RubyGems - devise - Versions diffs - 3.2.1 → 4.4.3 - Mend

devise 3.2.1 → 4.4.3

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (254) hide show

checksums.yaml +7 -0
data/.travis.yml +58 -10
data/CHANGELOG.md +199 -979
data/CODE_OF_CONDUCT.md +22 -0
data/CONTRIBUTING.md +73 -8
data/Gemfile +19 -11
data/Gemfile.lock +152 -119
data/ISSUE_TEMPLATE.md +19 -0
data/MIT-LICENSE +1 -1
data/README.md +347 -93
data/Rakefile +4 -2
data/app/controllers/devise/confirmations_controller.rb +11 -5
data/app/controllers/devise/omniauth_callbacks_controller.rb +12 -6
data/app/controllers/devise/passwords_controller.rb +20 -8
data/app/controllers/devise/registrations_controller.rb +34 -19
data/app/controllers/devise/sessions_controller.rb +47 -17
data/app/controllers/devise/unlocks_controller.rb +9 -4
data/app/controllers/devise_controller.rb +67 -31
data/app/helpers/devise_helper.rb +4 -2
data/app/mailers/devise/mailer.rb +10 -0
data/app/views/devise/confirmations/new.html.erb +8 -4
data/app/views/devise/mailer/confirmation_instructions.html.erb +1 -1
data/app/views/devise/mailer/email_changed.html.erb +7 -0
data/app/views/devise/mailer/password_change.html.erb +3 -0
data/app/views/devise/mailer/reset_password_instructions.html.erb +1 -1
data/app/views/devise/mailer/unlock_instructions.html.erb +1 -1
data/app/views/devise/passwords/edit.html.erb +15 -6
data/app/views/devise/passwords/new.html.erb +8 -4
data/app/views/devise/registrations/edit.html.erb +28 -14
data/app/views/devise/registrations/new.html.erb +19 -8
data/app/views/devise/sessions/new.html.erb +17 -8
data/app/views/devise/shared/{_links.erb → _links.html.erb} +2 -2
data/app/views/devise/unlocks/new.html.erb +8 -4
data/bin/test +13 -0
data/config/locales/en.yml +22 -17
data/devise.gemspec +7 -6
data/gemfiles/Gemfile.rails-4.1-stable +32 -0
data/gemfiles/Gemfile.rails-4.1-stable.lock +171 -0
data/gemfiles/Gemfile.rails-4.2-stable +32 -0
data/gemfiles/Gemfile.rails-4.2-stable.lock +192 -0
data/gemfiles/Gemfile.rails-5.0-stable +33 -0
data/gemfiles/Gemfile.rails-5.0-stable.lock +192 -0
data/gemfiles/Gemfile.rails-5.2-rc1 +26 -0
data/gemfiles/Gemfile.rails-5.2-rc1.lock +201 -0
data/guides/bug_report_templates/integration_test.rb +106 -0
data/lib/devise.rb +107 -84
data/lib/devise/controllers/helpers.rb +111 -31
data/lib/devise/controllers/rememberable.rb +15 -6
data/lib/devise/controllers/scoped_views.rb +3 -1
data/lib/devise/controllers/sign_in_out.rb +39 -26
data/lib/devise/controllers/store_location.rb +31 -2
data/lib/devise/controllers/url_helpers.rb +9 -7
data/lib/devise/delegator.rb +2 -0
data/lib/devise/encryptor.rb +24 -0
data/lib/devise/failure_app.rb +98 -39
data/lib/devise/hooks/activatable.rb +7 -6
data/lib/devise/hooks/csrf_cleaner.rb +5 -1
data/lib/devise/hooks/forgetable.rb +2 -0
data/lib/devise/hooks/lockable.rb +7 -2
data/lib/devise/hooks/proxy.rb +4 -2
data/lib/devise/hooks/rememberable.rb +4 -2
data/lib/devise/hooks/timeoutable.rb +16 -9
data/lib/devise/hooks/trackable.rb +3 -1
data/lib/devise/mailers/helpers.rb +15 -12
data/lib/devise/mapping.rb +8 -2
data/lib/devise/models.rb +3 -1
data/lib/devise/models/authenticatable.rb +63 -36
data/lib/devise/models/confirmable.rb +121 -41
data/lib/devise/models/database_authenticatable.rb +66 -23
data/lib/devise/models/lockable.rb +30 -17
data/lib/devise/models/omniauthable.rb +3 -1
data/lib/devise/models/recoverable.rb +62 -26
data/lib/devise/models/registerable.rb +2 -0
data/lib/devise/models/rememberable.rb +62 -33
data/lib/devise/models/timeoutable.rb +4 -8
data/lib/devise/models/trackable.rb +12 -3
data/lib/devise/models/validatable.rb +16 -9
data/lib/devise/modules.rb +12 -10
data/lib/devise/omniauth.rb +2 -0
data/lib/devise/omniauth/config.rb +2 -0
data/lib/devise/omniauth/url_helpers.rb +14 -5
data/lib/devise/orm/active_record.rb +5 -1
data/lib/devise/orm/mongoid.rb +6 -2
data/lib/devise/parameter_filter.rb +2 -0
data/lib/devise/parameter_sanitizer.rb +131 -69
data/lib/devise/rails.rb +10 -13
data/lib/devise/rails/routes.rb +147 -116
data/lib/devise/rails/warden_compat.rb +3 -10
data/lib/devise/secret_key_finder.rb +25 -0
data/lib/devise/strategies/authenticatable.rb +20 -9
data/lib/devise/strategies/base.rb +3 -1
