devise 2.1.2 → 3.5.10

data/test/models/serializable_test.rb

@@ -6,32 +6,33 @@ class SerializableTest < ActiveSupport::TestCase
   end
 
   test 'should not include unsafe keys on XML' do
-    assert_match /email/, @user.to_xml
-    assert_no_match /confirmation-token/, @user.to_xml
+    assert_match(/email/, @user.to_xml)
+    assert_no_match(/confirmation-token/, @user.to_xml)
   end
 
   test 'should not include unsafe keys on XML even if a new except is provided' do
-    assert_no_match /email/, @user.to_xml(:except => :email)
-    assert_no_match /confirmation-token/, @user.to_xml(:except => :email)
+    assert_no_match(/email/, @user.to_xml(except: :email))
+    assert_no_match(/confirmation-token/, @user.to_xml(except: :email))
   end
 
   test 'should include unsafe keys on XML if a force_except is provided' do
-    assert_no_match /<email/, @user.to_xml(:force_except => :email)
-    assert_match /confirmation-token/, @user.to_xml(:force_except => :email)
+    assert_no_match(/<email/, @user.to_xml(force_except: :email))
+    assert_match(/confirmation-token/, @user.to_xml(force_except: :email))
   end
 
   test 'should not include unsafe keys on JSON' do
-    assert_equal %w(created_at email facebook_token id updated_at username), from_json().keys.sort
+    keys = from_json().keys.select{ |key| !key.include?("id") }
+    assert_equal %w(created_at email facebook_token updated_at username), keys.sort
   end
 
   test 'should not include unsafe keys on JSON even if a new except is provided' do
-    assert_no_key "email", from_json(:except => :email)
-    assert_no_key "confirmation_token", from_json(:except => :email)
+    assert_no_key "email", from_json(except: :email)
+    assert_no_key "confirmation_token", from_json(except: :email)
   end
 
   test 'should include unsafe keys on JSON if a force_except is provided' do
-    assert_no_key "email", from_json(:force_except => :email)
-    assert_key "confirmation_token", from_json(:force_except => :email)
+    assert_no_key "email", from_json(force_except: :email)
+    assert_key "confirmation_token", from_json(force_except: :email)
   end
 
   def assert_key(key, subject)

data/test/models/timeoutable_test.rb

@@ -29,7 +29,7 @@ class TimeoutableTest < ActiveSupport::TestCase
   end
 
   test 'fallback to Devise config option' do
-    swap Devise, :timeout_in => 1.minute do
+    swap Devise, timeout_in: 1.minute do
       user = new_user
       assert user.timedout?(2.minutes.ago)
       assert_not user.timedout?(30.seconds.ago)
@@ -43,4 +43,9 @@ class TimeoutableTest < ActiveSupport::TestCase
   test 'required_fields should contain the fields that Devise uses' do
     assert_same_content Devise::Models::Timeoutable.required_fields(User), []
   end
+
+  test 'should not raise error if remember_created_at is not empty and rememberable is disabled' do
+    user = create_admin(remember_created_at: Time.current)
+    assert user.timedout?(31.minutes.ago)
+  end
 end

data/test/models/trackable_test.rb

@@ -10,4 +10,32 @@ class TrackableTest < ActiveSupport::TestCase
       :sign_in_count
     ]
   end
+
+  test 'update_tracked_fields should only set attributes but not save the record' do
+    user = create_user
+    request = mock
+    request.stubs(:remote_ip).returns("127.0.0.1")
+
+    assert_nil user.current_sign_in_ip
+    assert_nil user.last_sign_in_ip
+    assert_nil user.current_sign_in_at
+    assert_nil user.last_sign_in_at
+    assert_equal 0, user.sign_in_count
+
+    user.update_tracked_fields(request)
+
+    assert_equal "127.0.0.1", user.current_sign_in_ip
+    assert_equal "127.0.0.1", user.last_sign_in_ip
+    assert_not_nil user.current_sign_in_at
+    assert_not_nil user.last_sign_in_at
+    assert_equal 1, user.sign_in_count
+
+    user.reload
+
+    assert_nil user.current_sign_in_ip
+    assert_nil user.last_sign_in_ip
+    assert_nil user.current_sign_in_at
+    assert_nil user.last_sign_in_at
+    assert_equal 0, user.sign_in_count
+  end
 end

data/test/models/validatable_test.rb

@@ -3,7 +3,7 @@ require 'test_helper'
 
 class ValidatableTest < ActiveSupport::TestCase
   test 'should require email to be set' do
-    user = new_user(:email => nil)
+    user = new_user(email: nil)
     assert user.invalid?
     assert user.errors[:email]
     assert_equal 'can\'t be blank', user.errors[:email].join
@@ -12,7 +12,7 @@ class ValidatableTest < ActiveSupport::TestCase
   test 'should require uniqueness of email if email has changed, allowing blank' do
     existing_user = create_user
 
-    user = new_user(:email => '')
+    user = new_user(email: '')
     assert user.invalid?
     assert_no_match(/taken/, user.errors[:email].join)
 
@@ -20,12 +20,12 @@ class ValidatableTest < ActiveSupport::TestCase
     assert user.invalid?
     assert_match(/taken/, user.errors[:email].join)
 
-    user.save(:validate => false)
+    user.save(validate: false)
     assert user.valid?
   end
 
   test 'should require correct email format if email has changed, allowing blank' do
-    user = new_user(:email => '')
+    user = new_user(email: '')
     assert user.invalid?
     assert_not_equal 'is invalid', user.errors[:email].join
 
@@ -35,31 +35,36 @@ class ValidatableTest < ActiveSupport::TestCase
       assert_equal 'is invalid', user.errors[:email].join
     end
 
-    user.save(:validate => false)
+    user.save(validate: false)
     assert user.valid?
   end
 
   test 'should accept valid emails' do
     %w(a.b.c@example.com test_mail@gmail.com any@any.net email@test.br 123@mail.test 1☃3@mail.test).each do |email|
-      user = new_user(:email => email)
+      user = new_user(email: email)
       assert user.valid?, 'should be valid with email ' << email
       assert_blank user.errors[:email]
     end
   end
 
   test 'should require password to be set when creating a new record' do
-    user = new_user(:password => '', :password_confirmation => '')
+    user = new_user(password: '', password_confirmation: '')
     assert user.invalid?
     assert_equal 'can\'t be blank', user.errors[:password].join
   end
 
   test 'should require confirmation to be set when creating a new record' do
-    user = new_user(:password => 'new_password', :password_confirmation => 'blabla')
+    user = new_user(password: 'new_password', password_confirmation: 'blabla')
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
-  test 'should require password when updating/reseting password' do
+  test 'should require password when updating/resetting password' do
     user = create_user
 
     user.password = ''
@@ -69,23 +74,28 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'can\'t be blank', user.errors[:password].join
   end
 
-  test 'should require confirmation when updating/reseting password' do
+  test 'should require confirmation when updating/resetting password' do
     user = create_user
     user.password_confirmation = 'another_password'
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
-  test 'should require a password with minimum of 6 characters' do
-    user = new_user(:password => '12345', :password_confirmation => '12345')
+  test 'should require a password with minimum of 7 characters' do
+    user = new_user(password: '12345', password_confirmation: '12345')
     assert user.invalid?
-    assert_equal 'is too short (minimum is 6 characters)', user.errors[:password].join
+    assert_equal 'is too short (minimum is 7 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 128 characters long' do
-    user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
+  test 'should require a password with maximum of 72 characters long' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do
@@ -98,11 +108,11 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_not (user.errors[:password].join =~ /is too long/)
   end
 
-  test 'should complain about length even if possword is not required' do
-    user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
+  test 'should complain about length even if password is not required' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     user.stubs(:password_required?).returns(false)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not be included in objects with invalid API' do

data/test/models_test.rb

@@ -1,26 +1,5 @@
 require 'test_helper'
-
-class Configurable < User
-  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
-         :stretches => 15, :pepper => 'abcdef', :allow_unconfirmed_access_for => 5.days,
-         :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
-end
-
-class WithValidation < Admin
-  devise :database_authenticatable, :validatable, :password_length => 2..6
-end
-
-class UserWithValidation < User
-  validates_presence_of :username
-end
-
-class Several < Admin
-  devise :validatable
-  devise :lockable
-end
-
-class Inheritable < Admin
-end
+require 'test_models'
 
 class ActiveRecordTest < ActiveSupport::TestCase
   def include_module?(klass, mod)
@@ -104,7 +83,18 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'set null fields on migrations' do
-    Admin.create!
+    # Ignore email sending since no email exists.
+    klass = Class.new(Admin) do
+      def send_devise_notification(*); end
+    end
+
+    klass.create!
+  end
+end
+
+module StubModelFilters
+  def stub_filter(name)
+    define_singleton_method(name) { |*| nil }
   end
 end
 
@@ -112,9 +102,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'checks if the class respond_to the required fields' do
     Player = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -129,9 +120,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute and shows the missing attribute if the class doesn\'t respond_to one of the attributes' do
     Clown = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -146,9 +138,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute with all the missing attributes if there is more than one' do
     Magician = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
     end
@@ -157,23 +150,4 @@ class CheckFieldsTest < ActiveSupport::TestCase
       Devise::Models.check_fields!(Magician)
     end
   end
-
-  test "doesn't raise a NoMethodError exception when the module doesn't have a required_field(klass) class method" do
-    driver = Class.new do
-      extend Devise::Models
-
-      def self.before_validation(instance)
-      end
-
-      attr_accessor :encrypted_password, :email
-
-      devise :database_authenticatable
-    end
-
-    swap_module_method_existence Devise::Models::DatabaseAuthenticatable, :required_fields do
-      assert_deprecated do
-        Devise::Models.check_fields!(driver)
-      end
-    end
-  end
 end

data/test/omniauth/config_test.rb

@@ -11,12 +11,12 @@ class OmniAuthConfigTest < ActiveSupport::TestCase
   end
 
   test 'strategy_name returns provider if no name option are given' do
-    config = Devise::OmniAuth::Config.new :facebook, [{ :other => :option }]
+    config = Devise::OmniAuth::Config.new :facebook, [{ other: :option }]
     assert_equal :facebook, config.strategy_name
   end
 
   test 'returns name option when have a name' do
-    config = Devise::OmniAuth::Config.new :facebook, [{ :name => :github }]
+    config = Devise::OmniAuth::Config.new :facebook, [{ name: :github }]
     assert_equal :github, config.strategy_name
   end
 
@@ -50,8 +50,8 @@ class OmniAuthConfigTest < ActiveSupport::TestCase
   end
 
   test 'allows the user to define a custom require path' do
-    config = Devise::OmniAuth::Config.new :my_strategy, [{:strategy_class => MyStrategy}]
+    config = Devise::OmniAuth::Config.new :my_strategy, [{strategy_class: MyStrategy}]
     config_class = config.strategy_class
     assert_equal MyStrategy, config_class
   end
-end
+end

data/test/omniauth/url_helpers_test.rb

@@ -1,6 +1,9 @@
 require 'test_helper'
 
 class OmniAuthRoutesTest < ActionController::TestCase
+  ExpectedUrlGeneratiorError = Devise.rails4? ?
+    ActionController::UrlGenerationError : ActionController::RoutingError
+
   tests ApplicationController
 
   def assert_path(action, provider, with_param=true)
@@ -14,8 +17,8 @@ class OmniAuthRoutesTest < ActionController::TestCase
 
     if with_param
       # Default url params
-      assert_equal @controller.send(action, :user, provider, :param => 123),
-                   @controller.send("user_#{action}", provider, :param => 123)
+      assert_equal @controller.send(action, :user, provider, param: 123),
+                   @controller.send("user_#{action}", provider, param: 123)
     end
   end
 
@@ -30,7 +33,7 @@ class OmniAuthRoutesTest < ActionController::TestCase
   test 'should generate authorization path' do
     assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
 
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedUrlGeneratiorError do
       @controller.omniauth_authorize_path(:user, :github)
     end
   end
@@ -41,7 +44,7 @@ class OmniAuthRoutesTest < ActionController::TestCase
 
   test 'should generate authorization path with params' do
     assert_match "/users/auth/openid?openid_url=http%3A%2F%2Fyahoo.com",
-                  @controller.omniauth_authorize_path(:user, :openid, :openid_url => "http://yahoo.com")
+                  @controller.omniauth_authorize_path(:user, :openid, openid_url: "http://yahoo.com")
   end
 
   test 'should not add a "?" if no param was sent' do

data/test/orm/active_record.rb

@@ -1,5 +1,6 @@
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
+ActiveRecord::Base.include_root_in_json = true
 
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 

data/test/orm/mongoid.rb

@@ -1,14 +1,13 @@
 require 'mongoid/version'
 
 Mongoid.configure do |config|
-  config.master  = Mongo::Connection.new('127.0.0.1', 27017).db("devise-test-suite")
+  config.load!('test/support/mongoid.yml')
   config.use_utc = true
   config.include_root_in_json = true
 end
 
 class ActiveSupport::TestCase
   setup do
-    User.delete_all
-    Admin.delete_all
+    Mongoid.purge!
   end
 end

data/test/parameter_sanitizer_test.rb

@@ -0,0 +1,81 @@
+require 'test_helper'
+require 'devise/parameter_sanitizer'
+
+class BaseSanitizerTest < ActiveSupport::TestCase
+  def sanitizer(params)
+    Devise::BaseSanitizer.new(User, :user, params)
+  end
+
+  test 'returns chosen params' do
+    sanitizer = sanitizer(user: { "email" => "jose" })
+    assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_in))
+  end
+end
+
+if defined?(ActionController::StrongParameters)
+  require 'active_model/forbidden_attributes_protection'
+
+  class ParameterSanitizerTest < ActiveSupport::TestCase
+    def sanitizer(params)
+      params = ActionController::Parameters.new(params)
+      Devise::ParameterSanitizer.new(User, :user, params)
+    end
+
+    test 'filters some parameters on sign in by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
+      assert_equal({ "email" => "jose", "password" => "invalid", "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
+    end
+
+    test 'handles auth keys as a hash' do
+      swap Devise, authentication_keys: {email: true} do
+        sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+        assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
+      end
+    end
+
+    test 'filters some parameters on sign up by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:sign_up))
+    end
+
+    test 'filters some parameters on account update by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.sanitize(:account_update))
+    end
+
+    test 'allows custom hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      sanitizer.for(:sign_in) { |user| user.permit(:email, :password) }
+      assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.sanitize(:sign_in))
+    end
+
+    test 'adding multiple permitted parameters' do
+      sanitizer = sanitizer(user: { "email" => "jose", "username" => "jose1", "role" => "valid" })
+      sanitizer.for(:sign_in).concat([:username, :role])
+      assert_equal({ "email" => "jose", "username" => "jose1", "role" => "valid" }, sanitizer.sanitize(:sign_in))
+    end
+
+    test 'removing multiple default parameters' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid", "remember_me" => "1" })
+      sanitizer.for(:sign_in).delete(:email)
+      sanitizer.for(:sign_in).delete(:password)
+      assert_equal({ "remember_me" => "1" }, sanitizer.sanitize(:sign_in))
+    end
+
+    test 'raises on unknown hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      assert_raise NotImplementedError do
+        sanitizer.sanitize(:unknown)
+      end
+    end
+
+    test 'passes parameters to filter as arguments to sanitizer' do
+      params = {user: stub}
+      sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+
+      params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+
+      sanitizer.sanitize(:sign_in)
+    end
+  end
+end