rodauth 2.9.0 → 2.14.0
- checksums.yaml +4 -4
- data/CHANGELOG +38 -0
- data/README.rdoc +11 -5
- data/doc/active_sessions.rdoc +4 -0
- data/doc/argon2.rdoc +49 -0
- data/doc/base.rdoc +2 -1
- data/doc/change_login.rdoc +1 -0
- data/doc/error_reasons.rdoc +73 -0
- data/doc/guides/migrate_password_hash_algorithm.rdoc +15 -0
- data/doc/login_password_requirements_base.rdoc +2 -1
- data/doc/release_notes/2.10.0.txt +47 -0
- data/doc/release_notes/2.11.0.txt +31 -0
- data/doc/release_notes/2.12.0.txt +17 -0
- data/doc/release_notes/2.13.0.txt +19 -0
- data/doc/release_notes/2.14.0.txt +17 -0
- data/doc/remember.rdoc +1 -0
- data/lib/rodauth.rb +12 -3
- data/lib/rodauth/features/active_sessions.rb +29 -8
- data/lib/rodauth/features/argon2.rb +69 -0
- data/lib/rodauth/features/base.rb +20 -1
- data/lib/rodauth/features/change_login.rb +5 -4
- data/lib/rodauth/features/change_password.rb +3 -3
- data/lib/rodauth/features/close_account.rb +1 -1
- data/lib/rodauth/features/confirm_password.rb +2 -2
- data/lib/rodauth/features/create_account.rb +4 -4
- data/lib/rodauth/features/disallow_common_passwords.rb +1 -1
- data/lib/rodauth/features/disallow_password_reuse.rb +21 -8
- data/lib/rodauth/features/email_auth.rb +2 -0
- data/lib/rodauth/features/email_base.rb +5 -2
- data/lib/rodauth/features/jwt_refresh.rb +1 -1
- data/lib/rodauth/features/lockout.rb +4 -2
- data/lib/rodauth/features/login.rb +3 -3
- data/lib/rodauth/features/login_password_requirements_base.rb +20 -6
- data/lib/rodauth/features/otp.rb +7 -6
- data/lib/rodauth/features/password_complexity.rb +4 -4
- data/lib/rodauth/features/recovery_codes.rb +2 -2
- data/lib/rodauth/features/remember.rb +16 -9
- data/lib/rodauth/features/reset_password.rb +6 -4
- data/lib/rodauth/features/session_expiration.rb +1 -0
- data/lib/rodauth/features/single_session.rb +1 -0
- data/lib/rodauth/features/sms_codes.rb +10 -5
- data/lib/rodauth/features/two_factor_base.rb +4 -1
- data/lib/rodauth/features/update_password_hash.rb +1 -1
- data/lib/rodauth/features/verify_account.rb +5 -1
- data/lib/rodauth/features/verify_account_grace_period.rb +1 -1
- data/lib/rodauth/features/verify_login_change.rb +3 -2
- data/lib/rodauth/features/webauthn.rb +15 -14
- data/lib/rodauth/features/webauthn_login.rb +1 -1
- data/lib/rodauth/migrations.rb +31 -5
- data/lib/rodauth/version.rb +1 -1
- data/templates/button.str +1 -1
- data/templates/change-password.str +2 -2
- data/templates/global-logout-field.str +1 -1
- data/templates/login-confirm-field.str +2 -2
- data/templates/login-display.str +2 -2
- data/templates/login-field.str +2 -2
- data/templates/otp-auth-code-field.str +2 -2
- data/templates/otp-setup.str +2 -2
- data/templates/password-confirm-field.str +2 -2
- data/templates/password-field.str +2 -2
- data/templates/recovery-auth.str +2 -2
- data/templates/remember.str +1 -1
- data/templates/sms-code-field.str +2 -2
- data/templates/sms-setup.str +2 -2
- data/templates/unlock-account-email.str +1 -1
- data/templates/webauthn-remove.str +1 -1
- metadata +35 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0bb25afa1cfb6fb579a10dea617ae2f9d0fdd2b302decdbf15aaf6ca88186ccb
|
4
|
+
data.tar.gz: 67c76a614ff85e298b288f81ae22fb54ea54a83c5d1584e097ba66b4dada9d1b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6516c812865c540be99116e0afadfbf98de81d450dafd0aee81e6c661201e6bd62086c10db1b892e273286c53bcb61c3d84f8ed807c47e7ebd7befcd1d6cd849
|
7
|
+
data.tar.gz: 8c4efe011be6f94a0886e3dae1eb8106e3fcd295c55663f2dcea0b02794db229377450ab8738ef651e18704cc129df4f47b69e69aff08229a58f2544fab73b13
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,41 @@
|
|
1
|
+
=== 2.14.0 (2021-06-22)
|
2
|
+
|
3
|
+
* Make jwt_refresh feature allow refresh with expired access tokens even if prefix is not set correctly (jeremyevans) (#168)
|
4
|
+
|
5
|
+
* Make internal account_in_unverified_grace_period? method handle accounts missing or unverified accounts (janko, jeremyevans) (#167)
|
6
|
+
|
7
|
+
* Add remembered_session_id configuration method for getting session id from valid remember token if present (bjeanes) (#166)
|
8
|
+
|
9
|
+
=== 2.13.0 (2021-05-22)
|
10
|
+
|
11
|
+
* Make jwt_refresh expired access token support work when using rodauth.check_active_sessions before calling r.rodauth (renchap) (#165)
|
12
|
+
|
13
|
+
* Update default templates to add classes for Bootstrap 5 compatibility (janko) (#164)
|
14
|
+
|
15
|
+
* Add set_error_reason configuration method to allow applications more finer grained error handling (renchap, jeremyevans) (#162)
|
16
|
+
|
17
|
+
=== 2.12.0 (2021-04-22)
|
18
|
+
|
19
|
+
* Add configuration methods to active_sessions plugin to control the inserting and updating of rows (janko) (#159)
|
20
|
+
|
21
|
+
=== 2.11.0 (2021-03-22)
|
22
|
+
|
23
|
+
* Add same_as_current_login_message and contains_null_byte_message configuration methods to increase translatability (dmitryzuev) (#158)
|
24
|
+
|
25
|
+
* Allow the rodauth plugin to be loaded without a block (janko) (#157)
|
26
|
+
|
27
|
+
* Use new-password autocomplete value for the password fields on the reset password form (basabin54) (#155)
|
28
|
+
|
29
|
+
* Support :auth_class plugin option, to use a specific class instead of creating a Rodauth::Auth subclass (janko) (#153)
|
30
|
+
|
31
|
+
* Make Rodauth configuration work correctly if the rodauth plugin is loaded more than once (janko) (#152)
|
32
|
+
|
33
|
+
=== 2.10.0 (2021-02-22)
|
34
|
+
|
35
|
+
* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
|
36
|
+
|
37
|
+
* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
|
38
|
+
|
1
39
|
=== 2.9.0 (2021-01-22)
|
2
40
|
|
3
41
|
* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
|
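Review bot: two of the new CHANGELOG entries read awkwardly and one method name disagrees with the rest of the diff. "handle accounts missing or unverified accounts" (the 2.14.0 entry for #167) should be "handle missing or unverified accounts", and "more finer grained error handling" (the 2.13.0 entry for #162) doubles the comparative; "finer-grained error handling" is enough. The 2.13.0 entry for #165 also names the method `rodauth.check_active_sessions`, while the 2.13.0 release notes added in this same diff call it `rodauth.check_active_session`; the two should use the same (actual) method name.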
data/README.rdoc
CHANGED
@@ -57,6 +57,7 @@ HTML and JSON API for all supported features.
|
|
57
57
|
* JWT Refresh (Access & Refresh Token)
|
58
58
|
* JWT CORS (Cross-Origin Resource Sharing)
|
59
59
|
* Update Password Hash (when hash cost changes)
|
60
|
+
* Argon2
|
60
61
|
* HTTP Basic Auth
|
61
62
|
* Change Password Notify
|
62
63
|
|
@@ -67,7 +68,6 @@ Demo Site :: http://rodauth-demo.jeremyevans.net
|
|
67
68
|
Source :: http://github.com/jeremyevans/rodauth
|
68
69
|
Bugs :: http://github.com/jeremyevans/rodauth/issues
|
69
70
|
Google Group :: https://groups.google.com/forum/#!forum/rodauth
|
70
|
-
IRC :: irc://chat.freenode.net/#rodauth
|
71
71
|
|
72
72
|
== Dependencies
|
73
73
|
|
@@ -80,8 +80,10 @@ rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
|
|
80
80
|
option is given (the default is to use Roda's route_csrf
|
81
81
|
plugin, as that allows for more secure request-specific
|
82
82
|
tokens).
|
83
|
-
bcrypt :: Used by default for password
|
83
|
+
bcrypt :: Used by default for password hashing, can be skipped
|
84
84
|
if password_match? is overridden for custom authentication.
|
85
|
+
argon2 :: Used by the argon2 feature as alternative to bcrypt for
|
86
|
+
password hashing.
|
85
87
|
mail :: Used by default for mailing in the reset password, verify
|
86
88
|
account, verify_login_change, change_password_notify,
|
87
89
|
lockout, and email_auth features.
|
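Review bot: the new dependency entry reads "Used by the argon2 feature as alternative to bcrypt"; it should be "as an alternative to bcrypt". Since the base.rdoc change in this diff documents `require_bcrypt? false` for deployments that use the argon2 feature without any existing bcrypt hashes, it would help to say here that the bcrypt dependency can then be skipped as well, mirroring the "can be skipped" wording already used for the bcrypt entry.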
@@ -106,7 +108,7 @@ correctly without it. There may be cases where you cannot use
|
|
106
108
|
this feature, such as when using a different database or when you
|
107
109
|
do not have full control over the database you are using.
|
108
110
|
|
109
|
-
Passwords are hashed using bcrypt, and the password hashes are
|
111
|
+
Passwords are hashed using bcrypt by default, and the password hashes are
|
110
112
|
kept in a separate table from the accounts table, with a foreign key
|
111
113
|
referencing the accounts table. Two database functions are added,
|
112
114
|
one to retrieve the salt for a password, and the other to check
|
@@ -333,7 +335,7 @@ things for the schema changes:
|
|
333
335
|
foreign_key :id, Sequel[:${DATABASE_NAME}][:accounts], :primary_key=>true, :type=>:Bignum
|
334
336
|
String :password_hash, :null=>false
|
335
337
|
end
|
336
|
-
Rodauth.create_database_authentication_functions(self, :table_name=>
|
338
|
+
Rodauth.create_database_authentication_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_password_hashes])
|
337
339
|
|
338
340
|
# if using the disallow_password_reuse feature:
|
339
341
|
create_table(:account_previous_password_hashes) do
|
@@ -341,7 +343,7 @@ things for the schema changes:
|
|
341
343
|
foreign_key :account_id, Sequel[:${DATABASE_NAME}][:accounts], :type=>:Bignum
|
342
344
|
String :password_hash, :null=>false
|
343
345
|
end
|
344
|
-
Rodauth.create_database_previous_password_check_functions(self, :table_name=>
|
346
|
+
Rodauth.create_database_previous_password_check_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_previous_password_hashes])
|
345
347
|
|
346
348
|
You'll also need to use the following Rodauth configuration methods so that the
|
347
349
|
app account calls functions in a separate schema:
|
@@ -849,6 +851,9 @@ which configures which dependent plugins should be loaded. Options:
|
|
849
851
|
still need to load the render plugin manually.
|
850
852
|
:name :: Provide a name for the given Rodauth configuration, used to
|
851
853
|
support multiple Rodauth configurations in a given Roda application.
|
854
|
+
:auth_class :: Provide a specific Rodauth::Auth subclass that should be set
|
855
|
+
on the Roda application. By default, an anonymous
|
856
|
+
Rodauth::Auth subclass is created.
|
852
857
|
|
853
858
|
=== Feature Documentation
|
854
859
|
|
@@ -863,6 +868,7 @@ view the appropriate file in the doc directory.
|
|
863
868
|
* {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
|
864
869
|
* {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
|
865
870
|
* {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
|
871
|
+
* {Argon2}[rdoc-ref:doc/argon2.rdoc]
|
866
872
|
* {Change Login}[rdoc-ref:doc/change_login.rdoc]
|
867
873
|
* {Change Password}[rdoc-ref:doc/change_password.rdoc]
|
868
874
|
* {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]
|
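Review bot: the new `* {Argon2}[rdoc-ref:doc/argon2.rdoc]` entry breaks the alphabetical order of this list. It is inserted after Audit Logging but belongs before it (Account Expiration, Active Sessions, Argon2, Audit Logging, Change Login).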
data/doc/active_sessions.rdoc
CHANGED
@@ -37,9 +37,13 @@ inactive_session_error_status :: The error status to use when a JSON request is
|
|
37
37
|
session_id_session_key :: The session key name to use for storing the session id.
|
38
38
|
session_inactivity_deadline :: The number of seconds since last use after which the session will be considered expired (1 day by default). Can be set to nil to not check session inactivity.
|
39
39
|
session_lifetime_deadline :: The number of seconds since session creation after which the session will be considered expired (30 days by default). Can be set to nil to not check session lifetimes.
|
40
|
+
update_current_session? :: Whether the update current session with +active_sessions_update_hash+. By default returns true if +session_inactivity_deadline+ is set.
|
40
41
|
|
41
42
|
== Auth Methods
|
42
43
|
|
44
|
+
active_sessions_insert_hash :: The hash to insert into the +active_sessions_table+.
|
45
|
+
active_sessions_key :: The active session key for the current account.
|
46
|
+
active_sessions_update_hash :: The hash to update the currently active session when +update_current_session?+ is true. By default updates last use to current time.
|
43
47
|
add_active_session :: Create a session id for the session and populate the session and add the session id to the database.
|
44
48
|
currently_active_session? :: Whether the session is currently active, by checking the database table.
|
45
49
|
handle_duplicate_active_session_id(exception) :: How to handle the case where a duplicate session id for the account is inserted into the table. Does nothing by default. This should only be called if the random number generator is broken.
|
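Review bot: the `update_current_session?` description is missing a verb: "Whether the update current session with +active_sessions_update_hash+" should read "Whether to update the current session with +active_sessions_update_hash+". In the same way, "The hash to update the currently active session when +update_current_session?+ is true" reads better as "The hash used to update the currently active session when +update_current_session?+ is true".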
data/doc/argon2.rdoc
ADDED
@@ -0,0 +1,49 @@
|
|
1
|
+
= Documentation for Argon2 Feature
|
2
|
+
|
3
|
+
The argon2 feature adds the ability to replace the bcrypt password hash
|
4
|
+
algorithm with argon2 (specifically, argon2id). Argon2 is an alternative to
|
5
|
+
bcrypt that offers the ability to be memory-hard. However, if you are storing
|
6
|
+
password hashes in a table that the database user does not have access to
|
7
|
+
(the recommended way to use Rodauth), argon2 does not offer significant
|
8
|
+
security advantages over bcrypt.
|
9
|
+
|
10
|
+
If you are using this feature with Rodauth's database authentication functions,
|
11
|
+
you need to make sure that the database authentication functions are configured
|
12
|
+
to support argon2 in addition to bcrypt. You can do this by passing the
|
13
|
+
+:argon2+ option when calling the method to define the database functions.
|
14
|
+
In this example, +DB+ should be your Sequel::Database object:
|
15
|
+
|
16
|
+
require 'rodauth/migrations'
|
17
|
+
|
18
|
+
# If the functions are already defined and you are not using PostgreSQL,
|
19
|
+
# you need to drop the existing functions.
|
20
|
+
Rodauth.drop_database_authentication_functions(DB)
|
21
|
+
|
22
|
+
# If you are using the disallow_password_reuse feature, also drop the
|
23
|
+
# database functions related to that if not using PostgreSQL:
|
24
|
+
Rodauth.drop_database_previous_password_check_functions(DB)
|
25
|
+
|
26
|
+
# Define new functions that support argon2:
|
27
|
+
Rodauth.create_database_authentication_functions(DB, argon2: true)
|
28
|
+
|
29
|
+
# If you are using the disallow_password_reuse feature, also define
|
30
|
+
# new functions that support argon2 for that:
|
31
|
+
Rodauth.create_database_previous_password_check_functions(DB, argon2: true)
|
32
|
+
|
33
|
+
The argon2 feature provides the ability to allow for a gradual migration
|
34
|
+
from transitioning from bcrypt to argon2 and vice-versa, if you are using the
|
35
|
+
update_password_hash.
|
36
|
+
|
37
|
+
Argon2 is more configurable than bcrypt in terms of password hash cost
|
38
|
+
speficiation. Instead of specifying the password_hash_cost value as
|
39
|
+
an integer, you must specify the password hash cost as a hash, such as
|
40
|
+
(<tt>{t_cost: 2, m_cost: 16}</tt>).
|
41
|
+
|
42
|
+
If you are using the argon2 feature and if you have no bcrypt passwords in
|
43
|
+
your database, you should use <tt>require_bcrypt? false</tt> in your
|
44
|
+
Rodauth configuration to prevent loading the bcrypt library, which will save
|
45
|
+
memory.
|
46
|
+
|
47
|
+
== Auth Value Methods
|
48
|
+
|
49
|
+
use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.
|
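Review bot: the migration paragraph is redundant and drops a word: "provides the ability to allow for a gradual migration from transitioning from bcrypt to argon2 and vice-versa, if you are using the update_password_hash." should be "allows a gradual migration from bcrypt to argon2 and vice versa, if you are also using the update_password_hash feature." Fix the typo "speficiation" (specification) in the cost paragraph, and consider stating what unit +m_cost+ is expressed in next to the <tt>{t_cost: 2, m_cost: 16}</tt> example, since an operator tuning memory hardness cannot tell from the page what 16 means.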
data/doc/base.rdoc
CHANGED
@@ -15,7 +15,7 @@ domain :: The domain to use, required by some other features. It is recommended
|
|
15
15
|
hmac_secret :: This sets the secret to use for all of Rodauth's HMACs. This is not set by default, in which case Rodauth does not use HMACs for additional security. However, it is highly recommended that you set this, and some features require it.
|
16
16
|
mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
|
17
17
|
prefix :: The routing prefix used for Rodauth routes. If you are calling in a routing subtree, this should be set to the root path of the subtree. This should include a leading slash if set, but not a trailing slash.
|
18
|
-
require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
|
18
|
+
require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.
|
19
19
|
session_key :: The key in the session hash storing the primary key of the logged in account.
|
20
20
|
session_key_prefix :: The string that will be prepended to the default value for all session keys.
|
21
21
|
skip_status_checks? :: Whether status checks should be skipped for accounts. Defaults to true unless enabling the verify_account or close_account features.
|
@@ -105,6 +105,7 @@ random_key :: A randomly generated string, used for creating tokens.
|
|
105
105
|
redirect(path) :: Redirect the request to the given path.
|
106
106
|
session_value :: The value for session_key in the current session.
|
107
107
|
set_error_flash(message) :: Set the current error flash to the given message.
|
108
|
+
set_error_reason(reason) :: You can override this method to customize handling of specific error types (does nothing by default). Each separate error type has a separate reason symbol, you can see the {list of error reason symbols}[rdoc-ref:doc/error_reasons.rdoc].
|
108
109
|
set_notice_flash(message) :: Set the next notice flash to the given message.
|
109
110
|
set_notice_now_flash(message) :: Set the current notice flash to the given message.
|
110
111
|
set_redirect_error_flash(message) :: Set the next error flash to the given message.
|
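Review bot: the new `set_error_reason(reason)` entry has a comma splice: "Each separate error type has a separate reason symbol, you can see the ..." should be two sentences or joined with a semicolon. It would also help to say explicitly that +reason+ is that symbol, since the entry names the parameter but only describes overriding the method.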
data/doc/change_login.rdoc
CHANGED
@@ -13,6 +13,7 @@ change_login_page_title :: The page title to use on the change login form.
|
|
13
13
|
change_login_redirect :: Where to redirect after a sucessful login change.
|
14
14
|
change_login_requires_password? :: Whether a password is required when changing logins.
|
15
15
|
change_login_route :: The route to the change login action. Defaults to +change-login+.
|
16
|
+
same_as_current_login_message :: The error message to display if using the same value as the current login when changing the login.
|
16
17
|
|
17
18
|
== Auth Methods
|
18
19
|
|
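Review bot: while touching this block, the unchanged context line above has a typo: "after a sucessful login change" should be "successful". The new `same_as_current_login_message` entry itself is fine.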
@@ -0,0 +1,73 @@
|
|
1
|
+
= Error Reasons
|
2
|
+
|
3
|
+
Rodauth allows for customizing response status codes and error
|
4
|
+
messages for each type of error. However, in some cases, the
|
5
|
+
response status code is too coarse for desired error handling
|
6
|
+
by the application (since many error types use the same status
|
7
|
+
code), and using the error message is too fragile since it may
|
8
|
+
be translated.
|
9
|
+
|
10
|
+
For this reason, Rodauth associates a fine grained reason for
|
11
|
+
each type of error. If an error occurs in Rodauth, it will
|
12
|
+
call the +set_error_reason+ method with a symbol for the
|
13
|
+
specific type of error. By default, this method does not do
|
14
|
+
anything, but you can use the +set_error_reason+ configuration
|
15
|
+
method to customize the error handling.
|
16
|
+
|
17
|
+
These are the currently supported error type symbols that
|
18
|
+
Rodauth will call +set_error_reason+ with:
|
19
|
+
|
20
|
+
* :account_locked_out
|
21
|
+
* :already_an_account_with_this_login
|
22
|
+
* :already_an_unverified_account_with_this_login
|
23
|
+
* :duplicate_webauthn_id
|
24
|
+
* :inactive_session
|
25
|
+
* :invalid_email_auth_key
|
26
|
+
* :invalid_otp_auth_code
|
27
|
+
* :invalid_otp_secret
|
28
|
+
* :invalid_password
|
29
|
+
* :invalid_password_pattern
|
30
|
+
* :invalid_phone_number
|
31
|
+
* :invalid_previous_password
|
32
|
+
* :invalid_recovery_code
|
33
|
+
* :invalid_remember_param
|
34
|
+
* :invalid_reset_password_key
|
35
|
+
* :invalid_sms_code
|
36
|
+
* :invalid_sms_confirmation_code
|
37
|
+
* :invalid_unlock_account_key
|
38
|
+
* :invalid_verify_account_key
|
39
|
+
* :invalid_verify_login_change_key
|
40
|
+
* :invalid_webauthn_auth_param
|
41
|
+
* :invalid_webauthn_remove_param
|
42
|
+
* :invalid_webauthn_setup_param
|
43
|
+
* :invalid_webauthn_sign_count
|
44
|
+
* :login_not_valid_email
|
45
|
+
* :login_required
|
46
|
+
* :login_too_long
|
47
|
+
* :login_too_short
|
48
|
+
* :logins_do_not_match
|
49
|
+
* :no_current_sms_code
|
50
|
+
* :no_matching_login
|
51
|
+
* :not_enough_character_groups_in_password
|
52
|
+
* :otp_locked_out
|
53
|
+
* :password_authentication_required
|
54
|
+
* :password_contains_null_byte
|
55
|
+
* :password_does_not_meet_requirements
|
56
|
+
* :password_in_dictionary
|
57
|
+
* :password_is_one_of_the_most_common
|
58
|
+
* :password_same_as_previous_password
|
59
|
+
* :password_too_short
|
60
|
+
* :passwords_do_not_match
|
61
|
+
* :same_as_current_login
|
62
|
+
* :same_as_existing_password
|
63
|
+
* :session_expired
|
64
|
+
* :sms_already_setup
|
65
|
+
* :sms_locked_out
|
66
|
+
* :sms_needs_confirmation
|
67
|
+
* :sms_not_setup
|
68
|
+
* :too_many_repeating_characters_in_password
|
69
|
+
* :two_factor_already_authenticated
|
70
|
+
* :two_factor_need_authentication
|
71
|
+
* :two_factor_not_setup
|
72
|
+
* :unverified_account
|
73
|
+
* :webauthn_not_setup
|
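Review bot: the symbol list gives no indication of which feature or check emits each reason, so near-duplicates such as :password_same_as_previous_password and :same_as_existing_password, or :invalid_password and :invalid_previous_password, are hard to tell apart when writing a `set_error_reason` handler. Consider annotating each entry with the feature that raises it (as the 2.11.0 release notes in this diff do for the new message methods) or grouping the list by feature.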
@@ -0,0 +1,15 @@
|
|
1
|
+
= Migrate users passwords from bcrypt to argon2 or back
|
2
|
+
|
3
|
+
If you are currently using the default bcrypt password hash algorithm, and want to
|
4
|
+
gradually migrate to the argon2 password hash algorithm, you can use both the argon2
|
5
|
+
and update_password_hash features:
|
6
|
+
|
7
|
+
plugin :rodauth do
|
8
|
+
enable :login, :update_password_hash, :argon2
|
9
|
+
end
|
10
|
+
|
11
|
+
When a user with a current bcrypt password hash next successfully uses their
|
12
|
+
password, their password hash will be migrated to argon2.
|
13
|
+
|
14
|
+
If for some reason you want to migrate back from argon2 to bcrypt, you can set
|
15
|
+
<tt>use_argon2? false</tt> in your Rodauth configuration.
|
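Review bot: this guide omits the database-function step that argon2.rdoc in this same diff requires: when Rodauth's database authentication functions are in use, they must be recreated with the `argon2: true` option (and the previous-password check functions too, if disallow_password_reuse is enabled) before the `enable :login, :update_password_hash, :argon2` snippet above can verify or store argon2 hashes. Add a sentence pointing readers to that section. The heading also needs an apostrophe: "Migrate users' passwords from bcrypt to argon2 or back".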
@@ -6,6 +6,7 @@ use a Rodauth feature that requires setting logins or passwords.
|
|
6
6
|
== Auth Value Methods
|
7
7
|
|
8
8
|
already_an_account_with_this_login_message :: The error message to display when there already exists an account with the same login.
|
9
|
+
contains_null_byte_message :: The error message to display when the password contains a null byte.
|
9
10
|
login_confirm_label :: The label to use for login confirmations.
|
10
11
|
login_confirm_param :: The parameter name to use for login confirmations.
|
11
12
|
login_does_not_meet_requirements_message :: The error message to display when the login does not meet the requirements you have set.
|
@@ -19,7 +20,7 @@ logins_do_not_match_message :: The error message to display when login and login
|
|
19
20
|
password_confirm_label :: The label to use for password confirmations.
|
20
21
|
password_confirm_param :: The parameter name to use for password confirmations.
|
21
22
|
password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
|
22
|
-
password_hash_cost :: The
|
23
|
+
password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
|
23
24
|
password_minimum_length :: The minimum length for passwords, 6 by default.
|
24
25
|
password_too_short_message :: The error message fragment to show if the password is too short.
|
25
26
|
passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.
|
@@ -0,0 +1,47 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An argon2 feature has been added that supports using the argon2
|
4
|
+
password hashing algorithm instead of the bcrypt password hashing
|
5
|
+
algorithm. While argon2 does not provide an advantage over bcrypt
|
6
|
+
if the attacker cannot access the password hashes directly (which
|
7
|
+
is how Rodauth is recommended to be used), in cases where attackers
|
8
|
+
can access the password hashes directly, argon2 is thought to be
|
9
|
+
more difficult or expensive to crack due to requiring more memory
|
10
|
+
(bcrypt is not a memory-hard password hash algorithm).
|
11
|
+
|
12
|
+
If you are using this feature with Rodauth's database authentication
|
13
|
+
functions, you need to make sure that the database authentication
|
14
|
+
functions are configured to support argon2 in addition to bcrypt.
|
15
|
+
You can do this by passing the :argon2 option when calling the
|
16
|
+
method to define the database functions. In this example, DB should
|
17
|
+
be your Sequel::Database object (this could be self if used in a
|
18
|
+
Sequel migration):
|
19
|
+
|
20
|
+
require 'rodauth/migrations'
|
21
|
+
|
22
|
+
# If the functions are already defined and you are not using PostgreSQL,
|
23
|
+
# you need to drop the existing functions.
|
24
|
+
Rodauth.drop_database_authentication_functions(DB)
|
25
|
+
|
26
|
+
# If you are using the disallow_password_reuse feature, also drop the
|
27
|
+
# database functions related to that if you are not using PostgreSQL:
|
28
|
+
Rodauth.drop_database_previous_password_check_functions(DB)
|
29
|
+
|
30
|
+
# Define new functions that support argon2:
|
31
|
+
Rodauth.create_database_authentication_functions(DB, argon2: true)
|
32
|
+
|
33
|
+
# If you are using the disallow_password_reuse feature, also define
|
34
|
+
# new functions that support argon2 for that:
|
35
|
+
Rodauth.create_database_previous_password_check_functions(DB, argon2: true)
|
36
|
+
|
37
|
+
You can transparently migrate bcrypt password hashes to argon2
|
38
|
+
password hashes whenever a user successfully uses their password
|
39
|
+
by using the argon2 feature in combination with the
|
40
|
+
update_password_hash feature.
|
41
|
+
|
42
|
+
= Other Improvements
|
43
|
+
|
44
|
+
* Unnecessary queries to determine whether the new password matches
|
45
|
+
a previous password are now skipped when using the create_account
|
46
|
+
or verify_account features with the disallow_password_reuse
|
47
|
+
feature.
|
@@ -0,0 +1,31 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* An :auth_class rodauth plugin option has been added, allowing a user
|
4
|
+
to specify a specific Rodauth::Auth subclass to use, instead of
|
5
|
+
always using a new subclass of Rodauth::Auth. This is designed for
|
6
|
+
advanced configurations or other frameworks that build on top of
|
7
|
+
Rodauth, which may want to customize the Rodauth::Auth subclasses to
|
8
|
+
use.
|
9
|
+
|
10
|
+
* Two additional configuration methods have been added for easier
|
11
|
+
translatability, fixing issues where English text was hardcoded:
|
12
|
+
|
13
|
+
* same_as_current_login_message (change_login feature)
|
14
|
+
* contains_null_byte_message (login_password_requirements_base
|
15
|
+
feature)
|
16
|
+
|
17
|
+
= Other Improvements
|
18
|
+
|
19
|
+
* Loading the rodauth plugin multiple times in the same application
|
20
|
+
with different blocks now works better. The same context is now
|
21
|
+
shared between the blocks, so you can load features in one block
|
22
|
+
and call configuration methods added by the feature in the other
|
23
|
+
block. Previously, you could only call configuration methods in
|
24
|
+
the block that added the feature, and enabling a feature in a
|
25
|
+
block that was already enabled in a previous block did not allow
|
26
|
+
the use of configuration methods related to the feature.
|
27
|
+
|
28
|
+
* Passing a block when loading the rodauth plugin is now optional.
|
29
|
+
|
30
|
+
* The autocomplete attribute on the reset password form now uses
|
31
|
+
new-password instead of current-password.
|
@@ -0,0 +1,17 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* The following configuration methods have been added to the
|
4
|
+
active_sessions feature:
|
5
|
+
|
6
|
+
* active_sessions_insert_hash
|
7
|
+
* active_sessions_key
|
8
|
+
* active_sessions_update_hash
|
9
|
+
* update_current_session?
|
10
|
+
|
11
|
+
These methods allow you to control what gets inserted and
|
12
|
+
updated into the active_sessions_table, and to control
|
13
|
+
whether to perform updates.
|
14
|
+
|
15
|
+
= Other Improvements
|
16
|
+
|
17
|
+
* A typo was fixed in the default unlock account email.
|
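Review bot: "control what gets inserted and updated into the active_sessions_table" mixes prepositions; "control what gets inserted into and updated in the active_sessions_table" is clearer and matches the two hash methods listed above it.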
@@ -0,0 +1,19 @@
|
|
1
|
+
= New Features
|
2
|
+
|
3
|
+
* A set_error_reason configuration method has been added. This method
|
4
|
+
is called whenever a error occurs in Rodauth, with a symbol
|
5
|
+
describing the error. The default implementation of this method does
|
6
|
+
nothing, it has been added to make it easier for Rodauth users to
|
7
|
+
implement custom handling for specific error types. See the Rodauth
|
8
|
+
documentation for this method to see the list of symbols this method
|
9
|
+
can be called with.
|
10
|
+
|
11
|
+
= Other Improvements
|
12
|
+
|
13
|
+
* When using active_sessions and jwt_refresh together, and allowing for
|
14
|
+
expired JWTs when refreshing, you can now call
|
15
|
+
rodauth.check_active_session before r.rodauth. Previously, this
|
16
|
+
did not work, and you had to call rodauth.check_active_session
|
17
|
+
after r.rodauth.
|
18
|
+
|
19
|
+
* The default templates now also support Bootstrap 5.
|
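Review bot: "whenever a error occurs" should be "an error", and "does nothing, it has been added" is a comma splice ("does nothing; it has been added"). The method name `rodauth.check_active_session` used here differs from `rodauth.check_active_sessions` in the CHANGELOG entry for this release earlier in the diff; make both match the actual method name.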