devise 3.0.0 → 3.1.0

data/lib/devise/models.rb

@@ -56,14 +56,8 @@ module Devise
       klass.devise_modules.each do |mod|
         constant = const_get(mod.to_s.classify)
 
-        if constant.respond_to?(:required_fields)
-          constant.required_fields(klass).each do |field|
-            failed_attributes << field unless instance.respond_to?(field)
-          end
-        else
-          ActiveSupport::Deprecation.warn "The module #{mod} doesn't implement self.required_fields(klass). " \
-            "Devise uses required_fields to warn developers of any missing fields in their models. " \
-            "Please implement #{mod}.required_fields(klass) that returns an array of symbols with the required fields."
+        constant.required_fields(klass).each do |field|
+          failed_attributes << field unless instance.respond_to?(field)
         end
       end
 
@@ -89,11 +83,13 @@ module Devise
 
       devise_modules_hook! do
         include Devise::Models::Authenticatable
-        selected_modules.each do |m|
-          if m == :encryptable && !(defined?(Devise::Models::Encryptable))
-            warn "[DEVISE] You're trying to include :encryptable in your model but it is not bundled with the Devise gem anymore. Please add `devise-encryptable` to your Gemfile to proceed.\n"
-          end
 
+        if selected_modules.include?(:token_authenticatable)
+          ActiveSupport::Deprecation.warn "devise :token_authenticatable is deprecated. " \
+            "Please check Devise 3.1 release notes for more information on how to upgrade."
+        end
+
+        selected_modules.each do |m|
           mod = Devise::Models.const_get(m.to_s.classify)
 
           if mod.const_defined?("ClassMethods")

data/lib/devise/parameter_sanitizer.rb

@@ -13,14 +13,25 @@ module Devise
       if block_given?
         @blocks[kind] = block
       else
-        block = @blocks[kind]
-        block ? block.call(default_params) : fallback_for(kind)
+        default_for(kind)
+      end
+    end
+
+    def sanitize(kind)
+      if block = @blocks[kind]
+        block.call(default_params)
+      else
+        default_sanitize(kind)
       end
     end
 
     private
 
-    def fallback_for(kind)
+    def default_for(kind)
+      raise ArgumentError, "a block is expected in Devise base sanitizer"
+    end
+
+    def default_sanitize(kind)
       default_params
     end
 
@@ -30,34 +41,53 @@ module Devise
   end
 
   class ParameterSanitizer < BaseSanitizer
-    private
-
-    def fallback_for(kind)
-      if respond_to?(kind, true)
-        send(kind)
-      else
-        raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"
-      end
+    def initialize(*)
+      super
+      @permitted = Hash.new { |h,k| h[k] = attributes_for(k) }
     end
 
-    # These are the params used to sign in a user so we don't need to
-    # mass-assign the password param in order to authenticate. Excluding it
-    # here allows us to construct a new user without sensitive information if
-    # authentication fails.
     def sign_in
-      default_params.permit(*auth_keys + [:password, :remember_me])
+      default_params.permit self.for(:sign_in)
     end
 
     def sign_up
-      default_params.permit(*(auth_keys + [:password, :password_confirmation]))
+      default_params.permit self.for(:sign_up)
     end
 
     def account_update
-      default_params.permit(*(auth_keys + [:password, :password_confirmation, :current_password]))
+      default_params.permit self.for(:account_update)
+    end
+
+    private
+
+    # Change for(kind) to return the values in the @permitted
+    # hash, allowing the developer to customize at runtime.
+    def default_for(kind)
+      @permitted[kind] || raise("No sanitizer provided for #{kind}")
+    end
+
+    def default_sanitize(kind)
+      if respond_to?(kind, true)
+        send(kind)
+      else
+        raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
+      end
+    end
+
+    def attributes_for(kind)
+      case kind
+      when :sign_in
+        auth_keys + [:password, :remember_me]
+      when :sign_up
+        auth_keys + [:password, :password_confirmation]
+      when :account_update
+        auth_keys + [:password, :password_confirmation, :current_password]
+      end
     end
 
     def auth_keys
-      resource_class.authentication_keys.respond_to?(:keys) ? resource_class.authentication_keys.keys : resource_class.authentication_keys
+      @auth_keys ||= @resource_class.authentication_keys.respond_to?(:keys) ?
+                       @resource_class.authentication_keys.keys : @resource_class.authentication_keys
     end
   end
 end

data/lib/devise/rails/routes.rb

@@ -80,7 +80,8 @@ module ActionDispatch::Routing
     #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
     #
-    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification' }
+    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout',
+    #        :password => 'secret', :confirmation => 'verification', registration: 'register }
     #
     #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
     #    However, if you want them to point to custom controller, you should do:
@@ -191,6 +192,7 @@ module ActionDispatch::Routing
     #
     def devise_for(*resources)
       @devise_finalized = false
+      raise_no_secret_key unless Devise.secret_key
       options = resources.extract_options!
 
       options[:as]          ||= @scope[:as]     if @scope[:as].present?
@@ -222,14 +224,6 @@ module ActionDispatch::Routing
         routes  = mapping.used_routes
 
         devise_scope mapping.name do
-          if block_given?
-            ActiveSupport::Deprecation.warn "Passing a block to devise_for is deprecated. " \
-              "Please remove the block from devise_for (only the block, the call to " \
-              "devise_for must still exist) and call devise_scope :#{mapping.name} do ... end " \
-              "with the block instead", caller
-            yield
-          end
-
           with_devise_exclusive_scope mapping.fullpath, mapping.name, options do
             routes.each { |mod| send("devise_#{mod}", mapping, mapping.controllers) }
           end
@@ -442,6 +436,15 @@ module ActionDispatch::Routing
         end
       end
 
+      def raise_no_secret_key #:nodoc:
+        raise <<-ERROR
+Devise.secret_key was not set. Please add the following to your Devise initializer:
+
+  config.secret_key = '#{SecureRandom.hex(64)}'
+
+ERROR
+      end
+
       def raise_no_devise_method_error!(klass) #:nodoc:
         raise "#{klass} does not respond to 'devise' method. This usually means you haven't " \
           "loaded your ORM file or it's being loaded too late. To fix it, be sure to require 'devise/orm/YOUR_ORM' " \

data/lib/devise/rails/warden_compat.rb

@@ -3,9 +3,17 @@ module Warden::Mixins::Common
     @request ||= ActionDispatch::Request.new(env)
   end
 
-  # This is called internally by Warden on logout
+  # Deprecate: Remove this check once we move to Rails 4 only.
+  NULL_STORE =
+    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+
   def reset_session!
-    request.reset_session
+    # Calling reset_session on NULL_STORE causes it fail.
+    # This is a bug that needs to be fixed in Rails.
+    unless NULL_STORE && request.session.is_a?(NULL_STORE)
+      request.reset_session
+    end
   end
 
   def cookies

data/lib/devise/rails.rb

@@ -29,21 +29,17 @@ module Devise
       end
     end
 
-    initializer "devise.mongoid_version_warning" do
-      if defined?(Mongoid)
-        require 'mongoid/version'
-        if Mongoid::VERSION.to_f < 2.1
-          puts "\n[DEVISE] Please note that Mongoid versions prior to 2.1 handle dirty model " \
-            "object attributes in such a way that the Devise `validatable` module will not apply " \
-            "its usual uniqueness and format validations for the email field. It is recommended " \
-            "that you upgrade to Mongoid 2.1+ for this and other fixes, but if for some reason you " \
-            "are unable to do so, you should add these validations manually.\n"
+    initializer "devise.secret_key" do
+      Devise.token_generator ||=
+        if secret_key = Devise.secret_key
+          Devise::TokenGenerator.new(
+            Devise::CachingKeyGenerator.new(Devise::KeyGenerator.new(secret_key))
+          )
         end
-      end
     end
 
     initializer "devise.fix_routes_proxy_missing_respond_to_bug" do
-      # We can get rid of this once we support only Rails > 3.2
+      # Deprecate: Remove once we move to Rails 4 only.
       ActionDispatch::Routing::RoutesProxy.class_eval do
         def respond_to?(method, include_private = false)
           super || routes.url_helpers.respond_to?(method)

data/lib/devise/strategies/authenticatable.rb

@@ -26,20 +26,8 @@ module Devise
       # In case the resource can't be validated, it will fail with the given
       # unauthenticated_message.
       def validate(resource, &block)
-        unless resource
-          ActiveSupport::Deprecation.warn "an empty resource was given to #{self.class.name}#validate. " \
-            "Please ensure the resource is not nil", caller
-        end
-
         result = resource && resource.valid_for_authentication?(&block)
 
-        case result
-        when Symbol, String
-          ActiveSupport::Deprecation.warn "valid_for_authentication? should return a boolean value"
-          fail!(result)
-          return false
-        end
-
         if result
           decorate(resource)
           true

data/lib/devise/token_generator.rb

@@ -0,0 +1,70 @@
+# Deprecate: Copied verbatim from Rails source, remove once we move to Rails 4 only.
+require 'thread_safe'
+require 'openssl'
+require 'securerandom'
+
+module Devise
+  class TokenGenerator
+    def initialize(key_generator, digest="SHA256")
+      @key_generator = key_generator
+      @digest = digest
+    end
+
+    def digest(klass, column, value)
+      value.present? && OpenSSL::HMAC.hexdigest(@digest, key_for(column), value.to_s)
+    end
+
+    def generate(klass, column)
+      key = key_for(column)
+
+      loop do
+        raw = Devise.friendly_token
+        enc = OpenSSL::HMAC.hexdigest(@digest, key, raw)
+        break [raw, enc] unless klass.to_adapter.find_first({ column => enc })
+      end
+    end
+
+    private
+
+    def key_for(column)
+      @key_generator.generate_key("Devise #{column}")
+    end
+  end
+
+  # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2
+  # It can be used to derive a number of keys for various purposes from a given secret.
+  # This lets Rails applications have a single secure secret, but avoid reusing that
+  # key in multiple incompatible contexts.
+  class KeyGenerator
+    def initialize(secret, options = {})
+      @secret = secret
+      # The default iterations are higher than required for our key derivation uses
+      # on the off chance someone uses this for password storage
+      @iterations = options[:iterations] || 2**16
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings of ActiveSupport::MessageVerifier.
+    # i.e. OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size=64)
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
+    end
+  end
+
+  # CachingKeyGenerator is a wrapper around KeyGenerator which allows users to avoid
+  # re-executing the key generation process when it's called using the same salt and
+  # key_size
+  class CachingKeyGenerator
+    def initialize(key_generator)
+      @key_generator = key_generator
+      @cache_keys = ThreadSafe::Cache.new
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings of ActiveSupport::MessageVerifier.
+    # i.e. OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size=64)
+      @cache_keys["#{salt}#{key_size}"] ||= @key_generator.generate_key(salt, key_size)
+    end
+  end
+end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.0.0".freeze
+  VERSION = "3.1.0".freeze
 end

data/lib/devise.rb

@@ -14,6 +14,7 @@ module Devise
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
   autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
+  autoload :TokenGenerator,     'devise/token_generator'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -45,6 +46,20 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
+  # Secret key used by the key generator
+  mattr_accessor :secret_key
+  @@secret_key = nil
+
+  # Allow insecure token lookup. Must be used
+  # temporarily just for migration.
+  mattr_accessor :allow_insecure_token_lookup
+  @@allow_insecure_tokens_lookup = false
+
+  # Allow insecure sign in after confirmation. Must be used
+  # temporarily just for migration.
+  mattr_accessor :allow_insecure_sign_in_after_confirmation
+  @@allow_insecure_sign_in_after_confirmation = false
+
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
   @@rememberable_options = {}
@@ -223,17 +238,9 @@ module Devise
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
 
-  def self.encryptor=(value)
-    warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
-  end
-
-  def self.use_salt_as_remember_token=(value)
-    warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
-  end
-
-  def self.apply_schema=(value)
-    warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
-  end
+  # Set if we should clean up the CSRF Token on authentication
+  mattr_accessor :clean_up_csrf_token_on_authentication
+  @@clean_up_csrf_token_on_authentication = true
 
   # PRIVATE CONFIGURATION
 
@@ -259,6 +266,10 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
+  # Stores the token generator
+  mattr_accessor :token_generator
+  @@token_generator = nil
+
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup
@@ -447,7 +458,7 @@ module Devise
 
   # Generate a friendly string randomly to be used as token.
   def self.friendly_token
-    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
+    SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
   end
 
   # constant-time comparison algorithm to prevent timing attacks

data/lib/generators/active_record/devise_generator.rb

@@ -50,7 +50,7 @@ module ActiveRecord
       t.datetime :remember_created_at
 
       ## Trackable
-      t.integer  :sign_in_count, :default => 0
+      t.integer  :sign_in_count, :default => 0, :null => false
       t.datetime :current_sign_in_at
       t.datetime :last_sign_in_at
       t.string   :current_sign_in_ip
@@ -63,12 +63,9 @@ module ActiveRecord
       # t.string   :unconfirmed_email # Only if using reconfirmable
 
       ## Lockable
-      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
       # t.string   :unlock_token # Only if unlock strategy is :email or :both
       # t.datetime :locked_at
-
-      ## Token authenticatable
-      # t.string :authentication_token
 RUBY
       end
     end

data/lib/generators/active_record/templates/migration.rb

@@ -14,6 +14,5 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :reset_password_token, :unique => true
     # add_index :<%= table_name %>, :confirmation_token,   :unique => true
     # add_index :<%= table_name %>, :unlock_token,         :unique => true
-    # add_index :<%= table_name %>, :authentication_token, :unique => true
   end
 end

data/lib/generators/active_record/templates/migration_existing.rb

@@ -15,7 +15,6 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :reset_password_token, :unique => true
     # add_index :<%= table_name %>, :confirmation_token,   :unique => true
     # add_index :<%= table_name %>, :unlock_token,         :unique => true
-    # add_index :<%= table_name %>, :authentication_token, :unique => true
   end
 
   def self.down

data/lib/generators/devise/orm_helpers.rb

@@ -2,24 +2,43 @@ module Devise
   module Generators
     module OrmHelpers
       def model_contents
-<<-CONTENT
+        buffer = <<-CONTENT
   # Include default devise modules. Others available are:
-  # :token_authenticatable, :confirmable,
-  # :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 
 CONTENT
+        buffer += <<-CONTENT if needs_attr_accessible?
+  # Setup accessible (or protected) attributes for your model
+  attr_accessible :email, :password, :password_confirmation, :remember_me
+
+CONTENT
+        buffer
+      end
+
+      def needs_attr_accessible?
+        rails_3? && !strong_parameters_enabled?
+      end
+
+      def rails_3?
+        Rails::VERSION::MAJOR == 3
       end
 
+      def strong_parameters_enabled?
+        defined?(ActionController::StrongParameters)
+      end
+
+      private
+
       def model_exists?
         File.exists?(File.join(destination_root, model_path))
       end
-      
+
       def migration_exists?(table_name)
         Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_to_#{table_name}.rb$/).first
       end
-      
+
       def migration_path
         @migration_path ||= File.join("db", "migrate")
       end
@@ -29,4 +48,4 @@ CONTENT
       end
     end
   end
-end
+end

data/lib/generators/mongoid/devise_generator.rb

@@ -22,7 +22,7 @@ module Mongoid
   ## Database authenticatable
   field :email,              :type => String, :default => ""
   field :encrypted_password, :type => String, :default => ""
-  
+
   ## Recoverable
   field :reset_password_token,   :type => String
   field :reset_password_sent_at, :type => Time
@@ -54,4 +54,4 @@ RUBY
       end
     end
   end
-end
+end

data/lib/generators/templates/devise.rb

@@ -1,13 +1,19 @@
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
+  # The secret key used by Devise. Devise uses this key to generate
+  # random tokens. Changing this key will render invalid all existing
+  # confirmation, reset password and unlock tokens in the database.
+  config.secret_key = '<%= SecureRandom.hex(64) %>'
+
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
-  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
-  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+  # note that it will be overwritten if you use your own mailer class
+  # with default "from" parameter.
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
 
   # Configure the class responsible to send e-mails.
-  # config.mailer = "Devise::Mailer"
+  # config.mailer = 'Devise::Mailer'
 
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
@@ -61,8 +67,8 @@ Devise.setup do |config|
   # If http headers should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
-  # The realm used in Http Basic Authentication. "Application" by default.
-  # config.http_authentication_realm = "Application"
+  # The realm used in Http Basic Authentication. 'Application' by default.
+  # config.http_authentication_realm = 'Application'
 
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
@@ -76,6 +82,12 @@ Devise.setup do |config|
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
@@ -86,7 +98,7 @@ Devise.setup do |config|
   config.stretches = Rails.env.test? ? 1 : 10
 
   # Setup a pepper to generate the encrypted password.
-  # config.pepper = <%= SecureRandom.hex(64).inspect %>
+  # config.pepper = '<%= SecureRandom.hex(64) %>'
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
@@ -211,7 +223,7 @@ Devise.setup do |config|
   # should add them to the navigational formats lists.
   #
   # The "*/*" below is required to match Internet Explorer requests.
-  # config.navigational_formats = ["*/*", :html]
+  # config.navigational_formats = ['*/*', :html]
 
   # The default HTTP method used to sign out a resource. Default is :delete.
   config.sign_out_via = :delete
@@ -235,12 +247,12 @@ Devise.setup do |config|
   # is mountable, there are some extra configurations to be taken into account.
   # The following options are available, assuming the engine is mounted as:
   #
-  #     mount MyEngine, at: "/my_engine"
+  #     mount MyEngine, at: '/my_engine'
   #
   # The router that invoked `devise_for`, in the example above, would be:
   # config.router_name = :my_engine
   #
   # When using omniauth, Devise cannot automatically set Omniauth path,
   # so you need to do it manually. For the users scope, it would be:
-  # config.omniauth_path_prefix = "/my_engine/users/auth"
+  # config.omniauth_path_prefix = '/my_engine/users/auth'
 end

data/test/controllers/helpers_test.rb

@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
+    @controller.session[:user_return_to] = "/foo.bar"
     @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")

data/test/controllers/passwords_controller_test.rb

@@ -4,16 +4,15 @@ class PasswordsControllerTest < ActionController::TestCase
   tests Devise::PasswordsController
   include Devise::TestHelpers
 
-  def setup
+  setup do
     request.env["devise.mapping"] = Devise.mappings[:user]
-
-    @user = create_user
-    @user.send_reset_password_instructions
+    @user = create_user.tap(&:confirm!)
+    @raw  = @user.send_reset_password_instructions
   end
 
   def put_update_with_params
     put :update, "user" => {
-      "reset_password_token" => @user.reset_password_token, "password" => "123456", "password_confirmation" => "123456"
+      "reset_password_token" => @raw, "password" => "123456", "password_confirmation" => "123456"
     }
   end
 

data/test/failure_app_test.rb

@@ -215,7 +215,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Sign in</h2>')
-      assert @response.third.body.include?('Your account was not activated yet.')
+      assert @response.third.body.include?('Your account is not activated yet.')
     end
   end
 end