RubyGems - rodauth - Versions diffs - 1.20.0 → 2.1.0 - Mend

rodauth 1.20.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

checksums.yaml +4 -4
data/CHANGELOG +170 -0
data/MIT-LICENSE +1 -1
data/README.rdoc +211 -79
data/doc/account_expiration.rdoc +12 -26
data/doc/active_sessions.rdoc +49 -0
data/doc/audit_logging.rdoc +44 -0
data/doc/base.rdoc +75 -128
data/doc/change_login.rdoc +7 -14
data/doc/change_password.rdoc +9 -13
data/doc/change_password_notify.rdoc +2 -2
data/doc/close_account.rdoc +9 -16
data/doc/confirm_password.rdoc +12 -5
data/doc/create_account.rdoc +11 -22
data/doc/disallow_password_reuse.rdoc +6 -13
data/doc/email_auth.rdoc +15 -14
data/doc/email_base.rdoc +6 -15
data/doc/http_basic_auth.rdoc +10 -1
data/doc/internals.rdoc +1 -1
data/doc/jwt.rdoc +22 -22
data/doc/jwt_cors.rdoc +22 -0
data/doc/jwt_refresh.rdoc +12 -8
data/doc/lockout.rdoc +17 -15
data/doc/login.rdoc +10 -2
data/doc/login_password_requirements_base.rdoc +15 -37
data/doc/logout.rdoc +2 -2
data/doc/otp.rdoc +24 -19
data/doc/password_complexity.rdoc +10 -26
data/doc/password_expiration.rdoc +11 -25
data/doc/password_grace_period.rdoc +16 -2
data/doc/recovery_codes.rdoc +18 -12
data/doc/release_notes/1.21.0.txt +12 -0
data/doc/release_notes/1.22.0.txt +11 -0
data/doc/release_notes/1.23.0.txt +32 -0
data/doc/release_notes/2.0.0.txt +361 -0
data/doc/release_notes/2.1.0.txt +31 -0
data/doc/remember.rdoc +40 -64
data/doc/reset_password.rdoc +12 -9
data/doc/session_expiration.rdoc +1 -0
data/doc/single_session.rdoc +16 -25
data/doc/sms_codes.rdoc +24 -14
data/doc/two_factor_base.rdoc +60 -22
data/doc/verify_account.rdoc +14 -12
data/doc/verify_account_grace_period.rdoc +6 -2
data/doc/verify_login_change.rdoc +9 -8
data/doc/webauthn.rdoc +115 -0
data/doc/webauthn_login.rdoc +15 -0
data/doc/webauthn_verify_account.rdoc +9 -0
data/javascript/webauthn_auth.js +45 -0
data/javascript/webauthn_setup.js +35 -0
data/lib/roda/plugins/rodauth.rb +1 -1
data/lib/rodauth.rb +32 -24
data/lib/rodauth/features/account_expiration.rb +5 -5
data/lib/rodauth/features/active_sessions.rb +160 -0
data/lib/rodauth/features/audit_logging.rb +96 -0
data/lib/rodauth/features/base.rb +144 -43
data/lib/rodauth/features/change_password_notify.rb +2 -2
data/lib/rodauth/features/confirm_password.rb +40 -2
data/lib/rodauth/features/create_account.rb +8 -13
data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
data/lib/rodauth/features/email_auth.rb +30 -29
data/lib/rodauth/features/email_base.rb +9 -4
data/lib/rodauth/features/http_basic_auth.rb +55 -35
data/lib/rodauth/features/jwt.rb +58 -10
data/lib/rodauth/features/jwt_cors.rb +53 -0
data/lib/rodauth/features/jwt_refresh.rb +3 -3
data/lib/rodauth/features/lockout.rb +12 -14
data/lib/rodauth/features/login.rb +54 -10
data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
data/lib/rodauth/features/otp.rb +72 -74
data/lib/rodauth/features/password_complexity.rb +4 -11
data/lib/rodauth/features/password_expiration.rb +2 -2
data/lib/rodauth/features/password_grace_period.rb +17 -10
data/lib/rodauth/features/recovery_codes.rb +49 -53
data/lib/rodauth/features/remember.rb +11 -27
data/lib/rodauth/features/reset_password.rb +26 -26
data/lib/rodauth/features/session_expiration.rb +6 -4
data/lib/rodauth/features/single_session.rb +7 -5
data/lib/rodauth/features/sms_codes.rb +62 -71
data/lib/rodauth/features/two_factor_base.rb +132 -28
data/lib/rodauth/features/verify_account.rb +25 -21
data/lib/rodauth/features/verify_account_grace_period.rb +20 -9
data/lib/rodauth/features/verify_login_change.rb +12 -11
data/lib/rodauth/features/webauthn.rb +507 -0
data/lib/rodauth/features/webauthn_login.rb +70 -0
data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
data/lib/rodauth/version.rb +2 -2
data/templates/button.str +1 -3
data/templates/change-login.str +1 -2
data/templates/change-password.str +3 -5
data/templates/close-account.str +2 -2
data/templates/confirm-password.str +1 -1
data/templates/create-account.str +1 -1
data/templates/email-auth-email.str +1 -1
data/templates/email-auth-request-form.str +2 -3
data/templates/email-auth.str +1 -1
data/templates/global-logout-field.str +6 -0
data/templates/login-confirm-field.str +2 -4
data/templates/login-display.str +3 -2
data/templates/login-field.str +2 -4
data/templates/login-form-footer.str +6 -0
data/templates/login-form.str +7 -0
data/templates/login.str +1 -9
data/templates/logout.str +1 -1
data/templates/multi-phase-login.str +3 -0
data/templates/otp-auth-code-field.str +5 -3
data/templates/otp-auth.str +1 -1
data/templates/otp-disable.str +1 -1
data/templates/otp-setup.str +3 -3
data/templates/password-confirm-field.str +2 -4
data/templates/password-field.str +2 -4
data/templates/recovery-auth.str +3 -6
data/templates/recovery-codes.str +1 -1
data/templates/remember.str +15 -20
data/templates/reset-password-email.str +1 -1
data/templates/reset-password-request.str +3 -3
data/templates/reset-password.str +1 -2
data/templates/sms-auth.str +1 -1
data/templates/sms-code-field.str +5 -3
data/templates/sms-confirm.str +1 -2
data/templates/sms-disable.str +1 -2
data/templates/sms-request.str +1 -1
data/templates/sms-setup.str +6 -4
data/templates/two-factor-auth.str +5 -0
data/templates/two-factor-disable.str +6 -0
data/templates/two-factor-manage.str +16 -0
data/templates/unlock-account-email.str +1 -1
data/templates/unlock-account-request.str +4 -4
data/templates/unlock-account.str +1 -1
data/templates/verify-account-email.str +1 -1
data/templates/verify-account-resend.str +3 -3
data/templates/verify-account.str +1 -2
data/templates/verify-login-change-email.str +2 -1
data/templates/verify-login-change.str +1 -1
data/templates/webauthn-auth.str +11 -0
data/templates/webauthn-remove.str +14 -0
data/templates/webauthn-setup.str +12 -0
metadata +89 -50
data/Rakefile +0 -179
data/doc/verify_change_login.rdoc +0 -11
data/lib/rodauth/features/verify_change_login.rb +0 -20
data/spec/account_expiration_spec.rb +0 -225
data/spec/all.rb +0 -1
data/spec/change_login_spec.rb +0 -156
data/spec/change_password_notify_spec.rb +0 -33
data/spec/change_password_spec.rb +0 -202
data/spec/close_account_spec.rb +0 -162
data/spec/confirm_password_spec.rb +0 -70
data/spec/create_account_spec.rb +0 -127
data/spec/disallow_common_passwords_spec.rb +0 -93
data/spec/disallow_password_reuse_spec.rb +0 -179
data/spec/email_auth_spec.rb +0 -285
data/spec/http_basic_auth_spec.rb +0 -143
data/spec/jwt_refresh_spec.rb +0 -256
data/spec/jwt_spec.rb +0 -235
data/spec/lockout_spec.rb +0 -250
data/spec/login_spec.rb +0 -328
data/spec/migrate/001_tables.rb +0 -184
data/spec/migrate/002_account_password_hash_column.rb +0 -11
data/spec/migrate_password/001_tables.rb +0 -73
data/spec/migrate_travis/001_tables.rb +0 -141
data/spec/password_complexity_spec.rb +0 -109
data/spec/password_expiration_spec.rb +0 -244
data/spec/password_grace_period_spec.rb +0 -93
data/spec/remember_spec.rb +0 -451
data/spec/reset_password_spec.rb +0 -229
data/spec/rodauth_spec.rb +0 -343
data/spec/session_expiration_spec.rb +0 -58
data/spec/single_session_spec.rb +0 -127
data/spec/spec_helper.rb +0 -327
data/spec/two_factor_spec.rb +0 -1423
data/spec/update_password_hash_spec.rb +0 -40
data/spec/verify_account_grace_period_spec.rb +0 -171
data/spec/verify_account_spec.rb +0 -240
data/spec/verify_change_login_spec.rb +0 -46
data/spec/verify_login_change_spec.rb +0 -232
data/spec/views/layout-other.str +0 -11
data/spec/views/layout.str +0 -11
data/spec/views/login.str +0 -21

data/spec/two_factor_spec.rb DELETED

@@ -1,1423 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-require 'rotp'
-describe 'Rodauth OTP feature' do
-  secret_length = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random).length
-  def reset_otp_last_use
-    DB[:account_otp_keys].update(:last_use=>Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, :seconds=>600))
-  end
-  it "should allow two factor authentication setup, login, recovery, removal" do
-    sms_phone = sms_message = nil
-    hmac_secret = '123'
-    rodauth do
-      enable :login, :logout, :otp, :recovery_codes, :sms_codes
-      otp_drift 10
-      hmac_secret do
-        hmac_secret
-      end
-      sms_send do |phone, msg|
-        proc{super(phone, msg)}.must_raise NotImplementedError
-        sms_phone = phone
-        sms_message = msg
-      end
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/otp-auth' unless rodauth.authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    %w'/otp-disable /recovery-auth /recovery-codes /sms-setup /sms-disable /sms-confirm /sms-request /sms-auth /otp-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'This account has not been setup for two factor authentication'
-      page.current_path.must_equal '/otp-setup'
-    end
-    page.title.must_equal 'Setup Two Factor Authentication'
-    page.html.must_include '<svg'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Password', :with=>'asdf'
-    click_button 'Setup Two Factor Authentication'
-    page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Setup Two Factor Authentication'
-    page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    hmac_secret = "321"
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
-    page.current_path.must_equal '/'
-    page.html.must_include 'With OTP'
-    logout
-    login
-    page.current_path.must_equal '/otp-auth'
-    page.find_by_id('otp-auth-code')[:autocomplete].must_equal 'off'
-    %w'/otp-disable /recovery-codes /otp-setup /sms-setup /sms-disable /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-      page.current_path.must_equal '/otp-auth'
-    end
-    page.title.must_equal 'Enter Authentication Code'
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    fill_in 'Authentication Code', :with=>"#{totp.now[0..2]} #{totp.now[3..-1]}"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    reset_otp_last_use
-    hmac_secret = '123'
-    fill_in 'Authentication Code', :with=>"#{totp.now[0..2]} #{totp.now[3..-1]}"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    reset_otp_last_use
-    hmac_secret = '321'
-    fill_in 'Authentication Code', :with=>"#{totp.now[0..2]} #{totp.now[3..-1]}"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    reset_otp_last_use
-    visit '/otp-setup'
-    page.find('#error_flash').text.must_equal 'You have already setup two factor authentication'
-    %w'/otp-auth /recovery-auth /sms-request /sms-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'Already authenticated via 2nd factor'
-    end
-    visit '/sms-disable'
-    page.find('#error_flash').text.must_equal 'SMS authentication has not been setup yet.'
-    visit '/sms-setup'
-    page.title.must_equal 'Setup SMS Backup Number'
-    fill_in 'Password', :with=>'012345678'
-    fill_in 'Phone Number', :with=>'(123) 456'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid SMS phone number'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'SMS authentication needs confirmation.'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS confirmation code for www\.example\.com is \d{12}\z/)
-    page.title.must_equal 'Confirm SMS Backup Number'
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    visit '/sms-setup'
-    page.find('#error_flash').text.must_equal 'SMS authentication needs confirmation.'
-    page.title.must_equal 'Confirm SMS Backup Number'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    sms_code = sms_message[/\d{12}\z/]
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    sms_code = sms_message[/\d{12}\z/]
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'SMS authentication has been setup.'
-    %w'/sms-setup /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'SMS authentication has already been setup.'
-      page.current_path.must_equal '/'
-    end
-    logout
-    login
-    visit '/sms-auth'
-    page.current_path.must_equal '/sms-request'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    sms_phone = sms_message = nil
-    page.title.must_equal 'Send SMS Code'
-    click_button 'Send SMS Code'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS authentication code for www\.example\.com is \d{6}\z/)
-    sms_code = sms_message[/\d{6}\z/]
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Authenticate via SMS Code'
-    page.html.must_include 'invalid SMS code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    click_button 'Send SMS Code'
-    sms_code = sms_message[/\d{6}\z/]
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    logout
-    login
-    visit '/sms-request'
-    click_button 'Send SMS Code'
-    5.times do
-      click_button 'Authenticate via SMS Code'
-      page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-      page.current_path.must_equal '/sms-auth'
-    end
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/otp-auth'
-    visit '/sms-request'
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/otp-auth'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Authenticate via 2nd Factor'
-    visit '/sms-disable'
-    page.title.must_equal 'Disable Backup SMS Authentication'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#error_flash').text.must_equal 'Error disabling SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#notice_flash').text.must_equal 'SMS authentication has been disabled.'
-    page.current_path.must_equal '/'
-    visit '/sms-setup'
-    page.title.must_equal 'Setup SMS Backup Number'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    sms_code = sms_message[/\d{12}\z/]
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    visit '/recovery-codes'
-    page.title.must_equal 'View Authentication Recovery Codes'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'View Authentication Recovery Codes'
-    page.find('#error_flash').text.must_equal 'Unable to view recovery codes.'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    recovery_codes = find('#recovery-codes').text.split
-    recovery_codes.length.must_equal 16
-    recovery_code = recovery_codes.first
-    logout
-    login
-    5.times do
-      page.title.must_equal 'Enter Authentication Code'
-      fill_in 'Authentication Code', :with=>"asdf"
-      click_button 'Authenticate via 2nd Factor'
-      page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-      page.html.must_include 'Invalid authentication code'
-    end
-    page.title.must_equal 'Enter Authentication Code'
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures. Can use recovery code to unlock. Can use SMS code to unlock.'
-    click_button 'Send SMS Code'
-    5.times do
-      click_button 'Authenticate via SMS Code'
-      page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-    end
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures. Can use recovery code to unlock.'
-    page.title.must_equal 'Enter Authentication Recovery Code'
-    fill_in 'Recovery Code', :with=>"asdf"
-    click_button 'Authenticate via Recovery Code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via recovery code.'
-    page.html.must_include 'Invalid recovery code'
-    fill_in 'Recovery Code', :with=>recovery_code
-    click_button 'Authenticate via Recovery Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    visit '/recovery-codes'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    page.html.wont_include(recovery_code)
-    find('#recovery-codes').text.split.length.must_equal 15
-    click_button 'Add Authentication Recovery Codes'
-    page.find('#error_flash').text.must_equal 'Unable to add recovery codes.'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    find('#recovery-codes').text.split.length.must_equal 15
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Add Authentication Recovery Codes'
-    page.find('#notice_flash').text.must_equal 'Additional authentication recovery codes have been added.'
-    find('#recovery-codes').text.split.length.must_equal 16
-    page.html.wont_include('Add Additional Authentication Recovery Codes')
-    visit '/otp-disable'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'Disable Two Factor Authentication'
-    page.find('#error_flash').text.must_equal 'Error disabling up two factor authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Disable Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication has been disabled'
-    page.html.must_include 'Without OTP'
-    [:account_otp_keys, :account_recovery_codes, :account_sms_codes].each do |t|
-      DB[t].count.must_equal 0
-    end
-  end
-  it "should allow namespaced two factor authentication without password requirements" do
-    rodauth do
-      enable :login, :logout, :otp, :recovery_codes
-      otp_drift 10
-      two_factor_modifications_require_password? false
-      otp_digits 8
-      prefix "/auth"
-    end
-    roda do |r|
-      r.on "auth" do
-        r.rodauth
-      end
-      r.redirect '/auth/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/auth/otp-auth' unless rodauth.two_factor_authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    %w'/auth/otp-disable /auth/recovery-auth /auth/recovery-codes /auth/otp-auth'.each do
-      visit '/auth/otp-disable'
-      page.find('#error_flash').text.must_equal 'This account has not been setup for two factor authentication'
-      page.current_path.must_equal '/auth/otp-setup'
-    end
-    page.title.must_equal 'Setup Two Factor Authentication'
-    page.html.must_include '<svg'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret, :digits=>8)
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Setup Two Factor Authentication'
-    page.find('#error_flash').text.must_equal 'Error setting up two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
-    page.current_path.must_equal '/'
-    page.html.must_include 'With OTP'
-    reset_otp_last_use
-    visit '/auth/logout'
-    click_button 'Logout'
-    login(:visit=>false)
-    page.current_path.must_equal '/auth/otp-auth'
-    visit '/auth/otp-disable'
-    page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-    page.current_path.must_equal '/auth/otp-auth'
-    visit '/auth/recovery-codes'
-    page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-    page.current_path.must_equal '/auth/otp-auth'
-    visit '/auth/otp-setup'
-    page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-    page.current_path.must_equal '/auth/otp-auth'
-    page.title.must_equal 'Enter Authentication Code'
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-    page.html.must_include 'Invalid authentication code'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    reset_otp_last_use
-    visit '/auth/otp-auth'
-    page.find('#error_flash').text.must_equal 'Already authenticated via 2nd factor'
-    visit '/auth/otp-setup'
-    page.find('#error_flash').text.must_equal 'You have already setup two factor authentication'
-    visit '/auth/recovery-auth'
-    page.find('#error_flash').text.must_equal 'Already authenticated via 2nd factor'
-    visit '/auth/recovery-codes'
-    page.title.must_equal 'View Authentication Recovery Codes'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    recovery_codes = find('#recovery-codes').text.split
-    recovery_codes.length.must_equal 16
-    recovery_code = recovery_codes.first
-    visit '/auth/logout'
-    click_button 'Logout'
-    login(:visit=>false)
-    5.times do
-      page.title.must_equal 'Enter Authentication Code'
-      fill_in 'Authentication Code', :with=>"asdf"
-      click_button 'Authenticate via 2nd Factor'
-      page.find('#error_flash').text.must_equal 'Error logging in via two factor authentication'
-      page.html.must_include 'Invalid authentication code'
-    end
-    page.title.must_equal 'Enter Authentication Code'
-    fill_in 'Authentication Code', :with=>"asdf"
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures. Can use recovery code to unlock.'
-    page.title.must_equal 'Enter Authentication Recovery Code'
-    fill_in 'Recovery Code', :with=>"asdf"
-    click_button 'Authenticate via Recovery Code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via recovery code.'
-    page.html.must_include 'Invalid recovery code'
-    fill_in 'Recovery Code', :with=>recovery_code
-    click_button 'Authenticate via Recovery Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    visit '/auth/recovery-codes'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    page.html.wont_include(recovery_code)
-    find('#recovery-codes').text.split.length.must_equal 15
-    click_button 'Add Authentication Recovery Codes'
-    page.find('#notice_flash').text.must_equal 'Additional authentication recovery codes have been added.'
-    find('#recovery-codes').text.split.length.must_equal 16
-    page.html.wont_include('Add Additional Authentication Recovery Codes')
-    visit '/auth/otp-disable'
-    click_button 'Disable Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication has been disabled'
-    page.html.must_include 'Without OTP'
-    [:account_otp_keys, :account_recovery_codes].each do |t|
-      DB[t].count.must_equal 0
-    end
-  end
-  it "should require login and OTP authentication to perform certain actions if user signed up for OTP" do
-    rodauth do
-      enable :login, :logout, :change_password, :change_login, :close_account, :otp, :recovery_codes
-      otp_drift 10
-    end
-    roda do |r|
-      r.rodauth
-      r.is "a" do
-        rodauth.require_authentication
-        view(:content=>"a")
-      end
-      view(:content=>"b")
-    end
-    %w'/change-password /change-login /close-account /a'.each do |path|
-      visit '/change-password'
-      page.current_path.must_equal '/login'
-    end
-    login
-    %w'/change-password /change-login /close-account /a'.each do |path|
-      visit path
-      page.current_path.must_equal path
-    end
-    visit '/otp-setup'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.current_path.must_equal '/'
-    logout
-    login
-    %w'/change-password /change-login /close-account /a'.each do |path|
-      visit path
-      page.current_path.must_equal '/otp-auth'
-    end
-  end
-  it "should handle attempts to insert a duplicate recovery code" do
-    keys = ['a', 'a', 'b']
-    interval = 1000000
-    rodauth do
-      enable :login, :logout, :otp, :recovery_codes
-      otp_interval interval
-      recovery_codes_limit 2
-      new_recovery_code{keys.shift}
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/otp-auth' unless rodauth.authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    visit '/otp-auth'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret, :interval=>interval)
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
-    page.current_path.must_equal '/'
-    DB[:account_recovery_codes].select_order_map(:code).must_equal ['a', 'b']
-  end
-  it "should allow two factor authentication setup, login, removal without recovery" do
-    rodauth do
-      enable :login, :logout, :otp
-      otp_drift 10
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        if rodauth.otp_locked_out?
-          view :content=>"OTP Locked Out"
-        else
-          r.redirect '/otp-auth' unless rodauth.authenticated?
-          view :content=>"With OTP"
-        end
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    visit '/recovery-auth'
-    page.current_path.must_equal '/login'
-    visit '/recovery-codes'
-    page.current_path.must_equal '/login'
-    login
-    page.html.must_include('Without OTP')
-    visit '/otp-setup'
-    page.title.must_equal 'Setup Two Factor Authentication'
-    page.html.must_include '<svg'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
-    page.current_path.must_equal '/'
-    page.html.must_include 'With OTP'
-    reset_otp_last_use
-    logout
-    login
-    visit '/otp-auth'
-    6.times do
-      page.title.must_equal 'Enter Authentication Code'
-      fill_in 'Authentication Code', :with=>'foo'
-      click_button 'Authenticate via 2nd Factor'
-    end
-    page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures.'
-    page.body.must_include 'OTP Locked Out'
-    page.current_path.must_equal '/'
-    DB[:account_otp_keys].update(:num_failures=>0)
-    visit '/otp-auth'
-    page.title.must_equal 'Enter Authentication Code'
-    page.html.wont_include 'Authenticate using recovery code'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Authenticate via 2nd Factor'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    visit '/otp-disable'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Disable Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication has been disabled'
-    page.html.must_include 'Without OTP'
-    DB[:account_otp_keys].count.must_equal 0
-  end
-  it "should remove otp data when closing accounts" do
-    rodauth do
-      enable :login, :logout, :otp, :recovery_codes, :sms_codes, :close_account
-      otp_drift 10
-      two_factor_modifications_require_password? false
-      close_account_requires_password? false
-      sms_send{|*|}
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>"With OTP"}
-    end
-    login
-    visit '/otp-setup'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    visit '/sms-setup'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    DB[:account_otp_keys].count.must_equal 1
-    DB[:account_recovery_codes].count.must_equal 16
-    DB[:account_sms_codes].count.must_equal 1
-    visit '/close-account'
-    click_button 'Close Account'
-    [:account_otp_keys, :account_recovery_codes, :account_sms_codes].each do |t|
-      DB[t].count.must_equal 0
-    end
-  end
-  it "should have recovery_codes and sms_codes work when used without otp" do
-    sms_code, sms_phone, sms_message = nil
-    rodauth do
-      enable :login, :logout, :recovery_codes, :sms_codes
-      sms_send do |phone, msg|
-        sms_phone = phone
-        sms_message = msg
-        sms_code = msg[/\d+\z/]
-      end
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/sms-request' unless rodauth.authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    %w'/recovery-auth /recovery-codes'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'This account has not been setup for two factor authentication'
-      page.current_path.must_equal '/sms-setup'
-    end
-    %w'/sms-disable /sms-request /sms-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'SMS authentication has not been setup yet.'
-      page.current_path.must_equal '/sms-setup'
-    end
-    visit '/sms-setup'
-    page.title.must_equal 'Setup SMS Backup Number'
-    fill_in 'Password', :with=>'012345678'
-    fill_in 'Phone Number', :with=>'(123) 456'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid SMS phone number'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'SMS authentication needs confirmation.'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS confirmation code for www\.example\.com is \d{12}\z/)
-    page.title.must_equal 'Confirm SMS Backup Number'
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    visit '/sms-setup'
-    page.find('#error_flash').text.must_equal 'SMS authentication needs confirmation.'
-    page.title.must_equal 'Confirm SMS Backup Number'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    visit '/recovery-codes'
-    page.title.must_equal 'View Authentication Recovery Codes'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'View Authentication Recovery Codes'
-    page.find('#error_flash').text.must_equal 'Unable to view recovery codes.'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    recovery_codes = find('#recovery-codes').text.split
-    recovery_codes.length.must_equal 16
-    recovery_code = recovery_codes.first
-    logout
-    login
-    page.current_path.must_equal '/sms-request'
-    %w'/recovery-codes /sms-setup /sms-disable /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-      page.current_path.must_equal '/sms-request'
-    end
-    visit '/sms-auth'
-    page.current_path.must_equal '/sms-request'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    sms_phone = sms_message = nil
-    page.title.must_equal 'Send SMS Code'
-    click_button 'Send SMS Code'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS authentication code for www\.example\.com is \d{6}\z/)
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Authenticate via SMS Code'
-    page.html.must_include 'invalid SMS code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    click_button 'Send SMS Code'
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    %w'/recovery-auth /sms-request /sms-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'Already authenticated via 2nd factor'
-    end
-    %w'/sms-setup /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'SMS authentication has already been setup.'
-      page.current_path.must_equal '/'
-    end
-    logout
-    login
-    click_button 'Send SMS Code'
-    5.times do
-      click_button 'Authenticate via SMS Code'
-      page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-      page.current_path.must_equal '/sms-auth'
-    end
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/recovery-auth'
-    visit '/sms-request'
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/recovery-auth'
-    page.title.must_equal 'Enter Authentication Recovery Code'
-    fill_in 'Recovery Code', :with=>"asdf"
-    click_button 'Authenticate via Recovery Code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via recovery code.'
-    page.html.must_include 'Invalid recovery code'
-    fill_in 'Recovery Code', :with=>recovery_code
-    click_button 'Authenticate via Recovery Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    visit '/recovery-codes'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    page.html.wont_include(recovery_code)
-    find('#recovery-codes').text.split.length.must_equal 15
-    click_button 'Add Authentication Recovery Codes'
-    page.find('#error_flash').text.must_equal 'Unable to add recovery codes.'
-    page.html.must_include 'invalid password'
-    visit '/sms-disable'
-    page.title.must_equal 'Disable Backup SMS Authentication'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#error_flash').text.must_equal 'Error disabling SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#notice_flash').text.must_equal 'SMS authentication has been disabled.'
-    page.current_path.must_equal '/'
-    [:account_recovery_codes, :account_sms_codes].each do |t|
-      DB[t].count.must_equal 0
-    end
-  end
-  it "should have recovery_codes work when used by itself" do
-    rodauth do
-      enable :login, :logout, :recovery_codes
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/recovery-auth' unless rodauth.authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    visit '/recovery-auth'
-    page.find('#error_flash').text.must_equal 'This account has not been setup for two factor authentication'
-    page.current_path.must_equal '/recovery-codes'
-    page.title.must_equal 'View Authentication Recovery Codes'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'View Authentication Recovery Codes'
-    page.find('#error_flash').text.must_equal 'Unable to view recovery codes.'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    recovery_codes = find('#recovery-codes').text.split
-    recovery_codes.length.must_equal 0
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Add Authentication Recovery Codes'
-    recovery_codes = find('#recovery-codes').text.split
-    recovery_codes.length.must_equal 16
-    recovery_code = recovery_codes.first
-    logout
-    login
-    page.current_path.must_equal '/recovery-auth'
-    visit '/recovery-codes'
-    page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-    page.current_path.must_equal '/recovery-auth'
-    page.title.must_equal 'Enter Authentication Recovery Code'
-    fill_in 'Recovery Code', :with=>"asdf"
-    click_button 'Authenticate via Recovery Code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via recovery code.'
-    page.html.must_include 'Invalid recovery code'
-    fill_in 'Recovery Code', :with=>recovery_code
-    click_button 'Authenticate via Recovery Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    page.html.must_include 'With OTP'
-    visit '/recovery-codes'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'View Authentication Recovery Codes'
-    page.title.must_equal 'Authentication Recovery Codes'
-    page.html.wont_include(recovery_code)
-    page.html.wont_include('Add Authentication Recovery Codes')
-    find('#recovery-codes').text.split.length.must_equal 16
-  end
-  it "should have sms_codes work when used by itself" do
-    sms_code, sms_phone, sms_message = nil
-    rodauth do
-      enable :login, :logout, :sms_codes
-      sms_send do |phone, msg|
-        sms_phone = phone
-        sms_message = msg
-        sms_code = msg[/\d+\z/]
-      end
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        if rodauth.sms_locked_out?
-          view :content=>"With SMS Locked Out"
-        else
-          rodauth.require_two_factor_authenticated
-          view :content=>"With OTP"
-        end
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    %w'/sms-disable /sms-request /sms-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'SMS authentication has not been setup yet.'
-      page.current_path.must_equal '/sms-setup'
-    end
-    visit '/sms-setup'
-    page.title.must_equal 'Setup SMS Backup Number'
-    fill_in 'Password', :with=>'012345678'
-    fill_in 'Phone Number', :with=>'(123) 456'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Setup SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Error setting up SMS authentication'
-    page.html.must_include 'invalid SMS phone number'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'SMS authentication needs confirmation.'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS confirmation code for www\.example\.com is \d{12}\z/)
-    page.title.must_equal 'Confirm SMS Backup Number'
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    visit '/sms-setup'
-    page.find('#error_flash').text.must_equal 'SMS authentication needs confirmation.'
-    page.title.must_equal 'Confirm SMS Backup Number'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#error_flash').text.must_equal 'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Phone Number', :with=>'(123) 456-7890'
-    click_button 'Setup SMS Backup Number'
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Confirm SMS Backup Number'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    logout
-    login
-    page.current_path.must_equal '/sms-request'
-    %w'/sms-setup /sms-disable /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'You need to authenticate via 2nd factor before continuing.'
-      page.current_path.must_equal '/sms-request'
-    end
-    visit '/sms-auth'
-    page.current_path.must_equal '/sms-request'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    sms_phone = sms_message = nil
-    page.title.must_equal 'Send SMS Code'
-    click_button 'Send SMS Code'
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS authentication code for www\.example\.com is \d{6}\z/)
-    fill_in 'SMS Code', :with=>"asdf"
-    click_button 'Authenticate via SMS Code'
-    page.html.must_include 'invalid SMS code'
-    page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#error_flash').text.must_equal 'No current SMS code for this account'
-    click_button 'Send SMS Code'
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    page.find('#notice_flash').text.must_equal 'You have been authenticated via 2nd factor'
-    %w'/sms-request /sms-auth'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'Already authenticated via 2nd factor'
-    end
-    %w'/sms-setup /sms-confirm'.each do |path|
-      visit path
-      page.find('#error_flash').text.must_equal 'SMS authentication has already been setup.'
-      page.current_path.must_equal '/'
-    end
-    logout
-    login
-    click_button 'Send SMS Code'
-    5.times do
-      click_button 'Authenticate via SMS Code'
-      page.find('#error_flash').text.must_equal 'Error authenticating via SMS code.'
-      page.current_path.must_equal '/sms-auth'
-    end
-    click_button 'Authenticate via SMS Code'
-    page.body.must_include "With SMS Locked Out"
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/'
-    visit '/sms-request'
-    page.find('#error_flash').text.must_equal 'SMS authentication has been locked out.'
-    page.current_path.must_equal '/'
-    DB[:account_sms_codes].update(:num_failures=>0)
-    visit '/sms-request'
-    click_button 'Send SMS Code'
-    fill_in 'SMS Code', :with=>sms_code
-    click_button 'Authenticate via SMS Code'
-    visit '/sms-disable'
-    page.title.must_equal 'Disable Backup SMS Authentication'
-    fill_in 'Password', :with=>'012345678'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#error_flash').text.must_equal 'Error disabling SMS authentication'
-    page.html.must_include 'invalid password'
-    fill_in 'Password', :with=>'0123456789'
-    click_button 'Disable Backup SMS Authentication'
-    page.find('#notice_flash').text.must_equal 'SMS authentication has been disabled.'
-    page.current_path.must_equal '/'
-    DB[:account_sms_codes].count.must_equal 0
-  end
-  it "should allow two factor authentication via jwt" do
-    hmac_secret = sms_phone = sms_message = sms_code = nil
-    rodauth do
-      enable :login, :logout, :otp, :recovery_codes, :sms_codes
-      otp_drift 10
-      hmac_secret do
-        hmac_secret
-      end
-      sms_send do |phone, msg|
-        sms_phone = phone
-        sms_message = msg
-        sms_code = msg[/\d+\z/]
-      end
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      if rodauth.logged_in?
-        if rodauth.two_factor_authentication_setup?
-          if rodauth.authenticated?
-           [1]
-          else
-           [2]
-          end
-        else
-         [3]
-        end
-      else
-        [4]
-      end
-    end
-    json_request.must_equal [200, [4]]
-    json_login
-    json_request.must_equal [200, [3]]
-    %w'/otp-disable /recovery-auth /recovery-codes /sms-setup /sms-confirm /otp-auth'.each do |path|
-      json_request(path).must_equal [403, {'error'=>'This account has not been setup for two factor authentication'}]
-    end
-    %w'/sms-disable /sms-request /sms-auth'.each do |path|
-      json_request(path).must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
-    end
-    secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random.downcase)
-    totp = ROTP::TOTP.new(secret)
-    res = json_request('/otp-setup', :password=>'123456', :otp_secret=>secret)
-    res.must_equal [401, {'error'=>'Error setting up two factor authentication', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/otp-setup', :password=>'0123456789', :otp=>'adsf', :otp_secret=>secret)
-    res.must_equal [401, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}]
-    res = json_request('/otp-setup', :password=>'0123456789', :otp=>'adsf', :otp_secret=>'asdf')
-    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}]
-    res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret)
-    res.must_equal [200, {'success'=>'Two factor authentication is now setup'}]
-    reset_otp_last_use
-    json_logout
-    json_login
-    json_request.must_equal [200, [2]]
-    %w'/otp-disable /recovery-codes /otp-setup /sms-setup /sms-disable /sms-confirm'.each do |path|
-      json_request(path).must_equal [401, {'error'=>'You need to authenticate via 2nd factor before continuing.'}]
-    end
-    res = json_request('/otp-auth', :otp=>'adsf')
-    res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}]
-    res = json_request('/otp-auth', :otp=>totp.now)
-    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
-    json_request.must_equal [200, [1]]
-    reset_otp_last_use
-    res = json_request('/otp-setup')
-    res.must_equal [400, {'error'=>'You have already setup two factor authentication'}]
-    %w'/otp-auth /recovery-auth /sms-request /sms-auth'.each do |path|
-      res = json_request(path)
-      res.must_equal [403, {'error'=>'Already authenticated via 2nd factor'}]
-    end
-    res = json_request('/sms-disable')
-    res.must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
-    res = json_request('/sms-setup', :password=>'012345678', "sms-phone"=>'(123) 456')
-    res.must_equal [401, {'error'=>'Error setting up SMS authentication', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 456')
-    res.must_equal [422, {'error'=>'Error setting up SMS authentication', "field-error"=>["sms-phone", 'invalid SMS phone number']}]
-    res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
-    res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS confirmation code for example\.com: is \d{12}\z/)
-    res = json_request('/sms-confirm', :sms_code=>'asdf')
-    res.must_equal [401, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}]
-    res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
-    res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    res = json_request('/sms-confirm', :sms_code=>sms_code)
-    res.must_equal [401, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}]
-    res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
-    res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
-    res = json_request('/sms-confirm', "sms-code"=>sms_code)
-    res.must_equal [200, {'success'=>'SMS authentication has been setup.'}]
-    %w'/sms-setup /sms-confirm'.each do |path|
-      res = json_request(path)
-      res.must_equal [403, {'error'=>'SMS authentication has already been setup.'}]
-    end
-    json_logout
-    json_login
-    res = json_request('/sms-auth')
-    res.must_equal [401, {'error'=>'No current SMS code for this account'}]
-    sms_phone = sms_message = nil
-    res = json_request('/sms-request')
-    res.must_equal [200, {'success'=>'SMS authentication code has been sent.'}]
-    sms_phone.must_equal '1234567890'
-    sms_message.must_match(/\ASMS authentication code for example\.com: is \d{6}\z/)
-    res = json_request('/sms-auth')
-    res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
-    DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
-    res = json_request('/sms-auth')
-    res.must_equal [401, {'error'=>'No current SMS code for this account'}]
-    res = json_request('/sms-request')
-    res.must_equal [200, {'success'=>'SMS authentication code has been sent.'}]
-    res = json_request('/sms-auth', 'sms-code'=>sms_code)
-    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
-    json_request.must_equal [200, [1]]
-    json_logout
-    json_login
-    res = json_request('/sms-request')
-    res.must_equal [200, {'success'=>'SMS authentication code has been sent.'}]
-    5.times do
-      res = json_request('/sms-auth')
-      res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
-    end
-    res = json_request('/sms-auth')
-    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}]
-    res = json_request('/sms-request')
-    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}]
-    res = json_request('/otp-auth', :otp=>totp.now)
-    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
-    json_request.must_equal [200, [1]]
-    res = json_request('/sms-disable', :password=>'012345678')
-    res.must_equal [401, {'error'=>'Error disabling SMS authentication', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/sms-disable', :password=>'0123456789')
-    res.must_equal [200, {'success'=>'SMS authentication has been disabled.'}]
-    res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
-    res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
-    res = json_request('/sms-confirm', "sms-code"=>sms_code)
-    res.must_equal [200, {'success'=>'SMS authentication has been setup.'}]
-    res = json_request('/recovery-codes', :password=>'asdf')
-    res.must_equal [401, {'error'=>'Unable to view recovery codes.', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/recovery-codes', :password=>'0123456789')
-    codes = res[1].delete('codes')
-    codes.sort.must_equal DB[:account_recovery_codes].select_map(:code).sort
-    res.must_equal [200, {'success'=>''}]
-    json_logout
-    json_login
-    5.times do
-      res = json_request('/otp-auth', :otp=>'asdf')
-      res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}]
-    end
-    res = json_request('/otp-auth', :otp=>'asdf')
-    res.must_equal [403, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock. Can use SMS code to unlock.'}]
-    res = json_request('/sms-request')
-    5.times do
-      res = json_request('/sms-auth')
-      res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
-    end
-    res = json_request('/otp-auth', :otp=>'asdf')
-    res.must_equal [403, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock.'}]
-    res = json_request('/sms-auth')
-    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}]
-    res = json_request('/recovery-auth', 'recovery-code'=>'adsf')
-    res.must_equal [401, {'error'=>'Error authenticating via recovery code.', "field-error"=>["recovery-code", "Invalid recovery code"]}]
-    res = json_request('/recovery-auth', 'recovery-code'=>codes.first)
-    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
-    json_request.must_equal [200, [1]]
-    res = json_request('/recovery-codes', :password=>'0123456789')
-    codes2 = res[1].delete('codes')
-    codes2.sort.must_equal codes[1..-1].sort
-    res.must_equal [200, {'success'=>''}]
-    res = json_request('/recovery-codes', :password=>'012345678', :add=>'1')
-    res.must_equal [401, {'error'=>'Unable to add recovery codes.', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/recovery-codes', :password=>'0123456789', :add=>'1')
-    codes3 = res[1].delete('codes')
-    (codes3 - codes2).length.must_equal 1
-    res.must_equal [200, {'success'=>'Additional authentication recovery codes have been added.'}]
-    res = json_request('/otp-disable', :password=>'012345678')
-    res.must_equal [401, {'error'=>'Error disabling up two factor authentication', "field-error"=>["password", 'invalid password']}]
-    res = json_request('/otp-disable', :password=>'0123456789')
-    res.must_equal [200, {'success'=>'Two factor authentication has been disabled'}]
-    [:account_otp_keys, :account_recovery_codes, :account_sms_codes].each do |t|
-      DB[t].count.must_equal 0
-    end
-    hmac_secret  = "123"
-    res = json_request('/otp-setup')
-    secret = res[1].delete("otp_secret")
-    raw_secret = res[1].delete("otp_raw_secret")
-    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}]
-    totp = ROTP::TOTP.new(secret)
-    hmac_secret  = "321"
-    res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret, :otp_raw_secret=>raw_secret)
-    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}]
-    reset_otp_last_use
-    hmac_secret  = "123"
-    res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret, :otp_raw_secret=>raw_secret)
-    res.must_equal [200, {'success'=>'Two factor authentication is now setup'}]
-    reset_otp_last_use
-    json_logout
-    json_login
-    hmac_secret  = "321"
-    res = json_request('/otp-auth', :otp=>totp.now)
-    res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}]
-    hmac_secret  = "123"
-    res = json_request('/otp-auth', :otp=>totp.now)
-    res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
-    json_request.must_equal [200, [1]]
-  end
-  it "should allow two factor authentication setup, login, recovery, removal" do
-    warning = nil
-    before_called = false
-    rodauth do
-      enable :login, :otp, :logout
-      (class << self; self end).send(:define_method, :warn){|w| warning = w}
-      before_otp_authentication_route{before_called = true}
-      warning.must_equal "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
-      otp_drift 10
-    end
-    roda do |r|
-      r.rodauth
-      r.redirect '/login' unless rodauth.logged_in?
-      if rodauth.two_factor_authentication_setup?
-        r.redirect '/otp-auth' unless rodauth.authenticated?
-        view :content=>"With OTP"
-      else
-        view :content=>"Without OTP"
-      end
-    end
-    login
-    page.html.must_include('Without OTP')
-    visit '/otp-auth'
-    before_called.must_equal false
-    page.current_path.must_equal '/otp-setup'
-    secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
-    totp = ROTP::TOTP.new(secret)
-    fill_in 'Password', :with=>'0123456789'
-    fill_in 'Authentication Code', :with=>totp.now
-    click_button 'Setup Two Factor Authentication'
-    page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
-    page.current_path.must_equal '/'
-    page.html.must_include 'With OTP'
-    logout
-    before_called.must_equal false
-    login
-    page.current_path.must_equal '/otp-auth'
-    before_called.must_equal true
-  end
-end