Releases: tomichj/authenticate

v0.7.2

04 Jul 05:50

0.7.2 - June 22, 2017

API change

  • removed new_users_path, sign_up_path remains

New Feature

  • added allow_sign_up flag to install generator

v0.7.0: api changes

26 May 01:13

API Changes

  • controller#require_authentication is deprecated, use controller#require_login
  • controller#authenticated? is deprecated, use controller#logged_in?
  • added controller#logged_out?

authenticated? and require_authentication will be removed in a future release.

Test support

  • Added login_as via middleware for feature/integration/system tests.
  • added rspec helpers for view and controller tests
  • added test-unit helpers for controller/view tests

Internal changes - will not affect normal apps

  • Session#initialize(request, cookies) is now Session#initialize(request)
  • Session API changes, #authenticated? renamed #logged_in?

v0.6.0: security fixes

16 May 19:22

Security

  • Prevent password reset token leakage through the HTTP referrer across domains. password#edit removes the password
    reset token from the URL, stores it in the user's session (typically a cookie), and redirects to password#url
    without the token in the URL.

  • Prevent session fixation attacks by rotating CSRF tokens on sign-in. To enable this, set
    Authentication.configuration.rotate_csrf_on_sign_in to true. This is recommended for
    all applications. The setting defaults to false in this release, but will default to true
    in a future release.
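
The token-stripping redirect described in the first Security item, as an added Ruby example (not code from the authenticate gem). The method names, the session key, the URL and the token value are hypothetical or constructed, and a plain Hash stands in for the Rails session.

```ruby
require "uri"

SESSION_KEY = :password_reset_token # assumed key name, not taken from the gem

# Hypothetical stand-in for a password#edit action. `session` is a plain Hash
# playing the role of the Rails session.
def password_edit(url, session)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  token = params.delete("token")

  if token
    # Token arrived in the URL: move it into the session and redirect to the
    # same path without it, so the page that finally renders has a clean URL.
    session[SESSION_KEY] = token
    uri.query = params.empty? ? nil : URI.encode_www_form(params)
    return { status: 302, location: uri.to_s }
  end

  stored = session[SESSION_KEY]
  return { status: 403, body: "missing reset token" } unless stored

  { status: 200, page_url: url, form_token: stored }
end

# Worst case, a browser sends the full page URL as Referer to other origins.
def leaked_in_referer?(page_url, token)
  page_url.include?(token)
end

def demo
  session = {}
  token = "constructed-token-123" # constructed sample value
  first = password_edit("https://app.example/users/7/password/edit?token=#{token}", session)
  second = password_edit(first[:location], session)
  { redirect: first, form: second, leaked: leaked_in_referer?(second[:page_url], token) }
end

p demo if __FILE__ == $PROGRAM_NAME
```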

Fixed

  • Location to return to after login is now written to session. Was previously written explicitly to a cookie.
  • Most controller tests rewritten as feature and request tests.

v0.5.0: support (in gemspec) for rails 5.1

27 Mar 00:21

added support for rails 5.1 (bumped version supported in gemspec).
improved criteria to see if a password reset is within the valid period.

v0.4.0

03 Jun 22:00

Install generator User: ActiveRecord::Base for Rails 4 apps, ApplicationRecord for rails 5 (issue #2).
Test fixes, less sensitive to tiny timing changes.

v0.3.3

29 Apr 23:58

update password streamlining
ActiveRecord::Migration.maintain_test_schema! called in spec_helper
added codeclimate config

v0.3.2

29 Apr 03:23
updated version and changelog

v0.3.1

11 Mar 05:15

User controller now allows arbitrary parameters without having to explicitly declare
them. Still requires email and password.
Mailer now checks for mail.respond_to?(:deliver_later) rather than rails version,
to decide deliver vs deliver_later.
Removed unused user_id_parameter config method.

v0.3.0

26 Feb 19:30

Moved normalize_email and find_normalized_email methods to base User module, so they're always available.
Added full suite of controller and feature tests.
Bug fixes:

  • failed login count fix was off by one.
  • password validation now done only in correct circumstances

v0.2.2

13 Feb 00:27
Pre-release

Password length range requirements added, defaults to 8..128.
Generators and app now respect model class more completely, including in routes.