rodauth 1.11.0 → 1.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f15b58f396d567f884cc2aaf40794e07110e2091
-  data.tar.gz: 69a0eadaf802e8c82793c9c43084b0e4f442c8f7
+  metadata.gz: 888e341c90edf3af686821f3d64998da9fcdd5cb
+  data.tar.gz: 5f50386e3657dce0c24b81465a2e54ad8c81221a
 SHA512:
-  metadata.gz: 7bcc3c3455093d1a1a21c358f99c4440a1a09ead7d34087a541490ab4e73acf1b7bea97ce0bbc2675392fbbae96b70ed9099ab63182355a647830d1877a143b5
-  data.tar.gz: 03b37be1351549b1e8b5c6a8e3c102a26c946501b11282081ce92213c9ab169077edf1a75b920589a3a4d1d905732d6cb6ac91197f181305f9002791ca109f35
+  metadata.gz: 2315ff44b30666ac9291217ba2c9fa2ecb928b0b6ac0919d4a6debc70ec093c1b42f1866191024ee00f0d086c9103b996b173e36a092b84eb56ea9017a7baea0
+  data.tar.gz: c432df2a344582f4aef84b7512fa4f5a5a72058dc9a8528ee315e95e21044bff3d46ac29052cc1a9968e5dd298370e447df31f31a19519880b5da200df680eb9

data/CHANGELOG

@@ -1,3 +1,17 @@
+=== 1.12.0 (2017-10-03)
+
+* [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
+
+* Update migrations to work with Sequel 5 (jeremyevans)
+
+* Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
+
+* Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
+
+* Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
+
+* Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
+
 === 1.11.0 (2017-04-24)
 
 * Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)

data/README.rdoc

@@ -93,7 +93,7 @@ account does not have access to read the password hashes. The other
 account handles password hashes and is referred to as the +ph+
 account.  The +ph+ account sets up the database functions that can
 retrieve the salt for a given account's password, and check if a
-password hash matches for for a given account.  The +ph+ account
+password hash matches for a given account.  The +ph+ account
 sets these functions up so that the +app+ account can execute the
 functions using the +ph+ account's permissions.  This allows the
 +app+ account to check passwords without having access to read
@@ -151,6 +151,40 @@ Heroku, it just won't have the same security benefits.  That's not to say
 it is insecure, just that it drops the security level for password hash
 storage to the same level as other common authentication solutions.
 
+=== Create database accounts
+
+If you are currently running your application using the database superuser
+account, the first thing you need to do is to create the +app+ database
+account.  It's often best to name this account the same as the
+database name.
+
+You should also create the +ph+ database account which will handle access
+to the password hashes.
+
+Example for PostgreSQL:
+
+  createuser -U postgres ${DATABASE_NAME}
+  createuser -U postgres ${DATABASE_NAME}_password
+
+Note that if the database superuser account owns all of the items in the
+database, you'll need to change the ownership to the database account you
+just created.  See https://gist.github.com/jeremyevans/8483320
+for a way to do that.
+
+=== Create database
+
+In general, the +app+ account is the owner of the database, since it will
+own most of the tables:
+
+  createdb -U postgres -O ${DATABASE_NAME} ${DATABASE_NAME}
+
+Note that this is not the most secure way to develop applications.  For
+maximum security, you would want to use a separate database account as
+the owner of the tables, have the +app+ account not be the
+owner of any tables, and specifically grant the +app+ account only the
+minimum access it needs to work correctly.  Doing that is beyond the
+scope of Rodauth, though.
+
 === Load extensions
 
 If you want to use the login features for Rodauth, you need to load the
@@ -166,25 +200,48 @@ bad idea), you don't need to use the PostgreSQL citext extension. Just
 remember to modify the migration below to use +String+ instead of +citext+
 for the email in that case.
 
-=== Create database accounts
+=== Using non-default schema
 
-If you are currently running your application using the database superuser
-account, the first thing you need to do is to create the +app+ database
-account.  It's often best to name this account the same as the
-database name.
+PostgreSQL sets up new tables in the public schema by default.
+If you would like to use separate schemas per user, you can do:
 
-You should also create the +ph+ database account which will handle access
-to the password hashes.
+  psql -U postgres -c "DROP SCHEMA public;" ${DATABASE_NAME}
+  psql -U postgres -c "CREATE SCHEMA ${DATABASE_NAME} AUTHORIZATION ${DATABASE_NAME};" ${DATABASE_NAME}
+  psql -U postgres -c "CREATE SCHEMA ${DATABASE_NAME}_password AUTHORIZATION ${DATABASE_NAME}_password;" ${DATABASE_NAME}
+  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME} TO ${DATABASE_NAME}_password;" ${DATABASE_NAME}
+  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME}_password TO ${DATABASE_NAME};" ${DATABASE_NAME}
 
-Example for PostgreSQL:
+You'll need to modify the code to load the extension to specify the schema:
 
-  createuser -U postgres ${DATABASE_NAME}
-  createuser -U postgres ${DATABASE_NAME}_password
+  psql -U postgres -c "CREATE EXTENSION citext SCHEMA ${DATABASE_NAME}" ${DATABASE_NAME}
 
-Note that if the database superuser account owns all of the items in the
-database, you'll need to change the ownership to the database account you
-just created.  See https://gist.github.com/jeremyevans/8483320
-for a way to do that.
+When running the migration for the +ph+ user you'll need to modify a couple
+things for the schema changes:
+
+  create_table(:account_password_hashes) do
+    foreign_key :id, Sequel[:${DATABASE_NAME}][:accounts], :primary_key=>true, :type=>:Bignum
+    String :password_hash, :null=>false
+  end
+  Rodauth.create_database_authentication_functions(self, :table_name=>"${DATABASE_NAME}_password.account_password_hashes")
+
+  # if using the disallow_password_reuse feature:
+  create_table(:account_previous_password_hashes) do
+    primary_key :id, :type=>:Bignum
+    foreign_key :account_id, Sequel[:${DATABASE_NAME}][:accounts], :type=>:Bignum
+    String :password_hash, :null=>false
+  end
+  Rodauth.create_database_previous_password_check_functions(self, :table_name=>"${DATABASE_NAME}_password.account_previous_password_hashes")
+
+You'll also need to use the following Rodauth configuration methods so that the
+app account calls functions in a separate schema:
+
+  function_name do |name|
+    "${DATABASE_NAME}_password.#{name}"
+  end
+  password_hash_table Sequel[:${DATABASE_NAME}_password][:account_password_hashes]
+
+  # if using the disallow_password_reuse feature:
+  previous_password_hash_table Sequel[:${DATABASE_NAME}_password][:account_previous_password_hashes]
 
 == MySQL Database Setup
 
@@ -352,13 +409,13 @@ versions of Sequel, switch the :Bignum symbols to Bignum constants.
 
       case database_type
       when :postgres
-        user = get{Sequel.lit('current_user')} + '_password'
+        user = get(Sequel.lit('current_user')) + '_password'
         run "GRANT REFERENCES ON accounts TO #{user}"
       when :mysql, :mssql
         user = if database_type == :mysql
-          get{Sequel.lit('current_user')}.sub(/_password@/, '@')
+          get(Sequel.lit('current_user')).sub(/_password@/, '@')
         else
-          get{DB_NAME{}}
+          get(Sequel.function(:DB_NAME))
         end
         run "GRANT ALL ON account_statuses TO #{user}"
         run "GRANT ALL ON accounts TO #{user}"
@@ -408,7 +465,7 @@ Second migration, run using the +ph+ account:
       Rodauth.create_database_authentication_functions(self)
       case database_type
       when :postgres
-        user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+        user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
         run "REVOKE ALL ON account_password_hashes FROM public"
         run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
         run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
@@ -417,13 +474,13 @@ Second migration, run using the +ph+ account:
         run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{user}"
         run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{user}"
       when :mysql
-        user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
-        db_name = get{database{}}
+        user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
+        db_name = get(Sequel.function(:database))
         run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
         run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
         run "GRANT SELECT (id) ON account_password_hashes TO #{user}"
       when :mssql
-        user = get{DB_NAME{}}
+        user = get(Sequel.function(:DB_NAME))
         run "GRANT EXECUTE ON rodauth_get_salt TO #{user}"
         run "GRANT EXECUTE ON rodauth_valid_password_hash TO #{user}"
         run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
@@ -440,7 +497,7 @@ Second migration, run using the +ph+ account:
 
       case database_type
       when :postgres
-        user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+        user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
         run "REVOKE ALL ON account_previous_password_hashes FROM public"
         run "REVOKE ALL ON FUNCTION rodauth_get_previous_salt(int8) FROM public"
         run "REVOKE ALL ON FUNCTION rodauth_previous_password_hash_match(int8, text) FROM public"
@@ -450,13 +507,13 @@ Second migration, run using the +ph+ account:
         run "GRANT EXECUTE ON FUNCTION rodauth_get_previous_salt(int8) TO #{user}"
         run "GRANT EXECUTE ON FUNCTION rodauth_previous_password_hash_match(int8, text) TO #{user}"
       when :mysql
-        user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
-        db_name = get{database{}}
+        user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
+        db_name = get(Sequel.function(:database))
         run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
         run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
         run "GRANT SELECT (id, account_id) ON account_previous_password_hashes TO #{user}"
       when :mssql
-        user = get{DB_NAME{}}
+        user = get(Sequel.function(:DB_NAME))
         run "GRANT EXECUTE ON rodauth_get_previous_salt TO #{user}"
         run "GRANT EXECUTE ON rodauth_previous_password_hash_match TO #{user}"
         run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
@@ -825,8 +882,8 @@ to +/login+ with an +access_token+ parameter that is set to the user's
 Facebook OAuth access token.
 
 
-   require 'koala'
-   plugin :rodauth do
+  require 'koala'
+  plugin :rodauth do
     enable :login, :logout, :jwt
      
     require_bcrypt? false

data/doc/http_basic_auth.rdoc

@@ -6,3 +6,4 @@ described in RFC 1945.
 == Auth Value Methods
 
 http_basic_auth_realm :: The realm to return in the WWW-Authenticate header.
+require_http_basic_auth :: If true, when +rodauth.require_authentication+ is used, return a 401 status if basic auth has not been provided, instead of redirecting to the login page. False by default.

data/doc/lockout.rdoc

@@ -15,7 +15,8 @@ account_lockouts_deadline_column :: The deadline column in the account lockouts
                                     table, containing how long the account is
                                     locked out until.
 account_lockouts_deadline_interval :: The amount of time for which to lock out accounts,
-                                      1 day by default.
+                                      1 day by default. Only used if set_deadline_values?
+                                      is true.
 account_lockouts_key_column :: The unlock key column in the account lockouts table.
 account_lockouts_table :: The table containing account lockout information.
 account_login_failures_id_column :: The id column in the account login failures table,

data/doc/release_notes/1.12.0.txt

@@ -0,0 +1,61 @@
+= Security Fix
+
+* The password reset key deadline was previously ignored when
+  checking for a password reset key.  This allowed expired keys to
+  be used.  This problem exists in all previous versions.
+
+  The root cause of this issue is that support for deadline checking
+  was not previously implemented.  In previous versions, the deadline
+  was only used to remove old keys when creating a new key.
+
+  Rodauth only allows a single password reset key per account, and
+  deletes password reset keys when passwords are reset. So if the
+  user had subsequently generated a different password reset key, or
+  had already used the password reset key to reset the password,
+  then they would not be vulnerable.  The most likely situation
+  where there exists a vulnerability due to this issue is:
+  
+  * A user requests a password reset.
+  * They do not reset their password or request another
+    password reset.
+  * The password reset key deadline expires.
+  * An attacker gets access to their archived email containing
+    the password reset link, which they use to reset the
+    password for the account.
+
+  Reporting Details:
+
+  * Initially reported on 10/3/2017
+  * Fixed in repository on 10/3/2017
+  * Version 1.12.0 released with fix on 10/3/2017
+
+  Thanks to Chris Hanks for discovering and reporting this issue
+  and supplying an initial fix.
+
+= New Features
+
+* The http_basic_auth feature now supports a
+  require_http_basic_auth configuration method.  When set to true,
+  if authentication is required and the request is not already
+  authenticated, they will get a 401 response instead of a
+  redirect to the login page.
+
+* All of the following Rodauth migration methods now support an
+  options hash:
+
+  * Rodauth.drop_database_authentication_functions
+  * Rodauth.create_database_previous_password_check_functions
+  * Rodauth.drop_database_previous_password_check_functions
+
+  These options allow you to customize the get_salt_name and
+  valid_hash_name database functions, as well as set the the table
+  for the previous_password_check_functions.
+
+* A :search_path option is now supported when using the following
+  Rodauth migration methods on PostgreSQL:
+
+  * Rodauth.create_database_authentication_functions
+  * Rodauth.drop_database_authentication_functions
+
+  This sets the search_path to use inside the function.  For
+  backwards compatibility, it defaults to 'public, pg_temp'.

data/doc/remember.rdoc

@@ -20,7 +20,8 @@ remember_deadline_column :: The column name in the remember keys table storing
                             the deadline after which the token will be
                             ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts,
-                              14 days by default.
+                              14 days by default.  Only used if set_deadline_values?
+                              is true.
 remember_disable_label :: The label for disabling remembering.
 remember_disable_param_value :: The parameter value for disabling remembering.
 remember_error_flash :: The flash error to show if there is an error changing a

data/doc/reset_password.rdoc

@@ -19,7 +19,8 @@ reset_password_button :: The text to use for the reset password button.
 reset_password_deadline_column :: The column name in the reset password keys table storing
                                   the deadline after which the token will be ignored.
 reset_password_deadline_interval :: The amount of time for which to allow users to
-                                    reset their passwords, 1 day by default.
+                                    reset their passwords, 1 day by default. Only used if
+                                    set_deadline_values? is true.
 reset_password_email_sent_notice_flash :: The flash notice to show after a reset
                                           password email has been sent.
 reset_password_email_sent_redirect :: Where to redirect after sending a reset

data/lib/rodauth/features/http_basic_auth.rb

@@ -3,6 +3,7 @@
 module Rodauth
   Feature.define(:http_basic_auth, :HttpBasicAuth) do
     auth_value_method :http_basic_auth_realm, "protected"
+    auth_value_method :require_http_basic_auth, false
 
     def session
       return @session if defined?(@session)
@@ -41,9 +42,22 @@ module Rodauth
 
     private
 
-    def throw_basic_auth_error(*args)
+    def require_login
+      if !logged_in? && require_http_basic_auth
+        set_http_basic_auth_error_response
+        request.halt
+      end
+
+      super
+    end
+
+    def set_http_basic_auth_error_response
       response.status = 401
       response.headers["WWW-Authenticate"] = "Basic realm=\"#{http_basic_auth_realm}\""
+    end
+
+    def throw_basic_auth_error(*args)
+      set_http_basic_auth_error_response
       throw_error(*args) 
     end
   end

data/lib/rodauth/features/reset_password.rb

@@ -144,17 +144,13 @@ module Rodauth
     end
 
     def create_reset_password_key
-      ds = password_reset_ds
       transaction do
-        ds.where(Sequel::CURRENT_TIMESTAMP > reset_password_deadline_column).delete
-        if ds.empty?
-          if e = raised_uniqueness_violation{ds.insert(reset_password_key_insert_hash)}
-            # If inserting into the reset password table causes a violation, we can pull the 
-            # existing reset password key from the table, or reraise.
-            raise e unless @reset_password_key_value = get_password_reset_key(account_id)
-          end
-        else
-          @reset_password_key_value = get_password_reset_key(account_id)
+        if reset_password_key_value = get_password_reset_key(account_id)
+          @reset_password_key_value = reset_password_key_value
+        elsif e = raised_uniqueness_violation{password_reset_ds.insert(reset_password_key_insert_hash)}
+          # If inserting into the reset password table causes a violation, we can pull the 
+          # existing reset password key from the table, or reraise.
+          raise e unless @reset_password_key_value = get_password_reset_key(account_id)
         end
       end
     end
@@ -176,7 +172,9 @@ module Rodauth
     end
 
     def get_password_reset_key(id)
-      password_reset_ds(id).get(reset_password_key_column)
+      ds = password_reset_ds(id)
+      ds.where(Sequel::CURRENT_TIMESTAMP > reset_password_deadline_column).delete
+      ds.get(reset_password_key_column)
     end
 
     def login_form_footer

data/lib/rodauth/migrations.rb

@@ -5,8 +5,11 @@ module Rodauth
     table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
     valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
+
     case db.database_type
     when :postgres
+      search_path = opts[:search_path] || 'public, pg_temp'
+
       db.run <<END
 CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id int8) RETURNS text AS $$
 DECLARE salt text;
@@ -18,7 +21,7 @@ RETURN salt;
 END;
 $$ LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path = public, pg_temp;
+SET search_path = #{search_path};
 END
 
       db.run <<END
@@ -32,7 +35,7 @@ RETURN valid;
 END;
 $$ LANGUAGE plpgsql
 SECURITY DEFINER
-SET search_path = public, pg_temp;
+SET search_path = #{search_path};
 END
     when :mysql
       db.run <<END
@@ -102,29 +105,25 @@ END
     end
   end
 
-  def self.drop_database_authentication_functions(db)
+  def self.drop_database_authentication_functions(db, opts={})
+    get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
+
     case db.database_type
     when :postgres
-      db.run "DROP FUNCTION rodauth_get_salt(int8)"
-      db.run "DROP FUNCTION rodauth_valid_password_hash(int8, text)"
+      db.run "DROP FUNCTION #{get_salt_name}(int8)"
+      db.run "DROP FUNCTION #{valid_hash_name}(int8, text)"
     when :mysql, :mssql
-      db.run "DROP FUNCTION rodauth_get_salt"
-      db.run "DROP FUNCTION rodauth_valid_password_hash"
+      db.run "DROP FUNCTION #{get_salt_name}"
+      db.run "DROP FUNCTION #{valid_hash_name}"
     end
   end
 
-  def self.create_database_previous_password_check_functions(db)
-    create_database_authentication_functions(db, :table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match)
+  def self.create_database_previous_password_check_functions(db, opts={})
+    create_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
   end
 
-  def self.drop_database_previous_password_check_functions(db)
-    case db.database_type
-    when :postgres
-      db.run "DROP FUNCTION rodauth_get_previous_salt(int8)"
-      db.run "DROP FUNCTION rodauth_previous_password_hash_match(int8, text)"
-    when :mysql, :mssql
-      db.run "DROP FUNCTION rodauth_get_previous_salt"
-      db.run "DROP FUNCTION rodauth_previous_password_hash_match"
-    end
+  def self.drop_database_previous_password_check_functions(db, opts={})
+    drop_database_authentication_functions(db, {:get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
   end
 end

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.11.0'.freeze
+  VERSION = '1.12.0'.freeze
 
   def self.version
     VERSION

data/spec/disallow_password_reuse_spec.rb

@@ -2,8 +2,13 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth disallow_password_reuse feature' do
   it "should disallow reuse of passwords" do
+    table = :account_previous_password_hashes
     rodauth do
       enable :login, :change_password, :disallow_password_reuse, :close_account
+      if ENV['RODAUTH_SEPARATE_SCHEMA']
+        table = Sequel[:rodauth_test_password][:account_previous_password_hashes]
+        previous_password_hash_table table
+      end
       change_password_requires_password? false
       close_account_requires_password? false
     end
@@ -43,15 +48,18 @@ describe 'Rodauth disallow_password_reuse feature' do
     click_button 'Change Password'
     page.find('#notice_flash').text.must_equal "Your password has been changed"
 
-    DB[:account_previous_password_hashes].get{count(:id)}.must_equal 7
+    DB[table].get{count(:id)}.must_equal 7
     visit '/close-account'
     click_button 'Close Account'
-    DB[:account_previous_password_hashes].get{count(:id)}.must_equal 0
+    DB[table].get{count(:id)}.must_equal 0
   end
 
   it "should handle create account when account_password_hash_column is true" do
     rodauth do
       enable :login, :create_account, :change_password, :disallow_password_reuse
+      if ENV['RODAUTH_SEPARATE_SCHEMA']
+        previous_password_hash_table Sequel[:rodauth_test_password][:account_previous_password_hashes]
+      end
       account_password_hash_column :ph
       change_password_requires_password? false
     end

data/spec/http_basic_auth_spec.rb

@@ -62,6 +62,24 @@ describe "Rodauth http basic auth feature" do
     end
   end
 
+  it "requires authentication if require_http_basic_auth is true" do
+    rodauth do
+      enable :http_basic_auth
+      require_http_basic_auth true
+    end
+    roda do |r|
+      rodauth.require_authentication
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
+    end
+
+    visit '/'
+    page.status_code.must_equal 401
+    page.response_headers.keys.must_include("WWW-Authenticate")
+
+    basic_auth_visit
+    page.text.must_include "Logged In"
+  end
+
   it "works with standard authentication" do
     rodauth do
       enable :login, :http_basic_auth

data/spec/migrate/001_tables.rb

@@ -117,13 +117,13 @@ Sequel.migration do
 
     case database_type
     when :postgres
-      user = get{Sequel.lit('current_user')} + '_password'
+      user = get(Sequel.lit('current_user')) + '_password'
       run "GRANT REFERENCES ON accounts TO #{user}"
     when :mysql, :mssql
       user = if database_type == :mysql
-        get{Sequel.lit('current_user')}.sub(/_password@/, '@')
+        get(Sequel.lit('current_user')).sub(/_password@/, '@')
       else
-        get{DB_NAME{}}
+        get(Sequel.function(:DB_NAME))
       end
       run "GRANT ALL ON account_statuses TO #{user}"
       run "GRANT ALL ON accounts TO #{user}"

data/spec/migrate_password/001_tables.rb

@@ -9,7 +9,7 @@ Sequel.migration do
     Rodauth.create_database_authentication_functions(self)
     case database_type
     when :postgres
-      user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+      user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
       run "REVOKE ALL ON account_password_hashes FROM public"
       run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
       run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
@@ -18,13 +18,13 @@ Sequel.migration do
       run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{user}"
       run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{user}"
     when :mysql
-      user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
-      db_name = get{database{}}
+      user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
+      db_name = get(Sequel.function(:database))
       run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
       run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
       run "GRANT SELECT (id) ON account_password_hashes TO #{user}"
     when :mssql
-      user = get{DB_NAME{}}
+      user = get(Sequel.function(:DB_NAME))
       run "GRANT EXECUTE ON rodauth_get_salt TO #{user}"
       run "GRANT EXECUTE ON rodauth_valid_password_hash TO #{user}"
       run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
@@ -41,7 +41,7 @@ Sequel.migration do
 
