rodauth 1.9.0 → 1.10.0

data/lib/rodauth/features/email_base.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  EmailBase = Feature.define(:email_base) do
+  Feature.define(:email_base, :EmailBase) do
     auth_value_method :email_subject_prefix, nil
     auth_value_method :require_mail?, true
     auth_value_method :token_separator, "_"
@@ -23,9 +23,13 @@ module Rodauth
     private
 
     def create_email(subject, body)
+      create_email_to(email_to, subject, body)
+    end
+
+    def create_email_to(to, subject, body)
       m = Mail.new
       m.from = email_from
-      m.to = email_to
+      m.to = to
       m.subject = "#{email_subject_prefix}#{subject}"
       m.body = body
       m

data/lib/rodauth/features/http_basic_auth.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  HTTTBasicAuth = Feature.define(:http_basic_auth) do
+  Feature.define(:http_basic_auth, :HttpBasicAuth) do
     auth_value_method :http_basic_auth_realm, "protected"
 
     def session

data/lib/rodauth/features/jwt.rb

@@ -3,7 +3,7 @@
 require 'jwt'
 
 module Rodauth
-  Jwt = Feature.define(:jwt) do
+  Feature.define(:jwt, :Jwt) do
     auth_value_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
     auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
     auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'

data/lib/rodauth/features/lockout.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Lockout = Feature.define(:lockout) do
+  Feature.define(:lockout, :Lockout) do
     depends :login, :email_base
 
     loaded_templates %w'unlock-account-request unlock-account password-field unlock-account-email'

data/lib/rodauth/features/login.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Login = Feature.define(:login) do
+  Feature.define(:login, :Login) do
     notice_flash "You have been logged in"
     error_flash "There was an error logging in"
     loaded_templates %w'login login-field password-field'

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  LoginPasswordRequirementsBase = Feature.define(:login_password_requirements_base) do
+  Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
     auth_value_method :login_confirm_param, 'login-confirm'
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255

data/lib/rodauth/features/logout.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Logout = Feature.define(:logout) do
+  Feature.define(:logout, :Logout) do
     notice_flash "You have been logged out"
     loaded_templates %w'logout'
     view 'logout', 'Logout'

data/lib/rodauth/features/otp.rb

@@ -4,7 +4,7 @@ require 'rotp'
 require 'rqrcode'
 
 module Rodauth
-  Otp = Feature.define(:otp) do
+  Feature.define(:otp, :Otp) do
     depends :two_factor_base
 
     additional_form_tags 'otp_disable'

data/lib/rodauth/features/password_complexity.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  PasswordComplexity = Feature.define(:password_complexity) do
+  Feature.define(:password_complexity, :PasswordComplexity) do
     depends :login_password_requirements_base
 
     auth_value_method :password_dictionary_file, nil

data/lib/rodauth/features/password_expiration.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  PasswordExpiration = Feature.define(:password_expiration) do
+  Feature.define(:password_expiration, :PasswordExpiration) do
     depends :login, :change_password
 
     error_flash "Your password has expired and needs to be changed"

data/lib/rodauth/features/password_grace_period.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  PasswordGracePeriod = Feature.define(:password_grace_period) do
+  Feature.define(:password_grace_period, :PasswordGracePeriod) do
     auth_value_method :password_grace_period, 300
     auth_value_method :last_password_entry_session_key, :last_password_entry
 

data/lib/rodauth/features/recovery_codes.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  RecoveryCodes = Feature.define(:recovery_codes) do
+  Feature.define(:recovery_codes, :RecoveryCodes) do
     depends :two_factor_base
 
     additional_form_tags 'recovery_auth'

data/lib/rodauth/features/remember.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Remember = Feature.define(:remember) do
+  Feature.define(:remember, :Remember) do
     depends :confirm_password
 
     notice_flash "Your remember setting has been updated"

data/lib/rodauth/features/reset_password.rb

@@ -1,15 +1,16 @@
 # frozen-string-literal: true
 
 module Rodauth
-  ResetPassword = Feature.define(:reset_password) do
+  Feature.define(:reset_password, :ResetPassword) do
     depends :login, :email_base, :login_password_requirements_base
 
     notice_flash "Your password has been reset"
     notice_flash "An email has been sent to you with a link to reset the password for your account", 'reset_password_email_sent'
     error_flash "There was an error resetting your password"
     error_flash "There was an error requesting a password reset", 'reset_password_request'
-    loaded_templates %w'reset-password password-field password-confirm-field reset-password-email'
+    loaded_templates %w'reset-password-request reset-password password-field password-confirm-field reset-password-email'
     view 'reset-password', 'Reset Password'
+    view 'reset-password-request', 'Request Password Reset', 'reset_password_request'
     additional_form_tags
     additional_form_tags 'reset_password_request'
     before 
@@ -32,12 +33,13 @@ module Rodauth
     auth_value_method :reset_password_key_column, :key
     auth_value_method :reset_password_session_key, :reset_password_key
 
-    auth_value_methods :reset_password_email_sent_redirect
+    auth_value_methods :reset_password_email_sent_redirect, :reset_password_request_link
 
     auth_methods(
       :create_reset_password_key,
       :create_reset_password_email,
       :get_reset_password_key,
+      :login_failed_reset_password_request_form,
       :remove_reset_password_key,
       :reset_password_email_body,
       :reset_password_email_link,
@@ -53,6 +55,10 @@ module Rodauth
       check_already_logged_in
       before_reset_password_request_route
 
+      r.get do
+        reset_password_request_view
+      end
+
       r.post do
         if account_from_login(param(login_param)) && open_account?
           generate_reset_password_key_value
@@ -173,13 +179,21 @@ module Rodauth
       password_reset_ds(id).get(reset_password_key_column)
     end
 
+    def login_form_footer
+      super + reset_password_request_link
+    end
+
+    def reset_password_request_link
+      "<p><a href=\"#{prefix}/#{reset_password_request_route}\">Forgot Password?</a></p>"
+    end
+
     private
 
     attr_reader :reset_password_key_value
 
     def after_login_failure
       unless only_json?
-        @login_form_header = render("reset-password-request")
+        @login_form_header = login_failed_reset_password_request_form
       end
       super
     end
@@ -197,6 +211,10 @@ module Rodauth
       create_email(reset_password_email_subject, reset_password_email_body)
     end
 
+    def login_failed_reset_password_request_form
+      render("reset-password-request")
+    end
+
     def reset_password_email_body
       render('reset-password-email')
     end

data/lib/rodauth/features/session_expiration.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  SessionExpiration = Feature.define(:session_expiration) do
+  Feature.define(:session_expiration, :SessionExpiration) do
     error_flash "This session has expired, please login again."
 
     auth_value_method :max_session_lifetime, 86400

data/lib/rodauth/features/single_session.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  SingleSession = Feature.define(:single_session) do
+  Feature.define(:single_session, :SingleSession) do
     error_flash 'This session has been logged out as another session has become active'
     redirect
 

data/lib/rodauth/features/sms_codes.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  SmsCodes = Feature.define(:sms_codes) do
+  Feature.define(:sms_codes, :SmsCodes) do
     depends :two_factor_base
 
     additional_form_tags 'sms_auth'

data/lib/rodauth/features/two_factor_base.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  TwoFactorBase = Feature.define(:two_factor_base) do
+  Feature.define(:two_factor_base, :TwoFactorBase) do
     after :two_factor_authentication
 
     redirect :two_factor_auth

data/lib/rodauth/features/update_password_hash.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  UpdatePasswordHash = Feature.define(:update_password_hash) do
+  Feature.define(:update_password_hash, :UpdatePasswordHash) do
     depends :login_password_requirements_base
 
     def password_match?(password)

data/lib/rodauth/features/verify_account.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VerifyAccount = Feature.define(:verify_account) do
+  Feature.define(:verify_account, :VerifyAccount) do
     depends :login, :create_account, :email_base
 
     error_flash "Unable to verify account"
@@ -33,9 +33,10 @@ module Rodauth
     auth_value_method :verify_account_key_column, :key
     auth_value_method :verify_account_session_key, :verify_account_key
 
-    auth_value_methods :verify_account_key_value
+    auth_value_methods :verify_account_resend_link
 
     auth_methods(
+      :allow_resending_verify_account_email?,
       :create_verify_account_key,
       :create_verify_account_email,
       :get_verify_account_key,
@@ -45,7 +46,8 @@ module Rodauth
       :verify_account,
       :verify_account_email_body,
       :verify_account_email_link,
-      :verify_account_key_insert_hash
+      :verify_account_key_insert_hash,
+      :verify_account_key_value
     )
 
     auth_private_methods(
@@ -56,8 +58,12 @@ module Rodauth
       verify_account_check_already_logged_in
       before_verify_account_resend_route
 
+      r.get do
+        resend_verify_account_view
+      end
+
       r.post do
-        if account_from_login(param(login_param)) && !open_account?
+        if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
@@ -119,6 +125,10 @@ module Rodauth
       end
     end
 
+    def allow_resending_verify_account_email?
+      account[account_status_column] == account_unverified_status_value
+    end
+
     def remove_verify_account_key
       verify_account_ds.delete
     end
@@ -139,7 +149,7 @@ module Rodauth
     end
 
     def new_account(login)
-      if account_from_login(login)
+      if account_from_login(login) && allow_resending_verify_account_email?
         set_redirect_error_status(unopen_account_error_status)
         set_error_flash attempt_to_create_unverified_account_notice_message
         response.write resend_verify_account_view
@@ -176,6 +186,14 @@ module Rodauth
       false
     end
 
+    def login_form_footer
+      super + verify_account_resend_link
+    end
+
+    def verify_account_resend_link
+      "<p><a href=\"#{prefix}/#{verify_account_resend_route}\">Resend Verify Account Information</a></p>"
+    end
+
     private
 
     attr_reader :verify_account_key_value

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VerifyAccountGracePeriod = Feature.define(:verify_account_grace_period) do
+  Feature.define(:verify_account_grace_period, :VerifyAccountGracePeriod) do
     depends :verify_account
     error_flash "Cannot change login for unverified account. Please verify this account before changing the login.", "unverified_change_login"
     redirect :unverified_change_login

data/lib/rodauth/features/verify_change_login.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VerifyChangeLogin = Feature.define(:verify_change_login) do
+  Feature.define(:verify_change_login, :VerifyChangeLogin) do
     depends :change_login, :verify_account_grace_period
 
     def change_login_notice_flash

data/lib/rodauth/features/verify_login_change.rb

@@ -0,0 +1,189 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:verify_login_change, :VerifyLoginChange) do
+    depends :change_login, :email_base
+
+    error_flash "Unable to verify login change"
+    notice_flash "Your login change has been verified"
+    loaded_templates %w'verify-login-change verify-login-change-email'
+    view 'verify-login-change', 'Verify Login Change'
+    additional_form_tags
+    after
+    before
+    button 'Verify Login Change'
+    redirect
+
+    auth_value_method :no_matching_verify_login_change_key_message, "invalid verify login change key"
+    auth_value_method :verify_login_change_autologin?, false
+    auth_value_method :verify_login_change_deadline_column, :deadline
+    auth_value_method :verify_login_change_deadline_interval, {:days=>1}
+    auth_value_method :verify_login_change_email_subject, 'Verify Login Change'
+    auth_value_method :verify_login_change_id_column, :id
+    auth_value_method :verify_login_change_key_column, :key
+    auth_value_method :verify_login_change_key_param, 'key'
+    auth_value_method :verify_login_change_login_column, :login
+    auth_value_method :verify_login_change_session_key, :verify_login_change_key
+    auth_value_method :verify_login_change_table, :account_login_change_keys
+
+    auth_methods(
+      :create_verify_login_change_email,
+      :create_verify_login_change_key,
+      :get_verify_login_change_login_and_key,
+      :remove_verify_login_change_key,
+      :send_verify_login_change_email,
+      :verify_login_change,
+      :verify_login_change_email_body,
+      :verify_login_change_email_link,
+      :verify_login_change_key_insert_hash,
+      :verify_login_change_key_value,
+      :verify_login_change_new_login,
+      :verify_login_change_old_login
+    )
+
+    auth_private_methods(
+      :account_from_verify_login_change_key
+    )
+
+    route do |r|
+      check_already_logged_in
+      before_verify_login_change_route
+
+      r.get do
+        if key = param_or_nil(verify_login_change_key_param)
+          session[verify_login_change_session_key] = key
+          redirect(r.path)
+        end
+
+        if key = session[verify_login_change_session_key]
+          if account_from_verify_login_change_key(key)
+            verify_login_change_view
+          else
+            session[verify_login_change_session_key] = nil
+            set_redirect_error_flash no_matching_verify_login_change_key_message
+            redirect require_login_redirect
+          end
+        end
+      end
+
+      r.post do
+        key = session[verify_login_change_session_key] || param(verify_login_change_key_param)
+        unless account_from_verify_login_change_key(key)
+          set_redirect_error_status(invalid_key_error_status)
+          set_redirect_error_flash verify_login_change_error_flash
+          redirect verify_login_change_redirect
+        end
+
+        transaction do
+          before_verify_login_change
+          verify_login_change
+          remove_verify_login_change_key
+          after_verify_login_change
+        end
+
+        if verify_login_change_autologin?
+          update_session
+        end
+
+        session[verify_login_change_session_key] = nil
+        set_notice_flash verify_login_change_notice_flash
+        redirect verify_login_change_redirect
+      end
+    end
+
+    def remove_verify_login_change_key
+      verify_login_change_ds.delete
+    end
+
+    def verify_login_change
+      update_account(login_column=>verify_login_change_new_login)
+    end
+
+    def account_from_verify_login_change_key(key)
+      @account = _account_from_verify_login_change_key(key)
+    end
+
+    def send_verify_login_change_email(login)
+      create_verify_login_change_email(login).deliver!
+    end
+
+    def verify_login_change_email_link
+      token_link(verify_login_change_route, verify_login_change_key_param, verify_login_change_key_value)
+    end
+
+    def get_verify_login_change_login_and_key(id)
+      verify_login_change_ds(id).get([verify_login_change_login_column, verify_login_change_key_column])
+    end
+
+    def change_login_notice_flash
+      "An email has been sent to you with a link to verify your login change"
+    end
+
+    def verify_login_change_old_login
+      account_ds.get(login_column)
+    end
+
+    attr_reader :verify_login_change_key_value
+    attr_reader :verify_login_change_new_login
+
+    private
+
+    def after_close_account
+      remove_verify_login_change_key
+      super if defined?(super)
+    end
+
+    def update_login(login)
+      generate_verify_login_change_key_value
+      @verify_login_change_new_login = login
+      create_verify_login_change_key(login)
+      send_verify_login_change_email(login)
+    end
+
+    def generate_verify_login_change_key_value
+      @verify_login_change_key_value = random_key
+    end
+
+    def create_verify_login_change_key(login)
+      ds = verify_login_change_ds
+      transaction do
+        ds.where((Sequel::CURRENT_TIMESTAMP > verify_login_change_deadline_column) | ~Sequel.expr(verify_login_change_login_column=>login)).delete
+        if e = raised_uniqueness_violation{ds.insert(verify_login_change_key_insert_hash(login))}
+          old_login, key = get_verify_login_change_login_and_key(account_id)
+          # If inserting into the verify account table causes a violation, we can pull the 
+          # key from the verify login change table if the logins match, or reraise.
+          @verify_login_change_key_value = if old_login.downcase == login.downcase
+            key
+          end
+          raise e unless @verify_login_change_key_value
+        end
+      end
+    end
+
+    def verify_login_change_key_insert_hash(login)
+      hash = {verify_login_change_id_column=>account_id, verify_login_change_key_column=>verify_login_change_key_value, verify_login_change_login_column=>login}
+      set_deadline_value(hash, verify_login_change_deadline_column, verify_login_change_deadline_interval)
+      hash
+    end
+
+    def create_verify_login_change_email(login)
+      create_email_to(login, verify_login_change_email_subject, verify_login_change_email_body)
+    end
+
+    def verify_login_change_email_body
+      render('verify-login-change-email')
+    end
+
+    def verify_login_change_ds(id=account_id)
+      db[verify_login_change_table].where(verify_login_change_id_column=>id)
+    end
+
+    def _account_from_verify_login_change_key(token)
+      account_from_key(token) do |id|
+        @verify_login_change_new_login, key = get_verify_login_change_login_and_key(id)
+        key
+      end
+    end
+  end
+end
+

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.9.0'.freeze
+  VERSION = '1.10.0'.freeze
 
   def self.version
     VERSION

data/lib/rodauth.rb

@@ -20,7 +20,14 @@ module Rodauth
 
   def self.configure(app, opts={}, &block)
     app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
-    ((app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)).configure(&block)
+    auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)
+    if !auth_class.roda_class
+      auth_class.roda_class = app
+    elsif auth_class.roda_class != app
+      auth_class = app.opts[:rodauths][opts[:name]] = Class.new(auth_class)
+      auth_class.roda_class = app
+    end
+    auth_class.configure(&block)
   end
 
   FEATURES = {}
@@ -97,7 +104,7 @@ module Rodauth
       routes << handle_meth
     end
 
-    def self.define(name, &block)
+    def self.define(name, constant=nil, &block)
       feature = new
       feature.dependencies = []
       feature.routes = []
@@ -105,6 +112,12 @@ module Rodauth
       configuration = feature.configuration = FeatureConfiguration.new
       feature.module_eval(&block)
       configuration.def_configuration_methods(feature)
+
+      if constant
+        Rodauth.const_set(constant, feature)
+        Rodauth::FeatureConfiguration.const_set(constant, configuration)
+      end
+
       FEATURES[name] = feature
     end
 
@@ -180,6 +193,7 @@ module Rodauth
 
   class Auth
     class << self
+      attr_accessor :roda_class
       attr_reader :features
       attr_reader :routes
       attr_accessor :route_hash

data/spec/migrate/001_tables.rb

@@ -45,6 +45,14 @@ Sequel.migration do
       DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
+    # Used by the verify login change feature
+    create_table(:account_login_change_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+      String :key, :null=>false
+      String :login, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
     # Used by the remember me feature
     create_table(:account_remember_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -121,6 +129,7 @@ Sequel.migration do
       run "GRANT ALL ON accounts TO #{user}"
       run "GRANT ALL ON account_password_reset_keys TO #{user}"
       run "GRANT ALL ON account_verification_keys TO #{user}"
+      run "GRANT ALL ON account_login_change_keys TO #{user}"
       run "GRANT ALL ON account_remember_keys TO #{user}"
       run "GRANT ALL ON account_login_failures TO #{user}"
       run "GRANT ALL ON account_lockouts TO #{user}"
@@ -143,6 +152,7 @@ Sequel.migration do
                :account_lockouts,
                :account_login_failures,
                :account_remember_keys,
+               :account_login_change_keys,
                :account_verification_keys,
                :account_password_reset_keys,
                :accounts,

data/spec/migrate_travis/001_tables.rb

@@ -52,6 +52,13 @@ Sequel.migration do
       DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
     end
 
+    create_table(:account_login_change_keys) do
+      foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+      String :key, :null=>false
+      String :login, :null=>false
+      DateTime :deadline, deadline_opts[1]
+    end
+
     create_table(:account_remember_keys) do
       foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
       String :key, :null=>false