rodauth 1.18.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0005c04210782f2fa730e3078b9c757930c7a9980cd9cb7228da66277175bc7a
-  data.tar.gz: c036f628ddf2479c303cb53b32c67f3b55b63d41037168ff7444c3f32fc4a3dd
+  metadata.gz: e6334a653be69dad1d434d2792e8b5eda787fa69e13cd45f83fbe23cd7ab7865
+  data.tar.gz: 5854eaa491e9887bfe5d934937bd249c5b063a621a24e3817aef51330b6bbe1f
 SHA512:
-  metadata.gz: 13da13bd1f74c5ceb9cc3d00983e832039d1081c532a49a0901a56d9f1242b2d04848d27f2672c6187a7f51343a94fc079d29d3363464562171a120c26b76325
-  data.tar.gz: fc56e0f75f4d095d1b326301e282eac64bbbfb8a52ccbce78aacc4dcb76288db1edb4d009d3ed234865449afd48cbba43e022b9b2d3f52ba838df703a3b62d38
+  metadata.gz: 0e293f83da80d612f95bbd04da5b58d20f5a3d92c4c24f6fab1b50c595f677862e4c06e3261a08c5063dcad4e491b4073f6e40942191aec8cbb6d32f94bd9cd8
+  data.tar.gz: 8ca62fd8ece8fbeef61e7f3c658e987d29cba79195aa8fff1dff3a0a99576fa557ce1ec19a22de7a09a7d850627532ab79083f24e61aa891460854fbd843d4e7

data/CHANGELOG

@@ -1,3 +1,27 @@
+=== 1.19.0 (2018-11-16)
+
+* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
+
+* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
+
+* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
+
+* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
+
+* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
+
+* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
+
+* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
+
+* Add email_auth feature, for authentication using links sent via email (jeremyevans)
+
+* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
+
+* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
+
+* Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
+
 === 1.18.0 (2018-07-18)
 
 * Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)

data/README.rdoc

@@ -26,6 +26,7 @@ hashes by protecting access via database functions.
 * Confirm Password
 * Remember (Autologin via token)
 * Lockout (Bruteforce protection)
+* Email Authentication (Login via email link)
 * OTP (2 factor authentication via TOTP)
 * Recovery Codes (2 factor authentication via backup codes)
 * SMS Codes (2 factor authentication via SMS)
@@ -151,12 +152,6 @@ The database superuser account is used to load extensions related to the
 database.  The application should never be run using the database
 superuser account.
 
-Note that there is not a simple way to use multiple database accounts in
-the same PostgreSQL database on Heroku.  You can still use Rodauth on
-Heroku, it just won't have the same security benefits.  That's not to say
-it is insecure, just that it drops the security level for password hash
-storage to the same level as other common authentication solutions.
-
 === Create database accounts
 
 If you are currently running your application using the database superuser
@@ -333,6 +328,7 @@ Note that these migrations require Sequel 4.35.0+.
         foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
         String :key, :null=>false
         DateTime :deadline, deadline_opts[1]
+        DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
       end
 
       # Used by the account verification feature
@@ -340,6 +336,7 @@ Note that these migrations require Sequel 4.35.0+.
         foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
         String :key, :null=>false
         DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+        DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
       end
 
       # Used by the verify login change feature
@@ -366,6 +363,15 @@ Note that these migrations require Sequel 4.35.0+.
         foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
         String :key, :null=>false
         DateTime :deadline, deadline_opts[1]
+        DateTime :email_last_sent
+      end
+
+      # Used by the email auth feature
+      create_table(:account_email_auth_keys) do
+        foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+        String :key, :null=>false
+        DateTime :deadline, deadline_opts[1]
+        DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
       end
 
       # Used by the password expiration feature
@@ -430,6 +436,7 @@ Note that these migrations require Sequel 4.35.0+.
         run "GRANT ALL ON account_remember_keys TO #{user}"
         run "GRANT ALL ON account_login_failures TO #{user}"
         run "GRANT ALL ON account_lockouts TO #{user}"
+        run "GRANT ALL ON account_email_auth_keys TO #{user}"
         run "GRANT ALL ON account_password_change_times TO #{user}"
         run "GRANT ALL ON account_activity_times TO #{user}"
         run "GRANT ALL ON account_session_keys TO #{user}"
@@ -446,6 +453,7 @@ Note that these migrations require Sequel 4.35.0+.
                  :account_session_keys,
                  :account_activity_times,
                  :account_password_change_times,
+                 :account_email_auth_keys,
                  :account_lockouts,
                  :account_login_failures,
                  :account_remember_keys,
@@ -694,6 +702,7 @@ view the appropriate file in the doc directory.
 * {Confirm Password}[rdoc-ref:doc/confirm_password.rdoc]
 * {Remember}[rdoc-ref:doc/remember.rdoc]
 * {Lockout}[rdoc-ref:doc/lockout.rdoc]
+* {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
 * {OTP}[rdoc-ref:doc/otp.rdoc]
 * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
 * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
@@ -758,7 +767,7 @@ inside a matching routing tree branch:
 
   plugin :rodauth do
     enable :login, :logout
-    prefix "auth"
+    prefix "/auth"
   end
 
   route do |r|
@@ -819,10 +828,10 @@ logged_in_via_remember_key? :: (remember feature) Whether the current session ha
 check_session_expiration :: (session_expiration feature) Check whether the current
                             session has expired, automatically logging the session
                             out if so.
-check_single_session :: (single_session expiration) Check whether the current
+check_single_session :: (single_session feature) Check whether the current
                         session is still the only valid session, automatically logging
                         the session out if not.
-verified_account? :: (verify_grace_period extension) Whether the account is currently
+verified_account? :: (verify_grace_period feature) Whether the account is currently
                      verified.  If false, it is because the account is allowed to
                      login as they are in the grace period.
 locked_out? :: (lockout feature) Whether the account for the current session has been
@@ -1029,12 +1038,12 @@ If you want to support but not require 2 factor authentication:
   end
 
 If you want to force all users to use OTP authentication, requiring users
-that don't currently have an account to set one up:
+that don't currently have two authentication to set it up:
 
   route do |r|
     r.rodauth
     rodauth.require_authentication
-    rodauth.require_two_factor_authentication_setup
+    rodauth.require_two_factor_setup
 
     # ...
   end

data/doc/base.rdoc

@@ -114,8 +114,8 @@ account_session_value :: The primary value of the account currently stored in th
 already_logged_in :: What action to take if you are already logged in and attempt
                      to access a page that only makes sense if you are not logged in.
 authenticated? :: Whether the user has been authenticated. If 2 factor authentication
-                  has not been enabled for the account, this is true only if both
-                  factors have been authenticated.
+                  has been enabled for the account, this is true only if both factors
+                  have been authenticated.
 clear_session :: Clears the current session.
 csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
 function_name(name) :: The name of the database function to call.  It's passed either

data/doc/email_auth.rdoc

@@ -0,0 +1,53 @@
+= Documentation for Email Auth Feature
+
+The email auth feature implements login using links sent via email.  It is
+very similar to the email auth feature, except you don't need to update
+a password, or even have a password to login.  Depends on the login and
+email_base features.
+
+== Auth Value Methods
+
+email_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth login form.
+email_auth_email_recently_sent_error_flash :: The flash error to show if not sending an email auth email because another was sent recently.
+email_auth_email_recently_sent_redirect :: Where to redirect after not sending an email auth email because another was sent recently.
+email_auth_deadline_column :: The column name in the email auth keys table storing the deadline after which the token will be ignored.
+email_auth_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if set_deadline_values? is true.
+email_auth_email_sent_notice_flash :: The flash notice to show after an email auth email has been sent.
+email_auth_email_sent_redirect :: Where to redirect after sending an email auth email.
+email_auth_email_subject :: The subject to use for email auth emails.
+email_auth_error_flash :: The flash error to show if unable to login using email authentication.
+email_auth_id_column :: The id column in the email auth keys table, should be a foreign key referencing the accounts table.
+email_auth_key_column :: The email auth key/token column in the email auth keys table.
+email_auth_key_param :: The parameter name to use for the email auth key.
+email_auth_last_column :: The email auth last sent column in the email auth keys table, storing the last time the email was sent. Set to nil to always send an email when requested.
+email_auth_request_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth request form.
+email_auth_request_button :: The text to use for the email auth request button.
+email_auth_request_error_flash :: The flash error to show if not able to send an email auth email.
+email_auth_request_route :: The route to the email auth request action.  Defaults to +email-auth-request+.
+email_auth_route :: The route to the email auth action. Defaults to +email-auth+.
+email_auth_session_key :: The key in the session to hold the email auth key temporarily.
+email_auth_skip_resend_within :: The number of seconds before sending another email auth email.
+email_auth_table :: The name of the email auth keys table.
+force_email_auth? :: Whether email auth should be forced for the account.  By default, email auth is forced if the account does not have a password.
+no_matching_email_auth_key_message :: The flash error message to show if attempting to access the email auth form with an invalid key.
+
+== Auth Methods
+
+account_from_email_auth_key(key) :: Retrieve the account using the given email auth key, or return nil if no account matches.
+after_email_auth_request :: Run arbitrary code after sending the email auth email.
+before_email_auth_request :: Run arbitrary code before sending the email auth email.
+before_email_auth_request_route :: Run arbitrary code before handling an email auth request route.
+before_email_auth_route :: Run arbitrary code before handling an email auth route.
+create_email_auth_email :: A Mail::Message for the email auth email.
+create_email_auth_key :: Add the email auth key data to the database.
+email_auth_email_body :: The body to use for the email auth email.
+email_auth_email_link :: The link to the email auth form in the email auth email.
+email_auth_key_insert_hash :: The hash to insert into the email auth keys table.
+email_auth_key_value :: The email auth key for the current account.
+email_auth_request_form :: The HTML to use for a form to request an email auth email, shown on the login page after the user submits their login, if +force_email_auth?+ is false.
+email_auth_view :: The HTML to use for the email auth form.
+get_email_auth_key(id) :: Get the email auth key for the given account id from the database.
+get_email_auth_email_last_sent :: Get the last time an email auth email is sent, or nil if there is no last sent time.
+remove_email_auth_key :: Remove the email auth key for the current account, run after successful email auth.
+send_email_auth_email :: Send the email auth email.
+set_email_auth_email_last_sent :: Set the last time an email auth email is sent.  This is only called if there is a previous email auth token still active.

data/doc/email_base.rdoc

@@ -5,6 +5,10 @@ that requires sending emails.
 
 == Auth Value Methods
 
+default_post_email_redirect :: Where to redirect after sending an email. This is the default
+                               redirect location for all redirects after an email is sent when the
+                               account is not logged in.  Also includes cases where an email is not
+                               sent due to rate limiting.
 email_from :: The from address to use for emails sent by Rodauth.
 email_subject_prefix :: The prefix to use for email subjects 
 require_mail? :: Set to false to not require mail, useful if using a different

data/doc/internals.rdoc

@@ -166,9 +166,9 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
       # route defines a route used for the feature.  This is the code that will be executed
       # if a user goes to /foo in the Roda app.
       route do |r|
-        # Inside the block, you are in the context of the Roda instance, just as you would
-        # be inside a Roda route block.  r is the RodaRequest instance, just as it would
-        # be for a Roda route block.
+        # Inside the block, you are in the context of the Rodauth::Auth subclass instance.
+        # r is the Roda::RodaRequest subclass instance, just as it would be for a Roda
+        # route block.
 
         # route adds a before_foo_route method that by default does nothing. It also
         # adds a configuration method that you can call to set behavior that will be

data/doc/lockout.rdoc

@@ -8,78 +8,58 @@ unlock via an email sent to them.
 
 == Auth Value Methods
 
-account_lockouts_id_column :: The id column in the account lockouts table,
-                              should be a foreign key referencing the accounts
-                              table.
-account_lockouts_deadline_column :: The deadline column in the account lockouts
-                                    table, containing how long the account is
-                                    locked out until.
-account_lockouts_deadline_interval :: The amount of time for which to lock out accounts,
-                                      1 day by default. Only used if set_deadline_values?
-                                      is true.
+account_lockouts_id_column :: The id column in the account lockouts table, should be a foreign key referencing the accounts table.
+account_lockouts_deadline_column :: The deadline column in the account lockouts table, containing how long the account is locked out until.
+account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if set_deadline_values?  is true.
+account_lockouts_email_last_sent_column :: The email last sent column in the account lockouts table.  nil by default, so an unlock account email is always sent when requested by default.
 account_lockouts_key_column :: The unlock key column in the account lockouts table.
 account_lockouts_table :: The table containing account lockout information.
-account_login_failures_id_column :: The id column in the account login failures table,
-                                    should be a foreign key referencing the accounts
-                                    table.
-account_login_failures_number_column :: The column in the account login failures table
-                                        containing the number of login failures for the
-                                        account.
-account_login_failures_table :: The table containing number of login failures
-                                per account.
-login_lockout_error_flash :: The flash error to show if there if the account is or becomes
-                             locked out after a login attempt.
-max_invalid_logins :: The maximum number of failed logins before account lockout. As this
-                      feature is just designed for bruteforce protection, this is set to
-                      100.
-unlock_account_additional_form_tags :: HTML fragment with additional form tags to use
-                                       on the unlock account form.
+account_login_failures_id_column :: The id column in the account login failures table, should be a foreign key referencing the accounts table.
+account_login_failures_number_column :: The column in the account login failures table containing the number of login failures for the account.
+account_login_failures_table :: The table containing number of login failures per account.
+login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
+max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this is set to 100.
+unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
 unlock_account_autologin? :: Whether to autologin users after successful account unlock.
 unlock_account_button :: The text to use on the unlock account button.
+unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
+unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
 unlock_account_email_subject :: The subject to use for the unlock account email.
 unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
 unlock_account_key_param :: The parameter name to use for the unlock account key.
 unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
 unlock_account_redirect :: Where to redirect after successful account unlock.
-unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use
-                                               on the form to request an account unlock.
+unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
 unlock_account_request_button :: The text to use on the unlock account request button.
-unlock_account_request_notice_flash :: The flash notice to display upon successful sending of
-                                       the unlock account email.
+unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
 unlock_account_request_redirect :: Where to redirect after account unlock email is sent.
-unlock_account_request_route :: The route to the unlock account request action.
-                                Defaults to +unlock-account-request+.
-unlock_account_requires_password? :: Whether a password is required when unlocking accounts,
-                                     false by default.  May want to set to true if not
-                                     allowing password resets.
+unlock_account_request_route :: The route to the unlock account request action.  Defaults to +unlock-account-request+.
+unlock_account_requires_password? :: Whether a password is required when unlocking accounts, false by default.  May want to set to true if not allowing password resets.
 unlock_account_route :: Alias for lockout_route.
 unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
+unlock_account_skip_resend_email_within :: The number of seconds before sending another unlock account email, if +account_lockouts_email_last_sent_column+ is set.
 
 == Auth Methods
 
-account_from_unlock_key(key) :: Retrieve the account using the given verify
-                                account key, or return nil if no account
-                                matches. 
+account_from_unlock_key(key) :: Retrieve the account using the given verify account key, or return nil if no account matches. 
+after_account_lockout :: Run arbitrary code after an account has been locked out.
 after_unlock_account :: Run arbitrary code after a successful account unlock.
-after_unlock_account_request :: Run arbitrary code after a successful account
-                                unlock request.
+after_unlock_account_request :: Run arbitrary code after a successful account unlock request.
 before_unlock_account :: Run arbitrary code before unlocking an account.
-before_unlock_account_request :: Run arbitrary code before sending an account
-                                 unlock email.
-before_lockout_route :: Run arbitrary code before handling an unlock account route. 
-clear_invalid_login_attempts :: Clear any stored login failures or lockouts for
-                                the current account.
+before_unlock_account_request :: Run arbitrary code before sending an account unlock email.
+before_unlock_account_request_route :: Run arbitrary code before handling an account unlock request route.
+before_unlock_account_route :: Run arbitrary code before handling an unlock account route. 
+clear_invalid_login_attempts :: Clear any stored login failures or lockouts for the current account.
 create_unlock_account_email :: A Mail::Message for the account unlock email to send.
 generate_unlock_account_key :: A random string to use for a new unlock account key.
+get_unlock_account_email_last_sent :: Get the last time an unlock_account email is sent, or nil if there is no last sent time.
 get_unlock_account_key :: Retrieve the unlock account key for the current account.
-invalid_login_attempt :: Record an invalid login attempt, incrementing the
-                         number of login failures, and possibly locking out
-                         the account.
+invalid_login_attempt :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
 locked_out? :: Whether the current account is locked out.
 send_unlock_account_email :: Send the account unlock email.
+set_unlock_account_email_last_sent :: Set the last time an unlock_account email is sent.
 unlock_account_email_body :: The body to use for the unlock account email.
-unlock_account_email_link :: The link to the unlock account form to include in the
-                             unlock account email.
+unlock_account_email_link :: The link to the unlock account form to include in the unlock account email.
 unlock_account :: Unlock the account.
 unlock_account_key :: The unlock account key for the current account.
 unlock_account_request_view :: The HTML to use for the unlock account request form.

data/doc/login.rdoc

@@ -5,16 +5,16 @@ used feature.
 
 == Auth Value Methods
 
-login_additional_form_tags :: HTML fragment containing additional form
-                              tags to use on the login form.
+login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
 login_button :: The text to use for the login button.
 login_error_flash :: The flash error to show for an unsuccesful login.
-login_error_status :: The response status to use when using an invalid
-                      login or password to login, 401 by default.
+login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
 login_form_footer :: A message to display after the login form.
+login_need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
 login_notice_flash :: The flash notice to show after successful login.
 login_redirect :: Where to redirect after a sucessful login.
 login_route :: The route to the login action. Defaults to +login+.
+use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default.
 
 == Auth Methods
 

data/doc/otp.rdoc

@@ -51,8 +51,6 @@ otp_lockout_redirect :: Where to redirect if going to OTP authentication page an
                         authentication has been locked out.
 otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked
                            out due to numerous authentication failures.
-otp_modifications_require_password? :: Whether modifying OTP settings requires reentering the
-                                       password for the account, true by default.
 otp_session_key :: The session key used to store whether the user has authenticated via OTP.
 otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up
                                   OTP authentication.
@@ -69,7 +67,7 @@ after_otp_authentication_failure :: Run arbitrary code after OTP authentication
 after_otp_disable :: Run arbitrary code after OTP authentication has been disabled.
 after_otp_setup :: Run arbitrary code after OTP authentication has been setup.
 before_otp_authentication :: Run arbitrary code before OTP authentication.
-before_otp_authentication_route :: Run arbitrary code before handling an OTP authentication route.
+before_otp_auth_route :: Run arbitrary code before handling an OTP authentication route.
 before_otp_setup :: Run arbitrary code before OTP authentication setup.
 before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
 before_otp_disable :: Run arbitrary code before OTP authentication disabling.

data/doc/release_notes/1.19.0.txt

@@ -0,0 +1,116 @@
+= New Features
+
+* An email_auth feature has been added, which allows passwordless
+  logins using links sent via email.  This allows usage without any
+  password storage.  If the user does not have a password, when they
+  submit their login, they are sent a link via email.  If the user
+  has a password, they have the option of either entering their
+  password or being sent a link via email.
+
+* A use_multi_phase_login? configuration method has been added.  If
+  this configuration method is set to true, a two-phase login is used,
+  which the login form only has a field for a user's login.  After the
+  login form has been submitted (assuming there is a valid login), a
+  form is displayed with a field for the password.
+
+* Optional email rate limiting is now supported in the lockout,
+  reset_password, and verify_account features, using the following
+  configuration methods:
+
+  * account_lockouts_email_last_sent_column
+  * reset_password_email_last_sent_column
+  * verify_account_email_last_sent_column
+
+  These methods are nil by default.  To enable rate limiting, set
+  these to a symbol representing the column name in the appropriate
+  table.  The recommended column name is email_last_sent.  To use
+  this feature, you'll have to add this column to the appropriate
+  tables:
+
+    DB.add_column :account_lockouts, :email_last_sent, DateTime
+    DB.add_column :account_password_reset_keys, :email_last_sent, DateTime,
+      :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    DB.add_column :account_verification_keys, :email_last_sent, DateTime,
+      :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+
+  When this support is enabled, by default Rodauth will not send
+  an email if an email has been sent within the last 5 minutes. You
+  can change this time period using the following configuration
+  methods, which take the number of seconds that must have elapsed
+  before sending another email:
+
+  * unlock_account_skip_resend_email_within
+  * reset_password_skip_resend_email_within
+  * verify_account_skip_resend_email_within
+
+  The new email_auth feature also supports email rate limiting, and
+  because there are no backwards compatibility issues, the support
+  is enabled by default.
+
+* An after_account_lockout configuration method has been added,
+  which is called directly after locking out an account.  This can
+  be useful for audit logging.
+
+* A default_post_email_redirect configuration has been added, which
+  sets the default for all redirects after emailing if the account
+  is not currently logged in.  Each individual feature that emails
+  still supports the appropriate *_redirect configuration method
+  for specifying behavior for that feature.
+
+* A verify_login_change_duplicate_account_redirect configuration
+  method has been added for where to redirect if a user attempts
+  a login change where the new proposed login already exists.
+
+* before_verify_login_change_email and after_verify_login_change_email
+  configuration methods have been added for executing code before
+  or after the verify login change email is sent.
+
+= Other Improvements
+
+* When using the verify_login_change feature, Rodauth now checks
+  that the new login is not already taken and fails in a more
+  graceful manner.  Previously, Rodauth would not report an
+  error when the login change was requested, and would raise an
+  exception when attempting to verify the login change due to the
+  violation of a uniqueness constraint.
+
+* Rodauth now avoids unnecessary database queries when using the
+  two factor authentication support and the following methods:
+
+  * authenticated?
+  * require_authentication
+  * require_two_factor_setup
+
+* The otp-setup template now looks nicer when using both Bootstrap
+  3 and 4, especially on small screens such as phones.
+
+* If the database_type was not MySQL, the lockout, remember, and
+  reset_password features no longer disable the requiring of the
+  date_arithmetic Sequel extension if another feature that
+  requires the extension is used.
+
+* On MySQL, the rodauth_get_salt database function definition now
+  handles accounts without passwords.  If you previously added the
+  database function and want to support accounts without passwords,
+  then you should drop the function and re-add it via:
+
+    Rodauth.drop_database_authentication_functions(DB)
+    Rodauth.create_database_authentication_functions(DB)
+
+  Note that MySQL does not support CREATE OR REPLACE FUNCTION, so
+  you have to drop the function and then create it, which will
+  temporarily result in the function not being defined.
+
+= Backwards Compatibility
+
+* The before_otp_authentication_route configuration method is
+  deprecated, please switch to before_otp_auth_route instead. This
+  change is made so that before_*_route method names are consistent
+  with the route name.
+
+* The verify_account_email_sent_redirect configuration method now
+  defaults to / instead of /login.  If you were previously not
+  setting this configuration method and would like it to default to
+  /login, you will now have to force the setting:
+
+    verify_account_email_sent_redirect '/login'