rodauth 2.12.0 → 2.16.0

data/lib/rodauth/features/jwt_refresh.rb

@@ -135,7 +135,7 @@ module Rodauth
     end
 
     def _jwt_decode_opts
-      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+      if allow_refresh_with_expired_jwt_access_token? && (@jwt_refresh_route || request.path == jwt_refresh_path)
         Hash[super].merge!(:verify_expiration=>false)
       else
         super

data/lib/rodauth/features/lockout.rb

@@ -62,6 +62,10 @@ module Rodauth
     )
     auth_private_methods :account_from_unlock_key
 
+    internal_request_method(:lock_account)
+    internal_request_method(:unlock_account_request)
+    internal_request_method(:unlock_account)
+
     route(:unlock_account_request) do |r|
       check_already_logged_in
       before_unlock_account_request_route
@@ -84,6 +88,7 @@ module Rodauth
           set_notice_flash unlock_account_request_notice_flash
         else
           set_redirect_error_status(no_matching_login_error_status)
+          set_error_reason :no_matching_login
           set_redirect_error_flash no_matching_login_message.to_s.capitalize
         end
 
@@ -116,6 +121,7 @@ module Rodauth
         key = session[unlock_account_session_key] || param(unlock_account_key_param)
         unless account_from_unlock_key(key)
           set_redirect_error_status invalid_key_error_status
+          set_error_reason :invalid_unlock_account_key
           set_redirect_error_flash no_matching_unlock_account_key_error_flash
           redirect unlock_account_request_redirect
         end
@@ -134,7 +140,7 @@ module Rodauth
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else
-          set_response_error_status(invalid_password_error_status)
+          set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           set_error_flash unlock_account_error_flash
           unlock_account_view
@@ -165,6 +171,12 @@ module Rodauth
       unlock_account
     end
 
+    def _setup_account_lockouts_hash(account_id, key)
+      hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>key}
+      set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+      hash
+    end
+
     def invalid_login_attempted
       ds = account_login_failures_ds.
           where(account_login_failures_id_column=>account_id)
@@ -190,8 +202,7 @@ module Rodauth
 
       if number >= max_invalid_logins
         @unlock_account_key_value = generate_unlock_account_key
-        hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>unlock_account_key_value}
-        set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+        hash = _setup_account_lockouts_hash(account_id, unlock_account_key_value)
 
         if e = raised_uniqueness_violation{account_lockouts_ds.insert(hash)}
           # If inserting into the lockout table raises a violation, we should just be able to pull the already inserted
@@ -271,7 +282,7 @@ module Rodauth
     end
 
     def show_lockout_page
-      set_response_error_status lockout_error_status
+      set_response_error_reason_status(:account_locked_out, lockout_error_status)
       set_error_flash login_lockout_error_flash
       response.write unlock_account_request_view
       request.halt

data/lib/rodauth/features/login.rb

@@ -25,6 +25,9 @@ module Rodauth
 
     auth_value_methods :login_return_to_requested_location_path
 
+    internal_request_method
+    internal_request_method :valid_login_and_password?
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -39,13 +42,13 @@ module Rodauth
 
         catch_error do
           unless account_from_login(param(login_param))
-            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message)
+            throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
           before_login_attempt
 
           unless open_account?
-            throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
+            throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
           end
 
           if use_multi_phase_login?
@@ -61,7 +64,7 @@ module Rodauth
 
           unless password_match?(param(password_param))
             after_login_failure
-            throw_error_status(login_error_status, password_param, invalid_password_message)
+            throw_error_reason(:invalid_password, login_error_status, password_param, invalid_password_message)
           end
 
           login('password')

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -81,6 +81,11 @@ module Rodauth
     def password_too_short_message
       "minimum #{password_minimum_length} characters"
     end
+    
+    def set_password_requirement_error_message(reason, message)
+      set_error_reason(reason)
+      @password_requirement_message = message
+    end
 
     def login_does_not_meet_requirements_message
       "invalid login#{", #{login_requirement_message}" if login_requirement_message}"
@@ -93,13 +98,18 @@ module Rodauth
     def login_too_short_message
       "minimum #{login_minimum_length} characters"
     end
+    
+    def set_login_requirement_error_message(reason, message)
+      set_error_reason(reason)
+      @login_requirement_message = message
+    end
 
     def login_meets_length_requirements?(login)
       if login_minimum_length > login.length
-        @login_requirement_message = login_too_short_message
+        set_login_requirement_error_message(:login_too_short, login_too_short_message)
         false
       elsif login_maximum_length < login.length
-        @login_requirement_message = login_too_long_message
+        set_login_requirement_error_message(:login_too_long, login_too_long_message)
         false
       else
         true
@@ -109,7 +119,7 @@ module Rodauth
     def login_meets_email_requirements?(login)
       return true unless require_email_address_logins?
       return true if login_valid_email?(login)
-      @login_requirement_message = login_not_valid_email_message
+      set_login_requirement_error_message(:login_not_valid_email, login_not_valid_email_message)
       return false
     end
 
@@ -119,13 +129,13 @@ module Rodauth
 
     def password_meets_length_requirements?(password)
       return true if password_minimum_length <= password.length
-      @password_requirement_message = password_too_short_message
+      set_password_requirement_error_message(:password_too_short, password_too_short_message)
       false
     end
 
     def password_does_not_contain_null_byte?(password)
       return true unless password.include?("\0")
-      @password_requirement_message = contains_null_byte_message
+      set_password_requirement_error_message(:password_contains_null_byte, contains_null_byte_message)
       false
     end
 
@@ -150,4 +160,3 @@ module Rodauth
     end
   end
 end
-

data/lib/rodauth/features/otp.rb

@@ -96,6 +96,12 @@ module Rodauth
       :otp_tmp_key
     )
 
+    internal_request_method :otp_setup_params
+    internal_request_method :otp_setup
+    internal_request_method :otp_auth
+    internal_request_method :valid_otp_auth?
+    internal_request_method :otp_disable
+
     route(:otp_auth) do |r|
       require_login
       require_account_session
@@ -103,7 +109,7 @@ module Rodauth
       require_otp_setup
 
       if otp_locked_out?
-        set_response_error_status(lockout_error_status)
+        set_response_error_reason_status(:otp_locked_out, lockout_error_status)
         set_redirect_error_flash otp_lockout_error_flash
         redirect otp_lockout_redirect
       end
@@ -122,7 +128,7 @@ module Rodauth
 
         otp_record_authentication_failure
         after_otp_authentication_failure
-        set_response_error_status(invalid_key_error_status)
+        set_response_error_reason_status(:invalid_otp_auth_code, invalid_key_error_status)
         set_field_error(otp_auth_param, otp_invalid_auth_code_message)
         set_error_flash otp_auth_error_flash
         otp_auth_view
@@ -149,7 +155,7 @@ module Rodauth
         catch_error do
           unless otp_valid_key?(secret)
             otp_tmp_key(otp_new_secret)
-            throw_error_status(invalid_field_error_status, otp_setup_param, otp_invalid_secret_message)
+            throw_error_reason(:invalid_otp_secret, invalid_field_error_status, otp_setup_param, otp_invalid_secret_message)
           end
 
           if otp_keys_use_hmac?
@@ -159,11 +165,11 @@ module Rodauth
           end
 
           unless two_factor_password_match?(param(password_param))
-            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+            throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
           end
 
           unless otp_valid_code?(param(otp_auth_param))
-            throw_error_status(invalid_key_error_status, otp_auth_param, otp_invalid_auth_code_message)
+            throw_error_reason(:invalid_otp_auth_code, invalid_key_error_status, otp_auth_param, otp_invalid_auth_code_message)
           end
 
           transaction do
@@ -206,7 +212,7 @@ module Rodauth
           redirect otp_disable_redirect
         end
 
-        set_response_error_status(invalid_password_error_status)
+        set_response_error_reason_status(:invalid_password, invalid_password_error_status)
         set_field_error(password_param, invalid_password_message)
         set_error_flash otp_disable_error_flash
         otp_disable_view
@@ -226,6 +232,7 @@ module Rodauth
     def require_otp_setup
       unless otp_exists?
         set_redirect_error_status(two_factor_not_setup_error_status)
+        set_error_reason :two_factor_not_setup
         set_redirect_error_flash two_factor_not_setup_error_flash
         redirect two_factor_need_setup_redirect
       end

data/lib/rodauth/features/password_complexity.rb

@@ -54,21 +54,21 @@ module Rodauth
     def password_has_enough_character_groups?(password)
       return true if password.length > password_max_length_for_groups_check
       return true if password_character_groups.select{|re| password =~ re}.length >= password_min_groups
-      @password_requirement_message = password_not_enough_character_groups_message
+      set_password_requirement_error_message(:not_enough_character_groups_in_password, password_not_enough_character_groups_message)
       false
     end
 
     def password_has_no_invalid_pattern?(password)
       return true unless password_invalid_pattern
       return true if password !~ password_invalid_pattern
-      @password_requirement_message = password_invalid_pattern_message
+      set_password_requirement_error_message(:invalid_password_pattern, password_invalid_pattern_message)
       false
     end
 
     def password_not_too_many_repeating_characters?(password)
       return true if password_max_repeating_characters < 2
       return true if password !~ /(.)(\1){#{password_max_repeating_characters-1}}/ 
-      @password_requirement_message = password_too_many_repeating_characters_message
+      set_password_requirement_error_message(:too_many_repeating_characters_in_password, password_too_many_repeating_characters_message)
       false
     end
 
@@ -77,7 +77,7 @@ module Rodauth
       return true unless password =~ /\A(?:\d*)([A-Za-z!@$+|][A-Za-z!@$+|0134578]+[A-Za-z!@$+|])(?:\d*)\z/
       word = $1.downcase.tr('!@$+|0134578', 'iastloleastb')
       return true if !dict.include?(word)
-      @password_requirement_message = password_in_dictionary_message
+      set_password_requirement_error_message(:password_in_dictionary, password_in_dictionary_message)
       false
     end
   end

data/lib/rodauth/features/path_class_methods.rb

@@ -0,0 +1,22 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:path_class_methods, :PathClassMethods) do
+    def post_configure
+      super
+
+      klass = self.class
+      klass.features.each do |feature_name|
+        feature = FEATURES[feature_name]
+        feature.routes.each do |handle_meth|
+          route = handle_meth.to_s.sub(/\Ahandle_/, '')
+          path_meth = :"#{route}_path"
+          url_meth = :"#{route}_url"
+          instance = klass.allocate.freeze
+          klass.define_singleton_method(path_meth){|opts={}| instance.send(path_meth, opts)}
+          klass.define_singleton_method(url_meth){|opts={}| instance.send(url_meth, opts)}
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/recovery_codes.rb

@@ -59,6 +59,10 @@ module Rodauth
       :recovery_code_match?,
     )
 
+    internal_request_method :recovery_codes
+    internal_request_method :recovery_auth
+    internal_request_method :valid_recovery_auth?
+
     route(:recovery_auth) do |r|
       require_login
       require_account_session
@@ -76,7 +80,7 @@ module Rodauth
           two_factor_authenticate('recovery_code')
         end
 
-        set_response_error_status(invalid_key_error_status)
+        set_response_error_reason_status(:invalid_recovery_code, invalid_key_error_status)
         set_field_error(recovery_codes_param, invalid_recovery_code_message)
         set_error_flash invalid_recovery_code_error_flash
         recovery_auth_view
@@ -119,7 +123,7 @@ module Rodauth
             set_error_flash view_recovery_codes_error_flash
           end
 
-          set_response_error_status(invalid_password_error_status)
+          set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)
           recovery_codes_view
         end

data/lib/rodauth/features/remember.rb

@@ -39,12 +39,17 @@ module Rodauth
       :generate_remember_key_value,
       :get_remember_key,
       :load_memory,
+      :remembered_session_id,
       :logged_in_via_remember_key?,
       :remember_key_value,
       :remember_login,
       :remove_remember_key
     )
 
+    internal_request_method :remember_setup
+    internal_request_method :remember_disable
+    internal_request_method :account_id_for_remember_key
+
     route do |r|
       require_account
       before_remember_route
@@ -74,36 +79,42 @@ module Rodauth
           set_notice_flash remember_notice_flash
           redirect remember_redirect
         else
-          set_response_error_status(invalid_field_error_status)
+          set_response_error_reason_status(:invalid_remember_param, invalid_field_error_status)
           set_error_flash remember_error_flash
           remember_view
         end
       end
     end
 
-    def load_memory
-      return if session[session_key]
-      return unless cookie = request.cookies[remember_cookie_key]
+    def remembered_session_id
+      return unless cookie = _get_remember_cookie
       id, key = cookie.split('_', 2)
       return unless id && key
 
       actual, deadline = active_remember_key_ds(id).get([remember_key_column, remember_deadline_column])
-      unless actual
-        forget_login
-        return
-      end
+      return unless actual
 
       if hmac_secret
         unless valid = timing_safe_eql?(key, compute_hmac(actual))
           unless raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline)
-            forget_login
             return
           end
         end
       end
 
       unless valid || timing_safe_eql?(key, actual)
-        forget_login
+        return
+      end
+
+      id
+    end
+
+    def load_memory
+      return if session[session_key]
+
+      unless id = remembered_session_id
+        # Only set expired cookie if there is already a cookie set.
+        forget_login if _get_remember_cookie
         return
       end
 
@@ -180,6 +191,10 @@ module Rodauth
 
     private
 
+    def _get_remember_cookie
+      request.cookies[remember_cookie_key]
+    end
+
     def after_logout
       forget_login
       super if defined?(super)

data/lib/rodauth/features/reset_password.rb

@@ -57,6 +57,9 @@ module Rodauth
       :account_from_reset_password_key
     )
 
+    internal_request_method(:reset_password_request)
+    internal_request_method
+
     route(:reset_password_request) do |r|
       check_already_logged_in
       before_reset_password_request_route
@@ -68,11 +71,11 @@ module Rodauth
       r.post do
         catch_error do
           unless account_from_login(param(login_param))
-            throw_error_status(no_matching_login_error_status, login_param, no_matching_login_message)
+            throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
           unless open_account?
-            throw_error_status(unopen_account_error_status, login_param, unverified_account_message)
+            throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
           end
 
           if reset_password_email_recently_sent?
@@ -123,6 +126,7 @@ module Rodauth
         key = session[reset_password_session_key] || param(reset_password_key_param)
         unless account_from_reset_password_key(key)
           set_redirect_error_status(invalid_key_error_status)
+          set_error_reason :invalid_reset_password_key
           set_redirect_error_flash reset_password_error_flash
           redirect reset_password_email_sent_redirect
         end
@@ -130,11 +134,11 @@ module Rodauth
         password = param(password_param)
         catch_error do
           if password_match?(password) 
-            throw_error_status(invalid_field_error_status, password_param, same_as_existing_password_message)
+            throw_error_reason(:same_as_existing_password, invalid_field_error_status, password_param, same_as_existing_password_message)
           end
 
           if require_password_confirmation? && password != param(password_confirm_param)
-            throw_error_status(unmatched_field_error_status, password_param, passwords_do_not_match_message)
+            throw_error_reason(:passwords_do_not_match, unmatched_field_error_status, password_param, passwords_do_not_match_message)
           end
 
           unless password_meets_requirements?(password)