rodauth 1.18.0 → 1.19.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +24 -0
- data/README.rdoc +20 -11
- data/doc/base.rdoc +2 -2
- data/doc/email_auth.rdoc +53 -0
- data/doc/email_base.rdoc +4 -0
- data/doc/internals.rdoc +3 -3
- data/doc/lockout.rdoc +28 -48
- data/doc/login.rdoc +4 -4
- data/doc/otp.rdoc +1 -3
- data/doc/release_notes/1.19.0.txt +116 -0
- data/doc/reset_password.rdoc +29 -49
- data/doc/verify_account.rdoc +30 -50
- data/doc/verify_login_change.rdoc +4 -0
- data/lib/rodauth/features/base.rb +0 -1
- data/lib/rodauth/features/change_login.rb +4 -0
- data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
- data/lib/rodauth/features/email_auth.rb +253 -0
- data/lib/rodauth/features/email_base.rb +2 -0
- data/lib/rodauth/features/lockout.rb +35 -6
- data/lib/rodauth/features/login.rb +46 -9
- data/lib/rodauth/features/otp.rb +8 -4
- data/lib/rodauth/features/recovery_codes.rb +0 -2
- data/lib/rodauth/features/remember.rb +1 -1
- data/lib/rodauth/features/reset_password.rb +32 -4
- data/lib/rodauth/features/sms_codes.rb +2 -8
- data/lib/rodauth/features/two_factor_base.rb +22 -15
- data/lib/rodauth/features/verify_account.rb +27 -1
- data/lib/rodauth/features/verify_login_change.rb +30 -7
- data/lib/rodauth/migrations.rb +2 -8
- data/lib/rodauth/version.rb +1 -1
- data/spec/email_auth_spec.rb +285 -0
- data/spec/lockout_spec.rb +24 -2
- data/spec/login_spec.rb +47 -1
- data/spec/migrate/001_tables.rb +13 -0
- data/spec/migrate_travis/001_tables.rb +10 -0
- data/spec/reset_password_spec.rb +20 -2
- data/spec/two_factor_spec.rb +46 -0
- data/spec/verify_account_grace_period_spec.rb +1 -1
- data/spec/verify_account_spec.rb +33 -3
- data/spec/verify_login_change_spec.rb +54 -1
- data/templates/email-auth-email.str +5 -0
- data/templates/email-auth-request-form.str +7 -0
- data/templates/email-auth.str +5 -0
- data/templates/login-display.str +4 -0
- data/templates/login.str +2 -2
- data/templates/otp-setup.str +13 -11
- metadata +12 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e6334a653be69dad1d434d2792e8b5eda787fa69e13cd45f83fbe23cd7ab7865
|
4
|
+
data.tar.gz: 5854eaa491e9887bfe5d934937bd249c5b063a621a24e3817aef51330b6bbe1f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0e293f83da80d612f95bbd04da5b58d20f5a3d92c4c24f6fab1b50c595f677862e4c06e3261a08c5063dcad4e491b4073f6e40942191aec8cbb6d32f94bd9cd8
|
7
|
+
data.tar.gz: 8ca62fd8ece8fbeef61e7f3c658e987d29cba79195aa8fff1dff3a0a99576fa557ce1ec19a22de7a09a7d850627532ab79083f24e61aa891460854fbd843d4e7
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,27 @@
|
|
1
|
+
=== 1.19.0 (2018-11-16)
|
2
|
+
|
3
|
+
* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
|
4
|
+
|
5
|
+
* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
|
6
|
+
|
7
|
+
* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
|
8
|
+
|
9
|
+
* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
|
10
|
+
|
11
|
+
* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
|
12
|
+
|
13
|
+
* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
|
14
|
+
|
15
|
+
* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
|
16
|
+
|
17
|
+
* Add email_auth feature, for authentication using links sent via email (jeremyevans)
|
18
|
+
|
19
|
+
* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
|
20
|
+
|
21
|
+
* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
|
22
|
+
|
23
|
+
* Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
|
24
|
+
|
1
25
|
=== 1.18.0 (2018-07-18)
|
2
26
|
|
3
27
|
* Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
|
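Review bot: the entry "Gracefully handle failure when new login is already taken in the verify_login_change feature" does not name the new verify_login_change_duplicate_account_redirect configuration method that the 1.19.0 release notes in this same diff document; users who scan the CHANGELOG for new configuration methods will miss it, so consider adding it here alongside the other "Add ... configuration method" entries.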
data/README.rdoc
CHANGED
@@ -26,6 +26,7 @@ hashes by protecting access via database functions.
|
|
26
26
|
* Confirm Password
|
27
27
|
* Remember (Autologin via token)
|
28
28
|
* Lockout (Bruteforce protection)
|
29
|
+
* Email Authentication (Login via email link)
|
29
30
|
* OTP (2 factor authentication via TOTP)
|
30
31
|
* Recovery Codes (2 factor authentication via backup codes)
|
31
32
|
* SMS Codes (2 factor authentication via SMS)
|
@@ -151,12 +152,6 @@ The database superuser account is used to load extensions related to the
|
|
151
152
|
database. The application should never be run using the database
|
152
153
|
superuser account.
|
153
154
|
|
154
|
-
Note that there is not a simple way to use multiple database accounts in
|
155
|
-
the same PostgreSQL database on Heroku. You can still use Rodauth on
|
156
|
-
Heroku, it just won't have the same security benefits. That's not to say
|
157
|
-
it is insecure, just that it drops the security level for password hash
|
158
|
-
storage to the same level as other common authentication solutions.
|
159
|
-
|
160
155
|
=== Create database accounts
|
161
156
|
|
162
157
|
If you are currently running your application using the database superuser
|
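Review bot: deleting the Heroku paragraph removes the README's only guidance for deployments that cannot use two PostgreSQL accounts, while the preceding lines still state that the application must never run as the superuser. If the paragraph was removed because the limitation no longer applies, say so in the CHANGELOG; otherwise keep a short note that Rodauth still works with a single database account, just without the extra protection for password hash storage, so readers on such platforms know what they are giving up.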
@@ -333,6 +328,7 @@ Note that these migrations require Sequel 4.35.0+.
|
|
333
328
|
foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
|
334
329
|
String :key, :null=>false
|
335
330
|
DateTime :deadline, deadline_opts[1]
|
331
|
+
DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
336
332
|
end
|
337
333
|
|
338
334
|
# Used by the account verification feature
|
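Review bot: this adds `DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP` to the password reset keys table, but the release notes in this diff say reset_password_email_last_sent_column is nil by default, so the column is populated by the default and never consulted unless that configuration method is also set. A one-line comment above the column (as the hunk already does for the email auth table) saying it is optional and only used when reset_password_email_last_sent_column is configured would stop users from assuming the migration alone turns on rate limiting; the same applies to the verification keys table in the next hunk.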
@@ -340,6 +336,7 @@ Note that these migrations require Sequel 4.35.0+.
|
|
340
336
|
foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
|
341
337
|
String :key, :null=>false
|
342
338
|
DateTime :requested_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
339
|
+
DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
343
340
|
end
|
344
341
|
|
345
342
|
# Used by the verify login change feature
|
@@ -366,6 +363,15 @@ Note that these migrations require Sequel 4.35.0+.
|
|
366
363
|
foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
|
367
364
|
String :key, :null=>false
|
368
365
|
DateTime :deadline, deadline_opts[1]
|
366
|
+
DateTime :email_last_sent
|
367
|
+
end
|
368
|
+
|
369
|
+
# Used by the email auth feature
|
370
|
+
create_table(:account_email_auth_keys) do
|
371
|
+
foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
|
372
|
+
String :key, :null=>false
|
373
|
+
DateTime :deadline, deadline_opts[1]
|
374
|
+
DateTime :email_last_sent, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
369
375
|
end
|
370
376
|
|
371
377
|
# Used by the password expiration feature
|
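Review bot: `DateTime :email_last_sent` on the account lockouts table is nullable with no default, while the same column on the reset, verification and new email auth tables is NOT NULL with CURRENT_TIMESTAMP. The asymmetry is presumably deliberate (a lockout row is created when the account is locked, before any unlock email has been sent), but a short comment would save readers from filing it as an oversight. Separately, the new account_email_auth_keys table stores a single-use login token in `String :key` with a deadline, so it deserves the same care in the GRANT and drop_table lists below as the other key tables, which the later hunks do provide.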
@@ -430,6 +436,7 @@ Note that these migrations require Sequel 4.35.0+.
|
|
430
436
|
run "GRANT ALL ON account_remember_keys TO #{user}"
|
431
437
|
run "GRANT ALL ON account_login_failures TO #{user}"
|
432
438
|
run "GRANT ALL ON account_lockouts TO #{user}"
|
439
|
+
run "GRANT ALL ON account_email_auth_keys TO #{user}"
|
433
440
|
run "GRANT ALL ON account_password_change_times TO #{user}"
|
434
441
|
run "GRANT ALL ON account_activity_times TO #{user}"
|
435
442
|
run "GRANT ALL ON account_session_keys TO #{user}"
|
@@ -446,6 +453,7 @@ Note that these migrations require Sequel 4.35.0+.
|
|
446
453
|
:account_session_keys,
|
447
454
|
:account_activity_times,
|
448
455
|
:account_password_change_times,
|
456
|
+
:account_email_auth_keys,
|
449
457
|
:account_lockouts,
|
450
458
|
:account_login_failures,
|
451
459
|
:account_remember_keys,
|
@@ -694,6 +702,7 @@ view the appropriate file in the doc directory.
|
|
694
702
|
* {Confirm Password}[rdoc-ref:doc/confirm_password.rdoc]
|
695
703
|
* {Remember}[rdoc-ref:doc/remember.rdoc]
|
696
704
|
* {Lockout}[rdoc-ref:doc/lockout.rdoc]
|
705
|
+
* {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
|
697
706
|
* {OTP}[rdoc-ref:doc/otp.rdoc]
|
698
707
|
* {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
|
699
708
|
* {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
|
@@ -758,7 +767,7 @@ inside a matching routing tree branch:
|
|
758
767
|
|
759
768
|
plugin :rodauth do
|
760
769
|
enable :login, :logout
|
761
|
-
prefix "auth"
|
770
|
+
prefix "/auth"
|
762
771
|
end
|
763
772
|
|
764
773
|
route do |r|
|
@@ -819,10 +828,10 @@ logged_in_via_remember_key? :: (remember feature) Whether the current session ha
|
|
819
828
|
check_session_expiration :: (session_expiration feature) Check whether the current
|
820
829
|
session has expired, automatically logging the session
|
821
830
|
out if so.
|
822
|
-
check_single_session :: (single_session
|
831
|
+
check_single_session :: (single_session feature) Check whether the current
|
823
832
|
session is still the only valid session, automatically logging
|
824
833
|
the session out if not.
|
825
|
-
verified_account? :: (verify_grace_period
|
834
|
+
verified_account? :: (verify_grace_period feature) Whether the account is currently
|
826
835
|
verified. If false, it is because the account is allowed to
|
827
836
|
login as they are in the grace period.
|
828
837
|
locked_out? :: (lockout feature) Whether the account for the current session has been
|
@@ -1029,12 +1038,12 @@ If you want to support but not require 2 factor authentication:
|
|
1029
1038
|
end
|
1030
1039
|
|
1031
1040
|
If you want to force all users to use OTP authentication, requiring users
|
1032
|
-
that don't currently have
|
1041
|
+
that don't currently have two authentication to set it up:
|
1033
1042
|
|
1034
1043
|
route do |r|
|
1035
1044
|
r.rodauth
|
1036
1045
|
rodauth.require_authentication
|
1037
|
-
rodauth.
|
1046
|
+
rodauth.require_two_factor_setup
|
1038
1047
|
|
1039
1048
|
# ...
|
1040
1049
|
end
|
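Review bot: the completed sentence now reads "that don't currently have two authentication to set it up"; it should say "two factor authentication" to match the heading and the rest of the README.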
data/doc/base.rdoc
CHANGED
@@ -114,8 +114,8 @@ account_session_value :: The primary value of the account currently stored in th
|
|
114
114
|
already_logged_in :: What action to take if you are already logged in and attempt
|
115
115
|
to access a page that only makes sense if you are not logged in.
|
116
116
|
authenticated? :: Whether the user has been authenticated. If 2 factor authentication
|
117
|
-
has
|
118
|
-
|
117
|
+
has been enabled for the account, this is true only if both factors
|
118
|
+
have been authenticated.
|
119
119
|
clear_session :: Clears the current session.
|
120
120
|
csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
|
121
121
|
function_name(name) :: The name of the database function to call. It's passed either
|
data/doc/email_auth.rdoc
ADDED
@@ -0,0 +1,53 @@
|
|
1
|
+
= Documentation for Email Auth Feature
|
2
|
+
|
3
|
+
The email auth feature implements login using links sent via email. It is
|
4
|
+
very similar to the email auth feature, except you don't need to update
|
5
|
+
a password, or even have a password to login. Depends on the login and
|
6
|
+
email_base features.
|
7
|
+
|
8
|
+
== Auth Value Methods
|
9
|
+
|
10
|
+
email_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth login form.
|
11
|
+
email_auth_email_recently_sent_error_flash :: The flash error to show if not sending an email auth email because another was sent recently.
|
12
|
+
email_auth_email_recently_sent_redirect :: Where to redirect after not sending an email auth email because another was sent recently.
|
13
|
+
email_auth_deadline_column :: The column name in the email auth keys table storing the deadline after which the token will be ignored.
|
14
|
+
email_auth_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if set_deadline_values? is true.
|
15
|
+
email_auth_email_sent_notice_flash :: The flash notice to show after an email auth email has been sent.
|
16
|
+
email_auth_email_sent_redirect :: Where to redirect after sending an email auth email.
|
17
|
+
email_auth_email_subject :: The subject to use for email auth emails.
|
18
|
+
email_auth_error_flash :: The flash error to show if unable to login using email authentication.
|
19
|
+
email_auth_id_column :: The id column in the email auth keys table, should be a foreign key referencing the accounts table.
|
20
|
+
email_auth_key_column :: The email auth key/token column in the email auth keys table.
|
21
|
+
email_auth_key_param :: The parameter name to use for the email auth key.
|
22
|
+
email_auth_last_column :: The email auth last sent column in the email auth keys table, storing the last time the email was sent. Set to nil to always send an email when requested.
|
23
|
+
email_auth_request_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth request form.
|
24
|
+
email_auth_request_button :: The text to use for the email auth request button.
|
25
|
+
email_auth_request_error_flash :: The flash error to show if not able to send an email auth email.
|
26
|
+
email_auth_request_route :: The route to the email auth request action. Defaults to +email-auth-request+.
|
27
|
+
email_auth_route :: The route to the email auth action. Defaults to +email-auth+.
|
28
|
+
email_auth_session_key :: The key in the session to hold the email auth key temporarily.
|
29
|
+
email_auth_skip_resend_within :: The number of seconds before sending another email auth email.
|
30
|
+
email_auth_table :: The name of the email auth keys table.
|
31
|
+
force_email_auth? :: Whether email auth should be forced for the account. By default, email auth is forced if the account does not have a password.
|
32
|
+
no_matching_email_auth_key_message :: The flash error message to show if attempting to access the email auth form with an invalid key.
|
33
|
+
|
34
|
+
== Auth Methods
|
35
|
+
|
36
|
+
account_from_email_auth_key(key) :: Retrieve the account using the given email auth key, or return nil if no account matches.
|
37
|
+
after_email_auth_request :: Run arbitrary code after sending the email auth email.
|
38
|
+
before_email_auth_request :: Run arbitrary code before sending the email auth email.
|
39
|
+
before_email_auth_request_route :: Run arbitrary code before handling an email auth request route.
|
40
|
+
before_email_auth_route :: Run arbitrary code before handling an email auth route.
|
41
|
+
create_email_auth_email :: A Mail::Message for the email auth email.
|
42
|
+
create_email_auth_key :: Add the email auth key data to the database.
|
43
|
+
email_auth_email_body :: The body to use for the email auth email.
|
44
|
+
email_auth_email_link :: The link to the email auth form in the email auth email.
|
45
|
+
email_auth_key_insert_hash :: The hash to insert into the email auth keys table.
|
46
|
+
email_auth_key_value :: The email auth key for the current account.
|
47
|
+
email_auth_request_form :: The HTML to use for a form to request an email auth email, shown on the login page after the user submits their login, if +force_email_auth?+ is false.
|
48
|
+
email_auth_view :: The HTML to use for the email auth form.
|
49
|
+
get_email_auth_key(id) :: Get the email auth key for the given account id from the database.
|
50
|
+
get_email_auth_email_last_sent :: Get the last time an email auth email is sent, or nil if there is no last sent time.
|
51
|
+
remove_email_auth_key :: Remove the email auth key for the current account, run after successful email auth.
|
52
|
+
send_email_auth_email :: Send the email auth email.
|
53
|
+
set_email_auth_email_last_sent :: Set the last time an email auth email is sent. This is only called if there is a previous email auth token still active.
|
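Review bot: a few copy-paste leftovers in the new documentation. The introduction says the feature "is very similar to the email auth feature", i.e. to itself; given the following clause about not needing to update a password, the intended comparison is presumably the reset password feature. email_auth_deadline_interval is described as "the amount of time for which to allow users to reset their passwords", which should describe how long the emailed login link stays valid. The names email_auth_skip_resend_within and email_auth_last_column do not follow the pattern used by the other features in this release (unlock_account_skip_resend_email_within, account_lockouts_email_last_sent_column); please check them against the method names in features/email_auth.rb. Finally, "the last time an email auth email is sent" in get_email_auth_email_last_sent and set_email_auth_email_last_sent reads better as "was sent".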
data/doc/email_base.rdoc
CHANGED
@@ -5,6 +5,10 @@ that requires sending emails.
|
|
5
5
|
|
6
6
|
== Auth Value Methods
|
7
7
|
|
8
|
+
default_post_email_redirect :: Where to redirect after sending an email. This is the default
|
9
|
+
redirect location for all redirects after an email is sent when the
|
10
|
+
account is not logged in. Also includes cases where an email is not
|
11
|
+
sent due to rate limiting.
|
8
12
|
email_from :: The from address to use for emails sent by Rodauth.
|
9
13
|
email_subject_prefix :: The prefix to use for email subjects
|
10
14
|
require_mail? :: Set to false to not require mail, useful if using a different
|
data/doc/internals.rdoc
CHANGED
@@ -166,9 +166,9 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
|
|
166
166
|
# route defines a route used for the feature. This is the code that will be executed
|
167
167
|
# if a user goes to /foo in the Roda app.
|
168
168
|
route do |r|
|
169
|
-
# Inside the block, you are in the context of the
|
170
|
-
#
|
171
|
-
#
|
169
|
+
# Inside the block, you are in the context of the Rodauth::Auth subclass instance.
|
170
|
+
# r is the Roda::RodaRequest subclass instance, just as it would be for a Roda
|
171
|
+
# route block.
|
172
172
|
|
173
173
|
# route adds a before_foo_route method that by default does nothing. It also
|
174
174
|
# adds a configuration method that you can call to set behavior that will be
|
data/doc/lockout.rdoc
CHANGED
@@ -8,78 +8,58 @@ unlock via an email sent to them.
|
|
8
8
|
|
9
9
|
== Auth Value Methods
|
10
10
|
|
11
|
-
account_lockouts_id_column :: The id column in the account lockouts table,
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
table, containing how long the account is
|
16
|
-
locked out until.
|
17
|
-
account_lockouts_deadline_interval :: The amount of time for which to lock out accounts,
|
18
|
-
1 day by default. Only used if set_deadline_values?
|
19
|
-
is true.
|
11
|
+
account_lockouts_id_column :: The id column in the account lockouts table, should be a foreign key referencing the accounts table.
|
12
|
+
account_lockouts_deadline_column :: The deadline column in the account lockouts table, containing how long the account is locked out until.
|
13
|
+
account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if set_deadline_values? is true.
|
14
|
+
account_lockouts_email_last_sent_column :: The email last sent column in the account lockouts table. nil by default, so an unlock account email is always sent when requested by default.
|
20
15
|
account_lockouts_key_column :: The unlock key column in the account lockouts table.
|
21
16
|
account_lockouts_table :: The table containing account lockout information.
|
22
|
-
account_login_failures_id_column :: The id column in the account login failures table,
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
account_login_failures_table :: The table containing number of login failures
|
29
|
-
per account.
|
30
|
-
login_lockout_error_flash :: The flash error to show if there if the account is or becomes
|
31
|
-
locked out after a login attempt.
|
32
|
-
max_invalid_logins :: The maximum number of failed logins before account lockout. As this
|
33
|
-
feature is just designed for bruteforce protection, this is set to
|
34
|
-
100.
|
35
|
-
unlock_account_additional_form_tags :: HTML fragment with additional form tags to use
|
36
|
-
on the unlock account form.
|
17
|
+
account_login_failures_id_column :: The id column in the account login failures table, should be a foreign key referencing the accounts table.
|
18
|
+
account_login_failures_number_column :: The column in the account login failures table containing the number of login failures for the account.
|
19
|
+
account_login_failures_table :: The table containing number of login failures per account.
|
20
|
+
login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
|
21
|
+
max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this is set to 100.
|
22
|
+
unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
|
37
23
|
unlock_account_autologin? :: Whether to autologin users after successful account unlock.
|
38
24
|
unlock_account_button :: The text to use on the unlock account button.
|
25
|
+
unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
|
26
|
+
unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
|
39
27
|
unlock_account_email_subject :: The subject to use for the unlock account email.
|
40
28
|
unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
|
41
29
|
unlock_account_key_param :: The parameter name to use for the unlock account key.
|
42
30
|
unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
|
43
31
|
unlock_account_redirect :: Where to redirect after successful account unlock.
|
44
|
-
unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use
|
45
|
-
on the form to request an account unlock.
|
32
|
+
unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
|
46
33
|
unlock_account_request_button :: The text to use on the unlock account request button.
|
47
|
-
unlock_account_request_notice_flash :: The flash notice to display upon successful sending of
|
48
|
-
the unlock account email.
|
34
|
+
unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
|
49
35
|
unlock_account_request_redirect :: Where to redirect after account unlock email is sent.
|
50
|
-
unlock_account_request_route :: The route to the unlock account request action.
|
51
|
-
|
52
|
-
unlock_account_requires_password? :: Whether a password is required when unlocking accounts,
|
53
|
-
false by default. May want to set to true if not
|
54
|
-
allowing password resets.
|
36
|
+
unlock_account_request_route :: The route to the unlock account request action. Defaults to +unlock-account-request+.
|
37
|
+
unlock_account_requires_password? :: Whether a password is required when unlocking accounts, false by default. May want to set to true if not allowing password resets.
|
55
38
|
unlock_account_route :: Alias for lockout_route.
|
56
39
|
unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
|
40
|
+
unlock_account_skip_resend_email_within :: The number of seconds before sending another unlock account email, if +account_lockouts_email_last_sent_column+ is set.
|
57
41
|
|
58
42
|
== Auth Methods
|
59
43
|
|
60
|
-
account_from_unlock_key(key) :: Retrieve the account using the given verify
|
61
|
-
|
62
|
-
matches.
|
44
|
+
account_from_unlock_key(key) :: Retrieve the account using the given verify account key, or return nil if no account matches.
|
45
|
+
after_account_lockout :: Run arbitrary code after an account has been locked out.
|
63
46
|
after_unlock_account :: Run arbitrary code after a successful account unlock.
|
64
|
-
after_unlock_account_request :: Run arbitrary code after a successful account
|
65
|
-
unlock request.
|
47
|
+
after_unlock_account_request :: Run arbitrary code after a successful account unlock request.
|
66
48
|
before_unlock_account :: Run arbitrary code before unlocking an account.
|
67
|
-
before_unlock_account_request :: Run arbitrary code before sending an account
|
68
|
-
|
69
|
-
|
70
|
-
clear_invalid_login_attempts :: Clear any stored login failures or lockouts for
|
71
|
-
the current account.
|
49
|
+
before_unlock_account_request :: Run arbitrary code before sending an account unlock email.
|
50
|
+
before_unlock_account_request_route :: Run arbitrary code before handling an account unlock request route.
|
51
|
+
before_unlock_account_route :: Run arbitrary code before handling an unlock account route.
|
52
|
+
clear_invalid_login_attempts :: Clear any stored login failures or lockouts for the current account.
|
72
53
|
create_unlock_account_email :: A Mail::Message for the account unlock email to send.
|
73
54
|
generate_unlock_account_key :: A random string to use for a new unlock account key.
|
55
|
+
get_unlock_account_email_last_sent :: Get the last time an unlock_account email is sent, or nil if there is no last sent time.
|
74
56
|
get_unlock_account_key :: Retrieve the unlock account key for the current account.
|
75
|
-
invalid_login_attempt :: Record an invalid login attempt, incrementing the
|
76
|
-
number of login failures, and possibly locking out
|
77
|
-
the account.
|
57
|
+
invalid_login_attempt :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
|
78
58
|
locked_out? :: Whether the current account is locked out.
|
79
59
|
send_unlock_account_email :: Send the account unlock email.
|
60
|
+
set_unlock_account_email_last_sent :: Set the last time an unlock_account email is sent.
|
80
61
|
unlock_account_email_body :: The body to use for the unlock account email.
|
81
|
-
unlock_account_email_link :: The link to the unlock account form to include in the
|
82
|
-
unlock account email.
|
62
|
+
unlock_account_email_link :: The link to the unlock account form to include in the unlock account email.
|
83
63
|
unlock_account :: Unlock the account.
|
84
64
|
unlock_account_key :: The unlock account key for the current account.
|
85
65
|
unlock_account_request_view :: The HTML to use for the unlock account request form.
|
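Review bot: account_from_unlock_key still says "Retrieve the account using the given verify account key"; it should read "unlock account key". While these lines are being reflowed, "if there if the account is or becomes locked out" in login_lockout_error_flash has a doubled "if", account_lockouts_email_last_sent_column says "nil by default, so ... by default" twice in one sentence, and get_unlock_account_email_last_sent / set_unlock_account_email_last_sent should say "was sent" rather than "is sent".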
data/doc/login.rdoc
CHANGED
@@ -5,16 +5,16 @@ used feature.
|
|
5
5
|
|
6
6
|
== Auth Value Methods
|
7
7
|
|
8
|
-
login_additional_form_tags :: HTML fragment containing additional form
|
9
|
-
tags to use on the login form.
|
8
|
+
login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
|
10
9
|
login_button :: The text to use for the login button.
|
11
10
|
login_error_flash :: The flash error to show for an unsuccesful login.
|
12
|
-
login_error_status :: The response status to use when using an invalid
|
13
|
-
login or password to login, 401 by default.
|
11
|
+
login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
|
14
12
|
login_form_footer :: A message to display after the login form.
|
13
|
+
login_need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
|
15
14
|
login_notice_flash :: The flash notice to show after successful login.
|
16
15
|
login_redirect :: Where to redirect after a sucessful login.
|
17
16
|
login_route :: The route to the login action. Defaults to +login+.
|
17
|
+
use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default.
|
18
18
|
|
19
19
|
== Auth Methods
|
20
20
|
|
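Review bot: the new use_multi_phase_login? entry should state the trade-off it introduces. The release notes in this diff say the password form is shown only "assuming there is a valid login", so with this option enabled the login page's response distinguishes existing logins from unknown ones, which the single-form default avoids by returning login_error_status for either case. A sentence noting that, so deployments can weigh it against the usability gain, would be worth adding here rather than leaving it to be discovered.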
data/doc/otp.rdoc
CHANGED
@@ -51,8 +51,6 @@ otp_lockout_redirect :: Where to redirect if going to OTP authentication page an
|
|
51
51
|
authentication has been locked out.
|
52
52
|
otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked
|
53
53
|
out due to numerous authentication failures.
|
54
|
-
otp_modifications_require_password? :: Whether modifying OTP settings requires reentering the
|
55
|
-
password for the account, true by default.
|
56
54
|
otp_session_key :: The session key used to store whether the user has authenticated via OTP.
|
57
55
|
otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up
|
58
56
|
OTP authentication.
|
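Review bot: this removes the otp_modifications_require_password? entry with no replacement visible in this hunk. two_factor_base.rb also changes in this release, so if the method moved to the two factor base documentation, please reference it from here; if the method itself is gone or renamed, that belongs in the Backwards Compatibility section of the release notes, since it controls whether a password is required before OTP settings can be changed and should not disappear from the documentation silently.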
@@ -69,7 +67,7 @@ after_otp_authentication_failure :: Run arbitrary code after OTP authentication
|
|
69
67
|
after_otp_disable :: Run arbitrary code after OTP authentication has been disabled.
|
70
68
|
after_otp_setup :: Run arbitrary code after OTP authentication has been setup.
|
71
69
|
before_otp_authentication :: Run arbitrary code before OTP authentication.
|
72
|
-
|
70
|
+
before_otp_auth_route :: Run arbitrary code before handling an OTP authentication route.
|
73
71
|
before_otp_setup :: Run arbitrary code before OTP authentication setup.
|
74
72
|
before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
|
75
73
|
before_otp_disable :: Run arbitrary code before OTP authentication disabling.
|
@@ -0,0 +1,116 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An email_auth feature has been added, which allows passwordless
|
4
|
+
logins using links sent via email. This allows usage without any
|
5
|
+
password storage. If the user does not have a password, when they
|
6
|
+
submit their login, they are sent a link via email. If the user
|
7
|
+
has a password, they have the option of either entering their
|
8
|
+
password or being sent a link via email.
|
9
|
+
|
10
|
+
* A use_multi_phase_login? configuration method has been added. If
|
11
|
+
this configuration method is set to true, a two-phase login is used,
|
12
|
+
which the login form only has a field for a user's login. After the
|
13
|
+
login form has been submitted (assuming there is a valid login), a
|
14
|
+
form is displayed with a field for the password.
|
15
|
+
|
16
|
+
* Optional email rate limiting is now supported in the lockout,
|
17
|
+
reset_password, and verify_account features, using the following
|
18
|
+
configuration methods:
|
19
|
+
|
20
|
+
* account_lockouts_email_last_sent_column
|
21
|
+
* reset_password_email_last_sent_column
|
22
|
+
* verify_account_email_last_sent_column
|
23
|
+
|
24
|
+
These methods are nil by default. To enable rate limiting, set
|
25
|
+
these to a symbol representing the column name in the appropriate
|
26
|
+
table. The recommended column name is email_last_sent. To use
|
27
|
+
this feature, you'll have to add this column to the appropriate
|
28
|
+
tables:
|
29
|
+
|
30
|
+
DB.add_column :account_lockouts, :email_last_sent, DateTime
|
31
|
+
DB.add_column :account_password_reset_keys, :email_last_sent, DateTime,
|
32
|
+
:null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
33
|
+
DB.add_column :account_verification_keys, :email_last_sent, DateTime,
|
34
|
+
:null=>false, :default=>Sequel::CURRENT_TIMESTAMP
|
35
|
+
|
36
|
+
When this support is enabled, by default Rodauth will not send
|
37
|
+
an email if an email has been sent within the last 5 minutes. You
|
38
|
+
can change this time period using the following configuration
|
39
|
+
methods, which take the number of seconds that must have elapsed
|
40
|
+
before sending another email:
|
41
|
+
|
42
|
+
* unlock_account_skip_resend_email_within
|
43
|
+
* reset_password_skip_resend_email_within
|
44
|
+
* verify_account_skip_resend_email_within
|
45
|
+
|
46
|
+
The new email_auth feature also supports email rate limiting, and
|
47
|
+
because there are no backwards compatibility issues, the support
|
48
|
+
is enabled by default.
|
49
|
+
|
50
|
+
* An after_account_lockout configuration method has been added,
|
51
|
+
which is called directly after locking out an account. This can
|
52
|
+
be useful for audit logging.
|
53
|
+
|
54
|
+
* A default_post_email_redirect configuration has been added, which
|
55
|
+
sets the default for all redirects after emailing if the account
|
56
|
+
is not currently logged in. Each individual feature that emails
|
57
|
+
still supports the appropriate *_redirect configuration method
|
58
|
+
for specifying behavior for that feature.
|
59
|
+
|
60
|
+
* A verify_login_change_duplicate_account_redirect configuration
|
61
|
+
method has been added for where to redirect if a user attempts
|
62
|
+
a login change where the new proposed login already exists.
|
63
|
+
|
64
|
+
* before_verify_login_change_email and after_verify_login_change_email
|
65
|
+
configuration methods have been added for executing code before
|
66
|
+
or after the verify login change email is sent.
|
67
|
+
|
68
|
+
= Other Improvements
|
69
|
+
|
70
|
+
* When using the verify_login_change feature, Rodauth now checks
|
71
|
+
that the new login is not already taken and fails in a more
|
72
|
+
graceful manner. Previously, Rodauth would not report an
|
73
|
+
error when the login change was requested, and would raise an
|
74
|
+
exception when attempting to verify the login change due to the
|
75
|
+
violation of a uniqueness constraint.
|
76
|
+
|
77
|
+
* Rodauth now avoids unnecessary database queries when using the
|
78
|
+
two factor authentication support and the following methods:
|
79
|
+
|
80
|
+
* authenticated?
|
81
|
+
* require_authentication
|
82
|
+
* require_two_factor_setup
|
83
|
+
|
84
|
+
* The otp-setup template now looks nicer when using both Bootstrap
|
85
|
+
3 and 4, especially on small screens such as phones.
|
86
|
+
|
87
|
+
* If the database_type was not MySQL, the lockout, remember, and
|
88
|
+
reset_password features no longer disable the requiring of the
|
89
|
+
date_arithmetic Sequel extension if another feature that
|
90
|
+
requires the extension is used.
|
91
|
+
|
92
|
+
* On MySQL, the rodauth_get_salt database function definition now
|
93
|
+
handles accounts without passwords. If you previously added the
|
94
|
+
database function and want to support accounts without passwords,
|
95
|
+
then you should drop the function and re-add it via:
|
96
|
+
|
97
|
+
Rodauth.drop_database_authentication_functions(DB)
|
98
|
+
Rodauth.create_database_authentication_functions(DB)
|
99
|
+
|
100
|
+
Note that MySQL does not support CREATE OR REPLACE FUNCTION, so
|
101
|
+
you have to drop the function and then create it, which will
|
102
|
+
temporarily result in the function not being defined.
|
103
|
+
|
104
|
+
= Backwards Compatibility
|
105
|
+
|
106
|
+
* The before_otp_authentication_route configuration method is
|
107
|
+
deprecated, please switch to before_otp_auth_route instead. This
|
108
|
+
change is made so that before_*_route method names are consistent
|
109
|
+
with the route name.
|
110
|
+
|
111
|
+
* The verify_account_email_sent_redirect configuration method now
|
112
|
+
defaults to / instead of /login. If you were previously not
|
113
|
+
setting this configuration method and would like it to default to
|
114
|
+
/login, you will now have to force the setting:
|
115
|
+
|
116
|
+
verify_account_email_sent_redirect '/login'
|
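Review bot: two wording fixes and one clarification. "a two-phase login is used, which the login form only has a field for a user's login" should read "in which the login form only has"; and "A default_post_email_redirect configuration has been added" is missing the word "method", as used for every other entry. In the rate limiting section, `DB.add_column :account_lockouts, :email_last_sent, DateTime` is nullable without a default while the two following add_column calls are NOT NULL with CURRENT_TIMESTAMP; a sentence explaining that the lockout row exists before any unlock email is sent, whereas the reset and verification rows are created when the first email goes out, would make the difference clear to anyone writing their own migration.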