devise 1.2.1 → 1.3.0

data/lib/devise/models/authenticatable.rb

@@ -65,20 +65,8 @@ module Devise
         end
       end
 
-      def active?
-        ActiveSupport::Deprecation.warn "[DEVISE] active? is deprecated, please use active_for_authentication? instead.", caller
-        active_for_authentication?
-      end
-
       def active_for_authentication?
-        my_methods = self.class.instance_methods(false)
-        if my_methods.include?("active?") || my_methods.include?(:active?)
-          ActiveSupport::Deprecation.warn "[DEVISE] Overriding active? is deprecated to avoid conflicts. " \
-            "Please use active_for_authentication? instead.", caller
-          active?
-        else
-          true
-        end
+        true
       end
 
       def inactive_message

data/lib/devise/models/confirmable.rb

@@ -84,7 +84,7 @@ module Devise
         # Checks if the confirmation for the user is within the limit time.
         # We do this by calculating if the difference between today and the
         # confirmation sent date does not exceed the confirm in time configured.
-        # Confirm_in is a model configuration, must always be an integer value.
+        # Confirm_within is a model configuration, must always be an integer value.
         #
         # Example:
         #

data/lib/devise/models/database_authenticatable.rb

@@ -22,7 +22,7 @@ module Devise
       included do
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
-        before_save :downcase_keys
+        before_validation :downcase_keys
       end
 
       # Generates password encryption based on the given value.
@@ -33,6 +33,7 @@ module Devise
 
       # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
+        return false if encrypted_password.blank?
         bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
         password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
         Devise.secure_compare(password, self.encrypted_password)

data/lib/devise/models/recoverable.rb

@@ -35,15 +35,44 @@ module Devise
 
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
-        generate_reset_password_token!
+        generate_reset_password_token! if should_generate_token?
         ::Devise.mailer.reset_password_instructions(self).deliver
       end
 
+      # Checks if the reset password token sent is within the limit time.
+      # We do this by calculating if the difference between today and the
+      # sending date does not exceed the confirm in time configured.
+      # reset_password_within is a model configuration, must always be an integer value.
+      #
+      # Example:
+      #
+      #   # reset_password_within = 1.day and reset_password_sent_at = today
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 4.days.ago
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 5.days.ago
+      #   reset_password_period_valid?   # returns false
+      #
+      #   # reset_password_within = 0.days
+      #   reset_password_period_valid?   # will always return false
+      #
+      def reset_password_period_valid?
+        respond_to?(:reset_password_sent_at) && reset_password_sent_at &&
+          reset_password_sent_at.utc >= self.class.reset_password_within.ago
+      end
+
       protected
 
+        def should_generate_token?
+          reset_password_token.nil? || !reset_password_period_valid?
+        end
+
         # Generates a new random token for reset password
         def generate_reset_password_token
           self.reset_password_token = self.class.reset_password_token
+          self.reset_password_sent_at = Time.now.utc if respond_to?(:reset_password_sent_at=)
         end
 
         # Resets the reset password token with and save the record without
@@ -55,6 +84,7 @@ module Devise
         # Removes reset_password token
         def clear_reset_password_token
           self.reset_password_token = nil
+          self.reset_password_sent_at = nil if respond_to?(:reset_password_sent_at=)
         end
 
       module ClassMethods
@@ -73,18 +103,24 @@ module Devise
           generate_token(:reset_password_token)
         end
 
-        # Attempt to find a user by it's reset_password_token to reset it's
-        # password. If a user is found, reset it's password and automatically
+        # Attempt to find a user by it's reset_password_token to reset its
+        # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
-          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) if recoverable.persisted?
+          if recoverable.persisted?
+            if recoverable.reset_password_period_valid?
+              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) 
+            else
+              recoverable.errors.add(:reset_password_token, :invalid)
+            end
+          end
           recoverable
         end
 
-        Devise::Models.config(self, :reset_password_keys)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
       end
     end
   end

data/lib/devise/models/validatable.rb

@@ -10,7 +10,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 6..20.
+    #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
     module Validatable
       # All validations used by this module.
@@ -23,8 +23,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, :if => :email_required?
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1],
-            :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
+          validates_uniqueness_of :email, :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|

data/lib/devise/omniauth.rb

@@ -14,15 +14,15 @@ OmniAuth.config.path_prefix = nil
 
 OmniAuth.config.on_failure = Proc.new do |env|
   env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
-  controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
-  controller_klass.constantize.action(:failure).call(env)
+  controller_name  = ActiveSupport::Inflector.camelize(env['devise.mapping'].controllers[:omniauth_callbacks])
+  controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+  controller_klass.action(:failure).call(env)
 end
 
 module Devise
   module OmniAuth
     autoload :Config,      "devise/omniauth/config"
     autoload :UrlHelpers,  "devise/omniauth/url_helpers"
-    autoload :TestHelpers, "devise/omniauth/test_helpers"
 
     class << self
       delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!,

data/lib/devise/rails.rb

@@ -17,11 +17,14 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
 
-    initializer "devise.navigationals" do
-      formats = Devise.navigational_formats
-      if formats.include?(:"*/*") && formats.exclude?("*/*")
-        puts "[DEVISE] We see the symbol :\"*/*\" in the navigational formats in your initializer " \
-          "but not the string \"*/*\". Due to changes in latest Rails, please include the latter."
+    initializer "devise.auth_keys" do
+      if Devise.authentication_keys.size > 1
+        puts "[DEVISE] You are configuring Devise to use more than one authentication key. " \
+          "In previous versions, we automatically added #{Devise.authentication_keys[1..-1].inspect} " \
+          "as scope to your e-mail validation, but this was changed now. If you were relying in such " \
+          "behavior, you should remove :validatable from your models and add the validations manually. " \
+          "To get rid of this warning, you can comment config.authentication_keys in your initializer " \
+          "and pass the current values as key to the devise call in your model."
       end
     end
 
@@ -36,25 +39,5 @@ module Devise
         Devise.include_helpers(Devise::OmniAuth)
       end
     end
-
-    initializer "devise.encryptor_check" do
-      case Devise.encryptor
-      when :bcrypt
-        puts "[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt " \
-          "since encryptors are only enabled if you include :encryptable in your models. " \
-          "To update your app, please:\n\n" \
-          "1) Remove config.encryptor from your initializer;\n" \
-          "2) Add t.encryptable to your old migrations;\n" \
-          "3) [Optional] Remove password_salt in a new recent migration. Bcrypt does not require it anymore.\n"
-      when nil
-        # Nothing to say
-      else
-        puts "[DEVISE] You are using #{Devise.encryptor} as encryptor. From version 1.2, " \
-          "you need to explicitly add encryptable as dependency. To update your app, please:\n\n" \
-          "1) Remove config.encryptor from your initializer;\n" \
-          "2) Add t.encryptable to your old migrations;\n" \
-          "3) Add `devise :encryptable, :encryptor => :#{Devise.encryptor}` to your models.\n"
-      end
-    end
   end
 end

data/lib/devise/rails/routes.rb

@@ -99,6 +99,11 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :skip => :sessions
     #
+    #  * :only => the opposite of :skip, tell which controllers only to generate routes to:
+    #
+    #      devise_for :users, :only => :sessions
+    #
+    #
     # ==== Scoping
     #
     # Following Rails 3 routes DSL, you can nest devise_for calls inside a scope:
@@ -173,6 +178,9 @@ module ActionDispatch::Routing
         end
 
         routes  = mapping.routes
+        if options.has_key?(:only)
+          routes  = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & mapping.routes
+        end
         routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
 
         devise_scope mapping.name do

data/lib/devise/rails/warden_compat.rb

@@ -21,14 +21,14 @@ class Warden::SessionSerializer
   def deserialize(keys)
     if keys.size == 2
       raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your cookie secret or cleaning up your " <<
+        "you can fix it by changing one character in your secret_token or cleaning up your " <<
         "database sessions if you are using a db store."
     end
 
     klass, id, salt = keys
 
     begin
-      record = klass.constantize.to_adapter.get(id)
+      record = ActiveSupport::Inflector.constantize(klass).to_adapter.get(id)
       record if record && record.authenticatable_salt == salt
     rescue NameError => e
       if e.message =~ /uninitialized constant/

data/lib/devise/schema.rb

@@ -15,7 +15,7 @@ module Devise
     def database_authenticatable(options={})
       null    = options[:null] || false
       default = options.key?(:default) ? options[:default] : ("" if null == false)
-      include_email =  !self.respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
+      include_email = !respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
 
       apply_devise_schema :email,              String, :null => null, :default => default if include_email
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
@@ -38,9 +38,14 @@ module Devise
       apply_devise_schema :confirmation_sent_at, DateTime
     end
 
-    # Creates reset_password_token.
-    def recoverable
+    # Creates reset_password_token and reset_password_sent_at.
+    #
+    # == Options
+    # * :reset_within - When true, adds a column that reset passwords within some date
+    def recoverable(options={})
+      use_within = options.fetch(:reset_within, Devise.reset_password_within.present?)
       apply_devise_schema :reset_password_token, String
+      apply_devise_schema :reset_password_sent_at, DateTime if use_within
     end
 
     # Creates remember_token and remember_created_at.

data/lib/devise/strategies/authenticatable.rb

@@ -157,7 +157,8 @@ module Devise
       # becomes simply :database.
       def authenticatable_name
         @authenticatable_name ||=
-          self.class.name.split("::").last.underscore.sub("_authenticatable", "").to_sym
+          ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
+            sub("_authenticatable", "").to_sym
       end
     end
   end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.2.1".freeze
+  VERSION = "1.3.0".freeze
 end

data/lib/generators/devise/views_generator.rb

@@ -9,17 +9,11 @@ module Devise
       argument :scope, :required => false, :default => nil,
                        :desc => "The scope to copy views to"
 
-      class_option :template_engine, :type => :string, :aliases => "-t",
-                                     :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
+      # class_option :template_engine, :type => :string, :aliases => "-t",
+      #                                :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
 
       def copy_views
-        template = options[:template_engine].to_s
-        case template
-        when "haml", "slim"
-          warn "#{template} templates have been removed from Devise gem"
-        else
-          directory "devise", "app/views/#{scope || :devise}"
-        end
+        directory "devise", "app/views/#{scope || :devise}"
       end
     end
   end

data/lib/generators/templates/devise.rb

@@ -82,9 +82,13 @@ Devise.setup do |config|
   # to false if you are not using database authenticatable.
   config.use_salt_as_remember_token = true
 
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.cookie_options = {}
+
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..20.
-  # config.password_length = 6..20
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
 
   # Regex to use to validate the email address
   # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
@@ -122,6 +126,11 @@ Devise.setup do |config|
   # Defines which key will be used when recovering the password for an account
   # config.reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 2.hours
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,

data/test/controllers/internal_helpers_test.rb

@@ -45,6 +45,14 @@ class HelpersTest < ActionController::TestCase
     @controller.send :require_no_authentication
   end
 
+  test 'require no authentication sets a flash message' do
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:user).returns(User.new)
+    @controller.expects(:redirect_to).with(root_path)
+    @controller.send :require_no_authentication
+    assert flash[:alert] == I18n.t("devise.failure.already_authenticated")
+  end
+
   test 'signed in resource returns signed in resource for current scope' do
     @mock_warden.expects(:authenticate).with(:scope => :user).returns(User.new)
     assert_kind_of User, @controller.signed_in_resource
@@ -69,4 +77,11 @@ class HelpersTest < ActionController::TestCase
     assert flash[:notice] == 'non-blank'
     MyController.send(:protected, :set_flash_message)
   end
+
+  test 'navigational_formats not returning a wild card' do
+    MyController.send(:public, :navigational_formats)
+    Devise.navigational_formats = [:"*/*", :html]
+    assert_not @controller.navigational_formats.include?(:"*/*")
+    MyController.send(:protected, :navigational_formats)
+  end
 end

data/test/controllers/sessions_controller_test.rb

@@ -0,0 +1,17 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+  tests Devise::SessionsController
+  include Devise::TestHelpers
+
+  test "#create doesn't raise exception after Warden authentication fails " \
+     + "when TestHelpers included" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    assert_nothing_raised(NoMethodError) do
+      post :create, :user => {
+        :email => "nosuchuser@example.com",
+        :password => "wevdude"
+      }
+    end
+  end
+end

data/test/devise_test.rb

@@ -58,9 +58,6 @@ class DeviseTest < ActiveSupport::TestCase
     assert_equal :fruits, Devise::CONTROLLERS[:kivi]
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)
-
-    assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
-    assert defined?(Devise::Models::AuthenticatableAgain)
   end
   
   test 'should complain when comparing empty or different sized passes' do

data/test/integration/authenticatable_test.rb

@@ -205,17 +205,16 @@ class AuthenticationRedirectTest < ActionController::IntegrationTest
     assert_nil session[:"user_return_to"]
   end
 
-  test 'sign in with xml format returns xml response' do
-    create_user
-    post user_session_path(:format => 'xml', :user => {:email => "user@test.com", :password => '123456'})
-    assert_response :success
-    assert_match /<\?xml version="1.0" encoding="UTF-8"\?>/, response.body
-  end
-
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
   end
+
+  test 'require_no_authentication should set the already_authenticated flash message' do
+    sign_in_as_user
+    visit new_user_session_path
+    assert_equal flash[:alert], I18n.t("devise.failure.already_authenticated")
+  end
 end
 
 class AuthenticationSessionTest < ActionController::IntegrationTest
@@ -354,6 +353,27 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
     assert_not warden.authenticated?(:admin)
   end
+
+  test 'sign in with xml format returns xml response' do
+    create_user
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'sign out with xml format returns ok response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'xml')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'sign out with json format returns empty json response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'json')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
 end
 
 class AuthenticationRequestKeysTest < ActionController::IntegrationTest