RubyGems - devise-two-factor - Versions diffs - 2.2.1 → 3.0.0 - Mend

devise-two-factor 2.2.1 → 3.0.0

Potentially problematic release.

This version of devise-two-factor might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/.travis.yml +0 -1
data/CHANGELOG.md +42 -0
data/README.md +14 -0
data/devise-two-factor.gemspec +1 -1
data/lib/devise_two_factor/version.rb +1 -1
metadata +5 -4
metadata.gz.sig +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7733242048c6e6912c7768974ae43ad710aee326
-  data.tar.gz: 4148cd6ab0a90308fd07f98ba395982b7ffc098d
+  metadata.gz: 4b3b5de2fc272e8a4cb6efed6a5767d5ebf98b7a
+  data.tar.gz: b9f07dd6665d994fc78c3fca5baf074a2a7ecdbd
 SHA512:
-  metadata.gz: a6b74254dd5c556c532070905ee2075c66fe43dc9b41c4121b57f15ed971f7239aa85e663526f72e1aa36dd3e7d76e06b3d8897985f62e103f11cb41dc3280f0
-  data.tar.gz: e35807622d16188854d134cd7365e53ed2a616757e2baa38a808e4444bcbd891a90c665ab07b6c7b186a635124db4f7f1c83161caaa2e1d8044c13c6d99273ec
+  metadata.gz: fdd8ddf024c2d4d336026262ea27c9660df54d6363c3aff582c500e76ae7b8bc136d1cf3f048527b5e95c899af04dc1ae4fb4c91e4323c5b47aeb6fe922df98d
+  data.tar.gz: 11b3e866530264a4c3779fc49150df1de42658e7ead17496844d7f667d6d033c5c5fb7808d50df62a0a7afdc265e6d442f31d55ac2188d9f330662545d5c37f7

checksums.yaml.gz.sig CHANGED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/.travis.yml CHANGED

@@ -5,7 +5,6 @@ before_install:
   - gem update --system
   - gem update bundler
 rvm:
-  - "2.0.0"
   - "2.1"
   - "2.2"
   - "2.3.0"

data/CHANGELOG.md ADDED

@@ -0,0 +1,42 @@
+# CHANGELOG
+## Unreleased
+## 3.0.0
+See `UPGRADING.md` for specific help with breaking changes from 2.x to 3.0.0.
+- Adds support for Devise 4.
+- Relax dependencies to allow attr_encrypted 3.x.
+- Blocks the use of attr_encrypted 2.x. There was a significant vulnerability in the encryption implementation in attr_encrypted 2.x, and that version of the gem should not be used.
+## 2.2.0
+- Use 192 bits, not 1024, as a secret key length. RFC 4226 recommends a minimum length of 128 bits and a recommended length of 160 bits. Google Authenticator doesn't accept 160 bit keys.
+## 2.1.0
+- Return false if OTP value is nil, instead of an ROTP exception.
+## 2.0.1
+No user-facing changes.
+## 2.0.0
+See `UPGRADING.md` for specific help with breaking changes from 1.x to 2.0.0.
+- Replace `valid_otp?` method with `validate_and_consume_otp!`.
+- Disallow subsequent OTPs once validated via timesteps.
+## 1.1.0
+- Removes runtimez activemodel dependency.
+- Uses `Devise::Encryptor` instead of `Devise.bcrypt`, which is deprecated.
+- Bump `rotp` dependency to 2.x.
+## 1.0.2
+- Makes Railties the only requirement for Rails generators.
+- Explicitly check that the `otp_attempt` param is not nil in order to avoid 'ROTP only verifies strings' exceptions.
+- Adding warning about recoverable devise strategy and automatic `sign_in` after a password reset.
+- Loosen dependency version requirements for rotp, devise, and attr_encrypted.
+## 1.0.1
+- Add version requirements for dependencies.
+## 1.0.0
+- Initial release.

data/README.md CHANGED

@@ -68,6 +68,20 @@ def configure_permitted_parameters
 end
 ```
+If you're running Devise 4.0.0 or above, you'll want to use `.permit` instead:
+```ruby
+before_action :configure_permitted_parameters, if: :devise_controller?
+...
+protected
+def configure_permitted_parameters
+  devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+end
+```
 **After running the generator, verify that :database_authenticatable is not being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. Loading both :database_authenticatable and `:two_factor_authenticatable` in a model will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies.**
 ## Designing Your Workflow

data/devise-two-factor.gemspec CHANGED

@@ -27,7 +27,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'railties'
   s.add_runtime_dependency 'activesupport'
   s.add_runtime_dependency 'attr_encrypted', '>= 1.3', '< 4', '!= 2'
-  s.add_runtime_dependency 'devise',         '~> 3.5'
+  s.add_runtime_dependency 'devise',         '~> 4.0'
   s.add_runtime_dependency 'rotp',           '~> 2.0'
   s.add_development_dependency 'activemodel'

data/lib/devise_two_factor/version.rb CHANGED

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-   VERSION = '2.2.1'.freeze
+   VERSION = '3.0.0'.freeze
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Shane Wilton
@@ -84,7 +84,7 @@ cert_chain:
   5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
   cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
   -----END CERTIFICATE-----
-date: 2016-05-11 00:00:00.000000000 Z
+date: 2016-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -146,14 +146,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: rotp
   requirement: !ruby/object:Gem::Requirement
@@ -261,6 +261,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE

metadata.gz.sig CHANGED

Binary file