rodauth 2.31.0 → 2.32.0

data/lib/rodauth/features/confirm_password.rb

@@ -11,6 +11,7 @@ module Rodauth
     button 'Confirm Password'
     before
     after
+    response
     redirect(:password_authentication_required){confirm_password_path}
 
     session_key :confirm_password_redirect_session_key, :confirm_password_redirect
@@ -37,8 +38,7 @@ module Rodauth
             confirm_password
             after_confirm_password
           end
-          set_notice_flash confirm_password_notice_flash
-          redirect confirm_password_redirect
+          confirm_password_response
         else
           set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)

data/lib/rodauth/features/create_account.rb

@@ -13,6 +13,7 @@ module Rodauth
     button 'Create Account'
     additional_form_tags
     redirect
+    response
 
     auth_value_method :create_account_autologin?, true
     translatable_method :create_account_link_text, "Create a New Account"
@@ -79,8 +80,7 @@ module Rodauth
             if create_account_autologin?
               autologin_session('create_account')
             end
-            set_notice_flash create_account_notice_flash
-            redirect create_account_redirect
+            create_account_response
           end
         end
 

data/lib/rodauth/features/email_auth.rb

@@ -19,6 +19,7 @@ module Rodauth
     button 'Send Login Link Via Email', 'email_auth_request'
     redirect(:email_auth_email_sent){default_post_email_redirect}
     redirect(:email_auth_email_recently_sent){default_post_email_redirect}
+    response :email_auth_email_sent
     email :email_auth, 'Login Link'
     
     auth_value_method :email_auth_deadline_column, :deadline
@@ -57,12 +58,11 @@ module Rodauth
       r.post do
         if account_from_login(param(login_param)) && open_account?
           _email_auth_request
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_error_reason :no_matching_login
-          set_redirect_error_flash email_auth_request_error_flash
         end
 
+        set_redirect_error_status(no_matching_login_error_status)
+        set_error_reason :no_matching_login
+        set_redirect_error_flash email_auth_request_error_flash
         redirect email_auth_email_sent_redirect
       end
     end
@@ -150,7 +150,7 @@ module Rodauth
 
     def after_login_entered_during_multi_phase_login
       # If forcing email auth, just send the email link.
-      _email_auth_request_and_redirect if force_email_auth?
+      _email_auth_request if force_email_auth?
 
       super
     end
@@ -169,7 +169,7 @@ module Rodauth
 
     def _multi_phase_login_forms
       forms = super
-      forms << [30, email_auth_request_form, :_email_auth_request_and_redirect] if valid_login_entered? && allow_email_auth?
+      forms << [30, email_auth_request_form, :_email_auth_request] if valid_login_entered? && allow_email_auth?
       forms
     end
 
@@ -177,11 +177,6 @@ module Rodauth
       (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
     end
 
-    def _email_auth_request_and_redirect
-      _email_auth_request
-      redirect email_auth_email_sent_redirect
-    end
-
     def _email_auth_request
       if email_auth_email_recently_sent?
         set_redirect_error_flash email_auth_email_recently_sent_error_flash
@@ -196,7 +191,7 @@ module Rodauth
         after_email_auth_request
       end
 
-      set_notice_flash email_auth_email_sent_notice_flash
+      email_auth_email_sent_response
     end
 
     attr_reader :email_auth_key_value

data/lib/rodauth/features/email_base.rb

@@ -69,12 +69,10 @@ module Rodauth
 
       return unless actual = yield(id)
 
-      unless timing_safe_eql?(key, convert_email_token_key(actual))
-        if hmac_secret && allow_raw_email_token?
-          return unless timing_safe_eql?(key, actual)
-        else
-          return
-        end
+      unless (hmac_secret && timing_safe_eql?(key, convert_email_token_key(actual))) ||
+         (hmac_secret_rotation? && timing_safe_eql?(key, compute_old_hmac(actual))) ||
+         ((!hmac_secret || allow_raw_email_token?) && timing_safe_eql?(key, actual))
+        return
       end
       ds = account_ds(id)
       ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?

data/lib/rodauth/features/jwt.rb

@@ -1,6 +1,7 @@
 # frozen-string-literal: true
 
 require 'jwt'
+require 'jwt/version'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
@@ -11,6 +12,7 @@ module Rodauth
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
     auth_value_method :jwt_decode_opts, {}.freeze
+    auth_value_method :jwt_old_secret, nil
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
 
@@ -111,9 +113,23 @@ module Rodauth
       jwt_decode_opts
     end
 
+    if JWT::VERSION::MAJOR > 2 || (JWT::VERSION::MAJOR == 2 && JWT::VERSION::MINOR >= 4)
+      def _jwt_decode_secrets
+        secrets = [jwt_secret, jwt_old_secret]
+        secrets.compact!
+        secrets
+      end
+    # :nocov:
+    else
+      def _jwt_decode_secrets
+        jwt_secret
+      end
+    # :nocov:
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+      @jwt_payload = JWT.decode(jwt_token, _jwt_decode_secrets, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
     rescue JWT::DecodeError => e
       rescue_jwt_payload(e)
     end

data/lib/rodauth/features/jwt_refresh.rb

@@ -114,7 +114,7 @@ module Rodauth
       unless key &&
              (id.to_s == session_value.to_s) &&
              (actual = get_active_refresh_token(id, token_id)) &&
-             timing_safe_eql?(key, convert_token_key(actual)) &&
+             (timing_safe_eql?(key, convert_token_key(actual)) || (hmac_secret_rotation? && timing_safe_eql?(key, compute_old_hmac(actual)))) &&
              jwt_refresh_token_match?(key)
         return
       end
@@ -150,7 +150,9 @@ module Rodauth
 
       # If allowing with expired jwt access token, check the expired session contains
       # hmac matching submitted and active refresh token.
-      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+      s = session[jwt_refresh_token_hmac_session_key].to_s
+      h = session[jwt_refresh_token_data_session_key].to_s + key
+      timing_safe_eql?(compute_hmac(h), s) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(h), s))
     end
 
     def get_active_refresh_token(account_id, token_id)

data/lib/rodauth/features/lockout.rb

@@ -23,10 +23,12 @@ module Rodauth
     notice_flash "Your account has been unlocked", 'unlock_account'
     notice_flash "An email has been sent to you with a link to unlock your account", 'unlock_account_request'
     redirect :unlock_account
+    response :unlock_account
+    response :unlock_account_request
     redirect(:unlock_account_request){default_post_email_redirect}
     redirect(:unlock_account_email_recently_sent){default_post_email_redirect}
     email :unlock_account, 'Unlock Account'
-      
+
     auth_value_method :unlock_account_autologin?, true
     auth_value_method :max_invalid_logins, 100
     auth_value_method :account_login_failures_table, :account_login_failures
@@ -82,14 +84,13 @@ module Rodauth
             after_unlock_account_request
           end
 
-          set_notice_flash unlock_account_request_notice_flash
+          unlock_account_request_response
         else
           set_redirect_error_status(no_matching_login_error_status)
           set_error_reason :no_matching_login
           set_redirect_error_flash no_matching_login_message.to_s.capitalize
+          redirect unlock_account_request_redirect
         end
-
-        redirect unlock_account_request_redirect
       end
     end
 
@@ -134,8 +135,7 @@ module Rodauth
           end
 
           remove_session_value(unlock_account_session_key)
-          set_notice_flash unlock_account_notice_flash
-          redirect unlock_account_redirect
+          unlock_account_response
         else
           set_response_error_reason_status(:invalid_password, invalid_password_error_status)
           set_field_error(password_param, invalid_password_message)

data/lib/rodauth/features/login.rb

@@ -24,7 +24,10 @@ module Rodauth
 
     auth_value_methods :login_return_to_requested_location_path
 
-    auth_private_methods :login_form_footer_links
+    auth_private_methods(
+      :login_form_footer_links,
+      :login_response
+    )
 
     internal_request_method
     internal_request_method :valid_login_and_password?
@@ -77,17 +80,18 @@ module Rodauth
     end
 
     attr_reader :login_form_header
+    attr_reader :saved_login_redirect
+    private :saved_login_redirect
 
     def login(auth_type)
-      saved_login_redirect = remove_session_value(login_redirect_session_key)
+      @saved_login_redirect = remove_session_value(login_redirect_session_key)
       transaction do
         before_login
         login_session(auth_type)
         yield if block_given?
         after_login
       end
-      set_notice_flash login_notice_flash
-      redirect(saved_login_redirect || login_redirect)
+      require_response(:_login_response)
     end
 
     def login_required
@@ -136,6 +140,11 @@ module Rodauth
 
     private
 
+    def _login_response
+      set_notice_flash login_notice_flash
+      redirect(saved_login_redirect || login_redirect)
+    end
+
     def _login_form_footer_links
       []
     end

data/lib/rodauth/features/logout.rb

@@ -10,6 +10,7 @@ module Rodauth
     after
     button 'Logout'
     redirect{require_login_redirect}
+    response
 
     auth_methods :logout
 
@@ -26,8 +27,7 @@ module Rodauth
           logout
           after_logout
         end
-        set_notice_flash logout_notice_flash
-        redirect logout_redirect
+        logout_response
       end
     end
 

data/lib/rodauth/features/otp.rb

@@ -35,6 +35,8 @@ module Rodauth
     redirect :otp_disable
     redirect :otp_already_setup
     redirect :otp_setup
+    response :otp_disable
+    response :otp_setup
     redirect(:otp_lockout){two_factor_auth_required_redirect}
 
     loaded_templates %w'otp-disable otp-auth otp-setup otp-auth-code-field password-field'
@@ -94,7 +96,8 @@ module Rodauth
 
     auth_private_methods(
       :otp_add_key,
-      :otp_tmp_key
+      :otp_tmp_key,
+      :otp_valid_code_for_old_secret
     )
 
     internal_request_method :otp_setup_params
@@ -181,8 +184,7 @@ module Rodauth
             end
             after_otp_setup
           end
-          set_notice_flash otp_setup_notice_flash
-          redirect otp_setup_redirect
+          otp_setup_response
         end
 
         set_error_flash otp_setup_error_flash
@@ -209,8 +211,7 @@ module Rodauth
             end
             after_otp_disable
           end
-          set_notice_flash otp_disable_notice_flash
-          redirect otp_disable_redirect
+          otp_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -246,8 +247,19 @@ module Rodauth
     def otp_exists?
       !otp_key.nil?
     end
-    
+
     def otp_valid_code?(ot_pass)
+      if _otp_valid_code?(ot_pass, otp)
+        true
+      elsif hmac_secret_rotation? && _otp_valid_code?(ot_pass, _otp_for_key(otp_hmac_old_secret(otp_key)))
+        _otp_valid_code_for_old_secret
+        true
+      else
+        false
+      end
+    end
+
+    def _otp_valid_code?(ot_pass, otp)
       return false unless otp_exists?
       ot_pass = ot_pass.gsub(/\s+/, '')
       if drift = otp_drift
@@ -368,9 +380,17 @@ module Rodauth
       base32_encode(compute_raw_hmac(ROTP::Base32.decode(key)), key.bytesize)
     end
 
+    def otp_hmac_old_secret(key)
+      base32_encode(compute_raw_hmac_with_secret(ROTP::Base32.decode(key), hmac_old_secret), key.bytesize)
+    end
+
     def otp_valid_key?(secret)
       return false unless secret =~ /\A([a-z2-7]{16}|[a-z2-7]{32})\z/
       if otp_keys_use_hmac?
+        # Purposely do not allow creating new OTPs with old secrets,
+        # since OTP rotation is difficult.  The user will get shown
+        # the same page with an updated secret, which they can submit
+        # to setup OTP.
         timing_safe_eql?(otp_hmac_secret(param(otp_setup_raw_param)), secret)
       else
         true
@@ -400,6 +420,10 @@ module Rodauth
       @otp_key = secret
     end
 
+    # Called for valid OTP codes for old secrets
+    def _otp_valid_code_for_old_secret
+    end
+
     def _otp_add_key(secret)
       # Uniqueness errors can't be handled here, as we can't be sure the secret provided
       # is the same as the current secret.
@@ -411,8 +435,12 @@ module Rodauth
       otp_key_ds.get(otp_keys_column)
     end
 
+    def _otp_for_key(key)
+      otp_class.new(key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
+    end
+
     def _otp
-      otp_class.new(otp_user_key, :issuer=>otp_issuer, :digits=>otp_digits, :interval=>otp_interval)
+      _otp_for_key(otp_user_key)
     end
 
     def otp_key_ds

data/lib/rodauth/features/remember.rb

@@ -13,6 +13,7 @@ module Rodauth
     after
     after 'load_memory'
     redirect
+    response
 
     auth_value_method :raw_remember_token_deadline, nil
     auth_value_method :remember_cookie_options, {}.freeze
@@ -71,15 +72,14 @@ module Rodauth
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value
-              forget_login 
+              forget_login
             when remember_disable_param_value
-              disable_remember_login 
+              disable_remember_login
             end
             after_remember
           end
 
-          set_notice_flash remember_notice_flash
-          redirect remember_redirect
+          remember_response
         else
           set_response_error_reason_status(:invalid_remember_param, invalid_field_error_status)
           set_error_flash remember_error_flash
@@ -96,11 +96,11 @@ module Rodauth
       actual, deadline = active_remember_key_ds(id).get([remember_key_column, remember_deadline_column])
       return unless actual
 
-      if hmac_secret
-        unless valid = timing_safe_eql?(key, compute_hmac(actual))
-          unless raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline)
-            return
-          end
+      if hmac_secret && !(valid = timing_safe_eql?(key, compute_hmac(actual)))
+        if hmac_secret_rotation? && (valid = timing_safe_eql?(key, compute_old_hmac(actual)))
+          _set_remember_cookie(id, actual, deadline)
+        elsif !(raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline))
+          return
         end
       end
 
@@ -177,16 +177,20 @@ module Rodauth
 
     private
 
-    def set_remember_cookie
+    def _set_remember_cookie(account_id, remember_key_value, deadline)
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
-      opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:expires] = convert_timestamp(deadline)
       opts[:path] = "/" unless opts.key?(:path)
       opts[:httponly] = true unless opts.key?(:httponly) || opts.key?(:http_only)
       opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
+    def set_remember_cookie
+      _set_remember_cookie(account_id, remember_key_value, active_remember_key_ds.get(remember_deadline_column))
+    end
+
     def extend_remember_deadline_while_logged_in?
       return false unless extend_remember_deadline?
 

data/lib/rodauth/features/reset_password.rb

@@ -24,8 +24,10 @@ module Rodauth
     redirect
     redirect(:reset_password_email_sent){default_post_email_redirect}
     redirect(:reset_password_email_recently_sent){default_post_email_redirect}
+    response
+    response :reset_password_email_sent
     email :reset_password, 'Reset Password'
-    
+
     auth_value_method :reset_password_deadline_column, :deadline
     auth_value_method :reset_password_deadline_interval, {:days=>1}.freeze
     auth_value_method :reset_password_key_param, 'key'
@@ -88,8 +90,7 @@ module Rodauth
             after_reset_password_request
           end
 
-          set_notice_flash reset_password_email_sent_notice_flash
-          redirect reset_password_email_sent_redirect
+          reset_password_email_sent_response
         end
 
         set_error_flash reset_password_request_error_flash
@@ -154,8 +155,7 @@ module Rodauth
           end
 
           remove_session_value(reset_password_session_key)
-          set_notice_flash reset_password_notice_flash
-          redirect reset_password_redirect
+          reset_password_response
         end
 
         set_error_flash reset_password_error_flash

data/lib/rodauth/features/single_session.rb

@@ -37,9 +37,10 @@ module Rodauth
         end
         true
       elsif current_key
-        if hmac_secret
-          valid = timing_safe_eql?(single_session_key, compute_hmac(current_key))
-          if !valid && !allow_raw_single_session_key?
+        if hmac_secret && !(valid = timing_safe_eql?(single_session_key, hmac = compute_hmac(current_key)))
+          if hmac_secret_rotation? && (valid = timing_safe_eql?(single_session_key, compute_old_hmac(current_key)))
+            session[single_session_session_key] = hmac
+          elsif !allow_raw_single_session_key?
             return false
           end
         end

data/lib/rodauth/features/sms_codes.rb

@@ -55,6 +55,10 @@ module Rodauth
     redirect(:sms_request){sms_request_path}
     redirect(:sms_lockout){two_factor_auth_required_redirect}
 
+    response :sms_confirm
+    response :sms_disable
+    response :sms_needs_confirmation
+
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
     view 'sms-confirm', 'Confirm SMS Backup Number', 'sms_confirm'
@@ -86,7 +90,11 @@ module Rodauth
 
     auth_cached_method :sms
 
-    auth_value_methods :sms_codes_primary?
+    auth_value_methods(
+      :sms_codes_primary?,
+      :sms_needs_confirmation_notice_flash,
+      :sms_request_response
+    )
 
     auth_methods(
       :sms_auth_message,
@@ -136,9 +144,8 @@ module Rodauth
           sms_send_auth_code
           after_sms_request
         end
-        
-        set_notice_flash sms_request_notice_flash
-        redirect sms_auth_redirect
+
+        require_response(:_sms_request_response)
       end
     end
 
@@ -223,8 +230,7 @@ module Rodauth
             after_sms_setup
           end
 
-          set_notice_flash sms_needs_confirmation_error_flash
-          redirect sms_needs_confirmation_redirect
+          sms_needs_confirmation_response
         end
 
         set_error_flash sms_setup_error_flash
@@ -256,8 +262,7 @@ module Rodauth
             end
           end
 
-          set_notice_flash sms_confirm_notice_flash
-          redirect sms_confirm_redirect
+          sms_confirm_response
         end
 
         sms_confirm_failure
@@ -287,8 +292,7 @@ module Rodauth
             end
             after_sms_disable
           end
-          set_notice_flash sms_disable_notice_flash
-          redirect sms_disable_redirect
+          sms_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -395,6 +399,10 @@ module Rodauth
       "SMS confirmation code for #{domain} is #{code}"
     end
 
+    def sms_needs_confirmation_notice_flash
+      sms_needs_confirmation_error_flash
+    end
+
     def sms_set_code(code)
      update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
     end
@@ -449,6 +457,11 @@ module Rodauth
 
     private
 
+    def _sms_request_response
+      set_notice_flash sms_request_notice_flash
+      redirect sms_auth_redirect
+    end
+
     def _two_factor_auth_links
       links = super
       links << [30, sms_request_path, sms_auth_link_text] if sms_available?

data/lib/rodauth/features/two_factor_base.rb

@@ -23,6 +23,8 @@ module Rodauth
     redirect(:two_factor_need_setup){two_factor_manage_path}
     redirect(:two_factor_auth_required){two_factor_auth_path}
 
+    response :two_factor_disable
+
     notice_flash "You have been multifactor authenticated", "two_factor_auth"
     notice_flash "All multifactor authentication methods have been disabled", "two_factor_disable"
 
@@ -55,6 +57,7 @@ module Rodauth
 
     auth_private_methods(
       :two_factor_auth_links,
+      :two_factor_auth_response,
       :two_factor_setup_links,
       :two_factor_remove_links
     )
@@ -106,8 +109,7 @@ module Rodauth
             _two_factor_remove_all_from_session
             after_two_factor_disable
           end
-          set_notice_flash two_factor_disable_notice_flash
-          redirect two_factor_disable_redirect
+          two_factor_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -247,13 +249,13 @@ module Rodauth
       two_factor_update_session(type)
       two_factor_remove_auth_failures
       after_two_factor_authentication
-      set_notice_flash two_factor_auth_notice_flash
-      redirect_two_factor_authenticated
+      require_response(:_two_factor_auth_response)
     end
 
-    def redirect_two_factor_authenticated
+    def _two_factor_auth_response
       saved_two_factor_auth_redirect = remove_session_value(two_factor_auth_redirect_session_key)
-      redirect saved_two_factor_auth_redirect || two_factor_auth_redirect
+      set_notice_flash two_factor_auth_notice_flash
+      redirect(saved_two_factor_auth_redirect || two_factor_auth_redirect)
     end
 
     def two_factor_remove_session(type)

data/lib/rodauth/features/update_password_hash.rb

@@ -6,6 +6,7 @@ module Rodauth
 
     def password_match?(password)
       if (result = super) && update_password_hash?
+        @update_password_hash = false
         set_password(password)
       end
 
@@ -15,7 +16,7 @@ module Rodauth
     private
 
     def update_password_hash?
-      password_hash_cost != @current_password_hash_cost
+      password_hash_cost != @current_password_hash_cost || @update_password_hash
     end
 
     def get_password_hash