devise 1.2.rc → 1.2.rc2

data/app/controllers/devise/sessions_controller.rb

@@ -11,8 +11,9 @@ class Devise::SessionsController < ApplicationController
   # POST /resource/sign_in
   def create
     resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
-    set_flash_message :notice, :signed_in
-    sign_in_and_redirect(resource_name, resource)
+    set_flash_message(:notice, :signed_in) if is_navigational_format?
+    sign_in(resource_name, resource)
+    respond_with resource, :location => redirect_location(resource_name, resource)
   end
 
   # GET /resource/sign_out

data/app/helpers/devise_helper.rb

@@ -1,4 +1,10 @@
 module DeviseHelper
+  # A simple way to show error messages for the current devise resource. If you need
+  # to customize this method, you can either overwrite it in your application helpers or
+  # copy the views to your application.
+  #
+  # This method is intended to stay simple and it is unlikely that we are going to change
+  # it to add more behavior or options.
   def devise_error_messages!
     return "" if resource.errors.empty?
 

data/config/locales/en.yml

@@ -1,3 +1,5 @@
+# Additional translations at http://github.com/plataformatec/devise/wiki/I18n
+
 en:
   errors:
     messages:

data/devise.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise/version"
+
+Gem::Specification.new do |s|
+  s.name        = "devise"
+  s.version     = Devise::VERSION.dup
+  s.platform    = Gem::Platform::RUBY  
+  s.summary     = "Flexible authentication solution for Rails with Warden"
+  s.email       = "contact@plataformatec.com.br"
+  s.homepage    = "http://github.com/plataformatec/devise"
+  s.description = "Flexible authentication solution for Rails with Warden"
+  s.authors     = ['José Valim', 'Carlos Antônio']
+
+  s.rubyforge_project = "devise"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency("warden", "~> 1.0.3")
+  s.add_dependency("orm_adapter", "~> 0.0.3")
+  s.add_dependency("bcrypt-ruby", "~> 2.1.2")
+end

data/lib/devise.rb

@@ -1,3 +1,4 @@
+require 'rails'
 require 'active_support/core_ext/numeric/time'
 require 'active_support/dependencies'
 require 'orm_adapter'
@@ -13,6 +14,7 @@ module Devise
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
     autoload :InternalHelpers, 'devise/controllers/internal_helpers'
+    autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
@@ -68,8 +70,9 @@ module Devise
   @@request_keys = []
 
   # Keys that should be case-insensitive.
+  # Empty by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = [ :email ]
+  @@case_insensitive_keys = []
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -89,7 +92,7 @@ module Devise
 
   # Email regex used to validate email formats. Adapted from authlogic.
   mattr_accessor :email_regexp
-  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+  @@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -116,6 +119,10 @@ module Devise
   mattr_accessor :confirm_within
   @@confirm_within = 0.days
 
+  # Defines which key will be used when confirming an account
+  mattr_accessor :confirmation_keys
+  @@confirmation_keys = [ :email ]
+
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
@@ -143,6 +150,10 @@ module Devise
   mattr_accessor :lock_strategy
   @@lock_strategy = :failed_attempts
 
+  # Defines which key will be used when locking and unlocking an account
+  mattr_accessor :unlock_keys
+  @@unlock_keys = [ :email ]
+
   # Defines which strategy can be used to unlock an account.
   # Values: :email, :time, :both
   mattr_accessor :unlock_strategy
@@ -156,6 +167,10 @@ module Devise
   mattr_accessor :unlock_in
   @@unlock_in = 1.hour
 
+  # Defines which key will be used when recovering the password for an account
+  mattr_accessor :reset_password_keys
+  @@reset_password_keys = [ :email ]
+
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -173,10 +188,11 @@ module Devise
   @@stateless_token = false
 
   # Which formats should be treated as navigational.
+  # We need both :"*/*" and "*/*" to work on different Rails versions.
   mattr_accessor :navigational_formats
-  @@navigational_formats = [:"*/*", :html]
+  @@navigational_formats = [:"*/*", "*/*", :html]
 
-  # When set to true, signing out an user signs out all other scopes.
+  # When set to true, signing out a user signs out all other scopes.
   mattr_accessor :sign_out_all_scopes
   @@sign_out_all_scopes = true
 
@@ -357,7 +373,17 @@ module Devise
 
   # Generate a friendly string randomically to be used as token.
   def self.friendly_token
-    ActiveSupport::SecureRandom.base64(44).tr('+/=', 'xyz')
+    ActiveSupport::SecureRandom.base64(15).tr('+/=', 'xyz')
+  end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def self.secure_compare(a, b)
+    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
   end
 end
 

data/lib/devise/controllers/helpers.rb

@@ -21,7 +21,7 @@ module Devise
       #   Generated methods:
       #     authenticate_user!  # Signs user in or redirect
       #     authenticate_admin! # Signs admin in or redirect
-      #     user_signed_in?     # Checks whether there is an user signed in or not
+      #     user_signed_in?     # Checks whether there is a user signed in or not
       #     admin_signed_in?    # Checks whether there is an admin signed in or not
       #     current_user        # Current signed in user
       #     current_admin       # Current signed in admin
@@ -36,8 +36,8 @@ module Devise
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
-          def authenticate_#{mapping}!
-            warden.authenticate!(:scope => :#{mapping})
+          def authenticate_#{mapping}!(force = false)
+            warden.authenticate!(:scope => :#{mapping}) if !devise_controller? || force
           end
 
           def #{mapping}_signed_in?
@@ -72,19 +72,21 @@ module Devise
         false
       end
 
-      # Check if the given scope is signed in session, without running
-      # authentication hooks.
-      def signed_in?(scope)
-        warden.authenticate?(:scope => scope)
+      # Return true if the given scope is signed in session. If no scope given, return
+      # true if any scope is signed in. Does not run authentication hooks.
+      def signed_in?(scope=nil)
+        [ scope || Devise.mappings.keys ].flatten.any? do |scope| 
+          warden.authenticate?(:scope => scope)
+        end
       end
 
-      # Check if the any scope is signed in session, without running
-      # authentication hooks.
       def anybody_signed_in?
-        Devise.mappings.keys.any? { |scope| signed_in?(scope) }
+        ActiveSupport::Deprecation.warn "Devise#anybody_signed_in? is deprecated. "
+          "Please use Devise#signed_in?(nil) instead."
+        signed_in?
       end
 
-      # Sign in an user that already was authenticated. This helper is useful for logging
+      # Sign in a user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #
       # All options given to sign_in is passed forward to the set_user method in warden.
@@ -108,12 +110,14 @@ module Devise
 
         if options[:bypass]
           warden.session_serializer.store(resource, scope)
+        elsif warden.user(scope) == resource && !options.delete(:force)
+          # Do nothing. User already signed in and we are not forcing it.
         else
           warden.set_user(resource, options.merge!(:scope => scope))
         end
       end
 
-      # Sign out a given user or scope. This helper is useful for signing out an user
+      # Sign out a given user or scope. This helper is useful for signing out a user
       # after deleting accounts.
       #
       # Examples:
@@ -132,6 +136,7 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden.
       def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
         warden.raw_session.inspect
         warden.logout
       end
@@ -180,7 +185,7 @@ module Devise
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
-      # Method used by sessions controller to sign out an user. You can overwrite
+      # Method used by sessions controller to sign out a user. You can overwrite
       # it in your ApplicationController to provide a custom hook for a custom
       # scope. Notice that differently from +after_sign_in_path_for+ this method
       # receives a symbol with the scope, and not the resource.
@@ -190,36 +195,26 @@ module Devise
         root_path
       end
 
-      # Sign in an user and tries to redirect first to the stored location and
+      # Sign in a user and tries to redirect first to the stored location and
       # then to the url specified by after_sign_in_path_for. It accepts the same
       # parameters as the sign_in method.
       def sign_in_and_redirect(resource_or_scope, *args)
         options  = args.extract_options!
         scope    = Devise::Mapping.find_scope!(resource_or_scope)
         resource = args.last || resource_or_scope
-
-        if warden.user(scope) == resource
-          expire_session_data_after_sign_in!
-        else
-          sign_in(scope, resource, options)
-        end
-
-        redirect_for_sign_in(scope, resource)
+        sign_in(scope, resource, options)
+        redirect_to redirect_location(scope, resource)
       end
 
-      def redirect_for_sign_in(scope, resource) #:nodoc:
-        redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
+      def redirect_location(scope, resource) #:nodoc:
+        stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
-      # Sign out an user and tries to redirect to the url specified by
+      # Sign out a user and tries to redirect to the url specified by
       # after_sign_out_path_for.
       def sign_out_and_redirect(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         Devise.sign_out_all_scopes ? sign_out : sign_out(scope)
-        redirect_for_sign_out(scope)
-      end
-
-      def redirect_for_sign_out(scope) #:nodoc:
         redirect_to after_sign_out_path_for(scope)
       end
 
@@ -228,6 +223,12 @@ module Devise
       def expire_session_data_after_sign_in!
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
+
+      # Overwrite Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
     end
   end
 end

data/lib/devise/controllers/internal_helpers.rb

@@ -16,7 +16,7 @@ module Devise
         helper_method *helpers
 
         prepend_before_filter :is_devise_resource?
-        skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
+        respond_to *Mime::SET.map(&:to_sym) if mimes_for_respond_to.empty?
       end
 
       # Gets the actual resource stored in the instance variable
@@ -57,6 +57,11 @@ module Devise
         unknown_action!("Could not find devise mapping for path #{request.fullpath.inspect}") unless devise_mapping
       end
 
+      # Check whether it's navigational format, such as :html or :iphone, or not.
+      def is_navigational_format?
+        Devise.navigational_formats.include?(request.format.to_sym)
+      end
+
       def unknown_action!(msg)
         logger.debug "[Devise] #{msg}" if logger
         raise ActionController::UnknownAction, msg

data/lib/devise/controllers/rememberable.rb

@@ -0,0 +1,52 @@
+module Devise
+  module Controllers
+    # A module that may be optionally included in a controller in order
+    # to provide remember me behavior.
+    module Rememberable
+      # Return default cookie values retrieved from session options.
+      def self.cookie_values
+        Rails.configuration.session_options.slice(:path, :domain, :secure)
+      end
+
+      # A small warden proxy so we can remember and forget uses from hooks.
+      class Proxy #:nodoc:
+        include Devise::Controllers::Rememberable
+
+        delegate :cookies, :env, :to => :@warden
+
+        def initialize(warden)
+          @warden = warden
+        end
+      end
+
+      # Remembers the given resource by setting up a cookie
+      def remember_me(resource)
+        scope = Devise::Mapping.find_scope!(resource)
+        resource.remember_me!(resource.extend_remember_period)
+        cookies.signed["remember_#{scope}_token"] = remember_cookie_values(resource)
+      end
+
+      # Forgets the given resource by deleting a cookie
+      def forget_me(resource)
+        scope = Devise::Mapping.find_scope!(resource)
+        resource.forget_me! unless resource.frozen?
+        cookies.delete("remember_#{scope}_token", forget_cookie_values(resource))
+      end
+
+      protected
+
+      def forget_cookie_values(resource)
+        Devise::Controllers::Rememberable.cookie_values.merge!(resource.cookie_options)
+      end
+
+      def remember_cookie_values(resource)
+        options = { :httponly => true }
+        options.merge!(forget_cookie_values(resource))
+        options.merge!(
+          :value => resource.class.serialize_into_cookie(resource),
+          :expires => resource.remember_expires_at
+        )
+      end
+    end
+  end
+end

data/lib/devise/encryptors/authlogic_sha512.rb

@@ -4,7 +4,7 @@ module Devise
   module Encryptors
     # = AuthlogicSha512
     # Simulates Authlogic's default encryption mechanism.
-    # Warning: it uses Devise's stretches configuration to port Authlogic's one. Should be set to 20 in the initializer to silumate
+    # Warning: it uses Devise's stretches configuration to port Authlogic's one. Should be set to 20 in the initializer to simulate
     #  the default behavior.
     class AuthlogicSha512 < Base
       # Gererates a default password digest based on salt, pepper and the

data/lib/devise/failure_app.rb

@@ -64,7 +64,11 @@ module Devise
     end
 
     def redirect_url
-      send(:"new_#{scope}_session_path")
+      if request_format == :html
+        send(:"new_#{scope}_session_path")
+      else
+        send(:"new_#{scope}_session_path", :format => request_format)
+      end
     end
 
     # Choose whether we should respond in a http authentication fashion,
@@ -79,7 +83,7 @@ module Devise
       if request.xhr?
         Devise.http_authenticatable_on_xhr
       else
-        !(request.format && Devise.navigational_formats.include?(request.format.to_sym))
+        !(request_format && Devise.navigational_formats.include?(request_format))
       end
     end
 
@@ -90,8 +94,8 @@ module Devise
     end
 
     def http_auth_body
-      return i18n_message unless request.format
-      method = "to_#{request.format.to_sym}"
+      return i18n_message unless request_format
+      method = "to_#{request_format}"
       {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
     end
 
@@ -123,5 +127,17 @@ module Devise
     def store_location!
       session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
+
+    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+    def request_format
+      @request_format ||= if request.format.respond_to?(:ref)
+        request.format.ref
+      elsif MIME_REFERENCES
+        request.format
+      else # Rails < 3.0.4
+        request.format.to_sym
+      end
+    end
   end
 end

data/lib/devise/hooks/forgetable.rb

@@ -4,9 +4,6 @@
 # This avoids forgetting deleted users.
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
-    record.forget_me! unless record.frozen?
-    cookie_options = Rails.configuration.session_options.slice(:path, :domain, :secure)
-    cookie_options.merge!(record.cookie_options)
-    warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
+    Devise::Controllers::Rememberable::Proxy.new(warden).forget_me(record)
   end
 end

data/lib/devise/hooks/rememberable.rb

@@ -1,45 +1,6 @@
-module Devise
-  module Hooks
-    # Overwrite success! in authentication strategies allowing users to be remembered.
-    # We choose to implement this as an strategy hook instead of a warden hook to allow a specific
-    # strategy (like token authenticatable or facebook authenticatable) to turn off remember_me?
-    # cookies.
-    module Rememberable #:nodoc:
-      def success!(resource)
-        super
-
-        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
-          resource.remember_me!(extend_remember_period?)
-          cookies.signed["remember_#{scope}_token"] = cookie_values(resource)
-        end
-      end
-
-    protected
-
-      def cookie_values(resource)
-        options = Rails.configuration.session_options.slice(:path, :domain, :secure)
-        options.merge!(resource.cookie_options)
-        options.merge!(
-          :value => resource.class.serialize_into_cookie(resource),
-          :expires => resource.remember_expires_at
-        )
-        options
-      end
-
-      def succeeded?
-        @result == :success
-      end
-
-      def extend_remember_period?
-        false
-      end
-
-      def remember_me?
-        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
-      end
-    end
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  scope = options[:scope]
+  if record.respond_to?(:remember_me) && record.remember_me && warden.authenticated?(scope)
+    Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
   end
-end
-
-Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable
-
+end