rodauth 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 72d21867a8a5d725cfe2331b979ffbe31f3e9e9a
-  data.tar.gz: b204b666ab3b52ab94c291a660af0c6f6741772b
+  metadata.gz: 65176959334b7e6fa96008eabe2b3f6f4d69032d
+  data.tar.gz: 44aeba80765dfc4a4afa4f15848f4004a83d453a
 SHA512:
-  metadata.gz: 6e7ec902dd360cf3687097e3c8934687f8915f277334270b2acbf3a02e33314e83cb42631ae3539d8edfaa87dc50aaebeef5b184f0fdc601c1d0c8ee196156be
-  data.tar.gz: 49de39a38e7cb00f6869c4c0bc25f7df521f541615373d21530d802b5d390924a178b86274620ed6b08517157bd704eaad1dc5c7847e9ee2ef5df1d2ae25ac44
+  metadata.gz: 0500da1e1abe0cf9ed4e3cac1ca02102ab8a388bc6726e35de3934600676e7c886ca0181d2e0bd06385d1cd43015120cf5b4a97dcbaff6ceba4dc66ae8ac9abd
+  data.tar.gz: 8a5eed74a9f73f0ef22a9965a8c7f74b5c5de6036fa9af62d6adced7304f01a147d3f9e16d2966a79a898766704d512079d801f5be6864929f533db9f1aacfed

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 1.8.0 (2017-01-06)
+
+* Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
+
+* Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
+
 === 1.7.0 (2016-11-22)
 
 * Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2016 Jeremy Evans
+Copyright (c) 2015-2017 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/doc/base.rdoc

@@ -37,13 +37,23 @@ account_select :: An array of columns to select from +accounts_table+. By
 account_status_column :: The status id column in the account model.
 account_unverified_status_value :: The representating unverified accounts.
 default_redirect :: Where to redirect after most successful actions.
+invalid_field_error_status :: The response status to use for invalid field
+                              value errors, 422 by default.
+invalid_key_error_status :: The response status to use for invalid key codes,
+                            401 by default.
+invalid_password_error_status :: The response status to use for invalid passwords,
+                                 401 by default.
 invalid_password_message :: The error message to display when a given
                             password doesn't match the stored password hash.
+lockout_error_status :: The response status to use a login is attempted to an account that
+                        is locked out, 403 by default.
 login_column :: The login column in the account model.
 login_label :: The label to use for logins.
 login_param :: The parameter name to use for logins.
 modifications_require_password? :: Whether making changes to an account requires
                                    the user reinputing their password.
+no_matching_login_error_status :: The response status to use when the login is not
+                                  in the database, 401 by default.
 no_matching_login_message :: The error message to display when the login
                              used is not in the database.
 password_hash_column :: The password hash column in the password hash table.
@@ -61,6 +71,10 @@ set_deadline_values? :: Whether deadline values should be set.  True by default
                         if you want to vary the value based on a request parameter.
 template_opts :: Any template options to pass to view/render.  This can be used
                  to set a custom layout, for example.
+unmatched_field_error_status :: The response status to use when two field values should
+                                match but do not, 422 by default.
+unopen_account_error_status :: The response status to use when trying to login to an
+                               account that isn't open, 403 by default.
 use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into
                         the database.  Defaults to whether deadline values should
                         be set.

data/doc/jwt.rdoc

@@ -41,6 +41,7 @@ json_non_post_error_message :: The error message to use when a JSON non-POST req
 json_not_accepted_error_message :: The error message to display if jwt_check_accept? is true and the Accept header is present but does not match json_request_content_type_regexp.
 json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
 json_response_content_type :: The content type to set for json responses, application/json by default.
+json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, false by default for backwards compatibility.
 json_response_error_key :: The JSON result key containing an error message, "error" by default.
 json_response_error_status :: The HTTP status code to use for JSON error responses, 400 by default.
 json_response_field_error_key :: The JSON result key containing an field error message, "field-error" by default.

data/doc/login.rdoc

@@ -9,6 +9,8 @@ login_additional_form_tags :: HTML fragment containing additional form
                               tags to use on the login form.
 login_button :: The text to use for the login button.
 login_error_flash :: The flash error to show for an unsuccesful login.
+login_error_status :: The response status to use when using an invalid
+                      login or password to login, 401 by default.
 login_form_footer :: A message to display after the login form.
 login_notice_flash :: The flash notice to show after successful login.
 login_redirect :: Where to redirect after a sucessful login.

data/doc/release_notes/1.8.0.txt

@@ -0,0 +1,14 @@
+= Improvements
+
+* When using a browser, Rodauth now uses an appropriate 401, 403,
+  or 422 error status for errors instead of using 200 success status.
+  Many configuration methods have been added to customize the status
+  codes used for specific types of errors.
+
+* The json_response_custom_error_status? configuration method
+  has been added to the jwt feature, which if set to true makes
+  the jwt feature use the same error status codes for JSON API
+  requests that it would use for browser requests.  For backward
+  compatibility, the default is to continue to use the 400
+  error status for all errors in the JSON API, but this will
+  change in Rodauth 2.

data/doc/sms_codes.rdoc

@@ -21,7 +21,8 @@ you prefer:
 == Auth Value Methods
 
 no_current_sms_code_error_flash :: The flash error to show when going to the SMS authentication page and no current SMS authentication code is available.
-sms_already_setup_error_flash :: The flash error to show when goign to a page to setup SMS authentication if SMS authentication has already been setup.
+sms_already_setup_error_status :: The response status to use when going to a page to setup SMS authentication if SMS authentication has already been setup, 403 by default.
+sms_already_setup_error_flash :: The flash error to show when going to a page to setup SMS authentication if SMS authentication has already been setup.
 sms_already_setup_redirect :: Where to redirect when going to a page to setup SMS authentication if SMS authentication has already been setup.
 sms_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via SMS.
 sms_auth_button :: Text to use for button on form to authenticate via SMS.
@@ -56,6 +57,7 @@ sms_invalid_phone_message :: The error message to show when an invalid SMS phone
 sms_issued_at_column :: The column in the +sms_codes_table+ containing the time the SMS code was issued.
 sms_lockout_error_flash :: The flash error to show when SMS authentication has been locked out due to repeated failures.
 sms_lockout_redirect :: Where to redirect after SMS authentication has been locked out.
+sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
 sms_needs_confirmation_error_flash :: The flash error to show on SMS authentication pages when SMS authentication setup needs confirmation.
 sms_needs_confirmation_redirect :: Where to redirect after SMS setup, when confirmation is required.
 sms_needs_setup_redirect :: Where to redirect if going to an SMS authentication page when SMS authentication has not been setup.

data/doc/two_factor_base.rdoc

@@ -5,14 +5,17 @@ factor authentication features.
 
 == Auth Value Methods
 
-two_factor_already_authenticated_error_flash :: The flash error to show if going to a two factor authentication page when already authenticated via 2nd factor
+two_factor_already_authenticated_error_status :: The response status to use if going to a two factor authentication page when already authenticated via 2nd factor, 403 by default.
+two_factor_already_authenticated_error_flash :: The flash error to show if going to a two factor authentication page when already authenticated via 2nd factor.
 two_factor_already_authenticated_redirect :: Where to redirect if going to a two factor authentication page when already authenticated via 2nd factor.
 two_factor_auth_notice_flash :: The flash notice to show after a successful two factor authentication.
 two_factor_auth_redirect :: Whether to redirect after a successful two factor authentication.
 two_factor_auth_required_redirect :: Where to redirect if going to a page requiring two factor authentication when not authenticated via 2nd factor.
 two_factor_modifications_require_password? :: Whether modifications to two factor authentication require the use of passwords.
+two_factor_need_authentication_error_status :: The response status to use if going to a page that requires two factor authentication when not authenticated, 401 by default.
 two_factor_need_authentication_error_flash :: The flash error to show if going to a page that requires two factor authentication when not authenticated.
 two_factor_need_setup_redirect :: Where to redirect if going to a two factor authentication page when two factor authentication has not been setup.
+two_factor_not_setup_error_status :: The response status to use if going to a two factor authentication page when two factor authentication has not been setup, 403 by default.
 two_factor_not_setup_error_flash :: The flash error to show if going to a two factor authentication page when two factor authentication has not been setup.
 two_factor_session_key :: The session key used for storing a symbol indicating which type of 2nd factor was used to authenticate.
 two_factor_setup_session_key :: The session key used for storing whether two factor authentication has been setup for the current account.

data/lib/rodauth/features/base.rb

@@ -18,11 +18,16 @@ module Rodauth
     auth_value_method :account_unverified_status_value, 1
     auth_value_method :accounts_table, :accounts
     auth_value_method :default_redirect, '/'
+    auth_value_method :invalid_field_error_status, 422
+    auth_value_method :invalid_key_error_status, 401
+    auth_value_method :invalid_password_error_status, 401
     auth_value_method :invalid_password_message, "invalid password"
     auth_value_method :login_column, :email
+    auth_value_method :lockout_error_status, 403
     auth_value_method :password_hash_id_column, :id
     auth_value_method :password_hash_column, :password_hash
     auth_value_method :password_hash_table, :account_password_hashes
+    auth_value_method :no_matching_login_error_status, 401
     auth_value_method :no_matching_login_message, "no matching login"
     auth_value_method :login_param, 'login'
     auth_value_method :login_label, 'Login'
@@ -35,6 +40,8 @@ module Rodauth
     auth_value_method :skip_status_checks?, true
     auth_value_method :template_opts, {}
     auth_value_method :title_instance_variable, nil 
+    auth_value_method :unmatched_field_error_status, 422
+    auth_value_method :unopen_account_error_status, 403
     auth_value_method :unverified_account_message, "unverified account, please verify account before logging in"
 
     redirect(:require_login){"#{prefix}/login"}
@@ -321,11 +328,24 @@ module Rodauth
       catch(:rodauth_error, &block)
     end
 
+    # Don't set an error status when redirecting in an error case, as a redirect status is needed.
+    def set_redirect_error_status(status)
+    end
+
+    def set_response_error_status(status)
+      response.status = status
+    end
+
     def throw_error(field, error)
       set_field_error(field, error)
       throw :rodauth_error
     end
 
+    def throw_error_status(status, field, error)
+      set_response_error_status(status)
+      throw_error(field, error)
+    end
+
     def use_date_arithmetic?
       set_deadline_values?
     end

data/lib/rodauth/features/change_login.rb

@@ -28,22 +28,22 @@ module Rodauth
       r.post do
         catch_error do
           if change_login_requires_password? && !password_match?(param(password_param))
-            throw_error(password_param, invalid_password_message)
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
           end
 
           login = param(login_param)
           unless login_meets_requirements?(login)
-            throw_error(login_param, login_does_not_meet_requirements_message)
+            throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
           end
 
           if require_login_confirmation? && login != param(login_confirm_param)
-            throw_error(login_param, logins_do_not_match_message)
+            throw_error_status(unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 
           transaction do
             before_change_login
             unless change_login(login)
-              throw_error(login_param, login_does_not_meet_requirements_message)
+              throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
             end
 
             after_change_login

data/lib/rodauth/features/change_password.rb

@@ -29,20 +29,20 @@ module Rodauth
       r.post do
         catch_error do
           if change_password_requires_password? && !password_match?(param(password_param))
-            throw_error(password_param, invalid_password_message)
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
           end
 
           password = param(new_password_param)
           if require_password_confirmation? && password != param(password_confirm_param)
-            throw_error(new_password_param, passwords_do_not_match_message)
+            throw_error_status(unmatched_field_error_status, new_password_param, passwords_do_not_match_message)
           end
 
           if password_match?(password) 
-            throw_error(new_password_param, same_as_existing_password_message)
+            throw_error_status(invalid_field_error_status, new_password_param, same_as_existing_password_message)
           end
 
           unless password_meets_requirements?(password)
-            throw_error(new_password_param, password_does_not_meet_requirements_message)
+            throw_error_status(invalid_field_error_status, new_password_param, password_does_not_meet_requirements_message)
           end
 
           transaction do

data/lib/rodauth/features/close_account.rb

@@ -46,6 +46,7 @@ module Rodauth
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
         else
+          set_response_error_status(invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           set_error_flash close_account_error_flash
           close_account_view

data/lib/rodauth/features/confirm_password.rb

@@ -32,6 +32,7 @@ module Rodauth
           set_notice_flash confirm_password_notice_flash
           redirect confirm_password_redirect
         else
+          set_response_error_status(invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           set_error_flash confirm_password_error_flash
           confirm_password_view

