rodauth 1.20.0 → 2.1.0

data/lib/rodauth/features/jwt.rb

@@ -4,25 +4,25 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
-    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
     auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
     auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
     auth_value_method :json_response_content_type, 'application/json'
     auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, false
+    auth_value_method :json_response_custom_error_status?, true
     auth_value_method :json_response_error_key, "error"
     auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, nil
+    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, false
-    auth_value_method :jwt_decode_opts, {}
+    auth_value_method :jwt_check_accept?, true
+    auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
       :only_json?,
@@ -50,7 +50,7 @@ module Rodauth
           json_response[json_response_error_key] = invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -140,13 +140,18 @@ module Rodauth
 
     private
 
+    def check_csrf?
+      return false if use_jwt?
+      super
+    end
+
     def before_rodauth
       if json_request?
         if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
           response.status = 406
           json_response[json_response_error_key] = json_not_accepted_error_message
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -173,6 +178,43 @@ module Rodauth
       end
     end
 
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
     def before_otp_setup_route
       super if defined?(super)
       if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
@@ -204,6 +246,12 @@ module Rodauth
       value
     end
 
+    def remove_session_value(key)
+      value = super
+      set_jwt if use_jwt?
+      value
+    end
+
     def json_response
       @json_response ||= {}
     end

data/lib/rodauth/features/jwt_cors.rb

@@ -0,0 +1,53 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:jwt_cors, :JwtCors) do
+    depends :jwt
+
+    auth_value_method :jwt_cors_allow_origin, false
+    auth_value_method :jwt_cors_allow_methods, 'POST'
+    auth_value_method :jwt_cors_allow_headers, 'Content-Type, Authorization, Accept'
+    auth_value_method :jwt_cors_expose_headers, 'Authorization'
+    auth_value_method :jwt_cors_max_age, 86400
+
+    auth_methods(:jwt_cors_allow?)
+
+    def jwt_cors_allow?
+      if origin = request.env['HTTP_ORIGIN']
+        case allowed = jwt_cors_allow_origin
+        when String
+          timing_safe_eql?(origin, allowed)
+        when Array
+          allowed.any?{|s| timing_safe_eql?(origin, s)}
+        when Regexp
+          allowed =~ origin
+        when true
+          true
+        else
+          false
+        end
+      end
+    end
+
+    private
+
+    def before_rodauth
+      if (origin = request.env['HTTP_ORIGIN']) && jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = origin
+
+        # Handle CORS preflight request
+        if request.request_method == 'OPTIONS'
+          response['Access-Control-Allow-Methods'] = jwt_cors_allow_methods
+          response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
+          response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
+          response.status = 204
+          request.halt(response.finish)
+        end
+
+        response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers
+      end
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/jwt_refresh.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  JwtRefresh = Feature.define(:jwt_refresh) do
+  Feature.define(:jwt_refresh, :JwtRefresh) do
     depends :jwt
 
     after 'refresh_token'
@@ -10,10 +10,10 @@ module Rodauth
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
-    auth_value_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
+    translatable_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
     auth_value_method :jwt_refresh_token_account_id_column, :account_id
     auth_value_method :jwt_refresh_token_deadline_column, :deadline
-    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}
+    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}.freeze
     auth_value_method :jwt_refresh_token_id_column, :id
     auth_value_method :jwt_refresh_token_key, 'refresh_token'
     auth_value_method :jwt_refresh_token_key_column, :key

data/lib/rodauth/features/lockout.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:lockout, :Lockout) do
     depends :login, :email_base
 
-    def_deprecated_alias :no_matching_unlock_account_key_error_flash, :no_matching_unlock_account_key_message
-
     loaded_templates %w'unlock-account-request unlock-account password-field unlock-account-email'
     view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
     view 'unlock-account', 'Unlock Account', 'unlock_account'
@@ -19,7 +17,7 @@ module Rodauth
     button 'Unlock Account', 'unlock_account'
     button 'Request Account Unlock', 'unlock_account_request'
     error_flash "There was an error unlocking your account", 'unlock_account'
-    error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    error_flash "This account is currently locked out and cannot be logged in to", "login_lockout"
     error_flash "An email has recently been sent to you with a link to unlock the account", 'unlock_account_email_recently_sent'
     error_flash "There was an error unlocking your account: invalid or expired unlock account key", 'no_matching_unlock_account_key'
     notice_flash "Your account has been unlocked", 'unlock_account'
@@ -36,12 +34,12 @@ module Rodauth
     auth_value_method :account_lockouts_table, :account_lockouts
     auth_value_method :account_lockouts_id_column, :id
     auth_value_method :account_lockouts_key_column, :key
-    auth_value_method :account_lockouts_email_last_sent_column, nil
+    auth_value_method :account_lockouts_email_last_sent_column, :email_last_sent
     auth_value_method :account_lockouts_deadline_column, :deadline
-    auth_value_method :account_lockouts_deadline_interval, {:days=>1}
-    auth_value_method :unlock_account_email_subject, 'Unlock Account'
-    auth_value_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
-    auth_value_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
+    auth_value_method :account_lockouts_deadline_interval, {:days=>1}.freeze
+    translatable_method :unlock_account_email_subject, 'Unlock Account'
+    translatable_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
+    translatable_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
     auth_value_method :unlock_account_skip_resend_email_within, 300
@@ -75,6 +73,7 @@ module Rodauth
             redirect unlock_account_email_recently_sent_redirect
           end
 
+          @unlock_account_key_value = get_unlock_account_key
           transaction do
             before_unlock_account_request
             set_unlock_account_email_last_sent
@@ -98,7 +97,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(unlock_account_key_param)
-          session[unlock_account_session_key] = key
+          set_session_value(unlock_account_session_key, key)
           redirect(r.path)
         end
 
@@ -106,7 +105,7 @@ module Rodauth
           if account_from_unlock_key(key)
             unlock_account_view
           else
-            session[unlock_account_session_key] = nil
+            remove_session_value(unlock_account_session_key)
             set_redirect_error_flash no_matching_unlock_account_key_error_flash
             redirect require_login_redirect
           end
@@ -127,11 +126,11 @@ module Rodauth
             unlock_account
             after_unlock_account
             if unlock_account_autologin?
-              update_session
+              autologin_session('unlock_account')
             end
           end
 
-          session[unlock_account_session_key] = nil
+          remove_session_value(unlock_account_session_key)
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else
@@ -217,8 +216,7 @@ module Rodauth
     end
 
     def send_unlock_account_email
-      @unlock_account_key_value = get_unlock_account_key
-      create_unlock_account_email.deliver!
+      send_email(create_unlock_account_email)
     end
 
     def unlock_account_email_link

data/lib/rodauth/features/login.rb

@@ -5,16 +5,24 @@ module Rodauth
     notice_flash "You have been logged in"
     notice_flash "Login recognized, please enter your password", "need_password"
     error_flash "There was an error logging in"
-    loaded_templates %w'login login-field password-field login-display'
+    loaded_templates %w'login login-form login-form-footer multi-phase-login login-field password-field login-display'
     view 'login', 'Login'
+    view 'multi-phase-login', 'Login', 'multi_phase_login'
     additional_form_tags
     button 'Login'
     redirect
 
     auth_value_method :login_error_status, 401
-    auth_value_method :login_form_footer, ''
+    translatable_method :login_form_footer_links_heading, '<h2 class="rodauth-login-form-footer-links-heading">Other Options</h2>'
+    auth_value_method :login_return_to_requested_location?, false
     auth_value_method :use_multi_phase_login?, false
 
+    session_key :login_redirect_session_key, :login_redirect
+
+    auth_cached_method :multi_phase_login_forms
+    auth_cached_method :login_form_footer_links
+    auth_cached_method :login_form_footer
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -24,8 +32,8 @@ module Rodauth
       end
 
       r.post do
-        clear_session
         skip_error_flash = false
+        view = :login_view
 
         catch_error do
           unless account_from_login(param(login_param))
@@ -40,6 +48,7 @@ module Rodauth
 
           if use_multi_phase_login?
             @valid_login_entered = true
+            view = :multi_phase_login_view
 
             unless param_or_nil(password_param)
               after_login_entered_during_multi_phase_login
@@ -53,44 +62,79 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login
+          _login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
-        login_view
+        send(view)
       end
     end
 
     attr_reader :login_form_header
 
+    def login_required
+      if login_return_to_requested_location?
+        set_session_value(login_redirect_session_key, request.fullpath)
+      end
+      super
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
+      if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])
+        send(meth)
+      end
     end
 
     def skip_login_field_on_login?
       return false unless use_multi_phase_login?
-      @valid_login_entered
+      valid_login_entered?
     end
 
     def skip_password_field_on_login?
       return false unless use_multi_phase_login?
-      @valid_login_entered != true
+      !valid_login_entered?
+    end
+
+    def valid_login_entered?
+      @valid_login_entered
     end
 
     def login_hidden_field
       "<input type='hidden' name=\"#{login_param}\" value=\"#{scope.h param(login_param)}\" />"
     end
 
+    def render_multi_phase_login_forms
+      multi_phase_login_forms.sort.map{|_, form, _| form}.join("\n")
+    end
+
     private
 
-    def _login
+    def _login_form_footer_links
+      []
+    end
+
+    def _multi_phase_login_forms
+      forms = []
+      forms << [10, render("login-form"), nil] if has_password?
+      forms
+    end
+
+    def _login_form_footer
+      return '' if _login_form_footer_links.empty?
+      render('login-form-footer')
+    end
+
+    def _login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
       transaction do
         before_login
-        update_session
+        login_session(auth_type)
+        yield if block_given?
         after_login
       end
       set_notice_flash login_notice_flash
-      redirect login_redirect
+      redirect(saved_login_redirect || login_redirect)
     end
   end
 end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -2,18 +2,18 @@
 
 module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
-    auth_value_method :already_an_account_with_this_login_message, 'already an account with this login'
+    translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
-    auth_value_method :logins_do_not_match_message, 'logins do not match'
+    translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
-    auth_value_method :passwords_do_not_match_message, 'passwords do not match'
+    translatable_method :passwords_do_not_match_message, 'passwords do not match'
     auth_value_method :require_email_address_logins?, true
     auth_value_method :require_login_confirmation?, true
     auth_value_method :require_password_confirmation?, true
-    auth_value_method :same_as_existing_password_message, "invalid password, same as current password"
+    translatable_method :same_as_existing_password_message, "invalid password, same as current password"
 
     auth_value_methods(
       :login_confirm_label,

data/lib/rodauth/features/otp.rb

@@ -19,62 +19,59 @@ module Rodauth
     before 'otp_setup'
     before 'otp_disable'
 
-    configuration_module_eval do
-      def before_otp_authentication_route(&block)
-        warn "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
-        before_otp_auth_route(&block)
-      end
-    end
-
-    button 'Authenticate via 2nd Factor', 'otp_auth'
-    button 'Disable Two Factor Authentication', 'otp_disable'
-    button 'Setup Two Factor Authentication', 'otp_setup'
+    button 'Authenticate Using TOTP', 'otp_auth'
+    button 'Disable TOTP Authentication', 'otp_disable'
+    button 'Setup TOTP Authentication', 'otp_setup'
 
-    error_flash "Error disabling up two factor authentication", 'otp_disable'
-    error_flash "Error logging in via two factor authentication", 'otp_auth'
-    error_flash "Error setting up two factor authentication", 'otp_setup'
-    error_flash "You have already setup two factor authentication", :otp_already_setup
+    error_flash "Error disabling TOTP authentication", 'otp_disable'
+    error_flash "Error logging in via TOTP authentication", 'otp_auth'
+    error_flash "Error setting up TOTP authentication", 'otp_setup'
+    error_flash "You have already setup TOTP authentication", 'otp_already_setup'
+    error_flash "TOTP authentication code use locked out due to numerous failures", 'otp_lockout'
 
-    notice_flash "Two factor authentication has been disabled", 'otp_disable'
-    notice_flash "Two factor authentication is now setup", 'otp_setup'
+    notice_flash "TOTP authentication has been disabled", 'otp_disable'
+    notice_flash "TOTP authentication is now setup", 'otp_setup'
 
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
-    view 'otp-disable', 'Disable Two Factor Authentication', 'otp_disable'
+    view 'otp-disable', 'Disable TOTP Authentication', 'otp_disable'
     view 'otp-auth', 'Enter Authentication Code', 'otp_auth'
-    view 'otp-setup', 'Setup Two Factor Authentication', 'otp_setup'
+    view 'otp-setup', 'Setup TOTP Authentication', 'otp_setup'
+
+    translatable_method :otp_auth_link_text, "Authenticate Using TOTP"
+    translatable_method :otp_setup_link_text, "Setup TOTP Authentication"
+    translatable_method :otp_disable_link_text, "Disable TOTP Authentication"
 
     auth_value_method :otp_auth_failures_limit, 5
-    auth_value_method :otp_auth_label, 'Authentication Code'
+    translatable_method :otp_auth_label, 'Authentication Code'
     auth_value_method :otp_auth_param, 'otp'
     auth_value_method :otp_class, ROTP::TOTP
     auth_value_method :otp_digits, nil
-    auth_value_method :otp_drift, nil
+    auth_value_method :otp_drift, 30
     auth_value_method :otp_interval, nil
-    auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
-    auth_value_method :otp_invalid_secret_message, "invalid secret"
+    translatable_method :otp_invalid_auth_code_message, "Invalid authentication code"
+    translatable_method :otp_invalid_secret_message, "invalid secret"
     auth_value_method :otp_keys_column, :key
     auth_value_method :otp_keys_id_column, :id
     auth_value_method :otp_keys_failures_column, :num_failures
     auth_value_method :otp_keys_table, :account_otp_keys
     auth_value_method :otp_keys_last_use_column, :last_use
-    auth_value_method :otp_provisioning_uri_label, 'Provisioning URL'
-    auth_value_method :otp_secret_label, 'Secret'
+    translatable_method :otp_provisioning_uri_label, 'Provisioning URL'
+    translatable_method :otp_secret_label, 'Secret'
     auth_value_method :otp_setup_param, 'otp_secret'
     auth_value_method :otp_setup_raw_param, 'otp_raw_secret'
+    translatable_method :otp_auth_form_footer, ''
 
     auth_cached_method :otp_key
     auth_cached_method :otp
     private :otp
 
     auth_value_methods(
-      :otp_auth_form_footer,
       :otp_issuer,
-      :otp_lockout_error_flash,
-      :otp_lockout_redirect,
       :otp_keys_use_hmac?
     )
 
@@ -103,7 +100,7 @@ module Rodauth
     route(:otp_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('totp')
       require_otp_setup
 
       if otp_locked_out?
@@ -121,7 +118,7 @@ module Rodauth
       r.post do
         if otp_valid_code?(param(otp_auth_param)) && otp_update_last_use
           before_otp_authentication
-          two_factor_authenticate(:totp)
+          two_factor_authenticate('totp')
         end
 
         otp_record_authentication_failure
@@ -173,7 +170,9 @@ module Rodauth
           transaction do
             before_otp_setup
             otp_add_key
-            two_factor_update_session(:totp)
+            unless two_factor_authenticated?
+              two_factor_update_session('totp')
+            end
             after_otp_setup
           end
           set_notice_flash otp_setup_notice_flash
@@ -199,7 +198,9 @@ module Rodauth
           transaction do
             before_otp_disable
             otp_remove
-            two_factor_remove_session
+            if two_factor_login_type_match?('totp')
+              two_factor_remove_session('totp')
+            end
             after_otp_disable
           end
           set_notice_flash otp_disable_notice_flash
@@ -213,18 +214,6 @@ module Rodauth
       end
     end
 
-    def two_factor_authentication_setup?
-      super || otp_exists?
-    end
-
-    def two_factor_need_setup_redirect
-      "#{prefix}/#{otp_setup_route}"
-    end
-
-    def two_factor_auth_required_redirect
-      "#{prefix}/#{otp_auth_route}"
-    end
-
     def two_factor_remove
       super
       otp_remove
@@ -235,19 +224,6 @@ module Rodauth
       otp_remove_auth_failures
     end
 
-    def otp_auth_form_footer
-      super if defined?(super)
-    end
-
-    def otp_lockout_redirect
-      return super if defined?(super)
-      default_redirect
-    end
-
-    def otp_lockout_error_flash
-      "Authentication code use locked out due to numerous failures.#{super if defined?(super)}"
-    end
-
     def require_otp_setup
       unless otp_exists?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -265,11 +241,11 @@ module Rodauth
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
         if otp.respond_to?(:verify_with_drift)
+          # :nocov:
           otp.verify_with_drift(ot_pass, drift)
-        else
           # :nocov:
+        else
           otp.verify(ot_pass, :drift_behind=>drift, :drift_ahead=>drift)
-          # :nocov:
         end
       else
         otp.verify(ot_pass)
@@ -278,6 +254,7 @@ module Rodauth
 
     def otp_remove
       otp_key_ds.delete
+      @otp_key = nil
       super if defined?(super)
     end
 
@@ -309,7 +286,7 @@ module Rodauth
     end
 
     def otp_issuer
-      request.host
+      domain
     end
 
     def otp_provisioning_name
@@ -332,8 +309,37 @@ module Rodauth
       !!hmac_secret
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'totp' if otp_exists? && !@otp_tmp_key
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [20, otp_setup_path, otp_setup_link_text] unless otp_exists?
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [20, otp_disable_path, otp_disable_link_text] if otp_exists?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('totp')
+      super
+    end
+
     def clear_cached_otp
       remove_instance_variable(:@otp) if defined?(@otp)
     end
@@ -357,32 +363,24 @@ module Rodauth
     end
 
     if ROTP::Base32.respond_to?(:random_base32)
-      # :nocov:
       def otp_new_secret
-        ROTP::Base32.random_base32
+        ROTP::Base32.random_base32.downcase
       end
-      # :nocov:
     else
+      # :nocov:
       def otp_new_secret
         ROTP::Base32.random.downcase
       end
+      # :nocov:
     end
 
-    if RUBY_VERSION < '1.9'
-      # :nocov:
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i] % 32].chr}.join
-      end
-      # :nocov:
-    else
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i].ord % 32]}.join
-      end
+    def base32_encode(data, length)
+      chars = 'abcdefghijklmnopqrstuvwxyz234567'
+      length.times.map{|i|chars[data[i].ord % 32]}.join
     end
 
     def _otp_tmp_key(secret)
+      @otp_tmp_key = true
       @otp_user_key = nil
       @otp_key = secret
     end