phoenix changelog


Here's the scoop on the latest updates and enhancements! We've been hard at work making things better, faster, and more fun. Check out the highlights of what's new and improved in our latest release:

  • New Feature Alert 🚀: We've added a shiny new method attribute to the global attributes of the button component. This means you can now specify HTTP methods like GET or POST for button actions, making your buttons even more powerful and flexible in your Phoenix apps.

  • Session Management Overhaul 🔄: We've jazzed up the session management and authentication functions, especially for token reissuing. Say goodbye to session fixation attacks and hello to a smoother, more secure user experience. Plus, we've tidied up the docs for future clarity.

  • Sudo Mode Gets a Boost 🔐: No more session resets when re-authenticating for sudo-mode protected pages! We've ensured your CSRF token stays intact, keeping your in-progress forms valid and your experience seamless.

  • Token Lifetimes Tweaked ⏰: Tokens now have a shorter, more secure lifespan—down from 60 days to 14. Plus, we've got a nifty mechanism to reissue them periodically, ensuring your authentication is always up-to-date.

  • Umbrella Project Fixes ☂️: We've patched up some pesky issues in umbrella project structures. Now your heroicons and code reloading should work like a charm, making development smoother than ever.

  • OTP 28 Compatibility 🛠️: We've moved regexes out of module attributes in Phoenix.Digester to ensure compatibility with OTP 28. This tweak keeps everything running smoothly without a hitch.

  • Documentation Cleanup 📝: Corrected the module name in App.Accounts.Scope documentation to avoid any confusion. Now, it accurately reflects its purpose, making things crystal clear.

Enjoy these updates and keep building awesome stuff! 🎉

Included Commits

2025-04-04T13:29:39 See commit

The commit addresses compatibility issues with OTP 28 by moving regular expressions (regexes) out of module attributes in the Phoenix.Digester module. Previously, regexes were defined as module attributes, which caused compatibility problems with the new version of OTP. The changes involve defining the regexes directly within the functions where they are used, allowing for better compatibility and functionality.

Specifically, the commit modifies several functions by replacing the module attribute regex definitions with local variables. This includes regexes for matching digested file names, stylesheet asset references, JavaScript source maps, and JavaScript map files. The adjustments not only resolve the compatibility issue but also maintain the existing functionality of the Phoenix.Digester module. Overall, the changes enhance the module's adaptability to newer OTP versions while preserving its core operations.

Files changed

  • lib/phoenix/digester.ex

2025-04-05T15:29:51 See commit

This commit addresses an issue with the module documentation for the generated module App.Accounts.Scope. The original documentation inaccurately referred to the module as App.Accounts.UserScope, which could lead to confusion about its purpose and functionality. The change updates the module documentation to correctly reflect the module name, ensuring clarity in the description of its role in allowing public interfaces to receive information about the caller.

To implement this fix, the commit modifies the relevant template file by replacing the incorrect module name with the correct one derived from the scope_config.scope.module. This approach ensures that the documentation accurately represents the module's identity and purpose, enhancing the overall clarity and reliability of the generated documentation. The changes consist of minor adjustments in the code, including one addition and one deletion, resulting in a more precise and informative module documentation.

Files changed

  • priv/templates/phx.gen.auth/scope.ex

2025-04-05T19:11:35 See commit

The commit addresses an issue with the re-authentication process for pages protected by sudo mode, where the existing session was being cleared, resulting in the invalidation of the CSRF token. This change prevents the session from being reset during re-authentication, allowing the same session ID and CSRF token to be maintained while updating only the CSRF token in the session. This improvement ensures that any open tabs with in-progress forms remain valid, thereby enhancing user experience and security.

Additionally, the commit includes modifications to the renew_session function to avoid unnecessary session renewal when the user is already logged in during sudo mode re-authentication. It also adds tests to verify that the session remains intact when re-authenticating under the same user and is cleared when a different user is involved. These changes contribute to a more robust authentication mechanism and prevent CSRF errors, while the code has been formatted for clarity.

Files changed

  • priv/templates/phx.gen.auth/auth.ex
  • priv/templates/phx.gen.auth/auth_test.exs

2025-04-05T19:12:06 See commit

This commit introduces a new attribute, method, to the global attributes of the button component within the Phoenix framework. The change was made in the core_components.ex file, where the attr :rest line was modified to include method alongside existing attributes like href, navigate, and patch.

By adding this attribute, developers can now specify the HTTP method (such as GET or POST) for button actions, enhancing the flexibility and functionality of buttons in web applications built with Phoenix. The modification involved a single addition and deletion, reflecting a straightforward yet impactful update to the component's capabilities.

Files changed

  • installer/templates/phx_web/components/core_components.ex

2025-04-06T14:03:10 See commit

This commit introduces several enhancements to the token management system in the phx.gen.auth codebase. Notably, it reduces the token lifetime from 60 days to 14 days and implements a mechanism to reissue new tokens periodically. Specifically, if a request is made after 7 days, a new token is issued, which will be valid for another 14 days from that point. Additionally, the handling of "sudo" mode has been updated to rely on the authenticated_at field of the UserToken, ensuring that reissued tokens do not incorrectly grant elevated privileges.

Moreover, the commit addresses a bug where sessions restored from cookies did not maintain the remember_me preference after a forced login via sudo. It also includes updates to the generated tests to ensure they reflect the new token management behaviors. The commit is co-authored by José Valim and includes modifications across various files related to authentication, including the generation templates and test cases.
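The policy described above (14-day lifetime, reissue after 7 days, sudo mode tied to authenticated_at) can be modelled in a few lines. This is an added sketch, not code from phx.gen.auth: the module name, function names and map-based token are hypothetical, and the 20-minute sudo window is an assumption the page does not state.

```elixir
defmodule TokenPolicySketch do
  @day 86_400
  # From the changelog: tokens live 14 days and are reissued after 7 days.
  @validity_seconds 14 * @day
  @reissue_after_seconds 7 * @day
  # Assumption: the page does not give the sudo window; 20 minutes is illustrative.
  @sudo_window_seconds 20 * 60

  # :inserted_at is when this token was issued; :authenticated_at is when the
  # user last presented credentials. At login both are the same instant.
  def issue(now), do: %{inserted_at: now, authenticated_at: now}

  def valid?(token, now),
    do: DateTime.diff(now, token.inserted_at) < @validity_seconds

  # Called on each authenticated request.
  def touch(token, now) do
    cond do
      not valid?(token, now) ->
        :expired

      DateTime.diff(now, token.inserted_at) > @reissue_after_seconds ->
        # The new token gets a fresh lifetime but keeps the original
        # authenticated_at, so reissuing never counts as re-authentication.
        {:reissued, %{token | inserted_at: now}}

      true ->
        {:unchanged, token}
    end
  end

  # Sudo mode depends only on authenticated_at, never on inserted_at.
  def sudo_mode?(token, now),
    do: DateTime.diff(now, token.authenticated_at) <= @sudo_window_seconds
end

# Constructed timeline; each match raises if the policy misbehaves.
day = 86_400
t0 = ~U[2025-04-06 12:00:00Z]
token = TokenPolicySketch.issue(t0)

true = TokenPolicySketch.sudo_mode?(token, DateTime.add(t0, 600))
{:unchanged, ^token} = TokenPolicySketch.touch(token, DateTime.add(t0, 3 * day))
{:reissued, fresh} = TokenPolicySketch.touch(token, DateTime.add(t0, 8 * day))
# The reissued token outlives the original 14-day limit...
true = TokenPolicySketch.valid?(fresh, DateTime.add(t0, 20 * day))
# ...but does not regain sudo mode, because authenticated_at is unchanged.
false = TokenPolicySketch.sudo_mode?(fresh, DateTime.add(t0, 8 * day))
:expired = TokenPolicySketch.touch(token, DateTime.add(t0, 15 * day))
```

If sudo mode were derived from the token's issue time instead, every periodic reissue would silently reopen the elevated-privilege window.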

Files changed

  • lib/mix/tasks/phx.gen.auth.ex
  • priv/templates/phx.gen.auth/auth.ex
  • priv/templates/phx.gen.auth/auth_test.exs
  • priv/templates/phx.gen.auth/conn_case.exs
  • priv/templates/phx.gen.auth/context_fixtures_functions.ex
  • priv/templates/phx.gen.auth/context_functions.ex
  • priv/templates/phx.gen.auth/migration.ex
  • priv/templates/phx.gen.auth/schema_token.ex
  • priv/templates/phx.gen.auth/settings_controller_test.exs
  • priv/templates/phx.gen.auth/settings_live_test.exs
  • priv/templates/phx.gen.auth/test_cases.exs

2025-04-06T23:32:21 See commit

This commit addresses issues related to the umbrella project structure, specifically targeting fixes that close issue #6165. The changes primarily involve modifications to two files: heroicons.js and mix.exs. In heroicons.js, the path for the icons directory has been adjusted to correctly reference the location of the heroicons when the project is organized as an umbrella. The modification ensures that the path is dynamically constructed based on whether the project is running in an umbrella context.

In the mix.exs file, the commit introduces a new configuration element by adding listeners: [Phoenix.CodeReloader] to the project configuration. This addition enhances the application's ability to reload code changes automatically during development, improving the development workflow. Overall, these changes aim to enhance the functionality and structure of the umbrella project, making it more robust and easier to work with.

Files changed

  • installer/templates/phx_assets/heroicons.js
  • installer/templates/phx_umbrella/mix.exs

2025-04-07T14:07:40 See commit

This commit focuses on enhancing the session management and authentication functions within a Phoenix application, particularly for token reissuing. Key changes include the refactoring of the log_in_<%= schema.singular %> function to streamline session creation and token management, replacing the previous method of renewing sessions with a more efficient create_or_extend_session function. Additionally, it addresses issues such as the removal of duplicate function definitions and updates to documentation for better clarity. The changes aim to improve security by avoiding session fixation attacks and ensuring a seamless user experience during authentication.

The commit also includes modifications to documentation, ensuring that future Phoenix generator invocations will correctly pass scoped data structures to controllers and LiveViews. These updates are crucial for maintaining user-specific data integrity and permissions as applications grow in complexity. Overall, the commit improves both the functionality and security of user authentication processes within the application while enhancing the clarity of associated documentation.

Files changed

  • guides/authn_authz/mix_phx_gen_auth.md
  • priv/templates/phx.gen.auth/auth.ex