rodauth 2.30.0 → 2.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8270d10e6c0fbe554fc322958893f2c8069363af6455c0d17b0a7d3aafab11bd
-  data.tar.gz: 6eae8a9487764a9b189b27b8f1588e1516d86a6953fdabe0cff6adfd84facb5a
+  metadata.gz: 34f1a4bc530025482c6550375de67bf9dcbe4ea75ca9f4f775d179805629e115
+  data.tar.gz: 75339b39caf60463c076459e1fc21fd4d2291e4bc756c4cc5107edf7462c0186
 SHA512:
-  metadata.gz: d4dca9a0819842a478fac05f138b07452a054c7e498821eee7e61ab49640eccc46974d38c3aea1f71bf226eb7f76b03888a6734d7ae2139bcc74aca9a24bad6c
-  data.tar.gz: 5075118b0c6a8b27df251a2e6bfcd45e3dacc7ba1402bf5bacfc38a50b93b424a0ccdb479b1f5541d589f5687a8424c7319a194c0b01a80c762b725065190013
+  metadata.gz: 9e66e012fca7c52bd25206fd7711921148e8372a249047687e5429074dd9ea64461dcbbda1a0412b16920270814fef9fa5954dda701ae30af66e7a78a7975855
+  data.tar.gz: f7c9ec1aac7150a3fa1b4d2af3e8278f16ef3982d5cd84b6b2984d41b5f5b70f60e9f7c0e099d338055201d820bd099093609b2683086c5a8ec9fdf53dee2e58

data/CHANGELOG

@@ -1,3 +1,17 @@
+=== 2.31.0 (2023-08-22)
+
+* Make clear_session work correctly for internal requests (janko) (#359)
+
+* Support webauthn_invalid_webauthn_id_message configuration method in the webauthn_autofill feature (janko) (#356)
+
+* Support webauth features in the internal_request feature (janko) (#355)
+
+* Allow WebAuthn login to count for two factors if user verification is provided (janko) (#354)
+
+* Allow explicit use of p_cost in argon2 feature if using argon2 2.1+ (estebanz01) (#353)
+
+* Add json_response_error? configuration method to json feature, for whether response indicates an error (opya) (#340)
+
 === 2.30.0 (2023-05-22)
 
 * Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)

data/README.rdoc

@@ -98,6 +98,9 @@ rqrcode :: Used by the otp feature
 jwt :: Used by the jwt feature
 webauthn :: Used by the webauthn feature
 
+You can use <tt>gem install --development rodauth</tt> to install
+the development dependencies in order to run tests.
+
 == Security
 
 === Password Hash Access Via Database Functions

data/doc/error_reasons.rdoc

@@ -38,6 +38,7 @@ Rodauth will call +set_error_reason+ with:
 * :invalid_verify_account_key
 * :invalid_verify_login_change_key
 * :invalid_webauthn_auth_param
+* :invalid_webauthn_id
 * :invalid_webauthn_remove_param
 * :invalid_webauthn_setup_param
 * :invalid_webauthn_sign_count

data/doc/guides/registration_field.rdoc

@@ -10,7 +10,7 @@ or their company's name.
 Let's assume you wanted to wanted to store the additional field(s) directly on
 the +accounts+ table:
 
-  atler_table :accounts do
+  alter_table :accounts do
     add_column :name, String
   end
 

data/doc/guides/render_confirmation.rdoc

@@ -0,0 +1,17 @@
+= Render confirmation view
+
+Most Rodauth actions redirect and display a flash notice after they're succesfully performed. However, in some cases you may wish to render a view confirming that the action was succesful, for nicer user experience.
+
+For example, when the user creates an account, you might render a page with a call to action to verify their account. Assuming you've created an +account_created+ view template alongside your other Rodauth templates, you can configure the following:
+
+  after_create_account do
+    # render "account_created" view template with page title of "Account created!"
+    return_response view("account_created", "Account created!")
+  end
+
+Similarly, when the user has requested a password reset, you can render a page telling them to check their email:
+
+  after_reset_password_request do
+    # render "password_reset_sent" view template with page title of "Password sent!"
+    return_response view("password_reset_sent", "Password sent!")
+  end

data/doc/internal_request.rdoc

@@ -461,3 +461,79 @@ account login, before the change.
 
 Options:
 +:verify_login_change_key+ :: The verify login change key for the account. This allows verifying login changes by key, without knowing the account id or login.
+
+=== WebAuthn
+
+==== webauthn_setup_params (requires account)
+
+The +webauthn_setup_params+ method returns a hash with +:webauthn_setup+,
++:webauthn_setup_challenge+ and +:webauthn_setup_challenge_hmac+ keys.
+
+The +:webauthn_setup+ options should be provided to the client for WebAuthn
+registration, while +:webauthn_setup_challenge+ and
++webauthn_setup_challenge_hmac+ should be passed to the +webauthn_setup+
+method.
+
+==== webauthn_setup (requires account)
+
+The +webauthn_setup+ method creates a WebAuthn credential for the account.
+
+Options:
++:webauthn_setup+ :: The WebAuthn credential provided by the client during registration.
++:webauthn_setup_challenge+ :: The WebAuthn challenge generated for registration.
++:webauthn_setup_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for registration.
+
+==== webauthn_auth_params (requires account)
+
+The +webauthn_auth_params+ method returns a hash with +:webauthn_auth+,
++:webauthn_auth_challenge+ and +:webauthn_auth_challenge_hmac+ keys.
+
+The +:webauthn_auth+ options should be provided to the client for WebAuthn
+authentication, while +:webauthn_auth_challenge+ and
++webauthn_auth_challenge_hmac+ should be passed to the +webauthn_auth+ method.
+
+==== webauthn_auth (requires account)
+
+The +webauthn_auth+ method determines if the given WebAuthn credential is valid
+for the account.
+
+Options:
++:webauthn_auth+ :: The WebAuthn credential provided by the client during authentication.
++:webauthn_auth_challenge+ :: The WebAuthn challenge generated for authentication.
++:webauthn_auth_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for authentication.
+
+==== webauthn_remove (requires account)
+
+The +webauthn_remove+ methods deletes the given WebAuthn credential for the
+account.
+
+Options:
++:webauthn_remove+ :: The ID of the WebAuthn credential to delete.
+
+=== WebAuthn Login
+
+==== webauthn_login_params (requires account or login)
+
+The +webauthn_login_params+ method returns a hash with +:webauthn_auth+,
++:webauthn_auth_challenge+ and +:webauthn_auth_challenge_hmac+ keys.
+
+The +:webauthn_auth+ options should be provided to the client for WebAuthn
+authentication, while +:webauthn_auth_challenge+ and
++webauthn_auth_challenge_hmac+ should be passed to the +webauthn_login+ method.
+
+==== webauthn_login (requires account or login)
+
+The +webauthn_login+ method determines if the given WebAuthn credential is
+valid for the given account.
+
+This method will return the account id if the WebAuthn credential is valid.
+
+Options:
++:webauthn_auth+ :: The WebAuthn credential provided by the client during authentication.
++:webauthn_auth_challenge+ :: The WebAuthn challenge generated for authentication.
++:webauthn_auth_challenge_hmac+ :: The HMAC of the WebAuthn challenge generated for authentication.
+
+=== WebAuthn Autofill
+
+Enabling this feature modifies +webauthn_login_params+ and +webauthn_login+
+methods not to require an account or login.

data/doc/json.rdoc

@@ -41,6 +41,7 @@ json_not_accepted_error_message :: The error message to display if +json_check_a
 json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
 json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
 json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
+json_response_error? :: Whether the current JSON response indicates an error.  By default, returns whether +json_response_error_key+ is set.
 json_response_error_key :: The JSON result key containing an error message, +error+ by default.
 json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
 json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.

data/doc/jwt.rdoc

@@ -5,7 +5,7 @@ that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
 session information. It depends on the json feature.
 
 In order to use this feature, you have to set the +jwt_secret+ configuration
-option the secret used to cryptographically protect the token.
+option with the secret used to cryptographically protect the token.
 
 To use this JSON API, when processing responses for requests to a Rodauth
 endpoint, check for the Authorization header, and use the value of the
@@ -26,6 +26,11 @@ request in your Roda app, you can call the +rodauth.valid_jwt?+ method.  If
 +rodauth.valid_jwt?+ returns true, the contents of the jwt can be retrieved
 from +rodauth.session+.
 
+Logging the session out does not invalidate the previous JWT token by default.
+If you would like this behavior, you can use the active_sessions feature, which
+stores session identifiers in the database and deletes them when the session
+expires. This provides a whitelist approach of revoking JWT tokens.
+
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.

data/doc/jwt_refresh.rdoc

@@ -7,7 +7,7 @@ When this feature is used, the access and refresh token are provided
 at login in the response body (the access token is still provided in the Authorization
 header), and for any subsequent POST to <tt>/jwt-refresh</tt>.
 
-Note that using the refresh token invalides the token and creates
+Note that using the refresh token invalidates the token and creates
 a new access token with an updated lifetime.  However, it does not invalidate
 older access tokens.  Older access tokens remain valid until they expire.  You
 can use the active_sessions feature if you want previous access tokens to be invalid

data/doc/release_notes/2.31.0.txt

@@ -0,0 +1,47 @@
+= New Features
+
+* The internal_request feature now supports WebAuthn, using 
+  the following methods:
+
+  * With the webauthn feature:
+    * webauthn_setup_params
+    * webauthn_setup
+    * webauthn_auth_params
+    * webauthn_auth
+    * webauthn_remove
+
+  * With the webauthn_login feature:
+    * webauthn_login_params
+    * webauthn_login
+
+* A webauthn_login_user_verification_additional_factor? configuration
+  method has been added to the webauthn_login feature. By default,
+  this method returns false.  If you configure the method to return
+  true, and the WebAuthn credential provided specifies that it
+  verified the user, then this will treat the user verification as
+  a second factor, so the user will be considered multifactor
+  authenticated after successful login.  You should only set this
+  method to true if you consider the WebAuthn user verification
+  strong enough to be a independent factor.
+
+* A json_response_error? configuration method has been added to the
+  json feature.  This should return whether the current response
+  should be treated as an error by the json feature.  By default,
+  it is true if json_response_error_key is set in the response,
+  since that is the default place that Rodauth stores errors when
+  using the json feature.
+
+* A webauthn_invalid_webauthn_id_message configuration method has
+  been added for customizing the error message used for invalid
+  WebAuthn IDs.
+
+= Other Improvements
+
+* The argon2 feature now supports setting the Argon2 p_cost if
+  argon2 2.1+ is installed.
+
+* An :invalid_webauthn_id error reason is now used for invalid
+  WebAuthn IDs.
+
+* The clear_session method now works as expected for internal
+  requests.

data/doc/webauthn_autofill.rdoc

@@ -4,10 +4,15 @@ The webauthn_autofill feature enables autofill UI (aka "conditional mediation")
 for WebAuthn credentials, logging the user in on selection. It depends on the
 webauthn_login feature.
 
+This feature allows generating WebAuthn credential options and submitting a
+WebAuthn login request without providing a login, which can be used
+independently from the autofill UI.
+
 == Auth Value Methods
 
 webauthn_autofill_js :: The javascript code to execute on the login page to enable autofill UI.
 webauthn_autofill_js_route :: The route to the webauthn autofill javascript file.
+webauthn_invalid_webauthn_id_message :: The error message to show when provided WebAuthn ID wasn't found in the database.
 
 == Auth Methods
 

data/doc/webauthn_login.rdoc

@@ -5,6 +5,7 @@ WebAuthn. It depends on the login and webauthn features.
 
 == Auth Value Methods
 
+webauthn_login_user_verification_additional_factor? :: Whether passwordless login via WebAuthn should consider user verification as 2nd factor when using multifactor authentication, false by default. Setting this to true means that the app trusts the user verification done by the authenticator is strong enough to be considered an additional factor.
 webauthn_login_error_flash :: The flash error to show if there is a failure during passwordless login via WebAuthn.
 webauthn_login_failure_redirect :: Whether to redirect if there is a failure during passwordless login via WebAuthn.
 webauthn_login_route :: The route to the webauthn login action.

data/lib/rodauth/features/argon2.rb

@@ -43,7 +43,7 @@ module Rodauth
 
     def password_hash_cost
       return super unless use_argon2?
-      argon2_hash_cost 
+      argon2_hash_cost
     end
 
     def password_hash_match?(hash, password)
@@ -60,21 +60,40 @@ module Rodauth
       ::Argon2::Password.new(argon2_params).create(password)
     end
 
-    def extract_password_hash_cost(hash)
-      return super unless argon2_hash_algorithm?(hash )
+    if Argon2::VERSION >= '2.1'
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash )
 
-      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
-      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
-    end
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i, p_cost: $3.to_i }
+      end
 
-    if ENV['RACK_ENV'] == 'test'
-      def argon2_hash_cost
-        {t_cost: 1, m_cost: 3}
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 3, p_cost: 1 }
+        end
+      # :nocov:
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16, p_cost: 1 }
+        end
       end
-    # :nocov:
     else
-      def argon2_hash_cost
-        {t_cost: 2, m_cost: 16}
+      def extract_password_hash_cost(hash)
+        return super unless argon2_hash_algorithm?(hash )
+
+        /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+        { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+      end
+
+      if ENV['RACK_ENV'] == 'test'
+        def argon2_hash_cost
+          { t_cost: 1, m_cost: 3 }
+        end
+      else
+        def argon2_hash_cost
+          { t_cost: 2, m_cost: 16 }
+        end
       end
     end
     # :nocov:

data/lib/rodauth/features/internal_request.rb

@@ -50,6 +50,10 @@ module Rodauth
       @params[k]
     end
 
+    def clear_session
+      @session.clear
+    end
+
     def set_error_flash(message)
       @flash = message
       _handle_internal_request_error
@@ -81,6 +85,24 @@ module Rodauth
       _return_from_internal_request(recovery_codes)
     end
 
+    def webauthn_setup_view
+      cred = new_webauthn_credential
+      _return_from_internal_request({
+        webauthn_setup: cred.as_json,
+        webauthn_setup_challenge: cred.challenge,
+        webauthn_setup_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
+    def webauthn_auth_view
+      cred = webauthn_credential_options_for_get
+      _return_from_internal_request({
+        webauthn_auth: cred.as_json,
+        webauthn_auth_challenge: cred.challenge,
+        webauthn_auth_challenge_hmac: compute_hmac(cred.challenge)
+      })
+    end
+
     def handle_internal_request(meth)
       catch(:halt) do
         _around_rodauth do
@@ -153,6 +175,11 @@ module Rodauth
       _set_login_param_from_account
     end
 
+    def before_webauthn_login_route
+      super
+      _set_login_param_from_account
+    end
+
     def account_from_key(token, status_id=nil)
       return super unless session_value
       return unless yield session_value
@@ -232,6 +259,25 @@ module Rodauth
       _handle_otp_setup(request)
     end
 
+    def _handle_webauthn_setup_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_setup(request)
+    end
+
+    def _handle_webauthn_auth_params(request)
+      request.env['REQUEST_METHOD'] = 'GET'
+      _handle_webauthn_auth(request)
+    end
+
+    def _handle_webauthn_login_params(request)
+      _set_login_param_from_account
+      unless webauthn_login_options?
+        raise InternalRequestError, "no login provided" unless param_or_nil(login_param)
+        raise InternalRequestError, "no account for login"
+      end
+      webauthn_auth_view
+    end
+
     def _predicate_internal_request(meth, request)
       _return_false_on_error!
       _set_internal_request_return_value(true)
@@ -302,7 +348,7 @@ module Rodauth
         session[rodauth.session_key] = account_id
         unless authenticated_by = opts.delete(:authenticated_by)
           authenticated_by = case route
-          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
+          when :otp_auth, :sms_request, :sms_auth, :recovery_auth, :webauthn_auth, :webauthn_auth_params, :valid_otp_auth?, :valid_sms_auth?, :valid_recovery_auth?
             ['internal1']
           else
             ['internal1', 'internal2']

data/lib/rodauth/features/json.rb

@@ -22,6 +22,7 @@ module Rodauth
 
     auth_methods(
       :json_request?,
+      :json_response_error?
     )
 
     auth_private_methods :json_response_body
@@ -65,6 +66,10 @@ module Rodauth
       return_json_response
     end
 
+    def json_response_error?
+      !!json_response[json_response_error_key]
+    end
+
     private
 
     def before_two_factor_manage_route
@@ -172,7 +177,7 @@ module Rodauth
     end
 
     def _return_json_response
-      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response.status ||= json_response_error_status if json_response_error?
       response['Content-Type'] ||= json_response_content_type
       return_response _json_response_body(json_response)
     end

data/lib/rodauth/features/webauthn.rb

@@ -112,6 +112,12 @@ module Rodauth
 
     def_deprecated_alias :webauthn_credential_options_for_get, :webauth_credential_options_for_get
 
+    internal_request_method :webauthn_setup_params
+    internal_request_method :webauthn_setup
+    internal_request_method :webauthn_auth_params
+    internal_request_method :webauthn_auth
+    internal_request_method :webauthn_remove
+
     route(:webauthn_auth_js) do |r|
       before_webauthn_auth_js_route
       r.get do

data/lib/rodauth/features/webauthn_autofill.rb

@@ -6,6 +6,8 @@ module Rodauth
 
     auth_value_method :webauthn_autofill_js, File.binread(File.expand_path('../../../../javascript/webauthn_autofill.js', __FILE__)).freeze
 
+    translatable_method :webauthn_invalid_webauthn_id_message, "no webauthn key with given id found"
+
     route(:webauthn_autofill_js) do |r|
       before_webauthn_autofill_js_route
       r.get do
@@ -47,7 +49,11 @@ module Rodauth
         .where(webauthn_keys_webauthn_id_column => credential_id)
         .get(webauthn_keys_account_id_column)
 
-      @account = account_ds(account_id).first if account_id
+      unless account_id
+        throw_error_reason(:invalid_webauthn_id, invalid_field_error_status, webauthn_auth_param, webauthn_invalid_webauthn_id_message)
+      end
+
+      @account = account_ds(account_id).first
     end
 
     def webauthn_login_options?

data/lib/rodauth/features/webauthn_login.rb

@@ -10,6 +10,11 @@ module Rodauth
 
     error_flash "There was an error authenticating via WebAuthn"
 
+    auth_value_method :webauthn_login_user_verification_additional_factor?, false
+
+    internal_request_method :webauthn_login_params
+    internal_request_method :webauthn_login
+
     route(:webauthn_login) do |r|
       check_already_logged_in
       before_webauthn_login_route
@@ -24,6 +29,9 @@ module Rodauth
           before_webauthn_login
           login('webauthn') do
             webauthn_update_session(webauthn_credential.id)
+            if webauthn_login_verification_factor?(webauthn_credential)
+              two_factor_update_session('webauthn-verification')
+            end
           end
         end
 
@@ -48,12 +56,23 @@ module Rodauth
       end
     end
 
+    def webauthn_user_verification
+      return 'preferred' if webauthn_login_user_verification_additional_factor?
+      super
+    end
+
     def use_multi_phase_login?
       true
     end
 
     private
 
+    def webauthn_login_verification_factor?(webauthn_credential)
+      webauthn_login_user_verification_additional_factor? &&
+        webauthn_credential.response.authenticator_data.user_verified? &&
+        uses_two_factor_authentication?
+    end
+
     def account_from_webauthn_login
       account_from_login(param(login_param))
     end

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 30
+  MINOR = 31
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.30.0
+  version: 2.31.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-22 00:00:00.000000000 Z
+date: 2023-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -348,6 +348,7 @@ extra_rdoc_files:
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -394,6 +395,7 @@ files:
 - doc/guides/query_params.rdoc
 - doc/guides/redirects.rdoc
 - doc/guides/registration_field.rdoc
+- doc/guides/render_confirmation.rdoc
 - doc/guides/require_mfa.rdoc
 - doc/guides/reset_password_autologin.rdoc
 - doc/guides/share_configuration.rdoc
@@ -465,6 +467,7 @@ files:
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.30.0.txt
+- doc/release_notes/2.31.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt