devise 3.1.2 → 3.2.0

data/test/rails_app/db/schema.rb

@@ -44,7 +44,6 @@ ActiveRecord::Schema.define(:version => 20100401102949) do
     t.integer  "failed_attempts",                     :default => 0
     t.string   "unlock_token"
     t.datetime "locked_at"
-    t.string   "authentication_token"
     t.datetime "created_at"
     t.datetime "updated_at"
   end

data/test/rails_app/lib/shared_user.rb

@@ -3,7 +3,7 @@ module SharedUser
 
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
-           :registerable, :rememberable, :timeoutable, :token_authenticatable,
+           :registerable, :rememberable, :timeoutable,
            :trackable, :validatable, :omniauthable
 
     attr_accessor :other_key

data/test/support/locale/en.yml

@@ -1,4 +1,8 @@
 en:
+  devise:
+    failure:
+      user:
+        does_not_exist: "User %{name} does not exist"
   errors:
     messages:
       taken: "has already been taken"

data/test/test_helpers_test.rb

@@ -148,4 +148,26 @@ class TestHelpersTest < ActionController::TestCase
     get :index
     assert_match /User ##{second_user.id}/, @response.body
   end
+
+
+  test "passes  given headers from the failure app to the response" do
+
+    begin
+      old_failure_app = Devise.warden_config[:failure_app]
+      class CustomTestFailureApp < Devise::FailureApp
+        def respond
+          self.status = 401
+          self.response.headers["CUSTOMHEADER"] = 1
+        end
+      end
+      Devise.warden_config[:failure_app] = CustomTestFailureApp
+      user = create_user
+      sign_in user
+      get :index
+      assert_equal 1, @response.headers["CUSTOMHEADER"]
+    ensure
+      Devise.warden_config[:failure_app] = old_failure_app
+    end
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 3.1.2
+  version: 3.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-13 00:00:00.000000000 Z
+date: 2013-11-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden
@@ -143,6 +143,7 @@ files:
 - lib/devise/controllers/helpers.rb
 - lib/devise/controllers/rememberable.rb
 - lib/devise/controllers/scoped_views.rb
+- lib/devise/controllers/sign_in_out.rb
 - lib/devise/controllers/url_helpers.rb
 - lib/devise/delegator.rb
 - lib/devise/failure_app.rb
@@ -150,6 +151,7 @@ files:
 - lib/devise/hooks/csrf_cleaner.rb
 - lib/devise/hooks/forgetable.rb
 - lib/devise/hooks/lockable.rb
+- lib/devise/hooks/proxy.rb
 - lib/devise/hooks/rememberable.rb
 - lib/devise/hooks/timeoutable.rb
 - lib/devise/hooks/trackable.rb
@@ -165,7 +167,6 @@ files:
 - lib/devise/models/registerable.rb
 - lib/devise/models/rememberable.rb
 - lib/devise/models/timeoutable.rb
-- lib/devise/models/token_authenticatable.rb
 - lib/devise/models/trackable.rb
 - lib/devise/models/validatable.rb
 - lib/devise/modules.rb
@@ -183,7 +184,6 @@ files:
 - lib/devise/strategies/base.rb
 - lib/devise/strategies/database_authenticatable.rb
 - lib/devise/strategies/rememberable.rb
-- lib/devise/strategies/token_authenticatable.rb
 - lib/devise/test_helpers.rb
 - lib/devise/time_inflector.rb
 - lib/devise/token_generator.rb
@@ -233,7 +233,6 @@ files:
 - test/integration/registerable_test.rb
 - test/integration/rememberable_test.rb
 - test/integration/timeoutable_test.rb
-- test/integration/token_authenticatable_test.rb
 - test/integration/trackable_test.rb
 - test/mailers/confirmation_instructions_test.rb
 - test/mailers/reset_password_instructions_test.rb
@@ -249,7 +248,6 @@ files:
 - test/models/rememberable_test.rb
 - test/models/serializable_test.rb
 - test/models/timeoutable_test.rb
-- test/models/token_authenticatable_test.rb
 - test/models/trackable_test.rb
 - test/models/validatable_test.rb
 - test/models_test.rb
@@ -372,7 +370,6 @@ test_files:
 - test/integration/registerable_test.rb
 - test/integration/rememberable_test.rb
 - test/integration/timeoutable_test.rb
-- test/integration/token_authenticatable_test.rb
 - test/integration/trackable_test.rb
 - test/mailers/confirmation_instructions_test.rb
 - test/mailers/reset_password_instructions_test.rb
@@ -388,7 +385,6 @@ test_files:
 - test/models/rememberable_test.rb
 - test/models/serializable_test.rb
 - test/models/timeoutable_test.rb
-- test/models/token_authenticatable_test.rb
 - test/models/trackable_test.rb
 - test/models/validatable_test.rb
 - test/models_test.rb

data/lib/devise/models/token_authenticatable.rb

@@ -1,92 +0,0 @@
-require 'devise/strategies/token_authenticatable'
-
-module Devise
-  module Models
-    # The TokenAuthenticatable module is responsible for generating an authentication token and
-    # validating the authenticity of the same while signing in.
-    #
-    # This module only provides a few helpers to help you manage the token, but it is up to you
-    # to choose how to use it. For example, if you want to have a new token every time the user
-    # saves his account, you can do the following:
-    #
-    #   before_save :reset_authentication_token
-    #
-    # On the other hand, if you want to generate token unless one exists, you should use instead:
-    #
-    #   before_save :ensure_authentication_token
-    #
-    # If you want to delete the token after it is used, you can do so in the
-    # after_token_authentication callback.
-    #
-    # == APIs
-    #
-    # If you are using token authentication with APIs and using trackable. Every
-    # request will be considered as a new sign in (since there is no session in
-    # APIs). You can disable this by creating a before filter as follow:
-    #
-    #   before_filter :skip_trackable
-    #
-    #   def skip_trackable
-    #     request.env['devise.skip_trackable'] = true
-    #   end
-    #
-    # == Options
-    #
-    # TokenAuthenticatable adds the following options to devise_for:
-    #
-    #   * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
-    #
-    module TokenAuthenticatable
-      extend ActiveSupport::Concern
-
-      def self.required_fields(klass)
-        [:authentication_token]
-      end
-
-      # Generate new authentication token (a.k.a. "single access token").
-      def reset_authentication_token
-        self.authentication_token = self.class.authentication_token
-      end
-
-      # Generate new authentication token and save the record.
-      def reset_authentication_token!
-        reset_authentication_token
-        save(:validate => false)
-      end
-
-      # Generate authentication token unless already exists.
-      def ensure_authentication_token
-        reset_authentication_token if authentication_token.blank?
-      end
-
-      # Generate authentication token unless already exists and save the record.
-      def ensure_authentication_token!
-        reset_authentication_token! if authentication_token.blank?
-      end
-
-      # Hook called after token authentication.
-      def after_token_authentication
-      end
-
-      def expire_auth_token_on_timeout
-        self.class.expire_auth_token_on_timeout
-      end
-
-      module ClassMethods
-        def find_for_token_authentication(conditions)
-          find_for_authentication(:authentication_token => conditions[token_authentication_key])
-        end
-
-        # Generate a token checking if one does not already exist in the database.
-        def authentication_token
-          loop do
-            token = Devise.friendly_token
-            break token unless to_adapter.find_first({ :authentication_token => token })
-          end
-        end
-
-        Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)
-      end
-    end
-  end
-end

