rodauth 1.21.0 → 2.2.0

data/lib/rodauth/features/remember.rb

@@ -2,8 +2,6 @@
 
 module Rodauth
   Feature.define(:remember, :Remember) do
-    depends :confirm_password
-
     notice_flash "Your remember setting has been updated"
     error_flash "There was an error updating your remember setting"
     loaded_templates %w'remember'
@@ -17,11 +15,10 @@ module Rodauth
     redirect
 
     auth_value_method :raw_remember_token_deadline, nil
-    auth_value_method :remember_cookie_options, {}
+    auth_value_method :remember_cookie_options, {}.freeze
     auth_value_method :extend_remember_deadline?, false
-    auth_value_method :remember_period, {:days=>14}
-    session_key :remembered_session_key, :remembered
-    auth_value_method :remember_deadline_interval, {:days=>14}
+    auth_value_method :remember_period, {:days=>14}.freeze
+    auth_value_method :remember_deadline_interval, {:days=>14}.freeze
     auth_value_method :remember_id_column, :id
     auth_value_method :remember_key_column, :key
     auth_value_method :remember_deadline_column, :deadline
@@ -31,13 +28,12 @@ module Rodauth
     auth_value_method :remember_remember_param_value, 'remember'
     auth_value_method :remember_forget_param_value, 'forget'
     auth_value_method :remember_disable_param_value, 'disable'
-    auth_value_method :remember_remember_label, 'Remember Me'
-    auth_value_method :remember_forget_label, 'Forget Me'
-    auth_value_method :remember_disable_label, 'Disable Remember Me'
+    translatable_method :remember_remember_label, 'Remember Me'
+    translatable_method :remember_forget_label, 'Forget Me'
+    translatable_method :remember_disable_label, 'Disable Remember Me'
 
     auth_methods(
       :add_remember_key,
-      :clear_remembered_session_key,
       :disable_remember_login,
       :forget_login,
       :generate_remember_key_value,
@@ -109,9 +105,9 @@ module Rodauth
         return
       end
 
-      session[session_key] = id
+      set_session_value(session_key, id)
       account = account_from_session
-      session.delete(session_key)
+      remove_session_value(session_key)
 
       unless account
         remove_remember_key(id)
@@ -120,9 +116,8 @@ module Rodauth
       end
 
       before_load_memory
-      update_session
+      login_session('remember')
 
-      set_session_value(remembered_session_key, true)
       if extend_remember_deadline?
         active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
         remember_login
@@ -133,9 +128,7 @@ module Rodauth
     def remember_login
       get_remember_key
       opts = Hash[remember_cookie_options]
-      key = remember_key_value
-      key = compute_hmac(key) if hmac_secret
-      opts[:value] = "#{account_id}_#{key}"
+      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
@@ -174,12 +167,8 @@ module Rodauth
       remember_key_ds(id).delete
     end
 
-    def clear_remembered_session_key
-      session.delete(remembered_session_key)
-    end
-
     def logged_in_via_remember_key?
-      !!session[remembered_session_key]
+      authenticated_by.include?('remember')
     end
 
     private
@@ -194,11 +183,6 @@ module Rodauth
       super if defined?(super)
     end
 
-    def after_confirm_password
-      super
-      clear_remembered_session_key
-    end
-
     attr_reader :remember_key_value
 
     def generate_remember_key_value

data/lib/rodauth/features/reset_password.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:reset_password, :ResetPassword) do
     depends :login, :email_base, :login_password_requirements_base
 
-    def_deprecated_alias :no_matching_reset_password_key_error_flash, :no_matching_reset_password_key_message
-
     notice_flash "Your password has been reset"
     notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
     error_flash "There was an error resetting your password"
@@ -28,20 +26,19 @@ module Rodauth
     redirect(:reset_password_email_recently_sent){default_post_email_redirect}
     
     auth_value_method :reset_password_deadline_column, :deadline
-    auth_value_method :reset_password_deadline_interval, {:days=>1}
-    auth_value_method :reset_password_email_subject, 'Reset Password'
+    auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
+    translatable_method :reset_password_email_subject, 'Reset Password'
     auth_value_method :reset_password_key_param, 'key'
     auth_value_method :reset_password_autologin?, false
     auth_value_method :reset_password_table, :account_password_reset_keys
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
-    auth_value_method :reset_password_email_last_sent_column, nil
-    auth_value_method :reset_password_explanatory_text, "<p>If you have forgotten your password, you can request a password reset:</p>"
+    auth_value_method :reset_password_email_last_sent_column, :email_last_sent
+    translatable_method :reset_password_explanatory_text, "<p>If you have forgotten your password, you can request a password reset:</p>"
     auth_value_method :reset_password_skip_resend_email_within, 300
+    translatable_method :reset_password_request_link_text, "Forgot Password?"
     session_key :reset_password_session_key, :reset_password_key
 
-    auth_value_methods :reset_password_request_link
-
     auth_methods(
       :create_reset_password_key,
       :create_reset_password_email,
@@ -69,7 +66,15 @@ module Rodauth
       end
 
       r.post do
-        if account_from_login(param(login_param)) && open_account?
+        catch_error do
+          unless account_from_login(param(login_param))
+            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message)
+          end
+
+          unless open_account?
+            throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
+          end
+
           if reset_password_email_recently_sent?
             set_redirect_error_flash reset_password_email_recently_sent_error_flash
             redirect reset_password_email_recently_sent_redirect
@@ -84,12 +89,11 @@ module Rodauth
           end
 
           set_notice_flash reset_password_email_sent_notice_flash
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_redirect_error_flash reset_password_request_error_flash
+          redirect reset_password_email_sent_redirect
         end
 
-        redirect reset_password_email_sent_redirect
+        set_error_flash reset_password_request_error_flash
+        reset_password_request_view
       end
     end
 
@@ -99,7 +103,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(reset_password_key_param)
-          session[reset_password_session_key] = key
+          set_session_value(reset_password_session_key, key)
           redirect(r.path)
         end
 
@@ -107,7 +111,7 @@ module Rodauth
           if account_from_reset_password_key(key)
             reset_password_view
           else
-            session[reset_password_session_key] = nil
+            remove_session_value(reset_password_session_key)
             set_redirect_error_flash no_matching_reset_password_key_error_flash
             redirect require_login_redirect
           end
@@ -144,10 +148,10 @@ module Rodauth
           end
 
           if reset_password_autologin?
-            update_session
+            autologin_session('reset_password')
           end
 
-          session[reset_password_session_key] = nil
+          remove_session_value(reset_password_session_key)
           set_notice_flash reset_password_notice_flash
           redirect reset_password_redirect
         end
@@ -179,7 +183,7 @@ module Rodauth
     end
 
     def send_reset_password_email
-      create_reset_password_email.deliver!
+      send_email(create_reset_password_email)
     end
 
     def reset_password_email_link
@@ -192,14 +196,6 @@ module Rodauth
       ds.get(reset_password_key_column)
     end
 
-    def login_form_footer
-      super + reset_password_request_link
-    end
-
-    def reset_password_request_link
-      "<p><a href=\"#{prefix}/#{reset_password_request_route}\">Forgot Password?</a></p>"
-    end
-
     def set_reset_password_email_last_sent
        password_reset_ds.update(reset_password_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if reset_password_email_last_sent_column
     end
@@ -214,6 +210,10 @@ module Rodauth
 
     private
 
+    def _login_form_footer_links
+      super << [20, reset_password_request_path, reset_password_request_link_text]
+    end
+
     def reset_password_email_recently_sent?
       (email_last_sent = get_reset_password_email_last_sent) && (Time.now - email_last_sent < reset_password_skip_resend_email_within)
     end

data/lib/rodauth/features/session_expiration.rb

@@ -2,10 +2,11 @@
 
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
-    error_flash "This session has expired, please login again."
+    error_flash "This session has expired, please login again"
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
+    auth_value_method :session_expiration_error_status, 401
     auth_value_method :session_expiration_default, true
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
@@ -37,6 +38,7 @@ module Rodauth
 
     def expire_session
       clear_session
+      set_redirect_error_status session_expiration_error_status
       set_redirect_error_flash session_expiration_error_flash
       redirect session_expiration_redirect
     end
@@ -45,11 +47,11 @@ module Rodauth
       require_login_redirect
     end
 
-    private
-
     def update_session
       super
-      session[session_last_activity_session_key] = session[session_created_session_key] = Time.now.to_i
+      t = Time.now.to_i
+      set_session_value(session_last_activity_session_key, t)
+      set_session_value(session_created_session_key, t)
     end
   end
 end

data/lib/rodauth/features/single_session.rb

@@ -6,6 +6,7 @@ module Rodauth
     redirect
 
     auth_value_method :allow_raw_single_session_key?, false
+    auth_value_method :inactive_session_error_status, 401
     auth_value_method :single_session_id_column, :id
     auth_value_method :single_session_key_column, :key
     session_key :single_session_session_key, :single_session_key
@@ -55,6 +56,7 @@ module Rodauth
 
     def no_longer_active_session
       clear_session
+      set_redirect_error_status inactive_session_error_status
       set_redirect_error_flash single_session_error_flash
       redirect single_session_redirect
     end
@@ -70,6 +72,11 @@ module Rodauth
       end
     end
 
+    def update_session
+      super
+      update_single_session_key
+    end
+
     private
 
     def after_close_account
@@ -78,7 +85,7 @@ module Rodauth
     end
 
     def before_logout
-      reset_single_session_key if request.post?
+      reset_single_session_key
       super if defined?(super)
     end
 
@@ -87,11 +94,6 @@ module Rodauth
       set_session_value(single_session_session_key, data)
     end
 
-    def update_session
-      super
-      update_single_session_key
-    end
-
     def single_session_ds
       db[single_session_table].
         where(single_session_id_column=>session_value)

data/lib/rodauth/features/sms_codes.rb

@@ -28,28 +28,32 @@ module Rodauth
     button 'Send SMS Code', 'sms_request'
     button 'Setup SMS Backup Number', 'sms_setup'
 
-    error_flash "Error authenticating via SMS code.", 'sms_invalid_code'
+    error_flash "Error authenticating via SMS code", 'sms_invalid_code'
     error_flash "Error disabling SMS authentication", 'sms_disable'
     error_flash "Error setting up SMS authentication", 'sms_setup'
-    error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again.", 'sms_invalid_confirmation_code'
+    error_flash "Invalid or out of date SMS confirmation code used, must setup SMS authentication again", 'sms_invalid_confirmation_code'
     error_flash "No current SMS code for this account", 'no_current_sms_code'
-    error_flash "SMS authentication has been locked out.", 'sms_lockout'
-    error_flash "SMS authentication has already been setup.", 'sms_already_setup'
-    error_flash "SMS authentication has not been setup yet.", 'sms_not_setup'
-    error_flash "SMS authentication needs confirmation.", 'sms_needs_confirmation'
+    error_flash "SMS authentication has been locked out", 'sms_lockout'
+    error_flash "SMS authentication has already been setup", 'sms_already_setup'
+    error_flash "SMS authentication has not been setup yet", 'sms_not_setup'
+    error_flash "SMS authentication needs confirmation", 'sms_needs_confirmation'
 
-    notice_flash "SMS authentication code has been sent.", 'sms_request'
-    notice_flash "SMS authentication has been disabled.", 'sms_disable'
-    notice_flash "SMS authentication has been setup.", 'sms_confirm'
+    notice_flash "SMS authentication code has been sent", 'sms_request'
+    notice_flash "SMS authentication has been disabled", 'sms_disable'
+    notice_flash "SMS authentication has been setup", 'sms_confirm'
+
+    translatable_method :sms_auth_link_text, "Authenticate Using SMS Code"
+    translatable_method :sms_setup_link_text, "Setup Backup SMS Authentication"
+    translatable_method :sms_disable_link_text, "Disable SMS Authentication"
 
     redirect :sms_already_setup
     redirect :sms_confirm
     redirect :sms_disable
-    redirect(:sms_auth){"#{prefix}/#{sms_auth_route}"}
-    redirect(:sms_needs_confirmation){"#{prefix}/#{sms_confirm_route}"}
-    redirect(:sms_needs_setup){"#{prefix}/#{sms_setup_route}"}
-    redirect(:sms_request){"#{prefix}/#{sms_request_route}"}
-    redirect(:sms_lockout){_two_factor_auth_required_redirect}
+    redirect(:sms_auth){sms_auth_path}
+    redirect(:sms_needs_confirmation){sms_confirm_path}
+    redirect(:sms_needs_setup){sms_setup_path}
+    redirect(:sms_request){sms_request_path}
+    redirect(:sms_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
@@ -64,18 +68,19 @@ module Rodauth
     auth_value_method :sms_auth_code_length, 6
     auth_value_method :sms_code_allowed_seconds, 300
     auth_value_method :sms_code_column, :code
-    auth_value_method :sms_code_label, 'SMS Code'
+    translatable_method :sms_code_label, 'SMS Code'
     auth_value_method :sms_code_param, 'sms-code'
     auth_value_method :sms_codes_table, :account_sms_codes
     auth_value_method :sms_confirm_code_length, 12
     auth_value_method :sms_failure_limit, 5
     auth_value_method :sms_failures_column, :num_failures
     auth_value_method :sms_id_column, :id
-    auth_value_method :sms_invalid_code_message, "invalid SMS code"
-    auth_value_method :sms_invalid_phone_message, "invalid SMS phone number"
+    translatable_method :sms_invalid_code_message, "invalid SMS code"
+    translatable_method :sms_invalid_phone_message, "invalid SMS phone number"
     auth_value_method :sms_issued_at_column, :code_issued_at
     auth_value_method :sms_phone_column, :phone_number
-    auth_value_method :sms_phone_label, 'Phone Number'
+    translatable_method :sms_phone_label, 'Phone Number'
+    auth_value_method :sms_phone_input_type, 'tel'
     auth_value_method :sms_phone_min_length, 7
     auth_value_method :sms_phone_param, 'sms-phone'
 
@@ -110,7 +115,7 @@ module Rodauth
     route(:sms_request) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('sms_code')
       require_sms_available
       before_sms_request_route
 
@@ -133,7 +138,7 @@ module Rodauth
     route(:sms_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('sms_code')
       require_sms_available
 
       unless sms_current_auth?
@@ -157,7 +162,7 @@ module Rodauth
           if sms_code_match?(param(sms_code_param))
             before_sms_auth
             sms_remove_failures
-            two_factor_authenticate(:sms_code)
+            two_factor_authenticate('sms_code')
           else
             sms_record_failure
             after_sms_failure
@@ -238,8 +243,8 @@ module Rodauth
             before_sms_confirm
             sms_confirm
             after_sms_confirm
-            if sms_codes_primary?
-              two_factor_authenticate(:sms_code)
+            unless two_factor_authenticated?
+              two_factor_update_session('sms_code')
             end
           end
 
@@ -268,8 +273,8 @@ module Rodauth
           transaction do
             before_sms_disable
             sms_disable
-            if sms_codes_primary?
-              two_factor_remove_session
+            if two_factor_login_type_match?('sms_code')
+              two_factor_remove_session('sms_code')
             end
             after_sms_disable
           end
@@ -284,18 +289,6 @@ module Rodauth
       end
     end
 
-    def two_factor_need_setup_redirect
-      super || (sms_needs_setup_redirect if sms_codes_primary?)
-    end
-
-    def two_factor_auth_required_redirect
-      super || (sms_request_redirect if sms_codes_primary? && sms_available?)
-    end
-
-    def two_factor_auth_fallback_redirect
-      sms_available? ? sms_request_redirect : super
-    end
-
     def two_factor_remove
       super
       sms_disable
@@ -306,37 +299,6 @@ module Rodauth
       sms_remove_failures
     end
 
-    def two_factor_authentication_setup?
-      super || (sms_codes_primary? && sms_setup?)
-    end
-
-    def otp_auth_form_footer
-      "#{super if defined?(super)}#{"<p><a href=\"#{sms_request_route}\">Authenticate using SMS code</a></p>" if sms_available?}"
-    end
-
-    def otp_lockout_redirect
-      if sms_available?
-        sms_request_redirect
-      else
-        super if defined?(super)
-      end
-    end
-
-    def otp_lockout_error_flash
-      msg = super if defined?(super)
-      if sms_available?
-         msg = "#{msg} Can use SMS code to unlock."
-      end
-      msg
-    end
-
-    def otp_remove
-      super if defined?(super)
-      unless sms_codes_primary?
-        sms_disable
-      end
-    end
-
     def require_sms_setup
       unless sms_setup?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -375,7 +337,6 @@ module Rodauth
     def sms_disable
       sms_ds.delete
       @sms = nil
-      super if defined?(super)
     end
 
     def sms_confirm_failure
@@ -415,11 +376,11 @@ module Rodauth
     end
 
     def sms_auth_message(code)
-      "SMS authentication code for #{request.host} is #{code}"
+      "SMS authentication code for #{domain} is #{code}"
     end
 
     def sms_confirm_message(code)
-      "SMS confirmation code for #{request.host} is #{code}"
+      "SMS confirmation code for #{domain} is #{code}"
     end
 
     def sms_set_code(code)
@@ -468,10 +429,39 @@ module Rodauth
       sms_code && sms_code_issued_at + sms_code_allowed_seconds > Time.now
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'sms_code' if sms_setup?
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [30, sms_request_path, sms_auth_link_text] if sms_available?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [30, sms_setup_path, sms_setup_link_text] if !sms_setup? && (sms_codes_primary? || uses_two_factor_authentication?)
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [30, sms_disable_path, sms_disable_link_text] if sms_setup?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('sms_codes')
+      super
+    end
+
     def sms_codes_primary?
-      !features.include?(:otp)
+      (features & [:otp, :webauthn]).empty?
     end
 
     def sms_normalize_phone(phone)