rodauth 2.27.0 → 2.28.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +10 -0
- data/doc/guides/password_requirements.rdoc +15 -2
- data/doc/json.rdoc +8 -0
- data/doc/release_notes/2.28.0.txt +16 -0
- data/doc/webauthn.rdoc +2 -1
- data/lib/rodauth/features/argon2.rb +12 -12
- data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
- data/lib/rodauth/features/password_pepper.rb +2 -2
- data/lib/rodauth/features/reset_password.rb +1 -1
- data/lib/rodauth/features/verify_account_grace_period.rb +4 -0
- data/lib/rodauth/features/webauthn.rb +11 -6
- data/lib/rodauth/version.rb +1 -1
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 15ed571757453e13ded3557bd2736779546b2c759230f8ee9070976a0207899e
|
|
4
|
+
data.tar.gz: 9aa5adf648fa1449a75a03d62ae4907f71d41adc49e81fde8da52097042c986c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bdae4bbe3d9c471f967a8b24741504494a4003edce0c265dba9026694d64c08f61bd74cdbf80bded79e3b2c163fe7d273fcf72741f986711891fea5e481c501f
|
|
7
|
+
data.tar.gz: 5c6352c91b52012c6869a149e61887a1a6e0ace76557f2c4922eb699dc4da7f08a1265c5548bff25a3f617fa0a3b565b6d00f3472822d32812ae6261a4bcc95c
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
=== 2.28.0 (2023-02-22)
|
|
2
|
+
|
|
3
|
+
* Skip rendering reset password request form on invalid internal request logins (janko) (#303)
|
|
4
|
+
|
|
5
|
+
* Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
|
|
6
|
+
|
|
7
|
+
* Make password_hash method public (janko) (#299)
|
|
8
|
+
|
|
9
|
+
* Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)
|
|
10
|
+
|
|
1
11
|
=== 2.27.0 (2023-01-24)
|
|
2
12
|
|
|
3
13
|
* Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
|
|
@@ -1,13 +1,16 @@
|
|
|
1
1
|
= Customize password requirements
|
|
2
2
|
|
|
3
3
|
By default, Rodauth requires passwords to have at least 6 characters. You can
|
|
4
|
-
modify the minimum length:
|
|
4
|
+
modify the minimum and maximum length:
|
|
5
5
|
|
|
6
6
|
plugin :rodauth do
|
|
7
7
|
enable :login, :logout, :create_account
|
|
8
8
|
|
|
9
9
|
# Require passwords to have at least 8 characters
|
|
10
10
|
password_minimum_length 8
|
|
11
|
+
|
|
12
|
+
# Don't allow passwords to be too long, to prevent long password DoS attacks
|
|
13
|
+
password_maximum_length 64
|
|
11
14
|
end
|
|
12
15
|
|
|
13
16
|
You can use the {disallow common passwords feature}[rdoc-ref:doc/disallow_common_passwords.rdoc]
|
|
@@ -25,6 +28,16 @@ can use the <tt>password_meets_requirements?</tt> configuration method.
|
|
|
25
28
|
enable :login, :logout, :create_account
|
|
26
29
|
|
|
27
30
|
password_meets_requirements? do |password|
|
|
28
|
-
|
|
31
|
+
super(password) && password_complex_enough?(password)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
auth_class_eval do
|
|
35
|
+
# If password doesn't pass custom validation, add field error with error
|
|
36
|
+
# reason, and return false.
|
|
37
|
+
def password_complex_enough?(password)
|
|
38
|
+
return true if password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
|
|
39
|
+
set_password_requirement_error_message(:password_simple, "requires one number and one special character")
|
|
40
|
+
false
|
|
41
|
+
end
|
|
29
42
|
end
|
|
30
43
|
end
|
data/doc/json.rdoc
CHANGED
|
@@ -15,6 +15,14 @@ an array containing the field name and the error message for that field.
|
|
|
15
15
|
Successful requests by default store a +success+ entry with a success
|
|
16
16
|
message, though that can be disabled.
|
|
17
17
|
|
|
18
|
+
The JSON response can be modified at any point by modifying the `json_response`
|
|
19
|
+
hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
|
|
20
|
+
to the JSON response:
|
|
21
|
+
|
|
22
|
+
set_error_reason do |reason|
|
|
23
|
+
json_response[:error_reason] = reason
|
|
24
|
+
end
|
|
25
|
+
|
|
18
26
|
The session state is managed in the rack session, so make sure that
|
|
19
27
|
CSRF protection is enabled. This will be the case when passing the
|
|
20
28
|
<tt>json: true</tt> option when loading the rodauth plugin. If you
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* A webauthn_key_insert_hash configuration method has been added when
|
|
4
|
+
using the webauthn feature, making it easier to add new columns to
|
|
5
|
+
the webauthn key data, such as a custom name for the authenticator.
|
|
6
|
+
|
|
7
|
+
= Other Improvements
|
|
8
|
+
|
|
9
|
+
* When using the verify_account_grace_period feature, logged_in? now
|
|
10
|
+
returns false for sessions where the grace period has expired.
|
|
11
|
+
|
|
12
|
+
* When using the internal_request and reset_password features,
|
|
13
|
+
submitting an internal request for an invalid login no longer tries
|
|
14
|
+
to render a reset password request form.
|
|
15
|
+
|
|
16
|
+
* The password_hash method is now public.
|
data/doc/webauthn.rdoc
CHANGED
|
@@ -104,9 +104,10 @@ remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the
|
|
|
104
104
|
remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
|
|
105
105
|
valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
|
|
106
106
|
valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
|
|
107
|
-
webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
|
|
108
107
|
webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
|
|
109
108
|
webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
|
|
109
|
+
webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
|
|
110
|
+
webauthn_key_insert_hash(webauthn_credential) :: The hash to insert into the +webauthn_keys_table+.
|
|
110
111
|
webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
|
|
111
112
|
webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
|
|
112
113
|
webauthn_setup_js_path :: The path to the WebAuthn registration javascript.
|
|
@@ -15,6 +15,18 @@ module Rodauth
|
|
|
15
15
|
auth_value_method :argon2_secret, nil
|
|
16
16
|
auth_value_method :use_argon2?, true
|
|
17
17
|
|
|
18
|
+
def password_hash(password)
|
|
19
|
+
return super unless use_argon2?
|
|
20
|
+
|
|
21
|
+
if secret = argon2_secret
|
|
22
|
+
argon2_params = Hash[password_hash_cost]
|
|
23
|
+
argon2_params[:secret] = secret
|
|
24
|
+
else
|
|
25
|
+
argon2_params = password_hash_cost
|
|
26
|
+
end
|
|
27
|
+
::Argon2::Password.new(argon2_params).create(password)
|
|
28
|
+
end
|
|
29
|
+
|
|
18
30
|
private
|
|
19
31
|
|
|
20
32
|
if Argon2::VERSION != '2.1.0'
|
|
@@ -34,18 +46,6 @@ module Rodauth
|
|
|
34
46
|
argon2_hash_cost
|
|
35
47
|
end
|
|
36
48
|
|
|
37
|
-
def password_hash(password)
|
|
38
|
-
return super unless use_argon2?
|
|
39
|
-
|
|
40
|
-
if secret = argon2_secret
|
|
41
|
-
argon2_params = Hash[password_hash_cost]
|
|
42
|
-
argon2_params[:secret] = secret
|
|
43
|
-
else
|
|
44
|
-
argon2_params = password_hash_cost
|
|
45
|
-
end
|
|
46
|
-
::Argon2::Password.new(argon2_params).create(password)
|
|
47
|
-
end
|
|
48
|
-
|
|
49
49
|
def password_hash_match?(hash, password)
|
|
50
50
|
return super unless argon2_hash_algorithm?(hash)
|
|
51
51
|
argon2_password_hash_match?(hash, password)
|
|
@@ -75,6 +75,10 @@ module Rodauth
|
|
|
75
75
|
hash
|
|
76
76
|
end
|
|
77
77
|
|
|
78
|
+
def password_hash(password)
|
|
79
|
+
BCrypt::Password.create(password, :cost=>password_hash_cost)
|
|
80
|
+
end
|
|
81
|
+
|
|
78
82
|
private
|
|
79
83
|
|
|
80
84
|
attr_reader :login_requirement_message
|
|
@@ -184,9 +188,5 @@ module Rodauth
|
|
|
184
188
|
def extract_password_hash_cost(hash)
|
|
185
189
|
hash[4, 2].to_i
|
|
186
190
|
end
|
|
187
|
-
|
|
188
|
-
def password_hash(password)
|
|
189
|
-
BCrypt::Password.create(password, :cost=>password_hash_cost)
|
|
190
|
-
end
|
|
191
191
|
end
|
|
192
192
|
end
|
|
@@ -103,6 +103,7 @@ module Rodauth
|
|
|
103
103
|
:valid_webauthn_credential_auth?,
|
|
104
104
|
:webauthn_auth_js_path,
|
|
105
105
|
:webauthn_credential_options_for_get,
|
|
106
|
+
:webauthn_key_insert_hash,
|
|
106
107
|
:webauthn_remove_authenticated_session,
|
|
107
108
|
:webauthn_setup_js_path,
|
|
108
109
|
:webauthn_update_session,
|
|
@@ -348,12 +349,7 @@ module Rodauth
|
|
|
348
349
|
end
|
|
349
350
|
|
|
350
351
|
def add_webauthn_credential(webauthn_credential)
|
|
351
|
-
webauthn_keys_ds.insert(
|
|
352
|
-
webauthn_keys_account_id_column => webauthn_account_id,
|
|
353
|
-
webauthn_keys_webauthn_id_column => webauthn_credential.id,
|
|
354
|
-
webauthn_keys_public_key_column => webauthn_credential.public_key,
|
|
355
|
-
webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
|
|
356
|
-
)
|
|
352
|
+
webauthn_keys_ds.insert(webauthn_key_insert_hash(webauthn_credential))
|
|
357
353
|
super if defined?(super)
|
|
358
354
|
nil
|
|
359
355
|
end
|
|
@@ -435,6 +431,15 @@ module Rodauth
|
|
|
435
431
|
super
|
|
436
432
|
end
|
|
437
433
|
|
|
434
|
+
def webauthn_key_insert_hash(webauthn_credential)
|
|
435
|
+
{
|
|
436
|
+
webauthn_keys_account_id_column => webauthn_account_id,
|
|
437
|
+
webauthn_keys_webauthn_id_column => webauthn_credential.id,
|
|
438
|
+
webauthn_keys_public_key_column => webauthn_credential.public_key,
|
|
439
|
+
webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
|
|
440
|
+
}
|
|
441
|
+
end
|
|
442
|
+
|
|
438
443
|
def webauthn_account_id
|
|
439
444
|
session_value
|
|
440
445
|
end
|
data/lib/rodauth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.28.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-02-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -343,6 +343,7 @@ extra_rdoc_files:
|
|
|
343
343
|
- doc/release_notes/2.25.0.txt
|
|
344
344
|
- doc/release_notes/2.26.0.txt
|
|
345
345
|
- doc/release_notes/2.27.0.txt
|
|
346
|
+
- doc/release_notes/2.28.0.txt
|
|
346
347
|
- doc/release_notes/2.3.0.txt
|
|
347
348
|
- doc/release_notes/2.4.0.txt
|
|
348
349
|
- doc/release_notes/2.5.0.txt
|
|
@@ -457,6 +458,7 @@ files:
|
|
|
457
458
|
- doc/release_notes/2.25.0.txt
|
|
458
459
|
- doc/release_notes/2.26.0.txt
|
|
459
460
|
- doc/release_notes/2.27.0.txt
|
|
461
|
+
- doc/release_notes/2.28.0.txt
|
|
460
462
|
- doc/release_notes/2.3.0.txt
|
|
461
463
|
- doc/release_notes/2.4.0.txt
|
|
462
464
|
- doc/release_notes/2.5.0.txt
|
|
@@ -614,7 +616,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
614
616
|
- !ruby/object:Gem::Version
|
|
615
617
|
version: '0'
|
|
616
618
|
requirements: []
|
|
617
|
-
rubygems_version: 3.4.
|
|
619
|
+
rubygems_version: 3.4.6
|
|
618
620
|
signing_key:
|
|
619
621
|
specification_version: 4
|
|
620
622
|
summary: Authentication and Account Management Framework for Rack Applications
|