data/lib/rodauth/features/create_account.rb

@@ -46,25 +46,25 @@ module Rodauth
 
         catch_error do
           if require_login_confirmation? && login != param(login_confirm_param)
-            throw_error(login_param, logins_do_not_match_message)
+            throw_error_status(unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 
           unless login_meets_requirements?(login)
-            throw_error(login_param, login_does_not_meet_requirements_message)
+            throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
           end
 
           if require_password_confirmation? && password != param(password_confirm_param)
-            throw_error(password_param, passwords_do_not_match_message)
+            throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
           end
 
           unless password_meets_requirements?(password)
-            throw_error(password_param, password_does_not_meet_requirements_message)
+            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
           end
 
           transaction do
             before_create_account
             unless save_account
-              throw_error(login_param, login_does_not_meet_requirements_message)
+              throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
             end
 
             unless account_password_hash_column

data/lib/rodauth/features/jwt.rb

@@ -11,6 +11,7 @@ module Rodauth
     auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
     auth_value_method :json_response_content_type, 'application/json'
     auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_custom_error_status?, false
     auth_value_method :json_response_error_key, "error"
     auth_value_method :json_response_field_error_key, "field-error"
     auth_value_method :json_response_success_key, nil
@@ -193,6 +194,20 @@ module Rodauth
       @json_request = request.content_type =~ json_request_content_type_regexp
     end
 
+    def set_redirect_error_status(status)
+      if json_request? && json_response_custom_error_status?
+        response.status = status
+      end
+    end
+
+    def set_response_error_status(status)
+      if json_request? && !json_response_custom_error_status?
+        status = json_response_error_status
+      end
+
+      super
+    end
+
     def use_jwt?
       jwt_token || only_json? || json_request?
     end

data/lib/rodauth/features/lockout.rb

@@ -70,6 +70,7 @@ module Rodauth
 
           set_notice_flash unlock_account_request_notice_flash
         else
+          set_redirect_error_status(no_matching_login_error_status)
           set_redirect_error_flash no_matching_login_message
         end
 
@@ -101,6 +102,7 @@ module Rodauth
       r.post do
         key = session[unlock_account_session_key] || param(unlock_account_key_param)
         unless account_from_unlock_key(key)
+          set_redirect_error_status invalid_key_error_status
           set_redirect_error_flash no_matching_unlock_account_key_message
           redirect unlock_account_request_redirect
         end
@@ -119,6 +121,7 @@ module Rodauth
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else
+          set_response_error_status(invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           set_error_flash unlock_account_error_flash
           unlock_account_view
@@ -240,6 +243,7 @@ module Rodauth
     end
 
     def show_lockout_page
+      set_response_error_status lockout_error_status
       set_error_flash login_lockout_error_flash
       response.write unlock_account_request_view
       request.halt

data/lib/rodauth/features/login.rb

@@ -9,6 +9,7 @@ module Rodauth
     button 'Login'
     redirect
 
+    auth_value_method :login_error_status, 401
     auth_value_method :login_form_footer, ''
 
     route do |r|
@@ -24,18 +25,18 @@ module Rodauth
 
         catch_error do
           unless account_from_login(param(login_param))
-            throw_error(login_param, no_matching_login_message)
+            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
           before_login_attempt
 
           unless open_account?
-            throw_error(login_param, unverified_account_message)
+            throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
           end
 
           unless password_match?(param(password_param))
             after_login_failure
-            throw_error(password_param, invalid_password_message)
+            throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
           transaction do

data/lib/rodauth/features/otp.rb

@@ -98,6 +98,7 @@ module Rodauth
       require_otp_setup
 
       if otp_locked_out?
+        set_response_error_status(lockout_error_status)
         set_redirect_error_flash otp_lockout_error_flash
         redirect otp_lockout_redirect
       end
@@ -116,6 +117,7 @@ module Rodauth
 
         otp_record_authentication_failure
         after_otp_authentication_failure
+        set_response_error_status(invalid_key_error_status)
         set_field_error(otp_auth_param, otp_invalid_auth_code_message)
         set_error_flash otp_auth_error_flash
         otp_auth_view
@@ -141,16 +143,16 @@ module Rodauth
         secret = param(otp_setup_param)
         catch_error do
           unless otp_valid_key?(secret)
-            throw_error(otp_setup_param, otp_invalid_secret_message)
+            throw_error_status(invalid_field_error_status, otp_setup_param, otp_invalid_secret_message)
           end
           otp_tmp_key(secret)
 
           unless two_factor_password_match?(param(password_param))
-            throw_error(password_param, invalid_password_message)
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
           end
 
           unless otp_valid_code?(param(otp_auth_param))
-            throw_error(otp_auth_param, otp_invalid_auth_code_message)
+            throw_error_status(invalid_key_error_status, otp_auth_param, otp_invalid_auth_code_message)
           end
 
           transaction do
@@ -189,6 +191,7 @@ module Rodauth
           redirect otp_disable_redirect
         end
 
+        set_response_error_status(invalid_password_error_status)
         set_field_error(password_param, invalid_password_message)
         set_error_flash otp_disable_error_flash
         otp_disable_view
@@ -232,6 +235,7 @@ module Rodauth
 
     def require_otp_setup
       unless otp_exists?
+        set_redirect_error_status(two_factor_not_setup_error_status)
         set_redirect_error_flash two_factor_not_setup_error_flash
         redirect two_factor_need_setup_redirect
       end

data/lib/rodauth/features/recovery_codes.rb

@@ -72,6 +72,7 @@ module Rodauth
           two_factor_authenticate(:recovery_code)
         end
 
+        set_response_error_status(invalid_key_error_status)
         set_field_error(recovery_codes_param, invalid_recovery_code_message)
         set_error_flash invalid_recovery_code_error_flash
         recovery_auth_view
@@ -114,6 +115,7 @@ module Rodauth
             set_error_flash view_recovery_codes_error_flash
           end
 
+          set_response_error_status(invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           recovery_codes_view
         end

data/lib/rodauth/features/remember.rb

@@ -74,6 +74,7 @@ module Rodauth
           set_notice_flash remember_notice_flash
           redirect remember_redirect
         else
+          set_response_error_status(invalid_field_error_status)
           set_error_flash remember_error_flash
           remember_view
         end

data/lib/rodauth/features/reset_password.rb

@@ -64,6 +64,7 @@ module Rodauth
 
           set_notice_flash reset_password_email_sent_notice_flash
         else
+          set_redirect_error_status(no_matching_login_error_status)
           set_redirect_error_flash reset_password_request_error_flash
         end
 
@@ -95,6 +96,7 @@ module Rodauth
       r.post do
         key = session[reset_password_session_key] || param(reset_password_key_param)
         unless account_from_reset_password_key(key)
+          set_redirect_error_status(invalid_key_error_status)
           set_redirect_error_flash reset_password_error_flash
           redirect reset_password_email_sent_redirect
         end
@@ -102,15 +104,15 @@ module Rodauth
         password = param(password_param)
         catch_error do
           if password_match?(password) 
-            throw_error(password_param, same_as_existing_password_message)
+            throw_error_status(invalid_field_error_status, password_param, same_as_existing_password_message)
           end
 
           if require_password_confirmation? && password != param(password_confirm_param)
-            throw_error(password_param, passwords_do_not_match_message)
+            throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
           end
 
           unless password_meets_requirements?(password)
-            throw_error(password_param, password_does_not_meet_requirements_message)
+            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
           end
 
           transaction do

data/lib/rodauth/features/sms_codes.rb

@@ -56,6 +56,9 @@ module Rodauth
     view 'sms-request', 'Send SMS Code', 'sms_request'
     view 'sms-setup', 'Setup SMS Backup Number', 'sms_setup'
 
+    auth_value_method :sms_already_setup_error_status, 403
+    auth_value_method :sms_needs_confirmation_error_status, 403
+
     auth_value_method :sms_auth_code_length, 6
     auth_value_method :sms_code_allowed_seconds, 300
     auth_value_method :sms_code_column, :code
@@ -138,6 +141,8 @@ module Rodauth
         if sms_code
           sms_set_code(nil)
         end
+
+        set_response_error_status(invalid_key_error_status)
         set_redirect_error_flash no_current_sms_code_error_flash
         redirect sms_request_redirect
       end
@@ -160,6 +165,7 @@ module Rodauth
           end
         end
 
+        set_response_error_status(invalid_key_error_status)
         set_field_error(sms_code_param, sms_invalid_code_message)
         set_error_flash sms_invalid_code_error_flash
         sms_auth_view
@@ -175,6 +181,7 @@ module Rodauth
       require_sms_not_setup
 
       if sms_needs_confirmation?
+        set_redirect_error_status(sms_needs_confirmation_error_status)
         set_redirect_error_flash sms_needs_confirmation_error_flash
         redirect sms_needs_confirmation_redirect
       end
@@ -188,13 +195,13 @@ module Rodauth
       r.post do
         catch_error do
           unless two_factor_password_match?(param(password_param))
-            throw_error(password_param, invalid_password_message)
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
           end
 
           phone = sms_normalize_phone(param(sms_phone_param))
 
           unless sms_valid_phone?(phone)
-            throw_error(sms_phone_param, sms_invalid_phone_message)
+            throw_error_status(invalid_field_error_status, sms_phone_param, sms_invalid_phone_message)
           end
 
           transaction do
@@ -242,6 +249,7 @@ module Rodauth
         end
 
         sms_confirm_failure
+        set_redirect_error_status(invalid_key_error_status)
         set_redirect_error_flash sms_invalid_confirmation_code_error_flash
         redirect sms_needs_setup_redirect
       end
@@ -270,6 +278,7 @@ module Rodauth
           redirect sms_disable_redirect
         end
 
+        set_response_error_status(invalid_password_error_status)
         set_field_error(password_param, invalid_password_message)
         set_error_flash sms_disable_error_flash
         sms_disable_view
@@ -331,6 +340,7 @@ module Rodauth
 
     def require_sms_setup
       unless sms_setup?
+        set_redirect_error_status(two_factor_not_setup_error_status)
         set_redirect_error_flash sms_not_setup_error_flash
         redirect sms_needs_setup_redirect
       end
@@ -338,6 +348,7 @@ module Rodauth
 
     def require_sms_not_setup
       if sms_setup?
+        set_redirect_error_status(sms_already_setup_error_status)
         set_redirect_error_flash sms_already_setup_error_flash
         redirect sms_already_setup_redirect
       end
@@ -347,6 +358,7 @@ module Rodauth
       require_sms_setup
 
       if sms_locked_out?
+        set_redirect_error_status(lockout_error_status)
         set_redirect_error_flash sms_lockout_error_flash
         redirect sms_lockout_redirect
       end

data/lib/rodauth/features/two_factor_base.rb

@@ -13,6 +13,10 @@ module Rodauth
     error_flash "Already authenticated via 2nd factor", 'two_factor_already_authenticated'
     error_flash "You need to authenticate via 2nd factor before continuing.", 'two_factor_need_authentication'
 
+    auth_value_method :two_factor_already_authenticated_error_status, 403
+    auth_value_method :two_factor_need_authentication_error_status, 401
+    auth_value_method :two_factor_not_setup_error_status, 403
+
     auth_value_method :two_factor_session_key, :two_factor_auth
     auth_value_method :two_factor_setup_session_key, :two_factor_auth_setup
     auth_value_method :two_factor_need_setup_redirect, nil
@@ -46,6 +50,7 @@ module Rodauth
 
     def require_two_factor_setup
       unless uses_two_factor_authentication?
+        set_redirect_error_status(two_factor_not_setup_error_status)
         set_redirect_error_flash two_factor_not_setup_error_flash
         redirect two_factor_need_setup_redirect
       end
@@ -53,6 +58,7 @@ module Rodauth
     
     def require_two_factor_not_authenticated
       if two_factor_authenticated?
+        set_redirect_error_status(two_factor_already_authenticated_error_status)
         set_redirect_error_flash two_factor_already_authenticated_error_flash
         redirect two_factor_already_authenticated_redirect
       end
@@ -60,6 +66,7 @@ module Rodauth
 
     def require_two_factor_authenticated
       unless two_factor_authenticated?
+        set_redirect_error_status(two_factor_need_authentication_error_status)
         set_redirect_error_flash two_factor_need_authentication_error_flash
         redirect _two_factor_auth_required_redirect
       end

data/lib/rodauth/features/verify_account.rb

@@ -64,6 +64,7 @@ module Rodauth
 
           set_notice_flash verify_account_email_sent_notice_flash
         else
+          set_redirect_error_status(no_matching_login_error_status)
           set_redirect_error_flash verify_account_resend_error_flash
         end
         
@@ -95,6 +96,7 @@ module Rodauth
       r.post do
         key = session[verify_account_session_key] || param(verify_account_key_param)
         unless account_from_verify_account_key(key)
+          set_redirect_error_status(invalid_key_error_status)
           set_redirect_error_flash verify_account_error_flash
           redirect verify_account_redirect
         end
@@ -137,6 +139,7 @@ module Rodauth
 
     def new_account(login)
       if account_from_login(login)
+        set_redirect_error_status(unopen_account_error_status)
         set_error_flash attempt_to_create_unverified_account_notice_message
         response.write resend_verify_account_view
         request.halt
@@ -178,6 +181,7 @@ module Rodauth
 
     def before_login_attempt
       unless open_account?
+        set_redirect_error_status(unopen_account_error_status)
         set_error_flash attempt_to_login_to_unverified_account_notice_message
         response.write resend_verify_account_view
         request.halt

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.7.0'.freeze
+  VERSION = '1.8.0'.freeze
 
   def self.version
     VERSION

data/spec/change_login_spec.rb

@@ -128,13 +128,13 @@ describe 'Rodauth change_login feature' do
     json_login
 
     res = json_request('/change-login', :login=>'foobar', "login-confirm"=>'foobar')
-    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, not a valid email address"]}]
+    res.must_equal [422, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, not a valid email address"]}]
 
     res = json_request('/change-login', :login=>'foo@example.com', "login-confirm"=>'foo2@example.com')
-    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "logins do not match"]}]
+    res.must_equal [422, {'error'=>"There was an error changing your login", "field-error"=>["login", "logins do not match"]}]
 
     res = json_request('/change-login', :login=>'foo2@example.com', "login-confirm"=>'foo2@example.com')
-    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, already an account with this login"]}]
+    res.must_equal [422, {'error'=>"There was an error changing your login", "field-error"=>["login", "invalid login, already an account with this login"]}]
 
     res = json_request('/change-login', :login=>'foo3@example.com', "login-confirm"=>'foo3@example.com')
     res.must_equal [200, {'success'=>"Your login has been changed"}]
@@ -145,7 +145,7 @@ describe 'Rodauth change_login feature' do
     require_password = true
 
     res = json_request('/change-login', :login=>'foo4@example.com', "login-confirm"=>'foo4@example.com', :password=>'012345678')
-    res.must_equal [400, {'error'=>"There was an error changing your login", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error changing your login", "field-error"=>["password", "invalid password"]}]
 
     res = json_request('/change-login', :login=>'foo4@example.com', "login-confirm"=>'foo4@example.com', :password=>'0123456789')
     res.must_equal [200, {'success'=>"Your login has been changed"}]

data/spec/change_password_spec.rb

@@ -149,20 +149,20 @@ describe 'Rodauth change_password feature' do
     json_login
 
     res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "passwords do not match"]}]
+    res.must_equal [422, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "passwords do not match"]}]
 
     res = json_request('/change-password', :password=>'0123456', "new-password"=>'0123456', "password-confirm"=>'0123456')
-    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error changing your password", "field-error"=>["password", "invalid password"]}]
 
     res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "invalid password, same as current password"]}]
+    res.must_equal [422, {'error'=>"There was an error changing your password", "field-error"=>["new-password", "invalid password, same as current password"]}]
 
     res = json_request('/change-password', :password=>'0123456789', "new-password"=>'0123456', "password-confirm"=>'0123456')
     res.must_equal [200, {'success'=>"Your password has been changed"}]
 
     json_logout
     res = json_login(:no_check=>true)
-    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
 
     json_login(:pass=>'0123456')
 

data/spec/close_account_spec.rb

@@ -152,7 +152,7 @@ describe 'Rodauth close_account feature' do
     json_login
 
     res = json_request('/close-account', :password=>'0123456')
-    res.must_equal [400, {'error'=>"There was an error closing your account", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error closing your account", "field-error"=>["password", "invalid password"]}]
     DB[:accounts].select_map(:status_id).must_equal [2]
 
     res = json_request('/close-account', :password=>'0123456789')

data/spec/confirm_password_spec.rb

@@ -59,7 +59,7 @@ describe 'Rodauth confirm password feature' do
     json_request('/reset').must_equal [200, [1]]
 
     res = json_request('/change-password', "new-password"=>'01234567', "password-confirm"=>'01234567')
-    res.must_equal [400, {"field-error"=>["password", "invalid password"], "error"=>"There was an error changing your password"}]
+    res.must_equal [401, {"field-error"=>["password", "invalid password"], "error"=>"There was an error changing your password"}]
 
     res = json_request('/confirm-password', "password"=>'0123456')
     res.must_equal [200, {'success'=>"Your password has been confirmed"}]

data/spec/create_account_spec.rb

@@ -108,16 +108,16 @@ describe 'Rodauth create_account feature' do
     end
 
     res = json_request('/create-account', :login=>'foo@example.com', "login-confirm"=>'foo@example.com', :password=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, already an account with this login"]}]
+    res.must_equal [422, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, already an account with this login"]}]
 
     res = json_request('/create-account', :login=>'foobar', "login-confirm"=>'foobar', :password=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, not a valid email address"]}]
+    res.must_equal [422, {'error'=>"There was an error creating your account", "field-error"=>["login", "invalid login, not a valid email address"]}]
 
     res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foobar', :password=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["login", "logins do not match"]}]
+    res.must_equal [422, {'error'=>"There was an error creating your account", "field-error"=>["login", "logins do not match"]}]
 
     res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'012345678', "password-confirm"=>'0123456789')
-    res.must_equal [400, {'error'=>"There was an error creating your account", "field-error"=>["password", "passwords do not match"]}]
+    res.must_equal [422, {'error'=>"There was an error creating your account", "field-error"=>["password", "passwords do not match"]}]
 
     res = json_request('/create-account', :login=>'foo@example2.com', "login-confirm"=>'foo@example2.com', :password=>'0123456789', "password-confirm"=>'0123456789')
     res.must_equal [200, {'success'=>"Your account has been created", 'account_id'=>DB[:accounts].max(:id)}]

data/spec/lockout_spec.rb

@@ -190,33 +190,33 @@ describe 'Rodauth lockout feature' do
     end
 
     res = json_request('/unlock-account-request', :login=>'foo@example.com')
-    res.must_equal [400, {'error'=>"no matching login"}]
+    res.must_equal [401, {'error'=>"no matching login"}]
 
     res = json_login(:pass=>'1', :no_check=>true)
-    res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
 
     json_login
     json_logout
 
     2.times do
       res = json_login(:pass=>'1', :no_check=>true)
-      res.must_equal [400, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+      res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
     end
 
     2.times do
       res = json_login(:pass=>'1', :no_check=>true)
-      res.must_equal [400, {'error'=>"This account is currently locked out and cannot be logged in to."}]
+      res.must_equal [403, {'error'=>"This account is currently locked out and cannot be logged in to."}]
     end
 
     res = json_request('/unlock-account')
-    res.must_equal [400, {'error'=>"No matching unlock account key"}]
+    res.must_equal [401, {'error'=>"No matching unlock account key"}]
 
     res = json_request('/unlock-account-request', :login=>'foo@example.com')
     res.must_equal [200, {'success'=>"An email has been sent to you with a link to unlock your account"}]
 
     link = email_link(/key=.+$/)
     res = json_request('/unlock-account', :key=>link[4...-1])
-    res.must_equal [400, {'error'=>"No matching unlock account key"}]
+    res.must_equal [401, {'error'=>"No matching unlock account key"}]
 
     res = json_request('/unlock-account', :key=>link[4..-1])
     res.must_equal [200, {'success'=>"Your account has been unlocked"}]

data/spec/login_spec.rb

@@ -157,6 +157,7 @@ describe 'Rodauth login feature' do
   it "should login and logout via jwt" do
     rodauth do
       enable :login, :logout
+      json_response_custom_error_status? false
       jwt_secret{proc{super()}.must_raise ArgumentError; "1"}
     end
     roda(:jwt) do |r|
@@ -179,4 +180,29 @@ describe 'Rodauth login feature' do
     json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
     json_request.must_equal [200, 2]
   end
+
+  it "should login and logout via jwt with custom error statuses" do
+    rodauth do
+      enable :login, :logout
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      response['Content-Type'] = 'application/json'
+      rodauth.logged_in? ? '1' : '2'
+    end
+
+    json_request.must_equal [200, 2]
+
+    res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
+    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
+
+    res = json_request("/login", :login=>'foo@example.com', :password=>'012345678')
+    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["password", "invalid password"]}]
+
+    json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
+    json_request.must_equal [200, 1]
+
+    json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
+    json_request.must_equal [200, 2]
+  end
 end

data/spec/remember_spec.rb

@@ -404,7 +404,7 @@ describe 'Rodauth remember feature' do
     json_request.must_equal [200, [1]]
 
     res = json_request('/confirm-password', :password=>'123456')
-    res.must_equal [400, {'error'=>"There was an error confirming your password", "field-error"=>["password", "invalid password"]}]
+    res.must_equal [401, {'error'=>"There was an error confirming your password", "field-error"=>["password", "invalid password"]}]
 
     res = json_request('/confirm-password', :password=>'0123456789')
     res.must_equal [200, {'success'=>"Your password has been confirmed"}]

data/spec/reset_password_spec.rb

@@ -156,32 +156,32 @@ describe 'Rodauth reset_password feature' do
     end
 
     res = json_login(:pass=>'1', :no_check=>true)
-    res.must_equal [400, {"field-error"=>["password", "invalid password"], "error"=>"There was an error logging in"}]
+    res.must_equal [401, {"field-error"=>["password", "invalid password"], "error"=>"There was an error logging in"}]
 
     res = json_request('/reset-password')
-    res.must_equal [400, {"error"=>"There was an error resetting your password"}]
+    res.must_equal [401, {"error"=>"There was an error resetting your password"}]
 
     res = json_request('/reset-password-request', :login=>'foo@example2.com')
-    res.must_equal [400, {"error"=>"There was an error requesting a password reset"}]
+    res.must_equal [401, {"error"=>"There was an error requesting a password reset"}]
 
     res = json_request('/reset-password-request', :login=>'foo@example.com')
     res.must_equal [200, {"success"=>"An email has been sent to you with a link to reset the password for your account"}]
 
     link = email_link(/key=.+$/)
     res = json_request('/reset-password', :key=>link[4...-1])
-    res.must_equal [400, {"error"=>"There was an error resetting your password"}]
+    res.must_equal [401, {"error"=>"There was an error resetting your password"}]
 
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'2')
-    res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'passwords do not match']}]
+    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'passwords do not match']}]
 
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456789', "password-confirm"=>'0123456789')
-    res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'invalid password, same as current password']}]
+    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", 'invalid password, same as current password']}]
 
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'1', "password-confirm"=>'1')
-    res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (minimum 6 characters)"]}]
+    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (minimum 6 characters)"]}]
 
     res = json_request('/reset-password', :key=>link[4..-1], :password=>"\0ab123456", "password-confirm"=>"\0ab123456")
-    res.must_equal [400, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (contains null byte)"]}]
+    res.must_equal [422, {"error"=>"There was an error resetting your password", "field-error"=>["password", "invalid password, does not meet requirements (contains null byte)"]}]
 
     res = json_request('/reset-password', :key=>link[4..-1], :password=>'0123456', "password-confirm"=>'0123456')
     res.must_equal [200, {"success"=>"Your password has been reset"}]

data/spec/spec_helper.rb

@@ -41,7 +41,8 @@ require 'logger'
 require 'tilt/string'
 
 db_url = ENV['RODAUTH_SPEC_DB'] || 'postgres:///?user=rodauth_test&password=rodauth_test'
-DB = Sequel.connect(db_url)
+DB = Sequel.connect(db_url, :identifier_mangling=>false)
+DB.extension(:freeze_datasets)
 puts "using #{DB.database_type}"
 
 #DB.loggers << Logger.new($stdout)
@@ -110,6 +111,7 @@ class Minitest::HooksSpec
         enable :jwt
         jwt_secret '1'
         json_response_success_key 'success'
+        json_response_custom_error_status? true
       end
       instance_exec(&rodauth_block)
     end

data/spec/two_factor_spec.rb

@@ -1114,23 +1114,23 @@ describe 'Rodauth OTP feature' do
     json_request.must_equal [200, [3]]
 
     %w'/otp-disable /recovery-auth /recovery-codes /sms-setup /sms-confirm /otp-auth'.each do |path|
-      json_request(path).must_equal [400, {'error'=>'This account has not been setup for two factor authentication'}]
+      json_request(path).must_equal [403, {'error'=>'This account has not been setup for two factor authentication'}]
     end
     %w'/sms-disable /sms-request /sms-auth'.each do |path|
-      json_request(path).must_equal [400, {'error'=>'SMS authentication has not been setup yet.'}]
+      json_request(path).must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
     end
 
     secret = ROTP::Base32.random_base32
     totp = ROTP::TOTP.new(secret)
 
     res = json_request('/otp-setup', :password=>'123456', :otp_secret=>secret)
-    res.must_equal [400, {'error'=>'Error setting up two factor authentication', "field-error"=>["password", 'invalid password']}] 
+    res.must_equal [401, {'error'=>'Error setting up two factor authentication', "field-error"=>["password", 'invalid password']}] 
 
     res = json_request('/otp-setup', :password=>'0123456789', :otp=>'adsf', :otp_secret=>secret)
-    res.must_equal [400, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
+    res.must_equal [401, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
 
     res = json_request('/otp-setup', :password=>'0123456789', :otp=>'adsf', :otp_secret=>'asdf')
-    res.must_equal [400, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}] 
+    res.must_equal [422, {'error'=>'Error setting up two factor authentication', "field-error"=>["otp_secret", 'invalid secret']}] 
 
     res = json_request('/otp-setup', :password=>'0123456789', :otp=>totp.now, :otp_secret=>secret)
     res.must_equal [200, {'success'=>'Two factor authentication is now setup'}]
@@ -1141,11 +1141,11 @@ describe 'Rodauth OTP feature' do
     json_request.must_equal [200, [2]]
 
     %w'/otp-disable /recovery-codes /otp-setup /sms-setup /sms-disable /sms-confirm'.each do |path|
-      json_request(path).must_equal [400, {'error'=>'You need to authenticate via 2nd factor before continuing.'}]
+      json_request(path).must_equal [401, {'error'=>'You need to authenticate via 2nd factor before continuing.'}]
     end
 
     res = json_request('/otp-auth', :otp=>'adsf')
-    res.must_equal [400, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
+    res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
 
     res = json_request('/otp-auth', :otp=>totp.now)
     res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
@@ -1157,17 +1157,17 @@ describe 'Rodauth OTP feature' do
 
     %w'/otp-auth /recovery-auth /sms-request /sms-auth'.each do |path|
       res = json_request(path)
-      res.must_equal [400, {'error'=>'Already authenticated via 2nd factor'}] 
+      res.must_equal [403, {'error'=>'Already authenticated via 2nd factor'}] 
     end
 
     res = json_request('/sms-disable')
-    res.must_equal [400, {'error'=>'SMS authentication has not been setup yet.'}] 
+    res.must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}] 
 
     res = json_request('/sms-setup', :password=>'012345678', "sms-phone"=>'(123) 456')
-    res.must_equal [400, {'error'=>'Error setting up SMS authentication', "field-error"=>["password", 'invalid password']}] 
+    res.must_equal [401, {'error'=>'Error setting up SMS authentication', "field-error"=>["password", 'invalid password']}] 
 
     res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 456')
-    res.must_equal [400, {'error'=>'Error setting up SMS authentication', "field-error"=>["sms-phone", 'invalid SMS phone number']}] 
+    res.must_equal [422, {'error'=>'Error setting up SMS authentication', "field-error"=>["sms-phone", 'invalid SMS phone number']}] 
 
     res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
     res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
@@ -1176,14 +1176,14 @@ describe 'Rodauth OTP feature' do
     sms_message.must_match(/\ASMS confirmation code for example\.com: is \d{12}\z/)
 
     res = json_request('/sms-confirm', :sms_code=>'asdf')
-    res.must_equal [400, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}] 
+    res.must_equal [401, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}] 
 
     res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
     res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
 
     DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
     res = json_request('/sms-confirm', :sms_code=>sms_code)
-    res.must_equal [400, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}] 
+    res.must_equal [401, {'error'=>'Invalid or out of date SMS confirmation code used, must setup SMS authentication again.'}] 
 
     res = json_request('/sms-setup', :password=>'0123456789', "sms-phone"=>'(123) 4567 890')
     res.must_equal [200, {'success'=>'SMS authentication needs confirmation.'}]
@@ -1193,14 +1193,14 @@ describe 'Rodauth OTP feature' do
 
     %w'/sms-setup /sms-confirm'.each do |path|
       res = json_request(path)
-      res.must_equal [400, {'error'=>'SMS authentication has already been setup.'}] 
+      res.must_equal [403, {'error'=>'SMS authentication has already been setup.'}] 
     end
 
     json_logout
     json_login
 
     res = json_request('/sms-auth')
-    res.must_equal [400, {'error'=>'No current SMS code for this account'}]
+    res.must_equal [401, {'error'=>'No current SMS code for this account'}]
 
     sms_phone = sms_message = nil
     res = json_request('/sms-request')
@@ -1209,11 +1209,11 @@ describe 'Rodauth OTP feature' do
     sms_message.must_match(/\ASMS authentication code for example\.com: is \d{6}\z/)
 
     res = json_request('/sms-auth')
-    res.must_equal [400, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
+    res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
 
     DB[:account_sms_codes].update(:code_issued_at=>Time.now - 310)
     res = json_request('/sms-auth')
-    res.must_equal [400, {'error'=>'No current SMS code for this account'}]
+    res.must_equal [401, {'error'=>'No current SMS code for this account'}]
 
     res = json_request('/sms-request')
     res.must_equal [200, {'success'=>'SMS authentication code has been sent.'}]
@@ -1230,21 +1230,21 @@ describe 'Rodauth OTP feature' do
 
     5.times do
       res = json_request('/sms-auth')
-      res.must_equal [400, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
+      res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
     end
 
     res = json_request('/sms-auth')
-    res.must_equal [400, {'error'=>'SMS authentication has been locked out.'}]
+    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}]
 
     res = json_request('/sms-request')
-    res.must_equal [400, {'error'=>'SMS authentication has been locked out.'}]
+    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}]
 
     res = json_request('/otp-auth', :otp=>totp.now)
     res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
     json_request.must_equal [200, [1]]
 
     res = json_request('/sms-disable', :password=>'012345678')
-    res.must_equal [400, {'error'=>'Error disabling SMS authentication', "field-error"=>["password", 'invalid password']}]
+    res.must_equal [401, {'error'=>'Error disabling SMS authentication', "field-error"=>["password", 'invalid password']}]
 
     res = json_request('/sms-disable', :password=>'0123456789')
     res.must_equal [200, {'success'=>'SMS authentication has been disabled.'}]
@@ -1256,7 +1256,7 @@ describe 'Rodauth OTP feature' do
     res.must_equal [200, {'success'=>'SMS authentication has been setup.'}]
 
     res = json_request('/recovery-codes', :password=>'asdf')
-    res.must_equal [400, {'error'=>'Unable to view recovery codes.', "field-error"=>["password", 'invalid password']}] 
+    res.must_equal [401, {'error'=>'Unable to view recovery codes.', "field-error"=>["password", 'invalid password']}] 
 
     res = json_request('/recovery-codes', :password=>'0123456789')
     codes = res[1].delete('codes')
@@ -1268,26 +1268,26 @@ describe 'Rodauth OTP feature' do
 
     5.times do
       res = json_request('/otp-auth', :otp=>'asdf')
-      res.must_equal [400, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
+      res.must_equal [401, {'error'=>'Error logging in via two factor authentication', "field-error"=>["otp", 'Invalid authentication code']}] 
     end
 
     res = json_request('/otp-auth', :otp=>'asdf')
-    res.must_equal [400, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock. Can use SMS code to unlock.'}] 
+    res.must_equal [403, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock. Can use SMS code to unlock.'}] 
 
     res = json_request('/sms-request')
     5.times do
       res = json_request('/sms-auth')
-      res.must_equal [400, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
+      res.must_equal [401, {'error'=>'Error authenticating via SMS code.', "field-error"=>["sms-code", "invalid SMS code"]}]
     end
 
     res = json_request('/otp-auth', :otp=>'asdf')
-    res.must_equal [400, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock.'}] 
+    res.must_equal [403, {'error'=>'Authentication code use locked out due to numerous failures. Can use recovery code to unlock.'}] 
 
     res = json_request('/sms-auth')
-    res.must_equal [400, {'error'=>'SMS authentication has been locked out.'}] 
+    res.must_equal [403, {'error'=>'SMS authentication has been locked out.'}] 
 
     res = json_request('/recovery-auth', 'recovery-code'=>'adsf')
-    res.must_equal [400, {'error'=>'Error authenticating via recovery code.', "field-error"=>["recovery-code", "Invalid recovery code"]}]
+    res.must_equal [401, {'error'=>'Error authenticating via recovery code.', "field-error"=>["recovery-code", "Invalid recovery code"]}]
 
     res = json_request('/recovery-auth', 'recovery-code'=>codes.first)
     res.must_equal [200, {'success'=>'You have been authenticated via 2nd factor'}]
@@ -1299,7 +1299,7 @@ describe 'Rodauth OTP feature' do
     res.must_equal [200, {'success'=>''}]
 
     res = json_request('/recovery-codes', :password=>'012345678', :add=>'1')
-    res.must_equal [400, {'error'=>'Unable to add recovery codes.', "field-error"=>["password", 'invalid password']}] 
+    res.must_equal [401, {'error'=>'Unable to add recovery codes.', "field-error"=>["password", 'invalid password']}] 
 
     res = json_request('/recovery-codes', :password=>'0123456789', :add=>'1')
     codes3 = res[1].delete('codes')
@@ -1307,7 +1307,7 @@ describe 'Rodauth OTP feature' do
     res.must_equal [200, {'success'=>'Additional authentication recovery codes have been added.'}]
 
     res = json_request('/otp-disable', :password=>'012345678')
-    res.must_equal [400, {'error'=>'Error disabling up two factor authentication', "field-error"=>["password", 'invalid password']}] 
+    res.must_equal [401, {'error'=>'Error disabling up two factor authentication', "field-error"=>["password", 'invalid password']}] 
 
     res = json_request('/otp-disable', :password=>'0123456789')
     res.must_equal [200, {'success'=>'Two factor authentication has been disabled'}]

data/spec/verify_account_spec.rb

@@ -116,23 +116,23 @@ describe 'Rodauth verify_account feature' do
     link = email_link(/key=.+$/, 'foo@example2.com')
 
     res = json_request('/verify-account-resend', :login=>'foo@example.com')
-    res.must_equal [400, {'error'=>"Unable to resend verify account email"}]
+    res.must_equal [401, {'error'=>"Unable to resend verify account email"}]
 
     res = json_request('/verify-account-resend', :login=>'foo@example3.com')
-    res.must_equal [400, {'error'=>"Unable to resend verify account email"}]
+    res.must_equal [401, {'error'=>"Unable to resend verify account email"}]
 
     res = json_request('/login', :login=>'foo@example2.com',:password=>'0123456789')
-    res.must_equal [400, {'error'=>"The account you tried to login with is currently awaiting verification"}]
+    res.must_equal [403, {'error'=>"The account you tried to login with is currently awaiting verification"}]
 
     res = json_request('/verify-account-resend', :login=>'foo@example2.com')
     res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your account"}]
     email_link(/key=.+$/, 'foo@example2.com').must_equal link
 
     res = json_request('/verify-account')
-    res.must_equal [400, {'error'=>"Unable to verify account"}]
+    res.must_equal [401, {'error'=>"Unable to verify account"}]
 
     res = json_request('/verify-account', :key=>link[4...-1])
-    res.must_equal [400, {"error"=>"Unable to verify account"}]
+    res.must_equal [401, {"error"=>"Unable to verify account"}]
 
     res = json_request('/verify-account', :key=>link[4..-1])
     res.must_equal [200, {"success"=>"Your account has been verified"}]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-22 00:00:00.000000000 Z
+date: 2017-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -234,6 +234,7 @@ extra_rdoc_files:
 - doc/release_notes/1.5.0.txt
 - doc/release_notes/1.6.0.txt
 - doc/release_notes/1.7.0.txt
+- doc/release_notes/1.8.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -267,6 +268,7 @@ files:
 - doc/release_notes/1.5.0.txt
 - doc/release_notes/1.6.0.txt
 - doc/release_notes/1.7.0.txt
+- doc/release_notes/1.8.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc