CHANGELOG

CHANGELOG
Last Update: 2018-11-16 10:37:55 -0800

1.19.0 (2018-11-16)

  • Avoid unneeded database queries in the two factor authentication support (jeremyevans)

  • Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)

  • Add after_account_lockout configuration method, called after locking out an account (jeremyevans)

  • Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)

  • Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)

  • Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)

  • Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)

  • Add email_auth feature, for authentication using links sent via email (jeremyevans)

  • Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)

  • Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)

  • Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)

1.18.0 (2018-07-18)

  • Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)

  • Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)

  • Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)

1.17.0 (2018-06-11)

  • Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)

1.16.0 (2018-03-09)

  • Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)

  • Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)

1.15.0 (2018-01-29)

  • Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)

1.14.0 (2017-12-19)

1.13.0 (2017-11-21)

  • Add json_response_body(hash) configuration method to jwt feature (jeremyevans)

  • Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)

  • Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)

  • Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)

1.12.0 (2017-10-03)

  • SECURITY

    Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)

  • Update migrations to work with Sequel 5 (jeremyevans)

  • Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)

  • Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)

  • Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)

  • Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)

1.11.0 (2017-04-24)

  • Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)

  • Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)

  • Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)

1.10.0 (2017-03-23)

  • Add Internals Guide (jeremyevans)

  • Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)

  • When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)

  • Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)

  • Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)

  • Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)

  • Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)

  • Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)

  • Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)

1.9.0 (2017-02-22)

  • Make reset-password use existing password reset key if one is present (jeremyevans) (#26)

  • Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)

1.8.0 (2017-01-06)

  • Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)

  • Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)

1.7.0 (2016-11-22)

  • Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)

1.6.0 (2016-10-24)

  • Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)

  • Move login hooks from login feature to base, to be usable by other features (jeremyevans)

  • Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)

  • Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)

  • Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)

  • Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)

  • Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)

  • Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)

1.5.0 (2016-09-22)

  • Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)

  • Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)

  • Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)

  • Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)

  • Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)

  • Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)

  • Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)

  • Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)

  • Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)

  • If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)

  • The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)

  • Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)

  • Add template_opts configuration method, for overriding view/method options (jeremyevans)

1.4.0 (2016-08-18)

  • Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)

1.3.0 (2016-07-19)

  • Add login_maximum_length, defaulting to 255 (jeremyevans)

1.2.0 (2016-06-15)

  • Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)

  • Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)

1.1.0 (2016-05-13)

  • Support :csrf=>false and :flash=>false plugin options (jeremyevans)

1.0.0 (2016-04-15)

  • Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)

  • Extend remember deadline in cookie in addition to database (jeremyevans)

  • Make tokens work with string account ids (jeremyevans)

  • Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)

  • Set correct cookie expiration in the remember feature (jeremyevans)

  • Split confirm_password feature from remember feature (jeremyevans)

  • Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)

  • Move login/password requirements settings to login password requirements base feature (jeremyevans)

  • Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)

  • Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)

  • Make create/verify account autologin true by default (jeremyevans)

  • Optimize routing using a hash table, disallow per-request routes (jeremyevans)

  • Add ability to turn off login/password confirmations (jeremyevans)

  • Don't allow changing login to the same as the current login (jeremyevans)

  • Only allow requesting account unlocks if the account is current locked out (jeremyevans)

  • Use separate routes for unlock account/reset password/verify account requests (jeremyevans)

  • Use separate routes for confirming passwords and changing remember settings (jeremyevans)

  • Add JWT feature for JSON API support using JWT tokens (jeremyevans)

  • Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)

  • Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)

  • Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)

  • Add rodauth.redirect to abstract redirection code (jeremyevans)

  • Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)

  • The before_* configuration methods now run directly before making the related database changes (jeremyevans)

  • Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)

  • Add token_separator configuration method to replace the default of _ (jeremyevans)

  • Rename account_id_value to account_id (jeremyevans)

  • Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)

  • Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)

  • Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)

  • Extract shared email-related code into email_base feature (jeremyevans)

  • Add auth_class_eval to configuration block for adding custom methods (jeremyevans)

  • Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)

  • Allow close_account feature to optionally delete accounts (jeremyevans)

  • Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)

  • Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)

  • Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)

  • Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)

  • Add single_session feature, for only allowing a single active session per account (jeremyevans)

  • Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)

  • Check account status in rodauth.load_memory in remember plugin (jeremyevans)

  • Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)

  • Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)

  • Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)

  • Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)

  • Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)

  • Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)

  • Check that new password is not the same as existing password in change password and reset password features (jeremyevans)

  • Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)

  • Allow unlock account to optionally require the user's current password (jeremyevans)

  • Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)

  • Make change password, change login, and close account require the user's current password by default (jeremyevans)

  • Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)

  • Switch unlock_account_autologin? to be true by default (jeremyevans)

  • Add rodauth.authenticated? and .require_authentication (jeremyevans)

  • Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)

  • Add otp feature, for 2 factor authentication via TOTP (jeremyevans)

  • Add support for running on MySQL with database functions for authentication (jeremyevans)

  • Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)

  • Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)

  • Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)

  • Add Rodauth.version for getting the version (jeremyevans)

  • External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)

  • Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)

  • Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)

  • Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)

  • Always require securerandom (jeremyevans)

  • Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)

  • Support authentication without database functions when password hashes are stored in separate table (jeremyevans)

  • Remove overriding of route/get/post blocks (jeremyevans)

  • Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)

  • Add timing safe comparison of tokens (jeremyevans)

0.10.0 (2016-02-17)

  • Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)

0.9.1 (2015-08-13)

  • Don't use csrf plugin automatically (jeremyevans)

0.9.0 (2015-08-12)

  • Initial public release