v1.0.18

Bug fixes

• [Pow.Phoenix.Routes] Fixed bug where callback route methods is not using the overridden method #418
• [PowPersistentSession.Plug.Cookie] PowPersistentSession.Plug.Cookie.delete/2 now correctly pulls token during :before_send callback #420
• [Pow.Plug.Session] Pow.Plug.Session.delete/2 now correctly pulls session id during :before_send callback so PowEmailConfirmation will remove set session #420

v1.0.17

Enhancements

• [Pow.Ecto.Context] Calls to Pow.Ecto.Context.get_by/2 replaced with Pow.Operations.get_by/2 so custom users context module can be used. The following methods has been updated: #343
  • Pow.Ecto.Context.authenticate/2
  • PowEmailConfirmation.Ecto.Context.get_by_confirmation_token/2
  • PowInvitation.Ecto.Context.get_by_invitation_token/2
  • PowResetPassword.Ecto.Context.get_by_email/2
• [Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 now adds the default Ecto.Changeset.validate_confirmation/3 error instead of the previous not same as password error #380
• [Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 now uses the Ecto.Changeset.validate_confirmation/3 for validation and expects :password_confirmation instead of :confirm_password in params #379
• [Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.new_password_changeset/3 now only requires the :password_hash if there have been no previous errors set in the changeset #391
• [Pow.Ecto.Schema] No longer adds :confirm_password virtual field #379
• [Pow.Ecto.Schema] Now has an @after_compile callback that ensures all required fields has been defined #376
• [PowInvitation.Phoenix.InvitationView] Now renders :password_confirmation field instead of :confirm_password #379
• [PowResetPassword.Phoenix.ResetPasswordView] Now renders :password_confirmation field instead of :confirm_password #379
• [Pow.Phoenix.RegistrationView] Now renders :password_confirmation field instead of :confirm_password #379
• [PowEmailConfirmation.Ecto.Schema] No longer validates if :email has been taken before setting :unconfirmed_email #379
• [PowEmailConfirmation.Phoenix.ControllerCallbacks] Now prevents user enumeration attack for PowInvitation.Phoenix.InvitationController.create/2 #384
• [PowPersistentSession.Plug.Cookie] Changed default cookie name to persistent_session #385
• [PowPersistentSession.Plug.Cookie] Removed renewal of cookie as the token will always expire #385
• [PowPersistentSession.Plug.Cookie] No longer expires invalid cookies #390
• [Pow.Operations] Added Pow.Operations.fetch_primary_key_values/2 #393
• [PowPersistentSession.Plug.Base] Now registers :before_send callbacks #398
• [PowPersistentSession.Plug.Cookie] Now updates cookie and backend store in :before_send callback #398
• [Pow.Plug.Base] Now registers :before_send callbacks #398
• [Pow.Plug.Session] Now updates plug session and backend store in :before_send callback #398
• [Pow.Plug] Added Pow.Plug.create/3 #405
• [Pow.Plug] Added Pow.Plug.delete/2 #405

Removed

• [PowResetPassword.Phoenix.ResetPasswordController] Will no longer prevent information leak by checking if PowEmailConfirmation or registration routes are enabled; instead it'll by default prevent user enumeration, but can be disabled if pow_prevent_user_enumeration: false is set in conn.private #384

Bug fixes

• [PowPersistentSession.Plug.Base] With custom :persistent_session_store now falls back to :cache_store_backend configuration option #408
• [PowResetPassword.Plug] With custom :reset_password_token_store now falls back to :cache_store_backend configuration option #408
• [Pow.Plug.Base] With custom :credentials_cache_store now falls back to :cache_store_backend configuration option #408

Deprecations

• [Pow.Ecto.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 has deprecated use of :confirm_password in params in favor of :password_confirmation #379
• [Pow.Plug.Session] :session_store option has been renamed to :credentials_cache_store #399
• [Pow.Plug] Pow.Plug.clear_authenticated_user/1 deprecated in favor of Pow.Plug.delete/1 #405

v1.0.16

Note: This release contains an important security fix.

Enhancements

• [PowPersistentSession.Plug.Cookie] Now supports :persistent_session_cookie_opts to customize any options that will be passed on to Plug.Conn.put_resp_cookie/4 #365
• [PowResetPassword.Phoenix.ResetPasswordController] Now uses PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1 with a generic response that tells the user the email has been sent only if an account was found #349
• [PowResetPassword.Phoenix.ResetPasswordController] When a user doesn't exist will now return success message if PowEmailConfirmation extension is enabled #349
• [PowResetPassword.Phoenix.Messages] Added PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1 and let PowResetPassword.Phoenix.Messages.email_has_been_sent/1 fall back to it #349
• [PowEmailConfirmation.Phoenix.ControllerCallbacks] When a user tries to sign up and the email has already been taken the default e-mail confirmation required message will be shown #350
• [Pow.Plug.Session] Now renews the Plug session each time the Pow session is created or rolled 578ffd3

Bug fixes

• [Pow.Ecto.Schema.Changeset] Fixed bug where Pow.Ecto.Schema.Changeset.user_id_field_changeset/3 update with nil value caused an exception to be raised #364
• [PowPersistentSession.Plug.Cookie] Now expires the cookie 10 seconds after the last request when authenticating to prevent multiple simultaneous requests deletes the cookie immediately #366

Documentation

• Added mailer rate limitation section to production checklist guide #368
• [Pow.Plug.Session] Added section on session expiration to the docs #367
• Updated instructions in umbrella project guide to Elixir 1.9 d38efab
• [Pow.Store.Backend.Base] Updated usage example with Cachex 32b0d5a
• Added security practices page #372

v1.0.15

Enhancements

• [Pow.Extension.Base] Extensions are now expected to have a base module with compile-time information whether certain modules are available to prevent unnecessary Code.ensure_compiled?/1 calls: #335
  • Added Pow.Extension.Base module
  • Added PowEmailConfirmation module
  • Added PowInvitation module
  • Added PowPersistentSession module
  • Added PowResetPassword module
• [PowPersistentSession.Plug.Cookie] Added support for custom metadata: #332
  • PowPersistentSession.Plug.Cookie.create/3 now stores a metadata keyword list that can be populated
  • PowPersistentSession.Plug.Cookie.create/3 will now, instead of adding :session_fingerprint to the metadata, populate the :session_metadata keyword list with :fingerprint
  • PowPersistentSession.Plug.Cookie.authenticate/2 will now populate session metadata with what exists in :session_metadata key for the persistent session metadata
  • PowPersistentSession.Plug.Cookie.create/3 now ensures to delete the previous persistent session first, if one is found in cookies
• [Pow.Extension.Config] Added Pow.Extension.Config.extension_modules/2 #334

Bug fixes

• [Router.Phoenix.Router] Fixed bug where resource routes were not filtered correctly according to the path bindings #328

Deprecations

• [Pow.Extension.Config] Deprecated Pow.Extension.Config.discover_modules/2 #334

v1.0.14

Changes

• Changed minmum password length to 8 (OWASP/NIST recommendations) #274
• Pow.Phoenix.Router now only filters routes that has equal number of bindings #292
• Pow.Phoenix.Routes.user_not_authenticated_path/1 now only puts the :request_path param if the request is using "GET" method #303
• The stores has been refactored so the command conforms with ETS store. This means that put commands now accept {key, value} record element(s), and keys may be list for easier lookup. #304
  • Pow.Store.Backend.Base behaviour now requires to;
    • Accept Pow.Store.Backend.Base.record/0 values for put/2
    • Accept Pow.Store.Backend.Base.key/0 for delete/2 and get/2
    • Implement all/2
    • Remove keys/1
    • Remove put/3
  • Pow.Store.Backend.EtsCache now uses :ordered_set instead of :set for efficiency
  • Pow.Store.Backend.MnesiaCache now uses :ordered_set instead of :set for efficiency
  • Pow.Store.Backend.MnesiaCache will delete all binary key records when initialized
  • Pow.Store.Base behaviour now requires to;
    • Accept erlang term value for keys in all methods
    • Implement put/3 instead of put/4
    • Implement delete/2 instead of put/3
    • Implement get/2 instead of put/3
    • Remove keys/2
  • Pow.Store.Base.all/3 added
  • Pow.Store.Base.put/3 added
  • Pow.Store.Base will use binary key rather than key list if all/2 doesn't exist in the backend cache
  • Added Pow.Store.CredentialsCache.users/2
  • Added Pow.Store.CredentialsCache.sessions/2
  • Pow.Store.CredentialsCache now adds a session key rather than appending to a list for the user key to prevent race condition
• Pow.Plug.Session.create/3 now stores a keyword list with metadata for the session rather than just a timestamp #286
• Pow.Plug.Session.fetch/2 and Pow.Plug.Session.create/3 now assigns :pow_session_metadata in conn.private with the session metadata #287
• Pow.Plug.Session.create/3 will use the metadata found in conn.private[:pow_session_metadata] if it exists and otherwise add a randomly unique id for :fingerprint #287
• PowPersistentSession.Plug.Cookie.create/3 will use the value of conn.private[:pow_session_metadata][:fingerprint] if it exists as :session_fingerprint in the persistent session metadata #287
• PowPersistentSession.Plug.Cookie.authenticate/2 will assign :fingerprint to conn.private[:pow_session_metadata] if it exists in the persistent session metadata #287
• Pow.Store.CredentialsCache.put/3 will invalidate any other sessions with the same :fingerprint if any is set in session metadata #287
• PowResetPassword.Phoenix.ResetPasswordController.create/2 when a user doesn't exist will now only return success message if the registration routes has been disabled, otherwise the form with an error message will be returned #314
• Added PowResetPassword.Phoenix.Messages.user_not_found/1 #314

Bug fixes

• Fixed bug where Pow.Store.CredentialsCache wasn't used due to how Pow.Store.Base macro worked #286
• Fixed bug where PowEmailConfirmation.Phoenix.ControllerCallbacks couldn't deliver email #309

Deprecations

• Deprecated Pow.Store.Backend.EtsCache.keys/1 #304
• Deprecated Pow.Store.Backend.EtsCache.put/3 #304
• Deprecated Pow.Store.Backend.MnesiaCache.keys/1 #304
• Deprecated Pow.Store.Backend.MnesiaCache.put/3 #304
• Deprecated Pow.Store.Base.keys/2 #304
• Deprecated Pow.Store.Base.put/4 #304
• Deprecated Pow.Store.CredentialsCache.user_session_keys/3 #304
• Deprecated Pow.Store.CredentialsCache.sessions/3 #304

v1.0.13

Changes

• Updated PowEmailConfirmation.Ecto.Schema.changeset/3 so; (#259)
  • when :email is identical to :unconfirmed_email it won't generate new :email_confirmation_token
  • when :email is identical to the persisted :email value both :email_confirmation_token and :unconfirmed_email will be set to nil
  • when there is no :email value in the params nothing happens
• Updated PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/1 so now :email_confirmation_token is set to nil (#259)
• Updated Pow.Ecto.Schema.Changeset.user_id_field_changeset/3 so the e-mail validator now accepts unicode e-mails (#257)
• Added PowEmailConfirmation.Ecto.Context.current_email_unconfirmed?/2 and PowEmailConfirmation.Plug.pending_email_change?/1 (#256)
• Added :email_validator configuration option to Pow.Ecto.Schema.Changeset (#257)
• Added Pow.Ecto.Schema.Changeset.validate_email/1 (#257)
• Fixed bug in PowEmailConfirmation.Phoenix.ControllerCallbacks.send_confirmation_email/2 where the confirmation e-mail wasn't send to the updated e-mail address (#256)

v1.0.12

Changes

• Added API integration guide #247
• Added :reset_password_token_store configuration setting #245
• To prevent timing attacks, Pow.Ecto.Context.authenticate/2 now verifies password on a blank user struct when no user can be found for the provided user id, but will always return nil. The blank user struct has a nil :password_hash value. The struct will be passed along with a blank password to the verify_password/2 method in the user schema module. #239
• To prevent timing attacks, when Pow.Ecto.Schema.Changeset.verify_password/3 receives a struct with a nil :password_hash value, it'll hash a blank password, but always return false. #239
• To prevent timing attacks, the UUID is always generated in PowResetPassword.Plug.create_reset_token/2 whether the user exists or not. #239
• PowPersistentSession.Plug.Base now accepts :persistent_session_ttl which will pass the TTL to the cache backend and used for the max age of the sesion cookie in PowPersistentSession.Plug.Cookie #236
• Deprecated :persistent_session_cookie_max_age configuration setting #236
• Pow.Store.Backend.MnesiaCache can now auto join clusters #233
• Pow.Store.Backend.MnesiaCache.Unsplit module added for self-healing after network split #233
• Removed :nodes config option for Pow.Store.Backend.MnesiaCache #233

v1.0.11

Changes

• Fixed bug in router filters with Phoenix 1.4.7 #224

v1.0.10

Changes

• Prevent browser cache of Pow.Phoenix.SessionController.new/2, Pow.Phoenix.RegistrationController.new/2 and PowInvitation.Phoenix.InvitationController.edit/2 by setting "Cache-Control" header unless it already has been customized #213
• All links in docs generated with mix docs and on hexdocs.pm now works #211
• Generated docs now uses lower case file name except for README, CONTRIBUTING and CHANGELOG #211
• Removed duplicate call for Pow.Plug.Session.delete/2 in Pow.Plug.Sesssion.create/3 (a91de81)

v1.0.9

Changes

• Pow.Phoenix.Router will now only add specific routes if there is no matching route already defined #199
• Added Pow.Plug.get_plug/1 and instead of :mod, :plug is used in config #207
• Pow.Ecto.Context.authenticate/2 now returns nil if user id or password is nil #201

Bug fixes

• Fixed bug with exception raised in Pow.Ecto.Schema.normalize_user_id_field_value/1 when calling Pow.Ecto.Context.get_by/2 with a non binary user id #201
• Fixed bug with exception raised in Pow.Ecto.Schema.normalize_user_id_field_value/1 when calling Pow.Ecto.Context.authenticate/2 with a non binary user id #201

Deprecations

• Deprecated Pow.Plug.get_mod/1 #207
• Removed call to Pow.Ecto.Context.repo/1 b66912f