devise 1.1.9 → 1.2.rc

data/lib/devise/omniauth/url_helpers.rb

@@ -0,0 +1,29 @@
+module Devise
+  module OmniAuth
+    module UrlHelpers
+      def self.define_helpers(mapping)
+        return unless mapping.omniauthable?
+
+        class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
+          def #{mapping.name}_omniauth_authorize_path(provider, params = {})
+            if Devise.omniauth_configs[provider.to_sym]
+              "/#{mapping.path}/auth/\#{provider}\#{'?'+params.to_param if params.present?}"
+            else
+              raise ArgumentError, "Could not find omniauth provider \#{provider.inspect}"
+            end
+          end
+        URL_HELPERS
+      end
+
+      def omniauth_authorize_path(resource_or_scope, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_omniauth_authorize_path", *args)
+      end
+
+      def omniauth_callback_path(resource_or_scope, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_omniauth_callback_path", *args)
+      end
+    end
+  end
+end

data/lib/devise/orm/active_record.rb

@@ -1,3 +1,5 @@
+require 'orm_adapter/adapters/active_record'
+
 module Devise
   module Orm
     # This module contains some helpers and handle schema (migrations):

data/lib/devise/orm/mongoid.rb

@@ -1,3 +1,5 @@
+require 'orm_adapter/adapters/mongoid'
+
 module Devise
   module Orm
     module Mongoid
@@ -16,7 +18,7 @@ module Devise
         # Tell how to apply schema methods
         def apply_devise_schema(name, type, options={})
           type = Time if type == DateTime
-          field name, { :type => type }.merge(options)
+          field name, { :type => type }.merge!(options)
         end
       end
     end
@@ -26,4 +28,4 @@ end
 Mongoid::Document::ClassMethods.class_eval do
   include Devise::Models
   include Devise::Orm::Mongoid::Hook
-end
+end

data/lib/devise/rails.rb

@@ -1,14 +1,11 @@
 require 'devise/rails/routes'
 require 'devise/rails/warden_compat'
 
-# Include UrlHelpers in ActionController and ActionView as soon as they are loaded.
-ActiveSupport.on_load(:action_controller) { include Devise::Controllers::UrlHelpers }
-ActiveSupport.on_load(:action_view) { include Devise::Controllers::UrlHelpers }
-
 module Devise
   class Engine < ::Rails::Engine
     config.devise = Devise
 
+    # Initialize Warden and copy its configurations.
     config.app_middleware.use Warden::Manager do |config|
       Devise.warden_config = config
     end
@@ -16,54 +13,37 @@ module Devise
     # Force routes to be loaded if we are doing any eager load.
     config.before_eager_load { |app| app.reload_routes! }
 
-    config.after_initialize do
-      Devise.encryptor ||= begin
-        warn "[WARNING] config.encryptor is not set in your config/initializers/devise.rb. " \
-          "Devise will then set it to :bcrypt. If you were using the previous default " \
-          "encryptor, please add config.encryptor = :sha1 to your configuration file." if Devise.mailer_sender
-        :bcrypt
-      end
-    end
-
-    initializer "devise.add_filters" do |app|
-      app.config.filter_parameters += [:password, :password_confirmation]
-      app.config.filter_parameters.uniq
+    initializer "devise.url_helpers" do
+      Devise.include_helpers(Devise::Controllers)
     end
 
-    unless Rails.env.production?
-      config.after_initialize do
-        actions = [:confirmation_instructions, :reset_password_instructions, :unlock_instructions]
-
-        translations = begin
-          I18n.t("devise.mailer", :raise => true).map { |k, v| k if v.is_a?(String) }.compact
-        rescue Exception => e # Do not care if something fails
-          []
-        end
-
-        keys = actions & translations
-
-        keys.each do |key|
-          ActiveSupport::Deprecation.warn "The I18n message 'devise.mailer.#{key}' is deprecated. " \
-            "Please use 'devise.mailer.#{key}.subject' instead."
+    initializer "devise.omniauth" do |app|
+      Devise.omniauth_configs.each do |provider, config|
+        app.middleware.use config.strategy_class, *config.args do |strategy|
+          config.strategy = strategy
         end
       end
 
-      config.after_initialize do
-        flash = [:unauthenticated, :unconfirmed, :invalid, :invalid_token, :timeout, :inactive, :locked]
-
-        translations = begin
-          I18n.t("devise.sessions", :raise => true).keys
-        rescue Exception => e # Do not care if something fails
-          []
-        end
-
-        keys = flash & translations
+      if Devise.omniauth_configs.any?
+        Devise.include_helpers(Devise::OmniAuth)
+      end
+    end
 
-        if keys.any?
-          ActiveSupport::Deprecation.warn "The following I18n messages in 'devise.sessions' " \
-            "are deprecated: #{keys.to_sentence}. Please move them to 'devise.failure' instead."
-        end
+    initializer "devise.encryptor_check" do
+      case Devise.encryptor
+      when :bcrypt
+        puts "[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt " <<
+          "since encryptors are only enabled if you include :encryptable in your models. " << 
+          "With this change, we can integrate better with bcrypt and get rid of the " <<
+          "password_salt column (since bcrypt stores the salt with password). " <<
+          "Please comment config.encryptor in your initializer to get rid of this warning."
+      when nil
+        # Nothing to say
+      else
+        puts "[DEVISE] You are using #{Devise.encryptor} as encryptor. From version 1.2, " <<
+          "you need to explicitly add `devise :encryptable, :encryptor => #{Devise.encryptor.to_sym}` " <<
+          "to your models and comment the current value in the config/initializers/devise.rb"
       end
     end
   end
-end
+end

data/lib/devise/rails/routes.rb

@@ -5,7 +5,6 @@ module ActionDispatch::Routing
     def finalize_with_devise!
       finalize_without_devise!
       Devise.configure_warden!
-      ActionController::Base.send :include, Devise::Controllers::Helpers
     end
     alias_method_chain :finalize!, :devise
   end
@@ -70,6 +69,13 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :controllers => { :sessions => "users/sessions" }
     #
+    #  * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #    if you wish to restrict this to accept only :post or :delete requests you should do:
+    #
+    #      devise_for :users, :sign_out_via => [ :post, :delete ]
+    #
+    #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+    #
     #  * :module => the namespace to find controlers. By default, devise will access devise/sessions,
     #    devise/registrations and so on. If you want to namespace all at once, use module:
     #
@@ -85,6 +91,10 @@ module ActionDispatch::Routing
     #    Will use publisher/sessions controller instead of devise/sessions controller. You can revert
     #    this by providing the :module option to devise_for.
     #
+    #    Also pay attention that when you use a namespace it will affect all the helpers and methods for controllers
+    #    and views. For example, using the above setup you'll end with following methods:
+    #    current_publisher_account, authenticate_publisher_account!, pusblisher_account_signed_in, etc.
+    #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
     #      devise_for :users, :skip => :sessions
@@ -113,19 +123,33 @@ module ActionDispatch::Routing
     #     end
     #   end
     #
+    # ==== Adding custom actions to override controllers
+    # 
+    # You can pass a block to devise_for that will add any routes defined in the block to Devise's 
+    # list of known actions.  This is important if you add a custom action to a controller that 
+    # overrides an out of the box Devise controller.
+    # For example:
+    #
+    #    class RegistrationsController < Devise::RegistrationsController
+    #      def update
+    #         # do something different here
+    #      end
+    #
+    #      def deactivate
+    #        # not a standard action
+    #        # deactivate code here
+    #      end
+    #    end
+    #
+    # In order to get Devise to recognize the deactivate action, your devise_for entry should look like this,
+    #
+    #     devise_for :owners, :controllers => { :registrations => "registrations" } do
+    #       post "deactivate", :to => "registrations#deactivate", :as => "deactivate_registration"
+    #     end
+    #
     def devise_for(*resources)
       options = resources.extract_options!
 
-      if as = options.delete(:as)
-        ActiveSupport::Deprecation.warn ":as is deprecated, please use :path instead."
-        options[:path] ||= as
-      end
-
-      if scope = options.delete(:scope)
-        ActiveSupport::Deprecation.warn ":scope is deprecated, please use :singular instead."
-        options[:singular] ||= scope
-      end
-
       options[:as]          ||= @scope[:as]     if @scope[:as].present?
       options[:module]      ||= @scope[:module] if @scope[:module].present?
       options[:path_prefix] ||= @scope[:path]   if @scope[:path].present?
@@ -154,7 +178,7 @@ module ActionDispatch::Routing
         devise_scope mapping.name do
           yield if block_given?
           with_devise_exclusive_scope mapping.fullpath, mapping.name do
-            routes.each { |mod| send(:"devise_#{mod}", mapping, mapping.controllers) }
+            routes.each { |mod| send("devise_#{mod}", mapping, mapping.controllers) }
           end
         end
       end
@@ -203,22 +227,22 @@ module ActionDispatch::Routing
 
       def devise_session(mapping, controllers) #:nodoc:
         resource :session, :only => [], :controller => controllers[:sessions], :path => "" do
-          get  :new,     :path => mapping.path_names[:sign_in],  :as => "new"
-          post :create,  :path => mapping.path_names[:sign_in]
-          get  :destroy, :path => mapping.path_names[:sign_out], :as => "destroy"
+          get   :new,     :path => mapping.path_names[:sign_in],  :as => "new"
+          post  :create,  :path => mapping.path_names[:sign_in]
+          match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy", :via => mapping.sign_out_via
         end
       end
- 
+
       def devise_password(mapping, controllers) #:nodoc:
         resource :password, :only => [:new, :create, :edit, :update],
           :path => mapping.path_names[:password], :controller => controllers[:passwords]
       end
- 
+
       def devise_confirmation(mapping, controllers) #:nodoc:
         resource :confirmation, :only => [:new, :create, :show],
           :path => mapping.path_names[:confirmation], :controller => controllers[:confirmations]
       end
- 
+
       def devise_unlock(mapping, controllers) #:nodoc:
         if mapping.to.unlock_strategy_enabled?(:email)
           resource :unlock, :only => [:new, :create, :show],
@@ -227,8 +251,28 @@ module ActionDispatch::Routing
       end
 
       def devise_registration(mapping, controllers) #:nodoc:
-        resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
-                 :path_names => { :new => mapping.path_names[:sign_up] }, :controller => controllers[:registrations]
+        path_names = {
+          :new => mapping.path_names[:sign_up],
+          :cancel => mapping.path_names[:cancel]
+        }
+
+        resource :registration, :except => :show, :path => mapping.path_names[:registration],
+                 :path_names => path_names, :controller => controllers[:registrations] do
+          get :cancel
+        end
+      end
+
+      def devise_omniauth_callback(mapping, controllers) #:nodoc:
+        path_prefix = "/#{mapping.path}/auth"
+
+        if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
+          warn "[DEVISE] You can only add :omniauthable behavior to one model."
+        else
+          ::OmniAuth.config.path_prefix = path_prefix
+        end
+
+        match "/auth/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
+          :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
       end
 
       def with_devise_exclusive_scope(new_path, new_as) #:nodoc:

data/lib/devise/rails/warden_compat.rb

@@ -3,9 +3,9 @@ module Warden::Mixins::Common
     @request ||= ActionDispatch::Request.new(env)
   end
 
+  # This is called internally by Warden on logout
   def reset_session!
-    raw_session.inspect # why do I have to inspect it to get it to clear?
-    raw_session.clear
+    request.reset_session
   end
 
   def cookies
@@ -15,25 +15,28 @@ end
 
 class Warden::SessionSerializer
   def serialize(record)
-    [record.class.name, record.id]
+    [record.class.name, record.to_key, record.authenticatable_salt]
   end
 
   def deserialize(keys)
-    klass, id = keys
-
-    if klass.is_a?(Class)
+    if keys.size == 2
       raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your cookie secret, forcing all previous " <<
-        "cookies to expire, or cleaning up your database sessions if you are using a db store."
+        "you can fix it by changing one character in your cookie secret or cleaning up your " <<
+        "database sessions if you are using a db store."
     end
 
-    klass.constantize.find(:first, :conditions => { :id => id })
-  rescue NameError => e
-    if e.message =~ /uninitialized constant/
-      Rails.logger.debug "Trying to deserialize invalid class #{klass}"
-      nil
-    else
-      raise
+    klass, id, salt = keys
+
+    begin
+      record = klass.constantize.to_adapter.get(id)
+      record if record && record.authenticatable_salt == salt
+    rescue NameError => e
+      if e.message =~ /uninitialized constant/
+        Rails.logger.debug "[Devise] Trying to deserialize invalid class #{klass}"
+        nil
+      else
+        raise
+      end
     end
   end
 end
@@ -44,10 +47,6 @@ unless Devise.rack_session?
     alias_method :regular_writer, :[]= unless method_defined?(:regular_writer)
     alias_method :regular_update, :update unless method_defined?(:regular_update)
 
-    def [](key)
-      super(convert_key(key))
-    end
-
     def []=(key, value)
       regular_writer(convert_key(key), value)
     end
@@ -92,7 +91,6 @@ unless Devise.rack_session?
     def symbolize_keys; to_hash.symbolize_keys end
 
     def to_options!; self end
-    def to_hash; Hash.new.update(self) end
 
     protected
 

data/lib/devise/schema.rb

@@ -3,11 +3,6 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
-    def authenticatable(*args)
-      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
-      database_authenticatable(*args)
-    end
-
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
@@ -21,17 +16,17 @@ module Devise
       null    = options[:null] || false
       default = options.key?(:default) ? options[:default] : ("" if null == false)
 
-      if options.delete(:encryptor)
-        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
-      end
-
       apply_devise_schema :email,              String, :null => null, :default => default
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
-      apply_devise_schema :password_salt,      String, :null => null, :default => default
-    end      
+    end
+
+    # Creates password salt for encryption support.
+    def encryptable
+      apply_devise_schema :password_salt, String
+    end
 
     # Creates authentication_token.
-    def token_authenticatable(options={})
+    def token_authenticatable
       apply_devise_schema :authentication_token, String
     end
 
@@ -48,8 +43,12 @@ module Devise
     end
 
     # Creates remember_token and remember_created_at.
-    def rememberable
-      apply_devise_schema :remember_token,      String
+    #
+    # == Options
+    # * :use_salt - When true, does not create a remember_token and use password_salt instead.
+    def rememberable(options={})
+      use_salt = options.fetch(:use_salt, Devise.use_salt_as_remember_token)
+      apply_devise_schema :remember_token,      String unless use_salt
       apply_devise_schema :remember_created_at, DateTime
     end
 

data/lib/devise/strategies/authenticatable.rb

@@ -9,7 +9,7 @@ module Devise
       attr_accessor :authentication_hash, :password
 
       def valid?
-        valid_for_http_auth? || valid_for_params_auth?
+        valid_for_params_auth? || valid_for_http_auth?
       end
 
     private
@@ -21,7 +21,6 @@ module Devise
         case result
         when Symbol, String
           fail!(result)
-          false
         else
           result
         end
@@ -97,15 +96,17 @@ module Devise
 
       # Helper to decode credentials from HTTP.
       def decode_credentials
-        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/m
         ActiveSupport::Base64.decode64($1).split(/:/, 2)
       end
 
       # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
-      def with_authentication_hash(hash)
-        self.authentication_hash = hash.slice(*authentication_keys)
-        self.password = hash[:password]
-        authentication_keys.all?{ |k| authentication_hash[k].present? }
+      def with_authentication_hash(auth_values)
+        self.authentication_hash = {}
+        self.password = auth_values[:password]
+
+        parse_authentication_key_values(auth_values, authentication_keys) &&
+        parse_authentication_key_values(request_values, request_keys)
       end
 
       # Holds the authentication keys.
@@ -113,6 +114,31 @@ module Devise
         @authentication_keys ||= mapping.to.authentication_keys
       end
 
+      # Holds request keys.
+      def request_keys
+        @request_keys ||= mapping.to.request_keys
+      end
+
+      # Returns values from the request object.
+      def request_values
+        keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
+        values = keys.map { |k| self.request.send(k) }
+        Hash[keys.zip(values)]
+      end
+
+      # Parse authentication keys considering if they should be enforced or not.
+      def parse_authentication_key_values(hash, keys)
+        keys.each do |key, enforce|
+          value = hash[key].presence
+          if value
+            self.authentication_hash[key] = value
+          else
+            return false unless enforce == false
+          end
+        end
+        true
+      end
+
       # Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable
       # becomes simply :database.
       def authenticatable_name