rodauth 1.23.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4306ff08603b48a95bc543ffe53188d28d71ffdf8bf7427b65f4384eab8f430
-  data.tar.gz: a7319dbdfa10b43743ec76f32453ef0d65f3b1a30945f9c3988c7b87c6a639a2
+  metadata.gz: db02abed46d2dd511d07e2c8bf8640ca01f14fff595953a3c05b9a2cbe314511
+  data.tar.gz: 81f74322d49942d099789350c031c59227ec92b8eb6304dce9b4e15a91f2e60f
 SHA512:
-  metadata.gz: 21d00b963f35ce2f356ba139cc07f0e0612484cc55a42efe5502f8401b8c373eeab2b2c71c92f68a2886d523e0b73a5fda80b5137fecec5b26ca9a0f517a3040
-  data.tar.gz: c5947144c88fbe98c31a2a24cd7a349953f8ff1717b9258f39ff58cbd98de85fb36abf6912b51496b6965ed7367f3fc13aad702db9443e587d9bde15dfc7c7c7
+  metadata.gz: bda7da30406c315d6f467ac88701668c5288c93f8415bb1cffa280136cf7838a4fec81e865b8d0e607fef646df5d33a37e96f6e5e00dba2d6956757efc25ffc8
+  data.tar.gz: f19903ffb51eb7a87107fe0a24a33214fde275e732a6ac2a41e9bf3409f7b348c2ca8f9f87fe690d8b239fc5ae796f02a36ac32c7f615c8fca25f628d4173a80

data/CHANGELOG

@@ -1,3 +1,187 @@
+=== 2.4.0 (2020-09-21)
+
+* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
+
+* Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
+
+=== 2.3.0 (2020-08-21)
+
+* Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
+
+* Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
+
+* Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
+
+* Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
+
+* Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
+
+* Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
+
+=== 2.2.0 (2020-07-20)
+
+* Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)
+
+* Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
+
+* Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
+
+* Reduce queries in #authenticated? and #require_authentication when using two factor authentication (janko) (#106)
+
+* Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
+
+* Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
+
+* Remove unnecessary conditionals (jeremyevans)
+
+* Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)
+
+=== 2.1.0 (2020-06-09)
+
+* Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
+
+* Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
+
+* Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
+
+* Add check_csrf configuration method to customize CSRF checking (janko) (#96)
+
+* Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
+
+* Don't consider account open if in unverified grace period without password (janko) (#92)
+
+=== 2.0.0 (2020-05-06)
+
+* Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
+
+* Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
+
+* Default otp_drift to 30 in the otp feature (jeremyevans)
+
+* Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
+
+* Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
+
+* Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
+
+* Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
+
+* HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
+
+* Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
+
+* Use a danger button when closing accounts (janko) (#83)
+
+* Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
+
+* Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
+
+* Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
+
+* Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
+
+* Add audit_logging feature, logging changes to a database table (jeremyevans)
+
+* Add hook_action configuration method, called after all before/after hooks (jeremyevans)
+
+* Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
+
+* Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
+
+* Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
+
+* Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
+
+* Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
+
+* Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
+
+* Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
+
+* Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
+
+* Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
+
+* Default to using Roda's route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
+
+* Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
+
+* Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
+
+* Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
+
+* Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
+
+* Make remember feature no longer depend on confirm_password (janko) (#79)
+
+* Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
+
+* Remove remembered_session_key configuration method, no longer needed (janko) (#80)
+
+* Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
+
+* Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
+
+* Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
+
+* Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
+
+* Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
+
+* Do not allow two factor authentication using same type as primary authentication (jeremyevans)
+
+* Do not require passwords by default if the account does not have a password (jeremyevans)
+
+* Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
+
+* Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
+
+* Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
+
+* Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
+
+* Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
+
+* Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
+
+* Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
+
+* Support and enable autocomplete attributes by default for fields (jeremyevans)
+
+* Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
+
+* Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
+
+* Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
+
+* Remove deprecated account_model configuration method (jeremyevans)
+
+* Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
+
+* Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
+
+* Change default setting of login_input_type to email if login_column is :email (jeremyevans)
+
+* Change default setting of mark_input_fields_as_required? to true (jeremyevans)
+
+* Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
+
+* Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
+
+* Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
+
+* Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
+
+* Add webauthn feature to handle WebAuthn authentication (jeremyevans)
+
+* Fix corner cases when disabling a second factor when multiple second factors have been setup (jeremyevans)
+
+* Don't override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
+
+* Add two factor auth, manage, and disable pages (jeremyevans)
+
+* Drop support for Ruby 1.8 (jeremyevans)
+
 === 1.23.0 (2020-03-06)
 
 * Remove specs from the gem to reduce gem size by over 20% (jeremyevans) 

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2019 Jeremy Evans
+Copyright (c) 2015-2020 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -1,12 +1,18 @@
 = Rodauth
 
-Rodauth is an authentication and account management framework for
-rack applications.  It's built using Roda and Sequel, but it can
-be used with other web frameworks, database libraries, and databases.
+Rodauth is Ruby's most advanced authentication framework, designed
+to work in any rack application.  It's built using Roda and Sequel,
+but it can be used with other web frameworks, database libraries,
+and databases.
+
 When used with PostgreSQL, MySQL, and Microsoft SQL Server in the
 default configuration, it offers additional security for password
 hashes by protecting access via database functions.
 
+Rodauth supports multiple multifactor authentication methods,
+multiple passwordless authentication methods, and offers both an
+HTML and JSON API for all supported features.
+
 == Design Goals
 
 * Security: Ship in a maximum security by default configuration
@@ -26,19 +32,25 @@ hashes by protecting access via database functions.
 * Confirm Password
 * Remember (Autologin via token)
 * Lockout (Bruteforce protection)
-* Email Authentication (Login via email link)
-* OTP (2 factor authentication via TOTP)
-* Recovery Codes (2 factor authentication via backup codes)
-* SMS Codes (2 factor authentication via SMS)
+* Audit Logging
+* Email Authentication (Passwordless login via email link)
+* WebAuthn (Multifactor authentication via WebAuthn)
+* WebAuthn Login (Passwordless login via WebAuthn)
+* WebAuthn Verify Account (Passwordless WebAuthn Setup)
+* OTP (Multifactor authentication via TOTP)
+* Recovery Codes (Multifactor authentication via backup codes)
+* SMS Codes (Multifactor authentication via SMS)
 * Verify Login Change (Verify new login before changing login)
 * Verify Account Grace Period (Don't require verification before login)
 * Password Grace Period (Don't require password entry if recently entered)
 * Password Complexity (More sophisticated checks)
+* Password Pepper
 * Disallow Password Reuse
 * Disallow Common Passwords
 * Password Expiration
 * Account Expiration
 * Session Expiration
+* Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
 * Single Session (Only one active session per account)
 * JWT (JSON API support for all other features)
 * JWT Refresh (Access & Refresh Token)
@@ -58,21 +70,24 @@ IRC :: irc://chat.freenode.net/#rodauth
 
 == Dependencies
 
-There are some dependencies that Rodauth uses by default, but are
-development dependencies instead of runtime dependencies in the
-gem as it is possible to run without them:
+There are some dependencies that Rodauth uses depending on the
+features in use. These are development dependencies instead of
+runtime dependencies in the gem as it is possible to run without them:
 
 tilt :: Used by all features unless in JSON API only mode.
-rack_csrf :: Used by all features unless in JSON API only mode
-             or the :csrf=>false|:route_csrf option is used when
-             loading the Rodauth plugin.
+rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
+             option is given (the default is to use Roda's route_csrf
+             plugin, as that allows for more secure request-specific
+             tokens).
 bcrypt :: Used by default for password matching, can be skipped
           if password_match? is overridden for custom authentication.
 mail :: Used by default for mailing in the reset password, verify
-        account, verify_login_change, change_password_notify, and
-        lockout features.
-rotp, rqrcode :: Used by the otp feature
+        account, verify_login_change, change_password_notify,
+        lockout, and email_auth features.
+rotp :: Used by the otp feature
+rqrcode :: Used by the otp feature
 jwt :: Used by the jwt feature
+webauthn :: Used by the webauthn feature
 
 == Security
 
@@ -143,10 +158,10 @@ function to reduce the risk of timing attacks.
 
 == HMAC
 
-By default, Rodauth does not use HMACs, but you are encouraged to use
-the +hmac_secret+ configuration method to set an HMAC secret.  Setting
-an HMAC secret will enable HMACs for additional security, as described
-below.
+By default, for backwards compatibility, Rodauth does not use HMACs,
+but you are strongly encouraged to use the +hmac_secret+ configuration
+method to set an HMAC secret.  Setting an HMAC secret will enable HMACs
+for additional security, as described below.
 
 === email_base feature
 
@@ -213,6 +228,17 @@ to the OTP setup route.  This will return an error with the +otp_secret+ and
 in the POST request to setup OTP, along with a valid OTP auth code for the
 +otp_secret+.
 
+=== webauthn feature
+
+Setting +hmac_secret+ is required to use the webauthn feature, as it is
+used for checking that the provided authentication challenges have not
+been modified.
+
+=== active_sessions feature
+
+Setting +hmac_secret+ is required to use the active_sessions feature,
+as the database stores an HMAC of the active session ID.
+
 === single_session feature
 
 Setting +hmac_secret+ will ensure the single session secret set in the
@@ -406,6 +432,25 @@ Note that these migrations require Sequel 4.35.0+.
         end
       end
 
+      # Used by the audit logging feature
+      json_type = case database_type
+      when :postgres
+        :jsonb
+      when :sqlite, :mysql
+        :json
+      else
+        String
+      end
+      create_table(:account_authentication_audit_logs) do
+        primary_key :id, :type=>:Bignum
+        foreign_key :account_id, :accounts, :null=>false, :type=>:Bignum
+        DateTime :at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+        String :message, :null=>false
+        column :metadata, json_type
+        index [:account_id, :at], :name=>:audit_account_at_idx
+        index :at, :name=>:audit_at_idx
+      end
+
       # Used by the password reset feature
       create_table(:account_password_reset_keys) do
         foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -417,9 +462,10 @@ Note that these migrations require Sequel 4.35.0+.
       # Used by the jwt refresh feature
       create_table(:account_jwt_refresh_keys) do
         primary_key :id, :type=>:Bignum
-        foreign_key :account_id, :accounts, :type=>:Bignum
+        foreign_key :account_id, :accounts, :null=>false, :type=>:Bignum
         String :key, :null=>false
         DateTime :deadline, deadline_opts[1]
+        index :account_id, :name=>:account_jwt_rk_account_id_idx
       end
 
       # Used by the account verification feature
@@ -485,6 +531,29 @@ Note that these migrations require Sequel 4.35.0+.
         String :key, :null=>false
       end
 
+      # Used by the active sessions feature
+      create_table(:account_active_session_keys) do
+        foreign_key :account_id, :accounts, :type=>:Bignum
+        String :session_id
+        Time :created_at, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+        Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+        primary_key [:account_id, :session_id]
+      end
+
+      # Used by the webauthn feature
+      create_table(:account_webauthn_user_ids) do
+        foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
+        String :webauthn_id, :null=>false
+      end
+      create_table(:account_webauthn_keys) do
+        foreign_key :account_id, :accounts, :type=>:Bignum
+        String :webauthn_id
+        String :public_key, :null=>false
+        Integer :sign_count, :null=>false
+        Time :last_use, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
+        primary_key [:account_id, :webauthn_id]
+      end
+
       # Used by the otp feature
       create_table(:account_otp_keys) do
         foreign_key :id, :accounts, :primary_key=>true, :type=>:Bignum
@@ -519,22 +588,26 @@ Note that these migrations require Sequel 4.35.0+.
         else
           get(Sequel.function(:DB_NAME))
         end
-        run "GRANT ALL ON account_statuses TO #{user}"
-        run "GRANT ALL ON accounts TO #{user}"
-        run "GRANT ALL ON account_password_reset_keys TO #{user}"
-        run "GRANT ALL ON account_jwt_refresh_keys TO #{user}"
-        run "GRANT ALL ON account_verification_keys TO #{user}"
-        run "GRANT ALL ON account_login_change_keys TO #{user}"
-        run "GRANT ALL ON account_remember_keys TO #{user}"
-        run "GRANT ALL ON account_login_failures TO #{user}"
-        run "GRANT ALL ON account_lockouts TO #{user}"
-        run "GRANT ALL ON account_email_auth_keys TO #{user}"
-        run "GRANT ALL ON account_password_change_times TO #{user}"
-        run "GRANT ALL ON account_activity_times TO #{user}"
-        run "GRANT ALL ON account_session_keys TO #{user}"
-        run "GRANT ALL ON account_otp_keys TO #{user}"
-        run "GRANT ALL ON account_recovery_codes TO #{user}"
-        run "GRANT ALL ON account_sms_codes TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_statuses TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_authentication_audit_logs TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_reset_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_jwt_refresh_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_verification_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_change_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_remember_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_failures TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_email_auth_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_lockouts TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_change_times TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_activity_times TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_session_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_active_session_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_user_ids TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_otp_keys TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_recovery_codes TO #{user}"
+        run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_sms_codes TO #{user}"
       end
     end
 
@@ -542,7 +615,10 @@ Note that these migrations require Sequel 4.35.0+.
       drop_table(:account_sms_codes,
                  :account_recovery_codes,
                  :account_otp_keys,
+                 :account_webauthn_keys,
+                 :account_webauthn_user_ids,
                  :account_session_keys,
+                 :account_active_session_keys,
                  :account_activity_times,
                  :account_password_change_times,
                  :account_email_auth_keys,
@@ -553,6 +629,7 @@ Note that these migrations require Sequel 4.35.0+.
                  :account_verification_keys,
                  :account_jwt_refresh_keys,
                  :account_password_reset_keys,
+                 :account_authentication_audit_logs,
                  :accounts,
                  :account_statuses)
     end
@@ -644,7 +721,8 @@ for the password user using Sequel's migration API:
 
 If the database is not PostgreSQL, MySQL, or Microsoft SQL Server, or you
 cannot use multiple user accounts, just combine the two migrations into a
-single migration.
+single migration, removing all the code related to database permissions
+and database functions.
 
 One thing to notice in the above migrations is that Rodauth uses additional
 tables for additional features, instead of additional columns in a single
@@ -761,10 +839,8 @@ should be flexible enough to integrate into most legacy systems.
 When loading the rodauth plugin, you can also pass an options hash,
 which configures which dependent plugins should be loaded. Options:
 
-:csrf :: Set to +false+ to not load a csrf plugin.  Set to +:route_csrf+
-         to use the route_csrf plugin instead of the csrf plugin. It is
-         recommended to set the +:route_csrf+ option as that allows
-         for more secure request-specific CSRF tokens.
+:csrf :: Set to +false+ to not load a csrf plugin.  Set to +:rack_csrf+
+         to use the csrf plugin instead of the route_csrf plugin.
 :flash :: Set to +false+ to not load the flash plugin
 :json :: Set to +true+ to load the json and json_parser plugins. Set
          to +:only+ to only load those plugins and not any other plugins.
@@ -783,42 +859,47 @@ view the appropriate file in the doc directory.
 * {Login Password Requirements Base}[rdoc-ref:doc/login_password_requirements_base.rdoc] (this feature is autoloaded by features that set logins/passwords)
 * {Email Base}[rdoc-ref:doc/email_base.rdoc] (this feature is autoloaded by features that send email)
 * {Two Factor Base}[rdoc-ref:doc/two_factor_base.rdoc] (this feature is autoloaded by 2 factor authentication features)
-* {Login}[rdoc-ref:doc/login.rdoc]
-* {Logout}[rdoc-ref:doc/logout.rdoc]
+* {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
+* {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
+* {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
+* {Change Login}[rdoc-ref:doc/change_login.rdoc]
 * {Change Password}[rdoc-ref:doc/change_password.rdoc]
 * {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]
-* {Change Login}[rdoc-ref:doc/change_login.rdoc]
-* {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
-* {Create Account}[rdoc-ref:doc/create_account.rdoc]
 * {Close Account}[rdoc-ref:doc/close_account.rdoc]
-* {Verify Account}[rdoc-ref:doc/verify_account.rdoc]
 * {Confirm Password}[rdoc-ref:doc/confirm_password.rdoc]
-* {Remember}[rdoc-ref:doc/remember.rdoc]
-* {Lockout}[rdoc-ref:doc/lockout.rdoc]
+* {Create Account}[rdoc-ref:doc/create_account.rdoc]
+* {Disallow Common Passwords}[rdoc-ref:doc/disallow_common_passwords.rdoc]
+* {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
 * {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
+* {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
+* {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
+* {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
+* {JWT}[rdoc-ref:doc/jwt.rdoc]
+* {Lockout}[rdoc-ref:doc/lockout.rdoc]
+* {Login}[rdoc-ref:doc/login.rdoc]
+* {Logout}[rdoc-ref:doc/logout.rdoc]
 * {OTP}[rdoc-ref:doc/otp.rdoc]
-* {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
-* {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
-* {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
-* {Verify Change Login}[rdoc-ref:doc/verify_change_login.rdoc]
-* {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
-* {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
 * {Password Complexity}[rdoc-ref:doc/password_complexity.rdoc]
-* {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
-* {Disallow Common Passwords}[rdoc-ref:doc/disallow_common_passwords.rdoc]
-* {Update Password Hash}[rdoc-ref:doc/update_password_hash.rdoc]
 * {Password Expiration}[rdoc-ref:doc/password_expiration.rdoc]
-* {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
+* {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
+* {Password Pepper}[rdoc-ref:doc/password_pepper.rdoc]
+* {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
+* {Remember}[rdoc-ref:doc/remember.rdoc]
+* {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
 * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
 * {Single Session}[rdoc-ref:doc/single_session.rdoc]
-* {JWT}[rdoc-ref:doc/jwt.rdoc]
-* {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
-* {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
-* {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
+* {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
+* {Update Password Hash}[rdoc-ref:doc/update_password_hash.rdoc]
+* {Verify Account}[rdoc-ref:doc/verify_account.rdoc]
+* {Verify Account Grace Period}[rdoc-ref:doc/verify_account_grace_period.rdoc]
+* {Verify Login Change}[rdoc-ref:doc/verify_login_change.rdoc]
+* {WebAuthn}[rdoc-ref:doc/webauthn.rdoc]
+* {WebAuthn Login}[rdoc-ref:doc/webauthn_login.rdoc]
+* {WebAuthn Verify Account}[rdoc-ref:doc/webauthn_verify_account.rdoc]
 
 === Calling Rodauth in the Routing Tree
 
-In general, you will usually want to call rodauth early in your
+In general, you will usually want to call +r.rodauth+ early in your
 route block:
 
   route do |r|
@@ -897,6 +978,12 @@ logged_in? :: Whether the session has been logged in.
 authenticated? :: Similar to +logged_in?+, but if the account has setup two
                   factor authentication, whether the session has authenticated
                   via two factors.
+authenticated_by :: An array of strings for successful authentication methods for
+                    the current session (e.g. password/remember/webauthn).
+possible_authentication_methods :: An array of strings for possible authentication
+                                   types that can be used for the account.
+autologin_type :: If the current session was authenticated via autologin, the
+                  type of autologin used.
 require_two_factor_setup :: (two_factor_base feature) Require the session to have
                             setup two factor authentication, redirecting the
                             request to the two factor authentication setup page
@@ -911,6 +998,14 @@ require_current_password :: (password_expiration feature) Require a current
                             password, redirecting the request to the change
                             password page if the password for the account has
                             expired.
+require_password_authentication :: (confirm_password feature) If not authenticated
+                                   via password and the account has a password,
+                                   redirect to the password confirmation page,
+                                   saving the current location to redirect back
+                                   to after password has been successfully
+                                   confirmed. If the password_grace_period feature
+                                   is used, also redirect if the password has not
+                                   been recently entered.
 load_memory :: (remember feature) If the session has not been authenticated, look
                for the remember cookie.  If present and valid, automatically
                log the session in, but mark that it was logged in via a remember
@@ -920,9 +1015,15 @@ logged_in_via_remember_key? :: (remember feature) Whether the current session ha
                                sensitive actions where you want to require the user
                                to reenter the password, you can use the
                                confirm_password feature.
+http_basic_auth :: (http_basic_auth feature) Use HTTP Basic Authentication information
+                   to login the user if provided.
+require_http_basic_auth :: (http_basic_auth feature) Require that HTTP Basic
+                           Authentication be provided in the request.
 check_session_expiration :: (session_expiration feature) Check whether the current
                             session has expired, automatically logging the session
                             out if so.
+check_active_session :: (active_sessions feature) Check whether the current session
+                        is still active, automatically logging the session out if not.
 check_single_session :: (single_session feature) Check whether the current
                         session is still the only valid session, automatically logging
                         the session out if not.
@@ -931,10 +1032,15 @@ verified_account? :: (verify_grace_period feature) Whether the account is curren
                      login as they are in the grace period.
 locked_out? :: (lockout feature) Whether the account for the current session has been
                locked out.
+authenticated_webauthn_id :: (webauthn feature) If the current session was
+                             authenticated via webauthn, the webauthn id of the
+                             credential used.
 *_path :: One of these is added for each of the routes added by Rodauth, giving the
-          relative path to the route.
+          relative path to the route. Any options passed to this method will be
+          converted into query parameters.
 *_url :: One of these is added for each of the routes added by Rodauth, giving the
-         absolute path to the routE.
+         URL to the route. Any options passed to this method will be converted
+         into query parameters.
 
 === With Multiple Configurations
 
@@ -958,6 +1064,18 @@ the name as an argument to use that configuration:
     r.rodauth
   end
 
+By default, alternate configurations will use the same session keys as the
+primary configuration, which may be undesirable. To ensure session state is
+separated between configurations, you can set a session key prefix for
+alternate configurations.  If you are using the remember feature in both
+configurations, you may also want to set a different remember key in the
+alternate configuration:
+
+  plugin :rodauth, :name=>:secondary do
+    session_key_prefix "secondary_"
+    remember_cookie_key "_secondary_remember"
+  end
+
 === With Password Hashes Inside the Accounts Table
 
 You can use Rodauth if you are storing password hashes in the same
@@ -1066,6 +1184,20 @@ Facebook OAuth access token.
     end
   end
 
+=== With Rails
+
+If you're using Rails, you can use the
+{rodauth-rails}[https://github.com/janko/rodauth-rails] gem which provides
+Rails integration for Rodauth. Some of its features include:
+
+* generators for Rodauth & Sequel configuration, as well as views and mailers
+* uses Rails' flash messages and CSRF protection
+* automatically sets HMAC secret to Rails' secret key base
+* uses Action Controller & Action View for rendering templates
+* uses Action Mailer for sending emails
+
+Follow the instructions in the rodauth-rails README to get started.
+
 === With Other Web Frameworks
 
 You can use Rodauth even if your application does not use the Roda web
@@ -1110,17 +1242,20 @@ don't use Roda:
 
 === Using 2 Factor Authentication
 
-Rodauth ships with 2 factor authentication support via TOTP (Time-Based
-One-Time Passwords, RFC 6238).  There are a wide variety of ways in
-which to integrate 2 factor authentication into your site with Rodauth,
-based on the needs of the application.
+Rodauth ships with 2 factor authentication support via the following
+methods:
+
+* WebAuthn
+* TOTP (Time-Based One-Time Passwords, RFC 6238).
+* SMS Codes
+* Recovery Codes
 
-The 2 factor authentication support is part of the OTP feature, which
-needs to be enabled in addition to the login feature.  In addition,
-when implementing 2 factor authentication, you should generally
-provide a backup 2nd factor if the primary second factor is not
-available.  Rodauth supports SMS codes and recovery codes as other
-2nd factors.
+There are multiple ways to integrate 2 factor authentication with
+Rodauth, based on the needs of the application.  By default, SMS
+codes and recovery codes are treated only as backup 2nd factors,
+a user cannot enable them without first enabling another 2nd factor
+authentication method.  However, you can change this by using
+a configuration method.
 
 If you want to support but not require 2 factor authentication:
 
@@ -1134,7 +1269,7 @@ If you want to support but not require 2 factor authentication:
     # ...
   end
 
-If you want to force all users to use OTP authentication, requiring users
+If you want to force all users to use 2 factor authentication, requiring users
 that don't currently have two authentication to set it up:
 
   route do |r|
@@ -1251,7 +1386,7 @@ use the following basic structure
     end
   end
 
-See the source code for the features that ship with Rodauth for an
+See the {internals guide}[rdoc-ref:doc/internals.rdoc] for a more complete
 example of how to construct features.
 
 === Overriding Route-Level Behavior
@@ -1281,6 +1416,13 @@ benefit from precompiling your rodauth templates:
   end
   precompile_rodauth_templates
 
+== Ruby Support Policy
+
+Rodauth fully supports the currently supported versions of Ruby (MRI) and JRuby.  It may
+support unsupported versions of Ruby or JRuby, but such support may be dropped in any
+minor version if keeping it becomes a support issue.  The minimum Ruby version
+required to run the current version of Rodauth is 1.9.2.
+
 == Similar Projects
 
 All of these are Rails-specific: