devise 3.0.4 → 3.1.0.rc2

data/lib/devise.rb

@@ -14,6 +14,7 @@ module Devise
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
   autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
+  autoload :TokenGenerator,     'devise/token_generator'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -45,6 +46,20 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
+  # Secret key used by the key generator
+  mattr_accessor :secret_key
+  @@secret_key = nil
+
+  # Allow insecure token lookup. Must be used
+  # temporarily just for migration.
+  mattr_accessor :allow_insecure_token_lookup
+  @@allow_insecure_tokens_lookup = false
+
+  # Allow insecure sign in after confirmation. Must be used
+  # temporarily just for migration.
+  mattr_accessor :allow_insecure_sign_in_after_confirmation
+  @@allow_insecure_sign_in_after_confirmation = false
+
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
   @@rememberable_options = {}
@@ -227,18 +242,6 @@ module Devise
   mattr_accessor :clean_up_csrf_token_on_authentication
   @@clean_up_csrf_token_on_authentication = true
 
-  def self.encryptor=(value)
-    warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
-  end
-
-  def self.use_salt_as_remember_token=(value)
-    warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
-  end
-
-  def self.apply_schema=(value)
-    warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
-  end
-
   # PRIVATE CONFIGURATION
 
   # Store scopes mappings.
@@ -263,6 +266,10 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
+  # Stores the token generator
+  mattr_accessor :token_generator
+  @@token_generator = nil
+
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup
@@ -451,7 +458,7 @@ module Devise
 
   # Generate a friendly string randomly to be used as token.
   def self.friendly_token
-    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
+    SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
   end
 
   # constant-time comparison algorithm to prevent timing attacks

data/lib/devise/controllers/helpers.rb

@@ -117,6 +117,7 @@ module Devise
       #   sign_in :user, @user                      # sign_in(scope, resource)
       #   sign_in @user                             # sign_in(resource)
       #   sign_in @user, :event => :authentication  # sign_in(resource, options)
+      #   sign_in @user, :store => false            # sign_in(resource, options)
       #   sign_in @user, :bypass => true            # sign_in(resource, options)
       #
       def sign_in(resource_or_scope, *args)

data/lib/devise/hooks/rememberable.rb

@@ -1,6 +1,7 @@
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   scope = options[:scope]
-  if record.respond_to?(:remember_me) && record.remember_me && warden.authenticated?(scope)
+  if record.respond_to?(:remember_me) && options[:store] != false &&
+     record.remember_me && warden.authenticated?(scope)
     Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
   end
 end

data/lib/devise/mailers/helpers.rb

@@ -35,12 +35,6 @@ module Devise
           :template_name => action
         }.merge(opts)
 
-        if resource.respond_to?(:headers_for)
-          ActiveSupport::Deprecation.warn "Calling headers_for in the model is no longer supported. " <<
-            "Please customize your mailer instead."
-          headers.merge!(resource.headers_for(action))
-        end
-
         @email = headers[:to]
         headers
       end

data/lib/devise/models.rb

@@ -56,14 +56,8 @@ module Devise
       klass.devise_modules.each do |mod|
         constant = const_get(mod.to_s.classify)
 
-        if constant.respond_to?(:required_fields)
-          constant.required_fields(klass).each do |field|
-            failed_attributes << field unless instance.respond_to?(field)
-          end
-        else
-          ActiveSupport::Deprecation.warn "The module #{mod} doesn't implement self.required_fields(klass). " \
-            "Devise uses required_fields to warn developers of any missing fields in their models. " \
-            "Please implement #{mod}.required_fields(klass) that returns an array of symbols with the required fields."
+        constant.required_fields(klass).each do |field|
+          failed_attributes << field unless instance.respond_to?(field)
         end
       end
 
@@ -89,11 +83,13 @@ module Devise
 
       devise_modules_hook! do
         include Devise::Models::Authenticatable
-        selected_modules.each do |m|
-          if m == :encryptable && !(defined?(Devise::Models::Encryptable))
-            warn "[DEVISE] You're trying to include :encryptable in your model but it is not bundled with the Devise gem anymore. Please add `devise-encryptable` to your Gemfile to proceed.\n"
-          end
 
+        if selected_modules.include?(:token_authenticatable)
+          ActiveSupport::Deprecation.warn "devise :token_authenticatable is deprecated. " \
+            "Please check Devise 3.1 release notes for more information on how to upgrade."
+        end
+
+        selected_modules.each do |m|
           mod = Devise::Models.const_get(m.to_s.classify)
 
           if mod.const_defined?("ClassMethods")

data/lib/devise/models/authenticatable.rb

@@ -144,20 +144,20 @@ module Devise
       #
       #       protected
       #
-      #       def send_devise_notification(notification, opts = {})
-      #         # if the record is new or changed then delay the
+      #       def send_devise_notification(notification, *args)
+      #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
       #         if new_record? || changed?
-      #           pending_notifications << [notification, opts]
+      #           pending_notifications << [notification, args]
       #         else
-      #           devise_mailer.send(notification, self, opts).deliver
+      #           devise_mailer.send(notification, self, *args).deliver
       #         end
       #       end
       #
       #       def send_pending_notifications
-      #         pending_notifications.each do |n, opts|
-      #           devise_mailer.send(n, self, opts).deliver
+      #         pending_notifications.each do |notification, args|
+      #           devise_mailer.send(notification, self, *args).deliver
       #         end
       #
       #         # Empty the pending notifications array because the
@@ -171,8 +171,8 @@ module Devise
       #       end
       #     end
       #
-      def send_devise_notification(notification, opts={})
-        devise_mailer.send(notification, self, opts).deliver
+      def send_devise_notification(notification, *args)
+        devise_mailer.send(notification, self, *args).deliver
       end
 
       def downcase_keys
@@ -279,14 +279,6 @@ module Devise
         def devise_parameter_filter
           @devise_parameter_filter ||= Devise::ParameterFilter.new(case_insensitive_keys, strip_whitespace_keys)
         end
-
-        # Generate a token by looping and ensuring does not already exist.
-        def generate_token(column)
-          loop do
-            token = Devise.friendly_token
-            break token unless to_adapter.find_first({ column => token })
-          end
-        end
       end
     end
   end

data/lib/devise/models/confirmable.rb

@@ -7,7 +7,7 @@ module Devise
     #
     # == Options
     #
-    # Confirmable adds the following options to devise_for:
+    # Confirmable adds the following options to +devise+:
     #
     #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access his account
     #     before confirming it. After this period, the user access is denied. You can
@@ -40,9 +40,10 @@ module Devise
       end
 
       def initialize(*args, &block)
-        @bypass_postpone = false
+        @bypass_confirmation_postpone = false
         @reconfirmation_required = false
         @skip_confirmation_notification = false
+        @raw_confirmation_token = nil
         super
       end
 
@@ -93,10 +94,12 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
-        ensure_confirmation_token!
+        unless @raw_confirmation_token
+          generate_confirmation_token!
+        end
 
         opts = pending_reconfirmation? ? { :to => unconfirmed_email } : { }
-        send_devise_notification(:confirmation_instructions, opts)
+        send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
       end
 
       def send_reconfirmation_instructions
@@ -109,17 +112,11 @@ module Devise
 
       # Resend confirmation token.
       # Regenerates the token if the period is expired.
-      def resend_confirmation_token
+      def resend_confirmation_instructions
         pending_any_confirmation do
-          regenerate_confirmation_token! if confirmation_period_expired?
           send_confirmation_instructions
         end
       end
-      
-      # Generate a confirmation token unless already exists and save the record.
-      def ensure_confirmation_token!
-        generate_confirmation_token! if should_generate_confirmation_token?
-      end 
 
       # Overwrites active_for_authentication? for confirmation
       # by verifying whether a user is active to sign in or not. If the user
@@ -149,19 +146,16 @@ module Devise
       # If you don't want reconfirmation to be sent, neither a code
       # to be generated, call skip_reconfirmation!
       def skip_reconfirmation!
-        @bypass_postpone = true
+        @bypass_confirmation_postpone = true
       end
 
       protected
-        def should_generate_confirmation_token?
-          confirmation_token.nil? || confirmation_period_expired?
-        end
 
         # A callback method used to deliver confirmation
         # instructions on creation. This can be overriden
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
-          send_devise_notification(:confirmation_instructions)
+          send_confirmation_instructions
         end
 
         # Callback to overwrite if confirmation is required or not.
@@ -221,10 +215,12 @@ module Devise
           end
         end
 
-        # Generates a new random token for confirmation, and stores the time
-        # this token is being generated
+        # Generates a new random token for confirmation, and stores
+        # the time this token is being generated
         def generate_confirmation_token
-          self.confirmation_token = self.class.confirmation_token
+          raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
+          @raw_confirmation_token   = raw
+          self.confirmation_token   = enc
           self.confirmation_sent_at = Time.now.utc
         end
 
@@ -232,25 +228,16 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        # Regenerates a new token.
-        def regenerate_confirmation_token
-          generate_confirmation_token
-        end
-
-        def regenerate_confirmation_token!
-          regenerate_confirmation_token && save(:validate => false)
-        end
-
         def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
           @reconfirmation_required = true
           self.unconfirmed_email = self.email
           self.email = self.email_was
-          regenerate_confirmation_token
+          generate_confirmation_token
         end
 
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone && !self.email.blank?
-          @bypass_postpone = false
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && !self.email.blank?
+          @bypass_confirmation_postpone = false
           postpone
         end
 
@@ -275,7 +262,7 @@ module Devise
           unless confirmable.try(:persisted?)
             confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
           end
-          confirmable.resend_confirmation_token if confirmable.persisted?
+          confirmable.resend_confirmation_instructions if confirmable.persisted?
           confirmable
         end
 
@@ -284,16 +271,19 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
+          original_token     = confirmation_token
+          confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          if !confirmable.persisted? && Devise.allow_insecure_token_lookup
+            confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
+          end
+
           confirmable.confirm! if confirmable.persisted?
+          confirmable.confirmation_token = original_token
           confirmable
         end
 
-        # Generate a token checking if one does not already exist in the database.
-        def confirmation_token
-          generate_token(:confirmation_token)
-        end
-
         # Find a record for confirmation by unconfirmed email field
         def find_by_unconfirmed_email_with_errors(attributes = {})
           unconfirmed_required_attributes = confirmation_keys.map { |k| k == :email ? :unconfirmed_email : k }

data/lib/devise/models/lockable.rb

@@ -38,7 +38,6 @@ module Devise
         self.locked_at = Time.now.utc
 
         if unlock_strategy_enabled?(:email)
-          generate_unlock_token!
           send_unlock_instructions
         else
           save(:validate => false)
@@ -60,11 +59,15 @@ module Devise
 
       # Send unlock instructions by email
       def send_unlock_instructions
-        send_devise_notification(:unlock_instructions)
+        raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+        self.unlock_token = enc
+        self.save(:validate => false)
+        send_devise_notification(:unlock_instructions, raw, {})
+        raw
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock_token
+      def resend_unlock_instructions
         if_access_locked { send_unlock_instructions }
       end
 
@@ -122,15 +125,6 @@ module Devise
           self.failed_attempts > self.class.maximum_attempts
         end
 
-        # Generates unlock token
-        def generate_unlock_token
-          self.unlock_token = self.class.unlock_token
-        end
-
-        def generate_unlock_token!
-          generate_unlock_token && save(:validate => false)
-        end
-
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)
@@ -158,7 +152,7 @@ module Devise
         # Options must contain the user's unlock keys
         def send_unlock_instructions(attributes={})
           lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
-          lockable.resend_unlock_token if lockable.persisted?
+          lockable.resend_unlock_instructions if lockable.persisted?
           lockable
         end
 
@@ -167,8 +161,16 @@ module Devise
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
         def unlock_access_by_token(unlock_token)
+          original_token = unlock_token
+          unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
+
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          if !lockable.persisted? && Devise.allow_insecure_token_lookup
+            lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
+          end
+
           lockable.unlock_access! if lockable.persisted?
+          lockable.unlock_token = original_token
           lockable
         end
 
@@ -182,10 +184,6 @@ module Devise
           self.lock_strategy == strategy
         end
 
-        def unlock_token
-          Devise.friendly_token
-        end
-
         Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
       end
     end

data/lib/devise/models/recoverable.rb

@@ -42,17 +42,19 @@ module Devise
         save
       end
 
-      # Resets reset password token and send reset password instructions by email
+      # Resets reset password token and send reset password instructions by email.
+      # Returns the token sent in the e-mail.
       def send_reset_password_instructions
-        ensure_reset_password_token!
-        send_devise_notification(:reset_password_instructions)
+        raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+
+        self.reset_password_token   = enc
+        self.reset_password_sent_at = Time.now.utc
+        self.save(:validate => false)
+
+        send_devise_notification(:reset_password_instructions, raw, {})
+        raw
       end
-      
-      # Generate reset password token unless already exists and save the record.
-      def ensure_reset_password_token!
-        generate_reset_password_token! if should_generate_reset_token?
-      end 
-      
+
       # Checks if the reset password token sent is within the limit time.
       # We do this by calculating if the difference between today and the
       # sending date does not exceed the confirm in time configured.
@@ -79,23 +81,6 @@ module Devise
 
       protected
 
-        def should_generate_reset_token?
-          reset_password_token.nil? || !reset_password_period_valid?
-        end
-
-        # Generates a new random token for reset password
-        def generate_reset_password_token
-          self.reset_password_token = self.class.reset_password_token
-          self.reset_password_sent_at = Time.now.utc
-          self.reset_password_token
-        end
-
-        # Resets the reset password token with and save the record without
-        # validating
-        def generate_reset_password_token!
-          generate_reset_password_token && save(:validate => false)
-        end
-
         # Removes reset_password token
         def clear_reset_password_token
           self.reset_password_token = nil
@@ -127,7 +112,14 @@ module Devise
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password_by_token(attributes={})
-          recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
+          original_token       = attributes[:reset_password_token]
+          reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
+
+          recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
+          if !recoverable.persisted? && Devise.allow_insecure_token_lookup
+            recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
+          end
+
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
               recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
@@ -135,6 +127,8 @@ module Devise
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
+
+          recoverable.reset_password_token = original_token
           recoverable
         end