rodauth 2.29.0 → 2.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1714e5a3a0a5bbae56f2905dd528611de3b958d505d312071148b56fdfb3d6f
-  data.tar.gz: 8bb57c30ced05b0825a5d1fd74efe9f6523202f1b151b591c0bbdf10ad9f12af
+  metadata.gz: 8270d10e6c0fbe554fc322958893f2c8069363af6455c0d17b0a7d3aafab11bd
+  data.tar.gz: 6eae8a9487764a9b189b27b8f1588e1516d86a6953fdabe0cff6adfd84facb5a
 SHA512:
-  metadata.gz: 4dfc0639aaebdeacf6961122265720c992fb0d1af5d7864f5984fa902eef0ae49aea30db63681b1bdd1c598458f8ce5b035fdb3192249f3983afba15442bf990
-  data.tar.gz: d044a6934b3d06bee1e260de68ca5a88016b6f611da1e59dabf1e16afc63e7a82c6d16d196ed57a23558c14a0d6aecba4030ece7830a4f0a6211260b1e619b50
+  metadata.gz: d4dca9a0819842a478fac05f138b07452a054c7e498821eee7e61ab49640eccc46974d38c3aea1f71bf226eb7f76b03888a6734d7ae2139bcc74aca9a24bad6c
+  data.tar.gz: 5075118b0c6a8b27df251a2e6bfcd45e3dacc7ba1402bf5bacfc38a50b93b424a0ccdb479b1f5541d589f5687a8424c7319a194c0b01a80c762b725065190013

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 2.30.0 (2023-05-22)
+
+* Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)
+
+* Add webauthn_autofill feature, for supporting autofill of webauthn information on the login form (janko) (#328)
+
 === 2.29.0 (2023-03-22)
 
 * Support :render=>false plugin options (davekaro) (#319)

data/README.rdoc

@@ -37,6 +37,7 @@ HTML and JSON API for all supported features.
 * WebAuthn (Multifactor authentication via WebAuthn)
 * WebAuthn Login (Passwordless login via WebAuthn)
 * WebAuthn Verify Account (Passwordless WebAuthn Setup)
+* WebAuthn Autofill (Autofill WebAuthn credentials on login)
 * OTP (Multifactor authentication via TOTP)
 * Recovery Codes (Multifactor authentication via backup codes)
 * SMS Codes (Multifactor authentication via SMS)
@@ -318,6 +319,16 @@ bad idea), you don't need to use the PostgreSQL citext extension. Just
 remember to modify the migration below to use +String+ instead of +citext+
 for the email in that case.
 
+=== Grant schema rights (PostgreSQL 15+)
+
+PostgreSQL 15 changed default database security so that only the database
+owner has writable access to the public schema.  Rodauth expects the
++ph+ account to have writable access to the public schema when setting
+things up.  Temporarily grant that access (it will be revoked after the
+migation has run)
+
+  psql -U postgres -c "GRANT CREATE ON SCHEMA public TO ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Using non-default schema
 
 PostgreSQL sets up new tables in the public schema by default.
@@ -739,6 +750,13 @@ One thing to notice in the above migrations is that Rodauth uses additional
 tables for additional features, instead of additional columns in a single
 table.
 
+=== Revoking schema rights (PostgreSQL 15+)
+
+If you explicit granted access to the public schema before running the
+migration, revoke it afterward:
+
+  psql -U postgres -c "REVOKE CREATE ON SCHEMA public FROM ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Locking Down (PostgreSQL only)
 
 After running the migrations, you can increase security slightly by making
@@ -915,6 +933,7 @@ view the appropriate file in the doc directory.
 * {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
 * {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
 * {WebAuthn}[rdoc-ref:doc/webauthn.rdoc]
+* {WebAuthn Autofill}[rdoc-ref:doc/webauthn_autofill.rdoc]
 * {WebAuthn Login}[rdoc-ref:doc/webauthn_login.rdoc]
 * {WebAuthn Verify Account}[rdoc-ref:doc/webauthn_verify_account.rdoc]
 

data/doc/release_notes/2.30.0.txt

@@ -0,0 +1,15 @@
+= New Features
+
+* A webauthn_autofill feature has been added to allow autofilling
+  webauthn credentials during login (also known as conditional
+  mediation).  This allows for easier login using passkeys.
+  This requires a supported browser and operating system on the
+  client side to work.
+
+= Other Improvements
+
+* The load_memory method in the remember feature no longer raises
+  a NoMethodError if the there is a remember cookie, the session is
+  already logged in, and the account no longer exists.  The
+  load_memory method now removes the remember cookie and clears the
+  session in that case.

data/doc/webauthn_autofill.rdoc

@@ -0,0 +1,14 @@
+= Documentation for WebAuthn Autofill Feature
+
+The webauthn_autofill feature enables autofill UI (aka "conditional mediation")
+for WebAuthn credentials, logging the user in on selection. It depends on the
+webauthn_login feature.
+
+== Auth Value Methods
+
+webauthn_autofill_js :: The javascript code to execute on the login page to enable autofill UI.
+webauthn_autofill_js_route :: The route to the webauthn autofill javascript file.
+
+== Auth Methods
+
+before_webauthn_autofill_js_route :: Run arbitrary code before handling a webauthn autofill javascript route.

data/doc/webauthn_login.rdoc

@@ -1,6 +1,6 @@
 = Documentation for WebAuthn Login Feature
 
-The webauthn feature implements passwordless authentication via
+The webauthn_login feature implements passwordless authentication via
 WebAuthn. It depends on the login and webauthn features.
 
 == Auth Value Methods

data/doc/webauthn_verify_account.rdoc

@@ -1,6 +1,6 @@
 = Documentation for WebAuthn Verify Account Feature
 
-The webauthn feature implements setting up an WebAuthn authenticator
+The webauthn_verify_account feature implements setting up an WebAuthn authenticator
 during the account verification process, and making such setup
 a requirement for account verification.  By default, it disables
 asking for a password during account creation and verification,

data/javascript/webauthn_autofill.js

@@ -0,0 +1,38 @@
+(function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
+  var element = document.getElementById('webauthn-login-form');
+
+  if (!window.PublicKeyCredential || !PublicKeyCredential.isConditionalMediationAvailable) return;
+
+  PublicKeyCredential.isConditionalMediationAvailable().then(function(available) {
+    if (!available) return;
+
+    var opts = JSON.parse(element.getAttribute("data-credential-options"));
+    opts.challenge = unpack(opts.challenge);
+    opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
+
+    navigator.credentials.get({mediation: "conditional", publicKey: opts}).then(function(cred) {
+      var rawId = pack(cred.rawId);
+      var authValue = {
+        type: cred.type,
+        id: rawId,
+        rawId: rawId,
+        response: {
+          authenticatorData: pack(cred.response.authenticatorData),
+          clientDataJSON: pack(cred.response.clientDataJSON),
+          signature: pack(cred.response.signature)
+        }
+      };
+
+      if (cred.response.userHandle) {
+        authValue.response.userHandle = pack(cred.response.userHandle);
+      }
+
+      document.getElementById('webauthn-auth').value = JSON.stringify(authValue);
+
+      element.submit();
+    });
+  });
+})();
+

data/lib/rodauth/features/base.rb

@@ -269,6 +269,10 @@ module Rodauth
       Sequel::DATABASES.first or raise "Sequel database connection is missing"
     end
 
+    def login_field_autocomplete_value
+      login_uses_email? ? "email" : "on"
+    end
+
     def password_field_autocomplete_value
       @password_field_autocomplete_value || 'current-password'
     end

data/lib/rodauth/features/json.rb

@@ -116,7 +116,7 @@ module Rodauth
 
     def before_webauthn_login_route
       super if defined?(super)
-      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+      if use_json? && !param_or_nil(webauthn_auth_param) && webauthn_login_options?
         cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge

data/lib/rodauth/features/remember.rb

@@ -114,8 +114,12 @@ module Rodauth
     def load_memory
       if logged_in?
         if extend_remember_deadline_while_logged_in?
-          account_from_session
-          extend_remember_deadline
+          if account_from_session
+            extend_remember_deadline
+          else
+            forget_login
+            clear_session
+          end
         end
       elsif account_from_remember_cookie
         before_load_memory

data/lib/rodauth/features/webauthn.rb

@@ -320,7 +320,7 @@ module Rodauth
 
     def webauthn_credential_options_for_get
       WebAuthn::Credential.options_for_get(
-        :allow => account_webauthn_ids,
+        :allow => webauthn_allow,
         :timeout => webauthn_auth_timeout,
         :rp_id => webauthn_rp_id,
         :user_verification => webauthn_user_verification,
@@ -336,6 +336,10 @@ module Rodauth
       base_url
     end
 
+    def webauthn_allow
+      account_webauthn_ids
+    end
+
     def webauthn_rp_id
       webauthn_origin.sub(/\Ahttps?:\/\//, '').sub(/:\d+\z/, '')
     end
@@ -453,21 +457,8 @@ module Rodauth
     end
 
     def webauthn_auth_credential_from_form_submission
-      case auth_data = raw_param(webauthn_auth_param)
-      when String
-        begin
-          auth_data = JSON.parse(auth_data)
-        rescue
-          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
-        end
-      when Hash
-        # nothing
-      else
-        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
-      end
-
       begin
-        webauthn_credential = WebAuthn::Credential.from_get(auth_data)
+        webauthn_credential = WebAuthn::Credential.from_get(webauthn_auth_data)
         unless valid_webauthn_credential_auth?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
         end
@@ -480,26 +471,28 @@ module Rodauth
       webauthn_credential
     end
 
-    def webauthn_setup_credential_from_form_submission
-      case setup_data = raw_param(webauthn_setup_param)
+    def webauthn_auth_data
+      case auth_data = raw_param(webauthn_auth_param)
       when String
         begin
-          setup_data = JSON.parse(setup_data)
+          JSON.parse(auth_data)
         rescue
-          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
         end
       when Hash
-        # nothing
+        auth_data
       else
-        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
       end
+    end
 
+    def webauthn_setup_credential_from_form_submission
       unless two_factor_password_match?(param(password_param))
         throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
       end
 
       begin
-        webauthn_credential = WebAuthn::Credential.from_create(setup_data)
+        webauthn_credential = WebAuthn::Credential.from_create(webauthn_setup_data)
         unless valid_new_webauthn_credential?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
         end
@@ -509,5 +502,20 @@ module Rodauth
 
       webauthn_credential
     end
+
+    def webauthn_setup_data
+      case setup_data = raw_param(webauthn_setup_param)
+      when String
+        begin
+          JSON.parse(setup_data)
+        rescue
+          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+        end
+      when Hash
+        setup_data
+      else
+        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+      end
+    end
   end
 end

data/lib/rodauth/features/webauthn_autofill.rb

@@ -0,0 +1,58 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:webauthn_autofill, :WebauthnAutofill) do
+    depends :webauthn_login
+
+    auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
+
+    route(:webauthn_autofill_js) do |r|
+      before_webauthn_autofill_js_route
+      r.get do
+        response['Content-Type'] = 'text/javascript'
+        webauthn_autofill_js
+      end
+    end
+
+    def webauthn_allow
+      return [] unless logged_in? || account
+      super
+    end
+
+    def webauthn_user_verification
+      'preferred'
+    end
+
+    def webauthn_authenticator_selection
+      super.merge({ 'residentKey' => 'required', 'requireResidentKey' => true })
+    end
+
+    def login_field_autocomplete_value
+      request.path_info == login_path ? "#{super} webauthn" : super
+    end
+
+    private
+
+    def _login_form_footer
+      footer = super
+      footer += render("webauthn-autofill") unless valid_login_entered?
+      footer
+    end
+
+    def account_from_webauthn_login
+      return super if param_or_nil(login_param)
+
+      credential_id = webauthn_auth_data["id"]
+      account_id = db[webauthn_keys_table]
+        .where(webauthn_keys_webauthn_id_column => credential_id)
+        .get(webauthn_keys_account_id_column)
+
+      @account = account_ds(account_id).first if account_id
+    end
+
+    def webauthn_login_options?
+      return true unless param_or_nil(login_param)
+      super
+    end
+  end
+end

data/lib/rodauth/features/webauthn_login.rb

@@ -16,7 +16,7 @@ module Rodauth
 
       r.post do
         catch_error do
-          unless account_from_login(param(login_param)) && open_account?
+          unless account_from_webauthn_login && open_account?
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message) 
           end
 
@@ -54,6 +54,14 @@ module Rodauth
 
     private
 
+    def account_from_webauthn_login
+      account_from_login(param(login_param))
+    end
+
+    def webauthn_login_options?
+      !!account_from_webauthn_login
+    end
+
     def _multi_phase_login_forms
       forms = super
       if valid_login_entered? && webauthn_setup?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 29
+  MINOR = 30
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/templates/login-field.str

@@ -1,4 +1,4 @@
 <div class="form-group mb-3">
   <label for="login" class="form-label">#{rodauth.login_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_uses_email? ? "email" : "on")}
+  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_field_autocomplete_value)}
 </div>

data/templates/webauthn-autofill.str

@@ -0,0 +1,9 @@
+<form method="post" action="#{rodauth.webauthn_login_path}" class="rodauth" role="form" id="webauthn-login-form" data-credential-options="#{h((cred = rodauth.webauthn_credential_options_for_get).as_json.to_json)}">
+  #{rodauth.webauthn_auth_additional_form_tags}
+  #{rodauth.csrf_tag(rodauth.webauthn_login_path)}
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  #{rodauth.button(rodauth.webauthn_auth_button, class: "d-none")}
+</form>
+<script src="#{rodauth.webauthn_js_host}#{rodauth.webauthn_autofill_js_path}"></script>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.29.0
+  version: 2.30.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-22 00:00:00.000000000 Z
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -296,6 +296,7 @@ extra_rdoc_files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - doc/release_notes/1.0.0.txt
@@ -346,6 +347,7 @@ extra_rdoc_files:
 - doc/release_notes/2.28.0.txt
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -462,6 +464,7 @@ files:
 - doc/release_notes/2.28.0.txt
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -480,9 +483,11 @@ files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - javascript/webauthn_auth.js
+- javascript/webauthn_autofill.js
 - javascript/webauthn_setup.js
 - lib/roda/plugins/rodauth.rb
 - lib/rodauth.rb
@@ -530,6 +535,7 @@ files:
 - lib/rodauth/features/verify_account_grace_period.rb
 - lib/rodauth/features/verify_login_change.rb
 - lib/rodauth/features/webauthn.rb
+- lib/rodauth/features/webauthn_autofill.rb
 - lib/rodauth/features/webauthn_login.rb
 - lib/rodauth/features/webauthn_verify_account.rb
 - lib/rodauth/migrations.rb
@@ -585,6 +591,7 @@ files:
 - templates/verify-login-change-email.str
 - templates/verify-login-change.str
 - templates/webauthn-auth.str
+- templates/webauthn-autofill.str
 - templates/webauthn-remove.str
 - templates/webauthn-setup.str
 homepage: https://rodauth.jeremyevans.net
@@ -618,7 +625,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications