rodauth 2.28.0 → 2.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15ed571757453e13ded3557bd2736779546b2c759230f8ee9070976a0207899e
-  data.tar.gz: 9aa5adf648fa1449a75a03d62ae4907f71d41adc49e81fde8da52097042c986c
+  metadata.gz: 8270d10e6c0fbe554fc322958893f2c8069363af6455c0d17b0a7d3aafab11bd
+  data.tar.gz: 6eae8a9487764a9b189b27b8f1588e1516d86a6953fdabe0cff6adfd84facb5a
 SHA512:
-  metadata.gz: bdae4bbe3d9c471f967a8b24741504494a4003edce0c265dba9026694d64c08f61bd74cdbf80bded79e3b2c163fe7d273fcf72741f986711891fea5e481c501f
-  data.tar.gz: 5c6352c91b52012c6869a149e61887a1a6e0ace76557f2c4922eb699dc4da7f08a1265c5548bff25a3f617fa0a3b565b6d00f3472822d32812ae6261a4bcc95c
+  metadata.gz: d4dca9a0819842a478fac05f138b07452a054c7e498821eee7e61ab49640eccc46974d38c3aea1f71bf226eb7f76b03888a6734d7ae2139bcc74aca9a24bad6c
+  data.tar.gz: 5075118b0c6a8b27df251a2e6bfcd45e3dacc7ba1402bf5bacfc38a50b93b424a0ccdb479b1f5541d589f5687a8424c7319a194c0b01a80c762b725065190013

data/CHANGELOG

@@ -1,3 +1,21 @@
+=== 2.30.0 (2023-05-22)
+
+* Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)
+
+* Add webauthn_autofill feature, for supporting autofill of webauthn information on the login form (janko) (#328)
+
+=== 2.29.0 (2023-03-22)
+
+* Support :render=>false plugin options (davekaro) (#319)
+
+* Add remove_active_session method for removing the active session for a given session id (janko) (#317)
+
+* Remove current active session when adding new active session (janko) (#314) 
+
+* Extend the remember cookie deadline once an hour by default while logged in (janko, jeremyevans) (#313)
+
+* Add account! method for returning associated account or loading account based on the session value (janko) (#309)
+
 === 2.28.0 (2023-02-22)
 
 * Skip rendering reset password request form on invalid internal request logins (janko) (#303)

data/README.rdoc

@@ -37,6 +37,7 @@ HTML and JSON API for all supported features.
 * WebAuthn (Multifactor authentication via WebAuthn)
 * WebAuthn Login (Passwordless login via WebAuthn)
 * WebAuthn Verify Account (Passwordless WebAuthn Setup)
+* WebAuthn Autofill (Autofill WebAuthn credentials on login)
 * OTP (Multifactor authentication via TOTP)
 * Recovery Codes (Multifactor authentication via backup codes)
 * SMS Codes (Multifactor authentication via SMS)
@@ -79,7 +80,8 @@ There are some dependencies that Rodauth uses depending on the
 features in use. These are development dependencies instead of
 runtime dependencies in the gem as it is possible to run without them:
 
-tilt :: Used by all features unless in JSON API only mode.
+tilt :: Used by all features unless in JSON API only mode or using
+        :render=>false plugin option.
 rack_csrf :: Used for CSRF support if the <tt>csrf: :rack_csrf</tt> plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
@@ -317,6 +319,16 @@ bad idea), you don't need to use the PostgreSQL citext extension. Just
 remember to modify the migration below to use +String+ instead of +citext+
 for the email in that case.
 
+=== Grant schema rights (PostgreSQL 15+)
+
+PostgreSQL 15 changed default database security so that only the database
+owner has writable access to the public schema.  Rodauth expects the
++ph+ account to have writable access to the public schema when setting
+things up.  Temporarily grant that access (it will be revoked after the
+migation has run)
+
+  psql -U postgres -c "GRANT CREATE ON SCHEMA public TO ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Using non-default schema
 
 PostgreSQL sets up new tables in the public schema by default.
@@ -738,6 +750,13 @@ One thing to notice in the above migrations is that Rodauth uses additional
 tables for additional features, instead of additional columns in a single
 table.
 
+=== Revoking schema rights (PostgreSQL 15+)
+
+If you explicit granted access to the public schema before running the
+migration, revoke it afterward:
+
+  psql -U postgres -c "REVOKE CREATE ON SCHEMA public FROM ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Locking Down (PostgreSQL only)
 
 After running the migrations, you can increase security slightly by making
@@ -852,6 +871,8 @@ which configures which dependent plugins should be loaded. Options:
 :csrf :: Set to +false+ to not load a csrf plugin.  Set to +:rack_csrf+
          to use the csrf plugin instead of the route_csrf plugin.
 :flash :: Set to +false+ to not load the flash plugin
+:render :: Set to +false+ to not load the render plugin. This is useful
+           to avoid the dependency on tilt when using alternative view libaries.
 :json :: Set to +true+ to load the json and json_parser plugins. Set
          to +:only+ to only load those plugins and not any other plugins.
          Note that if you are enabling features that send email, you
@@ -912,6 +933,7 @@ view the appropriate file in the doc directory.
 * {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
 * {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
 * {WebAuthn}[rdoc-ref:doc/webauthn.rdoc]
+* {WebAuthn Autofill}[rdoc-ref:doc/webauthn_autofill.rdoc]
 * {WebAuthn Login}[rdoc-ref:doc/webauthn_login.rdoc]
 * {WebAuthn Verify Account}[rdoc-ref:doc/webauthn_verify_account.rdoc]
 
@@ -1000,6 +1022,8 @@ logged_in? :: Whether the session has been logged in.
 authenticated? :: Similar to +logged_in?+, but if the account has setup two
                   factor authentication, whether the session has authenticated
                   via two factors.
+account! :: Returns the current account record if it has already been loaded,
+            otherwise retrieves the account from session if logged in.
 authenticated_by :: An array of strings for successful authentication methods for
                     the current session (e.g. password/remember/webauthn).
 possible_authentication_methods :: An array of strings for possible authentication

data/doc/active_sessions.rdoc

@@ -48,6 +48,7 @@ add_active_session :: Create a session id for the session and populate the sessi
 currently_active_session? :: Whether the session is currently active, by checking the database table.
 handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
 no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
+remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
 remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
 remove_current_session :: Remove current session from the database, used for regular logouts.
 remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/json.rdoc

@@ -15,7 +15,7 @@ an array containing the field name and the error message for that field.
 Successful requests by default store a +success+ entry with a success
 message, though that can be disabled.
 
-The JSON response can be modified at any point by modifying the `json_response`
+The JSON response can be modified at any point by modifying the +json_response+
 hash. The following example adds an {error reason}[rdoc-ref:doc/error_reasons.rdoc]
 to the JSON response:
 

data/doc/release_notes/2.29.0.txt

@@ -0,0 +1,27 @@
+= New Features
+
+* When using the remember feature, by default, the remember deadline
+  is extended while logged in, if it hasn't been extended in the last
+  hour
+
+* An account! method has been added, which will return the hash for
+  the account if already retrieved, or attempt to retrieve the
+  account hash using the currently logged in session if not.
+  Because of the ambiguity in the provenance of the returned account
+  hash, callers should be careful when using this method.
+
+* A remove_active_session method has been added.  You can call this
+  method with a specific session id, and it will remove the related
+  active session.
+
+* A render: false plugin option is now support, which will disable
+  the automatic loading of the render plugin.  This should only be
+  used if you are completely replacing Rodauth's view rendering with
+  your own.
+
+= Other Improvements
+
+* When logging in when using the active_sessions feature, if there is
+  a current active session, it is removed before a new active session
+  is created. This prevents some stale active sessions from remaining
+  in the database (which would eventually be cleaned up later).

data/doc/release_notes/2.30.0.txt

@@ -0,0 +1,15 @@
+= New Features
+
+* A webauthn_autofill feature has been added to allow autofilling
+  webauthn credentials during login (also known as conditional
+  mediation).  This allows for easier login using passkeys.
+  This requires a supported browser and operating system on the
+  client side to work.
+
+= Other Improvements
+
+* The load_memory method in the remember feature no longer raises
+  a NoMethodError if the there is a remember cookie, the session is
+  already logged in, and the account no longer exists.  The
+  load_memory method now removes the remember cookie and clears the
+  session in that case.

data/doc/remember.rdoc

@@ -30,13 +30,15 @@ for sessions autologged in via a remember token:
 
 == Auth Value Methods
 
-extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token.
+extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token and every +extend_remember_deadline_period+ seconds while logged in.
+extend_remember_deadline_period :: The amount of seconds to wait before extending remember token deadline when +extend_remember_deadline?+ is true (3600 by default).
 raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
 remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
+remember_deadline_extended_session_key :: The session key set if the remember deadline token is being extended.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.
 remember_disable_param_value :: The parameter value for disabling remembering.

data/doc/webauthn_autofill.rdoc

@@ -0,0 +1,14 @@
+= Documentation for WebAuthn Autofill Feature
+
+The webauthn_autofill feature enables autofill UI (aka "conditional mediation")
+for WebAuthn credentials, logging the user in on selection. It depends on the
+webauthn_login feature.
+
+== Auth Value Methods
+
+webauthn_autofill_js :: The javascript code to execute on the login page to enable autofill UI.
+webauthn_autofill_js_route :: The route to the webauthn autofill javascript file.
+
+== Auth Methods
+
+before_webauthn_autofill_js_route :: Run arbitrary code before handling a webauthn autofill javascript route.

data/doc/webauthn_login.rdoc

@@ -1,6 +1,6 @@
 = Documentation for WebAuthn Login Feature
 
-The webauthn feature implements passwordless authentication via
+The webauthn_login feature implements passwordless authentication via
 WebAuthn. It depends on the login and webauthn features.
 
 == Auth Value Methods

data/doc/webauthn_verify_account.rdoc

@@ -1,6 +1,6 @@
 = Documentation for WebAuthn Verify Account Feature
 
-The webauthn feature implements setting up an WebAuthn authenticator
+The webauthn_verify_account feature implements setting up an WebAuthn authenticator
 during the account verification process, and making such setup
 a requirement for account verification.  By default, it disables
 asking for a password during account creation and verification,

data/javascript/webauthn_autofill.js

@@ -0,0 +1,38 @@
+(function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
+  var element = document.getElementById('webauthn-login-form');
+
+  if (!window.PublicKeyCredential || !PublicKeyCredential.isConditionalMediationAvailable) return;
+
+  PublicKeyCredential.isConditionalMediationAvailable().then(function(available) {
+    if (!available) return;
+
+    var opts = JSON.parse(element.getAttribute("data-credential-options"));
+    opts.challenge = unpack(opts.challenge);
+    opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
+
+    navigator.credentials.get({mediation: "conditional", publicKey: opts}).then(function(cred) {
+      var rawId = pack(cred.rawId);
+      var authValue = {
+        type: cred.type,
+        id: rawId,
+        rawId: rawId,
+        response: {
+          authenticatorData: pack(cred.response.authenticatorData),
+          clientDataJSON: pack(cred.response.clientDataJSON),
+          signature: pack(cred.response.signature)
+        }
+      };
+
+      if (cred.response.userHandle) {
+        authValue.response.userHandle = pack(cred.response.userHandle);
+      }
+
+      document.getElementById('webauthn-auth').value = JSON.stringify(authValue);
+
+      element.submit();
+    });
+  });
+})();
+

data/lib/rodauth/features/active_sessions.rb

@@ -29,6 +29,7 @@ module Rodauth
       :currently_active_session?,
       :handle_duplicate_active_session_id,
       :no_longer_active_session,
+      :remove_active_session,
       :remove_all_active_sessions,
       :remove_current_session,
       :remove_inactive_sessions,
@@ -82,10 +83,14 @@ module Rodauth
 
     def remove_current_session
       if session_id = session[session_id_session_key]
-        active_sessions_ds.where(active_sessions_session_id_column=>compute_hmac(session_id)).delete
+        remove_active_session(compute_hmac(session_id))
       end
     end
 
+    def remove_active_session(session_id)
+      active_sessions_ds.where(active_sessions_session_id_column=>session_id).delete
+    end
+
     def remove_all_active_sessions
       active_sessions_ds.delete
     end
@@ -101,6 +106,7 @@ module Rodauth
     end
 
     def update_session
+      remove_current_session
       super
       add_active_session
     end

data/lib/rodauth/features/base.rb

@@ -269,6 +269,10 @@ module Rodauth
       Sequel::DATABASES.first or raise "Sequel database connection is missing"
     end
 
+    def login_field_autocomplete_value
+      login_uses_email? ? "email" : "on"
+    end
+
     def password_field_autocomplete_value
       @password_field_autocomplete_value || 'current-password'
     end
@@ -355,6 +359,10 @@ module Rodauth
       account_open_status_value
     end
 
+    def account!
+      account || (session_value && account_from_session)
+    end
+
     def account_from_session
       @account = _account_from_session
     end
@@ -680,7 +688,7 @@ module Rodauth
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        (account || account_from_session)[account_password_hash_column]
+        account![account_password_hash_column]
       elsif use_database_authentication_functions?
         db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else

data/lib/rodauth/features/json.rb

@@ -116,7 +116,7 @@ module Rodauth
 
     def before_webauthn_login_route
       super if defined?(super)
-      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+      if use_json? && !param_or_nil(webauthn_auth_param) && webauthn_login_options?
         cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge

data/lib/rodauth/features/remember.rb

@@ -17,6 +17,7 @@ module Rodauth
     auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}.freeze
     auth_value_method :extend_remember_deadline?, false
+    auth_value_method :extend_remember_deadline_period, 3600
     auth_value_method :remember_period, {:days=>14}.freeze
     auth_value_method :remember_deadline_interval, {:days=>14}.freeze
     auth_value_method :remember_id_column, :id
@@ -28,6 +29,7 @@ module Rodauth
     auth_value_method :remember_remember_param_value, 'remember'
     auth_value_method :remember_forget_param_value, 'forget'
     auth_value_method :remember_disable_param_value, 'disable'
+    session_key :remember_deadline_extended_session_key, :remember_deadline_extended_at
     translatable_method :remember_remember_label, 'Remember Me'
     translatable_method :remember_forget_label, 'Forget Me'
     translatable_method :remember_disable_label, 'Disable Remember Me'
@@ -110,43 +112,27 @@ module Rodauth
     end
 
     def load_memory
-      return if session[session_key]
-
-      unless id = remembered_session_id
-        # Only set expired cookie if there is already a cookie set.
-        forget_login if _get_remember_cookie
-        return
-      end
-
-      set_session_value(session_key, id)
-      account = account_from_session
-      remove_session_value(session_key)
-
-      unless account
-        remove_remember_key(id)
-        forget_login
-        return 
-      end
-
-      before_load_memory
-      login_session('remember')
-
-      if extend_remember_deadline?
-        active_remember_key_ds(id).update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
-        remember_login
+      if logged_in?
+        if extend_remember_deadline_while_logged_in?
+          if account_from_session
+            extend_remember_deadline
+          else
+            forget_login
+            clear_session
+          end
+        end
+      elsif account_from_remember_cookie
+        before_load_memory
+        login_session('remember')
+        extend_remember_deadline if extend_remember_deadline?
+        after_load_memory
       end
-      after_load_memory
     end
 
     def remember_login
       get_remember_key
-      opts = Hash[remember_cookie_options]
-      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
-      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
-      opts[:path] = "/" unless opts.key?(:path)
-      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
-      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
-      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+      set_remember_cookie
+      set_session_value(remember_deadline_extended_session_key, Time.now.to_i) if extend_remember_deadline?
     end
 
     def forget_login
@@ -191,6 +177,53 @@ module Rodauth
 
     private
 
+    def set_remember_cookie
+      opts = Hash[remember_cookie_options]
+      opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
+      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
+      ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
+    end
+
+    def extend_remember_deadline_while_logged_in?
+      return false unless extend_remember_deadline?
+
+      if extended_at = session[remember_deadline_extended_session_key]
+        extended_at + extend_remember_deadline_period < Time.now.to_i
+      elsif logged_in_via_remember_key?
+        # Handle existing sessions before the change to extend remember deadline
+        # while logged in.
+        true
+      end
+    end
+
+    def extend_remember_deadline
+      active_remember_key_ds.update(remember_deadline_column=>Sequel.date_add(Sequel::CURRENT_TIMESTAMP, remember_period))
+      remember_login
+    end
+
+    def account_from_remember_cookie
+      unless id = remembered_session_id
+        # Only set expired cookie if there is already a cookie set.
+        forget_login if _get_remember_cookie
+        return
+      end
+
+      set_session_value(session_key, id)
+      account_from_session
+      remove_session_value(session_key)
+
+      unless account
+        remove_remember_key(id)
+        forget_login
+        return
+      end
+
+      account
+    end
+
     def _get_remember_cookie
       request.cookies[remember_cookie_key]
     end

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -83,7 +83,7 @@ module Rodauth
     end
 
     def account_in_unverified_grace_period?
-      return false unless account || (session_value && account_from_session)
+      return false unless account!
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?

data/lib/rodauth/features/webauthn.rb

@@ -320,7 +320,7 @@ module Rodauth
 
     def webauthn_credential_options_for_get
       WebAuthn::Credential.options_for_get(
-        :allow => account_webauthn_ids,
+        :allow => webauthn_allow,
         :timeout => webauthn_auth_timeout,
         :rp_id => webauthn_rp_id,
         :user_verification => webauthn_user_verification,
@@ -329,13 +329,17 @@ module Rodauth
     end
 
     def webauthn_user_name
-      (account || account_from_session)[login_column]
+      account![login_column]
     end
 
     def webauthn_origin
       base_url
     end
 
+    def webauthn_allow
+      account_webauthn_ids
+    end
+
     def webauthn_rp_id
       webauthn_origin.sub(/\Ahttps?:\/\//, '').sub(/:\d+\z/, '')
     end
@@ -453,21 +457,8 @@ module Rodauth
     end
 
     def webauthn_auth_credential_from_form_submission
-      case auth_data = raw_param(webauthn_auth_param)
-      when String
-        begin
-          auth_data = JSON.parse(auth_data)
-        rescue
-          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
-        end
-      when Hash
-        # nothing
-      else
-        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
-      end
-
       begin
-        webauthn_credential = WebAuthn::Credential.from_get(auth_data)
+        webauthn_credential = WebAuthn::Credential.from_get(webauthn_auth_data)
         unless valid_webauthn_credential_auth?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
         end
@@ -480,26 +471,28 @@ module Rodauth
       webauthn_credential
     end
 
-    def webauthn_setup_credential_from_form_submission
-      case setup_data = raw_param(webauthn_setup_param)
+    def webauthn_auth_data
+      case auth_data = raw_param(webauthn_auth_param)
       when String
         begin
-          setup_data = JSON.parse(setup_data)
+          JSON.parse(auth_data)
         rescue
-          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
         end
       when Hash
-        # nothing
+        auth_data
       else
-        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
       end
+    end
 
+    def webauthn_setup_credential_from_form_submission
       unless two_factor_password_match?(param(password_param))
         throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
       end
 
       begin
-        webauthn_credential = WebAuthn::Credential.from_create(setup_data)
+        webauthn_credential = WebAuthn::Credential.from_create(webauthn_setup_data)
         unless valid_new_webauthn_credential?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
         end
@@ -509,5 +502,20 @@ module Rodauth
 
       webauthn_credential
     end
+
+    def webauthn_setup_data
+      case setup_data = raw_param(webauthn_setup_param)
+      when String
+        begin
+          JSON.parse(setup_data)
+        rescue
+          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+        end
+      when Hash
+        setup_data
+      else
+        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+      end
+    end
   end
 end

data/lib/rodauth/features/webauthn_autofill.rb

@@ -0,0 +1,58 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:webauthn_autofill, :WebauthnAutofill) do
+    depends :webauthn_login
+
+    auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
+
+    route(:webauthn_autofill_js) do |r|
+      before_webauthn_autofill_js_route
+      r.get do
+        response['Content-Type'] = 'text/javascript'
+        webauthn_autofill_js
+      end
+    end
+
+    def webauthn_allow
+      return [] unless logged_in? || account
+      super
+    end
+
+    def webauthn_user_verification
+      'preferred'
+    end
+
+    def webauthn_authenticator_selection
+      super.merge({ 'residentKey' => 'required', 'requireResidentKey' => true })
+    end
+
+    def login_field_autocomplete_value
+      request.path_info == login_path ? "#{super} webauthn" : super
+    end
+
+    private
+
+    def _login_form_footer
+      footer = super
+      footer += render("webauthn-autofill") unless valid_login_entered?
+      footer
+    end
+
+    def account_from_webauthn_login
+      return super if param_or_nil(login_param)
+
+      credential_id = webauthn_auth_data["id"]
+      account_id = db[webauthn_keys_table]
+        .where(webauthn_keys_webauthn_id_column => credential_id)
+        .get(webauthn_keys_account_id_column)
+
+      @account = account_ds(account_id).first if account_id
+    end
+
+    def webauthn_login_options?
+      return true unless param_or_nil(login_param)
+      super
+    end
+  end
+end

data/lib/rodauth/features/webauthn_login.rb

@@ -16,7 +16,7 @@ module Rodauth
 
       r.post do
         catch_error do
-          unless account_from_login(param(login_param)) && open_account?
+          unless account_from_webauthn_login && open_account?
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message) 
           end
 
@@ -54,6 +54,14 @@ module Rodauth
 
     private
 
+    def account_from_webauthn_login
+      account_from_login(param(login_param))
+    end
+
+    def webauthn_login_options?
+      !!account_from_webauthn_login
+    end
+
     def _multi_phase_login_forms
       forms = super
       if valid_login_entered? && webauthn_setup?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 28
+  MINOR = 30
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -22,8 +22,10 @@ module Rodauth
     end
 
     unless json_opt == :only
-      require 'tilt/string'
-      app.plugin :render
+      unless opts[:render] == false
+        require 'tilt/string'
+        app.plugin :render
+      end
 
       case opts.fetch(:csrf, app.opts[:rodauth_csrf])
       when false

data/templates/login-field.str

@@ -1,4 +1,4 @@
 <div class="form-group mb-3">
   <label for="login" class="form-label">#{rodauth.login_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_uses_email? ? "email" : "on")}
+  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_field_autocomplete_value)}
 </div>

data/templates/webauthn-autofill.str

@@ -0,0 +1,9 @@
+<form method="post" action="#{rodauth.webauthn_login_path}" class="rodauth" role="form" id="webauthn-login-form" data-credential-options="#{h((cred = rodauth.webauthn_credential_options_for_get).as_json.to_json)}">
+  #{rodauth.webauthn_auth_additional_form_tags}
+  #{rodauth.csrf_tag(rodauth.webauthn_login_path)}
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  #{rodauth.button(rodauth.webauthn_auth_button, class: "d-none")}
+</form>
+<script src="#{rodauth.webauthn_js_host}#{rodauth.webauthn_autofill_js_path}"></script>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.28.0
+  version: 2.30.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-22 00:00:00.000000000 Z
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -296,6 +296,7 @@ extra_rdoc_files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - doc/release_notes/1.0.0.txt
@@ -344,7 +345,9 @@ extra_rdoc_files:
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
 - doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -459,7 +462,9 @@ files:
 - doc/release_notes/2.26.0.txt
 - doc/release_notes/2.27.0.txt
 - doc/release_notes/2.28.0.txt
+- doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -478,9 +483,11 @@ files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - javascript/webauthn_auth.js
+- javascript/webauthn_autofill.js
 - javascript/webauthn_setup.js
 - lib/roda/plugins/rodauth.rb
 - lib/rodauth.rb
@@ -528,6 +535,7 @@ files:
 - lib/rodauth/features/verify_account_grace_period.rb
 - lib/rodauth/features/verify_login_change.rb
 - lib/rodauth/features/webauthn.rb
+- lib/rodauth/features/webauthn_autofill.rb
 - lib/rodauth/features/webauthn_login.rb
 - lib/rodauth/features/webauthn_verify_account.rb
 - lib/rodauth/migrations.rb
@@ -583,6 +591,7 @@ files:
 - templates/verify-login-change-email.str
 - templates/verify-login-change.str
 - templates/webauthn-auth.str
+- templates/webauthn-autofill.str
 - templates/webauthn-remove.str
 - templates/webauthn-setup.str
 homepage: https://rodauth.jeremyevans.net
@@ -616,7 +625,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications