rodauth 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f672a0312d4a0c6103bb763d339161119551a0e64cc248546a0cb52f4e6784c1
-  data.tar.gz: 530d322cc3ddba655959238aafe155512de11f090afb9465980181dcc729d1b9
+  metadata.gz: 4ea58deac2998a11cd0cd4b17545eab5fce6fb0acd7751416fd521cbd77d6add
+  data.tar.gz: c113c1131f5d756fd3aa5c1dbf083f40506b8822fb1c9b67537069c9e8695fba
 SHA512:
-  metadata.gz: d8018f5e02d077bd8625c17c8c5a1f607b986c1916296132ef68e2651d2af26d65ddbdfdc9b5f1352431c74caa30e94d270cc03840207303f8fa0e6a44910a0b
-  data.tar.gz: 5f24ce4d800d3bbe914dac40dba1cd68b78af4aff5efdaf976b32702d45b5fe7809453d2a650f407437afb1b9d6206ff3d79e6f703fcd85d8d55a0f0658464eb
+  metadata.gz: 1fa2ce1d08a9f09e21d2fb1fe5b71ea3c6fc55181452302a35929229f0fad8c3c5d3d3324d73bee9c69daf0ff7a2d14ddbb731ef994bd3317512627233a69d28
+  data.tar.gz: 7a188457006390730f00bc4a2ea5159c002dba66b300fd993929a5b5a491f2f4be0191c7e7c8e4b9e82b2e709b1a4e8ea8f5d335613f262671e1d68507cc2e26

data/CHANGELOG

@@ -1,3 +1,17 @@
+=== 2.3.0 (2020-08-21)
+
+* Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
+
+* Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
+
+* Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
+
+* Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
+
+* Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
+
+* Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
+
 === 2.2.0 (2020-07-20)
 
 * Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)

data/doc/jwt_refresh.rdoc

@@ -19,6 +19,9 @@ when logging out, provide the refresh token when submitting the JSON request to
 If you would like to remove all refresh tokens for the account when logging out, provide
 a value of <tt>all</tt> as the token value.
 
+When using the refresh token, you must provide a valid access token, as that contains
+information about the current session, which is used to create the new access token.
+
 This feature depends on the jwt feature.
 
 == Auth Value Methods
@@ -36,6 +39,8 @@ jwt_refresh_token_key :: Name of the key in the response json holding the refres
 jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
 jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token.  Default is +refresh_token+.
 jwt_refresh_token_table :: Name of the table holding refresh token keys.
+jwt_refresh_without_access_token_message :: Error message when trying to refresh with providing an access token.
+jwt_refresh_without_access_token_status :: The HTTP status code to use when trying to refresh without providing an access token.
 
 == Auth Methods
 

data/doc/login.rdoc

@@ -3,6 +3,13 @@
 The login feature implements a login page.  It's the most commonly
 used feature.
 
+In addition to the auth methods below, it provides a +login+ method that wraps
++login_session+, running login hooks and redirecting to the configured
+location.
+
+  rodauth.account           #=> { id: 123, ... }
+  rodauth.login('password') # login the current account
+
 == Auth Value Methods
 
 login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.

data/doc/login_password_requirements_base.rdoc

@@ -9,8 +9,10 @@ already_an_account_with_this_login_message :: The error message to display when
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
 login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
+login_email_regexp :: The regular expression used to validate whether login is a valid email address.
 login_maximum_length :: The maximum length for logins, 255 by default.
 login_minimum_length :: The minimum length for logins, 3 by default.
+login_not_valid_email_message :: The error message to display when login is not a valid email address.
 login_too_long_message :: The error message fragment to show if the login is too long.
 login_too_short_message :: The error message fragment to show if the login is too short.
 logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
@@ -29,6 +31,7 @@ same_as_existing_password_message :: The error message to display when a new pas
 == Auth Methods
 
 login_meets_requirements?(login) :: Whether the given login meets the requirements.  By default, just checks that the login is a valid email address.
+login_valid_email?(login) :: Whether the login is a valid email address.
 password_hash(password) :: A hash of the given password.
 password_meets_requirements?(password) :: Whether the given password meets the requirements. Can be used to implement complexity requirements for passwords.
 set_password(password) :: Set the password for the current account to the given password.

data/doc/release_notes/2.3.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* Configuration methods have been added for easier validation of
+  logins when logins must be valid email addresses (the default):
+
+  * login_valid_email?(login) can be used for full control of
+    determining whether the login is valid.
+
+  * login_email_regexp can be used to set the regexp used in the
+    default login_valid_email? check.
+
+  * login_not_valid_email_message can be used to set the field
+    error message if the login is not a valid email.  Previously, this
+    value was hardcoded and not translatable.
+
+* The {create,drop}_database_authentication_functions now work
+  correctly with uuid keys on PostgreSQL.  All other parts of
+  Rodauth already worked correctly with uuid keys.
+
+= Other Improvements
+
+* The before_jwt_refresh_route hook is now called before the route
+  is taken. Previously, the configuration method had no effect.
+
+* rodauth.login can now be used by external code to login the current
+  account (the account that rodauth.account returns).  This should be
+  passed the authentication type string used to login, such as
+  password.
+
+* The jwt_refresh route now returns an error for requests where a
+  valid access token for a logged in session is not provided.  You
+  can use the jwt_refresh_without_access_token_message and
+  jwt_refresh_without_access_token_status configuration methods
+  to configure the error response.
+
+* The new refresh token is now available to the after_refresh_token
+  hook by looking in json_response[jwt_refresh_token_key].

data/lib/rodauth/features/close_account.rb

@@ -33,7 +33,11 @@ module Rodauth
       end
 
       r.post do
-        if !close_account_requires_password? || password_match?(param(password_param))
+        catch_error do
+          if close_account_requires_password? && !password_match?(param(password_param))
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+          end
+
           transaction do
             before_close_account
             close_account
@@ -46,12 +50,10 @@ module Rodauth
 
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
-        else
-          set_response_error_status(invalid_password_error_status)
-          set_field_error(password_param, invalid_password_message)
-          set_error_flash close_account_error_flash
-          close_account_view
         end
+
+        set_error_flash close_account_error_flash
+        close_account_view
       end
     end
 

data/lib/rodauth/features/email_auth.rb

@@ -94,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login('email_auth')
+        login('email_auth')
       end
     end
 

data/lib/rodauth/features/jwt_refresh.rb

@@ -19,23 +19,29 @@ module Rodauth
     auth_value_method :jwt_refresh_token_key_column, :key
     auth_value_method :jwt_refresh_token_key_param, 'refresh_token'
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
+    translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
+    auth_value_method :jwt_refresh_without_access_token_status, 401
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      before_jwt_refresh_route
+
       r.post do
-        if (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
-          formatted_token = nil
+        if !session_value
+          response.status ||= jwt_refresh_without_access_token_status
+          json_response[json_response_error_key] = jwt_refresh_without_access_token_message
+        elsif (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
           transaction do
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            json_response[jwt_refresh_token_key] = formatted_token
+            json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
-          json_response[jwt_refresh_token_key] = formatted_token
-          json_response[jwt_access_token_key] = session_jwt
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
           response.status ||= json_response_error_status

data/lib/rodauth/features/login.rb

@@ -62,7 +62,7 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login('password')
+          login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
@@ -72,6 +72,18 @@ module Rodauth
 
     attr_reader :login_form_header
 
+    def login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
+      transaction do
+        before_login
+        login_session(auth_type)
+        yield if block_given?
+        after_login
+      end
+      set_notice_flash login_notice_flash
+      redirect(saved_login_redirect || login_redirect)
+    end
+
     def login_required
       if login_return_to_requested_location?
         set_session_value(login_redirect_session_key, request.fullpath)
@@ -126,15 +138,8 @@ module Rodauth
     end
 
     def _login(auth_type)
-      saved_login_redirect = remove_session_value(login_redirect_session_key)
-      transaction do
-        before_login
-        login_session(auth_type)
-        yield if block_given?
-        after_login
-      end
-      set_notice_flash login_notice_flash
-      redirect(saved_login_redirect || login_redirect)
+      warn("Deprecated #_login method called, use #login instead.")
+      login(auth_type)
     end
   end
 end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -4,8 +4,10 @@ module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
     translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
+    auth_value_method :login_email_regexp, /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
+    translatable_method :login_not_valid_email_message, 'not a valid email address'
     translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
@@ -28,6 +30,7 @@ module Rodauth
 
     auth_methods(
       :login_meets_requirements?,
+      :login_valid_email?,
       :password_hash,
       :password_meets_requirements?,
       :set_password
@@ -104,13 +107,15 @@ module Rodauth
 
     def login_meets_email_requirements?(login)
       return true unless require_email_address_logins?
-      if login =~ /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
-        return true
-      end
-      @login_requirement_message = 'not a valid email address'
+      return true if login_valid_email?(login)
+      @login_requirement_message = login_not_valid_email_message
       return false
     end
 
+    def login_valid_email?(login)
+      login =~ login_email_regexp
+    end
+
     def password_meets_length_requirements?(password)
       return true if password_minimum_length <= password.length
       @password_requirement_message = password_too_short_message

data/lib/rodauth/features/session_expiration.rb

@@ -3,6 +3,7 @@
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
     error_flash "This session has expired, please login again"
+    redirect{require_login_redirect}
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
@@ -11,8 +12,6 @@ module Rodauth
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
 
-    auth_value_methods :session_expiration_redirect
-    
     def check_session_expiration
       return unless logged_in?
 
@@ -43,10 +42,6 @@ module Rodauth
       redirect session_expiration_redirect
     end
 
-    def session_expiration_redirect
-      require_login_redirect
-    end
-
     def update_session
       super
       t = Time.now.to_i

data/lib/rodauth/features/webauthn_login.rb

@@ -22,7 +22,7 @@ module Rodauth
 
           webauthn_credential = webauthn_auth_credential_from_form_submission
           before_webauthn_login
-          _login('webauthn') do
+          login('webauthn') do
             webauthn_update_session(webauthn_credential.id)
           end
         end

data/lib/rodauth/migrations.rb

@@ -9,9 +9,14 @@ module Rodauth
     case db.database_type
     when :postgres
       search_path = opts[:search_path] || 'public, pg_temp'
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id int8) RETURNS text AS $$
+CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
 DECLARE salt text;
 BEGIN
 SELECT substr(password_hash, 0, 30) INTO salt 
@@ -25,7 +30,7 @@ SET search_path = #{search_path};
 END
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id int8, hash text) RETURNS boolean AS $$
+CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id #{primary_key_type}, hash text) RETURNS boolean AS $$
 DECLARE valid boolean;
 BEGIN
 SELECT password_hash = hash INTO valid 
@@ -100,13 +105,19 @@ END
   end
 
   def self.drop_database_authentication_functions(db, opts={})
+    table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
     valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
 
     case db.database_type
     when :postgres
-      db.run "DROP FUNCTION #{get_salt_name}(int8)"
-      db.run "DROP FUNCTION #{valid_hash_name}(int8, text)"
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
+      db.run "DROP FUNCTION #{get_salt_name}(#{primary_key_type})"
+      db.run "DROP FUNCTION #{valid_hash_name}(#{primary_key_type}, text)"
     when :mysql, :mssql
       db.run "DROP FUNCTION #{get_salt_name}"
       db.run "DROP FUNCTION #{valid_hash_name}"
@@ -118,6 +129,6 @@ END
   end
 
   def self.drop_database_previous_password_check_functions(db, opts={})
-    drop_database_authentication_functions(db, {:get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
+    drop_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
   end
 end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 2
+  MINOR = 3
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-20 00:00:00.000000000 Z
+date: 2020-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -304,6 +304,7 @@ extra_rdoc_files:
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
+- doc/release_notes/2.3.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -384,6 +385,7 @@ files:
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
+- doc/release_notes/2.3.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc