rodauth 1.22.0 → 2.3.0

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -2,18 +2,20 @@
 
 module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
-    auth_value_method :already_an_account_with_this_login_message, 'already an account with this login'
+    translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
+    auth_value_method :login_email_regexp, /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
-    auth_value_method :logins_do_not_match_message, 'logins do not match'
+    translatable_method :login_not_valid_email_message, 'not a valid email address'
+    translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
-    auth_value_method :passwords_do_not_match_message, 'passwords do not match'
+    translatable_method :passwords_do_not_match_message, 'passwords do not match'
     auth_value_method :require_email_address_logins?, true
     auth_value_method :require_login_confirmation?, true
     auth_value_method :require_password_confirmation?, true
-    auth_value_method :same_as_existing_password_message, "invalid password, same as current password"
+    translatable_method :same_as_existing_password_message, "invalid password, same as current password"
 
     auth_value_methods(
       :login_confirm_label,
@@ -28,6 +30,7 @@ module Rodauth
 
     auth_methods(
       :login_meets_requirements?,
+      :login_valid_email?,
       :password_hash,
       :password_meets_requirements?,
       :set_password
@@ -104,13 +107,15 @@ module Rodauth
 
     def login_meets_email_requirements?(login)
       return true unless require_email_address_logins?
-      if login =~ /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
-        return true
-      end
-      @login_requirement_message = 'not a valid email address'
+      return true if login_valid_email?(login)
+      @login_requirement_message = login_not_valid_email_message
       return false
     end
 
+    def login_valid_email?(login)
+      login =~ login_email_regexp
+    end
+
     def password_meets_length_requirements?(password)
       return true if password_minimum_length <= password.length
       @password_requirement_message = password_too_short_message

data/lib/rodauth/features/otp.rb

@@ -19,62 +19,59 @@ module Rodauth
     before 'otp_setup'
     before 'otp_disable'
 
-    configuration_module_eval do
-      def before_otp_authentication_route(&block)
-        warn "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
-        before_otp_auth_route(&block)
-      end
-    end
-
-    button 'Authenticate via 2nd Factor', 'otp_auth'
-    button 'Disable Two Factor Authentication', 'otp_disable'
-    button 'Setup Two Factor Authentication', 'otp_setup'
+    button 'Authenticate Using TOTP', 'otp_auth'
+    button 'Disable TOTP Authentication', 'otp_disable'
+    button 'Setup TOTP Authentication', 'otp_setup'
 
-    error_flash "Error disabling up two factor authentication", 'otp_disable'
-    error_flash "Error logging in via two factor authentication", 'otp_auth'
-    error_flash "Error setting up two factor authentication", 'otp_setup'
-    error_flash "You have already setup two factor authentication", :otp_already_setup
+    error_flash "Error disabling TOTP authentication", 'otp_disable'
+    error_flash "Error logging in via TOTP authentication", 'otp_auth'
+    error_flash "Error setting up TOTP authentication", 'otp_setup'
+    error_flash "You have already setup TOTP authentication", 'otp_already_setup'
+    error_flash "TOTP authentication code use locked out due to numerous failures", 'otp_lockout'
 
-    notice_flash "Two factor authentication has been disabled", 'otp_disable'
-    notice_flash "Two factor authentication is now setup", 'otp_setup'
+    notice_flash "TOTP authentication has been disabled", 'otp_disable'
+    notice_flash "TOTP authentication is now setup", 'otp_setup'
 
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
-    view 'otp-disable', 'Disable Two Factor Authentication', 'otp_disable'
+    view 'otp-disable', 'Disable TOTP Authentication', 'otp_disable'
     view 'otp-auth', 'Enter Authentication Code', 'otp_auth'
-    view 'otp-setup', 'Setup Two Factor Authentication', 'otp_setup'
+    view 'otp-setup', 'Setup TOTP Authentication', 'otp_setup'
+
+    translatable_method :otp_auth_link_text, "Authenticate Using TOTP"
+    translatable_method :otp_setup_link_text, "Setup TOTP Authentication"
+    translatable_method :otp_disable_link_text, "Disable TOTP Authentication"
 
     auth_value_method :otp_auth_failures_limit, 5
-    auth_value_method :otp_auth_label, 'Authentication Code'
+    translatable_method :otp_auth_label, 'Authentication Code'
     auth_value_method :otp_auth_param, 'otp'
     auth_value_method :otp_class, ROTP::TOTP
     auth_value_method :otp_digits, nil
-    auth_value_method :otp_drift, nil
+    auth_value_method :otp_drift, 30
     auth_value_method :otp_interval, nil
-    auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
-    auth_value_method :otp_invalid_secret_message, "invalid secret"
+    translatable_method :otp_invalid_auth_code_message, "Invalid authentication code"
+    translatable_method :otp_invalid_secret_message, "invalid secret"
     auth_value_method :otp_keys_column, :key
     auth_value_method :otp_keys_id_column, :id
     auth_value_method :otp_keys_failures_column, :num_failures
     auth_value_method :otp_keys_table, :account_otp_keys
     auth_value_method :otp_keys_last_use_column, :last_use
-    auth_value_method :otp_provisioning_uri_label, 'Provisioning URL'
-    auth_value_method :otp_secret_label, 'Secret'
+    translatable_method :otp_provisioning_uri_label, 'Provisioning URL'
+    translatable_method :otp_secret_label, 'Secret'
     auth_value_method :otp_setup_param, 'otp_secret'
     auth_value_method :otp_setup_raw_param, 'otp_raw_secret'
+    translatable_method :otp_auth_form_footer, ''
 
     auth_cached_method :otp_key
     auth_cached_method :otp
     private :otp
 
     auth_value_methods(
-      :otp_auth_form_footer,
       :otp_issuer,
-      :otp_lockout_error_flash,
-      :otp_lockout_redirect,
       :otp_keys_use_hmac?
     )
 
@@ -82,6 +79,7 @@ module Rodauth
       :otp,
       :otp_exists?,
       :otp_key,
+      :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,
       :otp_provisioning_name,
@@ -103,18 +101,13 @@ module Rodauth
     route(:otp_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('totp')
       require_otp_setup
 
       if otp_locked_out?
         set_response_error_status(lockout_error_status)
         set_redirect_error_flash otp_lockout_error_flash
-        if redir = otp_lockout_redirect
-          redirect redir
-        else
-          clear_session
-          redirect require_login_redirect
-        end
+        redirect otp_lockout_redirect
       end
 
       before_otp_auth_route
@@ -126,7 +119,7 @@ module Rodauth
       r.post do
         if otp_valid_code?(param(otp_auth_param)) && otp_update_last_use
           before_otp_authentication
-          two_factor_authenticate(:totp)
+          two_factor_authenticate('totp')
         end
 
         otp_record_authentication_failure
@@ -178,7 +171,9 @@ module Rodauth
           transaction do
             before_otp_setup
             otp_add_key
-            two_factor_update_session(:totp)
+            unless two_factor_authenticated?
+              two_factor_update_session('totp')
+            end
             after_otp_setup
           end
           set_notice_flash otp_setup_notice_flash
@@ -204,7 +199,9 @@ module Rodauth
           transaction do
             before_otp_disable
             otp_remove
-            two_factor_remove_session
+            if two_factor_login_type_match?('totp')
+              two_factor_remove_session('totp')
+            end
             after_otp_disable
           end
           set_notice_flash otp_disable_notice_flash
@@ -218,18 +215,6 @@ module Rodauth
       end
     end
 
-    def two_factor_authentication_setup?
-      super || otp_exists?
-    end
-
-    def two_factor_need_setup_redirect
-      "#{prefix}/#{otp_setup_route}"
-    end
-
-    def two_factor_auth_required_redirect
-      "#{prefix}/#{otp_auth_route}"
-    end
-
     def two_factor_remove
       super
       otp_remove
@@ -240,19 +225,6 @@ module Rodauth
       otp_remove_auth_failures
     end
 
-    def otp_auth_form_footer
-      super if defined?(super)
-    end
-
-    def otp_lockout_redirect
-      return super if defined?(super)
-      nil
-    end
-
-    def otp_lockout_error_flash
-      "Authentication code use locked out due to numerous failures.#{super if defined?(super)}"
-    end
-
     def require_otp_setup
       unless otp_exists?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -270,11 +242,11 @@ module Rodauth
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
         if otp.respond_to?(:verify_with_drift)
+          # :nocov:
           otp.verify_with_drift(ot_pass, drift)
-        else
           # :nocov:
+        else
           otp.verify(ot_pass, :drift_behind=>drift, :drift_ahead=>drift)
-          # :nocov:
         end
       else
         otp.verify(ot_pass)
@@ -283,7 +255,7 @@ module Rodauth
 
     def otp_remove
       otp_key_ds.delete
-      super if defined?(super)
+      @otp_key = nil
     end
 
     def otp_add_key
@@ -297,6 +269,10 @@ module Rodauth
         update(otp_keys_last_use_column=>Sequel::CURRENT_TIMESTAMP) == 1
     end
 
+    def otp_last_use
+      convert_timestamp(otp_key_ds.get(otp_keys_last_use_column))
+    end
+
     def otp_record_authentication_failure
       otp_key_ds.update(otp_keys_failures_column=>Sequel.identifier(otp_keys_failures_column) + 1)
     end
@@ -314,7 +290,7 @@ module Rodauth
     end
 
     def otp_issuer
-      request.host
+      domain
     end
 
     def otp_provisioning_name
@@ -337,8 +313,37 @@ module Rodauth
       !!hmac_secret
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'totp' if otp_exists? && !@otp_tmp_key
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [20, otp_setup_path, otp_setup_link_text] unless otp_exists?
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [20, otp_disable_path, otp_disable_link_text] if otp_exists?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('totp')
+      super
+    end
+
     def clear_cached_otp
       remove_instance_variable(:@otp) if defined?(@otp)
     end
@@ -362,32 +367,24 @@ module Rodauth
     end
 
     if ROTP::Base32.respond_to?(:random_base32)
-      # :nocov:
       def otp_new_secret
         ROTP::Base32.random_base32.downcase
       end
-      # :nocov:
     else
+      # :nocov:
       def otp_new_secret
         ROTP::Base32.random.downcase
       end
+      # :nocov:
     end
 
-    if RUBY_VERSION < '1.9'
-      # :nocov:
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i] % 32].chr}.join
-      end
-      # :nocov:
-    else
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i].ord % 32]}.join
-      end
+    def base32_encode(data, length)
+      chars = 'abcdefghijklmnopqrstuvwxyz234567'
+      length.times.map{|i|chars[data[i].ord % 32]}.join
     end
 
     def _otp_tmp_key(secret)
+      @otp_tmp_key = true
       @otp_user_key = nil
       @otp_key = secret
     end

data/lib/rodauth/features/password_complexity.rb

@@ -11,13 +11,10 @@ module Rodauth
     auth_value_method :password_max_length_for_groups_check, 11
     auth_value_method :password_max_repeating_characters, 3
     auth_value_method :password_invalid_pattern, Regexp.union([/qwerty/i, /azerty/i, /asdf/i, /zxcv/i] + (1..8).map{|i| /#{i}#{i+1}#{(i+2)%10}/})
-    auth_value_method :password_not_enough_character_groups_message, "does not include uppercase letters, lowercase letters, and numbers"
-    auth_value_method :password_invalid_pattern_message, "includes common character sequence"
-    auth_value_method :password_in_dictionary_message, "is a word in a dictionary"
-
-    auth_value_methods(
-      :password_too_many_repeating_characters_message
-    )
+    translatable_method :password_not_enough_character_groups_message, "does not include uppercase letters, lowercase letters, and numbers"
+    translatable_method :password_invalid_pattern_message, "includes common character sequence"
+    translatable_method :password_in_dictionary_message, "is a word in a dictionary"
+    translatable_method :password_too_many_repeating_characters_message, "contains too many of the same character in a row"
 
     def password_meets_requirements?(password)
       super && \
@@ -29,14 +26,16 @@ module Rodauth
 
     def post_configure
       super
-      return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
+      return if method(:password_dictionary).owner != Rodauth::PasswordComplexity
 
       case password_dictionary_file
       when false
-        return
+        # nothing
       when nil
         default_dictionary_file = '/usr/share/dict/words'
+        # :nocov:
         if File.file?(default_dictionary_file)
+        # :nocov:
           words = File.read(default_dictionary_file)
         end
       else
@@ -73,10 +72,6 @@ module Rodauth
       false
     end
 
-    def password_too_many_repeating_characters_message
-      "contains #{password_max_repeating_characters} or more of the same character in a row"
-    end
-
     def password_not_in_dictionary?(password)
       return true unless dict = password_dictionary
       return true unless password =~ /\A(?:\d*)([A-Za-z!@$+|][A-Za-z!@$+|0134578]+[A-Za-z!@$+|])(?:\d*)\z/

data/lib/rodauth/features/password_expiration.rb

@@ -8,7 +8,7 @@ module Rodauth
     error_flash "Your password cannot be changed yet", 'password_not_changeable_yet'
 
     redirect :password_not_changeable_yet 
-    redirect(:password_change_needed){"#{prefix}/#{change_password_route}"}
+    redirect(:password_change_needed){change_password_path}
 
     auth_value_method :allow_password_change_after, -86400
     auth_value_method :require_password_change_after, 90*86400
@@ -38,7 +38,7 @@ module Rodauth
 
     def set_password(password)
       update_password_changed_at
-      session[password_changed_at_session_key] = Time.now.to_i 
+      set_session_value(password_changed_at_session_key, Time.now.to_i)
       super
     end
 

data/lib/rodauth/features/password_grace_period.rb

@@ -5,6 +5,8 @@ module Rodauth
     auth_value_method :password_grace_period, 300
     session_key :last_password_entry_session_key, :last_password_entry
 
+    auth_methods :password_recently_entered?
+
     def modifications_require_password?
       return false unless super
       !password_recently_entered?
@@ -17,6 +19,16 @@ module Rodauth
       v
     end
 
+    def password_recently_entered?
+      return false unless last_password_entry = session[last_password_entry_session_key]
+      last_password_entry + password_grace_period > Time.now.to_i
+    end
+
+    def update_session
+      super
+      set_session_value(last_password_entry_session_key, @last_password_entry) if defined?(@last_password_entry)
+    end
+
     private
 
     def after_create_account
@@ -29,18 +41,13 @@ module Rodauth
       @last_password_entry = Time.now.to_i
     end
 
-    def update_session
-      super
-      session[last_password_entry_session_key] = @last_password_entry if defined?(@last_password_entry)
-    end
-
-    def password_recently_entered?
-      return false unless last_password_entry = session[last_password_entry_session_key]
-      last_password_entry + password_grace_period > Time.now.to_i
+    def set_last_password_entry
+      set_session_value(last_password_entry_session_key, Time.now.to_i)
     end
 
-    def set_last_password_entry
-      session[last_password_entry_session_key] = Time.now.to_i
+    def require_password_authentication?
+      return true if defined?(super) && super
+      !password_recently_entered?
     end
   end
 end