rodauth 1.23.0 → 2.0.0

data/doc/login.rdoc

@@ -10,13 +10,21 @@ login_button :: The text to use for the login button.
 login_error_flash :: The flash error to show for an unsuccesful login.
 login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
 login_form_footer :: A message to display after the login form.
-login_need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
+login_form_footer_links :: An array of entries for links to show on the login page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
+login_form_footer_links_heading :: A heading to show before the login form footer links.
 login_notice_flash :: The flash notice to show after successful login.
+login_page_title :: The page title to use on the login form.
 login_redirect :: Where to redirect after a sucessful login.
+login_redirect_session_key :: The key in the session hash storing the location to redirect to after successful login.
+login_return_to_requested_location? :: Whether to redirect to the originally requested location after successful login when +require_login+ was used, false by default.
 login_route :: The route to the login action. Defaults to +login+.
-use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default.
+multi_phase_login_forms :: An array of entries for authentication methods that can be used to login when using multi phase login.  Each entry is an array of three elements, sort order (integer), HTML, and method to call if this entry is the only authentication method available (or nil to not call a method).
+multi_phase_login_page_title :: The page title to use on the login form after login has been entered when using multi phase login.
+need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
+use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default unless an alternative login feature such as email_auth or webauthn_login is used.
 
 == Auth Methods
 
 before_login_route :: Run arbitrary code before handling a login route.
 login_view :: The HTML to use for the login form.
+multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.

data/doc/login_password_requirements_base.rdoc

@@ -5,52 +5,30 @@ use a Rodauth feature that requires setting logins or passwords.
 
 == Auth Value Methods
 
-already_an_account_with_this_login_message :: The error message to display when
-                                              there already exists an account
-                                              with the same login
+already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
-login_does_not_meet_requirements_message :: The error message to display when
-                                            the login does not meet the
-                                            requirements you have set.
+login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
 login_maximum_length :: The maximum length for logins, 255 by default.
 login_minimum_length :: The minimum length for logins, 3 by default.
-login_too_long_message :: The error message fragment to show if the login is
-                          too long.
-login_too_short_message :: The error message fragment to show if the login is
-                           too short.
-logins_do_not_match_message :: The error message to display when login and
-                               login confirmation do not match.
+login_too_long_message :: The error message fragment to show if the login is too long.
+login_too_short_message :: The error message fragment to show if the login is too short.
+logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
-password_does_not_meet_requirements_message :: The error message to display when
-                                               the password does not meet the
-                                               requirements you have set.
+password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
 password_hash_cost :: The bcrypt cost to use for the password hash.
 password_minimum_length :: The minimum length for passwords, 6 by default.
-password_too_short_message :: The error message fragment to show if the password
-                              is too short.
-passwords_do_not_match_message :: The error message to display when password
-                                  and password confirmation do not match.
-require_email_address_logins? :: Whether logins need to be valid email addresses,
-                                 true by default.
-require_login_confirmation? :: Whether login confirmations are required when
-                               changing logins or creating accounts.
-require_password_confirmation? :: Whether password confirmations are required
-                                  when changing/resetting passwords and creating
-                                  accounts.
-same_as_existing_password_message :: The error message to display when a new
-                                     password is the same as the existing password.
+password_too_short_message :: The error message fragment to show if the password is too short.
+passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.
+require_email_address_logins? :: Whether logins need to be valid email addresses, true by default.
+require_login_confirmation? :: Whether login confirmations are required when changing logins or creating accounts.  True by default if not verifying the account.
+require_password_confirmation? :: Whether password confirmations are required when changing/resetting passwords and creating accounts.
+same_as_existing_password_message :: The error message to display when a new password is the same as the existing password.
 
 == Auth Methods
 
-login_meets_requirements?(login) :: Whether the given login meets the requirements.
-                                    By default, just checks that the login is a
-                                    valid email address.
-password_meets_requirements?(password) :: Whether the given password meets the
-                                          requirements. Can be used to implement
-                                          complexity requirements for passwords.
+login_meets_requirements?(login) :: Whether the given login meets the requirements.  By default, just checks that the login is a valid email address.
 password_hash(password) :: A hash of the given password.
-set_password(password) :: Set the password for the current account to the given
-                          password.
-
+password_meets_requirements?(password) :: Whether the given password meets the requirements. Can be used to implement complexity requirements for passwords.
+set_password(password) :: Set the password for the current account to the given password.

data/doc/logout.rdoc

@@ -5,10 +5,10 @@ It is the simplest feature.
 
