rodauth 2.1.0 → 2.6.0

data/doc/release_notes/2.4.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A password_pepper feature has been added.  This allows you to use a
+  secret key (called a pepper) to append to passwords before hashing
+  and hash checking.  Using this approach, if an attacker obtains the
+  password hash, it is unusable for cracking unless they can also
+  get access to the pepper.
+
+  The password_pepper feature also supports a list of previous peppers
+  that can be used to implement secret rotation and to support
+  compatibility with unpeppered passwords.
+
+  Rodauth by default uses database functions for password hash
+  checking on PostgreSQL, MySQL, and Microsoft SQL Server, which in
+  general provides more security than a password pepper, but both
+  approaches can be used simultaneously.
+
+* A session_key_prefix configuration method has been added for
+  prefixing the values of all default session keys.  This can be
+  useful if you are using multiple Rodauth configurations in the same
+  application and want to make sure the session keys for the separate
+  configurations do not overlap.

data/doc/release_notes/2.5.0.txt

@@ -0,0 +1,20 @@
+= New Features
+
+* A login_return_to_requested_location_path configuration method has
+  been added to the login feature.  This controls the path to redirect
+  to if using login_return_to_requested_location?.  By default, this
+  is the same as the fullpath of the request that required login if
+  that request was a GET request, and nil if that request was not a
+  GET request.  Previously, the fullpath of that request was used even
+  if it was not a GET request, which caused problems as browsers use a
+  GET request for redirects, and it is a bad idea to redirect to a path
+  that may not handle GET requests.
+
+* A change_login_needs_verification_notice_flash configuration method
+  has been added to the verify_login_change feature, for allowing
+  translations when using the feature and not using the
+  change_login_notice_flash configuration method.
+
+= Other Improvements
+
+* new_password_label is now translatable.

data/doc/release_notes/2.6.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* An around_rodauth configuration method has been added, which is
+  called around all Rodauth actions.  This configuration method
+  is passed a block, and is useful for cases where you want to wrap
+  Rodauth's handling of the request.
+
+  For example, if you had a method named time_block in your Roda scope
+  that timed block execution and added a response header, you could
+  time Rodauth actions using something like:
+
+    around_rodauth do |&block|
+      scope.time_block('Rodauth') do
+        super(&block)
+      end
+    end
+
+* The allow_refresh_with_expired_jwt_access_token? configuration has
+  been added to the jwt_refresh feature, allowing refreshing with an
+  expired but otherwise valid access token.  When using this method,
+  it is required to have an hmac_secret specified, so that Rodauth
+  can make sure the access token matches the refresh token.
+
+= Other Improvements
+
+* The javascript for setting up a WebAuthn token has been fixed to
+  allow it to work correctly if there is already an existing
+  WebAuthn token for the account.
+
+* The rodauth.setup_account_verification method has been promoted to
+  public API.  You can use this method for automatically sending
+  account verification emails when automatically creating accounts.
+
+* Rodauth no longer loads the same feature multiple times into a
+  single configuration.  This didn't cause any problems before, but
+  could result in duplicate entries when looking at the loaded
+  features.

data/doc/verify_login_change.rdoc

@@ -14,6 +14,7 @@ control.  Depends on the change login and email base features.
 == Auth Value Methods
 
 no_matching_verify_login_change_key_error_flash :: The flash error message to show when an invalid verify login change key is used.
+change_login_needs_verification_notice_flash :: The flash notice to show after changing a login when using this feature, if +change_login_notice_flash+ is not overridden.
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.

data/javascript/webauthn_auth.js

@@ -1,34 +1,34 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-auth-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.allowCredentials.forEach(function(cred) {
-        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      });
+      opts.challenge = unpack(opts.challenge);
+      opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.get({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
 
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var rawId = pack(cred.rawId);
           var authValue = {
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              authenticatorData: pack(cred.response.authenticatorData),
+              clientDataJSON: pack(cred.response.clientDataJSON),
+              signature: pack(cred.response.signature)
             }
           };
 
           if (cred.response.userHandle) {
-            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+            authValue.response.userHandle = pack(cred.response.userHandle);
           }
 
           document.getElementById('webauthn-auth').value = JSON.stringify(authValue);

data/javascript/webauthn_setup.js

@@ -1,26 +1,29 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-setup-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.challenge = unpack(opts.challenge);
+      opts.user.id = unpack(opts.user.id);
+      opts.excludeCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.create({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
-          
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+
+          var rawId = pack(cred.rawId);
           document.getElementById('webauthn-setup').value = JSON.stringify({
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              attestationObject: pack(cred.response.attestationObject),
+              clientDataJSON: pack(cred.response.clientDataJSON)
             }
           });
           element.removeEventListener("submit", f);

data/lib/rodauth.rb

@@ -120,8 +120,10 @@ module Rodauth
       define_method(handle_meth) do
         request.is send(route_meth) do
           check_csrf if check_csrf?
-          before_rodauth
-          send(internal_handle_meth, request)
+          _around_rodauth do
+            before_rodauth
+            send(internal_handle_meth, request)
+          end
         end
       end
 
@@ -137,7 +139,9 @@ module Rodauth
       feature.module_eval(&block)
       configuration.def_configuration_methods(feature)
 
+      # :nocov:
       if constant
+      # :nocov:
         Rodauth.const_set(constant, feature)
         Rodauth::FeatureConfiguration.const_set(constant, configuration)
       end
@@ -286,9 +290,11 @@ module Rodauth
     end
 
     def enable(*features)
-      new_features = features - @auth.features
-      new_features.each{|f| load_feature(f)}
-      @auth.features.concat(new_features)
+      features.each do |feature|
+        next if @auth.features.include?(feature)
+        load_feature(feature)
+        @auth.features << feature
+      end
     end
 
     private
@@ -336,10 +342,8 @@ module Rodauth
     end
 
     def freeze
-      if opts[:rodauths]
-        opts[:rodauths].each_value(&:freeze)
-        opts[:rodauths].freeze
-      end
+      opts[:rodauths].each_value(&:freeze)
+      opts[:rodauths].freeze
       super
     end
   end

data/lib/rodauth/features/active_sessions.rb

@@ -118,14 +118,12 @@ module Rodauth
     end
 
     def before_logout
-      if request.post?
-        if param_or_nil(global_logout_param)
-          remove_all_active_sessions
-        else
-          remove_current_session
-        end
+      if param_or_nil(global_logout_param)
+        remove_all_active_sessions
+      else
+        remove_current_session
       end
-      super if defined?(super)
+      super
     end
 
     def session_inactivity_deadline_condition

data/lib/rodauth/features/audit_logging.rb

@@ -82,7 +82,9 @@ module Rodauth
 
     def audit_log_ds
       ds = db[audit_logging_table]
+      # :nocov:
       if db.database_type == :postgres
+      # :nocov:
         # For PostgreSQL, use RETURNING NULL. This allows the feature
         # to be used with INSERT but not SELECT permissions on the
         # table, useful for audit logging where the database user

data/lib/rodauth/features/base.rb

@@ -47,6 +47,7 @@ module Rodauth
     session_key :authenticated_by_session_key, :authenticated_by
     session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
+    auth_value_method :session_key_prefix, nil
     auth_value_method :require_bcrypt?, true
     auth_value_method :mark_input_fields_as_required?, true
     auth_value_method :mark_input_fields_with_autocomplete?, true
@@ -110,7 +111,8 @@ module Rodauth
       :account_from_session,
       :field_attributes,
       :field_error_attributes,
-      :formatted_field_error
+      :formatted_field_error,
+      :around_rodauth
     )
 
     configuration_module_eval do
@@ -393,9 +395,9 @@ module Rodauth
     def password_match?(password)
       if hash = get_password_hash
         if account_password_hash_column || !use_database_authentication_functions?
-          BCrypt::Password.new(hash) == password
+          password_hash_match?(hash, password)
         else
-          db.get(Sequel.function(function_name(:rodauth_valid_password_hash), account_id, BCrypt::Engine.hash_secret(password, hash)))
+          database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
         end 
       end
     end
@@ -458,6 +460,18 @@ module Rodauth
 
     private
 
+    def _around_rodauth
+      yield
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+    end
+
+    def password_hash_match?(hash, password)
+      BCrypt::Password.new(hash) == password
+    end
+
     def convert_token_key(key)
       if key && hmac_secret
         compute_hmac(key)
@@ -493,6 +507,7 @@ module Rodauth
     end
 
     def convert_session_key(key)
+      key = "#{session_key_prefix}#{key}".to_sym if session_key_prefix
       scope.opts[:sessions_convert_symbols] ? key.to_s : key
     end
 

data/lib/rodauth/features/change_password.rb

@@ -14,7 +14,7 @@ module Rodauth
     button 'Change Password'
     redirect
 
-    auth_value_method :new_password_label, 'New Password'
+    translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
 
     auth_value_methods(

data/lib/rodauth/features/close_account.rb

@@ -33,7 +33,11 @@ module Rodauth
       end
 
       r.post do
-        if !close_account_requires_password? || password_match?(param(password_param))
+        catch_error do
+          if close_account_requires_password? && !password_match?(param(password_param))
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+          end
+
           transaction do
             before_close_account
             close_account
@@ -46,12 +50,10 @@ module Rodauth
 
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
-        else
-          set_response_error_status(invalid_password_error_status)
-          set_field_error(password_param, invalid_password_message)
-          set_error_flash close_account_error_flash
-          close_account_view
         end
+
+        set_error_flash close_account_error_flash
+        close_account_view
       end
     end
 

data/lib/rodauth/features/confirm_password.rb

@@ -26,11 +26,11 @@ module Rodauth
       require_account_session
       before_confirm_password_route
 
-      request.get do
+      r.get do
         confirm_password_view
       end
 
-      request.post do
+      r.post do
         if password_match?(param(password_param))
           transaction do
             before_confirm_password

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -51,11 +51,13 @@ module Rodauth
         return true if salts.empty?
 
         salts.any? do |hash_id, salt|
-          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+          database_function_password_match?(:rodauth_previous_password_hash_match, hash_id, password, salt)
         end
       else
         # :nocov:
-        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        previous_password_ds.select_map(previous_password_hash_column).any? do |hash|
+          password_hash_match?(hash, password)
+        end
         # :nocov:
       end
 

data/lib/rodauth/features/email_auth.rb

@@ -94,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login('email_auth')
+        login('email_auth')
       end
     end
 
@@ -215,7 +215,7 @@ module Rodauth
       # that allows login access to the account becomes a
       # security liability, and it is best to remove it.
       remove_email_auth_key
-      super if defined?(super)
+      super
     end
 
     def after_close_account

data/lib/rodauth/features/jwt.rb

@@ -138,6 +138,11 @@ module Rodauth
       !!(jwt_token && jwt_payload)
     end
 
+    def view(page, title)
+      return super unless use_jwt?
+      return_json_response
+    end
+
     private
 
     def check_csrf?
@@ -224,9 +229,13 @@ module Rodauth
       end
     end
 
+    def _jwt_decode_opts
+      jwt_decode_opts
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
     rescue JWT::DecodeError
       @jwt_payload = false
     end
@@ -256,12 +265,6 @@ module Rodauth
       @json_response ||= {}
     end
 
-    def _view(meth, page)
-      return super unless use_jwt?
-      return super if meth == :render
-      return_json_response
-    end
-
     def _json_response_body(hash)
       request.send(:convert_to_json, hash)
     end

data/lib/rodauth/features/jwt_cors.rb

@@ -13,27 +13,27 @@ module Rodauth
     auth_methods(:jwt_cors_allow?)
 
     def jwt_cors_allow?
-      if origin = request.env['HTTP_ORIGIN']
-        case allowed = jwt_cors_allow_origin
-        when String
-          timing_safe_eql?(origin, allowed)
-        when Array
-          allowed.any?{|s| timing_safe_eql?(origin, s)}
-        when Regexp
-          allowed =~ origin
-        when true
-          true
-        else
-          false
-        end
+      return false unless origin = request.env['HTTP_ORIGIN']
+
+      case allowed = jwt_cors_allow_origin
+      when String
+        timing_safe_eql?(origin, allowed)
+      when Array
+        allowed.any?{|s| timing_safe_eql?(origin, s)}
+      when Regexp
+        allowed =~ origin
+      when true
+        true
+      else
+        false
       end
     end
 
     private
 
     def before_rodauth
-      if (origin = request.env['HTTP_ORIGIN']) && jwt_cors_allow?
-        response['Access-Control-Allow-Origin'] = origin
+      if jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
 
         # Handle CORS preflight request
         if request.request_method == 'OPTIONS'