All Versions
95
Latest Version
Avg Release Cycle
114 days
Latest Release
681 days ago
Changelog History
Page 1
Changelog History
Page 1
-
v2.6.0 Changes
June 12, 2022- ⬇️ Drops support for Rails 5.0, 5.1 and 5.2, see https://endoflife.date/rails #964
- ⬇️ Drops support for Ruby 2.4, 2.5 and 2.6, see https://endoflife.date/ruby #964
- ➕ Adds support for Turbo with appropriate status codes #965
- Adds unique constraints on
remember_token
andconfirmation_token
#966 - 🔧 Allows
user_parameter
to be configuration, e.g.params[:custom_id]
instead ofparams[:user_id]
#782 (Bryan Marble) - 📚 Updates SignInGuard documentation #950 (Matthew LS)
- Forward options in redirect_back_or helper (#968) (Matthew LS)
- ➕ Add configuration option to disable sign in after password reset (#969) (Till Prochaska)
-
v2.5.0 Changes
September 10, 2021🛠 Fixed
- 🛠 Fix open redirect vulnerability
🔄 Changed
- 0️⃣ Rename default branch to
main
-
v2.4.0 Changes
March 05, 2021➕ Added
- Optionally use signed cookies to prevent remember token timing attacks
-
v2.3.1 Changes
March 05, 2021🛠 Fixed
- Support for accessing Rails 6.x primary_key_type in generator.
- 🛠 Fix password reset URLs when using a custom model
- 🛠 Fix flaky test that relied on too specific time delta
- ⏪ Revert case sensitivity for email uniqueness
- 🔒 Bump nokogiri and actionview dependencies to address security vulnerabilities
-
v2.3.0 Changes
August 14, 20202.3.0 - August 14, 2020
🛠 Fixed
- ✂ Delete cookie correctly when a callable object is set as the custom domain
setting. - Strip
as
parameter when signing in through the back door. - ✂ Remove broken autoload for deprecated password strategies.
🔄 Changed
- Deliver password reset email inline rather than in the background.
- ✂ Remove unnecessary unsafe interpolation in erb templates.
- ✂ Delete cookie correctly when a callable object is set as the custom domain
-
v2.2.1 Changes
August 07, 2020🛠 Fixed
- 🌲 Prevent user enumeration by timing attacks. Trying to log in with an unrecognized email address will now take the same amount of time as for a user that does exist in the system.
-
v2.2.0 Changes
July 09, 2020➕ Added
- ➕ Add an Argon2 password strategy
🛠 Fixed
- 🗄 Use strings instead of classes on guard classes, avoids Rails deprecation warning.
- 💅 Use
find_by
style for finders, improves neo4j support - 🚅 Provide explicit case sensitivity option for email uniqueness, avoid Rails deprecation warning.
-
v2.1.0 Changes
December 19, 2019➕ Added
- ➕ Add a
parent_controller
configuration option to specify the controller that Clearance'sBaseController
will inherit from. Defaults to a value ofApplicationController
. - Use the configured
primary_key_type
from the Active Record settings of the project including Clearance, if it is set, while generating migrations. For example, a setting of:uuid
in a Rails app using Clearance will cause the clearance-generated migrations to use this for theusers
table id type.
🛠 Fixed
- ✂ Delete cookies correctly when a custom domain setting is being used.
- Do not set the authorization cookie on requests which did not exercise the authorization code. Reduces the chances of leaving an auth cookie in a publicly cacheable page that didn't require authorization to access.
🔄 Changed
- ⚡️ Update the
email_validator
gem to a newer version embrace the more relaxed email validation options which it now defaults to. - When a password reset request is submitted without an email address, a flash alert is now provided. Previously this continued silently as though it had worked. We still proceed that way when there is an invalid (but present) value, so as not to reveal existent vs. non-existent emails in the database.
✂ Removed
- ✂ Remove an unused route to
passwords#create
nested underusers
. - No longer include the (rarely used in practice) application layout as part of the views installer; but continue to provide some stock sign-in/out and flash partial code in the gem installation README output.
🗄 Deprecated
- Remove the existing deprecation notice around the
rotate_csrf_on_sign_in
setting, and make that setting default to true.
- ➕ Add a
-
v2.0.0 Changes
November 12, 2019➕ Added
- ➕ Add support for Rails version 6
- 👍 Allow
cookie_domain
to be configured with a lambda for custom configuration - ➕ Add ability to configure BCrypt computational cost of hash calculation.
- ➕ Add
same_site
configuration option for increased CSRF protection.
🛠 Fixed
- 🛠 Fix issue where invalid params could raise
NoMethodError
when updating and resetting passwords. - 🚅 The backdoor auth mechanism now supports scenarios where
Rails.env
has been configured via env variables other thanRAILS_ENV
(RACK_ENV
for example).
✂ Removed
- ✂ Removed support for Ruby versions older than 2.4
- ✂ Removed support for Rails versions older than 5.0
- ✂ Removed all deprecated code from Clearance 1.x
🔄 Changed
- Flash messages now use
flash[:alert]
rather thanflash[:notice]
as they were used as errors more often than notices.
-
v1.17.0 Changes
April 11, 2019🔄 Changed
- ⚡️ Update the
HttpOnly
cookie setting for the remember token to default to
true, which prevents the value from being available to JavaScript. - ➕ Add configuration option to allow the auth backdoor to work in specified
✅ environments (defaults totest
,development
,ci
).
- ⚡️ Update the