Set if the password hash column is in the same table as the login. If this is set, Rodauth will check the password hash in ruby. This is often used if you are replacing a legacy authentication system with Rodauth.

The database table containing the accounts.

The base URL to use, used when construct absolute links. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.

The Sequel::Database object used for database access.

The domain to use, required by some other features. It is recommended to set this if the application can be reached using arbitrary Host headers, as otherwise it is possible for an attacker to control the value.

This sets the secret to use for all of Rodauth’s HMACs. This is not set by default, in which case Rodauth does not use HMACs for additional security. However, it is highly recommended that you set this, and some features require it.

Whether input fields should be marked as required, so browsers will not allow submission without filling out the field (default: true).

The routing prefix used for Rodauth routes. If you are calling in a routing subtree, this should be set to the root path of the subtree. This should include a leading slash if set, but not a trailing slash.

Set to false to not require bcrypt, useful if using custom authentication or when using the argon2 feature without existing bcrypt password hashes.

The key in the session hash storing the primary key of the logged in account.

The string that will be prepended to the default value for all session keys.

Whether status checks should be skipped for accounts. Defaults to true unless enabling the verify_account or close_account features.

The instance variable to set in the Roda scope with the page title. The layout should use this instance variable if available to set the title of the page. You can use set_title if setting the page title is not done through an instance variable.

The primary key column of the accounts_table.

The integer representing open accounts.

An array of columns to select from accounts_table. By default, selects all columns in the table.

The status id column in the accounts_table.

The integer representating unverified accounts.

The key in the session hash storing an array of methods used to authenticate.

Whether to use an autocomplete attribute for the given parameter, defaults to mark_input_fields_with_autocomplete?.

The key in the session hash storing the type of autologin method used, if autologin was used to authenticate.

Whether to cache templates. True by default. It may be worth switching this to false in development if you are using your own templates instead of the templates provided by Rodauth.

Whether Rodauth should use Roda’s check_csrf! method for checking CSRF tokens before dispatching to Rodauth routes, true by default.

Options to pass to Roda’s check_csrf! if Rodauth calls it before dispatching.

Proc for block to pass to Roda’s check_csrf! if Rodauth calls it before dispatching.

Whether token ids should be converted to a valid 64-bit integer value. If not set, defaults to true if account_id_column uses an integer type, and false otherwise.

The default attributes to use for input field tags, if field_attributes returns nil for the field.

Where to redirect after most successful actions.

The attributes to use for the input field tags for the given field (parameter name).

The attributes to use for the input field tags for the given field (parameter name), if the input has an error.

The flash key to use for error messages (default: :error or 'error' depending on session support for symbols).

The flash key to use for notice messages (default: :notice or 'notice' depending on session support for symbols).

HTML to use for error messages for the field (parameter name), if the field has an error. By default, uses a span tag for the error message.

This sets the previous secret used for Rodauth’s HMACs, to allow for secret rotation.

Arbitrary action to take on all hook processing, with hook type being :before or :after, and action being symbol for related action.

The CSS class to use for input fields with errors. Can be a space separated string for multiple CSS classes.

The CSS class to use for error messages. Can be a space separated string for multiple CSS classes.

The suffix to use for all labels. Useful for noting that the fields are required.

Whether to use an inputmode attribute for the given parameter, defaults to mark_input_fields_with_inputmode?.

The response status to use for invalid field value errors, 422 by default.

The response status to use for invalid key codes, 401 by default.

The response status to use for invalid passwords, 401 by default.

The error message to display when a given password doesn’t match the stored password hash.

The response status to use a login is attempted to an account that is locked out, 403 by default.

The login column in the accounts_table.

The input type to use for logins. Defaults to email if login column is email and text otherwise.

The label to use for logins.

The parameter name to use for logins.

The response status to return when a login is required and you are not logged in, if not redirecting, 401 by default

Whether the login field uses email, used to set the type of the login field as well as the autocomplete setting.

Whether input fields should be marked with autocomplete attribute appropriate for the field, true by default.

Whether input fields should be marked with inputmode attribute appropriate for the field, true by default.

The maximum bytesize allowed for submitted parameters, 1024 by default. Use nil for no limit.

Whether making changes to an account requires the user reinputing their password. True by default if the account has a password.

The response status to use when the login is not in the database, 401 by default.

The error message to display when the login used is not in the database.

The password hash column in the password_hash_table.

The account id column in the password_hash_table.

The table storing the password hashes.

The label to use for passwords.

The parameter name to use for passwords.

The flash error to display when accessing a page that requires a login, when you are not logged in.

A redirect to the login page.

Whether deadline values should be set. True by default on MySQL, as that doesn’t support default values that are not constant. Can be set to true on other databases if you want to vary the value based on a request parameter.

Any template options to pass to view/render. This can be used to set a custom layout, for example.

The string used to separate account id from the random key in links.

The response status to use when two field values should match but do not, 422 by default.

The response status to use when trying to login to an account that isn’t open, 403 by default.

Whether to use functions to do authentication. True by default on PostgreSQL, MySQL, and Microsoft SQL Server, false otherwise.

Whether the date_arithmetic extension should be loaded into the database. Defaults to whether deadline values should be set.

Whether to use request-specific CSRF tokens. True if the default CSRF setting are used.

Retrieve the account hash related to the given login or nil if no login matches.

Retrieve the account hash related to the currently logged in session.

The primary key value of the current account.

The primary value of the current account to store in the session when logging in.

Run arbitrary code after a successful login.

Run arbitrary code after a login failure due to an invalid password.

What action to take if you are already logged in and attempt to access a page that only makes sense if you are not logged in.

Run arbitrary code around handling any rodauth route. Call super(&block) for Rodauth to handle the action.

Whether the user has been authenticated. If multifactor authentication has been enabled for the account, this is true only if the session is multifactor authenticated.

Run arbitrary code after password has been checked, but before updating the session.

Run arbitrary code after an account has been located, but before the password has been checked.

Run arbitrary code before handling any rodauth route, but after CSRF checks if Rodauth is doing CSRF checks.

Checks CSRF token using Roda’s check_csrf! method.

Clears the current session.

Convert the token id string to an appropriate object to use for the token id (or return nil to signal an invalid token id). By default, converts to a 64-bit signed integer if convert_token_id_to_integer? is true.

The HTML fragment containing the CSRF tag to use, if any.

The name of the database function to call. It’s passed either :rodauth_get_salt or :rodauth_valid_password_hash.

Whether the current session is logged in.

Action to take when a login is required to access the page and the user is not logged in.

The value to use for the parameter if the parameter includes an ASCII NUL byte (“0”), nil by default to ignore the parameter.

Whether the current account is an open account (not closed or unverified).

The value to use for the parameter if the parameter is over the maximum allowed bytesize, nil by default to ignore the parameter.

Check whether the given password matches the stored password hash.

A randomly generated string, used for creating tokens.

Redirect the request to the given path.

The value for session_key in the current session.

Set the current error flash to the given message.

You can override this method to customize handling of specific error types (does nothing by default). Each separate error type has a separate reason symbol, you can see the list of error reason symbols.

Set the next notice flash to the given message.

Set the current notice flash to the given message.

Set the next error flash to the given message.

Set the title of the page to the given title.

Return a translated version for the key (uses the default value by default).

The message to use when attempting to login to an unverified account.

Clear the session, then set the session key to the primary key of the current account.