- Change compile time loading of configuration to only load permissions allowing the app to change things like ttl or secret key at runtime
- Fix warning about the usage of
Application.get_env
in the module scope - Change Elixir required version to follow https://github.com/ueberauth/.github/blob/master/SECURITY.md#supported-versions
- Check float values of
time
intime_within_drift?/2
.
- Ensure that badly-formatted tokens don't raise an exception when attempting to decode them.
Guardian.Plug.EnsureAuthenticated
will now accept atom keys in the map passed to theclaims
option.
Guardian.Plug.VerifyHeader
andGuardian.Plug.VerifySession
:refresh_from_cookie
option will try refreshing when access token not found, invalid or expired if cookie present #683
- Add
:scheme
option toGuardian.Plug.VerifyHeader
#680 - Add
:refresh_from_cookie
option toGuardian.Plug.VerifyHeader
andGuardian.Plug.VerifySession
to replaceGuardian.Plug.VerifyCookie
plug #675
:realm
option configuration ofGuardian.Plug.VerifyHeader
is deprecated please use:scheme
instead.Guardian.Plug.VerifyCookie
is deprecated in favor of:refresh_from_cookie
option inGuardian.Plug.VerifyHeader
andGuardian.Plug.VerifySession
- Documentation improvements
- Parse the kid from the signing secret to the signature #654
- Fixed issue with remember_me plug not using the correct ttl #649
- Fixed failing compilation if plug was not included as a dep #633
Thanks goes to all contributors
- Documentation improvements
- Add option
halt
to all plugs. This allows to optionally not halt the connection on error so downstream plugs are still called #617 - Added SlidingCookie plug that allows auto refreshing cookie tokens 616
- Documentation updates
- Error when permissions was an empty list, was causes by a wrong default value, 625
- Documentation updates
- Fix
cookie_options
configuration overrides #570
-
Improved
Guardian.Permissions
. NowGuardian.Permissions
accepts multiple encoders. The interface is defined inGuardian.Permissions.PermissionEncoding
. 585To fix the breaking changes, do something as follow.
- Find
use Guardian.Permissions.Bitwise
- Replace with
use Guardian.Permissions, encoding: Guardian.Permissions.BitwiseEncoding
Notice that we added a key called
encoding
, this key will allow you pass the encoding strategy that fit yours needs.Check the list of supported encoding.
Guardian.Permissions.BitwiseEncoding
Guardian.Permissions.AtomEncoding
Guardian.Permissions.TextEncoding
- Find
-
Moved
Guardian.Phoenix.Socket
to guardian_phoenix. You should be installguardian_phoenix
and it should work as today.
- JWT secret fetcher behaviour added
- Let Guardian plug call :revoke on sign_out #458
- Fix an issue where Guardian.Plug tries to clear the wrong keys from the conn #476
- Allow for multiple Guardian setups in a single applications
- Adds pipelines
- Significantly updates Guardian api to be more consistent
- Make Phoenix an optional dependency
- Make Plug an optional dependency
- Permissions as an optional add-in
- Deprecates Hooks in favour of callbacks on particular implementations
- Removes Phoenix macros in favour of plain functions
See the 0.14 to 1.0 Upgrade Guide for detailed updating instructions
Update the poison and phoenix deps to allow a broader version setting
- Fix a param issue in sockets
- Fix function specs
- Renew session on
sign_in
- Add a custom claim key from load resource
- _Really fix pattern matching error with GuardianDB
- Fixed pattern matching error with GuardianDB
- Update to Elixir 1.3
- Added test coverage: #234
- Token exchange: #150
- Adds ensure resource plug #238
- Name collision fix: #215
- Support for
{:system, var}
configuration options - Adds an
allowed_drift
option to allow for clock skew
- Replaced taking a function for configuring secret_key with accepting a tuple {mod, func, args}
- Change default token type from "token" to "access"
- Fix Dialyzer errors
- Target Elixir 1.3+
- Update Jose and Phoenix dependencies
- Fixes for ttl and exp
- Added integration tests
- Add
one_of
to permissions Plug to allow for OR'd sets of permissions as well as AND'd ones - Fix infinite recursion bug when joining channels
- Support for secret keys other than "oct" which provides support for signature algorithms other than HSxxx. See #122
- Fix incorrect param name in channel
- Tighten up log calls
- Fix moar typos
- General code cleanup
- Loosen poison requirement to >= 1.3.0
- Use existing resource on conn if already present
- Fix refresh to correctly use revoke
- Fix error in Guardian.Plug.ErrorHandler when Accept header is unset.
- Adding Guardian.Plug.EnsureNotAuthenticated to validates that user isn't logged
- Fix bug where TTL was not able to be set when generating tokens
- Add a Guardian.Phoenix.Socket module and refactor Guardian.Channel
- Update JOSE to Version 1.6.0. Version 1.6.0 of erlang-jose adds the ability of using libsodium and SHA-3 (keccack) algorithms. This improves speed a lot.
- Adds Travis
- Adds ability to use custom secrets
- Allows peeking at the contents of the token
- Stop compiling permissions. This leads to weird bugs when permissions are changed but not recompiled
- Remove internal calls to Dict
- Store the type of the token in the typ field rather than the aud field The aud field should default to the sub or failing that, the iss. This is to facilitate implementing an OAuth provider or just allowing folks to declare their own audience.
- Fix a bug with logout where it was not checking the session, only the assigns This meant that if you had not verified the session the token would not be revoked.
- Adds basic Phoenix controller helpers
- Remove Joken from the dependencies and use JOSE instead.
- Add a refresh! function
- Adds Guardian.Plug.authenticated?
- Adds simple claim checks to EnsureAuthenticated
- Fix an issue with permissions strings vs atoms (not encoding correctly)
Rename
Guardian.mint -> Guardian.encode_and_sign
Guardian.verify -> Guardian.decode_and_verify
Guardian.Plug.EnsureSession -> Guardian.Plug.EnsureAuthenticated
Guardian.Plug.VerifyAuthorization -> Guardian.Plug.VerifyHeader
Add new hooks on_verify and on_revoke Remove multiple hooks registration
Allow multiple hooks to be registered to Guardian
Use strings for keys in the token.
Remove CSRF tokens support. CSRF tokens are masked and so cannot be adequately implemented.
- Add callback hooks for authentication things
- Update to use new Joken
- Include permissions
Initial Release