### Unreleased * enhancements * Allow to skip email and password change notifications (by @iorme1) * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg) * Ignore useless files into the `.gem` file (by @huacnlee) * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon) * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer) * bug fixes * Fix missing comma in Simple Form generator (by @colinross) * Fix error with migration generator in Rails 6 (by @oystersauce8) * Set `encrypted_password` to `nil` when `password` is set to `nil` (by @sivagollapalli) * Consider whether the request supports flash messages inside `Devise::Controllers::Helpers#is_flashing_format?` (by @colinross) * Fix typo inside `Devise::Generators::ControllersGenerator` (by @kopylovvlad) * Sanitize parameters inside `Devise::Models::Authenticatable#find_or_initialize_with_errors` (by @rlue) * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan) * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu) * Fix unclosed `li` tag in `error_messages` partial (by @mracos) * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri) * deprecations * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08) * The `DeviseHelper.devise_error_messages!` is deprecated and will be removed in the next major version. Use the `devise/shared/error_messages` partial instead. (by @mracos) ### 4.5.0 - 2018-08-15 * enhancements * Use `before_action` instead of `before_filter` (by @edenthecat) * Allow people to extend devise failure app, through invoking `ActiveSupport.run_load_hooks` once `Devise::FailureApp` is loaded (by @wnm) * Use `update` instead of `update_attributes` (by @koic) * Split IP resolution from `update_tracked_fields` (by @mckramer) * upgrade dependencies for rails and responders (by @lancecarlson) * Add `autocomplete="new-password"` to new password fields (by @gssbzn) * Add `autocomplete="current-password"` to current password fields (by @gssbzn) * Remove redundant `self` from `database_authenticatable` module (by @abhishekkanojia) * Update `simple_form` templates with changes from https://github.com/plataformatec/devise/commit/16b3d6d67c7e017d461ea17ed29ea9738dc77e83 and https://github.com/plataformatec/devise/commit/6260c29a867b9a656f1e1557abe347a523178fab (by @gssbzn) * Remove `:trackable` from the default modules in the generators, to be more GDPR-friendly (by @fakenine) * bug fixes * Use same string on failed login regardless of whether account exists when in paranoid mode (by @TonyMK9068) * Fix error when params is not a hash inside `Devise::ParameterSanitizer` (by @b0nn1e) * Look for `secret_key_base` inside `Rails.application` (by @gencer) * Ensure `Devise::ParameterFilter` does not add missing keys when called with a hash that has a `default` / `default_proc` configured (by @joshpencheon) * Adds `is_navigational_format?` check to `after_sign_up_path_for` to keep consistency (by @iorme1) ### 4.4.3 - 2018-03-17 * bug fixes * Fix undefined method `rails5?` for Devise::Test:Module (by @tegon) * Fix: secret key was being required to be set inside credentials on Rails 5.2 (by @tegon) ### 4.4.2 - 2018-03-15 * enhancements * Support for :credentials on Rails v5.2.x. (by @gencer) * Improve documentation about the test suite. (by @tegon) * Test with Rails 5.2.rc1 on Travis. (by @jcoyne) * Allow test with Rails 6. (by @Fudoshiki) * Creating a new section for controller configuration on `devise.rb` template (by @Danilo-Araujo-Silva) * bug fixes * Preserve content_type for unauthenticated tests (by @gmcnaughton) * Check if the resource is persisted in `update_tracked_fields!` instead of performing validations (by @tegon) * Revert "Replace log_process_action to append_info_to_payload" (by @tegon) ### 4.4.1 - 2018-01-23 * bug fixes * Ensure Gemspec is loaded as utf-8. (by @segiddins) * Fix `ActiveRecord` check on `Confirmable`. (by @tegon) * Fix `signed_in?` docs without running auth hooks. by (@machty) ### 4.4.0 - 2017-12-29 * enhancements * Add `frozen_string_literal` pragma comment to all Ruby files. (by @pat) * Use `set_flash_method!` instead of `set_flash_method` in `Devise::OmniauthCallbacksController#failure`. (by @saichander17) * Clarify how `store_location_for` modifies URIs. (by @olivierlacan) * Move `failed_attempts` increment into its own function. by (@mobilutz) * Add `autocomplete="email"` to email fields. by (@MikeRogers0) * Add the ability to change the default migrations path introduced in Rails 5.0.3. (by @alexhifer) * Delete unnecessary condition for helper method. (by @davydovanton) * Support `id: :uuid` option for migrations. (by @filip373) * bug fixes * Fix syntax for MRI 2.5.0. (by @pat) * Validations were being ignored on singup in the `Trackable#update_tracked_fields!` method. (by @AshleyFoster) * Do not modify options for `#serializable_hash`. (by @guigs) * Email confirmations were being sent on sign in/sign out for application using `mongoid` and `mongoid-paperclip` gems. This is because previously we were checking if a model is from Active Record by checking if the method `after_commit` was defined - since `mongoid` doesn' have one - but `mongoid-paperclip` gem does define one, which cause this issue. (by @fjg) ### 4.3.0 - 2017-05-14 * Enhancements * Dependency support added for Rails 5.1.x. ### 4.2.1 - 2017-03-15 * removals * `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected methods instead of public. * bug fixes * Attempt to reset password without the password field in the request now results in a `:blank` validation error. Before this change, Devise would accept the reset password request and log the user in, without validating/changing the password. (by @victor-am) * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano) * enhancements * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting. When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed. (original change by @ethirajsrinivasan) ### 4.2.0 - 2016-07-01 * removals * Remove the deprecated `Devise::ParameterSanitizer` API from Devise 3. Please use the `#permit` and `#sanitize` methods over `#for`. * Remove the deprecated OmniAuth URL helpers. Use the fully qualified helpers (`user_facebook_omniauth_authorize_path`) over the scope based helpers ( `user_omniauth_authorize_path(:facebook)`). * Remove the `Devise.bcrypt` method, use `Devise::Encryptor.digest` instead. * Remove the `Devise::Models::Confirmable#confirm!` method, use `confirm` instead. * Remove the `Devise::Models::Recoverable#reset_password!` method, use `reset_password` instead. * Remove the `Devise::Models::Recoverable#after_password_reset` method. * bug fixes * Fix an `ActionDispatch::IllegalStateError` when testing controllers with Rails 5 rc 2(by @hamadata). * Use `ActiveSupport.on_load` hooks to include Devise on `ActiveRecord` and `Mongoid`, avoiding autoloading these constants too soon (by @lucasmazza, @rafaelfranca). * enhancements * Display the minimum password length on `registrations/edit` view (by @Yanchek99). * You can disable Devise's routes reloading on boot by through the `reload_routes = false` config. This can reduce the time taken to boot the application but it might trigger some errors if you application (mostly your controllers) requires that Devise mappings be loaded during boot time (by @sidonath). * Added `Devise::Test::IntegrationHelpers` to bypass the sign in process using Warden test API (by @lucasmazza). * Define `inspect` in `Devise::Models::Authenticatable` to help ensure password hashes aren't included in exceptions or otherwise accidentally serialized (by @tkrajcar). * Add missing support of `Rails.application.config.action_controller.relative_url_root` (by @kosdiamantis). * deprecations * `Devise::TestHelpers` is deprecated in favor of `Devise::Test::ControllerHelpers` (by @lucasmazza). * The `sign_in` test helper has changed to use keyword arguments when passing a scope. `sign_in :admin, users(:alice)` should be rewritten as `sign_in users(:alice), scope: :admin` (by @lucasmazza). * The option `bypass` of `Devise::Controllers::SignInOut#sign_in` method is deprecated in favor of `Devise::Controllers::SignInOut#bypass_sign_in` method (by @ulissesalmeida). ### 4.1.1 - 2016-05-15 * bug fixes * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev). ### 4.1.0 * bug fixes * Fix race condition of sending the confirmation instructions e-mail using background jobs. Using the previous `after_create` callback, the e-mail can be sent before the record be committed on database, generating a `ActiveRecord::NotFound` error. Now the confirmation e-mail will be only sent after the database commit, using the `after_commit` callback. It may break your test suite on Rails 4 if you are testing the sent e-mails or enqueued jobs using transactional fixtures enabled or `DatabaseCleaner` with `transaction` strategy. You can easily fix your test suite using the gem [test_after_commit](https://github.com/grosser/test_after_commit). For example, put in your Gemfile: ```ruby gem 'test_after_commit', :group => :test ``` On Rails 5 `after_commit` callbacks are triggered even using transactional fixtures, then this fix will not break your test suite. If you are using `DatabaseCleaner` with the `deletion` or `truncation` strategies it may not break your tests. (by @allenwq) * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none` and `:undefined` strategies. (by @f3ndot) * features * Humanize authentication keys in failure flash message (by @byzg) When you are configuring the translations of `devise.failure.invalid`, the `authentication_keys` is translated now. * deprecations * Remove code supporting old session serialization format (by @fphilipe). * Now the `email_regexp` default uses a more permissive regex: `/\A[^@\s]+@[^@\s]+\z/` (by @kimgb) * Now the `strip_whitespace_keys` default is `[:email]` (by @ulissesalmeida) * Now the `reconfirmable` default is `true` (by @ulissesalmeida) * Now the `skip_session_storage` default is `[:http_auth]` (by @ulissesalmeida) * Now the `sign_out_via` default is `:delete` (by @ulissesalmeida) * improvements * Avoids extra computation of friendly token for confirmation token (by @sbc100) ### 4.0.3 - 2016-05-15 * bug fixes * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev). ### 4.0.2 - 2016-05-02 * bug fixes * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none` and `:undefined` strategies. (by @f3ndot) ### 4.0.1 - 2016-04-25 * bug fixes * Fix the e-mail confirmation instructions send when a user updates the email address from nil. (by @lmduc) * Remove unnecessary `attribute_will_change!` call. (by @cadejscroggins) * Consistent `permit!` check. (by @ulissesalmeida) ### 4.0.0 - 2016-04-18 * bug fixes * Fix the `extend_remember_period` configuration. When set to `false` it does not update the cookie expiration anymore.(by @ulissesalmeida) * deprecations * Added a warning of default value change in Devise 4.1 for users that uses the the default configuration of the following configurations: (by @ulissesalmeida) * `strip_whitespace_keys` - The default will be `[:email]`. * `skip_session_storage` - The default will be `[:http_auth]`. * `sign_out_via` - The default will be `:delete`. * `reconfirmable` - The default will be `true`. * `email_regexp` - The default will be `/\A[^@\s]+@[^@\s]+\z/`. * Removed deprecated argument of `Devise::Models::Rememberable#remember_me!` (by @ulissesalmeida) * Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in! (by @bogdanvlviv) ### 4.0.0.rc2 - 2016-03-09 * enhancements * Introduced `DeviseController#set_flash_message!` for conditional flash messages setting to reduce complexity. * `rails g devise:install` will fail if the app does not have a ORM configured (by @arjunsharma) * Support to Rails 5 versioned migrations added. * deprecations * omniauth routes are no longer defined with a wildcard `:provider` parameter, and provider specific routes are defined instead, so route helpers like `user_omniauth_authorize_path(:github)` are deprecated in favor of `user_github_omniauth_authorize_path`. You can still use `omniauth_authorize_path(:user, :github)` if you need to call the helpers dynamically. ### 4.0.0.rc1 - 2016-02-01 * Support added to Rails 5 (by @twalpole). * Devise no longer supports Rails 3.2 and 4.0. * Devise no longer supports Ruby 1.9 and 2.0. * deprecations * The `devise_parameter_sanitize` API has changed: The `for` method was deprecated in favor of `permit`: ```ruby def configure_permitted_parameters devise_parameter_sanitizer.for(:sign_up) << :subscribe_newsletter # Should become the following. devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter]) end ``` The customization through instance methods on the sanitizer implementation should be done through it's `initialize` method: ```ruby class User::ParameterSanitizer < Devise::ParameterSanitizer def sign_up default_params.permit(:username, :email) end end # The `sign_up` method can be a `permit` call on the sanitizer `initialize`. class User::ParameterSanitizer < Devise::ParameterSanitizer def initialize(*) super permit(:sign_up, keys: [:username, :email]) end end ``` You can check more examples and explanations on the [README section](README.md#strong-parameters) and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb). Please check [3-stable](https://github.com/plataformatec/devise/blob/3-stable/CHANGELOG.md) for previous changes.