rodauth 2.36.0 → 2.37.0

data/doc/release_notes/2.15.0.txt

@@ -1,48 +0,0 @@
-= New Features
-
-* An internal_request feature has been added.  This feature allows
-  for interacting with Rodauth by calling methods, instead of having
-  to use a website or JSON API.  This feature is designed primarily
-  for administrative use, so that administrators can create accounts,
-  change passwords or logins for accounts, and handle similar actions
-  without the user of the account being involved.
-
-  For example, assuming you've loaded the change_password and
-  internal_request features, and that your Roda class that
-  is loading Rodauth is named App, you can change the password
-  for the account with id 1 using:
-
-    App.rodauth.change_password(account_id: 1, password: 'foobar')
-
-  The internal request methods are implemented as class methods
-  on the Rodauth::Auth subclass (the object returned by App.rodauth).
-  These methods call methods on a subclass of that class specific
-  to internal requests.
-
-  The reason the feature is named internal_request is that these
-  methods are implemented by submitting a request internally, that is
-  processed almost exactly the same way as Rodauth would process a
-  web request.
-
-  See the internal_request feature documentation for details on which
-  internal request methods are available and the options they take.
-
-* A path_class_methods feature has been added, that allows for calling
-  *_path and *_url as class methods.  If you would like to call the
-  *_url methods as class methods, make sure to use the base_url
-  configuration method to set the base URL so that it does not require
-  request-specific information.
-
-* Rodauth::Auth classes now have a configuration_name method that
-  returns the configuration name associated with the class. They also
-  have a configuration method that returns the configuration
-  associated with the class.
-
-* Rodauth::Feature now supports an internal_request_method method for
-  specifying which methods are supported as internal request methods.
-
-= Other Improvements
-
-* The default base_url configuration method will now use the domain
-  method to get the domain to use, instead of getting the domain
-  information directly from the request environment.

data/doc/release_notes/2.16.0.txt

@@ -1,20 +0,0 @@
-= New Features
-
-* Rodauth.lib has been added for using Rodauth purely as a library,
-  useful in non-web applications:
-
-    require 'rodauth'
-    rodauth = Rodauth.lib do
-      enable :create_account, :change_password
-    end
-    rodauth.create_account(login: 'foo@example.com', password: '...')
-    rodauth.change_password(account_id: 24601, password: '...')
-
-  This is built on top of the internal_request feature, and works by
-  creating a Roda application with the rodauth plugin, and returning
-  the related Rodauth::Auth class.
-
-= Other Improvements
-
-* The internal_request feature now works correctly for configurations
-  where only_json? is set to true.

data/doc/release_notes/2.17.0.txt

@@ -1,10 +0,0 @@
-= Improvements
-
-* The jwt_refresh feature now works for unverified accounts when using
-  the verify_account_grace_period feature.
-
-* When trying to create an account that already exists but is
-  unverified, Rodauth now returns a 4xx response.
-
-* When trying to login to an unverified account, Rodauth now returns a
-  4xx response.

data/doc/release_notes/2.18.0.txt

@@ -1,27 +0,0 @@
-= New Features
-
-* When using the json and multifactor auth features, the JSON API can
-  now access the multifactor-manage route to get lists of endpoints
-  for setting up and disabling supported multifactor authentication
-  methods.  The JSON API can now also access the multifactor-auth
-  route to get a list of endpoints for multifactor authentication for
-  the currently logged in account.
-
-= Other Improvements
-
-* In the otp feature, the viewbox: true rqrcode option is now used
-  when creating the QR code.  This results in a QR code that is
-  displayed better and is easier to style.  This option only has
-  an effect when using rqrcode 2+.
-
-* When using the :auth_class option when loading the rodauth plugin,
-  the configuration name is set in the provided auth class, unless the
-  auth class already has a configuration name set.
-
-* The example migration now recommends using a partial index on the
-  email column in cases where the database supports partial indexes.
-  Previously, it only recommended it on PostgreSQL.
-
-* The argon2 feature now works with argon2 2.1.0.  Older versions of
-  Rodauth work with both earlier and later versions of argon2, but
-  not 2.1.0.

data/doc/release_notes/2.19.0.txt

@@ -1,61 +0,0 @@
-= New Features
-
-* A login_maximum_bytes configuration method has been added, setting
-  the maximum bytes allowed in a login.  This was added as
-  login_maximum_length sets the maximum length in characters. It's
-  possible a different number of maximum bytes than maximum
-  characters is desired by some applications, and since the database
-  column size may be enforced in bytes, it's useful to have a check
-  before trying a database query that would raise an exception. This
-  default value for login_maximum_bytes is 255, the same as the
-  default value for login_maximum_length.
-  
-  A login_too_many_bytes_message configuration method has been added
-  for customizing the error message if a login has too many bytes.
-
-* password_maximum_length and password_maximum_bytes configuration
-  methods have been added, specifying the maximum size of passwords
-  in characters and bytes, respectively.  Both configurations default
-  to nil, meaning no limit, so there is no change in default behavior.
-  
-  The bcrypt algorithm only uses the first 72 bytes of a password, and
-  in some environments it may be desirable to reject passwords over
-  that limit.  password_too_long_message and
-  password_too_many_bytes_message configuration methods have been
-  added for customizing the error messages used for passwords that are
-  too long.
-  
-  Note that in most environments, if you want to support passwords
-  over 72 bytes and have the entire password be considered, you should
-  probably use the argon2 feature.
-
-= Other Improvements
-
-* The subclass created by the internal_request feature is now set
-  to the InternalRequest constant on the superclass, mostly to
-  make identifying it easier in inspect output.
-
-* Support has been improved for custom Rodauth::Auth subclasses that
-  load features before the subclass is loaded into Roda, by delaying
-  the call to post_configure until the subclass is loaded into Roda.
-  Among other things, this fixes the use of the internal_request
-  feature in such classes.
-
-* Multi-level inheritance of Rodauth::Auth is now supported. This can
-  be useful as a way to share custom authentication settings between
-  multiple Rodauth configurations.  However, users of multi-level
-  inheritance should be careful not to load features in subclasses
-  that override custom settings in superclasses.
-
-= Other
-
-* Rodauth's primary discussion forum is now GitHub Discussions. The
-  rodauth Google Group is still available for users who would prefer
-  to use that instead.
-
-= Backwards Compatibility
-
-* The addition of login_maximum_bytes with a default value of 255 is
-  backwards incompatible for applications that want to support logins
-  with multibyte characters where the number of characters in the
-  login is at or below 255, but the number of bytes is above 255.

data/doc/release_notes/2.2.0.txt

@@ -1,39 +0,0 @@
-= New Features
-
-* When using the jwt_refresh feature, you can remove the current
-  refresh token when logging out by submitting the refresh token
-  in the logout request, the same as when submitting the refresh
-  token to obtain a new refresh token.  You can also use a value
-  of "all" instead of the refresh token to remove all refresh
-  tokens when logging out.
-
-* A rodauth.otp_last_use method has been added to the otp feature,
-  allowing you to determine when the otp was last used.
-
-= Other Improvements
-
-* When using multifactor authentication, rodauth.authenticated? and
-  rodauth.require_authentication now cache values in the session and
-  do not perform queries every time they are called.
-
-* Many guides for common scenarios have been added to the
-  documentation.  These augment Rodauth's existing comprehensive
-  feature documentation, which is aimed to be more of a reference
-  and less of a guide.
-
-* When the verify_account_grace_period and email_auth features are
-  used with a multifactor authentication feature, and the
-  verify_account_set_password? configuration method is set to true,
-  Rodauth no longer raises a NoMethodError when checking if the
-  session was authenticated.
-
-* In the verify_account feature, if verify_account_email_resend
-  returns false indicating no email was sent, an error message
-  is now used, instead of a success message.
-
-* In the password_complexity feature, the password_dictionary
-  configuration method was previously ignored if the default
-  password dictionary file existed.
-
-* Rodauth and all features that ship with it now have 100% branch
-  coverage.

data/doc/release_notes/2.20.0.txt

@@ -1,10 +0,0 @@
-= Improvements
-
-* When using the active_sessions and remember features together,
-  doing a global logout will automatically remove the remember key for
-  the account, so the account will no longer be able to automatically
-  create new sessions using the remember key.
-
-* The default value of webauthn_rp_id now removes the port from the
-  origin if it exists, since the WebAuthn spec does not allow ports
-  in the relying party identifier.

data/doc/release_notes/2.21.0.txt

@@ -1,28 +0,0 @@
-= Improvements
-
-* When using the verify_account_grace_period feature, if the grace
-  period has expired for currently logged in session, require_login
-  will clear the session and redirect to the login page.  This is
-  implemented by having the unverified_account_session_key store the
-  time of expiration, as an integer.
-
-* The previously private require_account method is now public. The
-  method is used internally by Rodauth to check that not only is the
-  current session logged in, but also that the account related to the
-  currently logged in session still exists in the database.  The only
-  reason you would want to call require_account instead of
-  require_authentication is if you want to handle cases where there
-  can be logged in sessions for accounts that have been deleted.
-
-* Rodauth now avoids an unnecessary bcrypt hash calculation when
-  updating accounts when using the account_password_hash_column
-  configuration method.
-
-* When WebAuthn token last use times are displayed, Rodauth now uses a
-  fixed format of YYYY-MM-DD HH:MM:SS, instead of relying on
-  Time#to_s.  If this presents an problem for your application, please
-  open an issue and we can add a configuration method to control
-  the behavior.
-
-* A typo in the default value of global_logout_label in the
-  active_sessions feature has been fixed.

data/doc/release_notes/2.22.0.txt

@@ -1,43 +0,0 @@
-= New Features
-
-* Rodauth now ignores parameters containing ASCII NUL bytes ("\0") by
-  default.  You can customize this behavior using the
-  null_byte_parameter_value configuration method.
-
-* A reset_password_notify feature has been added for emailing users
-  after successful password resets.
-
-* External features can now use the email method inside their
-  feature definitions to DRY up the creation of email configuration
-  methods. The email method will setup the following configuration
-  methods for the feature:
-
-  * ${name}_email_subject
-  * ${name}_email_body
-  * create_${name}_email
-  * send_${name}_email
-
-= Other Improvements
-
-* The active_sessions feature now correctly handles logouts for
-  sessions that were created before the active_sessions feature was
-  added to the Rodauth configuration.
-
-* The change_password_notify feature now works correctly when using
-  template precompilation.
-
-* The update_sms method now updates the in-memory sms hash instead of
-  the in-memory account hash.  This only has an effect if you are
-  using the sms_codes feature and customizing Rodauth to access one
-  of these hashes after a call to update_sms.
-
-= Backwards Compatibility
-
-* If your application requires the ability to submit values containing
-  ASCII NUL bytes ("\0") as Rodauth parameters, you should use the
-  new null_byte_parameter_value configuration method to pass the
-  value through unchanged:
-
-    null_byte_parameter_value do |_, v|
-      v
-    end

data/doc/release_notes/2.23.0.txt

@@ -1,15 +0,0 @@
-= Improvements
-
-* The otp feature now uses the :use_path option when rendering QR
-  codes, resulting in significantly smaller svg images.
-
-* Removing all multifactor authentication methods now removes the fact
-  that the session was authenticated via SMS, if the user used SMS as
-  an authentication method for the current session.
-
-* The invalid domain check in the internal_request feature now works
-  correctly when using the rack master branch.
-
-* The :httponly cookie option is no longer set automatically in the
-  remember feature if the :http_only cookie option was provided by the
-  user (rack recognizes both options).

data/doc/release_notes/2.24.0.txt

@@ -1,15 +0,0 @@
-= New Features
-
-* rodauth.otp_available? has been added for checking whether the
-  account is allowed to authenticate with OTP.  It returns true
-  when the account has setup OTP and OTP use is not locked out.
-
-* rodauth.recovery_codes_available? has been added for checking
-  whether the account is allowed to authenticate using a recovery
-  code.  It returns true when there are any available recovery
-  codes for the account to use.
-
-= Other Improvements
-
-* The otp feature no longer includes the <?xml> tag for svg images,
-  since that results in invalid HTML.

data/doc/release_notes/2.25.0.txt

@@ -1,8 +0,0 @@
-= New Features
-
-* You can now disable routing to specific routes by calling the
-  related *_route configuration method with nil or false.  The main
-  reason you would want to do this is if you want to load a feature,
-  but only want to use it for internal requests (using the
-  internal_request feature), and not have the feature's routes exposed
-  to users.

data/doc/release_notes/2.26.0.txt

@@ -1,45 +0,0 @@
-= New Features
-
-* An argon2_secret configuration method has been added to the argon2
-  feature, supporting argon2's built-in password peppering.
-
-= Other Improvements
-
-* Links are no longer automatically displayed for routes that are
-  disabled by calling the *_route method with nil.
-
-* The QR code used by the otp feature now uses a white background
-  instead of a transparent background, fixing issues when the
-  underlying background is dark.
-
-* Input parameter bytesize is now limited to 1024 bytes by default.
-  Parameters larger than that will be ignored, as if they weren't
-  submitted.
-
-* The Rodauth::Auth class for internal request classes now uses the
-  same configuration name as the class it is based on.
-
-* The session_key_prefix configuration method no longer also prefixes
-  the keys used in the flash hash.
-
-* The *_path and *_url methods now return nil when the related *_route
-  method returns nil, indicating the route is disabled.
-
-* A more explicit error message is raised when using a feature that
-  requires the hmac_secret being set and not setting hmac_secret.
-
-= Backwards Compatibility
-
-* If you are using session_key_prefix and flash messages, you will
-  probably need to adjust your code to remove the prefix from the
-  expected flash keys, or manually prefix the flash keys by using
-  the flash_error_key and flash_notice_key configuration methods.
-
-* The limiting of input parameter bytesizes by default could potentially
-  break applications that use Rodauth's parameter parsing method to
-  handle parameters that Rodauth itself doesn't handle.  You can use
-  the max_param_bytesize configuration method to set a larger bytesize,
-  or use a value of nil with the method for the previous behavior of
-  no limit.  Additionally, to customize the behavior if a parameter
-  is over the allowed bytesize, you can use the
-  over_max_bytesize_param_value configuration method.

data/doc/release_notes/2.27.0.txt

@@ -1,35 +0,0 @@
-= Improvements
-
-* Token ids submitting in requests are now converted to integers if
-  the configuration uses an integer primary key for the accounts
-  table.  If the configuration uses a non-integer primary key for
-  the accounts table, the convert_token_id configuration method can
-  be used, which should return the token id converted to the
-  appropriate type, or nil if the token id is not valid for the type.
-
-  This revised handling avoids raising a database error when an
-  invalid token is submitted.
-
-* The button template can now be overridden in the same way that
-  other Rodauth templates can be overridden.
-
-* When using the Bootstrap CSS framework, the text field in the
-  Webauthn setup and auth forms is automatically hidden.  The text
-  field already had a rodauth-hidden class to make it easy to hide
-  when using other CSS frameworks.
-
-* The email_from and email_to methods are now public instead of
-  private.
-
-* A nicer error is raised if the Sequel Database object is missing.
-
-* A regression in the TOTP QR output that resulted in the QR codes
-  being solid black squares has been fixed (this was fixed in
-  Rodauth 2.26.1).
-
-= Backwards Compatibility
-
-* The webauth_credentials_for_get method in the webauthn feature has
-  been renamed to webauthn_credentials_for_get for consistency with
-  other methods.  The webauth_credentials_for_get method will still
-  work until Rodauth 3, but will issue deprecation warnings.

data/doc/release_notes/2.28.0.txt

@@ -1,16 +0,0 @@
-= New Features
-
-* A webauthn_key_insert_hash configuration method has been added when
-  using the webauthn feature, making it easier to add new columns to
-  the webauthn key data, such as a custom name for the authenticator.
-
-= Other Improvements
-
-* When using the verify_account_grace_period feature, logged_in? now
-  returns false for sessions where the grace period has expired.
-
-* When using the internal_request and reset_password features,
-  submitting an internal request for an invalid login no longer tries
-  to render a reset password request form.
-
-* The password_hash method is now public.

data/doc/release_notes/2.29.0.txt

@@ -1,27 +0,0 @@
-= New Features
-
-* When using the remember feature, by default, the remember deadline
-  is extended while logged in, if it hasn't been extended in the last
-  hour
-
-* An account! method has been added, which will return the hash for
-  the account if already retrieved, or attempt to retrieve the
-  account hash using the currently logged in session if not.
-  Because of the ambiguity in the provenance of the returned account
-  hash, callers should be careful when using this method.
-
-* A remove_active_session method has been added.  You can call this
-  method with a specific session id, and it will remove the related
-  active session.
-
-* A render: false plugin option is now support, which will disable
-  the automatic loading of the render plugin.  This should only be
-  used if you are completely replacing Rodauth's view rendering with
-  your own.
-
-= Other Improvements
-
-* When logging in when using the active_sessions feature, if there is
-  a current active session, it is removed before a new active session
-  is created. This prevents some stale active sessions from remaining
-  in the database (which would eventually be cleaned up later).

data/doc/release_notes/2.3.0.txt

@@ -1,37 +0,0 @@
-= New Features
-
-* Configuration methods have been added for easier validation of
-  logins when logins must be valid email addresses (the default):
-
-  * login_valid_email?(login) can be used for full control of
-    determining whether the login is valid.
-
-  * login_email_regexp can be used to set the regexp used in the
-    default login_valid_email? check.
-
-  * login_not_valid_email_message can be used to set the field
-    error message if the login is not a valid email.  Previously, this
-    value was hardcoded and not translatable.
-
-* The {create,drop}_database_authentication_functions now work
-  correctly with uuid keys on PostgreSQL.  All other parts of
-  Rodauth already worked correctly with uuid keys.
-
-= Other Improvements
-
-* The before_jwt_refresh_route hook is now called before the route
-  is taken. Previously, the configuration method had no effect.
-
-* rodauth.login can now be used by external code to login the current
-  account (the account that rodauth.account returns).  This should be
-  passed the authentication type string used to login, such as
-  password.
-
-* The jwt_refresh route now returns an error for requests where a
-  valid access token for a logged in session is not provided.  You
-  can use the jwt_refresh_without_access_token_message and
-  jwt_refresh_without_access_token_status configuration methods
-  to configure the error response.
-
-* The new refresh token is now available to the after_refresh_token
-  hook by looking in json_response[jwt_refresh_token_key].

data/doc/release_notes/2.30.0.txt

@@ -1,15 +0,0 @@
-= New Features
-
-* A webauthn_autofill feature has been added to allow autofilling
-  webauthn credentials during login (also known as conditional
-  mediation).  This allows for easier login using passkeys.
-  This requires a supported browser and operating system on the
-  client side to work.
-
-= Other Improvements
-
-* The load_memory method in the remember feature no longer raises
-  a NoMethodError if the there is a remember cookie, the session is
-  already logged in, and the account no longer exists.  The
-  load_memory method now removes the remember cookie and clears the
-  session in that case.

data/doc/release_notes/2.31.0.txt

@@ -1,47 +0,0 @@
-= New Features
-
-* The internal_request feature now supports WebAuthn, using 
-  the following methods:
-
-  * With the webauthn feature:
-    * webauthn_setup_params
-    * webauthn_setup
-    * webauthn_auth_params
-    * webauthn_auth
-    * webauthn_remove
-
-  * With the webauthn_login feature:
-    * webauthn_login_params
-    * webauthn_login
-
-* A webauthn_login_user_verification_additional_factor? configuration
-  method has been added to the webauthn_login feature. By default,
-  this method returns false.  If you configure the method to return
-  true, and the WebAuthn credential provided specifies that it
-  verified the user, then this will treat the user verification as
-  a second factor, so the user will be considered multifactor
-  authenticated after successful login.  You should only set this
-  method to true if you consider the WebAuthn user verification
-  strong enough to be a independent factor.
-
-* A json_response_error? configuration method has been added to the
-  json feature.  This should return whether the current response
-  should be treated as an error by the json feature.  By default,
-  it is true if json_response_error_key is set in the response,
-  since that is the default place that Rodauth stores errors when
-  using the json feature.
-
-* A webauthn_invalid_webauthn_id_message configuration method has
-  been added for customizing the error message used for invalid
-  WebAuthn IDs.
-
-= Other Improvements
-
-* The argon2 feature now supports setting the Argon2 p_cost if
-  argon2 2.1+ is installed.
-
-* An :invalid_webauthn_id error reason is now used for invalid
-  WebAuthn IDs.
-
-* The clear_session method now works as expected for internal
-  requests.

data/doc/release_notes/2.32.0.txt

@@ -1,65 +0,0 @@
-= New Features
-
-* Rodauth now supports secret rotation using the following
-  configuration methods:
-
-  * hmac_old_secret
-  * argon2_old_secret (argon2 feature)
-  * jwt_old_secret (jwt feature)
-
-  You can use these methods to specify the previous secret when
-  rotating secrets.  Note that full secret rotation (where you can
-  remove use of the old secret) may not be simple.  Here are some
-  cases that require additional work:
-
-  * Rotating the argon2 secret requires the use of the
-    update_password_hash feature.  You cannot remove the use of
-    argon2_old_secret unless every user who created a password under
-    the old secret has logged in after the new secret was added.
-    Removing the old secret before a user has logged in after the new
-    secret was added will invalidate the password for the user. Thus,
-    full rotation of the argon2 secret requires invalidating passwords
-    for inactive accounts.
-
-  * Full rotating of the hmac secret when using the remember feature
-    requires that all remember cookies created under the previous
-    secret has been removed.  By default, remember cookies expire in
-    2 weeks, but it is possible to set them much longer.
-
-  * Full rotation of the hmac secret when using the verify_account
-    feature requires invalidating old verify account links, since
-    verify account links do not have a deadline.  However, after old
-    verify account links have been invalidated, a user can request a
-    new verify account link, which will work.
-
-  * Full rotation of the hmac secret when using the otp feature
-    requires disabling otp and reenabling otp.  The
-    otp_valid_code_for_old_secret configuration method has been added,
-    which can be used to handle cases where a user successfully
-    authenticated via TOTP using the old secret.  This can be used
-    to direct them to a page to remove the TOTP authenticator and
-    then setup a new TOTP authenicator.
-
-* Many *_response configuration methods have been added, which allow
-  users to override Rodauth's default behavior in successful cases of
-  setting a flash notice and then redirecting.  Note that using these
-  configuration methods correctly requires that they halt request
-  processing.  You cannot just have them return a response body.  You
-  can use the return_response method to set the response body and
-  halt processing.
-
-* An sms_needs_confirmation_notice_flash configuration method has been
-  added, for setting the flash notice when setting up SMS
-  authentication.  By default, it uses the
-  sms_needs_confirmation_error_flash value.
-
-= Other Improvements
-
-* The argon2 feature no longer uses the Base64 constant.  Previously,
-  it uses the library without attempting to require the base64 library,
-  which would break if the base64 library was not already required.
-
-* Rodauth's documentation now recommends against the use of the argon2
-  feature, because for typical interactive login uses (targetting
-  sub-200ms response times), argon2 provides significantly worse
-  security than bcrypt.

data/doc/release_notes/2.33.0.txt

@@ -1,18 +0,0 @@
-= Improvements
-
-* Rodauth no longer accidentally confirms an SMS number upon valid
-  authentication by an alternative second factor.
-
-* Rodauth now automatically expires SMS confirmation codes after 24
-  hours by default.  You can use the sms_confirm_deadline
-  configuration method to adjust the deadline.  Previously, if an
-  invalid SMS number was submitted, or the SMS confirm code was never
-  received, it was not possible to continue SMS setup without
-  administrative intervention.
-
-* Rodauth no longer overwrites existing primary key values when
-  inserting new accounts. This fixes cases such as setting account
-  primary key values to UUIDs before inserting.
-
-* When submitting a request to a valid endpoint with a missing token,
-  Rodauth now returns an error response instead of a 404 response.