Releases: stitchfix/stitches
v5.0.0
What's Changed
Most significantly, API key use is now optional. By default, v5 will not enable API Key auth or generate the api_client tables. To disable API Key auth on your app, there's a new configuration parameter you can add to the initializer documented in the README.
This might be useful if your platform has alternative approaches for restricting access to services.
You can read more about the changes here:
Here's a full breakdown:
- Add sqlite to circleci job by @stitchfixsam in #105
- these configuration details don't work for newer versions of Rails by @taboularasa in #107
- Update to the latest Ruby point release by @fixbot in #108
- update CODEOWNERS to dev-platform by @zackse in #109
- Update to the latest Ruby point release by @fixbot in #110
- Updating eng-runtime team name to dev-platform by @nshemonsky in #111
- Update to the latest Ruby point release by @fixbot in #112
- Remove support for old versions of Rails by @ebarendt in #113
- Update to the latest Ruby point release by @fixbot in #115
- Update to the latest Ruby point release by @fixbot in #116
- Make App Platform CODEOWNER by @samsm in #117
- Update CODEOWNERS by @brettfishman in #122
- Get CI Passing by @benortiz in #121
- Configuration to disable api key support by @benortiz in #123
- Separate API Key auth support generation by @benortiz in #124
- Update to the latest Ruby point release by @fixbot in #125
New Contributors
- @stitchfixsam made their first contribution in #105
- @zackse made their first contribution in #109
- @nshemonsky made their first contribution in #111
- @ebarendt made their first contribution in #113
- @samsm made their first contribution in #117
- @benortiz made their first contribution in #121
Full Changelog: v4.2.2...v5.0.0
Redact expired api keys in logging
API keys that were expired but still allowed to be used during the grace period were being logged along with the warning message. For better security, they are now redacted, showing only the last eight characters.
Add disabled API key leniency
In some cases we may want to allow a leniency period after an API key has been disabled. This release introduces the concept of an optional disabled_at field to the api_clients table. When it is set and the enabled field is set to false, stitches uses the configuration to determine if it should continue to allow the API key to be used with a warning.
Upgrading to this version should include creating a migration to create the new field using the command:
bundle exec rails generate stitches:add_disabled_at_to_api_clients
See the README for more information on configuration and migration.
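The two notes above (redacting keys in log messages and the leniency period for disabled keys) can be sketched together as follows. This is an added example, not code from stitches: ApiClient, redact_key, authorize and leniency_seconds are hypothetical names, and the fail-closed handling of a missing or future disabled_at is an assumption.

```ruby
# Added illustration; ApiClient, redact_key, authorize and leniency_seconds
# are hypothetical names, not part of the stitches API.
ApiClient = Struct.new(:name, :key, :enabled, :disabled_at, keyword_init: true)

VISIBLE_CHARS = 8

# Keep only the last eight characters. Keys that are eight characters or
# shorter are masked entirely so the log never contains a whole key.
def redact_key(key)
  key = key.to_s
  return "[redacted]" if key.length <= VISIBLE_CHARS
  "[redacted]" + key[-VISIBLE_CHARS, VISIBLE_CHARS]
end

# Returns [decision, log_line]. decision is :allow, :allow_with_warning or :deny.
# Assumptions: a disabled key without disabled_at, a disabled_at in the future,
# or a nil leniency all fail closed.
def authorize(client, now:, leniency_seconds:)
  return [:allow, nil] if client.enabled

  redacted = redact_key(client.key)
  denied = [:deny, "API key #{redacted} (#{client.name}) is disabled"]
  return denied if client.disabled_at.nil? || leniency_seconds.nil?

  age = now - client.disabled_at # Float seconds since the key was disabled
  return denied if age.negative? || age >= leniency_seconds

  remaining = (leniency_seconds - age).floor
  [:allow_with_warning,
   "API key #{redacted} (#{client.name}) was disabled at " \
   "#{client.disabled_at.getutc.strftime('%Y-%m-%dT%H:%M:%SZ')}; allowed for #{remaining}s more"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  now = Time.utc(2024, 1, 10, 12, 0, 0)
  clients = [
    ApiClient.new(name: "active", key: "a1b2c3d4e5f6a7b8c9d0", enabled: true),
    ApiClient.new(name: "grace", key: "0123456789abcdefSECRET99", enabled: false, disabled_at: now - 3600),
    ApiClient.new(name: "stale", key: "ffffeeeeddddccccbbbb", enabled: false, disabled_at: now - 172_800),
    ApiClient.new(name: "legacy", key: "shortkey", enabled: false)
  ]
  clients.each do |c|
    decision, line = authorize(c, now: now, leniency_seconds: 86_400)
    puts "#{c.name}: #{decision} #{line}"
  end
end
```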
Use match? over =~ to avoid MatchData object allocation
See #98 for more details and benchmarks.
v4.0.1
- Adds support for 'application/protobuf' mime type
Introducing an API Key cache
Version 4.0.0 of stitches now includes an API Key cache. For some applications this can significantly lower the overhead of each HTTP request.
Also, this release removes the previously deprecated whitelist syntax. If you have not yet updated your usage, you should do that before upgrading to 4.0.0. Courtesy of @davetron5000.
Fix Change with Rack Unauthorized Response
to_ary was removed from Response in Rack's update from 2.0.8 to 2.1.1. Stitches inherits from this class and expected a to_ary method to be aliased to Response's finish method.
Apps can't update Rack until this is fixed.
v3.8.1
Remove Apitome runtime dependency
See #82 for details
Take advantage of ActionController::API
Api::ApiController will now inherit from ActionController::API, which does not include many of the modules needed for browser support like CSRF protection, Flash, etc.
Because APIs only respond with JSON, we can take advantage of ActionController::API and remove the need for stuff like respond_to blocks, skip :verify_authenticity_token or protect_from_forgery.