     case database_type
     when :postgres
-      user = get{Sequel.lit('current_user')}.sub(/_password\z/, '')
+      user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
       run "REVOKE ALL ON account_previous_password_hashes FROM public"
       run "REVOKE ALL ON FUNCTION rodauth_get_previous_salt(int8) FROM public"
       run "REVOKE ALL ON FUNCTION rodauth_previous_password_hash_match(int8, text) FROM public"
@@ -51,13 +51,13 @@ Sequel.migration do
       run "GRANT EXECUTE ON FUNCTION rodauth_get_previous_salt(int8) TO #{user}"
       run "GRANT EXECUTE ON FUNCTION rodauth_previous_password_hash_match(int8, text) TO #{user}"
     when :mysql
-      user = get{Sequel.lit('current_user')}.sub(/_password@/, '@')
-      db_name = get{database{}}
+      user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
+      db_name = get(Sequel.function(:database))
       run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
       run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
       run "GRANT SELECT (id, account_id) ON account_previous_password_hashes TO #{user}"
     when :mssql
-      user = get{DB_NAME{}}
+      user = get(Sequel.function(:DB_NAME))
       run "GRANT EXECUTE ON rodauth_get_previous_salt TO #{user}"
       run "GRANT EXECUTE ON rodauth_previous_password_hash_match TO #{user}"
       run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"

data/spec/reset_password_spec.rb

@@ -66,6 +66,15 @@ describe 'Rodauth reset_password feature' do
 
     login(:pass=>'0123456')
     page.current_path.must_equal '/'
+
+    login(:pass=>'bad')
+    click_link "Forgot Password?"
+    fill_in "Login", :with=>"foo@example.com"
+    click_button "Request Password Reset"
+    DB[:account_password_reset_keys].update(:deadline => Time.now - 60).must_equal 1
+    link = email_link(/(\/reset-password\?key=.+)$/)
+    visit link
+    page.find('#error_flash').text.must_equal "invalid password reset key"
   end
 
   it "should support resetting passwords for accounts without confirmation" do

data/spec/rodauth_spec.rb

@@ -152,6 +152,12 @@ describe 'Rodauth' do
     app = Class.new(Base)
     app.plugin(:rodauth) do
       enable :login
+      if ENV['RODAUTH_SEPARATE_SCHEMA']
+        password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
+        function_name do |name|
+          "rodauth_test_password.#{name}"
+        end
+      end
     end
     app.plugin(:rodauth, :name=>:r2) do
       enable :logout
@@ -188,14 +194,14 @@ describe 'Rodauth' do
     rodauth do
       enable :login
       (class << self; self end).send(:define_method, :warn){|msg| warning = msg}
-      account_model Sequel::Model(DB[:accs].select(:id))
+      account_model Sequel::Model(DB[:accounts].select(:id))
     end
     roda do |r|
       "#{rodauth.accounts_table}#{rodauth.account_select.length}"
     end
 
     visit '/'
-    page.body.must_equal 'accs1'
+    page.body.must_equal 'accounts1'
     warning.must_equal "account_model is deprecated, use db and accounts_table settings"
   end
 

data/spec/spec_helper.rb

@@ -121,6 +121,12 @@ class Minitest::HooksSpec
         json_response_success_key 'success'
         json_response_custom_error_status? true
       end
+      if ENV['RODAUTH_SEPARATE_SCHEMA']
+        password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
+        function_name do |name|
+          "rodauth_test_password.#{name}"
+        end
+      end
       instance_exec(&rodauth_block)
     end
     app.route(&block)
@@ -220,7 +226,8 @@ class Minitest::HooksSpec
   around(:all) do |&block|
     DB.transaction(:rollback=>:always) do
       hash = BCrypt::Password.create('0123456789', :cost=>BCrypt::Engine::MIN_COST)
-      DB[:account_password_hashes].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
+      table = ENV['RODAUTH_SEPARATE_SCHEMA'] ? Sequel[:rodauth_test_password][:account_password_hashes] : :account_password_hashes
+      DB[table].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
       super(&block)
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.11.0
+  version: 1.12.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-24 00:00:00.000000000 Z
+date: 2017-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -240,6 +240,7 @@ extra_rdoc_files:
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/1.10.0.txt
 - doc/release_notes/1.11.0.txt
+- doc/release_notes/1.12.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -270,6 +271,7 @@ files:
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
 - doc/release_notes/1.11.0.txt
+- doc/release_notes/1.12.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -422,7 +424,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications