RubyGems - rodauth - Versions diffs - 1.22.0 → 1.23.0 - Mend

rodauth 1.22.0 → 1.23.0

Files changed (66) hide show

checksums.yaml +4 -4
data/CHANGELOG +12 -0
data/README.rdoc +5 -3
data/doc/email_base.rdoc +1 -0
data/doc/release_notes/1.23.0.txt +32 -0
data/lib/rodauth.rb +5 -2
data/lib/rodauth/features/base.rb +8 -0
data/lib/rodauth/features/change_password_notify.rb +1 -1
data/lib/rodauth/features/create_account.rb +1 -1
data/lib/rodauth/features/email_auth.rb +3 -4
data/lib/rodauth/features/email_base.rb +7 -2
data/lib/rodauth/features/lockout.rb +1 -1
data/lib/rodauth/features/login.rb +6 -2
data/lib/rodauth/features/otp.rb +6 -3
data/lib/rodauth/features/password_expiration.rb +1 -1
data/lib/rodauth/features/recovery_codes.rb +3 -3
data/lib/rodauth/features/reset_password.rb +2 -2
data/lib/rodauth/features/sms_codes.rb +5 -5
data/lib/rodauth/features/verify_account.rb +2 -2
data/lib/rodauth/features/verify_login_change.rb +1 -1
data/lib/rodauth/version.rb +1 -1
data/templates/email-auth-request-form.str +2 -2
data/templates/reset-password-request.str +3 -3
data/templates/unlock-account-request.str +3 -3
data/templates/verify-account-resend.str +3 -3
metadata +5 -43
data/Rakefile +0 -179
data/spec/account_expiration_spec.rb +0 -225
data/spec/all.rb +0 -1
data/spec/change_login_spec.rb +0 -156
data/spec/change_password_notify_spec.rb +0 -33
data/spec/change_password_spec.rb +0 -202
data/spec/close_account_spec.rb +0 -162
data/spec/confirm_password_spec.rb +0 -70
data/spec/create_account_spec.rb +0 -127
data/spec/disallow_common_passwords_spec.rb +0 -93
data/spec/disallow_password_reuse_spec.rb +0 -179
data/spec/email_auth_spec.rb +0 -285
data/spec/http_basic_auth_spec.rb +0 -143
data/spec/jwt_cors_spec.rb +0 -57
data/spec/jwt_refresh_spec.rb +0 -256
data/spec/jwt_spec.rb +0 -235
data/spec/lockout_spec.rb +0 -250
data/spec/login_spec.rb +0 -328
data/spec/migrate/001_tables.rb +0 -184
data/spec/migrate/002_account_password_hash_column.rb +0 -11
data/spec/migrate_password/001_tables.rb +0 -73
data/spec/migrate_travis/001_tables.rb +0 -141
data/spec/password_complexity_spec.rb +0 -109
data/spec/password_expiration_spec.rb +0 -244
data/spec/password_grace_period_spec.rb +0 -93
data/spec/remember_spec.rb +0 -451
data/spec/reset_password_spec.rb +0 -229
data/spec/rodauth_spec.rb +0 -343
data/spec/session_expiration_spec.rb +0 -58
data/spec/single_session_spec.rb +0 -127
data/spec/spec_helper.rb +0 -327
data/spec/two_factor_spec.rb +0 -1462
data/spec/update_password_hash_spec.rb +0 -40
data/spec/verify_account_grace_period_spec.rb +0 -171
data/spec/verify_account_spec.rb +0 -240
data/spec/verify_change_login_spec.rb +0 -46
data/spec/verify_login_change_spec.rb +0 -232
data/spec/views/layout-other.str +0 -11
data/spec/views/layout.str +0 -11
data/spec/views/login.str +0 -21

data/spec/session_expiration_spec.rb DELETED

@@ -1,58 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth session expiration feature' do
-  it "should expire sessions based on last activity and max lifetime checks" do
-    inactivity = max_lifetime = 300
-    expiration_default = true
-    rodauth do
-      enable :login, :session_expiration
-      session_expiration_default{expiration_default}
-      session_inactivity_timeout{inactivity}
-      max_session_lifetime{max_lifetime}
-    end
-    roda do |r|
-      rodauth.check_session_expiration
-      r.rodauth
-      r.get("remove-creation"){session.delete(rodauth.session_created_session_key); r.redirect '/'}
-      r.get("set-creation"){session[rodauth.session_created_session_key] = Time.now.to_i - 100000; r.redirect '/'}
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    visit '/'
-    page.body.must_include "Not Logged"
-    login
-    page.body.must_include "Logged In"
-    inactivity = -1
-    visit '/'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    login
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    inactivity = 10
-    login
-    page.body.must_include "Logged In"
-    visit '/set-creation'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    login
-    page.body.must_include "Logged In"
-    visit '/remove-creation'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    expiration_default = false
-    login
-    page.body.must_include "Logged In"
-    visit '/remove-creation'
-    page.body.must_include "Logged In"
-  end
-end

data/spec/single_session_spec.rb DELETED

@@ -1,127 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth single session feature' do
-  it "should limit accounts to a single logged in session" do
-    secret = nil
-    allow_raw = true
-    rodauth do
-      enable :login, :logout, :single_session
-      hmac_secret{secret}
-      allow_raw_single_session_key?{allow_raw}
-    end
-    roda do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.is("clear"){session.delete(rodauth.single_session_session_key); DB[:account_session_keys].delete; r.redirect '/'}
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    login
-    page.body.must_include "Logged In"
-    session1 = get_cookie('rack.session')
-    logout
-    visit '/'
-    page.body.must_include "Not Logged"
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session1)
-    visit '/foo'
-    page.current_path.must_equal '/'
-    page.body.must_include "Not Logged"
-    page.find('#error_flash').text.must_equal "This session has been logged out as another session has become active"
-    login
-    page.body.must_include "Logged In"
-    session2 = get_cookie('rack.session')
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session1)
-    visit '/'
-    page.body.must_include "Not Logged"
-    page.find('#error_flash').text.must_equal "This session has been logged out as another session has become active"
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session2)
-    visit '/'
-    page.body.must_include "Logged In"
-    visit '/clear'
-    page.current_path.must_equal '/'
-    page.body.must_include "Logged In"
-    secret = SecureRandom.random_bytes(32)
-    visit '/'
-    page.body.must_include "Logged In"
-    allow_raw = false
-    visit '/'
-    page.body.must_include "Not Logged"
-    login
-    page.body.must_include "Logged In"
-    allow_raw = true
-    secret = SecureRandom.random_bytes(32)
-    visit '/'
-    page.body.must_include "Not Logged"
-  end
-  it "should limit accounts to a single logged in session" do
-    rodauth do
-      enable :login, :close_account, :single_session
-      close_account_requires_password? false
-    end
-    roda do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    login
-    DB[:account_session_keys].count.must_equal 1
-    visit '/close-account'
-    click_button 'Close Account'
-    DB[:account_session_keys].count.must_equal 0
-  end
-  it "should limit accounts to a single logged in session when using jwt" do
-    rodauth do
-      enable :login, :logout, :single_session
-    end
-    roda(:jwt) do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.post("clear"){rodauth.session.delete(:single_session_key); DB[:account_session_keys].delete; [3]}
-      rodauth.logged_in? ? [1] : [2]
-    end
-    json_login
-    authorization1 = @authorization
-    json_logout
-    json_request.must_equal [200, [2]]
-    @authorization = authorization1
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    json_login
-    json_request.must_equal [200, [1]]
-    authorization2 = @authorization
-    @authorization = authorization1
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    @authorization = authorization2
-    json_request.must_equal [200, [1]]
-    json_request('/clear').must_equal [200, [3]]
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    json_request.must_equal [200, [2]]
-    @authorization = authorization2
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-  end
-end

data/spec/spec_helper.rb DELETED

@@ -1,327 +0,0 @@
-$: << 'lib'
-if ENV['WARNING']
-  require 'warning'
-  Warning.ignore([:missing_ivar, :missing_gvar, :fixnum, :not_reached])
-  #Warning.ignore(/warning: URI\.escape is obsolete\n\z/)
-  Warning.ignore(:method_redefined, File.dirname(File.dirname(__FILE__)))
-end
-if ENV['COVERAGE']
-  require 'coverage'
-  require 'simplecov'
-  def SimpleCov.rodauth_coverage(opts = {})
-    start do
-      add_filter "/spec/"
-      add_group('Missing'){|src| src.covered_percent < 100}
-      add_group('Covered'){|src| src.covered_percent == 100}
-      yield self if block_given?
-    end
-  end
-  ENV.delete('COVERAGE')
-  SimpleCov.rodauth_coverage
-end
-require 'rubygems'
-require 'capybara'
-require 'capybara/dsl'
-require 'rack/test'
-require 'stringio'
-require 'securerandom'
-ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
-gem 'minitest'
-require 'minitest/global_expectations/autorun'
-require 'minitest/hooks/default'
-require 'roda'
-require 'sequel'
-require 'bcrypt'
-require 'mail'
-require 'logger'
-require 'tilt/string'
-db_url = ENV['RODAUTH_SPEC_DB'] || 'postgres:///?user=rodauth_test&password=rodauth_test'
-DB = Sequel.connect(db_url, :identifier_mangling=>false)
-DB.extension :freeze_datasets, :date_arithmetic
-puts "using #{DB.database_type}"
-#DB.loggers << Logger.new($stdout)
-if DB.adapter_scheme == :jdbc
-  case DB.database_type
-  when :postgres
-    DB.add_named_conversion_proc(:citext){|s| s}
-  when :sqlite
-    DB.timezone = :utc
-    Sequel.application_timezone = :local
-  end
-end
-if ENV['RODAUTH_SPEC_MIGRATE']
-  Sequel.extension :migration
-  Sequel::Migrator.run(DB, 'spec/migrate_travis')
-end
-DB.freeze
-ENV['RACK_ENV'] = 'test'
-::Mail.defaults do
-  delivery_method :test
-end
-Base = Class.new(Roda)
-Base.opts[:check_dynamic_arity] = Base.opts[:check_arity] = :warn
-Base.plugin :flash
-Base.plugin :render, :layout_opts=>{:path=>'spec/views/layout.str'}
-Base.plugin(:not_found){raise "path #{request.path_info} not found"}
-if defined?(Roda::RodaVersionNumber) && Roda::RodaVersionNumber >= 30100
-  if ENV['RODA_ROUTE_CSRF'] == '0'
-    require 'roda/session_middleware'
-    Base.opts[:sessions_convert_symbols] = true
-    Base.use RodaSessionMiddleware, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
-  else
-    ENV['RODA_ROUTE_CSRF'] ||= '1'
-    Base.plugin :sessions, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
-  end
-else
-  Base.use Rack::Session::Cookie, :secret => '0123456789'
-end
-unless defined?(Rack::Test::VERSION) && Rack::Test::VERSION >= '0.8'
-  class Rack::Test::Cookie
-    def path
-      ([*(@options['path'] == "" ? "/" : @options['path'])].first.split(',').first || '/').strip
-    end
-  end
-end
-class Base
-  attr_writer :title
-end
-JsonBase = Class.new(Roda)
-JsonBase.opts[:check_dynamic_arity] = JsonBase.opts[:check_arity] = :warn
-JsonBase.plugin(:not_found){raise "path #{request.path_info} not found"}
-class Minitest::HooksSpec
-  include Rack::Test::Methods
-  include Capybara::DSL
-  case ENV['RODA_ROUTE_CSRF']
-  when '1'
-    USE_ROUTE_CSRF = true
-    ROUTE_CSRF_OPTS = {}
-  when '2'
-    USE_ROUTE_CSRF = true
-    ROUTE_CSRF_OPTS = {:require_request_specific_tokens=>false}
-  else
-    USE_ROUTE_CSRF = false
-  end
-  attr_reader :app
-  def no_freeze!
-    @no_freeze = true
-  end
-  def app=(app)
-    @app = Capybara.app = app
-  end
-  def rodauth(&block)
-    @rodauth_block = block
-  end
-  def rodauth_opts(type={})
-    opts = type.is_a?(Hash) ? type : {}
-    if USE_ROUTE_CSRF && !opts.has_key?(:csrf)
-      opts[:csrf] = :route_csrf
-    end
-    opts
-  end
-  def roda(type=nil, &block)
-    jwt_only = type == :jwt
-    jwt = type == :jwt || type == :jwt_html
-    app = Class.new(jwt_only ? JsonBase : Base)
-    begin
-      app.plugin :request_aref, :raise
-    rescue LoadError
-    end
-    app.opts[:unsupported_block_result] = :raise
-    app.opts[:unsupported_matcher] = :raise
-    app.opts[:verbatim_string_matcher] = true
-    rodauth_block = @rodauth_block
-    opts = rodauth_opts(type)
-    if jwt
-      opts[:json] = jwt_only ? :only : true
-    end
-    app.plugin(:rodauth, opts) do
-      title_instance_variable :@title
-      if jwt
-        enable :jwt
-        jwt_secret '1'
-        json_response_success_key 'success'
-        json_response_custom_error_status? true
-      end
-      if ENV['RODAUTH_SEPARATE_SCHEMA']
-        password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
-        function_name do |name|
-          "rodauth_test_password.#{name}"
-        end
-      end
-      instance_exec(&rodauth_block)
-    end
-    if USE_ROUTE_CSRF && !jwt_only && opts[:csrf] != false
-      app.plugin(:route_csrf, ROUTE_CSRF_OPTS)
-      orig_block = block
-      block = proc do |r|
-        check_csrf!
-        instance_exec(r, &orig_block)
-      end
-    end
-    app.route(&block)
-    app.precompile_rodauth_templates unless @no_precompile || jwt_only
-    app.freeze unless @no_freeze
-    self.app = app
-  end
-  def email_link(regexp, to='foo@example.com')
-    msgs = Mail::TestMailer.deliveries
-    msgs.length.must_equal 1
-    msgs.first.to.first.must_equal to
-    link = msgs.first.body.to_s.gsub(/ $/, '')[regexp]
-    msgs.clear
-    link.must_be_kind_of(String)
-    link
-  end
-  def remove_cookie(key)
-    page.driver.browser.rack_mock_session.cookie_jar.delete(key)
-  end
-  def get_cookie(key)
-    page.driver.browser.rack_mock_session.cookie_jar[key]
-  end
-  def set_cookie(key, value)
-    page.driver.browser.rack_mock_session.cookie_jar[key] = value
-  end
-  def json_request(path='/', params={})
-    include_headers = params.delete(:include_headers)
-    headers = params.delete(:headers)
-    env = {"REQUEST_METHOD" => params.delete(:method) || "POST",
-           "PATH_INFO" => path,
-           "SCRIPT_NAME" => "",
-           "CONTENT_TYPE" => params.delete(:content_type) || "application/json",
-           "SERVER_NAME" => 'example.com',
-           "rack.input"=>StringIO.new((params || {}).to_json),
-           "rack.errors"=>$stderr
-    }
-    if @authorization
-      env["HTTP_AUTHORIZATION"] = "Bearer: #{@authorization}"
-    end
-    if @cookie
-      env["HTTP_COOKIE"] = @cookie
-    end
-    env.merge!(headers) if headers
-    r = @app.call(env)
-    if cookie = r[1]['Set-Cookie']
-      if cookie.include?('expires=Thu, 01 Jan 1970 00:00:00 -0000')
-        @cookie = nil
-      else
-        @cookie = cookie.split(';', 2)[0]
-      end
-    end
-    if authorization = r[1]['Authorization']
-      @authorization = authorization
-    end
-    if env["CONTENT_TYPE"] == "application/json"
-      r[1]['Content-Type'].must_equal 'application/json'
-      r[2] = JSON.parse("[#{r[2].join}]").first
-    end
-    r.delete_at(1) unless include_headers
-    r
-  end
-  def json_login(opts={})
-    res = json_request(opts[:path]||'/login', :login=>opts[:login]||'foo@example.com', :password=>opts[:pass]||'0123456789')
-    res.must_equal [200, {"success"=>'You have been logged in'}] unless opts[:no_check]
-    res
-  end
-  def jwt_refresh_login
-    res = json_login({:no_check => true})
-    jwt_refresh_validate_login(res)
-    res
-  end
-  def jwt_refresh_validate_login(res)
-    res.first.must_equal 200
-    res.last.keys.sort.must_equal ['access_token', 'refresh_token', 'success']
-    res.last['success'].must_equal 'You have been logged in'
-    res
-  end
-  def jwt_refresh_validate(res)
-    res.first.must_equal 200
-    res.last.keys.sort.must_equal ['access_token', 'refresh_token']
-    res
-  end
-  def json_logout
-    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
-  end
-  def login(opts={})
-    visit(opts[:path]||'/login') unless opts[:visit] == false
-    fill_in 'Login', :with=>opts[:login]||'foo@example.com'
-    fill_in 'Password', :with=>opts[:pass]||'0123456789'
-    click_button 'Login'
-  end
-  def logout
-    visit '/logout'
-    click_button 'Logout'
-  end
-  around do |&block|
-    DB.transaction(:rollback=>:always, :savepoint=>true, :auto_savepoint=>true){super(&block)}
-  end
-  around(:all) do |&block|
-    DB.transaction(:rollback=>:always) do
-      hash = BCrypt::Password.create('0123456789', :cost=>BCrypt::Engine::MIN_COST)
-      table = ENV['RODAUTH_SEPARATE_SCHEMA'] ? Sequel[:rodauth_test_password][:account_password_hashes] : :account_password_hashes
-      DB[table].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
-      super(&block)
-    end
-  end
-  after do
-    msgs = Mail::TestMailer.deliveries
-    len = msgs.length
-    msgs.clear
-    len.must_equal 0
-    Capybara.reset_sessions!
-    Capybara.use_default_driver
-  end
-end