rodauth 1.21.0 → 2.2.0

data/lib/rodauth/features/jwt.rb

@@ -4,25 +4,25 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
-    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
     auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
     auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
     auth_value_method :json_response_content_type, 'application/json'
     auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, false
+    auth_value_method :json_response_custom_error_status?, true
     auth_value_method :json_response_error_key, "error"
     auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, nil
+    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, false
-    auth_value_method :jwt_decode_opts, {}
+    auth_value_method :jwt_check_accept?, true
+    auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
       :only_json?,
@@ -50,7 +50,7 @@ module Rodauth
           json_response[json_response_error_key] = invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -138,15 +138,25 @@ module Rodauth
       !!(jwt_token && jwt_payload)
     end
 
+    def view(page, title)
+      return super unless use_jwt?
+      return_json_response
+    end
+
     private
 
+    def check_csrf?
+      return false if use_jwt?
+      super
+    end
+
     def before_rodauth
       if json_request?
         if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
           response.status = 406
           json_response[json_response_error_key] = json_not_accepted_error_message
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -173,6 +183,43 @@ module Rodauth
       end
     end
 
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
     def before_otp_setup_route
       super if defined?(super)
       if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
@@ -204,14 +251,14 @@ module Rodauth
       value
     end
 
-    def json_response
-      @json_response ||= {}
+    def remove_session_value(key)
+      value = super
+      set_jwt if use_jwt?
+      value
     end
 
-    def _view(meth, page)
-      return super unless use_jwt?
-      return super if meth == :render
-      return_json_response
+    def json_response
+      @json_response ||= {}
     end
 
     def _json_response_body(hash)

data/lib/rodauth/features/jwt_cors.rb

@@ -0,0 +1,53 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:jwt_cors, :JwtCors) do
+    depends :jwt
+
+    auth_value_method :jwt_cors_allow_origin, false
+    auth_value_method :jwt_cors_allow_methods, 'POST'
+    auth_value_method :jwt_cors_allow_headers, 'Content-Type, Authorization, Accept'
+    auth_value_method :jwt_cors_expose_headers, 'Authorization'
+    auth_value_method :jwt_cors_max_age, 86400
+
+    auth_methods(:jwt_cors_allow?)
+
+    def jwt_cors_allow?
+      return false unless origin = request.env['HTTP_ORIGIN']
+
+      case allowed = jwt_cors_allow_origin
+      when String
+        timing_safe_eql?(origin, allowed)
+      when Array
+        allowed.any?{|s| timing_safe_eql?(origin, s)}
+      when Regexp
+        allowed =~ origin
+      when true
+        true
+      else
+        false
+      end
+    end
+
+    private
+
+    def before_rodauth
+      if jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
+
+        # Handle CORS preflight request
+        if request.request_method == 'OPTIONS'
+          response['Access-Control-Allow-Methods'] = jwt_cors_allow_methods
+          response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
+          response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
+          response.status = 204
+          request.halt(response.finish)
+        end
+
+        response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers
+      end
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/jwt_refresh.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  JwtRefresh = Feature.define(:jwt_refresh) do
+  Feature.define(:jwt_refresh, :JwtRefresh) do
     depends :jwt
 
     after 'refresh_token'
@@ -10,10 +10,10 @@ module Rodauth
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
-    auth_value_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
+    translatable_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
     auth_value_method :jwt_refresh_token_account_id_column, :account_id
     auth_value_method :jwt_refresh_token_deadline_column, :deadline
-    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}
+    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}.freeze
     auth_value_method :jwt_refresh_token_id_column, :id
     auth_value_method :jwt_refresh_token_key, 'refresh_token'
     auth_value_method :jwt_refresh_token_key_column, :key
@@ -80,14 +80,10 @@ module Rodauth
     private
 
     def _account_from_refresh_token(token)
-      id, token = split_token(token)
-      return unless id && token
-
-      token_id, key = split_token(token)
-      return unless token_id && key
+      id, token_id, key = _account_refresh_token_split(token)
 