 == Auth Value Methods
 
-logout_additional_form_tags :: HTML fragment containing additional form
-                               tags to use on the logout form.
+logout_additional_form_tags :: HTML fragment containing additional form tags to use on the logout form.
 logout_button :: The text to use for the logout button.
 logout_notice_flash :: The flash notice to show after logout.
+logout_page_title :: The page title to use on the logout form.
 logout_redirect :: Where to redirect after a logout.
 logout_route :: The route to the logout action. Defaults to +logout+.
 

data/doc/otp.rdoc

@@ -1,8 +1,8 @@
 = Documentation for OTP Feature
 
-The otp feature implements a 2 factor authentication via time-based one-time
-passwords (TOTP).  It supports signing up for 2 factor authentication, logging
-in with authentication codes, and disabling two factor authentication.
+The otp feature implements multifactor authentication via time-based one-time
+passwords (TOTP).  It supports setting up TOTP authentication, logging
+in with TOTP authentication codes, and disabling TOTP authentication.
 
 The otp feature requires the rotp and rqrcode gems.
 
@@ -16,36 +16,41 @@ otp_auth_error_flash :: The flash error to show if unable to authenticate via OT
 otp_auth_failures_limit :: The number of allowed OTP authentication failures before locking out.
 otp_auth_form_footer :: A footer to display at the bottom of the OTP authentication form.
 otp_auth_label :: The label for the OTP authentication code.
+otp_auth_link_text :: The text to use for the link from the multifactor auth page.
+otp_auth_page_title :: The page title to use on the OTP authentication form.
 otp_auth_param :: The parameter name for the OTP authentication code.
 otp_auth_route :: The route to the OTP authentication action. Defaults to +otp-auth+.
 otp_class :: The class to use for OTP authentication (default: ROTP::TOTP)
 otp_digits :: The number of digits to use in OTP authentication codes (rotp's default is 6).
-otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the from to disable OTP authentication.
-otp_disable_button :: The text to use for button on form to disable OTP authentication.
+otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the form to disable OTP authentication.
+otp_disable_button :: The text to use for button on the form to disable OTP authentication.
 otp_disable_error_flash :: The flash error to show if unable to disable OTP authentication.
+otp_disable_link_text :: The text to use for the disable link from the multifactor manage page.
 otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
+otp_disable_page_title :: The page title to use on the OTP disable form.
 otp_disable_redirect :: Where to redirect after disabling OTP authentication.
 otp_disable_route :: The route to the OTP disable action. Defaults to +otp-disable+.
-otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is nil, to not allow drift.
+otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is 30.  Can be set to nil to not allow drift.
+otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 30).
 otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication code is used.
 otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted during OTP setup.
-otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 300).
-otp_issuer :: The issuer to use in the OTP provisioning URL.  Defaults to the host name of the request.
-otp_keys_id_column :: The column in the otp_keys_table containing the account id.
-otp_keys_column :: The column in the otp_keys_table containing the OTP secret.
-otp_keys_failures_column :: The column in the otp_keys_table containing the number of OTP authentication failures.
-otp_keys_last_use_column :: The column in otp_keys_table containing the last authentication timestamp.
+otp_issuer :: The issuer to use in the OTP provisioning URL.  Defaults to +domain+.
+otp_keys_column :: The column in the +otp_keys_table+ containing the OTP secret.
+otp_keys_failures_column :: The column in the +otp_keys_table+ containing the number of OTP authentication failures.
+otp_keys_id_column :: The column in the +otp_keys_table+ containing the account id.
+otp_keys_last_use_column :: The column in +otp_keys_table+ containing the last authentication timestamp.
 otp_keys_table :: The table name containing the OTP secrets.
 otp_keys_use_hmac? :: Whether to use HMACs for OTP keys.  Defaults to whether +hmac_secret+ has been set.  Should be set to false if adding +hmac_secret+ to Rodauth where the otp feature is already in use, as otherwise it will render existing OTP keys invalid.
-otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
 otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked out due to numerous authentication failures.
+otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
 otp_provisioning_uri_label :: The label used when displaying the OTP provisioning URI during OTP setup.
 otp_secret_label :: The label used when displaying the OTP secret during OTP setup.
-otp_session_key :: The session key used to store whether the user has authenticated via OTP.
 otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up OTP authentication.
 otp_setup_button :: Text for the button when setting up OTP authentication.
 otp_setup_error_flash :: The flash error to show if OTP authentication setup was not successful.
+otp_setup_link_text :: The text to use for the setup link from the multifactor manage page.
 otp_setup_notice_flash :: The flash notice to show if OTP authentication setup was successful.
+otp_setup_page_title :: The page title to use on the form to setup OTP authentication.
 otp_setup_param :: The parameter name used for the OTP secret when setting up OTP authentication.
 otp_setup_raw_param :: The parameter name used for the raw OTP secret when setting up OTP authentication, when +otp_keys_use_hmac?+ is true. 
 otp_setup_redirect :: Where to redirect after sucessful OTP authentication setup.
@@ -56,12 +61,12 @@ otp_setup_route :: The route to the OTP setup action. Defaults to +otp-setup+.
 after_otp_authentication_failure :: Run arbitrary code after OTP authentication failure.
 after_otp_disable :: Run arbitrary code after OTP authentication has been disabled.
 after_otp_setup :: Run arbitrary code after OTP authentication has been setup.
-before_otp_authentication :: Run arbitrary code before OTP authentication.
 before_otp_auth_route :: Run arbitrary code before handling an OTP authentication route.
-before_otp_setup :: Run arbitrary code before OTP authentication setup.
-before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
+before_otp_authentication :: Run arbitrary code before OTP authentication.
 before_otp_disable :: Run arbitrary code before OTP authentication disabling.
 before_otp_disable_route :: Run arbitrary code before handling an OTP authentication disable route.
+before_otp_setup :: Run arbitrary code before OTP authentication setup.
+before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
 otp :: The object used for verifying OTP authentication attempts.
 otp_add_key(secret) :: Add an OTP key for the current account with the given secret.
 otp_auth_view :: The HTML to use for the OTP authentication form.
@@ -75,9 +80,9 @@ otp_provisioning_uri :: The provisioning URI displayed during OTP setup.
 otp_qr_code :: The QR code containing the otp_provisioning_uri, by default an SVG image.
 otp_record_authentication_failure :: Record an OTP authentication failure.
 otp_remove :: Removes all stored OTP data for the current account.
-otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful OTP authentication.
+otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful multifactor authentication.
 otp_setup_view :: The HTML to use for the form to setup OTP authentication.
-otp_tmp_key(secret) :: Set the secret to use for the OTP key.
+otp_tmp_key(secret) :: Set the secret to use for the temporary OTP key, during OTP setup.
 otp_update_last_use :: Update the last time OTP authentication was successful for the account.  Return true if the authentication should be allowed, or false if it should not be allowed because the last authentication was too recent and indicates the possible reuse of a TOTP authentication code.
 otp_valid_code?(auth_code) :: Whether the given code is the currently valid OTP auth code for the account.
 otp_valid_key?(secret) :: Whether the given secret is a valid OTP secret.

data/doc/password_complexity.rdoc

@@ -21,30 +21,14 @@ Checks:
 
 == Auth Value Methods
 
-password_character_groups :: An array of regular expressions representing
-                             different character groups.
-password_dictionary :: A Array/Hash/Set containing dictionary words, which cannot
-                       match the password.
-password_dictionary_file :: A file containing dictionary words, which will not be allowed.
-                            By default, <tt>/usr/share/dict/words</tt> if present.  Set to
-                            false to not use a password dictionary. Note that this is only
-                            used during initialization, and cannot refer to request-specific
-                            state, unlike most other settings.
-password_in_dictionary_message :: The error message fragment to show if the password
-                                  is derived from a word in a dictionary.
-password_invalid_pattern :: A regexp where any match is considered an invalid password.
-                            For multiple sequences, use +Regexp.union+.
-password_invalid_pattern_message :: The error message fragment to show if the password
-                                    matches the invalid pattern.
-password_max_length_for_groups_check :: The number of characters above which
-                                        to skip the checks for character groups.
+password_character_groups :: An array of regular expressions representing different character groups.
+password_dictionary :: A Array/Hash/Set containing dictionary words, which cannot match the password.
+password_dictionary_file :: A file containing dictionary words, which will not be allowed.  By default, <tt>/usr/share/dict/words</tt> if present.  Set to false to not use a password dictionary. Note that this is only used during initialization, and cannot refer to request-specific state, unlike most other settings.
+password_in_dictionary_message :: The error message fragment to show if the password is derived from a word in a dictionary.
+password_invalid_pattern :: A regexp where any match is considered an invalid password.  For multiple sequences, use +Regexp.union+.
+password_invalid_pattern_message :: The error message fragment to show if the password matches the invalid pattern.
+password_max_length_for_groups_check :: The number of characters above which to skip the checks for character groups.
 password_max_repeating_characters :: The maximum number of repeating characters allowed.
-password_min_groups :: The minimum number of character groups the password
-                       has to contain if it is less than
-                       +password_max_length_for_groups_check+ characters.
-password_not_enough_character_groups_message :: The error message fragment to show if the
-                                                password does not contain characters from
-                                                enough character groups.
-password_too_many_repeating_characters_message :: The error message fragment to show if the
-                                                  password contains too many repeating
-                                                  characters.
+password_min_groups :: The minimum number of character groups the password has to contain if it is less than +password_max_length_for_groups_check+ characters.
+password_not_enough_character_groups_message :: The error message fragment to show if the password does not contain characters from enough character groups.
+password_too_many_repeating_characters_message :: The error message fragment to show if the password contains too many repeating characters.

data/doc/password_expiration.rdoc

@@ -20,33 +20,19 @@ expiration is in general a net loss from a security perspective.
 
 == Auth Value Methods
 
-allow_password_change_after :: How long in seconds after the last password change
-                               until another password change is allowed (always allowed by default).
-password_expiration_error_flash :: The flash error to display when the account's
-                                   password has expired and needs to be changed.
-password_not_changeable_yet_error_flash :: The flash error to display when not
-                                           enough time has elapsed since the last
-                                           password change and an attempt is made
-                                           to change the password.
-password_not_changeable_yet_redirect :: Where to redirect if the password cannot
-                                        be changed yet.
-password_change_needed_redirect :: Where to redirect if a password needs to be
-                                   changes.
-password_changed_at_session_key :: The key in the session storing the timestamp the password
-                                   was changed at.
-password_expiration_default :: If the last password change time for an account cannot
-                               be determined, whether to consider the account expired,
-                               false by default.
+allow_password_change_after :: How long in seconds after the last password change until another password change is allowed (always allowed by default).
+password_change_needed_redirect :: Where to redirect if a password needs to be changed.
+password_changed_at_session_key :: The key in the session storing the timestamp the password was changed at.
+password_expiration_changed_at_column :: The column in the +password_expiration_table+ containing the timestamp
+password_expiration_default :: If the last password change time for an account cannot be determined, whether to consider the account expired, false by default.
+password_expiration_error_flash :: The flash error to display when the account's password has expired and needs to be changed.
+password_expiration_id_column :: The column in the +password_expiration_table+ containing the account's id.
 password_expiration_table :: The table holding the password last changed timestamps.
-password_expiration_id_column :: The column in the +password_expiration_table+ containing
-                                 the account's id.
-password_expiration_changed_at_column :: The column in the +password_expiration_table+
-                                         containing the timestamp
-require_password_change_after :: How long in seconds until a password change is
-                                 required (90 days by default).
+password_not_changeable_yet_error_flash :: The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.
+password_not_changeable_yet_redirect :: Where to redirect if the password cannot be changed yet.
+require_password_change_after :: How long in seconds until a password change is required (90 days by default).
 
 == Auth Methods
 
 password_expired? :: Whether the password has expired for the related account.
-update_password_changed_at :: Update the password last changed timestamp for the
-                              current account.
+update_password_changed_at :: Update the password last changed timestamp for the current account.

data/doc/password_grace_period.rdoc

@@ -1,10 +1,24 @@
 = Documentation for Password Grace Period Feature
 
 The password grace period feature keeps track of the last time the
-user entered their password, and doesn't require they reenter their
+user entered their password in the session, and doesn't require they reenter their
 password for account modifications if they recently entered it correctly.
 
+If you would like to provide extra security before certain routes, you can use
+the confirm password feature to require users to reenter their password if they
+haven't entered it recently:
+
+  rodauth.require_password_authentication
+
+By default, this does not redirect if the session has been authenticated via
+password, but with the password_grace_period feature, it also redirects if the
+password has not been entered recently.
+
 == Auth Value Methods
 
-password_grace_period :: The number of seconds after a password entry until password reentry is required, 300 by default (5 minutes).
 last_password_entry_session_key :: The session key in which to store the last password entry time.
+password_grace_period :: The number of seconds after a password entry until password reentry is required, 300 by default (5 minutes).
+
+== Auth Methods
+
+password_recently_entered? :: Whether the password has last been entered within the grace period.

data/doc/recovery_codes.rdoc

@@ -1,8 +1,8 @@
 = Documentation for Recovery Codes Feature
 
-The recovery codes feature allows 2nd factor authentication via single use recovery
-codes.  It is usually used as a backup if OTP authentication is not available or
-has been locked out, but can be used by itself or as a backup to SMS codes.  It allows
+The recovery codes feature allows multifactor authentication via single use recovery
+codes.  It is usually used as a backup if other multifactor authentication methods are
+not available or have been locked out, but can be used by itself.  It allows
 users to view authentication recovery codes as well as regenerate recovery codes.
 
