Changelog History

  • v2.3.0 Changes

    August 14, 2020

    Fixed

    • Delete cookie correctly when a callable object is set as the custom domain
      setting.
    • Strip the "as" parameter when signing in through the back door.
    • Remove broken autoload for deprecated password strategies.

    Changed

    • Deliver password reset email inline rather than in the background.
    • Remove unnecessary unsafe interpolation in erb templates.
  • v2.2.1 Changes

    August 07, 2020

    Fixed

    • Prevent user enumeration by timing attacks. Trying to log in with an
      unrecognized email address will now take the same amount of time as for a user
      that does exist in the system.
  • v2.2.0 Changes

    July 09, 2020

    Added

    • Add an Argon2 password strategy

    Fixed

    • Use strings instead of classes on guard classes, avoids Rails deprecation
      warning.
    • Use find_by style for finders, improves neo4j support
    • Provide explicit case sensitivity option for email uniqueness, avoid Rails
      deprecation warning.
  • v2.1.0 Changes

    December 19, 2019

    Added

    • Add a parent_controller configuration option to specify the controller that
      Clearance's BaseController will inherit from. Defaults to a value of
      ApplicationController.
    • Use the configured primary_key_type from the Active Record settings of the
      project including Clearance, if it is set, while generating migrations. For
      example, a setting of :uuid in a Rails app using Clearance will cause the
      clearance-generated migrations to use this for the users table id type.

    Fixed

    • Delete cookies correctly when a custom domain setting is being used.
    • Do not set the authorization cookie on requests which did not exercise the
      authorization code. Reduces the chances of leaving an auth cookie in a
      publicly cacheable page that didn't require authorization to access.

    Changed

    • Update the email_validator gem to a newer version and embrace the more relaxed
      email validation options which it now defaults to.
    • When a password reset request is submitted without an email address, a flash
      alert is now provided. Previously this continued silently as though it had
      worked. We still proceed that way when there is an invalid (but present)
      value, so as not to reveal existent vs. non-existent emails in the database.

    Removed

    • Remove an unused route to passwords#create nested under users.
    • No longer include the (rarely used in practice) application layout as part of
      the views installer; but continue to provide some stock sign-in/out and flash
      partial code in the gem installation README output.

    Deprecated

    • Remove the existing deprecation notice around the rotate_csrf_on_sign_in
      setting, and make that setting default to true.
  • v2.0.0 Changes

    November 12, 2019

    Added

    • Add support for Rails version 6
    • Allow cookie_domain to be configured with a lambda for custom configuration
    • Add ability to configure BCrypt computational cost of hash calculation.
    • Add same_site configuration option for increased CSRF protection.

    Fixed

    • Fix issue where invalid params could raise NoMethodError when updating and
      resetting passwords.
    • The backdoor auth mechanism now supports scenarios where Rails.env has been
      configured via env variables other than RAILS_ENV (RACK_ENV for example).

    Removed

    • Removed support for Ruby versions older than 2.4
    • Removed support for Rails versions older than 5.0
    • Removed all deprecated code from Clearance 1.x

    Changed

    • Flash messages now use flash[:alert] rather than flash[:notice] as they
      were used as errors more often than notices.
  • v1.17.0 Changes

    April 11, 2019

    Changed

    • Update the HttpOnly cookie setting for the remember token to default to
      true, which prevents the value from being available to JavaScript.
    • Add configuration option to allow the auth backdoor to work in specified
      environments (defaults to test, development, ci).

    Full changelog

  • v1.16.2 Changes

    February 25, 2019

    Fixed

    • Added missing translation keys
    • Fix issue where a cookie value could be set more than once when interacting
      with the httponly option

    Changed

    • Remove Rails as a dependency so that clearance does not trigger a cascade of
      requirements as rails pulls in every framework. Instead, depend on just the
      frameworks relevant to Clearance.
    • Prevent Clearance::BackDoor from being used outside the "test" environment.

    Full changelog

  • v1.16.1 Changes

    November 02, 2017

    Fixed

    • Fixed issue where tokens from abandoned password reset attempts were stored in
      the session, preventing newly generated password reset tokens from working.
    • Improve compatibility with Rails API projects by calling helper_method only
      when it is defined.
    • URL fragments in server-set session[:return_to] values are preserved when
      redirecting to the stored value.
    • Eliminated deprecation in Clearance test helpers that were related to the
      renaming of FactoryGirl to FactoryBot.

    Full changelog

  • v1.16.0 Changes

    November 02, 2017

    Security

    • Clearance users can now help prevent session fixation attacks by setting
      Clearance.configuration.rotate_csrf_on_sign_in to true. This will cause
      the user's CSRF token to be rotated on sign in and is recommended for all
      Clearance applications. This setting will default to true in Clearance 2.0.
      Clearance will emit a warning on each sign in until this configuration setting
      is explicitly set to true or false.

    Full changelog

  • v1.15.1 Changes

    October 06, 2016

    Fixed

    • Password reset form redirect no longer uses a named route helper, which means
      it will work for developers that have customized their routes.

    Full Changelog
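
The v2.2.1 entry above describes equalizing login time for known and unknown email addresses. The sketch below is an added example, not Clearance's own code: it contrasts a lookup that returns early with one that always performs the password hash. PBKDF2 stands in for the gem's BCrypt/Argon2 strategies, and Hasher, DECOY, authenticate_leaky, authenticate_uniform and hash_calls are hypothetical names.

```ruby
require "openssl"
require "securerandom"

# Stand-in slow hash (PBKDF2 via Ruby's OpenSSL); the counter is for the demo only.
module Hasher
  @calls = 0
  class << self
    attr_reader :calls
    def digest(password, salt)
      @calls += 1
      OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50_000, 32, OpenSSL::Digest.new("SHA256"))
    end
  end
end

User = Struct.new(:email, :salt, :digest)
def build_user(email, password)
  salt = SecureRandom.random_bytes(16)
  User.new(email, salt, Hasher.digest(password, salt))
end

# Constructed sample data: one real account plus a decoy nobody can log in as.
USERS = { "alice@example.com" => build_user("alice@example.com", "correct horse") }.freeze
DECOY = build_user("decoy@example.invalid", SecureRandom.hex(32))

# Compare equal-length digests without stopping at the first differing byte.
def same_bytes?(a, b)
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Leaky shape: unknown emails return before any hashing, so they answer faster.
def authenticate_leaky(email, password)
  return nil unless (user = USERS[email])
  same_bytes?(Hasher.digest(password, user.salt), user.digest) ? user : nil
end

# Uniform shape: every attempt pays for exactly one hash and one comparison.
def authenticate_uniform(email, password)
  user = USERS[email]
  target = user || DECOY
  match = same_bytes?(Hasher.digest(password, target.salt), target.digest)
  user && match ? user : nil
end

# Number of slow-hash computations performed while the block runs.
def hash_calls
  before = Hasher.calls
  yield
  Hasher.calls - before
end
```

Counting hash invocations gives a deterministic regression check for this property, which wall-clock measurements in a test suite do not.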