- Added `config.after_session_confirm` hook (#237)
- Added `Passwordless::Constraint` and `Passwordless::ConstraintNot` for routing constraints (#228)
- Fixed double loading of locale files (#221)
- Use `flash.alert`, as is standard in Rails (#215)
- Add support for scoped routes with `default_url_options` (#209)
- Fix `paranoid` mode creating a session for missing users (#219)
- Fix missing `token` locale key (#214)
- Evaluate callable redirects in context of controller (#203)
- Add url_options param to sign_in email (#208)
- Include TestHelpers in ActionDispatch::IntegrationTest (#211)
- Configurable redirect paths now accept both strings and lambdas (#202)
- The default `from` of the parent mailer won't be overridden if the `default_from_address` option is set to `nil` (#198)
- Added `paranoid` option to display the email sent notice even when the resource is not found (#196)
- Added `parent_controller` option to set the `SessionsController` parent class (#199)
- Added `only_path` param to `SystemTestCase#passwordless_sign_in` and `SystemTestCase#passwordless_sign_out` (#197)
- Added the option `combat_brute_force_attacks`, enabled everywhere but `Rails.env.test` (#190)
- Fixed url generation when custom controller is specified (#180)
- Fixed a bug in `passwordless_sign_in` (#179)
Sessions are now referenced publicly by a random UUID instead of their primary key.
This needs a manual database migration like so:

```ruby
class AddIndentifierToPasswordlessSessions < ActiveRecord::Migration[7.1]
  def change
    # Public identifier used in URLs and tokens instead of the integer primary key
    add_column(:passwordless_sessions, :identifier, :string)
    # Unique index so a lookup by identifier cannot match more than one session
    add_index(:passwordless_sessions, :identifier, unique: true)
  end
end
```

- Use UUIDs as identifiers for sessions in public (#176)
- Add default flash notice for sign out (#178)
- Route generation with `:as` option (#174)
- Test helper route generation (#174)
- Fix sessions/new label `for` attribute (#172)
- Adds `autocomplete: 'off'` to token field (#173)
- Adds sessions/show "Confirm" to locale definition (#173)
This major release of Passwordless changes a lot of things and it is almost guaranteed that you will need to change your code to upgrade to this version.
(Note that there is no need to upgrade. The previous versions of Passwordless will continue to work for the foreseeable future.)
See Upgrading to Passwordless 1.0 for more details.
- Added an option to set a custom controller for `passwordless_for` routes (#152)
- Added `ControllerHelpers#create_passwordless_session` (#161)
- Tokens are now encrypted in the database (#145)
- Un-isolate namespace (#146)
- Move configuration to `Passwordless.config` (#155)
- Added option `redirect_to_response_options` (#142)
- Replaced `form_for` with `form_with` in view template (#128)
- Added frontend validation for email presence in views (#128)
- Always redirect magic link requests back to the sign_in page and render generic flash (#120)
- Fix `Passwordless#ControllerHelpers` to be used outside controllers (#124)
- Reset session at sign_in to protect from session fixation attacks (#108)
- Fixed support for Turbo Drive (#116)
- Option to customize mailer inheritance with a new configuration `parent_mailer` (#82)
- Calls `strip` on passwordless field param
- Customizable redirects (#69)
- Fixes session availability wrongly determined by timeout not expiry (#61)
- Fixes an issue with using a resource class not named `User` (#58)

This version moves from storing the session information in the cookies to the session.
Your users will therefore have to sign in again after upgrading.
To provide a smoother experience, you can use the provided session upgrade helper like this:

```ruby
def current_user
  @current_user ||=
    # Look up the user from the new session-based storage first...
    authenticate_by_session(User) ||
    # ...and fall back to migrating a pre-existing cookie-based sign-in
    upgrade_passwordless_cookie(User)
end
```

- Deprecates `authenticate_by_cookie`, use `authenticate_by_session` (#56)
- `restrict_token_reuse` disables session reuse (#51)
- Optionally pass `request` to `after_session_save` (#49)
- Sign in via `Passwordless::Session` instead of authenticatable and store it in `session` instead of `cookies` (#56)
- `sign_in` helper now expects a `Passwordless::Session`.
- Option to customize callback (eg. send e-mail, sms, whatever) (#39)
- Use `timeout_at` instead of `expires_at` when signing in (#43)
- Option to set custom expiration and timeout durations (#37)
- Allow overriding the lookup method of the user resource (#33)
- Fixed: Support models using Single Table Inheritance (#26)
- Fixed: Missing `as:` on session association `has_many` (#23)
- Added: Include main app's routes in passwordless views
- Fixed: Authenticatable (User) lookup is case-insensitive
- Added: Support for I18n (Thanks @mftaff)
- Fixed: Actually expire sessions (Thanks @mftaff)
- Added: `build_passwordless_session` controller helper
- Added: Documentation! (Thanks to @mftaff)
- Fixed: Case-insensitive email lookup
- Fixed: Post-sign in redirect destination is scoped to model
- Added: Redirect to previous destination post sign in
- Added: `#passwordless_controller?`
- Fixed: Inherit from main app's ApplicationController
- Fixed: Removed Gemfile.lock
- Added: An option to provide a custom token generator
- Added: Changelog