1.15.0

New features

• Migrations and view/email templates have been added for the new otp_unlock, otp_lockout_email, otp_modify_email and webauthn_modify_email features added in Rodauth 2.36.

• New rodauth:mailer generator has been added to accommodate for the increased number of possible emails. Mailer integration isn't generated by rodauth:install generator anymore.

• The rodauth.rails_url_options hash can now be overridden at runtime. This is useful when different mailers have different URL options (e.g. subdomains).

  class RodauthMailer < ApplicationMailer
    # ...
    def rodauth(name, account_id, &block)
      instance = RodauthApp.rodauth(name).allocate
      instance.account_from_id(account_id)
      instance.rails_url_options.merge!(default_url_options) # merge current default URL options
      instance.instance_eval(&block) if block
      instance
    end
  end

Bug fixes

• The model instance returned by rodauth.rails_account is now refreshed when rodauth.account changes. This fixes integration with rodauth-become_account gem.

• Fixed error on Rails 7.2 when Rodauth attempts to redirect to a URLs with query parameters.

Other improvements

• The generated mailer now uses rodauth.account_from_id added in Rodauth 2.36 for setting the current account.

• Explicit index names have been removed from generated migrations in favor of default index names.

• Added missing email template for the reset_password_notify feature.

• The generated Rodauth configuration no longer enables the change_password_notify feature.

• The generated webauthn_remove view template now uses rodauth.strftime_format for displaying last use.

• The convert_token_id_to_integer? configuration is now skipped on install when Sequel is used as primary ORM.

1.14.1

• Fixed matching on account status when passing Active Record object to Rodauth::Rails.account (@dush)

1.14.0

• Controller callbacks can now specify :only and :except to apply just to specific Rodauth routes. For example, the following will execute before the login POST request:

  class RodauthController < ApplicationController
    before_action :verify_captcha, only: :login, if: -> { request.post? }
  end

• The Rodauth controller and route name are now being instrumented instead of RodauthApp#call. This should improve integration with APM agents, which might rely on :controller referencing and actual controller class name, and also better differentiate between Rodauth routes in APM dashboard.

• The URL format for Rails routes is now being correctly applied when http_basic_auth is called in the Rodauth middleware.

• Fixed data-turbo="false" being added in the wrong place in reset password request form on login validation errors.

• The Rodauth app middleware subclass now uses Module#set_temporary_name on Ruby 3.3+ instead of custom #inspect output.

• The generated fixtures now retrieve the auth class though the Rodauth app (RodauthApp.rodauth instead of RodauthMain), to avoid errors with BCrypt gem not being loaded.

• The account model is generated with include Rodauth::Rails.model again, to avoid errors with BCrypt gem not being loaded.

• Make generated convert_token_id_to_integer? configuration also work when switching to UUID primary key, while still avoiding DB queries at boot time.

• Custom column attributes can now be referenced on rails_account before the account is persisted (e.g. in a before_create_account callback).

• Dropped support for Ruby 2.3 and 2.4.

1.13.0 🎄

• The convert_token_id_to_integer? configuration is now set to avoid DB queries at boot time. The value will be set to true unless :primary_key_type has been set in generator options.
• The login_confirm_param configuration is now set to "email-confirm" for consistency with the existing login_param override. This param is only used when require_login_confirmation? is true, which is the case when create_account feature is loaded without verify_account.
• When the session middleware is missing in API-only Rails apps, and a request to Rodauth requires sessions, the raised error will now point to Rails docs instead of suggesting to load the Roda sessions plugin (which won't work in Rails apps).
• A #rodauth method has been added to helpers for controller tests. See the wiki for up-to-date controller test guidelines.

1.12.0

• The #rails_cookies shorthand was added on Rodauth::Rails::App and Rodauth::Rails::Auth for accessing the Rails request's cookie jar (the same as #cookies in controllers).

• The #turbo_stream method is now exposed on Rodauth::Rails::Auth when using the turbo-rails gem, for easier generation of turbo stream responses.

• When running rodauth:install with --jwt or --argon2 options, the generated jwt_secret and argon2_secret now default to hmac_secret (which in turn defaults to Rails secret key base), instead of having a hardcoded secret.

• The rodauth:install generator now includes Rodauth::Model(RodauthMain) into the account model, which is essentially what Rodauth::Rails.model did. This makes Rodauth::Rails.model soft-deprecated.

• The Rodauth app now forwards all unhandled requests to the Rails router, even those that partially matched a Roda matcher.

• The rodauth:views generator can now generate the view template for the confirm_password feature as well (thanks to @igor-alexandrov).

1.11.0

• The Rodauth::Rails.authenticate routing constraint has been added, which calls rodauth.require_account instead of rodauth.require_authentication, and this way handles if the account has been deleted or closed from the console.

  Rails.application.routes.draw do
    constraints Rodauth::Rails.authenticate do
      mount Sidekiq::Web => "/sidekiq"
    end
  end

  The previous Rodauth::Rails.authenticated routing constraint is now deprecated.

• The Rodauth::Rails.lib method now accept plugin options as well, just like Rodauth.lib.

  RodauthMain = Rodauth::Rails.lib(render: false) do
    # ...
  end

• Loading of Roda's render plugin and the Tilt gem will now be skipped when render: false plugin option is passed in.

  class RodauthApp < Rodauth::Rails::App
    configure RodauthMain, render: false # skips loading render plugin and Tilt
  end

• There have been several improvements to the rodauth:routes Rake task:

  • it now has a description and shows up in rails -T
  • two factor manage & auth JSON POST routes are now listed
  • HTTP verbs are separated with | symbol, just like in rails routes
  • the JS routes for WebAuthn features are excluded, since they stop being relevant with custom JS

1.10.0

• The Rodauth::Rails.lib method has been added (counterpart for Rodauth.lib) for using Rodauth as a library in Rails apps, using the internal_request feature.

  # Gemfile
  gem "rodauth-rails", require: false # avoid inserting middleware

  # app/misc/rodauth_main.rb
  require "rodauth/rails"
  require "sequel/core"
  
  RodauthMain = Rodauth::Rails.lib do
    enable :create_account, :login, :close_account
    db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
    # ...
  end

  RodauthMain.create_account(login: "[email protected]", password: "secret123")
  RodauthMain.login(login: "[email protected]", password: "secret123")
  RodauthMain.close_account(account_login: "[email protected]")

1.9.0

New features

• The rodauth:views generator now supports the new webauthn_autofill feature added in Rodauth 5.30.

  Existing applications can upgrade by using rodauth.login_form_footer method instead of rendering the partial directly, and using rodauth.login_field_autocomplete_value for the autocomplete attribute value on the email field in the login form.

Other improvements

• The rodauth:views generator now requires explicitly specifying the two_factor_base feature in order to generate its view templates. Previously these view templates were generated automatically with a dependent feature (otp, sms_codes, recovery_codes, webauthn).

• The generated app/misc/rodauth_main.rb now sets login_param "email" for better compatibility with other authentication frameworks such as Devise.

• The generated mailer now prepends rodauth.email_subject_prefix to all email subjects, just like Rodauth does by default.

• The Trilogy adapter is now better handled in generators. Note that you'll be able to use it starting from Sequel 5.69, which will include the corresponding Sequel adapter.

• Fixed a typo in the unlock_account email template (thanks to @zavan)

Backwards compatibility

• The #rails_account method now leverages Rodauth's new account! method, which greatly simplifies the logic. As a result, the #rails_account method no longer clears the session if the logged in account was deleted. The primary goal behind that functionality was for easier development, but the session cookie never actually got cleared when Rails rendered an error response. If you were relying on this behavior, I recommend using rodauth.require_account instead of rodauth.require_authentication, and possibly even using the active_sessions feature.

• Support for Rails 4.2 has been dropped.

1.8.0

New features

• The rodauth:install generator now accepts a table argument for generating configuration with a different table than accounts.

  $ rails generate rodauth:install users # uses "users" table

• The rodauth:migration generator now accepts a --prefix option for using a different prefix than account_* for generated table definitions.

  $ rails generate rodauth:migration base active_sessions --prefix user
  
  # Add the following to your Rodauth configuration:
  #
  #   accounts_table :users
  #   active_sessions_table :user_active_session_keys
  #   active_sessions_account_id_column :user_id

  # db/migration/*_create_rodauth_user_base_active_sessions.rb
  class CreateRodauthUserBaseActiveSessions < ActiveRecord::Migration
    def change
      create_table :users do |t| ... end
      create_table :user_active_session_keys do |t| ... end
    end
  end

• The rodauth:install generator now accepts --argon2 option for configuring password hashing using Argon2.

Other improvements

• The rodauth:install generator now sets up Sequel in the Rodauth configuration instead of an initializer. Since Rodauth configuration is autoloaded, this shaves off ~200ms from boot time on my computer, and avoids breaking rails db:create command when using the sql_log_normalizer Sequel extension.

  # app/misc/rodauth_main.rb
  require "sequel/core"
  
  class RodauthMain < Rodauth::Rails::Auth
    configure do
      # ...
      db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
      # ...
    end
  end

• The mailer generated by rodauth:install generator now uses #email_to and #email_from configuration methods for "To" and "From" email headers, which means it will reflect any changes to email_to and email_from in Rodauth configuration.

• Missing foreign key constraint has been added to the generated Active Record migration for email_auth feature.

• JSON request body is now correctly parsed on web servers with non-rewindable rack input (e.g. Falcon).

• The generated webauthn_remove Tailwind template now renders the validation error correctly.

1.7.1

• Make internal_request integration work on Rack 3.x, which will be supported in Rails 7.1
• Add missing Tailwind templates for WebAuthn feature
• Use renamed rodauth.webauthn_credential_options_for_get method in generated webauthn_auth template
• Fix generated webauthn_setup template not working with webauthn_verify_account feature
• Hide text fields in generated webauthn_{setup,auth} templates
• Fix loading JavaScript for WebAuthn in generated webauthn_{setup,auth} templates
• Make built-in mailer work in Rails 6.x on Ruby 3.2