rodauth 2.6.0 → 2.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82585797ff882cb56340e2145b05b74da1e10c428413b02e1656604fa8209c93
-  data.tar.gz: 7148d04c255f4310a21c6373d9ab20888e8fe46d3a07c090576385890ea82858
+  metadata.gz: 52cc814306a88708a5ade63bfa8288521db20517fdac543217e86a084e8e189f
+  data.tar.gz: ebd02824ee15ede1c58a5ca93c092d2372e953790f7535d0889521bc95b9dfd3
 SHA512:
-  metadata.gz: be8a3bffa982ca9730dafdefb8a8a874c2a2cb8fa62c84d4b0467928fc2164251ba28bb88948274316d7870473f0a602b8ac69eef8b48b70b27584ed7a443ded
-  data.tar.gz: afaf45ddda1073eaba697035700ec9108bebd1fc18998af9245fd86f532f497e6723fa532624aae426dac7e1600556af7b7369b2e7203e387be26dcbdfc22e3d
+  metadata.gz: 435b51b083c4509626c0699c2298c641134b132e0c08fae0c738823f4230d35d2a714761b7afdb2c9a48bb7c025e653a2bce84ae88b07f21a2bd5b494b52e6cc
+  data.tar.gz: 179b131a07064033a1c934360578f8b7a8703421133179255078063d9bde7621f9865c3bb00f51dceb313255e4d685804ba2f1a0ba2d109198f660802d6eda61

data/CHANGELOG

@@ -1,3 +1,45 @@
+=== 2.11.0 (2021-03-22)
+
+* Add same_as_current_login_message and contains_null_byte_message configuration methods to increase translatability (dmitryzuev) (#158)
+
+* Allow the rodauth plugin to be loaded without a block (janko) (#157)
+
+* Use new-password autocomplete value for the password fields on the reset password form (basabin54) (#155)
+
+* Support :auth_class plugin option, to use a specific class instead of creating a Rodauth::Auth subclass (janko) (#153)
+
+* Make Rodauth configuration work correctly if the rodauth plugin is loaded more than once (janko) (#152)
+
+=== 2.10.0 (2021-02-22)
+
+* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
+
+* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
+
+=== 2.9.0 (2021-01-22)
+
+* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
+
+* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
+
+=== 2.8.0 (2021-01-06)
+
+* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
+
+* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
+
+=== 2.7.0 (2020-12-22)
+
+* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
+
+* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexyMatskevich) (#133)
+
+* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
+
+* Use a default remember cookie path of '/', though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
+
+* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
+
 === 2.6.0 (2020-11-20)
 
 * Avoid loading features multiple times (janko) (#131)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020 Jeremy Evans
+Copyright (c) 2015-2021 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -52,10 +52,12 @@ HTML and JSON API for all supported features.
 * Session Expiration
 * Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
 * Single Session (Only one active session per account)
-* JWT (JSON API support for all other features)
+* JSON (JSON API support for all other features)
+* JWT (JSON Web Token support for all other features)
 * JWT Refresh (Access & Refresh Token)
 * JWT CORS (Cross-Origin Resource Sharing)
 * Update Password Hash (when hash cost changes)
+* Argon2
 * HTTP Basic Auth
 * Change Password Notify
 
@@ -79,8 +81,10 @@ rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
              tokens).
-bcrypt :: Used by default for password matching, can be skipped
+bcrypt :: Used by default for password hashing, can be skipped
           if password_match? is overridden for custom authentication.
+argon2 :: Used by the argon2 feature as alternative to bcrypt for
+          password hashing.
 mail :: Used by default for mailing in the reset password, verify
         account, verify_login_change, change_password_notify,
         lockout, and email_auth features.
@@ -105,7 +109,7 @@ correctly without it.  There may be cases where you cannot use
 this feature, such as when using a different database or when you
 do not have full control over the database you are using.
 
-Passwords are hashed using bcrypt, and the password hashes are
+Passwords are hashed using bcrypt by default, and the password hashes are
 kept in a separate table from the accounts table, with a foreign key
 referencing the accounts table.  Two database functions are added,
 one to retrieve the salt for a password, and the other to check
@@ -332,7 +336,7 @@ things for the schema changes:
     foreign_key :id, Sequel[:${DATABASE_NAME}][:accounts], :primary_key=>true, :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_authentication_functions(self, :table_name=>"${DATABASE_NAME}_password.account_password_hashes")
+  Rodauth.create_database_authentication_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_password_hashes])
 
   # if using the disallow_password_reuse feature:
   create_table(:account_previous_password_hashes) do
@@ -340,7 +344,7 @@ things for the schema changes:
     foreign_key :account_id, Sequel[:${DATABASE_NAME}][:accounts], :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_previous_password_check_functions(self, :table_name=>"${DATABASE_NAME}_password.account_previous_password_hashes")
+  Rodauth.create_database_previous_password_check_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_previous_password_hashes])
 
 You'll also need to use the following Rodauth configuration methods so that the
 app account calls functions in a separate schema:
@@ -848,6 +852,9 @@ which configures which dependent plugins should be loaded. Options:
          still need to load the render plugin manually.
 :name :: Provide a name for the given Rodauth configuration, used to
          support multiple Rodauth configurations in a given Roda application.
+:auth_class :: Provide a specific Rodauth::Auth subclass that should be set
+               on the Roda application. By default, an anonymous
+               Rodauth::Auth subclass is created.
 
 === Feature Documentation
 
@@ -862,6 +869,7 @@ view the appropriate file in the doc directory.
 * {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
 * {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
 * {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
+* {Argon2}[rdoc-ref:doc/argon2.rdoc]
 * {Change Login}[rdoc-ref:doc/change_login.rdoc]
 * {Change Password}[rdoc-ref:doc/change_password.rdoc]
 * {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]
@@ -872,6 +880,7 @@ view the appropriate file in the doc directory.
 * {Disallow Password Reuse}[rdoc-ref:doc/disallow_password_reuse.rdoc]
 * {Email Authentication}[rdoc-ref:doc/email_auth.rdoc]
 * {HTTP Basic Auth}[rdoc-ref:doc/http_basic_auth.rdoc]
+* {JSON}[rdoc-ref:doc/json.rdoc]
 * {JWT CORS}[rdoc-ref:doc/jwt_cors.rdoc]
 * {JWT Refresh}[rdoc-ref:doc/jwt_refresh.rdoc]
 * {JWT}[rdoc-ref:doc/jwt.rdoc]
@@ -1320,7 +1329,13 @@ use the necessary *_email_body configuration options to specify
 the body of the emails.
 
 The JWT feature enables JSON API support for all of the other features
-that Rodauth ships with.
+that Rodauth ships with. If you would like JSON API access that still uses
+rack session for storing session data, enable the JSON feature instead:
+
+  plugin :rodauth, :json=>true do
+    enable :login, :logout, :json
+    only_json? true # if you want to only handle JSON requests
+  end
 
 === Adding Custom Methods to the +rodauth+ Object
 

data/doc/argon2.rdoc

@@ -0,0 +1,49 @@
+= Documentation for Argon2 Feature
+
+The argon2 feature adds the ability to replace the bcrypt password hash
+algorithm with argon2 (specifically, argon2id).  Argon2 is an alternative to
+bcrypt that offers the ability to be memory-hard.  However, if you are storing
+password hashes in a table that the database user does not have access to
+(the recommended way to use Rodauth), argon2 does not offer significant
+security advantages over bcrypt.
+
+If you are using this feature with Rodauth's database authentication functions,
+you need to make sure that the database authentication functions are configured
+to support argon2 in addition to bcrypt.  You can do this by passing the
++:argon2+ option when calling the method to define the database functions.
+In this example, +DB+ should be your Sequel::Database object:
+
+  require 'rodauth/migrations'
+
+  # If the functions are already defined and you are not using PostgreSQL,
+  # you need to drop the existing functions.
+  Rodauth.drop_database_authentication_functions(DB)
+
+  # If you are using the disallow_password_reuse feature, also drop the
+  # database functions related to that if not using PostgreSQL:
+  Rodauth.drop_database_previous_password_check_functions(DB)
+
+  # Define new functions that support argon2:
+  Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+  # If you are using the disallow_password_reuse feature, also define
+  # new functions that support argon2 for that:
+  Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+The argon2 feature provides the ability to allow for a gradual migration
+from transitioning from bcrypt to argon2 and vice-versa, if you are using the
+update_password_hash.
+
+Argon2 is more configurable than bcrypt in terms of password hash cost
+speficiation.  Instead of specifying the password_hash_cost value as
+an integer, you must specify the password hash cost as a hash, such as
+(<tt>{t_cost: 2, m_cost: 16}</tt>).
+
+If you are using the argon2 feature and if you have no bcrypt passwords in
+your database, you should use <tt>require_bcrypt? false</tt> in your
+Rodauth configuration to prevent loading the bcrypt library, which will save
+memory.
+
+== Auth Value Methods
+
+use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.

data/doc/base.rdoc

@@ -15,7 +15,7 @@ domain :: The domain to use, required by some other features. It is recommended
 hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is not set by default, in which case Rodauth does not use HMACs for additional security.  However, it is highly recommended that you set this, and some features require it.
 mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
 prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
-require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
+require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.
 session_key :: The key in the session hash storing the primary key of the logged in account.
 session_key_prefix :: The string that will be prepended to the default value for all session keys.
 skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.

data/doc/change_login.rdoc

@@ -13,6 +13,7 @@ change_login_page_title :: The page title to use on the change login form.
 change_login_redirect :: Where to redirect after a sucessful login change.
 change_login_requires_password? :: Whether a password is required when changing logins.
 change_login_route :: The route to the change login action. Defaults to +change-login+.
+same_as_current_login_message :: The error message to display if using the same value as the current login when changing the login.
 
 == Auth Methods
 

data/doc/guides/migrate_password_hash_algorithm.rdoc

@@ -0,0 +1,15 @@
+= Migrate users passwords from bcrypt to argon2 or back
+
+If you are currently using the default bcrypt password hash algorithm, and want to
+gradually migrate to the argon2 password hash algorithm, you can use both the argon2
+and update_password_hash features:
+
+  plugin :rodauth do
+    enable :login, :update_password_hash, :argon2
+  end
+
+When a user with a current bcrypt password hash next successfully uses their
+password, their password hash will be migrated to argon2.
+
+If for some reason you want to migrate back from argon2 to bcrypt, you can set
+<tt>use_argon2? false</tt> in your Rodauth configuration.

data/doc/json.rdoc

@@ -0,0 +1,47 @@
+= Documentation for JSON Feature
+
+The json feature adds support for JSON API access for all other
+features that ship with Rodauth.
+
+When this feature is used, all other features become accessible via a
+JSON API.  The JSON API uses the POST method for all requests, using
+the same parameter names as the features uses.  JSON API requests to
+Rodauth endpoints that use a method other than POST will result in a
+405 Method Not Allowed response.
+
+Responses are returned as JSON hashes.  In case of an error, the +error+
+entry is set to an error message, and the <tt>field-error</tt> entry is set to
+an array containing the field name and the error message for that field.
+Successful requests by default store a +success+ entry with a success
+message, though that can be disabled.
+
+The session state is managed in the rack session, so make sure that
+CSRF protection is enabled. This will be the case when passing the
+<tt>json: true</tt> option when loading the rodauth plugin. If you
+want to only handle JSON requests, set <tt>only_json? true</tt> in
+your rodauth configuration.
+
+If you want token-based authentication sent via the Authorization
+header, consider using the jwt feature.
+
+== Auth Value Methods
+
+json_accept_regexp :: The regexp to use to check the Accept header for JSON if +json_check_accept?+ is true.
+json_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default.
+json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
+json_not_accepted_error_message :: The error message to display if +json_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
+json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
+json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
+json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
+json_response_error_key :: The JSON result key containing an error message, +error+ by default.
+json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
+json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
+json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
+non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
+only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
+use_json? :: Whether to return a JSON response. By default, a JSON response is returned if +only_json?+ is true, or if the request uses a json content type.
+
+== Auth Methods
+
+json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
+json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.

data/doc/jwt.rdoc

@@ -2,19 +2,7 @@
 
 The jwt feature adds support for JSON API access for all other features
 that ship with Rodauth, using JWT (JSON Web Tokens) to hold the
-session information.
-
-When this feature is used, all other features become accessible via a
-JSON API.  The JSON API uses the POST method for all requests, using
-the same parameter names as the features uses.  JSON API requests to
-Rodauth endpoints that use a method other than POST will result in a
-405 Method Not Allowed response.
-
-Responses are returned as JSON hashes.  In case of an error, the +error+
-entry is set to an error message, and the <tt>field-error</tt> entry is set to
-an array containing the field name and the error message for that field.
-Successful requests by default store a +success+ entry with a success
-message, though that can be disabled.
+session information. It depends on the json feature.
 
 In order to use this feature, you have to set the +jwt_secret+ configuration
 option the secret used to cryptographically protect the token.
@@ -41,32 +29,17 @@ from +rodauth.session+.
 == Auth Value Methods
 
 invalid_jwt_format_error_message :: The error message to use when a JWT with an invalid format is submitted in the Authorization header.
-json_accept_regexp :: The regexp to use to check the Accept header for JSON if +jwt_check_accept?+ is true.
-json_non_post_error_message :: The error message to use when a JSON non-POST request is sent.
-json_not_accepted_error_message :: The error message to display if +jwt_check_accept?+ is true and the Accept header is present but does not match +json_request_content_type_regexp+.
-json_request_content_type_regexp :: The regexp to use to recognize a request as a json request.
-json_response_content_type :: The content type to set for json responses, <tt>application/json</tt> by default.
-json_response_custom_error_status? :: Whether to use custom error statuses, instead of always using +json_response_error_status+, true by default, can be set to false for backwards compatibility with Rodauth 1.
-json_response_error_key :: The JSON result key containing an error message, +error+ by default.
-json_response_error_status :: The HTTP status code to use for JSON error responses if not using custom error statuses, 400 by default.
-json_response_field_error_key :: The JSON result key containing an field error message, <tt>field-error</tt> by default.
-json_response_success_key :: The JSON result key containing a success message for successful request, if set.  +success+ by default.
 jwt_algorithm :: The JWT algorithm to use, +HS256+ by default.
 jwt_authorization_ignore :: A regexp matched against the Authorization header, which skips JWT processing if it matches.  By default, HTTP Basic and Digest authentication are ignored.
 jwt_authorization_remove :: A regexp to remove from the Authorization header before processing the JWT.  By default, a Bearer prefix is removed.
-jwt_check_accept? :: Whether to check the Accept header to see if the client supports JSON responses, true by default, can be set to false for backwards compatibility with Rodauth 1.
 jwt_decode_opts :: An optional hash to pass to +JWT.decode+. Can be used to set JWT verifiers.
 jwt_secret :: The JWT secret to use.  Access to this should be protected the same as a session secret.
 jwt_session_key :: A key to nest the session hash under in the JWT payload.  nil by default, for no nesting.
 jwt_symbolize_deeply? :: Whether to symbolize the session hash deeply.  false by default.
-non_json_request_error_message :: The error message to use when a non-JSON request is sent and +only_json?+ is set.
-only_json? :: Whether to have Rodauth only allow JSON requests.  True by default if <tt>json: :only</tt> option was given when loading the plugin.  If set, rodauth endpoints will issue an error for non-JSON requests.
 use_jwt? :: Whether to use the JWT in the Authorization header for authentication information.  If false, falls back to using the rack session. By default, the Authorization header is used if it is present, if +only_json?+ is true, or if the request uses a json content type.
 
 == Auth Methods
 
-json_request? :: Whether the current request is a JSON request, looks at the Content-Type request header by default.
-json_response_body(hash) :: The body to use for JSON response.  By default just converts hash to JSON.  Can be used to reformat JSON output in arbitrary ways.
 jwt_session_hash :: The session hash used to create the session_jwt. Can be used to set JWT claims.
 jwt_token :: Retrieve the JWT token from the request, by default taking it from the Authorization header.
 session_jwt :: An encoded JWT for the current session.

data/doc/jwt_refresh.rdoc

@@ -30,6 +30,8 @@ This feature depends on the jwt feature.
 == Auth Value Methods
 
 allow_refresh_with_expired_jwt_access_token? :: Whether refreshing should be allowed with an expired access token. Default is +false+.  You must set an +hmac_secret+ if setting this value to +true+.
+expired_jwt_access_token_status :: The HTTP status code to use when a access token (JWT) is expired is submitted in the Authorization header. Default is 400 for backwards compatibility, and it is recommended to set it to 401.
+expired_jwt_access_token_message :: The error message to use when a access token (JWT) is expired is submitted in the Authorization header.
 jwt_access_token_key :: Name of the key in the response json holding the access token.  Default is +access_token+.
 jwt_access_token_not_before_period :: How many seconds before the current time will the jwt be considered valid (to account for inaccurate clocks). Default is 5.
 jwt_access_token_period :: Validity of an access token in seconds, default is 1800 (30 minutes).

data/doc/login_password_requirements_base.rdoc

@@ -6,6 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
 == Auth Value Methods
 
 already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
+contains_null_byte_message :: The error message to display when the password contains a null byte.
 login_confirm_label :: The label to use for login confirmations.
 login_confirm_param :: The parameter name to use for login confirmations.
 login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
@@ -19,7 +20,7 @@ logins_do_not_match_message :: The error message to display when login and login
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
 password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
-password_hash_cost :: The bcrypt cost to use for the password hash.
+password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
 password_minimum_length :: The minimum length for passwords, 6 by default.
 password_too_short_message :: The error message fragment to show if the password is too short.
 passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.

data/doc/recovery_codes.rdoc

@@ -17,7 +17,8 @@ add_recovery_codes_error_flash :: The flash error to show when adding recovery c
 add_recovery_codes_heading :: Text to use for heading above the form to add recovery codes.
 add_recovery_codes_page_title :: The page title to use on the add recovery codes form.
 add_recovery_codes_param :: The parameter name to use for adding recovery codes.
-auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when another multifactor authentication type is enabled (false by default).
+auto_add_recovery_codes? :: Whether to automatically add recovery codes (or any missing recovery codes) when enabling otp, webauthn, or sms authentication (false by default).
+auto_remove_recovery_codes? :: Whether to automatically remove recovery codes when disabling otp, webauthn, or sms authentication and not having one of the other two authentication methods enabled (false by default).
 invalid_recovery_code_error_flash :: The flash error to show when an invalid recovery code is used.
 invalid_recovery_code_message :: The error message to show when an invalid recovery code is used.
 recovery_auth_additional_form_tags :: HTML fragment containing additional form tags when authenticating via a recovery code.

data/doc/release_notes/2.10.0.txt

@@ -0,0 +1,47 @@
+= New Features
+
+* An argon2 feature has been added that supports using the argon2
+  password hashing algorithm instead of the bcrypt password hashing
+  algorithm.  While argon2 does not provide an advantage over bcrypt
+  if the attacker cannot access the password hashes directly (which
+  is how Rodauth is recommended to be used), in cases where attackers
+  can access the password hashes directly, argon2 is thought to be
+  more difficult or expensive to crack due to requiring more memory
+  (bcrypt is not a memory-hard password hash algorithm).
+
+  If you are using this feature with Rodauth's database authentication
+  functions, you need to make sure that the database authentication
+  functions are configured to support argon2 in addition to bcrypt.
+  You can do this by passing the :argon2 option when calling the
+  method to define the database functions.  In this example, DB should
+  be your Sequel::Database object (this could be self if used in a
+  Sequel migration):
+
+    require 'rodauth/migrations'
+
+    # If the functions are already defined and you are not using PostgreSQL,
+    # you need to drop the existing functions.
+    Rodauth.drop_database_authentication_functions(DB)
+
+    # If you are using the disallow_password_reuse feature, also drop the
+    # database functions related to that if you are not using PostgreSQL:
+    Rodauth.drop_database_previous_password_check_functions(DB)
+
+    # Define new functions that support argon2:
+    Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+    # If you are using the disallow_password_reuse feature, also define
+    # new functions that support argon2 for that:
+    Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+  You can transparently migrate bcrypt password hashes to argon2
+  password hashes whenever a user successfully uses their password
+  by using the argon2 feature in combination with the
+  update_password_hash feature.
+
+= Other Improvements
+
+* Unnecessary queries to determine whether the new password matches
+  a previous password are now skipped when using the create_account
+  or verify_account features with the disallow_password_reuse
+  feature.

data/doc/release_notes/2.11.0.txt

@@ -0,0 +1,31 @@
+= New Features
+
+* An :auth_class rodauth plugin option has been added, allowing a user
+  to specify a specific Rodauth::Auth subclass to use, instead of
+  always using a new subclass of Rodauth::Auth.  This is designed for
+  advanced configurations or other frameworks that build on top of
+  Rodauth, which may want to customize the Rodauth::Auth subclasses to
+  use.
+
+* Two additional configuration methods have been added for easier
+  translatability, fixing issues where English text was hardcoded:
+
+  * same_as_current_login_message (change_login feature)
+  * contains_null_byte_message (login_password_requirements_base
+    feature)
+
+= Other Improvements
+
+* Loading the rodauth plugin multiple times in the same application
+  with different blocks now works better.  The same context is now
+  shared between the blocks, so you can load features in one block
+  and call configuration methods added by the feature in the other
+  block.  Previously, you could only call configuration methods in
+  the block that added the feature, and enabling a feature in a
+  block that was already enabled in a previous block did not allow
+  the use of configuraton methods related to the feature.
+
+* Passing a block when loading the rodauth plugin is now optional.
+
+* The autocomplete attribute on the reset password form now uses
+  new-password instead of current-password.