rodauth 1.23.0 → 2.0.0

data/doc/verify_account.rdoc

@@ -10,30 +10,32 @@ after verifying the account. Depends on the login and create account features.
 attempt_to_create_unverified_account_error_flash :: The flash error message to show when attempting to create an account awaiting verification.
 attempt_to_login_to_unverified_account_error_flash :: The flash error message to show when attempting to login to an account awaiting verification.
 no_matching_verify_account_key_error_flash :: The flash error message to show when an invalid verify account key is used.
+resend_verify_account_page_title :: The page title to use on page requesting resending the verify account email.
 verify_account_additional_form_tags :: HTML fragment containing additional form tags to use on the verify account form.
 verify_account_autologin? :: Whether to autologin the user after successful account verification, true by default.
 verify_account_button :: The text to use for the verify account button.
+verify_account_email_last_sent_column :: The email last sent column in the +verify_account_table+. Set to nil to always send a verify account email when requested.
 verify_account_email_recently_sent_error_flash :: The flash error to show if not sending verify account email because one has been sent recently.
 verify_account_email_recently_sent_redirect :: Where to redirect if not sending verify account email because one has been sent recently.
-verify_account_email_subject :: The subject to use for the verify account email.
-verify_account_email_sent_redirect :: Where to redirect after sending the verify account email.
 verify_account_email_sent_notice_flash :: The flash notice to set after sending the verify account email.
-verify_account_email_last_sent_column :: The email last sent column in the verify account keys table.  nil by default, so a verify account email is always sent when requested by default.
+verify_account_email_sent_redirect :: Where to redirect after sending the verify account email.
+verify_account_email_subject :: The subject to use for the verify account email.
 verify_account_error_flash :: The flash error to show if no matching key is submitted when verifying an account.
-verify_account_id_column :: The id column in the verify account keys table, should be a foreign key referencing the accounts table.
-verify_account_key_column :: The verify account key/token column in the verify account keys table.
+verify_account_id_column :: The id column in the +verify_account_table+, should be a foreign key referencing the accounts table.
+verify_account_key_column :: The verify account key/token column in the +verify_account_table+.
 verify_account_key_param :: The parameter name to use for the verify account key.
 verify_account_notice_flash :: The flash notice to show after verifying the account.
+verify_account_page_title :: The page title to use on the verify account form.
+verify_account_redirect :: Where to redirect after verifying the account.
 verify_account_resend_additional_form_tags :: HTML fragment containing additional form tags to use on the page requesting resending the verify account email.
 verify_account_resend_button :: The text to use for the verify account resend button.
-verify_account_redirect :: Where to redirect after verifying the account.
 verify_account_resend_error_flash :: The flash error to show if unable to resend a verify account email.
 verify_account_resend_explanatory_text :: The text to display above the button to resend the verify account email.
-verify_account_resend_link :: The HTML to use for a link to the page to request the account verification email be resent.
+verify_account_resend_link_text :: The text to use for a link to the page to request the account verification email be resent.
 verify_account_resend_route :: The route to the verify account resend action.  Defaults to +verify-account-resend+.
 verify_account_route :: The route to the verify account action. Defaults to +verify-account+.
 verify_account_session_key :: The key in the session to hold the verify account key temporarily.
-verify_account_set_password? :: Whether to ask for a password to be set on the verify account form.  Defaults to false.  If set to true, will automatically stop asking for passwords to be set on the create account form.
+verify_account_set_password? :: Whether to ask for a password to be set on the verify account form.  True by default. If set to false, will ask for password when creating the account instead of when verifying.
 verify_account_skip_resend_email_within :: The number of seconds before sending another verify account email, if +verify_account_email_last_sent_column+ is set.
 verify_account_table :: The name of the verify account keys table.
 
@@ -41,14 +43,14 @@ verify_account_table :: The name of the verify account keys table.
 
 account_from_verify_account_key(key) :: Retrieve the account using the given verify account key, or return nil if no account matches.
 after_verify_account :: Run arbitrary code after verifying the account.
-after_verify_account_resend :: Run arbitrary code after resending a verify account email.
+after_verify_account_email_resend :: Run arbitrary code after resending a verify account email.
 allow_resending_verify_account_email? :: Whether to allow sending the verify account email for the account, true by default only if the account has not been verified.
 before_verify_account :: Run arbitrary code before verifying the account.
-before_verify_account_resend :: Run arbitrary code before resending a verify account email.
+before_verify_account_email_resend :: Run arbitrary code before resending a verify account email.
 before_verify_account_resend_route :: Run arbitrary code before handling a verify account resend route.
 before_verify_account_route :: Run arbitrary code before handling a verify account route.
-create_verify_account_key :: Add the verify account key data to the database.
 create_verify_account_email :: A Mail::Message for the verify account email.
+create_verify_account_key :: Add the verify account key data to the database.
 get_verify_account_email_last_sent :: Get the last time a verify account email is sent, or nil if there is no last sent time.
 get_verify_account_key(id) :: Get the verify account key for the given account id from the database.
 remove_verify_account_key :: Remove the verify account key for the current account, run after successful account verification.
@@ -58,6 +60,6 @@ set_verify_account_email_last_sent :: Set the last time a verify account email i
 verify_account :: Verify the account by changing the status from unverified to open.
 verify_account_email_body :: The body to use for the verify account email.
 verify_account_email_link :: The link to the verify account form in the verify account email.
-verify_account_key_insert_hash :: The hash to insert into the verify account keys table.
+verify_account_key_insert_hash :: The hash to insert into the +verify_account_table+.
 verify_account_key_value :: The value of the verify account key.
 verify_account_view :: The HTML to use for the verify account form.

data/doc/verify_account_grace_period.rdoc

@@ -2,12 +2,16 @@
 
 The verify account grace period feature allows users to login for
 a given period of time (1 day by default) before their account is
-verified.  Depends on the verify account feature.
+verified.  Depends on the verify account feature.  This switches
+the +verify_account_set_password?+ to false so that user can login
+with a password during the grace period.
 
 == Auth Value Methods
 
-verification_requested_at_column :: The column in the +verify_account_table+ table that holds the verification requested timestamp.
 unverified_account_session_key :: The session key set if the logged in account has not been unverified.
+unverified_change_login_error_flash :: The flash error to show when an unverified accounts accesses a change login route.
+unverified_change_login_redirect :: Where to redirect when an unverified accounts accesses a change login route.
+verification_requested_at_column :: The column in the +verify_account_table+ table that holds the verification requested timestamp.
 verify_account_grace_period :: The amount of seconds after an account creation that a user will be able to login without verifying (86400 by default).
 
 == Auth Methods

data/doc/verify_login_change.rdoc

@@ -1,11 +1,11 @@
 = Documentation for Verify Login Change Feature
 
-The verify login change feature implements login verification after
-a login change.  With this feature, login changes do not take effect
+The verify login change feature implements verification of login
+changes.  With this feature, login changes do not take effect
 until after the user has verified the new login.  Until the new
 login has been verified, the old login continues to work.
 
-Any time you use the verify login change and change login features together,
+Any time you use the verify account and change login features together,
 you should probably use this, otherwise it is trivial for users to work
 around account verification by creating an account with an email address
 they control, and the changing the login to an email address they don't
@@ -17,17 +17,18 @@ no_matching_verify_login_change_key_error_flash :: The flash error message to sh
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.
-verify_login_change_deadline_column :: The column name in the verify login change keys table storing the deadline after which the token will be ignored.
+verify_login_change_deadline_column :: The column name in the +verify_login_change_table+ storing the deadline after which the token will be ignored.
 verify_login_change_deadline_interval :: The amount of time for which to allow users to verify login changes, 1 day by default.
 verify_login_change_duplicate_account_error_flash :: The flash error message to show when attempting to verify a login change when the login is already taken.
 verify_login_change_duplicate_account_redirect :: Where to redirect if not changing a login during verification because the new login is already taken.
 verify_login_change_email_subject :: The subject to use for the verify login change email.
 verify_login_change_error_flash :: The flash error to show if no matching key is submitted when verifying login change.
-verify_login_change_id_column :: The id column in the verify login change keys table, should be a foreign key referencing the accounts table.
-verify_login_change_key_column :: The verify login change key/token column in the verify login change keys table.
+verify_login_change_id_column :: The id column in the +verify_login_change_table+, should be a foreign key referencing the accounts table.
+verify_login_change_key_column :: The verify login change key/token column in the +verify_login_change_table+.
 verify_login_change_key_param :: The parameter name to use for the verify login change key.
-verify_login_change_login_column :: The login column in the verify login change keys table, containing the new login.
+verify_login_change_login_column :: The login column in the +verify_login_change_table+, containing the new login.
 verify_login_change_notice_flash :: The flash notice to show after verifying the login change.
+verify_login_change_page_title :: The page title to use on the verify login change form.
 verify_login_change_redirect :: Where to redirect after verifying the login change.
 verify_login_change_route :: The route to the verify login change action. Defaults to +verify-login-change+.
 verify_login_change_session_key :: The key in the session to hold the verify login change key temporarily.
@@ -49,7 +50,7 @@ send_verify_login_change_email(login) :: Send the verify login change email.
 verify_login_change :: Change the login for the given account to the new login.
 verify_login_change_email_body :: The body to use for the verify login change email.
 verify_login_change_email_link :: The link to the verify login change form in the verify login change email.
-verify_login_change_key_insert_hash(login) :: The hash to insert into the verify login change keys table.
+verify_login_change_key_insert_hash(login) :: The hash to insert into the +verify_login_change_table+.
 verify_login_change_key_value :: The value of the verify login change key.
 verify_login_change_new_login :: The new login to use when the login change is verified.
 verify_login_change_old_login :: The old login to display in the verify login change email.

data/doc/webauthn.rdoc

@@ -0,0 +1,115 @@
+= Documentation for WebAuthn Feature
+
+The webauthn feature implements multifactor authentication via WebAuthn.
+It supports registering WebAuthn authenticators, using them for
+multifactor authentication, and removing WebAuthn authenticators.
+This feature supports multiple WebAuthn authenticators per user,
+and users are encouraged to have multiple WebAuthn authenticators
+so that they have a backup if one is not available.
+
+WebAuthn authentication requires javascript to work in
+browsers, for the browser to communicate with the authenticator.
+This feature offers routes that return the appropriate javascript.
+However, the javascript works by setting a hidden form field and
+using normal form submission.  This allows testing the feature
+without using javascript.  See Rodauth's tests for how testing
+without javascript works.
+
+The webauthn feature requires the webauthn gem.
+
+== Auth Value Methods
+
+authenticated_webauthn_id_session_key :: The session key used for storing which WebAuthn ID was used during authentication.
+webauthn_attestation :: The value of the WebAuthn attestation option when registering a new WebAuthn authenticator.
+webauthn_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via WebAuthn.
+webauthn_auth_button :: Text to use for button on the form to authenticate via WebAuthn.
+webauthn_auth_challenge_hmac_param :: The parameter name for the HMAC of the WebAuthn challenge during authentication.
+webauthn_auth_challenge_param :: The parameter name for the WebAuthn challenge during authentication.
+webauthn_auth_error_flash :: The flash error to show if unable to authenticate via WebAuthn.
+webauthn_auth_js :: The javascript code to execute on the page to authenticate via WebAuthn.
+webauthn_auth_js_route :: The route to the webauthn auth javascript file.
+webauthn_auth_link_text :: The text to use for the link from the multifactor auth page.
+webauthn_auth_page_title :: The page title to use on the page for authenticating via WebAuthn.
+webauthn_auth_param :: The parameter name for the WebAuthn authentication data.
+webauthn_auth_route :: The route to the webauthn auth action.
+webauthn_auth_timeout :: The number of milliseconds to wait when authenticating using a WebAuthn authenticator.
+webauthn_authenticator_selection ::  The value of the WebAuthn authenticatorSelection option when registering a new WebAuthn authenticator.
+webauthn_duplicate_webauthn_id_message :: The error message to when there is an attempt to insert a duplicate WebAuthn authenticator. 
+webauthn_extensions :: The value of the WebAuthn extensions option when registering a new WebAuthn authenticator or authenticating via WebAuthn.
+webauthn_invalid_auth_param_message :: The error message to show when invalid or missing WebAuthn authentication data is provided.
+webauthn_invalid_remove_param_message :: The error message to show when invalid WebAuthn ID is provided when removing a WebAuthn authenticator.
+webauthn_invalid_setup_param_message :: The error message to show when invalid or missing WebAuthn registration data is provided.
+webauthn_invalid_sign_count_message :: The error message to when there is an attempt to authenticate with WebAuthn authenticator with an invalid sign count.
+webauthn_js_host :: The protocol and domain if using a separate host for the WebAuthn setup and auth javascript files.
+webauthn_keys_account_id_column :: The column in the +webauthn_keys_table+ containing the account id.
+webauthn_keys_last_use_column :: The column in the +webauthn_keys_table+ containing the last time the WebAuthn credential was used.
+webauthn_keys_public_key_column :: The column in the +webauthn_keys_table+ containing the public key for the WebAuthn credential.
+webauthn_keys_sign_count_column :: The column in the +webauthn_keys_table+ containing the sign count for the WebAuthn credential.
+webauthn_keys_table :: The table name containing the WebAuthn public keys.
+webauthn_keys_webauthn_id_column :: The column in the +webauthn_keys_table+ containing the WebAuthn ID for the WebAuthn credential.
+webauthn_not_setup_error_flash :: The flash error to show if going to the WebAuthn authentication page without having registered a WebAuthn authenticator.
+webauthn_not_setup_error_status :: The status code to use if going to the WebAuthn authentication page without having registered a WebAuthn authenticator.
+webauthn_origin :: The origin to use when verifying a WebAuthn authenticator.
+webauthn_remove_additional_form_tags :: HTML fragment containing additional form tags when removing an existing WebAuthn authenticator.
+webauthn_remove_button :: Text to use for button on the form to remove an existing WebAuthn authenticator.
+webauthn_remove_error_flash :: The flash error to show if unable to remove an existing WebAuthn authenticator.
+webauthn_remove_link_text :: The text to use for the remove link from the multifactor manage page.
+webauthn_remove_notice_flash :: The flash notice to show after removing an existing WebAuthn authenticator.
+webauthn_remove_page_title :: The page title to use on the page for removing an existing WebAuthn authenticator.
+webauthn_remove_param :: The parameter name for the WebAuthn ID to remove.
+webauthn_remove_redirect :: Where to redirect after successfully removing an existing WebAuthn authenticator.
+webauthn_remove_route :: The route to the webauthn remove action.
+webauthn_rp_id :: The relying party ID to use when registering a WebAuthn authenticator or authenticating via WebAuthn.
+webauthn_rp_name :: The relying party name to use when registering a WebAuthn authenticator.
+webauthn_setup_additional_form_tags :: HTML fragment containing additional form tags when registering a new WebAuthn authenticator.
+webauthn_setup_button :: Text to use for button on the form to register a new WebAuthn authenticator.
+webauthn_setup_challenge_hmac_param :: The parameter name for the HMAC of the WebAuthn challenge during registration.
+webauthn_setup_challenge_param :: The parameter name for the WebAuthn challenge during registration.
+webauthn_setup_error_flash :: The flash error to show if unable to register a new WebAuthn authenticator.
+webauthn_setup_js :: The javascript code to execute on the page to register a new WebAuthn credential.
+webauthn_setup_js_route :: The route to the webauthn setup javascript file.
+webauthn_setup_link_text :: The text to use for the setup link from the multifactor manage page.
+webauthn_setup_notice_flash :: The flash notice to show after registering a new WebAuthn authenticator.
+webauthn_setup_page_title :: The page title to use on the page for registering a new WebAuthn authenticator.
+webauthn_setup_param :: The parameter name for the WebAuthn registration data.
+webauthn_setup_redirect :: Where to redirect after successfully registering a new WebAuthn authenticator.
+webauthn_setup_timeout :: The number of milliseconds to wait when registering a new WebAuthn authenticator.
+webauthn_setup_route :: The route to the webauthn setup action.
+webauthn_user_ids_account_id_column :: The column in the +webauthn_user_ids_table+ containing the account id.
+webauthn_user_ids_table :: The table name containing the WebAuthn user IDs.
+webauthn_user_ids_webauthn_id_column :: The column in the +webauthn_user_ids_table+ containing the accounts WebAuthn user ID.
+webauthn_user_verification :: The value of the WebAuthn userVerification option when registering a new WebAuthn authenticator.
+
+== Auth Methods
+
+account_webauthn_ids :: An array of WebAuthn IDs for registered WebAuthn credentials for the current account.
+account_webauthn_usage :: A hash mapping WebAuthn IDs to the time of their last use for registered WebAuthn credentials for the current account.
+account_webauthn_user_id :: The WebAuthn User ID for the current account.
+add_webauthn_credential(webauthn_credential) :: Register the given WebAuthn credential to current account.
+after_webauthn_auth_failure :: Any actions to take after a WebAuthn authentication failure.
+after_webauthn_remove :: Any actions to take after removing an existing WebAuthn authenticator.
+after_webauthn_setup :: Any actions to take after registering a new WebAuthn authenticator.
+authenticated_webauthn_id :: The WebAuthn ID for the credential used to authenticate via WebAuthn for the current session.
+before_webauthn_auth :: Any actions to take before authenticating via WebAuthn.
+before_webauthn_auth_js_route :: Run arbitrary code before handling a webauthn auth javascript route.
+before_webauthn_auth_route :: Run arbitrary code before handling a webauthn auth route.
+before_webauthn_remove :: Any actions to take before removing an existing WebAuthn authenticator.
+before_webauthn_remove_route :: Run arbitrary code before handling a webauthn remove route.
+before_webauthn_setup :: Any actions to take before registering a new WebAuthn authenticator.
+before_webauthn_setup_js_route :: Run arbitrary code before handling a webauthn setup javascript route.
+before_webauthn_setup_route :: Run arbitrary code before handling a webauthn setup route.
+handle_webauthn_sign_count_verification_error :: What actions to take if there is an invalid sign count when authenticating. The default results in an error, but overriding without calling super will result in successful WebAuthn authentication.
+new_webauthn_credential :: WebAuthn credential options to provide to the client during WebAuthn registration.
+remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the WebAuthn user ID from the current account.
+remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
+valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
+valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
+webauth_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
+webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
+webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
+webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
+webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
+webauthn_setup_js_path :: The path to the WebAuthn registration javascript.
+webauthn_setup_view :: The HTML to use for the page for registering a new WebAuthn authenticator.
+webauthn_update_session(webauthn_id) :: Set the authenticated WebAuthn ID after authenticating via WebAuthn.
+webauthn_user_name :: The user name to use when registering a new WebAuthn credential, the user's email by default.

data/doc/webauthn_login.rdoc

@@ -0,0 +1,15 @@
+= Documentation for WebAuthn Login Feature
+
+The webauthn feature implements passwordless authentication via
+WebAuthn. It depends on the login and webauthn features.
+
+== Auth Value Methods
+
+webauthn_login_error_flash :: The flash error to show if there is a failure during passwordless login via WebAuthn.
+webauthn_login_failure_redirect :: Whether to redirect if there is a failure during passwordless login via WebAuthn.
+webauthn_login_route :: The route to the webauthn login action.
+
+== Auth Methods
+
+before_webauthn_login :: Any actions to take before passwordless login via WebAuthn.
+before_webauthn_login_route :: Run arbitrary code before handling a webauthn login route.

data/doc/webauthn_verify_account.rdoc

@@ -0,0 +1,9 @@
+= Documentation for WebAuthn Verify Account Feature
+
+The webauthn feature implements setting up an WebAuthn authenticator
+during the account verification process, and making such setup
+a requirement for account verification.  By default, it disables
+asking for a password during account creation and verification,
+allowing for completely passwordless designs, where the only
+authentication option is WebAuthn. It depends on the verify_account
+and webauthn features.

data/javascript/webauthn_auth.js

@@ -0,0 +1,45 @@
+(function() {
+  var element = document.getElementById('webauthn-auth-form');
+  var f = function(e) {
+    //console.log(e);
+    e.preventDefault();
+    if (navigator.credentials) {
+      var opts = JSON.parse(element.getAttribute("data-credential-options"));
+      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.allowCredentials.forEach(function(cred) {
+        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      });
+      //console.log(opts);
+      navigator.credentials.get({publicKey: opts}).
+        then(function(cred){
+          //console.log(cred);
+          //window.cred = cred
+
+          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var authValue = {
+            type: cred.type,
+            id: rawId,
+            rawId: rawId,
+            response: {
+              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+            }
+          };
+
+          if (cred.response.userHandle) {
+            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          }
+
+          document.getElementById('webauthn-auth').value = JSON.stringify(authValue);
+          element.removeEventListener("submit", f);
+          element.submit();
+        }).
+        catch(function(e){document.getElementById('webauthn-auth-button').innerHTML = "Error authenticating using WebAuthn: " + e});
+    } else {
+        document.getElementById('webauthn-auth-button').innerHTML = "WebAuthn not supported by browser, or browser has disabled it on this page";
+    }
+  };
+  element.addEventListener("submit", f);
+})();
+

data/javascript/webauthn_setup.js

@@ -0,0 +1,35 @@
+(function() {
+  var element = document.getElementById('webauthn-setup-form');
+  var f = function(e) {
+    //console.log(e);
+    e.preventDefault();
+    if (navigator.credentials) {
+      var opts = JSON.parse(element.getAttribute("data-credential-options"));
+      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      //console.log(opts);
+      navigator.credentials.create({publicKey: opts}).
+        then(function(cred){
+          //console.log(cred);
+          //window.cred = cred
+          
+          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          document.getElementById('webauthn-setup').value = JSON.stringify({
+            type: cred.type,
+            id: rawId,
+            rawId: rawId,
+            response: {
+              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
+              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+            }
+          });
+          element.removeEventListener("submit", f);
+          element.submit();
+        }).
+        catch(function(e){document.getElementById('webauthn-setup-button').innerHTML = "Error creating public key in authenticator: " + e});
+    } else {
+        document.getElementById('webauthn-setup-button').innerHTML = "WebAuthn not supported by browser, or browser has disabled it on this page";
+    }
+  };
+  element.addEventListener("submit", f);
+})();

data/lib/roda/plugins/rodauth.rb

@@ -1,5 +1,5 @@
 # frozen-string-literal: true
 
-require 'rodauth'
+require_relative '../../rodauth'
 
 Roda::RodaPlugins.register_plugin(:rodauth, Rodauth)

data/lib/rodauth.rb

@@ -14,15 +14,15 @@ module Rodauth
       require 'tilt/string'
       app.plugin :render
 
-      case opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
+      case opts.fetch(:csrf, app.opts[:rodauth_csrf])
       when false
         # nothing
-      when :route_csrf
-        app.plugin :route_csrf
-      else
+      when :rack_csrf
         # :nocov:
         app.plugin :csrf
         # :nocov:
+      else
+        app.plugin :route_csrf
       end
 
       app.plugin :flash unless opts[:flash] == false
@@ -31,8 +31,14 @@ module Rodauth
   end
 
   def self.configure(app, opts={}, &block)
-    app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
-    app.opts[:rodauth_csrf] = opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
+    json_opt = app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
+    csrf = app.opts[:rodauth_csrf] = opts.fetch(:csrf, app.opts[:rodauth_csrf])
+    app.opts[:rodauth_route_csrf] = case csrf
+    when false, :rack_csrf
+      false
+    else
+      json_opt != :only
+    end
     auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)
     if !auth_class.roda_class
       auth_class.roda_class = app
@@ -72,8 +78,7 @@ module Rodauth
     end
 
     def def_auth_value_method(meth, priv)
-      define_method(meth) do |*v, &block|
-        v = v.first
+      define_method(meth) do |v=nil, &block|
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
@@ -104,23 +109,17 @@ module Rodauth
       route_meth = :"#{name}_route"
       auth_value_method route_meth, default
 
-      define_method(:"#{name}_path") { route_path(send(route_meth)) }
-      define_method(:"#{name}_url") { route_url(send(route_meth)) }
+      define_method(:"#{name}_path"){|opts={}| route_path(send(route_meth), opts)}
+      define_method(:"#{name}_url"){|opts={}| route_url(send(route_meth), opts)}
 
       handle_meth = :"handle_#{name}"
       internal_handle_meth = :"_#{handle_meth}"
       before route_meth
-
-      unless block.arity == 1
-        # :nocov:
-        b = block
-        block = lambda{|r| instance_exec(r, &b)}
-        # :nocov:
-      end
       define_method(internal_handle_meth, &block)
 
       define_method(handle_meth) do
         request.is send(route_meth) do
+          scope.check_csrf!(check_csrf_opts, &check_csrf_block) if check_csrf?
           before_rodauth
           send(internal_handle_meth, request)
         end
@@ -180,8 +179,10 @@ module Rodauth
 
     def view(page, title, name=feature_name)
       meth = :"#{name}_view"
+      title_meth = :"#{name}_page_title"
+      translatable_method(title_meth, title)
       define_method(meth) do
-        view(page, title)
+        view(page, send(title_meth))
       end
       auth_methods meth
     end
@@ -190,6 +191,7 @@ module Rodauth
       define_method(:loaded_templates) do
         super().concat(v)
       end
+      private :loaded_templates
     end
 
     def depends(*deps)
@@ -197,10 +199,9 @@ module Rodauth
     end
 
     %w'after before'.each do |hook|
-      define_method(hook) do |*args|
-        name = args[0] || feature_name
+      define_method(hook) do |name=feature_name|
         meth = "#{hook}_#{name}"
-        class_eval("def #{meth}; super if defined?(super); _#{meth} end", __FILE__, __LINE__)
+        class_eval("def #{meth}; super if defined?(super); _#{meth}; hook_action(:#{hook}, :#{name}); nil end", __FILE__, __LINE__)
         class_eval("def _#{meth}; nil end", __FILE__, __LINE__)
         private meth, :"_#{meth}"
         auth_private_methods(meth)
@@ -221,6 +222,11 @@ module Rodauth
       auth_value_methods(meth)
     end
 
+    def translatable_method(meth, value)
+      define_method(meth){translate(meth, value)}
+      auth_value_methods(meth)
+    end
+
     def auth_cached_method(meth, iv=:"@#{meth}")
       umeth = :"_#{meth}"
       define_method(meth) do
@@ -234,9 +240,8 @@ module Rodauth
     end
 
     [:notice_flash, :error_flash, :button].each do |meth|
-      define_method(meth) do |v, *args|
-        name = args.shift || feature_name
-        auth_value_method(:"#{name}_#{meth}", v)
+      define_method(meth) do |v, name=feature_name|
+        translatable_method(:"#{name}_#{meth}", v)
       end
     end
   end