devise 1.1.9 → 1.2.rc

data/test/models/token_authenticatable_test.rb

@@ -34,16 +34,4 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-  test 'should not be subject to injection' do
-    user1 = create_user
-    user1.ensure_authentication_token!
-    user1.confirm!
-
-    user2 = create_user
-    user2.ensure_authentication_token!
-    user2.confirm!
-
-    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
-    assert_nil user
-  end
-end
+end

data/test/models_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 class Configurable < User
-  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
+  devise :database_authenticatable, :encryptable, :confirmable, :rememberable, :timeoutable, :lockable,
          :stretches => 15, :pepper => 'abcdef', :confirm_within => 5.days,
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
@@ -26,16 +26,16 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'can cherry pick modules' do
-    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end
 
   test 'chosen modules are inheritable' do
-    assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable
+    assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end
 
   test 'order of module inclusion' do
-    correct_module_order   = [:database_authenticatable, :recoverable, :registerable, :lockable, :timeoutable]
-    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable, :recoverable, :lockable]
+    correct_module_order   = [:database_authenticatable, :rememberable, :encryptable, :recoverable, :registerable, :lockable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable, :recoverable, :lockable, :encryptable, :rememberable]
 
     assert_include_modules Admin, *incorrect_module_order
 

data/test/omniauth/url_helpers_test.rb

@@ -0,0 +1,47 @@
+require 'test_helper'
+
+class OmniAuthRoutesTest < ActionController::TestCase
+  tests ApplicationController
+
+  def assert_path(action, provider, with_param=true)
+    # Resource param
+    assert_equal @controller.send(action, :user, provider),
+                 @controller.send("user_#{action}", provider)
+
+    # With an object
+    assert_equal @controller.send(action, User.new, provider),
+                 @controller.send("user_#{action}", provider)
+
+    if with_param
+      # Default url params
+      assert_equal @controller.send(action, :user, provider, :param => 123),
+                   @controller.send("user_#{action}", provider, :param => 123)
+    end
+  end
+
+  test 'should alias omniauth_callback to mapped user auth_callback' do
+    assert_path :omniauth_callback_path, :facebook
+  end
+
+  test 'should alias omniauth_authorize to mapped user auth_authorize' do
+    assert_path :omniauth_authorize_path, :facebook, false
+  end
+
+  test 'should generate authorization path' do
+    assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
+
+    assert_raise ArgumentError do
+      @controller.omniauth_authorize_path(:user, :github)
+    end
+  end
+
+  test 'should generate authorization path with params' do
+    assert_match "/users/auth/open_id?openid_url=http%3A%2F%2Fyahoo.com",
+                  @controller.omniauth_authorize_path(:user, :open_id, :openid_url => "http://yahoo.com")
+  end
+
+  test 'should not add a "?" if no param was sent' do
+    assert_equal "/users/auth/open_id",
+                  @controller.omniauth_authorize_path(:user, :open_id)
+  end
+end

data/test/rails_app/app/active_record/admin.rb

@@ -1,3 +1,6 @@
+require 'shared_admin'
+
 class Admin < ActiveRecord::Base
-  devise :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :unlock_strategy => :time
+  include Shim
+  include SharedAdmin
 end

data/test/rails_app/app/active_record/user.rb

@@ -1,7 +1,8 @@
+require 'shared_user'
+
 class User < ActiveRecord::Base
-  devise :database_authenticatable, :confirmable, :lockable, :recoverable,
-         :registerable, :rememberable, :timeoutable, :token_authenticatable,
-         :trackable, :validatable
+  include Shim
+  include SharedUser
 
-  attr_accessible :username, :email, :password, :password_confirmation
+  attr_accessible :username, :email, :password, :password_confirmation, :remember_me
 end

data/test/rails_app/app/controllers/{sessions_controller.rb → admins/sessions_controller.rb}

@@ -1,4 +1,4 @@
-class SessionsController < Devise::SessionsController
+class Admins::SessionsController < Devise::SessionsController
   def new
     flash[:special] = "Welcome to #{controller_path.inspect} controller!"
     super

data/test/rails_app/app/controllers/home_controller.rb

@@ -4,4 +4,13 @@ class HomeController < ApplicationController
 
   def private
   end
+
+  def set
+    session["devise.foo_bar"] = "something"
+    head :ok
+  end
+
+  def unauthenticated
+    render :text => "unauthenticated", :status => :unauthorized
+  end
 end

data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -0,0 +1,7 @@
+class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def facebook
+    data = env["omniauth.auth"]
+    session["devise.facebook_data"] = data["extra"]["user_hash"]
+    render :json => data
+  end
+end

data/test/rails_app/app/mongoid/admin.rb

@@ -1,6 +1,9 @@
+require 'shared_admin'
+
 class Admin
   include Mongoid::Document
   include Shim
+  include SharedAdmin
 
-  devise :database_authenticatable, :timeoutable, :registerable, :recoverable, :lockable, :unlock_strategy => :time
+  field :remember_token, :type => String
 end

data/test/rails_app/app/mongoid/shim.rb

@@ -1,16 +1,29 @@
 module Shim
   extend ::ActiveSupport::Concern
-  include ::Mongoid::Timestamps
+
+  included do
+    include ::Mongoid::Timestamps
+    field :created_at, :type => DateTime
+  end
 
   module ClassMethods
     def last(options={})
       options.delete(:order) if options[:order] == "id"
       super(options)
     end
+
+    def find_by_email(email)
+      first(:conditions => { :email => email })
+    end
   end
-  
-  # overwrite equality (because some devise tests use this for asserting model equality) 
+
+  # overwrite equality (because some devise tests use this for asserting model equality)
   def ==(other)
     other.is_a?(self.class) && _id == other._id
   end
+
+  # Mongoid does not have this method in the current beta version (2.0.0.beta.20)
+  def update_attribute(attribute, value)
+    update_attributes(attribute => value)
+  end
 end

data/test/rails_app/app/mongoid/user.rb

@@ -1,10 +1,10 @@
+require 'shared_user'
+
 class User
   include Mongoid::Document
   include Shim
+  include SharedUser
 
-  field :created_at, :type => DateTime
-
-  devise :database_authenticatable, :confirmable, :lockable, :recoverable,
-         :registerable, :rememberable, :timeoutable, :token_authenticatable,
-         :trackable, :validatable
+  field :username, :type => String
+  field :facebook_token, :type => String
 end

data/test/rails_app/config/initializers/devise.rb

@@ -20,15 +20,27 @@ Devise.setup do |config|
   # authenticating an user, both parameters are required. Remember that those
   # parameters are used only when authenticating and not when retrieving from
   # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply hash where the value is a boolean expliciting if authentication
+  # should be aborted or not if the value is not present. By default is empty.
   # config.authentication_keys = [ :email ]
 
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
   config.http_authenticatable = true
 
-  # The realm used in Http Basic Authentication
+  # If http headers should be returned for AJAX requests. True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication. "Application" by default.
   # config.http_authentication_realm = "Application"
 
   # ==> Configuration for :database_authenticatable
@@ -36,15 +48,6 @@ Devise.setup do |config|
   # using other encryptors, it sets how many times you want the password re-encrypted.
   config.stretches = 10
 
-  # Define which will be the encryption algorithm. Devise also supports encryptors
-  # from others authentication tools as :clearance_sha1, :authlogic_sha512 (then
-  # you should set stretches above to 20 for default behavior) and :restful_authentication_sha1
-  # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
-  config.encryptor = :bcrypt
-
-  # Setup a pepper to generate the encrypted password.
-  config.pepper = "d142367154e5beacca404b1a6a4f8bc52c6fdcfa3ccc3cf8eb49f3458a688ee6ac3b9fae488432a3bfca863b8a90008368a9f3a3dfbe5a962e64b6ab8f3a3a1a"
-
   # ==> Configuration for :confirmable
   # The time you want to give your user to confirm his account. During this time
   # he will be able to access your application without confirming. Default is nil.
@@ -64,8 +67,12 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
+  # If true, uses the password salt as remember token. This should be turned
+  # to false if you are not using database authenticatable.
+  config.use_salt_as_remember_token = true
+
   # ==> Configuration for :validatable
-  # Range for password length
+  # Range for password length. Default is 6..20.
   # config.password_length = 6..20
 
   # Regex to use to validate the email address
@@ -73,8 +80,8 @@ Devise.setup do |config|
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
-  # time the user will be asked for credentials again.
-  # config.timeout_in = 10.minutes
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
@@ -96,24 +103,39 @@ Devise.setup do |config|
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
+  # ==> Configuration for :encryptable
+  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # REST_AUTH_SITE_KEY to pepper)
+  config.encryptor = :sha512
+
+  # Setup a pepper to generate the encrypted password.
+  config.pepper = "d142367154e5beacca404b1a6a4f8bc52c6fdcfa3ccc3cf8eb49f3458a688ee6ac3b9fae488432a3bfca863b8a90008368a9f3a3dfbe5a962e64b6ab8f3a3a1a"
+
   # ==> Configuration for :token_authenticatable
   # Defines name of the authentication token params key
   # config.token_authentication_key = :auth_token
 
+  # If true, authentication through token does not store user in session and needs
+  # to be supplied on each request. Useful if you are using the token as API token.
+  # config.stateless_token = false
+
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you
   # are using only default views.
-  # config.scoped_views = true
+  # config.scoped_views = false
 
   # Configure the default scope given to Warden. By default it's the first
-  # devise role declared in your routes.
+  # devise role declared in your routes (usually :user).
   # config.default_scope = :user
 
   # Configure sign_out behavior.
-  # By default sign_out is scoped (i.e. /users/sign_out affects only :user scope).
-  # In case of sign_out_all_scopes set to true any logout action will sign out all active scopes.
-  # config.sign_out_all_scopes = false
+  # Sign_out action can be scoped (i.e. /users/sign_out affects only :user scope).
+  # The default is true, which means any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = true
 
   # ==> Navigation configuration
   # Lists the formats that should be treated as navigational. Formats like
@@ -123,17 +145,19 @@ Devise.setup do |config|
   # should add them to the navigational formats lists. Default is [:html]
   # config.navigational_formats = [:html, :iphone]
 
+  # The default HTTP method used to sign out a resource. Default is :get.
+  # config.sign_out_via = :get
+
+  # ==> OmniAuth
+  config.omniauth :facebook, 'APP_ID', 'APP_SECRET', :scope => 'email,offline_access'
+  config.omniauth :open_id
+
   # ==> Warden configuration
-  # If you want to use other strategies, that are not (yet) supported by Devise,
-  # you can configure them inside the config.warden block. The example below
-  # allows you to setup OAuth, using http://github.com/roman/warden_oauth
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
   #
   # config.warden do |manager|
-  #   manager.oauth(:twitter) do |twitter|
-  #     twitter.consumer_secret = <YOUR CONSUMER SECRET>
-  #     twitter.consumer_key  = <YOUR CONSUMER KEY>
-  #     twitter.options :site => 'http://twitter.com'
-  #   end
-  #   manager.default_strategies(:scope => :user).unshift :twitter_oauth
+  #   manager.failure_app = AnotherApp
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
   # end
 end

data/test/rails_app/config/routes.rb

@@ -8,7 +8,7 @@ Rails.application.routes.draw do
   resources :admins, :only => [:index]
 
   # Users scope
-  devise_for :users do
+  devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" } do
     match "/devise_for/sign_in", :to => "devise/sessions#new"
   end
 
@@ -19,7 +19,7 @@ Rails.application.routes.draw do
   match "/sign_in", :to => "devise/sessions#new"
 
   # Admin scope
-  devise_for :admin, :path => "admin_area", :controllers => { :sessions => "sessions" }, :skip => :passwords
+  devise_for :admin, :path => "admin_area", :controllers => { :sessions => "admins/sessions" }, :skip => :passwords
 
   match "/admin_area/home", :to => "admins#index", :as => :admin_root
   match "/anywhere", :to => "foo#bar", :as => :new_admin_password
@@ -29,19 +29,27 @@ Rails.application.routes.draw do
   end
 
   # Other routes for routing_test.rb
-  namespace :publisher, :path_names => { :sign_in => "i_don_care", :sign_out => "get_out" } do
-    devise_for :accounts, :class_name => "User", :path_names => { :sign_in => "get_in" }
+  namespace :publisher, :path_names => { :sign_in => "i_dont_care", :sign_out => "get_out" } do
+    devise_for :accounts, :class_name => "Admin", :path_names => { :sign_in => "get_in" }
   end
 
   scope ":locale" do
-    devise_for :accounts, :singular => "manager", :class_name => "User",
+    devise_for :accounts, :singular => "manager", :class_name => "Admin",
       :path_names => {
         :sign_in => "login", :sign_out => "logout",
         :password => "secret", :confirmation => "verification",
         :unlock => "unblock", :sign_up => "register",
-        :registration => "management"
+        :registration => "management", :cancel => "giveup"
       }
   end
 
+  namespace :sign_out_via, :module => "devise" do
+    devise_for :deletes, :sign_out_via => :delete, :class_name => "Admin"
+    devise_for :posts, :sign_out_via => :post, :class_name => "Admin"
+    devise_for :delete_or_posts, :sign_out_via => [:delete, :post], :class_name => "Admin"
+  end
+
+  match "/set", :to => "home#set"
+  match "/unauthenticated", :to => "home#unauthenticated"
   root :to => "home#index"
 end

data/test/rails_app/db/migrate/20100401102949_create_tables.rb

@@ -1,27 +1,31 @@
 class CreateTables < ActiveRecord::Migration
   def self.up
-    [:users, :admins, :accounts].each do |table|
-      create_table table do |t|
-        t.database_authenticatable :null => (table == :admins)
+    create_table :users do |t|
+      t.string :username
+      t.string :facebook_token
 
-        if table != :admin
-          t.string :username
-          t.confirmable
-          t.recoverable
-          t.rememberable
-          t.trackable
-          t.lockable
-          t.token_authenticatable
-        end
+      t.database_authenticatable :null => false
+      t.confirmable
+      t.recoverable
+      t.rememberable
+      t.trackable
+      t.lockable
+      t.token_authenticatable
+      t.timestamps
+    end
 
-        t.timestamps
-      end
+    create_table :admins do |t|
+      t.database_authenticatable :null => true
+      t.encryptable
+      t.rememberable :use_salt => false
+      t.recoverable
+      t.lockable
+      t.timestamps
     end
   end
 
   def self.down
-    [:users, :admins, :accounts].each do |table|
-      drop_table table
-    end
+    drop_table :users
+    drop_table :admins
   end
 end