rodauth 2.27.0 → 2.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eeb08d35b1a9cf7c0a5393bbcf831d41fa0ff1a9d822761ef63c149723d79db2
-  data.tar.gz: 8a890d1659b1a0634960420ab0546db1e76363dad7c43dc01a0b05dfe4cc85e3
+  metadata.gz: c1714e5a3a0a5bbae56f2905dd528611de3b958d505d312071148b56fdfb3d6f
+  data.tar.gz: 8bb57c30ced05b0825a5d1fd74efe9f6523202f1b151b591c0bbdf10ad9f12af
 SHA512:
-  metadata.gz: 1e27b99b1fa245aab6c600257fc82fcae6789d31105047d06d39eae185064d08917359ba8eb631b94dcfa7aa6a05be77e700a8935070b8467bcac25bbd3e2cb1
-  data.tar.gz: 71bfbebd641cc594889fa4d82086a17b250388796990d24b8240acb6e668fe41b52f9b1727b4b8b49846cc13574b398da0ae7c4f092436d027a4719df96f0e75
+  metadata.gz: 4dfc0639aaebdeacf6961122265720c992fb0d1af5d7864f5984fa902eef0ae49aea30db63681b1bdd1c598458f8ce5b035fdb3192249f3983afba15442bf990
+  data.tar.gz: d044a6934b3d06bee1e260de68ca5a88016b6f611da1e59dabf1e16afc63e7a82c6d16d196ed57a23558c14a0d6aecba4030ece7830a4f0a6211260b1e619b50

data/CHANGELOG

@@ -1,3 +1,25 @@
+=== 2.29.0 (2023-03-22)
+
+* Support :render=>false plugin options (davekaro) (#319)
+
+* Add remove_active_session method for removing the active session for a given session id (janko) (#317)
+
+* Remove current active session when adding new active session (janko) (#314) 
+
+* Extend the remember cookie deadline once an hour by default while logged in (janko, jeremyevans) (#313)
+
+* Add account! method for returning associated account or loading account based on the session value (janko) (#309)
+
+=== 2.28.0 (2023-02-22)
+
+* Skip rendering reset password request form on invalid internal request logins (janko) (#303)
+
+* Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
+
+* Make password_hash method public (janko) (#299)
+
+* Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)
+
 === 2.27.0 (2023-01-24)
 
 * Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)

data/README.rdoc

@@ -79,7 +79,8 @@ There are some dependencies that Rodauth uses depending on the
 features in use. These are development dependencies instead of
 runtime dependencies in the gem as it is possible to run without them:
 
-tilt :: Used by all features unless in JSON API only mode.
+tilt :: Used by all features unless in JSON API only mode or using
+        :render=>false plugin option.
 rack_csrf :: Used for CSRF support if the <tt>csrf: :rack_csrf</tt> plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
@@ -852,6 +853,8 @@ which configures which dependent plugins should be loaded. Options:
 :csrf :: Set to +false+ to not load a csrf plugin.  Set to +:rack_csrf+
          to use the csrf plugin instead of the route_csrf plugin.
 :flash :: Set to +false+ to not load the flash plugin
+:render :: Set to +false+ to not load the render plugin. This is useful
+           to avoid the dependency on tilt when using alternative view libaries.
 :json :: Set to +true+ to load the json and json_parser plugins. Set
          to +:only+ to only load those plugins and not any other plugins.
          Note that if you are enabling features that send email, you
@@ -1000,6 +1003,8 @@ logged_in? :: Whether the session has been logged in.
 authenticated? :: Similar to +logged_in?+, but if the account has setup two
                   factor authentication, whether the session has authenticated
                   via two factors.
+account! :: Returns the current account record if it has already been loaded,
+            otherwise retrieves the account from session if logged in.
 authenticated_by :: An array of strings for successful authentication methods for
                     the current session (e.g. password/remember/webauthn).
 possible_authentication_methods :: An array of strings for possible authentication

data/doc/active_sessions.rdoc

@@ -48,6 +48,7 @@ add_active_session :: Create a session id for the session and populate the sessi
 currently_active_session? :: Whether the session is currently active, by checking the database table.
 handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
 no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
+remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
 remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
 remove_current_session :: Remove current session from the database, used for regular logouts.
 remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/guides/password_requirements.rdoc

@@ -1,13 +1,16 @@
 = Customize password requirements
 
 By default, Rodauth requires passwords to have at least 6 characters. You can
-modify the minimum length:
+modify the minimum and maximum length:
 
   plugin :rodauth do
     enable :login, :logout, :create_account
 
     # Require passwords to have at least 8 characters
     password_minimum_length 8
+
+    # Don't allow passwords to be too long, to prevent long password DoS attacks
+    password_maximum_length 64
   end
 
 You can use the {disallow common passwords feature}[rdoc-ref:doc/disallow_common_passwords.rdoc]
@@ -25,6 +28,16 @@ can use the <tt>password_meets_requirements?</tt> configuration method.
     enable :login, :logout, :create_account
 
     password_meets_requirements? do |password|
-      #true if password meets requirements, false otherwise
+      super(password) && password_complex_enough?(password)
+    end
+
+    auth_class_eval do
+      # If password doesn't pass custom validation, add field error with error
+      # reason, and return false.
+      def password_complex_enough?(password)
+        return true if password.match?(/\d/) && password.match?(/[^a-zA-Z\d]/)
+        set_password_requirement_error_message(:password_simple, "requires one number and one special character")
+        false
+      end
     end
   end

data/doc/json.rdoc

@@ -15,6 +15,14 @@ an array containing the field name and the error message for that field.
 Successful requests by default store a +success+ entry with a success
 message, though that can be disabled.
 
+The JSON response can be modified at any point by modifying the +json_response+
+hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
+to the JSON response:
+
+  set_error_reason do |reason|
+    json_response[:error_reason] = reason
+  end
+
 The session state is managed in the rack session, so make sure that
 CSRF protection is enabled. This will be the case when passing the
 <tt>json: true</tt> option when loading the rodauth plugin. If you

data/doc/release_notes/2.28.0.txt

@@ -0,0 +1,16 @@
+= New Features
+
+* A webauthn_key_insert_hash configuration method has been added when
+  using the webauthn feature, making it easier to add new columns to
+  the webauthn key data, such as a custom name for the authenticator.
+
+= Other Improvements
+
+* When using the verify_account_grace_period feature, logged_in? now
+  returns false for sessions where the grace period has expired.
+
+* When using the internal_request and reset_password features,
+  submitting an internal request for an invalid login no longer tries
+  to render a reset password request form.
+
+* The password_hash method is now public.

data/doc/release_notes/2.29.0.txt

@@ -0,0 +1,27 @@
+= New Features
+
+* When using the remember feature, by default, the remember deadline
+  is extended while logged in, if it hasn't been extended in the last
+  hour
+
+* An account! method has been added, which will return the hash for
+  the account if already retrieved, or attempt to retrieve the
+  account hash using the currently logged in session if not.
+  Because of the ambiguity in the provenance of the returned account
+  hash, callers should be careful when using this method.
+
+* A remove_active_session method has been added.  You can call this
+  method with a specific session id, and it will remove the related
+  active session.
+
+* A render: false plugin option is now support, which will disable
+  the automatic loading of the render plugin.  This should only be
+  used if you are completely replacing Rodauth's view rendering with
+  your own.
+
+= Other Improvements
+
+* When logging in when using the active_sessions feature, if there is
+  a current active session, it is removed before a new active session
+  is created. This prevents some stale active sessions from remaining
+  in the database (which would eventually be cleaned up later).

data/doc/remember.rdoc

@@ -30,13 +30,15 @@ for sessions autologged in via a remember token:
 
 == Auth Value Methods
 
-extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token.
+extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token and every +extend_remember_deadline_period+ seconds while logged in.
+extend_remember_deadline_period :: The amount of seconds to wait before extending remember token deadline when +extend_remember_deadline?+ is true (3600 by default).
 raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
 remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
+remember_deadline_extended_session_key :: The session key set if the remember deadline token is being extended.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.
 remember_disable_param_value :: The parameter value for disabling remembering.

data/doc/webauthn.rdoc

@@ -104,9 +104,10 @@ remove_all_webauthn_keys_and_user_ids :: Remove all WebAuthn credentials and the
 remove_webauthn_key(webauthn_id) :: Remove the WebAuthn credential with the given WebAuthn ID from the current account.
 valid_new_webauthn_credential?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during registration is valid.
 valid_webauthn_credential_auth?(webauthn_credential) :: Check wheck the WebAuthn credential provided by the client during authentication is valid.
-webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
 webauthn_auth_js_path :: The path to the WebAuthn authentication javascript.
 webauthn_auth_view :: The HTML to use for the page for authenticating via WebAuthn.
+webauthn_credential_options_for_get :: WebAuthn credential options to provide to the client during WebAuthn authentication.
+webauthn_key_insert_hash(webauthn_credential) :: The hash to insert into the +webauthn_keys_table+.
 webauthn_remove_authenticated_session :: Remove the authenticated WebAuthn ID, used when removing the WebAuthn credential with the ID after authenticating with it.
 webauthn_remove_view :: The HTML to use for the page for removing an existing WebAuthn authenticator.
 webauthn_setup_js_path :: The path to the WebAuthn registration javascript.

data/lib/rodauth/features/active_sessions.rb

@@ -29,6 +29,7 @@ module Rodauth
       :currently_active_session?,
       :handle_duplicate_active_session_id,
       :no_longer_active_session,
+      :remove_active_session,
       :remove_all_active_sessions,
       :remove_current_session,
       :remove_inactive_sessions,
@@ -82,10 +83,14 @@ module Rodauth
 
     def remove_current_session
       if session_id = session[session_id_session_key]
-        active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
+        remove_active_session(compute_hmac(session_id))
       end
     end
 
+    def remove_active_session(session_id)
+      active_sessions_ds.where(active_sessions_session_id_column=>session_id).delete
+    end
+
     def remove_all_active_sessions
       active_sessions_ds.delete
     end
@@ -101,6 +106,7 @@ module Rodauth
     end
 
     def update_session
+      remove_current_session
       super
       add_active_session
     end

data/lib/rodauth/features/argon2.rb

@@ -15,6 +15,18 @@ module Rodauth
     auth_value_method :argon2_secret, nil
     auth_value_method :use_argon2?, true
 
+    def password_hash(password)
+      return super unless use_argon2?
+
+      if secret = argon2_secret
+        argon2_params = Hash[password_hash_cost]
+        argon2_params[:secret] = secret
+      else
+        argon2_params = password_hash_cost
+      end
+      ::Argon2::Password.new(argon2_params).create(password)
+    end
+
     private
 
     if Argon2::VERSION != '2.1.0'
@@ -34,18 +46,6 @@ module Rodauth
       argon2_hash_cost 
     end
 
-    def password_hash(password)
-      return super unless use_argon2?
-
-      if secret = argon2_secret
-        argon2_params = Hash[password_hash_cost]
-        argon2_params[:secret] = secret
-      else
-        argon2_params = password_hash_cost
-      end
-      ::Argon2::Password.new(argon2_params).create(password)
-    end
-
     def password_hash_match?(hash, password)
       return super unless argon2_hash_algorithm?(hash)
       argon2_password_hash_match?(hash, password)

data/lib/rodauth/features/base.rb

@@ -355,6 +355,10 @@ module Rodauth
       account_open_status_value
     end
 
+    def account!
+      account || (session_value && account_from_session)
+    end
+
     def account_from_session
       @account = _account_from_session
     end
@@ -680,7 +684,7 @@ module Rodauth
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        (account || account_from_session)[account_password_hash_column]
+        account![account_password_hash_column]
       elsif use_database_authentication_functions?
         db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -75,6 +75,10 @@ module Rodauth
       hash
     end
 
+    def password_hash(password)
+      BCrypt::Password.create(password, :cost=>password_hash_cost)
+    end
+
     private
     
     attr_reader :login_requirement_message
@@ -184,9 +188,5 @@ module Rodauth
     def extract_password_hash_cost(hash)
       hash[4, 2].to_i
     end
-    
-    def password_hash(password)
-      BCrypt::Password.create(password, :cost=>password_hash_cost)
-    end
   end
 end

data/lib/rodauth/features/password_pepper.rb

@@ -16,12 +16,12 @@ module Rodauth
       result
     end
 
-    private
-
     def password_hash(password)
       super(password + password_pepper.to_s)
     end
 
+    private
+
     def password_hash_match?(hash, password)
       return super if password_pepper.nil?
 

data/lib/rodauth/features/remember.rb

@@ -17,6 +17,7 @@ module Rodauth
     auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}.freeze
     auth_value_method :extend_remember_deadline?, false
+    auth_value_method :extend_remember_deadline_period, 3600
     auth_value_method :remember_period, {:days=>14}.freeze
     auth_value_method :remember_deadline_interval, {:days=>14}.freeze
     auth_value_method :remember_id_column, :id
@@ -28,6 +29,7 @@ module Rodauth
     auth_value_method :remember_remember_param_value, 'remember'
     auth_value_method :remember_forget_param_value, 'forget'
     auth_value_method :remember_disable_param_value, 'disable'
+    session_key :remember_deadline_extended_session_key, :remember_deadline_extended_at
     translatable_method :remember_remember_label, 'Remember Me'
     translatable_method :remember_forget_label, 'Forget Me'
     translatable_method :remember_disable_label, 'Disable Remember Me'
@@ -110,43 +112,23 @@ module Rodauth
     end
 
     def load_memory
-      return if session[session_key]
-
-      unless id = remembered_session_id
-        # Only set expired cookie if there is already a cookie set.
-        forget_login if _get_remember_cookie
-        return
-      end
-
-      set_session_value(session_key, id)
-      account = account_from_session
-      remove_session_value(session_key)
-
-      unless account
-        remove_remember_key(id)
-        forget_login
-        return 
-      end
-
-      before_load_memory
-      login_session('remember')
-
-      if extend_remember_deadline?
-        active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
-        remember_login
+      if logged_in?
+        if extend_remember_deadline_while_logged_in?
+          account_from_session
+          extend_remember_deadline
+        end
+      elsif account_from_remember_cookie
+        before_load_memory
+        login_session('remember')
+        extend_remember_deadline if extend_remember_deadline?
+        after_load_memory
       end
-      after_load_memory
     end
 
     def remember_login
       get_remember_key
-      opts = Hash[remember_cookie_options]
-      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
-      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
-      opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
-      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
-      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+      set_remember_cookie
+      set_session_value(remember_deadline_extended_session_key, Time.now.to_i) if extend_remember_deadline?
     end
 
     def forget_login
@@ -191,6 +173,53 @@ module Rodauth
 
     private
 
+    def set_remember_cookie
+      opts = Hash[remember_cookie_options]
+      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
+      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
+      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+    end
+
+    def extend_remember_deadline_while_logged_in?
+      return false unless extend_remember_deadline?
+
+      if extended_at = session[remember_deadline_extended_session_key]
+        extended_at + extend_remember_deadline_period < Time.now.to_i
+      elsif logged_in_via_remember_key?
+        # Handle existing sessions before the change to extend remember deadline
+        # while logged in.
+        true
+      end
+    end
+
+    def extend_remember_deadline
+      active_remember_key_ds.update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
+      remember_login
+    end
+
+    def account_from_remember_cookie
+      unless id = remembered_session_id
+        # Only set expired cookie if there is already a cookie set.
+        forget_login if _get_remember_cookie
+        return
+      end
+
+      set_session_value(session_key, id)
+      account_from_session
+      remove_session_value(session_key)
+
+      unless account
+        remove_remember_key(id)
+        forget_login
+        return
+      end
+
+      account
+    end
+
     def _get_remember_cookie
       request.cookies[remember_cookie_key]
     end

data/lib/rodauth/features/reset_password.rb

@@ -219,7 +219,7 @@ module Rodauth
     attr_reader :reset_password_key_value
 
     def after_login_failure
-      unless only_json?
+      unless only_json? || internal_request?
         @login_form_header = login_failed_reset_password_request_form
       end
       super

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -30,6 +30,10 @@ module Rodauth
       false
     end
 
+    def logged_in?
+      super && !unverified_grace_period_expired?
+    end
+
     def require_login
       if unverified_grace_period_expired?
         clear_session
@@ -79,7 +83,7 @@ module Rodauth
     end
 
     def account_in_unverified_grace_period?
-      return false unless account || (session_value && account_from_session)
+      return false unless account!
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?

data/lib/rodauth/features/webauthn.rb

@@ -103,6 +103,7 @@ module Rodauth
       :valid_webauthn_credential_auth?,
       :webauthn_auth_js_path,
       :webauthn_credential_options_for_get,
+      :webauthn_key_insert_hash,
       :webauthn_remove_authenticated_session,
       :webauthn_setup_js_path,
       :webauthn_update_session,
@@ -328,7 +329,7 @@ module Rodauth
     end
 
     def webauthn_user_name
-      (account || account_from_session)[login_column]
+      account![login_column]
     end
 
     def webauthn_origin
@@ -348,12 +349,7 @@ module Rodauth
     end
 
     def add_webauthn_credential(webauthn_credential)
-      webauthn_keys_ds.insert(
-        webauthn_keys_account_id_column => webauthn_account_id,
-        webauthn_keys_webauthn_id_column => webauthn_credential.id,
-        webauthn_keys_public_key_column => webauthn_credential.public_key,
-        webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
-      )
+      webauthn_keys_ds.insert(webauthn_key_insert_hash(webauthn_credential))
       super if defined?(super)
       nil
     end
@@ -435,6 +431,15 @@ module Rodauth
       super
     end
 
+    def webauthn_key_insert_hash(webauthn_credential)
+      {
+        webauthn_keys_account_id_column => webauthn_account_id,
+        webauthn_keys_webauthn_id_column => webauthn_credential.id,
+        webauthn_keys_public_key_column => webauthn_credential.public_key,
+        webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count)
+      }
+    end
+
     def webauthn_account_id
       session_value
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 27
+  MINOR = 29
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -22,8 +22,10 @@ module Rodauth
     end
 
     unless json_opt == :only
-      require 'tilt/string'
-      app.plugin :render
+      unless opts[:render] == false
+        require 'tilt/string'
+        app.plugin :render
+      end
 
       case opts.fetch(:csrf, app.opts[:rodauth_csrf])
       when false

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.27.0
+  version: 2.29.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-24 00:00:00.000000000 Z
+date: 2023-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -343,6 +343,8 @@ extra_rdoc_files:
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
+- doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -457,6 +459,8 @@ files:
 - doc/release_notes/2.25.0.txt
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
+- doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -614,7 +618,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications