rodauth 1.18.0 → 1.19.0

data/spec/lockout_spec.rb

@@ -2,10 +2,12 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth lockout feature' do
   it "should support account lockouts without autologin on unlock" do
+    lockouts = []
     rodauth do
       enable :lockout
       max_invalid_logins 2
       unlock_account_autologin? false
+      after_account_lockout{lockouts << true}
     end
     roda do |r|
       r.rodauth
@@ -28,6 +30,7 @@ describe 'Rodauth lockout feature' do
       click_button 'Login'
       page.find('#error_flash').text.must_equal 'There was an error logging in'
     end
+    lockouts.must_equal [true]
 
     fill_in 'Password', :with=>'012345678910'
     click_button 'Login'
@@ -35,8 +38,15 @@ describe 'Rodauth lockout feature' do
     page.body.must_include("This account is currently locked out")
     click_button 'Request Account Unlock'
     page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
-
     link = email_link(/(\/unlock-account\?key=.+)$/)
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    click_button 'Request Account Unlock'
+    email_link(/(\/unlock-account\?key=.+)$/).must_equal link
+
     visit link[0...-1]
     page.find('#error_flash').text.must_equal 'No matching unlock account key'
 
@@ -54,6 +64,7 @@ describe 'Rodauth lockout feature' do
     rodauth do
       enable :lockout
       unlock_account_requires_password? true
+      account_lockouts_email_last_sent_column :email_last_sent
     end
     roda do |r|
       r.rodauth
@@ -74,8 +85,16 @@ describe 'Rodauth lockout feature' do
     page.body.must_include("This account is currently locked out")
     click_button 'Request Account Unlock'
     page.find('#notice_flash').text.must_equal 'An email has been sent to you with a link to unlock your account'
-
     link = email_link(/(\/unlock-account\?key=.+)$/)
+
+    visit '/login'
+    fill_in 'Login', :with=>'foo@example.com'
+    fill_in 'Password', :with=>'012345678910'
+    click_button 'Login'
+    click_button 'Request Account Unlock'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to unlock the account"
+    Mail::TestMailer.deliveries.must_equal []
+
     visit link
     click_button 'Unlock Account'
 
@@ -147,9 +166,11 @@ describe 'Rodauth lockout feature' do
   end
 
   it "should handle uniqueness errors raised when inserting unlock account token" do
+    lockouts = []
     rodauth do
       enable :lockout
       max_invalid_logins 2
+      after_account_lockout{lockouts << true}
     end
     roda do |r|
       def rodauth.raised_uniqueness_violation(*) super; true; end
@@ -165,6 +186,7 @@ describe 'Rodauth lockout feature' do
 
     fill_in 'Password', :with=>'012345678910'
     click_button 'Login'
+    lockouts.must_equal [true]
     page.find('#error_flash').text.must_equal "This account is currently locked out and cannot be logged in to."
     page.body.must_include("This account is currently locked out")
     click_button 'Request Account Unlock'

data/spec/login_spec.rb

@@ -34,6 +34,52 @@ describe 'Rodauth login feature' do
     page.current_path.must_equal '/login'
   end
 
+  it "should handle multi phase login (email first, then password)" do
+    rodauth do
+      enable :login, :logout
+      use_multi_phase_login? true
+    end
+    roda do |r|
+      r.rodauth
+      next unless rodauth.logged_in?
+      r.root{view :content=>"Logged In"}
+    end
+
+    visit '/login'
+    page.title.must_equal 'Login'
+
+    page.all('input[type=password]').must_be :empty?
+    fill_in 'Login', :with=>'foo2@example.com'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("no matching login")
+
+    page.all('input[type=password]').must_be :empty?
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Login'
+    page.find('#notice_flash').text.must_equal 'Login recognized, please enter your password'
+
+    page.all('input[type=text]').must_be :empty?
+    fill_in 'Password', :with=>'012345678'
+    click_button 'Login'
+    page.find('#error_flash').text.must_equal 'There was an error logging in'
+    page.html.must_include("invalid password")
+
+    page.all('input[type=text]').must_be :empty?
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Login'
+    page.current_path.must_equal '/'
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+    page.html.must_include("Logged In")
+
+    visit '/logout'
+    page.title.must_equal 'Logout'
+
+    click_button 'Logout'
+    page.find('#notice_flash').text.must_equal 'You have been logged out'
+    page.current_path.must_equal '/login'
+  end
+
   it "should not allow login to unverified account" do
     rodauth do
       enable :login
@@ -115,7 +161,7 @@ describe 'Rodauth login feature' do
   it "should handle a prefix and some other login options" do
     rodauth do
       enable :login, :logout
-      prefix 'auth'
+      prefix '/auth'
       session_key 'login_email'
       account_from_session{DB[:accounts].first(:email=>session_value)}
       account_session_value{account[:email]}

data/spec/migrate/001_tables.rb

@@ -36,6 +36,7 @@ Sequel.migration do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     # Used by the account verification feature
@@ -43,6 +44,7 @@ Sequel.migration do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     # Used by the verify login change feature
@@ -69,6 +71,15 @@ Sequel.migration do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent
+    end
+
+    # Used by the email auth feature
+    create_table(:account_email_auth_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     # Used by the password expiration feature
@@ -132,6 +143,7 @@ Sequel.migration do
       run "GRANT ALL ON account_login_change_keys TO #{user}"
       run "GRANT ALL ON account_remember_keys TO #{user}"
       run "GRANT ALL ON account_login_failures TO #{user}"
+      run "GRANT ALL ON account_email_auth_keys TO #{user}"
       run "GRANT ALL ON account_lockouts TO #{user}"
       run "GRANT ALL ON account_password_change_times TO #{user}"
       run "GRANT ALL ON account_activity_times TO #{user}"
@@ -149,6 +161,7 @@ Sequel.migration do
                :account_session_keys,
                :account_activity_times,
                :account_password_change_times,
+               :account_email_auth_keys,
                :account_lockouts,
                :account_login_failures,
                :account_remember_keys,

data/spec/migrate_travis/001_tables.rb

@@ -44,12 +44,14 @@ Sequel.migration do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     create_table(:account_verification_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
     create_table(:account_login_change_keys) do
@@ -65,6 +67,13 @@ Sequel.migration do
       DateTime :deadline, deadline_opts[14]
     end
 
+    create_table(:account_email_auth_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    end
+
     create_table(:account_login_failures) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       Integer :number, :null=>false, :default=>1
@@ -73,6 +82,7 @@ Sequel.migration do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false
       DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent
     end
 
     create_table(:account_password_change_times) do

data/spec/reset_password_spec.rb

@@ -2,8 +2,10 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth reset_password feature' do
   it "should support resetting passwords for accounts" do
+    last_sent_column = nil
     rodauth do
       enable :login, :reset_password
+      reset_password_email_last_sent_column{last_sent_column}
     end
     roda do |r|
       r.rodauth
@@ -29,8 +31,24 @@ describe 'Rodauth reset_password feature' do
     click_button 'Request Password Reset'
     email_link(/(\/reset-password\?key=.+)$/).must_equal link
 
-    visit '/login'
-    login(:pass=>'01234567', :visit=>false)
+    login(:pass=>'01234567')
+    click_button 'Request Password Reset'
+    email_link(/(\/reset-password\?key=.+)$/).must_equal link
+
+    last_sent_column = :email_last_sent
+    login(:pass=>'01234567')
+    click_button 'Request Password Reset'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to reset your password"
+    Mail::TestMailer.deliveries.must_equal []
+
+    DB[:account_password_reset_keys].update(:email_last_sent => Time.now - 250).must_equal 1
+    login(:pass=>'01234567')
+    click_button 'Request Password Reset'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to reset your password"
+    Mail::TestMailer.deliveries.must_equal []
+
+    DB[:account_password_reset_keys].update(:email_last_sent => Time.now - 350).must_equal 1
+    login(:pass=>'01234567')
     click_button 'Request Password Reset'
     email_link(/(\/reset-password\?key=.+)$/).must_equal link
 

data/spec/two_factor_spec.rb

@@ -1316,4 +1316,50 @@ describe 'Rodauth OTP feature' do
       DB[t].count.must_equal 0
     end
   end
+
+  it "should allow two factor authentication setup, login, recovery, removal" do
+    warning = nil
+    before_called = false
+    rodauth do
+      enable :login, :otp, :logout
+      (class << self; self end).send(:define_method, :warn){|w| warning = w}
+      before_otp_authentication_route{before_called = true}
+      warning.must_equal "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
+      otp_drift 10
+    end
+    roda do |r|
+      r.rodauth
+
+      r.redirect '/login' unless rodauth.logged_in?
+
+      if rodauth.two_factor_authentication_setup?
+        r.redirect '/otp-auth' unless rodauth.authenticated?
+        view :content=>"With OTP"
+      else    
+        view :content=>"Without OTP"
+      end
+    end
+
+    login
+    page.html.must_include('Without OTP')
+
+    visit '/otp-auth'
+    before_called.must_equal false
+    page.current_path.must_equal '/otp-setup'
+
+    secret = page.html.match(/Secret: ([a-z2-7]{16})/)[1]
+    totp = ROTP::TOTP.new(secret)
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Authentication Code', :with=>totp.now
+    click_button 'Setup Two Factor Authentication'
+    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
+    page.current_path.must_equal '/'
+    page.html.must_include 'With OTP'
+
+    logout
+    before_called.must_equal false
+    login
+    page.current_path.must_equal '/otp-auth'
+    before_called.must_equal true
+  end
 end

data/spec/verify_account_grace_period_spec.rb

@@ -73,7 +73,7 @@ describe 'Rodauth verify_account_grace_period feature' do
     click_button 'Create Account'
     click_button 'Send Verification Email Again'
     page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
-    page.current_path.must_equal '/login'
+    page.current_path.must_equal '/'
     email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
 
     visit link

data/spec/verify_account_spec.rb

@@ -2,9 +2,11 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth verify_account feature' do
   it "should support verifying accounts" do
+    last_sent_column = nil
     rodauth do
       enable :login, :create_account, :verify_account
       verify_account_autologin? false
+      verify_account_email_last_sent_column{last_sent_column}
     end
     roda do |r|
       r.rodauth
@@ -25,21 +27,49 @@ describe 'Rodauth verify_account feature' do
     page.find('#error_flash').text.must_equal 'The account you tried to login with is currently awaiting verification'
     page.html.must_include("If you no longer have the email to verify the account, you can request that it be resent to you")
     click_button 'Send Verification Email Again'
-    page.current_path.must_equal '/login'
+    page.current_path.must_equal '/'
     email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
 
+    visit '/login'
     click_link 'Resend Verify Account Information'
     fill_in 'Login', :with=>'foo@example2.com'
     click_button 'Send Verification Email Again'
-    page.current_path.must_equal '/login'
+    page.current_path.must_equal '/'
     email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
 
+    visit '/login'
+    last_sent_column = :email_last_sent
+    click_link 'Resend Verify Account Information'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to verify your account"
+    Mail::TestMailer.deliveries.must_equal []
+
+    visit '/login'
+    DB[:account_verification_keys].update(:email_last_sent => Time.now - 250).must_equal 1
+    click_link 'Resend Verify Account Information'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/'
+    page.find('#error_flash').text.must_equal "An email has recently been sent to you with a link to verify your account"
+    Mail::TestMailer.deliveries.must_equal []
+
+    visit '/login'
+    DB[:account_verification_keys].update(:email_last_sent => Time.now - 350).must_equal 1
+    click_link 'Resend Verify Account Information'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/'
+    email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
+
+    DB[:account_verification_keys].update(:email_last_sent => Time.now - 350).must_equal 1
     visit '/create-account'
     fill_in 'Login', :with=>'foo@example2.com'
     click_button 'Create Account'
     click_button 'Send Verification Email Again'
     page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
-    page.current_path.must_equal '/login'
+    page.current_path.must_equal '/'
 
     link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
     visit link[0...-1]

data/spec/verify_login_change_spec.rb

@@ -78,7 +78,60 @@ describe 'Rodauth verify_login_change feature' do
     page.body.must_include('Logged In')
   end
 
-  it "should handle uniqueness errors raised when inserting password reset token" do
+  it "should check for duplicate accounts before sending verify email and before updating login" do
+    rodauth do
+      enable :login, :logout, :verify_login_change, :create_account
+      change_login_requires_password? false
+      create_account_autologin? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+
+    login
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.body.must_include "logins do not match"
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    page.find('#error_flash').text.must_equal "There was an error changing your login"
+    page.body.must_include "invalid login, already an account with this login"
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example3.com'
+    fill_in 'Confirm Login', :with=>'foo@example3.com'
+    click_button 'Change Login'
+    link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example3.com')
+
+    logout
+
+    DB[:accounts].where(:email=>'foo@example2.com').update(:email=>'foo@example3.com')
+
+    visit link
+    click_button 'Verify Login Change'
+    page.find('#error_flash').text.must_equal "Unable to change login as there is already an account with the new login"
+    page.current_path.must_equal '/login'
+
+    visit link
+    page.find('#error_flash').text.must_equal "invalid verify login change key"
+  end
+
+  it "should handle uniqueness errors raised when inserting verify login change entry" do
     unique = false
     rodauth do
       enable :login, :logout, :verify_login_change