rodauth 2.36.0 → 2.37.0

data/doc/release_notes/1.5.0.txt

@@ -1,74 +0,0 @@
-= jwt Feature Additions/Improvements 
-
-* JSON format responses now have the response content type set to
-  application/json.
-
-* The jwt feature now does not break if HTTP Basic or Digest
-  authentication is used.
-
-* If jwt_check_accept? is true, Rodauth will return a 406 error if
-  a request Accept header is provided and it does not indicate that
-  JSON is acceptable.
-
-* Many new configuration methods have been added:
-
-  * invalid_jwt_format_error_message: The error message to use when a
-    JWT with an invalid format is submitted in the Authorization
-    header.
-
-  * json_accept_regexp: The regexp to use to check the Accept header
-    for JSON if jwt_check_accept? is true.
-
-  * json_not_accepted_error_message: The error message to display if
-    jwt_check_accept? is true and the Accept header is present but
-    does not match json_request_content_type_regexp.
-
-  * json_request_content_type_regexp: The regexp to use to recognize
-    a request as a json request.
-
-  * json_response_content_type: The content type to set for json
-    responses, application/json by default.
-
-  * jwt_authorization_ignore: A regexp matched against the
-    Authorization header, which skips JWT processing if it matches.
-    By default, HTTP Basic and Digest authentication are ignored.
-
-  * jwt_authorization_remove: A regexp to remove from the
-    Authorization header before processing the JWT.  By default, a
-    Bearer prefix is removed.
-
-  * jwt_check_accept?: Whether to check the Accept header to see if
-    the client supports JSON responses, false by default for backwards
-    compatibility.
-
-  * session_jwt: An encoded JWT for the current session.
-
-  * use_jwt?: Whether to use the JWT in the Authorization header for
-    authentication information.  If false, falls back to using the
-    rack session. By default, the Authorization header is used if it
-    is present, if only_json? is true, or if the request uses a json
-    content type.
-
-= jwt Feature Backwards Compatibility Issues
-
-* The only_json? setting in the jwt feature is now only true by
-  default if the :json=>:only option was used when loading the
-  rodauth plugin into the roda app.  Previously, it was always true,
-  but it only was considered in requests to Rodauth endpoints.  It
-  now also is considered in most Rodauth calls, and if true will use
-  an empty session instead of falling back to the rack session if an
-  Authorization header is not present.
-
-* Previously, the jwt feature only handled requests where the
-  request content-type is JSON.  It now also handles non-JSON
-  requests if the Authorization header is present or if only_json?
-  is true.
-
-* If an invalid JWT format is used in the Authorization header,
-  Rodauth now returns a 400 error, instead of raising an exception.
-
-= Other Improvements
-
-* A template_opts configuration method has been added, for
-  overriding the view/render options.  One possible use for this is
-  to specify a non-default layout.

data/doc/release_notes/1.6.0.txt

@@ -1,37 +0,0 @@
-= New Feature
-
-* An http_basic_auth feature has been added, allowing the use of
-  HTTP Basic Auth to login.
-
-= New Configuration Options for jwt Feature
-
-* jwt_session_hash has been added, for modifying the hash given before
-  creating the JWT.  This can be used for setting JWT claims.
-  Example:
-
-    jwt_session_hash do
-      super().merge(:exp=>Time.now.to_i + 120)
-    end
-
-* jwt_decode_opts has been added for specifying additional options to
-  JWT.decode. Among other things, this allows for JWT claim
-  verification. Example:
-
-    jwt_decode_opts(:verify_expiration=>true)
-
-* jwt_session_key has been added, specifying a key in the JWT that
-  will be used to store session information, instead of storing
-  session keys in the root of the JWT.  Use of this option can avoid
-  issues with reserved JWT claim names, and will probably be enabled
-  by default starting in Rodauth 2.
-
-* jwt_symbolize_deeply? configuration method has been added, for
-  whether to symbolize nested keys when decoding a JWT session hash.
-
-= Other Improvements
-
-* The reset_password feature no longer attempts to render a template
-  in json-only mode.
-
-* The jwt_payload method is now memoized by default.
-

data/doc/release_notes/1.7.0.txt

@@ -1,6 +0,0 @@
-= Improvements
-
-* The reset password, unlock account, and verify account features now
-  temporarily store the feature-specific keys in the session instead
-  of keeping them as parameters, which avoids leaking the keys to
-  asset hosts or other external servers via the HTTP Referer header.

data/doc/release_notes/1.8.0.txt

@@ -1,14 +0,0 @@
-= Improvements
-
-* When using a browser, Rodauth now uses an appropriate 401, 403,
-  or 422 error status for errors instead of using 200 success status.
-  Many configuration methods have been added to customize the status
-  codes used for specific types of errors.
-
-* The json_response_custom_error_status? configuration method
-  has been added to the jwt feature, which if set to true makes
-  the jwt feature use the same error status codes for JSON API
-  requests that it would use for browser requests.  For backward
-  compatibility, the default is to continue to use the 400
-  error status for all errors in the JSON API, but this will
-  change in Rodauth 2.

data/doc/release_notes/1.9.0.txt

@@ -1,15 +0,0 @@
-= New Features
-
-* Roda.precompile_rodauth_templates has been added.  This method
-  allows for precompiling the templates that rodauth uses, which
-  allows for memory saving when using a forking webserver that
-  preloads the application, and also allows Rodauth to be used
-  with an application that uses chroot after loading.
-
-= Improvements
-
-* If requesting a password reset link more than once, the same
-  password reset key will be used.  Previously, subsequent
-  emails after the first request would contain an invalid key,
-  so if the email for the original request was lost, you could
-  not generate another key until that key expired.

data/doc/release_notes/2.0.0.txt

@@ -1,361 +0,0 @@
-= New Features
-
-* A webauthn feature has been added, allowing multifactor
-  authentication using WebAuthn.  It allows for registering multiple
-  WebAuthn authenticators per account, authenticating using
-  WebAuthn, and removing WebAuthn authenticators.  This feature
-  depends on the webauthn gem.
-
-  WebAuthn in browsers requires javascript to work, but Rodauth's
-  approach has the javascript set hidden form inputs and then use a
-  standard form submission, making it easy to test applications
-  using WebAuthn without a full browser, as long as a software
-  WebAuthn authenticator can be used (the webauthn gem provides
-  such an authenticator).
-
-* A webauthn_login feature has been added, allowing passwordless
-  logins using WebAuthn.
-
-* A webauthn_verify_account feature has been added, which requires
-  setting up a WebAuthn authenticator during account verification.
-  This allows for setups where WebAuthn is the sole method of
-  authentication.
-
-* An active_sessions feature has been added, which disallows
-  session reuse after logout, and allows for a global logout of all
-  sessions for the account.  It also supports inactivity and
-  lifetime deadlines for sessions.  This also integrates with the
-  jwt_refresh feature to disable JWT access token usage after
-  logout.
-
-* An audit_logging feature has been added, which logs Rodauth
-  actions to a database table.  This hooks into all of Rodauth's
-  after_* hooks, and will implement audit logging for all
-  features that use such hooks.
-
-* The confirm_password feature can now operate as multifactor
-  authentication if the user has a password but was originally
-  authenticated using the webauthn_login feature.
-
-* The multifactor authentication support now better handles
-  multiple multifactor authentication methods.  When setting up
-  multifactor authentication, a page is provided linking to all
-  enabled multifactor authentication options.  When authenticating
-  via an additional factor, a page is provided linking to all
-  multifactor authentication options that have been setup and are
-  available for use.  There is also a page to disable all multifactor
-  authentication methods that have been setup, and revert to single
-  factor authentication.
-
-  To provide a better user experience, if there would only be a
-  single link on the pages to setup multifactor authentication
-  or authenticate with an additional factor, the user is redirected
-  directly to the appropriate page.
-
-* A translate configuration method has been added.  This is called
-  with a translation key and default value for the translation, and
-  allows for internationalizing Rodauth.  All translatable strings
-  are passed through this method, including flash messages, page
-  titles, button text, field error messages, and link texts.
-
-* login_return_to_requested_location? and
-  two_factor_auth_return_to_requested_location? configuration methods
-  have been added.  With these methods set to true, if
-  rodauth.require_login needs to redirect, it will store the current
-  page, and after logging in, the user will be redirected back to the
-  page.  Likewise, if rodauth.require_two_factor_authenticated needs
-  to redirect, it will store the current page, and after multifactor
-  authentication, the user will be redirected back to the page.
-
-* domain and base_url configuration methods have been added and it is
-  recommended that applications use them if they can be reached with
-  arbitrary Host headers.  If not set, Rodauth will use information
-  from the request, which can be provided by an attacker.
-
-* The *_url and *_path methods now accept an optional hash of query
-  parameters to use.
-
-* Many Rodauth forms will now use appropriate autocomplete and
-  inputmode attributes on form inputs.  You can modify the behavior
-  using the following configuration methods:
-  
-  * autocomplete_for_field?
-  * inputmode_for_field?
-  * mark_input_fields_with_autocomplete?
-  * mark_input_fields_with_inputmode?
-
-* An sms_phone_input_type configuration method has been added and
-  now defaults to tel.  Previous, the SMS phone input used a text
-  type.
-
-* rodauth.require_password_authentication has been added to the
-  confirm_password_feature, which will redirect to the login page
-  if not logged in, and will redirect to the confirm password page
-  if the user was logged in without typing in a password.  If the
-  password_grace_period feature is used, this also redirects if
-  the password has not been entered recently.
-
-* rodauth.authenticated_by has been added, which is an array of
-  strings for all methods by which the current session has been
-  authenticated, or nil if the session has not been authenticated.
-
-* rodauth.possible_authentication_methods has been added, which is
-  an array of strings for all methods by which the current session
-  could be authenticated.
-
-* rodauth.autologin_type now returns the type of autologin used if
-  authenticated using autologin.
-
-* All *_view configuration methods now have *_page_title
-  configuration methods for setting custom page titles.
-
-= Other Improvements
-
-* The templates Rodauth uses by default are now compatible with
-  Bootstrap 4, and compatibility with Bootstrap 3 (which Rodauth
-  previously targeted) has been improved.
-
-* When requesting a password reset, if the user provides an invalid
-  login, an input for the login is now displayed so the problem
-  can be corrected.
-
-* When setting up an additional multifactor authentication method,
-  Rodauth no longer overrides which multifactor authentication method
-  was used to authenticate the current session.
-
-* When disabling a multifactor authentication method that was not
-  used to authenticate the current session, the session remains
-  multifactor authenticated.
-
-* When multiple multifactor authentication methods are setup for
-  an account, disabling a multifactor authentication method will not
-  mark the session as not having multifactor authentication enabled.
-
-* When disabling OTP authentication, future calls to
-  rodauth.otp_exists? will return false instead of true.
-
-* Recovery codes are no longer generated automatically when OTP or
-  SMS authentication is setup.  There is no point generating codes
-  that the user has not yet viewed, and generating them automatically
-  will disable automatic redirections in the cases where only one
-  multifactor authentication method is setup.  This can be turned
-  back on using the auto_add_recovery_codes? configuration method.
-
-* The OTP setup page now displays better on phones and other devices
-  with small viewports.
-
-* Links and alternative login forms shown on the login page are
-  now in a specific order and not based on the order in which
-  features were enabled.
-
-* The link to resend the verify account email is not shown on the
-  multi-phase login page after the login has been entered if the
-  account has already been verified.
-
-* The modifications_require_password? configuration method now
-  defaults to false for accounts that do not have a password.
-
-* Multifactor authentication is no longer allowed using the same
-  factor type as used for initial authentication.  Previously,
-  no multifactor authentication type could be used for initial
-  authentication, so this wasn't an issue.
-
-* The verify login change page no longer calls already_logged_in
-  if the session is already logged in.  This method is documented
-  to only be called on pages that expect not to be already logged
-  in, and it's common to access the verify login change page
-  while being logged in, since you need to be logged in to go to
-  the change login page.  The default behavior of already_logged_in
-  is to do nothing, so this only affects you if you have used the
-  already_logged_in configuration method.
-
-* If using the email_auth and verify_account_grace_period features
-  together, do not show email authentication as an option for
-  unverified accounts during the grace period.
-
-* In the lockout feature, generate the unlock account key before
-  calling send_unlock_account_email, similar to how key generation
-  happens in other features that send email.  This makes it easier
-  to override the method.
-
-* Various method visibility issues have been fixed, so that
-  enabling any feature that ships with Rodauth will not affect
-  visibility of methods for features already enabled.
-
-* All Rodauth configuration methods (over 1000) are now documented.
-
-= Backwards Compatibility
-
-* The verify_change_login feature has been removed.  Users should
-  switch to the verify_login_change feature, which verifies the
-  new login works correctly before switching the login.
-
-* For CSRF protection, Roda's route_csrf plugin is now used by
-  default instead of rack_csrf.  This supports request specific
-  CSRF tokens by default.  The :csrf=>:rack_csrf plugin option
-  can be used to continue using rack_csrf.
-
-  Roda's route_csrf allows for per-route checking of the CSRF token,
-  and support for that is enabled for all Rodauth routes.  However,
-  if you were using Rodauth without explicitly loading rack_csrf,
-  these changes could remove CSRF support from your application.
-  You should probably load Roda's route_csrf plugin explicitly and
-  use it in your Roda routing tree if you want CSRF protection for
-  non-Rodauth routes.  You can use the new check_csrf_opts and
-  check_csrf_block to customize options to pass to check_csrf!, or
-  set check_csrf? false to disable calling check_csrf!.
-
-* Email rate limiting is now enabled by default in the lockout,
-  reset_password, and verify_account features.  This requires
-  adding a column to store the last email sent time to the
-  related tables, if the tables were created without one:
-
-    DB.add_column :account_password_reset_keys, :email_last_sent,
-      DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    DB.add_column :account_verification_keys, :email_last_sent,
-      DateTime, :null=>false, :default=>Sequel::CURRENT_TIMESTAMP
-    DB.add_column :account_lockouts, :email_last_sent, DateTime
-
-  Alternatively, you can set the appropriate configuration method
-  (e.g. verify_account_email_last_sent_column) to nil to disable
-  rate limiting.
-
-* The http_basic_auth feature has been changed significantly.
-  You should now call rodauth.http_basic_auth in the routing tree
-  to load authentication information from the Authorization
-  request header, similar to how rodauth.load_memory works in the
-  remember feature.
-
-  The require_http_basic_auth configuration method has been renamed
-  to require_http_basic_auth?.  rodauth.require_http_basic_auth?
-  should now be used to check whether HTTP basic auth is required.
-  rodauth.require_http_basic_auth now requires that HTTP basic
-  auth is provided in the request.
-
-  To be more backwards compatible, if not already logged in,
-  rodauth.require_login will load HTTP basic auth information if
-  available, and will require HTTP basic auth if
-  require_http_basic_auth? is configured.
-
-* If using the Bootstrap 3/4 compatibility, the forms used are
-  now standard (vertical) Bootstrap forms.  Previously, they were
-  horizontal forms.
-
-* Most of the strings related to multifactor authentication have
-  been changed to refer to multifactor authentication instead of
-  two factor authentication, or changed to refer to a specific
-  multifactor authentication type (such as TOTP), as appropriate.
-
-* Periods at the end of some default flash messages have been
-  removed for consistency.
-
-* The remember feature no longer depends on the confirm_password
-  feature.  You must now enable confirm_password separately if you
-  want to use it.
-
-* Login confirmation is no longer required by default when
-  verifying accounts or verifying login changes.  In both cases,
-  entering an invalid login causes no problems.
-
-* The otp_drift configuration method now defaults to 30, to allow
-  30 seconds of drift.  The previous setting of nil generally
-  resulted in usability problems, especially without good clock
-  synchronization.
-
-* The json_response_custom_error_status? configuration method now
-  defaults to true, so that custom error statuses are now used by
-  default, instead of a generic 400 response.
-
-* The jwt_check_accept? configuration method now defaults to true,
-  so that the request Accept header is checked.
-
-* The verify_account_set_password? configuration method now defaults
-  to true, so that passwords will be set when verifying accounts
-  instead of when creating accounts.  This prevents issues when
-  an attacker creates an account with a password they know, if the
-  user with access to the email address verifies the account.
-
-* The mark_input_fields_as_required? configuration method now defaults
-  to true.  Most of rodauth's input fields are required, and this
-  provides a nicer experience.  However, it may cause accessibility
-  issues if screen readers do not handle invalid form submissions due
-  to missing required fields in an accessible manner.
-
-* The login_input_type configuration method now defaults to email if
-  login_column is :email (the default setting).  This can cause
-  accessibility issues if screen readers do not handle invalid form
-  submissions due to an invalid login field format in an accessible
-  manner.  It can also break installations that leave login_column
-  as :email but do not use email addresses for logins.
-
-* The json_response_success_key configuration method now defaults to
-  success, so success messages are included by default.  This can be
-  set back to nil to not include them.
-
-* The single_session and session_expiration plugin now use a
-  configurable error status code for JSON requests when the session
-  has expired, using inactive_session_error_status and
-  session_expiration_error_status configuration methods,
-  respectively.
-
-* If you are using the jwt_refresh feature and used the migration
-  previously recommended in the README, you should mark the account_id
-  field as NOT NULL and add an index:
-
-    DB.alter_table(:account_jwt_refresh_keys) do
-      set_column_not_null :account_id
-      add_index :account_id, :name=>:account_jwt_rk_account_id_idx
-    end
-
-* The otp authentication form no longer shows SMS or recovery code
-  information on failure.  The multifactor authentication page will
-  have links to SMS or recovery code authentication if they have been
-  setup, and will redirect or show the appropriate links to those
-  authentication methods if OTP authentication gets locked out.
-
-* Disabling OTP authentication no longer automatically disables SMS
-  authentication and recovery codes, and disabling SMS authentication
-  no longer disables recovery codes.  To disable all multifactor
-  authentication methods at once, the new multifactor authentication
-  disable page should be used.  If you want to revert to the previous
-  behavior of automatic disabling, override after_otp_disable to
-  disable SMS and recovery codes, and override after_sms_disable to
-  disable recovery codes.
-
-* HTML id attributes in the recovery_codes and remember features have
-  been modified to use - instead of _, for consistency with all other
-  Rodauth features.
-
-* Ruby 1.8 support has been dropped.  The minimum supported version is
-  now Ruby 1.9.2.  Support for versions of Ruby that are no longer
-  supported by ruby-core may be dropped in future minor releases if
-  keeping the support becomes a maintenance issue.
-
-* The following configuration methods have been replaced:
-
-  * create_account_link -> create_account_link_text
-  * reset_password_request_link -> reset_password_request_link_text
-  * verify_account_resend_link -> verify_account_resend_link_text
-
-  The new methods take only the text of the link, the path to link
-  to can already be determined by Rodauth.
-
-* The following configuration methods have been removed:
-
-  * account_model
-  * attempt_to_create_unverified_account_notice_message
-  * attempt_to_login_to_unverified_account_notice_message
-  * before_otp_authentication_route
-  * clear_remembered_session_key
-  * no_matching_email_auth_key_message
-  * no_matching_reset_password_key_message
-  * no_matching_unlock_account_key_message
-  * no_matching_verify_account_key_message
-  * no_matching_verify_login_change_key_message
-  * remembered_session_key
-  * two_factor_session_key
-
-  Most of these methods were already deprecated.
- 
-* Route blocks in external Rodauth features must now have an arity
-  of 1.

data/doc/release_notes/2.1.0.txt

@@ -1,31 +0,0 @@
-= New Features
-
-* A check_csrf configuration method has been added for checking
-  the CSRF token.  This is useful in cases where the CSRF protection
-  is provided by something other than the Roda route_csrf plugin.
-
-= Other Improvements
-
-* When using the http_basic_auth feature, logged_in? now checks for
-  Basic authentication if the session is not already authenticated
-  and Basic authentication has not yet been checked.  This increases
-  compatibility for applications that were using the http_basic_auth
-  feature in Rodauth 1.
-
-* When creating accounts, the password field now correctly uses the
-  new-password autocomplete attribute instead of the current-password
-  autocomplete attribute.
-
-* When using the jwt feature, Rodauth no longer checks CSRF tokens
-  in requests to Rodauth routes if the request submitted is a JSON
-  request, includes a JWT, or Rodauth has been configured in JSON-only
-  mode.
-
-* When using the verify_account_grace_period feature, if there is an
-  unverified account without a password, do not consider the account
-  open.  Attempting to login into the account in such a case now
-  shows a message letting the user know to verify the account.
-
-* The json_response_body configuration method is now used consistently
-  in the jwt feature for all JSON responses.  Previously, there were
-  some cases that did not use it.

data/doc/release_notes/2.10.0.txt

@@ -1,47 +0,0 @@
-= New Features
-
-* An argon2 feature has been added that supports using the argon2
-  password hashing algorithm instead of the bcrypt password hashing
-  algorithm.  While argon2 does not provide an advantage over bcrypt
-  if the attacker cannot access the password hashes directly (which
-  is how Rodauth is recommended to be used), in cases where attackers
-  can access the password hashes directly, argon2 is thought to be
-  more difficult or expensive to crack due to requiring more memory
-  (bcrypt is not a memory-hard password hash algorithm).
-
-  If you are using this feature with Rodauth's database authentication
-  functions, you need to make sure that the database authentication
-  functions are configured to support argon2 in addition to bcrypt.
-  You can do this by passing the :argon2 option when calling the
-  method to define the database functions.  In this example, DB should
-  be your Sequel::Database object (this could be self if used in a
-  Sequel migration):
-
-    require 'rodauth/migrations'
-
-    # If the functions are already defined and you are not using PostgreSQL,
-    # you need to drop the existing functions.
-    Rodauth.drop_database_authentication_functions(DB)
-
-    # If you are using the disallow_password_reuse feature, also drop the
-    # database functions related to that if you are not using PostgreSQL:
-    Rodauth.drop_database_previous_password_check_functions(DB)
-
-    # Define new functions that support argon2:
-    Rodauth.create_database_authentication_functions(DB, argon2: true)
-
-    # If you are using the disallow_password_reuse feature, also define
-    # new functions that support argon2 for that:
-    Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
-
-  You can transparently migrate bcrypt password hashes to argon2
-  password hashes whenever a user successfully uses their password
-  by using the argon2 feature in combination with the
-  update_password_hash feature.
-
-= Other Improvements
-
-* Unnecessary queries to determine whether the new password matches
-  a previous password are now skipped when using the create_account
-  or verify_account features with the disallow_password_reuse
-  feature.

data/doc/release_notes/2.11.0.txt

@@ -1,31 +0,0 @@
-= New Features
-
-* An :auth_class rodauth plugin option has been added, allowing a user
-  to specify a specific Rodauth::Auth subclass to use, instead of
-  always using a new subclass of Rodauth::Auth.  This is designed for
-  advanced configurations or other frameworks that build on top of
-  Rodauth, which may want to customize the Rodauth::Auth subclasses to
-  use.
-
-* Two additional configuration methods have been added for easier
-  translatability, fixing issues where English text was hardcoded:
-
-  * same_as_current_login_message (change_login feature)
-  * contains_null_byte_message (login_password_requirements_base
-    feature)
-
-= Other Improvements
-
-* Loading the rodauth plugin multiple times in the same application
-  with different blocks now works better.  The same context is now
-  shared between the blocks, so you can load features in one block
-  and call configuration methods added by the feature in the other
-  block.  Previously, you could only call configuration methods in
-  the block that added the feature, and enabling a feature in a
-  block that was already enabled in a previous block did not allow
-  the use of configuration methods related to the feature.
-
-* Passing a block when loading the rodauth plugin is now optional.
-
-* The autocomplete attribute on the reset password form now uses
-  new-password instead of current-password.

data/doc/release_notes/2.12.0.txt

@@ -1,17 +0,0 @@
-= New Features
-
-* The following configuration methods have been added to the
-  active_sessions feature:
-
-  * active_sessions_insert_hash
-  * active_sessions_key
-  * active_sessions_update_hash
-  * update_current_session?
-
-  These methods allow you to control what gets inserted and
-  updated into the active_sessions_table, and to control
-  whether to perform updates.
-
-= Other Improvements
-
-* A typo was fixed in the default unlock account email.

data/doc/release_notes/2.13.0.txt

@@ -1,19 +0,0 @@
-= New Features
-
-* A set_error_reason configuration method has been added.  This method
-  is called whenever a error occurs in Rodauth, with a symbol
-  describing the error.  The default implementation of this method does
-  nothing, it has been added to make it easier for Rodauth users to
-  implement custom handling for specific error types.  See the Rodauth
-  documentation for this method to see the list of symbols this method
-  can be called with.
-
-= Other Improvements
-
-* When using active_sessions and jwt_refresh together, and allowing for
-  expired JWTs when refreshing, you can now call
-  rodauth.check_active_session before r.rodauth.  Previously, this
-  did not work, and you had to call rodauth.check_active_session
-  after r.rodauth.
-
-* The default templates now also support Bootstrap 5.

data/doc/release_notes/2.14.0.txt

@@ -1,17 +0,0 @@
-= New Features
-
-* A remembered_session_id method has been added for getting the
-  account id from a valid remember token, without modifying the
-  session to log the account in.
-
-= Other Improvements
-
-* The jwt_refresh feature's support for allowing refresh with
-  an expired access token now works even if the Rodauth
-  configuration uses an incorrect prefix.
-
-* The internal account_in_unverified_grace_period? method now
-  returns false if an account has not been loaded and the
-  session has not been logged in. Previously, calling this
-  method in such cases would result in an exception being
-  raised.