rodauth 1.19.1 → 1.20.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (70) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG +72 -0
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +100 -7
  5. data/doc/base.rdoc +25 -0
  6. data/doc/email_auth.rdoc +1 -1
  7. data/doc/email_base.rdoc +5 -1
  8. data/doc/internals.rdoc +2 -2
  9. data/doc/jwt_refresh.rdoc +35 -0
  10. data/doc/lockout.rdoc +3 -0
  11. data/doc/login_password_requirements_base.rdoc +4 -1
  12. data/doc/otp.rdoc +22 -39
  13. data/doc/recovery_codes.rdoc +15 -28
  14. data/doc/release_notes/1.20.0.txt +175 -0
  15. data/doc/remember.rdoc +3 -0
  16. data/doc/reset_password.rdoc +2 -1
  17. data/doc/single_session.rdoc +3 -0
  18. data/doc/verify_account.rdoc +4 -3
  19. data/doc/verify_login_change.rdoc +1 -1
  20. data/lib/rodauth.rb +33 -4
  21. data/lib/rodauth/features/base.rb +93 -10
  22. data/lib/rodauth/features/change_login.rb +1 -1
  23. data/lib/rodauth/features/confirm_password.rb +1 -1
  24. data/lib/rodauth/features/create_account.rb +2 -2
  25. data/lib/rodauth/features/disallow_password_reuse.rb +5 -3
  26. data/lib/rodauth/features/email_auth.rb +4 -2
  27. data/lib/rodauth/features/email_base.rb +12 -6
  28. data/lib/rodauth/features/jwt.rb +9 -0
  29. data/lib/rodauth/features/jwt_refresh.rb +142 -0
  30. data/lib/rodauth/features/lockout.rb +8 -4
  31. data/lib/rodauth/features/login_password_requirements_base.rb +1 -0
  32. data/lib/rodauth/features/otp.rb +63 -6
  33. data/lib/rodauth/features/recovery_codes.rb +1 -0
  34. data/lib/rodauth/features/remember.rb +20 -2
  35. data/lib/rodauth/features/reset_password.rb +5 -2
  36. data/lib/rodauth/features/single_session.rb +15 -2
  37. data/lib/rodauth/features/verify_account.rb +11 -6
  38. data/lib/rodauth/features/verify_login_change.rb +5 -3
  39. data/lib/rodauth/version.rb +2 -2
  40. data/spec/disallow_password_reuse_spec.rb +115 -28
  41. data/spec/email_auth_spec.rb +2 -2
  42. data/spec/jwt_refresh_spec.rb +256 -0
  43. data/spec/lockout_spec.rb +4 -4
  44. data/spec/login_spec.rb +52 -11
  45. data/spec/migrate/001_tables.rb +10 -0
  46. data/spec/migrate_travis/001_tables.rb +8 -0
  47. data/spec/remember_spec.rb +27 -0
  48. data/spec/reset_password_spec.rb +2 -2
  49. data/spec/rodauth_spec.rb +25 -1
  50. data/spec/single_session_spec.rb +20 -0
  51. data/spec/spec_helper.rb +29 -0
  52. data/spec/two_factor_spec.rb +57 -3
  53. data/spec/verify_account_spec.rb +18 -1
  54. data/spec/verify_login_change_spec.rb +2 -2
  55. data/templates/add-recovery-codes.str +1 -1
  56. data/templates/change-password.str +2 -2
  57. data/templates/login-confirm-field.str +2 -2
  58. data/templates/login-field.str +2 -2
  59. data/templates/otp-auth-code-field.str +2 -2
  60. data/templates/otp-setup.str +4 -3
  61. data/templates/password-confirm-field.str +2 -2
  62. data/templates/password-field.str +2 -2
  63. data/templates/recovery-auth.str +2 -2
  64. data/templates/reset-password-request.str +1 -1
  65. data/templates/sms-code-field.str +2 -2
  66. data/templates/sms-setup.str +2 -2
  67. data/templates/unlock-account-request.str +1 -1
  68. data/templates/unlock-account.str +1 -1
  69. data/templates/verify-account-resend.str +1 -1
  70. metadata +15 -5
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bad06774a2bc77b951a38d149fd641d16bf1034e379458b4e5fb49bbf4dfb0f3
4
- data.tar.gz: c82fc51c1c7bc5c917e4ef59816db28fb4fd3df52a90262b215215b7f1732639
3
+ metadata.gz: 7ecf305eda0aef347c6464decf7ef50e8e5fd4a69927bd690b68deae66de6b63
4
+ data.tar.gz: 6f8e6ffcd70b5ff94b4f922c04661896055b401a85930e085e8aaa91d1e12dfe
5
5
  SHA512:
6
- metadata.gz: c53d4e2757e9f2d6ceb0d7724b5d6f9d7090c3e1fa88471e570b4c72ffeb63aea71e0e1dc1d93e0d16463ba982e70cd0f0e00ef8a2ecb6fbf4acdb33420da3f4
7
- data.tar.gz: 50269467b08e309416984b6831a8871e023edb1287a88306e072fc375e1a75e4bdb866cc4533cab3e468d3666f1892f71bf1cfd93cefe186941957617c91e1eb
6
+ metadata.gz: ebc055ab52ae0da05d5145b273cc63b53e93f29dae456ff86c321e4c5d5798b92d65b43f0d91272ccb2a44b7b77fc29765e45ffc511564c814771b87fc1b62bf
7
+ data.tar.gz: fe083dd6517fd410eacfba69e061b3b7b82e6beae68e1413334db939c956ccb953e28d0a7a074731205e1d3ada60f12e96660b525bfc836a5a4fea45b33b881f
data/CHANGELOG CHANGED
@@ -1,3 +1,75 @@
1
+ === 1.20.0 (2019-06-07)
2
+
3
+ * Support rotp 5 in the otp feature (jeremyevans)
4
+
5
+ * Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
6
+
7
+ * Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
8
+
9
+ * Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
10
+
11
+ * Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
12
+
13
+ * Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
14
+
15
+ * Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
16
+
17
+ * Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
18
+
19
+ * Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
20
+
21
+ * Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
22
+
23
+ * Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
24
+
25
+ * Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
26
+
27
+ * Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
28
+
29
+ * Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
30
+
31
+ * Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
32
+
33
+ * Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
34
+
35
+ * Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
36
+
37
+ * Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
38
+
39
+ * Add formatted_field_error configuration method for formatting error messages (jeremyevans)
40
+
41
+ * Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
42
+
43
+ * Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
44
+
45
+ * Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
46
+
47
+ * Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
48
+
49
+ * Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
50
+
51
+ * Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
52
+
53
+ * Wrap all error messages in a span so they can be styled (jeremyevans)
54
+
55
+ * Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
56
+
57
+ * Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
58
+
59
+ * Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
60
+
61
+ * Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
62
+
63
+ * Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
64
+
65
+ * Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
66
+
67
+ * Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
68
+
69
+ * Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
70
+
71
+ * Add already_an_account_with_this_login_message configuration method (1gor) (#54)
72
+
1
73
  === 1.19.1 (2018-11-16)
2
74
 
3
75
  * Support rotp 4 in the otp feature (jeremyevans)
data/MIT-LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright (c) 2015-2018 Jeremy Evans
1
+ Copyright (c) 2015-2019 Jeremy Evans
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining a copy
4
4
  of this software and associated documentation files (the "Software"), to
data/README.rdoc CHANGED
@@ -41,6 +41,7 @@ hashes by protecting access via database functions.
41
41
  * Session Expiration
42
42
  * Single Session (Only one active session per account)
43
43
  * JWT (JSON API support for all other features)
44
+ * JWT Refresh (Access & Refresh Token)
44
45
  * Update Password Hash (when hash cost changes)
45
46
  * HTTP Basic Auth
46
47
  * Change Password Notify
@@ -128,17 +129,98 @@ of your application.
128
129
 
129
130
  === Tokens
130
131
 
131
- Account verification, password resets, remember, and lockout tokens
132
- all use a similar approach. They all provide a token, in the format
133
- "account-id_long-random-string". By including the id of the account
134
- in the token, an attacker can only attempt to bruteforce the token
135
- for a single account, instead of being able to bruteforce tokens for
136
- all accounts at once (which would be possible if the token was just a
137
- random string).
132
+ Account verification, password resets, email auth, verify login change,
133
+ remember, and lockout tokens all use a similar approach. They all
134
+ provide a token, in the format "account-id_long-random-string". By
135
+ including the id of the account in the token, an attacker can only
136
+ attempt to bruteforce the token for a single account, instead of being
137
+ able to bruteforce tokens for all accounts at once (which would be
138
+ possible if the token was just a random string).
138
139
 
139
140
  Additionally, all comparisons of tokens use a timing-safe comparison
140
141
  function to reduce the risk of timing attacks.
141
142
 
143
+ == HMAC
144
+
145
+ By default, Rodauth does not use HMACs, but you are encouraged to use
146
+ the +hmac_secret+ configuration method to set an HMAC secret. Setting
147
+ an HMAC secret will enable HMACs for additional security, as described
148
+ below.
149
+
150
+ === email_base feature
151
+
152
+ All features that send email use this feature. Setting +hmac_secret+
153
+ will make the tokens sent via email use an HMAC, while the raw token
154
+ stored in the database will not use an HMAC. This will make it so
155
+ if the tokens in the database are leaked (e.g. via an SQL injection
156
+ vulnerability), they will not be usable without also having access
157
+ to the +hmac_secret+. Without an HMAC, the raw token is sent in the
158
+ email, and if the tokens in the database are leaked, they will be
159
+ usable.
160
+
161
+ To allow for an graceful transition, you can set +allow_raw_email_token?+
162
+ to true temporarily. This will allow the raw tokens in previous sent
163
+ emails to still work. This should only be set temporarily as it
164
+ removes the security that +hmac_secret+ adds. Most features that
165
+ send email have tokens that expire by default in 1 day. The
166
+ exception is the verify_account feature, which has tokens that do
167
+ not expire. For the verify_account feature, if the user requested
168
+ an email before +hmac_secret+ was set, after +allow_raw_email_token+
169
+ is no longer set, they will need to request the verification email
170
+ be resent, in which case they will receive an email with a token
171
+ that uses an HMAC.
172
+
173
+ === remember feature
174
+
175
+ Similar to the email_base feature, this uses HMACs for remember
176
+ tokens, while storing the raw tokens in the database. This makes
177
+ it so if the raw tokens in the database are leaked, the remember
178
+ tokens are not usable without knowledge of the +hmac_secret+.
179
+
180
+ The +raw_remember_token_deadline+ configuration method can
181
+ be set to allow a previously set raw remember token to be used
182
+ if the deadline for the remember token is before the given time.
183
+ This allows for graceful transition to using HMACs for remember tokens.
184
+ By default, the deadline is 14 days after the token is created, so this
185
+ should be set to 14 days after the time you enable the HMAC for the
186
+ remember feature if you are using the defaults.
187
+
188
+ === otp feature
189
+
190
+ Setting +hmac_secret+ will provide HMACed OTP keys to users, and
191
+ would store the raw OTP keys in the database. This will make so
192
+ if the raw OTP keys in the database are leaked, they will not be
193
+ usable for two factor authentication without knowledge of the +hmac_secret+.
194
+
195
+ Unfortunately, there can be no simple graceful transition for existing users.
196
+ When introducing +hmac_secret+ to a Rodauth installation that already uses
197
+ the otp feature, you will have to either revoke and replace all OTP keys,
198
+ set +otp_keys_use_hmac?+ to false and continue to use raw OTP keys, or override
199
+ +otp_keys_use_hmac?+ to return false if the user was issued an OTP key before
200
+ +hmac_secret+ was added to the configuration, and true otherwise.
201
+ +otp_keys_use_hmac?+ defaults to true if +hmac_secret+ is set, and false
202
+ otherwise.
203
+
204
+ If +otp_keys_use_hmac?+ is true, Rodauth will also ensure during OTP setup
205
+ that the OTP key was generated by the server. If +otp_keys_use_hmac?+ is false,
206
+ any OTP key in a valid format will be accepted during setup.
207
+
208
+ If +otp_keys_use_hmac?+ is true, the jwt and otp features are in use and you
209
+ are setting up OTP via JSON requests, you need to first send a POST request
210
+ to the OTP setup route. This will return an error with the +otp_secret+ and
211
+ +otp_raw_secret+ parameters in the JSON. These parameters should be submitted
212
+ in the POST request to setup OTP, along with a valid OTP auth code for the
213
+ +otp_secret+.
214
+
215
+ === single_session feature
216
+
217
+ Setting +hmac_secret+ will ensure the single session secret set in the
218
+ session will be an HMACed. This does not affect security, as the session
219
+ itself should at the least by protected by an HMAC (if not encrypted).
220
+ This is only done for consistency, so that the raw tokens in the database
221
+ are distinct from the tokens provided to the users. To allow for a
222
+ graceful transition, +allow_raw_single_session_key?+ can be set to true.
223
+
142
224
  == PostgreSQL Database Setup
143
225
 
144
226
  In order to get full advantages of Rodauth's security design on PostgreSQL,
@@ -331,6 +413,14 @@ Note that these migrations require Sequel 4.35.0+.
331
413
  DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
332
414
  end
333
415
 
416
+ # Used by the jwt refresh feature
417
+ create_table(:account_jwt_refresh_keys) do
418
+ primary_key :id, :type=>:Bignum
419
+ foreign_key :account_id, :accounts, :type=>:Bignum
420
+ String :key, :null=>false
421
+ DateTime :deadline, deadline_opts[1]
422
+ end
423
+
334
424
  # Used by the account verification feature
335
425
  create_table(:account_verification_keys) do
336
426
  foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -431,6 +521,7 @@ Note that these migrations require Sequel 4.35.0+.
431
521
  run "GRANT ALL ON account_statuses TO #{user}"
432
522
  run "GRANT ALL ON accounts TO #{user}"
433
523
  run "GRANT ALL ON account_password_reset_keys TO #{user}"
524
+ run "GRANT ALL ON account_jwt_refresh_keys TO #{user}"
434
525
  run "GRANT ALL ON account_verification_keys TO #{user}"
435
526
  run "GRANT ALL ON account_login_change_keys TO #{user}"
436
527
  run "GRANT ALL ON account_remember_keys TO #{user}"
@@ -459,6 +550,7 @@ Note that these migrations require Sequel 4.35.0+.
459
550
  :account_remember_keys,
460
551
  :account_login_change_keys,
461
552
  :account_verification_keys,
553
+ :account_jwt_refresh_keys,
462
554
  :account_password_reset_keys,
463
555
  :accounts,
464
556
  :account_statuses)
@@ -719,6 +811,7 @@ view the appropriate file in the doc directory.
719
811
  * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
720
812
  * {Single Session}[rdoc-ref:doc/single_session.rdoc]
721
813
  * {JWT}[rdoc-ref:doc/jwt.rdoc]
814
+ * {JWT}[rdoc-ref:doc/jwt_refresh.rdoc]
722
815
  * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
723
816
 
724
817
  === Calling Rodauth in the Routing Tree
data/doc/base.rdoc CHANGED
@@ -14,6 +14,13 @@ account_password_hash_column :: Set if the password hash column is in the same
14
14
  often used if you are replacing a legacy
15
15
  authentication system with Rodauth.
16
16
  db :: The Sequel::Database object used for database access.
17
+ hmac_secret :: This sets the secret to use for all of Rodauth's HMACs. This is
18
+ not set by default, in which case Rodauth does not use HMACs for
19
+ additional security. However, it is highly recommended that you
20
+ set this.
21
+ mark_input_fields_as_required? :: Whether input fields should be marked as
22
+ required, so browsers will not allow submission
23
+ without filling out the field (default: false).
17
24
  prefix :: The routing prefix used for Rodauth routes. If you are calling
18
25
  in a routing subtree, this should be set to the root path of the
19
26
  subtree. This should include a leading slash if set, but not a
@@ -41,8 +48,23 @@ cache_templates :: Whether to cache templates. True by default. It may be worth
41
48
  switching this to false in development if you are using your
42
49
  own templates instead of the templates provided by Rodauth.
43
50
  default_redirect :: Where to redirect after most successful actions.
51
+ default_field_attributes :: The default attributes to use for input field tags, if
52
+ field_attributes returns nil for the field.
53
+ field_attributes(field) :: The attributes to use for the input field tags for the given
54
+ field (parameter name).
55
+ field_error_attributes(field) :: The attributes to use for the input field tags for the given
56
+ field (parameter name), if the input has an error.
44
57
  flash_error_key :: The flash key to use for error messages (default: +:error+).
45
58
  flash_notice_key :: The flash key to use for notice messages (default: +:notice+).
59
+ formatted_field_error(field, error) :: HTML to use for error messages for the field (parameter
60
+ name), if the field has an error. By default, uses a
61
+ span tag for the error message.
62
+ input_field_label_suffix :: The suffix to use for all labels. Useful for noting that
63
+ the fields are required.
64
+ input_field_error_class :: The CSS class to use for input fields with errors. Can be a
65
+ space separated string for multiple CSS classes.
66
+ input_field_error_message_class :: The CSS class to use for error messages. Can be a
67
+ space separated string for multiple CSS classes.
46
68
  invalid_field_error_status :: The response status to use for invalid field
47
69
  value errors, 422 by default.
48
70
  invalid_key_error_status :: The response status to use for invalid key codes,
@@ -54,6 +76,8 @@ invalid_password_message :: The error message to display when a given
54
76
  lockout_error_status :: The response status to use a login is attempted to an account that
55
77
  is locked out, 403 by default.
56
78
  login_column :: The login column in the account model.
79
+ login_input_type :: The input type to use for logins. Defaults to text but could be set to email
80
+ if all logins should be valid email addresses.
57
81
  login_label :: The label to use for logins.
58
82
  login_param :: The parameter name to use for logins.
59
83
  login_required_error_status :: The response status to return when a login is required
@@ -79,6 +103,7 @@ set_deadline_values? :: Whether deadline values should be set. True by default
79
103
  if you want to vary the value based on a request parameter.
80
104
  template_opts :: Any template options to pass to view/render. This can be used
81
105
  to set a custom layout, for example.
106
+ token_separator :: The string used to separate account id from the random key in links.
82
107
  unmatched_field_error_status :: The response status to use when two field values should
83
108
  match but do not, 422 by default.
84
109
  unopen_account_error_status :: The response status to use when trying to login to an
data/doc/email_auth.rdoc CHANGED
@@ -29,7 +29,7 @@ email_auth_session_key :: The key in the session to hold the email auth key temp
29
29
  email_auth_skip_resend_within :: The number of seconds before sending another email auth email.
30
30
  email_auth_table :: The name of the email auth keys table.
31
31
  force_email_auth? :: Whether email auth should be forced for the account. By default, email auth is forced if the account does not have a password.
32
- no_matching_email_auth_key_message :: The flash error message to show if attempting to access the email auth form with an invalid key.
32
+ no_matching_email_auth_key_error_flash :: The flash error message to show if attempting to access the email auth form with an invalid key.
33
33
 
34
34
  == Auth Methods
35
35
 
data/doc/email_base.rdoc CHANGED
@@ -5,6 +5,11 @@ that requires sending emails.
5
5
 
6
6
  == Auth Value Methods
7
7
 
8
+ allow_raw_email_token? :: When +email_token_hmac_secret+ is used, this allows the use of the raw
9
+ token. This should only be set to true temporarily during a transition
10
+ period from using raw tokens to using HMACed tokens. After the transition
11
+ period, this should not be set, as setting this to true removes the
12
+ security that HMACed tokens add.
8
13
  default_post_email_redirect :: Where to redirect after sending an email. This is the default
9
14
  redirect location for all redirects after an email is sent when the
10
15
  account is not logged in. Also includes cases where an email is not
@@ -13,7 +18,6 @@ email_from :: The from address to use for emails sent by Rodauth.
13
18
  email_subject_prefix :: The prefix to use for email subjects
14
19
  require_mail? :: Set to false to not require mail, useful if using a different
15
20
  library for sending email.
16
- token_separator :: The string used to separate account id from the random key in links.
17
21
 
18
22
  == Auth Methods
19
23
 
data/doc/internals.rdoc CHANGED
@@ -1,6 +1,6 @@
1
1
  = Rodauth Internals
2
2
 
3
- Rodauth's implementation heavily uses metaprogramming in order to DRY up the codebase, which can be a little intimiting to developers who are not familiar with the codebase. This guide explains how Rodauth is built, which should make the internals easier to understand.
3
+ Rodauth's implementation heavily uses metaprogramming in order to DRY up the codebase, which can be a little intimidating to developers who are not familiar with the codebase. This guide explains how Rodauth is built, which should make the internals easier to understand.
4
4
 
5
5
  == Object Model
6
6
 
@@ -16,7 +16,7 @@ Inside the block you pass to <tt>plugin :rodauth</tt>, +self+ is an instance of
16
16
 
17
17
  === Rodauth::Feature
18
18
 
19
- Each of the parts of rodauth that you can use is going to be a separate feature. Rodauth::Feature is a Module subclass, and every feature you load is included in the Rodauth::Auth subclass used by the Roda application. Rodauth::Feature has many methods designed to make building Rodauth features easier by defining methods in the Rodauth::Feature instance.
19
+ Each of the parts of rodauth that you can use is going to be a separate feature. Rodauth::Feature is a Module subclass, and every rodauth feature you load is an instance of this class, which is included in the Rodauth::Auth subclass used by the Roda application. Rodauth::Feature has many methods designed to make building Rodauth features easier by defining methods in the Rodauth::Feature instance.
20
20
 
21
21
  === Rodauth::FeatureConfiguration
22
22
 
@@ -0,0 +1,35 @@
1
+ = Documentation for JWT Refresh Feature
2
+
3
+ The jwt_refresh feature adds support for a database-backed JWT refresh token,
4
+ setting a short lifetime on JWT access tokens.
5
+
6
+ When this feature is used, the access and refresh token are provided
7
+ at login in the response body (the access token is still provided in the Authorization
8
+ header), and for any subsequent POST to /jwt-refresh.
9
+
10
+ Note that using the refresh token invalides the old refresh token and creates
11
+ a new access token with an updated lifetime. However, it does not invalidate
12
+ older access tokens. Older access tokens remain valid until they expire.
13
+
14
+ This feature depends on the jwt feature.
15
+
16
+ == Auth Value Methods
17
+
18
+ jwt_access_token_key :: Name of the key in the response json holding the access token. Default is +access_token+.
19
+ jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
20
+ jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
21
+ jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
22
+ jwt_refresh_token_account_id_column :: The column name in the refresh token table storing the account id, should be a foreign key referencing the accounts table.
23
+ jwt_refresh_token_deadline_column :: The column name in the refresh token keys table storing the deadline after which the refresh token will no longer be valid.
24
+ jwt_refresh_token_deadline_interval :: validity of a refresh token. Default is 14 days.
25
+ jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
26
+ jwt_refresh_token_key :: Name of the key in the response json holding the refresh token. Default is +refresh_token+.
27
+ jwt_refresh_token_key_column :: The column name in the refresh token keys table holding the refresh token key value.
28
+ jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token. Default is +refresh_token+.
29
+ jwt_refresh_token_table :: Name of the table holding refresh token keys.
30
+
31
+ == Auth Methods
32
+
33
+ after_refresh_token :: Hooks for specific processing once the refresh token has been set.
34
+ account_from_refresh_token(token) :: Returns the account hash for the given refresh token.
35
+ before_refresh_token :: Hooks for specific processing before the refresh token is computed.
data/doc/lockout.rdoc CHANGED
@@ -19,18 +19,21 @@ account_login_failures_number_column :: The column in the account login failures
19
19
  account_login_failures_table :: The table containing number of login failures per account.
20
20
  login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
21
21
  max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this is set to 100.
22
+ no_matching_unlock_account_key_error_flash :: The flash error message to show if attempting to access the unlock account form with an invalid key.
22
23
  unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
23
24
  unlock_account_autologin? :: Whether to autologin users after successful account unlock.
24
25
  unlock_account_button :: The text to use on the unlock account button.
25
26
  unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
26
27
  unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
27
28
  unlock_account_email_subject :: The subject to use for the unlock account email.
29
+ unlock_account_explanatory_text :: The text to display above the button to unlock an account.
28
30
  unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
29
31
  unlock_account_key_param :: The parameter name to use for the unlock account key.
30
32
  unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
31
33
  unlock_account_redirect :: Where to redirect after successful account unlock.
32
34
  unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
33
35
  unlock_account_request_button :: The text to use on the unlock account request button.
36
+ unlock_account_request_explanatory_text :: The text to display above the button to request an account unlock.
34
37
  unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
35
38
  unlock_account_request_redirect :: Where to redirect after account unlock email is sent.
36
39
  unlock_account_request_route :: The route to the unlock account request action. Defaults to +unlock-account-request+.
@@ -5,6 +5,9 @@ use a Rodauth feature that requires setting logins or passwords.
5
5
 
6
6
  == Auth Value Methods
7
7
 
8
+ already_an_account_with_this_login_message :: The error message to display when
9
+ there already exists an account
10
+ with the same login
8
11
  login_confirm_label :: The label to use for login confirmations.
9
12
  login_confirm_param :: The parameter name to use for login confirmations.
10
13
  login_does_not_meet_requirements_message :: The error message to display when
@@ -13,7 +16,7 @@ login_does_not_meet_requirements_message :: The error message to display when
13
16
  login_maximum_length :: The maximum length for logins, 255 by default.
14
17
  login_minimum_length :: The minimum length for logins, 3 by default.
15
18
  login_too_long_message :: The error message fragment to show if the login is
16
- too long.
19
+ too long.
17
20
  login_too_short_message :: The error message fragment to show if the login is
18
21
  too short.
19
22
  logins_do_not_match_message :: The error message to display when login and
data/doc/otp.rdoc CHANGED
@@ -8,56 +8,46 @@ The otp feature requires the rotp and rqrcode gems.
8
8
 
9
9
  == Auth Value Methods
10
10
 
11
- otp_already_setup_error_flash :: The flash error to show if going to the OTP setup
12
- page when OTP is already setup.
13
- otp_already_setup_redirect :: Where to redirect if going to the OTP setup page when OTP
14
- has already been setup.
15
- otp_auth_additional_form_tags :: HTML fragment containing additional form tags to use on
16
- the OTP authentication form.
11
+ otp_already_setup_error_flash :: The flash error to show if going to the OTP setup page when OTP is already setup.
12
+ otp_already_setup_redirect :: Where to redirect if going to the OTP setup page when OTP has already been setup.
13
+ otp_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the OTP authentication form.
17
14
  otp_auth_button :: Text to use for button on OTP authentication form.
18
15
  otp_auth_error_flash :: The flash error to show if unable to authenticate via OTP.
19
- otp_auth_failures_limit :: The number of allowed OTP authentication failures before locking
20
- out.
16
+ otp_auth_failures_limit :: The number of allowed OTP authentication failures before locking out.
21
17
  otp_auth_form_footer :: A footer to display at the bottom of the OTP authentication form.
22
18
  otp_auth_label :: The label for the OTP authentication code.
23
19
  otp_auth_param :: The parameter name for the OTP authentication code.
24
20
  otp_auth_route :: The route to the OTP authentication action. Defaults to +otp-auth+.
25
21
  otp_class :: The class to use for OTP authentication (default: ROTP::TOTP)
26
22
  otp_digits :: The number of digits to use in OTP authentication codes (rotp's default is 6).
27
- otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on
28
- the from to disable OTP authentication.
23
+ otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the from to disable OTP authentication.
29
24
  otp_disable_button :: The text to use for button on form to disable OTP authentication.
30
25
  otp_disable_error_flash :: The flash error to show if unable to disable OTP authentication.
31
26
  otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
32
27
  otp_disable_redirect :: Where to redirect after disabling OTP authentication.
33
28
  otp_disable_route :: The route to the OTP disable action. Defaults to +otp-disable+.
34
- otp_drift :: The number of seconds the client and server are allowed to drift apart. The
35
- default is nil, to not allow drift.
36
- otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication
37
- code is used.
38
- otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted
39
- during OTP setup.
29
+ otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is nil, to not allow drift.
30
+ otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication code is used.
31
+ otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted during OTP setup.
40
32
  otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 300).
41
- otp_issuer :: The issuer to use in the OTP provisioning URL. Defaults to the host name of the
42
- request.
33
+ otp_issuer :: The issuer to use in the OTP provisioning URL. Defaults to the host name of the request.
43
34
  otp_keys_id_column :: The column in the otp_keys_table containing the account id.
44
35
  otp_keys_column :: The column in the otp_keys_table containing the OTP secret.
45
- otp_keys_failures_column :: The column in the otp_keys_table containing the
46
- number of OTP authentication failures.
47
- otp_keys_last_use_column :: The column in otp_keys_table containing the last authentication
48
- timestamp.
36
+ otp_keys_failures_column :: The column in the otp_keys_table containing the number of OTP authentication failures.
37
+ otp_keys_last_use_column :: The column in otp_keys_table containing the last authentication timestamp.
49
38
  otp_keys_table :: The table name containing the OTP secrets.
50
- otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP
51
- authentication has been locked out.
52
- otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked
53
- out due to numerous authentication failures.
39
+ otp_keys_use_hmac? :: Whether to use HMACs for OTP keys. Defaults to whether +hmac_secret+ has been set. Should be set to false if adding +hmac_secret+ to Rodauth where the otp feature is already in use, as otherwise it will render existing OTP keys invalid.
40
+ otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
41
+ otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked out due to numerous authentication failures.
42
+ otp_provisioning_uri_label :: The label used when displaying the OTP provisioning URI during OTP setup.
43
+ otp_secret_label :: The label used when displaying the OTP secret during OTP setup.
54
44
  otp_session_key :: The session key used to store whether the user has authenticated via OTP.
55
- otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up
56
- OTP authentication.
45
+ otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up OTP authentication.
57
46
  otp_setup_button :: Text for the button when setting up OTP authentication.
58
47
  otp_setup_error_flash :: The flash error to show if OTP authentication setup was not successful.
59
48
  otp_setup_notice_flash :: The flash notice to show if OTP authentication setup was successful.
60
49
  otp_setup_param :: The parameter name used for the OTP secret when setting up OTP authentication.
50
+ otp_setup_raw_param :: The parameter name used for the raw OTP secret when setting up OTP authentication, when +otp_keys_use_hmac?+ is true.
61
51
  otp_setup_redirect :: Where to redirect after sucessful OTP authentication setup.
62
52
  otp_setup_route :: The route to the OTP setup action. Defaults to +otp-setup+.
63
53
 
@@ -80,21 +70,14 @@ otp_exists? :: Whether the current account has setup OTP.
80
70
  otp_key :: The stored OTP secret for the account.
81
71
  otp_locked_out? :: Whether the current account has been locked out of OTP authentication.
82
72
  otp_new_secret :: A new secret to use when setting up OTP.
83
- otp_provisioning_name :: The provisioning name to use during OTP setup, defaults to the
84
- account's email.
73
+ otp_provisioning_name :: The provisioning name to use during OTP setup, defaults to the account's email.
85
74
  otp_provisioning_uri :: The provisioning URI displayed during OTP setup.
86
75
  otp_qr_code :: The QR code containing the otp_provisioning_uri, by default an SVG image.
87
76
  otp_record_authentication_failure :: Record an OTP authentication failure.
88
77
  otp_remove :: Removes all stored OTP data for the current account.
89
- otp_remove_auth_failures :: Removes OTP authentication failures for the current account,
90
- used after successful OTP authentication.
78
+ otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful OTP authentication.
91
79
  otp_setup_view :: The HTML to use for the form to setup OTP authentication.
92
80
  otp_tmp_key(secret) :: Set the secret to use for the OTP key.
93
- otp_update_last_use :: Update the last time OTP authentication was successful for the
94
- account. Return true if the authentication should be allowed, or
95
- false if it should not be allowed because the last authentication
96
- was too recent and indicates the possible reuse of a TOTP
97
- authentication code.
98
- otp_valid_code?(auth_code) :: Whether the given code is the currently valid OTP auth
99
- code for the account.
81
+ otp_update_last_use :: Update the last time OTP authentication was successful for the account. Return true if the authentication should be allowed, or false if it should not be allowed because the last authentication was too recent and indicates the possible reuse of a TOTP authentication code.
82
+ otp_valid_code?(auth_code) :: Whether the given code is the currently valid OTP auth code for the account.
100
83
  otp_valid_key?(secret) :: Whether the given secret is a valid OTP secret.