rodauth 2.33.0 → 2.34.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +18 -0
- data/README.rdoc +1 -0
- data/doc/active_sessions.rdoc +3 -1
- data/doc/release_notes/2.34.0.txt +36 -0
- data/lib/rodauth/features/active_sessions.rb +14 -0
- data/lib/rodauth/features/base.rb +3 -2
- data/lib/rodauth/features/login.rb +4 -0
- data/lib/rodauth/features/webauthn.rb +56 -16
- data/lib/rodauth/version.rb +1 -1
- data/lib/rodauth.rb +1 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 96f5711d9bb49c87385e4e0ef0f07e0e8624e1139f145429c1a518d844811757
|
|
4
|
+
data.tar.gz: 01c43ee8ceb8d4c61c040e3463bf8b03cdd239e2c401461ef0122a24407ce311
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9b66e0f290cf4ae0c6d14c4032ff0830ef4b229a158def47247bec420414161dcfe35c60de12b15f20ac358d9c55d7ed446bf1d07cb0b6302031b63e5ce4b5a2
|
|
7
|
+
data.tar.gz: 304d17a7a183a0e33e42db2fcb5be6e9cdab0b58a70416ac2abd49478c4a1cc28c62395bd25f0e5b154a8117e712772045994c72159f4d36b3413d5f567c5a2c
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,21 @@
|
|
|
1
|
+
=== 2.34.0 (2024-03-22)
|
|
2
|
+
|
|
3
|
+
* Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
|
|
4
|
+
|
|
5
|
+
* Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
|
|
6
|
+
|
|
7
|
+
* Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
|
|
8
|
+
|
|
9
|
+
* Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
|
|
10
|
+
|
|
11
|
+
* Override require_login_redirect in login feature to use login_path (janko) (#396)
|
|
12
|
+
|
|
13
|
+
* Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
|
|
14
|
+
|
|
15
|
+
* Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
|
|
16
|
+
|
|
17
|
+
* Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)
|
|
18
|
+
|
|
1
19
|
=== 2.33.0 (2023-12-21)
|
|
2
20
|
|
|
3
21
|
* Expire SMS confirm code after 24 hours by default (jeremyevans)
|
data/README.rdoc
CHANGED
|
@@ -830,6 +830,7 @@ scope :: Roda instance
|
|
|
830
830
|
session :: session hash
|
|
831
831
|
flash :: flash message hash
|
|
832
832
|
account :: account hash (if set by an earlier Rodauth method)
|
|
833
|
+
current_route :: route name symbol (if Rodauth is handling the route)
|
|
833
834
|
|
|
834
835
|
So if you want to log the IP address for the user during login:
|
|
835
836
|
|
data/doc/active_sessions.rdoc
CHANGED
|
@@ -49,6 +49,8 @@ currently_active_session? :: Whether the session is currently active, by checkin
|
|
|
49
49
|
handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table. Does nothing by default. This should only be called if the random number generator is broken.
|
|
50
50
|
no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
|
|
51
51
|
remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
|
|
52
|
-
remove_all_active_sessions :: Remove all active
|
|
52
|
+
remove_all_active_sessions :: Remove all active sessions for the account from the database, used for global logouts and when closing accounts.
|
|
53
|
+
remove_all_active_sessions_except_for(session_id) :: Remove all active sessions for the account from the database, except for the session id given.
|
|
54
|
+
remove_all_active_sessions_except_current :: Remove all active sessions for the account from the database, except for the current session.
|
|
53
55
|
remove_current_session :: Remove current session from the database, used for regular logouts.
|
|
54
56
|
remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* A rodauth.current_route method has been added for returning the route
|
|
4
|
+
name symbol (if rodauth is currently handling the route). This makes it
|
|
5
|
+
simpler to write code that extends Rodauth and works with
|
|
6
|
+
applications that use override the default route names.
|
|
7
|
+
|
|
8
|
+
* A remove_all_active_sessions_except_for method has been added to the
|
|
9
|
+
active_sessions feature, which removes all active sessions for the
|
|
10
|
+
current account, except for the session id given.
|
|
11
|
+
|
|
12
|
+
* A remove_all_active_sessions_except_current method has been added to
|
|
13
|
+
the active_sessions feature, which removes all active sessions for
|
|
14
|
+
the current account, except for the current session.
|
|
15
|
+
|
|
16
|
+
= Improvements
|
|
17
|
+
|
|
18
|
+
* Rodauth now supports overriding webauthn_rp_id in the webauthn
|
|
19
|
+
feature.
|
|
20
|
+
|
|
21
|
+
* When using the login feature, Rodauth now defaults
|
|
22
|
+
require_login_redirect to use the path to the login route, instead
|
|
23
|
+
of /login.
|
|
24
|
+
|
|
25
|
+
* When setting up multifactor authentication, Rodauth now handles the
|
|
26
|
+
case where account has been deleted, instead of raising an exception.
|
|
27
|
+
|
|
28
|
+
* When a database connection is not available during startup, Rodauth
|
|
29
|
+
now handles that case instead of raising an exception. Note that in
|
|
30
|
+
this case, Rodauth cannot automatically setup a conversion of token
|
|
31
|
+
ids to integer, since it cannot determine whether the underlying
|
|
32
|
+
database column uses an integer type.
|
|
33
|
+
|
|
34
|
+
* When using WebAuthn 3+, Rodauth no longer defines singleton methods
|
|
35
|
+
to work around limitations in WebAuthn. Instead, it uses public
|
|
36
|
+
APIs that were added in WebAuthn 3.
|
|
@@ -31,6 +31,8 @@ module Rodauth
|
|
|
31
31
|
:no_longer_active_session,
|
|
32
32
|
:remove_active_session,
|
|
33
33
|
:remove_all_active_sessions,
|
|
34
|
+
:remove_all_active_sessions_except_for,
|
|
35
|
+
:remove_all_active_sessions_except_current,
|
|
34
36
|
:remove_current_session,
|
|
35
37
|
:remove_inactive_sessions,
|
|
36
38
|
)
|
|
@@ -95,6 +97,18 @@ module Rodauth
|
|
|
95
97
|
active_sessions_ds.delete
|
|
96
98
|
end
|
|
97
99
|
|
|
100
|
+
def remove_all_active_sessions_except_for(session_id)
|
|
101
|
+
active_sessions_ds.exclude(active_sessions_session_id_column=>compute_hmacs(session_id)).delete
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
def remove_all_active_sessions_except_current
|
|
105
|
+
if session_id = session[session_id_session_key]
|
|
106
|
+
remove_all_active_sessions_except_for(session_id)
|
|
107
|
+
else
|
|
108
|
+
remove_all_active_sessions
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
98
112
|
def remove_inactive_sessions
|
|
99
113
|
if cond = inactive_session_cond
|
|
100
114
|
active_sessions_ds.where(cond).delete
|
|
@@ -136,6 +136,7 @@ module Rodauth
|
|
|
136
136
|
|
|
137
137
|
attr_reader :scope
|
|
138
138
|
attr_reader :account
|
|
139
|
+
attr_reader :current_route
|
|
139
140
|
|
|
140
141
|
def initialize(scope)
|
|
141
142
|
@scope = scope
|
|
@@ -428,7 +429,7 @@ module Rodauth
|
|
|
428
429
|
require 'bcrypt' if require_bcrypt?
|
|
429
430
|
db.extension :date_arithmetic if use_date_arithmetic?
|
|
430
431
|
|
|
431
|
-
if convert_token_id_to_integer
|
|
432
|
+
if method(:convert_token_id_to_integer?).owner == Rodauth::Base && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
|
|
432
433
|
self.class.send(:define_method, :convert_token_id_to_integer?){true}
|
|
433
434
|
end
|
|
434
435
|
|
|
@@ -711,7 +712,7 @@ module Rodauth
|
|
|
711
712
|
# note that only the salt is returned.
|
|
712
713
|
def get_password_hash
|
|
713
714
|
if account_password_hash_column
|
|
714
|
-
account
|
|
715
|
+
account[account_password_hash_column] if account!
|
|
715
716
|
elsif use_database_authentication_functions?
|
|
716
717
|
db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
|
|
717
718
|
else
|
|
@@ -302,22 +302,17 @@ module Rodauth
|
|
|
302
302
|
def new_webauthn_credential
|
|
303
303
|
WebAuthn::Credential.options_for_create(
|
|
304
304
|
:timeout => webauthn_setup_timeout,
|
|
305
|
-
:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id},
|
|
306
305
|
:user => {:id=>account_webauthn_user_id, :name=>webauthn_user_name},
|
|
307
306
|
:authenticator_selection => webauthn_authenticator_selection,
|
|
308
307
|
:attestation => webauthn_attestation,
|
|
309
308
|
:extensions => webauthn_extensions,
|
|
310
309
|
:exclude => account_webauthn_ids,
|
|
310
|
+
**webauthn_create_relying_party_opts
|
|
311
311
|
)
|
|
312
312
|
end
|
|
313
313
|
|
|
314
314
|
def valid_new_webauthn_credential?(webauthn_credential)
|
|
315
|
-
|
|
316
|
-
origin = webauthn_origin
|
|
317
|
-
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
318
|
-
super(expected_challenge, expected_origin || origin, **kw)
|
|
319
|
-
end
|
|
320
|
-
|
|
315
|
+
_override_webauthn_credential_response_verify(webauthn_credential)
|
|
321
316
|
(challenge = param_or_nil(webauthn_setup_challenge_param)) &&
|
|
322
317
|
(hmac = param_or_nil(webauthn_setup_challenge_hmac_param)) &&
|
|
323
318
|
(timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
|
|
@@ -328,9 +323,9 @@ module Rodauth
|
|
|
328
323
|
WebAuthn::Credential.options_for_get(
|
|
329
324
|
:allow => webauthn_allow,
|
|
330
325
|
:timeout => webauthn_auth_timeout,
|
|
331
|
-
:rp_id => webauthn_rp_id,
|
|
332
326
|
:user_verification => webauthn_user_verification,
|
|
333
327
|
:extensions => webauthn_extensions,
|
|
328
|
+
**webauthn_get_relying_party_opts
|
|
334
329
|
)
|
|
335
330
|
end
|
|
336
331
|
|
|
@@ -368,12 +363,7 @@ module Rodauth
|
|
|
368
363
|
ds = webauthn_keys_ds.where(webauthn_keys_webauthn_id_column => webauthn_credential.id)
|
|
369
364
|
pub_key, sign_count = ds.get([webauthn_keys_public_key_column, webauthn_keys_sign_count_column])
|
|
370
365
|
|
|
371
|
-
|
|
372
|
-
origin = webauthn_origin
|
|
373
|
-
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
374
|
-
super(expected_challenge, expected_origin || origin, **kw)
|
|
375
|
-
end
|
|
376
|
-
|
|
366
|
+
_override_webauthn_credential_response_verify(webauthn_credential)
|
|
377
367
|
(challenge = param_or_nil(webauthn_auth_challenge_param)) &&
|
|
378
368
|
(hmac = param_or_nil(webauthn_auth_challenge_hmac_param)) &&
|
|
379
369
|
(timing_safe_eql?(compute_hmac(challenge), hmac) || (hmac_secret_rotation? && timing_safe_eql?(compute_old_hmac(challenge), hmac))) &&
|
|
@@ -419,6 +409,54 @@ module Rodauth
|
|
|
419
409
|
|
|
420
410
|
private
|
|
421
411
|
|
|
412
|
+
if WebAuthn::VERSION >= '3'
|
|
413
|
+
def webauthn_relying_party
|
|
414
|
+
# No need to memoize, only called once per request
|
|
415
|
+
WebAuthn::RelyingParty.new(
|
|
416
|
+
origin: webauthn_origin,
|
|
417
|
+
id: webauthn_rp_id,
|
|
418
|
+
name: webauthn_rp_name,
|
|
419
|
+
)
|
|
420
|
+
end
|
|
421
|
+
|
|
422
|
+
def webauthn_create_relying_party_opts
|
|
423
|
+
{ :relying_party => webauthn_relying_party }
|
|
424
|
+
end
|
|
425
|
+
alias webauthn_get_relying_party_opts webauthn_create_relying_party_opts
|
|
426
|
+
|
|
427
|
+
def webauthn_form_submission_call(meth, arg)
|
|
428
|
+
WebAuthn::Credential.public_send(meth, arg, :relying_party => webauthn_relying_party)
|
|
429
|
+
end
|
|
430
|
+
|
|
431
|
+
def _override_webauthn_credential_response_verify(webauthn_credential)
|
|
432
|
+
# no need to override
|
|
433
|
+
end
|
|
434
|
+
# :nocov:
|
|
435
|
+
else
|
|
436
|
+
def webauthn_create_relying_party_opts
|
|
437
|
+
{:rp => {:name=>webauthn_rp_name, :id=>webauthn_rp_id}}
|
|
438
|
+
end
|
|
439
|
+
|
|
440
|
+
def webauthn_get_relying_party_opts
|
|
441
|
+
{ :rp_id => webauthn_rp_id }
|
|
442
|
+
end
|
|
443
|
+
|
|
444
|
+
def webauthn_form_submission_call(meth, arg)
|
|
445
|
+
WebAuthn::Credential.public_send(meth, arg)
|
|
446
|
+
end
|
|
447
|
+
|
|
448
|
+
def _override_webauthn_credential_response_verify(webauthn_credential)
|
|
449
|
+
# Hack around inability to override expected_origin and rp_id
|
|
450
|
+
origin = webauthn_origin
|
|
451
|
+
rp_id = webauthn_rp_id
|
|
452
|
+
webauthn_credential.response.define_singleton_method(:verify) do |expected_challenge, expected_origin = nil, **kw|
|
|
453
|
+
kw[:rp_id] = rp_id
|
|
454
|
+
super(expected_challenge, expected_origin || origin, **kw)
|
|
455
|
+
end
|
|
456
|
+
end
|
|
457
|
+
# :nocov:
|
|
458
|
+
end
|
|
459
|
+
|
|
422
460
|
def _two_factor_auth_links
|
|
423
461
|
links = super
|
|
424
462
|
links << [10, webauthn_auth_path, webauthn_auth_link_text] if webauthn_setup? && !two_factor_login_type_match?('webauthn')
|
|
@@ -464,7 +502,8 @@ module Rodauth
|
|
|
464
502
|
|
|
465
503
|
def webauthn_auth_credential_from_form_submission
|
|
466
504
|
begin
|
|
467
|
-
webauthn_credential =
|
|
505
|
+
webauthn_credential = webauthn_form_submission_call(:from_get, webauthn_auth_data)
|
|
506
|
+
|
|
468
507
|
unless valid_webauthn_credential_auth?(webauthn_credential)
|
|
469
508
|
throw_error_reason(:invalid_webauthn_auth_param, invalid_key_error_status, webauthn_auth_param, webauthn_invalid_auth_param_message)
|
|
470
509
|
end
|
|
@@ -498,7 +537,8 @@ module Rodauth
|
|
|
498
537
|
end
|
|
499
538
|
|
|
500
539
|
begin
|
|
501
|
-
webauthn_credential =
|
|
540
|
+
webauthn_credential = webauthn_form_submission_call(:from_create, webauthn_setup_data)
|
|
541
|
+
|
|
502
542
|
unless valid_new_webauthn_credential?(webauthn_credential)
|
|
503
543
|
throw_error_reason(:invalid_webauthn_setup_param, invalid_field_error_status, webauthn_setup_param, webauthn_invalid_setup_param_message)
|
|
504
544
|
end
|
data/lib/rodauth/version.rb
CHANGED
data/lib/rodauth.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rodauth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.34.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-03-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: sequel
|
|
@@ -351,6 +351,7 @@ extra_rdoc_files:
|
|
|
351
351
|
- doc/release_notes/2.31.0.txt
|
|
352
352
|
- doc/release_notes/2.32.0.txt
|
|
353
353
|
- doc/release_notes/2.33.0.txt
|
|
354
|
+
- doc/release_notes/2.34.0.txt
|
|
354
355
|
- doc/release_notes/2.4.0.txt
|
|
355
356
|
- doc/release_notes/2.5.0.txt
|
|
356
357
|
- doc/release_notes/2.6.0.txt
|
|
@@ -472,6 +473,7 @@ files:
|
|
|
472
473
|
- doc/release_notes/2.31.0.txt
|
|
473
474
|
- doc/release_notes/2.32.0.txt
|
|
474
475
|
- doc/release_notes/2.33.0.txt
|
|
476
|
+
- doc/release_notes/2.34.0.txt
|
|
475
477
|
- doc/release_notes/2.4.0.txt
|
|
476
478
|
- doc/release_notes/2.5.0.txt
|
|
477
479
|
- doc/release_notes/2.6.0.txt
|
|
@@ -632,7 +634,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
632
634
|
- !ruby/object:Gem::Version
|
|
633
635
|
version: '0'
|
|
634
636
|
requirements: []
|
|
635
|
-
rubygems_version: 3.
|
|
637
|
+
rubygems_version: 3.5.3
|
|
636
638
|
signing_key:
|
|
637
639
|
specification_version: 4
|
|
638
640
|
summary: Authentication and Account Management Framework for Rack Applications
|