heartcombo/devise (devise)
### [`v4.9.4`](https://togithub.com/heartcombo/devise/releases/tag/v4.9.4)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.3...v4.9.4)
https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10
### [`v4.9.3`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#493---2023-10-11)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.2...v4.9.3)
- enhancements
- Add support for Rails 7.1.
- Add `Devise.deprecator` to integrate with new application deprecators in Rails 7.1. ([@soartec-lab](https://togithub.com/soartec-lab), [@etiennebarrie](https://togithub.com/etiennebarrie))
### [`v4.9.2`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#492---2023-04-03)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.1...v4.9.2)
- deprecations
- Bring back `Devise.activerecord51?` and deprecate it, in order to avoid breakage with some libraries that apparently relied on it.
### [`v4.9.1`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#491---2023-03-31)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.0...v4.9.1)
- enhancements
- Allow resource class scopes to override the global configuration for `sign_in_after_reset_password` behaviour. [#5429](https://togithub.com/heartcombo/devise/pull/5429) [@mattr](https://togithub.com/mattr)
- Refactor conditional dirty tracking logic to a centralized module to simplify usage throughout the codebase. [#5575](https://togithub.com/heartcombo/devise/pull/5575)
- Improve support for Devise in apps with Active Record and Mongoid ORMs loaded, so it does not incorrectly uses new Active Record dirty tracking APIs with a Mongoid Devise model. [#5576](https://togithub.com/heartcombo/devise/pull/5576)
- bug fixes
- Failure app will respond with configured `redirect_status` instead of `error_status` if the recall app returns a redirect status (300..399) [#5573](https://togithub.com/heartcombo/devise/pull/5573)
- Fix frozen string exception in validatable. [#5563](https://togithub.com/heartcombo/devise/pull/5563) [#5465](https://togithub.com/heartcombo/devise/pull/5465) [@mameier](https://togithub.com/mameier)
### [`v4.9.0`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#490---2023-02-17)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.8.1...v4.9.0)
- enhancements
- Add support for Ruby 3.1/3.2.
- Add support for Hotwire + Turbo, default in Rails 7+.
- Devise uses the latest `responders` version (v3.1.0 or higher), which allows configuring the status used for validation error responses (`error_status`) and for redirects after POST/PUT/PATCH/DELETE requests (`redirect_status`). For backwards compatibility, Devise keeps `error_status` as `:ok` which returns a `200 OK` response, and `redirect_status` to `:found` which returns a `302 Found` response, but you can configure it to return `422 Unprocessable Entity` and `303 See Other` respectively, to match the behavior expected by Hotwire/Turbo:
```ruby
```
### config/initializers/devise.rb
Devise.setup do |config|
### ...
config.responder.error_status = :unprocessable_entity
config.responder.redirect_status = :see_other
### ...
end
```
These configs are already generated by default with new apps, and existing apps may opt-in as described above. Trying to set these with an older version of `responders` will issue a warning and have no effect, so please upgrade the `responders` version if you're upgrading Devise for this integration. Note that these defaults may change in future versions of Devise, to better match the Rails + Hotwire/Turbo defaults across the board.
* If you have a custom responder set on your application and expect it to affect Devise as well, you may need to override the Devise responder entirely with `config.responder = MyApplicationResponder`, so that it uses your custom one. The main reason Devise uses a custom responder is to be able to configure the statuses as described above, but you can also change that config on your own responder if you want. Check the `responders` readme for more info on that.
* If you have created a custom responder and/or failure app just to customize responses for better Hotwire/Turbo integration, they should no longer be necessary.
* `:turbo_stream` is now treated as a navigational format, so it works like HTML navigation when using Turbo. Note: if you relied on `:turbo_stream` to be treated as a non-navigational format before, you can reconfigure your `navigational_formats` in the Devise initializer file to exclude it.
* OmniAuth "Sign in with" links were changed to buttons that generate HTML forms with method=POST, instead of using link + method=POST that required rails-ujs to work. Since rails-ujs is no longer the default for new Rails apps, this allows the OmniAuth buttons to work in any scenario, with or without rails-ujs and/or Turbo. This only affects apps that are using the default `devise/shared/_links.html.erb` partial from Devise with OmniAuth enabled.
* The "Cancel my account" button was changed to include the `data-turbo-confirm` option, so that it works with both rails-ujs and Turbo by default.
* Devise does not provide "sign out" links/buttons in its shared views, but if you're using `sign_out_via` with `:delete` (the default), and are using links with `method: :delete`, those need to be updated with `data: { turbo_method: :delete }` instead for Turbo.
* Check [this upgrade guide](https://togithub.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-[Hotwire-Turbo-integration]) for more detailed information.
### [`v4.8.1`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#481---2021-12-16)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.8.0...v4.8.1)
- enhancements
- Add support for Rails 7.0. Please note that Turbo integration is not fully supported by Devise yet.
### [`v4.8.0`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#480---2021-04-29)
[Compare Source](https://togithub.com/heartcombo/devise/compare/v4.7.3...v4.8.0)
- enhancements
- Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in [their release notes](https://togithub.com/omniauth/omniauth/releases/tag/v2.0.0). [Devise's OmniAuth Overview wiki](https://togithub.com/heartcombo/devise/wiki/OmniAuth:-Overview) was also updated to cover OmniAuth 2.0 requirements.
- Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to `method: :post`, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use `method: :post`, or changed to use buttons (e.g. `button_to`) to work with OmniAuth 2. (if you're using links with `method: :post`, make sure your app has `rails-ujs` or `jquery-ujs` included in order for these links to work properly.)
- As part of the OmniAuth 2.0 upgrade you might also need to add the [`omniauth-rails_csrf_protection`](https://togithub.com/cookpad/omniauth-rails_csrf_protection) gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info.
- Introduce `Lockable#reset_failed_attempts!` model method to reset failed attempts counter to 0 after the user signs in.
- This logic existed inside the lockable warden hook and is triggered automatically after the user signs in. The new model method is an extraction to allow you to override it in the application to implement things like switching to a write database if you're using the new multi-DB infrastructure from Rails for example, similar to how it's already possible with `Trackable#update_tracked_fields!`.
- Add support for Ruby 3.
- Add support for Rails 6.1.
- Move CI to GitHub Actions.
- deprecations
- `Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION` is deprecated in favor of `Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION` ([@hanachin](https://togithub.com/hanachin))
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
'~> 4.7.1'->'~> 4.9.0'Release Notes
heartcombo/devise (devise)
### [`v4.9.4`](https://togithub.com/heartcombo/devise/releases/tag/v4.9.4) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.3...v4.9.4) https://github.com/heartcombo/devise/blob/v4.9.4/CHANGELOG.md#494---2024-04-10 ### [`v4.9.3`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#493---2023-10-11) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.2...v4.9.3) - enhancements - Add support for Rails 7.1. - Add `Devise.deprecator` to integrate with new application deprecators in Rails 7.1. ([@soartec-lab](https://togithub.com/soartec-lab), [@etiennebarrie](https://togithub.com/etiennebarrie)) ### [`v4.9.2`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#492---2023-04-03) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.1...v4.9.2) - deprecations - Bring back `Devise.activerecord51?` and deprecate it, in order to avoid breakage with some libraries that apparently relied on it. ### [`v4.9.1`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#491---2023-03-31) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.9.0...v4.9.1) - enhancements - Allow resource class scopes to override the global configuration for `sign_in_after_reset_password` behaviour. [#5429](https://togithub.com/heartcombo/devise/pull/5429) [@mattr](https://togithub.com/mattr) - Refactor conditional dirty tracking logic to a centralized module to simplify usage throughout the codebase. [#5575](https://togithub.com/heartcombo/devise/pull/5575) - Improve support for Devise in apps with Active Record and Mongoid ORMs loaded, so it does not incorrectly uses new Active Record dirty tracking APIs with a Mongoid Devise model. [#5576](https://togithub.com/heartcombo/devise/pull/5576) - bug fixes - Failure app will respond with configured `redirect_status` instead of `error_status` if the recall app returns a redirect status (300..399) [#5573](https://togithub.com/heartcombo/devise/pull/5573) - Fix frozen string exception in validatable. [#5563](https://togithub.com/heartcombo/devise/pull/5563) [#5465](https://togithub.com/heartcombo/devise/pull/5465) [@mameier](https://togithub.com/mameier) ### [`v4.9.0`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#490---2023-02-17) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.8.1...v4.9.0) - enhancements - Add support for Ruby 3.1/3.2. - Add support for Hotwire + Turbo, default in Rails 7+. - Devise uses the latest `responders` version (v3.1.0 or higher), which allows configuring the status used for validation error responses (`error_status`) and for redirects after POST/PUT/PATCH/DELETE requests (`redirect_status`). For backwards compatibility, Devise keeps `error_status` as `:ok` which returns a `200 OK` response, and `redirect_status` to `:found` which returns a `302 Found` response, but you can configure it to return `422 Unprocessable Entity` and `303 See Other` respectively, to match the behavior expected by Hotwire/Turbo: ```ruby ``` ### config/initializers/devise.rb Devise.setup do |config| ### ... config.responder.error_status = :unprocessable_entity config.responder.redirect_status = :see_other ### ... end ``` These configs are already generated by default with new apps, and existing apps may opt-in as described above. Trying to set these with an older version of `responders` will issue a warning and have no effect, so please upgrade the `responders` version if you're upgrading Devise for this integration. Note that these defaults may change in future versions of Devise, to better match the Rails + Hotwire/Turbo defaults across the board. * If you have a custom responder set on your application and expect it to affect Devise as well, you may need to override the Devise responder entirely with `config.responder = MyApplicationResponder`, so that it uses your custom one. The main reason Devise uses a custom responder is to be able to configure the statuses as described above, but you can also change that config on your own responder if you want. Check the `responders` readme for more info on that. * If you have created a custom responder and/or failure app just to customize responses for better Hotwire/Turbo integration, they should no longer be necessary. * `:turbo_stream` is now treated as a navigational format, so it works like HTML navigation when using Turbo. Note: if you relied on `:turbo_stream` to be treated as a non-navigational format before, you can reconfigure your `navigational_formats` in the Devise initializer file to exclude it. * OmniAuth "Sign in with" links were changed to buttons that generate HTML forms with method=POST, instead of using link + method=POST that required rails-ujs to work. Since rails-ujs is no longer the default for new Rails apps, this allows the OmniAuth buttons to work in any scenario, with or without rails-ujs and/or Turbo. This only affects apps that are using the default `devise/shared/_links.html.erb` partial from Devise with OmniAuth enabled. * The "Cancel my account" button was changed to include the `data-turbo-confirm` option, so that it works with both rails-ujs and Turbo by default. * Devise does not provide "sign out" links/buttons in its shared views, but if you're using `sign_out_via` with `:delete` (the default), and are using links with `method: :delete`, those need to be updated with `data: { turbo_method: :delete }` instead for Turbo. * Check [this upgrade guide](https://togithub.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-[Hotwire-Turbo-integration]) for more detailed information. ### [`v4.8.1`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#481---2021-12-16) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.8.0...v4.8.1) - enhancements - Add support for Rails 7.0. Please note that Turbo integration is not fully supported by Devise yet. ### [`v4.8.0`](https://togithub.com/heartcombo/devise/blob/HEAD/CHANGELOG.md#480---2021-04-29) [Compare Source](https://togithub.com/heartcombo/devise/compare/v4.7.3...v4.8.0) - enhancements - Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in [their release notes](https://togithub.com/omniauth/omniauth/releases/tag/v2.0.0). [Devise's OmniAuth Overview wiki](https://togithub.com/heartcombo/devise/wiki/OmniAuth:-Overview) was also updated to cover OmniAuth 2.0 requirements. - Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to `method: :post`, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use `method: :post`, or changed to use buttons (e.g. `button_to`) to work with OmniAuth 2. (if you're using links with `method: :post`, make sure your app has `rails-ujs` or `jquery-ujs` included in order for these links to work properly.) - As part of the OmniAuth 2.0 upgrade you might also need to add the [`omniauth-rails_csrf_protection`](https://togithub.com/cookpad/omniauth-rails_csrf_protection) gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info. - Introduce `Lockable#reset_failed_attempts!` model method to reset failed attempts counter to 0 after the user signs in. - This logic existed inside the lockable warden hook and is triggered automatically after the user signs in. The new model method is an extraction to allow you to override it in the application to implement things like switching to a write database if you're using the new multi-DB infrastructure from Rails for example, similar to how it's already possible with `Trackable#update_tracked_fields!`. - Add support for Ruby 3. - Add support for Rails 6.1. - Move CI to GitHub Actions. - deprecations - `Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION` is deprecated in favor of `Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION` ([@hanachin](https://togithub.com/hanachin))Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.