v5.0.0.rc
Breaking Changes📦 deviseView on GitHub →
⚠ 1 breaking✨ 2 features🐛 2 fixes⚡ 1 deprecations🔧 4 symbols
Summary
Devise v5.0.0.rc introduces MFA support and updates session controller parameter handling, necessitating migration steps for sign-in logic.
⚠️ Breaking Changes
- The `Devise::SessionsController#create` action no longer accepts `params[:session]` for sign-in. You must now use `params[:user]` or `params[:admin]` depending on the scope being used for sign-in.
Migration Steps
- Review all usages of `params[:session]` in custom controllers and update them to use the appropriate scope parameter (e.g., `params[:user]`).
- If using `Devise.sign_out_all_users!`, replace it with `warden.logout` for the specific scope or use `Warden::Proxy#logout` if global sign-out is required.
✨ New Features
- Added support for multi-factor authentication (MFA) integration via the `devise-mfa` gem.
- Introduced a new configuration option `config.allow_unconfirmed_access_for_scopes` to permit certain actions before email confirmation.
🐛 Bug Fixes
- Fixed an issue where password reset tokens were sometimes generated with an incorrect expiration time when using Redis as the token store.
- Resolved a bug where `Devise::Mailer.reset_password_instructions` failed to load the correct locale settings.
🔧 Affected Symbols
Devise::SessionsController#createDevise.sign_out_all_users!Warden::Proxy#logoutDevise::Mailer.reset_password_instructions⚡ Deprecations
- The `Devise.sign_out_all_users!` helper method is deprecated and will be removed in v6.0. Use `Warden::Proxy#logout` directly for session invalidation across all scopes.