rodauth 1.19.1 → 1.20.0

data/spec/lockout_spec.rb

@@ -48,7 +48,7 @@ describe 'Rodauth lockout feature' do
     email_link(/(\/unlock-account\?key=.+)$/).must_equal link
 
     visit link[0...-1]
-    page.find('#error_flash').text.must_equal 'No matching unlock account key'
+    page.find('#error_flash').text.must_equal "There was an error unlocking your account: invalid or expired unlock account key"
 
     visit link
     click_button 'Unlock Account'
@@ -212,7 +212,7 @@ describe 'Rodauth lockout feature' do
     end
 
     res = json_request('/unlock-account-request', :login=>'foo@example.com')
-    res.must_equal [401, {'error'=>"no matching login"}]
+    res.must_equal [401, {'error'=>"No matching login"}]
 
     res = json_login(:pass=>'1', :no_check=>true)
     res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
@@ -231,14 +231,14 @@ describe 'Rodauth lockout feature' do
     end
 
     res = json_request('/unlock-account')
-    res.must_equal [401, {'error'=>"No matching unlock account key"}]
+    res.must_equal [401, {'error'=>"There was an error unlocking your account: invalid or expired unlock account key"}]
 
     res = json_request('/unlock-account-request', :login=>'foo@example.com')
     res.must_equal [200, {'success'=>"An email has been sent to you with a link to unlock your account"}]
 
     link = email_link(/key=.+$/)
     res = json_request('/unlock-account', :key=>link[4...-1])
-    res.must_equal [401, {'error'=>"No matching unlock account key"}]
+    res.must_equal [401, {'error'=>"There was an error unlocking your account: invalid or expired unlock account key"}]
 
     res = json_request('/unlock-account', :key=>link[4..-1])
     res.must_equal [200, {'success'=>"Your account has been unlocked"}]

data/spec/login_spec.rb

@@ -15,6 +15,7 @@ describe 'Rodauth login feature' do
     login(:login=>'foo@example2.com', :visit=>false)
     page.find('#error_flash').text.must_equal 'There was an error logging in'
     page.html.must_include("no matching login")
+    page.all('[type=text]').first.value.must_equal 'foo@example2.com'
 
     login(:pass=>'012345678', :visit=>false)
     page.find('#error_flash').text.must_equal 'There was an error logging in'
@@ -38,6 +39,32 @@ describe 'Rodauth login feature' do
     rodauth do
       enable :login, :logout
       use_multi_phase_login? true
+      login_input_type 'email'
+      input_field_label_suffix ' (Required)'
+      input_field_error_class ' bad-input'
+      input_field_error_message_class 'err-msg'
+      mark_input_fields_as_required? true
+      field_attributes do |field|
+        if field == 'login'
+          'custom_field="custom_value"'
+        else
+          super(field)
+        end
+      end
+      field_error_attributes do |field|
+        if field == 'login'
+          'custom_error_field="custom_error_value"'
+        else
+          super(field)
+        end
+      end
+      formatted_field_error do |field, error|
+        if field == 'login'
+          super(field, error)
+        else
+          "<span class='err-msg2'>1#{error}2</span>"
+        end
+      end
     end
     roda do |r|
       r.rodauth
@@ -48,25 +75,39 @@ describe 'Rodauth login feature' do
     visit '/login'
     page.title.must_equal 'Login'
 
-    page.all('input[type=password]').must_be :empty?
-    fill_in 'Login', :with=>'foo2@example.com'
+    page.find('[custom_field=custom_value]').value.must_equal ''
+    page.all('[custom_error_field=custom_error_value]').must_be_empty
+    page.all('input[type=password]').must_be_empty
+    fill_in 'Login (Required)', :with=>'foo2@example.com'
     click_button 'Login'
     page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.html.must_include("no matching login")
-
-    page.all('input[type=password]').must_be :empty?
-    fill_in 'Login', :with=>'foo@example.com'
+    page.find('[custom_field=custom_value]').value.must_equal 'foo2@example.com'
+    page.find('[custom_error_field=custom_error_value]').value.must_equal 'foo2@example.com'
+    page.find('[type=email]').value.must_equal 'foo2@example.com'
+    page.find('.bad-input').value.must_equal 'foo2@example.com'
+    page.find('.err-msg').text.must_equal 'no matching login'
+
+    page.all('input[type=password]').must_be_empty
+    fill_in 'Login (Required)', :with=>'foo@example.com'
     click_button 'Login'
     page.find('#notice_flash').text.must_equal 'Login recognized, please enter your password'
 
-    page.all('input[type=text]').must_be :empty?
-    fill_in 'Password', :with=>'012345678'
+    page.all('[custom_field=custom_value]').must_be_empty
+    page.all('[custom_error_field=custom_error_value]').must_be_empty
+    page.all('[aria-invalid=true]').must_be_empty
+    page.all('[aria-describedby]').must_be_empty
+    page.find('[required=required]').value.to_s.must_equal ''
+    page.all('input[type=text]').must_be_empty
+    fill_in 'Password (Required)', :with=>'012345678'
     click_button 'Login'
     page.find('#error_flash').text.must_equal 'There was an error logging in'
-    page.html.must_include("invalid password")
+    page.find('[aria-invalid=true]').value.to_s.must_equal ''
+    page.find('[aria-describedby=password_error_message]').value.to_s.must_equal ''
+    page.all('[custom_error_field=custom_error_value]').must_be_empty
+    page.find('.err-msg2').text.must_equal '1invalid password2'
 
-    page.all('input[type=text]').must_be :empty?
-    fill_in 'Password', :with=>'0123456789'
+    page.all('input[type=text]').must_be_empty
+    fill_in 'Password (Required)', :with=>'0123456789'
     click_button 'Login'
     page.current_path.must_equal '/'
     page.find('#notice_flash').text.must_equal 'You have been logged in'

data/spec/migrate/001_tables.rb

@@ -39,6 +39,14 @@ Sequel.migration do
       DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
+    # Used by the refresh token feature
+    create_table(:account_jwt_refresh_keys) do
+      primary_key :id, :type=>:Bignum
+      foreign_key :account_id, :accounts, :type=>:Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
     # Used by the account verification feature
     create_table(:account_verification_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -139,6 +147,7 @@ Sequel.migration do
       run "GRANT ALL ON account_statuses TO #{user}"
       run "GRANT ALL ON accounts TO #{user}"
       run "GRANT ALL ON account_password_reset_keys TO #{user}"
+      run "GRANT ALL ON account_jwt_refresh_keys TO #{user}"
       run "GRANT ALL ON account_verification_keys TO #{user}"
       run "GRANT ALL ON account_login_change_keys TO #{user}"
       run "GRANT ALL ON account_remember_keys TO #{user}"
@@ -167,6 +176,7 @@ Sequel.migration do
                :account_remember_keys,
                :account_login_change_keys,
                :account_verification_keys,
+               :account_jwt_refresh_keys,
                :account_password_reset_keys,
                :accounts,
                :account_statuses)

data/spec/migrate_travis/001_tables.rb

@@ -47,6 +47,14 @@ Sequel.migration do
       DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
+    # Used by the refresh token feature
+    create_table(:account_jwt_refresh_keys) do
+      primary_key :id, :type=>:Bignum
+      foreign_key :account_id, :accounts, :type=>:Bignum
+      String :key, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
     create_table(:account_verification_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false

data/spec/remember_spec.rb

@@ -2,8 +2,12 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth remember feature' do
   it "should support login via remember token" do
+    secret = nil
+    raw_before = Time.now - 100000000
     rodauth do
       enable :login, :remember
+      hmac_secret{secret}
+      raw_remember_token_deadline{raw_before}
     end
     roda do |r|
       r.rodauth
@@ -43,6 +47,19 @@ describe 'Rodauth remember feature' do
     visit '/'
     page.body.must_include 'Not Logged In'
 
+    secret = SecureRandom.random_bytes(32)
+    visit '/load'
+    page.body.must_include 'Not Logged In'
+
+    secret = nil
+    raw_before = Time.now + 100000000
+    login
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+    remove_cookie('rack.session')
+
+    secret = SecureRandom.random_bytes(32)
     visit '/load'
     page.body.must_include 'Logged In via Remember'
 
@@ -75,6 +92,16 @@ describe 'Rodauth remember feature' do
     set_cookie('_remember', key)
     visit '/load'
     page.body.must_include 'Not Logged In'
+
+    login
+    visit '/remember'
+    choose 'Remember Me'
+    click_button 'Change Remember Setting'
+
+    secret = SecureRandom.random_bytes(32)
+    remove_cookie('rack.session')
+    visit '/load'
+    page.body.must_include 'Not Logged In'
   end
 
   it "should forget remember token when explicitly logging out" do

data/spec/reset_password_spec.rb

@@ -23,7 +23,7 @@ describe 'Rodauth reset_password feature' do
     link = email_link(/(\/reset-password\?key=.+)$/)
 
     visit link[0...-1]
-    page.find('#error_flash').text.must_equal "invalid password reset key"
+    page.find('#error_flash').text.must_equal "There was an error resetting your password: invalid or expired password reset key"
 
     visit '/login'
     click_link 'Forgot Password?'
@@ -92,7 +92,7 @@ describe 'Rodauth reset_password feature' do
     DB[:account_password_reset_keys].update(:deadline => Time.now - 60).must_equal 1
     link = email_link(/(\/reset-password\?key=.+)$/)
     visit link
-    page.find('#error_flash').text.must_equal "invalid password reset key"
+    page.find('#error_flash').text.must_equal "There was an error resetting your password: invalid or expired password reset key"
   end
 
   it "should support resetting passwords for accounts without confirmation" do

data/spec/rodauth_spec.rb

@@ -57,6 +57,30 @@ describe 'Rodauth' do
     page.title.must_equal 'Login'
   end
 
