devise 1.5.4 → 2.0.0.rc

data/lib/devise/strategies/token_authenticatable.rb

@@ -11,7 +11,7 @@ module Devise
     # a password, you can pass "X" as password and it will simply be ignored.
     class TokenAuthenticatable < Authenticatable
       def store?
-        !mapping.to.stateless_token
+        super && !mapping.to.skip_session_storage.include?(:token_auth)
       end
 
       def authenticate!
@@ -27,8 +27,8 @@ module Devise
 
     private
 
-      # TokenAuthenticatable request is valid for any controller and any verb.
-      def valid_request?
+      # Token Authenticatable can be authenticated with params in any controller and any verb.
+      def valid_params_request?
         true
       end
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.5.4".freeze
+  VERSION = "2.0.0.rc".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -1,7 +1,6 @@
 require 'rails/generators/active_record'
 require 'generators/devise/orm_helpers'
 
-
 module ActiveRecord
   module Generators
     class DeviseGenerator < ActiveRecord::Generators::Base
@@ -21,13 +20,52 @@ module ActiveRecord
       def generate_model
         invoke "active_record:model", [name], :migration => false unless model_exists? && behavior == :invoke
       end
-      
+
       def inject_devise_content
         inject_into_class(model_path, class_name, model_contents + <<CONTENT) if model_exists?
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation, :remember_me
 CONTENT
       end
+
+      def migration_data
+<<RUBY
+      ## Database authenticatable
+      t.string :email,              :null => false, :default => ""
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Encryptable
+      # t.string :password_salt
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      # Token authenticatable
+      # t.string :authentication_token
+RUBY
+      end
     end
   end
 end

data/lib/generators/active_record/templates/migration.rb

@@ -5,15 +5,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
 <% end -%>
     create_table(:<%= table_name %>) do |t|
-      t.database_authenticatable :null => false
-      t.recoverable
-      t.rememberable
-      t.trackable
-
-      # t.encryptable
-      # t.confirmable
-      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
-      # t.token_authenticatable
+<%= migration_data -%>
 
 <% attributes.each do |attribute| -%>
       t.<%= attribute.type %> :<%= attribute.name %>

data/lib/generators/active_record/templates/migration_existing.rb

@@ -1,15 +1,7 @@
 class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     change_table(:<%= table_name %>) do |t|
-      t.database_authenticatable :null => false
-      t.recoverable
-      t.rememberable
-      t.trackable
-
-      # t.encryptable
-      # t.confirmable
-      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
-      # t.token_authenticatable
+<%= migration_data -%>
 
 <% attributes.each do |attribute| -%>
       t.<%= attribute.type %> :<%= attribute.name %>

data/lib/generators/mongoid/devise_generator.rb

@@ -9,9 +9,52 @@ module Mongoid
         invoke "mongoid:model", [name] unless model_exists? && behavior == :invoke
       end
 
+      def inject_field_types
+        inject_into_file model_path, migration_data, :after => "include Mongoid::Document\n" if model_exists?
+      end
+
       def inject_devise_content
         inject_into_file model_path, model_contents, :after => "include Mongoid::Document\n" if model_exists?
       end
+
+      def migration_data
+<<RUBY
+  ## Database authenticatable
+  field :email,              :type => String, :null => false, :default => ""
+  field :encrypted_password, :type => String, :null => false, :default => ""
+
+  ## Recoverable
+  field :reset_password_token,   :type => String
+  field :reset_password_sent_at, :type => Time
+
+  ## Rememberable
+  field :remember_created_at, :type => Time
+
+  ## Trackable
+  field :sign_in_count,      :type => Integer, :default => 0
+  field :current_sign_in_at, :type => Time
+  field :last_sign_in_at,    :type => Time
+  field :current_sign_in_ip, :type => String
+  field :last_sign_in_ip,    :type => String
+
+  ## Encryptable
+  # field :password_salt, :type => String
+
+  ## Confirmable
+  # field :confirmation_token,   :type => String
+  # field :confirmed_at,         :type => Time
+  # field :confirmation_sent_at, :type => Time
+  # field :unconfirmed_email,    :type => String # Only if using reconfirmable
+
+  ## Lockable
+  # field :failed_attempts, :type => Integer, :default => 0 # Only if lock strategy is :failed_attempts
+  # field :unlock_token,    :type => String # Only if unlock strategy is :email or :both
+  # field :locked_at,       :type => Time
+
+  ## Token authenticatable
+  # field :authentication_token, :type => String
+RUBY
+      end
     end
   end
 end

