Releases: basecamp/google_sign_in

v1.3.1

29 Aug 17:09
e7f2a9a

Security

  • If flash[:proceed_to] is a protocol-relative URI, the callback controller will now raise a Violation exception. Previously it was possible to use a protocol-relative URI to redirect the user to another origin. See GHSA-5jch-xhw4-r43v for more information. Resolves CVE-2025-58067 #75 @flavorjones

v1.3.0

27 Aug 15:58
e206b0a

Security

  • If flash[:proceed_to] is a malformed URL, the callback controller will now raise a Violation exception. Previously it was possible to craft a malformed URL to redirect the user to another origin. See GHSA-7pwc-wh6m-44q3 for more information. Resolves CVE-2025-57821 #73 @flavorjones
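The two security entries above both concern the same check: the value the gem redirects to after a verified callback must stay on the application's own origin. The following is an added example, not the gem's code: a stand-alone validator that rejects a malformed URL (the v1.3.0 case), a protocol-relative URI (the v1.3.1 case) and any absolute URL on a different origin. The names `Violation`, `validate_proceed_to` and `request_origin` are assumed for this example.

```ruby
require "uri"

# Assumed stand-in for the gem's Violation exception; the real class lives in the gem.
class Violation < StandardError; end

# Returns proceed_to unchanged when it is safe to redirect to, otherwise raises Violation.
# request_origin is the origin of the current request, e.g. "https://app.example.com".
def validate_proceed_to(proceed_to, request_origin)
  raise Violation, "proceed_to is blank" if proceed_to.nil? || proceed_to.strip.empty?

  # A protocol-relative URI ("//evil.example/...") keeps the scheme but swaps the host,
  # so the browser would leave the origin. Browsers also treat "\" like "/" here,
  # so reject those spellings too. URI.parse would accept these, hence the explicit check.
  if proceed_to.lstrip.start_with?("//", "/\\", "\\/", "\\\\")
    raise Violation, "proceed_to is a protocol-relative URI"
  end

  begin
    target = URI.parse(proceed_to)
  rescue URI::InvalidURIError
    # Malformed input must not reach redirect_to at all.
    raise Violation, "proceed_to is not a valid URI"
  end

  # A plain path ("/dashboard") has neither scheme nor host and stays on this origin.
  return proceed_to if target.scheme.nil? && target.host.nil? && proceed_to.start_with?("/")

  # Anything else must be an http(s) URL whose scheme, host and port all match ours.
  origin = URI.parse(request_origin)
  same_origin = %w[http https].include?(target.scheme) &&
                target.scheme == origin.scheme &&
                target.host == origin.host &&
                target.port == origin.port
  raise Violation, "proceed_to points to another origin" unless same_origin

  proceed_to
end
```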

Improved

  • Configurable authorize_url so we can pass disallow_webview=true. #65 @jeremy
  • Clear entries from the session after verified callbacks. #66 @jorgemanrubia

v1.2.1

06 Dec 08:23
@dhh dhh

What's Changed

Full Changelog: v1.2.0...v1.2.1

v1.2.0

23 May 15:53
@dhh dhh

Bring released gem in line with latest source.

v1.1.2

22 Oct 18:30

  • Upgrades to a newer Google token endpoint to fix that ID tokens sometimes didn’t contain name or avatar URL data even when it was available (095bbcf)

v1.1.1

27 Sep 16:03

  • Prepends routes instead of appending them to accommodate catch-all routes (52f71b3)

v1.1.0

14 Sep 16:27

  • Adds GoogleSignIn::Identity#hosted_domain (#15)
  • Increases the size of the OAuth state token, which protects against cross-site request forgery, on Google’s recommendation (c2a122a)

v1.0.2

12 Sep 17:28

  • Generates a local form to keep Rails UJS from handling redirects to Google (5338fbe)

v1.0.1

10 Sep 22:09

  • Avoids logging authorization codes from request parameters (605f35f)

v1.0.0

09 Sep 21:24

Switches from Google’s JS Platform Library to server-side OAuth 2.0 (#13). This fixes signing in with third-party cookies disabled, or with a tracker-blocker restricting Google’s JS.

  • Previous versions of this gem required setting GoogleSignIn::Identity.client_id in an initializer. Instead, you’ll now provide an OAuth 2.0 client ID and client secret. See the README for details.

  • The google_sign_in helper has been replaced by google_sign_in_button:

    <%= google_sign_in_button 'Sign in with my Google account', proceed_to: create_login_url %>
    
    <%= google_sign_in_button image_tag('google_logo.png', alt: 'Google'), proceed_to: create_login_url %>
    
    <%= google_sign_in_button proceed_to: create_login_url do %>
      Sign in with my <%= image_tag('google_logo.png', alt: 'Google') %> account
    <% end %>

    The proceed_to argument is required. After authenticating with Google, the gem redirects to proceed_to, providing a Google ID token in flash[:google_sign_in_token]. See the README for examples.

  • <%= yield :head %> is no longer required. The gem no longer injects a <script> tag that loads the Google Platform Library.