rodauth 2.4.0 → 2.9.0

data/lib/rodauth/features/jwt_refresh.rb

@@ -7,6 +7,9 @@ module Rodauth
     after 'refresh_token'
     before 'refresh_token'
 
+    auth_value_method :allow_refresh_with_expired_jwt_access_token?, false
+    session_key :jwt_refresh_token_data_session_key, :jwt_refresh_token_data
+    session_key :jwt_refresh_token_hmac_session_key, :jwt_refresh_token_hash
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
@@ -21,12 +24,15 @@ module Rodauth
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
     translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
     auth_value_method :jwt_refresh_without_access_token_status, 401
+    translatable_method :expired_jwt_access_token_message, "expired JWT access token"
+    auth_value_method :expired_jwt_access_token_status, 400
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      @jwt_refresh_route = true
       before_jwt_refresh_route
 
       r.post do
@@ -38,17 +44,15 @@ module Rodauth
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            set_jwt_refresh_token_hmac_session_key(formatted_token)
             json_response[jwt_refresh_token_key] = formatted_token
             json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
-          response.status ||= json_response_error_status
         end
-        response['Content-Type'] ||= json_response_content_type
-        response.write(_json_response_body(json_response))
-        request.halt
+        _return_json_response
       end
     end
 
@@ -58,7 +62,9 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      json_response['refresh_token'] = generate_refresh_token
+      token = json_response[jwt_refresh_token_key] = generate_refresh_token
+
+      set_jwt_refresh_token_hmac_session_key(token)
     end
 
     def set_jwt_token(token)
@@ -85,12 +91,33 @@ module Rodauth
 
     private
 
+    def rescue_jwt_payload(e)
+      if e.instance_of?(JWT::ExpiredSignature)
+        begin
+          # Some versions of jwt will raise JWT::ExpiredSignature even when the
+          # JWT is invalid for other reasons.  Make sure the expiration is the
+          # only reason the JWT isn't valid before treating this as an expired token.
+          JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
+        rescue => e
+        else
+          json_response[json_response_error_key] = expired_jwt_access_token_message
+          response.status ||= expired_jwt_access_token_status
+        end
+      end
+
+      super
+    end
+
     def _account_from_refresh_token(token)
       id, token_id, key = _account_refresh_token_split(token)
 
-      return unless key
-      return unless actual = get_active_refresh_token(id, token_id)
-      return unless timing_safe_eql?(key, convert_token_key(actual))
+      unless key &&
+             (id == session_value.to_s) &&
+             (actual = get_active_refresh_token(id, token_id)) &&
+             timing_safe_eql?(key, convert_token_key(actual)) &&
+             jwt_refresh_token_match?(key)
+        return
+      end
 
       ds = account_ds(id)
       ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
@@ -107,6 +134,23 @@ module Rodauth
       [id, token_id, key]
     end
 
+    def _jwt_decode_opts
+      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+        Hash[super].merge!(:verify_expiration=>false)
+      else
+        super
+      end
+    end
+
+    def jwt_refresh_token_match?(key)
+      # We don't need to match tokens if we are requiring a valid current access token
+      return true unless allow_refresh_with_expired_jwt_access_token?
+
+      # If allowing with expired jwt access token, check the expired session contains
+      # hmac matching submitted and active refresh token.
+      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -130,8 +174,7 @@ module Rodauth
     end
 
     def remove_jwt_refresh_token_key(token)
-      account_id, token = split_token(token)
-      token_id, _ = split_token(token)
+      account_id, token_id, _ = _account_refresh_token_split(token)
       jwt_refresh_token_account_token_ds(account_id, token_id).delete
     end
 
@@ -146,6 +189,15 @@ module Rodauth
       hash
     end
 
+    def set_jwt_refresh_token_hmac_session_key(token)
+      if allow_refresh_with_expired_jwt_access_token?
+        key = _account_refresh_token_split(token).last
+        data = random_key
+        set_session_value(jwt_refresh_token_data_session_key, data)
+        set_session_value(jwt_refresh_token_hmac_session_key, compute_hmac(data + key))
+      end
+    end
+
     def before_logout
       if token = param_or_nil(jwt_refresh_token_key_param)
         if token == 'all'
@@ -154,9 +206,7 @@ module Rodauth
           id, token_id, key = _account_refresh_token_split(token)
 
           if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
-            jwt_refresh_token_account_ds(id).
-              where(jwt_refresh_token_id_column=>token_id).
-              delete
+            jwt_refresh_token_account_token_ds(id, token_id).delete
           end
         end
       end

data/lib/rodauth/features/login.rb

@@ -23,6 +23,8 @@ module Rodauth
     auth_cached_method :login_form_footer_links
     auth_cached_method :login_form_footer
 
+    auth_value_methods :login_return_to_requested_location_path
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -85,12 +87,16 @@ module Rodauth
     end
 
     def login_required
-      if login_return_to_requested_location?
-        set_session_value(login_redirect_session_key, request.fullpath)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+        set_session_value(login_redirect_session_key, path)
       end
       super
     end
 
+    def login_return_to_requested_location_path
+      request.fullpath if request.get?
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
       if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])

data/lib/rodauth/features/otp.rb

@@ -76,9 +76,7 @@ module Rodauth
     )
 
     auth_methods(
-      :otp,
       :otp_exists?,
-      :otp_key,
       :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,

data/lib/rodauth/features/recovery_codes.rb

@@ -34,6 +34,7 @@ module Rodauth
     auth_value_method :add_recovery_codes_param, 'add'
     translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :auto_add_recovery_codes?, false
+    auth_value_method :auto_remove_recovery_codes?, false
     translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
@@ -56,7 +57,6 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
-      :recovery_codes
     )
 
     route(:recovery_auth) do |r|
@@ -213,6 +213,21 @@ module Rodauth
       super
     end
 
+    def after_otp_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_sms_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_webauthn_remove
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
     def new_recovery_code
       random_key
     end
@@ -227,6 +242,12 @@ module Rodauth
       end
     end
 
+    def auto_remove_recovery_codes
+      if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+        recovery_codes_remove
+      end
+    end
+
     def _recovery_codes
       recovery_codes_ds.select_map(recovery_codes_column)
     end

data/lib/rodauth/features/remember.rb

@@ -132,11 +132,16 @@ module Rodauth
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def forget_login
-      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+      opts = Hash[remember_cookie_options]
+      opts[:path] = "/" unless opts.key?(:path)
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def get_remember_key

data/lib/rodauth/features/verify_account.rb

@@ -47,7 +47,6 @@ module Rodauth
       :get_verify_account_key,
       :get_verify_account_email_last_sent,
       :remove_verify_account_key,
-      :resend_verify_account_view,
       :send_verify_account_email,
       :set_verify_account_email_last_sent,
       :verify_account,
@@ -245,6 +244,12 @@ module Rodauth
       end
     end
 
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
+
     private
 
     def _login_form_footer_links
@@ -276,12 +281,6 @@ module Rodauth
       super
     end
 
-    def setup_account_verification
-      generate_verify_account_key_value
-      create_verify_account_key
-      send_verify_account_email
-    end
-
     def verify_account_check_already_logged_in
       check_already_logged_in
     end

data/lib/rodauth/features/verify_login_change.rb

@@ -8,6 +8,7 @@ module Rodauth
     error_flash "Unable to change login as there is already an account with the new login", 'verify_login_change_duplicate_account'
     error_flash "There was an error verifying your login change: invalid verify login change key", 'no_matching_verify_login_change_key'
     notice_flash "Your login change has been verified"
+    notice_flash "An email has been sent to you with a link to verify your login change", 'change_login_needs_verification'
     loaded_templates %w'verify-login-change verify-login-change-email'
     view 'verify-login-change', 'Verify Login Change'
     additional_form_tags
@@ -131,7 +132,7 @@ module Rodauth
     end
 
     def change_login_notice_flash
-      "An email has been sent to you with a link to verify your login change"
+      change_login_needs_verification_notice_flash
     end
 
     def verify_login_change_old_login

data/lib/rodauth/features/webauthn_verify_account.rb

@@ -29,7 +29,7 @@ module Rodauth
 
     def before_verify_account
       super
-      if features.include?(:jwt) && use_jwt? && !param_or_nil(webauthn_setup_param)
+      if features.include?(:json) && use_json? && !param_or_nil(webauthn_setup_param)
         cred = new_webauthn_credential
         json_response[webauthn_setup_param] = cred.as_json
         json_response[webauthn_setup_challenge_param] = cred.challenge

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 4
+  MINOR = 9
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-21 00:00:00.000000000 Z
+date: 2021-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -237,28 +237,34 @@ extra_rdoc_files:
 - README.rdoc
 - CHANGELOG
 - MIT-LICENSE
-- doc/change_password_notify.rdoc
 - doc/account_expiration.rdoc
+- doc/active_sessions.rdoc
+- doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
-- doc/confirm_password.rdoc
+- doc/change_password_notify.rdoc
 - doc/close_account.rdoc
-- doc/http_basic_auth.rdoc
+- doc/confirm_password.rdoc
 - doc/create_account.rdoc
-- doc/email_base.rdoc
 - doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
-- doc/password_complexity.rdoc
+- doc/email_auth.rdoc
+- doc/email_base.rdoc
+- doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
+- doc/jwt_cors.rdoc
+- doc/jwt_refresh.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
+- doc/login_password_requirements_base.rdoc
 - doc/logout.rdoc
 - doc/otp.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/jwt_cors.rdoc
+- doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/remember.rdoc
 - doc/reset_password.rdoc
@@ -268,17 +274,11 @@ extra_rdoc_files:
 - doc/two_factor_base.rdoc
 - doc/update_password_hash.rdoc
 - doc/verify_account.rdoc
-- doc/email_auth.rdoc
-- doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
-- doc/active_sessions.rdoc
-- doc/audit_logging.rdoc
-- doc/password_pepper.rdoc
-- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
@@ -288,7 +288,14 @@ extra_rdoc_files:
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
 - doc/release_notes/1.16.0.txt
+- doc/release_notes/1.17.0.txt
+- doc/release_notes/1.18.0.txt
+- doc/release_notes/1.19.0.txt
 - doc/release_notes/1.2.0.txt
+- doc/release_notes/1.20.0.txt
+- doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
+- doc/release_notes/1.23.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
@@ -296,17 +303,16 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -348,6 +354,7 @@ files:
 - doc/guides/status_column.rdoc
 - doc/guides/totp_or_recovery.rdoc
 - doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
 - doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
@@ -390,6 +397,11 @@ files:
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -422,6 +434,7 @@ files:
 - lib/rodauth/features/email_auth.rb
 - lib/rodauth/features/email_base.rb
 - lib/rodauth/features/http_basic_auth.rb
+- lib/rodauth/features/json.rb
 - lib/rodauth/features/jwt.rb
 - lib/rodauth/features/jwt_cors.rb
 - lib/rodauth/features/jwt_refresh.rb
@@ -533,7 +546,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications