rodauth 1.21.0 → 1.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2660e5b2f14afadab7d56a0a7329ff3f22cea0bb800fa952b3b40c3dcfbcb29
-  data.tar.gz: 34b96d4d8bc26d641288af6bced9a42b9a895790b019a03b00c3f0e55b67843b
+  metadata.gz: 3379479fde31b70cd341f7d862088a1c29f850a4293bbf08a4ddced9f152a026
+  data.tar.gz: 3ec8abcd54a4da0a230d8d5a064d75febc247ee6ed35e3282b9b3ab2e1dde21d
 SHA512:
-  metadata.gz: c1f90ea3269e61b7de2e336bbe08ccde86b9d343d4b773971fcda7c4f3294804d9b251087978a57ae6eb0fea0a435fd16f0dd239ae524c465739fa6a129b3584
-  data.tar.gz: 6d8b86790ac1214bd48fffea3aaeffdce63351b8bf6fc40dce6ca96fa471f84a2d08be525d804f5138ba5664ac73bbc68bfda6f279ef17655fc4f24e64bd23d0
+  metadata.gz: 6617d309568f8292c01d00343fdea602692fc6ca0be38d9846f0e8415a6da13cee10007e3286e03e2eb9170f693d4b2420861167225aab35ebea87b111627819
+  data.tar.gz: 30efd30667ccb724c0796aa58123beb4d2711ac92a032be21d900ae74391901521d60b6b4806463494fc748461ecac3adb28ce3bf7c1956e6dcd4b72b0fea963

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 1.22.0 (2019-10-29)
+
+* Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
+
+* Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
+
 === 1.21.0 (2019-07-24)
 
 * Support rotp 5.1 in the otp feature (jeremyevans)

data/README.rdoc

@@ -42,6 +42,7 @@ hashes by protecting access via database functions.
 * Single Session (Only one active session per account)
 * JWT (JSON API support for all other features)
 * JWT Refresh (Access & Refresh Token)
+* JWT CORS (Cross-Origin Resource Sharing)
 * Update Password Hash (when hash cost changes)
 * HTTP Basic Auth
 * Change Password Notify
@@ -811,7 +812,8 @@ view the appropriate file in the doc directory.
 * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
 * {Single Session}[rdoc-ref:doc/single_session.rdoc]
 * {JWT}[rdoc-ref:doc/jwt.rdoc]
-* {JWT}[rdoc-ref:doc/jwt_refresh.rdoc]
+* {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
+* {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
 * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
 
 === Calling Rodauth in the Routing Tree

data/doc/base.rdoc

@@ -64,7 +64,7 @@ input_field_label_suffix :: The suffix to use for all labels.  Useful for noting
 input_field_error_class :: The CSS class to use for input fields with errors. Can be a
                            space separated string for multiple CSS classes.
 input_field_error_message_class :: The CSS class to use for error messages. Can be a
-                           space separated string for multiple CSS classes.
+                                   space separated string for multiple CSS classes.
 invalid_field_error_status :: The response status to use for invalid field
                               value errors, 422 by default.
 invalid_key_error_status :: The response status to use for invalid key codes,

data/doc/jwt_cors.rdoc

@@ -0,0 +1,23 @@
+= Documentation for JWT CORS Feature
+
+The jwt_cors feature adds support for Cross-Origin Resource Sharing
+to Rodauth's JSON API.
+
+When this feature is used, CORS requests are handled.  This includes
+CORS preflight requests, which are required since Rodauth's JSON API
+uses the application/json request content type.
+
+This feature depends on the jwt feature.
+
+== Auth Value Methods
+
+jwt_cors_allow_origin :: Which origins are allowed to perform CORS requests.  The default is +false+.  This can be a String, Array of Strings, Regexp, or +true+ to allow CORS requests from any domain.
+jwt_cors_allow_methods :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Methods header (default: 'POST'). This specifies which methods are allowed in CORS requests.
+jwt_cors_allow_headers :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Headers header (default: 'Content-Type, Authorization, Accept'). This specifies which headers can be included in CORS requests.
+jwt_cors_expose_headers :: For allowed CORS requests, the value returned in the Access-Control-Expose-Headers header (default: 'Authorization'). This specifies which headers the browser is allowed to access from a response to a CORS request.
+jwt_cors_max_age :: For allowed CORS-preflight requests, the value returned in the Access-Control-Max-Age header (default: 86400). This specifies how long before the information returned should be considered stale and another CORS preflight request made.
+
+== Auth Methods
+
+jwt_cors_allow? :: Whether the request should be allowed.  This is called for all requests for a Rodauth route that include an Origin header.  It should return true or false for whether to specially handle the cross-origin request.  By default, uses the +jwt_cors_allow_origin+ setting to check the origin.
+

data/doc/release_notes/1.22.0.txt

@@ -0,0 +1,11 @@
+= New Features
+
+* A jwt_cors feature has been added, handling Cross-Origin Resource
+  Sharing when using the jwt feature, including supporting CORS
+  preflight requests.
+
+= Other Improvements
+
+* Mail templates that include links (e.g. for verifying accounts),
+  now add a space after the link and before the newline, fixing
+  issues with some web mail providers that have broken auto-linkers.

data/lib/rodauth/features/jwt_cors.rb

@@ -0,0 +1,53 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:jwt_cors, :JwtCors) do
+    depends :jwt
+
+    auth_value_method :jwt_cors_allow_origin, false
+    auth_value_method :jwt_cors_allow_methods, 'POST'
+    auth_value_method :jwt_cors_allow_headers, 'Content-Type, Authorization, Accept'
+    auth_value_method :jwt_cors_expose_headers, 'Authorization'
+    auth_value_method :jwt_cors_max_age, 86400
+
+    auth_methods(:jwt_cors_allow?)
+
+    def jwt_cors_allow?
+      if origin = request.env['HTTP_ORIGIN']
+        case allowed = jwt_cors_allow_origin
+        when String
+          timing_safe_eql?(origin, allowed)
+        when Array
+          allowed.any?{|s| timing_safe_eql?(origin, s)}
+        when Regexp
+          allowed =~ origin
+        when true
+          true
+        else
+          false
+        end
+      end
+    end
+
+    private
+
+    def before_rodauth
+      if (origin = request.env['HTTP_ORIGIN']) && jwt_cors_allow?
+        response['Access-Control-Allow-Origin'] = origin
+
+        # Handle CORS preflight request
+        if request.request_method == 'OPTIONS'
+          response['Access-Control-Allow-Methods'] = jwt_cors_allow_methods
+          response['Access-Control-Allow-Headers'] = jwt_cors_allow_headers
+          response['Access-Control-Max-Age'] = jwt_cors_max_age.to_s
+          response.status = 204
+          request.halt(response.finish)
+        end
+
+        response['Access-Control-Expose-Headers'] = jwt_cors_expose_headers
+      end
+
+      super
+    end
+  end
+end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 1
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 21
+  MINOR = 22
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/spec/disallow_common_passwords_spec.rb

@@ -18,7 +18,7 @@ describe 'Rodauth disallow common passwords feature' do
     visit '/change-password'
 
     bad_password_file = File.join(File.dirname(File.dirname(File.expand_path(__FILE__))), 'dict', 'top-10_000-passwords.txt')
-    File.read(bad_password_file).split.shuffle.take(5).each do |pass|
+    (File.read(bad_password_file).split.shuffle - ['0123456789']).take(5).each do |pass|
       fill_in 'New Password', :with=>pass
       fill_in 'Confirm Password', :with=>pass
       click_button 'Change Password'

data/spec/jwt_cors_spec.rb

@@ -0,0 +1,57 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe 'Rodauth jwt_cors feature' do
+  it "should support CORS logins if allowed" do
+    origin = false
+    rodauth do
+      enable :login, :jwt_cors
+      jwt_secret '1'
+      json_response_success_key 'success'
+      jwt_cors_allow_origin{origin}
+    end
+    roda(:csrf=>false, :json=>true) do |r|
+      r.rodauth
+      rodauth.require_authentication
+      response['Content-Type'] = 'application/json'
+      '1'
+    end
+
+    # CORS Preflight Request
+    preflight_request = {
+      :method=>'OPTIONS',
+      :headers=>{
+        "HTTP_ACCESS_CONTROL_REQUEST_METHOD"=>"POST",
+        "HTTP_ORIGIN"=>"https://foo.example.com",
+        "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"=>"content-type",
+        "CONTENT_TYPE"=>' application/json'
+      }
+    }
+
+    res = json_request("/login", preflight_request.dup)
+    res.must_equal [405, ["{\"error\":\"non-POST method used in JSON API\"}"]]
+
+    origin = Object.new
+    res = json_request("/login", preflight_request.dup)
+    res.must_equal [405, ["{\"error\":\"non-POST method used in JSON API\"}"]]
+
+    ["https://foo.example.com", ["https://foo.example.com"], %r{https://foo.example.com}, true].each do |orig|
+      origin = orig
+
+      res = json_request("/login", preflight_request.merge(:include_headers=>true))
+      res[0].must_equal 204
+      res[1]['Access-Control-Allow-Origin'].must_equal "https://foo.example.com"
+      res[1]['Access-Control-Allow-Methods'].must_equal "POST"
+      res[1]['Access-Control-Allow-Headers'].must_equal "Content-Type, Authorization, Accept"
+      res[1]['Access-Control-Max-Age'].must_equal "86400"
+      res[2].must_equal []
+
+      res = json_request("/login", :login=>'foo@example.com', :password=>'0123456789', :headers=>{"HTTP_ORIGIN"=>"https://foo.example.com"}, :include_headers=>true)
+      res[0].must_equal 200
+      res[1]['Access-Control-Allow-Origin'].must_equal "https://foo.example.com"
+      res[1]['Access-Control-Expose-Headers'].must_equal "Authorization"
+      res[2].must_equal("success"=>"You have been logged in")
+
+      json_request("/foo").must_equal [200, 1]
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -33,7 +33,7 @@ require 'securerandom'
 
 ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
 gem 'minitest'
-require 'minitest/autorun'
+require 'minitest/global_expectations/autorun'
 require 'minitest/hooks/default'
 
 require 'roda'
@@ -198,7 +198,7 @@ class Minitest::HooksSpec
     msgs.length.must_equal 1
     msgs.first.to.first.must_equal to
 
-    link = msgs.first.body.to_s[regexp]
+    link = msgs.first.body.to_s.gsub(/ $/, '')[regexp]
     msgs.clear
     link.must_be_kind_of(String)
     link

data/templates/email-auth-email.str

@@ -1,5 +1,5 @@
 Someone has requested a login link for the account with this email
 address.  If you did not request a login link, please ignore this
 message.  If you requested a login link, please go to
-#{rodauth.email_auth_email_link}
+#{rodauth.email_auth_email_link} 
 to login to this account.

data/templates/reset-password-email.str

@@ -1,5 +1,5 @@
 Someone has requested a password reset for the account with this email
 address.  If you did not request a password reset, please ignore this
 message.  If you requested a password reset, please go to
-#{rodauth.reset_password_email_link}
+#{rodauth.reset_password_email_link} 
 to reset the password for the account.

data/templates/unlock-account-email.str

@@ -1,5 +1,5 @@
 Someone has requested a that the account with this email be unlocked.
 If you did not request the unlocking of this account, please ignore this
 message.  If you requested the unlocking of this account, please go to
-#{rodauth.unlock_account_email_link}
+#{rodauth.unlock_account_email_link} 
 to unlock this account.

data/templates/verify-account-email.str

@@ -1,4 +1,4 @@
 Someone has created an account with this email address.  If you did not create
 this account, please ignore this message.  If you created this account, please go to
-#{rodauth.verify_account_email_link}
+#{rodauth.verify_account_email_link} 
 to verify the account.

data/templates/verify-login-change-email.str

@@ -1,9 +1,10 @@
 Someone with an account has requested their login be changed to this email address:
 
 Old Login: #{rodauth.verify_login_change_old_login}
+
 New Login: #{rodauth.verify_login_change_new_login}
 
 If you did not request this login change, please ignore this message.  If you
 requested this login change, please go to
-#{rodauth.verify_login_change_email_link}
+#{rodauth.verify_login_change_email_link} 
 to verify the login change.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.21.0
+  version: 1.22.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2019-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -150,6 +150,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 5.0.0
+- !ruby/object:Gem::Dependency
+  name: minitest-global_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest-hooks
   requirement: !ruby/object:Gem::Requirement
@@ -232,6 +246,7 @@ extra_rdoc_files:
 - doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
+- doc/jwt_cors.rdoc
 - doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
@@ -254,6 +269,7 @@ extra_rdoc_files:
 - doc/release_notes/1.19.0.txt
 - doc/release_notes/1.20.0.txt
 - doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -275,6 +291,7 @@ files:
 - doc/http_basic_auth.rdoc
 - doc/internals.rdoc
 - doc/jwt.rdoc
+- doc/jwt_cors.rdoc
 - doc/jwt_refresh.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
@@ -300,6 +317,7 @@ files:
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.20.0.txt
 - doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
@@ -334,6 +352,7 @@ files:
 - lib/rodauth/features/email_base.rb
 - lib/rodauth/features/http_basic_auth.rb
 - lib/rodauth/features/jwt.rb
+- lib/rodauth/features/jwt_cors.rb
 - lib/rodauth/features/jwt_refresh.rb
 - lib/rodauth/features/lockout.rb
 - lib/rodauth/features/login.rb
@@ -369,6 +388,7 @@ files:
 - spec/disallow_password_reuse_spec.rb
 - spec/email_auth_spec.rb
 - spec/http_basic_auth_spec.rb
+- spec/jwt_cors_spec.rb
 - spec/jwt_refresh_spec.rb
 - spec/jwt_spec.rb
 - spec/lockout_spec.rb