Notes: github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0

- bug fix
  - Fix incorrect message for locked account (by @jigyasa)
  - Regenerate confirmation token on reconfirmation (by @nashby)
  - Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81)
  - Do not run validations unless on the reconfirmable branch

- enhancements
  - Inherit from the same Devise parent controller (by @sj26)
  - Allow parent_controller to be customizable via Devise.parent_controller, useful for engines
  - Allow router_name to be customizable via Devise.router_name, useful for engines

- deprecation
  - Move devise/shared/_links.erb to devise/_links.erb
  - Devise only supports Rails 3.1 onward

- enhancements
  - Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
  - Redirect users to sign in page after unlock (by @nashby)

- deprecation
  - Devise.apply_schema is deprecated
  - Devise migration helpers are deprecated
  - Usage of Devise.remember_across_browsers was deprecated
  - Usage of Devise.confirm_within was deprecated in favor of Devise.allow_unconfirmed_access_for
  - Usage of rememberable with remember_token was removed
  - Usage of recoverable without reset_password_sent_at was removed
  - Usage of Devise.case_insensitive_keys equal to false was removed
  - Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage

- bug fix
  - Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
  - Ensure passing :format => false to devise_for is not permanent
  - Ensure path checker does not check invalid routes

- enhancements
  - Add support for Rails 3.1 new mass assignment conventions (by @kirs)
  - Add timeout_in method to Timeoutable; it can be overridden in a model (by @lest)

- bug fix
  - OmniAuth error message now shows the proper option (:strategy_class instead of :klass)

- bug fix
  - Devise should not attempt to load OmniAuth strategies. Strategies should be loaded beforehand by the developer or explicitly given to Devise.

- enhancements
  - Timeoutable also skips tracking if skip_trackable is given
  - devise_for now accepts :failure_app as an option
  - Models can select the proper mailer via the devise_mailer method (by @locomotivecms)
  - Migration generator now uses the change method (by @nashby)
  - Support for markerb templates in the mailer generator (by @sbounmy)
  - Support for OmniAuth 1.0 (older versions are no longer supported) (by @TamiasSibiricus)

- bug fix
  - Allow idempotent API requests
  - Fix bug where logs did not show 401 as status code
  - Change paranoid settings to behave as success instead of as failure
  - Fix bug where activation messages were shown before the credentials error message
  - Instance variables are expired after sign out

- deprecation
  - redirect_location is deprecated, please use after_sign_in_path_for
  - after_sign_in_path_for now redirects to the location stored in the session if there is one

- bug fix
  - url helpers were not being set under some circumstances

- enhancements
  - Add docs for assets pipeline and Heroku

- bug fix
  - confirmation_url was not being set under some circumstances

- bug fix
  - Fix backward incompatible change from 1.4.6 for those using custom controllers

- enhancements
  - Allow devise_for :skip => :all
  - Allow options to be passed to authenticate_user!
  - Allow --skip-routes to devise generator
  - Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller

- bug fix
  - Failure app falls back to the root path if no path is stored in the session
  - No need to finalize Devise helpers all the time (by @bradleypriest)
  - Reset password shows proper message if user is not active
  - `clean_up_passwords` sets the accessors to nil to skip validations

- bug fix
  - Do not always skip helpers; instead provide :skip_helpers as an option to trigger it manually

- enhancements
  - Improve Rails 3.1 compatibility
  - Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility

- bug fix
  - Generator properly generates a change_table migration if a model already exists
  - Properly deprecate setup_mail
  - Fix encoding issues with email regexp
  - Only generate helpers for the used mappings
  - Wrap :action constraints in the proper hash

- deprecations
  - Loosened the email regexp to simply assert the existence of "@". If someone relies on a stricter regexp, they may use github.com/SixArm/sixarm_ruby_email_address_validation

- bug fix
  - Provide a more robust behavior to serializers and add :force_except option

- enhancements
  - Add :defaults and :format support on router
  - Add simple form generators
  - Better localization for devise_error_messages! (by @zedtux)

- bug fix
  - Ensure to_xml is properly whitelisted
  - Ensure handle_unverified_request cleans up any cached signed-in user

- enhancements
  - Added authenticated and unauthenticated to the router to route the user based on their status (by @sj26)
  - Improve e-mail regexp (by @rodrigoflores)
  - Add strip_whitespace_keys and default to e-mail (by @swrobel)
  - Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut)
  - Added update_without_password to update models without allowing the password to change (by @fschwahn)
  - Added config.paranoid, check the generator for more information (by @rodrigoflores)

- bug fix
  - password_required? should not affect length validation
  - User cannot access sign up and similar pages if already signed in through a cookie or token
  - Do not convert booleans to strings on finders (by @xavier)
  - Run validations even if current_password fails (by @crx)
  - Devise now honors routes constraints (by @macmartine)
  - Do not return the user resource when requesting instructions (by @rodrigoflores)

- bug fix
  - Do not add formats if html or "/"

- bug fix
  - Explicitly mark the token as expired if so

- bug fix
  - Fix another regression related to reset_password_sent_at (by @alexdreher)

- enhancements
  - Improve failure_app responses (by @indirect)
  - sessions/new and registrations/new also respond to xml and json now

- bug fix
  - Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)

- enhancements
  - All controllers can now handle mime types other than html using Responders (by @sikachu)
  - Added reset_password_within as a configuration option for the password recovery token (by @jdguyot)
  - Bump password length to 128 characters (by @k33l0r)
  - Add :only as option to devise_for (by @timoschilling)
  - Allow overriding the path after sending password instructions (by @irohiroki)
  - require_no_authentication has its own flash message (by @jackdempsey)

- bug fix
  - Fix a bug where configuration options were being included too late
  - Ensure Devise::TestHelpers can be used to test Devise internal controllers (by @jwilger)
  - valid_password? should not choke on empty passwords (by @mikel)
  - Calling devise more than once no longer includes previously added modules
  - downcase_keys before validation

- backward incompatible changes
  - authentication_keys are no longer considered when creating the e-mail validations; the previous behavior was buggy. You must double check if you were relying on such behavior.

- enhancements
  - Improve update path messages

- bug fix
  - Properly ignore path prefix on omniauthable
  - Faster uniqueness queries
  - Rename active? to active_for_authentication? to avoid conflicts

- enhancements
  - Make friendly_token 20 chars long
  - Use secure_compare

- bug fix
  - Fix an issue causing infinite redirects in production
  - rails g destroy works properly with devise generators (by @andmej)
  - before_failure callbacks should work on test helpers (by @twinge)
  - rememberable cookie is now httponly by default (by @JamesFerguson)
  - Add missing confirmation_keys (by @JohnPlummer)
  - Ensure after_* hooks are called on RegistrationsController
  - When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
  - Ensure stateless token does not trigger timeout (by @pixelauthority)
  - Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
  - Consider namespaces while generating routes
  - Custom failure apps are no longer ignored in test mode (by @jaghion)
  - Do not depend on ActiveModel::Dirty
  - Manual sign_in now triggers remember token
  - Be sure to halt strategies on failures
  - Consider SCRIPT_NAME on OmniAuth paths
  - Reset failed attempts when lock is expired
  - Ensure there is no Mongoid injection

- deprecations
  - Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes)
  - Removed --haml and --slim view templates
  - Devise::OmniAuth helpers were deprecated and removed in favor of OmniAuth.config.test_mode

- deprecations
  - cookie_domain is deprecated in favor of cookie_options
  - after_update_path_for can no longer be defined in ApplicationController

- enhancements
  - Added OmniAuth support
  - Added ORM adapter to abstract ORM interaction
  - sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld)
  - Improved Ajax requests handling in failure app (by @spastorino)
  - Added request_keys to easily use request specific values (like subdomain) in authentication
  - Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute force attack)
  - Ensure the friendly token does not include "_" or "-" since some e-mail clients may not autolink it properly (by @rymai)
  - Extracted encryptors into :encryptable for better bcrypt support
  - :rememberable is now able to use the salt as token if no remember_token is provided
  - Store the salt in the session and expire the session if the user changes their password
  - Allow :stateless_token to be set to true to avoid storing users in the session through token authentication
  - cookie_options uses session_options values by default
  - Sign up now checks whether the user is active and redirects accordingly, setting the inactive_signed_up message
  - Use ActiveModel#to_key instead of #id
  - sign_out_all_scopes now destroys the whole session
  - Added case_insensitive_keys that automatically downcases the given keys; by default downcases only e-mail (by @adahl)

- default behavior changes
  - sign_out_all_scopes defaults to true as a security measure
  - http authenticatable is disabled by default
  - Devise does not intercept 401 returned from applications

- bugfix
  - after_sign_in_path_for always receives a resource
  - Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo)
  - Allow password recovery and account unlocking to change used keys (by @RStankov)
  - FailureApp now properly handles nil request.format
  - Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
  - Ensure namespaces have proper scoped views
  - Ensure Devise does not set empty flash messages (by @sxross)

- Use a more secure e-mail regexp
- Implement Rails 3.0.4 handle unverified request
- Use secure_compare to compare passwords

- bugfix
  - Ensure to convert keys on indifferent hash

- defaults
  - Set config.http_authenticatable to false to avoid confusion

- bugfix
  - Avoid session fixation attacks

- bugfix
  - Add reply-to to e-mail headers by default
  - Updated the views generator to respect the rails :template_engine option (by @fredwu)
  - Check the type of HTTP Authentication before using Basic headers
  - Avoid invalid_salt errors by checking salt presence (by @thibaudgg)
  - Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane)
  - Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
  - :default option is now honored in migrations

- bugfix
  - Compatibility with latest Rails routes schema

- bugfix
  - Fix a small bug where generated locale file was empty on devise:install

- enhancements
  - Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
  - Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk)
  - devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
  - Support `as` or `devise_scope` in the router to specify controller access scope
  - HTTP Basic Auth can now be disabled/enabled for xhr (ajax) requests using http_authenticatable_on_xhr option (by @pellja)

- bug fix
  - Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
  - Devise should respect script_name and path_info contracts
  - Fix a bug when accessing a path with (.:format) (by @klacointe)
  - Do not add unlock routes unless unlock strategy is email or both
  - Email should be case insensitive
  - Store classes as string in session, to avoid serialization and stale data issues

- deprecations
  - use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead

- enhancements
  - Allow to set cookie domain for the remember token (by @mantas)
  - Added navigational formats to specify when it should return a 302 and when a 401
  - Added authenticate(scope) support in routes (by @wildchild)
  - Added after_update_path_for to registrations controller (by @thedelchop)
  - Allow the mailer object to be replaced through config.mailer = "MyOwnMailer"

- bug fix
  - Fix a bug where session was timing out on sign out

- deprecations
  - bcrypt is now the default encryptor
  - devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject
  - devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
  - Generators now use Rails 3 syntax (devise:install) instead of devise_install

- enhancements
  - Rails 3 compatibility
  - All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions"
  - Devise.orm is deprecated. This reduces the required API to hook your ORM with devise
  - Use metal for failure app
  - HTML e-mails now have proper formatting
  - Allow to give :skip and :controllers in routes
  - Move trackable logic to the model
  - E-mails now use any template available in the filesystem. Easy to create multipart e-mails
  - E-mails ask headers_for in the model to set the proper headers
  - Allow to specify haml in devise_views
  - Compatibility with Mongoid
  - Make config.devise available on config/application.rb
  - TokenAuthenticatable now works with HTTP Basic Auth
  - Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or :none. Setting those values to :none means that you want to handle locking and unlocking by yourself
  - No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3
  - :activatable is included by default in your models

- bug fix
  - Fix a bug with STI

- deprecations
  - Rails 3 compatible only
  - Removed support for MongoMapper
  - Scoped views are no longer "sessions/users/new". Now use "users/sessions/new"
  - Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead
  - Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options
  - All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
  - :as and :scope in routes are deprecated. Use :path and :singular instead

- enhancements
  - Support for latest MongoMapper
  - Added anybody_signed_in? helper (by @SSDany)

- bug fix
  - confirmation_required? is properly honored on active? calls (by @paulrosania)

- bug fix
  - Ensure password confirmation is always required

- deprecations
  - authenticatable was deprecated and renamed to database_authenticatable
  - confirmable is not included by default on generation

- bug fix
  - Do not allow unlockable strategies based on time to access a controller.
  - Do not send unlockable email several times.
  - Allow controller to upstream custom! failures to Warden.

- bug fix
  - Use prepend_before_filter in require_no_authentication.
  - require_no_authentication on unlockable.
  - Fix a bug when giving an association proxy to devise.
  - Do not use lock! on lockable since it's part of the ActiveRecord API.

- bug fix
  - Fixed a bug when deleting an account with rememberable
  - Fixed a bug with custom controllers

- enhancements
  - HTML e-mails now have proper formatting
  - Do not remove MongoMapper options in find

- enhancements
  - Allows you to set mailer content type (by @glennr)

- bug fix
  - Uses the same content type as the request on http authenticatable 401 responses

- enhancements
  - HttpAuthenticatable is not added by default automatically.
  - Avoid mass assignment error messages with current password.

- bug fix
  - Fixed encryptors autoload

- deprecation
  - :old_password in update_with_password is deprecated, use :current_password instead

- enhancements
  - Added Registerable
  - Added Http Basic Authentication support
  - Allow scoped_views to be customized per controller/mailer class
  - [#99] Allow authenticatable to be used in change_table statements

- bug fix
  - Ensure inactive user cannot sign in
  - Ensure redirect to proper url after sign up

- enhancements
  - Added gemspec to repo
  - Added token authenticatable (by @grimen)

- bug fix
  - Allow bigger salt size (by @jgeiger)
  - Fix relative url root

- deprecation
  - devise :all is deprecated
  - :success and :failure flash messages are now :notice and :alert

- enhancements
  - Added devise lockable (by @mhfs)
  - Warden 0.9.0 compatibility
  - MongoMapper 0.6.10 compatibility
  - Added Devise.add_module as hooks for extensions (by @grimen)
  - Ruby 1.9.1 compatibility (by @grimen)

- bug fix
  - Accept path prefix not starting with slash
  - url helpers should rely on find_scope!

- enhancements
  - Allow Devise.mailer_sender to be a proc (by @grimen)

- bug fix
  - Fix bug with passenger; update is required for anyone deploying on passenger (by @dvdpalm)

- enhancements
  - Move salt to encryptors
  - Devise::Lockable
  - Moved view links into partial and I18n'ed them

- bug fix
  - Bcrypt generator was not being loaded nor setting the proper salt

- enhancements
  - Warden 0.8.0 compatibility
  - Add an easy way for map.connect "sign_in", :controller => "sessions", :action => "new" to work
  - Added :bcrypt encryptor (by @capotej)

- bug fix
  - sign_in_count is also increased when user signs in via password change, confirmation, etc.
  - More DataMapper compatibility (by @lancecarlson)

- deprecation
  - Removed DeviseMailer.sender

- enhancements
  - Set a default value for mailer to avoid find_template issues
  - Add models configuration to MongoMapper::EmbeddedDocument as well

- enhancements
  - Extract Activatable from Confirmable
  - Decouple Serializers from Devise modules

- bug fix
  - Give scope to the proper model validation

- enhancements
  - Mail views are scoped as well
  - Added update_with_password for authenticatable
  - Allow render_with_scope to accept :controller option

- deprecation
  - Renamed reset_confirmation! to resend_confirmation!
  - Copying locale is part of the installation process

- bug fix
  - Fixed render_with_scope to work with all controllers
  - Allow sign in with two different users in Devise::TestHelpers

- enhancements
  - Small enhancements for other plugins compatibility (by @grimen)

- deprecations
  - :authenticatable is not included by default anymore

- enhancements
  - Improve loading process
  - Extract SessionSerializer from Authenticatable

- bug fix
  - Added trackable to migrations
  - Allow inflections to work

- enhancements
  - More DataMapper compatibility
  - Devise::Trackable - track sign in count, timestamps and ips

- enhancements
  - Devise::Timeoutable - timeout sessions without activity
  - DataMapper now accepts conditions

- deprecations
  - :authenticatable is still included by default, but yields a deprecation warning

- enhancements
  - Added DataMapper support
  - Remove store_location from authenticatable strategy and add it to failure app
  - Allow a strategy to be placed after authenticatable
  - [#45] Do not rely on attribute? methods, since they are not added on DataMapper

- enhancements
  - [#42] Do not send nil to build (DataMapper compatibility)
  - [#44] Allow to have scoped views

- enhancements
  - Allow overwriting find for authentication method
  - [#38] Remove Ruby 1.8.7 dependency

- deprecations
  - Deprecate :singular in devise_for and use :scope instead

- enhancements
  - [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be overwritten in ApplicationController
  - Create sign_in_and_redirect and sign_out_and_redirect helpers
  - Warden::Manager.default_scope is automatically configured to the first given scope

- bug fix
  - MongoMapper now converts DateTime to Time
  - Ensure all controllers are unloadable

- enhancements
  - [#35] Moved friendly_token to Devise
  - Added Devise.all, so you can freeze your app strategies
  - Added Devise.apply_schema, so you can turn it to false in DataMapper or MongoMapper in cases you don't want it to be handled automatically

- enhancements
  - [#28] Improved sign_in and sign_out helpers to accept resources
  - [#28] Added stored_location_for as a helper
  - [#20] Added test helpers

- enhancements
  - Added serializers based on Warden ones
  - Allow authentication keys to be set

- bug fix
  - Fixed a bug where remember me module was not working properly

- enhancements
  - Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs)
  - Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
  - Added support for MongoMapper (by @shingara)

- bug fix
  - [#29] Authentication just fails if user cannot be serialized from session, without raising errors
  - Default configuration values should not overwrite user values

- deprecations
  - Renamed mail_sender to mailer_sender

- enhancements
  - skip_before_filter added in Devise controllers
  - Use home_or_root_path on require_no_authentication as well
  - Added devise_controller?, useful to select or reject filters in ApplicationController
  - Allow :path_prefix to be given to devise_for
  - Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)

- bug fix
  - [#21] Ensure options can be set even if models were not loaded

- deprecations
  - Notifier is deprecated, use DeviseMailer instead. Remember to rename app/views/notifier to app/views/devise_mailer and the I18n key from devise.notifier to devise.mailer
  - :authenticable calls are deprecated, use :authenticatable instead

- enhancements
  - [#16] Allow devise to be more agnostic and not require ActiveRecord to be loaded
  - Allow Warden::Manager to be configured through Devise
  - Created a generator which creates an initializer

- bug fix
  - [#15] Allow yml messages to be configured by not using engine locales

- deprecations
  - Renamed confirm_in to confirm_within
  - [#14] Do not send confirmation messages when user changes their e-mail
  - [#13] Renamed authenticable to authenticatable and added deprecation warnings

- enhancements
  - Ensure fail! works inside strategies
  - [#12] Make unauthenticated message (when you haven't signed in) different from invalid message

- bug fix
  - Do not redirect on invalid authenticate
  - Allow model configuration to be set to nil

- bug fix
  - [#9] Fix a bug when using customized resources

- refactor
  - Clean devise_views generator to use devise existing views

- enhancements
  - [#7] Create instance variables (like @user) for each devise controller
  - Use Devise::Controller::Helpers only internally

- bug fix
  - [#6] Fix a bug with Mongrel and Ruby 1.8.6

- enhancements
  - [#4] Allow option :null => true in authenticable migration
  - [#3] Remove attr_accessible calls from devise modules
  - Customizable time frame for rememberable with :remember_for config
  - Customizable time frame for confirmable with :confirm_in config
  - Generators for creating a resource and copying views

- optimize
  - Do not load hooks or strategies if they are not used

- bug fixes
  - [#2] Fixed requiring devise strategies

- bug fixes
  - [#1] Fixed requiring devise mapping

- Devise::Authenticable
- Devise::Confirmable
- Devise::Recoverable
- Devise::Validatable
- Devise::Migratable
- Devise::Rememberable
- SessionsController
- PasswordsController
- ConfirmationsController
- Create an example app
- devise :all, :except => :rememberable
- Use sign_in and sign_out in SessionsController
- Mailer subjects namespaced by model
- Allow stretches and pepper per model
- Store session in session
- Sign user in automatically after confirming or changing their password