rodauth 1.23.0 → 2.0.0

data/lib/rodauth/features/change_password_notify.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:change_password_notify, :ChangePasswordNotify) do
     depends :change_password, :email_base
 
-    auth_value_method :password_changed_email_subject, 'Password Changed'
+    translatable_method :password_changed_email_subject, 'Password Changed'
 
     auth_value_methods(
       :password_changed_email_body

data/lib/rodauth/features/confirm_password.rb

@@ -4,20 +4,26 @@ module Rodauth
   Feature.define(:confirm_password, :ConfirmPassword) do
     notice_flash "Your password has been confirmed"
     error_flash "There was an error confirming your password"
+    error_flash "You need to confirm your password before continuing", 'password_authentication_required'
     loaded_templates %w'confirm-password password-field'
     view 'confirm-password', 'Confirm Password'
     additional_form_tags
     button 'Confirm Password'
     before
     after
+    redirect(:password_authentication_required){confirm_password_path}
 
     session_key :confirm_password_redirect_session_key, :confirm_password_redirect
+    translatable_method :confirm_password_link_text, "Enter Password"
+    auth_value_method :password_authentication_required_error_status, 401
+
     auth_value_methods :confirm_password_redirect
 
     auth_methods :confirm_password
 
     route do |r|
-      require_account
+      require_login
+      require_account_session
       before_confirm_password_route
 
       request.get do
@@ -42,12 +48,44 @@ module Rodauth
       end
     end
 
+    def require_password_authentication
+      require_login
+
+      if require_password_authentication? && has_password?
+        set_redirect_error_status(password_authentication_required_error_status)
+        set_redirect_error_flash password_authentication_required_error_flash
+        set_session_value(confirm_password_redirect_session_key, request.fullpath)
+        redirect password_authentication_required_redirect
+      end
+    end
+
     def confirm_password
+      authenticated_by.delete('autologin')
+      authenticated_by.delete('remember')
+      authenticated_by.delete('email_auth')
+      authenticated_by.delete('password')
+      authenticated_by.unshift("password")
+      remove_session_value(autologin_type_session_key)
       nil
     end
 
     def confirm_password_redirect
-      session.delete(confirm_password_redirect_session_key) || default_redirect
+      remove_session_value(confirm_password_redirect_session_key) || default_redirect
+    end
+
+    private
+
+    def _two_factor_auth_links
+      links = (super if defined?(super)) || []
+      if authenticated_by.length == 1 && !authenticated_by.include?('password') && has_password?
+        links << [5, confirm_password_path, confirm_password_link_text]
+      end
+      links
+    end
+
+    def require_password_authentication?
+      return true if defined?(super) && super
+      !authenticated_by.include?('password')
     end
   end
 end

data/lib/rodauth/features/create_account.rb

@@ -2,9 +2,8 @@
 
 module Rodauth
   Feature.define(:create_account, :CreateAccount) do
-    depends :login_password_requirements_base
+    depends :login, :login_password_requirements_base
 
-    depends :login
     notice_flash 'Your account has been created'
     error_flash "There was an error creating your account"
     loaded_templates %w'create-account login-field login-confirm-field password-field password-confirm-field'
@@ -16,10 +15,9 @@ module Rodauth
     redirect
 
     auth_value_method :create_account_autologin?, true
+    translatable_method :create_account_link_text, "Create a New Account"
     auth_value_method :create_account_set_password?, true
 
-    auth_value_methods :create_account_link
-
     auth_methods(
       :save_account,
       :set_new_account_password
@@ -76,7 +74,7 @@ module Rodauth
             end
             after_create_account
             if create_account_autologin?
-              update_session
+              autologin_session('create_account')
             end
             set_notice_flash create_account_notice_flash
             redirect create_account_redirect
@@ -88,14 +86,6 @@ module Rodauth
       end
     end
 
-    def create_account_link
-      "<p><a href=\"#{create_account_path}\">Create a New Account</a></p>"
-    end
-
-    def login_form_footer
-      super + create_account_link
-    end
-
     def set_new_account_password(password)
       account[account_password_hash_column] = password_hash(password)
     end
@@ -121,6 +111,10 @@ module Rodauth
 
     private
 
+    def _login_form_footer_links
+      super << [10, create_account_path, create_account_link_text]
+    end
+
     def _new_account(login)
       acc = {login_column=>login}
       unless skip_status_checks?

data/lib/rodauth/features/disallow_common_passwords.rb

@@ -5,7 +5,7 @@ module Rodauth
     depends :login_password_requirements_base
 
     auth_value_method :most_common_passwords_file, File.expand_path('../../../../dict/top-10_000-passwords.txt', __FILE__)
-    auth_value_method :password_is_one_of_the_most_common_message, "is one of the most common passwords"
+    translatable_method :password_is_one_of_the_most_common_message, "is one of the most common passwords"
     auth_value_method :most_common_passwords, nil
 
     auth_methods :password_one_of_most_common?

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:disallow_password_reuse, :DisallowPasswordReuse) do
     depends :login_password_requirements_base
 
-    auth_value_method :password_same_as_previous_password_message, "same as previous password"
+    translatable_method :password_same_as_previous_password_message, "same as previous password"
     auth_value_method :previous_password_account_id_column, :account_id
     auth_value_method :previous_password_hash_column, :password_hash
     auth_value_method :previous_password_hash_table, :account_previous_password_hashes

data/lib/rodauth/features/email_auth.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:email_auth, :EmailAuth) do
     depends :login, :email_base
 
-    def_deprecated_alias :no_matching_email_auth_key_error_flash, :no_matching_email_auth_key_message
-
     notice_flash "An email has been sent to you with a link to login to your account", 'email_auth_email_sent'
     error_flash "There was an error logging you in"
     error_flash "There was an error requesting an email link to authenticate", 'email_auth_request'
@@ -23,17 +21,16 @@ module Rodauth
     redirect(:email_auth_email_recently_sent){default_post_email_redirect}
     
     auth_value_method :email_auth_deadline_column, :deadline
-    auth_value_method :email_auth_deadline_interval, {:days=>1}
-    auth_value_method :email_auth_email_subject, 'Login Link'
+    auth_value_method :email_auth_deadline_interval, {:days=>1}.freeze
+    translatable_method :email_auth_email_subject, 'Login Link'
     auth_value_method :email_auth_id_column, :id
     auth_value_method :email_auth_key_column, :key
     auth_value_method :email_auth_key_param, 'key'
     auth_value_method :email_auth_email_last_sent_column, :email_last_sent
     auth_value_method :email_auth_skip_resend_email_within, 300
     auth_value_method :email_auth_table, :account_email_auth_keys
+    auth_value_method :force_email_auth?, false
     session_key :email_auth_session_key, :email_auth_key
-
-    auth_value_methods :force_email_auth?
     
     auth_methods(
       :create_email_auth_email,
@@ -74,7 +71,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(email_auth_key_param)
-          session[email_auth_session_key] = key
+          set_session_value(email_auth_session_key, key)
           redirect(r.path)
         end
 
@@ -82,7 +79,7 @@ module Rodauth
           if account_from_email_auth_key(key)
             email_auth_view
           else
-            session[email_auth_session_key] = nil
+            remove_session_value(email_auth_session_key)
             set_redirect_error_flash no_matching_email_auth_key_error_flash
             redirect require_login_redirect
           end
@@ -97,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login
+        _login('email_auth')
       end
     end
 
@@ -148,43 +145,44 @@ module Rodauth
       ds.get(email_auth_key_column)
     end
 
-    def login_form_footer
-      footer = super
-      footer += email_auth_request_form if valid_login_entered?
-      footer
-    end
-
     def email_auth_request_form
       render('email-auth-request-form')
     end
 
     def after_login_entered_during_multi_phase_login
-      if force_email_auth?
-        # If the account does not have a password hash, just send the
-        # email link.
-        _email_auth_request
-        redirect email_auth_email_sent_redirect
-      else
-        # If the account has a password hash, allow password login, but
-        # we will show form below to also login via email link.
-        super
-      end
+      # If forcing email auth, just send the email link.
+      _email_auth_request_and_redirect if force_email_auth?
+
+      super
     end
 
     def use_multi_phase_login?
       true
     end
 
-    def force_email_auth?
-      get_password_hash.nil?
+    def possible_authentication_methods
+      methods = super
+      methods << 'email_auth' if !methods.include?('password') && allow_email_auth?
+      methods
     end
 
     private
 
+    def _multi_phase_login_forms
+      forms = super
+      forms << [30, email_auth_request_form, :_email_auth_request_and_redirect] if valid_login_entered? && allow_email_auth?
+      forms
+    end
+
     def email_auth_email_recently_sent?
       (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
     end
 
+    def _email_auth_request_and_redirect
+      _email_auth_request
+      redirect email_auth_email_sent_redirect
+    end
+
     def _email_auth_request
       if email_auth_email_recently_sent?
         set_redirect_error_flash email_auth_email_recently_sent_error_flash
@@ -204,6 +202,10 @@ module Rodauth
 
     attr_reader :email_auth_key_value
 
+    def allow_email_auth?
+      defined?(super) ? super : true
+    end
+
     def after_login
       # Remove the email auth key after any login, even if
       # it is a password login.  This is done to invalidate

data/lib/rodauth/features/email_base.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   Feature.define(:email_base, :EmailBase) do
-    auth_value_method :email_subject_prefix, nil
+    translatable_method :email_subject_prefix, ''
     auth_value_method :require_mail?, true
     auth_value_method :allow_raw_email_token?, false
 
@@ -43,7 +43,7 @@ module Rodauth
     end
 
     def email_from
-      "webmaster@#{request.host}"
+      "webmaster@#{domain}"
     end
 
     def email_to
@@ -51,7 +51,7 @@ module Rodauth
     end
 
     def token_link(route, param, key)
-      "#{route_url(route)}?#{param}=#{account_id}#{token_separator}#{convert_email_token_key(key)}"
+      route_url(route, param => "#{account_id}#{token_separator}#{convert_email_token_key(key)}")
     end
 
     def convert_email_token_key(key)

data/lib/rodauth/features/http_basic_auth.rb

@@ -3,54 +3,61 @@
 module Rodauth
   Feature.define(:http_basic_auth, :HttpBasicAuth) do
     auth_value_method :http_basic_auth_realm, "protected"
-    auth_value_method :require_http_basic_auth, false
+    auth_value_method :require_http_basic_auth?, false
 
-    def session
-      return @session if defined?(@session)
-      sess = super
-      return sess if sess[session_key]
-      return sess unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
-      username, password = token.unpack("m*").first.split(/:/, 2)
-
-      if username && password
-        catch_error do
-          unless account_from_login(username)
-            throw_basic_auth_error(login_param, no_matching_login_message)
-          end
-
-          before_login_attempt
-          
-          unless open_account?
-            throw_basic_auth_error(login_param, no_matching_login_message)
-          end
-
-          unless password_match?(password)
-            after_login_failure
-            throw_basic_auth_error(password_param, invalid_password_message)
-          end
-          
-          transaction do
-            before_login
-            sess[session_key] = account_session_value
-            after_login
-          end
-        end
+    def require_login
+      if require_http_basic_auth?
+        require_http_basic_auth
+      elsif !logged_in?
+        http_basic_auth
       end
 
-      sess
+      super
     end
 
-    private
-
-    def require_login
-      if !logged_in? && require_http_basic_auth
+    def require_http_basic_auth
+      unless http_basic_auth
         set_http_basic_auth_error_response
         request.halt
       end
+    end
 
-      super
+    def http_basic_auth
+      return unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
+
+      username, password = token.unpack("m*").first.split(/:/, 2)
+      return unless username && password
+
+      catch_error do
+        unless account_from_login(username)
+          throw_basic_auth_error(login_param, no_matching_login_message)
+        end
+
+        before_login_attempt
+
+        unless open_account?
+          throw_basic_auth_error(login_param, no_matching_login_message)
+        end
+
+        unless password_match?(password)
+          after_login_failure
+          throw_basic_auth_error(password_param, invalid_password_message)
+        end
+
+        transaction do
+          before_login
+          login_session('password')
+          after_login
+        end
+
+        return true
+      end
+
+      nil
     end
 
+    private
+
     def set_http_basic_auth_error_response
       response.status = 401
       response.headers["WWW-Authenticate"] = "Basic realm=\"#{http_basic_auth_realm}\""

data/lib/rodauth/features/jwt.rb

@@ -4,25 +4,25 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
-    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
     auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
     auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
     auth_value_method :json_response_content_type, 'application/json'
     auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, false
+    auth_value_method :json_response_custom_error_status?, true
     auth_value_method :json_response_error_key, "error"
     auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, nil
+    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, false
-    auth_value_method :jwt_decode_opts, {}
+    auth_value_method :jwt_check_accept?, true
+    auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
       :only_json?,
@@ -173,6 +173,43 @@ module Rodauth
       end
     end
 
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_jwt? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
     def before_otp_setup_route
       super if defined?(super)
       if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
@@ -204,6 +241,12 @@ module Rodauth
       value
     end
 
+    def remove_session_value(key)
+      value = super
+      set_jwt if use_jwt?
+      value
+    end
+
     def json_response
       @json_response ||= {}
     end