Releases: thoughtbot/clearance

v2.7.1

08 May 19:16

2.7.1 - May 8, 2024

Fixed

  • Updated sqlite3 and erb_lint gems (#1017)

Thank you to our community contributor who provided this fix while attending RailsConf 2024 - Jos O'shea (@whatnotery) 🎉

v2.7.0

19 Apr 13:51

2.7.0 - April 19, 2024

Added

  • Call dynamic README workflow (#1004)
  • Add configuration options for failure method redirects (#1002) Dan Sharp

Fixed

  • Update specs to match on translations (#1015)

Removed

  • Drop Ruby 2.76 and Rails 6.0 (#1005)

Thank you to our community contributor Dan Sharp (@drsharp)!

v2.6.2

15 Jan 15:35

2.6.2 - January 15, 2024

Added

  • Add CODEOWNERS file (#994)
  • Add support for Rails 7.1 (#995) Samuel Giddens
  • Add Ruby 3.2.2 to testing matrix (#991)

Fixed

  • Fix typo in Clearance::Token docs (#1000) Gabe Berke-Williams
  • Fix for setup & CI for Rails 7.1 support, update "MiniTest" to "Minitest", add handling for different versions of Rack::Utils.set_cookie_header!, remove deprecated active record handling in application.rb (#998)
  • Fix broken thoughtbot logo on README.md

Changed

  • Replace mentions of NEWS.md with CHANGELOG.md (#982)
  • Update argon2 to v2.2.0 (#989) Georg Leciejewski
  • Prefer literal hash creation notation (#984) Ivan Marynych

Thank you to our community contributors Samuel (@segiddins), Georg (@schorsch), Ivan (@loqimean), Gabe (@gabebw)!

v2.6.1

23 Sep 15:00
104e05d

2.6.1 - September 23, 2022

  • Document how to report security issues
  • Only update the env["QUERY_STRING"] if the as parameter is present in
    backdoor middleware

v2.5.0

10 Sep 15:01

2.5.0 - September 10, 2021

Fixed

  • Fix open redirect vulnerability

Changed

  • Rename default branch to main

v2.4.0

09 Apr 21:11

2.4.0 - March 5, 2021

Added

  • Optionally use signed cookies to prevent remember token timing attacks. Big thank you to @gingerlime!

v2.3.1

05 Mar 20:44

Fixed

  • Support for accessing Rails 6.x primary_key_type in generator.
  • Fix password reset URLs when using a custom model
  • Fix flaky test that relied on too specific time delta
  • Revert case sensitivity for email uniqueness
  • Bump nokogiri and actionview dependencies to address security vulnerabilities

v2.3.0

14 Aug 18:06

2.3.0 - August 14, 2020

Fixed

  • Delete cookie correctly when a callable object is set as the custom domain
    setting.
  • Strip as parameter when signing in through the back door.
  • Remove broken autoload for deprecated password strategies.

Changed

  • Deliver password reset email inline rather than in the background.
  • Remove unnecessary unsafe interpolation in erb templates.

v2.2.1

07 Aug 16:17
d082552

Fixed

  • Prevent user enumeration by timing attacks. Trying to log in with an
    unrecognized email address will now take the same amount of time as for a user
    that does exist in the system.

v2.2.0

09 Jul 15:57

Added

  • Add an Argon2 password strategy

Fixed

  • Use strings instead of classes on guard classes, avoids Rails deprecation
    warning.
  • Use find_by style for finders, improves neo4j support
  • Provide explicit case sensitivity option for email uniqueness, avoid Rails
    deprecation warning.