Documentation for Rodauth (v2.37.0)

README (Introduction to Rodauth, start here if new)

RDoc (frames)

Feature Configuration

All features in Rodauth must be explicitly enabled. Configuration that is used by multiple features resides in the Base feature, all other configuration is specific to individual features, and available after the features have been enabled.

• Base: Shared behavior for other features.
• Email Base: Shared behavior for features that require sending email.
• Login Password Requirements Base: Shared behavior for features that set logins or passwords.
• Two Factor Base: Shared behavior for multifactor authentication features.
• Account Expiration: Disallows access to accounts if there has been no login or activity after a given amount of time.
• Active Sessions: Prevents session reuse after logout, and allows for global logout of all sessions for the account.
• Argon2: Allows use of the argon2 password hash algorithm.
• Audit Logging: Provides audit logging to a database table for all rodauth actions.
• Change Login: Allows a user to change their login.
• Change Password: Allows a user to change their password.
• Change Password Notify: Emails the user when they use the Change Password feature to change their password.
• Close Account: Allows a user to close their account.
• Confirm Password: Allows a user to confirm their password, or multifactor authenticate via password is authenticated via another method.
• Create Account: Allows a user to create an account.
• Disallow Common Passwords: Disallows the use of common passwords.
• Disallow Password Reuse: Disallows setting password to the same string as previous passwords.
• Email Authentication: Allows login via a link sent via email.
• HTTP Basic Auth: Allows HTTP basic authentication.
• Internal Request: Allows interacting with Rodauth by calling methods.
• JSON: Adds JSON API support for all other features.
• JWT: Adds JSON Web Token support for all other features.
• JWT CORS: Supports Cross-Origin Resource Sharing in the JSON API.
• JWT Refresh: Supports separate access and refresh JWT tokens.
• Lockout: Locks an account out after a number of invalid authentication attempts, allowing unlocking via email.
• Login: Allows for logging into the application via a login/email and password.
• Logout: Allows for logging out of the application, by removing the login information from the session.
• OTP: Adds support for multifactor authentication via TOTP.
• OTP Lockout Email: Emails user when TOTP authentication is locked out or unlocked for their account.
• OTP Modify Email: Emails user when TOTP authentication is setup or disabled for their account.
• OTP Unlock: Adds support for unlocking TOTP authentication after it is locked out.
• Password Complexity: Adds more sophisticated complexity checks for passwords.
• Password Expiration: Requires that accounts change their password after a given amount of time.
• Password Grace Period: Allows skipping password entry on forms normally requiring it if a user recently entered their password.
• Password Pepper: Allows appending a secret key to passwords before they are hashed.
• Path Class Methods: Allows for getting paths/URLs for features using class methods.
• Recovery Codes: Adds support for mulitfactor authentication via single-use account recovery codes.
• Remember: Automatically logs a user in based on a token stored in a cookie.
• Reset Password: Allows users to reset their password if they don't remember it.
• Reset Password Notify: Emails the user after they have used the Reset Password feature to successfully reset their password.
• Session Expiration: Expires sessions automatically based on inactivity or max lifetime checks.
• Single Session: Allows only a single active session per account.
• SMS Codes: Adds support for multifactor authentication via codes received via SMS.
• Update Password Hash: Updates the password hash whenever the hash cost changes.
• Verify Account: Requires verifications of newly created accounts before login.
• Verify Account Grace Period: Allows newly created accounts a grace period before verification is required.
• Verify Login Change: Requires verification of new logins before changing logins.
• WebAuthn: Adds support for multifactor authentication via WebAuthn.
• WebAuthn Autofill: Enables autofill UI for WebAuthn credentials on login.
• WebAuthn Login: Adds support for passwordless login via WebAuthn.
• WebAuthn Modify Email: Emails user when a WebAuthn authenticator is added to or removed from their account.
• WebAuthn Verify Account: Adds support for passwordless WebAuthn setup during account verification.

Guides

• Require account verification by admin
• Skip login page if already authenticated
• Use a non-email login
• Case insensitive login
• Change table and column names
• Create an account record programmatically
• Set password when verifying account
• Allow only email authentication
• Translate with I18n gem
• Display authentication links
• Redirect to original page after login
• Store password hash in accounts table
• Require password confirmation for certain actions
• Customize password requirements
• Change route path
• Pass query parameters to auth URLs
• Change redirect destination
• Add field during account creation
• Render confirmation view
• Require multifactor authentication after login
• Autologin after password reset
• Share configuration via inheritance
• Store account status in a text column
• Allow recovery code on TOTP code field
• Internals Guide, describing how Rodauth works internally

External Features

To use these external features, install their dependencies and follow their installation instructions.

• rodauth-become_account: Easily switch between Rodauth accounts.
• rodauth-guest: Provides guest user functionality.
• rodauth-i18n: Provides I18n integration and translations.
• rodauth-model: Provides password attribute and associations for account model.
• rodauth-oauth: Implements the OAuth 2.0 protocol on top of Rodauth.
• rodauth-omniauth: Provides login & registration with multiple external providers using OmniAuth.
• rodauth-pwned: Checks passwords against the Pwned Passwords API.
• rodauth-rails: Provides Rails integration for Rodauth.
• rodauth-select-account: Support logging into multiple accounts in the same session.

External Documentation

• rodauth-openapi: Generate OpenAPI documentation for your Rodauth endpoints
• Documentation of Rodauth routes for JSON requests

Change Log

Release Notes

• 2.37 | 2.36 | 2.35 | 2.34 | 2.33 | 2.32 | 2.31 | 2.30
• 2.29 | 2.28 | 2.27 | 2.26 | 2.25 | 2.24 | 2.23 | 2.22 | 2.21 | 2.20
• 2.19 | 2.18 | 2.17 | 2.16 | 2.15 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10
• 2.9 | 2.8 | 2.7 | 2.6 | 2.5 | 2.4 | 2.3 | 2.2 | 2.1 | 2.0
• 1.23 | 1.22 | 1.21 | 1.20
• 1.19 | 1.18 | 1.17 | 1.16 | 1.15 | 1.14 | 1.13 | 1.12 | 1.11 | 1.10
• 1.9 | 1.8 | 1.7 | 1.6 | 1.5 | 1.4 | 1.3 | 1.2 | 1.1 | 1.0

License

Presentations

• "Rodauth: Ruby's Most Advanced Authentication Framework" Presentation at Pivorak Conf 5.0 (Video)
• "Rodauth: Clean Authentication" at Ruby Meditation #13
• "Rodauth: Website Security Through Database Security" Presentation at RubyConf LT 2016 (1024x768, 50 minutes)
• "Rodauth: Website Security Through Database Security" Presentation at RubyConf BY 2016 (1280x720, 40 minutes) (Video)

Database Diagram

Here is a diagram of the tables that Rodauth uses and the relationships between the tables as of Rodauth 2.0.0.

Applications Using Rodauth

Here are some open source applications that use Rodauth:

• SPAM (Simple Personal Accounting Manager)
• Giftsmas (Gift Tracking)
• KaeruEra (Exception Tracking)
• Osso (SAML to OAuth bridge)
• Ubicloud (Open, Free, and Portable Cloud)