devise 1.1.9 → 1.2.rc

data/app/controllers/devise/passwords_controller.rb

@@ -4,7 +4,7 @@ class Devise::PasswordsController < ApplicationController
 
   # GET /resource/password/new
   def new
-    build_resource
+    build_resource({})
     render_with_scope :new
   end
 

data/app/controllers/devise/registrations_controller.rb

@@ -1,5 +1,5 @@
 class Devise::RegistrationsController < ApplicationController
-  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ]
   prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
   include Devise::Controllers::InternalHelpers
 
@@ -9,13 +9,19 @@ class Devise::RegistrationsController < ApplicationController
     render_with_scope :new
   end
 
-  # POST /resource
+  # POST /resource/sign_up
   def create
     build_resource
 
     if resource.save
-      set_flash_message :notice, :signed_up
-      sign_in_and_redirect(resource_name, resource)
+      if resource.active?
+        set_flash_message :notice, :signed_up
+        sign_in_and_redirect(resource_name, resource)
+      else
+        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s
+        expire_session_data_after_sign_in!
+        redirect_to after_inactive_sign_up_path_for(resource)
+      end
     else
       clean_up_passwords(resource)
       render_with_scope :new
@@ -31,6 +37,7 @@ class Devise::RegistrationsController < ApplicationController
   def update
     if resource.update_with_password(params[resource_name])
       set_flash_message :notice, :updated
+      sign_in resource_name, resource, :bypass => true
       redirect_to after_update_path_for(resource)
     else
       clean_up_passwords(resource)
@@ -41,17 +48,63 @@ class Devise::RegistrationsController < ApplicationController
   # DELETE /resource
   def destroy
     resource.destroy
-    set_flash_message :notice, :destroyed
     sign_out_and_redirect(self.resource)
+    set_flash_message :notice, :destroyed
+  end
+
+  # GET /resource/cancel
+  # Forces the session data which is usually expired after sign
+  # in to be expired now. This is useful if the user wants to
+  # cancel oauth signing in/up in the middle of the process,
+  # removing all OAuth session data.
+  def cancel
+    expire_session_data_after_sign_in!
+    redirect_to new_registration_path(resource_name)
   end
 
   protected
 
+    # Build a devise resource passing in the session. Useful to move
+    # temporary session data to the newly created user.
+    def build_resource(hash=nil)
+      hash ||= params[resource_name] || {}
+      self.resource = resource_class.new_with_session(hash, session)
+    end
+
+    # The path used after sign up. You need to overwrite this method
+    # in your own RegistrationsController.
+    def after_sign_up_path_for(resource)
+      after_sign_in_path_for(resource)
+    end
+
+    # Overwrite redirect_for_sign_in so it takes uses after_sign_up_path_for.
+    def redirect_for_sign_in(scope, resource) #:nodoc:
+      redirect_to stored_location_for(scope) || after_sign_up_path_for(resource)
+    end
+
+    # The path used after sign up for inactive accounts. You need to overwrite
+    # this method in your own RegistrationsController.
+    def after_inactive_sign_up_path_for(resource)
+      root_path
+    end
+
+    # The default url to be used after updating a resource. You need to overwrite
+    # this method in your own RegistrationsController.
+    def after_update_path_for(resource)
+      if defined?(super)
+        ActiveSupport::Deprecation.warn "Defining after_update_path_for in ApplicationController " <<
+          "is deprecated. Please add a RegistrationsController to your application and define it there."
+        super
+      else
+        after_sign_in_path_for(resource)
+      end
+    end
+
     # Authenticates the current scope and gets a copy of the current resource.
     # We need to use a copy because we don't want actions like update changing
     # the current user in place.
     def authenticate_scope!
       send(:"authenticate_#{resource_name}!")
-      self.resource = resource_class.find(send(:"current_#{resource_name}").id)
+      self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -10,14 +10,15 @@ class Devise::SessionsController < ApplicationController
 
   # POST /resource/sign_in
   def create
-    resource = warden.authenticate!(:scope => resource_name, :recall => "new")
+    resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
     set_flash_message :notice, :signed_in
     sign_in_and_redirect(resource_name, resource)
   end
 
   # GET /resource/sign_out
   def destroy
-    set_flash_message :notice, :signed_out if signed_in?(resource_name)
+    signed_in = signed_in?(resource_name)
     sign_out_and_redirect(resource_name)
+    set_flash_message :notice, :signed_out if signed_in
   end
 end

data/app/controllers/devise/unlocks_controller.rb

@@ -4,7 +4,7 @@ class Devise::UnlocksController < ApplicationController
 
   # GET /resource/unlock/new
   def new
-    build_resource
+    build_resource({})
     render_with_scope :new
   end
 

data/app/helpers/devise_helper.rb

@@ -3,7 +3,9 @@ module DeviseHelper
     return "" if resource.errors.empty?
 
     messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join
-    sentence = "#{pluralize(resource.errors.count, "error")} prohibited this #{resource_name} from being saved:"
+    sentence = I18n.t("errors.messages.not_saved",
+                      :count => resource.errors.count,
+                      :resource => resource_name)
 
     html = <<-HTML
     <div id="error_explanation">
@@ -14,4 +16,4 @@ module DeviseHelper
 
     html.html_safe
   end
-end
+end

data/app/mailers/devise/mailer.rb

@@ -1,6 +1,6 @@
 class Devise::Mailer < ::ActionMailer::Base
   include Devise::Controllers::ScopedViews
-  attr_reader :devise_mapping, :resource
+  attr_reader :scope_name, :resource
 
   def confirmation_instructions(record)
     setup_mail(record, :confirmation_instructions)
@@ -18,19 +18,36 @@ class Devise::Mailer < ::ActionMailer::Base
 
   # Configure default email options
   def setup_mail(record, action)
-    @scope_name     = Devise::Mapping.find_scope!(record)
-    @devise_mapping = Devise.mappings[@scope_name]
-    @resource       = instance_variable_set("@#{@devise_mapping.name}", record)
+    initialize_from_record(record)
+    mail headers_for(action)
+  end
+
+  def initialize_from_record(record)
+    @scope_name = Devise::Mapping.find_scope!(record)
+    @resource   = instance_variable_set("@#{devise_mapping.name}", record)
+  end
+
+  def devise_mapping
+    @devise_mapping ||= Devise.mappings[scope_name]
+  end
 
+  def headers_for(action)
     headers = {
-      :subject => translate(@devise_mapping, action),
-      :from => mailer_sender(@devise_mapping),
-      :to => record.email,
+      :subject       => translate(devise_mapping, action),
+      :from          => mailer_sender(devise_mapping),
+      :to            => resource.email,
       :template_path => template_paths
     }
 
-    headers.merge!(record.headers_for(action)) if record.respond_to?(:headers_for)
-    mail(headers)
+    if resource.respond_to?(:headers_for)
+      headers.merge!(resource.headers_for(action))
+    end
+
+    unless headers.key?(:reply_to)
+      headers[:reply_to] = headers[:from]
+    end
+
+    headers
   end
 
   def mailer_sender(mapping)
@@ -43,7 +60,7 @@ class Devise::Mailer < ::ActionMailer::Base
 
   def template_paths
     template_path = [self.class.mailer_name]
-    template_path.unshift "#{@devise_mapping.plural}/mailer" if self.class.scoped_views?
+    template_path.unshift "#{@devise_mapping.scoped_path}/mailer" if self.class.scoped_views?
     template_path
   end
 

data/app/views/devise/confirmations/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.submit "Resend confirmation instructions" %></p>
 <% end %>

data/app/views/devise/passwords/edit.html.erb

@@ -4,10 +4,10 @@
   <%= devise_error_messages! %>
   <%= f.hidden_field :reset_password_token %>
 
-  <p><%= f.label :password %><br />
+  <p><%= f.label :password, "New password" %><br />
   <%= f.password_field :password %></p>
 
-  <p><%= f.label :password_confirmation %><br />
+  <p><%= f.label :password_confirmation, "Confirm new password" %><br />
   <%= f.password_field :password_confirmation %></p>
 
   <p><%= f.submit "Change my password" %></p>

data/app/views/devise/passwords/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.submit "Send me reset password instructions" %></p>
 <% end %>

data/app/views/devise/registrations/edit.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
   <%= f.password_field :password %></p>

data/app/views/devise/registrations/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.label :password %><br />
   <%= f.password_field :password %></p>

data/app/views/devise/sessions/new.html.erb

@@ -2,7 +2,7 @@
 
 <%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.label :password %><br />
   <%= f.password_field :password %></p>

data/app/views/devise/shared/_links.erb

@@ -17,3 +17,9 @@
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
   <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
 <% end -%>
+
+<%- if devise_mapping.omniauthable? %>
+  <%- resource_class.omniauth_providers.each do |provider| %>
+    <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %><br />
+  <% end -%>
+<% end -%>

data/app/views/devise/unlocks/new.html.erb

@@ -4,7 +4,7 @@
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />
-  <%= f.text_field :email %></p>
+  <%= f.email_field :email %></p>
 
   <p><%= f.submit "Resend unlock instructions" %></p>
 <% end %>

data/config/locales/en.yml

@@ -2,8 +2,11 @@ en:
   errors:
     messages:
       not_found: "not found"
-      already_confirmed: "was already confirmed"
+      already_confirmed: "was already confirmed, please try signing in"
       not_locked: "was not locked"
+      not_saved:
+        one: "1 error prohibited this %{resource} from being saved:"
+        other: "%{count} errors prohibited this %{resource} from being saved:"
 
   devise:
     failure:
@@ -24,12 +27,16 @@ en:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
-      signed_up: 'You have signed up successfully. If enabled, a confirmation was sent to your e-mail.'
+      signed_up: 'Welcome! You have signed up successfully.'
+      inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
     unlocks:
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account was successfully unlocked. You are now signed in.'
+    omniauth_callbacks:
+      success: 'Successfully authorized from %{kind} account.'
+      failure: 'Could not authorize you from %{kind} because "%{reason}".'
     mailer:
       confirmation_instructions:
         subject: 'Confirmation instructions'

data/lib/devise.rb

@@ -1,8 +1,11 @@
 require 'active_support/core_ext/numeric/time'
 require 'active_support/dependencies'
+require 'orm_adapter'
+require 'set'
 
 module Devise
   autoload :FailureApp, 'devise/failure_app'
+  autoload :OmniAuth, 'devise/omniauth'
   autoload :PathChecker, 'devise/path_checker'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
@@ -16,7 +19,6 @@ module Devise
 
   module Encryptors
     autoload :Base, 'devise/encryptors/base'
-    autoload :Bcrypt, 'devise/encryptors/bcrypt'
     autoload :AuthlogicSha512, 'devise/encryptors/authlogic_sha512'
     autoload :ClearanceSha1, 'devise/encryptors/clearance_sha1'
     autoload :RestfulAuthenticationSha1, 'devise/encryptors/restful_authentication_sha1'
@@ -30,11 +32,12 @@ module Devise
   end
 
   # Constants which holds devise configuration for extensions. Those should
-  # not be modified by the "end user".
+  # not be modified by the "end user" (this is why they are constants).
   ALL         = []
   CONTROLLERS = ActiveSupport::OrderedHash.new
   ROUTES      = ActiveSupport::OrderedHash.new
   STRATEGIES  = ActiveSupport::OrderedHash.new
+  URL_HELPERS = ActiveSupport::OrderedHash.new
 
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
@@ -45,31 +48,34 @@ module Devise
     :sha512 => 128,
     :clearance_sha1 => 40,
     :restful_authentication_sha1 => 40,
-    :authlogic_sha512 => 128,
-    :bcrypt => 60
+    :authlogic_sha512 => 128
   }
 
   # Custom domain for cookies. Not set by default
-  mattr_accessor :cookie_domain
-  @@cookie_domain = false
-
-  # Used to encrypt password. Please generate one with rake secret.
-  mattr_accessor :pepper
-  @@pepper = nil
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
 
   # The number of times to encrypt password.
   mattr_accessor :stretches
   @@stretches = 10
 
-  # Keys used when authenticating an user.
+  # Keys used when authenticating a user.
   mattr_accessor :authentication_keys
   @@authentication_keys = [ :email ]
 
+  # Request keys used when authenticating a user.
+  mattr_accessor :request_keys
+  @@request_keys = []
+
+  # Keys that should be case-insensitive.
+  mattr_accessor :case_insensitive_keys
+  @@case_insensitive_keys = [ :email ]
+
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
   @@http_authenticatable = false
 
-  # If http authentication is used for ajax requests.  True by default.
+  # If http headers should be returned for ajax requests. True by default.
   mattr_accessor :http_authenticatable_on_xhr
   @@http_authenticatable_on_xhr = true
 
@@ -83,7 +89,7 @@ module Devise
 
   # Email regex used to validate email formats. Adapted from authlogic.
   mattr_accessor :email_regexp
-  @@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
+  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -101,6 +107,11 @@ module Devise
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false
 
+  # If true, uses salt as remember token and does not create it in the database.
+  # By default is false for backwards compatibility.
+  mattr_accessor :use_salt_as_remember_token
+  @@use_salt_as_remember_token = false
+
   # Time interval you can access your account before confirming your account.
   mattr_accessor :confirm_within
   @@confirm_within = 0.days
@@ -109,14 +120,14 @@ module Devise
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
 
+  # Used to encrypt password. Please generate one with rake secret.
+  mattr_accessor :pepper
+  @@pepper = nil
+
   # Used to define the password encryption algorithm.
   mattr_accessor :encryptor
   @@encryptor = nil
 
-  # Store scopes mappings.
-  mattr_accessor :mappings
-  @@mappings = ActiveSupport::OrderedHash.new
-
   # Tells if devise should apply the schema in ORMs where devise declaration
   # and schema belongs to the same class (as Datamapper and Mongoid).
   mattr_accessor :apply_schema
@@ -157,32 +168,58 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
+  # If true, authentication through token does not store user in session
+  mattr_accessor :stateless_token
+  @@stateless_token = false
+
   # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
-  @@navigational_formats = [:html]
+  @@navigational_formats = [:"*/*", :html]
+
+  # When set to true, signing out an user signs out all other scopes.
+  mattr_accessor :sign_out_all_scopes
+  @@sign_out_all_scopes = true
+
+  # The default method used while signing out
+  mattr_accessor :sign_out_via
+  @@sign_out_via = :get
+
+  # PRIVATE CONFIGURATION
+
+  # Store scopes mappings.
+  mattr_reader :mappings
+  @@mappings = ActiveSupport::OrderedHash.new
+
+  # Omniauth configurations.
+  mattr_reader :omniauth_configs
+  @@omniauth_configs = ActiveSupport::OrderedHash.new
+
+  # Define a set of modules that are called when a mapping is added.
+  mattr_reader :helpers
+  @@helpers = Set.new
+  @@helpers << Devise::Controllers::Helpers
 
   # Private methods to interface with Warden.
   mattr_accessor :warden_config
   @@warden_config = nil
   @@warden_config_block = nil
 
-  # When set to true, signing out an user signs out all other scopes.
-  mattr_accessor :sign_out_all_scopes
-  @@sign_out_all_scopes = false
-
-  def self.use_default_scope=(*)
-    ActiveSupport::Deprecation.warn "config.use_default_scope is deprecated and removed from Devise. " <<
-      "If you are using non conventional routes in Devise, all you need to do is to pass the devise " <<
-      "scope in the router DSL:\n\n  as :user do\n    get \"sign_in\", :to => \"devise/sessions\"\n  end\n\n" <<
-      "The method :as is also aliased to :devise_scope. Choose the one you prefer.", caller
-  end
-
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup
     yield self
   end
 
+  def self.omniauth_providers
+    omniauth_configs.keys
+  end
+
+  def self.cookie_domain=(value)
+    ActiveSupport::Deprecation.warn "Devise.cookie_domain=(value) is deprecated. "
+      "Please use Devise.cookie_options = { :domain => value } instead."
+    self.cookie_options[:domain] = value
+  end
+
   # Get the mailer class from the mailer reference object.
   def self.mailer
     @@mailer_ref.get
@@ -197,19 +234,19 @@ module Devise
   # Small method that adds a mapping to Devise.
   def self.add_mapping(resource, options)
     mapping = Devise::Mapping.new(resource, options)
-    self.mappings[mapping.name] = mapping
-    self.default_scope ||= mapping.name
+    @@mappings[mapping.name] = mapping
+    @@default_scope ||= mapping.name
+    @@helpers.each { |h| h.define_helpers(mapping) }
     mapping
   end
 
-  # Make Devise aware of an 3rd party Devise-module. For convenience.
+  # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
   #
   # == Options:
   #
   #   +model+      - String representing the load path to a custom *model* for this module (to autoload.)
   #   +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
   #   +route+      - Symbol representing the named *route* helper for this module.
-  #   +flash+      - Symbol representing the *flash messages* used by this helper.
   #   +strategy+   - Symbol representing if this module got a custom *strategy*.
   #
   # All values, except :model, accept also a boolean and will have the same name as the given module
@@ -225,26 +262,36 @@ module Devise
     ALL << module_name
     options.assert_valid_keys(:strategy, :model, :controller, :route)
 
-    config = {
-      :strategy => STRATEGIES,
-      :route => ROUTES,
-      :controller => CONTROLLERS
-    }
+    if strategy = options[:strategy]
+      STRATEGIES[module_name] = (strategy == true ? module_name : strategy)
+    end
 
-    config.each do |key, value|
-      next unless options[key]
-      name = (options[key] == true ? module_name : options[key])
+    if controller = options[:controller]
+      CONTROLLERS[module_name] = (controller == true ? module_name : controller)
+    end
 
-      if value.is_a?(Hash)
-        value[module_name] = name
+    if route = options[:route]
+      case route
+      when TrueClass
+        key, value = module_name, []
+      when Symbol
+        key, value = route, []
+      when Hash
+        key, value = route.keys.first, route.values.flatten
       else
-        value << name unless value.include?(name)
+        raise ArgumentError, ":route should be true, a Symbol or a Hash"
       end
+
+      URL_HELPERS[key] ||= []
+      URL_HELPERS[key].concat(value)
+      URL_HELPERS[key].uniq!
+
+      ROUTES[module_name] = key
     end
 
     if options[:model]
-      model_path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
-      Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, model_path)
+      path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
+      Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, path)
     end
 
     Devise::Mapping.add_module module_name
@@ -265,6 +312,27 @@ module Devise
     @@warden_config_block = block
   end
 
+  # Specify an omniauth provider.
+  #
+  #   config.omniauth :github, APP_ID, APP_SECRET
+  #
+  def self.omniauth(provider, *args)
+    @@helpers << Devise::OmniAuth::UrlHelpers
+    @@omniauth_configs[provider] = Devise::OmniAuth::Config.new(provider, args)
+  end
+
+  # Include helpers in the given scope to AC and AV.
+  def self.include_helpers(scope)
+    ActiveSupport.on_load(:action_controller) do
+      include scope::Helpers if defined?(scope::Helpers)
+      include scope::UrlHelpers
+    end
+
+    ActiveSupport.on_load(:action_view) do
+      include scope::UrlHelpers
+    end
+  end
+
   # Returns true if Rails version is bigger than 3.0.x
   def self.rack_session?
     Rails::VERSION::STRING[0,3] != "3.0"
@@ -276,6 +344,7 @@ module Devise
     @@warden_configured ||= begin
       warden_config.failure_app   = Devise::FailureApp
       warden_config.default_scope = Devise.default_scope
+      warden_config.intercept_401 = false
 
       Devise.mappings.each_value do |mapping|
         warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
@@ -288,18 +357,7 @@ module Devise
 
   # Generate a friendly string randomically to be used as token.
   def self.friendly_token
-    ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
-  end
-
-  # constant-time comparison algorithm to prevent timing attacks
-  def self.secure_compare(a, b)
-    return false unless a.present? && b.present?
-    return false unless a.bytesize == b.bytesize
-    l = a.unpack "C#{a.bytesize}"
-
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
+    ActiveSupport::SecureRandom.base64(44).tr('+/=', 'xyz')
   end
 end