rodauth 1.21.0 → 2.2.0

data/lib/rodauth/features/two_factor_base.rb

@@ -2,25 +2,50 @@
 
 module Rodauth
   Feature.define(:two_factor_base, :TwoFactorBase) do
+    loaded_templates %w'two-factor-manage two-factor-auth two-factor-disable'
+
+    view 'two-factor-manage', 'Manage Multifactor Authentication', 'two_factor_manage'
+    view 'two-factor-auth', 'Authenticate Using Additional Factor', 'two_factor_auth'
+    view 'two-factor-disable', 'Remove All Multifactor Authentication Methods', 'two_factor_disable'
+
+    before :two_factor_disable
+
     after :two_factor_authentication
+    after :two_factor_disable
+
+    additional_form_tags :two_factor_disable
+
+    button "Remove All Multifactor Authentication Methods", :two_factor_disable
 
-    redirect :two_factor_auth
-    redirect :two_factor_already_authenticated
+    redirect(:two_factor_auth)
+    redirect(:two_factor_already_authenticated)
+    redirect(:two_factor_disable)
+    redirect(:two_factor_need_setup){two_factor_manage_path}
+    redirect(:two_factor_auth_required){two_factor_auth_path}
 
-    notice_flash "You have been authenticated via 2nd factor", "two_factor_auth"
+    notice_flash "You have been multifactor authenticated", "two_factor_auth"
+    notice_flash "All multifactor authentication methods have been disabled", "two_factor_disable"
 
-    error_flash "This account has not been setup for two factor authentication", 'two_factor_not_setup'
-    error_flash "Already authenticated via 2nd factor", 'two_factor_already_authenticated'
-    error_flash "You need to authenticate via 2nd factor before continuing.", 'two_factor_need_authentication'
+    error_flash "This account has not been setup for multifactor authentication", 'two_factor_not_setup'
+    error_flash "You have already been multifactor authenticated", 'two_factor_already_authenticated'
+    error_flash "You need to authenticate via an additional factor before continuing", 'two_factor_need_authentication'
+    error_flash "Unable to remove all multifactor authentication methods", "two_factor_disable"
 
     auth_value_method :two_factor_already_authenticated_error_status, 403
     auth_value_method :two_factor_need_authentication_error_status, 401
     auth_value_method :two_factor_not_setup_error_status, 403
 
-    session_key :two_factor_session_key, :two_factor_auth
     session_key :two_factor_setup_session_key, :two_factor_auth_setup
-    auth_value_method :two_factor_need_setup_redirect, nil
-    auth_value_method :two_factor_auth_required_redirect, nil
+    session_key :two_factor_auth_redirect_session_key, :two_factor_auth_redirect
+
+    translatable_method :two_factor_setup_heading, "<h2>Setup Multifactor Authentication</h2>"
+    translatable_method :two_factor_remove_heading, "<h2>Remove Multifactor Authentication</h2>"
+    translatable_method :two_factor_disable_link_text, "Remove All Multifactor Authentication Methods"
+    auth_value_method :two_factor_auth_return_to_requested_location?, false
+
+    auth_cached_method :two_factor_auth_links
+    auth_cached_method :two_factor_setup_links
+    auth_cached_method :two_factor_remove_links
 
     auth_value_methods :two_factor_modifications_require_password?
 
@@ -32,6 +57,62 @@ module Rodauth
       :two_factor_update_session
     )
 
+    route(:two_factor_manage, 'multifactor-manage') do |r|
+      require_account
+      before_two_factor_manage_route
+
+      r.get do
+        all_links = two_factor_setup_links + two_factor_remove_links
+        if all_links.length == 1
+          redirect all_links[0][1]
+        end
+        two_factor_manage_view
+      end
+    end
+
+    route(:two_factor_auth, 'multifactor-auth') do |r|
+      require_login
+      require_account_session
+      require_two_factor_setup
+      require_two_factor_not_authenticated
+      before_two_factor_auth_route
+
+      r.get do
+        if two_factor_auth_links.length == 1
+          redirect two_factor_auth_links[0][1]
+        end
+        two_factor_auth_view
+      end
+    end
+
+    route(:two_factor_disable, 'multifactor-disable') do |r|
+      require_account
+      require_two_factor_setup
+      before_two_factor_disable_route
+
+      r.get do
+        two_factor_disable_view
+      end
+
+      r.post do
+        if two_factor_password_match?(param(password_param))
+          transaction do
+            before_two_factor_disable
+            two_factor_remove
+            _two_factor_remove_all_from_session
+            after_two_factor_disable
+          end
+          set_notice_flash two_factor_disable_notice_flash
+          redirect two_factor_disable_redirect
+        end
+
+        set_response_error_status(invalid_password_error_status)
+        set_field_error(password_param, invalid_password_message)
+        set_error_flash two_factor_disable_error_flash
+        two_factor_disable_view
+      end
+    end
+
     def two_factor_modifications_require_password?
       modifications_require_password?
     end
@@ -44,7 +125,7 @@ module Rodauth
       return true if two_factor_authenticated?
 
       # True if authenticated via single factor and 2nd factor not setup 
-      !two_factor_authentication_setup?
+      !uses_two_factor_authentication?
     end
 
     def require_authentication
@@ -53,7 +134,7 @@ module Rodauth
       # Avoid database query if already authenticated via 2nd factor
       return if two_factor_authenticated?
 
-      require_two_factor_authenticated if two_factor_authentication_setup?
+      require_two_factor_authenticated if uses_two_factor_authentication?
     end
 
     def require_two_factor_setup
@@ -67,8 +148,8 @@ module Rodauth
       redirect two_factor_need_setup_redirect
     end
     
-    def require_two_factor_not_authenticated
-      if two_factor_authenticated?
+    def require_two_factor_not_authenticated(auth_type = nil)
+      if two_factor_authenticated? || (auth_type && two_factor_login_type_match?(auth_type))
         set_redirect_error_status(two_factor_already_authenticated_error_status)
         set_redirect_error_flash two_factor_already_authenticated_error_flash
         redirect two_factor_already_authenticated_redirect
@@ -77,9 +158,12 @@ module Rodauth
 
     def require_two_factor_authenticated
       unless two_factor_authenticated?
+        if two_factor_auth_return_to_requested_location?
+          set_session_value(two_factor_auth_redirect_session_key, request.fullpath)
+        end
         set_redirect_error_status(two_factor_need_authentication_error_status)
         set_redirect_error_flash two_factor_need_authentication_error_flash
-        redirect _two_factor_auth_required_redirect
+        redirect two_factor_auth_required_redirect
       end
     end
 
@@ -87,10 +171,6 @@ module Rodauth
       nil
     end
 
-    def two_factor_auth_fallback_redirect
-      nil
-    end
-
     def two_factor_password_match?(password)
       if two_factor_modifications_require_password?
         password_match?(password)
@@ -100,25 +180,45 @@ module Rodauth
     end
 
     def two_factor_authenticated?
-      !!session[two_factor_session_key]
+      authenticated_by && authenticated_by.length >= 2
     end
 
     def two_factor_authentication_setup?
-      false
+      possible_authentication_methods.length >= 2
     end
 
     def uses_two_factor_authentication?
       return false unless logged_in?
-      session[two_factor_setup_session_key] = two_factor_authentication_setup? unless session.has_key?(two_factor_setup_session_key)
+      set_session_value(two_factor_setup_session_key, two_factor_authentication_setup?) unless session.has_key?(two_factor_setup_session_key)
       session[two_factor_setup_session_key]
     end
 
+    def two_factor_login_type_match?(type)
+      authenticated_by && authenticated_by.include?(type)
+    end
+
     def two_factor_remove
       nil
     end
 
     private
 
+    def _two_factor_auth_links
+      (super if defined?(super)) || []
+    end
+
+    def _two_factor_setup_links
+      []
+    end
+
+    def _two_factor_remove_links
+      []
+    end
+
+    def _two_factor_remove_all_from_session
+      nil
+    end
+
     def after_close_account
       super if defined?(super)
       two_factor_remove
@@ -129,21 +229,25 @@ module Rodauth
       two_factor_remove_auth_failures
       after_two_factor_authentication
       set_notice_flash two_factor_auth_notice_flash
-      redirect two_factor_auth_redirect
+      redirect_two_factor_authenticated
     end
 
-    def two_factor_remove_session
-      session.delete(two_factor_session_key)
-      session[two_factor_setup_session_key] = false
+    def redirect_two_factor_authenticated
+      saved_two_factor_auth_redirect = remove_session_value(two_factor_auth_redirect_session_key)
+      redirect saved_two_factor_auth_redirect || two_factor_auth_redirect
     end
 
-    def two_factor_update_session(type)
-      session[two_factor_session_key] = type
-      session[two_factor_setup_session_key] = true
+    def two_factor_remove_session(type)
+      authenticated_by.delete(type)
+      remove_session_value(two_factor_setup_session_key)
+      if authenticated_by.empty?
+        clear_session
+      end
     end
 
-    def _two_factor_auth_required_redirect
-      two_factor_auth_required_redirect || two_factor_auth_fallback_redirect || default_redirect
+    def two_factor_update_session(auth_type)
+      authenticated_by << auth_type
+      set_session_value(two_factor_setup_session_key, true)
     end
   end
 end

data/lib/rodauth/features/verify_account.rb

@@ -4,10 +4,6 @@ module Rodauth
   Feature.define(:verify_account, :VerifyAccount) do
     depends :login, :create_account, :email_base
 
-    def_deprecated_alias :attempt_to_create_unverified_account_error_flash, :attempt_to_create_unverified_account_notice_message
-    def_deprecated_alias :attempt_to_login_to_unverified_account_error_flash, :attempt_to_login_to_unverified_account_notice_message
-    def_deprecated_alias :no_matching_verify_account_key_error_flash, :no_matching_verify_account_key_message
-
     error_flash "Unable to verify account"
     error_flash "Unable to resend verify account email", 'verify_account_resend'
     error_flash "An email has recently been sent to you with a link to verify your account", 'verify_account_email_recently_sent'
@@ -31,26 +27,29 @@ module Rodauth
     redirect(:verify_account_email_sent){default_post_email_redirect}
     redirect(:verify_account_email_recently_sent){default_post_email_redirect}
 
-    auth_value_method :verify_account_email_subject, 'Verify Account'
+    translatable_method :verify_account_email_subject, 'Verify Account'
     auth_value_method :verify_account_key_param, 'key'
     auth_value_method :verify_account_autologin?, true
     auth_value_method :verify_account_table, :account_verification_keys
     auth_value_method :verify_account_id_column, :id
-    auth_value_method :verify_account_email_last_sent_column, nil
+    auth_value_method :verify_account_email_last_sent_column, :email_last_sent
     auth_value_method :verify_account_skip_resend_email_within, 300
     auth_value_method :verify_account_key_column, :key
-    auth_value_method :verify_account_resend_explanatory_text, "<p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>"
+    translatable_method :verify_account_resend_explanatory_text, "<p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>"
+    translatable_method :verify_account_resend_link_text, "Resend Verify Account Information"
     session_key :verify_account_session_key, :verify_account_key
-    auth_value_method :verify_account_set_password?, false
+    auth_value_method :verify_account_set_password?, true
 
     auth_methods(
       :allow_resending_verify_account_email?,
       :create_verify_account_key,
       :create_verify_account_email,
       :get_verify_account_key,
+      :get_verify_account_email_last_sent,
       :remove_verify_account_key,
       :resend_verify_account_view,
       :send_verify_account_email,
+      :set_verify_account_email_last_sent,
       :verify_account,
       :verify_account_email_body,
       :verify_account_email_link,
@@ -71,6 +70,7 @@ module Rodauth
       end
 
       r.post do
+        verified = false
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
@@ -80,8 +80,11 @@ module Rodauth
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
+            verified = true
           end
+        end
 
+        if verified
           set_notice_flash verify_account_email_sent_notice_flash
         else
           set_redirect_error_status(no_matching_login_error_status)
@@ -95,10 +98,11 @@ module Rodauth
     route do |r|
       verify_account_check_already_logged_in
       before_verify_account_route
+      @password_field_autocomplete_value = 'new-password'
 
       r.get do
         if key = param_or_nil(verify_account_key_param)
-          session[verify_account_session_key] = key
+          set_session_value(verify_account_session_key, key)
           redirect(r.path)
         end
 
@@ -106,7 +110,7 @@ module Rodauth
           if account_from_verify_account_key(key)
             verify_account_view
           else
-            session[verify_account_session_key] = nil
+            remove_session_value(verify_account_session_key)
             set_redirect_error_flash no_matching_verify_account_key_error_flash
             redirect require_login_redirect
           end
@@ -145,10 +149,10 @@ module Rodauth
           end
 
           if verify_account_autologin?
-            update_session
+            autologin_session('verify_account')
           end
 
-          session[verify_account_session_key] = nil
+          remove_session_value(verify_account_session_key)
           set_notice_flash verify_account_notice_flash
           redirect verify_account_redirect
         end
@@ -158,6 +162,10 @@ module Rodauth
       end
     end
 
+    def require_login_confirmation?
+      false
+    end
+
     def allow_resending_verify_account_email?
       account[account_status_column] == account_unverified_status_value
     end
@@ -201,7 +209,7 @@ module Rodauth
     end
 
     def send_verify_account_email
-      create_verify_account_email.deliver!
+      send_email(create_verify_account_email)
     end
 
     def verify_account_email_link
@@ -220,14 +228,6 @@ module Rodauth
       false
     end
 
-    def login_form_footer
-      super + verify_account_resend_link
-    end
-
-    def verify_account_resend_link
-      "<p><a href=\"#{prefix}/#{verify_account_resend_route}\">Resend Verify Account Information</a></p>"
-    end
-
     def create_account_set_password?
       return false if verify_account_set_password?
       super
@@ -247,6 +247,14 @@ module Rodauth
 
     private
 
+    def _login_form_footer_links
+      links = super
+      if !param_or_nil(login_param) || ((account || account_from_login(param(login_param))) && allow_resending_verify_account_email?)
+        links << [30, verify_account_resend_path, verify_account_resend_link_text]
+      end
+      links
+    end
+
     def verify_account_email_recently_sent?
       (email_last_sent = get_verify_account_email_last_sent) && (Time.now - email_last_sent < verify_account_skip_resend_email_within)
     end

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -3,7 +3,7 @@
 module Rodauth
   Feature.define(:verify_account_grace_period, :VerifyAccountGracePeriod) do
     depends :verify_account
-    error_flash "Cannot change login for unverified account. Please verify this account before changing the login.", "unverified_change_login"
+    error_flash "Please verify this account before changing the login", "unverified_change_login"
     redirect :unverified_change_login
 
     auth_value_method :verification_requested_at_column, :requested_at
@@ -23,7 +23,18 @@ module Rodauth
     end
 
     def open_account?
-      super || account_in_unverified_grace_period?
+      super || (account_in_unverified_grace_period? && has_password?)
+    end
+
+    def verify_account_set_password?
+      false
+    end
+
+    def update_session
+      super
+      if account_in_unverified_grace_period?
+        set_session_value(unverified_account_session_key, true)
+      end
     end
 
     private
@@ -41,6 +52,10 @@ module Rodauth
       super if defined?(super)
     end
 
+    def allow_email_auth?
+      (defined?(super) ? super : true) && !account_in_unverified_grace_period?
+    end
+
     def verify_account_check_already_logged_in
       nil
     end
@@ -56,14 +71,8 @@ module Rodauth
       s
     end
 
-    def update_session
-      super
-      if account_in_unverified_grace_period?
-        session[unverified_account_session_key] = true
-      end
-    end
-
     def account_in_unverified_grace_period?
+      account || account_from_session
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?