates the password at the first NUL
|
12
|
+
character.
|
13
|
+
|
14
|
+
Note that bcrypt only uses the first 72 characters of the password
|
15
|
+
when constructing the hash, but Rodauth does not enforce a limit
|
16
|
+
of 72 characters. If you want to enforce a maximum password length
|
17
|
+
in your application, use the password_meets_requirements?
|
18
|
+
configuration method with a block and call super inside the block.
|
@@ -44,7 +44,8 @@ module Rodauth
|
|
44
44
|
end
|
45
45
|
|
46
46
|
def password_meets_requirements?(password)
|
47
|
-
password_meets_length_requirements?(password)
|
47
|
+
password_meets_length_requirements?(password) && \
|
48
|
+
password_does_not_contain_null_byte?(password)
|
48
49
|
end
|
49
50
|
|
50
51
|
def set_password(password)
|
@@ -103,6 +104,12 @@ module Rodauth
|
|
103
104
|
false
|
104
105
|
end
|
105
106
|
|
107
|
+
def password_does_not_contain_null_byte?(password)
|
108
|
+
return true unless password.include?("\0")
|
109
|
+
@password_requirement_message = 'contains null byte'
|
110
|
+
false
|
111
|
+
end
|
112
|
+
|
106
113
|
if ENV['RACK_ENV'] == 'test'
|
107
114
|
def password_hash_cost
|
108
115
|
BCrypt::Engine::MIN_COST
|
data/lib/rodauth/features/otp.rb
CHANGED
@@ -47,6 +47,7 @@ module Rodauth
|
|
47
47
|
auth_value_method :otp_auth_param, 'otp'
|
48
48
|
auth_value_method :otp_class, ROTP::TOTP
|
49
49
|
auth_value_method :otp_digits, nil
|
50
|
+
auth_value_method :otp_drift, nil
|
50
51
|
auth_value_method :otp_interval, nil
|
51
52
|
auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
|
52
53
|
auth_value_method :otp_invalid_secret_message, "invalid secret"
|
@@ -241,8 +242,12 @@ module Rodauth
|
|
241
242
|
end
|
242
243
|
|
243
244
|
def otp_valid_code?(ot_pass)
|
244
|
-
|
245
|
-
|
245
|
+
return false unless otp_exists?
|
246
|
+
ot_pass = ot_pass.gsub(/\s+/, '')
|
247
|
+
if drift = otp_drift
|
248
|
+
otp.verify_with_drift(ot_pass, drift)
|
249
|
+
else
|
250
|
+
otp.verify(ot_pass)
|
246
251
|
end
|
247
252
|
end
|
248
253
|
|
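Review bot: `if drift = otp_drift` (new line 247) assigns inside the condition, which reads like a typo for `==` and is flagged by RuboCop's Lint/AssignmentInCondition; `drift = otp_drift` on its own line followed by `drift ? otp.verify_with_drift(ot_pass, drift) : otp.verify(ot_pass)` keeps the same behaviour. That branch also deserves a comment, because allowing drift widens the set of codes accepted for a single attempt (codes from neighbouring intervals within ±drift seconds), e.g. `# drift enlarges the acceptance window; keep it small and pair it with attempt limiting`, so the trade-off is stated where the option is consumed and not only in otp.rdoc. Whether OTP attempts are rate-limited elsewhere in the feature is not visible from this hunk. The removed old lines 244–245 have no content on this page, so I cannot confirm what the pre-drift verification looked like; `otp_valid_code?` closes at the hunk's final `end`, with the module continuing beyond it.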
data/lib/rodauth/version.rb
CHANGED
data/spec/reset_password_spec.rb
CHANGED
@@ -177,6 +177,9 @@ describe 'Rodauth reset_password feature' do
|
|
177
177
|
res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'1')
|
178
178
|
res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (minimum 6 characters)"]}]
|
179
179
|
|
180
|
+
res = json_request('/reset-password', :key=>link[4..-1], :password=>"\0ab123456", "password-confirm"=>"\0ab123456")
|
181
|
+
res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (contains null byte)"]}]
|
182
|
+
|
180
183
|
res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456', "password-confirm"=>'0123456')
|
181
184
|
res.must_equal [200, {"success"=>"Your password has been reset"}]
|
182
185
|
|
data/spec/two_factor_spec.rb
CHANGED
@@ -9,6 +9,7 @@ describe 'Rodauth OTP feature' do
|
|
9
9
|
sms_phone = sms_message = nil
|
10
10
|
rodauth do
|
11
11
|
enable :login, :logout, :otp, :recovery_codes, :sms_codes
|
12
|
+
otp_drift 10
|
12
13
|
sms_send do |phone, msg|
|
13
14
|
proc{super(phone, msg)}.must_raise NotImplementedError
|
14
15
|
sms_phone = phone
|
@@ -314,9 +315,9 @@ describe 'Rodauth OTP feature' do
|
|
314
315
|
it "should allow namespaced two factor authentication without password requirements" do
|
315
316
|
rodauth do
|
316
317
|
enable :login, :logout, :otp, :recovery_codes
|
318
|
+
otp_drift 10
|
317
319
|
two_factor_modifications_require_password? false
|
318
320
|
otp_digits 8
|
319
|
-
otp_interval 300
|
320
321
|
prefix "/auth"
|
321
322
|
end
|
322
323
|
roda do |r|
|
@@ -346,7 +347,7 @@ describe 'Rodauth OTP feature' do
|
|
346
347
|
page.title.must_equal 'Setup Two Factor Authentication'
|
347
348
|
page.html.must_include '<svg'
|
348
349
|
secret = page.html.match(/Secret: ([a-z2-7]{16})/)[1]
|
349
|
-
totp = ROTP::TOTP.new(secret, :digits=>8
|
350
|
+
totp = ROTP::TOTP.new(secret, :digits=>8)
|
350
351
|
fill_in 'Authentication Code', :with=>"asdf"
|
351
352
|
click_button 'Setup Two Factor Authentication'
|
352
353
|
page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
|
@@ -455,6 +456,7 @@ describe 'Rodauth OTP feature' do
|
|
455
456
|
it "should require login and OTP authentication to perform certain actions if user signed up for OTP" do
|
456
457
|
rodauth do
|
457
458
|
enable :login, :logout, :change_password, :change_login, :close_account, :otp, :recovery_codes
|
459
|
+
otp_drift 10
|
458
460
|
end
|
459
461
|
roda do |r|
|
460
462
|
r.rodauth
|
@@ -498,8 +500,10 @@ describe 'Rodauth OTP feature' do
|
|
498
500
|
|
499
501
|
it "should handle attempts to insert a duplicate recovery code" do
|
500
502
|
keys = ['a', 'a', 'b']
|
503
|
+
interval = 1000000
|
501
504
|
rodauth do
|
502
505
|
enable :login, :logout, :otp, :recovery_codes
|
506
|
+
otp_interval interval
|
503
507
|
recovery_codes_limit 2
|
504
508
|
new_recovery_code{keys.shift}
|
505
509
|
end
|
@@ -521,7 +525,7 @@ describe 'Rodauth OTP feature' do
|
|
521
525
|
|
522
526
|
visit '/otp-auth'
|
523
527
|
secret = page.html.match(/Secret: ([a-z2-7]{16})/)[1]
|
524
|
-
totp = ROTP::TOTP.new(secret)
|
528
|
+
totp = ROTP::TOTP.new(secret, :interval=>interval)
|
525
529
|
fill_in 'Password', :with=>'0123456789'
|
526
530
|
fill_in 'Authentication Code', :with=>totp.now
|
527
531
|
click_button 'Setup Two Factor Authentication'
|
@@ -531,7 +535,10 @@ describe 'Rodauth OTP feature' do
|
|
531
535
|
end
|
532
536
|
|
533
537
|
it "should allow two factor authentication setup, login, removal without recovery" do
|
534
|
-
rodauth
|
538
|
+
rodauth do
|
539
|
+
enable :login, :logout, :otp
|
540
|
+
otp_drift 10
|
541
|
+
end
|
535
542
|
roda do |r|
|
536
543
|
r.rodauth
|
537
544
|
|
@@ -603,6 +610,7 @@ describe 'Rodauth OTP feature' do
|
|
603
610
|
it "should remove otp data when closing accounts" do
|
604
611
|
rodauth do
|
605
612
|
enable :login, :logout, :otp, :recovery_codes, :sms_codes, :close_account
|
613
|
+
otp_drift 10
|
606
614
|
two_factor_modifications_require_password? false
|
607
615
|
close_account_requires_password? false
|
608
616
|
sms_send{|*|}
|
@@ -1076,6 +1084,7 @@ describe 'Rodauth OTP feature' do
|
|
1076
1084
|
sms_phone = sms_message = sms_code = nil
|
1077
1085
|
rodauth do
|
1078
1086
|
enable :login, :logout, :otp, :recovery_codes, :sms_codes
|
1087
|
+
otp_drift 10
|
1079
1088
|
sms_send do |phone, msg|
|
1080
1089
|
sms_phone = phone
|
1081
1090
|
sms_message = msg
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rodauth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jeremy Evans
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-06-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: sequel
|
@@ -226,6 +226,7 @@ extra_rdoc_files:
|
|
226
226
|
- doc/verify_change_login.rdoc
|
227
227
|
- doc/release_notes/1.0.0.txt
|
228
228
|
- doc/release_notes/1.1.0.txt
|
229
|
+
- doc/release_notes/1.2.0.txt
|
229
230
|
files:
|
230
231
|
- CHANGELOG
|
231
232
|
- MIT-LICENSE
|
@@ -252,6 +253,7 @@ files:
|
|
252
253
|
- doc/recovery_codes.rdoc
|
253
254
|
- doc/release_notes/1.0.0.txt
|
254
255
|
- doc/release_notes/1.1.0.txt
|
256
|
+
- doc/release_notes/1.2.0.txt
|
255
257
|
- doc/remember.rdoc
|
256
258
|
- doc/reset_password.rdoc
|
257
259
|
- doc/session_expiration.rdoc
|