rails/activerecord/CHANGELOG.md

*   Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.

    Reference/belongs_to in migrations with version 6.0 were creating columns as
    bigint instead of integer for the SQLite Adapter.

    *Marcelo Lauxen*

*   Add a deprecation warning when `prepared_statements` configuration is not
    set for the mysql2 adapter.

    *Thiago Araujo and Stefanni Brasil*

*   Fix `QueryMethods#in_order_of` to handle empty order list.

    ```ruby
    Post.in_order_of(:id, []).to_a
    ```

    Also more explicitly set the column as secondary order, so that any other
    value is still ordered.

    *Jean Boussier*

*   Fix quoting of column aliases generated by calculation methods.

    Since the alias is derived from the table name, we can't assume the result
    is a valid identifier.

    ```ruby
    class Test < ActiveRecord::Base
      self.table_name = '1abc'
    end
    Test.group(:id).count
    # syntax error at or near "1" (ActiveRecord::StatementInvalid)
    # LINE 1: SELECT COUNT(*) AS count_all, "1abc"."id" AS 1abc_id FROM "1...
    ```

    *Jean Boussier*

*   Add `authenticate_by` when using `has_secure_password`.

    `authenticate_by` is intended to replace code like the following, which
    returns early when a user with a matching email is not found:

    ```ruby
    User.find_by(email: "...")&.authenticate("...")
    ```

    Such code is vulnerable to timing-based enumeration attacks, wherein an
    attacker can determine if a user account with a given email exists. After
    confirming that an account exists, the attacker can try passwords associated
    with that email address from other leaked databases, in case the user
    re-used a password across multiple sites (a common practice). Additionally,
    knowing an account email address allows the attacker to attempt a targeted
    phishing ("spear phishing") attack.

    `authenticate_by` addresses the vulnerability by taking the same amount of
    time regardless of whether a user with a matching email is found:

    ```ruby
    User.authenticate_by(email: "...", password: "...")
    ```

    *Jonathan Hefner*


Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/activerecord/CHANGELOG.md) for previous changes.
Fix migration compatibility to create SQLite references/belongs_to column as a integer when migration version is 6.0 Since #38717 the `ReferenceDefinition` wasn't being instantiated with the column type as `:integer` in the compatibility module when the adapter is SQLite for 6.0 migrations which make such columns be created as `bigint` instead of `integer`. Differing from the way they are created in prior versions or newer versions, which is always `integer`. Fixes #43168 2021-09-24 01:34:23 +08:00			`* Fix migration compatibility to create SQLite references/belongs_to column as integer when migration version is 6.0.`

			`Reference/belongs_to in migrations with version 6.0 were creating columns as`
			`bigint instead of integer for the SQLite Adapter.`

			`Marcelo Lauxen`

add warning to mysql2 default prepared_statements Co-authored-by: Thiago Araujo <thd.araujo@gmail.com> 2021-09-12 08:08:22 +08:00			* Add a deprecation warning when `prepared_statements` configuration is not
			`set for the mysql2 adapter.`

			`Thiago Araujo and Stefanni Brasil`

Fix `QueryMethods#in_order_of` to handle empty order list Fix: https://github.com/rails/rails/issues/43903 Ref: https://github.com/rails/rails/pull/42061 Simply don't generate the case statement if the order list is empty and fallback to default ordering. 2021-12-17 21:25:48 +08:00			* Fix `QueryMethods#in_order_of` to handle empty order list.

			```ruby
			`Post.in_order_of(:id, []).to_a`
			```

			`Also more explicitly set the column as secondary order, so that any other`
			`value is still ordered.`

			`Jean Boussier`

Properly quote autogenerated column aliases Fix: https://github.com/rails/rails/issues/43878 2021-12-17 18:38:50 +08:00			`* Fix quoting of column aliases generated by calculation methods.`

			`Since the alias is derived from the table name, we can't assume the result`
			`is a valid identifier.`

			```ruby
			`class Test < ActiveRecord::Base`
			`self.table_name = '1abc'`
			`end`
			`Test.group(:id).count`
			`# syntax error at or near "1" (ActiveRecord::StatementInvalid)`
			`# LINE 1: SELECT COUNT(*) AS count_all, "1abc"."id" AS 1abc_id FROM "1...`
			```

			`Jean Boussier`

Add back CHANGELOG entry for `authenticate_by` 2021-12-15 11:47:40 +08:00			* Add `authenticate_by` when using `has_secure_password`.

			`authenticate_by` is intended to replace code like the following, which
			`returns early when a user with a matching email is not found:`

			```ruby
			`User.find_by(email: "...")&.authenticate("...")`
			```

			`Such code is vulnerable to timing-based enumeration attacks, wherein an`
			`attacker can determine if a user account with a given email exists. After`
			`confirming that an account exists, the attacker can try passwords associated`
			`with that email address from other leaked databases, in case the user`
			`re-used a password across multiple sites (a common practice). Additionally,`
			`knowing an account email address allows the attacker to attempt a targeted`
			`phishing ("spear phishing") attack.`

			`authenticate_by` addresses the vulnerability by taking the same amount of
			`time regardless of whether a user with a matching email is found:`

			```ruby
			`User.authenticate_by(email: "...", password: "...")`
			```

			`Jonathan Hefner`


Start Rails 7.1 development 2021-12-07 23:52:30 +08:00			`Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/activerecord/CHANGELOG.md) for previous changes.`