rodauth 2.22.0 → 2.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f20339f12a4abc3d970bebd785c10d788ecb51c46f787beda3ff8a0d9a337706
-  data.tar.gz: 1a930e230aff9f64d7af359211fc9c568a93978372a5813612c964b673c8f6aa
+  metadata.gz: 934d5c19d29c583ebc73a057ba96a1c321741a64c965b22f4a243a42f56eab81
+  data.tar.gz: 6398ec3d3bc1ee36a2195909b545ba5df9f0282c5a5b9136babb3538f21cb98e
 SHA512:
-  metadata.gz: '030017944284769f16d83e1454d1b7c1bdf8ec6cd1c8201e7c7feba17f0809201b436f452ed660392f78253f196ca76d4062bc94dd64c1227a4f75937ef42f2c'
-  data.tar.gz: e05d2d37f2c32808bb482e7f2ddd332ad34fe6478dc8ea842b84ba45fdd1e9330c081e139235abc2b7a79c0827df92f36350d35ef4b108056b0ac1b8f8a991e0
+  metadata.gz: 32bae60cf66d97326397f3429d74ac2e7093afae74c59191bba5013ad6c7ec46782ddfa54c0a28b9a68c38cbf52b7e5071cd9d4eb7e434e5632c70842658120c
+  data.tar.gz: b157ffa28b3f539c7618d747ab8cee321de6fbfdac11c603176b325ce54d10294a9b8860715a27c08e7d6128928e78d51e8f776b0201fcadec99075354c32f51

data/CHANGELOG

@@ -1,3 +1,27 @@
+=== 2.25.0 (2022-06-22)
+
+* Support disabling routes by passing nil/false to *_route methods (janko) (#245)
+
+=== 2.24.0 (2022-05-24)
+
+* Work around implicit null byte check added in bcrypt 3.1.18 by checking password requirements before other password checks (jeremyevans)
+
+* Fix invalid HTML on pages with OTP QR codes (jeremyevans)
+
+* Add recovery_codes_available? configuration method to the recovery_codes feature (janko) (#238)
+
+* Add otp_available? configuration method to the otp feature (janko) (#238)
+
+=== 2.23.0 (2022-04-22)
+
+* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
+
+* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
+
+* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
+
+* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
+
 === 2.22.0 (2022-03-22)
 
 * Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)

data/README.rdoc

@@ -1294,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
 inside the middleware, you can easily provide a way for your
 application to call Rodauth methods.
 
+If you're using the remember feature with +extend_remember_deadline?+ set to
+true, you'll want to load roda's middleware plugin with
++forward_response_headers: true+ option, so that +Set-Cookie+ header changes
+from the +load_memory+ call in the route block are propagated when the request
+is forwarded to the main app.
+
 Here are some examples of integrating Rodauth into applications that
 don't use Roda:
 
@@ -1495,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
 
 All of these are Rails-specific:
 
-* Devise
-* Authlogic
-* Sorcery
+* {Devise}[https://github.com/heartcombo/devise]
+* {Authlogic}[https://github.com/binarylogic/authlogic]
+* {Sorcery}[https://github.com/Sorcery/sorcery]
 
 == Author
 

data/doc/guides/paths.rdoc

@@ -37,3 +37,15 @@ setting:
 
     # ...
   end
+
+There are cases where you may want to disable certain routes. For example, you
+may want to enable the create_account feature to allow creating admins, but
+only make it possible programmatically via internal requests. In this case,
+you should set the corresponding <tt>*_route</tt> method to +nil+:
+
+  plugin :rodauth, name: :admin do
+    enable :create_account
+
+    # disable the /create-account route
+    create_account_route nil
+  end

data/doc/otp.rdoc

@@ -70,6 +70,7 @@ before_otp_setup_route :: Run arbitrary code before handling an OTP authenticati
 otp :: The object used for verifying OTP authentication attempts.
 otp_add_key(secret) :: Add an OTP key for the current account with the given secret.
 otp_auth_view :: The HTML to use for the OTP authentication form.
+otp_available? :: Whether OTP authentication is ready for use.
 otp_disable_view :: The HTML to use for the OTP disable form.
 otp_exists? :: Whether the current account has setup OTP.
 otp_key :: The stored OTP secret for the account.

data/doc/recovery_codes.rdoc

@@ -57,4 +57,5 @@ new_recovery_code :: A new recovery code to insert into the recovery codes table
 recovery_auth_view :: The HTML to use for the form to authenticate via a recovery code.
 recovery_code_match?(code) :: Whether the given code matches any of the existing recovery_codes.
 recovery_codes :: An array containing all valid recovery codes for the current account.
+recovery_codes_available? :: Whether authentication via recovery codes is ready for use.
 recovery_codes_view :: The HTML to use for the form to view recovery codes.

data/doc/release_notes/2.23.0.txt

@@ -0,0 +1,15 @@
+= Improvements
+
+* The otp feature now uses the :use_path option when rendering QR
+  codes, resulting in significantly smaller svg images.
+
+* Removing all multifactor authentication methods now removes the fact
+  that the session was authenticated via SMS, if the user used SMS as
+  an authentication method for the current session.
+
+* The invalid domain check in the internal_request feature now works
+  correctly when using the rack master branch.
+
+* The :httponly cookie option is no longer set automatically in the
+  remember feature if the :http_only cookie option was provided by the
+  user (rack recognizes both options).

data/doc/release_notes/2.24.0.txt

@@ -0,0 +1,15 @@
+= New Features
+
+* rodauth.otp_available? has been added for checking whether the
+  account is allowed to authenticate with OTP.  It returns true
+  when the account has setup OTP and OTP use is not locked out.
+
+* rodauth.recovery_codes_available? has been added for checking
+  whether the account is allowed to authenticate using a recovery
+  code.  It returns true when there are any available recovery
+  codes for the account to use.
+
+= Other Improvements
+
+* The otp feature no longer includes the <?xml> tag for svg images,
+  since that results in invalid HTML.

data/doc/release_notes/2.25.0.txt

@@ -0,0 +1,8 @@
+= New Features
+
+* You can now disable routing to specific routes by calling the
+  related *_route configuration method with nil or false.  The main
+  reason you would want to do this is if you want to load a feature,
+  but only want to use it for internal requests (using the
+  internal_request feature), and not have the feature's routes exposed
+  to users.

data/lib/rodauth/features/base.rb

@@ -1,5 +1,8 @@
 # frozen-string-literal: true
 
+require 'rack/request'
+require 'rack/utils'
+
 module Rodauth
   Feature.define(:base, :Base) do
     after 'login'
@@ -399,7 +402,10 @@ module Rodauth
       db.extension :date_arithmetic if use_date_arithmetic?
       route_hash= {}
       self.class.routes.each do |meth|
-        route_hash["/#{send("#{meth.to_s.sub(/\Ahandle_/, '')}_route")}"] = meth
+        route_meth = "#{meth.to_s.sub(/\Ahandle_/, '')}_route"
+        if route = send(route_meth)
+          route_hash["/#{route}"] = meth
+        end
       end
       self.class.route_hash = route_hash.freeze
     end
@@ -511,6 +517,11 @@ module Rodauth
       request.redirect(path)
     end
 
+    def return_response(body=nil)
+      response.write(body) if body
+      request.halt
+    end
+
     def route_path(route, opts={})
       path  = "#{prefix}/#{route}"
       path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?

data/lib/rodauth/features/http_basic_auth.rb

@@ -27,7 +27,7 @@ module Rodauth
     def require_http_basic_auth
       unless http_basic_auth
         set_http_basic_auth_error_response
-        request.halt
+        return_response
       end
     end
 

data/lib/rodauth/features/internal_request.rb

@@ -40,7 +40,7 @@ module Rodauth
 
     def domain
       d = super
-      if d == INVALID_DOMAIN
+      if d.nil? || d == INVALID_DOMAIN
         raise InternalRequestError, "must set domain in configuration, as it cannot be determined from internal request"
       end
       d

data/lib/rodauth/features/json.rb

@@ -156,8 +156,7 @@ module Rodauth
         end
       elsif only_json?
         response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
+        return_response non_json_request_error_message
       end
 
       super
@@ -175,8 +174,7 @@ module Rodauth
     def _return_json_response
       response.status ||= json_response_error_status if json_response[json_response_error_key]
       response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      return_response _json_response_body(json_response)
     end
 
     def include_success_messages?

data/lib/rodauth/features/jwt_cors.rb

@@ -41,7 +41,7 @@ module Rodauth
           response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
           response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
           response.status = 204
-          request.halt(response.finish)
+          return_response
         end
 
         response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers

data/lib/rodauth/features/lockout.rb

@@ -277,8 +277,7 @@ module Rodauth
     def show_lockout_page
       set_response_error_reason_status(:account_locked_out, lockout_error_status)
       set_error_flash login_lockout_error_flash
-      response.write unlock_account_request_view
-      request.halt
+      return_response unlock_account_request_view
     end
 
     def unlock_account_email_recently_sent?

data/lib/rodauth/features/otp.rb

@@ -76,6 +76,7 @@ module Rodauth
     )
 
     auth_methods(
+      :otp_available?,
       :otp_exists?,
       :otp_last_use,
       :otp_locked_out?,
@@ -238,6 +239,10 @@ module Rodauth
       end
     end
 
+    def otp_available?
+      otp_exists? && !otp_locked_out?
+    end
+
     def otp_exists?
       !otp_key.nil?
     end
@@ -303,7 +308,8 @@ module Rodauth
     end
 
     def otp_qr_code
-      RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true)
+      svg = RQRCode::QRCode.new(otp_provisioning_uri).as_svg(:module_size=>8, :viewbox=>true, :use_path=>true)
+      svg.sub(/\A<\?xml version="1\.0" standalone="yes"\?>/, '')
     end
 
     def otp_user_key
@@ -328,7 +334,7 @@ module Rodauth
 
     def _two_factor_auth_links
       links = super
-      links << [20, otp_auth_path, otp_auth_link_text] if otp_exists? && !otp_locked_out?
+      links << [20, otp_auth_path, otp_auth_link_text] if otp_available?
       links
     end
 

data/lib/rodauth/features/recovery_codes.rb

@@ -57,6 +57,7 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
+      :recovery_codes_available?,
     )
 
     internal_request_method :recovery_codes
@@ -192,6 +193,10 @@ module Rodauth
       end
     end
 
+    def recovery_codes_available?
+      !recovery_codes_ds.empty?
+    end
+
     def possible_authentication_methods
       methods = super
       methods << 'recovery_code' unless recovery_codes_ds.empty?
@@ -202,7 +207,7 @@ module Rodauth
 
     def _two_factor_auth_links
       links = super
-      links << [40, recovery_auth_path, recovery_auth_link_text] unless recovery_codes_ds.empty?
+      links << [40, recovery_auth_path, recovery_auth_link_text] if recovery_codes_available?
       links
     end
 

data/lib/rodauth/features/remember.rb

@@ -144,7 +144,7 @@ module Rodauth
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
       opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end

data/lib/rodauth/features/reset_password.rb

@@ -130,6 +130,10 @@ module Rodauth
 
         password = param(password_param)
         catch_error do
+          unless password_meets_requirements?(password)
+            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
+          end
+
           if password_match?(password) 
             throw_error_reason(:same_as_existing_password, invalid_field_error_status, password_param, same_as_existing_password_message)
           end
@@ -138,10 +142,6 @@ module Rodauth
             throw_error_reason(:passwords_do_not_match, unmatched_field_error_status, password_param, passwords_do_not_match_message)
           end
 
-          unless password_meets_requirements?(password)
-            throw_error_status(invalid_field_error_status, password_param, password_does_not_meet_requirements_message)
-          end
-
           transaction do
             before_reset_password
             set_password(password)

data/lib/rodauth/features/sms_codes.rb

@@ -430,7 +430,7 @@ module Rodauth
     end
 
     def sms_available?
-      sms && !sms_needs_confirmation? && !sms_locked_out?
+      sms_setup? && !sms_locked_out?
     end
 
     def sms_locked_out?
@@ -468,7 +468,7 @@ module Rodauth
     end
 
     def _two_factor_remove_all_from_session
-      two_factor_remove_session('sms_codes')
+      two_factor_remove_session('sms_code')
       super
     end
 

data/lib/rodauth/features/verify_account.rb

@@ -195,8 +195,7 @@ module Rodauth
       if account_from_login(login) && allow_resending_verify_account_email?
         set_response_error_reason_status(:already_an_unverified_account_with_this_login, unopen_account_error_status)
         set_error_flash attempt_to_create_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end
@@ -268,8 +267,7 @@ module Rodauth
       unless open_account?
         set_response_error_reason_status(:unverified_account, unopen_account_error_status)
         set_error_flash attempt_to_login_to_unverified_account_error_flash
-        response.write resend_verify_account_view
-        request.halt
+        return_response resend_verify_account_view
       end
       super
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 22
+  MINOR = 25
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.22.0
+  version: 2.25.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-22 00:00:00.000000000 Z
+date: 2022-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -338,6 +338,9 @@ extra_rdoc_files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
+- doc/release_notes/2.24.0.txt
+- doc/release_notes/2.25.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -447,6 +450,9 @@ files:
 - doc/release_notes/2.20.0.txt
 - doc/release_notes/2.21.0.txt
 - doc/release_notes/2.22.0.txt
+- doc/release_notes/2.23.0.txt
+- doc/release_notes/2.24.0.txt
+- doc/release_notes/2.25.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -573,13 +579,13 @@ files:
 - templates/webauthn-auth.str
 - templates/webauthn-remove.str
 - templates/webauthn-setup.str
-homepage: https://github.com/jeremyevans/rodauth
+homepage: https://rodauth.jeremyevans.net
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jeremyevans/rodauth/issues
-  changelog_uri: http://rodauth.jeremyevans.net/rdoc/files/CHANGELOG.html
-  documentation_uri: http://rodauth.jeremyevans.net/documentation.html
+  changelog_uri: https://rodauth.jeremyevans.net/rdoc/files/CHANGELOG.html
+  documentation_uri: https://rodauth.jeremyevans.net/documentation.html
   mailing_list_uri: https://github.com/jeremyevans/rodauth/discussions
   source_code_uri: https://github.com/jeremyevans/rodauth
 post_install_message: