rodauth 2.14.0 → 2.18.0

data/doc/release_notes/2.15.0.txt

@@ -0,0 +1,48 @@
+= New Features
+
+* An internal_request feature has been added.  This feature allows
+  for interacting with Rodauth by calling methods, instead of having
+  to use a website or JSON API.  This feature is designed primarily
+  for administrative use, so that administrators can create accounts,
+  change passwords or logins for accounts, and handle similar actions
+  without the user of the account being involved.
+
+  For example, assuming you've loaded the change_password and
+  internal_request features, and that your Roda class that
+  is loading Rodauth is named App, you can change the password
+  for the account with id 1 using:
+
+    App.rodauth.change_password(account_id: 1, password: 'foobar')
+
+  The internal request methods are implemented as class methods
+  on the Rodauth::Auth subclass (the object returned by App.rodauth).
+  These methods call methods on a subclass of that class specific
+  to internal requests.
+
+  The reason the feature is named internal_request is that these
+  methods are implemented by submitting a request internally, that is
+  processed almost exactly the same way as Rodauth would process a
+  web request.
+
+  See the internal_request feature documentation for details on which
+  internal request methods are available and the options they take.
+
+* A path_class_methods feature has been added, that allows for calling
+  *_path and *_url as class methods.  If you would like to call the
+  *_url methods as class methods, make sure to use the base_url
+  configuration method to set the base URL so that it does not require
+  request-specific information.
+
+* Rodauth::Auth classes now have a configuration_name method that
+  returns the configuration name associated with the class. They also
+  have a configuration method that returns the configuration
+  associated with the class.
+
+* Rodauth::Feature now supports an internal_request_method method for
+  specifying which methods are supported as internal request methods.
+
+= Other Improvements
+
+* The default base_url configuration method will now use the domain
+  method to get the domain to use, instead of getting the domain
+  information directly from the request environment.

data/doc/release_notes/2.16.0.txt

@@ -0,0 +1,20 @@
+= New Features
+
+* Rodauth.lib has been added for using Rodauth purely as a library,
+  useful in non-web applications:
+
+    require 'rodauth'
+    rodauth = Rodauth.lib do
+      enable :create_account, :change_password
+    end
+    rodauth.create_account(login: 'foo@example.com', password: '...')
+    rodauth.change_password(account_id: 24601, password: '...')
+
+  This is built on top of the internal_request feature, and works by
+  creating a Roda application with the rodauth plugin, and returning
+  the related Rodauth::Auth class.
+
+= Other Improvements
+
+* The internal_request feature now works correctly for configurations
+  where only_json? is set to true.

data/doc/release_notes/2.17.0.txt

@@ -0,0 +1,10 @@
+= Improvements
+
+* The jwt_refresh feature now works for unverified accounts when using
+  the verify_account_grace_period feature.
+
+* When trying to create an account that already exists but is
+  unverified, Rodauth now returns a 4xx response.
+
+* When trying to login to an unverified account, Rodauth now returns a
+  4xx response.

data/doc/release_notes/2.18.0.txt

@@ -0,0 +1,27 @@
+= New Features
+
+* When using the json and multifactor auth features, the JSON API can
+  now access the multifactor-manage route to get lists of endpoints
+  for setting up and disabling supported multifactor authentication
+  methods.  The JSON API can now also access the multifactor-auth
+  route to get a list of endpoints for multifactor authentication for
+  the currently logged in account.
+
+= Other Improvements
+
+* In the otp feature, the viewbox: true rqrcode option is now used
+  when creating the QR code.  This results in a QR code that is
+  displayed better and is easier to style.  This option only has
+  an effect when using rqrcode 2+.
+
+* When using the :auth_class option when loading the rodauth plugin,
+  the configuration name is set in the provided auth class, unless the
+  auth class already has a configuration name set.
+
+* The example migration now recommends using a partial index on the
+  email column in cases where the database supports partial indexes.
+  Previously, it only recommended it on PostgreSQL.
+
+* The argon2 feature now works with argon2 2.1.0.  Older versions of
+  Rodauth work with both earlier and later versions of argon2, but
+  not 2.1.0.

data/lib/rodauth/features/argon2.rb

@@ -16,6 +16,18 @@ module Rodauth
 
     private
 
+    if Argon2::VERSION != '2.1.0'
+      def argon2_salt_option
+        :salt_do_not_supply
+      end
+    # :nocov:
+    else
+      def argon2_salt_option
+        :salt_for_testing_purposes_only
+      end
+    # :nocov:
+    end
+
     def password_hash_cost
       return super unless use_argon2?
       argon2_hash_cost 
@@ -35,7 +47,7 @@ module Rodauth
       return super unless argon2_hash_algorithm?(salt)
 
       argon2_params = Hash[extract_password_hash_cost(salt)]
-      argon2_params[:salt_do_not_supply] = Base64.decode64(salt.split('$').last)
+      argon2_params[argon2_salt_option] = Base64.decode64(salt.split('$').last)
       ::Argon2::Password.new(argon2_params).create(password)
     end
 

data/lib/rodauth/features/base.rb

@@ -115,6 +115,10 @@ module Rodauth
       :around_rodauth
     )
 
+    internal_request_method :account_exists?
+    internal_request_method :account_id_for_login
+    internal_request_method :internal_request_eval
+
     configuration_module_eval do
       def auth_class_eval(&block)
         auth.class_eval(&block)
@@ -445,7 +449,9 @@ module Rodauth
     end
 
     def base_url
-      request.base_url
+      url = String.new("#{request.scheme}://#{domain}")
+      url << ":#{request.port}" if request.port != Rack::Request::DEFAULT_PORTS[request.scheme]
+      url
     end
 
     def domain
@@ -734,6 +740,10 @@ module Rodauth
       end
     end
 
+    def internal_request?
+      false
+    end
+
     def set_session_value(key, value)
       session[key] = value
     end

data/lib/rodauth/features/change_login.rb

@@ -19,6 +19,8 @@ module Rodauth
 
     auth_methods :change_login
 
+    internal_request_method
+
     route do |r|
       require_account
       before_change_login_route

data/lib/rodauth/features/change_password.rb

@@ -22,6 +22,8 @@ module Rodauth
       :invalid_previous_password_message
     )
 
+    internal_request_method
+
     route do |r|
       require_account
       before_change_password_route

data/lib/rodauth/features/close_account.rb

@@ -24,6 +24,8 @@ module Rodauth
       :delete_account
     )
 
+    internal_request_method
+
     route do |r|
       require_account
       before_close_account_route

data/lib/rodauth/features/create_account.rb

@@ -27,6 +27,8 @@ module Rodauth
       :new_account
     )
 
+    internal_request_method
+
     route do |r|
       check_already_logged_in
       before_create_account_route

data/lib/rodauth/features/email_auth.rb

@@ -49,6 +49,10 @@ module Rodauth
 
     auth_private_methods :account_from_email_auth_key
 
+    internal_request_method
+    internal_request_method :email_auth_request
+    internal_request_method :valid_email_auth?
+
     route(:email_auth_request) do |r|
       check_already_logged_in
       before_email_auth_request_route

data/lib/rodauth/features/internal_request.rb

@@ -0,0 +1,371 @@
+# frozen-string-literal: true
+
+require 'stringio'
+
+module Rodauth
+  INVALID_DOMAIN = "invalidurl @@.com"
+
+  class InternalRequestError < StandardError
+    attr_accessor :flash
+    attr_accessor :reason
+    attr_accessor :field_errors
+
+    def initialize(attrs)
+      return super if attrs.is_a?(String)
+
+      @flash = attrs[:flash]
+      @reason = attrs[:reason]
+      @field_errors = attrs[:field_errors] || {}
+
+      super(build_message)
+    end
+
+    private
+
+    def build_message
+      extras = []
+      extras << reason if reason
+      extras << field_errors unless field_errors.empty?
+      extras = (" (#{extras.join(", ")})" unless extras.empty?)
+
+      "#{flash}#{extras}"
+    end
+  end
+
+  module InternalRequestMethods
+    attr_accessor :session
+    attr_accessor :params
+    attr_reader :flash
+    attr_accessor :internal_request_block
+
+    def domain
+      d = super
+      if d == INVALID_DOMAIN
+        raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
+      end
+      d
+    end
+
+    def raw_param(k)
+      @params[k]
+    end
+
+    def set_error_flash(message)
+      @flash = message
+      _handle_internal_request_error
+    end
+    alias set_redirect_error_flash set_error_flash
+
+    def set_notice_flash(message)
+      @flash = message
+    end
+    alias set_notice_now_flash set_notice_flash
+
+    def modifications_require_password?
+      false
+    end
+    alias require_login_confirmation? modifications_require_password?
+    alias require_password_confirmation? modifications_require_password?
+    alias change_login_requires_password? modifications_require_password?
+    alias change_password_requires_password? modifications_require_password?
+    alias close_account_requires_password? modifications_require_password?
+    alias two_factor_modifications_require_password? modifications_require_password?
+
+    def otp_setup_view
+      hash = {:otp_setup=>otp_user_key}
+      hash[:otp_setup_raw] = otp_key if hmac_secret
+      _return_from_internal_request(hash)
+    end
+
+    def add_recovery_codes_view
+      _return_from_internal_request(recovery_codes)
+    end
+
+    def handle_internal_request(meth)
+      catch(:halt) do
+        _around_rodauth do
+          before_rodauth
+          send(meth, request)
+        end
+      end
+
+      @internal_request_return_value
+    end
+
+    def only_json?
+      false
+    end
+
+    private
+
+    def internal_request?
+      true
+    end
+
+    def set_error_reason(reason)
+      @error_reason = reason
+    end
+
+    def after_login
+      super
+      _set_internal_request_return_value(account_id) unless @return_false_on_error
+    end
+
+    def after_remember
+      super
+      if params[remember_param] == remember_remember_param_value
+        _set_internal_request_return_value("#{account_id}_#{convert_token_key(remember_key_value)}")
+      end
+    end
+
+    def after_load_memory
+      super
+      _return_from_internal_request(session_value)
+    end
+
+    def before_change_password_route
+      super
+      params[new_password_param] ||= params[password_param]
+    end
+
+    def before_email_auth_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_login_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_unlock_account_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_reset_password_request_route
+      super
+      _set_login_param_from_account
+    end
+
+    def before_verify_account_resend_route
+      super
+      _set_login_param_from_account
+    end
+
+    def account_from_key(token, status_id=nil)
+      return super unless session_value
+      return unless yield session_value
+      ds = account_ds(session_value)
+      ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
+      ds.first
+    end
+
+    def _set_internal_request_return_value(value)
+      @internal_request_return_value = value
+    end
+
+    def _return_from_internal_request(value)
+      _set_internal_request_return_value(value)
+      throw(:halt)
+    end
+
+    def _handle_internal_request_error
+      if @return_false_on_error
+        _return_from_internal_request(false)
+      else
+        raise InternalRequestError.new(flash: @flash, reason: @error_reason, field_errors: @field_errors)
+      end
+    end
+
+    def _return_false_on_error!
+      @return_false_on_error = true
+    end
+
+    def _set_login_param_from_account
+      if session_value && !params[login_param] && (account = account_ds(session_value).first)
+        params[login_param] = account[login_column]
+      end
+    end
+
+    def _get_remember_cookie
+      params[remember_param]
+    end
+
+    def _handle_internal_request_eval(_)
+      v = instance_eval(&internal_request_block)
+      _set_internal_request_return_value(v) unless defined?(@internal_request_return_value)
+    end
+
+    def _handle_account_id_for_login(_)
+      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
+      raise InternalRequestError, "no account for login" unless account = account_from_login(login)
+      _return_from_internal_request(account[account_id_column])
+    end
+
+    def _handle_account_exists?(_)
+      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
+      _return_from_internal_request(!!account_from_login(login))
+    end
+
+    def _handle_lock_account(_)
+      raised_uniqueness_violation{account_lockouts_ds(session_value).insert(_setup_account_lockouts_hash(session_value, generate_unlock_account_key))}
+    end
+
+    def _handle_remember_setup(request)
+      params[remember_param] = remember_remember_param_value
+      _handle_remember(request)
+    end
+
+    def _handle_remember_disable(request)
+      params[remember_param] = remember_disable_param_value
+      _handle_remember(request)
+    end
+
+    def _handle_account_id_for_remember_key(request)
+      load_memory
+      raise InternalRequestError, "invalid remember key"
+    end
+
+    def _handle_otp_setup_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_otp_setup(request)
+    end
+
+    def _predicate_internal_request(meth, request)
+      _return_false_on_error!
+      _set_internal_request_return_value(true)
+      send(meth, request)
+    end
+
+    def _handle_valid_login_and_password?(request)
+      _predicate_internal_request(:_handle_login, request)
+    end
+
+    def _handle_valid_email_auth?(request)
+      _predicate_internal_request(:_handle_email_auth, request)
+    end
+
+    def _handle_valid_otp_auth?(request)
+      _predicate_internal_request(:_handle_otp_auth, request)
+    end
+
+    def _handle_valid_recovery_auth?(request)
+      _predicate_internal_request(:_handle_recovery_auth, request)
+    end
+
+    def _handle_valid_sms_auth?(request)
+      _predicate_internal_request(:_handle_sms_auth, request)
+    end
+  end
+
+  module InternalRequestClassMethods
+    def internal_request(route, opts={}, &block)
+      opts = opts.dup
+      
+      env = {
+         'REQUEST_METHOD'=>'POST',
+         'PATH_INFO'=>'/',
+         "SCRIPT_NAME" => "",
+         "HTTP_HOST" => INVALID_DOMAIN,
+         "SERVER_NAME" => INVALID_DOMAIN,
+         "SERVER_PORT" => 443,
+         "CONTENT_TYPE" => "application/x-www-form-urlencoded",
+         "rack.input"=>StringIO.new(''),
+         "rack.url_scheme"=>"https"
+      }
+      env.merge!(opts.delete(:env)) if opts[:env]
+
+      session = {}
+      session.merge!(opts.delete(:session)) if opts[:session]
+
+      params = {}
+      params.merge!(opts.delete(:params)) if opts[:params]
+
+      scope = roda_class.new(env)
+      rodauth = new(scope)
+      rodauth.session = session
+      rodauth.params = params
+      rodauth.internal_request_block = block
+
+      unless account_id = opts.delete(:account_id)
+        if (account_login = opts.delete(:account_login))
+          if (account = rodauth.send(:_account_from_login, account_login))
+            account_id = account[rodauth.account_id_column]
+          else
+            raise InternalRequestError, "no account for login: #{account_login.inspect}"
+          end
+        end
+      end
+
+      if account_id
+        session[rodauth.session_key] = account_id
+        unless authenticated_by = opts.delete(:authenticated_by)
+          authenticated_by = case route
+          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
+            ['internal1']
+          else
+            ['internal1', 'internal2']
+          end
+        end
+        session[rodauth.authenticated_by_session_key] = authenticated_by
+      end
+
+      opts.keys.each do |k|
+        meth = :"#{k}_param"
+        params[rodauth.public_send(meth).to_s] = opts.delete(k) if rodauth.respond_to?(meth)
+      end
+
+      unless opts.empty?
+        warn "unhandled options passed to #{route}: #{opts.inspect}"
+      end
+
+      rodauth.handle_internal_request(:"_handle_#{route}")
+    end
+  end
+
+  Feature.define(:internal_request, :InternalRequest) do
+    configuration_module_eval do
+      def internal_request_configuration(&block)
+        @auth.instance_exec do
+          (@internal_request_configuration_blocks ||= []) << block
+        end
+      end
+    end
+
+    def post_configure
+      super
+
+      return if is_a?(InternalRequestMethods)
+
+      klass = self.class
+      internal_class = Class.new(klass) do
+        @roda_class = klass.roda_class
+        @features = klass.features.clone
+        @routes = klass.routes.clone
+        @route_hash = klass.route_hash.clone
+        @configuration = klass.configuration.clone
+        @configuration.instance_variable_set(:@auth, self)
+      end
+
+      if blocks = klass.instance_variable_get(:@internal_request_configuration_blocks)
+        configuration = internal_class.configuration
+        blocks.each do |block|
+          configuration.instance_exec(&block)
+        end
+      end
+      internal_class.send(:extend, InternalRequestClassMethods)
+      internal_class.send(:include, InternalRequestMethods)
+      internal_class.allocate.post_configure
+
+      ([:base] + internal_class.features).each do |feature_name|
+        feature = FEATURES[feature_name]
+        if meths = feature.internal_request_methods
+          meths.each do |name|
+            klass.define_singleton_method(name){|opts={}, &block| internal_class.internal_request(name, opts, &block)}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/json.rb

