rodauth 2.20.0 → 2.23.0
- checksums.yaml +4 -4
- data/CHANGELOG +38 -442
- data/README.rdoc +15 -3
- data/doc/base.rdoc +1 -0
- data/doc/guides/internals.rdoc +11 -0
- data/doc/guides/paths.rdoc +3 -0
- data/doc/login_password_requirements_base.rdoc +1 -1
- data/doc/release_notes/2.21.0.txt +28 -0
- data/doc/release_notes/2.22.0.txt +43 -0
- data/doc/release_notes/2.23.0.txt +15 -0
- data/doc/reset_password.rdoc +16 -16
- data/doc/reset_password_notify.rdoc +17 -0
- data/lib/rodauth/features/active_sessions.rb +4 -2
- data/lib/rodauth/features/base.rb +25 -7
- data/lib/rodauth/features/change_password_notify.rb +2 -22
- data/lib/rodauth/features/email_auth.rb +1 -16
- data/lib/rodauth/features/http_basic_auth.rb +1 -1
- data/lib/rodauth/features/internal_request.rb +1 -1
- data/lib/rodauth/features/json.rb +2 -4
- data/lib/rodauth/features/jwt_cors.rb +1 -1
- data/lib/rodauth/features/lockout.rb +2 -18
- data/lib/rodauth/features/otp.rb +1 -1
- data/lib/rodauth/features/remember.rb +1 -1
- data/lib/rodauth/features/reset_password.rb +1 -16
- data/lib/rodauth/features/reset_password_notify.rb +16 -0
- data/lib/rodauth/features/sms_codes.rb +1 -1
- data/lib/rodauth/features/verify_account.rb +3 -20
- data/lib/rodauth/features/verify_account_grace_period.rb +13 -1
- data/lib/rodauth/version.rb +1 -1
- data/lib/rodauth.rb +27 -0
- data/templates/reset-password-notify-email.str +2 -0
- data/templates/webauthn-remove.str +1 -0
- metadata +13 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 707e580a46dc470c4fffc91eca813495d0fb6330312131fd17b4b87db8415cc2
|
4
|
+
data.tar.gz: d73099f372d594438da78614ac974f1b9343aa4c9de93f162b9432a77f0e0ae6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d0005518db3164d29e4be62b76035ccb98df3f8d0f7d129624a099032b5566f125041656d11c798d0fa14b3c2b40a19df18fe5fc1df6c38603ba4660baf9d7b1
|
7
|
+
data.tar.gz: 9b585c6e4f7338609b404cbd4e35fa96467d8f04d9a98089729d7f757b7920afbb1d99a9b028519aa211ad4bd16c7b96d4e3945647a4eaf81691abf6b1a64aae
|
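Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines carry no digest values in this rendering, so the hunk shows the new SHA256/SHA512 values for 2.23.0 but gives nothing to compare them against. Anyone using this page to vet the upgrade should verify the digests from the artifact itself rather than from the diff: unpack the downloaded gem (`tar -xf rodauth-2.23.0.gem`) and run `sha256sum metadata.gz data.tar.gz`, then check that the output matches the two `+` SHA256 lines above before installing.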
data/CHANGELOG
CHANGED
@@ -1,3 +1,39 @@
|
|
1
|
+
=== 2.23.0 (2022-04-22)
|
2
|
+
|
3
|
+
* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
|
4
|
+
|
5
|
+
* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
|
6
|
+
|
7
|
+
* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
|
8
|
+
|
9
|
+
* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
|
10
|
+
|
11
|
+
=== 2.22.0 (2022-03-22)
|
12
|
+
|
13
|
+
* Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
|
14
|
+
|
15
|
+
* Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
|
16
|
+
|
17
|
+
* Add reset_password_notify for emailing users after successful password resets (jeremyevans)
|
18
|
+
|
19
|
+
* An email method can now be used in external features to DRY up email creation code (jeremyevans)
|
20
|
+
|
21
|
+
* The change_password_notify feature now correctly handles template precompilation (jeremyevans)
|
22
|
+
|
23
|
+
* Fix update_sms to update stored sms hash (bjeanes) (#222)
|
24
|
+
|
25
|
+
=== 2.21.0 (2022-02-23)
|
26
|
+
|
27
|
+
* Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
|
28
|
+
|
29
|
+
* Make require_account public (janko) (#212)
|
30
|
+
|
31
|
+
* Force specific date/time format when displaying webauthn last use time (jeremyevans)
|
32
|
+
|
33
|
+
* Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)
|
34
|
+
|
35
|
+
* Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)
|
36
|
+
|
1
37
|
=== 2.20.0 (2022-01-24)
|
2
38
|
|
3
39
|
* Change the default implementation of webauth_rp_id to not include the port (jeremyevans) (#203)
|
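Review bot: the 2.22.0 entry "Ignore parameters where the value includes a null byte by default" understates a behaviour change that lands in the base feature (`features/base.rb` in the file list) and therefore applies to every parameter on every Rodauth route, not just passwords; the entry should say that an affected parameter is treated as if it were not submitted, and point at `null_byte_parameter_value` in doc/base.rdoc for apps that need a different outcome. Likewise the 2.23.0 remember entry "Don't automatically set :httponly cookie option if :http_only option is set" should state which spelling takes precedence when both are present, since the one-line change in `features/remember.rb` is the only record of that rule.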
@@ -314,446 +350,6 @@
|
|
314
350
|
|
315
351
|
* Drop support for Ruby 1.8 (jeremyevans)
|
316
352
|
|
317
|
-
===
|
318
|
-
|
319
|
-
* Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
|
320
|
-
|
321
|
-
* Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
|
322
|
-
|
323
|
-
* Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
|
324
|
-
|
325
|
-
* Add *_path and *_url methods for all *_route methods (janko) (#64)
|
326
|
-
|
327
|
-
* Add send_email configuration method for configuring how email is sent (janko) (#63)
|
328
|
-
|
329
|
-
=== 1.22.0 (2019-10-29)
|
330
|
-
|
331
|
-
* Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
|
332
|
-
|
333
|
-
* Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
|
334
|
-
|
335
|
-
=== 1.21.0 (2019-07-24)
|
336
|
-
|
337
|
-
* Support rotp 5.1 in the otp feature (jeremyevans)
|
338
|
-
|
339
|
-
* Log user out when locking out OTP account if no fallback options available (jeremyevans)
|
340
|
-
|
341
|
-
=== 1.20.0 (2019-06-07)
|
342
|
-
|
343
|
-
* Support rotp 5 in the otp feature (jeremyevans)
|
344
|
-
|
345
|
-
* Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
|
346
|
-
|
347
|
-
* Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
|
348
|
-
|
349
|
-
* Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
|
350
|
-
|
351
|
-
* Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
|
352
|
-
|
353
|
-
* Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
|
354
|
-
|
355
|
-
* Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
|
356
|
-
|
357
|
-
* Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
|
358
|
-
|
359
|
-
* Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
|
360
|
-
|
361
|
-
* Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
|
362
|
-
|
363
|
-
* Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
|
364
|
-
|
365
|
-
* Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
|
366
|
-
|
367
|
-
* Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
|
368
|
-
|
369
|
-
* Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
|
370
|
-
|
371
|
-
* Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
|
372
|
-
|
373
|
-
* Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
|
374
|
-
|
375
|
-
* Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
|
376
|
-
|
377
|
-
* Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
|
378
|
-
|
379
|
-
* Add formatted_field_error configuration method for formatting error messages (jeremyevans)
|
380
|
-
|
381
|
-
* Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
|
382
|
-
|
383
|
-
* Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
|
384
|
-
|
385
|
-
* Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
|
386
|
-
|
387
|
-
* Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
|
388
|
-
|
389
|
-
* Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
|
390
|
-
|
391
|
-
* Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
|
392
|
-
|
393
|
-
* Wrap all error messages in a span so they can be styled (jeremyevans)
|
394
|
-
|
395
|
-
* Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
|
396
|
-
|
397
|
-
* Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
|
398
|
-
|
399
|
-
* Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
|
400
|
-
|
401
|
-
* Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
|
402
|
-
|
403
|
-
* Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
|
404
|
-
|
405
|
-
* Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
|
406
|
-
|
407
|
-
* Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
|
408
|
-
|
409
|
-
* Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
|
410
|
-
|
411
|
-
* Add already_an_account_with_this_login_message configuration method (1gor) (#54)
|
412
|
-
|
413
|
-
=== 1.19.1 (2018-11-16)
|
414
|
-
|
415
|
-
* Support rotp 4 in the otp feature (jeremyevans)
|
416
|
-
|
417
|
-
=== 1.19.0 (2018-11-16)
|
418
|
-
|
419
|
-
* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
|
420
|
-
|
421
|
-
* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
|
422
|
-
|
423
|
-
* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
|
424
|
-
|
425
|
-
* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
|
426
|
-
|
427
|
-
* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
|
428
|
-
|
429
|
-
* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
|
430
|
-
|
431
|
-
* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
|
432
|
-
|
433
|
-
* Add email_auth feature, for authentication using links sent via email (jeremyevans)
|
434
|
-
|
435
|
-
* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
|
436
|
-
|
437
|
-
* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
|
438
|
-
|
439
|
-
* Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
|
440
|
-
|
441
|
-
=== 1.18.0 (2018-07-18)
|
442
|
-
|
443
|
-
* Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
|
444
|
-
|
445
|
-
* Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
|
446
|
-
|
447
|
-
* Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
|
448
|
-
|
449
|
-
=== 1.17.0 (2018-06-11)
|
450
|
-
|
451
|
-
* Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
|
452
|
-
|
453
|
-
=== 1.16.0 (2018-03-09)
|
454
|
-
|
455
|
-
* Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
|
456
|
-
|
457
|
-
* Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
|
458
|
-
|
459
|
-
=== 1.15.0 (2018-01-29)
|
460
|
-
|
461
|
-
* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
|
462
|
-
|
463
|
-
=== 1.14.0 (2017-12-19)
|
464
|
-
|
465
|
-
* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
|
466
|
-
|
467
|
-
* Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
|
468
|
-
|
469
|
-
* Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
|
470
|
-
|
471
|
-
=== 1.13.0 (2017-11-21)
|
472
|
-
|
473
|
-
* Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
|
474
|
-
|
475
|
-
* Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
|
476
|
-
|
477
|
-
* Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
|
478
|
-
|
479
|
-
* Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
|
480
|
-
|
481
|
-
=== 1.12.0 (2017-10-03)
|
482
|
-
|
483
|
-
* [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
|
484
|
-
|
485
|
-
* Update migrations to work with Sequel 5 (jeremyevans)
|
486
|
-
|
487
|
-
* Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
|
488
|
-
|
489
|
-
* Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
|
490
|
-
|
491
|
-
* Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
|
492
|
-
|
493
|
-
* Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
|
494
|
-
|
495
|
-
=== 1.11.0 (2017-04-24)
|
496
|
-
|
497
|
-
* Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
|
498
|
-
|
499
|
-
* Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
|
500
|
-
|
501
|
-
* Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
|
502
|
-
|
503
|
-
=== 1.10.0 (2017-03-23)
|
504
|
-
|
505
|
-
* Add Internals Guide (jeremyevans)
|
506
|
-
|
507
|
-
* Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
|
508
|
-
|
509
|
-
* When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
|
510
|
-
|
511
|
-
* Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)
|
512
|
-
|
513
|
-
* Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)
|
514
|
-
|
515
|
-
* Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
|
516
|
-
|
517
|
-
* Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
|
518
|
-
|
519
|
-
* Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
|
520
|
-
|
521
|
-
* Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
|
522
|
-
|
523
|
-
=== 1.9.0 (2017-02-22)
|
524
|
-
|
525
|
-
* Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
|
526
|
-
|
527
|
-
* Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
|
528
|
-
|
529
|
-
=== 1.8.0 (2017-01-06)
|
530
|
-
|
531
|
-
* Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
|
532
|
-
|
533
|
-
* Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
|
534
|
-
|
535
|
-
=== 1.7.0 (2016-11-22)
|
536
|
-
|
537
|
-
* Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
|
538
|
-
|
539
|
-
=== 1.6.0 (2016-10-24)
|
540
|
-
|
541
|
-
* Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
|
542
|
-
|
543
|
-
* Move login hooks from login feature to base, to be usable by other features (jeremyevans)
|
544
|
-
|
545
|
-
* Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
|
546
|
-
|
547
|
-
* Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
|
548
|
-
|
549
|
-
* Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
|
550
|
-
|
551
|
-
* Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
|
552
|
-
|
553
|
-
* Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
|
554
|
-
|
555
|
-
* Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
|
556
|
-
|
557
|
-
=== 1.5.0 (2016-09-22)
|
558
|
-
|
559
|
-
* Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
|
560
|
-
|
561
|
-
* Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
|
562
|
-
|
563
|
-
* Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
|
564
|
-
|
565
|
-
* Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
|
566
|
-
|
567
|
-
* Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
|
568
|
-
|
569
|
-
* Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
|
570
|
-
|
571
|
-
* Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
|
572
|
-
|
573
|
-
* Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
|
574
|
-
|
575
|
-
* Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
|
576
|
-
|
577
|
-
* If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
|
578
|
-
|
579
|
-
* The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
|
580
|
-
|
581
|
-
* Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
|
582
|
-
|
583
|
-
* Add template_opts configuration method, for overriding view/method options (jeremyevans)
|
584
|
-
|
585
|
-
=== 1.4.0 (2016-08-18)
|
586
|
-
|
587
|
-
* Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
|
588
|
-
|
589
|
-
=== 1.3.0 (2016-07-19)
|
590
|
-
|
591
|
-
* Add login_maximum_length, defaulting to 255 (jeremyevans)
|
592
|
-
|
593
|
-
=== 1.2.0 (2016-06-15)
|
594
|
-
|
595
|
-
* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
|
596
|
-
|
597
|
-
* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
|
598
|
-
|
599
|
-
=== 1.1.0 (2016-05-13)
|
600
|
-
|
601
|
-
* Support :csrf=>false and :flash=>false plugin options (jeremyevans)
|
602
|
-
|
603
|
-
=== 1.0.0 (2016-04-15)
|
604
|
-
|
605
|
-
* Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
|
606
|
-
|
607
|
-
* Extend remember deadline in cookie in addition to database (jeremyevans)
|
608
|
-
|
609
|
-
* Make tokens work with string account ids (jeremyevans)
|
610
|
-
|
611
|
-
* Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
|
612
|
-
|
613
|
-
* Set correct cookie expiration in the remember feature (jeremyevans)
|
614
|
-
|
615
|
-
* Split confirm_password feature from remember feature (jeremyevans)
|
616
|
-
|
617
|
-
* Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
|
618
|
-
|
619
|
-
* Move login/password requirements settings to login password requirements base feature (jeremyevans)
|
620
|
-
|
621
|
-
* Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
|
622
|
-
|
623
|
-
* Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
|
624
|
-
|
625
|
-
* Make create/verify account autologin true by default (jeremyevans)
|
626
|
-
|
627
|
-
* Optimize routing using a hash table, disallow per-request routes (jeremyevans)
|
628
|
-
|
629
|
-
* Add ability to turn off login/password confirmations (jeremyevans)
|
630
|
-
|
631
|
-
* Don't allow changing login to the same as the current login (jeremyevans)
|
632
|
-
|
633
|
-
* Only allow requesting account unlocks if the account is current locked out (jeremyevans)
|
634
|
-
|
635
|
-
* Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
|
636
|
-
|
637
|
-
* Use separate routes for confirming passwords and changing remember settings (jeremyevans)
|
638
|
-
|
639
|
-
* Add JWT feature for JSON API support using JWT tokens (jeremyevans)
|
640
|
-
|
641
|
-
* Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
|
642
|
-
|
643
|
-
* Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
|
644
|
-
|
645
|
-
* Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
|
646
|
-
|
647
|
-
* Add rodauth.redirect to abstract redirection code (jeremyevans)
|
648
|
-
|
649
|
-
* Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
|
650
|
-
|
651
|
-
* The before_* configuration methods now run directly before making the related database changes (jeremyevans)
|
652
|
-
|
653
|
-
* Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
|
654
|
-
|
655
|
-
* Add token_separator configuration method to replace the default of _ (jeremyevans)
|
656
|
-
|
657
|
-
* Rename account_id_value to account_id (jeremyevans)
|
658
|
-
|
659
|
-
* Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
|
660
|
-
|
661
|
-
* Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
|
662
|
-
|
663
|
-
* Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
|
664
|
-
|
665
|
-
* Extract shared email-related code into email_base feature (jeremyevans)
|
666
|
-
|
667
|
-
* Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
|
668
|
-
|
669
|
-
* Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
|
670
|
-
|
671
|
-
* Allow close_account feature to optionally delete accounts (jeremyevans)
|
672
|
-
|
673
|
-
* Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
|
674
|
-
|
675
|
-
* Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
|
676
|
-
|
677
|
-
* Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
|
678
|
-
|
679
|
-
* Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)
|
680
|
-
|
681
|
-
* Add single_session feature, for only allowing a single active session per account (jeremyevans)
|
682
|
-
|
683
|
-
* Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
|
684
|
-
|
685
|
-
* Check account status in rodauth.load_memory in remember plugin (jeremyevans)
|
686
|
-
|
687
|
-
* Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
|
688
|
-
|
689
|
-
* Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
|
690
|
-
|
691
|
-
* Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
|
692
|
-
|
693
|
-
* Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
|
694
|
-
|
695
|
-
* Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
|
696
|
-
|
697
|
-
* Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
|
698
|
-
|
699
|
-
* Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
|
700
|
-
|
701
|
-
* Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
|
702
|
-
|
703
|
-
* Allow unlock account to optionally require the user's current password (jeremyevans)
|
704
|
-
|
705
|
-
* Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
|
706
|
-
|
707
|
-
* Make change password, change login, and close account require the user's current password by default (jeremyevans)
|
708
|
-
|
709
|
-
* Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
|
710
|
-
|
711
|
-
* Switch unlock_account_autologin? to be true by default (jeremyevans)
|
712
|
-
|
713
|
-
* Add rodauth.authenticated? and .require_authentication (jeremyevans)
|
714
|
-
|
715
|
-
* Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
|
716
|
-
|
717
|
-
* Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
|
718
|
-
|
719
|
-
* Add support for running on MySQL with database functions for authentication (jeremyevans)
|
720
|
-
|
721
|
-
* Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
|
722
|
-
|
723
|
-
* Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
|
724
|
-
|
725
|
-
* Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
|
726
|
-
|
727
|
-
* Add Rodauth.version for getting the version (jeremyevans)
|
728
|
-
|
729
|
-
* External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
|
730
|
-
|
731
|
-
* Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
|
732
|
-
|
733
|
-
* Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
|
734
|
-
|
735
|
-
* Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
|
736
|
-
|
737
|
-
* Always require securerandom (jeremyevans)
|
738
|
-
|
739
|
-
* Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
|
740
|
-
|
741
|
-
* Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
|
742
|
-
|
743
|
-
* Remove overriding of route/get/post blocks (jeremyevans)
|
744
|
-
|
745
|
-
* Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
|
746
|
-
|
747
|
-
* Add timing safe comparison of tokens (jeremyevans)
|
748
|
-
|
749
|
-
=== 0.10.0 (2016-02-17)
|
750
|
-
|
751
|
-
* Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
|
752
|
-
|
753
|
-
=== 0.9.1 (2015-08-13)
|
754
|
-
|
755
|
-
* Don't use csrf plugin automatically (jeremyevans)
|
756
|
-
|
757
|
-
=== 0.9.0 (2015-08-12)
|
353
|
+
=== Older
|
758
354
|
|
759
|
-
|
355
|
+
See doc/CHANGELOG.old
|
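Review bot: the new closing line "See doc/CHANGELOG.old" points at a file that does not appear in the list of changed or added files at the top of this diff, so either it is not shipped in the gem or it was left out of this release; if it is absent, the pointer is dead for anyone auditing from an installed copy. That matters here because the removed block includes the 1.12.0 "[SECURITY] Clear expired password reset key for account before retrieving password reset key" entry and the 1.7.0 Referer-leak fix, which downstream security reviews commonly look for. Either include doc/CHANGELOG.old in the gem's file list or replace the pointer with the repository URL for the old changelog.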
data/README.rdoc
CHANGED
@@ -60,6 +60,7 @@ HTML and JSON API for all supported features.
|
|
60
60
|
* Argon2
|
61
61
|
* HTTP Basic Auth
|
62
62
|
* Change Password Notify
|
63
|
+
* Reset Password Notify
|
63
64
|
* Internal Request
|
64
65
|
* Path Class Methods
|
65
66
|
|
@@ -902,6 +903,7 @@ view the appropriate file in the doc directory.
|
|
902
903
|
* {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
|
903
904
|
* {Remember}[rdoc-ref:doc/remember.rdoc]
|
904
905
|
* {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
|
906
|
+
* {Reset Password Notify}[rdoc-ref:doc/reset_password_notify.rdoc]
|
905
907
|
* {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
|
906
908
|
* {Single Session}[rdoc-ref:doc/single_session.rdoc]
|
907
909
|
* {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
|
@@ -990,6 +992,10 @@ require_authentication :: Similar to +require_login+, but also requires
|
|
990
992
|
two factor authentication. Redirects the request to
|
991
993
|
the two factor authentication page if logged in but not
|
992
994
|
authenticated via two factors.
|
995
|
+
require_account :: Similar to +require_authentication+, but also loads the logged
|
996
|
+
in account to ensure it exists in the database. If the account
|
997
|
+
doesn't exist, or if it exists but isn't verified, the session
|
998
|
+
is cleared and the request redirected to the login page.
|
993
999
|
logged_in? :: Whether the session has been logged in.
|
994
1000
|
authenticated? :: Similar to +logged_in?+, but if the account has setup two
|
995
1001
|
factor authentication, whether the session has authenticated
|
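Review bot: the new `require_account` description says the session is cleared when the account "exists but isn't verified", but it does not say how that interacts with the verify_account_grace_period feature, which this same release touches (`features/verify_account_grace_period.rb` in the file list, and the 2.21.0 entry "Automatically clear the session in require_login if users go beyond verify account grace period"). Please state whether an unverified account still inside its grace period passes `require_account` or is logged out, since applications choosing between `require_authentication` and `require_account` need that answer. Minor: "logged in account" should be hyphenated as "logged-in account".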
@@ -1288,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
|
|
1288
1294
|
inside the middleware, you can easily provide a way for your
|
1289
1295
|
application to call Rodauth methods.
|
1290
1296
|
|
1297
|
+
If you're using the remember feature with +extend_remember_deadline?+ set to
|
1298
|
+
true, you'll want to load roda's middleware plugin with
|
1299
|
+
+forward_response_headers: true+ option, so that +Set-Cookie+ header changes
|
1300
|
+
from the +load_memory+ call in the route block are propagated when the request
|
1301
|
+
is forwarded to the main app.
|
1302
|
+
|
1291
1303
|
Here are some examples of integrating Rodauth into applications that
|
1292
1304
|
don't use Roda:
|
1293
1305
|
|
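Review bot: the added remember/middleware paragraph tells the reader to pass "forward_response_headers: true" but not what goes wrong without it; stating the symptom (the Set-Cookie written by load_memory is dropped, so the remember deadline is silently never extended even though the code path runs) makes the misconfiguration recognisable in testing. "you'll want to" also understates it: if deadline extension cannot work without the option, say "you must".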
@@ -1489,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
|
|
1489
1501
|
|
1490
1502
|
All of these are Rails-specific:
|
1491
1503
|
|
1492
|
-
* Devise
|
1493
|
-
* Authlogic
|
1494
|
-
* Sorcery
|
1504
|
+
* {Devise}[https://github.com/heartcombo/devise]
|
1505
|
+
* {Authlogic}[https://github.com/binarylogic/authlogic]
|
1506
|
+
* {Sorcery}[https://github.com/Sorcery/sorcery]
|
1495
1507
|
|
1496
1508
|
== Author
|
1497
1509
|
|
data/doc/base.rdoc
CHANGED
@@ -99,6 +99,7 @@ csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use,
|
|
99
99
|
function_name(name) :: The name of the database function to call. It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
|
100
100
|
logged_in? :: Whether the current session is logged in.
|
101
101
|
login_required :: Action to take when a login is required to access the page and the user is not logged in.
|
102
|
+
null_byte_parameter_value(key, value) :: The value to use for the parameter if the parameter includes an ASCII NUL byte ("\0"), nil by default to ignore the parameter.
|
102
103
|
open_account? :: Whether the current account is an open account (not closed or unverified).
|
103
104
|
password_match?(password) :: Check whether the given password matches the stored password hash.
|
104
105
|
random_key :: A randomly generated string, used for creating tokens.
|
data/doc/guides/internals.rdoc
CHANGED
@@ -143,6 +143,17 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
|
|
143
143
|
# templates. This is necessary for precompilation of templates to work.
|
144
144
|
loaded_templates ['foo']
|
145
145
|
|
146
|
+
# This defines the following methods related to sending email:
|
147
|
+
#
|
148
|
+
# * foo_email_subject: uses given subject
|
149
|
+
# * foo_email_body: renders foo-email template
|
150
|
+
# * create_foo_email: creates Mail::Message using subject and body
|
151
|
+
# * send_foo_email: sends created email
|
152
|
+
#
|
153
|
+
# The foo-email template should be included in the loaded_templates call to make sure
|
154
|
+
# template precompilation works.
|
155
|
+
email :foo, 'Foo Subject'
|
156
|
+
|
146
157
|
# auth_value_method is a generic method that takes two arguments, a method to define
|
147
158
|
# and a default value. It is similar to the methods above, except that it allows
|
148
159
|
# arbitrary method names. The notice_flash, error_flash, button, and additional_form_tags
|
data/doc/guides/paths.rdoc
CHANGED
@@ -8,6 +8,9 @@ corresponding <tt>*_route</tt> method:
|
|
8
8
|
|
9
9
|
# Change login route to "/signin"
|
10
10
|
login_route "signin"
|
11
|
+
|
12
|
+
# Change redirect when login is required to "/signin"
|
13
|
+
require_login_redirect { login_path }
|
11
14
|
|
12
15
|
# Change create account route to "/register"
|
13
16
|
create_account_route "register"
|
@@ -6,7 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
|
|
6
6
|
== Auth Value Methods
|
7
7
|
|
8
8
|
already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
|
9
|
-
contains_null_byte_message :: The error message to display when the password contains a null byte.
|
9
|
+
contains_null_byte_message :: The error message to display when the password contains a null byte (only used if parameters with null bytes are otherwise allowed).
|
10
10
|
login_confirm_label :: The label to use for login confirmations.
|
11
11
|
login_confirm_param :: The parameter name to use for login confirmations.
|
12
12
|
login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
|
@@ -0,0 +1,28 @@
|
|
1
|
+
= Improvements
|
2
|
+
|
3
|
+
* When using the verify_account_grace_period feature, if the grace
|
4
|
+
period has expired for currently logged in session, require_login
|
5
|
+
will clear the session and redirect to the login page. This is
|
6
|
+
implemented by having the unverified_account_session_key store the
|
7
|
+
time of expiration, as an integer.
|
8
|
+
|
9
|
+
* The previously private require_account method is now public. The
|
10
|
+
method is used internally by Rodauth to check that not only is the
|
11
|
+
current session logged in, but also that the account related to the
|
12
|
+
currently logged in session still exists in the database. The only
|
13
|
+
reason you would want to call require_account instead of
|
14
|
+
require_authentication is if you want to handle cases where there
|
15
|
+
can be logged in sessions for accounts that have been deleted.
|
16
|
+
|
17
|
+
* Rodauth now avoids an unnecessary bcrypt hash calculation when
|
18
|
+
updating accounts when using the account_password_hash_column
|
19
|
+
configuration method.
|
20
|
+
|
21
|
+
* When WebAuthn token last use times are displayed, Rodauth now uses a
|
22
|
+
fixed format of YYYY-MM-DD HH:MM:SS, instead of relying on
|
23
|
+
Time#to_s. If this presents an problem for your application, please
|
24
|
+
open an issue and we can add a configuration method to control
|
25
|
+
the behavior.
|
26
|
+
|
27
|
+
* A typo in the default value of global_logout_label in the
|
28
|
+
active_sessions feature has been fixed.
|
@@ -0,0 +1,43 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* Rodauth now ignores parameters containing ASCII NUL bytes ("\0") by
|
4
|
+
default. You can customize this behavior using the
|
5
|
+
null_byte_parameter_value configuration method.
|
6
|
+
|
7
|
+
* A reset_password_notify feature has been added for emailing users
|
8
|
+
after successful password resets.
|
9
|
+
|
10
|
+
* External features can now use the email method inside their
|
11
|
+
feature definitions to DRY up the creation of email configuration
|
12
|
+
methods. The email method will setup the following configuration
|
13
|
+
methods for the feature:
|
14
|
+
|
15
|
+
* ${name}_email_subject
|
16
|
+
* ${name}_email_body
|
17
|
+
* create_${name}_email
|
18
|
+
* send_${name}_email
|
19
|
+
|
20
|
+
= Other Improvements
|
21
|
+
|
22
|
+
* The active_sessions feature now correctly handles logouts for
|
23
|
+
sessions that were created before the active_sessions feature was
|
24
|
+
added to the Rodauth configuration.
|
25
|
+
|
26
|
+
* The change_password_notify feature now works correctly when using
|
27
|
+
template precompilation.
|
28
|
+
|
29
|
+
* The update_sms method now updates the in-memory sms hash instead of
|
30
|
+
the in-memory account hash. This only has an effect if you are
|
31
|
+
using the sms_codes feature and customizing Rodauth to access one
|
32
|
+
of these hashes after a call to update_sms.
|
33
|
+
|
34
|
+
= Backwards Compatibility
|
35
|
+
|
36
|
+
* If your application requires the ability to submit values containing
|
37
|
+
ASCII NUL bytes ("\0") as Rodauth parameters, you should use the
|
38
|
+
new null_byte_parameter_value configuration method to pass the
|
39
|
+
value through unchanged:
|
40
|
+
|
41
|
+
null_byte_parameter_value do |_, v|
|
42
|
+
v
|
43
|
+
end
|
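Review bot: the Backwards Compatibility example "null_byte_parameter_value do |_, v| v end" discards the key and so re-admits NUL bytes for every Rodauth parameter, not just the one the application needs; since base.rdoc in this diff documents the block as receiving (key, value), show the selective form, e.g. "null_byte_parameter_value { |k, v| k == 'some_param' ? v : nil }" with 'some_param' as a placeholder for the parameter that genuinely needs it, and note that once values are passed through, passwords containing NUL bytes are still rejected with contains_null_byte_message. Also "The email method will setup" should read "set up".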