devise 3.1.0 → 3.2.0

data/Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.1.0)
+    devise (3.2.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -48,7 +48,7 @@ GEM
       tzinfo (~> 0.3.37)
     arel (4.0.0)
     atomic (1.1.12)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
     builder (3.1.4)
     erubis (2.7.0)
     faraday (0.8.8)

data/README.md

@@ -35,7 +35,7 @@ Devise is guaranteed to be thread-safe on YARV. Thread-safety support on JRuby i
 
 The Devise Wiki has lots of additional information about Devise including many "how-to" articles and answers to the most frequently asked questions. Please browse the Wiki after finishing this README:
 
-https://wiki.github.com/plataformatec/devise
+https://github.com/plataformatec/devise/wiki
 
 ### Bug reports
 
@@ -445,7 +445,7 @@ https://github.com/hassox/warden
 
 We have a long list of valued contributors. Check them all at:
 
-https://github.com/plataformatec/devise/contributors
+https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 

data/app/controllers/devise/confirmations_controller.rb

@@ -20,12 +20,7 @@ class Devise::ConfirmationsController < DeviseController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      if Devise.allow_insecure_sign_in_after_confirmation
-        set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
-        sign_in(resource_name, resource)
-      else
-        set_flash_message(:notice, :confirmed) if is_navigational_format?
-      end
+      set_flash_message(:notice, :confirmed) if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -41,8 +36,8 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      if Devise.allow_insecure_sign_in_after_confirmation
-        after_sign_in_path_for(resource)
+      if signed_in?
+        signed_in_root_path(resource)
       else
         new_session_path(resource_name)
       end

data/app/controllers/devise/passwords_controller.rb

@@ -32,7 +32,7 @@ class Devise::PasswordsController < DeviseController
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
       flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_navigational_format?
+      set_flash_message(:notice, flash_message) if is_flashing_format?
       sign_in(resource_name, resource)
       respond_with resource, :location => after_resetting_password_path_for(resource)
     else

data/app/controllers/devise/registrations_controller.rb

@@ -14,12 +14,12 @@ class Devise::RegistrationsController < DeviseController
 
     if resource.save
       if resource.active_for_authentication?
-        set_flash_message :notice, :signed_up if is_navigational_format?
+        set_flash_message :notice, :signed_up if is_flashing_format?
         sign_up(resource_name, resource)
         respond_with resource, :location => after_sign_up_path_for(resource)
       else
-        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-        expire_session_data_after_sign_in!
+        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+        expire_data_after_sign_in!
         respond_with resource, :location => after_inactive_sign_up_path_for(resource)
       end
     else
@@ -41,7 +41,7 @@ class Devise::RegistrationsController < DeviseController
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
     if update_resource(resource, account_update_params)
-      if is_navigational_format?
+      if is_flashing_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
         set_flash_message :notice, flash_key
@@ -58,7 +58,7 @@ class Devise::RegistrationsController < DeviseController
   def destroy
     resource.destroy
     Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
-    set_flash_message :notice, :destroyed if is_navigational_format?
+    set_flash_message :notice, :destroyed if is_flashing_format?
     respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
 
@@ -68,7 +68,7 @@ class Devise::RegistrationsController < DeviseController
   # cancel oauth signing in/up in the middle of the process,
   # removing all OAuth session data.
   def cancel
-    expire_session_data_after_sign_in!
+    expire_data_after_sign_in!
     redirect_to new_registration_path(resource_name)
   end
 

data/app/controllers/devise/sessions_controller.rb

@@ -1,7 +1,7 @@
 class Devise::SessionsController < DeviseController
   prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   prepend_before_filter :allow_params_authentication!, :only => :create
-  prepend_before_filter { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter :only => [ :create, :destroy ] { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new
@@ -13,7 +13,7 @@ class Devise::SessionsController < DeviseController
   # POST /resource/sign_in
   def create
     self.resource = warden.authenticate!(auth_options)
-    set_flash_message(:notice, :signed_in) if is_navigational_format?
+    set_flash_message(:notice, :signed_in) if is_flashing_format?
     sign_in(resource_name, resource)
     respond_with resource, :location => after_sign_in_path_for(resource)
   end
@@ -22,7 +22,7 @@ class Devise::SessionsController < DeviseController
   def destroy
     redirect_path = after_sign_out_path_for(resource_name)
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out && is_navigational_format?
+    set_flash_message :notice, :signed_out if signed_out && is_flashing_format?
 
     # We actually need to hardcode this as Rails default responder doesn't
     # support returning empty response on GET request

data/app/controllers/devise/unlocks_controller.rb

@@ -22,7 +22,7 @@ class Devise::UnlocksController < DeviseController
     self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked if is_navigational_format?
+      set_flash_message :notice, :unlocked if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }

data/app/controllers/devise_controller.rb

@@ -123,7 +123,7 @@ MESSAGE
     end
 
     if notice
-      set_flash_message :notice, notice if is_navigational_format?
+      set_flash_message :notice, notice if is_flashing_format?
       true
     end
   end
@@ -147,12 +147,16 @@ MESSAGE
     flash[key] = message if message.present?
   end
 
+  def devise_i18n_options(options)
+    options
+  end
+
   # Get message for given
   def find_message(kind, options = {})
     options[:scope] = "devise.#{controller_name}"
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
-    options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+    options = devise_i18n_options(options)
     I18n.t("#{options[:resource_name]}.#{kind}", options)
   end
 

data/app/mailers/devise/mailer.rb

@@ -1,18 +1,20 @@
-class Devise::Mailer < Devise.parent_mailer.constantize
-  include Devise::Mailers::Helpers
+if defined?(ActionMailer)
+  class Devise::Mailer < Devise.parent_mailer.constantize
+    include Devise::Mailers::Helpers
 
-  def confirmation_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :confirmation_instructions, opts)
-  end
+    def confirmation_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :confirmation_instructions, opts)
+    end
 
-  def reset_password_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :reset_password_instructions, opts)
-  end
+    def reset_password_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :reset_password_instructions, opts)
+    end
 
-  def unlock_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :unlock_instructions, opts)
+    def unlock_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :unlock_instructions, opts)
+    end
   end
 end

data/config/locales/en.yml

@@ -3,16 +3,15 @@
 en:
   devise:
     confirmations:
-      confirmed: "Your account was successfully confirmed. Please sign in."
-      confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
+      confirmed: "Your account was successfully confirmed."
       send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
       invalid: "Invalid email or password."
-      invalid_token: "Invalid authentication token."
       locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account will be locked."
       not_found_in_database: "Invalid email or password."
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (3.1.0)
+    devise (3.2.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -39,8 +39,8 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    atomic (1.1.13)
-    bcrypt-ruby (3.1.1)
+    atomic (1.1.14)
+    bcrypt-ruby (3.1.2)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.8)
@@ -125,7 +125,7 @@ GEM
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    thread_safe (0.1.2)
+    thread_safe (0.1.3)
       atomic
     tilt (1.4.1)
     treetop (1.4.14)

data/lib/devise/controllers/helpers.rb

@@ -3,6 +3,7 @@ module Devise
     # Those helpers are convenience methods added to ApplicationController.
     module Helpers
       extend ActiveSupport::Concern
+      include Devise::Controllers::SignInOut
 
       included do
         helper_method :warden, :signed_in?, :devise_controller?
@@ -96,84 +97,6 @@ module Devise
         request.env["devise.allow_params_authentication"] = true
       end
 
-      # Return true if the given scope is signed in session. If no scope given, return
-      # true if any scope is signed in. Does not run authentication hooks.
-      def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
-          warden.authenticate?(:scope => _scope)
-        end
-      end
-
-      # Sign in a user that already was authenticated. This helper is useful for logging
-      # users in after sign up.
-      #
-      # All options given to sign_in is passed forward to the set_user method in warden.
-      # The only exception is the :bypass option, which bypass warden callbacks and stores
-      # the user straight in session. This option is useful in cases the user is already
-      # signed in, but we want to refresh the credentials in session.
-      #
-      # Examples:
-      #
-      #   sign_in :user, @user                      # sign_in(scope, resource)
-      #   sign_in @user                             # sign_in(resource)
-      #   sign_in @user, :event => :authentication  # sign_in(resource, options)
-      #   sign_in @user, :store => false            # sign_in(resource, options)
-      #   sign_in @user, :bypass => true            # sign_in(resource, options)
-      #
-      def sign_in(resource_or_scope, *args)
-        options  = args.extract_options!
-        scope    = Devise::Mapping.find_scope!(resource_or_scope)
-        resource = args.last || resource_or_scope
-
-        expire_session_data_after_sign_in!
-
-        if options[:bypass]
-          warden.session_serializer.store(resource, scope)
-        elsif warden.user(scope) == resource && !options.delete(:force)
-          # Do nothing. User already signed in and we are not forcing it.
-          true
-        else
-          warden.set_user(resource, options.merge!(:scope => scope))
-        end
-      end
-
-      # Sign out a given user or scope. This helper is useful for signing out a user
-      # after deleting accounts. Returns true if there was a logout and false if there
-      # is no user logged in on the referred scope
-      #
-      # Examples:
-      #
-      #   sign_out :user     # sign_out(scope)
-      #   sign_out @user     # sign_out(resource)
-      #
-      def sign_out(resource_or_scope=nil)
-        return sign_out_all_scopes unless resource_or_scope
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
-
-        warden.raw_session.inspect # Without this inspect here. The session does not clear.
-        warden.logout(scope)
-        warden.clear_strategies_cache!(:scope => scope)
-        instance_variable_set(:"@current_#{scope}", nil)
-
-        !!user
-      end
-
-      # Sign out all active users or scopes. This helper is useful for signing out all roles
-      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
-      # and false if there was no user logged in on all scopes.
-      def sign_out_all_scopes(lock=true)
-        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
-
-        warden.raw_session.inspect
-        warden.logout
-        expire_devise_cached_variables!
-        warden.clear_strategies_cache!
-        warden.lock! if lock
-
-        users.any?
-      end
-
       # Returns and delete (if it's navigational format) the url stored in the session for
       # the given scope. Useful for giving redirect backs after sign up:
       #
@@ -257,10 +180,6 @@ module Devise
         redirect_to after_sign_in_path_for(resource)
       end
 
-      def expire_session_data_after_sign_in!
-        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
-      end
-
       # Sign out a user and tries to redirect to the url specified by
       # after_sign_out_path_for.
       def sign_out_and_redirect(resource_or_scope)
@@ -275,7 +194,7 @@ module Devise
       def handle_unverified_request
         sign_out_all_scopes(false)
         request.env["devise.skip_storage"] = true
-        expire_devise_cached_variables!
+        expire_data_after_sign_out!
         super # call the default behaviour which resets the session
       end
 
@@ -287,10 +206,23 @@ module Devise
         Devise.navigational_formats.include?(request_format)
       end
 
+      # Check if flash messages should be emitted. Default is to do it on
+      # navigational formats
+      def is_flashing_format?
+        is_navigational_format?
+      end
+
       private
 
-      def expire_devise_cached_variables!
+      def expire_session_data_after_sign_in!
+        ActiveSupport::Deprecation.warn "expire_session_data_after_sign_in! is deprecated " \
+          "in favor of expire_data_after_sign_in!"
+        expire_data_after_sign_in!
+      end
+
+      def expire_data_after_sign_out!
         Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
+        super
       end
     end
   end

data/lib/devise/controllers/rememberable.rb

@@ -1,24 +1,14 @@
 module Devise
   module Controllers
     # A module that may be optionally included in a controller in order
-    # to provide remember me behavior.
+    # to provide remember me behavior. Useful when signing in is done
+    # through a callback, like in Omniauth.
     module Rememberable
       # Return default cookie values retrieved from session options.
       def self.cookie_values
         Rails.configuration.session_options.slice(:path, :domain, :secure)
       end
 