+      return unless key
       return unless actual = get_active_refresh_token(id, token_id)
-
       return unless timing_safe_eql?(key, convert_token_key(actual))
 
       ds = account_ds(id)
@@ -95,6 +91,16 @@ module Rodauth
       ds.first
     end
 
+    def _account_refresh_token_split(token)
+      id, token = split_token(token)
+      return unless id && token
+
+      token_id, key = split_token(token)
+      return unless token_id && key
+
+      [id, token_id, key]
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -134,6 +140,23 @@ module Rodauth
       hash
     end
 
+    def before_logout
+      if token = param_or_nil(jwt_refresh_token_key_param)
+        if token == 'all'
+          jwt_refresh_token_account_ds(session_value).delete
+        else
+          id, token_id, key = _account_refresh_token_split(token)
+
+          if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
+            jwt_refresh_token_account_ds(id).
+              where(jwt_refresh_token_id_column=>token_id).
+              delete
+          end
+        end
+      end
+      super if defined?(super)
+    end
+
     def after_close_account
       jwt_refresh_token_account_ds(account_id).delete
       super if defined?(super)

data/lib/rodauth/features/lockout.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:lockout, :Lockout) do
     depends :login, :email_base
 
-    def_deprecated_alias :no_matching_unlock_account_key_error_flash, :no_matching_unlock_account_key_message
-
     loaded_templates %w'unlock-account-request unlock-account password-field unlock-account-email'
     view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
     view 'unlock-account', 'Unlock Account', 'unlock_account'
@@ -19,7 +17,7 @@ module Rodauth
     button 'Unlock Account', 'unlock_account'
     button 'Request Account Unlock', 'unlock_account_request'
     error_flash "There was an error unlocking your account", 'unlock_account'
-    error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    error_flash "This account is currently locked out and cannot be logged in to", "login_lockout"
     error_flash "An email has recently been sent to you with a link to unlock the account", 'unlock_account_email_recently_sent'
     error_flash "There was an error unlocking your account: invalid or expired unlock account key", 'no_matching_unlock_account_key'
     notice_flash "Your account has been unlocked", 'unlock_account'
@@ -36,12 +34,12 @@ module Rodauth
     auth_value_method :account_lockouts_table, :account_lockouts
     auth_value_method :account_lockouts_id_column, :id
     auth_value_method :account_lockouts_key_column, :key
-    auth_value_method :account_lockouts_email_last_sent_column, nil
+    auth_value_method :account_lockouts_email_last_sent_column, :email_last_sent
     auth_value_method :account_lockouts_deadline_column, :deadline
-    auth_value_method :account_lockouts_deadline_interval, {:days=>1}
-    auth_value_method :unlock_account_email_subject, 'Unlock Account'
-    auth_value_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
-    auth_value_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
+    auth_value_method :account_lockouts_deadline_interval, {:days=>1}.freeze
+    translatable_method :unlock_account_email_subject, 'Unlock Account'
+    translatable_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
+    translatable_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
     auth_value_method :unlock_account_skip_resend_email_within, 300
@@ -75,6 +73,7 @@ module Rodauth
             redirect unlock_account_email_recently_sent_redirect
           end
 
+          @unlock_account_key_value = get_unlock_account_key
           transaction do
             before_unlock_account_request
             set_unlock_account_email_last_sent
@@ -98,7 +97,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(unlock_account_key_param)
-          session[unlock_account_session_key] = key
+          set_session_value(unlock_account_session_key, key)
           redirect(r.path)
         end
 
@@ -106,7 +105,7 @@ module Rodauth
           if account_from_unlock_key(key)
             unlock_account_view
           else
-            session[unlock_account_session_key] = nil
+            remove_session_value(unlock_account_session_key)
             set_redirect_error_flash no_matching_unlock_account_key_error_flash
             redirect require_login_redirect
           end
@@ -127,11 +126,11 @@ module Rodauth
             unlock_account
             after_unlock_account
             if unlock_account_autologin?
-              update_session
+              autologin_session('unlock_account')
             end
           end
 
-          session[unlock_account_session_key] = nil
+          remove_session_value(unlock_account_session_key)
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else
@@ -217,8 +216,7 @@ module Rodauth
     end
 
     def send_unlock_account_email
-      @unlock_account_key_value = get_unlock_account_key
-      create_unlock_account_email.deliver!
+      send_email(create_unlock_account_email)
     end
 
     def unlock_account_email_link

data/lib/rodauth/features/login.rb

@@ -5,16 +5,24 @@ module Rodauth
     notice_flash "You have been logged in"
     notice_flash "Login recognized, please enter your password", "need_password"
     error_flash "There was an error logging in"
-    loaded_templates %w'login login-field password-field login-display'
+    loaded_templates %w'login login-form login-form-footer multi-phase-login login-field password-field login-display'
     view 'login', 'Login'
+    view 'multi-phase-login', 'Login', 'multi_phase_login'
     additional_form_tags
     button 'Login'
     redirect
 
     auth_value_method :login_error_status, 401
-    auth_value_method :login_form_footer, ''
+    translatable_method :login_form_footer_links_heading, '<h2 class="rodauth-login-form-footer-links-heading">Other Options</h2>'
+    auth_value_method :login_return_to_requested_location?, false
     auth_value_method :use_multi_phase_login?, false
 
+    session_key :login_redirect_session_key, :login_redirect
+
+    auth_cached_method :multi_phase_login_forms
+    auth_cached_method :login_form_footer_links
+    auth_cached_method :login_form_footer
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -24,8 +32,8 @@ module Rodauth
       end
 
       r.post do
-        clear_session
         skip_error_flash = false
+        view = :login_view
 
         catch_error do
           unless account_from_login(param(login_param))
@@ -40,6 +48,7 @@ module Rodauth
 
           if use_multi_phase_login?
             @valid_login_entered = true
+            view = :multi_phase_login_view
 
             unless param_or_nil(password_param)
               after_login_entered_during_multi_phase_login
@@ -53,44 +62,79 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login
+          _login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
-        login_view
+        send(view)
       end
     end
 
     attr_reader :login_form_header
 
+    def login_required
+      if login_return_to_requested_location?
+        set_session_value(login_redirect_session_key, request.fullpath)
+      end
+      super
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
+      if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])
+        send(meth)
+      end
     end
 
     def skip_login_field_on_login?
       return false unless use_multi_phase_login?
-      @valid_login_entered
+      valid_login_entered?
     end
 
     def skip_password_field_on_login?
       return false unless use_multi_phase_login?
-      @valid_login_entered != true
+      !valid_login_entered?
+    end
+
+    def valid_login_entered?
+      @valid_login_entered
     end
 
     def login_hidden_field
       "<input type='hidden' name=\"#{login_param}\" value=\"#{scope.h param(login_param)}\" />"
     end
 
+    def render_multi_phase_login_forms
+      multi_phase_login_forms.sort.map{|_, form, _| form}.join("\n")
+    end
+
     private
 
-    def _login
+    def _login_form_footer_links
+      []
+    end
+
+    def _multi_phase_login_forms
+      forms = []
+      forms << [10, render("login-form"), nil] if has_password?
+      forms
+    end
+
+    def _login_form_footer
+      return '' if _login_form_footer_links.empty?
+      render('login-form-footer')
+    end
+
+    def _login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
       transaction do
         before_login
-        update_session
+        login_session(auth_type)
+        yield if block_given?
         after_login
       end
       set_notice_flash login_notice_flash
-      redirect login_redirect
+      redirect(saved_login_redirect || login_redirect)
     end
   end
 end