rodauth 2.33.0 → 2.35.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57dd78525df05b6947a84692c0f061b435dc2d07c072f689dcda121c788c59dd
-  data.tar.gz: 984dde3de0dd4329505eaaf04e8a49b8e5c4b8347e8dea454d6aa586ab0f5846
+  metadata.gz: f2b961b8668976f18f46df1c499c1c8f101e75a76527feef460419ad71d7d15b
+  data.tar.gz: 446184720914538cd207b90cb0d6b9e484eadb12559be84f117532aed5d1cf87
 SHA512:
-  metadata.gz: 0abb1ad9eedc3f0d23db686ac490483a86ba73c8f5a9e33bd375e5a93b98790a133b2e1da6599bfdd3759f0a56e4c890ac1cbf0f89bf7edc69e8159de7c173ed
-  data.tar.gz: 2d82400b1298b9a372ef8fd4aea5f9e1ba490e6572113a112f15e3dd1a3ed0655d4d934c84d18f61909bc6d0ed54c6bc2e1486f945da14cedbe35f1ea1614c10
+  metadata.gz: 548c5f50659441297116a0343d2cf2160a8f54ec7c0f7b87867e6377bf9165a53db9b69802f2573343031a26c073ef3e4d0e4358163a97686511b32448f05f5f
+  data.tar.gz: bf33b84dcb33a6f5cb54f4df2f4561d57d74cc91040032d3eee58e72dbdedad618b726daff2341e91f4350a451b816f719c836f6211acfe20ffaecb879e736d5

data/CHANGELOG

@@ -1,3 +1,31 @@
+=== 2.35.0 (2025-05-28)
+
+* Handle internal_request_configuration blocks in superclasses (jeremyevans, bjeanes)
+
+* Avoid unused block warning on Ruby 3.4 (jeremyevans)
+
+* Add throw_rodauth_error method to make it possible to throw without setting a field error (jf) (#418)
+
+* Support logging out all active sessions for a loaded account that is not logged in (such as after resetting password) (enescakir) (#401)
+
+=== 2.34.0 (2024-03-22)
+
+* Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
+
+* Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
+
+* Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
+
+* Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
+
+* Override require_login_redirect in login feature to use login_path (janko) (#396)
+
+* Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
+
+* Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
+
+* Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)
+
 === 2.33.0 (2023-12-21)
 
 * Expire SMS confirm code after 24 hours by default (jeremyevans)

data/README.rdoc

@@ -338,10 +338,10 @@ PostgreSQL sets up new tables in the public schema by default.
 If you would like to use separate schemas per user, you can do:
 
   psql -U postgres -c "DROP SCHEMA public;" ${DATABASE_NAME}
-  psql -U postgres -c "CREATE SCHEMA ${DATABASE_NAME} AUTHORIZATION ${DATABASE_NAME};" ${DATABASE_NAME}
-  psql -U postgres -c "CREATE SCHEMA ${DATABASE_NAME}_password AUTHORIZATION ${DATABASE_NAME}_password;" ${DATABASE_NAME}
-  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME} TO ${DATABASE_NAME}_password;" ${DATABASE_NAME}
-  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME}_password TO ${DATABASE_NAME};" ${DATABASE_NAME}
+  psql -U postgres -c "CREATE SCHEMA AUTHORIZATION ${DATABASE_NAME};"          ${DATABASE_NAME}
+  psql -U postgres -c "CREATE SCHEMA AUTHORIZATION ${DATABASE_NAME}_password;" ${DATABASE_NAME}
+  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME}          TO ${DATABASE_NAME}_password;" ${DATABASE_NAME}
+  psql -U postgres -c "GRANT USAGE ON SCHEMA ${DATABASE_NAME}_password TO ${DATABASE_NAME};"          ${DATABASE_NAME}
 
 You'll need to modify the code to load the extension to specify the schema:
 
@@ -830,6 +830,7 @@ scope :: Roda instance
 session :: session hash
 flash :: flash message hash
 account :: account hash (if set by an earlier Rodauth method)
+current_route :: route name symbol (if Rodauth is handling the route)
 
 So if you want to log the IP address for the user during login:
 

data/doc/active_sessions.rdoc

@@ -49,6 +49,8 @@ currently_active_session? :: Whether the session is currently active, by checkin
 handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
 no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
 remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
-remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
+remove_all_active_sessions :: Remove all active sessions for the account from the database, used for global logouts and when closing accounts.
+remove_all_active_sessions_except_for(session_id) :: Remove all active sessions for the account from the database, except for the session id given.
+remove_all_active_sessions_except_current :: Remove all active sessions for the account from the database, except for the current session.
 remove_current_session :: Remove current session from the database, used for regular logouts.
 remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/guides/render_confirmation.rdoc

@@ -1,6 +1,6 @@
 = Render confirmation view
 
-Most Rodauth actions redirect and display a flash notice after they're succesfully performed. However, in some cases you may wish to render a view confirming that the action was succesful, for nicer user experience.
+Most Rodauth actions redirect and display a flash notice after they're successfully performed. However, in some cases you may wish to render a view confirming that the action was successful, for nicer user experience.
 
 For example, when the user creates an account, you might render a page with a call to action to verify their account. Assuming you've created an +account_created+ view template alongside your other Rodauth templates, you can configure the following:
 

data/doc/login.rdoc

@@ -14,9 +14,8 @@ location.
 
 login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
 login_button :: The text to use for the login button.
-login_error_flash :: The flash error to show for an unsuccesful login.
+login_error_flash :: The flash error to show for an unsuccessful login.
 login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
-login_form_footer :: A message to display after the login form.
 login_form_footer_links :: An array of entries for links to show on the login page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
 login_form_footer_links_heading :: A heading to show before the login form footer links.
 login_notice_flash :: The flash notice to show after successful login.
@@ -33,6 +32,7 @@ use_multi_phase_login? :: Whether to ask for login first, and only ask for passw
 == Auth Methods
 
 before_login_route :: Run arbitrary code before handling a login route.
+login_form_footer :: A message to display after the login form.
 login_response :: Return a response after a successful login. By default, redirects to +login_redirect+ (or the requested location if +login_return_to_requested_location?+ is true).
 login_return_to_requested_location_path :: If +login_return_to_requested_location?+ is true, the path to use as the requested location.  By default, uses the full path of the request for GET requests, and is nil for non-GET requests (in which case the default +login_redirect+ will be used).
 login_view :: The HTML to use for the login form.

data/doc/release_notes/2.34.0.txt

@@ -0,0 +1,36 @@
+= New Features
+
+* A rodauth.current_route method has been added for returning the route
+  name symbol (if rodauth is currently handling the route).  This makes it
+  simpler to write code that extends Rodauth and works with
+  applications that use override the default route names.
+
+* A remove_all_active_sessions_except_for method has been added to the
+  active_sessions feature, which removes all active sessions for the
+  current account, except for the session id given.
+
+* A remove_all_active_sessions_except_current method has been added to
+  the active_sessions feature, which removes all active sessions for
+  the current account, except for the current session.
+
+= Improvements
+
+* Rodauth now supports overriding webauthn_rp_id in the webauthn
+  feature.
+
+* When using the login feature, Rodauth now defaults
+  require_login_redirect to use the path to the login route, instead
+  of /login.
+
+* When setting up multifactor authentication, Rodauth now handles the
+  case where account has been deleted, instead of raising an exception.
+
+* When a database connection is not available during startup, Rodauth
+  now handles that case instead of raising an exception.  Note that in
+  this case, Rodauth cannot automatically setup a conversion of token
+  ids to integer, since it cannot determine whether the underlying
+  database column uses an integer type.
+
+* When using WebAuthn 3+, Rodauth no longer defines singleton methods
+  to work around limitations in WebAuthn.  Instead, it uses public
+  APIs that were added in WebAuthn 3.

data/doc/release_notes/2.35.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A throw_rodauth_error method has been added to make it easier
+  for external extensions to throw the expected error value without
+  setting a field error.
+
+= Improvements
+
+* If an account is not currently logged in, but Rodauth knows the
+  related account id, remove_all_active_sessions and related
+  methods in the active_sessions plugin will now remove sessions
+  for the related account.
+
+* When using the internal_request feature and subclasses,
+  internal_request_configuration blocks in superclasses are now
+  respected when creating the internal request class for a
+  subclass.  When creating the internal request in the subclass,
+  this behaves as if all internal_request_configuration blocks
+  were specified directly in the subclass.
+
+* An ignored block warning on Ruby 3.4 is now avoided by having
+  Rodauth.load_dependencies accept a block.

data/lib/rodauth/features/active_sessions.rb

@@ -31,6 +31,8 @@ module Rodauth
       :no_longer_active_session,
       :remove_active_session,
       :remove_all_active_sessions,
+      :remove_all_active_sessions_except_for,
+      :remove_all_active_sessions_except_current,
       :remove_current_session,
       :remove_inactive_sessions,
     )
@@ -95,6 +97,18 @@ module Rodauth
       active_sessions_ds.delete
     end
 
+    def remove_all_active_sessions_except_for(session_id)
+      active_sessions_ds.exclude(active_sessions_session_id_column=>compute_hmacs(session_id)).delete
+    end
+
+    def remove_all_active_sessions_except_current 
+      if session_id = session[session_id_session_key]
+        remove_all_active_sessions_except_for(session_id)
+      else
+        remove_all_active_sessions
+      end
+    end
+
     def remove_inactive_sessions
       if cond = inactive_session_cond
         active_sessions_ds.where(cond).delete
@@ -184,7 +198,7 @@ module Rodauth
 
     def active_sessions_ds
       db[active_sessions_table].
-        where(active_sessions_account_id_column=>session_value)
+        where(active_sessions_account_id_column=>session_value || account_id)
     end
 
     def use_date_arithmetic?

data/lib/rodauth/features/base.rb

@@ -136,6 +136,7 @@ module Rodauth
 
     attr_reader :scope
     attr_reader :account
+    attr_reader :current_route
 
     def initialize(scope)
       @scope = scope
@@ -428,7 +429,7 @@ module Rodauth
       require 'bcrypt' if require_bcrypt?
       db.extension :date_arithmetic if use_date_arithmetic?
 
-      if convert_token_id_to_integer?.nil? && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
+      if method(:convert_token_id_to_integer?).owner == Rodauth::Base && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
         self.class.send(:define_method, :convert_token_id_to_integer?){true}
       end
 
@@ -642,9 +643,13 @@ module Rodauth
       set_response_error_status(status)
     end
 
+    def throw_rodauth_error
+      throw :rodauth_error
+    end
+
     def throw_error(field, error)
       set_field_error(field, error)
-      throw :rodauth_error
+      throw_rodauth_error
     end
 
     def throw_error_status(status, field, error)
@@ -711,7 +716,7 @@ module Rodauth
     # note that only the salt is returned.
     def get_password_hash
       if account_password_hash_column
-        account![account_password_hash_column]
+        account[account_password_hash_column] if account!
       elsif use_database_authentication_functions?
         db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
       else

data/lib/rodauth/features/internal_request.rb

@@ -384,16 +384,26 @@ module Rodauth
 
       return if is_a?(InternalRequestMethods)
 
+      superklasses = []
+      superklass = self.class
+      until superklass == Rodauth::Auth
+        superklasses << superklass
+        superklass = superklass.superclass
+      end
+
       klass = self.class
       internal_class = Class.new(klass)
       internal_class.instance_variable_set(:@configuration_name, klass.configuration_name)
+      configuration = internal_class.configuration
 
-      if blocks = klass.instance_variable_get(:@internal_request_configuration_blocks)
-        configuration = internal_class.configuration
-        blocks.each do |block|
-          configuration.instance_exec(&block)
+      superklasses.reverse_each do |superklass|
+        if blocks = superklass.instance_variable_get(:@internal_request_configuration_blocks)
+          blocks.each do |block|
+            configuration.instance_exec(&block)
+          end
         end
       end
+
       internal_class.send(:extend, InternalRequestClassMethods)
       internal_class.send(:include, InternalRequestMethods)
       internal_class.allocate.post_configure

data/lib/rodauth/features/login.rb

@@ -138,6 +138,10 @@ module Rodauth
       multi_phase_login_forms.sort.map{|_, form, _| form}.join("\n")
     end
 
+    def require_login_redirect
+      login_path
+    end
+
     private
 
     def _login_response

data/lib/rodauth/features/webauthn.rb

@@ -302,22 +302,17 @@ module Rodauth
     def new_webauthn_credential
       WebAuthn::Credential.options_for_create(
         :timeout => webauthn_setup_timeout,
-        :rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id},
         :user => {:id=>account_webauthn_user_id, :name=>webauthn_user_name},
         :authenticator_selection => webauthn_authenticator_selection,
         :attestation => webauthn_attestation,
         :extensions => webauthn_extensions,
         :exclude => account_webauthn_ids,
+        **webauthn_create_relying_party_opts
       )
     end
 
     def valid_new_webauthn_credential?(webauthn_credential)
-      # Hack around inability to override expected_origin
-      origin = webauthn_origin
-      webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
-        super(expected_challenge, expected_origin || origin, **kw)
-      end
-
+      _override_webauthn_credential_response_verify(webauthn_credential)
       (challenge = param_or_nil(webauthn_setup_challenge_param)) &&
         (hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
         (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
@@ -328,9 +323,9 @@ module Rodauth
       WebAuthn::Credential.options_for_get(
         :allow => webauthn_allow,
         :timeout => webauthn_auth_timeout,
-        :rp_id => webauthn_rp_id,
         :user_verification => webauthn_user_verification,
         :extensions => webauthn_extensions,
+        **webauthn_get_relying_party_opts
       )
     end
 
@@ -368,12 +363,7 @@ module Rodauth
       ds = webauthn_keys_ds.where(webauthn_keys_webauthn_id_column => webauthn_credential.id)
       pub_key, sign_count = ds.get([webauthn_keys_public_key_column, webauthn_keys_sign_count_column])
 
-      # Hack around inability to override expected_origin
-      origin = webauthn_origin
-      webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
-        super(expected_challenge, expected_origin || origin, **kw)
-      end
-
+      _override_webauthn_credential_response_verify(webauthn_credential)
       (challenge = param_or_nil(webauthn_auth_challenge_param)) &&
         (hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
         (timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
@@ -419,6 +409,54 @@ module Rodauth
 
     private
 
+    if WebAuthn::VERSION >= '3'
+      def webauthn_relying_party
+        # No need to memoize, only called once per request
+        WebAuthn::RelyingParty.new(
+          origin: webauthn_origin,
+          id: webauthn_rp_id,
+          name: webauthn_rp_name,
+        )
+      end
+
+      def webauthn_create_relying_party_opts
+        { :relying_party => webauthn_relying_party }
+      end
+      alias webauthn_get_relying_party_opts webauthn_create_relying_party_opts
+
+      def webauthn_form_submission_call(meth, arg)
+        WebAuthn::Credential.public_send(meth, arg, :relying_party => webauthn_relying_party)
+      end
+
+      def _override_webauthn_credential_response_verify(webauthn_credential)
+        # no need to override
+      end
+    # :nocov:
+    else
+      def webauthn_create_relying_party_opts
+        {:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id}}
+      end
+
+      def webauthn_get_relying_party_opts
+        { :rp_id => webauthn_rp_id }
+      end
+
+      def webauthn_form_submission_call(meth, arg)
+        WebAuthn::Credential.public_send(meth, arg)
+      end
+
+      def _override_webauthn_credential_response_verify(webauthn_credential)
+        # Hack around inability to override expected_origin and rp_id
+        origin = webauthn_origin
+        rp_id = webauthn_rp_id
+        webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
+          kw[:rp_id] = rp_id
+          super(expected_challenge, expected_origin || origin, **kw)
+        end
+      end
+    # :nocov:
+    end
+
     def _two_factor_auth_links
       links = super
       links << [10, webauthn_auth_path, webauthn_auth_link_text] if webauthn_setup? && !two_factor_login_type_match?('webauthn')
@@ -464,7 +502,8 @@ module Rodauth
 
     def webauthn_auth_credential_from_form_submission
       begin
-        webauthn_credential = WebAuthn::Credential.from_get(webauthn_auth_data)
+        webauthn_credential = webauthn_form_submission_call(:from_get, webauthn_auth_data)
+
         unless valid_webauthn_credential_auth?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
         end
@@ -498,7 +537,8 @@ module Rodauth
       end
 
       begin
-        webauthn_credential = WebAuthn::Credential.from_create(webauthn_setup_data)
+        webauthn_credential = webauthn_form_submission_call(:from_create, webauthn_setup_data)
+
         unless valid_new_webauthn_credential?(webauthn_credential)
           throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message) 
         end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 33
+  MINOR = 35
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -14,7 +14,7 @@ module Rodauth
     c.rodauth
   end
 
-  def self.load_dependencies(app, opts={})
+  def self.load_dependencies(app, opts={}, &_)
     json_opt = opts.fetch(:json, app.opts[:rodauth_json])
     if json_opt
       app.plugin :json
@@ -138,6 +138,7 @@ module Rodauth
 
       define_method(handle_meth) do
         request.is send(route_meth) do
+          @current_route = name
           check_csrf if check_csrf?
           _around_rodauth do
             before_rodauth

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.33.0
+  version: 2.35.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-21 00:00:00.000000000 Z
+date: 2024-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -351,6 +351,8 @@ extra_rdoc_files:
 - doc/release_notes/2.31.0.txt
 - doc/release_notes/2.32.0.txt
 - doc/release_notes/2.33.0.txt
+- doc/release_notes/2.34.0.txt
+- doc/release_notes/2.35.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -472,6 +474,8 @@ files:
 - doc/release_notes/2.31.0.txt
 - doc/release_notes/2.32.0.txt
 - doc/release_notes/2.33.0.txt
+- doc/release_notes/2.34.0.txt
+- doc/release_notes/2.35.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -632,7 +636,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.9
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications