Why Rodauth?
Rodauth is the only full featured authentication and account management framework designed to be usable by all Rack applications. There are other full featured authentication and account management frameworks for Ruby, such as Devise, Authlogic, and Sorcery, but all of them are Rails-specific.
Goals
- Security
- Simplicity
- Flexibility
Security
Rodauth ships with a maximum-security-by-default configuration. The default and recommended way to use Rodauth is with multiple database accounts, using database functions for authentication, so that the application's own database account cannot read password hashes and an attacker who compromises the application cannot read them either. Even if you store nothing else important in your application, if you store password hashes it is critical that you protect access to them as much as possible, so that an attacker cannot use the password hashes stored in your database to attack other sites.
Additionally, Rodauth ships with support for 2 factor authentication via TOTP, so that a password recovered through a password hash attack on another site is not by itself enough to access your site.
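The following is an added example, not code from the Rodauth project, showing the privilege-separation pattern described above written for PostgreSQL: the application connects as one role that has no SELECT privilege on the hash table, and authentication goes through SECURITY DEFINER functions owned by a second role. The role, table and function names (app_user, app_password, accounts, account_password_hashes, rodauth_get_salt, rodauth_valid_password_hash), the bcrypt salt length and the placeholder passwords are assumptions for illustration; the script is meant to be run once by a superuser during setup.

```sql
-- Added example (not Rodauth's own schema). Run as a superuser.
-- Two roles: the application connects as app_user. app_password owns the hash
-- table and the authentication functions and is never used by the application.
CREATE ROLE app_password LOGIN PASSWORD 'PLACEHOLDER-change-me';
CREATE ROLE app_user     LOGIN PASSWORD 'PLACEHOLDER-change-me';

-- Accounts table: fully readable and writable by the application.
CREATE TABLE accounts (
  id        bigserial PRIMARY KEY,
  email     text      NOT NULL UNIQUE,
  status_id integer   NOT NULL DEFAULT 1
);
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO app_user;
GRANT USAGE ON SEQUENCE accounts_id_seq TO app_user;

-- Hash table: owned by app_password. app_user may insert, update and delete
-- rows (needed to set, change or remove a password) but may not read the
-- password_hash column, so a SQL injection or a leaked app_user credential
-- cannot dump the hashes. SELECT is granted on the id column only, because
-- PostgreSQL requires SELECT on columns referenced in a WHERE clause.
CREATE TABLE account_password_hashes (
  id            bigint PRIMARY KEY REFERENCES accounts(id),
  password_hash text   NOT NULL
);
ALTER TABLE account_password_hashes OWNER TO app_password;
GRANT INSERT, UPDATE, DELETE ON account_password_hashes TO app_user;
GRANT SELECT (id) ON account_password_hashes TO app_user;

-- Returns only the salt portion of the stored bcrypt hash ("$2a$12$" plus a
-- 22 character salt = 29 characters; substr with start 0 yields 29 chars).
-- SECURITY DEFINER: runs with the privileges of the owner (app_password).
-- search_path is pinned so a caller cannot shadow objects the body references.
CREATE OR REPLACE FUNCTION rodauth_get_salt(acct_id bigint) RETURNS text
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
  salt text;
BEGIN
  SELECT substr(password_hash, 0, 30) INTO salt
    FROM account_password_hashes
    WHERE id = acct_id;
  RETURN salt;  -- NULL when the account has no password
END;
$$;
ALTER FUNCTION rodauth_get_salt(bigint) OWNER TO app_password;

-- Compares a hash the application computed (bcrypt of the candidate password
-- with the salt obtained above) against the stored hash. The stored hash never
-- leaves the database; only a boolean does.
CREATE OR REPLACE FUNCTION rodauth_valid_password_hash(acct_id bigint, hash text)
RETURNS boolean
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
  valid boolean;
BEGIN
  SELECT password_hash = hash INTO valid
    FROM account_password_hashes
    WHERE id = acct_id;
  RETURN coalesce(valid, false);  -- missing account => false
END;
$$;
ALTER FUNCTION rodauth_valid_password_hash(bigint, text) OWNER TO app_password;

-- Functions are executable by the application role only.
REVOKE ALL ON FUNCTION rodauth_get_salt(bigint) FROM PUBLIC;
REVOKE ALL ON FUNCTION rodauth_valid_password_hash(bigint, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION rodauth_get_salt(bigint) TO app_user;
GRANT EXECUTE ON FUNCTION rodauth_valid_password_hash(bigint, text) TO app_user;

-- Login flow as seen from the application's connection (app_user), with a
-- constructed account id of 42:
--   1. SELECT rodauth_get_salt(42);
--   2. compute bcrypt(candidate_password, salt) in the application
--   3. SELECT rodauth_valid_password_hash(42, '<hash computed in step 2>');
-- Whereas this, from the same connection, fails with "permission denied":
--   SELECT password_hash FROM account_password_hashes WHERE id = 42;
```

A useful check after running the script is to connect as app_user and confirm that the direct SELECT on password_hash is rejected while the two function calls succeed; if the direct SELECT works, the table is not owned by the second role or a broad grant was added later. The hash comparison inside rodauth_valid_password_hash is a plain string equality and therefore not constant time; the salt is public and the candidate hash is computed by the application, so the property this pattern defends is confidentiality of the stored hashes, not timing.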
Simplicity
Rodauth uses a simple configuration DSL that allows easily constructing a custom authentication object designed for your application.
Flexibility
Rodauth allows for overriding any part of the framework on a per-request basis using any information related to the request.
Full Featured
Rodauth ships with support for most common authentication and account management features, such as:
- Login
- Logout
- Change Password
- Change Login
- Reset Password
- Create Account
- Close Account
- Verify Account
- Remember (Autologin via token)
- Lockout (Brute-force protection)
- Email Authentication (Login via email link)
- OTP (2 factor authentication via TOTP)
- Recovery Codes (2 factor authentication via backup codes)
- SMS Codes (2 factor authentication via SMS)
- Verify Login Change (Reverify accounts after login changes)
- Verify Account Grace Period (Don't require verification before login)
- Password Grace Period (Don't require password entry if recently entered)
- Password Complexity (More sophisticated checks)
- Change Password Notify (Notify user about password changes)
- Confirm Password (Ask user to enter password if logged in via a token)
- Update Password Hash (If changing password hash cost)
- Disallow Common Passwords
- Disallow Password Reuse
- Password Expiration
- Account Expiration
- Session Expiration
- Single Session (Only one active session per account)
- HTTP Basic Auth
- JWT (JSON API support for all other features)