CHANGELOG

2.34.0 (2024-03-22)¶ ↑

Add remove_all_active_sessions_except_current method for removing current active session (jeremyevans) (#395)
Add remove_all_active_sessions_except_for method for removing active sessions except for given session id (jeremyevans) (#395)
Avoid overriding WebAuthn internals when using webauthn 3 (santiagorodriguez96, jeremyevans) (#398)
Support overriding webauthn_rp_id when verifying Webauthn credentials (butsjoh, jeremyevans) (#397)
Override require_login_redirect in login feature to use login_path (janko) (#396)
Do not override convert_token_id_to_integer? if the user has already configured it (janko) (#393)
Have uses_two_factor_authentication? handle case where account has been deleted (janko) (#390)
Add current_route accessor to allow easy determination of which rodauth route was requested (janko) (#381)

2.33.0 (2023-12-21)¶ ↑

Expire SMS confirm code after 24 hours by default (jeremyevans)
Do not accidentally confirm SMS phone number on successful authentication of other second factor (Bertg) (#376, #377)
Return error response instead of 404 response for requests to valid pages with missing tokens (janko) (#375)
Do not override existing primary key value in the cached account when inserting a new account (janko) (#372)

2.32.0 (2023-10-23)¶ ↑

Remove use of Base64 in argon2 feature (jeremyevans)
Add sms_needs_confirmation_notice_flash configuration method, supporting different flash notice for successful submission (jeremyevans)
Support *_response configuration methods for overriding common notice flash/redirect handling in many features (HoneyryderChuck, jeremyevans) (#369)
Support hmac_secret rotation in the otp feature (jeremyevans) (#365)
Support hmac_secret rotation in the email_base feature (jeremyevans) (#365)
Support hmac_secret rotation in the webauthn feature (jeremyevans) (#365)
Support hmac_secret rotation in the jwt_refresh feature (jeremyevans) (#365)
Support hmac_secret rotation in the single_session feature (jeremyevans) (#365)
Support hmac_secret rotation in the remember feature (jeremyevans) (#365)
Support hmac_secret rotation via hmac_old_secret configuration method in the active_sessions feature (jeremyevans) (#365)
Support argon2 secret rotation via argon2_old_secret configuration method and the update_password_hash feature (jeremyevans) (#365)
Support jwt secret rotation via jwt_old_secret configuration method, if using jwt 2.4+ (jeremyevans) (#365)

2.31.0 (2023-08-22)¶ ↑

Make clear_session work correctly for internal requests (janko) (#359)
Support webauthn_invalid_webauthn_id_message configuration method in the webauthn_autofill feature (janko) (#356)
Support webauth features in the internal_request feature (janko) (#355)
Allow WebAuthn login to count for two factors if user verification is provided (janko) (#354)
Allow explicit use of p_cost in argon2 feature if using argon2 2.1+ (estebanz01) (#353)
Add json_response_error? configuration method to json feature, for whether response indicates an error (opya) (#340)

2.30.0 (2023-05-22)¶ ↑

Make load_memory in the remember feature not raise NoMethodError if logged in when the account no longer exists (jeremyevans) (#331)
Add webauthn_autofill feature, for supporting autofill of webauthn information on the login form (janko) (#328)

2.29.0 (2023-03-22)¶ ↑

Support :render=>false plugin options (davekaro) (#319)
Add remove_active_session method for removing the active session for a given session id (janko) (#317)
Remove current active session when adding new active session (janko) (#314)
Extend the remember cookie deadline once an hour by default while logged in (janko, jeremyevans) (#313)
Add account! method for returning associated account or loading account based on the session value (janko) (#309)

2.28.0 (2023-02-22)¶ ↑

Skip rendering reset password request form on invalid internal request logins (janko) (#303)
Make logged_in? return false if using verify_account_grace_period feature and grace_period has expired (janko) (#300)
Make password_hash method public (janko) (#299)
Add webauthn_key_insert_hash auth method to webauthn feature to control inserts into webauthn keys table (janko) (#298)

2.27.0 (2023-01-24)¶ ↑

Rename webauth_credentials_for_get to webauthn_credentials_for_get for consistency (janko) (#295)
Hide WebAuthn text inputs by default when using Bootstrap (janko) (#294)
Attempt to avoid database errors when invalid tokens are submitted (jeremyevans)
Allow button template to be overridden just as other templates can be (jeremyevans) (#280)

2.26.1 (2022-11-08)¶ ↑

Fix regression in QR code generation in otp feature causing all black QR code (janko) (#279)

2.26.0 (2022-10-21)¶ ↑

Raise a more informative error when using a feature requiring hmac_secret but not setting hmac_secret (janko) (#271)
Limit parameter bytesize to 1024 by default, override with max_param_bytesize configuration method (jeremyevans)
Skip displaying links for disabled routes (janko) (#269)
Do not prefix flash keys with the session key prefix (jeremyevans) (#266)
Set configuration_name correctly for internal request classes (janko) (#265)
Add argon2_secret configuration method to the argon2 feature to specify the secret/pepper used for argon2 password hashes (janko) (#264)
Use white background instead of transparent background for QR code in otp feature (jeremyevans) (#256)

2.25.0 (2022-06-22)¶ ↑

Support disabling routes by passing nil/false to *_route methods (janko) (#245)

2.24.0 (2022-05-24)¶ ↑

Work around implicit null byte check added in bcrypt 3.1.18 by checking password requirements before other password checks (jeremyevans)
Fix invalid HTML on pages with OTP QR codes (jeremyevans)
Add recovery_codes_available? configuration method to the recovery_codes feature (janko) (#238)
Add otp_available? configuration method to the otp feature (janko) (#238)

2.23.0 (2022-04-22)¶ ↑

Don’t automatically set :httponly cookie option if :http_only option is set in remember feature (jeremyevans)
Fix invalid domain check in internal_request feature when using Rack 3 (jeremyevans)
Make removing all multifactor authentication methods mark session as not authenticated by SMS (janko) (#235)
Use use_path option when rendering QR code to svg in the otp feature, to reduce svg size (jeremyevans)

2.22.0 (2022-03-22)¶ ↑

Ignore parameters where the value includes a null byte by default, add null_byte_parameter_value configuration method for customization (jeremyevans)
Handle sessions created before active_sessions feature was enabled during logout (jeremyevans) (#224)
Add reset_password_notify for emailing users after successful password resets (jeremyevans)
An email method can now be used in external features to DRY up email creation code (jeremyevans)
The change_password_notify feature now correctly handles template precompilation (jeremyevans)
Fix update_sms to update stored sms hash (bjeanes) (#222)

2.21.0 (2022-02-23)¶ ↑

Avoid extra bcrypt hashing on account verification when using account_password_hash_column (janko) (#217)
Make require_account public (janko) (#212)
Force specific date/time format when displaying webauthn last use time (jeremyevans)
Automatically clear the session in require_login if users go beyond verify account grace period (janko) (#211)
Fix typo in default value of global_logout_label in active_sessions plugin (sterlzbd) (#209)

2.20.0 (2022-01-24)¶ ↑

Change the default implementation of webauth_rp_id to not include the port (jeremyevans) (#203)
Make logout of all sessions in active_sessions plugin also remove remember key if using remember plugin (jeremyevans)

2.19.0 (2021-12-22)¶ ↑

Add login_maximum_bytes, setting the maximum number of bytes in a login, 255 by default (jeremyevans)
Add password_maximum_bytes, setting the maximum number of bytes in a password, nil by default for no limit (jeremyevans)
Add password_maximum_length, setting the maximum number of characters in a password, nil by default for no limit (jeremyevans)
Support multi-level inheritance of Rodauth::Auth (janko) (#191)
Allow internal_request feature to work correctly when loaded into custom Rodauth::Auth subclasses before loading into a Roda application (janko) (#190)
Assign internal subclass created by internal_request feature to the InternalRequest constant (janko) (#187)

2.18.0 (2021-11-23)¶ ↑

Allow JSON API access to /multifactor-manage to get links to setup/disable multifactor authentication endpoints (jeremyevans)
Allow JSON API access to /multifactor-auth to get links to possible multifactor authentication endpoints (jeremyevans)
Set configuration_name on class passed via :auth_class option if not already set (janko, jeremyevans) (#181)
Use viewbox: true option when creating QR code in otp feature, displays better and easier to style when using rqrcode 2+ (jeremyevans)
Make argon2 feature work with argon2 2.1.0 (jeremyevans)

2.17.0 (2021-09-24)¶ ↑

Make jwt_refresh work correctly with verify_account_grace_period (jeremyevans)
Use 4xx status code when attempting to login to or create an unverified account (janko) (#177, #178)

2.16.0 (2021-08-23)¶ ↑

Add Rodauth.lib for using Rodauth as a library (jeremyevans)
Make internal_request feature work if the configuration uses only_json? true (janko) (#176)

2.15.0 (2021-07-27)¶ ↑

Add path_class_methods feature, for getting paths/URLs using class methods (jeremyevans)
Make default base_url method use configured domain (janko) (#171)
Add internal_request feature, for interacting with Rodauth by calling methods (jeremyevans, janko)

2.14.0 (2021-06-22)¶ ↑

Make jwt_refresh feature allow refresh with expired access tokens even if prefix is not set correctly (jeremyevans) (#168)
Make internal account_in_unverified_grace_period? method handle accounts missing or unverified accounts (janko, jeremyevans) (#167)
Add remembered_session_id configuration method for getting session id from valid remember token if present (bjeanes) (#166)

2.13.0 (2021-05-22)¶ ↑

Make jwt_refresh expired access token support work when using rodauth.check_active_sessions before calling r.rodauth (renchap) (#165)
Update default templates to add classes for Bootstrap 5 compatibility (janko) (#164)
Add set_error_reason configuration method to allow applications more finer grained error handling (renchap, jeremyevans) (#162)

2.12.0 (2021-04-22)¶ ↑

Add configuration methods to active_sessions plugin to control the inserting and updating of rows (janko) (#159)

2.11.0 (2021-03-22)¶ ↑

Add same_as_current_login_message and contains_null_byte_message configuration methods to increase translatability (dmitryzuev) (#158)
Allow the rodauth plugin to be loaded without a block (janko) (#157)
Use new-password autocomplete value for the password fields on the reset password form (basabin54) (#155)
Support :auth_class plugin option, to use a specific class instead of creating a Rodauth::Auth subclass (janko) (#153)
Make Rodauth configuration work correctly if the rodauth plugin is loaded more than once (janko) (#152)

2.10.0 (2021-02-22)¶ ↑

Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)

2.9.0 (2021-01-22)¶ ↑

Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)

2.8.0 (2021-01-06)¶ ↑

SECURITY
Set HttpOnly on remember cookie by default so it cannot be accessed by Javascript (janko) (#142)
Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)

2.7.0 (2020-12-22)¶ ↑

Avoid method redefinition warnings in verbose warning mode (jeremyevans)
Return expired access token error message in the JWT refresh feature when using an expired token when it isn’t allowed (AlexyMatskevich) (#133)
Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
Use a default remember cookie path of ‘/’, though this may cause problem with multiple Rodauth configurations on the same domain (janko) (#134)
Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)

2.6.0 (2020-11-20)¶ ↑

Avoid loading features multiple times (janko) (#131)
Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)

2.5.0 (2020-10-22)¶ ↑

Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)

2.4.0 (2020-09-21)¶ ↑

Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)

2.3.0 (2020-08-21)¶ ↑

Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
Add rodauth.login(‘login_type’) for logging in after setting a valid account (janko) (#114)
Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)

2.2.0 (2020-07-20)¶ ↑

Allow removing all jwt_refresh tokens when logging out by providing a value of “all” as the token to remove (jeremyevans)
Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
Reduce queries in authenticated? and require_authentication when using two factor authentication (janko) (#106)
Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
Remove unnecessary conditionals (jeremyevans)
Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)

2.1.0 (2020-06-09)¶ ↑

Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
Add check_csrf configuration method to customize CSRF checking (janko) (#96)
Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
Don’t consider account open if in unverified grace period without password (janko) (#92)

2.0.0 (2020-05-06)¶ ↑

Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
Default otp_drift to 30 in the otp feature (jeremyevans)
Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
Use a danger button when closing accounts (janko) (#83)
Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
Add audit_logging feature, logging changes to a database table (jeremyevans)
Add hook_action configuration method, called after all before/after hooks (jeremyevans)
Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
Default to using Roda’s route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
Make remember feature no longer depend on confirm_password (janko) (#79)
Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
Remove remembered_session_key configuration method, no longer needed (janko) (#80)
Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
Do not allow two factor authentication using same type as primary authentication (jeremyevans)
Do not require passwords by default if the account does not have a password (jeremyevans)
Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
Support and enable autocomplete attributes by default for fields (jeremyevans)
Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
Remove deprecated account_model configuration method (jeremyevans)
Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
Change default setting of login_input_type to email if login_column is :email (jeremyevans)
Change default setting of mark_input_fields_as_required? to true (jeremyevans)
Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
Add webauthn feature to handle WebAuthn authentication (jeremyevans)
Fix corner cases when disabling a second factor when multiple second factors have been setup (jeremyevans)
Don’t override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
Add two factor auth, manage, and disable pages (jeremyevans)
Drop support for Ruby 1.8 (jeremyevans)

Older¶ ↑

See doc/CHANGELOG.old