rodauth-rails 0.11.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8063be8ad00634114f74f0eb549c672e2b62cd1fa81cb7f124cc9cd12505e3f
-  data.tar.gz: 6f466e29420f9e4bacb58c855e942cc20289d2c3fc69a12638b97628d25dbbfb
+  metadata.gz: '097625662e9cefbf7484ea775c9b1930968fbbc3a1b8ad24df9e229e2194e301'
+  data.tar.gz: fbbfe9dd849646e859aecbf3c600168fc0b65255f7b2bf933a2e42591f8b0b79
 SHA512:
-  metadata.gz: 8cc0af59c6ce29837fbc8a3401d456fd407ef76b74493b08ee9b4f2dfc8807d4a95c86f9bb0266401013d5162c009d46b7d07e3f741654af2cc267c0ee2c135e
-  data.tar.gz: 78c098dbaed458d5764ca2e7ee61f4710e01b2386d0cc04831b1732b9883d76c4b9f56c35c0a1e557c40951086d72bb0ed264f769313c1b45be30b2dd760024a
+  metadata.gz: 762d0c1725dcd0017cdd6722894e546dfdf246e245af688a8bc99f177e43765fe8bd7a79639e45d3146ca5bedadce9f34389f61bf3a6957b406cbc664cf93829
+  data.tar.gz: 8c6624c70668356b8434dde9bd237cced89f23d4d241b770989f1af68ee687b7186f305ada409885d619b9974e7d2d47b6fddc9faf6935653cab805ee8709167

data/CHANGELOG.md

@@ -1,3 +1,43 @@
+## 0.15.0 (2021-07-29)
+
+* Add `Rodauth::Rails::Model` mixin that defines password attribute and associations on the model (@janko)
+
+* Add support for the new internal_request feature (@janko)
+
+* Implement `Rodauth::Rails.rodauth` in terms of the internal_request feature (@janko)
+
+## 0.14.0 (2021-07-10)
+
+* Speed up template rendering by only searching formats accepted by the request (@janko)
+
+* Add `--name` option to `rodauth:views` generator for specifying different rodauth configuration (@janko)
+
+* Infer correct template path from configured controller in `rodauth:views` generator (@janko)
+
+* Raise `ArgumentError` if undefined rodauth configuration is passed to `Rodauth::Rails.app` (@janko)
+
+* Make `#rails_controller` method on the rodauth instance public (@janko)
+
+* Remove `--directory` option from `rodauth:views` generator (@janko)
+
+* Remove `#features` and `#routes` writer and `#configuration` reader from `Rodauth::Rails::Auth` (@janko)
+
+## 0.13.0 (2021-06-10)
+
+* Add `:query`, `:form`, `:session`, `:account`, and `:env` options to `Rodauth::Rails.rodauth` (@janko)
+
+## 0.12.0 (2021-05-15)
+
+* Include total view render time in logs for Rodauth requests (@janko)
+
+* Instrument redirects (@janko)
+
+* Instrument Rodauth requests on `action_controller` namespace (@janko)
+
+* Update templates for Boostrap 5 compatibility (@janko)
+
+* Log request parameters for Rodauth requests (@janko)
+
 ## 0.11.0 (2021-05-06)
 
 * Add controller-like logging for requests to Rodauth endpoints (@janko)

data/README.md

@@ -41,27 +41,15 @@ Active Record's database connection][sequel-activerecord_connection].
 
 ## Upgrading
 
-### Upgrading to 0.7.0
-
-Starting from version 0.7.0, rodauth-rails now correctly detects Rails
-application's `secret_key_base` when setting default `hmac_secret`, including
-when it's set via credentials or `$SECRET_KEY_BASE` environment variable. This
-means that your authentication will now be more secure by default, and Rodauth
-features that require `hmac_secret` should now work automatically as well.
-
-However, if you've already been using rodauth-rails in production, where the
-`secret_key_base` is set via credentials or environment variable and `hmac_secret`
-was not explicitly set, the fact that your authentication will now start using
-HMACs has backwards compatibility considerations. See the [Rodauth
-documentation][hmac] for instructions on how to safely transition, or just set
-`hmac_secret nil` in your Rodauth configuration.
+For instructions on upgrading from previous rodauth-rails versions, see
+[UPGRADING.md](/UPGRADING.md).
 
 ## Installation
 
 Add the gem to your Gemfile:
 
 ```rb
-gem "rodauth-rails", "~> 0.10"
+gem "rodauth-rails", "~> 0.15"
 
 # gem "jwt",      require: false # for JWT feature
 # gem "rotp",     require: false # for OTP feature
@@ -86,132 +74,22 @@ $ rails generate rodauth:install --jwt # token authentication via the "Authoriza
 $ bundle add jwt
 ```
 
-The generator will create the following files:
-
-* Rodauth migration at `db/migrate/*_create_rodauth.rb`
-* Rodauth initializer at `config/initializers/rodauth.rb`
-* Sequel initializer at `config/initializers/sequel.rb` for ActiveRecord integration
-* Rodauth app at `app/lib/rodauth_app.rb`
-* Rodauth controller at `app/controllers/rodauth_controller.rb`
-* Account model at `app/models/account.rb`
-* Rodauth mailer at `app/mailers/rodauth_mailer.rb` with views
-
-### Migration
-
-The migration file creates tables required by Rodauth. You're encouraged to
-review the migration, and modify it to only create tables for features you
-intend to use.
-
-```rb
-# db/migrate/*_create_rodauth.rb
-class CreateRodauth < ActiveRecord::Migration
-  def change
-    create_table :accounts do |t| ... end
-    create_table :account_password_hashes do |t| ... end
-    create_table :account_password_reset_keys do |t| ... end
-    create_table :account_verification_keys do |t| ... end
-    create_table :account_login_change_keys do |t| ... end
-    create_table :account_remember_keys do |t| ... end
-  end
-end
-```
+This generator will create a Rodauth app with common authentication features
+enabled, a database migration with tables required by those features, a mailer
+with default templates, and a few other files.
 
-Once you're done, you can run the migration:
+Feel free to remove any features you don't need, along with their corresponding
+tables. Afterwards, run the migration:
 
-```
+```sh
 $ rails db:migrate
 ```
 
-### Rodauth initializer
-
-The Rodauth initializer assigns the constant for your Rodauth app, which will
-be called by the Rack middleware that's added in front of your Rails router.
-
-```rb
-# config/initializers/rodauth.rb
-Rodauth::Rails.configure do |config|
-  config.app = "RodauthApp"
-end
-```
-
-### Sequel initializer
-
-Rodauth uses [Sequel] for database interaction. If you're using ActiveRecord,
-an additional initializer will be created which configures Sequel to use the
-ActiveRecord connection.
-
-```rb
-# config/initializers/sequel.rb
-require "sequel/core"
-
-# initialize Sequel and have it reuse Active Record's database connection
-DB = Sequel.connect("postgresql://", extensions: :activerecord_connection)
-```
-
-### Rodauth app
-
-Your Rodauth app is created in the `app/lib/` directory, and comes with a
-default set of authentication features enabled, as well as extensive examples
-on ways you can configure authentication behaviour.
-
-```rb
-# app/lib/rodauth_app.rb
-class RodauthApp < Rodauth::Rails::App
-  configure do
-    # authentication configuration
-  end
-
-  route do |r|
-    # request handling
-  end
-end
-```
-
-### Controller
-
-Your Rodauth app will by default use `RodauthController` for view rendering,
-CSRF protection, and running controller callbacks and rescue handlers around
-Rodauth actions.
-
-```rb
-# app/controllers/rodauth_controller.rb
-class RodauthController < ApplicationController
-end
-```
-
-### Account model
-
-Rodauth stores user accounts in the `accounts` table, so the generator will
-also create an `Account` model for custom use.
-
-```rb
-# app/models/account.rb
-class Account < ApplicationRecord
-end
-```
-
-### Rodauth mailer
-
-The default Rodauth app is configured to use `RodauthMailer` mailer
-for sending authentication emails.
-
-```rb
-# app/mailers/rodauth_mailer.rb
-class RodauthMailer < ApplicationMailer
-  def verify_account(recipient, email_link) ... end
-  def reset_password(recipient, email_link) ... end
-  def verify_login_change(recipient, old_login, new_login, email_link) ... end
-  def password_changed(recipient) ... end
-  # def email_auth(recipient, email_link) ... end
-  # def unlock_account(recipient, email_link) ... end
-end
-```
-
 ## Usage
 
 ### Routes
 
-We can see the list of routes our Rodauth middleware handles:
+You can see the list of routes our Rodauth middleware handles:
 
