rodauth 1.21.0 → 2.2.0

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -2,18 +2,18 @@
 
 module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
-    auth_value_method :already_an_account_with_this_login_message, 'already an account with this login'
+    translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
-    auth_value_method :logins_do_not_match_message, 'logins do not match'
+    translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
-    auth_value_method :passwords_do_not_match_message, 'passwords do not match'
+    translatable_method :passwords_do_not_match_message, 'passwords do not match'
     auth_value_method :require_email_address_logins?, true
     auth_value_method :require_login_confirmation?, true
     auth_value_method :require_password_confirmation?, true
-    auth_value_method :same_as_existing_password_message, "invalid password, same as current password"
+    translatable_method :same_as_existing_password_message, "invalid password, same as current password"
 
     auth_value_methods(
       :login_confirm_label,

data/lib/rodauth/features/otp.rb

@@ -19,62 +19,59 @@ module Rodauth
     before 'otp_setup'
     before 'otp_disable'
 
-    configuration_module_eval do
-      def before_otp_authentication_route(&block)
-        warn "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
-        before_otp_auth_route(&block)
-      end
-    end
-
-    button 'Authenticate via 2nd Factor', 'otp_auth'
-    button 'Disable Two Factor Authentication', 'otp_disable'
-    button 'Setup Two Factor Authentication', 'otp_setup'
+    button 'Authenticate Using TOTP', 'otp_auth'
+    button 'Disable TOTP Authentication', 'otp_disable'
+    button 'Setup TOTP Authentication', 'otp_setup'
 
-    error_flash "Error disabling up two factor authentication", 'otp_disable'
-    error_flash "Error logging in via two factor authentication", 'otp_auth'
-    error_flash "Error setting up two factor authentication", 'otp_setup'
-    error_flash "You have already setup two factor authentication", :otp_already_setup
+    error_flash "Error disabling TOTP authentication", 'otp_disable'
+    error_flash "Error logging in via TOTP authentication", 'otp_auth'
+    error_flash "Error setting up TOTP authentication", 'otp_setup'
+    error_flash "You have already setup TOTP authentication", 'otp_already_setup'
+    error_flash "TOTP authentication code use locked out due to numerous failures", 'otp_lockout'
 
-    notice_flash "Two factor authentication has been disabled", 'otp_disable'
-    notice_flash "Two factor authentication is now setup", 'otp_setup'
+    notice_flash "TOTP authentication has been disabled", 'otp_disable'
+    notice_flash "TOTP authentication is now setup", 'otp_setup'
 
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
-    view 'otp-disable', 'Disable Two Factor Authentication', 'otp_disable'
+    view 'otp-disable', 'Disable TOTP Authentication', 'otp_disable'
     view 'otp-auth', 'Enter Authentication Code', 'otp_auth'
-    view 'otp-setup', 'Setup Two Factor Authentication', 'otp_setup'
+    view 'otp-setup', 'Setup TOTP Authentication', 'otp_setup'
+
+    translatable_method :otp_auth_link_text, "Authenticate Using TOTP"
+    translatable_method :otp_setup_link_text, "Setup TOTP Authentication"
+    translatable_method :otp_disable_link_text, "Disable TOTP Authentication"
 
     auth_value_method :otp_auth_failures_limit, 5
-    auth_value_method :otp_auth_label, 'Authentication Code'
+    translatable_method :otp_auth_label, 'Authentication Code'
     auth_value_method :otp_auth_param, 'otp'
     auth_value_method :otp_class, ROTP::TOTP
     auth_value_method :otp_digits, nil
-    auth_value_method :otp_drift, nil
+    auth_value_method :otp_drift, 30
     auth_value_method :otp_interval, nil
-    auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
-    auth_value_method :otp_invalid_secret_message, "invalid secret"
+    translatable_method :otp_invalid_auth_code_message, "Invalid authentication code"
+    translatable_method :otp_invalid_secret_message, "invalid secret"
     auth_value_method :otp_keys_column, :key
     auth_value_method :otp_keys_id_column, :id
     auth_value_method :otp_keys_failures_column, :num_failures
     auth_value_method :otp_keys_table, :account_otp_keys
     auth_value_method :otp_keys_last_use_column, :last_use
-    auth_value_method :otp_provisioning_uri_label, 'Provisioning URL'
-    auth_value_method :otp_secret_label, 'Secret'
+    translatable_method :otp_provisioning_uri_label, 'Provisioning URL'
+    translatable_method :otp_secret_label, 'Secret'
     auth_value_method :otp_setup_param, 'otp_secret'
     auth_value_method :otp_setup_raw_param, 'otp_raw_secret'
+    translatable_method :otp_auth_form_footer, ''
 
