rodauth 2.4.0 → 2.9.0

data/javascript/webauthn_setup.js

@@ -1,26 +1,29 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-setup-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.challenge = unpack(opts.challenge);
+      opts.user.id = unpack(opts.user.id);
+      opts.excludeCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.create({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
-          
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+
+          var rawId = pack(cred.rawId);
           document.getElementById('webauthn-setup').value = JSON.stringify({
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              attestationObject: pack(cred.response.attestationObject),
+              clientDataJSON: pack(cred.response.clientDataJSON)
             }
           });
           element.removeEventListener("submit", f);

data/lib/rodauth.rb

@@ -66,6 +66,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
 
@@ -74,6 +75,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, umeth, &block)
         @auth.send(:private, umeth)
+        @auth.send(:alias_method, umeth, umeth)
       end
     end
 
@@ -82,6 +84,7 @@ module Rodauth
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
   end
@@ -120,8 +123,10 @@ module Rodauth
       define_method(handle_meth) do
         request.is send(route_meth) do
           check_csrf if check_csrf?
-          before_rodauth
-          send(internal_handle_meth, request)
+          _around_rodauth do
+            before_rodauth
+            send(internal_handle_meth, request)
+          end
         end
       end
 
@@ -238,6 +243,7 @@ module Rodauth
           instance_variable_set(iv, send(umeth))
         end
       end
+      alias_method(meth, meth)
       auth_private_methods(meth)
     end
 
@@ -288,15 +294,17 @@ module Rodauth
     end
 
     def enable(*features)
-      new_features = features - @auth.features
-      new_features.each{|f| load_feature(f)}
-      @auth.features.concat(new_features)
+      features.each do |feature|
+        next if @auth.features.include?(feature)
+        load_feature(feature)
+        @auth.features << feature
+      end
     end
 
     private
 
     def load_feature(feature_name)
-      require "rodauth/features/#{feature_name}"
+      require "rodauth/features/#{feature_name}" unless FEATURES[feature_name]
       feature = FEATURES[feature_name]
       enable(*feature.dependencies)
       extend feature.configuration

data/lib/rodauth/features/base.rb

@@ -102,7 +102,6 @@ module Rodauth
       :set_redirect_error_flash,
       :set_title,
       :translate,
-      :unverified_account_message,
       :update_session
     )
 
@@ -111,7 +110,8 @@ module Rodauth
       :account_from_session,
       :field_attributes,
       :field_error_attributes,
-      :formatted_field_error
+      :formatted_field_error,
+      :around_rodauth
     )
 
     configuration_module_eval do
@@ -260,6 +260,7 @@ module Rodauth
       @password_field_autocomplete_value || 'current-password'
     end
 
+    alias account_password_hash_column account_password_hash_column
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -459,6 +460,10 @@ module Rodauth
 
     private
 
+    def _around_rodauth
+      yield
+    end
+
     def database_function_password_match?(name, hash_id, password, salt)
       db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
     end

data/lib/rodauth/features/change_password.rb

@@ -14,7 +14,7 @@ module Rodauth
     button 'Change Password'
     redirect
 
-    auth_value_method :new_password_label, 'New Password'
+    translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
 
     auth_value_methods(

data/lib/rodauth/features/confirm_password.rb

@@ -26,11 +26,11 @@ module Rodauth
       require_account_session
       before_confirm_password_route
 
-      request.get do
+      r.get do
         confirm_password_view
       end
 
-      request.post do
+      r.post do
         if password_match?(param(password_param))
           transaction do
             before_confirm_password

data/lib/rodauth/features/json.rb

@@ -0,0 +1,189 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:json, :Json) do
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
+    auth_value_method :json_check_accept?, true
+    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
+    auth_value_method :json_response_content_type, 'application/json'
+    auth_value_method :json_response_custom_error_status?, true
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, "success"
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+
+    auth_value_methods(
+      :only_json?,
+      :use_json?,
+    )
+
+    auth_methods(
+      :json_request?,
+    )
+
+    auth_private_methods :json_response_body
+
+    def set_field_error(field, message)
+      return super unless use_json?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+
+    def set_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_redirect_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_notice_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def set_notice_now_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def use_json?
+      json_request? || only_json?
+    end
+
+    def view(page, title)
+      return super unless use_json?
+      return_json_response
+    end
+
+    private
+
+    def before_view_recovery_codes
+      super if defined?(super)
+      if use_json?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
+    def before_otp_setup_route
+      super if defined?(super)
+      if use_json? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
+        _otp_tmp_key(otp_new_secret)
+        json_response[otp_setup_param] = otp_user_key
+        json_response[otp_setup_raw_param] = otp_key
+      end
+    end
+
+    def before_rodauth
+      if json_request?
+        if json_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
+          response.status = 406
+          json_response[json_response_error_key] = json_not_accepted_error_message
+          _return_json_response
+        end
+
+        unless request.post?
+          response.status = 405
+          response.headers['Allow'] = 'POST'
+          json_response[json_response_error_key] = json_non_post_error_message
+          return_json_response
+        end
+      elsif only_json?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+
+      super
+    end
+
+    def redirect(_)
+      return super unless use_json?
+      return_json_response
+    end
+
+    def return_json_response
+      _return_json_response
+    end
+
+    def _return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response['Content-Type'] ||= json_response_content_type
+      response.write(_json_response_body(json_response))
+      request.halt
+    end
+
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+
+    def _json_response_body(hash)
+      request.send(:convert_to_json, hash)
+    end
+
+    def json_response
+      @json_response ||= {}
+    end
+
+    def set_redirect_error_status(status)
+      if use_json? && json_response_custom_error_status?
+        response.status = status
+      end
+    end
+
+    def set_response_error_status(status)
+      if use_json? && !json_response_custom_error_status?
+        status = json_response_error_status
+      end
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/jwt.rb

@@ -4,41 +4,29 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
+    depends :json
+
     translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
-    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
-    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
-    auth_value_method :json_response_content_type, 'application/json'
-    auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, true
-    auth_value_method :json_response_error_key, "error"
-    auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, true
     auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
-      :only_json?,
       :jwt_secret,
       :use_jwt?
     )
 
     auth_methods(
-      :json_request?,
       :jwt_session_hash,
       :jwt_token,
       :session_jwt,
       :set_jwt_token
     )
 
-    auth_private_methods :json_response_body
+    def_deprecated_alias :json_check_accept?, :jwt_check_accept?
 
     def session
       return @session if defined?(@session)
@@ -47,11 +35,8 @@ module Rodauth
       s = {}
       if jwt_token
         unless session_data = jwt_payload
-          json_response[json_response_error_key] = invalid_jwt_format_error_message
-          response.status ||= json_response_error_status
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
+          json_response[json_response_error_key] ||= invalid_jwt_format_error_message
+          _return_json_response
         end
 
         if jwt_session_key
@@ -73,37 +58,10 @@ module Rodauth
 
     def clear_session
       super
-      set_jwt if use_jwt?
-    end
-
-    def set_field_error(field, message)
-      return super unless use_jwt?
-      json_response[json_response_field_error_key] = [field, message]
-    end
-
-    def set_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_redirect_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_notice_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def set_notice_now_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def json_request?
-      return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ json_request_content_type_regexp
+      if use_jwt?
+        session.clear
+        set_jwt
+      end
     end
 
     def jwt_secret
@@ -131,16 +89,15 @@ module Rodauth
     end
 
     def use_jwt?
-      jwt_token || only_json? || json_request?
+      use_json?
     end
 
-    def valid_jwt?
-      !!(jwt_token && jwt_payload)
+    def use_json?
+      jwt_token || super
     end
 
-    def view(page, title)
-      return super unless use_jwt?
-      return_json_response
+    def valid_jwt?
+      !!(jwt_token && jwt_payload)
     end
 
     private
@@ -150,99 +107,19 @@ module Rodauth
       super
     end
 
-    def before_rodauth
-      if json_request?
-        if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
-          response.status = 406
-          json_response[json_response_error_key] = json_not_accepted_error_message
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
-        end
-
-        unless request.post?
-          response.status = 405
-          response.headers['Allow'] = 'POST'
-          json_response[json_response_error_key] = json_non_post_error_message
-          return_json_response
-        end
-      elsif only_json?
-        response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
-      end
-
-      super
-    end
-
-    def before_view_recovery_codes
-      super if defined?(super)
-      if use_jwt?
-        json_response[:codes] = recovery_codes
-        json_response[json_response_success_key] ||= "" if include_success_messages?
-      end
-    end
-
-    def before_webauthn_setup_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_setup_param)
-        cred = new_webauthn_credential
-        json_response[webauthn_setup_param] = cred.as_json
-        json_response[webauthn_setup_challenge_param] = cred.challenge
-        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_auth_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_login_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_remove_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_remove_param)
-        json_response[webauthn_remove_param] = account_webauthn_usage
-      end
-    end
-
-    def before_otp_setup_route
-      super if defined?(super)
-      if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
-        _otp_tmp_key(otp_new_secret)
-        json_response[otp_setup_param] = otp_user_key
-        json_response[otp_setup_raw_param] = otp_key
-      end
+    def _jwt_decode_opts
+      jwt_decode_opts
     end
 
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
-    rescue JWT::DecodeError
-      @jwt_payload = false
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+    rescue JWT::DecodeError => e
+      rescue_jwt_payload(e)
     end
 
-    def redirect(_)
-      return super unless use_jwt?
-      return_json_response
-    end
-
-    def include_success_messages?
-      !json_response_success_key.nil?
+    def rescue_jwt_payload(_)
+      @jwt_payload = false
     end
 
     def set_session_value(key, value)
@@ -257,38 +134,13 @@ module Rodauth
       value
     end
 
-    def json_response
-      @json_response ||= {}
-    end
-
-    def _json_response_body(hash)
-      request.send(:convert_to_json, hash)
-    end
-
     def return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
       set_jwt
-      response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      super
     end
 
     def set_jwt
       set_jwt_token(session_jwt)
     end
-
-    def set_redirect_error_status(status)
-      if use_jwt? && json_response_custom_error_status?
-        response.status = status
-      end
-    end
-
-    def set_response_error_status(status)
-      if use_jwt? && !json_response_custom_error_status?
-        status = json_response_error_status
-      end
-
-      super
-    end
   end
 end