rodauth 2.21.0 → 2.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb1777533bb6a941212c0e6d5be00fc393b95c3d22e7af40542d616cdd68d139
-  data.tar.gz: de6a798803940fb94ff1d44bc2d148e45b1adc8e532cb44db4602b974a1b6b19
+  metadata.gz: 3db9ca9b25c4acd3e2b16cfca4a9efbc95758242e5030cbb33502440df4dbc15
+  data.tar.gz: e77ffff24d840adc1a17d162e58f76f99b363f063c070229315f45766d71a96a
 SHA512:
-  metadata.gz: 830b574f78cba6d5e103306f3709e2ae92e99af0cb0b02c8276699c048cd799cad58cf28d521980e43c0023aadc8934705ad45ff48819c316b3c6d3b5554f189
-  data.tar.gz: d4127705f604ac89b35f17d795c07bd54bed86b6c9c784e04578f047a3b1d2e34689c0320c35ffe9f7640e7870197c6563c4c57c0867ca5d2d257d23a143ce1a
+  metadata.gz: 46064d3008752765daec092f037dc3d3b2b85a6f2a9c9a9b6fe1b4abec1cc9764d7c157adc736844ccbdde68f78a7b303225da5fe6caa895f650a9102b2cf271
+  data.tar.gz: fadc40b635e868e0b59f61faa566447f294e4fc174b0620e06bac1766c4fb6c1ce0944548d413443bc699c128b7c59d9f5c6dc7175fb46c2f9c3d1404e698c8e

data/CHANGELOG

@@ -1,3 +1,37 @@
+=== 2.24.0 (2022-05-24)
+
+* Work around implicit null byte check added in bcrypt 3.1.18 by checking password requirements before other password checks (jeremyevans)
+
+* Fix invalid HTML on pages with OTP QR codes (jeremyevans)
+
+* Add recovery_codes_available? configuration method to the recovery_codes feature (janko) (#238)
+
+* Add otp_available? configuration method to the otp feature (janko) (#238)
+
+=== 2.23.0 (2022-04-22)
+
+* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
+
+* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
+
+* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
+
+* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
+
+=== 2.22.0 (2022-03-22)
+
+* Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
+
+* Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
+
+* Add reset_password_notify for emailing users after successful password resets (jeremyevans)
+
+* An email method can now be used in external features to DRY up email creation code (jeremyevans)
+
+* The change_password_notify feature now correctly handles template precompilation (jeremyevans)
+
+* Fix update_sms to update stored sms hash (bjeanes) (#222)
+
 === 2.21.0 (2022-02-23)
 
 * Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
@@ -326,446 +360,6 @@
 
 * Drop support for Ruby 1.8 (jeremyevans)
 
-=== 1.23.0 (2020-03-06)
-
-* Remove specs from the gem to reduce gem size by over 20% (jeremyevans) 
-
-* Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
-
-* Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
-
-* Add *_path and *_url methods for all *_route methods (janko) (#64)
-
-* Add send_email configuration method for configuring how email is sent (janko) (#63)
-
-=== 1.22.0 (2019-10-29)
-
-* Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
-
-* Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
-
-=== 1.21.0 (2019-07-24)
-
-* Support rotp 5.1 in the otp feature (jeremyevans)
-
-* Log user out when locking out OTP account if no fallback options available (jeremyevans)
-
-=== 1.20.0 (2019-06-07)
-
-* Support rotp 5 in the otp feature (jeremyevans)
-
-* Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
-
-* Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
-
-* Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
-
-* Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
-
-* Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
-
-* Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
-
-* Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
-
-* Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
-
-* Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
-
-* Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
-
-* Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
-
-* Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
-
-* Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
-
-* Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
-
-* Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
-
-* Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
-
-* Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
-
-* Add formatted_field_error configuration method for formatting error messages (jeremyevans)
-
-* Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
-
-* Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
-
-* Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
-
-* Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
-
-* Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
-
-* Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
-
-* Wrap all error messages in a span so they can be styled (jeremyevans)
-
-* Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
-
-* Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
-
-* Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
-
-* Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
-
-* Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
-
-* Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
-
-* Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
-
-* Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
-
-* Add already_an_account_with_this_login_message configuration method (1gor) (#54)
-
-=== 1.19.1 (2018-11-16)
-
-* Support rotp 4 in the otp feature (jeremyevans)
-
-=== 1.19.0 (2018-11-16)
-
-* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
-
-* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
-
-* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
-
-* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
-
-* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
-
-* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
-
-* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
-
-* Add email_auth feature, for authentication using links sent via email (jeremyevans)
-
-* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
-
-* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
-
-* Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
-
-=== 1.18.0 (2018-07-18)
-
-* Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
-
-* Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
-
-* Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
-
-=== 1.17.0 (2018-06-11)
-
-* Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
-
-=== 1.16.0 (2018-03-09)
-
-* Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
-
-* Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
-
-=== 1.15.0 (2018-01-29)
-
-* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
-
-=== 1.14.0 (2017-12-19)
-
-* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
-
-* Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
-
-* Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
-
-=== 1.13.0 (2017-11-21)
-
-* Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
-
-* Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
-
-* Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
-
-* Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
-
-=== 1.12.0 (2017-10-03)
-
-* [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
-
-* Update migrations to work with Sequel 5 (jeremyevans)
-
-* Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
-
-* Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
-
-* Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
-
-* Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
-
-=== 1.11.0 (2017-04-24)
-
-* Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
-
-* Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
-
-* Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
-
-=== 1.10.0 (2017-03-23)
-
-* Add Internals Guide (jeremyevans)
-
-* Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
-
-* When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
-
-* Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)
-
-* Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)
-
-* Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
-
-* Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
-
-* Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
-
-* Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
-
-=== 1.9.0 (2017-02-22)
-
-* Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
-
-* Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
-
-=== 1.8.0 (2017-01-06)
-
-* Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
-
-* Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
-
-=== 1.7.0 (2016-11-22)
-
-* Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
-
-=== 1.6.0 (2016-10-24)
-
-* Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
-
-* Move login hooks from login feature to base, to be usable by other features (jeremyevans)
-
-* Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
-
-* Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
-
-* Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
-
-* Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
-
-* Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
-
-* Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
-
-=== 1.5.0 (2016-09-22)
-
-* Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
-
-* Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
-
-* Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
-
-* Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
-
-* Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
-
-* Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
-
-* Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
-
-* Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
-
-* Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
-
-* If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
-
-* The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
-
-* Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
-
-* Add template_opts configuration method, for overriding view/method options (jeremyevans)
-
-=== 1.4.0 (2016-08-18)
-
-* Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
-
-=== 1.3.0 (2016-07-19)
-
-* Add login_maximum_length, defaulting to 255 (jeremyevans)
-
-=== 1.2.0 (2016-06-15)
-
-* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
-
-* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
-
-=== 1.1.0 (2016-05-13)
-
-* Support :csrf=>false and :flash=>false plugin options (jeremyevans)
-
-=== 1.0.0 (2016-04-15)
-
-* Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
-
-* Extend remember deadline in cookie in addition to database (jeremyevans)
-
-* Make tokens work with string account ids (jeremyevans)
-
-* Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
-
-* Set correct cookie expiration in the remember feature (jeremyevans)
-
-* Split confirm_password feature from remember feature (jeremyevans)
-
-* Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
-
-* Move login/password requirements settings to login password requirements base feature (jeremyevans)
-
-* Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
-
-* Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
-
-* Make create/verify account autologin true by default (jeremyevans)
-
-* Optimize routing using a hash table, disallow per-request routes (jeremyevans)
-
-* Add ability to turn off login/password confirmations (jeremyevans)
-
-* Don't allow changing login to the same as the current login (jeremyevans)
-
-* Only allow requesting account unlocks if the account is current locked out (jeremyevans)
-
-* Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
-
-* Use separate routes for confirming passwords and changing remember settings (jeremyevans)
-
-* Add JWT feature for JSON API support using JWT tokens (jeremyevans)
-
-* Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
-
-* Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
-
-* Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
-
-* Add rodauth.redirect to abstract redirection code (jeremyevans)
-
-* Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
-
-* The before_* configuration methods now run directly before making the related database changes (jeremyevans)
-
-* Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
-
-* Add token_separator configuration method to replace the default of _ (jeremyevans)
-
-* Rename account_id_value to account_id (jeremyevans)
-
-* Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
-
-* Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
-
-* Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
-
-* Extract shared email-related code into email_base feature (jeremyevans)
-
-* Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
-
-* Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
-
-* Allow close_account feature to optionally delete accounts (jeremyevans)
-
-* Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
-
-* Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
-
-* Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
-
-* Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)
-
-* Add single_session feature, for only allowing a single active session per account (jeremyevans)
-
-* Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
-
-* Check account status in rodauth.load_memory in remember plugin (jeremyevans)
-
-* Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
-
-* Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
-
-* Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
-
-* Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
-
-* Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
-
-* Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
-
-* Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
-
-* Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
-
-* Allow unlock account to optionally require the user's current password (jeremyevans)
-
-* Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
-
-* Make change password, change login, and close account require the user's current password by default (jeremyevans)
-
-* Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
-
-* Switch unlock_account_autologin? to be true by default (jeremyevans)
-
-* Add rodauth.authenticated? and .require_authentication (jeremyevans)
-
-* Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
-
-* Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
-
-* Add support for running on MySQL with database functions for authentication (jeremyevans)
-
-* Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
-
-* Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
-
-* Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
-
-* Add Rodauth.version for getting the version (jeremyevans)
-
-* External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
-
-* Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
-
-* Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
-
-* Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
-
-* Always require securerandom (jeremyevans)
-
-* Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
-
-* Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
-
-* Remove overriding of route/get/post blocks (jeremyevans)
-
-* Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
-
-* Add timing safe comparison of tokens (jeremyevans)
-
-=== 0.10.0 (2016-02-17)
-
-* Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
-
-=== 0.9.1 (2015-08-13)
-
-* Don't use csrf plugin automatically (jeremyevans)
-
-=== 0.9.0 (2015-08-12)
+=== Older
 
-* Initial public release
+See doc/CHANGELOG.old

data/README.rdoc

@@ -60,6 +60,7 @@ HTML and JSON API for all supported features.
 * Argon2
 * HTTP Basic Auth
 * Change Password Notify
+* Reset Password Notify
 * Internal Request
 * Path Class Methods
 
@@ -902,6 +903,7 @@ view the appropriate file in the doc directory.
 * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
 * {Remember}[rdoc-ref:doc/remember.rdoc]
 * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
+* {Reset Password Notify}[rdoc-ref:doc/reset_password_notify.rdoc]
 * {Session Expiration}[rdoc-ref:doc/session_expiration.rdoc]
 * {Single Session}[rdoc-ref:doc/single_session.rdoc]
 * {SMS Codes}[rdoc-ref:doc/sms_codes.rdoc]
@@ -1292,6 +1294,12 @@ By setting <tt>env['rodauth'] = rodauth</tt> in the route block
 inside the middleware, you can easily provide a way for your
 application to call Rodauth methods.
 
+If you're using the remember feature with +extend_remember_deadline?+ set to
+true, you'll want to load roda's middleware plugin with
++forward_response_headers: true+ option, so that +Set-Cookie+ header changes
+from the +load_memory+ call in the route block are propagated when the request
+is forwarded to the main app.
+
 Here are some examples of integrating Rodauth into applications that
 don't use Roda:
 
@@ -1493,9 +1501,9 @@ required to run the current version of Rodauth is 1.9.2.
 
 All of these are Rails-specific:
 
-* Devise
-* Authlogic
-* Sorcery
+* {Devise}[https://github.com/heartcombo/devise]
+* {Authlogic}[https://github.com/binarylogic/authlogic]
+* {Sorcery}[https://github.com/Sorcery/sorcery]
 
 == Author
 

data/doc/base.rdoc

@@ -99,6 +99,7 @@ csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use,
 function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
 logged_in? :: Whether the current session is logged in.
 login_required :: Action to take when a login is required to access the page and the user is not logged in.
+null_byte_parameter_value(key, value) :: The value to use for the parameter if the parameter includes an ASCII NUL byte ("\0"), nil by default to ignore the parameter.
 open_account? :: Whether the current account is an open account (not closed or unverified).
 password_match?(password) :: Check whether the given password matches the stored password hash.
 random_key :: A randomly generated string, used for creating tokens.

data/doc/guides/internals.rdoc

@@ -143,6 +143,17 @@ Here's a heavily commented example showing what is going on inside a Rodauth fea
       # templates.  This is necessary for precompilation of templates to work.
       loaded_templates ['foo']
 
+      # This defines the following methods related to sending email:
+      #
+      # * foo_email_subject: uses given subject
+      # * foo_email_body: renders foo-email template
+      # * create_foo_email: creates Mail::Message using subject and body
+      # * send_foo_email: sends created email
+      #
+      # The foo-email template should be included in the loaded_templates call to make sure
+      # template precompilation works.
+      email :foo, 'Foo Subject'
+
       # auth_value_method is a generic method that takes two arguments, a method to define
       # and a default value.  It is similar to the methods above, except that it allows
       # arbitrary method names.  The notice_flash, error_flash, button, and additional_form_tags

data/doc/guides/paths.rdoc

@@ -8,6 +8,9 @@ corresponding <tt>*_route</tt> method:
 
     # Change login route to "/signin"
     login_route "signin"
+    
+    # Change redirect when login is required to "/signin"
+    require_login_redirect { login_path }
 
     # Change create account route to "/register"
     create_account_route "register"

data/doc/login_password_requirements_base.rdoc

@@ -6,7 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
 == Auth Value Methods
 
 already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
-contains_null_byte_message :: The error message to display when the password contains a null byte.
+contains_null_byte_message :: The error message to display when the password contains a null byte (only used if parameters with null bytes are otherwise allowed).
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
 login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.

data/doc/otp.rdoc

@@ -70,6 +70,7 @@ before_otp_setup_route :: Run arbitrary code before handling an OTP authenticati
 otp :: The object used for verifying OTP authentication attempts.
 otp_add_key(secret) :: Add an OTP key for the current account with the given secret.
 otp_auth_view :: The HTML to use for the OTP authentication form.
+otp_available? :: Whether OTP authentication is ready for use.
 otp_disable_view :: The HTML to use for the OTP disable form.
 otp_exists? :: Whether the current account has setup OTP.
 otp_key :: The stored OTP secret for the account.

data/doc/recovery_codes.rdoc

@@ -57,4 +57,5 @@ new_recovery_code :: A new recovery code to insert into the recovery codes table
 recovery_auth_view :: The HTML to use for the form to authenticate via a recovery code.
 recovery_code_match?(code) :: Whether the given code matches any of the existing recovery_codes.
 recovery_codes :: An array containing all valid recovery codes for the current account.
+recovery_codes_available? :: Whether authentication via recovery codes is ready for use.
 recovery_codes_view :: The HTML to use for the form to view recovery codes.

data/doc/release_notes/2.22.0.txt

@@ -0,0 +1,43 @@
+= New Features
+
+* Rodauth now ignores parameters containing ASCII NUL bytes ("\0") by
+  default.  You can customize this behavior using the
+  null_byte_parameter_value configuration method.
+
+* A reset_password_notify feature has been added for emailing users
+  after successful password resets.
+
+* External features can now use the email method inside their
+  feature definitions to DRY up the creation of email configuration
+  methods. The email method will setup the following configuration
+  methods for the feature:
+
+  * ${name}_email_subject
+  * ${name}_email_body
+  * create_${name}_email
+  * send_${name}_email
+
+= Other Improvements
+
+* The active_sessions feature now correctly handles logouts for
+  sessions that were created before the active_sessions feature was
+  added to the Rodauth configuration.
+
+* The change_password_notify feature now works correctly when using
+  template precompilation.
+
+* The update_sms method now updates the in-memory sms hash instead of
+  the in-memory account hash.  This only has an effect if you are
+  using the sms_codes feature and customizing Rodauth to access one
+  of these hashes after a call to update_sms.
+
+= Backwards Compatibility
+
+* If your application requires the ability to submit values containing
+  ASCII NUL bytes ("\0") as Rodauth parameters, you should use the
+  new null_byte_parameter_value configuration method to pass the
+  value through unchanged:
+
+    null_byte_parameter_value do |_, v|
+      v
+    end

data/doc/release_notes/2.23.0.txt

@@ -0,0 +1,15 @@
+= Improvements
+
+* The otp feature now uses the :use_path option when rendering QR
+  codes, resulting in significantly smaller svg images.
+
+* Removing all multifactor authentication methods now removes the fact
+  that the session was authenticated via SMS, if the user used SMS as
+  an authentication method for the current session.
+
+* The invalid domain check in the internal_request feature now works
+  correctly when using the rack master branch.
+
+* The :httponly cookie option is no longer set automatically in the
+  remember feature if the :http_only cookie option was provided by the
+  user (rack recognizes both options).