rodauth 2.27.0 → 2.28.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +10 -0
- data/doc/guides/password_requirements.rdoc +15 -2
- data/doc/json.rdoc +8 -0
- data/doc/release_notes/2.28.0.txt +16 -0
- data/doc/webauthn.rdoc +2 -1
- data/lib/rodauth/features/argon2.rb +12 -12
- data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
- data/lib/rodauth/features/password_pepper.rb +2 -2
- data/lib/rodauth/features/reset_password.rb +1 -1
- data/lib/rodauth/features/verify_account_grace_period.rb +4 -0
- data/lib/rodauth/features/webauthn.rb +11 -6
- data/lib/rodauth/version.rb +1 -1
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 15ed571757453e13ded3557bd2736779546b2c759230f8ee9070976a0207899e
|
|
4
|
+
data.tar.gz: 9aa5adf648fa1449a75a03d62ae4907f71d41adc49e81fde8da52097042c986c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bdae4bbe3d9c471f967a8b24741504494a4003edce0c265dba9026694d64c08f61bd74cdbf80bded79e3b2c163fe7d273fcf72741f986711891fea5e481c501f
|
|
7
|
+
data.tar.gz: 5c6352c91b52012c6869a149e61887a1a6e0ace76557f2c4922eb699dc4da7f08a1265c5548bff25a3f617fa0a3b565b6d00f3472822d32812ae6261a4bcc95c
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
=== 2.28.0 (2023-02-22)
|
|
2
|
+
|
|
3
|
+
* Skip rendering reset password request form on invalid internal request logins (janko) (#303)
|
|
4
|
+
|
|
5
|
+
* Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
|
|
6
|
+
|
|
7
|
+
* Make password_hash method public (janko) (#299)
|
|
8
|
+
|
|
9
|
+
* Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)
|
|
10
|
+
|
|
1
11
|
=== 2.27.0 (2023-01-24)
|
|
2
12
|
|
|
3
13
|
* Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
|
|
@@ -1,13 +1,16 @@
|
|
|
1
1
|
= Customize password requirements
|
|
2
2
|
|
|
3
3
|
By default, Rodauth requires passwords to have at least 6 characters. You can
|
|
4
|
-
modify the minimum length:
|
|
4
|
+
modify the minimum and maximum length:
|
|
5
5
|
|
|
6
6
|
plugin :rodauth do
|
|
7
7
|
enable :login, :logout, :create_account
|
|
8
8
|
|
|
9
9
|
# Require passwords to have at least 8 characters
|
|
10
10
|
password_minimum_length 8
|
|
11
|
+
|
|
12
|
+
# Don't allow passwords to be too long, to prevent long password DoS attacks
|
|
13
|
+
password_maximum_length 64
|
|
11
14
|
end
|
|
12
15
|
|
|
13
16
|
You can use the {disallow common passwords feature}[rdoc-ref:doc/disallow_common_passwords.rdoc]
|
|
@@ -25,6 +28,16 @@ can use the <tt>password_meets_requirements?</tt> configuration method.
|
|
|
25
28
|
enable :login, :logout, :create_account
|
|
26
29
|
|
|
27
30
|
password_meets_requirements? do |password|
|
|
28
|
-
|
|
31
|
+
super(password) && password_complex_enough?(password)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
auth_class_eval do
|
|
35
|
+
# If password doesn't pass custom validation, add field error with error
|
|
36
|
+
# reason, and return false.
|
|
37
|
+
def password_complex_enough?(password)
|
|
38
|
+
return true if password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
|
|
39
|
+
set_password_requirement_error_message(:password_simple, "requires one number and one special character")
|
|
40
|
+
false
|
|
41
|
+
end
|
|
29
42
|
end
|
|
30
43
|
end
|
data/doc/json.rdoc
CHANGED
|
@@ -15,6 +15,14 @@ an array containing the field name and the error message for that field.
|
|
|
15
15
|
Successful requests by default store a +success+ entry with a success
|
|
16
16
|
message, though that can be disabled.
|
|
17
17
|
|
|
18
|
+
The JSON response can be modified at any point by modifying the `json_response`
|
|
19
|
+
hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
|
|
20
|
+
to the JSON response:
|
|
21
|
+
|
|
22
|
+
set_error_reason do |reason|
|
|
23
|
+
json_response[:error_reason] = reason
|
|
24
|
+
end
|
|
25
|
+
|
|
18
26
|
The session state is managed in the rack session, so make sure that
|
|
19
27
|
CSRF protection is enabled. This will be the case when passing the
|
|
20
28
|
<tt>json: true</tt> option when loading the rodauth plugin. If you
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* A webauthn_key_insert_hash configuration method has been added when
|
|
4
|
+
using the webauthn feature, making it easier to add new columns to
|
|
5
|
+
the webauthn key data, such as a custom name for the authenticator.
|
|
6
|
+
|
|
7
|
+
= Other Improvements
|
|
8
|
+
|
|
9
|
+
* When using the verify_account_grace_period feature, logged_in? now
|
|
10
|
+
returns false for sessions where the grace period has expired.
|
|
11
|
+
|
|
12
|
+
* When using the internal_request and reset_password features,
|
|
13
|
+
submitting an internal request for an invalid login no longer tries
|
|
14
|
+
to render a reset password request form.
|
|
15
|
+
|
|
16
|
+
* The password_hash method is now public.
|
data/doc/webauthn.rdoc
CHANGED
|
@@ -104,9 +104,10 @@ remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the
|
|
|
104
104
|
remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
|
|
105
105
|
valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
|
|
106
106
|
valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
|
|
107
|
-
webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
|
|
108
107
|
webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
|
|
109
108
|
webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
|
|
109
|
+
webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
|
|
110
|
+
webauthn_key_insert_hash(webauthn_credential) :: The hash to insert into the +webauthn_keys_table+.
|
|
110
111
|
webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
|
|
111
112
|
webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
|
|
112
113
|
webauthn_setup_js_path :: The path to the WebAuthn registration javascript.
|
|
@@ -15,6 +15,18 @@ module Rodauth
|
|
|
15
15
|
auth_value_method :argon2_secret, nil
|
|
16
16
|
auth_value_method :use_argon2?, true
|
|
17
17
|
|
|
18
|
+
def password_hash(password)
|
|
19
|
+
return super unless use_argon2?
|
|
20
|
+
|
|
21
|
+
if secret = argon2_secret
|
|
22
|
+
argon2_params = Hash[password_hash_cost]
|
|
23
|
+
argon2_params[:secret] = secret
|
|
24
|
+
else
|
|
25
|
+
argon2_params = password_hash_cost
|
|
26
|
+
end
|
|
27
|
+
::Argon2::Password.new(argon2_params).create(password)
|
|
28
|
+
end
|
|
29
|
+
|
|
18
30
|
private
|
|
19
31
|
|
|
20
32
|
if Argon2::VERSION != '2.1.0'
|
|
@@ -34,18 +46,6 @@ module Rodauth
|
|
|
34
46
|
argon2_hash_cost
|
|
35
47
|
end
|
|
36
48
|
|
|
37
|
-
def password_hash(password)
|
|
38
|
-
return super unless use_argon2?
|
|
39
|
-
|
|
40
|
-
if secret = argon2_secret
|
|
41
|
-
argon2_params = Hash[password_hash_cost]
|
|
42
|
-
argon2_params[:secret] = secret
|
|
43
|
-
else
|
|
44
|
-
argon2_params = password_hash_cost
|
|
45
|
-
end
|
|
46
|
-
::Argon2::Password.new(argon2_params).create(password)
|
|
47
|
-
end
|
|
48
|
-
|
|
49
49
|
def password_hash_match?(hash, password)
|
|
50
50
|
return super unless argon2_hash_algorithm?(hash)
|
|
51
51
|
argon2_password_hash_match?(hash, password)
|
|
@@ -75,6 +75,10 @@ module Rodauth
|
|
|
75
75
|
hash
|
|
76
76
|
end
|
|
77
77
|
|
|
78
|
+
def password_hash(password)
|
|
79
|
+
BCrypt::Password.create(password, :cost=>password_hash_cost)
|
|
80
|
+
end
|
|
81
|
+
|
|
78
82
|
private
|
|
79
83
|
|
|
80
84
|
attr_reader :login_requirement_message
|
|
@@ -184,9 +188,5 @@ module Rodauth
|
|
|
184
188
|
def extract_password_hash_cost(hash)
|
|
185
189
|
hash[4, 2].to_i
|
|
186
190
|
end
|
|
187
|
-
|
|
188
|
-
def password_hash(password)
|
|
189
|
-
BCrypt::Password.create(password, :cost=>password_hash_cost)
|
|
190
|
-
end
|
|
191
191
|
end
|
|
192
192
|
end
|
|
@@ -103,6 +103,7 @@ module Rodauth
|
|
|
103
103
|
:valid_webauthn_credential_auth?,
|
|
104
104
|
:webauthn_auth_js_path,
|
|
105
105
|
:webauthn_credential_options_for_get,
|
|
106
|
+
:webauthn_key_insert_hash,
|
|
106
107
|
:webauthn_remove_authenticated_session,
|
|
107
108
|
:webauthn_setup_js_path,
|
|
108
109
|
:webauthn_update_session,
|
|
@@ -348,12 +349,7 @@ module Rodauth
|
|
|
348
349
|
end
|
|
349
350
|
|
|
350
351
|
def add_webauthn_credential(webauthn_credential)
|
|
351
|
-
webauthn_keys_ds.insert(
|
|
352
|
-
webauthn_keys_account_id_column => webauthn_account_id,
|
|
353
|
-
webauthn_keys_webauthn_id_column => webauthn_credential.id,
|
|
354
|
-
webauthn_keys_public_key_column => webauthn_credential.public_key,
|
|
355
|
-
webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
|
|
356
|
-
)
|
|
352
|
+
webauthn_keys_ds.insert(webauthn_key_insert_hash(webauthn_credential))
|
|
357
353
|
super if defined?(super)
|
|
358
354
|
nil
|
|
359
355
|
end
|
|
@@ -435,6 +431,15 @@ module Rodauth
|
|
|
435
431
|
super
|
|
436
432
|
end
|
|
437
433
|
|
|
434
|
+
def webauthn_key_insert_hash(webauthn_credential)
|
|
435
|
+
{
|
|
436
|
+
webauthn_keys_account_id_column => webauthn_account_id,
|
|
437
|
+
webauthn_keys_webauthn_id_column => webauthn_credential.id,
|
|
438
|
+
webauthn_keys_public_key_column => webauthn_credential.public_key,
|
|
439
|
+
webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
|
|
440
|
+
}
|
|
441
|
+
end
|
|
442
|
+
|
|
438
443
|
def webauthn_account_id
|
|
439
444
|
session_value
|
|
440
445
|
end
|
data/lib/rodauth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.28.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-02-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -343,6 +343,7 @@ extra_rdoc_files:
|
|
|
343
343
|
- doc/release_notes/2.25.0.txt
|
|
344
344
|
- doc/release_notes/2.26.0.txt
|
|
345
345
|
- doc/release_notes/2.27.0.txt
|
|
346
|
+
- doc/release_notes/2.28.0.txt
|
|
346
347
|
- doc/release_notes/2.3.0.txt
|
|
347
348
|
- doc/release_notes/2.4.0.txt
|
|
348
349
|
- doc/release_notes/2.5.0.txt
|
|
@@ -457,6 +458,7 @@ files:
|
|
|
457
458
|
- doc/release_notes/2.25.0.txt
|
|
458
459
|
- doc/release_notes/2.26.0.txt
|
|
459
460
|
- doc/release_notes/2.27.0.txt
|
|
461
|
+
- doc/release_notes/2.28.0.txt
|
|
460
462
|
- doc/release_notes/2.3.0.txt
|
|
461
463
|
- doc/release_notes/2.4.0.txt
|
|
462
464
|
- doc/release_notes/2.5.0.txt
|
|
@@ -614,7 +616,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
614
616
|
- !ruby/object:Gem::Version
|
|
615
617
|
version: '0'
|
|
616
618
|
requirements: []
|
|
617
|
-
rubygems_version: 3.4.
|
|
619
|
+
rubygems_version: 3.4.6
|
|
618
620
|
signing_key:
|
|
619
621
|
specification_version: 4
|
|
620
622
|
summary: Authentication and Account Management Framework for Rack Applications
|