devise 3.0.0 → 3.1.0

data/test/generators/active_record_generator_test.rb

@@ -62,11 +62,41 @@ if DEVISE_ORM == :active_record
     destination File.expand_path("../../tmp", __FILE__)
     setup :prepare_destination
 
-    test "all files are properly created" do
+    test "all files are properly created in rails 4.0" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(false)
       simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
         run_generator ["monster"]
 
         assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is not installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(false)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(true)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
       end
     end
   end

data/test/integration/authenticatable_test.rb

@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
     assert_redirected_to new_user_session_path
   end
 
+  test 'refreshes _csrf_token' do
+    ApplicationController.allow_forgery_protection = true
+
+    begin
+      get new_user_session_path
+      token = request.session[:_csrf_token]
+
+      sign_in_as_user
+      assert_not_equal request.session[:_csrf_token], token
+    ensure
+      ApplicationController.allow_forgery_protection = false
+    end
+  end
+
   test 'allows session to be set for a given scope' do
     sign_in_as_user
     get '/users'
@@ -419,7 +433,7 @@ end
 
 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 

data/test/integration/confirmable_test.rb

@@ -28,9 +28,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
 
   test 'user should receive a confirmation from a custom mailer' do
     User.any_instance.stubs(:devise_mailer).returns(Users::Mailer)
-
     resend_confirmation
-
     assert_equal ['custom@example.com'], ActionMailer::Base.deliveries.first.from
   end
 
@@ -40,21 +38,11 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     assert_contain /Confirmation token(.*)invalid/
   end
 
-  test 'user with valid confirmation token should be able to confirm an account' do
-    user = create_user(:confirm => false)
-    assert_not user.confirmed?
-    visit_user_confirmation_with_token(user.confirmation_token)
-
-    assert_contain 'Your account was successfully confirmed.'
-    assert_current_url '/'
-    assert user.reload.confirmed?
-  end
-
   test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
     swap Devise, :confirm_within => 3.days do
       user = create_user(:confirm => false, :confirmation_sent_at => 4.days.ago)
       assert_not user.confirmed?
-      visit_user_confirmation_with_token(user.confirmation_token)
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
 
       assert_have_selector '#error_explanation'
       assert_contain /needs to be confirmed within 3 days/
@@ -66,10 +54,22 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     swap Devise, :confirm_within => 3.days do
       user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
       assert_not user.confirmed?
-      visit_user_confirmation_with_token(user.confirmation_token)
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
 
-      assert_contain 'Your account was successfully confirmed.'
-      assert_current_url '/'
+      assert_contain 'Your account was successfully confirmed. Please sign in.'
+      assert_current_url '/users/sign_in'
+      assert user.reload.confirmed?
+    end
+  end
+
+  test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
+    swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
+      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
+      assert_not user.confirmed?
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
+
+      assert_contain 'Your account was successfully confirmed. You are now signed in.'
+      assert_current_url root_url
       assert user.reload.confirmed?
     end
   end
@@ -78,7 +78,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
 
     user = create_user(:confirm => false)
-    visit_user_confirmation_with_token(user.confirmation_token)
+    visit_user_confirmation_with_token(user.raw_confirmation_token)
 
     assert_current_url "/?custom=1"
   end
@@ -87,7 +87,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     user = create_user(:confirm => false)
     user.confirmed_at = Time.now
     user.save
-    visit_user_confirmation_with_token(user.confirmation_token)
+    visit_user_confirmation_with_token(user.raw_confirmation_token)
 
     assert_have_selector '#error_explanation'
     assert_contain 'already confirmed'
@@ -98,7 +98,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     user.confirmed_at = Time.now
     user.save
 
-    visit_user_confirmation_with_token(user.confirmation_token)
+    visit_user_confirmation_with_token(user.raw_confirmation_token)
     assert_contain 'already confirmed'
 
     fill_in 'email', :with => user.email
@@ -106,21 +106,6 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     assert_contain 'already confirmed'
   end
 
-  test 'sign in user automatically after confirming its email' do
-    user = create_user(:confirm => false)
-    visit_user_confirmation_with_token(user.confirmation_token)
-
-    assert warden.authenticated?(:user)
-  end
-
-  test 'increases sign count when signed in through confirmation' do
-    user = create_user(:confirm => false)
-    visit_user_confirmation_with_token(user.confirmation_token)
-
-    user.reload
-    assert_equal 1, user.sign_in_count
-  end
-
   test 'not confirmed user with setup to block without confirmation should not be able to sign in' do
     swap Devise, :allow_unconfirmed_access_for => 0.days do
       sign_in_as_user(:confirm => false)
@@ -175,7 +160,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
 
   test 'confirm account with valid confirmation token in XML format should return valid response' do
     user = create_user(:confirm => false)
-    get user_confirmation_path(:confirmation_token => user.confirmation_token, :format => 'xml')
+    get user_confirmation_path(:confirmation_token => user.raw_confirmation_token, :format => 'xml')
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
@@ -256,10 +241,10 @@ class ConfirmationOnChangeTest < ActionDispatch::IntegrationTest
     admin = create_admin
     admin.update_attributes(:email => 'new_test@example.com')
     assert_equal 'new_test@example.com', admin.unconfirmed_email
-    visit_admin_confirmation_with_token(admin.confirmation_token)
+    visit_admin_confirmation_with_token(admin.raw_confirmation_token)
 
     assert_contain 'Your account was successfully confirmed.'
-    assert_current_url '/admin_area/home'
+    assert_current_url '/admin_area/sign_in'
     assert admin.reload.confirmed?
     assert_not admin.reload.pending_reconfirmation?
   end
@@ -269,17 +254,19 @@ class ConfirmationOnChangeTest < ActionDispatch::IntegrationTest
     admin.update_attributes(:email => 'first_test@example.com')
     assert_equal 'first_test@example.com', admin.unconfirmed_email
 
-    confirmation_token = admin.confirmation_token
+    raw_confirmation_token = admin.raw_confirmation_token
+    admin = Admin.find(admin.id)
+
     admin.update_attributes(:email => 'second_test@example.com')
     assert_equal 'second_test@example.com', admin.unconfirmed_email
 
-    visit_admin_confirmation_with_token(confirmation_token)
+    visit_admin_confirmation_with_token(raw_confirmation_token)
     assert_have_selector '#error_explanation'
     assert_contain(/Confirmation token(.*)invalid/)
 
-    visit_admin_confirmation_with_token(admin.confirmation_token)
+    visit_admin_confirmation_with_token(admin.raw_confirmation_token)
     assert_contain 'Your account was successfully confirmed.'
-    assert_current_url '/admin_area/home'
+    assert_current_url '/admin_area/sign_in'
     assert admin.reload.confirmed?
     assert_not admin.reload.pending_reconfirmation?
   end
@@ -291,7 +278,7 @@ class ConfirmationOnChangeTest < ActionDispatch::IntegrationTest
 
     create_second_admin(:email => "new_admin_test@example.com")
 
-    visit_admin_confirmation_with_token(admin.confirmation_token)
+    visit_admin_confirmation_with_token(admin.raw_confirmation_token)
     assert_have_selector '#error_explanation'
     assert_contain(/Email.*already.*taken/)
     assert admin.reload.pending_reconfirmation?

data/test/integration/http_authenticatable_test.rb

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       create_user
       post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
       assert warden.authenticated?(:user)

data/test/integration/lockable_test.rb

@@ -13,6 +13,7 @@ class LockTest < ActionDispatch::IntegrationTest
     visit new_user_session_path
     click_link "Didn't receive unlock instructions?"
 
+    Devise.stubs(:friendly_token).returns("abcdef")
     fill_in 'email', :with => user.email
     click_button 'Resend unlock instructions'
   end
@@ -22,8 +23,11 @@ class LockTest < ActionDispatch::IntegrationTest
 
     assert_template 'sessions/new'
     assert_contain 'You will receive an email with instructions about how to unlock your account in a few minutes'
+
+    mail = ActionMailer::Base.deliveries.last
     assert_equal 1, ActionMailer::Base.deliveries.size
-    assert_equal ['please-change-me@config-initializers-devise.com'], ActionMailer::Base.deliveries.first.from
+    assert_equal ['please-change-me@config-initializers-devise.com'], mail.from
+    assert_match user_unlock_path(unlock_token: 'abcdef'), mail.body.encoded
   end
 
   test 'user should receive the instructions from a custom mailer' do
@@ -75,23 +79,15 @@ class LockTest < ActionDispatch::IntegrationTest
   end
 
   test "locked user should be able to unlock account" do
-    user = create_user(:locked => true)
-    assert user.access_locked?
-
-    visit_user_unlock_with_token(user.unlock_token)
+    user = create_user
+    raw  = user.lock_access!
+    visit_user_unlock_with_token(raw)
 
     assert_current_url "/users/sign_in"
     assert_contain 'Your account has been unlocked successfully. Please sign in to continue.'
-
     assert_not user.reload.access_locked?
   end
 
-  test "redirect user to sign in page after unlocking its account" do
-    user = create_user(:locked => true)
-    visit_user_unlock_with_token(user.unlock_token)
-    assert_not warden.authenticated?(:user)
-  end
-
   test "user should not send a new e-mail if already locked" do
     user = create_user(:locked => true)
     user.failed_attempts = User.maximum_attempts + 1
@@ -153,9 +149,10 @@ class LockTest < ActionDispatch::IntegrationTest
   end
 
   test 'user with valid unlock token should be able to unlock account via XML request' do
-    user = create_user(:locked => true)
+    user = create_user()
+    raw  = user.lock_access!
     assert user.access_locked?
-    get user_unlock_path(:format => 'xml', :unlock_token => user.unlock_token)
+    get user_unlock_path(:format => 'xml', :unlock_token => raw)
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end

data/test/integration/recoverable_test.rb

@@ -14,12 +14,16 @@ class PasswordTest < ActionDispatch::IntegrationTest
 
     fill_in 'email', :with => 'user@test.com'
     yield if block_given?
+
+    Devise.stubs(:friendly_token).returns("abcdef")
     click_button 'Send me reset password instructions'
   end
 
   def reset_password(options={}, &block)
-    visit edit_user_password_path(:reset_password_token => options[:reset_password_token]) unless options[:visit] == false
-    assert_response :success
+    unless options[:visit] == false
+      visit edit_user_password_path(:reset_password_token => options[:reset_password_token] || "abcdef")
+      assert_response :success
+    end
 
     fill_in 'New password', :with => '987654321'
     fill_in 'Confirm new password', :with => '987654321'
@@ -45,7 +49,10 @@ class PasswordTest < ActionDispatch::IntegrationTest
     request_forgot_password do
       fill_in 'email', :with => 'foo@bar.com'
     end
-    assert_equal ['custom@example.com'], ActionMailer::Base.deliveries.last.from
+
+    mail = ActionMailer::Base.deliveries.last
+    assert_equal ['custom@example.com'], mail.from
+    assert_match edit_user_password_path(reset_password_token: 'abcdef'), mail.body.encoded
   end
 
   test 'reset password with email of different case should fail when email is NOT the list of case insensitive keys' do
@@ -146,7 +153,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   test 'not authenticated user with valid reset password token but invalid password should not be able to change his password' do
     user = create_user
     request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token do
+    reset_password do
       fill_in 'Confirm new password', :with => 'other_password'
     end
 
@@ -161,7 +168,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   test 'not authenticated user with valid data should be able to change his password' do
     user = create_user
     request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
+    reset_password
 
     assert_current_url '/'
     assert_contain 'Your password was changed successfully. You are now signed in.'
@@ -171,14 +178,13 @@ class PasswordTest < ActionDispatch::IntegrationTest
   test 'after entering invalid data user should still be able to change his password' do
     user = create_user
     request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token do
-      fill_in 'Confirm new password', :with => 'other_password'
-    end
+
+    reset_password {  fill_in 'Confirm new password', :with => 'other_password' }
     assert_response :success
     assert_have_selector '#error_explanation'
     assert_not user.reload.valid_password?('987654321')
 
-    reset_password :reset_password_token => user.reload.reset_password_token, :visit => false
+    reset_password :visit => false
     assert_contain 'Your password was changed successfully.'
     assert user.reload.valid_password?('987654321')
   end
@@ -186,7 +192,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   test 'sign in user automatically after changing its password' do
     user = create_user
     request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
+    reset_password
 
     assert warden.authenticated?(:user)
   end
@@ -196,7 +202,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
       swap Devise, :unlock_strategy => strategy do
         user = create_user(:locked => true)
         request_forgot_password
-        reset_password :reset_password_token => user.reload.reset_password_token
+        reset_password
 
         assert_contain 'Your password was changed successfully.'
         assert_not_contain 'You are now signed in.'
@@ -210,7 +216,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     swap Devise, :unlock_strategy => :email do
       user = create_user(:locked => true)
       request_forgot_password
-      reset_password :reset_password_token => user.reload.reset_password_token
+      reset_password
 
       assert_contain 'Your password was changed successfully.'
       assert !user.reload.access_locked?
@@ -222,7 +228,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     swap Devise, :unlock_strategy => :both do
       user = create_user(:locked => true)
       request_forgot_password
-      reset_password :reset_password_token => user.reload.reset_password_token
+      reset_password
 
       assert_contain 'Your password was changed successfully.'
       assert !user.reload.access_locked?
@@ -230,15 +236,6 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}
@@ -265,7 +262,9 @@ class PasswordTest < ActionDispatch::IntegrationTest
   test 'change password with valid parameters in XML format should return valid response' do
     user = create_user
     request_forgot_password
-    put user_password_path(:format => 'xml'), :user => {:reset_password_token => user.reload.reset_password_token, :password => '987654321', :password_confirmation => '987654321'}
+    put user_password_path(:format => 'xml'), :user => {
+      :reset_password_token => 'abcdef', :password => '987654321', :password_confirmation => '987654321'
+    }
     assert_response :success
     assert warden.authenticated?(:user)
   end
@@ -326,7 +325,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
 
     assert_equal 10, user.failed_attempts
     request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
+    reset_password
 
     assert warden.authenticated?(:user)
     user.reload

data/test/integration/rememberable_test.rb

@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_nil request.cookies["remember_user_cookie"]
   end
 
-  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+  test 'handle unverified requests gets rid of caches' do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 
@@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'handle unverified requests does not create cookies on sign in' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      get new_user_session_path
+      assert request.session[:_csrf_token]
+
+      post user_session_path, :authenticity_token => "oops", :user =>
+           { email: "jose.valim@gmail.com", password: "123456", :remember_me => "1" }
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
+    end
+  end
+
   test 'generate remember token after sign in' do
     sign_in_as_user :remember_me => true
-    assert request.cookies["remember_user_token"]
+    assert request.cookies['remember_user_token']
   end
 
   test 'generate remember token after sign in setting cookie options' do
@@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_redirected_to root_path
   end
 
-  test 'cookies are destroyed on unverified requests' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      create_user_and_remember
-      get users_path
-      assert warden.authenticated?(:user)
-      post root_path, :authenticity_token => 'INVALID'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user

data/test/mailers/confirmation_instructions_test.rb

@@ -84,8 +84,12 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
 
   test 'body should have link to confirm the account' do
     host = ActionMailer::Base.default_url_options[:host]
-    confirmation_url_regexp = %r{<a href=\"http://#{host}/users/confirmation\?confirmation_token=#{user.confirmation_token}">}
-    assert_match confirmation_url_regexp, mail.body.encoded
+
+    if mail.body.encoded =~ %r{<a href=\"http://#{host}/users/confirmation\?confirmation_token=([^"]+)">}
+      assert_equal Devise.token_generator.digest(user.class, :confirmation_token, $1), user.confirmation_token
+    else
+      flunk "expected confirmation url regex to match"
+    end
   end
 
   test 'renders a scoped if scoped_views is set to true' do

data/test/mailers/reset_password_instructions_test.rb

@@ -80,8 +80,12 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
 
   test 'body should have link to confirm the account' do
     host = ActionMailer::Base.default_url_options[:host]
-    reset_url_regexp = %r{<a href=\"http://#{host}/users/password/edit\?reset_password_token=#{user.reset_password_token}">}
-    assert_match reset_url_regexp, mail.body.encoded
+
+    if mail.body.encoded =~ %r{<a href=\"http://#{host}/users/password/edit\?reset_password_token=([^"]+)">}
+      assert_equal Devise.token_generator.digest(user.class, :reset_password_token, $1), user.reset_password_token
+    else
+      flunk "expected reset password url regex to match"
+    end
   end
 
   test 'mailer sender accepts a proc' do

data/test/mailers/unlock_instructions_test.rb

@@ -81,7 +81,11 @@ class UnlockInstructionsTest < ActionMailer::TestCase
 
   test 'body should have link to unlock the account' do
     host = ActionMailer::Base.default_url_options[:host]
-    unlock_url_regexp = %r{<a href=\"http://#{host}/users/unlock\?unlock_token=#{user.unlock_token}">}
-    assert_match unlock_url_regexp, mail.body.encoded
+
+    if mail.body.encoded =~ %r{<a href=\"http://#{host}/users/unlock\?unlock_token=([^"]+)">}
+      assert_equal Devise.token_generator.digest(user.class, :unlock_token, $1), user.unlock_token
+    else
+      flunk "expected unlock url regex to match"
+    end
   end
 end

data/test/models/confirmable_test.rb

@@ -51,9 +51,19 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'should find and confirm a user automatically' do
+  test 'DEPRECATED: should find and confirm a user automatically' do
+    swap Devise, allow_insecure_token_lookup: true do
+      user = create_user
+      confirmed_user = User.confirm_by_token(user.confirmation_token)
+      assert_equal confirmed_user, user
+      assert user.reload.confirmed?
+    end
+  end
+
+  test 'should find and confirm a user automatically based on the raw token' do
     user = create_user
-    confirmed_user = User.confirm_by_token(user.confirmation_token)
+    raw  = user.raw_confirmation_token
+    confirmed_user = User.confirm_by_token(raw)
     assert_equal confirmed_user, user
     assert user.reload.confirmed?
   end
@@ -74,7 +84,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user = create_user
     user.confirmed_at = Time.now
     user.save
-    confirmed_user = User.confirm_by_token(user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.raw_confirmation_token)
     assert confirmed_user.confirmed?
     assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
   end
@@ -176,7 +186,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
     user.confirm!
-    assert_not user.resend_confirmation_token
+    assert_not user.resend_confirmation_instructions
     assert user.confirmed?
     assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
   end
@@ -264,7 +274,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   def confirm_user_by_token_with_confirmation_sent_at(confirmation_sent_at)
     user = create_user
     user.update_attribute(:confirmation_sent_at, confirmation_sent_at)
-    confirmed_user = User.confirm_by_token(user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.raw_confirmation_token)
     assert_equal confirmed_user, user
     user.reload.confirmed?
   end
@@ -285,32 +295,33 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should generate a new token if the previous one has expired' do
-    swap Devise, :confirm_within => 3.days do
-      user = create_user
-      user.update_attribute(:confirmation_sent_at, 4.days.ago)
-      old = user.confirmation_token
-      user.resend_confirmation_token
-      assert_not_equal user.confirmation_token, old
-    end
+  test 'always generate a new token on resend' do
+    user = create_user
+    old  = user.confirmation_token
+    user = User.find(user.id)
+    user.resend_confirmation_instructions
+    assert_not_equal user.confirmation_token, old
   end
-  
-  test 'should generate a new token when a valid one does not exist' do
-    swap Devise, :confirm_within => 3.days do
-      user = create_user
-      user.update_attribute(:confirmation_sent_at, 4.days.ago)
-      old = user.confirmation_token
-      user.ensure_confirmation_token!
-      assert_not_equal user.confirmation_token, old
+
+  test 'should call after_confirmation if confirmed' do
+    user = create_user
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
     end
+    old = user.username
+    assert user.confirm!
+    assert_not_equal user.username, old
   end
-  
-  test 'should not generate a new token when a valid one exists' do
+
+  test 'should not call after_confirmation if not confirmed' do
     user = create_user
-    assert_not_nil user.confirmation_token
-    old = user.confirmation_token
-    user.ensure_confirmation_token!
-    assert_equal user.confirmation_token, old
+    assert user.confirm!
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
+    end
+    old = user.username
+    assert_not user.confirm!
+    assert_equal user.username, old
   end
 end