What's Changed

• Add Ruby 3.4 to CI by @tejasbubane in #1142
• Add after_request_phase callback hook by @gerardo-navarro in #1147

Full Changelog: v2.1.3...v2.1.4

You may now configure an after_request_phase callback on your omniauth builder instance. This callback will be run after the request phase before returning the request result.

What's Changed

• Test against Ruby 3.3 by @enomotodev in #1128
• Exclude (macos, 2.5) from test matrix by @TastyPi in #1137
• Avoid using URI::ABS_URI by @mame in #1136
• Do not override omniauth.origin in environment in test mode by @TastyPi in #1134

New Contributors

• @TastyPi made their first contribution in #1137
• @mame made their first contribution in #1136

Full Changelog: v2.1.2...v2.1.3

What's Changed

• Fix bundle install step on CI for TruffleRuby by @andrykonchin in #1104
• Use GET with :developer strategy. by @cycomachead in #1106
• Test against Ruby 3.2 by @enomotodev in #1113
• ci: use ubuntu-latest runner by @nschonni in #1109
• chore: add Dependabot for version updates by @nschonni in #1110
• Added Ruby 3.2 to workflow. by @madogiwa0124 in #1102
• chore: Remove conditions for old (J)Ruby by @nschonni in #1118
• fix: conditional delegate require Rack/JRuby by @nschonni in #1122

New Contributors

• @andrykonchin made their first contribution in #1104
• @cycomachead made their first contribution in #1106
• @nschonni made their first contribution in #1109
• @madogiwa0124 made their first contribution in #1102

Full Changelog: v2.1.1...v2.1.2

What's Changed

• Separate jruby and truffle ruby workflows by @BobbyMcWho in #1065
• Added docs showing how to integrate omniauth with rack_csrf by @HoneyryderChuck in #1070
• Fixed nil error in callback_path by @shreyakurian02 in #1092

New Contributors

• @HoneyryderChuck made their first contribution in #1070
• @shreyakurian02 made their first contribution in #1092

Full Changelog: v2.1.0...v2.1.1

Backports a vulnerability fix that was included in Omniauth 2.0 release to the 1.9 channel.

https://nvd.nist.gov/vuln/detail/CVE-2020-36599

Current Omniauth security policy maintains v2.0 and v2.1 channels for security releases, and security patches should not be typically expected for the v1.9 channel.

This release adds Ruby 3.0+ support.

Due to kwarg changes in ruby 3, we have bumped the minimum required version of Rack to 2.2.3, which is where ruby3 support was added.

Releasing as a minor as dependency resolution should fail at install if an application is locked to a rack below new minimum.

Full Changelog: v2.0.4...v2.1.0

This release removes unnecessary warning logging when accessing GET routes that are not related to the OmniAuth request path.

Thanks to @charlie-wasp and @sponomarev at Evil Martians for the bug find and subsequent PR.

As a consequence of the changes that were merged in #689, errors
thrown by strategies that utilize other_phase (or more specifically
call_app!), would be caught by omniauth, causing headaches for folks
looking to have those errors handled by their application. This
should allow for errors that come from the app to pass through, while
passing errors that come from the authentication phases to the fail!
handler.

Resolves #1030

@jsdalton gave an awesome report of the issue present in test_mode in #1033

The current implementation of mock_call was verifying the token for all requests, regardless of whether the current path is on the omniauth request path. The change was introduced recently in 1b784ff. See #1032 for details.

This creates two problems:

1. When test mode is on, the authenticity verification logic is run inappropriately against requests where this may not even be wanted.
2. The behavior varies from actual production behavior, potentially allowing bugs to be introduced by unwary developers.

Note that this bug was only present when OmniAuth was configured for test_mode and using the mock_call phases.

This release now properly allows an instance of OmniAuth::AuthenticityTokenProtection (with passed in rack-protection configuration) to be used as the request_validation_phase.

Thanks @jkowens #1027

If you haven't already read the release notes for v2.0.0, you should do so.