rodauth 2.28.0 → 2.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15ed571757453e13ded3557bd2736779546b2c759230f8ee9070976a0207899e
-  data.tar.gz: 9aa5adf648fa1449a75a03d62ae4907f71d41adc49e81fde8da52097042c986c
+  metadata.gz: c1714e5a3a0a5bbae56f2905dd528611de3b958d505d312071148b56fdfb3d6f
+  data.tar.gz: 8bb57c30ced05b0825a5d1fd74efe9f6523202f1b151b591c0bbdf10ad9f12af
 SHA512:
-  metadata.gz: bdae4bbe3d9c471f967a8b24741504494a4003edce0c265dba9026694d64c08f61bd74cdbf80bded79e3b2c163fe7d273fcf72741f986711891fea5e481c501f
-  data.tar.gz: 5c6352c91b52012c6869a149e61887a1a6e0ace76557f2c4922eb699dc4da7f08a1265c5548bff25a3f617fa0a3b565b6d00f3472822d32812ae6261a4bcc95c
+  metadata.gz: 4dfc0639aaebdeacf6961122265720c992fb0d1af5d7864f5984fa902eef0ae49aea30db63681b1bdd1c598458f8ce5b035fdb3192249f3983afba15442bf990
+  data.tar.gz: d044a6934b3d06bee1e260de68ca5a88016b6f611da1e59dabf1e16afc63e7a82c6d16d196ed57a23558c14a0d6aecba4030ece7830a4f0a6211260b1e619b50

data/CHANGELOG

@@ -1,3 +1,15 @@
+=== 2.29.0 (2023-03-22)
+
+* Support :render=>false plugin options (davekaro) (#319)
+
+* Add remove_active_session method for removing the active session for a given session id (janko) (#317)
+
+* Remove current active session when adding new active session (janko) (#314) 
+
+* Extend the remember cookie deadline once an hour by default while logged in (janko, jeremyevans) (#313)
+
+* Add account! method for returning associated account or loading account based on the session value (janko) (#309)
+
 === 2.28.0 (2023-02-22)
 
 * Skip rendering reset password request form on invalid internal request logins (janko) (#303)

data/README.rdoc

@@ -79,7 +79,8 @@ There are some dependencies that Rodauth uses depending on the
 features in use. These are development dependencies instead of
 runtime dependencies in the gem as it is possible to run without them:
 
-tilt :: Used by all features unless in JSON API only mode.
+tilt :: Used by all features unless in JSON API only mode or using
+        :render=>false plugin option.
 rack_csrf :: Used for CSRF support if the <tt>csrf: :rack_csrf</tt> plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
@@ -852,6 +853,8 @@ which configures which dependent plugins should be loaded. Options:
 :csrf :: Set to +false+ to not load a csrf plugin.  Set to +:rack_csrf+
          to use the csrf plugin instead of the route_csrf plugin.
 :flash :: Set to +false+ to not load the flash plugin
+:render :: Set to +false+ to not load the render plugin. This is useful
+           to avoid the dependency on tilt when using alternative view libaries.
 :json :: Set to +true+ to load the json and json_parser plugins. Set
          to +:only+ to only load those plugins and not any other plugins.
          Note that if you are enabling features that send email, you
@@ -1000,6 +1003,8 @@ logged_in? :: Whether the session has been logged in.
 authenticated? :: Similar to +logged_in?+, but if the account has setup two
                   factor authentication, whether the session has authenticated
                   via two factors.
+account! :: Returns the current account record if it has already been loaded,
+            otherwise retrieves the account from session if logged in.
 authenticated_by :: An array of strings for successful authentication methods for
                     the current session (e.g. password/remember/webauthn).
 possible_authentication_methods :: An array of strings for possible authentication

data/doc/active_sessions.rdoc

@@ -48,6 +48,7 @@ add_active_session :: Create a session id for the session and populate the sessi
 currently_active_session? :: Whether the session is currently active, by checking the database table.
 handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
 no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
+remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
 remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
 remove_current_session :: Remove current session from the database, used for regular logouts.
 remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/json.rdoc

@@ -15,7 +15,7 @@ an array containing the field name and the error message for that field.
 Successful requests by default store a +success+ entry with a success
 message, though that can be disabled.
 
-The JSON response can be modified at any point by modifying the `json_response`
+The JSON response can be modified at any point by modifying the +json_response+
 hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
 to the JSON response:
 

data/doc/release_notes/2.29.0.txt

@@ -0,0 +1,27 @@
+= New Features
+
+* When using the remember feature, by default, the remember deadline
+  is extended while logged in, if it hasn't been extended in the last
+  hour
+
+* An account! method has been added, which will return the hash for
+  the account if already retrieved, or attempt to retrieve the
+  account hash using the currently logged in session if not.
+  Because of the ambiguity in the provenance of the returned account
+  hash, callers should be careful when using this method.
+
+* A remove_active_session method has been added.  You can call this
+  method with a specific session id, and it will remove the related
+  active session.
+
+* A render: false plugin option is now support, which will disable
+  the automatic loading of the render plugin.  This should only be
+  used if you are completely replacing Rodauth's view rendering with
+  your own.
+
+= Other Improvements
+
+* When logging in when using the active_sessions feature, if there is
+  a current active session, it is removed before a new active session
+  is created. This prevents some stale active sessions from remaining
+  in the database (which would eventually be cleaned up later).

data/doc/remember.rdoc

@@ -30,13 +30,15 @@ for sessions autologged in via a remember token:
 
 == Auth Value Methods
 
-extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token.
+extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token and every +extend_remember_deadline_period+ seconds while logged in.
+extend_remember_deadline_period :: The amount of seconds to wait before extending remember token deadline when +extend_remember_deadline?+ is true (3600 by default).
 raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
 remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
+remember_deadline_extended_session_key :: The session key set if the remember deadline token is being extended.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.
 remember_disable_param_value :: The parameter value for disabling remembering.

data/lib/rodauth/features/active_sessions.rb

@@ -29,6 +29,7 @@ module Rodauth
       :currently_active_session?,
       :handle_duplicate_active_session_id,
       :no_longer_active_session,
+      :remove_active_session,
       :remove_all_active_sessions,
       :remove_current_session,
       :remove_inactive_sessions,
@@ -82,10 +83,14 @@ module Rodauth
 
     def remove_current_session
       if session_id = session[session_id_session_key]
-        active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
+        remove_active_session(compute_hmac(session_id))
       end
     end
 
+    def remove_active_session(session_id)
+      active_sessions_ds.where(active_sessions_session_id_column=>session_id).delete
+    end
+
     def remove_all_active_sessions
       active_sessions_ds.delete
     end
@@ -101,6 +106,7 @@ module Rodauth
     end
 
     def update_session
+      remove_current_session
       super
       add_active_session
     end

data/lib/rodauth/features/base.rb

@@ -355,6 +355,10 @@ module Rodauth
       account_open_status_value
     end
 
+    def account!
+      account || (session_value && account_from_session)
+    end
+
     def account_from_session
       @account = _account_from_session
     end
@@ -680,7 +684,7 @@ module Rodauth
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        (account || account_from_session)[account_password_hash_column]
+        account![account_password_hash_column]
       elsif use_database_authentication_functions?
         db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else

data/lib/rodauth/features/remember.rb

@@ -17,6 +17,7 @@ module Rodauth
     auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}.freeze
     auth_value_method :extend_remember_deadline?, false
+    auth_value_method :extend_remember_deadline_period, 3600
     auth_value_method :remember_period, {:days=>14}.freeze
     auth_value_method :remember_deadline_interval, {:days=>14}.freeze
     auth_value_method :remember_id_column, :id
@@ -28,6 +29,7 @@ module Rodauth
     auth_value_method :remember_remember_param_value, 'remember'
     auth_value_method :remember_forget_param_value, 'forget'
     auth_value_method :remember_disable_param_value, 'disable'
+    session_key :remember_deadline_extended_session_key, :remember_deadline_extended_at
     translatable_method :remember_remember_label, 'Remember Me'
     translatable_method :remember_forget_label, 'Forget Me'
     translatable_method :remember_disable_label, 'Disable Remember Me'
@@ -110,43 +112,23 @@ module Rodauth
     end
 
     def load_memory
-      return if session[session_key]
-
-      unless id = remembered_session_id
-        # Only set expired cookie if there is already a cookie set.
-        forget_login if _get_remember_cookie
-        return
-      end
-
-      set_session_value(session_key, id)
-      account = account_from_session
-      remove_session_value(session_key)
-
-      unless account
-        remove_remember_key(id)
-        forget_login
-        return 
-      end
-
-      before_load_memory
-      login_session('remember')
-
-      if extend_remember_deadline?
-        active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
-        remember_login
+      if logged_in?
+        if extend_remember_deadline_while_logged_in?
+          account_from_session
+          extend_remember_deadline
+        end
+      elsif account_from_remember_cookie
+        before_load_memory
+        login_session('remember')
+        extend_remember_deadline if extend_remember_deadline?
+        after_load_memory
       end
-      after_load_memory
     end
 
     def remember_login
       get_remember_key
-      opts = Hash[remember_cookie_options]
-      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
-      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
-      opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
-      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
-      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+      set_remember_cookie
+      set_session_value(remember_deadline_extended_session_key, Time.now.to_i) if extend_remember_deadline?
     end
 
     def forget_login
@@ -191,6 +173,53 @@ module Rodauth
 
     private
 
+    def set_remember_cookie
+      opts = Hash[remember_cookie_options]
+      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
+      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
+      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+    end
+
+    def extend_remember_deadline_while_logged_in?
+      return false unless extend_remember_deadline?
+
+      if extended_at = session[remember_deadline_extended_session_key]
+        extended_at + extend_remember_deadline_period < Time.now.to_i
+      elsif logged_in_via_remember_key?
+        # Handle existing sessions before the change to extend remember deadline
+        # while logged in.
+        true
+      end
+    end
+
+    def extend_remember_deadline
+      active_remember_key_ds.update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
+      remember_login
+    end
+
+    def account_from_remember_cookie
+      unless id = remembered_session_id
+        # Only set expired cookie if there is already a cookie set.
+        forget_login if _get_remember_cookie
+        return
+      end
+
+      set_session_value(session_key, id)
+      account_from_session
+      remove_session_value(session_key)
+
+      unless account
+        remove_remember_key(id)
+        forget_login
+        return
+      end
+
+      account
+    end
+
     def _get_remember_cookie
       request.cookies[remember_cookie_key]
     end

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -83,7 +83,7 @@ module Rodauth
     end
 
     def account_in_unverified_grace_period?
-      return false unless account || (session_value && account_from_session)
+      return false unless account!
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?

data/lib/rodauth/features/webauthn.rb

@@ -329,7 +329,7 @@ module Rodauth
     end
 
     def webauthn_user_name
-      (account || account_from_session)[login_column]
+      account![login_column]
     end
 
     def webauthn_origin

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 28
+  MINOR = 29
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -22,8 +22,10 @@ module Rodauth
     end
 
     unless json_opt == :only
-      require 'tilt/string'
-      app.plugin :render
+      unless opts[:render] == false
+        require 'tilt/string'
+        app.plugin :render
+      end
 
       case opts.fetch(:csrf, app.opts[:rodauth_csrf])
       when false

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.28.0
+  version: 2.29.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-22 00:00:00.000000000 Z
+date: 2023-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -344,6 +344,7 @@ extra_rdoc_files:
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
 - doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
@@ -459,6 +460,7 @@ files:
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
 - doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt