rodauth 1.13.0 → 1.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f6c97c6e01c1026bf027fb99348421103909a668
-  data.tar.gz: 910777f85e599d240356aeb2eba4339db0c481c3
+SHA256:
+  metadata.gz: 62724514e9c4c31b8af9992d86ed3f1de98a38860ee7890f2da54e28fa4f2394
+  data.tar.gz: 58ba690b1c2e193728c6341d60df851e043fd3706ed1769c5ae6ecc0eed24592
 SHA512:
-  metadata.gz: c2a571d6eac5c96a458da39020a074edb561c2f71ef32a93382177fcdfe67d73d0ad5dd548255d7c8a09e9f9d67166becd616ec1d8c650d30d766a42b24990ae
-  data.tar.gz: '070838b8388668fa6c7ac73145c82dd0e825d61c83ea43e603789f1efd0383d3c57b147345f55b47d709f6a3786f475fc78fa2e1f5fd30213d6e691fcb6ba5ba'
+  metadata.gz: 8b187d024978cf9a7c22cc8f21e892dab50075c7eb2a605c45c7423cec186169e160d944e051d1e9c369222e373ee0e5ebd9effe217ca13f0d3edc7ec0e2875e
+  data.tar.gz: b990669e7aecbc09dcd90d89001ca35dd12fea964bbe1e8c29629b95f9a9bfe4fbb19cbcd683ab5b28575a7e00940aff087604e80f18c3d6c9a65b7bc658976b

data/CHANGELOG

@@ -1,3 +1,11 @@
+=== 1.14.0 (2017-12-19)
+
+* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
+
+* Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
+
+* Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
+
 === 1.13.0 (2017-11-21)
 
 * Add json_response_body(hash) configuration method to jwt feature (jeremyevans)

data/README.rdoc

@@ -41,6 +41,7 @@ hashes by protecting access via database functions.
 * JWT (JSON API support for all other features)
 * Update Password Hash (when hash cost changes)
 * HTTP Basic Auth
+* Change Password Notify
 
 == Resources
 

data/doc/change_password_notify.rdoc

@@ -0,0 +1,24 @@
+= Documentation for Change Password Notify Feature
+
+The change password notify feature emails the user when their password
+is changed using the change password feature.
+    auth_value_method :password_changed_email_subject, 'Password Changed'
+
+    auth_value_methods(
+      :password_changed_email_body
+    )
+    auth_methods(
+      :create_password_changed_email,
+      :send_password_changed_email
+    )
+
+
+== Auth Value Methods
+
+password_changed_email_subject :: Subject to use for the password changed emails
+password_changed_email_body :: Body to use for the password changed emails
+
+== Auth Methods
+
+create_password_changed_email :: A Mail::Message for the password changed email to send.
+send_password_changed_email :: Send the account unlock email.

data/doc/release_notes/1.14.0.txt

@@ -0,0 +1,19 @@
+= New Features
+
+* A change_password_notify feature has been added, which emails the
+  user when the change_password feature is used to change their
+  password.  This can alert the user when their password may have
+  been changed without their knowledge.
+
+= Other Improvements
+
+* When using the account_expiration feature with the reset_password
+  feature, resetting the passwords for expired accounts is no longer
+  allowed.  Note that the previous behavior isn't considered a
+  security issue, because even after resetting their password,
+  expired accounts could not login.
+
+* When using the account_expiration feature with the lockout feature,
+  unlocking expired accounts is no longer allowed.  Note that the
+  previous behavior isn't considered a security issue, because even
+  after unlocking the account, expired accounts could not login.

