rodauth 1.20.0 → 2.1.0

data/lib/rodauth/features/account_expiration.rb

@@ -69,6 +69,11 @@ module Rodauth
       update_last_login
     end
 
+    def update_session
+      check_account_expiration
+      super
+    end
+
     private
 
     def before_reset_password
@@ -96,11 +101,6 @@ module Rodauth
       account_activity_ds(account_id).delete
     end
 
-    def update_session
-      check_account_expiration
-      super
-    end
-
     def account_activity_ds(account_id)
       db[account_activity_table].
         where(account_activity_id_column=>account_id)

data/lib/rodauth/features/active_sessions.rb

@@ -0,0 +1,160 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:active_sessions, :ActiveSessions) do
+    depends :logout
+
+    error_flash 'This session has been logged out'
+    redirect
+
+    session_key :session_id_session_key, :active_session_id
+    auth_value_method :active_sessions_account_id_column, :account_id
+    auth_value_method :active_sessions_created_at_column, :created_at
+    auth_value_method :active_sessions_last_use_column, :last_use
+    auth_value_method :active_sessions_session_id_column, :session_id
+    auth_value_method :active_sessions_table, :account_active_session_keys
+    translatable_method :global_logout_label, 'Logout all Logged In Sessons?'
+    auth_value_method :global_logout_param, 'global_logout'
+    auth_value_method :inactive_session_error_status, 401
+    auth_value_method :session_inactivity_deadline, 86400
+    auth_value_method(:session_lifetime_deadline, 86400*30)
+
+    auth_methods(
+      :add_active_session,
+      :currently_active_session?,
+      :handle_duplicate_active_session_id,
+      :no_longer_active_session,
+      :remove_all_active_sessions,
+      :remove_current_session,
+      :remove_inactive_sessions,
+    )
+
+    def currently_active_session?
+      return false unless session_id = session[session_id_session_key]
+
+      remove_inactive_sessions
+      ds = active_sessions_ds.
+        where(active_sessions_session_id_column => compute_hmac(session_id))
+
+      if session_inactivity_deadline
+        ds.update(active_sessions_last_use_column => Sequel::CURRENT_TIMESTAMP) == 1
+      else
+        ds.count == 1
+      end
+    end
+
+    def check_active_session
+      if logged_in? && !currently_active_session?
+        no_longer_active_session
+      end
+    end
+
+    def no_longer_active_session
+      clear_session
+      set_redirect_error_status inactive_session_error_status
+      set_redirect_error_flash active_sessions_error_flash
+      redirect active_sessions_redirect
+    end
+
+    def add_active_session
+      key = random_key
+      set_session_value(session_id_session_key, key)
+      if e = raises_uniqueness_violation? do
+          active_sessions_ds.insert(active_sessions_account_id_column => session_value, active_sessions_session_id_column => compute_hmac(key))
+        end
+        handle_duplicate_active_session_id(e)
+      end
+      nil
+    end
+
+    def handle_duplicate_active_session_id(_e)
+      # Do nothing by default as session is already tracked.  This will result in
+      # the current session and the existing session with the same id
+      # being tracked together, so that a logout of one will logout
+      # the other, and updating the last use on one will update the other,
+      # but this should be acceptable.  However, this can be overridden if different
+      # behavior is desired.
+    end
+
+    def remove_current_session
+      active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session[session_id_session_key])).delete
+    end
+
+    def remove_all_active_sessions
+      active_sessions_ds.delete
+    end
+
+    def remove_inactive_sessions
+      if cond = inactive_session_cond
+        active_sessions_ds.where(cond).delete
+      end
+    end
+
+    def logout_additional_form_tags
+      super.to_s + render('global-logout-field')
+    end
+
+    def update_session
+      super
+      add_active_session
+    end
+
+    private
+
+    def after_refresh_token
+      super if defined?(super)
+      if prev_key = session[session_id_session_key]
+        key = random_key
+        set_session_value(session_id_session_key, key)
+        active_sessions_ds.
+          where(active_sessions_session_id_column => compute_hmac(prev_key)).
+          update(active_sessions_session_id_column => compute_hmac(key))
+      end
+    end
+
+    def after_close_account
+      super if defined?(super)
+      remove_all_active_sessions
+    end
+
+    def before_logout
+      if request.post?
+        if param_or_nil(global_logout_param)
+          remove_all_active_sessions
+        else
+          remove_current_session
+        end
+      end
+      super if defined?(super)
+    end
+
+    def session_inactivity_deadline_condition
+      if deadline = session_inactivity_deadline
+        Sequel[active_sessions_last_use_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
+      end
+    end
+
+    def session_lifetime_deadline_condition
+      if deadline = session_lifetime_deadline
+        Sequel[active_sessions_created_at_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
+      end
+    end
+
+    def inactive_session_cond
+      cond = session_inactivity_deadline_condition
+      cond2 = session_lifetime_deadline_condition
+      return false unless cond || cond2
+      Sequel.|(*[cond, cond2].compact)
+    end
+
+    def active_sessions_ds
+      db[active_sessions_table].
+        where(active_sessions_account_id_column=>session_value)
+    end
+
+    def use_date_arithmetic?
+      true
+    end
+  end
+end
+

data/lib/rodauth/features/audit_logging.rb

@@ -0,0 +1,96 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:audit_logging, :AuditLogging) do
+    auth_value_method :audit_logging_account_id_column, :account_id
+    auth_value_method :audit_logging_message_column, :message
+    auth_value_method :audit_logging_metadata_column, :metadata
+    auth_value_method :audit_logging_table, :account_authentication_audit_logs
+    auth_value_method :audit_log_metadata_default, nil
+
+    auth_methods(
+      :add_audit_log,
+      :audit_log_insert_hash,
+      :audit_log_message,
+      :audit_log_message_default,
+      :audit_log_metadata,
+      :serialize_audit_log_metadata,
+    )
+
+    configuration_module_eval do
+      [:audit_log_message_for, :audit_log_metadata_for].each do |method|
+        define_method(method) do |action, value=nil, &block|
+          block ||= proc{value}
+          meth = :"#{method}_#{action}"
+          @auth.send(:define_method, meth, &block)
+          @auth.send(:private, meth)
+        end
+      end
+    end
+
+    def hook_action(hook_type, action)
+      super
+      # In after_logout, session is already cleared, so use before_logout in that case
+      if (hook_type == :after || action == :logout) && (id = account ? account_id : session_value)
+        add_audit_log(id, action)
+      end
+    end
+
+    def add_audit_log(account_id, action)
+      if hash = audit_log_insert_hash(account_id, action)
+        audit_log_ds.insert(hash)
+      end
+    end
+
+    def audit_log_insert_hash(account_id, action)
+      if message = audit_log_message(action)
+        {
+          audit_logging_account_id_column => account_id,
+          audit_logging_message_column => message,
+          audit_logging_metadata_column => serialize_audit_log_metadata(audit_log_metadata(action))
+        }
+      end
+    end
+
+    def serialize_audit_log_metadata(metadata)
+      metadata.to_json unless metadata.nil?
+    end
+
+    def audit_log_message_default(action)
+      action.to_s
+    end
+
+    def audit_log_message(action)
+      meth = :"audit_log_message_for_#{action}"
+      if respond_to?(meth, true)
+        send(meth)
+      else
+        audit_log_message_default(action)
+      end
+    end
+
+    def audit_log_metadata(action)
+      meth = :"audit_log_metadata_for_#{action}"
+      if respond_to?(meth, true)
+        send(meth)
+      else
+        audit_log_metadata_default
+      end
+    end
+
+    private
+
+    def audit_log_ds
+      ds = db[audit_logging_table]
+      if db.database_type == :postgres
+        # For PostgreSQL, use RETURNING NULL. This allows the feature
+        # to be used with INSERT but not SELECT permissions on the
+        # table, useful for audit logging where the database user
+        # the application is running as should not need to read the
+        # logs.
+        ds = ds.returning(nil)
+      end
+      ds
+    end
+  end
+end

data/lib/rodauth/features/base.rb

@@ -18,17 +18,19 @@ module Rodauth
     auth_value_method :account_unverified_status_value, 1
     auth_value_method :accounts_table, :accounts
     auth_value_method :cache_templates, true
+    auth_value_method :check_csrf_block, nil
+    auth_value_method :check_csrf_opts, {}.freeze
     auth_value_method :default_redirect, '/'
     session_key :flash_error_key, :error
     session_key :flash_notice_key, :notice
     auth_value_method :hmac_secret, nil
-    auth_value_method :input_field_label_suffix, ''
-    auth_value_method :input_field_error_class, 'error'
-    auth_value_method :input_field_error_message_class, 'error_message'
+    translatable_method :input_field_label_suffix, ''
+    auth_value_method :input_field_error_class, 'error is-invalid'
+    auth_value_method :input_field_error_message_class, 'error_message invalid-feedback'
     auth_value_method :invalid_field_error_status, 422
     auth_value_method :invalid_key_error_status, 401
     auth_value_method :invalid_password_error_status, 401
-    auth_value_method :invalid_password_message, "invalid password"
+    translatable_method :invalid_password_message, "invalid password"
     auth_value_method :login_column, :email
     auth_value_method :login_required_error_status, 401
     auth_value_method :lockout_error_status, 403
@@ -36,30 +38,38 @@ module Rodauth
     auth_value_method :password_hash_column, :password_hash
     auth_value_method :password_hash_table, :account_password_hashes
     auth_value_method :no_matching_login_error_status, 401
-    auth_value_method :no_matching_login_message, "no matching login"
+    translatable_method :no_matching_login_message, "no matching login"
     auth_value_method :login_param, 'login'
-    auth_value_method :login_label, 'Login'
-    auth_value_method :login_input_type, 'text'
-    auth_value_method :password_label, 'Password'
+    translatable_method :login_label, 'Login'
+    translatable_method :password_label, 'Password'
     auth_value_method :password_param, 'password'
-    auth_value_method :modifications_require_password?, true
     session_key :session_key, :account_id
+    session_key :authenticated_by_session_key, :authenticated_by
+    session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
     auth_value_method :require_bcrypt?, true
-    auth_value_method :mark_input_fields_as_required?, false
+    auth_value_method :mark_input_fields_as_required?, true
+    auth_value_method :mark_input_fields_with_autocomplete?, true
+    auth_value_method :mark_input_fields_with_inputmode?, true
     auth_value_method :skip_status_checks?, true
-    auth_value_method :template_opts, {}
+    auth_value_method :template_opts, {}.freeze
     auth_value_method :title_instance_variable, nil 
     auth_value_method :token_separator, "_"
     auth_value_method :unmatched_field_error_status, 422
     auth_value_method :unopen_account_error_status, 403
-    auth_value_method :unverified_account_message, "unverified account, please verify account before logging in"
+    translatable_method :unverified_account_message, "unverified account, please verify account before logging in"
+    auth_value_method :default_field_attributes, ''
 
     redirect(:require_login){"#{prefix}/login"}
 
     auth_value_methods(
+      :base_url,
+      :check_csrf?,
       :db,
-      :default_field_attributes,
+      :domain,
+      :login_input_type,
+      :login_uses_email?,
+      :modifications_require_password?,
       :set_deadline_values?,
       :use_date_arithmetic?,
       :use_database_authentication_functions?,
@@ -71,9 +81,13 @@ module Rodauth
       :account_session_value,
       :already_logged_in,
       :authenticated?,
+      :autocomplete_for_field?,
+      :check_csrf,
       :clear_session,
       :csrf_tag,
       :function_name,
+      :hook_action,
+      :inputmode_for_field?,
       :logged_in?,
       :login_required,
       :open_account?,
@@ -86,6 +100,7 @@ module Rodauth
       :set_notice_now_flash,
       :set_redirect_error_flash,
       :set_title,
+      :translate,
       :unverified_account_message,
       :update_session
     )
@@ -102,13 +117,6 @@ module Rodauth
       def auth_class_eval(&block)
         auth.class_eval(&block)
       end
-
-      def account_model(model)
-        warn "account_model is deprecated, use db and accounts_table settings"
-        db model.db
-        accounts_table model.table_name
-        account_select model.dataset.opts[:select]
-      end
     end
 
     attr_reader :scope
@@ -168,13 +176,29 @@ module Rodauth
         value = opts.fetch(:value){scope.h param(param)}
       end
 
-      "<input #{opts[:attr]} #{field_attributes(param)} #{field_error_attributes(param)} type=\"#{type}\" class=\"form-control#{add_field_error_class(param)}\" name=\"#{param}\" id=\"#{id}\" value=\"#{value}\"/> #{formatted_field_error(param)}"
-    end
+      field_class = opts.fetch(:class, "form-control")
+
+      if autocomplete_for_field?(param) && opts[:autocomplete]
+        autocomplete = "autocomplete=\"#{opts[:autocomplete]}\""
+      end
+
+      if inputmode_for_field?(param) && opts[:inputmode]
+        inputmode = "inputmode=\"#{opts[:inputmode]}\""
+      end
 
-    def default_field_attributes
-      if mark_input_fields_as_required?
-        "required=\"required\""
+      if mark_input_fields_as_required? && opts[:required] != false
+        required = "required=\"required\""
       end
+
+      "<input #{opts[:attr]} #{autocomplete} #{inputmode} #{required} #{field_attributes(param)} #{field_error_attributes(param)} type=\"#{type}\" class=\"#{field_class}#{add_field_error_class(param)}\" name=\"#{param}\" id=\"#{id}\" value=\"#{value}\"/> #{formatted_field_error(param) unless opts[:skip_error_message]}"
+    end
+
+    def autocomplete_for_field?(_param)
+      mark_input_fields_with_autocomplete?
+    end
+
+    def inputmode_for_field?(_param)
+      mark_input_fields_with_inputmode?
     end
 
     def field_attributes(field)
@@ -193,6 +217,15 @@ module Rodauth
       end
     end
 
+    def hook_action(_hook_type, _action)
+      # nothing by default
+    end
+
+    def translate(_key, default)
+      # do not attempt to translate by default
+      default
+    end
+
     # Return urlsafe base64 HMAC for data, assumes hmac_secret is set.
     def compute_hmac(data)
       s = [compute_raw_hmac(data)].pack('m').chomp!("=\n")
@@ -222,6 +255,10 @@ module Rodauth
       Sequel::DATABASES.first
     end
 
+    def password_field_autocomplete_value
+      @password_field_autocomplete_value || 'current-password'
+    end
+
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -237,6 +274,14 @@ module Rodauth
       nil
     end
 
+    def login_input_type
+      login_uses_email? ? 'email' : 'text'
+    end
+
+    def login_uses_email?
+      login_column == :email
+    end
+
     def clear_session
       if scope.respond_to?(:clear_session)
         scope.clear_session
@@ -293,6 +338,10 @@ module Rodauth
       @account = _account_from_session
     end
 
+    def check_csrf
+      scope.check_csrf!(check_csrf_opts, &check_csrf_block)
+    end
+
     def csrf_tag(path=request.path)
       return unless scope.respond_to?(:csrf_tag)
 
@@ -353,7 +402,25 @@ module Rodauth
 
     def update_session
       clear_session
-      session[session_key] = account_session_value
+      set_session_value(session_key, account_session_value)
+    end
+
+    def authenticated_by
+      session[authenticated_by_session_key]
+    end
+
+    def login_session(auth_type)
+      update_session
+      set_session_value(authenticated_by_session_key, [auth_type])
+    end
+
+    def autologin_type
+      session[autologin_type_session_key]
+    end
+
+    def autologin_session(autologin_type)
+      login_session('autologin')
+      set_session_value(autologin_type_session_key, autologin_type)
     end
 
     # Return a string for the parameter name.  This will be an empty
@@ -365,10 +432,30 @@ module Rodauth
     # Return a string for the parameter name, or nil if there is no
     # parameter with that name.
     def param_or_nil(key)
-      value = request.params[key]
+      value = raw_param(key)
       value.to_s unless value.nil?
     end
 
+    def raw_param(key)
+      request.params[key]
+    end
+
+    def base_url
+      request.base_url
+    end
+
+    def domain
+      request.host
+    end
+
+    def modifications_require_password?
+      has_password?
+    end
+
+    def possible_authentication_methods
+      has_password? ? ['password'] : []
+    end
+
     private
 
     def convert_token_key(key)
@@ -387,22 +474,22 @@ module Rodauth
       request.redirect(path)
     end
 
+    def route_path(route, opts={})
+      path  = "#{prefix}/#{route}"
+      path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?
+      path
+    end
+
+    def route_url(route, opts={})
+      "#{base_url}#{route_path(route, opts)}"
+    end
+
     def transaction(opts={}, &block)
       db.transaction(opts, &block)
     end
 
-    if RUBY_VERSION >= '1.9'
-      def random_key
-        SecureRandom.urlsafe_base64(32)
-      end
-    else
-      # :nocov:
-      def random_key
-        s = [SecureRandom.random_bytes(32)].pack('m').chomp!("=\n")
-        s.tr!('+/', '-_')
-        s
-      end
-      # :nocov:
+    def random_key
+      SecureRandom.urlsafe_base64(32)
     end
 
     def convert_session_key(key)
@@ -468,7 +555,11 @@ module Rodauth
     end
 
     def use_request_specific_csrf_tokens?
-      scope.opts[:rodauth_csrf] == :route_csrf && scope.use_request_specific_csrf_tokens?
+      scope.opts[:rodauth_route_csrf] && scope.use_request_specific_csrf_tokens?
+    end
+
+    def check_csrf?
+      scope.opts[:rodauth_route_csrf]
     end
 
     def function_name(name)
@@ -481,13 +572,19 @@ module Rodauth
       end
     end
 
+    def has_password?
+      return @has_password if defined?(@has_password)
+      return false unless account || session_value
+      @has_password = !!get_password_hash
+    end
+
     # Get the password hash for the user.  When using database authentication functions,
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        account[account_password_hash_column]
+        (account || account_from_session)[account_password_hash_column]
       elsif use_database_authentication_functions?
-        db.get(Sequel.function(function_name(:rodauth_get_salt), account_id))
+        db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else
         # :nocov:
         password_hash_ds.get(password_hash_column)
@@ -540,7 +637,7 @@ module Rodauth
     end
 
     def password_hash_ds
-      db[password_hash_table].where(password_hash_id_column=>account_id)
+      db[password_hash_table].where(password_hash_id_column=>account ? account_id : session_value)
     end
 
     # This is needed for jdbc/sqlite, which returns timestamp columns as strings
@@ -607,6 +704,10 @@ module Rodauth
       session[key] = value
     end
 
+    def remove_session_value(key)
+      session.delete(key)
+    end
+
     def update_hash_ds(hash, ds, values)
       num = ds.update(values)
       if num == 1