rodauth 2.18.0 → 2.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60f279e15751f9a0915c72e919726cae392844137ddabd98cb5a973815ada935
-  data.tar.gz: ae841728e69f0fdf1d2c67de55f52ed535971a349ecc6dbddeaf6250e573515f
+  metadata.gz: 0defa94cb0c58b317997853eda1775694a8b0bb89e3bb75f8de50af57a2223fe
+  data.tar.gz: 977738446cb7d8ac53a7edeab2587c07e7a9b9407d2584daa80fe6d47147f395
 SHA512:
-  metadata.gz: 7490aded0f6e506fff03b445d569709ec77d1dc7e36193d8939c36d706a95f4b9bbd2ad0a05feaa7f4e2c309ce03ceeff302de81546a23f8c26bbd1c62f12c88
-  data.tar.gz: bb437de6fd56ee88a2acdccc6058eefe05c856d3bc0569b473d968aa7c8c2eae64817944dade3987b612322e61c7351808765e7dfa897267e4966a7b4c8c4206
+  metadata.gz: 0e8833fc2ac01f3a917b8c267642b92472969531df33dc90dcae6e90d5b62befbf2f948ca75cafcd84353b4b9d629f1dec8d70e3e77cc2387cc0791cee551773
+  data.tar.gz: 03ff22811e9679b26f1dc83c676ca19145c762d26c216a9aafae816d3bad67cd39a68430fbd72c55f17e77117fbcd65690eb6d71f3b05f72860833a2205f2fe7

data/CHANGELOG

@@ -1,3 +1,17 @@
+=== 2.19.0 (2021-12-22)
+
+* Add login_maximum_bytes, setting the maximum number of bytes in a login, 255 by default (jeremyevans)
+
+* Add password_maximum_bytes, setting the maximum number of bytes in a password, nil by default for no limit (jeremyevans)
+
+* Add password_maximum_length, setting the maximum number of characters in a password, nil by default for no limit (jeremyevans)
+
+* Support multi-level inheritance of Rodauth::Auth (janko) (#191)
+
+* Allow internal_request feature to work correctly when loaded into custom Rodauth::Auth subclasses before loading into a Roda application (janko) (#190)
+
+* Assign internal subclass created by internal_request feature to the InternalRequest constant (janko) (#187)
+
 === 2.18.0 (2021-11-23)
 
 * Allow JSON API access to /multifactor-manage to get links to setup/disable multifactor authentication endpoints (jeremyevans)

data/README.rdoc

@@ -69,7 +69,8 @@ Website :: http://rodauth.jeremyevans.net
 Demo Site :: http://rodauth-demo.jeremyevans.net
 Source :: http://github.com/jeremyevans/rodauth
 Bugs :: http://github.com/jeremyevans/rodauth/issues
-Google Group :: https://groups.google.com/forum/#!forum/rodauth
+Discussion Forum (GitHub Discussions) :: https://github.com/jeremyevans/rodauth/discussions
+Alternate Discussion Forum (Google Groups) :: https://groups.google.com/forum/#!forum/rodauth
 
 == Dependencies
 

data/doc/error_reasons.rdoc

@@ -44,6 +44,7 @@ Rodauth will call +set_error_reason+ with:
 * :login_not_valid_email
 * :login_required
 * :login_too_long
+* :login_too_many_bytes
 * :login_too_short
 * :logins_do_not_match
 * :no_current_sms_code
@@ -56,6 +57,8 @@ Rodauth will call +set_error_reason+ with:
 * :password_in_dictionary
 * :password_is_one_of_the_most_common
 * :password_same_as_previous_password
+* :password_too_long
+* :password_too_many_bytes
 * :password_too_short
 * :passwords_do_not_match
 * :same_as_current_login

data/doc/guides/change_table_and_column_names.rdoc

@@ -0,0 +1,19 @@
+= Change table and column names
+
+All tables that Rodauth uses will have a configuration method that ends with
++_table+ for configuring the table name.  For example, if you store user accounts
+in the +users+ table instead of +accounts+ table, you can use the following
+in your configuration:
+
+  accounts_table :users
+
+All columns that Rodauth uses will have a configuration method that ends with
++_column+ for configuring the column name.  For example, if you are storing the
+login for accounts in the +login+ column instead of the +email+ column, you
+can use the following in your configuration:
+
+  login_column :login
+
+Please see the documentation for Rodauth features for the names of the
+configuration methods that you can use.  You can see the default values for
+the tables and columns in the {"Creating tables" section of the README}[rdoc-ref:README.rdoc].

data/doc/guides/share_configuration.rdoc

@@ -0,0 +1,34 @@
+= Share configuration via inheritance
+
+If you have multiple configurations that needs to share some amount of
+authentication behaviour, you can do so through inheritance. For example:
+
+  require "rodauth"
+
+  class RodauthBase < Rodauth::Auth
+    configure do
+      # common authentication configuration
+    end
+  end
+
+  class RodauthMain < RodauthBase # inherit common configuration
+    configure do
+      # main-specific authentication configuration
+    end
+  end
+
+  class RodauthAdmin < RodauthBase # inherit common configuration
+    configure do
+      # admin-specific authentication configuration
+    end
+  end
+
+  class RodauthApp < Roda
+    plugin :rodauth, auth_class: RodauthMain
+    plugin :rodauth, auth_class: RodauthAdmin, name: :admin
+    # ...
+  end
+
+However, when doing this, you need to be careful that you do not use a
+configuration method in a superclass, and then load a feature in a subclass
+that overrides the configuration you set in the superclass.

data/doc/login_password_requirements_base.rdoc

@@ -11,17 +11,23 @@ login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
 login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
 login_email_regexp :: The regular expression used to validate whether login is a valid email address.
-login_maximum_length :: The maximum length for logins, 255 by default.
-login_minimum_length :: The minimum length for logins, 3 by default.
+login_maximum_bytes :: The maximum length for logins in bytes, 255 by default.
+login_maximum_length :: The maximum length for logins in characters, 255 by default.
+login_minimum_length :: The minimum length for logins in characters, 3 by default.
 login_not_valid_email_message :: The error message to display when login is not a valid email address.
 login_too_long_message :: The error message fragment to show if the login is too long.
+login_too_many_bytes_message :: The error message fragment to show if the login has too many bytes.
 login_too_short_message :: The error message fragment to show if the login is too short.
 logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
 password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
 password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
-password_minimum_length :: The minimum length for passwords, 6 by default.
+password_maximum_bytes :: The maximum length for passwords in bytes, nil by default for no limit. bcrypt only uses the first 72 bytes of the password when creating the password hash, so if you are using bcrypt as the password hash function, you may want to set this to 72.
+password_maximum_length :: The maximum length for passwords in characters, nil by default for no limit.
+password_minimum_length :: The minimum length for passwords in characters, 6 by default.
+password_too_long_message :: The error message fragment to show if the password is too long.
+password_too_many_bytes_message :: The error message fragment to show if the password is has too many bytes.
 password_too_short_message :: The error message fragment to show if the password is too short.
 passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.
 require_email_address_logins? :: Whether logins need to be valid email addresses, true by default.

data/doc/release_notes/2.19.0.txt

@@ -0,0 +1,61 @@
+= New Features
+
+* A login_maximum_bytes configuration method has been added, setting
+  the maximum bytes allowed in a login.  This was added as
+  login_maximum_length sets the maximum length in characters. It's
+  possible a different number of maximum bytes than maximum
+  characters is desired by some applications, and since the database
+  column size may be enforced in bytes, it's useful to have a check
+  before trying a database query that would raise an exception. This
+  default value for login_maximum_bytes is 255, the same as the
+  default value for login_maximum_length.
+  
+  A login_too_many_bytes_message configuration method has been added
+  for customizing the error message if a login has too many bytes.
+
+* password_maximum_length and password_maximum_bytes configuration
+  methods have been added, specifying the maximum size of passwords
+  in characters and bytes, respectively.  Both configurations default
+  to nil, meaning no limit, so there is no change in default behavior.
+  
+  The bcrypt algorithm only uses the first 72 bytes of a password, and
+  in some environments it may be desirable to reject passwords over
+  that limit.  password_too_long_message and
+  password_too_many_bytes_message configuration methods have been
+  added for customizing the error messages used for passwords that are
+  too long.
+  
+  Note that in most environments, if you want to support passwords
+  over 72 bytes and have the entire password be considered, you should
+  probably use the argon2 feature.
+
+= Other Improvements
+
+* The subclass created by the internal_request feature is now set
+  to the InternalRequest constant on the superclass, mostly to
+  make identifying it easier in inspect output.
+
+* Support has been improved for custom Rodauth::Auth subclasses that
+  load features before the subclass is loaded into Roda, by delaying
+  the call to post_configure until the subclass is loaded into Roda.
+  Among other things, this fixes the use of the internal_request
+  feature in such classes.
+
+* Multi-level inheritance of Rodauth::Auth is now supported. This can
+  be useful as a way to share custom authentication settings between
+  multiple Rodauth configurations.  However, users of multi-level
+  inheritance should be careful not to load features in subclasses
+  that override custom settings in superclasses.
+
+= Other
+
+* Rodauth's primary discussion forum is now GitHub Discussions. The
+  rodauth Google Group is still available for users who would prefer
+  to use that instead.
+
+= Backwards Compatibility
+
+* The addition of login_maximum_bytes with a default value of 255 is
+  backwards incompatible for applications that want to support logins
+  with multibyte characters where the number of characters in the
+  login is at or below 255, but the number of bytes is above 255.

