devise 1.2.rc → 1.2.rc2

data/lib/devise/hooks/timeoutable.rb

@@ -6,7 +6,7 @@
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
 
-  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
     last_request_at = warden.session(scope)['last_request_at']
 
     if record.timedout?(last_request_at)

data/lib/devise/models.rb

@@ -2,7 +2,7 @@ module Devise
   module Models
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::Authenticable, :stretches, 10)
+    #   Devise::Models.config(Devise::Authenticatable, :stretches, 10)
     #
     # The line above creates:
     #
@@ -47,7 +47,9 @@ module Devise
     def devise(*modules)
       include Devise::Models::Authenticatable
       options = modules.extract_options!
-      self.devise_modules += Devise::ALL & modules.map(&:to_sym).uniq
+      self.devise_modules += modules.map(&:to_sym).uniq.sort_by { |s|
+        Devise::ALL.index(s) || -1  # follow Devise::ALL order
+      }
 
       devise_modules_hook! do
         devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }

data/lib/devise/models/authenticatable.rb

@@ -2,7 +2,7 @@ require 'devise/hooks/activatable'
 
 module Devise
   module Models
-    # Authenticable module. Holds common settings for authentication.
+    # Authenticatable module. Holds common settings for authentication.
     #
     # == Options
     #
@@ -26,7 +26,7 @@ module Devise
     #
     # == Active?
     #
-    # Before authenticating an user and in each request, Devise checks if your model is active by
+    # Before authenticating a user and in each request, Devise checks if your model is active by
     # calling model.active?. This method is overwriten by other devise modules. For instance,
     # :confirmable overwrites .active? to only return true if your model was confirmed.
     #
@@ -100,6 +100,7 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
+          filter_auth_params(conditions)
           case_insensitive_keys.each { |k| conditions[k].try(:downcase!) }
           to_adapter.find_first(conditions)
         end
@@ -117,7 +118,7 @@ module Devise
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = to_adapter.find_first(attributes)
+            record = to_adapter.find_first(filter_auth_params(attributes))
           end
           
           unless record
@@ -133,6 +134,15 @@ module Devise
           record
         end
 
+        protected
+
+        # Force keys to be string to avoid injection on mongoid related database.
+        def filter_auth_params(conditions)
+          conditions.each do |k, v|
+            conditions[k] = v.to_s
+          end
+        end
+
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)
           loop do

data/lib/devise/models/confirmable.rb

@@ -56,7 +56,7 @@ module Devise
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
-      # by verifying whether an user is active to sign in or not. If the user
+      # by verifying whether a user is active to sign in or not. If the user
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
@@ -133,7 +133,7 @@ module Devise
         # with an email not found error.
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
-          confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+          confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
           confirmable.resend_confirmation_token if confirmable.persisted?
           confirmable
         end
@@ -153,7 +153,7 @@ module Devise
           generate_token(:confirmation_token)
         end
 
-        Devise::Models.config(self, :confirm_within)
+        Devise::Models.config(self, :confirm_within, :confirmation_keys)
       end
     end
   end

data/lib/devise/models/database_authenticatable.rb

@@ -3,7 +3,7 @@ require 'bcrypt'
 
 module Devise
   module Models
-    # Authenticable Module, responsible for encrypting password and validating
+    # Authenticatable Module, responsible for encrypting password and validating
     # authenticity of a user while signing in.
     #
     # == Options
@@ -31,9 +31,11 @@ module Devise
         self.encrypted_password = password_digest(@password) if @password.present?
       end
 
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
-        ::BCrypt::Password.new(self.encrypted_password) == "#{password}#{self.class.pepper}"
+        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
+        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
+        Devise.secure_compare(password, self.encrypted_password)
       end
 
       # Set password and password confirmation to nil

data/lib/devise/models/encryptable.rb

@@ -36,7 +36,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
     protected
@@ -53,7 +53,14 @@ module Devise
 
         # Returns the class for the configured encryptor.
         def encryptor_class
-          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+          @encryptor_class ||= case encryptor
+            when :bcrypt
+              raise "In order to use bcrypt as encryptor, simply remove :encryptable from your devise model"
+            when nil
+              raise "You need to give an :encryptor as option in order to use :encryptable"
+            else
+              ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+          end
         end
 
         def password_salt

data/lib/devise/models/lockable.rb

@@ -15,13 +15,14 @@ module Devise
     #   * +lock_strategy+: lock the user account by :failed_attempts or :none.
     #   * +unlock_strategy+: unlock the user account by :time, :email, :both or :none.
     #   * +unlock_in+: the time you want to lock the user after to lock happens. Only available when unlock_strategy is :time or :both.
+    #   * +unlock_keys+: the keys you want to use when locking and unlocking an account
     #
     module Lockable
       extend  ActiveSupport::Concern
 
       delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
 
-      # Lock an user setting it's locked_at to actual time.
+      # Lock a user setting it's locked_at to actual time.
       def lock_access!
         self.locked_at = Time.now
 
@@ -33,14 +34,12 @@ module Devise
         save(:validate => false)
       end
 
-      # Unlock an user by cleaning locket_at and failed_attempts.
+      # Unlock a user by cleaning locket_at and failed_attempts.
       def unlock_access!
-        if_access_locked do
-          self.locked_at = nil
-          self.failed_attempts = 0 if respond_to?(:failed_attempts=)
-          self.unlock_token = nil  if respond_to?(:unlock_token=)
-          save(:validate => false)
-        end
+        self.locked_at = nil
+        self.failed_attempts = 0 if respond_to?(:failed_attempts=)
+        self.unlock_token = nil  if respond_to?(:unlock_token=)
+        save(:validate => false)
       end
 
       # Verifies whether a user is locked or not.
@@ -59,7 +58,7 @@ module Devise
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
-      # by verifying whether an user is active to sign in or not based on locked?
+      # by verifying whether a user is active to sign in or not based on locked?
       def active?
         super && !access_locked?
       end
@@ -71,16 +70,21 @@ module Devise
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
-      # for verifying whether an user is allowed to sign in or not. If the user
+      # for verifying whether a user is allowed to sign in or not. If the user
       # is locked, it should never be allowed.
       def valid_for_authentication?
         return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
 
+        # Unlock the user if the lock is expired, no matter
+        # if the user can login or not (wrong password, etc)
+        unlock_access! if lock_expired?
+
         case (result = super)
         when Symbol
           return result
         when TrueClass
           self.failed_attempts = 0
+          save(:validate => false)
         when FalseClass
           # PostgreSQL uses nil as the default value for integer columns set to 0
           self.failed_attempts ||= 0
@@ -88,10 +92,11 @@ module Devise
           if attempts_exceeded?
             lock_access!
             return :locked
+          else
+            save(:validate => false)
           end
         end
 
-        save(:validate => false) if changed?
         result
       end
 
@@ -132,7 +137,7 @@ module Devise
         # with an email not found error.
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
-         lockable = find_or_initialize_with_errors(authentication_keys, attributes, :not_found)
+         lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
          lockable.resend_unlock_token if lockable.persisted?
          lockable
         end
@@ -161,7 +166,7 @@ module Devise
           Devise.friendly_token
         end
 
-        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in)
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
       end
     end
   end

data/lib/devise/models/recoverable.rb

@@ -3,6 +3,12 @@ module Devise
 
     # Recoverable takes care of reseting the user password and send reset instructions.
     #
+    # ==Options
+    #
+    # Recoverable adds the following options to devise_for:
+    #
+    #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
@@ -57,7 +63,7 @@ module Devise
         # with an email not found error.
         # Attributes must contain the user email
         def send_reset_password_instructions(attributes={})
-          recoverable = find_or_initialize_with_errors(authentication_keys, attributes, :not_found)
+          recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
         end
@@ -77,6 +83,8 @@ module Devise
           recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) if recoverable.persisted?
           recoverable
         end
+
+        Devise::Models.config(self, :reset_password_keys)
       end
     end
   end

data/lib/devise/models/registerable.rb

@@ -7,7 +7,7 @@ module Devise
 
       module ClassMethods
         # A convenience method that receives both parameters and session to
-        # initialize an user. This can be used by OAuth, for example, to send
+        # initialize a user. This can be used by OAuth, for example, to send
         # in the user token and be stored on initialization.
         #
         # By default discards all information sent by the session by calling

data/lib/devise/models/rememberable.rb

@@ -44,10 +44,7 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      included do
-        # Remember me option available in after_authentication hook.
-        attr_accessor :remember_me
-      end
+      attr_accessor :remember_me, :extend_remember_period
 
       # Generate a new remember token and save the record without validations
       # unless remember_across_browsers is true and the user already has a valid token.
@@ -60,7 +57,7 @@ module Devise
       # Removes the remember token only if it exists, and save the record
       # without validations.
       def forget_me!
-        self.remember_token = nil if respond_to?(:remember_token)
+        self.remember_token = nil if respond_to?(:remember_token=)
         self.remember_created_at = nil
         save(:validate => false)
       end

data/lib/devise/models/token_authenticatable.rb

@@ -20,7 +20,7 @@ module Devise
     #
     # == Options
     #
-    # TokenAuthenticable adds the following options to devise_for:
+    # TokenAuthenticatable adds the following options to devise_for:
     #
     #   * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
     #
@@ -38,17 +38,17 @@ module Devise
       # Generate new authentication token and save the record.
       def reset_authentication_token!
         reset_authentication_token
-        self.save(:validate => false)
+        save(:validate => false)
       end
 
       # Generate authentication token unless already exists.
       def ensure_authentication_token
-        self.reset_authentication_token if self.authentication_token.blank?
+        reset_authentication_token if authentication_token.blank?
       end
 
       # Generate authentication token unless already exists and save the record.
       def ensure_authentication_token!
-        self.reset_authentication_token! if self.authentication_token.blank?
+        reset_authentication_token! if authentication_token.blank?
       end
 
       # Hook called after token authentication.

data/lib/devise/omniauth.rb

@@ -5,29 +5,14 @@ rescue LoadError => e
   raise
 end
 
-module OmniAuth
-  # TODO HAXES Backport to OmniAuth
-  module Strategy #:nodoc:
-    def initialize(app, name, *args)
-      @app = app
-      @name = name.to_sym
-      @options = args.last.is_a?(Hash) ? args.pop : {}
-      yield self if block_given?
-    end
-
-    def fail!(message_key, exception = nil)
-      self.env['omniauth.error'] = exception
-      self.env['omniauth.failure_key'] = message_key
-      self.env['omniauth.failed_strategy'] = self
-      OmniAuth.config.on_failure.call(self.env, message_key.to_sym)
-    end
-  end
+unless OmniAuth.config.respond_to? :test_mode
+  raise "You are using an old OmniAuth version, please ensure you have 0.2.0.beta version or later installed."
 end
 
 # Clean up the default path_prefix. It will be automatically set by Devise.
 OmniAuth.config.path_prefix = nil
 
-OmniAuth.config.on_failure = Proc.new do |env, key|
+OmniAuth.config.on_failure = Proc.new do |env|
   env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
   controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
   controller_klass.constantize.action(:failure).call(env)

data/lib/devise/omniauth/test_helpers.rb

@@ -1,57 +1,31 @@
 module Devise
   module OmniAuth
     module TestHelpers
-      def self.test_mode!
-        Faraday.default_adapter = :test if defined?(Faraday)
-        ActiveSupport.on_load(:action_controller) { include Devise::OmniAuth::TestHelpers }
-        ActiveSupport.on_load(:action_view) { include Devise::OmniAuth::TestHelpers }
-      end
+      DEPRECATION_MESSAGE = "Faraday changed the way mocks work in a way incompatible to Devise. Luckily, Omniauth now supports a new test mode, please use it in your tests instead: https://github.com/intridea/omniauth/wiki/Integration-Testing"
 
-      def self.stub!(provider, stubs=nil, &block)
-        raise "You either need to pass stubs as a block or as a parameter" unless block_given? || stubs
+      DeprecationError = Class.new(StandardError)
 
-        config = Devise.omniauth_configs[provider]
-        raise "Could not find configuration for #{provider.to_s} omniauth provider" unless config
-
-        config.check_if_allow_stubs!
-        stubs ||= Faraday::Adapter::Test::Stubs.new(&block)
+      def self.stub!(*args)
+        raise DeprecationError, DEPRECATION_MESSAGE
+      end
 
-        config.build_connection do |b|
-          b.adapter :test, stubs
-        end
+      def self.reset_stubs!(*args)
+        raise DeprecationError, DEPRECATION_MESSAGE
       end
 
-      def self.reset_stubs!(*providers)
-        target = providers.any? ? Devise.omniauth_configs.slice(*providers) : Devise.omniauth_configs
-        target.each_value do |config|
-          next unless config.allow_stubs?
-          config.build_connection { |b| b.adapter Faraday.default_adapter }
-        end
+      def self.test_mode!
+        warn DEPRECATION_MESSAGE
       end
 
       def self.short_circuit_authorizers!
-        module_eval <<-ALIASES, __FILE__, __LINE__ + 1
-          def omniauth_authorize_path(*args)
-            omniauth_callback_path(*args)
-          end
-        ALIASES
-
-        Devise.mappings.each_value do |m|
-          next unless m.omniauthable?
-
-          module_eval <<-ALIASES, __FILE__, __LINE__ + 1
-            def #{m.name}_omniauth_authorize_path(provider)
-              #{m.name}_omniauth_callback_path(provider)
-            end
-          ALIASES
-        end
+        ::OmniAuth.config.test_mode = true
+        warn DEPRECATION_MESSAGE
       end
 
       def self.unshort_circuit_authorizers!
-        module_eval do
-          instance_methods.each { |m| remove_method(m) }
-        end
+        ::OmniAuth.config.test_mode = false
+        warn DEPRECATION_MESSAGE
       end
     end
   end
-end
+end