Releases: thoughtbot/clearance
v2.1.0
Added
- Add a `parent_controller` configuration option to specify the controller that Clearance's `BaseController` will inherit from. Defaults to a value of `ApplicationController`.
- Use the configured `primary_key_type` from the Active Record settings of the project including Clearance, if it is set, while generating migrations. For example, a setting of `:uuid` in a Rails app using Clearance will cause the Clearance-generated migrations to use this for the `users` table id type.
Fixed
- Delete cookies correctly when a custom domain setting is being used.
- Do not set the authorization cookie on requests which did not exercise the authorization code. This reduces the chance of leaving an auth cookie in a publicly cacheable page that did not require authorization to access.
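The custom-domain cookie fix above concerns cookie identity in the browser. As an added example (not Clearance's own code), this constructed model of browser cookie storage shows why a sign-out that omits the Domain attribute the remember token was set with leaves that cookie in place; the cookie name, hosts and token value are made up.

```ruby
# Constructed model of RFC 6265 cookie storage: a browser keys each cookie by
# [name, domain, path], so sign-out must repeat the Domain the cookie was set
# with. Added example, not code from the Clearance gem.
class BrowserCookieJar
  def initialize(host)
    @host = host  # host that sent the responses, e.g. "www.example.com"
    @store = {}   # [name, domain, path] => value
  end

  # Apply one Set-Cookie header: an entry with the same key is replaced;
  # Max-Age=0 removes that entry and no other.
  def apply(set_cookie)
    parts = set_cookie.split(";").map(&:strip)
    name, value = parts.shift.split("=", 2)
    attrs = parts.each_with_object({}) do |part, h|
      k, v = part.split("=", 2)
      h[k.downcase] = v
    end
    domain = attrs["domain"]&.downcase&.sub(/\A\./, "") || @host # no Domain => host-only
    key = [name, domain, attrs.fetch("path", "/")]
    if attrs.key?("max-age") && attrs["max-age"].to_i <= 0
      @store.delete(key)
    else
      @store[key] = value
    end
  end

  def values_for(name)
    @store.select { |(n, _, _), _| n == name }.values
  end
end

# Set-Cookie header an app sends to set the remember token (Domain optional).
def remember_token_header(value, domain: nil)
  header = "remember_token=#{value}; Path=/; HttpOnly"
  domain ? "#{header}; Domain=#{domain}" : header
end

# Set-Cookie header an app sends at sign-out to expire the remember token.
def remember_token_delete_header(domain: nil)
  header = "remember_token=; Path=/; Max-Age=0"
  domain ? "#{header}; Domain=#{domain}" : header
end
# true when no remember_token survives the sign-out response in the browser.
def sign_out_clears?(host, set_domain:, delete_domain:)
  jar = BrowserCookieJar.new(host)
  jar.apply(remember_token_header("token-abc", domain: set_domain))
  jar.apply(remember_token_delete_header(domain: delete_domain))
  jar.values_for("remember_token").empty?
end
```

A deletion header that drops the Domain attribute targets a different host-only cookie, so the original domain cookie stays valid until it expires.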
Changed
- Update the `email_validator` gem to a newer version and embrace the more relaxed email validation options which it now defaults to.
- When a password reset request is submitted without an email address, a flash alert is now provided. Previously this continued silently as though it had worked. We still proceed that way when there is an invalid (but present) value, so as not to reveal existent vs. non-existent emails in the database.
Removed
- Remove an unused route to `passwords#create` nested under `users`.
- No longer include the (rarely used in practice) application layout as part of the views installer; but continue to provide some stock sign-in/out and flash partial code in the gem installation README output.
Deprecated
- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in` setting, and make that setting default to true.
v2.0.0
Added
- Add support for Rails version 6
- Allow `cookie_domain` to be configured with a lambda for custom configuration
- Add ability to configure BCrypt computational cost of hash calculation.
- Add `same_site` configuration option for increased CSRF protection.
Fixed
- Fix issue where invalid params could raise `NoMethodError` when updating and resetting passwords.
- The backdoor auth mechanism now supports scenarios where `Rails.env` has been configured via env variables other than `RAILS_ENV` (`RACK_ENV` for example).
Removed
- Removed support for Ruby versions older than 2.4
- Removed support for Rails versions older than 5.0
- Removed all deprecated code from Clearance 1.x
Changed
- Flash messages now use `flash[:alert]` rather than `flash[:notice]` as they were used as errors more often than notices.
v1.17.0
Changed
- Update the `HttpOnly` cookie setting for the remember token to default to true, which prevents the value from being available to JavaScript.
- Add configuration option to allow the auth backdoor to work in specified environments (defaults to `test`, `development`, `ci`).
v1.16.2
Fixed
- Added missing translation keys
- Fix issue where a cookie value could be set more than once when interacting with the `httponly` option
Changed
- Remove Rails as a dependency so that Clearance does not trigger a cascade of requirements as Rails pulls in every framework. Instead, depend on just the frameworks relevant to Clearance.
- Prevent `Clearance::BackDoor` from being used outside the "test" environment.
v1.16.1
Fixed
- Fixed issue where tokens from abandoned password reset attempts were stored in the session, preventing newly generated password reset tokens from working.
- Improve compatibility with Rails API projects by calling `helper_method` only when it is defined.
- URL fragments in server-set `session[:return_to]` values are preserved when redirecting to the stored value.
- Eliminated deprecations in Clearance test helpers that were related to the renaming of FactoryGirl to FactoryBot.
v1.16.0
Security
- Clearance users can now help prevent session fixation attacks by setting `Clearance.configuration.rotate_csrf_on_sign_in` to `true`. This will cause the user's CSRF token to be rotated on sign in and is recommended for all Clearance applications. This setting will default to `true` in Clearance 2.0. Clearance will emit a warning on each sign in until this configuration setting is explicitly set to `true` or `false`.
v1.15.1
Fixed
- Password reset form redirect no longer uses a named route helper, which means
it will work for developers that have customized their routes.
v1.15.0
Security
- Prevent possible password reset token leak to external sites linked to on the
password reset page. See PR #707 for more information.
v1.14.2
Fixed
- Fixed incompatibility with the `attr_encrypted` gem by inlining the body of the `encrypt` helper method used in the BCrypt password strategy.
v1.14.1
Fixed
- Fixed insertion of `include Clearance::User` when running the install generator in an app that already has a `User` model.
- Updated `deny_access` matcher to assert against the configured redirect location rather than the hard-coded `/`.