All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
### For everyone

- Change the gem version in the `Gemfile` from `'> 1.3'` to `'> 2.0'` and run `bundle install`.
- Replace `authenticate` filters with `authenticate_user`.
- Remove this line from `config/routes.rb`: `mount Knock::Engine => "/knock"`
- Run the token controller generator: `rails g knock:token_controller user`
### For special configurations

If you have a custom value set for `Knock.handle_attr` and/or `Knock.current_user_from_handle`:

- Remove it from `config/initializers/knock.rb`.
- Implement the `User.find_for_token_creation` method in `user.rb`.

Example using `:username` instead of `:email`:

```ruby
def self.find_for_token_creation(params)
  User.find_by username: params[:username]
end
```

This method takes as argument the parameters from the controller (`params.require(:auth).permit!`). If the user cannot be found, it should return a falsy value (`nil` or `false`). If you raise an exception here, it is your responsibility to rescue it and act accordingly.
If you have a custom value set for `Knock.current_user_from_token`:

- Remove it from `config/initializers/knock.rb`.
- Implement the `User.find_for_authentication` method in `user.rb`.

Example retrieving the user id from a field other than `'sub'` in the token payload:

```ruby
def self.find_for_authentication(payload)
  User.find payload['custom_field']
end
```

This method takes the token payload as argument. If the user cannot be found, it should return a falsy value (`nil` or `false`) or raise an exception. In both cases, Knock will respond with `head :unauthorized`.
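As an added example (not taken from this changelog or from the Knock gem), the following plain-Ruby stand-in for the `User` model implements both hooks described above and a helper that models the outcome Knock derives from them; the in-memory `TABLE`, the `RecordNotFound` class and the `authenticate_from_payload` helper are constructed for this example only.

```ruby
# Constructed stand-in for ActiveRecord::RecordNotFound (example only).
class RecordNotFound < StandardError; end

class User
  attr_reader :id, :username

  def initialize(id, username)
    @id = id
    @username = username
  end

  # Constructed in-memory table standing in for the users table (example data).
  TABLE = [new(1, 'alice'), new(2, 'bob')].freeze

  # ActiveRecord-style lookups: find_by returns nil, find raises.
  def self.find_by(username:)
    TABLE.find { |u| u.username == username }
  end

  def self.find(id)
    TABLE.find { |u| u.id == id } || raise(RecordNotFound, "user #{id.inspect} not found")
  end

  # Hook called with the permitted auth params when a token is created.
  # Returns the user or a falsy value; any exception raised here is the
  # application's responsibility, so bad input is mapped to nil instead.
  def self.find_for_token_creation(params)
    username = params[:username] || params['username']
    return nil if username.nil? || username.empty?
    find_by(username: username)
  end

  # Hook called with the decoded token payload on each authenticated request.
  # May return a falsy value or raise; Knock responds with head :unauthorized
  # in both cases.
  def self.find_for_authentication(payload)
    find(payload['custom_field'])
  end
end

# Models how Knock treats the result of find_for_authentication: the user on
# success, :unauthorized when the hook returns falsy or raises.
def authenticate_from_payload(payload)
  User.find_for_authentication(payload) || :unauthorized
rescue RecordNotFound
  :unauthorized
end
```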
- Define `find_for_authentication` in a resource model (e.g. `User`) to customize the way the resource is fetched from the database when decoding the token. This deprecates the use of `Knock.current_user_from_token`.
- Define `find_for_token_creation` in a resource model (e.g. `User`) to customize the way the resource is fetched from the database when generating an authentication token. This deprecates the use of `Knock.current_user_from_handle`.
- Authenticate any resource (e.g. `User`, `Admin`, ...) by including the `Knock::Authenticatable` module and calling the corresponding before action (e.g. `authenticate_user`, `authenticate_admin`, ...).
- Generator for token controller (for signing in): `knock:token_controller`.
- Handle multiple types of user models (useful if you need admin users, for example).
- Token controller generator (for signing in): `knock:token_controller`. Multiple user models means we need one token controller per user type.
- Config options for exception class
- Rename `Knock::Authenticable` to `Knock::Authenticatable`.
- Rename `authenticate` to `authenticate_user`.
- Use class method `find_for_authentication` in the user model instead of `Knock.current_user_from_token`.
- Use class method `find_for_token_creation` in the user model instead of `Knock.current_user_from_handle` and `Knock.handle_attr`.
- `Knock.handle_attr`
- `Knock.current_user_from_handle`
- `Knock.current_user_from_token`
- No need to mount the engine anymore.
- Allow use of any or no prefix in the authorization header. This fixes an unwanted breaking change introduced in 1.4.0 forcing the use of the `Bearer` prefix.
- Use lambda for audience verification
- Allow use of Rails versions above 4.2
- Travis integration
- Contribution guidelines
- URL authentication
- Allow use of a different encoding algorithm
- Expose `current_user` in the controllers without authenticating
- Audience verification in token
- Use lambda syntax compatible with older Ruby versions
- A few typos
- Configuration option for how the `current_user` is retrieved when signing in.
- Configuration option for the handle attribute (email by default).
- Configuration option for how the `current_user` is retrieved when validating a token. (#1)
- Use the `"sub"` claim to store the user id by default instead of `"user_id"`. (#1)
- Decode `auth0_client_secret` in default configuration for Auth0
- `Knock.token_lifetime` configuration variable
- `Knock.token_secret_signature_key` configuration variable
- `Knock.token_audience` configuration variable
- Audience claim verification when decoding a token
- `Knock.setup` method for configuration in the `knock.rb` initializer
- Generator for the initializer (`rails g knock:install`)
- `Knock::Authenticable` to secure endpoints with `before_action :authenticate`
- `AuthToken` model provides JWT encapsulation
- `AuthTokenController` provides an out-of-the-box sign-in implementation