RubyGems - rodauth - Versions diffs - 2.7.0 → 2.8.0 - Mend

rodauth 2.7.0 → 2.8.0

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG +6 -0
data/MIT-LICENSE +1 -1
data/doc/release_notes/2.8.0.txt +20 -0
data/doc/remember.rdoc +1 -1
data/lib/rodauth/features/jwt.rb +4 -1
data/lib/rodauth/features/jwt_refresh.rb +3 -6
data/lib/rodauth/features/remember.rb +1 -0
data/lib/rodauth/version.rb +1 -1
metadata +24 -22

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce2af7161a7aaba17ebb25beda65f8598306b2d040986db0be215b89fb683149
-  data.tar.gz: cf69c788c9401485610599f0b6996f340ab315fcbceb359bccf01a78dceaadc8
+  metadata.gz: a39430563fc9d81e610b8a28b5c044eedd7ebd361d6294f9bd02687ce2d24c27
+  data.tar.gz: a852e9713602b807bb7566b3db4038a6fda0ae0d2b90bf4b1ce2e45429c8efd2
 SHA512:
-  metadata.gz: 8b2d72d0f9338a359653e90829618f2579afc30095bb0dd1bd0c627730c91117158ef5ebbca9a4a32bb78bd312ebbac308a68efb761cf93c4dfc707d7bdcea24
-  data.tar.gz: d5eb1fc01df26b8305edec707642d3192e7a5dc3507416d0e60aaf6ffd1b079ac4ddced72a85d61c4623c70df2d784307cfba60b8759741b2991f591c623b0b0
+  metadata.gz: ba8f83d3f9afc3f1bcca6f649e925b1b3f795002dc980ae5bfb219885a74c69c34bbacaccda83c153bf9f799f328970cd900a3abf5966b88956dc3476ef3f9f8
+  data.tar.gz: 9d2042a183a7fdc941cd2b8716aba581861b9e1831574eac3241979ab32e2fe2076baf94e3ab0782487aa34d4e7f98f063035c22dcd7088f1a4fd1f1b83a7e6d

data/CHANGELOG CHANGED

@@ -1,3 +1,9 @@
+=== 2.8.0 (2021-01-06)
+* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
+* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
 === 2.7.0 (2020-12-22)
 * Avoid method redefinition warnings in verbose warning mode (jeremyevans)

data/MIT-LICENSE CHANGED

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020 Jeremy Evans
+Copyright (c) 2015-2021 Jeremy Evans
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/doc/release_notes/2.8.0.txt ADDED

@@ -0,0 +1,20 @@
+= Improvements
+* HttpOnly is now set by default on the remember cookie, so it is no
+  longer accessible from Javascript.  This is a more secure approach
+  that makes applications using Rodauth's remember feature less
+  vulnerable in case they are subject to a separate XSS attack.
+* When using the jwt feature, rodauth.clear_session now clears the
+  JWT session even when the Roda sessions plugin was in use.  In most
+  cases, the jwt feature is not used with the Roda sessions plugin,
+  but in cases where the same application serves as both an JSON API
+  and as a HTML site, it is possible the two may be used together.
+= Backwards Compatibility
+* As the default remember cookie :httponly setting is now set to true,
+  applications using Rodauth that expected to be able to access the
+  remember cookie from Javascript will no longer work by default.
+  In these cases, you should now use remember_cookie_options and
+  include a :httponly=>false option.

data/doc/remember.rdoc CHANGED

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`, and `:httponly` is set to `true`.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/lib/rodauth/features/jwt.rb CHANGED

@@ -73,7 +73,10 @@ module Rodauth
     def clear_session
       super
-      set_jwt if use_jwt?
+      if use_jwt?
+        session.clear
+        set_jwt
+      end
     end
     def set_field_error(field, message)

data/lib/rodauth/features/jwt_refresh.rb CHANGED

@@ -65,7 +65,7 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      token = json_response['refresh_token'] = generate_refresh_token
+      token = json_response[jwt_refresh_token_key] = generate_refresh_token
       set_jwt_refresh_token_hmac_session_key(token)
     end
@@ -177,8 +177,7 @@ module Rodauth
     end
     def remove_jwt_refresh_token_key(token)
-      account_id, token = split_token(token)
-      token_id, _ = split_token(token)
+      account_id, token_id, _ = _account_refresh_token_split(token)
       jwt_refresh_token_account_token_ds(account_id, token_id).delete
     end
@@ -210,9 +209,7 @@ module Rodauth
           id, token_id, key = _account_refresh_token_split(token)
           if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
-            jwt_refresh_token_account_ds(id).
-              where(jwt_refresh_token_id_column=>token_id).
-              delete
+            jwt_refresh_token_account_token_ds(id, token_id).delete
           end
         end
       end

data/lib/rodauth/features/remember.rb CHANGED

@@ -133,6 +133,7 @@ module Rodauth
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
       opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly)
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end

data/lib/rodauth/version.rb CHANGED

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 7
+  MINOR = 8
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 2.8.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-22 00:00:00.000000000 Z
+date: 2021-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -237,28 +237,33 @@ extra_rdoc_files:
 - README.rdoc
 - CHANGELOG
 - MIT-LICENSE
-- doc/change_password_notify.rdoc
 - doc/account_expiration.rdoc
+- doc/active_sessions.rdoc
+- doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
-- doc/confirm_password.rdoc
+- doc/change_password_notify.rdoc
 - doc/close_account.rdoc
-- doc/http_basic_auth.rdoc
+- doc/confirm_password.rdoc
 - doc/create_account.rdoc
-- doc/email_base.rdoc
 - doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
-- doc/password_complexity.rdoc
+- doc/email_auth.rdoc
+- doc/email_base.rdoc
+- doc/http_basic_auth.rdoc
 - doc/jwt.rdoc
+- doc/jwt_cors.rdoc
+- doc/jwt_refresh.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
+- doc/login_password_requirements_base.rdoc
 - doc/logout.rdoc
 - doc/otp.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/jwt_cors.rdoc
+- doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/remember.rdoc
 - doc/reset_password.rdoc
@@ -268,17 +273,11 @@ extra_rdoc_files:
 - doc/two_factor_base.rdoc
 - doc/update_password_hash.rdoc
 - doc/verify_account.rdoc
-- doc/email_auth.rdoc
-- doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
-- doc/active_sessions.rdoc
-- doc/audit_logging.rdoc
-- doc/password_pepper.rdoc
-- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
@@ -288,7 +287,14 @@ extra_rdoc_files:
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
 - doc/release_notes/1.16.0.txt
+- doc/release_notes/1.17.0.txt
+- doc/release_notes/1.18.0.txt
+- doc/release_notes/1.19.0.txt
 - doc/release_notes/1.2.0.txt
+- doc/release_notes/1.20.0.txt
+- doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
+- doc/release_notes/1.23.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
@@ -296,12 +302,6 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
@@ -310,6 +310,7 @@ extra_rdoc_files:
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
 - doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -396,6 +397,7 @@ files:
 - doc/release_notes/2.5.0.txt
 - doc/release_notes/2.6.0.txt
 - doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -539,7 +541,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications