rodauth 1.23.0 → 2.4.0

data/lib/roda/plugins/rodauth.rb

@@ -1,5 +1,5 @@
 # frozen-string-literal: true
 
-require 'rodauth'
+require_relative '../../rodauth'
 
 Roda::RodaPlugins.register_plugin(:rodauth, Rodauth)

data/lib/rodauth.rb

@@ -14,15 +14,15 @@ module Rodauth
       require 'tilt/string'
       app.plugin :render
 
-      case opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
+      case opts.fetch(:csrf, app.opts[:rodauth_csrf])
       when false
         # nothing
-      when :route_csrf
-        app.plugin :route_csrf
-      else
+      when :rack_csrf
         # :nocov:
         app.plugin :csrf
         # :nocov:
+      else
+        app.plugin :route_csrf
       end
 
       app.plugin :flash unless opts[:flash] == false
@@ -31,8 +31,14 @@ module Rodauth
   end
 
   def self.configure(app, opts={}, &block)
-    app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
-    app.opts[:rodauth_csrf] = opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
+    json_opt = app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
+    csrf = app.opts[:rodauth_csrf] = opts.fetch(:csrf, app.opts[:rodauth_csrf])
+    app.opts[:rodauth_route_csrf] = case csrf
+    when false, :rack_csrf
+      false
+    else
+      json_opt != :only
+    end
     auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)
     if !auth_class.roda_class
       auth_class.roda_class = app
@@ -72,8 +78,7 @@ module Rodauth
     end
 
     def def_auth_value_method(meth, priv)
-      define_method(meth) do |*v, &block|
-        v = v.first
+      define_method(meth) do |v=nil, &block|
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
@@ -104,23 +109,17 @@ module Rodauth
       route_meth = :"#{name}_route"
       auth_value_method route_meth, default
 
-      define_method(:"#{name}_path") { route_path(send(route_meth)) }
-      define_method(:"#{name}_url") { route_url(send(route_meth)) }
+      define_method(:"#{name}_path"){|opts={}| route_path(send(route_meth), opts)}
+      define_method(:"#{name}_url"){|opts={}| route_url(send(route_meth), opts)}
 
       handle_meth = :"handle_#{name}"
       internal_handle_meth = :"_#{handle_meth}"
       before route_meth
-
-      unless block.arity == 1
-        # :nocov:
-        b = block
-        block = lambda{|r| instance_exec(r, &b)}
-        # :nocov:
-      end
       define_method(internal_handle_meth, &block)
 
       define_method(handle_meth) do
         request.is send(route_meth) do
+          check_csrf if check_csrf?
           before_rodauth
           send(internal_handle_meth, request)
         end
@@ -138,7 +137,9 @@ module Rodauth
       feature.module_eval(&block)
       configuration.def_configuration_methods(feature)
 
+      # :nocov:
       if constant
+      # :nocov:
         Rodauth.const_set(constant, feature)
         Rodauth::FeatureConfiguration.const_set(constant, configuration)
       end
@@ -180,8 +181,10 @@ module Rodauth
 
     def view(page, title, name=feature_name)
       meth = :"#{name}_view"
+      title_meth = :"#{name}_page_title"
+      translatable_method(title_meth, title)
       define_method(meth) do
-        view(page, title)
+        view(page, send(title_meth))
       end
       auth_methods meth
     end
@@ -190,6 +193,7 @@ module Rodauth
       define_method(:loaded_templates) do
         super().concat(v)
       end
+      private :loaded_templates
     end
 
     def depends(*deps)
@@ -197,10 +201,9 @@ module Rodauth
     end
 
     %w'after before'.each do |hook|
-      define_method(hook) do |*args|
-        name = args[0] || feature_name
+      define_method(hook) do |name=feature_name|
         meth = "#{hook}_#{name}"
-        class_eval("def #{meth}; super if defined?(super); _#{meth} end", __FILE__, __LINE__)
+        class_eval("def #{meth}; super if defined?(super); _#{meth}; hook_action(:#{hook}, :#{name}); nil end", __FILE__, __LINE__)
         class_eval("def _#{meth}; nil end", __FILE__, __LINE__)
         private meth, :"_#{meth}"
         auth_private_methods(meth)
@@ -221,6 +224,11 @@ module Rodauth
       auth_value_methods(meth)
     end
 
+    def translatable_method(meth, value)
+      define_method(meth){translate(meth, value)}
+      auth_value_methods(meth)
+    end
+
     def auth_cached_method(meth, iv=:"@#{meth}")
       umeth = :"_#{meth}"
       define_method(meth) do
@@ -234,9 +242,8 @@ module Rodauth
     end
 
     [:notice_flash, :error_flash, :button].each do |meth|
-      define_method(meth) do |v, *args|
-        name = args.shift || feature_name
-        auth_value_method(:"#{name}_#{meth}", v)
+      define_method(meth) do |v, name=feature_name|
+        translatable_method(:"#{name}_#{meth}", v)
       end
     end
   end
@@ -331,10 +338,8 @@ module Rodauth
     end
 
     def freeze
-      if opts[:rodauths]
-        opts[:rodauths].each_value(&:freeze)
-        opts[:rodauths].freeze
-      end
+      opts[:rodauths].each_value(&:freeze)
+      opts[:rodauths].freeze
       super
     end
   end

data/lib/rodauth/features/account_expiration.rb

@@ -69,6 +69,11 @@ module Rodauth
       update_last_login
     end
 
+    def update_session
+      check_account_expiration
+      super
+    end
+
     private
 
     def before_reset_password
@@ -96,11 +101,6 @@ module Rodauth
       account_activity_ds(account_id).delete
     end
 
-    def update_session
-      check_account_expiration
-      super
-    end
-
     def account_activity_ds(account_id)
       db[account_activity_table].
         where(account_activity_id_column=>account_id)

data/lib/rodauth/features/active_sessions.rb

@@ -0,0 +1,158 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:active_sessions, :ActiveSessions) do
+    depends :logout
+
+    error_flash 'This session has been logged out'
+    redirect
+
+    session_key :session_id_session_key, :active_session_id
+    auth_value_method :active_sessions_account_id_column, :account_id
+    auth_value_method :active_sessions_created_at_column, :created_at
+    auth_value_method :active_sessions_last_use_column, :last_use
+    auth_value_method :active_sessions_session_id_column, :session_id
+    auth_value_method :active_sessions_table, :account_active_session_keys
+    translatable_method :global_logout_label, 'Logout all Logged In Sessons?'
+    auth_value_method :global_logout_param, 'global_logout'
+    auth_value_method :inactive_session_error_status, 401
+    auth_value_method :session_inactivity_deadline, 86400
+    auth_value_method(:session_lifetime_deadline, 86400*30)
+
+    auth_methods(
+      :add_active_session,
+      :currently_active_session?,
+      :handle_duplicate_active_session_id,
+      :no_longer_active_session,
+      :remove_all_active_sessions,
+      :remove_current_session,
+      :remove_inactive_sessions,
+    )
+
+    def currently_active_session?
+      return false unless session_id = session[session_id_session_key]
+
+      remove_inactive_sessions
+      ds = active_sessions_ds.
+        where(active_sessions_session_id_column => compute_hmac(session_id))
+
+      if session_inactivity_deadline
+        ds.update(active_sessions_last_use_column => Sequel::CURRENT_TIMESTAMP) == 1
+      else
+        ds.count == 1
+      end
+    end
+
+    def check_active_session
+      if logged_in? && !currently_active_session?
+        no_longer_active_session
+      end
+    end
+
+    def no_longer_active_session
+      clear_session
+      set_redirect_error_status inactive_session_error_status
+      set_redirect_error_flash active_sessions_error_flash
+      redirect active_sessions_redirect
+    end
+
+    def add_active_session
+      key = random_key
+      set_session_value(session_id_session_key, key)
+      if e = raises_uniqueness_violation? do
+          active_sessions_ds.insert(active_sessions_account_id_column => session_value, active_sessions_session_id_column => compute_hmac(key))
+        end
+        handle_duplicate_active_session_id(e)
+      end
+      nil
+    end
+
+    def handle_duplicate_active_session_id(_e)
+      # Do nothing by default as session is already tracked.  This will result in
+      # the current session and the existing session with the same id
+      # being tracked together, so that a logout of one will logout
+      # the other, and updating the last use on one will update the other,
+      # but this should be acceptable.  However, this can be overridden if different
+      # behavior is desired.
+    end
+
+    def remove_current_session
+      active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session[session_id_session_key])).delete
+    end
+
+    def remove_all_active_sessions
+      active_sessions_ds.delete
+    end
+
+    def remove_inactive_sessions
+      if cond = inactive_session_cond
+        active_sessions_ds.where(cond).delete
+      end
+    end
+
+    def logout_additional_form_tags
+      super.to_s + render('global-logout-field')
+    end
+
+    def update_session
+      super
+      add_active_session
+    end
+
+    private
+
+    def after_refresh_token
+      super if defined?(super)
+      if prev_key = session[session_id_session_key]
+        key = random_key
+        set_session_value(session_id_session_key, key)
+        active_sessions_ds.
+          where(active_sessions_session_id_column => compute_hmac(prev_key)).
+          update(active_sessions_session_id_column => compute_hmac(key))
+      end
+    end
+
+    def after_close_account
+      super if defined?(super)
+      remove_all_active_sessions
+    end
+
+    def before_logout
+      if param_or_nil(global_logout_param)
+        remove_all_active_sessions
+      else
+        remove_current_session
+      end
+      super
+    end
+
+    def session_inactivity_deadline_condition
+      if deadline = session_inactivity_deadline
+        Sequel[active_sessions_last_use_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
+      end
+    end
+
+    def session_lifetime_deadline_condition
+      if deadline = session_lifetime_deadline
+        Sequel[active_sessions_created_at_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
+      end
+    end
+
+    def inactive_session_cond
+      cond = session_inactivity_deadline_condition
+      cond2 = session_lifetime_deadline_condition
+      return false unless cond || cond2
+      Sequel.|(*[cond, cond2].compact)
+    end
+
+    def active_sessions_ds
+      db[active_sessions_table].
+        where(active_sessions_account_id_column=>session_value)
+    end
+
+    def use_date_arithmetic?
+      true
+    end
+  end
+end
+

data/lib/rodauth/features/audit_logging.rb

@@ -0,0 +1,98 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:audit_logging, :AuditLogging) do
+    auth_value_method :audit_logging_account_id_column, :account_id
+    auth_value_method :audit_logging_message_column, :message
+    auth_value_method :audit_logging_metadata_column, :metadata
+    auth_value_method :audit_logging_table, :account_authentication_audit_logs
+    auth_value_method :audit_log_metadata_default, nil
+
+    auth_methods(
+      :add_audit_log,
+      :audit_log_insert_hash,
+      :audit_log_message,
+      :audit_log_message_default,
+      :audit_log_metadata,
+      :serialize_audit_log_metadata,
+    )
+
+    configuration_module_eval do
+      [:audit_log_message_for, :audit_log_metadata_for].each do |method|
+        define_method(method) do |action, value=nil, &block|
+          block ||= proc{value}
+          meth = :"#{method}_#{action}"
+          @auth.send(:define_method, meth, &block)
+          @auth.send(:private, meth)
+        end
+      end
+    end
+
+    def hook_action(hook_type, action)
+      super
+      # In after_logout, session is already cleared, so use before_logout in that case
+      if (hook_type == :after || action == :logout) && (id = account ? account_id : session_value)
+        add_audit_log(id, action)
+      end
+    end
+
+    def add_audit_log(account_id, action)
+      if hash = audit_log_insert_hash(account_id, action)
+        audit_log_ds.insert(hash)
+      end
+    end
+
+    def audit_log_insert_hash(account_id, action)
+      if message = audit_log_message(action)
+        {
+          audit_logging_account_id_column => account_id,
+          audit_logging_message_column => message,
+          audit_logging_metadata_column => serialize_audit_log_metadata(audit_log_metadata(action))
+        }
+      end
+    end
+
+    def serialize_audit_log_metadata(metadata)
+      metadata.to_json unless metadata.nil?
+    end
+
+    def audit_log_message_default(action)
+      action.to_s
+    end
+
+    def audit_log_message(action)
+      meth = :"audit_log_message_for_#{action}"
+      if respond_to?(meth, true)
+        send(meth)
+      else
+        audit_log_message_default(action)
+      end
+    end
+
+    def audit_log_metadata(action)
+      meth = :"audit_log_metadata_for_#{action}"
+      if respond_to?(meth, true)
+        send(meth)
+      else
+        audit_log_metadata_default
+      end
+    end
+
+    private
+
+    def audit_log_ds
+      ds = db[audit_logging_table]
+      # :nocov:
+      if db.database_type == :postgres
+      # :nocov:
+        # For PostgreSQL, use RETURNING NULL. This allows the feature
+        # to be used with INSERT but not SELECT permissions on the
+        # table, useful for audit logging where the database user
+        # the application is running as should not need to read the
+        # logs.
+        ds = ds.returning(nil)
+      end
+      ds
+    end
+  end
+end

data/lib/rodauth/features/base.rb

@@ -18,17 +18,19 @@ module Rodauth
     auth_value_method :account_unverified_status_value, 1
     auth_value_method :accounts_table, :accounts
     auth_value_method :cache_templates, true
+    auth_value_method :check_csrf_block, nil
+    auth_value_method :check_csrf_opts, {}.freeze
     auth_value_method :default_redirect, '/'
     session_key :flash_error_key, :error
     session_key :flash_notice_key, :notice
     auth_value_method :hmac_secret, nil
-    auth_value_method :input_field_label_suffix, ''
-    auth_value_method :input_field_error_class, 'error'
-    auth_value_method :input_field_error_message_class, 'error_message'
+    translatable_method :input_field_label_suffix, ''
+    auth_value_method :input_field_error_class, 'error is-invalid'
+    auth_value_method :input_field_error_message_class, 'error_message invalid-feedback'
     auth_value_method :invalid_field_error_status, 422
     auth_value_method :invalid_key_error_status, 401
     auth_value_method :invalid_password_error_status, 401
-    auth_value_method :invalid_password_message, "invalid password"
+    translatable_method :invalid_password_message, "invalid password"
     auth_value_method :login_column, :email
     auth_value_method :login_required_error_status, 401
     auth_value_method :lockout_error_status, 403
@@ -36,30 +38,39 @@ module Rodauth
     auth_value_method :password_hash_column, :password_hash
     auth_value_method :password_hash_table, :account_password_hashes
     auth_value_method :no_matching_login_error_status, 401
-    auth_value_method :no_matching_login_message, "no matching login"
+    translatable_method :no_matching_login_message, "no matching login"
     auth_value_method :login_param, 'login'
-    auth_value_method :login_label, 'Login'
-    auth_value_method :login_input_type, 'text'
-    auth_value_method :password_label, 'Password'
+    translatable_method :login_label, 'Login'
+    translatable_method :password_label, 'Password'
     auth_value_method :password_param, 'password'
-    auth_value_method :modifications_require_password?, true
     session_key :session_key, :account_id
+    session_key :authenticated_by_session_key, :authenticated_by
+    session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
+    auth_value_method :session_key_prefix, nil
     auth_value_method :require_bcrypt?, true
-    auth_value_method :mark_input_fields_as_required?, false
+    auth_value_method :mark_input_fields_as_required?, true
+    auth_value_method :mark_input_fields_with_autocomplete?, true
+    auth_value_method :mark_input_fields_with_inputmode?, true
     auth_value_method :skip_status_checks?, true
-    auth_value_method :template_opts, {}
+    auth_value_method :template_opts, {}.freeze
     auth_value_method :title_instance_variable, nil 
     auth_value_method :token_separator, "_"
     auth_value_method :unmatched_field_error_status, 422
     auth_value_method :unopen_account_error_status, 403
-    auth_value_method :unverified_account_message, "unverified account, please verify account before logging in"
+    translatable_method :unverified_account_message, "unverified account, please verify account before logging in"
+    auth_value_method :default_field_attributes, ''
 