data/lib/devise/strategies/token_authenticatable.rb

@@ -1,91 +0,0 @@
-require 'devise/strategies/base'
-
-module Devise
-  module Strategies
-    # Strategy for signing in a user, based on a authenticatable token. This works for both params
-    # and http. For the former, all you need to do is to pass the params in the URL:
-    #
-    #   http://myapp.example.com/?user_token=SECRET
-    #
-    # For headers, you can use basic authentication passing the token as username and
-    # blank password. Since some clients may require a password, you can pass "X" as
-    # password and it will simply be ignored.
-    #
-    # You may also pass the token using the Token authentication mechanism provided
-    # by Rails: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
-    # The token options are stored in request.env['devise.token_options']
-    class TokenAuthenticatable < Authenticatable
-      def store?
-        super && !mapping.to.skip_session_storage.include?(:token_auth)
-      end
-
-      def valid?
-        super || valid_for_token_auth?
-      end
-
-      def authenticate!
-        resource = mapping.to.find_for_token_authentication(authentication_hash)
-        return fail(:invalid_token) unless resource
-
-        if validate(resource)
-          resource.after_token_authentication
-          success!(resource)
-        end
-      end
-
-    private
-
-      # Token Authenticatable can be authenticated with params in any controller and any verb.
-      def valid_params_request?
-        true
-      end
-
-      # Do not use remember_me behavior with token.
-      def remember_me?
-        false
-      end
-
-      # Check if the model accepts this strategy as token authenticatable.
-      def token_authenticatable?
-        mapping.to.http_authenticatable?(:token_options)
-      end
-
-      # Check if this is strategy is valid for token authentication by:
-      #
-      #   * Validating if the model allows http token authentication;
-      #   * If the http auth token exists;
-      #   * If all authentication keys are present;
-      #
-      def valid_for_token_auth?
-        token_authenticatable? && auth_token.present? && with_authentication_hash(:token_auth, token_auth_hash)
-      end
-
-      # Extract the auth token from the request
-      def auth_token
-        @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
-      end
-
-      # Extract a hash with attributes:values from the auth_token
-      def token_auth_hash
-        request.env['devise.token_options'] = auth_token.last
-        { authentication_keys.first => auth_token.first }
-      end
-
-      # Try both scoped and non scoped keys
-      def params_auth_hash
-        if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
-          params[scope]
-        else
-          params
-        end
-      end
-
-      # Overwrite authentication keys to use token_authentication_key.
-      def authentication_keys
-        @authentication_keys ||= [mapping.to.token_authentication_key]
-      end
-    end
-  end
-end
-
-Warden::Strategies.add(:token_authenticatable, Devise::Strategies::TokenAuthenticatable)

