wikk_web_auth 0.1.3 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a3a11d0ad1eb25e5922bf01b2a1a82ac24c7cd11
-  data.tar.gz: 3bac1582e8ee3f9ba72d7368e43174a16342aa3c
+SHA256:
+  metadata.gz: 671e30332d7611b59813c740329597c67743e6dfb1d14f5624b0d2f048f735ed
+  data.tar.gz: 370ae2207160bb1d6b7304c2451cdf9de71ea0f0da2e760e60642c9f3a8c822b
 SHA512:
-  metadata.gz: 8fe5be8ee402f1e9c5b0070feac195be961d2b4081a0c2acc314bac7a576d603cbd8565b16a88b9b584d54f2b238f8baa9f2e2f9459e24261d18f521fcf99781
-  data.tar.gz: d53acd59750c5479de0ef32b04e46c2b93d35cf63170d2c15204b31ada6381248b8036dce9ae1ce15b1f96e17010e42d29a3918ff127d84a9a565a6e4d2e2d29
+  metadata.gz: 80f9e4d1c65fdd6d96f35399ba86fa2a11ff09a505bfa8154fc6f0f3f464bb1ec9b4f5697655822439e7523cde7da2c4dddc210e78aeaeca690d499c04231cfa
+  data.tar.gz: 874afd4511eae12ece2931f7bce38bcb991ae6ae76660d30c53e3aa2254660fa778d3d31eed573e33b66d9dd23d3ed7cf19da263ea1f52c554ba4647c0b75cc8

data/History.txt

@@ -1,3 +1,69 @@
+robertburrowes	Sat Apr 15 16:18:34 2023 +1200
+	deleted an end in error
+robertburrowes	Sat Apr 15 16:05:26 2023 +1200
+	removed the syslogs. Getting odd errors, depending on the context.
+robertburrowes	Sat Apr 15 15:53:04 2023 +1200
+	factor out code into new_session() Clean up old cookie entries in cgi instance.
+robertburrowes	Sat Apr 15 15:49:37 2023 +1200
+	more output from the tests
+robertburrowes	Wed Apr 12 18:31:54 2023 +1200
+	Add test for authenticated on a reconnect Add test for trying to reauthenticate, by sending a previous response.
+robertburrowes	Wed Apr 12 18:30:25 2023 +1200
+	Initialize instance vars earlier @log.error now failing. Replaced with full call, using LOG_NOTICE session and @session mix up Explicitly set no_cookies and no_hidden to false (should be default)
+robertburrowes	Tue Apr 11 17:56:27 2023 +1200
+	bumped the version
+robertburrowes	Tue Apr 11 17:56:01 2023 +1200
+	Added test/direct_test.rb Cleaned up test, moving conf files into test/conf Created test/conf/pstore for the pstore temp files (which need cleaning out after the test)
+robertburrowes	Tue Apr 11 15:06:47 2023 +1200
+	refactor: Bump version Set return_url globally Initialize @session globally Separate generating challenge into its own method (for new rpc) Optionally call to authencate in initialize (for new rpc) Added check for the username changing during login. Fail authorized step, if challenge not set (i.e. we jumped straight to step 2. nil cgi params get converted to '' seed now reset, if authorization fails. Authorized? should have been private session_state_init should have been private
+robertburrowes	Sun Apr 9 17:57:33 2023 +1200
+	not used
+robertburrowes	Wed Mar 29 22:03:06 2023 +1300
+	Test against the new lib version, not the gem
+robertburrowes	Wed Mar 29 22:02:44 2023 +1300
+	Put back lines deleted from previous version. Added nil? check on session_expires, which we are now getting.
+robertburrowes	Wed Mar 29 18:07:39 2023 +1300
+	consistent use of args.
+robertburrowes	Wed Mar 29 17:58:25 2023 +1300
+	make init more compatible with previous version
+robertburrowes	Wed Mar 29 16:27:00 2023 +1300
+	better naming for config
+robertburrowes	Wed Mar 29 16:13:58 2023 +1300
+	mixed my config files up. Need to do this more cleanly.
+robertburrowes	Wed Mar 29 13:17:17 2023 +1300
+	Change self.session_config to have a config_override: param, and to use named arguments
+robertburrowes	Tue Mar 28 09:28:06 2023 +1300
+	Give option to pass in config to class methods (and use the config passed into initialize)
+robertburrowes	Mon Mar 27 17:22:31 2023 +1300
+	Moved pstore default location, so we can test against new thin Rack version of rpc
+robertburrowes	Mon Jun 13 17:53:13 2022 +1200
+	rubcop'd
+robertburrowes	Mon Jun 13 17:51:24 2022 +1200
+	Merge branch 'master' of github.com:wikarekare/wikk_web_auth
+robertburrowes	Mon Jun 13 13:55:32 2022 +1200
+	rubocop Scripts to bash
+robertburrowes	Mon Jun 13 12:20:35 2022 +1200
+	rubocop'd
+robertburrowes	Sun Oct 25 21:36:01 2020 +1300
+	Tidy up the yard comments to fix formatting
+robertburrowes	Sun Oct 25 21:22:21 2020 +1300
+	mode change
+robertburrowes	Sun Oct 25 21:22:11 2020 +1300
+	new Hoe format
+robertburrowes	Sun Oct 25 21:21:50 2020 +1300
+	Improve dependencies to remove warning
+robertburrowes	Sun Oct 25 21:21:29 2020 +1300
+	include in repo
+robertburrowes	Sun Oct 25 21:21:18 2020 +1300
+	mv dev scripts to sbin
+robertburrowes	Mon Apr 13 23:14:27 2020 +1200
+	bump version
+robertburrowes	Mon Apr 13 23:14:14 2020 +1200
+	change logging name to match gem name
+robertburrowes	Mon Apr 13 23:13:37 2020 +1200
+	rename js to json
+robertburrowes	Mon Apr 13 23:13:19 2020 +1200
+	qualify dir for passwd.json
 robertburrowes	Fri May 26 09:38:55 2017 +1200
 	Bug fix: @log.err -> @log.error
 robertburrowes	Mon Jun 27 12:23:02 2016 +1200

data/README.md

@@ -1,8 +1,8 @@
 # wikk_web_auth
 
-* http://wikarekare.github.com/wikk_web_auth/
-* Source https://github.com/wikarekare/wikk_web_auth
-* Gem https://rubygems.org/gems/wikk_web_auth
+* Docs :: https://wikarekare.github.io/wikk_web_auth/
+* Source :: https://github.com/wikarekare/wikk_web_auth
+* Gem :: https://rubygems.org/gems/wikk_web_auth
 
 ## DESCRIPTION:
 

data/Rakefile

@@ -1,5 +1,4 @@
 # -*- ruby -*-
-
 require 'rubygems'
 require 'hoe'
 Hoe.plugin :yard
@@ -12,7 +11,7 @@ Hoe.spec 'wikk_web_auth' do
   self.yard_title = 'wikk_web_auth'
   self.yard_options = ['--markup', 'markdown', '--protected']
 
-  self.dependency "wikk_password", [">= 0.1.0"]
+  self.dependency "wikk_password", ['~> 0.1', '>= 0.1.0']
 end
 
 

data/lib/wikk_web_auth.rb

@@ -1,263 +1,372 @@
-module WIKK 
-  require 'cgi' 
-  require 'cgi/session' 
+module WIKK
+  require 'cgi'
+  require 'cgi/session'
   require 'cgi/session/pstore'     # provides CGI::Session::PStore
   require 'digest/sha2'
-  require 'syslog/logger'
-  require "wikk_aes_256"
+  require 'securerandom'
   require 'wikk_password'
 
-  #Provides common authentication mechanism for all our cgis.
-  #  @attr_reader [String] user , the remote user's user name 
+  # Provides common authentication mechanism for all our cgis.
+  # Uses standard cgi parameters, unless overridden e.g. cgi?user=x&response=y
+  # Returns values imbedded as hidden fields in the login form
+  #  @attr_reader [String] user , the remote user's user name
   #  @attr_reader [String] session , the persistent Session record for this user
   class Web_Auth
-    VERSION = "0.1.3" #Gem version
-    
-    attr_reader :user, :session
-    
-    #Create new Web_Auth instance, and proceed through authentication process by creating a login web form, if the user isn't authenticated.
+    VERSION = '0.1.6' # Gem version
+
+    attr_reader :user, :challenge
+    attr_accessor :response
+
+    # Create new Web_Auth instance, and proceed through authentication process by creating a login web form, if the user isn't authenticated.
     #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
-    #  @param config [WIKK::Configuration|Hash] the location of the password file is embedded here.
+    #  @param pwd_config [WIKK::Configuration|Hash] the location of the password file is embedded here.
+    #  @param user [String] overrides cgi['user']
+    #  @param response [String] overrides cgi['response']
+    #  @param user_logout [Boolean] overrides cgi['logout']
+    #  @param pstore_config [Hash] overrides default pstore settings
     #  @param return_url [String] If we successfully authenticate, return here.
     #  @return [WIKK::Web_Auth]
-  	def initialize(cgi, config, return_url = nil)
-      if config.class == Hash
-        sym = config.each_with_object({}) { |(k,v),h| h[k.to_sym] = v }
+    def initialize(cgi, pwd_config = nil, return_url = nil, user: nil, response: nil, user_logout: false, pstore_config: nil, run_auth: true)
+      if pwd_config.instance_of?(Hash)
+        sym = pwd_config.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
         @config = Struct.new(*(k = sym.keys)).new(*sym.values_at(*k))
       else
-    	  @config = config
-    	end
-  	  @cgi = cgi
-      @user = ''
-      @session = nil
-  	  begin
-        @log = Syslog::Logger.syslog
-      rescue
-        @log = Syslog::Logger.new("authlib.rbx")
+        @pwd_config = pwd_config
+      end
+
+      @cgi = cgi
+      @pstore_config = pstore_config
+
+      # Set variables from the method's params, or alternately, from the CGI params
+      @user = user.nil? ? cgi_param('Username') : user
+      @response = response.nil? ? cgi_param('Response') : response
+      @return_url = return_url.nil? ? cgi_param('ReturnURL') : return_url
+
+      # Look for existing session, but don't start a new one.
+      begin
+        @session = CGI::Session.new(@cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: @pstore_config ))
+      rescue ArgumentError => _e # if no old session
+        @session = nil
+      rescue Exception => e # rubocop:disable Lint/RescueException In CGI, we want to handle every exception
+        raise e.class, 'Authenticate, CGI::Session.new ' + e.message
+      end
+
+      if @session.nil?
+        @challenge = '' # there is no current challenge
+      elsif @session['session_expires'].nil? ||       # Shouldn't be the case
+            @session['session_expires'] < Time.now || # Session has expired
+            @session['ip'] != @cgi.remote_addr ||     # Not coming from same IP address
+            # @session['user'] != @user ||              # Not the same user
+            cgi_param('logout') != '' ||        # Requested a logout
+            user_logout                               # Alternate way to request a logout
+        logout
+      else
+        # We ignore the cgi['Challenge'] value, and always get this from the pstore
+        @challenge = @session['seed'] # Recover the challenge from the pstore entry. It may be ''
       end
-      authenticate(return_url) 
+
+      authenticate if run_auth # This generates html output, so it is now conditionally run.
+    end
+
+    # Debug dump of session keys
+    def session_to_s
+      return '' if @session.nil?
+
+      s = '{'
+      [ 'auth', 'seed', 'ip', 'user', 'session_expires' ].each do |k|
+        s += "'#{k}':'#{@session[k]}', "
+      end
+      s += '}'
+      return s
+    end
+
+    # expose the session_id. This is also returned by modifying the cgi instance passed in to initialize
+    # * The cgi.output_cookies Array of Cookies gets modified if no_cookies is false (the default)
+    # * And cgi.output_hidden Hash get modified if no_hidden is false (the default)
+    # @return [String] random session id
+    def session_id
+      @session.nil? ? '' : @session.session_id
     end
 
-    #way of checking without doing a full login sequence.
+    # way of checking without doing a full login sequence.
     #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
+    #  @param pstore_config [Hash] overrides default pstore settings
     #  @return [Boolean] authenticated == true.
-  	def self.authenticated?(cgi)
+    def self.authenticated?(cgi, pstore_config: nil )
       begin
-          session = CGI::Session.new(cgi, Web_Auth.session_config({'new_session' => false}) )
-          authenticated = (session != nil && session['session_expires'] > Time.now && session['auth'] == true && session['ip'] == cgi.remote_addr)
-          session.close #Writes back the session data
-          return authenticated
-      rescue ArgumentError => error # if no old session to find.
-    	  begin
-          @log = Syslog::Logger.syslog
-        rescue
-          @log = Syslog::Logger.new("authlib.rbx")
-        end
-        @log.error(error.message)
+        session = CGI::Session.new(cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: pstore_config ) )
+        authenticated = (session != nil && !session['session_expires'].nil? && session['session_expires'] > Time.now && session['auth'] == true && session['ip'] == cgi.remote_addr)
+        session.close # Tidy up, so we don't leak file descriptors
+        return authenticated
+      rescue ArgumentError => _e # if no old session to find.
         return false
       end
     end
 
-    #get the session reference and delete the session.
+    # Test to see if user authenticated.
+    # If this is the only call, then follow this with close_session()
+    #  @return [Boolean] True, if this session is authenticated
+    def authenticated?
+      @session != nil && !@session['session_expires'].nil? && @session['session_expires'] > Time.now && @session['auth'] == true && @session['ip'] == @cgi.remote_addr
+    end
+
+    # get the session reference and delete the session.
+    #  @param pstore_config [Hash] overrides default pstore settings
     #  @param cgi [CGI] Which carries the client data, cookies, and PUT/POST form data.
-    def self.logout(cgi)
+    def self.logout(cgi, pstore_config: nil)
       begin
-          session = CGI::Session.new(cgi, Web_Auth.session_config({'new_session' => false}))
-          session.delete if session != nil
-      rescue ArgumentError => error # if no old session
-    	  begin
-          @log = Syslog::Logger.syslog
-        rescue
-          @log = Syslog::Logger.new("authlib.rbx")
-        end
-        @log.error(error.message)
+        session = CGI::Session.new(cgi, Web_Auth.session_config( { 'new_session' => false }, pstore_config: pstore_config ))
+        session.delete unless session.nil? # Also closes the session
+      rescue ArgumentError => _e # if no old session
+        # Not an error.
       end
     end
-    
-    #Checks password file to see if the response from the user matches generating a hash from the password locally.
-    #  @param user [String] Who the remote user claims to be
-    #  @param challenge [String] Random string we sent to this user, and they used in hashing their password.
-    #  @param received_hash [String] The hex_SHA256(password + challenge) string that the user sent back.
-    #  @return [Boolean] True for authorization test suceeded.
-    def authorized?(user, challenge, received_hash)
-     begin
-       return WIKK::Password.valid_sha256_response?(user, @config, challenge, received_hash)
-     rescue IndexError => error #User didn't exist
-       @log.error("authorized?(#{user}): " + error.message)
-       return false
-     rescue Exception => error #Something else
-       @log.error("authorized?(#{user}): " + error.message)
-       return false
-     end
+
+    # clean up the session, deleting the session state.
+    def logout
+      @session.delete unless @session.nil? # Will close the existing session
+      @session = nil
+      @challenge = '' # no current session, so no challenge string
+      clear_cgi_cookies
     end
 
-    #Generate the new Session's config parameters, mixing in and/or overriding the preset values.
-    #  @param extra_arguments [Hash] Extra arguments that get added to the hash, or override values with the same key.
+    # Generate the new Session's config parameters, mixing in and/or overriding the preset values.
+    #  @param pstore_config [Hash] Override the default pstore configurations. Only changed keys need to be included
+    #  @param extra_arguments [Hash] Extra arguments that get added to the hash. Will also override values with the same key.
     #  @return [Hash] The configuration hash.
-    def self.session_config(extra_arguments = {})
-      return {
+    def self.session_config( extra_arguments = nil, pstore_config: nil )
+      instance_of?(Hash)
+      session_conf = {
         'database_manager' => CGI::Session::PStore,  # use PStore
-        'session_key' => '_wikk_rb_sess_id',              # custom session key
-        #'session_id' => ?,
+        'session_key' => '_wikk_rb_sess_id',         # custom session key
         'session_expires' => (Time.now + 86400),     # 1 day timeout
-        'prefix' => 'pstore_sid_',  # PStore option
-        'tmpdir' => '/tmp',  # PStore option
-        #new_session => ?,#boolean
-        #no_hidden => ?,
-        #session_domain => ?,
-        #session_secure => ?,
-        #session_path => ?,
-        #no_cookies => ?, #boolean
-        #suffix => ?
-      }.merge(extra_arguments)
+        'prefix' => 'pstore_sid_',                   # Prefix for pstore file
+        # 'suffix' => ?
+        'tmpdir' => '/tmp',                          # PStore option. Under Apache2, this is a private namespace /tmp
+        'session_path' => '/',                       # The cookie gets returned for URLs starting with this path
+        # 'new_session' => true,                     # Default, is to create a new session if it doesn't already exist
+        # 'session_domain' => ?,
+        # 'session_secure' => ?,
+        # 'session_id' => ?,                         # Created for new sessions. Merged in for existing sessions
+        'no_cookies' => false,                       # boolean. Do fill in cgi output_cookies array of Cookies
+        'no_hidden' => false                         # boolean fill in the cgi output_hidden Hash key=cookie, value=session_id
+      }
+      session_conf.merge!(pstore_config) if pstore_config.instance_of?(Hash)
+      session_conf.merge!(extra_arguments) if extra_arguments.instance_of?(Hash)
+      return session_conf
+    end
+
+    # Generate a challenge, as step 1 of a login
+    # If this is the only call, then follow this with close_session()
+    def gen_challenge
+      # Short session, which gets replaced if we successfully authenticate
+      new_session( { 'session_expires' => Time.now + 120 } )
+      raise 'gen_challenge: @session == nil' if @session.nil?
+
+      @challenge = SecureRandom.base64(32)
+      # Store the challenge in the pstore, ready for the 2nd login step, along with browser details
+      session_state_init('auth' => false, 'seed' => @challenge, 'ip' => @cgi.remote_addr, 'user' => @user, 'session_expires' => @session_options['session_expires'])
+      @session.update
+      return @challenge
     end
-    
-    def session_state_init(session_options = {})
-      session_options.each { |k,v| @session[k] = v }
+
+    # Test the response against the password file
+    # If this is the only call, then follow this with close_session()
+    # @return [Boolean] We got authorized
+    def valid_response?
+      if authorized?
+        # We got a challenge string, so we are on step 2 of the authentication
+        # And have passed the password check ( authorized?() )
+        new_session # regenerate the cookie with a longer lifetime.
+        raise 'valid_response?: @session == nil' if @session.nil?
+
+        session_state_init('auth' => true, 'seed' => '', 'ip' => @cgi.remote_addr, 'user' => @user, 'session_expires' => @session_options['session_expires'])
+        @session.update       # Should also update on close, which we probably do next
+        return true
+      else # Failed to authorize. The temporary challenge session cookie is no longer valid.
+        logout
+        return false
+      end
     end
 
-    #Test to see if we are already authenticated, and if not, generate an HTML login page.
-    #  @param return_url [String] We return here if we sucessfully login
+    # Test to see if we are already authenticated, and if not, generate an HTML login page.
+    #  @param return_url [String] We return here if we sucessfully login. Overrides initialize value
     def authenticate(return_url = nil)
-      begin
-        @session = CGI::Session.new(@cgi, Web_Auth.session_config({'new_session' => false})) #Look for existing session.
-        return gen_html_login_page(return_url) if @session == nil
-      rescue ArgumentError => error # if no old session
-        return gen_html_login_page(return_url)
-      rescue Exception => error
-        raise Exception, "Authenticate, CGI::Session.new " + error.message
+      @return_url = return_url unless return_url.nil? # Update the return url (Backward compatibility)
+
+      # We have no session setup, or haven't sent the challenge yet.
+      # So we are at step 1 of the authentication
+      if @session.nil? || @challenge == ''
+        gen_html_login_page(message: 'no current challenge')
+        return
       end
-      
-      @session['auth'] = false if @session['session_expires'] < Time.now || #Session has expired
-                                  @session['ip'] != @cgi.remote_addr || #Not coming from same IP address
-                                  CGI::escapeHTML(@cgi['logout']) != '' #Are trying to logout
-                                  
-      return if(@session['auth'] == true) #if this is true, then we have already authenticated this session.       
-
-      if (challenge = @session['seed']) != '' #see if we are looking at a login response.
-        @user = CGI::escapeHTML(@cgi['Username'])
-        response = CGI::escapeHTML(@cgi['Response'])
-        if  @user != '' && response != '' && authorized?(@user, challenge, response)
-          @session['auth'] = true #Response valid.
-          @session['user'] = @user
-          @session['ip'] = @cgi.remote_addr
-          @session['seed'] = '' #Don't use the same one twice.
-          @session.close 
-          return
+
+      # We are now at step 2, expecting a response to the challenge
+      begin
+        # Might be a while since we initialized the class, so repeat this test
+        @session['auth'] = false if @session['session_expires'].nil? ||       # Shouldn't ever happen, but has
+                                    @session['session_expires'] < Time.now || # Session has expired
+                                    @session['ip'] != @cgi.remote_addr # ||     # Not coming from same IP address
+        #                           @session['user'] != @user                 # Username not the same as the session
+
+        return if @session['auth'] == true # if this is true, then we have already authenticated this session.
+
+        unless valid_response?
+          gen_html_login_page(message: 'invalid response:')
         end
+        @session.close unless @session.nil? # Saves the session state.
+      rescue Exception => e # rubocop:disable Lint/RescueException
+        raise e.class, 'Authenticate, CGI::Session.new ' + e.message
       end
-
-      @session.delete #Start a new session.
-      gen_html_login_page(return_url)
-      @session.close if @session != nil #Saves the session state.
     end
 
-    #clean up the session, setting @authenticated to false and deleting the session state.
-    def logout 
-      @session.delete if @session != nil
+    # Ensure we don't consume all file descriptors
+    # Call after last call (though most calls do close the session)
+    def close_session
+      @session.close unless @session.nil?
+      @session = nil
     end
 
-    #Test to see if user authenticated, 
-    #  @return [Boolean] i.e @authenticated's value.
-    def authenticated?
-      @session != nil && @session['session_expires'] > Time.now && @session['auth'] == true && session['ip'] == @cgi.remote_addr
-    end
-      
-
-    #Used by calling cgi to generate a standard login page
-    #  @param return_url [String] We return here if we sucessfully login
-    def gen_html_login_page(return_url = nil)
-      session_options = Web_Auth.session_config()
-      @session = CGI::Session.new(@cgi, session_options) #Start a new session for future authentications.
-      raise "gen_html_login_page: @session == nil" if @session == nil
-      challenge = WIKK::AES_256.gen_key_to_s
-      session_state_init('auth' => false, 'seed' => challenge, 'ip' => @cgi.remote_addr, 'session_expires' => session_options['session_expires'])
-      @cgi.header("type"=>"text/html")
+    # Used by calling cgi to generate a standard login page
+    def gen_html_login_page(message: '')
+      gen_challenge
+      @cgi.header('type' => 'text/html')
       @cgi.out do
         @cgi.html do
-          @cgi.head{ @cgi.title{"login"} + html_nocache + html_script() } +
-          @cgi.body {  html_login_form(user, challenge, return_url) + "\n" }
+          @cgi.head { @cgi.title { 'login' } + html_nocache + html_script } +
+            @cgi.body { html_login_form(message: message) + "\n" }
         end
       end
-      @session.update
     end
 
-    #Used by calling cgi to inject a return URL into the html response. 
-    #Called by calling cgi, when constructing their html headers.
+    # Used by calling cgi to inject a return URL into the html response.
+    # Called by calling cgi, when constructing their html headers.
     #  @param url [String] URL to redirect to.
     #  @return [String] The HTML meta header, or "", if url is empty.
     def html_reload(url = nil)
       if url != nil && url != ''
         "<meta http-equiv=\"Refresh\" content=\"0; URL=#{url}\">\n"
       else
-        ""
+        ''
       end
     end
 
-    #Used by calling cgi to generate logout with this form.
+    # Used by calling cgi to generate logout with this form.
     #  @param cgi_dir [String] directory holding the login.rbx cgi.
     #  @return [String] Html logout form.
     def html_logout_form(cgi_dir)
-      <<-EOHTMLF2
-      <form NAME="login" ACTION="#{cgi_dir}/login.rbx" METHOD="post">
-      <input TYPE="submit" NAME="logout" VALUE="logout" >
-      </form>
-      EOHTMLF2
+      <<~HTML
+        <form NAME="login" ACTION="#{cgi_dir}/login.rbx" METHOD="post">
+        <input TYPE="submit" NAME="logout" VALUE="logout" >
+        </form>
+      HTML
     end
-    
-    private 
-    #Login form javascript helper to SHA256 Hash a password and the challenge string sent by the server.
+
+    # Get a CGI param
+    # @param key [String] name of the CGI param
+    # @return [String] Either the value, or ''
+    private def cgi_param(key)
+      value = @cgi[key]
+      return value.nil? ? '' : CGI.escapeHTML(value)
+    end
+
+    # Short hand for set up of the pstore session entry
+    # @param session_options [Hash] key pairs for the pstore session
+    private def session_state_init(session_options = {})
+      session_options.each { |k, v| @session[k] = v }
+    end
+
+    # Blat the session cookies, that would have been sent back to the server
+    private def clear_cgi_cookies
+      # Update the cgi record, removing the cookies
+      @cgi.instance_eval do
+        @output_hidden = {}
+        @output_cookies = []
+      end
+    end
+
+    # Create a new session in the pstore, having deleted any existing session.
+    # @param session_params [Hash] Optionally alter the session params
+    private def new_session(session_params = nil)
+      @session.delete unless @session.nil? # Closes and Deletes the existing session
+      clear_cgi_cookies
+      # Start a new session for future authentications.
+      # This resets the expiry timestamp
+      @session_options = Web_Auth.session_config( session_params, pstore_config: @pstore_config )
+      @session = CGI::Session.new(@cgi, @session_options )
+    end
+
+    # Checks password file to see if the response from the user matches generating a hash from the password locally.
+    #  @param user [String] Who the remote user claims to be
+    #  @param challenge [String] Random string we sent to this user, and they used in hashing their password.
+    #  @param response [String] The hex_SHA256(password + challenge) string that the user sent back.
+    #  @return [Boolean] True for authorization test suceeded.
+    private def authorized?
+      begin
+        unless @session.nil? ||
+               @challenge.nil? || @challenge == '' ||
+               @user.nil? || @user.empty? ||
+               @response.nil? || @response.empty?
+          return WIKK::Password.valid_sha256_response?(@user, @pwd_config, @challenge, @response)
+        end
+      rescue IndexError => _e # User didn't exist
+        # Not an error.
+      end
+      return false
+    end
+
+    # Login form javascript helper to SHA256 Hash a password and the challenge string sent by the server.
     #  @return [String] Javascript to embed in html response.
-    def html_script
-      <<-EOHTML
-      <script type="text/javascript" src="/js/sha256.js"></script>
-
-      <script language="JavaScript">
-      function sendhash() {
-          str = document.login.Password.value +
-              document.login.Challenge.value;
-
-          document.login.Response.value = hex_sha256(str);
-          document.login.Password.value = "";
-          document.login.Challenge.value = "";
-          document.login.submit();
-      }
-      </script>
-      EOHTML
+    private def html_script
+      <<~HTML
+        <script type="text/javascript" src="/js/sha256.js"></script>
+
+        <script language="JavaScript">
+        function sendhash() {
+            str = document.login.Password.value +
+                document.login.Challenge.value;
+
+            document.login.Response.value = hex_sha256(str);
+            document.login.Password.value = "";
+            document.login.Challenge.value = "";
+            document.login.submit();
+        }
+        </script>
+      HTML
     end
 
-    #Generate html login form.
+    # Generate html login form.
     #  @param user [String] user's login name.
     #  @param challenge [String] Random bytes to add to password, before sending back to server.
-    #  @param return_url [String] Pass the url we want to return to if the login succeeds.
+    #  @param return_url [String] We return here if we sucessfully login. Overrides initialize value
     #  @return [String] Login form to embed in html response to user.
-    def html_login_form(user, challenge, return_url='')
-    <<-EOHTMLF
-    <form NAME="login" ACTION="/ruby/login.rbx" METHOD="post">
-    <input TYPE="hidden" NAME="Challenge" VALUE="#{challenge}"> 
-    <input TYPE="hidden" NAME="Response" VALUE="">
-    <input TYPE="hidden" NAME="ReturnURL" VALUE="#{return_url}">
-    <table>
-    <tr><th>User name</th><td><input TYPE="text" NAME="Username" VALUE="#{user}" SIZE="32" MAXLENGTH="32"></td></tr>
-    <tr><th>Password</th><td><input TYPE="password" NAME="Password" VALUE="" SIZE="32" MAXLENGTH="32"></td></tr>
-    <tr><td>&nbsp;</td><td>
-      <input ONCLICK="sendhash(); return false;" TYPE="submit" NAME="login" VALUE="Login">
-      <input TYPE="button" NAME="Cancel" VALUE="   Cancel   " 
-      ONCLICK="document.login.Username.value='';document.login.Password.value=';return false;'">
-    </td></tr>
-    </table>
-    </form>
-    <script LANGUAGE="javascript" TYPE="text/javascript">
-          document.login.Username.focus();
-    </script>
-    EOHTMLF
+    private def html_login_form(message: '')
+      <<~HTML
+        <form NAME="login" ACTION="/ruby/login.rbx" METHOD="post">
+        <input TYPE="hidden" NAME="Challenge" VALUE="#{@challenge}">
+        <input TYPE="hidden" NAME="Response" VALUE="">
+        <input TYPE="hidden" NAME="ReturnURL" VALUE="#{@return_url}">
+        <span hidden>#{message}</span>
+        <table>
+        <tr><th>User name</th><td><input TYPE="text" NAME="Username" VALUE="#{@user}" SIZE="32" MAXLENGTH="32"></td></tr>
+        <tr><th>Password</th><td><input TYPE="password" NAME="Password" VALUE="" SIZE="32" MAXLENGTH="32"></td></tr>
+        <tr><td>&nbsp;</td><td>
+          <input ONCLICK="sendhash(); return false;" TYPE="submit" NAME="login" VALUE="Login">
+          <input TYPE="button" NAME="Cancel" VALUE="   Cancel   "
+          ONCLICK="document.login.Username.value='';document.login.Password.value=';return false;'">
+        </td></tr>
+        </table>
+        </form>
+        <script LANGUAGE="javascript" TYPE="text/javascript">
+              document.login.Username.focus();
+        </script>
+      HTML
     end
 
-    #Generate no cache metadata header record.
+    # Generate no cache metadata header record.
     #  @return [String] Html no-cache meta tag
-    def html_nocache
-      "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
+    private def html_nocache
+      '<META HTTP-EQUIV="Pragma" CONTENT="no-cache">'
     end
   end
 end
-

metadata

@@ -1,19 +1,22 @@
 --- !ruby/object:Gem::Specification
 name: wikk_web_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.6
 platform: ruby
 authors:
 - Rob Burrowes
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-25 00:00:00.000000000 Z
+date: 2023-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: wikk_password
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.0
@@ -21,6 +24,9 @@ dependencies:
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.0
@@ -44,14 +50,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
+        version: '3.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
+        version: '3.25'
 description: Gem provides common authentication framework for Wikarekare's Ruby CGIs.
 email:
 - r.burrowes@auckland.ac.nz
@@ -67,11 +73,11 @@ files:
 - README.md
 - Rakefile
 - lib/wikk_web_auth.rb
-homepage: http://wikarekare.github.com/wikk_web_auth/
+homepage: https://wikarekare.github.io/wikk_web_auth/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--markup"
 - markdown
@@ -92,9 +98,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: Gem provides common authentication framework for Wikarekare's Ruby CGIs.
 test_files: []