RubyGems - rodauth - Versions diffs - 1.22.0 → 2.3.0 - Mend

rodauth 1.22.0 → 2.3.0

Files changed (198) hide show

checksums.yaml +4 -4
data/CHANGELOG +190 -0
data/MIT-LICENSE +1 -1
data/README.rdoc +210 -80
data/doc/account_expiration.rdoc +12 -26
data/doc/active_sessions.rdoc +49 -0
data/doc/audit_logging.rdoc +44 -0
data/doc/base.rdoc +75 -128
data/doc/change_login.rdoc +7 -14
data/doc/change_password.rdoc +9 -13
data/doc/change_password_notify.rdoc +2 -2
data/doc/close_account.rdoc +9 -16
data/doc/confirm_password.rdoc +12 -5
data/doc/create_account.rdoc +11 -22
data/doc/disallow_password_reuse.rdoc +6 -13
data/doc/email_auth.rdoc +15 -14
data/doc/email_base.rdoc +6 -15
data/doc/guides/admin_activation.rdoc +46 -0
data/doc/guides/already_authenticated.rdoc +10 -0
data/doc/guides/alternative_login.rdoc +46 -0
data/doc/guides/create_account_programmatically.rdoc +38 -0
data/doc/guides/delay_password.rdoc +25 -0
data/doc/guides/email_only.rdoc +16 -0
data/doc/guides/i18n.rdoc +26 -0
data/doc/{internals.rdoc → guides/internals.rdoc} +0 -0
data/doc/guides/links.rdoc +12 -0
data/doc/guides/login_return.rdoc +37 -0
data/doc/guides/password_column.rdoc +25 -0
data/doc/guides/password_confirmation.rdoc +37 -0
data/doc/guides/password_requirements.rdoc +30 -0
data/doc/guides/paths.rdoc +36 -0
data/doc/guides/query_params.rdoc +9 -0
data/doc/guides/redirects.rdoc +17 -0
data/doc/guides/registration_field.rdoc +68 -0
data/doc/guides/require_mfa.rdoc +30 -0
data/doc/guides/reset_password_autologin.rdoc +21 -0
data/doc/guides/status_column.rdoc +28 -0
data/doc/guides/totp_or_recovery.rdoc +16 -0
data/doc/http_basic_auth.rdoc +10 -1
data/doc/jwt.rdoc +22 -22
data/doc/jwt_cors.rdoc +2 -3
data/doc/jwt_refresh.rdoc +23 -8
data/doc/lockout.rdoc +17 -15
data/doc/login.rdoc +17 -2
data/doc/login_password_requirements_base.rdoc +18 -37
data/doc/logout.rdoc +2 -2
data/doc/otp.rdoc +25 -19
data/doc/password_complexity.rdoc +10 -26
data/doc/password_expiration.rdoc +11 -25
data/doc/password_grace_period.rdoc +16 -2
data/doc/recovery_codes.rdoc +18 -12
data/doc/release_notes/1.23.0.txt +32 -0
data/doc/release_notes/2.0.0.txt +361 -0
data/doc/release_notes/2.1.0.txt +31 -0
data/doc/release_notes/2.2.0.txt +39 -0
data/doc/release_notes/2.3.0.txt +37 -0
data/doc/remember.rdoc +40 -64
data/doc/reset_password.rdoc +12 -9
data/doc/session_expiration.rdoc +1 -0
data/doc/single_session.rdoc +16 -25
data/doc/sms_codes.rdoc +24 -14
data/doc/two_factor_base.rdoc +60 -22
data/doc/verify_account.rdoc +14 -12
data/doc/verify_account_grace_period.rdoc +6 -2
data/doc/verify_login_change.rdoc +9 -8
data/doc/webauthn.rdoc +115 -0
data/doc/webauthn_login.rdoc +15 -0
data/doc/webauthn_verify_account.rdoc +9 -0
data/javascript/webauthn_auth.js +45 -0
data/javascript/webauthn_setup.js +35 -0
data/lib/roda/plugins/rodauth.rb +1 -1
data/lib/rodauth.rb +36 -28
data/lib/rodauth/features/account_expiration.rb +5 -5
data/lib/rodauth/features/active_sessions.rb +158 -0
data/lib/rodauth/features/audit_logging.rb +98 -0
data/lib/rodauth/features/base.rb +144 -43
data/lib/rodauth/features/change_password_notify.rb +2 -2
data/lib/rodauth/features/close_account.rb +8 -6
data/lib/rodauth/features/confirm_password.rb +40 -2
data/lib/rodauth/features/create_account.rb +8 -13
data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
data/lib/rodauth/features/email_auth.rb +31 -30
data/lib/rodauth/features/email_base.rb +9 -4
data/lib/rodauth/features/http_basic_auth.rb +55 -35
data/lib/rodauth/features/jwt.rb +63 -16
data/lib/rodauth/features/jwt_cors.rb +15 -15
data/lib/rodauth/features/jwt_refresh.rb +42 -13
data/lib/rodauth/features/lockout.rb +12 -14
data/lib/rodauth/features/login.rb +64 -15
data/lib/rodauth/features/login_password_requirements_base.rb +13 -8
data/lib/rodauth/features/otp.rb +77 -80
data/lib/rodauth/features/password_complexity.rb +8 -13
data/lib/rodauth/features/password_expiration.rb +2 -2
data/lib/rodauth/features/password_grace_period.rb +17 -10
data/lib/rodauth/features/recovery_codes.rb +49 -53
data/lib/rodauth/features/remember.rb +11 -27
data/lib/rodauth/features/reset_password.rb +26 -26
data/lib/rodauth/features/session_expiration.rb +7 -10
data/lib/rodauth/features/single_session.rb +8 -6
data/lib/rodauth/features/sms_codes.rb +62 -72
data/lib/rodauth/features/two_factor_base.rb +134 -30
data/lib/rodauth/features/verify_account.rb +29 -21
data/lib/rodauth/features/verify_account_grace_period.rb +18 -9
data/lib/rodauth/features/verify_login_change.rb +12 -11
data/lib/rodauth/features/webauthn.rb +505 -0
data/lib/rodauth/features/webauthn_login.rb +70 -0
data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
data/lib/rodauth/migrations.rb +16 -5
data/lib/rodauth/version.rb +2 -2
data/templates/button.str +1 -3
data/templates/change-login.str +1 -2
data/templates/change-password.str +3 -5
data/templates/close-account.str +2 -2
data/templates/confirm-password.str +1 -1
data/templates/create-account.str +1 -1
data/templates/email-auth-request-form.str +2 -3
data/templates/email-auth.str +1 -1
data/templates/global-logout-field.str +6 -0
data/templates/login-confirm-field.str +2 -4
data/templates/login-display.str +3 -2
data/templates/login-field.str +2 -4
data/templates/login-form-footer.str +6 -0
data/templates/login-form.str +7 -0
data/templates/login.str +1 -9
data/templates/logout.str +1 -1
data/templates/multi-phase-login.str +3 -0
data/templates/otp-auth-code-field.str +5 -3
data/templates/otp-auth.str +1 -1
data/templates/otp-disable.str +1 -1
data/templates/otp-setup.str +3 -3
data/templates/password-confirm-field.str +2 -4
data/templates/password-field.str +2 -4
data/templates/recovery-auth.str +3 -6
data/templates/recovery-codes.str +1 -1
data/templates/remember.str +15 -20
data/templates/reset-password-request.str +3 -3
data/templates/reset-password.str +1 -2
data/templates/sms-auth.str +1 -1
data/templates/sms-code-field.str +5 -3
data/templates/sms-confirm.str +1 -2
data/templates/sms-disable.str +1 -2
data/templates/sms-request.str +1 -1
data/templates/sms-setup.str +6 -4
data/templates/two-factor-auth.str +5 -0
data/templates/two-factor-disable.str +6 -0
data/templates/two-factor-manage.str +16 -0
data/templates/unlock-account-request.str +4 -4
data/templates/unlock-account.str +1 -1
data/templates/verify-account-resend.str +3 -3
data/templates/verify-account.str +1 -2
data/templates/verify-login-change.str +1 -1
data/templates/webauthn-auth.str +11 -0
data/templates/webauthn-remove.str +14 -0
data/templates/webauthn-setup.str +12 -0
metadata +94 -54
data/Rakefile +0 -179
data/doc/verify_change_login.rdoc +0 -11
data/lib/rodauth/features/verify_change_login.rb +0 -20
data/spec/account_expiration_spec.rb +0 -225
data/spec/all.rb +0 -1
data/spec/change_login_spec.rb +0 -156
data/spec/change_password_notify_spec.rb +0 -33
data/spec/change_password_spec.rb +0 -202
data/spec/close_account_spec.rb +0 -162
data/spec/confirm_password_spec.rb +0 -70
data/spec/create_account_spec.rb +0 -127
data/spec/disallow_common_passwords_spec.rb +0 -93
data/spec/disallow_password_reuse_spec.rb +0 -179
data/spec/email_auth_spec.rb +0 -285
data/spec/http_basic_auth_spec.rb +0 -143
data/spec/jwt_cors_spec.rb +0 -57
data/spec/jwt_refresh_spec.rb +0 -256
data/spec/jwt_spec.rb +0 -235
data/spec/lockout_spec.rb +0 -250
data/spec/login_spec.rb +0 -328
data/spec/migrate/001_tables.rb +0 -184
data/spec/migrate/002_account_password_hash_column.rb +0 -11
data/spec/migrate_password/001_tables.rb +0 -73
data/spec/migrate_travis/001_tables.rb +0 -141
data/spec/password_complexity_spec.rb +0 -109
data/spec/password_expiration_spec.rb +0 -244
data/spec/password_grace_period_spec.rb +0 -93
data/spec/remember_spec.rb +0 -451
data/spec/reset_password_spec.rb +0 -229
data/spec/rodauth_spec.rb +0 -343
data/spec/session_expiration_spec.rb +0 -58
data/spec/single_session_spec.rb +0 -127
data/spec/spec_helper.rb +0 -327
data/spec/two_factor_spec.rb +0 -1462
data/spec/update_password_hash_spec.rb +0 -40
data/spec/verify_account_grace_period_spec.rb +0 -171
data/spec/verify_account_spec.rb +0 -240
data/spec/verify_change_login_spec.rb +0 -46
data/spec/verify_login_change_spec.rb +0 -232
data/spec/views/layout-other.str +0 -11
data/spec/views/layout.str +0 -11
data/spec/views/login.str +0 -21

data/spec/http_basic_auth_spec.rb DELETED

@@ -1,143 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe "Rodauth http basic auth feature" do
-  def basic_auth_visit(opts={})
-    page.driver.browser.basic_authorize(opts.fetch(:username,"foo@example.com"), opts.fetch(:password, "0123456789"))
-    visit(opts.fetch(:path, '/'))
-  end
-  def authorization_header(opts={})
-    ["#{opts.delete(:username)||'foo@example.com'}:#{opts.delete(:password)||'0123456789'}"].pack("m*")
-  end
-  def basic_auth_json_request(opts={})
-    auth = opts.delete(:auth) || authorization_header(opts)
-    path = opts.delete(:path) || '/'
-    json_request(path, opts.merge(:headers => {"HTTP_AUTHORIZATION" => "Basic #{auth}"}, :method=>'GET'))
-  end
-  def newline_basic_auth_json_request(opts={})
-    auth = opts.delete(:auth) || authorization_header(opts)
-    auth.chomp!
-    basic_auth_json_request(opts.merge(:auth => auth))
-  end
-  describe "on page visit" do
-    before do
-      rodauth do
-        enable :http_basic_auth
-      end
-      roda do |r|
-        r.rodauth
-        r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-      end
-    end
-    it "handles logins" do
-      basic_auth_visit
-      page.text.must_include "Logged In"
-    end
-    it "keeps the user logged in" do
-      visit '/'
-      page.text.must_include "Not Logged"
-      basic_auth_visit
-      page.text.must_include "Logged In"
-      visit '/'
-      page.text.must_include "Logged In"
-    end
-    it "fails when no login is found" do
-      basic_auth_visit(:username => "foo2@example.com")
-      page.text.must_include "Not Logged"
-      page.response_headers.keys.must_include("WWW-Authenticate")
-    end
-    it "fails when passowrd does not match" do
-      basic_auth_visit(:password => "1111111111")
-      page.text.must_include "Not Logged"
-      page.response_headers.keys.must_include("WWW-Authenticate")
-    end
-  end
-  it "requires authentication if require_http_basic_auth is true" do
-    rodauth do
-      enable :http_basic_auth
-      require_http_basic_auth true
-    end
-    roda do |r|
-      rodauth.require_authentication
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-    visit '/'
-    page.status_code.must_equal 401
-    page.response_headers.keys.must_include("WWW-Authenticate")
-    basic_auth_visit
-    page.text.must_include "Logged In"
-  end
-  it "works with standard authentication" do
-    rodauth do
-      enable :login, :http_basic_auth
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-    login
-    page.text.must_include "Logged In"
-  end
-  it "does not allow login to unverified account" do
-    rodauth do
-      enable :http_basic_auth
-      skip_status_checks? false
-    end
-    roda do |r|
-      r.rodauth
-      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
-    end
-    DB[:accounts].update(:status_id=>1)
-    basic_auth_visit
-    page.text.must_include "Not Logged"
-    page.response_headers.keys.must_include("WWW-Authenticate")
-  end
-  it "should login via jwt" do
-    rodauth do
-      enable :http_basic_auth
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      response['Content-Type'] = 'application/json'
-      rodauth.require_authentication
-      {"success"=>'You have been logged in'}
-    end
-    @authorization = nil
-    res = basic_auth_json_request(:auth=>'.')
-    res.must_equal [401, {'error'=>"Please login to continue"}]
-    @authorization = nil
-    res = basic_auth_json_request(:username=>'foo@example2.com')
-    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["login", "no matching login"]}]
-    @authorization = nil
-    res = basic_auth_json_request(:password=>'012345678')
-    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["password", "invalid password"]}]
-    @authorization = nil
-    res = newline_basic_auth_json_request
-    res.must_equal [200, {"success"=>'You have been logged in'}]
-    @authorization = nil
-    res = basic_auth_json_request
-    res.must_equal [200, {"success"=>'You have been logged in'}]
-  end
-end

data/spec/jwt_cors_spec.rb DELETED

@@ -1,57 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth jwt_cors feature' do
-  it "should support CORS logins if allowed" do
-    origin = false
-    rodauth do
-      enable :login, :jwt_cors
-      jwt_secret '1'
-      json_response_success_key 'success'
-      jwt_cors_allow_origin{origin}
-    end
-    roda(:csrf=>false, :json=>true) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      '1'
-    end
-    # CORS Preflight Request
-    preflight_request = {
-      :method=>'OPTIONS',
-      :headers=>{
-        "HTTP_ACCESS_CONTROL_REQUEST_METHOD"=>"POST",
-        "HTTP_ORIGIN"=>"https://foo.example.com",
-        "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"=>"content-type",
-        "CONTENT_TYPE"=>' application/json'
-      }
-    }
-    res = json_request("/login", preflight_request.dup)
-    res.must_equal [405, ["{\"error\":\"non-POST method used in JSON API\"}"]]
-    origin = Object.new
-    res = json_request("/login", preflight_request.dup)
-    res.must_equal [405, ["{\"error\":\"non-POST method used in JSON API\"}"]]
-    ["https://foo.example.com", ["https://foo.example.com"], %r{https://foo.example.com}, true].each do |orig|
-      origin = orig
-      res = json_request("/login", preflight_request.merge(:include_headers=>true))
-      res[0].must_equal 204
-      res[1]['Access-Control-Allow-Origin'].must_equal "https://foo.example.com"
-      res[1]['Access-Control-Allow-Methods'].must_equal "POST"
-      res[1]['Access-Control-Allow-Headers'].must_equal "Content-Type, Authorization, Accept"
-      res[1]['Access-Control-Max-Age'].must_equal "86400"
-      res[2].must_equal []
-      res = json_request("/login", :login=>'foo@example.com', :password=>'0123456789', :headers=>{"HTTP_ORIGIN"=>"https://foo.example.com"}, :include_headers=>true)
-      res[0].must_equal 200
-      res[1]['Access-Control-Allow-Origin'].must_equal "https://foo.example.com"
-      res[1]['Access-Control-Expose-Headers'].must_equal "Authorization"
-      res[2].must_equal("success"=>"You have been logged in")
-      json_request("/foo").must_equal [200, 1]
-    end
-  end
-end

data/spec/jwt_refresh_spec.rb DELETED

@@ -1,256 +0,0 @@
-require File.expand_path("spec_helper", File.dirname(__FILE__))
-describe 'Rodauth login feature' do
-  it "should not have jwt refresh feature assume JWT token given during Basic/Digest authentication" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-    end
-    roda(:jwt) do |r|
-      rodauth.require_authentication
-      '1'
-    end
-    res = json_request("/jwt-refresh", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
-    res.must_equal [401, {'error'=>'Please login to continue'}]
-  end
-  it "should require json request content type in only json mode for rodauth endpoints only" do
-    oj = false
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-      only_json?{oj}
-    end
-    roda(:csrf=>false, :json=>true) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      '1'
-    end
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    res[1].delete('Set-Cookie')
-    res.must_equal [302, {"Content-Type"=>'text/html', "Content-Length"=>'0', "Location"=>"/login",}, []]
-    res = json_request("/", :content_type=>'application/vnd.api+json', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-    oj = true
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :method=>'GET')
-    res.must_equal [400, ['{"error":"Please login to continue"}']]
-    res = json_request("/", :method=>'GET')
-    res.must_equal [400, {'error'=>'Please login to continue'}]
-    res = json_request("/login", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    msg = "Only JSON format requests are allowed"
-    res[1].delete('Set-Cookie')
-    res.must_equal [400, {"Content-Type"=>'text/html', "Content-Length"=>msg.length.to_s}, [msg]]
-    jwt_refresh_login
-    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
-    # res.must_equal [200, {"Content-Type"=>'text/html', "Content-Length"=>'1'}, ['1']]
-  end
-  it "should allow non-json requests if only_json? is false" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      only_json? false
-    end
-    roda(:jwt_html) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      view(:content=>'1')
-    end
-    login
-    page.find('#notice_flash').text.must_equal 'You have been logged in'
-  end
-  it "should require POST for json requests" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
-  end
-  it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
-    rodauth do
-      enable :login, :logout, :jwt_refresh
-      jwt_secret '1'
-      json_response_success_key 'success'
-      jwt_check_accept? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-    end
-    res = json_request("/login", :headers=>{'HTTP_ACCEPT'=>'text/html'})
-    res.must_equal [406, {'error'=>'Unsupported Accept header. Must accept "application/json" or compatible content type'}]
-    jwt_refresh_validate_login(json_request("/login", :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'*/*'}, :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789'))
-    jwt_refresh_validate_login(json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789'))
-  end
-  it "should clear jwt refresh token when closing account" do
-    rodauth do
-      enable :login, :jwt_refresh, :close_account
-      jwt_secret '1'
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-    jwt_refresh_login
-    DB[:account_jwt_refresh_keys].count.must_equal 1
-    res = json_request('/close-account', :password=>'0123456789')
-    res[1].delete('access_token').must_be_kind_of(String)
-    res.must_equal [200, {'success'=>"Your account has been closed"}]
-    DB[:account_jwt_refresh_keys].count.must_equal 0
-  end
-  it "should set refresh tokens when creating accounts when using autologin" do
-    rodauth do
-      enable :login, :create_account, :jwt_refresh
-      after_create_account{json_response[:account_id] = account_id}
-      create_account_autologin? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-    res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
-    refresh_token = res.last.delete('refresh_token')
-    @authorization = res.last.delete('access_token')
-    res.must_equal [200, {'success'=>"Your account has been created", 'account_id'=>DB[:accounts].max(:id)}]
-    res = json_request("/")
-    res.must_equal [200, {'hello'=>'world'}]
-    # We can refresh our token
-    res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-    jwt_refresh_validate(res)
-    @authorization = res.last.delete('access_token')
-    # Which we can use to access protected resources
-    res = json_request("/")
-    res.must_equal [200, {'hello'=>'world'}]
-  end
-  [false, true].each do |hs|
-    it "generates and refreshes Refresh Tokens #{'with hmac_secret' if hs}" do
-      initial_secret = secret = SecureRandom.random_bytes(32) if hs
-      rodauth do
-        enable :login, :logout, :jwt_refresh
-        hmac_secret{secret} if hs
-        jwt_secret '1'
-      end
-      roda(:jwt) do |r|
-        r.rodauth
-        rodauth.require_authentication
-        response['Content-Type'] = 'application/json'
-        {'hello' => 'world'}.to_json
-      end
-      res = json_request("/")
-      res.must_equal [401, {'error'=>'Please login to continue'}]
-      # We can login
-      res = jwt_refresh_login
-      refresh_token = res.last['refresh_token']
-      # Which gives us an access token which grants us access to protected resources
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-      # We can refresh our token
-      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-      jwt_refresh_validate(res)
-      second_refresh_token = res.last['refresh_token']
-      # Which we can use to access protected resources
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-      # Subsequent refresh token is valid
-      res = json_request("/jwt-refresh", :refresh_token=>second_refresh_token)
-      jwt_refresh_validate(res)
-      third_refresh_token = res.last['refresh_token']
-      # First refresh token is now no longer valid
-      res = json_request("/jwt-refresh", :refresh_token=>refresh_token)
-      res.must_equal [400, {"error"=>"invalid JWT refresh token"}]
-      # Third refresh token is valid
-      res = json_request("/jwt-refresh", :refresh_token=>third_refresh_token)
-      jwt_refresh_validate(res)
-      fourth_refresh_token = res.last['refresh_token']
-      # And still gives us a valid access token
-      @authorization = res.last['access_token']
-      res = json_request("/")
-      res.must_equal [200, {'hello'=>'world'}]
-      if hs
-        # Refresh secret doesn't work if hmac_secret changed
-        secret = SecureRandom.random_bytes(32)
-        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
-        res.first.must_equal 400
-        res.must_equal [400, {'error'=>'invalid JWT refresh token'}]
-        # Refresh secret works if hmac_secret changed back
-        secret = initial_secret
-        res = json_request("/jwt-refresh", :refresh_token=>fourth_refresh_token)
-        jwt_refresh_validate(res)
-        # And still gives us a valid access token
-        @authorization = res.last['access_token']
-        res = json_request("/")
-        res.must_equal [200, {'hello'=>'world'}]
-      end
-    end
-  end
-  it "should not return access_token for failed login attempt" do
-    rodauth do
-      enable :login, :create_account, :jwt_refresh
-      after_create_account{json_response[:account_id] = account_id}
-      create_account_autologin? true
-    end
-    roda(:jwt) do |r|
-      r.rodauth
-      rodauth.require_authentication
-      response['Content-Type'] = 'application/json'
-      {'hello' => 'world'}.to_json
-    end
-    json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
-    res = json_request('/login', :login=>'foo@example2.com', :password=>'123123')
-    res.must_equal [401, {"field-error"=>['password', 'invalid password'], "error"=>"There was an error logging in"}]
-  end
-end