rodauth 1.14.0 → 1.15.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/MIT-LICENSE +1 -1
- data/doc/change_password_notify.rdoc +0 -10
- data/doc/create_account.rdoc +3 -0
- data/doc/release_notes/1.15.0.txt +21 -0
- data/doc/verify_account.rdoc +3 -0
- data/lib/rodauth/features/create_account.rb +13 -10
- data/lib/rodauth/features/verify_account.rb +37 -13
- data/lib/rodauth/version.rb +1 -1
- data/spec/verify_account_spec.rb +45 -0
- data/templates/create-account.str +2 -2
- data/templates/verify-account.str +2 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d3c6bdb8caddbc1197f6af32fffb55ed7f1f66b088849893ee01dd2584ca10ac
|
|
4
|
+
data.tar.gz: 429057d63aba07108ff8e7df142509c8c4459db6ddda89cd1869b82b2ab0c6e4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cceea61e53481439c655ad641a1b417200e65802996ce9ee99b03d1626a928dc073f5b96225e904b1c971407c0a96c05305a974a7f25f45199d78b2f9d612c7c
|
|
7
|
+
data.tar.gz: 05a840ba64a93b8f80e4dc58c52129b9720fa2f8ab80c7d4011dc5e0880f74818264af5ffc5ca995bc06255ab75fd8a187696d15fa1ff1024b2f01dc92305fd6
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
=== 1.15.0 (2018-01-29)
|
|
2
|
+
|
|
3
|
+
* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
|
|
4
|
+
|
|
1
5
|
=== 1.14.0 (2017-12-19)
|
|
2
6
|
|
|
3
7
|
* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
|
data/MIT-LICENSE
CHANGED
|
@@ -2,16 +2,6 @@
|
|
|
2
2
|
|
|
3
3
|
The change password notify feature emails the user when their password
|
|
4
4
|
is changed using the change password feature.
|
|
5
|
-
auth_value_method :password_changed_email_subject, 'Password Changed'
|
|
6
|
-
|
|
7
|
-
auth_value_methods(
|
|
8
|
-
:password_changed_email_body
|
|
9
|
-
)
|
|
10
|
-
auth_methods(
|
|
11
|
-
:create_password_changed_email,
|
|
12
|
-
:send_password_changed_email
|
|
13
|
-
)
|
|
14
|
-
|
|
15
5
|
|
|
16
6
|
== Auth Value Methods
|
|
17
7
|
|
data/doc/create_account.rdoc
CHANGED
|
@@ -14,6 +14,9 @@ create_account_notice_flash :: The flash notice to show after successful
|
|
|
14
14
|
create_account_redirect :: Where to redirect after creating the account.
|
|
15
15
|
create_account_route :: The route to the create account action. Defaults to
|
|
16
16
|
+create-account+.
|
|
17
|
+
create_account_set_password? :: Whether to ask for a password to be set on the create
|
|
18
|
+
account form. Defaults to true. If set to false, an
|
|
19
|
+
alternative method to set the password should be used.
|
|
17
20
|
|
|
18
21
|
== Auth Methods
|
|
19
22
|
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* create_account_set_password? and verify_account_set_password?
|
|
4
|
+
configuration methods have been added to the create_account and
|
|
5
|
+
verify_account features. Setting:
|
|
6
|
+
|
|
7
|
+
verify_account_set_password? true
|
|
8
|
+
|
|
9
|
+
in your rodauth configuration will change Rodauth so that instead
|
|
10
|
+
of asking for a password on the create account form, it will ask for
|
|
11
|
+
a password on the verify account form.
|
|
12
|
+
|
|
13
|
+
This can fix a possible issue where an attacker creates an account
|
|
14
|
+
for a user with a password the attacker knows. If the user clicks
|
|
15
|
+
on the link in the verify account email and clicks on the button on
|
|
16
|
+
the verify account page, the attacker would have have a verified
|
|
17
|
+
account that they know the password to.
|
|
18
|
+
|
|
19
|
+
By setting verify_account_set_password? to true, you can ensure that
|
|
20
|
+
only the user who has access to the email can enter the password for
|
|
21
|
+
the account.
|
data/doc/verify_account.rdoc
CHANGED
|
@@ -45,6 +45,9 @@ verify_account_resend_route :: The route to the verify account resend action.
|
|
|
45
45
|
verify_account_route :: The route to the verify account action. Defaults to
|
|
46
46
|
+verify-account+.
|
|
47
47
|
verify_account_session_key :: The key in the session to hold the verify account key temporarily.
|
|
48
|
+
verify_account_set_password? :: Whether to ask for a password to be set on the verify account
|
|
49
|
+
form. Defaults to false. If set to true, will automatically
|
|
50
|
+
stop asking for passwords to be set on the create account form.
|
|
48
51
|
verify_account_table :: The name of the verify account keys table.
|
|
49
52
|
|
|
50
53
|
== Auth Methods
|
|
@@ -16,6 +16,7 @@ module Rodauth
|
|
|
16
16
|
redirect
|
|
17
17
|
|
|
18
18
|
auth_value_method :create_account_autologin?, true
|
|
19
|
+
auth_value_method :create_account_set_password?, true
|
|
19
20
|
|
|
20
21
|
auth_value_methods :create_account_link
|
|
21
22
|
|
|
@@ -41,10 +42,6 @@ module Rodauth
|
|
|
41
42
|
password = param(password_param)
|
|
42
43
|
new_account(login)
|
|
43
44
|
|
|
44
|
-
if account_password_hash_column
|
|
45
|
-
set_new_account_password(param(password_param))
|
|
46
|
-
end
|
|
47
|
-
|
|
48
45
|
catch_error do
|
|
49
46
|
if require_login_confirmation? && login != param(login_confirm_param)
|
|
50
47
|
throw_error_status(unmatched_field_error_status, login_param, logins_do_not_match_message)
|
|
@@ -54,12 +51,18 @@ module Rodauth
|
|
|
54
51
|
throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
|
|
55
52
|
end
|
|
56
53
|
|
|
57
|
-
if
|
|
58
|
-
|
|
59
|
-
|
|
54
|
+
if create_account_set_password?
|
|
55
|
+
if require_password_confirmation? && password != param(password_confirm_param)
|
|
56
|
+
throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
|
|
57
|
+
end
|
|
60
58
|
|
|
61
|
-
|
|
62
|
-
|
|
59
|
+
unless password_meets_requirements?(password)
|
|
60
|
+
throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
if account_password_hash_column
|
|
64
|
+
set_new_account_password(password)
|
|
65
|
+
end
|
|
63
66
|
end
|
|
64
67
|
|
|
65
68
|
transaction do
|
|
@@ -68,7 +71,7 @@ module Rodauth
|
|
|
68
71
|
throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
|
|
69
72
|
end
|
|
70
73
|
|
|
71
|
-
|
|
74
|
+
if create_account_set_password? && !account_password_hash_column
|
|
72
75
|
set_password(password)
|
|
73
76
|
end
|
|
74
77
|
after_create_account
|
|
@@ -32,8 +32,7 @@ module Rodauth
|
|
|
32
32
|
auth_value_method :verify_account_id_column, :id
|
|
33
33
|
auth_value_method :verify_account_key_column, :key
|
|
34
34
|
auth_value_method :verify_account_session_key, :verify_account_key
|
|
35
|
-
|
|
36
|
-
auth_value_methods :verify_account_resend_link
|
|
35
|
+
auth_value_method :verify_account_set_password?, false
|
|
37
36
|
|
|
38
37
|
auth_methods(
|
|
39
38
|
:allow_resending_verify_account_email?,
|
|
@@ -108,20 +107,40 @@ module Rodauth
|
|
|
108
107
|
redirect verify_account_redirect
|
|
109
108
|
end
|
|
110
109
|
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
110
|
+
catch_error do
|
|
111
|
+
if verify_account_set_password?
|
|
112
|
+
password = param(password_param)
|
|
113
|
+
|
|
114
|
+
if require_password_confirmation? && password != param(password_confirm_param)
|
|
115
|
+
throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
unless password_meets_requirements?(password)
|
|
119
|
+
throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
|
|
123
|
+
transaction do
|
|
124
|
+
before_verify_account
|
|
125
|
+
verify_account
|
|
126
|
+
if verify_account_set_password?
|
|
127
|
+
set_password(password)
|
|
128
|
+
end
|
|
129
|
+
remove_verify_account_key
|
|
130
|
+
after_verify_account
|
|
131
|
+
end
|
|
117
132
|
|
|
118
|
-
|
|
119
|
-
|
|
133
|
+
if verify_account_autologin?
|
|
134
|
+
update_session
|
|
135
|
+
end
|
|
136
|
+
|
|
137
|
+
session[verify_account_session_key] = nil
|
|
138
|
+
set_notice_flash verify_account_notice_flash
|
|
139
|
+
redirect verify_account_redirect
|
|
120
140
|
end
|
|
121
141
|
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
redirect verify_account_redirect
|
|
142
|
+
set_error_flash verify_account_error_flash
|
|
143
|
+
verify_account_view
|
|
125
144
|
end
|
|
126
145
|
end
|
|
127
146
|
|
|
@@ -194,6 +213,11 @@ module Rodauth
|
|
|
194
213
|
"<p><a href=\"#{prefix}/#{verify_account_resend_route}\">Resend Verify Account Information</a></p>"
|
|
195
214
|
end
|
|
196
215
|
|
|
216
|
+
def create_account_set_password?
|
|
217
|
+
return false if verify_account_set_password?
|
|
218
|
+
super
|
|
219
|
+
end
|
|
220
|
+
|
|
197
221
|
private
|
|
198
222
|
|
|
199
223
|
attr_reader :verify_account_key_value
|
data/lib/rodauth/version.rb
CHANGED
data/spec/verify_account_spec.rb
CHANGED
|
@@ -55,6 +55,51 @@ describe 'Rodauth verify_account feature' do
|
|
|
55
55
|
page.current_path.must_equal '/'
|
|
56
56
|
end
|
|
57
57
|
|
|
58
|
+
[false, true].each do |ph|
|
|
59
|
+
it "should support setting passwords when verifying accounts #{'with account_password_hash_column' if ph}" do
|
|
60
|
+
rodauth do
|
|
61
|
+
enable :login, :create_account, :verify_account
|
|
62
|
+
account_password_hash_column :ph if ph
|
|
63
|
+
verify_account_autologin? false
|
|
64
|
+
verify_account_set_password? true
|
|
65
|
+
end
|
|
66
|
+
roda do |r|
|
|
67
|
+
r.rodauth
|
|
68
|
+
r.root{view :content=>""}
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
visit '/create-account'
|
|
72
|
+
fill_in 'Login', :with=>'foo@example2.com'
|
|
73
|
+
fill_in 'Confirm Login', :with=>'foo@example2.com'
|
|
74
|
+
click_button 'Create Account'
|
|
75
|
+
page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
|
|
76
|
+
|
|
77
|
+
link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
|
|
78
|
+
visit link
|
|
79
|
+
fill_in 'Password', :with=>'0123456789'
|
|
80
|
+
fill_in 'Confirm Password', :with=>'012345678'
|
|
81
|
+
click_button 'Verify Account'
|
|
82
|
+
page.html.must_include("passwords do not match")
|
|
83
|
+
page.find('#error_flash').text.must_equal "Unable to verify account"
|
|
84
|
+
|
|
85
|
+
fill_in 'Password', :with=>'0123'
|
|
86
|
+
fill_in 'Confirm Password', :with=>'0123'
|
|
87
|
+
click_button 'Verify Account'
|
|
88
|
+
page.html.must_include("invalid password, does not meet requirements (minimum 6 characters)")
|
|
89
|
+
page.find('#error_flash').text.must_equal "Unable to verify account"
|
|
90
|
+
|
|
91
|
+
fill_in 'Password', :with=>'0123456789'
|
|
92
|
+
fill_in 'Confirm Password', :with=>'0123456789'
|
|
93
|
+
click_button 'Verify Account'
|
|
94
|
+
page.find('#notice_flash').text.must_equal "Your account has been verified"
|
|
95
|
+
page.current_path.must_equal '/'
|
|
96
|
+
|
|
97
|
+
login(:login=>'foo@example2.com', :password=>'0123456789')
|
|
98
|
+
page.find('#notice_flash').text.must_equal 'You have been logged in'
|
|
99
|
+
page.current_path.must_equal '/'
|
|
100
|
+
end
|
|
101
|
+
end
|
|
102
|
+
|
|
58
103
|
it "should support autologin when verifying accounts" do
|
|
59
104
|
rodauth do
|
|
60
105
|
enable :login, :create_account, :verify_account
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
#{rodauth.csrf_tag}
|
|
4
4
|
#{rodauth.render('login-field')}
|
|
5
5
|
#{rodauth.render('login-confirm-field') if rodauth.require_login_confirmation?}
|
|
6
|
-
#{rodauth.render('password-field')}
|
|
7
|
-
#{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}
|
|
6
|
+
#{rodauth.render('password-field') if rodauth.create_account_set_password?}
|
|
7
|
+
#{rodauth.render('password-confirm-field') if rodauth.create_account_set_password? && rodauth.require_password_confirmation?}
|
|
8
8
|
#{rodauth.button(rodauth.create_account_button)}
|
|
9
9
|
</form>
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
<form method="post" class="rodauth form-horizontal" role="form" id="verify-account-form">
|
|
2
2
|
#{rodauth.verify_account_additional_form_tags}
|
|
3
3
|
#{rodauth.csrf_tag}
|
|
4
|
+
#{rodauth.render('password-field') if rodauth.verify_account_set_password?}
|
|
5
|
+
#{rodauth.render('password-confirm-field') if rodauth.verify_account_set_password? && rodauth.require_password_confirmation?}
|
|
4
6
|
#{rodauth.button(rodauth.verify_account_button)}
|
|
5
7
|
</form>
|
|
6
8
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-01-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -244,6 +244,7 @@ extra_rdoc_files:
|
|
|
244
244
|
- doc/release_notes/1.12.0.txt
|
|
245
245
|
- doc/release_notes/1.13.0.txt
|
|
246
246
|
- doc/release_notes/1.14.0.txt
|
|
247
|
+
- doc/release_notes/1.15.0.txt
|
|
247
248
|
files:
|
|
248
249
|
- CHANGELOG
|
|
249
250
|
- MIT-LICENSE
|
|
@@ -278,6 +279,7 @@ files:
|
|
|
278
279
|
- doc/release_notes/1.12.0.txt
|
|
279
280
|
- doc/release_notes/1.13.0.txt
|
|
280
281
|
- doc/release_notes/1.14.0.txt
|
|
282
|
+
- doc/release_notes/1.15.0.txt
|
|
281
283
|
- doc/release_notes/1.2.0.txt
|
|
282
284
|
- doc/release_notes/1.3.0.txt
|
|
283
285
|
- doc/release_notes/1.4.0.txt
|