Rodauth Rails

Rails integration for Rodauth authentication framework

v1.14.1

2 weeks ago
  • Fixed matching on account status when passing Active Record object to Rodauth::Rails.account (@dush)

v1.14.0

1 month ago
  • Controller callbacks can now specify :only and :except to apply just to specific Rodauth routes. For example, the following will execute before the login POST request:

    class RodauthController < ApplicationController
      before_action :verify_captcha, only: :login, if: -> { request.post? }
    end
    
  • The Rodauth controller and route name are now being instrumented instead of RodauthApp#call. This should improve integration with APM agents, which might rely on :controller referencing an actual controller class name, and also better differentiate between Rodauth routes in the APM dashboard.

  • The URL format for Rails routes is now being correctly applied when http_basic_auth is called in the Rodauth middleware.

  • Fixed data-turbo="false" being added in the wrong place in reset password request form on login validation errors.

  • The Rodauth app middleware subclass now uses Module#set_temporary_name on Ruby 3.3+ instead of custom #inspect output.

  • The generated fixtures now retrieve the auth class through the Rodauth app (RodauthApp.rodauth instead of RodauthMain), to avoid errors with BCrypt gem not being loaded.

  • The account model is generated with include Rodauth::Rails.model again, to avoid errors with BCrypt gem not being loaded.

  • Make generated convert_token_id_to_integer? configuration also work when switching to UUID primary key, while still avoiding DB queries at boot time.

  • Custom column attributes can now be referenced on rails_account before the account is persisted (e.g. in a before_create_account callback).

  • Dropped support for Ruby 2.3 and 2.4.

v1.13.0

5 months ago
  • The convert_token_id_to_integer? configuration is now set to avoid DB queries at boot time. The value will be set to true unless :primary_key_type has been set in generator options.
  • The login_confirm_param configuration is now set to "email-confirm" for consistency with the existing login_param override. This param is only used when require_login_confirmation? is true, which is the case when create_account feature is loaded without verify_account.
  • When the session middleware is missing in API-only Rails apps, and a request to Rodauth requires sessions, the raised error will now point to Rails docs instead of suggesting to load the Roda sessions plugin (which won't work in Rails apps).
  • A #rodauth method has been added to helpers for controller tests. See the wiki for up-to-date controller test guidelines.

v1.12.0

7 months ago
  • The #rails_cookies shorthand was added on Rodauth::Rails::App and Rodauth::Rails::Auth for accessing the Rails request's cookie jar (the same as #cookies in controllers).

  • The #turbo_stream method is now exposed on Rodauth::Rails::Auth when using the turbo-rails gem, for easier generation of turbo stream responses.

  • When running rodauth:install with --jwt or --argon2 options, the generated jwt_secret and argon2_secret now default to hmac_secret (which in turn defaults to Rails secret key base), instead of having a hardcoded secret.

  • The rodauth:install generator now includes Rodauth::Model(RodauthMain) into the account model, which is essentially what Rodauth::Rails.model did. This makes Rodauth::Rails.model soft-deprecated.

  • The Rodauth app now forwards all unhandled requests to the Rails router, even those that partially matched a Roda matcher.

  • The rodauth:views generator can now generate the view template for the confirm_password feature as well (thanks to @igor-alexandrov).

v1.11.0

9 months ago
  • The Rodauth::Rails.authenticate routing constraint has been added, which calls rodauth.require_account instead of rodauth.require_authentication, and so also handles the case where the account has been deleted or closed from the console.

    Rails.application.routes.draw do
      constraints Rodauth::Rails.authenticate do
        mount Sidekiq::Web => "/sidekiq"
      end
    end
    

    The previous Rodauth::Rails.authenticated routing constraint is now deprecated.

  • The Rodauth::Rails.lib method now accepts plugin options as well, just like Rodauth.lib.

    RodauthMain = Rodauth::Rails.lib(render: false) do
      # ...
    end
    
  • Loading of Roda's render plugin and the Tilt gem will now be skipped when render: false plugin option is passed in.

    class RodauthApp < Rodauth::Rails::App
      configure RodauthMain, render: false # skips loading render plugin and Tilt
    end
    
  • There have been several improvements to the rodauth:routes Rake task:

    • it now has a description and shows up in rails -T
    • two factor manage & auth JSON POST routes are now listed
    • HTTP verbs are separated with | symbol, just like in rails routes
    • the JS routes for WebAuthn features are excluded, since they stop being relevant with custom JS

v1.10.0

10 months ago
  • The Rodauth::Rails.lib method has been added (counterpart for Rodauth.lib) for using Rodauth as a library in Rails apps, using the internal_request feature.

    # Gemfile
    gem "rodauth-rails", require: false # avoid inserting middleware
    
    # app/misc/rodauth_main.rb
    require "rodauth/rails"
    require "sequel/core"
    
    RodauthMain = Rodauth::Rails.lib do
      enable :create_account, :login, :close_account
      db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
      # ...
    end
    
    RodauthMain.create_account(login: "[email protected]", password: "secret123")
    RodauthMain.login(login: "[email protected]", password: "secret123")
    RodauthMain.close_account(account_login: "[email protected]")
    

v1.9.0

1 year ago

New features

  • The rodauth:views generator now supports the new webauthn_autofill feature added in Rodauth 5.30.

    Existing applications can upgrade by using rodauth.login_form_footer method instead of rendering the partial directly, and using rodauth.login_field_autocomplete_value for the autocomplete attribute value on the email field in the login form.

Other improvements

  • The rodauth:views generator now requires explicitly specifying the two_factor_base feature in order to generate its view templates. Previously these view templates were generated automatically with a dependent feature (otp, sms_codes, recovery_codes, webauthn).

  • The generated app/misc/rodauth_main.rb now sets login_param "email" for better compatibility with other authentication frameworks such as Devise.

  • The generated mailer now prepends rodauth.email_subject_prefix to all email subjects, just like Rodauth does by default.

  • The Trilogy adapter is now better handled in generators. Note that you'll be able to use it starting from Sequel 5.69, which will include the corresponding Sequel adapter.

  • Fixed a typo in the unlock_account email template (thanks to @zavan)

Backwards compatibility

  • The #rails_account method now leverages Rodauth's new account! method, which greatly simplifies the logic. As a result, the #rails_account method no longer clears the session if the logged in account was deleted. The primary goal behind that functionality was for easier development, but the session cookie never actually got cleared when Rails rendered an error response. If you were relying on this behavior, I recommend using rodauth.require_account instead of rodauth.require_authentication, and possibly even using the active_sessions feature.

  • Support for Rails 4.2 has been dropped.
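
The difference between rodauth.require_authentication and rodauth.require_account, which the note above and the v1.11.0 routing constraint note both rely on, as an added example: a plain-Ruby model, not code from Rodauth or rodauth-rails. The method names, the accounts hash and the sessions are constructed for illustration; only the status ids follow Rodauth's defaults.

```ruby
# Plain-Ruby model of the two checks; not Rodauth's or rodauth-rails' code.
# Status ids follow Rodauth's defaults: 1 unverified, 2 verified, 3 closed.
OPEN_STATUS = 2

# Constructed accounts table. Account 2 was closed from the console and
# account 3 was deleted there; both still have live session cookies.
ACCOUNTS = {
  1 => { email: "alice@example.test", status: 2 },
  2 => { email: "bob@example.test", status: 3 }
}.freeze

# Constructed sessions, as decoded from each visitor's cookie.
def sample_sessions
  {
    "alice (open)"    => { account_id: 1 },
    "bob (closed)"    => { account_id: 2 },
    "carol (deleted)" => { account_id: 3 },
    "anonymous"       => {}
  }
end

# Models require_authentication: trusts the session alone.
def session_only?(session)
  !session[:account_id].nil?
end

# Models require_account: the session must also point at an open account row.
# In this model a stale session is cleared so the cookie stops working.
def open_account?(session, accounts = ACCOUNTS)
  return false unless session_only?(session)
  row = accounts[session[:account_id]]
  return true if row && row[:status] == OPEN_STATUS
  session.clear
  false
end

# Stand-in for a constrained mount (hypothetical): the request either reaches
# the mounted app or is rejected by the constraint.
def dispatch(session, constraint)
  constraint.call(session) ? :mounted_app : :rejected
end

# Returns { label => [outcome with session-only check, outcome with account check] }.
def compare(sessions = sample_sessions)
  sessions.to_h do |label, session|
    [label, [dispatch(session, method(:session_only?)),
             dispatch(session, method(:open_account?))]]
  end
end

compare.each { |label, (old, new)| puts format("%-16s session-only=%s account-check=%s", label, old, new) }
```

The closed and deleted accounts still reach the mounted app under the session-only check and are rejected only when the account row is consulted.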

v1.8.0

1 year ago

New features

  • The rodauth:install generator now accepts a table argument for generating configuration with a different table than accounts.

    $ rails generate rodauth:install users # uses "users" table
    
  • The rodauth:migration generator now accepts a --prefix option for using a different prefix than account_* for generated table definitions.

    $ rails generate rodauth:migration base active_sessions --prefix user
    
    # Add the following to your Rodauth configuration:
    #
    #   accounts_table :users
    #   active_sessions_table :user_active_session_keys
    #   active_sessions_account_id_column :user_id
    
    # db/migration/*_create_rodauth_user_base_active_sessions.rb
    class CreateRodauthUserBaseActiveSessions < ActiveRecord::Migration
      def change
        create_table :users do |t| ... end
        create_table :user_active_session_keys do |t| ... end
      end
    end
    
  • The rodauth:install generator now accepts --argon2 option for configuring password hashing using Argon2.

Other improvements

  • The rodauth:install generator now sets up Sequel in the Rodauth configuration instead of an initializer. Since Rodauth configuration is autoloaded, this shaves off ~200ms from boot time on my computer, and avoids breaking rails db:create command when using the sql_log_normalizer Sequel extension.

    # app/misc/rodauth_main.rb
    require "sequel/core"
    
    class RodauthMain < Rodauth::Rails::Auth
      configure do
        # ...
        db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
        # ...
      end
    end
    
  • The mailer generated by rodauth:install generator now uses #email_to and #email_from configuration methods for "To" and "From" email headers, which means it will reflect any changes to email_to and email_from in Rodauth configuration.

  • Missing foreign key constraint has been added to the generated Active Record migration for email_auth feature.

  • JSON request body is now correctly parsed on web servers with non-rewindable rack input (e.g. Falcon).

  • The generated webauthn_remove Tailwind template now renders the validation error correctly.

v1.7.1

1 year ago
  • Make internal_request integration work on Rack 3.x, which will be supported in Rails 7.1
  • Add missing Tailwind templates for WebAuthn feature
  • Use renamed rodauth.webauthn_credential_options_for_get method in generated webauthn_auth template
  • Fix generated webauthn_setup template not working with webauthn_verify_account feature
  • Hide text fields in generated webauthn_{setup,auth} templates
  • Fix loading JavaScript for WebAuthn in generated webauthn_{setup,auth} templates
  • Make built-in mailer work in Rails 6.x on Ruby 3.2

v1.7.0

1 year ago

Tailwind CSS view templates have been added to the rodauth:views generator, which can be imported by passing the --css=tailwind option to the generator (this is the default when using tailwindcss-rails).

$ rails generate rodauth:views --css=tailwind

Both light mode and dark mode are supported 🌘 Thanks to @benkoshy for the initial work! 🙏🏻

https://user-images.githubusercontent.com/795488/208904028-d3490579-25ec-43e7-82ad-9848cce8e043.mov