rodauth 1.22.0 → 2.3.0

Files changed (198) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG +190 -0
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +210 -80
  5. data/doc/account_expiration.rdoc +12 -26
  6. data/doc/active_sessions.rdoc +49 -0
  7. data/doc/audit_logging.rdoc +44 -0
  8. data/doc/base.rdoc +75 -128
  9. data/doc/change_login.rdoc +7 -14
  10. data/doc/change_password.rdoc +9 -13
  11. data/doc/change_password_notify.rdoc +2 -2
  12. data/doc/close_account.rdoc +9 -16
  13. data/doc/confirm_password.rdoc +12 -5
  14. data/doc/create_account.rdoc +11 -22
  15. data/doc/disallow_password_reuse.rdoc +6 -13
  16. data/doc/email_auth.rdoc +15 -14
  17. data/doc/email_base.rdoc +6 -15
  18. data/doc/guides/admin_activation.rdoc +46 -0
  19. data/doc/guides/already_authenticated.rdoc +10 -0
  20. data/doc/guides/alternative_login.rdoc +46 -0
  21. data/doc/guides/create_account_programmatically.rdoc +38 -0
  22. data/doc/guides/delay_password.rdoc +25 -0
  23. data/doc/guides/email_only.rdoc +16 -0
  24. data/doc/guides/i18n.rdoc +26 -0
  25. data/doc/{internals.rdoc → guides/internals.rdoc} +0 -0
  26. data/doc/guides/links.rdoc +12 -0
  27. data/doc/guides/login_return.rdoc +37 -0
  28. data/doc/guides/password_column.rdoc +25 -0
  29. data/doc/guides/password_confirmation.rdoc +37 -0
  30. data/doc/guides/password_requirements.rdoc +30 -0
  31. data/doc/guides/paths.rdoc +36 -0
  32. data/doc/guides/query_params.rdoc +9 -0
  33. data/doc/guides/redirects.rdoc +17 -0
  34. data/doc/guides/registration_field.rdoc +68 -0
  35. data/doc/guides/require_mfa.rdoc +30 -0
  36. data/doc/guides/reset_password_autologin.rdoc +21 -0
  37. data/doc/guides/status_column.rdoc +28 -0
  38. data/doc/guides/totp_or_recovery.rdoc +16 -0
  39. data/doc/http_basic_auth.rdoc +10 -1
  40. data/doc/jwt.rdoc +22 -22
  41. data/doc/jwt_cors.rdoc +2 -3
  42. data/doc/jwt_refresh.rdoc +23 -8
  43. data/doc/lockout.rdoc +17 -15
  44. data/doc/login.rdoc +17 -2
  45. data/doc/login_password_requirements_base.rdoc +18 -37
  46. data/doc/logout.rdoc +2 -2
  47. data/doc/otp.rdoc +25 -19
  48. data/doc/password_complexity.rdoc +10 -26
  49. data/doc/password_expiration.rdoc +11 -25
  50. data/doc/password_grace_period.rdoc +16 -2
  51. data/doc/recovery_codes.rdoc +18 -12
  52. data/doc/release_notes/1.23.0.txt +32 -0
  53. data/doc/release_notes/2.0.0.txt +361 -0
  54. data/doc/release_notes/2.1.0.txt +31 -0
  55. data/doc/release_notes/2.2.0.txt +39 -0
  56. data/doc/release_notes/2.3.0.txt +37 -0
  57. data/doc/remember.rdoc +40 -64
  58. data/doc/reset_password.rdoc +12 -9
  59. data/doc/session_expiration.rdoc +1 -0
  60. data/doc/single_session.rdoc +16 -25
  61. data/doc/sms_codes.rdoc +24 -14
  62. data/doc/two_factor_base.rdoc +60 -22
  63. data/doc/verify_account.rdoc +14 -12
  64. data/doc/verify_account_grace_period.rdoc +6 -2
  65. data/doc/verify_login_change.rdoc +9 -8
  66. data/doc/webauthn.rdoc +115 -0
  67. data/doc/webauthn_login.rdoc +15 -0
  68. data/doc/webauthn_verify_account.rdoc +9 -0
  69. data/javascript/webauthn_auth.js +45 -0
  70. data/javascript/webauthn_setup.js +35 -0
  71. data/lib/roda/plugins/rodauth.rb +1 -1
  72. data/lib/rodauth.rb +36 -28
  73. data/lib/rodauth/features/account_expiration.rb +5 -5
  74. data/lib/rodauth/features/active_sessions.rb +158 -0
  75. data/lib/rodauth/features/audit_logging.rb +98 -0
  76. data/lib/rodauth/features/base.rb +144 -43
  77. data/lib/rodauth/features/change_password_notify.rb +2 -2
  78. data/lib/rodauth/features/close_account.rb +8 -6
  79. data/lib/rodauth/features/confirm_password.rb +40 -2
  80. data/lib/rodauth/features/create_account.rb +8 -13
  81. data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
  82. data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
  83. data/lib/rodauth/features/email_auth.rb +31 -30
  84. data/lib/rodauth/features/email_base.rb +9 -4
  85. data/lib/rodauth/features/http_basic_auth.rb +55 -35
  86. data/lib/rodauth/features/jwt.rb +63 -16
  87. data/lib/rodauth/features/jwt_cors.rb +15 -15
  88. data/lib/rodauth/features/jwt_refresh.rb +42 -13
  89. data/lib/rodauth/features/lockout.rb +12 -14
  90. data/lib/rodauth/features/login.rb +64 -15
  91. data/lib/rodauth/features/login_password_requirements_base.rb +13 -8
  92. data/lib/rodauth/features/otp.rb +77 -80
  93. data/lib/rodauth/features/password_complexity.rb +8 -13
  94. data/lib/rodauth/features/password_expiration.rb +2 -2
  95. data/lib/rodauth/features/password_grace_period.rb +17 -10
  96. data/lib/rodauth/features/recovery_codes.rb +49 -53
  97. data/lib/rodauth/features/remember.rb +11 -27
  98. data/lib/rodauth/features/reset_password.rb +26 -26
  99. data/lib/rodauth/features/session_expiration.rb +7 -10
  100. data/lib/rodauth/features/single_session.rb +8 -6
  101. data/lib/rodauth/features/sms_codes.rb +62 -72
  102. data/lib/rodauth/features/two_factor_base.rb +134 -30
  103. data/lib/rodauth/features/verify_account.rb +29 -21
  104. data/lib/rodauth/features/verify_account_grace_period.rb +18 -9
  105. data/lib/rodauth/features/verify_login_change.rb +12 -11
  106. data/lib/rodauth/features/webauthn.rb +505 -0
  107. data/lib/rodauth/features/webauthn_login.rb +70 -0
  108. data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
  109. data/lib/rodauth/migrations.rb +16 -5
  110. data/lib/rodauth/version.rb +2 -2
  111. data/templates/button.str +1 -3
  112. data/templates/change-login.str +1 -2
  113. data/templates/change-password.str +3 -5
  114. data/templates/close-account.str +2 -2
  115. data/templates/confirm-password.str +1 -1
  116. data/templates/create-account.str +1 -1
  117. data/templates/email-auth-request-form.str +2 -3
  118. data/templates/email-auth.str +1 -1
  119. data/templates/global-logout-field.str +6 -0
  120. data/templates/login-confirm-field.str +2 -4
  121. data/templates/login-display.str +3 -2
  122. data/templates/login-field.str +2 -4
  123. data/templates/login-form-footer.str +6 -0
  124. data/templates/login-form.str +7 -0
  125. data/templates/login.str +1 -9
  126. data/templates/logout.str +1 -1
  127. data/templates/multi-phase-login.str +3 -0
  128. data/templates/otp-auth-code-field.str +5 -3
  129. data/templates/otp-auth.str +1 -1
  130. data/templates/otp-disable.str +1 -1
  131. data/templates/otp-setup.str +3 -3
  132. data/templates/password-confirm-field.str +2 -4
  133. data/templates/password-field.str +2 -4
  134. data/templates/recovery-auth.str +3 -6
  135. data/templates/recovery-codes.str +1 -1
  136. data/templates/remember.str +15 -20
  137. data/templates/reset-password-request.str +3 -3
  138. data/templates/reset-password.str +1 -2
  139. data/templates/sms-auth.str +1 -1
  140. data/templates/sms-code-field.str +5 -3
  141. data/templates/sms-confirm.str +1 -2
  142. data/templates/sms-disable.str +1 -2
  143. data/templates/sms-request.str +1 -1
  144. data/templates/sms-setup.str +6 -4
  145. data/templates/two-factor-auth.str +5 -0
  146. data/templates/two-factor-disable.str +6 -0
  147. data/templates/two-factor-manage.str +16 -0
  148. data/templates/unlock-account-request.str +4 -4
  149. data/templates/unlock-account.str +1 -1
  150. data/templates/verify-account-resend.str +3 -3
  151. data/templates/verify-account.str +1 -2
  152. data/templates/verify-login-change.str +1 -1
  153. data/templates/webauthn-auth.str +11 -0
  154. data/templates/webauthn-remove.str +14 -0
  155. data/templates/webauthn-setup.str +12 -0
  156. metadata +94 -54
  157. data/Rakefile +0 -179
  158. data/doc/verify_change_login.rdoc +0 -11
  159. data/lib/rodauth/features/verify_change_login.rb +0 -20
  160. data/spec/account_expiration_spec.rb +0 -225
  161. data/spec/all.rb +0 -1
  162. data/spec/change_login_spec.rb +0 -156
  163. data/spec/change_password_notify_spec.rb +0 -33
  164. data/spec/change_password_spec.rb +0 -202
  165. data/spec/close_account_spec.rb +0 -162
  166. data/spec/confirm_password_spec.rb +0 -70
  167. data/spec/create_account_spec.rb +0 -127
  168. data/spec/disallow_common_passwords_spec.rb +0 -93
  169. data/spec/disallow_password_reuse_spec.rb +0 -179
  170. data/spec/email_auth_spec.rb +0 -285
  171. data/spec/http_basic_auth_spec.rb +0 -143
  172. data/spec/jwt_cors_spec.rb +0 -57
  173. data/spec/jwt_refresh_spec.rb +0 -256
  174. data/spec/jwt_spec.rb +0 -235
  175. data/spec/lockout_spec.rb +0 -250
  176. data/spec/login_spec.rb +0 -328
  177. data/spec/migrate/001_tables.rb +0 -184
  178. data/spec/migrate/002_account_password_hash_column.rb +0 -11
  179. data/spec/migrate_password/001_tables.rb +0 -73
  180. data/spec/migrate_travis/001_tables.rb +0 -141
  181. data/spec/password_complexity_spec.rb +0 -109
  182. data/spec/password_expiration_spec.rb +0 -244
  183. data/spec/password_grace_period_spec.rb +0 -93
  184. data/spec/remember_spec.rb +0 -451
  185. data/spec/reset_password_spec.rb +0 -229
  186. data/spec/rodauth_spec.rb +0 -343
  187. data/spec/session_expiration_spec.rb +0 -58
  188. data/spec/single_session_spec.rb +0 -127
  189. data/spec/spec_helper.rb +0 -327
  190. data/spec/two_factor_spec.rb +0 -1462
  191. data/spec/update_password_hash_spec.rb +0 -40
  192. data/spec/verify_account_grace_period_spec.rb +0 -171
  193. data/spec/verify_account_spec.rb +0 -240
  194. data/spec/verify_change_login_spec.rb +0 -46
  195. data/spec/verify_login_change_spec.rb +0 -232
  196. data/spec/views/layout-other.str +0 -11
  197. data/spec/views/layout.str +0 -11
  198. data/spec/views/login.str +0 -21
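--- a/data/doc/password_grace_period.rdoc
+++ b/data/doc/password_grace_period.rdoc
@@ -1,10 +1,24 @@
 = Documentation for Password Grace Period Feature
 
 The password grace period feature keeps track of the last time the
-user entered their password, and doesn't require they reenter their
+user entered their password in the session, and doesn't require they reenter their
 password for account modifications if they recently entered it correctly.
 
+If you would like to provide extra security before certain routes, you can use
+the confirm password feature to require users to reenter their password if they
+haven't entered it recently:
+
+rodauth.require_password_authentication
+
+By default, this does not redirect if the session has been authenticated via
+password, but with the password_grace_period feature, it also redirects if the
+password has not been entered recently.
+
 == Auth Value Methods
 
-password_grace_period :: The number of seconds after a password entry until password reentry is required, 300 by default (5 minutes).
 last_password_entry_session_key :: The session key in which to store the last password entry time.
+password_grace_period :: The number of seconds after a password entry until password reentry is required, 300 by default (5 minutes).
+
+== Auth Methods
+
+password_recently_entered? :: Whether the password has last been entered within the grace period.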
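--- a/data/doc/recovery_codes.rdoc
+++ b/data/doc/recovery_codes.rdoc
@@ -1,8 +1,8 @@
 = Documentation for Recovery Codes Feature
 
-The recovery codes feature allows 2nd factor authentication via single use recovery
-codes. It is usually used as a backup if OTP authentication is not available or
-has been locked out, but can be used by itself or as a backup to SMS codes. It allows
+The recovery codes feature allows multifactor authentication via single use recovery
+codes. It is usually used as a backup if other multifactor authentication methods are
+not available or have been locked out, but can be used by itself. It allows
 users to view authentication recovery codes as well as regenerate recovery codes.
 
 Access to recovery codes is limited to authenticated sessions only, so users should
@@ -11,25 +11,31 @@ of them being required due to a missing / lost device.
 
 == Auth Value Methods
 
-add_recovery_codes_button :: Text to use for button on form to add recovery codes.
+add_recovery_codes_redirect :: Where to redirect to add recovery codes if recovery codes are the primary multifactor authentication and have not been setup yet.
+add_recovery_codes_button :: Text to use for button on the form to add recovery codes.
 add_recovery_codes_error_flash :: The flash error to show when adding recovery codes.
-add_recovery_codes_heading :: Text to use for heading above form to add recovery codes.
+add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
+add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-add_recovery_auth_redirect :: Where to redirect to add recovery codes if recovery codes are the primary 2nd factor and have not been setup yet.
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.
 recovery_auth_button :: The text to use for the button when authenticating via a recovery code.
+recovery_auth_link_text :: The text to use for the link from the multifactor auth page.
+recovery_auth_page_title :: The page title to use on the form to authenticate via a recovery code.
 recovery_auth_redirect :: Where to redirect after authenticating via an recovery code.
 recovery_auth_route :: The route to the recovery code authentication action. Defaults to +recovery-auth+.
 recovery_codes_added_notice_flash :: The flash notice to show when recovery codes were added.
 recovery_codes_additional_form_tags :: HTML fragment containing additional form tags when adding recovery codes.
-recovery_codes_column :: The column in the recovery_codes_table containing the recovery code.
-recovery_codes_id_column :: The column in the recovery_codes_table containing the account id.
+recovery_codes_column :: The column in the +recovery_codes_table+ containing the recovery code.
+recovery_codes_id_column :: The column in the +recovery_codes_table+ containing the account id.
 recovery_codes_label :: The label for recovery codes.
-recovery_codes_limit :: The number of recovery codes to allow.
+recovery_codes_limit :: The number of recovery codes to setup.
+recovery_codes_link_text :: The text to use for the setup link from the multifactor manage page.
+recovery_codes_page_title :: The page title to use on the form to view recovery codes.
 recovery_codes_param :: The parameter name for the recovery code.
-recovery_codes_primary? :: Whether recovery codes are the primary second factor, true by default if neither the otp or sms_codes features are enabled.
+recovery_codes_primary? :: Whether recovery codes are a primary multifactor authentication type. If not, they cannot be setup unless multifactor authentication is already setup.
 recovery_codes_route :: The route to the view recovery codes action. Defaults to +recovery-codes+.
 recovery_codes_table :: The table storing the recovery codes.
 view_recovery_codes_button :: Text for the button to view recovery codes.
@@ -41,8 +47,8 @@ add_recovery_code :: Add a recovery code for the given account.
 add_recovery_codes_view :: The HTML to use for the add recovery codes form.
 after_add_recovery_codes :: Run arbitrary code after adding recovery codes.
 before_add_recovery_codes :: Run arbitrary code before adding recovery codes.
-before_recovery_auth :: Run arbitrary code before recovery authentication.
-before_recovery_auth_route :: Run arbitrary code before handling recovery authentication route.
+before_recovery_auth :: Run arbitrary code before recovery code authentication.
+before_recovery_auth_route :: Run arbitrary code before handling recovery code authentication route.
 before_recovery_codes_route :: Run arbitrary code before handling view/add recovery codes route.
 before_view_recovery_codes :: Run arbitrary code before viewing recovery codes.
 can_add_recovery_codes? :: Whether the current account can add more recovery codes.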
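--- a/data/doc/release_notes/1.23.0.txt
+++ b/data/doc/release_notes/1.23.0.txt
@@ -0,0 +1,32 @@
+= New Features
+
+* When the email_auth feature is used, the link to request email
+authentication is now displayed if the user inputs an incorrect
+password. Previously, it was only shown if the user had not
+yet entered a password.
+
+* A send_email configuration method has been added, which can be
+overridden to customize email delivery (such as logging such
+email). The configuration method block accepts a Mail::Message
+argument.
+
+* All rodauth.*_route methods that return the name of the route
+segment now have rodauth.*_path and rodauth.*_url equivalents,
+which return the path and URL for the related routes, respectively.
+The rodauth.*_path methods are useful when constructing links to
+the related Rodauth pages on the same site, and the rodauth.*_url
+methods are useful for constructing link to the Rodauth pages from
+other sites or in email.
+
+= Other Improvements
+
+* Specs have been removed from the gem file, reducing gem size by
+over 20%.
+
+* rodauth.authenticated? now returns true on the OTP setup page
+when using the otp feature. Previously, this method returned
+false on the OTP setup page. However, as the user has not yet
+setup OTP when viewing this page, they should be considered
+fully authenticated, as they would be if they viewed any other
+page before setting up OTP. This change probably only affects
+cases where the layout uses rodauth.authenticated?.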
@@ -0,0 +1,361 @@
1
+ = New Features
2
+
3
+ * A webauthn feature has been added, allowing multifactor
4
+ authentication using WebAuthn. It allows for registering multiple
5
+ WebAuthn authenticators per account, authenticating using
6
+ WebAuthn, and removing WebAuthn authenticators. This feature
7
+ depends on the webauthn gem.
8
+
9
+ WebAuthn in browsers requires javascript to work, but Rodauth's
10
+ approach has the javascript set hidden form inputs and then use a
11
+ standard form submission, making it easy to test applications
12
+ using WebAuthn without a full browser, as long as a software
13
+ WebAuthn authenticator can be used (the webauthn gem provides
14
+ such an authenticator).
15
+
16
+ * A webauthn_login feature has been added, allowing passwordless
17
+ logins using WebAuthn.
18
+
19
+ * A webauthn_verify_account feature has been added, which requires
20
+ setting up a WebAuthn authenticator during account verification.
21
+ This allows for setups where WebAuthn is the sole method of
22
+ authentication.
23
+
24
+ * An active_sessions feature has been added, which disallows
25
+ session reuse after logout, and allows for a global logout of all
26
+ sessions for the account. It also supports inactivity and
27
+ lifetime deadlines for sessions. This also integrates with the
28
+ jwt_refresh feature to disable JWT access token usage after
29
+ logout.
30
+
31
+ * An audit_logging feature has been added, which logs Rodauth
32
+ actions to a database table. This hooks into all of Rodauth's
33
+ after_* hooks, and will implement audit logging for all
34
+ features that use such hooks.
35
+
36
+ * The confirm_password feature can now operate as multifactor
37
+ authentication if the user has a password but was originally
38
+ authenticated using the webauthn_login feature.
39
+
40
+ * The multifactor authentication support now better handles
41
+ multiple multifactor authentication methods. When setting up
42
+ multifactor authentication, a page is provided linking to all
43
+ enabled multifactor authentication options. When authenticating
44
+ via an additional factor, a page is provided linking to all
45
+ multifactor authentication options that have been setup and are
46
+ available for use. There is also a page to disable all multifactor
47
+ authentication methods that have been setup, and revert to single
48
+ factor authentication.
49
+
50
+ To provide a better user experience, if there would only be a
51
+ single link on the pages to setup multifactor authentication
52
+ or authenticate with an additional factor, the user is redirected
53
+ directly to the appropriate page.
54
+
55
+ * A translate configuration method has been added. This is called
56
+ with a translation key and default value for the translation, and
57
+ allows for internationalizing Rodauth. All translatable strings
58
+ are passed through this method, including flash messages, page
59
+ titles, button text, field error messages, and link texts.
60
+
61
+ * login_return_to_requested_location? and
62
+ two_factor_auth_return_to_requested_location? configuration methods
63
+ have been added. With these methods set to true, if
64
+ rodauth.require_login needs to redirect, it will store the current
65
+ page, and after logging in, the user will be redirected back to the
66
+ page. Likewise, if rodauth.require_two_factor_authenticated needs
67
+ to redirect, it will store the current page, and after multifactor
68
+ authentication, the user will be redirected back to the page.
69
+
70
+ * domain and base_url configuration methods have been added and it is
71
+ recommended that applications use them if they can be reached with
72
+ arbitrary Host headers. If not set, Rodauth will use information
73
+ from the request, which can be provided by an attacker.
74
+
75
+ * The *_url and *_path methods now accept an optional hash of query
76
+ parameters to use.
77
+
78
+ * Many Rodauth forms will now use appropriate autocomplete and
79
+ inputmode attributes on form inputs. You can modify the behavior
80
+ using the following configuration methods:
81
+
82
+ * autocomplete_for_field?
83
+ * inputmode_for_field?
84
+ * mark_input_fields_with_autocomplete?
85
+ * mark_input_fields_with_inputmode?
86
+
87
+ * An sms_phone_input_type configuration method has been added and
88
+ now defaults to tel. Previous, the SMS phone input used a text
89
+ type.
90
+
91
+ * rodauth.require_password_authentication has been added to the
92
+ confirm_password_feature, which will redirect to the login page
93
+ if not logged in, and will redirect to the confirm password page
94
+ if the user was logged in without typing in a password. If the
95
+ password_grace_period feature is used, this also redirects if
96
+ the password has not been entered recently.
97
+
98
+ * rodauth.authenticated_by has been added, which is an array of
99
+ strings for all methods by which the current session has been
100
+ authenticated, or nil if the session has not been authenticated.
101
+
102
+ * rodauth.possible_authentication_methods has been added, which is
103
+ an array of strings for all methods by which the current session
104
+ could be authenticated.
105
+
106
+ * rodauth.autologin_type now returns the type of autologin used if
107
+ authenticated using autologin.
108
+
109
+ * All *_view configuration methods now have *_page_title
110
+ configuration methods for setting custom page titles.
111
+
112
+ = Other Improvements
113
+
114
+ * The templates Rodauth uses by default are now compatible with
115
+ Bootstrap 4, and compatibility with Bootstrap 3 (which Rodauth
116
+ previously targeted) has been improved.
117
+
118
+ * When requesting a password reset, if the user provides an invalid
119
+ login, an input for the login is now displayed so the problem
120
+ can be corrected.
121
+
122
+ * When setting up an additional multifactor authentication method,
123
+ Rodauth no longer overrides which multifactor authentication method
124
+ was used to authenticate the current session.
125
+
126
+ * When disabling a multifactor authentication method that was not
127
+ used to authenticate the current session, the session remains
128
+ multifactor authenticated.
129
+
130
+ * When multiple multifactor authentication methods are setup for
131
+ an account, disabling a multifactor authentication method will not
132
+ mark the session as not having multifactor authentication enabled.
133
+
134
+ * When disabling OTP authentication, future calls to
135
+ rodauth.otp_exists? will return false instead of true.
136
+
137
+ * Recovery codes are no longer generated automatically when OTP or
138
+ SMS authentication is setup. There is no point generating codes
139
+ that the user has not yet viewed, and generating them automatically
140
+ will disable automatic redirections in the cases where only one
141
+ multifactor authentication method is setup. This can be turned
142
+ back on using the auto_add_recovery_codes? configuration method.
143
+
144
+ * The OTP setup page now displays better on phones and other devices
145
+ with small viewports.
146
+
147
+ * Links and alternative login forms shown on the login page are
148
+ now in a specific order and not based on the order in which
149
+ features were enabled.
150
+
151
+ * The link to resend the verify account email is not shown on the
152
+ multi-phase login page after the login has been entered if the
153
+ account has already been verified.
154
+
155
+ * The modifications_require_password? configuration method now
156
+ defaults to false for accounts that do not have a password.
157
+
158
+ * Multifactor authentication is no longer allowed using the same
159
+ factor type as used for initial authentication. Previously,
160
+ no multifactor authentication type could be used for initial
161
+ authentication, so this wasn't an issue.
162
+
163
+ * The verify login change page no longer calls already_logged_in
164
+ if the session is already logged in. This method is documented
165
+ to only be called on pages that expect not to be already logged
166
+ in, and it's common to access the verify login change page
167
+ while being logged in, since you need to be logged in to go to
168
+ the change login page. The default behavior of already_logged_in
169
+ is to do nothing, so this only affects you if you have used the
170
+ already_logged_in configuration method.
171
+
172
+ * If using the email_auth and verify_account_grace_period features
173
+ together, do not show email authentication as an option for
174
+ unverified accounts during the grace period.
175
+
176
+ * In the lockout feature, generate the unlock account key before
177
+ calling send_unlock_account_email, similar to how key generation
178
+ happens in other features that send email. This makes it easier
179
+ to override the method.
180
+
181
+ * Various method visibility issues have been fixed, so that
182
+ enabling any feature that ships with Rodauth will not affect
183
+ visibility of methods for features already enabled.
184
+
185
+ * All Rodauth configuration methods (over 1000) are now documented.
186
+
187
+ = Backwards Compatibility
188
+
189
+ * The verify_change_login feature has been removed. Users should
190
+ switch to the verify_login_change feature, which verifies the
191
+ new login works correctly before switching the login.
192
+
193
+ * For CSRF protection, Roda's route_csrf plugin is now used by
194
+ default instead of rack_csrf. This supports request specific
195
+ CSRF tokens by default. The :csrf=>:rack_csrf plugin option
196
+ can be used to continue using rack_csrf.
197
+
198
+ Roda's route_csrf allows for per-route checking of the CSRF token,
199
+ and support for that is enabled for all Rodauth routes. However,
200
+ if you were using Rodauth without explicitly loading rack_csrf,
201
+ these changes could remove CSRF support from your application.
202
+ You should probably load Roda's route_csrf plugin explicitly and
203
+ use it in your Roda routing tree if you want CSRF protection for
204
+ non-Rodauth routes. You can use the new check_csrf_opts and
205
+ check_csrf_block to customize options to pass to check_csrf!, or
206
+ set check_csrf? false to disable calling check_csrf!.
207
+
208
+ * Email rate limiting is now enabled by default in the lockout,
209
+ reset_password, and verify_account features. This requires
210
+ adding a column to store the last email sent time to the
211
+ related tables, if the tables were created without one:
212
+
213
+ DB.add_column :account_password_reset_keys, :email_last_sent,
214
+ DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
215
+ DB.add_column :account_verification_keys, :email_last_sent,
216
+ DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
217
+ DB.add_column :account_lockouts, :email_last_sent, DateTime
218
+
219
+ Alternatively, you can set the appropriate configuration method
220
+ (e.g. verify_account_email_last_sent_column) to nil to disable
221
+ rate limiting.
222
+
223
+ * The http_basic_auth feature has been changed significantly.
224
+ You should now call rodauth.http_basic_auth in the routing tree
225
+ to load authentication information from the Authorization
226
+ request header, similar to how rodauth.load_memory works in the
227
+ remember feature.
228
+
229
+ The require_http_basic_auth configuration method has been renamed
230
+ to require_http_basic_auth?. rodauth.require_http_basic_auth?
231
+ should now be used to check whether HTTP basic auth is required.
232
+ rodauth.require_http_basic_auth now requires that HTTP basic
233
+ auth is provided in the request.
234
+
235
+ To be more backwards compatible, if not already logged in,
236
+ rodauth.require_login will load HTTP basic auth information if
237
+ available, and will require HTTP basic auth if
238
+ require_http_basic_auth? is configured.
239
+
240
+ * If using the Bootstrap 3/4 compatibility, the forms used are
241
+ now standard (vertical) Bootstrap forms. Previously, they were
242
+ horizontal forms.
243
+
244
+ * Most of the strings related to multifactor authentication have
245
+ been changed to refer to multifactor authentication instead of
246
+ two factor authentication, or changed to refer to a specific
247
+ multifactor authentication type (such as TOTP), as appropriate.
248
+
249
+ * Periods at the end of some default flash messages have been
250
+ removed for consistency.
251
+
252
+ * The remember feature no longer depends on the confirm_password
253
+ feature. You must now enable confirm_password separately if you
254
+ want to use it.
255
+
256
+ * Login confirmation is no longer required by default when
257
+ verifying accounts or verifying login changes. In both cases,
258
+ entering an invalid login causes no problems.
259
+
260
+ * The otp_drift configuration method now defaults to 30, to allow
261
+ 30 seconds of drift. The previous setting of nil generally
262
+ resulted in usability problems, especially without good clock
263
+ synchronization.
264
+
265
+ * The json_response_custom_error_status? configuration method now
266
+ defaults to true, so that custom error statuses are now used by
267
+ default, instead of a generic 400 response.
268
+
269
+ * The jwt_check_accept? configuration method now defaults to true,
270
+ so that the request Accept header is checked.
271
+
272
+ * The verify_account_set_password? configuration method now defaults
273
+ to true, so that passwords will be set when verifying accounts
274
+ instead of when creating accounts. This prevents issues when
275
+ an attacker creates an account with a password they know, if the
276
+ user with access to the email address verifies the account.
277
+
278
+ * The mark_input_fields_as_required? configuration method now defaults
279
+ to true. Most of rodauth's input fields are required, and this
280
+ provides a nicer experience. However, it may cause accessibility
281
+ issues if screen readers do not handle invalid form submissions due
282
+ to missing required fields in an accessible manner.
283
+
284
+ * The login_input_type configuration method now defaults to email if
285
+ login_column is :email (the default setting). This can cause
286
+ accessibility issues if screen readers do not handle invalid form
287
+ submissions due to an invalid login field format in an accessible
288
+ manner. It can also break installations that leave login_column
289
+ as :email but do not use email addresses for logins.
290
+
291
+ * The json_response_success_key configuration method now defaults to
292
+ success, so success messages are included by default. This can be
293
+ set back to nil to not include them.
294
+
295
+ * The single_session and session_expiration plugin now use a
296
+ configurable error status code for JSON requests when the session
297
+ has expired, using inactive_session_error_status and
298
+ session_expiration_error_status configuration methods,
299
+ respectively.
300
+
301
+ * If you are using the jwt_refresh feature and used the migration
302
+ previously recommended in the README, you should mark the account_id
303
+ field as NOT NULL and add an index:
304
+
305
+ DB.alter_table(:account_jwt_refresh_keys) do
306
+ set_column_not_null :account_id
307
+ add_index :account_id, :name=>:account_jwt_rk_account_id_idx
308
+ end
309
+
310
+ * The otp authentication form no longer shows SMS or recovery code
311
+ information on failure. The multifactor authentication page will
312
+ have links to SMS or recovery code authentication if they have been
313
+ setup, and will redirect or show the appropriate links to those
314
+ authentication methods if OTP authentication gets locked out.
315
+
316
+ * Disabling OTP authentication no longer automatically disables SMS
317
+ authentication and recovery codes, and disabling SMS authentication
318
+ no longer disables recovery codes. To disable all multifactor
319
+ authentication methods at once, the new multifactor authentication
320
+ disable page should be used. If you want to revert to the previous
321
+ behavior of automatic disabling, override after_otp_disable to
322
+ disable SMS and recovery codes, and override after_sms_disable to
323
+ disable recovery codes.
324
+
325
+ * HTML id attributes in the recovery_codes and remember features have
326
+ been modified to use - instead of _, for consistency with all other
327
+ Rodauth features.
328
+
329
+ * Ruby 1.8 support has been dropped. The minimum supported version is
330
+ now Ruby 1.9.2. Support for versions of Ruby that are no longer
331
+ supported by ruby-core may be dropped in future minor releases if
332
+ keeping the support becomes a maintenance issue.
333
+
334
+ * The following configuration methods have been replaced:
335
+
336
+ * create_account_link -> create_account_link_text
337
+ * reset_password_request_link -> reset_password_request_link_text
338
+ * verify_account_resend_link -> verify_account_resend_link_text
339
+
340
+ The new methods take only the text of the link, the path to link
341
+ to can already be determined by Rodauth.
342
+
343
+ * The following configuration methods have been removed:
344
+
345
+ * account_model
346
+ * attempt_to_create_unverified_account_notice_message
347
+ * attempt_to_login_to_unverified_account_notice_message
348
+ * before_otp_authentication_route
349
+ * clear_remembered_session_key
350
+ * no_matching_email_auth_key_message
351
+ * no_matching_reset_password_key_message
352
+ * no_matching_unlock_account_key_message
353
+ * no_matching_verify_account_key_message
354
+ * no_matching_verify_login_change_key_message
355
+ * remembered_session_key
356
+ * two_factor_session_key
357
+
358
+ Most of these methods were already deprecated.
359
+
360
+ * Route blocks in external Rodauth features must now have an arity
361
+ of 1.