data/lib/rodauth/features/internal_request.rb

@@ -339,14 +339,7 @@ module Rodauth
       return if is_a?(InternalRequestMethods)
 
       klass = self.class
-      internal_class = Class.new(klass) do
-        @roda_class = klass.roda_class
-        @features = klass.features.clone
-        @routes = klass.routes.clone
-        @route_hash = klass.route_hash.clone
-        @configuration = klass.configuration.clone
-        @configuration.instance_variable_set(:@auth, self)
-      end
+      internal_class = Class.new(klass)
 
       if blocks = klass.instance_variable_get(:@internal_request_configuration_blocks)
         configuration = internal_class.configuration
@@ -366,6 +359,9 @@ module Rodauth
           end
         end
       end
+
+      klass.const_set(:InternalRequest, internal_class)
+      klass.private_constant :InternalRequest
     end
   end
 end

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -7,10 +7,13 @@ module Rodauth
     auth_value_method :login_email_regexp, /\A[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+\z/
     auth_value_method :login_minimum_length, 3
     auth_value_method :login_maximum_length, 255
+    auth_value_method :login_maximum_bytes, 255
     translatable_method :login_not_valid_email_message, 'not a valid email address'
     translatable_method :logins_do_not_match_message, 'logins do not match'
     auth_value_method :password_confirm_param, 'password-confirm'
     auth_value_method :password_minimum_length, 6
+    auth_value_method :password_maximum_bytes, nil
+    auth_value_method :password_maximum_length, nil
     translatable_method :passwords_do_not_match_message, 'passwords do not match'
     auth_value_method :require_email_address_logins?, true
     auth_value_method :require_login_confirmation?, true
@@ -22,10 +25,13 @@ module Rodauth
       :login_confirm_label,
       :login_does_not_meet_requirements_message,
       :login_too_long_message,
+      :login_too_many_bytes_message,
       :login_too_short_message,
       :password_confirm_label,
       :password_does_not_meet_requirements_message,
       :password_hash_cost,
+      :password_too_long_message,
+      :password_too_many_bytes_message,
       :password_too_short_message
     )
 
@@ -78,6 +84,14 @@ module Rodauth
       "invalid password, does not meet requirements#{" (#{password_requirement_message})" if password_requirement_message}"
     end
 
+    def password_too_long_message
+      "maximum #{password_maximum_length} characters"
+    end
+    
+    def password_too_many_bytes_message
+      "maximum #{password_maximum_bytes} bytes"
+    end
+    
     def password_too_short_message
       "minimum #{password_minimum_length} characters"
     end
@@ -95,6 +109,10 @@ module Rodauth
       "maximum #{login_maximum_length} characters"
     end
 
+    def login_too_many_bytes_message
+      "maximum #{login_maximum_bytes} bytes"
+    end
+
     def login_too_short_message
       "minimum #{login_minimum_length} characters"
     end
@@ -111,6 +129,9 @@ module Rodauth
       elsif login_maximum_length < login.length
         set_login_requirement_error_message(:login_too_long, login_too_long_message)
         false
+      elsif login_maximum_bytes < login.bytesize
+        set_login_requirement_error_message(:login_too_many_bytes, login_too_many_bytes_message)
+        false
       else
         true
       end
@@ -128,9 +149,18 @@ module Rodauth
     end
 
     def password_meets_length_requirements?(password)
-      return true if password_minimum_length <= password.length
-      set_password_requirement_error_message(:password_too_short, password_too_short_message)
-      false
+      if password_minimum_length > password.length
+        set_password_requirement_error_message(:password_too_short, password_too_short_message)
+        false
+      elsif password_maximum_length && password_maximum_length < password.length
+        set_password_requirement_error_message(:password_too_long, password_too_long_message)
+        false
+      elsif password_maximum_bytes && password_maximum_bytes < password.bytesize
+        set_password_requirement_error_message(:password_too_many_bytes, password_too_many_bytes_message)
+        false
+      else
+        true
+      end
     end
 
     def password_does_not_contain_null_byte?(password)

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 18
+  MINOR = 19
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

data/lib/rodauth.rb

@@ -59,6 +59,7 @@ module Rodauth
     end
     auth_class.class_eval{@configuration_name = opts[:name] unless defined?(@configuration_name)}
     auth_class.configure(&block) if block
+    auth_class.allocate.post_configure if auth_class.method_defined?(:post_configure)
   end
 
   FEATURES = {}
@@ -271,38 +272,6 @@ module Rodauth
     end
   end
 
-  class Auth
-    class << self
-      attr_accessor :roda_class
-      attr_reader :features
-      attr_reader :routes
-      attr_accessor :route_hash
-      attr_reader :configuration_name
-      attr_reader :configuration
-    end
-
-    def self.inherited(subclass)
-      super
-      subclass.instance_exec do
-        @features = []
-        @routes = []
-        @route_hash = {}
-        @configuration = Configuration.new(self)
-      end
-    end
-
-    def self.configure(&block)
-      @configuration.apply(&block)
-    end
-
-    def self.freeze
-      @features.freeze
-      @routes.freeze
-      @route_hash.freeze
-      super
-    end
-  end
-
   class Configuration
     attr_reader :auth
 
@@ -318,7 +287,6 @@ module Rodauth
     def apply(&block)
       load_feature(:base)
       instance_exec(&block)
-      auth.allocate.post_configure
     end
 
     def enable(*features)
@@ -342,6 +310,46 @@ module Rodauth
     end
   end
 
+  class Auth
+    @features = []
+    @routes = []
+    @route_hash = {}
+    @configuration = Configuration.new(self)
+
+    class << self
+      attr_accessor :roda_class
+      attr_reader :features
+      attr_reader :routes
+      attr_accessor :route_hash
+      attr_reader :configuration_name
+      attr_reader :configuration
+    end
+
+    def self.inherited(subclass)
+      super
+      superclass = self
+      subclass.instance_exec do
+        @roda_class = superclass.roda_class
+        @features = superclass.features.clone
+        @routes = superclass.routes.clone
+        @route_hash = superclass.route_hash.clone
+        @configuration = superclass.configuration.clone
+        @configuration.instance_variable_set(:@auth, self)
+      end
+    end
+
+    def self.configure(&block)
+      @configuration.apply(&block)
+    end
+
+    def self.freeze
+      @features.freeze
+      @routes.freeze
+      @route_hash.freeze
+      super
+    end
+  end
+
   module InstanceMethods
     def rodauth(name=nil)
       if name

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.18.0
+  version: 2.19.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-23 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -332,6 +332,7 @@ extra_rdoc_files:
 - doc/release_notes/2.16.0.txt
 - doc/release_notes/2.17.0.txt
 - doc/release_notes/2.18.0.txt
+- doc/release_notes/2.19.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -364,6 +365,7 @@ files:
 - doc/guides/admin_activation.rdoc
 - doc/guides/already_authenticated.rdoc
 - doc/guides/alternative_login.rdoc
+- doc/guides/change_table_and_column_names.rdoc
 - doc/guides/create_account_programmatically.rdoc
 - doc/guides/delay_password.rdoc
 - doc/guides/email_only.rdoc
@@ -381,6 +383,7 @@ files:
 - doc/guides/registration_field.rdoc
 - doc/guides/require_mfa.rdoc
 - doc/guides/reset_password_autologin.rdoc
+- doc/guides/share_configuration.rdoc
 - doc/guides/status_column.rdoc
 - doc/guides/totp_or_recovery.rdoc
 - doc/http_basic_auth.rdoc
@@ -435,6 +438,7 @@ files:
 - doc/release_notes/2.16.0.txt
 - doc/release_notes/2.17.0.txt
 - doc/release_notes/2.18.0.txt
+- doc/release_notes/2.19.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -566,7 +570,7 @@ metadata:
   bug_tracker_uri: https://github.com/jeremyevans/rodauth/issues
   changelog_uri: http://rodauth.jeremyevans.net/rdoc/files/CHANGELOG.html
   documentation_uri: http://rodauth.jeremyevans.net/documentation.html
-  mailing_list_uri: https://groups.google.com/forum/#!forum/rodauth
+  mailing_list_uri: https://github.com/jeremyevans/rodauth/discussions
   source_code_uri: https://github.com/jeremyevans/rodauth
 post_install_message: 
 rdoc_options:
@@ -590,7 +594,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications