rodauth 1.22.0 → 2.3.0

data/lib/rodauth/features/webauthn_login.rb

@@ -0,0 +1,70 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:webauthn_login, :WebauthnLogin) do
+    depends :login, :webauthn
+
+    before
+
+    redirect(:webauthn_login_failure){require_login_redirect}
+
+    error_flash "There was an error authenticating via WebAuthn"
+
+    route(:webauthn_login) do |r|
+      check_already_logged_in
+      before_webauthn_login_route
+
+      r.post do
+        catch_error do
+          unless account_from_login(param(login_param)) && open_account?
+            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message) 
+          end
+
+          webauthn_credential = webauthn_auth_credential_from_form_submission
+          before_webauthn_login
+          login('webauthn') do
+            webauthn_update_session(webauthn_credential.id)
+          end
+        end
+
+        set_redirect_error_flash webauthn_login_error_flash
+        redirect webauthn_login_failure_redirect
+      end
+    end
+
+    def webauthn_auth_additional_form_tags
+      if @webauthn_login
+        super.to_s + login_hidden_field
+      else
+        super
+      end
+    end
+
+    def webauthn_auth_form_path
+      if @webauthn_login
+        webauthn_login_path
+      else
+        super
+      end
+    end
+
+    def use_multi_phase_login?
+      true
+    end
+
+    private
+
+    def _multi_phase_login_forms
+      forms = super
+      if valid_login_entered? && webauthn_setup?
+        @webauthn_login = true
+        forms << [20, render('webauthn-auth'), nil]
+      end
+      forms
+    end
+
+    def webauthn_account_id
+      super || account_id
+    end
+  end
+end

data/lib/rodauth/features/webauthn_verify_account.rb

@@ -0,0 +1,46 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:webauthn_verify_account, :WebauthnVerifyAccount) do
+    depends :verify_account, :webauthn
+
+    def verify_account_view
+      webauthn_setup_view
+    end
+
+    def create_account_set_password?
+      false
+    end
+
+    def verify_account_set_password?
+      false
+    end
+
+    def autologin_session(autologin_type)
+      super
+      if autologin_type == 'verify_account'
+        set_session_value(authenticated_by_session_key, ['webauthn'])
+        remove_session_value(autologin_type_session_key)
+        webauthn_update_session(@webauthn_credential.id)
+      end
+    end
+
+    private
+
+    def before_verify_account
+      super
+      if features.include?(:jwt) && use_jwt? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+      @webauthn_credential = webauthn_setup_credential_from_form_submission
+      add_webauthn_credential(@webauthn_credential)
+    end
+
+    def webauthn_account_id
+      super || account_id
+    end
+  end
+end

data/lib/rodauth/migrations.rb

@@ -9,9 +9,14 @@ module Rodauth
     case db.database_type
     when :postgres
       search_path = opts[:search_path] || 'public, pg_temp'
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id int8) RETURNS text AS $$
+CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
 DECLARE salt text;
 BEGIN
 SELECT substr(password_hash, 0, 30) INTO salt 
@@ -25,7 +30,7 @@ SET search_path = #{search_path};
 END
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id int8, hash text) RETURNS boolean AS $$
+CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id #{primary_key_type}, hash text) RETURNS boolean AS $$
 DECLARE valid boolean;
 BEGIN
 SELECT password_hash = hash INTO valid 
@@ -100,13 +105,19 @@ END
   end
 
   def self.drop_database_authentication_functions(db, opts={})
+    table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
     valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
 
     case db.database_type
     when :postgres
-      db.run "DROP FUNCTION #{get_salt_name}(int8)"
-      db.run "DROP FUNCTION #{valid_hash_name}(int8, text)"
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
+      db.run "DROP FUNCTION #{get_salt_name}(#{primary_key_type})"
+      db.run "DROP FUNCTION #{valid_hash_name}(#{primary_key_type}, text)"
     when :mysql, :mssql
       db.run "DROP FUNCTION #{get_salt_name}"
       db.run "DROP FUNCTION #{valid_hash_name}"
@@ -118,6 +129,6 @@ END
   end
 
   def self.drop_database_previous_password_check_functions(db, opts={})
-    drop_database_authentication_functions(db, {:get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
+    drop_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
   end
 end

data/lib/rodauth/version.rb

@@ -3,10 +3,10 @@
 module Rodauth
   # The major version of Rodauth, updated only for major changes that are
   # likely to require modification to apps using Rodauth.
-  MAJOR = 1
+  MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 22
+  MINOR = 3
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/templates/button.str

@@ -1,5 +1,3 @@
 <div class="form-group">
-  <div class="col-sm-offset-2 col-sm-10">
-    <input type="submit" #{"name=\"#{h opts[:name]}\"" if opts[:name]} class="#{h(opts[:class] || 'btn btn-primary')}" value="#{h value}"/>
-  </div>
+  <input type="submit" #{"name=\"#{h opts[:name]}\"" if opts[:name]} class="#{h(opts[:class] || 'btn btn-primary')}" value="#{h value}"/>
 </div>

data/templates/change-login.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="change-login-form">
+<form method="post" class="rodauth" role="form" id="change-login-form">
   #{rodauth.change_login_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('login-field')}
@@ -6,4 +6,3 @@
   #{rodauth.render('password-field') if rodauth.change_login_requires_password?}
   #{rodauth.button(rodauth.change_login_button)}
 </form>
-

data/templates/change-password.str

@@ -1,12 +1,10 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="change-password-form">
+<form method="post" class="rodauth" role="form" id="change-password-form">
   #{rodauth.change_password_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.change_password_requires_password?}
   <div class="form-group">
-    <label class="col-sm-2 control-label" for="new-password">#{rodauth.new_password_label}#{rodauth.input_field_label_suffix}</label>
-    <div class="col-sm-10">
-      #{rodauth.input_field_string(rodauth.new_password_param, 'new-password', :type => 'password')}
-    </div>
+    <label for="new-password">#{rodauth.new_password_label}#{rodauth.input_field_label_suffix}</label>
+    #{rodauth.input_field_string(rodauth.new_password_param, 'new-password', :type => 'password', :autocomplete=>"new-password")}
   </div>
   #{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}
   #{rodauth.button(rodauth.change_password_button)}

data/templates/close-account.str

@@ -1,6 +1,6 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="close-account-form">
+<form method="post" class="rodauth" role="form" id="close-account-form">
   #{rodauth.close_account_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.close_account_requires_password?}
-  #{rodauth.button(rodauth.close_account_button, :class=>'btn btn-warning')}
+  #{rodauth.button(rodauth.close_account_button, :class=>'btn btn-danger')}
 </form>

data/templates/confirm-password.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="confirm-password-form">
+<form method="post" class="rodauth" role="form" id="confirm-password-form">
   #{rodauth.confirm_password_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field')}

data/templates/create-account.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="create-account-form">
+<form method="post" class="rodauth" role="form" id="create-account-form">
   #{rodauth.create_account_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('login-field')}

data/templates/email-auth-request-form.str

@@ -1,7 +1,6 @@
-<form action="#{rodauth.prefix}/#{rodauth.email_auth_request_route}" method="post" class="rodauth form-horizontal" role="form" id="email-auth-request-form">
+<form action="#{rodauth.email_auth_request_path}" method="post" class="rodauth" role="form" id="email-auth-request-form">
   #{rodauth.email_auth_request_additional_form_tags}
-  #{rodauth.csrf_tag("#{rodauth.prefix}/#{rodauth.email_auth_request_route}")}
+  #{rodauth.csrf_tag(rodauth.email_auth_request_path)}
   #{rodauth.login_hidden_field}
   #{rodauth.button(rodauth.email_auth_request_button)}
 </form>
-

data/templates/email-auth.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="email-auth-form">
+<form method="post" class="rodauth" role="form" id="email-auth-form">
   #{rodauth.email_auth_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.button(rodauth.login_button)}

data/templates/global-logout-field.str

@@ -0,0 +1,6 @@
+<div class="form-group">
+  <div class="form-check checkbox">
+    <input type="checkbox" name="#{rodauth.global_logout_param}" class="form-check-input" id="global-logout" value="t"/>
+    <label class="rodauth-global-logout-label form-check-label" for="global-logout">#{rodauth.global_logout_label}</label>
+  </div>
+</div>

data/templates/login-confirm-field.str

@@ -1,6 +1,4 @@
 <div class="form-group">
-  <label class="col-sm-2 control-label" for="login-confirm">#{rodauth.login_confirm_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-10">
-    #{rodauth.input_field_string(rodauth.login_confirm_param, 'login-confirm', :type=>rodauth.login_input_type)}
-  </div>
+  <label for="login-confirm">#{rodauth.login_confirm_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.login_confirm_param, 'login-confirm', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_uses_email? ? "email" : "on")}
 </div>

data/templates/login-display.str

@@ -1,4 +1,5 @@
 <div class="form-group">
-  <label class="col-sm-2 control-label">#{rodauth.login_label}</label>
-  <div class="col-sm-10">#{rodauth.login_hidden_field}#{h rodauth.param(rodauth.login_param)}</div>
+  #{rodauth.login_hidden_field}
+  <label for="login">#{rodauth.login_label}</label>
+  <div class="form-control-plaintext form-control-static">#{h rodauth.param(rodauth.login_param)}</div>
 </div>

data/templates/login-field.str

@@ -1,6 +1,4 @@
 <div class="form-group">
-  <label class="col-sm-2 control-label" for="login">#{rodauth.login_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-10">
-    #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type)}
-  </div>
+  <label for="login">#{rodauth.login_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_uses_email? ? "email" : "on")}
 </div>

data/templates/login-form-footer.str

@@ -0,0 +1,6 @@
+#{rodauth.login_form_footer_links_heading}
+<ul class="rodauth-links rodauth-login-footer-links">
+#{rodauth.login_form_footer_links.sort.map do |_, link, text|
+  "<li><a href=\"#{h link}\">#{h text}</a></li>"
+end.join("\n")}
+</ul>

data/templates/login-form.str

@@ -0,0 +1,7 @@
+<form method="post" class="rodauth" role="form" id="login-form">
+  #{rodauth.login_additional_form_tags}
+  #{rodauth.csrf_tag}
+  #{rodauth.skip_login_field_on_login? ? rodauth.render('login-display') : rodauth.render('login-field')}
+  #{rodauth.render('password-field') unless rodauth.skip_password_field_on_login?}
+  #{rodauth.button(rodauth.login_button)}
+</form>

data/templates/login.str

@@ -1,11 +1,3 @@
 #{rodauth.login_form_header}
-
-<form method="post" class="rodauth form-horizontal" role="form" id="login-form">
-  #{rodauth.login_additional_form_tags}
-  #{rodauth.csrf_tag}
-  #{rodauth.skip_login_field_on_login? ? rodauth.render('login-display') : rodauth.render('login-field')}
-  #{rodauth.render('password-field') unless rodauth.skip_password_field_on_login?}
-  #{rodauth.button(rodauth.login_button)}
-</form>
-
+#{rodauth.render('login-form')}
 #{rodauth.login_form_footer}

data/templates/logout.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="logout-form">
+<form method="post" class="rodauth" role="form" id="logout-form">
   #{rodauth.logout_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.button(rodauth.logout_button, :class=>'btn btn-warning')}

data/templates/multi-phase-login.str

@@ -0,0 +1,3 @@
+#{rodauth.login_form_header}
+#{rodauth.render_multi_phase_login_forms}
+#{rodauth.login_form_footer}

data/templates/otp-auth-code-field.str

@@ -1,6 +1,8 @@
 <div class="form-group">
-  <label class="col-sm-4 control-label" for="otp-auth-code">#{rodauth.otp_auth_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-3">
-    #{rodauth.input_field_string(rodauth.otp_auth_param, 'otp-auth-code', :value=>'', :attr=>'autocomplete="off"' )}
+  <label for="otp-auth-code">#{rodauth.otp_auth_label}#{rodauth.input_field_label_suffix}</label>
+  <div class="row">
+    <div class="col-sm-3">
+      #{rodauth.input_field_string(rodauth.otp_auth_param, 'otp-auth-code', :value=>'', :autocomplete=>"off", :inputmode=>'numeric')}
+    </div>
   </div>
 </div>

data/templates/otp-auth.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="otp-auth-form">
+<form method="post" class="rodauth" role="form" id="otp-auth-form">
   #{rodauth.otp_auth_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('otp-auth-code-field')}

data/templates/otp-disable.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="otp-disable-form">
+<form method="post" class="rodauth" role="form" id="otp-disable-form">
   #{rodauth.otp_disable_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}

data/templates/otp-setup.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="otp-setup-form">
+<form method="post" class="rodauth" role="form" id="otp-setup-form">
   #{rodauth.otp_setup_additional_form_tags}
   <input type="hidden" id="otp-key" name="#{rodauth.otp_setup_param}" value="#{rodauth.otp_user_key}" />
   #{"<input type=\"hidden\" id=\"otp-hmac-secret\" name=\"#{rodauth.otp_setup_raw_param}\" value=\"#{rodauth.otp_key}\" />" if rodauth.otp_keys_use_hmac?}
@@ -9,13 +9,13 @@
   </div>
  
   <div class="row">
-    <div class="col-sm-6 col-sm">
+    <div class="col-lg-6 col-lg">
       <div class="form-group">
         <p>#{rodauth.otp_qr_code}</p>
       </div>
     </div>
 
-    <div class="col-sm-6 col-sm">
+    <div class="col-lg-6 col-lg">
       #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
       #{rodauth.render('otp-auth-code-field')}
       #{rodauth.button(rodauth.otp_setup_button)}

data/templates/password-confirm-field.str

@@ -1,6 +1,4 @@
 <div class="form-group">
-  <label class="col-sm-2 control-label" for="password-confirm">#{rodauth.password_confirm_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-10">
-    #{rodauth.input_field_string(rodauth.password_confirm_param, 'password-confirm', :type => 'password')}
-  </div>
+  <label for="password-confirm">#{rodauth.password_confirm_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.password_confirm_param, 'password-confirm', :type => 'password', :autocomplete=>'new-password')}
 </div>

data/templates/password-field.str

@@ -1,6 +1,4 @@
 <div class="form-group">
-  <label class="col-sm-2 control-label" for="password">#{rodauth.password_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-10">
-    #{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password')}
-  </div>
+  <label for="password">#{rodauth.password_label}#{rodauth.input_field_label_suffix}</label>
+  #{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password', :autocomplete=>rodauth.password_field_autocomplete_value)}
 </div>

data/templates/recovery-auth.str

@@ -1,12 +1,9 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="recovery-auth-form">
+<form method="post" class="rodauth" role="form" id="recovery-auth-form">
   #{rodauth.recovery_auth_additional_form_tags}
   #{rodauth.csrf_tag}
   <div class="form-group">
-    <label class="col-sm-2 control-label" for="recovery_code">#{rodauth.recovery_codes_label}#{rodauth.input_field_label_suffix}</label>
-    <div class="col-sm-10">
-      #{rodauth.input_field_string(rodauth.recovery_codes_param, 'recovery_code', :value => '')}
-    </div>
+    <label for="recovery-code">#{rodauth.recovery_codes_label}#{rodauth.input_field_label_suffix}</label>
+    #{rodauth.input_field_string(rodauth.recovery_codes_param, 'recovery-code', :value => '', :autocomplete=>'off')}
   </div>
   #{rodauth.button(rodauth.recovery_auth_button)}
 </form>
-

data/templates/recovery-codes.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="recovery-codes-form">
+<form method="post" class="rodauth" role="form" id="recovery-codes-form">
   #{rodauth.recovery_codes_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}

data/templates/remember.str

@@ -1,24 +1,19 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="remember-form">
+<form method="post" class="rodauth" role="form" id="remember-form">
   #{rodauth.remember_additional_form_tags}
   #{rodauth.csrf_tag}
-  <div class="radio">
-    <label>
-      <input type="radio" name="#{rodauth.remember_param}" id="remember_remember" value="#{rodauth.remember_remember_param_value}"/>
-      #{rodauth.remember_remember_label}
-    </label>
-  </div>
-  <div class="radio">
-    <label>
-      <input type="radio" name="#{rodauth.remember_param}" id="remember_forget" value="#{rodauth.remember_forget_param_value}"/>
-      #{rodauth.remember_forget_label}
-    </label>
-  </div>
-  <div class="radio">
-    <label>
-      <input type="radio" name="#{rodauth.remember_param}" id="remember_disable" value="#{rodauth.remember_disable_param_value}"/>
-      #{rodauth.remember_disable_label}
-    </label>
-  </div>
+  <fieldset class="form-group">
+    <div class="form-check radio">
+      <input type="radio" name="#{rodauth.remember_param}" id="remember-remember" value="#{h rodauth.remember_remember_param_value}" class="form-check-input"/>
+      <label class="form-check-label" for="remember-remember">#{rodauth.remember_remember_label}</label>
+    </div>
+    <div class="form-check radio">
+      <input type="radio" name="#{rodauth.remember_param}" id="remember-forget" value="#{h rodauth.remember_forget_param_value}" class="form-check-input"/>
+      <label class="form-check-label" for="remember-forget">#{rodauth.remember_forget_label}</label>
+    </div>
+    <div class="form-check radio">
+      <input type="radio" name="#{rodauth.remember_param}" id="remember-disable" value="#{h rodauth.remember_disable_param_value}" class="form-check-input"/>
+      <label class="form-check-label" for="remember-disable">#{rodauth.remember_disable_label}</label>
+    </div>
+  </fieldset>
   #{rodauth.button(rodauth.remember_button)}
 </form>
-