     redirect(:require_login){"#{prefix}/login"}
 
     auth_value_methods(
+      :base_url,
+      :check_csrf?,
       :db,
-      :default_field_attributes,
+      :domain,
+      :login_input_type,
+      :login_uses_email?,
+      :modifications_require_password?,
       :set_deadline_values?,
       :use_date_arithmetic?,
       :use_database_authentication_functions?,
@@ -71,9 +82,13 @@ module Rodauth
       :account_session_value,
       :already_logged_in,
       :authenticated?,
+      :autocomplete_for_field?,
+      :check_csrf,
       :clear_session,
       :csrf_tag,
       :function_name,
+      :hook_action,
+      :inputmode_for_field?,
       :logged_in?,
       :login_required,
       :open_account?,
@@ -86,6 +101,7 @@ module Rodauth
       :set_notice_now_flash,
       :set_redirect_error_flash,
       :set_title,
+      :translate,
       :unverified_account_message,
       :update_session
     )
@@ -102,13 +118,6 @@ module Rodauth
       def auth_class_eval(&block)
         auth.class_eval(&block)
       end
-
-      def account_model(model)
-        warn "account_model is deprecated, use db and accounts_table settings"
-        db model.db
-        accounts_table model.table_name
-        account_select model.dataset.opts[:select]
-      end
     end
 
     attr_reader :scope
@@ -168,13 +177,29 @@ module Rodauth
         value = opts.fetch(:value){scope.h param(param)}
       end
 
-      "<input #{opts[:attr]} #{field_attributes(param)} #{field_error_attributes(param)} type=\"#{type}\" class=\"form-control#{add_field_error_class(param)}\" name=\"#{param}\" id=\"#{id}\" value=\"#{value}\"/> #{formatted_field_error(param)}"
-    end
+      field_class = opts.fetch(:class, "form-control")
+
+      if autocomplete_for_field?(param) && opts[:autocomplete]
+        autocomplete = "autocomplete=\"#{opts[:autocomplete]}\""
+      end
+
+      if inputmode_for_field?(param) && opts[:inputmode]
+        inputmode = "inputmode=\"#{opts[:inputmode]}\""
+      end
 
-    def default_field_attributes
-      if mark_input_fields_as_required?
-        "required=\"required\""
+      if mark_input_fields_as_required? && opts[:required] != false
+        required = "required=\"required\""
       end
+
+      "<input #{opts[:attr]} #{autocomplete} #{inputmode} #{required} #{field_attributes(param)} #{field_error_attributes(param)} type=\"#{type}\" class=\"#{field_class}#{add_field_error_class(param)}\" name=\"#{param}\" id=\"#{id}\" value=\"#{value}\"/> #{formatted_field_error(param) unless opts[:skip_error_message]}"
+    end
+
+    def autocomplete_for_field?(_param)
+      mark_input_fields_with_autocomplete?
+    end
+
+    def inputmode_for_field?(_param)
+      mark_input_fields_with_inputmode?
     end
 
     def field_attributes(field)
@@ -193,6 +218,15 @@ module Rodauth
       end
     end
 
+    def hook_action(_hook_type, _action)
+      # nothing by default
+    end
+
+    def translate(_key, default)
+      # do not attempt to translate by default
+      default
+    end
+
     # Return urlsafe base64 HMAC for data, assumes hmac_secret is set.
     def compute_hmac(data)
       s = [compute_raw_hmac(data)].pack('m').chomp!("=\n")
@@ -222,6 +256,10 @@ module Rodauth
       Sequel::DATABASES.first
     end
 
+    def password_field_autocomplete_value
+      @password_field_autocomplete_value || 'current-password'
+    end
+
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -237,6 +275,14 @@ module Rodauth
       nil
     end
 
+    def login_input_type
+      login_uses_email? ? 'email' : 'text'
+    end
+
+    def login_uses_email?
+      login_column == :email
+    end
+
     def clear_session
       if scope.respond_to?(:clear_session)
         scope.clear_session
@@ -293,6 +339,10 @@ module Rodauth
       @account = _account_from_session
     end
 
+    def check_csrf
+      scope.check_csrf!(check_csrf_opts, &check_csrf_block)
+    end
+
     def csrf_tag(path=request.path)
       return unless scope.respond_to?(:csrf_tag)
 
@@ -344,16 +394,34 @@ module Rodauth
     def password_match?(password)
       if hash = get_password_hash
         if account_password_hash_column || !use_database_authentication_functions?
-          BCrypt::Password.new(hash) == password
+          password_hash_match?(hash, password)
         else
-          db.get(Sequel.function(function_name(:rodauth_valid_password_hash), account_id, BCrypt::Engine.hash_secret(password, hash)))
+          database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
         end 
       end
     end
 
     def update_session
       clear_session
-      session[session_key] = account_session_value
+      set_session_value(session_key, account_session_value)
+    end
+
+    def authenticated_by
+      session[authenticated_by_session_key]
+    end
+
+    def login_session(auth_type)
+      update_session
+      set_session_value(authenticated_by_session_key, [auth_type])
+    end
+
+    def autologin_type
+      session[autologin_type_session_key]
+    end
+
+    def autologin_session(autologin_type)
+      login_session('autologin')
+      set_session_value(autologin_type_session_key, autologin_type)
     end
 
     # Return a string for the parameter name.  This will be an empty
@@ -365,12 +433,40 @@ module Rodauth
     # Return a string for the parameter name, or nil if there is no
     # parameter with that name.
     def param_or_nil(key)
-      value = request.params[key]
+      value = raw_param(key)
       value.to_s unless value.nil?
     end
 
+    def raw_param(key)
+      request.params[key]
+    end
+
+    def base_url
+      request.base_url
+    end
+
+    def domain
+      request.host
+    end
+
+    def modifications_require_password?
+      has_password?
+    end
+
+    def possible_authentication_methods
+      has_password? ? ['password'] : []
+    end
+
     private
 
+    def database_function_password_match?(name, hash_id, password, salt)
+      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+    end
+
+    def password_hash_match?(hash, password)
+      BCrypt::Password.new(hash) == password
+    end
+
     def convert_token_key(key)
       if key && hmac_secret
         compute_hmac(key)
@@ -387,33 +483,26 @@ module Rodauth
       request.redirect(path)
     end
 
-    def route_path(route)
-      "#{prefix}/#{route}"
+    def route_path(route, opts={})
+      path  = "#{prefix}/#{route}"
+      path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?
+      path
     end
 
-    def route_url(route)
-      "#{request.base_url}#{route_path(route)}"
+    def route_url(route, opts={})
+      "#{base_url}#{route_path(route, opts)}"
     end
 
     def transaction(opts={}, &block)
       db.transaction(opts, &block)
     end
 
-    if RUBY_VERSION >= '1.9'
-      def random_key
-        SecureRandom.urlsafe_base64(32)
-      end
-    else
-      # :nocov:
-      def random_key
-        s = [SecureRandom.random_bytes(32)].pack('m').chomp!("=\n")
-        s.tr!('+/', '-_')
-        s
-      end
-      # :nocov:
+    def random_key
+      SecureRandom.urlsafe_base64(32)
     end
 
     def convert_session_key(key)
+      key = "#{session_key_prefix}#{key}".to_sym if session_key_prefix
       scope.opts[:sessions_convert_symbols] ? key.to_s : key
     end
 
@@ -476,7 +565,11 @@ module Rodauth
     end
 
     def use_request_specific_csrf_tokens?
-      scope.opts[:rodauth_csrf] == :route_csrf && scope.use_request_specific_csrf_tokens?
+      scope.opts[:rodauth_route_csrf] && scope.use_request_specific_csrf_tokens?
+    end
+
+    def check_csrf?
+      scope.opts[:rodauth_route_csrf]
     end
 
     def function_name(name)
@@ -489,13 +582,19 @@ module Rodauth
       end
     end
 
+    def has_password?
+      return @has_password if defined?(@has_password)
+      return false unless account || session_value
+      @has_password = !!get_password_hash
+    end
+
     # Get the password hash for the user.  When using database authentication functions,
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        account[account_password_hash_column]
+        (account || account_from_session)[account_password_hash_column]
       elsif use_database_authentication_functions?
-        db.get(Sequel.function(function_name(:rodauth_get_salt), account_id))
+        db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else
         # :nocov:
         password_hash_ds.get(password_hash_column)
@@ -548,7 +647,7 @@ module Rodauth
     end
 
     def password_hash_ds
-      db[password_hash_table].where(password_hash_id_column=>account_id)
+      db[password_hash_table].where(password_hash_id_column=>account ? account_id : session_value)
     end
 
     # This is needed for jdbc/sqlite, which returns timestamp columns as strings
@@ -615,6 +714,10 @@ module Rodauth
       session[key] = value
     end
 
+    def remove_session_value(key)
+      session.delete(key)
+    end
+
     def update_hash_ds(hash, ds, values)
       num = ds.update(values)
       if num == 1