Skip to content

Releases: janko/rodauth-rails

1.15.2

08 Nov 20:07
40507f0
Compare
Choose a tag to compare

1.15.1

26 Oct 17:35
ab365a5
Compare
Choose a tag to compare
  • Don't pass keyword arguments to enum on generated account model for Rails 8.0 compatibility.
  • Show configuration suggestion for otp_unlock feature if generating its migration with a table prefix.
  • Remove require_login_redirect { login_path } from generated configuration, as that's now the default in Rodauth.
  • Simplify installation instructions, cutting the number of lines by 50%.

1.15.0

03 Aug 05:57
aa8298e
Compare
Choose a tag to compare

New features

  • Migrations and view/email templates have been added for the new otp_unlock, otp_lockout_email, otp_modify_email and webauthn_modify_email features added in Rodauth 2.36.

  • New rodauth:mailer generator has been added to accommodate for the increased number of possible emails. Mailer integration isn't generated by rodauth:install generator anymore.

  • The rodauth.rails_url_options hash can now be overridden at runtime. This is useful when different mailers have different URL options (e.g. subdomains).

    class RodauthMailer < ApplicationMailer
      # ...
      def rodauth(name, account_id, &block)
        instance = RodauthApp.rodauth(name).allocate
        instance.account_from_id(account_id)
        instance.rails_url_options.merge!(default_url_options) # merge current default URL options
        instance.instance_eval(&block) if block
        instance
      end
    end

Bug fixes

  • The model instance returned by rodauth.rails_account is now refreshed when rodauth.account changes. This fixes integration with rodauth-become_account gem.

  • Fixed error on Rails 7.2 when Rodauth attempts to redirect to a URLs with query parameters.

Other improvements

  • The generated mailer now uses rodauth.account_from_id added in Rodauth 2.36 for setting the current account.

  • Explicit index names have been removed from generated migrations in favor of default index names.

  • Added missing email template for the reset_password_notify feature.

  • The generated Rodauth configuration no longer enables the change_password_notify feature.

  • The generated webauthn_remove view template now uses rodauth.strftime_format for displaying last use.

  • The convert_token_id_to_integer? configuration is now skipped on install when Sequel is used as primary ORM.

1.14.1

15 May 19:04
6152523
Compare
Choose a tag to compare
  • Fixed matching on account status when passing Active Record object to Rodauth::Rails.account (@dush)

1.14.0

09 Apr 09:27
0b6c0c3
Compare
Choose a tag to compare
  • Controller callbacks can now specify :only and :except to apply just to specific Rodauth routes. For example, the following will execute before the login POST request:

    class RodauthController < ApplicationController
      before_action :verify_captcha, only: :login, if: -> { request.post? }
    end
  • The Rodauth controller and route name are now being instrumented instead of RodauthApp#call. This should improve integration with APM agents, which might rely on :controller referencing and actual controller class name, and also better differentiate between Rodauth routes in APM dashboard.

  • The URL format for Rails routes is now being correctly applied when http_basic_auth is called in the Rodauth middleware.

  • Fixed data-turbo="false" being added in the wrong place in reset password request form on login validation errors.

  • The Rodauth app middleware subclass now uses Module#set_temporary_name on Ruby 3.3+ instead of custom #inspect output.

  • The generated fixtures now retrieve the auth class though the Rodauth app (RodauthApp.rodauth instead of RodauthMain), to avoid errors with BCrypt gem not being loaded.

  • The account model is generated with include Rodauth::Rails.model again, to avoid errors with BCrypt gem not being loaded.

  • Make generated convert_token_id_to_integer? configuration also work when switching to UUID primary key, while still avoiding DB queries at boot time.

  • Custom column attributes can now be referenced on rails_account before the account is persisted (e.g. in a before_create_account callback).

  • Dropped support for Ruby 2.3 and 2.4.

1.13.0 🎄

25 Dec 14:18
e22d02a
Compare
Choose a tag to compare
  • The convert_token_id_to_integer? configuration is now set to avoid DB queries at boot time. The value will be set to true unless :primary_key_type has been set in generator options.
  • The login_confirm_param configuration is now set to "email-confirm" for consistency with the existing login_param override. This param is only used when require_login_confirmation? is true, which is the case when create_account feature is loaded without verify_account.
  • When the session middleware is missing in API-only Rails apps, and a request to Rodauth requires sessions, the raised error will now point to Rails docs instead of suggesting to load the Roda sessions plugin (which won't work in Rails apps).
  • A #rodauth method has been added to helpers for controller tests. See the wiki for up-to-date controller test guidelines.

1.12.0

20 Oct 15:10
991a0d1
Compare
Choose a tag to compare
  • The #rails_cookies shorthand was added on Rodauth::Rails::App and Rodauth::Rails::Auth for accessing the Rails request's cookie jar (the same as #cookies in controllers).

  • The #turbo_stream method is now exposed on Rodauth::Rails::Auth when using the turbo-rails gem, for easier generation of turbo stream responses.

  • When running rodauth:install with --jwt or --argon2 options, the generated jwt_secret and argon2_secret now default to hmac_secret (which in turn defaults to Rails secret key base), instead of having a hardcoded secret.

  • The rodauth:install generator now includes Rodauth::Model(RodauthMain) into the account model, which is essentially what Rodauth::Rails.model did. This makes Rodauth::Rails.model soft-deprecated.

  • The Rodauth app now forwards all unhandled requests to the Rails router, even those that partially matched a Roda matcher.

  • The rodauth:views generator can now generate the view template for the confirm_password feature as well (thanks to @igor-alexandrov).

1.11.0

21 Aug 17:08
9f0c0a1
Compare
Choose a tag to compare
  • The Rodauth::Rails.authenticate routing constraint has been added, which calls rodauth.require_account instead of rodauth.require_authentication, and this way handles if the account has been deleted or closed from the console.

    Rails.application.routes.draw do
      constraints Rodauth::Rails.authenticate do
        mount Sidekiq::Web => "/sidekiq"
      end
    end

    The previous Rodauth::Rails.authenticated routing constraint is now deprecated.

  • The Rodauth::Rails.lib method now accept plugin options as well, just like Rodauth.lib.

    RodauthMain = Rodauth::Rails.lib(render: false) do
      # ...
    end
  • Loading of Roda's render plugin and the Tilt gem will now be skipped when render: false plugin option is passed in.

    class RodauthApp < Rodauth::Rails::App
      configure RodauthMain, render: false # skips loading render plugin and Tilt
    end
  • There have been several improvements to the rodauth:routes Rake task:

    • it now has a description and shows up in rails -T
    • two factor manage & auth JSON POST routes are now listed
    • HTTP verbs are separated with | symbol, just like in rails routes
    • the JS routes for WebAuthn features are excluded, since they stop being relevant with custom JS

1.10.0

26 Jul 09:15
27bf13b
Compare
Choose a tag to compare
  • The Rodauth::Rails.lib method has been added (counterpart for Rodauth.lib) for using Rodauth as a library in Rails apps, using the internal_request feature.

    # Gemfile
    gem "rodauth-rails", require: false # avoid inserting middleware
    # app/misc/rodauth_main.rb
    require "rodauth/rails"
    require "sequel/core"
    
    RodauthMain = Rodauth::Rails.lib do
      enable :create_account, :login, :close_account
      db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)
      # ...
    end
    RodauthMain.create_account(login: "[email protected]", password: "secret123")
    RodauthMain.login(login: "[email protected]", password: "secret123")
    RodauthMain.close_account(account_login: "[email protected]")

1.9.0

22 May 18:18
5c1878d
Compare
Choose a tag to compare

New features

  • The rodauth:views generator now supports the new webauthn_autofill feature added in Rodauth 5.30.

    Existing applications can upgrade by using rodauth.login_form_footer method instead of rendering the partial directly, and using rodauth.login_field_autocomplete_value for the autocomplete attribute value on the email field in the login form.

Other improvements

  • The rodauth:views generator now requires explicitly specifying the two_factor_base feature in order to generate its view templates. Previously these view templates were generated automatically with a dependent feature (otp, sms_codes, recovery_codes, webauthn).

  • The generated app/misc/rodauth_main.rb now sets login_param "email" for better compatibility with other authentication frameworks such as Devise.

  • The generated mailer now prepends rodauth.email_subject_prefix to all email subjects, just like Rodauth does by default.

  • The Trilogy adapter is now better handled in generators. Note that you'll be able to use it starting from Sequel 5.69, which will include the corresponding Sequel adapter.

  • Fixed a typo in the unlock_account email template (thanks to @zavan)

Backwards compatibility

  • The #rails_account method now leverages Rodauth's new account! method, which greatly simplifies the logic. As a result, the #rails_account method no longer clears the session if the logged in account was deleted. The primary goal behind that functionality was for easier development, but the session cookie never actually got cleared when Rails rendered an error response. If you were relying on this behavior, I recommend using rodauth.require_account instead of rodauth.require_authentication, and possibly even using the active_sessions feature.

  • Support for Rails 4.2 has been dropped.