devise 3.0.0 → 3.1.0

data/{CHANGELOG.rdoc → CHANGELOG.md}

@@ -1,13 +1,55 @@
+== 3.1.0
+
+Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
+
+* backwards incompatible changes
+  * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_tokens_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
+  * The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
+  * Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
+
+* deprecations
+  * Token authentication is deprecated
+
+* enhancements
+  * Better security defaults
+  * Allow easier customization of parameter sanitizer (by @alexpeattie)
+
+* bug fix
+  * Do not confirm e-mail after password reset (by @moll)
+  * Do not sign in after confirmation
+  * Do not store confirmation, unlock and reset password tokens directly in the database
+  * Do not compare directly against confirmation, unlock and reset password tokens
+  * Skip storage for cookies on unverified requests
+
+== 3.0.2
+
+* bug fix
+  * Skip storage for cookies on unverified requests
+
+== 3.0.1
+
+Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
+
+* enhancements
+  * Add after_confirmation callback
+
+* bug fix
+  * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
+  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+
 == 3.0.0
 
 * enhancements
   * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
   * Drop support for Rails < 3.2 and Ruby < 1.9.3
-  * Enable to skip sending reconfirmation email when reconfirmable is on and skip_confirmation_notification! is invoked (by @tkhr)
+  * Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
 
 * bug fix
   * Errors on unlock are now properly reflected on the first `unlock_keys`
 
+* backwards incompatible changes
+  * Changes on session storage will expire all existing sessions on upgrade
+
 == 2.2.4
 
 * enhancements
@@ -624,7 +666,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added Registerable
   * Added Http Basic Authentication support
   * Allow scoped_views to be customized per controller/mailer class
-  * [#99] Allow authenticatable to used in change_table statements
+  * Allow authenticatable to used in change_table statements
 
 == 0.9.2
 
@@ -764,19 +806,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added DataMapper support
   * Remove store_location from authenticatable strategy and add it to failure app
   * Allow a strategy to be placed after authenticatable
-  * [#45] Do not rely attribute? methods, since they are not added on Datamapper
+  * Do not rely attribute? methods, since they are not added on Datamapper
 
 == 0.5.6
 
 * enhancements
-  * [#42] Do not send nil to build (DataMapper compatibility)
-  * [#44] Allow to have scoped views
+  * Do not send nil to build (DataMapper compatibility)
+  * Allow to have scoped views
 
 == 0.5.5
 
 * enhancements
   * Allow overwriting find for authentication method
-  * [#38] Remove Ruby 1.8.7 dependency
+  * Remove Ruby 1.8.7 dependency
 
 == 0.5.4
 
@@ -784,7 +826,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Deprecate :singular in devise_for and use :scope instead
 
 * enhancements
-  * [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be
+  * Create after_sign_in_path_for and after_sign_out_path_for hooks to be
     overwriten in ApplicationController
   * Create sign_in_and_redirect and sign_out_and_redirect helpers
   * Warden::Manager.default_scope is automatically configured to the first given scope
@@ -796,7 +838,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure all controllers are unloadable
 
 * enhancements
-  * [#35] Moved friendly_token to Devise
+  * Moved friendly_token to Devise
   * Added Devise.all, so you can freeze your app strategies
   * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
     in cases you don't want it be handlded automatically
@@ -804,9 +846,9 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.5.2
 
 * enhancements
-  * [#28] Improved sign_in and sign_out helpers to accepts resources
-  * [#28] Added stored_location_for as a helper
-  * [#20] Added test helpers
+  * Improved sign_in and sign_out helpers to accepts resources
+  * Added stored_location_for as a helper
+  * Added test helpers
 
 == 0.5.1
 
@@ -827,7 +869,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.4.3
 
 * bug fix
-  * [#29] Authentication just fails if user cannot be serialized from session, without raising errors;
+  * Authentication just fails if user cannot be serialized from session, without raising errors;
   * Default configuration values should not overwrite user values;
 
 == 0.4.2
@@ -845,7 +887,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.4.1
 
 * bug fix
-  * [#21] Ensure options can be set even if models were not loaded
+  * Ensure options can be set even if models were not loaded
 
 == 0.4.0
 
@@ -856,25 +898,25 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * :authenticable calls are deprecated, use :authenticatable instead
 
 * enhancements
-  * [#16] Allow devise to be more agnostic and do not require ActiveRecord to be loaded
+  * Allow devise to be more agnostic and do not require ActiveRecord to be loaded
   * Allow Warden::Manager to be configured through Devise
   * Created a generator which creates an initializer
 
 == 0.3.0
 
 * bug fix
-  * [#15] Allow yml messages to be configured by not using engine locales
+  * Allow yml messages to be configured by not using engine locales
 
 * deprecations
   * Renamed confirm_in to confirm_within
-  * [#14] Do not send confirmation messages when user changes his e-mail
-  * [#13] Renamed authenticable to authenticatable and added deprecation warnings
+  * Do not send confirmation messages when user changes his e-mail
+  * Renamed authenticable to authenticatable and added deprecation warnings
 
 == 0.2.3
 
 * enhancements
   * Ensure fail! works inside strategies
-  * [#12] Make unauthenticated message (when you haven't signed in) different from invalid message
+  * Make unauthenticated message (when you haven't signed in) different from invalid message
 
 * bug fix
   * Do not redirect on invalid authenticate
@@ -883,7 +925,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 == 0.2.2
 
 * bug fix
-  * [#9] Fix a bug when using customized resources
+  * Fix a bug when using customized resources
 
 == 0.2.1
 
@@ -891,17 +933,17 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Clean devise_views generator to use devise existing views
 
 * enhancements
-  * [#7] Create instance variables (like @user) for each devise controller
+  * Create instance variables (like @user) for each devise controller
   * Use Devise::Controller::Helpers only internally
 
 * bug fix
-  * [#6] Fix a bug with Mongrel and Ruby 1.8.6
+  * Fix a bug with Mongrel and Ruby 1.8.6
 
 == 0.2.0
 
 * enhancements
-  * [#4] Allow option :null => true in authenticable migration
-  * [#3] Remove attr_accessible calls from devise modules
+  * Allow option :null => true in authenticable migration
+  * Remove attr_accessible calls from devise modules
   * Customizable time frame for rememberable with :remember_for config
   * Customizable time frame for confirmable with :confirm_in config
   * Generators for creating a resource and copy views
@@ -910,12 +952,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Do not load hooks or strategies if they are not used
 
 * bug fixes
-  * [#2] Fixed requiring devise strategies
+  * Fixed requiring devise strategies
 
 == 0.1.1
 
 * bug fixes
-  * [#1] Fixed requiring devise mapping
+  * Fixed requiring devise mapping
 
 == 0.1.0
 

data/Gemfile.lock

@@ -1,21 +1,22 @@
 GIT
   remote: git://github.com/mongoid/mongoid.git
-  revision: fe7f43430580860db6d1d89cea27eda24ab60ab1
+  revision: 346a79a7d01aa194de80e649916239a18d38ce13
   branch: master
   specs:
     mongoid (4.0.0)
-      activemodel (~> 4.0.0.rc1)
-      moped (~> 1.4.2)
+      activemodel (~> 4.0.0)
+      moped (~> 1.5)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
 
 PATH
   remote: .
   specs:
-    devise (3.0.0.rc)
+    devise (3.1.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
 GEM
@@ -46,17 +47,17 @@ GEM
       thread_safe (~> 0.1)
       tzinfo (~> 0.3.37)
     arel (4.0.0)
-    atomic (1.1.10)
+    atomic (1.1.12)
     bcrypt-ruby (3.1.1)
     builder (3.1.4)
     erubis (2.7.0)
-    faraday (0.8.7)
-      multipart-post (~> 1.1)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
     hashie (1.2.0)
     hike (1.2.3)
     httpauth (0.2.0)
-    i18n (0.6.4)
-    json (1.7.7)
+    i18n (0.6.5)
+    json (1.8.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
     mail (2.5.4)
@@ -67,8 +68,8 @@ GEM
     minitest (4.7.5)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    moped (1.4.5)
-    multi_json (1.7.7)
+    moped (1.5.1)
+    multi_json (1.7.9)
     multipart-post (1.2.0)
     nokogiri (1.5.9)
     oauth2 (0.8.1)
@@ -125,7 +126,7 @@ GEM
       sprockets (~> 2.8)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    thread_safe (0.1.0)
+    thread_safe (0.1.2)
       atomic
     tilt (1.4.1)
     treetop (1.4.14)

data/README.md

@@ -2,7 +2,6 @@
 
 By [Plataformatec](http://plataformatec.com.br/).
 
-[![Gem Version](https://fury-badge.herokuapp.com/rb/devise.png)](http://badge.fury.io/rb/devise)
 [![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
 [![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
 
@@ -12,13 +11,12 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 * Is Rack based;
 * Is a complete MVC solution based on Rails engines;
-* Allows you to have multiple roles (or models/scopes) signed in at the same time;
+* Allows you to have multiple models signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-It's composed of 11 modules:
+It's composed of 10 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Token Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable): signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
 * [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support;
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
@@ -188,7 +186,7 @@ There are just three actions in Devise that allows any set of parameters to be p
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-In case you want to customize the permitted parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -197,12 +195,20 @@ class ApplicationController < ActionController::Base
   protected
 
   def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+    devise_parameter_sanitizer.for(:sign_up) << :username
   end
 end
 ```
 
-If you have multiple roles, you may want to set up different parameter sanitizer per role. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
+To completely change Devise defaults or invoke custom behaviour, you can also pass a block:
+
+```ruby
+def configure_permitted_parameters
+  devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+end
+```
+
+If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
 
 ```ruby
 class User::ParameterSanitizer < Devise::ParameterSanitizer
@@ -240,7 +246,7 @@ Since Devise is an engine, all its views are packaged inside the gem. These view
 rails generate devise:views
 ```
 
-If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
+If you have more than one Devise model in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
 
 After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views:
 
@@ -252,7 +258,7 @@ rails generate devise:views users
 
 If the customization at the views level is not enough, you can customize each controller by following these steps:
 
-1. Create your custom controller, for example a `Admins::SessionsController`:  
+1. Create your custom controller, for example a `Admins::SessionsController`:
 
     ```ruby
     class Admins::SessionsController < Devise::SessionsController
@@ -384,7 +390,7 @@ You can read more about Omniauth support in the wiki:
 
 ### Configuring multiple models
 
-Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+Devise allows you to set up as many Devise models as you want. If you want to have an Admin model with just authentication and timeout features, in addition to the User model above, just run:
 
 ```ruby
 # Create a migration with the required fields
@@ -409,7 +415,9 @@ current_admin
 admin_session
 ```
 
-On the other hand, you can simply run the generator!
+Alternatively, you can simply run the Devise generator.
+
+Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend you to use a role-based approach, by either providing a role column or using [CanCan](https://github.com/ryanb/cancan).
 
 ### Other ORMs
 
@@ -439,12 +447,6 @@ We have a long list of valued contributors. Check them all at:
 
 https://github.com/plataformatec/devise/contributors
 
-### Maintainers
-
-* José Valim (https://github.com/josevalim)
-* Carlos Antônio da Silva (https://github.com/carlosantoniodasilva)
-* Rodrigo Flores (https://github.com/rodrigoflores)
-
 ## License
 
 MIT License. Copyright 2009-2013 Plataformatec. http://plataformatec.com.br

data/app/controllers/devise/confirmations_controller.rb

@@ -20,8 +20,12 @@ class Devise::ConfirmationsController < DeviseController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      set_flash_message(:notice, :confirmed) if is_navigational_format?
-      sign_in(resource_name, resource)
+      if Devise.allow_insecure_sign_in_after_confirmation
+        set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+      else
+        set_flash_message(:notice, :confirmed) if is_navigational_format?
+      end
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -37,6 +41,10 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      after_sign_in_path_for(resource)
+      if Devise.allow_insecure_sign_in_after_confirmation
+        after_sign_in_path_for(resource)
+      else
+        new_session_path(resource_name)
+      end
     end
 end

data/app/controllers/devise/registrations_controller.rb

@@ -40,7 +40,7 @@ class Devise::RegistrationsController < DeviseController
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
-    if resource.update_with_password(account_update_params)
+    if update_resource(resource, account_update_params)
       if is_navigational_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
@@ -80,6 +80,12 @@ class Devise::RegistrationsController < DeviseController
       previous != resource.unconfirmed_email
   end
 
+  # By default we want to require a password checks on update.
+  # You can overwrite this method in your own RegistrationsController.
+  def update_resource(resource, params)
+    resource.update_with_password(params)
+  end
+
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
   def build_resource(hash=nil)
@@ -117,10 +123,10 @@ class Devise::RegistrationsController < DeviseController
   end
 
   def sign_up_params
-    devise_parameter_sanitizer.for(:sign_up)
+    devise_parameter_sanitizer.sanitize(:sign_up)
   end
 
   def account_update_params
-    devise_parameter_sanitizer.for(:account_update)
+    devise_parameter_sanitizer.sanitize(:account_update)
   end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -35,7 +35,7 @@ class Devise::SessionsController < DeviseController
   protected
 
   def sign_in_params
-    devise_parameter_sanitizer.for(:sign_in)
+    devise_parameter_sanitizer.sanitize(:sign_in)
   end
 
   def serialize_options(resource)

data/app/mailers/devise/mailer.rb

@@ -1,15 +1,18 @@
 class Devise::Mailer < Devise.parent_mailer.constantize
   include Devise::Mailers::Helpers
 
-  def confirmation_instructions(record, opts={})
+  def confirmation_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :confirmation_instructions, opts)
   end
 
-  def reset_password_instructions(record, opts={})
+  def reset_password_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :reset_password_instructions, opts)
   end
 
-  def unlock_instructions(record, opts={})
+  def unlock_instructions(record, token, opts={})
+    @token = token
     devise_mail(record, :unlock_instructions, opts)
   end
 end

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -2,4 +2,4 @@
 
 <p>You can confirm your account email through the link below:</p>
 
-<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %></p>

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
-<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %></p>
 
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -4,4 +4,4 @@
 
 <p>Click the link below to unlock your account:</p>
 
-<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @token) %></p>

data/app/views/devise/shared/_links.erb

@@ -6,7 +6,7 @@
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
 <% end -%>
 
-<%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
   <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
 <% end -%>
 
@@ -22,4 +22,4 @@
   <%- resource_class.omniauth_providers.each do |provider| %>
     <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %><br />
   <% end -%>
-<% end -%>
+<% end -%>

data/config/locales/en.yml

@@ -3,17 +3,18 @@
 en:
   devise:
     confirmations:
-      confirmed: "Your account was successfully confirmed. You are now signed in."
+      confirmed: "Your account was successfully confirmed. Please sign in."
+      confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
       send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:
       already_authenticated: "You are already signed in."
-      inactive: "Your account was not activated yet."
+      inactive: "Your account is not activated yet."
       invalid: "Invalid email or password."
       invalid_token: "Invalid authentication token."
       locked: "Your account is locked."
       not_found_in_database: "Invalid email or password."
-      timeout: "Your session expired, please sign in again to continue."
+      timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your account before continuing."
     mailer:

data/devise.gemspec

@@ -22,5 +22,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
+  s.add_dependency("thread_safe", "~> 0.1")
   s.add_dependency("railties", ">= 3.2.6", "< 5")
 end