rodauth 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11417c5f63db5803f35ba8a92e98827b9f0deeb0a774071b5fbe712fa24f02fd
-  data.tar.gz: b0ee20c0ce7af6eea42b32bcab2e476a2ee75b62b283281de7001d5ba4002597
+  metadata.gz: f672a0312d4a0c6103bb763d339161119551a0e64cc248546a0cb52f4e6784c1
+  data.tar.gz: 530d322cc3ddba655959238aafe155512de11f090afb9465980181dcc729d1b9
 SHA512:
-  metadata.gz: 13110a40f40a08c7fb03f1ce44a723afc6e53b4f4b16f690c852dc0adfc4d1bb08b6b87f164be98d50dfc61a6c99a35759901ed3bc7b5ab3dbbcb48b00b6ec5e
-  data.tar.gz: 2d7f46d8a9370b67af58eb60d5ac8f324f2619d3cd9bac10b6a27890c9637ceff229ce0404a6d00c9c7fdf8d796d045d3bd06e7489fe08f589580d6a20271cf4
+  metadata.gz: d8018f5e02d077bd8625c17c8c5a1f607b986c1916296132ef68e2651d2af26d65ddbdfdc9b5f1352431c74caa30e94d270cc03840207303f8fa0e6a44910a0b
+  data.tar.gz: 5f24ce4d800d3bbe914dac40dba1cd68b78af4aff5efdaf976b32702d45b5fe7809453d2a650f407437afb1b9d6206ff3d79e6f703fcd85d8d55a0f0658464eb

data/CHANGELOG

@@ -1,3 +1,21 @@
+=== 2.2.0 (2020-07-20)
+
+* Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)
+
+* Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
+
+* Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
+
+* Reduce queries in #authenticated? and #require_authentication when using two factor authentication (janko) (#106)
+
+* Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
+
+* Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
+
+* Remove unnecessary conditionals (jeremyevans)
+
+* Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)
+
 === 2.1.0 (2020-06-09)
 
 * Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)

data/doc/guides/admin_activation.rdoc

@@ -0,0 +1,46 @@
+= Require account verification by admin
+
+There are scenarios in which, instead of allowing the user to verify they have
+access to the email for the account, you may want to have an admin or moderator
+approve new accounts manually. One way this can be achieved by sending the
+account verification email to the admin:
+
+  plugin :rodauth do
+    enable :login, :logout, :verify_account, :reset_password
+
+    # Send account verification email to the admin
+    email_to do
+      if account[account_status_column] == account_unverified_status_value
+        "admin@myapp.com"
+      else
+        super()
+      end
+    end
+
+    # Do not ask for password when creating or verifying account
+    verify_account_set_password? false
+    create_account_set_password? false
+
+    # Adjust the account verification email subject and body
+    verify_account_email_subject "New User Awaiting Admin Approval"
+    verify_account_email_body do
+      "The user #{account[login_column]} has created an account. Click here to approve it: #{verify_account_email_link}."
+    end
+
+    # Display this message to the user after they've created their account
+    verify_account_email_sent_notice_flash "Your account has been created and is awaiting approval"
+
+    # Prevent the admin from being logged in after confirming the account
+    verify_account_autologin? false
+    verify_account_notice_flash "The account has been approved"
+
+    # Send a reset password email after verifying the account.
+    # This allows the user to choose the password for the account,
+    # and also makes sure the user can only log in if they have
+    # access to the email address for the account.
+    after_verify_account do
+      generate_reset_password_key_value
+      create_reset_password_key
+      send_reset_password_email
+    end
+  end

data/doc/guides/already_authenticated.rdoc

@@ -0,0 +1,10 @@
+= Skip login page if already authenticated
+
+In some cases it may be useful to skip login/registration pages when the user
+is already logged in. This can be achieved as follows.  Note that this only
+matters if the user manually navigates to the login or create account pages.
+
+  plugin :rodauth do
+    # Redirect logged in users to the wherever login redirects to
+    already_logged_in { redirect login_redirect }
+  end

data/doc/guides/alternative_login.rdoc

@@ -0,0 +1,46 @@
+= Use a non-email login
+
+Rodauth's by default uses email addresses for identifying users, since that is
+the most common form of identifier currently. In some cases, you might want
+to allow logging in via alternative identifiers, such as a username.  In this
+case, it is best to choose a different column name for the login, such as
++:username+.  Among other things, this also makes it so that the login field
+does not expect an email address to be provided.
+
+  plugin :rodauth do
+    enable :login, :logout
+    login_column :username
+  end
+
+Note that Rodauth features that require sending email need an email address, and
+that defaults to the value of the login column.  If you have both a username and
+an email for an account, you can have the login column be the user, and use the
+value of the email colummn for the email address.
+
+  plugin :rodauth do
+    enable :login, :logout, :reset_password
+
+    login_column :username
+    email_to do
+      account[:email]
+    end
+  end
+
+An alternative approach would be to accept a login and automatically change it
+to an email address. If you have a +username+ field on the +accounts+ table,
+then you can configure Rodauth to allow entering a username instead of email
+during login.  See the {Adding new registration field}[rdoc-ref:doc/guides/registration_field.rdoc]
+guide for instructions on requiring add an additional field during registration.
+
+  plugin :rodauth do
+    enable :login, :logout
+
+    account_from_login do |login|
+      # handle the case when login parameter is a username
+      unless login.include?("@")
+        login = db[:accounts].where(username: login).get(:email)
+      end
+
+      super(login)
+    end
+  end

data/doc/guides/create_account_programmatically.rdoc

@@ -0,0 +1,38 @@
+= Create an account record programmatically
+
+In some scenarios you might want to create an account records programmatically,
+for example in your tests.
+
+If you're storing passwords in a separate table, you can create an account
+records as follows:
+
+  account_id = DB[:accounts].insert(
+    email:     "name@example.com",
+    status_id: 2, # verified
+  )
+
+  DB[:account_password_hashes].insert(
+    id:            account_id,
+    password_hash: BCrypt::Password.create("secret").to_s,
+  )
+
+If the password is stored in a column in the accounts table:
+
+  account_id = DB[:accounts].insert(
+    email:         "name@example.com",
+    password_hash: BCrypt::Password.create("secret").to_s,
+    status_id:     2, # verified
+  )
+
+If you are creating accounts in your tests, you probably want to use
+the +:cost+ option, otherwise you will have very slow tests:
+
+  account_id = DB[:accounts].insert(
+    email:     "name@example.com",
+    status_id: 2, # verified
+  )
+
+  DB[:account_password_hashes].insert(
+    id:            account_id,
+    password_hash: BCrypt::Password.create("secret", cost: BCrypt::Engine::MIN_COST).to_s,
+  )

data/doc/guides/delay_password.rdoc

@@ -0,0 +1,25 @@
+= Set password when verifying account
+
+If you want to request less information from the user on registration, you can
+ask the user to set their password only when they verify their account:
+
+  plugin :rodauth do
+    enable :login, :logout, :verify_account
+    verify_account_set_password? true
+  end
+
+Note that this is already the default behaviour when verify account feature is
+loaded, but it's not when verify account grace period is used, because it would
+prevent the account from logging in during the grace period. You can work around
+this by automatically remebering their login during account creation using the
+remember feature.  Be aware that remembering accounts has effects beyond the
+verification period, and this would only allow automatic logins from the browser
+that created the account.
+
+  plugin :rodauth do
+    enable :login, :logout, :verify_account_grace_period, :remember
+    verify_account_set_password? true
+    after_create_account do
+      remember_login
+    end
+  end

data/doc/guides/email_only.rdoc

@@ -0,0 +1,16 @@
+= Allow only email authentication
+
+When using the email authentication feature, you can avoid other authentication
+mechanisms entirely as follows:
+
+  plugin :rodauth do
+    enable :login, :email_auth, :create_account, :verify_account
+
+    create_account_set_password? false
+    verify_account_set_password? false
+    force_email_auth? true
+  end
+
+With this configuration, users won't be required to enter a password on
+registration, and on login the email authentication link will automatically be
+sent after the email address is entered.

data/doc/guides/i18n.rdoc

@@ -0,0 +1,26 @@
+= Translate with i18n gem
+
+Rodauth allows transforming user-facing text configuration such as flash
+messages, validation errors, labels etc. via the +translate+ configuration
+method. This method receives a name of a configuration along with its default
+value, and is expected to return the result text.
+
+You can use this to perform translations using the
+{i18n gem}[https://github.com/ruby-i18n/i18n]:
+
+  plugin :rodauth do
+    enable :login, :logout, :reset_password
+
+    translate do |key, default|
+      I18n.translate("rodauth.#{key}") || default
+    end
+  end
+
+Your translation file may then look something like this:
+
+  en:
+    rodauth:
+      login_notice_flash: "You have been signed in"
+      require_login_error_flash: "Login is required for accessing this page"
+      no_matching_login_message: "user with this email address doesn't exist"
+      reset_password_email_subject: "Password Reset Instructions"

data/doc/guides/links.rdoc

@@ -0,0 +1,12 @@
+= Display authentication links
+
+You can retrieve a relative URL to any Rodauth action by calling the
+corresponding <tt>*_path</tt> method on the Rodauth instance:
+
+  <a href="<%= rodauth.login_path %>">Sign in</a>
+  <a href="<%= rodauth.create_account_path %>">Sign up</a>
+
+For absolute URLs instead of paths, you can use the <tt>*_url</tt> methods:
+
+  <a href="<%= rodauth.login_url %>">Sign in</a>
+  <a href="<%= rodauth.create_account_url %>">Sign up</a>

data/doc/guides/login_return.rdoc

@@ -0,0 +1,37 @@
+= Redirect to original page after login
+
+When the user attempts to open a page that requires authentication, Rodauth
+redirects them to the login page. It can be useful to redirect them back to
+the page they originally requested after successful login.  Similarly, you
+can do this for pages requiring multifactor authentication.
+
+  plugin :rodauth do
+    enable :login, :logout, :otp
+
+    # Have successful login redirect back to originally requested page
+    login_return_to_requested_location? true
+
+    # Have successful multifactor authentication redirect back to
+    # originally requested page
+    two_factor_auth_return_to_requested_location? true
+  end
+
+You can manually set which page to redirect after login or multifactor
+authentication, though it is questionable whether the user will desire
+this behavior compared to the default.
+
+  route do |r|
+    r.rodauth
+
+    # Return the last visited path after login
+    if rodauth.logged_in?
+      # Return to the last visited page after multifactor authentication
+      unless rodauth.two_factor_authenticated?
+        session[rodauth.two_factor_auth_redirect_session_key] = request.fullpath
+      end
+    else
+      session[rodauth.login_redirect_session_key] = request.fullpath
+    end
+
+    # rest of routes
+  end

data/doc/guides/password_column.rdoc

@@ -0,0 +1,25 @@
+= Store password hash in accounts table
+
+By default, Rodauth stores the password hash in a separate
++account_password_hashes+ table.  This makes it a lot less likely that the
+password hashes will be leaked, especially if you use Rodauth's default
+approach of using database functions for checking the hashes.
+
+However, if you have reasons for storing the password hashes in +accounts+
+table that outweigh the security benefits of Rodauth's default approach,
+Rodauth supports that.
+
+To do this, add the password hash column to the +accounts+ table:
+
+  alter_table :accounts do
+    add_column :password_hash, String
+  end
+
+And then tell Rodauth to use it:
+
+  plugin :rodauth do
+    enable :login, :logout
+
+    # Use the password_hash column in the accounts table
+    account_password_hash_column :password_hash
+  end

data/doc/guides/password_confirmation.rdoc

@@ -0,0 +1,37 @@
+= Require password confirmation for certain actions
+
+You might want to require the user to enter their password before accessing
+sensitive sections of the app. This functionality is provided by the confirm
+password feature, which accompanied with the password grace period feature will
+remember the entered password for a period of time:
+
+  plugin :rodauth do
+    enable :confirm_password, :password_grace_period
+
+    # Remember the password for 1 hour
+    password_grace_period 60*60
+  end
+
+  route do |r|
+    r.rodauth
+
+    r.is 'some-action' do
+      # Require password authentication if the password has not been
+      # input recently.
+      rodauth.require_password_authentication
+
+      # ...
+    end
+  end
+
+You can also do this for Rodauth actions that normally require a password.
+Which essentially moves the password confirmation into a separate step, as
+Rodauth's behavior with the password grace period feature is to ask for the
+password on the same form.
+
+  plugin :rodauth do
+    enable :confirm_password, :password_grace_period, :change_login, :change_password
+
+    before_change_login_route    { require_password_authentication }
+    before_change_password_route { require_password_authentication }
+  end

data/doc/guides/password_requirements.rdoc

@@ -0,0 +1,30 @@
+= Customize password requirements
+
+By default, Rodauth requires passwords to have at least 6 characters. You can
+modify the minimum length:
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account
+
+    # Require passwords to have at least 8 characters
+    password_minimum_length 8
+  end
+
+You can use the {disallow common passwords feature}[rdoc-ref:doc/disallow_common_passwords.rdoc]
+to prevent the usage of common passwords (the most common 10,000 by default).
+
+You can use additional complexity checks on passwords via the {password
+complexity feature}[rdoc-ref:doc/password_complexity.rdoc], though most of
+those complexity checks are no longer considered modern security best
+practices and are likely to decrease overall security.
+
+If you want complete control over whether passwords meet requirements, you
+can use the <tt>password_meets_requirements?</tt> configuration method.
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account
+
+    password_meets_requirements? do |password|
+      #true if password meets requirements, false otherwise
+    end
+  end

data/doc/guides/paths.rdoc

@@ -0,0 +1,36 @@
+= Change route path
+
+You can change the URL path of any Rodauth route by overriding the
+corresponding <tt>*_route</tt> method:
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account, :reset_password
+
+    # Change login route to "/signin"
+    login_route "signin"
+
+    # Change create account route to "/register"
+    create_account_route "register"
+
+    # Change password reset request route to "/reset-password/request"
+    reset_password_request_route "reset-password/request"
+  end
+
+If you want to add a prefix to all Rodauth routes, you should use the +prefix+
+setting:
+
+  plugin :rodauth do
+    enable :login, :logout
+
+    # Use /auth prefix to each Rodauth route
+    prefix "/auth"
+  end
+
+  route do |r|
+    r.on "auth" do
+      # Serve Rodauth routes under the /auth branch of the routing tree
+      r.rodauth
+    end
+
+    # ...
+  end

data/doc/guides/query_params.rdoc

@@ -0,0 +1,9 @@
+= Pass query parameters to auth URLs
+
+The <tt>*_path</tt> and <tt>*_url</tt> methods allow passing additional query parameters:
+
+  rodauth.create_account_path(type: "seller")
+  #=> "/create-account?type=seller"
+
+  rodauth.login_url(type: "operator")
+  #=> "https//example.com/login?type=operator"

data/doc/guides/redirects.rdoc

@@ -0,0 +1,17 @@
+= Change redirect destination
+
+You can change the redirect destination for any Rodauth action by overriding
+the corresponding <tt>*_redirect</tt> method:
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account, :reset_password
+
+    # Redirect to "/dashboard" after login
+    login_redirect "/dashboard"
+
+    # Redirect to wherever login redirects to after creating account
+    create_account_redirect { login_redirect }
+
+    # Redirect to login page after password reset
+    reset_password_redirect { login_path }
+  end

data/doc/guides/registration_field.rdoc

@@ -0,0 +1,68 @@
+= Add new field during account creation
+
+The create account form only handles login and password parameters by
+default. However, you might want to ask for additional information during
+account creation, such as requiring the user to also enter their full name
+or their company's name.
+
+== A) Accounts table
+
+Let's assume you wanted to wanted to store the additional field(s) directly on
+the +accounts+ table:
+
+  atler_table :accounts do
+    add_column :name, String
+  end
+
+You need to override the <tt>create-account</tt> template, which by default in
+Rodauth you can do by adding a <tt>create-account.erb</tt> template in your
+Roda +views+ directory.  
+
+Once you've added the <tt>create-account.erb</tt> template, and had it include
+a field for the +name+, you can handle the submission of that field in a before
+create account hook:
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account
+
+    before_create_account do
+      # Validate presence of the name field
+      unless name = param_or_nil("name")
+        throw_error_status(422, "name", "must be present")
+      end
+
+      # Assign the new field to the account record
+      account[:name] = name
+    end
+  end
+
+== B) Separate table
+
+Alternatively, you can store the additional field(s) in separate table, for
+example:
+
+  create_table :account_names do
+    foreign_key :account_id, :accounts, primary_key: true, type: :Bignum
+    String :name, null: false
+  end
+
+You can then handle the new submitted field as follows:
+
+  plugin :rodauth do
+    enable :login, :logout, :create_account
+
+    before_create_account do
+      # Validate presence of the name field
+      throw_error_status(422, "name", "must be present") unless param_or_nil("name")
+    end
+
+    after_create_account do
+      # Create the associated record
+      db[:account_names].insert(account_id: account[:id], name: param("name"))
+    end
+
+    after_close_account do
+      # Delete the associated record
+      db[:account_names].where(account_id: account[:id]).delete
+    end
+  end

data/doc/guides/require_mfa.rdoc

@@ -0,0 +1,30 @@
+= Require multifactor authentication after login
+
+You may want to require multifactor authentication on login for people
+that have multifactor authentication set up. The +require_authentication+
+Rodauth method works for pages that require an authenticated user, but not for
+pages where authentication is optional.
+
+You can set this up as follows:
+
+  plugin :rodauth do
+    enable :login, :logout, :otp
+
+    # If you don't want to show an error message when redirecting
+    # to the multifactor authentication page.
+    two_factor_need_authentication_error_flash nil
+
+    # Display the same flash message after multifactor
+    # authentication than is displayed after login
+    two_factor_auth_notice_flash { login_notice_flash }
+  end
+
+  route do |r|
+    r.rodauth
+
+    if rodauth.logged_in? && rodauth.two_factor_authentication_setup?
+      rodauth.require_two_factor_authenticated
+    end
+
+    # ...
+  end

data/doc/guides/reset_password_autologin.rdoc

@@ -0,0 +1,21 @@
+= Autologin after password reset
+
+When the user resets their password, by default they are not automatically
+logged in. You can change this behaviour and login the user automatically
+after password reset.
+
+  plugin :rodauth do
+    enable :login, :logout, :reset_password
+
+    reset_password_autologin? true
+  end
+
+Similarly, when the verify login change feature is used, the user is not
+automatically logged in after verifying the login change.  You can configure
+Rodauth to automatically log the user in in this case:
+
+  plugin :rodauth do
+    enable :login, :logout, :verify_login_change
+
+    verify_login_change_autologin? true
+  end

data/doc/guides/status_column.rdoc

@@ -0,0 +1,28 @@
+= Store account status in a text column
+
+By default, Rodauth recommends using a separate table for account statuses, and
+linking them via foreign keys. This is useful as it achieves an enum-like
+behaviour, where the database ensures a constrained set of status values.
+
+However, if you use a testing environment that starts with a blank database,
+and don't want to fix your testing environment to support real foreign keys,
+you can configure Rodauth to store the account status in a text column.
+Doing so results in problems if a text value you do not expect gets stored
+in the column.  We can mitigate the problems by using a CHECK constraint
+on the column.
+
+  create_table :accounts do
+    # ...
+    String :status, null: false, default: "verified",
+      check: {status: %w'unverified verified closed'}
+  end
+
+Then we can configure Rodauth to support this.
+
+  plugin :rodauth do
+    # ...
+    account_status_column :status
+    account_unverified_status_value "unverified"
+    account_open_status_value "verified"
+    account_closed_status_value "closed"
+  end

data/doc/guides/totp_or_recovery.rdoc

@@ -0,0 +1,16 @@
+= Allow recovery code on TOTP code field
+
+If using the otp feature, for convenience you might want to allow
+the user to enter the recovery code into the TOTP code field, instead
+of requiring they use the separate recovery codes form. You can
+implement this using the following configuration:
+
+  plugin :rodauth do
+    enable :login, :logout, :otp, :recovery_codes
+
+    before_otp_auth_route do
+      if recovery_code_match?(param(otp_auth_param))
+        two_factor_authenticate("recovery_code")
+      end
+    end
+  end

data/doc/jwt_refresh.rdoc

@@ -13,6 +13,12 @@ older access tokens.  Older access tokens remain valid until they expire.  You
 can use the active_sessions feature if you want previous access tokens to be invalid
 as soon as the refresh token is used.
 
+You can have multiple active refresh tokens active at a time, since each browser session
+will generally use a separate refresh token.  If you would like to revoke a refresh token
+when logging out, provide the refresh token when submitting the JSON request to logout.
+If you would like to remove all refresh tokens for the account when logging out, provide
+a value of <tt>all</tt> as the token value.
+
 This feature depends on the jwt feature.
 
 == Auth Value Methods

data/doc/otp.rdoc

@@ -73,6 +73,7 @@ otp_auth_view :: The HTML to use for the OTP authentication form.
 otp_disable_view :: The HTML to use for the OTP disable form.
 otp_exists? :: Whether the current account has setup OTP.
 otp_key :: The stored OTP secret for the account.
+otp_last_use :: The last time OTP authentication was successful for the account.
 otp_locked_out? :: Whether the current account has been locked out of OTP authentication.
 otp_new_secret :: A new secret to use when setting up OTP.
 otp_provisioning_name :: The provisioning name to use during OTP setup, defaults to the account's email.

data/doc/release_notes/2.2.0.txt

@@ -0,0 +1,39 @@
+= New Features
+
+* When using the jwt_refresh feature, you can remove the current
+  refresh token when logging out by submitting the refresh token
+  in the logout request, the same as when submitting the refresh
+  token to obtain a new refresh token.  You can also use a value
+  of "all" instead of the refresh token to remove all refresh
+  tokens when logging out.
+
+* A rodauth.otp_last_use method has been added to the otp feature,
+  allowing you to determine when the otp was last used.
+
+= Other Improvements
+
+* When using multifactor authentication, rodauth.authenticated? and
+  rodauth.require_authentication now cache values in the session and
+  do not perform queries every time they are called.
+
+* Many guides for common scenarios have been added to the
+  documentation.  These augment Rodauth's existing comprehensive
+  feature documentation, which is aimed to be more of a reference
+  and less of a guide.
+
+* When the verify_account_grace_period and email_auth features are
+  used with a multifactor authentication feature, and the
+  verify_account_set_password? configuration method is set to true,
+  Rodauth no longer raises a NoMethodError when checking if the
+  session was authenticated.
+
+* In the verify_account feature, if verify_account_email_resend
+  returns false indicating no email was sent, an error message
+  is now used, instead of a success message.
+
+* In the password_complexity feature, the password_dictionary
+  configuration method was previously ignored if the default
+  password dictionary file existed.
+
+* Rodauth and all features that ship with it now have 100% branch
+  coverage.

data/lib/rodauth.rb

@@ -137,7 +137,9 @@ module Rodauth
       feature.module_eval(&block)
       configuration.def_configuration_methods(feature)
 
+      # :nocov:
       if constant
+      # :nocov:
         Rodauth.const_set(constant, feature)
         Rodauth::FeatureConfiguration.const_set(constant, configuration)
       end
@@ -336,10 +338,8 @@ module Rodauth
     end
 
     def freeze
-      if opts[:rodauths]
-        opts[:rodauths].each_value(&:freeze)
-        opts[:rodauths].freeze
-      end
+      opts[:rodauths].each_value(&:freeze)
+      opts[:rodauths].freeze
       super
     end
   end

data/lib/rodauth/features/active_sessions.rb

@@ -118,14 +118,12 @@ module Rodauth
     end
 
     def before_logout
-      if request.post?
-        if param_or_nil(global_logout_param)
-          remove_all_active_sessions
-        else
-          remove_current_session
-        end
+      if param_or_nil(global_logout_param)
+        remove_all_active_sessions
+      else
+        remove_current_session
       end
-      super if defined?(super)
+      super
     end
 
     def session_inactivity_deadline_condition

data/lib/rodauth/features/audit_logging.rb

@@ -82,7 +82,9 @@ module Rodauth
 
     def audit_log_ds
       ds = db[audit_logging_table]
+      # :nocov:
       if db.database_type == :postgres
+      # :nocov:
         # For PostgreSQL, use RETURNING NULL. This allows the feature
         # to be used with INSERT but not SELECT permissions on the
         # table, useful for audit logging where the database user

data/lib/rodauth/features/email_auth.rb

@@ -215,7 +215,7 @@ module Rodauth
       # that allows login access to the account becomes a
       # security liability, and it is best to remove it.
       remove_email_auth_key
-      super if defined?(super)
+      super
     end
 
     def after_close_account

data/lib/rodauth/features/jwt.rb

@@ -138,6 +138,11 @@ module Rodauth
       !!(jwt_token && jwt_payload)
     end
 
+    def view(page, title)
+      return super unless use_jwt?
+      return_json_response
+    end
+
     private
 
     def check_csrf?
@@ -256,12 +261,6 @@ module Rodauth
       @json_response ||= {}
     end
 
-    def _view(meth, page)
-      return super unless use_jwt?
-      return super if meth == :render
-      return_json_response
-    end
-
     def _json_response_body(hash)
       request.send(:convert_to_json, hash)
     end

data/lib/rodauth/features/jwt_cors.rb

@@ -13,27 +13,27 @@ module Rodauth
     auth_methods(:jwt_cors_allow?)
 
     def jwt_cors_allow?
-      if origin = request.env['HTTP_ORIGIN']
-        case allowed = jwt_cors_allow_origin
-        when String
-          timing_safe_eql?(origin, allowed)
-        when Array
-          allowed.any?{|s| timing_safe_eql?(origin, s)}
-        when Regexp
-          allowed =~ origin
-        when true
-          true
-        else
-          false
-        end
+      return false unless origin = request.env['HTTP_ORIGIN']
+
+      case allowed = jwt_cors_allow_origin
+      when String
+        timing_safe_eql?(origin, allowed)
+      when Array
+        allowed.any?{|s| timing_safe_eql?(origin, s)}
+      when Regexp
+        allowed =~ origin
+      when true
+        true
+      else
+        false
       end
     end
 
     private
 
     def before_rodauth
-      if (origin = request.env['HTTP_ORIGIN']) && jwt_cors_allow?
-        response['Access-Control-Allow-Origin'] = origin
+      if jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
 
         # Handle CORS preflight request
         if request.request_method == 'OPTIONS'

data/lib/rodauth/features/jwt_refresh.rb

@@ -80,14 +80,10 @@ module Rodauth
     private
 
     def _account_from_refresh_token(token)
-      id, token = split_token(token)
-      return unless id && token
-
-      token_id, key = split_token(token)
-      return unless token_id && key
+      id, token_id, key = _account_refresh_token_split(token)
 
+      return unless key
       return unless actual = get_active_refresh_token(id, token_id)
-
       return unless timing_safe_eql?(key, convert_token_key(actual))
 
       ds = account_ds(id)
@@ -95,6 +91,16 @@ module Rodauth
       ds.first
     end
 
+    def _account_refresh_token_split(token)
+      id, token = split_token(token)
+      return unless id && token
+
+      token_id, key = split_token(token)
+      return unless token_id && key
+
+      [id, token_id, key]
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -134,6 +140,23 @@ module Rodauth
       hash
     end
 
+    def before_logout
+      if token = param_or_nil(jwt_refresh_token_key_param)
+        if token == 'all'
+          jwt_refresh_token_account_ds(session_value).delete
+        else
+          id, token_id, key = _account_refresh_token_split(token)
+
+          if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
+            jwt_refresh_token_account_ds(id).
+              where(jwt_refresh_token_id_column=>token_id).
+              delete
+          end
+        end
+      end
+      super if defined?(super)
+    end
+
     def after_close_account
       jwt_refresh_token_account_ds(account_id).delete
       super if defined?(super)

data/lib/rodauth/features/otp.rb

@@ -79,6 +79,7 @@ module Rodauth
       :otp,
       :otp_exists?,
       :otp_key,
+      :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,
       :otp_provisioning_name,
@@ -255,7 +256,6 @@ module Rodauth
     def otp_remove
       otp_key_ds.delete
       @otp_key = nil
-      super if defined?(super)
     end
 
     def otp_add_key
@@ -269,6 +269,10 @@ module Rodauth
         update(otp_keys_last_use_column=>Sequel::CURRENT_TIMESTAMP) == 1
     end
 
+    def otp_last_use
+      convert_timestamp(otp_key_ds.get(otp_keys_last_use_column))
+    end
+
     def otp_record_authentication_failure
       otp_key_ds.update(otp_keys_failures_column=>Sequel.identifier(otp_keys_failures_column) + 1)
     end

data/lib/rodauth/features/password_complexity.rb

@@ -26,14 +26,16 @@ module Rodauth
 
     def post_configure
       super
-      return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
+      return if method(:password_dictionary).owner != Rodauth::PasswordComplexity
 
       case password_dictionary_file
       when false
-        return
+        # nothing
       when nil
         default_dictionary_file = '/usr/share/dict/words'
+        # :nocov:
         if File.file?(default_dictionary_file)
+        # :nocov:
           words = File.read(default_dictionary_file)
         end
       else

data/lib/rodauth/features/single_session.rb

@@ -85,7 +85,7 @@ module Rodauth
     end
 
     def before_logout
-      reset_single_session_key if request.post?
+      reset_single_session_key
       super if defined?(super)
     end
 

data/lib/rodauth/features/sms_codes.rb

@@ -337,7 +337,6 @@ module Rodauth
     def sms_disable
       sms_ds.delete
       @sms = nil
-      super if defined?(super)
     end
 
     def sms_confirm_failure

data/lib/rodauth/features/two_factor_base.rb

@@ -125,7 +125,7 @@ module Rodauth
       return true if two_factor_authenticated?
 
       # True if authenticated via single factor and 2nd factor not setup 
-      !two_factor_authentication_setup?
+      !uses_two_factor_authentication?
     end
 
     def require_authentication
@@ -134,7 +134,7 @@ module Rodauth
       # Avoid database query if already authenticated via 2nd factor
       return if two_factor_authenticated?
 
-      require_two_factor_authenticated if two_factor_authentication_setup?
+      require_two_factor_authenticated if uses_two_factor_authentication?
     end
 
     def require_two_factor_setup
@@ -208,11 +208,11 @@ module Rodauth
     end
 
     def _two_factor_setup_links
-      (super if defined?(super)) || []
+      []
     end
 
     def _two_factor_remove_links
-      (super if defined?(super)) || []
+      []
     end
 
     def _two_factor_remove_all_from_session

data/lib/rodauth/features/verify_account.rb

@@ -70,6 +70,7 @@ module Rodauth
       end
 
       r.post do
+        verified = false
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
@@ -79,8 +80,11 @@ module Rodauth
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
+            verified = true
           end
+        end
 
+        if verified
           set_notice_flash verify_account_email_sent_notice_flash
         else
           set_redirect_error_status(no_matching_login_error_status)

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -53,10 +53,7 @@ module Rodauth
     end
 
     def allow_email_auth?
-      if defined?(super)
-        return false unless super
-      end
-      !account_in_unverified_grace_period?
+      (defined?(super) ? super : true) && !account_in_unverified_grace_period?
     end
 
     def verify_account_check_already_logged_in
@@ -75,6 +72,7 @@ module Rodauth
     end
 
     def account_in_unverified_grace_period?
+      account || account_from_session
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?

data/lib/rodauth/features/webauthn.rb

@@ -377,9 +377,7 @@ module Rodauth
     end
 
     def remove_webauthn_key(webauthn_id)
-      ret = webauthn_keys_ds.where(webauthn_keys_webauthn_id_column=>webauthn_id).delete == 1
-      super if defined?(super)
-      ret
+      webauthn_keys_ds.where(webauthn_keys_webauthn_id_column=>webauthn_id).delete == 1
     end
 
     def remove_all_webauthn_keys_and_user_ids

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 1
+  MINOR = 2
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-09 00:00:00.000000000 Z
+date: 2020-07-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -247,7 +247,6 @@ extra_rdoc_files:
 - doc/http_basic_auth.rdoc
 - doc/create_account.rdoc
 - doc/email_base.rdoc
-- doc/internals.rdoc
 - doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
 - doc/password_complexity.rdoc
@@ -304,6 +303,7 @@ extra_rdoc_files:
 - doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.2.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -323,8 +323,28 @@ files:
 - doc/disallow_password_reuse.rdoc
 - doc/email_auth.rdoc
 - doc/email_base.rdoc
+- doc/guides/admin_activation.rdoc
+- doc/guides/already_authenticated.rdoc
+- doc/guides/alternative_login.rdoc
+- doc/guides/create_account_programmatically.rdoc
+- doc/guides/delay_password.rdoc
+- doc/guides/email_only.rdoc
+- doc/guides/i18n.rdoc
+- doc/guides/internals.rdoc
+- doc/guides/links.rdoc
+- doc/guides/login_return.rdoc
+- doc/guides/password_column.rdoc
+- doc/guides/password_confirmation.rdoc
+- doc/guides/password_requirements.rdoc
+- doc/guides/paths.rdoc
+- doc/guides/query_params.rdoc
+- doc/guides/redirects.rdoc
+- doc/guides/registration_field.rdoc
+- doc/guides/require_mfa.rdoc
+- doc/guides/reset_password_autologin.rdoc
+- doc/guides/status_column.rdoc
+- doc/guides/totp_or_recovery.rdoc
 - doc/http_basic_auth.rdoc
-- doc/internals.rdoc
 - doc/jwt.rdoc
 - doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
@@ -363,6 +383,7 @@ files:
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.2.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc