devise-jdguyot 1.2.rc → 1.2.rc2

data/CHANGELOG.rdoc

@@ -1,14 +1,21 @@
 * enhancements
-  * rails g devise:views supports slim templates (by github.com/fredwu)
+  * Make friendly_token 20 chars long
+  * Use secure_compare
 
 * bug fix
   * Fix an issue causing infinite redirects in production
   * rails g destroy works properly with devise generators (by github.com/andmej)
   * before_failure callbacks should work on test helpers (by github.com/twinge)
   * rememberable cookie now is httponly by default (by github.com/JamesFerguson)
+  * Add missing confirmation_keys (by github.com/JohnPlummer)
+  * Ensure after_* hooks are called on RegistrationsController
+  * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
+  * Ensure stateless token does not trigger timeout (by github.com/pixelauthority)
+  * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
 
 * deprecations
   * Deprecated anybody_signed_in? in favor of signed_in? (by github.com/gavinhughes)
+  * Removed --haml and --slim view templates
 
 == 1.2.rc
 
@@ -48,6 +55,20 @@
   * Ensure namespaces has proper scoped views
   * Ensure Devise does not set empty flash messages (by github.com/sxross)
 
+== 1.1.6
+
+* Use a more secure e-mail regexp
+* Implement Rails 3.0.4 handle unverified request
+* Use secure_compare to compare passwords
+
+== 1.1.5
+
+* bugfix
+  * Ensure to convert keys on indifferent hash
+
+* defaults
+  * Set config.http_authenticatable to false to avoid confusion
+
 == 1.1.4
 
 * bugfix

data/Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.0.0"
+gem "rails", "~> 3.0.4"
 gem "oa-oauth", :require => "omniauth/oauth"
 gem "oa-openid", :require => "omniauth/openid"
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.2.rc)
+    devise-jdguyot (1.2.rc)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)
@@ -10,58 +10,52 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.3)
-      actionpack (= 3.0.3)
-      mail (~> 2.2.9)
-    actionpack (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    actionmailer (3.0.4)
+      actionpack (= 3.0.4)
+      mail (~> 2.2.15)
+    actionpack (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4)
       rack (~> 1.2.1)
       rack-mount (~> 0.6.13)
-      rack-test (~> 0.5.6)
+      rack-test (~> 0.5.7)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.3)
-      activesupport (= 3.0.3)
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       i18n (~> 0.4)
-    activerecord (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
-    activerecord-jdbc-adapter (1.0.2-java)
-    activerecord-jdbcsqlite3-adapter (1.0.2-java)
-      activerecord-jdbc-adapter (= 1.0.2)
-      jdbc-sqlite3 (~> 3.6.0)
-    activeresource (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
-    activesupport (3.0.3)
-    addressable (2.2.2)
-    arel (2.0.4)
-    bcrypt-ruby (2.1.2)
-    bson (1.1.2)
+    activeresource (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+    activesupport (3.0.4)
+    addressable (2.2.4)
+    arel (2.0.8)
+    bcrypt-ruby (2.1.4)
+    bson (1.2.2)
     bson_ext (1.1.2)
     builder (2.1.2)
     erubis (2.6.6)
       abstract (>= 1.0.0)
-    faraday (0.5.2)
-      addressable (~> 2.2.2)
-      multipart-post (~> 1.0.1)
+    faraday (0.5.6)
+      addressable (~> 2.2.4)
+      multipart-post (~> 1.1.0)
       rack (>= 1.1.0, < 2)
-    i18n (0.4.2)
-    jdbc-sqlite3 (3.6.14.2.056-java)
-    mail (2.2.10)
+    i18n (0.5.0)
+    mail (2.2.15)
       activesupport (>= 2.3.6)
-      i18n (~> 0.4.1)
+      i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.16)
-    mocha (0.9.9)
-      rake
+    mocha (0.9.12)
     mongo (1.1.2)
       bson (>= 1.1.1)
     mongoid (2.0.0.beta.20)
@@ -70,10 +64,8 @@ GEM
       tzinfo (~> 0.3.22)
       will_paginate (~> 3.0.pre)
     multi_json (0.0.5)
-    multipart-post (1.0.1)
-    nokogiri (1.4.3.1)
-    nokogiri (1.4.3.1-java)
-      weakling (>= 0.0.3)
+    multipart-post (1.1.0)
+    nokogiri (1.4.4)
     oa-core (0.1.6)
       rack (~> 1.1)
     oa-oauth (0.1.6)
@@ -87,10 +79,10 @@ GEM
       rack-openid (~> 1.2.0)
       ruby-openid-apps-discovery
     oauth (0.4.4)
-    oauth2 (0.1.0)
+    oauth2 (0.1.1)
       faraday (~> 0.5.0)
       multi_json (~> 0.0.4)
-    orm_adapter (0.0.3)
+    orm_adapter (0.0.4)
     polyglot (0.3.1)
     rack (1.2.1)
     rack-mount (0.6.13)
@@ -98,33 +90,34 @@ GEM
     rack-openid (1.2.0)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.5.6)
+    rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.3)
-      actionmailer (= 3.0.3)
-      actionpack (= 3.0.3)
-      activerecord (= 3.0.3)
-      activeresource (= 3.0.3)
-      activesupport (= 3.0.3)
+    rails (3.0.4)
+      actionmailer (= 3.0.4)
+      actionpack (= 3.0.4)
+      activerecord (= 3.0.4)
+      activeresource (= 3.0.4)
+      activesupport (= 3.0.4)
       bundler (~> 1.0)
-      railties (= 3.0.3)
-    railties (3.0.3)
-      actionpack (= 3.0.3)
-      activesupport (= 3.0.3)
+      railties (= 3.0.4)
+    railties (3.0.4)
+      actionpack (= 3.0.4)
+      activesupport (= 3.0.4)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
     ruby-openid (2.1.8)
     ruby-openid-apps-discovery (1.2.0)
       ruby-openid (>= 2.1.7)
-    sqlite3-ruby (1.3.2)
+    sqlite3 (1.3.3)
+    sqlite3-ruby (1.3.3)
+      sqlite3 (>= 1.3.3)
     thor (0.14.6)
     treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.23)
+    tzinfo (0.3.24)
     warden (1.0.3)
       rack (>= 1.0.0)
-    weakling (0.0.4-java)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
@@ -132,21 +125,17 @@ GEM
     will_paginate (3.0.pre2)
 
 PLATFORMS
-  java
   ruby
 
 DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
-  bcrypt-ruby (~> 2.1.2)
   bson_ext (= 1.1.2)
-  devise!
+  devise-jdguyot!
   mocha
   mongo (= 1.1.2)
   mongoid (= 2.0.0.beta.20)
   oa-oauth
   oa-openid
-  orm_adapter (~> 0.0.3)
-  rails (~> 3.0.0)
+  rails (~> 3.0.4)
   sqlite3-ruby
-  warden (~> 1.0.3)
   webrat (= 0.7.2)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009 Plataforma Tecnologia. http://blog.plataformatec.com.br
+Copyright 2009-2011 Plataforma Tecnologia. http://blog.plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -9,7 +9,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 It's composed of 12 modules:
 
-* Database Authenticatable: encrypts and stores a password in the database to validate the authenticity of an user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
+* Database Authenticatable: encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
 * Token Authenticatable: signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
 * Omniauthable: adds Omniauth (github.com/intridea/omniauth) support;
 * Confirmable: sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
@@ -90,6 +90,15 @@ Replace MODEL by the class name you want to add devise, like User, Admin, etc. T
 
 Support for Rails 2.3.x can be found by installing Devise 1.0.x from the v1.0 branch.
 
+== Starting with Rails?
+
+If you are building your first Rails application, we recommend you to *not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch, today we have two resources:
+
+* Michael Hartl's online book: http://railstutorial.org/chapters/modeling-and-viewing-users-two#top
+* Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
+
+Once you have solidified you understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
+
 == Getting started
 
 This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration.
@@ -209,7 +218,7 @@ Devise currently supports generating views for the following template engines (u
 * Haml (http://github.com/nex3/haml)
 * Slim (http://github.com/stonean/slim)
 
-Note: If you are generating Haml or Slim templates, you will need to have a few dependencies such as `hpricot` (for both Haml and Slim) and `haml2slim` (for Slim) installed.
+Note: If you are generating Haml or Slim templates, you will need to have a few dependencies such as `ruby_parser` (for Haml), `hpricot` (for both Haml and Slim) and `haml2slim` (for Slim) installed.
 
 If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
 

data/Rakefile

@@ -1,9 +1,7 @@
 # encoding: UTF-8
 
-require 'rake'
 require 'rake/testtask'
 require 'rake/rdoctask'
-require File.join(File.dirname(__FILE__), 'lib', 'devise', 'version')
 
 desc 'Default: run tests for all ORMs.'
 task :default => :pre_commit
@@ -33,4 +31,4 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.options << '--line-numbers' << '--inline-source'
   rdoc.rdoc_files.include('README.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
-end
+end

data/app/controllers/devise/registrations_controller.rb

@@ -78,8 +78,8 @@ class Devise::RegistrationsController < ApplicationController
     end
 
     # Overwrite redirect_for_sign_in so it takes uses after_sign_up_path_for.
-    def redirect_for_sign_in(scope, resource) #:nodoc:
-      redirect_to stored_location_for(scope) || after_sign_up_path_for(resource)
+    def redirect_location(scope, resource) #:nodoc:
+      stored_location_for(scope) || after_sign_up_path_for(resource)
     end
 
     # The path used after sign up for inactive accounts. You need to overwrite

data/lib/devise/controllers/helpers.rb

@@ -21,7 +21,7 @@ module Devise
       #   Generated methods:
       #     authenticate_user!  # Signs user in or redirect
       #     authenticate_admin! # Signs admin in or redirect
-      #     user_signed_in?     # Checks whether there is an user signed in or not
+      #     user_signed_in?     # Checks whether there is a user signed in or not
       #     admin_signed_in?    # Checks whether there is an admin signed in or not
       #     current_user        # Current signed in user
       #     current_admin       # Current signed in admin
@@ -86,7 +86,7 @@ module Devise
         signed_in?
       end
 
-      # Sign in an user that already was authenticated. This helper is useful for logging
+      # Sign in a user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #
       # All options given to sign_in is passed forward to the set_user method in warden.
@@ -117,7 +117,7 @@ module Devise
         end
       end
 
-      # Sign out a given user or scope. This helper is useful for signing out an user
+      # Sign out a given user or scope. This helper is useful for signing out a user
       # after deleting accounts.
       #
       # Examples:
@@ -136,6 +136,7 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden.
       def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
         warden.raw_session.inspect
         warden.logout
       end
@@ -184,7 +185,7 @@ module Devise
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
-      # Method used by sessions controller to sign out an user. You can overwrite
+      # Method used by sessions controller to sign out a user. You can overwrite
       # it in your ApplicationController to provide a custom hook for a custom
       # scope. Notice that differently from +after_sign_in_path_for+ this method
       # receives a symbol with the scope, and not the resource.
@@ -194,7 +195,7 @@ module Devise
         root_path
       end
 
-      # Sign in an user and tries to redirect first to the stored location and
+      # Sign in a user and tries to redirect first to the stored location and
       # then to the url specified by after_sign_in_path_for. It accepts the same
       # parameters as the sign_in method.
       def sign_in_and_redirect(resource_or_scope, *args)
@@ -209,7 +210,7 @@ module Devise
         stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
-      # Sign out an user and tries to redirect to the url specified by
+      # Sign out a user and tries to redirect to the url specified by
       # after_sign_out_path_for.
       def sign_out_and_redirect(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
@@ -222,6 +223,12 @@ module Devise
       def expire_session_data_after_sign_in!
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
+
+      # Overwrite Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
     end
   end
 end

data/lib/devise/failure_app.rb

@@ -64,7 +64,6 @@ module Devise
     end
 
     def redirect_url
-      request_format = request.format.to_sym
       if request_format == :html
         send(:"new_#{scope}_session_path")
       else
@@ -84,7 +83,7 @@ module Devise
       if request.xhr?
         Devise.http_authenticatable_on_xhr
       else
-        !(request.format && Devise.navigational_formats.include?(request.format.to_sym))
+        !(request_format && Devise.navigational_formats.include?(request_format))
       end
     end
 
@@ -95,8 +94,8 @@ module Devise
     end
 
     def http_auth_body
-      return i18n_message unless request.format
-      method = "to_#{request.format.to_sym}"
+      return i18n_message unless request_format
+      method = "to_#{request_format}"
       {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
     end
 
@@ -128,5 +127,17 @@ module Devise
     def store_location!
       session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
+
+    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+    def request_format
+      @request_format ||= if request.format.respond_to?(:ref)
+        request.format.ref
+      elsif MIME_REFERENCES
+        request.format
+      else # Rails < 3.0.4
+        request.format.to_sym
+      end
+    end
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -6,7 +6,7 @@
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
 
-  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
     last_request_at = warden.session(scope)['last_request_at']
 
     if record.timedout?(last_request_at)

data/lib/devise/models/authenticatable.rb

@@ -26,7 +26,7 @@ module Devise
     #
     # == Active?
     #
-    # Before authenticating an user and in each request, Devise checks if your model is active by
+    # Before authenticating a user and in each request, Devise checks if your model is active by
     # calling model.active?. This method is overwriten by other devise modules. For instance,
     # :confirmable overwrites .active? to only return true if your model was confirmed.
     #

data/lib/devise/models/confirmable.rb

@@ -56,7 +56,7 @@ module Devise
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
-      # by verifying whether an user is active to sign in or not. If the user
+      # by verifying whether a user is active to sign in or not. If the user
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
@@ -133,7 +133,7 @@ module Devise
         # with an email not found error.
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
-          confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+          confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
           confirmable.resend_confirmation_token if confirmable.persisted?
           confirmable
         end
@@ -153,7 +153,7 @@ module Devise
           generate_token(:confirmation_token)
         end
 
-        Devise::Models.config(self, :confirm_within)
+        Devise::Models.config(self, :confirm_within, :confirmation_keys)
       end
     end
   end

data/lib/devise/models/database_authenticatable.rb

@@ -31,9 +31,11 @@ module Devise
         self.encrypted_password = password_digest(@password) if @password.present?
       end
 
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
-        ::BCrypt::Password.new(self.encrypted_password) == "#{password}#{self.class.pepper}"
+        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
+        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
+        Devise.secure_compare(password, self.encrypted_password)
       end
 
       # Set password and password confirmation to nil

data/lib/devise/models/encryptable.rb

@@ -36,7 +36,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
     protected

data/lib/devise/models/lockable.rb

@@ -22,7 +22,7 @@ module Devise
 
       delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
 
-      # Lock an user setting it's locked_at to actual time.
+      # Lock a user setting it's locked_at to actual time.
       def lock_access!
         self.locked_at = Time.now
 
@@ -34,7 +34,7 @@ module Devise
         save(:validate => false)
       end
 
-      # Unlock an user by cleaning locket_at and failed_attempts.
+      # Unlock a user by cleaning locket_at and failed_attempts.
       def unlock_access!
         if_access_locked do
           self.locked_at = nil
@@ -60,7 +60,7 @@ module Devise
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
-      # by verifying whether an user is active to sign in or not based on locked?
+      # by verifying whether a user is active to sign in or not based on locked?
       def active?
         super && !access_locked?
       end
@@ -72,7 +72,7 @@ module Devise
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
-      # for verifying whether an user is allowed to sign in or not. If the user
+      # for verifying whether a user is allowed to sign in or not. If the user
       # is locked, it should never be allowed.
       def valid_for_authentication?
         return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
@@ -82,6 +82,7 @@ module Devise
           return result
         when TrueClass
           self.failed_attempts = 0
+          save(:validate => false)
         when FalseClass
           # PostgreSQL uses nil as the default value for integer columns set to 0
           self.failed_attempts ||= 0
@@ -89,10 +90,11 @@ module Devise
           if attempts_exceeded?
             lock_access!
             return :locked
+          else
+            save(:validate => false)
           end
         end
 
-        save(:validate => false) if changed?
         result
       end
 

data/lib/devise/models/recoverable.rb

@@ -35,7 +35,7 @@ module Devise
 
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
-        generate_reset_password_token! if self.confirmation_token.nil? or !reset_password_period_valid?
+        generate_reset_password_token! if self.reset_password_token.nil? or !reset_password_period_valid?
         ::Devise.mailer.reset_password_instructions(self).deliver
       end
 

data/lib/devise/models/registerable.rb

@@ -7,7 +7,7 @@ module Devise
 
       module ClassMethods
         # A convenience method that receives both parameters and session to
-        # initialize an user. This can be used by OAuth, for example, to send
+        # initialize a user. This can be used by OAuth, for example, to send
         # in the user token and be stored on initialization.
         #
         # By default discards all information sent by the session by calling

data/lib/devise/schema.rb

@@ -3,7 +3,7 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
-    # Creates email, encrypted_password and password_salt.
+    # Creates email when enabled (on by default), encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
@@ -15,8 +15,9 @@ module Devise
     def database_authenticatable(options={})
       null    = options[:null] || false
       default = options.key?(:default) ? options[:default] : ("" if null == false)
+      include_email =  !self.respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
 
-      apply_devise_schema :email,              String, :null => null, :default => default
+      apply_devise_schema :email,              String, :null => null, :default => default if include_email
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
     end
 

data/lib/devise/test_helpers.rb

@@ -1,7 +1,7 @@
 module Devise
   # Devise::TestHelpers provides a facility to test controllers in isolation
   # when using ActionController::TestCase allowing you to quickly sign_in or
-  # sign_out an user. Do not use Devise::TestHelpers in integration tests.
+  # sign_out a user. Do not use Devise::TestHelpers in integration tests.
   #
   # Notice you should not test Warden specific behavior (like Warden callbacks)
   # using Devise::TestHelpers since it is a stub of the actual behavior. Such
@@ -46,7 +46,7 @@ module Devise
           env["warden.options"] = result
           Warden::Manager._run_callbacks(:before_failure, env, result)
 
-          status, headers, body = Devise::FailureApp.call(env).to_a
+          status, headers, body = Devise.warden_config[:failure_app].call(env).to_a
           @controller.send :render, :status => status, :text => body,
             :content_type => headers["Content-Type"], :location => headers["Location"]
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.2.rc".freeze
+  VERSION = "1.2.rc2".freeze
 end

data/lib/devise.rb

@@ -1,3 +1,4 @@
+require 'rails'
 require 'active_support/core_ext/numeric/time'
 require 'active_support/dependencies'
 require 'orm_adapter'
@@ -68,9 +69,9 @@ module Devise
   @@request_keys = []
 
   # Keys that should be case-insensitive.
-  # Empty by default for backwards compaibility.
+  # Empty by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = [ ]
+  @@case_insensitive_keys = []
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -117,6 +118,10 @@ module Devise
   mattr_accessor :confirm_within
   @@confirm_within = 0.days
 
+  # Defines which key will be used when confirming an account
+  mattr_accessor :confirmation_keys
+  @@confirmation_keys = [ :email ]
+
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
@@ -186,10 +191,11 @@ module Devise
   @@stateless_token = false
 
   # Which formats should be treated as navigational.
+  # We need both :"*/*" and "*/*" to work on different Rails versions.
   mattr_accessor :navigational_formats
-  @@navigational_formats = [:"*/*", :html]
+  @@navigational_formats = [:"*/*", "*/*", :html]
 
-  # When set to true, signing out an user signs out all other scopes.
+  # When set to true, signing out a user signs out all other scopes.
   mattr_accessor :sign_out_all_scopes
   @@sign_out_all_scopes = true
 
@@ -370,7 +376,18 @@ module Devise
 
   # Generate a friendly string randomically to be used as token.
   def self.friendly_token
-    ActiveSupport::SecureRandom.base64(44).tr('+/=', 'xyz')
+    ActiveSupport::SecureRandom.base64(15).tr('+/=', 'xyz')
+  end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def self.secure_compare(a, b)
+    return false unless a.present? && b.present?
+    return false unless a.bytesize == b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
   end
 end
 

data/lib/generators/devise/views_generator.rb

@@ -13,94 +13,14 @@ module Devise
                                      :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
 
       def copy_views
-        case options[:template_engine].to_s
-        when "haml"
-          verify_haml_existence
-          verify_haml_version
-          create_and_copy_haml_views
-        when "slim"
-          verify_haml_existence
-          verify_haml_version
-          verify_haml2slim_existence
-          verify_haml2slim_version
-          create_and_copy_slim_views
+        template = options[:template_engine].to_s
+        case template
+        when "haml", "slim"
+          warn "#{template} templates have been removed from Devise gem"
         else
           directory "devise", "app/views/#{scope || :devise}"
         end
       end
-
-    protected
-
-      def verify_haml_existence
-        begin
-          require 'haml'
-        rescue LoadError
-          say "Haml is not installed, or it is not specified in your Gemfile."
-          exit
-        end
-      end
-
-      def verify_haml2slim_existence
-        begin
-          require 'haml2slim'
-        rescue LoadError
-          say "Haml2Slim is not installed, or it is not specified in your Gemfile."
-          exit
-        end
-      end
-
-      def verify_haml_version
-        unless Haml.version[:major] == 2 && Haml.version[:minor] >= 3 || Haml.version[:major] >= 3
-          say "To generate Haml or Slim templates, you need to have Haml 2.3 or above installed."
-          exit
-        end
-      end
-
-      def verify_haml2slim_version
-        unless Haml2Slim::VERSION.to_f >= '0.4.0'.to_f
-          say "To generate Slim templates, you need to have Haml2Slim 0.4.0 or above installed."
-          exit
-        end
-      end
-
-      def create_and_copy_haml_views
-        directory haml_tmp_root, "app/views/#{scope || :devise}"
-        FileUtils.rm_rf(haml_tmp_root)
-      end
-
-      def create_and_copy_slim_views
-        slim_tmp_root = Dir.mktmpdir("devise-slim.")
-        `haml2slim #{haml_tmp_root} #{slim_tmp_root}`
-
-        directory slim_tmp_root, "app/views/#{scope || :devise}"
-
-        FileUtils.rm_rf(haml_tmp_root)
-        FileUtils.rm_rf(slim_tmp_root)
-      end
-
-    private
-
-      def create_haml_views
-        @haml_tmp_root ||= begin
-          html_root     = "#{self.class.source_root}/devise"
-          haml_tmp_root = Dir.mktmpdir("devise-haml.")
-
-          Dir["#{html_root}/**/*"].each do |path|
-            relative_path = path.sub(html_root, "")
-            source_path   = (haml_tmp_root + relative_path).sub(/erb$/, "haml")
-
-            if File.directory?(path)
-              FileUtils.mkdir_p(source_path)
-            else
-              `html2haml -r #{path} #{source_path}`
-            end
-          end
-
-          haml_tmp_root
-        end
-      end
-
-      alias :haml_tmp_root :create_haml_views
     end
   end
 end

data/lib/generators/templates/devise.rb

@@ -65,6 +65,9 @@ Devise.setup do |config|
   # (ie 2 days).
   # config.confirm_within = 2.days
 
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
@@ -163,8 +166,9 @@ Devise.setup do |config|
   # If you have any extra navigational formats, like :iphone or :mobile, you
   # should add them to the navigational formats lists.
   #
-  # The :"*/*" format below is required to match Internet Explorer requests.
-  # config.navigational_formats = [:"*/*", :html]
+  # The :"*/*" and "*/*" formats below is required to match Internet
+  # Explorer requests.
+  # config.navigational_formats = [:"*/*", "*/*", :html]
 
   # The default HTTP method used to sign out a resource. Default is :get.
   # config.sign_out_via = :get

data/test/controllers/helpers_test.rb

@@ -136,11 +136,13 @@ class ControllerAuthenticatableTest < ActionController::TestCase
   end
 
   test 'sign out without args proxy to sign out all scopes' do
+    @mock_warden.expects(:user).times(Devise.mappings.size)
     @mock_warden.expects(:logout).with().returns(true)
     @controller.sign_out
   end
 
   test 'sign out everybody proxy to logout on warden' do
+    @mock_warden.expects(:user).times(Devise.mappings.size)
     @mock_warden.expects(:logout).with().returns(true)
     @controller.sign_out_all_scopes
   end
@@ -224,6 +226,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign out and redirect uses the configured after sign out path when signing out all scopes' do
     swap Devise, :sign_out_all_scopes => true do
+      @mock_warden.expects(:user).times(Devise.mappings.size)
       @mock_warden.expects(:logout).with().returns(true)
       @controller.expects(:redirect_to).with(admin_root_path)
       @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"

data/test/failure_app_test.rb

@@ -13,7 +13,7 @@ class FailureTest < ActiveSupport::TestCase
       'REQUEST_METHOD' => 'GET',
       'warden.options' => { :scope => :user },
       'rack.session' => {},
-      'action_dispatch.request.formats' => Array(env_params.delete('formats') || :html),
+      'action_dispatch.request.formats' => Array(env_params.delete('formats') || Mime::HTML),
       'rack.input' => "",
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)

data/test/integration/registerable_test.rb

@@ -15,11 +15,27 @@ class RegistrationTest < ActionController::IntegrationTest
 
     assert_contain 'Welcome! You have signed up successfully.'
     assert warden.authenticated?(:admin)
+    assert_current_url "/admin_area/home"
 
     admin = Admin.last :order => "id"
     assert_equal admin.email, 'new_user@test.com'
   end
 
+  test 'a guest admin should be able to sign in and be redirected to a custom location' do
+    Devise::RegistrationsController.any_instance.stubs(:after_sign_up_path_for).returns("/?custom=1")
+    get new_admin_session_path
+    click_link 'Sign up'
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_contain 'Welcome! You have signed up successfully.'
+    assert warden.authenticated?(:admin)
+    assert_current_url "/?custom=1"
+  end
+
   test 'a guest user should be able to sign up successfully and be blocked by confirmation' do
     get new_user_registration_path
 
@@ -30,6 +46,7 @@ class RegistrationTest < ActionController::IntegrationTest
 
     assert_contain 'You have signed up successfully. However, we could not sign you in because your account is unconfirmed.'
     assert_not_contain 'You have to confirm your account before continuing'
+    assert_current_url "/"
 
     assert_not warden.authenticated?(:user)
 
@@ -38,6 +55,19 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_not user.confirmed?
   end
 
+  test 'a guest user should be blocked by confirmation and redirected to a custom path' do
+    Devise::RegistrationsController.any_instance.stubs(:after_inactive_sign_up_path_for).returns("/?custom=1")
+    get new_user_registration_path
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_current_url "/?custom=1"
+    assert_not warden.authenticated?(:user)
+  end
+
   test 'a guest user cannot sign up with invalid information' do
     get new_user_registration_path
 

data/test/integration/rememberable_test.rb

@@ -72,6 +72,16 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user

data/test/integration/token_authenticatable_test.rb

@@ -76,15 +76,26 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
+    swap Devise, :token_authentication_key => :secret_token, :stateless_token => true, :timeout_in => (0.1).second do
+      user = sign_in_as_new_user_with_token
+      assert warden.authenticated?(:user)
+
+      # Expiring does not work because we are setting the session value when accessing it
+      sleep 0.3
+
+      get_users_path_as_existing_user(user)
+      assert warden.authenticated?(:user)
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})
-      options[:auth_token_key] ||= Devise.token_authentication_key
-      options[:auth_token]     ||= VALID_AUTHENTICATION_TOKEN
+      user = options.delete(:user) || create_user_with_authentication_token(options)
 
-      user = create_user(options)
-      user.authentication_token = VALID_AUTHENTICATION_TOKEN
-      user.save
+      options[:auth_token_key] ||= Devise.token_authentication_key
+      options[:auth_token]     ||= user.authentication_token
 
       if options[:http_auth]
         header = "Basic #{ActiveSupport::Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
@@ -96,4 +107,14 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
       user
     end
 
+    def create_user_with_authentication_token(options)
+      user = create_user(options)
+      user.authentication_token = VALID_AUTHENTICATION_TOKEN
+      user.save
+      user
+    end
+
+    def get_users_path_as_existing_user(user)
+      sign_in_as_new_user_with_token(:user => user)
+    end
 end

data/test/models/confirmable_test.rb

@@ -51,7 +51,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'should find and confirm an user automatically' do
+  test 'should find and confirm a user automatically' do
     user = create_user
     confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert_equal confirmed_user, user
@@ -127,7 +127,7 @@ class ConfirmableTest < ActiveSupport::TestCase
       User.send_confirmation_instructions(:email => user.email)
     end
   end
-  
+
   test 'should always have confirmation token when email is sent' do
     user = new_user
     user.instance_eval { def confirmation_required?; false end }
@@ -210,7 +210,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert_not user.reload.active?
   end
-  
+
   test 'should be active without confirmation when confirmation is not required' do
     user = create_user
     user.instance_eval { def confirmation_required?; false end }
@@ -218,4 +218,21 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert user.reload.active?
   end
+
+  test 'should find a user to send email instructions for the user confirm it\'s email by authentication_keys' do
+    swap Devise, :authentication_keys => [:username, :email] do
+      user = create_user
+      confirm_user = User.send_confirmation_instructions(:email => user.email, :username => user.username)
+      assert_equal confirm_user, user
+    end
+  end
+
+  test 'should require all confirmation_keys' do
+    swap Devise, :confirmation_keys => [:username, :email] do
+      user = create_user
+      confirm_user = User.send_confirmation_instructions(:email => user.email)
+      assert_not confirm_user.persisted?
+      assert_equal "can't be blank", confirm_user.errors[:username].join
+    end
+  end
 end

data/test/models/encryptable_test.rb

@@ -31,7 +31,7 @@ class EncryptableTest < ActiveSupport::TestCase
 
   test 'should generate a base64 hash using SecureRandom for password salt' do
     swap_with_encryptor Admin, :sha1 do
-      ActiveSupport::SecureRandom.expects(:base64).with(44).returns('friendly_token')
+      ActiveSupport::SecureRandom.expects(:base64).with(15).returns('friendly_token')
       assert_equal 'friendly_token', create_admin.password_salt
     end
   end

data/test/models/lockable_test.rb

@@ -55,7 +55,7 @@ class LockableTest < ActiveSupport::TestCase
     assert_not user.active?
   end
 
-  test "should unlock an user by cleaning locked_at, falied_attempts and unlock_token" do
+  test "should unlock a user by cleaning locked_at, falied_attempts and unlock_token" do
     user = create_user
     user.lock_access!
     assert_not_nil user.reload.locked_at
@@ -141,7 +141,7 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should find and unlock an user automatically' do
+  test 'should find and unlock a user automatically' do
     user = create_user
     user.lock_access!
     locked_user = User.unlock_access_by_token(user.unlock_token)

data/test/models/recoverable_test.rb

@@ -116,18 +116,27 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal reset_password_user, user
   end
 
-  test 'should a new record with errors if no reset_password_token is found' do
+  test 'should return a new record with errors if no reset_password_token is found' do
     reset_password_user = User.reset_password_by_token(:reset_password_token => 'invalid_token')
     assert_not reset_password_user.persisted?
     assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
   end
 
-  test 'should a new record with errors if reset_password_token is blank' do
+  test 'should return a new record with errors if reset_password_token is blank' do
     reset_password_user = User.reset_password_by_token(:reset_password_token => '')
     assert_not reset_password_user.persisted?
     assert_match "can't be blank", reset_password_user.errors[:reset_password_token].join
   end
 
+  test 'should return a new record with errors if password is blank' do
+    user = create_user
+    user.send :generate_reset_password_token!
+
+    reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token, :password => '')
+    assert_not reset_password_user.errors.empty?
+    assert_match "can't be blank", reset_password_user.errors[:password].join
+  end
+
   test 'should reset successfully user password given the new password and confirmation' do
     user = create_user
     old_password = user.password

data/test/models/token_authenticatable_test.rb

@@ -27,6 +27,7 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test 'should return nil when authenticating an invalid user by authentication token' do
+    skip 'Currently raises an exception with Mongoid.' if DEVISE_ORM == :mongoid
     user = create_user
     user.ensure_authentication_token!
     user.confirm!

data/test/rails_app/config/initializers/devise.rb

@@ -15,9 +15,9 @@ Devise.setup do |config|
   require "devise/orm/#{DEVISE_ORM}"
 
   # ==> Configuration for any authentication mechanism
-  # Configure which keys are used when authenticating an user. By default is
+  # Configure which keys are used when authenticating a user. By default is
   # just :email. You can configure it to use [:username, :subdomain], so for
-  # authenticating an user, both parameters are required. Remember that those
+  # authenticating a user, both parameters are required. Remember that those
   # parameters are used only when authenticating and not when retrieving from
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply hash where the value is a boolean expliciting if authentication
@@ -62,6 +62,9 @@ Devise.setup do |config|
   # (ie 2 days).
   # config.confirm_within = 2.days
 
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks

data/test/schema_test.rb

@@ -0,0 +1,33 @@
+if DEVISE_ORM == :mongoid
+
+  require 'test_helper'
+
+  class User2
+    include Mongoid::Document
+    devise :database_authenticatable
+  end
+
+  class User3
+    include Mongoid::Document
+    devise :database_authenticatable, :authentication_keys => [:username, :email]
+   end
+
+  class User4
+    include Mongoid::Document
+    devise :database_authenticatable, :authentication_keys => [:username]
+  end
+
+  class SchemaTest < ActiveSupport::TestCase
+    test 'should create an email field if there are no custom authentication keys' do
+      assert_not_equal User2.fields['email'], nil
+    end
+
+    test 'should create an email field if there are custom authentication keys and they include email' do
+      assert_not_equal User3.fields['email'], nil
+    end
+
+    test 'should not create an email field if there are custom authentication keys they don\'t include email' do
+      assert_equal User4.fields['email'], nil
+    end
+  end
+end

data/test/test_helpers_test.rb

@@ -4,6 +4,12 @@ class TestHelpersTest < ActionController::TestCase
   tests UsersController
   include Devise::TestHelpers
 
+  class CustomFailureApp < Devise::FailureApp
+    def redirect
+      self.status = 306
+    end
+  end
+  
   test "redirects if attempting to access a page unauthenticated" do
     get :index
     assert_redirected_to new_user_session_path
@@ -52,6 +58,16 @@ class TestHelpersTest < ActionController::TestCase
     get :index
     assert_redirected_to new_user_session_path
   end
+  
+  test "respects custom failure app" do
+    begin
+      Devise.warden_config.failure_app = CustomFailureApp
+      get :index
+      assert_response 306
+    ensure
+      Devise.warden_config.failure_app = Devise::FailureApp
+    end
+  end
 
   test "defined Warden after_authentication callback should not be called when sign_in is called" do
     begin

metadata

@@ -1,12 +1,8 @@
 --- !ruby/object:Gem::Specification 
 name: devise-jdguyot
 version: !ruby/object:Gem::Version 
-  prerelease: true
-  segments: 
-  - 1
-  - 2
-  - rc
-  version: 1.2.rc
+  prerelease: 4
+  version: 1.2.rc2
 platform: ruby
 authors: 
 - "Jos\xC3\xA9 Valim"
@@ -15,7 +11,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-25 00:00:00 +01:00
+date: 2011-02-22 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -26,10 +22,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 0
-        - 3
         version: 1.0.3
   type: :runtime
   version_requirements: *id001
@@ -41,10 +33,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 0
-        - 3
         version: 0.0.3
   type: :runtime
   version_requirements: *id002
@@ -56,10 +44,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 2
-        - 1
-        - 2
         version: 2.1.2
   type: :runtime
   version_requirements: *id003
@@ -249,6 +233,7 @@ files:
 - test/rails_app/public/favicon.ico
 - test/rails_app/script/rails
 - test/routes_test.rb
+- test/schema_test.rb
 - test/support/assertions.rb
 - test/support/helpers.rb
 - test/support/integration.rb
@@ -270,23 +255,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      segments: 
-      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
   - - ">"
     - !ruby/object:Gem::Version 
-      segments: 
-      - 1
-      - 3
-      - 1
       version: 1.3.1
 requirements: []
 
 rubyforge_project: devise
-rubygems_version: 1.3.7
+rubygems_version: 1.5.2
 signing_key: 
 specification_version: 3
 summary: Flexible authentication solution for Rails with Warden
@@ -379,6 +358,7 @@ test_files:
 - test/rails_app/public/favicon.ico
 - test/rails_app/script/rails
 - test/routes_test.rb
+- test/schema_test.rb
 - test/support/assertions.rb
 - test/support/helpers.rb
 - test/support/integration.rb