mikker · mikker · Sep 7, 2023 · Jun 21, 2023 · Jun 21, 2023 · Jun 21, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@
 
 ### Breaking changes
 
+This major release of Passwordless changes a lot of things and it is almost guaranteed that you will need to change your code to upgrade to this version.
+
+**Note** that there is no _need_ to upgrade. The previous versions of Passwordless will continue to work for the foreseeable future.
+
+The flow is now:
+
+1. User enters email
+1. User is presented with a token input page
+1. User enters token OR clicks link in email
+1. User is signed in
+
 #### 1. Upgrade your database
 
 If you're already running Passwordless, you'll need to update your database schema.
@@ -27,35 +38,39 @@ class UpgradePassswordless < ActiveRecord::Migration[7.0]
 end
 ```
 
-#### 2. Encrypted tokens
+#### 2. Move configuration to `Passwordless.config`
 
-Tokens are now encrypted in the database.
+Passwordless is now configured like this. In `config/initializers/passwordless.rb`:
 
-#### 3. Un-isolated namespace
+```ruby
+Passwordless.configure do |config|
+ config.default_from_address = "[email protected]"
+end
+```
 
-Passwordless no longer [_isolates namespace_](https://guides.rubyonrails.org/engines.html#routes).
+#### 3. Update your views (if you have customized them)
 
-1. Update all your links with eg. `users.sign_in_path` to `users_sign_in_path`
-1. Remove all links with `main_app.whatever_path` to just `whatever_path`
+The existing views have changed and a new one has been added. Regenerate them using `rails generate passwordless:views`.
 
-#### 4. Remove deprecated methods and helpers
+#### 4. Un-isolated namespace
 
-Removes `authenticate_by_cookie` and `upgrade_passwordless_cookie` from controller helpers.
+Passwordless no longer [_isolates namespace_](https://guides.rubyonrails.org/engines.html#routes).
+
+1. Change all your links with eg. `users.sign_in_path` to `users_sign_in_path`
+1. Change all links with `main_app.whatever_path` to just `whatever_path`
 
 #### 5. Stop collecting PII
 
 Passwordless no longer collects users' IP addresses. If you need this information, you can
 add it to your `after_session_save` callback.
 
-#### 6. Move configuration to `Passwordless.config`
+#### 6. Encrypted tokens
 
-Passwordless is now configured like this. In `config/initializers/passwordless.rb`:
+Tokens are now stored encrypted in the database. This means that any tokens that were generated with a previous version of Passwordless will no longer work.
 
-```ruby
-Passwordless.configure do |config|
- config.default_from_address = "[email protected]"
-end
-```
+#### 7. Remove deprecated methods and helpers
+
+Removes `authenticate_by_cookie` and `upgrade_passwordless_cookie` from controller helpers.
 
 ### Added
 

diff --git a/Gemfile b/Gemfile
@@ -1,7 +1,16 @@
-# frozen_string_literal: true
-
 source "https://rubygems.org"
 
 gemspec
 
-gem "codecov", require: false, group: :test
+gem "erb-formatter"
+gem "pry"
+gem "puma"
+gem "sqlite3"
+gem "yard"
+
+group :test do
+ gem "capybara", require: false
+ gem "codecov", require: false
+ gem "minitest"
+ gem "rails-controller-testing"
+end