Releases: stitchfix/stitches

Redact expired api keys in logging

20 Sep 15:03

API keys that were expired but still allowed to be used during the grace period were being logged along with the warning message. For better security, they are now redacted, showing only the last eight characters.

Add disabled API key leniency

12 Aug 16:10
cef2b5d

In some cases we may want to allow a leniency period after an API key has been disabled. This release introduces the concept of an optional disabled_at field to the api_clients table. When it is set and the enabled field is set to false, stitches uses the configuration to determine if it should continue to allow the API key to be used with a warning.

Upgrading to this version should include creating a migration to create the new field using the command:
bundle exec rails generate stitches:add_disabled_at_to_api_clients

See the readme for more information on configuration and migration.
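
The leniency decision described in this release, together with the log redaction from the release above, as an added Ruby example. It is not stitches' own code: `ApiClient`, `authorize`, `redact` and `LENIENCY_SECONDS` are hypothetical names, and denying a disabled key that has no disabled_at (or one set in the future) is an assumption of this sketch.

```ruby
# Added illustration; names below are hypothetical, not the stitches API.
LENIENCY_SECONDS = 3 * 24 * 60 * 60 # assumed grace period: three days

# Constructed stand-in for a row of the api_clients table.
ApiClient = Struct.new(:name, :key, :enabled, :disabled_at)

# Mask a key for logging, keeping only the last eight characters.
# Keys of eight characters or fewer are masked entirely.
def redact(key)
  key = key.to_s
  return "*" * key.length if key.length <= 8
  ("*" * (key.length - 8)) + key[-8, 8]
end

# Returns [decision, log_message]; decision is :allow,
# :allow_with_warning or :deny.
def authorize(client, now: Time.now, leniency: LENIENCY_SECONDS)
  return [:allow, nil] if client.enabled
  # Assumption: a disabled key without disabled_at gets no grace period.
  return [:deny, nil] if client.disabled_at.nil?

  age = now - client.disabled_at
  # A disabled_at in the future gives a negative age; fail closed on it.
  if age >= 0 && age < leniency
    remaining = (leniency - age).round
    [:allow_with_warning,
     "Allowing disabled ApiClient #{client.name} (key #{redact(client.key)}); " \
     "leniency ends in #{remaining}s"]
  else
    [:deny, nil]
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 1, 10, 12, 0, 0) # constructed clock
  [
    ApiClient.new("active-svc", "0123456789abcdef0123", true, nil),
    ApiClient.new("recently-off", "aaaabbbbccccdddd9999", false, now - 3600),
    ApiClient.new("long-off", "ffffeeeeddddcccc1111", false, now - 30 * 86_400),
    ApiClient.new("no-timestamp", "1111222233334444aaaa", false, nil)
  ].each do |client|
    decision, message = authorize(client, now: now)
    puts [client.name, decision, message].compact.join(" | ")
  end
end
```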

Use match? over =~ to avoid MatchData object allocation

11 Feb 23:27

See #98 for more details and benchmarks.

v4.0.1

12 Nov 17:36
  • Adds support for 'application/protobuf' mime type

Introducing an API Key cache

27 Jul 16:06
f07a1af

Version 4.0.0 of stitches now includes an API Key cache. For some applications this can significantly lower the overhead of each HTTP request.

Also, this release removes the previously deprecated whitelist syntax. If you have not yet updated your usage, you should do that before upgrading to 4.0.0. Courtesy of @davetron5000.

Fix Change with Rack Unauthorized Response

16 Jan 23:59

to_ary was removed from Response in Rack's update from 2.0.8 to 2.1.1. Stitches inherits from this class and expected a to_ary method to be aliased to Response's finish method.

Apps can't update Rack until this is fixed.

v3.8.1

10 Sep 22:02
  • Replace deprecated Module#parent calls with calls to Module#module_parent in Rails 6 apps (see #83)

Remove Apitome runtime dependency

07 Aug 20:35

Take advantage of ActionController::API

16 May 16:44

Api::ApiController will now inherit from ActionController::API, which does not include many of the modules needed for browser support, such as CSRF protection and Flash.

Because APIs only respond with JSON, we can take advantage of ActionController::API and remove the need for stuff like respond_to blocks, skip :verify_authenticity_token or protect_from_forgery.

v3.7.2

01 Feb 17:52

Minor change to update deprecation log formatting; see #69.