This repository has been archived by the owner on Jan 13, 2022. It is now read-only.
forked from jeremyevans/rodauth
CHANGELOG
=== master
* Allow the rodauth plugin to be loaded without a block (janko) (#157)
* Use new-password autocomplete value for the password fields on the reset password form (basabin54) (#155)
* Support :auth_class plugin option, to use a specific class instead of creating a Rodauth::Auth subclass (janko) (#153)
* Make Rodauth configuration work correctly if the rodauth plugin is loaded more than once (janko) (#152)
=== 2.10.0 (2021-02-22)
* Add argon2 feature to allow use of the argon2 password hash algorithm instead of bcrypt (AlexeyMatskevich, jeremyevans) (#147)
* Avoid unnecessary previous password queries when using disallow_password_reuse feature with create_account or verify_account features (AlexeyMatskevich, jeremyevans) (#148)
=== 2.9.0 (2021-01-22)
* Split jwt feature into json and jwt features, with the json feature using standard session support (janko, jeremyevans) (#145)
* Mark remember cookie as only transmitted over HTTPS by default if created via an HTTPS request (janko) (#144)
=== 2.8.0 (2021-01-06)
* [SECURITY] Set HttpOnly on remember cookie by default so it cannot be accessed by JavaScript (janko) (#142)
* Clear JWT session when rodauth.clear_session is called if the Roda sessions plugin is used (janko) (#140)
=== 2.7.0 (2020-12-22)
* Avoid method redefinition warnings in verbose warning mode (jeremyevans)
* Return expired access token error message in the JWT refresh feature when using an expired token when it isn't allowed (AlexeyMatskevich) (#133)
* Allow Rodauth features to be preloaded, instead of always trying to require them (janko) (#136)
* Use a default remember cookie path of '/', though this may cause problems with multiple Rodauth configurations on the same domain (janko) (#134)
* Add auto_remove_recovery_codes? to the recovery_codes feature, for automatically removing the codes when disabling multifactor authentication (SilasSpet, jeremyevans) (#135)
=== 2.6.0 (2020-11-20)
* Avoid loading features multiple times (janko) (#131)
* Add around_rodauth method for running code around the handling of all Rodauth routes (bjeanes) (#129)
* Fix javascript for registration of multiple webauthn keys (bjeanes) (#127)
* Add allow_refresh_with_expired_jwt_access_token? configuration method to jwt_refresh feature, for allowing refresh with expired access token (jeremyevans)
* Promote setup_account_verification to public API, useful for automatically sending account verification emails (jeremyevans)
=== 2.5.0 (2020-10-22)
* Add change_login_needs_verification_notice_flash for easier translation of change_login_notice_flash when using verify_login_change (bjeanes, janko, jeremyevans) (#126)
* Add login_return_to_requested_location_path for controlling path to use as the requested location (HoneyryderChuck, jeremyevans) (#122, #123)
=== 2.4.0 (2020-09-21)
* Add session_key_prefix for more easily using separate session keys when using multiple configurations (janko) (#121)
* Add password_pepper feature for appending a secret key to passwords before they are hashed, supporting secret rotation (janko) (#119)
=== 2.3.0 (2020-08-21)
* Return an error status instead of an invalid access token when trying to refresh JWT without an access token in the jwt_refresh feature (jeremyevans)
* Allow {create,drop}_database_authentication_functions to work with UUID keys (monorkin, janko) (#117)
* Add rodauth.login('login_type') for logging in after setting a valid account (janko) (#114)
* Make new refresh token available to the after_refresh_token hook by setting it in the response first (jeremyevans)
* Make the jwt_refresh plugin call before_jwt_refresh_route hook (previously the configuration method was ignored) (AlexeyMatskevich) (#110)
* Add login_email_regexp, login_not_valid_email_message, and log_valid_email? configuration methods (janko) (#107)
=== 2.2.0 (2020-07-20)
* Allow removing all jwt_refresh tokens when logging out by providing a value of "all" as the token to remove (jeremyevans)
* Allow removing specific jwt_refresh token when logging out by providing the token to remove (jeremyevans)
* Avoid NoMethodError when checking if session is authenticated when using two factor auth, verify_account_grace_period, and email_auth (jeremyevans) (#105)
* Reduce queries in #authenticated? and #require_authentication when using two factor authentication (janko) (#106)
* Treat verify_account_email_resend returning false as an error in the verify_account feature (jeremyevans)
* Fix use of password_dictionary configuration method in password_complexity feature (jeremyevans)
* Remove unnecessary conditionals (jeremyevans)
* Add otp_last_use to the otp feature, returning the time of last successful OTP use (jeremyevans) (#103)
=== 2.1.0 (2020-06-09)
* Do not check CSRF tokens by default for requests using JWT (janko, jeremyevans) (#99)
* Use new-password autocomplete value for password field when creating accounts (jeremyevans) (#98)
* Consistently use json_response_body for all JSON responses in jwt feature (arthurmmoreira) (#97)
* Add check_csrf configuration method to customize CSRF checking (janko) (#96)
* Have logged_in? when using http_basic_auth feature check for basic authentication (jeremyevans) (#94)
* Don't consider account open if in unverified grace period without password (janko) (#92)
=== 2.0.0 (2020-05-06)
* Do not show email auth as an option for unverified accounts if using the verify_account_grace_period feature (jeremyevans) (#88)
* Generate unlock account key outside of send_unlock_account_email, similar to other email methods (janko) (#89)
* Default otp_drift to 30 in the otp feature (jeremyevans)
* Add rodauth.require_http_basic_auth to http_basic_auth feature, similar to require_login (janko) (#86)
* Rename require_http_basic_auth to require_http_basic_auth? in http_basic_auth feature (janko) (#86)
* Change http_basic_auth feature to use rodauth.http_basic_auth for handling basic authentication, similar to rodauth.load_memory (janko) (#86)
* Do not call already_logged_in if logged in when accessing verify_login_change page (janko) (#87)
* HTML id attributes now use - instead of _ in recovery_codes and remember features (jeremyevans)
* Allow *_path and *_url methods to accept a hash of query parameters (janko) (#84)
* Use a danger button when closing accounts (janko) (#83)
* Handle invalid form inputs in a more bootstrap compatible manner (janko) (#83)
* Use standard vertical Bootstrap forms instead of horizontal forms in templates (janko) (#83)
* Make templates compatible with Bootstrap 4, and still display correctly with Bootstrap 3 (janko) (#83)
* Add check_csrf_opts and check_csrf_block for arguments to the check_csrf! call before Rodauth route dispatching (jeremyevans)
* Add audit_logging feature, logging changes to a database table (jeremyevans)
* Add hook_action configuration method, called after all before/after hooks (jeremyevans)
* Enable email rate limiting by default in lockout, reset_password, and verify_account features (jeremyevans)
* Add session_expiration_error_status method to the session_expiration feature, used for JSON requests where session has expired (jeremyevans)
* Add domain configuration method to set an explicit domain, instead of relying on the host of the request (jeremyevans)
* Add inactive_session_error_status to single_session feature, used for JSON requests where session is no longer active (jeremyevans)
* Prevent use of previous JWT access tokens after refresh when using jwt_refresh and active_sessions features (jeremyevans)
* Change default setting of jwt_check_accept? from false to true in the jwt feature (jeremyevans)
* Automatically check CSRF tokens before calling any Rodauth route by default, allow disabling using check_csrf? false (jeremyevans)
* Add translate(key, default_value) configuration method and have it affect all translatable content (jeremyevans)
* Add *_page_title configuration methods for all *_view configuration methods (jeremyevans)
* Default to using Roda's route_csrf plugin for CSRF support, with :csrf=>:rack_csrf available for using rack_csrf (jeremyevans)
* Allow ability for user to fix an incorrect login when requesting a password reset (janko, jeremyevans) (#76)
* Add two_factor_auth_return_to_requested_location? to support returning to original page after successful second factor authentication (janko) (#69)
* Add login_return_to_requested_location? to support returning to original page after successful login (janko) (#69)
* Add rodauth.require_password_authentication method to confirm_password feature (janko, jeremyevans) (#75)
* Make remember feature no longer depend on confirm_password (janko) (#79)
* Replace {create_account,reset_password_request,verify_account_resend}_link configuration methods with *_link_text (janko) (#77)
* Remove remembered_session_key configuration method, no longer needed (janko) (#80)
* Add rodauth.possible_authentication_methods for the available authentication methods for the account (jeremyevans)
* Add active_sessions feature for disabling session reuse after logout, and allowing global logout of all sessions (jeremyevans)
* Add webauthn_verify_account feature for passwordless WebAuthn setup during account verification (jeremyevans)
* Allow confirm_password feature to operate as second factor authentication if using webauthn login (jeremyevans)
* Add webauthn_login feature for passwordless login via WebAuthn (jeremyevans)
* Do not allow two factor authentication using same type as primary authentication (jeremyevans)
* Do not require passwords by default if the account does not have a password (jeremyevans)
* Remove clear_remembered_session_key and two_factor_session_key configuration methods, no longer needed (jeremyevans)
* Store authentication methods used in the session, available via rodauth.authenticated_by (jeremyevans)
* Do not require login confirmation by default if verifying accounts or login changes (jeremyevans)
* Add mark_input_fields_with_inputmode? and inputmode_for_field? configuration methods for controlling inputmode (jeremyevans)
* Support and enable inputmode=numeric attributes by default for otp auth code and sms code fields (jeremyevans)
* Add sms_phone_input_type and default to tel instead of using text for SMS phone input (jeremyevans)
* Add mark_input_fields_with_autocomplete? and autocomplete_for_field? configuration methods for controlling autocomplete (jeremyevans)
* Support and enable autocomplete attributes by default for fields (jeremyevans)
* Add login_uses_email? configuration method for whether to treat logins as email addresses (jeremyevans)
* Remove the verify change login feature, users should switch to the verify login change feature (jeremyevans)
* Change default setting of json_response_success_key to success in the jwt feature (jeremyevans)
* Remove deprecated account_model configuration method (jeremyevans)
* Remove all deprecated configuration and runtime method aliases in the lockout, verify_account, email_auth, reset_password, and verify_login_change features (jeremyevans)
* Remove deprecated before_otp_authentication_route configuration method (jeremyevans)
* Change default setting of login_input_type to email if login_column is :email (jeremyevans)
* Change default setting of mark_input_fields_as_required? to true (jeremyevans)
* Change default setting of verify_account_set_password? in verify_account feature to true (jeremyevans)
* Change default setting of json_response_custom_error_status? in jwt feature to true (jeremyevans)
* Add auto_add_recovery_codes? configuration method to recovery codes feature, and default to false (jeremyevans)
* Add base_url configuration method to set an explicit base for URLs, instead of relying on the base_url of the request (jeremyevans)
* Add webauthn feature to handle WebAuthn authentication (jeremyevans)
* Fix corner cases when disabling a second factor when multiple second factors have been setup (jeremyevans)
* Don't override second factor used to authenticate when setting up additional second factor authentication (jeremyevans)
* Add two factor auth, manage, and disable pages (jeremyevans)
* Drop support for Ruby 1.8 (jeremyevans)
=== 1.23.0 (2020-03-06)
* Remove specs from the gem to reduce gem size by over 20% (jeremyevans)
* Make rodauth.authenticated? return true on OTP setup page (jeremyevans) (#68)
* Display link to email auth request form when user has entered login and incorrect password if using email_auth feature (janko) (#65)
* Add *_path and *_url methods for all *_route methods (janko) (#64)
* Add send_email configuration method for configuring how email is sent (janko) (#63)
=== 1.22.0 (2019-10-29)
* Add jwt_cors feature to handle Cross-Origin Resource Sharing when using the jwt feature (jeremyevans)
* Add space before newline after links in email, fixing issues with some webmail providers with broken autolinkers (jeremyevans)
=== 1.21.0 (2019-07-24)
* Support rotp 5.1 in the otp feature (jeremyevans)
* Log user out when locking out OTP account if no fallback options available (jeremyevans)
=== 1.20.0 (2019-06-07)
* Support rotp 5 in the otp feature (jeremyevans)
* Add jwt_refresh feature to allow shorter lived JWTs with a refresh token for creating new JWTs (allavena, jeremyevans) (#28)
* Fix disallow_password_reuse feature when account_password_hash_column is not set and verify_account feature is not used (cptaffe) (#59)
* Rename no_matching_email_auth_key_message to no_matching_email_auth_key_error_flash for consistency (jeremyevans)
* Rename no_matching_verify_login_change_key_message to no_matching_verify_login_change_key_error_flash for consistency (jeremyevans)
* Rename attempt_to_login_to_unverified_account_notice_message to attempt_to_login_to_unverified_account_error_flash for consistency (jeremyevans)
* Rename attempt_to_create_unverified_account_notice_message to attempt_to_create_unverified_account_error_flash for consistency (jeremyevans)
* Rename no_matching_verify_account_key_message to no_matching_verify_account_key_error_flash for consistency (jeremyevans)
* Rename no_matching_unlock_account_key_message to no_matching_unlock_account_key_error_flash for consistency (jeremyevans)
* Rename no_matching_reset_password_key_message to no_matching_reset_password_key_error_flash for consistency (jeremyevans)
* Add otp_keys_use_hmac? and otp_setup_raw_param configuration methods to the otp feature for configuring use of HMACs with OTP authentication (jeremyevans)
* Do not set a previous account password before password has been set when using disallow_password_reuse with verify_account_set_password? (jeremyevans)
* Add allow_raw_single_session_key? to single_session feature to allow raw single session tokens, for graceful transition (jeremyevans)
* Add raw_remember_token_deadline to remember feature to allow raw remember tokens before given deadline, for graceful transition (jeremyevans)
* Add allow_raw_email_token? configuration method to email_base feature to allow raw tokens when email_token_hmac_secret is set, for graceful transition (jeremyevans)
* Add hmac_secret configuration method, used for additional security using HMACs (jeremyevans)
* Use urlsafe base64 for new token keys on Ruby 1.8 (jeremyevans)
* Add login_input_type configuration method for setting the input type for login inputs (jeremyevans)
* Add formatted_field_error configuration method for formatting error messages (jeremyevans)
* Add field_error_attributes configuration method for configuring attributes for fields with errors (jeremyevans)
* Add field_attributes configuration method for configuring attributes for specific fields (jeremyevans)
* Add default_field_attributes configuration method to set default attributes for all input fields (jeremyevans)
* Make error handling accessible by default using aria-invalid and aria-describedby attributes (jeremyevans)
* Add mark_input_fields_as_required? configuration method for whether inputs should use the required attribute (jeremyevans)
* Add input_field_error_message_class configuration method for the CSS class used for error messages (jeremyevans)
* Wrap all error messages in a span so they can be styled (jeremyevans)
* Add input_field_error_class configuration method for customizing CSS class to use for inputs with errors (jeremyevans)
* Add input_field_label_suffix configuration method for suffixing all input labels, useful for labeling fields as required (jeremyevans)
* Add verify_account_resend_explanatory_text configuration method to verify_account feature for configuring text (jeremyevans)
* Add unlock_account_explanatory_text and unlock_account_request_explanatory_text configuration methods to lockout feature for configuring text (jeremyevans)
* Add reset_password_explanatory_text configuration method to reset_password feature for configuring text (jeremyevans)
* Add otp_provisioning_uri_label and otp_secret_label configuration methods to otp feature for configuring labels displayed during OTP setup (jeremyevans)
* Add add_recovery_codes_heading configuration method to recovery_codes feature for configuring heading text (jeremyevans)
* Use define_method instead of instance_exec for route dispatching for better performance (jeremyevans)
* Add already_an_account_with_this_login_message configuration method (1gor) (#54)
=== 1.19.1 (2018-11-16)
* Support rotp 4 in the otp feature (jeremyevans)
=== 1.19.0 (2018-11-16)
* Avoid unneeded database queries in the two factor authentication support (jeremyevans)
* Add {before,after}_verify_login_change_email configuration methods, called around sending the verify login change email (jeremyevans)
* Add after_account_lockout configuration method, called after locking out an account (jeremyevans)
* Add default_post_email_redirect configuration method, setting default for all redirects after emailing when not logged in (jeremyevans)
* Gracefully handle failure when new login is already taken in the verify_login_change feature (jeremyevans)
* Support optional email rate limiting in the lockout, reset password, and verify account features (jeremyevans)
* Make MySQL rodauth_get_salt function handle accounts without password hashes (jeremyevans)
* Add email_auth feature, for authentication using links sent via email (jeremyevans)
* Deprecate before_otp_authentication_route, users should switch to before_otp_auth_route (jeremyevans)
* Add use_multi_phase_login? configuration method to login feature, separating login entry from password entry (jeremyevans)
* Don't disable use of date_arithmetic extension on databases other than MySQL when using lockout, remember, or reset password features (jeremyevans)
=== 1.18.0 (2018-07-18)
* Add confirm_password_redirect_session_key configuration method to confirm_password feature (jeremyevans)
* Work with Roda sessions plugin, using string keys for session information if that is used (jeremyevans)
* Add flash_error_key and flash_notice_key configuration for setting keys used in flash (jeremyevans)
=== 1.17.0 (2018-06-11)
* Support Roda route_csrf plugin for request-specific CSRF tokens (jeremyevans)
=== 1.16.0 (2018-03-09)
* Add disallow_common_passwords feature, for disallowing the usage of the most common passwords (jeremyevans)
* Remove calling request [] method to get request param values, as it is deprecated in the current version of rack (jeremyevans)
=== 1.15.0 (2018-01-29)
* Add create_account_set_password? and verify_account_set_password? methods to delay setting password until account verification (jeremyevans)
=== 1.14.0 (2017-12-19)
* Don't allow unlocking expired accounts when using account_expiration and lockout features (jeremyevans)
* Don't allow resetting passwords for expired accounts when using account_expiration and reset_password features (jeremyevans)
* Add change_password_notify feature for emailing when user uses change password feature (jeremyevans)
=== 1.13.0 (2017-11-21)
* Add json_response_body(hash) configuration method to jwt feature (jeremyevans)
* Support invalid_previous_password_message configuration method in change_password feature (jeremyevans)
* Use custom error statuses if only_json? and json_response_custom_error_status? are true even if request isn't in json format (jeremyevans)
* Add cache_templates configuration method for disabling caching of templates (adam12, jeremyevans) (#46)
=== 1.12.0 (2017-10-03)
* [SECURITY] Clear expired password reset key for account before retrieving password reset key (chanks, jeremyevans) (#43)
* Update migrations to work with Sequel 5 (jeremyevans)
* Add require_http_basic_auth configuration method to http_basic_auth feature (jeremyevans) (#41)
* Support passing :search_path option to Rodauth.create_database_authentication_functions when using PostgreSQL (jeremyevans)
* Support passing options to Rodauth.{create,drop}_database_previous_password_check_functions (jeremyevans)
* Support passing options to Rodauth.drop_database_authentication_functions (jeremyevans)
=== 1.11.0 (2017-04-24)
* Add login_required_error_status, and use it in the jwt feature when custom error statuses are allowed (jeremyevans)
* Deal better with time differences between the database and application servers in the password_expiration plugin (jeremyevans)
* Add rodauth.valid_jwt? method for checking if a valid JWT was submitted with the request (jeremyevans)
=== 1.10.0 (2017-03-23)
* Add Internals Guide (jeremyevans)
* Set FeatureConfiguration instances to constants, just like Feature instances (jeremyevans)
* When reopening rodauth configuration in roda subclass, automatically subclass rodauth configuration so it doesn't modify superclass (jeremyevans)
* Add verify_login_change feature as an alternative to verify_change_login, where the change doesn't take effect until after verification (jeremyevans) (#31)
* Add login_failed_reset_password_request_form for customizing the HTML used for the reset password request form on login failures (jeremyevans)
* Make reset password request form available without requiring a login attempt, and provide a login field in that case (jeremyevans) (#30)
* Make resending verify account email request form available without requiring a login/account creation attempt, and provide a login field in that case (jeremyevans) (#30)
* Fix resending verify account email when attempting to create a new account with same login as unverified account when using verify_account_grace_period feature (jeremyevans) (#30)
* Fix precompile_rodauth_templates usage with reset_password feature (jeremyevans)
=== 1.9.0 (2017-02-22)
* Make reset-password use existing password reset key if one is present (jeremyevans) (#26)
* Add Roda.precompile_rodauth_templates method, useful to save memory when forking, or when chrooting (jeremyevans)
=== 1.8.0 (2017-01-06)
* Add json_response_custom_error_status? option to jwt feature to use specific 4xx statuses instead of 400 (jeremyevans)
* Use 4xx error statuses for errors, instead of using a 200 success status (jeremyevans)
=== 1.7.0 (2016-11-22)
* Make reset password, unlock account, and verify account pages not leak keys to external servers via Referer header (jeremyevans)
=== 1.6.0 (2016-10-24)
* Add http_basic_auth feature (TiagoCardoso1983, jeremyevans) (#12)
* Move login hooks from login feature to base, to be usable by other features (jeremyevans)
* Make reset_password feature not attempt to render a template in json-only mode (jeremyevans) (#11)
* Memoize jwt_payload in jwt feature, as it may be called more than once (mwpastore) (#10)
* Add jwt_decode_opts configuration method to jwt feature, for specifying options to JWT.decode, allowing for JWT claim verification (mwpastore, jeremyevans) (#9)
* Add jwt_session_hash configuration method to jwt feature, for modifying the session information stored in the JWT hash, allowing for setting JWT claims (mwpastore, jeremyevans) (#9)
* Add jwt_session_key configuration method to jwt feature, for nesting the session under a key in the JWT, avoiding reserve claim names (mwpastore, jeremyevans) (#9)
* Add jwt_symbolize_deeply? configuration method to jwt feature, for symbolizing nested keys in session hash when using JWT (mwpastore) (#9)
=== 1.5.0 (2016-09-22)
* Return error instead of raising exception in the jwt feature if an invalid jwt format is submitted in the Authorization header (jeremyevans)
* Add jwt_authorization_remove configuration method to jwt feature, for regexp to remove from Authorization header before JWT processing (jeremyevans)
* Add jwt_authorization_ignore configuration method to jwt feature, for regexp to skip processing of JWTs in Authorization header (jeremyevans)
* Add json_accept_regexp configuration method to jwt feature, for the regexp used to match against the Accept header (jeremyevans)
* Add use_jwt? configuration method to jwt feature, for whether to use the JWT token or rack session for authentication information (jeremyevans)
* Add jwt_check_accept? configuration method to jwt feature, to return 406 error if Accept header is present and json is not accepted (jeremyevans)
* Add json_response_content_type configuration method to jwt feature, for the content type to set for json responses, defaulting to application/json (jeremyevans)
* Add json_request_content_type_regexp configuration method to the jwt feature, for the regexp that recognizes a request as a json request (jeremyevans)
* Add session_jwt method to the jwt feature, which returns a string for the encoded JWT for the current session (jeremyevans)
* If the only_json? setting is true, return a 400 error if the request content type to a rodauth endpoint is not json (jeremyevans)
* The only_json? setting in the jwt feature is now only true by default if :json=>:only plugin option was used (jeremyevans)
* Don't have jwt feature break if HTTP Basic/Digest authentication is used (jeremyevans)
* Add template_opts configuration method, for overriding view/method options (jeremyevans)
=== 1.4.0 (2016-08-18)
* Add update_password_hash feature, for updating the password hash when the hash cost changes (jeremyevans)
=== 1.3.0 (2016-07-19)
* Add login_maximum_length, defaulting to 255 (jeremyevans)
=== 1.2.0 (2016-06-15)
* Add otp_drift configuration method to otp plugin, setting number of seconds of allowed drift (jeremyevans)
* Don't allow setting passwords containing the ASCII NUL character, as bcrypt truncates at that point (jeremyevans) (#4)
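The password_pepper feature (2.4.0), the rehash-on-login idea behind update_password_hash (1.4.0) and the NUL rejection above describe one pattern; as an added illustration that is not Rodauth's own code, the following Ruby models pepper rotation with transparent rehashing. It assumes OpenSSL's PBKDF2 as a stand-in for bcrypt (which is not in the standard library), and all names (PepperedHasher, PepperedPasswordStore, the peppers and logins) are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: the bcrypt gem is not
# available in a stand-alone run); the pepper and rotation logic is the point.
module PepperedHasher
  ITERATIONS = 10_000  # deliberately low for a quick demo; production uses far more
  HASH_LEN = 32

  # bcrypt treats the password as a C string and ignores everything after the
  # first NUL byte, so such passwords are refused before hashing (1.2.0 entry).
  def self.valid_password?(password)
    !password.include?("\0")
  end

  # The pepper is appended to the password before hashing and is never stored
  # next to the hash; output is "salthex$digesthex".
  def self.create(password, pepper, salt: SecureRandom.random_bytes(16))
    raise ArgumentError, 'password contains NUL byte' unless valid_password?(password)
    "#{salt.unpack1('H*')}$#{derive(password, pepper, salt).unpack1('H*')}"
  end

  def self.matches?(stored, password, pepper)
    salt_hex, digest_hex = stored.split('$', 2)
    return false if salt_hex.nil? || digest_hex.nil?
    candidate = derive(password, pepper, [salt_hex].pack('H*')).unpack1('H*')
    secure_compare(candidate, digest_hex)
  end

  def self.derive(password, pepper, salt)
    OpenSSL::KDF.pbkdf2_hmac(password + pepper, salt: salt, iterations: ITERATIONS,
                             length: HASH_LEN, hash: 'sha256')
  end

  # Constant-time comparison so verification does not leak where a mismatch occurs.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# In-memory stand-in for the accounts table. Verification tries the current pepper
# first, then each previous pepper; a match under an old pepper is transparently
# rehashed with the current one, the same upgrade-on-login idea as update_password_hash.
class PepperedPasswordStore
  attr_reader :rehashed

  def initialize(current_pepper, previous_peppers: [])
    @current = current_pepper
    @previous = previous_peppers
    @hashes = {}      # login => stored hash
    @rehashed = []    # logins whose hash was upgraded during a successful check
  end

  def set_password(login, password)
    @hashes[login] = PepperedHasher.create(password, @current)
  end

  # Load an existing hash, e.g. one created before the pepper was rotated.
  def import_hash(login, stored)
    @hashes[login] = stored
  end

  def stored_hash(login)
    @hashes[login]
  end

  def password_match?(login, password)
    stored = @hashes[login]
    return false unless stored
    return true if PepperedHasher.matches?(stored, password, @current)
    @previous.each do |old_pepper|
      next unless PepperedHasher.matches?(stored, password, old_pepper)
      @hashes[login] = PepperedHasher.create(password, @current) # upgrade to current pepper
      @rehashed << login
      return true
    end
    false
  end
end
```

Once every stored hash has been upgraded, the old pepper can be dropped from previous_peppers; a hash created under a pepper that is no longer listed can never verify again.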
=== 1.1.0 (2016-05-13)
* Support :csrf=>false and :flash=>false plugin options (jeremyevans)
=== 1.0.0 (2016-04-15)
* Remove invalid remember cookies to prevent unnecessary future database checks (jeremyevans)
* Extend remember deadline in cookie in addition to database (jeremyevans)
* Make tokens work with string account ids (jeremyevans)
* Add verify_change_login feature for requiring account reverification on login changes (jeremyevans)
* Set correct cookie expiration in the remember feature (jeremyevans)
* Split confirm_password feature from remember feature (jeremyevans)
* Add verify_account_grace_period feature, for allowing logins into unverified accounts for a certain period after creation (jeremyevans)
* Move login/password requirements settings to login password requirements base feature (jeremyevans)
* Add session_expiration feature, expiring sessions based on inactivity and max lifetime checks (jeremyevans)
* Add password_grace_period feature, for not requiring password entry if password was recently entered (jeremyevans)
* Make create/verify account autologin true by default (jeremyevans)
* Optimize routing using a hash table, disallow per-request routes (jeremyevans)
* Add ability to turn off login/password confirmations (jeremyevans)
* Don't allow changing login to the same as the current login (jeremyevans)
* Only allow requesting account unlocks if the account is currently locked out (jeremyevans)
* Use separate routes for unlock account/reset password/verify account requests (jeremyevans)
* Use separate routes for confirming passwords and changing remember settings (jeremyevans)
* Add JWT feature for JSON API support using JWT tokens (jeremyevans)
* Add account_select configuration option for setting which columns to select from accounts_table (jeremyevans)
* Execute get_block and post_block in the Rodauth::Auth instance scope (jeremyevans)
* Store field errors in the rodauth object instead of instance variables in the Roda scope (jeremyevans)
* Add rodauth.redirect to abstract redirection code (jeremyevans)
* Only use flash notices for successful requests, other requests that redirect now use an error flash (jeremyevans)
* The before_* configuration methods now run directly before making the related database changes (jeremyevans)
* Before hooks run before routes now use before_*_route instead of before_* configuration methods (jeremyevans)
* Add token_separator configuration method to replace the default of _ (jeremyevans)
* Rename account_id_value to account_id (jeremyevans)
* Rename account_id to account_id_column and account_session_id to account_session_column (jeremyevans)
* Make skip_status_checks? default to true unless loading verify_account or close_account features (jeremyevans)
* Replace account_model with accounts_table and db, removing use of Sequel models (jeremyevans)
* Extract shared email-related code into email_base feature (jeremyevans)
* Add auth_class_eval to configuration block for adding custom methods (jeremyevans)
* Add configuration_eval to feature definitions for adding custom configuration methods (jeremyevans)
* Allow close_account feature to optionally delete accounts (jeremyevans)
* Make close_account feature work when skipping status checks or when using account_password_hash_column (jeremyevans)
* Add sms_codes feature, for codes received via SMS that can be used if TOTP authentication is not available (jeremyevans)
* Attempt to handle unique constraint violations raised in race conditions where possible (jeremyevans)
* Add _before and _after internal methods, leaving the non-underscored methods for users (jeremyevans)
* Add single_session feature, for only allowing a single active session per account (jeremyevans)
* Add account_expiration feature, for disallowing access to accounts after an amount of time since last login/activity (jeremyevans)
* Check account status in rodauth.load_memory in remember plugin (jeremyevans)
* Use csrf plugin automatically, depend on Roda >=2.6.0 (jeremyevans)
* Make bcrypt and mail development dependencies instead of runtime dependencies in the gem (jeremyevans)
* Add password_expiration feature, requiring users to change their password after a given amount of time (jeremyevans)
* Add disallow_password_reuse feature, checking that a new password doesn't match previous passwords (jeremyevans)
* Add password_complexity feature, allowing more sophisticated password complexity checks (jeremyevans)
* Add rodauth.remember_param and .remember_confirm_param for overriding parameter names (jeremyevans)
* Check that new password is not the same as existing password in change password and reset password features (jeremyevans)
* Add rodauth.login_meets_requirements? for checking if a login is valid, by default a valid email address (jeremyevans)
* Allow unlock account to optionally require the user's current password (jeremyevans)
* Add support for running on Microsoft SQL Server with database functions for authentication (jeremyevans)
* Make change password, change login, and close account require the user's current password by default (jeremyevans)
* Add rodauth.csrf_tag to make it easy to replace the CSRF tag implementation (jeremyevans)
* Switch unlock_account_autologin? to be true by default (jeremyevans)
* Add rodauth.authenticated? and .require_authentication (jeremyevans)
* Add recovery_codes feature, for single use codes that can be used if TOTP authentication is not available (jeremyevans)
* Add otp feature, for 2 factor authentication via TOTP (jeremyevans)
* Add support for running on MySQL with database functions for authentication (jeremyevans)
* Add *_interval and set_deadline_values? methods for setting deadline intervals on a per-request basis (jeremyevans)
* Add remember_deadline_column method for overriding the column used for storing the deadline (jeremyevans)
* Add rodauth/migrations file for DRYing up the database function creation (jeremyevans)
* Add Rodauth.version for getting the version (jeremyevans)
* External features should now be requirable via rodauth/features/feature_name instead of roda/plugins/rodauth/feature_name (jeremyevans)
* Make Rodauth top level module instead of under Roda::RodaPlugins (jeremyevans)
* Require mail at configure time instead of run time if using a feature that sends email, use require_mail? false to disable (jeremyevans)
* Require bcrypt at configure time instead of run time, use require_bcrypt? false to disable (jeremyevans)
* Always require securerandom (jeremyevans)
* Make remember, password reset, and lockout features work on non-PostgreSQL databases (jeremyevans)
* Support authentication without database functions when password hashes are stored in separate table (jeremyevans)
* Remove overriding of route/get/post blocks (jeremyevans)
* Make lockout feature work on databases not supporting UPDATE RETURNING (jeremyevans)
* Add timing safe comparison of tokens (jeremyevans)
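The session_expiration entry above describes two independent checks: a session that has been idle longer than an inactivity deadline is rejected, and so is a session older than a maximum lifetime no matter how active it has been. The Ruby below is an added illustration of that logic, not rodauth's own implementation; the constants, the session keys and the function names are assumptions chosen for the example.

```ruby
# Added illustration of inactivity + max-lifetime session expiration.
# Not rodauth's code; names and limits are assumptions for this example.

# Both values in seconds, chosen for the example (not rodauth's defaults).
SESSION_INACTIVITY_DEADLINE = 30 * 60       # 30 minutes idle
SESSION_MAX_LIFETIME        = 24 * 60 * 60  # 24 hours since login

# Keys written into the session hash when the user logs in.
CREATED_AT_KEY       = :session_created_at
LAST_ACTIVITY_AT_KEY = :session_last_activity_at

# Record both timestamps at login, as integer epoch seconds.
def start_session(session, now = Time.now.to_i)
  session[CREATED_AT_KEY] = now
  session[LAST_ACTIVITY_AT_KEY] = now
  session
end

# Returns :missing, :expired, :inactive, or nil when the session is valid.
# :missing covers a session without timestamps (for example one created
# before the checks were enabled); treating it as invalid fails closed.
def session_expiration_reason(session, now = Time.now.to_i,
                              inactivity: SESSION_INACTIVITY_DEADLINE,
                              lifetime: SESSION_MAX_LIFETIME)
  created = session[CREATED_AT_KEY]
  last    = session[LAST_ACTIVITY_AT_KEY]
  return :missing unless created.is_a?(Integer) && last.is_a?(Integer)
  # Lifetime is checked first: activity never extends a session past it.
  return :expired  if now - created > lifetime
  return :inactive if now - last > inactivity
  nil
end

# Called on every authenticated request: refresh the activity timestamp,
# or clear the session and return the reason so the caller can force a
# fresh login.
def check_session_expiration(session, now = Time.now.to_i, **opts)
  reason = session_expiration_reason(session, now, **opts)
  if reason
    session.clear
    return reason
  end
  session[LAST_ACTIVITY_AT_KEY] = now
  nil
end
```

The ordering matters: the lifetime check runs before the activity timestamp is refreshed, so a client that keeps polling cannot keep a session alive indefinitely, which is the point of having a maximum lifetime in addition to the inactivity deadline.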
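The last entry in this list, timing safe comparison of tokens, is worth spelling out. A plain String#== returns at the first differing byte, so the response time of a token check leaks how many leading bytes of the attacker's guess were correct. The Ruby below is an added example, not rodauth's code: it uses the same construction as Rack::Utils.secure_compare (hash both sides to a fixed length, then XOR every byte without early exit) and applies it to a token of the "<id>_<key>" shape that the token_separator entry refers to. The store, the helper names and the sample tokens are assumptions made for the example.

```ruby
# Added example of constant-time token verification. Not rodauth's code;
# the store layout and helper names are assumptions for illustration.
require 'openssl'

# Constant-time equality. Both inputs are first reduced to fixed-length
# SHA-256 digests, so differing lengths cannot short-circuit and the
# token length is not leaked; then every byte is XORed into an
# accumulator with no early return.
def timing_safe_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a.to_s)
  db = OpenSSL::Digest::SHA256.digest(b.to_s)
  acc = 0
  da.each_byte.with_index { |x, i| acc |= x ^ db.getbyte(i) }
  acc.zero?
end

# Split "<id><separator><key>" into [id, key]; nil if malformed.
# The separator defaults to "_", the default named in the changelog.
def split_token(token, separator = '_')
  id, key = token.to_s.split(separator, 2)
  return nil if id.nil? || key.nil? || id.empty? || key.empty?
  [id, key]
end

# Verify a presented token against a store mapping id => key.
# The id lookup is not secret; only the key comparison must be
# constant time. Unknown ids and malformed tokens simply fail.
def verify_token(token, store, separator = '_')
  parts = split_token(token, separator)
  return false unless parts
  id, key = parts
  stored = store[id]
  return false unless stored
  timing_safe_equal?(key, stored)
end
```

Hashing before comparing also means the comparison cost is independent of the stored key's length, so an attacker cannot infer anything about the secret from the timing of the length check either.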
=== 0.10.0 (2016-02-17)
* Retrieve salt from database and compute hash client side, instead of computing hash on server (jeremyevans)
=== 0.9.1 (2015-08-13)
* Don't use csrf plugin automatically (jeremyevans)
=== 0.9.0 (2015-08-12)
* Initial public release