rodauth 2.2.0 → 2.7.0

data/javascript/webauthn_setup.js

@@ -1,26 +1,29 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-setup-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.challenge = unpack(opts.challenge);
+      opts.user.id = unpack(opts.user.id);
+      opts.excludeCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.create({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
-          
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+
+          var rawId = pack(cred.rawId);
           document.getElementById('webauthn-setup').value = JSON.stringify({
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              attestationObject: pack(cred.response.attestationObject),
+              clientDataJSON: pack(cred.response.clientDataJSON)
             }
           });
           element.removeEventListener("submit", f);

data/lib/rodauth.rb

@@ -66,6 +66,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
 
@@ -74,6 +75,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, umeth, &block)
         @auth.send(:private, umeth)
+        @auth.send(:alias_method, umeth, umeth)
       end
     end
 
@@ -82,6 +84,7 @@ module Rodauth
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
   end
@@ -120,8 +123,10 @@ module Rodauth
       define_method(handle_meth) do
         request.is send(route_meth) do
           check_csrf if check_csrf?
-          before_rodauth
-          send(internal_handle_meth, request)
+          _around_rodauth do
+            before_rodauth
+            send(internal_handle_meth, request)
+          end
         end
       end
 
@@ -238,6 +243,7 @@ module Rodauth
           instance_variable_set(iv, send(umeth))
         end
       end
+      alias_method(meth, meth)
       auth_private_methods(meth)
     end
 
@@ -288,15 +294,17 @@ module Rodauth
     end
 
     def enable(*features)
-      new_features = features - @auth.features
-      new_features.each{|f| load_feature(f)}
-      @auth.features.concat(new_features)
+      features.each do |feature|
+        next if @auth.features.include?(feature)
+        load_feature(feature)
+        @auth.features << feature
+      end
     end
 
     private
 
     def load_feature(feature_name)
-      require "rodauth/features/#{feature_name}"
+      require "rodauth/features/#{feature_name}" unless FEATURES[feature_name]
       feature = FEATURES[feature_name]
       enable(*feature.dependencies)
       extend feature.configuration

data/lib/rodauth/features/base.rb

@@ -47,6 +47,7 @@ module Rodauth
     session_key :authenticated_by_session_key, :authenticated_by
     session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
+    auth_value_method :session_key_prefix, nil
     auth_value_method :require_bcrypt?, true
     auth_value_method :mark_input_fields_as_required?, true
     auth_value_method :mark_input_fields_with_autocomplete?, true
@@ -101,7 +102,6 @@ module Rodauth
       :set_redirect_error_flash,
       :set_title,
       :translate,
-      :unverified_account_message,
       :update_session
     )
 
@@ -110,7 +110,8 @@ module Rodauth
       :account_from_session,
       :field_attributes,
       :field_error_attributes,
-      :formatted_field_error
+      :formatted_field_error,
+      :around_rodauth
     )
 
     configuration_module_eval do
@@ -259,6 +260,7 @@ module Rodauth
       @password_field_autocomplete_value || 'current-password'
     end
 
+    alias account_password_hash_column account_password_hash_column
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -393,9 +395,9 @@ module Rodauth
     def password_match?(password)
       if hash = get_password_hash
         if account_password_hash_column || !use_database_authentication_functions?
-          BCrypt::Password.new(hash) == password
+          password_hash_match?(hash, password)
         else
-          db.get(Sequel.function(function_name(:rodauth_valid_password_hash), account_id, BCrypt::Engine.hash_secret(password, hash)))
+          database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
         end 
       end
     end
@@ -458,6 +460,18 @@ module Rodauth
 
     private
 
+    def _around_rodauth
+      yield
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+    end
+
+    def password_hash_match?(hash, password)
+      BCrypt::Password.new(hash) == password
+    end
+
     def convert_token_key(key)
       if key && hmac_secret
         compute_hmac(key)
@@ -493,6 +507,7 @@ module Rodauth
     end
 
     def convert_session_key(key)
+      key = "#{session_key_prefix}#{key}".to_sym if session_key_prefix
       scope.opts[:sessions_convert_symbols] ? key.to_s : key
     end
 

data/lib/rodauth/features/change_password.rb

@@ -14,7 +14,7 @@ module Rodauth
     button 'Change Password'
     redirect
 
-    auth_value_method :new_password_label, 'New Password'
+    translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
 
     auth_value_methods(

data/lib/rodauth/features/close_account.rb

@@ -33,7 +33,11 @@ module Rodauth
       end
 
       r.post do
-        if !close_account_requires_password? || password_match?(param(password_param))
+        catch_error do
+          if close_account_requires_password? && !password_match?(param(password_param))
+            throw_error_status(invalid_password_error_status, password_param, invalid_password_message)
+          end
+
           transaction do
             before_close_account
             close_account
@@ -46,12 +50,10 @@ module Rodauth
 
           set_notice_flash close_account_notice_flash
           redirect close_account_redirect
-        else
-          set_response_error_status(invalid_password_error_status)
-          set_field_error(password_param, invalid_password_message)
-          set_error_flash close_account_error_flash
-          close_account_view
         end
+
+        set_error_flash close_account_error_flash
+        close_account_view
       end
     end
 

data/lib/rodauth/features/confirm_password.rb

@@ -26,11 +26,11 @@ module Rodauth
       require_account_session
       before_confirm_password_route
 
-      request.get do
+      r.get do
         confirm_password_view
       end
 
-      request.post do
+      r.post do
         if password_match?(param(password_param))
           transaction do
             before_confirm_password

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -51,11 +51,13 @@ module Rodauth
         return true if salts.empty?
 
         salts.any? do |hash_id, salt|
-          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+          database_function_password_match?(:rodauth_previous_password_hash_match, hash_id, password, salt)
         end
       else
         # :nocov:
-        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        previous_password_ds.select_map(previous_password_hash_column).any? do |hash|
+          password_hash_match?(hash, password)
+        end
         # :nocov:
       end
 

data/lib/rodauth/features/email_auth.rb

@@ -94,7 +94,7 @@ module Rodauth
           redirect email_auth_email_sent_redirect
         end
 
-        _login('email_auth')
+        login('email_auth')
       end
     end
 

data/lib/rodauth/features/jwt.rb

@@ -47,7 +47,7 @@ module Rodauth
       s = {}
       if jwt_token
         unless session_data = jwt_payload
-          json_response[json_response_error_key] = invalid_jwt_format_error_message
+          json_response[json_response_error_key] ||= invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
           response.write(_json_response_body(json_response))
@@ -229,10 +229,18 @@ module Rodauth
       end
     end
 
+    def _jwt_decode_opts
+      jwt_decode_opts
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
-    rescue JWT::DecodeError
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+    rescue JWT::DecodeError => e
+      rescue_jwt_payload(e)
+    end
+
+    def rescue_jwt_payload(_)
       @jwt_payload = false
     end
 

data/lib/rodauth/features/jwt_refresh.rb

@@ -7,6 +7,9 @@ module Rodauth
     after 'refresh_token'
     before 'refresh_token'
 
+    auth_value_method :allow_refresh_with_expired_jwt_access_token?, false
+    session_key :jwt_refresh_token_data_session_key, :jwt_refresh_token_data
+    session_key :jwt_refresh_token_hmac_session_key, :jwt_refresh_token_hash
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
@@ -19,23 +22,33 @@ module Rodauth
     auth_value_method :jwt_refresh_token_key_column, :key
     auth_value_method :jwt_refresh_token_key_param, 'refresh_token'
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
+    translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
+    auth_value_method :jwt_refresh_without_access_token_status, 401
+    translatable_method :expired_jwt_access_token_message, "expired JWT access token"
+    auth_value_method :expired_jwt_access_token_status, 400
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      @jwt_refresh_route = true
+      before_jwt_refresh_route
+
       r.post do
-        if (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
-          formatted_token = nil
+        if !session_value
+          response.status ||= jwt_refresh_without_access_token_status
+          json_response[json_response_error_key] = jwt_refresh_without_access_token_message
+        elsif (refresh_token = param_or_nil(jwt_refresh_token_key_param)) && account_from_refresh_token(refresh_token)
           transaction do
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            set_jwt_refresh_token_hmac_session_key(formatted_token)
+            json_response[jwt_refresh_token_key] = formatted_token
+            json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
-          json_response[jwt_refresh_token_key] = formatted_token
-          json_response[jwt_access_token_key] = session_jwt
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
           response.status ||= json_response_error_status
@@ -52,7 +65,9 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      json_response['refresh_token'] = generate_refresh_token
+      token = json_response['refresh_token'] = generate_refresh_token
+
+      set_jwt_refresh_token_hmac_session_key(token)
     end
 
     def set_jwt_token(token)
@@ -79,12 +94,33 @@ module Rodauth
 
     private
 
+    def rescue_jwt_payload(e)
+      if e.instance_of?(JWT::ExpiredSignature)
+        begin
+          # Some versions of jwt will raise JWT::ExpiredSignature even when the
+          # JWT is invalid for other reasons.  Make sure the expiration is the
+          # only reason the JWT isn't valid before treating this as an expired token.
+          JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
+        rescue => e
+        else
+          json_response[json_response_error_key] = expired_jwt_access_token_message
+          response.status ||= expired_jwt_access_token_status
+        end
+      end
+
+      super
+    end
+
     def _account_from_refresh_token(token)
       id, token_id, key = _account_refresh_token_split(token)
 
-      return unless key
-      return unless actual = get_active_refresh_token(id, token_id)
-      return unless timing_safe_eql?(key, convert_token_key(actual))
+      unless key &&
+             (id == session_value.to_s) &&
+             (actual = get_active_refresh_token(id, token_id)) &&
+             timing_safe_eql?(key, convert_token_key(actual)) &&
+             jwt_refresh_token_match?(key)
+        return
+      end
 
       ds = account_ds(id)
       ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
@@ -101,6 +137,23 @@ module Rodauth
       [id, token_id, key]
     end
 
+    def _jwt_decode_opts
+      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+        Hash[super].merge!(:verify_expiration=>false)
+      else
+        super
+      end
+    end
+
+    def jwt_refresh_token_match?(key)
+      # We don't need to match tokens if we are requiring a valid current access token
+      return true unless allow_refresh_with_expired_jwt_access_token?
+
+      # If allowing with expired jwt access token, check the expired session contains
+      # hmac matching submitted and active refresh token.
+      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -140,6 +193,15 @@ module Rodauth
       hash
     end
 
+    def set_jwt_refresh_token_hmac_session_key(token)
+      if allow_refresh_with_expired_jwt_access_token?
+        key = _account_refresh_token_split(token).last
+        data = random_key
+        set_session_value(jwt_refresh_token_data_session_key, data)
+        set_session_value(jwt_refresh_token_hmac_session_key, compute_hmac(data + key))
+      end
+    end
+
     def before_logout
       if token = param_or_nil(jwt_refresh_token_key_param)
         if token == 'all'

data/lib/rodauth/features/login.rb

@@ -23,6 +23,8 @@ module Rodauth
     auth_cached_method :login_form_footer_links
     auth_cached_method :login_form_footer
 
+    auth_value_methods :login_return_to_requested_location_path
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -62,7 +64,7 @@ module Rodauth
             throw_error_status(login_error_status, password_param, invalid_password_message)
           end
 
-          _login('password')
+          login('password')
         end
 
         set_error_flash login_error_flash unless skip_error_flash
@@ -72,13 +74,29 @@ module Rodauth
 
     attr_reader :login_form_header
 
+    def login(auth_type)
+      saved_login_redirect = remove_session_value(login_redirect_session_key)
+      transaction do
+        before_login
+        login_session(auth_type)
+        yield if block_given?
+        after_login
+      end
+      set_notice_flash login_notice_flash
+      redirect(saved_login_redirect || login_redirect)
+    end
+
     def login_required
-      if login_return_to_requested_location?
-        set_session_value(login_redirect_session_key, request.fullpath)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+        set_session_value(login_redirect_session_key, path)
       end
       super
     end
 
+    def login_return_to_requested_location_path
+      request.fullpath if request.get?
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
       if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])
@@ -126,15 +144,8 @@ module Rodauth
     end
 
     def _login(auth_type)
-      saved_login_redirect = remove_session_value(login_redirect_session_key)
-      transaction do
-        before_login
-        login_session(auth_type)
-        yield if block_given?
-        after_login
-      end
-      set_notice_flash login_notice_flash
-      redirect(saved_login_redirect || login_redirect)
+      warn("Deprecated #_login method called, use #login instead.")
+      login(auth_type)
     end
   end
 end