rodauth 1.23.0 → 2.0.0

data/doc/account_expiration.rdoc

@@ -19,37 +19,23 @@ if you need such a feature.
 
 == Auth Value Methods
 
-account_activity_expired_column :: The column in the +account_activity_table+
-                                   storing the expiration timestamp.
-account_activity_id_column :: The column in the +account_activity_table+
-                              storing the account id.
-account_activity_last_activity_column :: The column in the +account_activity_table+
-                                         storing the last activity timestamp.
-account_activity_last_login_column :: The column in the +account_activity_table+
-                                      storing the last login timestamp.
-account_activity_table :: The database table use for storing account
-                          login/activity/expiration timestamps.
-account_expiration_error_flash :: The flash error to show when attempting to
-                                  login to an account that has expired.
-account_expiration_redirect :: Where to redirect after attempting to login to
-                               an account that has expired.
-expire_account_after :: How long in seconds from last login or activity until
-                        an account is considered expired.
-expire_account_on_last_activity? :: Whether to use the last activity timestamp
-                                    when checking an account for expiration.
-                                    By default, this is false and it uses the
-                                    last login timestamp.
+account_activity_expired_column :: The column in the +account_activity_table+ storing the expiration timestamp.
+account_activity_id_column :: The column in the +account_activity_table+ storing the account id.
+account_activity_last_activity_column :: The column in the +account_activity_table+ storing the last activity timestamp.
+account_activity_last_login_column :: The column in the +account_activity_table+ storing the last login timestamp.
+account_activity_table :: The database table use for storing account login/activity/expiration timestamps.
+account_expiration_error_flash :: The flash error to show when attempting to login to an account that has expired.
+account_expiration_redirect :: Where to redirect after attempting to login to an account that has expired.
+expire_account_after :: How long in seconds from last login or activity until an account is considered expired.
+expire_account_on_last_activity? :: Whether to use the last activity timestamp when checking an account for expiration.  By default, this is false and it uses the last login timestamp.
 
 == Auth Methods
 
 account_expired? :: Whether the current account has expired.
-account_expired_at :: The expiration timestamp for the current account, nil if the
-                      account hasn't been expired.
+account_expired_at :: The expiration timestamp for the current account, nil if the account hasn't been expired.
 after_account_expiration :: Run arbitrary code after account expiration.
-last_account_activity_at :: The last activity timestamp for the current account, nil if
-                            the account hasn't had activity recorded yet.
-last_account_login_at :: The last login timestamp for the current account, nil if
-                         the account hasn't had a login recorded yet.
+last_account_activity_at :: The last activity timestamp for the current account, nil if the account hasn't had activity recorded yet.
+last_account_login_at :: The last login timestamp for the current account, nil if the account hasn't had a login recorded yet.
 set_expired :: Set the current account as having expired.
 update_last_activity :: Update the last activity timestamp for the account.
 update_last_login :: Update the last login timestamp for the account.

data/doc/active_sessions.rdoc

@@ -0,0 +1,49 @@
+= Documentation for Active Sessions Feature
+
+The active sessions feature stores an id for each session in a
+database table whenever a user logs in to the system.  In your
+routing block, you can check that the session id given is
+still listed as an active session:
+
+  rodauth.check_active_session
+
+On logout, the session id is removed from the database table,
+so attempts to reuse the session id after that will fail.
+Additionally, this supports an option on logout to globally
+logout all sessions, which removes all active session ids for
+the account from the database table.
+
+In addition to removing sessions on logout, this also by default
+supports session inactivity deadlines (based on time since last
+use) and session lifetime deadlines (based on time since session
+creation).  To prevent the sessions table from growing
+indefinitely, sessions that are passed either deadline are
+removed when checking if the current session is active.
+
+This depends on the logout feature.
+
+== Auth Value Methods
+
+active_sessions_account_id_column :: The column in the +active_sessions_table+ containing the account id.
+active_sessions_created_at_column :: The column in the +active_sessions_table+ containing the time of session creation.
+active_sessions_error_flash :: The flash error to display if the current session is no longer active.
+active_sessions_last_use_column :: The column in the +active_sessions_table+ containing the time the session was last used.
+active_sessions_redirect :: Where to redirect if the current session is no longer active.
+active_sessions_session_id_column :: The column in the +active_sessions_table+ containing the session_id.
+active_sessions_table :: The database table storing active session keys.
+global_logout_label :: The label for the global logout checkbox on the logout page.
+global_logout_param :: The parameter name for the global logout checkbox on the logout page.
+inactive_session_error_status :: The error status to use when a JSON request is made and the session is no longer active, 401 by default.
+session_id_session_key :: The session key name to use for storing the session id.
+session_inactivity_deadline :: The number of seconds since last use after which the session will be considered expired (1 day by default).  Can be set to nil to not check session inactivity.
+session_lifetime_deadline :: The number of seconds since session creation after which the session will be considered expired (30 days by default).   Can be set to nil to not check session lifetimes.
+
+== Auth Methods
+
+add_active_session :: Create a session id for the session and populate the session and add the session id to the database.
+currently_active_session? :: Whether the session is currently active, by checking the database table.
+handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
+no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
+remove_all_active_sessions :: Remove all active session from the database, used for global logouts and when closing accounts.
+remove_current_session :: Remove current session from the database, used for regular logouts.
+remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/audit_logging.rdoc

@@ -0,0 +1,44 @@
+= Documentation for Audit Logging Feature
+
+The audit logging feature adds audit logging of rodauth actions to a
+database table.  It ties into the after hook processing used by all
+features so that all features that use after hooks automatically
+support audit logging.
+
+In addition to the configuration methods defined below, the audit
+logging feature also offers two additional configuration methods
+for action specific audit log messages and metadata,
++audit_log_message_for+ and +audit_log_metadata_for+.  These
+methods take the action symbol and either take a value or a
+block that returns a value to use for the message and metadata
+for that action:
+
+  audit_log_message_for :login, "I have logged in"
+  audit_log_metadata_for :logout, 'Uses'=>'JSON Metadata'
+
+  audit_log_message_for :login_failure do
+    "Login failure on domain #{request.host}"
+  end
+  audit_log_metadata_for :login_failure do
+    {'ip'=>request.ip}
+  end
+
+To skip audit logging for a particular action, you can set the
+log message for the action to nil.
+
+== Auth Value Methods
+
+audit_logging_account_id_column :: The id column in the +audit_logging_table+, should be a foreign key referencing the accounts table.
+audit_logging_message_column :: The message column in the +audit_logging_table+, containing the log message.
+audit_logging_metadata_column :: The metadata column in the +audit_logging_table+, storing metadata for the log (if any).
+audit_logging_table :: The name of the audit logging table.
+audit_log_metadata_default :: The default metadata to use for logs that do not have custom metadata specified by +audit_log_metadata_for+.
+
+== Auth Methods
+
+add_audit_log(account_id, action) :: Add an appropriate audit log entry for the account id and action.
+audit_log_insert_hash(account_id, action) :: A hash to use when inserting into the +audit_logging_table+.
+audit_log_message(action) :: The log message to use when logging the action, by default using +audit_log_message_for+ and +audit_log_message_default+.
+audit_log_message_default(action) :: The log message to use when logging the action for logs that do not have custom metadata specified by +audit_log_message_for+
+audit_log_metadata(action) :: The metadata to use when logging the action, by default using +audit_log_metadata_for+ and +audit_log_metadata_default+.
+serialize_audit_log_metadata(metadata) :: Serialize the metadata for insertion into the database.  By default, this converts the metadata using +to_json+, unless the metadata is nil.

data/doc/base.rdoc

@@ -7,151 +7,97 @@ shared functionality that is used by multiple features.
 
 === Most Commonly Used
 
+account_password_hash_column :: Set if the password hash column is in the same table as the login.  If this is set, Rodauth will check the password hash in ruby. This is often used if you are replacing a legacy authentication system with Rodauth.
 accounts_table :: The database table containing the accounts.
-account_password_hash_column :: Set if the password hash column is in the same
-                                table as the login.  If this is set, Rodauth
-                                will check the password hash in ruby. This is
-                                often used if you are replacing a legacy
-                                authentication system with Rodauth.
+base_url :: The base URL to use, used when construct absolute links. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.
 db :: The Sequel::Database object used for database access.
-hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is
-               not set by default, in which case Rodauth does not use HMACs for
-               additional security.  However, it is highly recommended that you
-               set this.
-mark_input_fields_as_required? :: Whether input fields should be marked as
-                                  required, so browsers will not allow submission
-                                  without filling out the field (default: false).
-prefix :: The routing prefix used for Rodauth routes.  If you are calling
-          in a routing subtree, this should be set to the root path of the
-          subtree.  This should include a leading slash if set, but not a
-          trailing slash.
-require_bcrypt? :: Set to false to not require bcrypt, useful if using custom
-                   authentication.
-session_key :: The key in the session hash storing the primary key of the
-               logged in account.
-skip_status_checks? :: Whether status checks should be skipped for accounts.
-                       Defaults to false unless enabling the verify_account
-                       or close_account features.
-title_instance_variable :: The instance variable to set in the Roda scope with
-                           the page title.  The layout should use this instance
-                           variable if available to set the title of the page.
+domain :: The domain to use, required by some other features. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.
+hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is not set by default, in which case Rodauth does not use HMACs for additional security.  However, it is highly recommended that you set this, and some features require it.
+mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
+prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
+require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
+session_key :: The key in the session hash storing the primary key of the logged in account.
+skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.
+title_instance_variable :: The instance variable to set in the Roda scope with the page title.  The layout should use this instance variable if available to set the title of the page.  You can use +set_title+ if setting the page title is not done through an instance variable.
 
 === Other
 
-account_id_column :: The primary key column of the account model.
+account_id_column :: The primary key column of the +accounts_table+.
 account_open_status_value :: The integer representing open accounts.
-account_select :: An array of columns to select from +accounts_table+. By
-                  default, selects all columns in the table.
-account_status_column :: The status id column in the account model.
-account_unverified_status_value :: The representating unverified accounts.
-cache_templates :: Whether to cache templates. True by default. It may be worth
-                   switching this to false in development if you are using your
-                   own templates instead of the templates provided by Rodauth.
+account_select :: An array of columns to select from +accounts_table+. By default, selects all columns in the table.
+account_status_column :: The status id column in the +accounts_table+.
+account_unverified_status_value :: The integer representating unverified accounts.
+authenticated_by_session_key :: The key in the session hash storing an array of methods used to authenticate.
+autocomplete_for_field?(param) :: Whether to use an autocomplete attribute for the given parameter, defaults to +mark_input_fields_with_autocomplete?+.
+autologin_type_session_key :: The key in the session hash storing the type of autologin method used, if autologin was used to authenticate.
+cache_templates :: Whether to cache templates. True by default. It may be worth switching this to false in development if you are using your own templates instead of the templates provided by Rodauth.
+check_csrf? :: Whether Rodauth should use Roda's +check_csrf!+ method for checking CSRF tokens before dispatching to Rodauth routes, true by default.
+check_csrf_opts :: Options to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
+check_csrf_block :: Proc for block to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
+default_field_attributes :: The default attributes to use for input field tags, if field_attributes returns nil for the field.
 default_redirect :: Where to redirect after most successful actions.
-default_field_attributes :: The default attributes to use for input field tags, if
-                            field_attributes returns nil for the field.
-field_attributes(field) :: The attributes to use for the input field tags for the given
-                           field (parameter name).
-field_error_attributes(field) :: The attributes to use for the input field tags for the given
-                                 field (parameter name), if the input has an error.
-flash_error_key :: The flash key to use for error messages (default: +:error+).
-flash_notice_key :: The flash key to use for notice messages (default: +:notice+).
-formatted_field_error(field, error) :: HTML to use for error messages for the field (parameter
-                                       name), if the field has an error.  By default, uses a
-                                       span tag for the error message.
-input_field_label_suffix :: The suffix to use for all labels.  Useful for noting that
-                            the fields are required.
-input_field_error_class :: The CSS class to use for input fields with errors. Can be a
-                           space separated string for multiple CSS classes.
-input_field_error_message_class :: The CSS class to use for error messages. Can be a
-                                   space separated string for multiple CSS classes.
-invalid_field_error_status :: The response status to use for invalid field
-                              value errors, 422 by default.
-invalid_key_error_status :: The response status to use for invalid key codes,
-                            401 by default.
-invalid_password_error_status :: The response status to use for invalid passwords,
-                                 401 by default.
-invalid_password_message :: The error message to display when a given
-                            password doesn't match the stored password hash.
-lockout_error_status :: The response status to use a login is attempted to an account that
-                        is locked out, 403 by default.
-login_column :: The login column in the account model.
-login_input_type :: The input type to use for logins. Defaults to text but could be set to email
-                    if all logins should be valid email addresses.
+field_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name).
+field_error_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name), if the input has an error.
+flash_error_key :: The flash key to use for error messages (default: +:error+ or <tt>'error'</tt> depending on session support for symbols).
+flash_notice_key :: The flash key to use for notice messages (default: +:notice+ or <tt>'notice'</tt> depending on session support for symbols).
+formatted_field_error(field, error) :: HTML to use for error messages for the field (parameter name), if the field has an error.  By default, uses a span tag for the error message.
+hook_action(hook_type, action) :: Arbitrary action to take on all hook processing, with hook type being +:before+ or +:after+, and action being symbol for related action.
+input_field_error_class :: The CSS class to use for input fields with errors. Can be a space separated string for multiple CSS classes.
+input_field_error_message_class :: The CSS class to use for error messages. Can be a space separated string for multiple CSS classes.
+input_field_label_suffix :: The suffix to use for all labels.  Useful for noting that the fields are required.
+inputmode_for_field?(param) :: Whether to use an inputmode attribute for the given parameter, defaults to mark_input_fields_with_inputmode?.
+invalid_field_error_status :: The response status to use for invalid field value errors, 422 by default.
+invalid_key_error_status :: The response status to use for invalid key codes, 401 by default.
+invalid_password_error_status :: The response status to use for invalid passwords, 401 by default.
+invalid_password_message :: The error message to display when a given password doesn't match the stored password hash.
+lockout_error_status :: The response status to use a login is attempted to an account that is locked out, 403 by default.
+login_column :: The login column in the +accounts_table+.
+login_input_type :: The input type to use for logins. Defaults to email if login column is email and text otherwise.
 login_label :: The label to use for logins.
 login_param :: The parameter name to use for logins.
-login_required_error_status :: The response status to return when a login is required
-                               and you are not logged in, if not redirecting, 401 by detault
-modifications_require_password? :: Whether making changes to an account requires
-                                   the user reinputing their password.
-no_matching_login_error_status :: The response status to use when the login is not
-                                  in the database, 401 by default.
-no_matching_login_message :: The error message to display when the login
-                             used is not in the database.
-password_hash_column :: The password hash column in the password hash table.
-password_hash_id_column :: The account id column in the password hash table.
+login_required_error_status :: The response status to return when a login is required and you are not logged in, if not redirecting, 401 by default
+login_uses_email? :: Whether the login field uses email, used to set the type of the login field as well as the autocomplete setting.
+mark_input_fields_with_autocomplete? :: Whether input fields should be marked with autocomplete attribute appropriate for the field, true by default.
+mark_input_fields_with_inputmode? :: Whether input fields should be marked with inputmode attribute appropriate for the field, true by default.
+modifications_require_password? :: Whether making changes to an account requires the user reinputing their password.  True by default if the account has a password.
+no_matching_login_error_status :: The response status to use when the login is not in the database, 401 by default.
+no_matching_login_message :: The error message to display when the login used is not in the database.
+password_hash_column :: The password hash column in the +password_hash_table+.
+password_hash_id_column :: The account id column in the +password_hash_table+.
 password_hash_table :: The table storing the password hashes.
 password_label :: The label to use for passwords.
 password_param :: The parameter name to use for passwords.
-require_login_error_flash :: The flash error to display when accessing a
-                             page that requires a login, when you are not
-                             logged in.
+require_login_error_flash :: The flash error to display when accessing a page that requires a login, when you are not logged in.
 require_login_redirect :: A redirect to the login page.
-set_deadline_values? :: Whether deadline values should be set.  True by default
-                        on MySQL, as that doesn't support default values that
-                        are not constant.  Can be set to true on other databases
-                        if you want to vary the value based on a request parameter.
-template_opts :: Any template options to pass to view/render.  This can be used
-                 to set a custom layout, for example.
+set_deadline_values? :: Whether deadline values should be set.  True by default on MySQL, as that doesn't support default values that are not constant.  Can be set to true on other databases if you want to vary the value based on a request parameter.
+template_opts :: Any template options to pass to view/render.  This can be used to set a custom layout, for example.
 token_separator :: The string used to separate account id from the random key in links.
-unmatched_field_error_status :: The response status to use when two field values should
-                                match but do not, 422 by default.
-unopen_account_error_status :: The response status to use when trying to login to an
-                               account that isn't open, 403 by default.
-use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into
-                        the database.  Defaults to whether deadline values should
-                        be set.
-use_database_authentication_functions? :: Whether to use functions to do authentication.
-                                          True by default on PostgreSQL, MySQL, and
-                                          Microsoft SQL Server, false otherwise.
-use_request_specific_csrf_tokens? :: Whether to use request-specific CSRF tokens.
-                                     True if the :csrf=>:route_csrf option is used when
-                                     loading the plugin, and the Roda route_csrf plugin
-                                     is configured to use request-specific CSRF tokens.
+unmatched_field_error_status :: The response status to use when two field values should match but do not, 422 by default.
+unopen_account_error_status :: The response status to use when trying to login to an account that isn't open, 403 by default.
+use_database_authentication_functions? :: Whether to use functions to do authentication.  True by default on PostgreSQL, MySQL, and Microsoft SQL Server, false otherwise.
+use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into the database.  Defaults to whether deadline values should be set.
+use_request_specific_csrf_tokens? :: Whether to use request-specific CSRF tokens.  True if the default CSRF setting are used.
 
 == Auth Methods
 
+account_from_login(login) :: Retrieve the account hash related to the given login or nil if no login matches.
+account_from_session :: Retrieve the account hash related to the currently logged in session.
+account_id :: The primary key value of the current account.
+account_session_value :: The primary value of the current account to store in the session when logging in.
 after_login :: Run arbitrary code after a successful login.
-after_login_failure :: Run arbitrary code after a login failure due to
-                       an invalid password.
-before_login :: Run arbitrary code after password has been checked, but
-                before updating the session.
-before_login_attempt :: Run arbitrary code after an account has been
-                        located, but before the password has been checked.
-before_rodauth :: Run arbitrary code before handling any rodauth route.
-account_from_login(login) :: Retrieve the account hash related to the
-                             given login or nil if no login matches.
-account_from_session :: Retrieve the account hash related to the currently
-                        logged in session.
-account_id :: The primary key value of the current account
-account_session_value :: The primary value of the account currently stored in the
-                         session.
-already_logged_in :: What action to take if you are already logged in and attempt
-                     to access a page that only makes sense if you are not logged in.
-authenticated? :: Whether the user has been authenticated. If 2 factor authentication
-                  has been enabled for the account, this is true only if both factors
-                  have been authenticated.
+after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
+already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
+authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
+before_login :: Run arbitrary code after password has been checked, but before updating the session.
+before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.
+before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
 clear_session :: Clears the current session.
 csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
-function_name(name) :: The name of the database function to call.  It's passed either
-                       :rodauth_get_salt or :rodauth_valid_password_hash.
-logged_in? :: Whether there is an account currently logged in.
-login_required :: Action to take when a login is required to access the page and
-                  the user is not logged in.
-open_account? :: Whether the current account is an open account (not closed or
-                 unverified).
-password_match?(password) :: Check whether the given password matches the
-                             stored password hash.
+function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
+logged_in? :: Whether the current session is logged in.
+login_required :: Action to take when a login is required to access the page and the user is not logged in.
+open_account? :: Whether the current account is an open account (not closed or unverified).
+password_match?(password) :: Check whether the given password matches the stored password hash.
 random_key :: A randomly generated string, used for creating tokens.
 redirect(path) :: Redirect the request to the given path.
 session_value :: The value for session_key in the current session.
@@ -160,6 +106,6 @@ set_notice_flash(message) :: Set the next notice flash to the given message.
 set_notice_now_flash(message) :: Set the current notice flash to the given message.
 set_redirect_error_flash(message) :: Set the next error flash to the given message.
 set_title(title) :: Set the title of the page to the given title.
-unverified_account_message :: The message to use when attempting to login to an
-                              unverified account.
-update_session :: Set the session key to the primary key of the current account.
+translate(key, default_value) :: Return a translated version for the key (uses the default value by default).
+unverified_account_message :: The message to use when attempting to login to an unverified account.
+update_session :: Clear the session, then set the session key to the primary key of the current account.

data/doc/change_login.rdoc

@@ -5,26 +5,19 @@ change their login.
 
 == Auth Value Methods
 
-change_login_additional_form_tags :: HTML fragment containing additional
-                                     form tags to use on the change login
-                                     form.
+change_login_additional_form_tags :: HTML fragment containing additional form tags to use on the change login form.
 change_login_button :: The text to use for the change login button.
-change_login_error_flash :: The flash error to show for an unsuccessful
-                            login change.
-change_login_notice_flash :: The flash notice to show after a successful
-                             login change.
+change_login_error_flash :: The flash error to show for an unsuccessful login change.
+change_login_notice_flash :: The flash notice to show after a successful login change.
+change_login_page_title :: The page title to use on the change login form.
 change_login_redirect :: Where to redirect after a sucessful login change.
-change_login_requires_password? :: Whether a password is required when
-                                   changing logins.
-change_login_route :: The route to the change login action. Defaults to
-                      +change-login+.
+change_login_requires_password? :: Whether a password is required when changing logins.
+change_login_route :: The route to the change login action. Defaults to +change-login+.
 
 == Auth Methods
 
 after_change_login :: Run arbitrary code after successful login change.
 before_change_login :: Run arbitrary code before changing a login.
 before_change_login_route :: Run arbitrary code before handling a change login route.
-change_login(login) :: Change the users login to the given login, or
-                       return nil/false if the login cannot be changed to
-                       the given login.
+change_login(login) :: Change the users login to the given login, or return nil/false if the login cannot be changed to the given login.
 change_login_view :: The HTML to use for the change login form.

data/doc/change_password.rdoc

@@ -5,19 +5,17 @@ change their password.
 
 == Auth Value Methods
 
-change_password_additional_form_tags :: HTML fragment containing additional
-                                        form tags to use on the change password
-                                        form.
+change_password_additional_form_tags :: HTML fragment containing additional form tags to use on the change password form.
 change_password_button :: The text to use for the change password button.
-change_password_error_flash :: The flash error to show for an unsuccessful
-                               password change.
-change_password_notice_flash :: The flash notice to show after a successful
-                                password change.
+change_password_error_flash :: The flash error to show for an unsuccessful password change.
+change_password_notice_flash :: The flash notice to show after a successful password change.
+change_password_page_title :: The page title to use on the change password form.
 change_password_redirect :: Where to redirect after a sucessful password change.
-change_password_requires_password? :: Whether a password is required when
-                                      changing passwords.
-change_password_route :: The route to the change password action. Defaults to
-                         +change-password+.
+change_password_requires_password? :: Whether a password is required when changing passwords.
+change_password_route :: The route to the change password action. Defaults to +change-password+.
+invalid_previous_password_message :: The message to use when the previous password was incorrect.  Defaults to +invalid_password_message+.
+new_password_label :: The label to use for the new password.
+new_password_param :: The parameter name to use for new passwords.
 
 == Auth Methods
 
@@ -25,5 +23,3 @@ after_change_password :: Run arbitrary code after successful password change.
 before_change_password :: Run arbitrary code before changing the password for an account.
 before_change_password_route :: Run arbitrary code before handling a change password route.
 change_password_view :: The HTML to use for the change password form.
-invalid_previous_password_message :: The message to use when the previous password was
-                                     incorrect.  Defaults to invalid_password_message.

data/doc/change_password_notify.rdoc

@@ -5,10 +5,10 @@ is changed using the change password feature.
 
 == Auth Value Methods
 
-password_changed_email_subject :: Subject to use for the password changed emails
 password_changed_email_body :: Body to use for the password changed emails
+password_changed_email_subject :: Subject to use for the password changed emails
 
 == Auth Methods
 
 create_password_changed_email :: A Mail::Message for the password changed email to send.
-send_password_changed_email :: Send the account unlock email.
+send_password_changed_email :: Send the password changed email.