RubyGems - rodauth - Versions diffs - 2.22.0 → 2.23.0 - Mend

rodauth 2.22.0 → 2.23.0

Files changed (16) hide show

checksums.yaml +4 -4
data/CHANGELOG +10 -0
data/README.rdoc +9 -3
data/doc/release_notes/2.23.0.txt +15 -0
data/lib/rodauth/features/base.rb +8 -0
data/lib/rodauth/features/http_basic_auth.rb +1 -1
data/lib/rodauth/features/internal_request.rb +1 -1
data/lib/rodauth/features/json.rb +2 -4
data/lib/rodauth/features/jwt_cors.rb +1 -1
data/lib/rodauth/features/lockout.rb +1 -2
data/lib/rodauth/features/otp.rb +1 -1
data/lib/rodauth/features/remember.rb +1 -1
data/lib/rodauth/features/sms_codes.rb +1 -1
data/lib/rodauth/features/verify_account.rb +2 -4
data/lib/rodauth/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f20339f12a4abc3d970bebd785c10d788ecb51c46f787beda3ff8a0d9a337706
-  data.tar.gz: 1a930e230aff9f64d7af359211fc9c568a93978372a5813612c964b673c8f6aa
+  metadata.gz: 707e580a46dc470c4fffc91eca813495d0fb6330312131fd17b4b87db8415cc2
+  data.tar.gz: d73099f372d594438da78614ac974f1b9343aa4c9de93f162b9432a77f0e0ae6
 SHA512:
-  metadata.gz: '030017944284769f16d83e1454d1b7c1bdf8ec6cd1c8201e7c7feba17f0809201b436f452ed660392f78253f196ca76d4062bc94dd64c1227a4f75937ef42f2c'
-  data.tar.gz: e05d2d37f2c32808bb482e7f2ddd332ad34fe6478dc8ea842b84ba45fdd1e9330c081e139235abc2b7a79c0827df92f36350d35ef4b108056b0ac1b8f8a991e0
+  metadata.gz: d0005518db3164d29e4be62b76035ccb98df3f8d0f7d129624a099032b5566f125041656d11c798d0fa14b3c2b40a19df18fe5fc1df6c38603ba4660baf9d7b1
+  data.tar.gz: 9b585c6e4f7338609b404cbd4e35fa96467d8f04d9a98089729d7f757b7920afbb1d99a9b028519aa211ad4bd16c7b96d4e3945647a4eaf81691abf6b1a64aae

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,13 @@
+=== 2.23.0 (2022-04-22)
+* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
+* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
+* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
+* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
 === 2.22.0 (2022-03-22)
 * Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)

data/README.rdoc CHANGED Viewed

@@ -1294,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
 inside the middleware, you can easily provide a way for your
 application to call Rodauth methods.
+If you're using the remember feature with +extend_remember_deadline?+ set to
+true, you'll want to load roda's middleware plugin with
++forward_response_headers: true+ option, so that +Set-Cookie+ header changes
+from the +load_memory+ call in the route block are propagated when the request
+is forwarded to the main app.
 Here are some examples of integrating Rodauth into applications that
 don't use Roda:
@@ -1495,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
 All of these are Rails-specific:
-* Devise
-* Authlogic
-* Sorcery
+* {Devise}[https://github.com/heartcombo/devise]
+* {Authlogic}[https://github.com/binarylogic/authlogic]
+* {Sorcery}[https://github.com/Sorcery/sorcery]
 == Author

data/doc/release_notes/2.23.0.txt ADDED Viewed

@@ -0,0 +1,15 @@
+= Improvements
+* The otp feature now uses the :use_path option when rendering QR
+  codes, resulting in significantly smaller svg images.
+* Removing all multifactor authentication methods now removes the fact
+  that the session was authenticated via SMS, if the user used SMS as
+  an authentication method for the current session.
+* The invalid domain check in the internal_request feature now works
+  correctly when using the rack master branch.
+* The :httponly cookie option is no longer set automatically in the
+  remember feature if the :http_only cookie option was provided by the
+  user (rack recognizes both options).

data/lib/rodauth/features/base.rb CHANGED Viewed

@@ -1,5 +1,8 @@
 # frozen-string-literal: true
+require 'rack/request'
+require 'rack/utils'
 module Rodauth
   Feature.define(:base, :Base) do
     after 'login'
@@ -511,6 +514,11 @@ module Rodauth
       request.redirect(path)
     end
+    def return_response(body=nil)
+      response.write(body) if body
+      request.halt
+    end
     def route_path(route, opts={})
       path  = "#{prefix}/#{route}"
       path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?

data/lib/rodauth/features/http_basic_auth.rb CHANGED Viewed

@@ -27,7 +27,7 @@ module Rodauth
     def require_http_basic_auth
       unless http_basic_auth
         set_http_basic_auth_error_response
-        request.halt
+        return_response
       end
     end

data/lib/rodauth/features/internal_request.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module Rodauth
     def domain
       d = super
-      if d == INVALID_DOMAIN
+      if d.nil? || d == INVALID_DOMAIN
         raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
       end
       d

data/lib/rodauth/features/json.rb CHANGED Viewed

@@ -156,8 +156,7 @@ module Rodauth
         end
       elsif only_json?
         response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
+        return_response non_json_request_error_message
       end
       super
@@ -175,8 +174,7 @@ module Rodauth
     def _return_json_response
       response.status ||= json_response_error_status if json_response[json_response_error_key]
       response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      return_response _json_response_body(json_response)
     end
     def include_success_messages?

data/lib/rodauth/features/jwt_cors.rb CHANGED Viewed

@@ -41,7 +41,7 @@ module Rodauth
           response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
           response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
           response.status = 204
-          request.halt(response.finish)
+          return_response
         end
         response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers

data/lib/rodauth/features/lockout.rb CHANGED Viewed

@@ -277,8 +277,7 @@ module Rodauth
     def show_lockout_page
       set_response_error_reason_status(:account_locked_out, lockout_error_status)
       set_error_flash login_lockout_error_flash
-      response.write unlock_account_request_view
-      request.halt
+      return_response unlock_account_request_view
     end
     def unlock_account_email_recently_sent?

data/lib/rodauth/features/otp.rb CHANGED Viewed

@@ -303,7 +303,7 @@ module Rodauth
     end
     def otp_qr_code
-      RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true)
+      RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true, :use_path=>true)
     end
     def otp_user_key

data/lib/rodauth/features/remember.rb CHANGED Viewed

@@ -144,7 +144,7 @@ module Rodauth
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
       opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end

data/lib/rodauth/features/sms_codes.rb CHANGED Viewed

@@ -468,7 +468,7 @@ module Rodauth
     end
     def _two_factor_remove_all_from_session
-      two_factor_remove_session('sms_codes')
+      two_factor_remove_session('sms_code')
       super
     end

data/lib/rodauth/features/verify_account.rb CHANGED Viewed

@@ -195,8 +195,7 @@ module Rodauth
       if account_from_login(login) && allow_resending_verify_account_email?
         set_response_error_reason_status(:already_an_unverified_account_with_this_login, unopen_account_error_status)
         set_error_flash attempt_to_create_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end
@@ -268,8 +267,7 @@ module Rodauth
       unless open_account?
         set_response_error_reason_status(:unverified_account, unopen_account_error_status)
         set_error_flash attempt_to_login_to_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end

data/lib/rodauth/version.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 22
+  MINOR = 23
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.22.0
+  version: 2.23.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-22 00:00:00.000000000 Z
+date: 2022-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -338,6 +338,7 @@ extra_rdoc_files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -447,6 +448,7 @@ files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt