devise 3.1.2 → 3.2.0

data/lib/devise/controllers/sign_in_out.rb

@@ -0,0 +1,103 @@
+module Devise
+  module Controllers
+    # Provide sign in and sign out functionality.
+    # Included by default in all controllers.
+    module SignInOut
+      # Return true if the given scope is signed in session. If no scope given, return
+      # true if any scope is signed in. Does not run authentication hooks.
+      def signed_in?(scope=nil)
+        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+          warden.authenticate?(:scope => _scope)
+        end
+      end
+
+      # Sign in a user that already was authenticated. This helper is useful for logging
+      # users in after sign up.
+      #
+      # All options given to sign_in is passed forward to the set_user method in warden.
+      # The only exception is the :bypass option, which bypass warden callbacks and stores
+      # the user straight in session. This option is useful in cases the user is already
+      # signed in, but we want to refresh the credentials in session.
+      #
+      # Examples:
+      #
+      #   sign_in :user, @user                      # sign_in(scope, resource)
+      #   sign_in @user                             # sign_in(resource)
+      #   sign_in @user, :event => :authentication  # sign_in(resource, options)
+      #   sign_in @user, :store => false            # sign_in(resource, options)
+      #   sign_in @user, :bypass => true            # sign_in(resource, options)
+      #
+      def sign_in(resource_or_scope, *args)
+        options  = args.extract_options!
+        scope    = Devise::Mapping.find_scope!(resource_or_scope)
+        resource = args.last || resource_or_scope
+
+        expire_data_after_sign_in!
+
+        if options[:bypass]
+          warden.session_serializer.store(resource, scope)
+        elsif warden.user(scope) == resource && !options.delete(:force)
+          # Do nothing. User already signed in and we are not forcing it.
+          true
+        else
+          warden.set_user(resource, options.merge!(:scope => scope))
+        end
+      end
+
+      # Sign out a given user or scope. This helper is useful for signing out a user
+      # after deleting accounts. Returns true if there was a logout and false if there
+      # is no user logged in on the referred scope
+      #
+      # Examples:
+      #
+      #   sign_out :user     # sign_out(scope)
+      #   sign_out @user     # sign_out(resource)
+      #
+      def sign_out(resource_or_scope=nil)
+        return sign_out_all_scopes unless resource_or_scope
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
+
+        warden.raw_session.inspect # Without this inspect here. The session does not clear.
+        warden.logout(scope)
+        warden.clear_strategies_cache!(:scope => scope)
+        instance_variable_set(:"@current_#{scope}", nil)
+
+        !!user
+      end
+
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
+      # and false if there was no user logged in on all scopes.
+      def sign_out_all_scopes(lock=true)
+        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
+
+        warden.raw_session.inspect
+        warden.logout
+        expire_data_after_sign_out!
+        warden.clear_strategies_cache!
+        warden.lock! if lock
+
+        users.any?
+      end
+
+      private
+
+      def expire_data_after_sign_in!
+        # session.keys will return an empty array if the session is not yet loaded.
+        # This is a bug in both Rack and Rails.
+        # A call to #empty? forces the session to be loaded.
+        session.empty?
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
+      end
+
+      def expire_data_after_sign_out!
+        # session.keys will return an empty array if the session is not yet loaded.
+        # This is a bug in both Rack and Rails.
+        # A call to #empty? forces the session to be loaded.
+        session.empty?
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
+      end
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -64,12 +64,21 @@ module Devise
 
   protected
 
+    def i18n_options(options)
+      options
+    end
+
     def i18n_message(default = nil)
       message = warden_message || default || :unauthenticated
 
       if message.is_a?(Symbol)
-        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
-               :scope => "devise.failure", :default => [message])
+        options = {}
+        options[:resource_name] = scope
+        options[:scope] = "devise.failure"
+        options[:default] = [message]
+        options = i18n_options(options)
+
+        I18n.t(:"#{scope}.#{message}", options)
       else
         message.to_s
       end

data/lib/devise/hooks/forgetable.rb

@@ -4,6 +4,6 @@
 # This avoids forgetting deleted users.
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
-    Devise::Controllers::Rememberable::Proxy.new(warden).forget_me(record)
+    Devise::Hooks::Proxy.new(warden).forget_me(record)
   end
 end

data/lib/devise/hooks/proxy.rb

@@ -0,0 +1,21 @@
+module Devise
+  module Hooks
+    # A small warden proxy so we can remember, forget and
+    # sign out users from hooks.
+    class Proxy #:nodoc:
+      include Devise::Controllers::Rememberable
+      include Devise::Controllers::SignInOut
+
+      attr_reader :warden
+      delegate :cookies, :env, :to => :warden
+
+      def initialize(warden)
+        @warden = warden
+      end
+
+      def session
+        warden.request.session
+      end
+    end
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -2,6 +2,6 @@ Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   scope = options[:scope]
   if record.respond_to?(:remember_me) && options[:store] != false &&
      record.remember_me && warden.authenticated?(scope)
-    Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
+    Devise::Hooks::Proxy.new(warden).remember_me(record)
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -9,12 +9,15 @@ Warden::Manager.after_set_user do |record, warden, options|
 
   if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
     last_request_at = warden.session(scope)['last_request_at']
+    proxy = Devise::Hooks::Proxy.new(warden)
 
     if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      warden.logout(scope)
+      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+
       if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
         record.reset_authentication_token!
       end
+
       throw :warden, :scope => scope, :message => :timeout
     end
 

data/lib/devise/models.rb

@@ -84,11 +84,6 @@ module Devise
       devise_modules_hook! do
         include Devise::Models::Authenticatable
 
-        if selected_modules.include?(:token_authenticatable)
-          ActiveSupport::Deprecation.warn "devise :token_authenticatable is deprecated. " \
-            "Please check Devise 3.1 release notes for more information on how to upgrade."
-        end
-
         selected_modules.each do |m|
           mod = Devise::Models.const_get(m.to_s.classify)
 

data/lib/devise/models/authenticatable.rb

@@ -29,9 +29,7 @@ module Devise
     #     It also accepts an array specifying the strategies that should allow params authentication.
     #
     #   * +skip_session_storage+: By default Devise will store the user in session.
-    #     You can skip storage for http and token auth by appending values to array:
-    #     :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],
-    #     by default is set to :skip_session_storage => [:http_auth].
+    #     By default is set to :skip_session_storage => [:http_auth].
     #
     # == active_for_authentication?
     #
@@ -176,23 +174,24 @@ module Devise
       end
 
       def downcase_keys
-        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase!) }
+        self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase) }
       end
 
       def strip_whitespace
-        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip!) }
+        self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip) }
       end
 
       def apply_to_attribute_or_variable(attr, method)
         if self[attr]
-          self[attr].try(method)
+          self[attr] = self[attr].try(method)
 
         # Use respond_to? here to avoid a regression where globally
         # configured strip_whitespace_keys or case_insensitive_keys were
-        # attempting to strip! or downcase! when a model didn't have the
+        # attempting to strip or downcase when a model didn't have the
         # globally configured key.
-        elsif respond_to?(attr)
-          send(attr).try(method)
+        elsif respond_to?(attr) && respond_to?("#{attr}=")
+          new_value = send(attr).try(method)
+          send("#{attr}=", new_value)
         end
       end
 

data/lib/devise/models/confirmable.rb

@@ -275,10 +275,6 @@ module Devise
           confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          if !confirmable.persisted? && Devise.allow_insecure_token_lookup
-            confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
-          end
-
           confirmable.confirm! if confirmable.persisted?
           confirmable.confirmation_token = original_token
           confirmable

data/lib/devise/models/database_authenticatable.rb

@@ -2,6 +2,11 @@ require 'devise/strategies/database_authenticatable'
 require 'bcrypt'
 
 module Devise
+  # Digests the password using bcrypt.
+  def self.bcrypt(klass, password)
+    ::BCrypt::Password.create("#{password}#{klass.pepper}", :cost => klass.stretches).to_s
+  end
+
   module Models
     # Authenticatable Module, responsible for encrypting password and validating
     # authenticity of a user while signing in.
@@ -34,7 +39,7 @@ module Devise
       # Generates password encryption based on the given value.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) if @password.present?
+        self.encrypted_password = Devise.bcrypt(self.class, @password) if @password.present?
       end
 
       # Verifies whether an password (ie from sign in) is the user password.
@@ -96,7 +101,7 @@ module Devise
       end
 
       # Destroy record when :current_password matches, otherwise returns
-      # error on :current_password. It also automatically rejects 
+      # error on :current_password. It also automatically rejects
       # :current_password if it is blank.
       def destroy_with_password(current_password)
         result = if valid_password?(current_password)
@@ -110,6 +115,16 @@ module Devise
         result
       end
 
+      # A callback initiated after successfully authenticating. This can be
+      # used to insert your own logic that is only run after the user successfully
+      # authenticates.
+      #
+      # Example:
+      #
+      #   def after_database_authentication
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
       def after_database_authentication
       end
 
@@ -120,11 +135,6 @@ module Devise
 
     protected
 
-      # Digests the password using bcrypt.
-      def password_digest(password)
-        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
-      end
-
       module ClassMethods
         Devise::Models.config(self, :pepper, :stretches)
 

data/lib/devise/models/lockable.rb

@@ -112,6 +112,8 @@ module Devise
         # leaks the existence of an account.
         if Devise.paranoid
           super
+        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt?
+          :last_attempt
         elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
           :locked
         else
@@ -125,6 +127,10 @@ module Devise
           self.failed_attempts > self.class.maximum_attempts
         end
 
+        def last_attempt?
+          self.failed_attempts == self.class.maximum_attempts
+        end
+
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)
@@ -165,10 +171,6 @@ module Devise
           unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
 
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
-          if !lockable.persisted? && Devise.allow_insecure_token_lookup
-            lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
-          end
-
           lockable.unlock_access! if lockable.persisted?
           lockable.unlock_token = original_token
           lockable

data/lib/devise/models/recoverable.rb

@@ -101,11 +101,6 @@ module Devise
           recoverable
         end
 
-        # Generate a token checking if one does not already exist in the database.
-        def reset_password_token
-          generate_token(:reset_password_token)
-        end
-
         # Attempt to find a user by its reset_password_token to reset its
         # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
@@ -116,9 +111,6 @@ module Devise
           reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
 
           recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
-          if !recoverable.persisted? && Devise.allow_insecure_token_lookup
-            recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
-          end
 
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?

data/lib/devise/modules.rb

@@ -5,7 +5,6 @@ Devise.with_options :model => true do |d|
   d.with_options :strategy => true do |s|
     routes = [nil, :new, :destroy]
     s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
-    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }, :no_input => true
     s.add_module :rememberable, :no_input => true
   end
 

data/lib/devise/rails/routes.rb

@@ -58,6 +58,28 @@ module ActionDispatch::Routing
     #      user_confirmation GET    /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
     #                        POST   /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
     #
+    # ==== Routes integration
+    #
+    # +devise_for+ is meant to play nicely with other routes methods. For example,
+    # by calling +devise_for+ inside a namespace, it automatically nests your devise
+    # controllers:
+    #
+    #     namespace :publisher do
+    #       devise_for :account
+    #     end
+    #
+    # The snippet above will use publisher/sessions controller instead of devise/sessions
+    # controller. You can revert this change or configure it directly by passing the :module
+    # option described below to +devise_for+.
+    #
+    # Also note that when you use a namespace it will affect all the helpers and methods
+    # for controllers and views. For example, using the above setup you'll end with
+    # following methods: current_publisher_account, authenticate_publisher_account!,
+    # publisher_account_signed_in, etc.
+    #
+    # The only aspect not affect by the router configuration is the model name. The
+    # model name can be explicitly set via the :class_name option.
+    #
     # ==== Options
     #
     # You can configure your routes with some options:
@@ -104,20 +126,6 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :module => "users"
     #
-    #    Notice that whenever you use namespace in the router DSL, it automatically sets the module.
-    #    So the following setup:
-    #
-    #      namespace :publisher do
-    #        devise_for :account
-    #      end
-    #
-    #    Will use publisher/sessions controller instead of devise/sessions controller. You can revert
-    #    this by providing the :module option to devise_for.
-    #
-    #    Also pay attention that when you use a namespace it will affect all the helpers and methods for controllers
-    #    and views. For example, using the above setup you'll end with following methods:
-    #    current_publisher_account, authenticate_publisher_account!, publisher_account_signed_in, etc.
-    #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
     #      devise_for :users, :skip => :sessions
@@ -378,8 +386,14 @@ module ActionDispatch::Routing
       end
 
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
+        if mapping.fullpath =~ /:[a-zA-Z_]/
+          raise "[DEVISE] Nesting omniauth callbacks under scopes with dynamic segments " \
+            "is not supported. Please, use Devise.omniauth_path_prefix instead."
+        end
+
         path, @scope[:path] = @scope[:path], nil
-        path_prefix = Devise.omniauth_path_prefix || "/#{mapping.path}/auth".squeeze("/")
+        path_prefix = Devise.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
+
         set_omniauth_path_prefix!(path_prefix)
 
         providers = Regexp.union(mapping.to.omniauth_providers.map(&:to_s))

data/lib/devise/strategies/database_authenticatable.rb

@@ -5,16 +5,13 @@ module Devise
     # Default strategy for signing in a user, based on his email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        encrypted = false
+        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        return fail(:not_found_in_database) unless resource
 
-        if validate(resource){ encrypted = true; resource.valid_password?(password) }
+        if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
         end
-
-        mapping.to.new.password = password if !encrypted && Devise.paranoid
-        fail(:not_found_in_database) unless resource
       end
     end
   end