 Access to recovery codes is limited to authenticated sessions only, so users should
@@ -11,25 +11,31 @@ of them being required due to a missing / lost device.
 
 == Auth Value Methods
 
-add_recovery_codes_button :: Text to use for button on form to add recovery codes.
+add_recovery_codes_redirect :: Where to redirect to add recovery codes if recovery codes are the primary multifactor authentication and have not been setup yet.
+add_recovery_codes_button :: Text to use for button on the form to add recovery codes.
 add_recovery_codes_error_flash :: The flash error to show when adding recovery codes.
-add_recovery_codes_heading :: Text to use for heading above form to add recovery codes.
+add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
+add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-add_recovery_auth_redirect :: Where to redirect to add recovery codes if recovery codes are the primary 2nd factor and have not been setup yet.
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.
 recovery_auth_button :: The text to use for the button when authenticating via a recovery code.
+recovery_auth_link_text :: The text to use for the link from the multifactor auth page.
+recovery_auth_page_title :: The page title to use on the form to authenticate via a recovery code.
 recovery_auth_redirect :: Where to redirect after authenticating via an recovery code.
 recovery_auth_route :: The route to the recovery code authentication action.  Defaults to +recovery-auth+.
 recovery_codes_added_notice_flash :: The flash notice to show when recovery codes were added.
 recovery_codes_additional_form_tags :: HTML fragment containing additional form tags when adding recovery codes.
-recovery_codes_column :: The column in the recovery_codes_table containing the recovery code.
-recovery_codes_id_column :: The column in the recovery_codes_table containing the account id.
+recovery_codes_column :: The column in the +recovery_codes_table+ containing the recovery code.
+recovery_codes_id_column :: The column in the +recovery_codes_table+ containing the account id.
 recovery_codes_label :: The label for recovery codes.
-recovery_codes_limit :: The number of recovery codes to allow.
+recovery_codes_limit :: The number of recovery codes to setup.
+recovery_codes_link_text :: The text to use for the setup link from the multifactor manage page.
+recovery_codes_page_title :: The page title to use on the form to view recovery codes.
 recovery_codes_param :: The parameter name for the recovery code.
-recovery_codes_primary? :: Whether recovery codes are the primary second factor, true by default if neither the otp or sms_codes features are enabled.
+recovery_codes_primary? :: Whether recovery codes are a primary multifactor authentication type.  If not, they cannot be setup unless multifactor authentication is already setup.
 recovery_codes_route :: The route to the view recovery codes action. Defaults to +recovery-codes+.
 recovery_codes_table :: The table storing the recovery codes.
 view_recovery_codes_button :: Text for the button to view recovery codes.
@@ -41,8 +47,8 @@ add_recovery_code :: Add a recovery code for the given account.
 add_recovery_codes_view :: The HTML to use for the add recovery codes form.
 after_add_recovery_codes :: Run arbitrary code after adding recovery codes.
 before_add_recovery_codes :: Run arbitrary code before adding recovery codes.
-before_recovery_auth :: Run arbitrary code before recovery authentication.
-before_recovery_auth_route :: Run arbitrary code before handling recovery authentication route.
+before_recovery_auth :: Run arbitrary code before recovery code authentication.
+before_recovery_auth_route :: Run arbitrary code before handling recovery code authentication route.
 before_recovery_codes_route :: Run arbitrary code before handling view/add recovery codes route.
 before_view_recovery_codes :: Run arbitrary code before viewing recovery codes.
 can_add_recovery_codes? :: Whether the current account can add more recovery codes.

data/doc/release_notes/2.0.0.txt

@@ -0,0 +1,361 @@
+= New Features
+
+* A webauthn feature has been added, allowing multifactor
+  authentication using WebAuthn.  It allows for registering multiple
+  WebAuthn authenticators per account, authenticating using
+  WebAuthn, and removing WebAuthn authenticators.  This feature
+  depends on the webauthn gem.
+
+  WebAuthn in browsers requires javascript to work, but Rodauth's
+  approach has the javascript set hidden form inputs and then use a
+  standard form submission, making it easy to test applications
+  using WebAuthn without a full browser, as long as a software
+  WebAuthn authenticator can be used (the webauthn gem provides
+  such an authenticator).
+
+* A webauthn_login feature has been added, allowing passwordless
+  logins using WebAuthn.
+
+* A webauthn_verify_account feature has been added, which requires
+  setting up a WebAuthn authenticator during account verification.
+  This allows for setups where WebAuthn is the sole method of
+  authentication.
+
+* An active_sessions feature has been added, which disallows
+  session reuse after logout, and allows for a global logout of all
+  sessions for the account.  It also supports inactivity and
+  lifetime deadlines for sessions.  This also integrates with the
+  jwt_refresh feature to disable JWT access token usage after
+  logout.
+
+* An audit_logging feature has been added, which logs Rodauth
+  actions to a database table.  This hooks into all of Rodauth's
+  after_* hooks, and will implement audit logging for all
+  features that use such hooks.
+
+* The confirm_password feature can now operate as multifactor
+  authentication if the user has a password but was originally
+  authenticated using the webauthn_login feature.
+
+* The multifactor authentication support now better handles
+  multiple multifactor authentication methods.  When setting up
+  multifactor authentication, a page is provided linking to all
+  enabled multifactor authentication options.  When authenticating
+  via an additional factor, a page is provided linking to all
+  multifactor authentication options that have been setup and are
+  available for use.  There is also a page to disable all multifactor
+  authentication methods that have been setup, and revert to single
+  factor authentication.
+
+  To provide a better user experience, if there would only be a
+  single link on the pages to setup multifactor authentication
+  or authenticate with an additional factor, the user is redirected
+  directly to the appropriate page.
+
+* A translate configuration method has been added.  This is called
+  with a translation key and default value for the translation, and
+  allows for internationalizing Rodauth.  All translatable strings
+  are passed through this method, including flash messages, page
+  titles, button text, field error messages, and link texts.
+
+* login_return_to_requested_location? and
+  two_factor_auth_return_to_requested_location? configuration methods
+  have been added.  With these methods set to true, if
+  rodauth.require_login needs to redirect, it will store the current
+  page, and after logging in, the user will be redirected back to the
+  page.  Likewise, if rodauth.require_two_factor_authenticated needs
+  to redirect, it will store the current page, and after multifactor
+  authentication, the user will be redirected back to the page.
+
+* domain and base_url configuration methods have been added and it is
+  recommended that applications use them if they can be reached with
+  arbitrary Host headers.  If not set, Rodauth will use information
+  from the request, which can be provided by an attacker.
+
+* The *_url and *_path methods now accept an optional hash of query
+  parameters to use.
+
+* Many Rodauth forms will now use appropriate autocomplete and
+  inputmode attributes on form inputs.  You can modify the behavior
+  using the following configuration methods:
+  
+  * autocomplete_for_field?
+  * inputmode_for_field?
+  * mark_input_fields_with_autocomplete?
+  * mark_input_fields_with_inputmode?
+
+* An sms_phone_input_type configuration method has been added and
+  now defaults to tel.  Previous, the SMS phone input used a text
+  type.
+
+* rodauth.require_password_authentication has been added to the
+  confirm_password_feature, which will redirect to the login page
+  if not logged in, and will redirect to the confirm password page
+  if the user was logged in without typing in a password.  If the
+  password_grace_period feature is used, this also redirects if
+  the password has not been entered recently.
+
+* rodauth.authenticated_by has been added, which is an array of
+  strings for all methods by which the current session has been
+  authenticated, or nil if the session has not been authenticated.
+
+* rodauth.possible_authentication_methods has been added, which is
+  an array of strings for all methods by which the current session
+  could be authenticated.
+
+* rodauth.autologin_type now returns the type of autologin used if
+  authenticated using autologin.
+
+* All *_view configuration methods now have *_page_title
+  configuration methods for setting custom page titles.
+
+= Other Improvements
+
+* The templates Rodauth uses by default are now compatible with
+  Bootstrap 4, and compatibility with Bootstrap 3 (which Rodauth
+  previously targeted) has been improved.
+
+* When requesting a password reset, if the user provides an invalid
+  login, an input for the login is now displayed so the problem
+  can be corrected.
+
+* When setting up an additional multifactor authentication method,
+  Rodauth no longer overrides which multifactor authentication method
+  was used to authenticate the current session.
+
+* When disabling a multifactor authentication method that was not
+  used to authenticate the current session, the session remains
+  multifactor authenticated.
+
+* When multiple multifactor authentication methods are setup for
+  an account, disabling a multifactor authentication method will not
+  mark the session as not having multifactor authentication enabled.
+
+* When disabling OTP authentication, future calls to
+  rodauth.otp_exists? will return false instead of true.
+
+* Recovery codes are no longer generated automatically when OTP or
+  SMS authentication is setup.  There is no point generating codes
+  that the user has not yet viewed, and generating them automatically
+  will disable automatic redirections in the cases where only one
+  multifactor authentication method is setup.  This can be turned
+  back on using the auto_add_recovery_codes? configuration method.
+
+* The OTP setup page now displays better on phones and other devices
+  with small viewports.
+
+* Links and alternative login forms shown on the login page are
+  now in a specific order and not based on the order in which
+  features were enabled.
+
+* The link to resend the verify account email is not shown on the
+  multi-phase login page after the login has been entered if the
+  account has already been verified.
+
+* The modifications_require_password? configuration method now
+  defaults to false for accounts that do not have a password.
+
+* Multifactor authentication is no longer allowed using the same
+  factor type as used for initial authentication.  Previously,
+  no multifactor authentication type could be used for initial
+  authentication, so this wasn't an issue.
+
+* The verify login change page no longer calls already_logged_in
+  if the session is already logged in.  This method is documented
+  to only be called on pages that expect not to be already logged
+  in, and it's common to access the verify login change page
+  while being logged in, since you need to be logged in to go to
+  the change login page.  The default behavior of already_logged_in
+  is to do nothing, so this only affects you if you have used the
+  already_logged_in configuration method.
+
+* If using the email_auth and verify_account_grace_period features
+  together, do not show email authentication as an option for
+  unverified accounts during the grace period.
+
+* In the lockout feature, generate the unlock account key before
+  calling send_unlock_account_email, similar to how key generation
+  happens in other features that send email.  This makes it easier
+  to override the method.
+
+* Various method visibility issues have been fixed, so that
+  enabling any feature that ships with Rodauth will not affect
+  visibility of methods for features already enabled.
+
+* All Rodauth configuration methods (over 1000) are now documented.
+
+= Backwards Compatibility
+
+* The verify_change_login feature has been removed.  Users should
+  switch to the verify_login_change feature, which verifies the
+  new login works correctly before switching the login.
+
+* For CSRF protection, Roda's route_csrf plugin is now used by
+  default instead of rack_csrf.  This supports request specific
+  CSRF tokens by default.  The :csrf=>:rack_csrf plugin option
+  can be used to continue using rack_csrf.
+
+  Roda's route_csrf allows for per-route checking of the CSRF token,
+  and support for that is enabled for all Rodauth routes.  However,
+  if you were using Rodauth without explicitly loading rack_csrf,
+  these changes could remove CSRF support from your application.
+  You should probably load Roda's route_csrf plugin explicitly and
+  use it in your Roda routing tree if you want CSRF protection for
+  non-Rodauth routes.  You can use the new check_csrf_opts and
+  check_csrf_block to customize options to pass to check_csrf!, or
+  set check_csrf? false to disable calling check_csrf!.
+
+* Email rate limiting is now enabled by default in the lockout,
+  reset_password, and verify_account features.  This requires
+  adding a column to store the last email sent time to the
+  related tables, if the tables were created without one:
+
+    DB.add_column :account_password_reset_keys, :email_last_sent,
+      DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    DB.add_column :account_verification_keys, :email_last_sent,
+      DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+    DB.add_column :account_lockouts, :email_last_sent, DateTime
+
+  Alternatively, you can set the appropriate configuration method
+  (e.g. verify_account_email_last_sent_column) to nil to disable
+  rate limiting.
+
+* The http_basic_auth feature has been changed significantly.
+  You should now call rodauth.http_basic_auth in the routing tree
+  to load authentication information from the Authorization
+  request header, similar to how rodauth.load_memory works in the
+  remember feature.
+
+  The require_http_basic_auth configuration method has been renamed
+  to require_http_basic_auth?.  rodauth.require_http_basic_auth?
+  should now be used to check whether HTTP basic auth is required.
+  rodauth.require_http_basic_auth now requires that HTTP basic
+  auth is provided in the request.
+
+  To be more backwards compatible, if not already logged in,
+  rodauth.require_login will load HTTP basic auth information if
+  available, and will require HTTP basic auth if
+  require_http_basic_auth? is configured.
+
+* If using the Bootstrap 3/4 compatibility, the forms used are
+  now standard (vertical) Bootstrap forms.  Previously, they were
+  horizontal forms.
+
+* Most of the strings related to multifactor authentication have
+  been changed to refer to multifactor authentication instead of
+  two factor authentication, or changed to refer to a specific
+  multifactor authentication type (such as TOTP), as appropriate.
+
+* Periods at the end of some default flash messages have been
+  removed for consistency.
+
+* The remember feature no longer depends on the confirm_password
+  feature.  You must now enable confirm_password separately if you
+  want to use it.
+
+* Login confirmation is no longer required by default when
+  verifying accounts or verifying login changes.  In both cases,
+  entering an invalid login causes no problems.
+
+* The otp_drift configuration method now defaults to 30, to allow
+  30 seconds of drift.  The previous setting of nil generally
+  resulted in usability problems, especially without good clock
+  synchronization.
+
+* The json_response_custom_error_status? configuration method now
+  defaults to true, so that custom error statuses are now used by
+  default, instead of a generic 400 response.
+
+* The jwt_check_accept? configuration method now defaults to true,
+  so that the request Accept header is checked.
+
+* The verify_account_set_password? configuration method now defaults
+  to true, so that passwords will be set when verifying accounts
+  instead of when creating accounts.  This prevents issues when
+  an attacker creates an account with a password they know, if the
+  user with access to the email address verifies the account.
+
+* The mark_input_fields_as_required? configuration method now defaults
+  to true.  Most of rodauth's input fields are required, and this
+  provides a nicer experience.  However, it may cause accessibility
+  issues if screen readers do not handle invalid form submissions due
+  to missing required fields in an accessible manner.
+
+* The login_input_type configuration method now defaults to email if
+  login_column is :email (the default setting).  This can cause
+  accessibility issues if screen readers do not handle invalid form
+  submissions due to an invalid login field format in an accessible
+  manner.  It can also break installations that leave login_column
+  as :email but do not use email addresses for logins.
+
+* The json_response_success_key configuration method now defaults to
+  success, so success messages are included by default.  This can be
+  set back to nil to not include them.
+
+* The single_session and session_expiration plugin now use a
+  configurable error status code for JSON requests when the session
+  has expired, using inactive_session_error_status and
+  session_expiration_error_status configuration methods,
+  respectively.
+
+* If you are using the jwt_refresh feature and used the migration
+  previously recommended in the README, you should mark the account_id
+  field as NOT NULL and add an index:
+
+    DB.alter_table(:account_jwt_refresh_keys) do
+      set_column_not_null :account_id
+      add_index :account_id, :name=>:account_jwt_rk_account_id_idx
+    end
+
+* The otp authentication form no longer shows SMS or recovery code
+  information on failure.  The multifactor authentication page will
+  have links to SMS or recovery code authentication if they have been
+  setup, and will redirect or show the appropriate links to those
+  authentication methods if OTP authentication gets locked out.
+
+* Disabling OTP authentication no longer automatically disables SMS
+  authentication and recovery codes, and disabling SMS authentication
+  no longer disables recovery codes.  To disable all multifactor
+  authentication methods at once, the new multifactor authentication
+  disable page should be used.  If you want to revert to the previous
+  behavior of automatic disabling, override after_otp_disable to
+  disable SMS and recovery codes, and override after_sms_disable to
+  disable recovery codes.
+
+* HTML id attributes in the recovery_codes and remember features have
+  been modified to use - instead of _, for consistency with all other
+  Rodauth features.
+
+* Ruby 1.8 support has been dropped.  The minimum supported version is
+  now Ruby 1.9.2.  Support for versions of Ruby that are no longer
+  supported by ruby-core may be dropped in future minor releases if
+  keeping the support becomes a maintenance issue.
+
+* The following configuration methods have been replaced:
+
+  * create_account_link -> create_account_link_text
+  * reset_password_request_link -> reset_password_request_link_text
+  * verify_account_resend_link -> verify_account_resend_link_text
+
+  The new methods take only the text of the link, the path to link
+  to can already be determined by Rodauth.
+
+* The following configuration methods have been removed:
+
+  * account_model
+  * attempt_to_create_unverified_account_notice_message
+  * attempt_to_login_to_unverified_account_notice_message
+  * before_otp_authentication_route
+  * clear_remembered_session_key
+  * no_matching_email_auth_key_message
+  * no_matching_reset_password_key_message
+  * no_matching_unlock_account_key_message
+  * no_matching_verify_account_key_message
+  * no_matching_verify_login_change_key_message
+  * remembered_session_key
+  * two_factor_session_key
+
+  Most of these methods were already deprecated.
+ 
+* Route blocks in external Rodauth features must now have an arity
+  of 1.