rodauth 2.36.0 → 2.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4daf43beb9b2af129683b299f1e455e5b38fa925b1cc020ec79ae951f56f292b
-  data.tar.gz: a694fe203f76512691004d1138ad03cab7699d317a0a658ae6ac51732ff22b36
+  metadata.gz: 8c4f8a9edcebe8714dfa15132986c74e12e1823837ab71230008c42df9c2432d
+  data.tar.gz: f5cb984675323f2c2b83bd1d7be0626f511381b69e090c1d39bfb7b31d09321d
 SHA512:
-  metadata.gz: aef00a1d31a310ea0061f54ebcb4044ccdcc7106d2f07074f4585ac5406776784bef9c698befa050b374d4dd37dd2495d3a3e4dcd6854e387fc8442901f3f227
-  data.tar.gz: 85d9837f21b320f2bec1241f07e22ff150b49192017cb1ea20d2863fce93b547d5271cafe30b08baeaa582fd4f40b715ce488d9fb19bd7fe2cc43a2f565b5266
+  metadata.gz: 3cdaaafebe4a7dba8b985dd1fbf39087a95fb3a49150e67487024e9374c50da6eced618ef702bfb70fbc483f83f9c29dba873d07bac2b4c1ec442007f3556f61
+  data.tar.gz: 8774b5ae4c7e430f76705857bd0e80a59a0171c60b9693581ee7eae7c07a1c300b89c38c7d7f660cf01e48e6c2190597449eec4cadf57cd38c08cbe8a2783886

data/lib/rodauth/features/base.rb

@@ -98,6 +98,7 @@ module Rodauth
       :inputmode_for_field?,
       :logged_in?,
       :login_required,
+      :normalize_login,
       :null_byte_parameter_value,
       :open_account?,
       :over_max_bytesize_param_value,
@@ -321,7 +322,7 @@ module Rodauth
     end
 
     def clear_session
-      if scope.respond_to?(:clear_session)
+      if use_scope_clear_session?
         scope.clear_session
       else
         session.clear
@@ -505,6 +506,15 @@ module Rodauth
       nil
     end
 
+    # The normalized value of the login parameter
+    def login_param_value
+      normalize_login(param(login_param))
+    end
+
+    def normalize_login(login)
+      login
+    end
+
     # Return nil by default for values with null bytes
     def null_byte_parameter_value(key, value)
       nil
@@ -869,6 +879,10 @@ module Rodauth
       false
     end
 
+    def use_scope_clear_session?
+      scope.respond_to?(:clear_session)
+    end
+
     def require_response(meth)
       send(meth)
       raise RuntimeError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt). This is a bug in your Rodauth configuration, not a bug in Rodauth itself."

data/lib/rodauth/features/change_login.rb

@@ -36,12 +36,12 @@ module Rodauth
             throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
           end
 
-          login = param(login_param)
+          login = login_param_value
           unless login_meets_requirements?(login)
             throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
           end
 
-          if require_login_confirmation? && login != param(login_confirm_param)
+          if require_login_confirmation? && !login_confirmation_matches?(login, param(login_confirm_param))
             throw_error_reason(:logins_do_not_match, unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 

data/lib/rodauth/features/create_account.rb

@@ -40,12 +40,12 @@ module Rodauth
       end
 
       r.post do
-        login = param(login_param)
+        login = login_param_value
         password = param(password_param)
         new_account(login)
 
         catch_error do
-          if require_login_confirmation? && login != param(login_confirm_param)
+          if require_login_confirmation? && !login_confirmation_matches?(login, param(login_confirm_param))
             throw_error_reason(:logins_do_not_match, unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 

data/lib/rodauth/features/email_auth.rb

@@ -56,7 +56,7 @@ module Rodauth
       before_email_auth_request_route
 
       r.post do
-        if account_from_login(param(login_param)) && open_account?
+        if account_from_login(login_param_value) && open_account?
           _email_auth_request
         end
 

data/lib/rodauth/features/internal_request.rb

@@ -223,14 +223,14 @@ module Rodauth
     end
 
     def _handle_account_id_for_login(_)
-      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
-      raise InternalRequestError, "no account for login" unless account = account_from_login(login)
+      raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+      raise InternalRequestError, "no account for login" unless account = account_from_login(login_param_value)
       _return_from_internal_request(account[account_id_column])
     end
 
     def _handle_account_exists?(_)
-      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
-      _return_from_internal_request(!!account_from_login(login))
+      raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+      _return_from_internal_request(!!account_from_login(login_param_value))
     end
 
     def _handle_lock_account(_)

data/lib/rodauth/features/json.rb

@@ -72,6 +72,11 @@ module Rodauth
 
     private
 
+    def check_csrf?
+      return false if use_json?
+      super
+    end
+
     def _set_otp_unlock_info
       if use_json?
         json_response[:num_successes] = otp_unlock_num_successes

data/lib/rodauth/features/jwt.rb

@@ -60,10 +60,7 @@ module Rodauth
 
     def clear_session
       super
-      if use_jwt?
-        session.clear
-        set_jwt
-      end
+      set_jwt if use_jwt?
     end
 
     def jwt_secret
@@ -104,11 +101,6 @@ module Rodauth
 
     private
 
-    def check_csrf?
-      return false if use_jwt?
-      super
-    end
-
     def _jwt_decode_opts
       jwt_decode_opts
     end
@@ -158,5 +150,9 @@ module Rodauth
     def set_jwt
       set_jwt_token(session_jwt)
     end
+
+    def use_scope_clear_session?
+      super && !use_jwt?
+    end
   end
 end

data/lib/rodauth/features/lockout.rb

@@ -70,7 +70,7 @@ module Rodauth
       before_unlock_account_request_route
 
       r.post do
-        if account_from_login(param(login_param)) && get_unlock_account_key
+        if account_from_login(login_param_value) && get_unlock_account_key
           if unlock_account_email_recently_sent?
             set_redirect_error_flash unlock_account_email_recently_sent_error_flash
             redirect unlock_account_email_recently_sent_redirect

data/lib/rodauth/features/login.rb

@@ -45,7 +45,7 @@ module Rodauth
         view = :login_view
 
         catch_error do
-          unless account_from_login(param(login_param))
+          unless account_from_login(login_param_value)
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -36,6 +36,7 @@ module Rodauth
     )
 
     auth_methods(
+      :login_confirmation_matches?,
       :login_meets_requirements?,
       :login_valid_email?,
       :password_hash,
@@ -126,6 +127,18 @@ module Rodauth
       @login_requirement_message = message
     end
 
+    if RUBY_VERSION >= '2.4'
+      def login_confirmation_matches?(login, login_confirmation)
+        login.casecmp?(login_confirmation)
+      end
+    # :nocov:
+    else
+      def login_confirmation_matches?(login, login_confirmation)
+        login.casecmp(login_confirmation) == 0
+      end
+    # :nocov:
+    end
+
     def login_meets_length_requirements?(login)
       if login_minimum_length > login.length
         set_login_requirement_error_message(:login_too_short, login_too_short_message)

data/lib/rodauth/features/reset_password.rb

@@ -69,7 +69,7 @@ module Rodauth
 
       r.post do
         catch_error do
-          unless account_from_login(param(login_param))
+          unless account_from_login(login_param_value)
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 

data/lib/rodauth/features/two_factor_base.rb

@@ -124,23 +124,12 @@ module Rodauth
     end
 
     def authenticated?
-      # False if not authenticated via single factor
-      return false unless super
-
-      # True if already authenticated via 2nd factor
-      return true if two_factor_authenticated?
-
-      # True if authenticated via single factor and 2nd factor not setup 
-      !uses_two_factor_authentication?
+      super && !two_factor_partially_authenticated?
     end
 
     def require_authentication
       super
-
-      # Avoid database query if already authenticated via 2nd factor
-      return if two_factor_authenticated?
-
-      require_two_factor_authenticated if uses_two_factor_authentication?
+      require_two_factor_authenticated if two_factor_partially_authenticated?
     end
 
     def require_two_factor_setup
@@ -188,6 +177,10 @@ module Rodauth
       end
     end
 
+    def two_factor_partially_authenticated?
+      logged_in? && !two_factor_authenticated? && uses_two_factor_authentication?
+    end
+
     def two_factor_authenticated?
       authenticated_by && authenticated_by.length >= 2
     end

data/lib/rodauth/features/verify_account.rb

@@ -71,7 +71,7 @@ module Rodauth
       end
 
       r.post do
-        if account_from_login(param(login_param)) && allow_resending_verify_account_email?
+        if account_from_login(login_param_value) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
             redirect verify_account_email_recently_sent_redirect
@@ -244,7 +244,7 @@ module Rodauth
 
     def _login_form_footer_links
       links = super
-      if !param_or_nil(login_param) || ((account || account_from_login(param(login_param))) && allow_resending_verify_account_email?)
+      if !param_or_nil(login_param) || ((account || account_from_login(login_param_value)) && allow_resending_verify_account_email?)
         links << [30, verify_account_resend_path, verify_account_resend_link_text]
       end
       links

data/lib/rodauth/features/webauthn_autofill.rb

@@ -4,6 +4,7 @@ module Rodauth
   Feature.define(:webauthn_autofill, :WebauthnAutofill) do
     depends :webauthn_login
 
+    auth_value_method :webauthn_autofill?, true
     auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
 
     translatable_method :webauthn_invalid_webauthn_id_message, "no webauthn key with given id found"
@@ -37,7 +38,7 @@ module Rodauth
 
     def _login_form_footer
       footer = super
-      footer += render("webauthn-autofill") unless valid_login_entered?
+      footer += render("webauthn-autofill") if webauthn_autofill? && !valid_login_entered?
       footer
     end
 

data/lib/rodauth/features/webauthn_login.rb

@@ -74,7 +74,7 @@ module Rodauth
     end
 
     def account_from_webauthn_login
-      account_from_login(param(login_param))
+      account_from_login(login_param_value)
     end
 
     def webauthn_login_options?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 36
+  MINOR = 37
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -402,7 +402,11 @@ module Rodauth
   end
 
   module InstanceMethods
-    def rodauth(name=nil)
+    def default_rodauth_name
+      nil
+    end
+
+    def rodauth(name=default_rodauth_name)
       if name
         (@_rodauths ||= {})[name] ||= self.class.rodauth(name).new(self)
       else
@@ -440,7 +444,7 @@ module Rodauth
   end
 
   module RequestMethods
-    def rodauth(name=nil)
+    def rodauth(name=scope.default_rodauth_name)
       scope.rodauth(name).route!
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.36.0
+  version: 2.37.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-07-23 00:00:00.000000000 Z
+date: 2024-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -248,265 +248,10 @@ email: code@jeremyevans.net
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.rdoc
-- CHANGELOG
 - MIT-LICENSE
-- doc/account_expiration.rdoc
-- doc/active_sessions.rdoc
-- doc/argon2.rdoc
-- doc/audit_logging.rdoc
-- doc/base.rdoc
-- doc/change_login.rdoc
-- doc/change_password.rdoc
-- doc/change_password_notify.rdoc
-- doc/close_account.rdoc
-- doc/confirm_password.rdoc
-- doc/create_account.rdoc
-- doc/disallow_common_passwords.rdoc
-- doc/disallow_password_reuse.rdoc
-- doc/email_auth.rdoc
-- doc/email_base.rdoc
-- doc/error_reasons.rdoc
-- doc/http_basic_auth.rdoc
-- doc/internal_request.rdoc
-- doc/json.rdoc
-- doc/jwt.rdoc
-- doc/jwt_cors.rdoc
-- doc/jwt_refresh.rdoc
-- doc/lockout.rdoc
-- doc/login.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/logout.rdoc
-- doc/otp.rdoc
-- doc/otp_lockout_email.rdoc
-- doc/otp_modify_email.rdoc
-- doc/otp_unlock.rdoc
-- doc/password_complexity.rdoc
-- doc/password_expiration.rdoc
-- doc/password_grace_period.rdoc
-- doc/password_pepper.rdoc
-- doc/path_class_methods.rdoc
-- doc/recovery_codes.rdoc
-- doc/remember.rdoc
-- doc/reset_password.rdoc
-- doc/reset_password_notify.rdoc
-- doc/session_expiration.rdoc
-- doc/single_session.rdoc
-- doc/sms_codes.rdoc
-- doc/two_factor_base.rdoc
-- doc/update_password_hash.rdoc
-- doc/verify_account.rdoc
-- doc/verify_account_grace_period.rdoc
-- doc/verify_login_change.rdoc
-- doc/webauthn.rdoc
-- doc/webauthn_autofill.rdoc
-- doc/webauthn_login.rdoc
-- doc/webauthn_modify_email.rdoc
-- doc/webauthn_verify_account.rdoc
-- doc/release_notes/1.0.0.txt
-- doc/release_notes/1.1.0.txt
-- doc/release_notes/1.10.0.txt
-- doc/release_notes/1.11.0.txt
-- doc/release_notes/1.12.0.txt
-- doc/release_notes/1.13.0.txt
-- doc/release_notes/1.14.0.txt
-- doc/release_notes/1.15.0.txt
-- doc/release_notes/1.16.0.txt
-- doc/release_notes/1.17.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.2.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
-- doc/release_notes/1.3.0.txt
-- doc/release_notes/1.4.0.txt
-- doc/release_notes/1.5.0.txt
-- doc/release_notes/1.6.0.txt
-- doc/release_notes/1.7.0.txt
-- doc/release_notes/1.8.0.txt
-- doc/release_notes/1.9.0.txt
-- doc/release_notes/2.0.0.txt
-- doc/release_notes/2.1.0.txt
-- doc/release_notes/2.10.0.txt
-- doc/release_notes/2.11.0.txt
-- doc/release_notes/2.12.0.txt
-- doc/release_notes/2.13.0.txt
-- doc/release_notes/2.14.0.txt
-- doc/release_notes/2.15.0.txt
-- doc/release_notes/2.16.0.txt
-- doc/release_notes/2.17.0.txt
-- doc/release_notes/2.18.0.txt
-- doc/release_notes/2.19.0.txt
-- doc/release_notes/2.2.0.txt
-- doc/release_notes/2.20.0.txt
-- doc/release_notes/2.21.0.txt
-- doc/release_notes/2.22.0.txt
-- doc/release_notes/2.23.0.txt
-- doc/release_notes/2.24.0.txt
-- doc/release_notes/2.25.0.txt
-- doc/release_notes/2.26.0.txt
-- doc/release_notes/2.27.0.txt
-- doc/release_notes/2.28.0.txt
-- doc/release_notes/2.29.0.txt
-- doc/release_notes/2.3.0.txt
-- doc/release_notes/2.30.0.txt
-- doc/release_notes/2.31.0.txt
-- doc/release_notes/2.32.0.txt
-- doc/release_notes/2.33.0.txt
-- doc/release_notes/2.34.0.txt
-- doc/release_notes/2.35.0.txt
-- doc/release_notes/2.36.0.txt
-- doc/release_notes/2.4.0.txt
-- doc/release_notes/2.5.0.txt
-- doc/release_notes/2.6.0.txt
-- doc/release_notes/2.7.0.txt
-- doc/release_notes/2.8.0.txt
-- doc/release_notes/2.9.0.txt
 files:
-- CHANGELOG
 - MIT-LICENSE
-- README.rdoc
 - dict/top-10_000-passwords.txt
-- doc/account_expiration.rdoc
-- doc/active_sessions.rdoc
-- doc/argon2.rdoc
-- doc/audit_logging.rdoc
-- doc/base.rdoc
-- doc/change_login.rdoc
-- doc/change_password.rdoc
-- doc/change_password_notify.rdoc
-- doc/close_account.rdoc
-- doc/confirm_password.rdoc
-- doc/create_account.rdoc
-- doc/disallow_common_passwords.rdoc
-- doc/disallow_password_reuse.rdoc
-- doc/email_auth.rdoc
-- doc/email_base.rdoc
-- doc/error_reasons.rdoc
-- doc/guides/admin_activation.rdoc
-- doc/guides/already_authenticated.rdoc
-- doc/guides/alternative_login.rdoc
-- doc/guides/change_table_and_column_names.rdoc
-- doc/guides/create_account_programmatically.rdoc
-- doc/guides/delay_password.rdoc
-- doc/guides/email_only.rdoc
-- doc/guides/i18n.rdoc
-- doc/guides/internals.rdoc
-- doc/guides/links.rdoc
-- doc/guides/login_return.rdoc
-- doc/guides/migrate_password_hash_algorithm.rdoc
-- doc/guides/password_column.rdoc
-- doc/guides/password_confirmation.rdoc
-- doc/guides/password_requirements.rdoc
-- doc/guides/paths.rdoc
-- doc/guides/query_params.rdoc
-- doc/guides/redirects.rdoc
-- doc/guides/registration_field.rdoc
-- doc/guides/render_confirmation.rdoc
-- doc/guides/require_mfa.rdoc
-- doc/guides/reset_password_autologin.rdoc
-- doc/guides/share_configuration.rdoc
-- doc/guides/status_column.rdoc
-- doc/guides/totp_or_recovery.rdoc
-- doc/http_basic_auth.rdoc
-- doc/internal_request.rdoc
-- doc/json.rdoc
-- doc/jwt.rdoc
-- doc/jwt_cors.rdoc
-- doc/jwt_refresh.rdoc
-- doc/lockout.rdoc
-- doc/login.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/logout.rdoc
-- doc/otp.rdoc
-- doc/otp_lockout_email.rdoc
-- doc/otp_modify_email.rdoc
-- doc/otp_unlock.rdoc
-- doc/password_complexity.rdoc
-- doc/password_expiration.rdoc
-- doc/password_grace_period.rdoc
-- doc/password_pepper.rdoc
-- doc/path_class_methods.rdoc
-- doc/recovery_codes.rdoc
-- doc/release_notes/1.0.0.txt
-- doc/release_notes/1.1.0.txt
-- doc/release_notes/1.10.0.txt
-- doc/release_notes/1.11.0.txt
-- doc/release_notes/1.12.0.txt
-- doc/release_notes/1.13.0.txt
-- doc/release_notes/1.14.0.txt
-- doc/release_notes/1.15.0.txt
-- doc/release_notes/1.16.0.txt
-- doc/release_notes/1.17.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.2.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
-- doc/release_notes/1.3.0.txt
-- doc/release_notes/1.4.0.txt
-- doc/release_notes/1.5.0.txt
-- doc/release_notes/1.6.0.txt
-- doc/release_notes/1.7.0.txt
-- doc/release_notes/1.8.0.txt
-- doc/release_notes/1.9.0.txt
-- doc/release_notes/2.0.0.txt
-- doc/release_notes/2.1.0.txt
-- doc/release_notes/2.10.0.txt
-- doc/release_notes/2.11.0.txt
-- doc/release_notes/2.12.0.txt
-- doc/release_notes/2.13.0.txt
-- doc/release_notes/2.14.0.txt
-- doc/release_notes/2.15.0.txt
-- doc/release_notes/2.16.0.txt
-- doc/release_notes/2.17.0.txt
-- doc/release_notes/2.18.0.txt
-- doc/release_notes/2.19.0.txt
-- doc/release_notes/2.2.0.txt
-- doc/release_notes/2.20.0.txt
-- doc/release_notes/2.21.0.txt
-- doc/release_notes/2.22.0.txt
-- doc/release_notes/2.23.0.txt
-- doc/release_notes/2.24.0.txt
-- doc/release_notes/2.25.0.txt
-- doc/release_notes/2.26.0.txt
-- doc/release_notes/2.27.0.txt
-- doc/release_notes/2.28.0.txt
-- doc/release_notes/2.29.0.txt
-- doc/release_notes/2.3.0.txt
-- doc/release_notes/2.30.0.txt
-- doc/release_notes/2.31.0.txt
-- doc/release_notes/2.32.0.txt
-- doc/release_notes/2.33.0.txt
-- doc/release_notes/2.34.0.txt
-- doc/release_notes/2.35.0.txt
-- doc/release_notes/2.36.0.txt
-- doc/release_notes/2.4.0.txt
-- doc/release_notes/2.5.0.txt
-- doc/release_notes/2.6.0.txt
-- doc/release_notes/2.7.0.txt
-- doc/release_notes/2.8.0.txt
-- doc/release_notes/2.9.0.txt
-- doc/remember.rdoc
-- doc/reset_password.rdoc
-- doc/reset_password_notify.rdoc
-- doc/session_expiration.rdoc
-- doc/single_session.rdoc
-- doc/sms_codes.rdoc
-- doc/two_factor_base.rdoc
-- doc/update_password_hash.rdoc
-- doc/verify_account.rdoc
-- doc/verify_account_grace_period.rdoc
-- doc/verify_login_change.rdoc
-- doc/webauthn.rdoc
-- doc/webauthn_autofill.rdoc
-- doc/webauthn_login.rdoc
-- doc/webauthn_modify_email.rdoc
-- doc/webauthn_verify_account.rdoc
 - javascript/webauthn_auth.js
 - javascript/webauthn_autofill.js
 - javascript/webauthn_setup.js
@@ -659,7 +404,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications