rodauth 1.23.0 → 2.0.0

data/lib/rodauth/features/jwt_refresh.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  JwtRefresh = Feature.define(:jwt_refresh) do
+  Feature.define(:jwt_refresh, :JwtRefresh) do
     depends :jwt
 
     after 'refresh_token'
@@ -10,10 +10,10 @@ module Rodauth
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
-    auth_value_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
+    translatable_method :jwt_refresh_invalid_token_message, 'invalid JWT refresh token'
     auth_value_method :jwt_refresh_token_account_id_column, :account_id
     auth_value_method :jwt_refresh_token_deadline_column, :deadline
-    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}
+    auth_value_method :jwt_refresh_token_deadline_interval, {:days=>14}.freeze
     auth_value_method :jwt_refresh_token_id_column, :id
     auth_value_method :jwt_refresh_token_key, 'refresh_token'
     auth_value_method :jwt_refresh_token_key_column, :key

data/lib/rodauth/features/lockout.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:lockout, :Lockout) do
     depends :login, :email_base
 
-    def_deprecated_alias :no_matching_unlock_account_key_error_flash, :no_matching_unlock_account_key_message
-
     loaded_templates %w'unlock-account-request unlock-account password-field unlock-account-email'
     view 'unlock-account-request', 'Request Account Unlock', 'unlock_account_request'
     view 'unlock-account', 'Unlock Account', 'unlock_account'
@@ -19,7 +17,7 @@ module Rodauth
     button 'Unlock Account', 'unlock_account'
     button 'Request Account Unlock', 'unlock_account_request'
     error_flash "There was an error unlocking your account", 'unlock_account'
-    error_flash "This account is currently locked out and cannot be logged in to.", "login_lockout"
+    error_flash "This account is currently locked out and cannot be logged in to", "login_lockout"
     error_flash "An email has recently been sent to you with a link to unlock the account", 'unlock_account_email_recently_sent'
     error_flash "There was an error unlocking your account: invalid or expired unlock account key", 'no_matching_unlock_account_key'
     notice_flash "Your account has been unlocked", 'unlock_account'
@@ -36,12 +34,12 @@ module Rodauth
     auth_value_method :account_lockouts_table, :account_lockouts
     auth_value_method :account_lockouts_id_column, :id
     auth_value_method :account_lockouts_key_column, :key
-    auth_value_method :account_lockouts_email_last_sent_column, nil
+    auth_value_method :account_lockouts_email_last_sent_column, :email_last_sent
     auth_value_method :account_lockouts_deadline_column, :deadline
-    auth_value_method :account_lockouts_deadline_interval, {:days=>1}
-    auth_value_method :unlock_account_email_subject, 'Unlock Account'
-    auth_value_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
-    auth_value_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
+    auth_value_method :account_lockouts_deadline_interval, {:days=>1}.freeze
+    translatable_method :unlock_account_email_subject, 'Unlock Account'
+    translatable_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
+    translatable_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
     auth_value_method :unlock_account_skip_resend_email_within, 300
@@ -75,6 +73,7 @@ module Rodauth
             redirect unlock_account_email_recently_sent_redirect
           end
 
+          @unlock_account_key_value = get_unlock_account_key
           transaction do
             before_unlock_account_request
             set_unlock_account_email_last_sent
@@ -98,7 +97,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(unlock_account_key_param)
-          session[unlock_account_session_key] = key
+          set_session_value(unlock_account_session_key, key)
           redirect(r.path)
         end
 
@@ -106,7 +105,7 @@ module Rodauth
           if account_from_unlock_key(key)
             unlock_account_view
           else
-            session[unlock_account_session_key] = nil
+            remove_session_value(unlock_account_session_key)
             set_redirect_error_flash no_matching_unlock_account_key_error_flash
             redirect require_login_redirect
           end
@@ -127,11 +126,11 @@ module Rodauth
             unlock_account
             after_unlock_account
             if unlock_account_autologin?
-              update_session
+              autologin_session('unlock_account')
             end
           end
 
-          session[unlock_account_session_key] = nil
+          remove_session_value(unlock_account_session_key)
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else
@@ -217,7 +216,6 @@ module Rodauth
     end
 
     def send_unlock_account_email
-      @unlock_account_key_value = get_unlock_account_key
       send_email(create_unlock_account_email)
     end
 

data/lib/rodauth/features/login.rb

@@ -5,16 +5,24 @@ module Rodauth
     notice_flash "You have been logged in"
     notice_flash "Login recognized, please enter your password", "need_password"
     error_flash "There was an error logging in"
-    loaded_templates %w'login login-field password-field login-display'
+    loaded_templates %w'login login-form login-form-footer multi-phase-login login-field password-field login-display'
     view 'login', 'Login'
+    view 'multi-phase-login', 'Login', 'multi_phase_login'
     additional_form_tags
     button 'Login'
     redirect
 
     auth_value_method :login_error_status, 401
-    auth_value_method :login_form_footer, ''
+    translatable_method :login_form_footer_links_heading, '<h2 class="rodauth-login-form-footer-links-heading">Other Options</h2>'
+    auth_value_method :login_return_to_requested_location?, false
     auth_value_method :use_multi_phase_login?, false
 
+    session_key :login_redirect_session_key, :login_redirect
+
+    auth_cached_method :multi_phase_login_forms
+    auth_cached_method :login_form_footer_links
+    auth_cached_method :login_form_footer
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -24,8 +32,8 @@ module Rodauth
       end
 
       r.post do
-        clear_session
         skip_error_flash = false
+        view = :login_view
 
         catch_error do
           unless account_from_login(param(login_param))
@@ -40,6 +48,7 @@ module Rodauth
 
           if use_multi_phase_login?
             @valid_login_entered = true
+            view = :multi_phase_login_view
 
             unless param_or_nil(password_param)
               after_login_entered_during_multi_phase_login
@@ -53,18 +62,28 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login
+          _login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
-        login_view
+        send(view)
       end
     end
 
     attr_reader :login_form_header
 
+    def login_required
+      if login_return_to_requested_location?
+        set_session_value(login_redirect_session_key, request.fullpath)
+      end
+      super
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
+      if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])
+        send(meth)
+      end
     end
 
     def skip_login_field_on_login?
@@ -85,16 +104,37 @@ module Rodauth
       "<input type='hidden' name=\"#{login_param}\" value=\"#{scope.h param(login_param)}\" />"
     end
 
+    def render_multi_phase_login_forms
+      multi_phase_login_forms.sort.map{|_, form, _| form}.join("\n")
+    end
+
     private
 
-    def _login
+    def _login_form_footer_links
+      []
+    end
+
+    def _multi_phase_login_forms
+      forms = []
+      forms << [10, render("login-form"), nil] if has_password?
+      forms
+    end
+
+    def _login_form_footer
+      return '' if _login_form_footer_links.empty?
+      render('login-form-footer')
+    end
+
+    def _login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
       transaction do
         before_login
-        update_session
+        login_session(auth_type)
+        yield if block_given?
         after_login
       end
       set_notice_flash login_notice_flash
-      redirect login_redirect
+      redirect(saved_login_redirect || login_redirect)
     end
   end
 end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -2,18 +2,18 @@
 
 module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
-    auth_value_method :already_an_account_with_this_login_message, 'already an account with this login'
+    translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
-    auth_value_method :logins_do_not_match_message, 'logins do not match'
+    translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
-    auth_value_method :passwords_do_not_match_message, 'passwords do not match'
+    translatable_method :passwords_do_not_match_message, 'passwords do not match'
     auth_value_method :require_email_address_logins?, true
     auth_value_method :require_login_confirmation?, true
     auth_value_method :require_password_confirmation?, true
-    auth_value_method :same_as_existing_password_message, "invalid password, same as current password"
+    translatable_method :same_as_existing_password_message, "invalid password, same as current password"
 
     auth_value_methods(
       :login_confirm_label,

data/lib/rodauth/features/otp.rb

@@ -19,62 +19,59 @@ module Rodauth
     before 'otp_setup'
     before 'otp_disable'
 
-    configuration_module_eval do
-      def before_otp_authentication_route(&block)
-        warn "before_otp_authentication_route is deprecated, switch to before_otp_auth_route"
-        before_otp_auth_route(&block)
-      end
-    end
-
-    button 'Authenticate via 2nd Factor', 'otp_auth'
-    button 'Disable Two Factor Authentication', 'otp_disable'
-    button 'Setup Two Factor Authentication', 'otp_setup'
+    button 'Authenticate Using TOTP', 'otp_auth'
+    button 'Disable TOTP Authentication', 'otp_disable'
+    button 'Setup TOTP Authentication', 'otp_setup'
 
-    error_flash "Error disabling up two factor authentication", 'otp_disable'
-    error_flash "Error logging in via two factor authentication", 'otp_auth'
-    error_flash "Error setting up two factor authentication", 'otp_setup'
-    error_flash "You have already setup two factor authentication", :otp_already_setup
+    error_flash "Error disabling TOTP authentication", 'otp_disable'
+    error_flash "Error logging in via TOTP authentication", 'otp_auth'
+    error_flash "Error setting up TOTP authentication", 'otp_setup'
+    error_flash "You have already setup TOTP authentication", 'otp_already_setup'
+    error_flash "TOTP authentication code use locked out due to numerous failures", 'otp_lockout'
 
-    notice_flash "Two factor authentication has been disabled", 'otp_disable'
-    notice_flash "Two factor authentication is now setup", 'otp_setup'
+    notice_flash "TOTP authentication has been disabled", 'otp_disable'
+    notice_flash "TOTP authentication is now setup", 'otp_setup'
 
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
-    view 'otp-disable', 'Disable Two Factor Authentication', 'otp_disable'
+    view 'otp-disable', 'Disable TOTP Authentication', 'otp_disable'
     view 'otp-auth', 'Enter Authentication Code', 'otp_auth'
-    view 'otp-setup', 'Setup Two Factor Authentication', 'otp_setup'
+    view 'otp-setup', 'Setup TOTP Authentication', 'otp_setup'
+
+    translatable_method :otp_auth_link_text, "Authenticate Using TOTP"
+    translatable_method :otp_setup_link_text, "Setup TOTP Authentication"
+    translatable_method :otp_disable_link_text, "Disable TOTP Authentication"
 
     auth_value_method :otp_auth_failures_limit, 5
-    auth_value_method :otp_auth_label, 'Authentication Code'
+    translatable_method :otp_auth_label, 'Authentication Code'
     auth_value_method :otp_auth_param, 'otp'
     auth_value_method :otp_class, ROTP::TOTP
     auth_value_method :otp_digits, nil
-    auth_value_method :otp_drift, nil
+    auth_value_method :otp_drift, 30
     auth_value_method :otp_interval, nil
-    auth_value_method :otp_invalid_auth_code_message, "Invalid authentication code"
-    auth_value_method :otp_invalid_secret_message, "invalid secret"
+    translatable_method :otp_invalid_auth_code_message, "Invalid authentication code"
+    translatable_method :otp_invalid_secret_message, "invalid secret"
     auth_value_method :otp_keys_column, :key
     auth_value_method :otp_keys_id_column, :id
     auth_value_method :otp_keys_failures_column, :num_failures
     auth_value_method :otp_keys_table, :account_otp_keys
     auth_value_method :otp_keys_last_use_column, :last_use
-    auth_value_method :otp_provisioning_uri_label, 'Provisioning URL'
-    auth_value_method :otp_secret_label, 'Secret'
+    translatable_method :otp_provisioning_uri_label, 'Provisioning URL'
+    translatable_method :otp_secret_label, 'Secret'
     auth_value_method :otp_setup_param, 'otp_secret'
     auth_value_method :otp_setup_raw_param, 'otp_raw_secret'
+    translatable_method :otp_auth_form_footer, ''
 
     auth_cached_method :otp_key
     auth_cached_method :otp
     private :otp
 
     auth_value_methods(
-      :otp_auth_form_footer,
       :otp_issuer,
-      :otp_lockout_error_flash,
-      :otp_lockout_redirect,
       :otp_keys_use_hmac?
     )
 
@@ -103,18 +100,13 @@ module Rodauth
     route(:otp_auth) do |r|
       require_login
       require_account_session
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('totp')
       require_otp_setup
 
       if otp_locked_out?
         set_response_error_status(lockout_error_status)
         set_redirect_error_flash otp_lockout_error_flash
-        if redir = otp_lockout_redirect
-          redirect redir
-        else
-          clear_session
-          redirect require_login_redirect
-        end
+        redirect otp_lockout_redirect
       end
 
       before_otp_auth_route
@@ -126,7 +118,7 @@ module Rodauth
       r.post do
         if otp_valid_code?(param(otp_auth_param)) && otp_update_last_use
           before_otp_authentication
-          two_factor_authenticate(:totp)
+          two_factor_authenticate('totp')
         end
 
         otp_record_authentication_failure
@@ -178,7 +170,9 @@ module Rodauth
           transaction do
             before_otp_setup
             otp_add_key
-            two_factor_update_session(:totp)
+            unless two_factor_authenticated?
+              two_factor_update_session('totp')
+            end
             after_otp_setup
           end
           set_notice_flash otp_setup_notice_flash
@@ -204,7 +198,9 @@ module Rodauth
           transaction do
             before_otp_disable
             otp_remove
-            two_factor_remove_session
+            if two_factor_login_type_match?('totp')
+              two_factor_remove_session('totp')
+            end
             after_otp_disable
           end
           set_notice_flash otp_disable_notice_flash
@@ -218,20 +214,6 @@ module Rodauth
       end
     end
 
-    def two_factor_authentication_setup?
-      return true if super
-      return false if @otp_tmp_key
-      otp_exists?
-    end
-
-    def two_factor_need_setup_redirect
-      otp_setup_path
-    end
-
-    def two_factor_auth_required_redirect
-      otp_auth_path
-    end
-
     def two_factor_remove
       super
       otp_remove
@@ -242,19 +224,6 @@ module Rodauth
       otp_remove_auth_failures
     end
 
-    def otp_auth_form_footer
-      super if defined?(super)
-    end
-
-    def otp_lockout_redirect
-      return super if defined?(super)
-      nil
-    end
-
-    def otp_lockout_error_flash
-      "Authentication code use locked out due to numerous failures.#{super if defined?(super)}"
-    end
-
     def require_otp_setup
       unless otp_exists?
         set_redirect_error_status(two_factor_not_setup_error_status)
@@ -272,11 +241,11 @@ module Rodauth
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
         if otp.respond_to?(:verify_with_drift)
+          # :nocov:
           otp.verify_with_drift(ot_pass, drift)
-        else
           # :nocov:
+        else
           otp.verify(ot_pass, :drift_behind=>drift, :drift_ahead=>drift)
-          # :nocov:
         end
       else
         otp.verify(ot_pass)
@@ -285,6 +254,7 @@ module Rodauth
 
     def otp_remove
       otp_key_ds.delete
+      @otp_key = nil
       super if defined?(super)
     end
 
@@ -316,7 +286,7 @@ module Rodauth
     end
 
     def otp_issuer
-      request.host
+      domain
     end
 
     def otp_provisioning_name
@@ -339,8 +309,37 @@ module Rodauth
       !!hmac_secret
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'totp' if otp_exists? && !@otp_tmp_key
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [20, otp_setup_path, otp_setup_link_text] unless otp_exists?
+      links
+    end
+
+    def _two_factor_remove_links
+      links = super
+      links << [20, otp_disable_path, otp_disable_link_text] if otp_exists?
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('totp')
+      super
+    end
+
     def clear_cached_otp
       remove_instance_variable(:@otp) if defined?(@otp)
     end
@@ -364,29 +363,20 @@ module Rodauth
     end
 
     if ROTP::Base32.respond_to?(:random_base32)
-      # :nocov:
       def otp_new_secret
         ROTP::Base32.random_base32.downcase
       end
-      # :nocov:
     else
+      # :nocov:
       def otp_new_secret
         ROTP::Base32.random.downcase
       end
+      # :nocov:
     end
 
-    if RUBY_VERSION < '1.9'
-      # :nocov:
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i] % 32].chr}.join
-      end
-      # :nocov:
-    else
-      def base32_encode(data, length)
-        chars = 'abcdefghijklmnopqrstuvwxyz234567'
-        length.times.map{|i|chars[data[i].ord % 32]}.join
-      end
+    def base32_encode(data, length)
+      chars = 'abcdefghijklmnopqrstuvwxyz234567'
+      length.times.map{|i|chars[data[i].ord % 32]}.join
     end
 
     def _otp_tmp_key(secret)