rodauth 2.26.1 → 2.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f30e5f8dc756435bee2a6956764516d6697434f507e3226562659807a02b2f0a
-  data.tar.gz: 71738c31b50b8f82f351eabf0743eb3439cf7519782a10483d16a32a3d0b709b
+  metadata.gz: eeb08d35b1a9cf7c0a5393bbcf831d41fa0ff1a9d822761ef63c149723d79db2
+  data.tar.gz: 8a890d1659b1a0634960420ab0546db1e76363dad7c43dc01a0b05dfe4cc85e3
 SHA512:
-  metadata.gz: 7b28515139d2894a9a6164e6ef6f95aebe33b8be4b54548bb4d5c616dd380c7eeb7ff9470c1ac8dc044bbcafb373b596324286f48c860375ed3e1b85aebb6b84
-  data.tar.gz: 20445419c0e2af068dc3141976cda754e71bfcd96204c1f97215e81764afe4376a58f03cbd6d53c524364e3b56e4ae20ff34904b876a4dcc7beb89254e698b80
+  metadata.gz: 1e27b99b1fa245aab6c600257fc82fcae6789d31105047d06d39eae185064d08917359ba8eb631b94dcfa7aa6a05be77e700a8935070b8467bcac25bbd3e2cb1
+  data.tar.gz: 71bfbebd641cc594889fa4d82086a17b250388796990d24b8240acb6e668fe41b52f9b1727b4b8b49846cc13574b398da0ae7c4f092436d027a4719df96f0e75

data/CHANGELOG

@@ -1,3 +1,13 @@
+=== 2.27.0 (2023-01-24)
+
+* Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
+
+* Hide WebAuthn text inputs by default when using Bootstrap (janko) (#294)
+
+* Attempt to avoid database errors when invalid tokens are submitted (jeremyevans)
+
+* Allow button template to be overridden just as other templates can be (jeremyevans) (#280)
+
 === 2.26.1 (2022-11-08)
 
 * Fix regression in QR code generation in otp feature causing all black QR code (janko) (#279)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2021 Jeremy Evans
+Copyright (c) 2015-2023 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/doc/base.rdoc

@@ -35,6 +35,7 @@ cache_templates :: Whether to cache templates. True by default. It may be worth
 check_csrf? :: Whether Rodauth should use Roda's +check_csrf!+ method for checking CSRF tokens before dispatching to Rodauth routes, true by default.
 check_csrf_opts :: Options to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
 check_csrf_block :: Proc for block to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
+convert_token_id_to_integer? :: Whether token ids should be converted to a valid 64-bit integer value.  If not set, defaults to true if +account_id_column+ uses an integer type, and false otherwise.
 default_field_attributes :: The default attributes to use for input field tags, if field_attributes returns nil for the field.
 default_redirect :: Where to redirect after most successful actions.
 field_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name).
@@ -96,6 +97,7 @@ before_login_attempt :: Run arbitrary code after an account has been located, bu
 before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
 check_csrf :: Checks CSRF token using Roda's +check_csrf!+ method.
 clear_session :: Clears the current session.
+convert_token_id(id) :: Convert the token id string to an appropriate object to use for the token id (or return +nil+ to signal an invalid token id).  By default, converts to a 64-bit signed integer if +convert_token_id_to_integer?+ is true.
 csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
 function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
 logged_in? :: Whether the current session is logged in.

data/doc/release_notes/2.27.0.txt

@@ -0,0 +1,35 @@
+= Improvements
+
+* Token ids submitting in requests are now converted to integers if
+  the configuration uses an integer primary key for the accounts
+  table.  If the configuration uses a non-integer primary key for
+  the accounts table, the convert_token_id configuration method can
+  be used, which should return the token id converted to the
+  appropriate type, or nil if the token id is not valid for the type.
+
+  This revised handling avoids raising a database error when an
+  invalid token is submitted.
+
+* The button template can now be overridden in the same way that
+  other Rodauth templates can be overridden.
+
+* When using the Bootstrap CSS framework, the text field in the
+  Webauthn setup and auth forms is automatically hidden.  The text
+  field already had a rodauth-hidden class to make it easy to hide
+  when using other CSS frameworks.
+
+* The email_from and email_to methods are now public instead of
+  private.
+
+* A nicer error is raised if the Sequel Database object is missing.
+
+* A regression in the TOTP QR output that resulted in the QR codes
+  being solid black squares has been fixed (this was fixed in
+  Rodauth 2.26.1).
+
+= Backwards Compatibility
+
+* The webauth_credentials_for_get method in the webauthn feature has
+  been renamed to webauthn_credentials_for_get for consistency with
+  other methods.  The webauth_credentials_for_get method will still
+  work until Rodauth 3, but will issue deprecation warnings.

data/doc/webauthn.rdoc

@@ -104,7 +104,7 @@ remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the
 remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
 valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
 valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
-webauth_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
+webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
 webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
 webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
 webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.

data/lib/rodauth/features/base.rb

@@ -24,6 +24,7 @@ module Rodauth
     auth_value_method :check_csrf_block, nil
     auth_value_method :check_csrf_opts, {}.freeze
     auth_value_method :default_redirect, '/'
+    auth_value_method :convert_token_id_to_integer?, nil
     flash_key :flash_error_key, :error
     flash_key :flash_notice_key, :notice
     auth_value_method :hmac_secret, nil
@@ -115,6 +116,7 @@ module Rodauth
     auth_private_methods(
       :account_from_login,
       :account_from_session,
+      :convert_token_id,
       :field_attributes,
       :field_error_attributes,
       :formatted_field_error,
@@ -264,7 +266,7 @@ module Rodauth
     end
 
     def db
-      Sequel::DATABASES.first
+      Sequel::DATABASES.first or raise "Sequel database connection is missing"
     end
 
     def password_field_autocomplete_value
@@ -376,10 +378,9 @@ module Rodauth
     def button_opts(value, opts)
       opts = Hash[template_opts].merge!(opts)
       opts[:locals] = {:value=>value, :opts=>opts}
-      opts[:path] = template_path('button')
       opts[:cache] = cache_templates
       opts[:cache_key] = :rodauth_button
-      opts
+      _template_opts(opts, 'button')
     end
 
     def button(value, opts={})
@@ -402,6 +403,11 @@ module Rodauth
     def post_configure
       require 'bcrypt' if require_bcrypt?
       db.extension :date_arithmetic if use_date_arithmetic?
+
+      if convert_token_id_to_integer?.nil? && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
+        self.class.send(:define_method, :convert_token_id_to_integer?){true}
+      end
+
       route_hash= {}
       self.class.routes.each do |meth|
         route_meth = "#{meth.to_s.sub(/\Ahandle_/, '')}_route"
@@ -521,6 +527,25 @@ module Rodauth
       token.split(token_separator, 2)
     end
 
+    def convert_token_id(id)
+      if convert_token_id_to_integer?
+        convert_token_id_to_integer(id)
+      else
+        id
+      end
+    end
+
+    def convert_token_id_to_integer(id)
+      if id = (Integer(id, 10) rescue nil)
+        if id > 9223372036854775807 || id < -9223372036854775808
+          # Only allow 64-bit signed integer range to avoid problems on PostgreSQL
+          id = nil
+        end
+      end
+
+      id
+    end
+
     def redirect(path)
       request.redirect(path)
     end
@@ -817,12 +842,16 @@ module Rodauth
       opts[:locals][:rodauth] = self
       opts[:cache] = cache_templates
       opts[:cache_key] = :"rodauth_#{page}"
+      _template_opts(opts, page)
+    end
 
+    # Set the template path only if there isn't an overridden template in the application.
+    # Result should replace existing template opts.
+    def _template_opts(opts, page)
       opts = scope.send(:find_template, scope.send(:parse_template_opts, page, opts))
       unless File.file?(scope.send(:template_path, opts))
         opts[:path] = template_path(page)
       end
-
       opts
     end
 

data/lib/rodauth/features/email_base.rb

@@ -23,6 +23,14 @@ module Rodauth
       require 'mail' if require_mail?
     end
 
+    def email_from
+      "webmaster@#{domain}"
+    end
+
+    def email_to
+      account[login_column]
+    end
+
     private
 
     def send_email(email)
@@ -42,14 +50,6 @@ module Rodauth
       m
     end
 
-    def email_from
-      "webmaster@#{domain}"
-    end
-
-    def email_to
-      account[login_column]
-    end
-
     def token_link(route, param, key)
       route_url(route, param => token_param_value(key))
     end
@@ -64,6 +64,7 @@ module Rodauth
 
     def account_from_key(token, status_id=nil)
       id, key = split_token(token)
+      id = convert_token_id(id)
       return unless id && key
 
       return unless actual = yield(id)

data/lib/rodauth/features/json.rb

@@ -107,7 +107,7 @@ module Rodauth
     def before_webauthn_auth_route
       super if defined?(super)
       if use_json? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
+        cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge
         json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
@@ -117,7 +117,7 @@ module Rodauth
     def before_webauthn_login_route
       super if defined?(super)
       if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
+        cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge
         json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)

data/lib/rodauth/features/jwt_refresh.rb

@@ -112,7 +112,7 @@ module Rodauth
       id, token_id, key = _account_refresh_token_split(token)
 
       unless key &&
-             (id == session_value.to_s) &&
+             (id.to_s == session_value.to_s) &&
              (actual = get_active_refresh_token(id, token_id)) &&
              timing_safe_eql?(key, convert_token_key(actual)) &&
              jwt_refresh_token_match?(key)
@@ -126,9 +126,11 @@ module Rodauth
 
     def _account_refresh_token_split(token)
       id, token = split_token(token)
+      id = convert_token_id(id)
       return unless id && token
 
       token_id, key = split_token(token)
+      token_id = convert_token_id(token_id)
       return unless token_id && key
 
       [id, token_id, key]

data/lib/rodauth/features/webauthn.rb

@@ -102,13 +102,15 @@ module Rodauth
       :valid_new_webauthn_credential?,
       :valid_webauthn_credential_auth?,
       :webauthn_auth_js_path,
-      :webauth_credential_options_for_get,
+      :webauthn_credential_options_for_get,
       :webauthn_remove_authenticated_session,
       :webauthn_setup_js_path,
       :webauthn_update_session,
       :webauthn_user_name,
     )
 
+    def_deprecated_alias :webauthn_credential_options_for_get, :webauth_credential_options_for_get
+
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do
@@ -315,7 +317,7 @@ module Rodauth
         webauthn_credential.verify(challenge)
     end
 
-    def webauth_credential_options_for_get
+    def webauthn_credential_options_for_get
       WebAuthn::Credential.options_for_get(
         :allow => account_webauthn_ids,
         :timeout => webauthn_auth_timeout,

data/lib/rodauth/version.rb

@@ -6,11 +6,11 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 26
+  MINOR = 27
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.
-  TINY = 1
+  TINY = 0
 
   # The full version of Rodauth as a string
   VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze

data/templates/webauthn-auth.str

@@ -1,9 +1,9 @@
-<form method="post" action="#{rodauth.webauthn_auth_form_path}" class="rodauth" role="form" id="webauthn-auth-form" data-credential-options="#{h((cred = rodauth.webauth_credential_options_for_get).as_json.to_json)}">
+<form method="post" action="#{rodauth.webauthn_auth_form_path}" class="rodauth" role="form" id="webauthn-auth-form" data-credential-options="#{h((cred = rodauth.webauthn_credential_options_for_get).as_json.to_json)}">
   #{rodauth.webauthn_auth_additional_form_tags}
   #{rodauth.csrf_tag(rodauth.webauthn_auth_form_path)}
   <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
   <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
-  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
   <div id="webauthn-auth-button"> 
     #{rodauth.button(rodauth.webauthn_auth_button)}
   </div>

data/templates/webauthn-setup.str

@@ -3,7 +3,7 @@
   #{rodauth.csrf_tag}
   <input type="hidden" name="#{rodauth.webauthn_setup_challenge_param}" value="#{cred.challenge}" />
   <input type="hidden" name="#{rodauth.webauthn_setup_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
-  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_setup_param}" id="webauthn-setup" value="" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_setup_param}" id="webauthn-setup" value="" />
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
   <div id="webauthn-setup-button"> 
     #{rodauth.button(rodauth.webauthn_setup_button)}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.26.1
+  version: 2.27.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-08 00:00:00.000000000 Z
+date: 2023-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -342,6 +342,7 @@ extra_rdoc_files:
 - doc/release_notes/2.24.0.txt
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
+- doc/release_notes/2.27.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -455,6 +456,7 @@ files:
 - doc/release_notes/2.24.0.txt
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
+- doc/release_notes/2.27.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -612,7 +614,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications