Robust, modular, and extendable user authentication system
MIT License
Published by danschultzer over 4 years ago
[Pow.Phoenix.Routes] Fixed bug where callback route methods are not using the overridden method #418
[PowPersistentSession.Plug.Cookie] PowPersistentSession.Plug.Cookie.delete/2 now correctly pulls token during :before_send callback #420
[Pow.Plug.Session] Pow.Plug.Session.delete/2 now correctly pulls session id during :before_send callback so PowEmailConfirmation will remove set session #420
Published by danschultzer over 4 years ago
[Pow.Ecto.Context] Calls to Pow.Ecto.Context.get_by/2 replaced with Pow.Operations.get_by/2 so custom users context module can be used. The following methods have been updated: #343
  Pow.Ecto.Context.authenticate/2
  PowEmailConfirmation.Ecto.Context.get_by_confirmation_token/2
  PowInvitation.Ecto.Context.get_by_invitation_token/2
  PowResetPassword.Ecto.Context.get_by_email/2
[Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 now adds the default Ecto.Changeset.validate_confirmation/3 error instead of the previous not same as password error #380
[Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 now uses the Ecto.Changeset.validate_confirmation/3 for validation and expects :password_confirmation instead of :confirm_password in params #379
[Pow.Ecto.Schema.Changeset] Pow.Ecto.Schema.Changeset.new_password_changeset/3 now only requires the :password_hash if there have been no previous errors set in the changeset #391
[Pow.Ecto.Schema] No longer adds :confirm_password virtual field #379
[Pow.Ecto.Schema] Now has an @after_compile callback that ensures all required fields have been defined #376
[PowInvitation.Phoenix.InvitationView] Now renders :password_confirmation field instead of :confirm_password #379
[PowResetPassword.Phoenix.ResetPasswordView] Now renders :password_confirmation field instead of :confirm_password #379
[Pow.Phoenix.RegistrationView] Now renders :password_confirmation field instead of :confirm_password #379
[PowEmailConfirmation.Ecto.Schema] No longer validates if :email has been taken before setting :unconfirmed_email #379
[PowEmailConfirmation.Phoenix.ControllerCallbacks] Now prevents user enumeration attack for PowInvitation.Phoenix.InvitationController.create/2 #384
[PowPersistentSession.Plug.Cookie] Changed default cookie name to persistent_session #385
[PowPersistentSession.Plug.Cookie] Removed renewal of cookie as the token will always expire #385
[PowPersistentSession.Plug.Cookie] No longer expires invalid cookies #390
[Pow.Operations] Added Pow.Operations.fetch_primary_key_values/2 #393
[PowPersistentSession.Plug.Base] Now registers :before_send callbacks #398
[PowPersistentSession.Plug.Cookie] Now updates cookie and backend store in :before_send callback #398
[Pow.Plug.Base] Now registers :before_send callbacks #398
[Pow.Plug.Session] Now updates plug session and backend store in :before_send callback #398
[Pow.Plug] Added Pow.Plug.create/3 #405
[Pow.Plug] Added Pow.Plug.delete/2 #405
[PowResetPassword.Phoenix.ResetPasswordController] Will no longer prevent information leak by checking if PowEmailConfirmation or registration routes are enabled; instead it'll by default prevent user enumeration, but can be disabled if pow_prevent_user_enumeration: false is set in conn.private #384
[PowPersistentSession.Plug.Base] With custom :persistent_session_store now falls back to :cache_store_backend configuration option #408
[PowResetPassword.Plug] With custom :reset_password_token_store now falls back to :cache_store_backend configuration option #408
[Pow.Plug.Base] With custom :credentials_cache_store now falls back to :cache_store_backend configuration option #408
[Pow.Ecto.Changeset] Pow.Ecto.Schema.Changeset.confirm_password_changeset/3 has deprecated use of :confirm_password in params in favor of :password_confirmation #379
[Pow.Plug.Session] :session_store option has been renamed to :credentials_cache_store #399
[Pow.Plug] Pow.Plug.clear_authenticated_user/1 deprecated in favor of Pow.Plug.delete/1 #405
Published by danschultzer almost 5 years ago
Note: This release contains an important security fix.
[PowPersistentSession.Plug.Cookie] Now supports :persistent_session_cookie_opts to customize any options that will be passed on to Plug.Conn.put_resp_cookie/4 #365
[PowResetPassword.Phoenix.ResetPasswordController] Now uses PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1 with a generic response that tells the user the email has been sent only if an account was found #349
[PowResetPassword.Phoenix.ResetPasswordController] When a user doesn't exist will now return success message if PowEmailConfirmation extension is enabled #349
[PowResetPassword.Phoenix.Messages] Added PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1 and let PowResetPassword.Phoenix.Messages.email_has_been_sent/1 fall back to it #349
[PowEmailConfirmation.Phoenix.ControllerCallbacks] When a user tries to sign up and the email has already been taken the default e-mail confirmation required message will be shown #350
[Pow.Plug.Session] Now renews the Plug session each time the Pow session is created or rolled 578ffd3d8bb8e8a26077b644222186b108da474f
[Pow.Ecto.Schema.Changeset] Fixed bug where Pow.Ecto.Schema.Changeset.user_id_field_changeset/3 update with nil value caused an exception to be raised #364
[PowPersistentSession.Plug.Cookie] Now expires the cookie 10 seconds after the last request when authenticating to prevent multiple simultaneous requests from deleting the cookie immediately #366
[Pow.Plug.Session] Added section on session expiration to the docs #367
[Pow.Store.Backend.Base] Updated usage example with Cachex 32b0d5a30a2ecd55f31902af3ac2918de4017498
Published by danschultzer almost 5 years ago
[Pow.Extension.Base] Extensions are now expected to have a base module with compile-time information whether certain modules are available to prevent unnecessary Code.ensure_compiled?/1 calls: #335
  Pow.Extension.Base module
  PowEmailConfirmation module
  PowInvitation module
  PowPersistentSession module
  PowResetPassword module
[PowPersistentSession.Plug.Cookie] Added support for custom metadata: #332
  PowPersistentSession.Plug.Cookie.create/3 now stores a metadata keyword list that can be populated
  PowPersistentSession.Plug.Cookie.create/3 will now, instead of adding :session_fingerprint to the metadata, populate the :session_metadata keyword list with :fingerprint
  PowPersistentSession.Plug.Cookie.authenticate/2 will now populate session metadata with what exists in :session_metadata key for the persistent session metadata
  PowPersistentSession.Plug.Cookie.create/3 now ensures to delete the previous persistent session first, if one is found in cookies
[Pow.Extension.Config] Added Pow.Extension.Config.extension_modules/2 #334
[Router.Phoenix.Router] Fixed bug where resource routes were not filtered correctly according to the path bindings #328
[Pow.Extension.Config] Deprecated Pow.Extension.Config.discover_modules/2 #334
Published by danschultzer almost 5 years ago
Pow.Phoenix.Router now only filters routes that have an equal number of bindings #292
Pow.Phoenix.Routes.user_not_authenticated_path/1 now only puts the :request_path param if the request is using "GET" method #303
{key, value} record element(s), and keys may be list for easier lookup. #304
Pow.Store.Backend.Base behaviour now requires to;
  Pow.Store.Backend.Base.record/0 values for put/2
  Pow.Store.Backend.Base.key/0 for delete/2 and get/2
  all/2
  keys/1
  put/3
Pow.Store.Backend.EtsCache now uses :ordered_set instead of :set for efficiency
Pow.Store.Backend.MnesiaCache now uses :ordered_set instead of :set for efficiency
Pow.Store.Backend.MnesiaCache will delete all binary key records when initialized
Pow.Store.Base behaviour now requires to;
  put/3 instead of put/4
  delete/2 instead of put/3
  get/2 instead of put/3
  keys/2
Pow.Store.Base.all/3 added
Pow.Store.Base.put/3 added
Pow.Store.Base will use binary key rather than key list if all/2 doesn't exist in the backend cache
Pow.Store.CredentialsCache.users/2
Pow.Store.CredentialsCache.sessions/2
Pow.Store.CredentialsCache now adds a session key rather than appending to a list for the user key to prevent race condition
Pow.Plug.Session.create/3 now stores a keyword list with metadata for the session rather than just a timestamp #286
Pow.Plug.Session.fetch/2 and Pow.Plug.Session.create/3 now assign :pow_session_metadata in conn.private with the session metadata #287
Pow.Plug.Session.create/3 will use the metadata found in conn.private[:pow_session_metadata] if it exists and otherwise add a randomly unique id for :fingerprint #287
PowPersistentSession.Plug.Cookie.create/3 will use the value of conn.private[:pow_session_metadata][:fingerprint] if it exists as :session_fingerprint in the persistent session metadata #287
PowPersistentSession.Plug.Cookie.authenticate/2 will assign :fingerprint to conn.private[:pow_session_metadata] if it exists in the persistent session metadata #287
Pow.Store.CredentialsCache.put/3 will invalidate any other sessions with the same :fingerprint if any is set in session metadata #287
PowResetPassword.Phoenix.ResetPasswordController.create/2 when a user doesn't exist will now only return success message if the registration routes have been disabled, otherwise the form with an error message will be returned #314
PowResetPassword.Phoenix.Messages.user_not_found/1 #314
Pow.Store.CredentialsCache wasn't used due to how Pow.Store.Base macro worked #286
PowEmailConfirmation.Phoenix.ControllerCallbacks couldn't deliver email #309
Pow.Store.Backend.EtsCache.keys/1 #304
Pow.Store.Backend.EtsCache.put/3 #304
Pow.Store.Backend.MnesiaCache.keys/1 #304
Pow.Store.Backend.MnesiaCache.put/3 #304
Pow.Store.Base.keys/2 #304
Pow.Store.Base.put/4 #304
Pow.Store.CredentialsCache.user_session_keys/3 #304
Pow.Store.CredentialsCache.sessions/3 #304
Published by danschultzer about 5 years ago
PowEmailConfirmation.Ecto.Schema.changeset/3 so; (#259)
  :email is identical to :unconfirmed_email it won't generate new :email_confirmation_token
  :email is identical to the persisted :email value both :email_confirmation_token and :unconfirmed_email will be set to nil
  :email value in the params nothing happens
PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/1 so now :email_confirmation_token is set to nil (#259)
Pow.Ecto.Schema.Changeset.user_id_field_changeset/3 so the e-mail validator now accepts unicode e-mails (#257)
PowEmailConfirmation.Ecto.Context.current_email_unconfirmed?/2 and PowEmailConfirmation.Plug.pending_email_change?/1 (#256)
:email_validator configuration option to Pow.Ecto.Schema.Changeset (#257)
Pow.Ecto.Schema.Changeset.validate_email/1 (#257)
PowEmailConfirmation.Phoenix.ControllerCallbacks.send_confirmation_email/2 where the confirmation e-mail wasn't sent to the updated e-mail address (#256)
Published by danschultzer about 5 years ago
:reset_password_token_store configuration setting #245
Pow.Ecto.Context.authenticate/2 now verifies password on a blank user struct when no user can be found for the provided user id, but will always return nil. The blank user struct has a nil :password_hash value. The struct will be passed along with a blank password to the verify_password/2 method in the user schema module. #239
Pow.Ecto.Schema.Changeset.verify_password/3 receives a struct with a nil :password_hash value, it'll hash a blank password, but always return false. #239
PowResetPassword.Plug.create_reset_token/2 whether the user exists or not. #239
PowPersistentSession.Plug.Base now accepts :persistent_session_ttl which will pass the TTL to the cache backend and be used for the max age of the session cookie in PowPersistentSession.Plug.Cookie #236
:persistent_session_cookie_max_age configuration setting #236
Pow.Store.Backend.MnesiaCache can now auto join clusters #233
Pow.Store.Backend.MnesiaCache.Unsplit module added for self-healing after network split #233
:nodes config option for Pow.Store.Backend.MnesiaCache #233
Published by danschultzer over 5 years ago
Published by danschultzer over 5 years ago
Pow.Phoenix.SessionController.new/2, Pow.Phoenix.RegistrationController.new/2 and PowInvitation.Phoenix.InvitationController.edit/2 by setting "Cache-Control" header unless it already has been customized #213
mix docs and on hexdocs.pm now works #211
README, CONTRIBUTING and CHANGELOG #211
Pow.Plug.Session.delete/2 in Pow.Plug.Session.create/3 (a91de812a437e8cfb4e886ef88ffc70f6eea3637)
Published by danschultzer over 5 years ago
Pow.Phoenix.Router will now only add specific routes if there is no matching route already defined #199
Pow.Plug.get_plug/1 and instead of :mod, :plug is used in config #207
Pow.Ecto.Context.authenticate/2 now returns nil if user id or password is nil #201
Pow.Ecto.Schema.normalize_user_id_field_value/1 when calling Pow.Ecto.Context.get_by/2 with a non binary user id #201
Pow.Ecto.Schema.normalize_user_id_field_value/1 when calling Pow.Ecto.Context.authenticate/2 with a non binary user id #201
Pow.Plug.get_mod/1 #207
Pow.Ecto.Context.repo/1 b66912f02f14a24f8f715d6a59bf57bc84a709d5
Published by danschultzer over 5 years ago
Pow.Phoenix.Mailer.Mail by setting conn.private[:pow_mailer_layout] same way as the Phoenix layout with conn.private[:phoenix_layout] #191
:prefix repo opts support to use in multitenant apps #147
@changeset.data.__struct__.pow_user_id_field() in template in favor of using Pow.Ecto.Schema.user_id_field/1 #192
Pow.Ecto.Schema.Changeset.current_password_changeset/3 where an exception would be thrown if the virtual :current_password field of the user struct was set and either the :current_password change was blank or identical #177
Mix.Pow.Ecto.Migration.create_migration_files/3 and moved it to Mix.Pow.Ecto.Migration.create_migration_file/3 #184
Pow.Ecto.Context.repo/1 and moved it to Pow.Config.repo!/1 #184
Pow.Ecto.Context.user_schema_mod/1 and moved it to Pow.Config.user!/1 #184
Published by danschultzer over 5 years ago
Published by danschultzer over 5 years ago
Pow.Phoenix.ViewHelpers.layout/1 #160
Published by danschultzer over 5 years ago
extension_messages/1 to extension controllers and callbacks #142
mix pow.extension.phoenix.gen.templates and mix pow.extension.phoenix.mailer.gen.templates tasks #145
Pow.Phoenix.PlugErrorHandler if the error message is nil #156
references/2 wasn't called with options #150
:plug version below 2.0.0 #155
Pow.Extension.Ecto.Context.Base #146
Published by danschultzer over 5 years ago
PowInvitation to the mix pow.extension.phoenix.gen.templates and mix pow.extension.phoenix.mailer.gen.templates tasks #132
:namespace environment config can be used as web app module name #137
:ecto or :phoenix are included in the dependency list for the app to run respective mix tasks #136
Mix.Pow.context_app/0 #134
Mix.Pow.ensure_dep!/3 #136
Mix.Pow.context_base/1 #137
Published by danschultzer over 5 years ago
PowInvitation extension #113
Pow.Ecto.Schema for Ecto associations fields #126
Pow.Extension.Ecto.Schema through __using__/1 macro in extension ecto schema module #113
pow.install, pow.ecto.install, pow.ecto.gen.migration, and pow.ecto.gen.schema mix tasks #128
PowEmailConfirmation now redirects unconfirmed users to after_registration_path/1 or after_sign_in_path/1 rather than pow_session_path(conn, :new) #119
mix pow.install task with custom schema #123
Pow.Extension.Phoenix.Router.Base and Pow.Extension.Phoenix.Messages where the full extension name wasn't used to namespace methods #120
Pow.Extension.Config.underscore_extension/1 #120
PowResetPassword.Ecto.Context.password_changeset/2 #127
Pow.Ecto.Schema.filter_new_fields/2 #129
:messages_backend_fallback setting for extension controllers #115
router_helpers/1 in Pow.Phoenix.Controller #120
Published by danschultzer over 5 years ago
new_password_changeset/3 and confirm_password_changeset/3 to Pow.Ecto.Schema.Changeset #91
mix pow.phoenix.gen.templates task #92
Pow.Config.get/3 when no key is set in the provided config #108
Pow.Store.Backend.MnesiaCache.keys/1 and Pow.Store.Backend.EtsCache.keys/1 so they now return keys without namespace #112
Pow.Store.Backend.MnesiaCache.put/3 now raises an error if TTL is not provided #112
PowResetPassword.Plug.reset_password_token/1 has been removed #112
Published by danschultzer over 5 years ago
pow.extension.ecto.gen.migrations mix task will output warning when a migration file won't be generated for any particular extension #59
pow_routes/0 or pow_extension_routes/0 are used inside router scopes with aliases #23
[user: user, conn: conn] along with the template specific assigns #70
[conn: conn] #70
pow_registration_routes/0, pow_session_routes/0 and pow_scope/1 macros to the router module #71
Published by danschultzer almost 6 years ago