rodauth 1.19.1 → 1.20.0

data/lib/rodauth/features/recovery_codes.rb

@@ -32,6 +32,7 @@ module Rodauth
     view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
 
     auth_value_method :add_recovery_codes_param, 'add'
+    auth_value_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code

data/lib/rodauth/features/remember.rb

@@ -16,6 +16,7 @@ module Rodauth
     after 'load_memory'
     redirect
 
+    auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}
     auth_value_method :extend_remember_deadline?, false
     auth_value_method :remember_period, {:days=>14}
@@ -88,7 +89,22 @@ module Rodauth
       id, key = cookie.split('_', 2)
       return unless id && key
 
-      unless (actual = active_remember_key_ds(id).get(remember_key_column)) && timing_safe_eql?(key, actual)
+      actual, deadline = active_remember_key_ds(id).get([remember_key_column, remember_deadline_column])
+      unless actual
+        forget_login
+        return
+      end
+
+      if hmac_secret
+        unless valid = timing_safe_eql?(key, compute_hmac(actual))
+          unless raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline)
+            forget_login
+            return
+          end
+        end
+      end
+
+      unless valid || timing_safe_eql?(key, actual)
         forget_login
         return
       end
@@ -117,7 +133,9 @@ module Rodauth
     def remember_login
       get_remember_key
       opts = Hash[remember_cookie_options]
-      opts[:value] = "#{account_id}_#{remember_key_value}"
+      key = remember_key_value
+      key = compute_hmac(key) if hmac_secret
+      opts[:value] = "#{account_id}_#{key}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end

data/lib/rodauth/features/reset_password.rb

@@ -4,11 +4,14 @@ module Rodauth
   Feature.define(:reset_password, :ResetPassword) do
     depends :login, :email_base, :login_password_requirements_base
 
+    def_deprecated_alias :no_matching_reset_password_key_error_flash, :no_matching_reset_password_key_message
+
     notice_flash "Your password has been reset"
     notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
     error_flash "There was an error resetting your password"
     error_flash "There was an error requesting a password reset", 'reset_password_request'
     error_flash "An email has recently been sent to you with a link to reset your password", 'reset_password_email_recently_sent'
+    error_flash "There was an error resetting your password: invalid or expired password reset key", 'no_matching_reset_password_key'
     loaded_templates %w'reset-password-request reset-password password-field password-confirm-field reset-password-email'
     view 'reset-password', 'Reset Password'
     view 'reset-password-request', 'Request Password Reset', 'reset_password_request'
@@ -26,7 +29,6 @@ module Rodauth
     
     auth_value_method :reset_password_deadline_column, :deadline
     auth_value_method :reset_password_deadline_interval, {:days=>1}
-    auth_value_method :no_matching_reset_password_key_message, "invalid password reset key"
     auth_value_method :reset_password_email_subject, 'Reset Password'
     auth_value_method :reset_password_key_param, 'key'
     auth_value_method :reset_password_autologin?, false
@@ -34,6 +36,7 @@ module Rodauth
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
     auth_value_method :reset_password_email_last_sent_column, nil
+    auth_value_method :reset_password_explanatory_text, "<p>If you have forgotten your password, you can request a password reset:</p>"
     auth_value_method :reset_password_skip_resend_email_within, 300
     session_key :reset_password_session_key, :reset_password_key
 
@@ -105,7 +108,7 @@ module Rodauth
             reset_password_view
           else
             session[reset_password_session_key] = nil
-            set_redirect_error_flash no_matching_reset_password_key_message
+            set_redirect_error_flash no_matching_reset_password_key_error_flash
             redirect require_login_redirect
           end
         end

data/lib/rodauth/features/single_session.rb

@@ -5,6 +5,7 @@ module Rodauth
     error_flash 'This session has been logged out as another session has become active'
     redirect
 
+    auth_value_method :allow_raw_single_session_key?, false
     auth_value_method :single_session_id_column, :id
     auth_value_method :single_session_key_column, :key
     session_key :single_session_session_key, :single_session_key
@@ -35,7 +36,14 @@ module Rodauth
         end
         true
       elsif current_key
-        timing_safe_eql?(single_session_key, current_key)
+        if hmac_secret
+          valid = timing_safe_eql?(single_session_key, compute_hmac(current_key))
+          if !valid && !allow_raw_single_session_key?
+            return false
+          end
+        end
+
+        valid || timing_safe_eql?(single_session_key, current_key)
       end
     end
 
@@ -53,7 +61,7 @@ module Rodauth
 
     def update_single_session_key
       key = random_key
-      set_session_value(single_session_session_key, key)
+      set_single_session_key(key)
       if single_session_ds.update(single_session_key_column=>key) == 0
         # Don't handle uniqueness violations here.  While we could get the stored key from the
         # database, it could lead to two sessions sharing the same key, which this feature is
@@ -74,6 +82,11 @@ module Rodauth
       super if defined?(super)
     end
 
+    def set_single_session_key(data)
+      data = compute_hmac(data) if hmac_secret
+      set_session_value(single_session_session_key, data)
+    end
+
     def update_session
       super
       update_single_session_key

data/lib/rodauth/features/verify_account.rb

@@ -4,9 +4,16 @@ module Rodauth
   Feature.define(:verify_account, :VerifyAccount) do
     depends :login, :create_account, :email_base
 
+    def_deprecated_alias :attempt_to_create_unverified_account_error_flash, :attempt_to_create_unverified_account_notice_message
+    def_deprecated_alias :attempt_to_login_to_unverified_account_error_flash, :attempt_to_login_to_unverified_account_notice_message
+    def_deprecated_alias :no_matching_verify_account_key_error_flash, :no_matching_verify_account_key_message
+
     error_flash "Unable to verify account"
     error_flash "Unable to resend verify account email", 'verify_account_resend'
     error_flash "An email has recently been sent to you with a link to verify your account", 'verify_account_email_recently_sent'
+    error_flash "There was an error verifying your account: invalid verify account key", 'no_matching_verify_account_key'
+    error_flash "The account you tried to create is currently awaiting verification", 'attempt_to_create_unverified_account'
+    error_flash "The account you tried to login with is currently awaiting verification", 'attempt_to_login_to_unverified_account'
     notice_flash "Your account has been verified"
     notice_flash "An email has been sent to you with a link to verify your account", 'verify_account_email_sent'
     loaded_templates %w'verify-account verify-account-resend verify-account-email'
@@ -24,9 +31,6 @@ module Rodauth
     redirect(:verify_account_email_sent){default_post_email_redirect}
     redirect(:verify_account_email_recently_sent){default_post_email_redirect}
 
-    auth_value_method :no_matching_verify_account_key_message, "invalid verify account key"
-    auth_value_method :attempt_to_create_unverified_account_notice_message, "The account you tried to create is currently awaiting verification"
-    auth_value_method :attempt_to_login_to_unverified_account_notice_message, "The account you tried to login with is currently awaiting verification"
     auth_value_method :verify_account_email_subject, 'Verify Account'
     auth_value_method :verify_account_key_param, 'key'
     auth_value_method :verify_account_autologin?, true
@@ -35,6 +39,7 @@ module Rodauth
     auth_value_method :verify_account_email_last_sent_column, nil
     auth_value_method :verify_account_skip_resend_email_within, 300
     auth_value_method :verify_account_key_column, :key
+    auth_value_method :verify_account_resend_explanatory_text, "<p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>"
     session_key :verify_account_session_key, :verify_account_key
     auth_value_method :verify_account_set_password?, false
 
@@ -102,7 +107,7 @@ module Rodauth
             verify_account_view
           else
             session[verify_account_session_key] = nil
-            set_redirect_error_flash no_matching_verify_account_key_message
+            set_redirect_error_flash no_matching_verify_account_key_error_flash
             redirect require_login_redirect
           end
         end
@@ -180,7 +185,7 @@ module Rodauth
     def new_account(login)
       if account_from_login(login) && allow_resending_verify_account_email?
         set_redirect_error_status(unopen_account_error_status)
-        set_error_flash attempt_to_create_unverified_account_notice_message
+        set_error_flash attempt_to_create_unverified_account_error_flash
         response.write resend_verify_account_view
         request.halt
       end
@@ -251,7 +256,7 @@ module Rodauth
     def before_login_attempt
       unless open_account?
         set_redirect_error_status(unopen_account_error_status)
-        set_error_flash attempt_to_login_to_unverified_account_notice_message
+        set_error_flash attempt_to_login_to_unverified_account_error_flash
         response.write resend_verify_account_view
         request.halt
       end

data/lib/rodauth/features/verify_login_change.rb

@@ -4,8 +4,11 @@ module Rodauth
   Feature.define(:verify_login_change, :VerifyLoginChange) do
     depends :change_login, :email_base
 
+    def_deprecated_alias :no_matching_verify_login_change_key_error_flash, :no_matching_verify_login_change_key_message
+
     error_flash "Unable to verify login change"
     error_flash "Unable to change login as there is already an account with the new login", :verify_login_change_duplicate_account
+    error_flash "There was an error verifying your login change: invalid verify login change key", 'no_matching_verify_login_change_key'
     notice_flash "Your login change has been verified"
     loaded_templates %w'verify-login-change verify-login-change-email'
     view 'verify-login-change', 'Verify Login Change'
@@ -18,7 +21,6 @@ module Rodauth
     redirect
     redirect(:verify_login_change_duplicate_account){require_login_redirect}
 
-    auth_value_method :no_matching_verify_login_change_key_message, "invalid verify login change key"
     auth_value_method :verify_login_change_autologin?, false
     auth_value_method :verify_login_change_deadline_column, :deadline
     auth_value_method :verify_login_change_deadline_interval, {:days=>1}
@@ -64,7 +66,7 @@ module Rodauth
             verify_login_change_view
           else
             session[verify_login_change_session_key] = nil
-            set_redirect_error_flash no_matching_verify_login_change_key_message
+            set_redirect_error_flash no_matching_verify_login_change_key_error_flash
             redirect require_login_redirect
           end
         end
@@ -147,7 +149,7 @@ module Rodauth
 
     def update_login(login)
       if _account_from_login(login)
-        @login_requirement_message = 'already an account with this login'
+        @login_requirement_message = already_an_account_with_this_login_message
         return false
       end
 

data/lib/rodauth/version.rb

@@ -6,11 +6,11 @@ module Rodauth
   MAJOR = 1
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 19
+  MINOR = 20
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.
-  TINY = 1
+  TINY = 0
 
   # The full version of Rodauth as a string
   VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze

data/spec/disallow_password_reuse_spec.rb

@@ -54,39 +54,126 @@ describe 'Rodauth disallow_password_reuse feature' do
     DB[table].get{count(:id)}.must_equal 0
   end
 
-  it "should handle create account when account_password_hash_column is true" do
-    rodauth do
-      enable :login, :create_account, :change_password, :disallow_password_reuse
-      if ENV['RODAUTH_SEPARATE_SCHEMA']
-        previous_password_hash_table Sequel[:rodauth_test_password][:account_previous_password_hashes]
+  [true, false].each do |ph|
+    it "should handle create account when account_password_hash_column is #{ph}" do
+      rodauth do
+        enable :login, :create_account, :change_password, :disallow_password_reuse
+        if ENV['RODAUTH_SEPARATE_SCHEMA']
+          previous_password_hash_table Sequel[:rodauth_test_password][:account_previous_password_hashes]
+        end
+        account_password_hash_column :ph if ph
+        change_password_requires_password? false
       end
-      account_password_hash_column :ph
-      change_password_requires_password? false
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      visit '/create-account'
+      fill_in 'Login', :with=>'bar@example.com'
+      fill_in 'Confirm Login', :with=>'bar@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.current_path.must_equal '/'
+      page.find('#notice_flash').text.must_equal "Your account has been created"
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"012345678"
+      fill_in 'Confirm Password', :with=>"012345678"
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"0123456789"
+      fill_in 'Confirm Password', :with=>"0123456789"
+      click_button 'Change Password'
+      page.html.must_include("invalid password, does not meet requirements (same as previous password)")
     end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
+
+    it "should handle verify account when account_password_hash_column is #{ph}" do
+      rodauth do
+        enable :login, :verify_account, :change_password, :disallow_password_reuse
+        if ENV['RODAUTH_SEPARATE_SCHEMA']
+          previous_password_hash_table Sequel[:rodauth_test_password][:account_previous_password_hashes]
+        end
+        account_password_hash_column :ph if ph
+        change_password_requires_password? false
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
+
+      visit '/create-account'
+      fill_in 'Login', :with=>'bar@example.com'
+      fill_in 'Confirm Login', :with=>'bar@example.com'
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Create Account'
+      page.current_path.must_equal '/'
+      page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+      link = email_link(/(\/verify-account\?key=.+)$/, 'bar@example.com')
+
+      visit link
+      click_button 'Verify Account'
+      page.find('#notice_flash').text.must_equal "Your account has been verified"
+      page.current_path.must_equal '/'
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"012345678"
+      fill_in 'Confirm Password', :with=>"012345678"
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"0123456789"
+      fill_in 'Confirm Password', :with=>"0123456789"
+      click_button 'Change Password'
+      page.html.must_include("invalid password, does not meet requirements (same as previous password)")
     end
 
-    visit '/create-account'
-    fill_in 'Login', :with=>'bar@example.com'
-    fill_in 'Confirm Login', :with=>'bar@example.com'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Confirm Password', :with=>'0123456789'
-    click_button 'Create Account'
-    page.current_path.must_equal '/'
-    page.find('#notice_flash').text.must_equal "Your account has been created"
+    it "should handle verify account when account_password_hash_column is #{ph} and verify_account_set_password? is true" do
+      rodauth do
+        enable :login, :verify_account, :change_password, :disallow_password_reuse
+        if ENV['RODAUTH_SEPARATE_SCHEMA']
+          previous_password_hash_table Sequel[:rodauth_test_password][:account_previous_password_hashes]
+        end
+        account_password_hash_column :ph if ph
+        change_password_requires_password? false
+        verify_account_set_password? true
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>""}
+      end
 
-    visit '/change-password'
-    fill_in 'New Password', :with=>"012345678"
-    fill_in 'Confirm Password', :with=>"012345678"
-    click_button 'Change Password'
-    page.find('#notice_flash').text.must_equal "Your password has been changed"
+      visit '/create-account'
+      fill_in 'Login', :with=>'bar@example.com'
+      fill_in 'Confirm Login', :with=>'bar@example.com'
+      click_button 'Create Account'
+      page.current_path.must_equal '/'
+      page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+      link = email_link(/(\/verify-account\?key=.+)$/, 'bar@example.com')
 
-    visit '/change-password'
-    fill_in 'New Password', :with=>"0123456789"
-    fill_in 'Confirm Password', :with=>"0123456789"
-    click_button 'Change Password'
-    page.html.must_include("invalid password, does not meet requirements (same as previous password)")
+      visit link
+      fill_in 'Password', :with=>'0123456789'
+      fill_in 'Confirm Password', :with=>'0123456789'
+      click_button 'Verify Account'
+      page.find('#notice_flash').text.must_equal "Your account has been verified"
+      page.current_path.must_equal '/'
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"012345678"
+      fill_in 'Confirm Password', :with=>"012345678"
+      click_button 'Change Password'
+      page.find('#notice_flash').text.must_equal "Your password has been changed"
+
+      visit '/change-password'
+      fill_in 'New Password', :with=>"0123456789"
+      fill_in 'Confirm Password', :with=>"0123456789"
+      click_button 'Change Password'
+      page.html.must_include("invalid password, does not meet requirements (same as previous password)")
+    end
   end
 end

data/spec/email_auth_spec.rb

@@ -26,7 +26,7 @@ describe 'Rodauth email auth feature' do
     link = email_link(/(\/email-auth\?key=.+)$/)
 
     visit link[0...-1]
-    page.find('#error_flash').text.must_equal "invalid email authentication key"
+    page.find('#error_flash').text.must_equal "There was an error logging you in: invalid email authentication key"
 
     visit '/login'
     fill_in 'Login', :with=>'foo@example.com'
@@ -105,7 +105,7 @@ describe 'Rodauth email auth feature' do
     link = email_link(/(\/email-auth\?key=.+)$/)
 
     visit link[0...-1]
-    page.find('#error_flash').text.must_equal "invalid email authentication key"
+    page.find('#error_flash').text.must_equal "There was an error logging you in: invalid email authentication key"
 
     visit '/login'
     fill_in 'Login', :with=>'foo@example.com'

data/spec/jwt_refresh_spec.rb

@@ -0,0 +1,256 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth login feature' do
+  it "should not have jwt refresh feature assume JWT token given during Basic/Digest authentication" do
+    rodauth do
+      enable :login, :logout, :jwt_refresh
+    end
+    roda(:jwt) do |r|
+      rodauth.require_authentication
+      '1'
+    end
+
+    res = json_request("/jwt-refresh", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
+    res.must_equal [401, {'error'=>'Please login to continue'}]
+
+    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
+    res.must_equal [401, {'error'=>'Please login to continue'}]
+  end
+
+  it "should require json request content type in only json mode for rodauth endpoints only" do
+    oj = false
+    rodauth do
+      enable :login, :logout, :jwt_refresh
+      jwt_secret '1'
+      json_response_success_key 'success'
+      only_json?{oj}
+    end
+    roda(:csrf=>false, :json=>true) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      '1'
+    end
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    res[1].delete('Set-Cookie')
+    res.must_equal [302, {"Content-Type"=>'text/html', "Content-Length"=>'0', "Location"=>"/login",}, []]
+
+    res = json_request("/", :content_type=>'application/vnd.api+json', :method=>'GET')
+    res.must_equal [400, ['{"error":"Please login to continue"}']]
+
+    oj = true
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :method=>'GET')
+    res.must_equal [400, ['{"error":"Please login to continue"}']]
+
+    res = json_request("/", :method=>'GET')
+    res.must_equal [400, {'error'=>'Please login to continue'}]
+
+    res = json_request("/login", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    msg = "Only JSON format requests are allowed"
+    res[1].delete('Set-Cookie')
+    res.must_equal [400, {"Content-Type"=>'text/html', "Content-Length"=>msg.length.to_s}, [msg]]
+
+    jwt_refresh_login
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    # res.must_equal [200, {"Content-Type"=>'text/html', "Content-Length"=>'1'}, ['1']]
+  end
+
+  it "should allow non-json requests if only_json? is false" do
+    rodauth do
+      enable :login, :logout, :jwt_refresh
+      jwt_secret '1'
+      only_json? false
+    end
+    roda(:jwt_html) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      view(:content=>'1')
+    end
+
+    login
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+  end
+
+  it "should require POST for json requests" do
+    rodauth do
+      enable :login, :logout, :jwt_refresh
+      jwt_secret '1'
+      json_response_success_key 'success'
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request("/login", :method=>'GET')
+    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
+  end
+
+  it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
+    rodauth do
+      enable :login, :logout, :jwt_refresh
+      jwt_secret '1'
+      json_response_success_key 'success'
+      jwt_check_accept? true
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request("/login", :headers=>{'HTTP_ACCEPT'=>'text/html'})
+    res.must_equal [406, {'error'=>'Unsupported Accept header. Must accept "application/json" or compatible content type'}]
+
+    jwt_refresh_validate_login(json_request("/login", :login=>'foo@example.com', :password=>'0123456789'))
+    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'*/*'}, :login=>'foo@example.com', :password=>'0123456789'))
+    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789'))
+    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789'))
+  end
+
+  it "should clear jwt refresh token when closing account" do
+    rodauth do
+      enable :login, :jwt_refresh, :close_account
+      jwt_secret '1'
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      response['Content-Type'] = 'application/json'
+      {'hello' => 'world'}.to_json
+    end
+
+    jwt_refresh_login
+
+    DB[:account_jwt_refresh_keys].count.must_equal 1
+    res = json_request('/close-account', :password=>'0123456789')
+    res[1].delete('access_token').must_be_kind_of(String)
+    res.must_equal [200, {'success'=>"Your account has been closed"}]
+    DB[:account_jwt_refresh_keys].count.must_equal 0
+  end
+
+
+  it "should set refresh tokens when creating accounts when using autologin" do
+    rodauth do
+      enable :login, :create_account, :jwt_refresh
+      after_create_account{json_response[:account_id] = account_id}
+      create_account_autologin? true
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      response['Content-Type'] = 'application/json'
+      {'hello' => 'world'}.to_json
+    end
+
+    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
+    refresh_token = res.last.delete('refresh_token')
+    @authorization = res.last.delete('access_token')
+    res.must_equal [200, {'success'=>"Your account has been created", 'account_id'=>DB[:accounts].max(:id)}]
+
+    res = json_request("/")
+    res.must_equal [200, {'hello'=>'world'}]
+
+    # We can refresh our token
+    res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
+    jwt_refresh_validate(res)
+    @authorization = res.last.delete('access_token')
+
+    # Which we can use to access protected resources
+    res = json_request("/")
+    res.must_equal [200, {'hello'=>'world'}]
+  end
+
+  [false, true].each do |hs|
+    it "generates and refreshes Refresh Tokens #{'with hmac_secret' if hs}" do
+      initial_secret = secret = SecureRandom.random_bytes(32) if hs
+      rodauth do
+        enable :login, :logout, :jwt_refresh
+        hmac_secret{secret} if hs
+        jwt_secret '1'
+      end
+      roda(:jwt) do |r|
+        r.rodauth
+        rodauth.require_authentication
+        response['Content-Type'] = 'application/json'
+        {'hello' => 'world'}.to_json
+      end
+      res = json_request("/")
+      res.must_equal [401, {'error'=>'Please login to continue'}]
+
+      # We can login
+      res = jwt_refresh_login
+      refresh_token = res.last['refresh_token']
+
+      # Which gives us an access token which grants us access to protected resources
+      @authorization = res.last['access_token']
+      res = json_request("/")
+      res.must_equal [200, {'hello'=>'world'}]
+
+      # We can refresh our token
+      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
+      jwt_refresh_validate(res)
+      second_refresh_token = res.last['refresh_token']
+
+      # Which we can use to access protected resources
+      @authorization = res.last['access_token']
+      res = json_request("/")
+      res.must_equal [200, {'hello'=>'world'}]
+
+      # Subsequent refresh token is valid
+      res = json_request("/jwt-refresh", :refresh_token=>second_refresh_token)
+      jwt_refresh_validate(res)
+      third_refresh_token = res.last['refresh_token']
+
+      # First refresh token is now no longer valid
+      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
+      res.must_equal [400, {"error"=>"invalid JWT refresh token"}]
+
+      # Third refresh token is valid
+      res = json_request("/jwt-refresh", :refresh_token=>third_refresh_token)
+      jwt_refresh_validate(res)
+      fourth_refresh_token = res.last['refresh_token']
+
+      # And still gives us a valid access token
+      @authorization = res.last['access_token']
+      res = json_request("/")
+      res.must_equal [200, {'hello'=>'world'}]
+
+      if hs
+        # Refresh secret doesn't work if hmac_secret changed
+        secret = SecureRandom.random_bytes(32)
+        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
+        res.first.must_equal 400
+        res.must_equal [400, {'error'=>'invalid JWT refresh token'}]
+
+        # Refresh secret works if hmac_secret changed back
+        secret = initial_secret
+        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
+        jwt_refresh_validate(res)
+
+        # And still gives us a valid access token
+        @authorization = res.last['access_token']
+        res = json_request("/")
+        res.must_equal [200, {'hello'=>'world'}]
+      end
+    end
+  end
+
+  it "should not return access_token for failed login attempt" do
+    rodauth do
+      enable :login, :create_account, :jwt_refresh
+      after_create_account{json_response[:account_id] = account_id}
+      create_account_autologin? true
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      response['Content-Type'] = 'application/json'
+      {'hello' => 'world'}.to_json
+    end
+
+    json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
+
+    res = json_request('/login', :login=>'foo@example2.com', :password=>'123123')
+    res.must_equal [401, {"field-error"=>['password', 'invalid password'], "error"=>"There was an error logging in"}]
+  end
+end