data/test/integration/token_authenticatable_test.rb

@@ -1,205 +0,0 @@
-require 'test_helper'
-
-class TokenAuthenticationTest < ActionDispatch::IntegrationTest
-
-  test 'authenticate with valid authentication token key and value through params' do
-    swap Devise, :token_authentication_key => :secret_token do
-      sign_in_as_new_user_with_token
-
-      assert_response :success
-      assert_current_url "/users?secret_token=#{VALID_AUTHENTICATION_TOKEN}"
-      assert_contain 'Welcome'
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and value through params, when params with the same key as scope exist' do
-    swap Devise, :token_authentication_key => :secret_token do
-      user = create_user_with_authentication_token
-      post exhibit_user_path(user), Devise.token_authentication_key => user.authentication_token, :user => { :some => "data" }
-
-      assert_response :success
-      assert_contain 'User is authenticated'
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key but does not store if stateless' do
-    swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth] do
-      sign_in_as_new_user_with_token
-      assert warden.authenticated?(:user)
-
-      get users_path
-      assert_redirected_to new_user_session_path
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and value through http' do
-    swap Devise, :token_authentication_key => :secret_token do
-      sign_in_as_new_user_with_token(:http_auth => true)
-
-      assert_response :success
-      assert_match '<email>user@test.com</email>', response.body
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'does authenticate with valid authentication token key and value through params if not configured' do
-    swap Devise, :token_authentication_key => :secret_token, :params_authenticatable => [:database] do
-      sign_in_as_new_user_with_token
-
-      assert_contain 'You need to sign in or sign up before continuing'
-      assert_contain 'Sign in'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'does authenticate with valid authentication token key and value through http if not configured' do
-    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:database] do
-      sign_in_as_new_user_with_token(:http_auth => true)
-
-      assert_response 401
-      assert_contain 'Invalid email or password.'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'does not authenticate with improper authentication token key' do
-    swap Devise, :token_authentication_key => :donald_duck_token do
-      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
-      assert_equal new_user_session_path, @request.path
-
-      assert_contain 'You need to sign in or sign up before continuing'
-      assert_contain 'Sign in'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'does not authenticate with improper authentication token value' do
-    store_translations :en, :devise => {:failure => {:invalid_token => 'LOL, that was not a single character correct.'}} do
-      sign_in_as_new_user_with_token(:auth_token => '*** INVALID TOKEN ***')
-      assert_equal new_user_session_path, @request.path
-
-      assert_contain 'LOL, that was not a single character correct.'
-      assert_contain 'Sign in'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
-    swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth], :timeout_in => (0.1).second do
-      user = sign_in_as_new_user_with_token
-      assert warden.authenticated?(:user)
-
-      # Expiring does not work because we are setting the session value when accessing it
-      sleep 0.3
-
-      get_users_path_as_existing_user(user)
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'should reset token and not authenticate when expire_auth_token_on_timeout is set to true, timeoutable is enabled and we have a timed out session' do
-    swap Devise, :token_authentication_key => :secret_token, :expire_auth_token_on_timeout => true, :timeout_in => (-1).minute do
-      user = sign_in_as_new_user_with_token
-      assert warden.authenticated?(:user)
-      token = user.authentication_token
-
-      get_users_path_as_existing_user(user)
-      assert_not warden.authenticated?(:user)
-      user.reload
-      assert_not_equal token, user.authentication_token
-    end
-  end
-
-  test 'should not be subject to injection' do
-    swap Devise, :token_authentication_key => :secret_token do
-      user1 = create_user_with_authentication_token()
-
-      # Clean up user cache
-      @user = nil
-
-      user2 = create_user_with_authentication_token(:email => "another@test.com")
-      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
-
-      assert_not_equal user1, user2
-      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
-      assert_nil warden.user(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and value through http header' do
-    swap Devise, :token_authentication_key => :secret_token do
-      sign_in_as_new_user_with_token(:token_auth => true)
-
-      assert_response :success
-      assert_match '<email>user@test.com</email>', response.body
-      assert_equal request.env['devise.token_options'], {}
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and value through http header, with options' do
-    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:token_options] do
-      signature = "**TESTSIGNATURE**"
-      sign_in_as_new_user_with_token(:token_auth => true, :token_options => {:signature => signature, :nonce => 'def'})
-
-      assert_response :success
-      assert_match '<email>user@test.com</email>', response.body
-      assert_equal request.env['devise.token_options'][:signature], signature
-      assert_equal request.env['devise.token_options'][:nonce], 'def'
-      assert warden.authenticated?(:user)
-    end
-  end
-
-  test 'authenticate with valid authentication token key and value through http header without allowing token authorization setting is denied' do
-    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => false do
-      sign_in_as_new_user_with_token(:token_auth => true)
-
-      assert_response :unauthorized
-      assert_nil warden.user(:user)
-    end
-  end
-
-  test 'does not authenticate with improper authentication token value in header' do
-    sign_in_as_new_user_with_token(:token_auth => true, :auth_token => '*** INVALID TOKEN ***')
-
-    assert_response :unauthorized
-    assert_nil warden.user(:user)
-  end
-
-  private
-
-    def sign_in_as_new_user_with_token(options = {})
-      user = options.delete(:user) || create_user_with_authentication_token(options)
-
-      options[:auth_token_key] ||= Devise.token_authentication_key
-      options[:auth_token]     ||= user.authentication_token
-
-      if options[:http_auth]
-        header = "Basic #{Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
-        get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
-      elsif options[:token_auth]
-        token_options = options[:token_options] || {}
-        header = ActionController::HttpAuthentication::Token.encode_credentials(options[:auth_token], token_options)
-        get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
-      else
-        visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
-      end
-
-      user
-    end
-
-    def create_user_with_authentication_token(options={})
-      user = create_user(options)
-      user.authentication_token = VALID_AUTHENTICATION_TOKEN
-      user.save
-      user
-    end
-
-    def get_users_path_as_existing_user(user)
-      sign_in_as_new_user_with_token(:user => user)
-    end
-
-end