rodauth 1.20.0 → 2.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (180) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG +170 -0
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +211 -79
  5. data/doc/account_expiration.rdoc +12 -26
  6. data/doc/active_sessions.rdoc +49 -0
  7. data/doc/audit_logging.rdoc +44 -0
  8. data/doc/base.rdoc +75 -128
  9. data/doc/change_login.rdoc +7 -14
  10. data/doc/change_password.rdoc +9 -13
  11. data/doc/change_password_notify.rdoc +2 -2
  12. data/doc/close_account.rdoc +9 -16
  13. data/doc/confirm_password.rdoc +12 -5
  14. data/doc/create_account.rdoc +11 -22
  15. data/doc/disallow_password_reuse.rdoc +6 -13
  16. data/doc/email_auth.rdoc +15 -14
  17. data/doc/email_base.rdoc +6 -15
  18. data/doc/http_basic_auth.rdoc +10 -1
  19. data/doc/internals.rdoc +1 -1
  20. data/doc/jwt.rdoc +22 -22
  21. data/doc/jwt_cors.rdoc +22 -0
  22. data/doc/jwt_refresh.rdoc +12 -8
  23. data/doc/lockout.rdoc +17 -15
  24. data/doc/login.rdoc +10 -2
  25. data/doc/login_password_requirements_base.rdoc +15 -37
  26. data/doc/logout.rdoc +2 -2
  27. data/doc/otp.rdoc +24 -19
  28. data/doc/password_complexity.rdoc +10 -26
  29. data/doc/password_expiration.rdoc +11 -25
  30. data/doc/password_grace_period.rdoc +16 -2
  31. data/doc/recovery_codes.rdoc +18 -12
  32. data/doc/release_notes/1.21.0.txt +12 -0
  33. data/doc/release_notes/1.22.0.txt +11 -0
  34. data/doc/release_notes/1.23.0.txt +32 -0
  35. data/doc/release_notes/2.0.0.txt +361 -0
  36. data/doc/release_notes/2.1.0.txt +31 -0
  37. data/doc/remember.rdoc +40 -64
  38. data/doc/reset_password.rdoc +12 -9
  39. data/doc/session_expiration.rdoc +1 -0
  40. data/doc/single_session.rdoc +16 -25
  41. data/doc/sms_codes.rdoc +24 -14
  42. data/doc/two_factor_base.rdoc +60 -22
  43. data/doc/verify_account.rdoc +14 -12
  44. data/doc/verify_account_grace_period.rdoc +6 -2
  45. data/doc/verify_login_change.rdoc +9 -8
  46. data/doc/webauthn.rdoc +115 -0
  47. data/doc/webauthn_login.rdoc +15 -0
  48. data/doc/webauthn_verify_account.rdoc +9 -0
  49. data/javascript/webauthn_auth.js +45 -0
  50. data/javascript/webauthn_setup.js +35 -0
  51. data/lib/roda/plugins/rodauth.rb +1 -1
  52. data/lib/rodauth.rb +32 -24
  53. data/lib/rodauth/features/account_expiration.rb +5 -5
  54. data/lib/rodauth/features/active_sessions.rb +160 -0
  55. data/lib/rodauth/features/audit_logging.rb +96 -0
  56. data/lib/rodauth/features/base.rb +144 -43
  57. data/lib/rodauth/features/change_password_notify.rb +2 -2
  58. data/lib/rodauth/features/confirm_password.rb +40 -2
  59. data/lib/rodauth/features/create_account.rb +8 -13
  60. data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
  61. data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
  62. data/lib/rodauth/features/email_auth.rb +30 -29
  63. data/lib/rodauth/features/email_base.rb +9 -4
  64. data/lib/rodauth/features/http_basic_auth.rb +55 -35
  65. data/lib/rodauth/features/jwt.rb +58 -10
  66. data/lib/rodauth/features/jwt_cors.rb +53 -0
  67. data/lib/rodauth/features/jwt_refresh.rb +3 -3
  68. data/lib/rodauth/features/lockout.rb +12 -14
  69. data/lib/rodauth/features/login.rb +54 -10
  70. data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
  71. data/lib/rodauth/features/otp.rb +72 -74
  72. data/lib/rodauth/features/password_complexity.rb +4 -11
  73. data/lib/rodauth/features/password_expiration.rb +2 -2
  74. data/lib/rodauth/features/password_grace_period.rb +17 -10
  75. data/lib/rodauth/features/recovery_codes.rb +49 -53
  76. data/lib/rodauth/features/remember.rb +11 -27
  77. data/lib/rodauth/features/reset_password.rb +26 -26
  78. data/lib/rodauth/features/session_expiration.rb +6 -4
  79. data/lib/rodauth/features/single_session.rb +7 -5
  80. data/lib/rodauth/features/sms_codes.rb +62 -71
  81. data/lib/rodauth/features/two_factor_base.rb +132 -28
  82. data/lib/rodauth/features/verify_account.rb +25 -21
  83. data/lib/rodauth/features/verify_account_grace_period.rb +20 -9
  84. data/lib/rodauth/features/verify_login_change.rb +12 -11
  85. data/lib/rodauth/features/webauthn.rb +507 -0
  86. data/lib/rodauth/features/webauthn_login.rb +70 -0
  87. data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
  88. data/lib/rodauth/version.rb +2 -2
  89. data/templates/button.str +1 -3
  90. data/templates/change-login.str +1 -2
  91. data/templates/change-password.str +3 -5
  92. data/templates/close-account.str +2 -2
  93. data/templates/confirm-password.str +1 -1
  94. data/templates/create-account.str +1 -1
  95. data/templates/email-auth-email.str +1 -1
  96. data/templates/email-auth-request-form.str +2 -3
  97. data/templates/email-auth.str +1 -1
  98. data/templates/global-logout-field.str +6 -0
  99. data/templates/login-confirm-field.str +2 -4
  100. data/templates/login-display.str +3 -2
  101. data/templates/login-field.str +2 -4
  102. data/templates/login-form-footer.str +6 -0
  103. data/templates/login-form.str +7 -0
  104. data/templates/login.str +1 -9
  105. data/templates/logout.str +1 -1
  106. data/templates/multi-phase-login.str +3 -0
  107. data/templates/otp-auth-code-field.str +5 -3
  108. data/templates/otp-auth.str +1 -1
  109. data/templates/otp-disable.str +1 -1
  110. data/templates/otp-setup.str +3 -3
  111. data/templates/password-confirm-field.str +2 -4
  112. data/templates/password-field.str +2 -4
  113. data/templates/recovery-auth.str +3 -6
  114. data/templates/recovery-codes.str +1 -1
  115. data/templates/remember.str +15 -20
  116. data/templates/reset-password-email.str +1 -1
  117. data/templates/reset-password-request.str +3 -3
  118. data/templates/reset-password.str +1 -2
  119. data/templates/sms-auth.str +1 -1
  120. data/templates/sms-code-field.str +5 -3
  121. data/templates/sms-confirm.str +1 -2
  122. data/templates/sms-disable.str +1 -2
  123. data/templates/sms-request.str +1 -1
  124. data/templates/sms-setup.str +6 -4
  125. data/templates/two-factor-auth.str +5 -0
  126. data/templates/two-factor-disable.str +6 -0
  127. data/templates/two-factor-manage.str +16 -0
  128. data/templates/unlock-account-email.str +1 -1
  129. data/templates/unlock-account-request.str +4 -4
  130. data/templates/unlock-account.str +1 -1
  131. data/templates/verify-account-email.str +1 -1
  132. data/templates/verify-account-resend.str +3 -3
  133. data/templates/verify-account.str +1 -2
  134. data/templates/verify-login-change-email.str +2 -1
  135. data/templates/verify-login-change.str +1 -1
  136. data/templates/webauthn-auth.str +11 -0
  137. data/templates/webauthn-remove.str +14 -0
  138. data/templates/webauthn-setup.str +12 -0
  139. metadata +89 -50
  140. data/Rakefile +0 -179
  141. data/doc/verify_change_login.rdoc +0 -11
  142. data/lib/rodauth/features/verify_change_login.rb +0 -20
  143. data/spec/account_expiration_spec.rb +0 -225
  144. data/spec/all.rb +0 -1
  145. data/spec/change_login_spec.rb +0 -156
  146. data/spec/change_password_notify_spec.rb +0 -33
  147. data/spec/change_password_spec.rb +0 -202
  148. data/spec/close_account_spec.rb +0 -162
  149. data/spec/confirm_password_spec.rb +0 -70
  150. data/spec/create_account_spec.rb +0 -127
  151. data/spec/disallow_common_passwords_spec.rb +0 -93
  152. data/spec/disallow_password_reuse_spec.rb +0 -179
  153. data/spec/email_auth_spec.rb +0 -285
  154. data/spec/http_basic_auth_spec.rb +0 -143
  155. data/spec/jwt_refresh_spec.rb +0 -256
  156. data/spec/jwt_spec.rb +0 -235
  157. data/spec/lockout_spec.rb +0 -250
  158. data/spec/login_spec.rb +0 -328
  159. data/spec/migrate/001_tables.rb +0 -184
  160. data/spec/migrate/002_account_password_hash_column.rb +0 -11
  161. data/spec/migrate_password/001_tables.rb +0 -73
  162. data/spec/migrate_travis/001_tables.rb +0 -141
  163. data/spec/password_complexity_spec.rb +0 -109
  164. data/spec/password_expiration_spec.rb +0 -244
  165. data/spec/password_grace_period_spec.rb +0 -93
  166. data/spec/remember_spec.rb +0 -451
  167. data/spec/reset_password_spec.rb +0 -229
  168. data/spec/rodauth_spec.rb +0 -343
  169. data/spec/session_expiration_spec.rb +0 -58
  170. data/spec/single_session_spec.rb +0 -127
  171. data/spec/spec_helper.rb +0 -327
  172. data/spec/two_factor_spec.rb +0 -1423
  173. data/spec/update_password_hash_spec.rb +0 -40
  174. data/spec/verify_account_grace_period_spec.rb +0 -171
  175. data/spec/verify_account_spec.rb +0 -240
  176. data/spec/verify_change_login_spec.rb +0 -46
  177. data/spec/verify_login_change_spec.rb +0 -232
  178. data/spec/views/layout-other.str +0 -11
  179. data/spec/views/layout.str +0 -11
  180. data/spec/views/login.str +0 -21
@@ -5,28 +5,21 @@ The close account feature allows users to close their accounts.
5
5
  == Auth Value Methods
6
6
 
7
7
  account_closed_status_value :: The integer representing closed accounts.
8
- close_account_additional_form_tags :: HTML fragment containing additional
9
- form tags to use on the close account
10
- form.
8
+ close_account_additional_form_tags :: HTML fragment containing additional form tags to use on the close account form.
11
9
  close_account_button :: The text to use for the close account button.
12
- close_account_notice_flash :: The flash notice to show after closing the
13
- account.
10
+ close_account_error_flash :: The flash error to show if there is an error closing the account.
11
+ close_account_notice_flash :: The flash notice to show after closing the account.
12
+ close_account_page_title :: The page title to use on the close account form.
14
13
  close_account_redirect :: Where to redirect after closing the account.
15
- close_account_requires_password? :: Whether a password is required when
16
- closing accounts.
17
- close_account_route :: The route to the close account action. Defaults to
18
- +close-account+.
19
- delete_account_on_close? :: Whether to delete the account when closing it,
20
- default value is to use +skip_status_checks?+.
14
+ close_account_requires_password? :: Whether a password is required when closing accounts.
15
+ close_account_route :: The route to the close account action. Defaults to +close-account+.
16
+ delete_account_on_close? :: Whether to delete the account when closing it, default value is to use +skip_status_checks?+.
21
17
 
22
18
  == Auth Methods
23
19
 
24
20
  after_close_account :: Run arbitrary code after closing the account.
25
21
  before_close_account :: Run arbitrary code before closing an account.
26
22
  before_close_account_route :: Run arbitrary code before handling a close account route.
27
- close_account :: Close the account, by default setting the account status
28
- to closed.
23
+ close_account :: Close the account, by default setting the account status to closed.
29
24
  close_account_view :: The HTML to use for the close account form.
30
- delete_account :: If +delete_account_on_close?+ is true, delete the account
31
- when closing it.
32
-
25
+ delete_account :: If +delete_account_on_close?+ is true, delete the account when closing it.
@@ -1,24 +1,31 @@
1
1
  = Documentation for Confirm Password Feature
2
2
 
3
3
  The confirm password feature allows you to redirect users to a page to
4
- confirm their password. It's used by the remember feature, but can also
5
- by your application if you want to confirm passwords.
4
+ confirm their password.
5
+
6
+ When confirming passwords, if authenticated via autologin, a remember token,
7
+ or an email_auth token, switches the authentication type from that login
8
+ method to password.
6
9
 
7
10
  == Auth Value Methods
8
11
 
9
12
  confirm_password_additional_form_tags :: HTML fragment containing additional form tags to use on the confirm password form.
10
13
  confirm_password_button :: The text to use for the confirm password button.
11
14
  confirm_password_error_flash :: The flash error to show if password confirmation is unsuccessful.
15
+ confirm_password_link_text :: The text to use for the link from the two factor auth page.
12
16
  confirm_password_notice_flash :: The flash notice to show after password confirmed successful.
17
+ confirm_password_page_title :: The page title to use on the confirm password form.
13
18
  confirm_password_redirect :: Where to redirect after successful password confirmation. By default, uses <tt>session[confirm_password_redirect_session_key]</tt> if set, allowing an easy way to redirect back to the page requesting password confirmation.
14
19
  confirm_password_redirect_session_key :: The session key used to check for the confirm_password_redirect.
15
- confirm_password_route :: The route to the confirm password form. Defaults to
16
- +confirm-password+.
20
+ confirm_password_route :: The route to the confirm password form. Defaults to +confirm-password+.
21
+ password_authentication_required_error_flash :: The flash error to show if going to a page requiring password confirmation.
22
+ password_authentication_required_error_status :: The response status to use if going to a page requiring password confirmation, 401 by default.
23
+ password_authentication_required_redirect :: Where to redirect when going to a page requiring password confirmation.
17
24
 
18
25
  == Auth Methods
19
26
 
20
27
  after_confirm_password :: Run arbitrary code after successful confirmation of password.
21
28
  before_confirm_password :: Run arbitrary code before setting that the password has been confirmed.
22
- confirm_password :: Run arbitrary code on correct password confirmation.
23
29
  before_confirm_password_route :: Run arbitrary code before handling the password confirmation route.
30
+ confirm_password :: Update the session to reflect the password has been confirmed.
24
31
  confirm_password_view :: The HTML to use for the confirm password form.
@@ -4,34 +4,23 @@ The create account feature allows users to create new accounts.
4
4
 
5
5
  == Auth Value Methods
6
6
 
7
- create_account_additional_form_tags :: HTML fragment containing additional
8
- form tags to use on the create account
9
- form.
7
+ create_account_additional_form_tags :: HTML fragment containing additional form tags to use on the create account form.
10
8
  create_account_button :: The text to use for the create account button.
11
- create_account_error_flash :: The flash error to show for unsuccessful
12
- account creation.
13
- create_account_notice_flash :: The flash notice to show after successful
9
+ create_account_error_flash :: The flash error to show for unsuccessful account creation.
10
+ create_account_notice_flash :: The flash notice to show after successful account creation.
11
+ create_account_page_title :: The page title to use on the create account form.
14
12
  create_account_redirect :: Where to redirect after creating the account.
15
- create_account_route :: The route to the create account action. Defaults to
16
- +create-account+.
17
- create_account_set_password? :: Whether to ask for a password to be set on the create
18
- account form. Defaults to true. If set to false, an
19
- alternative method to set the password should be used.
13
+ create_account_route :: The route to the create account action. Defaults to +create-account+.
14
+ create_account_set_password? :: Whether to ask for a password to be set on the create account form. Defaults to true if not verifying accounts. If set to false, an alternative method to set the password should be used (assuming you want to allow password authentication).
20
15
 
21
16
  == Auth Methods
22
17
 
23
18
  after_create_account :: Run arbitrary code after creating the account.
24
19
  before_create_account :: Run arbitrary code before creating the account.
25
20
  before_create_account_route :: Run arbitrary code before handling a create account route.
26
- create_account_autologin? :: Whether to autologin the user upon
27
- successful account creation, true by default unless verifying
28
- accounts.
29
- create_account_link :: HTML fragment to display with a link to the create
30
- account form.
21
+ create_account_autologin? :: Whether to autologin the user upon successful account creation, true by default unless verifying accounts.
22
+ create_account_link_text :: The text to use for a link to the create account form.
31
23
  create_account_view :: The HTML to use for the create account form.
32
- new_account(login) :: Instantiate a new account hash for the
33
- given login, without saving it.
34
- save_account :: Insert the account into the database, or return nil/false if that
35
- was not successful.
36
- set_new_account_password :: Set the password for a new account if
37
- +account_password_hash_column+ is set, without saving.
24
+ new_account(login) :: Instantiate a new account hash for the given login, without saving it.
25
+ save_account :: Insert the account into the database, or return nil/false if that was not successful.
26
+ set_new_account_password :: Set the password for a new account if +account_password_hash_column+ is set, without saving.
@@ -17,21 +17,14 @@ current password.
17
17
 
18
18
  == Auth Value Methods
19
19
 
20
- password_same_as_previous_password_message :: The error message fragment to display if the
21
- given password is the same as a previous
22
- password.
23
- previous_password_account_id_column :: The column in the +previous_password_hash_table+ that
24
- stores the account id.
25
- previous_password_hash_column :: The column in the +previous_password_hash_table+ that
26
- stores the password hash.
20
+ password_same_as_previous_password_message :: The error message fragment to display if the given password is the same as a previous password.
21
+ previous_password_account_id_column :: The column in the +previous_password_hash_table+ that stores the account id.
22
+ previous_password_hash_column :: The column in the +previous_password_hash_table+ that stores the password hash.
27
23
  previous_password_hash_table :: The table storing previous password hashes.
28
- previous_password_id_column :: The column in the +previous_password_hash_table+ that
29
- stores the autoincrementing primary key.
24
+ previous_password_id_column :: The column in the +previous_password_hash_table+ that stores the autoincrementing primary key.
30
25
  previous_passwords_to_check :: The number of previous password hashes to store and check.
31
26
 
32
27
  == Auth Methods
33
28
 
34
- add_previous_password_hash(hash) :: Add the given hash to the list of previous hashes for
35
- the current account.
36
- password_doesnt_match_previous_password?(password) :: Whether the password given matches any
37
- of the previous passwords.
29
+ add_previous_password_hash(hash) :: Add the given hash to the list of previous hashes for the current account.
30
+ password_doesnt_match_previous_password?(password) :: Whether the password given matches any of the previous passwords.
@@ -1,34 +1,35 @@
1
1
  = Documentation for Email Auth Feature
2
2
 
3
- The email auth feature implements login using links sent via email. It is
4
- very similar to the email auth feature, except you don't need to update
5
- a password, or even have a password to login. Depends on the login and
3
+ The email auth feature implements passwordless login using links sent via email. It is
4
+ similar to the reset password feature, except you don't need to update
5
+ a password, or even have a password to login. It depends on the login and
6
6
  email_base features.
7
7
 
8
8
  == Auth Value Methods
9
9
 
10
10
  email_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth login form.
11
+ email_auth_deadline_column :: The column name in the +email_auth_table+ storing the deadline after which the token will be ignored.
12
+ email_auth_deadline_interval :: The amount of time for which to allow users to use email auth keys, 1 day by default. Only used if set_deadline_values? is true.
13
+ email_auth_email_last_sent_column :: The email auth last sent column in the +email_auth_table+, storing the last time the email was sent. Set to nil to always send an email when requested.
11
14
  email_auth_email_recently_sent_error_flash :: The flash error to show if not sending an email auth email because another was sent recently.
12
15
  email_auth_email_recently_sent_redirect :: Where to redirect after not sending an email auth email because another was sent recently.
13
- email_auth_deadline_column :: The column name in the email auth keys table storing the deadline after which the token will be ignored.
14
- email_auth_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if set_deadline_values? is true.
15
16
  email_auth_email_sent_notice_flash :: The flash notice to show after an email auth email has been sent.
16
17
  email_auth_email_sent_redirect :: Where to redirect after sending an email auth email.
17
18
  email_auth_email_subject :: The subject to use for email auth emails.
18
19
  email_auth_error_flash :: The flash error to show if unable to login using email authentication.
19
- email_auth_id_column :: The id column in the email auth keys table, should be a foreign key referencing the accounts table.
20
- email_auth_key_column :: The email auth key/token column in the email auth keys table.
20
+ email_auth_id_column :: The id column in the +email_auth_table+, should be a foreign key referencing the accounts table.
21
+ email_auth_key_column :: The email auth key/token column in the +email_auth_table+.
21
22
  email_auth_key_param :: The parameter name to use for the email auth key.
22
- email_auth_last_column :: The email auth last sent column in the email auth keys table, storing the last time the email was sent. Set to nil to always send an email when requested.
23
+ email_auth_page_title :: The page title to use on the email auth form.
23
24
  email_auth_request_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth request form.
24
25
  email_auth_request_button :: The text to use for the email auth request button.
25
26
  email_auth_request_error_flash :: The flash error to show if not able to send an email auth email.
26
27
  email_auth_request_route :: The route to the email auth request action. Defaults to +email-auth-request+.
27
28
  email_auth_route :: The route to the email auth action. Defaults to +email-auth+.
28
29
  email_auth_session_key :: The key in the session to hold the email auth key temporarily.
29
- email_auth_skip_resend_within :: The number of seconds before sending another email auth email.
30
- email_auth_table :: The name of the email auth keys table.
31
- force_email_auth? :: Whether email auth should be forced for the account. By default, email auth is forced if the account does not have a password.
30
+ email_auth_skip_resend_email_within :: The number of seconds required before sending another email auth email, 5 minutes by default.
31
+ email_auth_table :: The name of the table storing email auth keys.
32
+ force_email_auth? :: Whether email auth should be forced for the account. False by default, which results in email auth only be used automatically if the account does not have a password.
32
33
  no_matching_email_auth_key_error_flash :: The flash error message to show if attempting to access the email auth form with an invalid key.
33
34
 
34
35
  == Auth Methods
@@ -42,12 +43,12 @@ create_email_auth_email :: A Mail::Message for the email auth email.
42
43
  create_email_auth_key :: Add the email auth key data to the database.
43
44
  email_auth_email_body :: The body to use for the email auth email.
44
45
  email_auth_email_link :: The link to the email auth form in the email auth email.
45
- email_auth_key_insert_hash :: The hash to insert into the email auth keys table.
46
+ email_auth_key_insert_hash :: The hash to insert into the +email_auth_table+.
46
47
  email_auth_key_value :: The email auth key for the current account.
47
- email_auth_request_form :: The HTML to use for a form to request an email auth email, shown on the login page after the user submits their login, if +force_email_auth?+ is false.
48
+ email_auth_request_form :: The HTML to use for a form to request an email auth email, shown on the login page after the user submits their login, if +force_email_auth?+ is false and email authentication is not the only possible for of authentication for the user.
48
49
  email_auth_view :: The HTML to use for the email auth form.
49
- get_email_auth_key(id) :: Get the email auth key for the given account id from the database.
50
50
  get_email_auth_email_last_sent :: Get the last time an email auth email is sent, or nil if there is no last sent time.
51
+ get_email_auth_key(id) :: Get the email auth key for the given account id from the database.
51
52
  remove_email_auth_key :: Remove the email auth key for the current account, run after successful email auth.
52
53
  send_email_auth_email :: Send the email auth email.
53
54
  set_email_auth_email_last_sent :: Set the last time an email auth email is sent. This is only called if there is a previous email auth token still active.
@@ -5,23 +5,14 @@ that requires sending emails.
5
5
 
6
6
  == Auth Value Methods
7
7
 
8
- allow_raw_email_token? :: When +email_token_hmac_secret+ is used, this allows the use of the raw
9
- token. This should only be set to true temporarily during a transition
10
- period from using raw tokens to using HMACed tokens. After the transition
11
- period, this should not be set, as setting this to true removes the
12
- security that HMACed tokens add.
13
- default_post_email_redirect :: Where to redirect after sending an email. This is the default
14
- redirect location for all redirects after an email is sent when the
15
- account is not logged in. Also includes cases where an email is not
16
- sent due to rate limiting.
8
+ allow_raw_email_token? :: When +hmac_secret+ is used, this allows the use of the raw token. This should only be set to true temporarily during a transition period from using raw tokens to using HMACed tokens. After the transition period, this should not be set, as setting this to true removes the security that HMACed tokens add.
9
+ default_post_email_redirect :: Where to redirect after sending an email. This is the default redirect location for all redirects after an email is sent when the account is not logged in. Also includes cases where an email is not sent due to rate limiting.
17
10
  email_from :: The from address to use for emails sent by Rodauth.
18
11
  email_subject_prefix :: The prefix to use for email subjects
19
- require_mail? :: Set to false to not require mail, useful if using a different
20
- library for sending email.
12
+ require_mail? :: Set to false to not require mail, useful if using a different library for sending email.
21
13
 
22
14
  == Auth Methods
23
15
 
24
- email_to :: The email address to send emails to, by default the login of the
25
- current account.
26
- create_email(subject, body) :: Return a Mail::Message instance with the given subject
27
- and body.
16
+ create_email(subject, body) :: Return a Mail::Message instance with the given subject and body.
17
+ email_to :: The email address to send emails to, by default the login of the current account.
18
+ send_email(email) :: Deliver a given Mail::Message instance.
@@ -3,7 +3,16 @@
3
3
  The HTTP basic auth feature allows logins using HTTP basic authentication,
4
4
  described in RFC 1945.
5
5
 
6
+ In your routing block, you can require HTTP basic authentication via:
7
+
8
+ rodauth.require_http_basic_auth
9
+
10
+ If you want to allow HTTP basic authentication but not require it, you can
11
+ call:
12
+
13
+ rodauth.http_basic_auth
14
+
6
15
  == Auth Value Methods
7
16
 
8
17
  http_basic_auth_realm :: The realm to return in the WWW-Authenticate header.
9
- require_http_basic_auth :: If true, when +rodauth.require_authentication+ is used, return a 401 status if basic auth has not been provided, instead of redirecting to the login page. False by default.
18
+ require_http_basic_auth? :: If true, when +rodauth.require_login+ or +rodauth.require_authentication+ is used, return a 401 status page if basic auth has not been provided, instead of redirecting to the login page. If false, +rodauth.require_login+ or +rodauth.require_authentication+ will check for HTTP basic authentication if not already logged in. False by default.
@@ -183,7 +183,7 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
183
183
  foo_view
184
184
  end
185
185
 
186
- # Just like in Roda, r.post is called for GET requests
186
+ # Just like in Roda, r.post is called for POST requests
187
187
  r.post do
188
188
  # This is called before performing the foo action
189
189
  before_foo
@@ -2,7 +2,7 @@
2
2
 
3
3
  The jwt feature adds support for JSON API access for all other features
4
4
  that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
5
- authentication data.
5
+ session information.
6
6
 
7
7
  When this feature is used, all other features become accessible via a
8
8
  JSON API. The JSON API uses the POST method for all requests, using
@@ -10,10 +10,10 @@ the same parameter names as the features uses. JSON API requests to
10
10
  Rodauth endpoints that use a method other than POST will result in a
11
11
  405 Method Not Allowed response.
12
12
 
13
- Responses are returned as JSON hashes. In case of an error, the "error"
14
- entry is set to an error message, and the "field-error" entry is set to
13
+ Responses are returned as JSON hashes. In case of an error, the +error+
14
+ entry is set to an error message, and the <tt>field-error</tt> entry is set to
15
15
  an array containing the field name and the error message for that field.
16
- Successful requests by default store a "success" entry with a success
16
+ Successful requests by default store a +success+ entry with a success
17
17
  message, though that can be disabled.
18
18
 
19
19
  In order to use this feature, you have to set the +jwt_secret+ configuration
@@ -26,42 +26,42 @@ future requests, if the response Authorization header is set. If the
26
26
  response Authorization header is not set, then continue to use the
27
27
  previous Authorization header.
28
28
 
29
- When using this feature, consider using the :json=>:only option when
29
+ When using this feature, consider using the <tt>json: :only</tt> option when
30
30
  loading the rodauth plugin, if you want Rodauth to only handle
31
- JSON requests. If you don't use the :json=>:only option, the jwt feature
31
+ JSON requests. If you don't use the <tt>json: :only</tt> option, the jwt feature
32
32
  will probably result in an error if a request to a Rodauth endpoint comes
33
33
  in with a Content-Type that isn't application/json, unless you also set
34
34
  <tt>only_json? false</tt> in your rodauth configuration.
35
35
 
36
36
  If you would like to check if a valid JWT was submitted with the current
37
- request in your Roda app, you can call the rodauth.valid_jwt? method. If
38
- rodauth.valid_jwt? returns true, the contents of the jwt can be retrieved
39
- from rodauth.session.
37
+ request in your Roda app, you can call the +rodauth.valid_jwt?+ method. If
38
+ +rodauth.valid_jwt?+ returns true, the contents of the jwt can be retrieved
39
+ from +rodauth.session+.
40
40
 
41
41
  == Auth Value Methods
42
42
 
43
43
  invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
44
- json_accept_regexp :: The regexp to use to check the Accept header for JSON if jwt_check_accept? is true.
44
+ json_accept_regexp :: The regexp to use to check the Accept header for JSON if +jwt_check_accept?+ is true.
45
45
  json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
46
- json_not_accepted_error_message :: The error message to display if jwt_check_accept? is true and the Accept header is present but does not match json_request_content_type_regexp.
46
+ json_not_accepted_error_message :: The error message to display if +jwt_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
47
47
  json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
48
- json_response_content_type :: The content type to set for json responses, application/json by default.
49
- json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, false by default for backwards compatibility.
50
- json_response_error_key :: The JSON result key containing an error message, "error" by default.
51
- json_response_error_status :: The HTTP status code to use for JSON error responses, 400 by default.
52
- json_response_field_error_key :: The JSON result key containing an field error message, "field-error" by default.
53
- json_response_success_key :: The JSON result key containing a success message for successful request, if set. nil by default to not set success messages.
54
- jwt_algorithm :: The JWT algorithm to use, "HS256" by default.
48
+ json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
49
+ json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
50
+ json_response_error_key :: The JSON result key containing an error message, +error+ by default.
51
+ json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
52
+ json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
53
+ json_response_success_key :: The JSON result key containing a success message for successful request, if set. +success+ by default.
54
+ jwt_algorithm :: The JWT algorithm to use, +HS256+ by default.
55
55
  jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches. By default, HTTP Basic and Digest authentication are ignored.
56
56
  jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT. By default, a Bearer prefix is removed.
57
- jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, false by default for backwards compatibility.
58
- jwt_decode_opts :: An optional hash to pass to JWT.decode. Can be used to set JWT verifiers.
57
+ jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default, can be set to false for backwards compatibility with Rodauth 1.
58
+ jwt_decode_opts :: An optional hash to pass to +JWT.decode+. Can be used to set JWT verifiers.
59
59
  jwt_secret :: The JWT secret to use. Access to this should be protected the same as a session secret.
60
60
  jwt_session_key :: A key to nest the session hash under in the JWT payload. nil by default, for no nesting.
61
61
  jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply. false by default.
62
62
  non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
63
- only_json? :: Whether to have Rodauth only allow JSON requests. True by default if :json=>:only option was given when loading the plugin. If set, rodauth endpoints will issue an error for non-JSON requests.
64
- use_jwt? :: Whether to use the JWT in the Authorization header for authentication information. If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if only_json? is true, or if the request uses a json content type.
63
+ only_json? :: Whether to have Rodauth only allow JSON requests. True by default if <tt>json: :only</tt> option was given when loading the plugin. If set, rodauth endpoints will issue an error for non-JSON requests.
64
+ use_jwt? :: Whether to use the JWT in the Authorization header for authentication information. If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if +only_json?+ is true, or if the request uses a json content type.
65
65
 
66
66
  == Auth Methods
67
67
 
@@ -0,0 +1,22 @@
1
+ = Documentation for JWT CORS Feature
2
+
3
+ The jwt_cors feature adds support for Cross-Origin Resource Sharing
4
+ to Rodauth's JSON API.
5
+
6
+ When this feature is used, CORS requests are handled. This includes
7
+ CORS preflight requests, which are required since Rodauth's JSON API
8
+ uses the application/json request content type.
9
+
10
+ This feature depends on the jwt feature.
11
+
12
+ == Auth Value Methods
13
+
14
+ jwt_cors_allow_headers :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Headers header (default: 'Content-Type, Authorization, Accept'). This specifies which headers can be included in CORS requests.
15
+ jwt_cors_allow_methods :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Methods header (default: 'POST'). This specifies which methods are allowed in CORS requests.
16
+ jwt_cors_allow_origin :: Which origins are allowed to perform CORS requests. The default is +false+. This can be a String, Array of Strings, Regexp, or +true+ to allow CORS requests from any domain.
17
+ jwt_cors_expose_headers :: For allowed CORS requests, the value returned in the Access-Control-Expose-Headers header (default: 'Authorization'). This specifies which headers the browser is allowed to access from a response to a CORS request.
18
+ jwt_cors_max_age :: For allowed CORS-preflight requests, the value returned in the Access-Control-Max-Age header (default: 86400). This specifies how long before the information returned should be considered stale and another CORS preflight request made.
19
+
20
+ == Auth Methods
21
+
22
+ jwt_cors_allow? :: Whether the request should be allowed. This is called for all requests for a Rodauth route that include an Origin header. It should return true or false for whether to specially handle the cross-origin request. By default, uses the +jwt_cors_allow_origin+ setting to check the origin.
@@ -5,11 +5,13 @@ setting a short lifetime on JWT access tokens.
5
5
 
6
6
  When this feature is used, the access and refresh token are provided
7
7
  at login in the response body (the access token is still provided in the Authorization
8
- header), and for any subsequent POST to /jwt-refresh.
8
+ header), and for any subsequent POST to <tt>/jwt-refresh</tt>.
9
9
 
10
- Note that using the refresh token invalides the old refresh token and creates
10
+ Note that using the refresh token invalides the token and creates
11
11
  a new access token with an updated lifetime. However, it does not invalidate
12
- older access tokens. Older access tokens remain valid until they expire.
12
+ older access tokens. Older access tokens remain valid until they expire. You
13
+ can use the active_sessions feature if you want previous access tokens to be invalid
14
+ as soon as the refresh token is used.
13
15
 
14
16
  This feature depends on the jwt feature.
15
17
 
@@ -18,18 +20,20 @@ This feature depends on the jwt feature.
18
20
  jwt_access_token_key :: Name of the key in the response json holding the access token. Default is +access_token+.
19
21
  jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
20
22
  jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
23
+ jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
21
24
  jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
22
- jwt_refresh_token_account_id_column :: The column name in the refresh token table storing the account id, should be a foreign key referencing the accounts table.
23
- jwt_refresh_token_deadline_column :: The column name in the refresh token keys table storing the deadline after which the refresh token will no longer be valid.
24
- jwt_refresh_token_deadline_interval :: validity of a refresh token. Default is 14 days.
25
+ jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
26
+ jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
27
+ jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
25
28
  jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
26
29
  jwt_refresh_token_key :: Name of the key in the response json holding the refresh token. Default is +refresh_token+.
27
- jwt_refresh_token_key_column :: The column name in the refresh token keys table holding the refresh token key value.
30
+ jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
28
31
  jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token. Default is +refresh_token+.
29
32
  jwt_refresh_token_table :: Name of the table holding refresh token keys.
30
33
 
31
34
  == Auth Methods
32
35
 
33
- after_refresh_token :: Hooks for specific processing once the refresh token has been set.
34
36
  account_from_refresh_token(token) :: Returns the account hash for the given refresh token.
37
+ after_refresh_token :: Hooks for specific processing once the refresh token has been set.
38
+ before_jwt_refresh_route :: Run arbitrary code before handling a jwt_refresh route.
35
39
  before_refresh_token :: Hooks for specific processing before the refresh token is computed.
@@ -8,37 +8,39 @@ unlock via an email sent to them.
8
8
 
9
9
  == Auth Value Methods
10
10
 
11
- account_lockouts_id_column :: The id column in the account lockouts table, should be a foreign key referencing the accounts table.
12
- account_lockouts_deadline_column :: The deadline column in the account lockouts table, containing how long the account is locked out until.
13
- account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if set_deadline_values? is true.
14
- account_lockouts_email_last_sent_column :: The email last sent column in the account lockouts table. nil by default, so an unlock account email is always sent when requested by default.
15
- account_lockouts_key_column :: The unlock key column in the account lockouts table.
11
+ account_lockouts_deadline_column :: The deadline column in the +account_lockouts_table+, containing the timestamp until which the account is locked out.
12
+ account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if +set_deadline_values?+ is true.
13
+ account_lockouts_email_last_sent_column :: The email last sent column in the +account_lockouts_table+. Set to nil to always send an unlock account email when requested.
14
+ account_lockouts_id_column :: The id column in the +account_lockouts_table+, should be a foreign key referencing the accounts table.
15
+ account_lockouts_key_column :: The unlock key column in the +account_lockouts_table+.
16
16
  account_lockouts_table :: The table containing account lockout information.
17
- account_login_failures_id_column :: The id column in the account login failures table, should be a foreign key referencing the accounts table.
18
- account_login_failures_number_column :: The column in the account login failures table containing the number of login failures for the account.
17
+ account_login_failures_id_column :: The id column in the +account_login_failures_table+, should be a foreign key referencing the accounts table.
18
+ account_login_failures_number_column :: The column in the +account_login_failures_table+ containing the number of login failures for the account.
19
19
  account_login_failures_table :: The table containing number of login failures per account.
20
20
  login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
21
- max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this is set to 100.
21
+ max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this defaults to 100.
22
22
  no_matching_unlock_account_key_error_flash :: The flash error message to show if attempting to access the unlock account form with an invalid key.
23
23
  unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
24
- unlock_account_autologin? :: Whether to autologin users after successful account unlock.
24
+ unlock_account_autologin? :: Whether to autologin users after successful account unlock. This defaults to true, as otherwise an attacker can prevent an account from logging in by continually locking out their account.
25
25
  unlock_account_button :: The text to use on the unlock account button.
26
26
  unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
27
27
  unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
28
28
  unlock_account_email_subject :: The subject to use for the unlock account email.
29
- unlock_account_explanatory_text :: The text to display above the button to unlock an account.
30
29
  unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
30
+ unlock_account_explanatory_text :: The text to display above the button to unlock an account.
31
31
  unlock_account_key_param :: The parameter name to use for the unlock account key.
32
32
  unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
33
+ unlock_account_page_title :: The page title to use on the unlock account form.
33
34
  unlock_account_redirect :: Where to redirect after successful account unlock.
34
35
  unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
35
36
  unlock_account_request_button :: The text to use on the unlock account request button.
36
37
  unlock_account_request_explanatory_text :: The text to display above the button to request an account unlock.
37
38
  unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
38
- unlock_account_request_redirect :: Where to redirect after account unlock email is sent.
39
+ unlock_account_request_page_title :: The page title to use on the unlock account request form.
40
+ unlock_account_request_redirect :: Where to redirect after the account unlock email is sent.
39
41
  unlock_account_request_route :: The route to the unlock account request action. Defaults to +unlock-account-request+.
40
42
  unlock_account_requires_password? :: Whether a password is required when unlocking accounts, false by default. May want to set to true if not allowing password resets.
41
- unlock_account_route :: Alias for lockout_route.
43
+ unlock_account_route :: The route to the unlock account action. Defaults to +unlock-account+.
42
44
  unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
43
45
  unlock_account_skip_resend_email_within :: The number of seconds before sending another unlock account email, if +account_lockouts_email_last_sent_column+ is set.
44
46
 
@@ -55,15 +57,15 @@ before_unlock_account_route :: Run arbitrary code before handling an unlock acco
55
57
  clear_invalid_login_attempts :: Clear any stored login failures or lockouts for the current account.
56
58
  create_unlock_account_email :: A Mail::Message for the account unlock email to send.
57
59
  generate_unlock_account_key :: A random string to use for a new unlock account key.
58
- get_unlock_account_email_last_sent :: Get the last time an unlock_account email is sent, or nil if there is no last sent time.
60
+ get_unlock_account_email_last_sent :: Get the last time an unlock account email is sent, or nil if there is no last sent time.
59
61
  get_unlock_account_key :: Retrieve the unlock account key for the current account.
60
- invalid_login_attempt :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
62
+ invalid_login_attempted :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
61
63
  locked_out? :: Whether the current account is locked out.
62
64
  send_unlock_account_email :: Send the account unlock email.
63
65
  set_unlock_account_email_last_sent :: Set the last time an unlock_account email is sent.
66
+ unlock_account :: Unlock the account.
64
67
  unlock_account_email_body :: The body to use for the unlock account email.
65
68
  unlock_account_email_link :: The link to the unlock account form to include in the unlock account email.
66
- unlock_account :: Unlock the account.
67
69
  unlock_account_key :: The unlock account key for the current account.
68
70
  unlock_account_request_view :: The HTML to use for the unlock account request form.
69
71
  unlock_account_view :: The HTML to use for the unlock account form.