rodauth 1.20.0 → 1.21.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +6 -0
- data/doc/internals.rdoc +1 -1
- data/doc/release_notes/1.21.0.txt +12 -0
- data/lib/rodauth/features/otp.rb +8 -3
- data/lib/rodauth/version.rb +1 -1
- data/spec/two_factor_spec.rb +40 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e2660e5b2f14afadab7d56a0a7329ff3f22cea0bb800fa952b3b40c3dcfbcb29
|
|
4
|
+
data.tar.gz: 34b96d4d8bc26d641288af6bced9a42b9a895790b019a03b00c3f0e55b67843b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c1f90ea3269e61b7de2e336bbe08ccde86b9d343d4b773971fcda7c4f3294804d9b251087978a57ae6eb0fea0a435fd16f0dd239ae524c465739fa6a129b3584
|
|
7
|
+
data.tar.gz: 6d8b86790ac1214bd48fffea3aaeffdce63351b8bf6fc40dce6ca96fa471f84a2d08be525d804f5138ba5664ac73bbc68bfda6f279ef17655fc4f24e64bd23d0
|
data/CHANGELOG
CHANGED
data/doc/internals.rdoc
CHANGED
|
@@ -183,7 +183,7 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
|
|
|
183
183
|
foo_view
|
|
184
184
|
end
|
|
185
185
|
|
|
186
|
-
# Just like in Roda, r.post is called for
|
|
186
|
+
# Just like in Roda, r.post is called for POST requests
|
|
187
187
|
r.post do
|
|
188
188
|
# This is called before performing the foo action
|
|
189
189
|
before_foo
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
= Improvements
|
|
2
|
+
|
|
3
|
+
* rotp 5.1 is now supported in the otp feature. Previous rotp
|
|
4
|
+
versions down to rotp 2.1.1 remain supported.
|
|
5
|
+
|
|
6
|
+
* When using the otp feature without the sms or recovery_codes
|
|
7
|
+
features, if an account gets locked out from OTP authentication due
|
|
8
|
+
to multiple invalid OTP authentication codes, automatically log
|
|
9
|
+
them out, and redirect them to the login page. Previously, the
|
|
10
|
+
default behavior in this case could be a redirect loop if OTP
|
|
11
|
+
authentication is required for the user on the default_redirect
|
|
12
|
+
page.
|
data/lib/rodauth/features/otp.rb
CHANGED
|
@@ -109,7 +109,12 @@ module Rodauth
|
|
|
109
109
|
if otp_locked_out?
|
|
110
110
|
set_response_error_status(lockout_error_status)
|
|
111
111
|
set_redirect_error_flash otp_lockout_error_flash
|
|
112
|
-
|
|
112
|
+
if redir = otp_lockout_redirect
|
|
113
|
+
redirect redir
|
|
114
|
+
else
|
|
115
|
+
clear_session
|
|
116
|
+
redirect require_login_redirect
|
|
117
|
+
end
|
|
113
118
|
end
|
|
114
119
|
|
|
115
120
|
before_otp_auth_route
|
|
@@ -241,7 +246,7 @@ module Rodauth
|
|
|
241
246
|
|
|
242
247
|
def otp_lockout_redirect
|
|
243
248
|
return super if defined?(super)
|
|
244
|
-
|
|
249
|
+
nil
|
|
245
250
|
end
|
|
246
251
|
|
|
247
252
|
def otp_lockout_error_flash
|
|
@@ -359,7 +364,7 @@ module Rodauth
|
|
|
359
364
|
if ROTP::Base32.respond_to?(:random_base32)
|
|
360
365
|
# :nocov:
|
|
361
366
|
def otp_new_secret
|
|
362
|
-
ROTP::Base32.random_base32
|
|
367
|
+
ROTP::Base32.random_base32.downcase
|
|
363
368
|
end
|
|
364
369
|
# :nocov:
|
|
365
370
|
else
|
data/lib/rodauth/version.rb
CHANGED
data/spec/two_factor_spec.rb
CHANGED
|
@@ -560,10 +560,49 @@ describe 'Rodauth OTP feature' do
|
|
|
560
560
|
DB[:account_recovery_codes].select_order_map(:code).must_equal ['a', 'b']
|
|
561
561
|
end
|
|
562
562
|
|
|
563
|
+
it "should handle two factor lockout when using rodauth.require_two_factor_setup and rodauth.require_authentication" do
|
|
564
|
+
rodauth do
|
|
565
|
+
enable :login, :logout, :otp
|
|
566
|
+
otp_drift 10
|
|
567
|
+
end
|
|
568
|
+
roda do |r|
|
|
569
|
+
r.rodauth
|
|
570
|
+
rodauth.require_authentication
|
|
571
|
+
rodauth.require_two_factor_setup
|
|
572
|
+
|
|
573
|
+
view :content=>"Logged in"
|
|
574
|
+
end
|
|
575
|
+
|
|
576
|
+
login
|
|
577
|
+
page.title.must_equal 'Setup Two Factor Authentication'
|
|
578
|
+
secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
|
|
579
|
+
totp = ROTP::TOTP.new(secret)
|
|
580
|
+
fill_in 'Password', :with=>'0123456789'
|
|
581
|
+
fill_in 'Authentication Code', :with=>totp.now
|
|
582
|
+
click_button 'Setup Two Factor Authentication'
|
|
583
|
+
page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
|
|
584
|
+
page.current_path.must_equal '/'
|
|
585
|
+
page.html.must_include 'Logged in'
|
|
586
|
+
reset_otp_last_use
|
|
587
|
+
|
|
588
|
+
logout
|
|
589
|
+
login
|
|
590
|
+
|
|
591
|
+
6.times do
|
|
592
|
+
page.title.must_equal 'Enter Authentication Code'
|
|
593
|
+
fill_in 'Authentication Code', :with=>'foo'
|
|
594
|
+
click_button 'Authenticate via 2nd Factor'
|
|
595
|
+
end
|
|
596
|
+
page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures.'
|
|
597
|
+
page.title.must_include 'Login'
|
|
598
|
+
page.current_path.must_equal '/login'
|
|
599
|
+
end
|
|
600
|
+
|
|
563
601
|
it "should allow two factor authentication setup, login, removal without recovery" do
|
|
564
602
|
rodauth do
|
|
565
603
|
enable :login, :logout, :otp
|
|
566
604
|
otp_drift 10
|
|
605
|
+
otp_lockout_redirect '/'
|
|
567
606
|
end
|
|
568
607
|
roda do |r|
|
|
569
608
|
r.rodauth
|
|
@@ -1149,7 +1188,7 @@ describe 'Rodauth OTP feature' do
|
|
|
1149
1188
|
json_request(path).must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
|
|
1150
1189
|
end
|
|
1151
1190
|
|
|
1152
|
-
secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random.downcase
|
|
1191
|
+
secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random).downcase
|
|
1153
1192
|
totp = ROTP::TOTP.new(secret)
|
|
1154
1193
|
|
|
1155
1194
|
res = json_request('/otp-setup', :password=>'123456', :otp_secret=>secret)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.21.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-07-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -253,6 +253,7 @@ extra_rdoc_files:
|
|
|
253
253
|
- doc/release_notes/1.18.0.txt
|
|
254
254
|
- doc/release_notes/1.19.0.txt
|
|
255
255
|
- doc/release_notes/1.20.0.txt
|
|
256
|
+
- doc/release_notes/1.21.0.txt
|
|
256
257
|
files:
|
|
257
258
|
- CHANGELOG
|
|
258
259
|
- MIT-LICENSE
|
|
@@ -298,6 +299,7 @@ files:
|
|
|
298
299
|
- doc/release_notes/1.19.0.txt
|
|
299
300
|
- doc/release_notes/1.2.0.txt
|
|
300
301
|
- doc/release_notes/1.20.0.txt
|
|
302
|
+
- doc/release_notes/1.21.0.txt
|
|
301
303
|
- doc/release_notes/1.3.0.txt
|
|
302
304
|
- doc/release_notes/1.4.0.txt
|
|
303
305
|
- doc/release_notes/1.5.0.txt
|