Documentation for Rodauth (v2.10.0)
README (Introduction to Rodauth, start here if new)
All features in Rodauth must be explicitly enabled. Configuration that is used by multiple features resides in the Base feature; all other configuration is specific to individual features and becomes available once those features have been enabled.
- Base: Shared behavior for other features.
- Email Base: Shared behavior for features that require sending email.
- Login Password Requirements Base: Shared behavior for features that set logins or passwords.
- Two Factor Base: Shared behavior for multifactor authentication features.
- Account Expiration: Disallows access to accounts if there has been no login or activity after a given amount of time.
- Active Sessions: Prevents session reuse after logout, and allows for global logout of all sessions for the account.
- Argon2: Allows use of the argon2 password hash algorithm.
- Audit Logging: Provides audit logging to a database table for all rodauth actions.
- Change Login: Allows a user to change their login.
- Change Password: Allows a user to change their password.
- Change Password Notify: Emails a user when they use the Change Password feature to change their password.
- Close Account: Allows a user to close their account.
- Confirm Password: Allows a user to confirm their password, or to multifactor authenticate via password if authenticated via another method.
- Create Account: Allows a user to create an account.
- Disallow Common Passwords: Disallows the use of common passwords.
- Disallow Password Reuse: Disallows setting password to the same string as previous passwords.
- Email Authentication: Allows login via a link sent via email.
- HTTP Basic Auth: Allows HTTP basic authentication.
- JSON: Adds JSON API support for all other features.
- JWT: Adds JSON Web Token support for all other features.
- JWT CORS: Supports Cross-Origin Resource Sharing in the JSON API.
- JWT Refresh: Supports separate access and refresh JWT tokens.
- Lockout: Locks an account out after a number of invalid authentication attempts, allowing unlocking via email.
- Login: Allows for logging into the application via a login/email and password.
- Logout: Allows for logging out of the application, by removing the login information from the session.
- OTP: Adds support for multifactor authentication via TOTP.
- Password Complexity: Adds more sophisticated complexity checks for passwords.
- Password Expiration: Requires that accounts change their password after a given amount of time.
- Password Grace Period: Allows skipping password entry on forms normally requiring it if a user recently entered their password.
- Password Pepper: Allows appending a secret key to passwords before they are hashed.
- Recovery Codes: Adds support for multifactor authentication via single-use account recovery codes.
- Remember: Automatically logs a user in based on a token stored in a cookie.
- Reset Password: Allows users to reset their password if they don't remember it.
- Session Expiration: Expires sessions automatically based on inactivity or max lifetime checks.
- Single Session: Allows only a single active session per account.
- SMS Codes: Adds support for multifactor authentication via codes received via SMS.
- Update Password Hash: Updates the password hash whenever the hash cost changes.
- Verify Account: Requires verification of newly created accounts before login.
- Verify Account Grace Period: Allows newly created accounts a grace period before verification is required.
- Verify Login Change: Requires verification of new logins before changing logins.
- WebAuthn: Adds support for multifactor authentication via WebAuthn.
- WebAuthn Login: Adds support for passwordless login via WebAuthn.
- WebAuthn Verify Account: Adds support for passwordless WebAuthn setup during account verification.
- Require account verification by admin
- Skip login page if already authenticated
- Use a non-email login
- Create an account record programmatically
- Set password when verifying account
- Allow only email authentication
- Translate with I18n gem
- Display authentication links
- Redirect to original page after login
- Store password hash in accounts table
- Require password confirmation for certain actions
- Customize password requirements
- Change route path
- Pass query parameters to auth URLs
- Change redirect destination
- Add field during account creation
- Require multifactor authentication after login
- Autologin after password reset
- Store account status in a text column
- Allow recovery code on TOTP code field
- Internals Guide, describing how Rodauth works internally
To use these external features, install their dependencies and follow their installation instructions.
- rodauth-become_account: Easily switch between Rodauth accounts.
- rodauth-oauth: Implements the OAuth 2.0 protocol on top of Rodauth.
- rodauth-pwned: Checks passwords against the Pwned Passwords API.
- rodauth-rails: Provides Rails integration for Rodauth.
- rodauth-select-account: Supports logging into multiple accounts in the same session.
- "Rodauth: Ruby's Most Advanced Authentication Framework" Presentation at Pivorak Conf 5.0 (Video)
- "Rodauth: Clean Authentication" at Ruby Meditation #13
- "Rodauth: Website Security Through Database Security" Presentation at RubyConf LT 2016 (1024x768, 50 minutes)
- "Rodauth: Website Security Through Database Security" Presentation at RubyConf BY 2016 (1280x720, 40 minutes) (Video)
Here is a diagram of the tables that Rodauth uses and the relationships between the tables as of Rodauth 2.0.0.
Applications Using Rodauth
Here are some open source applications that use Rodauth: