rodauth 1.23.0 → 2.4.0

data/lib/rodauth/features/password_pepper.rb

@@ -0,0 +1,45 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:password_pepper, :PasswordPepper) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_pepper, nil
+    auth_value_method :previous_password_peppers, [""]
+    auth_value_method :password_pepper_update?, true
+
+    def password_match?(password)
+      if (result = super) && @previous_pepper_matched && password_pepper_update?
+        set_password(password)
+      end
+
+      result
+    end
+
+    private
+
+    def password_hash(password)
+      super(password + password_pepper.to_s)
+    end
+
+    def password_hash_match?(hash, password)
+      return super if password_pepper.nil?
+
+      return true if super(hash, password + password_pepper)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(hash, password + pepper)
+      end
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      return super if password_pepper.nil?
+
+      return true if super(name, hash_id, password + password_pepper, salt)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(name, hash_id, password + pepper, salt)
+      end
+    end
+  end
+end

data/lib/rodauth/features/recovery_codes.rb

@@ -17,11 +17,11 @@ module Rodauth
     button 'Authenticate via Recovery Code', 'recovery_auth'
     button 'View Authentication Recovery Codes', 'view_recovery_codes'
 
-    error_flash "Error authenticating via recovery code.", 'invalid_recovery_code'
-    error_flash "Unable to add recovery codes.", 'add_recovery_codes'
-    error_flash "Unable to view recovery codes.", 'view_recovery_codes'
+    error_flash "Error authenticating via recovery code", 'invalid_recovery_code'
+    error_flash "Unable to add recovery codes", 'add_recovery_codes'
+    error_flash "Unable to view recovery codes", 'view_recovery_codes'
 
-    notice_flash "Additional authentication recovery codes have been added.", 'recovery_codes_added'
+    notice_flash "Additional authentication recovery codes have been added", 'recovery_codes_added'
 
     redirect(:recovery_auth){recovery_auth_path}
     redirect(:add_recovery_codes){recovery_codes_path}
@@ -32,15 +32,19 @@ module Rodauth
     view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
 
     auth_value_method :add_recovery_codes_param, 'add'
-    auth_value_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
-    auth_value_method :invalid_recovery_code_message, "Invalid recovery code"
+    translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
+    auth_value_method :auto_add_recovery_codes?, false
+    translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
     auth_value_method :recovery_codes_id_column, :id
-    auth_value_method :recovery_codes_label, 'Recovery Code'
+    translatable_method :recovery_codes_label, 'Recovery Code'
     auth_value_method :recovery_codes_param, 'recovery-code'
     auth_value_method :recovery_codes_table, :account_recovery_codes
 
+    translatable_method :recovery_auth_link_text, "Authenticate Using Recovery Code"
+    translatable_method :recovery_codes_link_text, "View Authentication Recovery Codes"
+
     auth_cached_method :recovery_codes
 
     auth_value_methods(
@@ -59,7 +63,7 @@ module Rodauth
       require_login
       require_account_session
       require_two_factor_setup
-      require_two_factor_not_authenticated
+      require_two_factor_not_authenticated('recovery_code')
       before_recovery_auth_route
 
       r.get do
@@ -69,7 +73,7 @@ module Rodauth
       r.post do
         if recovery_code_match?(param(recovery_codes_param))
           before_recovery_auth
-          two_factor_authenticate(:recovery_code)
+          two_factor_authenticate('recovery_code')
         end
 
         set_response_error_status(invalid_key_error_status)
@@ -124,61 +128,24 @@ module Rodauth
 
     attr_accessor :recovery_codes_button
 
-    def two_factor_need_setup_redirect
-      super || (add_recovery_codes_redirect if recovery_codes_primary?)
-    end
-
-    def two_factor_auth_required_redirect
-      super || (recovery_auth_redirect if recovery_codes_primary?)
-    end
-
-    def two_factor_auth_fallback_redirect
-      recovery_auth_redirect
-    end
-
     def two_factor_remove
       super
       recovery_codes_remove
     end
 
-    def two_factor_authentication_setup?
-      super || (recovery_codes_primary? && !recovery_codes.empty?)
-    end
-
-    def otp_auth_form_footer
-      "#{super if defined?(super)}<p><a href=\"#{recovery_auth_path}\">Authenticate using recovery code</a></p>"
-    end
-
-    def otp_lockout_redirect
-      recovery_auth_redirect
-    end
-
-    def otp_lockout_error_flash
-      "#{super if defined?(super)} Can use recovery code to unlock."
-    end
-
     def otp_add_key
       super if defined?(super)
-      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+      auto_add_missing_recovery_codes
     end
 
     def sms_confirm
       super if defined?(super)
-      add_recovery_codes(recovery_codes_limit - recovery_codes.length)
-    end
-
-    def otp_remove
-      super if defined?(super)
-      unless recovery_codes_primary?
-        recovery_codes_remove
-      end
+      auto_add_missing_recovery_codes
     end
 
-    def sms_disable
+    def add_webauthn_credential(_)
       super if defined?(super)
-      unless recovery_codes_primary?
-        recovery_codes_remove
-      end
+      auto_add_missing_recovery_codes
     end
 
     def recovery_codes_remove
@@ -221,14 +188,43 @@ module Rodauth
       end
     end
 
+    def possible_authentication_methods
+      methods = super
+      methods << 'recovery_code' unless recovery_codes_ds.empty?
+      methods
+    end
+
     private
 
+    def _two_factor_auth_links
+      links = super
+      links << [40, recovery_auth_path, recovery_auth_link_text] unless recovery_codes_ds.empty?
+      links
+    end
+
+    def _two_factor_setup_links
+      links = super
+      links << [40, recovery_codes_path, recovery_codes_link_text] if (recovery_codes_primary? || uses_two_factor_authentication?)
+      links
+    end
+
+    def _two_factor_remove_all_from_session
+      two_factor_remove_session('recovery_code')
+      super
+    end
+
     def new_recovery_code
       random_key
     end
     
     def recovery_codes_primary?
-      (features & [:otp, :sms_codes]).empty?
+      (features & [:otp, :sms_codes, :webauthn]).empty?
+    end
+
+    def auto_add_missing_recovery_codes
+      if auto_add_recovery_codes?
+        add_recovery_codes(recovery_codes_limit - recovery_codes.length)
+      end
     end
 
     def _recovery_codes

data/lib/rodauth/features/remember.rb

@@ -2,8 +2,6 @@
 
 module Rodauth
   Feature.define(:remember, :Remember) do
-    depends :confirm_password
-
     notice_flash "Your remember setting has been updated"
     error_flash "There was an error updating your remember setting"
     loaded_templates %w'remember'
@@ -17,11 +15,10 @@ module Rodauth
     redirect
 
     auth_value_method :raw_remember_token_deadline, nil
-    auth_value_method :remember_cookie_options, {}
+    auth_value_method :remember_cookie_options, {}.freeze
     auth_value_method :extend_remember_deadline?, false
-    auth_value_method :remember_period, {:days=>14}
-    session_key :remembered_session_key, :remembered
-    auth_value_method :remember_deadline_interval, {:days=>14}
+    auth_value_method :remember_period, {:days=>14}.freeze
+    auth_value_method :remember_deadline_interval, {:days=>14}.freeze
     auth_value_method :remember_id_column, :id
     auth_value_method :remember_key_column, :key
     auth_value_method :remember_deadline_column, :deadline
@@ -31,13 +28,12 @@ module Rodauth
     auth_value_method :remember_remember_param_value, 'remember'
     auth_value_method :remember_forget_param_value, 'forget'
     auth_value_method :remember_disable_param_value, 'disable'
-    auth_value_method :remember_remember_label, 'Remember Me'
-    auth_value_method :remember_forget_label, 'Forget Me'
-    auth_value_method :remember_disable_label, 'Disable Remember Me'
+    translatable_method :remember_remember_label, 'Remember Me'
+    translatable_method :remember_forget_label, 'Forget Me'
+    translatable_method :remember_disable_label, 'Disable Remember Me'
 
     auth_methods(
       :add_remember_key,
-      :clear_remembered_session_key,
       :disable_remember_login,
       :forget_login,
       :generate_remember_key_value,
@@ -62,7 +58,9 @@ module Rodauth
         if [remember_remember_param_value, remember_forget_param_value, remember_disable_param_value].include?(remember)
           transaction do
             before_remember
+            # :nocov:
             case remember
+            # :nocov:
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value
@@ -109,9 +107,9 @@ module Rodauth
         return
       end
 
-      session[session_key] = id
+      set_session_value(session_key, id)
       account = account_from_session
-      session.delete(session_key)
+      remove_session_value(session_key)
 
       unless account
         remove_remember_key(id)
@@ -120,9 +118,8 @@ module Rodauth
       end
 
       before_load_memory
-      update_session
+      login_session('remember')
 
-      set_session_value(remembered_session_key, true)
       if extend_remember_deadline?
         active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
         remember_login
@@ -133,9 +130,7 @@ module Rodauth
     def remember_login
       get_remember_key
       opts = Hash[remember_cookie_options]
-      key = remember_key_value
-      key = compute_hmac(key) if hmac_secret
-      opts[:value] = "#{account_id}_#{key}"
+      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
@@ -174,12 +169,8 @@ module Rodauth
       remember_key_ds(id).delete
     end
 
-    def clear_remembered_session_key
-      session.delete(remembered_session_key)
-    end
-
     def logged_in_via_remember_key?
-      !!session[remembered_session_key]
+      authenticated_by.include?('remember')
     end
 
     private
@@ -194,11 +185,6 @@ module Rodauth
       super if defined?(super)
     end
 
-    def after_confirm_password
-      super
-      clear_remembered_session_key
-    end
-
     attr_reader :remember_key_value
 
     def generate_remember_key_value

data/lib/rodauth/features/reset_password.rb

@@ -4,8 +4,6 @@ module Rodauth
   Feature.define(:reset_password, :ResetPassword) do
     depends :login, :email_base, :login_password_requirements_base
 
