rodauth 2.3.0 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ea58deac2998a11cd0cd4b17545eab5fce6fb0acd7751416fd521cbd77d6add
-  data.tar.gz: c113c1131f5d756fd3aa5c1dbf083f40506b8822fb1c9b67537069c9e8695fba
+  metadata.gz: a39430563fc9d81e610b8a28b5c044eedd7ebd361d6294f9bd02687ce2d24c27
+  data.tar.gz: a852e9713602b807bb7566b3db4038a6fda0ae0d2b90bf4b1ce2e45429c8efd2
 SHA512:
-  metadata.gz: 1fa2ce1d08a9f09e21d2fb1fe5b71ea3c6fc55181452302a35929229f0fad8c3c5d3d3324d73bee9c69daf0ff7a2d14ddbb731ef994bd3317512627233a69d28
-  data.tar.gz: 7a188457006390730f00bc4a2ea5159c002dba66b300fd993929a5b5a491f2f4be0191c7e7c8e4b9e82b2e709b1a4e8ea8f5d335613f262671e1d68507cc2e26
+  metadata.gz: ba8f83d3f9afc3f1bcca6f649e925b1b3f795002dc980ae5bfb219885a74c69c34bbacaccda83c153bf9f799f328970cd900a3abf5966b88956dc3476ef3f9f8
+  data.tar.gz: 9d2042a183a7fdc941cd2b8716aba581861b9e1831574eac3241979ab32e2fe2076baf94e3ab0782487aa34d4e7f98f063035c22dcd7088f1a4fd1f1b83a7e6d

data/CHANGELOG

@@ -1,3 +1,45 @@
+=== 2.8.0 (2021-01-06)
+
+* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
+
+* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
+
+=== 2.7.0 (2020-12-22)
+
+* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
+
+* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
+
+* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
+
+* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
+
+* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
+
+=== 2.6.0 (2020-11-20)
+
+* Avoid loading features multiple times (janko) (#131)
+
+* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
+
+* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
+
+* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
+
+* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
+
+=== 2.5.0 (2020-10-22)
+
+* Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
+
+* Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
+
+=== 2.4.0 (2020-09-21)
+
+* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
+
+* Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
+
 === 2.3.0 (2020-08-21)
 
 * Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020 Jeremy Evans
+Copyright (c) 2015-2021 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -44,6 +44,7 @@ HTML and JSON API for all supported features.
 * Verify Account Grace Period (Don't require verification before login)
 * Password Grace Period (Don't require password entry if recently entered)
 * Password Complexity (More sophisticated checks)
+* Password Pepper
 * Disallow Password Reuse
 * Disallow Common Passwords
 * Password Expiration
@@ -881,6 +882,7 @@ view the appropriate file in the doc directory.
 * {Password Complexity}[rdoc-ref:doc/password_complexity.rdoc]
 * {Password Expiration}[rdoc-ref:doc/password_expiration.rdoc]
 * {Password Grace Period}[rdoc-ref:doc/password_grace_period.rdoc]
+* {Password Pepper}[rdoc-ref:doc/password_pepper.rdoc]
 * {Recovery Codes}[rdoc-ref:doc/recovery_codes.rdoc]
 * {Remember}[rdoc-ref:doc/remember.rdoc]
 * {Reset Password}[rdoc-ref:doc/reset_password.rdoc]
@@ -1062,6 +1064,18 @@ the name as an argument to use that configuration:
     r.rodauth
   end
 
+By default, alternate configurations will use the same session keys as the
+primary configuration, which may be undesirable. To ensure session state is
+separated between configurations, you can set a session key prefix for
+alternate configurations.  If you are using the remember feature in both
+configurations, you may also want to set a different remember key in the
+alternate configuration:
+
+  plugin :rodauth, :name=>:secondary do
+    session_key_prefix "secondary_"
+    remember_cookie_key "_secondary_remember"
+  end
+
 === With Password Hashes Inside the Accounts Table
 
 You can use Rodauth if you are storing password hashes in the same

data/doc/base.rdoc

@@ -1,7 +1,7 @@
 = Documentation for Base Feature
 
 The base feature is automatically loaded when you use Rodauth.  It contains
-shared functionality that is used by multiple features. 
+shared functionality that is used by multiple features.
 
 == Auth Value Methods
 
@@ -17,6 +17,7 @@ mark_input_fields_as_required? :: Whether input fields should be marked as requi
 prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
 require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
 session_key :: The key in the session hash storing the primary key of the logged in account.
+session_key_prefix :: The string that will be prepended to the default value for all session keys.
 skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.
 title_instance_variable :: The instance variable to set in the Roda scope with the page title.  The layout should use this instance variable if available to set the title of the page.  You can use +set_title+ if setting the page title is not done through an instance variable.
 
@@ -87,6 +88,7 @@ account_session_value :: The primary value of the current account to store in th
 after_login :: Run arbitrary code after a successful login.
 after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
 already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
+around_rodauth(&block) :: Run arbitrary code around handling any rodauth route.  Call <tt>super(&block)</tt> for Rodauth to handle the action.
 authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
 before_login :: Run arbitrary code after password has been checked, but before updating the session.
 before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.

data/doc/jwt_refresh.rdoc

@@ -21,19 +21,27 @@ a value of <tt>all</tt> as the token value.
 
 When using the refresh token, you must provide a valid access token, as that contains
 information about the current session, which is used to create the new access token.
+If you change the +allow_refresh_with_expired_jwt_access_token?+ setting to +true+,
+an expired but otherwise valid access token will be accepted, and Rodauth will check
+that the access token was issued in the same session as the refresh token.
 
 This feature depends on the jwt feature.
 
 == Auth Value Methods
 
+allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+.  You must set an +hmac_secret+ if setting this value to +true+.
+expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
+expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
 jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
 jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
 jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
 jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
 jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
 jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
+jwt_refresh_token_data_session_key :: The key in the session hash storing random data, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
 jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
+jwt_refresh_token_hmac_session_key :: The key in the session hash storing the hmac, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
 jwt_refresh_token_key :: Name of the key in the response json holding the refresh token.  Default is +refresh_token+.
 jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.

data/doc/login.rdoc

@@ -34,4 +34,5 @@ use_multi_phase_login? :: Whether to ask for login first, and only ask for passw
 
 before_login_route :: Run arbitrary code before handling a login route.
 login_view :: The HTML to use for the login form.
+login_return_to_requested_location_path :: If +login_return_to_requested_location?+ is true, the path to use as the requested location.  By default, uses the full path of the request for GET requests, and is nil for non-GET requests (in which case the default +login_redirect+ will be used).
 multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.

data/doc/password_pepper.rdoc

@@ -0,0 +1,44 @@
+= Documentation for Password Pepper Feature
+
+The password pepper feature appends a specified secret string to passwords
+before they are hashed. This way, if the password hashes get compromised, an
+attacker cannot use them to crack the passwords without also knowing the
+pepper.
+
+In the configuration block set the +password_pepper+ with your secret string.
+It's recommended for the password pepper to be at last 32 characters long and
+randomly generated.
+
+  password_pepper "<long secret key>"
+
+If your database already contains password hashes that were created without a
+password pepper, these will get automatically updated with a password pepper
+next time the user successfully enters their password.
+
+You can rotate the password pepper as well, just make sure to add the previous
+pepper to the +previous_password_peppers+ array. Password hashes using the old
+pepper will get automatically updated on the next successful password match.
+
+  password_pepper "new pepper"
+  previous_password_peppers ["old pepper", ""] 
+
+The empty string above ensures password hashes without pepper are handled as
+well.
+
+Note that each entry in +previous_password_peppers+ will multiply the amount of
+possible password checks during login, at least for incorrect passwords.
+
+Additionally, when using this feature with the disallow_password_reuse feature,
+the number of passwords checked when changing or resetting a password will be
+
+  (previous_password_peppers.length + 1) * previous_passwords_to_check
+
+So if you have 2 entries in +previous_password_peppers+, using the default
+value of 6 for +previous_passwords_to_check+, every time a password
+is changed, there will be 18 password checks done, which will be quite slow.
+
+== Auth Value Methods
+
+password_pepper :: The secret string appended to passwords before they are hashed.
+previous_password_peppers :: An array of password peppers that will be tried on an unsuccessful password match. Defaults to <tt>[""]</tt>, which allows introducing this feature with existing passwords.
+password_pepper_update? :: Whether to update password hashes that use a pepper from +previous_password_peppers+ with a new pepper. Defaults to +true+.

data/doc/recovery_codes.rdoc

@@ -17,7 +17,8 @@ add_recovery_codes_error_flash :: The flash error to show when adding recovery c
 add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
 add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when enabling otp, webauthn, or sms authentication (false by default).
+auto_remove_recovery_codes? :: Whether to automatically remove recovery codes when disabling otp, webauthn, or sms authentication and not having one of the other two authentication methods enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.

data/doc/release_notes/2.4.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A password_pepper feature has been added.  This allows you to use a
+  secret key (called a pepper) to append to passwords before hashing
+  and hash checking.  Using this approach, if an attacker obtains the
+  password hash, it is unusable for cracking unless they can also
+  get access to the pepper.
+
+  The password_pepper feature also supports a list of previous peppers
+  that can be used to implement secret rotation and to support
+  compatibility with unpeppered passwords.
+
+  Rodauth by default uses database functions for password hash
+  checking on PostgreSQL, MySQL, and Microsoft SQL Server, which in
+  general provides more security than a password pepper, but both
+  approaches can be used simultaneously.
+
+* A session_key_prefix configuration method has been added for
+  prefixing the values of all default session keys.  This can be
+  useful if you are using multiple Rodauth configurations in the same
+  application and want to make sure the session keys for the separate
+  configurations do not overlap.

data/doc/release_notes/2.5.0.txt

@@ -0,0 +1,20 @@
+= New Features
+
+* A login_return_to_requested_location_path configuration method has
+  been added to the login feature.  This controls the path to redirect
+  to if using login_return_to_requested_location?.  By default, this
+  is the same as the fullpath of the request that required login if
+  that request was a GET request, and nil if that request was not a
+  GET request.  Previously, the fullpath of that request was used even
+  if it was not a GET request, which caused problems as browsers use a
+  GET request for redirects, and it is a bad idea to redirect to a path
+  that may not handle GET requests.
+
+* A change_login_needs_verification_notice_flash configuration method
+  has been added to the verify_login_change feature, for allowing
+  translations when using the feature and not using the
+  change_login_notice_flash configuration method.
+
+= Other Improvements
+
+* new_password_label is now translatable.

data/doc/release_notes/2.6.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* An around_rodauth configuration method has been added, which is
+  called around all Rodauth actions.  This configuration method
+  is passed a block, and is useful for cases where you want to wrap
+  Rodauth's handling of the request.
+
+  For example, if you had a method named time_block in your Roda scope
+  that timed block execution and added a response header, you could
+  time Rodauth actions using something like:
+
+    around_rodauth do |&block|
+      scope.time_block('Rodauth') do
+        super(&block)
+      end
+    end
+
+* The allow_refresh_with_expired_jwt_access_token? configuration has
+  been added to the jwt_refresh feature, allowing refreshing with an
+  expired but otherwise valid access token.  When using this method,
+  it is required to have an hmac_secret specified, so that Rodauth
+  can make sure the access token matches the refresh token.
+
+= Other Improvements
+
+* The javascript for setting up a WebAuthn token has been fixed to
+  allow it to work correctly if there is already an existing
+  WebAuthn token for the account.
+
+* The rodauth.setup_account_verification method has been promoted to
+  public API.  You can use this method for automatically sending
+  account verification emails when automatically creating accounts.
+
+* Rodauth no longer loads the same feature multiple times into a
+  single configuration.  This didn't cause any problems before, but
+  could result in duplicate entries when looking at the loaded
+  features.

data/doc/release_notes/2.7.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* An auto_remove_recovery_codes? configuration method has been added
+  to the recovery_codes feature.  This will automatically remove
+  recovery codes when the last multifactor authentication type other
+  than the recovery codes has been removed.
+
+* The jwt_access_expired_status and expired_jwt_access_token_message
+  configuration methods have been added to the jwt_refresh feature,
+  for supporting custom statuses and messages for expired tokens.
+
+= Other Improvements
+
+* Rodauth will no longer attempt to require a feature that has
+  already been required.  Related to this is you can now use a
+  a custom Rodauth feature without a rodauth/features/*.rb file
+  in the Ruby library path, as long as you load the feature
+  manually.
+
+* Rodauth now avoids method redefinition warnings in verbose
+  warning mode.  As Ruby 3 is dropping uninitialized instance
+  variable warnings, Rodauth will be verbose warning free in
+  Ruby 3.
+
+= Backwards Compatibility
+
+* The default remember cookie path is now set to '/'. This fixes
+  usage in the case where rodauth is loaded under a subpath of the
+  application (which is not the default behavior).  Unfortunately,
+  this change can negatively affect cases where multiple rodauth
+  configurations are used in separate paths on the same domain.
+  In these cases, you should now use remember_cookie_options and
+  include a :path option.

data/doc/release_notes/2.8.0.txt

@@ -0,0 +1,20 @@
+= Improvements
+
+* HttpOnly is now set by default on the remember cookie, so it is no
+  longer accessible from Javascript.  This is a more secure approach
+  that makes applications using Rodauth's remember feature less
+  vulnerable in case they are subject to a separate XSS attack.
+
+* When using the jwt feature, rodauth.clear_session now clears the
+  JWT session even when the Roda sessions plugin was in use.  In most
+  cases, the jwt feature is not used with the Roda sessions plugin,
+  but in cases where the same application serves as both an JSON API
+  and as a HTML site, it is possible the two may be used together.
+
+= Backwards Compatibility
+
+* As the default remember cookie :httponly setting is now set to true,
+  applications using Rodauth that expected to be able to access the
+  remember cookie from Javascript will no longer work by default.
+  In these cases, you should now use remember_cookie_options and
+  include a :httponly=>false option.

data/doc/remember.rdoc

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/`, and `:httponly` is set to `true`.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/doc/verify_login_change.rdoc

@@ -14,6 +14,7 @@ control.  Depends on the change login and email base features.
 == Auth Value Methods
 
 no_matching_verify_login_change_key_error_flash :: The flash error message to show when an invalid verify login change key is used.
+change_login_needs_verification_notice_flash :: The flash notice to show after changing a login when using this feature, if +change_login_notice_flash+ is not overridden.
 verify_login_change_additional_form_tags :: HTML fragment containing additional form tags to use on the verify login change form.
 verify_login_change_autologin? :: Whether to autologin the user after successful login change verification, false by default.
 verify_login_change_button :: The text to use for the verify login change button.

data/javascript/webauthn_auth.js

@@ -1,34 +1,34 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-auth-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.allowCredentials.forEach(function(cred) {
-        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      });
+      opts.challenge = unpack(opts.challenge);
+      opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.get({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
 
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var rawId = pack(cred.rawId);
           var authValue = {
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              authenticatorData: pack(cred.response.authenticatorData),
+              clientDataJSON: pack(cred.response.clientDataJSON),
+              signature: pack(cred.response.signature)
             }
           };
 
           if (cred.response.userHandle) {
-            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+            authValue.response.userHandle = pack(cred.response.userHandle);
           }
 
           document.getElementById('webauthn-auth').value = JSON.stringify(authValue);

data/javascript/webauthn_setup.js

@@ -1,26 +1,29 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-setup-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.challenge = unpack(opts.challenge);
+      opts.user.id = unpack(opts.user.id);
+      opts.excludeCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.create({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
-          
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+
+          var rawId = pack(cred.rawId);
           document.getElementById('webauthn-setup').value = JSON.stringify({
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              attestationObject: pack(cred.response.attestationObject),
+              clientDataJSON: pack(cred.response.clientDataJSON)
             }
           });
           element.removeEventListener("submit", f);

data/lib/rodauth.rb

@@ -66,6 +66,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
 
@@ -74,6 +75,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, umeth, &block)
         @auth.send(:private, umeth)
+        @auth.send(:alias_method, umeth, umeth)
       end
     end
 
@@ -82,6 +84,7 @@ module Rodauth
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
   end
@@ -120,8 +123,10 @@ module Rodauth
       define_method(handle_meth) do
         request.is send(route_meth) do
           check_csrf if check_csrf?
-          before_rodauth
-          send(internal_handle_meth, request)
+          _around_rodauth do
+            before_rodauth
+            send(internal_handle_meth, request)
+          end
         end
       end
 
@@ -238,6 +243,7 @@ module Rodauth
           instance_variable_set(iv, send(umeth))
         end
       end
+      alias_method(meth, meth)
       auth_private_methods(meth)
     end
 
@@ -288,15 +294,17 @@ module Rodauth
     end
 
     def enable(*features)
-      new_features = features - @auth.features
-      new_features.each{|f| load_feature(f)}
-      @auth.features.concat(new_features)
+      features.each do |feature|
+        next if @auth.features.include?(feature)
+        load_feature(feature)
+        @auth.features << feature
+      end
     end
 
     private
 
     def load_feature(feature_name)
-      require "rodauth/features/#{feature_name}"
+      require "rodauth/features/#{feature_name}" unless FEATURES[feature_name]
       feature = FEATURES[feature_name]
       enable(*feature.dependencies)
       extend feature.configuration

data/lib/rodauth/features/base.rb

@@ -47,6 +47,7 @@ module Rodauth
     session_key :authenticated_by_session_key, :authenticated_by
     session_key :autologin_type_session_key, :autologin_type
     auth_value_method :prefix, ''
+    auth_value_method :session_key_prefix, nil
     auth_value_method :require_bcrypt?, true
     auth_value_method :mark_input_fields_as_required?, true
     auth_value_method :mark_input_fields_with_autocomplete?, true
@@ -101,7 +102,6 @@ module Rodauth
       :set_redirect_error_flash,
       :set_title,
       :translate,
-      :unverified_account_message,
       :update_session
     )
 
@@ -110,7 +110,8 @@ module Rodauth
       :account_from_session,
       :field_attributes,
       :field_error_attributes,
-      :formatted_field_error
+      :formatted_field_error,
+      :around_rodauth
     )
 
     configuration_module_eval do
@@ -259,6 +260,7 @@ module Rodauth
       @password_field_autocomplete_value || 'current-password'
     end
 
+    alias account_password_hash_column account_password_hash_column
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -393,9 +395,9 @@ module Rodauth
     def password_match?(password)
       if hash = get_password_hash
         if account_password_hash_column || !use_database_authentication_functions?
-          BCrypt::Password.new(hash) == password
+          password_hash_match?(hash, password)
         else
-          db.get(Sequel.function(function_name(:rodauth_valid_password_hash), account_id, BCrypt::Engine.hash_secret(password, hash)))
+          database_function_password_match?(:rodauth_valid_password_hash, account_id, password, hash)
         end 
       end
     end
@@ -458,6 +460,18 @@ module Rodauth
 
     private
 
+    def _around_rodauth
+      yield
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+    end
+
+    def password_hash_match?(hash, password)
+      BCrypt::Password.new(hash) == password
+    end
+
     def convert_token_key(key)
       if key && hmac_secret
         compute_hmac(key)
@@ -493,6 +507,7 @@ module Rodauth
     end
 
     def convert_session_key(key)
+      key = "#{session_key_prefix}#{key}".to_sym if session_key_prefix
       scope.opts[:sessions_convert_symbols] ? key.to_s : key
     end
 

data/lib/rodauth/features/change_password.rb

@@ -14,7 +14,7 @@ module Rodauth
     button 'Change Password'
     redirect
 
-    auth_value_method :new_password_label, 'New Password'
+    translatable_method :new_password_label, 'New Password'
     auth_value_method :new_password_param, 'new-password'
 
     auth_value_methods(

data/lib/rodauth/features/confirm_password.rb

@@ -26,11 +26,11 @@ module Rodauth
       require_account_session
       before_confirm_password_route
 
-      request.get do
+      r.get do
         confirm_password_view
       end
 
-      request.post do
+      r.post do
         if password_match?(param(password_param))
           transaction do
             before_confirm_password

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -51,11 +51,13 @@ module Rodauth
         return true if salts.empty?
 
         salts.any? do |hash_id, salt|
-          db.get(Sequel.function(function_name(:rodauth_previous_password_hash_match), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+          database_function_password_match?(:rodauth_previous_password_hash_match, hash_id, password, salt)
         end
       else
         # :nocov:
-        previous_password_ds.select_map(previous_password_hash_column).any?{|hash| BCrypt::Password.new(hash) == password}
+        previous_password_ds.select_map(previous_password_hash_column).any? do |hash|
+          password_hash_match?(hash, password)
+        end
         # :nocov:
       end
 

data/lib/rodauth/features/jwt.rb

@@ -47,7 +47,7 @@ module Rodauth
       s = {}
       if jwt_token
         unless session_data = jwt_payload
-          json_response[json_response_error_key] = invalid_jwt_format_error_message
+          json_response[json_response_error_key] ||= invalid_jwt_format_error_message
           response.status ||= json_response_error_status
           response['Content-Type'] ||= json_response_content_type
           response.write(_json_response_body(json_response))
@@ -73,7 +73,10 @@ module Rodauth
 
     def clear_session
       super
-      set_jwt if use_jwt?
+      if use_jwt?
+        session.clear
+        set_jwt
+      end
     end
 
     def set_field_error(field, message)
@@ -229,10 +232,18 @@ module Rodauth
       end
     end
 
+    def _jwt_decode_opts
+      jwt_decode_opts
+    end
+
     def jwt_payload
       return @jwt_payload if defined?(@jwt_payload)
-      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
-    rescue JWT::DecodeError
+      @jwt_payload = JWT.decode(jwt_token, jwt_secret, true, _jwt_decode_opts.merge(:algorithm=>jwt_algorithm))[0]
+    rescue JWT::DecodeError => e
+      rescue_jwt_payload(e)
+    end
+
+    def rescue_jwt_payload(_)
       @jwt_payload = false
     end
 

data/lib/rodauth/features/jwt_refresh.rb

@@ -7,6 +7,9 @@ module Rodauth
     after 'refresh_token'
     before 'refresh_token'
 
+    auth_value_method :allow_refresh_with_expired_jwt_access_token?, false
+    session_key :jwt_refresh_token_data_session_key, :jwt_refresh_token_data
+    session_key :jwt_refresh_token_hmac_session_key, :jwt_refresh_token_hash
     auth_value_method :jwt_access_token_key, 'access_token'
     auth_value_method :jwt_access_token_not_before_period, 5
     auth_value_method :jwt_access_token_period, 1800
@@ -21,12 +24,15 @@ module Rodauth
     auth_value_method :jwt_refresh_token_table, :account_jwt_refresh_keys
     translatable_method :jwt_refresh_without_access_token_message, 'no JWT access token provided during refresh'
     auth_value_method :jwt_refresh_without_access_token_status, 401
+    translatable_method :expired_jwt_access_token_message, "expired JWT access token"
+    auth_value_method :expired_jwt_access_token_status, 400
 
     auth_private_methods(
       :account_from_refresh_token
     )
 
     route do |r|
+      @jwt_refresh_route = true
       before_jwt_refresh_route
 
       r.post do
@@ -38,6 +44,7 @@ module Rodauth
             before_refresh_token
             formatted_token = generate_refresh_token
             remove_jwt_refresh_token_key(refresh_token)
+            set_jwt_refresh_token_hmac_session_key(formatted_token)
             json_response[jwt_refresh_token_key] = formatted_token
             json_response[jwt_access_token_key] = session_jwt
             after_refresh_token
@@ -58,7 +65,9 @@ module Rodauth
       # JWT login puts the access token in the header.
       # We put the refresh token in the body.
       # Note, do not put the access_token in the body here, as the access token content is not yet finalised.
-      json_response['refresh_token'] = generate_refresh_token
+      token = json_response[jwt_refresh_token_key] = generate_refresh_token
+
+      set_jwt_refresh_token_hmac_session_key(token)
     end
 
     def set_jwt_token(token)
@@ -85,12 +94,33 @@ module Rodauth
 
     private
 
+    def rescue_jwt_payload(e)
+      if e.instance_of?(JWT::ExpiredSignature)
+        begin
+          # Some versions of jwt will raise JWT::ExpiredSignature even when the
+          # JWT is invalid for other reasons.  Make sure the expiration is the
+          # only reason the JWT isn't valid before treating this as an expired token.
+          JWT.decode(jwt_token, jwt_secret, true, Hash[jwt_decode_opts].merge!(:verify_expiration=>false, :algorithm=>jwt_algorithm))[0]
+        rescue => e
+        else
+          json_response[json_response_error_key] = expired_jwt_access_token_message
+          response.status ||= expired_jwt_access_token_status
+        end
+      end
+
+      super
+    end
+
     def _account_from_refresh_token(token)
       id, token_id, key = _account_refresh_token_split(token)
 
-      return unless key
-      return unless actual = get_active_refresh_token(id, token_id)
-      return unless timing_safe_eql?(key, convert_token_key(actual))
+      unless key &&
+             (id == session_value.to_s) &&
+             (actual = get_active_refresh_token(id, token_id)) &&
+             timing_safe_eql?(key, convert_token_key(actual)) &&
+             jwt_refresh_token_match?(key)
+        return
+      end
 
       ds = account_ds(id)
       ds = ds.where(account_status_column=>account_open_status_value) unless skip_status_checks?
@@ -107,6 +137,23 @@ module Rodauth
       [id, token_id, key]
     end
 
+    def _jwt_decode_opts
+      if allow_refresh_with_expired_jwt_access_token? && @jwt_refresh_route
+        Hash[super].merge!(:verify_expiration=>false)
+      else
+        super
+      end
+    end
+
+    def jwt_refresh_token_match?(key)
+      # We don't need to match tokens if we are requiring a valid current access token
+      return true unless allow_refresh_with_expired_jwt_access_token?
+
+      # If allowing with expired jwt access token, check the expired session contains
+      # hmac matching submitted and active refresh token.
+      timing_safe_eql?(compute_hmac(session[jwt_refresh_token_data_session_key].to_s + key), session[jwt_refresh_token_hmac_session_key].to_s)
+    end
+
     def get_active_refresh_token(account_id, token_id)
       jwt_refresh_token_account_ds(account_id).
         where(Sequel::CURRENT_TIMESTAMP > jwt_refresh_token_deadline_column).
@@ -130,8 +177,7 @@ module Rodauth
     end
 
     def remove_jwt_refresh_token_key(token)
-      account_id, token = split_token(token)
-      token_id, _ = split_token(token)
+      account_id, token_id, _ = _account_refresh_token_split(token)
       jwt_refresh_token_account_token_ds(account_id, token_id).delete
     end
 
@@ -146,6 +192,15 @@ module Rodauth
       hash
     end
 
+    def set_jwt_refresh_token_hmac_session_key(token)
+      if allow_refresh_with_expired_jwt_access_token?
+        key = _account_refresh_token_split(token).last
+        data = random_key
+        set_session_value(jwt_refresh_token_data_session_key, data)
+        set_session_value(jwt_refresh_token_hmac_session_key, compute_hmac(data + key))
+      end
+    end
+
     def before_logout
       if token = param_or_nil(jwt_refresh_token_key_param)
         if token == 'all'
@@ -154,9 +209,7 @@ module Rodauth
           id, token_id, key = _account_refresh_token_split(token)
 
           if id && token_id && key && (actual = get_active_refresh_token(session_value, token_id)) && timing_safe_eql?(key, convert_token_key(actual))
-            jwt_refresh_token_account_ds(id).
-              where(jwt_refresh_token_id_column=>token_id).
-              delete
+            jwt_refresh_token_account_token_ds(id, token_id).delete
           end
         end
       end

data/lib/rodauth/features/login.rb

@@ -23,6 +23,8 @@ module Rodauth
     auth_cached_method :login_form_footer_links
     auth_cached_method :login_form_footer
 
+    auth_value_methods :login_return_to_requested_location_path
+
     route do |r|
       check_already_logged_in
       before_login_route
@@ -85,12 +87,16 @@ module Rodauth
     end
 
     def login_required
-      if login_return_to_requested_location?
-        set_session_value(login_redirect_session_key, request.fullpath)
+      if login_return_to_requested_location? && (path = login_return_to_requested_location_path)
+        set_session_value(login_redirect_session_key, path)
       end
       super
     end
 
+    def login_return_to_requested_location_path
+      request.fullpath if request.get?
+    end
+
     def after_login_entered_during_multi_phase_login
       set_notice_now_flash need_password_notice_flash
       if multi_phase_login_forms.length == 1 && (meth = multi_phase_login_forms[0][2])

data/lib/rodauth/features/otp.rb

@@ -76,9 +76,7 @@ module Rodauth
     )
 
     auth_methods(
-      :otp,
       :otp_exists?,
-      :otp_key,
       :otp_last_use,
       :otp_locked_out?,
       :otp_new_secret,

data/lib/rodauth/features/password_pepper.rb

@@ -0,0 +1,45 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:password_pepper, :PasswordPepper) do
+    depends :login_password_requirements_base
+
+    auth_value_method :password_pepper, nil
+    auth_value_method :previous_password_peppers, [""]
+    auth_value_method :password_pepper_update?, true
+
+    def password_match?(password)
+      if (result = super) && @previous_pepper_matched && password_pepper_update?
+        set_password(password)
+      end
+
+      result
+    end
+
+    private
+
+    def password_hash(password)
+      super(password + password_pepper.to_s)
+    end
+
+    def password_hash_match?(hash, password)
+      return super if password_pepper.nil?
+
+      return true if super(hash, password + password_pepper)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(hash, password + pepper)
+      end
+    end
+
+    def database_function_password_match?(name, hash_id, password, salt)
+      return super if password_pepper.nil?
+
+      return true if super(name, hash_id, password + password_pepper, salt)
+
+      @previous_pepper_matched = previous_password_peppers.any? do |pepper|
+        super(name, hash_id, password + pepper, salt)
+      end
+    end
+  end
+end

data/lib/rodauth/features/recovery_codes.rb

@@ -34,6 +34,7 @@ module Rodauth
     auth_value_method :add_recovery_codes_param, 'add'
     translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
     auth_value_method :auto_add_recovery_codes?, false
+    auth_value_method :auto_remove_recovery_codes?, false
     translatable_method :invalid_recovery_code_message, "Invalid recovery code"
     auth_value_method :recovery_codes_limit, 16
     auth_value_method :recovery_codes_column, :code
@@ -56,7 +57,6 @@ module Rodauth
       :can_add_recovery_codes?,
       :new_recovery_code,
       :recovery_code_match?,
-      :recovery_codes
     )
 
     route(:recovery_auth) do |r|
@@ -213,6 +213,21 @@ module Rodauth
       super
     end
 
+    def after_otp_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_sms_disable
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
+    def after_webauthn_remove
+      super if defined?(super)
+      auto_remove_recovery_codes
+    end
+
     def new_recovery_code
       random_key
     end
@@ -227,6 +242,12 @@ module Rodauth
       end
     end
 
+    def auto_remove_recovery_codes
+      if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
+        recovery_codes_remove
+      end
+    end
+
     def _recovery_codes
       recovery_codes_ds.select_map(recovery_codes_column)
     end

data/lib/rodauth/features/remember.rb

@@ -58,7 +58,9 @@ module Rodauth
         if [remember_remember_param_value, remember_forget_param_value, remember_disable_param_value].include?(remember)
           transaction do
             before_remember
+            # :nocov:
             case remember
+            # :nocov:
             when remember_remember_param_value
               remember_login
             when remember_forget_param_value
@@ -130,11 +132,15 @@ module Rodauth
       opts = Hash[remember_cookie_options]
       opts[:value] = "#{account_id}_#{convert_token_key(remember_key_value)}"
       opts[:expires] = convert_timestamp(active_remember_key_ds.get(remember_deadline_column))
+      opts[:path] = "/" unless opts.key?(:path)
+      opts[:httponly] = true unless opts.key?(:httponly)
       ::Rack::Utils.set_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def forget_login
-      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, remember_cookie_options)
+      opts = Hash[remember_cookie_options]
+      opts[:path] = "/" unless opts.key?(:path)
+      ::Rack::Utils.delete_cookie_header!(response.headers, remember_cookie_key, opts)
     end
 
     def get_remember_key

data/lib/rodauth/features/verify_account.rb

@@ -47,7 +47,6 @@ module Rodauth
       :get_verify_account_key,
       :get_verify_account_email_last_sent,
       :remove_verify_account_key,
-      :resend_verify_account_view,
       :send_verify_account_email,
       :set_verify_account_email_last_sent,
       :verify_account,
@@ -245,6 +244,12 @@ module Rodauth
       end
     end
 
+    def setup_account_verification
+      generate_verify_account_key_value
+      create_verify_account_key
+      send_verify_account_email
+    end
+
     private
 
     def _login_form_footer_links
@@ -276,12 +281,6 @@ module Rodauth
       super
     end
 
-    def setup_account_verification
-      generate_verify_account_key_value
-      create_verify_account_key
-      send_verify_account_email
-    end
-
     def verify_account_check_already_logged_in
       check_already_logged_in
     end

data/lib/rodauth/features/verify_login_change.rb

@@ -8,6 +8,7 @@ module Rodauth
     error_flash "Unable to change login as there is already an account with the new login", 'verify_login_change_duplicate_account'
     error_flash "There was an error verifying your login change: invalid verify login change key", 'no_matching_verify_login_change_key'
     notice_flash "Your login change has been verified"
+    notice_flash "An email has been sent to you with a link to verify your login change", 'change_login_needs_verification'
     loaded_templates %w'verify-login-change verify-login-change-email'
     view 'verify-login-change', 'Verify Login Change'
     additional_form_tags
@@ -131,7 +132,7 @@ module Rodauth
     end
 
     def change_login_notice_flash
-      "An email has been sent to you with a link to verify your login change"
+      change_login_needs_verification_notice_flash
     end
 
     def verify_login_change_old_login

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 3
+  MINOR = 8
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.8.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-21 00:00:00.000000000 Z
+date: 2021-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -237,28 +237,33 @@ extra_rdoc_files:
 - README.rdoc
 - CHANGELOG
 - MIT-LICENSE
-- doc/change_password_notify.rdoc
 - doc/account_expiration.rdoc
+- doc/active_sessions.rdoc
+- doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
 - doc/change_password.rdoc
-- doc/confirm_password.rdoc
+- doc/change_password_notify.rdoc
 - doc/close_account.rdoc
-- doc/http_basic_auth.rdoc
+- doc/confirm_password.rdoc
 - doc/create_account.rdoc
-- doc/email_base.rdoc
 - doc/disallow_common_passwords.rdoc
 - doc/disallow_password_reuse.rdoc
-- doc/password_complexity.rdoc
+- doc/email_auth.rdoc
+- doc/email_base.rdoc
+- doc/http_basic_auth.rdoc
 - doc/jwt.rdoc
+- doc/jwt_cors.rdoc
+- doc/jwt_refresh.rdoc
 - doc/lockout.rdoc
 - doc/login.rdoc
+- doc/login_password_requirements_base.rdoc
 - doc/logout.rdoc
 - doc/otp.rdoc
-- doc/login_password_requirements_base.rdoc
-- doc/jwt_cors.rdoc
+- doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/remember.rdoc
 - doc/reset_password.rdoc
@@ -268,16 +273,11 @@ extra_rdoc_files:
 - doc/two_factor_base.rdoc
 - doc/update_password_hash.rdoc
 - doc/verify_account.rdoc
-- doc/email_auth.rdoc
-- doc/jwt_refresh.rdoc
 - doc/verify_account_grace_period.rdoc
 - doc/verify_login_change.rdoc
 - doc/webauthn.rdoc
 - doc/webauthn_login.rdoc
 - doc/webauthn_verify_account.rdoc
-- doc/active_sessions.rdoc
-- doc/audit_logging.rdoc
-- doc/release_notes/1.17.0.txt
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
 - doc/release_notes/1.10.0.txt
@@ -287,7 +287,14 @@ extra_rdoc_files:
 - doc/release_notes/1.14.0.txt
 - doc/release_notes/1.15.0.txt
 - doc/release_notes/1.16.0.txt
+- doc/release_notes/1.17.0.txt
+- doc/release_notes/1.18.0.txt
+- doc/release_notes/1.19.0.txt
 - doc/release_notes/1.2.0.txt
+- doc/release_notes/1.20.0.txt
+- doc/release_notes/1.21.0.txt
+- doc/release_notes/1.22.0.txt
+- doc/release_notes/1.23.0.txt
 - doc/release_notes/1.3.0.txt
 - doc/release_notes/1.4.0.txt
 - doc/release_notes/1.5.0.txt
@@ -295,16 +302,15 @@ extra_rdoc_files:
 - doc/release_notes/1.7.0.txt
 - doc/release_notes/1.8.0.txt
 - doc/release_notes/1.9.0.txt
-- doc/release_notes/1.18.0.txt
-- doc/release_notes/1.19.0.txt
-- doc/release_notes/1.20.0.txt
-- doc/release_notes/1.21.0.txt
-- doc/release_notes/1.22.0.txt
-- doc/release_notes/1.23.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -357,6 +363,7 @@ files:
 - doc/password_complexity.rdoc
 - doc/password_expiration.rdoc
 - doc/password_grace_period.rdoc
+- doc/password_pepper.rdoc
 - doc/recovery_codes.rdoc
 - doc/release_notes/1.0.0.txt
 - doc/release_notes/1.1.0.txt
@@ -386,6 +393,11 @@ files:
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
+- doc/release_notes/2.4.0.txt
+- doc/release_notes/2.5.0.txt
+- doc/release_notes/2.6.0.txt
+- doc/release_notes/2.7.0.txt
+- doc/release_notes/2.8.0.txt
 - doc/remember.rdoc
 - doc/reset_password.rdoc
 - doc/session_expiration.rdoc
@@ -429,6 +441,7 @@ files:
 - lib/rodauth/features/password_complexity.rb
 - lib/rodauth/features/password_expiration.rb
 - lib/rodauth/features/password_grace_period.rb
+- lib/rodauth/features/password_pepper.rb
 - lib/rodauth/features/recovery_codes.rb
 - lib/rodauth/features/remember.rb
 - lib/rodauth/features/reset_password.rb
@@ -528,7 +541,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
 summary: Authentication and Account Management Framework for Rack Applications