rodauth 2.36.0 → 2.38.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4daf43beb9b2af129683b299f1e455e5b38fa925b1cc020ec79ae951f56f292b
-  data.tar.gz: a694fe203f76512691004d1138ad03cab7699d317a0a658ae6ac51732ff22b36
+  metadata.gz: f79db7dec7147665538bf0b4f8e0c6c554d88396b294f19e5a5ed26543c31d1c
+  data.tar.gz: ea377861679a55895bc325b1cf3932970b0de9c773615ba2daecb5805704ae02
 SHA512:
-  metadata.gz: aef00a1d31a310ea0061f54ebcb4044ccdcc7106d2f07074f4585ac5406776784bef9c698befa050b374d4dd37dd2495d3a3e4dcd6854e387fc8442901f3f227
-  data.tar.gz: 85d9837f21b320f2bec1241f07e22ff150b49192017cb1ea20d2863fce93b547d5271cafe30b08baeaa582fd4f40b715ce488d9fb19bd7fe2cc43a2f565b5266
+  metadata.gz: 8e13b4dc188867866ee0eda53765091bb48f583d65957e488737b612bde4cf4ae9caa18edd2d88b3c609a7a3e25a51eec42fc5aa25e4083ea51c283310a36cb9
+  data.tar.gz: d50e275056bf3196a025e1933ab97ecd88d784c80ec97412cf046bb9718f558da4b321f7fbf52ba09d3554059157ef67f3f407625fd65c237fd2334e170066a7

data/lib/rodauth/features/base.rb

@@ -67,6 +67,7 @@ module Rodauth
     auth_value_method :unopen_account_error_status, 403
     translatable_method :unverified_account_message, "unverified account, please verify account before logging in"
     auth_value_method :default_field_attributes, ''
+    auth_value_method :use_template_fixed_locals?, true
 
     redirect(:require_login){"#{prefix}/login"}
 
@@ -98,6 +99,7 @@ module Rodauth
       :inputmode_for_field?,
       :logged_in?,
       :login_required,
+      :normalize_login,
       :null_byte_parameter_value,
       :open_account?,
       :over_max_bytesize_param_value,
@@ -321,7 +323,7 @@ module Rodauth
     end
 
     def clear_session
-      if scope.respond_to?(:clear_session)
+      if use_scope_clear_session?
         scope.clear_session
       else
         session.clear
@@ -408,6 +410,7 @@ module Rodauth
 
     def button_opts(value, opts)
       opts = Hash[template_opts].merge!(opts)
+      _merge_fixed_locals_opts(opts, button_fixed_locals)
       opts[:locals] = {:value=>value, :opts=>opts}
       opts[:cache] = cache_templates
       opts[:cache_key] = :rodauth_button
@@ -505,6 +508,15 @@ module Rodauth
       nil
     end
 
+    # The normalized value of the login parameter
+    def login_param_value
+      normalize_login(param(login_param))
+    end
+
+    def normalize_login(login)
+      login
+    end
+
     # Return nil by default for values with null bytes
     def null_byte_parameter_value(key, value)
       nil
@@ -532,6 +544,12 @@ module Rodauth
       has_password? ? ['password'] : []
     end
 
+    def has_password?
+      return @has_password if defined?(@has_password)
+      return false unless account || session_value
+      @has_password = !!get_password_hash
+    end
+
     private
 
     def _around_rodauth
@@ -545,6 +563,20 @@ module Rodauth
       s
     end
 
+    if RUBY_VERSION >= '2.1'
+      def button_fixed_locals
+        '(value:, opts:)'
+      end
+    # :nocov:
+    else
+      # Work on Ruby 2.0 when using Tilt 2.6+, as Ruby 2.0 does
+      # not support required keyword arguments.
+      def button_fixed_locals
+        '(value: nil, opts: nil)'
+      end
+    end
+    # :nocov:
+
     def database_function_password_match?(name, hash_id, password, salt)
       db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
     end
@@ -708,12 +740,6 @@ module Rodauth
       end
     end
 
-    def has_password?
-      return @has_password if defined?(@has_password)
-      return false unless account || session_value
-      @has_password = !!get_password_hash
-    end
-
     def password_hash_using_salt(password, salt)
       BCrypt::Engine.hash_secret(password, salt)
     end
@@ -756,7 +782,7 @@ module Rodauth
     end
 
     def compute_raw_hmac(data)
-      raise ArgumentError, "hmac_secret not set" unless hmac_secret
+      raise ConfigurationError, "hmac_secret not set" unless hmac_secret
       compute_raw_hmac_with_secret(data, hmac_secret)
     end
 
@@ -869,9 +895,13 @@ module Rodauth
       false
     end
 
+    def use_scope_clear_session?
+      scope.respond_to?(:clear_session)
+    end
+
     def require_response(meth)
       send(meth)
-      raise RuntimeError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt). This is a bug in your Rodauth configuration, not a bug in Rodauth itself."
+      raise ConfigurationError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt)."
     end
 
     def set_session_value(key, value)
@@ -898,6 +928,7 @@ module Rodauth
 
     def _view_opts(page)
       opts = template_opts.dup
+      _merge_fixed_locals_opts(opts, '(rodauth: self.rodauth)')
       opts[:locals] = opts[:locals] ? opts[:locals].dup : {}
       opts[:locals][:rodauth] = self
       opts[:cache] = cache_templates
@@ -905,6 +936,14 @@ module Rodauth
       _template_opts(opts, page)
     end
 
+    def _merge_fixed_locals_opts(opts, fixed_locals)
+      if use_template_fixed_locals? && !opts[:locals]
+        fixed_locals_opts = {default_fixed_locals: fixed_locals}
+        fixed_locals_opts.merge!(opts[:template_opts]) if opts[:template_opts]
+        opts[:template_opts] = fixed_locals_opts
+      end
+    end
+
     # Set the template path only if there isn't an overridden template in the application.
     # Result should replace existing template opts.
     def _template_opts(opts, page)
@@ -916,6 +955,10 @@ module Rodauth
     end
 
     def _view(meth, page)
+      unless scope.respond_to?(meth)
+        raise ConfigurationError, "attempted to render a built-in view/email template (#{page.inspect}), but rendering is disabled"
+      end
+
       scope.send(meth, _view_opts(page))
     end
   end

data/lib/rodauth/features/change_login.rb

@@ -36,12 +36,12 @@ module Rodauth
             throw_error_reason(:invalid_password, invalid_password_error_status, password_param, invalid_password_message)
           end
 
-          login = param(login_param)
+          login = login_param_value
           unless login_meets_requirements?(login)
             throw_error_status(invalid_field_error_status, login_param, login_does_not_meet_requirements_message)
           end
 
-          if require_login_confirmation? && login != param(login_confirm_param)
+          if require_login_confirmation? && !login_confirmation_matches?(login, param(login_confirm_param))
             throw_error_reason(:logins_do_not_match, unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 

data/lib/rodauth/features/create_account.rb

@@ -40,12 +40,12 @@ module Rodauth
       end
 
       r.post do
-        login = param(login_param)
+        login = login_param_value
         password = param(password_param)
         new_account(login)
 
         catch_error do
-          if require_login_confirmation? && login != param(login_confirm_param)
+          if require_login_confirmation? && !login_confirmation_matches?(login, param(login_confirm_param))
             throw_error_reason(:logins_do_not_match, unmatched_field_error_status, login_param, logins_do_not_match_message)
           end
 

data/lib/rodauth/features/email_auth.rb

@@ -56,7 +56,7 @@ module Rodauth
       before_email_auth_request_route
 
       r.post do
-        if account_from_login(param(login_param)) && open_account?
+        if account_from_login(login_param_value) && open_account?
           _email_auth_request
         end
 
@@ -163,6 +163,10 @@ module Rodauth
       methods
     end
 
+    def email_auth_email_recently_sent?
+      (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
+    end
+
     private
 
     def _multi_phase_login_forms
@@ -171,10 +175,6 @@ module Rodauth
       forms
     end
 
-    def email_auth_email_recently_sent?
-      (email_last_sent = get_email_auth_email_last_sent) && (Time.now - email_last_sent < email_auth_skip_resend_email_within)
-    end
-
     def _email_auth_request
       if email_auth_email_recently_sent?
         set_redirect_error_flash email_auth_email_recently_sent_error_flash

data/lib/rodauth/features/internal_request.rb

@@ -223,14 +223,14 @@ module Rodauth
     end
 
     def _handle_account_id_for_login(_)
-      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
-      raise InternalRequestError, "no account for login" unless account = account_from_login(login)
+      raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+      raise InternalRequestError, "no account for login" unless account = account_from_login(login_param_value)
       _return_from_internal_request(account[account_id_column])
     end
 
     def _handle_account_exists?(_)
-      raise InternalRequestError, "no login provided" unless login = param_or_nil(login_param)
-      _return_from_internal_request(!!account_from_login(login))
+      raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+      _return_from_internal_request(!!account_from_login(login_param_value))
     end
 
     def _handle_lock_account(_)

data/lib/rodauth/features/json.rb

@@ -72,6 +72,11 @@ module Rodauth
 
     private
 
+    def check_csrf?
+      return false if use_json?
+      super
+    end
+
     def _set_otp_unlock_info
       if use_json?
         json_response[:num_successes] = otp_unlock_num_successes

data/lib/rodauth/features/jwt.rb

@@ -60,14 +60,11 @@ module Rodauth
 
     def clear_session
       super
-      if use_jwt?
-        session.clear
-        set_jwt
-      end
+      set_jwt if use_jwt?
     end
 
     def jwt_secret
-      raise ArgumentError, "jwt_secret not set"
+      raise ConfigurationError, "jwt_secret not set"
     end
 
     def jwt_session_hash
@@ -104,16 +101,11 @@ module Rodauth
 
     private
 
-    def check_csrf?
-      return false if use_jwt?
-      super
-    end
-
     def _jwt_decode_opts
       jwt_decode_opts
     end
 
-    if JWT::VERSION::MAJOR > 2 || (JWT::VERSION::MAJOR == 2 && JWT::VERSION::MINOR >= 4)
+    if JWT.gem_version >= Gem::Version.new("2.4")
       def _jwt_decode_secrets
         secrets = [jwt_secret, jwt_old_secret]
         secrets.compact!
@@ -158,5 +150,9 @@ module Rodauth
     def set_jwt
       set_jwt_token(session_jwt)
     end
+
+    def use_scope_clear_session?
+      super && !use_jwt?
+    end
   end
 end

data/lib/rodauth/features/lockout.rb

@@ -70,7 +70,7 @@ module Rodauth
       before_unlock_account_request_route
 
       r.post do
-        if account_from_login(param(login_param)) && get_unlock_account_key
+        if account_from_login(login_param_value) && get_unlock_account_key
           if unlock_account_email_recently_sent?
             set_redirect_error_flash unlock_account_email_recently_sent_error_flash
             redirect unlock_account_email_recently_sent_redirect
@@ -237,6 +237,10 @@ module Rodauth
       account_lockouts_ds.update(account_lockouts_email_last_sent_column=>Sequel::CURRENT_TIMESTAMP) if account_lockouts_email_last_sent_column
     end
 
+    def unlock_account_email_recently_sent?
+      (email_last_sent = get_unlock_account_email_last_sent) && (Time.now - email_last_sent < unlock_account_skip_resend_email_within)
+    end
+
     private
 
     attr_reader :unlock_account_key_value
@@ -278,10 +282,6 @@ module Rodauth
       return_response unlock_account_request_view
     end
 
-    def unlock_account_email_recently_sent?
-      (email_last_sent = get_unlock_account_email_last_sent) && (Time.now - email_last_sent < unlock_account_skip_resend_email_within)
-    end
-
     def use_date_arithmetic?
       super || db.database_type == :mysql
     end

data/lib/rodauth/features/login.rb

@@ -45,7 +45,7 @@ module Rodauth
         view = :login_view
 
         catch_error do
-          unless account_from_login(param(login_param))
+          unless account_from_login(login_param_value)
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -36,6 +36,7 @@ module Rodauth
     )
 
     auth_methods(
+      :login_confirmation_matches?,
       :login_meets_requirements?,
       :login_valid_email?,
       :password_hash,
@@ -126,6 +127,18 @@ module Rodauth
       @login_requirement_message = message
     end
 
+    if RUBY_VERSION >= '2.4'
+      def login_confirmation_matches?(login, login_confirmation)
+        login.casecmp?(login_confirmation)
+      end
+    # :nocov:
+    else
+      def login_confirmation_matches?(login, login_confirmation)
+        login.casecmp(login_confirmation) == 0
+      end
+    # :nocov:
+    end
+
     def login_meets_length_requirements?(login)
       if login_minimum_length > login.length
         set_login_requirement_error_message(:login_too_short, login_too_short_message)

data/lib/rodauth/features/reset_password.rb

@@ -69,7 +69,7 @@ module Rodauth
 
       r.post do
         catch_error do
-          unless account_from_login(param(login_param))
+          unless account_from_login(login_param_value)
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
@@ -204,16 +204,16 @@ module Rodauth
       end
     end
 
+    def reset_password_email_recently_sent?
+      (email_last_sent = get_reset_password_email_last_sent) && (Time.now - email_last_sent < reset_password_skip_resend_email_within)
+    end
+
     private
 
     def _login_form_footer_links
       super << [20, reset_password_request_path, reset_password_request_link_text]
     end
 
-    def reset_password_email_recently_sent?
-      (email_last_sent = get_reset_password_email_last_sent) && (Time.now - email_last_sent < reset_password_skip_resend_email_within)
-    end
-
     attr_reader :reset_password_key_value
 
     def after_login_failure

data/lib/rodauth/features/sms_codes.rb

@@ -514,7 +514,7 @@ module Rodauth
     end
 
     def sms_send(phone, message)
-      raise NotImplementedError, "sms_send needs to be defined in the Rodauth configuration for SMS sending to work"
+      raise ConfigurationError, "sms_send needs to be defined in the Rodauth configuration for SMS sending to work"
     end
 
     def update_sms(values)

data/lib/rodauth/features/two_factor_base.rb

@@ -124,23 +124,12 @@ module Rodauth
     end
 
     def authenticated?
-      # False if not authenticated via single factor
-      return false unless super
-
-      # True if already authenticated via 2nd factor
-      return true if two_factor_authenticated?
-
-      # True if authenticated via single factor and 2nd factor not setup 
-      !uses_two_factor_authentication?
+      super && !two_factor_partially_authenticated?
     end
 
     def require_authentication
       super
-
-      # Avoid database query if already authenticated via 2nd factor
-      return if two_factor_authenticated?
-
-      require_two_factor_authenticated if uses_two_factor_authentication?
+      require_two_factor_authenticated if two_factor_partially_authenticated?
     end
 
     def require_two_factor_setup
@@ -188,6 +177,10 @@ module Rodauth
       end
     end
 
+    def two_factor_partially_authenticated?
+      logged_in? && !two_factor_authenticated? && uses_two_factor_authentication?
+    end
+
     def two_factor_authenticated?
       authenticated_by && authenticated_by.length >= 2
     end

data/lib/rodauth/features/verify_account.rb

@@ -71,7 +71,7 @@ module Rodauth
       end
 
       r.post do
-        if account_from_login(param(login_param)) && allow_resending_verify_account_email?
+        if account_from_login(login_param_value) && allow_resending_verify_account_email?
           if verify_account_email_recently_sent?
             set_redirect_error_flash verify_account_email_recently_sent_error_flash
             redirect verify_account_email_recently_sent_redirect
@@ -240,20 +240,20 @@ module Rodauth
       send_verify_account_email
     end
 
+    def verify_account_email_recently_sent?
+      account && (email_last_sent = get_verify_account_email_last_sent) && (Time.now - email_last_sent < verify_account_skip_resend_email_within)
+    end
+
     private
 
     def _login_form_footer_links
       links = super
-      if !param_or_nil(login_param) || ((account || account_from_login(param(login_param))) && allow_resending_verify_account_email?)
+      if !param_or_nil(login_param) || ((account || account_from_login(login_param_value)) && allow_resending_verify_account_email?)
         links << [30, verify_account_resend_path, verify_account_resend_link_text]
       end
       links
     end
 
-    def verify_account_email_recently_sent?
-      (email_last_sent = get_verify_account_email_last_sent) && (Time.now - email_last_sent < verify_account_skip_resend_email_within)
-    end
-
     attr_reader :verify_account_key_value
 
     def before_login_attempt

data/lib/rodauth/features/webauthn_autofill.rb

@@ -4,6 +4,7 @@ module Rodauth
   Feature.define(:webauthn_autofill, :WebauthnAutofill) do
     depends :webauthn_login
 
+    auth_value_method :webauthn_autofill?, true
     auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
 
     translatable_method :webauthn_invalid_webauthn_id_message, "no webauthn key with given id found"
@@ -37,7 +38,7 @@ module Rodauth
 
     def _login_form_footer
       footer = super
-      footer += render("webauthn-autofill") unless valid_login_entered?
+      footer += render("webauthn-autofill") if webauthn_autofill? && !valid_login_entered?
       footer
     end
 

data/lib/rodauth/features/webauthn_login.rb

@@ -74,7 +74,7 @@ module Rodauth
     end
 
     def account_from_webauthn_login
-      account_from_login(param(login_param))
+      account_from_login(login_param_value)
     end
 
     def webauthn_login_options?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 36
+  MINOR = 38
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -3,6 +3,8 @@
 require 'securerandom'
 
 module Rodauth
+  class ConfigurationError < StandardError; end
+
   def self.lib(opts={}, &block) 
     require 'roda'
     c = Class.new(Roda)
@@ -402,7 +404,11 @@ module Rodauth
   end
 
   module InstanceMethods
-    def rodauth(name=nil)
+    def default_rodauth_name
+      nil
+    end
+
+    def rodauth(name=default_rodauth_name)
       if name
         (@_rodauths ||= {})[name] ||= self.class.rodauth(name).new(self)
       else
@@ -440,7 +446,7 @@ module Rodauth
   end
 
   module RequestMethods
-    def rodauth(name=nil)
+    def rodauth(name=scope.default_rodauth_name)
       scope.rodauth(name).route!
     end
   end