rodauth 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8be62d375631a0d62337cc9da83782e1a765ecc1
-  data.tar.gz: e5cc52f5bec8e0f7820b1b16ac11d96d385e0187
+  metadata.gz: 72d21867a8a5d725cfe2331b979ffbe31f3e9e9a
+  data.tar.gz: b204b666ab3b52ab94c291a660af0c6f6741772b
 SHA512:
-  metadata.gz: cd373d957b4b636afab06b24a7c782c9b3e605de844f0083c7eb2953779715dc4fec20418984ef4cdbce93d9f65e4848eed11a8318985d52d03ecdb9b2f1301f
-  data.tar.gz: d156aaad0e89d164a467e44c946088f28487db41a4b0cb1ec57dda6584ca36ffbb8c87daf02bcc868dcfe8322bf56fc4fa005ab9fdfd2cd0b8620bce6334d593
+  metadata.gz: 6e7ec902dd360cf3687097e3c8934687f8915f277334270b2acbf3a02e33314e83cb42631ae3539d8edfaa87dc50aaebeef5b184f0fdc601c1d0c8ee196156be
+  data.tar.gz: 49de39a38e7cb00f6869c4c0bc25f7df521f541615373d21530d802b5d390924a178b86274620ed6b08517157bd704eaad1dc5c7847e9ee2ef5df1d2ae25ac44

data/CHANGELOG

@@ -1,3 +1,7 @@
+=== 1.7.0 (2016-11-22)
+
+* Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
+
 === 1.6.0 (2016-10-24)
 
 * Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)

data/README.rdoc

@@ -161,9 +161,10 @@ Example:
   psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}
 
 Note that on Heroku, this extension can be loaded using a standard database
-account.  If you don't want to support case sensitive logins, you don't
-need to use the PostgreSQL citext extension. Just remember to modify the
-migration below to use +String+ instead of +citext+ for the email.
+account.  If you want logins to be case sensitive (generally considered a
+bad idea), you don't need to use the PostgreSQL citext extension. Just
+remember to modify the migration below to use +String+ instead of +citext+
+for the email in that case.
 
 === Create database accounts
 

data/Rakefile

@@ -61,9 +61,10 @@ end
   
 desc "Run specs with -w, some warnings filtered"
 task "spec_w" do
-  ENV['RUBYOPT'] ? (ENV['RUBYOPT'] += " -w") : (ENV['RUBYOPT'] = '-w')
-  rake = ENV['RAKE'] || "#{FileUtils::RUBY} -S rake"
-  sh %{#{rake} 2>&1 | egrep -v \": warning: instance variable @.* not initialized|: warning: method redefined; discarding old|: warning: previous definition of|: warning: statement not reached"}
+  rubyopt = ENV['RUBYOPT']
+  ENV['RUBYOPT'] = "#{rubyopt} -w"
+  spec.call('WARNING'=>'1')
+  ENV['RUBYOPT'] = rubyopt
 end
 
 desc "Setup database used for testing on PostgreSQL"

data/doc/lockout.rdoc

@@ -51,6 +51,7 @@ unlock_account_requires_password? :: Whether a password is required when unlocki
                                      false by default.  May want to set to true if not
                                      allowing password resets.
 unlock_account_route :: Alias for lockout_route.
+unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
 
 == Auth Methods
 

data/doc/release_notes/1.7.0.txt

@@ -0,0 +1,6 @@
+= Improvements
+
+* The reset password, unlock account, and verify account features now
+  temporarily store the feature-specific keys in the session instead
+  of keeping them as parameters, which avoids leaking the keys to
+  asset hosts or other external servers via the HTTP Referer header.

data/doc/reset_password.rdoc

@@ -40,6 +40,7 @@ reset_password_request_error_flash :: The flash error to show if not able to sen
                                       password email.
 reset_password_request_route :: The route to the reset password request action.
 reset_password_route :: The route to the reset password action.
+reset_password_session_key :: The key in the session to hold the reset password key temporarily.
 reset_password_table :: The name of the reset password keys table.
 
 == Auth Methods

data/doc/verify_account.rdoc

@@ -40,6 +40,7 @@ verify_account_resend_error_flash :: The flash error to show if unable to resend
                                      verify account email.
 verify_account_resend_route :: The route to the verify account resend action.
 verify_account_route :: The route to the verify account action.
+verify_account_session_key :: The key in the session to hold the verify account key temporarily.
 verify_account_table :: The name of the verify account keys table.
 
