rodauth 1.18.0 → 1.19.0

data/lib/rodauth/features/email_base.rb

@@ -6,6 +6,8 @@ module Rodauth
     auth_value_method :require_mail?, true
     auth_value_method :token_separator, "_"
 
+    redirect :default_post_email
+
     auth_value_methods(
       :email_from
     )

data/lib/rodauth/features/lockout.rb

@@ -11,16 +11,19 @@ module Rodauth
     before 'unlock_account_request'
     after 'unlock_account'
     after 'unlock_account_request'
+    after 'account_lockout'
     additional_form_tags 'unlock_account'
     additional_form_tags 'unlock_account_request'
     button 'Unlock Account', 'unlock_account'
     button 'Request Account Unlock', 'unlock_account_request'
     error_flash "There was an error unlocking your account", 'unlock_account'
     error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    error_flash "An email has recently been sent to you with a link to unlock the account", 'unlock_account_email_recently_sent'
     notice_flash "Your account has been unlocked", 'unlock_account'
     notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
     redirect :unlock_account
-    redirect :unlock_account_request
+    redirect(:unlock_account_request){default_post_email_redirect}
+    redirect(:unlock_account_email_recently_sent){default_post_email_redirect}
       
     auth_value_method :unlock_account_autologin?, true
     auth_value_method :max_invalid_logins, 100
@@ -30,26 +33,26 @@ module Rodauth
     auth_value_method :account_lockouts_table, :account_lockouts
     auth_value_method :account_lockouts_id_column, :id
     auth_value_method :account_lockouts_key_column, :key
+    auth_value_method :account_lockouts_email_last_sent_column, nil
     auth_value_method :account_lockouts_deadline_column, :deadline
     auth_value_method :account_lockouts_deadline_interval, {:days=>1}
     auth_value_method :no_matching_unlock_account_key_message, 'No matching unlock account key'
     auth_value_method :unlock_account_email_subject, 'Unlock Account'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
+    auth_value_method :unlock_account_skip_resend_email_within, 300
     session_key :unlock_account_session_key, :unlock_account_key
 
-    auth_value_methods(
-      :unlock_account_redirect,
-      :unlock_account_request_redirect
-    )
     auth_methods(
       :clear_invalid_login_attempts,
       :create_unlock_account_email,
       :generate_unlock_account_key,
       :get_unlock_account_key,
+      :get_unlock_account_email_last_sent,
       :invalid_login_attempted,
       :locked_out?,
       :send_unlock_account_email,
+      :set_unlock_account_email_last_sent,
       :unlock_account_email_body,
       :unlock_account_email_link,
       :unlock_account,
@@ -63,8 +66,14 @@ module Rodauth
 
       r.post do
         if account_from_login(param(login_param)) && get_unlock_account_key
+          if unlock_account_email_recently_sent?
+            set_redirect_error_flash unlock_account_email_recently_sent_error_flash
+            redirect unlock_account_email_recently_sent_redirect
+          end
+
           transaction do
             before_unlock_account_request
+            set_unlock_account_email_last_sent
             send_unlock_account_email
             after_unlock_account_request
           end
@@ -186,7 +195,11 @@ module Rodauth
           # key out of it.  If that doesn't return a valid key, we should reraise the error.
           raise e unless @unlock_account_key_value = account_lockouts_ds.get(account_lockouts_key_column)
 
+          after_account_lockout
           show_lockout_page
+        else
+          after_account_lockout
+          e
         end
       end
     end
@@ -208,6 +221,18 @@ module Rodauth
       token_link(unlock_account_route, unlock_account_key_param, unlock_account_key_value)
     end
 
+    def get_unlock_account_email_last_sent
+      if column = account_lockouts_email_last_sent_column
+        if ts = account_lockouts_ds.get(column)
+          convert_timestamp(ts)
+        end
+      end
+    end
+
+    def set_unlock_account_email_last_sent
+      account_lockouts_ds.update(account_lockouts_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if account_lockouts_email_last_sent_column
+    end
+
     private
 
     attr_reader :unlock_account_key_value
@@ -258,8 +283,12 @@ module Rodauth
       render('unlock-account-email')
     end
 
+    def unlock_account_email_recently_sent?
+      (email_last_sent = get_unlock_account_email_last_sent) && (Time.now - email_last_sent < unlock_account_skip_resend_email_within)
+    end
+
     def use_date_arithmetic?
-      db.database_type == :mysql
+      super || db.database_type == :mysql
     end
 
     def account_login_failures_ds

data/lib/rodauth/features/login.rb

@@ -3,8 +3,9 @@
 module Rodauth
   Feature.define(:login, :Login) do
     notice_flash "You have been logged in"
+    notice_flash "Login recognized, please enter your password", "need_password"
     error_flash "There was an error logging in"
-    loaded_templates %w'login login-field password-field'
+    loaded_templates %w'login login-field password-field login-display'
     view 'login', 'Login'
     additional_form_tags
     button 'Login'
@@ -12,6 +13,7 @@ module Rodauth
 
     auth_value_method :login_error_status, 401
     auth_value_method :login_form_footer, ''
+    auth_value_method :use_multi_phase_login?, false
 
     route do |r|
       check_already_logged_in
@@ -23,6 +25,7 @@ module Rodauth
 
       r.post do
         clear_session
+        skip_error_flash = false
 
         catch_error do
           unless account_from_login(param(login_param))
@@ -35,25 +38,59 @@ module Rodauth
             throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
           end
 
+          if use_multi_phase_login?
+            @valid_login_entered = true
+
+            unless param_or_nil(password_param)
+              after_login_entered_during_multi_phase_login
+              skip_error_flash = true
+              next
+            end
+          end
+
           unless password_match?(param(password_param))
             after_login_failure
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          transaction do
-            before_login
-            update_session
-            after_login
-          end
-          set_notice_flash login_notice_flash
-          redirect login_redirect
+          _login
         end
 
-        set_error_flash login_error_flash
+        set_error_flash login_error_flash unless skip_error_flash
         login_view
       end
     end
 
     attr_reader :login_form_header
+
+    def after_login_entered_during_multi_phase_login
+      set_notice_now_flash need_password_notice_flash
+    end
+
+    def skip_login_field_on_login?
+      return false unless use_multi_phase_login?
+      @valid_login_entered
+    end
+
+    def skip_password_field_on_login?
+      return false unless use_multi_phase_login?
+      @valid_login_entered != true
+    end
+
+    def login_hidden_field
+      "<input type='hidden' name=\"#{login_param}\" value=\"#{scope.h param(login_param)}\" />"
+    end
+
+    private
+
+    def _login
+      transaction do
+        before_login
+        update_session
+        after_login
+      end
+      set_notice_flash login_notice_flash
+      redirect login_redirect
+    end
   end
 end

data/lib/rodauth/features/otp.rb

@@ -18,9 +18,13 @@ module Rodauth
     before 'otp_authentication'
     before 'otp_setup'
     before 'otp_disable'
-    before 'otp_authentication_route'
-    before 'otp_setup_route'
-    before 'otp_disable_route'
+
+    configuration_module_eval do
+      def before_otp_authentication_route(&block)
+        warn "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
+        before_otp_auth_route(&block)
+      end
+    end
 
     button 'Authenticate via 2nd Factor', 'otp_auth'
     button 'Disable Two Factor Authentication', 'otp_disable'
@@ -104,7 +108,7 @@ module Rodauth
         redirect otp_lockout_redirect
       end
 
-      before_otp_authentication_route
+      before_otp_auth_route
 
       r.get do
         otp_auth_view

data/lib/rodauth/features/recovery_codes.rb

@@ -10,8 +10,6 @@ module Rodauth
     before 'add_recovery_codes'
     before 'view_recovery_codes'
     before 'recovery_auth'
-    before 'recovery_auth_route'
-    before 'recovery_codes_route'
 
     after 'add_recovery_codes'
 

data/lib/rodauth/features/remember.rb

@@ -188,7 +188,7 @@ module Rodauth
     end
 
     def use_date_arithmetic?
-      extend_remember_deadline? || db.database_type == :mysql
+      super || extend_remember_deadline? || db.database_type == :mysql
     end
 
     def remember_key_ds(id=account_id)

data/lib/rodauth/features/reset_password.rb

@@ -8,6 +8,7 @@ module Rodauth
     notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
     error_flash "There was an error resetting your password"
     error_flash "There was an error requesting a password reset", 'reset_password_request'
+    error_flash "An email has recently been sent to you with a link to reset your password", 'reset_password_email_recently_sent'
     loaded_templates %w'reset-password-request reset-password password-field password-confirm-field reset-password-email'
     view 'reset-password', 'Reset Password'
     view 'reset-password-request', 'Request Password Reset', 'reset_password_request'
@@ -20,7 +21,8 @@ module Rodauth
     button 'Reset Password'
     button 'Request Password Reset', 'reset_password_request'
     redirect
-    redirect :reset_password_email_sent
+    redirect(:reset_password_email_sent){default_post_email_redirect}
+    redirect(:reset_password_email_recently_sent){default_post_email_redirect}
     
     auth_value_method :reset_password_deadline_column, :deadline
     auth_value_method :reset_password_deadline_interval, {:days=>1}
@@ -31,21 +33,25 @@ module Rodauth
     auth_value_method :reset_password_table, :account_password_reset_keys
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
+    auth_value_method :reset_password_email_last_sent_column, nil
+    auth_value_method :reset_password_skip_resend_email_within, 300
     session_key :reset_password_session_key, :reset_password_key
 
-    auth_value_methods :reset_password_email_sent_redirect, :reset_password_request_link
+    auth_value_methods :reset_password_request_link
 
     auth_methods(
       :create_reset_password_key,
       :create_reset_password_email,
       :get_reset_password_key,
+      :get_reset_password_email_last_sent,
       :login_failed_reset_password_request_form,
       :remove_reset_password_key,
       :reset_password_email_body,
       :reset_password_email_link,
       :reset_password_key_insert_hash,
       :reset_password_key_value,
-      :send_reset_password_email
+      :send_reset_password_email,
+      :set_reset_password_email_last_sent
     )
     auth_private_methods(
       :account_from_reset_password_key
@@ -61,6 +67,11 @@ module Rodauth
 
       r.post do
         if account_from_login(param(login_param)) && open_account?
+          if reset_password_email_recently_sent?
+            set_redirect_error_flash reset_password_email_recently_sent_error_flash
+            redirect reset_password_email_recently_sent_redirect
+          end
+
           generate_reset_password_key_value
           transaction do
             before_reset_password_request
@@ -146,6 +157,7 @@ module Rodauth
     def create_reset_password_key
       transaction do
         if reset_password_key_value = get_password_reset_key(account_id)
+          set_reset_password_email_last_sent
           @reset_password_key_value = reset_password_key_value
         elsif e = raised_uniqueness_violation{password_reset_ds.insert(reset_password_key_insert_hash)}
           # If inserting into the reset password table causes a violation, we can pull the 
@@ -185,8 +197,24 @@ module Rodauth
       "<p><a href=\"#{prefix}/#{reset_password_request_route}\">Forgot Password?</a></p>"
     end
 
+    def set_reset_password_email_last_sent
+       password_reset_ds.update(reset_password_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if reset_password_email_last_sent_column
+    end
+
+    def get_reset_password_email_last_sent
+      if column = reset_password_email_last_sent_column
+        if ts = password_reset_ds.get(column)
+          convert_timestamp(ts)
+        end
+      end
+    end
+
     private
 
+    def reset_password_email_recently_sent?
+      (email_last_sent = get_reset_password_email_last_sent) && (Time.now - email_last_sent < reset_password_skip_resend_email_within)
+    end
+
     attr_reader :reset_password_key_value
 
     def after_login_failure
@@ -218,7 +246,7 @@ module Rodauth
     end
 
     def use_date_arithmetic?
-      db.database_type == :mysql
+      super || db.database_type == :mysql
     end
 
     def reset_password_key_insert_hash

data/lib/rodauth/features/sms_codes.rb

@@ -49,6 +49,7 @@ module Rodauth
     redirect(:sms_needs_confirmation){"#{prefix}/#{sms_confirm_route}"}
     redirect(:sms_needs_setup){"#{prefix}/#{sms_setup_route}"}
     redirect(:sms_request){"#{prefix}/#{sms_request_route}"}
+    redirect(:sms_lockout){_two_factor_auth_required_redirect}
 
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
@@ -80,10 +81,7 @@ module Rodauth
 
     auth_cached_method :sms
 
-    auth_value_methods(
-      :sms_lockout_redirect,
-      :sms_codes_primary?
-    )
+    auth_value_methods :sms_codes_primary?
 
     auth_methods(
       :sms_auth_message,
@@ -416,10 +414,6 @@ module Rodauth
       phone.length >= sms_phone_min_length
     end
 
-    def sms_lockout_redirect
-      _two_factor_auth_required_redirect
-    end
-
     def sms_auth_message(code)
       "SMS authentication code for #{request.host} is #{code}"
     end

data/lib/rodauth/features/two_factor_base.rb

@@ -20,11 +20,9 @@ module Rodauth
     session_key :two_factor_session_key, :two_factor_auth
     session_key :two_factor_setup_session_key, :two_factor_auth_setup
     auth_value_method :two_factor_need_setup_redirect, nil
+    auth_value_method :two_factor_auth_required_redirect, nil
 
-    auth_value_methods(
-      :two_factor_auth_required_redirect,
-      :two_factor_modifications_require_password?
-    )
+    auth_value_methods :two_factor_modifications_require_password?
 
     auth_methods(
       :two_factor_authenticated?,
@@ -39,21 +37,34 @@ module Rodauth
     end
 
     def authenticated?
-      super
-      two_factor_authenticated? if two_factor_authentication_setup?
+      # False if not authenticated via single factor
+      return false unless super
+
+      # True if already authenticated via 2nd factor
+      return true if two_factor_authenticated?
+
+      # True if authenticated via single factor and 2nd factor not setup 
+      !two_factor_authentication_setup?
     end
 
     def require_authentication
       super
+
+      # Avoid database query if already authenticated via 2nd factor
+      return if two_factor_authenticated?
+
       require_two_factor_authenticated if two_factor_authentication_setup?
     end
 
     def require_two_factor_setup
-      unless uses_two_factor_authentication?
-        set_redirect_error_status(two_factor_not_setup_error_status)
-        set_redirect_error_flash two_factor_not_setup_error_flash
-        redirect two_factor_need_setup_redirect
-      end
+      # Avoid database query if already authenticated via 2nd factor
+      return if two_factor_authenticated?
+
+      return if uses_two_factor_authentication?
+
+      set_redirect_error_status(two_factor_not_setup_error_status)
+      set_redirect_error_flash two_factor_not_setup_error_flash
+      redirect two_factor_need_setup_redirect
     end
     
     def require_two_factor_not_authenticated
@@ -76,10 +87,6 @@ module Rodauth
       nil
     end
 
-    def two_factor_auth_required_redirect
-      nil
-    end
-
     def two_factor_auth_fallback_redirect
       nil
     end