Sha256: f80134db6b8864bcd7e91f8373b9434704c4dc87de3a02c30a3402b222a1d6b5

Size: 1.47 KB

Versions: 2

Stored size: 1.47 KB

Contents

# CHANGELOG

## Unreleased

## 3.0.0
See `UPGRADING.md` for specific help with breaking changes from 2.x to 3.0.0.

- Adds support for Devise 4.
- Relax dependencies to allow attr_encrypted 3.x.
- Blocks the use of attr_encrypted 2.x. There was a significant vulnerability in the encryption implementation in attr_encrypted 2.x, and that version of the gem should not be used.

## 2.2.0
- Use 192 bits, not 1024, as the secret key length. RFC 4226 specifies a minimum length of 128 bits and recommends 160 bits. Google Authenticator doesn't accept 160-bit keys.

## 2.1.0
- Return false if the OTP value is nil, instead of raising an ROTP exception.

## 2.0.1
No user-facing changes.

## 2.0.0
See `UPGRADING.md` for specific help with breaking changes from 1.x to 2.0.0.

- Replace `valid_otp?` method with `validate_and_consume_otp!`.
- Disallow subsequent OTPs once validated via timesteps.

## 1.1.0
- Removes runtime activemodel dependency.
- Uses `Devise::Encryptor` instead of `Devise.bcrypt`, which is deprecated.
- Bump `rotp` dependency to 2.x.

## 1.0.2
- Makes Railties the only requirement for Rails generators.
- Explicitly check that the `otp_attempt` param is not nil in order to avoid 'ROTP only verifies strings' exceptions.
- Adds a warning about the recoverable Devise strategy and automatic `sign_in` after a password reset.
- Loosen dependency version requirements for rotp, devise, and attr_encrypted.

## 1.0.1
- Add version requirements for dependencies.

## 1.0.0
- Initial release.

Version data entries

2 entries across 2 versions & 1 rubygems

Version Path
devise-two-factor-3.0.1 CHANGELOG.md
devise-two-factor-3.0.0 CHANGELOG.md