rodauth 1.22.0 → 1.23.0

data/spec/migrate/002_account_password_hash_column.rb

@@ -1,11 +0,0 @@
-Sequel.migration do
-  up do
-    # Only for testing of account_password_hash_column, not recommended for new
-    # applications
-    add_column :accounts, :ph, String
-  end
-
-  down do
-    drop_column :accounts, :ph
-  end
-end

data/spec/migrate_password/001_tables.rb

@@ -1,73 +0,0 @@
-require 'rodauth/migrations'
-
-Sequel.migration do
-  up do
-    create_table(:account_password_hashes) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :password_hash, :null=>false
-    end
-    Rodauth.create_database_authentication_functions(self)
-    case database_type
-    when :postgres
-      user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
-      run "REVOKE ALL ON account_password_hashes FROM public"
-      run "REVOKE ALL ON FUNCTION rodauth_get_salt(int8) FROM public"
-      run "REVOKE ALL ON FUNCTION rodauth_valid_password_hash(int8, text) FROM public"
-      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
-      run "GRANT SELECT(id) ON account_password_hashes TO #{user}"
-      run "GRANT EXECUTE ON FUNCTION rodauth_get_salt(int8) TO #{user}"
-      run "GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(int8, text) TO #{user}"
-    when :mysql
-      user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
-      db_name = get(Sequel.function(:database))
-      run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
-      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
-      run "GRANT SELECT (id) ON account_password_hashes TO #{user}"
-    when :mssql
-      user = get(Sequel.function(:DB_NAME))
-      run "GRANT EXECUTE ON rodauth_get_salt TO #{user}"
-      run "GRANT EXECUTE ON rodauth_valid_password_hash TO #{user}"
-      run "GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO #{user}"
-      run "GRANT SELECT ON account_password_hashes(id) TO #{user}"
-    end
-
-    # Used by the disallow_password_reuse feature
-    create_table(:account_previous_password_hashes) do
-      primary_key :id, :type=>:Bignum
-      foreign_key :account_id, :accounts, :type=>:Bignum
-      String :password_hash, :null=>false
-    end
-    Rodauth.create_database_previous_password_check_functions(self)
-
-    case database_type
-    when :postgres
-      user = get(Sequel.lit('current_user')).sub(/_password\z/, '')
-      run "REVOKE ALL ON account_previous_password_hashes FROM public"
-      run "REVOKE ALL ON FUNCTION rodauth_get_previous_salt(int8) FROM public"
-      run "REVOKE ALL ON FUNCTION rodauth_previous_password_hash_match(int8, text) FROM public"
-      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
-      run "GRANT SELECT(id, account_id) ON account_previous_password_hashes TO #{user}"
-      run "GRANT USAGE ON account_previous_password_hashes_id_seq TO #{user}"
-      run "GRANT EXECUTE ON FUNCTION rodauth_get_previous_salt(int8) TO #{user}"
-      run "GRANT EXECUTE ON FUNCTION rodauth_previous_password_hash_match(int8, text) TO #{user}"
-    when :mysql
-      user = get(Sequel.lit('current_user')).sub(/_password@/, '@')
-      db_name = get(Sequel.function(:database))
-      run "GRANT EXECUTE ON #{db_name}.* TO #{user}"
-      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
-      run "GRANT SELECT (id, account_id) ON account_previous_password_hashes TO #{user}"
-    when :mssql
-      user = get(Sequel.function(:DB_NAME))
-      run "GRANT EXECUTE ON rodauth_get_previous_salt TO #{user}"
-      run "GRANT EXECUTE ON rodauth_previous_password_hash_match TO #{user}"
-      run "GRANT INSERT, UPDATE, DELETE ON account_previous_password_hashes TO #{user}"
-      run "GRANT SELECT ON account_previous_password_hashes(id, account_id) TO #{user}"
-    end
-  end
-
-  down do
-    Rodauth.drop_database_previous_password_check_functions(self)
-    Rodauth.drop_database_authentication_functions(self)
-    drop_table(:account_previous_password_hashes, :account_password_hashes)
-  end
-end

data/spec/migrate_travis/001_tables.rb

@@ -1,141 +0,0 @@
-require 'rodauth/migrations'
-
-Sequel.migration do
-  up do
-    extension :date_arithmetic
-
-    create_table(:account_statuses) do
-      Integer :id, :primary_key=>true
-      String :name, :null=>false, :unique=>true
-    end
-    from(:account_statuses).import([:id, :name], [[1, 'Unverified'], [2, 'Verified'], [3, 'Closed']])
-
-    db = self
-    create_table(:accounts) do
-      primary_key :id, :type=>:Bignum
-      foreign_key :status_id, :account_statuses, :null=>false, :default=>1
-      if db.database_type == :postgres
-        citext :email, :null=>false
-        constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
-        index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
-      else
-        String :email, :null=>false
-        index :email, :unique=>true
-      end
-
-      String :ph
-    end
-
-    create_table(:account_password_hashes) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :password_hash, :null=>false
-    end
-    Rodauth.create_database_authentication_functions(self)
-
-    deadline_opts = proc do |days|
-      if database_type == :mysql
-        {:null=>false}
-      else
-        {:null=>false, :default=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, :days=>days)}
-      end
-    end
-
-    create_table(:account_password_reset_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :deadline, deadline_opts[1]
-      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    # Used by the refresh token feature
-    create_table(:account_jwt_refresh_keys) do
-      primary_key :id, :type=>:Bignum
-      foreign_key :account_id, :accounts, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :deadline, deadline_opts[1]
-    end
-
-    create_table(:account_verification_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    create_table(:account_login_change_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      String :login, :null=>false
-      DateTime :deadline, deadline_opts[1]
-    end
-
-    create_table(:account_remember_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :deadline, deadline_opts[14]
-    end
-
-    create_table(:account_email_auth_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :deadline, deadline_opts[1]
-      DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    create_table(:account_login_failures) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      Integer :number, :null=>false, :default=>1
-    end
-    create_table(:account_lockouts) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      DateTime :deadline, deadline_opts[1]
-      DateTime :email_last_sent
-    end
-
-    create_table(:account_password_change_times) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      DateTime :changed_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    create_table(:account_activity_times) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      DateTime :last_activity_at, :null=>false
-      DateTime :last_login_at, :null=>false
-      DateTime :expired_at
-    end
-
-    create_table(:account_session_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-    end
-
-    create_table(:account_otp_keys) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :key, :null=>false
-      Integer :num_failures, :null=>false, :default=>0
-      Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    create_table(:account_recovery_codes) do
-      foreign_key :id, :accounts, :type=>:Bignum
-      String :code
-      primary_key [:id, :code]
-    end
-
-    create_table(:account_sms_codes) do
-      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
-      String :phone_number, :null=>false
-      Integer :num_failures
-      String :code
-      DateTime :code_issued_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    end
-
-    create_table(:account_previous_password_hashes) do
-      primary_key :id, :type=>:Bignum
-      foreign_key :account_id, :accounts, :type=>:Bignum
-      String :password_hash, :null=>false
-    end
-    Rodauth.create_database_previous_password_check_functions(self)
-  end
-end

data/spec/password_complexity_spec.rb

@@ -1,109 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth password complexity feature' do
-  it "should do additional password complexity checks" do
-    rodauth do
-      enable :login, :change_password, :password_complexity
-      change_password_requires_password? false
-      password_dictionary_file 'spec/words'
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-
-    bad_passwords = [
-      ["minimum 6 characters", %w"a1OX"],
-      ["does not include uppercase letters, lowercase letters, and numbers",
-       %w'sdflksdfl sdflks!fl Sdflksdfl dfl1sdfl DFL1SDFL DFL!SDFL'],
-      ["includes common character sequence",
-       %w"Aqwerty12 Aazerty12 HA123ha HA234ha HA345ha HA456ha HA567ha HA678ha HA789ha HA890ha"],
-      ["contains 3 or more of the same character in a row", %w"Helll0 Hellllll0"],
-      ["is a word in a dictionary", 
-       %w"Password1 1Password1 1PaSSword1 1P@$5w0Rd1 2398|3@$+7809 2|!7+1e l4$7$124 N!88|e56"]
-    ]
-
-
-    bad_passwords.each do |message, passwords|
-      passwords.each do |pass|
-        fill_in 'New Password', :with=>pass
-        fill_in 'Confirm Password', :with=>pass
-        click_button 'Change Password'
-        page.html.must_include("invalid password, does not meet requirements (#{message})")
-        page.find('#error_flash').text.must_equal "There was an error changing your password"
-      end
-    end
-
-    fill_in 'New Password', :with=>'footpassword'
-    fill_in 'Confirm Password', :with=>'footpassword'
-    click_button 'Change Password'
-    page.find('#notice_flash').text.must_equal "Your password has been changed"
-  end
-
-  it "should support default dictionary" do
-    default_dictionary = '/usr/share/dict/words'
-    skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
-    pass = File.read(default_dictionary).split.sort_by{|w| w.length}.last
-    skip("#{default_dictionary} empty") unless pass
-    pass = pass.downcase.gsub(/[^a-z]/, '')
-
-    rodauth do
-      enable :login, :change_password, :password_complexity
-      change_password_requires_password? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    fill_in 'New Password', :with=>"135#{pass}135"
-    fill_in 'Confirm Password', :with=>"135#{pass}135"
-    click_button 'Change Password'
-    page.html.must_include("invalid password")
-    page.find('#error_flash').text.must_equal "There was an error changing your password"
-
-    fill_in 'New Password', :with=>'footpassword'
-    fill_in 'Confirm Password', :with=>'footpassword'
-    click_button 'Change Password'
-    page.find('#notice_flash').text.must_equal "Your password has been changed"
-  end
-
-  it "should support no dictionary" do
-    default_dictionary = '/usr/share/dict/words'
-    skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
-
-    rodauth do
-      enable :login, :change_password, :password_complexity
-      change_password_requires_password? false
-      password_dictionary_file false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    fill_in 'New Password', :with=>"password123"
-    fill_in 'Confirm Password', :with=>"password123"
-    click_button 'Change Password'
-    page.html.must_include("invalid password")
-    page.find('#error_flash').text.must_equal "There was an error changing your password"
-
-    fill_in 'New Password', :with=>'Password1'
-    fill_in 'Confirm Password', :with=>'Password1'
-    click_button 'Change Password'
-    page.find('#notice_flash').text.must_equal "Your password has been changed"
-  end
-end

data/spec/password_expiration_spec.rb

@@ -1,244 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-
-describe 'Rodauth password expiration feature' do
-  it "should force password changes after x number of days" do
-    rodauth do
-      enable :login, :logout, :change_password, :reset_password, :password_expiration
-      allow_password_change_after 1000
-      change_password_requires_password? false
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password if rodauth.logged_in?
-      r.root{view :content=>""}
-    end
-
-    login(:pass=>'01234567')
-    click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
-
-    visit link
-    page.current_path.must_equal '/reset-password'
-
-    login
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    logout
-
-    visit link
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-
-    visit link
-    page.current_path.must_equal '/reset-password'
-
-    login(:pass=>'banana')
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/change-password'
-
-    logout
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
-
-    login(:pass=>'banana')
-    page.current_path.must_equal '/change-password'
-    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
-
-    visit '/foo'
-    page.current_path.must_equal '/change-password'
-    page.find('#error_flash').text.must_equal "Your password has expired and needs to be changed"
-
-    fill_in 'New Password', :with=>'banana2'
-    fill_in 'Confirm Password', :with=>'banana2'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-
-    logout
-
-    visit link
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-  end
-
-  it "should update password changed at when creating accounts" do
-    rodauth do
-      enable :login, :change_password, :password_expiration
-      password_expiration_default true
-      change_password_requires_password? false
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/change-password'
-
-    visit '/'
-    page.current_path.must_equal '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-  end
-
-  it "should update password changed at when creating accounts" do
-    rodauth do
-      enable :login, :create_account, :password_expiration
-      allow_password_change_after 1000
-      account_password_hash_column :ph
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    visit '/create-account'
-    fill_in 'Login', :with=>'foo2@example.com'
-    fill_in 'Confirm Login', :with=>'foo2@example.com'
-    fill_in 'Password', :with=>'apple2'
-    fill_in 'Confirm Password', :with=>'apple2'
-    click_button 'Create Account'
-
-    visit '/change-password'
-    page.current_path.must_equal '/'
-    page.find('#error_flash').text.must_equal "Your password cannot be changed yet"
-  end
-
-  it "should remove password expiration data when closing accounts" do
-    rodauth do
-      enable :create_account, :close_account, :password_expiration
-      close_account_requires_password? false
-      create_account_autologin? true
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>""}
-    end
-
-    visit '/create-account'
-    fill_in 'Login', :with=>'foo2@example.com'
-    fill_in 'Confirm Login', :with=>'foo2@example.com'
-    fill_in 'Password', :with=>'apple2'
-    fill_in 'Confirm Password', :with=>'apple2'
-    click_button 'Create Account'
-
-    DB[:account_password_change_times].count.must_equal 1
-    visit '/close-account'
-    click_button 'Close Account'
-    DB[:account_password_change_times].count.must_equal 0
-  end
-
-  it "should handle the case where the password is expired while the user has logged in" do
-    rodauth do
-      enable :login, :change_password, :password_expiration
-      password_expiration_default true
-      allow_password_change_after(-1000)
-      change_password_requires_password? false
-      require_password_change_after 3600
-    end
-    roda do |r|
-      r.rodauth
-      rodauth.require_current_password
-      r.get("expire", :d){|d| session[:password_changed_at] = Time.now.to_i - d.to_i; r.redirect '/'}
-      r.root{view :content=>""}
-    end
-
-    login
-    page.current_path.must_equal '/change-password'
-
-    visit '/'
-    page.current_path.must_equal '/change-password'
-    fill_in 'New Password', :with=>'banana'
-    fill_in 'Confirm Password', :with=>'banana'
-    click_button 'Change Password'
-    page.current_path.must_equal '/'
-
-    visit "/expire/90"
-    page.current_path.must_equal '/'
-
-    visit "/expire/7200"
-    page.current_path.must_equal '/change-password'
-  end
-
-  it "should force password changes via jwt" do
-    rodauth do
-      enable :login, :logout, :change_password, :reset_password, :password_expiration
-      allow_password_change_after 1000
-      change_password_requires_password? false
-      reset_password_email_body{reset_password_email_link}
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_current_password
-      if rodauth.authenticated?
-        [1]
-      else
-        [2]
-      end
-    end
-
-    json_request.must_equal [200, [2]]
-
-    res = json_request('/reset-password-request', :login=>'foo@example.com')
-    res.must_equal [200, {"success"=>"An email has been sent to you with a link to reset the password for your account"}]
-    link = email_link(/key=.+$/)
-
-    json_login
-
-    res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    json_request.must_equal [200, [1]]
-
-    res = json_request('/change-password', :password=>'0123456', "new-password"=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
-
-    json_logout
-
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [400, {'error'=>"Your password cannot be changed yet"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-    res = json_request('/reset-password', :key=>link[4..-1], :password=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [200, {"success"=>"Your password has been reset"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 1100)
-    json_login(:pass=>'01234567')
-    res = json_request('/change-password', :password=>'01234567', "new-password"=>'012345678', "password-confirm"=>'012345678')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    DB[:account_password_change_times].update(:changed_at=>Time.now - 91*86400)
-
-    json_logout
-    json_request.must_equal [200, [2]]
-
-    res = json_login(:pass=>'012345678', :no_check=>true)
-    res.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
-    json_request.must_equal [400, {'error'=>"Your password has expired and needs to be changed"}]
-
-    res = json_request('/change-password', :password=>'012345678', "new-password"=>'012345678a', "password-confirm"=>'012345678a')
-    res.must_equal [200, {'success'=>"Your password has been changed"}]
-
-    json_request.must_equal [200, [1]]
-  end
-end