rodauth 2.13.0 → 2.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f01d42c90dd22a88566f17b3e77b9495dc1431f004f2f54865cff45a3874ce43
-  data.tar.gz: b09c0a44b2b4f6ab1eb795b11a69ec7acd1d4ed5ac4abbe45d8bb4072cb61e0f
+  metadata.gz: 0bb25afa1cfb6fb579a10dea617ae2f9d0fdd2b302decdbf15aaf6ca88186ccb
+  data.tar.gz: 67c76a614ff85e298b288f81ae22fb54ea54a83c5d1584e097ba66b4dada9d1b
 SHA512:
-  metadata.gz: 2934f2824b7c805f6400fab52aad9c4aaca2f3bbfb4584688619b0b24b9e052a3cecc4b36b6eb7379e13f2a9bf2bc64e0efac077d932e390270401966223e2ae
-  data.tar.gz: c1dcf6d140117743baa62ba0715c99584bb80b8aa933f596424f242c2ffb6a31c7d25f0fdba65fed4b1bd93d63692502c7c63b36a1f2b793083b1972c5313304
+  metadata.gz: 6516c812865c540be99116e0afadfbf98de81d450dafd0aee81e6c661201e6bd62086c10db1b892e273286c53bcb61c3d84f8ed807c47e7ebd7befcd1d6cd849
+  data.tar.gz: 8c4efe011be6f94a0886e3dae1eb8106e3fcd295c55663f2dcea0b02794db229377450ab8738ef651e18704cc129df4f47b69e69aff08229a58f2544fab73b13

data/CHANGELOG

@@ -1,3 +1,11 @@
+=== 2.14.0 (2021-06-22)
+
+* Make jwt_refresh feature allow refresh with expired access tokens even if prefix is not set correctly (jeremyevans) (#168)
+
+* Make internal account_in_unverified_grace_period? method handle accounts missing or unverified accounts (janko, jeremyevans) (#167)
+
+* Add remembered_session_id configuration method for getting session id from valid remember token if present (bjeanes) (#166)
+
 === 2.13.0 (2021-05-22)
 
 * Make jwt_refresh expired access token support work when using rodauth.check_active_sessions before calling r.rodauth (renchap) (#165)

data/README.rdoc

@@ -68,7 +68,6 @@ Demo Site :: http://rodauth-demo.jeremyevans.net
 Source :: http://github.com/jeremyevans/rodauth
 Bugs :: http://github.com/jeremyevans/rodauth/issues
 Google Group :: https://groups.google.com/forum/#!forum/rodauth
-IRC :: irc://chat.freenode.net/#rodauth
 
 == Dependencies
 

data/doc/release_notes/2.14.0.txt

@@ -0,0 +1,17 @@
+= New Features
+
+* A remembered_session_id method has been added for getting the
+  account id from a valid remember token, without modifying the
+  session to log the account in.
+
+= Other Improvements
+
+* The jwt_refresh feature's support for allowing refresh with
+  an expired access token now works even if the Rodauth
+  configuration uses an incorrect prefix.
+
+* The internal account_in_unverified_grace_period? method now
+  returns false if an account has not been loaded and the
+  session has not been logged in. Previously, calling this
+  method in such cases would result in an exception being
+  raised.

data/doc/remember.rdoc

@@ -69,6 +69,7 @@ generate_remember_key_value :: A random string to use as the remember key.
 get_remember_key :: Retrieve the remember key from the database.
 load_memory :: If the remember key cookie is included in the request, and the user is not currently logged in, check the remember keys table and autologin the user if the remember key cookie matches the current remember key for the account. This method needs to be called manually inside the Roda route block to autologin users.
 logged_in_via_remember_key? :: Whether the current session was logged in via a remember key.
+remembered_session_id :: The session_id which is validly remembered, if any.
 remember_key_value :: The current value of the remember key/token.
 remember_login :: Set the cookie containing the remember token, so that future sessions will be autologged in.
 remember_view :: The HTML to use for the change remember settings form.

data/lib/rodauth/features/jwt_refresh.rb

@@ -32,8 +32,6 @@ module Rodauth
     )
 
     route do |r|
-      # For backward compatibility, unused in core Rodauth
-      # RODAUTH3: Remove
       @jwt_refresh_route = true
       before_jwt_refresh_route
 
@@ -137,7 +135,7 @@ module Rodauth
     end
 
     def _jwt_decode_opts
-      if allow_refresh_with_expired_jwt_access_token? && request.path == jwt_refresh_path
+      if allow_refresh_with_expired_jwt_access_token? && (@jwt_refresh_route || request.path == jwt_refresh_path)
         Hash[super].merge!(:verify_expiration=>false)
       else
         super

data/lib/rodauth/features/remember.rb

@@ -39,6 +39,7 @@ module Rodauth
       :generate_remember_key_value,
       :get_remember_key,
       :load_memory,
+      :remembered_session_id,
       :logged_in_via_remember_key?,
       :remember_key_value,
       :remember_login,
@@ -81,29 +82,35 @@ module Rodauth
       end
     end
 
-    def load_memory
-      return if session[session_key]
+    def remembered_session_id
       return unless cookie = request.cookies[remember_cookie_key]
       id, key = cookie.split('_', 2)
       return unless id && key
 
       actual, deadline = active_remember_key_ds(id).get([remember_key_column, remember_deadline_column])
-      unless actual
-        forget_login
-        return
-      end
+      return unless actual
 
       if hmac_secret
         unless valid = timing_safe_eql?(key, compute_hmac(actual))
           unless raw_remember_token_deadline && raw_remember_token_deadline > convert_timestamp(deadline)
-            forget_login
             return
           end
         end
       end
 
       unless valid || timing_safe_eql?(key, actual)
-        forget_login
+        return
+      end
+
+      id
+    end
+
+    def load_memory
+      return if session[session_key]
+
+      unless id = remembered_session_id
+        # Only set expired cookie if there is already a cookie set.
+        forget_login if request.cookies[remember_cookie_key]
         return
       end
 

data/lib/rodauth/features/verify_account_grace_period.rb

@@ -72,7 +72,7 @@ module Rodauth
     end
 
     def account_in_unverified_grace_period?
-      account || account_from_session
+      return false unless account || (session_value && account_from_session)
       account[account_status_column] == account_unverified_status_value &&
         verify_account_grace_period &&
         !verify_account_ds.where(Sequel.date_add(verification_requested_at_column, :seconds=>verify_account_grace_period) > Sequel::CURRENT_TIMESTAMP).empty?

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 13
+  MINOR = 14
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.13.0
+  version: 2.14.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-23 00:00:00.000000000 Z
+date: 2021-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -325,6 +325,7 @@ extra_rdoc_files:
 - doc/release_notes/2.11.0.txt
 - doc/release_notes/2.12.0.txt
 - doc/release_notes/2.13.0.txt
+- doc/release_notes/2.14.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -421,6 +422,7 @@ files:
 - doc/release_notes/2.11.0.txt
 - doc/release_notes/2.12.0.txt
 - doc/release_notes/2.13.0.txt
+- doc/release_notes/2.14.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt