devise 3.5.10 → 4.8.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (258) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +279 -1126
  3. data/MIT-LICENSE +2 -1
  4. data/README.md +291 -97
  5. data/app/controllers/devise/confirmations_controller.rb +3 -1
  6. data/app/controllers/devise/omniauth_callbacks_controller.rb +8 -6
  7. data/app/controllers/devise/passwords_controller.rb +7 -4
  8. data/app/controllers/devise/registrations_controller.rb +39 -18
  9. data/app/controllers/devise/sessions_controller.rb +9 -7
  10. data/app/controllers/devise/unlocks_controller.rb +4 -2
  11. data/app/controllers/devise_controller.rb +25 -12
  12. data/app/helpers/devise_helper.rb +23 -18
  13. data/app/mailers/devise/mailer.rb +10 -4
  14. data/app/views/devise/confirmations/new.html.erb +2 -2
  15. data/app/views/devise/mailer/email_changed.html.erb +7 -0
  16. data/app/views/devise/passwords/edit.html.erb +3 -3
  17. data/app/views/devise/passwords/new.html.erb +2 -2
  18. data/app/views/devise/registrations/edit.html.erb +9 -5
  19. data/app/views/devise/registrations/new.html.erb +4 -4
  20. data/app/views/devise/sessions/new.html.erb +4 -4
  21. data/app/views/devise/shared/_error_messages.html.erb +15 -0
  22. data/app/views/devise/shared/_links.html.erb +8 -8
  23. data/app/views/devise/unlocks/new.html.erb +2 -2
  24. data/config/locales/en.yml +5 -2
  25. data/lib/devise.rb +57 -40
  26. data/lib/devise/controllers/helpers.rb +30 -27
  27. data/lib/devise/controllers/rememberable.rb +3 -1
  28. data/lib/devise/controllers/scoped_views.rb +2 -0
  29. data/lib/devise/controllers/sign_in_out.rb +39 -14
  30. data/lib/devise/controllers/store_location.rb +25 -7
  31. data/lib/devise/controllers/url_helpers.rb +3 -1
  32. data/lib/devise/delegator.rb +2 -0
  33. data/lib/devise/encryptor.rb +6 -4
  34. data/lib/devise/failure_app.rb +75 -38
  35. data/lib/devise/hooks/activatable.rb +2 -0
  36. data/lib/devise/hooks/csrf_cleaner.rb +2 -0
  37. data/lib/devise/hooks/forgetable.rb +2 -0
  38. data/lib/devise/hooks/lockable.rb +4 -2
  39. data/lib/devise/hooks/proxy.rb +3 -1
  40. data/lib/devise/hooks/rememberable.rb +2 -0
  41. data/lib/devise/hooks/timeoutable.rb +4 -2
  42. data/lib/devise/hooks/trackable.rb +2 -0
  43. data/lib/devise/mailers/helpers.rb +7 -4
  44. data/lib/devise/mapping.rb +3 -1
  45. data/lib/devise/models.rb +3 -1
  46. data/lib/devise/models/authenticatable.rb +63 -33
  47. data/lib/devise/models/confirmable.rb +90 -29
  48. data/lib/devise/models/database_authenticatable.rb +93 -22
  49. data/lib/devise/models/lockable.rb +19 -5
  50. data/lib/devise/models/omniauthable.rb +2 -0
  51. data/lib/devise/models/recoverable.rb +33 -21
  52. data/lib/devise/models/registerable.rb +4 -0
  53. data/lib/devise/models/rememberable.rb +6 -11
  54. data/lib/devise/models/timeoutable.rb +2 -0
  55. data/lib/devise/models/trackable.rb +15 -1
  56. data/lib/devise/models/validatable.rb +10 -3
  57. data/lib/devise/modules.rb +2 -0
  58. data/lib/devise/omniauth.rb +4 -5
  59. data/lib/devise/omniauth/config.rb +2 -0
  60. data/lib/devise/omniauth/url_helpers.rb +14 -5
  61. data/lib/devise/orm/active_record.rb +5 -1
  62. data/lib/devise/orm/mongoid.rb +6 -2
  63. data/lib/devise/parameter_filter.rb +4 -0
  64. data/lib/devise/parameter_sanitizer.rb +139 -65
  65. data/lib/devise/rails.rb +7 -16
  66. data/lib/devise/rails/deprecated_constant_accessor.rb +39 -0
  67. data/lib/devise/rails/routes.rb +48 -37
  68. data/lib/devise/rails/warden_compat.rb +3 -10
  69. data/lib/devise/secret_key_finder.rb +27 -0
  70. data/lib/devise/strategies/authenticatable.rb +3 -1
  71. data/lib/devise/strategies/base.rb +2 -0
  72. data/lib/devise/strategies/database_authenticatable.rb +11 -4
  73. data/lib/devise/strategies/rememberable.rb +2 -0
  74. data/lib/devise/test/controller_helpers.rb +167 -0
  75. data/lib/devise/test/integration_helpers.rb +63 -0
  76. data/lib/devise/test_helpers.rb +7 -124
  77. data/lib/devise/time_inflector.rb +2 -0
  78. data/lib/devise/token_generator.rb +3 -41
  79. data/lib/devise/version.rb +3 -1
  80. data/lib/generators/active_record/devise_generator.rb +46 -12
  81. data/lib/generators/active_record/templates/migration.rb +4 -2
  82. data/lib/generators/active_record/templates/migration_existing.rb +4 -2
  83. data/lib/generators/devise/controllers_generator.rb +3 -1
  84. data/lib/generators/devise/devise_generator.rb +5 -3
  85. data/lib/generators/devise/install_generator.rb +18 -5
  86. data/lib/generators/devise/orm_helpers.rb +10 -21
  87. data/lib/generators/devise/views_generator.rb +8 -9
  88. data/lib/generators/mongoid/devise_generator.rb +7 -5
  89. data/lib/generators/templates/README +9 -8
  90. data/lib/generators/templates/controllers/confirmations_controller.rb +2 -0
  91. data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +3 -1
  92. data/lib/generators/templates/controllers/passwords_controller.rb +2 -0
  93. data/lib/generators/templates/controllers/registrations_controller.rb +6 -4
  94. data/lib/generators/templates/controllers/sessions_controller.rb +4 -2
  95. data/lib/generators/templates/controllers/unlocks_controller.rb +2 -0
  96. data/lib/generators/templates/devise.rb +63 -21
  97. data/lib/generators/templates/markerb/email_changed.markerb +7 -0
  98. data/lib/generators/templates/markerb/password_change.markerb +2 -2
  99. data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +5 -1
  100. data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +10 -2
  101. data/lib/generators/templates/simple_form_for/passwords/new.html.erb +4 -1
  102. data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +11 -3
  103. data/lib/generators/templates/simple_form_for/registrations/new.html.erb +11 -3
  104. data/lib/generators/templates/simple_form_for/sessions/new.html.erb +7 -2
  105. data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +4 -1
  106. metadata +19 -317
  107. data/.gitignore +0 -10
  108. data/.travis.yml +0 -44
  109. data/.yardopts +0 -9
  110. data/CODE_OF_CONDUCT.md +0 -22
  111. data/CONTRIBUTING.md +0 -16
  112. data/Gemfile +0 -30
  113. data/Gemfile.lock +0 -187
  114. data/Rakefile +0 -36
  115. data/devise.gemspec +0 -27
  116. data/devise.png +0 -0
  117. data/gemfiles/Gemfile.rails-3.2-stable +0 -29
  118. data/gemfiles/Gemfile.rails-3.2-stable.lock +0 -172
  119. data/gemfiles/Gemfile.rails-4.0-stable +0 -30
  120. data/gemfiles/Gemfile.rails-4.0-stable.lock +0 -166
  121. data/gemfiles/Gemfile.rails-4.1-stable +0 -30
  122. data/gemfiles/Gemfile.rails-4.1-stable.lock +0 -171
  123. data/gemfiles/Gemfile.rails-4.2-stable +0 -30
  124. data/gemfiles/Gemfile.rails-4.2-stable.lock +0 -193
  125. data/script/cached-bundle +0 -49
  126. data/script/s3-put +0 -71
  127. data/test/controllers/custom_registrations_controller_test.rb +0 -40
  128. data/test/controllers/custom_strategy_test.rb +0 -62
  129. data/test/controllers/helper_methods_test.rb +0 -21
  130. data/test/controllers/helpers_test.rb +0 -316
  131. data/test/controllers/inherited_controller_i18n_messages_test.rb +0 -51
  132. data/test/controllers/internal_helpers_test.rb +0 -129
  133. data/test/controllers/load_hooks_controller_test.rb +0 -19
  134. data/test/controllers/passwords_controller_test.rb +0 -31
  135. data/test/controllers/sessions_controller_test.rb +0 -103
  136. data/test/controllers/url_helpers_test.rb +0 -65
  137. data/test/delegator_test.rb +0 -19
  138. data/test/devise_test.rb +0 -107
  139. data/test/failure_app_test.rb +0 -315
  140. data/test/generators/active_record_generator_test.rb +0 -109
  141. data/test/generators/controllers_generator_test.rb +0 -48
  142. data/test/generators/devise_generator_test.rb +0 -39
  143. data/test/generators/install_generator_test.rb +0 -13
  144. data/test/generators/mongoid_generator_test.rb +0 -23
  145. data/test/generators/views_generator_test.rb +0 -103
  146. data/test/helpers/devise_helper_test.rb +0 -49
  147. data/test/integration/authenticatable_test.rb +0 -729
  148. data/test/integration/confirmable_test.rb +0 -324
  149. data/test/integration/database_authenticatable_test.rb +0 -95
  150. data/test/integration/http_authenticatable_test.rb +0 -105
  151. data/test/integration/lockable_test.rb +0 -239
  152. data/test/integration/omniauthable_test.rb +0 -135
  153. data/test/integration/recoverable_test.rb +0 -347
  154. data/test/integration/registerable_test.rb +0 -359
  155. data/test/integration/rememberable_test.rb +0 -214
  156. data/test/integration/timeoutable_test.rb +0 -184
  157. data/test/integration/trackable_test.rb +0 -92
  158. data/test/mailers/confirmation_instructions_test.rb +0 -115
  159. data/test/mailers/reset_password_instructions_test.rb +0 -96
  160. data/test/mailers/unlock_instructions_test.rb +0 -91
  161. data/test/mapping_test.rb +0 -134
  162. data/test/models/authenticatable_test.rb +0 -23
  163. data/test/models/confirmable_test.rb +0 -511
  164. data/test/models/database_authenticatable_test.rb +0 -269
  165. data/test/models/lockable_test.rb +0 -350
  166. data/test/models/omniauthable_test.rb +0 -7
  167. data/test/models/recoverable_test.rb +0 -251
  168. data/test/models/registerable_test.rb +0 -7
  169. data/test/models/rememberable_test.rb +0 -169
  170. data/test/models/serializable_test.rb +0 -49
  171. data/test/models/timeoutable_test.rb +0 -51
  172. data/test/models/trackable_test.rb +0 -41
  173. data/test/models/validatable_test.rb +0 -127
  174. data/test/models_test.rb +0 -153
  175. data/test/omniauth/config_test.rb +0 -57
  176. data/test/omniauth/url_helpers_test.rb +0 -54
  177. data/test/orm/active_record.rb +0 -10
  178. data/test/orm/mongoid.rb +0 -13
  179. data/test/parameter_sanitizer_test.rb +0 -81
  180. data/test/rails_app/Rakefile +0 -6
  181. data/test/rails_app/app/active_record/admin.rb +0 -6
  182. data/test/rails_app/app/active_record/shim.rb +0 -2
  183. data/test/rails_app/app/active_record/user.rb +0 -6
  184. data/test/rails_app/app/active_record/user_on_engine.rb +0 -7
  185. data/test/rails_app/app/active_record/user_on_main_app.rb +0 -7
  186. data/test/rails_app/app/active_record/user_without_email.rb +0 -8
  187. data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
  188. data/test/rails_app/app/controllers/admins_controller.rb +0 -6
  189. data/test/rails_app/app/controllers/application_controller.rb +0 -12
  190. data/test/rails_app/app/controllers/application_with_fake_engine.rb +0 -30
  191. data/test/rails_app/app/controllers/custom/registrations_controller.rb +0 -31
  192. data/test/rails_app/app/controllers/home_controller.rb +0 -25
  193. data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
  194. data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
  195. data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
  196. data/test/rails_app/app/controllers/users_controller.rb +0 -31
  197. data/test/rails_app/app/helpers/application_helper.rb +0 -3
  198. data/test/rails_app/app/mailers/users/from_proc_mailer.rb +0 -3
  199. data/test/rails_app/app/mailers/users/mailer.rb +0 -3
  200. data/test/rails_app/app/mailers/users/reply_to_mailer.rb +0 -4
  201. data/test/rails_app/app/mongoid/admin.rb +0 -29
  202. data/test/rails_app/app/mongoid/shim.rb +0 -23
  203. data/test/rails_app/app/mongoid/user.rb +0 -39
  204. data/test/rails_app/app/mongoid/user_on_engine.rb +0 -39
  205. data/test/rails_app/app/mongoid/user_on_main_app.rb +0 -39
  206. data/test/rails_app/app/mongoid/user_without_email.rb +0 -33
  207. data/test/rails_app/app/views/admins/index.html.erb +0 -1
  208. data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
  209. data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
  210. data/test/rails_app/app/views/home/index.html.erb +0 -1
  211. data/test/rails_app/app/views/home/join.html.erb +0 -1
  212. data/test/rails_app/app/views/home/private.html.erb +0 -1
  213. data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
  214. data/test/rails_app/app/views/layouts/application.html.erb +0 -24
  215. data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
  216. data/test/rails_app/app/views/users/index.html.erb +0 -1
  217. data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
  218. data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
  219. data/test/rails_app/bin/bundle +0 -3
  220. data/test/rails_app/bin/rails +0 -4
  221. data/test/rails_app/bin/rake +0 -4
  222. data/test/rails_app/config.ru +0 -4
  223. data/test/rails_app/config/application.rb +0 -40
  224. data/test/rails_app/config/boot.rb +0 -14
  225. data/test/rails_app/config/database.yml +0 -18
  226. data/test/rails_app/config/environment.rb +0 -5
  227. data/test/rails_app/config/environments/development.rb +0 -30
  228. data/test/rails_app/config/environments/production.rb +0 -84
  229. data/test/rails_app/config/environments/test.rb +0 -41
  230. data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
  231. data/test/rails_app/config/initializers/devise.rb +0 -180
  232. data/test/rails_app/config/initializers/inflections.rb +0 -2
  233. data/test/rails_app/config/initializers/secret_token.rb +0 -8
  234. data/test/rails_app/config/initializers/session_store.rb +0 -1
  235. data/test/rails_app/config/routes.rb +0 -125
  236. data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -71
  237. data/test/rails_app/db/schema.rb +0 -55
  238. data/test/rails_app/lib/shared_admin.rb +0 -17
  239. data/test/rails_app/lib/shared_user.rb +0 -29
  240. data/test/rails_app/lib/shared_user_without_email.rb +0 -26
  241. data/test/rails_app/lib/shared_user_without_omniauth.rb +0 -13
  242. data/test/rails_app/public/404.html +0 -26
  243. data/test/rails_app/public/422.html +0 -26
  244. data/test/rails_app/public/500.html +0 -26
  245. data/test/rails_app/public/favicon.ico +0 -0
  246. data/test/rails_test.rb +0 -9
  247. data/test/routes_test.rb +0 -264
  248. data/test/support/action_controller/record_identifier.rb +0 -10
  249. data/test/support/assertions.rb +0 -39
  250. data/test/support/helpers.rb +0 -77
  251. data/test/support/integration.rb +0 -92
  252. data/test/support/locale/en.yml +0 -8
  253. data/test/support/mongoid.yml +0 -6
  254. data/test/support/webrat/integrations/rails.rb +0 -24
  255. data/test/test_helper.rb +0 -34
  256. data/test/test_helpers_test.rb +0 -178
  257. data/test/test_models.rb +0 -33
  258. data/test/time_helpers.rb +0 -137
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 1c056db58a1f4a6a0a7732f2c856dde7e2ec4669
4
- data.tar.gz: 0374256e647f923a10ef261ae405f55123bdfed8
2
+ SHA256:
3
+ metadata.gz: 197ce185bf22b8dc45c17a615895b60e6b788360113c37d99a116db868197309
4
+ data.tar.gz: 8e3fa67c5bcd6c05ac3011e0b35f0cda57596ae74c2affceab84cab1da3aeb58
5
5
  SHA512:
6
- metadata.gz: cbac30ebe59bcc1aea16a7a9981677d71c2a361b4ece716fca6c594d4888130f583f7c6cf4c959278d189fba00a30fa2101c069fcb046609b020e2ddb3a61590
7
- data.tar.gz: 53c77b74f79ba50de083d8625f0b77578ca10d45e3037c7f7ce1a871412e8eb8f082d10f817ab83d297ca9f4247eb1f82d14f3ae77f2bf9ccf3483a1522fbfc0
6
+ metadata.gz: 8d3f76d9e898d36dc6eb4db5d5b098b76d339aeadac014c772b7097dc6a730a7577049bd00ea7a073beead47454edb91d24fe73b50e90af3555cc5e83886902f
7
+ data.tar.gz: 84cbafa77c70de3c204dfdf19e4ce53ac05796eaf959bba4d4909d0c91686baa6da61f732e13bce0892d8932af375d2b81340f6bd1047384f15325f8a24011e0
data/CHANGELOG.md CHANGED
@@ -1,1198 +1,351 @@
1
- ### 3.5.10 - 2016-05-15
1
+ ### unreleased
2
2
 
3
- * bug fixes
4
- * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
5
-
6
- ### 3.5.9 - 2016-05-02
7
-
8
- * bug fixes
9
- * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
10
- and `:undefined` strategies. (by @f3ndot)
3
+ ### 4.8.0 - 2021-04-29
11
4
 
12
- ### 3.5.8 - 2016-04-25
13
-
14
- * bug fixes
15
- * Fix the e-mail confirmation instructions send when a user updates the email address from nil
16
-
17
- ### 3.5.7 - 2016-04-18
5
+ * enhancements
6
+ * Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in [their release notes](https://github.com/omniauth/omniauth/releases/tag/v2.0.0). [Devise's OmniAuth Overview wiki](https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview) was also updated to cover OmniAuth 2.0 requirements.
7
+ - Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to `method: :post`, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use `method: :post`, or changed to use buttons (e.g. `button_to`) to work with OmniAuth 2. (if you're using links with `method: :post`, make sure your app has `rails-ujs` or `jquery-ujs` included in order for these links to work properly.)
8
+ - As part of the OmniAuth 2.0 upgrade you might also need to add the [`omniauth-rails_csrf_protection`](https://github.com/cookpad/omniauth-rails_csrf_protection) gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info.
9
+ * Introduce `Lockable#reset_failed_attempts!` model method to reset failed attempts counter to 0 after the user signs in.
10
+ - This logic existed inside the lockable warden hook and is triggered automatically after the user signs in. The new model method is an extraction to allow you to override it in the application to implement things like switching to a write database if you're using the new multi-DB infrastructure from Rails for example, similar to how it's already possible with `Trackable#update_tracked_fields!`.
11
+ * Add support for Ruby 3.
12
+ * Add support for Rails 6.1.
13
+ * Move CI to GitHub Actions.
18
14
 
19
- * bug fixes
20
- * Fix the `extend_remember_period` configuration. When set to `false` it does
21
- not update the cookie expiration anymore.(by @ulissesalmeida)
15
+ * deprecations
16
+ * `Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION` is deprecated in favor of `Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION` (@hanachin)
22
17
 
23
- ### 3.5.6 - 2016-01-02
18
+ ### 4.7.3 - 2020-09-20
24
19
 
25
20
  * bug fixes
26
- * Fix type coercion of the rememberable timestamp stored on cookies.
21
+ * Do not modify `:except` option given to `#serializable_hash`. (by @dpep)
22
+ * Fix thor deprecation when running the devise generator. (by @deivid-rodriguez)
23
+ * Fix hanging tests for streaming controllers using Devise. (by @afn)
27
24
 
28
- ### 3.5.5 - 2016-22-01
29
-
30
- * bug fixes
31
- * Bring back remember_expired? implementation
32
- * Ensure timeouts are not triggered if remember me is being used
25
+ ### 4.7.2 - 2020-06-10
33
26
 
34
- ### 3.5.4 - 2016-18-01
27
+ * enhancements
28
+ * Increase default stretches to 12 (by @sergey-alekseev)
29
+ * Ruby 2.7 support (kwarg warnings removed)
35
30
 
36
31
  * bug fixes
37
- * Store creation timestamps on remember cookies
32
+ * Generate scoped views with proper scoped errors partial (by @shobhitic)
33
+ * Allow to set scoped `already_authenticated` error messages (by @gurgelrenan)
38
34
 
39
- ### 3.5.3 - 2015-12-10
35
+ ### 4.7.1 - 2019-09-06
40
36
 
41
37
  * bug fixes
42
- * Fix password reset for records where `confirmation_required?` is disabled and
43
- `confirmation_sent_at` is nil. (by @andygeers)
44
- * Allow resources with no `email` field to be recoverable (and do not clear the
45
- reset password token if the model was already persisted). (by @seddy, @stanhu)
46
-
47
- * enhancements
48
- * Upon setting `Devise.send_password_change_notification = true` a user will receive notification when their password has been changed.
38
+ * Fix an edge case where records with a blank `confirmation_token` could be confirmed (by @tegon)
39
+ * Fix typo inside `update_needs_confirmation` i18n key (by @lslm)
49
40
 
50
- ### 3.5.2 - 2015-08-10
41
+ ### 4.7.0 - 2019-08-19
51
42
 
52
43
  * enhancements
53
- * Perform case insensitive basic authorization matching
44
+ * Support Rails 6.0
45
+ * Update CI to rails 6.0.0.beta3 (by @tunnes)
46
+ * refactor method name to be more consistent (by @saiqulhaq)
47
+ * Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)
54
48
 
55
49
  * bug fixes
56
- * Do not use digests for password confirmation token
57
- * Fix infinite redirect in Rails 4.2 authenticated routes
58
- * Autoload Devise::Encryptor to avoid errors on thread-safe mode
59
-
60
- * deprecations
61
- * `config.expire_auth_token_on_timeout` was removed
50
+ * Add `autocomplete="new-password"` to `password_confirmation` fields (by @ferrl)
51
+ * Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)
62
52
 
63
- ### 3.5.1 - 2015-05-24
64
-
65
- Note: 3.5.0 has been yanked due to a regression
66
-
67
- * security improvements
68
- * Clean up reset password token whenever e-mail or password changes. thanks to George Deglin & Dennis Charles Hackethal for reporting this bug
69
- * Ensure empty `authenticable_salt` cannot be used as remember token. This bug can only affect users who manually implement their own `authenticable_salt` and allow empty values as salt
70
-
71
- * enhancements
72
- * The hint about minimum password length required both `@validatable` and `@minimum_password_length` variables on the views, it now uses only the latter. If you have generated the views relying on the `@validatable` variable, replace it with `@minimum_password_length`.
73
- * Added an ActiveSupport load hook for `:devise_controller`. (by @nakhli)
74
- * Location fragments are now preserved between requests. (by @jbourassa)
75
- * Added an `after_remembered` callback for the Rememerable module. (by @BM5k)
76
- * `RegistrationsController#new` and `SessionsController#new` now yields the
77
- current resource. (by @mtarnovan, @deivid-rodriguez)
78
- * Password length validation is now limited to 72 characters for newer apps. (by @lleger)
79
- * Controllers inheriting from any Devise core controller will now use appropriate translations. The i18n scope can be overridden in `translation_scope`.
80
- * Allow the user to set the length of friendly token. (by @Angelmmiguel)
53
+ ### 4.6.2 - 2019-03-26
81
54
 
82
55
  * bug fixes
83
- * Use router_name from scope if one is available to support isolated engines. (by @cipater)
84
- * Do not clean up CSRF on rememberable.
85
- * Only use flash if it has been configured in failure app. (by @alex88)
86
-
87
- * deprecations
88
- * `confirm!` has been deprecated in favor of `confirm`.
89
- * `reset_password!` has been deprecated in favor of `reset_password`.
90
- * `Devise.bcrypt` has been deprecated in favor of `Devise::Encryptor.digest`".
91
-
92
- ### 3.4.1 - 2014-10-29
93
-
94
- * enhancements
95
- * Devise default views now have a similar markup to Rails scaffold views. (by @udaysinghcode, @cllns)
96
- * Passing `now: true` to the `set_flash_message` helper now sets the message into
97
- the `flash.now` Hash. (by @hbriggs)
98
- * bugfixes
99
- * Fixed an regression with translation of flash messages for when the `authentication_keys`
100
- config is a Hash. (by @lucasmazza)
101
-
102
- ### 3.4.0 - 2014-10-03
103
-
104
- * enhancements
105
- * Support added for Rails 4.2. Devise now depends on the `responders` gem due
106
- the extraction of the `respond_with` API from Rails. (by @lucasmazza)
107
- * The Simple Form templates follow the same change from 3.3.0 by using `Log in` and adding
108
- a hint about the minimum password length when `validatable` is enabled. (by @aried3r)
109
- * Controller generator added as `devise:controllers SCOPE`. You can use the `-c` flag
110
- to pick which controllers (`unlocks`, `confirmations`, etc) you want to generate. (by @Chun-Yang)
111
- * Removed the hardcoded references for "email" in the flash messages. If you are using
112
- different attributes as the `authentication_keys` they will be interpolated in the
113
- messages instead. (by @timoschilling)
114
- * bug fix
115
- * Fixed a regression where the devise generator would fail with a `ConnectionNotEstablished`
116
- exception when executed inside a mountable engine. (by @lucasmazza)
117
- * Ensure to return symbols in find_scope! fixing a previous regression from 3.3.0 (by @micat)
118
- * Ensure all causes of failed login have the same error message (by @pjungwir)
119
- * The `last_attempt_warning` now takes effect when generating the unauthenticated
120
- message for your users. To keep the current behavior, this flag is now `true`
121
- by default. (by @lucasmazza)
122
-
123
- ### 3.3.0 - 2014-08-13
124
-
125
- * enhancements
126
- * Support multiple warden configuration blocks on devise configuration. (by @rossta)
127
- * Previously, when a user signed out, all remember me tokens for all sessions/browsers would be
128
- invalidated, and this behavior could not be changed. This behavior is now configurable via
129
- `expire_all_remember_me_on_sign_out`. The default continues to be true. (by @laurocaetano)
130
- * Default email messages was updated with grammar fixes, check the diff on
131
- #2906 for the updated copy (by @p-originate)
132
- * Allow a resource to be found based on its encrypted password token (by @karlentwistle)
133
- * Adds `devise_group`, a macro to define controller helpers for multiple mappings at once. (by @dropletzz)
134
- * The default views now use `Log in` instead of `Sign in` and have a hint about the minimum password length if
135
- the current scope is using the `validatable` module (by @alexsoble)
136
-
137
- * bug fix
138
- * Check if there is a signed in user before executing the `SessionsController#destroy`.
139
- * `SessionsController#destroy` no longer yields the `resource` to receiving block,
140
- since the resource isn't loaded in the action. If you need access to the current
141
- resource when overring the action use the scope helper (like `current_user`) before
142
- calling `super`
143
- * Serialize the `last_request_at` entry as an Integer
144
- * Ensure registration controller block yields happen on failure in addition to success (by @dpehrson)
145
- * Only valid paths will be stored for redirections (by @parallel588)
146
-
147
- ### 3.2.4 - 2014-03-17
148
-
149
- * enhancements
150
- * `bcrypt` dependency updated due https://github.com/codahale/bcrypt-ruby/pull/86.
151
- * View generator now can generate specific views with the `-v` flag, like `rails g devise:views -v sessions` (by @kayline)
152
-
153
- ### 3.2.3 - 2014-02-20
154
-
155
- * enhancements
156
- * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
157
- You can change this and use your own secret by changing the `devise.rb` initializer.
158
-
159
- * bug fix
160
- * Migrations will be properly generated when using rails 4.1.0.
161
-
162
- ### 3.2.2 - 2013-11-25
163
-
164
- * bug fix
165
- * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
166
- * Keep the query string when storing location (by @csexton)
167
- * Require rails generator base class in devise generators
168
-
169
- ### 3.2.1 - 2013-11-13
170
-
171
- Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
172
-
173
- * enhancements
174
- * Add `store_location_for` helper and ensure it is safe (by @matthewrudy and @homakov)
175
- * Add `yield` around resource methods in Devise controllers (by @edelpero)
176
-
177
- * bug fix
178
- * Bring `password_digest` back to fix compatibility with `devise-encryptable`
179
- * Avoid e-mail enumeration on sign in when in paranoid mode
180
-
181
- ### 3.2.0 - 2013-11-06
182
-
183
- * enhancements
184
- * Previously deprecated token authenticatable and insecure lookups have been removed
185
- * Add a class method so you can encrypt passwords from fixtures (by @tenderlove)
186
- * Send custom message when user enters invalid password and it has only one attempt
187
- to enter correct password before their account will be locked (by @Lightpower)
188
- * Prevent mutation of values assigned to case and whitespace santitized members (by @iamvery)
189
- * Separate redirects and flash messages in `navigational_formats` and `flashing_formats` (by @ssendev)
190
-
191
- * bug fix
192
- * A GET to sign_in page shouldn't extend the session (by @drewish)
193
- * Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful)
194
- * Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev)
195
- * Ensure timeoutable hook respects `Devise.sign_out_all_scopes` configuration
196
-
197
- * deprecations
198
- * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`
199
-
200
- ### 3.1.1 - 2013-10-01
201
-
202
- * bug fix
203
- * Improve default message which asked users to sign in even when they were already signed (by @gregates)
204
- * Improve error message for when the config.secret_key is missing
205
-
206
- ### 3.1.0 - 2013-09-05
207
-
208
- Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
209
-
210
- * backwards incompatible changes
211
- * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_token_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
212
- * The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
213
- * Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
214
-
215
- * deprecations
216
- * Token authentication is deprecated
217
-
218
- * enhancements
219
- * Better security defaults
220
- * Allow easier customization of parameter sanitizer (by @alexpeattie)
221
-
222
- * bug fix
223
- * Do not confirm e-mail after password reset (by @moll)
224
- * Do not sign in after confirmation
225
- * Do not store confirmation, unlock and reset password tokens directly in the database
226
- * Do not compare directly against confirmation, unlock and reset password tokens
227
- * Skip storage for cookies on unverified requests
228
-
229
- ### 3.0.2 - 2013-08-09
230
-
231
- * bug fix
232
- * Skip storage for cookies on unverified requests
233
-
234
- ### 3.0.1 - 2013-08-02
235
-
236
- Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
237
-
238
- * enhancements
239
- * Add after_confirmation callback
240
-
241
- * bug fix
242
- * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
243
- * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
244
-
245
- ### 3.0.0 - 2013-07-14
246
-
247
- * enhancements
248
- * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
249
- * Drop support for Rails < 3.2 and Ruby < 1.9.3
250
- * Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
251
-
252
- * bug fix
253
- * Errors on unlock are now properly reflected on the first `unlock_keys`
254
-
255
- ### 2.2.4 - 2013-05-07
256
-
257
- * enhancements
258
- * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
259
- * Allow to override path after password resetting (by @worker8)
260
- * Add `#skip_confirmation_notification!` method to `Confirmable`. Allows skipping confirmation email without auto-confirming. (by @gregates)
261
- * allow_unconfirmed_access_for config from `:confirmable` module can be set to `nil` that means unconfirmed access for unlimited time. (by @nashby)
262
- * Support Rails' token strategy on authentication (by @robhurring)
263
- * Support explicitly setting the http authentication key via `config.http_authentication_key` (by @neo)
264
-
265
- * bug fix
266
- * Do not redirect when accessing devise API via JSON. (by @sebastianwr)
267
- * Generating scoped devise views now uses the correct scoped shared links partial instead of the default devise one (by @nashby)
268
- * Fix inheriting mailer templates from `Devise::Mailer`
269
- * Fix a bug when procs are used as default mailer in Devise (by @tomasv)
270
-
271
- * backwards incompatible changes
272
- * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
273
-
274
- ### 2.2.3 - 2013-01-26
275
-
276
- Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
56
+ * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/heartcombo/devise/issues/5033#issuecomment-476386275 (by @mracos)
277
57
 
278
- * bug fix
279
- * Require string conversion for all values
58
+ ### 4.6.1 - 2019-02-11
280
59
 
281
- ### 2.2.2 - 2013-01-15
282
-
283
- * bug fix
284
- * Fix bug when checking for reconfirmable in templates
285
-
286
- ### 2.2.1 - 2013-01-11
287
-
288
- * bug fix
289
- * Fix regression with case_insensitive_keys
290
- * Fix regression when password is blank when it is invalid
291
-
292
- ### 2.2.0 - 2013-01-08
293
-
294
- * backwards incompatible changes
295
- * `headers_for` is deprecated, customize the mailer directly instead
296
- * All mailer methods now expect a second argument with delivery options
297
- * Default minimum password length is now 8 (by @carlosgaldino)
298
- * Support alternate sign in error message when email record does not exist (this adds a new I18n key to the locale file) (by @gabetax)
299
- * DeviseController responds only to HTML requests by default (call `DeviseController.respond_to` or `ApplicationController.respond_to` to add new formats)
300
- * Support Mongoid 3 onwards (by @durran)
301
-
302
- * enhancements
303
- * Fix unlockable which could leak account existence on paranoid mode (by @latortuga)
304
- * Confirmable now has a confirm_within option to set a period while the confirmation token is still valid (by @promisedlandt)
305
- * Flash messages in controller now respects `resource_name` (by @latortuga)
306
- * Separate `sign_in` and `sign_up` on RegistrationsController (by @rubynortheast)
307
- * Add autofocus to default views (by @Radagaisus)
308
- * Unlock user on password reset (by @marcinb)
309
- * Allow validation callbacks to apply to virtual attributes (by @latortuga)
310
-
311
- * bug fix
312
- * unconfirmed_email now uses the proper e-mail on salutation
313
- * Fix default email_regexp config to not allow spaces (by @kukula)
314
- * Fix a regression introduced on warden 1.2.1 (by @ejfinneran)
315
- * Properly camelize omniauth strategies (by @saizai)
316
- * Do not set flash messages for non navigational requests on session sign out (by @mathieul)
317
- * Set the proper fields as required on the lockable module (by @nickhoffman)
318
- * Respects Devise mailer default's reply_to (by @mrchrisadams)
319
- * Properly assign resource on `sign_in` related action (by @adammcnamara)
320
- * `update_with_password` doesn't change encrypted password when it is invalid (by @nashby)
321
- * Properly handle namespaced models on Active Record generator (by @nashby)
322
-
323
- ### 2.1.4 - 2013-08-18
324
-
325
- * bugfix
326
- * Do not confirm account after reset password
327
-
328
- ### 2.1.3 - 2013-01-26
329
-
330
- * bugfix
331
- * Require string conversion for all values
332
-
333
- ### 2.1.2 - 2012-06-19
334
-
335
- * enhancements
336
- * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
337
-
338
- * bug fix
339
- * Fix regression on strategy validation on previous release
340
-
341
- ### 2.1.1 - 2012-06-15 (yanked)
342
-
343
- * enhancements
344
- * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
345
- * `Devise.omniauth_path_prefix` is available to configure omniauth path prefix
346
- * Redirect to sign in page when trying to access password#edit without a token (by @gbataille)
347
- * Allow a lambda in authenticate(d) routes helpers to further select the scope
348
- * Removed warnings on Rails 3.2.6 (by @nashby)
349
-
350
- * bug fix
351
- * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn)
352
- * Do not trigger timeout on sign in related actions
353
- * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller)
354
-
355
- * deprecations
356
- * Strategy#validate() no longer validates nil resources
357
-
358
- ### 2.1.0 - 2012-05-15
359
-
360
- * enhancements
361
- * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
362
- * Add `skip_reconfirmation!` to skip reconfirmation
363
- * Devise model generator now works with engines
364
- * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable)
365
-
366
- * deprecations
367
- * Deprecations warnings added on Devise 2.0 are now removed with their features
368
- * All devise modules should now have a `required_fields(klass)` module method to help gathering missing attributes
369
- * `use_salt_as_remember_token` and `apply_schema` does not have any effect since 2.0 and are now deprecated
370
- * `valid_for_authentication?` must now return a boolean
371
-
372
- * bug fix
373
- * Ensure after sign in hook is not called without a resource
374
- * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
375
- * Fixed redirect when authenticated mounted apps (by @hakanensari)
376
- * Ensure the failure app still respects config.relative_url_root
377
- * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium)
378
- * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores)
379
- * Added token expiration on timeout (by @antiarchitect)
380
- * Do not accidentally mark `_prefixes` as private
381
- * Better support for custom strategies on test helpers (by @mattconnolly)
382
- * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
383
- * Reverted moving devise/shared/_links.erb to devise/_links.erb
384
-
385
- ### 2.0.4 - 2012-02-17
386
-
387
- Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
388
-
389
- * bug fix
390
- * Fix when :host is used with devise_for (by @mreinsch)
391
- * Fix a regression that caused Warden to be initialized too late
392
-
393
- ### 2.0.3 - 2012-06-16 (yanked)
394
-
395
- * bug fix
396
- * Ensure warning is not shown by mistake on apps with mounted engines
397
- * Fixes related to remember_token and rememberable_options
398
- * Ensure serializable_hash does not depend on accessible attributes
399
- * Ensure that timeout callback does not run on sign out action
400
-
401
- ### 2.0.2 - 2012-02-14
402
-
403
- * enhancements
404
- * Add devise_i18n_options to customize I18n message
405
-
406
- * bug fix
407
- * Ensure Devise.available_router_name defaults to :main_app
408
- * Set autocomplete to off for password on edit forms
409
- * Better error messages in case a trackable model can't be saved
410
- * Show a warning in case someone gives a pluralized name to devise generator
411
- * Fix test behavior for rspec subject requests (by @sj26)
412
-
413
- ### 2.0.1 - 2012-02-09
414
-
415
- * enhancements
416
- * Improved error messages on deprecation warnings
417
- * Hide Devise's internal generators from `rails g` command
418
-
419
- * bug fix
420
- * Removed tmp and log files from gem
421
-
422
- ### 2.0.0 - 2012-01-26
423
-
424
- * enhancements
425
- * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
426
- * Redirect users to sign in page after unlock (by @nashby)
427
- * Redirect to the previous URL on timeout
428
- * Inherit from the same Devise parent controller (by @sj26)
429
- * Allow parent_controller to be customizable via Devise.parent_controller, useful for engines
430
- * Allow router_name to be customizable via Devise.router_name, useful for engines
431
- * Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81)
432
-
433
- * deprecation
434
- * Devise now only supports Rails 3.1 forward
435
- * Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
436
- * Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
437
- * Usage of Devise.apply_schema is deprecated
438
- * Usage of Devise migration helpers are deprecated
439
- * Usage of Devise.remember_across_browsers was deprecated
440
- * Usage of rememberable with remember_token was removed
441
- * Usage of recoverable without reset_password_sent_at was removed
442
- * Usage of Devise.case_insensitive_keys equals to false was removed
443
- * Move devise/shared/_links.erb to devise/_links.erb
444
- * Deprecated support of nested devise_for blocks
445
- * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
446
- * Protected method render_with_scope was removed.
447
-
448
- ### 1.5.3 - 2011-12-19
449
-
450
- * bug fix
451
- * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
452
- * Ensure passing :format => false to devise_for is not permanent
453
- * Ensure path checker does not check invalid routes
454
-
455
- ### 1.5.2 - 2011-11-30
456
-
457
- * enhancements
458
- * Add support for Rails 3.1 new mass assignment conventions (by @kirs)
459
- * Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest)
460
-
461
- * bug fix
462
- * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)
463
-
464
- ### 1.5.1 - 2011-11-22
465
-
466
- * bug fix
467
- * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.
468
-
469
- ### 1.5.0 - 2011-11-13
470
-
471
- * enhancements
472
- * Timeoutable also skips tracking if skip_trackable is given
473
- * devise_for now accepts :failure_app as an option
474
- * Models can select the proper mailer via devise_mailer method (by @locomotivecms)
475
- * Migration generator now uses the change method (by @nashby)
476
- * Support to markerb templates on the mailer generator (by @sbounmy)
477
- * Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus)
478
-
479
- * bug fix
480
- * Allow idempotent API requests
481
- * Fix bug where logs did not show 401 as status code
482
- * Change paranoid settings to behave as success instead of as failure
483
- * Fix bug where activation messages were shown first than the credentials error message
484
- * Instance variables are expired after sign out
485
-
486
- * deprecation
487
- * redirect_location is deprecated, please use after_sign_in_path_for
488
- * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it
489
-
490
- ### 1.4.9 - 2011-10-19
491
-
492
- * bug fix
493
- * url helpers were not being set under some circumstances
494
-
495
- ### 1.4.8 - 2011-10-09
496
-
497
- * enhancements
498
- * Add docs for assets pipeline and Heroku
499
-
500
- * bug fix
501
- * confirmation_url was not being set under some circumstances
502
-
503
- ### 1.4.7 - 2011-09-21
504
-
505
- * bug fix
506
- * Fix backward incompatible change from 1.4.6 for those using custom controllers
507
-
508
- ### 1.4.6 - 2011-09-19 (yanked)
509
-
510
- * enhancements
511
- * Allow devise_for :skip => :all
512
- * Allow options to be passed to authenticate_user!
513
- * Allow --skip-routes to devise generator
514
- * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
515
-
516
- ### 1.4.5 - 2011-09-07
517
-
518
- * bug fix
519
- * Failure app tries the root path if a session one does not exist
520
- * No need to finalize Devise helpers all the time (by @bradleypriest)
521
- * Reset password shows proper message if user is not active
522
- * `clean_up_passwords` sets the accessors to nil to skip validations
523
-
524
- ### 1.4.4 - 2011-08-30
525
-
526
- * bug fix
527
- * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually
528
-
529
- ### 1.4.3 - 2011-08-29
530
-
531
- * enhancements
532
- * Improve Rails 3.1 compatibility
533
- * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility
534
-
535
- * bug fix
536
- * Generator properly generates a change_table migration if a model already exists
537
- * Properly deprecate setup_mail
538
- * Fix encoding issues with email regexp
539
- * Only generate helpers for the used mappings
540
- * Wrap :action constraints in the proper hash
541
-
542
- * deprecations
543
- * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation
544
-
545
- ### 1.4.2 - 2011-06-30
546
-
547
- * bug fix
548
- * Provide a more robust behavior to serializers and add :force_except option
549
-
550
- ### 1.4.1 - 2011-06-29
551
-
552
- * enhancements
553
- * Add :defaults and :format support on router
554
- * Add simple form generators
555
- * Better localization for devise_error_messages! (by @zedtux)
556
-
557
- * bug fix
558
- * Ensure to_xml is properly white listened
559
- * Ensure handle_unverified_request clean up any cached signed-in user
560
-
561
- ### 1.4.0 - 2011-06-23
562
-
563
- * enhancements
564
- * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
565
- * Improve e-mail regexp (by @rodrigoflores)
566
- * Add strip_whitespace_keys and default to e-mail (by @swrobel)
567
- * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut)
568
- * Added update_without_password to update models but not allowing the password to change (by @fschwahn)
569
- * Added config.paranoid, check the generator for more information (by @rodrigoflores)
570
-
571
- * bug fix
572
- * password_required? should not affect length validation
573
- * User cannot access sign up and similar pages if they are already signed in through a cookie or token
574
- * Do not convert booleans to strings on finders (by @xavier)
575
- * Run validations even if current_password fails (by @crx)
576
- * Devise now honors routes constraints (by @macmartine)
577
- * Do not return the user resource when requesting instructions (by @rodrigoflores)
578
-
579
- ### 1.3.4 - 2011-04-28
580
-
581
- * bug fix
582
- * Do not add formats if html or "*/*"
583
-
584
- ### 1.3.3 - 2011-04-20
585
-
586
- * bug fix
587
- * Explicitly mark the token as expired if so
588
-
589
- ### 1.3.2 - 2011-04-20
590
-
591
- * bug fix
592
- * Fix another regression related to reset_password_sent_at (by @alexdreher)
593
-
594
- ### 1.3.1 - 2011-04-18
595
-
596
- * enhancements
597
- * Improve failure_app responses (by @indirect)
598
- * sessions/new and registrations/new also respond to xml and json now
599
-
600
- * bug fix
601
- * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)
602
-
603
- ### 1.3.0 - 2011-04-15
604
-
605
- * enhancements
606
- * All controllers can now handle different mime types than html using Responders (by @sikachu)
607
- * Added reset_password_within as configuration option to send the token for recovery (by @jdguyot)
608
- * Bump password length to 128 characters (by @k33l0r)
609
- * Add :only as option to devise_for (by @timoschilling)
610
- * Allow to override path after sending password instructions (by @irohiroki)
611
- * require_no_authentication has its own flash message (by @jackdempsey)
612
-
613
- * bug fix
614
- * Fix a bug where configuration options were being included too late
615
- * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger)
616
- * valid_password? should not choke on empty passwords (by @mikel)
617
- * Calling devise more than once does not include previously added modules anymore
618
- * downcase_keys before validation
619
-
620
- * backward incompatible changes
621
- * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
622
-
623
- ### 1.2.1 - 2011-03-27
624
-
625
- * enhancements
626
- * Improve update path messages
627
-
628
- ### 1.2.0 - 2011-03-24
629
-
630
- * bug fix
631
- * Properly ignore path prefix on omniauthable
632
- * Faster uniqueness queries
633
- * Rename active? to active_for_authentication? to avoid conflicts
634
-
635
- ### 1.2.rc2 - 2011-03-10
636
-
637
- * enhancements
638
- * Make friendly_token 20 chars long
639
- * Use secure_compare
640
-
641
- * bug fix
642
- * Fix an issue causing infinite redirects in production
643
- * rails g destroy works properly with devise generators (by @andmej)
644
- * before_failure callbacks should work on test helpers (by @twinge)
645
- * rememberable cookie now is httponly by default (by @JamesFerguson)
646
- * Add missing confirmation_keys (by @JohnPlummer)
647
- * Ensure after_* hooks are called on RegistrationsController
648
- * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
649
- * Ensure stateless token does not trigger timeout (by @pixelauthority)
650
- * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
651
- * Consider namespaces while generating routes
652
- * Custom failure apps no longer ignored in test mode (by @jaghion)
653
- * Do not depend on ActiveModel::Dirty
654
- * Manual sign_in now triggers remember token
655
- * Be sure to halt strategies on failures
656
- * Consider SCRIPT_NAME on Omniauth paths
657
- * Reset failed attempts when lock is expired
658
- * Ensure there is no Mongoid injection
659
-
660
- * deprecations
661
- * Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes)
662
- * Removed --haml and --slim view templates
663
- * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode
664
-
665
- ### 1.2.rc - 2010-10-25
666
-
667
- * deprecations
668
- * cookie_domain is deprecated in favor of cookie_options
669
- * after_update_path_for can no longer be defined in ApplicationController
670
-
671
- * enhancements
672
- * Added OmniAuth support
673
- * Added ORM adapter to abstract ORM iteraction
674
- * sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld)
675
- * Improved Ajax requests handling in failure app (by @spastorino)
676
- * Added request_keys to easily use request specific values (like subdomain) in authentication
677
- * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)
678
- * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai)
679
- * Extracted encryptors into :encryptable for better bcrypt support
680
- * :rememberable is now able to use salt as token if no remember_token is provided
681
- * Store the salt in session and expire the session if the user changes their password
682
- * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
683
- * cookie_options uses session_options values by default
684
- * Sign up now checks if the user is active or not and redirect them accordingly, setting the inactive_signed_up message
685
- * Use ActiveModel#to_key instead of #id
686
- * sign_out_all_scopes now destroys the whole session
687
- * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl)
688
-
689
- * default behavior changes
690
- * sign_out_all_scopes defaults to true as security measure
691
- * http authenticatable is disabled by default
692
- * Devise does not intercept 401 returned from applications
693
-
694
- * bugfix
695
- * after_sign_in_path_for always receives a resource
696
- * Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo)
697
- * Allow password recovery and account unlocking to change used keys (by @RStankov)
698
- * FailureApp now properly handles nil request.format
699
- * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
700
- * Ensure namespaces has proper scoped views
701
- * Ensure Devise does not set empty flash messages (by @sxross)
702
-
703
- ### 1.1.6 - 2011-02-14
704
-
705
- * Use a more secure e-mail regexp
706
- * Implement Rails 3.0.4 handle unverified request
707
- * Use secure_compare to compare passwords
708
-
709
- ### 1.1.5 - 2010-11-26
710
-
711
- * bugfix
712
- * Ensure to convert keys on indifferent hash
713
-
714
- * defaults
715
- * Set config.http_authenticatable to false to avoid confusion
716
-
717
- ### 1.1.4 - 2010-11-25
718
-
719
- * bugfix
720
- * Avoid session fixation attacks
721
-
722
- ### 1.1.3 - 2010-09-23
723
-
724
- * bugfix
725
- * Add reply-to to e-mail headers by default
726
- * Updated the views generator to respect the rails :template_engine option (by @fredwu)
727
- * Check the type of HTTP Authentication before using Basic headers
728
- * Avoid invalid_salt errors by checking salt presence (by @thibaudgg)
729
- * Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane)
730
- * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
731
- * :default options is now honored in migrations
732
-
733
- ### 1.1.2 - 2010-08-25
734
-
735
- * bugfix
736
- * Compatibility with latest Rails routes schema
737
-
738
- ### 1.1.1 - 2010-07-26
739
-
740
- * bugfix
741
- * Fix a small bug where generated locale file was empty on devise:install
742
-
743
- ### 1.1.0 - 2010-07-25
744
-
745
- * enhancements
746
- * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
747
- * Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk)
748
- * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
749
- * Support `as` or `devise_scope` in the router to specify controller access scope
750
- * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja)
751
-
752
- * bug fix
753
- * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
754
- * Devise should respect script_name and path_info contracts
755
- * Fix a bug when accessing a path with (.:format) (by @klacointe)
756
- * Do not add unlock routes unless unlock strategy is email or both
757
- * Email should be case insensitive
758
- * Store classes as string in session, to avoid serialization and stale data issues
759
-
760
- * deprecations
761
- * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead
60
+ * bug fixes
61
+ * Check if `root_path` is defined with `#respond_to?` instead of `#present` (by @tegon)
762
62
 
763
- ### 1.1.rc2 - 2010-06-22
63
+ ### 4.6.0 - 2019-02-07
764
64
 
765
65
  * enhancements
766
- * Allow to set cookie domain for the remember token. (by @mantas)
767
- * Added navigational formats to specify when it should return a 302 and when a 401.
768
- * Added authenticate(scope) support in routes (by @wildchild)
769
- * Added after_update_path_for to registrations controller (by @thedelchop)
770
- * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer"
66
+ * Allow to skip email and password change notifications (by @iorme1)
67
+ * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg)
68
+ * Ignore useless files into the `.gem` file (by @huacnlee)
69
+ * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon)
70
+ * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer)
71
+ * Add an option (`Devise.sign_in_after_change_password`) to not automatically sign in a user after changing a password (by @knjko)
771
72
 
772
- * bug fix
773
- * Fix a bug where session was timing out on sign out
774
-
775
- * deprecations
776
- * bcrypt is now the default encryptor
777
- * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject
778
- * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
779
- * Generators now use Rails 3 syntax (devise:install) instead of devise_install
780
-
781
- ### 1.1.rc1 - 2010-04-14
73
+ * bug fixes
74
+ * Fix missing comma in Simple Form generator (by @colinross)
75
+ * Fix error with migration generator in Rails 6 (by @oystersauce8)
76
+ * Set `encrypted_password` to `nil` when `password` is set to `nil` (by @sivagollapalli)
77
+ * Consider whether the request supports flash messages inside `Devise::Controllers::Helpers#is_flashing_format?` (by @colinross)
78
+ * Fix typo inside `Devise::Generators::ControllersGenerator` (by @kopylovvlad)
79
+ * Sanitize parameters inside `Devise::Models::Authenticatable#find_or_initialize_with_errors` (by @rlue)
80
+ * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan)
81
+ * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu)
82
+ * Fix unclosed `li` tag in `error_messages` partial (by @mracos)
83
+ * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
84
+ * Make `#increment_failed_attempts` concurrency safe (by @tegon)
85
+ * Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
782
86
 
783
- * enhancements
784
- * Rails 3 compatibility
785
- * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions"
786
- * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise
787
- * Use metal for failure app
788
- * HTML e-mails now have proper formatting
789
- * Allow to give :skip and :controllers in routes
790
- * Move trackable logic to the model
791
- * E-mails now use any template available in the filesystem. Easy to create multipart e-mails
792
- * E-mails asks headers_for in the model to set the proper headers
793
- * Allow to specify haml in devise_views
794
- * Compatibility with Mongoid
795
- * Make config.devise available on config/application.rb
796
- * TokenAuthenticatable now works with HTTP Basic Auth
797
- * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself
798
- * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3
799
- * :activatable is included by default in your models
800
-
801
- * bug fix
802
- * Fix a bug with STI
803
87
 
804
88
  * deprecations
805
- * Rails 3 compatible only
806
- * Removed support for MongoMapper
807
- * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new"
808
- * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead
809
- * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options
810
- * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
811
- * :as and :scope in routes is deprecated. Use :path and :singular instead
89
+ * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
90
+ * The `DeviseHelper.devise_error_messages!` is deprecated and will be removed in the next major version. Use the `devise/shared/error_messages` partial instead. (by @mracos)
812
91
 
813
- ### 1.0.8 - 2010-06-22
92
+ ### 4.5.0 - 2018-08-15
814
93
 
815
94
  * enhancements
816
- * Support for latest MongoMapper
817
- * Added anybody_signed_in? helper (by @SSDany)
818
-
819
- * bug fix
820
- * confirmation_required? is properly honored on active? calls. (by @paulrosania)
821
-
822
- ### 1.0.7 - 2010-05-02
823
-
824
- * bug fix
825
- * Ensure password confirmation is always required
826
-
827
- * deprecations
828
- * authenticatable was deprecated and renamed to database_authenticatable
829
- * confirmable is not included by default on generation
830
-
831
- ### 1.0.6 - 2010-04-02
832
-
833
- * bug fix
834
- * Do not allow unlockable strategies based on time to access a controller.
835
- * Do not send unlockable email several times.
836
- * Allow controller to upstram custom! failures to Warden.
837
-
838
- ### 1.0.5 - 2010-03-25
839
-
840
- * bug fix
841
- * Use prepend_before_filter in require_no_authentication.
842
- * require_no_authentication on unlockable.
843
- * Fix a bug when giving an association proxy to devise.
844
- * Do not use lock! on lockable since it's part of ActiveRecord API.
845
-
846
- ### 1.0.4 - 2010-03-02
847
-
848
- * bug fix
849
- * Fixed a bug when deleting an account with rememberable
850
- * Fixed a bug with custom controllers
851
-
852
- ### 1.0.3 - 2010-02-22
853
-
854
- * enhancements
855
- * HTML e-mails now have proper formatting
856
- * Do not remove MongoMapper options in find
857
-
858
- ### 1.0.2 - 2010-02-17
859
-
860
- * enhancements
861
- * Allows you set mailer content type (by @glennr)
862
-
863
- * bug fix
864
- * Uses the same content type as request on http authenticatable 401 responses
865
-
866
- ### 1.0.1 - 2010-02-16
867
-
868
- * enhancements
869
- * HttpAuthenticatable is not added by default automatically.
870
- * Avoid mass assignment error messages with current password.
871
-
872
- * bug fix
873
- * Fixed encryptors autoload
874
-
875
- ### 1.0.0 - 2010-02-08
876
-
877
- * deprecation
878
- * :old_password in update_with_password is deprecated, use :current_password instead
879
-
880
- * enhancements
881
- * Added Registerable
882
- * Added Http Basic Authentication support
883
- * Allow scoped_views to be customized per controller/mailer class
884
- * Allow authenticatable to used in change_table statements
885
-
886
- ### 0.9.2 - 2010-02-04
887
-
888
- * bug fix
889
- * Ensure inactive user cannot sign in
890
- * Ensure redirect to proper url after sign up
891
-
892
- * enhancements
893
- * Added gemspec to repo
894
- * Added token authenticatable (by @grimen)
895
-
896
- ### 0.9.1 - 2010-01-24
897
-
898
- * bug fix
899
- * Allow bigger salt size (by @jgeiger)
900
- * Fix relative url root
901
-
902
- ### 0.9.0 - 2010-01-20
903
-
904
- * deprecation
905
- * devise :all is deprecated
906
- * :success and :failure flash messages are now :notice and :alert
907
-
908
- * enhancements
909
- * Added devise lockable (by @mhfs)
910
- * Warden 0.9.0 compatibility
911
- * Mongomapper 0.6.10 compatibility
912
- * Added Devise.add_module as hooks for extensions (by @grimen)
913
- * Ruby 1.9.1 compatibility (by @grimen)
914
-
915
- * bug fix
916
- * Accept path prefix not starting with slash
917
- * url helpers should rely on find_scope!
918
-
919
- ### 0.8.2 - 2010-01-12
920
-
921
- * enhancements
922
- * Allow Devise.mailer_sender to be a proc (by @grimen)
923
-
924
- * bug fix
925
- * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)
926
-
927
- ### 0.8.1 - 2010-01-07
928
-
929
- * enhancements
930
- * Move salt to encryptors
931
- * Devise::Lockable
932
- * Moved view links into partial and I18n'ed them
933
-
934
- * bug fix
935
- * Bcrypt generator was not being loaded neither setting the proper salt
936
-
937
- ### 0.8.0 - 2010-01-06
938
-
939
- * enhancements
940
- * Warden 0.8.0 compatibility
941
- * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work
942
- * Added :bcrypt encryptor (by @capotej)
943
-
944
- * bug fix
945
- * sign_in_count is also increased when user signs in via password change, confirmation, etc..
946
- * More DataMapper compatibility (by @lancecarlson)
947
-
948
- * deprecation
949
- * Removed DeviseMailer.sender
95
+ * Use `before_action` instead of `before_filter` (by @edenthecat)
96
+ * Allow people to extend devise failure app, through invoking `ActiveSupport.run_load_hooks` once `Devise::FailureApp` is loaded (by @wnm)
97
+ * Use `update` instead of `update_attributes` (by @koic)
98
+ * Split IP resolution from `update_tracked_fields` (by @mckramer)
99
+ * upgrade dependencies for rails and responders (by @lancecarlson)
100
+ * Add `autocomplete="new-password"` to new password fields (by @gssbzn)
101
+ * Add `autocomplete="current-password"` to current password fields (by @gssbzn)
102
+ * Remove redundant `self` from `database_authenticatable` module (by @abhishekkanojia)
103
+ * Update `simple_form` templates with changes from https://github.com/heartcombo/devise/commit/16b3d6d67c7e017d461ea17ed29ea9738dc77e83 and https://github.com/heartcombo/devise/commit/6260c29a867b9a656f1e1557abe347a523178fab (by @gssbzn)
104
+ * Remove `:trackable` from the default modules in the generators, to be more GDPR-friendly (by @fakenine)
950
105
 
951
- ### 0.7.5 - 2010-01-01
952
-
953
- * enhancements
954
- * Set a default value for mailer to avoid find_template issues
955
- * Add models configuration to MongoMapper::EmbeddedDocument as well
956
-
957
- ### 0.7.4 - 2009-12-21
106
+ * bug fixes
107
+ * Use same string on failed login regardless of whether account exists when in paranoid mode (by @TonyMK9068)
108
+ * Fix error when params is not a hash inside `Devise::ParameterSanitizer` (by @b0nn1e)
109
+ * Look for `secret_key_base` inside `Rails.application` (by @gencer)
110
+ * Ensure `Devise::ParameterFilter` does not add missing keys when called with a hash that has a `default` / `default_proc`
111
+ configured (by @joshpencheon)
112
+ * Adds `is_navigational_format?` check to `after_sign_up_path_for` to keep consistency (by @iorme1)
958
113
 
959
- * enhancements
960
- * Extract Activatable from Confirmable
961
- * Decouple Serializers from Devise modules
114
+ ### 4.4.3 - 2018-03-17
962
115
 
963
- ### 0.7.3 - 2009-12-15
116
+ * bug fixes
117
+ * Fix undefined method `rails5?` for Devise::Test:Module (by @tegon)
118
+ * Fix: secret key was being required to be set inside credentials on Rails 5.2 (by @tegon)
964
119
 
965
- * bug fix
966
- * Give scope to the proper model validation
120
+ ### 4.4.2 - 2018-03-15
967
121
 
968
122
  * enhancements
969
- * Mail views are scoped as well
970
- * Added update_with_password for authenticatable
971
- * Allow render_with_scope to accept :controller option
972
-
973
- ### 0.7.2 - 2009-12-14
974
-
975
- * deprecation
976
- * Renamed reset_confirmation! to resend_confirmation!
977
- * Copying locale is part of the installation process
123
+ * Support for :credentials on Rails v5.2.x. (by @gencer)
124
+ * Improve documentation about the test suite. (by @tegon)
125
+ * Test with Rails 5.2.rc1 on Travis. (by @jcoyne)
126
+ * Allow test with Rails 6. (by @Fudoshiki)
127
+ * Creating a new section for controller configuration on `devise.rb` template (by @Danilo-Araujo-Silva)
978
128
 
979
- * bug fix
980
- * Fixed render_with_scope to work with all controllers
981
- * Allow sign in with two different users in Devise::TestHelpers
982
-
983
- ### 0.7.1 - 2009-12-09
129
+ * bug fixes
130
+ * Preserve content_type for unauthenticated tests (by @gmcnaughton)
131
+ * Check if the resource is persisted in `update_tracked_fields!` instead of performing validations (by @tegon)
132
+ * Revert "Replace log_process_action to append_info_to_payload" (by @tegon)
984
133
 
985
- * enhancements
986
- * Small enhancements for other plugins compatibility (by @grimen)
134
+ ### 4.4.1 - 2018-01-23
987
135
 
988
- ### 0.7.0 - 2009-12-08
136
+ * bug fixes
137
+ * Ensure Gemspec is loaded as utf-8. (by @segiddins)
138
+ * Fix `ActiveRecord` check on `Confirmable`. (by @tegon)
139
+ * Fix `signed_in?` docs without running auth hooks. by (@machty)
989
140
 
990
- * deprecations
991
- * :authenticatable is not included by default anymore
141
+ ### 4.4.0 - 2017-12-29
992
142
 
993
143
  * enhancements
994
- * Improve loading process
995
- * Extract SessionSerializer from Authenticatable
996
-
997
- ### 0.6.3 - 2009-12-02
998
-
999
- * bug fix
1000
- * Added trackable to migrations
1001
- * Allow inflections to work
144
+ * Add `frozen_string_literal` pragma comment to all Ruby files. (by @pat)
145
+ * Use `set_flash_method!` instead of `set_flash_method` in `Devise::OmniauthCallbacksController#failure`. (by @saichander17)
146
+ * Clarify how `store_location_for` modifies URIs. (by @olivierlacan)
147
+ * Move `failed_attempts` increment into its own function. by (@mobilutz)
148
+ * Add `autocomplete="email"` to email fields. by (@MikeRogers0)
149
+ * Add the ability to change the default migrations path introduced in Rails 5.0.3. (by @alexhifer)
150
+ * Delete unnecessary condition for helper method. (by @davydovanton)
151
+ * Support `id: :uuid` option for migrations. (by @filip373)
1002
152
 
1003
- ### 0.6.2 - 2009-11-25
153
+ * bug fixes
154
+ * Fix syntax for MRI 2.5.0. (by @pat)
155
+ * Validations were being ignored on singup in the `Trackable#update_tracked_fields!` method. (by @AshleyFoster)
156
+ * Do not modify options for `#serializable_hash`. (by @guigs)
157
+ * Email confirmations were being sent on sign in/sign out for application using `mongoid` and `mongoid-paperclip` gems. This is because previously we were checking if a model is from Active Record by checking if the method `after_commit` was defined - since `mongoid` doesn' have one - but `mongoid-paperclip` gem does define one, which cause this issue. (by @fjg)
1004
158
 
1005
- * enhancements
1006
- * More DataMapper compatibility
1007
- * Devise::Trackable - track sign in count, timestamps and ips
159
+ ### 4.3.0 - 2017-05-14
1008
160
 
1009
- ### 0.6.1 - 2009-11-24
161
+ * Enhancements
162
+ * Dependency support added for Rails 5.1.x.
1010
163
 
1011
- * enhancements
1012
- * Devise::Timeoutable - timeout sessions without activity
1013
- * DataMapper now accepts conditions
1014
-
1015
- ### 0.6.0 - 2009-11-22
164
+ ### 4.2.1 - 2017-03-15
1016
165
 
166
+ * removals
167
+ * `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected
168
+ methods instead of public.
169
+ * bug fixes
170
+ * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
171
+ Before this change, Devise would accept the reset password request and log the user in, without validating/changing
172
+ the password. (by @victor-am)
173
+ * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
174
+ * enhancements
175
+ * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
176
+ When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
177
+ (original change by @ethirajsrinivasan)
178
+
179
+ ### 4.2.0 - 2016-07-01
180
+
181
+ * removals
182
+ * Remove the deprecated `Devise::ParameterSanitizer` API from Devise 3.
183
+ Please use the `#permit` and `#sanitize` methods over `#for`.
184
+ * Remove the deprecated OmniAuth URL helpers. Use the fully qualified helpers
185
+ (`user_facebook_omniauth_authorize_path`) over the scope based helpers
186
+ ( `user_omniauth_authorize_path(:facebook)`).
187
+ * Remove the `Devise.bcrypt` method, use `Devise::Encryptor.digest` instead.
188
+ * Remove the `Devise::Models::Confirmable#confirm!` method, use `confirm` instead.
189
+ * Remove the `Devise::Models::Recoverable#reset_password!` method, use `reset_password` instead.
190
+ * Remove the `Devise::Models::Recoverable#after_password_reset` method.
191
+ * bug fixes
192
+ * Fix an `ActionDispatch::IllegalStateError` when testing controllers with Rails 5 rc 2(by @hamadata).
193
+ * Use `ActiveSupport.on_load` hooks to include Devise on `ActiveRecord` and `Mongoid`,
194
+ avoiding autoloading these constants too soon (by @lucasmazza, @rafaelfranca).
195
+ * enhancements
196
+ * Display the minimum password length on `registrations/edit` view (by @Yanchek99).
197
+ * You can disable Devise's routes reloading on boot by through the `reload_routes = false` config.
198
+ This can reduce the time taken to boot the application but it might trigger
199
+ some errors if you application (mostly your controllers) requires that
200
+ Devise mappings be loaded during boot time (by @sidonath).
201
+ * Added `Devise::Test::IntegrationHelpers` to bypass the sign in process using
202
+ Warden test API (by @lucasmazza).
203
+ * Define `inspect` in `Devise::Models::Authenticatable` to help ensure password hashes
204
+ aren't included in exceptions or otherwise accidentally serialized (by @tkrajcar).
205
+ * Add missing support of `Rails.application.config.action_controller.relative_url_root` (by @kosdiamantis).
1017
206
  * deprecations
1018
- * :authenticatable is still included by default, but yields a deprecation warning
1019
-
1020
- * enhancements
1021
- * Added DataMapper support
1022
- * Remove store_location from authenticatable strategy and add it to failure app
1023
- * Allow a strategy to be placed after authenticatable
1024
- * Do not rely attribute? methods, since they are not added on Datamapper
1025
-
1026
- ### 0.5.6 - 2009-11-21
1027
-
1028
- * enhancements
1029
- * Do not send nil to build (DataMapper compatibility)
1030
- * Allow to have scoped views
207
+ * `Devise::TestHelpers` is deprecated in favor of `Devise::Test::ControllerHelpers`
208
+ (by @lucasmazza).
209
+ * The `sign_in` test helper has changed to use keyword arguments when passing
210
+ a scope. `sign_in :admin, users(:alice)` should be rewritten as
211
+ `sign_in users(:alice), scope: :admin` (by @lucasmazza).
212
+ * The option `bypass` of `Devise::Controllers::SignInOut#sign_in` method is
213
+ deprecated in favor of `Devise::Controllers::SignInOut#bypass_sign_in`
214
+ method (by @ulissesalmeida).
1031
215
 
1032
- ### 0.5.5 - 2009-11-20
216
+ ### 4.1.1 - 2016-05-15
1033
217
 
1034
- * enhancements
1035
- * Allow overwriting find for authentication method
1036
- * Remove Ruby 1.8.7 dependency
218
+ * bug fixes
219
+ * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
1037
220
 
1038
- ### 0.5.4 - 2009-11-19
221
+ ### 4.1.0
1039
222
 
223
+ * bug fixes
224
+ * Fix race condition of sending the confirmation instructions e-mail using background jobs.
225
+ Using the previous `after_create` callback, the e-mail can be sent before
226
+ the record be committed on database, generating a `ActiveRecord::NotFound` error.
227
+ Now the confirmation e-mail will be only sent after the database commit,
228
+ using the `after_commit` callback.
229
+ It may break your test suite on Rails 4 if you are testing the sent e-mails
230
+ or enqueued jobs using transactional fixtures enabled or `DatabaseCleaner` with `transaction` strategy.
231
+ You can easily fix your test suite using the gem
232
+ [test_after_commit](https://github.com/grosser/test_after_commit). For example, put in your Gemfile:
233
+
234
+ ```ruby
235
+ gem 'test_after_commit', :group => :test
236
+ ```
237
+
238
+ On Rails 5 `after_commit` callbacks are triggered even using transactional
239
+ fixtures, then this fix will not break your test suite. If you are using `DatabaseCleaner` with the `deletion` or `truncation` strategies it may not break your tests. (by @allenwq)
240
+ * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none` and
241
+ `:undefined` strategies. (by @f3ndot)
242
+ * features
243
+ * Humanize authentication keys in failure flash message (by @byzg)
244
+ When you are configuring the translations of `devise.failure.invalid`, the
245
+ `authentication_keys` is translated now.
1040
246
  * deprecations
1041
- * Deprecate :singular in devise_for and use :scope instead
247
+ * Remove code supporting old session serialization format (by @fphilipe).
248
+ * Now the `email_regexp` default uses a more permissive regex:
249
+ `/\A[^@\s]+@[^@\s]+\z/` (by @kimgb)
250
+ * Now the `strip_whitespace_keys` default is `[:email]` (by @ulissesalmeida)
251
+ * Now the `reconfirmable` default is `true` (by @ulissesalmeida)
252
+ * Now the `skip_session_storage` default is `[:http_auth]` (by @ulissesalmeida)
253
+ * Now the `sign_out_via` default is `:delete` (by @ulissesalmeida)
254
+ * improvements
255
+ * Avoids extra computation of friendly token for confirmation token (by @sbc100)
1042
256
 
1043
- * enhancements
1044
- * Create after_sign_in_path_for and after_sign_out_path_for hooks to be
1045
- overwriten in ApplicationController
1046
- * Create sign_in_and_redirect and sign_out_and_redirect helpers
1047
- * Warden::Manager.default_scope is automatically configured to the first given scope
1048
-
1049
- ### 0.5.3 - 2009-11-18
1050
-
1051
- * bug fix
1052
- * MongoMapper now converts DateTime to Time
1053
- * Ensure all controllers are unloadable
1054
-
1055
- * enhancements
1056
- * Moved friendly_token to Devise
1057
- * Added Devise.all, so you can freeze your app strategies
1058
- * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
1059
- in cases you don't want it be handlded automatically
257
+ ### 4.0.3 - 2016-05-15
1060
258
 
1061
- ### 0.5.2 - 2009-11-17
1062
-
1063
- * enhancements
1064
- * Improved sign_in and sign_out helpers to accepts resources
1065
- * Added stored_location_for as a helper
1066
- * Added test helpers
1067
-
1068
- ### 0.5.1 - 2009-11-15
1069
-
1070
- * enhancements
1071
- * Added serializers based on Warden ones
1072
- * Allow authentication keys to be set
259
+ * bug fixes
260
+ * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
1073
261
 
1074
- ### 0.5.0 - 2009-11-13
262
+ ### 4.0.2 - 2016-05-02
1075
263
 
1076
- * bug fix
1077
- * Fixed a bug where remember me module was not working properly
264
+ * bug fixes
265
+ * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
266
+ and `:undefined` strategies. (by @f3ndot)
1078
267
 
1079
- * enhancements
1080
- * Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs)
1081
- * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
1082
- * Added support for MongoMapper (by @shingara)
268
+ ### 4.0.1 - 2016-04-25
1083
269
 
1084
- ### 0.4.3 - 2009-11-10
270
+ * bug fixes
271
+ * Fix the e-mail confirmation instructions send when a user updates the email
272
+ address from nil. (by @lmduc)
273
+ * Remove unnecessary `attribute_will_change!` call. (by @cadejscroggins)
274
+ * Consistent `permit!` check. (by @ulissesalmeida)
1085
275
 
1086
- * bug fix
1087
- * Authentication just fails if user cannot be serialized from session, without raising errors;
1088
- * Default configuration values should not overwrite user values;
276
+ ### 4.0.0 - 2016-04-18
1089
277
 
1090
- ### 0.4.2 - 2009-11-06
278
+ * bug fixes
279
+ * Fix the `extend_remember_period` configuration. When set to `false` it does
280
+ not update the cookie expiration anymore.(by @ulissesalmeida)
1091
281
 
1092
282
  * deprecations
1093
- * Renamed mail_sender to mailer_sender
1094
-
1095
- * enhancements
1096
- * skip_before_filter added in Devise controllers
1097
- * Use home_or_root_path on require_no_authentication as well
1098
- * Added devise_controller?, useful to select or reject filters in ApplicationController
1099
- * Allow :path_prefix to be given to devise_for
1100
- * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)
1101
-
1102
- ### 0.4.1 - 2009-11-04
1103
-
1104
- * bug fix
1105
- * Ensure options can be set even if models were not loaded
1106
-
1107
- ### 0.4.0 - 2009-11-03
283
+ * Added a warning of default value change in Devise 4.1 for users that uses
284
+ the the default configuration of the following configurations: (by @ulissesalmeida)
285
+ * `strip_whitespace_keys` - The default will be `[:email]`.
286
+ * `skip_session_storage` - The default will be `[:http_auth]`.
287
+ * `sign_out_via` - The default will be `:delete`.
288
+ * `reconfirmable` - The default will be `true`.
289
+ * `email_regexp` - The default will be `/\A[^@\s]+@[^@\s]+\z/`.
290
+ * Removed deprecated argument of `Devise::Models::Rememberable#remember_me!` (by @ulissesalmeida)
291
+ * Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in!
292
+ (by @bogdanvlviv)
293
+
294
+ ### 4.0.0.rc2 - 2016-03-09
295
+
296
+ * enhancements
297
+ * Introduced `DeviseController#set_flash_message!` for conditional flash
298
+ messages setting to reduce complexity.
299
+ * `rails g devise:install` will fail if the app does not have a ORM configured
300
+ (by @arjunsharma)
301
+ * Support to Rails 5 versioned migrations added.
1108
302
 
1109
303
  * deprecations
1110
- * Notifier is deprecated, use DeviseMailer instead. Remember to rename
1111
- app/views/notifier to app/views/devise_mailer and I18n key from
1112
- devise.notifier to devise.mailer
1113
- * :authenticable calls are deprecated, use :authenticatable instead
304
+ * omniauth routes are no longer defined with a wildcard `:provider` parameter,
305
+ and provider specific routes are defined instead, so route helpers like `user_omniauth_authorize_path(:github)` are deprecated in favor of `user_github_omniauth_authorize_path`.
306
+ You can still use `omniauth_authorize_path(:user, :github)` if you need to
307
+ call the helpers dynamically.
1114
308
 
1115
- * enhancements
1116
- * Allow devise to be more agnostic and do not require ActiveRecord to be loaded
1117
- * Allow Warden::Manager to be configured through Devise
1118
- * Created a generator which creates an initializer
309
+ ### 4.0.0.rc1 - 2016-02-01
1119
310
 
1120
- ### 0.3.0 - 2009-10-30
1121
-
1122
- * bug fix
1123
- * Allow yml messages to be configured by not using engine locales
311
+ * Support added to Rails 5 (by @twalpole).
312
+ * Devise no longer supports Rails 3.2 and 4.0.
313
+ * Devise no longer supports Ruby 1.9 and 2.0.
1124
314
 
1125
315
  * deprecations
1126
- * Renamed confirm_in to confirm_within
1127
- * Do not send confirmation messages when user changes their e-mail
1128
- * Renamed authenticable to authenticatable and added deprecation warnings
1129
-
1130
- ### 0.2.3 - 2009-10-29
1131
-
1132
- * enhancements
1133
- * Ensure fail! works inside strategies
1134
- * Make unauthenticated message (when you haven't signed in) different from invalid message
1135
-
1136
- * bug fix
1137
- * Do not redirect on invalid authenticate
1138
- * Allow model configuration to be set to nil
1139
-
1140
- ### 0.2.2 - 2009-10-28
1141
-
1142
- * bug fix
1143
- * Fix a bug when using customized resources
1144
-
1145
- ### 0.2.1 - 2009-10-27
1146
-
1147
- * refactor
1148
- * Clean devise_views generator to use devise existing views
1149
-
1150
- * enhancements
1151
- * Create instance variables (like @user) for each devise controller
1152
- * Use Devise::Controller::Helpers only internally
1153
-
1154
- * bug fix
1155
- * Fix a bug with Mongrel and Ruby 1.8.6
1156
-
1157
- ### 0.2.0 - 2009-10-24
1158
-
1159
- * enhancements
1160
- * Allow option :null => true in authenticable migration
1161
- * Remove attr_accessible calls from devise modules
1162
- * Customizable time frame for rememberable with :remember_for config
1163
- * Customizable time frame for confirmable with :confirm_in config
1164
- * Generators for creating a resource and copy views
1165
-
1166
- * optimize
1167
- * Do not load hooks or strategies if they are not used
1168
-
1169
- * bug fixes
1170
- * Fixed requiring devise strategies
1171
-
1172
- ### 0.1.1 - 2009-10-21
1173
-
1174
- * bug fixes
1175
- * Fixed requiring devise mapping
1176
-
1177
- ### 0.1.0 - 2009-10-21
1178
-
1179
- * Devise::Authenticable
1180
- * Devise::Confirmable
1181
- * Devise::Recoverable
1182
- * Devise::Validatable
1183
- * Devise::Migratable
1184
- * Devise::Rememberable
1185
-
1186
- * SessionsController
1187
- * PasswordsController
1188
- * ConfirmationsController
1189
-
1190
- * Create an example app
1191
- * devise :all, :except => :rememberable
1192
- * Use sign_in and sign_out in SessionsController
1193
-
1194
- * Mailer subjects namespaced by model
1195
- * Allow stretches and pepper per model
1196
-
1197
- * Store session[:return_to] in session
1198
- * Sign user in automatically after confirming or changing it's password
316
+ * The `devise_parameter_sanitize` API has changed:
317
+ The `for` method was deprecated in favor of `permit`:
318
+
319
+ ```ruby
320
+ def configure_permitted_parameters
321
+ devise_parameter_sanitizer.for(:sign_up) << :subscribe_newsletter
322
+ # Should become the following.
323
+ devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
324
+ end
325
+ ```
326
+
327
+ The customization through instance methods on the sanitizer implementation
328
+ should be done through it's `initialize` method:
329
+
330
+ ```ruby
331
+ class User::ParameterSanitizer < Devise::ParameterSanitizer
332
+ def sign_up
333
+ default_params.permit(:username, :email)
334
+ end
335
+ end
336
+
337
+ # The `sign_up` method can be a `permit` call on the sanitizer `initialize`.
338
+
339
+ class User::ParameterSanitizer < Devise::ParameterSanitizer
340
+ def initialize(*)
341
+ super
342
+ permit(:sign_up, keys: [:username, :email])
343
+ end
344
+ end
345
+ ```
346
+
347
+ You can check more examples and explanations on the [README section](README.md#strong-parameters)
348
+ and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb).
349
+
350
+ Please check [3-stable](https://github.com/heartcombo/devise/blob/3-stable/CHANGELOG.md)
351
+ for previous changes.