rodauth 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6ff15843042dfd35b89e9e6c76a54b571941248b
-  data.tar.gz: 04df40188862b7547b0f0ae7eb1cfb55aacbfd1a
+  metadata.gz: 0b6660226ea467fd230f849bf44098c6cd9d62bc
+  data.tar.gz: bd83d6ccffd22d79704aca7dba5bc50ee7a169a8
 SHA512:
-  metadata.gz: ec10b0e76411b3512ca463700e29659a5fb258e13ecde5be57d906e133e40cb9a2760e9d4ffca1e3fe0ed6a1911336449373abfcb58200d112ff341aa3372185
-  data.tar.gz: 05327fbf88823044fa475f3cfe48ec417532882f02fd320533ecdaac548a65ca7544db8e6f0298218e2f8ffbd53d1291e7fb386f01adbf6de0cb82da2cd467d7
+  metadata.gz: 31c568259583e2edc819d3d40887fca878a84ac059d0a516b40477a09a01213b41da73638f7f85cba455cf7528b414e241bc607ae8e7225146800d2d7e7622ab
+  data.tar.gz: a6d9a5730691944339b3ace15b92ef1d64b41a0b24188c8dc0c2ccfea97056c5d338d7adbc2128306313729893c3ab8d44e579ded94540a8b9405b08f26a3542

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 1.2.0 (2016-06-16)
+
+* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
+
+* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
+
 === 1.1.0 (2016-05-13)
 
 * Support :csrf=>false and :flash=>false plugin options (jeremyevans)

data/README.rdoc

@@ -938,7 +938,7 @@ custom methods that will be callable on the +rodauth+ object.
   route do |r|
     r.rodauth
 
-    r.on "admin"
+    r.on "admin" do
       rodauth.require_admin
     end
   end

data/doc/otp.rdoc

@@ -31,6 +31,8 @@ otp_disable_error_flash :: The flash error to show if unable to disable OTP auth
 otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
 otp_disable_redirect :: Where to redirect after disabling OTP authentication.
 otp_disable_route :: The route to the OTP disable action.
+otp_drift :: The number of seconds the client and server are allowed to drift apart. The
+             default is nil, to not allow drift.
 otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication
                                  code is used.
 otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted

data/doc/release_notes/1.2.0.txt

@@ -0,0 +1,18 @@
+= New Features
+
+* An otp_drift configuration method has been added to the otp plugin,
+  which allows you to set the number of seconds of allowed drift. This
+  makes the otp plugin easier to use if the client and server do not
+  have good synchronize to the same time source.
+
+= Other Improvements
+
+* Passwords containing the ASCII NUL character "\0" are no longer
+  allowed, as bcrypt truncates the password at the first NUL
+  character.
+
+  Note that bcrypt only uses the first 72 characters of the password
+  when constructing the hash, but Rodauth does not enforce a limit
+  of 72 characters.  If you want to enforce a maximum password length
+  in your application, use the password_meets_requirements?
+  configuration method with a block and call super inside the block.

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -44,7 +44,8 @@ module Rodauth
     end
 
     def password_meets_requirements?(password)
-      password_meets_length_requirements?(password)
+      password_meets_length_requirements?(password) && \
+        password_does_not_contain_null_byte?(password)
     end
 
     def set_password(password)
@@ -103,6 +104,12 @@ module Rodauth
       false
     end
 
+    def password_does_not_contain_null_byte?(password)
+      return true unless password.include?("\0")
+      @password_requirement_message = 'contains null byte'
+      false
+    end
+
     if ENV['RACK_ENV'] == 'test'
       def password_hash_cost
         BCrypt::Engine::MIN_COST

data/lib/rodauth/features/otp.rb

@@ -47,6 +47,7 @@ module Rodauth
     auth_value_method :otp_auth_param, 'otp'
     auth_value_method :otp_class, ROTP::TOTP
     auth_value_method :otp_digits, nil
+    auth_value_method :otp_drift, nil
     auth_value_method :otp_interval, nil
     auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
     auth_value_method :otp_invalid_secret_message, "invalid secret"
@@ -241,8 +242,12 @@ module Rodauth
     end
     
     def otp_valid_code?(ot_pass)
-      if otp_exists?
-        otp.verify(ot_pass.gsub(/\s+/, ''))
+      return false unless otp_exists?
+      ot_pass = ot_pass.gsub(/\s+/, '')
+      if drift = otp_drift
+        otp.verify_with_drift(ot_pass, drift)
+      else
+        otp.verify(ot_pass)
       end
     end
 

