rodauth 2.5.0 → 2.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e85b192c01a27f50a917584cb3d0f09e947152c116b022f955d2c7c03ff43f7a
-  data.tar.gz: a4d87aa35b1ae50b5901495b8062ad3a2ad25695b46d4fa91b30d8439a4b7ab1
+  metadata.gz: 5286a570d72b6bc951ca489e12a696a4c2348d789d09f2782cfbd3521e63ee6d
+  data.tar.gz: be5d4e5bef18f6f62978bc84e07da1c4b31db4f03bf104d01abf8510812c5719
 SHA512:
-  metadata.gz: '000885791eb76a2f283e2f243d281c6c103cdd35ad3b8e15b2510d20e7a05db19bee9a30a5ca9d2fc536a46007fe169674aa799698ad83eac292fd5475d9beb8'
-  data.tar.gz: c73dfb2edd91f6a2d134494504ca0042f7357380ea9dbcb495b7265d25c0fdc62a8cadb07cf5182e330e1bf935c608e9f01f943dfdb21084bf08147848b67026
+  metadata.gz: 98a849b965bfee4d80b8b6f6fc286d22f57673bf37da4e2cb338c114275795b665e46b561781f688dbb2ddfdd312e8b393f545d1920ac9f83024e042ff97cee0
+  data.tar.gz: 46da808a9d2e38c647339eed1554183b0e175fb3dbf4fd04d49d78015ff523bc0960091b3643bbc3913cfce88b7f78a240bd1857002de889a2d9455f106e4e03

data/CHANGELOG

@@ -1,3 +1,45 @@
+=== 2.10.0 (2021-02-22)
+
+* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
+
+* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
+
+=== 2.9.0 (2021-01-22)
+
+* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
+
+* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
+
+=== 2.8.0 (2021-01-06)
+
+* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
+
+* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
+
+=== 2.7.0 (2020-12-22)
+
+* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
+
+* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
+
+* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
+
+* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
+
+* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
+
+=== 2.6.0 (2020-11-20)
+
+* Avoid loading features multiple times (janko) (#131)
+
+* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
+
+* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
+
+* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
+
+* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
+
 === 2.5.0 (2020-10-22)
 
 * Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020 Jeremy Evans
+Copyright (c) 2015-2021 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -52,10 +52,12 @@ HTML and JSON API for all supported features.
 * Session Expiration
 * Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
 * Single Session (Only one active session per account)
-* JWT (JSON API support for all other features)
+* JSON (JSON API support for all other features)
+* JWT (JSON Web Token support for all other features)
 * JWT Refresh (Access & Refresh Token)
 * JWT CORS (Cross-Origin Resource Sharing)
 * Update Password Hash (when hash cost changes)
+* Argon2
 * HTTP Basic Auth
 * Change Password Notify
 
@@ -79,8 +81,10 @@ rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
              tokens).
-bcrypt :: Used by default for password matching, can be skipped
+bcrypt :: Used by default for password hashing, can be skipped
           if password_match? is overridden for custom authentication.
+argon2 :: Used by the argon2 feature as alternative to bcrypt for
+          password hashing.
 mail :: Used by default for mailing in the reset password, verify
         account, verify_login_change, change_password_notify,
         lockout, and email_auth features.
@@ -105,7 +109,7 @@ correctly without it.  There may be cases where you cannot use
 this feature, such as when using a different database or when you
 do not have full control over the database you are using.
 
-Passwords are hashed using bcrypt, and the password hashes are
+Passwords are hashed using bcrypt by default, and the password hashes are
 kept in a separate table from the accounts table, with a foreign key
 referencing the accounts table.  Two database functions are added,
 one to retrieve the salt for a password, and the other to check
@@ -332,7 +336,7 @@ things for the schema changes:
     foreign_key :id, Sequel[:${DATABASE_NAME}][:accounts], :primary_key=>true, :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_authentication_functions(self, :table_name=>"${DATABASE_NAME}_password.account_password_hashes")
+  Rodauth.create_database_authentication_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_password_hashes])
 
   # if using the disallow_password_reuse feature:
   create_table(:account_previous_password_hashes) do
@@ -340,7 +344,7 @@ things for the schema changes:
     foreign_key :account_id, Sequel[:${DATABASE_NAME}][:accounts], :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_previous_password_check_functions(self, :table_name=>"${DATABASE_NAME}_password.account_previous_password_hashes")
+  Rodauth.create_database_previous_password_check_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_previous_password_hashes])
 
 You'll also need to use the following Rodauth configuration methods so that the
 app account calls functions in a separate schema:
@@ -862,6 +866,7 @@ view the appropriate file in the doc directory.
 * {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
 * {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
 * {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
+* {Argon2}[rdoc-ref:doc/argon2.rdoc]
 * {Change Login}[rdoc-ref:doc/change_login.rdoc]
 * {Change Password}[rdoc-ref:doc/change_password.rdoc]
 * {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]
@@ -872,6 +877,7 @@ view the appropriate file in the doc directory.
 * {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
 * {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
 * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
+* {JSON}[rdoc-ref:doc/json.rdoc]
 * {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
 * {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
 * {JWT}[rdoc-ref:doc/jwt.rdoc]
@@ -1320,7 +1326,13 @@ use the necessary *_email_body configuration options to specify
 the body of the emails.
 
 The JWT feature enables JSON API support for all of the other features
-that Rodauth ships with.
+that Rodauth ships with. If you would like JSON API access that still uses
+rack session for storing session data, enable the JSON feature instead:
+
+  plugin :rodauth, :json=>true do
+    enable :login, :logout, :json
+    only_json? true # if you want to only handle JSON requests
+  end
 
 === Adding Custom Methods to the +rodauth+ Object
 

data/doc/argon2.rdoc

@@ -0,0 +1,49 @@
+= Documentation for Argon2 Feature
+
+The argon2 feature adds the ability to replace the bcrypt password hash
+algorithm with argon2 (specifically, argon2id).  Argon2 is an alternative to
+bcrypt that offers the ability to be memory-hard.  However, if you are storing
+password hashes in a table that the database user does not have access to
+(the recommended way to use Rodauth), argon2 does not offer significant
+security advantages over bcrypt.
+
+If you are using this feature with Rodauth's database authentication functions,
+you need to make sure that the database authentication functions are configured
+to support argon2 in addition to bcrypt.  You can do this by passing the
++:argon2+ option when calling the method to define the database functions.
+In this example, +DB+ should be your Sequel::Database object:
+
+  require 'rodauth/migrations'
+
+  # If the functions are already defined and you are not using PostgreSQL,
+  # you need to drop the existing functions.
+  Rodauth.drop_database_authentication_functions(DB)
+
+  # If you are using the disallow_password_reuse feature, also drop the
+  # database functions related to that if not using PostgreSQL:
+  Rodauth.drop_database_previous_password_check_functions(DB)
+
+  # Define new functions that support argon2:
+  Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+  # If you are using the disallow_password_reuse feature, also define
+  # new functions that support argon2 for that:
+  Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+The argon2 feature provides the ability to allow for a gradual migration
+from transitioning from bcrypt to argon2 and vice-versa, if you are using the
+update_password_hash.
+
+Argon2 is more configurable than bcrypt in terms of password hash cost
+speficiation.  Instead of specifying the password_hash_cost value as
+an integer, you must specify the password hash cost as a hash, such as
+(<tt>{t_cost: 2, m_cost: 16}</tt>).
+
+If you are using the argon2 feature and if you have no bcrypt passwords in
+your database, you should use <tt>require_bcrypt? false</tt> in your
+Rodauth configuration to prevent loading the bcrypt library, which will save
+memory.
+
+== Auth Value Methods
+
+use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.

data/doc/base.rdoc

@@ -1,7 +1,7 @@
 = Documentation for Base Feature
 
 The base feature is automatically loaded when you use Rodauth.  It contains
-shared functionality that is used by multiple features. 
+shared functionality that is used by multiple features.
 
