devise-jdguyot 1.2.rc2 → 1.2.rc3

data/.travis.yml

@@ -0,0 +1 @@
+script: "rake test"

data/CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+* bug fix
+  * Properly ignore path prefix on omniauthable
+  * Faster uniqueness queries
+
+== 1.2.rc2
+
 * enhancements
   * Make friendly_token 20 chars long
   * Use secure_compare
@@ -12,10 +18,19 @@
   * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
   * Ensure stateless token does not trigger timeout (by github.com/pixelauthority)
   * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
+  * Consider namespaces while generating routes
+  * Custom failure apps no longer ignored in test mode (by github.com/jaghion)
+  * Do not depend on ActiveModel::Dirty
+  * Manual sign_in now triggers remember token
+  * Be sure to halt strategies on failures
+  * Consider SCRIPT_NAME on Omniauth paths
+  * Reset failed attempts when lock is expired
+  * Ensure there is no Mongoid injection
 
 * deprecations
   * Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
   * Removed --haml and --slim view templates
+  * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode
 
 == 1.2.rc
 

data/Gemfile

@@ -3,8 +3,8 @@ source "http://rubygems.org"
 gemspec
 
 gem "rails", "~> 3.0.4"
-gem "oa-oauth", :require => "omniauth/oauth"
-gem "oa-openid", :require => "omniauth/openid"
+gem "oa-oauth", '~> 0.2.0', :require => "omniauth/oauth"
+gem "oa-openid", '~> 0.2.0', :require => "omniauth/openid"
 
 group :test do
   gem "webrat", "0.7.2", :require => false
@@ -24,6 +24,6 @@ platforms :ruby do
   group :mongoid do
     gem "mongo", "1.1.2"
     gem "mongoid", "2.0.0.beta.20"
-    gem "bson_ext", "1.1.2"
+    gem "bson_ext", "1.2.1"
   end
 end

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise-jdguyot (1.2.rc)
+    devise-jdguyot (1.2.rc3)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)
@@ -10,12 +10,12 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.4)
-      actionpack (= 3.0.4)
+    actionmailer (3.0.5)
+      actionpack (= 3.0.5)
       mail (~> 2.2.15)
-    actionpack (3.0.4)
-      activemodel (= 3.0.4)
-      activesupport (= 3.0.4)
+    actionpack (3.0.5)
+      activemodel (= 3.0.5)
+      activesupport (= 3.0.5)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4)
@@ -23,32 +23,37 @@ GEM
       rack-mount (~> 0.6.13)
       rack-test (~> 0.5.7)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.4)
-      activesupport (= 3.0.4)
+    activemodel (3.0.5)
+      activesupport (= 3.0.5)
       builder (~> 2.1.2)
       i18n (~> 0.4)
-    activerecord (3.0.4)
-      activemodel (= 3.0.4)
-      activesupport (= 3.0.4)
+    activerecord (3.0.5)
+      activemodel (= 3.0.5)
+      activesupport (= 3.0.5)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
-    activeresource (3.0.4)
-      activemodel (= 3.0.4)
-      activesupport (= 3.0.4)
-    activesupport (3.0.4)
+    activerecord-jdbc-adapter (1.1.1)
+    activerecord-jdbcsqlite3-adapter (1.1.1)
+      activerecord-jdbc-adapter (= 1.1.1)
+      jdbc-sqlite3 (~> 3.6.0)
+    activeresource (3.0.5)
+      activemodel (= 3.0.5)
+      activesupport (= 3.0.5)
+    activesupport (3.0.5)
     addressable (2.2.4)
-    arel (2.0.8)
+    arel (2.0.9)
     bcrypt-ruby (2.1.4)
-    bson (1.2.2)
-    bson_ext (1.1.2)
+    bson (1.2.4)
+    bson_ext (1.2.1)
     builder (2.1.2)
     erubis (2.6.6)
       abstract (>= 1.0.0)
-    faraday (0.5.6)
+    faraday (0.5.7)
       addressable (~> 2.2.4)
       multipart-post (~> 1.1.0)
       rack (>= 1.1.0, < 2)
     i18n (0.5.0)
+    jdbc-sqlite3 (3.6.14.2.056-java)
     mail (2.2.15)
       activesupport (>= 2.3.6)
       i18n (>= 0.4.0)
@@ -66,16 +71,18 @@ GEM
     multi_json (0.0.5)
     multipart-post (1.1.0)
     nokogiri (1.4.4)
-    oa-core (0.1.6)
+    nokogiri (1.4.4-java)
+      weakling (>= 0.0.3)
+    oa-core (0.2.0)
       rack (~> 1.1)
-    oa-oauth (0.1.6)
+    oa-oauth (0.2.0)
       multi_json (~> 0.0.2)
       nokogiri (~> 1.4.2)
-      oa-core (= 0.1.6)
+      oa-core (= 0.2.0)
       oauth (~> 0.4.0)
-      oauth2 (~> 0.1.0)
-    oa-openid (0.1.6)
-      oa-core (= 0.1.6)
+      oauth2 (~> 0.1.1)
+    oa-openid (0.2.0)
+      oa-core (= 0.2.0)
       rack-openid (~> 1.2.0)
       ruby-openid-apps-discovery
     oauth (0.4.4)
@@ -84,7 +91,7 @@ GEM
       multi_json (~> 0.0.4)
     orm_adapter (0.0.4)
     polyglot (0.3.1)
-    rack (1.2.1)
+    rack (1.2.2)
     rack-mount (0.6.13)
       rack (>= 1.0.0)
     rack-openid (1.2.0)
@@ -92,17 +99,17 @@ GEM
       ruby-openid (>= 2.1.8)
     rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.4)
-      actionmailer (= 3.0.4)
-      actionpack (= 3.0.4)
-      activerecord (= 3.0.4)
-      activeresource (= 3.0.4)
-      activesupport (= 3.0.4)
+    rails (3.0.5)
+      actionmailer (= 3.0.5)
+      actionpack (= 3.0.5)
+      activerecord (= 3.0.5)
+      activeresource (= 3.0.5)
+      activesupport (= 3.0.5)
       bundler (~> 1.0)
-      railties (= 3.0.4)
-    railties (3.0.4)
-      actionpack (= 3.0.4)
-      activesupport (= 3.0.4)
+      railties (= 3.0.5)
+    railties (3.0.5)
+      actionpack (= 3.0.5)
+      activesupport (= 3.0.5)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
@@ -115,9 +122,10 @@ GEM
     thor (0.14.6)
     treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.24)
+    tzinfo (0.3.25)
     warden (1.0.3)
       rack (>= 1.0.0)
+    weakling (0.0.4-java)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
@@ -125,17 +133,18 @@ GEM
     will_paginate (3.0.pre2)
 
 PLATFORMS
+  java
   ruby
 
 DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
-  bson_ext (= 1.1.2)
+  bson_ext (= 1.2.1)
   devise-jdguyot!
   mocha
   mongo (= 1.1.2)
   mongoid (= 2.0.0.beta.20)
-  oa-oauth
-  oa-openid
+  oa-oauth (~> 0.2.0)
+  oa-openid (~> 0.2.0)
   rails (~> 3.0.4)
   sqlite3-ruby
   webrat (= 0.7.2)

data/app/controllers/devise/omniauth_callbacks_controller.rb

@@ -9,18 +9,18 @@ class Devise::OmniauthCallbacksController < ApplicationController
   protected
 
   def failed_strategy
-    env["omniauth.failed_strategy"]
+    env["omniauth.error.strategy"]
   end
 
   def failure_message
     exception = env["omniauth.error"]
     error   = exception.error_reason if exception.respond_to?(:error_reason)
     error ||= exception.error        if exception.respond_to?(:error)
-    error ||= env["omniauth.failure_key"]
+    error ||= env["omniauth.error.type"].to_s
     error.to_s.humanize if error
   end
 
   def after_omniauth_failure_path_for(scope)
     new_session_path(scope)
   end
-end
+end

data/app/helpers/devise_helper.rb

@@ -1,4 +1,10 @@
 module DeviseHelper
+  # A simple way to show error messages for the current devise resource. If you need
+  # to customize this method, you can either overwrite it in your application helpers or
+  # copy the views to your application.
+  #
+  # This method is intended to stay simple and it is unlikely that we are going to change
+  # it to add more behavior or options.
   def devise_error_messages!
     return "" if resource.errors.empty?
 

data/config/locales/en.yml

@@ -1,3 +1,5 @@
+# Additional translations at http://github.com/plataformatec/devise/wiki/I18n
+
 en:
   errors:
     messages:

data/lib/devise.rb

@@ -14,6 +14,7 @@ module Devise
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
     autoload :InternalHelpers, 'devise/controllers/internal_helpers'
+    autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
@@ -69,9 +70,9 @@ module Devise
   @@request_keys = []
 
   # Keys that should be case-insensitive.
-  # Empty by default for backwards compatibility.
+  # False by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = []
+  @@case_insensitive_keys = false
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -381,8 +382,7 @@ module Devise
 
   # constant-time comparison algorithm to prevent timing attacks
   def self.secure_compare(a, b)
-    return false unless a.present? && b.present?
-    return false unless a.bytesize == b.bytesize
+    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
     l = a.unpack "C#{a.bytesize}"
 
     res = 0

data/lib/devise/controllers/rememberable.rb

@@ -0,0 +1,52 @@
+module Devise
+  module Controllers
+    # A module that may be optionally included in a controller in order
+    # to provide remember me behavior.
+    module Rememberable
+      # Return default cookie values retrieved from session options.
+      def self.cookie_values
+        Rails.configuration.session_options.slice(:path, :domain, :secure)
+      end
+
+      # A small warden proxy so we can remember and forget uses from hooks.
+      class Proxy #:nodoc:
+        include Devise::Controllers::Rememberable
+
+        delegate :cookies, :env, :to => :@warden
+
+        def initialize(warden)
+          @warden = warden
+        end
+      end
+
+      # Remembers the given resource by setting up a cookie
+      def remember_me(resource)
+        scope = Devise::Mapping.find_scope!(resource)
+        resource.remember_me!(resource.extend_remember_period)
+        cookies.signed["remember_#{scope}_token"] = remember_cookie_values(resource)
+      end
+
+      # Forgets the given resource by deleting a cookie
+      def forget_me(resource)
+        scope = Devise::Mapping.find_scope!(resource)
+        resource.forget_me! unless resource.frozen?
+        cookies.delete("remember_#{scope}_token", forget_cookie_values(resource))
+      end
+
+      protected
+
+      def forget_cookie_values(resource)
+        Devise::Controllers::Rememberable.cookie_values.merge!(resource.cookie_options)
+      end
+
+      def remember_cookie_values(resource)
+        options = { :httponly => true }
+        options.merge!(forget_cookie_values(resource))
+        options.merge!(
+          :value => resource.class.serialize_into_cookie(resource),
+          :expires => resource.remember_expires_at
+        )
+      end
+    end
+  end
+end

data/lib/devise/hooks/forgetable.rb

@@ -4,9 +4,6 @@
 # This avoids forgetting deleted users.
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
-    record.forget_me! unless record.frozen?
-    cookie_options = Rails.configuration.session_options.slice(:path, :domain, :secure)
-    cookie_options.merge!(record.cookie_options)
-    warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
+    Devise::Controllers::Rememberable::Proxy.new(warden).forget_me(record)
   end
 end

data/lib/devise/hooks/rememberable.rb

@@ -1,48 +1,6 @@
-module Devise
-  module Hooks
-    # Overwrite success! in authentication strategies allowing users to be remembered.
-    # We choose to implement this as an strategy hook instead of a warden hook to allow a specific
-    # strategy (like token authenticatable or facebook authenticatable) to turn off remember_me?
-    # cookies.
-    module Rememberable #:nodoc:
-      def success!(resource)
-        super
-
-        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
-          resource.remember_me!(extend_remember_period?)
-          cookies.signed["remember_#{scope}_token"] = cookie_values(resource)
-        end
-      end
-
-    protected
-
-      def cookie_values(resource)
-        options = Rails.configuration.session_options.slice(:path, :domain, :secure)
-        options[:httponly] = true
-
-        options.merge!(resource.cookie_options)
-        options.merge!(
-          :value => resource.class.serialize_into_cookie(resource),
-          :expires => resource.remember_expires_at
-        )
-
-        options
-      end
-
-      def succeeded?
-        @result == :success
-      end
-
-      def extend_remember_period?
-        false
-      end
-
-      def remember_me?
-        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
-      end
-    end
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  scope = options[:scope]
+  if record.respond_to?(:remember_me) && record.remember_me && warden.authenticated?(scope)
+    Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
   end
-end
-
-Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable
-
+end

data/lib/devise/models/authenticatable.rb

@@ -100,7 +100,8 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
-          case_insensitive_keys.each { |k| conditions[k].try(:downcase!) }
+          filter_auth_params(conditions)
+          (case_insensitive_keys || []).each { |k| conditions[k].try(:downcase!) }
           to_adapter.find_first(conditions)
         end
 
@@ -111,13 +112,13 @@ module Devise
 
         # Find an initialize a group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          case_insensitive_keys.each { |k| attributes[k].try(:downcase!) }
+          (case_insensitive_keys || []).each { |k| attributes[k].try(:downcase!) }
           
           attributes = attributes.slice(*required_attributes)
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = to_adapter.find_first(attributes)
+            record = to_adapter.find_first(filter_auth_params(attributes))
           end
           
           unless record
@@ -133,6 +134,15 @@ module Devise
           record
         end
 
+        protected
+
+        # Force keys to be string to avoid injection on mongoid related database.
+        def filter_auth_params(conditions)
+          conditions.each do |k, v|
+            conditions[k] = v.to_s
+          end if conditions.is_a?(Hash)
+        end
+
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)
           loop do

data/lib/devise/models/database_authenticatable.rb

@@ -78,7 +78,7 @@ module Devise
 
       # Downcase case-insensitive keys
       def downcase_keys
-        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
+        (self.class.case_insensitive_keys || []).each { |k| self[k].try(:downcase!) }
       end
 
       # Digests the password using bcrypt.

data/lib/devise/models/lockable.rb

@@ -36,12 +36,10 @@ module Devise
 
       # Unlock a user by cleaning locket_at and failed_attempts.
       def unlock_access!
-        if_access_locked do
-          self.locked_at = nil
-          self.failed_attempts = 0 if respond_to?(:failed_attempts=)
-          self.unlock_token = nil  if respond_to?(:unlock_token=)
-          save(:validate => false)
-        end
+        self.locked_at = nil
+        self.failed_attempts = 0 if respond_to?(:failed_attempts=)
+        self.unlock_token = nil  if respond_to?(:unlock_token=)
+        save(:validate => false)
       end
 
       # Verifies whether a user is locked or not.
@@ -77,6 +75,10 @@ module Devise
       def valid_for_authentication?
         return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
 
+        # Unlock the user if the lock is expired, no matter
+        # if the user can login or not (wrong password, etc)
+        unlock_access! if lock_expired?
+
         case (result = super)
         when Symbol
           return result

data/lib/devise/models/rememberable.rb

@@ -44,10 +44,7 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      included do
-        # Remember me option available in after_authentication hook.
-        attr_accessor :remember_me
-      end
+      attr_accessor :remember_me, :extend_remember_period
 
       # Generate a new remember token and save the record without validations
       # unless remember_across_browsers is true and the user already has a valid token.
@@ -60,7 +57,7 @@ module Devise
       # Removes the remember token only if it exists, and save the record
       # without validations.
       def forget_me!
-        self.remember_token = nil if respond_to?(:remember_token)
+        self.remember_token = nil if respond_to?(:remember_token=)
         self.remember_created_at = nil
         save(:validate => false)
       end

data/lib/devise/models/validatable.rb

@@ -24,7 +24,7 @@ module Devise
         base.class_eval do
           validates_presence_of   :email, :if => :email_required?
           validates_uniqueness_of :email, :scope => authentication_keys[1..-1],
-            :case_sensitive => case_insensitive_keys.exclude?(:email), :allow_blank => true
+            :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|

data/lib/devise/omniauth.rb

@@ -5,29 +5,14 @@ rescue LoadError => e
   raise
 end
 
-module OmniAuth
-  # TODO HAXES Backport to OmniAuth
-  module Strategy #:nodoc:
-    def initialize(app, name, *args)
-      @app = app
-      @name = name.to_sym
-      @options = args.last.is_a?(Hash) ? args.pop : {}
-      yield self if block_given?
-    end
-
-    def fail!(message_key, exception = nil)
-      self.env['omniauth.error'] = exception
-      self.env['omniauth.failure_key'] = message_key
-      self.env['omniauth.failed_strategy'] = self
-      OmniAuth.config.on_failure.call(self.env, message_key.to_sym)
-    end
-  end
+unless OmniAuth.config.respond_to? :test_mode
+  raise "You are using an old OmniAuth version, please ensure you have 0.2.0.beta version or later installed."
 end
 
 # Clean up the default path_prefix. It will be automatically set by Devise.
 OmniAuth.config.path_prefix = nil
 
-OmniAuth.config.on_failure = Proc.new do |env, key|
+OmniAuth.config.on_failure = Proc.new do |env|
   env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
   controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
   controller_klass.constantize.action(:failure).call(env)

data/lib/devise/omniauth/config.rb

@@ -13,18 +13,6 @@ module Devise
       def strategy_class
         ::OmniAuth::Strategies.const_get("#{::OmniAuth::Utils.camelize(@provider.to_s)}")
       end
-
-      def check_if_allow_stubs!
-        raise "OmniAuth strategy for #{@provider} does not allow stubs, only OAuth2 ones do." unless allow_stubs?
-      end
-
-      def allow_stubs?
-        defined?(::OmniAuth::Strategies::OAuth2) && strategy.is_a?(::OmniAuth::Strategies::OAuth2)
-      end
-
-      def build_connection(&block)
-        strategy.client.connection.build(&block)
-      end
     end
   end
 end     

data/lib/devise/omniauth/url_helpers.rb

@@ -7,7 +7,11 @@ module Devise
         class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
           def #{mapping.name}_omniauth_authorize_path(provider, params = {})
             if Devise.omniauth_configs[provider.to_sym]
-              "/#{mapping.path}/auth/\#{provider}\#{'?'+params.to_param if params.present?}"
+              script_name = request.env["SCRIPT_NAME"]
+
+              path = "\#{script_name}/#{mapping.path}/auth/\#{provider}\".squeeze("/")
+              path << '?' + params.to_param if params.present?
+              path
             else
               raise ArgumentError, "Could not find omniauth provider \#{provider.inspect}"
             end
@@ -26,4 +30,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/rails/routes.rb

@@ -263,7 +263,8 @@ module ActionDispatch::Routing
       end
 
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
-        path_prefix = "/#{mapping.path}/auth"
+        path, @scope[:path] = @scope[:path], nil
+        path_prefix = "/#{mapping.path}/auth".squeeze("/")
 
         if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
           warn "[DEVISE] You can only add :omniauthable behavior to one model."
@@ -271,8 +272,10 @@ module ActionDispatch::Routing
           ::OmniAuth.config.path_prefix = path_prefix
         end
 
-        match "/auth/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
+        match "#{path_prefix}/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
           :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
+      ensure
+        @scope[:path] = path
       end
 
       def with_devise_exclusive_scope(new_path, new_as) #:nodoc:

data/lib/devise/strategies/authenticatable.rb

@@ -19,13 +19,27 @@ module Devise
         result = resource && resource.valid_for_authentication?(&block)
 
         case result
-        when Symbol, String
+        when String, Symbol
           fail!(result)
+          false
+        when TrueClass
+          decorate(resource)
+          true
         else
           result
         end
       end
 
+      # Get values from params and set in the resource.
+      def decorate(resource)
+        resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
+      end
+
+      # Should this resource be marked to be remembered?
+      def remember_me?
+        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+
       # Check if this is strategy is valid for http authentication by:
       #
       #   * Validating if the model allows params authentication;

data/lib/devise/strategies/database_authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid)
         end
       end

data/lib/devise/strategies/rememberable.rb

@@ -20,7 +20,7 @@ module Devise
 
         if validate(resource)
           success!(resource)
-        else
+        elsif !halted?
           cookies.delete(remember_key)
           pass
         end
@@ -28,6 +28,11 @@ module Devise
 
     private
 
+      def decorate(resource)
+        super
+        resource.extend_remember_period = mapping.to.extend_remember_period if resource.respond_to?(:extend_remember_period=)
+      end
+
       def remember_me?
         true
       end
@@ -36,10 +41,6 @@ module Devise
         "remember_#{scope}_token"
       end
 
-      def extend_remember_period?
-        mapping.to.extend_remember_period
-      end
-
       # Accessor for remember cookie
       def remember_cookie
         @remember_cookie ||= cookies.signed[remember_key]

data/lib/devise/strategies/token_authenticatable.rb

@@ -20,7 +20,7 @@ module Devise
         if validate(resource)
           resource.after_token_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid_token)
         end
       end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.2.rc2".freeze
+  VERSION = "1.2.rc3".freeze
 end

data/lib/generators/devise/devise_generator.rb

@@ -10,7 +10,9 @@ module Devise
       hook_for :orm
 
       def add_devise_routes
-        route "devise_for :#{table_name}"
+        devise_route  = "devise_for :#{plural_name}"
+        devise_route += %Q(, :class_name => "#{class_name}") if class_name.include?("::")
+        route devise_route
       end
     end
   end

data/test/devise_test.rb

@@ -62,4 +62,14 @@ class DeviseTest < ActiveSupport::TestCase
     assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
     assert defined?(Devise::Models::AuthenticatableAgain)
   end
+  
+  test 'should complain when comparing empty or different sized passes' do
+    [nil, ""].each do |empty|
+      assert_not Devise.secure_compare(empty, "something")
+      assert_not Devise.secure_compare("something", empty)
+      assert_not Devise.secure_compare(empty, empty)
+    end
+    assert_not Devise.secure_compare("size_1", "size_four")
+  end
+  
 end

data/test/generators/devise_generator_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+require "generators/devise/devise_generator"
+
+class DeviseGeneratorTest < Rails::Generators::TestCase
+  tests Devise::Generators::DeviseGenerator
+  destination File.expand_path("../../tmp", __FILE__)
+
+  setup do
+    prepare_destination
+    copy_routes
+  end
+
+  test "route generation for simple model names" do
+    run_generator %w(monster name:string)
+    assert_file "config/routes.rb", /devise_for :monsters/
+  end
+
+  test "route generation for namespaced model names" do
+    run_generator %w(monster/goblin name:string)
+    match = /devise_for :goblins, :class_name => "Monster::Goblin"/
+    assert_file "config/routes.rb", match
+  end
+
+  def copy_routes
+    routes = File.expand_path("../../rails_app/config/routes.rb", __FILE__)
+    destination = File.join(destination_root, "config")
+
+    FileUtils.mkdir_p(destination)
+    FileUtils.cp routes, destination
+  end
+
+end

data/test/integration/omniauthable_test.rb

@@ -2,32 +2,42 @@ require 'test_helper'
 
 class OmniauthableIntegrationTest < ActionController::IntegrationTest
   FACEBOOK_INFO = {
-    :id => '12345',
-    :link => 'http://facebook.com/josevalim',
-    :email => 'user@example.com',
-    :first_name => 'Jose',
-    :last_name => 'Valim',
-    :website => 'http://blog.plataformatec.com.br'
-  }
-
-  ACCESS_TOKEN = {
-    :access_token => "plataformatec"
+    "id" => '12345',
+    "link" => 'http://facebook.com/josevalim',
+    "email" => 'user@example.com',
+    "first_name" => 'Jose',
+    "last_name" => 'Valim',
+    "website" => 'http://blog.plataformatec.com.br'
   }
 
   setup do
+    OmniAuth.config.test_mode = true
     stub_facebook!
-    Devise::OmniAuth.short_circuit_authorizers!
   end
 
   teardown do
-    Devise::OmniAuth.unshort_circuit_authorizers!
-    Devise::OmniAuth.reset_stubs!
+    OmniAuth.config.test_mode = false
   end
 
   def stub_facebook!
-    Devise::OmniAuth.stub!(:facebook) do |b|
-      b.post('/oauth/access_token') { [200, {}, ACCESS_TOKEN.to_json] }
-      b.get('/me?access_token=plataformatec') { [200, {}, FACEBOOK_INFO.to_json] }
+    OmniAuth.config.mock_auth[:facebook] = {
+      "uid" => '12345',
+      "provider" => 'facebook',
+      "user_info" => {"nickname" => 'josevalim'},
+      "credentials" => {"token" => 'plataformatec'},
+      "extra" => {"user_hash" => FACEBOOK_INFO}
+    }
+  end
+
+  def stub_action!(name)
+    Users::OmniauthCallbacksController.class_eval do
+      alias_method :__old_facebook, :facebook
+      alias_method :facebook, name
+    end
+    yield
+  ensure
+    Users::OmniauthCallbacksController.class_eval do
+      alias_method :facebook, :__old_facebook
     end
   end
 
@@ -40,11 +50,11 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert_equal "12345",         json["uid"]
     assert_equal "facebook",      json["provider"]
     assert_equal "josevalim",     json["user_info"]["nickname"]
-    assert_equal FACEBOOK_INFO,   json["extra"]["user_hash"].symbolize_keys
+    assert_equal FACEBOOK_INFO,   json["extra"]["user_hash"]
     assert_equal "plataformatec", json["credentials"]["token"]
   end
 
-  test "cleans up session on sign up" do  
+  test "cleans up session on sign up" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
       click_link "Sign in with Facebook"
@@ -65,7 +75,7 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert_not session["devise.facebook_data"]
   end
 
-  test "cleans up session on cancel" do  
+  test "cleans up session on cancel" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
       click_link "Sign in with Facebook"
@@ -76,7 +86,7 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert !session["devise.facebook_data"]
   end
 
-  test "cleans up session on sign in" do  
+  test "cleans up session on sign in" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
       click_link "Sign in with Facebook"
@@ -87,16 +97,37 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert !session["devise.facebook_data"]
   end
 
+  test "sign in and send remember token if configured" do
+    visit "/users/sign_in"
+    click_link "Sign in with Facebook"
+    assert_nil warden.cookies["remember_user_token"]
+
+    stub_action!(:sign_in_facebook) do
+      create_user
+      visit "/users/sign_in"
+      click_link "Sign in with Facebook"
+      assert warden.authenticated?(:user)
+      assert warden.cookies["remember_user_token"]
+    end
+  end
+
+  test "generates a proper link when SCRIPT_NAME is set" do
+    header 'SCRIPT_NAME', '/q'
+    visit "/users/sign_in"
+    click_link "Sign in with Facebook"
+
+    assert_equal '/q/users/auth/facebook', current_url
+  end
+
   test "handles callback error parameter according to the specification" do
+    OmniAuth.config.mock_auth[:facebook] = :access_denied
     visit "/users/auth/facebook/callback?error=access_denied"
     assert_current_url "/users/sign_in"
     assert_contain 'Could not authorize you from Facebook because "Access denied".'
   end
 
   test "handles other exceptions from omniauth" do
-    Devise::OmniAuth.stub!(:facebook) do |b|
-      b.post('/oauth/access_token') { [401, {}, {}.to_json] }
-    end
+    OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
     visit "/users/sign_in"
     click_link "Sign in with facebook"
@@ -104,4 +135,4 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert_current_url "/users/sign_in"
     assert_contain 'Could not authorize you from Facebook because "Invalid credentials".'
   end
-end
+end

data/test/integration/rememberable_test.rb

@@ -30,7 +30,7 @@ class RememberMeTest < ActionController::IntegrationTest
   def cookie_expires(key)
     cookie  = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
     expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
-    Time.parse(expires)
+    Time.parse(expires).utc
   end
 
   test 'do not remember the user if he has not checked remember me option' do
@@ -161,7 +161,6 @@ class RememberMeTest < ActionController::IntegrationTest
 
     get users_path
     assert_not warden.authenticated?(:user)
-    assert_nil warden.cookies['remember_user_token']
   end
 
   test 'do not remember the admin anymore after forget' do
@@ -171,11 +170,11 @@ class RememberMeTest < ActionController::IntegrationTest
 
     get destroy_admin_session_path
     assert_not warden.authenticated?(:admin)
+    assert_nil admin.reload.remember_token
     assert_nil warden.cookies['remember_admin_token']
 
     get root_path
     assert_not warden.authenticated?(:admin)
-    assert_nil warden.cookies['remember_admin_token']
   end
 
   test 'changing user password expires remember me token' do

data/test/integration/token_authenticatable_test.rb

@@ -89,6 +89,22 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'should not be subject to injection' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user1 = create_user_with_authentication_token()
+
+      # Clean up user cache
+      @user = nil
+
+      user2 = create_user_with_authentication_token(:email => "another@test.com")
+      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
+
+      assert_not_equal user1, user2
+      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
+      assert_nil warden.user(:user) 
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})
@@ -107,7 +123,7 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
       user
     end
 
-    def create_user_with_authentication_token(options)
+    def create_user_with_authentication_token(options={})
       user = create_user(options)
       user.authentication_token = VALID_AUTHENTICATION_TOKEN
       user.save
@@ -117,4 +133,5 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     def get_users_path_as_existing_user(user)
       sign_in_as_new_user_with_token(:user => user)
     end
+
 end

data/test/models/lockable_test.rb

@@ -67,12 +67,6 @@ class LockableTest < ActiveSupport::TestCase
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test 'should not unlock an unlocked user' do
-    user = create_user
-    assert_not user.unlock_access!
-    assert_match "was not locked", user.errors[:email].join
-  end
-
   test "new user should not be locked and should have zero failed_attempts" do
     assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
@@ -201,4 +195,31 @@ class LockableTest < ActiveSupport::TestCase
     assert_not user.access_locked?
     assert_equal 'was not locked', user.errors[:email].join
   end
+
+  test 'should unlock account if lock has expired and increase attempts on failure' do
+    swap Devise, :unlock_in => 1.minute do
+      user = create_user
+      user.confirm!
+
+      user.failed_attempts = 2
+      user.locked_at = 2.minutes.ago
+
+      user.valid_for_authentication? { false }
+      assert_equal 1, user.failed_attempts
+    end
+  end
+
+  test 'should unlock account if lock has expired on success' do
+    swap Devise, :unlock_in => 1.minute do
+      user = create_user
+      user.confirm!
+
+      user.failed_attempts = 2
+      user.locked_at = 2.minutes.ago
+
+      user.valid_for_authentication? { true }
+      assert_equal 0, user.failed_attempts
+      assert_nil user.locked_at
+    end
+  end
 end

data/test/models/token_authenticatable_test.rb

@@ -27,7 +27,12 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test 'should return nil when authenticating an invalid user by authentication token' do
-    skip 'Currently raises an exception with Mongoid.' if DEVISE_ORM == :mongoid
+    if DEVISE_ORM == :mongoid
+      raise 'There is an incompatibility between Devise and Mongoid'  <<
+            ' that makes this test break. For more information, check' <<
+            ' this issue: https://github.com/mongoid/mongoid/issues/725'
+    end
+
     user = create_user
     user.ensure_authentication_token!
     user.confirm!
@@ -35,4 +40,16 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-end
+  test 'should not be subject to injection' do
+    user1 = create_user
+    user1.ensure_authentication_token!
+    user1.confirm!
+
+    user2 = create_user
+    user2.ensure_authentication_token!
+    user2.confirm!
+
+    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
+    assert_nil user
+  end
+end

data/test/omniauth/url_helpers_test.rb

@@ -44,4 +44,11 @@ class OmniAuthRoutesTest < ActionController::TestCase
     assert_equal "/users/auth/open_id",
                   @controller.omniauth_authorize_path(:user, :open_id)
   end
+
+  test 'should set script name in the path if present' do
+    @request.env['SCRIPT_NAME'] = '/q'
+
+    assert_equal "/q/users/auth/facebook",
+                 @controller.omniauth_authorize_path(:user, :facebook)
+  end
 end

data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -4,4 +4,11 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     session["devise.facebook_data"] = data["extra"]["user_hash"]
     render :json => data
   end
+
+  def sign_in_facebook
+    user = User.find_by_email('user@test.com')
+    user.remember_me = true
+    sign_in user
+    render :text => ""
+  end
 end

data/test/test_helper.rb

@@ -17,8 +17,6 @@ Webrat.configure do |config|
   config.open_error_files = false
 end
 
-Devise::OmniAuth.test_mode!
-
 # Add support to load paths so we can overwrite broken webrat setup
 $:.unshift File.expand_path('../support', __FILE__)
 Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
@@ -26,4 +24,4 @@ Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
 # For generators
 require "rails/generators/test_case"
 require "generators/devise/install_generator"
-require "generators/devise/views_generator"
+require "generators/devise/views_generator"

metadata

@@ -2,7 +2,7 @@
 name: devise-jdguyot
 version: !ruby/object:Gem::Version 
   prerelease: 4
-  version: 1.2.rc2
+  version: 1.2.rc3
 platform: ruby
 authors: 
 - "Jos\xC3\xA9 Valim"
@@ -11,7 +11,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-02-22 00:00:00 +01:00
+date: 2011-03-16 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -57,6 +57,7 @@ extra_rdoc_files: []
 
 files: 
 - .gitignore
+- .travis.yml
 - CHANGELOG.rdoc
 - Gemfile
 - Gemfile.lock
@@ -88,6 +89,7 @@ files:
 - lib/devise.rb
 - lib/devise/controllers/helpers.rb
 - lib/devise/controllers/internal_helpers.rb
+- lib/devise/controllers/rememberable.rb
 - lib/devise/controllers/scoped_views.rb
 - lib/devise/controllers/url_helpers.rb
 - lib/devise/encryptors/authlogic_sha512.rb
@@ -120,7 +122,6 @@ files:
 - lib/devise/modules.rb
 - lib/devise/omniauth.rb
 - lib/devise/omniauth/config.rb
-- lib/devise/omniauth/test_helpers.rb
 - lib/devise/omniauth/url_helpers.rb
 - lib/devise/orm/active_record.rb
 - lib/devise/orm/mongoid.rb
@@ -152,6 +153,7 @@ files:
 - test/encryptors_test.rb
 - test/failure_app_test.rb
 - test/generators/active_record_generator_test.rb
+- test/generators/devise_generator_test.rb
 - test/generators/install_generator_test.rb
 - test/generators/mongoid_generator_test.rb
 - test/generators/views_generator_test.rb
@@ -277,6 +279,7 @@ test_files:
 - test/encryptors_test.rb
 - test/failure_app_test.rb
 - test/generators/active_record_generator_test.rb
+- test/generators/devise_generator_test.rb
 - test/generators/install_generator_test.rb
 - test/generators/mongoid_generator_test.rb
 - test/generators/views_generator_test.rb

data/lib/devise/omniauth/test_helpers.rb

@@ -1,57 +0,0 @@
-module Devise
-  module OmniAuth
-    module TestHelpers
-      def self.test_mode!
-        Faraday.default_adapter = :test if defined?(Faraday)
-        ActiveSupport.on_load(:action_controller) { include Devise::OmniAuth::TestHelpers }
-        ActiveSupport.on_load(:action_view) { include Devise::OmniAuth::TestHelpers }
-      end
-
-      def self.stub!(provider, stubs=nil, &block)
-        raise "You either need to pass stubs as a block or as a parameter" unless block_given? || stubs
-
-        config = Devise.omniauth_configs[provider]
-        raise "Could not find configuration for #{provider.to_s} omniauth provider" unless config
-
-        config.check_if_allow_stubs!
-        stubs ||= Faraday::Adapter::Test::Stubs.new(&block)
-
-        config.build_connection do |b|
-          b.adapter :test, stubs
-        end
-      end
-
-      def self.reset_stubs!(*providers)
-        target = providers.any? ? Devise.omniauth_configs.slice(*providers) : Devise.omniauth_configs
-        target.each_value do |config|
-          next unless config.allow_stubs?
-          config.build_connection { |b| b.adapter Faraday.default_adapter }
-        end
-      end
-
-      def self.short_circuit_authorizers!
-        module_eval <<-ALIASES, __FILE__, __LINE__ + 1
-          def omniauth_authorize_path(*args)
-            omniauth_callback_path(*args)
-          end
-        ALIASES
-
-        Devise.mappings.each_value do |m|
-          next unless m.omniauthable?
-
-          module_eval <<-ALIASES, __FILE__, __LINE__ + 1
-            def #{m.name}_omniauth_authorize_path(provider, params = {})
-              #{m.name}_omniauth_callback_path(provider, params)
-            end
-          ALIASES
-        end
-      end
-
-      def self.unshort_circuit_authorizers!
-        module_eval do
-          instance_methods.each { |m| remove_method(m) }
-        end
-      end
-    end
-  end
-end