RubyGems - rodauth - Versions diffs - 1.22.0 → 1.23.0 - Mend

rodauth 1.22.0 → 1.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

checksums.yaml +4 -4
data/CHANGELOG +12 -0
data/README.rdoc +5 -3
data/doc/email_base.rdoc +1 -0
data/doc/release_notes/1.23.0.txt +32 -0
data/lib/rodauth.rb +5 -2
data/lib/rodauth/features/base.rb +8 -0
data/lib/rodauth/features/change_password_notify.rb +1 -1
data/lib/rodauth/features/create_account.rb +1 -1
data/lib/rodauth/features/email_auth.rb +3 -4
data/lib/rodauth/features/email_base.rb +7 -2
data/lib/rodauth/features/lockout.rb +1 -1
data/lib/rodauth/features/login.rb +6 -2
data/lib/rodauth/features/otp.rb +6 -3
data/lib/rodauth/features/password_expiration.rb +1 -1
data/lib/rodauth/features/recovery_codes.rb +3 -3
data/lib/rodauth/features/reset_password.rb +2 -2
data/lib/rodauth/features/sms_codes.rb +5 -5
data/lib/rodauth/features/verify_account.rb +2 -2
data/lib/rodauth/features/verify_login_change.rb +1 -1
data/lib/rodauth/version.rb +1 -1
data/templates/email-auth-request-form.str +2 -2
data/templates/reset-password-request.str +3 -3
data/templates/unlock-account-request.str +3 -3
data/templates/verify-account-resend.str +3 -3
metadata +5 -43
data/Rakefile +0 -179
data/spec/account_expiration_spec.rb +0 -225
data/spec/all.rb +0 -1
data/spec/change_login_spec.rb +0 -156
data/spec/change_password_notify_spec.rb +0 -33
data/spec/change_password_spec.rb +0 -202
data/spec/close_account_spec.rb +0 -162
data/spec/confirm_password_spec.rb +0 -70
data/spec/create_account_spec.rb +0 -127
data/spec/disallow_common_passwords_spec.rb +0 -93
data/spec/disallow_password_reuse_spec.rb +0 -179
data/spec/email_auth_spec.rb +0 -285
data/spec/http_basic_auth_spec.rb +0 -143
data/spec/jwt_cors_spec.rb +0 -57
data/spec/jwt_refresh_spec.rb +0 -256
data/spec/jwt_spec.rb +0 -235
data/spec/lockout_spec.rb +0 -250
data/spec/login_spec.rb +0 -328
data/spec/migrate/001_tables.rb +0 -184
data/spec/migrate/002_account_password_hash_column.rb +0 -11
data/spec/migrate_password/001_tables.rb +0 -73
data/spec/migrate_travis/001_tables.rb +0 -141
data/spec/password_complexity_spec.rb +0 -109
data/spec/password_expiration_spec.rb +0 -244
data/spec/password_grace_period_spec.rb +0 -93
data/spec/remember_spec.rb +0 -451
data/spec/reset_password_spec.rb +0 -229
data/spec/rodauth_spec.rb +0 -343
data/spec/session_expiration_spec.rb +0 -58
data/spec/single_session_spec.rb +0 -127
data/spec/spec_helper.rb +0 -327
data/spec/two_factor_spec.rb +0 -1462
data/spec/update_password_hash_spec.rb +0 -40
data/spec/verify_account_grace_period_spec.rb +0 -171
data/spec/verify_account_spec.rb +0 -240
data/spec/verify_change_login_spec.rb +0 -46
data/spec/verify_login_change_spec.rb +0 -232
data/spec/views/layout-other.str +0 -11
data/spec/views/layout.str +0 -11
data/spec/views/login.str +0 -21

data/spec/session_expiration_spec.rb DELETED

@@ -1,58 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth session expiration feature' do
-  it "should expire sessions based on last activity and max lifetime checks" do
-    inactivity = max_lifetime = 300
-    expiration_default = true
-    rodauth do
-      enable :login, :session_expiration
-      session_expiration_default{expiration_default}
-      session_inactivity_timeout{inactivity}
-      max_session_lifetime{max_lifetime}
-    end
-    roda do |r|
-      rodauth.check_session_expiration
-      r.rodauth
-      r.get("remove-creation"){session.delete(rodauth.session_created_session_key); r.redirect '/'}
-      r.get("set-creation"){session[rodauth.session_created_session_key] = Time.now.to_i - 100000; r.redirect '/'}
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    visit '/'
-    page.body.must_include "Not Logged"
-    login
-    page.body.must_include "Logged In"
-    inactivity = -1
-    visit '/'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    login
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    inactivity = 10
-    login
-    page.body.must_include "Logged In"
-    visit '/set-creation'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    login
-    page.body.must_include "Logged In"
-    visit '/remove-creation'
-    page.title.must_equal 'Login'
-    page.find('#error_flash').text.must_equal "This session has expired, please login again."
-    expiration_default = false
-    login
-    page.body.must_include "Logged In"
-    visit '/remove-creation'
-    page.body.must_include "Logged In"
-  end
-end

data/spec/single_session_spec.rb DELETED

@@ -1,127 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth single session feature' do
-  it "should limit accounts to a single logged in session" do
-    secret = nil
-    allow_raw = true
-    rodauth do
-      enable :login, :logout, :single_session
-      hmac_secret{secret}
-      allow_raw_single_session_key?{allow_raw}
-    end
-    roda do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.is("clear"){session.delete(rodauth.single_session_session_key); DB[:account_session_keys].delete; r.redirect '/'}
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    login
-    page.body.must_include "Logged In"
-    session1 = get_cookie('rack.session')
-    logout
-    visit '/'
-    page.body.must_include "Not Logged"
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session1)
-    visit '/foo'
-    page.current_path.must_equal '/'
-    page.body.must_include "Not Logged"
-    page.find('#error_flash').text.must_equal "This session has been logged out as another session has become active"
-    login
-    page.body.must_include "Logged In"
-    session2 = get_cookie('rack.session')
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session1)
-    visit '/'
-    page.body.must_include "Not Logged"
-    page.find('#error_flash').text.must_equal "This session has been logged out as another session has become active"
-    remove_cookie('rack.session')
-    set_cookie('rack.session', session2)
-    visit '/'
-    page.body.must_include "Logged In"
-    visit '/clear'
-    page.current_path.must_equal '/'
-    page.body.must_include "Logged In"
-    secret = SecureRandom.random_bytes(32)
-    visit '/'
-    page.body.must_include "Logged In"
-    allow_raw = false
-    visit '/'
-    page.body.must_include "Not Logged"
-    login
-    page.body.must_include "Logged In"
-    allow_raw = true
-    secret = SecureRandom.random_bytes(32)
-    visit '/'
-    page.body.must_include "Not Logged"
-  end
-  it "should limit accounts to a single logged in session" do
-    rodauth do
-      enable :login, :close_account, :single_session
-      close_account_requires_password? false
-    end
-    roda do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
-    end
-    login
-    DB[:account_session_keys].count.must_equal 1
-    visit '/close-account'
-    click_button 'Close Account'
-    DB[:account_session_keys].count.must_equal 0
-  end
-  it "should limit accounts to a single logged in session when using jwt" do
-    rodauth do
-      enable :login, :logout, :single_session
-    end
-    roda(:jwt) do |r|
-      rodauth.check_single_session
-      r.rodauth
-      r.post("clear"){rodauth.session.delete(:single_session_key); DB[:account_session_keys].delete; [3]}
-      rodauth.logged_in? ? [1] : [2]
-    end
-    json_login
-    authorization1 = @authorization
-    json_logout
-    json_request.must_equal [200, [2]]
-    @authorization = authorization1
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    json_login
-    json_request.must_equal [200, [1]]
-    authorization2 = @authorization
-    @authorization = authorization1
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    @authorization = authorization2
-    json_request.must_equal [200, [1]]
-    json_request('/clear').must_equal [200, [3]]
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-    json_request.must_equal [200, [2]]
-    @authorization = authorization2
-    json_request.must_equal [400, {'error'=>"This session has been logged out as another session has become active"}]
-  end
-end

data/spec/spec_helper.rb DELETED

@@ -1,327 +0,0 @@
-$: << 'lib'
-if ENV['WARNING']
-  require 'warning'
-  Warning.ignore([:missing_ivar, :missing_gvar, :fixnum, :not_reached])
-  #Warning.ignore(/warning: URI\.escape is obsolete\n\z/)
-  Warning.ignore(:method_redefined, File.dirname(File.dirname(__FILE__)))
-end
-if ENV['COVERAGE']
-  require 'coverage'
-  require 'simplecov'
-  def SimpleCov.rodauth_coverage(opts = {})
-    start do
-      add_filter "/spec/"
-      add_group('Missing'){|src| src.covered_percent < 100}
-      add_group('Covered'){|src| src.covered_percent == 100}
-      yield self if block_given?
-    end
-  end
-  ENV.delete('COVERAGE')
-  SimpleCov.rodauth_coverage
-end
-require 'rubygems'
-require 'capybara'
-require 'capybara/dsl'
-require 'rack/test'
-require 'stringio'
-require 'securerandom'
-ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
-gem 'minitest'
-require 'minitest/global_expectations/autorun'
-require 'minitest/hooks/default'
-require 'roda'
-require 'sequel'
-require 'bcrypt'
-require 'mail'
-require 'logger'
-require 'tilt/string'
-db_url = ENV['RODAUTH_SPEC_DB'] || 'postgres:///?user=rodauth_test&password=rodauth_test'
-DB = Sequel.connect(db_url, :identifier_mangling=>false)
-DB.extension :freeze_datasets, :date_arithmetic
-puts "using #{DB.database_type}"
-#DB.loggers << Logger.new($stdout)
-if DB.adapter_scheme == :jdbc
-  case DB.database_type
-  when :postgres
-    DB.add_named_conversion_proc(:citext){|s| s}
-  when :sqlite
-    DB.timezone = :utc
-    Sequel.application_timezone = :local
-  end
-end
-if ENV['RODAUTH_SPEC_MIGRATE']
-  Sequel.extension :migration
-  Sequel::Migrator.run(DB, 'spec/migrate_travis')
-end
-DB.freeze
-ENV['RACK_ENV'] = 'test'
-::Mail.defaults do
-  delivery_method :test
-end
-Base = Class.new(Roda)
-Base.opts[:check_dynamic_arity] = Base.opts[:check_arity] = :warn
-Base.plugin :flash
-Base.plugin :render, :layout_opts=>{:path=>'spec/views/layout.str'}
-Base.plugin(:not_found){raise "path #{request.path_info} not found"}
-if defined?(Roda::RodaVersionNumber) && Roda::RodaVersionNumber >= 30100
-  if ENV['RODA_ROUTE_CSRF'] == '0'
-    require 'roda/session_middleware'
-    Base.opts[:sessions_convert_symbols] = true
-    Base.use RodaSessionMiddleware, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
-  else
-    ENV['RODA_ROUTE_CSRF'] ||= '1'
-    Base.plugin :sessions, :secret=>SecureRandom.random_bytes(64), :key=>'rack.session'
-  end
-else
-  Base.use Rack::Session::Cookie, :secret => '0123456789'
-end
-unless defined?(Rack::Test::VERSION) && Rack::Test::VERSION >= '0.8'
-  class Rack::Test::Cookie
-    def path
-      ([*(@options['path'] == "" ? "/" : @options['path'])].first.split(',').first || '/').strip
-    end
-  end
-end
-class Base
-  attr_writer :title
-end
-JsonBase = Class.new(Roda)
-JsonBase.opts[:check_dynamic_arity] = JsonBase.opts[:check_arity] = :warn
-JsonBase.plugin(:not_found){raise "path #{request.path_info} not found"}
-class Minitest::HooksSpec
-  include Rack::Test::Methods
-  include Capybara::DSL
-  case ENV['RODA_ROUTE_CSRF']
-  when '1'
-    USE_ROUTE_CSRF = true
-    ROUTE_CSRF_OPTS = {}
-  when '2'
-    USE_ROUTE_CSRF = true
-    ROUTE_CSRF_OPTS = {:require_request_specific_tokens=>false}
-  else
-    USE_ROUTE_CSRF = false
-  end
-  attr_reader :app
-  def no_freeze!
-    @no_freeze = true
-  end
-  def app=(app)
-    @app = Capybara.app = app
-  end
-  def rodauth(&block)
-    @rodauth_block = block
-  end
-  def rodauth_opts(type={})
-    opts = type.is_a?(Hash) ? type : {}
-    if USE_ROUTE_CSRF && !opts.has_key?(:csrf)
-      opts[:csrf] = :route_csrf
-    end
-    opts
-  end
-  def roda(type=nil, &block)
-    jwt_only = type == :jwt
-    jwt = type == :jwt || type == :jwt_html
-    app = Class.new(jwt_only ? JsonBase : Base)
-    begin
-      app.plugin :request_aref, :raise
-    rescue LoadError
-    end
-    app.opts[:unsupported_block_result] = :raise
-    app.opts[:unsupported_matcher] = :raise
-    app.opts[:verbatim_string_matcher] = true
-    rodauth_block = @rodauth_block
-    opts = rodauth_opts(type)
-    if jwt
-      opts[:json] = jwt_only ? :only : true
-    end
-    app.plugin(:rodauth, opts) do
-      title_instance_variable :@title
-      if jwt
-        enable :jwt
-        jwt_secret '1'
-        json_response_success_key 'success'
-        json_response_custom_error_status? true
-      end
-      if ENV['RODAUTH_SEPARATE_SCHEMA']
-        password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
-        function_name do |name|
-          "rodauth_test_password.#{name}"
-        end
-      end
-      instance_exec(&rodauth_block)
-    end
-    if USE_ROUTE_CSRF && !jwt_only && opts[:csrf] != false
-      app.plugin(:route_csrf, ROUTE_CSRF_OPTS)
-      orig_block = block
-      block = proc do |r|
-        check_csrf!
-        instance_exec(r, &orig_block)
-      end
-    end
-    app.route(&block)
-    app.precompile_rodauth_templates unless @no_precompile || jwt_only
-    app.freeze unless @no_freeze
-    self.app = app
-  end
-  def email_link(regexp, to='foo@example.com')
-    msgs = Mail::TestMailer.deliveries
-    msgs.length.must_equal 1
-    msgs.first.to.first.must_equal to
-    link = msgs.first.body.to_s.gsub(/ $/, '')[regexp]
-    msgs.clear
-    link.must_be_kind_of(String)
-    link
-  end
-  def remove_cookie(key)
-    page.driver.browser.rack_mock_session.cookie_jar.delete(key)
-  end
-  def get_cookie(key)
-    page.driver.browser.rack_mock_session.cookie_jar[key]
-  end
-  def set_cookie(key, value)
-    page.driver.browser.rack_mock_session.cookie_jar[key] = value
-  end
-  def json_request(path='/', params={})
-    include_headers = params.delete(:include_headers)
-    headers = params.delete(:headers)
-    env = {"REQUEST_METHOD" => params.delete(:method) || "POST",
-           "PATH_INFO" => path,
-           "SCRIPT_NAME" => "",
-           "CONTENT_TYPE" => params.delete(:content_type) || "application/json",
-           "SERVER_NAME" => 'example.com',
-           "rack.input"=>StringIO.new((params || {}).to_json),
-           "rack.errors"=>$stderr
-    }
-    if @authorization
-      env["HTTP_AUTHORIZATION"] = "Bearer: #{@authorization}"
-    end
-    if @cookie
-      env["HTTP_COOKIE"] = @cookie
-    end
-    env.merge!(headers) if headers
-    r = @app.call(env)
-    if cookie = r[1]['Set-Cookie']
-      if cookie.include?('expires=Thu, 01 Jan 1970 00:00:00 -0000')
-        @cookie = nil
-      else
-        @cookie = cookie.split(';', 2)[0]
-      end
-    end
-    if authorization = r[1]['Authorization']
-      @authorization = authorization
-    end
-    if env["CONTENT_TYPE"] == "application/json"
-      r[1]['Content-Type'].must_equal 'application/json'
-      r[2] = JSON.parse("[#{r[2].join}]").first
-    end
-    r.delete_at(1) unless include_headers
-    r
-  end
-  def json_login(opts={})
-    res = json_request(opts[:path]||'/login', :login=>opts[:login]||'foo@example.com', :password=>opts[:pass]||'0123456789')
-    res.must_equal [200, {"success"=>'You have been logged in'}] unless opts[:no_check]
-    res
-  end
-  def jwt_refresh_login
-    res = json_login({:no_check => true})
-    jwt_refresh_validate_login(res)
-    res
-  end
-  def jwt_refresh_validate_login(res)
-    res.first.must_equal 200
-    res.last.keys.sort.must_equal ['access_token', 'refresh_token', 'success']
-    res.last['success'].must_equal 'You have been logged in'
-    res
-  end
-  def jwt_refresh_validate(res)
-    res.first.must_equal 200
-    res.last.keys.sort.must_equal ['access_token', 'refresh_token']
-    res
-  end
-  def json_logout
-    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
-  end
-  def login(opts={})
-    visit(opts[:path]||'/login') unless opts[:visit] == false
-    fill_in 'Login', :with=>opts[:login]||'foo@example.com'
-    fill_in 'Password', :with=>opts[:pass]||'0123456789'
-    click_button 'Login'
-  end
-  def logout
-    visit '/logout'
-    click_button 'Logout'
-  end
-  around do |&block|
-    DB.transaction(:rollback=>:always, :savepoint=>true, :auto_savepoint=>true){super(&block)}
-  end
-  around(:all) do |&block|
-    DB.transaction(:rollback=>:always) do
-      hash = BCrypt::Password.create('0123456789', :cost=>BCrypt::Engine::MIN_COST)
-      table = ENV['RODAUTH_SEPARATE_SCHEMA'] ? Sequel[:rodauth_test_password][:account_password_hashes] : :account_password_hashes
-      DB[table].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
-      super(&block)
-    end
-  end
-  after do
-    msgs = Mail::TestMailer.deliveries
-    len = msgs.length
-    msgs.clear
-    len.must_equal 0
-    Capybara.reset_sessions!
-    Capybara.use_default_driver
-  end
-end