data/lib/generators/templates/devise.rb

@@ -9,6 +9,9 @@ Devise.setup do |config|
   # Configure the class responsible to send e-mails.
   # config.mailer = "Devise::Mailer"
 
+  # Automatically apply schema changes in tableless databases
+  config.apply_schema = false
+
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
@@ -59,6 +62,10 @@ Devise.setup do |config|
   # Does not affect registerable.
   # config.paranoid = true
 
+  # By default Devise will store the user in session. You can skip storage for
+  # :http_auth and :token_auth by adding those symbols to the array below.
+  config.skip_session_storage = [:http_auth]
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
@@ -77,7 +84,13 @@ Devise.setup do |config|
   # able to access the website for two days without confirming his account,
   # access will be blocked just in the third day. Default is 0.days, meaning
   # the user cannot access the website without confirming his account.
-  # config.confirm_within = 2.days
+  # config.allow_unconfirmed_access_for = 2.days
+
+  # If true, requires any email changes to be confirmed (exctly the same way as
+  # initial account confirmation) to be applied. Requires additional unconfirmed_email
+  # db field (see migrations). Until confirmed new email is stored in
+  # unconfirmed email column, and copied to email column on successful confirmation.
+  config.reconfirmable = true
 
   # Defines which key will be used when confirming an account
   # config.confirmation_keys = [ :email ]
@@ -86,9 +99,6 @@ Devise.setup do |config|
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
-  # If true, a valid remember token can be re-used between multiple browsers.
-  # config.remember_across_browsers = true
-
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
@@ -145,7 +155,7 @@ Devise.setup do |config|
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
-  config.reset_password_within = 2.hours
+  config.reset_password_within = 6.hours
 
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
@@ -159,10 +169,6 @@ Devise.setup do |config|
   # Defines name of the authentication token params key
   # config.token_authentication_key = :auth_token
 
-  # If true, authentication through token does not store user in session and needs
-  # to be supplied on each request. Useful if you are using the token as API token.
-  # config.stateless_token = false
-
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you

data/test/controllers/internal_helpers_test.rb

@@ -45,10 +45,12 @@ class HelpersTest < ActionController::TestCase
     @controller.send :require_no_authentication
   end
 
-  test 'require no authentication skips if no inputs are available' do
+  test 'require no authentication only checks if already authenticated if no inputs strategies are available' do
     Devise.mappings[:user].expects(:no_input_strategies).returns([])
     @mock_warden.expects(:authenticate?).never
-    @controller.expects(:redirect_to).never
+    @mock_warden.expects(:authenticated?).with(:user).once.returns(true)
+    @mock_warden.expects(:user).with(:user).returns(User.new)
+    @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication
   end
 

data/test/devise_test.rb

@@ -12,8 +12,8 @@ end
 
 class DeviseTest < ActiveSupport::TestCase
   test 'model options can be configured through Devise' do
-    swap Devise, :confirm_within => 113, :pepper => "foo" do
-      assert_equal 113, Devise.confirm_within
+    swap Devise, :allow_unconfirmed_access_for => 113, :pepper => "foo" do
+      assert_equal 113, Devise.allow_unconfirmed_access_for
       assert_equal "foo", Devise.pepper
     end
   end

data/test/integration/confirmable_test.rb

@@ -98,7 +98,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'not confirmed user with setup to block without confirmation should not be able to sign in' do
-    swap Devise, :confirm_within => 0.days do
+    swap Devise, :allow_unconfirmed_access_for => 0.days do
       sign_in_as_user(:confirm => false)
 
       assert_contain 'You have to confirm your account before continuing'
@@ -107,7 +107,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'not confirmed user should not see confirmation message if invalid credentials are given' do
-    swap Devise, :confirm_within => 0.days do
+    swap Devise, :allow_unconfirmed_access_for => 0.days do
       sign_in_as_user(:confirm => false) do
         fill_in 'password', :with => 'invalid'
       end
@@ -118,7 +118,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'not confirmed user but configured with some days to confirm should be able to sign in' do
-    swap Devise, :confirm_within => 1.day do
+    swap Devise, :allow_unconfirmed_access_for => 1.day do
       sign_in_as_user(:confirm => false)
 
       assert_response :success
@@ -201,3 +201,55 @@ class ConfirmationTest < ActionController::IntegrationTest
     end
   end
 end
+
+class ConfirmationOnChangeTest < ActionController::IntegrationTest
+  def create_second_admin(options={})
+    @admin = nil
+    create_admin(options)
+  end
+
+  def visit_admin_confirmation_with_token(confirmation_token)
+    visit admin_confirmation_path(:confirmation_token => confirmation_token)
+  end
+
+  test 'admin should be able to request a new confirmation after email changed' do
+    admin = create_admin
+    admin.update_attributes(:email => 'new_test@example.com')
+
+    visit new_admin_session_path
+    click_link "Didn't receive confirmation instructions?"
+
+    fill_in 'email', :with => admin.unconfirmed_email
+    assert_difference "ActionMailer::Base.deliveries.size" do
+      click_button 'Resend confirmation instructions'
+    end
+
+    assert_current_url '/admin_area/sign_in'
+    assert_contain 'You will receive an email with instructions about how to confirm your account in a few minutes'
+  end
+
+  test 'admin with valid confirmation token should be able to confirm email after email changed' do
+    admin = create_admin
+    admin.update_attributes(:email => 'new_test@example.com')
+    assert_equal 'new_test@example.com', admin.unconfirmed_email
+    visit_admin_confirmation_with_token(admin.confirmation_token)
+
+    assert_contain 'Your account was successfully confirmed.'
+    assert_current_url '/admin_area/home'
+    assert admin.reload.confirmed?
+    assert_not admin.reload.pending_reconfirmation?
+  end
+
+  test 'admin email should be unique also within unconfirmed_email' do
+    admin = create_admin
+    admin.update_attributes(:email => 'new_admin_test@example.com')
+    assert_equal 'new_admin_test@example.com', admin.unconfirmed_email
+
+    create_second_admin(:email => "new_admin_test@example.com")
+
+    visit_admin_confirmation_with_token(admin.confirmation_token)
+    assert_have_selector '#error_explanation'
+    assert_contain /Email.*already.*taken/
+    assert admin.reload.pending_reconfirmation?
+  end
+end

data/test/integration/http_authenticatable_test.rb

@@ -12,9 +12,24 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
 
   test 'sign in should authenticate with http' do
     sign_in_as_new_user_with_http
-    assert_response :success
+    assert_response 200
     assert_match '<email>user@test.com</email>', response.body
     assert warden.authenticated?(:user)
+
+    get users_path(:format => :xml)
+    assert_response 200
+  end
+
+  test 'sign in should authenticate with http but not emit a cookie if skipping session storage' do
+    swap Devise, :skip_session_storage => [:http_auth] do
+      sign_in_as_new_user_with_http
+      assert_response 200
+      assert_match '<email>user@test.com</email>', response.body
+      assert warden.authenticated?(:user)
+
+      get users_path(:format => :xml)
+      assert_response 401
+    end
   end
 
   test 'returns a custom response with www-authenticate header on failures' do

data/test/integration/lockable_test.rb

@@ -80,16 +80,16 @@ class LockTest < ActionController::IntegrationTest
 
     visit_user_unlock_with_token(user.unlock_token)
 
-    assert_current_url '/'
+    assert_current_url "/users/sign_in"
     assert_contain 'Your account was successfully unlocked.'
 
     assert_not user.reload.access_locked?
   end
 
-  test "sign in user automatically after unlocking its account" do
+  test "redirect user to sign in page after unlocking its account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
-    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test "user should not be able to sign in when locked" do

data/test/integration/registerable_test.rb

@@ -13,7 +13,7 @@ class RegistrationTest < ActionController::IntegrationTest
     fill_in 'password confirmation', :with => 'new_user123'
     click_button 'Sign up'
 
-    assert_contain 'Welcome! You have signed up successfully.'
+    assert_contain 'You have signed up successfully'
     assert warden.authenticated?(:admin)
     assert_current_url "/admin_area/home"
 
@@ -291,3 +291,34 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_equal User.count, 0
   end
 end
+
+class ReconfirmableRegistrationTest < ActionController::IntegrationTest
+  test 'a signed in admin should see a more appropriate flash message when editing his account if reconfirmable is enabled' do
+    sign_in_as_admin
+    get edit_admin_registration_path
+
+    fill_in 'email', :with => 'admin.new@example.com'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_current_url '/admin_area/home'
+    assert_contain 'but we need to verify your new email address'
+
+    assert_equal "admin.new@example.com", Admin.first.unconfirmed_email
+  end
+
+  test 'a signed in admin should not see a reconfirmation message if they did not change their password' do
+    sign_in_as_admin
+    get edit_admin_registration_path
+
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => 'pas123'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_current_url '/admin_area/home'
+    assert_contain 'You updated your account successfully.'
+
+    assert Admin.first.valid_password?('pas123')
+  end
+end

data/test/integration/rememberable_test.rb

@@ -9,14 +9,6 @@ class RememberMeTest < ActionController::IntegrationTest
     user
   end
 
-  def create_admin_and_remember
-    admin = create_admin
-    admin.remember_me!
-    raw_cookie = Admin.serialize_into_cookie(admin)
-    cookies['remember_admin_token'] = generate_signed_cookie(raw_cookie)
-    admin
-  end
-
   def generate_signed_cookie(raw_cookie)
     request = ActionDispatch::TestRequest.new
     request.cookie_jar.signed['raw_cookie'] = raw_cookie
@@ -117,34 +109,6 @@ class RememberMeTest < ActionController::IntegrationTest
     end
   end
 
-  test 'if both extend_remember_period and remember_across_browsers are true, sends the same token with a new expire date' do
-    swap Devise, :remember_across_browsers => true, :extend_remember_period => true, :remember_for => 1.year do
-      admin = create_admin_and_remember
-      token = admin.remember_token
-
-      admin.remember_created_at = old = 10.minutes.ago
-      admin.save!
-
-      get root_path
-      assert (cookie_expires("remember_admin_token") - 1.year) > (old + 5.minutes)
-      assert_equal token, signed_cookie("remember_admin_token").last
-    end
-  end
-
-  test 'if both extend_remember_period and remember_across_browsers are false, sends a new token with old expire date' do
-    swap Devise, :remember_across_browsers => false, :extend_remember_period => false, :remember_for => 1.year do
-      admin = create_admin_and_remember
-      token = admin.remember_token
-
-      admin.remember_created_at = old = 10.minutes.ago
-      admin.save!
-
-      get root_path
-      assert (cookie_expires("remember_admin_token") - 1.year) < (old + 5.minutes)
-      assert_not_equal token, signed_cookie("remember_admin_token").last
-    end
-  end
-
   test 'do not remember other scopes' do
     user = create_user_and_remember
     get root_path
@@ -182,20 +146,6 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
-  test 'do not remember the admin anymore after forget' do
-    admin = create_admin_and_remember
-    get root_path
-    assert warden.authenticated?(:admin)
-
-    get destroy_admin_session_path
-    assert_not warden.authenticated?(:admin)
-    assert_nil admin.reload.remember_token
-    assert_nil warden.cookies['remember_admin_token']
-
-    get root_path
-    assert_not warden.authenticated?(:admin)
-  end
-
   test 'changing user password expires remember me token' do
     user = create_user_and_remember
     user.password = "another_password"