New Features¶ ↑

• A check_csrf configuration method has been added for checking the CSRF token. This is useful in cases where the CSRF protection is provided by something other than the Roda route_csrf plugin.

Other Improvements¶ ↑

• When using the http_basic_auth feature, logged_in? now checks for Basic authentication if the session is not already authenticated and Basic authentication has not yet been checked. This increases compatibility for applications that were using the http_basic_auth feature in Rodauth 1.

• When creating accounts, the password field now correctly uses the new-password autocomplete attribute instead of the current-password autocomplete attribute.

• When using the jwt feature, Rodauth no longer checks CSRF tokens in requests to Rodauth routes if the request submitted is a JSON request, includes a JWT, or Rodauth has been configured in JSON-only mode.

• When using the verify_account_grace_period feature, if there is an unverified account without a password, do not consider the account open. Attempting to login into the account in such a case now shows a message letting the user know to verify the account.

• The json_response_body configuration method is now used consistently in the jwt feature for all JSON responses. Previously, there were some cases that did not use it.