rodauth 2.30.0 → 2.32.0

data/doc/webauthn_autofill.rdoc

@@ -4,10 +4,15 @@ The webauthn_autofill feature enables autofill UI (aka "conditional mediation")
 for WebAuthn credentials, logging the user in on selection. It depends on the
 webauthn_login feature.
 
+This feature allows generating WebAuthn credential options and submitting a
+WebAuthn login request without providing a login, which can be used
+independently from the autofill UI.
+
 == Auth Value Methods
 
 webauthn_autofill_js :: The javascript code to execute on the login page to enable autofill UI.
 webauthn_autofill_js_route :: The route to the webauthn autofill javascript file.
+webauthn_invalid_webauthn_id_message :: The error message to show when provided WebAuthn ID wasn't found in the database.
 
 == Auth Methods
 

data/doc/webauthn_login.rdoc

@@ -5,6 +5,7 @@ WebAuthn. It depends on the login and webauthn features.
 
 == Auth Value Methods
 
+webauthn_login_user_verification_additional_factor? :: Whether passwordless login via WebAuthn should consider user verification as 2nd factor when using multifactor authentication, false by default. Setting this to true means that the app trusts the user verification done by the authenticator is strong enough to be considered an additional factor.
 webauthn_login_error_flash :: The flash error to show if there is a failure during passwordless login via WebAuthn.
 webauthn_login_failure_redirect :: Whether to redirect if there is a failure during passwordless login via WebAuthn.
 webauthn_login_route :: The route to the webauthn login action.

data/lib/rodauth/features/active_sessions.rb

@@ -40,7 +40,7 @@ module Rodauth
 
       remove_inactive_sessions
       ds = active_sessions_ds.
-        where(active_sessions_session_id_column => compute_hmac(session_id))
+        where(active_sessions_session_id_column => compute_hmacs(session_id))
 
       if update_current_session?
         ds.update(active_sessions_update_hash) == 1
@@ -83,7 +83,7 @@ module Rodauth
 
     def remove_current_session
       if session_id = session[session_id_session_key]
-        remove_active_session(compute_hmac(session_id))
+        remove_active_session(compute_hmacs(session_id))
       end
     end
 
@@ -119,7 +119,7 @@ module Rodauth
         key = generate_active_sessions_key
         set_session_value(session_id_session_key, key)
         active_sessions_ds.
-          where(active_sessions_session_id_column => compute_hmac(prev_key)).
+          where(active_sessions_session_id_column => compute_hmacs(prev_key)).
           update(active_sessions_session_id_column => compute_hmac(key))
       end
     end
@@ -150,7 +150,13 @@ module Rodauth
     end
 
     def active_sessions_update_hash
-      {active_sessions_last_use_column => Sequel::CURRENT_TIMESTAMP}
+      h = {active_sessions_last_use_column => Sequel::CURRENT_TIMESTAMP}
+
+      if hmac_secret_rotation?
+        h[active_sessions_session_id_column] = compute_hmac(session[session_id_session_key])
+      end
+
+      h
     end
 
     def session_inactivity_deadline_condition

data/lib/rodauth/features/argon2.rb

@@ -12,6 +12,7 @@ module Rodauth
   Feature.define(:argon2, :Argon2) do
     depends :login_password_requirements_base
 
+    auth_value_method :argon2_old_secret, nil
     auth_value_method :argon2_secret, nil
     auth_value_method :use_argon2?, true
 
@@ -43,7 +44,7 @@ module Rodauth
 
     def password_hash_cost
       return super unless use_argon2?
-      argon2_hash_cost 
+      argon2_hash_cost
     end
 
     def password_hash_match?(hash, password)
@@ -53,28 +54,50 @@ module Rodauth
 
     def password_hash_using_salt(password, salt)
       return super unless argon2_hash_algorithm?(salt)
+      argon2_password_hash_using_salt_and_secret(password, salt, argon2_secret)
+    end
 
+    def argon2_password_hash_using_salt_and_secret(password, salt, secret)
       argon2_params = Hash[extract_password_hash_cost(salt)]
-      argon2_params[argon2_salt_option] = Base64.decode64(salt.split('$').last)
-      argon2_params[:secret] = argon2_secret
+      argon2_params[argon2_salt_option] = salt.split('$').last.unpack("m")[0]
+      argon2_params[:secret] = secret
       ::Argon2::Password.new(argon2_params).create(password)
     end
 
-    def extract_password_hash_cost(hash)
-      return super unless argon2_hash_algorithm?(hash )
+    if Argon2::VERSION >= '2.1'
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash)
 
-      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
-      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
-    end
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i, p_cost: $3.to_i }
+      end
 
-    if ENV['RACK_ENV'] == 'test'
-      def argon2_hash_cost
-        {t_cost: 1, m_cost: 3}
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 5, p_cost: 1 }
+        end
+      # :nocov:
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16, p_cost: 1 }
+        end
       end
-    # :nocov:
     else
-      def argon2_hash_cost
-        {t_cost: 2, m_cost: 16}
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash )
+
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+      end
+
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 5 }
+        end
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16 }
+        end
       end
     end
     # :nocov:
@@ -84,7 +107,23 @@ module Rodauth
     end
 
     def argon2_password_hash_match?(hash, password)
-      ::Argon2::Password.verify_password(password, hash, argon2_secret)
+      ret = ::Argon2::Password.verify_password(password, hash, argon2_secret)
+
+      if ret == false && argon2_old_secret != argon2_secret && (ret = ::Argon2::Password.verify_password(password, hash, argon2_old_secret))
+        @update_password_hash = true
+      end
+
+      ret
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      return true if super
+
+      if use_argon2? && argon2_hash_algorithm?(salt) && argon2_old_secret != argon2_secret && (ret = db.get(Sequel.function(function_name(name), hash_id, argon2_password_hash_using_salt_and_secret(password, salt, argon2_old_secret))))
+        @update_password_hash = true
+      end
+
+      !!ret
     end
   end
 end

data/lib/rodauth/features/base.rb

@@ -27,6 +27,7 @@ module Rodauth
     auth_value_method :convert_token_id_to_integer?, nil
     flash_key :flash_error_key, :error
     flash_key :flash_notice_key, :notice
+    auth_value_method :hmac_old_secret, nil
     auth_value_method :hmac_secret, nil
     translatable_method :input_field_label_suffix, ''
     auth_value_method :input_field_error_class, 'error is-invalid'
@@ -242,9 +243,24 @@ module Rodauth
 
     # Return urlsafe base64 HMAC for data, assumes hmac_secret is set.
     def compute_hmac(data)
-      s = [compute_raw_hmac(data)].pack('m').chomp!("=\n")
-      s.tr!('+/', '-_')
-      s
+      _process_raw_hmac(compute_raw_hmac(data))
+    end
+
+    # Return urlsafe base64 HMAC for data using hmac_old_secret, assumes hmac_old_secret is set.
+    def compute_old_hmac(data)
+      _process_raw_hmac(compute_raw_hmac_with_secret(data, hmac_old_secret))
+    end
+
+    # Return array of hmacs.  Array has two strings if hmac_old_secret
+    # is set, or one string otherwise.
+    def compute_hmacs(data)
+      hmacs = [compute_hmac(data)]
+
+      if hmac_old_secret
+        hmacs << compute_old_hmac(data)
+      end
+
+      hmacs
     end
 
     def account_id
@@ -515,6 +531,13 @@ module Rodauth
       yield
     end
 
+    def _process_raw_hmac(hmac)
+      s = [hmac].pack('m')
+      s.chomp!("=\n")
+      s.tr!('+/', '-_')
+      s
+    end
+
     def database_function_password_match?(name, hash_id, password, salt)
       db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
     end
@@ -711,10 +734,17 @@ module Rodauth
       ds.first
     end
 
+    def hmac_secret_rotation?
+      hmac_secret && hmac_old_secret && hmac_secret != hmac_old_secret
+    end
+
     def compute_raw_hmac(data)
       raise ArgumentError, "hmac_secret not set" unless hmac_secret
+      compute_raw_hmac_with_secret(data, hmac_secret)
+    end
 
-      OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, hmac_secret, data)
+    def compute_raw_hmac_with_secret(data, secret)
+      OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, secret, data)
     end
 
     def _field_attributes(field)
@@ -822,6 +852,11 @@ module Rodauth
       false
     end
 
+    def require_response(meth)
+      send(meth)
+      raise RuntimeError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt). This is a bug in your Rodauth configuration, not a bug in Rodauth itself."
+    end
+
     def set_session_value(key, value)
       session[key] = value
     end

data/lib/rodauth/features/change_login.rb

@@ -14,6 +14,7 @@ module Rodauth
     additional_form_tags
     button 'Change Login'
     redirect
+    response
 
     auth_value_methods :change_login_requires_password?
 
@@ -51,9 +52,8 @@ module Rodauth
             end
 
             after_change_login
-            set_notice_flash change_login_notice_flash
-            redirect change_login_redirect
           end
+          change_login_response
         end
 
         set_error_flash change_login_error_flash

data/lib/rodauth/features/change_password.rb

@@ -13,6 +13,7 @@ module Rodauth
     additional_form_tags
     button 'Change Password'
     redirect
+    response
 
     translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
@@ -56,8 +57,7 @@ module Rodauth
             set_password(password)
             after_change_password
           end
-          set_notice_flash change_password_notice_flash
-          redirect change_password_redirect
+          change_password_response
         end
 
         set_error_flash change_password_error_flash

data/lib/rodauth/features/close_account.rb

@@ -11,6 +11,7 @@ module Rodauth
     after
     before
     redirect
+    response
 
     auth_value_method :account_closed_status_value, 3
 
@@ -50,8 +51,7 @@ module Rodauth
           end
           clear_session
 
-          set_notice_flash close_account_notice_flash
-          redirect close_account_redirect
+          close_account_response
         end
 
         set_error_flash close_account_error_flash

data/lib/rodauth/features/confirm_password.rb

@@ -11,6 +11,7 @@ module Rodauth
     button 'Confirm Password'
     before
     after
+    response
     redirect(:password_authentication_required){confirm_password_path}
 
     session_key :confirm_password_redirect_session_key, :confirm_password_redirect
@@ -37,8 +38,7 @@ module Rodauth
             confirm_password
             after_confirm_password
           end
-          set_notice_flash confirm_password_notice_flash
-          redirect confirm_password_redirect
+          confirm_password_response
         else
           set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)

data/lib/rodauth/features/create_account.rb

@@ -13,6 +13,7 @@ module Rodauth
     button 'Create Account'
     additional_form_tags
     redirect
+    response
 
     auth_value_method :create_account_autologin?, true
     translatable_method :create_account_link_text, "Create a New Account"
@@ -79,8 +80,7 @@ module Rodauth
             if create_account_autologin?
               autologin_session('create_account')
             end
-            set_notice_flash create_account_notice_flash
-            redirect create_account_redirect
+            create_account_response
           end
         end
 

data/lib/rodauth/features/email_auth.rb

@@ -19,6 +19,7 @@ module Rodauth
     button 'Send Login Link Via Email', 'email_auth_request'
     redirect(:email_auth_email_sent){default_post_email_redirect}
     redirect(:email_auth_email_recently_sent){default_post_email_redirect}
+    response :email_auth_email_sent
     email :email_auth, 'Login Link'
     
     auth_value_method :email_auth_deadline_column, :deadline
@@ -57,12 +58,11 @@ module Rodauth
       r.post do
         if account_from_login(param(login_param)) && open_account?
           _email_auth_request
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_error_reason :no_matching_login
-          set_redirect_error_flash email_auth_request_error_flash
         end
 
+        set_redirect_error_status(no_matching_login_error_status)
+        set_error_reason :no_matching_login
+        set_redirect_error_flash email_auth_request_error_flash
         redirect email_auth_email_sent_redirect
       end
     end
@@ -150,7 +150,7 @@ module Rodauth
 
     def after_login_entered_during_multi_phase_login
       # If forcing email auth, just send the email link.
-      _email_auth_request_and_redirect if force_email_auth?
+      _email_auth_request if force_email_auth?
 
       super
     end
@@ -169,7 +169,7 @@ module Rodauth
 
     def _multi_phase_login_forms
       forms = super
-      forms << [30, email_auth_request_form, :_email_auth_request_and_redirect] if valid_login_entered? && allow_email_auth?
+      forms << [30, email_auth_request_form, :_email_auth_request] if valid_login_entered? && allow_email_auth?
       forms
     end
 
@@ -177,11 +177,6 @@ module Rodauth
       (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
     end
 
-    def _email_auth_request_and_redirect
-      _email_auth_request
-      redirect email_auth_email_sent_redirect
-    end
-
     def _email_auth_request
       if email_auth_email_recently_sent?
         set_redirect_error_flash email_auth_email_recently_sent_error_flash
@@ -196,7 +191,7 @@ module Rodauth
         after_email_auth_request
       end
 
-      set_notice_flash email_auth_email_sent_notice_flash
+      email_auth_email_sent_response
     end
 
     attr_reader :email_auth_key_value

data/lib/rodauth/features/email_base.rb

@@ -69,12 +69,10 @@ module Rodauth
 
       return unless actual = yield(id)
 
-      unless timing_safe_eql?(key, convert_email_token_key(actual))
-        if hmac_secret && allow_raw_email_token?
-          return unless timing_safe_eql?(key, actual)
-        else
-          return
-        end
+      unless (hmac_secret && timing_safe_eql?(key, convert_email_token_key(actual))) ||
+         (hmac_secret_rotation? && timing_safe_eql?(key, compute_old_hmac(actual))) ||
+         ((!hmac_secret || allow_raw_email_token?) && timing_safe_eql?(key, actual))
+        return
       end
       ds = account_ds(id)
       ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?

data/lib/rodauth/features/internal_request.rb

@@ -50,6 +50,10 @@ module Rodauth
       @params[k]
     end
 
+    def clear_session
+      @session.clear
+    end
+
     def set_error_flash(message)
       @flash = message
       _handle_internal_request_error
@@ -81,6 +85,24 @@ module Rodauth
       _return_from_internal_request(recovery_codes)
     end
 
+    def webauthn_setup_view
+      cred = new_webauthn_credential
+      _return_from_internal_request({
+        webauthn_setup: cred.as_json,
+        webauthn_setup_challenge: cred.challenge,
+        webauthn_setup_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
+    def webauthn_auth_view
+      cred = webauthn_credential_options_for_get
+      _return_from_internal_request({
+        webauthn_auth: cred.as_json,
+        webauthn_auth_challenge: cred.challenge,
+        webauthn_auth_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
     def handle_internal_request(meth)
       catch(:halt) do
         _around_rodauth do
@@ -153,6 +175,11 @@ module Rodauth
       _set_login_param_from_account
     end
 
+    def before_webauthn_login_route
+      super
+      _set_login_param_from_account
+    end
+
     def account_from_key(token, status_id=nil)
       return super unless session_value
       return unless yield session_value
@@ -232,6 +259,25 @@ module Rodauth
       _handle_otp_setup(request)
     end
 
+    def _handle_webauthn_setup_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_setup(request)
+    end
+
+    def _handle_webauthn_auth_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_auth(request)
+    end
+
+    def _handle_webauthn_login_params(request)
+      _set_login_param_from_account
+      unless webauthn_login_options?
+        raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+        raise InternalRequestError, "no account for login"
+      end
+      webauthn_auth_view
+    end
+
     def _predicate_internal_request(meth, request)
       _return_false_on_error!
       _set_internal_request_return_value(true)
@@ -302,7 +348,7 @@ module Rodauth
         session[rodauth.session_key] = account_id
         unless authenticated_by = opts.delete(:authenticated_by)
           authenticated_by = case route
-          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
+          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :webauthn_auth, :webauthn_auth_params, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
             ['internal1']
           else
             ['internal1', 'internal2']

data/lib/rodauth/features/json.rb

@@ -22,6 +22,7 @@ module Rodauth
 
     auth_methods(
       :json_request?,
+      :json_response_error?
     )
 
     auth_private_methods :json_response_body
@@ -65,6 +66,10 @@ module Rodauth
       return_json_response
     end
 
+    def json_response_error?
+      !!json_response[json_response_error_key]
+    end
+
     private
 
     def before_two_factor_manage_route
@@ -172,7 +177,7 @@ module Rodauth
     end
 
     def _return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response.status ||= json_response_error_status if json_response_error?
       response['Content-Type'] ||= json_response_content_type
       return_response _json_response_body(json_response)
     end

data/lib/rodauth/features/jwt.rb

@@ -1,6 +1,7 @@
 # frozen-string-literal: true
 
 require 'jwt'
+require 'jwt/version'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
@@ -11,6 +12,7 @@ module Rodauth
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
     auth_value_method :jwt_decode_opts, {}.freeze
+    auth_value_method :jwt_old_secret, nil
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
 
@@ -111,9 +113,23 @@ module Rodauth
       jwt_decode_opts
     end
 
+    if JWT::VERSION::MAJOR > 2 || (JWT::VERSION::MAJOR == 2 && JWT::VERSION::MINOR >= 4)
+      def _jwt_decode_secrets
+        secrets = [jwt_secret, jwt_old_secret]
+        secrets.compact!
+        secrets
+      end
+    # :nocov:
+    else
+      def _jwt_decode_secrets
+        jwt_secret
+      end
+    # :nocov:
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+      @jwt_payload = JWT.decode(jwt_token, _jwt_decode_secrets, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
     rescue JWT::DecodeError => e
       rescue_jwt_payload(e)
     end

data/lib/rodauth/features/jwt_refresh.rb

@@ -114,7 +114,7 @@ module Rodauth
       unless key &&
              (id.to_s == session_value.to_s) &&
              (actual = get_active_refresh_token(id, token_id)) &&
-             timing_safe_eql?(key, convert_token_key(actual)) &&
+             (timing_safe_eql?(key, convert_token_key(actual)) || (hmac_secret_rotation? && timing_safe_eql?(key, compute_old_hmac(actual)))) &&
              jwt_refresh_token_match?(key)
         return
       end
@@ -150,7 +150,9 @@ module Rodauth
 
       # If allowing with expired jwt access token, check the expired session contains
       # hmac matching submitted and active refresh token.
-      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+      s = session[jwt_refresh_token_hmac_session_key].to_s
+      h = session[jwt_refresh_token_data_session_key].to_s + key
+      timing_safe_eql?(compute_hmac(h), s) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(h), s))
     end
 
     def get_active_refresh_token(account_id, token_id)

data/lib/rodauth/features/lockout.rb

@@ -23,10 +23,12 @@ module Rodauth
     notice_flash "Your account has been unlocked", 'unlock_account'
     notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
     redirect :unlock_account
+    response :unlock_account
+    response :unlock_account_request
     redirect(:unlock_account_request){default_post_email_redirect}
     redirect(:unlock_account_email_recently_sent){default_post_email_redirect}
     email :unlock_account, 'Unlock Account'
-      
+
     auth_value_method :unlock_account_autologin?, true
     auth_value_method :max_invalid_logins, 100
     auth_value_method :account_login_failures_table, :account_login_failures
@@ -82,14 +84,13 @@ module Rodauth
             after_unlock_account_request
           end
 
-          set_notice_flash unlock_account_request_notice_flash
+          unlock_account_request_response
         else
           set_redirect_error_status(no_matching_login_error_status)
           set_error_reason :no_matching_login
           set_redirect_error_flash no_matching_login_message.to_s.capitalize
+          redirect unlock_account_request_redirect
         end
-
-        redirect unlock_account_request_redirect
       end
     end
 
@@ -134,8 +135,7 @@ module Rodauth
           end
 
           remove_session_value(unlock_account_session_key)
-          set_notice_flash unlock_account_notice_flash
-          redirect unlock_account_redirect
+          unlock_account_response
         else
           set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)

data/lib/rodauth/features/login.rb

@@ -24,7 +24,10 @@ module Rodauth
 
     auth_value_methods :login_return_to_requested_location_path
 
-    auth_private_methods :login_form_footer_links
+    auth_private_methods(
+      :login_form_footer_links,
+      :login_response
+    )
 
     internal_request_method
     internal_request_method :valid_login_and_password?
@@ -77,17 +80,18 @@ module Rodauth
     end
 
     attr_reader :login_form_header
+    attr_reader :saved_login_redirect
+    private :saved_login_redirect
 
     def login(auth_type)
-      saved_login_redirect = remove_session_value(login_redirect_session_key)
+      @saved_login_redirect = remove_session_value(login_redirect_session_key)
       transaction do
         before_login
         login_session(auth_type)
         yield if block_given?
         after_login
       end
-      set_notice_flash login_notice_flash
-      redirect(saved_login_redirect || login_redirect)
+      require_response(:_login_response)
     end
 
     def login_required
@@ -136,6 +140,11 @@ module Rodauth
 
     private
 
+    def _login_response
+      set_notice_flash login_notice_flash
+      redirect(saved_login_redirect || login_redirect)
+    end
+
     def _login_form_footer_links
       []
     end