devise 1.1.9 → 1.2.rc

data/lib/devise/models/omniauthable.rb

@@ -0,0 +1,23 @@
+require 'devise/omniauth'
+
+module Devise
+  module Models
+    # Adds OmniAuth support to your model.
+    #
+    # == Options
+    #
+    # Oauthable adds the following options to devise_for:
+    #
+    #   * +omniauth_providers+: Which providers are avaialble to this model. It expects an array:
+    #
+    #       devise_for :database_authenticatable, :omniauthable, :omniauth_providers => [:twitter]
+    #
+    module Omniauthable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        Devise::Models.config(self, :omniauth_providers)
+      end
+    end
+  end
+end

data/lib/devise/models/recoverable.rb

@@ -1,8 +1,9 @@
 module Devise
   module Models
 
-    # Recoverable takes care of reseting the user password and send reset instructions
-    # Examples:
+    # Recoverable takes care of reseting the user password and send reset instructions.
+    #
+    # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
     #   User.find(1).reset_password!('password123', 'password123')
@@ -13,6 +14,7 @@ module Devise
     #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
+    #
     module Recoverable
       extend ActiveSupport::Concern
 
@@ -55,7 +57,7 @@ module Devise
         # with an email not found error.
         # Attributes must contain the user email
         def send_reset_password_instructions(attributes={})
-          recoverable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+          recoverable = find_or_initialize_with_errors(authentication_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
         end

data/lib/devise/models/registerable.rb

@@ -3,6 +3,19 @@ module Devise
     # Registerable is responsible for everything related to registering a new
     # resource (ie user sign up).
     module Registerable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # A convenience method that receives both parameters and session to
+        # initialize an user. This can be used by OAuth, for example, to send
+        # in the user token and be stored on initialization.
+        #
+        # By default discards all information sent by the session by calling
+        # new with params.
+        def new_with_session(params, session)
+          new(params)
+        end
+      end
     end
   end
 end

data/lib/devise/models/rememberable.rb

@@ -11,24 +11,27 @@ module Devise
     # You probably wouldn't use rememberable methods directly, they are used
     # mostly internally for handling the remember token.
     #
-    # Configuration:
+    # == Options
     #
-    #   remember_for: the time you want the user will be remembered without
-    #                 asking for credentials. After this time the user will be
-    #                 blocked and will have to enter his credentials again.
-    #                 This configuration is also used to calculate the expires
-    #                 time for the cookie created to remember the user.
-    #                 2.weeks by default.
+    # Rememberable adds the following options in devise_for:
     #
-    #   remember_across_browsers: if true, a valid remember token can be
-    #                             re-used between multiple browsers.
-    #                             True by default.
+    #   * +remember_for+: the time you want the user will be remembered without
+    #     asking for credentials. After this time the user will be blocked and
+    #     will have to enter his credentials again. This configuration is also
+    #     used to calculate the expires time for the cookie created to remember
+    #     the user. By default remember_for is 2.weeks.
     #
-    #   extend_remember_period: if true, extends the user's remember period
-    #                           when remembered via cookie.
-    #                           False by default.
+    #   * +remember_across_browsers+: if a valid remember token can be re-used
+    #     between multiple browsers. By default remember_across_browsers is true
+    #     and cannot be turned off if you are using password salt instead of remember
+    #     token.
     #
-    # Examples:
+    #   * +extend_remember_period+: if true, extends the user's remember period
+    #     when remembered via cookie. False by default.
+    #
+    #   * +cookie_options+: configuration options passed to the created cookie.
+    #
+    # == Examples
     #
     #   User.find(1).remember_me!  # regenerating the token
     #   User.find(1).forget_me!    # clearing the token
@@ -49,7 +52,7 @@ module Devise
       # Generate a new remember token and save the record without validations
       # unless remember_across_browsers is true and the user already has a valid token.
       def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
+        self.remember_token = self.class.remember_token if respond_to?(:remember_token) && generate_remember_token?
         self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
         save(:validate => false)
       end
@@ -57,16 +60,14 @@ module Devise
       # Removes the remember token only if it exists, and save the record
       # without validations.
       def forget_me!
-        if remember_token
-          self.remember_token = nil
-          self.remember_created_at = nil
-          save(:validate => false)
-        end
+        self.remember_token = nil if respond_to?(:remember_token)
+        self.remember_created_at = nil
+        save(:validate => false)
       end
 
       # Remember token should be expired if expiration time not overpass now.
       def remember_expired?
-        remember_created_at && (remember_expires_at <= Time.now.utc)
+        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
       end
 
       # Remember token expires at created time + remember_for configuration
@@ -74,12 +75,20 @@ module Devise
         remember_created_at + self.class.remember_for
       end
 
-      def cookie_domain
-        self.class.cookie_domain
+      def rememberable_value
+        if respond_to?(:remember_token)
+          remember_token
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
+          salt
+        else
+          raise "The #{self.class.name} class does not respond to remember_token and " <<
+            "authenticatable_salt returns nil. In order to use rememberable, you must " <<
+            "add a remember_token field to your model or ensure a password is always set."
+        end
       end
 
-      def cookie_domain?
-        self.class.cookie_domain != false
+      def cookie_options
+        self.class.cookie_options
       end
 
     protected
@@ -99,14 +108,13 @@ module Devise
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.id, record.remember_token]
+          [record.to_key, record.rememberable_value]
         end
 
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(id, remember_token)
-          conditions = { :id => id, :remember_token => remember_token }
-          record = find(:first, :conditions => conditions)
-          record if record && !record.remember_expired?
+          record = to_adapter.get(id)
+          record if record && record.rememberable_value == remember_token && !record.remember_expired?
         end
 
         # Generate a token checking if one does not already exist in the database.
@@ -115,7 +123,7 @@ module Devise
         end
 
         Devise::Models.config(self, :remember_for, :remember_across_browsers,
-          :extend_remember_period, :cookie_domain)
+          :extend_remember_period, :cookie_options)
       end
     end
   end

data/lib/devise/models/timeoutable.rb

@@ -7,17 +7,34 @@ module Devise
     # will be asked for credentials again, it means, he/she will be redirected
     # to the sign in page.
     #
-    # Configuration:
+    # == Options
+    #
+    # Timeoutable adds the following options to devise_for:
+    #
+    #   * +timeout_in+: the interval to timeout the user session without activity.
+    #
+    # == Examples
+    #
+    #   user.timedout?(30.minutes.ago)
     #
-    #   timeout_in: the time you want to timeout the user session without activity.
     module Timeoutable
       extend ActiveSupport::Concern
 
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
+        return false if remember_exists_and_not_expired?
+        
         last_access && last_access <= self.class.timeout_in.ago
       end
-
+      
+      private
+      
+      def remember_exists_and_not_expired?
+        return false unless respond_to?(:remember_expired?)
+        
+        remember_created_at && !remember_expired?
+      end
+      
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end

data/lib/devise/models/token_authenticatable.rb

@@ -5,15 +5,27 @@ module Devise
     # The TokenAuthenticatable module is responsible for generating an authentication token and
     # validating the authenticity of the same while signing in.
     #
-    # This module only provides a few helpers to help you manage the token. Creating and resetting
-    # the token is your responsibility.
+    # This module only provides a few helpers to help you manage the token, but it is up to you
+    # to choose how to use it. For example, if you want to have a new token every time the user
+    # saves his account, you can do the following:
     #
-    # == Configuration:
+    #   before_save :reset_authentication_token
     #
-    # You can overwrite configuration values by setting in globally in Devise (+Devise.setup+),
-    # using devise method, or overwriting the respective instance method.
+    # On the other hand, if you want to generate token unless one exists, you should use instead:
     #
-    # +token_authentication_key+ - Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
+    #   before_save :ensure_authentication_token
+    #
+    # If you want to delete the token after it is used, you can do so in the
+    # after_token_authentication callback.
+    #
+    # == Options
+    #
+    # TokenAuthenticable adds the following options to devise_for:
+    #
+    #   * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
+    #
+    #   * +stateless_token+: By default, when you sign up with a token, Devise will store the user in session
+    #     as any other authentication strategy. You can set stateless_token to true to avoid this.
     #
     module TokenAuthenticatable
       extend ActiveSupport::Concern
@@ -53,7 +65,7 @@ module Devise
           generate_token(:authentication_token)
         end
 
-        ::Devise::Models.config(self, :token_authentication_key)
+        ::Devise::Models.config(self, :token_authentication_key, :stateless_token)
       end
     end
   end

data/lib/devise/models/validatable.rb

@@ -1,10 +1,17 @@
 module Devise
   module Models
-
     # Validatable creates all needed validations for a user email and password.
     # It's optional, given you may want to create the validations by yourself.
     # Automatically validate if the email is present, unique and it's format is
-    # valid. Also tests presence of password, confirmation and length
+    # valid. Also tests presence of password, confirmation and length.
+    #
+    # == Options
+    #
+    # Validatable adds the following options to devise_for:
+    #
+    #   * +email_regexp+: the regular expression used to validate e-mails;
+    #   * +password_length+: a range expressing password length. Defaults to 6..20.
+    #
     module Validatable
       # All validations used by this module.
       VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
@@ -15,8 +22,9 @@ module Devise
         assert_validations_api!(base)
 
         base.class_eval do
-          validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
+          validates_presence_of   :email, :if => :email_required?
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1],
+            :case_sensitive => case_insensitive_keys.exclude?(:email), :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|
@@ -45,6 +53,10 @@ module Devise
         !persisted? || !password.nil? || !password_confirmation.nil?
       end
 
+      def email_required?
+        true
+      end
+
       module ClassMethods
         Devise::Models.config(self, :email_regexp, :password_length)
       end

data/lib/devise/modules.rb

@@ -2,20 +2,27 @@ require 'active_support/core_ext/object/with_options'
 
 Devise.with_options :model => true do |d|
   # Strategies first
-  d.with_options :strategy => true do |s|      
-    s.add_module :database_authenticatable, :controller => :sessions, :route => :session
-    s.add_module :token_authenticatable,    :controller => :sessions, :route => :session
+  d.with_options :strategy => true do |s|
+    routes = [nil, :new, :destroy]
+    s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
+    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }
     s.add_module :rememberable
   end
 
-  # Misc after   
-  d.add_module :recoverable,  :controller => :passwords,     :route => :password
-  d.add_module :registerable, :controller => :registrations, :route => :registration
+  # Other authentications
+  d.add_module :encryptable
+  d.add_module :omniauthable, :controller => :omniauth_callbacks,  :route => :omniauth_callback
+
+  # Misc after
+  routes = [nil, :new, :edit]
+  d.add_module :recoverable,  :controller => :passwords,     :route => { :password => routes }
+  d.add_module :registerable, :controller => :registrations, :route => { :registration => (routes << :cancel) }
   d.add_module :validatable
 
   # The ones which can sign out after
-  d.add_module :confirmable,  :controller => :confirmations, :route => :confirmation
-  d.add_module :lockable,     :controller => :unlocks,       :route => :unlock
+  routes = [nil, :new]
+  d.add_module :confirmable,  :controller => :confirmations, :route => { :confirmation => routes }
+  d.add_module :lockable,     :controller => :unlocks,       :route => { :unlock => routes }
   d.add_module :timeoutable
 
   # Stats for last, so we make sure the user is really signed in

data/lib/devise/omniauth.rb

@@ -0,0 +1,47 @@
+begin
+  require "omniauth/core"
+rescue LoadError => e
+  warn "Could not load 'omniauth/core'. Please ensure you have the oa-core gem installed and listed in your Gemfile."
+  raise
+end
+
+module OmniAuth
+  # TODO HAXES Backport to OmniAuth
+  module Strategy #:nodoc:
+    def initialize(app, name, *args)
+      @app = app
+      @name = name.to_sym
+      @options = args.last.is_a?(Hash) ? args.pop : {}
+      yield self if block_given?
+    end
+
+    def fail!(message_key, exception = nil)
+      self.env['omniauth.error'] = exception
+      self.env['omniauth.failure_key'] = message_key
+      self.env['omniauth.failed_strategy'] = self
+      OmniAuth.config.on_failure.call(self.env, message_key.to_sym)
+    end
+  end
+end
+
+# Clean up the default path_prefix. It will be automatically set by Devise.
+OmniAuth.config.path_prefix = nil
+
+OmniAuth.config.on_failure = Proc.new do |env, key|
+  env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
+  controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
+  controller_klass.constantize.action(:failure).call(env)
+end
+
+module Devise
+  module OmniAuth
+    autoload :Config,      "devise/omniauth/config"
+    autoload :UrlHelpers,  "devise/omniauth/url_helpers"
+    autoload :TestHelpers, "devise/omniauth/test_helpers"
+
+    class << self
+      delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!,
+        :test_mode!, :stub!, :reset_stubs!, :to => "Devise::OmniAuth::TestHelpers"
+    end
+  end
+end

data/lib/devise/omniauth/config.rb

@@ -0,0 +1,30 @@
+module Devise
+  module OmniAuth
+    class Config
+      attr_accessor :strategy
+      attr_reader :args
+
+      def initialize(provider, args)
+        @provider = provider
+        @args     = args
+        @strategy = nil
+      end
+
+      def strategy_class
+        ::OmniAuth::Strategies.const_get("#{::OmniAuth::Utils.camelize(@provider.to_s)}")
+      end
+
+      def check_if_allow_stubs!
+        raise "OmniAuth strategy for #{@provider} does not allow stubs, only OAuth2 ones do." unless allow_stubs?
+      end
+
+      def allow_stubs?
+        defined?(::OmniAuth::Strategies::OAuth2) && strategy.is_a?(::OmniAuth::Strategies::OAuth2)
+      end
+
+      def build_connection(&block)
+        strategy.client.connection.build(&block)
+      end
+    end
+  end
+end     

data/lib/devise/omniauth/test_helpers.rb

@@ -0,0 +1,57 @@
+module Devise
+  module OmniAuth
+    module TestHelpers
+      def self.test_mode!
+        Faraday.default_adapter = :test if defined?(Faraday)
+        ActiveSupport.on_load(:action_controller) { include Devise::OmniAuth::TestHelpers }
+        ActiveSupport.on_load(:action_view) { include Devise::OmniAuth::TestHelpers }
+      end
+
+      def self.stub!(provider, stubs=nil, &block)
+        raise "You either need to pass stubs as a block or as a parameter" unless block_given? || stubs
+
+        config = Devise.omniauth_configs[provider]
+        raise "Could not find configuration for #{provider.to_s} omniauth provider" unless config
+
+        config.check_if_allow_stubs!
+        stubs ||= Faraday::Adapter::Test::Stubs.new(&block)
+
+        config.build_connection do |b|
+          b.adapter :test, stubs
+        end
+      end
+
+      def self.reset_stubs!(*providers)
+        target = providers.any? ? Devise.omniauth_configs.slice(*providers) : Devise.omniauth_configs
+        target.each_value do |config|
+          next unless config.allow_stubs?
+          config.build_connection { |b| b.adapter Faraday.default_adapter }
+        end
+      end
+
+      def self.short_circuit_authorizers!
+        module_eval <<-ALIASES, __FILE__, __LINE__ + 1
+          def omniauth_authorize_path(*args)
+            omniauth_callback_path(*args)
+          end
+        ALIASES
+
+        Devise.mappings.each_value do |m|
+          next unless m.omniauthable?
+
+          module_eval <<-ALIASES, __FILE__, __LINE__ + 1
+            def #{m.name}_omniauth_authorize_path(provider)
+              #{m.name}_omniauth_callback_path(provider)
+            end
+          ALIASES
+        end
+      end
+
+      def self.unshort_circuit_authorizers!
+        module_eval do
+          instance_methods.each { |m| remove_method(m) }
+        end
+      end
+    end
+  end
+end