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.2.0'.freeze
 
   def self.version
     VERSION

data/spec/reset_password_spec.rb

@@ -177,6 +177,9 @@ describe 'Rodauth reset_password feature' do
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'1')
     res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (minimum 6 characters)"]}]
 
+    res = json_request('/reset-password', :key=>link[4..-1], :password=>"\0ab123456", "password-confirm"=>"\0ab123456")
+    res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (contains null byte)"]}]
+
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456', "password-confirm"=>'0123456')
     res.must_equal [200, {"success"=>"Your password has been reset"}]
 

data/spec/two_factor_spec.rb

@@ -9,6 +9,7 @@ describe 'Rodauth OTP feature' do
     sms_phone = sms_message = nil
     rodauth do
       enable :login, :logout, :otp, :recovery_codes, :sms_codes
+      otp_drift 10
       sms_send do |phone, msg|
         proc{super(phone, msg)}.must_raise NotImplementedError
         sms_phone = phone
@@ -314,9 +315,9 @@ describe 'Rodauth OTP feature' do
   it "should allow namespaced two factor authentication without password requirements" do
     rodauth do
       enable :login, :logout, :otp, :recovery_codes
+      otp_drift 10
       two_factor_modifications_require_password? false
       otp_digits 8
-      otp_interval 300
       prefix "/auth"
     end
     roda do |r|
@@ -346,7 +347,7 @@ describe 'Rodauth OTP feature' do
     page.title.must_equal 'Setup Two Factor Authentication'
     page.html.must_include '<svg' 
     secret = page.html.match(/Secret: ([a-z2-7]{16})/)[1]
-    totp = ROTP::TOTP.new(secret, :digits=>8, :interval=>300)
+    totp = ROTP::TOTP.new(secret, :digits=>8)
     fill_in 'Authentication Code', :with=>"asdf"
     click_button 'Setup Two Factor Authentication'
     page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
@@ -455,6 +456,7 @@ describe 'Rodauth OTP feature' do
   it "should require login and OTP authentication to perform certain actions if user signed up for OTP" do
     rodauth do
       enable :login, :logout, :change_password, :change_login, :close_account, :otp, :recovery_codes
+      otp_drift 10
     end
     roda do |r|
       r.rodauth
@@ -498,8 +500,10 @@ describe 'Rodauth OTP feature' do
 
   it "should handle attempts to insert a duplicate recovery code" do
     keys = ['a', 'a', 'b']
+    interval = 1000000
     rodauth do
       enable :login, :logout, :otp, :recovery_codes
+      otp_interval interval
       recovery_codes_limit 2
       new_recovery_code{keys.shift}
     end
@@ -521,7 +525,7 @@ describe 'Rodauth OTP feature' do
 
     visit '/otp-auth'
     secret = page.html.match(/Secret: ([a-z2-7]{16})/)[1]
-    totp = ROTP::TOTP.new(secret)
+    totp = ROTP::TOTP.new(secret, :interval=>interval)
     fill_in 'Password', :with=>'0123456789'
     fill_in 'Authentication Code', :with=>totp.now
     click_button 'Setup Two Factor Authentication'
@@ -531,7 +535,10 @@ describe 'Rodauth OTP feature' do
   end
 
   it "should allow two factor authentication setup, login, removal without recovery" do
-    rodauth{enable :login, :logout, :otp}
+    rodauth do
+      enable :login, :logout, :otp
+      otp_drift 10
+    end
     roda do |r|
       r.rodauth
 
@@ -603,6 +610,7 @@ describe 'Rodauth OTP feature' do
   it "should remove otp data when closing accounts" do
     rodauth do
       enable :login, :logout, :otp, :recovery_codes, :sms_codes, :close_account
+      otp_drift 10
       two_factor_modifications_require_password? false
       close_account_requires_password? false
       sms_send{|*|}
@@ -1076,6 +1084,7 @@ describe 'Rodauth OTP feature' do
     sms_phone = sms_message = sms_code = nil
     rodauth do
       enable :login, :logout, :otp, :recovery_codes, :sms_codes
+      otp_drift 10
       sms_send do |phone, msg|
         sms_phone = phone
         sms_message = msg

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-05-13 00:00:00.000000000 Z
+date: 2016-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -226,6 +226,7 @@ extra_rdoc_files:
 - doc/verify_change_login.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
+- doc/release_notes/1.2.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -252,6 +253,7 @@ files:
 - doc/recovery_codes.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
+- doc/release_notes/1.2.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc