rodauth 2.29.0 → 2.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1714e5a3a0a5bbae56f2905dd528611de3b958d505d312071148b56fdfb3d6f
-  data.tar.gz: 8bb57c30ced05b0825a5d1fd74efe9f6523202f1b151b591c0bbdf10ad9f12af
+  metadata.gz: 34f1a4bc530025482c6550375de67bf9dcbe4ea75ca9f4f775d179805629e115
+  data.tar.gz: 75339b39caf60463c076459e1fc21fd4d2291e4bc756c4cc5107edf7462c0186
 SHA512:
-  metadata.gz: 4dfc0639aaebdeacf6961122265720c992fb0d1af5d7864f5984fa902eef0ae49aea30db63681b1bdd1c598458f8ce5b035fdb3192249f3983afba15442bf990
-  data.tar.gz: d044a6934b3d06bee1e260de68ca5a88016b6f611da1e59dabf1e16afc63e7a82c6d16d196ed57a23558c14a0d6aecba4030ece7830a4f0a6211260b1e619b50
+  metadata.gz: 9e66e012fca7c52bd25206fd7711921148e8372a249047687e5429074dd9ea64461dcbbda1a0412b16920270814fef9fa5954dda701ae30af66e7a78a7975855
+  data.tar.gz: f7c9ec1aac7150a3fa1b4d2af3e8278f16ef3982d5cd84b6b2984d41b5f5b70f60e9f7c0e099d338055201d820bd099093609b2683086c5a8ec9fdf53dee2e58

data/CHANGELOG

@@ -1,3 +1,23 @@
+=== 2.31.0 (2023-08-22)
+
+* Make clear_session work correctly for internal requests (janko) (#359)
+
+* Support webauthn_invalid_webauthn_id_message configuration method in the webauthn_autofill feature (janko) (#356)
+
+* Support webauth features in the internal_request feature (janko) (#355)
+
+* Allow WebAuthn login to count for two factors if user verification is provided (janko) (#354)
+
+* Allow explicit use of p_cost in argon2 feature if using argon2 2.1+ (estebanz01) (#353)
+
+* Add json_response_error? configuration method to json feature, for whether response indicates an error (opya) (#340)
+
+=== 2.30.0 (2023-05-22)
+
+* Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)
+
+* Add webauthn_autofill feature, for supporting autofill of webauthn information on the login form (janko) (#328)
+
 === 2.29.0 (2023-03-22)
 
 * Support :render=>false plugin options (davekaro) (#319)

data/README.rdoc

@@ -37,6 +37,7 @@ HTML and JSON API for all supported features.
 * WebAuthn (Multifactor authentication via WebAuthn)
 * WebAuthn Login (Passwordless login via WebAuthn)
 * WebAuthn Verify Account (Passwordless WebAuthn Setup)
+* WebAuthn Autofill (Autofill WebAuthn credentials on login)
 * OTP (Multifactor authentication via TOTP)
 * Recovery Codes (Multifactor authentication via backup codes)
 * SMS Codes (Multifactor authentication via SMS)
@@ -97,6 +98,9 @@ rqrcode :: Used by the otp feature
 jwt :: Used by the jwt feature
 webauthn :: Used by the webauthn feature
 
+You can use <tt>gem install --development rodauth</tt> to install
+the development dependencies in order to run tests.
+
 == Security
 
 === Password Hash Access Via Database Functions
@@ -318,6 +322,16 @@ bad idea), you don't need to use the PostgreSQL citext extension. Just
 remember to modify the migration below to use +String+ instead of +citext+
 for the email in that case.
 
+=== Grant schema rights (PostgreSQL 15+)
+
+PostgreSQL 15 changed default database security so that only the database
+owner has writable access to the public schema.  Rodauth expects the
++ph+ account to have writable access to the public schema when setting
+things up.  Temporarily grant that access (it will be revoked after the
+migation has run)
+
+  psql -U postgres -c "GRANT CREATE ON SCHEMA public TO ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Using non-default schema
 
 PostgreSQL sets up new tables in the public schema by default.
@@ -739,6 +753,13 @@ One thing to notice in the above migrations is that Rodauth uses additional
 tables for additional features, instead of additional columns in a single
 table.
 
+=== Revoking schema rights (PostgreSQL 15+)
+
+If you explicit granted access to the public schema before running the
+migration, revoke it afterward:
+
+  psql -U postgres -c "REVOKE CREATE ON SCHEMA public FROM ${DATABASE_NAME}_password" ${DATABASE_NAME}
+
 === Locking Down (PostgreSQL only)
 
 After running the migrations, you can increase security slightly by making
@@ -915,6 +936,7 @@ view the appropriate file in the doc directory.
 * {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
 * {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
 * {WebAuthn}[rdoc-ref:doc/webauthn.rdoc]
+* {WebAuthn Autofill}[rdoc-ref:doc/webauthn_autofill.rdoc]
 * {WebAuthn Login}[rdoc-ref:doc/webauthn_login.rdoc]
 * {WebAuthn Verify Account}[rdoc-ref:doc/webauthn_verify_account.rdoc]
 

data/doc/error_reasons.rdoc

@@ -38,6 +38,7 @@ Rodauth will call +set_error_reason+ with:
 * :invalid_verify_account_key
 * :invalid_verify_login_change_key
 * :invalid_webauthn_auth_param
+* :invalid_webauthn_id
 * :invalid_webauthn_remove_param
 * :invalid_webauthn_setup_param
 * :invalid_webauthn_sign_count

data/doc/guides/registration_field.rdoc

@@ -10,7 +10,7 @@ or their company's name.
 Let's assume you wanted to wanted to store the additional field(s) directly on
 the +accounts+ table:
 
-  atler_table :accounts do
+  alter_table :accounts do
     add_column :name, String
   end
 

data/doc/guides/render_confirmation.rdoc

@@ -0,0 +1,17 @@
+= Render confirmation view
+
+Most Rodauth actions redirect and display a flash notice after they're succesfully performed. However, in some cases you may wish to render a view confirming that the action was succesful, for nicer user experience.
+
+For example, when the user creates an account, you might render a page with a call to action to verify their account. Assuming you've created an +account_created+ view template alongside your other Rodauth templates, you can configure the following:
+
+  after_create_account do
+    # render "account_created" view template with page title of "Account created!"
+    return_response view("account_created", "Account created!")
+  end
+
+Similarly, when the user has requested a password reset, you can render a page telling them to check their email:
+
+  after_reset_password_request do
+    # render "password_reset_sent" view template with page title of "Password sent!"
+    return_response view("password_reset_sent", "Password sent!")
+  end

data/doc/internal_request.rdoc

@@ -461,3 +461,79 @@ account login, before the change.
 
 Options:
 +:verify_login_change_key+ :: The verify login change key for the account. This allows verifying login changes by key, without knowing the account id or login.
+
+=== WebAuthn
+
+==== webauthn_setup_params (requires account)
+
+The +webauthn_setup_params+ method returns a hash with +:webauthn_setup+,
++:webauthn_setup_challenge+ and +:webauthn_setup_challenge_hmac+ keys.
+
+The +:webauthn_setup+ options should be provided to the client for WebAuthn
+registration, while +:webauthn_setup_challenge+ and
++webauthn_setup_challenge_hmac+ should be passed to the +webauthn_setup+
+method.
+
+==== webauthn_setup (requires account)
+
+The +webauthn_setup+ method creates a WebAuthn credential for the account.
+
+Options:
++:webauthn_setup+ :: The WebAuthn credential provided by the client during registration.
++:webauthn_setup_challenge+ :: The WebAuthn challenge generated for registration.
++:webauthn_setup_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for registration.
+
+==== webauthn_auth_params (requires account)
+
+The +webauthn_auth_params+ method returns a hash with +:webauthn_auth+,
++:webauthn_auth_challenge+ and +:webauthn_auth_challenge_hmac+ keys.
+
+The +:webauthn_auth+ options should be provided to the client for WebAuthn
+authentication, while +:webauthn_auth_challenge+ and
++webauthn_auth_challenge_hmac+ should be passed to the +webauthn_auth+ method.
+
+==== webauthn_auth (requires account)
+
+The +webauthn_auth+ method determines if the given WebAuthn credential is valid
+for the account.
+
+Options:
++:webauthn_auth+ :: The WebAuthn credential provided by the client during authentication.
++:webauthn_auth_challenge+ :: The WebAuthn challenge generated for authentication.
++:webauthn_auth_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for authentication.
+
+==== webauthn_remove (requires account)
+
+The +webauthn_remove+ methods deletes the given WebAuthn credential for the
+account.
+
+Options:
++:webauthn_remove+ :: The ID of the WebAuthn credential to delete.
+
+=== WebAuthn Login
+
+==== webauthn_login_params (requires account or login)
+
+The +webauthn_login_params+ method returns a hash with +:webauthn_auth+,
++:webauthn_auth_challenge+ and +:webauthn_auth_challenge_hmac+ keys.
+
+The +:webauthn_auth+ options should be provided to the client for WebAuthn
+authentication, while +:webauthn_auth_challenge+ and
++webauthn_auth_challenge_hmac+ should be passed to the +webauthn_login+ method.
+
+==== webauthn_login (requires account or login)
+
+The +webauthn_login+ method determines if the given WebAuthn credential is
+valid for the given account.
+
+This method will return the account id if the WebAuthn credential is valid.
+
+Options:
++:webauthn_auth+ :: The WebAuthn credential provided by the client during authentication.
++:webauthn_auth_challenge+ :: The WebAuthn challenge generated for authentication.
++:webauthn_auth_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for authentication.
+
+=== WebAuthn Autofill
+
+Enabling this feature modifies +webauthn_login_params+ and +webauthn_login+
+methods not to require an account or login.

data/doc/json.rdoc

@@ -41,6 +41,7 @@ json_not_accepted_error_message :: The error message to display if +json_check_a
 json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
 json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
 json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
+json_response_error? :: Whether the current JSON response indicates an error.  By default, returns whether +json_response_error_key+ is set.
 json_response_error_key :: The JSON result key containing an error message, +error+ by default.
 json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
 json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.

data/doc/jwt.rdoc

@@ -5,7 +5,7 @@ that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
 session information. It depends on the json feature.
 
 In order to use this feature, you have to set the +jwt_secret+ configuration
-option the secret used to cryptographically protect the token.
+option with the secret used to cryptographically protect the token.
 
 To use this JSON API, when processing responses for requests to a Rodauth
 endpoint, check for the Authorization header, and use the value of the
@@ -26,6 +26,11 @@ request in your Roda app, you can call the +rodauth.valid_jwt?+ method.  If
 +rodauth.valid_jwt?+ returns true, the contents of the jwt can be retrieved
 from +rodauth.session+.
 
+Logging the session out does not invalidate the previous JWT token by default.
+If you would like this behavior, you can use the active_sessions feature, which
+stores session identifiers in the database and deletes them when the session
+expires. This provides a whitelist approach of revoking JWT tokens.
+
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.

data/doc/jwt_refresh.rdoc

@@ -7,7 +7,7 @@ When this feature is used, the access and refresh token are provided
 at login in the response body (the access token is still provided in the Authorization
 header), and for any subsequent POST to <tt>/jwt-refresh</tt>.
 
-Note that using the refresh token invalides the token and creates
+Note that using the refresh token invalidates the token and creates
 a new access token with an updated lifetime.  However, it does not invalidate
 older access tokens.  Older access tokens remain valid until they expire.  You
 can use the active_sessions feature if you want previous access tokens to be invalid

data/doc/release_notes/2.30.0.txt

@@ -0,0 +1,15 @@
+= New Features
+
+* A webauthn_autofill feature has been added to allow autofilling
+  webauthn credentials during login (also known as conditional
+  mediation).  This allows for easier login using passkeys.
+  This requires a supported browser and operating system on the
+  client side to work.
+
+= Other Improvements
+
+* The load_memory method in the remember feature no longer raises
+  a NoMethodError if the there is a remember cookie, the session is
+  already logged in, and the account no longer exists.  The
+  load_memory method now removes the remember cookie and clears the
+  session in that case.

data/doc/release_notes/2.31.0.txt

@@ -0,0 +1,47 @@
+= New Features
+
+* The internal_request feature now supports WebAuthn, using 
+  the following methods:
+
+  * With the webauthn feature:
+    * webauthn_setup_params
+    * webauthn_setup
+    * webauthn_auth_params
+    * webauthn_auth
+    * webauthn_remove
+
+  * With the webauthn_login feature:
+    * webauthn_login_params
+    * webauthn_login
+
+* A webauthn_login_user_verification_additional_factor? configuration
+  method has been added to the webauthn_login feature. By default,
+  this method returns false.  If you configure the method to return
+  true, and the WebAuthn credential provided specifies that it
+  verified the user, then this will treat the user verification as
+  a second factor, so the user will be considered multifactor
+  authenticated after successful login.  You should only set this
+  method to true if you consider the WebAuthn user verification
+  strong enough to be a independent factor.
+
+* A json_response_error? configuration method has been added to the
+  json feature.  This should return whether the current response
+  should be treated as an error by the json feature.  By default,
+  it is true if json_response_error_key is set in the response,
+  since that is the default place that Rodauth stores errors when
+  using the json feature.
+
+* A webauthn_invalid_webauthn_id_message configuration method has
+  been added for customizing the error message used for invalid
+  WebAuthn IDs.
+
+= Other Improvements
+
+* The argon2 feature now supports setting the Argon2 p_cost if
+  argon2 2.1+ is installed.
+
+* An :invalid_webauthn_id error reason is now used for invalid
+  WebAuthn IDs.
+
+* The clear_session method now works as expected for internal
+  requests.

data/doc/webauthn_autofill.rdoc

@@ -0,0 +1,19 @@
+= Documentation for WebAuthn Autofill Feature
+
+The webauthn_autofill feature enables autofill UI (aka "conditional mediation")
+for WebAuthn credentials, logging the user in on selection. It depends on the
+webauthn_login feature.
+
+This feature allows generating WebAuthn credential options and submitting a
+WebAuthn login request without providing a login, which can be used
+independently from the autofill UI.
+
+== Auth Value Methods
+
+webauthn_autofill_js :: The javascript code to execute on the login page to enable autofill UI.
+webauthn_autofill_js_route :: The route to the webauthn autofill javascript file.
+webauthn_invalid_webauthn_id_message :: The error message to show when provided WebAuthn ID wasn't found in the database.
+
+== Auth Methods
+
+before_webauthn_autofill_js_route :: Run arbitrary code before handling a webauthn autofill javascript route.

data/doc/webauthn_login.rdoc

@@ -1,10 +1,11 @@
 = Documentation for WebAuthn Login Feature
 
-The webauthn feature implements passwordless authentication via
+The webauthn_login feature implements passwordless authentication via
 WebAuthn. It depends on the login and webauthn features.
 
 == Auth Value Methods
 
+webauthn_login_user_verification_additional_factor? :: Whether passwordless login via WebAuthn should consider user verification as 2nd factor when using multifactor authentication, false by default. Setting this to true means that the app trusts the user verification done by the authenticator is strong enough to be considered an additional factor.
 webauthn_login_error_flash :: The flash error to show if there is a failure during passwordless login via WebAuthn.
 webauthn_login_failure_redirect :: Whether to redirect if there is a failure during passwordless login via WebAuthn.
 webauthn_login_route :: The route to the webauthn login action.

data/doc/webauthn_verify_account.rdoc

@@ -1,6 +1,6 @@
 = Documentation for WebAuthn Verify Account Feature
 
-The webauthn feature implements setting up an WebAuthn authenticator
+The webauthn_verify_account feature implements setting up an WebAuthn authenticator
 during the account verification process, and making such setup
 a requirement for account verification.  By default, it disables
 asking for a password during account creation and verification,

data/javascript/webauthn_autofill.js

@@ -0,0 +1,38 @@
+(function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
+  var element = document.getElementById('webauthn-login-form');
+
+  if (!window.PublicKeyCredential || !PublicKeyCredential.isConditionalMediationAvailable) return;
+
+  PublicKeyCredential.isConditionalMediationAvailable().then(function(available) {
+    if (!available) return;
+
+    var opts = JSON.parse(element.getAttribute("data-credential-options"));
+    opts.challenge = unpack(opts.challenge);
+    opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
+
+    navigator.credentials.get({mediation: "conditional", publicKey: opts}).then(function(cred) {
+      var rawId = pack(cred.rawId);
+      var authValue = {
+        type: cred.type,
+        id: rawId,
+        rawId: rawId,
+        response: {
+          authenticatorData: pack(cred.response.authenticatorData),
+          clientDataJSON: pack(cred.response.clientDataJSON),
+          signature: pack(cred.response.signature)
+        }
+      };
+
+      if (cred.response.userHandle) {
+        authValue.response.userHandle = pack(cred.response.userHandle);
+      }
+
+      document.getElementById('webauthn-auth').value = JSON.stringify(authValue);
+
+      element.submit();
+    });
+  });
+})();
+

data/lib/rodauth/features/argon2.rb

@@ -43,7 +43,7 @@ module Rodauth
 
     def password_hash_cost
       return super unless use_argon2?
-      argon2_hash_cost 
+      argon2_hash_cost
     end
 
     def password_hash_match?(hash, password)
@@ -60,21 +60,40 @@ module Rodauth
       ::Argon2::Password.new(argon2_params).create(password)
     end
 
-    def extract_password_hash_cost(hash)
-      return super unless argon2_hash_algorithm?(hash )
+    if Argon2::VERSION >= '2.1'
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash )
 
-      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
-      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
-    end
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i, p_cost: $3.to_i }
+      end
 
-    if ENV['RACK_ENV'] == 'test'
-      def argon2_hash_cost
-        {t_cost: 1, m_cost: 3}
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 3, p_cost: 1 }
+        end
+      # :nocov:
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16, p_cost: 1 }
+        end
       end
-    # :nocov:
     else
-      def argon2_hash_cost
-        {t_cost: 2, m_cost: 16}
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash )
+
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+      end
+
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 3 }
+        end
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16 }
+        end
       end
     end
     # :nocov:

data/lib/rodauth/features/base.rb

@@ -269,6 +269,10 @@ module Rodauth
       Sequel::DATABASES.first or raise "Sequel database connection is missing"
     end
 
+    def login_field_autocomplete_value
+      login_uses_email? ? "email" : "on"
+    end
+
     def password_field_autocomplete_value
       @password_field_autocomplete_value || 'current-password'
     end

data/lib/rodauth/features/internal_request.rb

@@ -50,6 +50,10 @@ module Rodauth
       @params[k]
     end
 
+    def clear_session
+      @session.clear
+    end
+
     def set_error_flash(message)
       @flash = message
       _handle_internal_request_error
@@ -81,6 +85,24 @@ module Rodauth
       _return_from_internal_request(recovery_codes)
     end
 
+    def webauthn_setup_view
+      cred = new_webauthn_credential
+      _return_from_internal_request({
+        webauthn_setup: cred.as_json,
+        webauthn_setup_challenge: cred.challenge,
+        webauthn_setup_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
+    def webauthn_auth_view
+      cred = webauthn_credential_options_for_get
+      _return_from_internal_request({
+        webauthn_auth: cred.as_json,
+        webauthn_auth_challenge: cred.challenge,
+        webauthn_auth_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
     def handle_internal_request(meth)
       catch(:halt) do
         _around_rodauth do
@@ -153,6 +175,11 @@ module Rodauth
       _set_login_param_from_account
     end
 
+    def before_webauthn_login_route
+      super
+      _set_login_param_from_account
+    end
+
     def account_from_key(token, status_id=nil)
       return super unless session_value
       return unless yield session_value
@@ -232,6 +259,25 @@ module Rodauth
       _handle_otp_setup(request)
     end
 
+    def _handle_webauthn_setup_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_setup(request)
+    end
+
+    def _handle_webauthn_auth_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_auth(request)
+    end
+
+    def _handle_webauthn_login_params(request)
+      _set_login_param_from_account
+      unless webauthn_login_options?
+        raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+        raise InternalRequestError, "no account for login"
+      end
+      webauthn_auth_view
+    end
+
     def _predicate_internal_request(meth, request)
       _return_false_on_error!
       _set_internal_request_return_value(true)
@@ -302,7 +348,7 @@ module Rodauth
         session[rodauth.session_key] = account_id
         unless authenticated_by = opts.delete(:authenticated_by)
           authenticated_by = case route
-          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
+          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :webauthn_auth, :webauthn_auth_params, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
             ['internal1']
           else
             ['internal1', 'internal2']

data/lib/rodauth/features/json.rb

@@ -22,6 +22,7 @@ module Rodauth
 
     auth_methods(
       :json_request?,
+      :json_response_error?
     )
 
     auth_private_methods :json_response_body
@@ -65,6 +66,10 @@ module Rodauth
       return_json_response
     end
 
+    def json_response_error?
+      !!json_response[json_response_error_key]
+    end
+
     private
 
     def before_two_factor_manage_route
@@ -116,7 +121,7 @@ module Rodauth
 
     def before_webauthn_login_route
       super if defined?(super)
-      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+      if use_json? && !param_or_nil(webauthn_auth_param) && webauthn_login_options?
         cred = webauthn_credential_options_for_get
         json_response[webauthn_auth_param] = cred.as_json
         json_response[webauthn_auth_challenge_param] = cred.challenge
@@ -172,7 +177,7 @@ module Rodauth
     end
 
     def _return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response.status ||= json_response_error_status if json_response_error?
       response['Content-Type'] ||= json_response_content_type
       return_response _json_response_body(json_response)
     end

data/lib/rodauth/features/remember.rb

@@ -114,8 +114,12 @@ module Rodauth
     def load_memory
       if logged_in?
         if extend_remember_deadline_while_logged_in?
-          account_from_session
-          extend_remember_deadline
+          if account_from_session
+            extend_remember_deadline
+          else
+            forget_login
+            clear_session
+          end
         end
       elsif account_from_remember_cookie
         before_load_memory

data/lib/rodauth/features/webauthn.rb

@@ -112,6 +112,12 @@ module Rodauth
 
     def_deprecated_alias :webauthn_credential_options_for_get, :webauth_credential_options_for_get
 
+    internal_request_method :webauthn_setup_params
+    internal_request_method :webauthn_setup
+    internal_request_method :webauthn_auth_params
+    internal_request_method :webauthn_auth
+    internal_request_method :webauthn_remove
+
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do
@@ -320,7 +326,7 @@ module Rodauth
 
     def webauthn_credential_options_for_get
       WebAuthn::Credential.options_for_get(
-        :allow => account_webauthn_ids,
+        :allow => webauthn_allow,
         :timeout => webauthn_auth_timeout,
         :rp_id => webauthn_rp_id,
         :user_verification => webauthn_user_verification,
@@ -336,6 +342,10 @@ module Rodauth
       base_url
     end
 
+    def webauthn_allow
+      account_webauthn_ids
+    end
+
     def webauthn_rp_id
       webauthn_origin.sub(/\Ahttps?:\/\//, '').sub(/:\d+\z/, '')
     end
@@ -453,21 +463,8 @@ module Rodauth
     end
 
     def webauthn_auth_credential_from_form_submission
-      case auth_data = raw_param(webauthn_auth_param)
-      when String
-        begin
-          auth_data = JSON.parse(auth_data)
-        rescue
-          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
-        end
-      when Hash
-        # nothing
-      else
-        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
-      end
-
       begin
-        webauthn_credential = WebAuthn::Credential.from_get(auth_data)
+        webauthn_credential = WebAuthn::Credential.from_get(webauthn_auth_data)
         unless valid_webauthn_credential_auth?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
         end
@@ -480,26 +477,28 @@ module Rodauth
       webauthn_credential
     end
 
-    def webauthn_setup_credential_from_form_submission
-      case setup_data = raw_param(webauthn_setup_param)
+    def webauthn_auth_data
+      case auth_data = raw_param(webauthn_auth_param)
       when String
         begin
-          setup_data = JSON.parse(setup_data)
+          JSON.parse(auth_data)
         rescue
-          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+          throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message) 
         end
       when Hash
-        # nothing
+        auth_data
       else
-        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+        throw_error_reason(:invalid_webauthn_auth_param, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
       end
+    end
 
+    def webauthn_setup_credential_from_form_submission
       unless two_factor_password_match?(param(password_param))
         throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
       end
 
       begin
-        webauthn_credential = WebAuthn::Credential.from_create(setup_data)
+        webauthn_credential = WebAuthn::Credential.from_create(webauthn_setup_data)
         unless valid_new_webauthn_credential?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
         end
@@ -509,5 +508,20 @@ module Rodauth
 
       webauthn_credential
     end
+
+    def webauthn_setup_data
+      case setup_data = raw_param(webauthn_setup_param)
+      when String
+        begin
+          JSON.parse(setup_data)
+        rescue
+          throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
+        end
+      when Hash
+        setup_data
+      else
+        throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
+      end
+    end
   end
 end

data/lib/rodauth/features/webauthn_autofill.rb

@@ -0,0 +1,64 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:webauthn_autofill, :WebauthnAutofill) do
+    depends :webauthn_login
+
+    auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
+
+    translatable_method :webauthn_invalid_webauthn_id_message, "no webauthn key with given id found"
+
+    route(:webauthn_autofill_js) do |r|
+      before_webauthn_autofill_js_route
+      r.get do
+        response['Content-Type'] = 'text/javascript'
+        webauthn_autofill_js
+      end
+    end
+
+    def webauthn_allow
+      return [] unless logged_in? || account
+      super
+    end
+
+    def webauthn_user_verification
+      'preferred'
+    end
+
+    def webauthn_authenticator_selection
+      super.merge({ 'residentKey' => 'required', 'requireResidentKey' => true })
+    end
+
+    def login_field_autocomplete_value
+      request.path_info == login_path ? "#{super} webauthn" : super
+    end
+
+    private
+
+    def _login_form_footer
+      footer = super
+      footer += render("webauthn-autofill") unless valid_login_entered?
+      footer
+    end
+
+    def account_from_webauthn_login
+      return super if param_or_nil(login_param)
+
+      credential_id = webauthn_auth_data["id"]
+      account_id = db[webauthn_keys_table]
+        .where(webauthn_keys_webauthn_id_column => credential_id)
+        .get(webauthn_keys_account_id_column)
+
+      unless account_id
+        throw_error_reason(:invalid_webauthn_id, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_webauthn_id_message)
+      end
+
+      @account = account_ds(account_id).first
+    end
+
+    def webauthn_login_options?
+      return true unless param_or_nil(login_param)
+      super
+    end
+  end
+end

data/lib/rodauth/features/webauthn_login.rb

@@ -10,13 +10,18 @@ module Rodauth
 
     error_flash "There was an error authenticating via WebAuthn"
 
+    auth_value_method :webauthn_login_user_verification_additional_factor?, false
+
+    internal_request_method :webauthn_login_params
+    internal_request_method :webauthn_login
+
     route(:webauthn_login) do |r|
       check_already_logged_in
       before_webauthn_login_route
 
       r.post do
         catch_error do
-          unless account_from_login(param(login_param)) && open_account?
+          unless account_from_webauthn_login && open_account?
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message) 
           end
 
@@ -24,6 +29,9 @@ module Rodauth
           before_webauthn_login
           login('webauthn') do
             webauthn_update_session(webauthn_credential.id)
+            if webauthn_login_verification_factor?(webauthn_credential)
+              two_factor_update_session('webauthn-verification')
+            end
           end
         end
 
@@ -48,12 +56,31 @@ module Rodauth
       end
     end
 
+    def webauthn_user_verification
+      return 'preferred' if webauthn_login_user_verification_additional_factor?
+      super
+    end
+
     def use_multi_phase_login?
       true
     end
 
     private
 
+    def webauthn_login_verification_factor?(webauthn_credential)
+      webauthn_login_user_verification_additional_factor? &&
+        webauthn_credential.response.authenticator_data.user_verified? &&
+        uses_two_factor_authentication?
+    end
+
+    def account_from_webauthn_login
+      account_from_login(param(login_param))
+    end
+
+    def webauthn_login_options?
+      !!account_from_webauthn_login
+    end
+
     def _multi_phase_login_forms
       forms = super
       if valid_login_entered? && webauthn_setup?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 29
+  MINOR = 31
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/templates/login-field.str

@@ -1,4 +1,4 @@
 <div class="form-group mb-3">
   <label for="login" class="form-label">#{rodauth.login_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_uses_email? ? "email" : "on")}
+  #{rodauth.input_field_string(rodauth.login_param, 'login', :type=>rodauth.login_input_type, :autocomplete=>rodauth.login_field_autocomplete_value)}
 </div>

data/templates/webauthn-autofill.str

@@ -0,0 +1,9 @@
+<form method="post" action="#{rodauth.webauthn_login_path}" class="rodauth" role="form" id="webauthn-login-form" data-credential-options="#{h((cred = rodauth.webauthn_credential_options_for_get).as_json.to_json)}">
+  #{rodauth.webauthn_auth_additional_form_tags}
+  #{rodauth.csrf_tag(rodauth.webauthn_login_path)}
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_param}" value="#{cred.challenge}" />
+  <input type="hidden" name="#{rodauth.webauthn_auth_challenge_hmac_param}" value="#{rodauth.compute_hmac(cred.challenge)}" />
+  <input class="rodauth_hidden d-none" aria-hidden="true" type="text" name="#{rodauth.webauthn_auth_param}" id="webauthn-auth" value="" />
+  #{rodauth.button(rodauth.webauthn_auth_button, class: "d-none")}
+</form>
+<script src="#{rodauth.webauthn_js_host}#{rodauth.webauthn_autofill_js_path}"></script>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.29.0
+  version: 2.31.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-22 00:00:00.000000000 Z
+date: 2023-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -296,6 +296,7 @@ extra_rdoc_files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - doc/release_notes/1.0.0.txt
@@ -346,6 +347,8 @@ extra_rdoc_files:
 - doc/release_notes/2.28.0.txt
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -392,6 +395,7 @@ files:
 - doc/guides/query_params.rdoc
 - doc/guides/redirects.rdoc
 - doc/guides/registration_field.rdoc
+- doc/guides/render_confirmation.rdoc
 - doc/guides/require_mfa.rdoc
 - doc/guides/reset_password_autologin.rdoc
 - doc/guides/share_configuration.rdoc
@@ -462,6 +466,8 @@ files:
 - doc/release_notes/2.28.0.txt
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -480,9 +486,11 @@ files:
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
+- doc/webauthn_autofill.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
 - javascript/webauthn_auth.js
+- javascript/webauthn_autofill.js
 - javascript/webauthn_setup.js
 - lib/roda/plugins/rodauth.rb
 - lib/rodauth.rb
@@ -530,6 +538,7 @@ files:
 - lib/rodauth/features/verify_account_grace_period.rb
 - lib/rodauth/features/verify_login_change.rb
 - lib/rodauth/features/webauthn.rb
+- lib/rodauth/features/webauthn_autofill.rb
 - lib/rodauth/features/webauthn_login.rb
 - lib/rodauth/features/webauthn_verify_account.rb
 - lib/rodauth/migrations.rb
@@ -585,6 +594,7 @@ files:
 - templates/verify-login-change-email.str
 - templates/verify-login-change.str
 - templates/webauthn-auth.str
+- templates/webauthn-autofill.str
 - templates/webauthn-remove.str
 - templates/webauthn-setup.str
 homepage: https://rodauth.jeremyevans.net
@@ -618,7 +628,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications