== 2.0.0.rc2 Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0 * bug fix * Fix incorrect message for locked account (by @jigyasa) * Regenerate confirmation token on reconfirmation (by @nashby) * Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81) * Do not run validations unless on reconfirmable branch * enhancements * Redirect to the previous URL on timeout * Inherit from the same Devise parent controller (by @sj26) * Allow parent_controller to be customizable via Devise.parent_controller, useful for engines * Allow router_name to be customizable via Devise.router_name, useful for engines * deprecation * Move devise/shared/_links.erb to devise/_links.erb * Devise only supports Rails 3.1 forward * Deprecated support for nested devise_for blocks == 2.0.0.rc * enhancements * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal) * Redirect users to sign in page after unlock (by @nashby) * deprecation * Devise.apply_schema is deprecated * Devise migration helpers are deprecated * Usage of Devise.remember_across_browsers was deprecated * Usage of Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for * Usage of rememberable with remember_token was removed * Usage of recoverable without reset_password_sent_at was removed * Usage of Devise.case_insensitive_keys equals to false was removed * Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage == 1.5.3 * bug fix * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko) * Ensure passing :format => false to devise_for is not permanent * Ensure path checker does not check invalid routes == 1.5.2 * enhancements * Add support for Rails 3.1 new mass assignment conventions (by @kirs) * Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest) * bug fix * OmniAuth error message now shows the proper option (:strategy_class instead of :klass) == 1.5.1 * bug fix * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise. == 1.5.0 * enhancements * Timeoutable also skips tracking if skip_trackable is given * devise_for now accepts :failure_app as an option * Models can select the proper mailer via devise_mailer method (by @locomotivecms) * Migration generator now uses the change method (by @nashby) * Support to markerb templates on the mailer generator (by @sbounmy) * Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus) * bug fix * Allow idempotent API requests * Fix bug where logs did not show 401 as status code * Change paranoid settings to behave as success instead of as failure * Fix bug where activation messages were shown first than the credentials error message * Instance variables are expired after sign out * deprecation * redirect_location is deprecated, please use after_sign_in_path_for * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it == 1.4.9 * bug fix * url helpers were not being set under some circumstances == 1.4.8 * enhancements * Add docs for assets pipeline and Heroku * bug fix * confirmation_url was not being set under some circumstances == 1.4.7 * bug fix * Fix backward incompatible change from 1.4.6 for those using custom controllers == 1.4.6 * enhancements * Allow devise_for :skip => :all * Allow options to be passed to authenticate_user! * Allow --skip-routes to devise generator * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller == 1.4.5 * bug fix * Failure app tries the root path if a session one does not exist * No need to finalize Devise helpers all the time (by @bradleypriest) * Reset password shows proper message if user is not active * `clean_up_passwords` sets the accessors to nil to skip validations == 1.4.4 * bug fix * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually == 1.4.3 * enhancements * Improve Rails 3.1 compatibility * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility * bug fix * Generator properly generates a change_table migration if a model already exists * Properly deprecate setup_mail * Fix encoding issues with email regexp * Only generate helpers for the used mappings * Wrap :action constraints in the proper hash * deprecations * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation == 1.4.2 * bug fix * Provide a more robust behavior to serializers and add :force_except option == 1.4.1 * enhancements * Add :defaults and :format support on router * Add simple form generators * Better localization for devise_error_messages! (by @zedtux) * bug fix * Ensure to_xml is properly white listened * Ensure handle_unverified_request clean up any cached signed-in user == 1.4.0 * enhancements * Added authenticated and unauthenticated to the router to route the used based on his status (by @sj26) * Improve e-mail regexp (by @rodrigoflores) * Add strip_whitespace_keys and default to e-mail (by @swrobel) * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut) * Added update_without_password to update models but not allowing the password to change (by @fschwahn) * Added config.paranoid, check the generator for more information (by @rodrigoflores) * bug fix * password_required? should not affect length validation * User cannot access sign up and similar pages if he is already signed in through a cookie or token * Do not convert booleans to strings on finders (by @xavier) * Run validations even if current_password fails (by @crx) * Devise now honors routes constraints (by @macmartine) * Do not return the user resource when requesting instructions (by @rodrigoflores) == 1.3.4 * bug fix * Do not add formats if html or "*/*" == 1.3.3 * bug fix * Explicitly mark the token as expired if so == 1.3.2 * bug fix * Fix another regression related to reset_password_sent_at (by @alexdreher) == 1.3.1 * enhancements * Improve failure_app responses (by @indirect) * sessions/new and registrations/new also respond to xml and json now * bug fix * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss) == 1.3.0 * enhancements * All controllers can now handle different mime types than html using Responders (by @sikachu) * Added reset_password_within as configuration option to send the token for recovery (by @jdguyot) * Bump password length to 128 characters (by @k33l0r) * Add :only as option to devise_for (by @timoschilling) * Allow to override path after sending password instructions (by @irohiroki) * require_no_authentication has its own flash message (by @jackdempsey) * bug fix * Fix a bug where configuration options were being included too late * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger) * valid_password? should not choke on empty passwords (by @mikel) * Calling devise more than once does not include previously added modules anymore * downcase_keys before validation * backward incompatible changes * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior. == 1.2.1 * enhancements * Improve update path messages == 1.2.0 * bug fix * Properly ignore path prefix on omniauthable * Faster uniqueness queries * Rename active? to active_for_authentication? to avoid conflicts == 1.2.rc2 * enhancements * Make friendly_token 20 chars long * Use secure_compare * bug fix * Fix an issue causing infinite redirects in production * rails g destroy works properly with devise generators (by @andmej) * before_failure callbacks should work on test helpers (by @twinge) * rememberable cookie now is httponly by default (by @JamesFerguson) * Add missing confirmation_keys (by @JohnPlummer) * Ensure after_* hooks are called on RegistrationsController * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included) * Ensure stateless token does not trigger timeout (by @pixelauthority) * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols * Consider namespaces while generating routes * Custom failure apps no longer ignored in test mode (by @jaghion) * Do not depend on ActiveModel::Dirty * Manual sign_in now triggers remember token * Be sure to halt strategies on failures * Consider SCRIPT_NAME on Omniauth paths * Reset failed attempts when lock is expired * Ensure there is no Mongoid injection * deprecations * Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes) * Removed --haml and --slim view templates * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode == 1.2.rc * deprecations * cookie_domain is deprecated in favor of cookie_options * after_update_path_for can no longer be defined in ApplicationController * enhancements * Added OmniAuth support * Added ORM adapter to abstract ORM iteraction * sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld) * Improved Ajax requests handling in failure app (by @spastorino) * Added request_keys to easily use request specific values (like subdomain) in authentication * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack) * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai) * Extracted encryptors into :encryptable for better bcrypt support * :rememberable is now able to use salt as token if no remember_token is provided * Store the salt in session and expire the session if the user changes his password * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication * cookie_options uses session_options values by default * Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message * Use ActiveModel#to_key instead of #id * sign_out_all_scopes now destroys the whole session * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl) * default behavior changes * sign_out_all_scopes defaults to true as security measure * http authenticatable is disabled by default * Devise does not intercept 401 returned from applications * bugfix * after_sign_in_path_for always receives a resource * Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo) * Allow password recovery and account unlocking to change used keys (by @RStankov) * FailureApp now properly handles nil request.format * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7 * Ensure namespaces has proper scoped views * Ensure Devise does not set empty flash messages (by @sxross) == 1.1.6 * Use a more secure e-mail regexp * Implement Rails 3.0.4 handle unverified request * Use secure_compare to compare passwords == 1.1.5 * bugfix * Ensure to convert keys on indifferent hash * defaults * Set config.http_authenticatable to false to avoid confusion == 1.1.4 * bugfix * Avoid session fixation attacks == 1.1.3 * bugfix * Add reply-to to e-mail headers by default * Updated the views generator to respect the rails :template_engine option (by @fredwu) * Check the type of HTTP Authentication before using Basic headers * Avoid invalid_salt errors by checking salt presence (by @thibaudgg) * Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane) * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie) * :default options is now honored in migrations == 1.1.2 * bugfix * Compatibility with latest Rails routes schema == 1.1.1 * bugfix * Fix a small bug where generated locale file was empty on devise:install == 1.1.0 * enhancements * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk) * Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk) * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation) * Support `as` or `devise_scope` in the router to specify controller access scope * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja) * bug fix * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts * Devise should respect script_name and path_info contracts * Fix a bug when accessing a path with (.:format) (by @klacointe) * Do not add unlock routes unless unlock strategy is email or both * Email should be case insensitive * Store classes as string in session, to avoid serialization and stale data issues * deprecations * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead == 1.1.rc2 * enhancements * Allow to set cookie domain for the remember token. (by @mantas) * Added navigational formats to specify when it should return a 302 and when a 401. * Added authenticate(scope) support in routes (by @wildchild) * Added after_update_path_for to registrations controller (by @thedelchop) * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer" * bug fix * Fix a bug where session was timing out on sign out * deprecations * bcrypt is now the default encryptor * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject * Generators now use Rails 3 syntax (devise:install) instead of devise_install == 1.1.rc1 * enhancements * Rails 3 compatibility * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions" * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise * Use metal for failure app * HTML e-mails now have proper formatting * Allow to give :skip and :controllers in routes * Move trackable logic to the model * E-mails now use any template available in the filesystem. Easy to create multipart e-mails * E-mails asks headers_for in the model to set the proper headers * Allow to specify haml in devise_views * Compatibility with Mongoid * Make config.devise available on config/application.rb * TokenAuthenticatable now works with HTTP Basic Auth * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3 * :activatable is included by default in your models * bug fix * Fix a bug with STI * deprecations * Rails 3 compatible only * Removed support for MongoMapper * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new" * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure * :as and :scope in routes is deprecated. Use :path and :singular instead == 1.0.8 * enhancements * Support for latest MongoMapper * Added anybody_signed_in? helper (by @SSDany) * bug fix * confirmation_required? is properly honored on active? calls. (by @paulrosania) == 1.0.7 * bug fix * Ensure password confirmation is always required * deprecations * authenticatable was deprecated and renamed to database_authenticatable * confirmable is not included by default on generation == 1.0.6 * bug fix * Do not allow unlockable strategies based on time to access a controller. * Do not send unlockable email several times. * Allow controller to upstram custom! failures to Warden. == 1.0.5 * bug fix * Use prepend_before_filter in require_no_authentication. * require_no_authentication on unlockable. * Fix a bug when giving an association proxy to devise. * Do not use lock! on lockable since it's part of ActiveRecord API. == 1.0.4 * bug fix * Fixed a bug when deleting an account with rememberable * Fixed a bug with custom controllers == 1.0.3 * enhancements * HTML e-mails now have proper formatting * Do not remove MongoMapper options in find == 1.0.2 * enhancements * Allows you set mailer content type (by @glennr) * bug fix * Uses the same content type as request on http authenticatable 401 responses == 1.0.1 * enhancements * HttpAuthenticatable is not added by default automatically. * Avoid mass assignment error messages with current password. * bug fix * Fixed encryptors autoload == 1.0.0 * deprecation * :old_password in update_with_password is deprecated, use :current_password instead * enhancements * Added Registerable * Added Http Basic Authentication support * Allow scoped_views to be customized per controller/mailer class * [#99] Allow authenticatable to used in change_table statements == 0.9.2 * bug fix * Ensure inactive user cannot sign in * Ensure redirect to proper url after sign up * enhancements * Added gemspec to repo * Added token authenticatable (by @grimen) == 0.9.1 * bug fix * Allow bigger salt size (by @jgeiger) * Fix relative url root == 0.9.0 * deprecation * devise :all is deprecated * :success and :failure flash messages are now :notice and :alert * enhancements * Added devise lockable (by @mhfs) * Warden 0.9.0 compatibility * Mongomapper 0.6.10 compatibility * Added Devise.add_module as hooks for extensions (by @grimen) * Ruby 1.9.1 compatibility (by @grimen) * bug fix * Accept path prefix not starting with slash * url helpers should rely on find_scope! == 0.8.2 * enhancements * Allow Devise.mailer_sender to be a proc (by @grimen) * bug fix * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm) == 0.8.1 * enhancements * Move salt to encryptors * Devise::Lockable * Moved view links into partial and I18n'ed them * bug fix * Bcrypt generator was not being loaded neither setting the proper salt == 0.8.0 * enhancements * Warden 0.8.0 compatibility * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work * Added :bcrypt encryptor (by @capotej) * bug fix * sign_in_count is also increased when user signs in via password change, confirmation, etc.. * More DataMapper compatibility (by @lancecarlson) * deprecation * Removed DeviseMailer.sender == 0.7.5 * enhancements * Set a default value for mailer to avoid find_template issues * Add models configuration to MongoMapper::EmbeddedDocument as well == 0.7.4 * enhancements * Extract Activatable from Confirmable * Decouple Serializers from Devise modules == 0.7.3 * bug fix * Give scope to the proper model validation * enhancements * Mail views are scoped as well * Added update_with_password for authenticatable * Allow render_with_scope to accept :controller option == 0.7.2 * deprecation * Renamed reset_confirmation! to resend_confirmation! * Copying locale is part of the installation process * bug fix * Fixed render_with_scope to work with all controllers * Allow sign in with two different users in Devise::TestHelpers == 0.7.1 * enhancements * Small enhancements for other plugins compatibility (by @grimen) == 0.7.0 * deprecations * :authenticatable is not included by default anymore * enhancements * Improve loading process * Extract SessionSerializer from Authenticatable == 0.6.3 * bug fix * Added trackable to migrations * Allow inflections to work == 0.6.2 * enhancements * More DataMapper compatibility * Devise::Trackable - track sign in count, timestamps and ips == 0.6.1 * enhancements * Devise::Timeoutable - timeout sessions without activity * DataMapper now accepts conditions == 0.6.0 * deprecations * :authenticatable is still included by default, but yields a deprecation warning * enhancements * Added DataMapper support * Remove store_location from authenticatable strategy and add it to failure app * Allow a strategy to be placed after authenticatable * [#45] Do not rely attribute? methods, since they are not added on Datamapper == 0.5.6 * enhancements * [#42] Do not send nil to build (DataMapper compatibility) * [#44] Allow to have scoped views == 0.5.5 * enhancements * Allow overwriting find for authentication method * [#38] Remove Ruby 1.8.7 dependency == 0.5.4 * deprecations * Deprecate :singular in devise_for and use :scope instead * enhancements * [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be overwriten in ApplicationController * Create sign_in_and_redirect and sign_out_and_redirect helpers * Warden::Manager.default_scope is automatically configured to the first given scope == 0.5.3 * bug fix * MongoMapper now converts DateTime to Time * Ensure all controllers are unloadable * enhancements * [#35] Moved friendly_token to Devise * Added Devise.all, so you can freeze your app strategies * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper in cases you don't want it be handlded automatically == 0.5.2 * enhancements * [#28] Improved sign_in and sign_out helpers to accepts resources * [#28] Added stored_location_for as a helper * [#20] Added test helpers == 0.5.1 * enhancements * Added serializers based on Warden ones * Allow authentication keys to be set == 0.5.0 * bug fix * Fixed a bug where remember me module was not working properly * enhancements * Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs) * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs) * Added support for MongoMapper (by @shingara) == 0.4.3 * bug fix * [#29] Authentication just fails if user cannot be serialized from session, without raising errors; * Default configuration values should not overwrite user values; == 0.4.2 * deprecations * Renamed mail_sender to mailer_sender * enhancements * skip_before_filter added in Devise controllers * Use home_or_root_path on require_no_authentication as well * Added devise_controller?, useful to select or reject filters in ApplicationController * Allow :path_prefix to be given to devise_for * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported) == 0.4.1 * bug fix * [#21] Ensure options can be set even if models were not loaded == 0.4.0 * deprecations * Notifier is deprecated, use DeviseMailer instead. Remember to rename app/views/notifier to app/views/devise_mailer and I18n key from devise.notifier to devise.mailer * :authenticable calls are deprecated, use :authenticatable instead * enhancements * [#16] Allow devise to be more agnostic and do not require ActiveRecord to be loaded * Allow Warden::Manager to be configured through Devise * Created a generator which creates an initializer == 0.3.0 * bug fix * [#15] Allow yml messages to be configured by not using engine locales * deprecations * Renamed confirm_in to confirm_within * [#14] Do not send confirmation messages when user changes his e-mail * [#13] Renamed authenticable to authenticatable and added deprecation warnings == 0.2.3 * enhancements * Ensure fail! works inside strategies * [#12] Make unauthenticated message (when you haven't signed in) different from invalid message * bug fix * Do not redirect on invalid authenticate * Allow model configuration to be set to nil == 0.2.2 * bug fix * [#9] Fix a bug when using customized resources == 0.2.1 * refactor * Clean devise_views generator to use devise existing views * enhancements * [#7] Create instance variables (like @user) for each devise controller * Use Devise::Controller::Helpers only internally * bug fix * [#6] Fix a bug with Mongrel and Ruby 1.8.6 == 0.2.0 * enhancements * [#4] Allow option :null => true in authenticable migration * [#3] Remove attr_accessible calls from devise modules * Customizable time frame for rememberable with :remember_for config * Customizable time frame for confirmable with :confirm_in config * Generators for creating a resource and copy views * optimize * Do not load hooks or strategies if they are not used * bug fixes * [#2] Fixed requiring devise strategies == 0.1.1 * bug fixes * [#1] Fixed requiring devise mapping == 0.1.0 * Devise::Authenticable * Devise::Confirmable * Devise::Recoverable * Devise::Validatable * Devise::Migratable * Devise::Rememberable * SessionsController * PasswordsController * ConfirmationsController * Create an example app * devise :all, :except => :rememberable * Use sign_in and sign_out in SessionsController * Mailer subjects namespaced by model * Allow stretches and pepper per model * Store session[:return_to] in session * Sign user in automatically after confirming or changing it's password