rodauth 2.36.0 → 2.37.0

data/CHANGELOG

@@ -1,521 +0,0 @@
-=== 2.36.0 (2024-07-23)
-
-* Add webauthn_modify_email feature for emailing when a WebAuthn authenticator is added or removed (jeremyevans)
-
-* Add account_from_id method for retrieving an account using the account id and optional status id (janko) (#431)
-
-* Add otp_modify_email feature for emailing when TOTP authentication is setup or disabled (jeremyevans)
-
-* Add otp_lockout_email feature for emailing when TOTP authentication is locked out or unlocked (jeremyevans)
-
-* Add strftime_format configuration method for configuring display of Time values to users (jeremyevans)
-
-* Add otp_unlock feature for unlocking TOTP authentication after it has been locked out (jeremyevans)
-
-* Make internal_request feature work with Roda path_rewriter plugin (jeremyevans) (#425)
-
-=== 2.35.0 (2024-05-28)
-
-* Handle internal_request_configuration blocks in superclasses (jeremyevans, bjeanes)
-
-* Avoid unused block warning on Ruby 3.4 (jeremyevans)
-
-* Add throw_rodauth_error method to make it possible to throw without setting a field error (jf) (#418)
-
-* Support logging out all active sessions for a loaded account that is not logged in (such as after resetting password) (enescakir) (#401)
-
-=== 2.34.0 (2024-03-22)
-
-* Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
-
-* Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
-
-* Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
-
-* Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
-
-* Override require_login_redirect in login feature to use login_path (janko) (#396)
-
-* Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
-
-* Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
-
-* Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)
-
-=== 2.33.0 (2023-12-21)
-
-* Expire SMS confirm code after 24 hours by default (jeremyevans)
-
-* Do not accidentally confirm SMS phone number on successful authentication of other second factor (Bertg) (#376, #377)
-
-* Return error response instead of 404 response for requests to valid pages with missing tokens (janko) (#375)
-
-* Do not override existing primary key value in the cached account when inserting a new account (janko) (#372)
-
-=== 2.32.0 (2023-10-23)
-
-* Remove use of Base64 in argon2 feature (jeremyevans)
-
-* Add sms_needs_confirmation_notice_flash configuration method, supporting different flash notice for successful submission (jeremyevans)
-
-* Support *_response configuration methods for overriding common notice flash/redirect handling in many features (HoneyryderChuck, jeremyevans) (#369)
-
-* Support hmac_secret rotation in the otp feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation in the email_base feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation in the webauthn feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation in the jwt_refresh feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation in the single_session feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation in the remember feature (jeremyevans) (#365)
-
-* Support hmac_secret rotation via hmac_old_secret configuration method in the active_sessions feature (jeremyevans) (#365)
-
-* Support argon2 secret rotation via argon2_old_secret configuration method and the update_password_hash feature (jeremyevans) (#365)
-
-* Support jwt secret rotation via jwt_old_secret configuration method, if using jwt 2.4+ (jeremyevans) (#365)
-
-=== 2.31.0 (2023-08-22)
-
-* Make clear_session work correctly for internal requests (janko) (#359)
-
-* Support webauthn_invalid_webauthn_id_message configuration method in the webauthn_autofill feature (janko) (#356)
-
-* Support webauth features in the internal_request feature (janko) (#355)
-
-* Allow WebAuthn login to count for two factors if user verification is provided (janko) (#354)
-
-* Allow explicit use of p_cost in argon2 feature if using argon2 2.1+ (estebanz01) (#353)
-
-* Add json_response_error? configuration method to json feature, for whether response indicates an error (opya) (#340)
-
-=== 2.30.0 (2023-05-22)
-
-* Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)
-
-* Add webauthn_autofill feature, for supporting autofill of webauthn information on the login form (janko) (#328)
-
-=== 2.29.0 (2023-03-22)
-
-* Support :render=>false plugin options (davekaro) (#319)
-
-* Add remove_active_session method for removing the active session for a given session id (janko) (#317)
-
-* Remove current active session when adding new active session (janko) (#314) 
-
-* Extend the remember cookie deadline once an hour by default while logged in (janko, jeremyevans) (#313)
-
-* Add account! method for returning associated account or loading account based on the session value (janko) (#309)
-
-=== 2.28.0 (2023-02-22)
-
-* Skip rendering reset password request form on invalid internal request logins (janko) (#303)
-
-* Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
-
-* Make password_hash method public (janko) (#299)
-
-* Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)
-
-=== 2.27.0 (2023-01-24)
-
-* Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
-
-* Hide WebAuthn text inputs by default when using Bootstrap (janko) (#294)
-
-* Attempt to avoid database errors when invalid tokens are submitted (jeremyevans)
-
-* Allow button template to be overridden just as other templates can be (jeremyevans) (#280)
-
-=== 2.26.1 (2022-11-08)
-
-* Fix regression in QR code generation in otp feature causing all black QR code (janko) (#279)
-
-=== 2.26.0 (2022-10-21)
-
-* Raise a more informative error when using a feature requiring hmac_secret but not setting hmac_secret (janko) (#271)
-
-* Limit parameter bytesize to 1024 by default, override with max_param_bytesize configuration method (jeremyevans)
-
-* Skip displaying links for disabled routes (janko) (#269)
-
-* Do not prefix flash keys with the session key prefix (jeremyevans) (#266)
-
-* Set configuration_name correctly for internal request classes (janko) (#265)
-
-* Add argon2_secret configuration method to the argon2 feature to specify the secret/pepper used for argon2 password hashes (janko) (#264)
-
-* Use white background instead of transparent background for QR code in otp feature (jeremyevans) (#256)
-
-=== 2.25.0 (2022-06-22)
-
-* Support disabling routes by passing nil/false to *_route methods (janko) (#245)
-
-=== 2.24.0 (2022-05-24)
-
-* Work around implicit null byte check added in bcrypt 3.1.18 by checking password requirements before other password checks (jeremyevans)
-
-* Fix invalid HTML on pages with OTP QR codes (jeremyevans)
-
-* Add recovery_codes_available? configuration method to the recovery_codes feature (janko) (#238)
-
-* Add otp_available? configuration method to the otp feature (janko) (#238)
-
-=== 2.23.0 (2022-04-22)
-
-* Don't automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
-
-* Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
-
-* Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
-
-* Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)
-
-=== 2.22.0 (2022-03-22)
-
-* Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
-
-* Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
-
-* Add reset_password_notify for emailing users after successful password resets (jeremyevans)
-
-* An email method can now be used in external features to DRY up email creation code (jeremyevans)
-
-* The change_password_notify feature now correctly handles template precompilation (jeremyevans)
-
-* Fix update_sms to update stored sms hash (bjeanes) (#222)
-
-=== 2.21.0 (2022-02-23)
-
-* Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
-
-* Make require_account public (janko) (#212)
-
-* Force specific date/time format when displaying webauthn last use time (jeremyevans)
-
-* Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)
-
-* Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)
-
-=== 2.20.0 (2022-01-24)
-
-* Change the default implementation of webauth_rp_id to not include the port (jeremyevans) (#203)
-
-* Make logout of all sessions in active_sessions plugin also remove remember key if using remember plugin (jeremyevans)
-
-=== 2.19.0 (2021-12-22)
-
-* Add login_maximum_bytes, setting the maximum number of bytes in a login, 255 by default (jeremyevans)
-
-* Add password_maximum_bytes, setting the maximum number of bytes in a password, nil by default for no limit (jeremyevans)
-
-* Add password_maximum_length, setting the maximum number of characters in a password, nil by default for no limit (jeremyevans)
-
-* Support multi-level inheritance of Rodauth::Auth (janko) (#191)
-
-* Allow internal_request feature to work correctly when loaded into custom Rodauth::Auth subclasses before loading into a Roda application (janko) (#190)
-
-* Assign internal subclass created by internal_request feature to the InternalRequest constant (janko) (#187)
-
-=== 2.18.0 (2021-11-23)
-
-* Allow JSON API access to /multifactor-manage to get links to setup/disable multifactor authentication endpoints (jeremyevans)
-
-* Allow JSON API access to /multifactor-auth to get links to possible multifactor authentication endpoints (jeremyevans)
-
-* Set configuration_name on class passed via :auth_class option if not already set (janko, jeremyevans) (#181)
-
-* Use viewbox: true option when creating QR code in otp feature, displays better and easier to style when using rqrcode 2+ (jeremyevans)
-
-* Make argon2 feature work with argon2 2.1.0 (jeremyevans)
-
-=== 2.17.0 (2021-09-24)
-
-* Make jwt_refresh work correctly with verify_account_grace_period (jeremyevans)
-
-* Use 4xx status code when attempting to login to or create an unverified account (janko) (#177, #178)
-
-=== 2.16.0 (2021-08-23)
-
-* Add Rodauth.lib for using Rodauth as a library (jeremyevans)
-
-* Make internal_request feature work if the configuration uses only_json? true (janko) (#176)
-
-=== 2.15.0 (2021-07-27)
-
-* Add path_class_methods feature, for getting paths/URLs using class methods (jeremyevans)
-
-* Make default base_url method use configured domain (janko) (#171)
-
-* Add internal_request feature, for interacting with Rodauth by calling methods (jeremyevans, janko)
-
-=== 2.14.0 (2021-06-22)
-
-* Make jwt_refresh feature allow refresh with expired access tokens even if prefix is not set correctly (jeremyevans) (#168)
-
-* Make internal account_in_unverified_grace_period? method handle accounts missing or unverified accounts (janko, jeremyevans) (#167)
-
-* Add remembered_session_id configuration method for getting session id from valid remember token if present (bjeanes) (#166)
-
-=== 2.13.0 (2021-05-22)
-
-* Make jwt_refresh expired access token support work when using rodauth.check_active_sessions before calling r.rodauth (renchap) (#165)
-
-* Update default templates to add classes for Bootstrap 5 compatibility (janko) (#164)
-
-* Add set_error_reason configuration method to allow applications more finer grained error handling (renchap, jeremyevans) (#162)
-
-=== 2.12.0 (2021-04-22)
-
-* Add configuration methods to active_sessions plugin to control the inserting and updating of rows (janko) (#159)
-
-=== 2.11.0 (2021-03-22)
-
-* Add same_as_current_login_message and contains_null_byte_message configuration methods to increase translatability (dmitryzuev) (#158)
-
-* Allow the rodauth plugin to be loaded without a block (janko) (#157)
-
-* Use new-password autocomplete value for the password fields on the reset password form (basabin54) (#155)
-
-* Support :auth_class plugin option, to use a specific class instead of creating a Rodauth::Auth subclass (janko) (#153)
-
-* Make Rodauth configuration work correctly if the rodauth plugin is loaded more than once (janko) (#152)
-
-=== 2.10.0 (2021-02-22)
-
-* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
-
-* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
-
-=== 2.9.0 (2021-01-22)
-
-* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
-
-* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
-
-=== 2.8.0 (2021-01-06)
-
-* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
-
-* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
-
-=== 2.7.0 (2020-12-22)
-
-* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
-
-* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
-
-* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
-
-* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
-
-* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
-
-=== 2.6.0 (2020-11-20)
-
-* Avoid loading features multiple times (janko) (#131)
-
-* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
-
-* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
-
-* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
-
-* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
-
-=== 2.5.0 (2020-10-22)
-
-* Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
-
-* Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
-
-=== 2.4.0 (2020-09-21)
-
-* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
-
-* Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
-
-=== 2.3.0 (2020-08-21)
-
-* Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
-
-* Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
-
-* Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
-
-* Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
-
-* Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
-
-* Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
-
-=== 2.2.0 (2020-07-20)
-
-* Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)
-
-* Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
-
-* Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
-
-* Reduce queries in #authenticated? and #require_authentication when using two factor authentication (janko) (#106)
-
-* Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
-
-* Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
-
-* Remove unnecessary conditionals (jeremyevans)
-
-* Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)
-
-=== 2.1.0 (2020-06-09)
-
-* Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
-
-* Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
-
-* Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
-
-* Add check_csrf configuration method to customize CSRF checking (janko) (#96)
-
-* Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
-
-* Don't consider account open if in unverified grace period without password (janko) (#92)
-
-=== 2.0.0 (2020-05-06)
-
-* Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
-
-* Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
-
-* Default otp_drift to 30 in the otp feature (jeremyevans)
-
-* Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
-
-* Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
-
-* Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
-
-* Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
-
-* HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
-
-* Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
-
-* Use a danger button when closing accounts (janko) (#83)
-
-* Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
-
-* Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
-
-* Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
-
-* Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
-
-* Add audit_logging feature, logging changes to a database table (jeremyevans)
-
-* Add hook_action configuration method, called after all before/after hooks (jeremyevans)
-
-* Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
-
-* Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
-
-* Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
-
-* Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
-
-* Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
-
-* Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
-
-* Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
-
-* Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
-
-* Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
-
-* Default to using Roda's route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
-
-* Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
-
-* Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
-
-* Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
-
-* Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
-
-* Make remember feature no longer depend on confirm_password (janko) (#79)
-
-* Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
-
-* Remove remembered_session_key configuration method, no longer needed (janko) (#80)
-
-* Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
-
-* Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
-
-* Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
-
-* Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
-
-* Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
-
-* Do not allow two factor authentication using same type as primary authentication (jeremyevans)
-
-* Do not require passwords by default if the account does not have a password (jeremyevans)
-
-* Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
-
-* Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
-
-* Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
-
-* Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
-
-* Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
-
-* Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
-
-* Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
-
-* Support and enable autocomplete attributes by default for fields (jeremyevans)
-
-* Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
-
-* Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
-
-* Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
-
-* Remove deprecated account_model configuration method (jeremyevans)
-
-* Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
-
-* Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
-
-* Change default setting of login_input_type to email if login_column is :email (jeremyevans)
-
-* Change default setting of mark_input_fields_as_required? to true (jeremyevans)
-
-* Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
-
-* Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
-
-* Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
-
-* Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
-
-* Add webauthn feature to handle WebAuthn authentication (jeremyevans)
-
-* Fix corner cases when disabling a second factor when multiple second factors have been setup (jeremyevans)
-
-* Don't override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
-
-* Add two factor auth, manage, and disable pages (jeremyevans)
-
-* Drop support for Ruby 1.8 (jeremyevans)
-
-=== Older
-
-See doc/CHANGELOG.old