-      # A small warden proxy so we can remember and forget uses from hooks.
-      class Proxy #:nodoc:
-        include Devise::Controllers::Rememberable
-
-        delegate :cookies, :env, :to => :@warden
-
-        def initialize(warden)
-          @warden = warden
-        end
-      end
-
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
         return if env["devise.skip_storage"]

data/lib/devise/controllers/sign_in_out.rb

@@ -0,0 +1,103 @@
+module Devise
+  module Controllers
+    # Provide sign in and sign out functionality.
+    # Included by default in all controllers.
+    module SignInOut
+      # Return true if the given scope is signed in session. If no scope given, return
+      # true if any scope is signed in. Does not run authentication hooks.
+      def signed_in?(scope=nil)
+        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+          warden.authenticate?(:scope => _scope)
+        end
+      end
+
+      # Sign in a user that already was authenticated. This helper is useful for logging
+      # users in after sign up.
+      #
+      # All options given to sign_in is passed forward to the set_user method in warden.
+      # The only exception is the :bypass option, which bypass warden callbacks and stores
+      # the user straight in session. This option is useful in cases the user is already
+      # signed in, but we want to refresh the credentials in session.
+      #
+      # Examples:
+      #
+      #   sign_in :user, @user                      # sign_in(scope, resource)
+      #   sign_in @user                             # sign_in(resource)
+      #   sign_in @user, :event => :authentication  # sign_in(resource, options)
+      #   sign_in @user, :store => false            # sign_in(resource, options)
+      #   sign_in @user, :bypass => true            # sign_in(resource, options)
+      #
+      def sign_in(resource_or_scope, *args)
+        options  = args.extract_options!
+        scope    = Devise::Mapping.find_scope!(resource_or_scope)
+        resource = args.last || resource_or_scope
+
+        expire_data_after_sign_in!
+
+        if options[:bypass]
+          warden.session_serializer.store(resource, scope)
+        elsif warden.user(scope) == resource && !options.delete(:force)
+          # Do nothing. User already signed in and we are not forcing it.
+          true
+        else
+          warden.set_user(resource, options.merge!(:scope => scope))
+        end
+      end
+
+      # Sign out a given user or scope. This helper is useful for signing out a user
+      # after deleting accounts. Returns true if there was a logout and false if there
+      # is no user logged in on the referred scope
+      #
+      # Examples:
+      #
+      #   sign_out :user     # sign_out(scope)
+      #   sign_out @user     # sign_out(resource)
+      #
+      def sign_out(resource_or_scope=nil)
+        return sign_out_all_scopes unless resource_or_scope
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
+
+        warden.raw_session.inspect # Without this inspect here. The session does not clear.
+        warden.logout(scope)
+        warden.clear_strategies_cache!(:scope => scope)
+        instance_variable_set(:"@current_#{scope}", nil)
+
+        !!user
+      end
+
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
+      # and false if there was no user logged in on all scopes.
+      def sign_out_all_scopes(lock=true)
+        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
+
+        warden.raw_session.inspect
+        warden.logout
+        expire_data_after_sign_out!
+        warden.clear_strategies_cache!
+        warden.lock! if lock
+
+        users.any?
+      end
+
+      private
+
+      def expire_data_after_sign_in!
+        # session.keys will return an empty array if the session is not yet loaded.
+        # This is a bug in both Rack and Rails.
+        # A call to #empty? forces the session to be loaded.
+        session.empty?
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
+      end
+
+      def expire_data_after_sign_out!
+        # session.keys will return an empty array if the session is not yet loaded.
+        # This is a bug in both Rack and Rails.
+        # A call to #empty? forces the session to be loaded.
+        session.empty?
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
+      end
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -64,12 +64,21 @@ module Devise
 
   protected
 
+    def i18n_options(options)
+      options
+    end
+
     def i18n_message(default = nil)
       message = warden_message || default || :unauthenticated
 
       if message.is_a?(Symbol)
-        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
-               :scope => "devise.failure", :default => [message])
+        options = {}
+        options[:resource_name] = scope
+        options[:scope] = "devise.failure"
+        options[:default] = [message]
+        options = i18n_options(options)
+
+        I18n.t(:"#{scope}.#{message}", options)
       else
         message.to_s
       end

data/lib/devise/hooks/forgetable.rb

@@ -4,6 +4,6 @@
 # This avoids forgetting deleted users.
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
-    Devise::Controllers::Rememberable::Proxy.new(warden).forget_me(record)
+    Devise::Hooks::Proxy.new(warden).forget_me(record)
   end
 end

data/lib/devise/hooks/proxy.rb

@@ -0,0 +1,21 @@
+module Devise
+  module Hooks
+    # A small warden proxy so we can remember, forget and
+    # sign out users from hooks.
+    class Proxy #:nodoc:
+      include Devise::Controllers::Rememberable
+      include Devise::Controllers::SignInOut
+
+      attr_reader :warden
+      delegate :cookies, :env, :to => :warden
+
+      def initialize(warden)
+        @warden = warden
+      end
+
+      def session
+        warden.request.session
+      end
+    end
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -2,6 +2,6 @@ Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   scope = options[:scope]
   if record.respond_to?(:remember_me) && options[:store] != false &&
      record.remember_me && warden.authenticated?(scope)
-    Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
+    Devise::Hooks::Proxy.new(warden).remember_me(record)
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -9,12 +9,15 @@ Warden::Manager.after_set_user do |record, warden, options|
 
   if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
     last_request_at = warden.session(scope)['last_request_at']
+    proxy = Devise::Hooks::Proxy.new(warden)
 
     if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      warden.logout(scope)
+      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+
       if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
         record.reset_authentication_token!
       end
+
       throw :warden, :scope => scope, :message => :timeout
     end
 

data/lib/devise/models/authenticatable.rb

@@ -29,9 +29,7 @@ module Devise
     #     It also accepts an array specifying the strategies that should allow params authentication.
     #
     #   * +skip_session_storage+: By default Devise will store the user in session.
-    #     You can skip storage for http and token auth by appending values to array:
-    #     :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],
-    #     by default is set to :skip_session_storage => [:http_auth].
+    #     By default is set to :skip_session_storage => [:http_auth].
     #
     # == active_for_authentication?
     #
@@ -176,23 +174,24 @@ module Devise
       end
 
       def downcase_keys
-        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase!) }
+        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase) }
       end
 
       def strip_whitespace
-        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip!) }
+        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip) }
       end
 
       def apply_to_attribute_or_variable(attr, method)
         if self[attr]
-          self[attr].try(method)
+          self[attr] = self[attr].try(method)
 
         # Use respond_to? here to avoid a regression where globally
         # configured strip_whitespace_keys or case_insensitive_keys were
-        # attempting to strip! or downcase! when a model didn't have the
+        # attempting to strip or downcase when a model didn't have the
         # globally configured key.
-        elsif respond_to?(attr)
-          send(attr).try(method)
+        elsif respond_to?(attr) && respond_to?("#{attr}=")
+          new_value = send(attr).try(method)
+          send("#{attr}=", new_value)
         end
       end
 

data/lib/devise/models/confirmable.rb

@@ -275,10 +275,6 @@ module Devise
           confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          if !confirmable.persisted? && Devise.allow_insecure_token_lookup
-            confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
-          end
-
           confirmable.confirm! if confirmable.persisted?
           confirmable.confirmation_token = original_token
           confirmable