rodauth 2.22.0 → 2.23.0

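--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: f20339f12a4abc3d970bebd785c10d788ecb51c46f787beda3ff8a0d9a337706
-data.tar.gz: 1a930e230aff9f64d7af359211fc9c568a93978372a5813612c964b673c8f6aa
+metadata.gz: 707e580a46dc470c4fffc91eca813495d0fb6330312131fd17b4b87db8415cc2
+data.tar.gz: d73099f372d594438da78614ac974f1b9343aa4c9de93f162b9432a77f0e0ae6
 SHA512:
-metadata.gz: '030017944284769f16d83e1454d1b7c1bdf8ec6cd1c8201e7c7feba17f0809201b436f452ed660392f78253f196ca76d4062bc94dd64c1227a4f75937ef42f2c'
-data.tar.gz: e05d2d37f2c32808bb482e7f2ddd332ad34fe6478dc8ea842b84ba45fdd1e9330c081e139235abc2b7a79c0827df92f36350d35ef4b108056b0ac1b8f8a991e0
+metadata.gz: d0005518db3164d29e4be62b76035ccb98df3f8d0f7d129624a099032b5566f125041656d11c798d0fa14b3c2b40a19df18fe5fc1df6c38603ba4660baf9d7b1
+data.tar.gz: 9b585c6e4f7338609b404cbd4e35fa96467d8f04d9a98089729d7f757b7920afbb1d99a9b028519aa211ad4bd16c7b96d4e3945647a4eaf81691abf6b1a64aae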
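--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,13 @@
+=== 2.23.0 (2022-04-22)
+
+* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
+
+* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
+
+* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
+
+* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
+
 === 2.22.0 (2022-03-22)
 
 * Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)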
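--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1294,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
 inside the middleware, you can easily provide a way for your
 application to call Rodauth methods.
 
+If you're using the remember feature with +extend_remember_deadline?+ set to
+true, you'll want to load roda's middleware plugin with
++forward_response_headers: true+ option, so that +Set-Cookie+ header changes
+from the +load_memory+ call in the route block are propagated when the request
+is forwarded to the main app.
+
 Here are some examples of integrating Rodauth into applications that
 don't use Roda:
 
@@ -1495,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
 
 All of these are Rails-specific:
 
-* Devise
-* Authlogic
-* Sorcery
+* {Devise}[https://github.com/heartcombo/devise]
+* {Authlogic}[https://github.com/binarylogic/authlogic]
+* {Sorcery}[https://github.com/Sorcery/sorcery]
 
 == Author
 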
@@ -0,0 +1,15 @@
1
+ = Improvements
2
+
3
+ * The otp feature now uses the :use_path option when rendering QR
4
+ codes, resulting in significantly smaller svg images.
5
+
6
+ * Removing all multifactor authentication methods now removes the fact
7
+ that the session was authenticated via SMS, if the user used SMS as
8
+ an authentication method for the current session.
9
+
10
+ * The invalid domain check in the internal_request feature now works
11
+ correctly when using the rack master branch.
12
+
13
+ * The :httponly cookie option is no longer set automatically in the
14
+ remember feature if the :http_only cookie option was provided by the
15
+ user (rack recognizes both options).
@@ -1,5 +1,8 @@
1
1
  # frozen-string-literal: true
2
2
 
3
+ require 'rack/request'
4
+ require 'rack/utils'
5
+
3
6
  module Rodauth
4
7
  Feature.define(:base, :Base) do
5
8
  after 'login'
@@ -511,6 +514,11 @@ module Rodauth
511
514
  request.redirect(path)
512
515
  end
513
516
 
517
+ def return_response(body=nil)
518
+ response.write(body) if body
519
+ request.halt
520
+ end
521
+
514
522
  def route_path(route, opts={})
515
523
  path = "#{prefix}/#{route}"
516
524
  path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?
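Review bot: The new `return_response` helper at the top of the hunk is undocumented, yet it becomes the common short-circuit path for several features in this release (http_basic_auth, json, jwt_cors, lockout, verify_account), so its contract should be stated where it is defined. Suggest `# Write +body+ to the response if given, then halt request processing, returning the current response.` immediately above the `def`. Where it replaces `request.halt(response.finish)` in jwt_cors, the new code relies on an argument-less `request.halt` yielding the same finished response; that appears to be the intent but is worth confirming against the Roda version Rodauth supports.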
@@ -27,7 +27,7 @@ module Rodauth
27
27
  def require_http_basic_auth
28
28
  unless http_basic_auth
29
29
  set_http_basic_auth_error_response
30
- request.halt
30
+ return_response
31
31
  end
32
32
  end
33
33
 
@@ -40,7 +40,7 @@ module Rodauth
40
40
 
41
41
  def domain
42
42
  d = super
43
- if d == INVALID_DOMAIN
43
+ if d.nil? || d == INVALID_DOMAIN
44
44
  raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
45
45
  end
46
46
  d
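Review bot: The added `d.nil?` check on the changed line carries no explanation of why `super` may now return nil in addition to `INVALID_DOMAIN`; the changelog ties it to Rack 3, and without that context a later cleanup could drop the branch and reintroduce the unguarded nil. Suggest `# Newer Rack versions appear to return nil instead of INVALID_DOMAIN when the host cannot be determined; treat both as unset` above the `if`. The `domain` method's closing `end` lies outside the hunk.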
@@ -156,8 +156,7 @@ module Rodauth
156
156
  end
157
157
  elsif only_json?
158
158
  response.status = json_response_error_status
159
- response.write non_json_request_error_message
160
- request.halt
159
+ return_response non_json_request_error_message
161
160
  end
162
161
 
163
162
  super
@@ -175,8 +174,7 @@ module Rodauth
175
174
  def _return_json_response
176
175
  response.status ||= json_response_error_status if json_response[json_response_error_key]
177
176
  response['Content-Type'] ||= json_response_content_type
178
- response.write(_json_response_body(json_response))
179
- request.halt
177
+ return_response _json_response_body(json_response)
180
178
  end
181
179
 
182
180
  def include_success_messages?
@@ -41,7 +41,7 @@ module Rodauth
41
41
  response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
42
42
  response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
43
43
  response.status = 204
44
- request.halt(response.finish)
44
+ return_response
45
45
  end
46
46
 
47
47
  response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers
@@ -277,8 +277,7 @@ module Rodauth
277
277
  def show_lockout_page
278
278
  set_response_error_reason_status(:account_locked_out, lockout_error_status)
279
279
  set_error_flash login_lockout_error_flash
280
- response.write unlock_account_request_view
281
- request.halt
280
+ return_response unlock_account_request_view
282
281
  end
283
282
 
284
283
  def unlock_account_email_recently_sent?
@@ -303,7 +303,7 @@ module Rodauth
303
303
  end
304
304
 
305
305
  def otp_qr_code
306
- RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true)
306
+ RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true, :use_path=>true)
307
307
  end
308
308
 
309
309
  def otp_user_key
@@ -144,7 +144,7 @@ module Rodauth
144
144
  opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
145
145
  opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
146
146
  opts[:path] = "/" unless opts.key?(:path)
147
- opts[:httponly] = true unless opts.key?(:httponly)
147
+ opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
148
148
  opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
149
149
  ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
150
150
  end
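Review bot: The changed line now treats `:http_only` as an alias for `:httponly`, but nothing at the site says why two spellings are checked, so the guard reads as redundant and is at risk of being "simplified" back to one key, which would again override a caller's explicit `http_only: false`. Suggest `# Rack accepts both :httponly and :http_only; honor either so a caller-supplied value is not overridden` above the line. The enclosing method starts before the hunk, so the origin of `opts` is not visible here.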
@@ -468,7 +468,7 @@ module Rodauth
468
468
  end
469
469
 
470
470
  def _two_factor_remove_all_from_session
471
- two_factor_remove_session('sms_codes')
471
+ two_factor_remove_session('sms_code')
472
472
  super
473
473
  end
474
474
 
@@ -195,8 +195,7 @@ module Rodauth
195
195
  if account_from_login(login) && allow_resending_verify_account_email?
196
196
  set_response_error_reason_status(:already_an_unverified_account_with_this_login, unopen_account_error_status)
197
197
  set_error_flash attempt_to_create_unverified_account_error_flash
198
- response.write resend_verify_account_view
199
- request.halt
198
+ return_response resend_verify_account_view
200
199
  end
201
200
  super
202
201
  end
@@ -268,8 +267,7 @@ module Rodauth
268
267
  unless open_account?
269
268
  set_response_error_reason_status(:unverified_account, unopen_account_error_status)
270
269
  set_error_flash attempt_to_login_to_unverified_account_error_flash
271
- response.write resend_verify_account_view
272
- request.halt
270
+ return_response resend_verify_account_view
273
271
  end
274
272
  super
275
273
  end
@@ -6,7 +6,7 @@ module Rodauth
6
6
  MAJOR = 2
7
7
 
8
8
  # The minor version of Rodauth, updated for new feature releases of Rodauth.
9
- MINOR = 22
9
+ MINOR = 23
10
10
 
11
11
  # The patch version of Rodauth, updated only for bug fixes from the last
12
12
  # feature release.
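--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-version: 2.22.0
+version: 2.23.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-22 00:00:00.000000000 Z
+date: 2022-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: sequel
@@ -338,6 +338,7 @@ extra_rdoc_files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -447,6 +448,7 @@ files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt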