forked from jeremyevans/rodauth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG
419 lines (210 loc) · 20.2 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
=== master
* Support rotp 5 in the otp feature (jeremyevans)
* Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
* Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
* Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
* Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
* Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
* Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
* Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
* Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
* Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
* Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
* Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
* Add allow_raw_single_session_key? to single_session feature to allow raw single single session tokens, for graceful transition (jeremyevans)
* Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
* Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
* Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
* Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
* Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
* Add formatted_field_error configuration method for formatting error messages (jeremyevans)
* Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
* Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
* Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
* Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
* Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
* Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
* Wrap all error messages in a span so they can be styled (jeremyevans)
* Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
* Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
* Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
* Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
* Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
* Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
* Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
* Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
* Add already_an_account_with_this_login_message configuration method (1gor) (#54)
=== 1.19.1 (2018-11-16)
* Support rotp 4 in the otp feature (jeremyevans)
=== 1.19.0 (2018-11-16)
* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
* Add email_auth feature, for authentication using links sent via email (jeremyevans)
* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
* Don't disable use of date_arithmetic extension on !MySQL when using lockout, remember, or reset password features (jeremyevans)
=== 1.18.0 (2018-07-18)
* Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
* Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
* Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
=== 1.17.0 (2018-06-11)
* Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
=== 1.16.0 (2018-03-09)
* Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
* Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
=== 1.15.0 (2018-01-29)
* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
=== 1.14.0 (2017-12-19)
* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
* Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
* Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
=== 1.13.0 (2017-11-21)
* Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
* Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
* Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
* Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
=== 1.12.0 (2017-10-03)
* [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
* Update migrations to work with Sequel 5 (jeremyevans)
* Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
* Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
* Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
* Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
=== 1.11.0 (2017-04-24)
* Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
* Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
* Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
=== 1.10.0 (2017-03-23)
* Add Internals Guide (jeremyevans)
* Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
* When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
* Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take affect until after verification (jeremyevans) (#31)
* Add login_failed_reset_password_request_form for customizing the HTML used for the request password request form on login failures (jeremyevans)
* Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
* Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
* Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
* Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
=== 1.9.0 (2017-02-22)
* Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
* Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
=== 1.8.0 (2017-01-06)
* Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
* Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
=== 1.7.0 (2016-11-22)
* Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
=== 1.6.0 (2016-10-24)
* Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
* Move login hooks from login feature to base, to be usable by other features (jeremyevans)
* Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
* Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
* Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
* Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
* Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
* Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
=== 1.5.0 (2016-09-22)
* Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
* Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
* Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
* Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
* Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
* Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
* Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, default to application/json (jeremyevans)
* Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognize a request as a json request (jeremyevans)
* Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
* If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
* The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
* Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
* Add template_opts configuration method, for overriding view/method options (jeremyevans)
=== 1.4.0 (2016-08-18)
* Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
=== 1.3.0 (2016-07-19)
* Add login_maximum_length, defaulting to 255 (jeremyevans)
=== 1.2.0 (2016-06-15)
* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
=== 1.1.0 (2016-05-13)
* Support :csrf=>false and :flash=>false plugin options (jeremyevans)
=== 1.0.0 (2016-04-15)
* Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
* Extend remember deadline in cookie in addition to database (jeremyevans)
* Make tokens work with string account ids (jeremyevans)
* Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
* Set correct cookie expiration in the remember feature (jeremyevans)
* Split confirm_password feature from remember feature (jeremyevans)
* Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
* Move login/password requirements settings to login password requirements base feature (jeremyevans)
* Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
* Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
* Make create/verify account autologin true by default (jeremyevans)
* Optimize routing using a hash table, disallow per-request routes (jeremyevans)
* Add ability to turn off login/password confirmations (jeremyevans)
* Don't allow changing login to the same as the current login (jeremyevans)
* Only allow requesting account unlocks if the account is current locked out (jeremyevans)
* Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
* Use separate routes for confirming passwords and changing remember settings (jeremyevans)
* Add JWT feature for JSON API support using JWT tokens (jeremyevans)
* Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
* Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
* Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
* Add rodauth.redirect to abstract redirection code (jeremyevans)
* Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
* The before_* configuration methods now run directly before making the related database changes (jeremyevans)
* Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
* Add token_separator configuration method to replace the default of _ (jeremyevans)
* Rename account_id_value to account_id (jeremyevans)
* Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
* Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
* Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
* Extract shared email-related code into email_base feature (jeremyevans)
* Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
* Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
* Allow close_account feature to optionally delete accounts (jeremyevans)
* Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
* Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
* Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
* Add _before and _after internal methods, make ununderscored methods only for users (jeremyevans)
* Add single_session feature, for only allowing a single active session per account (jeremyevans)
* Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
* Check account status in rodauth.load_memory in remember plugin (jeremyevans)
* Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
* Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
* Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
* Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
* Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
* Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
* Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
* Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
* Allow unlock account to optionally require the user's current password (jeremyevans)
* Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
* Make change password, change login, and close account require the user's current password by default (jeremyevans)
* Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
* Switch unlock_account_autologin? to be true by default (jeremyevans)
* Add rodauth.authenticated? and .require_authentication (jeremyevans)
* Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
* Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
* Add support for running on MySQL with database functions for authentication (jeremyevans)
* Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
* Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
* Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
* Add Rodauth.version for getting the version (jeremyevans)
* External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
* Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
* Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
* Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
* Always require securerandom (jeremyevans)
* Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
* Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
* Remove overriding of route/get/post blocks (jeremyevans)
* Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
* Add timing safe comparison of tokens (jeremyevans)
=== 0.10.0 (2016-02-17)
* Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
=== 0.9.1 (2015-08-13)
* Don't use csrf plugin automatically (jeremyevans)
=== 0.9.0 (2015-08-12)
* Initial public release