rodauth 2.33.0 → 2.34.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 57dd78525df05b6947a84692c0f061b435dc2d07c072f689dcda121c788c59dd
4
- data.tar.gz: 984dde3de0dd4329505eaaf04e8a49b8e5c4b8347e8dea454d6aa586ab0f5846
3
+ metadata.gz: 96f5711d9bb49c87385e4e0ef0f07e0e8624e1139f145429c1a518d844811757
4
+ data.tar.gz: 01c43ee8ceb8d4c61c040e3463bf8b03cdd239e2c401461ef0122a24407ce311
5
5
  SHA512:
6
- metadata.gz: 0abb1ad9eedc3f0d23db686ac490483a86ba73c8f5a9e33bd375e5a93b98790a133b2e1da6599bfdd3759f0a56e4c890ac1cbf0f89bf7edc69e8159de7c173ed
7
- data.tar.gz: 2d82400b1298b9a372ef8fd4aea5f9e1ba490e6572113a112f15e3dd1a3ed0655d4d934c84d18f61909bc6d0ed54c6bc2e1486f945da14cedbe35f1ea1614c10
6
+ metadata.gz: 9b66e0f290cf4ae0c6d14c4032ff0830ef4b229a158def47247bec420414161dcfe35c60de12b15f20ac358d9c55d7ed446bf1d07cb0b6302031b63e5ce4b5a2
7
+ data.tar.gz: 304d17a7a183a0e33e42db2fcb5be6e9cdab0b58a70416ac2abd49478c4a1cc28c62395bd25f0e5b154a8117e712772045994c72159f4d36b3413d5f567c5a2c
data/CHANGELOG CHANGED
@@ -1,3 +1,21 @@
1
+ === 2.34.0 (2024-03-22)
2
+
3
+ * Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
4
+
5
+ * Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
6
+
7
+ * Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
8
+
9
+ * Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
10
+
11
+ * Override require_login_redirect in login feature to use login_path (janko) (#396)
12
+
13
+ * Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
14
+
15
+ * Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
16
+
17
+ * Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)
18
+
1
19
  === 2.33.0 (2023-12-21)
2
20
 
3
21
  * Expire SMS confirm code after 24 hours by default (jeremyevans)
data/README.rdoc CHANGED
@@ -830,6 +830,7 @@ scope :: Roda instance
830
830
  session :: session hash
831
831
  flash :: flash message hash
832
832
  account :: account hash (if set by an earlier Rodauth method)
833
+ current_route :: route name symbol (if Rodauth is handling the route)
833
834
 
834
835
  So if you want to log the IP address for the user during login:
835
836
 
@@ -49,6 +49,8 @@ currently_active_session? :: Whether the session is currently active, by checkin
49
49
  handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table. Does nothing by default. This should only be called if the random number generator is broken.
50
50
  no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
51
51
  remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
52
- remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
52
+ remove_all_active_sessions :: Remove all active sessions for the account from the database, used for global logouts and when closing accounts.
53
+ remove_all_active_sessions_except_for(session_id) :: Remove all active sessions for the account from the database, except for the session id given.
54
+ remove_all_active_sessions_except_current :: Remove all active sessions for the account from the database, except for the current session.
53
55
  remove_current_session :: Remove current session from the database, used for regular logouts.
54
56
  remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.
@@ -0,0 +1,36 @@
1
+ = New Features
2
+
3
+ * A rodauth.current_route method has been added for returning the route
4
+ name symbol (if rodauth is currently handling the route). This makes it
5
+ simpler to write code that extends Rodauth and works with
6
+ applications that use override the default route names.
7
+
8
+ * A remove_all_active_sessions_except_for method has been added to the
9
+ active_sessions feature, which removes all active sessions for the
10
+ current account, except for the session id given.
11
+
12
+ * A remove_all_active_sessions_except_current method has been added to
13
+ the active_sessions feature, which removes all active sessions for
14
+ the current account, except for the current session.
15
+
16
+ = Improvements
17
+
18
+ * Rodauth now supports overriding webauthn_rp_id in the webauthn
19
+ feature.
20
+
21
+ * When using the login feature, Rodauth now defaults
22
+ require_login_redirect to use the path to the login route, instead
23
+ of /login.
24
+
25
+ * When setting up multifactor authentication, Rodauth now handles the
26
+ case where account has been deleted, instead of raising an exception.
27
+
28
+ * When a database connection is not available during startup, Rodauth
29
+ now handles that case instead of raising an exception. Note that in
30
+ this case, Rodauth cannot automatically setup a conversion of token
31
+ ids to integer, since it cannot determine whether the underlying
32
+ database column uses an integer type.
33
+
34
+ * When using WebAuthn 3+, Rodauth no longer defines singleton methods
35
+ to work around limitations in WebAuthn. Instead, it uses public
36
+ APIs that were added in WebAuthn 3.
@@ -31,6 +31,8 @@ module Rodauth
31
31
  :no_longer_active_session,
32
32
  :remove_active_session,
33
33
  :remove_all_active_sessions,
34
+ :remove_all_active_sessions_except_for,
35
+ :remove_all_active_sessions_except_current,
34
36
  :remove_current_session,
35
37
  :remove_inactive_sessions,
36
38
  )
@@ -95,6 +97,18 @@ module Rodauth
95
97
  active_sessions_ds.delete
96
98
  end
97
99
 
100
+ def remove_all_active_sessions_except_for(session_id)
101
+ active_sessions_ds.exclude(active_sessions_session_id_column=>compute_hmacs(session_id)).delete
102
+ end
103
+
104
+ def remove_all_active_sessions_except_current
105
+ if session_id = session[session_id_session_key]
106
+ remove_all_active_sessions_except_for(session_id)
107
+ else
108
+ remove_all_active_sessions
109
+ end
110
+ end
111
+
98
112
  def remove_inactive_sessions
99
113
  if cond = inactive_session_cond
100
114
  active_sessions_ds.where(cond).delete
@@ -136,6 +136,7 @@ module Rodauth
136
136
 
137
137
  attr_reader :scope
138
138
  attr_reader :account
139
+ attr_reader :current_route
139
140
 
140
141
  def initialize(scope)
141
142
  @scope = scope
@@ -428,7 +429,7 @@ module Rodauth
428
429
  require 'bcrypt' if require_bcrypt?
429
430
  db.extension :date_arithmetic if use_date_arithmetic?
430
431
 
431
- if convert_token_id_to_integer?.nil? && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
432
+ if method(:convert_token_id_to_integer?).owner == Rodauth::Base && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
432
433
  self.class.send(:define_method, :convert_token_id_to_integer?){true}
433
434
  end
434
435
 
@@ -711,7 +712,7 @@ module Rodauth
711
712
  # note that only the salt is returned.
712
713
  def get_password_hash
713
714
  if account_password_hash_column
714
- account![account_password_hash_column]
715
+ account[account_password_hash_column] if account!
715
716
  elsif use_database_authentication_functions?
716
717
  db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
717
718
  else
@@ -138,6 +138,10 @@ module Rodauth
138
138
  multi_phase_login_forms.sort.map{|_, form, _| form}.join("\n")
139
139
  end
140
140
 
141
+ def require_login_redirect
142
+ login_path
143
+ end
144
+
141
145
  private
142
146
 
143
147
  def _login_response
@@ -302,22 +302,17 @@ module Rodauth
302
302
  def new_webauthn_credential
303
303
  WebAuthn::Credential.options_for_create(
304
304
  :timeout => webauthn_setup_timeout,
305
- :rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id},
306
305
  :user => {:id=>account_webauthn_user_id, :name=>webauthn_user_name},
307
306
  :authenticator_selection => webauthn_authenticator_selection,
308
307
  :attestation => webauthn_attestation,
309
308
  :extensions => webauthn_extensions,
310
309
  :exclude => account_webauthn_ids,
310
+ **webauthn_create_relying_party_opts
311
311
  )
312
312
  end
313
313
 
314
314
  def valid_new_webauthn_credential?(webauthn_credential)
315
- # Hack around inability to override expected_origin
316
- origin = webauthn_origin
317
- webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
318
- super(expected_challenge, expected_origin || origin, **kw)
319
- end
320
-
315
+ _override_webauthn_credential_response_verify(webauthn_credential)
321
316
  (challenge = param_or_nil(webauthn_setup_challenge_param)) &&
322
317
  (hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
323
318
  (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
@@ -328,9 +323,9 @@ module Rodauth
328
323
  WebAuthn::Credential.options_for_get(
329
324
  :allow => webauthn_allow,
330
325
  :timeout => webauthn_auth_timeout,
331
- :rp_id => webauthn_rp_id,
332
326
  :user_verification => webauthn_user_verification,
333
327
  :extensions => webauthn_extensions,
328
+ **webauthn_get_relying_party_opts
334
329
  )
335
330
  end
336
331
 
@@ -368,12 +363,7 @@ module Rodauth
368
363
  ds = webauthn_keys_ds.where(webauthn_keys_webauthn_id_column => webauthn_credential.id)
369
364
  pub_key, sign_count = ds.get([webauthn_keys_public_key_column, webauthn_keys_sign_count_column])
370
365
 
371
- # Hack around inability to override expected_origin
372
- origin = webauthn_origin
373
- webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
374
- super(expected_challenge, expected_origin || origin, **kw)
375
- end
376
-
366
+ _override_webauthn_credential_response_verify(webauthn_credential)
377
367
  (challenge = param_or_nil(webauthn_auth_challenge_param)) &&
378
368
  (hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
379
369
  (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
@@ -419,6 +409,54 @@ module Rodauth
419
409
 
420
410
  private
421
411
 
412
+ if WebAuthn::VERSION >= '3'
413
+ def webauthn_relying_party
414
+ # No need to memoize, only called once per request
415
+ WebAuthn::RelyingParty.new(
416
+ origin: webauthn_origin,
417
+ id: webauthn_rp_id,
418
+ name: webauthn_rp_name,
419
+ )
420
+ end
421
+
422
+ def webauthn_create_relying_party_opts
423
+ { :relying_party => webauthn_relying_party }
424
+ end
425
+ alias webauthn_get_relying_party_opts webauthn_create_relying_party_opts
426
+
427
+ def webauthn_form_submission_call(meth, arg)
428
+ WebAuthn::Credential.public_send(meth, arg, :relying_party => webauthn_relying_party)
429
+ end
430
+
431
+ def _override_webauthn_credential_response_verify(webauthn_credential)
432
+ # no need to override
433
+ end
434
+ # :nocov:
435
+ else
436
+ def webauthn_create_relying_party_opts
437
+ {:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id}}
438
+ end
439
+
440
+ def webauthn_get_relying_party_opts
441
+ { :rp_id => webauthn_rp_id }
442
+ end
443
+
444
+ def webauthn_form_submission_call(meth, arg)
445
+ WebAuthn::Credential.public_send(meth, arg)
446
+ end
447
+
448
+ def _override_webauthn_credential_response_verify(webauthn_credential)
449
+ # Hack around inability to override expected_origin and rp_id
450
+ origin = webauthn_origin
451
+ rp_id = webauthn_rp_id
452
+ webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
453
+ kw[:rp_id] = rp_id
454
+ super(expected_challenge, expected_origin || origin, **kw)
455
+ end
456
+ end
457
+ # :nocov:
458
+ end
459
+
422
460
  def _two_factor_auth_links
423
461
  links = super
424
462
  links << [10, webauthn_auth_path, webauthn_auth_link_text] if webauthn_setup? && !two_factor_login_type_match?('webauthn')
@@ -464,7 +502,8 @@ module Rodauth
464
502
 
465
503
  def webauthn_auth_credential_from_form_submission
466
504
  begin
467
- webauthn_credential = WebAuthn::Credential.from_get(webauthn_auth_data)
505
+ webauthn_credential = webauthn_form_submission_call(:from_get, webauthn_auth_data)
506
+
468
507
  unless valid_webauthn_credential_auth?(webauthn_credential)
469
508
  throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
470
509
  end
@@ -498,7 +537,8 @@ module Rodauth
498
537
  end
499
538
 
500
539
  begin
501
- webauthn_credential = WebAuthn::Credential.from_create(webauthn_setup_data)
540
+ webauthn_credential = webauthn_form_submission_call(:from_create, webauthn_setup_data)
541
+
502
542
  unless valid_new_webauthn_credential?(webauthn_credential)
503
543
  throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
504
544
  end
@@ -6,7 +6,7 @@ module Rodauth
6
6
  MAJOR = 2
7
7
 
8
8
  # The minor version of Rodauth, updated for new feature releases of Rodauth.
9
- MINOR = 33
9
+ MINOR = 34
10
10
 
11
11
  # The patch version of Rodauth, updated only for bug fixes from the last
12
12
  # feature release.
data/lib/rodauth.rb CHANGED
@@ -138,6 +138,7 @@ module Rodauth
138
138
 
139
139
  define_method(handle_meth) do
140
140
  request.is send(route_meth) do
141
+ @current_route = name
141
142
  check_csrf if check_csrf?
142
143
  _around_rodauth do
143
144
  before_rodauth
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rodauth
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.33.0
4
+ version: 2.34.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jeremy Evans
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-12-21 00:00:00.000000000 Z
11
+ date: 2024-03-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sequel
@@ -351,6 +351,7 @@ extra_rdoc_files:
351
351
  - doc/release_notes/2.31.0.txt
352
352
  - doc/release_notes/2.32.0.txt
353
353
  - doc/release_notes/2.33.0.txt
354
+ - doc/release_notes/2.34.0.txt
354
355
  - doc/release_notes/2.4.0.txt
355
356
  - doc/release_notes/2.5.0.txt
356
357
  - doc/release_notes/2.6.0.txt
@@ -472,6 +473,7 @@ files:
472
473
  - doc/release_notes/2.31.0.txt
473
474
  - doc/release_notes/2.32.0.txt
474
475
  - doc/release_notes/2.33.0.txt
476
+ - doc/release_notes/2.34.0.txt
475
477
  - doc/release_notes/2.4.0.txt
476
478
  - doc/release_notes/2.5.0.txt
477
479
  - doc/release_notes/2.6.0.txt
@@ -632,7 +634,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
632
634
  - !ruby/object:Gem::Version
633
635
  version: '0'
634
636
  requirements: []
635
- rubygems_version: 3.4.10
637
+ rubygems_version: 3.5.3
636
638
  signing_key:
637
639
  specification_version: 4
638
640
  summary: Authentication and Account Management Framework for Rack Applications