rodauth 2.5.0 → 2.10.0

data/lib/rodauth/features/jwt.rb

@@ -4,41 +4,29 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
+    depends :json
+
     translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
-    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
-    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
-    auth_value_method :json_response_content_type, 'application/json'
-    auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, true
-    auth_value_method :json_response_error_key, "error"
-    auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, true
     auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
-      :only_json?,
       :jwt_secret,
       :use_jwt?
     )
 
     auth_methods(
-      :json_request?,
       :jwt_session_hash,
       :jwt_token,
       :session_jwt,
       :set_jwt_token
     )
 
-    auth_private_methods :json_response_body
+    def_deprecated_alias :json_check_accept?, :jwt_check_accept?
 
     def session
       return @session if defined?(@session)
@@ -47,11 +35,8 @@ module Rodauth
       s = {}
       if jwt_token
         unless session_data = jwt_payload
-          json_response[json_response_error_key] = invalid_jwt_format_error_message
-          response.status ||= json_response_error_status
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
+          json_response[json_response_error_key] ||= invalid_jwt_format_error_message
+          _return_json_response
         end
 
         if jwt_session_key
@@ -73,37 +58,10 @@ module Rodauth
 
     def clear_session
       super
-      set_jwt if use_jwt?
-    end
-
-    def set_field_error(field, message)
-      return super unless use_jwt?
-      json_response[json_response_field_error_key] = [field, message]
-    end
-
-    def set_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_redirect_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_notice_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def set_notice_now_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def json_request?
-      return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ json_request_content_type_regexp
+      if use_jwt?
+        session.clear
+        set_jwt
+      end
     end
 
     def jwt_secret
@@ -131,16 +89,15 @@ module Rodauth
     end
 
     def use_jwt?
-      jwt_token || only_json? || json_request?
+      use_json?
     end
 
-    def valid_jwt?
-      !!(jwt_token && jwt_payload)
+    def use_json?
+      jwt_token || super
     end
 
-    def view(page, title)
-      return super unless use_jwt?
-      return_json_response
+    def valid_jwt?
+      !!(jwt_token && jwt_payload)
     end
 
     private
@@ -150,99 +107,19 @@ module Rodauth
       super
     end
 
-    def before_rodauth
-      if json_request?
-        if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
-          response.status = 406
-          json_response[json_response_error_key] = json_not_accepted_error_message
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
-        end
-
-        unless request.post?
-          response.status = 405
-          response.headers['Allow'] = 'POST'
-          json_response[json_response_error_key] = json_non_post_error_message
-          return_json_response
-        end
-      elsif only_json?
-        response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
-      end
-
-      super
-    end
-
-    def before_view_recovery_codes
-      super if defined?(super)
-      if use_jwt?
-        json_response[:codes] = recovery_codes
-        json_response[json_response_success_key] ||= "" if include_success_messages?
-      end
-    end
-
-    def before_webauthn_setup_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_setup_param)
-        cred = new_webauthn_credential
-        json_response[webauthn_setup_param] = cred.as_json
-        json_response[webauthn_setup_challenge_param] = cred.challenge
-        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_auth_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_login_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_remove_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_remove_param)
-        json_response[webauthn_remove_param] = account_webauthn_usage
-      end
-    end
-
-    def before_otp_setup_route
-      super if defined?(super)
-      if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
-        _otp_tmp_key(otp_new_secret)
-        json_response[otp_setup_param] = otp_user_key
-        json_response[otp_setup_raw_param] = otp_key
-      end
+    def _jwt_decode_opts
+      jwt_decode_opts
     end
 
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
-    rescue JWT::DecodeError
-      @jwt_payload = false
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+    rescue JWT::DecodeError => e
+      rescue_jwt_payload(e)
     end
 
-    def redirect(_)
-      return super unless use_jwt?
-      return_json_response
-    end
-
-    def include_success_messages?
-      !json_response_success_key.nil?
+    def rescue_jwt_payload(_)
+      @jwt_payload = false
     end
 
     def set_session_value(key, value)
@@ -257,38 +134,13 @@ module Rodauth
       value
     end
 
-    def json_response
-      @json_response ||= {}
-    end
-
-    def _json_response_body(hash)
-      request.send(:convert_to_json, hash)
-    end
-
     def return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
       set_jwt
-      response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      super
     end
 
     def set_jwt
       set_jwt_token(session_jwt)
     end
-
-    def set_redirect_error_status(status)
-      if use_jwt? && json_response_custom_error_status?
-        response.status = status
-      end
-    end
-
-    def set_response_error_status(status)
-      if use_jwt? && !json_response_custom_error_status?
-        status = json_response_error_status
-      end
-
-      super
-    end
   end
 end

data/lib/rodauth/features/jwt_refresh.rb

@@ -7,6 +7,9 @@ module Rodauth
     after 'refresh_token'
     before 'refresh_token'
 
+    auth_value_method :allow_refresh_with_expired_jwt_access_token?, false
+    session_key :jwt_refresh_token_data_session_key, :jwt_refresh_token_data
+    session_key :jwt_refresh_token_hmac_session_key, :jwt_refresh_token_hash
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
@@ -21,12 +24,15 @@ module Rodauth
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
     translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
     auth_value_method :jwt_refresh_without_access_token_status, 401
+    translatable_method :expired_jwt_access_token_message, "expired JWT access token"
+    auth_value_method :expired_jwt_access_token_status, 400
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      @jwt_refresh_route = true
       before_jwt_refresh_route
 
       r.post do
@@ -38,17 +44,15 @@ module Rodauth
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            set_jwt_refresh_token_hmac_session_key(formatted_token)
             json_response[jwt_refresh_token_key] = formatted_token
             json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
           end
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
-          response.status ||= json_response_error_status
         end
-        response['Content-Type'] ||= json_response_content_type
-        response.write(_json_response_body(json_response))
-        request.halt
+        _return_json_response
       end
     end
 
@@ -58,7 +62,9 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      json_response['refresh_token'] = generate_refresh_token
+      token = json_response[jwt_refresh_token_key] = generate_refresh_token
+
+      set_jwt_refresh_token_hmac_session_key(token)
     end
 
     def set_jwt_token(token)
@@ -85,12 +91,33 @@ module Rodauth
 
     private
 
+    def rescue_jwt_payload(e)
+      if e.instance_of?(JWT::ExpiredSignature)
+        begin
+          # Some versions of jwt will raise JWT::ExpiredSignature even when the
+          # JWT is invalid for other reasons.  Make sure the expiration is the
+          # only reason the JWT isn't valid before treating this as an expired token.
+          JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
+        rescue => e
+        else
+          json_response[json_response_error_key] = expired_jwt_access_token_message
+          response.status ||= expired_jwt_access_token_status
+        end
+      end
+
+      super
+    end
+
     def _account_from_refresh_token(token)
       id, token_id, key = _account_refresh_token_split(token)
 
-      return unless key
-      return unless actual = get_active_refresh_token(id, token_id)
-      return unless timing_safe_eql?(key, convert_token_key(actual))
+      unless key &&
+             (id == session_value.to_s) &&
+             (actual = get_active_refresh_token(id, token_id)) &&
+             timing_safe_eql?(key, convert_token_key(actual)) &&
+             jwt_refresh_token_match?(key)
+        return
+      end
 
       ds = account_ds(id)
       ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
@@ -107,6 +134,23 @@ module Rodauth
       [id, token_id, key]
     end
 
+    def _jwt_decode_opts
+      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+        Hash[super].merge!(:verify_expiration=>false)
+      else
+        super
+      end
+    end
+
+    def jwt_refresh_token_match?(key)
+      # We don't need to match tokens if we are requiring a valid current access token
+      return true unless allow_refresh_with_expired_jwt_access_token?
+
+      # If allowing with expired jwt access token, check the expired session contains
+      # hmac matching submitted and active refresh token.
+      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -130,8 +174,7 @@ module Rodauth
     end
 
     def remove_jwt_refresh_token_key(token)
-      account_id, token = split_token(token)
-      token_id, _ = split_token(token)
+      account_id, token_id, _ = _account_refresh_token_split(token)
       jwt_refresh_token_account_token_ds(account_id, token_id).delete
     end
 
@@ -146,6 +189,15 @@ module Rodauth
       hash
     end
 
+    def set_jwt_refresh_token_hmac_session_key(token)
+      if allow_refresh_with_expired_jwt_access_token?
+        key = _account_refresh_token_split(token).last
+        data = random_key
+        set_session_value(jwt_refresh_token_data_session_key, data)
+        set_session_value(jwt_refresh_token_hmac_session_key, compute_hmac(data + key))
+      end
+    end
+
     def before_logout
       if token = param_or_nil(jwt_refresh_token_key_param)
         if token == 'all'
@@ -154,9 +206,7 @@ module Rodauth
           id, token_id, key = _account_refresh_token_split(token)
 
           if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
-            jwt_refresh_token_account_ds(id).
-              where(jwt_refresh_token_id_column=>token_id).
-              delete
+            jwt_refresh_token_account_token_ds(id, token_id).delete
           end
         end
       end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -140,6 +140,10 @@ module Rodauth
       # :nocov:
     end
 
+    def extract_password_hash_cost(hash)
+      hash[4, 2].to_i
+    end
+    
     def password_hash(password)
       BCrypt::Password.create(password, :cost=>password_hash_cost)
     end

data/lib/rodauth/features/otp.rb

@@ -76,9 +76,7 @@ module Rodauth
     )
 
     auth_methods(
-      :otp,
       :otp_exists?,
-      :otp_key,
       :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,

data/lib/rodauth/features/recovery_codes.rb

@@ -34,6 +34,7 @@ module Rodauth
     auth_value_method :add_recovery_codes_param, 'add'
     translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :auto_add_recovery_codes?, false
+    auth_value_method :auto_remove_recovery_codes?, false
     translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
@@ -56,7 +57,6 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
-      :recovery_codes
     )
 
     route(:recovery_auth) do |r|
@@ -213,6 +213,21 @@ module Rodauth
       super
     end
 
+    def after_otp_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_sms_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_webauthn_remove
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
     def new_recovery_code
       random_key
     end
@@ -227,6 +242,12 @@ module Rodauth
       end
     end
 
+    def auto_remove_recovery_codes
+      if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+        recovery_codes_remove
+      end
+    end
+
     def _recovery_codes
       recovery_codes_ds.select_map(recovery_codes_column)
     end