Friend changelog
Friend is now tracking Ring v1.2.0 betas, minimally requiring
[ring/ring-core "1.2.0-beta1"].
Core API
:rolesin authentication maps may now optionally be a function returning a collection of roles (gh-21, gh-55)
Workflows
- All included workflows now properly account for the in-force Ring context, if any. (gh-52, gh-53, gh-56)
Core API
- Fixed handling of the optional authorization-error map that may be provided
to
authorize(gh-46)
Misc
- Various minor documentation improvements.
Core API
cemerick.friend/current-authenticationcan now accept either a ring request map or a Friend identity mapcemerick.friend/authenticatedcan now accept more than one body form (gh-32)- A new
cemerick.friend/authenticateoption,:unauthenticated-handler, allows one to provide a separate Ring handler to control how to respond to unauthenticated requests when authentication is required (either via setting:allow-anontofalse, or via use ofcemerick.friend/authenticated). The prior behaviour (redirecting to the URI specified by:login-uri) is currently retained by the default:unauthenticated-handler,cemerick.friend/default-unauthenticated-handler. (gh-38)
Workflows
- The
http-basicworkflow no longer produces a 401 Unauthorized response when no HTTP Basic credentials are supplied. (gh-38) - The OpenID workflow now offers a
:consumer-manageroption for providing a fully-configuredorg.openid4java.consumer.ConsumerManager(to be used instead of the in-memory default) (gh-35) - Usernames provided as part of an interactive-form workflow authentication are now URL-encoded in the resulting redirect when authentication fails (gh-41)
Misc
- New function
cemerick.friend.credentials/bcrypt-verifynow available to verify bcrypt-hashed strings outside ofcemerick.friend.credentials/bcrypt-credential-fnand the workflow/authentication process - All HTTP redirect responses sent by Friend now use an absolute URL in the
Locationheader per the HTTP spec (gh-42) - The transitive dependency on Google Guice (needed by the openid4java dependency) has been updated to use the coordinates available via Maven Central
Core API
- Credential functions may now return maps with a
:cemerick.friend.credentials/password-keyslot in their metadata to indicate the key within the credential map itself which holds the password. - The value of the
:cemerick.friend/redirect-on-auth?key in workflow may now be a string URI to which the user will be redirected (instead of the:default-landing-uriprovided to theauthenticatemiddleware). - Friend now plays much nicer with Ring sessions; in particular, it no longer quashes session data set by lower-level handlers and middleware. (gh-24, gh-26)
Workflows
- The
http-basicworkflow now properly supports empty usernames and passwords (gh-28)
Bricked, don't use.
Core API
:login-urinow actually defaults to"/login"as indicated in documentation (Yoshito Komatsu, gh-13)- Authorization failures are now handled more sanely (gh-19):
:unauthorized-redirect-uriis no longer used (was nonsensical)- additional data may now be added to the stone thrown upon unauthorized
access (see
cemerick.friend/authorize,cemerick.friend/authenticated, andthrow-authorized) - data added to stone thrown by
cemerick.friend/throw-authorizedis now added to the request passed to:unauthorized-handlerin the:cemerick.friend/authorization-failureslot
- HTTP 401 is now used instead of 403 to properly indicate unauthorized authenticated request (gh-20)
cemerick.friend/logout*is now public (John Szakmeister)
Workflows
- http-basic workflow now properly responds with www-authenticate challenge when
no credentials are provided and
:allow-anon?is false (gh-16) - the OpenID workflow's
:max-nonce-agemust now be specified in milliseconds instead of seconds - the OpenID workflow no longer adds unprintable objects to the ring session
Misc
- Documentation for
cemerick.friend/identityfixed