rodauth 2.20.0 → 2.23.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 534a50718fe362e695a9fbd8043d1ce05ca211de2049b1351207bd5d11cbf962
4
- data.tar.gz: 9afd5a7d79dde11005b090ca18591661c55c2647387a151b0d732ef97f51f633
3
+ metadata.gz: 707e580a46dc470c4fffc91eca813495d0fb6330312131fd17b4b87db8415cc2
4
+ data.tar.gz: d73099f372d594438da78614ac974f1b9343aa4c9de93f162b9432a77f0e0ae6
5
5
  SHA512:
6
- metadata.gz: f10082d21fad4783ad6193dc7e1dfe55bc5f57c98b33e1b6f6583dbaa0e921f4d40025e935f93aef9706078232956bcde2fec4e8838b1c2ee4f49a8885c22520
7
- data.tar.gz: 8ca004055be7ee660a37f2657d6752dbe2318b30100204e8eb68c514229422158db3f513a1d9e90eb532535bdbdf5854f66834212cc43fb81f8f9b8872221af5
6
+ metadata.gz: d0005518db3164d29e4be62b76035ccb98df3f8d0f7d129624a099032b5566f125041656d11c798d0fa14b3c2b40a19df18fe5fc1df6c38603ba4660baf9d7b1
7
+ data.tar.gz: 9b585c6e4f7338609b404cbd4e35fa96467d8f04d9a98089729d7f757b7920afbb1d99a9b028519aa211ad4bd16c7b96d4e3945647a4eaf81691abf6b1a64aae
data/CHANGELOG CHANGED
@@ -1,3 +1,39 @@
1
+ === 2.23.0 (2022-04-22)
2
+
3
+ * Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
4
+
5
+ * Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
6
+
7
+ * Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
8
+
9
+ * Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
10
+
11
+ === 2.22.0 (2022-03-22)
12
+
13
+ * Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
14
+
15
+ * Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
16
+
17
+ * Add reset_password_notify for emailing users after successful password resets (jeremyevans)
18
+
19
+ * An email method can now be used in external features to DRY up email creation code (jeremyevans)
20
+
21
+ * The change_password_notify feature now correctly handles template precompilation (jeremyevans)
22
+
23
+ * Fix update_sms to update stored sms hash (bjeanes) (#222)
24
+
25
+ === 2.21.0 (2022-02-23)
26
+
27
+ * Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
28
+
29
+ * Make require_account public (janko) (#212)
30
+
31
+ * Force specific date/time format when displaying webauthn last use time (jeremyevans)
32
+
33
+ * Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)
34
+
35
+ * Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)
36
+
1
37
  === 2.20.0 (2022-01-24)
2
38
 
3
39
  * Change the default implementation of webauth_rp_id to not include the port (jeremyevans) (#203)
@@ -314,446 +350,6 @@
314
350
 
315
351
  * Drop support for Ruby 1.8 (jeremyevans)
316
352
 
317
- === 1.23.0 (2020-03-06)
318
-
319
- * Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
320
-
321
- * Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
322
-
323
- * Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
324
-
325
- * Add *_path and *_url methods for all *_route methods (janko) (#64)
326
-
327
- * Add send_email configuration method for configuring how email is sent (janko) (#63)
328
-
329
- === 1.22.0 (2019-10-29)
330
-
331
- * Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
332
-
333
- * Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
334
-
335
- === 1.21.0 (2019-07-24)
336
-
337
- * Support rotp 5.1 in the otp feature (jeremyevans)
338
-
339
- * Log user out when locking out OTP account if no fallback options available (jeremyevans)
340
-
341
- === 1.20.0 (2019-06-07)
342
-
343
- * Support rotp 5 in the otp feature (jeremyevans)
344
-
345
- * Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
346
-
347
- * Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
348
-
349
- * Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
350
-
351
- * Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
352
-
353
- * Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
354
-
355
- * Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
356
-
357
- * Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
358
-
359
- * Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
360
-
361
- * Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
362
-
363
- * Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
364
-
365
- * Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
366
-
367
- * Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
368
-
369
- * Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
370
-
371
- * Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
372
-
373
- * Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
374
-
375
- * Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
376
-
377
- * Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
378
-
379
- * Add formatted_field_error configuration method for formatting error messages (jeremyevans)
380
-
381
- * Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
382
-
383
- * Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
384
-
385
- * Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
386
-
387
- * Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
388
-
389
- * Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
390
-
391
- * Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
392
-
393
- * Wrap all error messages in a span so they can be styled (jeremyevans)
394
-
395
- * Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
396
-
397
- * Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
398
-
399
- * Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
400
-
401
- * Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
402
-
403
- * Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
404
-
405
- * Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
406
-
407
- * Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
408
-
409
- * Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
410
-
411
- * Add already_an_account_with_this_login_message configuration method (1gor) (#54)
412
-
413
- === 1.19.1 (2018-11-16)
414
-
415
- * Support rotp 4 in the otp feature (jeremyevans)
416
-
417
- === 1.19.0 (2018-11-16)
418
-
419
- * Avoid unneeded database queries in the two factor authentication support (jeremyevans)
420
-
421
- * Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
422
-
423
- * Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
424
-
425
- * Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
426
-
427
- * Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
428
-
429
- * Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
430
-
431
- * Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
432
-
433
- * Add email_auth feature, for authentication using links sent via email (jeremyevans)
434
-
435
- * Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
436
-
437
- * Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
438
-
439
- * Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
440
-
441
- === 1.18.0 (2018-07-18)
442
-
443
- * Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
444
-
445
- * Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
446
-
447
- * Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
448
-
449
- === 1.17.0 (2018-06-11)
450
-
451
- * Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
452
-
453
- === 1.16.0 (2018-03-09)
454
-
455
- * Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
456
-
457
- * Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
458
-
459
- === 1.15.0 (2018-01-29)
460
-
461
- * Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
462
-
463
- === 1.14.0 (2017-12-19)
464
-
465
- * Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
466
-
467
- * Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
468
-
469
- * Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
470
-
471
- === 1.13.0 (2017-11-21)
472
-
473
- * Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
474
-
475
- * Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
476
-
477
- * Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
478
-
479
- * Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
480
-
481
- === 1.12.0 (2017-10-03)
482
-
483
- * [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
484
-
485
- * Update migrations to work with Sequel 5 (jeremyevans)
486
-
487
- * Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
488
-
489
- * Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
490
-
491
- * Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
492
-
493
- * Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
494
-
495
- === 1.11.0 (2017-04-24)
496
-
497
- * Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
498
-
499
- * Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
500
-
501
- * Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
502
-
503
- === 1.10.0 (2017-03-23)
504
-
505
- * Add Internals Guide (jeremyevans)
506
-
507
- * Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
508
-
509
- * When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
510
-
511
- * Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)
512
-
513
- * Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)
514
-
515
- * Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
516
-
517
- * Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
518
-
519
- * Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
520
-
521
- * Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
522
-
523
- === 1.9.0 (2017-02-22)
524
-
525
- * Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
526
-
527
- * Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
528
-
529
- === 1.8.0 (2017-01-06)
530
-
531
- * Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
532
-
533
- * Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
534
-
535
- === 1.7.0 (2016-11-22)
536
-
537
- * Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
538
-
539
- === 1.6.0 (2016-10-24)
540
-
541
- * Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
542
-
543
- * Move login hooks from login feature to base, to be usable by other features (jeremyevans)
544
-
545
- * Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
546
-
547
- * Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
548
-
549
- * Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
550
-
551
- * Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
552
-
553
- * Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
554
-
555
- * Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
556
-
557
- === 1.5.0 (2016-09-22)
558
-
559
- * Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
560
-
561
- * Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
562
-
563
- * Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
564
-
565
- * Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
566
-
567
- * Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
568
-
569
- * Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
570
-
571
- * Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
572
-
573
- * Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
574
-
575
- * Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
576
-
577
- * If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
578
-
579
- * The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
580
-
581
- * Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
582
-
583
- * Add template_opts configuration method, for overriding view/method options (jeremyevans)
584
-
585
- === 1.4.0 (2016-08-18)
586
-
587
- * Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
588
-
589
- === 1.3.0 (2016-07-19)
590
-
591
- * Add login_maximum_length, defaulting to 255 (jeremyevans)
592
-
593
- === 1.2.0 (2016-06-15)
594
-
595
- * Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
596
-
597
- * Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
598
-
599
- === 1.1.0 (2016-05-13)
600
-
601
- * Support :csrf=>false and :flash=>false plugin options (jeremyevans)
602
-
603
- === 1.0.0 (2016-04-15)
604
-
605
- * Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
606
-
607
- * Extend remember deadline in cookie in addition to database (jeremyevans)
608
-
609
- * Make tokens work with string account ids (jeremyevans)
610
-
611
- * Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
612
-
613
- * Set correct cookie expiration in the remember feature (jeremyevans)
614
-
615
- * Split confirm_password feature from remember feature (jeremyevans)
616
-
617
- * Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
618
-
619
- * Move login/password requirements settings to login password requirements base feature (jeremyevans)
620
-
621
- * Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
622
-
623
- * Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
624
-
625
- * Make create/verify account autologin true by default (jeremyevans)
626
-
627
- * Optimize routing using a hash table, disallow per-request routes (jeremyevans)
628
-
629
- * Add ability to turn off login/password confirmations (jeremyevans)
630
-
631
- * Don't allow changing login to the same as the current login (jeremyevans)
632
-
633
- * Only allow requesting account unlocks if the account is current locked out (jeremyevans)
634
-
635
- * Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
636
-
637
- * Use separate routes for confirming passwords and changing remember settings (jeremyevans)
638
-
639
- * Add JWT feature for JSON API support using JWT tokens (jeremyevans)
640
-
641
- * Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
642
-
643
- * Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
644
-
645
- * Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
646
-
647
- * Add rodauth.redirect to abstract redirection code (jeremyevans)
648
-
649
- * Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
650
-
651
- * The before_* configuration methods now run directly before making the related database changes (jeremyevans)
652
-
653
- * Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
654
-
655
- * Add token_separator configuration method to replace the default of _ (jeremyevans)
656
-
657
- * Rename account_id_value to account_id (jeremyevans)
658
-
659
- * Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
660
-
661
- * Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
662
-
663
- * Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
664
-
665
- * Extract shared email-related code into email_base feature (jeremyevans)
666
-
667
- * Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
668
-
669
- * Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
670
-
671
- * Allow close_account feature to optionally delete accounts (jeremyevans)
672
-
673
- * Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
674
-
675
- * Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
676
-
677
- * Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
678
-
679
- * Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)
680
-
681
- * Add single_session feature, for only allowing a single active session per account (jeremyevans)
682
-
683
- * Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
684
-
685
- * Check account status in rodauth.load_memory in remember plugin (jeremyevans)
686
-
687
- * Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
688
-
689
- * Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
690
-
691
- * Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
692
-
693
- * Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
694
-
695
- * Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
696
-
697
- * Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
698
-
699
- * Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
700
-
701
- * Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
702
-
703
- * Allow unlock account to optionally require the user's current password (jeremyevans)
704
-
705
- * Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
706
-
707
- * Make change password, change login, and close account require the user's current password by default (jeremyevans)
708
-
709
- * Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
710
-
711
- * Switch unlock_account_autologin? to be true by default (jeremyevans)
712
-
713
- * Add rodauth.authenticated? and .require_authentication (jeremyevans)
714
-
715
- * Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
716
-
717
- * Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
718
-
719
- * Add support for running on MySQL with database functions for authentication (jeremyevans)
720
-
721
- * Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
722
-
723
- * Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
724
-
725
- * Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
726
-
727
- * Add Rodauth.version for getting the version (jeremyevans)
728
-
729
- * External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
730
-
731
- * Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
732
-
733
- * Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
734
-
735
- * Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
736
-
737
- * Always require securerandom (jeremyevans)
738
-
739
- * Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
740
-
741
- * Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
742
-
743
- * Remove overriding of route/get/post blocks (jeremyevans)
744
-
745
- * Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
746
-
747
- * Add timing safe comparison of tokens (jeremyevans)
748
-
749
- === 0.10.0 (2016-02-17)
750
-
751
- * Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
752
-
753
- === 0.9.1 (2015-08-13)
754
-
755
- * Don't use csrf plugin automatically (jeremyevans)
756
-
757
- === 0.9.0 (2015-08-12)
353
+ === Older
758
354
 
759
- * Initial public release
355
+ See doc/CHANGELOG.old
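Review bot: the pointer added at the end of this hunk (`=== Older` / `See doc/CHANGELOG.old`) references a file whose addition does not appear anywhere in this diff, so confirm doc/CHANGELOG.old is part of the same change and is included in the gem's file list (the 1.23.0 entry being removed here records that specs were stripped from the gem to reduce its size, so the packaging list is evidently curated). The removed history also contains the 1.12.0 `[SECURITY]` entry about clearing expired password reset keys; moving it out of the main CHANGELOG is fine as long as the old file preserves it verbatim.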
data/README.rdoc CHANGED
@@ -60,6 +60,7 @@ HTML and JSON API for all supported features.
60
60
  * Argon2
61
61
  * HTTP Basic Auth
62
62
  * Change Password Notify
63
+ * Reset Password Notify
63
64
  * Internal Request
64
65
  * Path Class Methods
65
66
 
@@ -902,6 +903,7 @@ view the appropriate file in the doc directory.
902
903
  * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
903
904
  * {Remember}[rdoc-ref:doc/remember.rdoc]
904
905
  * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
906
+ * {Reset Password Notify}[rdoc-ref:doc/reset_password_notify.rdoc]
905
907
  * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
906
908
  * {Single Session}[rdoc-ref:doc/single_session.rdoc]
907
909
  * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
@@ -990,6 +992,10 @@ require_authentication :: Similar to +require_login+, but also requires
990
992
  two factor authentication. Redirects the request to
991
993
  the two factor authentication page if logged in but not
992
994
  authenticated via two factors.
995
+ require_account :: Similar to +require_authentication+, but also loads the logged
996
+ in account to ensure it exists in the database. If the account
997
+ doesn't exist, or if it exists but isn't verified, the session
998
+ is cleared and the request redirected to the login page.
993
999
  logged_in? :: Whether the session has been logged in.
994
1000
  authenticated? :: Similar to +logged_in?+, but if the account has setup two
995
1001
  factor authentication, whether the session has authenticated
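Review bot: "loads the logged in account" should be "logged-in account" (compound adjective) in the first added line of this hunk. The entry could also say when to call require_account rather than require_authentication; the 2.21.0 release notes in this same diff give the answer (handling sessions that remain logged in for accounts that have since been deleted), and repeating it here saves readers a lookup.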
@@ -1288,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
1288
1294
  inside the middleware, you can easily provide a way for your
1289
1295
  application to call Rodauth methods.
1290
1296
 
1297
+ If you're using the remember feature with +extend_remember_deadline?+ set to
1298
+ true, you'll want to load roda's middleware plugin with
1299
+ +forward_response_headers: true+ option, so that +Set-Cookie+ header changes
1300
+ from the +load_memory+ call in the route block are propagated when the request
1301
+ is forwarded to the main app.
1302
+
1291
1303
  Here are some examples of integrating Rodauth into applications that
1292
1304
  don't use Roda:
1293
1305
 
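Review bot: the new paragraph explains what to configure but not the failure mode it avoids; suggest adding that without the option the refreshed remember cookie emitted by load_memory is dropped when the request is forwarded, so the deadline is extended only in the database while the cookie in the browser keeps its original expiration. Quoting the actual plugin call, `plugin :middleware, forward_response_headers: true`, would also make the advice copy-pasteable.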
@@ -1489,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
1489
1501
 
1490
1502
  All of these are Rails-specific:
1491
1503
 
1492
- * Devise
1493
- * Authlogic
1494
- * Sorcery
1504
+ * {Devise}[https://github.com/heartcombo/devise]
1505
+ * {Authlogic}[https://github.com/binarylogic/authlogic]
1506
+ * {Sorcery}[https://github.com/Sorcery/sorcery]
1495
1507
 
1496
1508
  == Author
1497
1509
 
data/doc/base.rdoc CHANGED
@@ -99,6 +99,7 @@ csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use,
99
99
  function_name(name) :: The name of the database function to call. It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
100
100
  logged_in? :: Whether the current session is logged in.
101
101
  login_required :: Action to take when a login is required to access the page and the user is not logged in.
102
+ null_byte_parameter_value(key, value) :: The value to use for the parameter if the parameter includes an ASCII NUL byte ("\0"), nil by default to ignore the parameter.
102
103
  open_account? :: Whether the current account is an open account (not closed or unverified).
103
104
  password_match?(password) :: Check whether the given password matches the stored password hash.
104
105
  random_key :: A randomly generated string, used for creating tokens.
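Review bot: "nil by default to ignore the parameter" leaves the effect on required fields implicit; suggest stating that a nil return is treated as the parameter not having been submitted, so a password containing a NUL byte fails as missing rather than producing contains_null_byte_message (the login_password_requirements_base change later in this diff says that message is now only used when such parameters are otherwise allowed). A short reason would help too: the 1.2.0 changelog entry removed in this diff records that bcrypt truncates at the NUL byte, which is why NUL-containing values are unsafe as password input.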
@@ -143,6 +143,17 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
143
143
  # templates. This is necessary for precompilation of templates to work.
144
144
  loaded_templates ['foo']
145
145
 
146
+ # This defines the following methods related to sending email:
147
+ #
148
+ # * foo_email_subject: uses given subject
149
+ # * foo_email_body: renders foo-email template
150
+ # * create_foo_email: creates Mail::Message using subject and body
151
+ # * send_foo_email: sends created email
152
+ #
153
+ # The foo-email template should be included in the loaded_templates call to make sure
154
+ # template precompilation works.
155
+ email :foo, 'Foo Subject'
156
+
146
157
  # auth_value_method is a generic method that takes two arguments, a method to define
147
158
  # and a default value. It is similar to the methods above, except that it allows
148
159
  # arbitrary method names. The notice_flash, error_flash, button, and additional_form_tags
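Review bot: the added comment says the foo-email template should be included in the loaded_templates call, but the `loaded_templates ['foo']` line immediately above this insertion lists only 'foo'; change it to `loaded_templates ['foo', 'foo-email']` so the example follows its own advice and precompilation of the email body template works as described.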
@@ -8,6 +8,9 @@ corresponding <tt>*_route</tt> method:
8
8
 
9
9
  # Change login route to "/signin"
10
10
  login_route "signin"
11
+
12
+ # Change redirect when login is required to "/signin"
13
+ require_login_redirect { login_path }
11
14
 
12
15
  # Change create account route to "/register"
13
16
  create_account_route "register"
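Review bot: the need for `require_login_redirect { login_path }` right after `login_route "signin"` shows that require_login_redirect is not automatically updated when the login route changes; the comment should say so explicitly (otherwise readers may assume the extra line is redundant and drop it, leaving login-required redirects pointing at the old path).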
@@ -6,7 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
6
6
  == Auth Value Methods
7
7
 
8
8
  already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
9
- contains_null_byte_message :: The error message to display when the password contains a null byte.
9
+ contains_null_byte_message :: The error message to display when the password contains a null byte (only used if parameters with null bytes are otherwise allowed).
10
10
  login_confirm_label :: The label to use for login confirmations.
11
11
  login_confirm_param :: The parameter name to use for login confirmations.
12
12
  login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
@@ -0,0 +1,28 @@
1
+ = Improvements
2
+
3
+ * When using the verify_account_grace_period feature, if the grace
4
+ period has expired for currently logged in session, require_login
5
+ will clear the session and redirect to the login page. This is
6
+ implemented by having the unverified_account_session_key store the
7
+ time of expiration, as an integer.
8
+
9
+ * The previously private require_account method is now public. The
10
+ method is used internally by Rodauth to check that not only is the
11
+ current session logged in, but also that the account related to the
12
+ currently logged in session still exists in the database. The only
13
+ reason you would want to call require_account instead of
14
+ require_authentication is if you want to handle cases where there
15
+ can be logged in sessions for accounts that have been deleted.
16
+
17
+ * Rodauth now avoids an unnecessary bcrypt hash calculation when
18
+ updating accounts when using the account_password_hash_column
19
+ configuration method.
20
+
21
+ * When WebAuthn token last use times are displayed, Rodauth now uses a
22
+ fixed format of YYYY-MM-DD HH:MM:SS, instead of relying on
23
+ Time#to_s. If this presents an problem for your application, please
24
+ open an issue and we can add a configuration method to control
25
+ the behavior.
26
+
27
+ * A typo in the default value of global_logout_label in the
28
+ active_sessions feature has been fixed.
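Review bot: typo at line 23 of the new file: "If this presents an problem" should read "If this presents a problem"; line 4 should also read "for the currently logged in session". For the first bullet, it is worth saying how require_login treats sessions created before this upgrade, since those will not have the expiration time stored as an integer in unverified_account_session_key and readers will want to know whether they are cleared or left alone.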
@@ -0,0 +1,43 @@
1
+ = New Features
2
+
3
+ * Rodauth now ignores parameters containing ASCII NUL bytes ("\0") by
4
+ default. You can customize this behavior using the
5
+ null_byte_parameter_value configuration method.
6
+
7
+ * A reset_password_notify feature has been added for emailing users
8
+ after successful password resets.
9
+
10
+ * External features can now use the email method inside their
11
+ feature definitions to DRY up the creation of email configuration
12
+ methods. The email method will setup the following configuration
13
+ methods for the feature:
14
+
15
+ * ${name}_email_subject
16
+ * ${name}_email_body
17
+ * create_${name}_email
18
+ * send_${name}_email
19
+
20
+ = Other Improvements
21
+
22
+ * The active_sessions feature now correctly handles logouts for
23
+ sessions that were created before the active_sessions feature was
24
+ added to the Rodauth configuration.
25
+
26
+ * The change_password_notify feature now works correctly when using
27
+ template precompilation.
28
+
29
+ * The update_sms method now updates the in-memory sms hash instead of
30
+ the in-memory account hash. This only has an effect if you are
31
+ using the sms_codes feature and customizing Rodauth to access one
32
+ of these hashes after a call to update_sms.
33
+
34
+ = Backwards Compatibility
35
+
36
+ * If your application requires the ability to submit values containing
37
+ ASCII NUL bytes ("\0") as Rodauth parameters, you should use the
38
+ new null_byte_parameter_value configuration method to pass the
39
+ value through unchanged:
40
+
41
+ null_byte_parameter_value do |_, v|
42
+ v
43
+ end
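Review bot: the Backwards Compatibility example returns the value unchanged for every parameter, including passwords, but gives no reason for the default it overrides; the 1.2.0 changelog entry removed in this diff records that bcrypt truncates at the NUL byte, so passing NUL-containing passwords through re-enables that truncation, with contains_null_byte_message as the only remaining guard (per the login_password_requirements_base doc change). Suggest saying this and showing the narrower form, where the block uses its first argument (the parameter key, as documented in the base.rdoc change) to return v only for the specific non-password parameters that need it.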