-    def_deprecated_alias :no_matching_reset_password_key_error_flash, :no_matching_reset_password_key_message
-
     notice_flash "Your password has been reset"
     notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
     error_flash "There was an error resetting your password"
@@ -28,20 +26,19 @@ module Rodauth
     redirect(:reset_password_email_recently_sent){default_post_email_redirect}
     
     auth_value_method :reset_password_deadline_column, :deadline
-    auth_value_method :reset_password_deadline_interval, {:days=>1}
-    auth_value_method :reset_password_email_subject, 'Reset Password'
+    auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
+    translatable_method :reset_password_email_subject, 'Reset Password'
     auth_value_method :reset_password_key_param, 'key'
     auth_value_method :reset_password_autologin?, false
     auth_value_method :reset_password_table, :account_password_reset_keys
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
-    auth_value_method :reset_password_email_last_sent_column, nil
-    auth_value_method :reset_password_explanatory_text, "<p>If you have forgotten your password, you can request a password reset:</p>"
+    auth_value_method :reset_password_email_last_sent_column, :email_last_sent
+    translatable_method :reset_password_explanatory_text, "<p>If you have forgotten your password, you can request a password reset:</p>"
     auth_value_method :reset_password_skip_resend_email_within, 300
+    translatable_method :reset_password_request_link_text, "Forgot Password?"
     session_key :reset_password_session_key, :reset_password_key
 
-    auth_value_methods :reset_password_request_link
-
     auth_methods(
       :create_reset_password_key,
       :create_reset_password_email,
@@ -69,7 +66,15 @@ module Rodauth
       end
 
       r.post do
-        if account_from_login(param(login_param)) && open_account?
+        catch_error do
+          unless account_from_login(param(login_param))
+            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message)
+          end
+
+          unless open_account?
+            throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
+          end
+
           if reset_password_email_recently_sent?
             set_redirect_error_flash reset_password_email_recently_sent_error_flash
             redirect reset_password_email_recently_sent_redirect
@@ -84,12 +89,11 @@ module Rodauth
           end
 
           set_notice_flash reset_password_email_sent_notice_flash
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_redirect_error_flash reset_password_request_error_flash
+          redirect reset_password_email_sent_redirect
         end
 
-        redirect reset_password_email_sent_redirect
+        set_error_flash reset_password_request_error_flash
+        reset_password_request_view
       end
     end
 
@@ -99,7 +103,7 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(reset_password_key_param)
-          session[reset_password_session_key] = key
+          set_session_value(reset_password_session_key, key)
           redirect(r.path)
         end
 
@@ -107,7 +111,7 @@ module Rodauth
           if account_from_reset_password_key(key)
             reset_password_view
           else
-            session[reset_password_session_key] = nil
+            remove_session_value(reset_password_session_key)
             set_redirect_error_flash no_matching_reset_password_key_error_flash
             redirect require_login_redirect
           end
@@ -144,10 +148,10 @@ module Rodauth
           end
 
           if reset_password_autologin?
-            update_session
+            autologin_session('reset_password')
           end
 
-          session[reset_password_session_key] = nil
+          remove_session_value(reset_password_session_key)
           set_notice_flash reset_password_notice_flash
           redirect reset_password_redirect
         end
@@ -192,14 +196,6 @@ module Rodauth
       ds.get(reset_password_key_column)
     end
 
-    def login_form_footer
-      super + reset_password_request_link
-    end
-
-    def reset_password_request_link
-      "<p><a href=\"#{reset_password_request_path}\">Forgot Password?</a></p>"
-    end
-
     def set_reset_password_email_last_sent
        password_reset_ds.update(reset_password_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if reset_password_email_last_sent_column
     end
@@ -214,6 +210,10 @@ module Rodauth
 
     private
 
+    def _login_form_footer_links
+      super << [20, reset_password_request_path, reset_password_request_link_text]
+    end
+
     def reset_password_email_recently_sent?
       (email_last_sent = get_reset_password_email_last_sent) && (Time.now - email_last_sent < reset_password_skip_resend_email_within)
     end

data/lib/rodauth/features/session_expiration.rb

@@ -2,16 +2,16 @@
 
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
-    error_flash "This session has expired, please login again."
+    error_flash "This session has expired, please login again"
+    redirect{require_login_redirect}
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
+    auth_value_method :session_expiration_error_status, 401
     auth_value_method :session_expiration_default, true
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
 
-    auth_value_methods :session_expiration_redirect
-    
     def check_session_expiration
       return unless logged_in?
 
@@ -37,19 +37,16 @@ module Rodauth
 
     def expire_session
       clear_session
+      set_redirect_error_status session_expiration_error_status
       set_redirect_error_flash session_expiration_error_flash
       redirect session_expiration_redirect
     end
 
-    def session_expiration_redirect
-      require_login_redirect
-    end
-
-    private
-
     def update_session
       super
-      session[session_last_activity_session_key] = session[session_created_session_key] = Time.now.to_i
+      t = Time.now.to_i
+      set_session_value(session_last_activity_session_key, t)
+      set_session_value(session_created_session_key, t)
     end
   end
 end