devise 3.2.1 → 4.4.3
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of devise might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/.travis.yml +58 -10
- data/CHANGELOG.md +199 -979
- data/CODE_OF_CONDUCT.md +22 -0
- data/CONTRIBUTING.md +73 -8
- data/Gemfile +19 -11
- data/Gemfile.lock +152 -119
- data/ISSUE_TEMPLATE.md +19 -0
- data/MIT-LICENSE +1 -1
- data/README.md +347 -93
- data/Rakefile +4 -2
- data/app/controllers/devise/confirmations_controller.rb +11 -5
- data/app/controllers/devise/omniauth_callbacks_controller.rb +12 -6
- data/app/controllers/devise/passwords_controller.rb +20 -8
- data/app/controllers/devise/registrations_controller.rb +34 -19
- data/app/controllers/devise/sessions_controller.rb +47 -17
- data/app/controllers/devise/unlocks_controller.rb +9 -4
- data/app/controllers/devise_controller.rb +67 -31
- data/app/helpers/devise_helper.rb +4 -2
- data/app/mailers/devise/mailer.rb +10 -0
- data/app/views/devise/confirmations/new.html.erb +8 -4
- data/app/views/devise/mailer/confirmation_instructions.html.erb +1 -1
- data/app/views/devise/mailer/email_changed.html.erb +7 -0
- data/app/views/devise/mailer/password_change.html.erb +3 -0
- data/app/views/devise/mailer/reset_password_instructions.html.erb +1 -1
- data/app/views/devise/mailer/unlock_instructions.html.erb +1 -1
- data/app/views/devise/passwords/edit.html.erb +15 -6
- data/app/views/devise/passwords/new.html.erb +8 -4
- data/app/views/devise/registrations/edit.html.erb +28 -14
- data/app/views/devise/registrations/new.html.erb +19 -8
- data/app/views/devise/sessions/new.html.erb +17 -8
- data/app/views/devise/shared/{_links.erb → _links.html.erb} +2 -2
- data/app/views/devise/unlocks/new.html.erb +8 -4
- data/bin/test +13 -0
- data/config/locales/en.yml +22 -17
- data/devise.gemspec +7 -6
- data/gemfiles/Gemfile.rails-4.1-stable +32 -0
- data/gemfiles/Gemfile.rails-4.1-stable.lock +171 -0
- data/gemfiles/Gemfile.rails-4.2-stable +32 -0
- data/gemfiles/Gemfile.rails-4.2-stable.lock +192 -0
- data/gemfiles/Gemfile.rails-5.0-stable +33 -0
- data/gemfiles/Gemfile.rails-5.0-stable.lock +192 -0
- data/gemfiles/Gemfile.rails-5.2-rc1 +26 -0
- data/gemfiles/Gemfile.rails-5.2-rc1.lock +201 -0
- data/guides/bug_report_templates/integration_test.rb +106 -0
- data/lib/devise.rb +107 -84
- data/lib/devise/controllers/helpers.rb +111 -31
- data/lib/devise/controllers/rememberable.rb +15 -6
- data/lib/devise/controllers/scoped_views.rb +3 -1
- data/lib/devise/controllers/sign_in_out.rb +39 -26
- data/lib/devise/controllers/store_location.rb +31 -2
- data/lib/devise/controllers/url_helpers.rb +9 -7
- data/lib/devise/delegator.rb +2 -0
- data/lib/devise/encryptor.rb +24 -0
- data/lib/devise/failure_app.rb +98 -39
- data/lib/devise/hooks/activatable.rb +7 -6
- data/lib/devise/hooks/csrf_cleaner.rb +5 -1
- data/lib/devise/hooks/forgetable.rb +2 -0
- data/lib/devise/hooks/lockable.rb +7 -2
- data/lib/devise/hooks/proxy.rb +4 -2
- data/lib/devise/hooks/rememberable.rb +4 -2
- data/lib/devise/hooks/timeoutable.rb +16 -9
- data/lib/devise/hooks/trackable.rb +3 -1
- data/lib/devise/mailers/helpers.rb +15 -12
- data/lib/devise/mapping.rb +8 -2
- data/lib/devise/models.rb +3 -1
- data/lib/devise/models/authenticatable.rb +63 -36
- data/lib/devise/models/confirmable.rb +121 -41
- data/lib/devise/models/database_authenticatable.rb +66 -23
- data/lib/devise/models/lockable.rb +30 -17
- data/lib/devise/models/omniauthable.rb +3 -1
- data/lib/devise/models/recoverable.rb +62 -26
- data/lib/devise/models/registerable.rb +2 -0
- data/lib/devise/models/rememberable.rb +62 -33
- data/lib/devise/models/timeoutable.rb +4 -8
- data/lib/devise/models/trackable.rb +12 -3
- data/lib/devise/models/validatable.rb +16 -9
- data/lib/devise/modules.rb +12 -10
- data/lib/devise/omniauth.rb +2 -0
- data/lib/devise/omniauth/config.rb +2 -0
- data/lib/devise/omniauth/url_helpers.rb +14 -5
- data/lib/devise/orm/active_record.rb +5 -1
- data/lib/devise/orm/mongoid.rb +6 -2
- data/lib/devise/parameter_filter.rb +2 -0
- data/lib/devise/parameter_sanitizer.rb +131 -69
- data/lib/devise/rails.rb +10 -13
- data/lib/devise/rails/routes.rb +147 -116
- data/lib/devise/rails/warden_compat.rb +3 -10
- data/lib/devise/secret_key_finder.rb +25 -0
- data/lib/devise/strategies/authenticatable.rb +20 -9
- data/lib/devise/strategies/base.rb +3 -1
- data/lib/devise/strategies/database_authenticatable.rb +8 -5
- data/lib/devise/strategies/rememberable.rb +15 -3
- data/lib/devise/test/controller_helpers.rb +165 -0
- data/lib/devise/test/integration_helpers.rb +63 -0
- data/lib/devise/test_helpers.rb +7 -124
- data/lib/devise/time_inflector.rb +4 -2
- data/lib/devise/token_generator.rb +3 -41
- data/lib/devise/version.rb +3 -1
- data/lib/generators/active_record/devise_generator.rb +47 -10
- data/lib/generators/active_record/templates/migration.rb +9 -7
- data/lib/generators/active_record/templates/migration_existing.rb +9 -7
- data/lib/generators/devise/controllers_generator.rb +46 -0
- data/lib/generators/devise/devise_generator.rb +9 -5
- data/lib/generators/devise/install_generator.rb +22 -0
- data/lib/generators/devise/orm_helpers.rb +8 -19
- data/lib/generators/devise/views_generator.rb +51 -28
- data/lib/generators/mongoid/devise_generator.rb +22 -19
- data/lib/generators/templates/README +5 -12
- data/lib/generators/templates/controllers/README +14 -0
- data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
- data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
- data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
- data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
- data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
- data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
- data/lib/generators/templates/devise.rb +64 -35
- data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
- data/lib/generators/templates/markerb/email_changed.markerb +7 -0
- data/lib/generators/templates/markerb/password_change.markerb +3 -0
- data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
- data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +2 -2
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +4 -4
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +2 -2
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +6 -6
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +4 -4
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +6 -6
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +2 -2
- data/test/controllers/custom_registrations_controller_test.rb +42 -0
- data/test/controllers/custom_strategy_test.rb +10 -6
- data/test/controllers/helper_methods_test.rb +24 -0
- data/test/controllers/helpers_test.rb +88 -40
- data/test/controllers/inherited_controller_i18n_messages_test.rb +53 -0
- data/test/controllers/internal_helpers_test.rb +31 -22
- data/test/controllers/load_hooks_controller_test.rb +21 -0
- data/test/controllers/passwords_controller_test.rb +8 -5
- data/test/controllers/sessions_controller_test.rb +42 -33
- data/test/controllers/url_helpers_test.rb +13 -5
- data/test/delegator_test.rb +3 -1
- data/test/devise_test.rb +34 -19
- data/test/failure_app_test.rb +150 -42
- data/test/generators/active_record_generator_test.rb +58 -31
- data/test/generators/controllers_generator_test.rb +50 -0
- data/test/generators/devise_generator_test.rb +4 -2
- data/test/generators/install_generator_test.rb +16 -3
- data/test/generators/mongoid_generator_test.rb +5 -3
- data/test/generators/views_generator_test.rb +40 -2
- data/test/helpers/devise_helper_test.rb +20 -20
- data/test/integration/authenticatable_test.rb +134 -141
- data/test/integration/confirmable_test.rb +109 -67
- data/test/integration/database_authenticatable_test.rb +36 -23
- data/test/integration/http_authenticatable_test.rb +29 -20
- data/test/integration/lockable_test.rb +52 -49
- data/test/integration/mounted_engine_test.rb +38 -0
- data/test/integration/omniauthable_test.rb +30 -15
- data/test/integration/recoverable_test.rb +76 -61
- data/test/integration/registerable_test.rb +107 -91
- data/test/integration/rememberable_test.rb +82 -30
- data/test/integration/timeoutable_test.rb +48 -40
- data/test/integration/trackable_test.rb +15 -8
- data/test/mailers/confirmation_instructions_test.rb +16 -14
- data/test/mailers/email_changed_test.rb +132 -0
- data/test/mailers/mailer_test.rb +20 -0
- data/test/mailers/reset_password_instructions_test.rb +13 -11
- data/test/mailers/unlock_instructions_test.rb +12 -10
- data/test/mapping_test.rb +15 -6
- data/test/models/authenticatable_test.rb +15 -3
- data/test/models/confirmable_test.rb +190 -95
- data/test/models/database_authenticatable_test.rb +75 -41
- data/test/models/lockable_test.rb +115 -61
- data/test/models/omniauthable_test.rb +3 -1
- data/test/models/recoverable_test.rb +116 -37
- data/test/models/registerable_test.rb +3 -1
- data/test/models/rememberable_test.rb +95 -94
- data/test/models/serializable_test.rb +19 -8
- data/test/models/timeoutable_test.rb +10 -8
- data/test/models/trackable_test.rb +50 -1
- data/test/models/validatable_test.rb +24 -30
- data/test/models_test.rb +19 -8
- data/test/omniauth/config_test.rb +15 -11
- data/test/omniauth/url_helpers_test.rb +8 -9
- data/test/orm/active_record.rb +16 -2
- data/test/orm/mongoid.rb +4 -2
- data/test/parameter_sanitizer_test.rb +53 -57
- data/test/rails_app/app/active_record/admin.rb +2 -0
- data/test/rails_app/app/active_record/shim.rb +3 -1
- data/test/rails_app/app/active_record/user.rb +14 -0
- data/test/rails_app/app/active_record/user_on_engine.rb +9 -0
- data/test/rails_app/app/active_record/user_on_main_app.rb +9 -0
- data/test/rails_app/app/active_record/user_with_validations.rb +12 -0
- data/test/rails_app/app/active_record/user_without_email.rb +10 -0
- data/test/rails_app/app/controllers/admins/sessions_controller.rb +3 -1
- data/test/rails_app/app/controllers/admins_controller.rb +3 -6
- data/test/rails_app/app/controllers/application_controller.rb +7 -3
- data/test/rails_app/app/controllers/application_with_fake_engine.rb +32 -0
- data/test/rails_app/app/controllers/custom/registrations_controller.rb +33 -0
- data/test/rails_app/app/controllers/home_controller.rb +7 -1
- data/test/rails_app/app/controllers/publisher/registrations_controller.rb +3 -1
- data/test/rails_app/app/controllers/publisher/sessions_controller.rb +3 -1
- data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +7 -5
- data/test/rails_app/app/controllers/users_controller.rb +8 -6
- data/test/rails_app/app/helpers/application_helper.rb +2 -0
- data/test/rails_app/app/mailers/users/from_proc_mailer.rb +5 -0
- data/test/rails_app/app/mailers/users/mailer.rb +3 -10
- data/test/rails_app/app/mailers/users/reply_to_mailer.rb +6 -0
- data/test/rails_app/app/mongoid/admin.rb +13 -11
- data/test/rails_app/app/mongoid/shim.rb +4 -2
- data/test/rails_app/app/mongoid/user.rb +30 -19
- data/test/rails_app/app/mongoid/user_on_engine.rb +41 -0
- data/test/rails_app/app/mongoid/user_on_main_app.rb +41 -0
- data/test/rails_app/app/mongoid/user_with_validations.rb +37 -0
- data/test/rails_app/app/mongoid/user_without_email.rb +35 -0
- data/test/rails_app/app/views/admins/sessions/new.html.erb +1 -1
- data/test/rails_app/app/views/home/admin_dashboard.html.erb +1 -1
- data/test/rails_app/app/views/home/index.html.erb +1 -1
- data/test/rails_app/app/views/home/join.html.erb +1 -1
- data/test/rails_app/app/views/home/user_dashboard.html.erb +1 -1
- data/test/rails_app/app/views/layouts/application.html.erb +1 -1
- data/test/rails_app/config/application.rb +13 -5
- data/test/rails_app/config/boot.rb +17 -4
- data/test/rails_app/config/environment.rb +2 -0
- data/test/rails_app/config/environments/development.rb +2 -0
- data/test/rails_app/config/environments/production.rb +10 -2
- data/test/rails_app/config/environments/test.rb +14 -3
- data/test/rails_app/config/initializers/backtrace_silencers.rb +2 -0
- data/test/rails_app/config/initializers/devise.rb +22 -21
- data/test/rails_app/config/initializers/inflections.rb +2 -0
- data/test/rails_app/config/initializers/secret_token.rb +3 -6
- data/test/rails_app/config/initializers/session_store.rb +2 -0
- data/test/rails_app/config/routes.rb +67 -43
- data/test/rails_app/db/migrate/20100401102949_create_tables.rb +16 -10
- data/test/rails_app/db/schema.rb +2 -0
- data/test/rails_app/lib/shared_admin.rb +10 -4
- data/test/rails_app/lib/shared_user.rb +4 -1
- data/test/rails_app/lib/shared_user_without_email.rb +28 -0
- data/test/rails_app/lib/shared_user_without_omniauth.rb +15 -0
- data/test/rails_test.rb +11 -0
- data/test/routes_test.rb +92 -61
- data/test/secret_key_finder_test.rb +97 -0
- data/test/support/action_controller/record_identifier.rb +12 -0
- data/test/support/assertions.rb +4 -14
- data/test/support/helpers.rb +23 -10
- data/test/support/http_method_compatibility.rb +53 -0
- data/test/support/integration.rb +19 -16
- data/test/support/mongoid.yml +6 -0
- data/test/support/webrat/integrations/rails.rb +11 -0
- data/test/{test_helpers_test.rb → test/controller_helpers_test.rb} +60 -40
- data/test/test/integration_helpers_test.rb +34 -0
- data/test/test_helper.rb +9 -0
- data/test/test_models.rb +8 -6
- metadata +123 -53
- data/gemfiles/Gemfile.rails-3.2.x +0 -31
- data/gemfiles/Gemfile.rails-3.2.x.lock +0 -159
@@ -1,19 +1,12 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Warden::Mixins::Common
|
2
4
|
def request
|
3
5
|
@request ||= ActionDispatch::Request.new(env)
|
4
6
|
end
|
5
7
|
|
6
|
-
# Deprecate: Remove this check once we move to Rails 4 only.
|
7
|
-
NULL_STORE =
|
8
|
-
defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
|
9
|
-
ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
|
10
|
-
|
11
8
|
def reset_session!
|
12
|
-
|
13
|
-
# This is a bug that needs to be fixed in Rails.
|
14
|
-
unless NULL_STORE && request.session.is_a?(NULL_STORE)
|
15
|
-
request.reset_session
|
16
|
-
end
|
9
|
+
request.reset_session
|
17
10
|
end
|
18
11
|
|
19
12
|
def cookies
|
@@ -0,0 +1,25 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Devise
|
4
|
+
class SecretKeyFinder
|
5
|
+
def initialize(application)
|
6
|
+
@application = application
|
7
|
+
end
|
8
|
+
|
9
|
+
def find
|
10
|
+
if @application.respond_to?(:credentials) && key_exists?(@application.credentials)
|
11
|
+
@application.credentials.secret_key_base
|
12
|
+
elsif @application.respond_to?(:secrets) && key_exists?(@application.secrets)
|
13
|
+
@application.secrets.secret_key_base
|
14
|
+
elsif @application.config.respond_to?(:secret_key_base) && key_exists?(@application.config)
|
15
|
+
@application.config.secret_key_base
|
16
|
+
end
|
17
|
+
end
|
18
|
+
|
19
|
+
private
|
20
|
+
|
21
|
+
def key_exists?(object)
|
22
|
+
object.secret_key_base.present?
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'devise/strategies/base'
|
2
4
|
|
3
5
|
module Devise
|
@@ -16,11 +18,18 @@ module Devise
|
|
16
18
|
valid_for_params_auth? || valid_for_http_auth?
|
17
19
|
end
|
18
20
|
|
21
|
+
# Override and set to false for things like OmniAuth that technically
|
22
|
+
# run through Authentication (user_set) very often, which would normally
|
23
|
+
# reset CSRF data in the session
|
24
|
+
def clean_up_csrf?
|
25
|
+
true
|
26
|
+
end
|
27
|
+
|
19
28
|
private
|
20
29
|
|
21
30
|
# Receives a resource and check if it is valid by calling valid_for_authentication?
|
22
31
|
# An optional block that will be triggered while validating can be optionally
|
23
|
-
# given as parameter. Check Devise::Models::
|
32
|
+
# given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
|
24
33
|
# for more information.
|
25
34
|
#
|
26
35
|
# In case the resource can't be validated, it will fail with the given
|
@@ -29,7 +38,6 @@ module Devise
|
|
29
38
|
result = resource && resource.valid_for_authentication?(&block)
|
30
39
|
|
31
40
|
if result
|
32
|
-
decorate(resource)
|
33
41
|
true
|
34
42
|
else
|
35
43
|
if resource
|
@@ -40,7 +48,7 @@ module Devise
|
|
40
48
|
end
|
41
49
|
|
42
50
|
# Get values from params and set in the resource.
|
43
|
-
def
|
51
|
+
def remember_me(resource)
|
44
52
|
resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
|
45
53
|
end
|
46
54
|
|
@@ -49,9 +57,9 @@ module Devise
|
|
49
57
|
valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
|
50
58
|
end
|
51
59
|
|
52
|
-
# Check if this is
|
60
|
+
# Check if this is a valid strategy for http authentication by:
|
53
61
|
#
|
54
|
-
# * Validating if the model allows
|
62
|
+
# * Validating if the model allows http authentication;
|
55
63
|
# * If any of the authorization headers were sent;
|
56
64
|
# * If all authentication keys are present;
|
57
65
|
#
|
@@ -59,7 +67,7 @@ module Devise
|
|
59
67
|
http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
|
60
68
|
end
|
61
69
|
|
62
|
-
# Check if this is
|
70
|
+
# Check if this is a valid strategy for params authentication by:
|
63
71
|
#
|
64
72
|
# * Validating if the model allows params authentication;
|
65
73
|
# * If the request hits the sessions controller through POST;
|
@@ -102,14 +110,17 @@ module Devise
|
|
102
110
|
params_auth_hash.is_a?(Hash)
|
103
111
|
end
|
104
112
|
|
105
|
-
#
|
113
|
+
# Note: unlike `Model.valid_password?`, this method does not actually
|
114
|
+
# ensure that the password in the params matches the password stored in
|
115
|
+
# the database. It only checks if the password is *present*. Do not rely
|
116
|
+
# on this method for validating that a given password is correct.
|
106
117
|
def valid_password?
|
107
|
-
password.present?
|
118
|
+
password.present?
|
108
119
|
end
|
109
120
|
|
110
121
|
# Helper to decode credentials from HTTP.
|
111
122
|
def decode_credentials
|
112
|
-
return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
|
123
|
+
return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
|
113
124
|
Base64.decode64($1).split(/:/, 2)
|
114
125
|
end
|
115
126
|
|
@@ -1,19 +1,22 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'devise/strategies/authenticatable'
|
2
4
|
|
3
5
|
module Devise
|
4
6
|
module Strategies
|
5
|
-
# Default strategy for signing in a user, based on
|
7
|
+
# Default strategy for signing in a user, based on their email and password in the database.
|
6
8
|
class DatabaseAuthenticatable < Authenticatable
|
7
9
|
def authenticate!
|
8
|
-
resource =
|
9
|
-
|
10
|
+
resource = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
|
11
|
+
hashed = false
|
10
12
|
|
11
|
-
if validate(resource){
|
13
|
+
if validate(resource){ hashed = true; resource.valid_password?(password) }
|
14
|
+
remember_me(resource)
|
12
15
|
resource.after_database_authentication
|
13
16
|
success!(resource)
|
14
17
|
end
|
15
18
|
|
16
|
-
mapping.to.new.password = password if !
|
19
|
+
mapping.to.new.password = password if !hashed && Devise.paranoid
|
17
20
|
fail(:not_found_in_database) unless resource
|
18
21
|
end
|
19
22
|
end
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'devise/strategies/authenticatable'
|
2
4
|
|
3
5
|
module Devise
|
@@ -25,15 +27,25 @@ module Devise
|
|
25
27
|
end
|
26
28
|
|
27
29
|
if validate(resource)
|
30
|
+
remember_me(resource) if extend_remember_me?(resource)
|
31
|
+
resource.after_remembered
|
28
32
|
success!(resource)
|
29
33
|
end
|
30
34
|
end
|
31
35
|
|
36
|
+
# No need to clean up the CSRF when using rememberable.
|
37
|
+
# In fact, cleaning it up here would be a bug because
|
38
|
+
# rememberable is triggered on GET requests which means
|
39
|
+
# we would render a page on first access with all csrf
|
40
|
+
# tokens expired.
|
41
|
+
def clean_up_csrf?
|
42
|
+
false
|
43
|
+
end
|
44
|
+
|
32
45
|
private
|
33
46
|
|
34
|
-
def
|
35
|
-
|
36
|
-
resource.extend_remember_period = mapping.to.extend_remember_period if resource.respond_to?(:extend_remember_period=)
|
47
|
+
def extend_remember_me?(resource)
|
48
|
+
resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
|
37
49
|
end
|
38
50
|
|
39
51
|
def remember_me?
|
@@ -0,0 +1,165 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Devise
|
4
|
+
module Test
|
5
|
+
# `Devise::Test::ControllerHelpers` provides a facility to test controllers
|
6
|
+
# in isolation when using `ActionController::TestCase` allowing you to
|
7
|
+
# quickly sign_in or sign_out a user. Do not use
|
8
|
+
# `Devise::Test::ControllerHelpers` in integration tests.
|
9
|
+
#
|
10
|
+
# Examples
|
11
|
+
#
|
12
|
+
# class PostsTest < ActionController::TestCase
|
13
|
+
# include Devise::Test::ControllerHelpers
|
14
|
+
#
|
15
|
+
# test 'authenticated users can GET index' do
|
16
|
+
# sign_in users(:bob)
|
17
|
+
#
|
18
|
+
# get :index
|
19
|
+
# assert_response :success
|
20
|
+
# end
|
21
|
+
# end
|
22
|
+
#
|
23
|
+
# Important: you should not test Warden specific behavior (like callbacks)
|
24
|
+
# using `Devise::Test::ControllerHelpers` since it is a stub of the actual
|
25
|
+
# behavior. Such callbacks should be tested in your integration suite instead.
|
26
|
+
module ControllerHelpers
|
27
|
+
extend ActiveSupport::Concern
|
28
|
+
|
29
|
+
included do
|
30
|
+
setup :setup_controller_for_warden, :warden
|
31
|
+
end
|
32
|
+
|
33
|
+
# Override process to consider warden.
|
34
|
+
def process(*)
|
35
|
+
_catch_warden { super }
|
36
|
+
|
37
|
+
@response
|
38
|
+
end
|
39
|
+
|
40
|
+
# We need to set up the environment variables and the response in the controller.
|
41
|
+
def setup_controller_for_warden #:nodoc:
|
42
|
+
@request.env['action_controller.instance'] = @controller
|
43
|
+
end
|
44
|
+
|
45
|
+
# Quick access to Warden::Proxy.
|
46
|
+
def warden #:nodoc:
|
47
|
+
@request.env['warden'] ||= begin
|
48
|
+
manager = Warden::Manager.new(nil) do |config|
|
49
|
+
config.merge! Devise.warden_config
|
50
|
+
end
|
51
|
+
Warden::Proxy.new(@request.env, manager)
|
52
|
+
end
|
53
|
+
end
|
54
|
+
|
55
|
+
# sign_in a given resource by storing its keys in the session.
|
56
|
+
# This method bypass any warden authentication callback.
|
57
|
+
#
|
58
|
+
# * +resource+ - The resource that should be authenticated
|
59
|
+
# * +scope+ - An optional +Symbol+ with the scope where the resource
|
60
|
+
# should be signed in with.
|
61
|
+
# Examples:
|
62
|
+
#
|
63
|
+
# sign_in users(:alice)
|
64
|
+
# sign_in users(:alice), scope: :admin
|
65
|
+
def sign_in(resource, deprecated = nil, scope: nil)
|
66
|
+
if deprecated.present?
|
67
|
+
scope = resource
|
68
|
+
resource = deprecated
|
69
|
+
|
70
|
+
ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
|
71
|
+
[Devise] sign_in(:#{scope}, resource) on controller tests is deprecated and will be removed from Devise.
|
72
|
+
Please use sign_in(resource, scope: :#{scope}) instead.
|
73
|
+
DEPRECATION
|
74
|
+
end
|
75
|
+
|
76
|
+
scope ||= Devise::Mapping.find_scope!(resource)
|
77
|
+
|
78
|
+
warden.instance_variable_get(:@users).delete(scope)
|
79
|
+
warden.session_serializer.store(resource, scope)
|
80
|
+
end
|
81
|
+
|
82
|
+
# Sign out a given resource or scope by calling logout on Warden.
|
83
|
+
# This method bypass any warden logout callback.
|
84
|
+
#
|
85
|
+
# Examples:
|
86
|
+
#
|
87
|
+
# sign_out :user # sign_out(scope)
|
88
|
+
# sign_out @user # sign_out(resource)
|
89
|
+
#
|
90
|
+
def sign_out(resource_or_scope)
|
91
|
+
scope = Devise::Mapping.find_scope!(resource_or_scope)
|
92
|
+
@controller.instance_variable_set(:"@current_#{scope}", nil)
|
93
|
+
user = warden.instance_variable_get(:@users).delete(scope)
|
94
|
+
warden.session_serializer.delete(scope, user)
|
95
|
+
end
|
96
|
+
|
97
|
+
protected
|
98
|
+
|
99
|
+
# Catch warden continuations and handle like the middleware would.
|
100
|
+
# Returns nil when interrupted, otherwise the normal result of the block.
|
101
|
+
def _catch_warden(&block)
|
102
|
+
result = catch(:warden, &block)
|
103
|
+
|
104
|
+
env = @controller.request.env
|
105
|
+
|
106
|
+
result ||= {}
|
107
|
+
|
108
|
+
# Set the response. In production, the rack result is returned
|
109
|
+
# from Warden::Manager#call, which the following is modelled on.
|
110
|
+
case result
|
111
|
+
when Array
|
112
|
+
if result.first == 401 && intercept_401?(env) # does this happen during testing?
|
113
|
+
_process_unauthenticated(env)
|
114
|
+
else
|
115
|
+
result
|
116
|
+
end
|
117
|
+
when Hash
|
118
|
+
_process_unauthenticated(env, result)
|
119
|
+
else
|
120
|
+
result
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
def _process_unauthenticated(env, options = {})
|
125
|
+
options[:action] ||= :unauthenticated
|
126
|
+
proxy = request.env['warden']
|
127
|
+
result = options[:result] || proxy.result
|
128
|
+
|
129
|
+
ret = case result
|
130
|
+
when :redirect
|
131
|
+
body = proxy.message || "You are being redirected to #{proxy.headers['Location']}"
|
132
|
+
[proxy.status, proxy.headers, [body]]
|
133
|
+
when :custom
|
134
|
+
proxy.custom_response
|
135
|
+
else
|
136
|
+
request.env["PATH_INFO"] = "/#{options[:action]}"
|
137
|
+
request.env["warden.options"] = options
|
138
|
+
Warden::Manager._run_callbacks(:before_failure, env, options)
|
139
|
+
|
140
|
+
status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
|
141
|
+
@controller.response.headers.merge!(headers)
|
142
|
+
@controller.response.content_type = headers["Content-Type"] unless Rails.version.start_with?('5')
|
143
|
+
@controller.status = status
|
144
|
+
@controller.response.body = response.body
|
145
|
+
nil # causes process return @response
|
146
|
+
end
|
147
|
+
|
148
|
+
# ensure that the controller response is set up. In production, this is
|
149
|
+
# not necessary since warden returns the results to rack. However, at
|
150
|
+
# testing time, we want the response to be available to the testing
|
151
|
+
# framework to verify what would be returned to rack.
|
152
|
+
if ret.is_a?(Array)
|
153
|
+
status, headers, body = *ret
|
154
|
+
# ensure the controller response is set to our response.
|
155
|
+
@controller.response ||= @response
|
156
|
+
@response.status = status
|
157
|
+
@response.headers.merge!(headers)
|
158
|
+
@response.body = body
|
159
|
+
end
|
160
|
+
|
161
|
+
ret
|
162
|
+
end
|
163
|
+
end
|
164
|
+
end
|
165
|
+
end
|
@@ -0,0 +1,63 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Devise
|
4
|
+
# Devise::Test::IntegrationHelpers is a helper module for facilitating
|
5
|
+
# authentication on Rails integration tests to bypass the required steps for
|
6
|
+
# signin in or signin out a record.
|
7
|
+
#
|
8
|
+
# Examples
|
9
|
+
#
|
10
|
+
# class PostsTest < ActionDispatch::IntegrationTest
|
11
|
+
# include Devise::Test::IntegrationHelpers
|
12
|
+
#
|
13
|
+
# test 'authenticated users can see posts' do
|
14
|
+
# sign_in users(:bob)
|
15
|
+
#
|
16
|
+
# get '/posts'
|
17
|
+
# assert_response :success
|
18
|
+
# end
|
19
|
+
# end
|
20
|
+
module Test
|
21
|
+
module IntegrationHelpers
|
22
|
+
def self.included(base)
|
23
|
+
base.class_eval do
|
24
|
+
include Warden::Test::Helpers
|
25
|
+
|
26
|
+
setup :setup_integration_for_devise
|
27
|
+
teardown :teardown_integration_for_devise
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
# Signs in a specific resource, mimicking a successfull sign in
|
32
|
+
# operation through +Devise::SessionsController#create+.
|
33
|
+
#
|
34
|
+
# * +resource+ - The resource that should be authenticated
|
35
|
+
# * +scope+ - An optional +Symbol+ with the scope where the resource
|
36
|
+
# should be signed in with.
|
37
|
+
def sign_in(resource, scope: nil)
|
38
|
+
scope ||= Devise::Mapping.find_scope!(resource)
|
39
|
+
|
40
|
+
login_as(resource, scope: scope)
|
41
|
+
end
|
42
|
+
|
43
|
+
# Signs out a specific scope from the session.
|
44
|
+
#
|
45
|
+
# * +resource_or_scope+ - The resource or scope that should be signed out.
|
46
|
+
def sign_out(resource_or_scope)
|
47
|
+
scope = Devise::Mapping.find_scope!(resource_or_scope)
|
48
|
+
|
49
|
+
logout scope
|
50
|
+
end
|
51
|
+
|
52
|
+
protected
|
53
|
+
|
54
|
+
def setup_integration_for_devise
|
55
|
+
Warden.test_mode!
|
56
|
+
end
|
57
|
+
|
58
|
+
def teardown_integration_for_devise
|
59
|
+
Warden.test_reset!
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
data/lib/devise/test_helpers.rb
CHANGED
@@ -1,132 +1,15 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
|
-
# Devise::TestHelpers provides a facility to test controllers in isolation
|
3
|
-
# when using ActionController::TestCase allowing you to quickly sign_in or
|
4
|
-
# sign_out a user. Do not use Devise::TestHelpers in integration tests.
|
5
|
-
#
|
6
|
-
# Notice you should not test Warden specific behavior (like Warden callbacks)
|
7
|
-
# using Devise::TestHelpers since it is a stub of the actual behavior. Such
|
8
|
-
# callbacks should be tested in your integration suite instead.
|
9
4
|
module TestHelpers
|
10
5
|
def self.included(base)
|
11
6
|
base.class_eval do
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
def process(*)
|
18
|
-
# Make sure we always return @response, a la ActionController::TestCase::Behaviour#process, even if warden interrupts
|
19
|
-
_catch_warden { super } || @response
|
20
|
-
end
|
21
|
-
|
22
|
-
# We need to setup the environment variables and the response in the controller.
|
23
|
-
def setup_controller_for_warden #:nodoc:
|
24
|
-
@request.env['action_controller.instance'] = @controller
|
25
|
-
end
|
26
|
-
|
27
|
-
# Quick access to Warden::Proxy.
|
28
|
-
def warden #:nodoc:
|
29
|
-
@warden ||= begin
|
30
|
-
manager = Warden::Manager.new(nil) do |config|
|
31
|
-
config.merge! Devise.warden_config
|
32
|
-
end
|
33
|
-
@request.env['warden'] = Warden::Proxy.new(@request.env, manager)
|
7
|
+
ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
|
8
|
+
[Devise] including `Devise::TestHelpers` is deprecated and will be removed from Devise.
|
9
|
+
For controller tests, please include `Devise::Test::ControllerHelpers` instead.
|
10
|
+
DEPRECATION
|
11
|
+
include Devise::Test::ControllerHelpers
|
34
12
|
end
|
35
13
|
end
|
36
|
-
|
37
|
-
# sign_in a given resource by storing its keys in the session.
|
38
|
-
# This method bypass any warden authentication callback.
|
39
|
-
#
|
40
|
-
# Examples:
|
41
|
-
#
|
42
|
-
# sign_in :user, @user # sign_in(scope, resource)
|
43
|
-
# sign_in @user # sign_in(resource)
|
44
|
-
#
|
45
|
-
def sign_in(resource_or_scope, resource=nil)
|
46
|
-
scope ||= Devise::Mapping.find_scope!(resource_or_scope)
|
47
|
-
resource ||= resource_or_scope
|
48
|
-
warden.instance_variable_get(:@users).delete(scope)
|
49
|
-
warden.session_serializer.store(resource, scope)
|
50
|
-
end
|
51
|
-
|
52
|
-
# Sign out a given resource or scope by calling logout on Warden.
|
53
|
-
# This method bypass any warden logout callback.
|
54
|
-
#
|
55
|
-
# Examples:
|
56
|
-
#
|
57
|
-
# sign_out :user # sign_out(scope)
|
58
|
-
# sign_out @user # sign_out(resource)
|
59
|
-
#
|
60
|
-
def sign_out(resource_or_scope)
|
61
|
-
scope = Devise::Mapping.find_scope!(resource_or_scope)
|
62
|
-
@controller.instance_variable_set(:"@current_#{scope}", nil)
|
63
|
-
user = warden.instance_variable_get(:@users).delete(scope)
|
64
|
-
warden.session_serializer.delete(scope, user)
|
65
|
-
end
|
66
|
-
|
67
|
-
protected
|
68
|
-
|
69
|
-
# Catch warden continuations and handle like the middleware would.
|
70
|
-
# Returns nil when interrupted, otherwise the normal result of the block.
|
71
|
-
def _catch_warden(&block)
|
72
|
-
result = catch(:warden, &block)
|
73
|
-
|
74
|
-
env = @controller.request.env
|
75
|
-
|
76
|
-
result ||= {}
|
77
|
-
|
78
|
-
# Set the response. In production, the rack result is returned
|
79
|
-
# from Warden::Manager#call, which the following is modelled on.
|
80
|
-
case result
|
81
|
-
when Array
|
82
|
-
if result.first == 401 && intercept_401?(env) # does this happen during testing?
|
83
|
-
_process_unauthenticated(env)
|
84
|
-
else
|
85
|
-
result
|
86
|
-
end
|
87
|
-
when Hash
|
88
|
-
_process_unauthenticated(env, result)
|
89
|
-
else
|
90
|
-
result
|
91
|
-
end
|
92
|
-
end
|
93
|
-
|
94
|
-
def _process_unauthenticated(env, options = {})
|
95
|
-
options[:action] ||= :unauthenticated
|
96
|
-
proxy = env['warden']
|
97
|
-
result = options[:result] || proxy.result
|
98
|
-
|
99
|
-
ret = case result
|
100
|
-
when :redirect
|
101
|
-
body = proxy.message || "You are being redirected to #{proxy.headers['Location']}"
|
102
|
-
[proxy.status, proxy.headers, [body]]
|
103
|
-
when :custom
|
104
|
-
proxy.custom_response
|
105
|
-
else
|
106
|
-
env["PATH_INFO"] = "/#{options[:action]}"
|
107
|
-
env["warden.options"] = options
|
108
|
-
Warden::Manager._run_callbacks(:before_failure, env, options)
|
109
|
-
|
110
|
-
status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
|
111
|
-
@controller.response.headers.merge!(headers)
|
112
|
-
@controller.send :render, :status => status, :text => response.body,
|
113
|
-
:content_type => headers["Content-Type"], :location => headers["Location"]
|
114
|
-
nil # causes process return @response
|
115
|
-
end
|
116
|
-
|
117
|
-
# ensure that the controller response is set up. In production, this is
|
118
|
-
# not necessary since warden returns the results to rack. However, at
|
119
|
-
# testing time, we want the response to be available to the testing
|
120
|
-
# framework to verify what would be returned to rack.
|
121
|
-
if ret.is_a?(Array)
|
122
|
-
# ensure the controller response is set to our response.
|
123
|
-
@controller.response ||= @response
|
124
|
-
@response.status = ret.first
|
125
|
-
@response.headers = ret.second
|
126
|
-
@response.body = ret.third
|
127
|
-
end
|
128
|
-
|
129
|
-
ret
|
130
|
-
end
|
131
14
|
end
|
132
15
|
end
|