rodauth 2.9.0 → 2.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a51cd006e762abd197f16ec9b8337cd54bf15206fcc2ce3a83cb1c424bb83845
-  data.tar.gz: 41e21158bee2b7ef8c75a93b035a5ff08c0245e5719aecbf783a818a860329b6
+  metadata.gz: 5286a570d72b6bc951ca489e12a696a4c2348d789d09f2782cfbd3521e63ee6d
+  data.tar.gz: be5d4e5bef18f6f62978bc84e07da1c4b31db4f03bf104d01abf8510812c5719
 SHA512:
-  metadata.gz: fb2c83005f29f8e8f2ea36ae97111c2b2108dc370ce1fee624c6cd27fd96eaa70be8f1471d9b9cb4a8b652b55e2277cce3489514bf56624bceb2c4f52413b580
-  data.tar.gz: 6bf8b23187ab6935cd33259b4ee546281df100641b7927c9e03e531f591a451ba5d56b50b8621cbc7948ad8807253dbded5da0b85247e70db7aa5db1d2be765a
+  metadata.gz: 98a849b965bfee4d80b8b6f6fc286d22f57673bf37da4e2cb338c114275795b665e46b561781f688dbb2ddfdd312e8b393f545d1920ac9f83024e042ff97cee0
+  data.tar.gz: 46da808a9d2e38c647339eed1554183b0e175fb3dbf4fd04d49d78015ff523bc0960091b3643bbc3913cfce88b7f78a240bd1857002de889a2d9455f106e4e03

data/CHANGELOG

@@ -1,3 +1,9 @@
+=== 2.10.0 (2021-02-22)
+
+* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
+
+* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
+
 === 2.9.0 (2021-01-22)
 
 * Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)

data/README.rdoc

@@ -57,6 +57,7 @@ HTML and JSON API for all supported features.
 * JWT Refresh (Access & Refresh Token)
 * JWT CORS (Cross-Origin Resource Sharing)
 * Update Password Hash (when hash cost changes)
+* Argon2
 * HTTP Basic Auth
 * Change Password Notify
 
@@ -80,8 +81,10 @@ rack_csrf :: Used for CSRF support if the :csrf=>:rack_csrf plugin
              option is given (the default is to use Roda's route_csrf
              plugin, as that allows for more secure request-specific
              tokens).
-bcrypt :: Used by default for password matching, can be skipped
+bcrypt :: Used by default for password hashing, can be skipped
           if password_match? is overridden for custom authentication.
+argon2 :: Used by the argon2 feature as alternative to bcrypt for
+          password hashing.
 mail :: Used by default for mailing in the reset password, verify
         account, verify_login_change, change_password_notify,
         lockout, and email_auth features.
@@ -106,7 +109,7 @@ correctly without it.  There may be cases where you cannot use
 this feature, such as when using a different database or when you
 do not have full control over the database you are using.
 
-Passwords are hashed using bcrypt, and the password hashes are
+Passwords are hashed using bcrypt by default, and the password hashes are
 kept in a separate table from the accounts table, with a foreign key
 referencing the accounts table.  Two database functions are added,
 one to retrieve the salt for a password, and the other to check
@@ -333,7 +336,7 @@ things for the schema changes:
     foreign_key :id, Sequel[:${DATABASE_NAME}][:accounts], :primary_key=>true, :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_authentication_functions(self, :table_name=>"${DATABASE_NAME}_password.account_password_hashes")
+  Rodauth.create_database_authentication_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_password_hashes])
 
   # if using the disallow_password_reuse feature:
   create_table(:account_previous_password_hashes) do
@@ -341,7 +344,7 @@ things for the schema changes:
     foreign_key :account_id, Sequel[:${DATABASE_NAME}][:accounts], :type=>:Bignum
     String :password_hash, :null=>false
   end
-  Rodauth.create_database_previous_password_check_functions(self, :table_name=>"${DATABASE_NAME}_password.account_previous_password_hashes")
+  Rodauth.create_database_previous_password_check_functions(self, :table_name=>Sequel[:${DATABASE_NAME}_password][:account_previous_password_hashes])
 
 You'll also need to use the following Rodauth configuration methods so that the
 app account calls functions in a separate schema:
@@ -863,6 +866,7 @@ view the appropriate file in the doc directory.
 * {Account Expiration}[rdoc-ref:doc/account_expiration.rdoc]
 * {Active Sessions}[rdoc-ref:doc/active_sessions.rdoc]
 * {Audit Logging}[rdoc-ref:doc/audit_logging.rdoc]
+* {Argon2}[rdoc-ref:doc/argon2.rdoc]
 * {Change Login}[rdoc-ref:doc/change_login.rdoc]
 * {Change Password}[rdoc-ref:doc/change_password.rdoc]
 * {Change Password Notify}[rdoc-ref:doc/change_password_notify.rdoc]

data/doc/argon2.rdoc

@@ -0,0 +1,49 @@
+= Documentation for Argon2 Feature
+
+The argon2 feature adds the ability to replace the bcrypt password hash
+algorithm with argon2 (specifically, argon2id).  Argon2 is an alternative to
+bcrypt that offers the ability to be memory-hard.  However, if you are storing
+password hashes in a table that the database user does not have access to
+(the recommended way to use Rodauth), argon2 does not offer significant
+security advantages over bcrypt.
+
+If you are using this feature with Rodauth's database authentication functions,
+you need to make sure that the database authentication functions are configured
+to support argon2 in addition to bcrypt.  You can do this by passing the
++:argon2+ option when calling the method to define the database functions.
+In this example, +DB+ should be your Sequel::Database object:
+
+  require 'rodauth/migrations'
+
+  # If the functions are already defined and you are not using PostgreSQL,
+  # you need to drop the existing functions.
+  Rodauth.drop_database_authentication_functions(DB)
+
+  # If you are using the disallow_password_reuse feature, also drop the
+  # database functions related to that if not using PostgreSQL:
+  Rodauth.drop_database_previous_password_check_functions(DB)
+
+  # Define new functions that support argon2:
+  Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+  # If you are using the disallow_password_reuse feature, also define
+  # new functions that support argon2 for that:
+  Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+The argon2 feature provides the ability to allow for a gradual migration
+from transitioning from bcrypt to argon2 and vice-versa, if you are using the
+update_password_hash.
+
+Argon2 is more configurable than bcrypt in terms of password hash cost
+speficiation.  Instead of specifying the password_hash_cost value as
+an integer, you must specify the password hash cost as a hash, such as
+(<tt>{t_cost: 2, m_cost: 16}</tt>).
+
+If you are using the argon2 feature and if you have no bcrypt passwords in
+your database, you should use <tt>require_bcrypt? false</tt> in your
+Rodauth configuration to prevent loading the bcrypt library, which will save
+memory.
+
+== Auth Value Methods
+
+use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.

data/doc/base.rdoc

@@ -15,7 +15,7 @@ domain :: The domain to use, required by some other features. It is recommended
 hmac_secret :: This sets the secret to use for all of Rodauth's HMACs.  This is not set by default, in which case Rodauth does not use HMACs for additional security.  However, it is highly recommended that you set this, and some features require it.
 mark_input_fields_as_required? :: Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).
 prefix :: The routing prefix used for Rodauth routes.  If you are calling in a routing subtree, this should be set to the root path of the subtree.  This should include a leading slash if set, but not a trailing slash.
-require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication.
+require_bcrypt? :: Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.
 session_key :: The key in the session hash storing the primary key of the logged in account.
 session_key_prefix :: The string that will be prepended to the default value for all session keys.
 skip_status_checks? :: Whether status checks should be skipped for accounts.  Defaults to true unless enabling the verify_account or close_account features.

data/doc/guides/migrate_password_hash_algorithm.rdoc

@@ -0,0 +1,15 @@
+= Migrate users passwords from bcrypt to argon2 or back
+
+If you are currently using the default bcrypt password hash algorithm, and want to
+gradually migrate to the argon2 password hash algorithm, you can use both the argon2
+and update_password_hash features:
+
+  plugin :rodauth do
+    enable :login, :update_password_hash, :argon2
+  end
+
+When a user with a current bcrypt password hash next successfully uses their
+password, their password hash will be migrated to argon2.
+
+If for some reason you want to migrate back from argon2 to bcrypt, you can set
+<tt>use_argon2? false</tt> in your Rodauth configuration.

data/doc/login_password_requirements_base.rdoc

@@ -19,7 +19,7 @@ logins_do_not_match_message :: The error message to display when login and login
 password_confirm_label :: The label to use for password confirmations.
 password_confirm_param :: The parameter name to use for password confirmations.
 password_does_not_meet_requirements_message :: The error message to display when the password does not meet the requirements you have set.
-password_hash_cost :: The bcrypt cost to use for the password hash.
+password_hash_cost :: The cost to use for the password hash algorithm. This should be an integer when using bcrypt (the default), and a hash if using argon2 (supported by the argon2 feature).
 password_minimum_length :: The minimum length for passwords, 6 by default.
 password_too_short_message :: The error message fragment to show if the password is too short.
 passwords_do_not_match_message :: The error message to display when password and password confirmation do not match.

data/doc/release_notes/2.10.0.txt

@@ -0,0 +1,47 @@
+= New Features
+
+* An argon2 feature has been added that supports using the argon2
+  password hashing algorithm instead of the bcrypt password hashing
+  algorithm.  While argon2 does not provide an advantage over bcrypt
+  if the attacker cannot access the password hashes directly (which
+  is how Rodauth is recommended to be used), in cases where attackers
+  can access the password hashes directly, argon2 is thought to be
+  more difficult or expensive to crack due to requiring more memory
+  (bcrypt is not a memory-hard password hash algorithm).
+
+  If you are using this feature with Rodauth's database authentication
+  functions, you need to make sure that the database authentication
+  functions are configured to support argon2 in addition to bcrypt.
+  You can do this by passing the :argon2 option when calling the
+  method to define the database functions.  In this example, DB should
+  be your Sequel::Database object (this could be self if used in a
+  Sequel migration):
+
+    require 'rodauth/migrations'
+
+    # If the functions are already defined and you are not using PostgreSQL,
+    # you need to drop the existing functions.
+    Rodauth.drop_database_authentication_functions(DB)
+
+    # If you are using the disallow_password_reuse feature, also drop the
+    # database functions related to that if you are not using PostgreSQL:
+    Rodauth.drop_database_previous_password_check_functions(DB)
+
+    # Define new functions that support argon2:
+    Rodauth.create_database_authentication_functions(DB, argon2: true)
+
+    # If you are using the disallow_password_reuse feature, also define
+    # new functions that support argon2 for that:
+    Rodauth.create_database_previous_password_check_functions(DB, argon2: true) 
+
+  You can transparently migrate bcrypt password hashes to argon2
+  password hashes whenever a user successfully uses their password
+  by using the argon2 feature in combination with the
+  update_password_hash feature.
+
+= Other Improvements
+
+* Unnecessary queries to determine whether the new password matches
+  a previous password are now skipped when using the create_account
+  or verify_account features with the disallow_password_reuse
+  feature.

data/lib/rodauth/features/argon2.rb

@@ -0,0 +1,69 @@
+# frozen-string-literal: true
+
+require 'argon2'
+
+# :nocov:
+if !defined?(Argon2::VERSION) || Argon2::VERSION < '2'
+  raise LoadError, "argon2 version 1.x not supported as it does not support argon2id hashes"
+end
+# :nocov:
+
+module Rodauth
+  Feature.define(:argon2, :Argon2) do
+    depends :login_password_requirements_base
+
+    auth_value_method :use_argon2?, true
+
+    private
+
+    def password_hash_cost
+      return super unless use_argon2?
+      argon2_hash_cost 
+    end
+
+    def password_hash(password)
+      return super unless use_argon2?
+      ::Argon2::Password.new(password_hash_cost).create(password)
+    end
+
+    def password_hash_match?(hash, password)
+      return super unless argon2_hash_algorithm?(hash)
+      argon2_password_hash_match?(hash, password)
+    end
+
+    def password_hash_using_salt(password, salt)
+      return super unless argon2_hash_algorithm?(salt)
+
+      argon2_params = Hash[extract_password_hash_cost(salt)]
+      argon2_params[:salt_do_not_supply] = Base64.decode64(salt.split('$').last)
+      ::Argon2::Password.new(argon2_params).create(password)
+    end
+
+    def extract_password_hash_cost(hash)
+      return super unless argon2_hash_algorithm?(hash )
+
+      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+    end
+
+    if ENV['RACK_ENV'] == 'test'
+      def argon2_hash_cost
+        {t_cost: 1, m_cost: 3}
+      end
+    # :nocov:
+    else
+      def argon2_hash_cost
+        {t_cost: 2, m_cost: 16}
+      end
+    end
+    # :nocov:
+
+    def argon2_hash_algorithm?(hash)
+      hash.start_with?('$argon2id$')
+    end
+
+    def argon2_password_hash_match?(hash, password)
+      ::Argon2::Password.verify_password(password, hash)
+    end
+  end
+end

data/lib/rodauth/features/base.rb

@@ -465,7 +465,7 @@ module Rodauth
     end
 
     def database_function_password_match?(name, hash_id, password, salt)
-      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+      db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
     end
 
     def password_hash_match?(hash, password)
@@ -593,6 +593,10 @@ module Rodauth
       @has_password = !!get_password_hash
     end
 
+    def password_hash_using_salt(password, salt)
+      BCrypt::Engine.hash_secret(password, salt)
+    end
+
     # Get the password hash for the user.  When using database authentication functions,
     # note that only the salt is returned.
     def get_password_hash

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -24,13 +24,16 @@ module Rodauth
 
     def add_previous_password_hash(hash) 
       ds = previous_password_ds
-      keep_before = ds.reverse(previous_password_id_column).
-        limit(nil, previous_passwords_to_check).
-        get(previous_password_id_column)
 
-      if keep_before
-        ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
-          delete
+      unless @dont_check_previous_password
+        keep_before = ds.reverse(previous_password_id_column).
+          limit(nil, previous_passwords_to_check).
+          get(previous_password_id_column)
+
+        if keep_before
+          ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
+            delete
+        end
       end
 
       # This should never raise uniqueness violations, as it uses a serial primary key
@@ -39,7 +42,7 @@ module Rodauth
 
     def password_meets_requirements?(password)
       super &&
-        password_doesnt_match_previous_password?(password)
+        (@dont_check_previous_password || password_doesnt_match_previous_password?(password))
     end
 
     private
@@ -71,6 +74,16 @@ module Rodauth
       previous_password_ds.delete
     end
 
+    def before_create_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
+    def before_verify_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
     def after_create_account
       if account_password_hash_column && !(respond_to?(:verify_account_set_password?) && verify_account_set_password?)
         add_previous_password_hash(password_hash(param(password_param)))

data/lib/rodauth/features/login_password_requirements_base.rb

@@ -140,6 +140,10 @@ module Rodauth
       # :nocov:
     end
 
+    def extract_password_hash_cost(hash)
+      hash[4, 2].to_i
+    end
+    
     def password_hash(password)
       BCrypt::Password.create(password, :cost=>password_hash_cost)
     end

data/lib/rodauth/features/update_password_hash.rb

@@ -20,7 +20,7 @@ module Rodauth
 
     def get_password_hash
       if hash = super
-        @current_password_hash_cost = hash.split('$')[2].to_i
+        @current_password_hash_cost = extract_password_hash_cost(hash)
       end
 
       hash

data/lib/rodauth/migrations.rb

@@ -4,7 +4,8 @@ module Rodauth
   def self.create_database_authentication_functions(db, opts={})
     table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
-    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
+    argon2 = opts[:argon2]
 
     case db.database_type
     when :postgres
@@ -14,12 +15,21 @@ module Rodauth
         when 'uuid' then :uuid
         else :int8
         end
+      table_name = db.literal(table_name) unless table_name.is_a?(String)
 
+      argon_sql = <<END
+CASE
+    WHEN password_hash ~ '^\\$argon2id'
+      THEN substring(password_hash from '\\$argon2id\\$v=\\d+\\$m=\\d+,t=\\d+,p=\\d+\\$.+\\$')
+    ELSE substr(password_hash, 0, 30)
+  END INTO salt
+END
       db.run <<END
 CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
 DECLARE salt text;
 BEGIN
-SELECT substr(password_hash, 0, 30) INTO salt 
+SELECT
+#{argon2 ? argon_sql : "substr(password_hash, 0, 30) INTO salt"}
 FROM #{table_name}
 WHERE acct_id = id;
 RETURN salt;
@@ -43,12 +53,20 @@ SECURITY DEFINER
 SET search_path = #{search_path};
 END
     when :mysql
+      argon_sql = <<END
+CASE
+  WHEN password_hash REGEXP '^.argon2id'
+    THEN left(password_hash, CHAR_LENGTH(password_hash) - INSTR(REVERSE(password_hash), '$'))
+  ELSE substr(password_hash, 1, 30)
+  END
+END
       db.run <<END
 CREATE FUNCTION #{get_salt_name}(acct_id int8) RETURNS varchar(255)
 SQL SECURITY DEFINER
 READS SQL DATA
 BEGIN
-RETURN (SELECT substr(password_hash, 1, 30)
+RETURN (SELECT
+#{argon2 ? argon_sql : "substr(password_hash, 1, 30)"}
 FROM #{table_name}
 WHERE acct_id = id);
 END;
@@ -71,13 +89,21 @@ RETURN valid;
 END;
 END
     when :mssql
+      argon_sql = <<END
+CASE
+  WHEN password_hash LIKE '[$]argon2id%'
+    THEN left(password_hash, len(password_hash) - charindex('$', reverse(password_hash)))
+  ELSE substring(password_hash, 0, 30)
+  END
+END
       db.run <<END
 CREATE FUNCTION #{get_salt_name}(@account_id bigint) RETURNS nvarchar(255)
 WITH EXECUTE AS OWNER
 AS
 BEGIN
 DECLARE @salt nvarchar(255);
-SELECT @salt = substring(password_hash, 0, 30)
+SELECT @salt =
+#{argon2 ? argon_sql : "substring(password_hash, 0, 30)"}
 FROM #{table_name}
 WHERE id = @account_id;
 RETURN @salt;
@@ -107,7 +133,7 @@ END
   def self.drop_database_authentication_functions(db, opts={})
     table_name = opts[:table_name] || :account_password_hashes
     get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
-    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash 
+    valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
 
     case db.database_type
     when :postgres

data/lib/rodauth/version.rb

@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 9
+  MINOR = 10
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth
 version: !ruby/object:Gem::Version
-  version: 2.9.0
+  version: 2.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-23 00:00:00.000000000 Z
+date: 2021-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: mail
   requirement: !ruby/object:Gem::Requirement
@@ -140,14 +154,14 @@ dependencies:
   name: webauthn
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
@@ -239,6 +253,7 @@ extra_rdoc_files:
 - MIT-LICENSE
 - doc/account_expiration.rdoc
 - doc/active_sessions.rdoc
+- doc/argon2.rdoc
 - doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
@@ -305,6 +320,7 @@ extra_rdoc_files:
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.10.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -320,6 +336,7 @@ files:
 - dict/top-10_000-passwords.txt
 - doc/account_expiration.rdoc
 - doc/active_sessions.rdoc
+- doc/argon2.rdoc
 - doc/audit_logging.rdoc
 - doc/base.rdoc
 - doc/change_login.rdoc
@@ -342,6 +359,7 @@ files:
 - doc/guides/internals.rdoc
 - doc/guides/links.rdoc
 - doc/guides/login_return.rdoc
+- doc/guides/migrate_password_hash_algorithm.rdoc
 - doc/guides/password_column.rdoc
 - doc/guides/password_confirmation.rdoc
 - doc/guides/password_requirements.rdoc
@@ -394,6 +412,7 @@ files:
 - doc/release_notes/1.9.0.txt
 - doc/release_notes/2.0.0.txt
 - doc/release_notes/2.1.0.txt
+- doc/release_notes/2.10.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -421,6 +440,7 @@ files:
 - lib/rodauth.rb
 - lib/rodauth/features/account_expiration.rb
 - lib/rodauth/features/active_sessions.rb
+- lib/rodauth/features/argon2.rb
 - lib/rodauth/features/audit_logging.rb
 - lib/rodauth/features/base.rb
 - lib/rodauth/features/change_login.rb