rodauth 1.23.0 → 2.4.0

data/lib/rodauth/features/change_password_notify.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:change_password_notify, :ChangePasswordNotify) do
     depends :change_password, :email_base
 
-    auth_value_method :password_changed_email_subject, 'Password Changed'
+    translatable_method :password_changed_email_subject, 'Password Changed'
 
     auth_value_methods(
       :password_changed_email_body

data/lib/rodauth/features/close_account.rb

@@ -33,7 +33,11 @@ module Rodauth
       end
 
       r.post do
-        if !close_account_requires_password? || password_match?(param(password_param))
+        catch_error do
+          if close_account_requires_password? && !password_match?(param(password_param))
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+          end
+
           transaction do
             before_close_account
             close_account
@@ -46,12 +50,10 @@ module Rodauth
 
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
-        else
-          set_response_error_status(invalid_password_error_status)
-          set_field_error(password_param, invalid_password_message)
-          set_error_flash close_account_error_flash
-          close_account_view
         end
+
+        set_error_flash close_account_error_flash
+        close_account_view
       end
     end
 

data/lib/rodauth/features/confirm_password.rb

@@ -4,20 +4,26 @@ module Rodauth
   Feature.define(:confirm_password, :ConfirmPassword) do
     notice_flash "Your password has been confirmed"
     error_flash "There was an error confirming your password"
+    error_flash "You need to confirm your password before continuing", 'password_authentication_required'
     loaded_templates %w'confirm-password password-field'
     view 'confirm-password', 'Confirm Password'
     additional_form_tags
     button 'Confirm Password'
     before
     after
+    redirect(:password_authentication_required){confirm_password_path}
 
     session_key :confirm_password_redirect_session_key, :confirm_password_redirect
+    translatable_method :confirm_password_link_text, "Enter Password"
+    auth_value_method :password_authentication_required_error_status, 401
+
     auth_value_methods :confirm_password_redirect
 
     auth_methods :confirm_password
 
     route do |r|
-      require_account
+      require_login
+      require_account_session
       before_confirm_password_route
 
       request.get do
@@ -42,12 +48,44 @@ module Rodauth
       end
     end
 
+    def require_password_authentication
+      require_login
+
+      if require_password_authentication? && has_password?
+        set_redirect_error_status(password_authentication_required_error_status)
+        set_redirect_error_flash password_authentication_required_error_flash
+        set_session_value(confirm_password_redirect_session_key, request.fullpath)
+        redirect password_authentication_required_redirect
+      end
+    end
+
     def confirm_password
+      authenticated_by.delete('autologin')
+      authenticated_by.delete('remember')
+      authenticated_by.delete('email_auth')
+      authenticated_by.delete('password')
+      authenticated_by.unshift("password")
+      remove_session_value(autologin_type_session_key)
       nil
     end
 
     def confirm_password_redirect
-      session.delete(confirm_password_redirect_session_key) || default_redirect
+      remove_session_value(confirm_password_redirect_session_key) || default_redirect
+    end
+
+    private
+
+    def _two_factor_auth_links
+      links = (super if defined?(super)) || []
+      if authenticated_by.length == 1 && !authenticated_by.include?('password') && has_password?
+        links << [5, confirm_password_path, confirm_password_link_text]
+      end
+      links
+    end
+
+    def require_password_authentication?
+      return true if defined?(super) && super
+      !authenticated_by.include?('password')
     end
   end
 end

data/lib/rodauth/features/create_account.rb

@@ -2,9 +2,8 @@
 
 module Rodauth
   Feature.define(:create_account, :CreateAccount) do
-    depends :login_password_requirements_base
+    depends :login, :login_password_requirements_base
 
-    depends :login
     notice_flash 'Your account has been created'
     error_flash "There was an error creating your account"
     loaded_templates %w'create-account login-field login-confirm-field password-field password-confirm-field'
@@ -16,10 +15,9 @@ module Rodauth
     redirect
 
     auth_value_method :create_account_autologin?, true
+    translatable_method :create_account_link_text, "Create a New Account"
     auth_value_method :create_account_set_password?, true
 
-    auth_value_methods :create_account_link
-
     auth_methods(
       :save_account,
       :set_new_account_password
@@ -32,6 +30,7 @@ module Rodauth
     route do |r|
       check_already_logged_in
       before_create_account_route
+      @password_field_autocomplete_value = 'new-password'
 
       r.get do
         create_account_view
@@ -76,7 +75,7 @@ module Rodauth
             end
             after_create_account
             if create_account_autologin?
-              update_session
+              autologin_session('create_account')
             end
             set_notice_flash create_account_notice_flash
             redirect create_account_redirect
@@ -88,14 +87,6 @@ module Rodauth
       end
     end
 
-    def create_account_link
-      "<p><a href=\"#{create_account_path}\">Create a New Account</a></p>"
-    end
-
-    def login_form_footer
-      super + create_account_link
-    end
-
     def set_new_account_password(password)
       account[account_password_hash_column] = password_hash(password)
     end
@@ -121,6 +112,10 @@ module Rodauth
 
     private
 
+    def _login_form_footer_links
+      super << [10, create_account_path, create_account_link_text]
+    end
+
     def _new_account(login)
       acc = {login_column=>login}
       unless skip_status_checks?

data/lib/rodauth/features/disallow_common_passwords.rb

@@ -5,7 +5,7 @@ module Rodauth
     depends :login_password_requirements_base
 
     auth_value_method :most_common_passwords_file, File.expand_path('../../../../dict/top-10_000-passwords.txt', __FILE__)
-    auth_value_method :password_is_one_of_the_most_common_message, "is one of the most common passwords"
+    translatable_method :password_is_one_of_the_most_common_message, "is one of the most common passwords"
     auth_value_method :most_common_passwords, nil
 
     auth_methods :password_one_of_most_common?

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -4,7 +4,7 @@ module Rodauth
   Feature.define(:disallow_password_reuse, :DisallowPasswordReuse) do
     depends :login_password_requirements_base
 
-    auth_value_method :password_same_as_previous_password_message, "same as previous password"
+    translatable_method :password_same_as_previous_password_message, "same as previous password"
     auth_value_method :previous_password_account_id_column, :account_id
     auth_value_method :previous_password_hash_column, :password_hash
     auth_value_method :previous_password_hash_table, :account_previous_password_hashes
@@ -51,11 +51,13 @@ module Rodauth
         return true if salts.empty?
 
         salts.any? do |hash_id, salt|
-          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+          database_function_password_match?(:rodauth_previous_password_hash_match, hash_id, password, salt)
         end
       else
         # :nocov:
-        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        previous_password_ds.select_map(previous_password_hash_column).any? do |hash|
+          password_hash_match?(hash, password)
+        end
         # :nocov:
       end
 

data/lib/rodauth/features/email_auth.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:email_auth, :EmailAuth) do
     depends :login, :email_base
 
-    def_deprecated_alias :no_matching_email_auth_key_error_flash, :no_matching_email_auth_key_message
-
     notice_flash "An email has been sent to you with a link to login to your account", 'email_auth_email_sent'
     error_flash "There was an error logging you in"
     error_flash "There was an error requesting an email link to authenticate", 'email_auth_request'
@@ -23,17 +21,16 @@ module Rodauth
     redirect(:email_auth_email_recently_sent){default_post_email_redirect}
     
     auth_value_method :email_auth_deadline_column, :deadline
-    auth_value_method :email_auth_deadline_interval, {:days=>1}
-    auth_value_method :email_auth_email_subject, 'Login Link'
+    auth_value_method :email_auth_deadline_interval, {:days=>1}.freeze
+    translatable_method :email_auth_email_subject, 'Login Link'
     auth_value_method :email_auth_id_column, :id
     auth_value_method :email_auth_key_column, :key
     auth_value_method :email_auth_key_param, 'key'
     auth_value_method :email_auth_email_last_sent_column, :email_last_sent
     auth_value_method :email_auth_skip_resend_email_within, 300
     auth_value_method :email_auth_table, :account_email_auth_keys
+    auth_value_method :force_email_auth?, false
     session_key :email_auth_session_key, :email_auth_key
-
-    auth_value_methods :force_email_auth?
     
     auth_methods(
       :create_email_auth_email,
@@ -74,7 +71,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(email_auth_key_param)
-          session[email_auth_session_key] = key
+          set_session_value(email_auth_session_key, key)
           redirect(r.path)
         end
 
@@ -82,7 +79,7 @@ module Rodauth
           if account_from_email_auth_key(key)
             email_auth_view
           else
-            session[email_auth_session_key] = nil
+            remove_session_value(email_auth_session_key)
             set_redirect_error_flash no_matching_email_auth_key_error_flash
             redirect require_login_redirect
           end
@@ -97,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login
+        login('email_auth')
       end
     end
 
@@ -148,43 +145,44 @@ module Rodauth
       ds.get(email_auth_key_column)
     end
 
-    def login_form_footer
-      footer = super
-      footer += email_auth_request_form if valid_login_entered?
-      footer
-    end
-
     def email_auth_request_form
       render('email-auth-request-form')
     end
 
     def after_login_entered_during_multi_phase_login
-      if force_email_auth?
-        # If the account does not have a password hash, just send the
-        # email link.
-        _email_auth_request
-        redirect email_auth_email_sent_redirect
-      else
-        # If the account has a password hash, allow password login, but
-        # we will show form below to also login via email link.
-        super
-      end
+      # If forcing email auth, just send the email link.
+      _email_auth_request_and_redirect if force_email_auth?
+
+      super
     end
 
     def use_multi_phase_login?
       true
     end
 
-    def force_email_auth?
-      get_password_hash.nil?
+    def possible_authentication_methods
+      methods = super
+      methods << 'email_auth' if !methods.include?('password') && allow_email_auth?
+      methods
     end
 
     private
 
+    def _multi_phase_login_forms
+      forms = super
+      forms << [30, email_auth_request_form, :_email_auth_request_and_redirect] if valid_login_entered? && allow_email_auth?
+      forms
+    end
+
     def email_auth_email_recently_sent?
       (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
     end
 
+    def _email_auth_request_and_redirect
+      _email_auth_request
+      redirect email_auth_email_sent_redirect
+    end
+
     def _email_auth_request
       if email_auth_email_recently_sent?
         set_redirect_error_flash email_auth_email_recently_sent_error_flash
@@ -204,6 +202,10 @@ module Rodauth
 
     attr_reader :email_auth_key_value
 
+    def allow_email_auth?
+      defined?(super) ? super : true
+    end
+
     def after_login
       # Remove the email auth key after any login, even if
       # it is a password login.  This is done to invalidate
@@ -213,7 +215,7 @@ module Rodauth
       # that allows login access to the account becomes a
       # security liability, and it is best to remove it.
       remove_email_auth_key
-      super if defined?(super)
+      super
     end
 
     def after_close_account

data/lib/rodauth/features/email_base.rb

@@ -2,7 +2,7 @@
 
 module Rodauth
   Feature.define(:email_base, :EmailBase) do
-    auth_value_method :email_subject_prefix, nil
+    translatable_method :email_subject_prefix, ''
     auth_value_method :require_mail?, true
     auth_value_method :allow_raw_email_token?, false
 
@@ -43,7 +43,7 @@ module Rodauth
     end
 
     def email_from
-      "webmaster@#{request.host}"
+      "webmaster@#{domain}"
     end
 
     def email_to
@@ -51,7 +51,7 @@ module Rodauth
     end
 
     def token_link(route, param, key)
-      "#{route_url(route)}?#{param}=#{account_id}#{token_separator}#{convert_email_token_key(key)}"
+      route_url(route, param => "#{account_id}#{token_separator}#{convert_email_token_key(key)}")
     end
 
     def convert_email_token_key(key)

data/lib/rodauth/features/http_basic_auth.rb

@@ -3,54 +3,74 @@
 module Rodauth
   Feature.define(:http_basic_auth, :HttpBasicAuth) do
     auth_value_method :http_basic_auth_realm, "protected"
-    auth_value_method :require_http_basic_auth, false
+    auth_value_method :require_http_basic_auth?, false
 
-    def session
-      return @session if defined?(@session)
-      sess = super
-      return sess if sess[session_key]
-      return sess unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
-      username, password = token.unpack("m*").first.split(/:/, 2)
+    def logged_in?
+      ret = super
 
-      if username && password
-        catch_error do
-          unless account_from_login(username)
-            throw_basic_auth_error(login_param, no_matching_login_message)
-          end
-
-          before_login_attempt
-          
-          unless open_account?
-            throw_basic_auth_error(login_param, no_matching_login_message)
-          end
-
-          unless password_match?(password)
-            after_login_failure
-            throw_basic_auth_error(password_param, invalid_password_message)
-          end
-          
-          transaction do
-            before_login
-            sess[session_key] = account_session_value
-            after_login
-          end
-        end
+      if !ret && !defined?(@checked_http_basic_auth)
+        http_basic_auth
+        ret = super
       end
 
-      sess
+      ret
     end
 
-    private
-
     def require_login
-      if !logged_in? && require_http_basic_auth
+      if require_http_basic_auth?
+        require_http_basic_auth
+      end
+
+      super
+    end
+
+    def require_http_basic_auth
+      unless http_basic_auth
         set_http_basic_auth_error_response
         request.halt
       end
+    end
 
-      super
+    def http_basic_auth
+      return @checked_http_basic_auth if defined?(@checked_http_basic_auth)
+
+      @checked_http_basic_auth = nil
+      return unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
+
+      username, password = token.unpack("m*").first.split(/:/, 2)
+      return unless username && password
+
+      catch_error do
+        unless account_from_login(username)
+          throw_basic_auth_error(login_param, no_matching_login_message)
+        end
+
+        before_login_attempt
+
+        unless open_account?
+          throw_basic_auth_error(login_param, no_matching_login_message)
+        end
+
+        unless password_match?(password)
+          after_login_failure
+          throw_basic_auth_error(password_param, invalid_password_message)
+        end
+
+        transaction do
+          before_login
+          login_session('password')
+          after_login
+        end
+
+        @checked_http_basic_auth = true
+        return true
+      end
+
+      nil
     end
 
+    private
+
     def set_http_basic_auth_error_response
       response.status = 401
       response.headers["WWW-Authenticate"] = "Basic realm=\"#{http_basic_auth_realm}\""