All Versions
Latest Version
Avg Release Cycle
100 days
Latest Release
921 days ago

Changelog History
Page 1

  • v4.8.1 Changes

    December 16, 2021
    • โœจ enhancements
      • Add support for Rails 7.0. Please note that Turbo integration is not fully supported by Devise yet.
  • v4.8.0 Changes

    April 29, 2021
    • โœจ enhancements

      • Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in their release notes. Devise's OmniAuth Overview wiki was also updated to cover OmniAuth 2.0 requirements.
      • Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to method: :post, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use method: :post, or changed to use buttons (e.g. button_to) to work with OmniAuth 2. (if you're using links with method: :post, make sure your app has rails-ujs or jquery-ujs included in order for these links to work properly.)
      • As part of the OmniAuth 2.0 upgrade you might also need to add the omniauth-rails_csrf_protection gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info.
      • Introduce Lockable#reset_failed_attempts! model method to reset failed attempts counter to 0 after the user signs in.
      • This logic existed inside the lockable warden hook and is triggered automatically after the user signs in. The new model method is an extraction to allow you to override it in the application to implement things like switching to a write database if you're using the new multi-DB infrastructure from Rails for example, similar to how it's already possible with Trackable#update_tracked_fields!.
      • Add support for Ruby 3.
      • Add support for Rails 6.1.
      • Move CI to GitHub Actions.
    • ๐Ÿ—„ deprecations

      • Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION is deprecated in favor of Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION (@hanachin)
  • v4.7.3 Changes

    September 20, 2020
    • ๐Ÿ› bug fixes
      • Do not modify :except option given to #serializable_hash. (by @dpep)
      • Fix thor deprecation when running the devise generator. (by @deivid-rodriguez)
      • Fix hanging tests for streaming controllers using Devise. (by @afn)
  • v4.7.2 Changes

    June 10, 2020
    • โœจ enhancements

      • Increase default stretches to 12 (by @sergey-alekseev)
      • Ruby 2.7 support (kwarg warnings removed)
    • ๐Ÿ› bug fixes

      • Generate scoped views with proper scoped errors partial (by @shobhitic)
      • Allow to set scoped already_authenticated error messages (by @gurgelrenan)
  • v4.7.1 Changes

    September 06, 2019
    • ๐Ÿ› bug fixes
      • Fix an edge case where records with a blank confirmation_token could be confirmed (by @tegon)
      • Fix typo inside update_needs_confirmation i18n key (by @lslm)
  • v4.7.0 Changes

    August 19, 2019
    • โœจ enhancements

      • Support Rails 6.0
      • Update CI to rails 6.0.0.beta3 (by @tunnes)
      • refactor method name to be more consistent (by @saiqulhaq)
      • Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)
    • ๐Ÿ› bug fixes

      • Add autocomplete="new-password" to password_confirmation fields (by @ferrl)
      • Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)
  • v4.6.2 Changes

    March 26, 2019
  • v4.6.1 Changes

    February 11, 2019
    • ๐Ÿ› bug fixes
      • Check if root_path is defined with #respond_to? instead of #present (by @tegon)
  • v4.6.0 Changes

    February 07, 2019
    • โœจ enhancements

      • Allow to skip email and password change notifications (by @iorme1)
      • Include the use of nil for allow_unconfirmed_access_for in the docs (by @joaumg)
      • Ignore useless files into the .gem file (by @huacnlee)
      • Explain the code that prevents enumeration attacks inside Devise::Strategies::DatabaseAuthenticatable (by @tegon)
      • Refactor the devise_error_messages! helper to render a partial (by @prograhamer)
      • Add an option (Devise.sign_in_after_change_password) to not automatically sign in a user after changing a password (by @knjko)
    • ๐Ÿ› bug fixes

      • Fix missing comma in Simple Form generator (by @colinross)
      • Fix error with migration generator in Rails 6 (by @oystersauce8)
      • Set encrypted_password to nil when password is set to nil (by @sivagollapalli)
      • Consider whether the request supports flash messages inside Devise::Controllers::Helpers#is_flashing_format? (by @colinross)
      • Fix typo inside Devise::Generators::ControllersGenerator (by @kopylovvlad)
      • Sanitize parameters inside Devise::Models::Authenticatable#find_or_initialize_with_errors (by @rlue)
      • #after_database_authentication callback was not called after authentication on password reset (by @kanmaniselvan)
      • Fix corner case when #confirmation_period_valid? was called at the same second as confirmation_sent_at was set. Mostly true for date types that only have second precisions. (by @stanhu)
      • Fix unclosed li tag in error_messages partial (by @mracos)
      • Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
      • Make #increment_failed_attempts concurrency safe (by @tegon)
      • Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
    • ๐Ÿ—„ deprecations

      • The second argument of DatabaseAuthenticatable's #update_with_password and #update_without_password is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
      • The DeviseHelper.devise_error_messages! is deprecated and will be removed in the next major version. Use the devise/shared/error_messages partial instead. (by @mracos)
  • v4.5.0 Changes

    August 15, 2018
    • โœจ enhancements

      • Use before_action instead of before_filter (by @edenthecat)
      • Allow people to extend devise failure app, through invoking ActiveSupport.run_load_hooks once Devise::FailureApp is loaded (by @wnm)
      • Use update instead of update_attributes (by @koic)
      • Split IP resolution from update_tracked_fields (by @mckramer)
      • upgrade dependencies for rails and responders (by @lancecarlson)
      • Add autocomplete="new-password" to new password fields (by @gssbzn)
      • Add autocomplete="current-password" to current password fields (by @gssbzn)
      • Remove redundant self from database_authenticatable module (by @abhishekkanojia)
      • Update simple_form templates with changes from and (by @gssbzn)
      • Remove :trackable from the default modules in the generators, to be more GDPR-friendly (by @fakenine)
    • ๐Ÿ› bug fixes

      • Use same string on failed login regardless of whether account exists when in paranoid mode (by @TonyMK9068)
      • Fix error when params is not a hash inside Devise::ParameterSanitizer (by @b0nn1e)
      • Look for secret_key_base inside Rails.application (by @gencer)
      • Ensure Devise::ParameterFilter does not add missing keys when called with a hash that has a default / default_proc ๐Ÿ”ง configured (by @joshpencheon)
      • Adds is_navigational_format? check to after_sign_up_path_for to keep consistency (by @iorme1)