devise 3.1.2 → 3.2.0

data/lib/devise/test_helpers.rb

@@ -108,6 +108,7 @@ module Devise
         Warden::Manager._run_callbacks(:before_failure, env, options)
 
         status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
+        @controller.response.headers.merge!(headers)
         @controller.send :render, :status => status, :text => response.body,
           :content_type => headers["Content-Type"], :location => headers["Location"]
         nil # causes process return @response

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.1.2".freeze
+  VERSION = "3.2.0".freeze
 end

data/lib/generators/mongoid/devise_generator.rb

@@ -47,9 +47,6 @@ module Mongoid
   # field :failed_attempts, :type => Integer, :default => 0 # Only if lock strategy is :failed_attempts
   # field :unlock_token,    :type => String # Only if unlock strategy is :email or :both
   # field :locked_at,       :type => Time
-
-  ## Token authenticatable
-  # field :authentication_token, :type => String
 RUBY
       end
     end

data/lib/generators/templates/devise.rb

@@ -56,12 +56,9 @@ Devise.setup do |config|
 
   # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
-  # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication. The supported strategies are:
+  # given strategies, for example, `config.http_authenticatable = [:database]` will
+  # enable it only for database authentication. The supported strategies are:
   # :database      = Support basic authentication with authentication key + password
-  # :token         = Support basic authentication with token authentication key
-  # :token_options = Support token authentication with options as defined in
-  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -76,7 +73,7 @@ Devise.setup do |config|
   # config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
-  # :http_auth and :token_auth by adding those symbols to the array below.
+  # particular strategies by setting this option.
   # Notice that if you are skipping storage for all authentication paths, you
   # may want to disable generating routes to Devise's sessions controller by
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
@@ -176,6 +173,9 @@ Devise.setup do |config|
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
+  # Warn on the last attempt before the account is locked.
+  # config.last_attempt_warning = false
+
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
@@ -196,10 +196,6 @@ Devise.setup do |config|
   # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
 
-  # ==> Configuration for :token_authenticatable
-  # Defines name of the authentication token params key
-  # config.token_authentication_key = :auth_token
-
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -2,4 +2,4 @@ Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %>

data/lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -2,7 +2,7 @@ Hello <%= @resource.email %>!
 
 Someone has requested a link to change your password, and you can do this through the link below.
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %>
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -4,4 +4,4 @@ Your account has been locked due to an excessive number of unsuccessful sign in
 
 Click the link below to unlock your account:
 
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @token) %>

data/test/controllers/internal_helpers_test.rb

@@ -55,7 +55,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'require no authentication tests current mapping' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :scope => :user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication
@@ -71,7 +71,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'require no authentication sets a flash message' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticate?).with(:rememberable, :scope => :user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication

data/test/controllers/sessions_controller_test.rb

@@ -10,7 +10,7 @@ class SessionsControllerTest < ActionController::TestCase
     end
     request.env["devise.mapping"] = Devise.mappings[:user]
     request.session["user_return_to"] = 'foo.bar'
-    user = create_user
+    create_user
     post :create, :user => {
       :email => "wrong@email.com",
       :password => "wrongpassword"

data/test/devise_test.rb

@@ -11,6 +11,17 @@ module Devise
 end
 
 class DeviseTest < ActiveSupport::TestCase
+  test 'bcrypt on the class' do
+    password = "super secret"
+    klass    = Struct.new(:pepper, :stretches).new("blahblah", 2)
+    hash     = Devise.bcrypt(klass, password)
+    assert_equal ::BCrypt::Password.create(hash), hash
+
+    klass    = Struct.new(:pepper, :stretches).new("bla", 2)
+    hash     = Devise.bcrypt(klass, password)
+    assert_not_equal ::BCrypt::Password.new(hash), hash
+  end
+
   test 'model options can be configured through Devise' do
     swap Devise, :allow_unconfirmed_access_for => 113, :pepper => "foo" do
       assert_equal 113, Devise.allow_unconfirmed_access_for
@@ -59,7 +70,7 @@ class DeviseTest < ActiveSupport::TestCase
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)
   end
-  
+
   test 'should complain when comparing empty or different sized passes' do
     [nil, ""].each do |empty|
       assert_not Devise.secure_compare(empty, "something")

data/test/failure_app_test.rb

@@ -8,6 +8,12 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FailureWithI18nOptions < Devise::FailureApp
+    def i18n_options(options)
+      options.merge(:name => 'Steve')
+    end
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -67,6 +73,11 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
+    test 'uses custom i18n options' do
+      call_failure('warden' => OpenStruct.new(:message => :does_not_exist), :app => FailureWithI18nOptions)
+      assert_equal 'User Steve does not exist', @request.flash[:alert]
+    end
+
     test 'uses the proxy failure message as string' do
       call_failure('warden' => OpenStruct.new(:message => 'Hello world'))
       assert_equal 'Hello world', @request.flash[:alert]

data/test/integration/confirmable_test.rb

@@ -62,18 +62,6 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
-    swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
-      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
-      assert_not user.confirmed?
-      visit_user_confirmation_with_token(user.raw_confirmation_token)
-
-      assert_contain 'Your account was successfully confirmed. You are now signed in.'
-      assert_current_url root_url
-      assert user.reload.confirmed?
-    end
-  end
-
   test 'user should be redirected to a custom path after confirmation' do
     Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
 

data/test/integration/http_authenticatable_test.rb

@@ -88,16 +88,6 @@ class HttpAuthenticationTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'sign in should authenticate with really long token' do
-    token = "token_containing_so_many_characters_that_the_base64_encoding_will_wrap"
-    user = create_user
-    user.update_attribute :authentication_token, token
-    get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("#{token}:x")}"
-    assert_response :success
-    assert_match "<email>user@test.com</email>", response.body
-    assert warden.authenticated?(:user)
-  end
-
   private
 
     def sign_in_as_new_user_with_http(username="user@test.com", password="12345678")

data/test/integration/recoverable_test.rb

@@ -190,7 +190,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   end
 
   test 'sign in user automatically after changing its password' do
-    user = create_user
+    create_user
     request_forgot_password
     reset_password
 
@@ -260,7 +260,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
   end
 
   test 'change password with valid parameters in XML format should return valid response' do
-    user = create_user
+    create_user
     request_forgot_password
     put user_password_path(:format => 'xml'), :user => {
       :reset_password_token => 'abcdef', :password => '987654321', :password_confirmation => '987654321'

data/test/integration/rememberable_test.rb

@@ -64,14 +64,14 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     # since we changed the domain. This is the only difference with the
     # previous test.
     swap Devise, :rememberable_options => { :domain => "omg.somewhere.com" } do
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     end
   end
 
   test 'generate remember token with a custom key' do
     swap Devise, :rememberable_options => { :key => "v1lat_token" } do
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert request.cookies["v1lat_token"]
     end
   end
@@ -79,7 +79,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
   test 'generate remember token after sign in setting session options' do
     begin
       Rails.configuration.session_options[:domain] = "omg.somewhere.com"
-      user = sign_in_as_user :remember_me => true
+      sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     ensure
       Rails.configuration.session_options.delete(:domain)

data/test/integration/timeoutable_test.rb

@@ -45,6 +45,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test 'time out all sessions after default limit time when sign_out_all_scopes is true' do
+    swap Devise, sign_out_all_scopes: true do
+      sign_in_as_admin
+
+      user = sign_in_as_user
+      get expire_user_path(user)
+      assert_not_nil last_request_at
+
+      get root_path
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
+    end
+  end
+
   test 'time out user session after deault limit time and redirect to latest get request' do
     user = sign_in_as_user
     visit edit_form_user_path(user)
@@ -67,6 +81,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_contain 'Signed out successfully'
   end
 
+  test 'expired session is not extended by sign in page' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+    assert warden.authenticated?(:user)
+
+    get "/users/sign_in"
+    assert_redirected_to "/users/sign_in"
+    follow_redirect!
+
+    assert_response :success
+    assert_contain 'Sign in'
+    assert_not warden.authenticated?(:user)
+  end
+
   test 'time out is not triggered on sign in' do
     user = sign_in_as_user
     get expire_user_path(user)

data/test/mapping_test.rb

@@ -50,12 +50,12 @@ class MappingTest < ActiveSupport::TestCase
   end
 
   test 'has strategies depending on the model declaration' do
-    assert_equal [:rememberable, :token_authenticatable, :database_authenticatable], Devise.mappings[:user].strategies
+    assert_equal [:rememberable, :database_authenticatable], Devise.mappings[:user].strategies
     assert_equal [:database_authenticatable], Devise.mappings[:admin].strategies
   end
 
   test 'has no input strategies depending on the model declaration' do
-    assert_equal [:rememberable, :token_authenticatable], Devise.mappings[:user].no_input_strategies
+    assert_equal [:rememberable], Devise.mappings[:user].no_input_strategies
     assert_equal [], Devise.mappings[:admin].no_input_strategies
   end
 

data/test/models/confirmable_test.rb

@@ -51,15 +51,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'DEPRECATED: should find and confirm a user automatically' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      confirmed_user = User.confirm_by_token(user.confirmation_token)
-      assert_equal confirmed_user, user
-      assert user.reload.confirmed?
-    end
-  end
-
   test 'should find and confirm a user automatically based on the raw token' do
     user = create_user
     raw  = user.raw_confirmation_token

data/test/models/database_authenticatable_test.rb

@@ -24,6 +24,15 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_equal confirmation.downcase, user.email_confirmation
   end
 
+  test 'should not mutate value assigned to case insensitive key' do
+    email          = 'Foo@Bar.com'
+    original_email = email.dup
+    user           = new_user(:email => email)
+
+    user.save!
+    assert_equal original_email, email
+  end
+
   test 'should remove whitespace from strip whitespace keys when saving' do
     # strip_whitespace_keys is set to :email by default.
     email = ' foo@bar.com '
@@ -34,6 +43,15 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_equal email.strip, user.email
   end
 
+  test 'should not mutate value assigned to string whitespace key' do
+    email          = ' foo@bar.com '
+    original_email = email.dup
+    user           = new_user(:email => email)
+
+    user.save!
+    assert_equal original_email, email
+  end
+
   test "doesn't throw exception when globally configured strip_whitespace_keys are not present on a model" do
     swap Devise, :strip_whitespace_keys => [:fake_key] do
       assert_nothing_raised { create_user }
@@ -203,7 +221,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test 'downcase_keys with validation' do
-    user = User.create(:email => "HEllO@example.com", :password => "123456")
+    User.create(:email => "HEllO@example.com", :password => "123456")
     user = User.create(:email => "HEllO@example.com", :password => "123456")
     assert !user.valid?
   end

data/test/models/lockable_test.rb

@@ -139,16 +139,6 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'DEPRECATED: should find and unlock a user automatically' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      user.lock_access!
-      locked_user = User.unlock_access_by_token(user.unlock_token)
-      assert_equal locked_user, user
-      assert_not user.reload.access_locked?
-    end
-  end
-
   test 'should find and unlock a user automatically based on raw token' do
     user = create_user
     raw  = user.send_unlock_instructions
@@ -289,4 +279,20 @@ class LockableTest < ActiveSupport::TestCase
       assert_equal :invalid, user.unauthenticated_message
     end
   end
+
+  test 'should return last attempt message if user made next-to-last attempt of password entering' do
+    swap Devise, :last_attempt_warning => :true do
+      swap Devise, :lock_strategy => :failed_attempts do
+        user = create_user
+        user.failed_attempts = Devise.maximum_attempts - 1
+        assert_equal :invalid, user.unauthenticated_message
+
+        user.failed_attempts = Devise.maximum_attempts
+        assert_equal :last_attempt, user.unauthenticated_message
+
+        user.failed_attempts = Devise.maximum_attempts + 1
+        assert_equal :locked, user.unauthenticated_message
+      end
+    end
+  end
 end

data/test/models/recoverable_test.rb

@@ -108,16 +108,6 @@ class RecoverableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'DEPRECATED: should find a user to reset his password based on reset_password_token' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      user.send_reset_password_instructions
-
-      reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token)
-      assert_equal reset_password_user, user
-    end
-  end
-
   test 'should find a user to reset his password based on the raw token' do
     user = create_user
     raw  = user.send_reset_password_instructions

data/test/rails_app/app/mongoid/user.rb

@@ -36,7 +36,4 @@ class User
   field :failed_attempts, :type => Integer, :default => 0 # Only if lock strategy is :failed_attempts
   field :unlock_token,    :type => String # Only if unlock strategy is :email or :both
   field :locked_at,       :type => Time
-
-  ## Token authenticatable
-  field :authentication_token, :type => String
 end

data/test/rails_app/db/migrate/20100401102949_create_tables.rb

@@ -33,9 +33,6 @@ class CreateTables < ActiveRecord::Migration
       t.string   :unlock_token # Only if unlock strategy is :email or :both
       t.datetime :locked_at
 
-      ## Token authenticatable
-      t.string :authentication_token
-
       t.timestamps
     end