rodauth 1.23.0 → 2.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +132 -0
- data/MIT-LICENSE +1 -1
- data/README.rdoc +207 -79
- data/doc/account_expiration.rdoc +12 -26
- data/doc/active_sessions.rdoc +49 -0
- data/doc/audit_logging.rdoc +44 -0
- data/doc/base.rdoc +74 -128
- data/doc/change_login.rdoc +7 -14
- data/doc/change_password.rdoc +9 -13
- data/doc/change_password_notify.rdoc +2 -2
- data/doc/close_account.rdoc +9 -16
- data/doc/confirm_password.rdoc +12 -5
- data/doc/create_account.rdoc +11 -22
- data/doc/disallow_password_reuse.rdoc +6 -13
- data/doc/email_auth.rdoc +15 -14
- data/doc/email_base.rdoc +5 -15
- data/doc/http_basic_auth.rdoc +10 -1
- data/doc/jwt.rdoc +22 -22
- data/doc/jwt_cors.rdoc +2 -3
- data/doc/jwt_refresh.rdoc +12 -8
- data/doc/lockout.rdoc +17 -15
- data/doc/login.rdoc +10 -2
- data/doc/login_password_requirements_base.rdoc +15 -37
- data/doc/logout.rdoc +2 -2
- data/doc/otp.rdoc +24 -19
- data/doc/password_complexity.rdoc +10 -26
- data/doc/password_expiration.rdoc +11 -25
- data/doc/password_grace_period.rdoc +16 -2
- data/doc/recovery_codes.rdoc +18 -12
- data/doc/release_notes/2.0.0.txt +361 -0
- data/doc/remember.rdoc +40 -64
- data/doc/reset_password.rdoc +12 -9
- data/doc/session_expiration.rdoc +1 -0
- data/doc/single_session.rdoc +16 -25
- data/doc/sms_codes.rdoc +24 -14
- data/doc/two_factor_base.rdoc +60 -22
- data/doc/verify_account.rdoc +14 -12
- data/doc/verify_account_grace_period.rdoc +6 -2
- data/doc/verify_login_change.rdoc +9 -8
- data/doc/webauthn.rdoc +115 -0
- data/doc/webauthn_login.rdoc +15 -0
- data/doc/webauthn_verify_account.rdoc +9 -0
- data/javascript/webauthn_auth.js +45 -0
- data/javascript/webauthn_setup.js +35 -0
- data/lib/roda/plugins/rodauth.rb +1 -1
- data/lib/rodauth.rb +29 -24
- data/lib/rodauth/features/account_expiration.rb +5 -5
- data/lib/rodauth/features/active_sessions.rb +160 -0
- data/lib/rodauth/features/audit_logging.rb +96 -0
- data/lib/rodauth/features/base.rb +131 -47
- data/lib/rodauth/features/change_password_notify.rb +1 -1
- data/lib/rodauth/features/confirm_password.rb +40 -2
- data/lib/rodauth/features/create_account.rb +7 -13
- data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
- data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
- data/lib/rodauth/features/email_auth.rb +29 -27
- data/lib/rodauth/features/email_base.rb +3 -3
- data/lib/rodauth/features/http_basic_auth.rb +44 -37
- data/lib/rodauth/features/jwt.rb +51 -8
- data/lib/rodauth/features/jwt_refresh.rb +3 -3
- data/lib/rodauth/features/lockout.rb +11 -13
- data/lib/rodauth/features/login.rb +48 -8
- data/lib/rodauth/features/login_password_requirements_base.rb +4 -4
- data/lib/rodauth/features/otp.rb +71 -81
- data/lib/rodauth/features/password_complexity.rb +4 -11
- data/lib/rodauth/features/password_expiration.rb +1 -1
- data/lib/rodauth/features/password_grace_period.rb +17 -10
- data/lib/rodauth/features/recovery_codes.rb +47 -51
- data/lib/rodauth/features/remember.rb +11 -27
- data/lib/rodauth/features/reset_password.rb +25 -25
- data/lib/rodauth/features/session_expiration.rb +6 -4
- data/lib/rodauth/features/single_session.rb +7 -5
- data/lib/rodauth/features/sms_codes.rb +58 -67
- data/lib/rodauth/features/two_factor_base.rb +132 -28
- data/lib/rodauth/features/verify_account.rb +23 -20
- data/lib/rodauth/features/verify_account_grace_period.rb +19 -8
- data/lib/rodauth/features/verify_login_change.rb +11 -10
- data/lib/rodauth/features/webauthn.rb +507 -0
- data/lib/rodauth/features/webauthn_login.rb +70 -0
- data/lib/rodauth/features/webauthn_verify_account.rb +46 -0
- data/lib/rodauth/version.rb +2 -2
- data/templates/button.str +1 -3
- data/templates/change-login.str +1 -2
- data/templates/change-password.str +3 -5
- data/templates/close-account.str +2 -2
- data/templates/confirm-password.str +1 -1
- data/templates/create-account.str +1 -1
- data/templates/email-auth-request-form.str +1 -2
- data/templates/email-auth.str +1 -1
- data/templates/global-logout-field.str +6 -0
- data/templates/login-confirm-field.str +2 -4
- data/templates/login-display.str +3 -2
- data/templates/login-field.str +2 -4
- data/templates/login-form-footer.str +6 -0
- data/templates/login-form.str +7 -0
- data/templates/login.str +1 -9
- data/templates/logout.str +1 -1
- data/templates/multi-phase-login.str +3 -0
- data/templates/otp-auth-code-field.str +5 -3
- data/templates/otp-auth.str +1 -1
- data/templates/otp-disable.str +1 -1
- data/templates/otp-setup.str +3 -3
- data/templates/password-confirm-field.str +2 -4
- data/templates/password-field.str +2 -4
- data/templates/recovery-auth.str +3 -6
- data/templates/recovery-codes.str +1 -1
- data/templates/remember.str +15 -20
- data/templates/reset-password-request.str +2 -2
- data/templates/reset-password.str +1 -2
- data/templates/sms-auth.str +1 -1
- data/templates/sms-code-field.str +5 -3
- data/templates/sms-confirm.str +1 -2
- data/templates/sms-disable.str +1 -2
- data/templates/sms-request.str +1 -1
- data/templates/sms-setup.str +6 -4
- data/templates/two-factor-auth.str +5 -0
- data/templates/two-factor-disable.str +6 -0
- data/templates/two-factor-manage.str +16 -0
- data/templates/unlock-account-request.str +2 -2
- data/templates/unlock-account.str +1 -1
- data/templates/verify-account-resend.str +1 -1
- data/templates/verify-account.str +1 -2
- data/templates/verify-login-change.str +1 -1
- data/templates/webauthn-auth.str +11 -0
- data/templates/webauthn-remove.str +14 -0
- data/templates/webauthn-setup.str +12 -0
- metadata +64 -11
- data/doc/verify_change_login.rdoc +0 -11
- data/lib/rodauth/features/verify_change_login.rb +0 -20
data/doc/remember.rdoc
CHANGED
@@ -1,99 +1,75 @@
|
|
1
1
|
= Documentation for Remember Feature
|
2
2
|
|
3
|
-
The remember feature allows for token-based autologin for users.
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
3
|
+
The remember feature allows for token-based autologin for users. Calling
|
4
|
+
+rodauth.remember_login+ for an authenticated session will create a token for
|
5
|
+
the current account and store it in a cookie. You can then add the following
|
6
|
+
code to your routing block to automatically login users from that token if the
|
7
|
+
session has expired:
|
8
|
+
|
9
|
+
rodauth.load_memory
|
8
10
|
|
9
11
|
By default, the remember feature just supports a form that the user can use
|
10
12
|
to change their remember settings for the current browser. They can either
|
11
13
|
enable remembering for the browser, forget it for the browser, or disable
|
12
14
|
it completely so that any remembering for other browsers is removed as well.
|
13
15
|
|
14
|
-
In some cases, you may want to
|
15
|
-
|
16
|
-
|
16
|
+
In some cases, you may want to automatically remember users and not require
|
17
|
+
users to turn it on manually. If you want to automatically remember users
|
18
|
+
on login:
|
17
19
|
|
18
20
|
after_login do
|
19
21
|
remember_login
|
20
22
|
end
|
21
23
|
|
24
|
+
The remember feature records which sessions were autologged in via the
|
25
|
+
remember cookie. If you have sections where you want to add more security,
|
26
|
+
you can use the confirm password feature to request password authentication
|
27
|
+
for sessions autologged in via a remember token:
|
28
|
+
|
29
|
+
rodauth.require_password_authentication
|
30
|
+
|
22
31
|
== Auth Value Methods
|
23
32
|
|
24
|
-
extend_remember_deadline? :: Whether to extend the remember token deadline
|
25
|
-
|
26
|
-
|
27
|
-
token to be used. Allows for graceful transition
|
28
|
-
for when +hmac_secret+ is first set.
|
29
|
-
remember_additional_form_tags :: HTML fragment containing additional
|
30
|
-
form tags to use on the change remember
|
31
|
-
setting form.
|
33
|
+
extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token.
|
34
|
+
raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
|
35
|
+
remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
|
32
36
|
remember_button :: The text to use for the change remember settings button.
|
33
37
|
remember_cookie_key :: The cookie name to use for the remember token.
|
34
38
|
remember_cookie_options :: Any options to set for the remember cookie.
|
35
|
-
remember_deadline_column :: The column name in the
|
36
|
-
|
37
|
-
ignored.
|
38
|
-
remember_deadline_interval :: The amount of time for which to remember accounts,
|
39
|
-
14 days by default. Only used if set_deadline_values?
|
40
|
-
is true.
|
39
|
+
remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
|
40
|
+
remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default. Only used if +set_deadline_values?+ is true.
|
41
41
|
remember_disable_label :: The label for disabling remembering.
|
42
42
|
remember_disable_param_value :: The parameter value for disabling remembering.
|
43
|
-
remember_error_flash :: The flash error to show if there is an error changing a
|
44
|
-
remember setting.
|
43
|
+
remember_error_flash :: The flash error to show if there is an error changing a remember setting.
|
45
44
|
remember_forget_label :: The label for turning off remembering.
|
46
45
|
remember_forget_param_value :: The parameter value for turning off remembering.
|
47
|
-
remember_id_column :: The id column in the
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
remember_period :: The additional time to extend the remember deadline if
|
53
|
-
extending remember deadlines.
|
46
|
+
remember_id_column :: The id column in the +remember_table+, should be a foreign key referencing the accounts table.
|
47
|
+
remember_key_column :: The remember key/token column in the +remember_table+.
|
48
|
+
remember_notice_flash :: The flash notice to show after remember setting has been updated.
|
49
|
+
remember_page_title :: The page title to use on the change remember settings form.
|
50
|
+
remember_param :: The parameter name to use for the remember password settings choice.
|
51
|
+
remember_period :: The additional time to extend the remember deadline if extending remember deadlines.
|
54
52
|
remember_redirect :: Where to redirect after changing the remember settings.
|
55
|
-
remember_remember_param_value :: The parameter value for switching on remembering.
|
56
53
|
remember_remember_label :: The label for turning on remembering.
|
57
|
-
|
58
|
-
|
54
|
+
remember_remember_param_value :: The parameter value for switching on remembering.
|
55
|
+
remember_route :: The route to the change remember settings action. Defaults to +remember+.
|
59
56
|
remember_table :: The name of the remember keys table.
|
60
|
-
remember_param :: The parameter name to use for the remember password settings
|
61
|
-
choice.
|
62
|
-
remembered_session_key :: The key in the session storing whether the current
|
63
|
-
session has been autologged in via remember token.
|
64
57
|
|
65
58
|
== Auth Methods
|
66
59
|
|
67
|
-
add_remember_key :: Add a remember key for the current account to the remember
|
68
|
-
|
69
|
-
after_load_memory :: Run arbitrary code after autologging in an account via
|
70
|
-
a remember token.
|
60
|
+
add_remember_key :: Add a remember key for the current account to the remember keys table.
|
61
|
+
after_load_memory :: Run arbitrary code after autologging in an account via a remember token.
|
71
62
|
after_remember :: Run arbitrary code after changing the remember settings.
|
72
|
-
before_load_memory :: Run arbitrary code before autologging in an account via
|
73
|
-
a remember token.
|
63
|
+
before_load_memory :: Run arbitrary code before autologging in an account via a remember token.
|
74
64
|
before_remember :: Run arbitrary code before changing the remember settings.
|
75
65
|
before_remember_route :: Run arbitrary code before handling the remember route.
|
76
|
-
|
77
|
-
|
78
|
-
after successful password confirmation.
|
79
|
-
disable_remember_login :: Disable the remember key token, clearing the token
|
80
|
-
from the database so future connections with the
|
81
|
-
token will not be recognized.
|
82
|
-
forget_login :: Forget the current remember token, deleting the related cookie.
|
83
|
-
Other browsers that have the cookie cached can still use it
|
84
|
-
login.
|
66
|
+
disable_remember_login :: Disable the remember key token, clearing the token from the database so future connections with the token will not be recognized.
|
67
|
+
forget_login :: Forget the current remember token, deleting the related cookie. Other browsers that have the cookie cached can still use it login.
|
85
68
|
generate_remember_key_value :: A random string to use as the remember key.
|
86
69
|
get_remember_key :: Retrieve the remember key from the database.
|
87
|
-
load_memory :: If the remember key cookie is included in the request, and the
|
88
|
-
|
89
|
-
and autologin the user if the remember key cookie matches the
|
90
|
-
current remember key for the account. This method needs to be
|
91
|
-
called manually inside the Roda route block to autologin users.
|
92
|
-
logged_in_via_remember_key? :: Whether the current session was logged in via
|
93
|
-
a remember key.
|
70
|
+
load_memory :: If the remember key cookie is included in the request, and the user is not currently logged in, check the remember keys table and autologin the user if the remember key cookie matches the current remember key for the account. This method needs to be called manually inside the Roda route block to autologin users.
|
71
|
+
logged_in_via_remember_key? :: Whether the current session was logged in via a remember key.
|
94
72
|
remember_key_value :: The current value of the remember key/token.
|
95
|
-
remember_login :: Set the cookie containing the remember token, so that future
|
96
|
-
sessions will be autologged in.
|
73
|
+
remember_login :: Set the cookie containing the remember token, so that future sessions will be autologged in.
|
97
74
|
remember_view :: The HTML to use for the change remember settings form.
|
98
|
-
remove_remember_key(id_value=account_id) :: Delete the related remember key from
|
99
|
-
the database.
|
75
|
+
remove_remember_key(id_value=account_id) :: Delete the related remember key from the database.
|
data/doc/reset_password.rdoc
CHANGED
@@ -10,26 +10,29 @@ the login feature.
|
|
10
10
|
|
11
11
|
no_matching_reset_password_key_error_flash :: The flash error message to show if attempting to access the reset password form with an invalid key.
|
12
12
|
reset_password_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password form.
|
13
|
-
reset_password_autologin? :: Whether to autologin the user after successfully resetting a password.
|
13
|
+
reset_password_autologin? :: Whether to autologin the user after successfully resetting a password, false by default.
|
14
14
|
reset_password_button :: The text to use for the reset password button.
|
15
|
-
reset_password_deadline_column :: The column name in the
|
16
|
-
reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if set_deadline_values
|
15
|
+
reset_password_deadline_column :: The column name in the +reset_password_table+ storing the deadline after which the token will be ignored.
|
16
|
+
reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if +set_deadline_values?+ is true.
|
17
|
+
reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password email when requested.
|
17
18
|
reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password email because one has been sent recently.
|
18
19
|
reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password email because one has been sent recently.
|
19
20
|
reset_password_email_sent_notice_flash :: The flash notice to show after a reset password email has been sent.
|
20
21
|
reset_password_email_sent_redirect :: Where to redirect after sending a reset password email.
|
21
22
|
reset_password_email_subject :: The subject to use for reset password emails.
|
22
23
|
reset_password_error_flash :: The flash error to show after resetting a password.
|
23
|
-
reset_password_email_last_sent_column :: The email last sent column in the reset password keys table. nil by default, so a reset password email is always sent when requested by default.
|
24
24
|
reset_password_explanatory_text :: The text to display above the button to request a password reset.
|
25
|
-
reset_password_id_column :: The id column in the
|
26
|
-
reset_password_key_column :: The reset password key/token column in the
|
25
|
+
reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
|
26
|
+
reset_password_key_column :: The reset password key/token column in the +reset_password_table+.
|
27
27
|
reset_password_key_param :: The parameter name to use for the reset password key.
|
28
|
+
reset_password_notice_flash :: The flash notice to show after resetting a password.
|
29
|
+
reset_password_page_title :: The page title to use on the reset password form.
|
28
30
|
reset_password_redirect :: Where to redirect after resetting a password.
|
29
31
|
reset_password_request_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password request form.
|
30
32
|
reset_password_request_button :: The text to use for the reset password request button.
|
31
33
|
reset_password_request_error_flash :: The flash error to show if not able to send a reset password email.
|
32
|
-
|
34
|
+
reset_password_request_link_text :: The text to use for a link to the page to request a password reset.
|
35
|
+
reset_password_request_page_title :: The page title to use on the reset password request form.
|
33
36
|
reset_password_request_route :: The route to the reset password request action. Defaults to +reset-password-request+.
|
34
37
|
reset_password_route :: The route to the reset password action. Defaults to +reset-password+.
|
35
38
|
reset_password_session_key :: The key in the session to hold the reset password key temporarily.
|
@@ -45,15 +48,15 @@ before_reset_password :: Run arbitrary code before resetting a password.
|
|
45
48
|
before_reset_password_request :: Run arbitrary code before sending the reset password email.
|
46
49
|
before_reset_password_request_route :: Run arbitrary code before handling a reset password request route.
|
47
50
|
before_reset_password_route :: Run arbitrary code before handling a reset password route.
|
48
|
-
create_reset_password_key :: Add the reset password key data to the database.
|
49
51
|
create_reset_password_email :: A Mail::Message for the reset password email.
|
52
|
+
create_reset_password_key :: Add the reset password key data to the database.
|
50
53
|
get_reset_password_email_last_sent :: Get the last time a reset password email is sent, or nil if there is no last sent time.
|
51
54
|
get_reset_password_key(id) :: Get the password reset key for the given account id from the database.
|
52
55
|
login_failed_reset_password_request_form :: The HTML to use for a form to request a password reset, shown on the login page after the user tries to login with an invalid password.
|
53
56
|
remove_reset_password_key :: Remove the reset password key for the current account, run after successful password reset.
|
54
57
|
reset_password_email_body :: The body to use for the reset password email.
|
55
58
|
reset_password_email_link :: The link to the reset password form in the reset password email.
|
56
|
-
reset_password_key_insert_hash :: The hash to insert into the
|
59
|
+
reset_password_key_insert_hash :: The hash to insert into the +reset_password_table+.
|
57
60
|
reset_password_key_value :: The reset password key for the current account.
|
58
61
|
reset_password_request_view :: The HTML to use for the reset password request form.
|
59
62
|
reset_password_view :: The HTML to use for the reset password form.
|
data/doc/session_expiration.rdoc
CHANGED
@@ -22,6 +22,7 @@ max_session_lifetime :: The maximum number of seconds since session creation tha
|
|
22
22
|
session_created_session_key :: The session key storing the session creation timestamp.
|
23
23
|
session_expiration_default :: Whether to expire sessions that don't have the created at or last activity at timestamps set, true by default.
|
24
24
|
session_expiration_error_flash :: The flash error to show if a session expires.
|
25
|
+
session_expiration_error_status :: The error status to use when a JSON request is made and the session has expired, 401 by default.
|
25
26
|
session_expiration_redirect :: Where to redirect if a session expires.
|
26
27
|
session_inactivity_timeout :: The maximum number of seconds allowed since the last activity before the session will be considered invalid. 1800 by default (30 minutes).
|
27
28
|
session_last_activity_session_key :: The session key storing the last session activity timestamp.
|
data/doc/single_session.rdoc
CHANGED
@@ -7,40 +7,31 @@ the stored key by doing:
|
|
7
7
|
|
8
8
|
rodauth.check_single_session
|
9
9
|
|
10
|
-
|
10
|
+
It is not recommended to use this feature unless you
|
11
11
|
have a policy that requires it. Many users find it useful to
|
12
12
|
be able to have multiple concurrent sessions, and restricting
|
13
|
-
this ability does not make things more secure.
|
13
|
+
this ability does not make things more secure. You can use the
|
14
|
+
active_sessions feature for something with similar behavior but
|
15
|
+
that allows for concurrent sessions.
|
14
16
|
|
15
|
-
|
17
|
+
One of the side benefits with this feature is that
|
16
18
|
logouts reset the single session key, so attempts to reuse
|
17
19
|
the previous session after logout no longer work.
|
18
20
|
|
19
21
|
== Auth Value Methods
|
20
22
|
|
21
|
-
allow_raw_single_session_key? :: Whether to allow a raw single session key to
|
22
|
-
|
23
|
-
|
24
|
-
single_session_id_column :: The column in the +single_session_table+ containing
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
single_session_error_flash :: The flash error to display if the current session
|
29
|
-
is no longer the active session for the account.
|
30
|
-
single_session_redirect :: Where to redirect if the current session is no longer
|
31
|
-
the active session for the account.
|
32
|
-
single_session_session_key :: The session key name to use for storing the single
|
33
|
-
session key.
|
23
|
+
allow_raw_single_session_key? :: Whether to allow a raw single session key to be accepted, should only be enabled for graceful transition when +hmac_secret+ is first set.
|
24
|
+
inactive_session_error_status :: The error status to use when a JSON request is made and the session is no longer active, 401 by default.
|
25
|
+
single_session_error_flash :: The flash error to display if the current session is no longer the active session for the account.
|
26
|
+
single_session_id_column :: The column in the +single_session_table+ containing the account id.
|
27
|
+
single_session_key_column :: The column in the +single_session_table+ containing the single session key.
|
28
|
+
single_session_redirect :: Where to redirect if the current session is no longer the active session for the account.
|
29
|
+
single_session_session_key :: The session key name to use for storing the single session key.
|
34
30
|
single_session_table :: The database table storing single session keys.
|
35
31
|
|
36
32
|
== Auth Methods
|
37
33
|
|
38
|
-
currently_active_session? :: Whether the current session is the active session for
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
reset_single_session_key :: Reset the single session key for the user, by default
|
43
|
-
to a new random key.
|
44
|
-
update_single_session_key :: Update the single session key in the current session
|
45
|
-
and in the database, reflecting that the current
|
46
|
-
session is the active session for the user.
|
34
|
+
currently_active_session? :: Whether the current session is the active session for the user.
|
35
|
+
no_longer_active_session :: The action to take if the current session is no longer the active session for the user.
|
36
|
+
reset_single_session_key :: Reset the single session key for the user, by default to a new random key.
|
37
|
+
update_single_session_key :: Update the single session key in the current session and in the database, reflecting that the current session is the active session for the user.
|
data/doc/sms_codes.rdoc
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
= Documentation for SMS Codes Feature
|
2
2
|
|
3
|
-
The sms codes feature allows
|
4
|
-
SMS messages. It is usually used as a backup if
|
5
|
-
or has been locked out, but it can be used as the primary
|
3
|
+
The sms codes feature allows for multifactor authentication via codes provided via
|
4
|
+
SMS messages. It is usually used as a backup if other multifactor authentication is not available
|
5
|
+
or has been locked out, but it can be used as the primary multifactor authentication method.
|
6
6
|
|
7
7
|
This feature allows users to register their mobile phone number with the system, confirm that
|
8
8
|
they can receive SMS messages on the mobile phone number they have registered, request
|
@@ -21,30 +21,36 @@ you prefer:
|
|
21
21
|
== Auth Value Methods
|
22
22
|
|
23
23
|
no_current_sms_code_error_flash :: The flash error to show when going to the SMS authentication page and no current SMS authentication code is available.
|
24
|
-
|
24
|
+
sms :: A hash of SMS information for the user, if SMS authentication has been setup.
|
25
25
|
sms_already_setup_error_flash :: The flash error to show when going to a page to setup SMS authentication if SMS authentication has already been setup.
|
26
|
+
sms_already_setup_error_status :: The response status to use when going to a page to setup SMS authentication if SMS authentication has already been setup, 403 by default.
|
26
27
|
sms_already_setup_redirect :: Where to redirect when going to a page to setup SMS authentication if SMS authentication has already been setup.
|
27
28
|
sms_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via SMS.
|
28
|
-
sms_auth_button :: Text to use for button on form to authenticate via SMS.
|
29
|
+
sms_auth_button :: Text to use for button on the form to authenticate via SMS.
|
29
30
|
sms_auth_code_length :: The length of SMS authentication codes, 6 by default.
|
31
|
+
sms_auth_link_text :: The text to use for the link from the multifactor auth page.
|
32
|
+
sms_auth_page_title :: The page title to use on the form to authenticate via SMS code.
|
30
33
|
sms_auth_redirect :: Where to redirect if SMS authentication is needed.
|
31
34
|
sms_auth_route :: The route to the SMS authentication action. Defaults to +sms-auth+.
|
32
35
|
sms_code_allowed_seconds :: The number of seconds after an SMS authentication is sent until it is no longer valid, 300 seconds by default.
|
33
36
|
sms_code_column :: The column in the +sms_codes_table+ containing the currently valid SMS authentication/confirmation code.
|
34
37
|
sms_code_label :: The label for SMS codes.
|
35
38
|
sms_code_param :: The parameter name for SMS codes.
|
39
|
+
sms_codes_primary? :: Whether SMS codes are a primary multifactor authentication method. If not, they cannot be setup unless multifactor authentication has already been setup.
|
36
40
|
sms_codes_table :: The name of the table storing SMS code data.
|
37
|
-
sms_codes_primary? :: Whether SMS codes are the primary 2nd factor authentication method, true by default if not using the otp feature.
|
38
41
|
sms_confirm_additional_form_tags :: HTML fragment containing additional form tags when confirming SMS setup.
|
39
|
-
sms_confirm_button :: Text to use for button on form to confirm SMS setup.
|
42
|
+
sms_confirm_button :: Text to use for button on the form to confirm SMS setup.
|
40
43
|
sms_confirm_code_length :: The length of SMS confirmation codes, 12 by default, as there is no lockout.
|
41
44
|
sms_confirm_notice_flash :: The flash notice to show when SMS authentication setup has been confirmed.
|
42
|
-
|
45
|
+
sms_confirm_page_title :: The page title to use on the form to authenticate via SMS code.
|
46
|
+
sms_confirm_redirect :: Where to redirect after SMS authentication setup has been confirmed.
|
43
47
|
sms_confirm_route :: The route to the SMS setup confirmation action. Defaults to +sms-confirm+.
|
44
48
|
sms_disable_additional_form_tags :: HTML fragment containing additional form tags when disabling SMS authentication.
|
45
|
-
sms_disable_button :: Text to use for button on form to disable SMS authentication.
|
49
|
+
sms_disable_button :: Text to use for button on the form to disable SMS authentication.
|
46
50
|
sms_disable_error_flash :: The flash error to show when disabling SMS authentication fails.
|
51
|
+
sms_disable_link_text :: The text to use for the remove link from the multifactor manage page.
|
47
52
|
sms_disable_notice_flash :: The flash notice to show when SMS authentication has been successfully disabled.
|
53
|
+
sms_disable_page_title :: The page title to use on the form to disable SMS authentication.
|
48
54
|
sms_disable_redirect :: Where to redirect after SMS authentication has been disabled.
|
49
55
|
sms_disable_route :: The route to the SMS authentication disable action. Defaults to +sms-disable+.
|
50
56
|
sms_failure_limit :: The number of failures until SMS authentication is locked out.
|
@@ -57,23 +63,27 @@ sms_invalid_phone_message :: The error message to show when an invalid SMS phone
|
|
57
63
|
sms_issued_at_column :: The column in the +sms_codes_table+ containing the time the SMS code was issued.
|
58
64
|
sms_lockout_error_flash :: The flash error to show when SMS authentication has been locked out due to repeated failures.
|
59
65
|
sms_lockout_redirect :: Where to redirect after SMS authentication has been locked out.
|
60
|
-
sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
|
61
66
|
sms_needs_confirmation_error_flash :: The flash error to show on SMS authentication pages when SMS authentication setup needs confirmation.
|
67
|
+
sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
|
62
68
|
sms_needs_confirmation_redirect :: Where to redirect after SMS setup, when confirmation is required.
|
63
69
|
sms_needs_setup_redirect :: Where to redirect if going to an SMS authentication page when SMS authentication has not been setup.
|
64
70
|
sms_not_setup_error_flash :: The flash error to show when on SMS authentication pages when SMS authentication has not yet been setup.
|
65
71
|
sms_phone_column :: The column in the +sms_codes_table+ containing the phone number to which to send SMS messages.
|
72
|
+
sms_phone_input_type :: The input type to use for SMS phone numbers, tel by default.
|
66
73
|
sms_phone_label :: The label for SMS phone numbers.
|
67
74
|
sms_phone_min_length :: The minimum length of phone numbers allowed for SMS authentication, 7 by default.
|
68
75
|
sms_phone_param :: The parameter name for SMS phone numbers.
|
69
76
|
sms_request_additional_form_tags :: HTML fragment containing additional form tags when requesting an SMS authentication code.
|
70
|
-
sms_request_button :: Text to use for button on form to request an SMS authentication code.
|
77
|
+
sms_request_button :: Text to use for button on the form to request an SMS authentication code.
|
71
78
|
sms_request_notice_flash :: The flash notice to show when an SMS authentication code is requested.
|
79
|
+
sms_request_page_title :: The page title to use on the form to request an SMS authentication code.
|
72
80
|
sms_request_redirect :: Where to redirect after requesting an SMS authentication code.
|
73
81
|
sms_request_route :: The route to the SMS authentication code request action. Defaults to +sms-request+.
|
74
82
|
sms_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up SMS authentication.
|
75
|
-
sms_setup_button :: Text to use for button on form to setup SMS authentication.
|
83
|
+
sms_setup_button :: Text to use for button on the form to setup SMS authentication.
|
76
84
|
sms_setup_error_flash :: The flash error to show when setting up SMS authentication fails.
|
85
|
+
sms_setup_link_text :: The text to use for the setup link from the multifactor manage page.
|
86
|
+
sms_setup_page_title :: The page title to use on the form to setup SMS authentication.
|
77
87
|
sms_setup_route :: The route to the SMS authentication setup action. Defaults to +sms-setup+.
|
78
88
|
|
79
89
|
== Auth Methods
|
@@ -111,10 +121,10 @@ sms_new_auth_code :: A new SMS authentication code that can be used for the acco
|
|
111
121
|
sms_new_confirm_code :: A new SMS confirmation code that can be used for the account.
|
112
122
|
sms_normalize_phone(phone) :: A normalized version of the given phone number, by default removing everything except 0-9.
|
113
123
|
sms_record_failure :: Record an SMS authentication failure for the current account.
|
114
|
-
sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful
|
124
|
+
sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful multifactor authentication.
|
115
125
|
sms_request_view :: The HTML to use for the form to request an SMS authentication code.
|
116
126
|
sms_send(phone, message) :: Send the given message to the given phone number via SMS. By default a NotImplementedError is raised, this is the only method that must be overridden.
|
117
|
-
sms_set_code(code) :: Set the SMS authentication code for the current account to the given code. The code can be
|
127
|
+
sms_set_code(code) :: Set the SMS authentication code for the current account to the given code. The code can be nil to specify that no SMS authentication code is currently valid.
|
118
128
|
sms_setup :: Setup SMS authentication for the current account.
|
119
129
|
sms_setup? :: Whether SMS authentication has been setup and confirmed for the current account.
|
120
130
|
sms_setup_view :: The HTML to use for the form to setup SMS authentication.
|
data/doc/two_factor_base.rdoc
CHANGED
@@ -1,30 +1,68 @@
|
|
1
1
|
= Documentation for Two Factor Base Feature
|
2
2
|
|
3
|
-
The
|
4
|
-
|
3
|
+
The two_factor_base feature implements shared functionality for the other
|
4
|
+
multifactor authentication features.
|
5
|
+
|
6
|
+
To handle multiple and potentially different multifactor authentication setups
|
7
|
+
per user, this feature implements disambiguation pages for multifactor
|
8
|
+
authentication and manage. If only a single multifactor authentication is
|
9
|
+
available to setup, the manage page will redirect to the appropriate page.
|
10
|
+
Likewise, if only a single multifactor authentication method is available,
|
11
|
+
the authentication page will redirect to the appropriate page. Otherwise,
|
12
|
+
the authentication and manage pages will show links to the available pages.
|
13
|
+
Additionally, there is a separate page for disabling all multifactor
|
14
|
+
authentication methods and reverting to single factor authentication,
|
15
|
+
so users do not have to disable each multifactor authentication method
|
16
|
+
individually.
|
5
17
|
|
6
18
|
== Auth Value Methods
|
7
19
|
|
8
|
-
|
9
|
-
|
10
|
-
two_factor_already_authenticated_redirect :: Where to redirect if going to a
|
11
|
-
two_factor_auth_notice_flash :: The flash notice to show after a successful
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
20
|
+
two_factor_already_authenticated_error_flash :: The flash error to show if going to a multifactor authentication page when already multifactor authenticated.
|
21
|
+
two_factor_already_authenticated_error_status :: The response status to use if going to a multifactor authentication page when already multifactor authenticated, 403 by default.
|
22
|
+
two_factor_already_authenticated_redirect :: Where to redirect if going to a multifactor authentication page when already multifactor authenticated.
|
23
|
+
two_factor_auth_notice_flash :: The flash notice to show after a successful multifactor authentication.
|
24
|
+
two_factor_auth_page_title :: The page title to use on the page linking to other multifactor authentication pages.
|
25
|
+
two_factor_auth_redirect :: Where to redirect after a successful multifactor authentication.
|
26
|
+
two_factor_auth_redirect_session_key :: The key in the session hash storing the location to redirect to after successful multifactor authentication.
|
27
|
+
two_factor_auth_required_redirect :: Where to redirect if going to a page requiring multifactor authentication when not multifactor authenticated (the multifactor auth page by default).
|
28
|
+
two_factor_auth_return_to_requested_location? :: Whether to redirect to the originally requested location after successful multifactor authentication when +require_two_factor_authenticated+ was used, false by default.
|
29
|
+
two_factor_auth_route :: The route to the multifactor authentication page. Defaults to +multifactor-auth+.
|
30
|
+
two_factor_disable_additional_form_tags :: HTML fragment containing additional form tags when disabling all multifactor authentication.
|
31
|
+
two_factor_disable_button :: Text to use for button on the form to disable all multifactor authentication.
|
32
|
+
two_factor_disable_error_flash :: The flash error to show if unable to disable all multifactor authentication.
|
33
|
+
two_factor_disable_link_text :: The text to use for the link to disable all multifactor authentication from the multifactor manage page.
|
34
|
+
two_factor_disable_notice_flash :: The flash notice to show after a successfully disabling all multifactor authentication.
|
35
|
+
two_factor_disable_page_title :: The page title to use on the page for disabling all multifactor authentication.
|
36
|
+
two_factor_disable_redirect :: Where to redirect after a successfully disabling all multifactor authentication.
|
37
|
+
two_factor_disable_route :: The route to the page to disable all multifactor authentication. Defaults to +multifactor-disable+.
|
38
|
+
two_factor_manage_page_title :: The page title to use on the page linking to other multifactor setup and remove pages.
|
39
|
+
two_factor_manage_route :: The route to the page to manage multifactor authentication. Defaults to +multifactor-manage+.
|
40
|
+
two_factor_modifications_require_password? :: Whether modifications to multifactor authentication require the inputing the user's password.
|
41
|
+
two_factor_need_authentication_error_flash :: The flash error to show if going to a page that requires multifactor authentication when not authenticated.
|
42
|
+
two_factor_need_authentication_error_status :: The response status to use if going to a page that requires multifactor authentication when not authenticated, 401 by default.
|
43
|
+
two_factor_need_setup_redirect :: Where to redirect if going to a multifactor authentication page when multifactor authentication has not been setup (the multifactor manage page by default).
|
44
|
+
two_factor_not_setup_error_flash :: The flash error to show if going to a multifactor authentication page when multifactor authentication has not been setup.
|
45
|
+
two_factor_not_setup_error_status :: The response status to use if going to a multifactor authentication page when multifactor authentication has not been setup, 403 by default.
|
46
|
+
two_factor_remove_heading :: The HTML to use above the remove links on the multifactor manage page.
|
47
|
+
two_factor_setup_heading :: The HTML to use above the setup links on the multifactor manage page.
|
48
|
+
two_factor_setup_session_key :: The session key used for storing whether multifactor authentication has been setup for the current account.
|
22
49
|
|
23
50
|
== Auth Methods
|
24
51
|
|
25
|
-
after_two_factor_authentication :: Any actions to take after successful
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
52
|
+
after_two_factor_authentication :: Any actions to take after successful multifactor authentication.
|
53
|
+
after_two_factor_disable :: Any actions to take after successful disabling of all multifactor authentication.
|
54
|
+
before_two_factor_auth_route :: Run arbitrary code before handling the multifactor auth route.
|
55
|
+
before_two_factor_disable :: Any actions to take before disabling of all multifactor authentication.
|
56
|
+
before_two_factor_disable_route :: Run arbitrary code before handling the multifactor disable route.
|
57
|
+
before_two_factor_manage_route :: Run arbitrary code before handling the multifactor manage route.
|
58
|
+
two_factor_auth_links :: An array of entries for links to show on the multifactor auth page. Each entry is an array of three elements, sort order (integer), link href, and link text.
|
59
|
+
two_factor_auth_view :: The HTML to use for the page linking to other multifactor authentication pages.
|
60
|
+
two_factor_authenticated? :: Whether the current session has already been multifactor authenticated.
|
61
|
+
two_factor_disable_view :: The HTML to use for the page for disabling all multifactor authentication.
|
62
|
+
two_factor_manage_view :: The HTML to use for the page linking to other multifactor setup and remove pages.
|
63
|
+
two_factor_remove :: Any action to take to remove multifactor authentication, called when closing accounts.
|
64
|
+
two_factor_remove_auth_failures :: Any action to take to remove multifactor authentication failures, called after a successful multifactor authentication.
|
65
|
+
two_factor_remove_links :: An array of entries for remove links to show on the multifactor manage page. Each entry is an array of three elements, sort order (integer), link href, and link text.
|
66
|
+
two_factor_remove_session :: What actions to take to remove multifactor authentication status from the session, called when disabling multifactor authentication when authenticated using the factor being removed.
|
67
|
+
two_factor_setup_links :: An array of entries for setup links to show on the multifactor manage page. Each entry is an array of three elements, sort order (integer), link href, and link text.
|
68
|
+
two_factor_update_session(type) :: How to update the session to reflect a successful multifactor authentication.
|