rodauth 2.4.0 → 2.9.0
- checksums.yaml +4 -4
- data/CHANGELOG +42 -0
- data/MIT-LICENSE +1 -1
- data/README.rdoc +10 -2
- data/doc/base.rdoc +2 -1
- data/doc/json.rdoc +47 -0
- data/doc/jwt.rdoc +1 -28
- data/doc/jwt_refresh.rdoc +8 -0
- data/doc/login.rdoc +1 -0
- data/doc/recovery_codes.rdoc +2 -1
- data/doc/release_notes/2.5.0.txt +20 -0
- data/doc/release_notes/2.6.0.txt +37 -0
- data/doc/release_notes/2.7.0.txt +33 -0
- data/doc/release_notes/2.8.0.txt +20 -0
- data/doc/release_notes/2.9.0.txt +21 -0
- data/doc/remember.rdoc +1 -1
- data/doc/verify_login_change.rdoc +1 -0
- data/javascript/webauthn_auth.js +9 -9
- data/javascript/webauthn_setup.js +9 -6
- data/lib/rodauth.rb +14 -6
- data/lib/rodauth/features/base.rb +7 -2
- data/lib/rodauth/features/change_password.rb +1 -1
- data/lib/rodauth/features/confirm_password.rb +2 -2
- data/lib/rodauth/features/json.rb +189 -0
- data/lib/rodauth/features/jwt.rb +22 -170
- data/lib/rodauth/features/jwt_refresh.rb +63 -13
- data/lib/rodauth/features/login.rb +8 -2
- data/lib/rodauth/features/otp.rb +0 -2
- data/lib/rodauth/features/recovery_codes.rb +22 -1
- data/lib/rodauth/features/remember.rb +6 -1
- data/lib/rodauth/features/verify_account.rb +6 -7
- data/lib/rodauth/features/verify_login_change.rb +2 -1
- data/lib/rodauth/features/webauthn_verify_account.rb +1 -1
- data/lib/rodauth/version.rb +1 -1
- metadata +35 -22
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a51cd006e762abd197f16ec9b8337cd54bf15206fcc2ce3a83cb1c424bb83845
|
4
|
+
data.tar.gz: 41e21158bee2b7ef8c75a93b035a5ff08c0245e5719aecbf783a818a860329b6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fb2c83005f29f8e8f2ea36ae97111c2b2108dc370ce1fee624c6cd27fd96eaa70be8f1471d9b9cb4a8b652b55e2277cce3489514bf56624bceb2c4f52413b580
|
7
|
+
data.tar.gz: 6bf8b23187ab6935cd33259b4ee546281df100641b7927c9e03e531f591a451ba5d56b50b8621cbc7948ad8807253dbded5da0b85247e70db7aa5db1d2be765a
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,45 @@
|
|
1
|
+
=== 2.9.0 (2021-01-22)
|
2
|
+
|
3
|
+
* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
|
4
|
+
|
5
|
+
* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
|
6
|
+
|
7
|
+
=== 2.8.0 (2021-01-06)
|
8
|
+
|
9
|
+
* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
|
10
|
+
|
11
|
+
* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
|
12
|
+
|
13
|
+
=== 2.7.0 (2020-12-22)
|
14
|
+
|
15
|
+
* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
|
16
|
+
|
17
|
+
* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
|
18
|
+
|
19
|
+
* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
|
20
|
+
|
21
|
+
* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
|
22
|
+
|
23
|
+
* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
|
24
|
+
|
25
|
+
=== 2.6.0 (2020-11-20)
|
26
|
+
|
27
|
+
* Avoid loading features multiple times (janko) (#131)
|
28
|
+
|
29
|
+
* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
|
30
|
+
|
31
|
+
* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
|
32
|
+
|
33
|
+
* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
|
34
|
+
|
35
|
+
* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
|
36
|
+
|
37
|
+
=== 2.5.0 (2020-10-22)
|
38
|
+
|
39
|
+
* Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
|
40
|
+
|
41
|
+
* Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
|
42
|
+
|
1
43
|
=== 2.4.0 (2020-09-21)
|
2
44
|
|
3
45
|
* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
|
data/MIT-LICENSE
CHANGED
data/README.rdoc
CHANGED
@@ -52,7 +52,8 @@ HTML and JSON API for all supported features.
|
|
52
52
|
* Session Expiration
|
53
53
|
* Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
|
54
54
|
* Single Session (Only one active session per account)
|
55
|
-
*
|
55
|
+
* JSON (JSON API support for all other features)
|
56
|
+
* JWT (JSON Web Token support for all other features)
|
56
57
|
* JWT Refresh (Access & Refresh Token)
|
57
58
|
* JWT CORS (Cross-Origin Resource Sharing)
|
58
59
|
* Update Password Hash (when hash cost changes)
|
@@ -872,6 +873,7 @@ view the appropriate file in the doc directory.
|
|
872
873
|
* {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
|
873
874
|
* {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
|
874
875
|
* {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
|
876
|
+
* {JSON}[rdoc-ref:doc/json.rdoc]
|
875
877
|
* {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
|
876
878
|
* {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
|
877
879
|
* {JWT}[rdoc-ref:doc/jwt.rdoc]
|
@@ -1320,7 +1322,13 @@ use the necessary *_email_body configuration options to specify
|
|
1320
1322
|
the body of the emails.
|
1321
1323
|
|
1322
1324
|
The JWT feature enables JSON API support for all of the other features
|
1323
|
-
that Rodauth ships with.
|
1325
|
+
that Rodauth ships with. If you would like JSON API access that still uses
|
1326
|
+
rack session for storing session data, enable the JSON feature instead:
|
1327
|
+
|
1328
|
+
plugin :rodauth, :json=>true do
|
1329
|
+
enable :login, :logout, :json
|
1330
|
+
only_json? true # if you want to only handle JSON requests
|
1331
|
+
end
|
1324
1332
|
|
1325
1333
|
=== Adding Custom Methods to the +rodauth+ Object
|
1326
1334
|
|
data/doc/base.rdoc
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
= Documentation for Base Feature
|
2
2
|
|
3
3
|
The base feature is automatically loaded when you use Rodauth. It contains
|
4
|
-
shared functionality that is used by multiple features.
|
4
|
+
shared functionality that is used by multiple features.
|
5
5
|
|
6
6
|
== Auth Value Methods
|
7
7
|
|
@@ -88,6 +88,7 @@ account_session_value :: The primary value of the current account to store in th
|
|
88
88
|
after_login :: Run arbitrary code after a successful login.
|
89
89
|
after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
|
90
90
|
already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
|
91
|
+
around_rodauth(&block) :: Run arbitrary code around handling any rodauth route. Call <tt>super(&block)</tt> for Rodauth to handle the action.
|
91
92
|
authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
|
92
93
|
before_login :: Run arbitrary code after password has been checked, but before updating the session.
|
93
94
|
before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.
|
data/doc/json.rdoc
ADDED
@@ -0,0 +1,47 @@
|
|
1
|
+
= Documentation for JSON Feature
|
2
|
+
|
3
|
+
The json feature adds support for JSON API access for all other
|
4
|
+
features that ship with Rodauth.
|
5
|
+
|
6
|
+
When this feature is used, all other features become accessible via a
|
7
|
+
JSON API. The JSON API uses the POST method for all requests, using
|
8
|
+
the same parameter names as the features uses. JSON API requests to
|
9
|
+
Rodauth endpoints that use a method other than POST will result in a
|
10
|
+
405 Method Not Allowed response.
|
11
|
+
|
12
|
+
Responses are returned as JSON hashes. In case of an error, the +error+
|
13
|
+
entry is set to an error message, and the <tt>field-error</tt> entry is set to
|
14
|
+
an array containing the field name and the error message for that field.
|
15
|
+
Successful requests by default store a +success+ entry with a success
|
16
|
+
message, though that can be disabled.
|
17
|
+
|
18
|
+
The session state is managed in the rack session, so make sure that
|
19
|
+
CSRF protection is enabled. This will be the case when passing the
|
20
|
+
<tt>json: true</tt> option when loading the rodauth plugin. If you
|
21
|
+
want to only handle JSON requests, set <tt>only_json? true</tt> in
|
22
|
+
your rodauth configuration.
|
23
|
+
|
24
|
+
If you want token-based authentication sent via the Authorization
|
25
|
+
header, consider using the jwt feature.
|
26
|
+
|
27
|
+
== Auth Value Methods
|
28
|
+
|
29
|
+
json_accept_regexp :: The regexp to use to check the Accept header for JSON if +json_check_accept?+ is true.
|
30
|
+
json_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default.
|
31
|
+
json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
|
32
|
+
json_not_accepted_error_message :: The error message to display if +json_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
|
33
|
+
json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
|
34
|
+
json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
|
35
|
+
json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
|
36
|
+
json_response_error_key :: The JSON result key containing an error message, +error+ by default.
|
37
|
+
json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
|
38
|
+
json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
|
39
|
+
json_response_success_key :: The JSON result key containing a success message for successful request, if set. +success+ by default.
|
40
|
+
non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
|
41
|
+
only_json? :: Whether to have Rodauth only allow JSON requests. True by default if <tt>json: :only</tt> option was given when loading the plugin. If set, rodauth endpoints will issue an error for non-JSON requests.
|
42
|
+
use_json? :: Whether to return a JSON response. By default, a JSON response is returned if +only_json?+ is true, or if the request uses a json content type.
|
43
|
+
|
44
|
+
== Auth Methods
|
45
|
+
|
46
|
+
json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
|
47
|
+
json_response_body(hash) :: The body to use for JSON response. By default just converts hash to JSON. Can be used to reformat JSON output in arbitrary ways.
|
data/doc/jwt.rdoc
CHANGED
@@ -2,19 +2,7 @@
|
|
2
2
|
|
3
3
|
The jwt feature adds support for JSON API access for all other features
|
4
4
|
that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
|
5
|
-
session information.
|
6
|
-
|
7
|
-
When this feature is used, all other features become accessible via a
|
8
|
-
JSON API. The JSON API uses the POST method for all requests, using
|
9
|
-
the same parameter names as the features uses. JSON API requests to
|
10
|
-
Rodauth endpoints that use a method other than POST will result in a
|
11
|
-
405 Method Not Allowed response.
|
12
|
-
|
13
|
-
Responses are returned as JSON hashes. In case of an error, the +error+
|
14
|
-
entry is set to an error message, and the <tt>field-error</tt> entry is set to
|
15
|
-
an array containing the field name and the error message for that field.
|
16
|
-
Successful requests by default store a +success+ entry with a success
|
17
|
-
message, though that can be disabled.
|
5
|
+
session information. It depends on the json feature.
|
18
6
|
|
19
7
|
In order to use this feature, you have to set the +jwt_secret+ configuration
|
20
8
|
option the secret used to cryptographically protect the token.
|
@@ -41,32 +29,17 @@ from +rodauth.session+.
|
|
41
29
|
== Auth Value Methods
|
42
30
|
|
43
31
|
invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
|
44
|
-
json_accept_regexp :: The regexp to use to check the Accept header for JSON if +jwt_check_accept?+ is true.
|
45
|
-
json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
|
46
|
-
json_not_accepted_error_message :: The error message to display if +jwt_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
|
47
|
-
json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
|
48
|
-
json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
|
49
|
-
json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
|
50
|
-
json_response_error_key :: The JSON result key containing an error message, +error+ by default.
|
51
|
-
json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
|
52
|
-
json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
|
53
|
-
json_response_success_key :: The JSON result key containing a success message for successful request, if set. +success+ by default.
|
54
32
|
jwt_algorithm :: The JWT algorithm to use, +HS256+ by default.
|
55
33
|
jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches. By default, HTTP Basic and Digest authentication are ignored.
|
56
34
|
jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT. By default, a Bearer prefix is removed.
|
57
|
-
jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default, can be set to false for backwards compatibility with Rodauth 1.
|
58
35
|
jwt_decode_opts :: An optional hash to pass to +JWT.decode+. Can be used to set JWT verifiers.
|
59
36
|
jwt_secret :: The JWT secret to use. Access to this should be protected the same as a session secret.
|
60
37
|
jwt_session_key :: A key to nest the session hash under in the JWT payload. nil by default, for no nesting.
|
61
38
|
jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply. false by default.
|
62
|
-
non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
|
63
|
-
only_json? :: Whether to have Rodauth only allow JSON requests. True by default if <tt>json: :only</tt> option was given when loading the plugin. If set, rodauth endpoints will issue an error for non-JSON requests.
|
64
39
|
use_jwt? :: Whether to use the JWT in the Authorization header for authentication information. If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if +only_json?+ is true, or if the request uses a json content type.
|
65
40
|
|
66
41
|
== Auth Methods
|
67
42
|
|
68
|
-
json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
|
69
|
-
json_response_body(hash) :: The body to use for JSON response. By default just converts hash to JSON. Can be used to reformat JSON output in arbitrary ways.
|
70
43
|
jwt_session_hash :: The session hash used to create the session_jwt. Can be used to set JWT claims.
|
71
44
|
jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
|
72
45
|
session_jwt :: An encoded JWT for the current session.
|
data/doc/jwt_refresh.rdoc
CHANGED
@@ -21,19 +21,27 @@ a value of <tt>all</tt> as the token value.
|
|
21
21
|
|
22
22
|
When using the refresh token, you must provide a valid access token, as that contains
|
23
23
|
information about the current session, which is used to create the new access token.
|
24
|
+
If you change the +allow_refresh_with_expired_jwt_access_token?+ setting to +true+,
|
25
|
+
an expired but otherwise valid access token will be accepted, and Rodauth will check
|
26
|
+
that the access token was issued in the same session as the refresh token.
|
24
27
|
|
25
28
|
This feature depends on the jwt feature.
|
26
29
|
|
27
30
|
== Auth Value Methods
|
28
31
|
|
32
|
+
allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+. You must set an +hmac_secret+ if setting this value to +true+.
|
33
|
+
expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
|
34
|
+
expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
|
29
35
|
jwt_access_token_key :: Name of the key in the response json holding the access token. Default is +access_token+.
|
30
36
|
jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
|
31
37
|
jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
|
32
38
|
jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
|
33
39
|
jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
|
34
40
|
jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
|
41
|
+
jwt_refresh_token_data_session_key :: The key in the session hash storing random data, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
|
35
42
|
jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
|
36
43
|
jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
|
44
|
+
jwt_refresh_token_hmac_session_key :: The key in the session hash storing the hmac, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
|
37
45
|
jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
|
38
46
|
jwt_refresh_token_key :: Name of the key in the response json holding the refresh token. Default is +refresh_token+.
|
39
47
|
jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
|
data/doc/login.rdoc
CHANGED
@@ -34,4 +34,5 @@ use_multi_phase_login? :: Whether to ask for login first, and only ask for passw
|
|
34
34
|
|
35
35
|
before_login_route :: Run arbitrary code before handling a login route.
|
36
36
|
login_view :: The HTML to use for the login form.
|
37
|
+
login_return_to_requested_location_path :: If +login_return_to_requested_location?+ is true, the path to use as the requested location. By default, uses the full path of the request for GET requests, and is nil for non-GET requests (in which case the default +login_redirect+ will be used).
|
37
38
|
multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.
|
data/doc/recovery_codes.rdoc
CHANGED
@@ -17,7 +17,8 @@ add_recovery_codes_error_flash :: The flash error to show when adding recovery c
|
|
17
17
|
add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
|
18
18
|
add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
|
19
19
|
add_recovery_codes_param :: The parameter name to use for adding recovery codes.
|
20
|
-
auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when
|
20
|
+
auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when enabling otp, webauthn, or sms authentication (false by default).
|
21
|
+
auto_remove_recovery_codes? :: Whether to automatically remove recovery codes when disabling otp, webauthn, or sms authentication and not having one of the other two authentication methods enabled (false by default).
|
21
22
|
invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
|
22
23
|
invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
|
23
24
|
recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.
|
@@ -0,0 +1,20 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* A login_return_to_requested_location_path configuration method has
|
4
|
+
been added to the login feature. This controls the path to redirect
|
5
|
+
to if using login_return_to_requested_location?. By default, this
|
6
|
+
is the same as the fullpath of the request that required login if
|
7
|
+
that request was a GET request, and nil if that request was not a
|
8
|
+
GET request. Previously, the fullpath of that request was used even
|
9
|
+
if it was not a GET request, which caused problems as browsers use a
|
10
|
+
GET request for redirects, and it is a bad idea to redirect to a path
|
11
|
+
that may not handle GET requests.
|
12
|
+
|
13
|
+
* A change_login_needs_verification_notice_flash configuration method
|
14
|
+
has been added to the verify_login_change feature, for allowing
|
15
|
+
translations when using the feature and not using the
|
16
|
+
change_login_notice_flash configuration method.
|
17
|
+
|
18
|
+
= Other Improvements
|
19
|
+
|
20
|
+
* new_password_label is now translatable.
|
@@ -0,0 +1,37 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An around_rodauth configuration method has been added, which is
|
4
|
+
called around all Rodauth actions. This configuration method
|
5
|
+
is passed a block, and is useful for cases where you want to wrap
|
6
|
+
Rodauth's handling of the request.
|
7
|
+
|
8
|
+
For example, if you had a method named time_block in your Roda scope
|
9
|
+
that timed block execution and added a response header, you could
|
10
|
+
time Rodauth actions using something like:
|
11
|
+
|
12
|
+
around_rodauth do |&block|
|
13
|
+
scope.time_block('Rodauth') do
|
14
|
+
super(&block)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
* The allow_refresh_with_expired_jwt_access_token? configuration has
|
19
|
+
been added to the jwt_refresh feature, allowing refreshing with an
|
20
|
+
expired but otherwise valid access token. When using this method,
|
21
|
+
it is required to have an hmac_secret specified, so that Rodauth
|
22
|
+
can make sure the access token matches the refresh token.
|
23
|
+
|
24
|
+
= Other Improvements
|
25
|
+
|
26
|
+
* The javascript for setting up a WebAuthn token has been fixed to
|
27
|
+
allow it to work correctly if there is already an existing
|
28
|
+
WebAuthn token for the account.
|
29
|
+
|
30
|
+
* The rodauth.setup_account_verification method has been promoted to
|
31
|
+
public API. You can use this method for automatically sending
|
32
|
+
account verification emails when automatically creating accounts.
|
33
|
+
|
34
|
+
* Rodauth no longer loads the same feature multiple times into a
|
35
|
+
single configuration. This didn't cause any problems before, but
|
36
|
+
could result in duplicate entries when looking at the loaded
|
37
|
+
features.
|
@@ -0,0 +1,33 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An auto_remove_recovery_codes? configuration method has been added
|
4
|
+
to the recovery_codes feature. This will automatically remove
|
5
|
+
recovery codes when the last multifactor authentication type other
|
6
|
+
than the recovery codes has been removed.
|
7
|
+
|
8
|
+
* The jwt_access_expired_status and expired_jwt_access_token_message
|
9
|
+
configuration methods have been added to the jwt_refresh feature,
|
10
|
+
for supporting custom statuses and messages for expired tokens.
|
11
|
+
|
12
|
+
= Other Improvements
|
13
|
+
|
14
|
+
* Rodauth will no longer attempt to require a feature that has
|
15
|
+
already been required. Related to this is you can now use a
|
16
|
+
a custom Rodauth feature without a rodauth/features/*.rb file
|
17
|
+
in the Ruby library path, as long as you load the feature
|
18
|
+
manually.
|
19
|
+
|
20
|
+
* Rodauth now avoids method redefinition warnings in verbose
|
21
|
+
warning mode. As Ruby 3 is dropping uninitialized instance
|
22
|
+
variable warnings, Rodauth will be verbose warning free in
|
23
|
+
Ruby 3.
|
24
|
+
|
25
|
+
= Backwards Compatibility
|
26
|
+
|
27
|
+
* The default remember cookie path is now set to '/'. This fixes
|
28
|
+
usage in the case where rodauth is loaded under a subpath of the
|
29
|
+
application (which is not the default behavior). Unfortunately,
|
30
|
+
this change can negatively affect cases where multiple rodauth
|
31
|
+
configurations are used in separate paths on the same domain.
|
32
|
+
In these cases, you should now use remember_cookie_options and
|
33
|
+
include a :path option.
|
@@ -0,0 +1,20 @@
|
|
1
|
+
= Improvements
|
2
|
+
|
3
|
+
* HttpOnly is now set by default on the remember cookie, so it is no
|
4
|
+
longer accessible from Javascript. This is a more secure approach
|
5
|
+
that makes applications using Rodauth's remember feature less
|
6
|
+
vulnerable in case they are subject to a separate XSS attack.
|
7
|
+
|
8
|
+
* When using the jwt feature, rodauth.clear_session now clears the
|
9
|
+
JWT session even when the Roda sessions plugin was in use. In most
|
10
|
+
cases, the jwt feature is not used with the Roda sessions plugin,
|
11
|
+
but in cases where the same application serves as both an JSON API
|
12
|
+
and as a HTML site, it is possible the two may be used together.
|
13
|
+
|
14
|
+
= Backwards Compatibility
|
15
|
+
|
16
|
+
* As the default remember cookie :httponly setting is now set to true,
|
17
|
+
applications using Rodauth that expected to be able to access the
|
18
|
+
remember cookie from Javascript will no longer work by default.
|
19
|
+
In these cases, you should now use remember_cookie_options and
|
20
|
+
include a :httponly=>false option.
|
@@ -0,0 +1,21 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* A json feature has been extracted from the existing jwt feature.
|
4
|
+
This feature allows for the same JSON API previously supported
|
5
|
+
by the JWT feature, but stores the session information in the
|
6
|
+
Rack session instead of in a separate JWT. This makes it
|
7
|
+
significantly easier to have certain pages use the JSON API,
|
8
|
+
and other pages the HTML forms.
|
9
|
+
|
10
|
+
= Other Improvements
|
11
|
+
|
12
|
+
* If the remember cookie is created in an SSL request, the Secure
|
13
|
+
flag is added by default, so the cookie will not be transmitted
|
14
|
+
in non-SSL requests.
|
15
|
+
|
16
|
+
= Backwards Compatibility
|
17
|
+
|
18
|
+
* Rodauth configurations that use the remember feature and support
|
19
|
+
requests over both http and https and want to have the remember
|
20
|
+
cookie transmitted over both should now include :secure=>false in
|
21
|
+
remember_cookie_options.
|
data/doc/remember.rdoc
CHANGED
@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
|
|
35
35
|
remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
|
36
36
|
remember_button :: The text to use for the change remember settings button.
|
37
37
|
remember_cookie_key :: The cookie name to use for the remember token.
|
38
|
-
remember_cookie_options :: Any options to set for the remember cookie.
|
38
|
+
remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
|
39
39
|
remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
|
40
40
|
remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default. Only used if +set_deadline_values?+ is true.
|
41
41
|
remember_disable_label :: The label for disabling remembering.
|
@@ -14,6 +14,7 @@ control. Depends on the change login and email base features.
|
|
14
14
|
== Auth Value Methods
|
15
15
|
|
16
16
|
no_matching_verify_login_change_key_error_flash :: The flash error message to show when an invalid verify login change key is used.
|
17
|
+
change_login_needs_verification_notice_flash :: The flash notice to show after changing a login when using this feature, if +change_login_notice_flash+ is not overridden.
|
17
18
|
verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
|
18
19
|
verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
|
19
20
|
verify_login_change_button :: The text to use for the verify login change button.
|
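--- a/data/javascript/webauthn_auth.js
+++ b/data/javascript/webauthn_auth.js
@@ -1,34 +1,34 @@
 (function() {
+var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
 var element = document.getElementById('webauthn-auth-form');
 var f = function(e) {
 //console.log(e);
 e.preventDefault();
 if (navigator.credentials) {
 var opts = JSON.parse(element.getAttribute("data-credential-options"));
-opts.challenge =
-opts.allowCredentials.forEach(function(cred) {
-cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-});
+opts.challenge = unpack(opts.challenge);
+opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
 //console.log(opts);
 navigator.credentials.get({publicKey: opts}).
 then(function(cred){
 //console.log(cred);
 //window.cred = cred
 
-var rawId =
+var rawId = pack(cred.rawId);
 var authValue = {
 type: cred.type,
 id: rawId,
 rawId: rawId,
 response: {
-authenticatorData:
-clientDataJSON:
-signature:
+authenticatorData: pack(cred.response.authenticatorData),
+clientDataJSON: pack(cred.response.clientDataJSON),
+signature: pack(cred.response.signature)
 }
 };
 
 if (cred.response.userHandle) {
-authValue.response.userHandle =
+authValue.response.userHandle = pack(cred.response.userHandle);
 }
 
 document.getElementById('webauthn-auth').value = JSON.stringify(authValue);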
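Review bot: The new `opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });` on line 11 still assumes the server-supplied credential options always carry `allowCredentials`; if that field is ever omitted (it is optional in the WebAuthn request options, e.g. for discoverable credentials), the handler throws before `navigator.credentials.get` is reached and the form silently stops working. A one-line guard keeps the new helper-based form: `(opts.allowCredentials || []).forEach(function(cred) { cred.id = unpack(cred.id); });`. The `pack`/`unpack` helpers on lines 2–3 also deserve a comment naming the encoding they implement, e.g. `// base64url (RFC 4648 §5, unpadded) <-> byte array; must match the server-side encoding of the challenge and credential ids`, since a mismatch here surfaces only as a failed assertion rather than a clear error. Note that `f` and the enclosing IIFE continue past line 34, outside this hunk, so the promise's rejection handling cannot be assessed here.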