# frozen-string-literal: true module Rodauth Feature.define(:password_expiration, :PasswordExpiration) do depends :login, :change_password error_flash "Your password has expired and needs to be changed" error_flash "Your password cannot be changed yet", 'password_not_changeable_yet' redirect :password_not_changeable_yet redirect(:password_change_needed){change_password_path} auth_value_method :allow_password_change_after, -86400 auth_value_method :require_password_change_after, 90*86400 auth_value_method :password_expiration_table, :account_password_change_times auth_value_method :password_expiration_id_column, :id auth_value_method :password_expiration_changed_at_column, :changed_at session_key :password_changed_at_session_key, :password_changed_at auth_value_method :password_expiration_default, false auth_methods( :password_expired?, :update_password_changed_at ) def get_password_changed_at convert_timestamp(password_expiration_ds.get(password_expiration_changed_at_column)) end def check_password_change_allowed if password_changed_at = get_password_changed_at if password_changed_at > Time.now - allow_password_change_after set_redirect_error_flash password_not_changeable_yet_error_flash redirect password_not_changeable_yet_redirect end end end def set_password(password) update_password_changed_at session[password_changed_at_session_key] = Time.now.to_i super end def account_from_reset_password_key(key) if a = super check_password_change_allowed end a end def update_password_changed_at ds = password_expiration_ds if ds.update(password_expiration_changed_at_column=>Sequel::CURRENT_TIMESTAMP) == 0 # Ignoring the violation is safe here, since a concurrent insert would also set it to the # current timestamp. ignore_uniqueness_violation{ds.insert(password_expiration_id_column=>account_id)} end end def require_current_password if authenticated? && password_expired? && password_change_needed_redirect != request.path_info set_redirect_error_flash password_expiration_error_flash redirect password_change_needed_redirect end end def password_expired? if password_changed_at = session[password_changed_at_session_key] return password_changed_at + require_password_change_after < Time.now.to_i end account_from_session if password_changed_at = get_password_changed_at set_session_value(password_changed_at_session_key, password_changed_at.to_i) password_changed_at + require_password_change_after < Time.now else set_session_value(password_changed_at_session_key, password_expiration_default ? 0 : 2147483647) password_expiration_default end end private def after_close_account super if defined?(super) password_expiration_ds.delete end def before_change_password_route check_password_change_allowed super end def after_create_account if account_password_hash_column update_password_changed_at end super if defined?(super) end def after_login require_current_password super end def password_expiration_ds db[password_expiration_table].where(password_expiration_id_column=>account_id) end end end