- added new extension library Ember Simple Auth Torii
- Added support for OAuth 2.0 token revocation in the Ember Simple Auth OAuth 2.0 extension library, see #228
- The browserified distribution does not export the
setupfunction anymore, see #235. - All standard Ember methods that are defined in the mixins will now call
this._super, see #232.
- The
crossOriginWhitelistis now loaded fromwindow.ENVcorrectly, see #218.
- [BREAKING] All factory properties that previously had a "Factory" suffix
have been renamed to not include the suffix anymore. If you're currently
setting
storeFactoryorauthorizerFactoryin the configuration be sure to change these tostoreandauthorizer. Also changeauthenticatorFactoryin the login controller toauthenticator. - The file names of the download distribution have been changed to have the "ember-" prefix again.
- [BREAKING] Ember Simple Auth's
SimpleAuthobject is no longer attached to theEmberglobal but is now a global itself (in the browserified distribution that exports that global). When you were referring to e.g.Ember.SimpleAuth.ApplicationRouteMixinyou now have to change that to justSimpleAuth.ApplicationRouteMixin. - [BREAKING] The "namespace" for all components that Ember Simple Auth registers in Ember's container has been changed from 'ember-simple-auth-' to just 'simple-auth-'.
- [BREAKING] The names of the distributed files has changed from "ember-simple-auth-…" to "simple-auth-…".
- [BREAKING] The requirement for defining an initializer and call
SimpleAuth.setupin that has been dropped. Ember Simple Auth will now setup itself once it is loaded. Existing Ember Simple Auth initializers should be removed. - [BREAKING] As
SimpleAuth.setupwas removed there now is a new way to configure Ember Simple Auth. Instead of passing configuration values to thesetupmethod, these values are now defined onwindow.ENV['simple-auth'](andwindow.ENV['simple-auth-oauth']etc. for the extension libraries). See the API Docs forConfigurationfor more information. - [BREAKING] All underscores have been replaced with dashes in filenames. This only affects users that were using the AMD build.
- [BREAKING] The AMD builds are no longer distributed in the 'amd/' subfolder but in the root level along with the browserified versions.
- The
ApplicationRouteMixinnow subscribes to the session's events in thebeforeModelmethod, see #199. - Added documentation on how to disable server sessions when using the Devise extension library, see #204.
- The authorizer will not be used if it is destroyed already, see #191.
- The check for cross origin requests has been simplified, see #190.
- Most of the examples in the READMEs and API docs have been rewritten to focus on Ember CLI and ES6 modules instead of the browserified distribution.
- The cookie store example now implements "remember me" functionality.
- There is a new example that uses the AMD distribution.
- fixed the AMD build so it does not depend on the Ember.SimpleAuth global, see #183.
- Added an example for the devise extension library, see #188.
- Cleaned up the AMD structure so it can better be used with ember-cli, see #189 (all files export the default export now).
- The
ApplicationRouteMixinnow uses the configured session property name, see #184. - The
ApplicationRouteMixinwill not try to invalidate a session that is not authenticated and thus cannot be invalidated, see #185.
- The OAuth 2.0 authenticator does not schedule automatic token refreshs in the test environment anymore, see #181.
- Using any of the mixins is now completely optional; Ember Simple Auth will work without the mixins as well (see example 9).
- The session's
authorizationFailedevent will now be triggered for any failed XHRs and not only for those made in routes'modelhooks. - Fixed the Devise authenticator's
restoremethod, see #171 - The
AuthenticationControllerMixin'sauthenticateaction now returns the promise that's returned from the session'sauthenticateaction. - The authenticator's
'updated'event was renamed to'sessionDataUpdated'. - The store's
'updated'event was renamed to'sessionDataUpdated'. - The API docs now include the events an object might trigger.
- The tests now run with the latest Ember and jQuery versions.
- [BREAKING] Ember Simple Auth's factories are now registered with
"namespaced" names with Ember's container to avoid conflicts, see #159;
this requires all references to these factories (e.g.
authenticatorFactoryin controllers to be prepended with'ember-simple-auth-'). - [BREAKING]
Ember.SimpleAuth.Authorizers.Devisenow sends the user's token and email address in one header that's compatible to Rails' token auth module - [BREAKING]
Ember.SimpleAuth.Authenticators.Devisenow sends the (configurable) resource name for session authentication, see #157 - The name of the property that Ember.SimpleAuth injects the session with into routes and controllers can now be customized, see #159
- fixed
Ember.SimpleAuth.Utils.isSecureUrlso that it checks the passed URL not the current location - improved the instructions for server side setup for ember-simple-auth-devise, see #155
- Fixed a bug where the arguments from session events were not passed to router actions.
- Ember Simple Auth has been split up into a base library and a set of
extension libraries - the OAuth 2.0 authenticator/authorizer, the cookie
session store as well as the new Devise authenticator/authorizer now reside
in their own extension libraries so everybody can include only what they
need. If you're currently using the OAuth 2.0 authenticator and/or
authorizer, you now need to include the
ember-simple-auth-oauth2.jsfile in your app! If you're using theCookiestore you need to includeember-simple-auth-cookie-store.js. - the new Devise authenticator and authorizer have been added, see README there.
- it is now optional to specify an authorizer; if none is specified no requests
will be authorized. If you're currently using an authorized be sure to
specify it for
Ember.SimpleAuth.setupnow, e.g.:Ember.SimpleAuth.setup(container, application, { authorizerFactory: 'authorizer:oauth2-bearer' });
- the session is no longer injected into models and views - it was probably not working for both for some time anyway and it was also not a good idea to do it in the first place as anything related to the session should be managed by the routes and controllers; see #122.
- the authenticator's update event is now handled correctly so that it might lead to the session being invalidated, see #121.
- examples have been updated
- the OAuth 2.0 authenticator will now try to refresh an expired token on refresh and only reject when that fails, see #102
- removed check for identification and password being present in
LoginControllerMixinso an error is triggered with the server's response - serve both examples and tests with
grunt dev_servertask - README improvements
- improved examples
- Ember Simple Auth now reloads the application's root page on logout so all sensitive in-memory data etc. gets cleared - this also works across tabs now, see #92
- the OAuth 2.0 authenticator rejects restoration when the access token is known to have expired, see #102
- the store is not updated unnecessarily anymore, see #97
- the library is now built with grunt, uses ES6 modules and is tested with mocha - all Ruby dependencies have been removed
- added warnings when credentials/tokens etc. are transmitted via insecure connections (HTTP)
- fixed synchronization of stores, see #91
Ember.SimpleAuth.setupnow expects the container and the application as arguments (Ember.SimpleAuth.setup(container, application);)- the authenticator to use is now looked up via Ember's container instead of the class name which fixes all sorts of problems especially when using Ember AppKit with the new ES6 modules lookup
- the examples will now always build a new release of Ember Simple Auth when starting
- origin validation now works in IE, see #84
- use absolute expiration times for tokens, see #76
- fix for cross origin check in IE, see #72
- make sure errors bubble up, see #79
- added documentation for customizing/extending the library
The Big Rewrite™, see the README and the release notes.
The main changes are:
- all code that is specific to concrete authentication/authorization mechanisms was moved into strategy classes (see e.g. Authenticators.OAuth2, Authorizers.OAuth2)
- instead of persisting the session in cookies, the default store is now
localStorage Ember.SimpleAuth.setupdoes not expect the container as first argument anymore, now takes only the application object- the terms login/logout were replaced by session authentication/session invalidation
- OAuth 2.0 client authentication was removed from the default library as it does not really work for public clients
- fixed cross origin check for Firefox (which doesn't implement location.origin), see #41
- fixed problem that broke integration tests, see #38 and #39
- don't periodically refresh data stored in cookie in testing mode, see #35
- support for client id and client secret, see, #36
- clear password on login, see #29
- fixed prevention of sending
Authorizationheader with cross-origin requests - added Ember.SimpleAuth.crossOriginWhitelist to also sent
Authorizationheader with configured cross-origin requests
- use session cookies to store the session properties (see #30)
- added API docs
- fixed #21
- made the library compliant to RFC 6749
- added the application route mixin with
login,logout,loginSucceeded,loginFailedactions - added callbacks for use with external OpenID/OAuth providers
- more examples
- added automatic token refreshing
- changed header to standard
Authorizationinstead of the custom header, see #15
- fixed content type of
POST /sessionrequest to be application/json, see #13
initial release