rodauth 2.0.0 → 2.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +14 -0
- data/doc/base.rdoc +1 -0
- data/doc/release_notes/2.1.0.txt +31 -0
- data/lib/rodauth.rb +1 -1
- data/lib/rodauth/features/base.rb +9 -0
- data/lib/rodauth/features/create_account.rb +1 -0
- data/lib/rodauth/features/http_basic_auth.rb +15 -2
- data/lib/rodauth/features/jwt.rb +7 -2
- data/lib/rodauth/features/verify_account.rb +1 -0
- data/lib/rodauth/features/verify_account_grace_period.rb +1 -1
- data/lib/rodauth/version.rb +1 -1
- data/templates/password-field.str +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 11417c5f63db5803f35ba8a92e98827b9f0deeb0a774071b5fbe712fa24f02fd
|
|
4
|
+
data.tar.gz: b0ee20c0ce7af6eea42b32bcab2e476a2ee75b62b283281de7001d5ba4002597
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 13110a40f40a08c7fb03f1ce44a723afc6e53b4f4b16f690c852dc0adfc4d1bb08b6b87f164be98d50dfc61a6c99a35759901ed3bc7b5ab3dbbcb48b00b6ec5e
|
|
7
|
+
data.tar.gz: 2d7f46d8a9370b67af58eb60d5ac8f324f2619d3cd9bac10b6a27890c9637ceff229ce0404a6d00c9c7fdf8d796d045d3bd06e7489fe08f589580d6a20271cf4
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,17 @@
|
|
|
1
|
+
=== 2.1.0 (2020-06-09)
|
|
2
|
+
|
|
3
|
+
* Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
|
|
4
|
+
|
|
5
|
+
* Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
|
|
6
|
+
|
|
7
|
+
* Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
|
|
8
|
+
|
|
9
|
+
* Add check_csrf configuration method to customize CSRF checking (janko) (#96)
|
|
10
|
+
|
|
11
|
+
* Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
|
|
12
|
+
|
|
13
|
+
* Don't consider account open if in unverified grace period without password (janko) (#92)
|
|
14
|
+
|
|
1
15
|
=== 2.0.0 (2020-05-06)
|
|
2
16
|
|
|
3
17
|
* Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
|
data/doc/base.rdoc
CHANGED
|
@@ -91,6 +91,7 @@ authenticated? :: Whether the user has been authenticated. If multifactor authen
|
|
|
91
91
|
before_login :: Run arbitrary code after password has been checked, but before updating the session.
|
|
92
92
|
before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.
|
|
93
93
|
before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
|
|
94
|
+
check_csrf :: Checks CSRF token using Roda's +check_csrf!+ method.
|
|
94
95
|
clear_session :: Clears the current session.
|
|
95
96
|
csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
|
|
96
97
|
function_name(name) :: The name of the database function to call. It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* A check_csrf configuration method has been added for checking
|
|
4
|
+
the CSRF token. This is useful in cases where the CSRF protection
|
|
5
|
+
is provided by something other than the Roda route_csrf plugin.
|
|
6
|
+
|
|
7
|
+
= Other Improvements
|
|
8
|
+
|
|
9
|
+
* When using the http_basic_auth feature, logged_in? now checks for
|
|
10
|
+
Basic authentication if the session is not already authenticated
|
|
11
|
+
and Basic authentication has not yet been checked. This increases
|
|
12
|
+
compatibility for applications that were using the http_basic_auth
|
|
13
|
+
feature in Rodauth 1.
|
|
14
|
+
|
|
15
|
+
* When creating accounts, the password field now correctly uses the
|
|
16
|
+
new-password autocomplete attribute instead of the current-password
|
|
17
|
+
autocomplete attribute.
|
|
18
|
+
|
|
19
|
+
* When using the jwt feature, Rodauth no longer checks CSRF tokens
|
|
20
|
+
in requests to Rodauth routes if the request submitted is a JSON
|
|
21
|
+
request, includes a JWT, or Rodauth has been configured in JSON-only
|
|
22
|
+
mode.
|
|
23
|
+
|
|
24
|
+
* When using the verify_account_grace_period feature, if there is an
|
|
25
|
+
unverified account without a password, do not consider the account
|
|
26
|
+
open. Attempting to login into the account in such a case now
|
|
27
|
+
shows a message letting the user know to verify the account.
|
|
28
|
+
|
|
29
|
+
* The json_response_body configuration method is now used consistently
|
|
30
|
+
in the jwt feature for all JSON responses. Previously, there were
|
|
31
|
+
some cases that did not use it.
|
data/lib/rodauth.rb
CHANGED
|
@@ -119,7 +119,7 @@ module Rodauth
|
|
|
119
119
|
|
|
120
120
|
define_method(handle_meth) do
|
|
121
121
|
request.is send(route_meth) do
|
|
122
|
-
|
|
122
|
+
check_csrf if check_csrf?
|
|
123
123
|
before_rodauth
|
|
124
124
|
send(internal_handle_meth, request)
|
|
125
125
|
end
|
|
@@ -82,6 +82,7 @@ module Rodauth
|
|
|
82
82
|
:already_logged_in,
|
|
83
83
|
:authenticated?,
|
|
84
84
|
:autocomplete_for_field?,
|
|
85
|
+
:check_csrf,
|
|
85
86
|
:clear_session,
|
|
86
87
|
:csrf_tag,
|
|
87
88
|
:function_name,
|
|
@@ -254,6 +255,10 @@ module Rodauth
|
|
|
254
255
|
Sequel::DATABASES.first
|
|
255
256
|
end
|
|
256
257
|
|
|
258
|
+
def password_field_autocomplete_value
|
|
259
|
+
@password_field_autocomplete_value || 'current-password'
|
|
260
|
+
end
|
|
261
|
+
|
|
257
262
|
# If the account_password_hash_column is set, the password hash is verified in
|
|
258
263
|
# ruby, it will not use a database function to do so, it will check the password
|
|
259
264
|
# hash using bcrypt.
|
|
@@ -333,6 +338,10 @@ module Rodauth
|
|
|
333
338
|
@account = _account_from_session
|
|
334
339
|
end
|
|
335
340
|
|
|
341
|
+
def check_csrf
|
|
342
|
+
scope.check_csrf!(check_csrf_opts, &check_csrf_block)
|
|
343
|
+
end
|
|
344
|
+
|
|
336
345
|
def csrf_tag(path=request.path)
|
|
337
346
|
return unless scope.respond_to?(:csrf_tag)
|
|
338
347
|
|
|
@@ -5,11 +5,20 @@ module Rodauth
|
|
|
5
5
|
auth_value_method :http_basic_auth_realm, "protected"
|
|
6
6
|
auth_value_method :require_http_basic_auth?, false
|
|
7
7
|
|
|
8
|
+
def logged_in?
|
|
9
|
+
ret = super
|
|
10
|
+
|
|
11
|
+
if !ret && !defined?(@checked_http_basic_auth)
|
|
12
|
+
http_basic_auth
|
|
13
|
+
ret = super
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
ret
|
|
17
|
+
end
|
|
18
|
+
|
|
8
19
|
def require_login
|
|
9
20
|
if require_http_basic_auth?
|
|
10
21
|
require_http_basic_auth
|
|
11
|
-
elsif !logged_in?
|
|
12
|
-
http_basic_auth
|
|
13
22
|
end
|
|
14
23
|
|
|
15
24
|
super
|
|
@@ -23,6 +32,9 @@ module Rodauth
|
|
|
23
32
|
end
|
|
24
33
|
|
|
25
34
|
def http_basic_auth
|
|
35
|
+
return @checked_http_basic_auth if defined?(@checked_http_basic_auth)
|
|
36
|
+
|
|
37
|
+
@checked_http_basic_auth = nil
|
|
26
38
|
return unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
|
|
27
39
|
|
|
28
40
|
username, password = token.unpack("m*").first.split(/:/, 2)
|
|
@@ -50,6 +62,7 @@ module Rodauth
|
|
|
50
62
|
after_login
|
|
51
63
|
end
|
|
52
64
|
|
|
65
|
+
@checked_http_basic_auth = true
|
|
53
66
|
return true
|
|
54
67
|
end
|
|
55
68
|
|
data/lib/rodauth/features/jwt.rb
CHANGED
|
@@ -50,7 +50,7 @@ module Rodauth
|
|
|
50
50
|
json_response[json_response_error_key] = invalid_jwt_format_error_message
|
|
51
51
|
response.status ||= json_response_error_status
|
|
52
52
|
response['Content-Type'] ||= json_response_content_type
|
|
53
|
-
response.write(
|
|
53
|
+
response.write(_json_response_body(json_response))
|
|
54
54
|
request.halt
|
|
55
55
|
end
|
|
56
56
|
|
|
@@ -140,13 +140,18 @@ module Rodauth
|
|
|
140
140
|
|
|
141
141
|
private
|
|
142
142
|
|
|
143
|
+
def check_csrf?
|
|
144
|
+
return false if use_jwt?
|
|
145
|
+
super
|
|
146
|
+
end
|
|
147
|
+
|
|
143
148
|
def before_rodauth
|
|
144
149
|
if json_request?
|
|
145
150
|
if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
|
|
146
151
|
response.status = 406
|
|
147
152
|
json_response[json_response_error_key] = json_not_accepted_error_message
|
|
148
153
|
response['Content-Type'] ||= json_response_content_type
|
|
149
|
-
response.write(
|
|
154
|
+
response.write(_json_response_body(json_response))
|
|
150
155
|
request.halt
|
|
151
156
|
end
|
|
152
157
|
|
data/lib/rodauth/version.rb
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
<div class="form-group">
|
|
2
2
|
<label for="password">#{rodauth.password_label}#{rodauth.input_field_label_suffix}</label>
|
|
3
|
-
#{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password', :autocomplete=>
|
|
3
|
+
#{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password', :autocomplete=>rodauth.password_field_autocomplete_value)}
|
|
4
4
|
</div>
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-06-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -303,6 +303,7 @@ extra_rdoc_files:
|
|
|
303
303
|
- doc/release_notes/1.22.0.txt
|
|
304
304
|
- doc/release_notes/1.23.0.txt
|
|
305
305
|
- doc/release_notes/2.0.0.txt
|
|
306
|
+
- doc/release_notes/2.1.0.txt
|
|
306
307
|
files:
|
|
307
308
|
- CHANGELOG
|
|
308
309
|
- MIT-LICENSE
|
|
@@ -361,6 +362,7 @@ files:
|
|
|
361
362
|
- doc/release_notes/1.8.0.txt
|
|
362
363
|
- doc/release_notes/1.9.0.txt
|
|
363
364
|
- doc/release_notes/2.0.0.txt
|
|
365
|
+
- doc/release_notes/2.1.0.txt
|
|
364
366
|
- doc/remember.rdoc
|
|
365
367
|
- doc/reset_password.rdoc
|
|
366
368
|
- doc/session_expiration.rdoc
|