rodauth 2.1.0 → 2.6.0

data/lib/rodauth/features/jwt_refresh.rb

@@ -7,6 +7,9 @@ module Rodauth
     after 'refresh_token'
     before 'refresh_token'
 
+    auth_value_method :allow_refresh_with_expired_jwt_access_token?, false
+    session_key :jwt_refresh_token_data_session_key, :jwt_refresh_token_data
+    session_key :jwt_refresh_token_hmac_session_key, :jwt_refresh_token_hash
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
@@ -19,23 +22,31 @@ module Rodauth
     auth_value_method :jwt_refresh_token_key_column, :key
     auth_value_method :jwt_refresh_token_key_param, 'refresh_token'
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
+    translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
+    auth_value_method :jwt_refresh_without_access_token_status, 401
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      @jwt_refresh_route = true
+      before_jwt_refresh_route
+
       r.post do
-        if (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
-          formatted_token = nil
+        if !session_value
+          response.status ||= jwt_refresh_without_access_token_status
+          json_response[json_response_error_key] = jwt_refresh_without_access_token_message
+        elsif (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
           transaction do
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            set_jwt_refresh_token_hmac_session_key(formatted_token)
+            json_response[jwt_refresh_token_key] = formatted_token
+            json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
-          json_response[jwt_refresh_token_key] = formatted_token
-          json_response[jwt_access_token_key] = session_jwt
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
           response.status ||= json_response_error_status
@@ -52,7 +63,9 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      json_response['refresh_token'] = generate_refresh_token
+      token = json_response['refresh_token'] = generate_refresh_token
+
+      set_jwt_refresh_token_hmac_session_key(token)
     end
 
     def set_jwt_token(token)
@@ -80,19 +93,46 @@ module Rodauth
     private
 
     def _account_from_refresh_token(token)
+      id, token_id, key = _account_refresh_token_split(token)
+
+      unless key &&
+             (id == session_value.to_s) &&
+             (actual = get_active_refresh_token(id, token_id)) &&
+             timing_safe_eql?(key, convert_token_key(actual)) &&
+             jwt_refresh_token_match?(key)
+        return
+      end
+
+      ds = account_ds(id)
+      ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
+      ds.first
+    end
+
+    def _account_refresh_token_split(token)
       id, token = split_token(token)
       return unless id && token
 
       token_id, key = split_token(token)
       return unless token_id && key
 
-      return unless actual = get_active_refresh_token(id, token_id)
+      [id, token_id, key]
+    end
 
-      return unless timing_safe_eql?(key, convert_token_key(actual))
+    def _jwt_decode_opts
+      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+        Hash[super].merge!(:verify_expiration=>false)
+      else
+        super
+      end
+    end
 
-      ds = account_ds(id)
-      ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
-      ds.first
+    def jwt_refresh_token_match?(key)
+      # We don't need to match tokens if we are requiring a valid current access token
+      return true unless allow_refresh_with_expired_jwt_access_token?
+
+      # If allowing with expired jwt access token, check the expired session contains
+      # hmac matching submitted and active refresh token.
+      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
     end
 
     def get_active_refresh_token(account_id, token_id)
@@ -134,6 +174,32 @@ module Rodauth
       hash
     end
 
+    def set_jwt_refresh_token_hmac_session_key(token)
+      if allow_refresh_with_expired_jwt_access_token?
+        key = _account_refresh_token_split(token).last
+        data = random_key
+        set_session_value(jwt_refresh_token_data_session_key, data)
+        set_session_value(jwt_refresh_token_hmac_session_key, compute_hmac(data + key))
+      end
+    end
+
+    def before_logout
+      if token = param_or_nil(jwt_refresh_token_key_param)
+        if token == 'all'
+          jwt_refresh_token_account_ds(session_value).delete
+        else
+          id, token_id, key = _account_refresh_token_split(token)
+
+          if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
+            jwt_refresh_token_account_ds(id).
+              where(jwt_refresh_token_id_column=>token_id).
+              delete
+          end
+        end
+      end
+      super if defined?(super)
+    end
+
     def after_close_account
       jwt_refresh_token_account_ds(account_id).delete
       super if defined?(super)

data/lib/rodauth/features/login.rb

@@ -23,6 +23,8 @@ module Rodauth
     auth_cached_method :login_form_footer_links
     auth_cached_method :login_form_footer
 
