rodauth 1.4.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eedc388675de95e1b6d8f6281bc57cefb262eec9
-  data.tar.gz: 725710de442759eba54e3a2245e2ed08af52d479
+  metadata.gz: 03da9b51a0536d056d085d1d6c7d69f037e63825
+  data.tar.gz: 6c554cef3c2f122fce444146f7032c922ef93b9d
 SHA512:
-  metadata.gz: c354d87afa1dac53d2589b2626a17841e33b3f3041145cf88ccaef9ad4a4041a94b1a5140b88e7fb43af7de8efde7ad26f34fec0a5f79b962617656eccb10a35
-  data.tar.gz: acc6f4b368095dafb9d102642b5da105405475fd73fae8e31c162fe086cb8f7baf849052a9274d6e64f5988b98bf7e4319595c8a746190b1edd6dd529414ded6
+  metadata.gz: 37a8361ce43dfcf74bf5768e386eba59555c44fb3da0b29ae638eefa61ad6f9db70e9f25cf42831fddef200b10db9bb36fd67d60d630dfe11e96275d3f2be5a4
+  data.tar.gz: d88123e032493908205f0f93f93f8ae813942d3574adddb89fb77cf9053f255f3d814c9c84ae84ee5c939ac1f946c60032b6bdba89b96644abb139ffea69fd3a

data/CHANGELOG

@@ -1,3 +1,31 @@
+=== 1.5.0 (2016-09-22)
+
+* Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
+
+* Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
+
+* Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
+
+* Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
+
+* Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
+
+* Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
+
+* Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
+
+* Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
+
+* Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
+
+* If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
+
+* The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
+
+* Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
+
+* Add template_opts configuration method, for overriding view/method options (jeremyevans)
+
 === 1.4.0 (2016-08-18)
 
 * Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)

data/README.rdoc

@@ -897,7 +897,7 @@ authentication only for particular branches:
     # ...
   end
 
-== JSON API Support
+=== JSON API Support
 
 To add support for handling JSON responses, you can pass the +:json+
 option to the plugin, and enable the JWT feature in addition to

data/doc/base.rdoc

@@ -59,6 +59,8 @@ set_deadline_values? :: Whether deadline values should be set.  True by default
                         on MySQL, as that doesn't support default values that
                         are not constant.  Can be set to true on other databases
                         if you want to vary the value based on a request parameter.
+template_opts :: Any template options to pass to view/render.  This can be used
+                 to set a custom layout, for example.
 use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into
                         the database.  Defaults to whether deadline values should
                         be set.

data/doc/jwt.rdoc

@@ -1,11 +1,14 @@
 = Documentation for JWT Feature
 
 The jwt feature adds support for JSON API access for all other features
-that ship with Rodauth, using JWT as the token format.
+that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
+authentication data.
 
 When this feature is used, all other features become accessible via a
 JSON API.  The JSON API uses the POST method for all requests, using
-the same parameter names as the features uses.
+the same parameter names as the features uses.  JSON API requests to
+Rodauth endpoints that use a method other than POST will result in a
+405 Method Not Allowed response.
 
 Responses are returned as JSON hashes.  In case of an error, the "error"
 entry is set to an error message, and the "field-error" entry is set to
@@ -16,20 +19,44 @@ message, though that can be disabled.
 In order to use this feature, you have to set the +jwt_secret+ configuration
 option the secret used to cryptographically protect the token.
 
+To use this JSON API, when processing responses for requests to a Rodauth
+endpoint, check for the Authorization header, and use the value of the
+response Authorization header as the request Authorization header in
+future requests, if the response Authorization header is set. If the
+response Authorization header is not set, then continue to use the
+previous Authorization header.
+
+When using this feature, consider using the :json=>:only option when
+loading the rodauth plugin, if you want Rodauth to only handle
+JSON requests.  If you don't use the :json=>:only option, the jwt feature
+will probably result in an error if a request to a Rodauth endpoint comes
+in with a Content-Type that isn't application/json, unless you also set
+<tt>only_json? false</tt> in your rodauth configuration.
+
 == Auth Value Methods
 
+invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
+json_accept_regexp :: The regexp to use to check the Accept header for JSON if jwt_check_accept? is true.
 json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
+json_not_accepted_error_message :: The error message to display if jwt_check_accept? is true and the Accept header is present but does not match json_request_content_type_regexp.
+json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
+json_response_content_type :: The content type to set for json responses, application/json by default.
 json_response_error_key :: The JSON result key containing an error message, "error" by default.
 json_response_error_status :: The HTTP status code to use for JSON error responses, 400 by default.
 json_response_field_error_key :: The JSON result key containing an field error message, "field-error" by default.
 json_response_success_key :: The JSON result key containing a success message for successful request, if set.  nil by default to not set success messages.
 jwt_algorithm :: The JWT algorithm to use, "HS256" by default.
 non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
-only_json? :: Whether to have Rodauth only allow JSON requests.  True by default, which means that rodauth will issue an error for non-JSON requests.
+only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if :json=>:only option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
+jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches.  By default, HTTP Basic and Digest authentication are ignored.
+jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT.  By default, a Bearer prefix is removed.
+jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, false by default for backwards compatibility.
 jwt_secret :: The JWT secret to use.  Access to this should be protected the same as a session secret.
+use_jwt? :: Whether to use the JWT in the Authorization header for authentication information.  If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if only_json? is true, or if the request uses a json content type.
 
 == Auth Methods
 
 json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
 jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
+session_jwt :: An encoded JWT for the current session.
 set_jwt_token(token) :: Set the JWT token in the response, by default storing it in the Authorization header.

data/doc/release_notes/1.5.0.txt

@@ -0,0 +1,74 @@
+= jwt Feature Additions/Improvements 
+
+* JSON format responses now have the response content type set to
+  application/json.
+
+* The jwt feature now does not break if HTTP Basic or Digest
+  authentication is used.
+
+* If jwt_check_accept? is true, Rodauth will return a 406 error if
+  a request Accept header is provided and it does not indicate that
+  JSON is acceptable.
+
+* Many new configuration methods have been added:
+
+  * invalid_jwt_format_error_message: The error message to use when a
+    JWT with an invalid format is submitted in the Authorization
+    header.
+
+  * json_accept_regexp: The regexp to use to check the Accept header
+    for JSON if jwt_check_accept? is true.
+
+  * json_not_accepted_error_message: The error message to display if
+    jwt_check_accept? is true and the Accept header is present but
+    does not match json_request_content_type_regexp.
+
+  * json_request_content_type_regexp: The regexp to use to recognize
+    a request as a json request.
+
+  * json_response_content_type: The content type to set for json
+    responses, application/json by default.
+
+  * jwt_authorization_ignore: A regexp matched against the
+    Authorization header, which skips JWT processing if it matches.
+    By default, HTTP Basic and Digest authentication are ignored.
+
+  * jwt_authorization_remove: A regexp to remove from the
+    Authorization header before processing the JWT.  By default, a
+    Bearer prefix is removed.
+
+  * jwt_check_accept?: Whether to check the Accept header to see if
+    the client supports JSON responses, false by default for backwards
+    compatibility.
+
+  * session_jwt: An encoded JWT for the current session.
+
+  * use_jwt?: Whether to use the JWT in the Authorization header for
+    authentication information.  If false, falls back to using the
+    rack session. By default, the Authorization header is used if it
+    is present, if only_json? is true, or if the request uses a json
+    content type.
+
+= jwt Feature Backwards Compatibility Issues
+
+* The only_json? setting in the jwt feature is now only true by
+  default if the :json=>:only option was used when loading the
+  rodauth plugin into the roda app.  Previously, it was always true,
+  but it only was considered in requests to Rodauth endpoints.  It
+  now also is considered in most Rodauth calls, and if true will use
+  an empty session instead of falling back to the rack session if an
+  Authorization header is not present.
+
+* Previously, the jwt feature only handled requests where the
+  request content-type is JSON.  It now also handles non-JSON
+  requests if the Authorization header is present or if only_json?
+  is true.
+
+* If an invalid JWT format is used in the Authorization header,
+  Rodauth now returns a 400 error, instead of raising an exception.
+
+= Other Improvements
+
+* A template_opts configuration method has been added, for
+  overriding the view/render options.  One possible use for this is
+  to specify a non-default layout.

data/lib/rodauth.rb

@@ -19,6 +19,7 @@ module Rodauth
   end
 
   def self.configure(app, opts={}, &block)
+    app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
     ((app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)).configure(&block)
   end
 

data/lib/rodauth/features/base.rb

@@ -29,6 +29,7 @@ module Rodauth
     auth_value_method :prefix, ''
     auth_value_method :require_bcrypt?, true
     auth_value_method :skip_status_checks?, true
+    auth_value_method :template_opts, {}
     auth_value_method :title_instance_variable, nil 
     auth_value_method :unverified_account_message, "unverified account, please verify account before logging in"
 
@@ -471,14 +472,17 @@ module Rodauth
     end
 
     def _view(meth, page)
-      auth = self
       auth_template_path = template_path(page)
+      opts = template_opts.dup
+      opts[:locals] = opts[:locals] ? opts[:locals].dup : {}
+      opts[:locals][:rodauth] = self
+
       scope.instance_exec do
-        template_opts = find_template(parse_template_opts(page, :locals=>{:rodauth=>auth}))
-        unless File.file?(template_path(template_opts))
-          template_opts[:path] = auth_template_path
+        opts = find_template(parse_template_opts(page, opts))
+        unless File.file?(template_path(opts))
+          opts[:path] = auth_template_path
         end
-        send(meth, template_opts)
+        send(meth, opts)
       end
     end
   end

data/lib/rodauth/features/jwt.rb

@@ -4,30 +4,42 @@ require 'jwt'
 
 module Rodauth
   Jwt = Feature.define(:jwt) do
+    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format in Authorization header"
     auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
+    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
+    auth_value_method :json_response_content_type, 'application/json'
     auth_value_method :json_response_error_status, 400
     auth_value_method :json_response_error_key, "error"
     auth_value_method :json_response_field_error_key, "field-error"
     auth_value_method :json_response_success_key, nil
     auth_value_method :jwt_algorithm, "HS256"
+    auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
+    auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
+    auth_value_method :jwt_check_accept?, false
     auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
-    auth_value_method :only_json?, true
 
-    auth_value_methods :jwt_secret
+    auth_value_methods(
+      :only_json?,
+      :jwt_secret,
+      :use_jwt?
+    )
 
     auth_methods(
       :json_request?,
       :jwt_token,
+      :session_jwt,
       :set_jwt_token
     )
 
     def session
-      return super unless json_request?
       return @session if defined?(@session)
-      @session = if token = jwt_token
+      return super unless use_jwt?
+
+      @session = if jwt_token
         s = {}
-        payload, header = JWT.decode(token, jwt_secret, true, :algorithm=>jwt_algorithm)
-        payload.each do |k,v|
+        jwt_payload.each do |k,v|
           s[k.to_sym] = v
         end
         s
@@ -38,37 +50,47 @@ module Rodauth
 
     def clear_session
       super
-      set_jwt if json_request?
+      set_jwt if use_jwt?
+    end
+
+    def only_json?
+      scope.class.opts[:rodauth_json] == :only
     end
 
     def set_field_error(field, message)
-      return super unless json_request?
+      return super unless use_jwt?
       json_response[json_response_field_error_key] = [field, message]
     end
 
     def set_error_flash(message)
-      return super unless json_request?
+      return super unless use_jwt?
       json_response[json_response_error_key] = message
     end
 
     def set_redirect_error_flash(message)
-      return super unless json_request?
+      return super unless use_jwt?
       json_response[json_response_error_key] = message
     end
 
     def set_notice_flash(message)
-      return super unless json_request?
+      return super unless use_jwt?
       json_response[json_response_success_key] = message if include_success_messages?
     end
 
     def set_notice_now_flash(message)
-      return super unless json_request?
+      return super unless use_jwt?
       json_response[json_response_success_key] = message if include_success_messages?
     end
 
+    def session_jwt
+      JWT.encode(session, jwt_secret, jwt_algorithm)
+    end
+
     def jwt_token
-      if v = request.env['HTTP_AUTHORIZATION']
-        v.sub(/\ABearer:?\s+/, '')
+      return @jwt_token if defined?(@jwt_token)
+
+      if (v = request.env['HTTP_AUTHORIZATION']) && v !~ jwt_authorization_ignore
+        @jwt_token = v.sub(jwt_authorization_remove, '')
       end
     end
 
@@ -79,19 +101,27 @@ module Rodauth
     private
 
     def before_rodauth
-      if only_json? && !json_request?
+      if json_request?
+        if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
+          response.status = 406
+          json_response[json_response_error_key] = json_not_accepted_error_message
+          response['Content-Type'] ||= json_response_content_type
+          response.write(request.send(:convert_to_json, json_response))
+          request.halt
+        end
+
+        unless request.post?
+          response.status = 405
+          response.headers['Allow'] = 'POST'
+          json_response[json_response_error_key] = json_non_post_error_message
+          return_json_response
+        end
+      elsif only_json?
         response.status = json_response_error_status
         response.write non_json_request_error_message
         request.halt
       end
 
-      if json_request? && !request.post?
-        response.status = 405
-        response.headers['Allow'] = 'POST'
-        json_response[json_response_error_key] = json_non_post_error_message
-        return_json_response
-      end
-
       super
     end
 
@@ -103,12 +133,22 @@ module Rodauth
       end
     end
 
+    def jwt_payload
+      JWT.decode(jwt_token, jwt_secret, true, :algorithm=>jwt_algorithm)[0]
+    rescue JWT::DecodeError
+      json_response[json_response_error_key] = invalid_jwt_format_error_message
+      response.status ||= json_response_error_status
+      response['Content-Type'] ||= json_response_content_type
+      response.write(request.send(:convert_to_json, json_response))
+      request.halt
+    end
+
     def jwt_secret
       raise ArgumentError, "jwt_secret not set"
     end
 
     def redirect(_)
-      return super unless json_request?
+      return super unless use_jwt?
       return_json_response
     end
 
@@ -118,7 +158,7 @@ module Rodauth
 
     def set_session_value(key, value)
       super
-      set_jwt if json_request?
+      set_jwt if use_jwt?
       value
     end
 
@@ -127,7 +167,7 @@ module Rodauth
     end
 
     def _view(meth, page)
-      return super unless json_request?
+      return super unless use_jwt?
       return super if meth == :render
       return_json_response
     end
@@ -135,17 +175,22 @@ module Rodauth
     def return_json_response
       response.status ||= json_response_error_status if json_response[json_response_error_key]
       set_jwt
+      response['Content-Type'] ||= json_response_content_type
       response.write(request.send(:convert_to_json, json_response))
       request.halt
     end
 
     def set_jwt
-      set_jwt_token(JWT.encode(session, jwt_secret, jwt_algorithm))
+      set_jwt_token(session_jwt)
     end
 
     def json_request?
       return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ /application\/json/
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def use_jwt?
+      jwt_token || only_json? || json_request?
     end
   end
 end

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.4.0'.freeze
+  VERSION = '1.5.0'.freeze
 
   def self.version
     VERSION

data/spec/jwt_spec.rb

@@ -0,0 +1,125 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth login feature' do
+  it "should not have jwt feature assume JWT token given during Basic/Digest authentication" do
+    rodauth do
+      enable :login, :logout
+    end
+    roda(:jwt) do |r|
+      rodauth.require_authentication
+      '1'
+    end
+
+    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
+    res.must_equal [400, {'error'=>'Please login to continue'}]
+
+    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
+    res.must_equal [400, {'error'=>'Please login to continue'}]
+  end
+
+  it "should return error message if invalid JWT format used in request Authorization header" do
+    rodauth do
+      enable :login, :logout
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      '1'
+    end
+
+    res = json_request('/login', :include_headers=>true, :login=>'foo@example.com', :password=>'0123456789')
+
+    res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>res[1]['Authorization'][1..-1]})
+    res.must_equal [400, {'error'=>'invalid JWT format in Authorization header'}]
+  end
+
+  it "should require json request content type in only json mode for rodauth endpoints only" do
+    oj = false
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      json_response_success_key 'success'
+      only_json?{oj}
+    end
+    roda(:csrf=>false, :json=>true) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      '1'
+    end
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    res[1].delete('Set-Cookie')
+    res.must_equal [302, {"Content-Type"=>'text/html', "Content-Length"=>'0', "Location"=>"/login",}, []]
+
+    res = json_request("/", :content_type=>'application/vnd.api+json', :method=>'GET')
+    res.must_equal [400, ['{"error":"Please login to continue"}']]
+
+    oj = true
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :method=>'GET')
+    res.must_equal [400, ['{"error":"Please login to continue"}']]
+
+    res = json_request("/", :method=>'GET')
+    res.must_equal [400, {'error'=>'Please login to continue'}]
+
+    res = json_request("/login", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    msg = "Only JSON format requests are allowed"
+    res[1].delete('Set-Cookie')
+    res.must_equal [400, {"Content-Type"=>'text/html', "Content-Length"=>msg.length.to_s}, [msg]]
+
+    json_login
+
+    res = json_request("/", :content_type=>'application/x-www-form-urlencoded', :include_headers=>true, :method=>'GET')
+    res.must_equal [200, {"Content-Type"=>'text/html', "Content-Length"=>'1'}, ['1']]
+  end
+
+  it "should allow non-json requests if only_json? is false" do
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      only_json? false
+    end
+    roda(:jwt_html) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      view(:content=>'1')
+    end
+
+    login
+    page.find('#notice_flash').text.must_equal 'You have been logged in'
+  end
+
+  it "should require POST for json requests" do
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      json_response_success_key 'success'
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request("/login", :method=>'GET')
+    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
+  end
+
+  it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      json_response_success_key 'success'
+      jwt_check_accept? true
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    res = json_request("/login", :headers=>{'HTTP_ACCEPT'=>'text/html'})
+    res.must_equal [406, {'error'=>'Unsupported Accept header. Must accept "application/json" or compatible content type'}]
+
+    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'*/*'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+    json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+  end
+end

data/spec/login_spec.rb

@@ -161,18 +161,12 @@ describe 'Rodauth login feature' do
     end
     roda(:jwt) do |r|
       r.rodauth
+      response['Content-Type'] = 'application/json'
       rodauth.logged_in? ? '1' : '2'
     end
 
     json_request.must_equal [200, 2]
 
-    visit '/login'
-    page.status_code.must_equal 400
-    page.body.must_equal "Only JSON format requests are allowed"
-
-    res = json_request("/login", :method=>'GET')
-    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
-
     res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
     res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
 

data/spec/rodauth_spec.rb

@@ -12,6 +12,19 @@ describe 'Rodauth' do
     proc{visit '/'}.must_raise NoMethodError
   end
 
+  it "should support template_opts" do
+    rodauth do
+      enable :login
+      template_opts(:layout_opts=>{:path=>'spec/views/layout-other.str'})
+    end
+    roda do |r|
+      r.rodauth
+    end
+
+    visit '/login'
+    page.title.must_equal 'Foo Login'
+  end
+
   it "should require login to perform certain actions" do
     rodauth do
       enable :login, :change_password, :change_login, :close_account

data/spec/spec_helper.rb

@@ -57,7 +57,7 @@ ENV['RACK_ENV'] = 'test'
 end
 
 Base = Class.new(Roda)
-Base.plugin :render, :layout=>{:path=>'spec/views/layout.str'}
+Base.plugin :render, :layout_opts=>{:path=>'spec/views/layout.str'}
 Base.plugin(:not_found){raise "path #{request.path_info} not found"}
 Base.use Rack::Session::Cookie, :secret=>'0123456789'
 class Base
@@ -86,11 +86,17 @@ class Minitest::HooksSpec
   end
 
   def roda(type=nil, &block)
-    jwt = type == :jwt
-    app = Class.new(jwt ? JsonBase : Base)
+    jwt_only = type == :jwt
+    jwt = type == :jwt || type == :jwt_html
+
+    app = Class.new(jwt_only ? JsonBase : Base)
     rodauth_block = @rodauth_block
     opts = type.is_a?(Hash) ? type : {}
-    opts[:json] = :only if jwt
+
+    if jwt
+      opts[:json] = jwt_only ? :only : true
+    end
+
     app.plugin(:rodauth, opts) do
       title_instance_variable :@title
       if jwt
@@ -129,6 +135,9 @@ class Minitest::HooksSpec
   end
 
   def json_request(path='/', params={})
+    include_headers = params.delete(:include_headers)
+    headers = params.delete(:headers)
+
     env = {"REQUEST_METHOD" => params.delete(:method) || "POST",
            "PATH_INFO" => path,
            "SCRIPT_NAME" => "",
@@ -144,6 +153,8 @@ class Minitest::HooksSpec
       env["HTTP_COOKIE"] = @cookie
     end
 
+    env.merge!(headers) if headers
+
     r = @app.call(env)
 
     if cookie = r[1]['Set-Cookie']
@@ -152,7 +163,14 @@ class Minitest::HooksSpec
     if authorization = r[1]['Authorization']
       @authorization = authorization
     end
-    [r[0], JSON.parse("[#{r[2].join}]").first]
+
+    if env["CONTENT_TYPE"] == "application/json"
+      r[1]['Content-Type'].must_equal 'application/json'
+      r[2] = JSON.parse("[#{r[2].join}]").first
+    end
+
+    r.delete_at(1) unless include_headers
+    r
   end
 
   def json_login(opts={})

data/spec/views/layout-other.str

@@ -0,0 +1,11 @@
+<!doctype html>
+<html>
+<head>
+<title>Foo #{@title}</title>
+</head>
+<body>
+#{"<div id='error_flash'>#{flash[:error]}</div>" if flash[:error]}
+#{"<div id='notice_flash'>#{flash[:notice]}</div>" if flash[:notice]}
+#{yield}
+</body>
+</html>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-18 00:00:00.000000000 Z
+date: 2016-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -230,6 +230,7 @@ extra_rdoc_files:
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
+- doc/release_notes/1.5.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -259,6 +260,7 @@ files:
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
+- doc/release_notes/1.5.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -310,6 +312,7 @@ files:
 - spec/confirm_password_spec.rb
 - spec/create_account_spec.rb
 - spec/disallow_password_reuse_spec.rb
+- spec/jwt_spec.rb
 - spec/lockout_spec.rb
 - spec/login_spec.rb
 - spec/migrate/001_tables.rb
@@ -330,6 +333,7 @@ files:
 - spec/verify_account_grace_period_spec.rb
 - spec/verify_account_spec.rb
 - spec/verify_change_login_spec.rb
+- spec/views/layout-other.str
 - spec/views/layout.str
 - spec/views/login.str
 - templates/add-recovery-codes.str