Clearance

Rails authentication with email & password.

v2.7.0

4 weeks ago

2.7.0 - April 19, 2024

Added

  • Call dynamic README workflow (#1004)
  • Add configuration options for failure method redirects (#1002) Dan Sharp

Fixed

  • Update specs to match on translations (#1015)

Removed

  • Drop Ruby 2.76 and Rails 6.0 (#1005)

Thank you to our community contributor Dan Sharp (@drsharp)!

v2.6.2

4 months ago

2.6.2 - January 15, 2024

Added

  • Add CODEOWNERS file (#994)
  • Add support for Rails 7.1 (#995) Samuel Giddens
  • Add Ruby 3.2.2 to testing matrix (#991)

Fixed

  • Fix typo in Clearance::Token docs (#1000) Gabe Berke-Williams
  • Fix for setup & CI for Rails 7.1 support, update "MiniTest" to "Minitest", add handling for different versions of Rack::Utils.set_cookie_header!, remove deprecated active record handling in application.rb (#998)
  • Fix broken thoughtbot logo on README.md

Changed

  • Replace mentions of NEWS.md with CHANGELOG.md (#982)
  • Update argon2 to v2.2.0 (#989) Georg Leciejewski
  • Prefer literal hash creation notation (#984) Ivan Marynych

Thank you to our community contributors Samuel (@segiddins), Georg (@schorsch), Ivan (@loqimean), Gabe (@gabebw)!

v2.6.1

1 year ago

2.6.1 - September 23, 2022

  • Document how to report security issues
  • Only update the env["QUERY_STRING"] if the as parameter is present in backdoor middleware

v2.5.0

2 years ago

2.5.0 - September 10, 2021

Fixed

  • Fix open redirect vulnerability

Changed

  • Rename default branch to main

v2.4.0

3 years ago

2.4.0 - March 5, 2021

Added

  • Optionally use signed cookies to prevent remember token timing attacks. Big thank you to @gingerlime!

v2.3.1

3 years ago

Fixed

  • Support for accessing Rails 6.x primary_key_type in generator.
  • Fix password reset URLs when using a custom model
  • Fix flaky test that relied on too specific time delta
  • Revert case sensitivity for email uniqueness
  • Bump nokogiri and actionview dependencies to address security vulnerabilities

v2.3.0

3 years ago

2.3.0 - August 14, 2020

Fixed

  • Delete cookie correctly when a callable object is set as the custom domain setting.
  • Strip as parameter when signing in through the back door.
  • Remove broken autoload for deprecated password strategies.

Changed

  • Deliver password reset email inline rather than in the background.
  • Remove unnecessary unsafe interpolation in erb templates.

v2.2.1

3 years ago

Fixed

  • Prevent user enumeration by timing attacks. Trying to log in with an unrecognized email address will now take the same amount of time as for a user that does exist in the system.
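The shape of this fix, as an added example that is not Clearance's own code: before the change, an unknown email returns before any password hashing runs, so that branch is measurably faster than the branch for an existing account; after it, the (slow) password check always runs, against a precomputed throwaway hash when no account exists, so both branches cost about the same. Stdlib PBKDF2 stands in for the bcrypt/argon2 strategies the gem actually uses, and Hasher, Authenticator and SAMPLE_USERS are hypothetical names introduced here.

```ruby
require "openssl"
require "securerandom"

# Stand-in password hasher built on stdlib PBKDF2 so the example runs without
# gems (assumption: Clearance's real strategies use bcrypt or argon2; the
# shape of the fix is the same for any slow hash).
module Hasher
  ITERATIONS = 20_000

  class << self
    # Number of times verify has run; exposed only to demonstrate that the
    # hardened path does the same work whether or not the email is known.
    attr_accessor :verifications

    def hash_password(password, salt = SecureRandom.hex(16))
      "#{salt}$#{derive(password, salt)}"
    end

    def verify(encrypted, password)
      self.verifications = verifications.to_i + 1
      salt, expected = encrypted.split("$", 2)
      secure_compare(derive(password, salt), expected)
    end

    private

    def derive(password, salt)
      OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                               length: 32, hash: "sha256").unpack1("H*")
    end

    # Constant-time comparison of two equal-length hex digests.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
  end
end

class Authenticator
  # users: { email => encrypted_password }. A hash of a random throwaway
  # password is precomputed once so unknown emails have something to compare.
  def initialize(users)
    @users = users
    @dummy = Hasher.hash_password(SecureRandom.hex(16))
  end

  # Before the fix: an unknown email returns before any hashing, so that
  # branch is measurably faster and leaks whether the account exists.
  def authenticate_early_return(email, password)
    encrypted = @users[email.to_s.downcase]
    return nil unless encrypted
    Hasher.verify(encrypted, password) ? email : nil
  end

  # After the fix: the password check always runs, against the dummy hash
  # when no account exists, so both branches cost about the same. The result
  # for an unknown email is still nil; only the timing changes.
  def authenticate_constant_work(email, password)
    encrypted = @users[email.to_s.downcase]
    matched = Hasher.verify(encrypted || @dummy, password)
    encrypted && matched ? email : nil
  end

  # Wall-clock seconds for one attempt; handy for eyeballing the difference.
  def elapsed(method_name, email, password)
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    public_send(method_name, email, password)
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
  end
end

# Constructed sample account; not real data.
SAMPLE_USERS = { "alice@example.com" => Hasher.hash_password("correct horse battery staple") }.freeze

if __FILE__ == $PROGRAM_NAME
  auth = Authenticator.new(SAMPLE_USERS)
  %i[authenticate_early_return authenticate_constant_work].each do |m|
    known = auth.elapsed(m, "alice@example.com", "wrong password")
    unknown = auth.elapsed(m, "nobody@example.com", "wrong password")
    printf("%-28s known=%.4fs unknown=%.4fs\n", m, known, unknown)
  end
end
```

Running the file prints one timing pair per method; the early-return variant shows the unknown-email attempt finishing far faster than the known-email one, while the constant-work variant keeps them close. The dummy hash is generated once per process rather than per request so the extra cost is only the verification itself, which is what the existing-account branch already pays.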

v2.2.0

3 years ago

Added

  • Add an Argon2 password strategy

Fixed

  • Use strings instead of classes for guard classes, avoiding a Rails deprecation warning.
  • Use find_by-style finders, improving neo4j support.
  • Provide an explicit case sensitivity option for email uniqueness, avoiding a Rails deprecation warning.

v2.1.0

4 years ago

Added

  • Add a parent_controller configuration option to specify the controller that Clearance's BaseController will inherit from. Defaults to a value of ApplicationController.
  • Use the configured primary_key_type from the Active Record settings of the project including Clearance, if it is set, while generating migrations. For example, a setting of :uuid in a Rails app using Clearance will cause the clearance-generated migrations to use this for the users table id type.

Fixed

  • Delete cookies correctly when a custom domain setting is being used.
  • Do not set the authorization cookie on requests which did not exercise the authorization code. Reduces the chances of leaving an auth cookie in a publicly cacheable page that didn't require authorization to access.

Changed

  • Update the email_validator gem to a newer version and embrace the more relaxed email validation options it now defaults to.
  • When a password reset request is submitted without an email address, a flash alert is now provided. Previously this continued silently as though it had worked. We still proceed that way when there is an invalid (but present) value, so as not to reveal existent vs. non-existent emails in the database.

Removed

  • Remove an unused route to passwords#create nested under users.
  • No longer include the (rarely used in practice) application layout as part of the views installer; but continue to provide some stock sign-in/out and flash partial code in the gem installation README output.

Deprecated

  • Remove the existing deprecation notice around the rotate_csrf_on_sign_in setting, and make that setting default to true.