Skip to content

Latest commit

 

History

History
72 lines (49 loc) · 2.4 KB

upgrading_to_1_0.md

File metadata and controls

72 lines (49 loc) · 2.4 KB

Upgrading to Passwordless 1.0

This major release of Passwordless changes a lot of things and it is almost guaranteed that you will need to change your code to upgrade to this version.

Note that there is no need to upgrade. The previous versions of Passwordless will continue to work for the foreseeable future.

From 1.0 the flow is:

  1. User enters email
  2. User is presented with a token input page
  3. User enters token OR clicks link in email
  4. User is signed in

1. Upgrade your database

If you're already running Passwordless, you'll need to update your database schema.

$ bin/rails g migration UpgradePassswordless
class UpgradePasswordless < ActiveRecord::Migration[7.0]
  def change
    # Encrypted tokens
    add_column(:passwordless_sessions, :token_digest, :string)
    add_index(:passwordless_sessions, :token_digest)
    remove_column(:passwordless_sessions, :token, :string, null: false)
    # UUID
    add_column(:passwordless_sessions, :identifier, :string)
    add_index(:passwordless_sessions, :identifier, unique: true)

    # Remove PII
    remove_column(:passwordless_sessions, :user_agent, :string, null: false)
    remove_column(:passwordless_sessions, :remote_addr, :string, null: false)
  end
end

2. Move configuration to Passwordless.config

Passwordless is now configured like this. In config/initializers/passwordless.rb:

Passwordless.configure do |config|
  config.default_from_address = "[email protected]"
end

3. Update your views (if you have customized them)

The existing views have changed and a new one has been added. Regenerate them using rails generate passwordless:views.

4. Un-isolated namespace

Passwordless no longer isolates namespace.

  1. Change all your links with eg. users.sign_in_path to users_sign_in_path
  2. Change all links with main_app.whatever_path to just whatever_path

5. Stop collecting PII

Passwordless no longer collects users' IP addresses. If you need this information, you can add it to your after_session_save callback.

6. Encrypted tokens

Tokens are encrypted at rest in the database. This means that any tokens that were generated with a previous version of Passwordless will no longer work.

7. Remove calls to deprecated methods and helpers

Removes authenticate_by_cookie and upgrade_passwordless_cookie from controller helpers.