Skip to content

v0.26.2

Choose a tag to compare

@github-actions github-actions released this 15 Jun 04:24
e8b1420

Security

  • OTP codes and password-reset tokens no longer leak into the logs. The
    built-in mailers (PasswordlessMailer, PasswordResetMailer) pass the OTP
    code / reset URL as mailer params, which deliver_later serializes as the
    delivery job's arguments — and ActiveJob's log subscriber prints job arguments
    in plaintext on enqueue/perform (e.g. params: {email:…, otp_code: "03158369"}).
    StandardId's mailers now deliver via StandardId::SecureMailDeliveryJob
    (ActionMailer::MailDeliveryJob with log_arguments = false), so the
    arguments are kept out of the log stream. Delivery behaviour is unchanged.