devise 3.1.0 → 3.2.0

data/lib/devise/models/database_authenticatable.rb

@@ -2,6 +2,11 @@ require 'devise/strategies/database_authenticatable'
 require 'bcrypt'
 
 module Devise
+  # Digests the password using bcrypt.
+  def self.bcrypt(klass, password)
+    ::BCrypt::Password.create("#{password}#{klass.pepper}", :cost => klass.stretches).to_s
+  end
+
   module Models
     # Authenticatable Module, responsible for encrypting password and validating
     # authenticity of a user while signing in.
@@ -34,7 +39,7 @@ module Devise
       # Generates password encryption based on the given value.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) if @password.present?
+        self.encrypted_password = Devise.bcrypt(self.class, @password) if @password.present?
       end
 
       # Verifies whether an password (ie from sign in) is the user password.
@@ -96,7 +101,7 @@ module Devise
       end
 
       # Destroy record when :current_password matches, otherwise returns
-      # error on :current_password. It also automatically rejects 
+      # error on :current_password. It also automatically rejects
       # :current_password if it is blank.
       def destroy_with_password(current_password)
         result = if valid_password?(current_password)
@@ -110,6 +115,16 @@ module Devise
         result
       end
 
+      # A callback initiated after successfully authenticating. This can be
+      # used to insert your own logic that is only run after the user successfully
+      # authenticates.
+      #
+      # Example:
+      #
+      #   def after_database_authentication
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
       def after_database_authentication
       end
 
@@ -120,11 +135,6 @@ module Devise
 
     protected
 
-      # Digests the password using bcrypt.
-      def password_digest(password)
-        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
-      end
-
       module ClassMethods
         Devise::Models.config(self, :pepper, :stretches)
 

data/lib/devise/models/lockable.rb

@@ -112,6 +112,8 @@ module Devise
         # leaks the existence of an account.
         if Devise.paranoid
           super
+        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt?
+          :last_attempt
         elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
           :locked
         else
@@ -125,6 +127,10 @@ module Devise
           self.failed_attempts > self.class.maximum_attempts
         end
 
+        def last_attempt?
+          self.failed_attempts == self.class.maximum_attempts
+        end
+
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)
@@ -165,10 +171,6 @@ module Devise
           unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
 
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
-          if !lockable.persisted? && Devise.allow_insecure_token_lookup
-            lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
-          end
-
           lockable.unlock_access! if lockable.persisted?
           lockable.unlock_token = original_token
           lockable

data/lib/devise/models/recoverable.rb

@@ -101,11 +101,6 @@ module Devise
           recoverable
         end
 
-        # Generate a token checking if one does not already exist in the database.
-        def reset_password_token
-          generate_token(:reset_password_token)
-        end
-
         # Attempt to find a user by its reset_password_token to reset its
         # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
@@ -116,9 +111,6 @@ module Devise
           reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
 
           recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
-          if !recoverable.persisted? && Devise.allow_insecure_token_lookup
-            recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
-          end
 
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?

data/lib/devise/models.rb

@@ -84,11 +84,6 @@ module Devise
       devise_modules_hook! do
         include Devise::Models::Authenticatable
 
-        if selected_modules.include?(:token_authenticatable)
-          ActiveSupport::Deprecation.warn "devise :token_authenticatable is deprecated. " \
-            "Please check Devise 3.1 release notes for more information on how to upgrade."
-        end
-
         selected_modules.each do |m|
           mod = Devise::Models.const_get(m.to_s.classify)
 

data/lib/devise/modules.rb

@@ -5,7 +5,6 @@ Devise.with_options :model => true do |d|
   d.with_options :strategy => true do |s|
     routes = [nil, :new, :destroy]
     s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
-    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }, :no_input => true
     s.add_module :rememberable, :no_input => true
   end
 

data/lib/devise/parameter_sanitizer.rb

@@ -47,19 +47,25 @@ module Devise
     end
 
     def sign_in
-      default_params.permit self.for(:sign_in)
+      permit self.for(:sign_in)
     end
 
     def sign_up
-      default_params.permit self.for(:sign_up)
+      permit self.for(:sign_up)
     end
 
     def account_update
-      default_params.permit self.for(:account_update)
+      permit self.for(:account_update)
     end
 
     private
 
+    # TODO: We do need to flatten so it works with strong_parameters
+    # gem. We should drop it once we move to Rails 4 only support.
+    def permit(keys)
+      default_params.permit(*Array(keys))
+    end
+
     # Change for(kind) to return the values in the @permitted
     # hash, allowing the developer to customize at runtime.
     def default_for(kind)

data/lib/devise/rails/routes.rb

@@ -58,6 +58,28 @@ module ActionDispatch::Routing
     #      user_confirmation GET    /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
     #                        POST   /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
     #
+    # ==== Routes integration
+    #
+    # +devise_for+ is meant to play nicely with other routes methods. For example,
+    # by calling +devise_for+ inside a namespace, it automatically nests your devise
+    # controllers:
+    #
+    #     namespace :publisher do
+    #       devise_for :account
+    #     end
+    #
+    # The snippet above will use publisher/sessions controller instead of devise/sessions
+    # controller. You can revert this change or configure it directly by passing the :module
+    # option described below to +devise_for+.
+    #
+    # Also note that when you use a namespace it will affect all the helpers and methods
+    # for controllers and views. For example, using the above setup you'll end with
+    # following methods: current_publisher_account, authenticate_publisher_account!,
+    # publisher_account_signed_in, etc.
+    #
+    # The only aspect not affect by the router configuration is the model name. The
+    # model name can be explicitly set via the :class_name option.
+    #
     # ==== Options
     #
     # You can configure your routes with some options:
@@ -104,20 +126,6 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :module => "users"
     #
-    #    Notice that whenever you use namespace in the router DSL, it automatically sets the module.
-    #    So the following setup:
-    #
-    #      namespace :publisher do
-    #        devise_for :account
-    #      end
-    #
-    #    Will use publisher/sessions controller instead of devise/sessions controller. You can revert
-    #    this by providing the :module option to devise_for.
-    #
-    #    Also pay attention that when you use a namespace it will affect all the helpers and methods for controllers
-    #    and views. For example, using the above setup you'll end with following methods:
-    #    current_publisher_account, authenticate_publisher_account!, publisher_account_signed_in, etc.
-    #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
     #      devise_for :users, :skip => :sessions
@@ -378,8 +386,14 @@ module ActionDispatch::Routing
       end
 
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
+        if mapping.fullpath =~ /:[a-zA-Z_]/
+          raise "[DEVISE] Nesting omniauth callbacks under scopes with dynamic segments " \
+            "is not supported. Please, use Devise.omniauth_path_prefix instead."
+        end
+
         path, @scope[:path] = @scope[:path], nil
-        path_prefix = Devise.omniauth_path_prefix || "/#{mapping.path}/auth".squeeze("/")
+        path_prefix = Devise.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
+
         set_omniauth_path_prefix!(path_prefix)
 
         providers = Regexp.union(mapping.to.omniauth_providers.map(&:to_s))
@@ -442,6 +456,7 @@ Devise.secret_key was not set. Please add the following to your Devise initializ
 
   config.secret_key = '#{SecureRandom.hex(64)}'
 
+Please ensure you restarted your application after installing Devise or setting the key.
 ERROR
       end
 

data/lib/devise/test_helpers.rb

@@ -108,6 +108,7 @@ module Devise
         Warden::Manager._run_callbacks(:before_failure, env, options)
 
         status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
+        @controller.response.headers.merge!(headers)
         @controller.send :render, :status => status, :text => response.body,
           :content_type => headers["Content-Type"], :location => headers["Location"]
         nil # causes process return @response

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.1.0".freeze
+  VERSION = "3.2.0".freeze
 end

data/lib/devise.rb

@@ -20,9 +20,14 @@ module Devise
     autoload :Helpers, 'devise/controllers/helpers'
     autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
+    autoload :SignInOut, 'devise/controllers/sign_in_out'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
+  module Hooks
+    autoload :Proxy, 'devise/hooks/proxy'
+  end
+
   module Mailers
     autoload :Helpers, 'devise/mailers/helpers'
   end
@@ -50,15 +55,21 @@ module Devise
   mattr_accessor :secret_key
   @@secret_key = nil
 
-  # Allow insecure token lookup. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_token_lookup
-  @@allow_insecure_tokens_lookup = false
+  [ :allow_insecure_token_lookup,
+    :allow_insecure_sign_in_after_confirmation,
+    :token_authentication_key ].each do |method|
+    class_eval <<-RUBY
+    def self.#{method}
+      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
+        "and has no effect"
+    end
 
-  # Allow insecure sign in after confirmation. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_sign_in_after_confirmation
-  @@allow_insecure_sign_in_after_confirmation = false
+    def self.#{method}=(val)
+      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
+        "and has no effect"
+    end
+    RUBY
+  end
 
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
@@ -195,10 +206,6 @@ module Devise
   mattr_accessor :mailer_sender
   @@mailer_sender = nil
 
-  # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
-  mattr_accessor :token_authentication_key
-  @@token_authentication_key = :auth_token
-
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
   @@skip_session_storage = []
@@ -266,6 +273,10 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
+  # When true, warn user if he just used next-to-last attempt of authentication
+  mattr_accessor :last_attempt_warning
+  @@last_attempt_warning = false
+
   # Stores the token generator
   mattr_accessor :token_generator
   @@token_generator = nil

data/lib/generators/mongoid/devise_generator.rb

@@ -47,9 +47,6 @@ module Mongoid
   # field :failed_attempts, :type => Integer, :default => 0 # Only if lock strategy is :failed_attempts
   # field :unlock_token,    :type => String # Only if unlock strategy is :email or :both
   # field :locked_at,       :type => Time
-
-  ## Token authenticatable
-  # field :authentication_token, :type => String
 RUBY
       end
     end

data/lib/generators/templates/devise.rb

@@ -56,12 +56,9 @@ Devise.setup do |config|
 
   # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
-  # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication. The supported strategies are:
+  # given strategies, for example, `config.http_authenticatable = [:database]` will
+  # enable it only for database authentication. The supported strategies are:
   # :database      = Support basic authentication with authentication key + password
-  # :token         = Support basic authentication with token authentication key
-  # :token_options = Support token authentication with options as defined in
-  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -76,7 +73,7 @@ Devise.setup do |config|
   # config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
-  # :http_auth and :token_auth by adding those symbols to the array below.
+  # particular strategies by setting this option.
   # Notice that if you are skipping storage for all authentication paths, you
   # may want to disable generating routes to Devise's sessions controller by
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
@@ -176,6 +173,9 @@ Devise.setup do |config|
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
+  # Warn on the last attempt before the account is locked.
+  # config.last_attempt_warning = false
+
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
@@ -196,10 +196,6 @@ Devise.setup do |config|
   # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
 
-  # ==> Configuration for :token_authenticatable
-  # Defines name of the authentication token params key
-  # config.token_authentication_key = :auth_token
-
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -2,4 +2,4 @@ Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %>

data/lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -2,7 +2,7 @@ Hello <%= @resource.email %>!
 
 Someone has requested a link to change your password, and you can do this through the link below.
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %>
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -4,4 +4,4 @@ Your account has been locked due to an excessive number of unsuccessful sign in
 
 Click the link below to unlock your account:
 
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @token) %>

data/test/controllers/internal_helpers_test.rb

@@ -55,7 +55,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'require no authentication tests current mapping' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :scope => :user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication
@@ -71,7 +71,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'require no authentication sets a flash message' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :scope => :user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication

data/test/controllers/sessions_controller_test.rb

@@ -10,7 +10,7 @@ class SessionsControllerTest < ActionController::TestCase
     end
     request.env["devise.mapping"] = Devise.mappings[:user]
     request.session["user_return_to"] = 'foo.bar'
-    user = create_user
+    create_user
     post :create, :user => {
       :email => "wrong@email.com",
       :password => "wrongpassword"

data/test/devise_test.rb

@@ -11,6 +11,17 @@ module Devise
 end
 
 class DeviseTest < ActiveSupport::TestCase
+  test 'bcrypt on the class' do
+    password = "super secret"
+    klass    = Struct.new(:pepper, :stretches).new("blahblah", 2)
+    hash     = Devise.bcrypt(klass, password)
+    assert_equal ::BCrypt::Password.create(hash), hash
+
+    klass    = Struct.new(:pepper, :stretches).new("bla", 2)
+    hash     = Devise.bcrypt(klass, password)
+    assert_not_equal ::BCrypt::Password.new(hash), hash
+  end
+
   test 'model options can be configured through Devise' do
     swap Devise, :allow_unconfirmed_access_for => 113, :pepper => "foo" do
       assert_equal 113, Devise.allow_unconfirmed_access_for
@@ -59,7 +70,7 @@ class DeviseTest < ActiveSupport::TestCase
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)
   end
-  
+
   test 'should complain when comparing empty or different sized passes' do
     [nil, ""].each do |empty|
       assert_not Devise.secure_compare(empty, "something")

data/test/failure_app_test.rb

@@ -8,6 +8,12 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FailureWithI18nOptions < Devise::FailureApp
+    def i18n_options(options)
+      options.merge(:name => 'Steve')
+    end
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -67,6 +73,11 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
+    test 'uses custom i18n options' do
+      call_failure('warden' => OpenStruct.new(:message => :does_not_exist), :app => FailureWithI18nOptions)
+      assert_equal 'User Steve does not exist', @request.flash[:alert]
+    end
+
     test 'uses the proxy failure message as string' do
       call_failure('warden' => OpenStruct.new(:message => 'Hello world'))
       assert_equal 'Hello world', @request.flash[:alert]

data/test/integration/confirmable_test.rb

@@ -56,24 +56,12 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
       assert_not user.confirmed?
       visit_user_confirmation_with_token(user.raw_confirmation_token)
 
-      assert_contain 'Your account was successfully confirmed. Please sign in.'
+      assert_contain 'Your account was successfully confirmed.'
       assert_current_url '/users/sign_in'
       assert user.reload.confirmed?
     end
   end
 
-  test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
-    swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
-      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
-      assert_not user.confirmed?
-      visit_user_confirmation_with_token(user.raw_confirmation_token)
-
-      assert_contain 'Your account was successfully confirmed. You are now signed in.'
-      assert_current_url root_url
-      assert user.reload.confirmed?
-    end
-  end
-
   test 'user should be redirected to a custom path after confirmation' do
     Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
 
@@ -135,6 +123,16 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'unconfirmed but signed in user should be redirected to their root path' do
+    swap Devise, :allow_unconfirmed_access_for => 1.day do
+      user = sign_in_as_user(:confirm => false)
+
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
+      assert_contain 'Your account was successfully confirmed.'
+      assert_current_url '/'
+    end
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
       :failure => { :user => { :unconfirmed => "Not confirmed user" } }

data/test/integration/http_authenticatable_test.rb

@@ -88,16 +88,6 @@ class HttpAuthenticationTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'sign in should authenticate with really long token' do
-    token = "token_containing_so_many_characters_that_the_base64_encoding_will_wrap"
-    user = create_user
-    user.update_attribute :authentication_token, token
-    get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("#{token}:x")}"
-    assert_response :success
-    assert_match "<email>user@test.com</email>", response.body
-    assert warden.authenticated?(:user)
-  end
-
   private
 
     def sign_in_as_new_user_with_http(username="user@test.com", password="12345678")

data/test/integration/recoverable_test.rb

@@ -190,7 +190,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   end
 
   test 'sign in user automatically after changing its password' do
-    user = create_user
+    create_user
     request_forgot_password
     reset_password
 
@@ -260,7 +260,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   end
 
   test 'change password with valid parameters in XML format should return valid response' do
-    user = create_user
+    create_user
     request_forgot_password
     put user_password_path(:format => 'xml'), :user => {
       :reset_password_token => 'abcdef', :password => '987654321', :password_confirmation => '987654321'

data/test/integration/rememberable_test.rb

@@ -64,14 +64,14 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     # since we changed the domain. This is the only difference with the
     # previous test.
     swap Devise, :rememberable_options => { :domain => "omg.somewhere.com" } do
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     end
   end
 
   test 'generate remember token with a custom key' do
     swap Devise, :rememberable_options => { :key => "v1lat_token" } do
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert request.cookies["v1lat_token"]
     end
   end
@@ -79,7 +79,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
   test 'generate remember token after sign in setting session options' do
     begin
       Rails.configuration.session_options[:domain] = "omg.somewhere.com"
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     ensure
       Rails.configuration.session_options.delete(:domain)

data/test/integration/timeoutable_test.rb

@@ -45,6 +45,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test 'time out all sessions after default limit time when sign_out_all_scopes is true' do
+    swap Devise, sign_out_all_scopes: true do
+      sign_in_as_admin
+
+      user = sign_in_as_user
+      get expire_user_path(user)
+      assert_not_nil last_request_at
+
+      get root_path
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
+    end
+  end
+
   test 'time out user session after deault limit time and redirect to latest get request' do
     user = sign_in_as_user
     visit edit_form_user_path(user)
@@ -67,6 +81,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_contain 'Signed out successfully'
   end
 
+  test 'expired session is not extended by sign in page' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+    assert warden.authenticated?(:user)
+
+    get "/users/sign_in"
+    assert_redirected_to "/users/sign_in"
+    follow_redirect!
+
+    assert_response :success
+    assert_contain 'Sign in'
+    assert_not warden.authenticated?(:user)
+  end
+
   test 'time out is not triggered on sign in' do
     user = sign_in_as_user
     get expire_user_path(user)

data/test/mapping_test.rb

@@ -50,12 +50,12 @@ class MappingTest < ActiveSupport::TestCase
   end
 
   test 'has strategies depending on the model declaration' do
-    assert_equal [:rememberable, :token_authenticatable, :database_authenticatable], Devise.mappings[:user].strategies
+    assert_equal [:rememberable, :database_authenticatable], Devise.mappings[:user].strategies
     assert_equal [:database_authenticatable], Devise.mappings[:admin].strategies
   end
 
   test 'has no input strategies depending on the model declaration' do
-    assert_equal [:rememberable, :token_authenticatable], Devise.mappings[:user].no_input_strategies
+    assert_equal [:rememberable], Devise.mappings[:user].no_input_strategies
     assert_equal [], Devise.mappings[:admin].no_input_strategies
   end
 

data/test/models/confirmable_test.rb

@@ -51,15 +51,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'DEPRECATED: should find and confirm a user automatically' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      confirmed_user = User.confirm_by_token(user.confirmation_token)
-      assert_equal confirmed_user, user
-      assert user.reload.confirmed?
-    end
-  end
-
   test 'should find and confirm a user automatically based on the raw token' do
     user = create_user
     raw  = user.raw_confirmation_token