+    auth_value_methods :login_return_to_requested_location_path
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -62,7 +64,7 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login('password')
+          login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
@@ -72,13 +74,29 @@ module Rodauth
 
     attr_reader :login_form_header
 
+    def login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
+      transaction do
+        before_login
+        login_session(auth_type)
+        yield if block_given?
+        after_login
+      end
+      set_notice_flash login_notice_flash
+      redirect(saved_login_redirect || login_redirect)
+    end
+
     def login_required
-      if login_return_to_requested_location?
-        set_session_value(login_redirect_session_key, request.fullpath)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+        set_session_value(login_redirect_session_key, path)
       end
       super
     end
 
+    def login_return_to_requested_location_path
+      request.fullpath if request.get?
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
       if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])
@@ -126,15 +144,8 @@ module Rodauth
     end
 
     def _login(auth_type)
-      saved_login_redirect = remove_session_value(login_redirect_session_key)
-      transaction do
-        before_login
-        login_session(auth_type)
-        yield if block_given?
-        after_login
-      end
-      set_notice_flash login_notice_flash
-      redirect(saved_login_redirect || login_redirect)
+      warn("Deprecated #_login method called, use #login instead.")
+      login(auth_type)
     end
   end
 end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -4,8 +4,10 @@ module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
     translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
+    auth_value_method :login_email_regexp, /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
+    translatable_method :login_not_valid_email_message, 'not a valid email address'
     translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
@@ -28,6 +30,7 @@ module Rodauth
 
     auth_methods(
       :login_meets_requirements?,
+      :login_valid_email?,
       :password_hash,
       :password_meets_requirements?,
       :set_password
@@ -104,13 +107,15 @@ module Rodauth
 
     def login_meets_email_requirements?(login)
       return true unless require_email_address_logins?
-      if login =~ /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
-        return true
-      end
-      @login_requirement_message = 'not a valid email address'
+      return true if login_valid_email?(login)
+      @login_requirement_message = login_not_valid_email_message
       return false
     end
 
+    def login_valid_email?(login)
+      login =~ login_email_regexp
+    end
+
     def password_meets_length_requirements?(password)
       return true if password_minimum_length <= password.length
       @password_requirement_message = password_too_short_message

data/lib/rodauth/features/otp.rb

@@ -79,6 +79,7 @@ module Rodauth
       :otp,
       :otp_exists?,
       :otp_key,
+      :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,
       :otp_provisioning_name,
@@ -255,7 +256,6 @@ module Rodauth
     def otp_remove
       otp_key_ds.delete
       @otp_key = nil
-      super if defined?(super)
     end
 
     def otp_add_key
@@ -269,6 +269,10 @@ module Rodauth
         update(otp_keys_last_use_column=>Sequel::CURRENT_TIMESTAMP) == 1
     end
 
+    def otp_last_use
+      convert_timestamp(otp_key_ds.get(otp_keys_last_use_column))
+    end
+
     def otp_record_authentication_failure
       otp_key_ds.update(otp_keys_failures_column=>Sequel.identifier(otp_keys_failures_column) + 1)
     end

data/lib/rodauth/features/password_complexity.rb

@@ -26,14 +26,16 @@ module Rodauth
 
     def post_configure
       super
-      return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
+      return if method(:password_dictionary).owner != Rodauth::PasswordComplexity
 
       case password_dictionary_file
       when false
-        return
+        # nothing
       when nil
         default_dictionary_file = '/usr/share/dict/words'
+        # :nocov:
         if File.file?(default_dictionary_file)
+        # :nocov:
           words = File.read(default_dictionary_file)
         end
       else

data/lib/rodauth/features/password_pepper.rb

@@ -0,0 +1,45 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:password_pepper, :PasswordPepper) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_pepper, nil
+    auth_value_method :previous_password_peppers, [""]
+    auth_value_method :password_pepper_update?, true
+
+    def password_match?(password)
+      if (result = super) && @previous_pepper_matched && password_pepper_update?
+        set_password(password)
+      end
+
+      result
+    end
+
+    private
+
+    def password_hash(password)
+      super(password + password_pepper.to_s)
+    end
+
+    def password_hash_match?(hash, password)
+      return super if password_pepper.nil?
+
+      return true if super(hash, password + password_pepper)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(hash, password + pepper)
+      end
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      return super if password_pepper.nil?
+
+      return true if super(name, hash_id, password + password_pepper, salt)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(name, hash_id, password + pepper, salt)
+      end
+    end
+  end
+end

data/lib/rodauth/features/remember.rb

@@ -58,7 +58,9 @@ module Rodauth
         if [remember_remember_param_value, remember_forget_param_value, remember_disable_param_value].include?(remember)
           transaction do
             before_remember
+            # :nocov:
             case remember
+            # :nocov:
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value

data/lib/rodauth/features/session_expiration.rb

@@ -3,6 +3,7 @@
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
     error_flash "This session has expired, please login again"
+    redirect{require_login_redirect}
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
@@ -11,8 +12,6 @@ module Rodauth
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
 
-    auth_value_methods :session_expiration_redirect
-    
     def check_session_expiration
       return unless logged_in?
 
@@ -43,10 +42,6 @@ module Rodauth
       redirect session_expiration_redirect
     end
 
-    def session_expiration_redirect
-      require_login_redirect
-    end
-
     def update_session
       super
       t = Time.now.to_i

data/lib/rodauth/features/single_session.rb

@@ -85,7 +85,7 @@ module Rodauth
     end
 
     def before_logout
-      reset_single_session_key if request.post?
+      reset_single_session_key
       super if defined?(super)
     end
 

data/lib/rodauth/features/sms_codes.rb

@@ -337,7 +337,6 @@ module Rodauth
     def sms_disable
       sms_ds.delete
       @sms = nil
-      super if defined?(super)
     end
 
     def sms_confirm_failure

data/lib/rodauth/features/two_factor_base.rb

@@ -125,7 +125,7 @@ module Rodauth
       return true if two_factor_authenticated?
 
       # True if authenticated via single factor and 2nd factor not setup 
-      !two_factor_authentication_setup?
+      !uses_two_factor_authentication?
     end
 
     def require_authentication
@@ -134,7 +134,7 @@ module Rodauth
       # Avoid database query if already authenticated via 2nd factor
       return if two_factor_authenticated?
 
-      require_two_factor_authenticated if two_factor_authentication_setup?
+      require_two_factor_authenticated if uses_two_factor_authentication?
     end
 
     def require_two_factor_setup
@@ -208,11 +208,11 @@ module Rodauth
     end
 
     def _two_factor_setup_links
-      (super if defined?(super)) || []
+      []
     end
 
     def _two_factor_remove_links
-      (super if defined?(super)) || []
+      []
     end
 
     def _two_factor_remove_all_from_session

data/lib/rodauth/features/verify_account.rb

@@ -70,6 +70,7 @@ module Rodauth
       end
 
       r.post do
+        verified = false
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
@@ -79,8 +80,11 @@ module Rodauth
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
+            verified = true
           end
+        end
 
+        if verified
           set_notice_flash verify_account_email_sent_notice_flash
         else
           set_redirect_error_status(no_matching_login_error_status)
@@ -241,6 +245,12 @@ module Rodauth
       end
     end
 
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
+
     private
 
     def _login_form_footer_links
@@ -272,12 +282,6 @@ module Rodauth
       super
     end
 
-    def setup_account_verification
-      generate_verify_account_key_value
-      create_verify_account_key
-      send_verify_account_email
-    end
-
     def verify_account_check_already_logged_in
       check_already_logged_in
     end