rodauth 2.8.0 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a39430563fc9d81e610b8a28b5c044eedd7ebd361d6294f9bd02687ce2d24c27
-  data.tar.gz: a852e9713602b807bb7566b3db4038a6fda0ae0d2b90bf4b1ce2e45429c8efd2
+  metadata.gz: a51cd006e762abd197f16ec9b8337cd54bf15206fcc2ce3a83cb1c424bb83845
+  data.tar.gz: 41e21158bee2b7ef8c75a93b035a5ff08c0245e5719aecbf783a818a860329b6
 SHA512:
-  metadata.gz: ba8f83d3f9afc3f1bcca6f649e925b1b3f795002dc980ae5bfb219885a74c69c34bbacaccda83c153bf9f799f328970cd900a3abf5966b88956dc3476ef3f9f8
-  data.tar.gz: 9d2042a183a7fdc941cd2b8716aba581861b9e1831574eac3241979ab32e2fe2076baf94e3ab0782487aa34d4e7f98f063035c22dcd7088f1a4fd1f1b83a7e6d
+  metadata.gz: fb2c83005f29f8e8f2ea36ae97111c2b2108dc370ce1fee624c6cd27fd96eaa70be8f1471d9b9cb4a8b652b55e2277cce3489514bf56624bceb2c4f52413b580
+  data.tar.gz: 6bf8b23187ab6935cd33259b4ee546281df100641b7927c9e03e531f591a451ba5d56b50b8621cbc7948ad8807253dbded5da0b85247e70db7aa5db1d2be765a

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 2.9.0 (2021-01-22)
+
+* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
+
+* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
+
 === 2.8.0 (2021-01-06)
 
 * [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)

data/README.rdoc

@@ -52,7 +52,8 @@ HTML and JSON API for all supported features.
 * Session Expiration
 * Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
 * Single Session (Only one active session per account)
-* JWT (JSON API support for all other features)
+* JSON (JSON API support for all other features)
+* JWT (JSON Web Token support for all other features)
 * JWT Refresh (Access & Refresh Token)
 * JWT CORS (Cross-Origin Resource Sharing)
 * Update Password Hash (when hash cost changes)
@@ -872,6 +873,7 @@ view the appropriate file in the doc directory.
 * {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
 * {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
 * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
+* {JSON}[rdoc-ref:doc/json.rdoc]
 * {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
 * {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
 * {JWT}[rdoc-ref:doc/jwt.rdoc]
@@ -1320,7 +1322,13 @@ use the necessary *_email_body configuration options to specify
 the body of the emails.
 
 The JWT feature enables JSON API support for all of the other features
-that Rodauth ships with.
+that Rodauth ships with. If you would like JSON API access that still uses
+rack session for storing session data, enable the JSON feature instead:
+
+  plugin :rodauth, :json=>true do
+    enable :login, :logout, :json
+    only_json? true # if you want to only handle JSON requests
+  end
 
 === Adding Custom Methods to the +rodauth+ Object
 

data/doc/json.rdoc

@@ -0,0 +1,47 @@
+= Documentation for JSON Feature
+
+The json feature adds support for JSON API access for all other
+features that ship with Rodauth.
+
+When this feature is used, all other features become accessible via a
+JSON API.  The JSON API uses the POST method for all requests, using
+the same parameter names as the features uses.  JSON API requests to
+Rodauth endpoints that use a method other than POST will result in a
+405 Method Not Allowed response.
+
+Responses are returned as JSON hashes.  In case of an error, the +error+
+entry is set to an error message, and the <tt>field-error</tt> entry is set to
+an array containing the field name and the error message for that field.
+Successful requests by default store a +success+ entry with a success
+message, though that can be disabled.
+
+The session state is managed in the rack session, so make sure that
+CSRF protection is enabled. This will be the case when passing the
+<tt>json: true</tt> option when loading the rodauth plugin. If you
+want to only handle JSON requests, set <tt>only_json? true</tt> in
+your rodauth configuration.
+
+If you want token-based authentication sent via the Authorization
+header, consider using the jwt feature.
+
+== Auth Value Methods
+
+json_accept_regexp :: The regexp to use to check the Accept header for JSON if +json_check_accept?+ is true.
+json_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default.
+json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
+json_not_accepted_error_message :: The error message to display if +json_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
+json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
+json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
+json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
+json_response_error_key :: The JSON result key containing an error message, +error+ by default.
+json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
+json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
+json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
+non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
+only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
+use_json? :: Whether to return a JSON response. By default, a JSON response is returned if +only_json?+ is true, or if the request uses a json content type.
+
+== Auth Methods
+
+json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
+json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.

data/doc/jwt.rdoc

@@ -2,19 +2,7 @@
 
 The jwt feature adds support for JSON API access for all other features
 that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
-session information.
-
-When this feature is used, all other features become accessible via a
-JSON API.  The JSON API uses the POST method for all requests, using
-the same parameter names as the features uses.  JSON API requests to
-Rodauth endpoints that use a method other than POST will result in a
-405 Method Not Allowed response.
-
-Responses are returned as JSON hashes.  In case of an error, the +error+
-entry is set to an error message, and the <tt>field-error</tt> entry is set to
-an array containing the field name and the error message for that field.
-Successful requests by default store a +success+ entry with a success
-message, though that can be disabled.
+session information. It depends on the json feature.
 
 In order to use this feature, you have to set the +jwt_secret+ configuration
 option the secret used to cryptographically protect the token.
@@ -41,32 +29,17 @@ from +rodauth.session+.
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
-json_accept_regexp :: The regexp to use to check the Accept header for JSON if +jwt_check_accept?+ is true.
-json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
-json_not_accepted_error_message :: The error message to display if +jwt_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
-json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
-json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
-json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
-json_response_error_key :: The JSON result key containing an error message, +error+ by default.
-json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
-json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
-json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
 jwt_algorithm :: The JWT algorithm to use, +HS256+ by default.
 jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches.  By default, HTTP Basic and Digest authentication are ignored.
 jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT.  By default, a Bearer prefix is removed.
-jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default, can be set to false for backwards compatibility with Rodauth 1.
 jwt_decode_opts :: An optional hash to pass to +JWT.decode+. Can be used to set JWT verifiers.
 jwt_secret :: The JWT secret to use.  Access to this should be protected the same as a session secret.
 jwt_session_key :: A key to nest the session hash under in the JWT payload.  nil by default, for no nesting.
 jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply.  false by default.
-non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
-only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
 use_jwt? :: Whether to use the JWT in the Authorization header for authentication information.  If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if +only_json?+ is true, or if the request uses a json content type.
 
 == Auth Methods
 
-json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
-json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.
 jwt_session_hash :: The session hash used to create the session_jwt. Can be used to set JWT claims.
 jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
 session_jwt :: An encoded JWT for the current session.

data/doc/release_notes/2.9.0.txt

@@ -0,0 +1,21 @@
+= New Features
+
+* A json feature has been extracted from the existing jwt feature.
+  This feature allows for the same JSON API previously supported
+  by the JWT feature, but stores the session information in the
+  Rack session instead of in a separate JWT.  This makes it
+  significantly easier to have certain pages use the JSON API,
+  and other pages the HTML forms.
+
+= Other Improvements
+
+* If the remember cookie is created in an SSL request, the Secure
+  flag is added by default, so the cookie will not be transmitted
+  in non-SSL requests.
+
+= Backwards Compatibility
+
+* Rodauth configurations that use the remember feature and support
+  requests over both http and https and want to have the remember
+  cookie transmitted over both should now include :secure=>false in
+  remember_cookie_options.

data/doc/remember.rdoc

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`, and `:httponly` is set to `true`.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/lib/rodauth/features/json.rb

@@ -0,0 +1,189 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:json, :Json) do
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
+    auth_value_method :json_check_accept?, true
+    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
+    auth_value_method :json_response_content_type, 'application/json'
+    auth_value_method :json_response_custom_error_status?, true
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, "success"
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+
+    auth_value_methods(
+      :only_json?,
+      :use_json?,
+    )
+
+    auth_methods(
+      :json_request?,
+    )
+
+    auth_private_methods :json_response_body
+
+    def set_field_error(field, message)
+      return super unless use_json?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+
+    def set_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_redirect_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_notice_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def set_notice_now_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def use_json?
+      json_request? || only_json?
+    end
+
+    def view(page, title)
+      return super unless use_json?
+      return_json_response
+    end
+
+    private
+
+    def before_view_recovery_codes
+      super if defined?(super)
+      if use_json?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
+    def before_otp_setup_route
+      super if defined?(super)
+      if use_json? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
+        _otp_tmp_key(otp_new_secret)
+        json_response[otp_setup_param] = otp_user_key
+        json_response[otp_setup_raw_param] = otp_key
+      end
+    end
+
+    def before_rodauth
+      if json_request?
+        if json_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
+          response.status = 406
+          json_response[json_response_error_key] = json_not_accepted_error_message
+          _return_json_response
+        end
+
+        unless request.post?
+          response.status = 405
+          response.headers['Allow'] = 'POST'
+          json_response[json_response_error_key] = json_non_post_error_message
+          return_json_response
+        end
+      elsif only_json?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+
+      super
+    end
+
+    def redirect(_)
+      return super unless use_json?
+      return_json_response
+    end
+
+    def return_json_response
+      _return_json_response
+    end
+
+    def _return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response['Content-Type'] ||= json_response_content_type
+      response.write(_json_response_body(json_response))
+      request.halt
+    end
+
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+
+    def _json_response_body(hash)
+      request.send(:convert_to_json, hash)
+    end
+
+    def json_response
+      @json_response ||= {}
+    end
+
+    def set_redirect_error_status(status)
+      if use_json? && json_response_custom_error_status?
+        response.status = status
+      end
+    end
+
+    def set_response_error_status(status)
+      if use_json? && !json_response_custom_error_status?
+        status = json_response_error_status
+      end
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/jwt.rb

@@ -4,41 +4,29 @@ require 'jwt'
 
 module Rodauth
   Feature.define(:jwt, :Jwt) do
+    depends :json
+
     translatable_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
-    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
-    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
-    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
-    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
-    auth_value_method :json_response_content_type, 'application/json'
-    auth_value_method :json_response_error_status, 400
-    auth_value_method :json_response_custom_error_status?, true
-    auth_value_method :json_response_error_key, "error"
-    auth_value_method :json_response_field_error_key, "field-error"
-    auth_value_method :json_response_success_key, "success"
     auth_value_method :jwt_algorithm, "HS256"
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
-    auth_value_method :jwt_check_accept?, true
     auth_value_method :jwt_decode_opts, {}.freeze
     auth_value_method :jwt_session_key, nil
     auth_value_method :jwt_symbolize_deeply?, false
-    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
-      :only_json?,
       :jwt_secret,
       :use_jwt?
     )
 
     auth_methods(
-      :json_request?,
       :jwt_session_hash,
       :jwt_token,
       :session_jwt,
       :set_jwt_token
     )
 
-    auth_private_methods :json_response_body
+    def_deprecated_alias :json_check_accept?, :jwt_check_accept?
 
     def session
       return @session if defined?(@session)
@@ -48,10 +36,7 @@ module Rodauth
       if jwt_token
         unless session_data = jwt_payload
           json_response[json_response_error_key] ||= invalid_jwt_format_error_message
-          response.status ||= json_response_error_status
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
+          _return_json_response
         end
 
         if jwt_session_key
@@ -79,36 +64,6 @@ module Rodauth
       end
     end
 
-    def set_field_error(field, message)
-      return super unless use_jwt?
-      json_response[json_response_field_error_key] = [field, message]
-    end
-
-    def set_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_redirect_error_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_error_key] = message
-    end
-
-    def set_notice_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def set_notice_now_flash(message)
-      return super unless use_jwt?
-      json_response[json_response_success_key] = message if include_success_messages?
-    end
-
-    def json_request?
-      return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ json_request_content_type_regexp
-    end
-
     def jwt_secret
       raise ArgumentError, "jwt_secret not set"
     end
@@ -134,16 +89,15 @@ module Rodauth
     end
 
     def use_jwt?
-      jwt_token || only_json? || json_request?
+      use_json?
     end
 
-    def valid_jwt?
-      !!(jwt_token && jwt_payload)
+    def use_json?
+      jwt_token || super
     end
 
-    def view(page, title)
-      return super unless use_jwt?
-      return_json_response
+    def valid_jwt?
+      !!(jwt_token && jwt_payload)
     end
 
     private
@@ -153,85 +107,6 @@ module Rodauth
       super
     end
 
-    def before_rodauth
-      if json_request?
-        if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
-          response.status = 406
-          json_response[json_response_error_key] = json_not_accepted_error_message
-          response['Content-Type'] ||= json_response_content_type
-          response.write(_json_response_body(json_response))
-          request.halt
-        end
-
-        unless request.post?
-          response.status = 405
-          response.headers['Allow'] = 'POST'
-          json_response[json_response_error_key] = json_non_post_error_message
-          return_json_response
-        end
-      elsif only_json?
-        response.status = json_response_error_status
-        response.write non_json_request_error_message
-        request.halt
-      end
-
-      super
-    end
-
-    def before_view_recovery_codes
-      super if defined?(super)
-      if use_jwt?
-        json_response[:codes] = recovery_codes
-        json_response[json_response_success_key] ||= "" if include_success_messages?
-      end
-    end
-
-    def before_webauthn_setup_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_setup_param)
-        cred = new_webauthn_credential
-        json_response[webauthn_setup_param] = cred.as_json
-        json_response[webauthn_setup_challenge_param] = cred.challenge
-        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_auth_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param)
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_login_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
-        cred = webauth_credential_options_for_get
-        json_response[webauthn_auth_param] = cred.as_json
-        json_response[webauthn_auth_challenge_param] = cred.challenge
-        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
-      end
-    end
-
-    def before_webauthn_remove_route
-      super if defined?(super)
-      if use_jwt? && !param_or_nil(webauthn_remove_param)
-        json_response[webauthn_remove_param] = account_webauthn_usage
-      end
-    end
-
-    def before_otp_setup_route
-      super if defined?(super)
-      if use_jwt? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
-        _otp_tmp_key(otp_new_secret)
-        json_response[otp_setup_param] = otp_user_key
-        json_response[otp_setup_raw_param] = otp_key
-      end
-    end
-
     def _jwt_decode_opts
       jwt_decode_opts
     end
@@ -247,15 +122,6 @@ module Rodauth
       @jwt_payload = false
     end
 
-    def redirect(_)
-      return super unless use_jwt?
-      return_json_response
-    end
-
-    def include_success_messages?
-      !json_response_success_key.nil?
-    end
-
     def set_session_value(key, value)
       super
       set_jwt if use_jwt?
@@ -268,38 +134,13 @@ module Rodauth
       value
     end
 
-    def json_response
-      @json_response ||= {}
-    end
-
-    def _json_response_body(hash)
-      request.send(:convert_to_json, hash)
-    end
-
     def return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
       set_jwt
-      response['Content-Type'] ||= json_response_content_type
-      response.write(_json_response_body(json_response))
-      request.halt
+      super
     end
 
     def set_jwt
       set_jwt_token(session_jwt)
     end
-
-    def set_redirect_error_status(status)
-      if use_jwt? && json_response_custom_error_status?
-        response.status = status
-      end
-    end
-
-    def set_response_error_status(status)
-      if use_jwt? && !json_response_custom_error_status?
-        status = json_response_error_status
-      end
-
-      super
-    end
   end
 end

data/lib/rodauth/features/jwt_refresh.rb

@@ -51,11 +51,8 @@ module Rodauth
           end
         else
           json_response[json_response_error_key] = jwt_refresh_invalid_token_message
-          response.status ||= json_response_error_status
         end
-        response['Content-Type'] ||= json_response_content_type
-        response.write(_json_response_body(json_response))
-        request.halt
+        _return_json_response
       end
     end
 

data/lib/rodauth/features/remember.rb

@@ -134,6 +134,7 @@ module Rodauth
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       opts[:path] = "/" unless opts.key?(:path)
       opts[:httponly] = true unless opts.key?(:httponly)
+      opts[:secure] = true unless opts.key?(:secure) || !request.ssl?
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 

data/lib/rodauth/features/webauthn_verify_account.rb

@@ -29,7 +29,7 @@ module Rodauth
 
     def before_verify_account
       super
-      if features.include?(:jwt) && use_jwt? && !param_or_nil(webauthn_setup_param)
+      if features.include?(:json) && use_json? && !param_or_nil(webauthn_setup_param)
         cred = new_webauthn_credential
         json_response[webauthn_setup_param] = cred.as_json
         json_response[webauthn_setup_challenge_param] = cred.challenge

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 8
+  MINOR = 9
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-06 00:00:00.000000000 Z
+date: 2021-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -252,6 +252,7 @@ extra_rdoc_files:
 - doc/email_auth.rdoc
 - doc/email_base.rdoc
 - doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
 - doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
@@ -311,6 +312,7 @@ extra_rdoc_files:
 - doc/release_notes/2.6.0.txt
 - doc/release_notes/2.7.0.txt
 - doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -352,6 +354,7 @@ files:
 - doc/guides/status_column.rdoc
 - doc/guides/totp_or_recovery.rdoc
 - doc/http_basic_auth.rdoc
+- doc/json.rdoc
 - doc/jwt.rdoc
 - doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
@@ -398,6 +401,7 @@ files:
 - doc/release_notes/2.6.0.txt
 - doc/release_notes/2.7.0.txt
 - doc/release_notes/2.8.0.txt
+- doc/release_notes/2.9.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -430,6 +434,7 @@ files:
 - lib/rodauth/features/email_auth.rb
 - lib/rodauth/features/email_base.rb
 - lib/rodauth/features/http_basic_auth.rb
+- lib/rodauth/features/json.rb
 - lib/rodauth/features/jwt.rb
 - lib/rodauth/features/jwt_cors.rb
 - lib/rodauth/features/jwt_refresh.rb