rodauth 2.36.0 → 2.37.0

data/doc/release_notes/2.34.0.txt

@@ -1,36 +0,0 @@
-= New Features
-
-* A rodauth.current_route method has been added for returning the route
-  name symbol (if rodauth is currently handling the route).  This makes it
-  simpler to write code that extends Rodauth and works with
-  applications that use override the default route names.
-
-* A remove_all_active_sessions_except_for method has been added to the
-  active_sessions feature, which removes all active sessions for the
-  current account, except for the session id given.
-
-* A remove_all_active_sessions_except_current method has been added to
-  the active_sessions feature, which removes all active sessions for
-  the current account, except for the current session.
-
-= Improvements
-
-* Rodauth now supports overriding webauthn_rp_id in the webauthn
-  feature.
-
-* When using the login feature, Rodauth now defaults
-  require_login_redirect to use the path to the login route, instead
-  of /login.
-
-* When setting up multifactor authentication, Rodauth now handles the
-  case where account has been deleted, instead of raising an exception.
-
-* When a database connection is not available during startup, Rodauth
-  now handles that case instead of raising an exception.  Note that in
-  this case, Rodauth cannot automatically setup a conversion of token
-  ids to integer, since it cannot determine whether the underlying
-  database column uses an integer type.
-
-* When using WebAuthn 3+, Rodauth no longer defines singleton methods
-  to work around limitations in WebAuthn.  Instead, it uses public
-  APIs that were added in WebAuthn 3.

data/doc/release_notes/2.35.0.txt

@@ -1,22 +0,0 @@
-= New Features
-
-* A throw_rodauth_error method has been added to make it easier
-  for external extensions to throw the expected error value without
-  setting a field error.
-
-= Improvements
-
-* If an account is not currently logged in, but Rodauth knows the
-  related account id, remove_all_active_sessions and related
-  methods in the active_sessions plugin will now remove sessions
-  for the related account.
-
-* When using the internal_request feature and subclasses,
-  internal_request_configuration blocks in superclasses are now
-  respected when creating the internal request class for a
-  subclass.  When creating the internal request in the subclass,
-  this behaves as if all internal_request_configuration blocks
-  were specified directly in the subclass.
-
-* An ignored block warning on Ruby 3.4 is now avoided by having
-  Rodauth.load_dependencies accept a block.

data/doc/release_notes/2.36.0.txt

@@ -1,35 +0,0 @@
-= New Features
-
-* An otp_unlock feature has been added, allowing a user to unlock
-  TOTP authentication with 3 consecutive successful TOTP
-  authentications.  Previously, once TOTP authentication was locked
-  out, there was no way for the user to unlock it.
-
-  Any unsuccessful TOTP authentication during the unlock process
-  prevents unlocks attempts for a configurable amount of time (15
-  minutes by default).  By default, this limits brute force attempts
-  to unlock TOTP authentication to less than 10^2 per day, with the
-  odds of a successful unlock in each attempt being 1 in 10^18.
-
-* An otp_lockout_email feature has been added for emailing the user
-  when their TOTP authentication has been locked out or unlocked, and
-  when there has been a failed unlock attempt.
-
-* An otp_modify_email feature has been added for emailing the user
-  when TOTP authentication has been setup or disabled for their
-  account.
-
-* A webauthn_modify_email feature has been added for emailing the
-  user when a WebAuthn authenticator has been added or removed from
-  their account.
-
-* An account_from_id configuration method has been added for loading
-  the account with the given account id.
-
-* A strftime_format configuration method has been added for
-  configuring how Time values are formatted for display to the user.
-
-= Improvements
-
-* The internal_request feature now works with Roda's path_rewriter
-  plugin.

data/doc/release_notes/2.4.0.txt

@@ -1,22 +0,0 @@
-= New Features
-
-* A password_pepper feature has been added.  This allows you to use a
-  secret key (called a pepper) to append to passwords before hashing
-  and hash checking.  Using this approach, if an attacker obtains the
-  password hash, it is unusable for cracking unless they can also
-  get access to the pepper.
-
-  The password_pepper feature also supports a list of previous peppers
-  that can be used to implement secret rotation and to support
-  compatibility with unpeppered passwords.
-
-  Rodauth by default uses database functions for password hash
-  checking on PostgreSQL, MySQL, and Microsoft SQL Server, which in
-  general provides more security than a password pepper, but both
-  approaches can be used simultaneously.
-
-* A session_key_prefix configuration method has been added for
-  prefixing the values of all default session keys.  This can be
-  useful if you are using multiple Rodauth configurations in the same
-  application and want to make sure the session keys for the separate
-  configurations do not overlap.

data/doc/release_notes/2.5.0.txt

@@ -1,20 +0,0 @@
-= New Features
-
-* A login_return_to_requested_location_path configuration method has
-  been added to the login feature.  This controls the path to redirect
-  to if using login_return_to_requested_location?.  By default, this
-  is the same as the fullpath of the request that required login if
-  that request was a GET request, and nil if that request was not a
-  GET request.  Previously, the fullpath of that request was used even
-  if it was not a GET request, which caused problems as browsers use a
-  GET request for redirects, and it is a bad idea to redirect to a path
-  that may not handle GET requests.
-
-* A change_login_needs_verification_notice_flash configuration method
-  has been added to the verify_login_change feature, for allowing
-  translations when using the feature and not using the
-  change_login_notice_flash configuration method.
-
-= Other Improvements
-
-* new_password_label is now translatable.

data/doc/release_notes/2.6.0.txt

@@ -1,37 +0,0 @@
-= New Features
-
-* An around_rodauth configuration method has been added, which is
-  called around all Rodauth actions.  This configuration method
-  is passed a block, and is useful for cases where you want to wrap
-  Rodauth's handling of the request.
-
-  For example, if you had a method named time_block in your Roda scope
-  that timed block execution and added a response header, you could
-  time Rodauth actions using something like:
-
-    around_rodauth do |&block|
-      scope.time_block('Rodauth') do
-        super(&block)
-      end
-    end
-
-* The allow_refresh_with_expired_jwt_access_token? configuration has
-  been added to the jwt_refresh feature, allowing refreshing with an
-  expired but otherwise valid access token.  When using this method,
-  it is required to have an hmac_secret specified, so that Rodauth
-  can make sure the access token matches the refresh token.
-
-= Other Improvements
-
-* The javascript for setting up a WebAuthn token has been fixed to
-  allow it to work correctly if there is already an existing
-  WebAuthn token for the account.
-
-* The rodauth.setup_account_verification method has been promoted to
-  public API.  You can use this method for automatically sending
-  account verification emails when automatically creating accounts.
-
-* Rodauth no longer loads the same feature multiple times into a
-  single configuration.  This didn't cause any problems before, but
-  could result in duplicate entries when looking at the loaded
-  features.

data/doc/release_notes/2.7.0.txt

@@ -1,33 +0,0 @@
-= New Features
-
-* An auto_remove_recovery_codes? configuration method has been added
-  to the recovery_codes feature.  This will automatically remove
-  recovery codes when the last multifactor authentication type other
-  than the recovery codes has been removed.
-
-* The jwt_access_expired_status and expired_jwt_access_token_message
-  configuration methods have been added to the jwt_refresh feature,
-  for supporting custom statuses and messages for expired tokens.
-
-= Other Improvements
-
-* Rodauth will no longer attempt to require a feature that has
-  already been required.  Related to this is you can now use a
-  a custom Rodauth feature without a rodauth/features/*.rb file
-  in the Ruby library path, as long as you load the feature
-  manually.
-
-* Rodauth now avoids method redefinition warnings in verbose
-  warning mode.  As Ruby 3 is dropping uninitialized instance
-  variable warnings, Rodauth will be verbose warning free in
-  Ruby 3.
-
-= Backwards Compatibility
-
-* The default remember cookie path is now set to '/'. This fixes
-  usage in the case where rodauth is loaded under a subpath of the
-  application (which is not the default behavior).  Unfortunately,
-  this change can negatively affect cases where multiple rodauth
-  configurations are used in separate paths on the same domain.
-  In these cases, you should now use remember_cookie_options and
-  include a :path option.

data/doc/release_notes/2.8.0.txt

@@ -1,20 +0,0 @@
-= Improvements
-
-* HttpOnly is now set by default on the remember cookie, so it is no
-  longer accessible from Javascript.  This is a more secure approach
-  that makes applications using Rodauth's remember feature less
-  vulnerable in case they are subject to a separate XSS attack.
-
-* When using the jwt feature, rodauth.clear_session now clears the
-  JWT session even when the Roda sessions plugin was in use.  In most
-  cases, the jwt feature is not used with the Roda sessions plugin,
-  but in cases where the same application serves as both an JSON API
-  and as a HTML site, it is possible the two may be used together.
-
-= Backwards Compatibility
-
-* As the default remember cookie :httponly setting is now set to true,
-  applications using Rodauth that expected to be able to access the
-  remember cookie from Javascript will no longer work by default.
-  In these cases, you should now use remember_cookie_options and
-  include a :httponly=>false option.

data/doc/release_notes/2.9.0.txt

@@ -1,21 +0,0 @@
-= New Features
-
-* A json feature has been extracted from the existing jwt feature.
-  This feature allows for the same JSON API previously supported
-  by the JWT feature, but stores the session information in the
-  Rack session instead of in a separate JWT.  This makes it
-  significantly easier to have certain pages use the JSON API,
-  and other pages the HTML forms.
-
-= Other Improvements
-
-* If the remember cookie is created in an SSL request, the Secure
-  flag is added by default, so the cookie will not be transmitted
-  in non-SSL requests.
-
-= Backwards Compatibility
-
-* Rodauth configurations that use the remember feature and support
-  requests over both http and https and want to have the remember
-  cookie transmitted over both should now include :secure=>false in
-  remember_cookie_options.

data/doc/remember.rdoc

@@ -1,79 +0,0 @@
-= Documentation for Remember Feature
-
-The remember feature allows for token-based autologin for users. Calling
-+rodauth.remember_login+ for an authenticated session will create a token for
-the current account and store it in a cookie. You can then add the following
-code to your routing block to automatically login users from that token if the
-session has expired:
-
-  rodauth.load_memory
-
-By default, the remember feature just supports a form that the user can use
-to change their remember settings for the current browser.  They can either
-enable remembering for the browser, forget it for the browser, or disable
-it completely so that any remembering for other browsers is removed as well.
-
-In some cases, you may want to automatically remember users and not require
-users to turn it on manually.  If you want to automatically remember users
-on login:
-
-  after_login do
-    remember_login
-  end
-
-The remember feature records which sessions were autologged in via the
-remember cookie. If you have sections where you want to add more security,
-you can use the confirm password feature to request password authentication
-for sessions autologged in via a remember token:
-
-  rodauth.require_password_authentication
-
-== Auth Value Methods
-
-extend_remember_deadline? :: Whether to extend the remember token deadline when the user is autologged in via remember token and every +extend_remember_deadline_period+ seconds while logged in.
-extend_remember_deadline_period :: The amount of seconds to wait before extending remember token deadline when +extend_remember_deadline?+ is true (3600 by default).
-raw_remember_token_deadline :: A deadline before which to allow a raw remember token to be used. Allows for graceful transition for when +hmac_secret+ is first set.
-remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
-remember_button :: The text to use for the change remember settings button.
-remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
-remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
-remember_deadline_extended_session_key :: The session key set if the remember deadline token is being extended.
-remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
-remember_disable_label :: The label for disabling remembering.
-remember_disable_param_value :: The parameter value for disabling remembering.
-remember_error_flash :: The flash error to show if there is an error changing a remember setting.
-remember_forget_label :: The label for turning off remembering.
-remember_forget_param_value :: The parameter value for turning off remembering.
-remember_id_column :: The id column in the +remember_table+, should be a foreign key referencing the accounts table.
-remember_key_column :: The remember key/token column in the +remember_table+.
-remember_notice_flash :: The flash notice to show after remember setting has been updated.
-remember_page_title :: The page title to use on the change remember settings form.
-remember_param :: The parameter name to use for the remember password settings choice.
-remember_period :: The additional time to extend the remember deadline if extending remember deadlines.
-remember_redirect :: Where to redirect after changing the remember settings.
-remember_remember_label :: The label for turning on remembering.
-remember_remember_param_value :: The parameter value for switching on remembering.
-remember_route :: The route to the change remember settings action. Defaults to +remember+.
-remember_table :: The name of the remember keys table.
-
-== Auth Methods
-
-add_remember_key :: Add a remember key for the current account to the remember keys table.
-after_load_memory :: Run arbitrary code after autologging in an account via a remember token.
-after_remember :: Run arbitrary code after changing the remember settings.
-before_load_memory :: Run arbitrary code before autologging in an account via a remember token.
-before_remember :: Run arbitrary code before changing the remember settings.
-before_remember_route :: Run arbitrary code before handling the remember route.
-disable_remember_login :: Disable the remember key token, clearing the token from the database so future connections with the token will not be recognized.
-forget_login :: Forget the current remember token, deleting the related cookie.  Other browsers that have the cookie cached can still use it login.
-generate_remember_key_value :: A random string to use as the remember key.
-get_remember_key :: Retrieve the remember key from the database.
-load_memory :: If the remember key cookie is included in the request, and the user is not currently logged in, check the remember keys table and autologin the user if the remember key cookie matches the current remember key for the account. This method needs to be called manually inside the Roda route block to autologin users.
-logged_in_via_remember_key? :: Whether the current session was logged in via a remember key.
-remembered_session_id :: The session_id which is validly remembered, if any.
-remember_key_value :: The current value of the remember key/token.
-remember_login :: Set the cookie containing the remember token, so that future sessions will be autologged in.
-remember_response :: Return a response after successfully changing remember settings. By default, redirects to +remember_redirect+.
-remember_view :: The HTML to use for the change remember settings form.
-remove_remember_key(id_value=account_id) :: Delete the related remember key from the database.

data/doc/reset_password.rdoc

@@ -1,66 +0,0 @@
-= Documentation for Reset Password Feature
-
-The reset password feature implements password resets.  If the user enters
-an invalid password, they will be displayed a form where they can request
-a password reset.  Submitting that form will send an email containing a
-link, and that link will taken them to a password reset form. Depends on
-the login feature.
-
-== Auth Value Methods
-
-no_matching_reset_password_key_error_flash :: The flash error message to show if attempting to access the reset password form with an invalid key.
-reset_password_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password form.
-reset_password_autologin? :: Whether to autologin the user after successfully resetting a password, false by default.
-reset_password_button :: The text to use for the reset password button.
-reset_password_deadline_column :: The column name in the +reset_password_table+ storing the deadline after which the token will be ignored.
-reset_password_deadline_interval :: The amount of time for which to allow users to reset their passwords, 1 day by default. Only used if +set_deadline_values?+ is true.
-reset_password_email_last_sent_column :: The email last sent column in the +reset_password_table+. Set to nil to always send a reset password request email when requested.
-reset_password_email_recently_sent_error_flash :: The flash error to show if not sending reset password request email because one has been sent recently.
-reset_password_email_recently_sent_redirect :: Where to redirect if not sending reset password request email because one has been sent recently.
-reset_password_email_sent_notice_flash :: The flash notice to show after a reset password request email has been sent.
-reset_password_email_sent_redirect :: Where to redirect after sending a reset password request email.
-reset_password_email_subject :: The subject to use for the reset password request email.
-reset_password_error_flash :: The flash error to show after resetting a password.
-reset_password_explanatory_text :: The text to display above the button to request a password reset.
-reset_password_id_column :: The id column in the +reset_password_table+, should be a foreign key referencing the accounts table.
-reset_password_key_column :: The reset password key/token column in the +reset_password_table+.
-reset_password_key_param :: The parameter name to use for the reset password key.
-reset_password_notice_flash :: The flash notice to show after resetting a password.
-reset_password_page_title :: The page title to use on the reset password form.
-reset_password_redirect :: Where to redirect after resetting a password.
-reset_password_request_additional_form_tags :: HTML fragment containing additional form tags to use on the reset password request form.
-reset_password_request_button :: The text to use for the reset password request button.
-reset_password_request_error_flash :: The flash error to show if not able to send a reset password request email.
-reset_password_request_link_text :: The text to use for a link to the page to request a password reset.
-reset_password_request_page_title :: The page title to use on the reset password request form.
-reset_password_request_route :: The route to the reset password request action.  Defaults to +reset-password-request+.
-reset_password_route :: The route to the reset password action. Defaults to +reset-password+.
-reset_password_session_key :: The key in the session to hold the reset password key temporarily.
-reset_password_skip_resend_email_within :: The number of seconds before sending another reset password request email, if +reset_password_email_last_sent_column+ is set.
-reset_password_table :: The name of the reset password keys table.
-
-== Auth Methods
-
-account_from_reset_password_key(key) :: Retrieve the account using the given reset password key, or return nil if no account matches.
-after_reset_password :: Run arbitrary code after successfully resetting a password.
-after_reset_password_request :: Run arbitrary code after sending the reset password request email.
-before_reset_password :: Run arbitrary code before resetting a password.
-before_reset_password_request :: Run arbitrary code before sending the reset password request email.
-before_reset_password_request_route :: Run arbitrary code before handling a reset password request route.
-before_reset_password_route :: Run arbitrary code before handling a reset password route.
-create_reset_password_email :: A Mail::Message for the reset password request email.
-create_reset_password_key :: Add the reset password key data to the database.
-get_reset_password_email_last_sent :: Get the last time a reset password request email is sent, or nil if there is no last sent time.
-get_reset_password_key(id) :: Get the password reset key for the given account id from the database.
-login_failed_reset_password_request_form :: The HTML to use for a form to request a password reset, shown on the login page after the user tries to login with an invalid password.
-remove_reset_password_key :: Remove the reset password key for the current account, run after successful password reset.
-reset_password_email_body :: The body to use for the reset password request email.
-reset_password_email_link :: The link to the reset password form in the reset password request email.
-reset_password_email_sent_response :: Return a response after successfully sending a password reset email. By default, redirects to +reset_password_email_sent_redirect+.
-reset_password_key_insert_hash :: The hash to insert into the +reset_password_table+.
-reset_password_key_value :: The reset password key for the current account.
-reset_password_request_view :: The HTML to use for the reset password request form.
-reset_password_response :: Return a response after successfully resetting a password. By default, redirects to +reset_password_redirect+.
-reset_password_view :: The HTML to use for the reset password form.
-send_reset_password_email :: Send the reset password request email.
-set_reset_password_email_last_sent :: Set the last time a reset password request email is sent.

data/doc/reset_password_notify.rdoc

@@ -1,17 +0,0 @@
-= Documentation for Reset Password Notify Feature
-
-The reset password notify feature emails the user after the user has
-reset their password. The user has already been sent a reset password
-email by this point, so they know a password reset was requested, but
-this feature allows for confirming that the password reset process
-was completed. Depends on the reset_password feature.
-
-== Auth Value Methods
-
-reset_password_notify_email_subject :: The subject to use for the reset password notify email.
-reset_password_notify_email_body :: The body to use for the reset password notify email.
-
-== Auth Methods
-
-create_reset_password_notify_email :: A Mail::Message for the reset password notify email.
-send_reset_password_notify_email :: Send the reset password notify email.

data/doc/session_expiration.rdoc

@@ -1,28 +0,0 @@
-= Documentation for Session Expiration Feature
-
-The session expiration feature allows setting an inactivity timeout and a max
-lifetime for sessions.  When this feature is used, you should use
-+rodauth.check_session_expiration+ at the top (or other appropriate place)
-in your routing tree.
-
-  route do |r|
-    rodauth.check_session_expiration
-    r.rodauth
-
-    # ...
-  end
-
-When checking session expiration, if the last activity was more than the
-inactivity timeout, or the session was created more the maximum lifetime
-ago, the session is cleared, and the user is redirected to the login page.
-
-== Auth Value Methods
-
-max_session_lifetime :: The maximum number of seconds since session creation that sessions will be valid for, regardless of session activity. 86400 by default (1 day).
-session_created_session_key :: The session key storing the session creation timestamp.
-session_expiration_default :: Whether to expire sessions that don't have the created at or last activity at timestamps set, true by default.
-session_expiration_error_flash :: The flash error to show if a session expires.
-session_expiration_error_status :: The error status to use when a JSON request is made and the session has expired, 401 by default.
-session_expiration_redirect :: Where to redirect if a session expires.
-session_inactivity_timeout :: The maximum number of seconds allowed since the last activity before the session will be considered invalid.  1800 by default (30 minutes).
-session_last_activity_session_key :: The session key storing the last session activity timestamp.

data/doc/single_session.rdoc

@@ -1,37 +0,0 @@
-= Documentation for Single Session Feature
-
-The single session feature stores the key for the session in a
-database table whenever a user logs in to the system.  In your
-routing block, you can check that the session key given matches
-the stored key by doing:
-
-  rodauth.check_single_session
-
-It is not recommended to use this feature unless you
-have a policy that requires it.  Many users find it useful to
-be able to have multiple concurrent sessions, and restricting
-this ability does not make things more secure.  You can use the
-active_sessions feature for something with similar behavior but
-that allows for concurrent sessions.
-
-One of the side benefits with this feature is that
-logouts reset the single session key, so attempts to reuse
-the previous session after logout no longer work.
-
-== Auth Value Methods
-
-allow_raw_single_session_key? :: Whether to allow a raw single session key to be accepted, should only be enabled for graceful transition when +hmac_secret+ is first set.
-inactive_session_error_status :: The error status to use when a JSON request is made and the session is no longer active, 401 by default.
-single_session_error_flash :: The flash error to display if the current session is no longer the active session for the account.
-single_session_id_column :: The column in the +single_session_table+ containing the account id.
-single_session_key_column :: The column in the +single_session_table+ containing the single session key.
-single_session_redirect :: Where to redirect if the current session is no longer the active session for the account.
-single_session_session_key :: The session key name to use for storing the single session key.
-single_session_table :: The database table storing single session keys.
-
-== Auth Methods
-
-currently_active_session? :: Whether the current session is the active session for the user.
-no_longer_active_session :: The action to take if the current session is no longer the active session for the user.
-reset_single_session_key :: Reset the single session key for the user, by default to a new random key.
-update_single_session_key :: Update the single session key in the current session and in the database, reflecting that the current session is the active session for the user.

data/doc/sms_codes.rdoc

@@ -1,138 +0,0 @@
-= Documentation for SMS Codes Feature
-
-The sms codes feature allows for multifactor authentication via codes provided via
-SMS messages.  It is usually used as a backup if other multifactor authentication is not available
-or has been locked out, but it can be used as the primary multifactor authentication method.
-
-This feature allows users to register their mobile phone number with the system, confirm that
-they can receive SMS messages on the mobile phone number they have registered, request
-SMS authentication codes, authenticate via SMS codes, and disable SMS authentication.
-
-While this feature sets up all of the infrastructure needed to support SMS authentication,
-it doesn't handle sending SMS messages itself.  There are many ruby libraries that send
-SMS messages, and you can choose which one to use.  When using this feature, you must
-use the +sms_send+ configuration method and send the SMS using whatever SMS library
-you prefer:
-
-    sms_send do |phone_number, message|
-      # ...
-    end
-
-== Auth Value Methods
-
-no_current_sms_code_error_flash :: The flash error to show when going to the SMS authentication page and no current SMS authentication code is available.
-sms :: A hash of SMS information for the user, if SMS authentication has been setup.
-sms_already_setup_error_flash :: The flash error to show when going to a page to setup SMS authentication if SMS authentication has already been setup.
-sms_already_setup_error_status :: The response status to use when going to a page to setup SMS authentication if SMS authentication has already been setup, 403 by default.
-sms_already_setup_redirect :: Where to redirect when going to a page to setup SMS authentication if SMS authentication has already been setup.
-sms_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via SMS.
-sms_auth_button :: Text to use for button on the form to authenticate via SMS.
-sms_auth_code_length :: The length of SMS authentication codes, 6 by default.
-sms_auth_link_text :: The text to use for the link from the multifactor auth page.
-sms_auth_page_title :: The page title to use on the form to authenticate via SMS code.
-sms_auth_redirect :: Where to redirect if SMS authentication is needed.
-sms_auth_route :: The route to the SMS authentication action. Defaults to +sms-auth+.
-sms_code_allowed_seconds :: The number of seconds after an SMS authentication is sent until it is no longer valid, 300 seconds by default.
-sms_code_column :: The column in the +sms_codes_table+ containing the currently valid SMS authentication/confirmation code.
-sms_code_label :: The label for SMS codes.
-sms_code_param :: The parameter name for SMS codes.
-sms_codes_primary? :: Whether SMS codes are a primary multifactor authentication method.  If not, they cannot be setup unless multifactor authentication has already been setup.
-sms_codes_table :: The name of the table storing SMS code data.
-sms_confirm_additional_form_tags :: HTML fragment containing additional form tags when confirming SMS setup.
-sms_confirm_button :: Text to use for button on the form to confirm SMS setup.
-sms_confirm_code_length :: The length of SMS confirmation codes, 12 by default, as there is no lockout. 
-sms_confirm_deadline :: The number of seconds before an SMS confirmation code expires (86400 seconds by default).
-sms_confirm_notice_flash :: The flash notice to show when SMS authentication setup has been confirmed.
-sms_confirm_page_title :: The page title to use on the form to authenticate via SMS code.
-sms_confirm_redirect :: Where to redirect after SMS authentication setup has been confirmed.
-sms_confirm_route :: The route to the SMS setup confirmation action. Defaults to +sms-confirm+.
-sms_disable_additional_form_tags :: HTML fragment containing additional form tags when disabling SMS authentication.
-sms_disable_button :: Text to use for button on the form to disable SMS authentication.
-sms_disable_error_flash :: The flash error to show when disabling SMS authentication fails.
-sms_disable_link_text :: The text to use for the remove link from the multifactor manage page.
-sms_disable_notice_flash :: The flash notice to show when SMS authentication has been successfully disabled.
-sms_disable_page_title :: The page title to use on the form to disable SMS authentication.
-sms_disable_redirect :: Where to redirect after SMS authentication has been disabled.
-sms_disable_route :: The route to the SMS authentication disable action. Defaults to +sms-disable+.
-sms_failure_limit :: The number of failures until SMS authentication is locked out.
-sms_failures_column :: The column in the +sms_codes_table+ containing the number of SMS authentication failures since the last successful authentication.
-sms_id_column :: The column in the +sms_codes_table+ containing the account id.
-sms_invalid_code_error_flash :: The flash error to show when an invalid SMS authentication code is used.
-sms_invalid_code_message :: The error message to show when an invalid SMS code is used.
-sms_invalid_confirmation_code_error_flash :: The flash error to show when an invalid SMS confirmation code is used.
-sms_invalid_phone_message :: The error message to show when an invalid SMS phone number is used.
-sms_issued_at_column :: The column in the +sms_codes_table+ containing the time the SMS code was issued.
-sms_lockout_error_flash :: The flash error to show when SMS authentication has been locked out due to repeated failures.
-sms_lockout_redirect :: Where to redirect after SMS authentication has been locked out.
-sms_needs_confirmation_notice_flash :: The flash notice to show on SMS authentication pages when SMS authentication setup needs confirmation (uses +sms_needs_confirmation_error_flash+ by default).
-sms_needs_confirmation_error_flash :: The flash error to show on SMS authentication pages when SMS authentication setup needs confirmation.
-sms_needs_confirmation_error_status :: The response status to use on SMS authentication pages when SMS authentication setup needs confirmation, 403 by default.
-sms_needs_confirmation_redirect :: Where to redirect after SMS setup, when confirmation is required.
-sms_needs_setup_redirect :: Where to redirect if going to an SMS authentication page when SMS authentication has not been setup.
-sms_not_setup_error_flash :: The flash error to show when on SMS authentication pages when SMS authentication has not yet been setup.
-sms_phone_column :: The column in the +sms_codes_table+ containing the phone number to which to send SMS messages.
-sms_phone_input_type :: The input type to use for SMS phone numbers, tel by default.
-sms_phone_label :: The label for SMS phone numbers.
-sms_phone_min_length :: The minimum length of phone numbers allowed for SMS authentication, 7 by default.
-sms_phone_param :: The parameter name for SMS phone numbers.
-sms_request_additional_form_tags :: HTML fragment containing additional form tags when requesting an SMS authentication code.
-sms_request_button :: Text to use for button on the form to request an SMS authentication code.
-sms_request_notice_flash :: The flash notice to show when an SMS authentication code is requested.
-sms_request_page_title :: The page title to use on the form to request an SMS authentication code.
-sms_request_redirect :: Where to redirect after requesting an SMS authentication code.
-sms_request_route :: The route to the SMS authentication code request action. Defaults to +sms-request+.
-sms_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up SMS authentication.
-sms_setup_button :: Text to use for button on the form to setup SMS authentication.
-sms_setup_error_flash :: The flash error to show when setting up SMS authentication fails.
-sms_setup_link_text :: The text to use for the setup link from the multifactor manage page.
-sms_setup_page_title :: The page title to use on the form to setup SMS authentication.
-sms_setup_route :: The route to the SMS authentication setup action. Defaults to +sms-setup+.
-
-== Auth Methods
-
-after_sms_confirm :: Run arbitrary code after successful SMS authentication confirmation.
-after_sms_disable :: Run arbitrary code after disabling SMS authentication.
-after_sms_failure :: Run arbitrary code after SMS authentication failure.
-after_sms_request :: Run arbitrary code after SMS authentication code request.
-after_sms_setup :: Run arbitrary code after SMS authentication setup.
-before_sms_auth :: Run arbitrary code before SMS authentication.
-before_sms_auth_route :: Run arbitrary code before handling SMS authentication route.
-before_sms_confirm :: Run arbitrary code before SMS confirmation.
-before_sms_confirm_route :: Run arbitrary code before handling SMS confirmation route.
-before_sms_disable :: Run arbitrary code before disabling SMS authentication.
-before_sms_disable_route :: Run arbitrary code before handling SMS disable route.
-before_sms_request :: Run arbitrary code before sending SMS code.
-before_sms_request_route :: Run arbitrary code before handling SMS request route.
-before_sms_setup :: Run arbitrary code before setting up SMS authentication.
-before_sms_setup_route :: Run arbitrary code before handling SMS setup route.
-sms_auth_message(code) :: The SMS message to use for the given authentication code.
-sms_auth_view :: The HTML to use for the form to authenticate via SMS code.
-sms_available? :: Whether SMS authentication is ready for use.
-sms_code_issued_at :: The timestamp the current SMS code was issued at.
-sms_code_match?(code) :: Whether there is an active SMS authentication code for the current account and the given code matches it.
-sms_confirm_message(code) :: The SMS message to use for the given confirmation code.
-sms_confirm_response :: Return a response after successfully confirming SMS code during SMS setup. By default, redirects to +sms_confirm_redirect+.
-sms_confirm_view :: The HTML to use for the form to authenticate via SMS code.
-sms_confirmation_match?(code) :: Whether there is an active SMS confirmation code for the current account and the given code matches it.
-sms_current_auth? :: Whether there is a active SMS authentication code for the current account.
-sms_disable :: Action to take to disable SMS authentication for the account.
-sms_disable_response :: Return a response after successfully disabling SMS. By default, redirects to +sms_disable_redirect+.
-sms_disable_view :: The HTML to use for the form to disable SMS authentication.
-sms_failures :: The number of SMS authentication failures since the last successfully SMS authentication for this account.
-sms_locked_out? :: Whether SMS authentication has been locked out for the current account.
-sms_needs_confirmation? :: Whether SMS authentication has been setup but not confirmed for the current account.
-sms_needs_confirmation_response :: Return a response after successfully providing SMS number during SMS setup. By default, redirects to +sms_needs_confirmation_redirect+.
-sms_new_auth_code :: A new SMS authentication code that can be used for the account.
-sms_new_confirm_code :: A new SMS confirmation code that can be used for the account.
-sms_normalize_phone(phone) :: A normalized version of the given phone number, by default removing everything except 0-9.
-sms_record_failure :: Record an SMS authentication failure for the current account.
-sms_remove_expired_confirm_code :: Remove an expired SMS confirm code, allowing setup of a new sms confirm code.
-sms_remove_failures :: Reset the SMS authentication failure counter for the current account, used after a successful multifactor authentication.
-sms_request_response :: Return a response after a successful SMS request during SMS authentication. By default, redirects to +sms_auth_redirect+.
-sms_request_view :: The HTML to use for the form to request an SMS authentication code.
-sms_send(phone, message) :: Send the given message to the given phone number via SMS.  By default a NotImplementedError is raised, this is the only method that must be overridden. 
-sms_set_code(code) :: Set the SMS authentication code for the current account to the given code.  The code can be nil to specify that no SMS authentication code is currently valid.
-sms_setup :: Setup SMS authentication for the current account.
-sms_setup? :: Whether SMS authentication has been setup and confirmed for the current account.
-sms_setup_view :: The HTML to use for the form to setup SMS authentication.
-sms_valid_phone?(phone) :: Whether the given phone number is a valid phone number.