- Remove faker dev dependency
- Insert two_factor_authenticatable at the top of the devise module list
- README and CI improvements
Breaking Changes
- attr_encrypted has been deprecated in favor of native Rails attribute encryption. See UPGRADING.md for details on how to migrate your records. You must use or build a migration strategy (see examples in UPGRADING.md) to use existing data!
- Rails 7 is now required.
- Add support for attr_encrypted v4
- Add Rails 7.0 support
- Renew signing certificate
- Use
after
option of TOTP#verify for additional timestamp verification
- Convert CI from Travis CI to Github Actions (#198)
- Fix ActiveSupport::Testing::TimeHelpers require in shared examples (#191)
- Accept whitespace in provided codes (#195)
- Add Truffleruby head to CI (#200)
- [breaking] Drop support for Ruby <= 2.2
- Update ROTP
- Add Rails 6.1 support
- Remove timecop dependency
- Clarify changes in project ownership
- Bugfixes & cleanup
- Add Rails 6.0 support
- New gem signing certificate
- Fix paranoid-mode being ignored
- Add Rails 5.2 support
- Add Rails 5.1 support
- Qualify call to rspec shared_examples
See UPGRADING.md
for specific help with breaking changes from 2.x to 3.0.0.
- Adds support for Devise 4.
- Relax dependencies to allow attr_encrypted 3.x.
- Blocks the use of attr_encrypted 2.x. There was a significant vulnerability in the encryption implementation in attr_encrypted 2.x, and that version of the gem should not be used.
- Use 192 bits, not 1024, as a secret key length. RFC 4226 recommends a minimum length of 128 bits and a recommended length of 160 bits. Google Authenticator doesn't accept 160 bit keys.
- Return false if OTP value is nil, instead of an ROTP exception.
No user-facing changes.
See UPGRADING.md
for specific help with breaking changes from 1.x to 2.0.0.
- Replace
valid_otp?
method withvalidate_and_consume_otp!
. - Disallow subsequent OTPs once validated via timesteps.
- Removes runtimez activemodel dependency.
- Uses
Devise::Encryptor
instead ofDevise.bcrypt
, which is deprecated. - Bump
rotp
dependency to 2.x.
- Makes Railties the only requirement for Rails generators.
- Explicitly check that the
otp_attempt
param is not nil in order to avoid 'ROTP only verifies strings' exceptions. - Adding warning about recoverable devise strategy and automatic
sign_in
after a password reset. - Loosen dependency version requirements for rotp, devise, and attr_encrypted.
- Add version requirements for dependencies.
- Initial release.