devise 1.1.pre4 → 1.1.rc0

data/lib/devise/strategies/rememberable.rb

@@ -4,31 +4,35 @@ module Devise
   module Strategies
     # Remember the user through the remember token. This strategy is responsible
     # to verify whether there is a cookie with the remember token, and to
-    # recreate the user from this cookie if it exists.  Must be called *before*
+    # recreate the user from this cookie if it exists. Must be called *before*
     # authenticatable.
     class Rememberable < Devise::Strategies::Base
-
       # A valid strategy for rememberable needs a remember token in the cookies.
       def valid?
-        remember_me_cookie.present? && mapping.to.respond_to?(:serialize_from_cookie)
+        remember_cookie.present?
       end
 
       # To authenticate a user we deserialize the cookie and attempt finding
       # the record in the database. If the attempt fails, we pass to another
       # strategy handle the authentication.
       def authenticate!
-        if resource = mapping.to.serialize_from_cookie(remember_me_cookie)
+        if resource = mapping.to.serialize_from_cookie(*remember_cookie)
           success!(resource)
         else
+          cookies.delete(remember_key)
           pass
         end
       end
 
     private
 
+      def remember_key
+        "remember_#{scope}_token"
+      end
+
       # Accessor for remember cookie
-      def remember_me_cookie
-        @remember_me_cookie ||= request.cookies["remember_#{mapping.name}_token"]
+      def remember_cookie
+        @remember_cookie ||= cookies.signed[remember_key]
       end
     end
   end

data/lib/devise/strategies/token_authenticatable.rb

@@ -2,33 +2,42 @@ require 'devise/strategies/base'
 
 module Devise
   module Strategies
-    # Strategy for signing in a user, based on a authenticatable token.
-    # Redirects to sign_in page if it's not authenticated.
-    class TokenAuthenticatable < Base
-      def valid?
-        mapping.to.respond_to?(:authenticate_with_token) && authentication_token(scope).present?
-      end
-
-      # Authenticate a user based on authenticatable token params, returning to warden
-      # success and the authenticated user if everything is okay. Otherwise redirect
-      # to sign in page.
+    # Strategy for signing in a user, based on a authenticatable token. This works for both params
+    # and http. For the former, all you need to do is to pass the params in the URL:
+    #
+    #   http://myapp.example.com/?user_token=SECRET
+    #
+    # For HTTP, you can pass the token as username. Since some clients may require a password,
+    # you can pass anything and it will simply be ignored.
+    class TokenAuthenticatable < Authenticatable
       def authenticate!
-        if resource = mapping.to.authenticate_with_token(params[scope] || params)
+        if resource = mapping.to.authenticate_with_token(authentication_hash)
           success!(resource)
         else
-          fail!(:invalid_token)
+          fail(:invalid_token)
         end
       end
 
     private
 
-      # Detect authentication token in params: scoped or not.
-      def authentication_token(scope)
-        if params[scope]
-          params[scope][mapping.to.token_authentication_key]
-        else
-          params[mapping.to.token_authentication_key]
-        end
+      # TokenAuthenticatable request is valid for any controller and any verb.
+      def valid_request?
+        true
+      end
+
+      # Do not use remember_me behavir with token.
+      def remember_me?
+        false
+      end
+
+      # Try both scoped and non scoped keys.
+      def params_auth_hash
+        params[scope] || params
+      end
+
+      # Overwrite authentication keys to use token_authentication_key.
+      def authentication_keys
+        @authentication_keys ||= [mapping.to.token_authentication_key]
       end
     end
   end

data/lib/devise/test_helpers.rb

@@ -15,7 +15,7 @@ module Devise
       def initialize(controller)
         @controller = controller
         manager = Warden::Manager.new(nil) do |config|
-          Devise.configure_warden(config)
+          config.merge! Devise.warden_config
         end
         super(controller.request.env, manager)
       end
@@ -24,6 +24,10 @@ module Devise
         catch_with_redirect { super }
       end
 
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
       def catch_with_redirect(&block)
         result = catch(:warden, &block)
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.pre4".freeze
+  VERSION = "1.1.rc0".freeze
 end

data/lib/generators/devise/devise_generator.rb

@@ -18,22 +18,28 @@ class DeviseGenerator < Rails::Generators::NamedBase
     Time.now.utc.strftime("%Y%m%d%H%M%S")
   end
 
+  class_option :orm
   class_option :migration, :type => :boolean, :default => orm_has_migration?
 
   def invoke_orm_model
-    if File.exists?(File.join(destination_root, model_path))
+    if model_exists?
       say "* Model already exists. Adding Devise behavior."
     else
-      invoke "model", [name], :migration => false
+      invoke "model", [name], :migration => false, :orm => options[:orm]
+
+      unless model_exists?
+        abort "Tried to invoke the model generator for '#{options[:orm]}' but could not find it.\n" <<
+              "Please create your model by hand before calling `rails g devise #{name}`."
+      end
     end
   end
 
   def inject_devise_config_into_model
     inject_into_class model_path, class_name, <<-CONTENT
   # Include default devise modules. Others available are:
-  # :http_authenticatable, :token_authenticatable, :lockable, :timeoutable and :activatable
-  devise :registerable, :authenticatable, :confirmable, :recoverable,
-         :rememberable, :trackable, :validatable
+  # :token_authenticatable, :lockable, :timeoutable and :activatable
+  devise :database_authenticatable, :registerable, :confirmable,
+         :recoverable, :rememberable, :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation
@@ -51,6 +57,10 @@ CONTENT
 
   protected
 
+    def model_exists?
+      File.exists?(File.join(destination_root, model_path))
+    end
+
     def model_path
       @model_path ||= File.join("app", "models", "#{file_path}.rb")
     end

data/lib/generators/devise/templates/migration.rb

@@ -1,12 +1,12 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable
       t.trackable
-      # t.lockable
+      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
 
       t.timestamps
     end

data/lib/generators/devise_install/templates/devise.rb

@@ -4,7 +4,24 @@ Devise.setup do |config|
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
 
-  # ==> Configuration for :authenticatable
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating an user. By default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating an user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # config.authentication_keys = [ :email ]
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # config.http_authenticatable = true
+
+  # The realm used in Http Basic Authentication
+  # config.http_authentication_realm = "Application"
+
+  # ==> Configuration for :database_authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate
   # the encrypted password. By default no pepper is used.
   # config.pepper = "rake secret output"
@@ -19,16 +36,6 @@ Devise.setup do |config|
   # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
   # config.encryptor = :sha1
 
-  # Configure which keys are used when authenticating an user. By default is
-  # just :email. You can configure it to use [:username, :subdomain], so for
-  # authenticating an user, both parameters are required. Remember that those
-  # parameters are used only when authenticating and not when retrieving from
-  # session. If you need permissions, you should implement that in a before filter.
-  # config.authentication_keys = [ :email ]
-
-  # The realm used in Http Basic Authentication
-  # config.http_authentication_realm = "Application"
-
   # ==> Configuration for :confirmable
   # The time you want give to your user to confirm his account. During this time
   # he will be able to access your application without confirming. Default is nil.
@@ -38,21 +45,35 @@ Devise.setup do |config|
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
+  # ==> Configuration for :validatable
+  # Range for password length
+  # config.password_length = 6..20
+
+  # Regex to use to validate the email address
+  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again.
   # config.timeout_in = 10.minutes
 
   # ==> Configuration for :lockable
-  # Number of authentication tries before locking an account.
-  # config.maximum_attempts = 20
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Reanables login after a certain ammount of time (see :unlock_in below)
-  # :both  = enables both strategies
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
   # config.unlock_strategy = :both
 
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
@@ -61,7 +82,7 @@ Devise.setup do |config|
   # config.token_authentication_key = :auth_token
 
   # ==> General configuration
-  # Load and configure the ORM. Supports :active_record (default), :mongo_mapper
+  # Load and configure the ORM. Supports :active_record (default), :mongoid
   # (requires mongo_ext installed) and :data_mapper (experimental).
   require 'devise/orm/active_record'
 
@@ -90,6 +111,6 @@ Devise.setup do |config|
   #     twitter.consumer_key  = <YOUR CONSUMER KEY>
   #     twitter.options :site => 'http://twitter.com'
   #   end
-  #   manager.default_strategies.unshift :twitter_oauth
+  #   manager.default_strategies(:scope => :user).unshift :twitter_oauth
   # end
 end

data/lib/generators/devise_views/devise_views_generator.rb

@@ -1,15 +1,62 @@
 class DeviseViewsGenerator < Rails::Generators::Base
   desc "Copies all Devise views to your application."
-
+  
+  argument :scope, :required => false, :default => nil,
+                   :desc => "The scope to copy views to"
+  
+  class_option :template_engine, :type => :string, :aliases => "-t", :default => "erb",
+                                 :desc => "Template engine for the views. Available options are 'erb' and 'haml'."
+  
   def self.source_root
     @_devise_source_root ||= File.expand_path("../../../../app/views", __FILE__)
   end
 
   def copy_views
-    directory "devise"
+    case options[:template_engine]
+    when "haml"
+      verify_haml_existence
+      verify_haml_version
+      create_and_copy_haml_views
+    else
+      directory "devise", "app/views/devise/#{scope}"
+    end
+  end
+  
+  protected
+  
+  def verify_haml_existence
+    begin
+      require 'haml'
+    rescue LoadError
+      say "HAML is not installed, or it is not specified in your Gemfile."
+      exit
+    end
+  end
+  
+  def verify_haml_version
+    unless Haml.version[:major] == 2 and Haml.version[:minor] >= 3 or Haml.version[:major] >= 3
+      say "To generate HAML templates, you need to install HAML 2.3 or above."
+      exit
+    end
   end
+  
+  def create_and_copy_haml_views
+    require 'tmpdir'
+    html_root = "#{self.class.source_root}/devise"
+
+    Dir.mktmpdir("devise-haml.") do |haml_root|
+      Dir["#{html_root}/**/*"].each do |path|
+        relative_path = path.sub(html_root, "")
+        source_path   = (haml_root + relative_path).sub(/erb$/, "haml")
+
+        if File.directory?(path)
+          FileUtils.mkdir_p(source_path)
+        else
+          `html2haml -r #{path} #{source_path}`
+        end
+      end
 
-  def say_restart_server
-    say "Views copied. Please restart your server."
+      directory haml_root, "app/views/devise/#{scope}"
+    end
   end
 end

data/test/controllers/helpers_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 require 'ostruct'
 
 class MockController < ApplicationController
@@ -23,6 +23,10 @@ class MockController < ApplicationController
     "http"
   end
 
+  def script_name
+    ""
+  end
+
   def symbolized_path_parameters
     {}
   end
@@ -117,20 +121,20 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'stored location for returns the location for a given scope' do
     assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
   end
 
   test 'stored location for accepts a resource as argument' do
     assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(User.new)
   end
 
   test 'stored location cleans information after reading' do
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
-    assert_nil @controller.session[:"user.return_to"]
+    assert_nil @controller.session[:"user_return_to"]
   end
 
   test 'after sign in path defaults to root path if none by was specified for the given scope' do
@@ -148,7 +152,8 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
+    @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")
     @controller.sign_in_and_redirect(user)
@@ -156,15 +161,18 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the configured after sign in path' do
     admin = Admin.new
+    @mock_warden.expects(:user).with(:admin).returns(nil)
     @mock_warden.expects(:set_user).with(admin, :scope => :admin).returns(true)
     @controller.expects(:redirect_to).with(admin_root_path)
     @controller.sign_in_and_redirect(admin)
   end
 
-  test 'only redirect if skip is given' do
+  test 'sign in and redirect does not sign in again if user is already signed' do
     admin = Admin.new
+    @mock_warden.expects(:user).with(:admin).returns(admin)
+    @mock_warden.expects(:set_user).never
     @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.sign_in_and_redirect(:admin, admin, true)
+    @controller.sign_in_and_redirect(admin)
   end
 
   test 'sign out and redirect uses the configured after sign out path' do

data/test/controllers/internal_helpers_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class MyController < ApplicationController
   include Devise::Controllers::InternalHelpers
@@ -7,6 +7,11 @@ end
 class HelpersTest < ActionController::TestCase
   tests MyController
 
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+  end
+
   test 'get resource name from request path' do
     @request.path = '/users/session'
     assert_equal :user, @controller.resource_name

data/test/controllers/url_helpers_test.rb

@@ -1,9 +1,9 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RoutesTest < ActionController::TestCase
   tests ApplicationController
 
-  def test_path_and_url(name, prepend_path=nil)
+  def assert_path_and_url(name, prepend_path=nil)
     @request.path = '/users/session'
     prepend_path = "#{prepend_path}_" if prepend_path
 
@@ -29,19 +29,19 @@ class RoutesTest < ActionController::TestCase
 
 
   test 'should alias session to mapped user session' do
-    test_path_and_url :session
-    test_path_and_url :session, :new
-    test_path_and_url :session, :destroy
+    assert_path_and_url :session
+    assert_path_and_url :session, :new
+    assert_path_and_url :session, :destroy
   end
 
   test 'should alias password to mapped user password' do
-    test_path_and_url :password
-    test_path_and_url :password, :new
-    test_path_and_url :password, :edit
+    assert_path_and_url :password
+    assert_path_and_url :password, :new
+    assert_path_and_url :password, :edit
   end
 
   test 'should alias confirmation to mapped user confirmation' do
-    test_path_and_url :confirmation
-    test_path_and_url :confirmation, :new
+    assert_path_and_url :confirmation
+    assert_path_and_url :confirmation, :new
   end
 end