rodauth 1.9.0 → 1.10.0

data/spec/reset_password_spec.rb

@@ -18,11 +18,18 @@ describe 'Rodauth reset_password feature' do
     click_button 'Request Password Reset'
     page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to reset the password for your account"
     page.current_path.must_equal '/'
-
     link = email_link(/(\/reset-password\?key=.+)$/)
+
     visit link[0...-1]
     page.find('#error_flash').text.must_equal "invalid password reset key"
 
+    visit '/login'
+    click_link 'Forgot Password?'
+    fill_in 'Login', :with=>'foo@example.com'
+    click_button 'Request Password Reset'
+    email_link(/(\/reset-password\?key=.+)$/).must_equal link
+
+    visit '/login'
     login(:pass=>'01234567', :visit=>false)
     click_button 'Request Password Reset'
     email_link(/(\/reset-password\?key=.+)$/).must_equal link

data/spec/rodauth_spec.rb

@@ -220,4 +220,31 @@ describe 'Rodauth' do
     app.instance_variable_get(:@middleware).length.must_equal 1
     app.ancestors.map(&:to_s).wont_include 'Roda::RodaPlugins::Flash::InstanceMethods'
   end
+
+  it "should inherit rodauth configuration in subclass" do
+    auth_class = nil
+    no_freeze!
+    rodauth{auth_class = auth}
+    roda(:csrf=>false, :flash=>false){}
+    Class.new(app).rodauth.must_equal auth_class
+  end
+
+  it "should use subclass of rodauth configuration if modifying rodauth configuration in subclass" do
+    auth_class = nil
+    no_freeze!
+    rodauth{auth_class = auth; auth_class_eval{def foo; 'foo' end}}
+    roda{|r| rodauth.foo}
+    visit '/'
+    page.html.must_equal 'foo'
+
+    a = Class.new(app)
+    a.plugin(:rodauth){auth_class_eval{def foo; "#{super}bar" end}}
+    a.rodauth.superclass.must_equal auth_class
+
+    visit '/'
+    page.html.must_equal 'foo'
+    self.app = a
+    visit '/'
+    page.html.must_equal 'foobar'
+  end
 end

data/spec/spec_helper.rb

@@ -43,22 +43,26 @@ require 'tilt/string'
 db_url = ENV['RODAUTH_SPEC_DB'] || 'postgres:///?user=rodauth_test&password=rodauth_test'
 DB = Sequel.connect(db_url, :identifier_mangling=>false)
 DB.extension :freeze_datasets, :date_arithmetic
-DB.freeze
 puts "using #{DB.database_type}"
 
 #DB.loggers << Logger.new($stdout)
-if DB.adapter_scheme == :jdbc && DB.database_type == :postgres
-  DB.add_named_conversion_proc(:citext){|s| s}
-end
-if DB.adapter_scheme == :jdbc && DB.database_type == :sqlite
-  DB.timezone = :utc
-  Sequel.application_timezone = :local
+if DB.adapter_scheme == :jdbc
+  case DB.database_type
+  when :postgres
+    DB.add_named_conversion_proc(:citext){|s| s}
+  when :sqlite
+    DB.timezone = :utc
+    Sequel.application_timezone = :local
+  end
 end
+
 if ENV['RODAUTH_SPEC_MIGRATE']
   Sequel.extension :migration
   Sequel::Migrator.run(DB, 'spec/migrate_travis')
 end
 
+DB.freeze
+
 ENV['RACK_ENV'] = 'test'
 
 ::Mail.defaults do

data/spec/verify_account_grace_period_spec.rb

@@ -46,6 +46,42 @@ describe 'Rodauth verify_account_grace_period feature' do
     page.body.must_include('Logged Intrue')
   end
 
+  it "should resend verify account email if attempting to create new account with same login" do
+    rodauth do
+      enable :login, :logout, :change_password, :create_account, :verify_account_grace_period
+      change_password_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In#{rodauth.verified_account?}" : "Not Logged"}
+    end
+
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    fill_in 'Password', :with=>'0123456789'
+    fill_in 'Confirm Password', :with=>'0123456789'
+    click_button 'Create Account'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    link = email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com')
+    page.body.must_include('Logged Infalse')
+    page.current_path.must_equal '/'
+
+    logout
+    visit '/create-account'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Create Account'
+    click_button 'Send Verification Email Again'
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your account"
+    page.current_path.must_equal '/login'
+    email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
+
+    visit link
+    click_button 'Verify Account'
+    page.find('#notice_flash').text.must_equal "Your account has been verified"
+    page.body.must_include('Logged Intrue')
+  end
+
   it "should not allow changing logins for unverified accounts" do
     rodauth do
       enable :login, :logout, :change_login, :verify_account_grace_period

data/spec/verify_account_spec.rb

@@ -26,8 +26,14 @@ describe 'Rodauth verify_account feature' do
     page.html.must_include("If you no longer have the email to verify the account, you can request that it be resent to you")
     click_button 'Send Verification Email Again'
     page.current_path.must_equal '/login'
+    email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
 
+    click_link 'Resend Verify Account Information'
+    fill_in 'Login', :with=>'foo@example2.com'
+    click_button 'Send Verification Email Again'
+    page.current_path.must_equal '/login'
     email_link(/(\/verify-account\?key=.+)$/, 'foo@example2.com').must_equal link
+
     visit '/create-account'
     fill_in 'Login', :with=>'foo@example2.com'
     click_button 'Create Account'

data/spec/verify_login_change_spec.rb

@@ -0,0 +1,179 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth verify_login_change feature' do
+  it "should support verifying login changes" do
+    rodauth do
+      enable :login, :logout, :verify_login_change
+      change_login_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com')
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your login change"
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com').must_equal link
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example3.com'
+    fill_in 'Confirm Login', :with=>'foo@example3.com'
+    click_button 'Change Login'
+    new_link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example3.com')
+    new_link.wont_equal link
+
+    logout
+
+    visit link
+    page.find('#error_flash').text.must_equal "invalid verify login change key"
+
+    visit new_link
+    page.title.must_equal 'Verify Login Change'
+    click_button 'Verify Login Change'
+    page.find('#notice_flash').text.must_equal "Your login change has been verified"
+    page.body.must_include('Not Logged')
+
+    login
+    page.find('#error_flash').text.must_equal "There was an error logging in"
+
+    login(:login=>'foo@example3.com')
+    page.body.must_include('Logged In')
+  end
+
+  it "should support verifying login changes with autologin" do
+    rodauth do
+      enable :login, :logout, :verify_login_change
+      verify_login_change_autologin? true
+      change_login_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com')
+
+    logout
+
+    visit link
+    click_button 'Verify Login Change'
+    page.find('#notice_flash').text.must_equal "Your login change has been verified"
+    page.body.must_include('Logged In')
+  end
+
+  it "should handle uniqueness errors raised when inserting password reset token" do
+    unique = false
+    rodauth do
+      enable :login, :logout, :verify_login_change
+      change_login_requires_password? false
+
+      auth_class_eval do
+        define_method(:raised_uniqueness_violation) do |*a, &block|
+          unique.call if unique
+          super(*a, &block)
+        end
+      end
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com')
+    page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your login change"
+
+    unique = lambda{DB[:account_login_change_keys].update(:login=>'foo@example3.com'); true}
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    proc{click_button 'Change Login'}.must_raise Sequel::ConstraintViolation
+  end
+
+  it "should clear verify login change token when closing account" do
+    rodauth do
+      enable :login, :verify_login_change, :close_account
+      change_login_requires_password? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>rodauth.logged_in? ? "Logged In" : "Not Logged"}
+    end
+
+    login
+
+    visit '/change-login'
+    fill_in 'Login', :with=>'foo@example2.com'
+    fill_in 'Confirm Login', :with=>'foo@example2.com'
+    click_button 'Change Login'
+    email_link(/key=.+$/, 'foo@example2.com').wont_be_nil
+
+    DB[:account_login_change_keys].count.must_equal 1
+    visit '/close-account'
+    fill_in 'Password', :with=>'0123456789'
+    click_button 'Close Account'
+    DB[:account_login_change_keys].count.must_equal 0
+  end
+
+  it "should support verifying login changes for accounts via jwt" do
+    rodauth do
+      enable :login, :verify_login_change
+      change_login_requires_password? false
+      verify_login_change_email_body{verify_login_change_email_link}
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+    end
+
+    json_login
+
+    res = json_request('/change-login', :login=>'foo2@example.com', "login-confirm"=>'foo2@example.com')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your login change"}]
+    link = email_link(/key=.+$/, 'foo2@example.com')
+
+    res = json_request('/change-login', :login=>'foo2@example.com', "login-confirm"=>'foo2@example.com')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your login change"}]
+    email_link(/key=.+$/, 'foo2@example.com').must_equal link
+
+    res = json_request('/change-login', :login=>'foo3@example.com', "login-confirm"=>'foo3@example.com')
+    res.must_equal [200, {'success'=>"An email has been sent to you with a link to verify your login change"}]
+    new_link = email_link(/key=.+$/, 'foo3@example.com')
+    new_link.wont_equal link
+
+    res = json_request('/verify-login-change')
+    res.must_equal [401, {"error"=>"Unable to verify login change"}]
+
+    res = json_request('/verify-login-change', :key=>link[4..-1])
+    res.must_equal [401, {"error"=>"Unable to verify login change"}]
+
+    res = json_request('/verify-login-change', :key=>new_link[4..-1])
+    res.must_equal [200, {"success"=>"Your login change has been verified"}]
+
+    res = json_request("/login", :login=>'foo@example.com', :password=>'0123456789')
+    res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
+
+    json_login(:login=>'foo3@example.com')
+  end
+end

data/templates/reset-password-request.str

@@ -1,7 +1,7 @@
 <form action="#{rodauth.prefix}/#{rodauth.reset_password_request_route}" method="post" class="rodauth form-horizontal" role="form" id="reset-password-request-form">
   #{rodauth.reset_password_request_additional_form_tags}
-  <input type="hidden" name="#{rodauth.login_param}" value="#{h request[rodauth.login_param]}"/>
   #{rodauth.csrf_tag}
-  If you have forgotten your password, you can request a password reset: 
-  <input type="submit" class="btn btn-primary inline" value="#{rodauth.reset_password_request_button}"/>
+  <p>If you have forgotten your password, you can request a password reset: </p>
+  #{(login = request[rodauth.login_param]) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
+  #{rodauth.button(rodauth.reset_password_request_button)}
 </form>

data/templates/verify-account-resend.str

@@ -1,7 +1,7 @@
 <form action="#{rodauth.prefix}/#{rodauth.verify_account_resend_route}" method="post" class="rodauth form-horizontal" role="form" id="verify-account-resend-form">
   #{rodauth.verify_account_resend_additional_form_tags}
-  <input type="hidden" name="#{rodauth.login_param}" value="#{h request[rodauth.login_param]}"/>
   #{rodauth.csrf_tag}
-  If you no longer have the email to verify the account, you can request that it be resent to you: 
-  <input type="submit" class="btn btn-primary inline" value="#{rodauth.verify_account_resend_button}"/>
+  <p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>
+  #{(login = request[rodauth.login_param]) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
+  #{rodauth.button(rodauth.verify_account_resend_button)}
 </form>

data/templates/verify-login-change-email.str

@@ -0,0 +1,9 @@
+Someone with an account has requested their login be changed to this email address:
+
+Old Login: #{rodauth.verify_login_change_old_login}
+New Login: #{rodauth.verify_login_change_new_login}
+
+If you did not request this login change, please ignore this message.  If you
+requested this login change, please go to
+#{rodauth.verify_login_change_email_link}
+to verify the login change.

data/templates/verify-login-change.str

@@ -0,0 +1,5 @@
+<form method="post" class="rodauth form-horizontal" role="form" id="verify-login-change-form">
+  #{rodauth.verify_login_change_additional_form_tags}
+  #{rodauth.csrf_tag}
+  #{rodauth.button(rodauth.verify_login_change_button)}
+</form>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: 1.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-23 00:00:00.000000000 Z
+date: 2017-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -226,6 +226,8 @@ extra_rdoc_files:
 - doc/verify_change_login.rdoc
 - doc/update_password_hash.rdoc
 - doc/http_basic_auth.rdoc
+- doc/verify_login_change.rdoc
+- doc/internals.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.2.0.txt
@@ -236,6 +238,7 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
+- doc/release_notes/1.10.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -251,6 +254,7 @@ files:
 - doc/disallow_password_reuse.rdoc
 - doc/email_base.rdoc
 - doc/http_basic_auth.rdoc
+- doc/internals.rdoc
 - doc/jwt.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
@@ -263,6 +267,7 @@ files:
 - doc/recovery_codes.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
+- doc/release_notes/1.10.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -281,6 +286,7 @@ files:
 - doc/verify_account.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_change_login.rdoc
+- doc/verify_login_change.rdoc
 - lib/roda/plugins/rodauth.rb
 - lib/rodauth.rb
 - lib/rodauth/features/account_expiration.rb
@@ -313,6 +319,7 @@ files:
 - lib/rodauth/features/verify_account.rb
 - lib/rodauth/features/verify_account_grace_period.rb
 - lib/rodauth/features/verify_change_login.rb
+- lib/rodauth/features/verify_login_change.rb
 - lib/rodauth/migrations.rb
 - lib/rodauth/version.rb
 - spec/account_expiration_spec.rb
@@ -345,6 +352,7 @@ files:
 - spec/verify_account_grace_period_spec.rb
 - spec/verify_account_spec.rb
 - spec/verify_change_login_spec.rb
+- spec/verify_login_change_spec.rb
 - spec/views/layout-other.str
 - spec/views/layout.str
 - spec/views/login.str
@@ -383,6 +391,8 @@ files:
 - templates/verify-account-email.str
 - templates/verify-account-resend.str
 - templates/verify-account.str
+- templates/verify-login-change-email.str
+- templates/verify-login-change.str
 homepage: https://github.com/jeremyevans/rodauth
 licenses:
 - MIT