rodauth 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03da9b51a0536d056d085d1d6c7d69f037e63825
-  data.tar.gz: 6c554cef3c2f122fce444146f7032c922ef93b9d
+  metadata.gz: 8be62d375631a0d62337cc9da83782e1a765ecc1
+  data.tar.gz: e5cc52f5bec8e0f7820b1b16ac11d96d385e0187
 SHA512:
-  metadata.gz: 37a8361ce43dfcf74bf5768e386eba59555c44fb3da0b29ae638eefa61ad6f9db70e9f25cf42831fddef200b10db9bb36fd67d60d630dfe11e96275d3f2be5a4
-  data.tar.gz: d88123e032493908205f0f93f93f8ae813942d3574adddb89fb77cf9053f255f3d814c9c84ae84ee5c939ac1f946c60032b6bdba89b96644abb139ffea69fd3a
+  metadata.gz: cd373d957b4b636afab06b24a7c782c9b3e605de844f0083c7eb2953779715dc4fec20418984ef4cdbce93d9f65e4848eed11a8318985d52d03ecdb9b2f1301f
+  data.tar.gz: d156aaad0e89d164a467e44c946088f28487db41a4b0cb1ec57dda6584ca36ffbb8c87daf02bcc868dcfe8322bf56fc4fa005ab9fdfd2cd0b8620bce6334d593

data/CHANGELOG

@@ -1,3 +1,21 @@
+=== 1.6.0 (2016-10-24)
+
+* Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
+
+* Move login hooks from login feature to base, to be usable by other features (jeremyevans)
+
+* Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
+
+* Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
+
+* Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
+
+* Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
+
+* Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
+
+* Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
+
 === 1.5.0 (2016-09-22)
 
 * Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)

data/README.rdoc

@@ -40,6 +40,7 @@ hashes by protecting access via database functions.
 * Single Session (Only one active session per account)
 * JWT (JSON API support for all other features)
 * Update Password Hash (when hash cost changes)
+* HTTP Basic Auth
 
 == Resources
 
@@ -505,7 +506,7 @@ add additional logging when a user logs in:
   plugin :rodauth do
     enable :login, :logout
     after_login do
-      LOGGER.info "#{account.email} logged in!"
+      LOGGER.info "#{account[:email]} logged in!"
     end
   end
 
@@ -525,7 +526,7 @@ So if you want to log the IP address for the user during login:
   plugin :rodauth do
     enable :login, :logout
     after_login do
-      LOGGER.info "#{account.email} logged in from #{request.ip}"
+      LOGGER.info "#{account[:email]} logged in from #{request.ip}"
     end
   end
 
@@ -836,14 +837,15 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
 inside the middleware, you can easily provide a way for your
 application to call Rodauth methods.
 
-For an example of integrating Rodauth into a real application that
-doesn't use Roda, see
-{this example integrating Rodauth into Ginatra, a Sinatra-based git repository viewer}[https://github.com/jeremyevans/ginatra/commit/28108ebec96e8d42596ee55b01c3f7b50c155dd1].
+Here are some examples of integrating Rodauth into applications that
+doesn't use Roda:
 
-To see an example of integrating Rodauth into a Rails application, see
-{this example porting Rodauth's demo site to Rails}[https://github.com/jeremyevans/rodauth-demo-rails].
-This uses the {roda-rails gem}[https://github.com/jeremyevans/roda-rails]
-so that Rodauth uses Rails' CSRF and flash support.
+* {Ginatra, a Sinatra-based git repository viewer}[https://github.com/jeremyevans/ginatra/commit/28108ebec96e8d42596ee55b01c3f7b50c155dd1] 
+* {Rodauth's demo site as a Rails application}[https://github.com/jeremyevans/rodauth-demo-rails] (
+  This uses the {roda-rails gem}[https://github.com/jeremyevans/roda-rails]
+  so that Rodauth uses Rails' CSRF and flash support)
+* {Grape application}[https://github.com/davydovanton/grape-rodauth]
+* {Hanami application}[https://github.com/davydovanton/rodauth_hanami]
 
 === Using 2 Factor Authentication
 

data/doc/base.rdoc

@@ -69,6 +69,13 @@ use_database_authentication_functions? :: Whether to use functions to do authent
 
 == Auth Methods
 
+after_login :: Run arbitrary code after a successful login.
+after_login_failure :: Run arbitrary code after a login failure due to
+                       an invalid password.
+before_login :: Run arbitrary code after password has been checked, but
+                before updating the session.
+before_login_attempt :: Run arbitrary code after an account has been
+                        located, but before the password has been checked.
 before_rodauth :: Run arbitrary code before handling any rodauth route.
 account_from_login(login) :: Retrieve the account model instance related to the
                              given login or nil if no login matches.

