rodauth 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 729e0ac62a92c8c92808b20e292ad8b8ad5cc2ba935d62702f8d88496e54e1a1
-  data.tar.gz: f0f0aa6dafc54aefd135b3a94b963a136349a69eef9614f4f61f8c24fe759709
+  metadata.gz: 11417c5f63db5803f35ba8a92e98827b9f0deeb0a774071b5fbe712fa24f02fd
+  data.tar.gz: b0ee20c0ce7af6eea42b32bcab2e476a2ee75b62b283281de7001d5ba4002597
 SHA512:
-  metadata.gz: 7474a1229f4d069ced3b4575c2aa9d343f4bf1b4f3efd4ed64c33b5985b262863d97366f86d226c261f7cce1ccd20090412639f782b38e5f85f4f56556b45622
-  data.tar.gz: 427688ab9aae856b200dee9b7fcfb71bad8bf52b657e1f4d3c8e8ecb3ccd6c2831f71033054bf0d6ef3335fc7697dbdc9a82d29e71393328534b57406316b184
+  metadata.gz: 13110a40f40a08c7fb03f1ce44a723afc6e53b4f4b16f690c852dc0adfc4d1bb08b6b87f164be98d50dfc61a6c99a35759901ed3bc7b5ab3dbbcb48b00b6ec5e
+  data.tar.gz: 2d7f46d8a9370b67af58eb60d5ac8f324f2619d3cd9bac10b6a27890c9637ceff229ce0404a6d00c9c7fdf8d796d045d3bd06e7489fe08f589580d6a20271cf4

data/CHANGELOG

@@ -1,3 +1,17 @@
+=== 2.1.0 (2020-06-09)
+
+* Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
+
+* Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
+
+* Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
+
+* Add check_csrf configuration method to customize CSRF checking (janko) (#96)
+
+* Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
+
+* Don't consider account open if in unverified grace period without password (janko) (#92)
+
 === 2.0.0 (2020-05-06)
 
 * Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)

data/doc/base.rdoc

@@ -91,6 +91,7 @@ authenticated? :: Whether the user has been authenticated. If multifactor authen
 before_login :: Run arbitrary code after password has been checked, but before updating the session.
 before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.
 before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
+check_csrf :: Checks CSRF token using Roda's +check_csrf!+ method.
 clear_session :: Clears the current session.
 csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
 function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.

data/doc/release_notes/2.1.0.txt

@@ -0,0 +1,31 @@
+= New Features
+
+* A check_csrf configuration method has been added for checking
+  the CSRF token.  This is useful in cases where the CSRF protection
+  is provided by something other than the Roda route_csrf plugin.
+
+= Other Improvements
+
+* When using the http_basic_auth feature, logged_in? now checks for
+  Basic authentication if the session is not already authenticated
+  and Basic authentication has not yet been checked.  This increases
+  compatibility for applications that were using the http_basic_auth
+  feature in Rodauth 1.
+
+* When creating accounts, the password field now correctly uses the
+  new-password autocomplete attribute instead of the current-password
+  autocomplete attribute.
+
+* When using the jwt feature, Rodauth no longer checks CSRF tokens
+  in requests to Rodauth routes if the request submitted is a JSON
+  request, includes a JWT, or Rodauth has been configured in JSON-only
+  mode.
+
+* When using the verify_account_grace_period feature, if there is an
+  unverified account without a password, do not consider the account
+  open.  Attempting to login into the account in such a case now
+  shows a message letting the user know to verify the account.
+
+* The json_response_body configuration method is now used consistently
+  in the jwt feature for all JSON responses.  Previously, there were
+  some cases that did not use it.

data/lib/rodauth.rb

@@ -119,7 +119,7 @@ module Rodauth
 
       define_method(handle_meth) do
         request.is send(route_meth) do
-          scope.check_csrf!(check_csrf_opts, &check_csrf_block) if check_csrf?
+          check_csrf if check_csrf?
           before_rodauth
           send(internal_handle_meth, request)
         end

data/lib/rodauth/features/base.rb

@@ -82,6 +82,7 @@ module Rodauth
       :already_logged_in,
       :authenticated?,
       :autocomplete_for_field?,
+      :check_csrf,
       :clear_session,
       :csrf_tag,
       :function_name,
@@ -254,6 +255,10 @@ module Rodauth
       Sequel::DATABASES.first
     end
 
+    def password_field_autocomplete_value
+      @password_field_autocomplete_value || 'current-password'
+    end
+
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -333,6 +338,10 @@ module Rodauth
       @account = _account_from_session
     end
 
+    def check_csrf
+      scope.check_csrf!(check_csrf_opts, &check_csrf_block)
+    end
+
     def csrf_tag(path=request.path)
       return unless scope.respond_to?(:csrf_tag)
 

data/lib/rodauth/features/create_account.rb

@@ -30,6 +30,7 @@ module Rodauth
     route do |r|
       check_already_logged_in
       before_create_account_route
+      @password_field_autocomplete_value = 'new-password'
 
       r.get do
         create_account_view

data/lib/rodauth/features/http_basic_auth.rb

@@ -5,11 +5,20 @@ module Rodauth
     auth_value_method :http_basic_auth_realm, "protected"
     auth_value_method :require_http_basic_auth?, false
 
+    def logged_in?
+      ret = super
+
+      if !ret && !defined?(@checked_http_basic_auth)
+        http_basic_auth
+        ret = super
+      end
+
+      ret
+    end
+
     def require_login
       if require_http_basic_auth?
         require_http_basic_auth
-      elsif !logged_in?
-        http_basic_auth
       end
 
       super
@@ -23,6 +32,9 @@ module Rodauth
     end
 
     def http_basic_auth
+      return @checked_http_basic_auth if defined?(@checked_http_basic_auth)
+
+      @checked_http_basic_auth = nil
       return unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
 
       username, password = token.unpack("m*").first.split(/:/, 2)
@@ -50,6 +62,7 @@ module Rodauth
           after_login
         end
 
+        @checked_http_basic_auth = true
         return true
       end
 

data/lib/rodauth/features/jwt.rb

@@ -50,7 +50,7 @@ module Rodauth
           json_response[json_response_error_key] = invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 
@@ -140,13 +140,18 @@ module Rodauth
 
     private
 
+    def check_csrf?
+      return false if use_jwt?
+      super
+    end
+
     def before_rodauth
       if json_request?
         if jwt_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
           response.status = 406
           json_response[json_response_error_key] = json_not_accepted_error_message
           response['Content-Type'] ||= json_response_content_type
-          response.write(request.send(:convert_to_json, json_response))
+          response.write(_json_response_body(json_response))
           request.halt
         end
 

data/lib/rodauth/features/verify_account.rb

@@ -94,6 +94,7 @@ module Rodauth
     route do |r|
       verify_account_check_already_logged_in
       before_verify_account_route
+      @password_field_autocomplete_value = 'new-password'
 
       r.get do
         if key = param_or_nil(verify_account_key_param)

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -23,7 +23,7 @@ module Rodauth
     end
 
     def open_account?
-      super || account_in_unverified_grace_period?
+      super || (account_in_unverified_grace_period? && has_password?)
     end
 
     def verify_account_set_password?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 0
+  MINOR = 1
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/templates/password-field.str

@@ -1,4 +1,4 @@
 <div class="form-group">
   <label for="password">#{rodauth.password_label}#{rodauth.input_field_label_suffix}</label>
-  #{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password', :autocomplete=>'current-password')}
+  #{rodauth.input_field_string(rodauth.password_param, 'password', :type => 'password', :autocomplete=>rodauth.password_field_autocomplete_value)}
 </div>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -303,6 +303,7 @@ extra_rdoc_files:
 - doc/release_notes/1.22.0.txt
 - doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
+- doc/release_notes/2.1.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -361,6 +362,7 @@ files:
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/2.0.0.txt
+- doc/release_notes/2.1.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc