rodauth 1.23.0 → 2.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (130) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG +132 -0
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +207 -79
  5. data/doc/account_expiration.rdoc +12 -26
  6. data/doc/active_sessions.rdoc +49 -0
  7. data/doc/audit_logging.rdoc +44 -0
  8. data/doc/base.rdoc +74 -128
  9. data/doc/change_login.rdoc +7 -14
  10. data/doc/change_password.rdoc +9 -13
  11. data/doc/change_password_notify.rdoc +2 -2
  12. data/doc/close_account.rdoc +9 -16
  13. data/doc/confirm_password.rdoc +12 -5
  14. data/doc/create_account.rdoc +11 -22
  15. data/doc/disallow_password_reuse.rdoc +6 -13
  16. data/doc/email_auth.rdoc +15 -14
  17. data/doc/email_base.rdoc +5 -15
  18. data/doc/http_basic_auth.rdoc +10 -1
  19. data/doc/jwt.rdoc +22 -22
  20. data/doc/jwt_cors.rdoc +2 -3
  21. data/doc/jwt_refresh.rdoc +12 -8
  22. data/doc/lockout.rdoc +17 -15
  23. data/doc/login.rdoc +10 -2
  24. data/doc/login_password_requirements_base.rdoc +15 -37
  25. data/doc/logout.rdoc +2 -2
  26. data/doc/otp.rdoc +24 -19
  27. data/doc/password_complexity.rdoc +10 -26
  28. data/doc/password_expiration.rdoc +11 -25
  29. data/doc/password_grace_period.rdoc +16 -2
  30. data/doc/recovery_codes.rdoc +18 -12
  31. data/doc/release_notes/2.0.0.txt +361 -0
  32. data/doc/remember.rdoc +40 -64
  33. data/doc/reset_password.rdoc +12 -9
  34. data/doc/session_expiration.rdoc +1 -0
  35. data/doc/single_session.rdoc +16 -25
  36. data/doc/sms_codes.rdoc +24 -14
  37. data/doc/two_factor_base.rdoc +60 -22
  38. data/doc/verify_account.rdoc +14 -12
  39. data/doc/verify_account_grace_period.rdoc +6 -2
  40. data/doc/verify_login_change.rdoc +9 -8
  41. data/doc/webauthn.rdoc +115 -0
  42. data/doc/webauthn_login.rdoc +15 -0
  43. data/doc/webauthn_verify_account.rdoc +9 -0
  44. data/javascript/webauthn_auth.js +45 -0
  45. data/javascript/webauthn_setup.js +35 -0
  46. data/lib/roda/plugins/rodauth.rb +1 -1
  47. data/lib/rodauth.rb +29 -24
  48. data/lib/rodauth/features/account_expiration.rb +5 -5
  49. data/lib/rodauth/features/active_sessions.rb +160 -0
  50. data/lib/rodauth/features/audit_logging.rb +96 -0
  51. data/lib/rodauth/features/base.rb +131 -47
  52. data/lib/rodauth/features/change_password_notify.rb +1 -1
  53. data/lib/rodauth/features/confirm_password.rb +40 -2
  54. data/lib/rodauth/features/create_account.rb +7 -13
  55. data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
  56. data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
  57. data/lib/rodauth/features/email_auth.rb +29 -27
  58. data/lib/rodauth/features/email_base.rb +3 -3
  59. data/lib/rodauth/features/http_basic_auth.rb +44 -37
  60. data/lib/rodauth/features/jwt.rb +51 -8
  61. data/lib/rodauth/features/jwt_refresh.rb +3 -3
  62. data/lib/rodauth/features/lockout.rb +11 -13
  63. data/lib/rodauth/features/login.rb +48 -8
  64. data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
  65. data/lib/rodauth/features/otp.rb +71 -81
  66. data/lib/rodauth/features/password_complexity.rb +4 -11
  67. data/lib/rodauth/features/password_expiration.rb +1 -1
  68. data/lib/rodauth/features/password_grace_period.rb +17 -10
  69. data/lib/rodauth/features/recovery_codes.rb +47 -51
  70. data/lib/rodauth/features/remember.rb +11 -27
  71. data/lib/rodauth/features/reset_password.rb +25 -25
  72. data/lib/rodauth/features/session_expiration.rb +6 -4
  73. data/lib/rodauth/features/single_session.rb +7 -5
  74. data/lib/rodauth/features/sms_codes.rb +58 -67
  75. data/lib/rodauth/features/two_factor_base.rb +132 -28
  76. data/lib/rodauth/features/verify_account.rb +23 -20
  77. data/lib/rodauth/features/verify_account_grace_period.rb +19 -8
  78. data/lib/rodauth/features/verify_login_change.rb +11 -10
  79. data/lib/rodauth/features/webauthn.rb +507 -0
  80. data/lib/rodauth/features/webauthn_login.rb +70 -0
  81. data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
  82. data/lib/rodauth/version.rb +2 -2
  83. data/templates/button.str +1 -3
  84. data/templates/change-login.str +1 -2
  85. data/templates/change-password.str +3 -5
  86. data/templates/close-account.str +2 -2
  87. data/templates/confirm-password.str +1 -1
  88. data/templates/create-account.str +1 -1
  89. data/templates/email-auth-request-form.str +1 -2
  90. data/templates/email-auth.str +1 -1
  91. data/templates/global-logout-field.str +6 -0
  92. data/templates/login-confirm-field.str +2 -4
  93. data/templates/login-display.str +3 -2
  94. data/templates/login-field.str +2 -4
  95. data/templates/login-form-footer.str +6 -0
  96. data/templates/login-form.str +7 -0
  97. data/templates/login.str +1 -9
  98. data/templates/logout.str +1 -1
  99. data/templates/multi-phase-login.str +3 -0
  100. data/templates/otp-auth-code-field.str +5 -3
  101. data/templates/otp-auth.str +1 -1
  102. data/templates/otp-disable.str +1 -1
  103. data/templates/otp-setup.str +3 -3
  104. data/templates/password-confirm-field.str +2 -4
  105. data/templates/password-field.str +2 -4
  106. data/templates/recovery-auth.str +3 -6
  107. data/templates/recovery-codes.str +1 -1
  108. data/templates/remember.str +15 -20
  109. data/templates/reset-password-request.str +2 -2
  110. data/templates/reset-password.str +1 -2
  111. data/templates/sms-auth.str +1 -1
  112. data/templates/sms-code-field.str +5 -3
  113. data/templates/sms-confirm.str +1 -2
  114. data/templates/sms-disable.str +1 -2
  115. data/templates/sms-request.str +1 -1
  116. data/templates/sms-setup.str +6 -4
  117. data/templates/two-factor-auth.str +5 -0
  118. data/templates/two-factor-disable.str +6 -0
  119. data/templates/two-factor-manage.str +16 -0
  120. data/templates/unlock-account-request.str +2 -2
  121. data/templates/unlock-account.str +1 -1
  122. data/templates/verify-account-resend.str +1 -1
  123. data/templates/verify-account.str +1 -2
  124. data/templates/verify-login-change.str +1 -1
  125. data/templates/webauthn-auth.str +11 -0
  126. data/templates/webauthn-remove.str +14 -0
  127. data/templates/webauthn-setup.str +12 -0
  128. metadata +64 -11
  129. data/doc/verify_change_login.rdoc +0 -11
  130. data/lib/rodauth/features/verify_change_login.rb +0 -20
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e4306ff08603b48a95bc543ffe53188d28d71ffdf8bf7427b65f4384eab8f430
4
- data.tar.gz: a7319dbdfa10b43743ec76f32453ef0d65f3b1a30945f9c3988c7b87c6a639a2
3
+ metadata.gz: 729e0ac62a92c8c92808b20e292ad8b8ad5cc2ba935d62702f8d88496e54e1a1
4
+ data.tar.gz: f0f0aa6dafc54aefd135b3a94b963a136349a69eef9614f4f61f8c24fe759709
5
5
  SHA512:
6
- metadata.gz: 21d00b963f35ce2f356ba139cc07f0e0612484cc55a42efe5502f8401b8c373eeab2b2c71c92f68a2886d523e0b73a5fda80b5137fecec5b26ca9a0f517a3040
7
- data.tar.gz: c5947144c88fbe98c31a2a24cd7a349953f8ff1717b9258f39ff58cbd98de85fb36abf6912b51496b6965ed7367f3fc13aad702db9443e587d9bde15dfc7c7c7
6
+ metadata.gz: 7474a1229f4d069ced3b4575c2aa9d343f4bf1b4f3efd4ed64c33b5985b262863d97366f86d226c261f7cce1ccd20090412639f782b38e5f85f4f56556b45622
7
+ data.tar.gz: 427688ab9aae856b200dee9b7fcfb71bad8bf52b657e1f4d3c8e8ecb3ccd6c2831f71033054bf0d6ef3335fc7697dbdc9a82d29e71393328534b57406316b184
data/CHANGELOG CHANGED
@@ -1,3 +1,135 @@
1
+ === 2.0.0 (2020-05-06)
2
+
3
+ * Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
4
+
5
+ * Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
6
+
7
+ * Default otp_drift to 30 in the otp feature (jeremyevans)
8
+
9
+ * Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
10
+
11
+ * Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
12
+
13
+ * Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
14
+
15
+ * Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
16
+
17
+ * HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
18
+
19
+ * Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
20
+
21
+ * Use a danger button when closing accounts (janko) (#83)
22
+
23
+ * Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
24
+
25
+ * Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
26
+
27
+ * Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
28
+
29
+ * Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
30
+
31
+ * Add audit_logging feature, logging changes to a database table (jeremyevans)
32
+
33
+ * Add hook_action configuration method, called after all before/after hooks (jeremyevans)
34
+
35
+ * Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
36
+
37
+ * Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
38
+
39
+ * Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
40
+
41
+ * Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
42
+
43
+ * Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
44
+
45
+ * Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
46
+
47
+ * Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
48
+
49
+ * Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
50
+
51
+ * Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
52
+
53
+ * Default to using Roda's route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
54
+
55
+ * Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
56
+
57
+ * Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
58
+
59
+ * Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
60
+
61
+ * Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
62
+
63
+ * Make remember feature no longer depend on confirm_password (janko) (#79)
64
+
65
+ * Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
66
+
67
+ * Remove remembered_session_key configuration method, no longer needed (janko) (#80)
68
+
69
+ * Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
70
+
71
+ * Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
72
+
73
+ * Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
74
+
75
+ * Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
76
+
77
+ * Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
78
+
79
+ * Do not allow two factor authentication using same type as primary authentication (jeremyevans)
80
+
81
+ * Do not require passwords by default if the account does not have a password (jeremyevans)
82
+
83
+ * Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
84
+
85
+ * Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
86
+
87
+ * Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
88
+
89
+ * Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
90
+
91
+ * Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
92
+
93
+ * Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
94
+
95
+ * Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
96
+
97
+ * Support and enable autocomplete attributes by default for fields (jeremyevans)
98
+
99
+ * Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
100
+
101
+ * Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
102
+
103
+ * Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
104
+
105
+ * Remove deprecated account_model configuration method (jeremyevans)
106
+
107
+ * Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
108
+
109
+ * Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
110
+
111
+ * Change default setting of login_input_type to email if login_column is :email (jeremyevans)
112
+
113
+ * Change default setting of mark_input_fields_as_required? to true (jeremyevans)
114
+
115
+ * Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
116
+
117
+ * Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
118
+
119
+ * Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
120
+
121
+ * Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
122
+
123
+ * Add webauthn feature to handle WebAuthn authentication (jeremyevans)
124
+
125
+ * Fix corner cases when disabling a second factor when multiple second factors have been setup (jeremyevans)
126
+
127
+ * Don't override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
128
+
129
+ * Add two factor auth, manage, and disable pages (jeremyevans)
130
+
131
+ * Drop support for Ruby 1.8 (jeremyevans)
132
+
1
133
  === 1.23.0 (2020-03-06)
2
134
 
3
135
  * Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
@@ -1,4 +1,4 @@
1
- Copyright (c) 2015-2019 Jeremy Evans
1
+ Copyright (c) 2015-2020 Jeremy Evans
2
2
 
3
3
  Permission is hereby granted, free of charge, to any person obtaining a copy
4
4
  of this software and associated documentation files (the "Software"), to
@@ -1,12 +1,18 @@
1
1
  = Rodauth
2
2
 
3
- Rodauth is an authentication and account management framework for
4
- rack applications. It's built using Roda and Sequel, but it can
5
- be used with other web frameworks, database libraries, and databases.
3
+ Rodauth is Ruby's most advanced authentication framework, designed
4
+ to work in any rack application. It's built using Roda and Sequel,
5
+ but it can be used with other web frameworks, database libraries,
6
+ and databases.
7
+
6
8
  When used with PostgreSQL, MySQL, and Microsoft SQL Server in the
7
9
  default configuration, it offers additional security for password
8
10
  hashes by protecting access via database functions.
9
11
 
12
+ Rodauth supports multiple multifactor authentication methods,
13
+ multiple passwordless authentication methods, and offers both an
14
+ HTML and JSON API for all supported features.
15
+
10
16
  == Design Goals
11
17
 
12
18
  * Security: Ship in a maximum security by default configuration
@@ -26,10 +32,14 @@ hashes by protecting access via database functions.
26
32
  * Confirm Password
27
33
  * Remember (Autologin via token)
28
34
  * Lockout (Bruteforce protection)
29
- * Email Authentication (Login via email link)
30
- * OTP (2 factor authentication via TOTP)
31
- * Recovery Codes (2 factor authentication via backup codes)
32
- * SMS Codes (2 factor authentication via SMS)
35
+ * Audit Logging
36
+ * Email Authentication (Passwordless login via email link)
37
+ * WebAuthn (Multifactor authentication via WebAuthn)
38
+ * WebAuthn Login (Passwordless login via WebAuthn)
39
+ * WebAuthn Verify Account (Passwordless WebAuthn Setup)
40
+ * OTP (Multifactor authentication via TOTP)
41
+ * Recovery Codes (Multifactor authentication via backup codes)
42
+ * SMS Codes (Multifactor authentication via SMS)
33
43
  * Verify Login Change (Verify new login before changing login)
34
44
  * Verify Account Grace Period (Don't require verification before login)
35
45
  * Password Grace Period (Don't require password entry if recently entered)
@@ -39,6 +49,7 @@ hashes by protecting access via database functions.
39
49
  * Password Expiration
40
50
  * Account Expiration
41
51
  * Session Expiration
52
+ * Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
42
53
  * Single Session (Only one active session per account)
43
54
  * JWT (JSON API support for all other features)
44
55
  * JWT Refresh (Access & Refresh Token)
@@ -58,21 +69,24 @@ IRC :: irc://chat.freenode.net/#rodauth
58
69
 
59
70
  == Dependencies
60
71
 
61
- There are some dependencies that Rodauth uses by default, but are
62
- development dependencies instead of runtime dependencies in the
63
- gem as it is possible to run without them:
72
+ There are some dependencies that Rodauth uses depending on the
73
+ features in use. These are development dependencies instead of
74
+ runtime dependencies in the gem as it is possible to run without them:
64
75
 
65
76
  tilt :: Used by all features unless in JSON API only mode.
66
- rack_csrf :: Used by all features unless in JSON API only mode
67
- or the :csrf=>false|:route_csrf option is used when
68
- loading the Rodauth plugin.
77
+ rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
78
+ option is given (the default is to use Roda's route_csrf
79
+ plugin, as that allows for more secure request-specific
80
+ tokens).
69
81
  bcrypt :: Used by default for password matching, can be skipped
70
82
  if password_match? is overridden for custom authentication.
71
83
  mail :: Used by default for mailing in the reset password, verify
72
- account, verify_login_change, change_password_notify, and
73
- lockout features.
74
- rotp, rqrcode :: Used by the otp feature
84
+ account, verify_login_change, change_password_notify,
85
+ lockout, and email_auth features.
86
+ rotp :: Used by the otp feature
87
+ rqrcode :: Used by the otp feature
75
88
  jwt :: Used by the jwt feature
89
+ webauthn :: Used by the webauthn feature
76
90
 
77
91
  == Security
78
92
 
@@ -143,10 +157,10 @@ function to reduce the risk of timing attacks.
143
157
 
144
158
  == HMAC
145
159
 
146
- By default, Rodauth does not use HMACs, but you are encouraged to use
147
- the +hmac_secret+ configuration method to set an HMAC secret. Setting
148
- an HMAC secret will enable HMACs for additional security, as described
149
- below.
160
+ By default, for backwards compatibility, Rodauth does not use HMACs,
161
+ but you are strongly encouraged to use the +hmac_secret+ configuration
162
+ method to set an HMAC secret. Setting an HMAC secret will enable HMACs
163
+ for additional security, as described below.
150
164
 
151
165
  === email_base feature
152
166
 
@@ -213,6 +227,17 @@ to the OTP setup route. This will return an error with the +otp_secret+ and
213
227
  in the POST request to setup OTP, along with a valid OTP auth code for the
214
228
  +otp_secret+.
215
229
 
230
+ === webauthn feature
231
+
232
+ Setting +hmac_secret+ is required to use the webauthn feature, as it is
233
+ used for checking that the provided authentication challenges have not
234
+ been modified.
235
+
236
+ === active_sessions feature
237
+
238
+ Setting +hmac_secret+ is required to use the active_sessions feature,
239
+ as the database stores an HMAC of the active session ID.
240
+
216
241
  === single_session feature
217
242
 
218
243
  Setting +hmac_secret+ will ensure the single session secret set in the
@@ -406,6 +431,25 @@ Note that these migrations require Sequel 4.35.0+.
406
431
  end
407
432
  end
408
433
 
434
+ # Used by the audit logging feature
435
+ json_type = case database_type
436
+ when :postgres
437
+ :jsonb
438
+ when :sqlite, :mysql
439
+ :json
440
+ else
441
+ String
442
+ end
443
+ create_table(:account_authentication_audit_logs) do
444
+ primary_key :id, :type=>:Bignum
445
+ foreign_key :account_id, :accounts, :null=>false, :type=>:Bignum
446
+ DateTime :at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
447
+ String :message, :null=>false
448
+ column :metadata, json_type
449
+ index [:account_id, :at], :name=>:audit_account_at_idx
450
+ index :at, :name=>:audit_at_idx
451
+ end
452
+
409
453
  # Used by the password reset feature
410
454
  create_table(:account_password_reset_keys) do
411
455
  foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -417,9 +461,10 @@ Note that these migrations require Sequel 4.35.0+.
417
461
  # Used by the jwt refresh feature
418
462
  create_table(:account_jwt_refresh_keys) do
419
463
  primary_key :id, :type=>:Bignum
420
- foreign_key :account_id, :accounts, :type=>:Bignum
464
+ foreign_key :account_id, :accounts, :null=>false, :type=>:Bignum
421
465
  String :key, :null=>false
422
466
  DateTime :deadline, deadline_opts[1]
467
+ index :account_id, :name=>:account_jwt_rk_account_id_idx
423
468
  end
424
469
 
425
470
  # Used by the account verification feature
@@ -485,6 +530,29 @@ Note that these migrations require Sequel 4.35.0+.
485
530
  String :key, :null=>false
486
531
  end
487
532
 
533
+ # Used by the active sessions feature
534
+ create_table(:account_active_session_keys) do
535
+ foreign_key :account_id, :accounts, :type=>:Bignum
536
+ String :session_id
537
+ Time :created_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
538
+ Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
539
+ primary_key [:account_id, :session_id]
540
+ end
541
+
542
+ # Used by the webauthn feature
543
+ create_table(:account_webauthn_user_ids) do
544
+ foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
545
+ String :webauthn_id, :null=>false
546
+ end
547
+ create_table(:account_webauthn_keys) do
548
+ foreign_key :account_id, :accounts, :type=>:Bignum
549
+ String :webauthn_id
550
+ String :public_key, :null=>false
551
+ Integer :sign_count, :null=>false
552
+ Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
553
+ primary_key [:account_id, :webauthn_id]
554
+ end
555
+
488
556
  # Used by the otp feature
489
557
  create_table(:account_otp_keys) do
490
558
  foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -519,22 +587,26 @@ Note that these migrations require Sequel 4.35.0+.
519
587
  else
520
588
  get(Sequel.function(:DB_NAME))
521
589
  end
522
- run "GRANT ALL ON account_statuses TO #{user}"
523
- run "GRANT ALL ON accounts TO #{user}"
524
- run "GRANT ALL ON account_password_reset_keys TO #{user}"
525
- run "GRANT ALL ON account_jwt_refresh_keys TO #{user}"
526
- run "GRANT ALL ON account_verification_keys TO #{user}"
527
- run "GRANT ALL ON account_login_change_keys TO #{user}"
528
- run "GRANT ALL ON account_remember_keys TO #{user}"
529
- run "GRANT ALL ON account_login_failures TO #{user}"
530
- run "GRANT ALL ON account_lockouts TO #{user}"
531
- run "GRANT ALL ON account_email_auth_keys TO #{user}"
532
- run "GRANT ALL ON account_password_change_times TO #{user}"
533
- run "GRANT ALL ON account_activity_times TO #{user}"
534
- run "GRANT ALL ON account_session_keys TO #{user}"
535
- run "GRANT ALL ON account_otp_keys TO #{user}"
536
- run "GRANT ALL ON account_recovery_codes TO #{user}"
537
- run "GRANT ALL ON account_sms_codes TO #{user}"
590
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_statuses TO #{user}"
591
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO #{user}"
592
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_authentication_audit_logs TO #{user}"
593
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_reset_keys TO #{user}"
594
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_jwt_refresh_keys TO #{user}"
595
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_verification_keys TO #{user}"
596
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_change_keys TO #{user}"
597
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_remember_keys TO #{user}"
598
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_failures TO #{user}"
599
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_email_auth_keys TO #{user}"
600
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_lockouts TO #{user}"
601
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_change_times TO #{user}"
602
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_activity_times TO #{user}"
603
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_session_keys TO #{user}"
604
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_active_session_keys TO #{user}"
605
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_user_ids TO #{user}"
606
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_keys TO #{user}"
607
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_otp_keys TO #{user}"
608
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_recovery_codes TO #{user}"
609
+ run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_sms_codes TO #{user}"
538
610
  end
539
611
  end
540
612
 
@@ -542,7 +614,10 @@ Note that these migrations require Sequel 4.35.0+.
542
614
  drop_table(:account_sms_codes,
543
615
  :account_recovery_codes,
544
616
  :account_otp_keys,
617
+ :account_webauthn_keys,
618
+ :account_webauthn_user_ids,
545
619
  :account_session_keys,
620
+ :account_active_session_keys,
546
621
  :account_activity_times,
547
622
  :account_password_change_times,
548
623
  :account_email_auth_keys,
@@ -553,6 +628,7 @@ Note that these migrations require Sequel 4.35.0+.
553
628
  :account_verification_keys,
554
629
  :account_jwt_refresh_keys,
555
630
  :account_password_reset_keys,
631
+ :account_authentication_audit_logs,
556
632
  :accounts,
557
633
  :account_statuses)
558
634
  end
@@ -644,7 +720,8 @@ for the password user using Sequel's migration API:
644
720
 
645
721
  If the database is not PostgreSQL, MySQL, or Microsoft SQL Server, or you
646
722
  cannot use multiple user accounts, just combine the two migrations into a
647
- single migration.
723
+ single migration, removing all the code related to database permissions
724
+ and database functions.
648
725
 
649
726
  One thing to notice in the above migrations is that Rodauth uses additional
650
727
  tables for additional features, instead of additional columns in a single
@@ -761,10 +838,8 @@ should be flexible enough to integrate into most legacy systems.
761
838
  When loading the rodauth plugin, you can also pass an options hash,
762
839
  which configures which dependent plugins should be loaded. Options:
763
840
 
764
- :csrf :: Set to +false+ to not load a csrf plugin. Set to +:route_csrf+
765
- to use the route_csrf plugin instead of the csrf plugin. It is
766
- recommended to set the +:route_csrf+ option as that allows
767
- for more secure request-specific CSRF tokens.
841
+ :csrf :: Set to +false+ to not load a csrf plugin. Set to +:rack_csrf+
842
+ to use the csrf plugin instead of the route_csrf plugin.
768
843
  :flash :: Set to +false+ to not load the flash plugin
769
844
  :json :: Set to +true+ to load the json and json_parser plugins. Set
770
845
  to +:only+ to only load those plugins and not any other plugins.
@@ -783,42 +858,46 @@ view the appropriate file in the doc directory.
783
858
  * {Login Password Requirements Base}[rdoc-ref:doc/login_password_requirements_base.rdoc] (this feature is autoloaded by features that set logins/passwords)
784
859
  * {Email Base}[rdoc-ref:doc/email_base.rdoc] (this feature is autoloaded by features that send email)
785
860
  * {Two Factor Base}[rdoc-ref:doc/two_factor_base.rdoc] (this feature is autoloaded by 2 factor authentication features)
786
- * {Login}[rdoc-ref:doc/login.rdoc]
787
- * {Logout}[rdoc-ref:doc/logout.rdoc]
861
+ * {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
862
+ * {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
863
+ * {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
864
+ * {Change Login}[rdoc-ref:doc/change_login.rdoc]
788
865
  * {Change Password}[rdoc-ref:doc/change_password.rdoc]
789
866
  * {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]
790
- * {Change Login}[rdoc-ref:doc/change_login.rdoc]
791
- * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
792
- * {Create Account}[rdoc-ref:doc/create_account.rdoc]
793
867
  * {Close Account}[rdoc-ref:doc/close_account.rdoc]
794
- * {Verify Account}[rdoc-ref:doc/verify_account.rdoc]
795
868
  * {Confirm Password}[rdoc-ref:doc/confirm_password.rdoc]
796
- * {Remember}[rdoc-ref:doc/remember.rdoc]
797
- * {Lockout}[rdoc-ref:doc/lockout.rdoc]
869
+ * {Create Account}[rdoc-ref:doc/create_account.rdoc]
870
+ * {Disallow Common Passwords}[rdoc-ref:doc/disallow_common_passwords.rdoc]
871
+ * {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
798
872
  * {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
873
+ * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
874
+ * {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
875
+ * {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
876
+ * {JWT}[rdoc-ref:doc/jwt.rdoc]
877
+ * {Lockout}[rdoc-ref:doc/lockout.rdoc]
878
+ * {Login}[rdoc-ref:doc/login.rdoc]
879
+ * {Logout}[rdoc-ref:doc/logout.rdoc]
799
880
  * {OTP}[rdoc-ref:doc/otp.rdoc]
800
- * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
801
- * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
802
- * {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
803
- * {Verify Change Login}[rdoc-ref:doc/verify_change_login.rdoc]
804
- * {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
805
- * {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
806
881
  * {Password Complexity}[rdoc-ref:doc/password_complexity.rdoc]
807
- * {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
808
- * {Disallow Common Passwords}[rdoc-ref:doc/disallow_common_passwords.rdoc]
809
- * {Update Password Hash}[rdoc-ref:doc/update_password_hash.rdoc]
810
882
  * {Password Expiration}[rdoc-ref:doc/password_expiration.rdoc]
811
- * {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
883
+ * {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
884
+ * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
885
+ * {Remember}[rdoc-ref:doc/remember.rdoc]
886
+ * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
812
887
  * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
813
888
  * {Single Session}[rdoc-ref:doc/single_session.rdoc]
814
- * {JWT}[rdoc-ref:doc/jwt.rdoc]
815
- * {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
816
- * {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
817
- * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
889
+ * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
890
+ * {Update Password Hash}[rdoc-ref:doc/update_password_hash.rdoc]
891
+ * {Verify Account}[rdoc-ref:doc/verify_account.rdoc]
892
+ * {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
893
+ * {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
894
+ * {WebAuthn}[rdoc-ref:doc/webauthn.rdoc]
895
+ * {WebAuthn Login}[rdoc-ref:doc/webauthn_login.rdoc]
896
+ * {WebAuthn Verify Account}[rdoc-ref:doc/webauthn_verify_account.rdoc]
818
897
 
819
898
  === Calling Rodauth in the Routing Tree
820
899
 
821
- In general, you will usually want to call rodauth early in your
900
+ In general, you will usually want to call +r.rodauth+ early in your
822
901
  route block:
823
902
 
824
903
  route do |r|
@@ -897,6 +976,12 @@ logged_in? :: Whether the session has been logged in.
897
976
  authenticated? :: Similar to +logged_in?+, but if the account has setup two
898
977
  factor authentication, whether the session has authenticated
899
978
  via two factors.
979
+ authenticated_by :: An array of strings for successful authentication methods for
980
+ the current session (e.g. password/remember/webauthn).
981
+ possible_authentication_methods :: An array of strings for possible authentication
982
+ types that can be used for the account.
983
+ autologin_type :: If the current session was authenticated via autologin, the
984
+ type of autologin used.
900
985
  require_two_factor_setup :: (two_factor_base feature) Require the session to have
901
986
  setup two factor authentication, redirecting the
902
987
  request to the two factor authentication setup page
@@ -911,6 +996,14 @@ require_current_password :: (password_expiration feature) Require a current
911
996
  password, redirecting the request to the change
912
997
  password page if the password for the account has
913
998
  expired.
999
+ require_password_authentication :: (confirm_password feature) If not authenticated
1000
+ via password and the account has a password,
1001
+ redirect to the password confirmation page,
1002
+ saving the current location to redirect back
1003
+ to after password has been successfully
1004
+ confirmed. If the password_grace_period feature
1005
+ is used, also redirect if the password has not
1006
+ been recently entered.
914
1007
  load_memory :: (remember feature) If the session has not been authenticated, look
915
1008
  for the remember cookie. If present and valid, automatically
916
1009
  log the session in, but mark that it was logged in via a remember
@@ -920,9 +1013,15 @@ logged_in_via_remember_key? :: (remember feature) Whether the current session ha
920
1013
  sensitive actions where you want to require the user
921
1014
  to reenter the password, you can use the
922
1015
  confirm_password feature.
1016
+ http_basic_auth :: (http_basic_auth feature) Use HTTP Basic Authentication information
1017
+ to login the user if provided.
1018
+ require_http_basic_auth :: (http_basic_auth feature) Require that HTTP Basic
1019
+ Authentication be provided in the request.
923
1020
  check_session_expiration :: (session_expiration feature) Check whether the current
924
1021
  session has expired, automatically logging the session
925
1022
  out if so.
1023
+ check_active_session :: (active_sessions feature) Check whether the current session
1024
+ is still active, automatically logging the session out if not.
926
1025
  check_single_session :: (single_session feature) Check whether the current
927
1026
  session is still the only valid session, automatically logging
928
1027
  the session out if not.
@@ -931,10 +1030,15 @@ verified_account? :: (verify_grace_period feature) Whether the account is curren
931
1030
  login as they are in the grace period.
932
1031
  locked_out? :: (lockout feature) Whether the account for the current session has been
933
1032
  locked out.
1033
+ authenticated_webauthn_id :: (webauthn feature) If the current session was
1034
+ authenticated via webauthn, the webauthn id of the
1035
+ credential used.
934
1036
  *_path :: One of these is added for each of the routes added by Rodauth, giving the
935
- relative path to the route.
1037
+ relative path to the route. Any options passed to this method will be
1038
+ converted into query parameters.
936
1039
  *_url :: One of these is added for each of the routes added by Rodauth, giving the
937
- absolute path to the routE.
1040
+ URL to the route. Any options passed to this method will be converted
1041
+ into query parameters.
938
1042
 
939
1043
  === With Multiple Configurations
940
1044
 
@@ -1066,6 +1170,20 @@ Facebook OAuth access token.
1066
1170
  end
1067
1171
  end
1068
1172
 
1173
+ === With Rails
1174
+
1175
+ If you're using Rails, you can use the
1176
+ {rodauth-rails}[https://github.com/janko/rodauth-rails] gem which provides
1177
+ Rails integration for Rodauth. Some of its features include:
1178
+
1179
+ * generators for Rodauth & Sequel configuration, as well as views and mailers
1180
+ * uses Rails' flash messages and CSRF protection
1181
+ * automatically sets HMAC secret to Rails' secret key base
1182
+ * uses Action Controller & Action View for rendering templates
1183
+ * uses Action Mailer for sending emails
1184
+
1185
+ Follow the instructions in the rodauth-rails README to get started.
1186
+
1069
1187
  === With Other Web Frameworks
1070
1188
 
1071
1189
  You can use Rodauth even if your application does not use the Roda web
@@ -1110,17 +1228,20 @@ don't use Roda:
1110
1228
 
1111
1229
  === Using 2 Factor Authentication
1112
1230
 
1113
- Rodauth ships with 2 factor authentication support via TOTP (Time-Based
1114
- One-Time Passwords, RFC 6238). There are a wide variety of ways in
1115
- which to integrate 2 factor authentication into your site with Rodauth,
1116
- based on the needs of the application.
1231
+ Rodauth ships with 2 factor authentication support via the following
1232
+ methods:
1233
+
1234
+ * WebAuthn
1235
+ * TOTP (Time-Based One-Time Passwords, RFC 6238).
1236
+ * SMS Codes
1237
+ * Recovery Codes
1117
1238
 
1118
- The 2 factor authentication support is part of the OTP feature, which
1119
- needs to be enabled in addition to the login feature. In addition,
1120
- when implementing 2 factor authentication, you should generally
1121
- provide a backup 2nd factor if the primary second factor is not
1122
- available. Rodauth supports SMS codes and recovery codes as other
1123
- 2nd factors.
1239
+ There are multiple ways to integrate 2 factor authentication with
1240
+ Rodauth, based on the needs of the application. By default, SMS
1241
+ codes and recovery codes are treated only as backup 2nd factors,
1242
+ a user cannot enable them without first enabling another 2nd factor
1243
+ authentication method. However, you can change this by using
1244
+ a configuration method.
1124
1245
 
1125
1246
  If you want to support but not require 2 factor authentication:
1126
1247
 
@@ -1134,7 +1255,7 @@ If you want to support but not require 2 factor authentication:
1134
1255
  # ...
1135
1256
  end
1136
1257
 
1137
- If you want to force all users to use OTP authentication, requiring users
1258
+ If you want to force all users to use 2 factor authentication, requiring users
1138
1259
  that don't currently have two authentication to set it up:
1139
1260
 
1140
1261
  route do |r|
@@ -1251,7 +1372,7 @@ use the following basic structure
1251
1372
  end
1252
1373
  end
1253
1374
 
1254
- See the source code for the features that ship with Rodauth for an
1375
+ See the {internals guide}[rdoc-ref:doc/internals.rdoc] for a more complete
1255
1376
  example of how to construct features.
1256
1377
 
1257
1378
  === Overriding Route-Level Behavior
@@ -1281,6 +1402,13 @@ benefit from precompiling your rodauth templates:
1281
1402
  end
1282
1403
  precompile_rodauth_templates
1283
1404
 
1405
+ == Ruby Support Policy
1406
+
1407
+ Rodauth fully supports the currently supported versions of Ruby (MRI) and JRuby. It may
1408
+ support unsupported versions of Ruby or JRuby, but such support may be dropped in any
1409
+ minor version if keeping it becomes a support issue. The minimum Ruby version
1410
+ required to run the current version of Rodauth is 1.9.2.
1411
+
1284
1412
  == Similar Projects
1285
1413
 
1286
1414
  All of these are Rails-specific: