rodauth 2.2.0 → 2.7.0

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -4,8 +4,10 @@ module Rodauth
   Feature.define(:login_password_requirements_base, :LoginPasswordRequirementsBase) do
     translatable_method :already_an_account_with_this_login_message, 'already an account with this login'
     auth_value_method :login_confirm_param, 'login-confirm'
+    auth_value_method :login_email_regexp, /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
+    translatable_method :login_not_valid_email_message, 'not a valid email address'
     translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
@@ -28,6 +30,7 @@ module Rodauth
 
     auth_methods(
       :login_meets_requirements?,
+      :login_valid_email?,
       :password_hash,
       :password_meets_requirements?,
       :set_password
@@ -104,13 +107,15 @@ module Rodauth
 
     def login_meets_email_requirements?(login)
       return true unless require_email_address_logins?
-      if login =~ /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
-        return true
-      end
-      @login_requirement_message = 'not a valid email address'
+      return true if login_valid_email?(login)
+      @login_requirement_message = login_not_valid_email_message
       return false
     end
 
+    def login_valid_email?(login)
+      login =~ login_email_regexp
+    end
+
     def password_meets_length_requirements?(password)
       return true if password_minimum_length <= password.length
       @password_requirement_message = password_too_short_message

data/lib/rodauth/features/otp.rb

@@ -76,9 +76,7 @@ module Rodauth
     )
 
     auth_methods(
-      :otp,
       :otp_exists?,
-      :otp_key,
       :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,

data/lib/rodauth/features/password_pepper.rb

@@ -0,0 +1,45 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:password_pepper, :PasswordPepper) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_pepper, nil
+    auth_value_method :previous_password_peppers, [""]
+    auth_value_method :password_pepper_update?, true
+
+    def password_match?(password)
+      if (result = super) && @previous_pepper_matched && password_pepper_update?
+        set_password(password)
+      end
+
+      result
+    end
+
+    private
+
+    def password_hash(password)
+      super(password + password_pepper.to_s)
+    end
+
+    def password_hash_match?(hash, password)
+      return super if password_pepper.nil?
+
+      return true if super(hash, password + password_pepper)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(hash, password + pepper)
+      end
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      return super if password_pepper.nil?
+
+      return true if super(name, hash_id, password + password_pepper, salt)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(name, hash_id, password + pepper, salt)
+      end
+    end
+  end
+end

data/lib/rodauth/features/recovery_codes.rb

@@ -34,6 +34,7 @@ module Rodauth
     auth_value_method :add_recovery_codes_param, 'add'
     translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :auto_add_recovery_codes?, false
+    auth_value_method :auto_remove_recovery_codes?, false
     translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
@@ -56,7 +57,6 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
-      :recovery_codes
     )
 
     route(:recovery_auth) do |r|
@@ -213,6 +213,21 @@ module Rodauth
       super
     end
 
+    def after_otp_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_sms_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_webauthn_remove
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
     def new_recovery_code
       random_key
     end
@@ -227,6 +242,12 @@ module Rodauth
       end
     end
 
+    def auto_remove_recovery_codes
+      if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+        recovery_codes_remove
+      end
+    end
+
     def _recovery_codes
       recovery_codes_ds.select_map(recovery_codes_column)
     end

data/lib/rodauth/features/remember.rb

@@ -58,7 +58,9 @@ module Rodauth
         if [remember_remember_param_value, remember_forget_param_value, remember_disable_param_value].include?(remember)
           transaction do
             before_remember
+            # :nocov:
             case remember
+            # :nocov:
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value
@@ -130,11 +132,14 @@ module Rodauth
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def forget_login
-      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+      opts = Hash[remember_cookie_options]
+      opts[:path] = "/" unless opts.key?(:path)
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def get_remember_key

data/lib/rodauth/features/session_expiration.rb

@@ -3,6 +3,7 @@
 module Rodauth
   Feature.define(:session_expiration, :SessionExpiration) do
     error_flash "This session has expired, please login again"
+    redirect{require_login_redirect}
 
     auth_value_method :max_session_lifetime, 86400
     session_key :session_created_session_key, :session_created_at
@@ -11,8 +12,6 @@ module Rodauth
     auth_value_method :session_inactivity_timeout, 1800
     session_key :session_last_activity_session_key, :last_session_activity_at
 
-    auth_value_methods :session_expiration_redirect
-    
     def check_session_expiration
       return unless logged_in?
 
@@ -43,10 +42,6 @@ module Rodauth
       redirect session_expiration_redirect
     end
 
-    def session_expiration_redirect
-      require_login_redirect
-    end
-
     def update_session
       super
       t = Time.now.to_i

data/lib/rodauth/features/verify_account.rb

@@ -47,7 +47,6 @@ module Rodauth
       :get_verify_account_key,
       :get_verify_account_email_last_sent,
       :remove_verify_account_key,
-      :resend_verify_account_view,
       :send_verify_account_email,
       :set_verify_account_email_last_sent,
       :verify_account,
@@ -245,6 +244,12 @@ module Rodauth
       end
     end
 
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
+
     private
 
     def _login_form_footer_links
@@ -276,12 +281,6 @@ module Rodauth
       super
     end
 
-    def setup_account_verification
-      generate_verify_account_key_value
-      create_verify_account_key
-      send_verify_account_email
-    end
-
     def verify_account_check_already_logged_in
       check_already_logged_in
     end

data/lib/rodauth/features/verify_login_change.rb

@@ -8,6 +8,7 @@ module Rodauth
     error_flash "Unable to change login as there is already an account with the new login", 'verify_login_change_duplicate_account'
     error_flash "There was an error verifying your login change: invalid verify login change key", 'no_matching_verify_login_change_key'
     notice_flash "Your login change has been verified"
+    notice_flash "An email has been sent to you with a link to verify your login change", 'change_login_needs_verification'
     loaded_templates %w'verify-login-change verify-login-change-email'
     view 'verify-login-change', 'Verify Login Change'
     additional_form_tags
@@ -131,7 +132,7 @@ module Rodauth
     end
 
     def change_login_notice_flash
-      "An email has been sent to you with a link to verify your login change"
+      change_login_needs_verification_notice_flash
     end
 
     def verify_login_change_old_login

data/lib/rodauth/features/webauthn_login.rb

@@ -22,7 +22,7 @@ module Rodauth
 
           webauthn_credential = webauthn_auth_credential_from_form_submission
           before_webauthn_login
-          _login('webauthn') do
+          login('webauthn') do
             webauthn_update_session(webauthn_credential.id)
           end
         end

data/lib/rodauth/migrations.rb

@@ -9,9 +9,14 @@ module Rodauth
     case db.database_type
     when :postgres
       search_path = opts[:search_path] || 'public, pg_temp'
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id int8) RETURNS text AS $$
+CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
 DECLARE salt text;
 BEGIN
 SELECT substr(password_hash, 0, 30) INTO salt 
@@ -25,7 +30,7 @@ SET search_path = #{search_path};
 END
 
       db.run <<END
-CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id int8, hash text) RETURNS boolean AS $$
+CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id #{primary_key_type}, hash text) RETURNS boolean AS $$
 DECLARE valid boolean;
 BEGIN
 SELECT password_hash = hash INTO valid 
@@ -100,13 +105,19 @@ END
   end
 
   def self.drop_database_authentication_functions(db, opts={})
+    table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
     valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
 
     case db.database_type
     when :postgres
-      db.run "DROP FUNCTION #{get_salt_name}(int8)"
-      db.run "DROP FUNCTION #{valid_hash_name}(int8, text)"
+      primary_key_type =
+        case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
+        when 'uuid' then :uuid
+        else :int8
+        end
+      db.run "DROP FUNCTION #{get_salt_name}(#{primary_key_type})"
+      db.run "DROP FUNCTION #{valid_hash_name}(#{primary_key_type}, text)"
     when :mysql, :mssql
       db.run "DROP FUNCTION #{get_salt_name}"
       db.run "DROP FUNCTION #{valid_hash_name}"
@@ -118,6 +129,6 @@ END
   end
 
   def self.drop_database_previous_password_check_functions(db, opts={})
-    drop_database_authentication_functions(db, {:get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
+    drop_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
   end
 end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 2
+  MINOR = 7
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-20 00:00:00.000000000 Z
+date: 2020-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -277,6 +277,7 @@ extra_rdoc_files:
 - doc/webauthn_verify_account.rdoc
 - doc/active_sessions.rdoc
 - doc/audit_logging.rdoc
+- doc/password_pepper.rdoc
 - doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
@@ -304,6 +305,11 @@ extra_rdoc_files:
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
+- doc/release_notes/2.3.0.txt
+- doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -356,6 +362,7 @@ files:
 - doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
@@ -384,6 +391,11 @@ files:
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
+- doc/release_notes/2.3.0.txt
+- doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -427,6 +439,7 @@ files:
 - lib/rodauth/features/password_complexity.rb
 - lib/rodauth/features/password_expiration.rb
 - lib/rodauth/features/password_grace_period.rb
+- lib/rodauth/features/password_pepper.rb
 - lib/rodauth/features/recovery_codes.rb
 - lib/rodauth/features/remember.rb
 - lib/rodauth/features/reset_password.rb
@@ -526,7 +539,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications