Releases: janko/rodauth-rails
1.15.2
1.15.1
- Don't pass keyword arguments to
enum
on generated account model for Rails 8.0 compatibility. - Show configuration suggestion for
otp_unlock
feature if generating its migration with a table prefix. - Remove
require_login_redirect { login_path }
from generated configuration, as that's now the default in Rodauth. - Simplify installation instructions, cutting the number of lines by 50%.
1.15.0
New features
-
Migrations and view/email templates have been added for the new otp_unlock, otp_lockout_email, otp_modify_email and webauthn_modify_email features added in Rodauth 2.36.
-
New
rodauth:mailer
generator has been added to accommodate for the increased number of possible emails. Mailer integration isn't generated byrodauth:install
generator anymore. -
The
rodauth.rails_url_options
hash can now be overridden at runtime. This is useful when different mailers have different URL options (e.g. subdomains).class RodauthMailer < ApplicationMailer # ... def rodauth(name, account_id, &block) instance = RodauthApp.rodauth(name).allocate instance.account_from_id(account_id) instance.rails_url_options.merge!(default_url_options) # merge current default URL options instance.instance_eval(&block) if block instance end end
Bug fixes
-
The model instance returned by
rodauth.rails_account
is now refreshed whenrodauth.account
changes. This fixes integration with rodauth-become_account gem. -
Fixed error on Rails 7.2 when Rodauth attempts to redirect to a URLs with query parameters.
Other improvements
-
The generated mailer now uses
rodauth.account_from_id
added in Rodauth 2.36 for setting the current account. -
Explicit index names have been removed from generated migrations in favor of default index names.
-
Added missing email template for the reset_password_notify feature.
-
The generated Rodauth configuration no longer enables the change_password_notify feature.
-
The generated
webauthn_remove
view template now usesrodauth.strftime_format
for displaying last use. -
The
convert_token_id_to_integer?
configuration is now skipped on install when Sequel is used as primary ORM.
1.14.1
1.14.0
-
Controller callbacks can now specify
:only
and:except
to apply just to specific Rodauth routes. For example, the following will execute before the login POST request:class RodauthController < ApplicationController before_action :verify_captcha, only: :login, if: -> { request.post? } end
-
The Rodauth controller and route name are now being instrumented instead of
RodauthApp#call
. This should improve integration with APM agents, which might rely on:controller
referencing and actual controller class name, and also better differentiate between Rodauth routes in APM dashboard. -
The URL format for Rails routes is now being correctly applied when
http_basic_auth
is called in the Rodauth middleware. -
Fixed
data-turbo="false"
being added in the wrong place in reset password request form on login validation errors. -
The Rodauth app middleware subclass now uses
Module#set_temporary_name
on Ruby 3.3+ instead of custom#inspect
output. -
The generated fixtures now retrieve the auth class though the Rodauth app (
RodauthApp.rodauth
instead ofRodauthMain
), to avoid errors with BCrypt gem not being loaded. -
The account model is generated with
include Rodauth::Rails.model
again, to avoid errors with BCrypt gem not being loaded. -
Make generated
convert_token_id_to_integer?
configuration also work when switching to UUID primary key, while still avoiding DB queries at boot time. -
Custom column attributes can now be referenced on
rails_account
before the account is persisted (e.g. in abefore_create_account
callback). -
Dropped support for Ruby 2.3 and 2.4.
1.13.0 🎄
- The
convert_token_id_to_integer?
configuration is now set to avoid DB queries at boot time. The value will be set totrue
unless:primary_key_type
has been set in generator options. - The
login_confirm_param
configuration is now set to"email-confirm"
for consistency with the existinglogin_param
override. This param is only used whenrequire_login_confirmation?
istrue
, which is the case whencreate_account
feature is loaded withoutverify_account
. - When the session middleware is missing in API-only Rails apps, and a request to Rodauth requires sessions, the raised error will now point to Rails docs instead of suggesting to load the Roda
sessions
plugin (which won't work in Rails apps). - A
#rodauth
method has been added to helpers for controller tests. See the wiki for up-to-date controller test guidelines.
1.12.0
-
The
#rails_cookies
shorthand was added onRodauth::Rails::App
andRodauth::Rails::Auth
for accessing the Rails request's cookie jar (the same as#cookies
in controllers). -
The
#turbo_stream
method is now exposed onRodauth::Rails::Auth
when using the turbo-rails gem, for easier generation of turbo stream responses. -
When running
rodauth:install
with--jwt
or--argon2
options, the generatedjwt_secret
andargon2_secret
now default tohmac_secret
(which in turn defaults to Rails secret key base), instead of having a hardcoded secret. -
The
rodauth:install
generator now includesRodauth::Model(RodauthMain)
into the account model, which is essentially whatRodauth::Rails.model
did. This makesRodauth::Rails.model
soft-deprecated. -
The Rodauth app now forwards all unhandled requests to the Rails router, even those that partially matched a Roda matcher.
-
The
rodauth:views
generator can now generate the view template for theconfirm_password
feature as well (thanks to @igor-alexandrov).
1.11.0
-
The
Rodauth::Rails.authenticate
routing constraint has been added, which callsrodauth.require_account
instead ofrodauth.require_authentication
, and this way handles if the account has been deleted or closed from the console.Rails.application.routes.draw do constraints Rodauth::Rails.authenticate do mount Sidekiq::Web => "/sidekiq" end end
The previous
Rodauth::Rails.authenticated
routing constraint is now deprecated. -
The
Rodauth::Rails.lib
method now accept plugin options as well, just likeRodauth.lib
.RodauthMain = Rodauth::Rails.lib(render: false) do # ... end
-
Loading of Roda's
render
plugin and the Tilt gem will now be skipped whenrender: false
plugin option is passed in.class RodauthApp < Rodauth::Rails::App configure RodauthMain, render: false # skips loading render plugin and Tilt end
-
There have been several improvements to the
rodauth:routes
Rake task:- it now has a description and shows up in
rails -T
- two factor manage & auth JSON POST routes are now listed
- HTTP verbs are separated with
|
symbol, just like inrails routes
- the JS routes for WebAuthn features are excluded, since they stop being relevant with custom JS
- it now has a description and shows up in
1.10.0
-
The
Rodauth::Rails.lib
method has been added (counterpart forRodauth.lib
) for using Rodauth as a library in Rails apps, using the internal_request feature.# Gemfile gem "rodauth-rails", require: false # avoid inserting middleware
# app/misc/rodauth_main.rb require "rodauth/rails" require "sequel/core" RodauthMain = Rodauth::Rails.lib do enable :create_account, :login, :close_account db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false) # ... end
RodauthMain.create_account(login: "[email protected]", password: "secret123") RodauthMain.login(login: "[email protected]", password: "secret123") RodauthMain.close_account(account_login: "[email protected]")
1.9.0
New features
-
The
rodauth:views
generator now supports the new webauthn_autofill feature added in Rodauth 5.30.Existing applications can upgrade by using
rodauth.login_form_footer
method instead of rendering the partial directly, and usingrodauth.login_field_autocomplete_value
for theautocomplete
attribute value on the email field in the login form.
Other improvements
-
The
rodauth:views
generator now requires explicitly specifying thetwo_factor_base
feature in order to generate its view templates. Previously these view templates were generated automatically with a dependent feature (otp
,sms_codes
,recovery_codes
,webauthn
). -
The generated
app/misc/rodauth_main.rb
now setslogin_param "email"
for better compatibility with other authentication frameworks such as Devise. -
The generated mailer now prepends
rodauth.email_subject_prefix
to all email subjects, just like Rodauth does by default. -
The Trilogy adapter is now better handled in generators. Note that you'll be able to use it starting from Sequel 5.69, which will include the corresponding Sequel adapter.
-
Fixed a typo in the
unlock_account
email template (thanks to @zavan)
Backwards compatibility
-
The
#rails_account
method now leverages Rodauth's newaccount!
method, which greatly simplifies the logic. As a result, the#rails_account
method no longer clears the session if the logged in account was deleted. The primary goal behind that functionality was for easier development, but the session cookie never actually got cleared when Rails rendered an error response. If you were relying on this behavior, I recommend usingrodauth.require_account
instead ofrodauth.require_authentication
, and possibly even using theactive_sessions
feature. -
Support for Rails 4.2 has been dropped.