rodauth 2.36.0 → 2.37.0

data/doc/jwt_refresh.rdoc

@@ -1,58 +0,0 @@
-= Documentation for JWT Refresh Feature
-
-The jwt_refresh feature adds support for a database-backed JWT refresh token,
-setting a short lifetime on JWT access tokens.
-
-When this feature is used, the access and refresh token are provided
-at login in the response body (the access token is still provided in the Authorization
-header), and for any subsequent POST to <tt>/jwt-refresh</tt>.
-
-Note that using the refresh token invalidates the token and creates
-a new access token with an updated lifetime.  However, it does not invalidate
-older access tokens.  Older access tokens remain valid until they expire.  You
-can use the active_sessions feature if you want previous access tokens to be invalid
-as soon as the refresh token is used.
-
-You can have multiple active refresh tokens active at a time, since each browser session
-will generally use a separate refresh token.  If you would like to revoke a refresh token
-when logging out, provide the refresh token when submitting the JSON request to logout.
-If you would like to remove all refresh tokens for the account when logging out, provide
-a value of <tt>all</tt> as the token value.
-
-When using the refresh token, you must provide a valid access token, as that contains
-information about the current session, which is used to create the new access token.
-If you change the +allow_refresh_with_expired_jwt_access_token?+ setting to +true+,
-an expired but otherwise valid access token will be accepted, and Rodauth will check
-that the access token was issued in the same session as the refresh token.
-
-This feature depends on the jwt feature.
-
-== Auth Value Methods
-
-allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+.  You must set an +hmac_secret+ if setting this value to +true+.
-expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
-expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
-jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
-jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
-jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
-jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
-jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
-jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
-jwt_refresh_token_data_session_key :: The key in the session hash storing random data, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
-jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
-jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
-jwt_refresh_token_hmac_session_key :: The key in the session hash storing the hmac, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
-jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
-jwt_refresh_token_key :: Name of the key in the response json holding the refresh token.  Default is +refresh_token+.
-jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.
-jwt_refresh_token_key_param :: Name of parameter in which the refresh token is provided when requesting a new token.  Default is +refresh_token+.
-jwt_refresh_token_table :: Name of the table holding refresh token keys.
-jwt_refresh_without_access_token_message :: Error message when trying to refresh with providing an access token.
-jwt_refresh_without_access_token_status :: The HTTP status code to use when trying to refresh without providing an access token.
-
-== Auth Methods
-
-account_from_refresh_token(token) :: Returns the account hash for the given refresh token.
-after_refresh_token :: Hooks for specific processing once the refresh token has been set.
-before_jwt_refresh_route :: Run arbitrary code before handling a jwt_refresh route.
-before_refresh_token :: Hooks for specific processing before the refresh token is computed.

data/doc/lockout.rdoc

@@ -1,73 +0,0 @@
-= Documentation for Lockout Feature
-
-The lockout feature implements bruteforce protection for accounts.
-It depends on the login feature.  If a user fails to login due to
-a password error more than a given number of times, their account
-gets locked out, and they are given an option to request an account
-unlock via an email sent to them.
-
-== Auth Value Methods
-
-account_lockouts_deadline_column :: The deadline column in the +account_lockouts_table+, containing the timestamp until which the account is locked out.
-account_lockouts_deadline_interval :: The amount of time for which to lock out accounts, 1 day by default. Only used if +set_deadline_values?+ is true.
-account_lockouts_email_last_sent_column :: The email last sent column in the +account_lockouts_table+.  Set to nil to always send an unlock account email when requested.
-account_lockouts_id_column :: The id column in the +account_lockouts_table+, should be a foreign key referencing the accounts table.
-account_lockouts_key_column :: The unlock key column in the +account_lockouts_table+.
-account_lockouts_table :: The table containing account lockout information.
-account_login_failures_id_column :: The id column in the +account_login_failures_table+, should be a foreign key referencing the accounts table.
-account_login_failures_number_column :: The column in the +account_login_failures_table+ containing the number of login failures for the account.
-account_login_failures_table :: The table containing number of login failures per account.
-login_lockout_error_flash :: The flash error to show if there if the account is or becomes locked out after a login attempt.
-max_invalid_logins :: The maximum number of failed logins before account lockout. As this feature is just designed for bruteforce protection, this defaults to 100.
-no_matching_unlock_account_key_error_flash :: The flash error message to show if attempting to access the unlock account form with an invalid key.
-unlock_account_additional_form_tags :: HTML fragment with additional form tags to use on the unlock account form.
-unlock_account_autologin? :: Whether to autologin users after successful account unlock. This defaults to true, as otherwise an attacker can prevent an account from logging in by continually locking out their account.
-unlock_account_button :: The text to use on the unlock account button.
-unlock_account_email_recently_sent_error_flash :: The flash error to show if not sending an unlock account email because another was sent recently.
-unlock_account_email_recently_sent_redirect :: Where to redirect after not sending an unlock account email because another was sent recently.
-unlock_account_email_subject :: The subject to use for the unlock account email.
-unlock_account_error_flash :: The flash error to display upon unsuccessful account unlock.
-unlock_account_explanatory_text :: The text to display above the button to unlock an account.
-unlock_account_key_param :: The parameter name to use for the unlock account key.
-unlock_account_notice_flash :: The flash notice to display upon successful account unlock.
-unlock_account_page_title :: The page title to use on the unlock account form.
-unlock_account_redirect :: Where to redirect after successful account unlock.
-unlock_account_request_additional_form_tags :: HTML fragment with additional form tags to use on the form to request an account unlock.
-unlock_account_request_button :: The text to use on the unlock account request button.
-unlock_account_request_explanatory_text :: The text to display above the button to request an account unlock.
-unlock_account_request_notice_flash :: The flash notice to display upon successful sending of the unlock account email.
-unlock_account_request_page_title :: The page title to use on the unlock account request form.
-unlock_account_request_redirect :: Where to redirect after the account unlock email is sent.
-unlock_account_request_route :: The route to the unlock account request action.  Defaults to +unlock-account-request+.
-unlock_account_requires_password? :: Whether a password is required when unlocking accounts, false by default.  May want to set to true if not allowing password resets.
-unlock_account_route :: The route to the unlock account action.  Defaults to +unlock-account+.
-unlock_account_session_key :: The key in the session to hold the unlock account key temporarily.
-unlock_account_skip_resend_email_within :: The number of seconds before sending another unlock account email, if +account_lockouts_email_last_sent_column+ is set.
-
-== Auth Methods
-
-account_from_unlock_key(key) :: Retrieve the account using the given verify account key, or return nil if no account matches.
-after_account_lockout :: Run arbitrary code after an account has been locked out.
-after_unlock_account :: Run arbitrary code after a successful account unlock.
-after_unlock_account_request :: Run arbitrary code after a successful account unlock request.
-before_unlock_account :: Run arbitrary code before unlocking an account.
-before_unlock_account_request :: Run arbitrary code before sending an account unlock email.
-before_unlock_account_request_route :: Run arbitrary code before handling an account unlock request route.
-before_unlock_account_route :: Run arbitrary code before handling an unlock account route.
-clear_invalid_login_attempts :: Clear any stored login failures or lockouts for the current account.
-create_unlock_account_email :: A Mail::Message for the account unlock email to send.
-generate_unlock_account_key :: A random string to use for a new unlock account key.
-get_unlock_account_email_last_sent :: Get the last time an unlock account email is sent, or nil if there is no last sent time.
-get_unlock_account_key :: Retrieve the unlock account key for the current account.
-invalid_login_attempted :: Record an invalid login attempt, incrementing the number of login failures, and possibly locking out the account.
-locked_out? :: Whether the current account is locked out.
-send_unlock_account_email :: Send the account unlock email.
-set_unlock_account_email_last_sent :: Set the last time an unlock_account email is sent.
-unlock_account :: Unlock the account.
-unlock_account_email_body :: The body to use for the unlock account email.
-unlock_account_email_link :: The link to the unlock account form to include in the unlock account email.
-unlock_account_key :: The unlock account key for the current account.
-unlock_account_request_response :: Return a response after successfully requesting an account unlock. By default, redirects to +unlock_account_request_redirect+.
-unlock_account_request_view :: The HTML to use for the unlock account request form.
-unlock_account_response :: Return a response after successfully unlocking an account. By default, redirects to +unlock_account_redirect+.
-unlock_account_view :: The HTML to use for the unlock account form.

data/doc/login.rdoc

@@ -1,39 +0,0 @@
-= Documentation for Login Feature
-
-The login feature implements a login page.  It's the most commonly
-used feature.
-
-In addition to the auth methods below, it provides a +login+ method that wraps
-+login_session+, running login hooks and redirecting to the configured
-location.
-
-  rodauth.account           #=> { id: 123, ... }
-  rodauth.login('password') # login the current account
-
-== Auth Value Methods
-
-login_additional_form_tags :: HTML fragment containing additional form tags to use on the login form.
-login_button :: The text to use for the login button.
-login_error_flash :: The flash error to show for an unsuccessful login.
-login_error_status :: The response status to use when using an invalid login or password to login, 401 by default.
-login_form_footer_links :: An array of entries for links to show on the login page.  Each entry is an array of three elements, sort order (integer), link href, and link text.
-login_form_footer_links_heading :: A heading to show before the login form footer links.
-login_notice_flash :: The flash notice to show after successful login.
-login_page_title :: The page title to use on the login form.
-login_redirect :: Where to redirect after a sucessful login.
-login_redirect_session_key :: The key in the session hash storing the location to redirect to after successful login.
-login_return_to_requested_location? :: Whether to redirect to the originally requested location after successful login when +require_login+ was used, false by default.
-login_route :: The route to the login action. Defaults to +login+.
-multi_phase_login_forms :: An array of entries for authentication methods that can be used to login when using multi phase login.  Each entry is an array of three elements, sort order (integer), HTML, and method to call if this entry is the only authentication method available (or nil to not call a method).
-multi_phase_login_page_title :: The page title to use on the login form after login has been entered when using multi phase login.
-need_password_notice_flash :: The flash notice to show during multi phase login after the login has been entered, when requesting the password.
-use_multi_phase_login? :: Whether to ask for login first, and only ask for password after asking for the login, false by default unless an alternative login feature such as email_auth or webauthn_login is used.
-
-== Auth Methods
-
-before_login_route :: Run arbitrary code before handling a login route.
-login_form_footer :: A message to display after the login form.
-login_response :: Return a response after a successful login. By default, redirects to +login_redirect+ (or the requested location if +login_return_to_requested_location?+ is true).
-login_return_to_requested_location_path :: If +login_return_to_requested_location?+ is true, the path to use as the requested location.  By default, uses the full path of the request for GET requests, and is nil for non-GET requests (in which case the default +login_redirect+ will be used).
-login_view :: The HTML to use for the login form.
-multi_phase_login_view :: The HTML to use for the login form after login has been entered when using multi phase login.

data/doc/login_password_requirements_base.rdoc

@@ -1,44 +0,0 @@
-= Documentation for Login Password Requirements Base Feature
-
-The login password requirements base feature is automatically loaded when you
-use a Rodauth feature that requires setting logins or passwords.
-
-== Auth Value Methods
-
-already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
-contains_null_byte_message :: The error message to display when the password contains a null byte (only used if parameters with null bytes are otherwise allowed).
-login_confirm_label :: The label to use for login confirmations.
-login_confirm_param :: The parameter name to use for login confirmations.
-login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
-login_email_regexp :: The regular expression used to validate whether login is a valid email address.
-login_maximum_bytes :: The maximum length for logins in bytes, 255 by default.
-login_maximum_length :: The maximum length for logins in characters, 255 by default.
-login_minimum_length :: The minimum length for logins in characters, 3 by default.
-login_not_valid_email_message :: The error message to display when login is not a valid email address.
-login_too_long_message :: The error message fragment to show if the login is too long.
-login_too_many_bytes_message :: The error message fragment to show if the login has too many bytes.
-login_too_short_message :: The error message fragment to show if the login is too short.
-logins_do_not_match_message :: The error message to display when login and login confirmation do not match.
-password_confirm_label :: The label to use for password confirmations.
-password_confirm_param :: The parameter name to use for password confirmations.
-password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
-password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
-password_maximum_bytes :: The maximum length for passwords in bytes, nil by default for no limit. bcrypt only uses the first 72 bytes of the password when creating the password hash, so if you are using bcrypt as the password hash function, you may want to set this to 72.
-password_maximum_length :: The maximum length for passwords in characters, nil by default for no limit.
-password_minimum_length :: The minimum length for passwords in characters, 6 by default.
-password_too_long_message :: The error message fragment to show if the password is too long.
-password_too_many_bytes_message :: The error message fragment to show if the password is has too many bytes.
-password_too_short_message :: The error message fragment to show if the password is too short.
-passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.
-require_email_address_logins? :: Whether logins need to be valid email addresses, true by default.
-require_login_confirmation? :: Whether login confirmations are required when changing logins or creating accounts.  True by default if not verifying the account.
-require_password_confirmation? :: Whether password confirmations are required when changing/resetting passwords and creating accounts.
-same_as_existing_password_message :: The error message to display when a new password is the same as the existing password.
-
-== Auth Methods
-
-login_meets_requirements?(login) :: Whether the given login meets the requirements.  By default, just checks that the login is a valid email address.
-login_valid_email?(login) :: Whether the login is a valid email address.
-password_hash(password) :: A hash of the given password.
-password_meets_requirements?(password) :: Whether the given password meets the requirements. Can be used to implement complexity requirements for passwords.
-set_password(password) :: Set the password for the current account to the given password.

data/doc/logout.rdoc

@@ -1,22 +0,0 @@
-= Documentation for Logout Feature
-
-The logout feature implements a logout button, which clears the session.
-It is the simplest feature.
-
-== Auth Value Methods
-
-logout_additional_form_tags :: HTML fragment containing additional form tags to use on the logout form.
-logout_button :: The text to use for the logout button.
-logout_notice_flash :: The flash notice to show after logout.
-logout_page_title :: The page title to use on the logout form.
-logout_redirect :: Where to redirect after a logout.
-logout_route :: The route to the logout action. Defaults to +logout+.
-
-== Auth Methods
-
-after_logout :: Run arbitrary code after logout.
-before_logout :: Run arbitrary code before logout.
-before_logout_route :: Run arbitrary code before handling a logout route.
-logout :: Log the user out, by default clearing the session.
-logout_response :: Return a response after a successful logout. By default, redirects to +logout_redirect+.
-logout_view :: The HTML to use for the logout form.

data/doc/otp.rdoc

@@ -1,93 +0,0 @@
-= Documentation for OTP Feature
-
-The otp feature implements multifactor authentication via time-based one-time
-passwords (TOTP).  It supports setting up TOTP authentication, logging
-in with TOTP authentication codes, and disabling TOTP authentication.
-
-The otp feature requires the rotp and rqrcode gems.
-
-== Auth Value Methods
-
-otp_already_setup_error_flash :: The flash error to show if going to the OTP setup page when OTP is already setup.
-otp_already_setup_redirect :: Where to redirect if going to the OTP setup page when OTP has already been setup.
-otp_auth_additional_form_tags :: HTML fragment containing additional form tags to use on the OTP authentication form.
-otp_auth_button :: Text to use for button on OTP authentication form.
-otp_auth_error_flash :: The flash error to show if unable to authenticate via OTP.
-otp_auth_failures_limit :: The number of allowed OTP authentication failures before locking out.
-otp_auth_form_footer :: A footer to display at the bottom of the OTP authentication form.
-otp_auth_label :: The label for the OTP authentication code.
-otp_auth_link_text :: The text to use for the link from the multifactor auth page.
-otp_auth_page_title :: The page title to use on the OTP authentication form.
-otp_auth_param :: The parameter name for the OTP authentication code.
-otp_auth_route :: The route to the OTP authentication action. Defaults to +otp-auth+.
-otp_class :: The class to use for OTP authentication (default: ROTP::TOTP)
-otp_digits :: The number of digits to use in OTP authentication codes (rotp's default is 6).
-otp_disable_additional_form_tags :: HTML fragment containing additional form tags to use on the form to disable OTP authentication.
-otp_disable_button :: The text to use for button on the form to disable OTP authentication.
-otp_disable_error_flash :: The flash error to show if unable to disable OTP authentication.
-otp_disable_link_text :: The text to use for the disable link from the multifactor manage page.
-otp_disable_notice_flash :: The flash notice to show after disabling OTP authentication.
-otp_disable_page_title :: The page title to use on the OTP disable form.
-otp_disable_redirect :: Where to redirect after disabling OTP authentication.
-otp_disable_route :: The route to the OTP disable action. Defaults to +otp-disable+.
-otp_drift :: The number of seconds the client and server are allowed to drift apart. The default is 30.  Can be set to nil to not allow drift.
-otp_interval :: The number of seconds in which to rotate TOTP auth codes (rotp's default is 30).
-otp_invalid_auth_code_message :: The error message to show when an invalid OTP authentication code is used.
-otp_invalid_secret_message :: The error message to show when an invalid OTP secret is submitted during OTP setup.
-otp_issuer :: The issuer to use in the OTP provisioning URL.  Defaults to +domain+.
-otp_keys_column :: The column in the +otp_keys_table+ containing the OTP secret.
-otp_keys_failures_column :: The column in the +otp_keys_table+ containing the number of OTP authentication failures.
-otp_keys_id_column :: The column in the +otp_keys_table+ containing the account id.
-otp_keys_last_use_column :: The column in +otp_keys_table+ containing the last authentication timestamp.
-otp_keys_table :: The table name containing the OTP secrets.
-otp_keys_use_hmac? :: Whether to use HMACs for OTP keys.  Defaults to whether +hmac_secret+ has been set.  Should be set to false if adding +hmac_secret+ to Rodauth where the otp feature is already in use, as otherwise it will render existing OTP keys invalid.
-otp_lockout_error_flash :: The flash error show show when OTP authentication has been locked out due to numerous authentication failures.
-otp_lockout_redirect :: Where to redirect if going to OTP authentication page and OTP authentication has been locked out.
-otp_provisioning_uri_label :: The label used when displaying the OTP provisioning URI during OTP setup.
-otp_secret_label :: The label used when displaying the OTP secret during OTP setup.
-otp_setup_additional_form_tags :: HTML fragment containing additional form tags when setting up OTP authentication.
-otp_setup_button :: Text for the button when setting up OTP authentication.
-otp_setup_error_flash :: The flash error to show if OTP authentication setup was not successful.
-otp_setup_link_text :: The text to use for the setup link from the multifactor manage page.
-otp_setup_notice_flash :: The flash notice to show if OTP authentication setup was successful.
-otp_setup_page_title :: The page title to use on the form to setup OTP authentication.
-otp_setup_param :: The parameter name used for the OTP secret when setting up OTP authentication.
-otp_setup_raw_param :: The parameter name used for the raw OTP secret when setting up OTP authentication, when +otp_keys_use_hmac?+ is true. 
-otp_setup_redirect :: Where to redirect after sucessful OTP authentication setup.
-otp_setup_route :: The route to the OTP setup action. Defaults to +otp-setup+.
-
-== Auth Methods
-
-after_otp_authentication_failure :: Run arbitrary code after OTP authentication failure.
-after_otp_disable :: Run arbitrary code after OTP authentication has been disabled.
-after_otp_setup :: Run arbitrary code after OTP authentication has been setup.
-before_otp_auth_route :: Run arbitrary code before handling an OTP authentication route.
-before_otp_authentication :: Run arbitrary code before OTP authentication.
-before_otp_disable :: Run arbitrary code before OTP authentication disabling.
-before_otp_disable_route :: Run arbitrary code before handling an OTP authentication disable route.
-before_otp_setup :: Run arbitrary code before OTP authentication setup.
-before_otp_setup_route :: Run arbitrary code before handling an OTP authentication setup route.
-otp :: The object used for verifying OTP authentication attempts.
-otp_add_key(secret) :: Add an OTP key for the current account with the given secret.
-otp_auth_view :: The HTML to use for the OTP authentication form.
-otp_available? :: Whether OTP authentication is ready for use.
-otp_disable_response :: Return a response after successfully disabling OTP . By default, redirects to +otp_disable_redirect+.
-otp_disable_view :: The HTML to use for the OTP disable form.
-otp_exists? :: Whether the current account has setup OTP.
-otp_key :: The stored OTP secret for the account.
-otp_last_use :: The last time OTP authentication was successful for the account.
-otp_locked_out? :: Whether the current account has been locked out of OTP authentication.
-otp_new_secret :: A new secret to use when setting up OTP.
-otp_provisioning_name :: The provisioning name to use during OTP setup, defaults to the account's email.
-otp_provisioning_uri :: The provisioning URI displayed during OTP setup.
-otp_qr_code :: The QR code containing the otp_provisioning_uri, by default an SVG image.
-otp_record_authentication_failure :: Record an OTP authentication failure.
-otp_remove :: Removes all stored OTP data for the current account.
-otp_remove_auth_failures :: Removes OTP authentication failures for the current account, used after successful multifactor authentication.
-otp_setup_response :: Return a response after successful OTP setup. By default, redirects to +otp_setup_redirect+.
-otp_setup_view :: The HTML to use for the form to setup OTP authentication.
-otp_tmp_key(secret) :: Set the secret to use for the temporary OTP key, during OTP setup.
-otp_update_last_use :: Update the last time OTP authentication was successful for the account.  Return true if the authentication should be allowed, or false if it should not be allowed because the last authentication was too recent and indicates the possible reuse of a TOTP authentication code.
-otp_valid_code_for_old_secret :: Called when valid OTP authentication is performed using hmac_old_secret.  This indicates the OTP needs to be rotated before support for the previous hmac secret value is removed.  You can use this to track users who need their OTP rotated, and take appropriate action.
-otp_valid_code?(auth_code) :: Whether the given code is the currently valid OTP auth code for the account.
-otp_valid_key?(secret) :: Whether the given secret is a valid OTP secret.

data/doc/otp_lockout_email.rdoc

@@ -1,30 +0,0 @@
-= Documentation for OTP Lockout Email Feature
-
-The otp_lockout_email feature emails users when:
-
-* TOTP authentication is locked out
-* TOTP authentication is unlocked
-* A TOTP unlock attempt has failed
-
-The otp_unlock_email feature depends on the otp_lockout and email_base features.
-
-== Auth Value Methods
-
-otp_locked_out_email_body :: Body to use for the email notifying user that TOTP authentication has been locked out.
-otp_locked_out_email_subject :: Subject to use for the email notifying user that TOTP authentication has been locked out.
-otp_unlock_failed_email_body :: Body to use for the email notifying user that there has been an unsuccessful attempt to unlock TOTP authentication.
-otp_unlock_failed_email_subject :: Subject to use for the email notifying user that there has been an unsuccessful attempt to unlock TOTP authentication.
-otp_unlocked_email_body :: Body to use for the email notifying user that TOTP authentication has been unlocked.
-otp_unlocked_email_subject :: Subject to use for the email notifying user that TOTP authentication has been unlocked.
-send_otp_locked_out_email? :: Whether to send an email when TOTP authentication is locked out.
-send_otp_unlock_failed_email? :: Whether to send an email when there has been an unsuccessful attempt to unlock TOTP authentication.
-send_otp_unlocked_email? :: Whether to send an email when TOTP authentication is unlocked.
-
-== Auth Methods
-
-create_otp_locked_out_email :: A Mail::Message for the email notifying user that TOTP authentication has been locked out.
-create_otp_unlock_failed_email :: A Mail::Message for the email notifying user that there has been an unsuccessful attempt to unlock TOTP authentication.
-create_otp_unlocked_email :: A Mail::Message for the email notifying user that TOTP authentication has been unlocked.
-send_otp_locked_out_email :: Send the email notifying user that TOTP authentication has been locked out.
-send_otp_unlock_failed_email :: Send the email notifying user that there has been an unsuccessful attempt to unlock TOTP authentication.
-send_otp_unlocked_email :: Send the email notifying user that TOTP authentication has been unlocked.

data/doc/otp_modify_email.rdoc

@@ -1,19 +0,0 @@
-= Documentation for OTP Modify Email Feature
-
-The otp_modify_email feature emails users when TOTP authentication is setup or disabled.
-
-The otp_modify_email feature depends on the otp and email_base features.
-
-== Auth Value Methods
-
-otp_disabled_email_body :: Body to use for the email notifying user that TOTP authentication has been disabled.
-otp_disabled_email_subject :: Subject to use for the email notifying user that TOTP authentication has been disabled.
-otp_setup_email_body :: Body to use for the email notifying user that TOTP authentication has been setup.
-otp_setup_email_subject :: Subject to use for the email notifying user that TOTP authentication has been setup.
-
-== Auth Methods
-
-create_otp_disabled_email :: A Mail::Message for the email notifying user that TOTP authentication has been disabled.
-create_otp_setup_email :: A Mail::Message for the email notifying user that TOTP authentication has been setup.
-send_otp_disabled_email :: Send the email notifying user that TOTP authentication has been disabled.
-send_otp_setup_email :: Send the email notifying user that TOTP authentication has been setup.

data/doc/otp_unlock.rdoc

@@ -1,58 +0,0 @@
-= Documentation for OTP Unlock Feature
-
-The otp_unlock feature implements unlocking of TOTP authentication after
-TOTP authentication.  The user must consecutively successfully authenticate
-with TOTP multiple times (default: 3) within a given time period (15 minutes
-per attempt) in order to unlock TOTP authentication.  By requiring
-consecutive successful unlocks, with a delay after failure, it is infeasible
-to brute force the TOTP unlock process.
-
-The otp_unlock feature depends on the otp feature.
-
-== Auth Value Methods
-
-otp_unlock_additional_form_tags :: HTML fragment containing additional form tags to use on the OTP unlock form.
-otp_unlock_auth_deadline_passed_error_flash :: The flash error to show if attempting to unlock OTP after the deadline for submittal has passed.
-otp_unlock_auth_deadline_passed_error_status :: The response status to use if attempting to unlock OTP after the deadline for submittal has passed, 403 by default.
-otp_unlock_auth_failure_cooldown_seconds :: The number of seconds the user must wait to attempt OTP unlock again after a failed OTP unlock attempt.
-otp_unlock_auth_failure_error_flash :: The flash error to show if attempting to unlock OTP using an incorrect authentication code.
-otp_unlock_auth_failure_error_status :: The response status to use if attempting to unlock OTP using an incorrect authentication code, 403 by default.
-otp_unlock_auth_not_yet_available_error_flash :: The flash error to show if attempting to unlock OTP when doing so is not yet available due to a recent attempt.
-otp_unlock_auth_not_yet_available_error_status :: The response status to use if attempting to unlock OTP when doing so is not yet available due to a recent attempt, 403 by default.
-otp_unlock_auth_success_notice_flash :: The flash notice to show upon successful unlock authentication, when additional unlock authentication is still needed.
-otp_unlock_auths_required :: The number of consecutive successful authentication attempts needed to unlock OTP authentication, 3 by default.
-otp_unlock_button :: Text to use for button on OTP unlock form.
-otp_unlock_consecutive_successes_label :: Text to show next to the number of consecutive successful authentication attempts the user has already made.
-otp_unlock_deadline_seconds :: The number of seconds between a previously successful authentication attempt and the next successful authentication attempt. This defaults to twice the amount of time of the OTP interval (30 seconds) plus twice the amount of allowed drift (30 seconds), for a total of 120 seconds.  This is to make sure the same OTP code cannot be used more than one when unlocking.
-otp_unlock_form_footer :: A footer to display at the bottom of the OTP unlock form.
-otp_unlock_id_column :: The column in the +otp_unlock_table+ containing the account id.
-otp_unlock_next_auth_attempt_after_column :: The column in the +otp_unlock_table+ containing a timestamp for when the user can next try an authentication attempt.
-otp_unlock_next_auth_attempt_label :: Text to show next to the time when the next unlock authentication attempt will be allowed.
-otp_unlock_next_auth_attempt_refresh_label :: Text to show explaining that the page will refresh when the next unlock authentication attempt will be allowed.
-otp_unlock_next_auth_deadline_label :: Text to show next to the deadline for unlock authentication.
-otp_unlock_not_available_page_title :: The page title to use on the page letting users know they need to wait to unlock OTP authentication.
-otp_unlock_not_locked_out_error_flash :: The flash error to show if attempting to access the OTP unlock page when OTP authentication is not locked out.
-otp_unlock_not_locked_out_error_status :: The response status to use if attempting to access the OTP unlock page when OTP authentication is not locked out, 403 by default.
-otp_unlock_not_locked_out_redirect :: Where to redirect if attempting to access the OTP unlock page when OTP authentication is not locked out.
-otp_unlock_num_successes_column :: The column in the +otp_unlock_table+ containing the number of consecutive successful authentications.
-otp_unlock_page_title :: The page title to use on the OTP unlock form.
-otp_unlock_refresh_tag :: The meta refresh tag HTML to use to force a refresh of the page.  This can be overridden to use a different refresh approach.
-otp_unlock_required_consecutive_successes_label :: Text to show next to the number of consecutive successful authentication attempts the user is required to make to unlock OTP authentication.
-otp_unlock_route :: The route to the OTP unlock action. Defaults to +otp-unlock+.
-otp_unlock_table :: The table name containing the OTP unlock information.
-otp_unlocked_notice_flash :: The flash notice to show when OTP authentication is successfully fully unlocked.
-otp_unlocked_redirect :: Where to redirect when OTP authentication is successfully fully unlocked.
-
-== Auth Methods
-
-after_otp_unlock_auth_failure :: Run arbitrary code after OTP unlock authentication failure.
-after_otp_unlock_auth_success :: Run arbitrary code after OTP unlock authentication success.
-after_otp_unlock_not_yet_available :: Run arbitrary code when attempting OTP unlock when it is not yet available.
-before_otp_unlock_attempt :: Run arbitrary code before checking whether OTP unlock authentication code is valid.
-before_otp_unlock_route :: Run arbitrary code before handling an OTP unlock route.
-otp_unlock_auth_failure :: Handle a authentication failure when trying to unlock.  By default, this sets the number of consecutive successful authentication attempts to 0, and forces a significant delay before the next unlock authentication attempt can be made.
-otp_unlock_auth_success :: Handle a authentication failure when trying to unlock.  By default, this increments the number of consecutive successful authentication attempts, and imposes a short delay before the next unlock authentication attempt can be made (to ensure the code cannot be reused).
-otp_unlock_available? :: Returns whether it is possible to unlock OTP authentication. This assumes that OTP is already locked out.
-otp_unlock_deadline_passed? :: Returns whether the deadline to submit an OTP unlock authentication code has passed.
-otp_unlock_not_available_view :: The HTML to use for the page when the OTP unlock form is not yet available due to a recent unlock authentication attempt.
-otp_unlock_view :: The HTML to use for the OTP unlock form.

data/doc/password_complexity.rdoc

@@ -1,34 +0,0 @@
-= Documentation for Password Complexity Feature
-
-The password complexity feature implements more sophisticated password
-complexity checks.  It is not recommended to use this feature unless
-you have a policy that requires it, as users that would not choose a
-good password in the absense of password complexity requirements are
-unlikely to choose a good password if you have password complexity
-requirements.
-
-Checks:
-
-* Contains characters in multiple character groups, by default at
-  least 3 of uppercase letters, lowercase letters, numbers, and
-  everything else, unless the password is over 11 characters.
-* Does not contain any invalid patterns, by default patterns like
-  +qwerty+, +azerty+, +asdf+, +zxcv+, or number sequences such as +123+.
-* Does not contain a certain number of repeating characters, by default 3.
-* Is not a dictionary word, after stripping off numbers from the prefix
-  and suffix and replacing some common numbers/symbols often substituted
-  for letters, catching things like <tt>P@$$w0rd1</tt>.
-
-== Auth Value Methods
-
-password_character_groups :: An array of regular expressions representing different character groups.
-password_dictionary :: A Array/Hash/Set containing dictionary words, which cannot match the password.
-password_dictionary_file :: A file containing dictionary words, which will not be allowed.  By default, <tt>/usr/share/dict/words</tt> if present.  Set to false to not use a password dictionary. Note that this is only used during initialization, and cannot refer to request-specific state, unlike most other settings.
-password_in_dictionary_message :: The error message fragment to show if the password is derived from a word in a dictionary.
-password_invalid_pattern :: A regexp where any match is considered an invalid password.  For multiple sequences, use +Regexp.union+.
-password_invalid_pattern_message :: The error message fragment to show if the password matches the invalid pattern.
-password_max_length_for_groups_check :: The number of characters above which to skip the checks for character groups.
-password_max_repeating_characters :: The maximum number of repeating characters allowed.
-password_min_groups :: The minimum number of character groups the password has to contain if it is less than +password_max_length_for_groups_check+ characters.
-password_not_enough_character_groups_message :: The error message fragment to show if the password does not contain characters from enough character groups.
-password_too_many_repeating_characters_message :: The error message fragment to show if the password contains too many repeating characters.

data/doc/password_expiration.rdoc

@@ -1,38 +0,0 @@
-= Documentation for Password Expiration Feature
-
-The password expiration feature requires that users change their
-password on login if it has expired (default: every 90 days). You can
-force password expiration checks for all logged in users by adding
-the following code to your route block:
-
-   rodauth.require_current_password
-
-Additionally, you can set a minimum amount of time after a password
-is changed until it can be changed again.  By default this is not
-enabled, but it can be enabled by setting +allow_password_change_after+
-to a positive number of seconds.
-
-It is not recommended to use this feature unless you have a policy that
-requires it, as password expiration in general results in users chosing
-weaker passwords.  When asked to change their password, many users choose
-a password that is based on their previous password, so forcing password
-expiration is in general a net loss from a security perspective.
-
-== Auth Value Methods
-
-allow_password_change_after :: How long in seconds after the last password change until another password change is allowed (always allowed by default).
-password_change_needed_redirect :: Where to redirect if a password needs to be changed.
-password_changed_at_session_key :: The key in the session storing the timestamp the password was changed at.
-password_expiration_changed_at_column :: The column in the +password_expiration_table+ containing the timestamp
-password_expiration_default :: If the last password change time for an account cannot be determined, whether to consider the account expired, false by default.
-password_expiration_error_flash :: The flash error to display when the account's password has expired and needs to be changed.
-password_expiration_id_column :: The column in the +password_expiration_table+ containing the account's id.
-password_expiration_table :: The table holding the password last changed timestamps.
-password_not_changeable_yet_error_flash :: The flash error to display when not enough time has elapsed since the last password change and an attempt is made to change the password.
-password_not_changeable_yet_redirect :: Where to redirect if the password cannot be changed yet.
-require_password_change_after :: How long in seconds until a password change is required (90 days by default).
-
-== Auth Methods
-
-password_expired? :: Whether the password has expired for the related account.
-update_password_changed_at :: Update the password last changed timestamp for the current account.

data/doc/password_grace_period.rdoc

@@ -1,24 +0,0 @@
-= Documentation for Password Grace Period Feature
-
-The password grace period feature keeps track of the last time the
-user entered their password in the session, and doesn't require they reenter their
-password for account modifications if they recently entered it correctly.
-
-If you would like to provide extra security before certain routes, you can use
-the confirm password feature to require users to reenter their password if they
-haven't entered it recently:
-
-  rodauth.require_password_authentication
-
-By default, this does not redirect if the session has been authenticated via
-password, but with the password_grace_period feature, it also redirects if the
-password has not been entered recently.
-
-== Auth Value Methods
-
-last_password_entry_session_key :: The session key in which to store the last password entry time.
-password_grace_period :: The number of seconds after a password entry until password reentry is required, 300 by default (5 minutes).
-
-== Auth Methods
-
-password_recently_entered? :: Whether the password has last been entered within the grace period.

data/doc/password_pepper.rdoc

@@ -1,52 +0,0 @@
-= Documentation for Password Pepper Feature
-
-The password pepper feature appends a specified secret string to passwords
-before they are hashed. This way, if the password hashes get compromised, an
-attacker cannot use them to crack the passwords without also knowing the
-pepper.
-
-In the configuration block set the +password_pepper+ with your secret string.
-It's recommended for the password pepper to be at last 32 characters long and
-randomly generated.
-
-  password_pepper "<long secret key>"
-
-If your database already contains password hashes that were created without a
-password pepper, these will get automatically updated with a password pepper
-next time the user successfully enters their password.
-
-If you're using bcrypt (default), you should set +password_maximum_bytes+ so
-that password + pepper don't exceed 72 bytes. This is because bcrypt truncates
-passwords longer than 72 bytes, enabling an attacker to crack the pepper if the
-password bytesize is unlimited. If you're using argon2, you should probably set
-+argon2_secret+ instead of using this feature.
-
-== Pepper Rotation
-
-You can rotate the password pepper as well, just make sure to add the previous
-pepper to the +previous_password_peppers+ array. Password hashes using the old
-pepper will get automatically updated on the next successful password match.
-
-  password_pepper "new pepper"
-  previous_password_peppers ["old pepper", ""] 
-
-The empty string above ensures password hashes without pepper are handled as
-well.
-
-Note that each entry in +previous_password_peppers+ will multiply the amount of
-possible password checks during login, at least for incorrect passwords.
-
-Additionally, when using this feature with the disallow_password_reuse feature,
-the number of passwords checked when changing or resetting a password will be
-
-  (previous_password_peppers.length + 1) * previous_passwords_to_check
-
-So if you have 2 entries in +previous_password_peppers+, using the default
-value of 6 for +previous_passwords_to_check+, every time a password
-is changed, there will be 18 password checks done, which will be quite slow.
-
-== Auth Value Methods
-
-password_pepper :: The secret string appended to passwords before they are hashed.
-previous_password_peppers :: An array of password peppers that will be tried on an unsuccessful password match. Defaults to <tt>[""]</tt>, which allows introducing this feature with existing passwords.
-password_pepper_update? :: Whether to update password hashes that use a pepper from +previous_password_peppers+ with a new pepper. Defaults to +true+.

data/doc/path_class_methods.rdoc

@@ -1,10 +0,0 @@
-= Documentation for Path Class Methods Feature
-
-The path class methods feature allows for calling the *_path and *_url
-methods directly on the class, as opposed to an instance of the class.
-
-In order for the *_url methods to be used, you must use the base_url
-configuration so that determining the base URL doesn't depend on the
-submitted request, as the request will not be set when using the
-class method. Failure to do this will probably result in a NoMethodError
-being raised.