Bump version to 2.41.0

jeremyevans · jeremyevans · commit 42a3682ab72b · 2025-10-08T08:10:21.000-07:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,4 +1,4 @@
-=== master
+=== 2.41.0 (2025-10-08)
 
 * Clear account tokens when an account change is made (jeremyevans)
 
diff --git a/doc/release_notes/2.41.0.txt b/doc/release_notes/2.41.0.txt
@@ -0,0 +1,55 @@
+= Improvements
+
+* When making a change to an account (e.g. changing a login), tokens
+  for the account are now cleared or reset. Previously, if you
+  requested a password reset, then requested a login change, and then
+  changed the login, the password reset link would still be valid
+  after the login change was made, until the password reset token
+  expired (default: 1 day). If the reason you are chaging your login
+  is that you suspect your email may be compromised, you probably
+  wouldn't want the reset password link to still be valid after the
+  login change.
+
+  The following account changes trigger clearing of tokens:
+  
+  * change login
+  * close account
+  * reset password
+  * unlock account
+  * verify account
+  
+  The following account tokens are cleared upon such changes:
+  
+  * active sessions (other than logged in session)
+  * email auth
+  * jwt refresh (if not logged in)
+  * lockout (updates token if it exists)
+  * remember (creates and uses new remember token if logged in via
+    remember token)
+  * reset password
+  * single session (if not logged in)
+  * verify account
+  * verify login change
+
+  This is a more secure default, and it is expected that it will
+  not negatively affect the vast majority of Rodauth installations.
+  However, due to Rodauth's very configurable nature, it is possible
+  it will cause issues for some installations.
+
+= Backwards Compatibility
+
+* If clearing tokens on account change causes problems for your
+  application, you can revert to clearing tokens only on account
+  close:
+
+    clear_tokens do |reason|
+      super(reason) if reason == :close_account
+    end
+
+* If you were calling after_close_account directly to clear tokens,
+  you should now also call:
+
+    clear_tokens(:close_account)
+
+  As some token clearing now occurs in clear_tokens and not in
+  after_close_account.
diff --git a/lib/rodauth/version.rb b/lib/rodauth/version.rb
@@ -6,7 +6,7 @@ module Rodauth
   MAJOR = 2
 
   # The minor version of Rodauth, updated for new feature releases of Rodauth.
-  MINOR = 40
+  MINOR = 41
 
   # The patch version of Rodauth, updated only for bug fixes from the last
   # feature release.

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-=== master`
	`1`	`+=== 2.41.0 (2025-10-08)`
`2`	`2`
`3`	`3`	`* Clear account tokens when an account change is made (jeremyevans)`
`4`	`4`