rodauth 1.15.0 → 1.16.0

data/doc/disallow_common_passwords.rdoc

@@ -0,0 +1,17 @@
+= Documentation for Disallow Common Passwords Feature
+
+The disallow common passwords feature disallows setting of a password
+that matches one of the most common passwords.  By default, a list of
+10,000 of the most common passwords is used, but you can supply your
+own file.  Using a larger list is recommended, but Rodauth doesn't
+ship with a larger list to avoid bloating the size of the gem.
+
+== Auth Value Methods
+
+most_common_passwords :: An object that responds to +include?+ which will return true if the password given is one of the most common passwords. Useful for custom password sets where they are not stored in files and kept in memory.
+most_common_passwords_file :: The path to the file containing the most common passwords, which are not allowed to be used for new passwords.  Defaults to a list of 10,000 most common passwords that ships with Rodauth.  Can be set to nil/false if you do not want to to load common passwords from a file.
+password_is_one_of_the_most_common_message :: The error message fragment to display if the given password matches one of the most common passwords.
+
+== Auth Methods
+
+password_one_of_most_common?(password) :: This can be used to override the default check for whether the given password is contained in the most_common_passwords_file.  This method may be useful when using very large password databases where you don't want to keep the list of most common passwords in memory.

data/doc/release_notes/1.16.0.txt

@@ -0,0 +1,31 @@
+= New Features
+
+* A disallow_common_passwords feature has been added.  This feature
+  by default will disallow the 10,000 most common passwords:
+
+    enable :disallow_common_passwords
+
+  You can supply your own file containing common passwords separated
+  by newlines ("\n"):
+
+    most_common_passwords_file '/path/to/file'
+
+  You can also supply a password dictionary directly as any object
+  that responds to include?:
+
+    most_common_passwords some_password_dictionary_object
+
+  The reason only the 10,000 most common passwords are used by
+  default is larger password files would significantly bloat the
+  size of the gem.  Also, because the most common passwords are kept
+  in memory by default for performance reasons, larger password
+  files can bloat the memory usage of the process (the
+  disallow_common_passwords feature should use around 500KB of
+  memory by default).  For very large password dictionaries,
+  consider using a custom object that does not keep all common
+  passwords in memory.
+  
+= Other Improvements
+
+* Rodauth no longer uses the Rack::Request#[] method to get
+  parameter values.  This method is deprecated in Rack 2.  

data/doc/remember.rdoc

@@ -6,6 +6,19 @@ password confirmation later for such sessions if they are accessing a
 section requiring more security.  The remember feature depends on the
 logout feature.
 
+By default, the remember feature just supports a form that the user can use
+to change their remember settings for the current browser.  They can either
+enable remembering for the browser, forget it for the browser, or disable
+it completely so that any remembering for other browsers is removed as well.
+
+In some cases, you may want to force remembering on users if you don't want
+to force them to turn it on manually.  For example, if you want to force
+remembering on login, you can do that via:
+
+  after_login do
+    remember_login
+  end
+
 == Auth Value Methods
 
 extend_remember_deadline? :: Whether to extend the remember token deadline
@@ -46,7 +59,6 @@ remember_param :: The parameter name to use for the remember password settings
 remembered_session_key :: The key in the session storing whether the current
                           session has been autologged in via remember token.
 
-
 == Auth Methods
 
 add_remember_key :: Add a remember key for the current account to the remember

data/lib/rodauth/features/base.rb

@@ -286,8 +286,6 @@ module Rodauth
       session[session_key] = account_session_value
     end
 
-    private
-
     # Return a string for the parameter name.  This will be an empty
     # string if the parameter doesn't exist.
     def param(key)
@@ -301,6 +299,8 @@ module Rodauth
       value.to_s unless value.nil?
     end
 
+    private
+
     def redirect(path)
       request.redirect(path)
     end

data/lib/rodauth/features/disallow_common_passwords.rb

@@ -0,0 +1,39 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:disallow_common_passwords, :DisallowCommonPasswords) do
+    depends :login_password_requirements_base
+
+    auth_value_method :most_common_passwords_file, File.join(File.dirname(File.dirname(File.dirname(File.dirname(File.expand_path(__FILE__))))), 'dict', 'top-10_000-passwords.txt')
+    auth_value_method :password_is_one_of_the_most_common_message, "is one of the most common passwords"
+    auth_value_method :most_common_passwords, nil
+
+    auth_methods :password_one_of_most_common?
+
+    def password_meets_requirements?(password)
+      super && password_not_one_of_the_most_common?(password)
+    end
+
+    def post_configure
+      super
+
+      return if most_common_passwords || !most_common_passwords_file
+
+      require 'set'
+      most_common = Set.new(File.read(most_common_passwords_file).split("\n").each(&:freeze)).freeze
+      self.class.send(:define_method, :most_common_passwords){most_common}
+    end
+
+    def password_one_of_most_common?(password)
+      most_common_passwords.include?(password)
+    end
+
+    private
+
+    def password_not_one_of_the_most_common?(password)
+      return true unless password_one_of_most_common?(password)
+      @password_requirement_message = password_is_one_of_the_most_common_message
+      false
+    end
+  end
+end

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -69,7 +69,7 @@ module Rodauth
 
     def after_create_account
       if account_password_hash_column
-        add_previous_password_hash(password_hash(request[password_param]))
+        add_previous_password_hash(password_hash(param(password_param)))
       end
       super if defined?(super)
     end

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.15.0'.freeze
+  VERSION = '1.16.0'.freeze
 
   def self.version
     VERSION

data/spec/disallow_common_passwords_spec.rb

@@ -0,0 +1,93 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth disallow common passwords feature' do
+  it "should check that password used is not one of the most common" do
+    rodauth do
+      enable :login, :change_password, :disallow_common_passwords
+      change_password_requires_password? false
+      password_minimum_length 1
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+
+    bad_password_file = File.join(File.dirname(File.dirname(File.expand_path(__FILE__))), 'dict', 'top-10_000-passwords.txt')
+    File.read(bad_password_file).split.shuffle.take(5).each do |pass|
+      fill_in 'New Password', :with=>pass
+      fill_in 'Confirm Password', :with=>pass
+      click_button 'Change Password'
+      page.html.must_include("invalid password, does not meet requirements (is one of the most common passwords)")
+      page.find('#error_flash').text.must_equal "There was an error changing your password"
+    end
+
+    fill_in 'New Password', :with=>'footpassword'
+    fill_in 'Confirm Password', :with=>'footpassword'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+
+  it "should check that password used is not one of the most common with custom password set" do
+    rodauth do
+      enable :login, :change_password, :disallow_common_passwords
+      change_password_requires_password? false
+      most_common_passwords ['foobarbaz']
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+
+    fill_in 'New Password', :with=>'foobarbaz'
+    fill_in 'Confirm Password', :with=>'foobarbaz'
+    click_button 'Change Password'
+    page.html.must_include("invalid password, does not meet requirements (is one of the most common passwords)")
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+
+    fill_in 'New Password', :with=>'footpassword'
+    fill_in 'Confirm Password', :with=>'footpassword'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+
+  it "should check that password used is not one of the most common with custom check" do
+    rodauth do
+      enable :login, :change_password, :disallow_common_passwords
+      change_password_requires_password? false
+      most_common_passwords_file nil
+      password_one_of_most_common? do |password|
+        password == 'foobarbaz'
+      end
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    login
+    page.current_path.must_equal '/'
+
+    visit '/change-password'
+
+    fill_in 'New Password', :with=>'foobarbaz'
+    fill_in 'Confirm Password', :with=>'foobarbaz'
+    click_button 'Change Password'
+    page.html.must_include("invalid password, does not meet requirements (is one of the most common passwords)")
+    page.find('#error_flash').text.must_equal "There was an error changing your password"
+
+    fill_in 'New Password', :with=>'footpassword'
+    fill_in 'Confirm Password', :with=>'footpassword'
+    click_button 'Change Password'
+    page.find('#notice_flash').text.must_equal "Your password has been changed"
+  end
+end

data/spec/login_spec.rb

@@ -57,7 +57,7 @@ describe 'Rodauth login feature' do
     end
     roda do |r|
       r.post 'login' do
-        if r['login'] == 'apple' && r['password'] == 'banana'
+        if r.params['login'] == 'apple' && r.params['password'] == 'banana'
           session[:user_id] = 'pear'
           r.redirect '/'
         end
@@ -119,7 +119,7 @@ describe 'Rodauth login feature' do
       session_key :login_email
       account_from_session{DB[:accounts].first(:email=>session_value)}
       account_session_value{account[:email]}
-      login_param{request['lp']}
+      login_param{param('lp')}
       login_additional_form_tags "<input type='hidden' name='lp' value='l' />"
       password_param 'p'
       login_redirect{"/foo/#{account[:email]}"}

data/spec/spec_helper.rb

@@ -103,6 +103,10 @@ class Minitest::HooksSpec
     jwt = type == :jwt || type == :jwt_html
 
     app = Class.new(jwt_only ? JsonBase : Base)
+    begin
+      app.plugin :request_aref, :raise
+    rescue LoadError
+    end
     app.opts[:unsupported_block_result] = :raise
     app.opts[:unsupported_matcher] = :raise
     app.opts[:verbatim_string_matcher] = true

data/spec/views/login.str

@@ -1,6 +1,6 @@
 <form method="post" class="form-horizontal" role="form" id="login-form">
   #{csrf_tag if respond_to?(:csrf_tag)}
-  <input type="hidden" name="lp" value="#{request['lp']}"/>
+  <input type="hidden" name="lp" value="#{rodauth.param('lp')}"/>
   <div class="form-group">
     <label class="col-sm-2 control-label" for="login">Login</label>
     <div class="col-sm-10">

data/templates/login-confirm-field.str

@@ -1,6 +1,6 @@
 <div class="form-group">
   <label class="col-sm-2 control-label" for="login-confirm">#{rodauth.login_confirm_label}</label>
   <div class="col-sm-10">
-    <input type="text" class="form-control" name="login-confirm" id="#{rodauth.login_confirm_param}" value="#{h request[rodauth.login_confirm_param]}"/>
+    <input type="text" class="form-control" name="login-confirm" id="#{rodauth.login_confirm_param}" value="#{h rodauth.param(rodauth.login_confirm_param)}"/>
   </div>
 </div>

data/templates/login-field.str

@@ -1,6 +1,6 @@
 <div class="form-group">
   <label class="col-sm-2 control-label" for="login">#{rodauth.login_label}</label>
   <div class="col-sm-10">
-    <input type="text" class="form-control#{' error' if rodauth.field_error(rodauth.login_param)}" name="#{rodauth.login_param}" id="login" value="#{h request[rodauth.login_param]}"/> #{rodauth.field_error(rodauth.login_param)}
+    <input type="text" class="form-control#{' error' if rodauth.field_error(rodauth.login_param)}" name="#{rodauth.login_param}" id="login" value="#{h rodauth.param(rodauth.login_param)}"/> #{rodauth.field_error(rodauth.login_param)}
   </div>
 </div>

data/templates/reset-password-request.str

@@ -2,6 +2,6 @@
   #{rodauth.reset_password_request_additional_form_tags}
   #{rodauth.csrf_tag}
   <p>If you have forgotten your password, you can request a password reset: </p>
-  #{(login = request[rodauth.login_param]) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
+  #{(login = rodauth.param_or_nil(rodauth.login_param)) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
   #{rodauth.button(rodauth.reset_password_request_button)}
 </form>