 == Auth Methods

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -43,7 +43,6 @@ module Rodauth
     private
 
     def password_doesnt_match_previous_password?(password)
-      id = account_id
       match = if use_database_authentication_functions?
         salts = previous_password_ds.
           select_map([previous_password_id_column, Sequel.function(function_name(:rodauth_get_previous_salt), previous_password_id_column).as(:salt)])

data/lib/rodauth/features/lockout.rb

@@ -35,6 +35,7 @@ module Rodauth
     auth_value_method :unlock_account_email_subject, 'Unlock Account'
     auth_value_method :unlock_account_key_param, 'key'
     auth_value_method :unlock_account_requires_password?, false
+    auth_value_method :unlock_account_session_key, :unlock_account_key
 
     auth_value_methods(
       :unlock_account_redirect,
@@ -81,16 +82,24 @@ module Rodauth
       before_unlock_account_route
 
       r.get do
-        if account_from_unlock_key(param(unlock_account_key_param))
-          unlock_account_view
-        else
-          set_redirect_error_flash no_matching_unlock_account_key_message
-          redirect require_login_redirect
+        if key = param_or_nil(unlock_account_key_param)
+          session[unlock_account_session_key] = key
+          redirect(r.path)
+        end
+
+        if key = session[unlock_account_session_key]
+          if account_from_unlock_key(key)
+            unlock_account_view
+          else
+            session[unlock_account_session_key] = nil
+            set_redirect_error_flash no_matching_unlock_account_key_message
+            redirect require_login_redirect
+          end
         end
       end
 
       r.post do
-        key = param(unlock_account_key_param)
+        key = session[unlock_account_session_key] || param(unlock_account_key_param)
         unless account_from_unlock_key(key)
           set_redirect_error_flash no_matching_unlock_account_key_message
           redirect unlock_account_request_redirect
@@ -106,6 +115,7 @@ module Rodauth
             end
           end
 
+          session[unlock_account_session_key] = nil
           set_notice_flash unlock_account_notice_flash
           redirect unlock_account_redirect
         else

data/lib/rodauth/features/password_complexity.rb

@@ -31,7 +31,7 @@ module Rodauth
       super
       return if singleton_methods.map(&:to_sym).include?(:password_dictionary)
 
-      case dictionary_file = password_dictionary_file
+      case password_dictionary_file
       when false
         return
       when nil

data/lib/rodauth/features/reset_password.rb

@@ -29,6 +29,7 @@ module Rodauth
     auth_value_method :reset_password_table, :account_password_reset_keys
     auth_value_method :reset_password_id_column, :id
     auth_value_method :reset_password_key_column, :key
+    auth_value_method :reset_password_session_key, :reset_password_key
 
     auth_value_methods :reset_password_email_sent_redirect
 
@@ -76,9 +77,15 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(reset_password_key_param)
+          session[reset_password_session_key] = key
+          redirect(r.path)
+        end
+
+        if key = session[reset_password_session_key]
           if account_from_reset_password_key(key)
             reset_password_view
           else
+            session[reset_password_session_key] = nil
             set_redirect_error_flash no_matching_reset_password_key_message
             redirect require_login_redirect
           end
@@ -86,7 +93,7 @@ module Rodauth
       end
 
       r.post do
-        key = param(reset_password_key_param)
+        key = session[reset_password_session_key] || param(reset_password_key_param)
         unless account_from_reset_password_key(key)
           set_redirect_error_flash reset_password_error_flash
           redirect reset_password_email_sent_redirect
@@ -117,6 +124,7 @@ module Rodauth
             update_session
           end
 
+          session[reset_password_session_key] = nil
           set_notice_flash reset_password_notice_flash
           redirect reset_password_redirect
         end

data/lib/rodauth/features/verify_account.rb

@@ -30,6 +30,7 @@ module Rodauth
     auth_value_method :verify_account_table, :account_verification_keys
     auth_value_method :verify_account_id_column, :id
     auth_value_method :verify_account_key_column, :key
+    auth_value_method :verify_account_session_key, :verify_account_key
 
     auth_value_methods :verify_account_key_value
 
@@ -76,9 +77,15 @@ module Rodauth
 
       r.get do
         if key = param_or_nil(verify_account_key_param)
+          session[verify_account_session_key] = key
+          redirect(r.path)
+        end
+
+        if key = session[verify_account_session_key]
           if account_from_verify_account_key(key)
             verify_account_view
           else
+            session[verify_account_session_key] = nil
             set_redirect_error_flash no_matching_verify_account_key_message
             redirect require_login_redirect
           end
@@ -86,7 +93,7 @@ module Rodauth
       end
 
       r.post do
-        key = param(verify_account_key_param)
+        key = session[verify_account_session_key] || param(verify_account_key_param)
         unless account_from_verify_account_key(key)
           set_redirect_error_flash verify_account_error_flash
           redirect verify_account_redirect
@@ -103,6 +110,7 @@ module Rodauth
           update_session
         end
 
+        session[verify_account_session_key] = nil
         set_notice_flash verify_account_notice_flash
         redirect verify_account_redirect
       end

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.6.0'.freeze
+  VERSION = '1.7.0'.freeze
 
   def self.version
     VERSION

data/spec/password_complexity_spec.rb

@@ -48,7 +48,9 @@ describe 'Rodauth password complexity feature' do
   it "should support default dictionary" do
     default_dictionary = '/usr/share/dict/words'
     skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
-    password = File.read(default_dictionary).split.sort_by{|w| w.length}.last
+    pass = File.read(default_dictionary).split.sort_by{|w| w.length}.last
+    skip("#{default_dictionary} empty") unless pass
+    pass = pass.downcase.gsub(/[^a-z]/, '')
 
     rodauth do
       enable :login, :change_password, :password_complexity
@@ -78,7 +80,6 @@ describe 'Rodauth password complexity feature' do
   it "should support no dictionary" do
     default_dictionary = '/usr/share/dict/words'
     skip("#{default_dictionary} not present") unless File.file?(default_dictionary)
-    password = File.read(default_dictionary).split.sort_by{|w| w.length}.last
 
     rodauth do
       enable :login, :change_password, :password_complexity

data/spec/reset_password_spec.rb

@@ -113,7 +113,7 @@ describe 'Rodauth reset_password feature' do
 
     login(:pass=>'01234567')
     click_button 'Request Password Reset'
-    link = email_link(/(\/reset-password\?key=.+)$/)
+    email_link(/(\/reset-password\?key=.+)$/)
 
     login
 

data/spec/rodauth_spec.rb

@@ -187,7 +187,6 @@ describe 'Rodauth' do
   end
 
   it "should support account_select setting for choosing account columns" do
-    warning = nil
     rodauth do
       enable :login
       account_select [:id, :email]

data/spec/spec_helper.rb

@@ -1,5 +1,12 @@
 $: << 'lib'
 
+if ENV['WARNING']
+  require 'warning'
+  Warning.ignore([:missing_ivar, :missing_gvar, :fixnum])
+  #Warning.ignore(/warning: URI\.escape is obsolete\n\z/)
+  Warning.ignore(:method_redefined, File.dirname(File.dirname(__FILE__)))
+end
+
 if ENV['COVERAGE']
   require 'coverage'
   require 'simplecov'

data/templates/reset-password.str

@@ -1,6 +1,5 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="reset-password-form">
   #{rodauth.reset_password_additional_form_tags}
-  <input type="hidden" name="#{rodauth.reset_password_key_param}" value="#{h request[rodauth.reset_password_key_param]}" />
   #{rodauth.csrf_tag}
   #{rodauth.render('password-field')}
   #{rodauth.render('password-confirm-field') if rodauth.require_password_confirmation?}

data/templates/unlock-account.str

@@ -1,7 +1,6 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="unlock-account-form">
   #{rodauth.unlock_account_additional_form_tags}
   #{rodauth.csrf_tag}
-  <input type="hidden" name="#{rodauth.unlock_account_key_param}" value="#{h request[rodauth.unlock_account_key_param]}"/>
   <p>This account is currently locked out.  You can unlock the account.</p>
   #{rodauth.render('password-field') if rodauth.unlock_account_requires_password?}
   #{rodauth.button(rodauth.unlock_account_button)}

data/templates/verify-account.str

@@ -1,6 +1,5 @@
 <form method="post" class="rodauth form-horizontal" role="form" id="verify-account-form">
   #{rodauth.verify_account_additional_form_tags}
-  <input type="hidden" name="#{rodauth.verify_account_key_param}" value="#{h request[rodauth.verify_account_key_param]}" />
   #{rodauth.csrf_tag}
   #{rodauth.button(rodauth.verify_account_button)}
 </form>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-24 00:00:00.000000000 Z
+date: 2016-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -233,6 +233,7 @@ extra_rdoc_files:
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
 - doc/release_notes/1.6.0.txt
+- doc/release_notes/1.7.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -265,6 +266,7 @@ files:
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
 - doc/release_notes/1.6.0.txt
+- doc/release_notes/1.7.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -404,7 +406,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.6
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications