rodauth 1.23.0 → 2.0.0

data/templates/sms-code-field.str

@@ -1,6 +1,8 @@
 <div class="form-group">
-  <label class="col-sm-3 control-label" for="sms-code">#{rodauth.sms_code_label}#{rodauth.input_field_label_suffix}</label>
-  <div class="col-sm-3">
-    #{rodauth.input_field_string(rodauth.sms_code_param, 'sms-code', :value => '')}
+  <label for="sms-code">#{rodauth.sms_code_label}#{rodauth.input_field_label_suffix}</label>
+  <div class="row">
+    <div class="col-sm-3">
+      #{rodauth.input_field_string(rodauth.sms_code_param, 'sms-code', :value => '', :autocomplete=>'one-time-code', :inputmode=>'numeric')}
+    </div>
   </div>
 </div>

data/templates/sms-confirm.str

@@ -1,7 +1,6 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="sms-confirm-form">
+<form method="post" class="rodauth" role="form" id="sms-confirm-form">
   #{rodauth.sms_confirm_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('sms-code-field')}
   #{rodauth.button(rodauth.sms_confirm_button)}
 </form>
-

data/templates/sms-disable.str

@@ -1,7 +1,6 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="sms-disable-form">
+<form method="post" class="rodauth" role="form" id="sms-disable-form">
   #{rodauth.sms_disable_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
   #{rodauth.button(rodauth.sms_disable_button)}
 </form>
-

data/templates/sms-request.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="sms-request-form">
+<form method="post" class="rodauth" role="form" id="sms-request-form">
   #{rodauth.sms_request_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.button(rodauth.sms_request_button)}

data/templates/sms-setup.str

@@ -1,11 +1,13 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="sms-setup-form">
+<form method="post" class="rodauth" role="form" id="sms-setup-form">
   #{rodauth.sms_setup_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
   <div class="form-group">
-    <label class="col-sm-2 control-label" for="sms-phone">#{rodauth.sms_phone_label}#{rodauth.input_field_label_suffix}</label>
-    <div class="col-sm-3">
-      #{rodauth.input_field_string(rodauth.sms_phone_param, 'sms-phone')}
+    <label for="sms-phone">#{rodauth.sms_phone_label}#{rodauth.input_field_label_suffix}</label>
+    <div class="row">
+      <div class="col-sm-3">
+        #{rodauth.input_field_string(rodauth.sms_phone_param, 'sms-phone', :type=>rodauth.sms_phone_input_type, :autocomplete=>'tel')}
+      </div>
     </div>
   </div>
   #{rodauth.button(rodauth.sms_setup_button)}

data/templates/two-factor-auth.str

@@ -0,0 +1,5 @@
+<ul class="rodauth-links rodauth-two-factor-auth-links">
+#{rodauth.two_factor_auth_links.sort.map do |_, link, text|
+  "<li><a href=\"#{h link}\">#{h text}</a></li>"
+end.join}
+</ul>

data/templates/two-factor-disable.str

@@ -0,0 +1,6 @@
+<form method="post" class="rodauth" role="form" id="multifactor-disable-form">
+  #{rodauth.two_factor_disable_additional_form_tags}
+  #{rodauth.csrf_tag}
+  #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
+  #{rodauth.button(rodauth.two_factor_disable_button)}
+</form>

data/templates/two-factor-manage.str

@@ -0,0 +1,16 @@
+#{rodauth.two_factor_setup_heading unless rodauth.two_factor_setup_links.empty?}
+
+<ul class="rodauth-links rodauth-multifactor-setup-links">
+#{rodauth.two_factor_setup_links.sort.map do |_, link, text|
+  "<li><a href=\"#{h link}\">#{h text}</a></li>"
+end.join("\n")}
+</ul>
+
+#{rodauth.two_factor_remove_heading unless rodauth.two_factor_remove_links.empty?}
+
+<ul class="rodauth-links rodauth-multifactor-remove-links">
+#{rodauth.two_factor_remove_links.sort.map do |_, link, text|
+  "<li><a href=\"#{h link}\">#{h text}</a></li>"
+end.join("\n")}
+#{"<li><a href=\"#{h rodauth.two_factor_disable_path}\">#{rodauth.two_factor_disable_link_text}</a></li>" if rodauth.two_factor_remove_links.length > 1}
+</ul>

data/templates/unlock-account-request.str

@@ -1,7 +1,7 @@
-<form action="#{rodauth.unlock_account_request_path}" method="post" class="rodauth form-horizontal" role="form" id="unlock-account-request-form">
+<form action="#{rodauth.unlock_account_request_path}" method="post" class="rodauth" role="form" id="unlock-account-request-form">
   #{rodauth.unlock_account_request_additional_form_tags}
   #{rodauth.csrf_tag(rodauth.unlock_account_request_path)}
   #{rodauth.login_hidden_field}
   #{rodauth.unlock_account_request_explanatory_text}
-  <input type="submit" class="btn btn-primary inline" value="#{rodauth.unlock_account_request_button}"/>
+  #{rodauth.button(rodauth.unlock_account_request_button)}
 </form>

data/templates/unlock-account.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="unlock-account-form">
+<form method="post" class="rodauth" role="form" id="unlock-account-form">
   #{rodauth.unlock_account_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.unlock_account_explanatory_text}

data/templates/verify-account-resend.str

@@ -1,4 +1,4 @@
-<form action="#{rodauth.verify_account_resend_path}" method="post" class="rodauth form-horizontal" role="form" id="verify-account-resend-form">
+<form action="#{rodauth.verify_account_resend_path}" method="post" class="rodauth" role="form" id="verify-account-resend-form">
   #{rodauth.verify_account_resend_additional_form_tags}
   #{rodauth.csrf_tag(rodauth.verify_account_resend_path)}
   #{rodauth.verify_account_resend_explanatory_text}

data/templates/verify-account.str

@@ -1,8 +1,7 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="verify-account-form">
+<form method="post" class="rodauth" role="form" id="verify-account-form">
   #{rodauth.verify_account_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field') if rodauth.verify_account_set_password?}
   #{rodauth.render('password-confirm-field') if rodauth.verify_account_set_password? && rodauth.require_password_confirmation?}
   #{rodauth.button(rodauth.verify_account_button)}
 </form>
-

data/templates/verify-login-change.str

@@ -1,4 +1,4 @@
-<form method="post" class="rodauth form-horizontal" role="form" id="verify-login-change-form">
+<form method="post" class="rodauth" role="form" id="verify-login-change-form">
   #{rodauth.verify_login_change_additional_form_tags}
   #{rodauth.csrf_tag}
   #{rodauth.button(rodauth.verify_login_change_button)}

data/templates/webauthn-auth.str

@@ -0,0 +1,11 @@
+<form method="post" action="#{rodauth.webauthn_auth_form_path}" class="rodauth" role="form" id="webauthn-auth-form" data-credential-options="#{h((cred = rodauth.webauth_credential_options_for_get).as_json.to_json)}">
+  #{rodauth.webauthn_auth_additional_form_tags}
+  #{rodauth.csrf_tag(rodauth.webauthn_auth_form_path)}
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
+  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  <div id="webauthn-auth-button"> 
+    #{rodauth.button(rodauth.webauthn_auth_button)}
+  </div>
+</form>
+<script src="#{rodauth.webauthn_js_host}#{rodauth.webauthn_auth_js_path}"></script>

data/templates/webauthn-remove.str

@@ -0,0 +1,14 @@
+<form method="post" class="rodauth" role="form" id="webauthn-remove-form">
+  #{rodauth.webauthn_remove_additional_form_tags}
+  #{rodauth.csrf_tag}
+  #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
+  <fieldset class="form-group">
+    #{(usage = rodauth.account_webauthn_usage; last_id = usage.keys.last; usage;).map do |id, last_use|
+      input = rodauth.input_field_string(rodauth.webauthn_remove_param, "webauthn-remove-#{h id}", :type=>'radio', :class=>"form-check-input", :skip_error_message=>true, :value=>id, :required=>false)
+      label = "<label class=\"rodauth-webauthn-id form-check-label\" for=\"webauthn-remove-#{h id}\">Last Use: #{last_use}</label>"
+      error = rodauth.formatted_field_error(rodauth.webauthn_remove_param) if id == last_id
+      "<div class=\"form-check radio\">#{input}#{label}#{error}</div>"
+      end.join("\n")}
+  </fieldset>
+  #{rodauth.button(rodauth.webauthn_remove_button)}
+</form>

data/templates/webauthn-setup.str

@@ -0,0 +1,12 @@
+<form method="post" class="rodauth" role="form" id="webauthn-setup-form" data-credential-options="#{h((cred = rodauth.new_webauthn_credential).as_json.to_json)}">
+  #{rodauth.webauthn_setup_additional_form_tags}
+  #{rodauth.csrf_tag}
+  <input type="hidden" name="#{rodauth.webauthn_setup_challenge_param}" value="#{cred.challenge}" />
+  <input type="hidden" name="#{rodauth.webauthn_setup_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
+  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_setup_param}" id="webauthn-setup" value="" />
+  #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
+  <div id="webauthn-setup-button"> 
+    #{rodauth.button(rodauth.webauthn_setup_button)}
+  </div>
+</form>
+<script src="#{rodauth.webauthn_js_host}#{rodauth.webauthn_setup_js_path}"></script>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.23.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-06 00:00:00.000000000 Z
+date: 2020-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -136,6 +136,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webauthn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -193,9 +207,9 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.1.0
 description: |
-  Rodauth is an authentication and account management framework for
-  rack applications.  It's built using Roda and Sequel, but it can
-  be used as middleware in front of web applications that use
+  Rodauth is Ruby's most advanced authentication framework, designed
+  to work in all rack applications.  It's built using Roda and Sequel,
+  but it can be used as middleware in front of web applications that use
   other web frameworks and database libraries.
 
   Rodauth aims to provide strong security for password storage by
@@ -203,6 +217,19 @@ description: |
   MySQL, and Microsoft SQL Server.  Configuration is done via
   a DSL that makes it easy to override any part of the authentication
   process.
+
+  Rodauth supports typical authentication features: such as login and
+  logout, changing logins and passwords, and creating, verifying,
+  unlocking, and resetting passwords for accounts.  Rodauth also
+  supports many advanced authentication features:
+
+  * Secure password storage using security definer database functions
+  * Multiple primary multifactor authentication methods (WebAuthn and
+    TOTP), as well as backup multifactor authentication methods (SMS
+    and recovery codes).
+  * Passwordless authentication using email links and WebAuthn
+    authenticators.
+  * Both standard HTML form and JSON API support for all features.
 email: code@jeremyevans.net
 executables: []
 extensions: []
@@ -230,7 +257,7 @@ extra_rdoc_files:
 - doc/logout.rdoc
 - doc/otp.rdoc
 - doc/login_password_requirements_base.rdoc
-- doc/verify_change_login.rdoc
+- doc/jwt_cors.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
 - doc/recovery_codes.rdoc
@@ -246,7 +273,11 @@ extra_rdoc_files:
 - doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
-- doc/jwt_cors.rdoc
+- doc/webauthn.rdoc
+- doc/webauthn_login.rdoc
+- doc/webauthn_verify_account.rdoc
+- doc/active_sessions.rdoc
+- doc/audit_logging.rdoc
 - doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
@@ -271,12 +302,15 @@ extra_rdoc_files:
 - doc/release_notes/1.21.0.txt
 - doc/release_notes/1.22.0.txt
 - doc/release_notes/1.23.0.txt
+- doc/release_notes/2.0.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
 - README.rdoc
 - dict/top-10_000-passwords.txt
 - doc/account_expiration.rdoc
+- doc/active_sessions.rdoc
+- doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
@@ -326,6 +360,7 @@ files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
+- doc/release_notes/2.0.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -335,11 +370,17 @@ files:
 - doc/update_password_hash.rdoc
 - doc/verify_account.rdoc
 - doc/verify_account_grace_period.rdoc
-- doc/verify_change_login.rdoc
 - doc/verify_login_change.rdoc
+- doc/webauthn.rdoc
+- doc/webauthn_login.rdoc
+- doc/webauthn_verify_account.rdoc
+- javascript/webauthn_auth.js
+- javascript/webauthn_setup.js
 - lib/roda/plugins/rodauth.rb
 - lib/rodauth.rb
 - lib/rodauth/features/account_expiration.rb
+- lib/rodauth/features/active_sessions.rb
+- lib/rodauth/features/audit_logging.rb
 - lib/rodauth/features/base.rb
 - lib/rodauth/features/change_login.rb
 - lib/rodauth/features/change_password.rb
@@ -373,8 +414,10 @@ files:
 - lib/rodauth/features/update_password_hash.rb
 - lib/rodauth/features/verify_account.rb
 - lib/rodauth/features/verify_account_grace_period.rb
-- lib/rodauth/features/verify_change_login.rb
 - lib/rodauth/features/verify_login_change.rb
+- lib/rodauth/features/webauthn.rb
+- lib/rodauth/features/webauthn_login.rb
+- lib/rodauth/features/webauthn_verify_account.rb
 - lib/rodauth/migrations.rb
 - lib/rodauth/version.rb
 - templates/add-recovery-codes.str
@@ -387,11 +430,15 @@ files:
 - templates/email-auth-email.str
 - templates/email-auth-request-form.str
 - templates/email-auth.str
+- templates/global-logout-field.str
 - templates/login-confirm-field.str
 - templates/login-display.str
 - templates/login-field.str
+- templates/login-form-footer.str
+- templates/login-form.str
 - templates/login.str
 - templates/logout.str
+- templates/multi-phase-login.str
 - templates/otp-auth-code-field.str
 - templates/otp-auth.str
 - templates/otp-disable.str
@@ -411,6 +458,9 @@ files:
 - templates/sms-disable.str
 - templates/sms-request.str
 - templates/sms-setup.str
+- templates/two-factor-auth.str
+- templates/two-factor-disable.str
+- templates/two-factor-manage.str
 - templates/unlock-account-email.str
 - templates/unlock-account-request.str
 - templates/unlock-account.str
@@ -419,6 +469,9 @@ files:
 - templates/verify-account.str
 - templates/verify-login-change-email.str
 - templates/verify-login-change.str
+- templates/webauthn-auth.str
+- templates/webauthn-remove.str
+- templates/webauthn-setup.str
 homepage: https://github.com/jeremyevans/rodauth
 licenses:
 - MIT
@@ -434,7 +487,7 @@ rdoc_options:
 - "--line-numbers"
 - "--inline-source"
 - "--title"
-- 'Rodauth: Authentication and Account Management Framework for Rack Applications'
+- 'Rodauth: Ruby''s Most Advanced Authentication Framework'
 - "--main"
 - README.rdoc
 require_paths:
@@ -443,7 +496,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.8.7
+      version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/doc/verify_change_login.rdoc

@@ -1,11 +0,0 @@
-= Documentation for Verify Change Login Feature
-
-This feature is deprecated, because it is possible for a user to get
-locked out of their account if they use the wrong address on the
-change login page.  It is recommended that users switch to using the
-verify login change feature, which doesn't change the login until
-after it has been verified.
-
-The verify change login feature implements account reverification after
-change login.  Depends on the change login and verify account grace
-period features.

data/lib/rodauth/features/verify_change_login.rb

@@ -1,20 +0,0 @@
-# frozen-string-literal: true
-
-module Rodauth
-  Feature.define(:verify_change_login, :VerifyChangeLogin) do
-    depends :change_login, :verify_account_grace_period
-
-    def change_login_notice_flash
-      "#{super}. #{verify_account_email_sent_notice_flash}"
-    end
-
-    private
-
-    def after_change_login
-      super
-      update_account(account_status_column=>account_unverified_status_value)
-      setup_account_verification
-      session[unverified_account_session_key] = true
-    end
-  end
-end