Releases: thoughtbot/clearance

v2.1.0

19 Dec 21:07

Added

  • Add a parent_controller configuration option to specify the controller that
    Clearance's BaseController will inherit from. Defaults to a value of
    ApplicationController.
  • Use the configured primary_key_type from the Active Record settings of the
    project including Clearance, if it is set, while generating migrations. For
    example, a setting of :uuid in a Rails app using Clearance will cause the
    clearance-generated migrations to use this for the users table id type.

Fixed

  • Delete cookies correctly when a custom domain setting is being used.
  • Do not set the authorization cookie on requests which did not exercise the
    authorization code. Reduces the chances of leaving an auth cookie in a
    publicly cacheable page that didn't require authorization to access.

Changed

  • Update the email_validator gem to a newer version to embrace the more relaxed
    email validation options which it now defaults to.
  • When a password reset request is submitted without an email address, a flash
    alert is now provided. Previously this continued silently as though it had
    worked. We still proceed that way when there is an invalid (but present)
    value, so as not to reveal existent vs. non-existent emails in the database.

Removed

  • Remove an unused route to passwords#create nested under users.
  • No longer include the (rarely used in practice) application layout as part of
    the views installer, but continue to provide some stock sign-in/out and flash
    partial code in the gem installation README output.

Deprecated

  • Remove the existing deprecation notice around the rotate_csrf_on_sign_in
    setting, and make that setting default to true.

v2.0.0

12 Nov 16:43

Added

  • Add support for Rails version 6
  • Allow cookie_domain to be configured with a lambda for custom configuration
  • Add ability to configure BCrypt computational cost of hash calculation.
  • Add same_site configuration option for increased CSRF protection.

Fixed

  • Fix issue where invalid params could raise NoMethodError when updating and
    resetting passwords.
  • The backdoor auth mechanism now supports scenarios where Rails.env has been
    configured via env variables other than RAILS_ENV (RACK_ENV for example).

Removed

  • Removed support for Ruby versions older than 2.4
  • Removed support for Rails versions older than 5.0
  • Removed all deprecated code from Clearance 1.x

Changed

  • Flash messages now use flash[:alert] rather than flash[:notice] as they
    were used as errors more often than notices.

v1.17.0

11 Apr 13:44

Changed

  • Update the HttpOnly cookie setting for the remember token to default to
    true, which prevents the value from being available to JavaScript.
  • Add configuration option to allow the auth backdoor to work in specified
    environments (defaults to test, development, ci).

v1.16.2

25 Feb 16:00

Fixed

  • Added missing translation keys
  • Fix issue where a cookie value could be set more than once when interacting
    with the httponly option

Changed

  • Remove Rails as a dependency so that clearance does not trigger a cascade of
    requirements as rails pulls in every framework. Instead, depend on just the
    frameworks relevant to Clearance.
  • Prevent Clearance::BackDoor from being used outside the "test" environment.

v1.16.1

02 Nov 23:17
1f28341

Fixed

  • Fixed issue where tokens from abandoned password reset attempts were stored in
    the session, preventing newly generated password reset tokens from working.
  • Improve compatibility with Rails API projects by calling helper_method only
    when it is defined.
  • URL fragments in server-set session[:return_to] values are now preserved when
    redirecting to the stored value.
  • Eliminated deprecation warnings in Clearance test helpers related to the
    renaming of FactoryGirl to FactoryBot.

v1.16.0

02 Nov 22:45
c6c1c62

Security

  • Clearance users can now help prevent session fixation attacks by setting
    Clearance.configuration.rotate_csrf_on_sign_in to true. This will cause
    the user's CSRF token to be rotated on sign in and is recommended for all
    Clearance applications. This setting will default to true in Clearance 2.0.
    Clearance will emit a warning on each sign in until this configuration setting
    is explicitly set to true or false.

v1.15.1

06 Oct 18:41
54c9162

Fixed

  • Password reset form redirect no longer uses a named route helper, which means
    it will work for developers who have customized their routes.

v1.15.0

06 Oct 18:40
3403d7f

Security

  • Prevent possible password reset token leak to external sites linked to on the
    password reset page. See PR #707 for more information.

v1.14.2

06 Oct 18:39
d72696f

Fixed

  • Fixed incompatibility with attr_encrypted gem by inlining the body of the
    encrypt helper method used in the BCrypt password strategy.

v1.14.1

12 May 19:29
75e33bb

Fixed

  • Fixed insertion of include Clearance::User when running the install
    generator in an app that already has a User model.
  • Updated deny_access matcher to assert against configured redirect location
    rather than hard coded /.