 == Auth Value Methods
 
@@ -15,7 +15,7 @@ domain :: The domain to use, required by some other features. It is recommended
 hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is not set by default, in which case Rodauth does not use HMACs for additional security.  However, it is highly recommended that you set this, and some features require it.
 mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
 prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
-require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
+require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.
 session_key :: The key in the session hash storing the primary key of the logged in account.
 session_key_prefix :: The string that will be prepended to the default value for all session keys.
 skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.
@@ -88,6 +88,7 @@ account_session_value :: The primary value of the current account to store in th
 after_login :: Run arbitrary code after a successful login.
 after_login_failure :: Run arbitrary code after a login failure due to an invalid password.
 already_logged_in :: What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.
+around_rodauth(&block) :: Run arbitrary code around handling any rodauth route.  Call <tt>super(&block)</tt> for Rodauth to handle the action.
 authenticated? :: Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.
 before_login :: Run arbitrary code after password has been checked, but before updating the session.
 before_login_attempt :: Run arbitrary code after an account has been located, but before the password has been checked.

data/doc/guides/migrate_password_hash_algorithm.rdoc

@@ -0,0 +1,15 @@
+= Migrate users passwords from bcrypt to argon2 or back
+
+If you are currently using the default bcrypt password hash algorithm, and want to
+gradually migrate to the argon2 password hash algorithm, you can use both the argon2
+and update_password_hash features:
+
+  plugin :rodauth do
+    enable :login, :update_password_hash, :argon2
+  end
+
+When a user with a current bcrypt password hash next successfully uses their
+password, their password hash will be migrated to argon2.
+
+If for some reason you want to migrate back from argon2 to bcrypt, you can set
+<tt>use_argon2? false</tt> in your Rodauth configuration.

data/doc/json.rdoc

@@ -0,0 +1,47 @@
+= Documentation for JSON Feature
+
+The json feature adds support for JSON API access for all other
+features that ship with Rodauth.
+
+When this feature is used, all other features become accessible via a
+JSON API.  The JSON API uses the POST method for all requests, using
+the same parameter names as the features uses.  JSON API requests to
+Rodauth endpoints that use a method other than POST will result in a
+405 Method Not Allowed response.
+
+Responses are returned as JSON hashes.  In case of an error, the +error+
+entry is set to an error message, and the <tt>field-error</tt> entry is set to
+an array containing the field name and the error message for that field.
+Successful requests by default store a +success+ entry with a success
+message, though that can be disabled.
+
+The session state is managed in the rack session, so make sure that
+CSRF protection is enabled. This will be the case when passing the
+<tt>json: true</tt> option when loading the rodauth plugin. If you
+want to only handle JSON requests, set <tt>only_json? true</tt> in
+your rodauth configuration.
+
+If you want token-based authentication sent via the Authorization
+header, consider using the jwt feature.
+
+== Auth Value Methods
+
+json_accept_regexp :: The regexp to use to check the Accept header for JSON if +json_check_accept?+ is true.
+json_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default.
+json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
+json_not_accepted_error_message :: The error message to display if +json_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
+json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
+json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
+json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
+json_response_error_key :: The JSON result key containing an error message, +error+ by default.
+json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
+json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
+json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
+non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
+only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
+use_json? :: Whether to return a JSON response. By default, a JSON response is returned if +only_json?+ is true, or if the request uses a json content type.
+
+== Auth Methods
+
+json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
+json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.

data/doc/jwt.rdoc

@@ -2,19 +2,7 @@
 
 The jwt feature adds support for JSON API access for all other features
 that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
-session information.
-
-When this feature is used, all other features become accessible via a
-JSON API.  The JSON API uses the POST method for all requests, using
-the same parameter names as the features uses.  JSON API requests to
-Rodauth endpoints that use a method other than POST will result in a
-405 Method Not Allowed response.
-
-Responses are returned as JSON hashes.  In case of an error, the +error+
-entry is set to an error message, and the <tt>field-error</tt> entry is set to
-an array containing the field name and the error message for that field.
-Successful requests by default store a +success+ entry with a success
-message, though that can be disabled.
+session information. It depends on the json feature.
 
 In order to use this feature, you have to set the +jwt_secret+ configuration
 option the secret used to cryptographically protect the token.
@@ -41,32 +29,17 @@ from +rodauth.session+.
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
-json_accept_regexp :: The regexp to use to check the Accept header for JSON if +jwt_check_accept?+ is true.
-json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
-json_not_accepted_error_message :: The error message to display if +jwt_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
-json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
-json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
-json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
-json_response_error_key :: The JSON result key containing an error message, +error+ by default.
-json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
-json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
-json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
 jwt_algorithm :: The JWT algorithm to use, +HS256+ by default.
 jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches.  By default, HTTP Basic and Digest authentication are ignored.
 jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT.  By default, a Bearer prefix is removed.
-jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default, can be set to false for backwards compatibility with Rodauth 1.
 jwt_decode_opts :: An optional hash to pass to +JWT.decode+. Can be used to set JWT verifiers.
 jwt_secret :: The JWT secret to use.  Access to this should be protected the same as a session secret.
 jwt_session_key :: A key to nest the session hash under in the JWT payload.  nil by default, for no nesting.
 jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply.  false by default.
-non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
-only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
 use_jwt? :: Whether to use the JWT in the Authorization header for authentication information.  If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if +only_json?+ is true, or if the request uses a json content type.
 
 == Auth Methods
 
-json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
-json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.
 jwt_session_hash :: The session hash used to create the session_jwt. Can be used to set JWT claims.
 jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
 session_jwt :: An encoded JWT for the current session.

data/doc/jwt_refresh.rdoc

@@ -21,19 +21,27 @@ a value of <tt>all</tt> as the token value.
 
 When using the refresh token, you must provide a valid access token, as that contains
 information about the current session, which is used to create the new access token.
+If you change the +allow_refresh_with_expired_jwt_access_token?+ setting to +true+,
+an expired but otherwise valid access token will be accepted, and Rodauth will check
+that the access token was issued in the same session as the refresh token.
 
 This feature depends on the jwt feature.
 
 == Auth Value Methods
 
+allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+.  You must set an +hmac_secret+ if setting this value to +true+.
+expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
+expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
 jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
 jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
 jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).
 jwt_refresh_route :: The route to the login action. Defaults to <tt>jwt-refresh</tt>.
 jwt_refresh_invalid_token_message :: Error message when the provided refresh token is non existent, invalid or expired.
 jwt_refresh_token_account_id_column :: The column name in the +jwt_refresh_token_table+ storing the account id, should be a foreign key referencing the accounts table.
+jwt_refresh_token_data_session_key :: The key in the session hash storing random data, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_deadline_column :: The column name in the +jwt_refresh_token_table+ storing the deadline after which the refresh token will no longer be valid.
 jwt_refresh_token_deadline_interval :: Validity of a refresh token. Default is 14 days.
+jwt_refresh_token_hmac_session_key :: The key in the session hash storing the hmac, for access checking during refresh if +allow_refresh_with_expired_jwt_access_token?+ is set.
 jwt_refresh_token_id_column :: The column name in the refresh token keys table storing the id of each token (the primary key of the table).
 jwt_refresh_token_key :: Name of the key in the response json holding the refresh token.  Default is +refresh_token+.
 jwt_refresh_token_key_column :: The column name in the +jwt_refresh_token_table+ holding the refresh token key value.

data/doc/login_password_requirements_base.rdoc

@@ -19,7 +19,7 @@ logins_do_not_match_message :: The error message to display when login and login
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
 password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
-password_hash_cost :: The bcrypt cost to use for the password hash.
+password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
 password_minimum_length :: The minimum length for passwords, 6 by default.
 password_too_short_message :: The error message fragment to show if the password is too short.
 passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.

data/doc/recovery_codes.rdoc

@@ -17,7 +17,8 @@ add_recovery_codes_error_flash :: The flash error to show when adding recovery c
 add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
 add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when enabling otp, webauthn, or sms authentication (false by default).
+auto_remove_recovery_codes? :: Whether to automatically remove recovery codes when disabling otp, webauthn, or sms authentication and not having one of the other two authentication methods enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.

data/doc/release_notes/2.10.0.txt

@@ -0,0 +1,47 @@
+= New Features
+
+* An argon2 feature has been added that supports using the argon2
+  password hashing algorithm instead of the bcrypt password hashing
+  algorithm.  While argon2 does not provide an advantage over bcrypt
+  if the attacker cannot access the password hashes directly (which
+  is how Rodauth is recommended to be used), in cases where attackers
+  can access the password hashes directly, argon2 is thought to be
+  more difficult or expensive to crack due to requiring more memory
+  (bcrypt is not a memory-hard password hash algorithm).
+
+  If you are using this feature with Rodauth's database authentication
+  functions, you need to make sure that the database authentication
+  functions are configured to support argon2 in addition to bcrypt.
+  You can do this by passing the :argon2 option when calling the
+  method to define the database functions.  In this example, DB should
+  be your Sequel::Database object (this could be self if used in a
+  Sequel migration):
+
+    require 'rodauth/migrations'
+
+    # If the functions are already defined and you are not using PostgreSQL,
+    # you need to drop the existing functions.
+    Rodauth.drop_database_authentication_functions(DB)
+
+    # If you are using the disallow_password_reuse feature, also drop the
+    # database functions related to that if you are not using PostgreSQL:
+    Rodauth.drop_database_previous_password_check_functions(DB)
+
+    # Define new functions that support argon2:
+    Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+    # If you are using the disallow_password_reuse feature, also define
+    # new functions that support argon2 for that:
+    Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+  You can transparently migrate bcrypt password hashes to argon2
+  password hashes whenever a user successfully uses their password
+  by using the argon2 feature in combination with the
+  update_password_hash feature.
+
+= Other Improvements
+
+* Unnecessary queries to determine whether the new password matches
+  a previous password are now skipped when using the create_account
+  or verify_account features with the disallow_password_reuse
+  feature.

data/doc/release_notes/2.6.0.txt

@@ -0,0 +1,37 @@
+= New Features
+
+* An around_rodauth configuration method has been added, which is
+  called around all Rodauth actions.  This configuration method
+  is passed a block, and is useful for cases where you want to wrap
+  Rodauth's handling of the request.
+
+  For example, if you had a method named time_block in your Roda scope
+  that timed block execution and added a response header, you could
+  time Rodauth actions using something like:
+
+    around_rodauth do |&block|
+      scope.time_block('Rodauth') do
+        super(&block)
+      end
+    end
+
+* The allow_refresh_with_expired_jwt_access_token? configuration has
+  been added to the jwt_refresh feature, allowing refreshing with an
+  expired but otherwise valid access token.  When using this method,
+  it is required to have an hmac_secret specified, so that Rodauth
+  can make sure the access token matches the refresh token.
+
+= Other Improvements
+
+* The javascript for setting up a WebAuthn token has been fixed to
+  allow it to work correctly if there is already an existing
+  WebAuthn token for the account.
+
+* The rodauth.setup_account_verification method has been promoted to
+  public API.  You can use this method for automatically sending
+  account verification emails when automatically creating accounts.
+
+* Rodauth no longer loads the same feature multiple times into a
+  single configuration.  This didn't cause any problems before, but
+  could result in duplicate entries when looking at the loaded
+  features.