rodauth 1.20.0 → 1.21.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +6 -0
- data/doc/internals.rdoc +1 -1
- data/doc/release_notes/1.21.0.txt +12 -0
- data/lib/rodauth/features/otp.rb +8 -3
- data/lib/rodauth/version.rb +1 -1
- data/spec/two_factor_spec.rb +40 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e2660e5b2f14afadab7d56a0a7329ff3f22cea0bb800fa952b3b40c3dcfbcb29
|
|
4
|
+
data.tar.gz: 34b96d4d8bc26d641288af6bced9a42b9a895790b019a03b00c3f0e55b67843b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c1f90ea3269e61b7de2e336bbe08ccde86b9d343d4b773971fcda7c4f3294804d9b251087978a57ae6eb0fea0a435fd16f0dd239ae524c465739fa6a129b3584
|
|
7
|
+
data.tar.gz: 6d8b86790ac1214bd48fffea3aaeffdce63351b8bf6fc40dce6ca96fa471f84a2d08be525d804f5138ba5664ac73bbc68bfda6f279ef17655fc4f24e64bd23d0
|
data/CHANGELOG
CHANGED
data/doc/internals.rdoc
CHANGED
|
@@ -183,7 +183,7 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
|
|
|
183
183
|
foo_view
|
|
184
184
|
end
|
|
185
185
|
|
|
186
|
-
# Just like in Roda, r.post is called for
|
|
186
|
+
# Just like in Roda, r.post is called for POST requests
|
|
187
187
|
r.post do
|
|
188
188
|
# This is called before performing the foo action
|
|
189
189
|
before_foo
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
= Improvements
|
|
2
|
+
|
|
3
|
+
* rotp 5.1 is now supported in the otp feature. Previous rotp
|
|
4
|
+
versions down to rotp 2.1.1 remain supported.
|
|
5
|
+
|
|
6
|
+
* When using the otp feature without the sms or recovery_codes
|
|
7
|
+
features, if an account gets locked out from OTP authentication due
|
|
8
|
+
to multiple invalid OTP authentication codes, automatically log
|
|
9
|
+
them out, and redirect them to the login page. Previously, the
|
|
10
|
+
default behavior in this case could be a redirect loop if OTP
|
|
11
|
+
authentication is required for the user on the default_redirect
|
|
12
|
+
page.
|
data/lib/rodauth/features/otp.rb
CHANGED
|
@@ -109,7 +109,12 @@ module Rodauth
|
|
|
109
109
|
if otp_locked_out?
|
|
110
110
|
set_response_error_status(lockout_error_status)
|
|
111
111
|
set_redirect_error_flash otp_lockout_error_flash
|
|
112
|
-
|
|
112
|
+
if redir = otp_lockout_redirect
|
|
113
|
+
redirect redir
|
|
114
|
+
else
|
|
115
|
+
clear_session
|
|
116
|
+
redirect require_login_redirect
|
|
117
|
+
end
|
|
113
118
|
end
|
|
114
119
|
|
|
115
120
|
before_otp_auth_route
|
|
@@ -241,7 +246,7 @@ module Rodauth
|
|
|
241
246
|
|
|
242
247
|
def otp_lockout_redirect
|
|
243
248
|
return super if defined?(super)
|
|
244
|
-
|
|
249
|
+
nil
|
|
245
250
|
end
|
|
246
251
|
|
|
247
252
|
def otp_lockout_error_flash
|
|
@@ -359,7 +364,7 @@ module Rodauth
|
|
|
359
364
|
if ROTP::Base32.respond_to?(:random_base32)
|
|
360
365
|
# :nocov:
|
|
361
366
|
def otp_new_secret
|
|
362
|
-
ROTP::Base32.random_base32
|
|
367
|
+
ROTP::Base32.random_base32.downcase
|
|
363
368
|
end
|
|
364
369
|
# :nocov:
|
|
365
370
|
else
|
data/lib/rodauth/version.rb
CHANGED
data/spec/two_factor_spec.rb
CHANGED
|
@@ -560,10 +560,49 @@ describe 'Rodauth OTP feature' do
|
|
|
560
560
|
DB[:account_recovery_codes].select_order_map(:code).must_equal ['a', 'b']
|
|
561
561
|
end
|
|
562
562
|
|
|
563
|
+
it "should handle two factor lockout when using rodauth.require_two_factor_setup and rodauth.require_authentication" do
|
|
564
|
+
rodauth do
|
|
565
|
+
enable :login, :logout, :otp
|
|
566
|
+
otp_drift 10
|
|
567
|
+
end
|
|
568
|
+
roda do |r|
|
|
569
|
+
r.rodauth
|
|
570
|
+
rodauth.require_authentication
|
|
571
|
+
rodauth.require_two_factor_setup
|
|
572
|
+
|
|
573
|
+
view :content=>"Logged in"
|
|
574
|
+
end
|
|
575
|
+
|
|
576
|
+
login
|
|
577
|
+
page.title.must_equal 'Setup Two Factor Authentication'
|
|
578
|
+
secret = page.html.match(/Secret: ([a-z2-7]{#{secret_length}})/)[1]
|
|
579
|
+
totp = ROTP::TOTP.new(secret)
|
|
580
|
+
fill_in 'Password', :with=>'0123456789'
|
|
581
|
+
fill_in 'Authentication Code', :with=>totp.now
|
|
582
|
+
click_button 'Setup Two Factor Authentication'
|
|
583
|
+
page.find('#notice_flash').text.must_equal 'Two factor authentication is now setup'
|
|
584
|
+
page.current_path.must_equal '/'
|
|
585
|
+
page.html.must_include 'Logged in'
|
|
586
|
+
reset_otp_last_use
|
|
587
|
+
|
|
588
|
+
logout
|
|
589
|
+
login
|
|
590
|
+
|
|
591
|
+
6.times do
|
|
592
|
+
page.title.must_equal 'Enter Authentication Code'
|
|
593
|
+
fill_in 'Authentication Code', :with=>'foo'
|
|
594
|
+
click_button 'Authenticate via 2nd Factor'
|
|
595
|
+
end
|
|
596
|
+
page.find('#error_flash').text.must_equal 'Authentication code use locked out due to numerous failures.'
|
|
597
|
+
page.title.must_include 'Login'
|
|
598
|
+
page.current_path.must_equal '/login'
|
|
599
|
+
end
|
|
600
|
+
|
|
563
601
|
it "should allow two factor authentication setup, login, removal without recovery" do
|
|
564
602
|
rodauth do
|
|
565
603
|
enable :login, :logout, :otp
|
|
566
604
|
otp_drift 10
|
|
605
|
+
otp_lockout_redirect '/'
|
|
567
606
|
end
|
|
568
607
|
roda do |r|
|
|
569
608
|
r.rodauth
|
|
@@ -1149,7 +1188,7 @@ describe 'Rodauth OTP feature' do
|
|
|
1149
1188
|
json_request(path).must_equal [403, {'error'=>'SMS authentication has not been setup yet.'}]
|
|
1150
1189
|
end
|
|
1151
1190
|
|
|
1152
|
-
secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random.downcase
|
|
1191
|
+
secret = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random).downcase
|
|
1153
1192
|
totp = ROTP::TOTP.new(secret)
|
|
1154
1193
|
|
|
1155
1194
|
res = json_request('/otp-setup', :password=>'123456', :otp_secret=>secret)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.21.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-07-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -253,6 +253,7 @@ extra_rdoc_files:
|
|
|
253
253
|
- doc/release_notes/1.18.0.txt
|
|
254
254
|
- doc/release_notes/1.19.0.txt
|
|
255
255
|
- doc/release_notes/1.20.0.txt
|
|
256
|
+
- doc/release_notes/1.21.0.txt
|
|
256
257
|
files:
|
|
257
258
|
- CHANGELOG
|
|
258
259
|
- MIT-LICENSE
|
|
@@ -298,6 +299,7 @@ files:
|
|
|
298
299
|
- doc/release_notes/1.19.0.txt
|
|
299
300
|
- doc/release_notes/1.2.0.txt
|
|
300
301
|
- doc/release_notes/1.20.0.txt
|
|
302
|
+
- doc/release_notes/1.21.0.txt
|
|
301
303
|
- doc/release_notes/1.3.0.txt
|
|
302
304
|
- doc/release_notes/1.4.0.txt
|
|
303
305
|
- doc/release_notes/1.5.0.txt
|