devise 3.1.2 → 3.2.0

data/Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.1.2)
+    devise (3.2.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

data/README.md

@@ -35,7 +35,7 @@ Devise is guaranteed to be thread-safe on YARV. Thread-safety support on JRuby i
 
 The Devise Wiki has lots of additional information about Devise including many "how-to" articles and answers to the most frequently asked questions. Please browse the Wiki after finishing this README:
 
-https://wiki.github.com/plataformatec/devise
+https://github.com/plataformatec/devise/wiki
 
 ### Bug reports
 
@@ -445,7 +445,7 @@ https://github.com/hassox/warden
 
 We have a long list of valued contributors. Check them all at:
 
-https://github.com/plataformatec/devise/contributors
+https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 

data/app/controllers/devise/confirmations_controller.rb

@@ -20,12 +20,7 @@ class Devise::ConfirmationsController < DeviseController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      if Devise.allow_insecure_sign_in_after_confirmation
-        set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
-        sign_in(resource_name, resource)
-      else
-        set_flash_message(:notice, :confirmed) if is_navigational_format?
-      end
+      set_flash_message(:notice, :confirmed) if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -41,9 +36,7 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      if Devise.allow_insecure_sign_in_after_confirmation
-        after_sign_in_path_for(resource)
-      elsif signed_in?
+      if signed_in?
         signed_in_root_path(resource)
       else
         new_session_path(resource_name)

data/app/controllers/devise/passwords_controller.rb

@@ -32,7 +32,7 @@ class Devise::PasswordsController < DeviseController
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
       flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_navigational_format?
+      set_flash_message(:notice, flash_message) if is_flashing_format?
       sign_in(resource_name, resource)
       respond_with resource, :location => after_resetting_password_path_for(resource)
     else

data/app/controllers/devise/registrations_controller.rb

@@ -14,12 +14,12 @@ class Devise::RegistrationsController < DeviseController
 
     if resource.save
       if resource.active_for_authentication?
-        set_flash_message :notice, :signed_up if is_navigational_format?
+        set_flash_message :notice, :signed_up if is_flashing_format?
         sign_up(resource_name, resource)
         respond_with resource, :location => after_sign_up_path_for(resource)
       else
-        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-        expire_session_data_after_sign_in!
+        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+        expire_data_after_sign_in!
         respond_with resource, :location => after_inactive_sign_up_path_for(resource)
       end
     else
@@ -41,7 +41,7 @@ class Devise::RegistrationsController < DeviseController
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
     if update_resource(resource, account_update_params)
-      if is_navigational_format?
+      if is_flashing_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
         set_flash_message :notice, flash_key
@@ -58,7 +58,7 @@ class Devise::RegistrationsController < DeviseController
   def destroy
     resource.destroy
     Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
-    set_flash_message :notice, :destroyed if is_navigational_format?
+    set_flash_message :notice, :destroyed if is_flashing_format?
     respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
 
@@ -68,7 +68,7 @@ class Devise::RegistrationsController < DeviseController
   # cancel oauth signing in/up in the middle of the process,
   # removing all OAuth session data.
   def cancel
-    expire_session_data_after_sign_in!
+    expire_data_after_sign_in!
     redirect_to new_registration_path(resource_name)
   end
 

data/app/controllers/devise/sessions_controller.rb

@@ -1,7 +1,7 @@
 class Devise::SessionsController < DeviseController
   prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   prepend_before_filter :allow_params_authentication!, :only => :create
-  prepend_before_filter { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter :only => [ :create, :destroy ] { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new
@@ -13,7 +13,7 @@ class Devise::SessionsController < DeviseController
   # POST /resource/sign_in
   def create
     self.resource = warden.authenticate!(auth_options)
-    set_flash_message(:notice, :signed_in) if is_navigational_format?
+    set_flash_message(:notice, :signed_in) if is_flashing_format?
     sign_in(resource_name, resource)
     respond_with resource, :location => after_sign_in_path_for(resource)
   end
@@ -22,7 +22,7 @@ class Devise::SessionsController < DeviseController
   def destroy
     redirect_path = after_sign_out_path_for(resource_name)
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out && is_navigational_format?
+    set_flash_message :notice, :signed_out if signed_out && is_flashing_format?
 
     # We actually need to hardcode this as Rails default responder doesn't
     # support returning empty response on GET request

data/app/controllers/devise/unlocks_controller.rb

@@ -22,7 +22,7 @@ class Devise::UnlocksController < DeviseController
     self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked if is_navigational_format?
+      set_flash_message :notice, :unlocked if is_flashing_format?
       respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }

data/app/controllers/devise_controller.rb

@@ -123,7 +123,7 @@ MESSAGE
     end
 
     if notice
-      set_flash_message :notice, notice if is_navigational_format?
+      set_flash_message :notice, notice if is_flashing_format?
       true
     end
   end
@@ -147,12 +147,16 @@ MESSAGE
     flash[key] = message if message.present?
   end
 
+  def devise_i18n_options(options)
+    options
+  end
+
   # Get message for given
   def find_message(kind, options = {})
     options[:scope] = "devise.#{controller_name}"
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
-    options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+    options = devise_i18n_options(options)
     I18n.t("#{options[:resource_name]}.#{kind}", options)
   end
 

data/app/mailers/devise/mailer.rb

@@ -1,18 +1,20 @@
-class Devise::Mailer < Devise.parent_mailer.constantize
-  include Devise::Mailers::Helpers
+if defined?(ActionMailer)
+  class Devise::Mailer < Devise.parent_mailer.constantize
+    include Devise::Mailers::Helpers
 
-  def confirmation_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :confirmation_instructions, opts)
-  end
+    def confirmation_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :confirmation_instructions, opts)
+    end
 
-  def reset_password_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :reset_password_instructions, opts)
-  end
+    def reset_password_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :reset_password_instructions, opts)
+    end
 
-  def unlock_instructions(record, token, opts={})
-    @token = token
-    devise_mail(record, :unlock_instructions, opts)
+    def unlock_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :unlock_instructions, opts)
+    end
   end
 end

data/config/locales/en.yml

@@ -4,15 +4,14 @@ en:
   devise:
     confirmations:
       confirmed: "Your account was successfully confirmed."
-      confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
       send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
       invalid: "Invalid email or password."
-      invalid_token: "Invalid authentication token."
       locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account will be locked."
       not_found_in_database: "Invalid email or password."
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (3.1.2)
+    devise (3.2.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

data/lib/devise.rb

@@ -20,9 +20,14 @@ module Devise
     autoload :Helpers, 'devise/controllers/helpers'
     autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
+    autoload :SignInOut, 'devise/controllers/sign_in_out'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
+  module Hooks
+    autoload :Proxy, 'devise/hooks/proxy'
+  end
+
   module Mailers
     autoload :Helpers, 'devise/mailers/helpers'
   end
@@ -50,15 +55,21 @@ module Devise
   mattr_accessor :secret_key
   @@secret_key = nil
 
-  # Allow insecure token lookup. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_token_lookup
-  @@allow_insecure_tokens_lookup = false
+  [ :allow_insecure_token_lookup,
+    :allow_insecure_sign_in_after_confirmation,
+    :token_authentication_key ].each do |method|
+    class_eval <<-RUBY
+    def self.#{method}
+      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
+        "and has no effect"
+    end
 
-  # Allow insecure sign in after confirmation. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_sign_in_after_confirmation
-  @@allow_insecure_sign_in_after_confirmation = false
+    def self.#{method}=(val)
+      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
+        "and has no effect"
+    end
+    RUBY
+  end
 
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
@@ -195,10 +206,6 @@ module Devise
   mattr_accessor :mailer_sender
   @@mailer_sender = nil
 
-  # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
-  mattr_accessor :token_authentication_key
-  @@token_authentication_key = :auth_token
-
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
   @@skip_session_storage = []
@@ -266,6 +273,10 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
+  # When true, warn user if he just used next-to-last attempt of authentication
+  mattr_accessor :last_attempt_warning
+  @@last_attempt_warning = false
+
   # Stores the token generator
   mattr_accessor :token_generator
   @@token_generator = nil

data/lib/devise/controllers/helpers.rb

@@ -3,6 +3,7 @@ module Devise
     # Those helpers are convenience methods added to ApplicationController.
     module Helpers
       extend ActiveSupport::Concern
+      include Devise::Controllers::SignInOut
 
       included do
         helper_method :warden, :signed_in?, :devise_controller?
@@ -96,84 +97,6 @@ module Devise
         request.env["devise.allow_params_authentication"] = true
       end
 
-      # Return true if the given scope is signed in session. If no scope given, return
-      # true if any scope is signed in. Does not run authentication hooks.
-      def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
-          warden.authenticate?(:scope => _scope)
-        end
-      end
-
-      # Sign in a user that already was authenticated. This helper is useful for logging
-      # users in after sign up.
-      #
-      # All options given to sign_in is passed forward to the set_user method in warden.
-      # The only exception is the :bypass option, which bypass warden callbacks and stores
-      # the user straight in session. This option is useful in cases the user is already
-      # signed in, but we want to refresh the credentials in session.
-      #
-      # Examples:
-      #
-      #   sign_in :user, @user                      # sign_in(scope, resource)
-      #   sign_in @user                             # sign_in(resource)
-      #   sign_in @user, :event => :authentication  # sign_in(resource, options)
-      #   sign_in @user, :store => false            # sign_in(resource, options)
-      #   sign_in @user, :bypass => true            # sign_in(resource, options)
-      #
-      def sign_in(resource_or_scope, *args)
-        options  = args.extract_options!
-        scope    = Devise::Mapping.find_scope!(resource_or_scope)
-        resource = args.last || resource_or_scope
-
-        expire_session_data_after_sign_in!
-
-        if options[:bypass]
-          warden.session_serializer.store(resource, scope)
-        elsif warden.user(scope) == resource && !options.delete(:force)
-          # Do nothing. User already signed in and we are not forcing it.
-          true
-        else
-          warden.set_user(resource, options.merge!(:scope => scope))
-        end
-      end
-
-      # Sign out a given user or scope. This helper is useful for signing out a user
-      # after deleting accounts. Returns true if there was a logout and false if there
-      # is no user logged in on the referred scope
-      #
-      # Examples:
-      #
-      #   sign_out :user     # sign_out(scope)
-      #   sign_out @user     # sign_out(resource)
-      #
-      def sign_out(resource_or_scope=nil)
-        return sign_out_all_scopes unless resource_or_scope
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
-
-        warden.raw_session.inspect # Without this inspect here. The session does not clear.
-        warden.logout(scope)
-        warden.clear_strategies_cache!(:scope => scope)
-        instance_variable_set(:"@current_#{scope}", nil)
-
-        !!user
-      end
-
-      # Sign out all active users or scopes. This helper is useful for signing out all roles
-      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
-      # and false if there was no user logged in on all scopes.
-      def sign_out_all_scopes(lock=true)
-        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
-
-        warden.raw_session.inspect
-        warden.logout
-        expire_devise_cached_variables!
-        warden.clear_strategies_cache!
-        warden.lock! if lock
-
-        users.any?
-      end
-
       # Returns and delete (if it's navigational format) the url stored in the session for
       # the given scope. Useful for giving redirect backs after sign up:
       #
@@ -257,10 +180,6 @@ module Devise
         redirect_to after_sign_in_path_for(resource)
       end
 
-      def expire_session_data_after_sign_in!
-        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
-      end
-
       # Sign out a user and tries to redirect to the url specified by
       # after_sign_out_path_for.
       def sign_out_and_redirect(resource_or_scope)
@@ -275,7 +194,7 @@ module Devise
       def handle_unverified_request
         sign_out_all_scopes(false)
         request.env["devise.skip_storage"] = true
-        expire_devise_cached_variables!
+        expire_data_after_sign_out!
         super # call the default behaviour which resets the session
       end
 
@@ -287,10 +206,23 @@ module Devise
         Devise.navigational_formats.include?(request_format)
       end
 
+      # Check if flash messages should be emitted. Default is to do it on
+      # navigational formats
+      def is_flashing_format?
+        is_navigational_format?
+      end
+
       private
 
-      def expire_devise_cached_variables!
+      def expire_session_data_after_sign_in!
+        ActiveSupport::Deprecation.warn "expire_session_data_after_sign_in! is deprecated " \
+          "in favor of expire_data_after_sign_in!"
+        expire_data_after_sign_in!
+      end
+
+      def expire_data_after_sign_out!
         Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
+        super
       end
     end
   end

data/lib/devise/controllers/rememberable.rb

@@ -1,24 +1,14 @@
 module Devise
   module Controllers
     # A module that may be optionally included in a controller in order
-    # to provide remember me behavior.
+    # to provide remember me behavior. Useful when signing in is done
+    # through a callback, like in Omniauth.
     module Rememberable
       # Return default cookie values retrieved from session options.
       def self.cookie_values
         Rails.configuration.session_options.slice(:path, :domain, :secure)
       end
 
-      # A small warden proxy so we can remember and forget uses from hooks.
-      class Proxy #:nodoc:
-        include Devise::Controllers::Rememberable
-
-        delegate :cookies, :env, :to => :@warden
-
-        def initialize(warden)
-          @warden = warden
-        end
-      end
-
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
         return if env["devise.skip_storage"]