rodauth 2.0.0 → 2.5.0

data/doc/release_notes/2.3.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* Configuration methods have been added for easier validation of
+  logins when logins must be valid email addresses (the default):
+
+  * login_valid_email?(login) can be used for full control of
+    determining whether the login is valid.
+
+  * login_email_regexp can be used to set the regexp used in the
+    default login_valid_email? check.
+
+  * login_not_valid_email_message can be used to set the field
+    error message if the login is not a valid email.  Previously, this
+    value was hardcoded and not translatable.
+
+* The {create,drop}_database_authentication_functions now work
+  correctly with uuid keys on PostgreSQL.  All other parts of
+  Rodauth already worked correctly with uuid keys.
+
+= Other Improvements
+
+* The before_jwt_refresh_route hook is now called before the route
+  is taken. Previously, the configuration method had no effect.
+
+* rodauth.login can now be used by external code to login the current
+  account (the account that rodauth.account returns).  This should be
+  passed the authentication type string used to login, such as
+  password.
+
+* The jwt_refresh route now returns an error for requests where a
+  valid access token for a logged in session is not provided.  You
+  can use the jwt_refresh_without_access_token_message and
+  jwt_refresh_without_access_token_status configuration methods
+  to configure the error response.
+
+* The new refresh token is now available to the after_refresh_token
+  hook by looking in json_response[jwt_refresh_token_key].

data/doc/release_notes/2.4.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A password_pepper feature has been added.  This allows you to use a
+  secret key (called a pepper) to append to passwords before hashing
+  and hash checking.  Using this approach, if an attacker obtains the
+  password hash, it is unusable for cracking unless they can also
+  get access to the pepper.
+
+  The password_pepper feature also supports a list of previous peppers
+  that can be used to implement secret rotation and to support
+  compatibility with unpeppered passwords.
+
+  Rodauth by default uses database functions for password hash
+  checking on PostgreSQL, MySQL, and Microsoft SQL Server, which in
+  general provides more security than a password pepper, but both
+  approaches can be used simultaneously.
+
+* A session_key_prefix configuration method has been added for
+  prefixing the values of all default session keys.  This can be
+  useful if you are using multiple Rodauth configurations in the same
+  application and want to make sure the session keys for the separate
+  configurations do not overlap.

data/doc/release_notes/2.5.0.txt

@@ -0,0 +1,20 @@
+= New Features
+
+* A login_return_to_requested_location_path configuration method has
+  been added to the login feature.  This controls the path to redirect
+  to if using login_return_to_requested_location?.  By default, this
+  is the same as the fullpath of the request that required login if
+  that request was a GET request, and nil if that request was not a
+  GET request.  Previously, the fullpath of that request was used even
+  if it was not a GET request, which caused problems as browsers use a
+  GET request for redirects, and it is a bad idea to redirect to a path
+  that may not handle GET requests.
+
+* A change_login_needs_verification_notice_flash configuration method
+  has been added to the verify_login_change feature, for allowing
+  translations when using the feature and not using the
+  change_login_notice_flash configuration method.
+
+= Other Improvements
+
+* new_password_label is now translatable.

data/doc/verify_login_change.rdoc

@@ -14,6 +14,7 @@ control.  Depends on the change login and email base features.
 == Auth Value Methods
 
 no_matching_verify_login_change_key_error_flash :: The flash error message to show when an invalid verify login change key is used.
+change_login_needs_verification_notice_flash :: The flash notice to show after changing a login when using this feature, if +change_login_notice_flash+ is not overridden.
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.

data/lib/rodauth.rb

@@ -119,7 +119,7 @@ module Rodauth
 
       define_method(handle_meth) do
         request.is send(route_meth) do
-          scope.check_csrf!(check_csrf_opts, &check_csrf_block) if check_csrf?
+          check_csrf if check_csrf?
           before_rodauth
           send(internal_handle_meth, request)
         end
@@ -137,7 +137,9 @@ module Rodauth
       feature.module_eval(&block)
       configuration.def_configuration_methods(feature)
 
+      # :nocov:
       if constant
+      # :nocov:
         Rodauth.const_set(constant, feature)
         Rodauth::FeatureConfiguration.const_set(constant, configuration)
       end
@@ -336,10 +338,8 @@ module Rodauth
     end
 
     def freeze
-      if opts[:rodauths]
-        opts[:rodauths].each_value(&:freeze)
-        opts[:rodauths].freeze
-      end
+      opts[:rodauths].each_value(&:freeze)
+      opts[:rodauths].freeze
       super
     end
   end

data/lib/rodauth/features/active_sessions.rb

@@ -118,14 +118,12 @@ module Rodauth
     end
 
     def before_logout
-      if request.post?
-        if param_or_nil(global_logout_param)
-          remove_all_active_sessions
-        else
-          remove_current_session
-        end
+      if param_or_nil(global_logout_param)
+        remove_all_active_sessions
+      else
+        remove_current_session
       end
-      super if defined?(super)
+      super
     end
 
     def session_inactivity_deadline_condition

data/lib/rodauth/features/audit_logging.rb

@@ -82,7 +82,9 @@ module Rodauth
 
     def audit_log_ds
       ds = db[audit_logging_table]
+      # :nocov:
       if db.database_type == :postgres
+      # :nocov:
         # For PostgreSQL, use RETURNING NULL. This allows the feature
         # to be used with INSERT but not SELECT permissions on the
         # table, useful for audit logging where the database user

data/lib/rodauth/features/base.rb

@@ -47,6 +47,7 @@ module Rodauth
     session_key :authenticated_by_session_key, :authenticated_by
     session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
+    auth_value_method :session_key_prefix, nil
     auth_value_method :require_bcrypt?, true
     auth_value_method :mark_input_fields_as_required?, true
     auth_value_method :mark_input_fields_with_autocomplete?, true
@@ -82,6 +83,7 @@ module Rodauth
       :already_logged_in,
       :authenticated?,
       :autocomplete_for_field?,
+      :check_csrf,
       :clear_session,
       :csrf_tag,
       :function_name,
@@ -254,6 +256,10 @@ module Rodauth
       Sequel::DATABASES.first
     end
 
+    def password_field_autocomplete_value
+      @password_field_autocomplete_value || 'current-password'
+    end
+
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -333,6 +339,10 @@ module Rodauth
       @account = _account_from_session
     end
 
+    def check_csrf
+      scope.check_csrf!(check_csrf_opts, &check_csrf_block)
+    end
+
     def csrf_tag(path=request.path)
       return unless scope.respond_to?(:csrf_tag)
 
@@ -384,9 +394,9 @@ module Rodauth
     def password_match?(password)
       if hash = get_password_hash
         if account_password_hash_column || !use_database_authentication_functions?
-          BCrypt::Password.new(hash) == password
+          password_hash_match?(hash, password)
         else
-          db.get(Sequel.function(function_name(:rodauth_valid_password_hash), account_id, BCrypt::Engine.hash_secret(password, hash)))
+          database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
         end 
       end
     end
@@ -449,6 +459,14 @@ module Rodauth
 
     private
 
+    def database_function_password_match?(name, hash_id, password, salt)
+      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+    end
+
+    def password_hash_match?(hash, password)
+      BCrypt::Password.new(hash) == password
+    end
+
     def convert_token_key(key)
       if key && hmac_secret
         compute_hmac(key)
@@ -484,6 +502,7 @@ module Rodauth
     end
 
     def convert_session_key(key)
+      key = "#{session_key_prefix}#{key}".to_sym if session_key_prefix
       scope.opts[:sessions_convert_symbols] ? key.to_s : key
     end
 

data/lib/rodauth/features/change_password.rb

@@ -14,7 +14,7 @@ module Rodauth
     button 'Change Password'
     redirect
 
-    auth_value_method :new_password_label, 'New Password'
+    translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
 
     auth_value_methods(

data/lib/rodauth/features/close_account.rb

@@ -33,7 +33,11 @@ module Rodauth
       end
 
       r.post do
-        if !close_account_requires_password? || password_match?(param(password_param))
+        catch_error do
+          if close_account_requires_password? && !password_match?(param(password_param))
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+          end
+
           transaction do
             before_close_account
             close_account
@@ -46,12 +50,10 @@ module Rodauth
 
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
-        else
-          set_response_error_status(invalid_password_error_status)
-          set_field_error(password_param, invalid_password_message)
-          set_error_flash close_account_error_flash
-          close_account_view
         end
+
+        set_error_flash close_account_error_flash
+        close_account_view
       end
     end
 

data/lib/rodauth/features/create_account.rb

@@ -30,6 +30,7 @@ module Rodauth
     route do |r|
       check_already_logged_in
       before_create_account_route
+      @password_field_autocomplete_value = 'new-password'
 
       r.get do
         create_account_view

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -51,11 +51,13 @@ module Rodauth
         return true if salts.empty?
 
         salts.any? do |hash_id, salt|
-          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+          database_function_password_match?(:rodauth_previous_password_hash_match, hash_id, password, salt)
         end
       else
         # :nocov:
-        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        previous_password_ds.select_map(previous_password_hash_column).any? do |hash|
+          password_hash_match?(hash, password)
+        end
         # :nocov:
       end
 

data/lib/rodauth/features/email_auth.rb

@@ -94,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login('email_auth')
+        login('email_auth')
       end
     end
 
@@ -215,7 +215,7 @@ module Rodauth
       # that allows login access to the account becomes a
       # security liability, and it is best to remove it.
       remove_email_auth_key
-      super if defined?(super)
+      super
     end
 
     def after_close_account

data/lib/rodauth/features/http_basic_auth.rb

@@ -5,11 +5,20 @@ module Rodauth
     auth_value_method :http_basic_auth_realm, "protected"
     auth_value_method :require_http_basic_auth?, false
 
+    def logged_in?
+      ret = super
+
+      if !ret && !defined?(@checked_http_basic_auth)
+        http_basic_auth
+        ret = super
+      end
+
+      ret
+    end
+
     def require_login
       if require_http_basic_auth?
         require_http_basic_auth
-      elsif !logged_in?
-        http_basic_auth
       end
 
       super
@@ -23,6 +32,9 @@ module Rodauth
     end
 
     def http_basic_auth
+      return @checked_http_basic_auth if defined?(@checked_http_basic_auth)
+
+      @checked_http_basic_auth = nil
       return unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
 
       username, password = token.unpack("m*").first.split(/:/, 2)
@@ -50,6 +62,7 @@ module Rodauth
           after_login
         end
 
+        @checked_http_basic_auth = true
         return true
       end
 

data/lib/rodauth/features/jwt.rb

@@ -50,7 +50,7 @@ module Rodauth
           json_response[json_response_error_key] = invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -138,15 +138,25 @@ module Rodauth
       !!(jwt_token && jwt_payload)
     end
 
+    def view(page, title)
+      return super unless use_jwt?
+      return_json_response
+    end
+
     private
 
+    def check_csrf?
+      return false if use_jwt?
+      super
+    end
+
     def before_rodauth
       if json_request?
         if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
           response.status = 406
           json_response[json_response_error_key] = json_not_accepted_error_message
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -251,12 +261,6 @@ module Rodauth
       @json_response ||= {}
     end
 
-    def _view(meth, page)
-      return super unless use_jwt?
-      return super if meth == :render
-      return_json_response
-    end
-
     def _json_response_body(hash)
       request.send(:convert_to_json, hash)
     end

data/lib/rodauth/features/jwt_cors.rb

@@ -13,27 +13,27 @@ module Rodauth
     auth_methods(:jwt_cors_allow?)
 
     def jwt_cors_allow?
-      if origin = request.env['HTTP_ORIGIN']
-        case allowed = jwt_cors_allow_origin
-        when String
-          timing_safe_eql?(origin, allowed)
-        when Array
-          allowed.any?{|s| timing_safe_eql?(origin, s)}
-        when Regexp
-          allowed =~ origin
-        when true
-          true
-        else
-          false
-        end
+      return false unless origin = request.env['HTTP_ORIGIN']
+
+      case allowed = jwt_cors_allow_origin
+      when String
+        timing_safe_eql?(origin, allowed)
+      when Array
+        allowed.any?{|s| timing_safe_eql?(origin, s)}
+      when Regexp
+        allowed =~ origin
+      when true
+        true
+      else
+        false
       end
     end
 
     private
 
     def before_rodauth
-      if (origin = request.env['HTTP_ORIGIN']) && jwt_cors_allow?
-        response['Access-Control-Allow-Origin'] = origin
+      if jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
 
         # Handle CORS preflight request
         if request.request_method == 'OPTIONS'

data/lib/rodauth/features/jwt_refresh.rb

@@ -19,23 +19,29 @@ module Rodauth
     auth_value_method :jwt_refresh_token_key_column, :key
     auth_value_method :jwt_refresh_token_key_param, 'refresh_token'
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
+    translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
+    auth_value_method :jwt_refresh_without_access_token_status, 401
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      before_jwt_refresh_route
+
       r.post do
-        if (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
-          formatted_token = nil
+        if !session_value
+          response.status ||= jwt_refresh_without_access_token_status
+          json_response[json_response_error_key] = jwt_refresh_without_access_token_message
+        elsif (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
           transaction do
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            json_response[jwt_refresh_token_key] = formatted_token
+            json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
-          json_response[jwt_refresh_token_key] = formatted_token
-          json_response[jwt_access_token_key] = session_jwt
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
           response.status ||= json_response_error_status
@@ -80,14 +86,10 @@ module Rodauth
     private
 
     def _account_from_refresh_token(token)
-      id, token = split_token(token)
-      return unless id && token
-
-      token_id, key = split_token(token)
-      return unless token_id && key
+      id, token_id, key = _account_refresh_token_split(token)
 
+      return unless key
       return unless actual = get_active_refresh_token(id, token_id)
-
       return unless timing_safe_eql?(key, convert_token_key(actual))
 
       ds = account_ds(id)
@@ -95,6 +97,16 @@ module Rodauth
       ds.first
     end
 
+    def _account_refresh_token_split(token)
+      id, token = split_token(token)
+      return unless id && token
+
+      token_id, key = split_token(token)
+      return unless token_id && key
+
+      [id, token_id, key]
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -134,6 +146,23 @@ module Rodauth
       hash
     end
 
+    def before_logout
+      if token = param_or_nil(jwt_refresh_token_key_param)
+        if token == 'all'
+          jwt_refresh_token_account_ds(session_value).delete
+        else
+          id, token_id, key = _account_refresh_token_split(token)
+
+          if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
+            jwt_refresh_token_account_ds(id).
+              where(jwt_refresh_token_id_column=>token_id).
+              delete
+          end
+        end
+      end
+      super if defined?(super)
+    end
+
     def after_close_account
       jwt_refresh_token_account_ds(account_id).delete
       super if defined?(super)