rodauth 2.14.0 → 2.15.0

data/doc/path_class_methods.rdoc

@@ -0,0 +1,10 @@
+= Documentation for Path Class Methods Feature
+
+The path class methods feature allows for calling the *_path and *_url
+methods directly on the class, as opposed to an instance of the class.
+
+In order for the *_url methods to be used, you must use the base_url
+configuration so that determining the base URL doesn't depend on the
+submitted request, as the request will not be set when using the
+class method. Failure to do this will probably result in a NoMethodError
+being raised.

data/doc/release_notes/2.15.0.txt

@@ -0,0 +1,48 @@
+= New Features
+
+* An internal_request feature has been added.  This feature allows
+  for interacting with Rodauth by calling methods, instead of having
+  to use a website or JSON API.  This feature is designed primarily
+  for administrative use, so that administrators can create accounts,
+  change passwords or logins for accounts, and handle similar actions
+  without the user of the account being involved.
+
+  For example, assuming you've loaded the change_password and
+  internal_request features, and that your Roda class that
+  is loading Rodauth is named App, you can change the password
+  for the account with id 1 using:
+
+    App.rodauth.change_password(account_id: 1, password: 'foobar')
+
+  The internal request methods are implemented as class methods
+  on the Rodauth::Auth subclass (the object returned by App.rodauth).
+  These methods call methods on a subclass of that class specific
+  to internal requests.
+
+  The reason the feature is named internal_request is that these
+  methods are implemented by submitting a request internally, that is
+  processed almost exactly the same way as Rodauth would process a
+  web request.
+
+  See the internal_request feature documentation for details on which
+  internal request methods are available and the options they take.
+
+* A path_class_methods feature has been added, that allows for calling
+  *_path and *_url as class methods.  If you would like to call the
+  *_url methods as class methods, make sure to use the base_url
+  configuration method to set the base URL so that it does not require
+  request-specific information.
+
+* Rodauth::Auth classes now have a configuration_name method that
+  returns the configuration name associated with the class. They also
+  have a configuration method that returns the configuration
+  associated with the class.
+
+* Rodauth::Feature now supports an internal_request_method method for
+  specifying which methods are supported as internal request methods.
+
+= Other Improvements
+
+* The default base_url configuration method will now use the domain
+  method to get the domain to use, instead of getting the domain
+  information directly from the request environment.

data/lib/rodauth.rb

@@ -39,11 +39,11 @@ module Rodauth
     else
       json_opt != :only
     end
-    auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= opts[:auth_class] || Class.new(Auth)
+    auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= opts[:auth_class] || Class.new(Auth){@configuration_name = opts[:name]}
     if !auth_class.roda_class
       auth_class.roda_class = app
     elsif auth_class.roda_class != app
-      auth_class = app.opts[:rodauths][opts[:name]] = Class.new(auth_class)
+      auth_class = app.opts[:rodauths][opts[:name]] = Class.new(auth_class){@configuration_name = opts[:name]}
       auth_class.roda_class = app
     end
     auth_class.configure(&block) if block
@@ -107,6 +107,7 @@ module Rodauth
     attr_accessor :dependencies
     attr_accessor :routes
     attr_accessor :configuration
+    attr_reader :internal_request_methods
 
     def route(name=feature_name, default=name.to_s.tr('_', '-'), &block)
       route_meth = :"#{name}_route"
@@ -152,6 +153,10 @@ module Rodauth
       FEATURES[name] = feature
     end
 
+    def internal_request_method(name=feature_name)
+      (@internal_request_methods ||= []) << name
+    end
+
     def configuration_module_eval(&block)
       configuration.module_eval(&block)
     end
@@ -260,6 +265,8 @@ module Rodauth
       attr_reader :features
       attr_reader :routes
       attr_accessor :route_hash
+      attr_reader :configuration_name
+      attr_reader :configuration
     end
 
     def self.inherited(subclass)

data/lib/rodauth/features/base.rb

@@ -115,6 +115,10 @@ module Rodauth
       :around_rodauth
     )
 
+    internal_request_method :account_exists?
+    internal_request_method :account_id_for_login
+    internal_request_method :internal_request_eval
+
     configuration_module_eval do
       def auth_class_eval(&block)
         auth.class_eval(&block)
@@ -445,7 +449,9 @@ module Rodauth
     end
 
     def base_url
-      request.base_url
+      url = String.new("#{request.scheme}://#{domain}")
+      url << ":#{request.port}" if request.port != Rack::Request::DEFAULT_PORTS[request.scheme]
+      url
     end
 
     def domain
@@ -734,6 +740,10 @@ module Rodauth
       end
     end
 
+    def internal_request?
+      false
+    end
+
     def set_session_value(key, value)
       session[key] = value
     end

data/lib/rodauth/features/change_login.rb

@@ -19,6 +19,8 @@ module Rodauth
 
     auth_methods :change_login
 
+    internal_request_method
+
     route do |r|
       require_account
       before_change_login_route

data/lib/rodauth/features/change_password.rb

@@ -22,6 +22,8 @@ module Rodauth
       :invalid_previous_password_message
     )
 
+    internal_request_method
+
     route do |r|
       require_account
       before_change_password_route

data/lib/rodauth/features/close_account.rb

@@ -24,6 +24,8 @@ module Rodauth
       :delete_account
     )
 
+    internal_request_method
+
     route do |r|
       require_account
       before_close_account_route

data/lib/rodauth/features/create_account.rb

@@ -27,6 +27,8 @@ module Rodauth
       :new_account
     )
 
+    internal_request_method
+
     route do |r|
       check_already_logged_in
       before_create_account_route

data/lib/rodauth/features/email_auth.rb

@@ -49,6 +49,10 @@ module Rodauth
 
     auth_private_methods :account_from_email_auth_key
 
+    internal_request_method
+    internal_request_method :email_auth_request
+    internal_request_method :valid_email_auth?
+
     route(:email_auth_request) do |r|
       check_already_logged_in
       before_email_auth_request_route

data/lib/rodauth/features/internal_request.rb

@@ -0,0 +1,367 @@
+# frozen-string-literal: true
+
+require 'stringio'
+
+module Rodauth
+  INVALID_DOMAIN = "invalidurl @@.com"
+
+  class InternalRequestError < StandardError
+    attr_accessor :flash
+    attr_accessor :reason
+    attr_accessor :field_errors
+
+    def initialize(attrs)
+      return super if attrs.is_a?(String)
+
+      @flash = attrs[:flash]
+      @reason = attrs[:reason]
+      @field_errors = attrs[:field_errors] || {}
+
+      super(build_message)
+    end
+
+    private
+
+    def build_message
+      extras = []
+      extras << reason if reason
+      extras << field_errors unless field_errors.empty?
+      extras = (" (#{extras.join(", ")})" unless extras.empty?)
+
+      "#{flash}#{extras}"
+    end
+  end
+
+  module InternalRequestMethods
+    attr_accessor :session
+    attr_accessor :params
+    attr_reader :flash
+    attr_accessor :internal_request_block
+
+    def domain
+      d = super
+      if d == INVALID_DOMAIN
+        raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
+      end
+      d
+    end
+
+    def raw_param(k)
+      @params[k]
+    end
+
+    def set_error_flash(message)
+      @flash = message
+      _handle_internal_request_error
+    end
+    alias set_redirect_error_flash set_error_flash
+
+    def set_notice_flash(message)
+      @flash = message
+    end
+    alias set_notice_now_flash set_notice_flash
+
+    def modifications_require_password?
+      false
+    end
+    alias require_login_confirmation? modifications_require_password?
+    alias require_password_confirmation? modifications_require_password?
+    alias change_login_requires_password? modifications_require_password?
+    alias change_password_requires_password? modifications_require_password?
+    alias close_account_requires_password? modifications_require_password?
+    alias two_factor_modifications_require_password? modifications_require_password?
+
+    def otp_setup_view
+      hash = {:otp_setup=>otp_user_key}
+      hash[:otp_setup_raw] = otp_key if hmac_secret
+      _return_from_internal_request(hash)
+    end
+
+    def add_recovery_codes_view
+      _return_from_internal_request(recovery_codes)
+    end
+
+    def handle_internal_request(meth)
+      catch(:halt) do
+        _around_rodauth do
+          before_rodauth
+          send(meth, request)
+        end
+      end
+
+      @internal_request_return_value
+    end
+
+    private
+
+    def internal_request?
+      true
+    end
+
+    def set_error_reason(reason)
+      @error_reason = reason
+    end
+
+    def after_login
+      super
+      _set_internal_request_return_value(account_id) unless @return_false_on_error
+    end
+
+    def after_remember
+      super
+      if params[remember_param] == remember_remember_param_value
+        _set_internal_request_return_value("#{account_id}_#{convert_token_key(remember_key_value)}")
+      end
+    end
+
+    def after_load_memory
+      super
+      _return_from_internal_request(session_value)
+    end
+
+    def before_change_password_route
+      super
+      params[new_password_param] ||= params[password_param]
+    end
+
+    def before_email_auth_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_login_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_unlock_account_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_reset_password_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_verify_account_resend_route
+      super
+      _set_login_param_from_account
+    end
+
+    def account_from_key(token, status_id=nil)
+      return super unless session_value
+      return unless yield session_value
+      ds = account_ds(session_value)
+      ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
+      ds.first
+    end
+
+    def _set_internal_request_return_value(value)
+      @internal_request_return_value = value
+    end
+
+    def _return_from_internal_request(value)
+      _set_internal_request_return_value(value)
+      throw(:halt)
+    end
+
+    def _handle_internal_request_error
+      if @return_false_on_error
+        _return_from_internal_request(false)
+      else
+        raise InternalRequestError.new(flash: @flash, reason: @error_reason, field_errors: @field_errors)
+      end
+    end
+
+    def _return_false_on_error!
+      @return_false_on_error = true
+    end
+
+    def _set_login_param_from_account
+      if session_value && !params[login_param] && (account = account_ds(session_value).first)
+        params[login_param] = account[login_column]
+      end
+    end
+
+    def _get_remember_cookie
+      params[remember_param]
+    end
+
+    def _handle_internal_request_eval(_)
+      v = instance_eval(&internal_request_block)
+      _set_internal_request_return_value(v) unless defined?(@internal_request_return_value)
+    end
+
+    def _handle_account_id_for_login(_)
+      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
+      raise InternalRequestError, "no account for login" unless account = account_from_login(login)
+      _return_from_internal_request(account[account_id_column])
+    end
+
+    def _handle_account_exists?(_)
+      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
+      _return_from_internal_request(!!account_from_login(login))
+    end
+
+    def _handle_lock_account(_)
+      raised_uniqueness_violation{account_lockouts_ds(session_value).insert(_setup_account_lockouts_hash(session_value, generate_unlock_account_key))}
+    end
+
+    def _handle_remember_setup(request)
+      params[remember_param] = remember_remember_param_value
+      _handle_remember(request)
+    end
+
+    def _handle_remember_disable(request)
+      params[remember_param] = remember_disable_param_value
+      _handle_remember(request)
+    end
+
+    def _handle_account_id_for_remember_key(request)
+      load_memory
+      raise InternalRequestError, "invalid remember key"
+    end
+
+    def _handle_otp_setup_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_otp_setup(request)
+    end
+
+    def _predicate_internal_request(meth, request)
+      _return_false_on_error!
+      _set_internal_request_return_value(true)
+      send(meth, request)
+    end
+
+    def _handle_valid_login_and_password?(request)
+      _predicate_internal_request(:_handle_login, request)
+    end
+
+    def _handle_valid_email_auth?(request)
+      _predicate_internal_request(:_handle_email_auth, request)
+    end
+
+    def _handle_valid_otp_auth?(request)
+      _predicate_internal_request(:_handle_otp_auth, request)
+    end
+
+    def _handle_valid_recovery_auth?(request)
+      _predicate_internal_request(:_handle_recovery_auth, request)
+    end
+
+    def _handle_valid_sms_auth?(request)
+      _predicate_internal_request(:_handle_sms_auth, request)
+    end
+  end
+
+  module InternalRequestClassMethods
+    def internal_request(route, opts={}, &block)
+      opts = opts.dup
+      
+      env = {
+         'REQUEST_METHOD'=>'POST',
+         'PATH_INFO'=>'/',
+         "SCRIPT_NAME" => "",
+         "HTTP_HOST" => INVALID_DOMAIN,
+         "SERVER_NAME" => INVALID_DOMAIN,
+         "SERVER_PORT" => 443,
+         "CONTENT_TYPE" => "application/x-www-form-urlencoded",
+         "rack.input"=>StringIO.new(''),
+         "rack.url_scheme"=>"https"
+      }
+      env.merge!(opts.delete(:env)) if opts[:env]
+
+      session = {}
+      session.merge!(opts.delete(:session)) if opts[:session]
+
+      params = {}
+      params.merge!(opts.delete(:params)) if opts[:params]
+
+      scope = roda_class.new(env)
+      rodauth = new(scope)
+      rodauth.session = session
+      rodauth.params = params
+      rodauth.internal_request_block = block
+
+      unless account_id = opts.delete(:account_id)
+        if (account_login = opts.delete(:account_login))
+          if (account = rodauth.send(:_account_from_login, account_login))
+            account_id = account[rodauth.account_id_column]
+          else
+            raise InternalRequestError, "no account for login: #{account_login.inspect}"
+          end
+        end
+      end
+
+      if account_id
+        session[rodauth.session_key] = account_id
+        unless authenticated_by = opts.delete(:authenticated_by)
+          authenticated_by = case route
+          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
+            ['internal1']
+          else
+            ['internal1', 'internal2']
+          end
+        end
+        session[rodauth.authenticated_by_session_key] = authenticated_by
+      end
+
+      opts.keys.each do |k|
+        meth = :"#{k}_param"
+        params[rodauth.public_send(meth).to_s] = opts.delete(k) if rodauth.respond_to?(meth)
+      end
+
+      unless opts.empty?
+        warn "unhandled options passed to #{route}: #{opts.inspect}"
+      end
+
+      rodauth.handle_internal_request(:"_handle_#{route}")
+    end
+  end
+
+  Feature.define(:internal_request, :InternalRequest) do
+    configuration_module_eval do
+      def internal_request_configuration(&block)
+        @auth.instance_exec do
+          (@internal_request_configuration_blocks ||= []) << block
+        end
+      end
+    end
+
+    def post_configure
+      super
+
+      return if is_a?(InternalRequestMethods)
+
+      klass = self.class
+      internal_class = Class.new(klass) do
+        @roda_class = klass.roda_class
+        @features = klass.features.clone
+        @routes = klass.routes.clone
+        @route_hash = klass.route_hash.clone
+        @configuration = klass.configuration.clone
+        @configuration.instance_variable_set(:@auth, self)
+      end
+
+      if blocks = klass.instance_variable_get(:@internal_request_configuration_blocks)
+        configuration = internal_class.configuration
+        blocks.each do |block|
+          configuration.instance_exec(&block)
+        end
+      end
+      internal_class.send(:extend, InternalRequestClassMethods)
+      internal_class.send(:include, InternalRequestMethods)
+      internal_class.allocate.post_configure
+
+      ([:base] + internal_class.features).each do |feature_name|
+        feature = FEATURES[feature_name]
+        if meths = feature.internal_request_methods
+          meths.each do |name|
+            klass.define_singleton_method(name){|opts={}, &block| internal_class.internal_request(name, opts, &block)}
+          end
+        end
+      end
+    end
+  end
+end