RubyGems - devise - Versions diffs - 1.1.9 → 1.2.rc - Mend

devise 1.1.9 → 1.2.rc

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (121) hide show

data/CHANGELOG.rdoc +34 -26
data/README.rdoc +134 -100
data/app/controllers/devise/confirmations_controller.rb +1 -1
data/app/controllers/devise/omniauth_callbacks_controller.rb +26 -0
data/app/controllers/devise/passwords_controller.rb +1 -1
data/app/controllers/devise/registrations_controller.rb +59 -6
data/app/controllers/devise/sessions_controller.rb +3 -2
data/app/controllers/devise/unlocks_controller.rb +1 -1
data/app/helpers/devise_helper.rb +4 -2
data/app/mailers/devise/mailer.rb +27 -10
data/app/views/devise/confirmations/new.html.erb +1 -1
data/app/views/devise/passwords/edit.html.erb +2 -2
data/app/views/devise/passwords/new.html.erb +1 -1
data/app/views/devise/registrations/edit.html.erb +1 -1
data/app/views/devise/registrations/new.html.erb +1 -1
data/app/views/devise/sessions/new.html.erb +1 -1
data/app/views/devise/shared/_links.erb +6 -0
data/app/views/devise/unlocks/new.html.erb +1 -1
data/config/locales/en.yml +9 -2
data/lib/devise.rb +116 -58
data/lib/devise/controllers/helpers.rb +103 -107
data/lib/devise/controllers/internal_helpers.rb +23 -7
data/lib/devise/controllers/scoped_views.rb +4 -6
data/lib/devise/controllers/url_helpers.rb +3 -5
data/lib/devise/encryptors/base.rb +1 -1
data/lib/devise/encryptors/restful_authentication_sha1.rb +4 -4
data/lib/devise/failure_app.rb +29 -21
data/lib/devise/hooks/forgetable.rb +2 -1
data/lib/devise/hooks/rememberable.rb +11 -9
data/lib/devise/mapping.rb +12 -5
data/lib/devise/models.rb +0 -14
data/lib/devise/models/authenticatable.rb +40 -30
data/lib/devise/models/confirmable.rb +11 -15
data/lib/devise/models/database_authenticatable.rb +23 -35
data/lib/devise/models/encryptable.rb +65 -0
data/lib/devise/models/lockable.rb +8 -7
data/lib/devise/models/omniauthable.rb +23 -0
data/lib/devise/models/recoverable.rb +5 -3
data/lib/devise/models/registerable.rb +13 -0
data/lib/devise/models/rememberable.rb +38 -30
data/lib/devise/models/timeoutable.rb +20 -3
data/lib/devise/models/token_authenticatable.rb +19 -7
data/lib/devise/models/validatable.rb +16 -4
data/lib/devise/modules.rb +15 -8
data/lib/devise/omniauth.rb +47 -0
data/lib/devise/omniauth/config.rb +30 -0
data/lib/devise/omniauth/test_helpers.rb +57 -0
data/lib/devise/omniauth/url_helpers.rb +29 -0
data/lib/devise/orm/active_record.rb +2 -0
data/lib/devise/orm/mongoid.rb +4 -2
data/lib/devise/rails.rb +26 -46
data/lib/devise/rails/routes.rb +64 -20
data/lib/devise/rails/warden_compat.rb +18 -20
data/lib/devise/schema.rb +13 -14
data/lib/devise/strategies/authenticatable.rb +33 -7
data/lib/devise/strategies/database_authenticatable.rb +1 -1
data/lib/devise/strategies/rememberable.rb +1 -1
data/lib/devise/strategies/token_authenticatable.rb +6 -2
data/lib/devise/test_helpers.rb +11 -1
data/lib/devise/version.rb +1 -1
data/lib/generators/active_record/templates/migration.rb +1 -0
data/lib/generators/devise/orm_helpers.rb +3 -2
data/lib/generators/templates/devise.rb +70 -39
data/test/controllers/helpers_test.rb +43 -67
data/test/controllers/internal_helpers_test.rb +29 -8
data/test/controllers/url_helpers_test.rb +2 -1
data/test/failure_app_test.rb +56 -21
data/test/generators/generators_test_helper.rb +4 -0
data/test/generators/install_generator_test.rb +14 -0
data/test/generators/views_generator_test.rb +37 -0
data/test/integration/authenticatable_test.rb +147 -62
data/test/integration/database_authenticatable_test.rb +22 -0
data/test/integration/http_authenticatable_test.rb +12 -2
data/test/integration/omniauthable_test.rb +107 -0
data/test/integration/recoverable_test.rb +39 -20
data/test/integration/registerable_test.rb +30 -4
data/test/integration/rememberable_test.rb +57 -34
data/test/integration/timeoutable_test.rb +10 -1
data/test/integration/token_authenticatable_test.rb +12 -17
data/test/mailers/confirmation_instructions_test.rb +4 -0
data/test/mailers/reset_password_instructions_test.rb +4 -0
data/test/mailers/unlock_instructions_test.rb +4 -0
data/test/mapping_test.rb +37 -3
data/test/models/confirmable_test.rb +3 -3
data/test/models/database_authenticatable_test.rb +14 -71
data/test/models/encryptable_test.rb +65 -0
data/test/models/lockable_test.rb +17 -1
data/test/models/recoverable_test.rb +17 -0
data/test/models/rememberable_test.rb +186 -125
data/test/models/token_authenticatable_test.rb +1 -13
data/test/models_test.rb +5 -5
data/test/omniauth/url_helpers_test.rb +47 -0
data/test/rails_app/app/active_record/admin.rb +4 -1
data/test/rails_app/app/active_record/user.rb +5 -4
data/test/rails_app/app/controllers/{sessions_controller.rb → admins/sessions_controller.rb} +1 -1
data/test/rails_app/app/controllers/home_controller.rb +9 -0
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +7 -0
data/test/rails_app/app/mongoid/admin.rb +4 -1
data/test/rails_app/app/mongoid/shim.rb +16 -3
data/test/rails_app/app/mongoid/user.rb +5 -5
data/test/rails_app/config/initializers/devise.rb +52 -28
data/test/rails_app/config/routes.rb +14 -6
data/test/rails_app/db/migrate/20100401102949_create_tables.rb +21 -17
data/test/rails_app/db/schema.rb +17 -51
data/test/rails_app/lib/shared_admin.rb +9 -0
data/test/rails_app/lib/shared_user.rb +23 -0
data/test/routes_test.rb +42 -9
data/test/support/integration.rb +3 -3
data/test/support/webrat/integrations/rails.rb +7 -0
data/test/test_helper.rb +2 -0
data/test/test_helpers_test.rb +29 -0
metadata +60 -30
data/Gemfile +0 -27
data/Gemfile.lock +0 -115
data/Rakefile +0 -55
data/TODO +0 -3
data/lib/devise/encryptors/bcrypt.rb +0 -19
data/lib/generators/devise_install_generator.rb +0 -4
data/lib/generators/devise_views_generator.rb +0 -4
data/test/indifferent_hash.rb +0 -33
data/test/support/test_silencer.rb +0 -5

data/test/controllers/internal_helpers_test.rb CHANGED

@@ -22,16 +22,16 @@ class HelpersTest < ActionController::TestCase
   end
   test 'get resource instance variable from env' do
-    @controller.instance_variable_set(:@user, admin = Admin.new)
-    assert_equal admin, @controller.resource
+    @controller.instance_variable_set(:@user, user = User.new)
+    assert_equal user, @controller.resource
   end
   test 'set resource instance variable from env' do
-    admin = @controller.send(:resource_class).new
-    @controller.send(:resource=, admin)
+    user = @controller.send(:resource_class).new
+    @controller.send(:resource=, user)
-    assert_equal admin, @controller.send(:resource)
-    assert_equal admin, @controller.instance_variable_get(:@user)
+    assert_equal user, @controller.send(:resource)
+    assert_equal user, @controller.instance_variable_get(:@user)
   end
   test 'resources methods are not controller actions' do
@@ -39,13 +39,34 @@ class HelpersTest < ActionController::TestCase
   end
   test 'require no authentication tests current mapping' do
-    @controller.expects(:resource_name).returns(:user).twice
     @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication
   end
+  test 'signed in resource returns signed in resource for current scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :user).returns(User.new)
+    assert_kind_of User, @controller.signed_in_resource
+  end
   test 'is a devise controller' do
     assert @controller.devise_controller?
   end
+  test 'does not issue blank flash messages' do
+    MyController.send(:public, :set_flash_message)
+    I18n.stubs(:t).returns('   ')
+    @controller.set_flash_message :notice, :send_instructions
+    assert flash[:notice].nil?
+    MyController.send(:protected, :set_flash_message)
+  end
+  test 'issues non-blank flash messages normally' do
+    MyController.send(:public, :set_flash_message)
+    I18n.stubs(:t).returns('non-blank')
+    @controller.set_flash_message :notice, :send_instructions
+    assert flash[:notice] == 'non-blank'
+    MyController.send(:protected, :set_flash_message)
+  end
 end

data/test/controllers/url_helpers_test.rb CHANGED

@@ -20,7 +20,7 @@ class RoutesTest < ActionController::TestCase
                  send(:"#{prepend_path}user_#{name}_url", :param => 123)
     @request.path = nil
-    # With an AR object
+    # With an object
     assert_equal @controller.send(:"#{prepend_path}#{name}_path", User.new),
                  send(:"#{prepend_path}user_#{name}_path")
     assert_equal @controller.send(:"#{prepend_path}#{name}_url", User.new),
@@ -54,5 +54,6 @@ class RoutesTest < ActionController::TestCase
     assert_path_and_url :registration
     assert_path_and_url :registration, :new
     assert_path_and_url :registration, :edit
+    assert_path_and_url :registration, :cancel
   end
 end

data/test/failure_app_test.rb CHANGED

@@ -13,11 +13,11 @@ class FailureTest < ActiveSupport::TestCase
       'REQUEST_METHOD' => 'GET',
       'warden.options' => { :scope => :user },
       'rack.session' => {},
-      'action_dispatch.request.formats' => Array(env_params.delete('formats') || Mime::HTML),
+      'action_dispatch.request.formats' => Array(env_params.delete('formats') || :html),
       'rack.input' => "",
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)
     @response = Devise::FailureApp.call(env).to_a
     @request  = ActionDispatch::Request.new(env)
   end
@@ -28,6 +28,11 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 302, @response.first
     end
+    test 'return 302 status for wildcard requests' do
+      call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
+      assert_equal 302, @response.first
+    end
     test 'return to the default redirect location' do
       call_failure
       assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
@@ -72,37 +77,68 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 401, @response.first
     end
-    test 'return WWW-authenticate headers' do
+    test 'return 401 status for unknown formats' do
+      call_failure 'formats' => []
+      assert_equal 401, @response.first
+    end
+    test 'return WWW-authenticate headers if model allows' do
       call_failure('formats' => :xml)
       assert_equal 'Basic realm="Application"', @response.second["WWW-Authenticate"]
     end
-    test 'dont return WWW-authenticate on ajax call if http_authenticatable_on_xhr false' do
-      swap Devise, :http_authenticatable_on_xhr => false do
-        call_failure('formats' => :html, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
-        assert_equal 302, @response.first
-        assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
-        assert_nil @response.second['WWW-Authenticate']
+    test 'does not return WWW-authenticate headers if model does not allow' do
+      swap Devise, :http_authenticatable => false do
+        call_failure('formats' => :xml)
+        assert_nil @response.second["WWW-Authenticate"]
       end
     end
-    test 'return WWW-authenticate on ajax call if http_authenticatable_on_xhr true' do
-      swap Devise, :http_authenticatable_on_xhr => true do
-        call_failure('formats' => :html, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
+    test 'works for any non navigational format' do
+      swap Devise, :navigational_formats => [] do
+        call_failure('formats' => :html)
         assert_equal 401, @response.first
-        assert_equal 'Basic realm="Application"', @response.second["WWW-Authenticate"]
       end
     end
-    test 'uses the proxy failure message as response body' do
+    test 'uses the failure message as response body' do
       call_failure('formats' => :xml, 'warden' => OpenStruct.new(:message => :invalid))
       assert_match '<error>Invalid email or password.</error>', @response.third.body
     end
-    test 'works for any non navigational format' do
-      swap Devise, :navigational_formats => [] do
-        call_failure('formats' => :html)
-        assert_equal 401, @response.first
+    context 'on ajax call' do
+      context 'when http_authenticatable_on_xhr is false' do
+        test 'dont return 401 with navigational formats' do
+          swap Devise, :http_authenticatable_on_xhr => false do
+            call_failure('formats' => :html, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
+            assert_equal 302, @response.first
+            assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
+          end
+        end
+        test 'dont return 401 with non navigational formats' do
+          swap Devise, :http_authenticatable_on_xhr => false do
+            call_failure('formats' => :json, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
+            assert_equal 302, @response.first
+            assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
+          end
+        end
+      end
+      context 'when http_authenticatable_on_xhr is true' do
+        test 'return 401' do
+          swap Devise, :http_authenticatable_on_xhr => true do
+            call_failure('formats' => :html, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
+            assert_equal 401, @response.first
+          end
+        end
+        test 'skip WWW-Authenticate header' do
+          swap Devise, :http_authenticatable_on_xhr => true do
+            call_failure('formats' => :html, 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest')
+            assert_nil @response.second['WWW-Authenticate']
+          end
+        end
       end
     end
   end
@@ -110,8 +146,7 @@ class FailureTest < ActiveSupport::TestCase
   context 'With recall' do
     test 'calls the original controller' do
       env = {
-        "action_dispatch.request.parameters" => { :controller => "devise/sessions" },
-        "warden.options" => { :recall => "new", :attempted_path => "/users/sign_in" },
+        "warden.options" => { :recall => "devise/sessions#new", :attempted_path => "/users/sign_in" },
         "devise.mapping" => Devise.mappings[:user],
         "warden" => stub_everything
       }

data/test/generators/generators_test_helper.rb ADDED

@@ -0,0 +1,4 @@
+require "rubygems"
+require "rails/generators/test_case"
+require File.join(File.dirname(__FILE__), "../../lib/generators/devise/install_generator")
+require File.join(File.dirname(__FILE__), "../../lib/generators/devise/views_generator")

data/test/generators/install_generator_test.rb ADDED

@@ -0,0 +1,14 @@
+require File.join(File.dirname(__FILE__),"generators_test_helper.rb")
+class InstallGeneratorTest < Rails::Generators::TestCase
+  tests Devise::Generators::InstallGenerator
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+  test "Assert all files are properly created" do
+    run_generator
+    assert_file "config/initializers/devise.rb"
+    assert_file "config/locales/devise.en.yml"
+  end
+end

data/test/generators/views_generator_test.rb ADDED

@@ -0,0 +1,37 @@
+require File.join(File.dirname(__FILE__),"generators_test_helper.rb")
+class ViewsGeneratorTest < Rails::Generators::TestCase
+  tests Devise::Generators::ViewsGenerator
+  destination File.expand_path("../tmp", File.dirname(__FILE__))
+  setup :prepare_destination
+  test "Assert all views are properly created with no params" do
+    run_generator
+    assert_files
+  end
+  test "Assert all views are properly created with scope param param" do
+    run_generator %w(users)
+    assert_files "users"
+    run_generator %w(admins)
+    assert_files "admins"
+  end
+  def assert_files(scope = nil, template_engine = nil)
+    scope = "devise" if scope.nil?
+    assert_file "app/views/#{scope}/confirmations/new.html.erb"
+    assert_file "app/views/#{scope}/mailer/confirmation_instructions.html.erb"
+    assert_file "app/views/#{scope}/mailer/reset_password_instructions.html.erb"
+    assert_file "app/views/#{scope}/mailer/unlock_instructions.html.erb"
+    assert_file "app/views/#{scope}/passwords/edit.html.erb"
+    assert_file "app/views/#{scope}/passwords/new.html.erb"
+    assert_file "app/views/#{scope}/registrations/new.html.erb"
+    assert_file "app/views/#{scope}/registrations/edit.html.erb"
+    assert_file "app/views/#{scope}/sessions/new.html.erb"
+    assert_file "app/views/#{scope}/shared/_links.erb"
+    assert_file "app/views/#{scope}/unlocks/new.html.erb"
+  end
+end

data/test/integration/authenticatable_test.rb CHANGED

@@ -1,15 +1,6 @@
 require 'test_helper'
 class AuthenticationSanityTest < ActionController::IntegrationTest
-  def setup
-    Devise.sign_out_all_scopes = false
-  end
-  def teardown
-    Devise.sign_out_all_scopes = false
-  end
   test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
@@ -18,14 +9,12 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
   test 'sign in as user should not authenticate admin scope' do
     sign_in_as_user
     assert warden.authenticated?(:user)
     assert_not warden.authenticated?(:admin)
   end
   test 'sign in as admin should not authenticate user scope' do
     sign_in_as_admin
     assert warden.authenticated?(:admin)
     assert_not warden.authenticated?(:user)
   end
@@ -33,59 +22,61 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
   test 'sign in as both user and admin at same time' do
     sign_in_as_user
     sign_in_as_admin
     assert warden.authenticated?(:user)
     assert warden.authenticated?(:admin)
   end
   test 'sign out as user should not touch admin authentication if sign_out_all_scopes is false' do
-    sign_in_as_user
-    sign_in_as_admin
-    get destroy_user_session_path
-    assert_not warden.authenticated?(:user)
-    assert warden.authenticated?(:admin)
+    swap Devise, :sign_out_all_scopes => false do
+      sign_in_as_user
+      sign_in_as_admin
+      get destroy_user_session_path
+      assert_not warden.authenticated?(:user)
+      assert warden.authenticated?(:admin)
+    end
   end
   test 'sign out as admin should not touch user authentication if sign_out_all_scopes is false' do
-    sign_in_as_user
-    sign_in_as_admin
+    swap Devise, :sign_out_all_scopes => false do
+      sign_in_as_user
+      sign_in_as_admin
-    get destroy_admin_session_path
-    assert_not warden.authenticated?(:admin)
-    assert warden.authenticated?(:user)
+      get destroy_admin_session_path
+      assert_not warden.authenticated?(:admin)
+      assert warden.authenticated?(:user)
+    end
   end
   test 'sign out as user should also sign out admin if sign_out_all_scopes is true' do
-    Devise.sign_out_all_scopes = true
-    sign_in_as_user
-    sign_in_as_admin
+    swap Devise, :sign_out_all_scopes => true do
+      sign_in_as_user
+      sign_in_as_admin
-    get destroy_user_session_path
-    assert_not warden.authenticated?(:user)
-    assert_not warden.authenticated?(:admin)
+      get destroy_user_session_path
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
+    end
   end
   test 'sign out as admin should also sign out user if sign_out_all_scopes is true' do
-    Devise.sign_out_all_scopes = true
-    sign_in_as_user
-    sign_in_as_admin
+    swap Devise, :sign_out_all_scopes => true do
+      sign_in_as_user
+      sign_in_as_admin
-    get destroy_admin_session_path
-    assert_not warden.authenticated?(:admin)
-    assert_not warden.authenticated?(:user)
+      get destroy_admin_session_path
+      assert_not warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:user)
+    end
   end
   test 'not signed in as admin should not be able to access admins actions' do
     get admins_path
     assert_redirected_to new_admin_session_path
     assert_not warden.authenticated?(:admin)
   end
   test 'not signed in as admin should not be able to access private route restricted to admins' do
     get private_path
     assert_redirected_to new_admin_session_path
     assert_not warden.authenticated?(:admin)
   end
@@ -94,7 +85,6 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
     sign_in_as_user
     assert warden.authenticated?(:user)
     assert_not warden.authenticated?(:admin)
     get private_path
     assert_redirected_to new_admin_session_path
   end
@@ -237,6 +227,25 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
+  test 'does not explode when invalid user class is stored in session' do
+    klass = User
+    paths = ActiveSupport::Dependencies.autoload_paths.dup
+    begin
+      sign_in_as_user
+      assert warden.authenticated?(:user)
+      Object.send :remove_const, :User
+      ActiveSupport::Dependencies.autoload_paths.clear
+      visit "/users"
+      assert_not warden.authenticated?(:user)
+    ensure
+      Object.const_set(:User, klass)
+      ActiveSupport::Dependencies.autoload_paths.replace(paths)
+    end
+  end
   test 'session id is changed on sign in' do
     get '/users'
     session_id = request.session["session_id"]
@@ -288,25 +297,13 @@ class AuthenticationWithScopesTest < ActionController::IntegrationTest
       end
     end
   end
-  test 'uses the mapping from router' do
-    sign_in_as_user :visit => "/as/sign_in"
-    assert warden.authenticated?(:user)
-    assert_not warden.authenticated?(:admin)
-  end
-  test 'uses the mapping from nested devise_for call' do
-    sign_in_as_user :visit => "/devise_for/sign_in"
-    assert warden.authenticated?(:user)
-    assert_not warden.authenticated?(:admin)
-  end
 end
 class AuthenticationOthersTest < ActionController::IntegrationTest
   test 'uses the custom controller with the custom controller view' do
     get '/admin_area/sign_in'
     assert_contain 'Sign in'
-    assert_contain 'Welcome to "sessions" controller!'
+    assert_contain 'Welcome to "admins/sessions" controller!'
     assert_contain 'Welcome to "sessions/new" view!'
   end
@@ -315,6 +312,11 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert_equal 404, response.status
   end
+  test 'does not intercept Rails 401 responses' do
+    get '/unauthenticated'
+    assert_equal 401, response.status
+  end
   test 'render 404 on roles without mapping' do
     assert_raise AbstractController::ActionNotFound do
       get '/sign_in'
@@ -328,28 +330,111 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     end
   end
-  test 'registration in xml format' do
+  test 'registration in xml format works when recognizing path' do
     assert_nothing_raised do
       post user_registration_path(:format => 'xml', :user => {:email => "test@example.com", :password => "invalid"} )
     end
   end
-  test 'does not explode when invalid user class is stored in session' do
-    klass = User
-    paths = ActiveSupport::Dependencies.autoload_paths.dup
+  test 'uses the mapping from router' do
+    sign_in_as_user :visit => "/as/sign_in"
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
-    begin
+  test 'uses the mapping from nested devise_for call' do
+    sign_in_as_user :visit => "/devise_for/sign_in"
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+end
+class AuthenticationRequestKeysTest < ActionController::IntegrationTest
+  test 'request keys are used on authentication' do
+    host! 'foo.bar.baz'
+    swap Devise, :request_keys => [:subdomain] do
+      User.expects(:find_for_authentication).with(:subdomain => 'foo', :email => 'user@test.com').returns(create_user)
       sign_in_as_user
       assert warden.authenticated?(:user)
+    end
+  end
-      Object.send :remove_const, :User
-      ActiveSupport::Dependencies.autoload_paths.clear
+  test 'invalid request keys raises NoMethodError' do
+    swap Devise, :request_keys => [:unknown_method] do
+      assert_raise NoMethodError do
+        sign_in_as_user
+      end
-      visit "/users"
       assert_not warden.authenticated?(:user)
-    ensure
-      Object.const_set(:User, klass)
-      ActiveSupport::Dependencies.autoload_paths.replace(paths)
     end
   end
+  test 'blank request keys cause authentication to abort' do
+    host! 'test.com'
+    swap Devise, :request_keys => [:subdomain] do
+      sign_in_as_user
+      assert_contain "Invalid email or password."
+      assert_not warden.authenticated?(:user)
+    end
+  end
+  test 'blank request keys cause authentication to abort unless if marked as not required' do
+    host! 'test.com'
+    swap Devise, :request_keys => { :subdomain => false } do
+      sign_in_as_user
+      assert warden.authenticated?(:user)
+    end
+  end
+end
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    sign_in_as_admin(:visit => send("new_#{scope}_session_path"))
+    assert warden.authenticated?(scope)
+  end
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+  test 'allow sign out via delete when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    delete destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+  test 'allow sign out via post when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    post destroy_sign_out_via_delete_or_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
+  end
+  test 'do not allow sign out via get when sign_out_via provides delete and post' do
+    sign_in!(:sign_out_via_delete_or_post)
+    get destroy_sign_out_via_delete_or_post_session_path
+    assert warden.authenticated?(:sign_out_via_delete_or_post)
+  end
 end