rodauth 1.16.0 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3e8136954b7c89f30d79ddde2b4741f52f79e20f37419eadd6d41318f9a7307
-  data.tar.gz: 4c24e750803018e9213111cc7b2542dee126ffa824b2eee340cac431450cce68
+  metadata.gz: b1798ddc466406349db5af1aade5b74cc46996c13c2fa67deaba0b4dd868f5a8
+  data.tar.gz: fc4232e2eefd30d947285667355fe67bfcd3cd8bb8271d5137f812da525b7ff2
 SHA512:
-  metadata.gz: 8920079043a45421794ac3dac2b4c7e2adc24b0c2a5a53c272fd53341c8148e0848020aeea2113d1cea6ab793c93f30bc59ad6a2a82fdd3d533a8988110fcc8a
-  data.tar.gz: 1d6f4b1efc597efb5ffda44b9725d1768e13117d954f465a09cc4af8bbe28be8c455980db8a8fc778ac6c5aa974812684c619c4fd9743b0c3559ac44db6e2999
+  metadata.gz: cb68af1641b0c62f21ac2c0dca6fff2384e4fd45e6110e0bf4ef7ebf7d037475aa0a6f2caa84218303c49be23fc0d05a0735e484374bc9bb4b229967cd9574b2
+  data.tar.gz: e2d63f243e0ebfded4b2145cec4b2ae6c9f27980e4a41c9de2b2726aeb22fa4e488a1ae68defb33adfe724666aa6d41649694d06aec06b7de8fd6abe85b57304

data/CHANGELOG

@@ -1,3 +1,7 @@
+=== 1.17.0 (2018-06-11)
+
+* Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
+
 === 1.16.0 (2018-03-09)
 
 * Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)

data/README.rdoc

@@ -59,11 +59,15 @@ There are some dependencies that Rodauth uses by default, but are
 development dependencies instead of runtime dependencies in the
 gem as it is possible to run without them:
 
-tilt, rack_csrf :: Used by all features unless in JSON API only mode.
+tilt :: Used by all features unless in JSON API only mode.
+rack_csrf :: Used by all features unless in JSON API only mode
+             or the :csrf=>false|:route_csrf option is used when
+             loading the Rodauth plugin.
 bcrypt :: Used by default for password matching, can be skipped
           if password_match? is overridden for custom authentication.
 mail :: Used by default for mailing in the reset password, verify
-        account, and lockout features.
+        account, verify_login_change, change_password_notify, and
+        lockout features.
 rotp, rqrcode :: Used by the otp feature
 jwt :: Used by the jwt feature
 
@@ -545,6 +549,32 @@ One thing to notice in the above migrations is that Rodauth uses additional
 tables for additional features, instead of additional columns in a single
 table.
 
+=== Locking Down (PostgreSQL only)
+
+After running the migrations, you can increase security slightly by making
+it not possible for the +ph+ account to login to the database directly.
+This can be accomplished by modifying the +pg_hba.conf+ file.  You can also
+consider restricting access using GRANT/REVOKE.
+
+You can restrict access to the database itself to just the +app+ account.  You
+can run this using the +app+ account, since that account owns the database:
+
+  GRANT ALL ON DATABASE ${DATABASE_NAME} TO ${DATABASE_NAME};
+  REVOKE ALL ON DATABASE ${DATABASE_NAME} FROM public;
+
+You can also restrict access to the public schema (this is not needed if you
+are using a custom schema).  Note that by default, the database superuser
+owns the public schema, so you have to run this as the database superuser
+account (generally +postgres+):
+
+  GRANT ALL ON SCHEMA public TO ${DATABASE_NAME};
+  GRANT USAGE ON SCHEMA public TO ${DATABASE_NAME}_password;
+  REVOKE ALL ON SCHEMA public FROM public;
+
+If you are using MySQL or Microsoft SQL Server, please consult their
+documentation for how to restrict access so that the +ph+ account cannot
+login directly.
+
 == Usage
 
 === Basic Usage
@@ -588,7 +618,7 @@ response :: RodaResponse instance
 scope :: Roda instance
 session :: session hash
 flash :: flash message hash
-account :: account model instance (if set by an earlier Rodauth method)
+account :: account hash (if set by an earlier Rodauth method)
 
 So if you want to log the IP address for the user during login:
 
@@ -625,6 +655,23 @@ overriding for all behavior, using any information from the request:
 By allowing every configuration method to take a block, Rodauth
 should be flexible enough to integrate into most legacy systems.
 
+=== Plugin Options
+
+When loading the rodauth plugin, you can also pass an options hash,
+which configures which dependent plugins should be loaded. Options:
+
+:csrf :: Set to +false+ to not load a csrf plugin.  Set to +:route_csrf+
+         to use the route_csrf plugin instead of the csrf plugin. It is
+         recommended to set the +:route_csrf+ option as that allows
+         for more secure request-specific CSRF tokens.
+:flash :: Set to +false+ to not load the flash plugin
+:json :: Set to +true+ to load the json and json_parser plugins. Set
+         to +:only+ to only load those plugins and not any other plugins.
+         Note that if you are enabling features that send email, you
+         still need to load the render plugin manually.
+:name :: Provide a name for the given Rodauth configuration, used to
+         support multiple Rodauth configurations in a given Roda application.
+
 === Feature Documentation
 
 The options/methods for the supported features are listed on a

data/doc/base.rdoc

@@ -85,7 +85,12 @@ use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded i
                         the database.  Defaults to whether deadline values should
                         be set.
 use_database_authentication_functions? :: Whether to use functions to do authentication.
-                                          True by default on PostgreSQL, false otherwise.
+                                          True by default on PostgreSQL, MySQL, and
+                                          Microsoft SQL Server, false otherwise.
+use_request_specific_csrf_tokens? :: Whether to use request-specific CSRF tokens.
+                                     True if the :csrf=>:route_csrf option is used when
+                                     loading the plugin, and the Roda route_csrf plugin
+                                     is configured to use request-specific CSRF tokens.
 
 == Auth Methods
 
@@ -97,9 +102,9 @@ before_login :: Run arbitrary code after password has been checked, but
 before_login_attempt :: Run arbitrary code after an account has been
                         located, but before the password has been checked.
 before_rodauth :: Run arbitrary code before handling any rodauth route.
-account_from_login(login) :: Retrieve the account model instance related to the
+account_from_login(login) :: Retrieve the account hash related to the
                              given login or nil if no login matches.
-account_from_session :: Retrieve the account model instance related to the currently
+account_from_session :: Retrieve the account hash related to the currently
                         logged in session.
 account_id :: The primary key value of the current account
 account_session_value :: The primary value of the account currently stored in the
@@ -110,7 +115,7 @@ authenticated? :: Whether the user has been authenticated. If 2 factor authentic
                   has not been enabled for the account, this is true only if both
                   factors have been authenticated.
 clear_session :: Clears the current session.
-csrf_tag :: The HTML fragment containing the CSRF tag to use, if any.
+csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
 function_name(name) :: The name of the database function to call.  It's passed either
                        :rodauth_get_salt or :rodauth_valid_password_hash.
 logged_in? :: Whether there is an account currently logged in.

data/doc/create_account.rdoc

@@ -29,7 +29,7 @@ create_account_autologin? :: Whether to autologin the user upon
 create_account_link :: HTML fragment to display with a link to the create
                        account form.
 create_account_view :: The HTML to use for the create account form.
-new_account(login) :: Instantiate a new account model instance for the
+new_account(login) :: Instantiate a new account hash for the
                       given login, without saving it.
 save_account :: Insert the account into the database, or return nil/false if that
                 was not successful.

data/doc/release_notes/1.17.0.txt

@@ -0,0 +1,23 @@
+= Improvements
+
+* Support has been added for using Roda's route_csrf plugin with
+  request-specific CSRF tokens.  When loading the Rodauth into
+  your Roda app, specify the :csrf=>:route_csrf plugin option
+  so that Rodauth will load the route_csrf plugin instead of
+  the csrf plugin.
+
+* The use_request_specific_csrf_tokens? configuration option
+  has been added, it defaults to true when the the
+  :csrf=>:route_csrf option is used when loading the plugin.
+
+* If you have custom templates for the reset password request,
+  unlock account request, or verify account resend link
+  request, you will have to update them to use the new
+  request-specific CSRF token feature.
+
+= Backwards Compatibility
+
+* The csrf_tag configuration method now accepts the path as
+  an optional argument, previously it accepted no arguments.
+  The optional argument defaults to the path of the current
+  request.

data/lib/rodauth.rb

@@ -4,15 +4,27 @@ require 'securerandom'
 
 module Rodauth
   def self.load_dependencies(app, opts={})
-    if opts[:json]
+    json_opt = opts.fetch(:json, app.opts[:rodauth_json])
+    if json_opt
       app.plugin :json
       app.plugin :json_parser
     end
 
-    unless opts[:json] == :only
+    unless json_opt == :only
       require 'tilt/string'
       app.plugin :render
-      app.plugin :csrf unless opts[:csrf] == false
+
+      case opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
+      when false
+        # nothing
+      when :route_csrf
+        # :nocov:
+        app.plugin :route_csrf
+        # :nocov:
+      else
+        app.plugin :csrf
+      end
+
       app.plugin :flash unless opts[:flash] == false
       app.plugin :h
     end
@@ -20,6 +32,7 @@ module Rodauth
 
   def self.configure(app, opts={}, &block)
     app.opts[:rodauth_json] = opts.fetch(:json, app.opts[:rodauth_json])
+    app.opts[:rodauth_csrf] = opts.fetch(:csrf, app.opts[:rodauth_route_csrf])
     auth_class = (app.opts[:rodauths] ||= {})[opts[:name]] ||= Class.new(Auth)
     if !auth_class.roda_class
       auth_class.roda_class = app

data/lib/rodauth/features/base.rb

@@ -53,7 +53,8 @@ module Rodauth
       :require_login_redirect,
       :set_deadline_values?,
       :use_date_arithmetic?,
-      :use_database_authentication_functions?
+      :use_database_authentication_functions?,
+      :use_request_specific_csrf_tokens?
     )
 
     auth_methods(
@@ -231,8 +232,16 @@ module Rodauth
       @account = _account_from_session
     end
 
-    def csrf_tag
-      scope.csrf_tag if scope.respond_to?(:csrf_tag)
+    def csrf_tag(path=request.path)
+      return unless scope.respond_to?(:csrf_tag)
+
+      if use_request_specific_csrf_tokens?
+        # :nocov:
+        scope.csrf_tag(path)
+        # :nocov:
+      else
+        scope.csrf_tag
+      end
     end
 
     def button_opts(value, opts)
@@ -379,6 +388,10 @@ module Rodauth
       end
     end
 
+    def use_request_specific_csrf_tokens?
+      scope.opts[:rodauth_csrf] == :route_csrf && scope.use_request_specific_csrf_tokens?
+    end
+
     def function_name(name)
       if db.database_type == :mssql
         # :nocov:

data/lib/rodauth/version.rb

@@ -1,7 +1,22 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.16.0'.freeze
+  # The major version of Rodauth, updated only for major changes that are
+  # likely to require modification to apps using Rodauth.
+  MAJOR = 1
+
+  # The minor version of Rodauth, updated for new feature releases of Rodauth.
+  MINOR = 17
+
+  # The patch version of Rodauth, updated only for bug fixes from the last
+  # feature release.
+  TINY = 0
+
+  # The full version of Rodauth as a string
+  VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze
+
+  # The full version of Rodauth as a number (1.17.0 => 11700)
+  VERSION_NUMBER = MAJOR*10000 + MINOR*100 + TINY
 
   def self.version
     VERSION

data/spec/change_password_spec.rb

@@ -92,7 +92,6 @@ describe 'Rodauth change_password feature' do
   end
 
   it "should support invalid_previous_password_message" do
-    require_password = true
     rodauth do
       enable :login, :logout, :change_password
       invalid_previous_password_message "Previous password not correct"

data/spec/password_expiration_spec.rb

@@ -152,7 +152,7 @@ describe 'Rodauth password expiration feature' do
     rodauth do
       enable :login, :change_password, :password_expiration
       password_expiration_default true
-      allow_password_change_after -1000
+      allow_password_change_after(-1000)
       change_password_requires_password? false
       require_password_change_after 3600
     end

data/spec/rodauth_spec.rb

@@ -184,7 +184,7 @@ describe 'Rodauth' do
 
   it "should support multiple rodauth configurations in an app" do
     app = Class.new(Base)
-    app.plugin(:rodauth) do
+    app.plugin(:rodauth, rodauth_opts) do
       enable :login
       if ENV['RODAUTH_SEPARATE_SCHEMA']
         password_hash_table Sequel[:rodauth_test_password][:account_password_hashes]
@@ -193,10 +193,18 @@ describe 'Rodauth' do
         end
       end
     end
-    app.plugin(:rodauth, :name=>:r2) do
+    app.plugin(:rodauth, rodauth_opts.merge(:name=>:r2)) do
       enable :logout
     end
+
+    if Minitest::HooksSpec::USE_ROUTE_CSRF
+      app.plugin :route_csrf, Minitest::HooksSpec::ROUTE_CSRF_OPTS
+    end
+
     app.route do |r|
+      if Minitest::HooksSpec::USE_ROUTE_CSRF
+        check_csrf!
+      end
       r.on 'r1' do
         r.rodauth
         'r1'

data/spec/spec_helper.rb

@@ -2,7 +2,7 @@ $: << 'lib'
 
 if ENV['WARNING']
   require 'warning'
-  Warning.ignore([:missing_ivar, :missing_gvar, :fixnum])
+  Warning.ignore([:missing_ivar, :missing_gvar, :fixnum, :not_reached])
   #Warning.ignore(/warning: URI\.escape is obsolete\n\z/)
   Warning.ignore(:method_redefined, File.dirname(File.dirname(__FILE__)))
 end
@@ -29,6 +29,8 @@ require 'capybara'
 require 'capybara/dsl'
 require 'rack/test'
 require 'stringio'
+
+ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
 gem 'minitest'
 require 'minitest/autorun'
 require 'minitest/hooks/default'
@@ -83,6 +85,17 @@ JsonBase.plugin(:not_found){raise "path #{request.path_info} not found"}
 class Minitest::HooksSpec
   include Rack::Test::Methods
   include Capybara::DSL
+  
+  case ENV['RODA_ROUTE_CSRF']
+  when '1'
+    USE_ROUTE_CSRF = true
+    ROUTE_CSRF_OPTS = {}
+  when '2'
+    USE_ROUTE_CSRF = true
+    ROUTE_CSRF_OPTS = {:require_request_specific_tokens=>false}
+  else
+    USE_ROUTE_CSRF = false
+  end
 
   attr_reader :app
 
@@ -98,6 +111,14 @@ class Minitest::HooksSpec
     @rodauth_block = block
   end
 
+  def rodauth_opts(type={})
+    opts = type.is_a?(Hash) ? type : {}
+    if USE_ROUTE_CSRF && !opts.has_key?(:csrf)
+      opts[:csrf] = :route_csrf
+    end
+    opts
+  end
+
   def roda(type=nil, &block)
     jwt_only = type == :jwt
     jwt = type == :jwt || type == :jwt_html
@@ -111,7 +132,7 @@ class Minitest::HooksSpec
     app.opts[:unsupported_matcher] = :raise
     app.opts[:verbatim_string_matcher] = true
     rodauth_block = @rodauth_block
-    opts = type.is_a?(Hash) ? type : {}
+    opts = rodauth_opts(type)
 
     if jwt
       opts[:json] = jwt_only ? :only : true
@@ -133,6 +154,14 @@ class Minitest::HooksSpec
       end
       instance_exec(&rodauth_block)
     end
+    if USE_ROUTE_CSRF && !jwt_only && opts[:csrf] != false
+      app.plugin(:route_csrf, ROUTE_CSRF_OPTS)
+      orig_block = block
+      block = proc do |r|
+        check_csrf!
+        instance_exec(r, &orig_block)
+      end
+    end
     app.route(&block)
     app.precompile_rodauth_templates unless @no_precompile || jwt_only
     app.freeze unless @no_freeze

data/spec/verify_login_change_spec.rb

@@ -102,7 +102,7 @@ describe 'Rodauth verify_login_change feature' do
     fill_in 'Login', :with=>'foo@example2.com'
     fill_in 'Confirm Login', :with=>'foo@example2.com'
     click_button 'Change Login'
-    link = email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com')
+    email_link(/(\/verify-login-change\?key=.+)$/, 'foo@example2.com')
     page.find('#notice_flash').text.must_equal "An email has been sent to you with a link to verify your login change"
 
     unique = lambda{DB[:account_login_change_keys].update(:login=>'foo@example3.com'); true}

data/templates/reset-password-request.str

@@ -1,6 +1,6 @@
 <form action="#{rodauth.prefix}/#{rodauth.reset_password_request_route}" method="post" class="rodauth form-horizontal" role="form" id="reset-password-request-form">
   #{rodauth.reset_password_request_additional_form_tags}
-  #{rodauth.csrf_tag}
+  #{rodauth.csrf_tag("#{rodauth.prefix}/#{rodauth.reset_password_request_route}")}
   <p>If you have forgotten your password, you can request a password reset: </p>
   #{(login = rodauth.param_or_nil(rodauth.login_param)) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
   #{rodauth.button(rodauth.reset_password_request_button)}

data/templates/unlock-account-request.str

@@ -1,6 +1,6 @@
 <form action="#{rodauth.prefix}/#{rodauth.unlock_account_request_route}" method="post" class="rodauth form-horizontal" role="form" id="unlock-account-request-form">
   #{rodauth.unlock_account_request_additional_form_tags}
-  #{rodauth.csrf_tag}
+  #{rodauth.csrf_tag("#{rodauth.prefix}/#{rodauth.unlock_account_request_route}")}
   <input type="hidden" name="#{rodauth.login_param}" value="#{h rodauth.param(rodauth.login_param)}"/>
   This account is currently locked out.  You can request that the account be unlocked: 
   <input type="submit" class="btn btn-primary inline" value="#{rodauth.unlock_account_request_button}"/>

data/templates/verify-account-resend.str

@@ -1,6 +1,6 @@
 <form action="#{rodauth.prefix}/#{rodauth.verify_account_resend_route}" method="post" class="rodauth form-horizontal" role="form" id="verify-account-resend-form">
   #{rodauth.verify_account_resend_additional_form_tags}
-  #{rodauth.csrf_tag}
+  #{rodauth.csrf_tag("#{rodauth.prefix}/#{rodauth.verify_account_resend_route}")}
   <p>If you no longer have the email to verify the account, you can request that it be resent to you:</p>
   #{(login = rodauth.param_or_nil(rodauth.login_param)) ? "<input type=\"hidden\" name=\"#{rodauth.login_param}\" value=\"#{h login}\"/>" : rodauth.render('login-field')}
   #{rodauth.button(rodauth.verify_account_resend_button)}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.17.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-09 00:00:00.000000000 Z
+date: 2018-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -196,42 +196,50 @@ extra_rdoc_files:
 - README.rdoc
 - CHANGELOG
 - MIT-LICENSE
+- doc/change_password_notify.rdoc
+- doc/account_expiration.rdoc
 - doc/base.rdoc
-- doc/login.rdoc
-- doc/logout.rdoc
+- doc/change_login.rdoc
 - doc/change_password.rdoc
-- doc/reset_password.rdoc
-- doc/remember.rdoc
-- doc/create_account.rdoc
+- doc/confirm_password.rdoc
 - doc/close_account.rdoc
-- doc/verify_account.rdoc
+- doc/http_basic_auth.rdoc
+- doc/create_account.rdoc
+- doc/email_base.rdoc
+- doc/internals.rdoc
+- doc/disallow_common_passwords.rdoc
+- doc/disallow_password_reuse.rdoc
+- doc/password_complexity.rdoc
+- doc/jwt.rdoc
 - doc/lockout.rdoc
+- doc/login.rdoc
+- doc/logout.rdoc
 - doc/otp.rdoc
-- doc/change_login.rdoc
-- doc/password_complexity.rdoc
-- doc/disallow_password_reuse.rdoc
+- doc/login_password_requirements_base.rdoc
+- doc/verify_change_login.rdoc
 - doc/password_expiration.rdoc
-- doc/account_expiration.rdoc
-- doc/single_session.rdoc
+- doc/password_grace_period.rdoc
 - doc/recovery_codes.rdoc
+- doc/remember.rdoc
+- doc/reset_password.rdoc
+- doc/session_expiration.rdoc
+- doc/single_session.rdoc
 - doc/sms_codes.rdoc
-- doc/email_base.rdoc
 - doc/two_factor_base.rdoc
-- doc/jwt.rdoc
-- doc/password_grace_period.rdoc
-- doc/session_expiration.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/verify_account_grace_period.rdoc
-- doc/confirm_password.rdoc
-- doc/verify_change_login.rdoc
 - doc/update_password_hash.rdoc
-- doc/http_basic_auth.rdoc
+- doc/verify_account.rdoc
+- doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
-- doc/internals.rdoc
-- doc/change_password_notify.rdoc
-- doc/disallow_common_passwords.rdoc
+- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
+- doc/release_notes/1.10.0.txt
+- doc/release_notes/1.11.0.txt
+- doc/release_notes/1.12.0.txt
+- doc/release_notes/1.13.0.txt
+- doc/release_notes/1.14.0.txt
+- doc/release_notes/1.15.0.txt
+- doc/release_notes/1.16.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -240,13 +248,6 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
-- doc/release_notes/1.10.0.txt
-- doc/release_notes/1.11.0.txt
-- doc/release_notes/1.12.0.txt
-- doc/release_notes/1.13.0.txt
-- doc/release_notes/1.14.0.txt
-- doc/release_notes/1.15.0.txt
-- doc/release_notes/1.16.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -285,6 +286,7 @@ files:
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
 - doc/release_notes/1.16.0.txt
+- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
@@ -442,7 +444,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications