rodauth 2.19.0 → 2.22.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0defa94cb0c58b317997853eda1775694a8b0bb89e3bb75f8de50af57a2223fe
4
- data.tar.gz: 977738446cb7d8ac53a7edeab2587c07e7a9b9407d2584daa80fe6d47147f395
3
+ metadata.gz: f20339f12a4abc3d970bebd785c10d788ecb51c46f787beda3ff8a0d9a337706
4
+ data.tar.gz: 1a930e230aff9f64d7af359211fc9c568a93978372a5813612c964b673c8f6aa
5
5
  SHA512:
6
- metadata.gz: 0e8833fc2ac01f3a917b8c267642b92472969531df33dc90dcae6e90d5b62befbf2f948ca75cafcd84353b4b9d629f1dec8d70e3e77cc2387cc0791cee551773
7
- data.tar.gz: 03ff22811e9679b26f1dc83c676ca19145c762d26c216a9aafae816d3bad67cd39a68430fbd72c55f17e77117fbcd65690eb6d71f3b05f72860833a2205f2fe7
6
+ metadata.gz: '030017944284769f16d83e1454d1b7c1bdf8ec6cd1c8201e7c7feba17f0809201b436f452ed660392f78253f196ca76d4062bc94dd64c1227a4f75937ef42f2c'
7
+ data.tar.gz: e05d2d37f2c32808bb482e7f2ddd332ad34fe6478dc8ea842b84ba45fdd1e9330c081e139235abc2b7a79c0827df92f36350d35ef4b108056b0ac1b8f8a991e0
data/CHANGELOG CHANGED
@@ -1,3 +1,35 @@
1
+ === 2.22.0 (2022-03-22)
2
+
3
+ * Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
4
+
5
+ * Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
6
+
7
+ * Add reset_password_notify for emailing users after successful password resets (jeremyevans)
8
+
9
+ * An email method can now be used in external features to DRY up email creation code (jeremyevans)
10
+
11
+ * The change_password_notify feature now correctly handles template precompilation (jeremyevans)
12
+
13
+ * Fix update_sms to update stored sms hash (bjeanes) (#222)
14
+
15
+ === 2.21.0 (2022-02-23)
16
+
17
+ * Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
18
+
19
+ * Make require_account public (janko) (#212)
20
+
21
+ * Force specific date/time format when displaying webauthn last use time (jeremyevans)
22
+
23
+ * Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)
24
+
25
+ * Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)
26
+
27
+ === 2.20.0 (2022-01-24)
28
+
29
+ * Change the default implementation of webauth_rp_id to not include the port (jeremyevans) (#203)
30
+
31
+ * Make logout of all sessions in active_sessions plugin also remove remember key if using remember plugin (jeremyevans)
32
+
1
33
  === 2.19.0 (2021-12-22)
2
34
 
3
35
  * Add login_maximum_bytes, setting the maximum number of bytes in a login, 255 by default (jeremyevans)
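Review bot: the 2.20.0 entry "Change the default implementation of webauth_rp_id to not include the port" misspells the configuration method; the release notes for the same change call it webauthn_rp_id, and that is the name users will search the CHANGELOG for. Suggest "webauthn_rp_id" here. Separately, the 2.22.0 entry about ignoring parameters with null bytes is a default behaviour change (those parameters were previously passed through), so it would be worth wording it as such ("Ignore parameters ... by default, previously ...") so readers skimming the changelog notice it.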
@@ -308,446 +340,6 @@
308
340
 
309
341
  * Drop support for Ruby 1.8 (jeremyevans)
310
342
 
311
- === 1.23.0 (2020-03-06)
312
-
313
- * Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
314
-
315
- * Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
316
-
317
- * Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
318
-
319
- * Add *_path and *_url methods for all *_route methods (janko) (#64)
320
-
321
- * Add send_email configuration method for configuring how email is sent (janko) (#63)
322
-
323
- === 1.22.0 (2019-10-29)
324
-
325
- * Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
326
-
327
- * Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
328
-
329
- === 1.21.0 (2019-07-24)
330
-
331
- * Support rotp 5.1 in the otp feature (jeremyevans)
332
-
333
- * Log user out when locking out OTP account if no fallback options available (jeremyevans)
334
-
335
- === 1.20.0 (2019-06-07)
336
-
337
- * Support rotp 5 in the otp feature (jeremyevans)
338
-
339
- * Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
340
-
341
- * Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
342
-
343
- * Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
344
-
345
- * Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
346
-
347
- * Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
348
-
349
- * Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
350
-
351
- * Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
352
-
353
- * Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
354
-
355
- * Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
356
-
357
- * Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
358
-
359
- * Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
360
-
361
- * Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
362
-
363
- * Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
364
-
365
- * Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
366
-
367
- * Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
368
-
369
- * Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
370
-
371
- * Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
372
-
373
- * Add formatted_field_error configuration method for formatting error messages (jeremyevans)
374
-
375
- * Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
376
-
377
- * Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
378
-
379
- * Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
380
-
381
- * Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
382
-
383
- * Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
384
-
385
- * Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
386
-
387
- * Wrap all error messages in a span so they can be styled (jeremyevans)
388
-
389
- * Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
390
-
391
- * Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
392
-
393
- * Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
394
-
395
- * Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
396
-
397
- * Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
398
-
399
- * Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
400
-
401
- * Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
402
-
403
- * Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
404
-
405
- * Add already_an_account_with_this_login_message configuration method (1gor) (#54)
406
-
407
- === 1.19.1 (2018-11-16)
408
-
409
- * Support rotp 4 in the otp feature (jeremyevans)
410
-
411
- === 1.19.0 (2018-11-16)
412
-
413
- * Avoid unneeded database queries in the two factor authentication support (jeremyevans)
414
-
415
- * Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
416
-
417
- * Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
418
-
419
- * Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
420
-
421
- * Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
422
-
423
- * Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
424
-
425
- * Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
426
-
427
- * Add email_auth feature, for authentication using links sent via email (jeremyevans)
428
-
429
- * Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
430
-
431
- * Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
432
-
433
- * Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
434
-
435
- === 1.18.0 (2018-07-18)
436
-
437
- * Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
438
-
439
- * Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
440
-
441
- * Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
442
-
443
- === 1.17.0 (2018-06-11)
444
-
445
- * Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
446
-
447
- === 1.16.0 (2018-03-09)
448
-
449
- * Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
450
-
451
- * Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
452
-
453
- === 1.15.0 (2018-01-29)
454
-
455
- * Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
456
-
457
- === 1.14.0 (2017-12-19)
458
-
459
- * Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
460
-
461
- * Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
462
-
463
- * Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
464
-
465
- === 1.13.0 (2017-11-21)
466
-
467
- * Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
468
-
469
- * Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
470
-
471
- * Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
472
-
473
- * Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
474
-
475
- === 1.12.0 (2017-10-03)
476
-
477
- * [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
478
-
479
- * Update migrations to work with Sequel 5 (jeremyevans)
480
-
481
- * Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
482
-
483
- * Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
484
-
485
- * Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
486
-
487
- * Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
488
-
489
- === 1.11.0 (2017-04-24)
490
-
491
- * Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
492
-
493
- * Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
494
-
495
- * Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
496
-
497
- === 1.10.0 (2017-03-23)
498
-
499
- * Add Internals Guide (jeremyevans)
500
-
501
- * Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
502
-
503
- * When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
504
-
505
- * Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)
506
-
507
- * Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)
508
-
509
- * Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
510
-
511
- * Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
512
-
513
- * Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
514
-
515
- * Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
516
-
517
- === 1.9.0 (2017-02-22)
518
-
519
- * Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
520
-
521
- * Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
522
-
523
- === 1.8.0 (2017-01-06)
524
-
525
- * Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
526
-
527
- * Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
528
-
529
- === 1.7.0 (2016-11-22)
530
-
531
- * Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
532
-
533
- === 1.6.0 (2016-10-24)
534
-
535
- * Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
536
-
537
- * Move login hooks from login feature to base, to be usable by other features (jeremyevans)
538
-
539
- * Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
540
-
541
- * Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
542
-
543
- * Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
544
-
545
- * Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
546
-
547
- * Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
548
-
549
- * Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
550
-
551
- === 1.5.0 (2016-09-22)
552
-
553
- * Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
554
-
555
- * Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
556
-
557
- * Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
558
-
559
- * Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
560
-
561
- * Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
562
-
563
- * Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
564
-
565
- * Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
566
-
567
- * Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
568
-
569
- * Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
570
-
571
- * If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
572
-
573
- * The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
574
-
575
- * Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
576
-
577
- * Add template_opts configuration method, for overriding view/method options (jeremyevans)
578
-
579
- === 1.4.0 (2016-08-18)
580
-
581
- * Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
582
-
583
- === 1.3.0 (2016-07-19)
584
-
585
- * Add login_maximum_length, defaulting to 255 (jeremyevans)
586
-
587
- === 1.2.0 (2016-06-15)
588
-
589
- * Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
590
-
591
- * Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
592
-
593
- === 1.1.0 (2016-05-13)
594
-
595
- * Support :csrf=>false and :flash=>false plugin options (jeremyevans)
596
-
597
- === 1.0.0 (2016-04-15)
598
-
599
- * Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
600
-
601
- * Extend remember deadline in cookie in addition to database (jeremyevans)
602
-
603
- * Make tokens work with string account ids (jeremyevans)
604
-
605
- * Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
606
-
607
- * Set correct cookie expiration in the remember feature (jeremyevans)
608
-
609
- * Split confirm_password feature from remember feature (jeremyevans)
610
-
611
- * Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
612
-
613
- * Move login/password requirements settings to login password requirements base feature (jeremyevans)
614
-
615
- * Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
616
-
617
- * Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
618
-
619
- * Make create/verify account autologin true by default (jeremyevans)
620
-
621
- * Optimize routing using a hash table, disallow per-request routes (jeremyevans)
622
-
623
- * Add ability to turn off login/password confirmations (jeremyevans)
624
-
625
- * Don't allow changing login to the same as the current login (jeremyevans)
626
-
627
- * Only allow requesting account unlocks if the account is current locked out (jeremyevans)
628
-
629
- * Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
630
-
631
- * Use separate routes for confirming passwords and changing remember settings (jeremyevans)
632
-
633
- * Add JWT feature for JSON API support using JWT tokens (jeremyevans)
634
-
635
- * Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
636
-
637
- * Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
638
-
639
- * Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
640
-
641
- * Add rodauth.redirect to abstract redirection code (jeremyevans)
642
-
643
- * Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
644
-
645
- * The before_* configuration methods now run directly before making the related database changes (jeremyevans)
646
-
647
- * Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
648
-
649
- * Add token_separator configuration method to replace the default of _ (jeremyevans)
650
-
651
- * Rename account_id_value to account_id (jeremyevans)
652
-
653
- * Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
654
-
655
- * Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
656
-
657
- * Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
658
-
659
- * Extract shared email-related code into email_base feature (jeremyevans)
660
-
661
- * Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
662
-
663
- * Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
664
-
665
- * Allow close_account feature to optionally delete accounts (jeremyevans)
666
-
667
- * Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
668
-
669
- * Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
670
-
671
- * Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
672
-
673
- * Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)
674
-
675
- * Add single_session feature, for only allowing a single active session per account (jeremyevans)
676
-
677
- * Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
678
-
679
- * Check account status in rodauth.load_memory in remember plugin (jeremyevans)
680
-
681
- * Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
682
-
683
- * Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
684
-
685
- * Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
686
-
687
- * Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
688
-
689
- * Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
690
-
691
- * Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
692
-
693
- * Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
694
-
695
- * Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
696
-
697
- * Allow unlock account to optionally require the user's current password (jeremyevans)
698
-
699
- * Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
700
-
701
- * Make change password, change login, and close account require the user's current password by default (jeremyevans)
702
-
703
- * Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
704
-
705
- * Switch unlock_account_autologin? to be true by default (jeremyevans)
706
-
707
- * Add rodauth.authenticated? and .require_authentication (jeremyevans)
708
-
709
- * Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
710
-
711
- * Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
712
-
713
- * Add support for running on MySQL with database functions for authentication (jeremyevans)
714
-
715
- * Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
716
-
717
- * Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
718
-
719
- * Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
720
-
721
- * Add Rodauth.version for getting the version (jeremyevans)
722
-
723
- * External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
724
-
725
- * Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
726
-
727
- * Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
728
-
729
- * Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
730
-
731
- * Always require securerandom (jeremyevans)
732
-
733
- * Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
734
-
735
- * Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
736
-
737
- * Remove overriding of route/get/post blocks (jeremyevans)
738
-
739
- * Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
740
-
741
- * Add timing safe comparison of tokens (jeremyevans)
742
-
743
- === 0.10.0 (2016-02-17)
744
-
745
- * Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
746
-
747
- === 0.9.1 (2015-08-13)
748
-
749
- * Don't use csrf plugin automatically (jeremyevans)
750
-
751
- === 0.9.0 (2015-08-12)
343
+ === Older
752
344
 
753
- * Initial public release
345
+ See doc/CHANGELOG.old
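Review bot: the replacement pointer "See doc/CHANGELOG.old" refers to a file that does not appear anywhere in this diff, so please confirm doc/CHANGELOG.old is actually added and included in the gem's file list; otherwise the removed history, including the 1.12.0 "[SECURITY] Clear expired password reset key for account before retrieving password reset key" entry and the long list of configuration method renames from 1.20.0, becomes unreachable from the shipped gem. A one-line mention of the first version covered by the old file (e.g. "versions 1.23.0 and earlier") would also help readers locate it.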
data/README.rdoc CHANGED
@@ -60,6 +60,7 @@ HTML and JSON API for all supported features.
60
60
  * Argon2
61
61
  * HTTP Basic Auth
62
62
  * Change Password Notify
63
+ * Reset Password Notify
63
64
  * Internal Request
64
65
  * Path Class Methods
65
66
 
@@ -902,6 +903,7 @@ view the appropriate file in the doc directory.
902
903
  * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
903
904
  * {Remember}[rdoc-ref:doc/remember.rdoc]
904
905
  * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
906
+ * {Reset Password Notify}[rdoc-ref:doc/reset_password_notify.rdoc]
905
907
  * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
906
908
  * {Single Session}[rdoc-ref:doc/single_session.rdoc]
907
909
  * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
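Review bot: the new rdoc-ref target doc/reset_password_notify.rdoc is not part of the visible diff; please check the file exists and is listed in the gem, otherwise this link in the feature documentation index will dangle.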
@@ -990,6 +992,10 @@ require_authentication :: Similar to +require_login+, but also requires
990
992
  two factor authentication. Redirects the request to
991
993
  the two factor authentication page if logged in but not
992
994
  authenticated via two factors.
995
+ require_account :: Similar to +require_authentication+, but also loads the logged
996
+ in account to ensure it exists in the database. If the account
997
+ doesn't exist, or if it exists but isn't verified, the session
998
+ is cleared and the request redirected to the login page.
993
999
  logged_in? :: Whether the session has been logged in.
994
1000
  authenticated? :: Similar to +logged_in?+, but if the account has setup two
995
1001
  factor authentication, whether the session has authenticated
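Review bot: the new require_account entry says "Similar to +require_authentication+", which implies it also enforces two factor authentication, but the 2.21.0 release notes in this same diff describe require_account as checking only that the session is logged in and that the related account still exists in the database. Please make the entry explicit about whether two factor authentication is required, since the difference matters for anyone choosing between require_login, require_authentication and require_account to protect a route.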
data/doc/base.rdoc CHANGED
@@ -99,6 +99,7 @@ csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use,
99
99
  function_name(name) :: The name of the database function to call. It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
100
100
  logged_in? :: Whether the current session is logged in.
101
101
  login_required :: Action to take when a login is required to access the page and the user is not logged in.
102
+ null_byte_parameter_value(key, value) :: The value to use for the parameter if the parameter includes an ASCII NUL byte ("\0"), nil by default to ignore the parameter.
102
103
  open_account? :: Whether the current account is an open account (not closed or unverified).
103
104
  password_match?(password) :: Check whether the given password matches the stored password hash.
104
105
  random_key :: A randomly generated string, used for creating tokens.
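Review bot: the null_byte_parameter_value(key, value) entry explains the nil default but not what a non-nil return value means; suggest stating that a non-nil return value is used as the parameter value in place of the submitted one, and cross-referencing contains_null_byte_message, which this diff now documents as only being used when parameters with null bytes are otherwise allowed (i.e. when this method is configured to return a non-nil value).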
@@ -143,6 +143,17 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
143
143
  # templates. This is necessary for precompilation of templates to work.
144
144
  loaded_templates ['foo']
145
145
 
146
+ # This defines the following methods related to sending email:
147
+ #
148
+ # * foo_email_subject: uses given subject
149
+ # * foo_email_body: renders foo-email template
150
+ # * create_foo_email: creates Mail::Message using subject and body
151
+ # * send_foo_email: sends created email
152
+ #
153
+ # The foo-email template should be included in the loaded_templates call to make sure
154
+ # template precompilation works.
155
+ email :foo, 'Foo Subject'
156
+
146
157
  # auth_value_method is a generic method that takes two arguments, a method to define
147
158
  # and a default value. It is similar to the methods above, except that it allows
148
159
  # arbitrary method names. The notice_flash, error_flash, button, and additional_form_tags
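Review bot: the new comment says "The foo-email template should be included in the loaded_templates call to make sure template precompilation works", but the example's own loaded_templates call a few lines above still reads `loaded_templates ['foo']`. Since this example is meant to be a complete, heavily commented reference, update it to `loaded_templates ['foo', 'foo-email']` so it follows its own advice.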
@@ -8,6 +8,9 @@ corresponding <tt>*_route</tt> method:
8
8
 
9
9
  # Change login route to "/signin"
10
10
  login_route "signin"
11
+
12
+ # Change redirect when login is required to "/signin"
13
+ require_login_redirect { login_path }
11
14
 
12
15
  # Change create account route to "/register"
13
16
  create_account_route "register"
@@ -6,7 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
6
6
  == Auth Value Methods
7
7
 
8
8
  already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
9
- contains_null_byte_message :: The error message to display when the password contains a null byte.
9
+ contains_null_byte_message :: The error message to display when the password contains a null byte (only used if parameters with null bytes are otherwise allowed).
10
10
  login_confirm_label :: The label to use for login confirmations.
11
11
  login_confirm_param :: The parameter name to use for login confirmations.
12
12
  login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
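Review bot: "only used if parameters with null bytes are otherwise allowed" is vague about how that happens; suggest naming the mechanism, e.g. "only used if null_byte_parameter_value has been configured to return a non-nil value", so readers can find the relevant configuration method without guessing.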
@@ -0,0 +1,10 @@
1
+ = Improvements
2
+
3
+ * When using the active_sessions and remember features together,
4
+ doing a global logout will automatically remove the remember key for
5
+ the account, so the account will no longer be able to automatically
6
+ create new sessions using the remember key.
7
+
8
+ * The default value of webauthn_rp_id now removes the port from the
9
+ origin if it exists, since the WebAuthn spec does not allow ports
10
+ in the relying party identifier.
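Review bot: the first item should say that the remember key is removed only when the remember feature is also loaded and only on the global logout path; the corresponding code change, "remove_remember_key(session_value) if respond_to?(:remove_remember_key)", sits inside the global_logout_param branch of before_logout, so a plain logout of the current session still leaves the remember key usable. Spelling that out avoids readers assuming every logout invalidates remembered logins.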
@@ -0,0 +1,28 @@
1
+ = Improvements
2
+
3
+ * When using the verify_account_grace_period feature, if the grace
4
+ period has expired for currently logged in session, require_login
5
+ will clear the session and redirect to the login page. This is
6
+ implemented by having the unverified_account_session_key store the
7
+ time of expiration, as an integer.
8
+
9
+ * The previously private require_account method is now public. The
10
+ method is used internally by Rodauth to check that not only is the
11
+ current session logged in, but also that the account related to the
12
+ currently logged in session still exists in the database. The only
13
+ reason you would want to call require_account instead of
14
+ require_authentication is if you want to handle cases where there
15
+ can be logged in sessions for accounts that have been deleted.
16
+
17
+ * Rodauth now avoids an unnecessary bcrypt hash calculation when
18
+ updating accounts when using the account_password_hash_column
19
+ configuration method.
20
+
21
+ * When WebAuthn token last use times are displayed, Rodauth now uses a
22
+ fixed format of YYYY-MM-DD HH:MM:SS, instead of relying on
23
+ Time#to_s. If this presents an problem for your application, please
24
+ open an issue and we can add a configuration method to control
25
+ the behavior.
26
+
27
+ * A typo in the default value of global_logout_label in the
28
+ active_sessions feature has been fixed.
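Review bot: typo in the WebAuthn item, "If this presents an problem" should read "a problem". The grace-period item would also benefit from a compatibility sentence: sessions created before this release still hold true in unverified_account_session_key, and the new unverified_grace_period_expired? check only treats Integer values as an expiry, so those sessions are not cleared until update_session runs again and stores the integer.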
@@ -0,0 +1,43 @@
1
+ = New Features
2
+
3
+ * Rodauth now ignores parameters containing ASCII NUL bytes ("\0") by
4
+ default. You can customize this behavior using the
5
+ null_byte_parameter_value configuration method.
6
+
7
+ * A reset_password_notify feature has been added for emailing users
8
+ after successful password resets.
9
+
10
+ * External features can now use the email method inside their
11
+ feature definitions to DRY up the creation of email configuration
12
+ methods. The email method will setup the following configuration
13
+ methods for the feature:
14
+
15
+ * ${name}_email_subject
16
+ * ${name}_email_body
17
+ * create_${name}_email
18
+ * send_${name}_email
19
+
20
+ = Other Improvements
21
+
22
+ * The active_sessions feature now correctly handles logouts for
23
+ sessions that were created before the active_sessions feature was
24
+ added to the Rodauth configuration.
25
+
26
+ * The change_password_notify feature now works correctly when using
27
+ template precompilation.
28
+
29
+ * The update_sms method now updates the in-memory sms hash instead of
30
+ the in-memory account hash. This only has an effect if you are
31
+ using the sms_codes feature and customizing Rodauth to access one
32
+ of these hashes after a call to update_sms.
33
+
34
+ = Backwards Compatibility
35
+
36
+ * If your application requires the ability to submit values containing
37
+ ASCII NUL bytes ("\0") as Rodauth parameters, you should use the
38
+ new null_byte_parameter_value configuration method to pass the
39
+ value through unchanged:
40
+
41
+ null_byte_parameter_value do |_, v|
42
+ v
43
+ end
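Review bot: the backwards-compatibility example discards the key argument and passes every null-byte value through, which re-enables the behaviour the new default was added to prevent for all parameters at once; since the hook receives the parameter name, show the narrower form as the recommended pattern, e.g. null_byte_parameter_value { |key, v| key == 'some_param' ? v : nil }, and keep the pass-all variant as the escape hatch. Minor wording: "will setup" should be "will set up".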
@@ -14,12 +14,12 @@ reset_password_autologin? :: Whether to autologin the user after successfully re
14
14
  reset_password_button :: The text to use for the reset password button.
15
15
  reset_password_deadline_column :: The column name in the +reset_password_table+ storing the deadline after which the token will be ignored.
16
16
  reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if +set_deadline_values?+ is true.
17
- reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password email when requested.
18
- reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password email because one has been sent recently.
19
- reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password email because one has been sent recently.
20
- reset_password_email_sent_notice_flash :: The flash notice to show after a reset password email has been sent.
21
- reset_password_email_sent_redirect :: Where to redirect after sending a reset password email.
22
- reset_password_email_subject :: The subject to use for reset password emails.
17
+ reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password request email when requested.
18
+ reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password request email because one has been sent recently.
19
+ reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password request email because one has been sent recently.
20
+ reset_password_email_sent_notice_flash :: The flash notice to show after a reset password request email has been sent.
21
+ reset_password_email_sent_redirect :: Where to redirect after sending a reset password request email.
22
+ reset_password_email_subject :: The subject to use for the reset password request email.
23
23
  reset_password_error_flash :: The flash error to show after resetting a password.
24
24
  reset_password_explanatory_text :: The text to display above the button to request a password reset.
25
25
  reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
@@ -30,35 +30,35 @@ reset_password_page_title :: The page title to use on the reset password form.
30
30
  reset_password_redirect :: Where to redirect after resetting a password.
31
31
  reset_password_request_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password request form.
32
32
  reset_password_request_button :: The text to use for the reset password request button.
33
- reset_password_request_error_flash :: The flash error to show if not able to send a reset password email.
33
+ reset_password_request_error_flash :: The flash error to show if not able to send a reset password request email.
34
34
  reset_password_request_link_text :: The text to use for a link to the page to request a password reset.
35
35
  reset_password_request_page_title :: The page title to use on the reset password request form.
36
36
  reset_password_request_route :: The route to the reset password request action. Defaults to +reset-password-request+.
37
37
  reset_password_route :: The route to the reset password action. Defaults to +reset-password+.
38
38
  reset_password_session_key :: The key in the session to hold the reset password key temporarily.
39
- reset_password_skip_resend_email_within :: The number of seconds before sending another reset password email, if +reset_password_email_last_sent_column+ is set.
39
+ reset_password_skip_resend_email_within :: The number of seconds before sending another reset password request email, if +reset_password_email_last_sent_column+ is set.
40
40
  reset_password_table :: The name of the reset password keys table.
41
41
 
42
42
  == Auth Methods
43
43
 
44
44
  account_from_reset_password_key(key) :: Retrieve the account using the given reset password key, or return nil if no account matches.
45
45
  after_reset_password :: Run arbitrary code after successfully resetting a password.
46
- after_reset_password_request :: Run arbitrary code after sending the reset password email.
46
+ after_reset_password_request :: Run arbitrary code after sending the reset password request email.
47
47
  before_reset_password :: Run arbitrary code before resetting a password.
48
- before_reset_password_request :: Run arbitrary code before sending the reset password email.
48
+ before_reset_password_request :: Run arbitrary code before sending the reset password request email.
49
49
  before_reset_password_request_route :: Run arbitrary code before handling a reset password request route.
50
50
  before_reset_password_route :: Run arbitrary code before handling a reset password route.
51
- create_reset_password_email :: A Mail::Message for the reset password email.
51
+ create_reset_password_email :: A Mail::Message for the reset password request email.
52
52
  create_reset_password_key :: Add the reset password key data to the database.
53
- get_reset_password_email_last_sent :: Get the last time a reset password email is sent, or nil if there is no last sent time.
53
+ get_reset_password_email_last_sent :: Get the last time a reset password request email is sent, or nil if there is no last sent time.
54
54
  get_reset_password_key(id) :: Get the password reset key for the given account id from the database.
55
55
  login_failed_reset_password_request_form :: The HTML to use for a form to request a password reset, shown on the login page after the user tries to login with an invalid password.
56
56
  remove_reset_password_key :: Remove the reset password key for the current account, run after successful password reset.
57
- reset_password_email_body :: The body to use for the reset password email.
58
- reset_password_email_link :: The link to the reset password form in the reset password email.
57
+ reset_password_email_body :: The body to use for the reset password request email.
58
+ reset_password_email_link :: The link to the reset password form in the reset password request email.
59
59
  reset_password_key_insert_hash :: The hash to insert into the +reset_password_table+.
60
60
  reset_password_key_value :: The reset password key for the current account.
61
61
  reset_password_request_view :: The HTML to use for the reset password request form.
62
62
  reset_password_view :: The HTML to use for the reset password form.
63
- send_reset_password_email :: Send the reset password email.
64
- set_reset_password_email_last_sent :: Set the last time a reset password email is sent.
63
+ send_reset_password_email :: Send the reset password request email.
64
+ set_reset_password_email_last_sent :: Set the last time a reset password request email is sent.
@@ -0,0 +1,17 @@
1
+ = Documentation for Reset Password Notify Feature
2
+
3
+ The reset password notify feature emails the user after the user has
4
+ reset their password. The user has already been sent a reset password
5
+ email by this point, so they know a password reset was requested, but
6
+ this feature allows for confirming that the password reset process
7
+ was completed. Depends on the reset_password feature.
8
+
9
+ == Auth Value Methods
10
+
11
+ reset_password_notify_email_subject :: The subject to use for the reset password notify email.
12
+ reset_password_notify_email_body :: The body to use for the reset password notify email.
13
+
14
+ == Auth Methods
15
+
16
+ create_reset_password_notify_email :: A Mail::Message for the reset password notify email.
17
+ send_reset_password_notify_email :: Send the reset password notify email.
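Review bot: the description never says when the notification is sent; the feature file hooks after_reset_password (super, then send_reset_password_notify_email), so add a sentence stating that the email goes out from the after_reset_password hook, after the password has actually been changed, which is the property the feature exists to confirm.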
@@ -13,7 +13,7 @@ module Rodauth
13
13
  auth_value_method :active_sessions_last_use_column, :last_use
14
14
  auth_value_method :active_sessions_session_id_column, :session_id
15
15
  auth_value_method :active_sessions_table, :account_active_session_keys
16
- translatable_method :global_logout_label, 'Logout all Logged In Sessons?'
16
+ translatable_method :global_logout_label, 'Logout all Logged In Sessions?'
17
17
  auth_value_method :global_logout_param, 'global_logout'
18
18
  auth_value_method :inactive_session_error_status, 401
19
19
  auth_value_method :session_inactivity_deadline, 86400
@@ -81,7 +81,9 @@ module Rodauth
81
81
  end
82
82
 
83
83
  def remove_current_session
84
- active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session[session_id_session_key])).delete
84
+ if session_id = session[session_id_session_key]
85
+ active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
86
+ end
85
87
  end
86
88
 
87
89
  def remove_all_active_sessions
@@ -123,6 +125,7 @@ module Rodauth
123
125
 
124
126
  def before_logout
125
127
  if param_or_nil(global_logout_param)
128
+ remove_remember_key(session_value) if respond_to?(:remove_remember_key)
126
129
  remove_all_active_sessions
127
130
  else
128
131
  remove_current_session
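Review bot: the respond_to?(:remove_remember_key) guard makes this an undeclared soft dependency on the remember feature, and nothing in the file says so; add a short comment explaining that the remember feature is optional here and that a global logout is meant to revoke remembered logins as well as active sessions, so the intent survives the next refactor.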
@@ -91,6 +91,7 @@ module Rodauth
91
91
  :inputmode_for_field?,
92
92
  :logged_in?,
93
93
  :login_required,
94
+ :null_byte_parameter_value,
94
95
  :open_account?,
95
96
  :password_match?,
96
97
  :random_key,
@@ -338,6 +339,11 @@ module Rodauth
338
339
  require_login
339
340
  end
340
341
 
342
+ def require_account
343
+ require_authentication
344
+ require_account_session
345
+ end
346
+
341
347
  def account_initial_status_value
342
348
  account_open_status_value
343
349
  end
@@ -441,7 +447,16 @@ module Rodauth
441
447
  # parameter with that name.
442
448
  def param_or_nil(key)
443
449
  value = raw_param(key)
444
- value.to_s unless value.nil?
450
+ unless value.nil?
451
+ value = value.to_s
452
+ value = null_byte_parameter_value(key, value) if value.include?("\0")
453
+ end
454
+ value
455
+ end
456
+
457
+ # Return nil by default for values with null bytes
458
+ def null_byte_parameter_value(key, value)
459
+ nil
445
460
  end
446
461
 
447
462
  def raw_param(key)
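Review bot: the comment "Return nil by default for values with null bytes" should state the consequence, namely that nil makes the parameter look absent to every caller of param_or_nil rather than blank, and that the hook is only invoked after to_s, so value is always a String containing at least one "\0". That is the contract an application overriding null_byte_parameter_value needs in order to return something safe.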
@@ -524,11 +539,6 @@ module Rodauth
524
539
  Rack::Utils.secure_compare(provided.ljust(actual.length), actual) && provided.length == actual.length
525
540
  end
526
541
 
527
- def require_account
528
- require_authentication
529
- require_account_session
530
- end
531
-
532
542
  def require_account_session
533
543
  unless account_from_session
534
544
  clear_session
@@ -756,7 +766,7 @@ module Rodauth
756
766
  num = ds.update(values)
757
767
  if num == 1
758
768
  values.each do |k, v|
759
- account[k] = v == Sequel::CURRENT_TIMESTAMP ? Time.now : v
769
+ hash[k] = Sequel::CURRENT_TIMESTAMP == v ? Time.now : v
760
770
  end
761
771
  end
762
772
  num
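Review bot: the operand swap to "Sequel::CURRENT_TIMESTAMP == v" is unexplained; if the intent is to avoid calling == on an arbitrary value v, add a one-line comment saying so, otherwise the next reader will assume it is an accidental Yoda condition and flip it back. The switch from account[k] to hash[k] matches the update_sms fix in the changelog.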
@@ -3,31 +3,11 @@
3
3
  module Rodauth
4
4
  Feature.define(:change_password_notify, :ChangePasswordNotify) do
5
5
  depends :change_password, :email_base
6
-
7
- translatable_method :password_changed_email_subject, 'Password Changed'
8
-
9
- auth_value_methods(
10
- :password_changed_email_body
11
- )
12
- auth_methods(
13
- :create_password_changed_email,
14
- :send_password_changed_email
15
- )
6
+ loaded_templates %w'password-changed-email'
7
+ email :password_changed, 'Password Changed', :translatable=>true
16
8
 
17
9
  private
18
10
 
19
- def send_password_changed_email
20
- send_email(create_password_changed_email)
21
- end
22
-
23
- def create_password_changed_email
24
- create_email(password_changed_email_subject, password_changed_email_body)
25
- end
26
-
27
- def password_changed_email_body
28
- render('password-changed-email')
29
- end
30
-
31
11
  def after_change_password
32
12
  super
33
13
  send_password_changed_email
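Review bot: passing :translatable=>true changes behaviour beyond the "template precompilation" wording in the changelog: password_changed_email_body previously returned render('password-changed-email') directly, and with the email helper it now goes through translate(:password_changed_email_body, ...). Mention the translation change in the release notes, since applications with a translate override will now see this key.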
@@ -19,10 +19,10 @@ module Rodauth
19
19
  button 'Send Login Link Via Email', 'email_auth_request'
20
20
  redirect(:email_auth_email_sent){default_post_email_redirect}
21
21
  redirect(:email_auth_email_recently_sent){default_post_email_redirect}
22
+ email :email_auth, 'Login Link'
22
23
 
23
24
  auth_value_method :email_auth_deadline_column, :deadline
24
25
  auth_value_method :email_auth_deadline_interval, {:days=>1}.freeze
25
- translatable_method :email_auth_email_subject, 'Login Link'
26
26
  auth_value_method :email_auth_id_column, :id
27
27
  auth_value_method :email_auth_key_column, :key
28
28
  auth_value_method :email_auth_key_param, 'key'
@@ -33,9 +33,7 @@ module Rodauth
33
33
  session_key :email_auth_session_key, :email_auth_key
34
34
 
35
35
  auth_methods(
36
- :create_email_auth_email,
37
36
  :create_email_auth_key,
38
- :email_auth_email_body,
39
37
  :email_auth_email_link,
40
38
  :email_auth_key_insert_hash,
41
39
  :email_auth_key_value,
@@ -43,7 +41,6 @@ module Rodauth
43
41
  :get_email_auth_key,
44
42
  :get_email_auth_email_last_sent,
45
43
  :remove_email_auth_key,
46
- :send_email_auth_email,
47
44
  :set_email_auth_email_last_sent
48
45
  )
49
46
 
@@ -137,10 +134,6 @@ module Rodauth
137
134
  @account = _account_from_email_auth_key(key)
138
135
  end
139
136
 
140
- def send_email_auth_email
141
- send_email(create_email_auth_email)
142
- end
143
-
144
137
  def email_auth_email_link
145
138
  token_link(email_auth_route, email_auth_key_param, email_auth_key_value)
146
139
  end
@@ -233,14 +226,6 @@ module Rodauth
233
226
  @email_auth_key_value = random_key
234
227
  end
235
228
 
236
- def create_email_auth_email
237
- create_email(email_auth_email_subject, email_auth_email_body)
238
- end
239
-
240
- def email_auth_email_body
241
- render('email-auth-email')
242
- end
243
-
244
229
  def use_date_arithmetic?
245
230
  super || db.database_type == :mysql
246
231
  end
@@ -25,6 +25,7 @@ module Rodauth
25
25
  redirect :unlock_account
26
26
  redirect(:unlock_account_request){default_post_email_redirect}
27
27
  redirect(:unlock_account_email_recently_sent){default_post_email_redirect}
28
+ email :unlock_account, 'Unlock Account'
28
29
 
29
30
  auth_value_method :unlock_account_autologin?, true
30
31
  auth_value_method :max_invalid_logins, 100
@@ -37,7 +38,6 @@ module Rodauth
37
38
  auth_value_method :account_lockouts_email_last_sent_column, :email_last_sent
38
39
  auth_value_method :account_lockouts_deadline_column, :deadline
39
40
  auth_value_method :account_lockouts_deadline_interval, {:days=>1}.freeze
40
- translatable_method :unlock_account_email_subject, 'Unlock Account'
41
41
  translatable_method :unlock_account_explanatory_text, '<p>This account is currently locked out. You can unlock the account:</p>'
42
42
  translatable_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out. You can request that the account be unlocked:</p>'
43
43
  auth_value_method :unlock_account_key_param, 'key'
@@ -47,15 +47,12 @@ module Rodauth
47
47
 
48
48
  auth_methods(
49
49
  :clear_invalid_login_attempts,
50
- :create_unlock_account_email,
51
50
  :generate_unlock_account_key,
52
51
  :get_unlock_account_key,
53
52
  :get_unlock_account_email_last_sent,
54
53
  :invalid_login_attempted,
55
54
  :locked_out?,
56
- :send_unlock_account_email,
57
55
  :set_unlock_account_email_last_sent,
58
- :unlock_account_email_body,
59
56
  :unlock_account_email_link,
60
57
  :unlock_account,
61
58
  :unlock_account_key
@@ -226,10 +223,6 @@ module Rodauth
226
223
  @account = _account_from_unlock_key(key)
227
224
  end
228
225
 
229
- def send_unlock_account_email
230
- send_email(create_unlock_account_email)
231
- end
232
-
233
226
  def unlock_account_email_link
234
227
  token_link(unlock_account_route, unlock_account_key_param, unlock_account_key_value)
235
228
  end
@@ -288,14 +281,6 @@ module Rodauth
288
281
  request.halt
289
282
  end
290
283
 
291
- def create_unlock_account_email
292
- create_email(unlock_account_email_subject, unlock_account_email_body)
293
- end
294
-
295
- def unlock_account_email_body
296
- render('unlock-account-email')
297
- end
298
-
299
284
  def unlock_account_email_recently_sent?
300
285
  (email_last_sent = get_unlock_account_email_last_sent) && (Time.now - email_last_sent < unlock_account_skip_resend_email_within)
301
286
  end
@@ -24,10 +24,10 @@ module Rodauth
24
24
  redirect
25
25
  redirect(:reset_password_email_sent){default_post_email_redirect}
26
26
  redirect(:reset_password_email_recently_sent){default_post_email_redirect}
27
+ email :reset_password, 'Reset Password'
27
28
 
28
29
  auth_value_method :reset_password_deadline_column, :deadline
29
30
  auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
30
- translatable_method :reset_password_email_subject, 'Reset Password'
31
31
  auth_value_method :reset_password_key_param, 'key'
32
32
  auth_value_method :reset_password_autologin?, false
33
33
  auth_value_method :reset_password_table, :account_password_reset_keys
@@ -41,16 +41,13 @@ module Rodauth
41
41
 
42
42
  auth_methods(
43
43
  :create_reset_password_key,
44
- :create_reset_password_email,
45
44
  :get_reset_password_key,
46
45
  :get_reset_password_email_last_sent,
47
46
  :login_failed_reset_password_request_form,
48
47
  :remove_reset_password_key,
49
- :reset_password_email_body,
50
48
  :reset_password_email_link,
51
49
  :reset_password_key_insert_hash,
52
50
  :reset_password_key_value,
53
- :send_reset_password_email,
54
51
  :set_reset_password_email_last_sent
55
52
  )
56
53
  auth_private_methods(
@@ -187,10 +184,6 @@ module Rodauth
187
184
  @account = _account_from_reset_password_key(key)
188
185
  end
189
186
 
190
- def send_reset_password_email
191
- send_email(create_reset_password_email)
192
- end
193
-
194
187
  def reset_password_email_link
195
188
  token_link(reset_password_route, reset_password_key_param, reset_password_key_value)
196
189
  end
@@ -241,18 +234,10 @@ module Rodauth
241
234
  @reset_password_key_value = random_key
242
235
  end
243
236
 
244
- def create_reset_password_email
245
- create_email(reset_password_email_subject, reset_password_email_body)
246
- end
247
-
248
237
  def login_failed_reset_password_request_form
249
238
  render("reset-password-request")
250
239
  end
251
240
 
252
- def reset_password_email_body
253
- render('reset-password-email')
254
- end
255
-
256
241
  def use_date_arithmetic?
257
242
  super || db.database_type == :mysql
258
243
  end
@@ -0,0 +1,16 @@
1
+ # frozen-string-literal: true
2
+
3
+ module Rodauth
4
+ Feature.define(:reset_password_notify, :ResetPasswordNotify) do
5
+ depends :reset_password
6
+ loaded_templates %w'reset-password-notify-email'
7
+ email :reset_password_notify, 'Password Reset Completed', :translatable=>true
8
+
9
+ private
10
+
11
+ def after_reset_password
12
+ super
13
+ send_reset_password_notify_email
14
+ end
15
+ end
16
+ end
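Review bot: declare the email_base dependency explicitly, "depends :reset_password, :email_base", for consistency with change_password_notify, which lists it; the create_email and send_email calls generated by the email helper come from email_base, and relying on reset_password to pull it in leaves that requirement implicit.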
@@ -26,8 +26,8 @@ module Rodauth
26
26
  redirect
27
27
  redirect(:verify_account_email_sent){default_post_email_redirect}
28
28
  redirect(:verify_account_email_recently_sent){default_post_email_redirect}
29
+ email :verify_account, 'Verify Account'
29
30
 
30
- translatable_method :verify_account_email_subject, 'Verify Account'
31
31
  auth_value_method :verify_account_key_param, 'key'
32
32
  auth_value_method :verify_account_autologin?, true
33
33
  auth_value_method :verify_account_table, :account_verification_keys
@@ -43,14 +43,11 @@ module Rodauth
43
43
  auth_methods(
44
44
  :allow_resending_verify_account_email?,
45
45
  :create_verify_account_key,
46
- :create_verify_account_email,
47
46
  :get_verify_account_key,
48
47
  :get_verify_account_email_last_sent,
49
48
  :remove_verify_account_key,
50
- :send_verify_account_email,
51
49
  :set_verify_account_email_last_sent,
52
50
  :verify_account,
53
- :verify_account_email_body,
54
51
  :verify_account_email_link,
55
52
  :verify_account_key_insert_hash,
56
53
  :verify_account_key_value
@@ -212,10 +209,6 @@ module Rodauth
212
209
  account_unverified_status_value
213
210
  end
214
211
 
215
- def send_verify_account_email
216
- send_email(create_verify_account_email)
217
- end
218
-
219
212
  def verify_account_email_link
220
213
  token_link(verify_account_route, verify_account_key_param, verify_account_key_value)
221
214
  end
@@ -311,14 +304,6 @@ module Rodauth
311
304
  {verify_account_id_column=>account_id, verify_account_key_column=>verify_account_key_value}
312
305
  end
313
306
 
314
- def create_verify_account_email
315
- create_email(verify_account_email_subject, verify_account_email_body)
316
- end
317
-
318
- def verify_account_email_body
319
- render('verify-account-email')
320
- end
321
-
322
307
  def verify_account_ds(id=account_id)
323
308
  db[verify_account_table].where(verify_account_id_column=>id)
324
309
  end
@@ -30,10 +30,17 @@ module Rodauth
30
30
  false
31
31
  end
32
32
 
33
+ def require_login
34
+ if unverified_grace_period_expired?
35
+ clear_session
36
+ end
37
+ super
38
+ end
39
+
33
40
  def update_session
34
41
  super
35
42
  if account_in_unverified_grace_period?
36
- set_session_value(unverified_account_session_key, true)
43
+ set_session_value(unverified_account_session_key, Time.now.to_i + verify_account_grace_period)
37
44
  end
38
45
  end
39
46
 
@@ -78,6 +85,11 @@ module Rodauth
78
85
  !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?
79
86
  end
80
87
 
88
+ def unverified_grace_period_expired?
89
+ return false unless expires_at = session[unverified_account_session_key]
90
+ expires_at.is_a?(Integer) && Time.now.to_i > expires_at
91
+ end
92
+
81
93
  def use_date_arithmetic?
82
94
  true
83
95
  end
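Review bot: the expires_at.is_a?(Integer) test is doing double duty as a legacy-value guard (older sessions store true) and deserves a comment saying so, otherwise it reads as defensive noise and may be removed. Also worth a comment that the expiry is read from the signed session value set in update_session rather than recomputed from the database, so it is only as current as the last update_session call.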
@@ -334,7 +334,7 @@ module Rodauth
334
334
  end
335
335
 
336
336
  def webauthn_rp_id
337
- webauthn_origin.sub(/\Ahttps?:\/\//, '')
337
+ webauthn_origin.sub(/\Ahttps?:\/\//, '').sub(/:\d+\z/, '')
338
338
  end
339
339
 
340
340
  def webauthn_rp_name
@@ -6,7 +6,7 @@ module Rodauth
6
6
  MAJOR = 2
7
7
 
8
8
  # The minor version of Rodauth, updated for new feature releases of Rodauth.
9
- MINOR = 19
9
+ MINOR = 22
10
10
 
11
11
  # The patch version of Rodauth, updated only for bug fixes from the last
12
12
  # feature release.
data/lib/rodauth.rb CHANGED
@@ -233,6 +233,33 @@ module Rodauth
233
233
  end
234
234
  end
235
235
 
236
+ def email(type, subject, opts = {})
237
+ subject_method = :"#{type}_email_subject"
238
+ body_method = :"#{type}_email_body"
239
+ create_method = :"create_#{type}_email"
240
+ send_method = :"send_#{type}_email"
241
+
242
+ translatable_method subject_method, subject
243
+ auth_methods create_method, send_method
244
+
245
+ body_template = "#{type.to_s.tr('_', '-')}-email"
246
+ if opts[:translatable]
247
+ auth_value_methods body_method
248
+ define_method(body_method){translate(body_method, render(body_template))}
249
+ else
250
+ auth_methods body_method
251
+ define_method(body_method){render(body_template)}
252
+ end
253
+
254
+ define_method(create_method) do
255
+ create_email(send(subject_method), send(body_method))
256
+ end
257
+
258
+ define_method(send_method) do
259
+ send_email(send(create_method))
260
+ end
261
+ end
262
+
236
263
  def additional_form_tags(name=feature_name)
237
264
  auth_value_method(:"#{name}_additional_form_tags", nil)
238
265
  end
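Review bot: the new email method has no documentation; add a comment listing the four methods it defines (${type}_email_subject, ${type}_email_body, create_${type}_email, send_${type}_email), that the body template name is derived from type with underscores turned into dashes plus "-email" and must still be declared via loaded_templates separately, and that :translatable=>true registers the body via auth_value_methods and wraps it in translate, whereas the default registers it via auth_methods. That last distinction determines how a feature's users configure the body, so it should not be left to reading the branch.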
@@ -0,0 +1,2 @@
1
+ Someone (hopefully you) has reset the password for the account
2
+ associated to this email address.
@@ -4,6 +4,7 @@
4
4
  #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
5
5
  <fieldset class="form-group mb-3">
6
6
  #{(usage = rodauth.account_webauthn_usage; last_id = usage.keys.last; usage;).map do |id, last_use|
7
+ last_use = last_use.strftime("%F %T") if last_use.is_a?(Time)
7
8
  input = rodauth.input_field_string(rodauth.webauthn_remove_param, "webauthn-remove-#{h id}", :type=>'radio', :class=>"form-check-input", :skip_error_message=>true, :value=>id, :required=>false)
8
9
  label = "<label class=\"rodauth-webauthn-id form-check-label\" for=\"webauthn-remove-#{h id}\">Last Use: #{last_use}</label>"
9
10
  error = rodauth.formatted_field_error(rodauth.webauthn_remove_param) if id == last_id
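Review bot: strftime("%F %T") drops the zone offset that Time#to_s displayed, so the "Last Use" value is now ambiguous unless the application normalises the Time objects returned by account_webauthn_usage to one zone; either include the zone in the format or note in the release notes that the displayed time is in the Time object's own zone.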
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rodauth
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.19.0
4
+ version: 2.22.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jeremy Evans
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-12-22 00:00:00.000000000 Z
11
+ date: 2022-03-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sequel
@@ -286,6 +286,7 @@ extra_rdoc_files:
286
286
  - doc/recovery_codes.rdoc
287
287
  - doc/remember.rdoc
288
288
  - doc/reset_password.rdoc
289
+ - doc/reset_password_notify.rdoc
289
290
  - doc/session_expiration.rdoc
290
291
  - doc/single_session.rdoc
291
292
  - doc/sms_codes.rdoc
@@ -334,6 +335,9 @@ extra_rdoc_files:
334
335
  - doc/release_notes/2.18.0.txt
335
336
  - doc/release_notes/2.19.0.txt
336
337
  - doc/release_notes/2.2.0.txt
338
+ - doc/release_notes/2.20.0.txt
339
+ - doc/release_notes/2.21.0.txt
340
+ - doc/release_notes/2.22.0.txt
337
341
  - doc/release_notes/2.3.0.txt
338
342
  - doc/release_notes/2.4.0.txt
339
343
  - doc/release_notes/2.5.0.txt
@@ -440,6 +444,9 @@ files:
440
444
  - doc/release_notes/2.18.0.txt
441
445
  - doc/release_notes/2.19.0.txt
442
446
  - doc/release_notes/2.2.0.txt
447
+ - doc/release_notes/2.20.0.txt
448
+ - doc/release_notes/2.21.0.txt
449
+ - doc/release_notes/2.22.0.txt
443
450
  - doc/release_notes/2.3.0.txt
444
451
  - doc/release_notes/2.4.0.txt
445
452
  - doc/release_notes/2.5.0.txt
@@ -449,6 +456,7 @@ files:
449
456
  - doc/release_notes/2.9.0.txt
450
457
  - doc/remember.rdoc
451
458
  - doc/reset_password.rdoc
459
+ - doc/reset_password_notify.rdoc
452
460
  - doc/session_expiration.rdoc
453
461
  - doc/single_session.rdoc
454
462
  - doc/sms_codes.rdoc
@@ -498,6 +506,7 @@ files:
498
506
  - lib/rodauth/features/recovery_codes.rb
499
507
  - lib/rodauth/features/remember.rb
500
508
  - lib/rodauth/features/reset_password.rb
509
+ - lib/rodauth/features/reset_password_notify.rb
501
510
  - lib/rodauth/features/session_expiration.rb
502
511
  - lib/rodauth/features/single_session.rb
503
512
  - lib/rodauth/features/sms_codes.rb
@@ -541,6 +550,7 @@ files:
541
550
  - templates/recovery-codes.str
542
551
  - templates/remember.str
543
552
  - templates/reset-password-email.str
553
+ - templates/reset-password-notify-email.str
544
554
  - templates/reset-password-request.str
545
555
  - templates/reset-password.str
546
556
  - templates/sms-auth.str
@@ -594,7 +604,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
594
604
  - !ruby/object:Gem::Version
595
605
  version: '0'
596
606
  requirements: []
597
- rubygems_version: 3.2.32
607
+ rubygems_version: 3.3.7
598
608
  signing_key:
599
609
  specification_version: 4
600
610
  summary: Authentication and Account Management Framework for Rack Applications