Pow v1.0.19 Release Notes

Release Date: 2020-03-13
  • Warning: This release will now sign and verify all tokens, causing previous tokens to no longer work. Any sessions and persistent sessions will be invalidated.

    ✨ Enhancements

    • [Pow.Plug.Session] Now sets a global lock when renewing the session #414
    • [PowPersistentSession.Plug.Cookie] Now sets a global lock when authenticating the user #414
    • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.sign_confirmation_token/2 to sign the email_confirmation_token to prevent timing attacks #417
    • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.load_user_by_token/2 to verify the signed email_confirmation_token to prevent timing attacks #446
    • [PowEmailConfirmation.Plug] Added PowEmailConfirmation.Plug.confirm_email/2 with map as second argument #446
    • [PowInvitation.Plug] Added PowInvitation.Plug.sign_invitation_token/2 to sign the invitation_token #417
    • [PowInvitation.Plug] Added PowInvitation.Plug.load_invited_user_by_token/2 to verify the signed invitation_token to prevent timing attacks #417
    • [PowResetPassword.Plug] Changed PowResetPassword.Plug.create_reset_token/2 to sign the :token #417
    • [PowResetPassword.Plug] Added PowResetPassword.Plug.load_user_by_token/2 to verify the signed token to prevent timing attacks #417
    • [PowResetPassword.Plug] Changed PowResetPassword.Plug.update_user_password/2 so it decodes the signed token #417
    • [PowPersistentSession.Plug.Cookie] Now uses signed tokens to prevent timing attacks #417
    • [Pow.Plug.Session] Now uses signed session IDs to prevent timing attacks #417
    • [Pow.Plug] Added Pow.Plug.sign_token/4 to sign tokens #417
    • [Pow.Plug] Added Pow.Plug.verify_token/4 to decode and verify signed tokens #417
    • [Pow.Plug.MessageVerifier] Added Pow.Plug.MessageVerifier module to sign and verify messages #417
    • [PowEmailConfirmation.Ecto.Context] Added PowEmailConfirmation.Ecto.Context.confirm_email/3 #446
    • [PowEmailConfirmation.Ecto.Schema] Added confirm_email_changeset/2 and pow_confirm_email_changeset/2 to the macro #446
    • [PowEmailConfirmation.Ecto.Schema] Added PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2 #446
    • [PowInvitation.Ecto.Schema] Added accept_invitation_changeset/2 and pow_accept_invitation_changeset/2 to the macro #446
    • [PowResetPassword.Ecto.Schema] Added reset_password_changeset/2 and pow_reset_password_changeset/2 to the macro #446
    • [Pow.Ecto.Schema] Now emits a warning instead of raising an error with missing fields/associations #455
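
Why signing a token addresses timing attacks, as an added example that is not Pow's own code: a store or database lookup on a raw token is not a constant-time comparison, so the token is HMAC-signed when issued and the signature is checked in constant time before any lookup happens. The module name, the salts and all sample values are hypothetical, and only Elixir's standard library and Erlang's :crypto are used.

```elixir
defmodule SignedTokenSketch do
  # Added illustration, not Pow's code. All names here are hypothetical.
  import Bitwise

  # Per-purpose key, so a token signed for one flow fails verification in another.
  # Assumption: one HMAC step stands in for a real key-derivation function.
  defp key(secret, salt), do: :crypto.mac(:hmac, :sha256, secret, salt)

  def sign(token, secret, salt) do
    mac = :crypto.mac(:hmac, :sha256, key(secret, salt), token)
    Base.url_encode64(token, padding: false) <> "." <> Base.url_encode64(mac, padding: false)
  end

  def verify(signed, secret, salt) do
    with [enc_token, enc_mac] <- String.split(signed, ".", parts: 2),
         {:ok, token} <- Base.url_decode64(enc_token, padding: false),
         {:ok, mac} <- Base.url_decode64(enc_mac, padding: false),
         expected = :crypto.mac(:hmac, :sha256, key(secret, salt), token),
         true <- secure_compare(mac, expected) do
      {:ok, token}
    else
      _ -> :error
    end
  end

  # Walks every byte with no early exit, so timing does not reveal how much matched.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end)
    |> Kernel.==(0)
  end
  defp secure_compare(_, _), do: false
end

# Constructed demo values: a secret, a token store, and one issued token.
secret = "constructed-secret-key-base"
store = %{"tok_abc123" => %{id: 1, email: "user@example.com"}}
signed = SignedTokenSketch.sign("tok_abc123", secret, "reset_password")

# The store is only consulted after the signature has been verified.
lookup = fn candidate, salt ->
  with {:ok, token} <- SignedTokenSketch.verify(candidate, secret, salt),
       do: Map.fetch(store, token)
end

forged = Base.url_encode64("tok_abc123", padding: false) <> ".AAAA"
IO.inspect(lookup.(signed, "reset_password"), label: "valid")
IO.inspect(lookup.(signed, "invitation"), label: "wrong salt")
IO.inspect(lookup.(forged, "reset_password"), label: "forged")
```

The same property explains the release warning: a token issued before signing was introduced carries no signature, so it fails verification and the session or link it belongs to stops working.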

    🗄 Deprecations

    • [PowEmailConfirmation.Plug] PowEmailConfirmation.Plug.confirm_email/2 with token param as second argument has been deprecated in favor of PowEmailConfirmation.Plug.load_user_by_token/2, and PowEmailConfirmation.Plug.confirm_email/2 with map as second argument #446
    • [PowInvitation.Plug] PowInvitation.Plug.invited_user_from_token/2 has been deprecated in favor of PowInvitation.Plug.load_invited_user_by_token/2 #417
    • [PowInvitation.Plug] PowInvitation.Plug.assign_invited_user/2 has been deprecated #417
    • [PowResetPassword.Plug] PowResetPassword.Plug.user_from_token/2 has been deprecated in favor of PowResetPassword.Plug.load_user_by_token/2 #417
    • [PowResetPassword.Plug] PowResetPassword.Plug.assign_reset_password_user/2 has been deprecated #417
    • [PowEmailConfirmation.Ecto.Context] PowEmailConfirmation.Ecto.Context.confirm_email/2 deprecated in favor of PowEmailConfirmation.Ecto.Context.confirm_email/3 #446
    • [PowEmailConfirmation.Ecto.Schema] PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/1 deprecated in favor of PowEmailConfirmation.Ecto.Schema.confirm_email_changeset/2 #446

    📚 Documentation