rodauth 1.20.0 → 2.1.0

data/lib/rodauth/features/session_expiration.rb

@@ -2,10 +2,11 @@
 
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
-    error_flash "This session has expired, please login again."
+    error_flash "This session has expired, please login again"
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
+    auth_value_method :session_expiration_error_status, 401
     auth_value_method :session_expiration_default, true
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
@@ -37,6 +38,7 @@ module Rodauth
 
     def expire_session
       clear_session
+      set_redirect_error_status session_expiration_error_status
       set_redirect_error_flash session_expiration_error_flash
       redirect session_expiration_redirect
     end
@@ -45,11 +47,11 @@ module Rodauth
       require_login_redirect
     end
 
-    private
-
     def update_session
       super
-      session[session_last_activity_session_key] = session[session_created_session_key] = Time.now.to_i
+      t = Time.now.to_i
+      set_session_value(session_last_activity_session_key, t)
+      set_session_value(session_created_session_key, t)
     end
   end
 end

data/lib/rodauth/features/single_session.rb

@@ -6,6 +6,7 @@ module Rodauth
     redirect
 
     auth_value_method :allow_raw_single_session_key?, false
+    auth_value_method :inactive_session_error_status, 401
     auth_value_method :single_session_id_column, :id
     auth_value_method :single_session_key_column, :key
     session_key :single_session_session_key, :single_session_key
@@ -55,6 +56,7 @@ module Rodauth
 
     def no_longer_active_session
       clear_session
+      set_redirect_error_status inactive_session_error_status
       set_redirect_error_flash single_session_error_flash
       redirect single_session_redirect
     end
@@ -70,6 +72,11 @@ module Rodauth
       end
     end
 
+    def update_session
+      super
+      update_single_session_key
+    end
+
     private
 
     def after_close_account
@@ -87,11 +94,6 @@ module Rodauth
       set_session_value(single_session_session_key, data)
     end
 
-    def update_session
-      super
-      update_single_session_key
-    end
-
     def single_session_ds
       db[single_session_table].
         where(single_session_id_column=>session_value)

data/lib/rodauth/features/sms_codes.rb

@@ -28,28 +28,32 @@ module Rodauth
     button 'Send SMS Code', 'sms_request'
     button 'Setup SMS Backup Number', 'sms_setup'
 
-    error_flash "Error authenticating via SMS code.", 'sms_invalid_code'
+    error_flash "Error authenticating via SMS code", 'sms_invalid_code'
     error_flash "Error disabling SMS authentication", 'sms_disable'
     error_flash "Error setting up SMS authentication", 'sms_setup'
-    error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again.", 'sms_invalid_confirmation_code'
+    error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again", 'sms_invalid_confirmation_code'
     error_flash "No current SMS code for this account", 'no_current_sms_code'
-    error_flash "SMS authentication has been locked out.", 'sms_lockout'
-    error_flash "SMS authentication has already been setup.", 'sms_already_setup'
-    error_flash "SMS authentication has not been setup yet.", 'sms_not_setup'
-    error_flash "SMS authentication needs confirmation.", 'sms_needs_confirmation'
+    error_flash "SMS authentication has been locked out", 'sms_lockout'
+    error_flash "SMS authentication has already been setup", 'sms_already_setup'
+    error_flash "SMS authentication has not been setup yet", 'sms_not_setup'
+    error_flash "SMS authentication needs confirmation", 'sms_needs_confirmation'
 
-    notice_flash "SMS authentication code has been sent.", 'sms_request'
-    notice_flash "SMS authentication has been disabled.", 'sms_disable'
-    notice_flash "SMS authentication has been setup.", 'sms_confirm'
+    notice_flash "SMS authentication code has been sent", 'sms_request'
+    notice_flash "SMS authentication has been disabled", 'sms_disable'
+    notice_flash "SMS authentication has been setup", 'sms_confirm'
+
+    translatable_method :sms_auth_link_text, "Authenticate Using SMS Code"
+    translatable_method :sms_setup_link_text, "Setup Backup SMS Authentication"
+    translatable_method :sms_disable_link_text, "Disable SMS Authentication"
 
