- bug fixes
- Validations were being ignored on singup in the
Trackable#update_tracked_fields!method. (by @AshleyFoster)
- Validations were being ignored on singup in the
- Enhancements
- Dependency support added for Rails 5.1.x.
- removals
Devise::Mailer#scope_nameandDevise::Mailer#resourceare now protected methods instead of public.
- bug fixes
- Attempt to reset password without the password field in the request now results in a
:blankvalidation error. Before this change, Devise would accept the reset password request and log the user in, without validating/changing the password. (by @victor-am) - Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
- Attempt to reset password without the password field in the request now results in a
- enhancements
- Notify the original email when it is changed with a new
Devise.send_email_changed_notificationsetting. When usingreconfirmable, the notification will be sent right away instead of when the unconfirmed email is confirmed. (original change by @ethirajsrinivasan)
- Notify the original email when it is changed with a new
- removals
- Remove the deprecated
Devise::ParameterSanitizerAPI from Devise 3. Please use the#permitand#sanitizemethods over#for. - Remove the deprecated OmniAuth URL helpers. Use the fully qualified helpers
(
user_facebook_omniauth_authorize_path) over the scope based helpers (user_omniauth_authorize_path(:facebook)). - Remove the
Devise.bcryptmethod, useDevise::Encryptor.digestinstead. - Remove the
Devise::Models::Confirmable#confirm!method, useconfirminstead. - Remove the
Devise::Models::Recoverable#reset_password!method, usereset_passwordinstead. - Remove the
Devise::Models::Recoverable#after_password_resetmethod.
- Remove the deprecated
- bug fixes
- Fix an
ActionDispatch::IllegalStateErrorwhen testing controllers with Rails 5 rc 2(by @hamadata). - Use
ActiveSupport.on_loadhooks to include Devise onActiveRecordandMongoid, avoiding autoloading these constants too soon (by @lucasmazza, @rafaelfranca).
- Fix an
- enhancements
- Display the minimum password length on
registrations/editview (by @Yanchek99). - You can disable Devise's routes reloading on boot by through the
reload_routes = falseconfig. This can reduce the time taken to boot the application but it might trigger some errors if you application (mostly your controllers) requires that Devise mappings be loaded during boot time (by @sidonath). - Added
Devise::Test::IntegrationHelpersto bypass the sign in process using Warden test API (by @lucasmazza). - Define
inspectinDevise::Models::Authenticatableto help ensure password hashes aren't included in exceptions or otherwise accidentally serialized (by @tkrajcar). - Add missing support of
Rails.application.config.action_controller.relative_url_root(by @kosdiamantis).
- Display the minimum password length on
- deprecations
Devise::TestHelpersis deprecated in favor ofDevise::Test::ControllerHelpers(by @lucasmazza).- The
sign_intest helper has changed to use keyword arguments when passing a scope.sign_in :admin, users(:alice)should be rewritten assign_in users(:alice), scope: :admin(by @lucasmazza). - The option
bypassofDevise::Controllers::SignInOut#sign_inmethod is deprecated in favor ofDevise::Controllers::SignInOut#bypass_sign_inmethod (by @ulissesalmeida).
- bug fixes
- Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
- bug fixes
-
Fix race condition of sending the confirmation instructions e-mail using background jobs. Using the previous
after_createcallback, the e-mail can be sent before the record be committed on database, generating aActiveRecord::NotFounderror. Now the confirmation e-mail will be only sent after the database commit, using theafter_commitcallback. It may break your test suite on Rails 4 if you are testing the sent e-mails or enqueued jobs using transactional fixtures enabled orDatabaseCleanerwithtransactionstrategy. You can easily fix your test suite using the gem test_after_commit. For example, put in your Gemfile:gem 'test_after_commit', :group => :test
On Rails 5
after_commitcallbacks are triggered even using transactional fixtures, then this fix will not break your test suite. If you are usingDatabaseCleanerwith thedeletionortruncationstrategies it may not break your tests. (by @allenwq) -
Fix strategy checking in
Lockable#unlock_strategy_enabled?for:noneand:undefinedstrategies. (by @f3ndot)
-
- features
- Humanize authentication keys in failure flash message (by @byzg)
When you are configuring the translations of
devise.failure.invalid, theauthentication_keysis translated now.
- Humanize authentication keys in failure flash message (by @byzg)
When you are configuring the translations of
- deprecations
- Remove code supporting old session serialization format (by @fphilipe).
- Now the
email_regexpdefault uses a more permissive regex:/\A[^@\s]+@[^@\s]+\z/(by @kimgb) - Now the
strip_whitespace_keysdefault is[:email](by @ulissesalmeida) - Now the
reconfirmabledefault istrue(by @ulissesalmeida) - Now the
skip_session_storagedefault is[:http_auth](by @ulissesalmeida) - Now the
sign_out_viadefault is:delete(by @ulissesalmeida)
- improvements
- Avoids extra computation of friendly token for confirmation token (by @sbc100)
- bug fixes
- Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
- bug fixes
- Fix strategy checking in
Lockable#unlock_strategy_enabled?for:noneand:undefinedstrategies. (by @f3ndot)
- Fix strategy checking in
- bug fixes
- Fix the e-mail confirmation instructions send when a user updates the email address from nil. (by @lmduc)
- Remove unnecessary
attribute_will_change!call. (by @cadejscroggins) - Consistent
permit!check. (by @ulissesalmeida)
-
bug fixes
- Fix the
extend_remember_periodconfiguration. When set tofalseit does not update the cookie expiration anymore.(by @ulissesalmeida)
- Fix the
-
deprecations
- Added a warning of default value change in Devise 4.1 for users that uses
the the default configuration of the following configurations: (by @ulissesalmeida)
strip_whitespace_keys- The default will be[:email].skip_session_storage- The default will be[:http_auth].sign_out_via- The default will be:delete.reconfirmable- The default will betrue.email_regexp- The default will be/\A[^@\s]+@[^@\s]+\z/.
- Removed deprecated argument of
Devise::Models::Rememberable#remember_me!(by @ulissesalmeida) - Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in! (by @bogdanvlviv)
- Added a warning of default value change in Devise 4.1 for users that uses
the the default configuration of the following configurations: (by @ulissesalmeida)
-
enhancements
- Introduced
DeviseController#set_flash_message!for conditional flash messages setting to reduce complexity. rails g devise:installwill fail if the app does not have a ORM configured (by @arjunsharma)- Support to Rails 5 versioned migrations added.
- Introduced
-
deprecations
- omniauth routes are no longer defined with a wildcard
:providerparameter, and provider specific routes are defined instead, so route helpers likeuser_omniauth_authorize_path(:github)are deprecated in favor ofuser_github_omniauth_authorize_path. You can still useomniauth_authorize_path(:user, :github)if you need to call the helpers dynamically.
- omniauth routes are no longer defined with a wildcard
-
Support added to Rails 5 (by @twalpole).
-
Devise no longer supports Rails 3.2 and 4.0.
-
Devise no longer supports Ruby 1.9 and 2.0.
-
deprecations
-
The
devise_parameter_sanitizeAPI has changed: Theformethod was deprecated in favor ofpermit:def configure_permitted_parameters devise_parameter_sanitizer.for(:sign_up) << :subscribe_newsletter # Should become the following. devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter]) end
The customization through instance methods on the sanitizer implementation should be done through it's
initializemethod:class User::ParameterSanitizer < Devise::ParameterSanitizer def sign_up default_params.permit(:username, :email) end end # The `sign_up` method can be a `permit` call on the sanitizer `initialize`. class User::ParameterSanitizer < Devise::ParameterSanitizer def initialize(*) super permit(:sign_up, keys: [:username, :email]) end end
You can check more examples and explanations on the README section and on the ParameterSanitizer docs.
-
Please check 3-stable for previous changes.