rodauth 1.22.0 → 2.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +190 -0
- data/MIT-LICENSE +1 -1
- data/README.rdoc +210 -80
- data/doc/account_expiration.rdoc +12 -26
- data/doc/active_sessions.rdoc +49 -0
- data/doc/audit_logging.rdoc +44 -0
- data/doc/base.rdoc +75 -128
- data/doc/change_login.rdoc +7 -14
- data/doc/change_password.rdoc +9 -13
- data/doc/change_password_notify.rdoc +2 -2
- data/doc/close_account.rdoc +9 -16
- data/doc/confirm_password.rdoc +12 -5
- data/doc/create_account.rdoc +11 -22
- data/doc/disallow_password_reuse.rdoc +6 -13
- data/doc/email_auth.rdoc +15 -14
- data/doc/email_base.rdoc +6 -15
- data/doc/guides/admin_activation.rdoc +46 -0
- data/doc/guides/already_authenticated.rdoc +10 -0
- data/doc/guides/alternative_login.rdoc +46 -0
- data/doc/guides/create_account_programmatically.rdoc +38 -0
- data/doc/guides/delay_password.rdoc +25 -0
- data/doc/guides/email_only.rdoc +16 -0
- data/doc/guides/i18n.rdoc +26 -0
- data/doc/{internals.rdoc → guides/internals.rdoc} +0 -0
- data/doc/guides/links.rdoc +12 -0
- data/doc/guides/login_return.rdoc +37 -0
- data/doc/guides/password_column.rdoc +25 -0
- data/doc/guides/password_confirmation.rdoc +37 -0
- data/doc/guides/password_requirements.rdoc +30 -0
- data/doc/guides/paths.rdoc +36 -0
- data/doc/guides/query_params.rdoc +9 -0
- data/doc/guides/redirects.rdoc +17 -0
- data/doc/guides/registration_field.rdoc +68 -0
- data/doc/guides/require_mfa.rdoc +30 -0
- data/doc/guides/reset_password_autologin.rdoc +21 -0
- data/doc/guides/status_column.rdoc +28 -0
- data/doc/guides/totp_or_recovery.rdoc +16 -0
- data/doc/http_basic_auth.rdoc +10 -1
- data/doc/jwt.rdoc +22 -22
- data/doc/jwt_cors.rdoc +2 -3
- data/doc/jwt_refresh.rdoc +23 -8
- data/doc/lockout.rdoc +17 -15
- data/doc/login.rdoc +17 -2
- data/doc/login_password_requirements_base.rdoc +18 -37
- data/doc/logout.rdoc +2 -2
- data/doc/otp.rdoc +25 -19
- data/doc/password_complexity.rdoc +10 -26
- data/doc/password_expiration.rdoc +11 -25
- data/doc/password_grace_period.rdoc +16 -2
- data/doc/recovery_codes.rdoc +18 -12
- data/doc/release_notes/1.23.0.txt +32 -0
- data/doc/release_notes/2.0.0.txt +361 -0
- data/doc/release_notes/2.1.0.txt +31 -0
- data/doc/release_notes/2.2.0.txt +39 -0
- data/doc/release_notes/2.3.0.txt +37 -0
- data/doc/remember.rdoc +40 -64
- data/doc/reset_password.rdoc +12 -9
- data/doc/session_expiration.rdoc +1 -0
- data/doc/single_session.rdoc +16 -25
- data/doc/sms_codes.rdoc +24 -14
- data/doc/two_factor_base.rdoc +60 -22
- data/doc/verify_account.rdoc +14 -12
- data/doc/verify_account_grace_period.rdoc +6 -2
- data/doc/verify_login_change.rdoc +9 -8
- data/doc/webauthn.rdoc +115 -0
- data/doc/webauthn_login.rdoc +15 -0
- data/doc/webauthn_verify_account.rdoc +9 -0
- data/javascript/webauthn_auth.js +45 -0
- data/javascript/webauthn_setup.js +35 -0
- data/lib/roda/plugins/rodauth.rb +1 -1
- data/lib/rodauth.rb +36 -28
- data/lib/rodauth/features/account_expiration.rb +5 -5
- data/lib/rodauth/features/active_sessions.rb +158 -0
- data/lib/rodauth/features/audit_logging.rb +98 -0
- data/lib/rodauth/features/base.rb +144 -43
- data/lib/rodauth/features/change_password_notify.rb +2 -2
- data/lib/rodauth/features/close_account.rb +8 -6
- data/lib/rodauth/features/confirm_password.rb +40 -2
- data/lib/rodauth/features/create_account.rb +8 -13
- data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
- data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
- data/lib/rodauth/features/email_auth.rb +31 -30
- data/lib/rodauth/features/email_base.rb +9 -4
- data/lib/rodauth/features/http_basic_auth.rb +55 -35
- data/lib/rodauth/features/jwt.rb +63 -16
- data/lib/rodauth/features/jwt_cors.rb +15 -15
- data/lib/rodauth/features/jwt_refresh.rb +42 -13
- data/lib/rodauth/features/lockout.rb +12 -14
- data/lib/rodauth/features/login.rb +64 -15
- data/lib/rodauth/features/login_password_requirements_base.rb +13 -8
- data/lib/rodauth/features/otp.rb +77 -80
- data/lib/rodauth/features/password_complexity.rb +8 -13
- data/lib/rodauth/features/password_expiration.rb +2 -2
- data/lib/rodauth/features/password_grace_period.rb +17 -10
- data/lib/rodauth/features/recovery_codes.rb +49 -53
- data/lib/rodauth/features/remember.rb +11 -27
- data/lib/rodauth/features/reset_password.rb +26 -26
- data/lib/rodauth/features/session_expiration.rb +7 -10
- data/lib/rodauth/features/single_session.rb +8 -6
- data/lib/rodauth/features/sms_codes.rb +62 -72
- data/lib/rodauth/features/two_factor_base.rb +134 -30
- data/lib/rodauth/features/verify_account.rb +29 -21
- data/lib/rodauth/features/verify_account_grace_period.rb +18 -9
- data/lib/rodauth/features/verify_login_change.rb +12 -11
- data/lib/rodauth/features/webauthn.rb +505 -0
- data/lib/rodauth/features/webauthn_login.rb +70 -0
- data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
- data/lib/rodauth/migrations.rb +16 -5
- data/lib/rodauth/version.rb +2 -2
- data/templates/button.str +1 -3
- data/templates/change-login.str +1 -2
- data/templates/change-password.str +3 -5
- data/templates/close-account.str +2 -2
- data/templates/confirm-password.str +1 -1
- data/templates/create-account.str +1 -1
- data/templates/email-auth-request-form.str +2 -3
- data/templates/email-auth.str +1 -1
- data/templates/global-logout-field.str +6 -0
- data/templates/login-confirm-field.str +2 -4
- data/templates/login-display.str +3 -2
- data/templates/login-field.str +2 -4
- data/templates/login-form-footer.str +6 -0
- data/templates/login-form.str +7 -0
- data/templates/login.str +1 -9
- data/templates/logout.str +1 -1
- data/templates/multi-phase-login.str +3 -0
- data/templates/otp-auth-code-field.str +5 -3
- data/templates/otp-auth.str +1 -1
- data/templates/otp-disable.str +1 -1
- data/templates/otp-setup.str +3 -3
- data/templates/password-confirm-field.str +2 -4
- data/templates/password-field.str +2 -4
- data/templates/recovery-auth.str +3 -6
- data/templates/recovery-codes.str +1 -1
- data/templates/remember.str +15 -20
- data/templates/reset-password-request.str +3 -3
- data/templates/reset-password.str +1 -2
- data/templates/sms-auth.str +1 -1
- data/templates/sms-code-field.str +5 -3
- data/templates/sms-confirm.str +1 -2
- data/templates/sms-disable.str +1 -2
- data/templates/sms-request.str +1 -1
- data/templates/sms-setup.str +6 -4
- data/templates/two-factor-auth.str +5 -0
- data/templates/two-factor-disable.str +6 -0
- data/templates/two-factor-manage.str +16 -0
- data/templates/unlock-account-request.str +4 -4
- data/templates/unlock-account.str +1 -1
- data/templates/verify-account-resend.str +3 -3
- data/templates/verify-account.str +1 -2
- data/templates/verify-login-change.str +1 -1
- data/templates/webauthn-auth.str +11 -0
- data/templates/webauthn-remove.str +14 -0
- data/templates/webauthn-setup.str +12 -0
- metadata +94 -54
- data/Rakefile +0 -179
- data/doc/verify_change_login.rdoc +0 -11
- data/lib/rodauth/features/verify_change_login.rb +0 -20
- data/spec/account_expiration_spec.rb +0 -225
- data/spec/all.rb +0 -1
- data/spec/change_login_spec.rb +0 -156
- data/spec/change_password_notify_spec.rb +0 -33
- data/spec/change_password_spec.rb +0 -202
- data/spec/close_account_spec.rb +0 -162
- data/spec/confirm_password_spec.rb +0 -70
- data/spec/create_account_spec.rb +0 -127
- data/spec/disallow_common_passwords_spec.rb +0 -93
- data/spec/disallow_password_reuse_spec.rb +0 -179
- data/spec/email_auth_spec.rb +0 -285
- data/spec/http_basic_auth_spec.rb +0 -143
- data/spec/jwt_cors_spec.rb +0 -57
- data/spec/jwt_refresh_spec.rb +0 -256
- data/spec/jwt_spec.rb +0 -235
- data/spec/lockout_spec.rb +0 -250
- data/spec/login_spec.rb +0 -328
- data/spec/migrate/001_tables.rb +0 -184
- data/spec/migrate/002_account_password_hash_column.rb +0 -11
- data/spec/migrate_password/001_tables.rb +0 -73
- data/spec/migrate_travis/001_tables.rb +0 -141
- data/spec/password_complexity_spec.rb +0 -109
- data/spec/password_expiration_spec.rb +0 -244
- data/spec/password_grace_period_spec.rb +0 -93
- data/spec/remember_spec.rb +0 -451
- data/spec/reset_password_spec.rb +0 -229
- data/spec/rodauth_spec.rb +0 -343
- data/spec/session_expiration_spec.rb +0 -58
- data/spec/single_session_spec.rb +0 -127
- data/spec/spec_helper.rb +0 -327
- data/spec/two_factor_spec.rb +0 -1462
- data/spec/update_password_hash_spec.rb +0 -40
- data/spec/verify_account_grace_period_spec.rb +0 -171
- data/spec/verify_account_spec.rb +0 -240
- data/spec/verify_change_login_spec.rb +0 -46
- data/spec/verify_login_change_spec.rb +0 -232
- data/spec/views/layout-other.str +0 -11
- data/spec/views/layout.str +0 -11
- data/spec/views/login.str +0 -21
@@ -0,0 +1,31 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* A check_csrf configuration method has been added for checking
|
4
|
+
the CSRF token. This is useful in cases where the CSRF protection
|
5
|
+
is provided by something other than the Roda route_csrf plugin.
