rodauth 2.38.0 → 2.40.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f79db7dec7147665538bf0b4f8e0c6c554d88396b294f19e5a5ed26543c31d1c
-  data.tar.gz: ea377861679a55895bc325b1cf3932970b0de9c773615ba2daecb5805704ae02
+  metadata.gz: c1a80af909390a66924a6a3317b9234cd7b99032878b4ffd794fe621fba48b6d
+  data.tar.gz: cba66489bfb59d011d4d960b9b6f2d9c6c1f3f606661467ea888f6072d2f272b
 SHA512:
-  metadata.gz: 8e13b4dc188867866ee0eda53765091bb48f583d65957e488737b612bde4cf4ae9caa18edd2d88b3c609a7a3e25a51eec42fc5aa25e4083ea51c283310a36cb9
-  data.tar.gz: d50e275056bf3196a025e1933ab97ecd88d784c80ec97412cf046bb9718f558da4b321f7fbf52ba09d3554059157ef67f3f407625fd65c237fd2334e170066a7
+  metadata.gz: f220a837ca8a81984accd87b52725633de82b7ea3452bf91bb3a43c529e4d03a785c6fccd4e5dc6c729a3f1fe33b8a8d535c25060c884dd38ef94c07d21f52ce
+  data.tar.gz: 91d278bf3d9e1f1eaa47ff77c98506581ece39b9ad61d6aa5588e98faf65261f804154980a8416d63cec77fe462fff2ce9e8e1186f1fcaf608f3703a94fed818

data/lib/rodauth/features/base.rb

@@ -563,6 +563,42 @@ module Rodauth
       s
     end
 
+    if Rack.release >= '3'
+      def set_response_header(key, value)
+        response.headers[key] = value
+      end
+
+      def convert_response_header_key(key)
+        key
+      end
+    # :nocov:
+    else
+      def set_response_header(key, value)
+        response.headers[convert_response_header_key(key)] = value
+      end
+
+      # Attempt backwards compatibility on Rack < 3 by changing
+      # known cases from lower case to mixed case.
+      mixed_case_headers = {}
+      (<<-END).split.each { |k| mixed_case_headers[k.downcase.freeze] = k.freeze }
+        Access-Control-Allow-Headers
+        Access-Control-Allow-Methods
+        Access-Control-Allow-Origin
+        Access-Control-Expose-Headers
+        Access-Control-Max-Age
+        Allow
+        Authorization
+        Content-Type
+        Content-Length
+        WWW-Authenticate
+      END
+      mixed_case_headers.freeze
+      define_method(:convert_response_header_key) do |key|
+        mixed_case_headers.fetch(key, key)
+      end
+    end
+    # :nocov:
+
     if RUBY_VERSION >= '2.1'
       def button_fixed_locals
         '(value:, opts:)'

data/lib/rodauth/features/http_basic_auth.rb

@@ -73,7 +73,7 @@ module Rodauth
 
     def set_http_basic_auth_error_response
       response.status = 401
-      response.headers["WWW-Authenticate"] = "Basic realm=\"#{http_basic_auth_realm}\""
+      set_response_header("www-authenticate", "Basic realm=\"#{http_basic_auth_realm}\"")
     end
 
     def throw_basic_auth_error(*args)

data/lib/rodauth/features/json.rb

@@ -186,7 +186,7 @@ module Rodauth
 
         unless request.post?
           response.status = 405
-          response.headers['Allow'] = 'POST'
+          set_response_header('allow', 'POST')
           json_response[json_response_error_key] = json_non_post_error_message
           return_json_response
         end
@@ -209,7 +209,7 @@ module Rodauth
 
     def _return_json_response
       response.status ||= json_response_error_status if json_response_error?
-      response['Content-Type'] ||= json_response_content_type
+      response.headers[convert_response_header_key('content-type')] ||= json_response_content_type
       return_response _json_response_body(json_response)
     end
 

data/lib/rodauth/features/jwt.rb

@@ -47,7 +47,7 @@ module Rodauth
 
         if session_data
           if jwt_symbolize_deeply?
-            s = JSON.parse(JSON.fast_generate(session_data), :symbolize_names=>true)
+            s = JSON.parse(JSON.generate(session_data), :symbolize_names=>true)
           elsif scope.opts[:sessions_convert_symbols]
             s = session_data
           else
@@ -84,7 +84,7 @@ module Rodauth
     end
 
     def set_jwt_token(token)
-      response.headers['Authorization'] = token
+      set_response_header('authorization', token)
     end
 
     def use_jwt?

data/lib/rodauth/features/jwt_cors.rb

@@ -33,18 +33,18 @@ module Rodauth
 
     def before_rodauth
       if jwt_cors_allow?
-        response['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN']
+        set_response_header('access-control-allow-origin', request.env['HTTP_ORIGIN'])
 
         # Handle CORS preflight request
         if request.request_method == 'OPTIONS'
-          response['Access-Control-Allow-Methods'] = jwt_cors_allow_methods
-          response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
-          response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
+          set_response_header('access-control-allow-methods', jwt_cors_allow_methods)
+          set_response_header('access-control-allow-headers', jwt_cors_allow_headers)
+          set_response_header('access-control-max-age', jwt_cors_max_age.to_s)
           response.status = 204
           return_response
         end
 
-        response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers
+        set_response_header('access-control-expose-headers', jwt_cors_expose_headers)
       end
 
       super

data/lib/rodauth/features/login.rb

@@ -15,6 +15,7 @@ module Rodauth
     auth_value_method :login_error_status, 401
     translatable_method :login_form_footer_links_heading, '<h2 class="rodauth-login-form-footer-links-heading">Other Options</h2>'
     auth_value_method :login_return_to_requested_location?, false
+    auth_value_method :login_return_to_requested_location_max_path_size, 2048
     auth_value_method :use_multi_phase_login?, false
 
     session_key :login_redirect_session_key, :login_redirect
@@ -95,7 +96,7 @@ module Rodauth
     end
 
     def login_required
-      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path) && path.bytesize <= login_return_to_requested_location_max_path_size
         set_session_value(login_redirect_session_key, path)
       end
       super

data/lib/rodauth/features/otp_unlock.rb

@@ -52,6 +52,7 @@ module Rodauth
       :otp_unlock_auth_success,
       :otp_unlock_available?,
       :otp_unlock_deadline_passed?,
+      :otp_unlock_not_available_set_refresh_header,
       :otp_unlock_refresh_tag,
     )
 
@@ -72,6 +73,7 @@ module Rodauth
         if otp_unlock_available?
           otp_unlock_view
         else
+          otp_unlock_not_available_set_refresh_header
           otp_unlock_not_available_view
         end
       end
@@ -201,6 +203,7 @@ module Rodauth
     end
 
     def otp_unlock_refresh_tag
+      # RODAUTH3: Remove
       "<meta http-equiv=\"refresh\" content=\"#{(otp_unlock_next_auth_attempt_after - Time.now).to_i + 1}\">"
     end
 
@@ -224,6 +227,10 @@ module Rodauth
       otp_unlock_data ? otp_unlock_data[otp_unlock_num_successes_column] : 0
     end
 
+    def otp_unlock_not_available_set_refresh_header
+      response.headers["refresh"] = ((otp_unlock_next_auth_attempt_after - Time.now).to_i + 1).to_s
+    end
+
     private
 
     def show_otp_auth_link?

data/lib/rodauth/features/reset_password.rb

@@ -50,6 +50,7 @@ module Rodauth
       :reset_password_email_link,
       :reset_password_key_insert_hash,
       :reset_password_key_value,
+      :reset_password_request_for_unverified_account,
       :set_reset_password_email_last_sent
     )
     auth_private_methods(
@@ -73,9 +74,7 @@ module Rodauth
             throw_error_reason(:no_matching_login, no_matching_login_error_status, login_param, no_matching_login_message)
           end
 
-          unless open_account?
-            throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
-          end
+          reset_password_request_for_unverified_account unless open_account?
 
           if reset_password_email_recently_sent?
             set_redirect_error_flash reset_password_email_recently_sent_error_flash
@@ -174,6 +173,10 @@ module Rodauth
       end
     end
 
+    def reset_password_request_for_unverified_account
+      throw_error_reason(:unverified_account, unopen_account_error_status, login_param, unverified_account_message)
+    end
+
     def remove_reset_password_key
       password_reset_ds.delete
     end

data/lib/rodauth/features/webauthn.rb

@@ -123,7 +123,7 @@ module Rodauth
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do
-        response['Content-Type'] = 'text/javascript'
+        set_response_header('content-type', 'text/javascript')
         webauthn_auth_js
       end
     end
@@ -158,7 +158,7 @@ module Rodauth
     route(:webauthn_setup_js) do |r|
       before_webauthn_setup_js_route
       r.get do
-        response['Content-Type'] = 'text/javascript'
+        set_response_header('content-type', 'text/javascript')
         webauthn_setup_js
       end
     end
@@ -410,13 +410,25 @@ module Rodauth
     private
 
     if WebAuthn::VERSION >= '3'
-      def webauthn_relying_party
-        # No need to memoize, only called once per request
-        WebAuthn::RelyingParty.new(
-          origin: webauthn_origin,
-          id: webauthn_rp_id,
-          name: webauthn_rp_name,
-        )
+      if WebAuthn::RelyingParty.instance_method(:initialize).parameters.include?([:key, :allowed_origins])
+        def webauthn_relying_party
+          # No need to memoize, only called once per request
+          WebAuthn::RelyingParty.new(
+            allowed_origins: [webauthn_origin],
+            id: webauthn_rp_id,
+            name: webauthn_rp_name,
+          )
+        end
+      # :nocov:
+      else
+        def webauthn_relying_party
+          WebAuthn::RelyingParty.new(
+            origin: webauthn_origin,
+            id: webauthn_rp_id,
+            name: webauthn_rp_name,
+          )
+        end
+      # :nocov:
       end
 
       def webauthn_create_relying_party_opts

data/lib/rodauth/features/webauthn_autofill.rb

@@ -12,7 +12,7 @@ module Rodauth
     route(:webauthn_autofill_js) do |r|
       before_webauthn_autofill_js_route
       r.get do
-        response['Content-Type'] = 'text/javascript'
+        set_response_header('content-type', 'text/javascript')
         webauthn_autofill_js
       end
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 38
+  MINOR = 40
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/templates/otp-unlock-not-available.str

@@ -2,4 +2,3 @@
 <p>#{rodauth.otp_unlock_required_consecutive_successes_label}: #{rodauth.otp_unlock_auths_required}</p>
 <p>#{rodauth.otp_unlock_next_auth_attempt_label}: #{rodauth.otp_unlock_next_auth_attempt_after.strftime(rodauth.strftime_format)}</p>
 <p>#{rodauth.otp_unlock_next_auth_attempt_refresh_label}</p>
-#{rodauth.otp_unlock_refresh_tag}

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.38.0
+  version: 2.40.0
 platform: ruby
 authors:
 - Jeremy Evans
 bindir: bin
 cert_chain: []
-date: 2025-01-15 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -402,7 +402,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications
 test_files: []