codeword 0.2.0.beta4 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb390e385a9ce1fe7f4e8f987be5e02d1542795d209d74d282887f93cbc03c33
-  data.tar.gz: 9f53cfbc92b062d4c531d025535f93213ac7bebed588233aa37b7c7036501764
+  metadata.gz: edc4c98d1d7d4aaeecc0e2d0b7afcb8a532753e057ae77998f804d4fc74203b7
+  data.tar.gz: 0abf677be13b090ab310441dd01e07b403fe7296b747f92b8729dc87cc1b21d1
 SHA512:
-  metadata.gz: 966df1e8a10079976ff0efe940935c67a634ae0de335d702e6c74a8af314d88c18d1beb97edf7dbdeb93e09e1c5e305ed355ae898a1799879d33c701b019cc5b
-  data.tar.gz: a62f1f572a373e268f661bfedfab93049f85ec034d07547735a7b5049d8920defd71a82aad11dba4137ae905278c3de4500eb94c4225ddefe2ce2b35aa0a3f97
+  metadata.gz: bd5f76a4bd9cc4560fb55d2645bbe6229c00fec7a9969b003835ef85927ede1fac0eb27dcc918fe626671643e64d5e1cd2ee448379b4f5209e42deab498e70b4
+  data.tar.gz: 24e3c1cddb91cf2a2f08582fbde8184b81abcdf96c29fb70c10fcbcba2dcadd281a53c5e931eda35f25cb66bef32e878c121da4cd9c45f5d8f402d28f5e183c9

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-## [Unreleased]
+## [0.2.0] - 2025-09-25
 
 - BREAKING: Only support namespaced Rails credentials under `codeword` (e.g. `codeword.codeword`, `codeword.hint`, `codeword.cookie_lifetime_in_weeks`)
 - BREAKING: Drop support for Rails < 7.2
@@ -11,6 +11,8 @@
 - `codeword_cookie_lifetime` now returns an `ActiveSupport::Duration`; cookie expiry uses `from_now`
 - Updated crawler detection regex (removed duplicate `spider` and generic `click` token)
 
+Migration: see [UPGRADE-0.2.md](./UPGRADE-0.2.md) for steps to upgrade from 0.1.x to 0.2.0.
+
 ## [0.1.1] - 2021-12-17
 
 - Fix unlocks

data/UPGRADE-0.2.md

@@ -0,0 +1,51 @@
+# Migrating from 0.1.x to 0.2.0
+
+This guide walks you through the changes required to upgrade from 0.1.x to 0.2.0.
+
+## TL;DR checklist
+
+- Update to Rails >= 7.2.
+- Move credentials to the namespaced structure under `codeword`.
+- Ensure controllers use `require_codeword!` (and skip it only where access is allowed).
+- Stop relying on external `return_to` redirects; they are blocked now.
+
+## 1) Credentials: namespaced only
+
+Codeword now reads credentials only from the namespaced structure:
+
+```yml
+# config/credentials.yml.enc
+codeword:
+  codeword: "love"
+  hint: "Pepé Le Pew"
+  cookie_lifetime_in_weeks: 4
+```
+
+- Non‑namespaced keys like `codeword_hint:` at the root are no longer read.
+- Environment variable fallbacks still work: `ENV['CODEWORD']`, `ENV['CODEWORD_HINT']`, `ENV['COOKIE_LIFETIME_IN_WEEKS']`.
+
+## 2) Controller hook rename and usage
+
+- Use `require_codeword!` to enforce the codeword gate.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Codeword::Authentication
+  before_action :require_codeword!
+end
+```
+
+- Skip it only for controllers/actions you want to allow without the codeword:
+
+```ruby
+class APIController < ApplicationController
+  skip_before_action :require_codeword!
+end
+```
+
+- The old `check_for_codeword` name is deprecated; switch to `require_codeword!`.
+
+## 3) Redirect hardening (open redirects)
+
+- After a successful unlock, external `return_to` URLs are no longer allowed. Redirects now use `allow_other_host: false` and will fall back to the root path if unsafe.
+- If you previously depended on redirecting to external domains, move that flow behind your own internal path and perform external navigation server‑side or client‑side after the unlock.

data/lib/codeword/version.rb

@@ -1,3 +1,3 @@
 module Codeword
-  VERSION = '0.2.0.beta4'.freeze
+  VERSION = '0.2.0'.freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codeword
 version: !ruby/object:Gem::Version
-  version: 0.2.0.beta4
+  version: 0.2.0
 platform: ruby
 authors:
 - Dan Kim
@@ -95,6 +95,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- UPGRADE-0.2.md
 - app/controllers/codeword/application_controller.rb
 - app/controllers/codeword/codeword_controller.rb
 - app/helpers/codeword/application_helper.rb