rodauth 2.32.0 → 2.33.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ee670a5f0a59467c2043ca7649284c04665663fa4859b52bea1200722cf69256
-  data.tar.gz: 0a270ebc549934096225c47c0ea37e218658133cd7a5a10036c60e5d6a2f3c5c
+  metadata.gz: 57dd78525df05b6947a84692c0f061b435dc2d07c072f689dcda121c788c59dd
+  data.tar.gz: 984dde3de0dd4329505eaaf04e8a49b8e5c4b8347e8dea454d6aa586ab0f5846
 SHA512:
-  metadata.gz: 8e36ee900735384b6179c44f9549c10719cd24055b04b2b4a46daf7e499aa5e9057abb205b37bb4be2ab0d43eddff88314f945d6b8e47dde4bb2b21da1160947
-  data.tar.gz: 90970c54c4f2492ff0956a8c8bdb91eb475487e5e45b71fad06a39403c658234656a644b871de4d18c74d14c3288fef5db5932ee0fc5c8434cc69788348c606c
+  metadata.gz: 0abb1ad9eedc3f0d23db686ac490483a86ba73c8f5a9e33bd375e5a93b98790a133b2e1da6599bfdd3759f0a56e4c890ac1cbf0f89bf7edc69e8159de7c173ed
+  data.tar.gz: 2d82400b1298b9a372ef8fd4aea5f9e1ba490e6572113a112f15e3dd1a3ed0655d4d934c84d18f61909bc6d0ed54c6bc2e1486f945da14cedbe35f1ea1614c10

data/CHANGELOG

@@ -1,3 +1,13 @@
+=== 2.33.0 (2023-12-21)
+
+* Expire SMS confirm code after 24 hours by default (jeremyevans)
+
+* Do not accidentally confirm SMS phone number on successful authentication of other second factor (Bertg) (#376, #377)
+
+* Return error response instead of 404 response for requests to valid pages with missing tokens (janko) (#375)
+
+* Do not override existing primary key value in the cached account when inserting a new account (janko) (#372)
+
 === 2.32.0 (2023-10-23)
 
 * Remove use of Base64 in argon2 feature (jeremyevans)

data/doc/release_notes/2.33.0.txt

@@ -0,0 +1,18 @@
+= Improvements
+
+* Rodauth no longer accidentally confirms an SMS number upon valid
+  authentication by an alternative second factor.
+
+* Rodauth now automatically expires SMS confirmation codes after 24
+  hours by default.  You can use the sms_confirm_deadline
+  configuration method to adjust the deadline.  Previously, if an
+  invalid SMS number was submitted, or the SMS confirm code was never
+  received, it was not possible to continue SMS setup without
+  administrative intervention.
+
+* Rodauth no longer overwrites existing primary key values when
+  inserting new accounts. This fixes cases such as setting account
+  primary key values to UUIDs before inserting.
+
+* When submitting a request to a valid endpoint with a missing token,
+  Rodauth now returns an error response instead of a 404 response.

data/doc/sms_codes.rdoc

@@ -41,6 +41,7 @@ sms_codes_table :: The name of the table storing SMS code data.
 sms_confirm_additional_form_tags :: HTML fragment containing additional form tags when confirming SMS setup.
 sms_confirm_button :: Text to use for button on the form to confirm SMS setup.
 sms_confirm_code_length :: The length of SMS confirmation codes, 12 by default, as there is no lockout. 
+sms_confirm_deadline :: The number of seconds before an SMS confirmation code expires (86400 seconds by default).
 sms_confirm_notice_flash :: The flash notice to show when SMS authentication setup has been confirmed.
 sms_confirm_page_title :: The page title to use on the form to authenticate via SMS code.
 sms_confirm_redirect :: Where to redirect after SMS authentication setup has been confirmed.
@@ -125,6 +126,7 @@ sms_new_auth_code :: A new SMS authentication code that can be used for the acco
 sms_new_confirm_code :: A new SMS confirmation code that can be used for the account.
 sms_normalize_phone(phone) :: A normalized version of the given phone number, by default removing everything except 0-9.
 sms_record_failure :: Record an SMS authentication failure for the current account.
+sms_remove_expired_confirm_code :: Remove an expired SMS confirm code, allowing setup of a new sms confirm code.
 sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful multifactor authentication.
 sms_request_response :: Return a response after a successful SMS request during SMS authentication. By default, redirects to +sms_auth_redirect+.
 sms_request_view :: The HTML to use for the form to request an SMS authentication code.

data/lib/rodauth/features/create_account.rb

@@ -106,7 +106,7 @@ module Rodauth
       end
 
       if id
-        account[account_id_column] = id
+        account[account_id_column] ||= id
       end
 
       id && !raised

data/lib/rodauth/features/email_auth.rb

@@ -77,14 +77,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[email_auth_session_key]
-          if account_from_email_auth_key(key)
-            email_auth_view
-          else
-            remove_session_value(email_auth_session_key)
-            set_redirect_error_flash no_matching_email_auth_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[email_auth_session_key]) && account_from_email_auth_key(key)
+          email_auth_view
+        else
+          remove_session_value(email_auth_session_key)
+          set_redirect_error_flash no_matching_email_auth_key_error_flash
+          redirect require_login_redirect
         end
       end
 

data/lib/rodauth/features/lockout.rb

@@ -104,14 +104,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[unlock_account_session_key]
-          if account_from_unlock_key(key)
-            unlock_account_view
-          else
-            remove_session_value(unlock_account_session_key)
-            set_redirect_error_flash no_matching_unlock_account_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[unlock_account_session_key]) && account_from_unlock_key(key)
+          unlock_account_view
+        else
+          remove_session_value(unlock_account_session_key)
+          set_redirect_error_flash no_matching_unlock_account_key_error_flash
+          redirect require_login_redirect
         end
       end
 

data/lib/rodauth/features/reset_password.rb

@@ -109,14 +109,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[reset_password_session_key]
-          if account_from_reset_password_key(key)
-            reset_password_view
-          else
-            remove_session_value(reset_password_session_key)
-            set_redirect_error_flash no_matching_reset_password_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[reset_password_session_key]) && account_from_reset_password_key(key)
+          reset_password_view
+        else
+          remove_session_value(reset_password_session_key)
+          set_redirect_error_flash no_matching_reset_password_key_error_flash
+          redirect require_login_redirect
         end
       end
 

data/lib/rodauth/features/sms_codes.rb

@@ -76,6 +76,7 @@ module Rodauth
     auth_value_method :sms_code_param, 'sms-code'
     auth_value_method :sms_codes_table, :account_sms_codes
     auth_value_method :sms_confirm_code_length, 12
+    auth_value_method :sms_confirm_deadline, 86400
     auth_value_method :sms_failure_limit, 5
     auth_value_method :sms_failures_column, :num_failures
     auth_value_method :sms_id_column, :id
@@ -112,6 +113,7 @@ module Rodauth
       :sms_new_confirm_code,
       :sms_normalize_phone,
       :sms_record_failure,
+      :sms_remove_expired_confirm_code,
       :sms_remove_failures,
       :sms_send,
       :sms_set_code,
@@ -196,6 +198,7 @@ module Rodauth
         require_two_factor_setup
         require_two_factor_authenticated
       end
+      sms_remove_expired_confirm_code
       require_sms_not_setup
 
       if sms_needs_confirmation?
@@ -244,6 +247,7 @@ module Rodauth
         require_two_factor_setup
         require_two_factor_authenticated
       end
+      sms_remove_expired_confirm_code
       require_sms_not_setup
       before_sms_confirm_route
 
@@ -362,16 +366,17 @@ module Rodauth
     def sms_setup(phone_number)
       # Cannot handle uniqueness violation here, as the phone number given may not match the
       # one in the table.
-      sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number)
+      sms_ds.insert(sms_id_column=>session_value, sms_phone_column=>phone_number, sms_failures_column => nil)
       remove_instance_variable(:@sms) if instance_variable_defined?(:@sms)
     end
 
     def sms_remove_failures
-      update_sms(sms_failures_column => 0, sms_code_column => nil)
+      return if sms_needs_confirmation?
+      update_hash_ds(sms, sms_ds.exclude(sms_failures_column => nil), sms_failures_column => 0, sms_code_column => nil)
     end
 
     def sms_confirm
-      sms_remove_failures
+      update_hash_ds(sms, sms_ds.where(sms_failures_column => nil), sms_failures_column => 0, sms_code_column => nil)
       super if defined?(super)
     end
 
@@ -407,6 +412,13 @@ module Rodauth
      update_sms(sms_code_column=>code, sms_issued_at_column=>Sequel::CURRENT_TIMESTAMP)
     end
 
+    def sms_remove_expired_confirm_code
+      db[sms_codes_table].
+        where(sms_id_column=>session_value, sms_failures_column => nil).
+        where(Sequel[sms_issued_at_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: sms_confirm_deadline)).
+        delete
+    end
+
     def sms_record_failure
       update_sms(sms_failures_column=>Sequel.expr(sms_failures_column)+1)
       sms[sms_failures_column] = sms_ds.get(sms_failures_column)
@@ -516,5 +528,9 @@ module Rodauth
     def sms_ds
       db[sms_codes_table].where(sms_id_column=>session_value)
     end
+
+    def use_date_arithmetic?
+      true
+    end
   end
 end

data/lib/rodauth/features/verify_account.rb

@@ -102,14 +102,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[verify_account_session_key]
-          if account_from_verify_account_key(key)
-            verify_account_view
-          else
-            remove_session_value(verify_account_session_key)
-            set_redirect_error_flash no_matching_verify_account_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[verify_account_session_key]) && account_from_verify_account_key(key)
+          verify_account_view
+        else
+          remove_session_value(verify_account_session_key)
+          set_redirect_error_flash no_matching_verify_account_key_error_flash
+          redirect require_login_redirect
         end
       end
 

data/lib/rodauth/features/verify_login_change.rb

@@ -62,14 +62,12 @@ module Rodauth
           redirect(r.path)
         end
 
-        if key = session[verify_login_change_session_key]
-          if account_from_verify_login_change_key(key)
-            verify_login_change_view
-          else
-            remove_session_value(verify_login_change_session_key)
-            set_redirect_error_flash no_matching_verify_login_change_key_error_flash
-            redirect require_login_redirect
-          end
+        if (key = session[verify_login_change_session_key]) && account_from_verify_login_change_key(key)
+          verify_login_change_view
+        else
+          remove_session_value(verify_login_change_session_key)
+          set_redirect_error_flash no_matching_verify_login_change_key_error_flash
+          redirect require_login_redirect
         end
       end
 

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 32
+  MINOR = 33
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.32.0
+  version: 2.33.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-23 00:00:00.000000000 Z
+date: 2023-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -350,6 +350,7 @@ extra_rdoc_files:
 - doc/release_notes/2.30.0.txt
 - doc/release_notes/2.31.0.txt
 - doc/release_notes/2.32.0.txt
+- doc/release_notes/2.33.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
@@ -470,6 +471,7 @@ files:
 - doc/release_notes/2.30.0.txt
 - doc/release_notes/2.31.0.txt
 - doc/release_notes/2.32.0.txt
+- doc/release_notes/2.33.0.txt
 - doc/release_notes/2.4.0.txt
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt