v0.4.6

The callback flow has been changed so sessions are now stored in the backend cache with PowAssent.Store.SessionCache instead of using Plug.Session. This prevents exposure of sensitive data, as the only thing stored in the Plug session is a random UUID.

Updated Pow requirement to ~> 1.0.17. #141

Enhancements

• [PowAssent.Plug] Added PowAssent.Plug.change_user/4 #118
• [PowAssent.Operations] Added PowAssent.Operations.user_identity_changeset/4 #118
• [PowAssent.Phoenix.AuthorizationController] Now prevents user enumeration attack using PowEmailConfirmation.Phoenix.ControllerCallbacks when PowEmailConfirmation extension is enabled #128
• [PowAssent.Phoenix.AuthorizationController] Now stores :changeset in session when redirecting to :add_user_id page #137
• [PowAssent.Phoenix.RegistrationController] Now prevents user enumeration attack using PowEmailConfirmation.Phoenix.ControllerCallbacks when PowEmailConfirmation extension is enabled #128
• [PowAssent.Phoenix.RegistrationController] Now uses :changeset stored in the session when rendering :add_user_id page #137
• [PowAssent.Plug] Moved business logic away from PowAssent.Phoenix.AuthorizationController into PowAssent.Plug.callback_upsert/4 that will authenticate, upsert user identity, or create user #133
• [PowAssent.Store.SessionCache] Added session store module #135
• [PowAssent.Plug] Added PowAssent.Plug.init_session/1 #135
• [PowAssent.Plug] Added PowAssent.Plug.put_session/3 #135
• [PowAssent.Plug] Added PowAssent.Plug.delete_session/2 #135

Bug fixes

• [PowAssent.Ecto.Schema] Fixed issue in PowAssent.Ecto.Schema.changeset/2 where confirmation token was not set thus allowing users with unconfirmed email to sign in #121

Documentation

• Added legacy migration guide #129
• Added API guide #143