rodauth 2.36.0 → 2.37.0

data/doc/account_expiration.rdoc

@@ -1,41 +0,0 @@
-= Documentation for Account Expiration Feature
-
-The account expiration feature disallows access to accounts after
-a configurable amount of time since the last login or activity
-(default: 180 days since last login).  By default, this feature
-does not track activity times as that can slow things down, but if
-you want to record activity times, you can do so by adding the
-following code to your routing block:
-
-  rodauth.update_last_activity
-
-Note that it only makes sense to do this if you are also expiring
-accounts based on last activity instead of last login, via the
-+expire_account_on_last_activity?+ configuration setting.
-
-Note that this feature does not support the reenabling of expired
-accounts, that is something you would have to implement yourself,
-if you need such a feature.
-
-== Auth Value Methods
-
-account_activity_expired_column :: The column in the +account_activity_table+ storing the expiration timestamp.
-account_activity_id_column :: The column in the +account_activity_table+ storing the account id.
-account_activity_last_activity_column :: The column in the +account_activity_table+ storing the last activity timestamp.
-account_activity_last_login_column :: The column in the +account_activity_table+ storing the last login timestamp.
-account_activity_table :: The database table use for storing account login/activity/expiration timestamps.
-account_expiration_error_flash :: The flash error to show when attempting to login to an account that has expired.
-account_expiration_redirect :: Where to redirect after attempting to login to an account that has expired.
-expire_account_after :: How long in seconds from last login or activity until an account is considered expired.
-expire_account_on_last_activity? :: Whether to use the last activity timestamp when checking an account for expiration.  By default, this is false and it uses the last login timestamp.
-
-== Auth Methods
-
-account_expired? :: Whether the current account has expired.
-account_expired_at :: The expiration timestamp for the current account, nil if the account hasn't been expired.
-after_account_expiration :: Run arbitrary code after account expiration.
-last_account_activity_at :: The last activity timestamp for the current account, nil if the account hasn't had activity recorded yet.
-last_account_login_at :: The last login timestamp for the current account, nil if the account hasn't had a login recorded yet.
-set_expired :: Set the current account as having expired.
-update_last_activity :: Update the last activity timestamp for the account.
-update_last_login :: Update the last login timestamp for the account.

data/doc/active_sessions.rdoc

@@ -1,56 +0,0 @@
-= Documentation for Active Sessions Feature
-
-The active sessions feature stores an id for each session in a
-database table whenever a user logs in to the system.  In your
-routing block, you can check that the session id given is
-still listed as an active session:
-
-  rodauth.check_active_session
-
-On logout, the session id is removed from the database table,
-so attempts to reuse the session id after that will fail.
-Additionally, this supports an option on logout to globally
-logout all sessions, which removes all active session ids for
-the account from the database table.
-
-In addition to removing sessions on logout, this also by default
-supports session inactivity deadlines (based on time since last
-use) and session lifetime deadlines (based on time since session
-creation).  To prevent the sessions table from growing
-indefinitely, sessions that are passed either deadline are
-removed when checking if the current session is active.
-
-This depends on the logout feature.
-
-== Auth Value Methods
-
-active_sessions_account_id_column :: The column in the +active_sessions_table+ containing the account id.
-active_sessions_created_at_column :: The column in the +active_sessions_table+ containing the time of session creation.
-active_sessions_error_flash :: The flash error to display if the current session is no longer active.
-active_sessions_last_use_column :: The column in the +active_sessions_table+ containing the time the session was last used.
-active_sessions_redirect :: Where to redirect if the current session is no longer active.
-active_sessions_session_id_column :: The column in the +active_sessions_table+ containing the session_id.
-active_sessions_table :: The database table storing active session keys.
-global_logout_label :: The label for the global logout checkbox on the logout page.
-global_logout_param :: The parameter name for the global logout checkbox on the logout page.
-inactive_session_error_status :: The error status to use when a JSON request is made and the session is no longer active, 401 by default.
-session_id_session_key :: The session key name to use for storing the session id.
-session_inactivity_deadline :: The number of seconds since last use after which the session will be considered expired (1 day by default).  Can be set to nil to not check session inactivity.
-session_lifetime_deadline :: The number of seconds since session creation after which the session will be considered expired (30 days by default).   Can be set to nil to not check session lifetimes.
-update_current_session? :: Whether the update current session with +active_sessions_update_hash+. By default returns true if +session_inactivity_deadline+ is set.
-
-== Auth Methods
-
-active_sessions_insert_hash :: The hash to insert into the +active_sessions_table+.
-active_sessions_key :: The active session key for the current account.
-active_sessions_update_hash :: The hash to update the currently active session when +update_current_session?+ is true. By default updates last use to current time.
-add_active_session :: Create a session id for the session and populate the session and add the session id to the database.
-currently_active_session? :: Whether the session is currently active, by checking the database table.
-handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table.  Does nothing by default.  This should only be called if the random number generator is broken.
-no_longer_active_session :: What action to take if +rodauth.check_active_session+ is called and the session is no longer active.
-remove_active_session(session_id) :: Removes the active session matching the given session ID from the database. Useful for implementing session revoking.
-remove_all_active_sessions :: Remove all active sessions for the account from the database, used for global logouts and when closing accounts.
-remove_all_active_sessions_except_for(session_id) :: Remove all active sessions for the account from the database, except for the session id given.
-remove_all_active_sessions_except_current :: Remove all active sessions for the account from the database, except for the current session.
-remove_current_session :: Remove current session from the database, used for regular logouts.
-remove_inactive_sessions :: Remove inactive sessions from the database, run before checking for whether the current session is active.

data/doc/argon2.rdoc

@@ -1,54 +0,0 @@
-= Documentation for Argon2 Feature
-
-The argon2 feature adds the ability to replace the bcrypt password hash
-algorithm with argon2 (specifically, argon2id).  Argon2 is an alternative to
-bcrypt that offers the ability to be memory-hard.  However, argon2 is weaker
-than bcrypt for interactive login environments (e.g. password check times
-under a second), so for the vast majority of web applications, using the
-argon2 feature will weaken the application's security.  You should not use
-the argon2 feature unless the usage of argon2 is required or you are a
-cryptographer and understand why argon2 would be better than bcrypt for your
-application.
-
-If you are using this feature with Rodauth's database authentication functions,
-you need to make sure that the database authentication functions are configured
-to support argon2 in addition to bcrypt.  You can do this by passing the
-+:argon2+ option when calling the method to define the database functions.
-In this example, +DB+ should be your Sequel::Database object:
-
-  require 'rodauth/migrations'
-
-  # If the functions are already defined and you are not using PostgreSQL,
-  # you need to drop the existing functions.
-  Rodauth.drop_database_authentication_functions(DB)
-
-  # If you are using the disallow_password_reuse feature, also drop the
-  # database functions related to that if not using PostgreSQL:
-  Rodauth.drop_database_previous_password_check_functions(DB)
-
-  # Define new functions that support argon2:
-  Rodauth.create_database_authentication_functions(DB, argon2: true)
-
-  # If you are using the disallow_password_reuse feature, also define
-  # new functions that support argon2 for that:
-  Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
-
-The argon2 feature provides the ability to allow for a gradual migration
-from transitioning from bcrypt to argon2 and vice-versa, if you are using the
-update_password_hash feature.
-
-Argon2 is more configurable than bcrypt in terms of password hash cost
-speficiation.  Instead of specifying the password_hash_cost value as
-an integer, you must specify the password hash cost as a hash, such as
-(<tt>{t_cost: 2, m_cost: 16}</tt>).
-
-If you are using the argon2 feature and if you have no bcrypt passwords in
-your database, you should use <tt>require_bcrypt? false</tt> in your
-Rodauth configuration to prevent loading the bcrypt library, which will save
-memory.
-
-== Auth Value Methods
-
-argon2_old_secret :: The previous secret key used as input at hashing time, used for argon2_secret rotation.  In order to rotate the argon2_secret, you must also use the update_password_hash feature, and rotation will not be finished until all users have logged in using the new secret.
-argon2_secret :: A secret key used as input at hashing time, folded into the value of the hash.
-use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.

data/doc/audit_logging.rdoc

@@ -1,44 +0,0 @@
-= Documentation for Audit Logging Feature
-
-The audit logging feature adds audit logging of rodauth actions to a
-database table.  It ties into the after hook processing used by all
-features so that all features that use after hooks automatically
-support audit logging.
-
-In addition to the configuration methods defined below, the audit
-logging feature also offers two additional configuration methods
-for action specific audit log messages and metadata,
-+audit_log_message_for+ and +audit_log_metadata_for+.  These
-methods take the action symbol and either take a value or a
-block that returns a value to use for the message and metadata
-for that action:
-
-  audit_log_message_for :login, "I have logged in"
-  audit_log_metadata_for :logout, 'Uses'=>'JSON Metadata'
-
-  audit_log_message_for :login_failure do
-    "Login failure on domain #{request.host}"
-  end
-  audit_log_metadata_for :login_failure do
-    {'ip'=>request.ip}
-  end
-
-To skip audit logging for a particular action, you can set the
-log message for the action to nil.
-
-== Auth Value Methods
-
-audit_logging_account_id_column :: The id column in the +audit_logging_table+, should be a foreign key referencing the accounts table.
-audit_logging_message_column :: The message column in the +audit_logging_table+, containing the log message.
-audit_logging_metadata_column :: The metadata column in the +audit_logging_table+, storing metadata for the log (if any).
-audit_logging_table :: The name of the audit logging table.
-audit_log_metadata_default :: The default metadata to use for logs that do not have custom metadata specified by +audit_log_metadata_for+.
-
-== Auth Methods
-
-add_audit_log(account_id, action) :: Add an appropriate audit log entry for the account id and action.
-audit_log_insert_hash(account_id, action) :: A hash to use when inserting into the +audit_logging_table+.
-audit_log_message(action) :: The log message to use when logging the action, by default using +audit_log_message_for+ and +audit_log_message_default+.
-audit_log_message_default(action) :: The log message to use when logging the action for logs that do not have custom metadata specified by +audit_log_message_for+
-audit_log_metadata(action) :: The metadata to use when logging the action, by default using +audit_log_metadata_for+ and +audit_log_metadata_default+.
-serialize_audit_log_metadata(metadata) :: Serialize the metadata for insertion into the database.  By default, this converts the metadata using +to_json+, unless the metadata is nil.

data/doc/base.rdoc

@@ -1,123 +0,0 @@
-= Documentation for Base Feature
-
-The base feature is automatically loaded when you use Rodauth.  It contains
-shared functionality that is used by multiple features.
-
-== Auth Value Methods
-
-=== Most Commonly Used
-
-account_password_hash_column :: Set if the password hash column is in the same table as the login.  If this is set, Rodauth will check the password hash in ruby. This is often used if you are replacing a legacy authentication system with Rodauth.
-accounts_table :: The database table containing the accounts.
-base_url :: The base URL to use, used when construct absolute links. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.
-db :: The Sequel::Database object used for database access.
-domain :: The domain to use, required by some other features. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.
-hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is not set by default, in which case Rodauth does not use HMACs for additional security.  However, it is highly recommended that you set this, and some features require it.
-mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
-prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
-require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.
-session_key :: The key in the session hash storing the primary key of the logged in account.
-session_key_prefix :: The string that will be prepended to the default value for all session keys.
-skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.
-title_instance_variable :: The instance variable to set in the Roda scope with the page title.  The layout should use this instance variable if available to set the title of the page.  You can use +set_title+ if setting the page title is not done through an instance variable.
-
-=== Other
-
-account_id_column :: The primary key column of the +accounts_table+.
-account_open_status_value :: The integer representing open accounts.
-account_select :: An array of columns to select from +accounts_table+. By default, selects all columns in the table.
-account_status_column :: The status id column in the +accounts_table+.
-account_unverified_status_value :: The integer representating unverified accounts.
-authenticated_by_session_key :: The key in the session hash storing an array of methods used to authenticate.
-autocomplete_for_field?(param) :: Whether to use an autocomplete attribute for the given parameter, defaults to +mark_input_fields_with_autocomplete?+.
-autologin_type_session_key :: The key in the session hash storing the type of autologin method used, if autologin was used to authenticate.
-cache_templates :: Whether to cache templates. True by default. It may be worth switching this to false in development if you are using your own templates instead of the templates provided by Rodauth.
-check_csrf? :: Whether Rodauth should use Roda's +check_csrf!+ method for checking CSRF tokens before dispatching to Rodauth routes, true by default.
-check_csrf_opts :: Options to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
-check_csrf_block :: Proc for block to pass to Roda's +check_csrf!+ if Rodauth calls it before dispatching.
-convert_token_id_to_integer? :: Whether token ids should be converted to a valid 64-bit integer value.  If not set, defaults to true if +account_id_column+ uses an integer type, and false otherwise.
-default_field_attributes :: The default attributes to use for input field tags, if field_attributes returns nil for the field.
-default_redirect :: Where to redirect after most successful actions.
-field_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name).
-field_error_attributes(field) :: The attributes to use for the input field tags for the given field (parameter name), if the input has an error.
-flash_error_key :: The flash key to use for error messages (default: +:error+ or <tt>'error'</tt> depending on session support for symbols).
-flash_notice_key :: The flash key to use for notice messages (default: +:notice+ or <tt>'notice'</tt> depending on session support for symbols).
-formatted_field_error(field, error) :: HTML to use for error messages for the field (parameter name), if the field has an error.  By default, uses a span tag for the error message.
-hmac_old_secret :: This sets the previous secret used for Rodauth's HMACs, to allow for secret rotation.
-hook_action(hook_type, action) :: Arbitrary action to take on all hook processing, with hook type being +:before+ or +:after+, and action being symbol for related action.
-input_field_error_class :: The CSS class to use for input fields with errors. Can be a space separated string for multiple CSS classes.
-input_field_error_message_class :: The CSS class to use for error messages. Can be a space separated string for multiple CSS classes.
-input_field_label_suffix :: The suffix to use for all labels.  Useful for noting that the fields are required.
-inputmode_for_field?(param) :: Whether to use an inputmode attribute for the given parameter, defaults to mark_input_fields_with_inputmode?.
-invalid_field_error_status :: The response status to use for invalid field value errors, 422 by default.
-invalid_key_error_status :: The response status to use for invalid key codes, 401 by default.
-invalid_password_error_status :: The response status to use for invalid passwords, 401 by default.
-invalid_password_message :: The error message to display when a given password doesn't match the stored password hash.
-lockout_error_status :: The response status to use a login is attempted to an account that is locked out, 403 by default.
-login_column :: The login column in the +accounts_table+.
-login_input_type :: The input type to use for logins. Defaults to email if login column is email and text otherwise.
-login_label :: The label to use for logins.
-login_param :: The parameter name to use for logins.
-login_required_error_status :: The response status to return when a login is required and you are not logged in, if not redirecting, 401 by default
-login_uses_email? :: Whether the login field uses email, used to set the type of the login field as well as the autocomplete setting.
-mark_input_fields_with_autocomplete? :: Whether input fields should be marked with autocomplete attribute appropriate for the field, true by default.
-mark_input_fields_with_inputmode? :: Whether input fields should be marked with inputmode attribute appropriate for the field, true by default.
-max_param_bytesize :: The maximum bytesize allowed for submitted parameters, 1024 by default. Use nil for no limit.
-modifications_require_password? :: Whether making changes to an account requires the user reinputing their password.  True by default if the account has a password.
-no_matching_login_error_status :: The response status to use when the login is not in the database, 401 by default.
-no_matching_login_message :: The error message to display when the login used is not in the database.
-password_hash_column :: The password hash column in the +password_hash_table+.
-password_hash_id_column :: The account id column in the +password_hash_table+.
-password_hash_table :: The table storing the password hashes.
-password_label :: The label to use for passwords.
-password_param :: The parameter name to use for passwords.
-require_login_error_flash :: The flash error to display when accessing a page that requires a login, when you are not logged in.
-require_login_redirect :: A redirect to the login page.
-set_deadline_values? :: Whether deadline values should be set.  True by default on MySQL, as that doesn't support default values that are not constant.  Can be set to true on other databases if you want to vary the value based on a request parameter.
-strftime_format :: The format to pass to Time#strftime when formatting timestamps to display to the user, '%F %T' by default.
-template_opts :: Any template options to pass to view/render.  This can be used to set a custom layout, for example.
-token_separator :: The string used to separate account id from the random key in links.
-unmatched_field_error_status :: The response status to use when two field values should match but do not, 422 by default.
-unopen_account_error_status :: The response status to use when trying to login to an account that isn't open, 403 by default.
-use_database_authentication_functions? :: Whether to use functions to do authentication.  True by default on PostgreSQL, MySQL, and Microsoft SQL Server, false otherwise.
-use_date_arithmetic? :: Whether the date_arithmetic extension should be loaded into the database.  Defaults to whether deadline values should be set.
-use_request_specific_csrf_tokens? :: Whether to use request-specific CSRF tokens.  True if the default CSRF setting are used.
-
-== Auth Methods
-
-account_from_id(id, status_id=nil) :: Retrieve the account hash for the given account id and status.
-account_from_login(login) :: Retrieve the account hash related to the given login or nil if no login matches.
-account_from_session :: Retrieve the account hash related to the currently logged in session.
-account_id :: The primary key value of the current account.
-account_session_value :: The primary value of the current account to store in the session when logging in.
-after_login :: Run arbitrary code after a successful login.
-after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
-already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
-around_rodauth(&block) :: Run arbitrary code around handling any rodauth route.  Call <tt>super(&block)</tt> for Rodauth to handle the action.
-authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
-before_login :: Run arbitrary code after password has been checked, but before updating the session.
-before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.
-before_rodauth :: Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.
-check_csrf :: Checks CSRF token using Roda's +check_csrf!+ method.
-clear_session :: Clears the current session.
-convert_token_id(id) :: Convert the token id string to an appropriate object to use for the token id (or return +nil+ to signal an invalid token id).  By default, converts to a 64-bit signed integer if +convert_token_id_to_integer?+ is true.
-csrf_tag(path=request.path) :: The HTML fragment containing the CSRF tag to use, if any.
-function_name(name) :: The name of the database function to call.  It's passed either :rodauth_get_salt or :rodauth_valid_password_hash.
-logged_in? :: Whether the current session is logged in.
-login_required :: Action to take when a login is required to access the page and the user is not logged in.
-null_byte_parameter_value(key, value) :: The value to use for the parameter if the parameter includes an ASCII NUL byte ("\0"), nil by default to ignore the parameter.
-open_account? :: Whether the current account is an open account (not closed or unverified).
-over_max_bytesize_param_value(key, value) :: The value to use for the parameter if the parameter is over the maximum allowed bytesize, nil by default to ignore the parameter.
-password_match?(password) :: Check whether the given password matches the stored password hash.
-random_key :: A randomly generated string, used for creating tokens.
-redirect(path) :: Redirect the request to the given path.
-session_value :: The value for session_key in the current session.
-set_error_flash(message) :: Set the current error flash to the given message.
-set_error_reason(reason) :: You can override this method to customize handling of specific error types (does nothing by default).  Each separate error type has a separate reason symbol, you can see the {list of error reason symbols}[rdoc-ref:doc/error_reasons.rdoc].
-set_notice_flash(message) :: Set the next notice flash to the given message.
-set_notice_now_flash(message) :: Set the current notice flash to the given message.
-set_redirect_error_flash(message) :: Set the next error flash to the given message.
-set_title(title) :: Set the title of the page to the given title.
-translate(key, default_value) :: Return a translated version for the key (uses the default value by default).
-unverified_account_message :: The message to use when attempting to login to an unverified account.
-update_session :: Clear the session, then set the session key to the primary key of the current account.

data/doc/change_login.rdoc

@@ -1,25 +0,0 @@
-= Documentation for Change Login Feature
-
-The change login feature implements a form that a user can use to
-change their login.
-
-== Auth Value Methods
-
-change_login_additional_form_tags :: HTML fragment containing additional form tags to use on the change login form.
-change_login_button :: The text to use for the change login button.
-change_login_error_flash :: The flash error to show for an unsuccessful login change.
-change_login_notice_flash :: The flash notice to show after a successful login change.
-change_login_page_title :: The page title to use on the change login form.
-change_login_redirect :: Where to redirect after a sucessful login change.
-change_login_requires_password? :: Whether a password is required when changing logins.
-change_login_route :: The route to the change login action. Defaults to +change-login+.
-same_as_current_login_message :: The error message to display if using the same value as the current login when changing the login.
-
-== Auth Methods
-
-after_change_login :: Run arbitrary code after successful login change.
-before_change_login :: Run arbitrary code before changing a login.
-before_change_login_route :: Run arbitrary code before handling a change login route.
-change_login(login) :: Change the users login to the given login, or return nil/false if the login cannot be changed to the given login.
-change_login_response :: Return a response after a successful login change. By default, redirects to +change_login_redirect+.
-change_login_view :: The HTML to use for the change login form.

data/doc/change_password.rdoc

@@ -1,26 +0,0 @@
-= Documentation for Change Password Feature
-
-The change password feature implements a form that a user can use to
-change their password.
-
-== Auth Value Methods
-
-change_password_additional_form_tags :: HTML fragment containing additional form tags to use on the change password form.
-change_password_button :: The text to use for the change password button.
-change_password_error_flash :: The flash error to show for an unsuccessful password change.
-change_password_notice_flash :: The flash notice to show after a successful password change.
-change_password_page_title :: The page title to use on the change password form.
-change_password_redirect :: Where to redirect after a sucessful password change.
-change_password_requires_password? :: Whether a password is required when changing passwords.
-change_password_route :: The route to the change password action. Defaults to +change-password+.
-invalid_previous_password_message :: The message to use when the previous password was incorrect.  Defaults to +invalid_password_message+.
-new_password_label :: The label to use for the new password.
-new_password_param :: The parameter name to use for new passwords.
-
-== Auth Methods
-
-after_change_password :: Run arbitrary code after successful password change.
-before_change_password :: Run arbitrary code before changing the password for an account.
-before_change_password_route :: Run arbitrary code before handling a change password route.
-change_password_response :: Return a response after a successful password change. By default, redirects to +change_password_redirect+.
-change_password_view :: The HTML to use for the change password form.

data/doc/change_password_notify.rdoc

@@ -1,14 +0,0 @@
-= Documentation for Change Password Notify Feature
-
-The change password notify feature emails the user when their password
-is changed using the change password feature.
-
-== Auth Value Methods
-
-password_changed_email_body :: Body to use for the password changed emails
-password_changed_email_subject :: Subject to use for the password changed emails
-
-== Auth Methods
-
-create_password_changed_email :: A Mail::Message for the password changed email to send.
-send_password_changed_email :: Send the password changed email.

data/doc/close_account.rdoc

@@ -1,26 +0,0 @@
-= Documentation for Close Account Feature
-
-The close account feature allows users to close their accounts.
-
-== Auth Value Methods
-
-account_closed_status_value :: The integer representing closed accounts.
-close_account_additional_form_tags :: HTML fragment containing additional form tags to use on the close account form.
-close_account_button :: The text to use for the close account button.
-close_account_error_flash :: The flash error to show if there is an error closing the account.
-close_account_notice_flash :: The flash notice to show after closing the account.
-close_account_page_title :: The page title to use on the close account form.
-close_account_redirect :: Where to redirect after closing the account.
-close_account_requires_password? :: Whether a password is required when closing accounts.
-close_account_route :: The route to the close account action. Defaults to +close-account+.
-delete_account_on_close? :: Whether to delete the account when closing it, default value is to use +skip_status_checks?+.
-
-== Auth Methods
-
-after_close_account :: Run arbitrary code after closing the account.
-before_close_account :: Run arbitrary code before closing an account.
-before_close_account_route :: Run arbitrary code before handling a close account route.
-close_account :: Close the account, by default setting the account status to closed.
-close_account_response :: Return a response after successfully closing the account . By default, redirects to +close_account_redirect+.
-close_account_view :: The HTML to use for the close account form.
-delete_account :: If +delete_account_on_close?+ is true, delete the account when closing it.

data/doc/confirm_password.rdoc

@@ -1,32 +0,0 @@
-= Documentation for Confirm Password Feature
-
-The confirm password feature allows you to redirect users to a page to
-confirm their password.
-
-When confirming passwords, if authenticated via autologin, a remember token,
-or an email_auth token, switches the authentication type from that login
-method to password.
-
-== Auth Value Methods
-
-confirm_password_additional_form_tags :: HTML fragment containing additional form tags to use on the confirm password form.
-confirm_password_button :: The text to use for the confirm password button.
-confirm_password_error_flash :: The flash error to show if password confirmation is unsuccessful.
-confirm_password_link_text :: The text to use for the link from the two factor auth page.
-confirm_password_notice_flash :: The flash notice to show after password confirmed successful.
-confirm_password_page_title :: The page title to use on the confirm password form.
-confirm_password_redirect :: Where to redirect after successful password confirmation. By default, uses <tt>session[confirm_password_redirect_session_key]</tt> if set, allowing an easy way to redirect back to the page requesting password confirmation.
-confirm_password_redirect_session_key :: The session key used to check for the confirm_password_redirect.
-confirm_password_route :: The route to the confirm password form. Defaults to +confirm-password+.
-password_authentication_required_error_flash :: The flash error to show if going to a page requiring password confirmation.
-password_authentication_required_error_status :: The response status to use if going to a page requiring password confirmation, 401 by default.
-password_authentication_required_redirect :: Where to redirect when going to a page requiring password confirmation.
-
-== Auth Methods
-
-after_confirm_password :: Run arbitrary code after successful confirmation of password.
-before_confirm_password :: Run arbitrary code before setting that the password has been confirmed.
-before_confirm_password_route :: Run arbitrary code before handling the password confirmation route.
-confirm_password :: Update the session to reflect the password has been confirmed.
-confirm_password_response :: Return a response after successful password confirmation. By default, redirects to +confirm_password_redirect+.
-confirm_password_view :: The HTML to use for the confirm password form.

data/doc/create_account.rdoc

@@ -1,27 +0,0 @@
-= Documentation for Create Account Feature
-
-The create account feature allows users to create new accounts.
-
-== Auth Value Methods
-
-create_account_additional_form_tags :: HTML fragment containing additional form tags to use on the create account form.
-create_account_button :: The text to use for the create account button.
-create_account_error_flash :: The flash error to show for unsuccessful account creation.
-create_account_notice_flash :: The flash notice to show after successful account creation.
-create_account_page_title :: The page title to use on the create account form.
-create_account_redirect :: Where to redirect after creating the account.
-create_account_route :: The route to the create account action. Defaults to +create-account+.
-create_account_set_password? :: Whether to ask for a password to be set on the create account form.  Defaults to true if not verifying accounts.  If set to false, an alternative method to set the password should be used (assuming you want to allow password authentication).
-
-== Auth Methods
-
-after_create_account :: Run arbitrary code after creating the account.
-before_create_account :: Run arbitrary code before creating the account.
-before_create_account_route :: Run arbitrary code before handling a create account route.
-create_account_autologin? :: Whether to autologin the user upon successful account creation, true by default unless verifying accounts.
-create_account_link_text :: The text to use for a link to the create account form.
-create_account_response :: Return a response after successful account creation. By default, redirects to +create_account_redirect+.
-create_account_view :: The HTML to use for the create account form.
-new_account(login) :: Instantiate a new account hash for the given login, without saving it.
-save_account :: Insert the account into the database, or return nil/false if that was not successful.
-set_new_account_password :: Set the password for a new account if +account_password_hash_column+ is set, without saving.

data/doc/disallow_common_passwords.rdoc

@@ -1,17 +0,0 @@
-= Documentation for Disallow Common Passwords Feature
-
-The disallow common passwords feature disallows setting of a password
-that matches one of the most common passwords.  By default, a list of
-10,000 of the most common passwords is used, but you can supply your
-own file.  Using a larger list is recommended, but Rodauth doesn't
-ship with a larger list to avoid bloating the size of the gem.
-
-== Auth Value Methods
-
-most_common_passwords :: An object that responds to +include?+ which will return true if the password given is one of the most common passwords. Useful for custom password sets where they are not stored in files and kept in memory.
-most_common_passwords_file :: The path to the file containing the most common passwords, which are not allowed to be used for new passwords.  Defaults to a list of 10,000 most common passwords that ships with Rodauth.  Can be set to nil/false if you do not want to to load common passwords from a file.
-password_is_one_of_the_most_common_message :: The error message fragment to display if the given password matches one of the most common passwords.
-
-== Auth Methods
-
-password_one_of_most_common?(password) :: This can be used to override the default check for whether the given password is contained in the most_common_passwords_file.  This method may be useful when using very large password databases where you don't want to keep the list of most common passwords in memory.

data/doc/disallow_password_reuse.rdoc

@@ -1,30 +0,0 @@
-= Documentation for Disallow Password Reuse Feature
-
-The disallow password reuse feature disallows setting of a password
-that matches a number of previous passwords (6 by default).
-
-On databases where Rodauth supports the use of database authentication
-functions, Rodauth also supports the use of database functions for checking
-previous passwords, so previous password hashes enjoy the same database
-security as current password hashes.
-
-It is not recommended to use this feature unless you have a policy that
-requires it.  This will significantly slow down setting a new password
-due to the need to check all of the previous stored passwords.  Additionally,
-storing previous passwords means that if attackers can get access to the
-the database, they can get the previous stored passwords in addition to the
-current password.
-
-== Auth Value Methods
-
-password_same_as_previous_password_message :: The error message fragment to display if the given password is the same as a previous password.
-previous_password_account_id_column :: The column in the +previous_password_hash_table+ that stores the account id.
-previous_password_hash_column :: The column in the +previous_password_hash_table+ that stores the password hash.
-previous_password_hash_table :: The table storing previous password hashes.
-previous_password_id_column :: The column in the +previous_password_hash_table+ that stores the autoincrementing primary key.
-previous_passwords_to_check :: The number of previous password hashes to store and check.
-
-== Auth Methods
-
-add_previous_password_hash(hash) :: Add the given hash to the list of previous hashes for the current account.
-password_doesnt_match_previous_password?(password) :: Whether the password given matches any of the previous passwords.

data/doc/email_auth.rdoc

@@ -1,55 +0,0 @@
-= Documentation for Email Auth Feature
-
-The email auth feature implements passwordless login using links sent via email.  It is
-similar to the reset password feature, except you don't need to update
-a password, or even have a password to login.  It depends on the login and
-email_base features.
-
-== Auth Value Methods
-
-email_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth login form.
-email_auth_deadline_column :: The column name in the +email_auth_table+ storing the deadline after which the token will be ignored.
-email_auth_deadline_interval :: The amount of time for which to allow users to use email auth keys, 1 day by default. Only used if set_deadline_values? is true.
-email_auth_email_last_sent_column :: The email auth last sent column in the +email_auth_table+, storing the last time the email was sent. Set to nil to always send an email when requested.
-email_auth_email_recently_sent_error_flash :: The flash error to show if not sending an email auth email because another was sent recently.
-email_auth_email_recently_sent_redirect :: Where to redirect after not sending an email auth email because another was sent recently.
-email_auth_email_sent_notice_flash :: The flash notice to show after an email auth email has been sent.
-email_auth_email_sent_redirect :: Where to redirect after sending an email auth email.
-email_auth_email_subject :: The subject to use for email auth emails.
-email_auth_error_flash :: The flash error to show if unable to login using email authentication.
-email_auth_id_column :: The id column in the +email_auth_table+, should be a foreign key referencing the accounts table.
-email_auth_key_column :: The email auth key/token column in the +email_auth_table+.
-email_auth_key_param :: The parameter name to use for the email auth key.
-email_auth_page_title :: The page title to use on the email auth form.
-email_auth_request_additional_form_tags :: HTML fragment containing additional form tags to use on the email auth request form.
-email_auth_request_button :: The text to use for the email auth request button.
-email_auth_request_error_flash :: The flash error to show if not able to send an email auth email.
-email_auth_request_route :: The route to the email auth request action.  Defaults to +email-auth-request+.
-email_auth_route :: The route to the email auth action. Defaults to +email-auth+.
-email_auth_session_key :: The key in the session to hold the email auth key temporarily.
-email_auth_skip_resend_email_within :: The number of seconds required before sending another email auth email, 5 minutes by default.
-email_auth_table :: The name of the table storing email auth keys.
-force_email_auth? :: Whether email auth should be forced for the account.  False by default, which results in email auth only be used automatically if the account does not have a password.
-no_matching_email_auth_key_error_flash :: The flash error message to show if attempting to access the email auth form with an invalid key.
-
-== Auth Methods
-
-account_from_email_auth_key(key) :: Retrieve the account using the given email auth key, or return nil if no account matches.
-after_email_auth_request :: Run arbitrary code after sending the email auth email.
-before_email_auth_request :: Run arbitrary code before sending the email auth email.
-before_email_auth_request_route :: Run arbitrary code before handling an email auth request route.
-before_email_auth_route :: Run arbitrary code before handling an email auth route.
-create_email_auth_email :: A Mail::Message for the email auth email.
-create_email_auth_key :: Add the email auth key data to the database.
-email_auth_email_body :: The body to use for the email auth email.
-email_auth_email_link :: The link to the email auth form in the email auth email.
-email_auth_email_sent_response :: Return a response after successfully sending an email auth email. By default, redirects to +email_auth_email_sent_redirect+.
-email_auth_key_insert_hash :: The hash to insert into the +email_auth_table+.
-email_auth_key_value :: The email auth key for the current account.
-email_auth_request_form :: The HTML to use for a form to request an email auth email, shown on the login page after the user submits their login, if +force_email_auth?+ is false and email authentication is not the only possible for of authentication for the user.
-email_auth_view :: The HTML to use for the email auth form.
-get_email_auth_email_last_sent :: Get the last time an email auth email is sent, or nil if there is no last sent time.
-get_email_auth_key(id) :: Get the email auth key for the given account id from the database.
-remove_email_auth_key :: Remove the email auth key for the current account, run after successful email auth.
-send_email_auth_email :: Send the email auth email.
-set_email_auth_email_last_sent :: Set the last time an email auth email is sent.  This is only called if there is a previous email auth token still active.

data/doc/email_base.rdoc

@@ -1,18 +0,0 @@
-= Documentation for Email Base Feature
-
-The email base feature is automatically loaded when you use a Rodauth feature
-that requires sending emails.
-
-== Auth Value Methods
-
-allow_raw_email_token? :: When +hmac_secret+ is used, this allows the use of the raw token.  This should only be set to true temporarily during a transition period from using raw tokens to using HMACed tokens.  After the transition period, this should not be set, as setting this to true removes the security that HMACed tokens add.
-default_post_email_redirect :: Where to redirect after sending an email. This is the default redirect location for all redirects after an email is sent when the account is not logged in.  Also includes cases where an email is not sent due to rate limiting.
-email_from :: The from address to use for emails sent by Rodauth.
-email_subject_prefix :: The prefix to use for email subjects 
-require_mail? :: Set to false to not require mail, useful if using a different library for sending email.
-
-== Auth Methods
-
-create_email(subject, body) :: Return a Mail::Message instance with the given subject and body.
-email_to :: The email address to send emails to, by default the login of the current account.
-send_email(email) :: Deliver a given Mail::Message instance.