     redirect :sms_already_setup
     redirect :sms_confirm
     redirect :sms_disable
-    redirect(:sms_auth){"#{prefix}/#{sms_auth_route}"}
-    redirect(:sms_needs_confirmation){"#{prefix}/#{sms_confirm_route}"}
-    redirect(:sms_needs_setup){"#{prefix}/#{sms_setup_route}"}
-    redirect(:sms_request){"#{prefix}/#{sms_request_route}"}
-    redirect(:sms_lockout){_two_factor_auth_required_redirect}
+    redirect(:sms_auth){sms_auth_path}
+    redirect(:sms_needs_confirmation){sms_confirm_path}
+    redirect(:sms_needs_setup){sms_setup_path}
+    redirect(:sms_request){sms_request_path}
+    redirect(:sms_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
@@ -64,18 +68,19 @@ module Rodauth
     auth_value_method :sms_auth_code_length, 6
     auth_value_method :sms_code_allowed_seconds, 300
     auth_value_method :sms_code_column, :code
-    auth_value_method :sms_code_label, 'SMS Code'
+    translatable_method :sms_code_label, 'SMS Code'
     auth_value_method :sms_code_param, 'sms-code'
     auth_value_method :sms_codes_table, :account_sms_codes
     auth_value_method :sms_confirm_code_length, 12
     auth_value_method :sms_failure_limit, 5
     auth_value_method :sms_failures_column, :num_failures
     auth_value_method :sms_id_column, :id
-    auth_value_method :sms_invalid_code_message, "invalid SMS code"
-    auth_value_method :sms_invalid_phone_message, "invalid SMS phone number"
+    translatable_method :sms_invalid_code_message, "invalid SMS code"
+    translatable_method :sms_invalid_phone_message, "invalid SMS phone number"
     auth_value_method :sms_issued_at_column, :code_issued_at
     auth_value_method :sms_phone_column, :phone_number
-    auth_value_method :sms_phone_label, 'Phone Number'
+    translatable_method :sms_phone_label, 'Phone Number'
+    auth_value_method :sms_phone_input_type, 'tel'
     auth_value_method :sms_phone_min_length, 7
     auth_value_method :sms_phone_param, 'sms-phone'
 
@@ -110,7 +115,7 @@ module Rodauth
     route(:sms_request) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('sms_code')
       require_sms_available
       before_sms_request_route
 
@@ -133,7 +138,7 @@ module Rodauth
     route(:sms_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('sms_code')
       require_sms_available
 
       unless sms_current_auth?
@@ -157,7 +162,7 @@ module Rodauth
           if sms_code_match?(param(sms_code_param))
             before_sms_auth
             sms_remove_failures
-            two_factor_authenticate(:sms_code)
+            two_factor_authenticate('sms_code')
           else
             sms_record_failure
             after_sms_failure
@@ -238,8 +243,8 @@ module Rodauth
             before_sms_confirm
             sms_confirm
             after_sms_confirm
-            if sms_codes_primary?
-              two_factor_authenticate(:sms_code)
+            unless two_factor_authenticated?
+              two_factor_update_session('sms_code')
             end
           end
 
@@ -268,8 +273,8 @@ module Rodauth
           transaction do
             before_sms_disable
             sms_disable
-            if sms_codes_primary?
-              two_factor_remove_session
+            if two_factor_login_type_match?('sms_code')
+              two_factor_remove_session('sms_code')
             end
             after_sms_disable
           end
@@ -284,18 +289,6 @@ module Rodauth
       end
     end
 
-    def two_factor_need_setup_redirect
-      super || (sms_needs_setup_redirect if sms_codes_primary?)
-    end
-
-    def two_factor_auth_required_redirect
-      super || (sms_request_redirect if sms_codes_primary? && sms_available?)
-    end
-
-    def two_factor_auth_fallback_redirect
-      sms_available? ? sms_request_redirect : super
-    end
-
     def two_factor_remove
       super
       sms_disable
@@ -306,37 +299,6 @@ module Rodauth
       sms_remove_failures
     end
 
-    def two_factor_authentication_setup?
-      super || (sms_codes_primary? && sms_setup?)
-    end
-
-    def otp_auth_form_footer
-      "#{super if defined?(super)}#{"<p><a href=\"#{sms_request_route}\">Authenticate using SMS code</a></p>" if sms_available?}"
-    end
-
-    def otp_lockout_redirect
-      if sms_available?
-        sms_request_redirect
-      else
-        super if defined?(super)
-      end
-    end
-
-    def otp_lockout_error_flash
-      msg = super if defined?(super)
-      if sms_available?
-         msg = "#{msg} Can use SMS code to unlock."
-      end
-      msg
-    end
-
-    def otp_remove
-      super if defined?(super)
-      unless sms_codes_primary?
-        sms_disable
-      end
-    end
-
     def require_sms_setup
       unless sms_setup?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -415,11 +377,11 @@ module Rodauth
     end
 
     def sms_auth_message(code)
-      "SMS authentication code for #{request.host} is #{code}"
+      "SMS authentication code for #{domain} is #{code}"
     end
 
     def sms_confirm_message(code)
-      "SMS confirmation code for #{request.host} is #{code}"
+      "SMS confirmation code for #{domain} is #{code}"
     end
 
     def sms_set_code(code)
@@ -468,10 +430,39 @@ module Rodauth
       sms_code && sms_code_issued_at + sms_code_allowed_seconds > Time.now
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'sms_code' if sms_setup?
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [30, sms_request_path, sms_auth_link_text] if sms_available?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [30, sms_setup_path, sms_setup_link_text] if !sms_setup? && (sms_codes_primary? || uses_two_factor_authentication?)
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [30, sms_disable_path, sms_disable_link_text] if sms_setup?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('sms_codes')
+      super
+    end
+
     def sms_codes_primary?
-      !features.include?(:otp)
+      (features & [:otp, :webauthn]).empty?
     end
 
     def sms_normalize_phone(phone)

data/lib/rodauth/features/two_factor_base.rb

@@ -2,25 +2,50 @@
 
 module Rodauth
   Feature.define(:two_factor_base, :TwoFactorBase) do
+    loaded_templates %w'two-factor-manage two-factor-auth two-factor-disable'
+
+    view 'two-factor-manage', 'Manage Multifactor Authentication', 'two_factor_manage'
+    view 'two-factor-auth', 'Authenticate Using Additional Factor', 'two_factor_auth'
+    view 'two-factor-disable', 'Remove All Multifactor Authentication Methods', 'two_factor_disable'
+
+    before :two_factor_disable
+
     after :two_factor_authentication
+    after :two_factor_disable
+
+    additional_form_tags :two_factor_disable
+
+    button "Remove All Multifactor Authentication Methods", :two_factor_disable
 
-    redirect :two_factor_auth
-    redirect :two_factor_already_authenticated
+    redirect(:two_factor_auth)
+    redirect(:two_factor_already_authenticated)
+    redirect(:two_factor_disable)
+    redirect(:two_factor_need_setup){two_factor_manage_path}
+    redirect(:two_factor_auth_required){two_factor_auth_path}
 
-    notice_flash "You have been authenticated via 2nd factor", "two_factor_auth"
+    notice_flash "You have been multifactor authenticated", "two_factor_auth"
+    notice_flash "All multifactor authentication methods have been disabled", "two_factor_disable"
 
-    error_flash "This account has not been setup for two factor authentication", 'two_factor_not_setup'
-    error_flash "Already authenticated via 2nd factor", 'two_factor_already_authenticated'
-    error_flash "You need to authenticate via 2nd factor before continuing.", 'two_factor_need_authentication'
+    error_flash "This account has not been setup for multifactor authentication", 'two_factor_not_setup'
+    error_flash "You have already been multifactor authenticated", 'two_factor_already_authenticated'
+    error_flash "You need to authenticate via an additional factor before continuing", 'two_factor_need_authentication'
+    error_flash "Unable to remove all multifactor authentication methods", "two_factor_disable"
 
     auth_value_method :two_factor_already_authenticated_error_status, 403
     auth_value_method :two_factor_need_authentication_error_status, 401
     auth_value_method :two_factor_not_setup_error_status, 403
 
-    session_key :two_factor_session_key, :two_factor_auth
     session_key :two_factor_setup_session_key, :two_factor_auth_setup
-    auth_value_method :two_factor_need_setup_redirect, nil
-    auth_value_method :two_factor_auth_required_redirect, nil
+    session_key :two_factor_auth_redirect_session_key, :two_factor_auth_redirect
+
+    translatable_method :two_factor_setup_heading, "<h2>Setup Multifactor Authentication</h2>"
+    translatable_method :two_factor_remove_heading, "<h2>Remove Multifactor Authentication</h2>"
+    translatable_method :two_factor_disable_link_text, "Remove All Multifactor Authentication Methods"
+    auth_value_method :two_factor_auth_return_to_requested_location?, false
+
+    auth_cached_method :two_factor_auth_links
+    auth_cached_method :two_factor_setup_links
+    auth_cached_method :two_factor_remove_links
 
     auth_value_methods :two_factor_modifications_require_password?
 
@@ -32,6 +57,62 @@ module Rodauth
       :two_factor_update_session
     )
 
+    route(:two_factor_manage, 'multifactor-manage') do |r|
+      require_account
+      before_two_factor_manage_route
+
+      r.get do
+        all_links = two_factor_setup_links + two_factor_remove_links
+        if all_links.length == 1
+          redirect all_links[0][1]
+        end
+        two_factor_manage_view
+      end
+    end
+
+    route(:two_factor_auth, 'multifactor-auth') do |r|
+      require_login
+      require_account_session
+      require_two_factor_setup
+      require_two_factor_not_authenticated
+      before_two_factor_auth_route
+
+      r.get do
+        if two_factor_auth_links.length == 1
+          redirect two_factor_auth_links[0][1]
+        end
+        two_factor_auth_view
+      end
+    end
+
+    route(:two_factor_disable, 'multifactor-disable') do |r|
+      require_account
+      require_two_factor_setup
+      before_two_factor_disable_route
+
+      r.get do
+        two_factor_disable_view
+      end
+
+      r.post do
+        if two_factor_password_match?(param(password_param))
+          transaction do
+            before_two_factor_disable
+            two_factor_remove
+            _two_factor_remove_all_from_session
+            after_two_factor_disable
+          end
+          set_notice_flash two_factor_disable_notice_flash
+          redirect two_factor_disable_redirect
+        end
+
+        set_response_error_status(invalid_password_error_status)
+        set_field_error(password_param, invalid_password_message)
+        set_error_flash two_factor_disable_error_flash
+        two_factor_disable_view
+      end
+    end
+
     def two_factor_modifications_require_password?
       modifications_require_password?
     end
@@ -67,8 +148,8 @@ module Rodauth
       redirect two_factor_need_setup_redirect
     end
     
-    def require_two_factor_not_authenticated
-      if two_factor_authenticated?
+    def require_two_factor_not_authenticated(auth_type = nil)
+      if two_factor_authenticated? || (auth_type && two_factor_login_type_match?(auth_type))
         set_redirect_error_status(two_factor_already_authenticated_error_status)
         set_redirect_error_flash two_factor_already_authenticated_error_flash
         redirect two_factor_already_authenticated_redirect
@@ -77,9 +158,12 @@ module Rodauth
 
     def require_two_factor_authenticated
       unless two_factor_authenticated?
+        if two_factor_auth_return_to_requested_location?
+          set_session_value(two_factor_auth_redirect_session_key, request.fullpath)
+        end
         set_redirect_error_status(two_factor_need_authentication_error_status)
         set_redirect_error_flash two_factor_need_authentication_error_flash
-        redirect _two_factor_auth_required_redirect
+        redirect two_factor_auth_required_redirect
       end
     end
 
@@ -87,10 +171,6 @@ module Rodauth
       nil
     end
 
-    def two_factor_auth_fallback_redirect
-      nil
-    end
-
     def two_factor_password_match?(password)
       if two_factor_modifications_require_password?
         password_match?(password)
@@ -100,25 +180,45 @@ module Rodauth
     end
 
     def two_factor_authenticated?
-      !!session[two_factor_session_key]
+      authenticated_by && authenticated_by.length >= 2
     end
 
     def two_factor_authentication_setup?
-      false
+      possible_authentication_methods.length >= 2
     end
 
     def uses_two_factor_authentication?
       return false unless logged_in?
-      session[two_factor_setup_session_key] = two_factor_authentication_setup? unless session.has_key?(two_factor_setup_session_key)
+      set_session_value(two_factor_setup_session_key, two_factor_authentication_setup?) unless session.has_key?(two_factor_setup_session_key)
       session[two_factor_setup_session_key]
     end
 
+    def two_factor_login_type_match?(type)
+      authenticated_by && authenticated_by.include?(type)
+    end
+
     def two_factor_remove
       nil
     end
 
     private
 
+    def _two_factor_auth_links
+      (super if defined?(super)) || []
+    end
+
+    def _two_factor_setup_links
+      (super if defined?(super)) || []
+    end
+
+    def _two_factor_remove_links
+      (super if defined?(super)) || []
+    end
+
+    def _two_factor_remove_all_from_session
+      nil
+    end
+
     def after_close_account
       super if defined?(super)
       two_factor_remove
@@ -129,21 +229,25 @@ module Rodauth
       two_factor_remove_auth_failures
       after_two_factor_authentication
       set_notice_flash two_factor_auth_notice_flash
-      redirect two_factor_auth_redirect
+      redirect_two_factor_authenticated
     end
 
-    def two_factor_remove_session
-      session.delete(two_factor_session_key)
-      session[two_factor_setup_session_key] = false
+    def redirect_two_factor_authenticated
+      saved_two_factor_auth_redirect = remove_session_value(two_factor_auth_redirect_session_key)
+      redirect saved_two_factor_auth_redirect || two_factor_auth_redirect
     end
 
-    def two_factor_update_session(type)
-      session[two_factor_session_key] = type
-      session[two_factor_setup_session_key] = true
+    def two_factor_remove_session(type)
+      authenticated_by.delete(type)
+      remove_session_value(two_factor_setup_session_key)
+      if authenticated_by.empty?
+        clear_session
+      end
     end
 
-    def _two_factor_auth_required_redirect
-      two_factor_auth_required_redirect || two_factor_auth_fallback_redirect || default_redirect
+    def two_factor_update_session(auth_type)
+      authenticated_by << auth_type
+      set_session_value(two_factor_setup_session_key, true)
     end
   end
 end