rodauth 2.6.0 → 2.11.0

data/doc/release_notes/2.7.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* An auto_remove_recovery_codes? configuration method has been added
+  to the recovery_codes feature.  This will automatically remove
+  recovery codes when the last multifactor authentication type other
+  than the recovery codes has been removed.
+
+* The jwt_access_expired_status and expired_jwt_access_token_message
+  configuration methods have been added to the jwt_refresh feature,
+  for supporting custom statuses and messages for expired tokens.
+
+= Other Improvements
+
+* Rodauth will no longer attempt to require a feature that has
+  already been required.  Related to this is you can now use a
+  a custom Rodauth feature without a rodauth/features/*.rb file
+  in the Ruby library path, as long as you load the feature
+  manually.
+
+* Rodauth now avoids method redefinition warnings in verbose
+  warning mode.  As Ruby 3 is dropping uninitialized instance
+  variable warnings, Rodauth will be verbose warning free in
+  Ruby 3.
+
+= Backwards Compatibility
+
+* The default remember cookie path is now set to '/'. This fixes
+  usage in the case where rodauth is loaded under a subpath of the
+  application (which is not the default behavior).  Unfortunately,
+  this change can negatively affect cases where multiple rodauth
+  configurations are used in separate paths on the same domain.
+  In these cases, you should now use remember_cookie_options and
+  include a :path option.

data/doc/release_notes/2.8.0.txt

@@ -0,0 +1,20 @@
+= Improvements
+
+* HttpOnly is now set by default on the remember cookie, so it is no
+  longer accessible from Javascript.  This is a more secure approach
+  that makes applications using Rodauth's remember feature less
+  vulnerable in case they are subject to a separate XSS attack.
+
+* When using the jwt feature, rodauth.clear_session now clears the
+  JWT session even when the Roda sessions plugin was in use.  In most
+  cases, the jwt feature is not used with the Roda sessions plugin,
+  but in cases where the same application serves as both an JSON API
+  and as a HTML site, it is possible the two may be used together.
+
+= Backwards Compatibility
+
+* As the default remember cookie :httponly setting is now set to true,
+  applications using Rodauth that expected to be able to access the
+  remember cookie from Javascript will no longer work by default.
+  In these cases, you should now use remember_cookie_options and
+  include a :httponly=>false option.

data/doc/release_notes/2.9.0.txt

@@ -0,0 +1,21 @@
+= New Features
+
+* A json feature has been extracted from the existing jwt feature.
+  This feature allows for the same JSON API previously supported
+  by the JWT feature, but stores the session information in the
+  Rack session instead of in a separate JWT.  This makes it
+  significantly easier to have certain pages use the JSON API,
+  and other pages the HTML forms.
+
+= Other Improvements
+
+* If the remember cookie is created in an SSL request, the Secure
+  flag is added by default, so the cookie will not be transmitted
+  in non-SSL requests.
+
+= Backwards Compatibility
+
+* Rodauth configurations that use the remember feature and support
+  requests over both http and https and want to have the remember
+  cookie transmitted over both should now include :secure=>false in
+  remember_cookie_options.

data/doc/remember.rdoc

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/lib/rodauth.rb

@@ -39,14 +39,14 @@ module Rodauth
     else
       json_opt != :only
     end
-    auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)
+    auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= opts[:auth_class] || Class.new(Auth)
     if !auth_class.roda_class
       auth_class.roda_class = app
     elsif auth_class.roda_class != app
       auth_class = app.opts[:rodauths][opts[:name]] = Class.new(auth_class)
       auth_class.roda_class = app
     end
-    auth_class.configure(&block)
+    auth_class.configure(&block) if block
   end
 
   FEATURES = {}
@@ -66,6 +66,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
 
@@ -74,6 +75,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, umeth, &block)
         @auth.send(:private, umeth)
+        @auth.send(:alias_method, umeth, umeth)
       end
     end
 
@@ -82,6 +84,7 @@ module Rodauth
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
   end
@@ -240,6 +243,7 @@ module Rodauth
           instance_variable_set(iv, send(umeth))
         end
       end
+      alias_method(meth, meth)
       auth_private_methods(meth)
     end
 
@@ -264,11 +268,12 @@ module Rodauth
         @features = []
         @routes = []
         @route_hash = {}
+        @configuration = Configuration.new(self)
       end
     end
 
     def self.configure(&block)
-      Configuration.new(self, &block)
+      @configuration.apply(&block)
     end
 
     def self.freeze
@@ -284,6 +289,14 @@ module Rodauth
 
     def initialize(auth, &block)
       @auth = auth
+      # :nocov:
+      # Only for backwards compatibility
+      # RODAUTH3: Remove
+      apply(&block) if block
+      # :nocov:
+    end
+
+    def apply(&block)
       load_feature(:base)
       instance_exec(&block)
       auth.allocate.post_configure
@@ -300,7 +313,7 @@ module Rodauth
     private
 
     def load_feature(feature_name)
-      require "rodauth/features/#{feature_name}"
+      require "rodauth/features/#{feature_name}" unless FEATURES[feature_name]
       feature = FEATURES[feature_name]
       enable(*feature.dependencies)
       extend feature.configuration

data/lib/rodauth/features/argon2.rb

@@ -0,0 +1,69 @@
+# frozen-string-literal: true
+
+require 'argon2'
+
+# :nocov:
+if !defined?(Argon2::VERSION) || Argon2::VERSION < '2'
+  raise LoadError, "argon2 version 1.x not supported as it does not support argon2id hashes"
+end
+# :nocov:
+
+module Rodauth
+  Feature.define(:argon2, :Argon2) do
+    depends :login_password_requirements_base
+
+    auth_value_method :use_argon2?, true
+
+    private
+
+    def password_hash_cost
+      return super unless use_argon2?
+      argon2_hash_cost 
+    end
+
+    def password_hash(password)
+      return super unless use_argon2?
+      ::Argon2::Password.new(password_hash_cost).create(password)
+    end
+
+    def password_hash_match?(hash, password)
+      return super unless argon2_hash_algorithm?(hash)
+      argon2_password_hash_match?(hash, password)
+    end
+
+    def password_hash_using_salt(password, salt)
+      return super unless argon2_hash_algorithm?(salt)
+
+      argon2_params = Hash[extract_password_hash_cost(salt)]
+      argon2_params[:salt_do_not_supply] = Base64.decode64(salt.split('$').last)
+      ::Argon2::Password.new(argon2_params).create(password)
+    end
+
+    def extract_password_hash_cost(hash)
+      return super unless argon2_hash_algorithm?(hash )
+
+      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+    end
+
+    if ENV['RACK_ENV'] == 'test'
+      def argon2_hash_cost
+        {t_cost: 1, m_cost: 3}
+      end
+    # :nocov:
+    else
+      def argon2_hash_cost
+        {t_cost: 2, m_cost: 16}
+      end
+    end
+    # :nocov:
+
+    def argon2_hash_algorithm?(hash)
+      hash.start_with?('$argon2id$')
+    end
+
+    def argon2_password_hash_match?(hash, password)
+      ::Argon2::Password.verify_password(password, hash)
+    end
+  end
+end

data/lib/rodauth/features/base.rb

@@ -102,7 +102,6 @@ module Rodauth
       :set_redirect_error_flash,
       :set_title,
       :translate,
-      :unverified_account_message,
       :update_session
     )
 
@@ -261,6 +260,7 @@ module Rodauth
       @password_field_autocomplete_value || 'current-password'
     end
 
+    alias account_password_hash_column account_password_hash_column
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -465,7 +465,7 @@ module Rodauth
     end
 
     def database_function_password_match?(name, hash_id, password, salt)
-      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+      db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
     end
 
     def password_hash_match?(hash, password)
@@ -593,6 +593,10 @@ module Rodauth
       @has_password = !!get_password_hash
     end
 
+    def password_hash_using_salt(password, salt)
+      BCrypt::Engine.hash_secret(password, salt)
+    end
+
     # Get the password hash for the user.  When using database authentication functions,
     # note that only the salt is returned.
     def get_password_hash

data/lib/rodauth/features/change_login.rb

@@ -6,6 +6,7 @@ module Rodauth
 
     notice_flash 'Your login has been changed'
     error_flash 'There was an error changing your login'
+    translatable_method :same_as_current_login_message, 'same as current login'
     loaded_templates %w'change-login login-field login-confirm-field password-field'
     view 'change-login', 'Change Login'
     after
@@ -64,7 +65,7 @@ module Rodauth
 
     def change_login(login)
       if account_ds.get(login_column).downcase == login.downcase
-        @login_requirement_message = 'same as current login'
+        @login_requirement_message = same_as_current_login_message
         return false
       end
 

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -24,13 +24,16 @@ module Rodauth
 
     def add_previous_password_hash(hash) 
       ds = previous_password_ds
-      keep_before = ds.reverse(previous_password_id_column).
-        limit(nil, previous_passwords_to_check).
-        get(previous_password_id_column)
 
-      if keep_before
-        ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
-          delete
+      unless @dont_check_previous_password
+        keep_before = ds.reverse(previous_password_id_column).
+          limit(nil, previous_passwords_to_check).
+          get(previous_password_id_column)
+
+        if keep_before
+          ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
+            delete
+        end
       end
 
       # This should never raise uniqueness violations, as it uses a serial primary key
@@ -39,7 +42,7 @@ module Rodauth
 
     def password_meets_requirements?(password)
       super &&
-        password_doesnt_match_previous_password?(password)
+        (@dont_check_previous_password || password_doesnt_match_previous_password?(password))
     end
 
     private
@@ -71,6 +74,16 @@ module Rodauth
       previous_password_ds.delete
     end
 
+    def before_create_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
+    def before_verify_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
     def after_create_account
       if account_password_hash_column && !(respond_to?(:verify_account_set_password?) && verify_account_set_password?)
         add_previous_password_hash(password_hash(param(password_param)))

data/lib/rodauth/features/email_base.rb

@@ -51,7 +51,11 @@ module Rodauth
     end
 
     def token_link(route, param, key)
-      route_url(route, param => "#{account_id}#{token_separator}#{convert_email_token_key(key)}")
+      route_url(route, param => token_param_value(key))
+    end
+
+    def token_param_value(key)
+      "#{account_id}#{token_separator}#{convert_email_token_key(key)}"
     end
 
     def convert_email_token_key(key)
@@ -71,7 +75,6 @@ module Rodauth
           return
         end
       end
-
       ds = account_ds(id)
       ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
       ds.first

data/lib/rodauth/features/json.rb

@@ -0,0 +1,189 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:json, :Json) do
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
+    auth_value_method :json_check_accept?, true
+    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
+    auth_value_method :json_response_content_type, 'application/json'
+    auth_value_method :json_response_custom_error_status?, true
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, "success"
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+
+    auth_value_methods(
+      :only_json?,
+      :use_json?,
+    )
+
+    auth_methods(
+      :json_request?,
+    )
+
+    auth_private_methods :json_response_body
+
+    def set_field_error(field, message)
+      return super unless use_json?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+
+    def set_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_redirect_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_notice_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def set_notice_now_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def use_json?
+      json_request? || only_json?
+    end
+
+    def view(page, title)
+      return super unless use_json?
+      return_json_response
+    end
+
+    private
+
+    def before_view_recovery_codes
+      super if defined?(super)
+      if use_json?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
+    def before_otp_setup_route
+      super if defined?(super)
+      if use_json? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
+        _otp_tmp_key(otp_new_secret)
+        json_response[otp_setup_param] = otp_user_key
+        json_response[otp_setup_raw_param] = otp_key
+      end
+    end
+
+    def before_rodauth
+      if json_request?
+        if json_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
+          response.status = 406
+          json_response[json_response_error_key] = json_not_accepted_error_message
+          _return_json_response
+        end
+
+        unless request.post?
+          response.status = 405
+          response.headers['Allow'] = 'POST'
+          json_response[json_response_error_key] = json_non_post_error_message
+          return_json_response
+        end
+      elsif only_json?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+
+      super
+    end
+
+    def redirect(_)
+      return super unless use_json?
+      return_json_response
+    end
+
+    def return_json_response
+      _return_json_response
+    end
+
+    def _return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response['Content-Type'] ||= json_response_content_type
+      response.write(_json_response_body(json_response))
+      request.halt
+    end
+
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+
+    def _json_response_body(hash)
+      request.send(:convert_to_json, hash)
+    end
+
+    def json_response
+      @json_response ||= {}
+    end
+
+    def set_redirect_error_status(status)
+      if use_json? && json_response_custom_error_status?
+        response.status = status
+      end
+    end
+
+    def set_response_error_status(status)
+      if use_json? && !json_response_custom_error_status?
+        status = json_response_error_status
+      end
+
+      super
+    end
+  end
+end