devise 3.0.0 → 3.1.0

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,21 +1,22 @@
 PATH
   remote: ..
   specs:
-    devise (3.0.0.rc)
+    devise (3.1.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
-      warden (~> 1.2.1)
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.13)
-      actionpack (= 3.2.13)
-      mail (~> 2.5.3)
-    actionpack (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    actionmailer (3.2.14)
+      actionpack (= 3.2.14)
+      mail (~> 2.5.4)
+    actionpack (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -23,49 +24,49 @@ GEM
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activeresource (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.0.1)
+    atomic (1.1.13)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     erubis (2.7.0)
-    faraday (0.8.7)
-      multipart-post (~> 1.1)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
     hashie (1.2.0)
-    hike (1.2.2)
+    hike (1.2.3)
     httpauth (0.2.0)
-    i18n (0.6.1)
+    i18n (0.6.5)
     journey (1.0.4)
-    json (1.7.7)
+    json (1.8.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
-    mail (2.5.3)
-      i18n (>= 0.4.0)
+    mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
     mime-types (1.23)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.1.3)
+    mongoid (3.1.4)
       activemodel (~> 3.2)
-      moped (~> 1.4.2)
+      moped (~> 1.4)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
-    moped (1.4.5)
-    multi_json (1.7.3)
+    moped (1.5.1)
+    multi_json (1.7.9)
     multipart-post (1.2.0)
     nokogiri (1.5.9)
     oauth2 (0.8.1)
@@ -98,22 +99,22 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.13)
-      actionmailer (= 3.2.13)
-      actionpack (= 3.2.13)
-      activerecord (= 3.2.13)
-      activeresource (= 3.2.13)
-      activesupport (= 3.2.13)
+    rails (3.2.14)
+      actionmailer (= 3.2.14)
+      actionpack (= 3.2.14)
+      activerecord (= 3.2.14)
+      activeresource (= 3.2.14)
+      activesupport (= 3.2.14)
       bundler (~> 1.0)
-      railties (= 3.2.13)
-    railties (3.2.13)
-      actionpack (= 3.2.13)
-      activesupport (= 3.2.13)
+      railties (= 3.2.14)
+    railties (3.2.14)
+      actionpack (= 3.2.14)
+      activesupport (= 3.2.14)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (10.0.4)
+    rake (10.1.0)
     rdoc (3.12.2)
       json (~> 1.4)
     ruby-openid (2.2.3)
@@ -124,12 +125,14 @@ GEM
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    tilt (1.4.0)
-    treetop (1.4.12)
+    thread_safe (0.1.2)
+      atomic
+    tilt (1.4.1)
+    treetop (1.4.14)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/lib/devise/controllers/helpers.rb

@@ -117,6 +117,7 @@ module Devise
       #   sign_in :user, @user                      # sign_in(scope, resource)
       #   sign_in @user                             # sign_in(resource)
       #   sign_in @user, :event => :authentication  # sign_in(resource, options)
+      #   sign_in @user, :store => false            # sign_in(resource, options)
       #   sign_in @user, :bypass => true            # sign_in(resource, options)
       #
       def sign_in(resource_or_scope, *args)

data/lib/devise/controllers/rememberable.rb

@@ -21,6 +21,7 @@ module Devise
 
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
+        return if env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!(resource.extend_remember_period)
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

data/lib/devise/hooks/csrf_cleaner.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if Devise.clean_up_csrf_token_on_authentication
+    warden.request.session.try(:delete, :_csrf_token)
+  end
+end

data/lib/devise/hooks/lockable.rb

@@ -2,6 +2,6 @@
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.zero?
+    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
   end
 end

data/lib/devise/hooks/rememberable.rb

@@ -1,6 +1,7 @@
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   scope = options[:scope]
-  if record.respond_to?(:remember_me) && record.remember_me && warden.authenticated?(scope)
+  if record.respond_to?(:remember_me) && options[:store] != false &&
+     record.remember_me && warden.authenticated?(scope)
     Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
   end
 end

data/lib/devise/mailers/helpers.rb

@@ -35,12 +35,6 @@ module Devise
           :template_name => action
         }.merge(opts)
 
-        if resource.respond_to?(:headers_for)
-          ActiveSupport::Deprecation.warn "Calling headers_for in the model is no longer supported. " <<
-            "Please customize your mailer instead."
-          headers.merge!(resource.headers_for(action))
-        end
-
         @email = headers[:to]
         headers
       end

data/lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/hooks/csrf_cleaner'
 
 module Devise
   module Models
@@ -143,20 +144,20 @@ module Devise
       #
       #       protected
       #
-      #       def send_devise_notification(notification, opts = {})
-      #         # if the record is new or changed then delay the
+      #       def send_devise_notification(notification, *args)
+      #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
       #         if new_record? || changed?
-      #           pending_notifications << [notification, opts]
+      #           pending_notifications << [notification, args]
       #         else
-      #           devise_mailer.send(notification, self, opts).deliver
+      #           devise_mailer.send(notification, self, *args).deliver
       #         end
       #       end
       #
       #       def send_pending_notifications
-      #         pending_notifications.each do |n, opts|
-      #           devise_mailer.send(n, self, opts).deliver
+      #         pending_notifications.each do |notification, args|
+      #           devise_mailer.send(notification, self, *args).deliver
       #         end
       #
       #         # Empty the pending notifications array because the
@@ -170,8 +171,8 @@ module Devise
       #       end
       #     end
       #
-      def send_devise_notification(notification, opts={})
-        devise_mailer.send(notification, self, opts).deliver
+      def send_devise_notification(notification, *args)
+        devise_mailer.send(notification, self, *args).deliver
       end
 
       def downcase_keys
@@ -278,14 +279,6 @@ module Devise
         def devise_parameter_filter
           @devise_parameter_filter ||= Devise::ParameterFilter.new(case_insensitive_keys, strip_whitespace_keys)
         end
-
-        # Generate a token by looping and ensuring does not already exist.
-        def generate_token(column)
-          loop do
-            token = Devise.friendly_token
-            break token unless to_adapter.find_first({ column => token })
-          end
-        end
       end
     end
   end

data/lib/devise/models/confirmable.rb

@@ -7,7 +7,7 @@ module Devise
     #
     # == Options
     #
-    # Confirmable adds the following options to devise_for:
+    # Confirmable adds the following options to +devise+:
     #
     #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access his account
     #     before confirming it. After this period, the user access is denied. You can
@@ -40,9 +40,10 @@ module Devise
       end
 
       def initialize(*args, &block)
-        @bypass_postpone = false
+        @bypass_confirmation_postpone = false
         @reconfirmation_required = false
         @skip_confirmation_notification = false
+        @raw_confirmation_token = nil
         super
       end
 
@@ -66,7 +67,7 @@ module Devise
           self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
-          if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if self.class.reconfirmable && unconfirmed_email.present?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -76,6 +77,9 @@ module Devise
           else
             save(:validate => false)
           end
+
+          after_confirmation if saved
+          saved
         end
       end
 
@@ -90,10 +94,12 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
-        ensure_confirmation_token!
+        unless @raw_confirmation_token
+          generate_confirmation_token!
+        end
 
         opts = pending_reconfirmation? ? { :to => unconfirmed_email } : { }
-        send_devise_notification(:confirmation_instructions, opts)
+        send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
       end
 
       def send_reconfirmation_instructions
@@ -106,17 +112,11 @@ module Devise
 
       # Resend confirmation token.
       # Regenerates the token if the period is expired.
-      def resend_confirmation_token
+      def resend_confirmation_instructions
         pending_any_confirmation do
-          regenerate_confirmation_token! if confirmation_period_expired?
           send_confirmation_instructions
         end
       end
-      
-      # Generate a confirmation token unless already exists and save the record.
-      def ensure_confirmation_token!
-        generate_confirmation_token! if should_generate_confirmation_token?
-      end 
 
       # Overwrites active_for_authentication? for confirmation
       # by verifying whether a user is active to sign in or not. If the user
@@ -146,19 +146,16 @@ module Devise
       # If you don't want reconfirmation to be sent, neither a code
       # to be generated, call skip_reconfirmation!
       def skip_reconfirmation!
-        @bypass_postpone = true
+        @bypass_confirmation_postpone = true
       end
 
       protected
-        def should_generate_confirmation_token?
-          confirmation_token.nil? || confirmation_period_expired?
-        end
 
         # A callback method used to deliver confirmation
         # instructions on creation. This can be overriden
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
-          send_devise_notification(:confirmation_instructions)
+          send_confirmation_instructions
         end
 
         # Callback to overwrite if confirmation is required or not.
@@ -218,10 +215,12 @@ module Devise
           end
         end
 
-        # Generates a new random token for confirmation, and stores the time
-        # this token is being generated
+        # Generates a new random token for confirmation, and stores
+        # the time this token is being generated
         def generate_confirmation_token
-          self.confirmation_token = self.class.confirmation_token
+          raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
+          @raw_confirmation_token   = raw
+          self.confirmation_token   = enc
           self.confirmation_sent_at = Time.now.utc
         end
 
@@ -229,30 +228,16 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        # Regenerates a new token.
-        def regenerate_confirmation_token
-          generate_confirmation_token
-        end
-
-        def regenerate_confirmation_token!
-          regenerate_confirmation_token && save(:validate => false)
-        end
-
-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
         def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
           @reconfirmation_required = true
           self.unconfirmed_email = self.email
           self.email = self.email_was
-          regenerate_confirmation_token
+          generate_confirmation_token
         end
 
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone && !self.email.blank?
-          @bypass_postpone = false
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && !self.email.blank?
+          @bypass_confirmation_postpone = false
           postpone
         end
 
@@ -264,6 +249,9 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && !self.email.blank?
         end
 
+        def after_confirmation
+        end
+
       module ClassMethods
         # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email
@@ -274,7 +262,7 @@ module Devise
           unless confirmable.try(:persisted?)
             confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
           end
-          confirmable.resend_confirmation_token if confirmable.persisted?
+          confirmable.resend_confirmation_instructions if confirmable.persisted?
           confirmable
         end
 
@@ -283,16 +271,19 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
+          original_token     = confirmation_token
+          confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          if !confirmable.persisted? && Devise.allow_insecure_token_lookup
+            confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
+          end
+
           confirmable.confirm! if confirmable.persisted?
+          confirmable.confirmation_token = original_token
           confirmable
         end
 
-        # Generate a token checking if one does not already exist in the database.
-        def confirmation_token
-          generate_token(:confirmation_token)
-        end
-
         # Find a record for confirmation by unconfirmed email field
         def find_by_unconfirmed_email_with_errors(attributes = {})
           unconfirmed_required_attributes = confirmation_keys.map { |k| k == :email ? :unconfirmed_email : k }

data/lib/devise/models/lockable.rb

@@ -38,7 +38,6 @@ module Devise
         self.locked_at = Time.now.utc
 
         if unlock_strategy_enabled?(:email)
-          generate_unlock_token!
           send_unlock_instructions
         else
           save(:validate => false)
@@ -60,11 +59,15 @@ module Devise
 
       # Send unlock instructions by email
       def send_unlock_instructions
-        send_devise_notification(:unlock_instructions)
+        raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+        self.unlock_token = enc
+        self.save(:validate => false)
+        send_devise_notification(:unlock_instructions, raw, {})
+        raw
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock_token
+      def resend_unlock_instructions
         if_access_locked { send_unlock_instructions }
       end
 
@@ -122,15 +125,6 @@ module Devise
           self.failed_attempts > self.class.maximum_attempts
         end
 
-        # Generates unlock token
-        def generate_unlock_token
-          self.unlock_token = self.class.unlock_token
-        end
-
-        def generate_unlock_token!
-          generate_unlock_token && save(:validate => false)
-        end
-
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)
@@ -158,7 +152,7 @@ module Devise
         # Options must contain the user's unlock keys
         def send_unlock_instructions(attributes={})
           lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
-          lockable.resend_unlock_token if lockable.persisted?
+          lockable.resend_unlock_instructions if lockable.persisted?
           lockable
         end
 
@@ -167,8 +161,16 @@ module Devise
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
         def unlock_access_by_token(unlock_token)
+          original_token = unlock_token
+          unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
+
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          if !lockable.persisted? && Devise.allow_insecure_token_lookup
+            lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
+          end
+
           lockable.unlock_access! if lockable.persisted?
+          lockable.unlock_token = original_token
           lockable
         end
 
@@ -182,10 +184,6 @@ module Devise
           self.lock_strategy == strategy
         end
 
-        def unlock_token
-          Devise.friendly_token
-        end
-
         Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
       end
     end

data/lib/devise/models/recoverable.rb

@@ -42,17 +42,19 @@ module Devise
         save
       end
 
-      # Resets reset password token and send reset password instructions by email
+      # Resets reset password token and send reset password instructions by email.
+      # Returns the token sent in the e-mail.
       def send_reset_password_instructions
-        ensure_reset_password_token!
-        send_devise_notification(:reset_password_instructions)
+        raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+
+        self.reset_password_token   = enc
+        self.reset_password_sent_at = Time.now.utc
+        self.save(:validate => false)
+
+        send_devise_notification(:reset_password_instructions, raw, {})
+        raw
       end
-      
-      # Generate reset password token unless already exists and save the record.
-      def ensure_reset_password_token!
-        generate_reset_password_token! if should_generate_reset_token?
-      end 
-      
+
       # Checks if the reset password token sent is within the limit time.
       # We do this by calculating if the difference between today and the
       # sending date does not exceed the confirm in time configured.
@@ -79,23 +81,6 @@ module Devise
 
       protected
 
-        def should_generate_reset_token?
-          reset_password_token.nil? || !reset_password_period_valid?
-        end
-
-        # Generates a new random token for reset password
-        def generate_reset_password_token
-          self.reset_password_token = self.class.reset_password_token
-          self.reset_password_sent_at = Time.now.utc
-          self.reset_password_token
-        end
-
-        # Resets the reset password token with and save the record without
-        # validating
-        def generate_reset_password_token!
-          generate_reset_password_token && save(:validate => false)
-        end
-
         # Removes reset_password token
         def clear_reset_password_token
           self.reset_password_token = nil
@@ -127,7 +112,14 @@ module Devise
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password_by_token(attributes={})
-          recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
+          original_token       = attributes[:reset_password_token]
+          reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
+
+          recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
+          if !recoverable.persisted? && Devise.allow_insecure_token_lookup
+            recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
+          end
+
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
               recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
@@ -135,6 +127,8 @@ module Devise
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
+
+          recoverable.reset_password_token = original_token
           recoverable
         end
 

data/lib/devise/models/rememberable.rb

@@ -110,12 +110,16 @@ module Devise
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(id, remember_token)
           record = to_adapter.get(id)
-          record if record && record.rememberable_value == remember_token && !record.remember_expired?
+          record if record && !record.remember_expired? &&
+                    Devise.secure_compare(record.rememberable_value, remember_token)
         end
 
         # Generate a token checking if one does not already exist in the database.
         def remember_token #:nodoc:
-          generate_token(:remember_token)
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ :remember_token => token })
+          end
         end
 
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)

data/lib/devise/models/timeoutable.rb

@@ -37,7 +37,7 @@ module Devise
       private
 
       def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at)
+        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
         remember_created_at && !remember_expired?
       end
 

data/lib/devise/models/token_authenticatable.rb

@@ -79,7 +79,10 @@ module Devise
 
         # Generate a token checking if one does not already exist in the database.
         def authentication_token
-          generate_token(:authentication_token)
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ :authentication_token => token })
+          end
         end
 
         Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)