Why Rodauth?
Rodauth is Ruby's most advanced authentication framework. There are other authentication frameworks for Ruby, such as Devise, Authlogic, and Sorcery, but all of them are Rails-specific. Rodauth offers many advantages over competing frameworks:
- Rodauth works with any rack application, not just Rails. It can run as a rack middleware on non-Roda applications. It can also be used as a library in non-web applications.
- Rodauth uses a more secure password hash storage model that cannot leak password hashes without a privilege escalation attack on the database.
- Rodauth ships with support for multiple multifactor authentication methods.
- Rodauth ships with support for multiple passwordless authentication methods.
- Rodauth ships with a JSON API for all features.
- Rodauth supports overriding of almost all behavior on a per-request basis using a simple DSL.
Goals
- Security
- Simplicity
- Flexibility
Security
Rodauth ships with a maximum-security-by-default configuration. The default and recommended way to use Rodauth is with multiple database accounts and with database functions for authentication, so that access to password hashes is protected from attackers. Even if you store nothing else important in your application, if you store password hashes it is critical to protect access to them as much as possible, so that an attacker cannot use the password hashes stored in your database to attack other sites. If you cannot use this more secure mode, Rodauth also supports more typical methods of password storage.
Rodauth ships with support for multiple multifactor authentication methods including WebAuthn and TOTP, protecting your site from password hash attacks on other sites.
Rodauth ships with support for multiple passwordless authentication methods, allowing users to log in without having passwords at all.
For tokens stored in the database (e.g. for resetting passwords), Rodauth can store an HMAC of each token instead of the token itself, so that an SQL injection vulnerability in the application that leaks the stored values yields unusable tokens unless the application's HMAC secret is also compromised.
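The following is an added illustration of the token-HMAC storage model just described, written with Ruby's standard library only. It is not Rodauth's own code: the secret, the simulated table and the helper names are constructed for this example. The raw token is handed only to the user (inside the reset link); the database keeps the HMAC, and redeeming a token means recomputing the HMAC and comparing.

```ruby
require "openssl"
require "securerandom"

# Constructed for this example. In a real deployment the HMAC secret lives in
# application configuration or a secrets store, never in the database that
# holds the tokens, so a database dump alone does not expose it.
HMAC_SECRET = SecureRandom.hex(32)

# Simulated reset-password-keys table: account id => HMAC of the raw token.
# A SQL injection that dumps this table sees only the HMAC column.
RESET_KEYS = {}

def hmac_token(raw_token, secret = HMAC_SECRET)
  OpenSSL::HMAC.hexdigest("SHA256", secret, raw_token)
end

# Constant-time comparison so the position of a mismatch does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token: the raw token goes only to the user (e.g. inside the reset
# link) and the database keeps its HMAC. Returns the value embedded in the link.
def issue_reset_key(account_id)
  raw = SecureRandom.urlsafe_base64(32)
  RESET_KEYS[account_id] = hmac_token(raw)
  "#{account_id}_#{raw}"
end

# Redeem a key: recompute the HMAC of the presented token and compare it with
# the stored value. The account id prefix is digits only, so the first "_" is
# always the separator even though urlsafe_base64 output may contain "_".
def valid_reset_key?(key, secret = HMAC_SECRET)
  account_id, raw = key.split("_", 2)
  return false if raw.nil? || raw.empty?
  stored = RESET_KEYS[account_id.to_i]
  return false unless stored
  secure_equal?(stored, hmac_token(raw, secret))
end

# What someone holding a dump of the table could try: present the stored HMAC
# as if it were the token. Without the secret the HMAC cannot be turned back
# into the raw token, so the comparison fails.
def leaked_column_usable?(account_id)
  leaked = RESET_KEYS[account_id]
  !leaked.nil? && valid_reset_key?("#{account_id}_#{leaked}")
end

if $PROGRAM_NAME == __FILE__
  key = issue_reset_key(1)
  puts "token from the reset link valid: #{valid_reset_key?(key)}"   # true
  puts "leaked database value usable:    #{leaked_column_usable?(1)}" # false
end
```

The `secret` parameter on `valid_reset_key?` exists only to make the dependency visible: with the wrong secret every token fails, which is the property the paragraph above relies on.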
Simplicity
Rodauth uses a simple configuration DSL that makes it easy to construct a custom authentication object designed for your application.
Flexibility
Rodauth allows for overriding any part of the framework on a per-request basis using any information related to the request, by passing a block to any configuration method.
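To show how a configuration method can take either a fixed value or a block that is evaluated on every request, here is an added stand-alone toy modelled on the style described above. It is not Rodauth's code and does not load the gem; the class and method names (AuthConfig, Auth, Request, login_redirect, password_minimum_length) are chosen for this example. The per-request block for the redirect also checks that a caller-supplied `return_to` is a same-site path, since a redirect target taken from the request is otherwise an open-redirect risk.

```ruby
# Minimal stand-in for the incoming request; only params is needed here.
Request = Struct.new(:params)

class AuthConfig
  def self.defaults
    @defaults ||= {}
  end

  # Declares a configuration method. Calling it with a value stores a constant;
  # calling it with a block stores the block, to be evaluated on every request.
  def self.auth_value_method(name, default)
    defaults[name] = default
    define_method(name) do |value = nil, &block|
      settings[name] = block || value
    end
  end

  auth_value_method :login_redirect, "/"
  auth_value_method :password_minimum_length, 8

  def settings
    @settings ||= {}
  end

  def initialize(&block)
    instance_eval(&block) if block
  end
end

# Per-request object. Configuration blocks run here via instance_exec, so they
# can read the current request (a real framework would also expose session
# and account state the same way).
class Auth
  attr_reader :request

  def initialize(config, request)
    @config = config
    @request = request
  end

  def value(name)
    setting = @config.settings.fetch(name) { AuthConfig.defaults.fetch(name) }
    setting.is_a?(Proc) ? instance_exec(&setting) : setting
  end
end

# Example configuration (constructed): one static value, one per-request block.
CONFIG = AuthConfig.new do
  # Honour a return_to parameter only if it is a same-site path: rejects
  # absolute URLs ("https://...") and protocol-relative ones ("//host").
  login_redirect do
    target = request.params["return_to"]
    target && target.match?(%r{\A/(?!/)}) ? target : "/dashboard"
  end
  password_minimum_length 12
end

def login_redirect_for(params)
  Auth.new(CONFIG, Request.new(params)).value(:login_redirect)
end

def password_minimum_length_for(params = {})
  Auth.new(CONFIG, Request.new(params)).value(:password_minimum_length)
end

if $PROGRAM_NAME == __FILE__
  puts login_redirect_for({})                                  # /dashboard
  puts login_redirect_for("return_to" => "/settings")          # /settings
  puts login_redirect_for("return_to" => "//evil.example")     # /dashboard
  puts password_minimum_length_for                             # 12
end
```

Because the block is stored rather than evaluated at configuration time, the same `CONFIG` object yields a different redirect for each request, which is the behaviour the paragraph above describes.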
Full Featured
Rodauth ships with support for a large number of authentication features, such as:
- Login
- Logout
- Change Password
- Change Login
- Reset Password
- Create Account
- Close Account
- Verify Account
- Remember (Autologin via token)
- Lockout (Bruteforce protection)
- Audit Logging
- Email Authentication (Passwordless login via email link)
- WebAuthn (Multifactor authentication via WebAuthn)
- WebAuthn Login (Passwordless login via WebAuthn)
- WebAuthn Verify Account (Passwordless WebAuthn Setup)
- WebAuthn Autofill (Autofill WebAuthn credentials on login)
- WebAuthn Modify Email (Email when WebAuthn authenticator added or removed)
- OTP (Multifactor authentication via TOTP)
- OTP Modify Email (Email when TOTP authentication setup or disabled)
- OTP Unlock (Unlock TOTP authentication after lockout)
- OTP Lockout Email (Email when TOTP authentication locked out or unlocked)
- Recovery Codes (Multifactor authentication via backup codes)
- SMS Codes (Multifactor authentication via SMS)
- Verify Login Change (Reverify accounts after login changes)
- Verify Account Grace Period (Don't require verification before login)
- Password Grace Period (Don't require password entry if recently entered)
- Password Complexity (More sophisticated checks)
- Password Pepper (Appends secret to password before hashing)
- Change Password Notify (Notify user about password changes)
- Reset Password Notify (Notify user about completed password resets)
- Confirm Password (Ask user to enter password if logged in via a token)
- Update Password Hash (If changing password hash cost)
- Argon2 (Alternative Password hash algorithm)
- Disallow Common Passwords
- Disallow Password Reuse
- Password Expiration
- Account Expiration
- Session Expiration
- Active Sessions (Prevent session reuse after logout, allow logout of all sessions)
- Single Session (Only one active session per account)
- HTTP Basic Auth
- JSON (JSON API support for all other features)
- JWT (JSON Web Token support for all other features)
- JWT CORS (Cross-Origin Resource Sharing)
- JWT Refresh (Access & refresh tokens)
- Internal Request (Interact with Rodauth via methods)
- Path Class Methods (Get paths/URLs for features via class methods)
You can learn more about these features by reviewing Rodauth's documentation.