+  it "should warn when using deprecated configuration methods" do
+    warning = nil
+    rodauth do
+      enable :email_auth
+      (class << self; self end).send(:define_method, :warn) do |*a|
+        warning = a.first
+      end
+      auth_class_eval do
+        define_method(:warn) do |*a|
+          warning = a.first
+        end
+      end
+      no_matching_email_auth_key_message 'foo'
+    end
+    roda do |r|
+      rodauth.no_matching_email_auth_key_message
+    end
+
+    warning.must_equal "Deprecated no_matching_email_auth_key_message method used during configuration, switch to using no_matching_email_auth_key_error_flash"
+    visit '/'
+    body.must_equal 'foo'
+    warning.must_equal "Deprecated no_matching_email_auth_key_message method called at runtime, switch to using no_matching_email_auth_key_error_flash"
+  end
+
   it "should pick up template changes if not caching templates" do
     begin
       @no_freeze = true
@@ -294,7 +318,7 @@ describe 'Rodauth' do
     auth_class = nil
     no_freeze!
     rodauth{auth_class = auth}
-    roda(:csrf=>false, :flash=>false){}
+    roda(:csrf=>false, :flash=>false){|r|}
     Class.new(app).rodauth.must_equal auth_class
   end
 

data/spec/single_session_spec.rb

@@ -2,8 +2,12 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 
 describe 'Rodauth single session feature' do
   it "should limit accounts to a single logged in session" do
+    secret = nil
+    allow_raw = true
     rodauth do
       enable :login, :logout, :single_session
+      hmac_secret{secret}
+      allow_raw_single_session_key?{allow_raw}
     end
     roda do |r|
       rodauth.check_single_session
@@ -47,6 +51,22 @@ describe 'Rodauth single session feature' do
     visit '/clear'
     page.current_path.must_equal '/'
     page.body.must_include "Logged In"
+
+    secret = SecureRandom.random_bytes(32)
+    visit '/'
+    page.body.must_include "Logged In"
+
+    allow_raw = false
+    visit '/'
+    page.body.must_include "Not Logged"
+
+    login
+    page.body.must_include "Logged In"
+
+    allow_raw = true
+    secret = SecureRandom.random_bytes(32)
+    visit '/'
+    page.body.must_include "Not Logged"
   end
 
   it "should limit accounts to a single logged in session" do

data/spec/spec_helper.rb

@@ -73,6 +73,7 @@ ENV['RACK_ENV'] = 'test'
 end
 
 Base = Class.new(Roda)
+Base.opts[:check_dynamic_arity] = Base.opts[:check_arity] = :warn
 Base.plugin :flash
 Base.plugin :render, :layout_opts=>{:path=>'spec/views/layout.str'}
 Base.plugin(:not_found){raise "path #{request.path_info} not found"}
@@ -90,11 +91,20 @@ else
   Base.use Rack::Session::Cookie, :secret => '0123456789'
 end
 
+unless defined?(Rack::Test::VERSION) && Rack::Test::VERSION >= '0.8'
+  class Rack::Test::Cookie
+    def path
+      ([*(@options['path'] == "" ? "/" : @options['path'])].first.split(',').first || '/').strip
+    end
+  end
+end
+
 class Base
   attr_writer :title
 end
 
 JsonBase = Class.new(Roda)
+JsonBase.opts[:check_dynamic_arity] = JsonBase.opts[:check_arity] = :warn
 JsonBase.plugin(:not_found){raise "path #{request.path_info} not found"}
 
 class Minitest::HooksSpec
@@ -256,6 +266,25 @@ class Minitest::HooksSpec
     res
   end
 
+  def jwt_refresh_login
+    res = json_login({:no_check => true})
+    jwt_refresh_validate_login(res)
+    res
+  end
+
+  def jwt_refresh_validate_login(res)
+    res.first.must_equal 200
+    res.last.keys.sort.must_equal ['access_token', 'refresh_token', 'success']
+    res.last['success'].must_equal 'You have been logged in'
+    res
+  end
+
+  def jwt_refresh_validate(res)
+    res.first.must_equal 200
+    res.last.keys.sort.must_equal ['access_token', 'refresh_token']
+    res
+  end
+
   def json_logout
     json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
   end

data/spec/two_factor_spec.rb

@@ -3,7 +3,7 @@ require File.expand_path("spec_helper", File.dirname(__FILE__))
 require 'rotp'
 
 describe 'Rodauth OTP feature' do
-  secret_length = ROTP::Base32.random_base32.length
+  secret_length = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random).length
 
   def reset_otp_last_use
     DB[:account_otp_keys].update(:last_use=>Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, :seconds=>600))
@@ -11,9 +11,13 @@ describe 'Rodauth OTP feature' do
 
   it "should allow two factor authentication setup, login, recovery, removal" do
     sms_phone = sms_message = nil
+    hmac_secret = '123'
     rodauth do
       enable :login, :logout, :otp, :recovery_codes, :sms_codes
       otp_drift 10
+      hmac_secret do
+        hmac_secret
+      end
       sms_send do |phone, msg|
         proc{super(phone, msg)}.must_raise NotImplementedError
         sms_phone = phone
@@ -57,6 +61,14 @@ describe 'Rodauth OTP feature' do
     page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
     page.html.must_include 'Invalid authentication code'
 
+    hmac_secret = "321"
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Authentication Code', :with=>totp.now
+    click_button 'Setup Two Factor Authentication'
+    page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
+
+    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
+    totp = ROTP::TOTP.new(secret)
     fill_in 'Password', :with=>'0123456789'
     fill_in 'Authentication Code', :with=>totp.now
     click_button 'Setup Two Factor Authentication'
@@ -68,6 +80,8 @@ describe 'Rodauth OTP feature' do
     login
     page.current_path.must_equal '/otp-auth'
 
+    page.find_by_id('otp-auth-code')[:autocomplete].must_equal 'off'
+
     %w'/otp-disable /recovery-codes /otp-setup /sms-setup /sms-disable /sms-confirm'.each do |path|
       visit path
       page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
@@ -86,6 +100,14 @@ describe 'Rodauth OTP feature' do
     page.html.must_include 'Invalid authentication code'
     reset_otp_last_use
 
+    hmac_secret = '123'
+    fill_in 'Authentication Code', :with=>"#{totp.now[0..2]} #{totp.now[3..-1]}"
+    click_button 'Authenticate via 2nd Factor'
+    page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
+    page.html.must_include 'Invalid authentication code'
+    reset_otp_last_use
+
+    hmac_secret = '321'
     fill_in 'Authentication Code', :with=>"#{totp.now[0..2]} #{totp.now[3..-1]}"
     click_button 'Authenticate via 2nd Factor'
     page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
@@ -1085,10 +1107,13 @@ describe 'Rodauth OTP feature' do
   end
 
   it "should allow two factor authentication via jwt" do
-    sms_phone = sms_message = sms_code = nil
+    hmac_secret = sms_phone = sms_message = sms_code = nil
     rodauth do
       enable :login, :logout, :otp, :recovery_codes, :sms_codes
       otp_drift 10
+      hmac_secret do
+        hmac_secret
+      end
       sms_send do |phone, msg|
         sms_phone = phone
         sms_message = msg
@@ -1124,7 +1149,7 @@ describe 'Rodauth OTP feature' do
       json_request(path).must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
     end
 
-    secret = ROTP::Base32.random_base32
+    secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random.downcase)
     totp = ROTP::TOTP.new(secret)
 
     res = json_request('/otp-setup', :password=>'123456', :otp_secret=>secret)
@@ -1319,6 +1344,35 @@ describe 'Rodauth OTP feature' do
     [:account_otp_keys, :account_recovery_codes, :account_sms_codes].each do |t|
       DB[t].count.must_equal 0
     end
+
+    hmac_secret  = "123"
+    res = json_request('/otp-setup')
+    secret = res[1].delete("otp_secret")
+    raw_secret = res[1].delete("otp_raw_secret")
+    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}] 
+
+    totp = ROTP::TOTP.new(secret)
+    hmac_secret  = "321"
+    res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret, :otp_raw_secret=>raw_secret)
+    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}] 
+
+    reset_otp_last_use
+    hmac_secret  = "123"
+    res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret, :otp_raw_secret=>raw_secret)
+    res.must_equal [200, {'success'=>'Two factor authentication is now setup'}]
+    reset_otp_last_use
+
+    json_logout
+    json_login
+
+    hmac_secret  = "321"
+    res = json_request('/otp-auth', :otp=>totp.now)
+    res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
+
+    hmac_secret  = "123"
+    res = json_request('/otp-auth', :otp=>totp.now)
+    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
+    json_request.must_equal [200, [1]]
   end
 
   it "should allow two factor authentication setup, login, recovery, removal" do