- Fix brute force vuln due to callbacks not being run #235
- Revert on_load change due to breaking existing applications #234
- Add forget_me! and force_forget_me! test cases #216
- In `generic_send_email`, check `responds_to` #211
- Fix typo #219
- Fix deprecation warnings in Rails 6 #209
- Add ruby 2.6.5 to the travis build #215
- Add discord provider #185
- Remove MySQL database creation call #214
- Use id instead of uid for VK provider #199
- Don't `:return_to` JSON requests after login #197
- Fix email scope for LinkedIn Provider #191
- Ignore cookies when they are undefined #187
- Allow for custom providers with multi-word class names. #190
- Update LinkedIn to use OAuth 2 #189
- Support the LINE login auth #80
- Allow BCrypt to have app-specific secret token #173
- Add #change_password method to reset_password module. #165
- Clean up initializer comments #153
- Allow load_from_magic_login_token to accept a block #152
- Fix CipherError class name #142
- Fix `update_failed_logins_count` being called twice when login failed #163
- Update migration templates to use new hash syntax #170
- Support for Rails 4.2 and lower soft-dropped #171
- Add support for Rails 5.2 / Ruby 2.5 #129
- Fix migration files not being generated #128
- Add support for ActionController::API #133, #150, #159
- Update activation email to use after_commit callback #130
- Add opt-in `invalidate_active_sessions!` method #110
- Pass along `remember_me` to `#auto_login` #136
- Respect SessionTimeout on login via RememberMe #102
- Added `demodulize` on authentication class name association name fetch #147
- Remove Gemnasium badge #140
- Add Instagram provider #51
- Remove `publish_actions` permission for Facebook #139
- Prepare for 1.0.0 #157
- Add Auth0 provider #160
- Fix magic_login not inheriting from migration_class_name #99
- Update YARD dependency #100
- Make `#update_attributes` behave like `#update` #98
- Add tests to the magic login submodule #95
- Set user.stretches to 1 in test env by default #81
- Allow user to be loaded from other source when session expires. fix #89 #94
- Added a new ArgumentError for not defined user_class in config #82
- Updated Required Ruby version to 2.2 #85
- Add configuration for token randomness #67
- Add facebook user_info_path option to initializer.rb #63
- Add new function: `build_from` (allows building a user instance from OAuth without saving) #54
- Add rubocop configuration and TODO list #107
- Add support for VK OAuth (thanks to @Hirurg103) #109
- Fix token leak via referrer header #56
- Add `login_user` helper for request specs #57
- Refer to User before calling remove_const to avoid NameError #58
- Resurrect block authentication, showing auth failure reason. #41
- Add github scope option to initializer.rb #50
- Fix Facebook being broken due to API deprecation #53
- Revert removal of MongoID Adapter (breaks Sorcery for MongoID users until separate gem is created) #45
- Added support for Microsoft OAuth (thanks to @athix) #37
- Fixed LinkedIn bug #36
- Adapters (Mongoid, MongoMapper, DataMapper) are now separated from the core Sorcery repo and moved under the `sorcery-rails` organization. Special thanks to @juike!
- `current_users` method was removed
- Added `logged_in?`, `logged_out?` and `online?` to activity_logging instance methods
- Added support for PayPal OAuth (thanks to @rubenmoya)
- Added support for Slack OAuth (thanks to @youzik)
- Added support for WeChat OAuth (thanks to @Darmody)
- Deprecated Rails 3
- Deprecated using `callback_filter` in favor of `callback_action`
- Added `null: false` to migrations
- Deprecated using
- Added support for Rails 5 (thanks to @kyuden)
- Added support for Ruby 2.4 (thanks to @kyuden)
- Added WeChat provider to external submodule.
- Namespace login lock/unlock methods to fix conflicts with Rails lock/unlock (thanks to @kyuden)
- Fixed fetching private emails from github (thanks to @saratovsource)
- Added support for `active_for_authentication?` method (thanks to @gchaincl)
- Fixed migration bug for `external` submodule (thanks to @skv-headless)
- Added support for new Facebook Graph API (thanks to @mchaisse)
- Fixed issue with Xing submodule (thanks to @yoyostile)
- Fixed security bug with using `state` field in OAuth requests
- Sending emails works with Rails 4.2 (thanks to @wooly)
- Added `valid_password?` method
- Added support for JIRA OAuth (thanks to @camilasan)
- Added support for Heroku OAuth (thanks to @tyrauber)
- Added support for Salesforce OAuth (thanks to @supremebeing7)
- Added support for Mongoid 4
- Fixed issues with empty passwords (thanks to @Borzik)
- `find_by_provider_and_uid` method was replaced with `find_by_oauth_credentials`
- Sorcery::VERSION constant was added to allow easy version check
- `@user.setup_activation` method was made public (thanks @iTakeshi)
- `current_users` method is deprecated
- Fetching email from VK auth, thanks to @makaroni4
- Add logged_in? method to test_helpers (thanks to @oriolbcn)
- #locked? method is now public API (thanks @rogercampos)
- Introduces a new User instance method `generate_reset_password_token` to generate a new reset password token without sending an email (thanks to @tbuehl)
- `current_user` returns `nil` instead of `false` if there's no user logged in (#493)
- MongoMapper adapter does not override the `save!` method anymore. However, due to the ORM's lack of support for `validate: false` in `save!`, the combination of `validate: false` and `raise_on_failure: true` is not possible in MongoMapper. The errors will not be raised in this situation. (#151)
- Fixed rename warnings for bcrypt-ruby
- The way Sorcery adapters are included has been changed due to a "multiple `included` blocks" error in the `ActiveSupport::Concern` class (#527)
- Session timeout works with the new cookie serializer introduced in Rails 4.1
- Rails 4.1 compatibility bugs were fixed, this version is fully supported (#538)
- VK provider now supports the `scope` option
- Support for DataMapper added
- Helpers for integration tests were added
- Fixed problems with special characters in user login attributes (MongoMapper & Mongoid)
- Fixed remaining `password_confirmation` value: it is now cleared just like `password`
- Fixed add_provider_to_user with CamelCased authentications_class model (#382)
- Fixed unlock_token_mailer_disabled to only disable automatic mailing (#467)
- Make send_email_* methods easier to overwrite (#473)
- Don't add `:username` field for User. Config option `username_attribute_names` is now `:email` by default instead of `:username`. If you're using `username` as the main field for users to log in, you'll need to tune your Sorcery config:

  ```ruby
  config.user_config do |user|
    # ...
    user.username_attribute_names = [:username]
  end
  ```

- `rails generate sorcery:install` now works inside a Rails engine
- Few security fixes in `external` module
- Activity logging feature has a new column called `last_login_from_ip_address` (string type). If you use ActiveRecord, you will have to add this column to the DB (#465)
- Fixed a bug in the new generator
- Many bugfixes
- MongoMapper added to supported ORMs list, thanks @kbighorse
- Sinatra support discontinued!
- New generator contributed by @ahazem
- Cookie domain setting contributed by @Highcode
- Many bugfixes
- Added default SSL certificate for oauth2
- Added multi-username ability
- Security fixes (CSRF, cookie digesting)
- Added auto_login(user) to the API
- Updated gem versions of oauth(1/2)
- Added logged_in? as a view helper
- Github provider added to external submodule
Gemfile versions updated due to public demand. (bcrypt 3.0.0 and oauth2 0.4.1)
Fixes issues with external user_hash not including some fields, and an issue with User model not loaded when user_class is called. Now config.user_class should be a string or a symbol.
Improved specs.
Fixed #9 Fixed hardcoded method names in remember_me submodule. Improved specs.
Fixed typo in initializer - MUST be "config.user_class = User"
Fixed #3 and #4 - Modular Sinatra apps work now, and User model isn't cached in development mode.
Fixed bug in reset_password - after reset can't login due to bad salt creation. Affected only Mongoid.
Added support for Mongoid! (still buggy and not recommended for serious use)
'reset_password!(:password => new_password)' changed into 'change_password!(new_password)'
Added test helpers for Rails 3 & Sinatra.
Fixing Rails app name in initializer.
Changed the way Sorcery is configured. Now inside the model only add `authenticates_with_sorcery!`. In the controller no code is needed! All configuration is done in an initializer. Added a rake task to create it: `rake sorcery:bootstrap`
Renamed "oauth" module to "external" and made API prettier.
- `auth_at_provider(provider)` => `login_at(provider)`
- `login_from_access_token(provider)` => `login_from(provider)`
- `create_from_provider!(provider)` => `create_from(provider)`
Added Sinatra support!
Added Rails 3 generator for migrations
Fixed bug with OAuth submodule - oauth gems were not required properly in gem.
Fixed bug with OAuth submodule - Authentications class was not passed between model and controller in all cases resulting in Nil exception.
Added OAuth submodule.
- OAuth1 and OAuth2 support (currently twitter & facebook)
- configurable db field names and authentications table.
Some bug fixes: 'return_to' feature, brute force permanent ban.
Added activity logging submodule.
- automatic logging of last login, last logout and last activity time.
- an easy method of collecting the list of currently logged in users.
- configurable timeout by which to decide whether to include a user in the list of logged in users.
Fixed bug in basic_auth - it didn't set `session[:user_id]` on successful login and tried to relogin from basic_auth on every action.
Added Reset Password hammering protection and updated the API.
Totally rewritten Brute Force Protection submodule.
Added support for Basic HTTP Auth.
Separated mailers between user_activation and password_reset and updated readme.
Fixed bug with BCrypt not being used properly by the lib and thus not working for authentication.
- login/logout, optional redirect on login to where the user tried to reach before, configurable redirect for non-logged-in users.
- password encryption, algorithms: bcrypt (default), md5, sha1, sha256, sha512, aes256, custom (yours!), none. Configurable stretches and salt.
- configurable attribute names for username, password and email.
- User activation by email with optional success email.
  - configurable attribute names.
  - configurable mailer.
  - Optionally prevent active users from logging in.
- Reset password with email verification.
  - configurable mailer, method name, and attribute name.
- Remember me with configurable expiration.
  - configurable attribute names.
- Configurable session timeout.
  - Optionally, session timeout is calculated from the last user action.
- Brute force login hammering protection.
  - configurable logins before ban, logins within time period before ban, ban time and ban action.