rodauth 2.6.0 → 2.11.0

data/lib/rodauth/features/jwt.rb

@@ -4,41 +4,29 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
+    depends :json
+
     translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
-    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
-    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
-    auth_value_method :json_response_content_type, 'application/json'
-    auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, true
-    auth_value_method :json_response_error_key, "error"
-    auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, true
     auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
-      :only_json?,
       :jwt_secret,
       :use_jwt?
     )
 
     auth_methods(
-      :json_request?,
       :jwt_session_hash,
       :jwt_token,
       :session_jwt,
       :set_jwt_token
     )
 
-    auth_private_methods :json_response_body
+    def_deprecated_alias :json_check_accept?, :jwt_check_accept?
 
     def session
       return @session if defined?(@session)
@@ -47,11 +35,8 @@ module Rodauth
       s = {}
       if jwt_token
         unless session_data = jwt_payload
-          json_response[json_response_error_key] = invalid_jwt_format_error_message
-          response.status ||= json_response_error_status
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
+          json_response[json_response_error_key] ||= invalid_jwt_format_error_message
+          _return_json_response
         end
 
         if jwt_session_key
@@ -73,37 +58,10 @@ module Rodauth
 
     def clear_session
       super
-      set_jwt if use_jwt?
-    end
-
-    def set_field_error(field, message)
-      return super unless use_jwt?
-      json_response[json_response_field_error_key] = [field, message]
-    end
-
-    def set_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_redirect_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_notice_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def set_notice_now_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def json_request?
-      return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ json_request_content_type_regexp
+      if use_jwt?
+        session.clear
+        set_jwt
+      end
     end
 
     def jwt_secret
@@ -131,16 +89,15 @@ module Rodauth
     end
 
     def use_jwt?
-      jwt_token || only_json? || json_request?
+      use_json?
     end
 
-    def valid_jwt?
-      !!(jwt_token && jwt_payload)
+    def use_json?
+      jwt_token || super
     end
 
-    def view(page, title)
-      return super unless use_jwt?
-      return_json_response
+    def valid_jwt?
+      !!(jwt_token && jwt_payload)
     end
 
     private
@@ -150,85 +107,6 @@ module Rodauth
       super
     end
 
-    def before_rodauth
-      if json_request?
-        if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
-          response.status = 406
-          json_response[json_response_error_key] = json_not_accepted_error_message
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
-        end
-
-        unless request.post?
-          response.status = 405
-          response.headers['Allow'] = 'POST'
-          json_response[json_response_error_key] = json_non_post_error_message
-          return_json_response
-        end
-      elsif only_json?
-        response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
-      end
-
-      super
-    end
-
-    def before_view_recovery_codes
-      super if defined?(super)
-      if use_jwt?
-        json_response[:codes] = recovery_codes
-        json_response[json_response_success_key] ||= "" if include_success_messages?
-      end
-    end
-
-    def before_webauthn_setup_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_setup_param)
-        cred = new_webauthn_credential
-        json_response[webauthn_setup_param] = cred.as_json
-        json_response[webauthn_setup_challenge_param] = cred.challenge
-        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_auth_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_login_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_remove_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_remove_param)
-        json_response[webauthn_remove_param] = account_webauthn_usage
-      end
-    end
-
-    def before_otp_setup_route
-      super if defined?(super)
-      if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
-        _otp_tmp_key(otp_new_secret)
-        json_response[otp_setup_param] = otp_user_key
-        json_response[otp_setup_raw_param] = otp_key
-      end
-    end
-
     def _jwt_decode_opts
       jwt_decode_opts
     end
@@ -236,17 +114,12 @@ module Rodauth
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
       @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
-    rescue JWT::DecodeError
-      @jwt_payload = false
+    rescue JWT::DecodeError => e
+      rescue_jwt_payload(e)
     end
 
-    def redirect(_)
-      return super unless use_jwt?
-      return_json_response
-    end
-
-    def include_success_messages?
-      !json_response_success_key.nil?
+    def rescue_jwt_payload(_)
+      @jwt_payload = false
     end
 
     def set_session_value(key, value)
@@ -261,38 +134,13 @@ module Rodauth
       value
     end
 
-    def json_response
-      @json_response ||= {}
-    end
-
-    def _json_response_body(hash)
-      request.send(:convert_to_json, hash)
-    end
-
     def return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
       set_jwt
-      response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      super
     end
 
     def set_jwt
       set_jwt_token(session_jwt)
     end
-
-    def set_redirect_error_status(status)
-      if use_jwt? && json_response_custom_error_status?
-        response.status = status
-      end
-    end
-
-    def set_response_error_status(status)
-      if use_jwt? && !json_response_custom_error_status?
-        status = json_response_error_status
-      end
-
-      super
-    end
   end
 end

data/lib/rodauth/features/jwt_refresh.rb

@@ -24,6 +24,8 @@ module Rodauth
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
     translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
     auth_value_method :jwt_refresh_without_access_token_status, 401
+    translatable_method :expired_jwt_access_token_message, "expired JWT access token"
+    auth_value_method :expired_jwt_access_token_status, 400
 
     auth_private_methods(
       :account_from_refresh_token
@@ -49,11 +51,8 @@ module Rodauth
           end
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
-          response.status ||= json_response_error_status
         end
-        response['Content-Type'] ||= json_response_content_type
-        response.write(_json_response_body(json_response))
-        request.halt
+        _return_json_response
       end
     end
 
@@ -63,7 +62,7 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      token = json_response['refresh_token'] = generate_refresh_token
+      token = json_response[jwt_refresh_token_key] = generate_refresh_token
 
       set_jwt_refresh_token_hmac_session_key(token)
     end
@@ -92,6 +91,23 @@ module Rodauth
 
     private
 
+    def rescue_jwt_payload(e)
+      if e.instance_of?(JWT::ExpiredSignature)
+        begin
+          # Some versions of jwt will raise JWT::ExpiredSignature even when the
+          # JWT is invalid for other reasons.  Make sure the expiration is the
+          # only reason the JWT isn't valid before treating this as an expired token.
+          JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
+        rescue => e
+        else
+          json_response[json_response_error_key] = expired_jwt_access_token_message
+          response.status ||= expired_jwt_access_token_status
+        end
+      end
+
+      super
+    end
+
     def _account_from_refresh_token(token)
       id, token_id, key = _account_refresh_token_split(token)
 
@@ -158,8 +174,7 @@ module Rodauth
     end
 
     def remove_jwt_refresh_token_key(token)
-      account_id, token = split_token(token)
-      token_id, _ = split_token(token)
+      account_id, token_id, _ = _account_refresh_token_split(token)
       jwt_refresh_token_account_token_ds(account_id, token_id).delete
     end
 
@@ -191,9 +206,7 @@ module Rodauth
           id, token_id, key = _account_refresh_token_split(token)
 
           if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
-            jwt_refresh_token_account_ds(id).
-              where(jwt_refresh_token_id_column=>token_id).
-              delete
+            jwt_refresh_token_account_token_ds(id, token_id).delete
           end
         end
       end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -16,6 +16,7 @@ module Rodauth
     auth_value_method :require_login_confirmation?, true
     auth_value_method :require_password_confirmation?, true
     translatable_method :same_as_existing_password_message, "invalid password, same as current password"
+    translatable_method :contains_null_byte_message, 'contains null byte'
 
     auth_value_methods(
       :login_confirm_label,
@@ -124,7 +125,7 @@ module Rodauth
 
     def password_does_not_contain_null_byte?(password)
       return true unless password.include?("\0")
-      @password_requirement_message = 'contains null byte'
+      @password_requirement_message = contains_null_byte_message
       false
     end
 
@@ -140,6 +141,10 @@ module Rodauth
       # :nocov:
     end
 
+    def extract_password_hash_cost(hash)
+      hash[4, 2].to_i
+    end
+    
     def password_hash(password)
       BCrypt::Password.create(password, :cost=>password_hash_cost)
     end

data/lib/rodauth/features/otp.rb

@@ -76,9 +76,7 @@ module Rodauth
     )
 
     auth_methods(
-      :otp,
       :otp_exists?,
-      :otp_key,
       :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,

data/lib/rodauth/features/recovery_codes.rb

@@ -34,6 +34,7 @@ module Rodauth
     auth_value_method :add_recovery_codes_param, 'add'
     translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :auto_add_recovery_codes?, false
+    auth_value_method :auto_remove_recovery_codes?, false
     translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
@@ -56,7 +57,6 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
-      :recovery_codes
     )
 
     route(:recovery_auth) do |r|
@@ -213,6 +213,21 @@ module Rodauth
       super
     end
 
+    def after_otp_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_sms_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_webauthn_remove
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
     def new_recovery_code
       random_key
     end
@@ -227,6 +242,12 @@ module Rodauth
       end
     end
 
+    def auto_remove_recovery_codes
+      if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+        recovery_codes_remove
+      end
+    end
+
     def _recovery_codes
       recovery_codes_ds.select_map(recovery_codes_column)
     end

data/lib/rodauth/features/remember.rb

@@ -132,11 +132,16 @@ module Rodauth
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def forget_login
-      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+      opts = Hash[remember_cookie_options]
+      opts[:path] = "/" unless opts.key?(:path)
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def get_remember_key