Releases: kobaltz/action_auth

v1.8.0

16 Mar 22:17

This release adds several security improvements to ActionAuth:

Password Security:

  • Add configurable password complexity validation requiring uppercase, lowercase, numbers, and special characters
  • Implement better password validation in registration and password reset flows
  • Make complexity validation configurable but enabled by default

Session Management:

  • Add session timeout functionality (default: 2 weeks)
  • Add IP address and user-agent tracking for session security
  • Implement suspicious activity detection for changed IP/user-agent
  • Add secure cookie settings (HttpOnly, Secure, SameSite=Lax)
  • Use HTTPS-only cookies in production environments

Rate Limiting:

  • Implement protection against brute force attacks on login
  • Add rate limiting on registration attempts
  • Add rate limiting on password reset requests
  • Add rate limiting on WebAuthn authentication

Environment Handling:

  • Properly handle security features across development, test, and production environments
  • Skip overly restrictive validations in test environment
  • Improve default configurations for better security

Documentation:

  • Add new Security Features section to README
  • Document all security enhancements with examples
  • Update configuration examples with security options
  • Add security features to feature list

These changes significantly improve the security posture of ActionAuth without breaking compatibility with existing applications.

v1.7.3

21 Jan 01:59

Added rate_limit to sessions#create, limiting login attempts to 5 requests within 20 seconds. This change requires Rails 7.2 or later.
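As an added illustration of the 5-in-20-seconds limit above (example code, not ActionAuth's or Rails' own implementation), here is a fixed-window counter keyed by client IP in plain Ruby. The Rails rate_limit helper keeps this counter in the cache store; this version uses an in-memory hash and an injectable clock so the behaviour can be exercised offline, and the sample addresses are constructed.

```ruby
# Added example, not code from the action_auth gem or from Rails: a fixed-window
# counter with the same shape as `rate_limit to: 5, within: 20.seconds`, keyed
# by client IP (the Rails helper keys by request.remote_ip by default).
class LoginRateLimiter
  Window = Struct.new(:count, :expires_at)

  # `clock` is injectable so tests can advance time without sleeping.
  def initialize(to: 5, within: 20, clock: -> { Time.now })
    @to, @within, @clock = to, within, clock
    @buckets = {}
  end

  # Returns true when the request may proceed and false when it should be
  # rejected (the Rails helper answers 429 Too Many Requests in that case).
  def allow?(ip)
    now = @clock.call
    bucket = @buckets[ip]
    if bucket.nil? || bucket.expires_at <= now
      # First request of a new window: the counter resets and the window
      # expires `within` seconds from now, as a cache entry with expires_in would.
      bucket = @buckets[ip] = Window.new(0, now + @within)
    end
    bucket.count += 1
    bucket.count <= @to
  end
end

# Constructed sample traffic: a burst of 7 logins from one address, one login
# from a second address, then a retry from the first address after the window.
def simulate
  t = Time.utc(2025, 1, 21, 1, 59, 0)
  limiter = LoginRateLimiter.new(clock: -> { t })   # lambda sees later rebinding of t
  burst = Array.new(7) { limiter.allow?("203.0.113.10") }  # 5 allowed, 6th and 7th rejected
  other = limiter.allow?("198.51.100.7")                   # separate key, unaffected
  t += 21                                                  # 20-second window has expired
  after = limiter.allow?("203.0.113.10")                   # counter restarts, allowed
  { burst: burst, other: other, after_window: after }
end
```

Because the counter is keyed by source address, a client behind a shared NAT or proxy shares its budget with everyone else behind it; the Rails helper's `by:` option is what you would change to key on something else.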

v1.7.2

17 Jan 11:32

On logout the SessionsController#destroy action sets a “Clear-Site-Data” header to clear the browser cache. This is in order to prevent possible data leakage after logout via the browser’s “back/forward cache”.

v1.7.1

05 Dec 12:56

Small update to add subdomain support.

config.insert_cookie_domain = true # false by default

Closes #9

v1.7.0

24 Oct 02:58

SMS Authentication Added

This feature is disabled by default and should not be used under normal circumstances. It is useful, however, when your application doesn't need users to enter an email/password and you simply want them to enter a phone number and verify it with an authentication code.

You will need to provide your own implementation of the SMS sending, but the README provides an example.

v1.6.0

29 Sep 00:23

Tested and added compatibility for Rails 8.0.0 beta1

v1.5.1

20 Aug 02:15

Added installation rake task

bin/rails action_auth:install

This task installs the routes, migrations and configuration.

v1.5.0

18 Aug 04:09

Updates and UI Changes

- Added WebAuthn key types
- Updated the Passkey Only login text to note that it doesn't work with hardware keys
- Fixed attr_accessors for passkey_only and pwned_enabled

Database Migration!

This release includes a migration. Be sure to run

bin/rails action_auth:install:migrations

v1.4.2

16 Aug 00:09

Second time's a charm.

v1.4.1

15 Aug 23:55

Forgot to bump the version.rb.