rodauth 2.33.0 → 2.34.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +18 -0
- data/README.rdoc +1 -0
- data/doc/active_sessions.rdoc +3 -1
- data/doc/release_notes/2.34.0.txt +36 -0
- data/lib/rodauth/features/active_sessions.rb +14 -0
- data/lib/rodauth/features/base.rb +3 -2
- data/lib/rodauth/features/login.rb +4 -0
- data/lib/rodauth/features/webauthn.rb +56 -16
- data/lib/rodauth/version.rb +1 -1
- data/lib/rodauth.rb +1 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 96f5711d9bb49c87385e4e0ef0f07e0e8624e1139f145429c1a518d844811757
|
|
4
|
+
data.tar.gz: 01c43ee8ceb8d4c61c040e3463bf8b03cdd239e2c401461ef0122a24407ce311
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9b66e0f290cf4ae0c6d14c4032ff0830ef4b229a158def47247bec420414161dcfe35c60de12b15f20ac358d9c55d7ed446bf1d07cb0b6302031b63e5ce4b5a2
|
|
7
|
+
data.tar.gz: 304d17a7a183a0e33e42db2fcb5be6e9cdab0b58a70416ac2abd49478c4a1cc28c62395bd25f0e5b154a8117e712772045994c72159f4d36b3413d5f567c5a2c
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,21 @@
|
|
|
1
|
+
=== 2.34.0 (2024-03-22)
|
|
2
|
+
|
|
3
|
+
* Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
|
|
4
|
+
|
|
5
|
+
* Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
|
|
6
|
+
|
|
7
|
+
* Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
|
|
8
|
+
|
|
9
|
+
* Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
|
|
10
|
+
|
|
11
|
+
* Override require_login_redirect in login feature to use login_path (janko) (#396)
|
|
12
|
+
|
|
13
|
+
* Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
|
|
14
|
+
|
|
15
|
+
* Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
|
|
16
|
+
|
|
17
|
+
* Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)
|
|
18
|
+
|
|
1
19
|
=== 2.33.0 (2023-12-21)
|
|
2
20
|
|
|
3
21
|
* Expire SMS confirm code after 24 hours by default (jeremyevans)
|
data/README.rdoc
CHANGED
|
@@ -830,6 +830,7 @@ scope :: Roda instance
|
|
|
830
830
|
session :: session hash
|
|
831
831
|
flash :: flash message hash
|
|
832
832
|
account :: account hash (if set by an earlier Rodauth method)
|
|
833
|
+
current_route :: route name symbol (if Rodauth is handling the route)
|
|
833
834
|
|
|
834
835
|
So if you want to log the IP address for the user during login:
|
|
835
836
|
|
data/doc/active_sessions.rdoc
CHANGED
|
@@ -49,6 +49,8 @@ currently_active_session? :: Whether the session is currently active, by checkin
|
|
|
49
49
|
handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table. Does nothing by default. This should only be called if the random number generator is broken.
|
|
50
50
|
no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
|
|
51
51
|
remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
|
|
52
|
-
remove_all_active_sessions :: Remove all active
|
|
52
|
+
remove_all_active_sessions :: Remove all active sessions for the account from the database, used for global logouts and when closing accounts.
|
|
53
|
+
remove_all_active_sessions_except_for(session_id) :: Remove all active sessions for the account from the database, except for the session id given.
|
|
54
|
+
remove_all_active_sessions_except_current :: Remove all active sessions for the account from the database, except for the current session.
|
|
53
55
|
remove_current_session :: Remove current session from the database, used for regular logouts.
|
|
54
56
|
remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* A rodauth.current_route method has been added for returning the route
|
|
4
|
+
name symbol (if rodauth is currently handling the route). This makes it
|
|
5
|
+
simpler to write code that extends Rodauth and works with
|
|
6
|
+
applications that use override the default route names.
|
|
7
|
+
|
|
8
|
+
* A remove_all_active_sessions_except_for method has been added to the
|
|
9
|
+
active_sessions feature, which removes all active sessions for the
|
|
10
|
+
current account, except for the session id given.
|
|
11
|
+
|
|
12
|
+
* A remove_all_active_sessions_except_current method has been added to
|
|
13
|
+
the active_sessions feature, which removes all active sessions for
|
|
14
|
+
the current account, except for the current session.
|
|
15
|
+
|
|
16
|
+
= Improvements
|
|
17
|
+
|
|
18
|
+
* Rodauth now supports overriding webauthn_rp_id in the webauthn
|
|
19
|
+
feature.
|
|
20
|
+
|
|
21
|
+
* When using the login feature, Rodauth now defaults
|
|
22
|
+
require_login_redirect to use the path to the login route, instead
|
|
23
|
+
of /login.
|
|
24
|
+
|
|
25
|
+
* When setting up multifactor authentication, Rodauth now handles the
|
|
26
|
+
case where account has been deleted, instead of raising an exception.
|
|
27
|
+
|
|
28
|
+
* When a database connection is not available during startup, Rodauth
|
|
29
|
+
now handles that case instead of raising an exception. Note that in
|
|
30
|
+
this case, Rodauth cannot automatically setup a conversion of token
|
|
31
|
+
ids to integer, since it cannot determine whether the underlying
|
|
32
|
+
database column uses an integer type.
|
|
33
|
+
|
|
34
|
+
* When using WebAuthn 3+, Rodauth no longer defines singleton methods
|
|
35
|
+
to work around limitations in WebAuthn. Instead, it uses public
|
|
36
|
+
APIs that were added in WebAuthn 3.
|
|
@@ -31,6 +31,8 @@ module Rodauth
|
|
|
31
31
|
:no_longer_active_session,
|
|
32
32
|
:remove_active_session,
|
|
33
33
|
:remove_all_active_sessions,
|
|
34
|
+
:remove_all_active_sessions_except_for,
|
|
35
|
+
:remove_all_active_sessions_except_current,
|
|
34
36
|
:remove_current_session,
|
|
35
37
|
:remove_inactive_sessions,
|
|
36
38
|
)
|
|
@@ -95,6 +97,18 @@ module Rodauth
|
|
|
95
97
|
active_sessions_ds.delete
|
|
96
98
|
end
|
|
97
99
|
|
|
100
|
+
def remove_all_active_sessions_except_for(session_id)
|
|
101
|
+
active_sessions_ds.exclude(active_sessions_session_id_column=>compute_hmacs(session_id)).delete
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
def remove_all_active_sessions_except_current
|
|
105
|
+
if session_id = session[session_id_session_key]
|
|
106
|
+
remove_all_active_sessions_except_for(session_id)
|
|
107
|
+
else
|
|
108
|
+
remove_all_active_sessions
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
98
112
|
def remove_inactive_sessions
|
|
99
113
|
if cond = inactive_session_cond
|
|
100
114
|
active_sessions_ds.where(cond).delete
|
|
@@ -136,6 +136,7 @@ module Rodauth
|
|
|
136
136
|
|
|
137
137
|
attr_reader :scope
|
|
138
138
|
attr_reader :account
|
|
139
|
+
attr_reader :current_route
|
|
139
140
|
|
|
140
141
|
def initialize(scope)
|
|
141
142
|
@scope = scope
|
|
@@ -428,7 +429,7 @@ module Rodauth
|
|
|
428
429
|
require 'bcrypt' if require_bcrypt?
|
|
429
430
|
db.extension :date_arithmetic if use_date_arithmetic?
|
|
430
431
|
|
|
431
|
-
if convert_token_id_to_integer
|
|
432
|
+
if method(:convert_token_id_to_integer?).owner == Rodauth::Base && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
|
|
432
433
|
self.class.send(:define_method, :convert_token_id_to_integer?){true}
|
|
433
434
|
end
|
|
434
435
|
|
|
@@ -711,7 +712,7 @@ module Rodauth
|
|
|
711
712
|
# note that only the salt is returned.
|
|
712
713
|
def get_password_hash
|
|
713
714
|
if account_password_hash_column
|
|
714
|
-
account
|
|
715
|
+
account[account_password_hash_column] if account!
|
|
715
716
|
elsif use_database_authentication_functions?
|
|
716
717
|
db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
|
|
717
718
|
else
|
|
@@ -302,22 +302,17 @@ module Rodauth
|
|
|
302
302
|
def new_webauthn_credential
|
|
303
303
|
WebAuthn::Credential.options_for_create(
|
|
304
304
|
:timeout => webauthn_setup_timeout,
|
|
305
|
-
:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id},
|
|
306
305
|
:user => {:id=>account_webauthn_user_id, :name=>webauthn_user_name},
|
|
307
306
|
:authenticator_selection => webauthn_authenticator_selection,
|
|
308
307
|
:attestation => webauthn_attestation,
|
|
309
308
|
:extensions => webauthn_extensions,
|
|
310
309
|
:exclude => account_webauthn_ids,
|
|
310
|
+
**webauthn_create_relying_party_opts
|
|
311
311
|
)
|
|
312
312
|
end
|
|
313
313
|
|
|
314
314
|
def valid_new_webauthn_credential?(webauthn_credential)
|
|
315
|
-
|
|
316
|
-
origin = webauthn_origin
|
|
317
|
-
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
318
|
-
super(expected_challenge, expected_origin || origin, **kw)
|
|
319
|
-
end
|
|
320
|
-
|
|
315
|
+
_override_webauthn_credential_response_verify(webauthn_credential)
|
|
321
316
|
(challenge = param_or_nil(webauthn_setup_challenge_param)) &&
|
|
322
317
|
(hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
|
|
323
318
|
(timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
|
|
@@ -328,9 +323,9 @@ module Rodauth
|
|
|
328
323
|
WebAuthn::Credential.options_for_get(
|
|
329
324
|
:allow => webauthn_allow,
|
|
330
325
|
:timeout => webauthn_auth_timeout,
|
|
331
|
-
:rp_id => webauthn_rp_id,
|
|
332
326
|
:user_verification => webauthn_user_verification,
|
|
333
327
|
:extensions => webauthn_extensions,
|
|
328
|
+
**webauthn_get_relying_party_opts
|
|
334
329
|
)
|
|
335
330
|
end
|
|
336
331
|
|
|
@@ -368,12 +363,7 @@ module Rodauth
|
|
|
368
363
|
ds = webauthn_keys_ds.where(webauthn_keys_webauthn_id_column => webauthn_credential.id)
|
|
369
364
|
pub_key, sign_count = ds.get([webauthn_keys_public_key_column, webauthn_keys_sign_count_column])
|
|
370
365
|
|
|
371
|
-
|
|
372
|
-
origin = webauthn_origin
|
|
373
|
-
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
374
|
-
super(expected_challenge, expected_origin || origin, **kw)
|
|
375
|
-
end
|
|
376
|
-
|
|
366
|
+
_override_webauthn_credential_response_verify(webauthn_credential)
|
|
377
367
|
(challenge = param_or_nil(webauthn_auth_challenge_param)) &&
|
|
378
368
|
(hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
|
|
379
369
|
(timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
|
|
@@ -419,6 +409,54 @@ module Rodauth
|
|
|
419
409
|
|
|
420
410
|
private
|
|
421
411
|
|
|
412
|
+
if WebAuthn::VERSION >= '3'
|
|
413
|
+
def webauthn_relying_party
|
|
414
|
+
# No need to memoize, only called once per request
|
|
415
|
+
WebAuthn::RelyingParty.new(
|
|
416
|
+
origin: webauthn_origin,
|
|
417
|
+
id: webauthn_rp_id,
|
|
418
|
+
name: webauthn_rp_name,
|
|
419
|
+
)
|
|
420
|
+
end
|
|
421
|
+
|
|
422
|
+
def webauthn_create_relying_party_opts
|
|
423
|
+
{ :relying_party => webauthn_relying_party }
|
|
424
|
+
end
|
|
425
|
+
alias webauthn_get_relying_party_opts webauthn_create_relying_party_opts
|
|
426
|
+
|
|
427
|
+
def webauthn_form_submission_call(meth, arg)
|
|
428
|
+
WebAuthn::Credential.public_send(meth, arg, :relying_party => webauthn_relying_party)
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
def _override_webauthn_credential_response_verify(webauthn_credential)
|
|
432
|
+
# no need to override
|
|
433
|
+
end
|
|
434
|
+
# :nocov:
|
|
435
|
+
else
|
|
436
|
+
def webauthn_create_relying_party_opts
|
|
437
|
+
{:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id}}
|
|
438
|
+
end
|
|
439
|
+
|
|
440
|
+
def webauthn_get_relying_party_opts
|
|
441
|
+
{ :rp_id => webauthn_rp_id }
|
|
442
|
+
end
|
|
443
|
+
|
|
444
|
+
def webauthn_form_submission_call(meth, arg)
|
|
445
|
+
WebAuthn::Credential.public_send(meth, arg)
|
|
446
|
+
end
|
|
447
|
+
|
|
448
|
+
def _override_webauthn_credential_response_verify(webauthn_credential)
|
|
449
|
+
# Hack around inability to override expected_origin and rp_id
|
|
450
|
+
origin = webauthn_origin
|
|
451
|
+
rp_id = webauthn_rp_id
|
|
452
|
+
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
453
|
+
kw[:rp_id] = rp_id
|
|
454
|
+
super(expected_challenge, expected_origin || origin, **kw)
|
|
455
|
+
end
|
|
456
|
+
end
|
|
457
|
+
# :nocov:
|
|
458
|
+
end
|
|
459
|
+
|
|
422
460
|
def _two_factor_auth_links
|
|
423
461
|
links = super
|
|
424
462
|
links << [10, webauthn_auth_path, webauthn_auth_link_text] if webauthn_setup? && !two_factor_login_type_match?('webauthn')
|
|
@@ -464,7 +502,8 @@ module Rodauth
|
|
|
464
502
|
|
|
465
503
|
def webauthn_auth_credential_from_form_submission
|
|
466
504
|
begin
|
|
467
|
-
webauthn_credential =
|
|
505
|
+
webauthn_credential = webauthn_form_submission_call(:from_get, webauthn_auth_data)
|
|
506
|
+
|
|
468
507
|
unless valid_webauthn_credential_auth?(webauthn_credential)
|
|
469
508
|
throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
|
|
470
509
|
end
|
|
@@ -498,7 +537,8 @@ module Rodauth
|
|
|
498
537
|
end
|
|
499
538
|
|
|
500
539
|
begin
|
|
501
|
-
webauthn_credential =
|
|
540
|
+
webauthn_credential = webauthn_form_submission_call(:from_create, webauthn_setup_data)
|
|
541
|
+
|
|
502
542
|
unless valid_new_webauthn_credential?(webauthn_credential)
|
|
503
543
|
throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
|
|
504
544
|
end
|
data/lib/rodauth/version.rb
CHANGED
data/lib/rodauth.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.34.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-03-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -351,6 +351,7 @@ extra_rdoc_files:
|
|
|
351
351
|
- doc/release_notes/2.31.0.txt
|
|
352
352
|
- doc/release_notes/2.32.0.txt
|
|
353
353
|
- doc/release_notes/2.33.0.txt
|
|
354
|
+
- doc/release_notes/2.34.0.txt
|
|
354
355
|
- doc/release_notes/2.4.0.txt
|
|
355
356
|
- doc/release_notes/2.5.0.txt
|
|
356
357
|
- doc/release_notes/2.6.0.txt
|
|
@@ -472,6 +473,7 @@ files:
|
|
|
472
473
|
- doc/release_notes/2.31.0.txt
|
|
473
474
|
- doc/release_notes/2.32.0.txt
|
|
474
475
|
- doc/release_notes/2.33.0.txt
|
|
476
|
+
- doc/release_notes/2.34.0.txt
|
|
475
477
|
- doc/release_notes/2.4.0.txt
|
|
476
478
|
- doc/release_notes/2.5.0.txt
|
|
477
479
|
- doc/release_notes/2.6.0.txt
|
|
@@ -632,7 +634,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
632
634
|
- !ruby/object:Gem::Version
|
|
633
635
|
version: '0'
|
|
634
636
|
requirements: []
|
|
635
|
-
rubygems_version: 3.
|
|
637
|
+
rubygems_version: 3.5.3
|
|
636
638
|
signing_key:
|
|
637
639
|
specification_version: 4
|
|
638
640
|
summary: Authentication and Account Management Framework for Rack Applications
|