rodauth 1.19.1 → 1.20.0

data/lib/rodauth/features/change_login.rb

@@ -81,7 +81,7 @@ module Rodauth
       updated = nil
       raised = raises_uniqueness_violation?{updated = update_account({login_column=>login}, account_ds.exclude(login_column=>login)) == 1}
       if raised
-        @login_requirement_message = 'already an account with this login'
+        @login_requirement_message = already_an_account_with_this_login_message
       end
       updated && !raised
     end

data/lib/rodauth/features/confirm_password.rb

@@ -16,7 +16,7 @@ module Rodauth
 
     auth_methods :confirm_password
 
-    route do
+    route do |r|
       require_account
       before_confirm_password_route
 

data/lib/rodauth/features/create_account.rb

@@ -103,13 +103,13 @@ module Rodauth
     def new_account(login)
       @account = _new_account(login)
     end
-    
+
     def save_account
       id = nil
       raised = raises_uniqueness_violation?{id = db[accounts_table].insert(account)}
 
       if raised
-        @login_requirement_message = 'already an account with this login'
+        @login_requirement_message = already_an_account_with_this_login_message
       end
 
       if id

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -28,8 +28,10 @@ module Rodauth
         limit(nil, previous_passwords_to_check).
         get(previous_password_id_column)
 
-      ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
-        delete
+      if keep_before
+        ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
+          delete
+      end
 
       # This should never raise uniqueness violations, as it uses a serial primary key
       ds.insert(previous_password_account_id_column=>account_id, previous_password_hash_column=>hash)
@@ -68,7 +70,7 @@ module Rodauth
     end
 
     def after_create_account
-      if account_password_hash_column
+      if account_password_hash_column && !(respond_to?(:verify_account_set_password?) && verify_account_set_password?)
         add_previous_password_hash(password_hash(param(password_param)))
       end
       super if defined?(super)

data/lib/rodauth/features/email_auth.rb

@@ -4,10 +4,13 @@ module Rodauth
   Feature.define(:email_auth, :EmailAuth) do
     depends :login, :email_base
 
+    def_deprecated_alias :no_matching_email_auth_key_error_flash, :no_matching_email_auth_key_message
+
     notice_flash "An email has been sent to you with a link to login to your account", 'email_auth_email_sent'
     error_flash "There was an error logging you in"
     error_flash "There was an error requesting an email link to authenticate", 'email_auth_request'
     error_flash "An email has recently been sent to you with a link to login", 'email_auth_email_recently_sent'
+    error_flash "There was an error logging you in: invalid email authentication key", 'no_matching_email_auth_key'
     loaded_templates %w'email-auth email-auth-request-form email-auth-email'
 
     view 'email-auth', 'Login'
@@ -28,7 +31,6 @@ module Rodauth
     auth_value_method :email_auth_email_last_sent_column, :email_last_sent
     auth_value_method :email_auth_skip_resend_email_within, 300
     auth_value_method :email_auth_table, :account_email_auth_keys
-    auth_value_method :no_matching_email_auth_key_message, "invalid email authentication key"
     session_key :email_auth_session_key, :email_auth_key
 
     auth_value_methods :force_email_auth?
@@ -81,7 +83,7 @@ module Rodauth
             email_auth_view
           else
             session[email_auth_session_key] = nil
-            set_redirect_error_flash no_matching_email_auth_key_message
+            set_redirect_error_flash no_matching_email_auth_key_error_flash
             redirect require_login_redirect
           end
         end

data/lib/rodauth/features/email_base.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:email_base, :EmailBase) do
     auth_value_method :email_subject_prefix, nil
     auth_value_method :require_mail?, true
-    auth_value_method :token_separator, "_"
+    auth_value_method :allow_raw_email_token?, false
 
     redirect :default_post_email
 
@@ -45,12 +45,12 @@ module Rodauth
       account[login_column]
     end
 
-    def split_token(token)
-      token.split(token_separator, 2)
+    def token_link(route, param, key)
+      "#{request.base_url}#{prefix}/#{route}?#{param}=#{account_id}#{token_separator}#{convert_email_token_key(key)}"
     end
 
-    def token_link(route, param, key)
-      "#{request.base_url}#{prefix}/#{route}?#{param}=#{account_id}#{token_separator}#{key}"
+    def convert_email_token_key(key)
+      convert_token_key(key)
     end
 
     def account_from_key(token, status_id=nil)
@@ -59,7 +59,13 @@ module Rodauth
 
       return unless actual = yield(id)
 
-      return unless timing_safe_eql?(key, actual)
+      unless timing_safe_eql?(key, convert_email_token_key(actual))
+        if hmac_secret && allow_raw_email_token?
+          return unless timing_safe_eql?(key, actual)
+        else
+          return
+        end
+      end
 
       ds = account_ds(id)
       ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?

data/lib/rodauth/features/jwt.rb

@@ -173,6 +173,15 @@ module Rodauth
       end
     end
 
+    def before_otp_setup_route
+      super if defined?(super)
+      if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
+        _otp_tmp_key(otp_new_secret)
+        json_response[otp_setup_param] = otp_user_key
+        json_response[otp_setup_raw_param] = otp_key
+      end
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
       @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]

data/lib/rodauth/features/jwt_refresh.rb

@@ -0,0 +1,142 @@
+# frozen-string-literal: true
+
+module Rodauth
+  JwtRefresh = Feature.define(:jwt_refresh) do
+    depends :jwt
+
+    after 'refresh_token'
+    before 'refresh_token'
+
+    auth_value_method :jwt_access_token_key, 'access_token'
+    auth_value_method :jwt_access_token_not_before_period, 5
+    auth_value_method :jwt_access_token_period, 1800
+    auth_value_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
+    auth_value_method :jwt_refresh_token_account_id_column, :account_id
+    auth_value_method :jwt_refresh_token_deadline_column, :deadline
+    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}
+    auth_value_method :jwt_refresh_token_id_column, :id
+    auth_value_method :jwt_refresh_token_key, 'refresh_token'
+    auth_value_method :jwt_refresh_token_key_column, :key
+    auth_value_method :jwt_refresh_token_key_param, 'refresh_token'
+    auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
+
+    auth_private_methods(
+      :account_from_refresh_token
+    )
+
+    route do |r|
+      r.post do
+        if (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
+          formatted_token = nil
+          transaction do
+            before_refresh_token
+            formatted_token = generate_refresh_token
+            remove_jwt_refresh_token_key(refresh_token)
+            after_refresh_token
+          end
+          json_response[jwt_refresh_token_key] = formatted_token
+          json_response[jwt_access_token_key] = session_jwt
+        else
+          json_response[json_response_error_key] = jwt_refresh_invalid_token_message
+          response.status ||= json_response_error_status
+        end
+        response['Content-Type'] ||= json_response_content_type
+        response.write(_json_response_body(json_response))
+        request.halt
+      end
+    end
+
+    def update_session
+      super
+
+      # JWT login puts the access token in the header.
+      # We put the refresh token in the body.
+      # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
+      json_response['refresh_token'] = generate_refresh_token
+    end
+
+    def set_jwt_token(token)
+      super
+      if json_response[json_response_error_key]
+        json_response.delete(jwt_access_token_key)
+      else
+        json_response[jwt_access_token_key] = token
+      end
+    end
+
+    def jwt_session_hash
+      h = super
+      t = Time.now.to_i
+      h[:exp] = t + jwt_access_token_period
+      h[:iat] = t
+      h[:nbf] = t - jwt_access_token_not_before_period
+      h
+    end
+
+    def account_from_refresh_token(token)
+      @account = _account_from_refresh_token(token)
+    end
+
+    private
+
+    def _account_from_refresh_token(token)
+      id, token = split_token(token)
+      return unless id && token
+
+      token_id, key = split_token(token)
+      return unless token_id && key
+
+      return unless actual = get_active_refresh_token(id, token_id)
+
+      return unless timing_safe_eql?(key, convert_token_key(actual))
+
+      ds = account_ds(id)
+      ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
+      ds.first
+    end
+
+    def get_active_refresh_token(account_id, token_id)
+      jwt_refresh_token_account_ds(account_id).
+        where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
+        delete
+
+      jwt_refresh_token_account_token_ds(account_id, token_id).
+        get(jwt_refresh_token_key_column)
+    end
+
+    def jwt_refresh_token_account_ds(account_id)
+      jwt_refresh_token_ds.where(jwt_refresh_token_account_id_column => account_id)
+    end
+
+    def jwt_refresh_token_account_token_ds(account_id, token_id)
+      jwt_refresh_token_account_ds(account_id).
+        where(jwt_refresh_token_id_column=>token_id)
+    end
+
+    def jwt_refresh_token_ds
+      db[jwt_refresh_token_table]
+    end
+
+    def remove_jwt_refresh_token_key(token)
+      account_id, token = split_token(token)
+      token_id, _ = split_token(token)
+      jwt_refresh_token_account_token_ds(account_id, token_id).delete
+    end
+
+    def generate_refresh_token
+      hash = jwt_refresh_token_insert_hash
+      [account_id, jwt_refresh_token_ds.insert(hash), convert_token_key(hash[jwt_refresh_token_key_column])].join(token_separator)
+    end
+
+    def jwt_refresh_token_insert_hash
+      hash = {jwt_refresh_token_account_id_column => account_id, jwt_refresh_token_key_column => random_key}
+      set_deadline_value(hash, jwt_refresh_token_deadline_column, jwt_refresh_token_deadline_interval)
+      hash
+    end
+
+    def after_close_account
+      jwt_refresh_token_account_ds(account_id).delete
+      super if defined?(super)
+    end
+  end
+end

data/lib/rodauth/features/lockout.rb

@@ -4,6 +4,8 @@ module Rodauth
   Feature.define(:lockout, :Lockout) do
     depends :login, :email_base
 
+    def_deprecated_alias :no_matching_unlock_account_key_error_flash, :no_matching_unlock_account_key_message
+
     loaded_templates %w'unlock-account-request unlock-account password-field unlock-account-email'
     view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
     view 'unlock-account', 'Unlock Account', 'unlock_account'
@@ -19,6 +21,7 @@ module Rodauth
     error_flash "There was an error unlocking your account", 'unlock_account'
     error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
     error_flash "An email has recently been sent to you with a link to unlock the account", 'unlock_account_email_recently_sent'
+    error_flash "There was an error unlocking your account: invalid or expired unlock account key", 'no_matching_unlock_account_key'
     notice_flash "Your account has been unlocked", 'unlock_account'
     notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
     redirect :unlock_account
@@ -36,8 +39,9 @@ module Rodauth
     auth_value_method :account_lockouts_email_last_sent_column, nil
     auth_value_method :account_lockouts_deadline_column, :deadline
     auth_value_method :account_lockouts_deadline_interval, {:days=>1}
-    auth_value_method :no_matching_unlock_account_key_message, 'No matching unlock account key'
     auth_value_method :unlock_account_email_subject, 'Unlock Account'
+    auth_value_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
+    auth_value_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
     auth_value_method :unlock_account_skip_resend_email_within, 300
@@ -81,7 +85,7 @@ module Rodauth
           set_notice_flash unlock_account_request_notice_flash
         else
           set_redirect_error_status(no_matching_login_error_status)
-          set_redirect_error_flash no_matching_login_message
+          set_redirect_error_flash no_matching_login_message.to_s.capitalize
         end
 
         redirect unlock_account_request_redirect
@@ -103,7 +107,7 @@ module Rodauth
             unlock_account_view
           else
             session[unlock_account_session_key] = nil
-            set_redirect_error_flash no_matching_unlock_account_key_message
+            set_redirect_error_flash no_matching_unlock_account_key_error_flash
             redirect require_login_redirect
           end
         end
@@ -113,7 +117,7 @@ module Rodauth
         key = session[unlock_account_session_key] || param(unlock_account_key_param)
         unless account_from_unlock_key(key)
           set_redirect_error_status invalid_key_error_status
-          set_redirect_error_flash no_matching_unlock_account_key_message
+          set_redirect_error_flash no_matching_unlock_account_key_error_flash
           redirect unlock_account_request_redirect
         end
 

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -2,6 +2,7 @@
 
 module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
+    auth_value_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255

data/lib/rodauth/features/otp.rb

@@ -61,7 +61,10 @@ module Rodauth
     auth_value_method :otp_keys_failures_column, :num_failures
     auth_value_method :otp_keys_table, :account_otp_keys
     auth_value_method :otp_keys_last_use_column, :last_use
+    auth_value_method :otp_provisioning_uri_label, 'Provisioning URL'
+    auth_value_method :otp_secret_label, 'Secret'
     auth_value_method :otp_setup_param, 'otp_secret'
+    auth_value_method :otp_setup_raw_param, 'otp_raw_secret'
 
     auth_cached_method :otp_key
     auth_cached_method :otp
@@ -71,7 +74,8 @@ module Rodauth
       :otp_auth_form_footer,
       :otp_issuer,
       :otp_lockout_error_flash,
-      :otp_lockout_redirect
+      :otp_lockout_redirect,
+      :otp_keys_use_hmac?
     )
 
     auth_methods(
@@ -148,9 +152,15 @@ module Rodauth
         secret = param(otp_setup_param)
         catch_error do
           unless otp_valid_key?(secret)
+            otp_tmp_key(otp_new_secret)
             throw_error_status(invalid_field_error_status, otp_setup_param, otp_invalid_secret_message)
           end
-          otp_tmp_key(secret)
+
+          if otp_keys_use_hmac?
+            otp_tmp_key(param(otp_setup_raw_param))
+          else
+            otp_tmp_key(secret)
+          end
 
           unless two_factor_password_match?(param(password_param))
             throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
@@ -257,7 +267,9 @@ module Rodauth
         if otp.respond_to?(:verify_with_drift)
           otp.verify_with_drift(ot_pass, drift)
         else
+          # :nocov:
           otp.verify(ot_pass, :drift_behind=>drift, :drift_ahead=>drift)
+          # :nocov:
         end
       else
         otp.verify(ot_pass)
@@ -308,6 +320,18 @@ module Rodauth
       RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8)
     end
 
+    def otp_user_key
+      @otp_user_key ||= if otp_keys_use_hmac?
+        otp_hmac_secret(otp_key)
+      else
+        otp_key
+      end
+    end
+
+    def otp_keys_use_hmac?
+      !!hmac_secret
+    end
+
     private
 
     def clear_cached_otp
@@ -319,15 +343,47 @@ module Rodauth
       clear_cached_otp
     end
 
+    def otp_hmac_secret(key)
+      base32_encode(compute_raw_hmac(ROTP::Base32.decode(key)), key.bytesize)
+    end
+
     def otp_valid_key?(secret)
-      secret =~ /\A([a-z2-7]{16}|[a-z2-7]{32})\z/
+      return false unless secret =~ /\A([a-z2-7]{16}|[a-z2-7]{32})\z/
+      if otp_keys_use_hmac?
+        timing_safe_eql?(otp_hmac_secret(param(otp_setup_raw_param)), secret)
+      else
+        true
+      end
     end
 
-    def otp_new_secret
-      ROTP::Base32.random_base32
+    if ROTP::Base32.respond_to?(:random_base32)
+      # :nocov:
+      def otp_new_secret
+        ROTP::Base32.random_base32
+      end
+      # :nocov:
+    else
+      def otp_new_secret
+        ROTP::Base32.random.downcase
+      end
+    end
+
+    if RUBY_VERSION < '1.9'
+      # :nocov:
+      def base32_encode(data, length)
+        chars = 'abcdefghijklmnopqrstuvwxyz234567'
+        length.times.map{|i|chars[data[i] % 32].chr}.join
+      end
+      # :nocov:
+    else
+      def base32_encode(data, length)
+        chars = 'abcdefghijklmnopqrstuvwxyz234567'
+        length.times.map{|i|chars[data[i].ord % 32]}.join
+      end
     end
 
     def _otp_tmp_key(secret)
+      @otp_user_key = nil
       @otp_key = secret
     end
 
@@ -338,11 +394,12 @@ module Rodauth
     end
 
     def _otp_key
+      @otp_user_key = nil
       otp_key_ds.get(otp_keys_column)
     end
 
     def _otp
-      otp_class.new(otp_key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
+      otp_class.new(otp_user_key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
     end
 
     def otp_key_ds