|
6
|
+
|
7
|
+
= Other Improvements
|
8
|
+
|
9
|
+
* When using the http_basic_auth feature, logged_in? now checks for
|
10
|
+
Basic authentication if the session is not already authenticated
|
11
|
+
and Basic authentication has not yet been checked. This increases
|
12
|
+
compatibility for applications that were using the http_basic_auth
|
13
|
+
feature in Rodauth 1.
|
14
|
+
|
15
|
+
* When creating accounts, the password field now correctly uses the
|
16
|
+
new-password autocomplete attribute instead of the current-password
|
17
|
+
autocomplete attribute.
|
18
|
+
|
19
|
+
* When using the jwt feature, Rodauth no longer checks CSRF tokens
|
20
|
+
in requests to Rodauth routes if the request submitted is a JSON
|
21
|
+
request, includes a JWT, or Rodauth has been configured in JSON-only
|
22
|
+
mode.
|
23
|
+
|
24
|
+
* When using the verify_account_grace_period feature, if there is an
|
25
|
+
unverified account without a password, do not consider the account
|
26
|
+
open. Attempting to login into the account in such a case now
|
27
|
+
shows a message letting the user know to verify the account.
|
28
|
+
|
29
|
+
* The json_response_body configuration method is now used consistently
|
30
|
+
in the jwt feature for all JSON responses. Previously, there were
|
31
|
+
some cases that did not use it.
|
@@ -0,0 +1,39 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* When using the jwt_refresh feature, you can remove the current
|
4
|
+
refresh token when logging out by submitting the refresh token
|
5
|
+
in the logout request, the same as when submitting the refresh
|
6
|
+
token to obtain a new refresh token. You can also use a value
|
7
|
+
of "all" instead of the refresh token to remove all refresh
|
8
|
+
tokens when logging out.
|
9
|
+
|
10
|
+
* A rodauth.otp_last_use method has been added to the otp feature,
|
11
|
+
allowing you to determine when the otp was last used.
|
12
|
+
|
13
|
+
= Other Improvements
|
14
|
+
|
15
|
+
* When using multifactor authentication, rodauth.authenticated? and
|
16
|
+
rodauth.require_authentication now cache values in the session and
|
17
|
+
do not perform queries every time they are called.
|
18
|
+
|
19
|
+
* Many guides for common scenarios have been added to the
|
20
|
+
documentation. These augment Rodauth's existing comprehensive
|
21
|
+
feature documentation, which is aimed to be more of a reference
|
22
|
+
and less of a guide.
|
23
|
+
|
24
|
+
* When the verify_account_grace_period and email_auth features are
|
25
|
+
used with a multifactor authentication feature, and the
|
26
|
+
verify_account_set_password? configuration method is set to true,
|
27
|
+
Rodauth no longer raises a NoMethodError when checking if the
|
28
|
+
session was authenticated.
|
29
|
+
|
30
|
+
* In the verify_account feature, if verify_account_email_resend
|
31
|
+
returns false indicating no email was sent, an error message
|
32
|
+
is now used, instead of a success message.
|
33
|
+
|
34
|
+
* In the password_complexity feature, the password_dictionary
|
35
|
+
configuration method was previously ignored if the default
|
36
|
+
password dictionary file existed.
|
37
|
+
|
38
|
+
* Rodauth and all features that ship with it now have 100% branch
|
39
|
+
coverage.
|
@@ -0,0 +1,37 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* Configuration methods have been added for easier validation of
|
4
|
+
logins when logins must be valid email addresses (the default):
|
5
|
+
|
6
|
+
* login_valid_email?(login) can be used for full control of
|
7
|
+
determining whether the login is valid.
|
8
|
+
|
9
|
+
* login_email_regexp can be used to set the regexp used in the
|
10
|
+
default login_valid_email? check.
|
11
|
+
|
12
|
+
* login_not_valid_email_message can be used to set the field
|
13
|
+
error message if the login is not a valid email. Previously, this
|
14
|
+
value was hardcoded and not translatable.
|
15
|
+
|
16
|
+
* The {create,drop}_database_authentication_functions now work
|
17
|
+
correctly with uuid keys on PostgreSQL. All other parts of
|
18
|
+
Rodauth already worked correctly with uuid keys.
|
19
|
+
|
20
|
+
= Other Improvements
|
21
|
+
|
22
|
+
* The before_jwt_refresh_route hook is now called before the route
|
23
|
+
is taken. Previously, the configuration method had no effect.
|
24
|
+
|
25
|
+
* rodauth.login can now be used by external code to login the current
|
26
|
+
account (the account that rodauth.account returns). This should be
|
27
|
+
passed the authentication type string used to login, such as
|
28
|
+
password.
|
29
|
+
|
30
|
+
* The jwt_refresh route now returns an error for requests where a
|
31
|
+
valid access token for a logged in session is not provided. You
|
32
|
+
can use the jwt_refresh_without_access_token_message and
|
33
|
+
jwt_refresh_without_access_token_status configuration methods
|
34
|
+
to configure the error response.
|
35
|
+
|
36
|
+
* The new refresh token is now available to the after_refresh_token
|
37
|
+
hook by looking in json_response[jwt_refresh_token_key].
|
data/doc/remember.rdoc
CHANGED
@@ -1,99 +1,75 @@
|
|
1
1
|
= Documentation for Remember Feature
|
2
2
|
|
3
|
-
The remember feature allows for token-based autologin for users.
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
3
|
+
The remember feature allows for token-based autologin for users. Calling
|
4
|
+
+rodauth.remember_login+ for an authenticated session will create a token for
|
5
|
+
the current account and store it in a cookie. You can then add the following
|
6
|
+
code to your routing block to automatically login users from that token if the
|
7
|
+
session has expired:
|
8
|
+
|
9
|
+
rodauth.load_memory
|
8
10
|
|
9
11
|
By default, the remember feature just supports a form that the user can use
|
10
12
|
to change their remember settings for the current browser. They can either
|
11
13
|
enable remembering for the browser, forget it for the browser, or disable
|
12
14
|
it completely so that any remembering for other browsers is removed as well.
|
13
15
|
|
14
|
-
In some cases, you may want to
|
15
|
-
|
16
|
-
|
16
|
+
In some cases, you may want to automatically remember users and not require
|
17
|
+
users to turn it on manually. If you want to automatically remember users
|
18
|
+
on login:
|
17
19
|
|
18
20
|
after_login do
|
19
21
|
remember_login
|
20
22
|
end
|
21
23
|
|
24
|
+
The remember feature records which sessions were autologged in via the
|
25
|
+
remember cookie. If you have sections where you want to add more security,
|
26
|
+
you can use the confirm password feature to request password authentication
|
27
|
+
for sessions autologged in via a remember token:
|
28
|
+
|
29
|
+
rodauth.require_password_authentication
|
30
|
+
|
22
31
|
== Auth Value Methods
|
23
32
|
|
24
|
-
extend_remember_deadline? :: Whether to extend the remember token deadline
|
25
|
-
|
26
|
-
|
27
|
-
token to be used. Allows for graceful transition
|
28
|
-
for when +hmac_secret+ is first set.
|
29
|
-
remember_additional_form_tags :: HTML fragment containing additional
|
30
|
-
form tags to use on the change remember
|
31
|
-
setting form.
|
33
|
+
extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token.
|
34
|
+
raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
|
35
|
+
remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
|
32
36
|
remember_button :: The text to use for the change remember settings button.
|
33
37
|
remember_cookie_key :: The cookie name to use for the remember token.
|
34
38
|
remember_cookie_options :: Any options to set for the remember cookie.
|
35
|
-
remember_deadline_column :: The column name in the
|
36
|
-
|
37
|
-
ignored.
|
38
|
-
remember_deadline_interval :: The amount of time for which to remember accounts,
|
39
|
-
14 days by default. Only used if set_deadline_values?
|
40
|
-
is true.
|
39
|
+
remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
|
40
|
+
remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default. Only used if +set_deadline_values?+ is true.
|
41
41
|
remember_disable_label :: The label for disabling remembering.
|
42
42
|
remember_disable_param_value :: The parameter value for disabling remembering.
|
43
|
-
remember_error_flash :: The flash error to show if there is an error changing a
|
44
|
-
remember setting.
|
43
|
+
remember_error_flash :: The flash error to show if there is an error changing a remember setting.
|
45
44
|
remember_forget_label :: The label for turning off remembering.
|
46
45
|
remember_forget_param_value :: The parameter value for turning off remembering.
|
47
|
-
remember_id_column :: The id column in the
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
remember_period :: The additional time to extend the remember deadline if
|
53
|
-
extending remember deadlines.
|
46
|
+
remember_id_column :: The id column in the +remember_table+, should be a foreign key referencing the accounts table.
|
47
|
+
remember_key_column :: The remember key/token column in the +remember_table+.
|
48
|
+
remember_notice_flash :: The flash notice to show after remember setting has been updated.
|
49
|
+
remember_page_title :: The page title to use on the change remember settings form.
|
50
|
+
remember_param :: The parameter name to use for the remember password settings choice.
|
51
|
+
remember_period :: The additional time to extend the remember deadline if extending remember deadlines.
|
54
52
|
remember_redirect :: Where to redirect after changing the remember settings.
|
55
|
-
remember_remember_param_value :: The parameter value for switching on remembering.
|
56
53
|
remember_remember_label :: The label for turning on remembering.
|
57
|
-
|
58
|
-
|
54
|
+
remember_remember_param_value :: The parameter value for switching on remembering.
|
55
|
+
remember_route :: The route to the change remember settings action. Defaults to +remember+.
|
59
56
|
remember_table :: The name of the remember keys table.
|
60
|
-
remember_param :: The parameter name to use for the remember password settings
|
61
|
-
choice.
|
62
|
-
remembered_session_key :: The key in the session storing whether the current
|
63
|
-
session has been autologged in via remember token.
|
64
57
|
|
65
58
|
== Auth Methods
|
66
59
|
|
67
|
-
add_remember_key :: Add a remember key for the current account to the remember
|
68
|
-
|
69
|
-
after_load_memory :: Run arbitrary code after autologging in an account via
|
70
|
-
a remember token.
|
60
|
+
add_remember_key :: Add a remember key for the current account to the remember keys table.
|
61
|
+
after_load_memory :: Run arbitrary code after autologging in an account via a remember token.
|
71
62
|
after_remember :: Run arbitrary code after changing the remember settings.
|
72
|
-
before_load_memory :: Run arbitrary code before autologging in an account via
|
73
|
-
a remember token.
|
63
|
+
before_load_memory :: Run arbitrary code before autologging in an account via a remember token.
|
74
64
|
before_remember :: Run arbitrary code before changing the remember settings.
|
75
65
|
before_remember_route :: Run arbitrary code before handling the remember route.
|
76
|
-
|
77
|
-
|
78
|
-
after successful password confirmation.
|
79
|
-
disable_remember_login :: Disable the remember key token, clearing the token
|
80
|
-
from the database so future connections with the
|
81
|
-
token will not be recognized.
|
82
|
-
forget_login :: Forget the current remember token, deleting the related cookie.
|
83
|
-
Other browsers that have the cookie cached can still use it
|
84
|
-
login.
|
66
|
+
disable_remember_login :: Disable the remember key token, clearing the token from the database so future connections with the token will not be recognized.
|
67
|
+
forget_login :: Forget the current remember token, deleting the related cookie. Other browsers that have the cookie cached can still use it login.
|
85
68
|
generate_remember_key_value :: A random string to use as the remember key.
|
86
69
|
get_remember_key :: Retrieve the remember key from the database.
|
87
|
-
load_memory :: If the remember key cookie is included in the request, and the
|
88
|
-
|
89
|
-
and autologin the user if the remember key cookie matches the
|
90
|
-
current remember key for the account. This method needs to be
|
91
|
-
called manually inside the Roda route block to autologin users.
|
92
|
-
logged_in_via_remember_key? :: Whether the current session was logged in via
|
93
|
-
a remember key.
|
70
|
+
load_memory :: If the remember key cookie is included in the request, and the user is not currently logged in, check the remember keys table and autologin the user if the remember key cookie matches the current remember key for the account. This method needs to be called manually inside the Roda route block to autologin users.
|
71
|
+
logged_in_via_remember_key? :: Whether the current session was logged in via a remember key.
|
94
72
|
remember_key_value :: The current value of the remember key/token.
|
95
|
-
remember_login :: Set the cookie containing the remember token, so that future
|
96
|
-
sessions will be autologged in.
|
73
|
+
remember_login :: Set the cookie containing the remember token, so that future sessions will be autologged in.
|
97
74
|
remember_view :: The HTML to use for the change remember settings form.
|
98
|
-
remove_remember_key(id_value=account_id) :: Delete the related remember key from
|
99
|
-
the database.
|
75
|
+
remove_remember_key(id_value=account_id) :: Delete the related remember key from the database.
|
data/doc/reset_password.rdoc
CHANGED
@@ -10,26 +10,29 @@ the login feature.
|
|
10
10
|
|
11
11
|
no_matching_reset_password_key_error_flash :: The flash error message to show if attempting to access the reset password form with an invalid key.
|
12
12
|
reset_password_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password form.
|
13
|
-
reset_password_autologin? :: Whether to autologin the user after successfully resetting a password.
|
13
|
+
reset_password_autologin? :: Whether to autologin the user after successfully resetting a password, false by default.
|
14
14
|
reset_password_button :: The text to use for the reset password button.
|
15
|
-
reset_password_deadline_column :: The column name in the
|
16
|
-
reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if set_deadline_values
|
15
|
+
reset_password_deadline_column :: The column name in the +reset_password_table+ storing the deadline after which the token will be ignored.
|
16
|
+
reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if +set_deadline_values?+ is true.
|
17
|
+
reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password email when requested.
|
17
18
|
reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password email because one has been sent recently.
|
18
19
|
reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password email because one has been sent recently.
|
19
20
|
reset_password_email_sent_notice_flash :: The flash notice to show after a reset password email has been sent.
|
20
21
|
reset_password_email_sent_redirect :: Where to redirect after sending a reset password email.
|
21
22
|
reset_password_email_subject :: The subject to use for reset password emails.
|
22
23
|
reset_password_error_flash :: The flash error to show after resetting a password.
|
23
|
-
reset_password_email_last_sent_column :: The email last sent column in the reset password keys table. nil by default, so a reset password email is always sent when requested by default.
|
24
24
|
reset_password_explanatory_text :: The text to display above the button to request a password reset.
|
25
|
-
reset_password_id_column :: The id column in the
|
26
|
-
reset_password_key_column :: The reset password key/token column in the
|
25
|
+
reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
|
26
|
+
reset_password_key_column :: The reset password key/token column in the +reset_password_table+.
|
27
27
|
reset_password_key_param :: The parameter name to use for the reset password key.
|
28
|
+
reset_password_notice_flash :: The flash notice to show after resetting a password.
|
29
|
+
reset_password_page_title :: The page title to use on the reset password form.
|
28
30
|
reset_password_redirect :: Where to redirect after resetting a password.
|
29
31
|
reset_password_request_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password request form.
|
30
32
|
reset_password_request_button :: The text to use for the reset password request button.
|
31
33
|
reset_password_request_error_flash :: The flash error to show if not able to send a reset password email.
|
32
|
-
|
34
|
+
reset_password_request_link_text :: The text to use for a link to the page to request a password reset.
|
35
|
+
reset_password_request_page_title :: The page title to use on the reset password request form.
|
33
36
|
reset_password_request_route :: The route to the reset password request action. Defaults to +reset-password-request+.
|
34
37
|
reset_password_route :: The route to the reset password action. Defaults to +reset-password+.
|
35
38
|
reset_password_session_key :: The key in the session to hold the reset password key temporarily.
|
@@ -45,15 +48,15 @@ before_reset_password :: Run arbitrary code before resetting a password.
|
|
45
48
|
before_reset_password_request :: Run arbitrary code before sending the reset password email.
|
46
49
|
before_reset_password_request_route :: Run arbitrary code before handling a reset password request route.
|
47
50
|
before_reset_password_route :: Run arbitrary code before handling a reset password route.
|
48
|
-
create_reset_password_key :: Add the reset password key data to the database.
|
49
51
|
create_reset_password_email :: A Mail::Message for the reset password email.
|
52
|
+
create_reset_password_key :: Add the reset password key data to the database.
|
50
53
|
get_reset_password_email_last_sent :: Get the last time a reset password email is sent, or nil if there is no last sent time.
|
51
54
|
get_reset_password_key(id) :: Get the password reset key for the given account id from the database.
|
52
55
|
login_failed_reset_password_request_form :: The HTML to use for a form to request a password reset, shown on the login page after the user tries to login with an invalid password.
|
53
56
|
remove_reset_password_key :: Remove the reset password key for the current account, run after successful password reset.
|
54
57
|
reset_password_email_body :: The body to use for the reset password email.
|
55
58
|
reset_password_email_link :: The link to the reset password form in the reset password email.
|
56
|
-
reset_password_key_insert_hash :: The hash to insert into the
|
59
|
+
reset_password_key_insert_hash :: The hash to insert into the +reset_password_table+.
|
57
60
|
reset_password_key_value :: The reset password key for the current account.
|
58
61
|
reset_password_request_view :: The HTML to use for the reset password request form.
|
59
62
|
reset_password_view :: The HTML to use for the reset password form.
|
data/doc/session_expiration.rdoc
CHANGED
@@ -22,6 +22,7 @@ max_session_lifetime :: The maximum number of seconds since session creation tha
|
|
22
22
|
session_created_session_key :: The session key storing the session creation timestamp.
|
23
23
|
session_expiration_default :: Whether to expire sessions that don't have the created at or last activity at timestamps set, true by default.
|
24
24
|
session_expiration_error_flash :: The flash error to show if a session expires.
|
25
|
+
session_expiration_error_status :: The error status to use when a JSON request is made and the session has expired, 401 by default.
|
25
26
|
session_expiration_redirect :: Where to redirect if a session expires.
|
26
27
|
session_inactivity_timeout :: The maximum number of seconds allowed since the last activity before the session will be considered invalid. 1800 by default (30 minutes).
|
27
28
|
session_last_activity_session_key :: The session key storing the last session activity timestamp.
|
data/doc/single_session.rdoc
CHANGED
@@ -7,40 +7,31 @@ the stored key by doing:
|
|
7
7
|
|
8
8
|
rodauth.check_single_session
|
9
9
|
|
10
|
-
|
10
|
+
It is not recommended to use this feature unless you
|
11
11
|
have a policy that requires it. Many users find it useful to
|
12
12
|
be able to have multiple concurrent sessions, and restricting
|
13
|
-
this ability does not make things more secure.
|
13
|
+
this ability does not make things more secure. You can use the
|
14
|
+
active_sessions feature for something with similar behavior but
|
15
|
+
that allows for concurrent sessions.
|
14
16
|
|
15
|
-
|
17
|
+
One of the side benefits with this feature is that
|
16
18
|
logouts reset the single session key, so attempts to reuse
|
17
19
|
the previous session after logout no longer work.
|
18
20
|
|
19
21
|
== Auth Value Methods
|
20
22
|
|
21
|
-
allow_raw_single_session_key? :: Whether to allow a raw single session key to
|
22
|
-
|
23
|
-
|
24
|
-
single_session_id_column :: The column in the +single_session_table+ containing
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
single_session_error_flash :: The flash error to display if the current session
|
29
|
-
is no longer the active session for the account.
|
30
|
-
single_session_redirect :: Where to redirect if the current session is no longer
|
31
|
-
the active session for the account.
|
32
|
-
single_session_session_key :: The session key name to use for storing the single
|
33
|
-
session key.
|
23
|
+
allow_raw_single_session_key? :: Whether to allow a raw single session key to be accepted, should only be enabled for graceful transition when +hmac_secret+ is first set.
|
24
|
+
inactive_session_error_status :: The error status to use when a JSON request is made and the session is no longer active, 401 by default.
|
25
|
+
single_session_error_flash :: The flash error to display if the current session is no longer the active session for the account.
|
26
|
+
single_session_id_column :: The column in the +single_session_table+ containing the account id.
|
27
|
+
single_session_key_column :: The column in the +single_session_table+ containing the single session key.
|
28
|
+
single_session_redirect :: Where to redirect if the current session is no longer the active session for the account.
|
29
|
+
single_session_session_key :: The session key name to use for storing the single session key.
|
34
30
|
single_session_table :: The database table storing single session keys.
|
35
31
|
|
36
32
|
== Auth Methods
|
37
33
|
|
38
|
-
currently_active_session? :: Whether the current session is the active session for
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
reset_single_session_key :: Reset the single session key for the user, by default
|
43
|
-
to a new random key.
|
44
|
-
update_single_session_key :: Update the single session key in the current session
|
45
|
-
and in the database, reflecting that the current
|
46
|
-
session is the active session for the user.
|
34
|
+
currently_active_session? :: Whether the current session is the active session for the user.
|
35
|
+
no_longer_active_session :: The action to take if the current session is no longer the active session for the user.
|
36
|
+
reset_single_session_key :: Reset the single session key for the user, by default to a new random key.
|
37
|
+
update_single_session_key :: Update the single session key in the current session and in the database, reflecting that the current session is the active session for the user.
|
data/doc/sms_codes.rdoc
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
= Documentation for SMS Codes Feature
|
2
2
|
|
3
|
-
The sms codes feature allows
|
4
|
-
SMS messages. It is usually used as a backup if
|
5
|
-
or has been locked out, but it can be used as the primary
|
3
|
+
The sms codes feature allows for multifactor authentication via codes provided via
|
4
|
+
SMS messages. It is usually used as a backup if other multifactor authentication is not available
|
5
|
+
or has been locked out, but it can be used as the primary multifactor authentication method.
|
6
6
|
|
7
7
|
This feature allows users to register their mobile phone number with the system, confirm that
|
8
8
|
they can receive SMS messages on the mobile phone number they have registered, request
|
@@ -21,30 +21,36 @@ you prefer:
|
|
21
21
|
== Auth Value Methods
|
22
22
|
|
23
23
|
no_current_sms_code_error_flash :: The flash error to show when going to the SMS authentication page and no current SMS authentication code is available.
|
24
|
-
|
24
|
+
sms :: A hash of SMS information for the user, if SMS authentication has been setup.
|
25
25
|
sms_already_setup_error_flash :: The flash error to show when going to a page to setup SMS authentication if SMS authentication has already been setup.
|
26
|
+
sms_already_setup_error_status :: The response status to use when going to a page to setup SMS authentication if SMS authentication has already been setup, 403 by default.
|
26
27
|
sms_already_setup_redirect :: Where to redirect when going to a page to setup SMS authentication if SMS authentication has already been setup.
|
27
28
|
sms_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via SMS.
|
28
|
-
sms_auth_button :: Text to use for button on form to authenticate via SMS.
|
29
|
+
sms_auth_button :: Text to use for button on the form to authenticate via SMS.
|
29
30
|
sms_auth_code_length :: The length of SMS authentication codes, 6 by default.
|
31
|
+
sms_auth_link_text :: The text to use for the link from the multifactor auth page.
|
32
|
+
sms_auth_page_title :: The page title to use on the form to authenticate via SMS code.
|
30
33
|
sms_auth_redirect :: Where to redirect if SMS authentication is needed.
|
31
34
|
sms_auth_route :: The route to the SMS authentication action. Defaults to +sms-auth+.
|
32
35
|
sms_code_allowed_seconds :: The number of seconds after an SMS authentication is sent until it is no longer valid, 300 seconds by default.
|
33
36
|
sms_code_column :: The column in the +sms_codes_table+ containing the currently valid SMS authentication/confirmation code.
|
34
37
|
sms_code_label :: The label for SMS codes.
|
35
38
|
sms_code_param :: The parameter name for SMS codes.
|
39
|
+
sms_codes_primary? :: Whether SMS codes are a primary multifactor authentication method. If not, they cannot be setup unless multifactor authentication has already been setup.
|
36
40
|
sms_codes_table :: The name of the table storing SMS code data.
|
37
|
-
sms_codes_primary? :: Whether SMS codes are the primary 2nd factor authentication method, true by default if not using the otp feature.
|
38
41
|
sms_confirm_additional_form_tags :: HTML fragment containing additional form tags when confirming SMS setup.
|
39
|
-
sms_confirm_button :: Text to use for button on form to confirm SMS setup.
|
42
|
+
sms_confirm_button :: Text to use for button on the form to confirm SMS setup.
|
40
43
|
sms_confirm_code_length :: The length of SMS confirmation codes, 12 by default, as there is no lockout.
|
41
44
|
sms_confirm_notice_flash :: The flash notice to show when SMS authentication setup has been confirmed.
|
42
|
-
|
45
|
+
sms_confirm_page_title :: The page title to use on the form to authenticate via SMS code.
|
46
|
+
sms_confirm_redirect :: Where to redirect after SMS authentication setup has been confirmed.
|
43
47
|
sms_confirm_route :: The route to the SMS setup confirmation action. Defaults to +sms-confirm+.
|
44
48
|
sms_disable_additional_form_tags :: HTML fragment containing additional form tags when disabling SMS authentication.
|
45
|
-
sms_disable_button :: Text to use for button on form to disable SMS authentication.
|
49
|
+
sms_disable_button :: Text to use for button on the form to disable SMS authentication.
|
46
50
|
sms_disable_error_flash :: The flash error to show when disabling SMS authentication fails.
|
51
|
+
sms_disable_link_text :: The text to use for the remove link from the multifactor manage page.
|
47
52
|
sms_disable_notice_flash :: The flash notice to show when SMS authentication has been successfully disabled.
|
53
|
+
sms_disable_page_title :: The page title to use on the form to disable SMS authentication.
|
48
54
|
sms_disable_redirect :: Where to redirect after SMS authentication has been disabled.
|
49
55
|
sms_disable_route :: The route to the SMS authentication disable action. Defaults to +sms-disable+.
|
50
56
|
sms_failure_limit :: The number of failures until SMS authentication is locked out.
|
@@ -57,23 +63,27 @@ sms_invalid_phone_message :: The error message to show when an invalid SMS phone
|
|
57
63
|
sms_issued_at_column :: The column in the +sms_codes_table+ containing the time the SMS code was issued.
|
58
64
|
sms_lockout_error_flash :: The flash error to show when SMS authentication has been locked out due to repeated failures.
|
59
65
|
sms_lockout_redirect :: Where to redirect after SMS authentication has been locked out.
|
60
|
-
sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
|
61
66
|
sms_needs_confirmation_error_flash :: The flash error to show on SMS authentication pages when SMS authentication setup needs confirmation.
|
67
|
+
sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
|
62
68
|
sms_needs_confirmation_redirect :: Where to redirect after SMS setup, when confirmation is required.
|
63
69
|
sms_needs_setup_redirect :: Where to redirect if going to an SMS authentication page when SMS authentication has not been setup.
|
64
70
|
sms_not_setup_error_flash :: The flash error to show when on SMS authentication pages when SMS authentication has not yet been setup.
|
65
71
|
sms_phone_column :: The column in the +sms_codes_table+ containing the phone number to which to send SMS messages.
|
72
|
+
sms_phone_input_type :: The input type to use for SMS phone numbers, tel by default.
|
66
73
|
sms_phone_label :: The label for SMS phone numbers.
|
67
74
|
sms_phone_min_length :: The minimum length of phone numbers allowed for SMS authentication, 7 by default.
|
68
75
|
sms_phone_param :: The parameter name for SMS phone numbers.
|
69
76
|
sms_request_additional_form_tags :: HTML fragment containing additional form tags when requesting an SMS authentication code.
|
70
|
-
sms_request_button :: Text to use for button on form to request an SMS authentication code.
|
77
|
+
sms_request_button :: Text to use for button on the form to request an SMS authentication code.
|
71
78
|
sms_request_notice_flash :: The flash notice to show when an SMS authentication code is requested.
|
79
|
+
sms_request_page_title :: The page title to use on the form to request an SMS authentication code.
|
72
80
|
sms_request_redirect :: Where to redirect after requesting an SMS authentication code.
|
73
81
|
sms_request_route :: The route to the SMS authentication code request action. Defaults to +sms-request+.
|
74
82
|
sms_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up SMS authentication.
|
75
|
-
sms_setup_button :: Text to use for button on form to setup SMS authentication.
|
83
|
+
sms_setup_button :: Text to use for button on the form to setup SMS authentication.
|
76
84
|
sms_setup_error_flash :: The flash error to show when setting up SMS authentication fails.
|
85
|
+
sms_setup_link_text :: The text to use for the setup link from the multifactor manage page.
|
86
|
+
sms_setup_page_title :: The page title to use on the form to setup SMS authentication.
|
77
87
|
sms_setup_route :: The route to the SMS authentication setup action. Defaults to +sms-setup+.
|
78
88
|
|
79
89
|
== Auth Methods
|
@@ -111,10 +121,10 @@ sms_new_auth_code :: A new SMS authentication code that can be used for the acco
|
|
111
121
|
sms_new_confirm_code :: A new SMS confirmation code that can be used for the account.
|
112
122
|
sms_normalize_phone(phone) :: A normalized version of the given phone number, by default removing everything except 0-9.
|
113
123
|
sms_record_failure :: Record an SMS authentication failure for the current account.
|
114
|
-
sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful
|
124
|
+
sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful multifactor authentication.
|
115
125
|
sms_request_view :: The HTML to use for the form to request an SMS authentication code.
|
116
126
|
sms_send(phone, message) :: Send the given message to the given phone number via SMS. By default a NotImplementedError is raised, this is the only method that must be overridden.
|
117
|
-
sms_set_code(code) :: Set the SMS authentication code for the current account to the given code. The code can be
|
127
|
+
sms_set_code(code) :: Set the SMS authentication code for the current account to the given code. The code can be nil to specify that no SMS authentication code is currently valid.
|
118
128
|
sms_setup :: Setup SMS authentication for the current account.
|
119
129
|
sms_setup? :: Whether SMS authentication has been setup and confirmed for the current account.
|
120
130
|
sms_setup_view :: The HTML to use for the form to setup SMS authentication.
|