rodauth 2.7.0 → 2.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ce2af7161a7aaba17ebb25beda65f8598306b2d040986db0be215b89fb683149
4
- data.tar.gz: cf69c788c9401485610599f0b6996f340ab315fcbceb359bccf01a78dceaadc8
3
+ metadata.gz: a39430563fc9d81e610b8a28b5c044eedd7ebd361d6294f9bd02687ce2d24c27
4
+ data.tar.gz: a852e9713602b807bb7566b3db4038a6fda0ae0d2b90bf4b1ce2e45429c8efd2
5
5
  SHA512:
6
- metadata.gz: 8b2d72d0f9338a359653e90829618f2579afc30095bb0dd1bd0c627730c91117158ef5ebbca9a4a32bb78bd312ebbac308a68efb761cf93c4dfc707d7bdcea24
7
- data.tar.gz: d5eb1fc01df26b8305edec707642d3192e7a5dc3507416d0e60aaf6ffd1b079ac4ddced72a85d61c4623c70df2d784307cfba60b8759741b2991f591c623b0b0
6
+ metadata.gz: ba8f83d3f9afc3f1bcca6f649e925b1b3f795002dc980ae5bfb219885a74c69c34bbacaccda83c153bf9f799f328970cd900a3abf5966b88956dc3476ef3f9f8
7
+ data.tar.gz: 9d2042a183a7fdc941cd2b8716aba581861b9e1831574eac3241979ab32e2fe2076baf94e3ab0782487aa34d4e7f98f063035c22dcd7088f1a4fd1f1b83a7e6d
data/CHANGELOG CHANGED
@@ -1,3 +1,9 @@
1
+ === 2.8.0 (2021-01-06)
2
+
3
+ * [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
4
+
5
+ * Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
6
+
1
7
  === 2.7.0 (2020-12-22)
2
8
 
3
9
  * Avoid method redefinition warnings in verbose warning mode (jeremyevans)
@@ -1,4 +1,4 @@
1
- Copyright (c) 2015-2020 Jeremy Evans
1
+ Copyright (c) 2015-2021 Jeremy Evans
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining a copy
4
4
  of this software and associated documentation files (the "Software"), to
@@ -0,0 +1,20 @@
1
+ = Improvements
2
+
3
+ * HttpOnly is now set by default on the remember cookie, so it is no
4
+ longer accessible from Javascript. This is a more secure approach
5
+ that makes applications using Rodauth's remember feature less
6
+ vulnerable in case they are subject to a separate XSS attack.
7
+
8
+ * When using the jwt feature, rodauth.clear_session now clears the
9
+ JWT session even when the Roda sessions plugin was in use. In most
10
+ cases, the jwt feature is not used with the Roda sessions plugin,
11
+ but in cases where the same application serves as both an JSON API
12
+ and as a HTML site, it is possible the two may be used together.
13
+
14
+ = Backwards Compatibility
15
+
16
+ * As the default remember cookie :httponly setting is now set to true,
17
+ applications using Rodauth that expected to be able to access the
18
+ remember cookie from Javascript will no longer work by default.
19
+ In these cases, you should now use remember_cookie_options and
20
+ include a :httponly=>false option.
@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
35
35
  remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
36
36
  remember_button :: The text to use for the change remember settings button.
37
37
  remember_cookie_key :: The cookie name to use for the remember token.
38
- remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`.
38
+ remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`, and `:httponly` is set to `true`.
39
39
  remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
40
40
  remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default. Only used if +set_deadline_values?+ is true.
41
41
  remember_disable_label :: The label for disabling remembering.
@@ -73,7 +73,10 @@ module Rodauth
73
73
 
74
74
  def clear_session
75
75
  super
76
- set_jwt if use_jwt?
76
+ if use_jwt?
77
+ session.clear
78
+ set_jwt
79
+ end
77
80
  end
78
81
 
79
82
  def set_field_error(field, message)
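Review bot: The new `session.clear` before `set_jwt` carries no comment explaining why `super` alone was not enough, and the reason is not visible in this hunk; the release notes earlier in the same diff say that with the Roda sessions plugin loaded `super` clears the Roda session while the JWT payload survives. Suggest adding `# With the Roda sessions plugin loaded, super clears the Roda session, not the JWT payload; clear it explicitly before re-issuing the token.` above `if use_jwt?`. The enclosing module continues outside the hunk.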
@@ -65,7 +65,7 @@ module Rodauth
65
65
  # JWT login puts the access token in the header.
66
66
  # We put the refresh token in the body.
67
67
  # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
68
- token = json_response['refresh_token'] = generate_refresh_token
68
+ token = json_response[jwt_refresh_token_key] = generate_refresh_token
69
69
 
70
70
  set_jwt_refresh_token_hmac_session_key(token)
71
71
  end
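Review bot: The comment two lines above the changed line still says only that the refresh token goes in the body, while the body key is now configurable; suggest `# We put the refresh token in the body, under jwt_refresh_token_key.` so the comment names the key. Presumably the code that later reads the refresh token back out of the request parameters must use the same configurable key, but that code is not visible in this hunk and is worth confirming. The enclosing method starts outside the hunk.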
@@ -177,8 +177,7 @@ module Rodauth
177
177
  end
178
178
 
179
179
  def remove_jwt_refresh_token_key(token)
180
- account_id, token = split_token(token)
181
- token_id, _ = split_token(token)
180
+ account_id, token_id, _ = _account_refresh_token_split(token)
182
181
  jwt_refresh_token_account_token_ds(account_id, token_id).delete
183
182
  end
184
183
 
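Review bot: `remove_jwt_refresh_token_key` now obtains `account_id` and `token_id` from `_account_refresh_token_split` but, unlike the caller in the following hunk which checks `id && token_id && key` before acting, it passes them straight into `jwt_refresh_token_account_token_ds(account_id, token_id).delete` with no nil guard. If the split yields nils for a malformed token, this likely issues a delete keyed on NULL values; a `return unless account_id && token_id` before the delete would keep the two call sites consistent. Whether the split can return nils depends on `_account_refresh_token_split`, which is not in this diff.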
@@ -210,9 +209,7 @@ module Rodauth
210
209
  id, token_id, key = _account_refresh_token_split(token)
211
210
 
212
211
  if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
213
- jwt_refresh_token_account_ds(id).
214
- where(jwt_refresh_token_id_column=>token_id).
215
- delete
212
+ jwt_refresh_token_account_token_ds(id, token_id).delete
216
213
  end
217
214
  end
218
215
  end
@@ -133,6 +133,7 @@ module Rodauth
133
133
  opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
134
134
  opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
135
135
  opts[:path] = "/" unless opts.key?(:path)
136
+ opts[:httponly] = true unless opts.key?(:httponly)
136
137
  ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
137
138
  end
138
139
 
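Review bot: The added line defaults only `:httponly`; the cookie value `"#{account_id}_#{convert_token_key(remember_key_value)}"` is a long-lived credential (the remember.rdoc hunk above documents a 14-day default deadline), yet `:secure` is still left entirely to `remember_cookie_options`, so the token is sent in clear text on any plain-HTTP request. A matching default such as `opts[:secure] = true if request.ssl? && !opts.key?(:secure)`, or at minimum a sentence in the remember_cookie_options rdoc entry stating that `:secure` (and `:same_site`) should be set for production deployments, would round out the change. The enclosing method starts outside the hunk.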
@@ -6,7 +6,7 @@ module Rodauth
6
6
  MAJOR = 2
7
7
 
8
8
  # The minor version of Rodauth, updated for new feature releases of Rodauth.
9
- MINOR = 7
9
+ MINOR = 8
10
10
 
11
11
  # The patch version of Rodauth, updated only for bug fixes from the last
12
12
  # feature release.
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rodauth
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.7.0
4
+ version: 2.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jeremy Evans
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-12-22 00:00:00.000000000 Z
11
+ date: 2021-01-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sequel
@@ -237,28 +237,33 @@ extra_rdoc_files:
237
237
  - README.rdoc
238
238
  - CHANGELOG
239
239
  - MIT-LICENSE
240
- - doc/change_password_notify.rdoc
241
240
  - doc/account_expiration.rdoc
241
+ - doc/active_sessions.rdoc
242
+ - doc/audit_logging.rdoc
242
243
  - doc/base.rdoc
243
244
  - doc/change_login.rdoc
244
245
  - doc/change_password.rdoc
245
- - doc/confirm_password.rdoc
246
+ - doc/change_password_notify.rdoc
246
247
  - doc/close_account.rdoc
247
- - doc/http_basic_auth.rdoc
248
+ - doc/confirm_password.rdoc
248
249
  - doc/create_account.rdoc
249
- - doc/email_base.rdoc
250
250
  - doc/disallow_common_passwords.rdoc
251
251
  - doc/disallow_password_reuse.rdoc
252
- - doc/password_complexity.rdoc
252
+ - doc/email_auth.rdoc
253
+ - doc/email_base.rdoc
254
+ - doc/http_basic_auth.rdoc
253
255
  - doc/jwt.rdoc
256
+ - doc/jwt_cors.rdoc
257
+ - doc/jwt_refresh.rdoc
254
258
  - doc/lockout.rdoc
255
259
  - doc/login.rdoc
260
+ - doc/login_password_requirements_base.rdoc
256
261
  - doc/logout.rdoc
257
262
  - doc/otp.rdoc
258
- - doc/login_password_requirements_base.rdoc
259
- - doc/jwt_cors.rdoc
263
+ - doc/password_complexity.rdoc
260
264
  - doc/password_expiration.rdoc
261
265
  - doc/password_grace_period.rdoc
266
+ - doc/password_pepper.rdoc
262
267
  - doc/recovery_codes.rdoc
263
268
  - doc/remember.rdoc
264
269
  - doc/reset_password.rdoc
@@ -268,17 +273,11 @@ extra_rdoc_files:
268
273
  - doc/two_factor_base.rdoc
269
274
  - doc/update_password_hash.rdoc
270
275
  - doc/verify_account.rdoc
271
- - doc/email_auth.rdoc
272
- - doc/jwt_refresh.rdoc
273
276
  - doc/verify_account_grace_period.rdoc
274
277
  - doc/verify_login_change.rdoc
275
278
  - doc/webauthn.rdoc
276
279
  - doc/webauthn_login.rdoc
277
280
  - doc/webauthn_verify_account.rdoc
278
- - doc/active_sessions.rdoc
279
- - doc/audit_logging.rdoc
280
- - doc/password_pepper.rdoc
281
- - doc/release_notes/1.17.0.txt
282
281
  - doc/release_notes/1.0.0.txt
283
282
  - doc/release_notes/1.1.0.txt
284
283
  - doc/release_notes/1.10.0.txt
@@ -288,7 +287,14 @@ extra_rdoc_files:
288
287
  - doc/release_notes/1.14.0.txt
289
288
  - doc/release_notes/1.15.0.txt
290
289
  - doc/release_notes/1.16.0.txt
290
+ - doc/release_notes/1.17.0.txt
291
+ - doc/release_notes/1.18.0.txt
292
+ - doc/release_notes/1.19.0.txt
291
293
  - doc/release_notes/1.2.0.txt
294
+ - doc/release_notes/1.20.0.txt
295
+ - doc/release_notes/1.21.0.txt
296
+ - doc/release_notes/1.22.0.txt
297
+ - doc/release_notes/1.23.0.txt
292
298
  - doc/release_notes/1.3.0.txt
293
299
  - doc/release_notes/1.4.0.txt
294
300
  - doc/release_notes/1.5.0.txt
@@ -296,12 +302,6 @@ extra_rdoc_files:
296
302
  - doc/release_notes/1.7.0.txt
297
303
  - doc/release_notes/1.8.0.txt
298
304
  - doc/release_notes/1.9.0.txt
299
- - doc/release_notes/1.18.0.txt
300
- - doc/release_notes/1.19.0.txt
301
- - doc/release_notes/1.20.0.txt
302
- - doc/release_notes/1.21.0.txt
303
- - doc/release_notes/1.22.0.txt
304
- - doc/release_notes/1.23.0.txt
305
305
  - doc/release_notes/2.0.0.txt
306
306
  - doc/release_notes/2.1.0.txt
307
307
  - doc/release_notes/2.2.0.txt
@@ -310,6 +310,7 @@ extra_rdoc_files:
310
310
  - doc/release_notes/2.5.0.txt
311
311
  - doc/release_notes/2.6.0.txt
312
312
  - doc/release_notes/2.7.0.txt
313
+ - doc/release_notes/2.8.0.txt
313
314
  files:
314
315
  - CHANGELOG
315
316
  - MIT-LICENSE
@@ -396,6 +397,7 @@ files:
396
397
  - doc/release_notes/2.5.0.txt
397
398
  - doc/release_notes/2.6.0.txt
398
399
  - doc/release_notes/2.7.0.txt
400
+ - doc/release_notes/2.8.0.txt
399
401
  - doc/remember.rdoc
400
402
  - doc/reset_password.rdoc
401
403
  - doc/session_expiration.rdoc
@@ -539,7 +541,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
539
541
  - !ruby/object:Gem::Version
540
542
  version: '0'
541
543
  requirements: []
542
- rubygems_version: 3.1.4
544
+ rubygems_version: 3.2.3
543
545
  signing_key:
544
546
  specification_version: 4
545
547
  summary: Authentication and Account Management Framework for Rack Applications