- Upgrade gemspec to support Rails v7.2
Breaking changes:
- Require a confirmation token before enabling Two Factor Authentication (2FA), to ensure that the user has added the OTP token to their device correctly
- Update DeviseAuthenticatable to redirect user (rather than login user) when OTP is enabled
- Remove OtpAuthenticatable callbacks for setting OTP credentials on create action (no longer needed)
- Replace OtpAuthenticatable "reset_otp_credentials" methods with "clear_otp_fields!" method
- Update otp_tokens#edit to populate OTP secrets (rather than assuming they are populated via callbacks in OTPDeviseAuthenticatable module)
- Repurpose otp_tokens#destroy to disable 2FA and clear OTP secrets (rather than resetting them)
- Add reset token action and hide/repurpose disable token action
- Update disable action to preserve the existing token secret
- Hide button for mandatory OTP
- Add Refreshable hook, and tie into after_set_user callback
- Utilize native warden session for scoping of credentials_refreshed_at and refresh_return_url properties
- Require adding "ensure_mandatory_{scope}_otp!" to controllers for mandatory OTP
- Update locales to support the new workflow
Regenerate your views with rails g devise_otp:views and update locales.
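The confirm-before-enable flow from the first breaking change, as an added example that is not devise-otp's own code: a minimal RFC 6238 TOTP verifier on the Ruby standard library and a stand-in User model whose otp_enabled flag is only set once a code from the device verifies. The User class, begin_otp_setup!, confirm_otp! and the raw-byte secret are assumptions for illustration; clear_otp_fields! mirrors the method name above but is not the gem's implementation.

```ruby
require 'openssl'

# RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation.
def hotp(secret, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac[-1].ord & 0x0f
  code = hmac[offset, 4].unpack1('N') & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, '0')
end

# RFC 6238 TOTP: HOTP with the counter derived from Unix time and a 30s step.
def totp(secret, at:, step: 30, digits: 6)
  hotp(secret, at / step, digits: digits)
end

# Accept the current step plus `drift` steps either side to tolerate clock skew.
def totp_valid?(secret, code, at:, step: 30, drift: 1)
  (-drift..drift).any? { |d| totp(secret, at: at + d * step, step: step) == code }
end

# Stand-in for the user record (assumed for illustration, not the gem's model).
# A pending secret is stored first; 2FA is enabled only once the user proves the
# device produces matching codes, which is the confirmation step described above.
class User
  attr_reader :otp_secret, :otp_enabled

  def initialize
    clear_otp_fields!
  end

  # otp_tokens#edit: populate the secret the user will scan, still disabled.
  def begin_otp_setup!(secret)
    @otp_secret = secret
    @otp_enabled = false
  end

  # Confirmation step: enable only when the submitted code verifies.
  def confirm_otp!(code, now: Time.now.to_i)
    return false if @otp_secret.nil?
    return true if @otp_enabled
    @otp_enabled = totp_valid?(@otp_secret, code.to_s, at: now)
  end

  # otp_tokens#destroy: disable 2FA and drop the secret.
  def clear_otp_fields!
    @otp_secret = nil
    @otp_enabled = false
  end
end
```

The secret "12345678901234567890" with time 59 is the RFC 6238 test vector and should yield 287082.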
Changes to locales:
- Remove:
  - otp_tokens.enable_request
  - otp_tokens.status
  - otp_tokens.submit
- Add to otp_tokens scope:
  - enable_link
- Move/rename devise.otp.token_secret.reset_* values to devise.otp.otp_tokens.disable_* (for consistency with "enable_link"):
  - disable_link
  - disable_explain
  - disable_explain_warn
- Add to new edit_otp_token scope:
  - title
  - lead_in
  - step1
  - step2
  - confirmation_code
  - submit
- Move "explain" to new edit_otp_token scope
- Add devise.otp.otp_tokens.could_not_confirm
- Rename "successfully_reset_creds" to "successfully_disabled_otp"
You can grab the full locale file here.
Improvements:
- support rails 6.1 by @cotcomsol in #67
Fixes:
- mandatory otp fix by @cotcomsol in #68
- remove success message by @strzibny in #69