RubyGems - rodauth - Versions diffs - 2.5.0 → 2.10.0 - Mend

rodauth 2.5.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

checksums.yaml +4 -4
data/CHANGELOG +42 -0
data/MIT-LICENSE +1 -1
data/README.rdoc +18 -6
data/doc/argon2.rdoc +49 -0
data/doc/base.rdoc +3 -2
data/doc/guides/migrate_password_hash_algorithm.rdoc +15 -0
data/doc/json.rdoc +47 -0
data/doc/jwt.rdoc +1 -28
data/doc/jwt_refresh.rdoc +8 -0
data/doc/login_password_requirements_base.rdoc +1 -1
data/doc/recovery_codes.rdoc +2 -1
data/doc/release_notes/2.10.0.txt +47 -0
data/doc/release_notes/2.6.0.txt +37 -0
data/doc/release_notes/2.7.0.txt +33 -0
data/doc/release_notes/2.8.0.txt +20 -0
data/doc/release_notes/2.9.0.txt +21 -0
data/doc/remember.rdoc +1 -1
data/javascript/webauthn_auth.js +9 -9
data/javascript/webauthn_setup.js +9 -6
data/lib/rodauth.rb +14 -6
data/lib/rodauth/features/argon2.rb +69 -0
data/lib/rodauth/features/base.rb +12 -3
data/lib/rodauth/features/confirm_password.rb +2 -2
data/lib/rodauth/features/disallow_password_reuse.rb +20 -7
data/lib/rodauth/features/json.rb +189 -0
data/lib/rodauth/features/jwt.rb +22 -170
data/lib/rodauth/features/jwt_refresh.rb +63 -13
data/lib/rodauth/features/login_password_requirements_base.rb +4 -0
data/lib/rodauth/features/otp.rb +0 -2
data/lib/rodauth/features/recovery_codes.rb +22 -1
data/lib/rodauth/features/remember.rb +6 -1
data/lib/rodauth/features/update_password_hash.rb +1 -1
data/lib/rodauth/features/verify_account.rb +6 -7
data/lib/rodauth/features/webauthn_verify_account.rb +1 -1
data/lib/rodauth/migrations.rb +31 -5
data/lib/rodauth/version.rb +1 -1
metadata +55 -24

data/lib/rodauth/features/remember.rb CHANGED Viewed

@@ -132,11 +132,16 @@ module Rodauth
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
     def forget_login
-      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+      opts = Hash[remember_cookie_options]
+      opts[:path] = "/" unless opts.key?(:path)
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, opts)
     end
     def get_remember_key

data/lib/rodauth/features/update_password_hash.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module Rodauth
     def get_password_hash
       if hash = super
-        @current_password_hash_cost = hash.split('$')[2].to_i
+        @current_password_hash_cost = extract_password_hash_cost(hash)
       end
       hash

data/lib/rodauth/features/verify_account.rb CHANGED Viewed

@@ -47,7 +47,6 @@ module Rodauth
       :get_verify_account_key,
       :get_verify_account_email_last_sent,
       :remove_verify_account_key,
-      :resend_verify_account_view,
       :send_verify_account_email,
       :set_verify_account_email_last_sent,
       :verify_account,
@@ -245,6 +244,12 @@ module Rodauth
       end
     end
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
     private
     def _login_form_footer_links
@@ -276,12 +281,6 @@ module Rodauth
       super
     end
-    def setup_account_verification
-      generate_verify_account_key_value
-      create_verify_account_key
-      send_verify_account_email
-    end
     def verify_account_check_already_logged_in
       check_already_logged_in
     end

data/lib/rodauth/features/webauthn_verify_account.rb CHANGED Viewed

@@ -29,7 +29,7 @@ module Rodauth
     def before_verify_account
       super
-      if features.include?(:jwt) && use_jwt? && !param_or_nil(webauthn_setup_param)
+      if features.include?(:json) && use_json? && !param_or_nil(webauthn_setup_param)
         cred = new_webauthn_credential
         json_response[webauthn_setup_param] = cred.as_json
         json_response[webauthn_setup_challenge_param] = cred.challenge

data/lib/rodauth/migrations.rb CHANGED Viewed

@@ -4,7 +4,8 @@ module Rodauth
   def self.create_database_authentication_functions(db, opts={})
     table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
-    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
+    argon2 = opts[:argon2]
     case db.database_type
     when :postgres
@@ -14,12 +15,21 @@ module Rodauth
         when 'uuid' then :uuid
         else :int8
         end
+      table_name = db.literal(table_name) unless table_name.is_a?(String)
+      argon_sql = <<END
+CASE
+    WHEN password_hash ~ '^\\$argon2id'
+      THEN substring(password_hash from '\\$argon2id\\$v=\\d+\\$m=\\d+,t=\\d+,p=\\d+\\$.+\\$')
+    ELSE substr(password_hash, 0, 30)
+  END INTO salt
+END
       db.run <<END
 CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
 DECLARE salt text;
 BEGIN
-SELECT substr(password_hash, 0, 30) INTO salt
+SELECT
+#{argon2 ? argon_sql : "substr(password_hash, 0, 30) INTO salt"}
 FROM #{table_name}
 WHERE acct_id = id;
 RETURN salt;
@@ -43,12 +53,20 @@ SECURITY DEFINER
 SET search_path = #{search_path};
 END
     when :mysql
+      argon_sql = <<END
+CASE
+  WHEN password_hash REGEXP '^.argon2id'
+    THEN left(password_hash, CHAR_LENGTH(password_hash) - INSTR(REVERSE(password_hash), '$'))
+  ELSE substr(password_hash, 1, 30)
+  END
+END
       db.run <<END
 CREATE FUNCTION #{get_salt_name}(acct_id int8) RETURNS varchar(255)
 SQL SECURITY DEFINER
 READS SQL DATA
 BEGIN
-RETURN (SELECT substr(password_hash, 1, 30)
+RETURN (SELECT
+#{argon2 ? argon_sql : "substr(password_hash, 1, 30)"}
 FROM #{table_name}
 WHERE acct_id = id);
 END;
@@ -71,13 +89,21 @@ RETURN valid;
 END;
 END
     when :mssql
+      argon_sql = <<END
+CASE
+  WHEN password_hash LIKE '[$]argon2id%'
+    THEN left(password_hash, len(password_hash) - charindex('$', reverse(password_hash)))
+  ELSE substring(password_hash, 0, 30)
+  END
+END
       db.run <<END
 CREATE FUNCTION #{get_salt_name}(@account_id bigint) RETURNS nvarchar(255)
 WITH EXECUTE AS OWNER
 AS
 BEGIN
 DECLARE @salt nvarchar(255);
-SELECT @salt = substring(password_hash, 0, 30)
+SELECT @salt =
+#{argon2 ? argon_sql : "substring(password_hash, 0, 30)"}
 FROM #{table_name}
 WHERE id = @account_id;
 RETURN @salt;
@@ -107,7 +133,7 @@ END
   def self.drop_database_authentication_functions(db, opts={})
     table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
-    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
     case db.database_type
     when :postgres

data/lib/rodauth/version.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 5
+  MINOR = 10
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-22 00:00:00.000000000 Z
+date: 2021-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: mail
   requirement: !ruby/object:Gem::Requirement
@@ -140,14 +154,14 @@ dependencies:
   name: webauthn
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
@@ -237,28 +251,35 @@ extra_rdoc_files:
 - README.rdoc
 - CHANGELOG
 - MIT-LICENSE
-- doc/change_password_notify.rdoc
 - doc/account_expiration.rdoc
+- doc/active_sessions.rdoc
+- doc/argon2.rdoc
+- doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
-- doc/confirm_password.rdoc
+- doc/change_password_notify.rdoc
 - doc/close_account.rdoc
-- doc/http_basic_auth.rdoc
+- doc/confirm_password.rdoc
 - doc/create_account.rdoc
-- doc/email_base.rdoc
 - doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
-- doc/password_complexity.rdoc
+- doc/email_auth.rdoc
+- doc/email_base.rdoc
+- doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
+- doc/jwt_cors.rdoc
+- doc/jwt_refresh.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
+- doc/login_password_requirements_base.rdoc
 - doc/logout.rdoc
 - doc/otp.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/jwt_cors.rdoc
+- doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/remember.rdoc
 - doc/reset_password.rdoc
@@ -268,17 +289,11 @@ extra_rdoc_files:
 - doc/two_factor_base.rdoc
 - doc/update_password_hash.rdoc
 - doc/verify_account.rdoc
-- doc/email_auth.rdoc
-- doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
-- doc/active_sessions.rdoc
-- doc/audit_logging.rdoc
-- doc/password_pepper.rdoc
-- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
@@ -288,7 +303,14 @@ extra_rdoc_files:
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
 - doc/release_notes/1.16.0.txt
+- doc/release_notes/1.17.0.txt
+- doc/release_notes/1.18.0.txt
+- doc/release_notes/1.19.0.txt
 - doc/release_notes/1.2.0.txt
+- doc/release_notes/1.20.0.txt
+- doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
+- doc/release_notes/1.23.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
@@ -296,18 +318,17 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.10.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -315,6 +336,7 @@ files:
 - dict/top-10_000-passwords.txt
 - doc/account_expiration.rdoc
 - doc/active_sessions.rdoc
+- doc/argon2.rdoc
 - doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
@@ -337,6 +359,7 @@ files:
 - doc/guides/internals.rdoc
 - doc/guides/links.rdoc
 - doc/guides/login_return.rdoc
+- doc/guides/migrate_password_hash_algorithm.rdoc
 - doc/guides/password_column.rdoc
 - doc/guides/password_confirmation.rdoc
 - doc/guides/password_requirements.rdoc
@@ -349,6 +372,7 @@ files:
 - doc/guides/status_column.rdoc
 - doc/guides/totp_or_recovery.rdoc
 - doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
 - doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
@@ -388,10 +412,15 @@ files:
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.10.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -411,6 +440,7 @@ files:
 - lib/rodauth.rb
 - lib/rodauth/features/account_expiration.rb
 - lib/rodauth/features/active_sessions.rb
+- lib/rodauth/features/argon2.rb
 - lib/rodauth/features/audit_logging.rb
 - lib/rodauth/features/base.rb
 - lib/rodauth/features/change_login.rb
@@ -424,6 +454,7 @@ files:
 - lib/rodauth/features/email_auth.rb
 - lib/rodauth/features/email_base.rb
 - lib/rodauth/features/http_basic_auth.rb
+- lib/rodauth/features/json.rb
 - lib/rodauth/features/jwt.rb
 - lib/rodauth/features/jwt_cors.rb
 - lib/rodauth/features/jwt_refresh.rb
@@ -535,7 +566,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications