v0.6.0

• OmniAuth login can now count as two factors when account is using 2FA. This is useful when using OmniAuth login as SSO, and one can rely on an 2FA policy on the external provider.

  omniauth_two_factors? true

  This can also be made conditional based on data from the external provider, for example:

  omniauth_two_factors? do
    # only count as two factors if external account uses 2FA
    omniauth_extra["raw_info"]["two_factor_authentication"]
  end

v0.5.1

• Fixed email auth link on login page being incorrectly hidden after valid email was entered when the account has linked external identities.

v0.5.0

• Added the omniauth_create_account? configuration method for disabling automatic account creation.

  For example, if you have OmniAuth links on both login and registration pages, and you want the OmniAuth login on the login page to only log into existing accounts, you could configure this so that it's controlled via a query parameter:

  # somewhere in your view template:
  rodauth.omniauth_request_path(:google, action: "login") #=> "/auth/github?action=login"

  # in your Rodauth configuration:
  omniauth_create_account? { omniauth_params["action"] != "login" }

v0.4.0

• Unverified accounts are now automatically verified when logging in via OmniAuth if the external email matches the email of the local account. This can be disabled by adding omniauth_verify_account? false to your Rodauth configuration.

• When making a GET request to the request path when only POST requests are allowed, a 404 response is now returned instead of an error.

• Calling omniauth_* methods that read data from Rack env hash will now return nil instead of raising a KeyError when the omniauth.<key> item isn't present in the env hash.

v0.3.4

• Fix NoMethodError: undefined method 'destroy' for nil when login is trying to clear the session in JWT mode without session middleware (#13).

v0.3.3

• Use account_id column for the foreign key in the identities model association instead of the id column (thanks to @Dainii).

v0.3.2

• Fixed identities model association not being defined.

v0.3.1

• Ship with EN translations for the rodauth-i18n gem

v0.3.0

• Added account_from_omniauth auth method for changing how an existing account is found for a new external identity. By default, it searches for accounts with the same email as the external identity.

  account_from_omniauth do
    account_table_ds.first(email: omniauth_email) # roughly the default implementation
  end
  # or
  account_from_omniauth {} # new identity = new account

• Calling OmniAuth endpoints via JWT requests should now work correctly when using something other than Roda sessions plugin, such as Rack::Session::Cookie or Rails session.

• When attempting to log into an account that's unverified, an error reason is now set to :unverified_account when returning the error response.

• When there is an OmniAuth authentication failure, an error reason is now set to :omniauth_failure when returning the error response.

v0.2.0

• When a user is logged in via OmniAuth, and they've authenticated via password through the confirm_password feature, the session is no longer considered multifactor authenticated.

  This should be a safer default, considering that people still reuse passwords, so a database breach might allow the attacker to log into both accounts using the same credentials, and the developer might not be aware they've allowed using OmniAuth login as 2nd factor in the first place.