heartcombo--devise/CHANGELOG.rdoc

== 1.5.0.dev

* bug fix
  * Allow idempotent API requests
  * Fix bug where logs did not show 401 as status code
  * Change paranoid settings to behave as success instead of as failure

* deprecation
  * redirect_location is deprecated, please use after_sign_in_path_for
  * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it

== 1.4.8

* enhancements
  * Add docs for assets pipeline and Heroku

* bug fix
  * confirmation_url was not being set under some circumstances

== 1.4.7

* bug fix
  * Fix backward incompatible change from 1.4.6 for those using custom controllers

== 1.4.6

* enhancements
  * Allow devise_for :skip => :all
  * Allow options to be passed to authenticate_user!
  * Allow --skip-routes to devise generator
  * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller

== 1.4.5

* bug fix
  * Failure app tries the root path if a session one does not exist
  * No need to finalize Devise helpers all the time (by github.com/bradleypriest)
  * Reset password shows proper message if user is not active
  * `clean_up_passwords` sets the accessors to nil to skip validations

== 1.4.4

* bug fix
  * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually

== 1.4.3

* enhancements
  * Improve Rails 3.1 compatibility
  * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility

* bug fix
  * Generator properly generates a change_table migration if a model already exists
  * Properly deprecate setup_mail
  * Fix encoding issues with email regexp
  * Only generate helpers for the used mappings
  * Wrap :action constraints in the proper hash

* deprecations
  * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation

== 1.4.2

* bug fix
  * Provide a more robust behavior to serializers and add :force_except option

== 1.4.1

* enhancements
  * Add :defaults and :format support on router
  * Add simple form generators
  * Better localization for devise_error_messages! (by github.com/zedtux)

* bug fix
  * Ensure to_xml is properly white listened
  * Ensure handle_unverified_request clean up any cached signed-in user

== 1.4.0

* enhancements
  * Added authenticated and unauthenticated to the router to route the used based on his status (by github.com/sj26)
  * Improve e-mail regexp (by github.com/rodrigoflores)
  * Add strip_whitespace_keys and default to e-mail (by github.com/swrobel)
  * Do not run format and uniqueness validations on e-mail if it hasn't changed (by github.com/Thibaut)
  * Added update_without_password to update models but not allowing the password to change (by github.com/fschwahn)
  * Added config.paranoid, check the generator for more information (by github.com/rodrigoflores)

* bug fix
  * password_required? should not affect length validation
  * User cannot access sign up and similar pages if he is already signed in through a cookie or token
  * Do not convert booleans to strings on finders (by github.com/xavier)
  * Run validations even if current_password fails (by github.com/crx)
  * Devise now honors routes constraints (by github.com/macmartine)
  * Do not return the user resource when requesting instructions (by github.com/rodrigoflores)

== 1.3.4

* bug fix
  * Do not add formats if html or "*/*"

== 1.3.3

* bug fix
  * Explicitly mark the token as expired if so

== 1.3.2

* bug fix
  * Fix another regression related to reset_password_sent_at (by github.com/alexdreher)

== 1.3.1

* enhancements
  * Improve failure_app responses (by github.com/indirect)
  * sessions/new and registrations/new also respond to xml and json now

* bug fix
  * Fix a regression that occurred if reset_password_sent_at is not present (by github.com/stevehodgkiss)

== 1.3.0

* enhancements
  * All controllers can now handle different mime types than html using Responders (by github.com/sikachu)
  * Added reset_password_within as configuration option to send the token for recovery (by github.com/jdguyot)
  * Bump password length to 128 characters (by github.com/k33l0r)
  * Add :only as option to devise_for (by github.com/timoschilling)
  * Allow to override path after sending password instructions (by github.com/irohiroki)
  * require_no_authentication has its own flash message (by github.com/jackdempsey)

* bug fix
  * Fix a bug where configuration options were being included too late
  * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by github.com/jwilger)
  * valid_password? should not choke on empty passwords (by github.com/mikel)
  * Calling devise more than once does not include previously added modules anymore
  * downcase_keys before validation

* backward incompatible changes
  * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.

== 1.2.1

* enhancements
  * Improve update path messages

== 1.2.0

* bug fix
  * Properly ignore path prefix on omniauthable
  * Faster uniqueness queries
  * Rename active? to active_for_authentication? to avoid conflicts

== 1.2.rc2

* enhancements
  * Make friendly_token 20 chars long
  * Use secure_compare

* bug fix
  * Fix an issue causing infinite redirects in production
  * rails g destroy works properly with devise generators (by github.com/andmej)
  * before_failure callbacks should work on test helpers (by github.com/twinge)
  * rememberable cookie now is httponly by default (by github.com/JamesFerguson)
  * Add missing confirmation_keys (by github.com/JohnPlummer)
  * Ensure after_* hooks are called on RegistrationsController
  * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
  * Ensure stateless token does not trigger timeout (by github.com/pixelauthority)
  * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
  * Consider namespaces while generating routes
  * Custom failure apps no longer ignored in test mode (by github.com/jaghion)
  * Do not depend on ActiveModel::Dirty
  * Manual sign_in now triggers remember token
  * Be sure to halt strategies on failures
  * Consider SCRIPT_NAME on Omniauth paths
  * Reset failed attempts when lock is expired
  * Ensure there is no Mongoid injection

* deprecations
  * Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
  * Removed --haml and --slim view templates
  * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode

== 1.2.rc

* deprecations
  * cookie_domain is deprecated in favor of cookie_options
  * after_update_path_for can no longer be defined in ApplicationController

* enhancements
  * Added OmniAuth support
  * Added ORM adapter to abstract ORM iteraction
  * sign_out_via is available in the router to configure the method used for sign out (by github.com/martinrehfeld)
  * Improved Ajax requests handling in failure app (by github.com/spastorino)
  * Added request_keys to easily use request specific values (like subdomain) in authentication
  * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)
  * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by github.com/rymai)
  * Extracted encryptors into :encryptable for better bcrypt support
  * :rememberable is now able to use salt as token if no remember_token is provided
  * Store the salt in session and expire the session if the user changes his password
  * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
  * cookie_options uses session_options values by default
  * Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message
  * Use ActiveModel#to_key instead of #id
  * sign_out_all_scopes now destroys the whole session
  * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by github.com/adahl)

* default behavior changes
  * sign_out_all_scopes defaults to true as security measure
  * http authenticatable is disabled by default
  * Devise does not intercept 401 returned from applications

* bugfix
  * after_sign_in_path_for always receives a resource
  * Do not execute Warden::Callbacks on Devise::TestHelpers (by github.com/sgronblo)
  * Allow password recovery and account unlocking to change used keys (by github.com/RStankov)
  * FailureApp now properly handles nil request.format
  * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
  * Ensure namespaces has proper scoped views
  * Ensure Devise does not set empty flash messages (by github.com/sxross)

== 1.1.6

* Use a more secure e-mail regexp
* Implement Rails 3.0.4 handle unverified request
* Use secure_compare to compare passwords

== 1.1.5

* bugfix
  * Ensure to convert keys on indifferent hash

* defaults
  * Set config.http_authenticatable to false to avoid confusion

== 1.1.4

* bugfix
  * Avoid session fixation attacks

== 1.1.3

* bugfix
  * Add reply-to to e-mail headers by default
  * Updated the views generator to respect the rails :template_engine option (by github.com/fredwu)
  * Check the type of HTTP Authentication before using Basic headers
  * Avoid invalid_salt errors by checking salt presence (by github.com/thibaudgg)
  * Forget user deletes the right cookie before logout, not remembering the user anymore (by github.com/emtrane)
  * Fix for failed first-ever logins on PostgreSQL where column default is nil (by github.com/bensie)
  * :default options is now honored in migrations

== 1.1.2

* bugfix
  * Compatibility with latest Rails routes schema

== 1.1.1

* bugfix
  * Fix a small bug where generated locale file was empty on devise:install

== 1.1.0

* enhancements
  * Rememberable module allows user to be remembered across browsers and is enabled by default (by github.com/trevorturk)
  * Rememberable module allows you to activate the period the remember me token is extended (by github.com/trevorturk)
  * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
  * Support `as` or `devise_scope` in the router to specify controller access scope
  * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by github.com/pellja)

* bug fix
  * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
  * Devise should respect script_name and path_info contracts
  * Fix a bug when accessing a path with (.:format) (by github.com/klacointe)
  * Do not add unlock routes unless unlock strategy is email or both
  * Email should be case insensitive
  * Store classes as string in session, to avoid serialization and stale data issues

* deprecations
  * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead

== 1.1.rc2

* enhancements
  * Allow to set cookie domain for the remember token. (by github.com/mantas)
  * Added navigational formats to specify when it should return a 302 and when a 401.
  * Added authenticate(scope) support in routes (by github.com/wildchild)
  * Added after_update_path_for to registrations controller (by github.com/thedelchop)
  * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer"

* bug fix
  * Fix a bug where session was timing out on sign out

* deprecations
  * bcrypt is now the default encryptor
  * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject
  * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
  * Generators now use Rails 3 syntax (devise:install) instead of devise_install

== 1.1.rc1

* enhancements
  * Rails 3 compatibility
  * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions"
  * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise
  * Use metal for failure app
  * HTML e-mails now have proper formatting
  * Allow to give :skip and :controllers in routes
  * Move trackable logic to the model
  * E-mails now use any template available in the filesystem. Easy to create multipart e-mails
  * E-mails asks headers_for in the model to set the proper headers
  * Allow to specify haml in devise_views
  * Compatibility with Mongoid
  * Make config.devise available on config/application.rb
  * TokenAuthenticatable now works with HTTP Basic Auth
  * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself
  * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3
  * :activatable is included by default in your models

* bug fix
  * Fix a bug with STI

* deprecations
  * Rails 3 compatible only
  * Removed support for MongoMapper
  * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new"
  * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead
  * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options
  * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
  * :as and :scope in routes is deprecated. Use :path and :singular instead

== 1.0.8

* enhancements
  * Support for latest MongoMapper
  * Added anybody_signed_in? helper (by github.com/SSDany)

* bug fix
  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)

== 1.0.7

* bug fix
  * Ensure password confirmation is always required

* deprecations
  * authenticatable was deprecated and renamed to database_authenticatable
  * confirmable is not included by default on generation

== 1.0.6

* bug fix
  * Do not allow unlockable strategies based on time to access a controller.
  * Do not send unlockable email several times.
  * Allow controller to upstram custom! failures to Warden.

== 1.0.5

* bug fix
  * Use prepend_before_filter in require_no_authentication.
  * require_no_authentication on unlockable.
  * Fix a bug when giving an association proxy to devise.
  * Do not use lock! on lockable since it's part of ActiveRecord API.

== 1.0.4

* bug fix
  * Fixed a bug when deleting an account with rememberable
  * Fixed a bug with custom controllers

== 1.0.3

* enhancements
  * HTML e-mails now have proper formatting
  * Do not remove MongoMapper options in find

== 1.0.2

* enhancements
  * Allows you set mailer content type (by github.com/glennr)

* bug fix
  * Uses the same content type as request on http authenticatable 401 responses

== 1.0.1

* enhancements
  * HttpAuthenticatable is not added by default automatically.
  * Avoid mass assignment error messages with current password.

* bug fix
  * Fixed encryptors autoload

== 1.0.0

* deprecation
  * :old_password in update_with_password is deprecated, use :current_password instead

* enhancements
  * Added Registerable
  * Added Http Basic Authentication support
  * Allow scoped_views to be customized per controller/mailer class
  * [#99] Allow authenticatable to used in change_table statements

== 0.9.2

* bug fix
  * Ensure inactive user cannot sign in
  * Ensure redirect to proper url after sign up

* enhancements
  * Added gemspec to repo
  * Added token authenticatable (by github.com/grimen)

== 0.9.1

* bug fix
  * Allow bigger salt size (by github.com/jgeiger)
  * Fix relative url root

== 0.9.0

* deprecation
  * devise :all is deprecated
  * :success and :failure flash messages are now :notice and :alert

* enhancements
  * Added devise lockable (by github.com/mhfs)
  * Warden 0.9.0 compatibility
  * Mongomapper 0.6.10 compatibility
  * Added Devise.add_module as hooks for extensions (by github.com/grimen)
  * Ruby 1.9.1 compatibility (by github.com/grimen)

* bug fix
  * Accept path prefix not starting with slash
  * url helpers should rely on find_scope!

== 0.8.2

* enhancements
  * Allow Devise.mailer_sender to be a proc (by github.com/grimen)

* bug fix
  * Fix bug with passenger, update is required to anyone deploying on passenger (by github.com/dvdpalm)

== 0.8.1

* enhancements
  * Move salt to encryptors
  * Devise::Lockable
  * Moved view links into partial and I18n'ed them

* bug fix
  * Bcrypt generator was not being loaded neither setting the proper salt

== 0.8.0

* enhancements
  * Warden 0.8.0 compatibility
  * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work
  * Added :bcrypt encryptor (by github.com/capotej)

* bug fix
  * sign_in_count is also increased when user signs in via password change, confirmation, etc..
  * More DataMapper compatibility (by github.com/lancecarlson)

* deprecation
  * Removed DeviseMailer.sender

== 0.7.5

* enhancements
  * Set a default value for mailer to avoid find_template issues
  * Add models configuration to MongoMapper::EmbeddedDocument as well

== 0.7.4

* enhancements
  * Extract Activatable from Confirmable
  * Decouple Serializers from Devise modules

== 0.7.3

* bug fix
  * Give scope to the proper model validation

* enhancements
  * Mail views are scoped as well
  * Added update_with_password for authenticatable
  * Allow render_with_scope to accept :controller option

== 0.7.2

* deprecation
  * Renamed reset_confirmation! to resend_confirmation!
  * Copying locale is part of the installation process

* bug fix
  * Fixed render_with_scope to work with all controllers
  * Allow sign in with two different users in Devise::TestHelpers

== 0.7.1

* enhancements
  * Small enhancements for other plugins compatibility (by github.com/grimen)

== 0.7.0

* deprecations
  * :authenticatable is not included by default anymore

* enhancements
  * Improve loading process
  * Extract SessionSerializer from Authenticatable

== 0.6.3

* bug fix
  * Added trackable to migrations
  * Allow inflections to work

== 0.6.2

* enhancements
  * More DataMapper compatibility
  * Devise::Trackable - track sign in count, timestamps and ips

== 0.6.1

* enhancements
  * Devise::Timeoutable - timeout sessions without activity
  * DataMapper now accepts conditions

== 0.6.0

* deprecations
  * :authenticatable is still included by default, but yields a deprecation warning

* enhancements
  * Added DataMapper support
  * Remove store_location from authenticatable strategy and add it to failure app
  * Allow a strategy to be placed after authenticatable
  * [#45] Do not rely attribute? methods, since they are not added on Datamapper

== 0.5.6

* enhancements
  * [#42] Do not send nil to build (DataMapper compatibility)
  * [#44] Allow to have scoped views

== 0.5.5

* enhancements
  * Allow overwriting find for authentication method
  * [#38] Remove Ruby 1.8.7 dependency

== 0.5.4

* deprecations
  * Deprecate :singular in devise_for and use :scope instead

* enhancements
  * [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be
    overwriten in ApplicationController
  * Create sign_in_and_redirect and sign_out_and_redirect helpers
  * Warden::Manager.default_scope is automatically configured to the first given scope

== 0.5.3

* bug fix
  * MongoMapper now converts DateTime to Time
  * Ensure all controllers are unloadable

* enhancements
  * [#35] Moved friendly_token to Devise
  * Added Devise.all, so you can freeze your app strategies
  * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
    in cases you don't want it be handlded automatically

== 0.5.2

* enhancements
  * [#28] Improved sign_in and sign_out helpers to accepts resources
  * [#28] Added stored_location_for as a helper
  * [#20] Added test helpers

== 0.5.1

* enhancements
  * Added serializers based on Warden ones
  * Allow authentication keys to be set

== 0.5.0

* bug fix
  * Fixed a bug where remember me module was not working properly

* enhancements
  * Moved encryption strategy into the Encryptors module to allow several algorithms (by github.com/mhfs)
  * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by github.com/mhfs)
  * Added support for MongoMapper (by github.com/shingara)

== 0.4.3

* bug fix
  * [#29] Authentication just fails if user cannot be serialized from session, without raising errors;
  * Default configuration values should not overwrite user values;

== 0.4.2

* deprecations
  * Renamed mail_sender to mailer_sender

* enhancements
  * skip_before_filter added in Devise controllers
  * Use home_or_root_path on require_no_authentication as well
  * Added devise_controller?, useful to select or reject filters in ApplicationController
  * Allow :path_prefix to be given to devise_for
  * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)

== 0.4.1

* bug fix
  * [#21] Ensure options can be set even if models were not loaded

== 0.4.0

* deprecations
  * Notifier is deprecated, use DeviseMailer instead. Remember to rename
    app/views/notifier to app/views/devise_mailer and I18n key from
    devise.notifier to devise.mailer
  * :authenticable calls are deprecated, use :authenticatable instead

* enhancements
  * [#16] Allow devise to be more agnostic and do not require ActiveRecord to be loaded
  * Allow Warden::Manager to be configured through Devise
  * Created a generator which creates an initializer

== 0.3.0

* bug fix
  * [#15] Allow yml messages to be configured by not using engine locales

* deprecations
  * Renamed confirm_in to confirm_within
  * [#14] Do not send confirmation messages when user changes his e-mail
  * [#13] Renamed authenticable to authenticatable and added deprecation warnings

== 0.2.3

* enhancements
  * Ensure fail! works inside strategies
  * [#12] Make unauthenticated message (when you haven't signed in) different from invalid message

* bug fix
  * Do not redirect on invalid authenticate
  * Allow model configuration to be set to nil

== 0.2.2

* bug fix
  * [#9] Fix a bug when using customized resources

== 0.2.1

* refactor
  * Clean devise_views generator to use devise existing views

* enhancements
  * [#7] Create instance variables (like @user) for each devise controller
  * Use Devise::Controller::Helpers only internally

* bug fix
  * [#6] Fix a bug with Mongrel and Ruby 1.8.6

== 0.2.0

* enhancements
  * [#4] Allow option :null => true in authenticable migration
  * [#3] Remove attr_accessible calls from devise modules
  * Customizable time frame for rememberable with :remember_for config
  * Customizable time frame for confirmable with :confirm_in config
  * Generators for creating a resource and copy views

* optimize
  * Do not load hooks or strategies if they are not used

* bug fixes
  * [#2] Fixed requiring devise strategies

== 0.1.1

* bug fixes
  * [#1] Fixed requiring devise mapping

== 0.1.0

* Devise::Authenticable
* Devise::Confirmable
* Devise::Recoverable
* Devise::Validatable
* Devise::Migratable
* Devise::Rememberable

* SessionsController
* PasswordsController
* ConfirmationsController

* Create an example app
* devise :all, :except => :rememberable
* Use sign_in and sign_out in SessionsController

* Mailer subjects namespaced by model
* Allow stretches and pepper per model

* Store session[:return_to] in session
* Sign user in automatically after confirming or changing it's password