data/lib/devise/strategies/database_authenticatable.rb +8 -5
data/lib/devise/strategies/rememberable.rb +15 -3
data/lib/devise/test/controller_helpers.rb +165 -0
data/lib/devise/test/integration_helpers.rb +63 -0
data/lib/devise/test_helpers.rb +7 -124
data/lib/devise/time_inflector.rb +4 -2
data/lib/devise/token_generator.rb +3 -41
data/lib/devise/version.rb +3 -1
data/lib/generators/active_record/devise_generator.rb +47 -10
data/lib/generators/active_record/templates/migration.rb +9 -7
data/lib/generators/active_record/templates/migration_existing.rb +9 -7
data/lib/generators/devise/controllers_generator.rb +46 -0
data/lib/generators/devise/devise_generator.rb +9 -5
data/lib/generators/devise/install_generator.rb +22 -0
data/lib/generators/devise/orm_helpers.rb +8 -19
data/lib/generators/devise/views_generator.rb +51 -28
data/lib/generators/mongoid/devise_generator.rb +22 -19
data/lib/generators/templates/README +5 -12
data/lib/generators/templates/controllers/README +14 -0
data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
data/lib/generators/templates/devise.rb +64 -35
data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
data/lib/generators/templates/markerb/email_changed.markerb +7 -0
data/lib/generators/templates/markerb/password_change.markerb +3 -0
data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +2 -2
data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +4 -4
data/lib/generators/templates/simple_form_for/passwords/new.html.erb +2 -2
data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +6 -6
data/lib/generators/templates/simple_form_for/registrations/new.html.erb +4 -4
data/lib/generators/templates/simple_form_for/sessions/new.html.erb +6 -6
data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +2 -2
data/test/controllers/custom_registrations_controller_test.rb +42 -0
data/test/controllers/custom_strategy_test.rb +10 -6
data/test/controllers/helper_methods_test.rb +24 -0
data/test/controllers/helpers_test.rb +88 -40
data/test/controllers/inherited_controller_i18n_messages_test.rb +53 -0
data/test/controllers/internal_helpers_test.rb +31 -22
data/test/controllers/load_hooks_controller_test.rb +21 -0
data/test/controllers/passwords_controller_test.rb +8 -5
data/test/controllers/sessions_controller_test.rb +42 -33
data/test/controllers/url_helpers_test.rb +13 -5
data/test/delegator_test.rb +3 -1
data/test/devise_test.rb +34 -19
data/test/failure_app_test.rb +150 -42
data/test/generators/active_record_generator_test.rb +58 -31
data/test/generators/controllers_generator_test.rb +50 -0
data/test/generators/devise_generator_test.rb +4 -2
data/test/generators/install_generator_test.rb +16 -3
data/test/generators/mongoid_generator_test.rb +5 -3
data/test/generators/views_generator_test.rb +40 -2
data/test/helpers/devise_helper_test.rb +20 -20
data/test/integration/authenticatable_test.rb +134 -141
data/test/integration/confirmable_test.rb +109 -67
data/test/integration/database_authenticatable_test.rb +36 -23
data/test/integration/http_authenticatable_test.rb +29 -20
data/test/integration/lockable_test.rb +52 -49
data/test/integration/mounted_engine_test.rb +38 -0
data/test/integration/omniauthable_test.rb +30 -15
data/test/integration/recoverable_test.rb +76 -61
data/test/integration/registerable_test.rb +107 -91
data/test/integration/rememberable_test.rb +82 -30
data/test/integration/timeoutable_test.rb +48 -40
data/test/integration/trackable_test.rb +15 -8
data/test/mailers/confirmation_instructions_test.rb +16 -14
data/test/mailers/email_changed_test.rb +132 -0
data/test/mailers/mailer_test.rb +20 -0
data/test/mailers/reset_password_instructions_test.rb +13 -11
data/test/mailers/unlock_instructions_test.rb +12 -10
data/test/mapping_test.rb +15 -6
data/test/models/authenticatable_test.rb +15 -3
data/test/models/confirmable_test.rb +190 -95
data/test/models/database_authenticatable_test.rb +75 -41
data/test/models/lockable_test.rb +115 -61
data/test/models/omniauthable_test.rb +3 -1
data/test/models/recoverable_test.rb +116 -37
data/test/models/registerable_test.rb +3 -1
data/test/models/rememberable_test.rb +95 -94
data/test/models/serializable_test.rb +19 -8
data/test/models/timeoutable_test.rb +10 -8
data/test/models/trackable_test.rb +50 -1
data/test/models/validatable_test.rb +24 -30
data/test/models_test.rb +19 -8
data/test/omniauth/config_test.rb +15 -11
data/test/omniauth/url_helpers_test.rb +8 -9
data/test/orm/active_record.rb +16 -2
data/test/orm/mongoid.rb +4 -2
data/test/parameter_sanitizer_test.rb +53 -57
data/test/rails_app/app/active_record/admin.rb +2 -0
data/test/rails_app/app/active_record/shim.rb +3 -1
data/test/rails_app/app/active_record/user.rb +14 -0
data/test/rails_app/app/active_record/user_on_engine.rb +9 -0
data/test/rails_app/app/active_record/user_on_main_app.rb +9 -0
data/test/rails_app/app/active_record/user_with_validations.rb +12 -0
data/test/rails_app/app/active_record/user_without_email.rb +10 -0
data/test/rails_app/app/controllers/admins/sessions_controller.rb +3 -1
data/test/rails_app/app/controllers/admins_controller.rb +3 -6
data/test/rails_app/app/controllers/application_controller.rb +7 -3
data/test/rails_app/app/controllers/application_with_fake_engine.rb +32 -0
data/test/rails_app/app/controllers/custom/registrations_controller.rb +33 -0
data/test/rails_app/app/controllers/home_controller.rb +7 -1
data/test/rails_app/app/controllers/publisher/registrations_controller.rb +3 -1
data/test/rails_app/app/controllers/publisher/sessions_controller.rb +3 -1
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +7 -5
data/test/rails_app/app/controllers/users_controller.rb +8 -6
data/test/rails_app/app/helpers/application_helper.rb +2 -0
data/test/rails_app/app/mailers/users/from_proc_mailer.rb +5 -0
data/test/rails_app/app/mailers/users/mailer.rb +3 -10
data/test/rails_app/app/mailers/users/reply_to_mailer.rb +6 -0
data/test/rails_app/app/mongoid/admin.rb +13 -11
data/test/rails_app/app/mongoid/shim.rb +4 -2
data/test/rails_app/app/mongoid/user.rb +30 -19
data/test/rails_app/app/mongoid/user_on_engine.rb +41 -0
data/test/rails_app/app/mongoid/user_on_main_app.rb +41 -0
data/test/rails_app/app/mongoid/user_with_validations.rb +37 -0
data/test/rails_app/app/mongoid/user_without_email.rb +35 -0
data/test/rails_app/app/views/admins/sessions/new.html.erb +1 -1
data/test/rails_app/app/views/home/admin_dashboard.html.erb +1 -1
data/test/rails_app/app/views/home/index.html.erb +1 -1
data/test/rails_app/app/views/home/join.html.erb +1 -1
data/test/rails_app/app/views/home/user_dashboard.html.erb +1 -1
data/test/rails_app/app/views/layouts/application.html.erb +1 -1
data/test/rails_app/config/application.rb +13 -5
data/test/rails_app/config/boot.rb +17 -4
data/test/rails_app/config/environment.rb +2 -0
data/test/rails_app/config/environments/development.rb +2 -0
data/test/rails_app/config/environments/production.rb +10 -2
data/test/rails_app/config/environments/test.rb +14 -3
data/test/rails_app/config/initializers/backtrace_silencers.rb +2 -0
data/test/rails_app/config/initializers/devise.rb +22 -21
data/test/rails_app/config/initializers/inflections.rb +2 -0
data/test/rails_app/config/initializers/secret_token.rb +3 -6
data/test/rails_app/config/initializers/session_store.rb +2 -0
data/test/rails_app/config/routes.rb +67 -43
data/test/rails_app/db/migrate/20100401102949_create_tables.rb +16 -10
data/test/rails_app/db/schema.rb +2 -0
data/test/rails_app/lib/shared_admin.rb +10 -4
data/test/rails_app/lib/shared_user.rb +4 -1
data/test/rails_app/lib/shared_user_without_email.rb +28 -0
data/test/rails_app/lib/shared_user_without_omniauth.rb +15 -0
data/test/rails_test.rb +11 -0
data/test/routes_test.rb +92 -61
data/test/secret_key_finder_test.rb +97 -0
data/test/support/action_controller/record_identifier.rb +12 -0
data/test/support/assertions.rb +4 -14
data/test/support/helpers.rb +23 -10
data/test/support/http_method_compatibility.rb +53 -0
data/test/support/integration.rb +19 -16
data/test/support/mongoid.yml +6 -0
data/test/support/webrat/integrations/rails.rb +11 -0
data/test/{test_helpers_test.rb → test/controller_helpers_test.rb} +60 -40
data/test/test/integration_helpers_test.rb +34 -0
data/test/test_helper.rb +9 -0
data/test/test_models.rb +8 -6
metadata +123 -53
data/gemfiles/Gemfile.rails-3.2.x +0 -31
data/gemfiles/Gemfile.rails-3.2.x.lock +0 -159

data/lib/devise/controllers/url_helpers.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Controllers
     # Create url helpers to be used with resource/scope configuration. Acts as
@@ -42,14 +44,14 @@ module Devise
           [:path, :url].each do |path_or_url|
             actions.each do |action|
               action = action ? "#{action}_" : ""
-              method = "#{action}#{module_name}_#{path_or_url}"
+              method = :"#{action}#{module_name}_#{path_or_url}"
-              class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-                def #{method}(resource_or_scope, *args)
-                  scope = Devise::Mapping.find_scope!(resource_or_scope)
-                  _devise_route_context.send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
-                end
-              URL_HELPERS
+              define_method method do |resource_or_scope, *args|
+                scope = Devise::Mapping.find_scope!(resource_or_scope)
+                router_name = Devise.mappings[scope].router_name
+                context = router_name ? send(router_name) : _devise_route_context
+                context.send("#{action}#{scope}_#{module_name}_#{path_or_url}", *args)
+              end
             end
           end
         end

data/lib/devise/delegator.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   # Checks the scope in the given environment and returns the associated failure app.
   class Delegator

data/lib/devise/encryptor.rb ADDED

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require 'bcrypt'
+module Devise
+  module Encryptor
+    def self.digest(klass, password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      ::BCrypt::Password.create(password, cost: klass.stretches).to_s
+    end
+    def self.compare(klass, hashed_password, password)
+      return false if hashed_password.blank?
+      bcrypt   = ::BCrypt::Password.new(hashed_password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+      Devise.secure_compare(password, hashed_password)
+    end
+  end
+end

data/lib/devise/failure_app.rb CHANGED

@@ -1,12 +1,13 @@
+# frozen_string_literal: true
 require "action_controller/metal"
 module Devise
   # Failure application that will be called every time :warden is thrown from
-  # any strategy or hook. Responsible for redirect the user to the sign in
-  # page based on current scope and mapping. If no scope is given, redirect
-  # to the default_url.
+  # any strategy or hook. It is responsible for redirecting the user to the sign
+  # in page based on current scope and mapping. If no scope is given, it
+  # redirects to the default_url.
   class FailureApp < ActionController::Metal
-    include ActionController::RackDelegation
     include ActionController::UrlFor
     include ActionController::Redirecting
@@ -15,16 +16,19 @@ module Devise
     include Devise::Controllers::StoreLocation
-    delegate :flash, :to => :request
+    delegate :flash, to: :request
     def self.call(env)
       @respond ||= action(:respond)
       @respond.call(env)
     end
+    # Try retrieving the URL options from the parent controller (usually
+    # ApplicationController). Instance methods are not supported at the moment,
+    # so only the class-level attribute is used.
     def self.default_url_options(*args)
-      if defined?(ApplicationController)
-        ApplicationController.default_url_options(*args)
+      if defined?(Devise.parent_controller.constantize)
+        Devise.parent_controller.constantize.try(:default_url_options) || {}
       else
         {}
       end
@@ -48,18 +52,38 @@ module Devise
     end
     def recall
-      env["PATH_INFO"]  = attempted_path
-      flash.now[:alert] = i18n_message(:invalid)
-      self.response = recall_app(warden_options[:recall]).call(env)
+      header_info = if relative_url_root?
+        base_path = Pathname.new(relative_url_root)
+        full_path = Pathname.new(attempted_path)
+        { "SCRIPT_NAME" => relative_url_root,
+          "PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
+      else
+        { "PATH_INFO" => attempted_path }
+      end
+      header_info.each do | var, value|
+        if request.respond_to?(:set_header)
+          request.set_header(var, value)
+        else
+          request.env[var]  = value
+        end
+      end
+      flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
+      # self.response = recall_app(warden_options[:recall]).call(env)
+      self.response = recall_app(warden_options[:recall]).call(request.env)
     end
     def redirect
       store_location!
-      if flash[:timedout] && flash[:alert]
-        flash.keep(:timedout)
-        flash.keep(:alert)
-      else
-        flash[:alert] = i18n_message
+      if is_flashing_format?
+        if flash[:timedout] && flash[:alert]
+          flash.keep(:timedout)
+          flash.keep(:alert)
+        else
+          flash[:alert] = i18n_message
+        end
       end
       redirect_to redirect_url
     end
@@ -78,6 +102,9 @@ module Devise
         options[:resource_name] = scope
         options[:scope] = "devise.failure"
         options[:default] = [message]
+        auth_keys = scope_class.authentication_keys
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
+        options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
         I18n.t(:"#{scope}.#{message}", options)
@@ -88,7 +115,7 @@ module Devise
     def redirect_url
       if warden_message == :timeout
-        flash[:timedout] = true
+        flash[:timedout] = true if is_flashing_format?
         path = if request.get?
           attempted_path
@@ -96,26 +123,36 @@ module Devise
           request.referrer
         end
-        path || scope_path
+        path || scope_url
       else
-        scope_path
+        scope_url
       end
     end
-    def scope_path
+    def route(scope)
+      :"new_#{scope}_session_url"
+    end
+    def scope_url
       opts  = {}
-      route = :"new_#{scope}_session_path"
+      # Initialize script_name with nil to prevent infinite loops in
+      # authenticated mounted engines in rails 4.2 and 5.0
+      opts[:script_name] = nil
+      route = route(scope)
       opts[:format] = request_format unless skip_format?
-      config = Rails.application.config
-      opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))
+      opts[:script_name] = relative_url_root if relative_url_root?
-      context = send(Devise.available_router_name)
+      router_name = Devise.mappings[scope].router_name || Devise.available_router_name
+      context = send(router_name)
       if context.respond_to?(route)
         context.send(route, opts)
-      elsif respond_to?(:root_path)
-        root_path(opts)
+      elsif respond_to?(:root_url)
+        root_url(opts)
       else
         "/"
       end
@@ -125,12 +162,12 @@ module Devise
       %w(html */*).include? request_format.to_s
     end
-    # Choose whether we should respond in a http authentication fashion,
+    # Choose whether we should respond in an HTTP authentication fashion,
     # including 401 and optional headers.
     #
-    # This method allows the user to explicitly disable http authentication
-    # on ajax requests in case they want to redirect on failures instead of
-    # handling the errors on their own. This is useful in case your ajax API
+    # This method allows the user to explicitly disable HTTP authentication
+    # on AJAX requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your AJAX API
     # is the same as your public API and uses a format like JSON (so you
     # cannot mark JSON as a navigational format).
     def http_auth?
@@ -141,19 +178,19 @@ module Devise
       end
     end
-    # It does not make sense to send authenticate headers in ajax requests
+    # It doesn't make sense to send authenticate headers in AJAX requests
     # or if the user disabled them.
     def http_auth_header?
-      Devise.mappings[scope].to.http_authenticatable && !request.xhr?
+      scope_class.http_authenticatable && !request.xhr?
     end
     def http_auth_body
       return i18n_message unless request_format
       method = "to_#{request_format}"
       if method == "to_xml"
-        { :error => i18n_message }.to_xml(:root => "errors")
+        { error: i18n_message }.to_xml(root: "errors")
       elsif {}.respond_to?(method)
-        { :error => i18n_message }.send(method)
+        { error: i18n_message }.send(method)
       else
         i18n_message
       end
@@ -167,11 +204,11 @@ module Devise
     end
     def warden
-      env['warden']
+      request.respond_to?(:get_header) ? request.get_header("warden") : request.env["warden"]
     end
     def warden_options
-      env['warden.options']
+      request.respond_to?(:get_header) ? request.get_header("warden.options") : request.env["warden.options"]
     end
     def warden_message
@@ -182,14 +219,18 @@ module Devise
       @scope ||= warden_options[:scope] || Devise.default_scope
     end
+    def scope_class
+      @scope_class ||= Devise.mappings[scope].to
+    end
     def attempted_path
       warden_options[:attempted_path]
     end
-    # Stores requested uri to redirect the user after signing in. We cannot use
-    # scoped session provided by warden here, since the user is not authenticated
-    # yet, but we still need to store the uri based on scope, so different scopes
-    # would never use the same uri to redirect.
+    # Stores requested URI to redirect the user after signing in. We can't use
+    # the scoped session provided by warden here, since the user is not
+    # authenticated yet, but we still need to store the URI based on scope, so
+    # different scopes would never use the same URI to redirect.
     def store_location!
       store_location_for(scope, attempted_path) if request.get? && !http_auth?
     end
@@ -198,8 +239,26 @@ module Devise
       Devise.navigational_formats.include?(request_format)
     end
+    # Check if flash messages should be emitted. Default is to do it on
+    # navigational formats
+    def is_flashing_format?
+      is_navigational_format?
+    end
     def request_format
       @request_format ||= request.format.try(:ref)
     end
+    def relative_url_root
+      @relative_url_root ||= begin
+        config = Rails.application.config
+        config.try(:relative_url_root) || config.action_controller.try(:relative_url_root)
+      end
+    end
+    def relative_url_root?
+      relative_url_root.present?
+    end
   end
 end

data/lib/devise/hooks/activatable.rb CHANGED

@@ -1,11 +1,12 @@
-# Deny user access whenever his account is not active yet. All strategies that inherits from
-# Devise::Strategies::Authenticatable and uses the validate already check if the user is active_for_authentication?
-# before actively signing him in. However, we need this as hook to validate the user activity
-# in each request and in case the user is using other strategies beside Devise ones.
+# frozen_string_literal: true
+# Deny user access whenever their account is not active yet.
+# We need this as hook to validate the user activity on each request
+# and in case the user is using other strategies beside Devise ones.
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
     scope = options[:scope]
     warden.logout(scope)
-    throw :warden, :scope => scope, :message => record.inactive_message
+    throw :warden, scope: scope, message: record.inactive_message
   end
-end
+end

data/lib/devise/hooks/csrf_cleaner.rb CHANGED

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
 Warden::Manager.after_authentication do |record, warden, options|
-  if Devise.clean_up_csrf_token_on_authentication
+  clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
+    warden.winning_strategy.clean_up_csrf?
+  if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
     warden.request.session.try(:delete, :_csrf_token)
   end
 end

data/lib/devise/hooks/forgetable.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # Before logout hook to forget the user in the given scope, if it responds
 # to forget_me! Also clear remember token to ensure the user won't be
 # remembered again. Notice that we forget the user unless the record is not persisted.

data/lib/devise/hooks/lockable.rb CHANGED

@@ -1,7 +1,12 @@
+# frozen_string_literal: true
 # After each sign in, if resource responds to failed_attempts, sets it to 0
 # This is only triggered when the user is explicitly set (with set_user)
-Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
+    unless record.failed_attempts.to_i.zero?
+      record.failed_attempts = 0
+      record.save(validate: false)
+    end
   end
 end

data/lib/devise/hooks/proxy.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Hooks
     # A small warden proxy so we can remember, forget and
@@ -7,7 +9,7 @@ module Devise
       include Devise::Controllers::SignInOut
       attr_reader :warden
-      delegate :cookies, :env, :to => :warden
+      delegate :cookies, :request, to: :warden
       def initialize(warden)
         @warden = warden
@@ -18,4 +20,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise/hooks/rememberable.rb CHANGED

@@ -1,7 +1,9 @@
-Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+# frozen_string_literal: true
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   scope = options[:scope]
   if record.respond_to?(:remember_me) && options[:store] != false &&
      record.remember_me && warden.authenticated?(scope)
     Devise::Hooks::Proxy.new(warden).remember_me(record)
   end
-end
+end

data/lib/devise/hooks/timeoutable.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # Each time a record is set we check whether its session has already timed out
 # or not, based on last request time. If so, the record is logged out and
 # redirected to the sign in page. Also, each time the request comes and the
@@ -7,22 +9,27 @@ Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
-  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) &&
+     options[:store] != false && !env['devise.skip_timeoutable']
     last_request_at = warden.session(scope)['last_request_at']
-    proxy = Devise::Hooks::Proxy.new(warden)
-    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+    if last_request_at.is_a? Integer
+      last_request_at = Time.at(last_request_at).utc
+    elsif last_request_at.is_a? String
+      last_request_at = Time.parse(last_request_at)
+    end
-      if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
-        record.reset_authentication_token!
-      end
+    proxy = Devise::Hooks::Proxy.new(warden)
-      throw :warden, :scope => scope, :message => :timeout
+    if record.timedout?(last_request_at) &&
+        !env['devise.skip_timeout'] &&
+        !proxy.remember_me_is_active?(record)
+      Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
+      throw :warden, scope: scope, message: :timeout
     end
     unless env['devise.skip_trackable']
-      warden.session(scope)['last_request_at'] = Time.now.utc
+      warden.session(scope)['last_request_at'] = Time.now.utc.to_i
     end
   end
 end

data/lib/devise/hooks/trackable.rb CHANGED

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
 # After each sign in, update sign in time, sign in count and sign in IP.
 # This is only triggered when the user is explicitly set (with set_user)
 # and on authentication. Retrieving the user from session (:fetch) does
 # not trigger it.
-Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope]) && !warden.request.env['devise.skip_trackable']
     record.update_tracked_fields!(warden.request)
   end