The noteworthy changes for each Clearance version are included here. For a complete changelog, see the git history for each version via the version links.
2.4.0 - March 5, 2021
- Optionally use signed cookies to prevent remember token timing attacks
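The following is an added example written for this page; it is not code from the Clearance gem. It shows the mechanism behind the 2.4.0 entry: the remember token is looked up by equality, so in principle an attacker with very precise timing could probe it byte by byte. Wrapping the token in an HMAC signature (Rails' signed cookie jar does this with secret_key_base; here OpenSSL and a hand-rolled constant-time compare stand in so the block runs on plain Ruby) means a forged or tampered cookie is rejected in constant time before any database lookup happens. The Set-Cookie attributes it emits (HttpOnly, Secure, SameSite, and an expiry driven by a remember_me cookie) mirror Clearance options described elsewhere on this page, but the function names, the random SIGNING_SECRET and the in-memory user table are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "time"

# Added example, not Clearance's code. Stand-in for Rails' secret_key_base.
SIGNING_SECRET = SecureRandom.hex(32)

# Constant-time comparison (same idea as Rack::Utils.secure_compare); a plain
# == stops at the first differing byte and so leaks timing.
def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value = base64(token) + "--" + HMAC-SHA256 over the base64 part.
def sign_token(token, secret = SIGNING_SECRET)
  payload = Base64.strict_encode64(token)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}--#{mac}"
end

# Returns the raw token, or nil when the value is malformed or the MAC is
# wrong. The MAC check is constant-time and runs before any database work.
def verify_signed_token(value, secret = SIGNING_SECRET)
  return nil unless value.is_a?(String)
  payload, mac = value.split("--", 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_compare(expected, mac)
  Base64.strict_decode64(payload)
rescue ArgumentError # payload was not valid base64
  nil
end

# Set-Cookie header for the remember token. The flags correspond to Clearance's
# httponly, secure_cookie and same_site options; the expiry is derived from the
# other request cookies, like a cookie_expiration lambda that receives cookies.
def remember_cookie_header(token, cookies: {}, name: "remember_token",
                           secure: true, same_site: "Lax")
  parts = ["#{name}=#{sign_token(token)}", "path=/", "HttpOnly"]
  parts << "Secure" if secure
  parts << "SameSite=#{same_site}" if same_site
  if cookies["remember_me"] == "1"
    parts << "expires=#{(Time.now.utc + 365 * 24 * 3600).httpdate}"
  end
  parts.join("; ")
end

# Only a cookie whose signature verified is used for the user lookup, so an
# attacker cannot exercise the database comparison with chosen token bytes.
def user_from_cookie(cookie_value, users_by_token)
  token = verify_signed_token(cookie_value)
  token && users_by_token[token]
end
```

In a Rails app the equivalent is to read and write the remember token through cookies.signed, which is what the 2.4.0 option enables; rotating secret_key_base invalidates every outstanding signed cookie at once.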
2.3.1 - March 5, 2021
- Support for accessing Rails 6.x primary_key_type in generator.
- Fix password reset URLs when using a custom model
- Fix flaky test that relied on too specific time delta
- Revert case sensitivity for email uniqueness
- Bump nokogiri and actionview dependencies to address security vulnerabilities
2.3.0 - August 14, 2020
- Delete cookie correctly when a callable object is set as the custom domain setting.
- Strip the as parameter when signing in through the back door.
- Remove broken autoload for deprecated password strategies.
- Deliver password reset email inline rather than in the background.
- Remove unnecessary unsafe interpolation in erb templates.
2.2.1 - August 7, 2020
- Prevent user enumeration by timing attacks. Trying to log in with an unrecognized email address will now take the same amount of time as for a user that does exist in the system.
2.2.0 - July 9, 2020
- Add an Argon2 password strategy
- Use strings instead of classes on guard classes, avoids Rails deprecation warning.
- Use find_by style for finders, which improves neo4j support.
- Provide an explicit case sensitivity option for email uniqueness, avoiding a Rails deprecation warning.
2.1.0 - December 19, 2019
- Add a parent_controller configuration option to specify the controller that Clearance's BaseController will inherit from. Defaults to ApplicationController.
- Use the configured primary_key_type from the Active Record settings of the project including Clearance, if it is set, while generating migrations. For example, a setting of :uuid in a Rails app using Clearance will cause the clearance-generated migrations to use this for the users table id type.
- Delete cookies correctly when a custom domain setting is being used.
- Do not set the authorization cookie on requests which did not exercise the authorization code. Reduces the chances of leaving an auth cookie in a publicly cacheable page that didn't require authorization to access.
- Update the email_validator gem to a newer version and embrace the more relaxed email validation options which it now defaults to.
- When a password reset request is submitted without an email address, a flash alert is now provided. Previously this continued silently as though it had worked. We still proceed that way when there is an invalid (but present) value, so as not to reveal existent vs. non-existent emails in the database.
- Remove an unused route to passwords#create nested under users.
- No longer include the (rarely used in practice) application layout as part of the views installer; but continue to provide some stock sign-in/out and flash partial code in the gem installation README output.
- Remove the existing deprecation notice around the rotate_csrf_on_sign_in setting, and make that setting default to true.
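The following is an added example written for this page, not code from the Clearance gem. It illustrates two related user enumeration defences: the 2.2.1 entry, where a sign-in attempt with an unknown email still pays the full password hashing cost so response time does not reveal whether the address exists, and the 2.1.0 password reset entry above, where only a blank address gets an alert while any present address, existing or not, gets the same neutral response. PBKDF2-HMAC-SHA256 stands in for bcrypt so the block runs without the bcrypt gem; the user table, the deliveries array and the message strings are constructed for the example.

```ruby
require "openssl"
require "securerandom"

# Added example, not Clearance's code. PBKDF2 stands in for bcrypt; only the
# cost-equalisation idea matters, not the particular hash.
HASH_ITERATIONS = 50_000

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, HASH_ITERATIONS, 32, "sha256")
end

def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Salt used to burn the same hashing cost when the email is unknown.
DUMMY_SALT = SecureRandom.random_bytes(16)

# users: email => { salt:, digest: }. Returns the email on success, else nil.
def authenticate(email, password, users)
  record = users[email]
  if record
    secure_compare(hash_password(password, record[:salt]), record[:digest]) ? email : nil
  else
    # 2.2.1 fix: an unknown address still pays the full hash cost, so a
    # stopwatch cannot tell "no such user" from "wrong password".
    hash_password(password, DUMMY_SALT)
    nil
  end
end

# Wall-clock time of one attempt, for checking the two paths with a stopwatch.
def timed_authenticate(email, password, users)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = authenticate(email, password, users)
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
end

# Password reset request (2.1.0 behaviour): a blank address gets an alert; any
# present address gets one neutral notice whether or not it exists; only real
# accounts receive a token and an email. deliveries stands in for the mailer.
NEUTRAL_NOTICE = "If that address is registered, reset instructions have been emailed to it."

def request_password_reset(email, users, deliveries)
  return { status: :alert, message: "Please enter an email address." } if email.to_s.strip.empty?
  if (record = users[email])
    record[:reset_token] = SecureRandom.hex(16)
    deliveries << { to: email, token: record[:reset_token] }
  end
  { status: :notice, message: NEUTRAL_NOTICE }
end
```

The remaining observable difference is the email itself, which only a real account owner receives; the HTTP response, its status and its wording are identical for known and unknown addresses.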
2.0.0 - November 12, 2019
- Add support for Rails version 6
- Allow cookie_domain to be configured with a lambda for custom configuration.
- Add ability to configure BCrypt computational cost of hash calculation.
- Add same_site configuration option for increased CSRF protection.
- Fix issue where invalid params could raise NoMethodError when updating and resetting passwords.
- The backdoor auth mechanism now supports scenarios where Rails.env has been configured via env variables other than RAILS_ENV (RACK_ENV for example).
- Removed support for Ruby versions older than 2.4
- Removed support for Rails versions older than 5.0
- Removed all deprecated code from Clearance 1.x
- Flash messages now use flash[:alert] rather than flash[:notice] as they were used as errors more often than notices.
1.17.0 - April 11, 2019
- Update the HttpOnly cookie setting for the remember token to default to true, which prevents the value from being available to JavaScript.
- Add configuration option to allow the auth backdoor to work in specified environments (defaults to test, development, ci).
1.16.2 - February 25, 2019
- Added missing translation keys
- Fix issue where a cookie value could be set more than once when interacting with the httponly option.
- Remove Rails as a dependency so that clearance does not trigger a cascade of requirements as rails pulls in every framework. Instead, depend on just the frameworks relevant to Clearance.
- Prevent Clearance::BackDoor from being used outside the "test" environment.
1.16.1 - November 2, 2017
- Fixed issue where tokens from abandoned password reset attempts were stored in the session, preventing newly generated password reset tokens from working.
- Improve compatibility with Rails API projects by calling helper_method only when it is defined.
- URL fragments in server-set session[:return_to] values are preserved when redirecting to the stored value.
- Eliminated deprecations in Clearance test helpers that were related to the renaming of FactoryGirl to FactoryBot.
1.16.0 - January 16, 2017
- Clearance users can now help prevent session fixation attacks by setting Clearance.configuration.rotate_csrf_on_sign_in to true. This will cause the user's CSRF token to be rotated on sign in and is recommended for all Clearance applications. This setting will default to true in Clearance 2.0. Clearance will emit a warning on each sign in until this configuration setting is explicitly set to true or false.
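The following is an added example written for this page, not code from the Clearance gem. It shows why rotating the CSRF token at sign in matters: if an attacker learns the anonymous session's token before the victim authenticates (a shared browser, or a session the attacker planted), that token keeps working after login unless it is discarded. A Hash stands in for the Rails session, the :_csrf_token key and the simplified (unmasked) token check are assumptions for the example, and Rails' real check is more elaborate.

```ruby
require "securerandom"

# Added example, not Clearance's code. A Hash stands in for the Rails session;
# :_csrf_token is assumed to be the key the app keeps its token under.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time check of a submitted token against the session's token.
def valid_csrf?(session, submitted)
  expected = csrf_token(session)
  return false unless submitted.is_a?(String) && submitted.bytesize == expected.bytesize
  submitted.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign in; with rotate_csrf the pre-authentication token is discarded so the
# next call to csrf_token issues a fresh one, which is what the
# rotate_csrf_on_sign_in setting above turns on.
def sign_in(session, user_id, rotate_csrf: true)
  session[:user_id] = user_id
  session.delete(:_csrf_token) if rotate_csrf
  session
end

# Fixation scenario: the attacker records the token before the victim signs in
# and replays it afterwards. Returns whether the replayed token is still
# accepted for a state-changing request in the authenticated session.
def fixation_succeeds?(rotate_csrf:)
  session = {}
  leaked = csrf_token(session)
  sign_in(session, 42, rotate_csrf: rotate_csrf)
  valid_csrf?(session, leaked)
end
```

Rotating the token closes the CSRF half of the problem; the session identifier itself should also be regenerated at sign in (reset_session in Rails) so that a pre-planted session cookie does not survive authentication either.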
1.15.1 - October 6, 2016
- Password reset form redirect no longer uses a named route helper, which means it will work for developers that have customized their routes.
1.15.0 - September 26, 2016
- Prevent possible password reset token leak to external sites linked to on the password reset page. See PR #707 for more information.
1.14.2 - August 10, 2016
- Fixed incompatibility with the attr_encrypted gem by inlining the body of the encrypt helper method used in the BCrypt password strategy.
1.14.1 - May 12, 2016
- Fixed insertion of include Clearance::User when running the install generator in an app that already has a User model.
- Updated the deny_access matcher to assert against the configured redirect location rather than a hard coded /.
1.14.0 - April 29, 2016
- Clearance::BackDoor now accepts a block, allowing the user for a test to be looked up by a parameter other than id if you have overridden to_param for the User model.
- We now correctly track the dirty state of User#encrypted_password, which fixes custom validations on User#password (e.g. validating password length) that were conditional on the password actually changing.
- The clearance:install generator will now generate a User model that inherits from ApplicationRecord if run on a Rails 5 app that doesn't already have a User model.
- User#password_changing is deprecated in favor of automatic dirty tracking on encrypted_password and password. If you are calling this in your application you should be able to remove it.
1.13.0 - March 4, 2016
- Clearance now supports Rails 5.0.0.beta3 and newer.
- Clearance will now infer the parameter name to use when accessing user parameters in a request. This previously used :user, which was incorrect for customized user models.
- Generated feature specs no longer rely on RSpec monkey patches.
1.12.1 - January 7, 2016
- Fixed the create_users migration generated by rails generate clearance:install under Rails 3.x.
1.12.0 - November 17, 2015
- Users will now see a flash message when redirected to sign in by require_login. The I18n key for this message is flashes.failure_when_not_signed_in and defaults to "Please sign in to continue".
- Added significant API documentation. API documentation effort is ongoing.
- Fixed expectation in the generated visitor_resets_password_spec.rb file.
- Corrected indentation of routes inserted by the routes generator.
- Corrected indentation of include Clearance::User when the install generator adds it to an existing user class.
1.11.0 - August 21, 2015
- Add sign_in and sign_in_as helper methods to view specs. These helpers avoid errors from verified partial doubles that come from. See 462c009.
- clearance:routes generator now properly disables internal routes in your Clearance initializer.
- Clearance now accesses the cookie jar via ActionDispatch::Request rather than Rack::Request. This is more consistent with what Rails does internally.
- Clearance::Testing::Helpers has been deprecated in favor of Clearance::Testing::ControllerHelpers. Most users are accessing these helpers by requiring clearance/rspec or clearance/test_unit and should be unaffected.
1.10.1 - May 15, 2015
- All clearance-provided password strategies other than BCrypt have been deprecated. You can continue to use those strategies without a deprecation warning by adding clearance-deprecated_password_strategies to your Gemfile.
1.9.0 - April 3, 2015
- The change password mailer now produces a multipart message which includes a text part along with the previously existing HTML part. To override the text part, add change_password.text.erb alongside your change_password.html.erb file.
- Custom user_model configured in a Rails initializer will now be reloaded in development mode.
- Change password template now contains "Change my password" link text to address an issue linking the URL in some mail clients.
1.8.1 - March 3, 2015
- Enable cross-site request forgery protection on sessions#create. See 7f5d56e.
- All methods included by Clearance::Controller are now excluded from action_methods.
1.8.0 - January 23, 2015
- The remember token cookie name is now customizable via Clearance.configuration.cookie_name.
- Fixed a redirect loop on the sign in page for applications that are still using the deprecated authorize filter.
- Signed in users that attempt to visit the sign in path are now redirected. The redirect URL defaults to the same URL used for the redirect after sign in, but can be customized by overriding passwords_controller#url_for_signed_in_users.
- users_controller#avoid_sign_in is now deprecated in favor of redirect_signed_in_users which is more accurately named.
1.7.0 - January 8, 2015
- Fix the negation of the deny_access matcher in Rails 4.0.x on Ruby 2.2.
- The authorize filter has been deprecated in favor of require_login. Update all references to the filter including any calls to skip_before_filter or skip_before_action.
- The Clearance.root method has been deprecated. It was used internally and unlikely to impact external users.
1.6.1 - January 6, 2015
- Secure cookies are no longer overwritten when the user visits a non-HTTPS URL.
1.6.0 - December 20, 2014
- When using Rails 4.2, password reset emails are sent with the ActiveJob-compatible #deliver_later method.
1.5.1 - December 19, 2014
- Blowfish password strategy fixed
- Specs generated with rails generate clearance:specs now work properly in RSpec 3 projects.
1.5.0 - October 17, 2014
- Disable clearance routes by setting config.routes = false.
- Running rails generate clearance:routes will dump the default set of routes to your application's routes file for modification.
1.4.3 - October 3, 2014
- Routing constraints act appropriately when session data is missing.
1.4.2 - September 13, 2014
- Eliminate deprecation message when using DenyAccess matcher with RSpec 3.
1.4.1 - September 5, 2014
- Prevent BCrypt strategy from raising an exception when encrypted_password is nil.
1.4.0 - July 18, 2014
- user_params method was added to Clearance::UsersController which provides a convenient place to override the parameters used when creating users.
- Controllers now inherit from Clearance::BaseController to allow for easily adding behavior to all of them.
- The sign out link in the default application layout has been replaced with a semantically correct sign out button. This also removes an unnecessary JavaScript dependency.
- Clearance now uses original_fullpath when redirecting to a saved URL after login. This should improve the behavior in mounted engines.
1.3.0 - March 14, 2014
- Installing Clearance with an existing User model will now create a migration that includes adding remember tokens to all existing user records.
1.2.1 - March 6, 2014
- Query string is now included in the redirect URL when Clearance redirects to a previously stored URL.
1.2.0 - February 28, 2014
- Support for Rails 4.1.0.rc1
- Sign in can now be disabled with config.allow_sign_in = false.
- Sign in failure message is now customized exclusively via I18n. SessionsController#flash_failure_after_create is no longer called. To customize the message, change the clearance.controllers.sessions.bad_email_or_password or flashes.failure_after_create key.
- clearance/testing is now deprecated. Require clearance/rspec or clearance/test_unit as appropriate.
1.1.0 - November 21, 2013
- Validate email with EmailValidator strict mode.
- The cookie_expiration configuration lambda can now be called with a cookies parameter. Allows the Clearance cookie expiration to be set according to the value of another cookie (such as remember_me).
- Allow cookie domain and path configuration.
- Add sign in guards.
- Don't allow logins with blank remember_token.
- A cookie_expiration lambda that does not accept this cookies parameter has been deprecated.
1.0.1 - August 9, 2013
- Fix an issue when trying to sign in with nil.
1.0.0 - August 1, 2013
- Support Rails 4.
- Speed up test suites using ::BCrypt::Engine::MIN_COST.
- Speed up integration suites with Clearance::BackDoor.
- Provide BCryptMigrationFromSHA1 password strategy to help people migrate from SHA1 (the old default password strategy) to BCrypt (the new default).
- Support Ruby 2.
- More extension points in more controllers.
- Add SignedIn and SignedOut routing constraints.
- Add a fake password strategy, which is useful when writing tests.
- Add redirect_url configuration option.
- Add secure_cookie configuration option.
- Change default password strategy to BCrypt.
- Replace email regular expression with EmailValidator gem.
- Require > Ruby 1.9.
- The email, encrypted_password, and remember_token fields of the users table are NOT NULL in the default migration.
- Replace Cucumber feature generator with RSpec + Capybara.
- Remove Diesel dependency.
- PasswordsController params[:user] has changed to params[:password_reset] to avoid locale conflicts.
- Improve security when changing password.
- Reduce extra user lookups when adding cookie to headers.
- Unauthorized API requests return HTTP status 401 rather than a redirect to the sign in page.
- Remove deprecated methods on User: remember_me!, generate_random_code, password_required?.
- Remove unloadable from controllers (Rails 4 bug fix in development environment).
- Remove support for supplying return_to value via request parameter.
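The following is an added example written for this page, not code from the Clearance gem. It shows the lazy-migration pattern behind the BCryptMigrationFromSHA1 strategy listed above: a record still carrying a legacy SHA1 hash is verified against that hash, and on a successful sign in the password (which is only available in plaintext at that moment) is re-hashed with the stronger scheme, so the whole user table migrates one login at a time without forcing resets. PBKDF2-HMAC-SHA256 stands in for bcrypt so the block runs without the bcrypt gem, the legacy salt layout is an assumption, and the user Hash and the pbkdf2$ prefix are constructed for the example.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Added example, not Clearance's code. PBKDF2 stands in for bcrypt; the
# migrate-on-successful-login pattern is what matters.
PBKDF2_ITERATIONS = 50_000

# Constructed legacy scheme: one SHA1 over a salt/password combination. The
# exact layout of the old Clearance strategy is assumed here for illustration.
def legacy_sha1(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# New scheme, self-describing so verify_strong can read its own parameters.
def strong_hash(password, salt, iterations = PBKDF2_ITERATIONS)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, "sha256")
  "pbkdf2$#{iterations}$#{salt}$#{digest.unpack1("H*")}"
end

def secure_compare(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def strong_hash?(stored)
  stored.to_s.start_with?("pbkdf2$")
end

def verify_strong(password, stored)
  _, iterations, salt, hex = stored.split("$", 4)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, 32, "sha256")
  secure_compare(candidate.unpack1("H*"), hex)
end

# user: { salt:, encrypted_password: }. Returns true when the password matches.
# A legacy record that authenticates is rewritten in place with the new scheme
# and its standalone salt column is dropped, since the new format embeds it.
def authenticate_and_migrate(user, password)
  if strong_hash?(user[:encrypted_password])
    verify_strong(password, user[:encrypted_password])
  else
    return false unless secure_compare(legacy_sha1(password, user[:salt]), user[:encrypted_password].to_s)
    user[:encrypted_password] = strong_hash(password, SecureRandom.hex(16))
    user.delete(:salt)
    true
  end
end
```

Records whose owners never sign in again keep the weak hash indefinitely, so a migration like this is normally paired with a deadline after which remaining legacy hashes are invalidated and those users must reset their password.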
0.16.2 - May 11, 2012
- Change default email sender to [email protected].
0.16.1 - April 16, 2012
- Behave correctly when Rails whitelist attributes mass assignment protection is turned on.
- Fix for Rails 3.2.x modifying the HTTP cookie headers in rack requests.
0.16.0 - March 16, 2012
- Blowfish password encryption strategy.
0.15.0 - February 3, 2012
- The User model can be swapped out using the Clearance.configure method.
- Remove User::InstanceMethods to silence a Rails 3.2 deprecation warning.
0.14.0 - January 13, 2012
- Support clearance session management from the Rack environment.
0.13.2 - January 13, 2012
- Fixed the deny_access matcher.
0.13.0 - October 11, 2011
- In Clearance's optional generated features, use pure Capybara instead of depending on Cucumber's removed web_steps, paths, and selectors.
- Extract SHA-1-specific code out of User into PasswordStrategies module.
- Extract sign in form so that other methods can be added easily.
- Test against Rails 3.1. Required upgrades to Diesel and Appraisal.
0.12.0 - June 30, 2011
- Denying access redirects to root_url when signed in, sign_in_url when signed out.
- Using flash :notice key everywhere now instead of :success and :failure. More in line with Rails conventions.
- redirect_back_or on sign up.
- Resetting password no longer redirects to sign in page. It displays a message telling them to look for an email.
- Removed redundant flash messages. ("Signed in.", "Signed out.", and "You are now signed up.")
0.11.2 - June 29, 2011
- Rails 3.1.rc compatible.
- RSpec and Test::Unit compliant test matcher (should deny_access, etc).
- No more Clearance shoulda_macros. Instead providing RSpec and Test::Unit-compliant test matchers (should deny_access, etc).
0.11.1 - April 30, 2011
- Redirect to home page after sign up.
- Removing :case_sensitive option from validates_uniqueness_of. It was unnecessary and causes a small performance problem on some apps.
- Remove dependency on dynamic_form. Replaced with flashes due to limited number of failure cases.
0.11.0 - April 24, 2011
- New controller#authenticate(params) method. Redefine username & password or other styles of authentication.
- before_filter :authenticate API replaced with more aptly-named before_filter :authorize.
- Removing password confirmation.
0.10.5 - April 19, 2011
- Closing CSRF hole for Rails >= 3.0.4 apps.
0.10.4 - April 16, 2011
- Use HTML5 email fields.
- Emails forced to be downcased (particularly for iPhone user case).
- Password reset requires a password.
- Formtastic views generator removed.
0.10.3.2 - March 6, 2011
- Fix gemspec to include all necessary files.
0.10.3.1 - February 20, 2011
- Ensure everything within features inside any engine directory is included in the gemspec.
0.10.3 - February 19, 2011
- Include features/engines in gemspec file list so generator works as expected.
0.10.2 - February 18, 2011
- New generator command: rails generate clearance:install.
- When Clearance installed in an app that already has users, allow old users to sign in by resetting their password.
- Step definitions are now prefixed with visitor_ to use thoughtbot convention.
0.10.1 - February 9, 2011
- Replaced ActionController::Forbidden with a user-friendly flash message.
0.10.0 - June 29, 2010
- Better email validation regular expression.
- Removed email confirmation step, was mostly a hassle and can always be added back in at the application level (instead of engine level) if necessary.
- Removed disable_with on forms since it does not allow IE users to submit forms.
0.9.1 - June 29, 2010
- This release supports Rails 3, capybara, and shoulda 2.10+.
0.9.0 - June 11, 2010
- Allow customization of cookie duration.
- Removed unnecessary db index.
0.8.8 - February 25, 2010
- Fixed sign_in and sign_out not setting current_user.
0.8.7 - February 21, 2010
- Fixed global sign out bug.
- Allow Rails apps to before_filter :authenticate the entire app in ApplicationController and still have password recovery work without overriding any controllers.
- Rails 3 fix for ActionController/ActionDispatch change.
0.8.6 - February 17, 2010
- Allow overridden user models to skip email/password validations conditionally. This makes username/facebook integration easier.
- Clearance features capitalization should match view text.
- Skip :authenticate before_filter in controllers so apps can easily authenticate a whole site without subclassing.
- Added randomness to token and salt generation.
- Reset the remember_token on sign out instead of sign in. Allows for the same user to sign in from two locations at once.
- Append the version number to generated update migrations.
0.8.5 - January 20, 2010
- Removed attr_accessible from Clearance::User.
- Remove dependency on root_path, use '/' instead.
- Use Clearance.configure block to set mailer sender instead of DO_NOT_REPLY constant.
- Replaced routing hack with Clearance::Routes.draw(map) to give more control to the application developer.
- Fixed bug in password reset feature.
0.8.4 - December 08, 2009
- Remove unnecessary require 'factory_girl' in generator.
0.8.3 - September 21, 2009
- Avoid possible collisions in the remember me token.
0.8.2 - September 01, 2009
- current_user= accessor method.
- Set current_user in sign_in.
0.8.1 - August 31, 2009
- Removed unnecessary remember_token_expires_at column.
- Removed remember? and forget_me! user instance methods.
0.8.0 - August 31, 2009
- Documented Clearance::Authentication with YARD.
- Documented Clearance::User with YARD.
- Always remember me. Replaced session-and-remember-me authentication with always using a cookie with a long timeout.
0.7.0 - August 4, 2009
- Added signed_out? convenience method for controllers, helpers, views.
- Added clearance_views generator. By default, creates formtastic views which pass all tests and features.
- Redirect signed in user who clicks confirmation link again.
- Redirect signed out user who clicks confirmation link again.
0.6.9 - July 4, 2009
- Added timestamps to create users migration.
- Ready for Ruby 1.9.
0.6.8 - June 24, 2009
- Added defined? checks for various Rails constants such as ActionController for easier unit testing of Clearance extensions, particularly ActiveRecord extensions such as strong_password.
0.6.7 - June 13, 2009
- Added sign_up, sign_in, sign_out named routes.
- flash_success_after_create, flash_notice_after_create, flash_failure_after_create, flash_sucess_after_update, flash_success_after_destroy, etc.
- Added #create to forbidden before_filters on confirmations controller.
- should_be_signed_in_as shouldn't look in the session.
- Deprecated sign_user_in. Told developers to use sign_in instead.
0.6.6 - May 18, 2009
- Replaced class_eval in Clearance::User with modules. This was needed so we could write our own validations.
0.6.5 - May 17, 2009
- Make Clearance i18n aware.
0.6.4 - May 12, 2009
- Replacing sign_in_as & sign_out shoulda macros with a stubbing (requires no dependency) approach. This will avoid dealing with the internals of current_user, such as session & cookies. Added sign_in macro which signs in an email confirmed user from clearance's factories.
- Move private methods on sessions controller into Clearance::Authentication module.
- Audited flash keys.
0.6.3 - April 23, 2009
- Scoping ClearanceMailer properly within controllers so it works in production environments.
0.6.2 - April 22, 2009
- Insert Clearance::User into User model if it exists.
0.6.1 - April 21, 2009
- Scope operators are necessary to keep Rails happy. Reverting the original revert so they're back in the library now for constants referenced inside of the gem.
0.6.0 - April 21, 2009
- Converted Clearance to a Rails engine.
- Include Clearance::User in User model in app.
- Include Clearance::Authentication in ApplicationController.
- Namespace controllers under Clearance module.
- Routes move to engine, use namespaced controllers but publicly the same.
- If you want to override a controller, subclass it like SessionsController < Clearance::SessionsController. This gives you access to usual hooks such as url_after_create.
- Controllers, mailer, model, routes all unit tested inside engine. Use script/generate clearance_features to test integration of Clearance with your Rails app. No longer including modules in your app's test files.
- Moved views to engine.
- Converted generated test/factories/clearance.rb to use inheritance for email_confirmed_user.
- Corrected some spelling errors with methods.
- Loading clearance routes after rails routes via some monkey patching.
- Made the clearance controllers unloadable to stop constant loading errors in development mode.
0.5.6 - April 11, 2009
- Step definition changed for "User should see error messages" so features won't fail for certain validations.
0.5.5 - March 23, 2009
- Removing duplicate test to get rid of warning.
0.5.4 - March 21, 2009
- When users fail logging in, redirect them instead of rendering.
0.5.3 - March 5, 2009
- Clearance now works with (and requires) Shoulda 2.10.0.
0.5.2 - March 2, 2009
- Fully compatible with Rails 2.3 (all tests pass).
0.5.1 - February 27, 2009
- A user with unconfirmed email who resets password now confirms email.
- Switch order of cookies and sessions to take advantage of Rails 2.3's "Rack-based lazy-loaded sessions".
- Altered generator to interact with application_controller.rb instead of application.rb in Rails 2.3 apps.
- Rack-based session change altered how to test remember me cookie.
0.5.0 - February 27, 2009
- Fixed problem with Cucumber features.
- Fixed missing HTTP fluency use case.
0.4.9 - February 20, 2009
- Protect passwords & confirmations actions with forbidden filters.
- Return 403 Forbidden status code in those cases.
- Fixed bug that allowed anyone to edit another user's password.
0.4.8 - February 16, 2009
- Added documentation for the flash.
- Generators require 'test_helper' instead of File.join for RR compatibility.
- Removed interpolated email address from flash message to make i18n easier.
- Standardized flash messages that refer to email delivery.
0.4.7 - February 12, 2009
- Removed Clearance::Test::TestHelper so there is one less setup step.
- All test helpers now in shoulda_macros.
0.4.6 - February 11, 2009
- Created Actions and PrivateMethods modules on controllers for future RDoc reasons.
0.4.5 - February 9, 2009
- Added password reset feature to clearance_features generator.
- Only store location for session[:return_to] for GET requests.
- Audited "sign up" naming convention. "Register" had slipped in a few places.
- Switched to SHA1 encryption. Cipher doesn't matter much for email confirmation, password reset. Better to have shorter hashes in the emails for clients who line break on 72 chars.
- Removed email downcasing because local-part is case sensitive per RFC5321.
- Removed unnecessary session[:salt].
0.4.4 - February 2, 2009
- Added a generator for Cucumber features.
- Standardized naming for "Sign up," "Sign in," and "Sign out".