1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
# frozen-string-literal: true
module Rodauth
Feature.define(:password_expiration, :PasswordExpiration) do
depends :login, :change_password
error_flash "Your password has expired and needs to be changed"
error_flash "Your password cannot be changed yet", 'password_not_changeable_yet'
redirect :password_not_changeable_yet
redirect(:password_change_needed){change_password_path}
auth_value_method :allow_password_change_after, -86400
auth_value_method :require_password_change_after, 90*86400
auth_value_method :password_expiration_table, :account_password_change_times
auth_value_method :password_expiration_id_column, :id
auth_value_method :password_expiration_changed_at_column, :changed_at
session_key :password_changed_at_session_key, :password_changed_at
auth_value_method :password_expiration_default, false
auth_methods(
:password_expired?,
:update_password_changed_at
)
def get_password_changed_at
convert_timestamp(password_expiration_ds.get(password_expiration_changed_at_column))
end
def check_password_change_allowed
if password_changed_at = get_password_changed_at
if password_changed_at > Time.now - allow_password_change_after
set_redirect_error_flash password_not_changeable_yet_error_flash
redirect password_not_changeable_yet_redirect
end
end
end
def set_password(password)
update_password_changed_at
set_session_value(password_changed_at_session_key, Time.now.to_i)
super
end
def account_from_reset_password_key(key)
if a = super
check_password_change_allowed
end
a
end
def update_password_changed_at
ds = password_expiration_ds
if ds.update(password_expiration_changed_at_column=>Sequel::CURRENT_TIMESTAMP) == 0
# Ignoring the violation is safe here, since a concurrent insert would also set it to the
# current timestamp.
ignore_uniqueness_violation{ds.insert(password_expiration_id_column=>account_id)}
end
end
def require_current_password
if authenticated? && password_expired? && password_change_needed_redirect != request.path_info
set_redirect_error_flash password_expiration_error_flash
redirect password_change_needed_redirect
end
end
def password_expired?
if password_changed_at = session[password_changed_at_session_key]
return password_changed_at + require_password_change_after < Time.now.to_i
end
account_from_session
if password_changed_at = get_password_changed_at
set_session_value(password_changed_at_session_key, password_changed_at.to_i)
password_changed_at + require_password_change_after < Time.now
else
set_session_value(password_changed_at_session_key, password_expiration_default ? 0 : 2147483647)
password_expiration_default
end
end
private
def after_close_account
super if defined?(super)
password_expiration_ds.delete
end
def before_change_password_route
check_password_change_allowed
super
end
def after_create_account
if account_password_hash_column
update_password_changed_at
end
super if defined?(super)
end
def after_login
require_current_password
super
end
def password_expiration_ds
db[password_expiration_table].where(password_expiration_id_column=>account_id)
end
end
end
|
