rodauth 2.31.0 → 2.33.0

data/lib/rodauth/features/sms_codes.rb

@@ -55,6 +55,10 @@ module Rodauth
     redirect(:sms_request){sms_request_path}
     redirect(:sms_lockout){two_factor_auth_required_redirect}
 
+    response :sms_confirm
+    response :sms_disable
+    response :sms_needs_confirmation
+
     loaded_templates %w'sms-auth sms-confirm sms-disable sms-request sms-setup sms-code-field password-field'
     view 'sms-auth', 'Authenticate via SMS Code', 'sms_auth'
     view 'sms-confirm', 'Confirm SMS Backup Number', 'sms_confirm'
@@ -72,6 +76,7 @@ module Rodauth
     auth_value_method :sms_code_param, 'sms-code'
     auth_value_method :sms_codes_table, :account_sms_codes
     auth_value_method :sms_confirm_code_length, 12
+    auth_value_method :sms_confirm_deadline, 86400
     auth_value_method :sms_failure_limit, 5
     auth_value_method :sms_failures_column, :num_failures
     auth_value_method :sms_id_column, :id
@@ -86,7 +91,11 @@ module Rodauth
 
     auth_cached_method :sms
 
-    auth_value_methods :sms_codes_primary?
+    auth_value_methods(
+      :sms_codes_primary?,
+      :sms_needs_confirmation_notice_flash,
+      :sms_request_response
+    )
 
     auth_methods(
       :sms_auth_message,
@@ -104,6 +113,7 @@ module Rodauth
       :sms_new_confirm_code,
       :sms_normalize_phone,
       :sms_record_failure,
+      :sms_remove_expired_confirm_code,
       :sms_remove_failures,
       :sms_send,
       :sms_set_code,
@@ -136,9 +146,8 @@ module Rodauth
           sms_send_auth_code
           after_sms_request
         end
-        
-        set_notice_flash sms_request_notice_flash
-        redirect sms_auth_redirect
+
+        require_response(:_sms_request_response)
       end
     end
 
@@ -189,6 +198,7 @@ module Rodauth
         require_two_factor_setup
         require_two_factor_authenticated
       end
+      sms_remove_expired_confirm_code
       require_sms_not_setup
 
       if sms_needs_confirmation?
@@ -223,8 +233,7 @@ module Rodauth
             after_sms_setup
           end
 
-          set_notice_flash sms_needs_confirmation_error_flash
-          redirect sms_needs_confirmation_redirect
+          sms_needs_confirmation_response
         end
 
         set_error_flash sms_setup_error_flash
@@ -238,6 +247,7 @@ module Rodauth
         require_two_factor_setup
         require_two_factor_authenticated
       end
+      sms_remove_expired_confirm_code
       require_sms_not_setup
       before_sms_confirm_route
 
@@ -256,8 +266,7 @@ module Rodauth
             end
           end
 
-          set_notice_flash sms_confirm_notice_flash
-          redirect sms_confirm_redirect
+          sms_confirm_response
         end
 
         sms_confirm_failure
@@ -287,8 +296,7 @@ module Rodauth
             end
             after_sms_disable
           end
-          set_notice_flash sms_disable_notice_flash
-          redirect sms_disable_redirect
+          sms_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -358,16 +366,17 @@ module Rodauth
     def sms_setup(phone_number)
       # Cannot handle uniqueness violation here, as the phone number given may not match the
       # one in the table.
-      sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number)
+      sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number, sms_failures_column => nil)
       remove_instance_variable(:@sms) if instance_variable_defined?(:@sms)
     end
 
     def sms_remove_failures
-      update_sms(sms_failures_column => 0, sms_code_column => nil)
+      return if sms_needs_confirmation?
+      update_hash_ds(sms, sms_ds.exclude(sms_failures_column => nil), sms_failures_column => 0, sms_code_column => nil)
     end
 
     def sms_confirm
-      sms_remove_failures
+      update_hash_ds(sms, sms_ds.where(sms_failures_column => nil), sms_failures_column => 0, sms_code_column => nil)
       super if defined?(super)
     end
 
@@ -395,10 +404,21 @@ module Rodauth
       "SMS confirmation code for #{domain} is #{code}"
     end
 
+    def sms_needs_confirmation_notice_flash
+      sms_needs_confirmation_error_flash
+    end
+
     def sms_set_code(code)
      update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
     end
 
+    def sms_remove_expired_confirm_code
+      db[sms_codes_table].
+        where(sms_id_column=>session_value, sms_failures_column => nil).
+        where(Sequel[sms_issued_at_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: sms_confirm_deadline)).
+        delete
+    end
+
     def sms_record_failure
       update_sms(sms_failures_column=>Sequel.expr(sms_failures_column)+1)
       sms[sms_failures_column] = sms_ds.get(sms_failures_column)
@@ -449,6 +469,11 @@ module Rodauth
 
     private
 
+    def _sms_request_response
+      set_notice_flash sms_request_notice_flash
+      redirect sms_auth_redirect
+    end
+
     def _two_factor_auth_links
       links = super
       links << [30, sms_request_path, sms_auth_link_text] if sms_available?
@@ -503,5 +528,9 @@ module Rodauth
     def sms_ds
       db[sms_codes_table].where(sms_id_column=>session_value)
     end
+
+    def use_date_arithmetic?
+      true
+    end
   end
 end

data/lib/rodauth/features/two_factor_base.rb

@@ -23,6 +23,8 @@ module Rodauth
     redirect(:two_factor_need_setup){two_factor_manage_path}
     redirect(:two_factor_auth_required){two_factor_auth_path}
 
+    response :two_factor_disable
+
     notice_flash "You have been multifactor authenticated", "two_factor_auth"
     notice_flash "All multifactor authentication methods have been disabled", "two_factor_disable"
 
@@ -55,6 +57,7 @@ module Rodauth
 
     auth_private_methods(
       :two_factor_auth_links,
+      :two_factor_auth_response,
       :two_factor_setup_links,
       :two_factor_remove_links
     )
@@ -106,8 +109,7 @@ module Rodauth
             _two_factor_remove_all_from_session
             after_two_factor_disable
           end
-          set_notice_flash two_factor_disable_notice_flash
-          redirect two_factor_disable_redirect
+          two_factor_disable_response
         end
 
         set_response_error_reason_status(:invalid_password, invalid_password_error_status)
@@ -247,13 +249,13 @@ module Rodauth
       two_factor_update_session(type)
       two_factor_remove_auth_failures
       after_two_factor_authentication
-      set_notice_flash two_factor_auth_notice_flash
-      redirect_two_factor_authenticated
+      require_response(:_two_factor_auth_response)
     end
 
-    def redirect_two_factor_authenticated
+    def _two_factor_auth_response
       saved_two_factor_auth_redirect = remove_session_value(two_factor_auth_redirect_session_key)
-      redirect saved_two_factor_auth_redirect || two_factor_auth_redirect
+      set_notice_flash two_factor_auth_notice_flash
+      redirect(saved_two_factor_auth_redirect || two_factor_auth_redirect)
     end
 
     def two_factor_remove_session(type)

data/lib/rodauth/features/update_password_hash.rb

@@ -6,6 +6,7 @@ module Rodauth
 
     def password_match?(password)
       if (result = super) && update_password_hash?
+        @update_password_hash = false
         set_password(password)
       end
 
@@ -15,7 +16,7 @@ module Rodauth
     private
 
     def update_password_hash?
-      password_hash_cost != @current_password_hash_cost
+      password_hash_cost != @current_password_hash_cost || @update_password_hash
     end
 
     def get_password_hash

data/lib/rodauth/features/verify_account.rb

@@ -24,6 +24,8 @@ module Rodauth
     button 'Verify Account'
     button 'Send Verification Email Again', 'verify_account_resend'
     redirect
+    response
+    response :verify_account_email_sent
     redirect(:verify_account_email_sent){default_post_email_redirect}
     redirect(:verify_account_email_recently_sent){default_post_email_redirect}
     email :verify_account, 'Verify Account'
@@ -69,7 +71,6 @@ module Rodauth
       end
 
       r.post do
-        verified = false
         if account_from_login(param(login_param)) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
@@ -79,18 +80,13 @@ module Rodauth
           before_verify_account_email_resend
           if verify_account_email_resend
             after_verify_account_email_resend
-            verified = true
+            verify_account_email_sent_response
           end
         end
 
-        if verified
-          set_notice_flash verify_account_email_sent_notice_flash
-        else
-          set_redirect_error_status(no_matching_login_error_status)
-          set_error_reason :no_matching_login
-          set_redirect_error_flash verify_account_resend_error_flash
-        end
-        
+        set_redirect_error_status(no_matching_login_error_status)
+        set_error_reason :no_matching_login
+        set_redirect_error_flash verify_account_resend_error_flash
         redirect verify_account_email_sent_redirect
       end
     end
@@ -106,14 +102,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[verify_account_session_key]
-          if account_from_verify_account_key(key)
-            verify_account_view
-          else
-            remove_session_value(verify_account_session_key)
-            set_redirect_error_flash no_matching_verify_account_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[verify_account_session_key]) && account_from_verify_account_key(key)
+          verify_account_view
+        else
+          remove_session_value(verify_account_session_key)
+          set_redirect_error_flash no_matching_verify_account_key_error_flash
+          redirect require_login_redirect
         end
       end
 
@@ -154,8 +148,7 @@ module Rodauth
           end
 
           remove_session_value(verify_account_session_key)
-          set_notice_flash verify_account_notice_flash
-          redirect verify_account_redirect
+          verify_account_response
         end
 
         set_error_flash verify_account_error_flash

data/lib/rodauth/features/verify_login_change.rb

@@ -18,6 +18,7 @@ module Rodauth
     before 'verify_login_change_email'
     button 'Verify Login Change'
     redirect
+    response
     redirect(:verify_login_change_duplicate_account){require_login_redirect}
 
     auth_value_method :verify_login_change_autologin?, false
@@ -61,14 +62,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[verify_login_change_session_key]
-          if account_from_verify_login_change_key(key)
-            verify_login_change_view
-          else
-            remove_session_value(verify_login_change_session_key)
-            set_redirect_error_flash no_matching_verify_login_change_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[verify_login_change_session_key]) && account_from_verify_login_change_key(key)
+          verify_login_change_view
+        else
+          remove_session_value(verify_login_change_session_key)
+          set_redirect_error_flash no_matching_verify_login_change_key_error_flash
+          redirect require_login_redirect
         end
       end
 
@@ -98,8 +97,7 @@ module Rodauth
         end
 
         remove_session_value(verify_login_change_session_key)
-        set_notice_flash verify_login_change_notice_flash
-        redirect verify_login_change_redirect
+        verify_login_change_response
       end
     end
 

data/lib/rodauth/features/webauthn.rb

@@ -30,6 +30,8 @@ module Rodauth
 
     redirect :webauthn_setup
     redirect :webauthn_remove
+    response :webauthn_setup
+    response :webauthn_remove
 
     notice_flash "WebAuthn authentication is now setup", 'webauthn_setup'
     notice_flash "WebAuthn authenticator has been removed", 'webauthn_remove'
@@ -194,8 +196,7 @@ module Rodauth
             throw_error_reason(:duplicate_webauthn_id, invalid_field_error_status, webauthn_setup_param, webauthn_duplicate_webauthn_id_message)
           end
 
-          set_notice_flash webauthn_setup_notice_flash
-          redirect webauthn_setup_redirect
+          webauthn_setup_response
         end
 
         set_error_flash webauthn_setup_error_flash
@@ -235,8 +236,7 @@ module Rodauth
             after_webauthn_remove
           end
 
-          set_notice_flash webauthn_remove_notice_flash
-          redirect webauthn_remove_redirect
+          webauthn_remove_response
         end
 
         set_error_flash webauthn_remove_error_flash
@@ -320,7 +320,7 @@ module Rodauth
 
       (challenge = param_or_nil(webauthn_setup_challenge_param)) &&
         (hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
-        timing_safe_eql?(compute_hmac(challenge), hmac) &&
+        (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
         webauthn_credential.verify(challenge)
     end
 
@@ -376,7 +376,7 @@ module Rodauth
 
       (challenge = param_or_nil(webauthn_auth_challenge_param)) &&
         (hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
-        timing_safe_eql?(compute_hmac(challenge), hmac) &&
+        (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
         webauthn_credential.verify(challenge, public_key: pub_key, sign_count: sign_count) &&
         ds.update(
           webauthn_keys_sign_count_column => Integer(webauthn_credential.sign_count),

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 31
+  MINOR = 33
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -214,6 +214,22 @@ module Rodauth
       auth_methods meth
     end
 
+    def response(name=feature_name)
+      meth = :"#{name}_response"
+      overridable_meth = :"_#{meth}"
+      notice_flash_meth = :"#{name}_notice_flash"
+      redirect_meth = :"#{name}_redirect"
+      define_method(overridable_meth) do
+        set_notice_flash send(notice_flash_meth)
+        redirect send(redirect_meth)
+      end
+      define_method(meth) do
+        require_response(overridable_meth)
+      end
+      private overridable_meth, meth
+      auth_private_methods meth
+    end
+
     def loaded_templates(v)
       define_method(:loaded_templates) do
         super().concat(v)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.31.0
+  version: 2.33.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-22 00:00:00.000000000 Z
+date: 2023-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -349,6 +349,8 @@ extra_rdoc_files:
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
 - doc/release_notes/2.31.0.txt
+- doc/release_notes/2.32.0.txt
+- doc/release_notes/2.33.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -468,6 +470,8 @@ files:
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
 - doc/release_notes/2.31.0.txt
+- doc/release_notes/2.32.0.txt
+- doc/release_notes/2.33.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt