devise 1.1.pre4 → 1.1.rc0

data/lib/devise/hooks/activatable.rb

@@ -3,13 +3,25 @@ Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active?) && !record.active?
     scope = options[:scope]
     warden.logout(scope)
+    throw :warden, :scope => scope, :message => record.inactive_message
+  end
+end
 
-    # If winning strategy was set, this is being called after authenticate and
-    # there is no need to force a redirect.
-    if warden.winning_strategy
-      warden.winning_strategy.fail!(record.inactive_message)
-    else
-      throw :warden, :scope => scope, :message => record.inactive_message
+module Devise
+  module Hooks
+    # Overwrite Devise base strategy to only authenticate an user if it's active.
+    # If you have an strategy that does not use Devise::Strategy::Base, don't worry
+    # because the hook above will still avoid it to authenticate.
+    module Activatable
+      def success!(resource)
+        if resource.respond_to?(:active?) && !resource.active?
+          fail!(resource.inactive_message)
+        else
+          super
+        end
+      end
     end
   end
 end
+
+Devise::Strategies::Base.send :include, Devise::Hooks::Activatable

data/lib/devise/hooks/rememberable.rb

@@ -1,32 +1,41 @@
-# After authenticate hook to verify if the user in the given scope asked to be
-# remembered while he does not sign out. Generates a new remember token for
-# that specific user and adds a cookie with this user info to sign in this user
-# automatically without asking for credentials. Refer to rememberable strategy
-# for more info.
-Warden::Manager.prepend_after_authentication do |record, warden, options|
-  scope = options[:scope]
-  remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is frozen.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, scope|
+  if record.respond_to?(:forget_me!)
+    record.forget_me! unless record.frozen?
+    warden.cookies.delete "remember_#{scope}_token"
+  end
+end
+
+module Devise
+  module Hooks
+    # Overwrite success! in authentication strategies allowing users to be remembered.
+    # We choose to implement this as an strategy hook instead of a Devise hook to avoid users
+    # giving a remember_me access in strategies that should not create remember me tokens.
+    module Rememberable #:nodoc:
+      def success!(resource)
+        super
 
-  if Devise::TRUE_VALUES.include?(remember_me) &&
-     warden.authenticated?(scope) && record.respond_to?(:remember_me!)
-    record.remember_me!
+        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
+          resource.remember_me!
 
-    warden.response.set_cookie "remember_#{scope}_token", {
-      :value => record.class.serialize_into_cookie(record),
-      :expires => record.remember_expires_at,
-      :path => "/"
-    }
+          cookies.signed["remember_#{scope}_token"] = {
+            :value => resource.class.serialize_into_cookie(resource),
+            :expires => resource.remember_expires_at,
+            :path => "/"
+          }
+        end
+      end
+
+      protected
+
+      def remember_me?
+        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+    end
   end
 end
 
-# Before logout hook to forget the user in the given scope, only if rememberable
-# is activated for this scope. Also clear remember token to ensure the user
-# won't be remembered again.
-# Notice that we forget the user if the record is frozen. This usually means the
-# user was just deleted.
-Warden::Manager.before_logout do |record, warden, scope|
-  if record.respond_to?(:forget_me!)
-    record.forget_me! unless record.frozen?
-    warden.response.delete_cookie "remember_#{scope}_token"
-  end
-end
+Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable

data/lib/devise/hooks/timeoutable.rb

@@ -1,4 +1,4 @@
-# Each time a record is set we check whether it's session has already timed out
+# Each time a record is set we check whether its session has already timed out
 # or not, based on last request time. If so, the record is logged out and
 # redirected to the sign in page. Also, each time the request comes and the
 # record is set, we set the last request time inside it's scoped session to

data/lib/devise/hooks/trackable.rb

@@ -1,7 +1,9 @@
 # After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
-  scope = options[:scope]
-  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(scope)
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope])
     record.update_tracked_fields!(warden.request)
   end
 end

data/lib/devise/mapping.rb

@@ -34,26 +34,19 @@ module Devise
       nil
     end
 
-    # Find a mapping by a given class. It takes into account single table inheritance as well.
-    def self.find_by_class(klass)
-      Devise.mappings.each_value do |mapping|
-        return mapping if klass <= mapping.to
-      end
-      nil
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
       case duck
       when String, Symbol
-        duck
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
       else
-        klass = duck.is_a?(Class) ? duck : duck.class
-        mapping = Devise::Mapping.find_by_class(klass)
-        raise "Could not find a valid mapping for #{duck}" unless mapping
-        mapping.name
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
       end
+
+      raise "Could not find a valid mapping for #{duck}"
     end
 
     def initialize(name, options) #:nodoc:
@@ -84,6 +77,14 @@ module Devise
       klass
     end
 
+    def strategies
+      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
+    end
+
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
+    end
+
     # Keep a list of allowed controllers for this mapping. It's useful to ensure
     # that an Admin cannot access the registrations controller unless it has
     # :registerable in the model.
@@ -104,6 +105,10 @@ module Devise
       path_prefix + as.to_s
     end
 
+    def authenticatable?
+      @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #
@@ -111,7 +116,7 @@ module Devise
     #     self.modules.include?(:confirmable)
     #   end
     #
-    def self.register(m)
+    def self.add_module(m)
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{m}?
           self.modules.include?(:#{m})

data/lib/devise/models.rb

@@ -38,7 +38,7 @@ module Devise
 
     # Include the chosen devise modules in your model:
     #
-    #   devise :authenticatable, :confirmable, :recoverable
+    #   devise :database_authenticatable, :confirmable, :recoverable
     #
     # You can also give any of the devise configuration values in form of a hash,
     # with specific values for this model. Please check your Devise initializer
@@ -46,12 +46,21 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-
       options = modules.extract_options!
+
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
+
+      if modules.delete(:http_authenticatable)
+        ActiveSupport::Deprecation.warn ":http_authenticatable as module is deprecated and is on by default. Revert by setting :http_authenticatable => false.", caller
+      end
+
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 
       devise_modules_hook! do
-        devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }
+        @devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }
         options.each { |key, value| send(:"#{key}=", value) }
       end
     end

data/lib/devise/models/authenticatable.rb

@@ -1,118 +1,42 @@
-require 'devise/strategies/authenticatable'
-
 module Devise
   module Models
-    # Authenticable Module, responsible for encrypting password and validating
-    # authenticity of a user while signing in.
+    # Authenticable module. Holds common settings for authentication.
     #
     # Configuration:
     #
     # You can overwrite configuration values by setting in globally in Devise,
     # using devise method or overwriting the respective instance method.
     #
-    #   pepper: encryption key used for creating encrypted password. Each time
-    #           password changes, it's gonna be encrypted again, and this key
-    #           is added to the password and salt to create a secure hash.
-    #           Always use `rake secret' to generate a new key.
-    #
-    #   stretches: defines how many times the password will be encrypted.
-    #
-    #   encryptor: the encryptor going to be used. By default :sha1.
-    #
-    #   authentication_keys: parameters used for authentication. By default [:email]
+    #   authentication_keys: parameters used for authentication. By default [:email].
     #
-    # Examples:
+    #   http_authenticatable: if this model allows http authentication. By default true.
+    #   It also accepts an array specifying the strategies that should allow http.
     #
-    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
-    #    User.find(1).valid_password?('password123')         # returns true/false
+    #   params_authenticatable: if this model allows authentication through request params. By default true.
+    #   It also accepts an array specifying the strategies that should allow params authentication.
     #
     module Authenticatable
       extend ActiveSupport::Concern
 
-      included do
-        attr_reader :password, :current_password
-        attr_accessor :password_confirmation
-      end
-
-      # Regenerates password salt and encrypted password each time password is set,
-      # and then trigger any "after_changed_password"-callbacks.
-      def password=(new_password)
-        @password = new_password
-
-        if @password.present?
-          self.password_salt = self.class.encryptor_class.salt
-          self.encrypted_password = password_digest(@password)
-        end
-      end
-
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
-      def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
-      end
-
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token == self.authentication_token
-      end
-
-      # Checks if a resource is valid upon authentication.
-      def valid_for_authentication?(attributes)
-        valid_password?(attributes[:password])
-      end
-
-      # Set password and password confirmation to nil
-      def clean_up_passwords
-        self.password = self.password_confirmation = nil
+      # Yields the given block. This method is overwritten by other modules to provide
+      # hooks around authentication.
+      def valid_for_authentication?
+        yield
       end
 
-      # Update record attributes when :current_password matches, otherwise returns
-      # error on :current_password. It also automatically rejects :password and
-      # :password_confirmation if they are blank.
-      def update_with_password(params={})
-        current_password = params.delete(:current_password)
-
-        params.delete(:password)              if params[:password].blank?
-        params.delete(:password_confirmation) if params[:password_confirmation].blank?
-
-        result = if valid_password?(current_password)
-          update_attributes(params)
-        else
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
-          self.attributes = params
-          false
-        end
-
-        clean_up_passwords unless result
-        result
-      end
-
-      protected
-
-        # Digests the password using the configured encryptor.
-        def password_digest(password)
-          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
-        end
-
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
+        Devise::Models.config(self, :authentication_keys, :http_authenticatable, :params_authenticatable)
 
-        # Authenticate a user based on configured attribute keys. Returns the
-        # authenticated user if it's valid or nil.
-        def authenticate(attributes={})
-          return unless authentication_keys.all? { |k| attributes[k].present? }
-          conditions = attributes.slice(*authentication_keys)
-          resource = find_for_authentication(conditions)
-          resource if resource.try(:valid_for_authentication?, attributes)
+        def params_authenticatable?(strategy)
+          params_authenticatable.is_a?(Array) ?
+            params_authenticatable.include?(strategy) : params_authenticatable
         end
 
-        # Returns the class for the configured encryptor.
-        def encryptor_class
-          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+        def http_authenticatable?(strategy)
+          http_authenticatable.is_a?(Array) ?
+            http_authenticatable.include?(strategy) : http_authenticatable
         end
 
-      protected
-
         # Find first record based on conditions given (ie by the sign in form).
         # Overwrite to add customized conditions, create a join, or maybe use a
         # namedscope to filter records while authenticating.
@@ -120,7 +44,7 @@ module Devise
         #
         #   def self.find_for_authentication(conditions={})
         #     conditions[:active] = true
-        #     find(:first, :conditions => conditions)
+        #     super
         #   end
         #
         def find_for_authentication(conditions)
@@ -129,4 +53,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/models/confirmable.rb

@@ -49,7 +49,7 @@ module Devise
 
       # Verifies whether a user is confirmed or not
       def confirmed?
-        !new_record? && !confirmed_at.nil?
+        persisted? && !confirmed_at.nil?
       end
 
       # Send confirmation instructions by email
@@ -57,15 +57,9 @@ module Devise
         ::Devise::Mailer.confirmation_instructions(self).deliver
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
-      def resend_confirmation!
-        unless_confirmed do
-          generate_confirmation_token
-          save(:validate => false)
-          send_confirmation_instructions
-        end
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -78,11 +72,7 @@ module Devise
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        if !confirmed?
-          :unconfirmed
-        else
-          super
-        end
+        !confirmed? ? :unconfirmed : super
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -137,7 +127,7 @@ module Devise
         # this token is being generated
         def generate_confirmation_token
           self.confirmed_at = nil
-          self.confirmation_token = Devise.friendly_token
+          self.confirmation_token = self.class.confirmation_token
           self.confirmation_sent_at = Time.now.utc
         end
 
@@ -148,7 +138,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable.resend_confirmation_token if confirmable.persisted?
           confirmable
         end
 
@@ -156,12 +146,16 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm!(attributes={})
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
-          confirmable.confirm! unless confirmable.new_record?
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          confirmable.confirm! if confirmable.persisted?
           confirmable
         end
 
+        def confirmation_token
+          Devise.friendly_token
+        end
+
         Devise::Models.config(self, :confirm_within)
       end
     end

data/lib/devise/models/database_authenticatable.rb

@@ -0,0 +1,99 @@
+require 'devise/models/authenticatable'
+require 'devise/strategies/database_authenticatable'
+
+module Devise
+  module Models
+    # Authenticable Module, responsible for encrypting password and validating
+    # authenticity of a user while signing in.
+    #
+    # Configuration:
+    #
+    # You can overwrite configuration values by setting in globally in Devise,
+    # using devise method or overwriting the respective instance method.
+    #
+    #   pepper: encryption key used for creating encrypted password. Each time
+    #           password changes, it's gonna be encrypted again, and this key
+    #           is added to the password and salt to create a secure hash.
+    #           Always use `rake secret' to generate a new key.
+    #
+    #   stretches: defines how many times the password will be encrypted.
+    #
+    #   encryptor: the encryptor going to be used. By default :sha1.
+    #
+    # Examples:
+    #
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module DatabaseAuthenticatable
+      extend  ActiveSupport::Concern
+      include Devise::Models::Authenticatable
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      # Regenerates password salt and encrypted password each time password is set,
+      # and then trigger any "after_changed_password"-callbacks.
+      def password=(new_password)
+        @password = new_password
+
+        if @password.present?
+          self.password_salt = self.class.encryptor_class.salt
+          self.encrypted_password = password_digest(@password)
+        end
+      end
+
+      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      def valid_password?(incoming_password)
+        password_digest(incoming_password) == self.encrypted_password
+      end
+
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
+      def update_with_password(params={})
+        current_password = params.delete(:current_password)
+
+        params.delete(:password)              if params[:password].blank?
+        params.delete(:password_confirmation) if params[:password_confirmation].blank?
+
+        result = if valid_password?(current_password)
+          update_attributes(params)
+        else
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          self.attributes = params
+          false
+        end
+
+        clean_up_passwords
+        result
+      end
+
+    protected
+
+      # Digests the password using the configured encryptor.
+      def password_digest(password)
+        self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches, :encryptor)
+
+        # Returns the class for the configured encryptor.
+        def encryptor_class
+          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+        end
+
+        def find_for_database_authentication(*args)
+          find_for_authentication(*args)
+        end
+      end
+    end
+  end
+end