 ```sh
 $ rails rodauth:routes
@@ -233,7 +111,7 @@ Routes handled by RodauthApp:
   /close-account           rodauth.close_account_path
 ```
 
-Using this information, we could add some basic authentication links to our
+Using this information, you can add some basic authentication links to your
 navigation header:
 
 ```erb
@@ -264,7 +142,7 @@ end
 
 ### Current account
 
-To be able to fetch currently authenticated account, let's define a
+To be able to fetch currently authenticated account, you can define a
 `#current_account` method that fetches the account id from session and
 retrieves the corresponding account record:
 
@@ -281,11 +159,11 @@ class ApplicationController < ActionController::Base
     rodauth.logout
     rodauth.login_required
   end
-  helper_method :current_account # skip if inheriting from ActionController:API
+  helper_method :current_account # skip if inheriting from ActionController::API
 end
 ```
 
-This allows us to access the current account in controllers and views:
+This allows you to access the current account in controllers and views:
 
 ```erb
 <p>Authenticated as: <%= current_account.email %></p>
@@ -293,9 +171,9 @@ This allows us to access the current account in controllers and views:
 
 ### Requiring authentication
 
-We'll likely want to require authentication for certain parts of our app,
-redirecting the user to the login page if they're not logged in. We can do this
-in our Rodauth app's routing block, which helps keep the authentication logic
+You'll likely want to require authentication for certain parts of your app,
+redirecting the user to the login page if they're not logged in. You can do this
+in your Rodauth app's routing block, which helps keep the authentication logic
 encapsulated:
 
 ```rb
@@ -314,7 +192,7 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-We can also require authentication at the controller layer:
+You can also require authentication at the controller layer:
 
 ```rb
 # app/controllers/application_controller.rb
@@ -341,8 +219,8 @@ end
 
 #### Routing constraints
 
-You can also require authentication at the Rails router level by
-using a built-in `authenticated` routing constraint:
+In some cases it makes sense to require authentication at the Rails router
+level. You can do this via the built-in `authenticated` routing constraint:
 
 ```rb
 # config/routes.rb
@@ -400,11 +278,11 @@ $ rails generate rodauth:views
 ```
 
 This will generate views for the default set of Rodauth features into the
-`app/views/rodauth` directory, which will be automatically picked up by the
-`RodauthController`.
+`app/views/rodauth` directory, provided that `RodauthController` is set for the
+main configuration.
 
 You can pass a list of Rodauth features to the generator to create views for
-these features (this will not remove any existing views):
+these features (this will not remove or overwrite any existing views):
 
 ```sh
 $ rails generate rodauth:views login create_account lockout otp
@@ -416,12 +294,10 @@ Or you can generate views for all features:
 $ rails generate rodauth:views --all
 ```
 
-You can also tell the generator to create views into another directory (in this
-case make sure to rename the Rodauth controller accordingly):
+Use `--name` to generate views for a different Rodauth configuration:
 
 ```sh
-# generates views into app/views/authentication
-$ rails generate rodauth:views --name authentication
+$ rails generate rodauth:views --name admin
 ```
 
 #### Layout
@@ -514,14 +390,48 @@ end
 This configuration calls `#deliver_later`, which uses Active Job to deliver
 emails in a background job. It's generally recommended to send emails
 asynchronously for better request throughput and the ability to retry
-deliveries. However, if you want to send emails synchronously, modify the
-configuration to call `#deliver_now` instead.
+deliveries. However, if you want to send emails synchronously, you can modify
+the configuration to call `#deliver_now` instead.
 
 If you're using a background processing library without an Active Job adapter,
 or a 3rd-party service for sending transactional emails, this two-phase API
 might not be suitable. In this case, instead of overriding `#create_*_email`
 and `#send_email`, override the `#send_*_email` methods instead, which are
-required to send the email immediately.
+required to send the email immediately. For example:
+
+```rb
+# app/workers/rodauth_mailer_worker.rb
+class RodauthMailerWorker
+  include Sidekiq::Worker
+
+  def perform(name, *args)
+    email = RodauthMailer.public_send(name, *args)
+    email.deliver_now
+  end
+end
+```
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    # ...
+    # use `#send_*_email` method to be able to immediately enqueue email delivery
+    send_reset_password_email do
+      enqueue_email(:reset_password, email_to, reset_password_email_link)
+    end
+    # ...
+    auth_class_eval do
+      # custom method for enqueuing email delivery using our worker
+      def enqueue_email(name, *args)
+        db.after_commit do
+          RodauthMailerWorker.perform_async(name, *args)
+        end
+      end
+    end
+    # ...
+  end
+end
+```
 
 ### Migrations
 
@@ -543,10 +453,134 @@ class CreateRodauthOtpSmsCodesRecoveryCodes < ActiveRecord::Migration
 end
 ```
 
+### Model
+
+The `Rodauth::Rails::Model` mixin can be included into the account model, which
+defines a password attribute and associations for tables used by enabled
+authentication features.
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model # or `Rodauth::Rails.model(:admin)`
+end
+```
+
+#### Password attribute
+
+Regardless of whether you're storing the password hash in a column in the
+accounts table, or in a separate table, the `#password` attribute can be used
+to set or clear the password hash.
+
+```rb
+account = Account.create!(email: "user@example.com", password: "secret")
+
+# when password hash is stored in a column on the accounts table
+account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."
+
+# when password hash is stored in a separate table
+account.password_hash #=> #<Account::PasswordHash...> (record from `account_password_hashes` table)
+account.password_hash.password_hash #=> "$2a$12$k/Ub1..." (inaccessible when using database authentication functions)
+
+account.password = nil # clears password hash
+account.password_hash #=> nil
+```
+
+Note that the password attribute doesn't come with validations, making it
+unsuitable for forms. It was primarily intended to allow easily creating
+accounts in development console and in tests.
+
+#### Associations
+
+The `Rodauth::Rails::Model` mixin defines associations for Rodauth tables
+associated to the accounts table:
+
+```rb
+account.remember_key #=> #<Account::RememberKey> (record from `account_remember_keys` table)
+account.active_session_keys #=> [#<Account::ActiveSessionKey>,...] (records from `account_active_session_keys` table)
+```
+
+You can also reference the associated models directly:
+
+```rb
+# model referencing the `account_authentication_audit_logs` table
+Account::AuthenticationAuditLog.where(message: "login").group(:account_id)
+```
+
+The associated models define the inverse `belongs_to :account` association:
+
+```rb
+Account::ActiveSessionKey.includes(:account).map(&:account)
+```
+
+Here is an example of using associations to create a method that returns
+whether the account has multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  def mfa_enabled?
+    otp_key || (sms_code && sms_code.num_failures.nil?) || recovery_codes.any?
+  end
+end
+```
+
+Here is another example of creating a query scope that selects accounts with
+multifactor authentication enabled:
+
+```rb
+class Account < ApplicationRecord
+  include Rodauth::Rails.model
+
+  scope :otp_setup, -> { where(otp_key: OtpKey.all) }
+  scope :sms_codes_setup, -> { where(sms_code: SmsCode.where(num_failures: nil)) }
+  scope :recovery_codes_setup, -> { where(recovery_codes: RecoveryCode.all) }
+  scope :mfa_enabled, -> { merge(otp_setup.or(sms_codes_setup).or(recovery_codes_setup)) }
+end
+```
+
+Below is a list of all associations defined depending on the features loaded:
+
+| Feature                 | Association                  | Type       | Model                    | Table (default)                     |
+| :------                 | :----------                  | :---       | :----                    | :----                               |
+| account_expiration      | `:activity_time`             | `has_one`  | `ActivityTime`           | `account_activity_times`            |
+| active_sessions         | `:active_session_keys`       | `has_many` | `ActiveSessionKey`       | `account_active_session_keys`       |
+| audit_logging           | `:authentication_audit_logs` | `has_many` | `AuthenticationAuditLog` | `account_authentication_audit_logs` |
+| disallow_password_reuse | `:previous_password_hashes`  | `has_many` | `PreviousPasswordHash`   | `account_previous_password_hashes`  |
+| email_auth              | `:email_auth_key`            | `has_one`  | `EmailAuthKey`           | `account_email_auth_keys`           |
+| jwt_refresh             | `:jwt_refresh_keys`          | `has_many` | `JwtRefreshKey`          | `account_jwt_refresh_keys`          |
+| lockout                 | `:lockout`                   | `has_one`  | `Lockout`                | `account_lockouts`                  |
+| lockout                 | `:login_failure`             | `has_one`  | `LoginFailure`           | `account_login_failures`            |
+| otp                     | `:otp_key`                   | `has_one`  | `OtpKey`                 | `account_otp_keys`                  |
+| password_expiration     | `:password_change_time`      | `has_one`  | `PasswordChangeTime`     | `account_password_change_times`     |
+| recovery_codes          | `:recovery_codes`            | `has_many` | `RecoveryCode`           | `account_recovery_codes`            |
+| remember                | `:remember_key`              | `has_one`  | `RememberKey`            | `account_remember_keys`             |
+| reset_password          | `:password_reset_key`        | `has_one`  | `PasswordResetKey`       | `account_password_reset_keys`       |
+| single_session          | `:session_key`               | `has_one`  | `SessionKey`             | `account_session_keys`              |
+| sms_codes               | `:sms_code`                  | `has_one`  | `SmsCode`                | `account_sms_codes`                 |
+| verify_account          | `:verification_key`          | `has_one`  | `VerificationKey`        | `account_verification_keys`         |
+| verify_login_change     | `:login_change_key`          | `has_one`  | `LoginChangeKey`         | `account_login_change_keys`         |
+| webauthn                | `:webauthn_keys`             | `has_many` | `WebauthnKey`            | `account_webauthn_keys`             |
+| webauthn                | `:webauthn_user_id`          | `has_one`  | `WebauthnUserId`         | `account_webauthn_user_ids`         |
+
+By default, all associations except for audit logs have `dependent: :destroy`
+set, to allow for easy deletion of account records in the console. You can use
+`:association_options` to modify global or per-association options:
+
+```rb
+# don't auto-delete associations when account model is deleted
+Rodauth::Rails.model(association_options: { dependent: nil })
+
+# require authentication audit logs to be eager loaded before retrieval
+Rodauth::Rails.model(association_options: -> (name) {
+  { strict_loading: true } if name == :authentication_audit_logs
+})
+```
+
 ### Multiple configurations
 
 If you need to handle multiple types of accounts that require different
-authentication logic, you can create different configurations for them:
+authentication logic, you can create additional configurations for them:
 
 ```rb
 # app/lib/rodauth_app.rb
@@ -562,10 +596,6 @@ class RodauthApp < Rodauth::Rails::App
     prefix "/admin"
     session_key_prefix "admin_"
     remember_cookie_key "_admin_remember" # if using remember feature
-
-    # if you want separate tables
-    accounts_table :admin_accounts
-    password_hash_table :admin_account_password_hashes
     # ...
   end
 
@@ -574,7 +604,7 @@ class RodauthApp < Rodauth::Rails::App
 
     r.on "admin" do
       r.rodauth(:admin)
-      r.pass # allow the Rails app to handle other "/admin/*" requests
+      break # allow routing of other /admin/* requests to continue to Rails
     end
 
     # ...
@@ -588,6 +618,50 @@ Then in your application you can reference the secondary Rodauth instance:
 rodauth(:admin).login_path #=> "/admin/login"
 ```
 
+You'll likely want to save the information of which account belongs to which
+configuration to the database. One way would be to have a separate table that
+stores account types:
+
+```sh
+$ rails generate migration create_account_types
+```
+```rb
+# db/migrate/*_create_account_types.rb
+class CreateAccountTypes < ActiveRecord::Migration
+  def change
+    create_table :account_types do |t|
+      t.references :account, foreign_key: { on_delete: :cascade }, null: false
+      t.string :type, null: false
+    end
+  end
+end
+```
+```sh
+$ rails db:migrate
+```
+
+Then an entry would be inserted after account creation, and optionally whenever
+Rodauth retrieves accounts you could filter only those belonging to the current
+configuration:
+
+```rb
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure(:admin) do
+    # ...
+    after_create_account do
+      db[:account_types].insert(account_id: account_id, type: "admin")
+    end
+    auth_class_eval do
+      def account_ds(*)
+        super.join(:account_types, account_id: :id).where(type: "admin")
+      end
+    end
+    # ...
+  end
+end
+```
+
 #### Named auth classes
 
 A `configure` block inside `Rodauth::Rails::App` will internally create an
@@ -656,8 +730,8 @@ class RodauthAdmin < RodauthBase # inherit common settings
 end
 ```
 
-Another benefit is that you can define custom methods directly on the class
-instead of through `auth_class_eval`:
+Another benefit of explicit classes is that you can define custom methods
+directly at the class level instead of inside an `auth_class_eval`:
 
 ```rb
 # app/lib/rodauth_admin.rb
@@ -706,24 +780,54 @@ class RodauthApp < Rodauth::Rails::App
 end
 ```
 
-### Rodauth instance
+### Outside of a request
+
+In some cases you might need to use Rodauth more programmatically. If you would
+like to perform Rodauth operations outside of request context, Rodauth ships
+with the [internal_request] feature just for that. The rodauth-rails gem
+additionally updates the internal rack env hash with your
+`config.action_mailer.default_url_options`, which is used for generating URLs.
 
-In some cases you might need to use Rodauth more programmatically, and perform
-Rodauth operations outside of the request context. rodauth-rails gives you the
-ability to retrieve the Rodauth instance:
+If you need to access Rodauth methods not exposed as internal requests, you can
+use `Rodauth::Rails.rodauth` to retrieve the Rodauth instance used by the
+internal_request feature:
 
 ```rb
-rodauth = Rodauth::Rails.rodauth # or Rodauth::Rails.rodauth(:admin)
+# app/lib/rodauth_app.rb
+class RodauthApp < Rodauth::Rails::App
+  configure do
+    enable :internal_request # this is required
+  end
+end
+```
+```rb
+account = Account.find_by!(email: "user@example.com")
+rodauth = Rodauth::Rails.rodauth(account: account)
+
+rodauth.compute_hmac("token") #=> "TpEJTKfKwqYvIDKWsuZhkhKlhaBXtR1aodskBAflD8U"
+rodauth.open_account? #=> true
+rodauth.two_factor_authentication_setup? #=> true
+rodauth.password_meets_requirements?("foo") #=> false
+rodauth.locked_out? #=> false
+```
+
+In addition to the `:account` option, the `Rodauth::Rails.rodauth`
+method accepts any options supported by the internal_request feature.
 
-rodauth.login_url #=> "https://example.com/login"
-rodauth.account_from_login("user@example.com") # loads user by email
-rodauth.password_match?("secret") #=> true
-rodauth.setup_account_verification
-rodauth.close_account
+```rb
+Rodauth::Rails.rodauth(
+  env: { "HTTP_USER_AGENT" => "programmatic" },
+  session: { two_factor_auth_setup: true },
+  params: { "param" => "value" }
+)
 ```
 
-This Rodauth instance will be initialized with basic Rack env that allows is it
-to generate URLs, using `config.action_mailer.default_url_options` options.
+Secondary Rodauth configurations are specified by passing the configuration
+name:
+
+```rb
+Rodauth::Rails.rodauth(:admin)
+```
 
 ## How it works
 
@@ -834,7 +938,7 @@ class RodauthApp < Rodauth::Rails::App
   configure do
     # ...
     enable :json
-    only_json? true # accept only JSON requests
+    only_json? true # accept only JSON requests (optional)
     # ...
   end
 end
@@ -855,27 +959,29 @@ class RodauthApp < Rodauth::Rails::App
     # ...
     enable :jwt
     jwt_secret "<YOUR_SECRET_KEY>" # store the JWT secret in a safe place
-    only_json? true # accept only JSON requests
+    only_json? true # accept only JSON requests (optional)
     # ...
   end
 end
 ```
 
-If you need Cross-Origin Resource Sharing and/or JWT refresh tokens, enable the
-corresponding Rodauth features and create the necessary tables:
+The JWT token will be returned after each request to Rodauth routes. To also
+return the JWT token on requests to your app's routes, you can add the
+following code to your base controller:
 
-```sh
-$ rails generate rodauth:migration jwt_refresh
-$ rails db:migrate
-```
 ```rb
-# app/lib/rodauth_app.rb
-class RodauthApp < Rodauth::Rails::App
-  configure do
-    # ...
-    enable :jwt, :jwt_cors, :jwt_refresh
-    # ...
+class ApplicationController < ActionController::Base
+  # ...
+  after_action :set_jwt_token
+
+  private
+
+  def set_jwt_token
+    if rodauth.use_jwt? && rodauth.valid_jwt?
+      response.headers["Authorization"] = rodauth.session_jwt
+    end
   end
+  # ...
 end
 ```
 
@@ -935,7 +1041,8 @@ end
 <%= link_to "Login via Facebook", "/auth/facebook" %>
 ```
 
-Let's implement the OmniAuth callback endpoint on our Rodauth controller:
+Finally, let's implement the OmniAuth callback endpoint on our Rodauth
+controller:
 
 ```rb
 # config/routes.rb
@@ -988,11 +1095,8 @@ end
 
 ## Configuring
 
-For the list of configuration methods provided by Rodauth, see the [feature
-documentation].
-
-The `rails` feature rodauth-rails loads is customizable as well, here is the
-list of its configuration methods:
+The `rails` feature rodauth-rails loads provides the following configuration
+methods:
 
 | Name                        | Description                                                        |
 | :----                       | :----------                                                        |
@@ -1019,12 +1123,16 @@ Rodauth::Rails.configure do |config|
 end
 ```
 
+For the list of configuration methods provided by Rodauth, see the [feature
+documentation].
+
 ## Custom extensions
 
 When developing custom extensions for Rodauth inside your Rails project, it's
-better to use plain modules (at least in the beginning), because Rodauth
-feature design doesn't yet support Zeitwerk reloading well. Here is
-an example of an LDAP authentication extension that uses the
+probably better to use plain modules, at least in the beginning, as Rodauth
+feature design doesn't yet work well with Zeitwerk reloading.
+
+Here is an example of an LDAP authentication extension that uses the
 [simple_ldap_authenticator] gem.
 
 ```rb
@@ -1181,29 +1289,6 @@ Rails.application.configure do |config|
 end
 ```
 
-If you need to create an account record with a password directly, you can do it
-as follows:
-
-```rb
-# app/models/account.rb
-class Account < ApplicationRecord
-  has_one :password_hash, foreign_key: :id
-end
-```
-```rb
-# app/models/account/password_hash.rb
-class Account::PasswordHash < ApplicationRecord
-  belongs_to :account, foreign_key: :id
-end
-```
-```rb
-require "bcrypt"
-
-account = Account.create!(email: "user@example.com", status: "verified")
-password_hash = BCrypt::Password.create("secret", cost: BCrypt::Engine::MIN_COST)
-account.create_password_hash!(id: account.id, password_hash: password_hash)
-```
-
 ## Rodauth defaults
 
 rodauth-rails changes some of the default Rodauth settings for easier setup:
@@ -1284,6 +1369,18 @@ configure do
 end
 ```
 
+### Deadline values
+
+To simplify changes to the database schema, rodauth-rails configures Rodauth
+to set deadline values for various features in Ruby, instead of relying on
+the database to set default column values.
+
+You can easily change this back:
+
+```rb
+set_deadline_values? false
+```
+
 ## License
 
 The gem is available as open source under the terms of the [MIT
@@ -1325,3 +1422,4 @@ conduct](https://github.com/janko/rodauth-rails/blob/master/CODE_OF_CONDUCT.md).
 [single_session]: http://rodauth.jeremyevans.net/rdoc/files/doc/single_session_rdoc.html
 [account_expiration]: http://rodauth.jeremyevans.net/rdoc/files/doc/account_expiration_rdoc.html
 [simple_ldap_authenticator]: https://github.com/jeremyevans/simple_ldap_authenticator
+[internal_request]: http://rodauth.jeremyevans.net/rdoc/files/doc/internal_request_rdoc.html