rodauth 2.21.0 → 2.24.0

data/doc/release_notes/2.24.0.txt

@@ -0,0 +1,15 @@
+= New Features
+
+* rodauth.otp_available? has been added for checking whether the
+  account is allowed to authenticate with OTP.  It returns true
+  when the account has setup OTP and OTP use is not locked out.
+
+* rodauth.recovery_codes_available? has been added for checking
+  whether the account is allowed to authenticate using a recovery
+  code.  It returns true when there are any available recovery
+  codes for the account to use.
+
+= Other Improvements
+
+* The otp feature no longer includes the <?xml> tag for svg images,
+  since that results in invalid HTML.

data/doc/reset_password.rdoc

@@ -14,12 +14,12 @@ reset_password_autologin? :: Whether to autologin the user after successfully re
 reset_password_button :: The text to use for the reset password button.
 reset_password_deadline_column :: The column name in the +reset_password_table+ storing the deadline after which the token will be ignored.
 reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if +set_deadline_values?+ is true.
-reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password email when requested.
-reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password email because one has been sent recently.
-reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password email because one has been sent recently.
-reset_password_email_sent_notice_flash :: The flash notice to show after a reset password email has been sent.
-reset_password_email_sent_redirect :: Where to redirect after sending a reset password email.
-reset_password_email_subject :: The subject to use for reset password emails.
+reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password request email when requested.
+reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password request email because one has been sent recently.
+reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password request email because one has been sent recently.
+reset_password_email_sent_notice_flash :: The flash notice to show after a reset password request email has been sent.
+reset_password_email_sent_redirect :: Where to redirect after sending a reset password request email.
+reset_password_email_subject :: The subject to use for the reset password request email.
 reset_password_error_flash :: The flash error to show after resetting a password.
 reset_password_explanatory_text :: The text to display above the button to request a password reset.
 reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
@@ -30,35 +30,35 @@ reset_password_page_title :: The page title to use on the reset password form.
 reset_password_redirect :: Where to redirect after resetting a password.
 reset_password_request_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password request form.
 reset_password_request_button :: The text to use for the reset password request button.
-reset_password_request_error_flash :: The flash error to show if not able to send a reset password email.
+reset_password_request_error_flash :: The flash error to show if not able to send a reset password request email.
 reset_password_request_link_text :: The text to use for a link to the page to request a password reset.
 reset_password_request_page_title :: The page title to use on the reset password request form.
 reset_password_request_route :: The route to the reset password request action.  Defaults to +reset-password-request+.
 reset_password_route :: The route to the reset password action. Defaults to +reset-password+.
 reset_password_session_key :: The key in the session to hold the reset password key temporarily.
-reset_password_skip_resend_email_within :: The number of seconds before sending another reset password email, if +reset_password_email_last_sent_column+ is set.
+reset_password_skip_resend_email_within :: The number of seconds before sending another reset password request email, if +reset_password_email_last_sent_column+ is set.
 reset_password_table :: The name of the reset password keys table.
 
 == Auth Methods
 
 account_from_reset_password_key(key) :: Retrieve the account using the given reset password key, or return nil if no account matches.
 after_reset_password :: Run arbitrary code after successfully resetting a password.
-after_reset_password_request :: Run arbitrary code after sending the reset password email.
+after_reset_password_request :: Run arbitrary code after sending the reset password request email.
 before_reset_password :: Run arbitrary code before resetting a password.
-before_reset_password_request :: Run arbitrary code before sending the reset password email.
+before_reset_password_request :: Run arbitrary code before sending the reset password request email.
 before_reset_password_request_route :: Run arbitrary code before handling a reset password request route.
 before_reset_password_route :: Run arbitrary code before handling a reset password route.
-create_reset_password_email :: A Mail::Message for the reset password email.
+create_reset_password_email :: A Mail::Message for the reset password request email.
 create_reset_password_key :: Add the reset password key data to the database.
-get_reset_password_email_last_sent :: Get the last time a reset password email is sent, or nil if there is no last sent time.
+get_reset_password_email_last_sent :: Get the last time a reset password request email is sent, or nil if there is no last sent time.
 get_reset_password_key(id) :: Get the password reset key for the given account id from the database.
 login_failed_reset_password_request_form :: The HTML to use for a form to request a password reset, shown on the login page after the user tries to login with an invalid password.
 remove_reset_password_key :: Remove the reset password key for the current account, run after successful password reset.
-reset_password_email_body :: The body to use for the reset password email.
-reset_password_email_link :: The link to the reset password form in the reset password email.
+reset_password_email_body :: The body to use for the reset password request email.
+reset_password_email_link :: The link to the reset password form in the reset password request email.
 reset_password_key_insert_hash :: The hash to insert into the +reset_password_table+.
 reset_password_key_value :: The reset password key for the current account.
 reset_password_request_view :: The HTML to use for the reset password request form.
 reset_password_view :: The HTML to use for the reset password form.
-send_reset_password_email :: Send the reset password email.
-set_reset_password_email_last_sent :: Set the last time a reset password email is sent.
+send_reset_password_email :: Send the reset password request email.
+set_reset_password_email_last_sent :: Set the last time a reset password request email is sent.

data/doc/reset_password_notify.rdoc

@@ -0,0 +1,17 @@
+= Documentation for Reset Password Notify Feature
+
+The reset password notify feature emails the user after the user has
+reset their password. The user has already been sent a reset password
+email by this point, so they know a password reset was requested, but
+this feature allows for confirming that the password reset process
+was completed. Depends on the reset_password feature.
+
+== Auth Value Methods
+
+reset_password_notify_email_subject :: The subject to use for the reset password notify email.
+reset_password_notify_email_body :: The body to use for the reset password notify email.
+
+== Auth Methods
+
+create_reset_password_notify_email :: A Mail::Message for the reset password notify email.
+send_reset_password_notify_email :: Send the reset password notify email.

data/lib/rodauth/features/active_sessions.rb

@@ -81,7 +81,9 @@ module Rodauth
     end
 
     def remove_current_session
-      active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session[session_id_session_key])).delete
+      if session_id = session[session_id_session_key]
+        active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
+      end
     end
 
     def remove_all_active_sessions

data/lib/rodauth/features/base.rb

@@ -1,5 +1,8 @@
 # frozen-string-literal: true
 
+require 'rack/request'
+require 'rack/utils'
+
 module Rodauth
   Feature.define(:base, :Base) do
     after 'login'
@@ -91,6 +94,7 @@ module Rodauth
       :inputmode_for_field?,
       :logged_in?,
       :login_required,
+      :null_byte_parameter_value,
       :open_account?,
       :password_match?,
       :random_key,
@@ -446,7 +450,16 @@ module Rodauth
     # parameter with that name.
     def param_or_nil(key)
       value = raw_param(key)
-      value.to_s unless value.nil?
+      unless value.nil?
+        value = value.to_s
+        value = null_byte_parameter_value(key, value) if value.include?("\0")
+      end
+      value
+    end
+
+    # Return nil by default for values with null bytes
+    def null_byte_parameter_value(key, value)
+      nil
     end
 
     def raw_param(key)
@@ -501,6 +514,11 @@ module Rodauth
       request.redirect(path)
     end
 
+    def return_response(body=nil)
+      response.write(body) if body
+      request.halt
+    end
+
     def route_path(route, opts={})
       path  = "#{prefix}/#{route}"
       path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?
@@ -756,7 +774,7 @@ module Rodauth
       num = ds.update(values)
       if num == 1
         values.each do |k, v|
-          account[k] = Sequel::CURRENT_TIMESTAMP == v ? Time.now : v
+          hash[k] = Sequel::CURRENT_TIMESTAMP == v ? Time.now : v
         end
       end
       num

data/lib/rodauth/features/change_password_notify.rb

@@ -3,31 +3,11 @@
 module Rodauth
   Feature.define(:change_password_notify, :ChangePasswordNotify) do
     depends :change_password, :email_base
-
-    translatable_method :password_changed_email_subject, 'Password Changed'
-
-    auth_value_methods(
-      :password_changed_email_body
-    )
-    auth_methods(
-      :create_password_changed_email,
-      :send_password_changed_email
-    )
+    loaded_templates %w'password-changed-email'
+    email :password_changed, 'Password Changed', :translatable=>true
 
     private
 
-    def send_password_changed_email
-      send_email(create_password_changed_email)
-    end
-
-    def create_password_changed_email
-      create_email(password_changed_email_subject, password_changed_email_body)
-    end
-
-    def password_changed_email_body
-      render('password-changed-email')
-    end
-
     def after_change_password
       super
       send_password_changed_email