@@ -67,6 +67,25 @@ module Rodauth
 
     private
 
+    def before_two_factor_manage_route
+      super if defined?(super)
+      if use_json?
+        json_response[:setup_links] = two_factor_setup_links.sort.map{|_,link| link}
+        json_response[:remove_links] = two_factor_remove_links.sort.map{|_,link| link}
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+        return_json_response
+      end
+    end
+
+    def before_two_factor_auth_route
+      super if defined?(super)
+      if use_json?
+        json_response[:auth_links] = two_factor_auth_links.sort.map{|_,link| link}
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+        return_json_response
+      end
+    end
+
     def before_view_recovery_codes
       super if defined?(super)
       if use_json?

data/lib/rodauth/features/jwt_refresh.rb

@@ -98,7 +98,7 @@ module Rodauth
           # JWT is invalid for other reasons.  Make sure the expiration is the
           # only reason the JWT isn't valid before treating this as an expired token.
           JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
-        rescue => e
+        rescue
         else
           json_response[json_response_error_key] = expired_jwt_access_token_message
           response.status ||= expired_jwt_access_token_status
@@ -120,7 +120,7 @@ module Rodauth
       end
 
       ds = account_ds(id)
-      ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
+      ds = ds.where(account_session_status_filter) unless skip_status_checks?
       ds.first
     end
 

data/lib/rodauth/features/lockout.rb

@@ -62,6 +62,10 @@ module Rodauth
     )
     auth_private_methods :account_from_unlock_key
 
+    internal_request_method(:lock_account)
+    internal_request_method(:unlock_account_request)
+    internal_request_method(:unlock_account)
+
     route(:unlock_account_request) do |r|
       check_already_logged_in
       before_unlock_account_request_route
@@ -167,6 +171,12 @@ module Rodauth
       unlock_account
     end
 
+    def _setup_account_lockouts_hash(account_id, key)
+      hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>key}
+      set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+      hash
+    end
+
     def invalid_login_attempted
       ds = account_login_failures_ds.
           where(account_login_failures_id_column=>account_id)
@@ -192,8 +202,7 @@ module Rodauth
 
       if number >= max_invalid_logins
         @unlock_account_key_value = generate_unlock_account_key
-        hash = {account_lockouts_id_column=>account_id, account_lockouts_key_column=>unlock_account_key_value}
-        set_deadline_value(hash, account_lockouts_deadline_column, account_lockouts_deadline_interval)
+        hash = _setup_account_lockouts_hash(account_id, unlock_account_key_value)
 
         if e = raised_uniqueness_violation{account_lockouts_ds.insert(hash)}
           # If inserting into the lockout table raises a violation, we should just be able to pull the already inserted

data/lib/rodauth/features/login.rb

@@ -25,6 +25,9 @@ module Rodauth
 
     auth_value_methods :login_return_to_requested_location_path
 
+    internal_request_method
+    internal_request_method :valid_login_and_password?
+
     route do |r|
       check_already_logged_in
       before_login_route