[ci skip] v2.4.0 release

* Update readme with instructions for configuring signed cookies. * Update Gemfile.lock and version for 2.4.0 release.
thoughtbot · Apr 9, 2021 · b4cf731 · b4cf731
1 parent e653b30
commit b4cf731
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 2 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (2.3.1)
+    clearance (2.4.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)

diff --git a/NEWS.md b/NEWS.md
@@ -3,6 +3,14 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [2.4.0] - March 5, 2021
+
+### Added
+
+- Optionally use signed cookies to prevent remember token timing attacks
+
+[2.4.0]: https://github.com/thoughtbot/clearance/compare/v2.3.1...v2.4.0
+
 ## [2.3.1] - March 5, 2021
 
 ### Fixed
@@ -13,6 +21,8 @@ complete changelog, see the git history for each version via the version links.
 - Revert case sensitivity for email uniqueness
 - Bump nokogiri and actionview dependencies to address security vulnerabilities
 
+[2.3.1]: https://github.com/thoughtbot/clearance/compare/v2.3.0...v2.3.1
+
 ## [2.3.0] - August 14, 2020
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -62,6 +62,7 @@ Clearance.configure do |config|
   config.rotate_csrf_on_sign_in = true
   config.same_site = nil
   config.secure_cookie = false
+  config.signed_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
   config.parent_controller = "ApplicationController"
@@ -286,6 +287,33 @@ and `password` attributes. Over-riding the `email_optional?` or
 `skip_password_validation?` methods to return `true` will disable those
 validations from being added.
 
+### Signed Cookies
+
+By default, Clearance uses unsigned cookies. If you would like to use signed
+cookies you can do so by overriding the default in an initializer like so:
+
+```ruby
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = true
+end
+```
+
+If you are currently not using unsigned cookies but would like to migrate your
+users over to them without breaking current sessions, you can do so by passing
+in `:migrate` rather than `true` as so:
+
+```ruby
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = :migrate
+end
+```
+
+You can read more about signed cookies in Clearance and why they are a good idea
+in the [pull request that added them](https://github.com/thoughtbot/clearance/pull/917).
+
+
 ## Extending Sign In
 
 By default, Clearance will sign in any user with valid credentials. If you need

diff --git a/lib/clearance/version.rb b/lib/clearance/version.rb
@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.3.1".freeze
+  VERSION = "2.4.0".freeze
 end