rodauth 2.30.0 → 2.32.0

data/lib/rodauth/features/logout.rb

@@ -10,6 +10,7 @@ module Rodauth
     after
     button 'Logout'
     redirect{require_login_redirect}
+    response
 
     auth_methods :logout
 
@@ -26,8 +27,7 @@ module Rodauth
           logout
           after_logout
         end
-        set_notice_flash logout_notice_flash
-        redirect logout_redirect
+        logout_response
       end
     end
 

data/lib/rodauth/features/otp.rb

@@ -35,6 +35,8 @@ module Rodauth
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    response :otp_disable
+    response :otp_setup
     redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
@@ -94,7 +96,8 @@ module Rodauth
 
     auth_private_methods(
       :otp_add_key,
-      :otp_tmp_key
+      :otp_tmp_key,
+      :otp_valid_code_for_old_secret
     )
 
     internal_request_method :otp_setup_params
@@ -181,8 +184,7 @@ module Rodauth
             end
             after_otp_setup
           end
-          set_notice_flash otp_setup_notice_flash
-          redirect otp_setup_redirect
+          otp_setup_response
         end
 
         set_error_flash otp_setup_error_flash
@@ -209,8 +211,7 @@ module Rodauth
             end
             after_otp_disable
           end
-          set_notice_flash otp_disable_notice_flash
-          redirect otp_disable_redirect
+          otp_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -246,8 +247,19 @@ module Rodauth
     def otp_exists?
       !otp_key.nil?
     end
-    
+
     def otp_valid_code?(ot_pass)
+      if _otp_valid_code?(ot_pass, otp)
+        true
+      elsif hmac_secret_rotation? && _otp_valid_code?(ot_pass, _otp_for_key(otp_hmac_old_secret(otp_key)))
+        _otp_valid_code_for_old_secret
+        true
+      else
+        false
+      end
+    end
+
+    def _otp_valid_code?(ot_pass, otp)
       return false unless otp_exists?
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
@@ -368,9 +380,17 @@ module Rodauth
       base32_encode(compute_raw_hmac(ROTP::Base32.decode(key)), key.bytesize)
     end
 
+    def otp_hmac_old_secret(key)
+      base32_encode(compute_raw_hmac_with_secret(ROTP::Base32.decode(key), hmac_old_secret), key.bytesize)
+    end
+
     def otp_valid_key?(secret)
       return false unless secret =~ /\A([a-z2-7]{16}|[a-z2-7]{32})\z/
       if otp_keys_use_hmac?
+        # Purposely do not allow creating new OTPs with old secrets,
+        # since OTP rotation is difficult.  The user will get shown
+        # the same page with an updated secret, which they can submit
+        # to setup OTP.
         timing_safe_eql?(otp_hmac_secret(param(otp_setup_raw_param)), secret)
       else
         true
@@ -400,6 +420,10 @@ module Rodauth
       @otp_key = secret
     end
 
+    # Called for valid OTP codes for old secrets
+    def _otp_valid_code_for_old_secret
+    end
+
     def _otp_add_key(secret)
       # Uniqueness errors can't be handled here, as we can't be sure the secret provided
       # is the same as the current secret.
@@ -411,8 +435,12 @@ module Rodauth
       otp_key_ds.get(otp_keys_column)
     end
 
+    def _otp_for_key(key)
+      otp_class.new(key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
+    end
+
     def _otp
-      otp_class.new(otp_user_key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
+      _otp_for_key(otp_user_key)
     end
 
     def otp_key_ds

data/lib/rodauth/features/remember.rb

@@ -13,6 +13,7 @@ module Rodauth
     after
     after 'load_memory'
     redirect
+    response
 
     auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}.freeze
@@ -71,15 +72,14 @@ module Rodauth
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value
-              forget_login 
+              forget_login
             when remember_disable_param_value
-              disable_remember_login 
+              disable_remember_login
             end
             after_remember
           end
 
-          set_notice_flash remember_notice_flash
-          redirect remember_redirect
+          remember_response
         else
           set_response_error_reason_status(:invalid_remember_param, invalid_field_error_status)
           set_error_flash remember_error_flash
@@ -96,11 +96,11 @@ module Rodauth
       actual, deadline = active_remember_key_ds(id).get([remember_key_column, remember_deadline_column])
       return unless actual
 
-      if hmac_secret
-        unless valid = timing_safe_eql?(key, compute_hmac(actual))
-          unless raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline)
-            return
-          end
+      if hmac_secret && !(valid = timing_safe_eql?(key, compute_hmac(actual)))
+        if hmac_secret_rotation? && (valid = timing_safe_eql?(key, compute_old_hmac(actual)))
+          _set_remember_cookie(id, actual, deadline)
+        elsif !(raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline))
+          return
         end
       end
 
@@ -177,16 +177,20 @@ module Rodauth
 
     private
 
-    def set_remember_cookie
+    def _set_remember_cookie(account_id, remember_key_value, deadline)
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
-      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:expires] = convert_timestamp(deadline)
       opts[:path] = "/" unless opts.key?(:path)
       opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
       opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
+    def set_remember_cookie
+      _set_remember_cookie(account_id, remember_key_value, active_remember_key_ds.get(remember_deadline_column))
+    end
+
     def extend_remember_deadline_while_logged_in?
       return false unless extend_remember_deadline?
 

data/lib/rodauth/features/reset_password.rb

@@ -24,8 +24,10 @@ module Rodauth
     redirect
     redirect(:reset_password_email_sent){default_post_email_redirect}
     redirect(:reset_password_email_recently_sent){default_post_email_redirect}
+    response
+    response :reset_password_email_sent
     email :reset_password, 'Reset Password'
-    
+
     auth_value_method :reset_password_deadline_column, :deadline
     auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
     auth_value_method :reset_password_key_param, 'key'
@@ -88,8 +90,7 @@ module Rodauth
             after_reset_password_request
           end
 
-          set_notice_flash reset_password_email_sent_notice_flash
-          redirect reset_password_email_sent_redirect
+          reset_password_email_sent_response
         end
 
         set_error_flash reset_password_request_error_flash
@@ -154,8 +155,7 @@ module Rodauth
           end
 
           remove_session_value(reset_password_session_key)
-          set_notice_flash reset_password_notice_flash
-          redirect reset_password_redirect
+          reset_password_response
         end
 
         set_error_flash reset_password_error_flash

data/lib/rodauth/features/single_session.rb

@@ -37,9 +37,10 @@ module Rodauth
         end
         true
       elsif current_key
-        if hmac_secret
-          valid = timing_safe_eql?(single_session_key, compute_hmac(current_key))
-          if !valid && !allow_raw_single_session_key?
+        if hmac_secret && !(valid = timing_safe_eql?(single_session_key, hmac = compute_hmac(current_key)))
+          if hmac_secret_rotation? && (valid = timing_safe_eql?(single_session_key, compute_old_hmac(current_key)))
+            session[single_session_session_key] = hmac
+          elsif !allow_raw_single_session_key?
             return false
           end
         end

data/lib/rodauth/features/sms_codes.rb

@@ -55,6 +55,10 @@ module Rodauth
     redirect(:sms_request){sms_request_path}
     redirect(:sms_lockout){two_factor_auth_required_redirect}
 
+    response :sms_confirm
+    response :sms_disable
+    response :sms_needs_confirmation
+
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
     view 'sms-confirm', 'Confirm SMS Backup Number', 'sms_confirm'
@@ -86,7 +90,11 @@ module Rodauth
 
     auth_cached_method :sms
 
-    auth_value_methods :sms_codes_primary?
+    auth_value_methods(
+      :sms_codes_primary?,
+      :sms_needs_confirmation_notice_flash,
+      :sms_request_response
+    )
 
     auth_methods(
       :sms_auth_message,
@@ -136,9 +144,8 @@ module Rodauth
           sms_send_auth_code
           after_sms_request
         end
-        
-        set_notice_flash sms_request_notice_flash
-        redirect sms_auth_redirect
+
+        require_response(:_sms_request_response)
       end
     end
 
@@ -223,8 +230,7 @@ module Rodauth
             after_sms_setup
           end
 
-          set_notice_flash sms_needs_confirmation_error_flash
-          redirect sms_needs_confirmation_redirect
+          sms_needs_confirmation_response
         end
 
         set_error_flash sms_setup_error_flash
@@ -256,8 +262,7 @@ module Rodauth
             end
           end
 
-          set_notice_flash sms_confirm_notice_flash
-          redirect sms_confirm_redirect
+          sms_confirm_response
         end
 
         sms_confirm_failure
@@ -287,8 +292,7 @@ module Rodauth
             end
             after_sms_disable
           end
-          set_notice_flash sms_disable_notice_flash
-          redirect sms_disable_redirect
+          sms_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -395,6 +399,10 @@ module Rodauth
       "SMS confirmation code for #{domain} is #{code}"
     end
 
+    def sms_needs_confirmation_notice_flash
+      sms_needs_confirmation_error_flash
+    end
+
     def sms_set_code(code)
      update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
     end
@@ -449,6 +457,11 @@ module Rodauth
 
     private
 
+    def _sms_request_response
+      set_notice_flash sms_request_notice_flash
+      redirect sms_auth_redirect
+    end
+
     def _two_factor_auth_links
       links = super
       links << [30, sms_request_path, sms_auth_link_text] if sms_available?

data/lib/rodauth/features/two_factor_base.rb

@@ -23,6 +23,8 @@ module Rodauth
     redirect(:two_factor_need_setup){two_factor_manage_path}
     redirect(:two_factor_auth_required){two_factor_auth_path}
 
+    response :two_factor_disable
+
     notice_flash "You have been multifactor authenticated", "two_factor_auth"
     notice_flash "All multifactor authentication methods have been disabled", "two_factor_disable"
 
@@ -55,6 +57,7 @@ module Rodauth
 
     auth_private_methods(
       :two_factor_auth_links,
+      :two_factor_auth_response,
       :two_factor_setup_links,
       :two_factor_remove_links
     )
@@ -106,8 +109,7 @@ module Rodauth
             _two_factor_remove_all_from_session
             after_two_factor_disable
           end
-          set_notice_flash two_factor_disable_notice_flash
-          redirect two_factor_disable_redirect
+          two_factor_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -247,13 +249,13 @@ module Rodauth
       two_factor_update_session(type)
       two_factor_remove_auth_failures
       after_two_factor_authentication
-      set_notice_flash two_factor_auth_notice_flash
-      redirect_two_factor_authenticated
+      require_response(:_two_factor_auth_response)
     end
 
-    def redirect_two_factor_authenticated
+    def _two_factor_auth_response
       saved_two_factor_auth_redirect = remove_session_value(two_factor_auth_redirect_session_key)
-      redirect saved_two_factor_auth_redirect || two_factor_auth_redirect
+      set_notice_flash two_factor_auth_notice_flash
+      redirect(saved_two_factor_auth_redirect || two_factor_auth_redirect)
     end
 
     def two_factor_remove_session(type)

data/lib/rodauth/features/update_password_hash.rb

@@ -6,6 +6,7 @@ module Rodauth
 
     def password_match?(password)
       if (result = super) && update_password_hash?
+        @update_password_hash = false
         set_password(password)
       end
 
@@ -15,7 +16,7 @@ module Rodauth
     private
 
     def update_password_hash?
-      password_hash_cost != @current_password_hash_cost
+      password_hash_cost != @current_password_hash_cost || @update_password_hash
     end
 
     def get_password_hash

data/lib/rodauth/features/verify_account.rb

@@ -24,6 +24,8 @@ module Rodauth
     button 'Verify Account'
     button 'Send Verification Email Again', 'verify_account_resend'
     redirect
+    response
+    response :verify_account_email_sent
     redirect(:verify_account_email_sent){default_post_email_redirect}
     redirect(:verify_account_email_recently_sent){default_post_email_redirect}
     email :verify_account, 'Verify Account'
@@ -69,7 +71,6 @@ module Rodauth
       end
 
       r.post do
-        verified = false
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
@@ -79,18 +80,13 @@ module Rodauth
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
-            verified = true
+            verify_account_email_sent_response
           end
         end
 
-        if verified
-          set_notice_flash verify_account_email_sent_notice_flash
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_error_reason :no_matching_login
-          set_redirect_error_flash verify_account_resend_error_flash
-        end
-        
+        set_redirect_error_status(no_matching_login_error_status)
+        set_error_reason :no_matching_login
+        set_redirect_error_flash verify_account_resend_error_flash
         redirect verify_account_email_sent_redirect
       end
     end
@@ -154,8 +150,7 @@ module Rodauth
           end
 
           remove_session_value(verify_account_session_key)
-          set_notice_flash verify_account_notice_flash
-          redirect verify_account_redirect
+          verify_account_response
         end
 
         set_error_flash verify_account_error_flash

data/lib/rodauth/features/verify_login_change.rb

@@ -18,6 +18,7 @@ module Rodauth
     before 'verify_login_change_email'
     button 'Verify Login Change'
     redirect
+    response
     redirect(:verify_login_change_duplicate_account){require_login_redirect}
 
     auth_value_method :verify_login_change_autologin?, false
@@ -98,8 +99,7 @@ module Rodauth
         end
 
         remove_session_value(verify_login_change_session_key)
-        set_notice_flash verify_login_change_notice_flash
-        redirect verify_login_change_redirect
+        verify_login_change_response
       end
     end
 

data/lib/rodauth/features/webauthn.rb

@@ -30,6 +30,8 @@ module Rodauth
 
     redirect :webauthn_setup
     redirect :webauthn_remove
+    response :webauthn_setup
+    response :webauthn_remove
 
     notice_flash "WebAuthn authentication is now setup", 'webauthn_setup'
     notice_flash "WebAuthn authenticator has been removed", 'webauthn_remove'
@@ -112,6 +114,12 @@ module Rodauth
 
     def_deprecated_alias :webauthn_credential_options_for_get, :webauth_credential_options_for_get
 
+    internal_request_method :webauthn_setup_params
+    internal_request_method :webauthn_setup
+    internal_request_method :webauthn_auth_params
+    internal_request_method :webauthn_auth
+    internal_request_method :webauthn_remove
+
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do
@@ -188,8 +196,7 @@ module Rodauth
             throw_error_reason(:duplicate_webauthn_id, invalid_field_error_status, webauthn_setup_param, webauthn_duplicate_webauthn_id_message)
           end
 
-          set_notice_flash webauthn_setup_notice_flash
-          redirect webauthn_setup_redirect
+          webauthn_setup_response
         end
 
         set_error_flash webauthn_setup_error_flash
@@ -229,8 +236,7 @@ module Rodauth
             after_webauthn_remove
           end
 
-          set_notice_flash webauthn_remove_notice_flash
-          redirect webauthn_remove_redirect
+          webauthn_remove_response
         end
 
         set_error_flash webauthn_remove_error_flash
@@ -314,7 +320,7 @@ module Rodauth
 
       (challenge = param_or_nil(webauthn_setup_challenge_param)) &&
         (hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
-        timing_safe_eql?(compute_hmac(challenge), hmac) &&
+        (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
         webauthn_credential.verify(challenge)
     end
 
@@ -370,7 +376,7 @@ module Rodauth
 
       (challenge = param_or_nil(webauthn_auth_challenge_param)) &&
         (hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
-        timing_safe_eql?(compute_hmac(challenge), hmac) &&
+        (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
         webauthn_credential.verify(challenge, public_key: pub_key, sign_count: sign_count) &&
         ds.update(
           webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count),

data/lib/rodauth/features/webauthn_autofill.rb

@@ -6,6 +6,8 @@ module Rodauth
 
     auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
 
+    translatable_method :webauthn_invalid_webauthn_id_message, "no webauthn key with given id found"
+
     route(:webauthn_autofill_js) do |r|
       before_webauthn_autofill_js_route
       r.get do
@@ -47,7 +49,11 @@ module Rodauth
         .where(webauthn_keys_webauthn_id_column => credential_id)
         .get(webauthn_keys_account_id_column)
 
-      @account = account_ds(account_id).first if account_id
+      unless account_id
+        throw_error_reason(:invalid_webauthn_id, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_webauthn_id_message)
+      end
+
+      @account = account_ds(account_id).first
     end
 
     def webauthn_login_options?

data/lib/rodauth/features/webauthn_login.rb

@@ -10,6 +10,11 @@ module Rodauth
 
     error_flash "There was an error authenticating via WebAuthn"
 
+    auth_value_method :webauthn_login_user_verification_additional_factor?, false
+
+    internal_request_method :webauthn_login_params
+    internal_request_method :webauthn_login
+
     route(:webauthn_login) do |r|
       check_already_logged_in
       before_webauthn_login_route
@@ -24,6 +29,9 @@ module Rodauth
           before_webauthn_login
           login('webauthn') do
             webauthn_update_session(webauthn_credential.id)
+            if webauthn_login_verification_factor?(webauthn_credential)
+              two_factor_update_session('webauthn-verification')
+            end
           end
         end
 
@@ -48,12 +56,23 @@ module Rodauth
       end
     end
 
+    def webauthn_user_verification
+      return 'preferred' if webauthn_login_user_verification_additional_factor?
+      super
+    end
+
     def use_multi_phase_login?
       true
     end
 
     private
 
+    def webauthn_login_verification_factor?(webauthn_credential)
+      webauthn_login_user_verification_additional_factor? &&
+        webauthn_credential.response.authenticator_data.user_verified? &&
+        uses_two_factor_authentication?
+    end
+
     def account_from_webauthn_login
       account_from_login(param(login_param))
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 30
+  MINOR = 32
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -214,6 +214,22 @@ module Rodauth
       auth_methods meth
     end
 
+    def response(name=feature_name)
+      meth = :"#{name}_response"
+      overridable_meth = :"_#{meth}"
+      notice_flash_meth = :"#{name}_notice_flash"
+      redirect_meth = :"#{name}_redirect"
+      define_method(overridable_meth) do
+        set_notice_flash send(notice_flash_meth)
+        redirect send(redirect_meth)
+      end
+      define_method(meth) do
+        require_response(overridable_meth)
+      end
+      private overridable_meth, meth
+      auth_private_methods meth
+    end
+
     def loaded_templates(v)
       define_method(:loaded_templates) do
         super().concat(v)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.30.0
+  version: 2.32.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-22 00:00:00.000000000 Z
+date: 2023-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -348,6 +348,8 @@ extra_rdoc_files:
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
+- doc/release_notes/2.32.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -394,6 +396,7 @@ files:
 - doc/guides/query_params.rdoc
 - doc/guides/redirects.rdoc
 - doc/guides/registration_field.rdoc
+- doc/guides/render_confirmation.rdoc
 - doc/guides/require_mfa.rdoc
 - doc/guides/reset_password_autologin.rdoc
 - doc/guides/share_configuration.rdoc
@@ -465,6 +468,8 @@ files:
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
+- doc/release_notes/2.32.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt