# frozen-string-literal: true
require 'rack/request'
require 'rack/utils'
module Rodauth
Feature.define(:base, :Base) do
after 'login'
after 'login_failure'
before 'login'
before 'login_attempt'
before 'rodauth'
error_flash "Please login to continue", 'require_login'
auth_value_method :account_id_column, :id
auth_value_method :account_open_status_value, 2
auth_value_method :account_password_hash_column, nil
auth_value_method :account_select, nil
auth_value_method :account_status_column, :status_id
auth_value_method :account_unverified_status_value, 1
auth_value_method :accounts_table, :accounts
auth_value_method :cache_templates, true
auth_value_method :check_csrf_block, nil
auth_value_method :check_csrf_opts, {}.freeze
auth_value_method :default_redirect, '/'
auth_value_method :convert_token_id_to_integer?, nil
flash_key :flash_error_key, :error
flash_key :flash_notice_key, :notice
auth_value_method :hmac_old_secret, nil
auth_value_method :hmac_secret, nil
translatable_method :input_field_label_suffix, ''
auth_value_method :input_field_error_class, 'error is-invalid'
auth_value_method :input_field_error_message_class, 'error_message invalid-feedback'
auth_value_method :invalid_field_error_status, 422
auth_value_method :invalid_key_error_status, 401
auth_value_method :invalid_password_error_status, 401
translatable_method :invalid_password_message, "invalid password"
auth_value_method :login_column, :email
auth_value_method :login_required_error_status, 401
auth_value_method :lockout_error_status, 403
auth_value_method :max_param_bytesize, 1024
auth_value_method :password_hash_id_column, :id
auth_value_method :password_hash_column, :password_hash
auth_value_method :password_hash_table, :account_password_hashes
auth_value_method :no_matching_login_error_status, 401
translatable_method :no_matching_login_message, "no matching login"
auth_value_method :login_param, 'login'
translatable_method :login_label, 'Login'
translatable_method :password_label, 'Password'
auth_value_method :password_param, 'password'
session_key :session_key, :account_id
session_key :authenticated_by_session_key, :authenticated_by
session_key :autologin_type_session_key, :autologin_type
auth_value_method :prefix, ''
auth_value_method :session_key_prefix, nil
auth_value_method :require_bcrypt?, true
auth_value_method :mark_input_fields_as_required?, true
auth_value_method :mark_input_fields_with_autocomplete?, true
auth_value_method :mark_input_fields_with_inputmode?, true
auth_value_method :skip_status_checks?, true
translatable_method :strftime_format, '%F %T'
auth_value_method :template_opts, {}.freeze
auth_value_method :title_instance_variable, nil
auth_value_method :token_separator, "_"
auth_value_method :unmatched_field_error_status, 422
auth_value_method :unopen_account_error_status, 403
translatable_method :unverified_account_message, "unverified account, please verify account before logging in"
auth_value_method :default_field_attributes, ''
auth_value_method :use_template_fixed_locals?, true
redirect(:require_login){"#{prefix}/login"}
auth_value_methods(
:base_url,
:check_csrf?,
:db,
:domain,
:login_input_type,
:login_uses_email?,
:modifications_require_password?,
:set_deadline_values?,
:use_date_arithmetic?,
:use_database_authentication_functions?,
:use_request_specific_csrf_tokens?
)
auth_methods(
:account_id,
:account_session_value,
:already_logged_in,
:authenticated?,
:autocomplete_for_field?,
:check_csrf,
:clear_session,
:clear_tokens,
:csrf_tag,
:function_name,
:hook_action,
:inputmode_for_field?,
:logged_in?,
:login_required,
:normalize_login,
:null_byte_parameter_value,
:open_account?,
:over_max_bytesize_param_value,
:password_match?,
:random_key,
:redirect,
:session_value,
:set_error_flash,
:set_notice_flash,
:set_notice_now_flash,
:set_redirect_error_flash,
:set_error_reason,
:set_title,
:translate,
:update_session
)
auth_private_methods(
:account_from_id,
:account_from_login,
:account_from_session,
:convert_token_id,
:field_attributes,
:field_error_attributes,
:formatted_field_error,
:around_rodauth
)
internal_request_method :account_exists?
internal_request_method :account_id_for_login
internal_request_method :internal_request_eval
configuration_module_eval do
def auth_class_eval(&block)
auth.class_eval(&block)
end
end
attr_reader :scope
attr_reader :account
attr_reader :current_route
def initialize(scope)
@scope = scope
end
def features
self.class.features
end
def request
scope.request
end
def response
scope.response
end
def session
scope.session
end
def flash
scope.flash
end
def route!
if meth = self.class.route_hash[request.remaining_path]
send(meth)
end
nil
end
def set_field_error(field, error)
(@field_errors ||= {})[field] = error
end
def field_error(field)
return nil unless @field_errors
@field_errors[field]
end
def add_field_error_class(field)
if field_error(field)
" #{input_field_error_class}"
end
end
def input_field_string(param, id, opts={})
type = opts.fetch(:type, "text")
unless type == "password"
value = opts.fetch(:value){scope.h param(param)}
end
field_class = opts.fetch(:class, "form-control")
if autocomplete_for_field?(param) && opts[:autocomplete]
autocomplete = "autocomplete=\"#{opts[:autocomplete]}\""
end
if inputmode_for_field?(param) && opts[:inputmode]
inputmode = "inputmode=\"#{opts[:inputmode]}\""
end
if mark_input_fields_as_required? && opts[:required] != false
required = "required=\"required\""
end
" #{formatted_field_error(param) unless opts[:skip_error_message]}"
end
def autocomplete_for_field?(_param)
mark_input_fields_with_autocomplete?
end
def inputmode_for_field?(_param)
mark_input_fields_with_inputmode?
end
def field_attributes(field)
_field_attributes(field) || default_field_attributes
end
def field_error_attributes(field)
if field_error(field)
_field_error_attributes(field)
end
end
def formatted_field_error(field)
if error = field_error(field)
_formatted_field_error(field, error)
end
end
def hook_action(_hook_type, _action)
# nothing by default
end
def translate(_key, default)
# do not attempt to translate by default
default
end
# Return urlsafe base64 HMAC for data, assumes hmac_secret is set.
def compute_hmac(data)
_process_raw_hmac(compute_raw_hmac(data))
end
# Return urlsafe base64 HMAC for data using hmac_old_secret, assumes hmac_old_secret is set.
def compute_old_hmac(data)
_process_raw_hmac(compute_raw_hmac_with_secret(data, hmac_old_secret))
end
# Return array of hmacs. Array has two strings if hmac_old_secret
# is set, or one string otherwise.
def compute_hmacs(data)
hmacs = [compute_hmac(data)]
if hmac_old_secret
hmacs << compute_old_hmac(data)
end
hmacs
end
def account_id
account[account_id_column]
end
alias account_session_value account_id
def session_value
session[session_key]
end
alias logged_in? session_value
def account_from_login(login)
@account = _account_from_login(login)
end
def open_account?
skip_status_checks? || account[account_status_column] == account_open_status_value
end
def db
Sequel::DATABASES.first or raise "Sequel database connection is missing"
end
def login_field_autocomplete_value
login_uses_email? ? "email" : "on"
end
def password_field_autocomplete_value
@password_field_autocomplete_value || 'current-password'
end
alias account_password_hash_column account_password_hash_column
# If the account_password_hash_column is set, the password hash is verified in
# ruby, it will not use a database function to do so, it will check the password
# hash using bcrypt.
def account_password_hash_column
nil
end
def check_already_logged_in
already_logged_in if logged_in?
end
def already_logged_in
nil
end
def login_input_type
login_uses_email? ? 'email' : 'text'
end
def login_uses_email?
login_column == :email
end
def clear_session
if use_scope_clear_session?
scope.clear_session
else
session.clear
end
end
def clear_tokens(reason)
end
def login_required
set_redirect_error_status(login_required_error_status)
set_error_reason :login_required
set_redirect_error_flash require_login_error_flash
redirect require_login_redirect
end
def set_title(title)
if title_instance_variable
scope.instance_variable_set(title_instance_variable, title)
end
end
def set_error_flash(message)
flash.now[flash_error_key] = message
end
def set_redirect_error_flash(message)
flash[flash_error_key] = message
end
def set_notice_flash(message)
flash[flash_notice_key] = message
end
def set_notice_now_flash(message)
flash.now[flash_notice_key] = message
end
def require_login
login_required unless logged_in?
end
def authenticated?
logged_in?
end
def require_authentication
require_login
end
def require_account
require_authentication
require_account_session
end
def account_initial_status_value
account_open_status_value
end
def account!
account || (session_value && account_from_session)
end
def account_from_session
@account = _account_from_session
end
def account_from_id(id, status_id=nil)
@account = _account_from_id(id, status_id)
end
def check_csrf
scope.check_csrf!(check_csrf_opts, &check_csrf_block)
end
def csrf_tag(path=request.path)
return unless scope.respond_to?(:csrf_tag)
if use_request_specific_csrf_tokens?
scope.csrf_tag(path)
else
# :nocov:
scope.csrf_tag
# :nocov:
end
end
def button_opts(value, opts)
opts = Hash[template_opts].merge!(opts)
_merge_fixed_locals_opts(opts, button_fixed_locals)
opts[:locals] = {:value=>value, :opts=>opts}
opts[:cache] = cache_templates
opts[:cache_key] = :rodauth_button
_template_opts(opts, 'button')
end
def button(value, opts={})
scope.render(button_opts(value, opts))
end
def view(page, title)
set_title(title)
_view(:view, page)
end
def render(page)
_view(:render, page)
end
def only_json?
scope.class.opts[:rodauth_json] == :only
end
def post_configure
require 'bcrypt' if require_bcrypt?
db.extension :date_arithmetic if use_date_arithmetic?
if method(:convert_token_id_to_integer?).owner == Rodauth::Base && (db rescue false) && db.table_exists?(accounts_table) && db.schema(accounts_table).find{|col, v| break v[:type] == :integer if col == account_id_column}
self.class.send(:define_method, :convert_token_id_to_integer?){true}
end
route_hash= {}
self.class.routes.each do |meth|
route_meth = "#{meth.to_s.sub(/\Ahandle_/, '')}_route"
if route = send(route_meth)
route_hash["/#{route}"] = meth
end
end
self.class.route_hash = route_hash.freeze
end
def password_match?(password)
if hash = get_password_hash
if account_password_hash_column || !use_database_authentication_functions?
password_hash_match?(hash, password)
else
database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
end
end
end
def update_session
clear_session
set_session_value(session_key, account_session_value)
end
def authenticated_by
session[authenticated_by_session_key]
end
def login_session(auth_type)
update_session
set_session_value(authenticated_by_session_key, [auth_type])
end
def autologin_type
session[autologin_type_session_key]
end
def autologin_session(autologin_type)
login_session('autologin')
set_session_value(autologin_type_session_key, autologin_type)
end
# Return a string for the parameter name. This will be an empty
# string if the parameter doesn't exist.
def param(key)
param_or_nil(key).to_s
end
# Return a string for the parameter name, or nil if there is no
# parameter with that name.
def param_or_nil(key)
value = raw_param(key)
unless value.nil?
value = value.to_s
value = over_max_bytesize_param_value(key, value) if max_param_bytesize && value.bytesize > max_param_bytesize
value = null_byte_parameter_value(key, value) if value && value.include?("\0")
end
value
end
# Return nil by default for values over maximum bytesize.
def over_max_bytesize_param_value(key, value)
nil
end
# The normalized value of the login parameter
def login_param_value
normalize_login(param(login_param))
end
def normalize_login(login)
login
end
# Return nil by default for values with null bytes
def null_byte_parameter_value(key, value)
nil
end
def raw_param(key)
request.params[key]
end
def base_url
url = String.new("#{request.scheme}://#{domain}")
url << ":#{request.port}" if request.port != Rack::Request::DEFAULT_PORTS[request.scheme]
url
end
def domain
request.host
end
def modifications_require_password?
has_password?
end
def possible_authentication_methods
has_password? ? ['password'] : []
end
def has_password?
return @has_password if defined?(@has_password)
return false unless account || session_value
@has_password = !!get_password_hash
end
private
def _around_rodauth
yield
end
def _process_raw_hmac(hmac)
s = [hmac].pack('m')
s.chomp!("=\n")
s.tr!('+/', '-_')
s
end
if Rack.release >= '3'
def set_response_header(key, value)
response.headers[key] = value
end
def convert_response_header_key(key)
key
end
# :nocov:
else
def set_response_header(key, value)
response.headers[convert_response_header_key(key)] = value
end
# Attempt backwards compatibility on Rack < 3 by changing
# known cases from lower case to mixed case.
mixed_case_headers = {}
(<<-END).split.each { |k| mixed_case_headers[k.downcase.freeze] = k.freeze }
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-Expose-Headers
Access-Control-Max-Age
Allow
Authorization
Content-Type
Content-Length
WWW-Authenticate
END
mixed_case_headers.freeze
define_method(:convert_response_header_key) do |key|
mixed_case_headers.fetch(key, key)
end
end
# :nocov:
if RUBY_VERSION >= '2.1'
def button_fixed_locals
'(value:, opts:)'
end
# :nocov:
else
# Work on Ruby 2.0 when using Tilt 2.6+, as Ruby 2.0 does
# not support required keyword arguments.
def button_fixed_locals
'(value: nil, opts: nil)'
end
end
# :nocov:
def database_function_password_match?(name, hash_id, password, salt)
db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
end
def password_hash_match?(hash, password)
BCrypt::Password.new(hash) == password
end
def convert_token_key(key)
if key && hmac_secret
compute_hmac(key)
else
key
end
end
def split_token(token)
token.split(token_separator, 2)
end
def convert_token_id(id)
if convert_token_id_to_integer?
convert_token_id_to_integer(id)
else
id
end
end
def convert_token_id_to_integer(id)
if id = (Integer(id, 10) rescue nil)
if id > 9223372036854775807 || id < -9223372036854775808
# Only allow 64-bit signed integer range to avoid problems on PostgreSQL
id = nil
end
end
id
end
def redirect(path)
request.redirect(path)
end
def return_response(body=nil)
response.write(body) if body
request.halt
end
def route_path(route, opts={})
path = "#{prefix}/#{route}"
path += "?#{Rack::Utils.build_nested_query(opts)}" unless opts.empty?
path
end
def route_url(route, opts={})
"#{base_url}#{route_path(route, opts)}"
end
def transaction(opts={}, &block)
db.transaction(opts, &block)
end
def random_key
SecureRandom.urlsafe_base64(32)
end
def convert_session_key(key)
key = :"#{session_key_prefix}#{key}" if session_key_prefix
normalize_session_or_flash_key(key)
end
def normalize_session_or_flash_key(key)
scope.opts[:sessions_convert_symbols] ? key.to_s : key
end
def timing_safe_eql?(provided, actual)
provided = provided.to_s
Rack::Utils.secure_compare(provided.ljust(actual.length), actual) && provided.length == actual.length
end
def require_account_session
unless account_from_session
clear_session
login_required
end
end
def catch_error(&block)
catch(:rodauth_error, &block)
end
# Don't set an error status when redirecting in an error case, as a redirect status is needed.
def set_redirect_error_status(status)
end
def set_response_error_status(status)
response.status = status
end
def set_response_error_reason_status(reason, status)
set_error_reason(reason)
set_response_error_status(status)
end
def throw_rodauth_error
throw :rodauth_error
end
def throw_error(field, error)
set_field_error(field, error)
throw_rodauth_error
end
def throw_error_status(status, field, error)
set_response_error_status(status)
throw_error(field, error)
end
def set_error_reason(reason)
end
def throw_error_reason(reason, status, field, message)
set_error_reason(reason)
throw_error_status(status, field, message)
end
def use_date_arithmetic?
set_deadline_values?
end
def set_deadline_values?
db.database_type == :mysql
end
def use_database_authentication_functions?
case db.database_type
when :postgres, :mysql, :mssql
true
else
# :nocov:
false
# :nocov:
end
end
def use_request_specific_csrf_tokens?
scope.opts[:rodauth_route_csrf] && scope.use_request_specific_csrf_tokens?
end
def check_csrf?
scope.opts[:rodauth_route_csrf]
end
def function_name(name)
if db.database_type == :mssql
# :nocov:
"dbo.#{name}"
# :nocov:
else
name
end
end
def password_hash_using_salt(password, salt)
BCrypt::Engine.hash_secret(password, salt)
end
# Get the password hash for the user. When using database authentication functions,
# note that only the salt is returned.
def get_password_hash
if account_password_hash_column
account[account_password_hash_column] if account!
elsif use_database_authentication_functions?
db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
else
# :nocov:
password_hash_ds.get(password_hash_column)
# :nocov:
end
end
def _account_from_login(login)
ds = account_table_ds.where(login_column=>login)
ds = ds.select(*account_select) if account_select
ds = ds.where(account_status_column=>[account_unverified_status_value, account_open_status_value]) unless skip_status_checks?
ds.first
end
def _account_from_session
ds = account_ds(session_value)
ds = ds.where(account_session_status_filter) unless skip_status_checks?
ds.first
end
def _account_from_id(id, status_id=nil)
ds = account_ds(id)
ds = ds.where(account_status_column=>status_id) if status_id && !skip_status_checks?
ds.first
end
def hmac_secret_rotation?
hmac_secret && hmac_old_secret && hmac_secret != hmac_old_secret
end
def compute_raw_hmac(data)
raise ConfigurationError, "hmac_secret not set" unless hmac_secret
compute_raw_hmac_with_secret(data, hmac_secret)
end
def compute_raw_hmac_with_secret(data, secret)
OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, secret, data)
end
def _field_attributes(field)
nil
end
def _field_error_attributes(field)
" aria-invalid=\"true\" aria-describedby=\"#{field}_error_message\" "
end
def _formatted_field_error(field, error)
"#{error}"
end
def account_session_status_filter
{account_status_column=>account_open_status_value}
end
def template_path(page)
File.join(File.dirname(__FILE__), '../../../templates', "#{page}.str")
end
def account_ds(id=account_id)
raise ArgumentError, "invalid account id passed to account_ds" unless id
ds = account_table_ds.where(account_id_column=>id)
ds = ds.select(*account_select) if account_select
ds
end
def account_table_ds
db[accounts_table]
end
def password_hash_ds
db[password_hash_table].where(password_hash_id_column=>account ? account_id : session_value)
end
# This is needed for jdbc/sqlite, which returns timestamp columns as strings
def convert_timestamp(timestamp)
timestamp = db.to_application_timestamp(timestamp) if timestamp.is_a?(String)
timestamp
end
def loaded_templates
[]
end
# This is used to avoid race conditions when using the pattern of inserting when
# an update affects no rows. In such cases, if a row is inserted between the
# update and the insert, the insert will fail with a uniqueness error, but
# retrying will work. It is possible for it to fail again, but only if the row
# is deleted before the update and readded before the insert, which is very
# unlikely to happen. In such cases, raising an exception is acceptable.
def retry_on_uniqueness_violation(&block)
if raises_uniqueness_violation?(&block)
yield
end
end
# In cases where retrying on uniqueness violations cannot work, this will detect
# whether a uniqueness violation is raised by the block and return the exception if so.
# This method should be used if you don't care about the exception itself.
def raises_uniqueness_violation?(&block)
transaction(:savepoint=>:only, &block)
false
rescue unique_constraint_violation_class => e
e
end
# Work around jdbc/sqlite issue where it only raises ConstraintViolation and not
# UniqueConstraintViolation.
def unique_constraint_violation_class
if db.adapter_scheme == :jdbc && db.database_type == :sqlite
# :nocov:
Sequel::ConstraintViolation
# :nocov:
else
Sequel::UniqueConstraintViolation
end
end
# If you would like to operate/reraise the exception, this alias makes more sense.
alias raised_uniqueness_violation raises_uniqueness_violation?
# If you just want to ignore uniqueness violations, this alias makes more sense.
alias ignore_uniqueness_violation raises_uniqueness_violation?
# This is needed on MySQL, which doesn't support non constant defaults other than
# CURRENT_TIMESTAMP.
def set_deadline_value(hash, column, interval)
if set_deadline_values?
# :nocov:
hash[column] = Sequel.date_add(Sequel::CURRENT_TIMESTAMP, interval)
# :nocov:
end
end
def _filter_links(links)
links.select!{|_, link| link}
links.sort!
links
end
def internal_request?
false
end
def use_scope_clear_session?
scope.respond_to?(:clear_session)
end
def require_response(meth)
send(meth)
raise ConfigurationError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt)."
end
def set_session_value(key, value)
session[key] = value
end
def remove_session_value(key)
session.delete(key)
end
def update_hash_ds(hash, ds, values)
num = ds.update(values)
if num == 1
values.each do |k, v|
hash[k] = Sequel::CURRENT_TIMESTAMP == v ? Time.now : v
end
end
num
end
def update_account(values, ds=account_ds)
update_hash_ds(account, ds, values)
end
def _view_opts(page)
opts = template_opts.dup
_merge_fixed_locals_opts(opts, '(rodauth: self.rodauth)')
opts[:locals] = opts[:locals] ? opts[:locals].dup : {}
opts[:locals][:rodauth] = self
opts[:cache] = cache_templates
opts[:cache_key] = :"rodauth_#{page}"
_template_opts(opts, page)
end
def _merge_fixed_locals_opts(opts, fixed_locals)
if use_template_fixed_locals? && !opts[:locals]
fixed_locals_opts = {default_fixed_locals: fixed_locals}
fixed_locals_opts.merge!(opts[:template_opts]) if opts[:template_opts]
opts[:template_opts] = fixed_locals_opts
end
end
# Set the template path only if there isn't an overridden template in the application.
# Result should replace existing template opts.
def _template_opts(opts, page)
opts = scope.send(:find_template, scope.send(:parse_template_opts, page, opts))
unless File.file?(scope.send(:template_path, opts))
opts[:path] = template_path(page)
end
opts
end
def _view(meth, page)
unless scope.respond_to?(meth)
raise ConfigurationError, "attempted to render a built-in view/email template (#{page.inspect}), but rendering is disabled"
end
scope.send(meth, _view_opts(page))
end
end
end