Rails integration for Rodauth authentication framework
- Controller callbacks can now specify `:only` and `:except` to apply just to specific Rodauth routes. For example, the following will execute before the login POST request:

  ```ruby
  class RodauthController < ApplicationController
    before_action :verify_captcha, only: :login, if: -> { request.post? }
  end
  ```
- The Rodauth controller and route name are now being instrumented instead of `RodauthApp#call`. This should improve integration with APM agents, which might rely on `:controller` referencing an actual controller class name, and also better differentiate between Rodauth routes in APM dashboards.
- The URL format for Rails routes is now correctly applied when `http_basic_auth` is called in the Rodauth middleware.
- Fixed `data-turbo="false"` being added in the wrong place in the reset password request form on login validation errors.
- The Rodauth app middleware subclass now uses `Module#set_temporary_name` on Ruby 3.3+ instead of custom `#inspect` output.
- The generated fixtures now retrieve the auth class through the Rodauth app (`RodauthApp.rodauth` instead of `RodauthMain`), to avoid errors with the BCrypt gem not being loaded.
- The account model is generated with `include Rodauth::Rails.model` again, to avoid errors with the BCrypt gem not being loaded.
- Make the generated `convert_token_id_to_integer?` configuration also work when switching to a UUID primary key, while still avoiding DB queries at boot time.
- Custom column attributes can now be referenced on `rails_account` before the account is persisted (e.g. in a `before_create_account` callback).
- Dropped support for Ruby 2.3 and 2.4.
- `convert_token_id_to_integer?` configuration is now set to avoid DB queries at boot time. The value will be set to `true` unless `:primary_key_type` has been set in generator options.
- `login_confirm_param` configuration is now set to `"email-confirm"` for consistency with the existing `login_param` override. This param is only used when `require_login_confirmation?` is `true`, which is the case when the `create_account` feature is loaded without `verify_account`.
- `sessions` plugin (which won't work in Rails apps).
- `#rodauth` method has been added to helpers for controller tests. See the wiki for up-to-date controller test guidelines.
- The `#rails_cookies` shorthand was added on `Rodauth::Rails::App` and `Rodauth::Rails::Auth` for accessing the Rails request's cookie jar (the same as `#cookies` in controllers).
- The `#turbo_stream` method is now exposed on `Rodauth::Rails::Auth` when using the turbo-rails gem, for easier generation of turbo stream responses.
- When running `rodauth:install` with `--jwt` or `--argon2` options, the generated `jwt_secret` and `argon2_secret` now default to `hmac_secret` (which in turn defaults to the Rails secret key base), instead of having a hardcoded secret.
- The `rodauth:install` generator now includes `Rodauth::Model(RodauthMain)` into the account model, which is essentially what `Rodauth::Rails.model` did. This makes `Rodauth::Rails.model` soft-deprecated.
- The Rodauth app now forwards all unhandled requests to the Rails router, even those that partially matched a Roda matcher.
- The `rodauth:views` generator can now generate the view template for the `confirm_password` feature as well (thanks to @igor-alexandrov).
- The `Rodauth::Rails.authenticate` routing constraint has been added, which calls `rodauth.require_account` instead of `rodauth.require_authentication`, and this way also handles the case where the account has been deleted or closed from the console.

  ```ruby
  Rails.application.routes.draw do
    constraints Rodauth::Rails.authenticate do
      mount Sidekiq::Web => "/sidekiq"
    end
  end
  ```

  The previous `Rodauth::Rails.authenticated` routing constraint is now deprecated.
- The `Rodauth::Rails.lib` method now accepts plugin options as well, just like `Rodauth.lib`.

  ```ruby
  RodauthMain = Rodauth::Rails.lib(render: false) do
    # ...
  end
  ```

- Loading of Roda's `render` plugin and the Tilt gem will now be skipped when the `render: false` plugin option is passed in.

  ```ruby
  class RodauthApp < Rodauth::Rails::App
    configure RodauthMain, render: false # skips loading render plugin and Tilt
  end
  ```
- There have been several improvements to the `rodauth:routes` Rake task:
  - `rails -T`
  - `|` symbol, just like in `rails routes`
- The `Rodauth::Rails.lib` method has been added (counterpart for `Rodauth.lib`) for using Rodauth as a library in Rails apps, using the internal_request feature.

  ```ruby
  # Gemfile
  gem "rodauth-rails", require: false # avoid inserting middleware
  ```

  ```ruby
  # app/misc/rodauth_main.rb
  require "rodauth/rails"
  require "sequel/core"

  RodauthMain = Rodauth::Rails.lib do
    enable :create_account, :login, :close_account
    db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
    # ...
  end
  ```

  ```ruby
  RodauthMain.create_account(login: "[email protected]", password: "secret123")
  RodauthMain.login(login: "[email protected]", password: "secret123")
  RodauthMain.close_account(account_login: "[email protected]")
  ```
- The `rodauth:views` generator now supports the new webauthn_autofill feature added in Rodauth 5.30. Existing applications can upgrade by using the `rodauth.login_form_footer` method instead of rendering the partial directly, and using `rodauth.login_field_autocomplete_value` for the `autocomplete` attribute value on the email field in the login form.
- The `rodauth:views` generator now requires explicitly specifying the `two_factor_base` feature in order to generate its view templates. Previously these view templates were generated automatically with a dependent feature (`otp`, `sms_codes`, `recovery_codes`, `webauthn`).
- The generated `app/misc/rodauth_main.rb` now sets `login_param "email"` for better compatibility with other authentication frameworks such as Devise.
- The generated mailer now prepends `rodauth.email_subject_prefix` to all email subjects, just like Rodauth does by default.
- The Trilogy adapter is now better handled in generators. Note that you'll be able to use it starting from Sequel 5.69, which will include the corresponding Sequel adapter.
- Fixed a typo in the `unlock_account` email template (thanks to @zavan).
- The `#rails_account` method now leverages Rodauth's new `account!` method, which greatly simplifies the logic. As a result, the `#rails_account` method no longer clears the session if the logged in account was deleted. The primary goal behind that functionality was for easier development, but the session cookie never actually got cleared when Rails rendered an error response. If you were relying on this behavior, I recommend using `rodauth.require_account` instead of `rodauth.require_authentication`, and possibly even using the `active_sessions` feature.
- Support for Rails 4.2 has been dropped.
- The `rodauth:install` generator now accepts a table argument for generating configuration with a different table than `accounts`.

  ```sh
  $ rails generate rodauth:install users # uses "users" table
  ```

- The `rodauth:migration` generator now accepts a `--prefix` option for using a different prefix than `account_*` for generated table definitions.

  ```sh
  $ rails generate rodauth:migration base active_sessions --prefix user
  # Add the following to your Rodauth configuration:
  #
  # accounts_table :users
  # active_sessions_table :user_active_session_keys
  # active_sessions_account_id_column :user_id
  ```

  ```ruby
  # db/migration/*_create_rodauth_user_base_active_sessions.rb
  class CreateRodauthUserBaseActiveSessions < ActiveRecord::Migration
    def change
      create_table :users do |t| ... end
      create_table :user_active_session_keys do |t| ... end
    end
  end
  ```

- The `rodauth:install` generator now accepts the `--argon2` option for configuring password hashing using Argon2.
- The `rodauth:install` generator now sets up Sequel in the Rodauth configuration instead of an initializer. Since Rodauth configuration is autoloaded, this shaves off ~200ms from boot time on my computer, and avoids breaking the `rails db:create` command when using the `sql_log_normalizer` Sequel extension.

  ```ruby
  # app/misc/rodauth_main.rb
  require "sequel/core"

  class RodauthMain < Rodauth::Rails::Auth
    configure do
      # ...
      db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
      # ...
    end
  end
  ```
- The mailer generated by the `rodauth:install` generator now uses the `#email_to` and `#email_from` configuration methods for the "To" and "From" email headers, which means it will reflect any changes to `email_to` and `email_from` in the Rodauth configuration.
- A missing foreign key constraint has been added to the generated Active Record migration for the `email_auth` feature.
- JSON request body is now correctly parsed on web servers with non-rewindable rack input (e.g. Falcon).
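As an added illustration of the failure mode behind this fix (not rodauth-rails's own code), the constructed `OneShotInput` below stands in for a read-once `rack.input` such as a streaming server provides; `parse_json_body_naive` shows why rewinding after the read breaks there, and `parse_json_body` buffers the body once so later middleware can still read it. Both parser functions and the sample body are assumptions made for this demo.

```ruby
require "json"
require "stringio"

# Constructed stand-in for a read-once rack.input such as the streaming body
# a server like Falcon provides: it responds to #read but not to #rewind.
class OneShotInput
  def initialize(body)
    @chunks = [body.dup]
  end

  # Rack-style read: whole body on the first call, then EOF ("" or nil).
  def read(length = nil, outbuf = nil)
    data = @chunks.shift
    return (length ? nil : "") if data.nil?
    outbuf ? outbuf.replace(data) : data
  end
end

# Parser that assumes a rewindable input: fine on a StringIO-backed body,
# but raises NoMethodError when the server hands over a read-once body.
def parse_json_body_naive(env)
  input = env["rack.input"]
  params = JSON.parse(input.read)
  input.rewind # leave the body readable for later middleware
  params
end

# Buffer a non-rewindable input into a StringIO exactly once and store the
# buffered copy back in env, so every later consumer sees a rewindable body.
def parse_json_body(env)
  input = env["rack.input"]
  unless input.respond_to?(:rewind)
    input = StringIO.new(input.read.to_s)
    env["rack.input"] = input
  end
  params = JSON.parse(input.read)
  input.rewind
  params
end

# Parses a constructed login request body on a read-once input and re-reads
# it afterwards, returning [parsed params, body as seen by the next reader].
def demo
  body = '{"login":"user@example.com","password":"secret123"}' # constructed
  env = { "rack.input" => OneShotInput.new(body), "CONTENT_TYPE" => "application/json" }
  params = parse_json_body(env)
  [params, env["rack.input"].read]
end
```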
- The generated `webauthn_remove` Tailwind template now renders the validation error correctly.
- `rodauth.webauthn_credential_options_for_get` method in generated `webauthn_auth` template
- `webauthn_setup` template not working with webauthn_verify_account feature
- `webauthn_{setup,auth}` templates
- `webauthn_{setup,auth}` templates
- Tailwind CSS view templates have been added to the `rodauth:views` generator, which can be imported by passing the `--css=tailwind` option to the generator (this is the default when using tailwindcss-rails).

  ```sh
  $ rails generate rodauth:views --css=tailwind
  ```

  Both light mode and dark mode are supported 🌘 Thanks to @benkoshy for the initial work! 🙏🏻

  https://user-images.githubusercontent.com/795488/208904028-d3490579-25ec-43e7-82ad-9848cce8e043.mov