RubyGems - devise - Versions diffs - 3.0.0 → 4.8.0 - Mend

devise 3.0.0 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +351 -0
data/MIT-LICENSE +2 -1
data/README.md +422 -130
data/app/controllers/devise/confirmations_controller.rb +17 -6
data/app/controllers/devise/omniauth_callbacks_controller.rb +12 -6
data/app/controllers/devise/passwords_controller.rb +23 -8
data/app/controllers/devise/registrations_controller.rb +70 -28
data/app/controllers/devise/sessions_controller.rb +49 -17
data/app/controllers/devise/unlocks_controller.rb +11 -4
data/app/controllers/devise_controller.rb +74 -34
data/app/helpers/devise_helper.rb +23 -18
data/app/mailers/devise/mailer.rb +25 -10
data/app/views/devise/confirmations/new.html.erb +9 -5
data/app/views/devise/mailer/confirmation_instructions.html.erb +1 -1
data/app/views/devise/mailer/email_changed.html.erb +7 -0
data/app/views/devise/mailer/password_change.html.erb +3 -0
data/app/views/devise/mailer/reset_password_instructions.html.erb +1 -1
data/app/views/devise/mailer/unlock_instructions.html.erb +1 -1
data/app/views/devise/passwords/edit.html.erb +16 -7
data/app/views/devise/passwords/new.html.erb +9 -5
data/app/views/devise/registrations/edit.html.erb +29 -15
data/app/views/devise/registrations/new.html.erb +20 -9
data/app/views/devise/sessions/new.html.erb +19 -10
data/app/views/devise/shared/_error_messages.html.erb +15 -0
data/app/views/devise/shared/{_links.erb → _links.html.erb} +10 -10
data/app/views/devise/unlocks/new.html.erb +9 -5
data/config/locales/en.yml +26 -20
data/lib/devise/controllers/helpers.rb +122 -125
data/lib/devise/controllers/rememberable.rb +14 -14
data/lib/devise/controllers/scoped_views.rb +3 -1
data/lib/devise/controllers/sign_in_out.rb +121 -0
data/lib/devise/controllers/store_location.rb +76 -0
data/lib/devise/controllers/url_helpers.rb +10 -8
data/lib/devise/delegator.rb +2 -0
data/lib/devise/encryptor.rb +24 -0
data/lib/devise/failure_app.rb +132 -42
data/lib/devise/hooks/activatable.rb +7 -6
data/lib/devise/hooks/csrf_cleaner.rb +9 -0
data/lib/devise/hooks/forgetable.rb +3 -1
data/lib/devise/hooks/lockable.rb +5 -3
data/lib/devise/hooks/proxy.rb +23 -0
data/lib/devise/hooks/rememberable.rb +7 -4
data/lib/devise/hooks/timeoutable.rb +18 -8
data/lib/devise/hooks/trackable.rb +3 -1
data/lib/devise/mailers/helpers.rb +15 -18
data/lib/devise/mapping.rb +9 -3
data/lib/devise/models/authenticatable.rb +102 -80
data/lib/devise/models/confirmable.rb +154 -72
data/lib/devise/models/database_authenticatable.rb +125 -25
data/lib/devise/models/lockable.rb +50 -29
data/lib/devise/models/omniauthable.rb +3 -1
data/lib/devise/models/recoverable.rb +72 -50
data/lib/devise/models/registerable.rb +4 -0
data/lib/devise/models/rememberable.rb +65 -32
data/lib/devise/models/timeoutable.rb +4 -8
data/lib/devise/models/trackable.rb +20 -4
data/lib/devise/models/validatable.rb +16 -9
data/lib/devise/models.rb +6 -13
data/lib/devise/modules.rb +12 -11
data/lib/devise/omniauth/config.rb +2 -0
data/lib/devise/omniauth/url_helpers.rb +14 -5
data/lib/devise/omniauth.rb +4 -5
data/lib/devise/orm/active_record.rb +5 -1
data/lib/devise/orm/mongoid.rb +6 -2
data/lib/devise/parameter_filter.rb +4 -0
data/lib/devise/parameter_sanitizer.rb +144 -34
data/lib/devise/rails/deprecated_constant_accessor.rb +39 -0
data/lib/devise/rails/routes.rb +191 -127
data/lib/devise/rails/warden_compat.rb +2 -1
data/lib/devise/rails.rb +13 -20
data/lib/devise/secret_key_finder.rb +27 -0
data/lib/devise/strategies/authenticatable.rb +21 -22
data/lib/devise/strategies/base.rb +3 -1
data/lib/devise/strategies/database_authenticatable.rb +15 -4
data/lib/devise/strategies/rememberable.rb +15 -3
data/lib/devise/test/controller_helpers.rb +167 -0
data/lib/devise/test/integration_helpers.rb +63 -0
data/lib/devise/test_helpers.rb +7 -123
data/lib/devise/time_inflector.rb +4 -2
data/lib/devise/token_generator.rb +32 -0
data/lib/devise/version.rb +3 -1
data/lib/devise.rb +124 -78
data/lib/generators/active_record/devise_generator.rb +64 -15
data/lib/generators/active_record/templates/migration.rb +9 -8
data/lib/generators/active_record/templates/migration_existing.rb +9 -8
data/lib/generators/devise/controllers_generator.rb +46 -0
data/lib/generators/devise/devise_generator.rb +10 -6
data/lib/generators/devise/install_generator.rb +19 -1
data/lib/generators/devise/orm_helpers.rb +17 -9
data/lib/generators/devise/views_generator.rb +51 -28
data/lib/generators/mongoid/devise_generator.rb +24 -24
data/lib/generators/templates/README +13 -12
data/lib/generators/templates/controllers/README +14 -0
data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
data/lib/generators/templates/devise.rb +118 -53
data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
data/lib/generators/templates/markerb/email_changed.markerb +7 -0
data/lib/generators/templates/markerb/password_change.markerb +3 -0
data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +6 -2
data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +12 -4
data/lib/generators/templates/simple_form_for/passwords/new.html.erb +5 -2
data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +14 -6
data/lib/generators/templates/simple_form_for/registrations/new.html.erb +12 -4
data/lib/generators/templates/simple_form_for/sessions/new.html.erb +11 -6
data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +5 -2
metadata +73 -294
data/.gitignore +0 -10
data/.travis.yml +0 -20
data/.yardopts +0 -9
data/CHANGELOG.rdoc +0 -941
data/CONTRIBUTING.md +0 -14
data/Gemfile +0 -31
data/Gemfile.lock +0 -159
data/Rakefile +0 -35
data/app/views/devise/_links.erb +0 -3
data/devise.gemspec +0 -26
data/devise.png +0 -0
data/gemfiles/Gemfile.rails-3.2.x +0 -31
data/gemfiles/Gemfile.rails-3.2.x.lock +0 -156
data/lib/devise/models/token_authenticatable.rb +0 -89
data/lib/devise/strategies/token_authenticatable.rb +0 -91
data/test/controllers/custom_strategy_test.rb +0 -62
data/test/controllers/helpers_test.rb +0 -253
data/test/controllers/internal_helpers_test.rb +0 -120
data/test/controllers/passwords_controller_test.rb +0 -32
data/test/controllers/sessions_controller_test.rb +0 -99
data/test/controllers/url_helpers_test.rb +0 -59
data/test/delegator_test.rb +0 -19
data/test/devise_test.rb +0 -83
data/test/failure_app_test.rb +0 -221
data/test/generators/active_record_generator_test.rb +0 -73
data/test/generators/devise_generator_test.rb +0 -39
data/test/generators/install_generator_test.rb +0 -13
data/test/generators/mongoid_generator_test.rb +0 -23
data/test/generators/views_generator_test.rb +0 -67
data/test/helpers/devise_helper_test.rb +0 -51
data/test/integration/authenticatable_test.rb +0 -699
data/test/integration/confirmable_test.rb +0 -299
data/test/integration/database_authenticatable_test.rb +0 -84
data/test/integration/http_authenticatable_test.rb +0 -115
data/test/integration/lockable_test.rb +0 -242
data/test/integration/omniauthable_test.rb +0 -133
data/test/integration/recoverable_test.rb +0 -335
data/test/integration/registerable_test.rb +0 -349
data/test/integration/rememberable_test.rb +0 -165
data/test/integration/timeoutable_test.rb +0 -150
data/test/integration/token_authenticatable_test.rb +0 -205
data/test/integration/trackable_test.rb +0 -92
data/test/mailers/confirmation_instructions_test.rb +0 -111
data/test/mailers/reset_password_instructions_test.rb +0 -92
data/test/mailers/unlock_instructions_test.rb +0 -87
data/test/mapping_test.rb +0 -127
data/test/models/authenticatable_test.rb +0 -13
data/test/models/confirmable_test.rb +0 -452
data/test/models/database_authenticatable_test.rb +0 -226
data/test/models/lockable_test.rb +0 -282
data/test/models/omniauthable_test.rb +0 -7
data/test/models/recoverable_test.rb +0 -222
data/test/models/registerable_test.rb +0 -7
data/test/models/rememberable_test.rb +0 -175
data/test/models/serializable_test.rb +0 -49
data/test/models/timeoutable_test.rb +0 -46
data/test/models/token_authenticatable_test.rb +0 -55
data/test/models/trackable_test.rb +0 -13
data/test/models/validatable_test.rb +0 -127
data/test/models_test.rb +0 -163
data/test/omniauth/config_test.rb +0 -57
data/test/omniauth/url_helpers_test.rb +0 -54
data/test/orm/active_record.rb +0 -10
data/test/orm/mongoid.rb +0 -13
data/test/parameter_sanitizer_test.rb +0 -58
data/test/rails_app/Rakefile +0 -6
data/test/rails_app/app/active_record/admin.rb +0 -6
data/test/rails_app/app/active_record/shim.rb +0 -2
data/test/rails_app/app/active_record/user.rb +0 -6
data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
data/test/rails_app/app/controllers/admins_controller.rb +0 -11
data/test/rails_app/app/controllers/application_controller.rb +0 -9
data/test/rails_app/app/controllers/home_controller.rb +0 -25
data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
data/test/rails_app/app/controllers/users_controller.rb +0 -31
data/test/rails_app/app/helpers/application_helper.rb +0 -3
data/test/rails_app/app/mailers/users/mailer.rb +0 -12
data/test/rails_app/app/mongoid/admin.rb +0 -29
data/test/rails_app/app/mongoid/shim.rb +0 -23
data/test/rails_app/app/mongoid/user.rb +0 -42
data/test/rails_app/app/views/admins/index.html.erb +0 -1
data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
data/test/rails_app/app/views/home/index.html.erb +0 -1
data/test/rails_app/app/views/home/join.html.erb +0 -1
data/test/rails_app/app/views/home/private.html.erb +0 -1
data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
data/test/rails_app/app/views/layouts/application.html.erb +0 -24
data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
data/test/rails_app/app/views/users/index.html.erb +0 -1
data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
data/test/rails_app/bin/bundle +0 -3
data/test/rails_app/bin/rails +0 -4
data/test/rails_app/bin/rake +0 -4
data/test/rails_app/config/application.rb +0 -40
data/test/rails_app/config/boot.rb +0 -8
data/test/rails_app/config/database.yml +0 -18
data/test/rails_app/config/environment.rb +0 -5
data/test/rails_app/config/environments/development.rb +0 -34
data/test/rails_app/config/environments/production.rb +0 -84
data/test/rails_app/config/environments/test.rb +0 -36
data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
data/test/rails_app/config/initializers/devise.rb +0 -178
data/test/rails_app/config/initializers/inflections.rb +0 -2
data/test/rails_app/config/initializers/secret_token.rb +0 -8
data/test/rails_app/config/initializers/session_store.rb +0 -1
data/test/rails_app/config/routes.rb +0 -104
data/test/rails_app/config.ru +0 -4
data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -74
data/test/rails_app/db/schema.rb +0 -52
data/test/rails_app/lib/shared_admin.rb +0 -14
data/test/rails_app/lib/shared_user.rb +0 -25
data/test/rails_app/public/404.html +0 -26
data/test/rails_app/public/422.html +0 -26
data/test/rails_app/public/500.html +0 -26
data/test/rails_app/public/favicon.ico +0 -0
data/test/routes_test.rb +0 -250
data/test/support/assertions.rb +0 -40
data/test/support/helpers.rb +0 -91
data/test/support/integration.rb +0 -92
data/test/support/locale/en.yml +0 -4
data/test/support/webrat/integrations/rails.rb +0 -24
data/test/test_helper.rb +0 -34
data/test/test_helpers_test.rb +0 -151
data/test/test_models.rb +0 -26

data/lib/devise/models/lockable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require "devise/hooks/lockable"
 module Devise
@@ -7,7 +9,7 @@ module Devise
     # blocked: email and time. The former will send an email to the user when
     # the lock happens, containing a link to unlock its account. The second
     # will unlock the user automatically after some configured time (ie 2.hours).
-    # It's also possible to setup lockable to use both email and time strategies.
+    # It's also possible to set up lockable to use both email and time strategies.
     #
     # == Options
     #
@@ -22,7 +24,7 @@ module Devise
     module Lockable
       extend  ActiveSupport::Concern
-      delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
+      delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, to: "self.class"
       def self.required_fields(klass)
         attributes = []
@@ -34,14 +36,16 @@ module Devise
       end
       # Lock a user setting its locked_at to actual time.
-      def lock_access!
+      # * +opts+: Hash options if you don't want to send email
+      #   when you lock access, you could pass the next hash
+      #   `{ send_instructions: false } as option`.
+      def lock_access!(opts = { })
         self.locked_at = Time.now.utc
-        if unlock_strategy_enabled?(:email)
-          generate_unlock_token!
+        if unlock_strategy_enabled?(:email) && opts.fetch(:send_instructions, true)
           send_unlock_instructions
         else
-          save(:validate => false)
+          save(validate: false)
         end
       end
@@ -50,7 +54,15 @@ module Devise
         self.locked_at = nil
         self.failed_attempts = 0 if respond_to?(:failed_attempts=)
         self.unlock_token = nil  if respond_to?(:unlock_token=)
-        save(:validate => false)
+        save(validate: false)
+      end
+      # Resets failed attempts counter to 0.
+      def reset_failed_attempts!
+        if respond_to?(:failed_attempts) && !failed_attempts.to_i.zero?
+          self.failed_attempts = 0
+          save(validate: false)
+        end
       end
       # Verifies whether a user is locked or not.
@@ -60,11 +72,15 @@ module Devise
       # Send unlock instructions by email
       def send_unlock_instructions
-        send_devise_notification(:unlock_instructions)
+        raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+        self.unlock_token = enc
+        save(validate: false)
+        send_devise_notification(:unlock_instructions, raw, {})
+        raw
       end
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock_token
+      def resend_unlock_instructions
         if_access_locked { send_unlock_instructions }
       end
@@ -93,24 +109,30 @@ module Devise
         if super && !access_locked?
           true
         else
-          self.failed_attempts ||= 0
-          self.failed_attempts += 1
+          increment_failed_attempts
           if attempts_exceeded?
             lock_access! unless access_locked?
           else
-            save(:validate => false)
+            save(validate: false)
           end
           false
         end
       end
+      def increment_failed_attempts
+        self.class.increment_counter(:failed_attempts, id)
+        reload
+      end
       def unauthenticated_message
         # If set to paranoid mode, do not show the locked message because it
         # leaks the existence of an account.
         if Devise.paranoid
           super
-        elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+        elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
           :locked
+        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
+          :last_attempt
         else
           super
         end
@@ -119,16 +141,11 @@ module Devise
       protected
         def attempts_exceeded?
-          self.failed_attempts > self.class.maximum_attempts
+          self.failed_attempts >= self.class.maximum_attempts
         end
-        # Generates unlock token
-        def generate_unlock_token
-          self.unlock_token = self.class.unlock_token
-        end
-        def generate_unlock_token!
-          generate_unlock_token && save(:validate => false)
+        def last_attempt?
+          self.failed_attempts == self.class.maximum_attempts - 1
         end
         # Tells if the lock is expired if :time unlock strategy is active
@@ -152,13 +169,16 @@ module Devise
         end
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user's unlock keys
-        def send_unlock_instructions(attributes={})
+        def send_unlock_instructions(attributes = {})
           lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
-          lockable.resend_unlock_token if lockable.persisted?
+          lockable.resend_unlock_instructions if lockable.persisted?
           lockable
         end
@@ -167,14 +187,19 @@ module Devise
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
         def unlock_access_by_token(unlock_token)
+          original_token = unlock_token
+          unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
           lockable.unlock_access! if lockable.persisted?
+          lockable.unlock_token = original_token
           lockable
         end
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
         # Is the lock enabled for the given lock strategy?
@@ -182,11 +207,7 @@ module Devise
           self.lock_strategy == strategy
         end
-        def unlock_token
-          Devise.friendly_token
-        end
-        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys, :last_attempt_warning)
       end
     end
   end

data/lib/devise/models/omniauthable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/omniauth'
 module Devise
@@ -10,7 +12,7 @@ module Devise
     #
     #   * +omniauth_providers+: Which providers are available to this model. It expects an array:
     #
-    #       devise_for :database_authenticatable, :omniauthable, :omniauth_providers => [:twitter]
+    #       devise_for :database_authenticatable, :omniauthable, omniauth_providers: [:twitter]
     #
     module Omniauthable
       extend ActiveSupport::Concern

data/lib/devise/models/recoverable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
@@ -8,15 +10,13 @@ module Devise
     # Recoverable adds the following options to devise_for:
     #
     #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
     #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
-    #
-    #   # only resets the user password, without saving the record
-    #   user = User.find(1)
-    #   user.reset_password('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
     #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
@@ -28,31 +28,32 @@ module Devise
         [:reset_password_sent_at, :reset_password_token]
       end
+      included do
+        before_update :clear_reset_password_token, if: :clear_reset_password_token?
+      end
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-        if valid?
-          clear_reset_password_token
-          after_password_reset
+      def reset_password(new_password, new_password_confirmation)
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
         end
-        save
       end
-      # Resets reset password token and send reset password instructions by email
+      # Resets reset password token and send reset password instructions by email.
+      # Returns the token sent in the e-mail.
       def send_reset_password_instructions
-        ensure_reset_password_token!
-        send_devise_notification(:reset_password_instructions)
+        token = set_reset_password_token
+        send_reset_password_instructions_notification(token)
+        token
       end
-      # Generate reset password token unless already exists and save the record.
-      def ensure_reset_password_token!
-        generate_reset_password_token! if should_generate_reset_token?
-      end
       # Checks if the reset password token sent is within the limit time.
       # We do this by calculating if the difference between today and the
       # sending date does not exceed the confirm in time configured.
@@ -74,71 +75,92 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
+        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
       protected
-        def should_generate_reset_token?
-          reset_password_token.nil? || !reset_password_period_valid?
+        # Removes reset_password token
+        def clear_reset_password_token
+          self.reset_password_token = nil
+          self.reset_password_sent_at = nil
         end
-        # Generates a new random token for reset password
-        def generate_reset_password_token
-          self.reset_password_token = self.class.reset_password_token
+        def set_reset_password_token
+          raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+          self.reset_password_token   = enc
           self.reset_password_sent_at = Time.now.utc
-          self.reset_password_token
+          save(validate: false)
+          raw
         end
-        # Resets the reset password token with and save the record without
-        # validating
-        def generate_reset_password_token!
-          generate_reset_password_token && save(:validate => false)
+        def send_reset_password_instructions_notification(token)
+          send_devise_notification(:reset_password_instructions, token, {})
         end
-        # Removes reset_password token
-        def clear_reset_password_token
-          self.reset_password_token = nil
-          self.reset_password_sent_at = nil
-        end
+        if Devise.activerecord51?
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:will_save_change_to_encrypted_password?) && will_save_change_to_encrypted_password?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
+            end
-        def after_password_reset
+            authentication_keys_changed || encrypted_password_changed
+          end
+        else
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+            end
+            authentication_keys_changed || encrypted_password_changed
+          end
         end
       module ClassMethods
+        # Attempt to find a user by password reset token. If a user is found, return it
+        # If a user is not found, return nil
+        def with_reset_password_token(token)
+          reset_password_token = Devise.token_generator.digest(self, :reset_password_token, token)
+          to_adapter.find_first(reset_password_token: reset_password_token)
+        end
         # Attempt to find a user by its email. If a record is found, send new
         # password instructions to it. If user is not found, returns a new user
         # with an email not found error.
         # Attributes must contain the user's email
-        def send_reset_password_instructions(attributes={})
+        def send_reset_password_instructions(attributes = {})
           recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
         end
-        # Generate a token checking if one does not already exist in the database.
-        def reset_password_token
-          generate_token(:reset_password_token)
-        end
         # Attempt to find a user by its reset_password_token to reset its
         # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password_by_token(attributes={})
-          recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
+        def reset_password_by_token(attributes = {})
+          original_token       = attributes[:reset_password_token]
+          reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
+          recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
           recoverable
         end
-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
       end
     end
   end

data/lib/devise/models/registerable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
     # Registerable is responsible for everything related to registering a new
@@ -19,6 +21,8 @@ module Devise
         def new_with_session(params, session)
           new(params)
         end
+        Devise::Models.config(self, :sign_in_after_change_password)
       end
     end
   end

data/lib/devise/models/rememberable.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 require 'devise/strategies/rememberable'
 require 'devise/hooks/rememberable'
 require 'devise/hooks/forgetable'
 module Devise
   module Models
-    # Rememberable manages generating and clearing token for remember the user
+    # Rememberable manages generating and clearing token for remembering the user
     # from a saved cookie. Rememberable also has utility methods for dealing
     # with serializing the user into the cookie and back from the cookie, trying
     # to lookup the record based on the saved information.
@@ -17,7 +19,7 @@ module Devise
     #
     #   * +remember_for+: the time you want the user will be remembered without
     #     asking for credentials. After this time the user will be blocked and
-    #     will have to enter his credentials again. This configuration is also
+    #     will have to enter their credentials again. This configuration is also
     #     used to calculate the expires time for the cookie created to remember
     #     the user. By default remember_for is 2.weeks.
     #
@@ -39,46 +41,42 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
       def self.required_fields(klass)
         [:remember_created_at]
       end
-      # Generate a new remember token and save the record without validations
-      # unless remember_across_browsers is true and the user already has a valid token.
-      def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
-        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
-        save(:validate => false) if self.changed?
+      def remember_me!
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_created_at ||= Time.now.utc
+        save(validate: false) if self.changed?
       end
       # If the record is persisted, remove the remember token (but only if
       # it exists), and save the record without validations.
       def forget_me!
         return unless persisted?
-        self.remember_token = nil if respond_to?(:remember_token=)
-        self.remember_created_at = nil
-        save(:validate => false)
+        self.remember_token = nil if respond_to?(:remember_token)
+        self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
+        save(validate: false)
       end
-      # Remember token should be expired if expiration time not overpass now.
-      def remember_expired?
-        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
+      def remember_expires_at
+        self.class.remember_for.from_now
       end
-      # Remember token expires at created time + remember_for configuration
-      def remember_expires_at
-        remember_created_at + self.class.remember_for
+      def extend_remember_period
+        self.class.extend_remember_period
       end
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
-          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
             "or have a remember_token column in your model or implement your own " \
             "rememberable_value in the model with custom logic."
@@ -89,36 +87,71 @@ module Devise
         self.class.rememberable_options
       end
-    protected
+      # A callback initiated after successfully being remembered. This can be
+      # used to insert your own logic that is only run after the user is
+      # remembered.
+      #
+      # Example:
+      #
+      #   def after_remembered
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
+      def after_remembered
+      end
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/heartcombo/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
-      def generate_remember_token? #:nodoc:
-        respond_to?(:remember_token) && remember_expired?
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
       end
-      # Generate a timestamp if extend_remember_period is true, if no remember_token
-      # exists, or if an existing remember token has expired.
-      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_created_at.nil? || remember_expired?
+      private
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
       end
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(id, remember_token)
+        def serialize_from_cookie(*args)
+          id, token, generated_at = *args
           record = to_adapter.get(id)
-          record if record && record.rememberable_value == remember_token && !record.remember_expired?
+          record if record && record.remember_me?(token, generated_at)
         end
         # Generate a token checking if one does not already exist in the database.
         def remember_token #:nodoc:
-          generate_token(:remember_token)
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ remember_token: token })
+          end
         end
-        Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)
+        Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end
   end

data/lib/devise/models/timeoutable.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 require 'devise/hooks/timeoutable'
 module Devise
   module Models
-    # Timeoutable takes care of verifyng whether a user session has already
+    # Timeoutable takes care of verifying whether a user session has already
     # expired or not. When a session expires after the configured time, the user
-    # will be asked for credentials again, it means, he/she will be redirected
+    # will be asked for credentials again, it means, they will be redirected
     # to the sign in page.
     #
     # == Options
@@ -26,7 +28,6 @@ module Devise
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        return false if remember_exists_and_not_expired?
         !timeout_in.nil? && last_access && last_access <= timeout_in.ago
       end
@@ -36,11 +37,6 @@ module Devise
       private
-      def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at)
-        remember_created_at && !remember_expired?
-      end
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end

data/lib/devise/models/trackable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/hooks/trackable'
 module Devise
@@ -15,21 +17,35 @@ module Devise
         [:current_sign_in_at, :current_sign_in_ip, :last_sign_in_at, :last_sign_in_ip, :sign_in_count]
       end
-      def update_tracked_fields!(request)
+      def update_tracked_fields(request)
         old_current, new_current = self.current_sign_in_at, Time.now.utc
         self.last_sign_in_at     = old_current || new_current
         self.current_sign_in_at  = new_current
-        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        old_current, new_current = self.current_sign_in_ip, extract_ip_from(request)
         self.last_sign_in_ip     = old_current || new_current
         self.current_sign_in_ip  = new_current
         self.sign_in_count ||= 0
         self.sign_in_count += 1
+      end
+      def update_tracked_fields!(request)
+        # We have to check if the user is already persisted before running
+        # `save` here because invalid users can be saved if we don't.
+        # See https://github.com/heartcombo/devise/issues/4673 for more details.
+        return if new_record?
-        save(:validate => false) or raise "Devise trackable could not save #{inspect}." \
-          "Please make sure a model using trackable can be saved at sign in."
+        update_tracked_fields(request)
+        save(validate: false)
       end
+      protected
+      def extract_ip_from(request)
+        request.remote_ip
+      end
     end
   end
 end