rodauth 1.18.0 → 1.19.0

data/lib/rodauth/features/verify_account.rb

@@ -6,6 +6,7 @@ module Rodauth
 
     error_flash "Unable to verify account"
     error_flash "Unable to resend verify account email", 'verify_account_resend'
+    error_flash "An email has recently been sent to you with a link to verify your account", 'verify_account_email_recently_sent'
     notice_flash "Your account has been verified"
     notice_flash "An email has been sent to you with a link to verify your account", 'verify_account_email_sent'
     loaded_templates %w'verify-account verify-account-resend verify-account-email'
@@ -20,7 +21,8 @@ module Rodauth
     button 'Verify Account'
     button 'Send Verification Email Again', 'verify_account_resend'
     redirect
-    redirect(:verify_account_email_sent){require_login_redirect}
+    redirect(:verify_account_email_sent){default_post_email_redirect}
+    redirect(:verify_account_email_recently_sent){default_post_email_redirect}
 
     auth_value_method :no_matching_verify_account_key_message, "invalid verify account key"
     auth_value_method :attempt_to_create_unverified_account_notice_message, "The account you tried to create is currently awaiting verification"
@@ -30,6 +32,8 @@ module Rodauth
     auth_value_method :verify_account_autologin?, true
     auth_value_method :verify_account_table, :account_verification_keys
     auth_value_method :verify_account_id_column, :id
+    auth_value_method :verify_account_email_last_sent_column, nil
+    auth_value_method :verify_account_skip_resend_email_within, 300
     auth_value_method :verify_account_key_column, :key
     session_key :verify_account_session_key, :verify_account_key
     auth_value_method :verify_account_set_password?, false
@@ -63,6 +67,11 @@ module Rodauth
 
       r.post do
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
+          if verify_account_email_recently_sent?
+            set_redirect_error_flash verify_account_email_recently_sent_error_flash
+            redirect verify_account_email_recently_sent_redirect
+          end
+
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
@@ -158,6 +167,7 @@ module Rodauth
 
     def verify_account_email_resend
       if @verify_account_key_value = get_verify_account_key(account_id)
+        set_verify_account_email_last_sent
         send_verify_account_email
         true
       end
@@ -218,8 +228,24 @@ module Rodauth
       super
     end
 
+    def set_verify_account_email_last_sent
+       verify_account_ds.update(verify_account_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if verify_account_email_last_sent_column
+    end
+
+    def get_verify_account_email_last_sent
+      if column = verify_account_email_last_sent_column
+        if ts = verify_account_ds.get(column)
+          convert_timestamp(ts)
+        end
+      end
+    end
+
     private
 
+    def verify_account_email_recently_sent?
+      (email_last_sent = get_verify_account_email_last_sent) && (Time.now - email_last_sent < verify_account_skip_resend_email_within)
+    end
+
     attr_reader :verify_account_key_value
 
     def before_login_attempt

data/lib/rodauth/features/verify_login_change.rb

@@ -5,14 +5,18 @@ module Rodauth
     depends :change_login, :email_base
 
     error_flash "Unable to verify login change"
+    error_flash "Unable to change login as there is already an account with the new login", :verify_login_change_duplicate_account
     notice_flash "Your login change has been verified"
     loaded_templates %w'verify-login-change verify-login-change-email'
     view 'verify-login-change', 'Verify Login Change'
     additional_form_tags
     after
+    after 'verify_login_change_email'
     before
+    before 'verify_login_change_email'
     button 'Verify Login Change'
     redirect
+    redirect(:verify_login_change_duplicate_account){require_login_redirect}
 
     auth_value_method :no_matching_verify_login_change_key_message, "invalid verify login change key"
     auth_value_method :verify_login_change_autologin?, false
@@ -76,7 +80,11 @@ module Rodauth
 
         transaction do
           before_verify_login_change
-          verify_login_change
+          unless verify_login_change
+            set_redirect_error_status(invalid_key_error_status)
+            set_redirect_error_flash verify_login_change_duplicate_account_error_flash
+            redirect verify_login_change_duplicate_account_redirect
+          end
           remove_verify_login_change_key
           after_verify_login_change
         end
@@ -96,7 +104,11 @@ module Rodauth
     end
 
     def verify_login_change
-      update_account(login_column=>verify_login_change_new_login)
+      unless res = _update_login(verify_login_change_new_login)
+        remove_verify_login_change_key
+      end
+
+      res
     end
 
     def account_from_verify_login_change_key(key)
@@ -134,10 +146,21 @@ module Rodauth
     end
 
     def update_login(login)
-      generate_verify_login_change_key_value
-      @verify_login_change_new_login = login
-      create_verify_login_change_key(login)
-      send_verify_login_change_email(login)
+      if _account_from_login(login)
+        @login_requirement_message = 'already an account with this login'
+        return false
+      end
+
+      transaction do
+        before_verify_login_change_email
+        generate_verify_login_change_key_value
+        @verify_login_change_new_login = login
+        create_verify_login_change_key(login)
+        send_verify_login_change_email(login)
+        after_verify_login_change_email
+      end
+
+      true
     end
 
     def generate_verify_login_change_key_value
@@ -150,7 +173,7 @@ module Rodauth
         ds.where((Sequel::CURRENT_TIMESTAMP > verify_login_change_deadline_column) | ~Sequel.expr(verify_login_change_login_column=>login)).delete
         if e = raised_uniqueness_violation{ds.insert(verify_login_change_key_insert_hash(login))}
           old_login, key = get_verify_login_change_login_and_key(account_id)
-          # If inserting into the verify account table causes a violation, we can pull the 
+          # If inserting into the verify login change table causes a violation, we can pull the 
           # key from the verify login change table if the logins match, or reraise.
           @verify_login_change_key_value = if old_login.downcase == login.downcase
             key

data/lib/rodauth/migrations.rb

@@ -43,15 +43,9 @@ CREATE FUNCTION #{get_salt_name}(acct_id int8) RETURNS varchar(255)
 SQL SECURITY DEFINER
 READS SQL DATA
 BEGIN
-DECLARE salt varchar(255);
-DECLARE csr CURSOR FOR
-SELECT substr(password_hash, 1, 30)
+RETURN (SELECT substr(password_hash, 1, 30)
 FROM #{table_name}
-WHERE acct_id = id;
-OPEN csr;
-FETCH csr INTO salt;
-CLOSE csr;
-RETURN salt;
+WHERE acct_id = id);
 END;
 END
 

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 1
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 18
+  MINOR = 19
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/spec/email_auth_spec.rb

@@ -0,0 +1,285 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth email auth feature' do
+  it "should support logging in use link sent via email, without a password for the account" do
+    rodauth do
+      enable :login, :email_auth, :logout
+      account_password_hash_column :ph
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    DB[:accounts].update(:ph=>nil).must_equal 1
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("no matching login")
+
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to login to your account"
+    page.current_path.must_equal '/'
+    link = email_link(/(\/email-auth\?key=.+)$/)
+
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal "invalid email authentication key"
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to login"
+    Mail::TestMailer.deliveries.must_equal []
+
+    DB[:account_email_auth_keys].update(:email_last_sent => Time.now - 250).must_equal 1
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to login"
+    Mail::TestMailer.deliveries.must_equal []
+
+    DB[:account_email_auth_keys].update(:email_last_sent => Time.now - 350).must_equal 1
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    email_link(/(\/email-auth\?key=.+)$/).must_equal link
+
+    visit link
+    page.title.must_equal 'Login'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.current_path.must_equal '/'
+
+    logout
+
+    visit link
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+
+    link2 = email_link(/(\/email-auth\?key=.+)$/)
+    link2.wont_equal link
+
+    visit link2
+    DB[:account_email_auth_keys].update(:deadline => Time.now - 60).must_equal 1
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "There was an error logging you in"
+    page.current_path.must_equal '/'
+    DB[:account_email_auth_keys].count.must_equal 0
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+
+    visit email_link(/(\/email-auth\?key=.+)$/)
+    DB[:account_email_auth_keys].update(:key=>'1').must_equal 1
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "There was an error logging you in"
+    page.current_path.must_equal '/'
+  end
+
+  it "should support logging in use link sent via email, with a password for the account" do
+    rodauth do
+      enable :login, :email_auth, :logout
+      email_auth_email_last_sent_column nil
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("no matching login")
+
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to login to your account"
+    page.current_path.must_equal '/'
+    link = email_link(/(\/email-auth\?key=.+)$/)
+
+    visit link[0...-1]
+    page.find('#error_flash').text.must_equal "invalid email authentication key"
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+    email_link(/(\/email-auth\?key=.+)$/).must_equal link
+
+    visit link
+    page.title.must_equal 'Login'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.current_path.must_equal '/'
+
+    logout
+
+    visit link
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+
+    link2 = email_link(/(\/email-auth\?key=.+)$/)
+    link2.wont_equal link
+
+    visit link2
+    DB[:account_email_auth_keys].update(:deadline => Time.now - 60).must_equal 1
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "There was an error logging you in"
+    page.current_path.must_equal '/'
+    DB[:account_email_auth_keys].count.must_equal 0
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+
+    visit email_link(/(\/email-auth\?key=.+)$/)
+    DB[:account_email_auth_keys].update(:key=>'1').must_equal 1
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal "There was an error logging you in"
+    page.current_path.must_equal '/'
+  end
+
+  it "should allow password login for accounts with password hashes" do
+    rodauth do
+      enable :login, :email_auth
+    end
+    roda do |r|
+      r.rodauth
+      next unless rodauth.logged_in?
+      r.root{view :content=>"Logged In"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    page.html.must_include 'Send Login Link Via Email'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+  end
+
+  it "should work with creating accounts without setting passwords" do
+    rodauth do
+      enable :login, :create_account, :email_auth
+      require_login_confirmation? false
+      create_account_autologin? false
+      create_account_set_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "Your account has been created"
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    visit email_link(/(\/email-auth\?key=.+)$/, 'foo@example2.com')
+    page.title.must_equal 'Login'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.current_path.must_equal '/'
+  end
+
+  it "should clear email auth token when closing account" do
+    rodauth do
+      enable :login, :email_auth, :close_account
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+
+    hash = DB[:account_email_auth_keys].first
+
+    visit email_link(/(\/email-auth\?key=.+)$/)
+    click_button 'Login'
+
+    DB[:account_email_auth_keys].count.must_equal 0
+    DB[:account_email_auth_keys].insert(hash)
+
+    visit '/close-account'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    DB[:account_email_auth_keys].count.must_equal 0
+  end
+
+  it "should handle uniqueness errors raised when inserting email auth token" do
+    rodauth do
+      enable :login, :email_auth
+    end
+    roda do |r|
+      def rodauth.raised_uniqueness_violation(*) super; true; end
+      r.rodauth
+      r.root{view :content=>""}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+    link = email_link(/(\/email-auth\?key=.+)$/)
+
+    DB[:account_email_auth_keys].update(:email_last_sent => Time.now - 350).must_equal 1
+    visit '/login'
+    page.title.must_equal 'Login'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    click_button 'Send Login Link Via Email'
+    email_link(/(\/email-auth\?key=.+)$/).must_equal link
+  end
+
+  it "should support email auth for accounts via jwt" do
+    rodauth do
+      enable :login, :email_auth
+      email_auth_email_body{email_auth_email_link}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request('/email-auth-request')
+    res.must_equal [401, {"error"=>"There was an error requesting an email link to authenticate"}]
+
+    res = json_request('/email-auth-request', :login=>'foo@example2.com')
+    res.must_equal [401, {"error"=>"There was an error requesting an email link to authenticate"}]
+
+    res = json_request('/email-auth-request', :login=>'foo@example.com')
+    res.must_equal [200, {"success"=>"An email has been sent to you with a link to login to your account"}]
+
+    link = email_link(/key=.+$/)
+    res = json_request('/email-auth')
+    res.must_equal [401, {"error"=>"There was an error logging you in"}]
+
+    res = json_request('/email-auth', :key=>link[4...-1])
+    res.must_equal [401, {"error"=>"There was an error logging you in"}]
+
+    res = json_request('/email-auth', :key=>link[4..-1])
+    res.must_equal [200, {"success"=>"You have been logged in"}]
+  end
+end
+