     auth_cached_method :otp_key
     auth_cached_method :otp
     private :otp
 
     auth_value_methods(
-      :otp_auth_form_footer,
       :otp_issuer,
-      :otp_lockout_error_flash,
-      :otp_lockout_redirect,
       :otp_keys_use_hmac?
     )
 
@@ -82,6 +79,7 @@ module Rodauth
       :otp,
       :otp_exists?,
       :otp_key,
+      :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,
       :otp_provisioning_name,
@@ -103,18 +101,13 @@ module Rodauth
     route(:otp_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('totp')
       require_otp_setup
 
       if otp_locked_out?
         set_response_error_status(lockout_error_status)
         set_redirect_error_flash otp_lockout_error_flash
-        if redir = otp_lockout_redirect
-          redirect redir
-        else
-          clear_session
-          redirect require_login_redirect
-        end
+        redirect otp_lockout_redirect
       end
 
       before_otp_auth_route
@@ -126,7 +119,7 @@ module Rodauth
       r.post do
         if otp_valid_code?(param(otp_auth_param)) && otp_update_last_use
           before_otp_authentication
-          two_factor_authenticate(:totp)
+          two_factor_authenticate('totp')
         end
 
         otp_record_authentication_failure
@@ -178,7 +171,9 @@ module Rodauth
           transaction do
             before_otp_setup
             otp_add_key
-            two_factor_update_session(:totp)
+            unless two_factor_authenticated?
+              two_factor_update_session('totp')
+            end
             after_otp_setup
           end
           set_notice_flash otp_setup_notice_flash
@@ -204,7 +199,9 @@ module Rodauth
           transaction do
             before_otp_disable
             otp_remove
-            two_factor_remove_session
+            if two_factor_login_type_match?('totp')
+              two_factor_remove_session('totp')
+            end
             after_otp_disable
           end
           set_notice_flash otp_disable_notice_flash
@@ -218,18 +215,6 @@ module Rodauth
       end
     end
 
-    def two_factor_authentication_setup?
-      super || otp_exists?
-    end
-
-    def two_factor_need_setup_redirect
-      "#{prefix}/#{otp_setup_route}"
-    end
-
-    def two_factor_auth_required_redirect
-      "#{prefix}/#{otp_auth_route}"
-    end
-
     def two_factor_remove
       super
       otp_remove
@@ -240,19 +225,6 @@ module Rodauth
       otp_remove_auth_failures
     end
 
-    def otp_auth_form_footer
-      super if defined?(super)
-    end
-
-    def otp_lockout_redirect
-      return super if defined?(super)
-      nil
-    end
-
-    def otp_lockout_error_flash
-      "Authentication code use locked out due to numerous failures.#{super if defined?(super)}"
-    end
-
     def require_otp_setup
       unless otp_exists?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -270,11 +242,11 @@ module Rodauth
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
         if otp.respond_to?(:verify_with_drift)
+          # :nocov:
           otp.verify_with_drift(ot_pass, drift)
-        else
           # :nocov:
+        else
           otp.verify(ot_pass, :drift_behind=>drift, :drift_ahead=>drift)
-          # :nocov:
         end
       else
         otp.verify(ot_pass)
@@ -283,7 +255,7 @@ module Rodauth
 
     def otp_remove
       otp_key_ds.delete
-      super if defined?(super)
+      @otp_key = nil
     end
 
     def otp_add_key
@@ -297,6 +269,10 @@ module Rodauth
         update(otp_keys_last_use_column=>Sequel::CURRENT_TIMESTAMP) == 1
     end
 
+    def otp_last_use
+      convert_timestamp(otp_key_ds.get(otp_keys_last_use_column))
+    end
+
     def otp_record_authentication_failure
       otp_key_ds.update(otp_keys_failures_column=>Sequel.identifier(otp_keys_failures_column) + 1)
     end
@@ -314,7 +290,7 @@ module Rodauth
     end
 
     def otp_issuer
-      request.host
+      domain
     end
 
     def otp_provisioning_name
@@ -337,8 +313,37 @@ module Rodauth
       !!hmac_secret
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'totp' if otp_exists? && !@otp_tmp_key
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [20, otp_setup_path, otp_setup_link_text] unless otp_exists?
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [20, otp_disable_path, otp_disable_link_text] if otp_exists?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('totp')
+      super
+    end
+
     def clear_cached_otp
       remove_instance_variable(:@otp) if defined?(@otp)
     end
@@ -362,32 +367,24 @@ module Rodauth
     end
 
     if ROTP::Base32.respond_to?(:random_base32)
-      # :nocov:
       def otp_new_secret
         ROTP::Base32.random_base32.downcase
       end
-      # :nocov:
     else
+      # :nocov:
       def otp_new_secret
         ROTP::Base32.random.downcase
       end
+      # :nocov:
     end
 
-    if RUBY_VERSION < '1.9'
-      # :nocov:
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i] % 32].chr}.join
-      end
-      # :nocov:
-    else
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i].ord % 32]}.join
-      end
+    def base32_encode(data, length)
+      chars = 'abcdefghijklmnopqrstuvwxyz234567'
+      length.times.map{|i|chars[data[i].ord % 32]}.join
     end
 
     def _otp_tmp_key(secret)
+      @otp_tmp_key = true
       @otp_user_key = nil
       @otp_key = secret
     end

data/lib/rodauth/features/password_complexity.rb

@@ -11,13 +11,10 @@ module Rodauth
     auth_value_method :password_max_length_for_groups_check, 11
     auth_value_method :password_max_repeating_characters, 3
     auth_value_method :password_invalid_pattern, Regexp.union([/qwerty/i, /azerty/i, /asdf/i, /zxcv/i] + (1..8).map{|i| /#{i}#{i+1}#{(i+2)%10}/})
-    auth_value_method :password_not_enough_character_groups_message, "does not include uppercase letters, lowercase letters, and numbers"
-    auth_value_method :password_invalid_pattern_message, "includes common character sequence"
-    auth_value_method :password_in_dictionary_message, "is a word in a dictionary"
-
-    auth_value_methods(
-      :password_too_many_repeating_characters_message
-    )
+    translatable_method :password_not_enough_character_groups_message, "does not include uppercase letters, lowercase letters, and numbers"
+    translatable_method :password_invalid_pattern_message, "includes common character sequence"
+    translatable_method :password_in_dictionary_message, "is a word in a dictionary"
+    translatable_method :password_too_many_repeating_characters_message, "contains too many of the same character in a row"
 
     def password_meets_requirements?(password)
       super && \
@@ -29,14 +26,16 @@ module Rodauth
 
     def post_configure
       super
-      return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
+      return if method(:password_dictionary).owner != Rodauth::PasswordComplexity
 
       case password_dictionary_file
       when false
-        return
+        # nothing
       when nil
         default_dictionary_file = '/usr/share/dict/words'
+        # :nocov:
         if File.file?(default_dictionary_file)
+        # :nocov:
           words = File.read(default_dictionary_file)
         end
       else
@@ -73,10 +72,6 @@ module Rodauth
       false
     end
 
-    def password_too_many_repeating_characters_message
-      "contains #{password_max_repeating_characters} or more of the same character in a row"
-    end
-
     def password_not_in_dictionary?(password)
       return true unless dict = password_dictionary
       return true unless password =~ /\A(?:\d*)([A-Za-z!@$+|][A-Za-z!@$+|0134578]+[A-Za-z!@$+|])(?:\d*)\z/

data/lib/rodauth/features/password_expiration.rb

@@ -8,7 +8,7 @@ module Rodauth
     error_flash "Your password cannot be changed yet", 'password_not_changeable_yet'
 
     redirect :password_not_changeable_yet 
-    redirect(:password_change_needed){"#{prefix}/#{change_password_route}"}
+    redirect(:password_change_needed){change_password_path}
 
     auth_value_method :allow_password_change_after, -86400
     auth_value_method :require_password_change_after, 90*86400
@@ -38,7 +38,7 @@ module Rodauth
 
     def set_password(password)
       update_password_changed_at
-      session[password_changed_at_session_key] = Time.now.to_i 
+      set_session_value(password_changed_at_session_key, Time.now.to_i)
       super
     end
 

data/lib/rodauth/features/password_grace_period.rb

@@ -5,6 +5,8 @@ module Rodauth
     auth_value_method :password_grace_period, 300
     session_key :last_password_entry_session_key, :last_password_entry
 
+    auth_methods :password_recently_entered?
+
     def modifications_require_password?
       return false unless super
       !password_recently_entered?
@@ -17,6 +19,16 @@ module Rodauth
       v
     end
 
+    def password_recently_entered?
+      return false unless last_password_entry = session[last_password_entry_session_key]
+      last_password_entry + password_grace_period > Time.now.to_i
+    end
+
+    def update_session
+      super
+      set_session_value(last_password_entry_session_key, @last_password_entry) if defined?(@last_password_entry)
+    end
+
     private
 
     def after_create_account
@@ -29,18 +41,13 @@ module Rodauth
       @last_password_entry = Time.now.to_i
     end
 
-    def update_session
-      super
-      session[last_password_entry_session_key] = @last_password_entry if defined?(@last_password_entry)
-    end
-
-    def password_recently_entered?
-      return false unless last_password_entry = session[last_password_entry_session_key]
-      last_password_entry + password_grace_period > Time.now.to_i
+    def set_last_password_entry
+      set_session_value(last_password_entry_session_key, Time.now.to_i)
     end
 
-    def set_last_password_entry
-      session[last_password_entry_session_key] = Time.now.to_i
+    def require_password_authentication?
+      return true if defined?(super) && super
+      !password_recently_entered?
     end
   end
 end

data/lib/rodauth/features/recovery_codes.rb

@@ -17,14 +17,14 @@ module Rodauth
     button 'Authenticate via Recovery Code', 'recovery_auth'
     button 'View Authentication Recovery Codes', 'view_recovery_codes'
 
-    error_flash "Error authenticating via recovery code.", 'invalid_recovery_code'
-    error_flash "Unable to add recovery codes.", 'add_recovery_codes'
-    error_flash "Unable to view recovery codes.", 'view_recovery_codes'
+    error_flash "Error authenticating via recovery code", 'invalid_recovery_code'
+    error_flash "Unable to add recovery codes", 'add_recovery_codes'
+    error_flash "Unable to view recovery codes", 'view_recovery_codes'
 
-    notice_flash "Additional authentication recovery codes have been added.", 'recovery_codes_added'
+    notice_flash "Additional authentication recovery codes have been added", 'recovery_codes_added'
 
-    redirect(:recovery_auth){"#{prefix}/#{recovery_auth_route}"}
-    redirect(:add_recovery_codes){"#{prefix}/#{recovery_codes_route}"}
+    redirect(:recovery_auth){recovery_auth_path}
+    redirect(:add_recovery_codes){recovery_codes_path}
 
     loaded_templates %w'add-recovery-codes recovery-auth recovery-codes password-field'
     view 'add-recovery-codes', 'Authentication Recovery Codes', 'add_recovery_codes'
@@ -32,15 +32,19 @@ module Rodauth
     view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
 
     auth_value_method :add_recovery_codes_param, 'add'
-    auth_value_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
-    auth_value_method :invalid_recovery_code_message, "Invalid recovery code"
+    translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
+    auth_value_method :auto_add_recovery_codes?, false
+    translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
     auth_value_method :recovery_codes_id_column, :id
-    auth_value_method :recovery_codes_label, 'Recovery Code'
+    translatable_method :recovery_codes_label, 'Recovery Code'
     auth_value_method :recovery_codes_param, 'recovery-code'
     auth_value_method :recovery_codes_table, :account_recovery_codes
 
+    translatable_method :recovery_auth_link_text, "Authenticate Using Recovery Code"
+    translatable_method :recovery_codes_link_text, "View Authentication Recovery Codes"
+
     auth_cached_method :recovery_codes
 
     auth_value_methods(
@@ -59,7 +63,7 @@ module Rodauth
       require_login
       require_account_session
       require_two_factor_setup
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('recovery_code')
       before_recovery_auth_route
 
       r.get do
@@ -69,7 +73,7 @@ module Rodauth
       r.post do
         if recovery_code_match?(param(recovery_codes_param))
           before_recovery_auth
-          two_factor_authenticate(:recovery_code)
+          two_factor_authenticate('recovery_code')
         end
 
         set_response_error_status(invalid_key_error_status)
@@ -124,61 +128,24 @@ module Rodauth
 
     attr_accessor :recovery_codes_button
 
-    def two_factor_need_setup_redirect
-      super || (add_recovery_codes_redirect if recovery_codes_primary?)
-    end
-
-    def two_factor_auth_required_redirect
-      super || (recovery_auth_redirect if recovery_codes_primary?)
-    end
-
-    def two_factor_auth_fallback_redirect
-      recovery_auth_redirect
-    end
-
     def two_factor_remove
       super
       recovery_codes_remove
     end
 
-    def two_factor_authentication_setup?
-      super || (recovery_codes_primary? && !recovery_codes.empty?)
-    end
-
-    def otp_auth_form_footer
-      "#{super if defined?(super)}<p><a href=\"#{recovery_auth_route}\">Authenticate using recovery code</a></p>"
-    end
-
-    def otp_lockout_redirect
-      recovery_auth_redirect
-    end
-
-    def otp_lockout_error_flash
-      "#{super if defined?(super)} Can use recovery code to unlock."
-    end
-
     def otp_add_key
       super if defined?(super)
-      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+      auto_add_missing_recovery_codes
     end
 
     def sms_confirm
       super if defined?(super)
-      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
-    end
-
-    def otp_remove
-      super if defined?(super)
-      unless recovery_codes_primary?
-        recovery_codes_remove
-      end
+      auto_add_missing_recovery_codes
     end
 
-    def sms_disable
+    def add_webauthn_credential(_)
       super if defined?(super)
-      unless recovery_codes_primary?
-        recovery_codes_remove
-      end
+      auto_add_missing_recovery_codes
     end
 
     def recovery_codes_remove
@@ -221,14 +188,43 @@ module Rodauth
       end
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'recovery_code' unless recovery_codes_ds.empty?
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [40, recovery_auth_path, recovery_auth_link_text] unless recovery_codes_ds.empty?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [40, recovery_codes_path, recovery_codes_link_text] if (recovery_codes_primary? || uses_two_factor_authentication?)
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('recovery_code')
+      super
+    end
+
     def new_recovery_code
       random_key
     end
     
     def recovery_codes_primary?
-      (features & [:otp, :sms_codes]).empty?
+      (features & [:otp, :sms_codes, :webauthn]).empty?
+    end
+
+    def auto_add_missing_recovery_codes
+      if auto_add_recovery_codes?
+        add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+      end
     end
 
     def _recovery_codes