data/templates/sms-setup.str

@@ -5,7 +5,7 @@
   <div class="form-group">
     <label class="col-sm-2 control-label" for="sms-phone">#{rodauth.sms_phone_label}</label>
     <div class="col-sm-3">
-      <input type="text" class="form-control#{' error' if rodauth.field_error(rodauth.sms_phone_param)}" name="#{rodauth.sms_phone_param}" id="sms-phone" value="#{h request[rodauth.sms_phone_param]}"/> #{rodauth.field_error(rodauth.sms_phone_param)}
+      <input type="text" class="form-control#{' error' if rodauth.field_error(rodauth.sms_phone_param)}" name="#{rodauth.sms_phone_param}" id="sms-phone" value="#{h rodauth.param(rodauth.sms_phone_param)}"/> #{rodauth.field_error(rodauth.sms_phone_param)}
     </div>
   </div>
   #{rodauth.button(rodauth.sms_setup_button)}

data/templates/unlock-account-request.str

@@ -1,7 +1,7 @@
 <form action="#{rodauth.prefix}/#{rodauth.unlock_account_request_route}" method="post" class="rodauth form-horizontal" role="form" id="unlock-account-request-form">
   #{rodauth.unlock_account_request_additional_form_tags}
   #{rodauth.csrf_tag}
-  <input type="hidden" name="#{rodauth.login_param}" value="#{h request[rodauth.login_param]}"/>
+  <input type="hidden" name="#{rodauth.login_param}" value="#{h rodauth.param(rodauth.login_param)}"/>
   This account is currently locked out.  You can request that the account be unlocked: 
   <input type="submit" class="btn btn-primary inline" value="#{rodauth.unlock_account_request_button}"/>
 </form>

data/templates/verify-account-resend.str

@@ -2,6 +2,6 @@
   #{rodauth.verify_account_resend_additional_form_tags}
   #{rodauth.csrf_tag}
   <p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>
-  #{(login = request[rodauth.login_param]) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
+  #{(login = rodauth.param_or_nil(rodauth.login_param)) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
   #{rodauth.button(rodauth.verify_account_resend_button)}
 </form>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.15.0
+  version: 1.16.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-29 00:00:00.000000000 Z
+date: 2018-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -229,6 +229,7 @@ extra_rdoc_files:
 - doc/verify_login_change.rdoc
 - doc/internals.rdoc
 - doc/change_password_notify.rdoc
+- doc/disallow_common_passwords.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.2.0.txt
@@ -245,11 +246,13 @@ extra_rdoc_files:
 - doc/release_notes/1.13.0.txt
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
+- doc/release_notes/1.16.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
 - README.rdoc
 - Rakefile
+- dict/top-10_000-passwords.txt
 - doc/account_expiration.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
@@ -258,6 +261,7 @@ files:
 - doc/close_account.rdoc
 - doc/confirm_password.rdoc
 - doc/create_account.rdoc
+- doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
 - doc/email_base.rdoc
 - doc/http_basic_auth.rdoc
@@ -280,6 +284,7 @@ files:
 - doc/release_notes/1.13.0.txt
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
+- doc/release_notes/1.16.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -309,6 +314,7 @@ files:
 - lib/rodauth/features/close_account.rb
 - lib/rodauth/features/confirm_password.rb
 - lib/rodauth/features/create_account.rb
+- lib/rodauth/features/disallow_common_passwords.rb
 - lib/rodauth/features/disallow_password_reuse.rb
 - lib/rodauth/features/email_base.rb
 - lib/rodauth/features/http_basic_auth.rb
@@ -343,6 +349,7 @@ files:
 - spec/close_account_spec.rb
 - spec/confirm_password_spec.rb
 - spec/create_account_spec.rb
+- spec/disallow_common_passwords_spec.rb
 - spec/disallow_password_reuse_spec.rb
 - spec/http_basic_auth_spec.rb
 - spec/jwt_spec.rb