data/doc/http_basic_auth.rdoc

@@ -0,0 +1,8 @@
+= Documentation for HTTP Basic Auth Feature
+
+The HTTP basic auth feature allows logins using HTTP basic authentication,
+described in RFC 1945.
+
+== Auth Value Methods
+
+http_basic_auth_realm :: The realm to return in the WWW-Authenticate header.

data/doc/jwt.rdoc

@@ -46,17 +46,21 @@ json_response_error_status :: The HTTP status code to use for JSON error respons
 json_response_field_error_key :: The JSON result key containing an field error message, "field-error" by default.
 json_response_success_key :: The JSON result key containing a success message for successful request, if set.  nil by default to not set success messages.
 jwt_algorithm :: The JWT algorithm to use, "HS256" by default.
-non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
-only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if :json=>:only option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
 jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches.  By default, HTTP Basic and Digest authentication are ignored.
 jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT.  By default, a Bearer prefix is removed.
 jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, false by default for backwards compatibility.
+jwt_decode_opts :: An optional hash to pass to JWT.decode. Can be used to set JWT verifiers.
 jwt_secret :: The JWT secret to use.  Access to this should be protected the same as a session secret.
+jwt_session_key :: A key to nest the session hash under in the JWT payload.  nil by default, for no nesting.
+jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply.  false by default.
+non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
+only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if :json=>:only option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
 use_jwt? :: Whether to use the JWT in the Authorization header for authentication information.  If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if only_json? is true, or if the request uses a json content type.
 
 == Auth Methods
 
 json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
+jwt_session_hash :: The session hash used to create the session_jwt. Can be used to set JWT claims.
 jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
 session_jwt :: An encoded JWT for the current session.
 set_jwt_token(token) :: Set the JWT token in the response, by default storing it in the Authorization header.

data/doc/login.rdoc

@@ -16,12 +16,5 @@ login_route :: The route to the login action.
 
 == Auth Methods
 
-after_login :: Run arbitrary code after a successful login.
-after_login_failure :: Run arbitrary code after a login failure due to
-                       an invalid password.
-before_login :: Run arbitrary code after password has been checked, but
-                before updating the session.
-before_login_attempt :: Run arbitrary code after an account has been
-                        located, but before the password has been checked.
 before_login_route :: Run arbitrary code before handling a login route.
 login_view :: The HTML to use for the login form.

data/doc/release_notes/1.6.0.txt

@@ -0,0 +1,37 @@
+= New Feature
+
+* An http_basic_auth feature has been added, allowing the use of
+  HTTP Basic Auth to login.
+
+= New Configuration Options for jwt Feature
+
+* jwt_session_hash has been added, for modifying the hash given before
+  creating the JWT.  This can be used for setting JWT claims.
+  Example:
+
+    jwt_session_hash do
+      super().merge(:exp=>Time.now.to_i + 120)
+    end
+
+* jwt_decode_opts has been added for specifying additional options to
+  JWT.decode. Among other things, this allows for JWT claim
+  verification. Example:
+
+    jwt_decode_opts(:verify_expiration=>true)
+
+* jwt_session_key has been added, specifying a key in the JWT that
+  will be used to store session information, instead of storing
+  session keys in the root of the JWT.  Use of this option can avoid
+  issues with reserved JWT claim names, and will probably be enabled
+  by default starting in Rodauth 2.
+
+* jwt_symbolize_deeply? configuration method has been added, for
+  whether to symbolize nested keys when decoding a JWT session hash.
+
+= Other Improvements
+
+* The reset_password feature no longer attempts to render a template
+  in json-only mode.
+
+* The jwt_payload method is now memoized by default.
+

data/lib/rodauth/features/base.rb

@@ -2,6 +2,10 @@
 
 module Rodauth
   Base = Feature.define(:base) do
+    after 'login'
+    after 'login_failure'
+    before 'login'
+    before 'login_attempt'
     before 'rodauth'
 
     error_flash "Please login to continue", 'require_login'
@@ -382,6 +386,10 @@ module Rodauth
       {account_status_column=>account_open_status_value}
     end
 
