Now supports `ecto_sql` 3.8.x and requires Elixir 1.11+.

Now supports Phoenix 1.6.x.

- [PowAssent.Ecto.UserIdentities.Context] The macro no longer throws a warning in Elixir 1.12
- [PowAssent.Plug] Fixed bug where the `:cache_store_backend` was not being loaded from the application environment correctly
- [PowAssent.Plug] Now stores a session cookie instead of using `Plug.Session`, to prevent the SameSite policy issue in the `form_post` flow (the provider's cross-site POST does not carry a `SameSite=Lax` session cookie)
- [PowAssent.Plug] `PowAssent.Plug.callback/4` now adds the `userinfo` with claims to the user identity params
- [PowAssent.Plug] Added `PowAssent.Plug.put_create_session_callback/2`
- [PowAssent.Plug] Added `PowAssent.Plug.fetch_config/1`
- [PowAssent.Plug] Now calls create session callbacks set with `PowAssent.Plug.put_create_session_callback/2` when a session is created
- [PowAssent.Plug.Reauthorization] Added plug to enable reauthorization
- [PowAssent.Phoenix.AuthorizationController] Now, instead of raising an exception for strategy errors, the user is redirected to the sign in page with a generic error message
- [PowAssent.Config] Added `PowAssent.Config.merge_provider_config/3`
- [PowAssent.Plug] Added `PowAssent.Plug.merge_provider_config/3`
Now supports Phoenix 1.5 and requires Pow `~> 1.0.19` and Elixir 1.7.

The callback flow has been changed so sessions are now stored in the backend cache with `PowAssent.Store.SessionCache` instead of using `Plug.Session`. This prevents exposure of sensitive data, as the only thing stored in the Plug session is a random UUID.

Updated Pow requirement to `~> 1.0.17`.
- [PowAssent.Plug] Added `PowAssent.Plug.change_user/4`
- [PowAssent.Operations] Added `PowAssent.Operations.user_identity_changeset/4`
- [PowAssent.Phoenix.AuthorizationController] Now prevents user enumeration attacks using `PowEmailConfirmation.Phoenix.ControllerCallbacks` when the `PowEmailConfirmation` extension is enabled
- [PowAssent.Phoenix.AuthorizationController] Now stores `:changeset` in the session when redirecting to the `:add_user_id` page
- [PowAssent.Phoenix.RegistrationController] Now prevents user enumeration attacks using `PowEmailConfirmation.Phoenix.ControllerCallbacks` when the `PowEmailConfirmation` extension is enabled
- [PowAssent.Phoenix.RegistrationController] Now uses the `:changeset` stored in the session when rendering the `:add_user_id` page
- [PowAssent.Plug] Moved business logic away from `PowAssent.Phoenix.AuthorizationController` into `PowAssent.Plug.callback_upsert/4`, which will authenticate, upsert the user identity, or create the user
- [PowAssent.Store.SessionCache] Added session store module
- [PowAssent.Plug] Added `PowAssent.Plug.init_session/1`
- [PowAssent.Plug] Added `PowAssent.Plug.put_session/3`
- [PowAssent.Plug] Added `PowAssent.Plug.delete_session/2`
- [PowAssent.Ecto.Schema] Fixed issue in `PowAssent.Ecto.Schema.changeset/2` where the confirmation token was not set, thus allowing users with an unconfirmed e-mail to sign in
- Added legacy migration guide
- Added API guide
- [PowAssent.Phoenix.AuthorizationController] Now supports the `:request_path` param so the user will be redirected back to `:request_path` after successful authorization
- [PowAssent.Phoenix.ViewHelpers] `PowAssent.Phoenix.ViewHelpers.authorization_link/3` now adds `:request_path` to the query params if assigned to the conn
- [PowAssent.Phoenix.ViewHelpers] `PowAssent.Phoenix.ViewHelpers.authorization_link/3`, `PowAssent.Phoenix.ViewHelpers.deauthorization_link/3`, and `PowAssent.Phoenix.ViewHelpers.provider_links/2` now accept a keyword list with options to be passed on to the link generation
Note: This release contains an important security fix.

- [PowAssent.Plug] Now uses `String.to_existing_atom/1` in `PowAssent.Plug.providers_for_current_user/1`
- [PowAssent.Plug] Fixed security issue by removing `String.to_atom/1` for user-provided binaries in `PowAssent.Plug.authorize_url/3` and `PowAssent.Plug.callback/4` (atoms are never garbage collected, so attacker-chosen provider names could exhaust the atom table)
- [PowAssent.Config] `PowAssent.Config.get_provider_config/2` now accepts a binary provider
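The security fix above concerns turning a request parameter into an atom. The following is an added example, not PowAssent's own code, that shows the vulnerable pattern next to two safer lookups; the `providers` keyword list shape mirrors a PowAssent provider config but the values are constructed, and `ProviderLookup` is a hypothetical module name.

```elixir
defmodule ProviderLookup do
  @moduledoc """
  Resolve the `provider` path parameter (a user-controlled binary) to a
  configured provider. Assumed config shape: a keyword list keyed by atom,
  e.g. `[github: [strategy: Assent.Strategy.Github, ...]]`.
  """

  # VULNERABLE: every distinct string a client sends becomes a new atom.
  # Atoms are never garbage collected, so repeatedly requesting
  # /auth/<random>/new grows the atom table until the VM crashes.
  def unsafe_lookup(providers, provider) when is_binary(provider) do
    Keyword.get(providers, String.to_atom(provider))
  end

  # SAFER: `String.to_existing_atom/1` never creates atoms. It still matches
  # any atom that happens to exist for unrelated reasons, so the result must
  # be checked against the configured list, which `Keyword.get/2` does here.
  def existing_atom_lookup(providers, provider) when is_binary(provider) do
    Keyword.get(providers, String.to_existing_atom(provider))
  rescue
    ArgumentError -> nil
  end

  # SAFEST: compare binaries against the allowlist of configured providers
  # and create no atoms at all. Returns `{name, config}` or `nil`.
  def lookup(providers, provider) when is_binary(provider) do
    Enum.find_value(providers, fn {name, config} ->
      if Atom.to_string(name) == provider, do: {name, config}
    end)
  end

  def lookup(providers, provider) when is_atom(provider) do
    case Keyword.fetch(providers, provider) do
      {:ok, config} -> {provider, config}
      :error -> nil
    end
  end
end

# Constructed sample config (not a real application's):
providers = [
  github: [strategy: Assent.Strategy.Github, client_id: "example-id"],
  google: [strategy: Assent.Strategy.Google, client_id: "example-id"]
]

{:github, _config} = ProviderLookup.lookup(providers, "github")
nil = ProviderLookup.lookup(providers, "not-a-provider")
nil = ProviderLookup.existing_atom_lookup(providers, "never-seen-before-" <> "x")
```

The last form is what the `get_provider_config/2` entry enables: once the config lookup accepts a binary, the plug no longer has any reason to convert request input to an atom.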
- Removed `:phoenix_html` dependency requirement
- Added Pow minimum requirement `~> 1.0.15`
- Use `Pow.Extension.Base` macro for new extension setup
- Added support for POST callback from provider:
  - Added `pow_assent_authorization_post_callback_routes/0` macro to `PowAssent.Phoenix.Router`
  - Added `:skip_csrf_protection` pipeline example and scope with `pow_assent_authorization_post_callback_routes/0` call to the docs
  - Use `Pow.Phoenix.Router` macros to dynamically filter duplicate routes
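As an added illustration of the POST callback routing described above (this is example code, not the project's documented router), a Phoenix router that exposes the POST callback without CSRF protection while keeping every other route protected. `MyAppWeb` and the pipeline contents are assumptions; the two router macros are the ones named in the entry.

```elixir
defmodule MyAppWeb.Router do
  use MyAppWeb, :router
  use Pow.Phoenix.Router
  use PowAssent.Phoenix.Router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  # Same as :browser minus :protect_from_forgery. The provider's browser
  # redirect arrives as a cross-site POST that cannot carry this app's CSRF
  # token, so the route would always be rejected otherwise. The OAuth `state`
  # value bound to the session is what ties the callback to the request the
  # user started. Keep this pipeline limited to this one scope.
  pipeline :skip_csrf_protection do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :put_secure_browser_headers
  end

  scope "/" do
    pipe_through :skip_csrf_protection

    pow_assent_authorization_post_callback_routes()
  end

  scope "/" do
    pipe_through :browser

    pow_routes()
    pow_assent_routes()
  end
end
```

The order matters: the POST callback scope is declared first so the duplicate-route filtering mentioned in the entry leaves the CSRF-protected versions for everything else.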
- Use Assent `v0.1.2` and set `:redirect_uri` in config for OAuth 2.0 callback phase
This release consists of major breaking changes.

You'll have to change the `:strategy` setting in your provider configurations. For the most part it will just consist of renaming `PowAssent.Strategy.STRATEGY` to `Assent.Strategy.STRATEGY`.

If you have custom built strategies, you can use `Assent.Strategy.normalize_userinfo/2` to conform the userinfo response from the API. `sub` is now expected instead of `uid`.
- Use `:assent` package for strategies. The following modules have been removed in favor of `Assent` modules:
  - `PowAssent.CallbackError`
  - `PowAssent.CallbackCSRFError`
  - `PowAssent.RequestError`
  - `PowAssent.ConfigurationError`
  - `PowAssent.HTTPAdapter`
  - `PowAssent.HTTPAdapter.Httpc`
  - `PowAssent.HTTPAdapter.Mint`
  - `PowAssent.Strategy.Auth0`
  - `PowAssent.Strategy.AzureOAuth2`
  - `PowAssent.Strategy.Basecamp`
  - `PowAssent.Strategy.Discord`
  - `PowAssent.Strategy.Facebook`
  - `PowAssent.Strategy.Github`
  - `PowAssent.Strategy.Gitlab`
  - `PowAssent.Strategy.Google`
  - `PowAssent.Strategy.Instagram`
  - `PowAssent.Strategy.OAuth`
  - `PowAssent.Strategy.OAuth.Base`
  - `PowAssent.Strategy.OAuth2`
  - `PowAssent.Strategy.OAuth2.Base`
  - `PowAssent.Strategy.Slack`
  - `PowAssent.Strategy.Twitter`
  - `PowAssent.Strategy.VK`
  - `PowAssent.Strategy`
- Callback params now conform to the OpenID Connect Core 1.0 Standard Claims spec. During the callback phase, the following param keys will be renamed:
  - `sub` to `uid`
  - `preferred_username` to `username`
- The e-mail is no longer considered confirmed unless the callback params have an `email_verified` key set to `true`
- `PowAssent.Plug.authorize_url/3` generates a random nonce if `nonce: true` is set in the provider configuration
- Support for OpenID Connect and Apple Sign In through Assent
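The two callback-phase rules above (key renames, and confirmation only on a literal `email_verified: true`) as an added example, not code from PowAssent or Assent. `ClaimsExample` is a hypothetical module; the `email_confirmed_at` field name is assumed from PowEmailConfirmation and the claim maps are constructed inputs.

```elixir
defmodule ClaimsExample do
  @moduledoc false

  # Standard-claim keys renamed to the user identity param keys.
  @renames %{"sub" => "uid", "preferred_username" => "username"}

  @doc "Rename standard claims and decide whether the e-mail counts as confirmed."
  def to_user_identity_params(claims) when is_map(claims) do
    claims
    |> Map.new(fn {key, value} -> {Map.get(@renames, key, key), value} end)
    |> mark_email_confirmation()
  end

  # Only the boolean `true` marks the e-mail as confirmed. The string "true",
  # the integer 1, nil, or an absent key all leave it unconfirmed. A provider
  # that lets users type any address without verifying it must not be able to
  # confirm that address here, otherwise it could be matched to an existing
  # account by e-mail. (`email_confirmed_at` is an assumed field name.)
  defp mark_email_confirmation(%{"email_verified" => true} = params) do
    Map.put(params, "email_confirmed_at", DateTime.utc_now())
  end

  defp mark_email_confirmation(params), do: params
end

# Constructed claim maps, not real provider responses:
verified = %{
  "sub" => "10042",
  "preferred_username" => "alice",
  "email" => "alice@example.com",
  "email_verified" => true
}

lax = %{"sub" => "10043", "email" => "bob@example.com", "email_verified" => "true"}

%{"uid" => "10042", "username" => "alice", "email_confirmed_at" => %DateTime{}} =
  ClaimsExample.to_user_identity_params(verified)

false = Map.has_key?(ClaimsExample.to_user_identity_params(lax), "email_confirmed_at")
```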
- All links in docs generated with `mix docs` and on hexdocs.pm now work
- Generated docs now use lower case file names except for `README` and `CHANGELOG`
- Added Auth0 strategy
- Added Gitlab strategy
- Added Pow minimum requirement `~> 1.0.9`
- Added repo `:prefix` support
- User identities are now upserted on authorization so additional params can be updated on the authorization request. The following methods have been deprecated:
  - `PowAssent.Ecto.UserIdentities.Context.create/3` in favor of `PowAssent.Ecto.UserIdentities.Context.upsert/3`
  - `MyApp.UserIdentities.create/2` in favor of `MyApp.UserIdentities.upsert/2`
  - `MyApp.UserIdentities.pow_assent_create/2` in favor of `MyApp.UserIdentities.upsert/2`
  - `PowAssent.Operations.create/3` in favor of `PowAssent.Operations.upsert/3`
  - `PowAssent.Plug.create_identity/2` in favor of `PowAssent.Plug.upsert_identity/2`
- Use `Pow.Plug.get_plug/1` instead of pulling `:mod` from the config
- Fixed so `uid` can be an integer value in `PowAssent.Ecto.UserIdentities.Context`. Strategies are no longer expected to convert the `uid` value to binary. The following methods will accept an integer `uid`:
  - `PowAssent.Ecto.UserIdentities.Context.get_user_by_provider_uid/3`
  - `PowAssent.Ecto.UserIdentities.Context.upsert/3`
  - `PowAssent.Ecto.UserIdentities.Context.create_user/4`
- Fixed bug where invited user was not signed in after successful authorization
- Fixed bug where releases with Elixir 1.9.0 didn't have `:httpc` available
- Added `PowAssent.Phoenix.ViewHelpers.authorization_link/2` and `PowAssent.Phoenix.ViewHelpers.deauthorization_link/2`
- Removed `PowAssent.Phoenix.ViewHelpers.provider_link/3`
- Rewritten plug methods and controller handling so they now pass through additional params such as the access token. This makes it possible to e.g. capture access tokens. Now there is a clear distinction between user identity params and user params, and most methods now accept or return two separate params. The following methods were updated:
  - `MyApp.UserIdentities.create/3` changed to `MyApp.UserIdentities.create/2`
  - `MyApp.UserIdentities.pow_assent_create/3` changed to `MyApp.UserIdentities.pow_assent_create/2`
  - `PowAssent.Ecto.UserIdentities.Context.create/4` changed to `PowAssent.Ecto.UserIdentities.Context.create/3`
  - `MyApp.UserIdentities.create_user/4` changed to `MyApp.UserIdentities.create_user/3`
  - `MyApp.UserIdentities.pow_assent_create_user/4` changed to `MyApp.UserIdentities.pow_assent_create_user/3`
  - `PowAssent.Ecto.UserIdentities.Context.create_user/5` changed to `PowAssent.Ecto.UserIdentities.Context.create_user/4`
  - `PowAssent.Operations.create/4` changed to `PowAssent.Operations.create/3`
  - `PowAssent.Operations.create_user/5` changed to `PowAssent.Operations.create_user/4`
  - `PowAssent.Plug.callback/4` now returns a tuple with `{:ok, user_identity_params, user_params, conn}`
  - `PowAssent.Plug.authenticate/3` changed to `PowAssent.Plug.authenticate/2`
  - `PowAssent.Plug.create_identity/3` changed to `PowAssent.Plug.create_identity/2`
  - `PowAssent.Plug.create_user/4` now accepts `user_identity_params` instead of `provider` as the second argument
- Fixed so OAuth 2.0 access token request params are in the POST body in accordance with RFC 6749
- Added `:authorization_params` config option to `PowAssent.Strategy.OAuth`
- Plug and Phoenix controller now handle `:session_params` rather than `:state` for any params that need to be stored temporarily during authorization
- Added handling of `oauth_token_secret` to OAuth strategies
- Support any `:plug` version below `2.0.0`
- Fixed bug in `mix pow_assent.ecto.gen.migration` task where the `--binary-id` flag didn't generate the correct migration
- Support `:pow` version `1.0.5`
- Fixed issue where user couldn't be created when PowEmailConfirmation was enabled
- Improve mix task instructions
- Detached `Plug` from strategies
- Moved callback registration/session logic from plug to controllers
- Allow for disabling registration by setting just the `pow_assent_authorize_routes/0` macro in the router
- Ensure the `:pow_assent_params` session value can only be read with the same provider param used for the callback
- `token` now included in `PowAssent.Strategy.OAuth.callback/2` response
- Use `account_already_bound_to_other_user/1` message for already taken user identity in `PowAssent.Phoenix.RegistrationController`
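Two entries in this changelog describe the same design: session params for an in-flight authorization are readable only for the provider that stored them (the `:pow_assent_params` entry above), and the later move to `PowAssent.Store.SessionCache` keeps only a random identifier in the Plug session while the state, nonce and similar values live server-side. The following is an added, self-contained sketch of that design, not PowAssent's store; `SessionParamsStore` is a hypothetical module, ETS stands in for the backend cache, and the usage relies on `Plug.Test` from the `:plug` dependency.

```elixir
defmodule SessionParamsStore do
  @moduledoc false

  @table :session_params_store_example
  @session_key :pow_assent_session_example
  @ttl_ms :timer.minutes(10)

  def init do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :public, read_concurrency: true])
    end

    :ok
  end

  # Store the params server-side and put only an opaque random id in the
  # Plug session. The provider name is stored with the entry so that a
  # callback for another provider cannot read it.
  def put(conn, provider, params) when is_binary(provider) and is_map(params) do
    id = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    expires_at = System.monotonic_time(:millisecond) + @ttl_ms
    true = :ets.insert(@table, {id, provider, params, expires_at})
    Plug.Conn.put_session(conn, @session_key, id)
  end

  # Single-use fetch. Fails when the id is missing, expired, or was written
  # for a different provider than the callback being handled; a bare `_`
  # else-branch keeps the error generic so nothing leaks about which check
  # failed.
  def pop(conn, provider) when is_binary(provider) do
    with id when is_binary(id) <- Plug.Conn.get_session(conn, @session_key),
         [{^id, ^provider, params, expires_at}] <- :ets.lookup(@table, id),
         true <- System.monotonic_time(:millisecond) < expires_at do
      :ets.delete(@table, id)
      {:ok, params, Plug.Conn.delete_session(conn, @session_key)}
    else
      _ -> {:error, :invalid_session}
    end
  end
end

# Usage with a constructed test connection (requires the :plug dependency):
SessionParamsStore.init()
conn = Plug.Test.init_test_session(Plug.Test.conn(:get, "/"), %{})

conn = SessionParamsStore.put(conn, "github", %{"state" => "abc", "nonce" => "n1"})
{:ok, %{"state" => "abc", "nonce" => "n1"}, _conn} = SessionParamsStore.pop(conn, "github")

# The same id presented on another provider's callback is rejected:
conn2 = SessionParamsStore.put(conn, "github", %{"state" => "xyz"})
{:error, :invalid_session} = SessionParamsStore.pop(conn2, "google")
```

The point of the split is that a leaked or tampered session cookie reveals only a random id, and the id is useless after one callback or after the TTL elapses.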
Strategies no longer have access to a `Plug.Conn` struct. If you use a custom strategy, please update it so it reflects this setup:

```elixir
defmodule TestProvider do
  @behaviour PowAssent.Strategy

  # Receives only the provider config (a keyword list); there is no conn to
  # read from or write to. Anything that must survive the redirect has to be
  # returned from here and handed back to `callback/2` as params by the caller.
  @spec authorize_url(Keyword.t()) :: {:ok, %{url: binary()}} | {:error, term()}
  def authorize_url(config) do
    # Generate authorization url
  end

  # Receives the provider config and the callback params (the query or body
  # params of the provider's redirect) and returns the user map or an error.
  @spec callback(Keyword.t(), map()) :: {:ok, %{user: map()}} | {:error, term()}
  def callback(config, params) do
    # Handle callback response
  end
end
```
- Initial release