data/lib/rodauth/features/account_expiration.rb

@@ -71,6 +71,26 @@ module Rodauth
 
     private
 
+    def before_reset_password
+      check_account_expiration
+      super if defined?(super)
+    end
+
+    def before_reset_password_request
+      check_account_expiration
+      super if defined?(super)
+    end
+
+    def before_unlock_account
+      check_account_expiration
+      super if defined?(super)
+    end
+
+    def before_unlock_account_request
+      check_account_expiration
+      super if defined?(super)
+    end
+
     def after_close_account
       super if defined?(super)
       account_activity_ds(account_id).delete

data/lib/rodauth/features/change_password_notify.rb

@@ -0,0 +1,37 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:change_password_notify, :ChangePasswordNotify) do
+    depends :change_password, :email_base
+
+    auth_value_method :password_changed_email_subject, 'Password Changed'
+
+    auth_value_methods(
+      :password_changed_email_body
+    )
+    auth_methods(
+      :create_password_changed_email,
+      :send_password_changed_email
+    )
+
+    private
+
+    def send_password_changed_email
+      create_password_changed_email.deliver!
+    end
+
+    def create_password_changed_email
+      create_email(password_changed_email_subject, password_changed_email_body)
+    end
+
+    def password_changed_email_body
+      render('password-changed-email')
+    end
+
+    def after_change_password
+      super
+      send_password_changed_email
+    end
+  end
+end
+

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.13.0'.freeze
+  VERSION = '1.14.0'.freeze
 
   def self.version
     VERSION

data/spec/account_expiration_spec.rb

@@ -1,7 +1,7 @@
 require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth account expiration feature' do
-  it "should force account expiration after x number of days" do
+  it "should force account expiration after x number of days since last login" do
     rodauth do
       enable :login, :logout, :account_expiration
     end
@@ -27,6 +27,141 @@ describe 'Rodauth account expiration feature' do
     end
   end
 
+  it "should not allow resetting of passwords for expired accounts" do
+    rodauth do
+      enable :login, :logout, :account_expiration, :reset_password
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.last_account_login_at.strftime('%m%d%y')}" : "Not Logged"}
+    end
+
+    now = Time.now
+    login
+    page.body.must_include "Logged In#{now.strftime('%m%d%y')}"
+    logout
+
+    visit '/login'
+    click_link 'Forgot Password?'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Request Password Reset'
+    link = email_link(/(\/reset-password\?key=.+)$/)
+
+    visit link
+    fill_in 'Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456'
+    click_button 'Reset Password'
+    page.find('#notice_flash').text.must_equal "Your password has been reset"
+    page.current_path.must_equal '/'
+
+    visit '/login'
+    click_link 'Forgot Password?'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Request Password Reset'
+    link = email_link(/(\/reset-password\?key=.+)$/)
+
+    DB[:account_activity_times].update(:last_login_at => Time.now - 181*86400)
+
+    visit link
+    page.title.must_equal 'Reset Password'
+    fill_in 'Password', :with=>'01234567'
+    fill_in 'Confirm Password', :with=>'01234567'
+    click_button 'Reset Password'
+    page.find('#error_flash').text.must_equal "You cannot log into this account as it has expired"
+    page.body.must_include 'Not Logged'
+    page.current_path.must_equal '/'
+
+    visit '/login'
+    click_link 'Forgot Password?'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Request Password Reset'
+    page.find('#error_flash').text.must_equal "You cannot log into this account as it has expired"
+    page.body.must_include 'Not Logged'
+    page.current_path.must_equal '/'
+  end
+
+  it "should not allow account unlocks for expired accounts" do
+    rodauth do
+      enable :lockout, :account_expiration, :logout
+      max_invalid_logins 2
+      unlock_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    login
+    logout
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    3.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+    end
+
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+
+    visit link
+    click_button 'Unlock Account'
+    page.find('#notice_flash').text.must_equal 'Your account has been unlocked'
+    page.body.must_include('Not Logged')
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    3.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+    end
+
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
+    link = email_link(/(\/unlock-account\?key=.+)$/)
+
+    DB[:account_activity_times].update(:last_login_at => Time.now - 181*86400)
+
+    visit link
+    click_button 'Unlock Account'
+    page.find('#error_flash').text.must_equal "You cannot log into this account as it has expired"
+    page.body.must_include 'Not Logged'
+    page.current_path.must_equal '/'
+  end
+
+  it "should not allow account unlock requests for expired accounts" do
+    rodauth do
+      enable :lockout, :account_expiration, :logout
+      max_invalid_logins 2
+      unlock_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : "Not Logged")}
+    end
+
+    login
+    logout
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    3.times do
+      fill_in 'Password', :with=>'012345678910'
+      click_button 'Login'
+    end
+
+    DB[:account_activity_times].update(:last_login_at => Time.now - 181*86400)
+
+    page.body.must_include("This account is currently locked out")
+    click_button 'Request Account Unlock'
+    page.find('#error_flash').text.must_equal "You cannot log into this account as it has expired"
+    page.body.must_include 'Not Logged'
+    page.current_path.must_equal '/'
+  end
+
   it "should use last activity time if configured" do
     rodauth do
       enable :login, :logout, :account_expiration

data/spec/change_password_notify_spec.rb

@@ -0,0 +1,33 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth change_password_notify feature' do
+  it "should email when using change password" do
+    rodauth do
+      enable :login, :logout, :change_password_notify
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+    fill_in 'New Password', :with=>'0123456'
+    fill_in 'Confirm Password', :with=>'0123456'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+    page.current_path.must_equal '/'
+    msgs = Mail::TestMailer.deliveries
+    msgs.length.must_equal 1
+    msgs.first.to.first.must_equal 'foo@example.com'
+    msgs.first.body.to_s.must_equal <<EMAIL
+Someone (hopefully you) has changed the password for the account
+associated to this email address.
+EMAIL
+    msgs.clear
+  end
+end

data/templates/password-changed-email.str

@@ -0,0 +1,2 @@
+Someone (hopefully you) has changed the password for the account
+associated to this email address.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.14.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-21 00:00:00.000000000 Z
+date: 2017-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -228,6 +228,7 @@ extra_rdoc_files:
 - doc/http_basic_auth.rdoc
 - doc/verify_login_change.rdoc
 - doc/internals.rdoc
+- doc/change_password_notify.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.2.0.txt
@@ -242,6 +243,7 @@ extra_rdoc_files:
 - doc/release_notes/1.11.0.txt
 - doc/release_notes/1.12.0.txt
 - doc/release_notes/1.13.0.txt
+- doc/release_notes/1.14.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -251,6 +253,7 @@ files:
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
+- doc/change_password_notify.rdoc
 - doc/close_account.rdoc
 - doc/confirm_password.rdoc
 - doc/create_account.rdoc
@@ -274,6 +277,7 @@ files:
 - doc/release_notes/1.11.0.txt
 - doc/release_notes/1.12.0.txt
 - doc/release_notes/1.13.0.txt
+- doc/release_notes/1.14.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -299,6 +303,7 @@ files:
 - lib/rodauth/features/base.rb
 - lib/rodauth/features/change_login.rb
 - lib/rodauth/features/change_password.rb
+- lib/rodauth/features/change_password_notify.rb
 - lib/rodauth/features/close_account.rb
 - lib/rodauth/features/confirm_password.rb
 - lib/rodauth/features/create_account.rb
@@ -331,6 +336,7 @@ files:
 - spec/account_expiration_spec.rb
 - spec/all.rb
 - spec/change_login_spec.rb
+- spec/change_password_notify_spec.rb
 - spec/change_password_spec.rb
 - spec/close_account_spec.rb
 - spec/confirm_password_spec.rb
@@ -377,6 +383,7 @@ files:
 - templates/otp-auth.str
 - templates/otp-disable.str
 - templates/otp-setup.str
+- templates/password-changed-email.str
 - templates/password-confirm-field.str
 - templates/password-field.str
 - templates/recovery-auth.str
@@ -426,7 +433,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications