rodauth 1.23.0 → 2.4.0

data/doc/jwt_cors.rdoc

@@ -11,13 +11,12 @@ This feature depends on the jwt feature.
 
 == Auth Value Methods
 
-jwt_cors_allow_origin :: Which origins are allowed to perform CORS requests.  The default is +false+.  This can be a String, Array of Strings, Regexp, or +true+ to allow CORS requests from any domain.
-jwt_cors_allow_methods :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Methods header (default: 'POST'). This specifies which methods are allowed in CORS requests.
 jwt_cors_allow_headers :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Headers header (default: 'Content-Type, Authorization, Accept'). This specifies which headers can be included in CORS requests.
+jwt_cors_allow_methods :: For allowed CORS-preflight requests, the value returned in the Access-Control-Allow-Methods header (default: 'POST'). This specifies which methods are allowed in CORS requests.
+jwt_cors_allow_origin :: Which origins are allowed to perform CORS requests.  The default is +false+.  This can be a String, Array of Strings, Regexp, or +true+ to allow CORS requests from any domain.
 jwt_cors_expose_headers :: For allowed CORS requests, the value returned in the Access-Control-Expose-Headers header (default: 'Authorization'). This specifies which headers the browser is allowed to access from a response to a CORS request.
 jwt_cors_max_age :: For allowed CORS-preflight requests, the value returned in the Access-Control-Max-Age header (default: 86400). This specifies how long before the information returned should be considered stale and another CORS preflight request made.
 
 == Auth Methods
 
 jwt_cors_allow? :: Whether the request should be allowed.  This is called for all requests for a Rodauth route that include an Origin header.  It should return true or false for whether to specially handle the cross-origin request.  By default, uses the +jwt_cors_allow_origin+ setting to check the origin.
-

data/doc/jwt_refresh.rdoc

@@ -5,11 +5,22 @@ setting a short lifetime on JWT access tokens.
 
 When this feature is used, the access and refresh token are provided
 at login in the response body (the access token is still provided in the Authorization
-header), and for any subsequent POST to /jwt-refresh.
+header), and for any subsequent POST to <tt>/jwt-refresh</tt>.
 
-Note that using the refresh token invalides the old refresh token and creates
+Note that using the refresh token invalides the token and creates
 a new access token with an updated lifetime.  However, it does not invalidate
-older access tokens.  Older access tokens remain valid until they expire.
+older access tokens.  Older access tokens remain valid until they expire.  You
+can use the active_sessions feature if you want previous access tokens to be invalid
+as soon as the refresh token is used.
+
+You can have multiple active refresh tokens active at a time, since each browser session
+will generally use a separate refresh token.  If you would like to revoke a refresh token
+when logging out, provide the refresh token when submitting the JSON request to logout.
+If you would like to remove all refresh tokens for the account when logging out, provide
+a value of <tt>all</tt> as the token value.
+
+When using the refresh token, you must provide a valid access token, as that contains
+information about the current session, which is used to create the new access token.
 
 This feature depends on the jwt feature.
 
@@ -18,18 +29,22 @@ This feature depends on the jwt feature.
 jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
 jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
 jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
+jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
 jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
-jwt_refresh_token_account_id_column :: The column name in the refresh token table storing the account id, should be a foreign key referencing the accounts table.
-jwt_refresh_token_deadline_column :: The column name in the refresh token keys table storing the deadline after which the refresh token will no longer be valid.
-jwt_refresh_token_deadline_interval :: validity of a refresh token. Default is 14 days.
+jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
+jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
+jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
 jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
 jwt_refresh_token_key :: Name of the key in the response json holding the refresh token.  Default is +refresh_token+.
-jwt_refresh_token_key_column :: The column name in the refresh token keys table holding the refresh token key value.
+jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
 jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token.  Default is +refresh_token+.
 jwt_refresh_token_table :: Name of the table holding refresh token keys.
+jwt_refresh_without_access_token_message :: Error message when trying to refresh with providing an access token.
+jwt_refresh_without_access_token_status :: The HTTP status code to use when trying to refresh without providing an access token.
 
 == Auth Methods
 
-after_refresh_token :: Hooks for specific processing once the refresh token has been set.
 account_from_refresh_token(token) :: Returns the account hash for the given refresh token.
+after_refresh_token :: Hooks for specific processing once the refresh token has been set.
+before_jwt_refresh_route :: Run arbitrary code before handling a jwt_refresh route.
 before_refresh_token :: Hooks for specific processing before the refresh token is computed.

data/doc/lockout.rdoc

@@ -8,37 +8,39 @@ unlock via an email sent to them.
 
 == Auth Value Methods
 
-account_lockouts_id_column :: The id column in the account lockouts table, should be a foreign key referencing the accounts table.
-account_lockouts_deadline_column :: The deadline column in the account lockouts table, containing how long the account is locked out until.
-account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if set_deadline_values?  is true.
-account_lockouts_email_last_sent_column :: The email last sent column in the account lockouts table.  nil by default, so an unlock account email is always sent when requested by default.
-account_lockouts_key_column :: The unlock key column in the account lockouts table.
+account_lockouts_deadline_column :: The deadline column in the +account_lockouts_table+, containing the timestamp until which the account is locked out.
+account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if +set_deadline_values?+ is true.
+account_lockouts_email_last_sent_column :: The email last sent column in the +account_lockouts_table+.  Set to nil to always send an unlock account email when requested.
+account_lockouts_id_column :: The id column in the +account_lockouts_table+, should be a foreign key referencing the accounts table.
+account_lockouts_key_column :: The unlock key column in the +account_lockouts_table+.
 account_lockouts_table :: The table containing account lockout information.
-account_login_failures_id_column :: The id column in the account login failures table, should be a foreign key referencing the accounts table.
-account_login_failures_number_column :: The column in the account login failures table containing the number of login failures for the account.
+account_login_failures_id_column :: The id column in the +account_login_failures_table+, should be a foreign key referencing the accounts table.
+account_login_failures_number_column :: The column in the +account_login_failures_table+ containing the number of login failures for the account.
 account_login_failures_table :: The table containing number of login failures per account.
 login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
-max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this is set to 100.
+max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this defaults to 100.
 no_matching_unlock_account_key_error_flash :: The flash error message to show if attempting to access the unlock account form with an invalid key.
 unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
-unlock_account_autologin? :: Whether to autologin users after successful account unlock.
+unlock_account_autologin? :: Whether to autologin users after successful account unlock. This defaults to true, as otherwise an attacker can prevent an account from logging in by continually locking out their account.
 unlock_account_button :: The text to use on the unlock account button.
 unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
 unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
 unlock_account_email_subject :: The subject to use for the unlock account email.
-unlock_account_explanatory_text :: The text to display above the button to unlock an account.
 unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
+unlock_account_explanatory_text :: The text to display above the button to unlock an account.
 unlock_account_key_param :: The parameter name to use for the unlock account key.
 unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
+unlock_account_page_title :: The page title to use on the unlock account form.
 unlock_account_redirect :: Where to redirect after successful account unlock.
 unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
 unlock_account_request_button :: The text to use on the unlock account request button.
 unlock_account_request_explanatory_text :: The text to display above the button to request an account unlock.
 unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
-unlock_account_request_redirect :: Where to redirect after account unlock email is sent.
+unlock_account_request_page_title :: The page title to use on the unlock account request form.
+unlock_account_request_redirect :: Where to redirect after the account unlock email is sent.
 unlock_account_request_route :: The route to the unlock account request action.  Defaults to +unlock-account-request+.
 unlock_account_requires_password? :: Whether a password is required when unlocking accounts, false by default.  May want to set to true if not allowing password resets.
-unlock_account_route :: Alias for lockout_route.
+unlock_account_route :: The route to the unlock account action.  Defaults to +unlock-account+.
 unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
 unlock_account_skip_resend_email_within :: The number of seconds before sending another unlock account email, if +account_lockouts_email_last_sent_column+ is set.
 
@@ -55,15 +57,15 @@ before_unlock_account_route :: Run arbitrary code before handling an unlock acco
 clear_invalid_login_attempts :: Clear any stored login failures or lockouts for the current account.
 create_unlock_account_email :: A Mail::Message for the account unlock email to send.
 generate_unlock_account_key :: A random string to use for a new unlock account key.
-get_unlock_account_email_last_sent :: Get the last time an unlock_account email is sent, or nil if there is no last sent time.
+get_unlock_account_email_last_sent :: Get the last time an unlock account email is sent, or nil if there is no last sent time.
 get_unlock_account_key :: Retrieve the unlock account key for the current account.
-invalid_login_attempt :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
+invalid_login_attempted :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
 locked_out? :: Whether the current account is locked out.
 send_unlock_account_email :: Send the account unlock email.
 set_unlock_account_email_last_sent :: Set the last time an unlock_account email is sent.
+unlock_account :: Unlock the account.
 unlock_account_email_body :: The body to use for the unlock account email.
 unlock_account_email_link :: The link to the unlock account form to include in the unlock account email.
-unlock_account :: Unlock the account.
 unlock_account_key :: The unlock account key for the current account.
 unlock_account_request_view :: The HTML to use for the unlock account request form.
 unlock_account_view :: The HTML to use for the unlock account form.

data/doc/login.rdoc

@@ -3,6 +3,13 @@
 The login feature implements a login page.  It's the most commonly
 used feature.
 
+In addition to the auth methods below, it provides a +login+ method that wraps
++login_session+, running login hooks and redirecting to the configured
+location.
+
+  rodauth.account           #=> { id: 123, ... }
+  rodauth.login('password') # login the current account
+
 == Auth Value Methods
 
 login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
@@ -10,13 +17,21 @@ login_button :: The text to use for the login button.
 login_error_flash :: The flash error to show for an unsuccesful login.
 login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
 login_form_footer :: A message to display after the login form.
-login_need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
+login_form_footer_links :: An array of entries for links to show on the login page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
+login_form_footer_links_heading :: A heading to show before the login form footer links.
 login_notice_flash :: The flash notice to show after successful login.
+login_page_title :: The page title to use on the login form.
 login_redirect :: Where to redirect after a sucessful login.
+login_redirect_session_key :: The key in the session hash storing the location to redirect to after successful login.
+login_return_to_requested_location? :: Whether to redirect to the originally requested location after successful login when +require_login+ was used, false by default.
 login_route :: The route to the login action. Defaults to +login+.
-use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default.
+multi_phase_login_forms :: An array of entries for authentication methods that can be used to login when using multi phase login.  Each entry is an array of three elements, sort order (integer), HTML, and method to call if this entry is the only authentication method available (or nil to not call a method).
+multi_phase_login_page_title :: The page title to use on the login form after login has been entered when using multi phase login.
+need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
+use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default unless an alternative login feature such as email_auth or webauthn_login is used.
 
 == Auth Methods
 
 before_login_route :: Run arbitrary code before handling a login route.
 login_view :: The HTML to use for the login form.
+multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.

data/doc/login_password_requirements_base.rdoc

@@ -5,52 +5,33 @@ use a Rodauth feature that requires setting logins or passwords.
 
 == Auth Value Methods
 
-already_an_account_with_this_login_message :: The error message to display when
-                                              there already exists an account
-                                              with the same login
+already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
-login_does_not_meet_requirements_message :: The error message to display when
-                                            the login does not meet the
-                                            requirements you have set.
+login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
+login_email_regexp :: The regular expression used to validate whether login is a valid email address.
 login_maximum_length :: The maximum length for logins, 255 by default.
 login_minimum_length :: The minimum length for logins, 3 by default.
-login_too_long_message :: The error message fragment to show if the login is
-                          too long.
-login_too_short_message :: The error message fragment to show if the login is
-                           too short.
-logins_do_not_match_message :: The error message to display when login and
-                               login confirmation do not match.
+login_not_valid_email_message :: The error message to display when login is not a valid email address.
+login_too_long_message :: The error message fragment to show if the login is too long.
+login_too_short_message :: The error message fragment to show if the login is too short.
+logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
-password_does_not_meet_requirements_message :: The error message to display when
-                                               the password does not meet the
-                                               requirements you have set.
+password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
 password_hash_cost :: The bcrypt cost to use for the password hash.
 password_minimum_length :: The minimum length for passwords, 6 by default.
-password_too_short_message :: The error message fragment to show if the password
-                              is too short.
-passwords_do_not_match_message :: The error message to display when password
-                                  and password confirmation do not match.
-require_email_address_logins? :: Whether logins need to be valid email addresses,
-                                 true by default.
-require_login_confirmation? :: Whether login confirmations are required when
-                               changing logins or creating accounts.
-require_password_confirmation? :: Whether password confirmations are required
-                                  when changing/resetting passwords and creating
-                                  accounts.
-same_as_existing_password_message :: The error message to display when a new
-                                     password is the same as the existing password.
+password_too_short_message :: The error message fragment to show if the password is too short.
+passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.
+require_email_address_logins? :: Whether logins need to be valid email addresses, true by default.
+require_login_confirmation? :: Whether login confirmations are required when changing logins or creating accounts.  True by default if not verifying the account.
+require_password_confirmation? :: Whether password confirmations are required when changing/resetting passwords and creating accounts.
+same_as_existing_password_message :: The error message to display when a new password is the same as the existing password.
 
 == Auth Methods
 
-login_meets_requirements?(login) :: Whether the given login meets the requirements.
-                                    By default, just checks that the login is a
-                                    valid email address.
-password_meets_requirements?(password) :: Whether the given password meets the
-                                          requirements. Can be used to implement
-                                          complexity requirements for passwords.
+login_meets_requirements?(login) :: Whether the given login meets the requirements.  By default, just checks that the login is a valid email address.
+login_valid_email?(login) :: Whether the login is a valid email address.
 password_hash(password) :: A hash of the given password.
-set_password(password) :: Set the password for the current account to the given
-                          password.
-
+password_meets_requirements?(password) :: Whether the given password meets the requirements. Can be used to implement complexity requirements for passwords.
+set_password(password) :: Set the password for the current account to the given password.

data/doc/logout.rdoc

@@ -5,10 +5,10 @@ It is the simplest feature.
 
 == Auth Value Methods
 
-logout_additional_form_tags :: HTML fragment containing additional form
-                               tags to use on the logout form.
+logout_additional_form_tags :: HTML fragment containing additional form tags to use on the logout form.
 logout_button :: The text to use for the logout button.
 logout_notice_flash :: The flash notice to show after logout.
+logout_page_title :: The page title to use on the logout form.
 logout_redirect :: Where to redirect after a logout.
 logout_route :: The route to the logout action. Defaults to +logout+.
 

data/doc/otp.rdoc

@@ -1,8 +1,8 @@
 = Documentation for OTP Feature
 
-The otp feature implements a 2 factor authentication via time-based one-time
-passwords (TOTP).  It supports signing up for 2 factor authentication, logging
-in with authentication codes, and disabling two factor authentication.
+The otp feature implements multifactor authentication via time-based one-time
+passwords (TOTP).  It supports setting up TOTP authentication, logging
+in with TOTP authentication codes, and disabling TOTP authentication.
 
 The otp feature requires the rotp and rqrcode gems.
 
@@ -16,36 +16,41 @@ otp_auth_error_flash :: The flash error to show if unable to authenticate via OT
 otp_auth_failures_limit :: The number of allowed OTP authentication failures before locking out.
 otp_auth_form_footer :: A footer to display at the bottom of the OTP authentication form.
 otp_auth_label :: The label for the OTP authentication code.
+otp_auth_link_text :: The text to use for the link from the multifactor auth page.
+otp_auth_page_title :: The page title to use on the OTP authentication form.
 otp_auth_param :: The parameter name for the OTP authentication code.
 otp_auth_route :: The route to the OTP authentication action. Defaults to +otp-auth+.
 otp_class :: The class to use for OTP authentication (default: ROTP::TOTP)
 otp_digits :: The number of digits to use in OTP authentication codes (rotp's default is 6).
-otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the from to disable OTP authentication.
-otp_disable_button :: The text to use for button on form to disable OTP authentication.
+otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the form to disable OTP authentication.
+otp_disable_button :: The text to use for button on the form to disable OTP authentication.
 otp_disable_error_flash :: The flash error to show if unable to disable OTP authentication.
+otp_disable_link_text :: The text to use for the disable link from the multifactor manage page.
 otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
+otp_disable_page_title :: The page title to use on the OTP disable form.
 otp_disable_redirect :: Where to redirect after disabling OTP authentication.
 otp_disable_route :: The route to the OTP disable action. Defaults to +otp-disable+.
-otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is nil, to not allow drift.
+otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is 30.  Can be set to nil to not allow drift.
+otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 30).
 otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication code is used.
 otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted during OTP setup.
-otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 300).
-otp_issuer :: The issuer to use in the OTP provisioning URL.  Defaults to the host name of the request.
-otp_keys_id_column :: The column in the otp_keys_table containing the account id.
-otp_keys_column :: The column in the otp_keys_table containing the OTP secret.
-otp_keys_failures_column :: The column in the otp_keys_table containing the number of OTP authentication failures.
-otp_keys_last_use_column :: The column in otp_keys_table containing the last authentication timestamp.
+otp_issuer :: The issuer to use in the OTP provisioning URL.  Defaults to +domain+.
+otp_keys_column :: The column in the +otp_keys_table+ containing the OTP secret.
+otp_keys_failures_column :: The column in the +otp_keys_table+ containing the number of OTP authentication failures.
+otp_keys_id_column :: The column in the +otp_keys_table+ containing the account id.
+otp_keys_last_use_column :: The column in +otp_keys_table+ containing the last authentication timestamp.
 otp_keys_table :: The table name containing the OTP secrets.
 otp_keys_use_hmac? :: Whether to use HMACs for OTP keys.  Defaults to whether +hmac_secret+ has been set.  Should be set to false if adding +hmac_secret+ to Rodauth where the otp feature is already in use, as otherwise it will render existing OTP keys invalid.
-otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
 otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked out due to numerous authentication failures.
+otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
 otp_provisioning_uri_label :: The label used when displaying the OTP provisioning URI during OTP setup.
 otp_secret_label :: The label used when displaying the OTP secret during OTP setup.
-otp_session_key :: The session key used to store whether the user has authenticated via OTP.
 otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up OTP authentication.
 otp_setup_button :: Text for the button when setting up OTP authentication.
 otp_setup_error_flash :: The flash error to show if OTP authentication setup was not successful.
+otp_setup_link_text :: The text to use for the setup link from the multifactor manage page.
 otp_setup_notice_flash :: The flash notice to show if OTP authentication setup was successful.
+otp_setup_page_title :: The page title to use on the form to setup OTP authentication.
 otp_setup_param :: The parameter name used for the OTP secret when setting up OTP authentication.
 otp_setup_raw_param :: The parameter name used for the raw OTP secret when setting up OTP authentication, when +otp_keys_use_hmac?+ is true. 
 otp_setup_redirect :: Where to redirect after sucessful OTP authentication setup.
@@ -56,18 +61,19 @@ otp_setup_route :: The route to the OTP setup action. Defaults to +otp-setup+.
 after_otp_authentication_failure :: Run arbitrary code after OTP authentication failure.
 after_otp_disable :: Run arbitrary code after OTP authentication has been disabled.
 after_otp_setup :: Run arbitrary code after OTP authentication has been setup.
-before_otp_authentication :: Run arbitrary code before OTP authentication.
 before_otp_auth_route :: Run arbitrary code before handling an OTP authentication route.
-before_otp_setup :: Run arbitrary code before OTP authentication setup.
-before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
+before_otp_authentication :: Run arbitrary code before OTP authentication.
 before_otp_disable :: Run arbitrary code before OTP authentication disabling.
 before_otp_disable_route :: Run arbitrary code before handling an OTP authentication disable route.
+before_otp_setup :: Run arbitrary code before OTP authentication setup.
+before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
 otp :: The object used for verifying OTP authentication attempts.
 otp_add_key(secret) :: Add an OTP key for the current account with the given secret.
 otp_auth_view :: The HTML to use for the OTP authentication form.
 otp_disable_view :: The HTML to use for the OTP disable form.
 otp_exists? :: Whether the current account has setup OTP.
 otp_key :: The stored OTP secret for the account.
+otp_last_use :: The last time OTP authentication was successful for the account.
 otp_locked_out? :: Whether the current account has been locked out of OTP authentication.
 otp_new_secret :: A new secret to use when setting up OTP.
 otp_provisioning_name :: The provisioning name to use during OTP setup, defaults to the account's email.
@@ -75,9 +81,9 @@ otp_provisioning_uri :: The provisioning URI displayed during OTP setup.
 otp_qr_code :: The QR code containing the otp_provisioning_uri, by default an SVG image.
 otp_record_authentication_failure :: Record an OTP authentication failure.
 otp_remove :: Removes all stored OTP data for the current account.
-otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful OTP authentication.
+otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful multifactor authentication.
 otp_setup_view :: The HTML to use for the form to setup OTP authentication.
-otp_tmp_key(secret) :: Set the secret to use for the OTP key.
+otp_tmp_key(secret) :: Set the secret to use for the temporary OTP key, during OTP setup.
 otp_update_last_use :: Update the last time OTP authentication was successful for the account.  Return true if the authentication should be allowed, or false if it should not be allowed because the last authentication was too recent and indicates the possible reuse of a TOTP authentication code.
 otp_valid_code?(auth_code) :: Whether the given code is the currently valid OTP auth code for the account.
 otp_valid_key?(secret) :: Whether the given secret is a valid OTP secret.

data/doc/password_complexity.rdoc

@@ -21,30 +21,14 @@ Checks:
 
 == Auth Value Methods
 
-password_character_groups :: An array of regular expressions representing
-                             different character groups.
-password_dictionary :: A Array/Hash/Set containing dictionary words, which cannot
-                       match the password.
-password_dictionary_file :: A file containing dictionary words, which will not be allowed.
-                            By default, <tt>/usr/share/dict/words</tt> if present.  Set to
-                            false to not use a password dictionary. Note that this is only
-                            used during initialization, and cannot refer to request-specific
-                            state, unlike most other settings.
-password_in_dictionary_message :: The error message fragment to show if the password
-                                  is derived from a word in a dictionary.
-password_invalid_pattern :: A regexp where any match is considered an invalid password.
-                            For multiple sequences, use +Regexp.union+.
-password_invalid_pattern_message :: The error message fragment to show if the password
-                                    matches the invalid pattern.
-password_max_length_for_groups_check :: The number of characters above which
-                                        to skip the checks for character groups.
+password_character_groups :: An array of regular expressions representing different character groups.
+password_dictionary :: A Array/Hash/Set containing dictionary words, which cannot match the password.
+password_dictionary_file :: A file containing dictionary words, which will not be allowed.  By default, <tt>/usr/share/dict/words</tt> if present.  Set to false to not use a password dictionary. Note that this is only used during initialization, and cannot refer to request-specific state, unlike most other settings.
+password_in_dictionary_message :: The error message fragment to show if the password is derived from a word in a dictionary.
+password_invalid_pattern :: A regexp where any match is considered an invalid password.  For multiple sequences, use +Regexp.union+.
+password_invalid_pattern_message :: The error message fragment to show if the password matches the invalid pattern.
+password_max_length_for_groups_check :: The number of characters above which to skip the checks for character groups.
 password_max_repeating_characters :: The maximum number of repeating characters allowed.
-password_min_groups :: The minimum number of character groups the password
-                       has to contain if it is less than
-                       +password_max_length_for_groups_check+ characters.
-password_not_enough_character_groups_message :: The error message fragment to show if the
-                                                password does not contain characters from
-                                                enough character groups.
-password_too_many_repeating_characters_message :: The error message fragment to show if the
-                                                  password contains too many repeating
-                                                  characters.
+password_min_groups :: The minimum number of character groups the password has to contain if it is less than +password_max_length_for_groups_check+ characters.
+password_not_enough_character_groups_message :: The error message fragment to show if the password does not contain characters from enough character groups.
+password_too_many_repeating_characters_message :: The error message fragment to show if the password contains too many repeating characters.

data/doc/password_expiration.rdoc

@@ -20,33 +20,19 @@ expiration is in general a net loss from a security perspective.
 
 == Auth Value Methods
 
-allow_password_change_after :: How long in seconds after the last password change
-                               until another password change is allowed (always allowed by default).
-password_expiration_error_flash :: The flash error to display when the account's
-                                   password has expired and needs to be changed.
-password_not_changeable_yet_error_flash :: The flash error to display when not
-                                           enough time has elapsed since the last
-                                           password change and an attempt is made
-                                           to change the password.
-password_not_changeable_yet_redirect :: Where to redirect if the password cannot
-                                        be changed yet.
-password_change_needed_redirect :: Where to redirect if a password needs to be
-                                   changes.
-password_changed_at_session_key :: The key in the session storing the timestamp the password
-                                   was changed at.
-password_expiration_default :: If the last password change time for an account cannot
-                               be determined, whether to consider the account expired,
-                               false by default.
+allow_password_change_after :: How long in seconds after the last password change until another password change is allowed (always allowed by default).
+password_change_needed_redirect :: Where to redirect if a password needs to be changed.
+password_changed_at_session_key :: The key in the session storing the timestamp the password was changed at.
+password_expiration_changed_at_column :: The column in the +password_expiration_table+ containing the timestamp
+password_expiration_default :: If the last password change time for an account cannot be determined, whether to consider the account expired, false by default.
+password_expiration_error_flash :: The flash error to display when the account's password has expired and needs to be changed.
+password_expiration_id_column :: The column in the +password_expiration_table+ containing the account's id.
 password_expiration_table :: The table holding the password last changed timestamps.
-password_expiration_id_column :: The column in the +password_expiration_table+ containing
-                                 the account's id.
-password_expiration_changed_at_column :: The column in the +password_expiration_table+
-                                         containing the timestamp
-require_password_change_after :: How long in seconds until a password change is
-                                 required (90 days by default).
+password_not_changeable_yet_error_flash :: The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.
+password_not_changeable_yet_redirect :: Where to redirect if the password cannot be changed yet.
+require_password_change_after :: How long in seconds until a password change is required (90 days by default).
 
 == Auth Methods
 
 password_expired? :: Whether the password has expired for the related account.
-update_password_changed_at :: Update the password last changed timestamp for the
-                              current account.
+update_password_changed_at :: Update the password last changed timestamp for the current account.