devise 2.1.0.rc → 2.1.0.rc2

data/lib/devise/strategies/rememberable.rb

@@ -1,4 +1,4 @@
-require 'devise/strategies/base'
+require 'devise/strategies/authenticatable'
 
 module Devise
   module Strategies

data/lib/devise/test_helpers.rb

@@ -70,22 +70,61 @@ module Devise
     def _catch_warden(&block)
       result = catch(:warden, &block)
 
-      if result.is_a?(Hash) && !warden.custom_failure? && !@controller.send(:performed?)
-        result[:action] ||= :unauthenticated
+      env = @controller.request.env
 
-        env = @controller.request.env
-        env["PATH_INFO"] = "/#{result[:action]}"
-        env["warden.options"] = result
-        Warden::Manager._run_callbacks(:before_failure, env, result)
+      result ||= {}
+
+      # Set the response. In production, the rack result is returned
+      # from Warden::Manager#call, which the following is modelled on.
+      case result
+      when Array
+        if result.first == 401 && intercept_401?(env) # does this happen during testing?
+          _process_unauthenticated(env)
+        else
+          result
+        end
+      when Hash
+        _process_unauthenticated(env, result)
+      else
+        result
+      end
+    end
+
+    def _process_unauthenticated(env, options = {})
+      options[:action] ||= :unauthenticated
+      proxy = env['warden']
+      result = options[:result] || proxy.result
+
+      ret = case result
+      when :redirect
+        body = proxy.message || "You are being redirected to #{proxy.headers['Location']}"
+        [proxy.status, proxy.headers, [body]]
+      when :custom
+        proxy.custom_response
+      else
+        env["PATH_INFO"] = "/#{options[:action]}"
+        env["warden.options"] = options
+        Warden::Manager._run_callbacks(:before_failure, env, options)
 
         status, headers, body = Devise.warden_config[:failure_app].call(env).to_a
         @controller.send :render, :status => status, :text => body,
           :content_type => headers["Content-Type"], :location => headers["Location"]
+        nil # causes process return @response
+      end
 
-        nil
-      else
-        result
+      # ensure that the controller response is set up. In production, this is
+      # not necessary since warden returns the results to rack. However, at
+      # testing time, we want the response to be available to the testing
+      # framework to verify what would be returned to rack.
+      if ret.is_a?(Array)
+        # ensure the controller response is set to our response.
+        @controller.response ||= @response
+        @response.status = ret.first
+        @response.headers = ret.second
+        @response.body = ret.third
       end
+
+      ret
     end
   end
 end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.1.0.rc".freeze
+  VERSION = "2.1.0.rc2".freeze
 end

data/lib/generators/active_record/devise_generator.rb

@@ -22,10 +22,17 @@ module ActiveRecord
       end
 
       def inject_devise_content
-        inject_into_class(model_path, class_name, model_contents + <<CONTENT) if model_exists?
+        content = model_contents + <<CONTENT
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation, :remember_me
 CONTENT
+
+        class_path = class_name.to_s.split("::")
+
+        indent_depth = class_path.size - 1
+        content = content.split("\n").map { |line| "  " * indent_depth + line } .join("\n")
+
+        inject_into_class(model_path, class_path.last, content) if model_exists?
       end
 
       def migration_data
@@ -48,9 +55,6 @@ CONTENT
       t.string   :current_sign_in_ip
       t.string   :last_sign_in_ip
 
-      ## Encryptable
-      # t.string :password_salt
-
       ## Confirmable
       # t.string   :confirmation_token
       # t.datetime :confirmed_at

data/lib/generators/devise/orm_helpers.rb

@@ -4,7 +4,8 @@ module Devise
       def model_contents
 <<-CONTENT
   # Include default devise modules. Others available are:
-  # :token_authenticatable, :encryptable, :confirmable, :lockable, :timeoutable and :omniauthable
+  # :token_authenticatable, :confirmable,
+  # :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 

data/lib/generators/mongoid/devise_generator.rb

@@ -37,9 +37,6 @@ module Mongoid
   field :current_sign_in_ip, :type => String
   field :last_sign_in_ip,    :type => String
 
-  ## Encryptable
-  # field :password_salt, :type => String
-
   ## Confirmable
   # field :confirmation_token,   :type => String
   # field :confirmed_at,         :type => Time

data/lib/generators/templates/devise.rb

@@ -9,9 +9,6 @@ Devise.setup do |config|
   # Configure the class responsible to send e-mails.
   # config.mailer = "Devise::Mailer"
 
-  # Automatically apply schema changes in tableless databases
-  config.apply_schema = false
-
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
@@ -95,7 +92,7 @@ Devise.setup do |config|
   # the user cannot access the website without confirming his account.
   # config.allow_unconfirmed_access_for = 2.days
 
-  # If true, requires any email changes to be confirmed (exctly the same way as
+  # If true, requires any email changes to be confirmed (exactly the same way as
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed new email is stored in
   # unconfirmed email column, and copied to email column on successful confirmation.
@@ -111,10 +108,6 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
-  # If true, uses the password salt as remember token. This should be turned
-  # to false if you are not using database authenticatable.
-  config.use_salt_as_remember_token = true
-
   # Options to be passed to the created cookie. For instance, you can set
   # :secure => true in order to force SSL only cookies.
   # config.rememberable_options = {}

data/test/controllers/custom_strategy_test.rb

@@ -0,0 +1,62 @@
+require 'test_helper'
+require 'ostruct'
+require 'warden/strategies/base'
+require 'devise/test_helpers'
+
+class CustomStrategyController < ActionController::Base
+  def new
+    warden.authenticate!(:custom_strategy)
+  end
+end
+
+# These tests are to prove that a warden strategy can successfully
+# return a custom response, including a specific status code and
+# custom http response headers. This does work in production,
+# however, at the time of writing this, the Devise test helpers do
+# not recognise the custom response and proceed to calling the
+# Failure App. This makes it impossible to write tests for a
+# strategy that return a custom response with Devise.
+class CustomStrategy < Warden::Strategies::Base
+  def authenticate!
+    custom_headers = { "X-FOO" => "BAR" }
+    response = Rack::Response.new("BAD REQUEST", 400, custom_headers)
+    custom! response.finish
+  end
+end
+
+class CustomStrategyTest < ActionController::TestCase
+  tests CustomStrategyController
+
+  include Devise::TestHelpers
+
+  setup do
+    Warden::Strategies.add(:custom_strategy, CustomStrategy)
+  end
+
+  teardown do
+    Warden::Strategies._strategies.delete(:custom_strategy)
+  end
+
+  test "custom strategy can return its own status code" do
+    ret = get :new
+
+    # check the returned rack array
+    assert ret.is_a?(Array)
+    assert_equal 400, ret.first
+
+    # check the saved response as well. This is purely so that the response is available to the testing framework
+    # for verification. In production, the above array would be delivered directly to Rack.
+    assert_response 400
+  end
+
+  test "custom strategy can return custom headers" do
+    ret = get :new
+
+    # check the returned rack array
+    assert ret.is_a?(Array)
+    assert_equal ret.third['X-FOO'], 'BAR'
+
+    # check the saved response headers as well.
+    assert_equal response.headers['X-FOO'], 'BAR'
+  end
+end

data/test/controllers/sessions_controller_test.rb

@@ -13,4 +13,24 @@ class SessionsControllerTest < ActionController::TestCase
     assert_equal 200, @response.status
     assert_template "devise/sessions/new"
   end
-end
+ 
+  if defined?(ActiveRecord) 
+    if ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
+      test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
+        request.env["devise.mapping"] = Devise.mappings[:user] 
+
+        ActiveRecord::Base.mass_assignment_sanitizer = :strict
+        User.class_eval { attr_protected :email }
+      
+        begin
+          assert_nothing_raised ActiveModel::MassAssignmentSecurity::Error do
+            get :new, :user => { :email => "allez viens!" }
+          end
+        ensure
+          ActiveRecord::Base.mass_assignment_sanitizer = :logger
+          User.class_eval { attr_accessible :email }
+        end
+      end
+    end
+  end
+end

data/test/failure_app_test.rb

@@ -29,20 +29,20 @@ class FailureTest < ActiveSupport::TestCase
   end
 
   context 'When redirecting' do
-    test 'return to the default redirect location' do
+    test 'returns to the default redirect location' do
       call_failure
       assert_equal 302, @response.first
       assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
-    test 'return to the default redirect location for wildcard requests' do
+    test 'returns to the default redirect location for wildcard requests' do
       call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
       assert_equal 302, @response.first
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
-    test 'return to the root path if no session path is available' do
+    test 'returns to the root path if no session path is available' do
       swap Devise, :router_name => :fake_app do
         call_failure :app => RootFailureApp
         assert_equal 302, @response.first
@@ -51,6 +51,16 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    if Rails.application.config.respond_to?(:relative_url_root)
+      test 'returns to the default redirect location considering the relative url root' do
+        swap Rails.application.config, :relative_url_root => "/sample" do
+          call_failure
+          assert_equal 302, @response.first
+          assert_equal 'http://test.host/sample/users/sign_in', @response.second['Location']
+        end
+      end
+    end
+
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(:message => :invalid))
       assert_equal 'Invalid email or password.', @request.flash[:alert]

data/test/generators/active_record_generator_test.rb

@@ -34,4 +34,36 @@ if DEVISE_ORM == :active_record
       assert_no_migration "db/migrate/devise_create_monsters.rb"
     end
   end
+
+  module RailsEngine
+    class Engine < Rails::Engine
+      isolate_namespace RailsEngine
+    end
+  end
+
+  def simulate_inside_engine(engine, namespace)
+    if Rails::Generators.respond_to?(:namespace=)
+      swap Rails::Generators, :namespace => namespace do
+        yield
+      end
+    else
+      swap Rails, :application => engine.instance do
+        yield
+      end
+    end
+  end
+
+  class ActiveRecordEngineGeneratorTest < Rails::Generators::TestCase
+    tests ActiveRecord::Generators::DeviseGenerator
+    destination File.expand_path("../../tmp", __FILE__)
+    setup :prepare_destination
+
+    test "all files are properly created" do
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/,/attr_accessible (:[a-z_]+(, )?)+/
+      end
+    end
+  end
 end

data/test/integration/authenticatable_test.rb

@@ -461,14 +461,14 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   test 'sign out with xml format returns ok response' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'xml')
-    assert_response :ok
+    assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with json format returns empty json response' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'json')
-    assert_response :ok
+    assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 end

data/test/integration/recoverable_test.rb

@@ -284,4 +284,17 @@ class PasswordTest < ActionController::IntegrationTest
       assert_current_url "/users/sign_in"
     end
   end
+
+  test "after recovering a password, should set failed attempts to 0" do
+    user = create_user
+    user.update_attribute(:failed_attempts, 10)
+
+    assert_equal 10, user.failed_attempts
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert warden.authenticated?(:user)
+    user.reload
+    assert_equal 0, user.failed_attempts
+  end
 end

data/test/integration/token_authenticatable_test.rb

@@ -100,6 +100,19 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'should reset token and not authenticate when expire_auth_token_on_timeout is set to true, timeoutable is enabled and we have a timed out session' do
+    swap Devise, :token_authentication_key => :secret_token, :expire_auth_token_on_timeout => true, :timeout_in => (-1).minute do
+      user = sign_in_as_new_user_with_token
+      assert warden.authenticated?(:user)
+      token = user.authentication_token
+
+      get_users_path_as_existing_user(user)
+      assert_not warden.authenticated?(:user)
+      user.reload
+      assert_not_equal token, user.authentication_token
+    end
+  end
+
   test 'should not be subject to injection' do
     swap Devise, :token_authentication_key => :secret_token do
       user1 = create_user_with_authentication_token()

data/test/models/lockable_test.rb

@@ -14,15 +14,6 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test "should clear failed_attempts on successfull validation" do
-    user = create_user
-    user.confirm!
-    user.valid_for_authentication?{ false }
-    assert_equal 1, user.reload.failed_attempts
-    user.valid_for_authentication?{ true }
-    assert_equal 0, user.reload.failed_attempts
-  end
-
   test "should increment failed_attempts on successfull validation if the user is already locked" do
     user = create_user
     user.confirm!

data/test/models/rememberable_test.rb

@@ -168,8 +168,7 @@ class RememberableTest < ActiveSupport::TestCase
 
   test 'should have the required_fiels array' do
     assert_same_content Devise::Models::Rememberable.required_fields(User), [
-      :remember_created_at,
-      :remember_token
+      :remember_created_at
     ]
   end
 end

data/test/models_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 class Configurable < User
-  devise :database_authenticatable, :encryptable, :confirmable, :rememberable, :timeoutable, :lockable,
+  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
          :stretches => 15, :pepper => 'abcdef', :allow_unconfirmed_access_for => 5.days,
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
@@ -39,7 +39,7 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'can cherry pick modules' do
-    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :encryptable, :confirmable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :confirmable
   end
 
   test 'validations options are not applied too late' do
@@ -55,12 +55,12 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'chosen modules are inheritable' do
-    assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :encryptable, :confirmable
+    assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :confirmable
   end
 
   test 'order of module inclusion' do
-    correct_module_order   = [:database_authenticatable, :encryptable, :recoverable, :registerable, :confirmable, :lockable, :timeoutable]
-    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable, :recoverable, :lockable, :encryptable, :confirmable]
+    correct_module_order   = [:database_authenticatable, :recoverable, :registerable, :confirmable, :lockable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable, :recoverable, :lockable, :confirmable]
 
     assert_include_modules Admin, *incorrect_module_order