rodauth 2.26.1 → 2.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f30e5f8dc756435bee2a6956764516d6697434f507e3226562659807a02b2f0a
-  data.tar.gz: 71738c31b50b8f82f351eabf0743eb3439cf7519782a10483d16a32a3d0b709b
+  metadata.gz: 15ed571757453e13ded3557bd2736779546b2c759230f8ee9070976a0207899e
+  data.tar.gz: 9aa5adf648fa1449a75a03d62ae4907f71d41adc49e81fde8da52097042c986c
 SHA512:
-  metadata.gz: 7b28515139d2894a9a6164e6ef6f95aebe33b8be4b54548bb4d5c616dd380c7eeb7ff9470c1ac8dc044bbcafb373b596324286f48c860375ed3e1b85aebb6b84
-  data.tar.gz: 20445419c0e2af068dc3141976cda754e71bfcd96204c1f97215e81764afe4376a58f03cbd6d53c524364e3b56e4ae20ff34904b876a4dcc7beb89254e698b80
+  metadata.gz: bdae4bbe3d9c471f967a8b24741504494a4003edce0c265dba9026694d64c08f61bd74cdbf80bded79e3b2c163fe7d273fcf72741f986711891fea5e481c501f
+  data.tar.gz: 5c6352c91b52012c6869a149e61887a1a6e0ace76557f2c4922eb699dc4da7f08a1265c5548bff25a3f617fa0a3b565b6d00f3472822d32812ae6261a4bcc95c

data/CHANGELOG

@@ -1,3 +1,23 @@
+=== 2.28.0 (2023-02-22)
+
+* Skip rendering reset password request form on invalid internal request logins (janko) (#303)
+
+* Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
+
+* Make password_hash method public (janko) (#299)
+
+* Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)
+
+=== 2.27.0 (2023-01-24)
+
+* Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
+
+* Hide WebAuthn text inputs by default when using Bootstrap (janko) (#294)
+
+* Attempt to avoid database errors when invalid tokens are submitted (jeremyevans)
+
+* Allow button template to be overridden just as other templates can be (jeremyevans) (#280)
+
 === 2.26.1 (2022-11-08)
 
 * Fix regression in QR code generation in otp feature causing all black QR code (janko) (#279)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2021 Jeremy Evans
+Copyright (c) 2015-2023 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/doc/base.rdoc

@@ -35,6 +35,7 @@ cache_templates :: Whether to cache templates. True by default. It may be worth
 check_csrf? :: Whether Rodauth should use Roda's +check_csrf!+ method for checking CSRF tokens before dispatching to Rodauth routes, true by default.
 check_csrf_opts :: Options to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
 check_csrf_block :: Proc for block to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
+convert_token_id_to_integer? :: Whether token ids should be converted to a valid 64-bit integer value.  If not set, defaults to true if +account_id_column+ uses an integer type, and false otherwise.
 default_field_attributes :: The default attributes to use for input field tags, if field_attributes returns nil for the field.
 default_redirect :: Where to redirect after most successful actions.
 field_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name).
@@ -96,6 +97,7 @@ before_login_attempt :: Run arbitrary code after an account has been located, bu
 before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
 check_csrf :: Checks CSRF token using Roda's +check_csrf!+ method.
 clear_session :: Clears the current session.
+convert_token_id(id) :: Convert the token id string to an appropriate object to use for the token id (or return +nil+ to signal an invalid token id).  By default, converts to a 64-bit signed integer if +convert_token_id_to_integer?+ is true.
 csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
 function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
 logged_in? :: Whether the current session is logged in.

data/doc/guides/password_requirements.rdoc

@@ -1,13 +1,16 @@
 = Customize password requirements
 
 By default, Rodauth requires passwords to have at least 6 characters. You can
-modify the minimum length:
+modify the minimum and maximum length:
 
   plugin :rodauth do
     enable :login, :logout, :create_account
 
     # Require passwords to have at least 8 characters
     password_minimum_length 8
+
+    # Don't allow passwords to be too long, to prevent long password DoS attacks
+    password_maximum_length 64
   end
 
 You can use the {disallow common passwords feature}[rdoc-ref:doc/disallow_common_passwords.rdoc]
@@ -25,6 +28,16 @@ can use the <tt>password_meets_requirements?</tt> configuration method.
     enable :login, :logout, :create_account
 
     password_meets_requirements? do |password|
-      #true if password meets requirements, false otherwise
+      super(password) && password_complex_enough?(password)
+    end
+
+    auth_class_eval do
+      # If password doesn't pass custom validation, add field error with error
+      # reason, and return false.
+      def password_complex_enough?(password)
+        return true if password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
+        set_password_requirement_error_message(:password_simple, "requires one number and one special character")
+        false
+      end
     end
   end

data/doc/json.rdoc

@@ -15,6 +15,14 @@ an array containing the field name and the error message for that field.
 Successful requests by default store a +success+ entry with a success
 message, though that can be disabled.
 
+The JSON response can be modified at any point by modifying the `json_response`
+hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
+to the JSON response:
+
+  set_error_reason do |reason|
+    json_response[:error_reason] = reason
+  end
+
 The session state is managed in the rack session, so make sure that
 CSRF protection is enabled. This will be the case when passing the
 <tt>json: true</tt> option when loading the rodauth plugin. If you

data/doc/release_notes/2.27.0.txt

@@ -0,0 +1,35 @@
+= Improvements
+
+* Token ids submitting in requests are now converted to integers if
+  the configuration uses an integer primary key for the accounts
+  table.  If the configuration uses a non-integer primary key for
+  the accounts table, the convert_token_id configuration method can
+  be used, which should return the token id converted to the
+  appropriate type, or nil if the token id is not valid for the type.
+
+  This revised handling avoids raising a database error when an
+  invalid token is submitted.
+
+* The button template can now be overridden in the same way that
+  other Rodauth templates can be overridden.
+
+* When using the Bootstrap CSS framework, the text field in the
+  Webauthn setup and auth forms is automatically hidden.  The text
+  field already had a rodauth-hidden class to make it easy to hide
+  when using other CSS frameworks.
+
+* The email_from and email_to methods are now public instead of
+  private.
+
+* A nicer error is raised if the Sequel Database object is missing.
+
+* A regression in the TOTP QR output that resulted in the QR codes
+  being solid black squares has been fixed (this was fixed in
+  Rodauth 2.26.1).
+
+= Backwards Compatibility
+
+* The webauth_credentials_for_get method in the webauthn feature has
+  been renamed to webauthn_credentials_for_get for consistency with
+  other methods.  The webauth_credentials_for_get method will still
+  work until Rodauth 3, but will issue deprecation warnings.

data/doc/release_notes/2.28.0.txt

@@ -0,0 +1,16 @@
+= New Features
+
+* A webauthn_key_insert_hash configuration method has been added when
+  using the webauthn feature, making it easier to add new columns to
+  the webauthn key data, such as a custom name for the authenticator.
+
+= Other Improvements
+
+* When using the verify_account_grace_period feature, logged_in? now
+  returns false for sessions where the grace period has expired.
+
+* When using the internal_request and reset_password features,
+  submitting an internal request for an invalid login no longer tries
+  to render a reset password request form.
+
+* The password_hash method is now public.

data/doc/webauthn.rdoc

@@ -104,9 +104,10 @@ remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the
 remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
 valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
 valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
-webauth_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
 webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
 webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
+webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
+webauthn_key_insert_hash(webauthn_credential) :: The hash to insert into the +webauthn_keys_table+.
 webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
 webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
 webauthn_setup_js_path :: The path to the WebAuthn registration javascript.

data/lib/rodauth/features/argon2.rb

@@ -15,6 +15,18 @@ module Rodauth
     auth_value_method :argon2_secret, nil
     auth_value_method :use_argon2?, true
 
+    def password_hash(password)
+      return super unless use_argon2?
+
+      if secret = argon2_secret
+        argon2_params = Hash[password_hash_cost]
+        argon2_params[:secret] = secret
+      else
+        argon2_params = password_hash_cost
+      end
+      ::Argon2::Password.new(argon2_params).create(password)
+    end
+
     private
 
     if Argon2::VERSION != '2.1.0'
@@ -34,18 +46,6 @@ module Rodauth
       argon2_hash_cost 
     end
 
-    def password_hash(password)
-      return super unless use_argon2?
-
-      if secret = argon2_secret
-        argon2_params = Hash[password_hash_cost]
-        argon2_params[:secret] = secret
-      else
-        argon2_params = password_hash_cost
-      end
-      ::Argon2::Password.new(argon2_params).create(password)
-    end
-
     def password_hash_match?(hash, password)
       return super unless argon2_hash_algorithm?(hash)
       argon2_password_hash_match?(hash, password)

data/lib/rodauth/features/base.rb

@@ -24,6 +24,7 @@ module Rodauth
     auth_value_method :check_csrf_block, nil
     auth_value_method :check_csrf_opts, {}.freeze
     auth_value_method :default_redirect, '/'
+    auth_value_method :convert_token_id_to_integer?, nil
     flash_key :flash_error_key, :error
     flash_key :flash_notice_key, :notice
     auth_value_method :hmac_secret, nil
@@ -115,6 +116,7 @@ module Rodauth
     auth_private_methods(
       :account_from_login,
       :account_from_session,
+      :convert_token_id,
       :field_attributes,
       :field_error_attributes,
       :formatted_field_error,
@@ -264,7 +266,7 @@ module Rodauth
     end
 
     def db
-      Sequel::DATABASES.first
+      Sequel::DATABASES.first or raise "Sequel database connection is missing"
     end
 
     def password_field_autocomplete_value
@@ -376,10 +378,9 @@ module Rodauth
     def button_opts(value, opts)
       opts = Hash[template_opts].merge!(opts)
       opts[:locals] = {:value=>value, :opts=>opts}
-      opts[:path] = template_path('button')
       opts[:cache] = cache_templates
       opts[:cache_key] = :rodauth_button
-      opts
+      _template_opts(opts, 'button')
     end
 
     def button(value, opts={})
@@ -402,6 +403,11 @@ module Rodauth
     def post_configure
       require 'bcrypt' if require_bcrypt?
       db.extension :date_arithmetic if use_date_arithmetic?
+
+      if convert_token_id_to_integer?.nil? && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
+        self.class.send(:define_method, :convert_token_id_to_integer?){true}
+      end
+
       route_hash= {}
       self.class.routes.each do |meth|
         route_meth = "#{meth.to_s.sub(/\Ahandle_/, '')}_route"
@@ -521,6 +527,25 @@ module Rodauth
       token.split(token_separator, 2)
     end
 
+    def convert_token_id(id)
+      if convert_token_id_to_integer?
+        convert_token_id_to_integer(id)
+      else
+        id
+      end
+    end
+
+    def convert_token_id_to_integer(id)
+      if id = (Integer(id, 10) rescue nil)
+        if id > 9223372036854775807 || id < -9223372036854775808
+          # Only allow 64-bit signed integer range to avoid problems on PostgreSQL
+          id = nil
+        end
+      end
+
+      id
+    end
+
     def redirect(path)
       request.redirect(path)
     end
@@ -817,12 +842,16 @@ module Rodauth
       opts[:locals][:rodauth] = self
       opts[:cache] = cache_templates
       opts[:cache_key] = :"rodauth_#{page}"
+      _template_opts(opts, page)
+    end
 
+    # Set the template path only if there isn't an overridden template in the application.
+    # Result should replace existing template opts.
+    def _template_opts(opts, page)
       opts = scope.send(:find_template, scope.send(:parse_template_opts, page, opts))
       unless File.file?(scope.send(:template_path, opts))
         opts[:path] = template_path(page)
       end
-
       opts
     end
 

data/lib/rodauth/features/email_base.rb

@@ -23,6 +23,14 @@ module Rodauth
       require 'mail' if require_mail?
     end
 
+    def email_from
+      "webmaster@#{domain}"
+    end
+
+    def email_to
+      account[login_column]
+    end
+
     private
 
     def send_email(email)
@@ -42,14 +50,6 @@ module Rodauth
       m
     end
 
-    def email_from
-      "webmaster@#{domain}"
-    end
-
-    def email_to
-      account[login_column]
-    end
-
     def token_link(route, param, key)
       route_url(route, param => token_param_value(key))
     end
@@ -64,6 +64,7 @@ module Rodauth
 
     def account_from_key(token, status_id=nil)
       id, key = split_token(token)
+      id = convert_token_id(id)
       return unless id && key
 
       return unless actual = yield(id)

data/lib/rodauth/features/json.rb

@@ -107,7 +107,7 @@ module Rodauth
     def before_webauthn_auth_route
       super if defined?(super)
       if use_json? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
+        cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge
         json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
@@ -117,7 +117,7 @@ module Rodauth
     def before_webauthn_login_route
       super if defined?(super)
       if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
+        cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge
         json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)

data/lib/rodauth/features/jwt_refresh.rb

@@ -112,7 +112,7 @@ module Rodauth
       id, token_id, key = _account_refresh_token_split(token)
 
       unless key &&
-             (id == session_value.to_s) &&
+             (id.to_s == session_value.to_s) &&
              (actual = get_active_refresh_token(id, token_id)) &&
              timing_safe_eql?(key, convert_token_key(actual)) &&
              jwt_refresh_token_match?(key)
@@ -126,9 +126,11 @@ module Rodauth
 
     def _account_refresh_token_split(token)
       id, token = split_token(token)
+      id = convert_token_id(id)
       return unless id && token
 
       token_id, key = split_token(token)
+      token_id = convert_token_id(token_id)
       return unless token_id && key
 
       [id, token_id, key]

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -75,6 +75,10 @@ module Rodauth
       hash
     end
 
+    def password_hash(password)
+      BCrypt::Password.create(password, :cost=>password_hash_cost)
+    end
+
     private
     
     attr_reader :login_requirement_message
@@ -184,9 +188,5 @@ module Rodauth
     def extract_password_hash_cost(hash)
       hash[4, 2].to_i
     end
-    
-    def password_hash(password)
-      BCrypt::Password.create(password, :cost=>password_hash_cost)
-    end
   end
 end

data/lib/rodauth/features/password_pepper.rb

@@ -16,12 +16,12 @@ module Rodauth
       result
     end
 
-    private
-
     def password_hash(password)
       super(password + password_pepper.to_s)
     end
 
+    private
+
     def password_hash_match?(hash, password)
       return super if password_pepper.nil?
 

data/lib/rodauth/features/reset_password.rb

@@ -219,7 +219,7 @@ module Rodauth
     attr_reader :reset_password_key_value
 
     def after_login_failure
-      unless only_json?
+      unless only_json? || internal_request?
         @login_form_header = login_failed_reset_password_request_form
       end
       super

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -30,6 +30,10 @@ module Rodauth
       false
     end
 
+    def logged_in?
+      super && !unverified_grace_period_expired?
+    end
+
     def require_login
       if unverified_grace_period_expired?
         clear_session

data/lib/rodauth/features/webauthn.rb

@@ -102,13 +102,16 @@ module Rodauth
       :valid_new_webauthn_credential?,
       :valid_webauthn_credential_auth?,
       :webauthn_auth_js_path,
-      :webauth_credential_options_for_get,
+      :webauthn_credential_options_for_get,
+      :webauthn_key_insert_hash,
       :webauthn_remove_authenticated_session,
       :webauthn_setup_js_path,
       :webauthn_update_session,
       :webauthn_user_name,
     )
 
+    def_deprecated_alias :webauthn_credential_options_for_get, :webauth_credential_options_for_get
+
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do
@@ -315,7 +318,7 @@ module Rodauth
         webauthn_credential.verify(challenge)
     end
 
-    def webauth_credential_options_for_get
+    def webauthn_credential_options_for_get
       WebAuthn::Credential.options_for_get(
         :allow => account_webauthn_ids,
         :timeout => webauthn_auth_timeout,
@@ -346,12 +349,7 @@ module Rodauth
     end
 
     def add_webauthn_credential(webauthn_credential)
-      webauthn_keys_ds.insert(
-        webauthn_keys_account_id_column => webauthn_account_id,
-        webauthn_keys_webauthn_id_column => webauthn_credential.id,
-        webauthn_keys_public_key_column => webauthn_credential.public_key,
-        webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
-      )
+      webauthn_keys_ds.insert(webauthn_key_insert_hash(webauthn_credential))
       super if defined?(super)
       nil
     end
@@ -433,6 +431,15 @@ module Rodauth
       super
     end
 
+    def webauthn_key_insert_hash(webauthn_credential)
+      {
+        webauthn_keys_account_id_column => webauthn_account_id,
+        webauthn_keys_webauthn_id_column => webauthn_credential.id,
+        webauthn_keys_public_key_column => webauthn_credential.public_key,
+        webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
+      }
+    end
+
     def webauthn_account_id
       session_value
     end

data/lib/rodauth/version.rb

@@ -6,11 +6,11 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 26
+  MINOR = 28
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.
-  TINY = 1
+  TINY = 0
 
   # The full version of Rodauth as a string
   VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze

data/templates/webauthn-auth.str

@@ -1,9 +1,9 @@
-<form method="post" action="#{rodauth.webauthn_auth_form_path}" class="rodauth" role="form" id="webauthn-auth-form" data-credential-options="#{h((cred = rodauth.webauth_credential_options_for_get).as_json.to_json)}">
+<form method="post" action="#{rodauth.webauthn_auth_form_path}" class="rodauth" role="form" id="webauthn-auth-form" data-credential-options="#{h((cred = rodauth.webauthn_credential_options_for_get).as_json.to_json)}">
   #{rodauth.webauthn_auth_additional_form_tags}
   #{rodauth.csrf_tag(rodauth.webauthn_auth_form_path)}
   <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
   <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
-  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
   <div id="webauthn-auth-button"> 
     #{rodauth.button(rodauth.webauthn_auth_button)}
   </div>

data/templates/webauthn-setup.str

@@ -3,7 +3,7 @@
   #{rodauth.csrf_tag}
   <input type="hidden" name="#{rodauth.webauthn_setup_challenge_param}" value="#{cred.challenge}" />
   <input type="hidden" name="#{rodauth.webauthn_setup_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
-  <input class="rodauth_hidden" aria-hidden="true" type="text" name="#{rodauth.webauthn_setup_param}" id="webauthn-setup" value="" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_setup_param}" id="webauthn-setup" value="" />
   #{rodauth.render('password-field') if rodauth.two_factor_modifications_require_password?}
   <div id="webauthn-setup-button"> 
     #{rodauth.button(rodauth.webauthn_setup_button)}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.26.1
+  version: 2.28.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-08 00:00:00.000000000 Z
+date: 2023-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -342,6 +342,8 @@ extra_rdoc_files:
 - doc/release_notes/2.24.0.txt
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
+- doc/release_notes/2.27.0.txt
+- doc/release_notes/2.28.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -455,6 +457,8 @@ files:
 - doc/release_notes/2.24.0.txt
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
+- doc/release_notes/2.27.0.txt
+- doc/release_notes/2.28.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -612,7 +616,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications