rodauth 1.10.0 → 1.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b1741b1db3b830dd1edde47d251c388e51901d85
-  data.tar.gz: 1066a17b7b2a3565335cbcd47ef6903d3c1f5a93
+  metadata.gz: f15b58f396d567f884cc2aaf40794e07110e2091
+  data.tar.gz: 69a0eadaf802e8c82793c9c43084b0e4f442c8f7
 SHA512:
-  metadata.gz: 76b1d26463432bb939565f09b3779cbdf6f8d7b632079115eaf62288c2817f80c1f24752e3847893e17242eadb21eccfae5cc7d7df54a45f4f7be2032207e751
-  data.tar.gz: 59c18ab583fde50543c9284a7831d2fbf2087d64bb8e5c33a257b82cd3b3ded7c6d28f1a38a6a32cbba04d1c34ff9d2d87264a9356fc44cc40c02ceac8298454
+  metadata.gz: 7bcc3c3455093d1a1a21c358f99c4440a1a09ead7d34087a541490ab4e73acf1b7bea97ce0bbc2675392fbbae96b70ed9099ab63182355a647830d1877a143b5
+  data.tar.gz: 03b37be1351549b1e8b5c6a8e3c102a26c946501b11282081ce92213c9ab169077edf1a75b920589a3a4d1d905732d6cb6ac91197f181305f9002791ca109f35

data/CHANGELOG

@@ -1,3 +1,11 @@
+=== 1.11.0 (2017-04-24)
+
+* Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
+
+* Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
+
+* Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
+
 === 1.10.0 (2017-03-23)
 
 * Add Internals Guide (jeremyevans)

data/doc/base.rdoc

@@ -16,7 +16,8 @@ account_password_hash_column :: Set if the password hash column is in the same
 db :: The Sequel::Database object used for database access.
 prefix :: The routing prefix used for Rodauth routes.  If you are calling
           in a routing subtree, this should be set to the root path of the
-          subtree.
+          subtree.  This should include a leading slash if set, but not a
+          trailing slash.
 require_bcrypt? :: Set to false to not require bcrypt, useful if using custom
                    authentication.
 session_key :: The key in the session hash storing the primary key of the
@@ -50,6 +51,8 @@ lockout_error_status :: The response status to use a login is attempted to an ac
 login_column :: The login column in the account model.
 login_label :: The label to use for logins.
 login_param :: The parameter name to use for logins.
+login_required_error_status :: The response status to return when a login is required
+                               and you are not logged in, if not redirecting, 401 by detault
 modifications_require_password? :: Whether making changes to an account requires
                                    the user reinputing their password.
 no_matching_login_error_status :: The response status to use when the login is not

data/doc/internals.rdoc

@@ -149,7 +149,7 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
       # methods are actually defined in terms of this method.
       #
       # So this particular method defines a foo_error_status method that will return 401 by
-      # default, but also adds a cofniguration method that allows you to override the default.
+      # default, but also adds a configuration method that allows you to override the default.
       auth_value_method :foo_error_status, 401
 
       # This is similar to auth_value_method, but it only adds the configuration method.

data/doc/jwt.rdoc

@@ -33,6 +33,11 @@ will probably result in an error if a request to a Rodauth endpoint comes
 in with a Content-Type that isn't application/json, unless you also set
 <tt>only_json? false</tt> in your rodauth configuration.
 
+If you would like to check if a valid JWT was submitted with the current
+request in your Roda app, you can call the rodauth.valid_jwt? method.  If
+rodauth.valid_jwt?  returns true, the contents of the jwt can be retrieved
+from rodauth.session.
+
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.

data/doc/password_expiration.rdoc

@@ -21,7 +21,7 @@ expiration is in general a net loss from a security perspective.
 == Auth Value Methods
 
 allow_password_change_after :: How long in seconds after the last password change
-                               until another password change is allowed (0 by default).
+                               until another password change is allowed (always allowed by default).
 password_expiration_error_flash :: The flash error to display when the account's
                                    password has expired and needs to be changed.
 password_not_changeable_yet_error_flash :: The flash error to display when not

data/doc/release_notes/1.11.0.txt

@@ -0,0 +1,32 @@
+= New Features
+
+* A rodauth.valid_jwt? method has been added, allowing for easy
+  checking of whether a valid JWT has been submitted.  If a valid
+  JWT has been submitted, the contents of the JWT will be available
+  in rodauth.session.
+
+* If using the jwt feature with json_response_custom_error_status?
+  set to true, and going to a page that requires a login when not
+  logged in, a 401 error status will now be used instead of a 400
+  error status.  You can customize this status using the new
+  login_required_error_status configuration method.
+
+= Improvements
+
+* Time differences between the database server and the application
+  server are now handled slightly better in the password_expiration
+  feature.  This mostly affects testing, where sometimes tests would
+  previously fail if the database server time was ahead of the
+  application server time when testing whether a password change was
+  allowed.
+
+* Some methods that were private by default, but public if overridden,
+  are now public by default.  These include update_session and
+  only_json? in the base feature, and json_request?, jwt_secret, and
+  use_jwt? in the jwt feature.
+
+= Backwards Compatibility
+
+* The private jwt_payload method in the jwt feature now returns false
+  instead of redirecting on error.  This should not affect the
+  application unless the method was being called explicitly.

data/lib/rodauth/features/base.rb

@@ -23,6 +23,7 @@ module Rodauth
     auth_value_method :invalid_password_error_status, 401
     auth_value_method :invalid_password_message, "invalid password"
     auth_value_method :login_column, :email
+    auth_value_method :login_required_error_status, 401
     auth_value_method :lockout_error_status, 403
     auth_value_method :password_hash_id_column, :id
     auth_value_method :password_hash_column, :password_hash
@@ -182,6 +183,7 @@ module Rodauth
     end
 
     def login_required
+      set_redirect_error_status(login_required_error_status)
       set_redirect_error_flash require_login_error_flash
       redirect require_login_redirect
     end
@@ -253,6 +255,10 @@ module Rodauth
       _view(:render, page)
     end
 
+    def only_json?
+      scope.class.opts[:rodauth_json] == :only
+    end
+
     def post_configure
       require 'bcrypt' if require_bcrypt?
       db.extension :date_arithmetic if use_date_arithmetic?
@@ -273,13 +279,13 @@ module Rodauth
       end
     end
 
-    private
-
     def update_session
       clear_session
       session[session_key] = account_session_value
     end
 
+    private
+
     # Return a string for the parameter name.  This will be an empty
     # string if the parameter doesn't exist.
     def param(key)
@@ -412,10 +418,6 @@ module Rodauth
       {account_status_column=>account_open_status_value}
     end
 
-    def only_json?
-      scope.class.opts[:rodauth_json] == :only
-    end
-
     def template_path(page)
       File.join(File.dirname(__FILE__), '../../../templates', "#{page}.str")
     end

data/lib/rodauth/features/jwt.rb

@@ -43,11 +43,25 @@ module Rodauth
       return super unless use_jwt?
 
       s = {}
-      if jwt_token && (session_data = jwt_session_key ? jwt_payload[jwt_session_key] : jwt_payload)
-        if jwt_symbolize_deeply?
-          s = JSON.parse(JSON.fast_generate(session_data), :symbolize_names=>true)
-        else
-          session_data.each{|k,v| s[k.to_sym] = v}
+      if jwt_token
+        unless session_data = jwt_payload
+          json_response[json_response_error_key] = invalid_jwt_format_error_message
+          response.status ||= json_response_error_status
+          response['Content-Type'] ||= json_response_content_type
+          response.write(request.send(:convert_to_json, json_response))
+          request.halt
+        end
+
+        if jwt_session_key
+          session_data = session_data[jwt_session_key]
+        end
+
+        if session_data
+          if jwt_symbolize_deeply?
+            s = JSON.parse(JSON.fast_generate(session_data), :symbolize_names=>true)
+          else
+            session_data.each{|k,v| s[k.to_sym] = v}
+          end
         end
       end
       @session = s
@@ -83,6 +97,15 @@ module Rodauth
       json_response[json_response_success_key] = message if include_success_messages?
     end
 
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def jwt_secret
+      raise ArgumentError, "jwt_secret not set"
+    end
+
     def jwt_session_hash
       jwt_session_key ? {jwt_session_key=>session} : session
     end
@@ -103,6 +126,14 @@ module Rodauth
       response.headers['Authorization'] = token
     end
 
+    def use_jwt?
+      jwt_token || only_json? || json_request?
+    end
+
+    def valid_jwt?
+      !!(jwt_token && jwt_payload)
+    end
+
     private
 
     def before_rodauth
@@ -139,17 +170,10 @@ module Rodauth
     end
 
     def jwt_payload
-      @jwt_payload ||= JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+      return @jwt_payload if defined?(@jwt_payload)
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
     rescue JWT::DecodeError
-      json_response[json_response_error_key] = invalid_jwt_format_error_message
-      response.status ||= json_response_error_status
-      response['Content-Type'] ||= json_response_content_type
-      response.write(request.send(:convert_to_json, json_response))
-      request.halt
-    end
-
-    def jwt_secret
-      raise ArgumentError, "jwt_secret not set"
+      @jwt_payload = false
     end
 
     def redirect(_)
@@ -189,11 +213,6 @@ module Rodauth
       set_jwt_token(session_jwt)
     end
 
-    def json_request?
-      return @json_request if defined?(@json_request)
-      @json_request = request.content_type =~ json_request_content_type_regexp
-    end
-
     def set_redirect_error_status(status)
       if json_request? && json_response_custom_error_status?
         response.status = status
@@ -207,9 +226,5 @@ module Rodauth
 
       super
     end
-
-    def use_jwt?
-      jwt_token || only_json? || json_request?
-    end
   end
 end

data/lib/rodauth/features/password_expiration.rb

@@ -10,7 +10,7 @@ module Rodauth
     redirect :password_not_changeable_yet 
     redirect(:password_change_needed){"#{prefix}/#{change_password_route}"}
 
-    auth_value_method :allow_password_change_after, 0
+    auth_value_method :allow_password_change_after, -86400
     auth_value_method :require_password_change_after, 90*86400
     auth_value_method :password_expiration_table, :account_password_change_times
     auth_value_method :password_expiration_id_column, :id

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.10.0'.freeze
+  VERSION = '1.11.0'.freeze
 
   def self.version
     VERSION

data/spec/http_basic_auth_spec.rb

@@ -104,7 +104,7 @@ describe "Rodauth http basic auth feature" do
 
     @authorization = nil
     res = basic_auth_json_request(:auth=>'.')
-    res.must_equal [400, {'error'=>"Please login to continue"}]
+    res.must_equal [401, {'error'=>"Please login to continue"}]
 
     @authorization = nil
     res = basic_auth_json_request(:username=>'foo@example2.com')

data/spec/jwt_spec.rb

@@ -11,10 +11,10 @@ describe 'Rodauth login feature' do
     end
 
     res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Basic foo'})
-    res.must_equal [400, {'error'=>'Please login to continue'}]
+    res.must_equal [401, {'error'=>'Please login to continue'}]
 
     res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>'Digest foo'})
-    res.must_equal [400, {'error'=>'Please login to continue'}]
+    res.must_equal [401, {'error'=>'Please login to continue'}]
   end
 
   it "should return error message if invalid JWT format used in request Authorization header" do
@@ -103,6 +103,27 @@ describe 'Rodauth login feature' do
     res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
   end
 
+  it "should support valid_jwt? method for checking for valid JWT tokens" do
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      json_response_success_key 'success'
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      [rodauth.valid_jwt?.to_s]
+    end
+
+    res = json_request("/", :method=>'GET')
+    res.must_equal [200, ['false']]
+
+    res = json_request("/login", :method=>'GET')
+    res.must_equal [405, {'error'=>'non-POST method used in JSON API'}]
+
+    res = json_request("/", :method=>'GET')
+    res.must_equal [200, ['true']]
+  end
+
   it "should require Accept contain application/json if jwt_check_accept? is true and Accept is present" do
     rodauth do
       enable :login, :logout, :jwt

data/spec/login_spec.rb

@@ -188,11 +188,18 @@ describe 'Rodauth login feature' do
     roda(:jwt) do |r|
       r.rodauth
       response['Content-Type'] = 'application/json'
+      r.post('foo') do
+        rodauth.require_login
+        '3'
+      end
       rodauth.logged_in? ? '1' : '2'
     end
 
     json_request.must_equal [200, 2]
 
+    res = json_request("/foo")
+    res.must_equal [401, {"error"=>"Please login to continue"}]
+
     res = json_request("/login", :login=>'foo@example2.com', :password=>'0123456789')
     res.must_equal [401, {'error'=>"There was an error logging in", "field-error"=>["login", "no matching login"]}]
 
@@ -202,6 +209,8 @@ describe 'Rodauth login feature' do
     json_request("/login", :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
     json_request.must_equal [200, 1]
 
+    res = json_request("/foo").must_equal [200, 3]
+
     json_request("/logout").must_equal [200, {"success"=>'You have been logged out'}]
     json_request.must_equal [200, 2]
   end

data/spec/password_expiration_spec.rb

@@ -152,8 +152,9 @@ describe 'Rodauth password expiration feature' do
     rodauth do
       enable :login, :change_password, :password_expiration
       password_expiration_default true
+      allow_password_change_after -1000
       change_password_requires_password? false
-      require_password_change_after 100
+      require_password_change_after 3600
     end
     roda do |r|
       r.rodauth
@@ -175,7 +176,7 @@ describe 'Rodauth password expiration feature' do
     visit "/expire/90"
     page.current_path.must_equal '/'
 
-    visit "/expire/110"
+    visit "/expire/7200"
     page.current_path.must_equal '/change-password'
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 1.11.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-23 00:00:00.000000000 Z
+date: 2017-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -239,6 +239,7 @@ extra_rdoc_files:
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/1.10.0.txt
+- doc/release_notes/1.11.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -268,6 +269,7 @@ files:
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
+- doc/release_notes/1.11.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -420,7 +422,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications