devise 1.1.9 → 1.2.rc

data/lib/devise/strategies/database_authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
-        elsif !halted?
+        else
           fail(:invalid)
         end
       end

data/lib/devise/strategies/rememberable.rb

@@ -20,7 +20,7 @@ module Devise
 
         if validate(resource)
           success!(resource)
-        elsif !halted?
+        else
           cookies.delete(remember_key)
           pass
         end

data/lib/devise/strategies/token_authenticatable.rb

@@ -10,13 +10,17 @@ module Devise
     # For HTTP, you can pass the token as username and blank password. Since some clients may require
     # a password, you can pass "X" as password and it will simply be ignored.
     class TokenAuthenticatable < Authenticatable
+      def store?
+        !mapping.to.stateless_token
+      end
+
       def authenticate!
         resource = mapping.to.find_for_token_authentication(authentication_hash)
 
         if validate(resource)
           resource.after_token_authentication
           success!(resource)
-        elsif !halted?
+        else
           fail(:invalid_token)
         end
       end
@@ -28,7 +32,7 @@ module Devise
         true
       end
 
-      # Do not use remember_me behavir with token.
+      # Do not use remember_me behavior with token.
       def remember_me?
         false
       end

data/lib/devise/test_helpers.rb

@@ -1,4 +1,11 @@
 module Devise
+  # Devise::TestHelpers provides a facility to test controllers in isolation
+  # when using ActionController::TestCase allowing you to quickly sign_in or
+  # sign_out an user. Do not use Devise::TestHelpers in integration tests.
+  #
+  # Notice you should not test Warden specific behavior (like Warden callbacks)
+  # using Devise::TestHelpers since it is a stub of the actual behavior. Such
+  # callbacks should be tested in your integration suite instead.
   module TestHelpers
     def self.included(base)
       base.class_eval do
@@ -61,6 +68,7 @@ module Devise
     end
 
     # sign_in a given resource by storing its keys in the session.
+    # This method bypass any warden authentication callback.
     #
     # Examples:
     #
@@ -74,6 +82,7 @@ module Devise
     end
 
     # Sign out a given resource or scope by calling logout on Warden.
+    # This method bypass any warden logout callback.
     #
     # Examples:
     #
@@ -83,7 +92,8 @@ module Devise
     def sign_out(resource_or_scope)
       scope = Devise::Mapping.find_scope!(resource_or_scope)
       @controller.instance_variable_set(:"@current_#{scope}", nil)
-      warden.logout(scope)
+      user = warden.instance_variable_get(:@users).delete(scope)
+      warden.session_serializer.delete(scope, user)
     end
 
   end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.9".freeze
+  VERSION = "1.2.rc".freeze
 end

data/lib/generators/active_record/templates/migration.rb

@@ -6,6 +6,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
       t.rememberable
       t.trackable
 
+      # t.encryptable
       # t.confirmable
       # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
       # t.token_authenticatable

data/lib/generators/devise/orm_helpers.rb

@@ -4,7 +4,7 @@ module Devise
       def model_contents
 <<-CONTENT
   # Include default devise modules. Others available are:
-  # :token_authenticatable, :confirmable, :lockable and :timeoutable
+  # :token_authenticatable, :encryptable, :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 
@@ -12,7 +12,8 @@ CONTENT
       end
 
       def model_exists?
-        File.exists?(File.join(destination_root, model_path))
+        return @model_exists if instance_variable_defined?(:@model_exists)
+        @model_exists = File.exists?(File.join(destination_root, model_path))
       end
 
       def model_path

data/lib/generators/templates/devise.rb

@@ -15,23 +15,37 @@ Devise.setup do |config|
   require 'devise/orm/<%= options[:orm] %>'
 
   # ==> Configuration for any authentication mechanism
-  # Configure which keys are used when authenticating an user. By default is
+  # Configure which keys are used when authenticating a user. The default is
   # just :email. You can configure it to use [:username, :subdomain], so for
-  # authenticating an user, both parameters are required. Remember that those
+  # authenticating a user, both parameters are required. Remember that those
   # parameters are used only when authenticating and not when retrieving from
   # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply a hash where the value is a boolean determining whether
+  # or not authentication should be aborted when the value is not present.
   # config.authentication_keys = [ :email ]
 
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to the
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
+  # Configure which authentication keys should be case-insensitive.
+  # These keys will be downcased upon creating or modifying a user and when used
+  # to authenticate or find a user. Default is :email.
+  # config.case_insensitive_keys = [ :email ]
+
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
 
   # Tell if authentication through HTTP Basic Auth is enabled. False by default.
   # config.http_authenticatable = false
 
-  # Set this to true to use Basic Auth for AJAX requests.  True by default.
+  # If http headers should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
-  # The realm used in Http Basic Authentication
+  # The realm used in Http Basic Authentication. "Application" by default.
   # config.http_authentication_realm = "Application"
 
   # ==> Configuration for :database_authenticatable
@@ -39,22 +53,13 @@ Devise.setup do |config|
   # using other encryptors, it sets how many times you want the password re-encrypted.
   config.stretches = 10
 
-  # Define which will be the encryption algorithm. Devise also supports encryptors
-  # from others authentication tools as :clearance_sha1, :authlogic_sha512 (then
-  # you should set stretches above to 20 for default behavior) and :restful_authentication_sha1
-  # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
-  config.encryptor = :bcrypt
-
-  # Setup a pepper to generate the encrypted password.
-  config.pepper = <%= ActiveSupport::SecureRandom.hex(64).inspect %>
-
   # ==> Configuration for :confirmable
   # The time you want to give your user to confirm his account. During this time
-  # he will be able to access your application without confirming. Default is nil.
-  # When confirm_within is zero, the user won't be able to sign in without confirming. 
-  # You can use this to let your user access some features of your application 
-  # without confirming the account, but blocking it after a certain period 
-  # (ie 2 days). 
+  # he will be able to access your application without confirming. Default is 0.days
+  # When confirm_within is zero, the user won't be able to sign in without confirming.
+  # You can use this to let your user access some features of your application
+  # without confirming the account, but blocking it after a certain period
+  # (ie 2 days).
   # config.confirm_within = 2.days
 
   # ==> Configuration for :rememberable
@@ -67,17 +72,21 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
+  # If true, uses the password salt as remember token. This should be turned
+  # to false if you are not using database authenticatable.
+  config.use_salt_as_remember_token = true
+
   # ==> Configuration for :validatable
-  # Range for password length
+  # Range for password length. Default is 6..20.
   # config.password_length = 6..20
 
   # Regex to use to validate the email address
-  # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
+  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
-  # time the user will be asked for credentials again.
-  # config.timeout_in = 10.minutes
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
@@ -99,44 +108,66 @@ Devise.setup do |config|
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
+  # ==> Configuration for :encryptable
+  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # REST_AUTH_SITE_KEY to pepper)
+  # config.encryptor = :sha512
+
+  # Setup a pepper to generate the encrypted password.
+  # config.pepper = <%= ActiveSupport::SecureRandom.hex(64).inspect %>
+
   # ==> Configuration for :token_authenticatable
   # Defines name of the authentication token params key
   # config.token_authentication_key = :auth_token
 
+  # If true, authentication through token does not store user in session and needs
+  # to be supplied on each request. Useful if you are using the token as API token.
+  # config.stateless_token = false
+
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you
   # are using only default views.
-  # config.scoped_views = true
+  # config.scoped_views = false
 
   # Configure the default scope given to Warden. By default it's the first
-  # devise role declared in your routes.
+  # devise role declared in your routes (usually :user).
   # config.default_scope = :user
 
-  # Configure sign_out behavior. 
-  # By default sign_out is scoped (i.e. /users/sign_out affects only :user scope).
-  # In case of sign_out_all_scopes set to true any logout action will sign out all active scopes.
-  # config.sign_out_all_scopes = false
+  # Configure sign_out behavior.
+  # Sign_out action can be scoped (i.e. /users/sign_out affects only :user scope).
+  # The default is true, which means any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = true
 
   # ==> Navigation configuration
   # Lists the formats that should be treated as navigational. Formats like
   # :html, should redirect to the sign in page when the user does not have
   # access, but formats like :xml or :json, should return 401.
+  #
   # If you have any extra navigational formats, like :iphone or :mobile, you
-  # should add them to the navigational formats lists. Default is [:html]
-  # config.navigational_formats = [:html, :iphone]
+  # should add them to the navigational formats lists.
+  #
+  # The :"*/*" format below is required to match Internet Explorer requests.
+  # config.navigational_formats = [:"*/*", :html]
+
+  # The default HTTP method used to sign out a resource. Default is :get.
+  # config.sign_out_via = :get
+
+  # ==> OmniAuth
+  # Add a new OmniAuth provider. Check the wiki for more information on setting
+  # up on your models and hooks.
+  # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
 
   # ==> Warden configuration
-  # If you want to use other strategies, that are not (yet) supported by Devise,
-  # you can configure them inside the config.warden block. The example below
-  # allows you to setup OAuth, using http://github.com/roman/warden_oauth
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
   #
   # config.warden do |manager|
-  #   manager.oauth(:twitter) do |twitter|
-  #     twitter.consumer_secret = <YOUR CONSUMER SECRET>
-  #     twitter.consumer_key  = <YOUR CONSUMER KEY>
-  #     twitter.options :site => 'http://twitter.com'
-  #   end
-  #   manager.default_strategies(:scope => :user).unshift :twitter_oauth
+  #   manager.failure_app   = AnotherApp
+  #   manager.intercept_401 = false
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
   # end
 end

data/test/controllers/helpers_test.rb

@@ -1,51 +1,16 @@
 require 'test_helper'
 require 'ostruct'
 
-class MockController < ApplicationController
-  attr_accessor :env
-
-  def request
-    self
-  end
-
-  def path
-    ''
-  end
-
-  def index
-  end
-
-  def host_with_port
-    "test.host:3000"
-  end
-
-  def protocol
-    "http"
-  end
-
-  def script_name
-    ""
-  end
-
-  def symbolized_path_parameters
-    {}
-  end
-end
-
 class ControllerAuthenticableTest < ActionController::TestCase
-  tests MockController
+  tests ApplicationController
 
   def setup
     @mock_warden = OpenStruct.new
-    @controller.env = { 'warden' => @mock_warden }
-  end
-
-  test 'setup warden' do
-    assert_not_nil @controller.warden
+    @controller.request.env['warden'] = @mock_warden
   end
 
   test 'provide access to warden instance' do
-    assert_equal @controller.warden, @controller.env['warden']
+    assert_equal @mock_warden, @controller.warden
   end
 
   test 'proxy signed_in? to authenticated' do
@@ -54,9 +19,9 @@ class ControllerAuthenticableTest < ActionController::TestCase
   end
 
   test 'proxy anybody_signed_in? to signed_in?' do
-    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+    Devise.mappings.keys.each do |scope| # :user, :admin, :manager
       @controller.expects(:signed_in?).with(scope)
-    }
+    end
     @controller.anybody_signed_in?
   end
 
@@ -90,18 +55,18 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.authenticate_publisher_account!
   end
 
-  test 'proxy user_signed_in? to authenticate? with user scope' do
-    @mock_warden.expects(:authenticate?).with(:scope => :user)
-    @controller.user_signed_in?
+  test 'proxy user_signed_in? to authenticate with user scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :user).returns("user")
+    assert @controller.user_signed_in?
   end
 
-  test 'proxy admin_signed_in? to authenticate? with admin scope' do
-    @mock_warden.expects(:authenticate?).with(:scope => :admin)
-    @controller.admin_signed_in?
+  test 'proxy admin_signed_in? to authenticatewith admin scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :admin)
+    assert_not @controller.admin_signed_in?
   end
 
-  test 'proxy publisher_account_signed_in? to authenticate? with namespaced publisher account scope' do
-    @mock_warden.expects(:authenticate?).with(:scope => :publisher_account)
+  test 'proxy publisher_account_signed_in? to authenticate with namespaced publisher account scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :publisher_account)
     @controller.publisher_account_signed_in?
   end
 
@@ -135,6 +100,13 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.sign_in(user)
   end
 
+  test 'sign in accepts bypass as option' do
+    user = User.new
+    @mock_warden.expects(:session_serializer).returns(serializer = mock())
+    serializer.expects(:store).with(user, :user)
+    @controller.sign_in(user, :bypass => true)
+  end
+
   test 'sign out proxy to logout on warden' do
     @mock_warden.expects(:user).with(:user).returns(true)
     @mock_warden.expects(:logout).with(:user).returns(true)
@@ -147,12 +119,13 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.sign_out(User.new)
   end
 
-  test 'sign out everybody proxy to logout on warden' do
-    Devise.mappings.keys.each { |scope|
-      @mock_warden.expects(:user).with(scope).returns(true)
-    }
+  test 'sign out without args proxy to sign out all scopes' do
+    @mock_warden.expects(:logout).with().returns(true)
+    @controller.sign_out
+  end
 
-    @mock_warden.expects(:logout).with(*Devise.mappings.keys).returns(true)
+  test 'sign out everybody proxy to logout on warden' do
+    @mock_warden.expects(:logout).with().returns(true)
     @controller.sign_out_all_scopes
   end
 
@@ -182,14 +155,6 @@ class ControllerAuthenticableTest < ActionController::TestCase
     assert_equal admin_root_path, @controller.after_sign_in_path_for(:admin)
   end
 
-  test 'after update path defaults to root path if none by was specified for the given scope' do
-    assert_equal root_path, @controller.after_update_path_for(:user)
-  end
-
-  test 'after update path defaults to the scoped root path' do
-    assert_equal admin_root_path, @controller.after_update_path_for(:admin)
-  end
-
   test 'after sign out path defaults to the root path' do
     assert_equal root_path, @controller.after_sign_out_path_for(:admin)
     assert_equal root_path, @controller.after_sign_out_path_for(:user)
@@ -220,12 +185,23 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.sign_in_and_redirect(admin)
   end
 
-  test 'sign out and redirect uses the configured after sign out path' do
-    @mock_warden.expects(:user).with(:admin).returns(true)
-    @mock_warden.expects(:logout).with(:admin).returns(true)
-    @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
-    @controller.sign_out_and_redirect(:admin)
+  test 'sign out and redirect uses the configured after sign out path when signing out only the current scope' do
+    swap Devise, :sign_out_all_scopes => false do
+      @mock_warden.expects(:user).with(:admin).returns(true)
+      @mock_warden.expects(:logout).with(:admin).returns(true)
+      @controller.expects(:redirect_to).with(admin_root_path)
+      @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
+      @controller.sign_out_and_redirect(:admin)
+    end
+  end
+
+  test 'sign out and redirect uses the configured after sign out path when signing out all scopes' do
+    swap Devise, :sign_out_all_scopes => true do
+      @mock_warden.expects(:logout).with().returns(true)
+      @controller.expects(:redirect_to).with(admin_root_path)
+      @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
+      @controller.sign_out_and_redirect(:admin)
+    end
   end
 
   test 'is not a devise controller' do