data/lib/rodauth/features/email_auth.rb

@@ -19,10 +19,10 @@ module Rodauth
     button 'Send Login Link Via Email', 'email_auth_request'
     redirect(:email_auth_email_sent){default_post_email_redirect}
     redirect(:email_auth_email_recently_sent){default_post_email_redirect}
+    email :email_auth, 'Login Link'
     
     auth_value_method :email_auth_deadline_column, :deadline
     auth_value_method :email_auth_deadline_interval, {:days=>1}.freeze
-    translatable_method :email_auth_email_subject, 'Login Link'
     auth_value_method :email_auth_id_column, :id
     auth_value_method :email_auth_key_column, :key
     auth_value_method :email_auth_key_param, 'key'
@@ -33,9 +33,7 @@ module Rodauth
     session_key :email_auth_session_key, :email_auth_key
     
     auth_methods(
-      :create_email_auth_email,
       :create_email_auth_key,
-      :email_auth_email_body,
       :email_auth_email_link,
       :email_auth_key_insert_hash,
       :email_auth_key_value,
@@ -43,7 +41,6 @@ module Rodauth
       :get_email_auth_key,
       :get_email_auth_email_last_sent,
       :remove_email_auth_key,
-      :send_email_auth_email,
       :set_email_auth_email_last_sent
     )
 
@@ -137,10 +134,6 @@ module Rodauth
       @account = _account_from_email_auth_key(key)
     end
 
-    def send_email_auth_email
-      send_email(create_email_auth_email)
-    end
-
     def email_auth_email_link
       token_link(email_auth_route, email_auth_key_param, email_auth_key_value)
     end
@@ -233,14 +226,6 @@ module Rodauth
       @email_auth_key_value = random_key
     end
 
-    def create_email_auth_email
-      create_email(email_auth_email_subject, email_auth_email_body)
-    end
-
-    def email_auth_email_body
-      render('email-auth-email')
-    end
-
     def use_date_arithmetic?
       super || db.database_type == :mysql
     end

data/lib/rodauth/features/http_basic_auth.rb

@@ -27,7 +27,7 @@ module Rodauth
     def require_http_basic_auth
       unless http_basic_auth
         set_http_basic_auth_error_response
-        request.halt
+        return_response
       end
     end
 

data/lib/rodauth/features/internal_request.rb

@@ -40,7 +40,7 @@ module Rodauth
 
     def domain
       d = super
-      if d == INVALID_DOMAIN
+      if d.nil? || d == INVALID_DOMAIN
         raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
       end
       d

data/lib/rodauth/features/json.rb

@@ -156,8 +156,7 @@ module Rodauth
         end
       elsif only_json?
         response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
+        return_response non_json_request_error_message
       end
 
       super
@@ -175,8 +174,7 @@ module Rodauth
     def _return_json_response
       response.status ||= json_response_error_status if json_response[json_response_error_key]
       response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      return_response _json_response_body(json_response)
     end
 
     def include_success_messages?

data/lib/rodauth/features/jwt_cors.rb

@@ -41,7 +41,7 @@ module Rodauth
           response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
           response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
           response.status = 204
-          request.halt(response.finish)
+          return_response
         end
 
         response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers

data/lib/rodauth/features/lockout.rb

@@ -25,6 +25,7 @@ module Rodauth
     redirect :unlock_account
     redirect(:unlock_account_request){default_post_email_redirect}
     redirect(:unlock_account_email_recently_sent){default_post_email_redirect}
+    email :unlock_account, 'Unlock Account'
       
     auth_value_method :unlock_account_autologin?, true
     auth_value_method :max_invalid_logins, 100
@@ -37,7 +38,6 @@ module Rodauth
     auth_value_method :account_lockouts_email_last_sent_column, :email_last_sent
     auth_value_method :account_lockouts_deadline_column, :deadline
     auth_value_method :account_lockouts_deadline_interval, {:days=>1}.freeze
-    translatable_method :unlock_account_email_subject, 'Unlock Account'
     translatable_method :unlock_account_explanatory_text, '<p>This account is currently locked out.  You can unlock the account:</p>'
     translatable_method :unlock_account_request_explanatory_text, '<p>This account is currently locked out.  You can request that the account be unlocked:</p>'
     auth_value_method :unlock_account_key_param, 'key'
@@ -47,15 +47,12 @@ module Rodauth
 
     auth_methods(
       :clear_invalid_login_attempts,
-      :create_unlock_account_email,
       :generate_unlock_account_key,
       :get_unlock_account_key,
       :get_unlock_account_email_last_sent,
       :invalid_login_attempted,
       :locked_out?,
-      :send_unlock_account_email,
       :set_unlock_account_email_last_sent,
-      :unlock_account_email_body,
       :unlock_account_email_link,
       :unlock_account,
       :unlock_account_key
@@ -226,10 +223,6 @@ module Rodauth
       @account = _account_from_unlock_key(key)
     end
 
-    def send_unlock_account_email
-      send_email(create_unlock_account_email)
-    end
-
     def unlock_account_email_link
       token_link(unlock_account_route, unlock_account_key_param, unlock_account_key_value)
     end
@@ -284,16 +277,7 @@ module Rodauth
     def show_lockout_page
       set_response_error_reason_status(:account_locked_out, lockout_error_status)
       set_error_flash login_lockout_error_flash
-      response.write unlock_account_request_view
-      request.halt
-    end
-
-    def create_unlock_account_email
-      create_email(unlock_account_email_subject, unlock_account_email_body)
-    end
-
-    def unlock_account_email_body
-      render('unlock-account-email')
+      return_response unlock_account_request_view
     end
 
     def unlock_account_email_recently_sent?

data/lib/rodauth/features/otp.rb

@@ -76,6 +76,7 @@ module Rodauth
     )
 
     auth_methods(
+      :otp_available?,
       :otp_exists?,
       :otp_last_use,
       :otp_locked_out?,
@@ -238,6 +239,10 @@ module Rodauth
       end
     end
 
+    def otp_available?
+      otp_exists? && !otp_locked_out?
+    end
+
     def otp_exists?
       !otp_key.nil?
     end
@@ -303,7 +308,8 @@ module Rodauth
     end
 
     def otp_qr_code
-      RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true)
+      svg = RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true, :use_path=>true)
+      svg.sub(/\A<\?xml version="1\.0" standalone="yes"\?>/, '')
     end
 
     def otp_user_key
@@ -328,7 +334,7 @@ module Rodauth
 
     def _two_factor_auth_links
       links = super
-      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_available?
       links
     end
 

data/lib/rodauth/features/recovery_codes.rb

@@ -57,6 +57,7 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
+      :recovery_codes_available?,
     )
 
     internal_request_method :recovery_codes
@@ -192,6 +193,10 @@ module Rodauth
       end
     end
 
+    def recovery_codes_available?
+      !recovery_codes_ds.empty?
+    end
+
     def possible_authentication_methods
       methods = super
       methods << 'recovery_code' unless recovery_codes_ds.empty?
@@ -202,7 +207,7 @@ module Rodauth
 
     def _two_factor_auth_links
       links = super
-      links << [40, recovery_auth_path, recovery_auth_link_text] unless recovery_codes_ds.empty?
+      links << [40, recovery_auth_path, recovery_auth_link_text] if recovery_codes_available?
       links
     end
 

data/lib/rodauth/features/remember.rb

@@ -144,7 +144,7 @@ module Rodauth
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
       opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end

data/lib/rodauth/features/reset_password.rb

@@ -24,10 +24,10 @@ module Rodauth
     redirect
     redirect(:reset_password_email_sent){default_post_email_redirect}
     redirect(:reset_password_email_recently_sent){default_post_email_redirect}
+    email :reset_password, 'Reset Password'
     
     auth_value_method :reset_password_deadline_column, :deadline
     auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
-    translatable_method :reset_password_email_subject, 'Reset Password'
     auth_value_method :reset_password_key_param, 'key'
     auth_value_method :reset_password_autologin?, false
     auth_value_method :reset_password_table, :account_password_reset_keys
@@ -41,16 +41,13 @@ module Rodauth
 
     auth_methods(
       :create_reset_password_key,
-      :create_reset_password_email,
       :get_reset_password_key,
       :get_reset_password_email_last_sent,
       :login_failed_reset_password_request_form,
       :remove_reset_password_key,
-      :reset_password_email_body,
       :reset_password_email_link,
       :reset_password_key_insert_hash,
       :reset_password_key_value,
-      :send_reset_password_email,
       :set_reset_password_email_last_sent
     )
     auth_private_methods(
@@ -133,6 +130,10 @@ module Rodauth
 
         password = param(password_param)
         catch_error do
+          unless password_meets_requirements?(password)
+            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
+          end
+
           if password_match?(password) 
             throw_error_reason(:same_as_existing_password, invalid_field_error_status, password_param, same_as_existing_password_message)
           end
@@ -141,10 +142,6 @@ module Rodauth
             throw_error_reason(:passwords_do_not_match, unmatched_field_error_status, password_param, passwords_do_not_match_message)
           end
 
-          unless password_meets_requirements?(password)
-            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
-          end
-
           transaction do
             before_reset_password
             set_password(password)
@@ -187,10 +184,6 @@ module Rodauth
       @account = _account_from_reset_password_key(key)
     end
 
-    def send_reset_password_email
-      send_email(create_reset_password_email)
-    end
-
     def reset_password_email_link
       token_link(reset_password_route, reset_password_key_param, reset_password_key_value)
     end
@@ -241,18 +234,10 @@ module Rodauth
       @reset_password_key_value = random_key
     end
 
-    def create_reset_password_email
-      create_email(reset_password_email_subject, reset_password_email_body)
-    end
-
     def login_failed_reset_password_request_form
       render("reset-password-request")
     end
 
-    def reset_password_email_body
-      render('reset-password-email')
-    end
-
     def use_date_arithmetic?
       super || db.database_type == :mysql
     end

data/lib/rodauth/features/reset_password_notify.rb

@@ -0,0 +1,16 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:reset_password_notify, :ResetPasswordNotify) do
+    depends :reset_password
+    loaded_templates %w'reset-password-notify-email'
+    email :reset_password_notify, 'Password Reset Completed', :translatable=>true
+
+    private
+
+    def after_reset_password
+      super
+      send_reset_password_notify_email
+    end
+  end
+end

data/lib/rodauth/features/sms_codes.rb

@@ -430,7 +430,7 @@ module Rodauth
     end
 
     def sms_available?
-      sms && !sms_needs_confirmation? && !sms_locked_out?
+      sms_setup? && !sms_locked_out?
     end
 
     def sms_locked_out?
@@ -468,7 +468,7 @@ module Rodauth
     end
 
     def _two_factor_remove_all_from_session
-      two_factor_remove_session('sms_codes')
+      two_factor_remove_session('sms_code')
       super
     end
 

data/lib/rodauth/features/verify_account.rb

@@ -26,8 +26,8 @@ module Rodauth
     redirect
     redirect(:verify_account_email_sent){default_post_email_redirect}
     redirect(:verify_account_email_recently_sent){default_post_email_redirect}
+    email :verify_account, 'Verify Account'
 
-    translatable_method :verify_account_email_subject, 'Verify Account'
     auth_value_method :verify_account_key_param, 'key'
     auth_value_method :verify_account_autologin?, true
     auth_value_method :verify_account_table, :account_verification_keys
@@ -43,14 +43,11 @@ module Rodauth
     auth_methods(
       :allow_resending_verify_account_email?,
       :create_verify_account_key,
-      :create_verify_account_email,
       :get_verify_account_key,
       :get_verify_account_email_last_sent,
       :remove_verify_account_key,
-      :send_verify_account_email,
       :set_verify_account_email_last_sent,
       :verify_account,
-      :verify_account_email_body,
       :verify_account_email_link,
       :verify_account_key_insert_hash,
       :verify_account_key_value
@@ -198,8 +195,7 @@ module Rodauth
       if account_from_login(login) && allow_resending_verify_account_email?
         set_response_error_reason_status(:already_an_unverified_account_with_this_login, unopen_account_error_status)
         set_error_flash attempt_to_create_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end
@@ -212,10 +208,6 @@ module Rodauth
       account_unverified_status_value
     end
 
-    def send_verify_account_email
-      send_email(create_verify_account_email)
-    end
-
     def verify_account_email_link
       token_link(verify_account_route, verify_account_key_param, verify_account_key_value)
     end
@@ -275,8 +267,7 @@ module Rodauth
       unless open_account?
         set_response_error_reason_status(:unverified_account, unopen_account_error_status)
         set_error_flash attempt_to_login_to_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end
@@ -311,14 +302,6 @@ module Rodauth
       {verify_account_id_column=>account_id, verify_account_key_column=>verify_account_key_value}
     end
 
-    def create_verify_account_email
-      create_email(verify_account_email_subject, verify_account_email_body)
-    end
-
-    def verify_account_email_body
-      render('verify-account-email')
-    end
-
     def verify_account_ds(id=account_id)
       db[verify_account_table].where(verify_account_id_column=>id)
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 21
+  MINOR = 24
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.