+    def only_json?
+      scope.class.opts[:rodauth_json] == :only
+    end
+
     def template_path(page)
       File.join(File.dirname(__FILE__), '../../../templates', "#{page}.str")
     end

data/lib/rodauth/features/http_basic_auth.rb

@@ -0,0 +1,50 @@
+# frozen-string-literal: true
+
+module Rodauth
+  HTTTBasicAuth = Feature.define(:http_basic_auth) do
+    auth_value_method :http_basic_auth_realm, "protected"
+
+    def session
+      return @session if defined?(@session)
+      sess = super
+      return sess if sess[session_key]
+      return sess unless token = ((v = request.env['HTTP_AUTHORIZATION']) && v[/\A *Basic (.*)\Z/, 1])
+      username, password = token.unpack("m*").first.split(/:/, 2)
+
+      if username && password
+        catch_error do
+          unless account_from_login(username)
+            throw_basic_auth_error(login_param, no_matching_login_message)
+          end
+
+          before_login_attempt
+          
+          unless open_account?
+            throw_basic_auth_error(login_param, no_matching_login_message)
+          end
+
+          unless password_match?(password)
+            after_login_failure
+            throw_basic_auth_error(password_param, invalid_password_message)
+          end
+          
+          transaction do
+            before_login
+            sess[session_key] = account_session_value
+            after_login
+          end
+        end
+      end
+
+      sess
+    end
+
+    private
+
+    def throw_basic_auth_error(*args)
+      response.status = 401
+      response.headers["WWW-Authenticate"] = "Basic realm=\"#{http_basic_auth_realm}\""
+      throw_error(*args) 
+    end
+  end
+end

data/lib/rodauth/features/jwt.rb

@@ -4,7 +4,7 @@ require 'jwt'
 
 module Rodauth
   Jwt = Feature.define(:jwt) do
-    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format in Authorization header"
+    auth_value_method :invalid_jwt_format_error_message, "invalid JWT format or claim in Authorization header"
     auth_value_method :json_non_post_error_message, 'non-POST method used in JSON API'
     auth_value_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
     auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
@@ -18,6 +18,9 @@ module Rodauth
     auth_value_method :jwt_authorization_ignore, /\A(?:Basic|Digest) /
     auth_value_method :jwt_authorization_remove, /\ABearer:?\s+/
     auth_value_method :jwt_check_accept?, false
+    auth_value_method :jwt_decode_opts, {}
+    auth_value_method :jwt_session_key, nil
+    auth_value_method :jwt_symbolize_deeply?, false
     auth_value_method :non_json_request_error_message, 'Only JSON format requests are allowed'
 
     auth_value_methods(
@@ -28,6 +31,7 @@ module Rodauth
 
     auth_methods(
       :json_request?,
+      :jwt_session_hash,
       :jwt_token,
       :session_jwt,
       :set_jwt_token
@@ -37,15 +41,15 @@ module Rodauth
       return @session if defined?(@session)
       return super unless use_jwt?
 
-      @session = if jwt_token
-        s = {}
-        jwt_payload.each do |k,v|
-          s[k.to_sym] = v
+      s = {}
+      if jwt_token && (session_data = jwt_session_key ? jwt_payload[jwt_session_key] : jwt_payload)
+        if jwt_symbolize_deeply?
+          s = JSON.parse(JSON.fast_generate(session_data), :symbolize_names=>true)
+        else
+          session_data.each{|k,v| s[k.to_sym] = v}
         end
-        s
-      else
-        {}
       end
+      @session = s
     end
 
     def clear_session
@@ -53,10 +57,6 @@ module Rodauth
       set_jwt if use_jwt?
     end
 
-    def only_json?
-      scope.class.opts[:rodauth_json] == :only
-    end
-
     def set_field_error(field, message)
       return super unless use_jwt?
       json_response[json_response_field_error_key] = [field, message]
@@ -82,8 +82,12 @@ module Rodauth
       json_response[json_response_success_key] = message if include_success_messages?
     end
 
+    def jwt_session_hash
+      jwt_session_key ? {jwt_session_key=>session} : session
+    end
+
     def session_jwt
-      JWT.encode(session, jwt_secret, jwt_algorithm)
+      JWT.encode(jwt_session_hash, jwt_secret, jwt_algorithm)
     end
 
     def jwt_token
@@ -134,7 +138,7 @@ module Rodauth
     end
 
     def jwt_payload
-      JWT.decode(jwt_token, jwt_secret, true, :algorithm=>jwt_algorithm)[0]
+      @jwt_payload ||= JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
     rescue JWT::DecodeError
       json_response[json_response_error_key] = invalid_jwt_format_error_message
       response.status ||= json_response_error_status

data/lib/rodauth/features/login.rb

@@ -5,10 +5,6 @@ module Rodauth
     notice_flash "You have been logged in"
     error_flash "There was an error logging in"
     view 'login', 'Login'
-    after
-    after 'login_failure'
-    before
-    before 'login_attempt'
     additional_form_tags
     button 'Login'
     redirect

data/lib/rodauth/features/reset_password.rb

@@ -165,7 +165,9 @@ module Rodauth
     attr_reader :reset_password_key_value
 
     def after_login_failure
-      @login_form_header = render("reset-password-request")
+      unless only_json?
+        @login_form_header = render("reset-password-request")
+      end
       super
     end
 

data/lib/rodauth/version.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  VERSION = '1.5.0'.freeze
+  VERSION = '1.6.0'.freeze
 
   def self.version
     VERSION

data/spec/http_basic_auth_spec.rb

@@ -0,0 +1,125 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe "Rodauth http basic auth feature" do
+  def basic_auth_visit(opts={})
+    page.driver.browser.basic_authorize(opts.fetch(:username,"foo@example.com"), opts.fetch(:password, "0123456789"))
+    visit(opts.fetch(:path, '/'))
+  end
+
+  def authorization_header(opts={})
+    ["#{opts.delete(:username)||'foo@example.com'}:#{opts.delete(:password)||'0123456789'}"].pack("m*")
+  end
+
+  def basic_auth_json_request(opts={})
+    auth = opts.delete(:auth) || authorization_header(opts)
+    path = opts.delete(:path) || '/'
+    json_request(path, opts.merge(:headers => {"HTTP_AUTHORIZATION" => "Basic #{auth}"}, :method=>'GET'))
+  end
+
+  def newline_basic_auth_json_request(opts={})
+    auth = opts.delete(:auth) || authorization_header(opts)
+    auth.chomp!
+    basic_auth_json_request(opts.merge(:auth => auth))
+  end
+
+  describe "on page visit" do
+    before do
+      rodauth do
+        enable :http_basic_auth
+      end
+      roda do |r|
+        r.rodauth
+        r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
+      end
+    end
+
+    it "handles logins" do
+      basic_auth_visit
+      page.text.must_include "Logged In"
+    end
+
+    it "keeps the user logged in" do
+      visit '/'
+      page.text.must_include "Not Logged"
+
+      basic_auth_visit
+      page.text.must_include "Logged In"
+
+      visit '/'
+      page.text.must_include "Logged In"
+    end
+
+    it "fails when no login is found" do
+      basic_auth_visit(:username => "foo2@example.com")
+      page.text.must_include "Not Logged"
+      page.response_headers.keys.must_include("WWW-Authenticate")
+    end
+
+    it "fails when passowrd does not match" do
+      basic_auth_visit(:password => "1111111111")
+      page.text.must_include "Not Logged"
+      page.response_headers.keys.must_include("WWW-Authenticate")
+    end
+  end
+
+  it "works with standard authentication" do
+    rodauth do
+      enable :login, :http_basic_auth
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
+    end
+
+    login
+    page.text.must_include "Logged In"
+  end
+
+  it "does not allow login to unverified account" do
+    rodauth do
+      enable :http_basic_auth
+      skip_status_checks? false
+    end
+    roda do |r|
+      r.rodauth
+      r.root{view :content=>(rodauth.logged_in? ? "Logged In" : 'Not Logged')}
+    end
+    DB[:accounts].update(:status_id=>1)
+
+    basic_auth_visit
+    page.text.must_include "Not Logged"
+    page.response_headers.keys.must_include("WWW-Authenticate")
+  end
+
+  it "should login via jwt" do
+    rodauth do
+      enable :http_basic_auth
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      response['Content-Type'] = 'application/json'
+      rodauth.require_authentication
+      {"success"=>'You have been logged in'}
+    end
+
+    @authorization = nil
+    res = basic_auth_json_request(:auth=>'.')
+    res.must_equal [400, {'error'=>"Please login to continue"}]
+
+    @authorization = nil
+    res = basic_auth_json_request(:username=>'foo@example2.com')
+    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["login", "no matching login"]}]
+
+    @authorization = nil
+    res = basic_auth_json_request(:password=>'012345678')
+    res.must_equal [401, {'error'=>"Please login to continue", "field-error"=>["password", "invalid password"]}]
+
+    @authorization = nil
+    res = newline_basic_auth_json_request
+    res.must_equal [200, {"success"=>'You have been logged in'}]
+
+    @authorization = nil
+    res = basic_auth_json_request
+    res.must_equal [200, {"success"=>'You have been logged in'}]
+  end
+end

data/spec/jwt_spec.rb

@@ -30,7 +30,7 @@ describe 'Rodauth login feature' do
     res = json_request('/login', :include_headers=>true, :login=>'foo@example.com', :password=>'0123456789')
 
     res = json_request("/", :headers=>{'HTTP_AUTHORIZATION'=>res[1]['Authorization'][1..-1]})
-    res.must_equal [400, {'error'=>'invalid JWT format in Authorization header'}]
+    res.must_equal [400, {'error'=>'invalid JWT format or claim in Authorization header'}]
   end
 
   it "should require json request content type in only json mode for rodauth endpoints only" do
@@ -122,4 +122,62 @@ describe 'Rodauth login feature' do
     json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/*'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
     json_request("/login", :headers=>{'HTTP_ACCEPT'=>'application/vnd.api+json'}, :login=>'foo@example.com', :password=>'0123456789').must_equal [200, {"success"=>'You have been logged in'}]
   end
+
+  it "generates and verifies JWTs with claims" do
+    invalid_jti = false
+
+    rodauth do
+      enable :login, :logout, :jwt
+      jwt_secret '1'
+      json_response_success_key 'success'
+      jwt_session_key 'data'
+      jwt_symbolize_deeply? true
+      jwt_session_hash do
+        h = super()
+        h['data']['foo'] = {:bar=>[1]}
+        h.merge(
+          :aud => %w[Young Old],
+          :exp => Time.now.to_i + 120,
+          :iat => Time.now.to_i,
+          :iss => "Foobar, Inc.",
+          :jti => SecureRandom.hex(10),
+          :nbf => Time.now.to_i - 30,
+          :sub => session_value
+        )
+      end
+      jwt_decode_opts(
+        :aud => 'Old',
+        :iss => "Foobar, Inc.",
+        :leeway => 30,
+        :verify_aud => true,
+        :verify_expiration => true,
+        :verify_iat => true,
+        :verify_iss => true,
+        :verify_jti => proc{|jti| invalid_jti ? false : !!jti},
+        :verify_not_before => true
+      )
+    end
+    roda(:jwt) do |r|
+      r.rodauth
+      r.post{rodauth.session[:foo][:bar]}
+    end
+
+    json_login.must_equal [200, {"success"=>'You have been logged in'}]
+
+    payload = JWT.decode(@authorization, nil, false)[0]
+    payload['sub'].must_equal payload['data']['account_id']
+    payload['iat'].must_be_kind_of Integer
+    payload['exp'].must_be_kind_of Integer
+    payload['nbf'].must_be_kind_of Integer
+    payload['iss'].must_equal "Foobar, Inc."
+    payload['aud'].must_equal %w[Young Old]
+    payload['jti'].must_match(/^[0-9a-f]{20}$/)
+
+    json_request.must_equal [200, [1]]
+
+    invalid_jti = true
+    if RUBY_VERSION >= '1.9'
+      json_login(:no_check=>true).must_equal [400, {"error"=>'invalid JWT format or claim in Authorization header'}]
+    end
+  end
 end

data/spec/reset_password_spec.rb

@@ -155,6 +155,9 @@ describe 'Rodauth reset_password feature' do
       r.rodauth
     end
 
+    res = json_login(:pass=>'1', :no_check=>true)
+    res.must_equal [400, {"field-error"=>["password", "invalid password"], "error"=>"There was an error logging in"}]
+
     res = json_request('/reset-password')
     res.must_equal [400, {"error"=>"There was an error resetting your password"}]
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-09-22 00:00:00.000000000 Z
+date: 2016-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -225,12 +225,14 @@ extra_rdoc_files:
 - doc/confirm_password.rdoc
 - doc/verify_change_login.rdoc
 - doc/update_password_hash.rdoc
+- doc/http_basic_auth.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.2.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
+- doc/release_notes/1.6.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -245,6 +247,7 @@ files:
 - doc/create_account.rdoc
 - doc/disallow_password_reuse.rdoc
 - doc/email_base.rdoc
+- doc/http_basic_auth.rdoc
 - doc/jwt.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
@@ -261,6 +264,7 @@ files:
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
+- doc/release_notes/1.6.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -282,6 +286,7 @@ files:
 - lib/rodauth/features/create_account.rb
 - lib/rodauth/features/disallow_password_reuse.rb
 - lib/rodauth/features/email_base.rb
+- lib/rodauth/features/http_basic_auth.rb
 - lib/rodauth/features/jwt.rb
 - lib/rodauth/features/lockout.rb
 - lib/rodauth/features/login.rb
@@ -312,6 +317,7 @@ files:
 - spec/confirm_password_spec.rb
 - spec/create_account_spec.rb
 - spec/disallow_password_reuse_spec.rb
+- spec/http_basic_auth_spec.rb
 - spec/jwt_spec.rb
 - spec/lockout_spec.rb
 - spec/login_spec.rb
@@ -398,7 +404,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.6
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications