rodauth 2.11.0 → 2.15.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +28 -0
- data/README.rdoc +29 -7
- data/doc/active_sessions.rdoc +4 -0
- data/doc/base.rdoc +1 -0
- data/doc/error_reasons.rdoc +73 -0
- data/doc/internal_request.rdoc +463 -0
- data/doc/path_class_methods.rdoc +10 -0
- data/doc/release_notes/2.11.0.txt +1 -1
- data/doc/release_notes/2.12.0.txt +17 -0
- data/doc/release_notes/2.13.0.txt +19 -0
- data/doc/release_notes/2.14.0.txt +17 -0
- data/doc/release_notes/2.15.0.txt +48 -0
- data/doc/remember.rdoc +1 -0
- data/lib/rodauth.rb +9 -2
- data/lib/rodauth/features/active_sessions.rb +29 -8
- data/lib/rodauth/features/base.rb +26 -1
- data/lib/rodauth/features/change_login.rb +6 -4
- data/lib/rodauth/features/change_password.rb +5 -3
- data/lib/rodauth/features/close_account.rb +3 -1
- data/lib/rodauth/features/confirm_password.rb +2 -2
- data/lib/rodauth/features/create_account.rb +6 -4
- data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
- data/lib/rodauth/features/disallow_password_reuse.rb +1 -1
- data/lib/rodauth/features/email_auth.rb +6 -0
- data/lib/rodauth/features/internal_request.rb +367 -0
- data/lib/rodauth/features/jwt_refresh.rb +1 -1
- data/lib/rodauth/features/lockout.rb +15 -4
- data/lib/rodauth/features/login.rb +6 -3
- data/lib/rodauth/features/login_password_requirements_base.rb +15 -6
- data/lib/rodauth/features/otp.rb +13 -6
- data/lib/rodauth/features/password_complexity.rb +4 -4
- data/lib/rodauth/features/path_class_methods.rb +22 -0
- data/lib/rodauth/features/recovery_codes.rb +6 -2
- data/lib/rodauth/features/remember.rb +25 -10
- data/lib/rodauth/features/reset_password.rb +8 -4
- data/lib/rodauth/features/session_expiration.rb +1 -0
- data/lib/rodauth/features/single_session.rb +1 -0
- data/lib/rodauth/features/sms_codes.rb +17 -5
- data/lib/rodauth/features/two_factor_base.rb +6 -1
- data/lib/rodauth/features/verify_account.rb +8 -1
- data/lib/rodauth/features/verify_account_grace_period.rb +1 -1
- data/lib/rodauth/features/verify_login_change.rb +5 -2
- data/lib/rodauth/features/webauthn.rb +15 -14
- data/lib/rodauth/features/webauthn_login.rb +1 -1
- data/lib/rodauth/version.rb +1 -1
- data/templates/button.str +1 -1
- data/templates/change-password.str +2 -2
- data/templates/global-logout-field.str +1 -1
- data/templates/login-confirm-field.str +2 -2
- data/templates/login-display.str +2 -2
- data/templates/login-field.str +2 -2
- data/templates/otp-auth-code-field.str +2 -2
- data/templates/otp-setup.str +2 -2
- data/templates/password-confirm-field.str +2 -2
- data/templates/password-field.str +2 -2
- data/templates/recovery-auth.str +2 -2
- data/templates/remember.str +1 -1
- data/templates/sms-code-field.str +2 -2
- data/templates/sms-setup.str +2 -2
- data/templates/unlock-account-email.str +1 -1
- data/templates/webauthn-remove.str +1 -1
- metadata +19 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3abad4574361365b90229229928b653d049ad73e2e366195e10bb8ee565de323
|
4
|
+
data.tar.gz: 2fecb89ba5456f9aa8569eef019dbf7f9b7a3b7736b3da053ce15e5b4d67074c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9086a3f18f04da0184af7fcaaa3c474ae3560e7b9c1b6b526cbbd8239ca4f2f47f2a44fe4e8681e349c5bb78a6e3f7529b5bd296d62ad92e1a1ac9188122a4ab
|
7
|
+
data.tar.gz: 2b67d509e6a0b0a61ca679f45238714b817d6eef1becb9e1ecfeab33d7e296d3f43ffa0a392d812981b8a3f096cbc868501c00f6661d1c72194cdfe0726ef842
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,31 @@
|
|
1
|
+
=== 2.15.0 (2021-07-27)
|
2
|
+
|
3
|
+
* Add path_class_methods feature, for getting paths/URLs using class methods (jeremyevans)
|
4
|
+
|
5
|
+
* Make default base_url method use configured domain (janko) (#171)
|
6
|
+
|
7
|
+
* Add internal_request feature, for interacting with Rodauth by calling methods (jeremyevans, janko)
|
8
|
+
|
9
|
+
=== 2.14.0 (2021-06-22)
|
10
|
+
|
11
|
+
* Make jwt_refresh feature allow refresh with expired access tokens even if prefix is not set correctly (jeremyevans) (#168)
|
12
|
+
|
13
|
+
* Make internal account_in_unverified_grace_period? method handle accounts missing or unverified accounts (janko, jeremyevans) (#167)
|
14
|
+
|
15
|
+
* Add remembered_session_id configuration method for getting session id from valid remember token if present (bjeanes) (#166)
|
16
|
+
|
17
|
+
=== 2.13.0 (2021-05-22)
|
18
|
+
|
19
|
+
* Make jwt_refresh expired access token support work when using rodauth.check_active_sessions before calling r.rodauth (renchap) (#165)
|
20
|
+
|
21
|
+
* Update default templates to add classes for Bootstrap 5 compatibility (janko) (#164)
|
22
|
+
|
23
|
+
* Add set_error_reason configuration method to allow applications more finer grained error handling (renchap, jeremyevans) (#162)
|
24
|
+
|
25
|
+
=== 2.12.0 (2021-04-22)
|
26
|
+
|
27
|
+
* Add configuration methods to active_sessions plugin to control the inserting and updating of rows (janko) (#159)
|
28
|
+
|
1
29
|
=== 2.11.0 (2021-03-22)
|
2
30
|
|
3
31
|
* Add same_as_current_login_message and contains_null_byte_message configuration methods to increase translatability (dmitryzuev) (#158)
|
data/README.rdoc
CHANGED
@@ -60,6 +60,8 @@ HTML and JSON API for all supported features.
|
|
60
60
|
* Argon2
|
61
61
|
* HTTP Basic Auth
|
62
62
|
* Change Password Notify
|
63
|
+
* Internal Request
|
64
|
+
* Path Class Methods
|
63
65
|
|
64
66
|
== Resources
|
65
67
|
|
@@ -68,7 +70,6 @@ Demo Site :: http://rodauth-demo.jeremyevans.net
|
|
68
70
|
Source :: http://github.com/jeremyevans/rodauth
|
69
71
|
Bugs :: http://github.com/jeremyevans/rodauth/issues
|
70
72
|
Google Group :: https://groups.google.com/forum/#!forum/rodauth
|
71
|
-
IRC :: irc://chat.freenode.net/#rodauth
|
72
73
|
|
73
74
|
== Dependencies
|
74
75
|
|
@@ -85,9 +86,9 @@ bcrypt :: Used by default for password hashing, can be skipped
|
|
85
86
|
if password_match? is overridden for custom authentication.
|
86
87
|
argon2 :: Used by the argon2 feature as alternative to bcrypt for
|
87
88
|
password hashing.
|
88
|
-
mail :: Used by default for mailing in the
|
89
|
-
|
90
|
-
|
89
|
+
mail :: Used by default for mailing in the reset_password, verify_account,
|
90
|
+
verify_login_change, change_password_notify, lockout, and
|
91
|
+
email_auth features.
|
91
92
|
rotp :: Used by the otp feature
|
92
93
|
rqrcode :: Used by the otp feature
|
93
94
|
jwt :: Used by the jwt feature
|
@@ -831,7 +832,7 @@ overriding for all behavior, using any information from the request:
|
|
831
832
|
plugin :rodauth do
|
832
833
|
enable :login, :logout
|
833
834
|
accounts_table do
|
834
|
-
request.ip.start_with?("192.168.1") ? :admins : :users
|
835
|
+
request.ip.start_with?("192.168.1.") ? :admins : :users
|
835
836
|
end
|
836
837
|
end
|
837
838
|
|
@@ -880,6 +881,7 @@ view the appropriate file in the doc directory.
|
|
880
881
|
* {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
|
881
882
|
* {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
|
882
883
|
* {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
|
884
|
+
* {Internal Request}[rdoc-ref:doc/internal_request.rdoc]
|
883
885
|
* {JSON}[rdoc-ref:doc/json.rdoc]
|
884
886
|
* {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
|
885
887
|
* {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
|
@@ -892,6 +894,7 @@ view the appropriate file in the doc directory.
|
|
892
894
|
* {Password Expiration}[rdoc-ref:doc/password_expiration.rdoc]
|
893
895
|
* {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
|
894
896
|
* {Password Pepper}[rdoc-ref:doc/password_pepper.rdoc]
|
897
|
+
* {Path Class Methods}[rdoc-ref:doc/path_class_methods.rdoc]
|
895
898
|
* {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
|
896
899
|
* {Remember}[rdoc-ref:doc/remember.rdoc]
|
897
900
|
* {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
|
@@ -1051,6 +1054,25 @@ authenticated_webauthn_id :: (webauthn feature) If the current session was
|
|
1051
1054
|
URL to the route. Any options passed to this method will be converted
|
1052
1055
|
into query parameters.
|
1053
1056
|
|
1057
|
+
=== Calling Rodauth Methods for Other Accounts
|
1058
|
+
|
1059
|
+
In some cases, you may want to interact with Rodauth directly on behalf
|
1060
|
+
of a user. For example, let's say you want to create accounts or change passwords
|
1061
|
+
for existing accounts. Using Rodauth's internal_request feature, you can do this
|
1062
|
+
by:
|
1063
|
+
|
1064
|
+
plugin :rodauth do
|
1065
|
+
enable :create_account, :change_password, :internal_request
|
1066
|
+
end
|
1067
|
+
rodauth.create_account(login: 'foo@example.com', password: '...')
|
1068
|
+
rodauth.change_password(account_id: 24601, password: '...')
|
1069
|
+
|
1070
|
+
Here the +rodauth+ method is called as the Roda class level, which returns
|
1071
|
+
the appropriate <tt>Rodauth::Auth</tt> subclass. You call internal request
|
1072
|
+
methods on that class to perform actions on behalf of a user. See the
|
1073
|
+
{internal request feature documentation}[rdoc-ref:doc/internal_request.rdoc]
|
1074
|
+
for details.
|
1075
|
+
|
1054
1076
|
=== With Multiple Configurations
|
1055
1077
|
|
1056
1078
|
Rodauth supports using multiple rodauth configurations in the same
|
@@ -1362,7 +1384,7 @@ custom methods that will be callable on the +rodauth+ object.
|
|
1362
1384
|
|
1363
1385
|
=== Using External Features
|
1364
1386
|
|
1365
|
-
The enable configuration method is able to load features external to
|
1387
|
+
The +enable+ configuration method is able to load features external to
|
1366
1388
|
Rodauth. You need to place the external feature file where it can be
|
1367
1389
|
required via rodauth/features/feature_name. That file should
|
1368
1390
|
use the following basic structure
|
@@ -1401,7 +1423,7 @@ use the following basic structure
|
|
1401
1423
|
end
|
1402
1424
|
end
|
1403
1425
|
|
1404
|
-
See the {internals guide}[rdoc-ref:doc/internals.rdoc] for a more complete
|
1426
|
+
See the {internals guide}[rdoc-ref:doc/guides/internals.rdoc] for a more complete
|
1405
1427
|
example of how to construct features.
|
1406
1428
|
|
1407
1429
|
=== Overriding Route-Level Behavior
|
data/doc/active_sessions.rdoc
CHANGED
@@ -37,9 +37,13 @@ inactive_session_error_status :: The error status to use when a JSON request is
|
|
37
37
|
session_id_session_key :: The session key name to use for storing the session id.
|
38
38
|
session_inactivity_deadline :: The number of seconds since last use after which the session will be considered expired (1 day by default). Can be set to nil to not check session inactivity.
|
39
39
|
session_lifetime_deadline :: The number of seconds since session creation after which the session will be considered expired (30 days by default). Can be set to nil to not check session lifetimes.
|
40
|
+
update_current_session? :: Whether the update current session with +active_sessions_update_hash+. By default returns true if +session_inactivity_deadline+ is set.
|
40
41
|
|
41
42
|
== Auth Methods
|
42
43
|
|
44
|
+
active_sessions_insert_hash :: The hash to insert into the +active_sessions_table+.
|
45
|
+
active_sessions_key :: The active session key for the current account.
|
46
|
+
active_sessions_update_hash :: The hash to update the currently active session when +update_current_session?+ is true. By default updates last use to current time.
|
43
47
|
add_active_session :: Create a session id for the session and populate the session and add the session id to the database.
|
44
48
|
currently_active_session? :: Whether the session is currently active, by checking the database table.
|
45
49
|
handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table. Does nothing by default. This should only be called if the random number generator is broken.
|
data/doc/base.rdoc
CHANGED
@@ -105,6 +105,7 @@ random_key :: A randomly generated string, used for creating tokens.
|
|
105
105
|
redirect(path) :: Redirect the request to the given path.
|
106
106
|
session_value :: The value for session_key in the current session.
|
107
107
|
set_error_flash(message) :: Set the current error flash to the given message.
|
108
|
+
set_error_reason(reason) :: You can override this method to customize handling of specific error types (does nothing by default). Each separate error type has a separate reason symbol, you can see the {list of error reason symbols}[rdoc-ref:doc/error_reasons.rdoc].
|
108
109
|
set_notice_flash(message) :: Set the next notice flash to the given message.
|
109
110
|
set_notice_now_flash(message) :: Set the current notice flash to the given message.
|
110
111
|
set_redirect_error_flash(message) :: Set the next error flash to the given message.
|
@@ -0,0 +1,73 @@
|
|
1
|
+
= Error Reasons
|
2
|
+
|
3
|
+
Rodauth allows for customizing response status codes and error
|
4
|
+
messages for each type of error. However, in some cases, the
|
5
|
+
response status code is too coarse for desired error handling
|
6
|
+
by the application (since many error types use the same status
|
7
|
+
code), and using the error message is too fragile since it may
|
8
|
+
be translated.
|
9
|
+
|
10
|
+
For this reason, Rodauth associates a fine grained reason for
|
11
|
+
each type of error. If an error occurs in Rodauth, it will
|
12
|
+
call the +set_error_reason+ method with a symbol for the
|
13
|
+
specific type of error. By default, this method does not do
|
14
|
+
anything, but you can use the +set_error_reason+ configuration
|
15
|
+
method to customize the error handling.
|
16
|
+
|
17
|
+
These are the currently supported error type symbols that
|
18
|
+
Rodauth will call +set_error_reason+ with:
|
19
|
+
|
20
|
+
* :account_locked_out
|
21
|
+
* :already_an_account_with_this_login
|
22
|
+
* :already_an_unverified_account_with_this_login
|
23
|
+
* :duplicate_webauthn_id
|
24
|
+
* :inactive_session
|
25
|
+
* :invalid_email_auth_key
|
26
|
+
* :invalid_otp_auth_code
|
27
|
+
* :invalid_otp_secret
|
28
|
+
* :invalid_password
|
29
|
+
* :invalid_password_pattern
|
30
|
+
* :invalid_phone_number
|
31
|
+
* :invalid_previous_password
|
32
|
+
* :invalid_recovery_code
|
33
|
+
* :invalid_remember_param
|
34
|
+
* :invalid_reset_password_key
|
35
|
+
* :invalid_sms_code
|
36
|
+
* :invalid_sms_confirmation_code
|
37
|
+
* :invalid_unlock_account_key
|
38
|
+
* :invalid_verify_account_key
|
39
|
+
* :invalid_verify_login_change_key
|
40
|
+
* :invalid_webauthn_auth_param
|
41
|
+
* :invalid_webauthn_remove_param
|
42
|
+
* :invalid_webauthn_setup_param
|
43
|
+
* :invalid_webauthn_sign_count
|
44
|
+
* :login_not_valid_email
|
45
|
+
* :login_required
|
46
|
+
* :login_too_long
|
47
|
+
* :login_too_short
|
48
|
+
* :logins_do_not_match
|
49
|
+
* :no_current_sms_code
|
50
|
+
* :no_matching_login
|
51
|
+
* :not_enough_character_groups_in_password
|
52
|
+
* :otp_locked_out
|
53
|
+
* :password_authentication_required
|
54
|
+
* :password_contains_null_byte
|
55
|
+
* :password_does_not_meet_requirements
|
56
|
+
* :password_in_dictionary
|
57
|
+
* :password_is_one_of_the_most_common
|
58
|
+
* :password_same_as_previous_password
|
59
|
+
* :password_too_short
|
60
|
+
* :passwords_do_not_match
|
61
|
+
* :same_as_current_login
|
62
|
+
* :same_as_existing_password
|
63
|
+
* :session_expired
|
64
|
+
* :sms_already_setup
|
65
|
+
* :sms_locked_out
|
66
|
+
* :sms_needs_confirmation
|
67
|
+
* :sms_not_setup
|
68
|
+
* :too_many_repeating_characters_in_password
|
69
|
+
* :two_factor_already_authenticated
|
70
|
+
* :two_factor_need_authentication
|
71
|
+
* :two_factor_not_setup
|
72
|
+
* :unverified_account
|
73
|
+
* :webauthn_not_setup
|
@@ -0,0 +1,463 @@
|
|
1
|
+
= Documentation for Internal Request Feature
|
2
|
+
|
3
|
+
The internal request feature allows interacting with Rodauth by
|
4
|
+
calling methods, and is expected to be used mostly for administrative
|
5
|
+
purposes. It allows for things like an changing a login or password
|
6
|
+
for an existing user, without requiring that the user login to the
|
7
|
+
system. The reason the feature is named +internal_request+ is that
|
8
|
+
it internally submits requests to Rodauth, which are handled almost
|
9
|
+
identically to how actual web requests will be handled by Rodauth.
|
10
|
+
|
11
|
+
The general form of calling these methods is:
|
12
|
+
|
13
|
+
App.rodauth.internal_request_method(hash)
|
14
|
+
|
15
|
+
Where +App+ is the Roda class, and +internal_request_method+ is the
|
16
|
+
method you are calling. For example:
|
17
|
+
|
18
|
+
App.rodauth.change_password(account_id: 1, password: 'foobar')
|
19
|
+
|
20
|
+
Will change the password for the account with id 1 to +foobar+.
|
21
|
+
|
22
|
+
All internal request methods support the following options. For
|
23
|
+
internal requests that require an existing account, you should
|
24
|
+
generally use one of the two following options:
|
25
|
+
|
26
|
+
:account_id :: The id of the account to be considered as logged in when the internal request is submitted (most internal requests require a logged in account). This value is assumed to represent an existing account, the database is not checked to confirm that.
|
27
|
+
:account_login :: The login of the account to be considered as logged in when the internal request is submitted (most internal requests require a login). This will query the database to determine the account's id before submitting the request. If there is no non-closed account for the login, this will raise an exception.
|
28
|
+
|
29
|
+
There are additional options available, that you should only use
|
30
|
+
if you have special requirements:
|
31
|
+
|
32
|
+
:authenticated_by :: The array of strings to use for how the internal request's session was authenticated.
|
33
|
+
:env :: A hash to merge into the internal request environment hash. Keys given will override default values, so you will probably have problems if you directly use an existing request environment.
|
34
|
+
:session :: A hash for the session to use.
|
35
|
+
:params :: A hash of custom parameters.
|
36
|
+
|
37
|
+
All remaining options are considered parameters. Using the
|
38
|
+
previous example:
|
39
|
+
|
40
|
+
App.rodauth.change_password(account_id: 1, password: 'foobar')
|
41
|
+
|
42
|
+
The <tt>password: 'foobar'</tt> part means that the parameters
|
43
|
+
for the request will be <tt>{rodauth.password_param => 'foobar'}</tt>,
|
44
|
+
where +rodauth.password_param+ is the value of +password_param+ in
|
45
|
+
your Rodauth configuration (this defaults to <tt>"password"</tt>).
|
46
|
+
|
47
|
+
Passing any options not mentioned above that are not valid Rodauth
|
48
|
+
parameters will result in a warning.
|
49
|
+
|
50
|
+
== Configuration
|
51
|
+
|
52
|
+
In general, the configuration for internal requests is almost
|
53
|
+
the same as for regular requests. There are some minor changes
|
54
|
+
for easier usability. +modifications_require_password?+ (and
|
55
|
+
similar methods for requiring password),
|
56
|
+
+require_login_confirmation?+, and +require_password_confirmation?+
|
57
|
+
are set to false. In general, the caller of the method should not
|
58
|
+
be able to determine the user's password, and there is no point
|
59
|
+
in requiring parameter confirmation when calling the method
|
60
|
+
directly.
|
61
|
+
|
62
|
+
You can override the configuration for internal requests by using
|
63
|
+
the +internal_request_configuration+ configuration method. For
|
64
|
+
example, you can set the minimum length for logins to be 15
|
65
|
+
for normal requests, but only 3 for internal requests:
|
66
|
+
|
67
|
+
plugin :rodauth do
|
68
|
+
enable :create_account, :internal_request
|
69
|
+
login_minimum_length 15
|
70
|
+
|
71
|
+
internal_request_configuration do
|
72
|
+
login_minimum_length 3
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
Another approach for doing this is to call the +internal_request?+
|
77
|
+
method inside configuration method blocks:
|
78
|
+
|
79
|
+
plugin :rodauth do
|
80
|
+
enable :create_account, :internal_request
|
81
|
+
login_minimum_length{internal_request? ? 3 : 15}
|
82
|
+
end
|
83
|
+
|
84
|
+
== Return Values and Exceptions
|
85
|
+
|
86
|
+
Internal request methods ending in a question mark return true or false.
|
87
|
+
Most other internal request methods return nil on success, and or raise a
|
88
|
+
Rodauth::InternalRequestError exception on failure. The exception
|
89
|
+
message will include the flash message, {the reason for the
|
90
|
+
failure}[rdoc-ref:doc/error_reasons.rdoc] if available, and any field errors.
|
91
|
+
This data can also be retrieved via +flash+, +reason+, and +field_errors+
|
92
|
+
attributes on the exception object.
|
93
|
+
|
94
|
+
If an internal request method returns a non-nil value on success,
|
95
|
+
it will be documented in the Features section below. In such
|
96
|
+
cases, unless documented below, the methods will still raise a
|
97
|
+
Rodauth::InternalRequestError exception on failure.
|
98
|
+
|
99
|
+
== Domain
|
100
|
+
|
101
|
+
While it is a good idea to use the +domain+ configuration method
|
102
|
+
to force a domain to use, as it can avoid DNS rebinding attacks,
|
103
|
+
Rodauth can function without it, as it can use the domain of the
|
104
|
+
request. However, for internal requests, there is no submitted
|
105
|
+
domain, and Rodauth does not know what to use as the domain. To
|
106
|
+
avoid potentially using a wrong domain, Rodauth will raise an
|
107
|
+
Rodauth::InternalRequestError in internal requests if a domain
|
108
|
+
is needed and has not been configured.
|
109
|
+
|
110
|
+
== Features
|
111
|
+
|
112
|
+
This section documents the methods that are available for each
|
113
|
+
feature. You must load that feature and the internal request feature
|
114
|
+
in order to call the internal request methods for that feature.
|
115
|
+
Some features support multiple internal request methods, and
|
116
|
+
each internal request method supported will be documented under
|
117
|
+
the appropriate subheading.
|
118
|
+
|
119
|
+
If the method subheading states it it requires an account, you
|
120
|
+
must pass the +:account_id+ or +account_login+ option when calling
|
121
|
+
the method.
|
122
|
+
|
123
|
+
If the method subheading states it it requires an account or
|
124
|
+
a login, you must pass either +:login+, +:account_id+, or
|
125
|
+
+account_login+ when calling the method.
|
126
|
+
|
127
|
+
=== Base
|
128
|
+
|
129
|
+
=== account_exists?
|
130
|
+
|
131
|
+
The +account_exists?+ method returns whether the account exists
|
132
|
+
for the given login.
|
133
|
+
|
134
|
+
Options:
|
135
|
+
+:login+ :: (required) The login for the account.
|
136
|
+
|
137
|
+
=== account_id_for_login
|
138
|
+
|
139
|
+
The +account_id_for_login+ method returns the account id for
|
140
|
+
the given login. A Rodauth::InternalRequestError is raised
|
141
|
+
if the login given is not valid.
|
142
|
+
|
143
|
+
Options:
|
144
|
+
+:login+ :: (required) The login for the account.
|
145
|
+
|
146
|
+
=== internal_request_eval
|
147
|
+
|
148
|
+
The +internal_request_eval+ requires a block and will +instance_eval+
|
149
|
+
the block the context of an internal request instance. This allows
|
150
|
+
you full usage of the +Rodauth::Auth+ API inside the request.
|
151
|
+
Before using this method, you should have a good understanding
|
152
|
+
of Rodauth's internals and the effects of calling any methods you
|
153
|
+
are calling inside the block.
|
154
|
+
|
155
|
+
The return value of the method will be the return value of the
|
156
|
+
block, unless one of the methods in the block has set a
|
157
|
+
different return value.
|
158
|
+
|
159
|
+
=== Change Login
|
160
|
+
|
161
|
+
==== change_login (requires account)
|
162
|
+
|
163
|
+
The +change_login+ method changes the login for the account.
|
164
|
+
|
165
|
+
Options:
|
166
|
+
+:login+ :: (required) The new login for the account. Note that if the +:account_login+ option is provided, that is the current login for the account, not the new login.
|
167
|
+
|
168
|
+
=== Change Password
|
169
|
+
|
170
|
+
==== change_password (requires account)
|
171
|
+
|
172
|
+
The +change_password+ method changes the password for the account.
|
173
|
+
|
174
|
+
Options:
|
175
|
+
+:password+ or +new_password+ :: (required) The new password for the account.
|
176
|
+
|
177
|
+
=== Close Account
|
178
|
+
|
179
|
+
==== close_account (requires account)
|
180
|
+
|
181
|
+
The +close_account+ method closes the account. There is no method
|
182
|
+
in Rodauth to reopen closed accounts.
|
183
|
+
|
184
|
+
=== Create Account
|
185
|
+
|
186
|
+
==== create_account
|
187
|
+
|
188
|
+
The +create_account+ method creates an account.
|
189
|
+
|
190
|
+
Options:
|
191
|
+
+:login+ :: (required) The login for the created account.
|
192
|
+
+:password+ :: The password for the created account.
|
193
|
+
|
194
|
+
=== Email Auth
|
195
|
+
|
196
|
+
==== email_auth_request (requires account or login)
|
197
|
+
|
198
|
+
The +email_auth_request+ method requests an email with an
|
199
|
+
authentication link be sent to the account's email address.
|
200
|
+
|
201
|
+
==== email_auth
|
202
|
+
|
203
|
+
The +email_auth+ method determines if the given email authentication
|
204
|
+
key is valid.
|
205
|
+
|
206
|
+
This method will return the account id if the authentication key is
|
207
|
+
valid.
|
208
|
+
|
209
|
+
Options:
|
210
|
+
+:email_auth_key+ :: (required) The email authentication key for the account.
|
211
|
+
|
212
|
+
==== valid_email_auth?
|
213
|
+
|
214
|
+
The +valid_email_auth?+ method returns whether the given email
|
215
|
+
authentication key is valid.
|
216
|
+
|
217
|
+
Options:
|
218
|
+
+:email_auth_key+ :: (required) The email authentication key for the account.
|
219
|
+
|
220
|
+
=== Lockout
|
221
|
+
|
222
|
+
==== lock_account (requires account)
|
223
|
+
|
224
|
+
The +lock_account+ method locks an account, even if the account has
|
225
|
+
not experienced any login failures. This is one method only available
|
226
|
+
as an internal request.
|
227
|
+
|
228
|
+
==== unlock_account_request (requires account or login)
|
229
|
+
|
230
|
+
The +unlock_account_request+ method requests an email with an
|
231
|
+
link to unlock the account be sent to the account's email address.
|
232
|
+
|
233
|
+
==== unlock_account
|
234
|
+
|
235
|
+
The +unlock_account+ method unlocks the account.
|
236
|
+
|
237
|
+
If an +:account_id+ or +:account_login+ option is provided, this
|
238
|
+
will unlock the account without requiring the unlock account key
|
239
|
+
value.
|
240
|
+
|
241
|
+
Options:
|
242
|
+
+:unlock_account_key+ :: The unlock account key for the account. This allows unlocking accounts by key, without knowing the account id or login.
|
243
|
+
|
244
|
+
=== Login
|
245
|
+
|
246
|
+
==== login (requires account or login)
|
247
|
+
|
248
|
+
The +login+ method determines if the given password is valid for
|
249
|
+
the given account.
|
250
|
+
|
251
|
+
This method will return the account id if the password is valid.
|
252
|
+
|
253
|
+
Options:
|
254
|
+
+:password+ :: (required) The password for the account.
|
255
|
+
|
256
|
+
==== valid_login_and_password? (requires account or login)
|
257
|
+
|
258
|
+
The +valid_login_and_password?+ method returns whether the given
|
259
|
+
password is valid for the given account.
|
260
|
+
|
261
|
+
Options:
|
262
|
+
+:password+ :: (required) The password for the account.
|
263
|
+
|
264
|
+
=== OTP
|
265
|
+
|
266
|
+
==== otp_setup_params (requires account)
|
267
|
+
|
268
|
+
The +otp_setup_params+ method returns a hash with an +:otp_setup+
|
269
|
+
key, and an +:otp_setup_raw+ key if the Rodauth configuration uses
|
270
|
+
+hmac_secret+.
|
271
|
+
|
272
|
+
The +:otp_setup+ key in the returned hash specifies the OTP secret.
|
273
|
+
|
274
|
+
This hash should be merged into the options submitted to the
|
275
|
+
+otp_setup+ method in order to complete OTP setup.
|
276
|
+
|
277
|
+
==== otp_setup (requires account)
|
278
|
+
|
279
|
+
The +otp_setup+ method enables OTP multifactor authentication for
|
280
|
+
the account.
|
281
|
+
|
282
|
+
The values in the hash returned by the +otp_setup_params+ hash
|
283
|
+
must be passed as options to this method.
|
284
|
+
|
285
|
+
Additional Options:
|
286
|
+
+:otp_auth+ :: (required) The current OTP authentication code for the OTP secret.
|
287
|
+
|
288
|
+
==== otp_auth (requires account)
|
289
|
+
|
290
|
+
The +otp_auth+ method determines if the OTP authentication code is
|
291
|
+
valid for the account.
|
292
|
+
|
293
|
+
Options:
|
294
|
+
+:otp_auth+ :: (required) The current OTP authentication code for account.
|
295
|
+
|
296
|
+
==== valid_otp_auth? (requires account)
|
297
|
+
|
298
|
+
The +valid_otp_auth?+ method returns whether the OTP authentication
|
299
|
+
code is valid for the account.
|
300
|
+
|
301
|
+
Options:
|
302
|
+
+:otp_auth+ :: (required) The current OTP authentication code for account.
|
303
|
+
|
304
|
+
==== otp_disable (requires account)
|
305
|
+
|
306
|
+
The +otp_disable+ method disables OTP authentication for the account.
|
307
|
+
|
308
|
+
=== Recovery Codes
|
309
|
+
|
310
|
+
==== recovery_codes (requires account)
|
311
|
+
|
312
|
+
The +recovery_codes+ method returns an array of recovery codes for
|
313
|
+
the account. This array can be empty if no recovery codes are setup.
|
314
|
+
|
315
|
+
Options:
|
316
|
+
+:add_recovery_codes+ :: Generate new recovery codes for the account, up to the configured +recovery_codes_limit+, before returning the codes.
|
317
|
+
|
318
|
+
==== recovery_auth (requires account)
|
319
|
+
|
320
|
+
The +recovery_auth+ method determines if the recovery authentication
|
321
|
+
code is valid for the account.
|
322
|
+
|
323
|
+
Options:
|
324
|
+
+:recovery_codes+ :: (required) A valid recovery code for the account. This option sounds like it would take an array of recover codes, but it only takes a single recovery code.
|
325
|
+
|
326
|
+
==== valid_recovery_auth? (requires account)
|
327
|
+
|
328
|
+
The +valid_recovery_auth?+ method returns whether the recovery
|
329
|
+
authentication code is valid for the account.
|
330
|
+
|
331
|
+
Options:
|
332
|
+
+:recovery_codes+ :: (required) A valid recovery code for the account. This option sounds like it would take an array of recover codes, but it only takes a single recovery code.
|
333
|
+
|
334
|
+
=== Remember
|
335
|
+
|
336
|
+
==== remember_setup (requires_account)
|
337
|
+
|
338
|
+
The +remember_setup+ method setups up the remember feature for
|
339
|
+
the account, and returns the cookie value that can be used for
|
340
|
+
the remember cookie.
|
341
|
+
|
342
|
+
==== remember_disable (requires_account)
|
343
|
+
|
344
|
+
The +remember_disable+ method disables the remember feature for
|
345
|
+
the account.
|
346
|
+
|
347
|
+
==== account_id_for_remember_key
|
348
|
+
|
349
|
+
The +account_id_for_remember_key+ method returns the account id
|
350
|
+
for the given remember key.
|
351
|
+
|
352
|
+
Options:
|
353
|
+
+:remember+ :: (required) The remember key for the account. This is the same value returned by +remember_setup+.
|
354
|
+
|
355
|
+
=== Reset Password
|
356
|
+
|
357
|
+
==== reset_password_request (requires account or login)
|
358
|
+
|
359
|
+
The +reset_password_request+ method requests an email with an
|
360
|
+
link to reset the password for the account be sent to the account's
|
361
|
+
email address.
|
362
|
+
|
363
|
+
==== reset_password
|
364
|
+
|
365
|
+
The +reset_password+ method resets the password for an account.
|
366
|
+
This is similar to the +change_password+ method, but requires
|
367
|
+
that a reset password key has been created for the account, and
|
368
|
+
removes the key after the password has been reset.
|
369
|
+
|
370
|
+
If an +:account_id+ or +:account_login+ option is provided, this
|
371
|
+
will reset the password for the account without requiring the
|
372
|
+
reset password key value.
|
373
|
+
|
374
|
+
Options:
|
375
|
+
+:password+ :: (required) The new password for the account.
|
376
|
+
+:reset_password_key+ :: The reset password key for the account. This allows resetting passwords by key, without knowing the account id or login.
|
377
|
+
|
378
|
+
=== SMS Codes
|
379
|
+
|
380
|
+
==== sms_setup (requires account)
|
381
|
+
|
382
|
+
The +sms_setup+ method sends an SMS message to the given
|
383
|
+
phone number with a code to setup SMS authentication for
|
384
|
+
the account.
|
385
|
+
|
386
|
+
Options:
|
387
|
+
+:sms_phone+ :: (required) The phone number to use to setup SMS authentication.
|
388
|
+
|
389
|
+
==== sms_confirm (requires account)
|
390
|
+
|
391
|
+
The +sms_confirm+ method sets up SMS authentication for
|
392
|
+
an account, confirming that the SMS authentication code
|
393
|
+
sent previously was received.
|
394
|
+
|
395
|
+
Options:
|
396
|
+
+:sms_code+ :: (required) The authentication code sent to the user for setting up SMS authentication.
|
397
|
+
|
398
|
+
==== sms_request (requires account)
|
399
|
+
|
400
|
+
The +sms_setup+ method sends an SMS message to the account's
|
401
|
+
SMS phone number with an authentication code for two factor
|
402
|
+
authentication.
|
403
|
+
|
404
|
+
==== sms_auth (requires account)
|
405
|
+
|
406
|
+
The +sms_auth+ method determines if the SMS authentication code is
|
407
|
+
valid for the account.
|
408
|
+
|
409
|
+
Options:
|
410
|
+
+:sms_code+ :: (required) The authentication code sent to the user via SMS.
|
411
|
+
|
412
|
+
==== valid_sms_auth? (requires account)
|
413
|
+
|
414
|
+
The +valid_sms_auth?+ method returns whether the SMS authentication
|
415
|
+
code is valid for the account.
|
416
|
+
|
417
|
+
Options:
|
418
|
+
+:sms_code+ :: (required) The authentication code sent to the user via SMS.
|
419
|
+
|
420
|
+
==== sms_disable (requires account)
|
421
|
+
|
422
|
+
The +sms_disable+ method disables SMS authentication for the account.
|
423
|
+
|
424
|
+
=== Two Factor Base
|
425
|
+
|
426
|
+
==== two_factor_disable (requires_account)
|
427
|
+
|
428
|
+
The +two_factor_disable+ method disables all multifactor authentication
|
429
|
+
for the account.
|
430
|
+
|
431
|
+
=== Verify Account
|
432
|
+
|
433
|
+
==== verify_account_resend (requires account or login)
|
434
|
+
|
435
|
+
The +verify_account_resend+ method resends the account verification email
|
436
|
+
to the account's email address.
|
437
|
+
|
438
|
+
==== verify_account
|
439
|
+
|
440
|
+
The +verify_account+ method verifies the account.
|
441
|
+
to the account's email address.
|
442
|
+
|
443
|
+
If an +:account_id+ or +:account_login+ option is provided, this
|
444
|
+
will verify the account without requiring the verify account key value.
|
445
|
+
|
446
|
+
Options:
|
447
|
+
+:password+ :: The password for the account, if setting up passwords during verification.
|
448
|
+
+:verify_account_key+ :: The verify account key for the account. This allows verifying accounts by key, without knowing the account id or login.
|
449
|
+
|
450
|
+
=== Verify Login Change
|
451
|
+
|
452
|
+
==== verify_login_change
|
453
|
+
|
454
|
+
The +verify_login_change+ method verifies the login change for the
|
455
|
+
account.
|
456
|
+
|
457
|
+
If an +:account_id+ or +:account_login+ option is provided, this
|
458
|
+
will verify the account without requiring the verify account key value.
|
459
|
+
If the +:account_login+ option is provided, it specifies the current
|
460
|
+
account login, before the change.
|
461
|
+
|
462
|
+
Options:
|
463
|
+
+:verify_login_change_key+ :: The verify login change key for the account. This allows verifying login changes by key, without knowing the account id or login.
|