devise 3.2.2 → 4.6.0

data/lib/devise/rails/routes.rb

@@ -1,13 +1,12 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/object/try"
 require "active_support/core_ext/hash/slice"
 
-module ActionDispatch::Routing
-  class RouteSet #:nodoc:
-    # Ensure Devise modules are included only after loading routes, because we
-    # need devise_for mappings already declared to create filters and helpers.
-    def finalize_with_devise!
-      result = finalize_without_devise!
-
+module Devise
+  module RouteSet
+    def finalize!
+      result = super
       @devise_finalized ||= begin
         if Devise.router_name.nil? && defined?(@devise_finalized) && self != Rails.application.try(:routes)
           warn "[DEVISE] We have detected that you are using devise_for inside engine routes. " \
@@ -21,10 +20,16 @@ module ActionDispatch::Routing
         Devise.regenerate_helpers!
         true
       end
-
       result
     end
-    alias_method_chain :finalize!, :devise
+  end
+end
+
+module ActionDispatch::Routing
+  class RouteSet #:nodoc:
+    # Ensure Devise modules are included only after loading routes, because we
+    # need devise_for mappings already declared to create filters and helpers.
+    prepend Devise::RouteSet
   end
 
   class Mapper
@@ -43,20 +48,20 @@ module ActionDispatch::Routing
     # needed routes:
     #
     #  # Session routes for Authenticatable (default)
-    #       new_user_session GET    /users/sign_in                    {:controller=>"devise/sessions", :action=>"new"}
-    #           user_session POST   /users/sign_in                    {:controller=>"devise/sessions", :action=>"create"}
-    #   destroy_user_session DELETE /users/sign_out                   {:controller=>"devise/sessions", :action=>"destroy"}
+    #       new_user_session GET    /users/sign_in                    {controller:"devise/sessions", action:"new"}
+    #           user_session POST   /users/sign_in                    {controller:"devise/sessions", action:"create"}
+    #   destroy_user_session DELETE /users/sign_out                   {controller:"devise/sessions", action:"destroy"}
     #
     #  # Password routes for Recoverable, if User model has :recoverable configured
-    #      new_user_password GET    /users/password/new(.:format)     {:controller=>"devise/passwords", :action=>"new"}
-    #     edit_user_password GET    /users/password/edit(.:format)    {:controller=>"devise/passwords", :action=>"edit"}
-    #          user_password PUT    /users/password(.:format)         {:controller=>"devise/passwords", :action=>"update"}
-    #                        POST   /users/password(.:format)         {:controller=>"devise/passwords", :action=>"create"}
+    #      new_user_password GET    /users/password/new(.:format)     {controller:"devise/passwords", action:"new"}
+    #     edit_user_password GET    /users/password/edit(.:format)    {controller:"devise/passwords", action:"edit"}
+    #          user_password PUT    /users/password(.:format)         {controller:"devise/passwords", action:"update"}
+    #                        POST   /users/password(.:format)         {controller:"devise/passwords", action:"create"}
     #
     #  # Confirmation routes for Confirmable, if User model has :confirmable configured
-    #  new_user_confirmation GET    /users/confirmation/new(.:format) {:controller=>"devise/confirmations", :action=>"new"}
-    #      user_confirmation GET    /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"show"}
-    #                        POST   /users/confirmation(.:format)     {:controller=>"devise/confirmations", :action=>"create"}
+    #  new_user_confirmation GET    /users/confirmation/new(.:format) {controller:"devise/confirmations", action:"new"}
+    #      user_confirmation GET    /users/confirmation(.:format)     {controller:"devise/confirmations", action:"show"}
+    #                        POST   /users/confirmation(.:format)     {controller:"devise/confirmations", action:"create"}
     #
     # ==== Routes integration
     #
@@ -84,71 +89,91 @@ module ActionDispatch::Routing
     #
     # You can configure your routes with some options:
     #
-    #  * :class_name => setup a different class to be looked up by devise, if it cannot be
+    #  * class_name: set up a different class to be looked up by devise, if it cannot be
     #    properly found by the route name.
     #
-    #      devise_for :users, :class_name => 'Account'
+    #      devise_for :users, class_name: 'Account'
+    #
+    #  * path: allows you to set up path name that will be used, as rails routes does.
+    #    The following route configuration would set up your route as /accounts instead of /users:
+    #
+    #      devise_for :users, path: 'accounts'
+    #
+    #  * singular: set up the singular name for the given resource. This is used as the helper methods
+    #    names in controller ("authenticate_#{singular}!", "#{singular}_signed_in?", "current_#{singular}"
+    #    and "#{singular}_session"), as the scope name in routes and as the scope given to warden.
     #
-    #  * :path => allows you to setup path name that will be used, as rails routes does.
-    #    The following route configuration would setup your route as /accounts instead of /users:
+    #      devise_for :admins, singular: :manager
     #
-    #      devise_for :users, :path => 'accounts'
+    #      devise_scope :manager do
+    #        ...
+    #      end
     #
-    #  * :singular => setup the singular name for the given resource. This is used as the instance variable
-    #    name in controller, as the name in routes and the scope given to warden.
+    #      class ManagerController < ApplicationController
+    #        before_action authenticate_manager!
     #
-    #      devise_for :users, :singular => :user
+    #        def show
+    #          @manager = current_manager
+    #          ...
+    #        end
+    #      end
     #
-    #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
+    #  * path_names: configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
     #
-    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout',
-    #        :password => 'secret', :confirmation => 'verification', registration: 'register }
+    #      devise_for :users, path_names: {
+    #        sign_in: 'login', sign_out: 'logout',
+    #        password: 'secret', confirmation: 'verification',
+    #        registration: 'register', edit: 'edit/profile'
+    #      }
     #
-    #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
+    #  * controllers: the controller which should be used. All routes by default points to Devise controllers.
     #    However, if you want them to point to custom controller, you should do:
     #
-    #      devise_for :users, :controllers => { :sessions => "users/sessions" }
+    #      devise_for :users, controllers: { sessions: "users/sessions" }
     #
-    #  * :failure_app => a rack app which is invoked whenever there is a failure. Strings representing a given
+    #  * failure_app: a rack app which is invoked whenever there is a failure. Strings representing a given
     #    are also allowed as parameter.
     #
-    #  * :sign_out_via => the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, :sign_out_via => [ :post, :delete ]
+    #      devise_for :users, sign_out_via: [:post, :delete]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #
-    #  * :module => the namespace to find controllers (default: "devise", thus
+    #  * module: the namespace to find controllers (default: "devise", thus
     #    accessing devise/sessions, devise/registrations, and so on). If you want
     #    to namespace all at once, use module:
     #
-    #      devise_for :users, :module => "users"
+    #      devise_for :users, module: "users"
     #
-    #  * :skip => tell which controller you want to skip routes from being created:
+    #  * skip: tell which controller you want to skip routes from being created.
+    #    It accepts :all as an option, meaning it will not generate any route at all:
     #
-    #      devise_for :users, :skip => :sessions
+    #      devise_for :users, skip: :sessions
     #
-    #  * :only => the opposite of :skip, tell which controllers only to generate routes to:
+    #  * only: the opposite of :skip, tell which controllers only to generate routes to:
     #
-    #      devise_for :users, :only => :sessions
+    #      devise_for :users, only: :sessions
     #
-    #  * :skip_helpers => skip generating Devise url helpers like new_session_path(@user).
+    #  * skip_helpers: skip generating Devise url helpers like new_session_path(@user).
     #    This is useful to avoid conflicts with previous routes and is false by default.
     #    It accepts true as option, meaning it will skip all the helpers for the controllers
     #    given in :skip but it also accepts specific helpers to be skipped:
     #
-    #      devise_for :users, :skip => [:registrations, :confirmations], :skip_helpers => true
-    #      devise_for :users, :skip_helpers => [:registrations, :confirmations]
+    #      devise_for :users, skip: [:registrations, :confirmations], skip_helpers: true
+    #      devise_for :users, skip_helpers: [:registrations, :confirmations]
+    #
+    #  * format: include "(.:format)" in the generated routes? true by default, set to false to disable:
     #
-    #  * :format => include "(.:format)" in the generated routes? true by default, set to false to disable:
+    #      devise_for :users, format: false
     #
-    #      devise_for :users, :format => false
+    #  * constraints: works the same as Rails' constraints
     #
-    #  * :constraints => works the same as Rails' constraints
+    #  * defaults: works the same as Rails' defaults
     #
-    #  * :defaults => works the same as Rails' defaults
+    #  * router_name: allows application level router name to be overwritten for the current scope
     #
     # ==== Scoping
     #
@@ -170,7 +195,7 @@ module ActionDispatch::Routing
     #
     #   class ApplicationController < ActionController::Base
     #     def self.default_url_options
-    #       { :locale => I18n.locale }
+    #       { locale: I18n.locale }
     #     end
     #   end
     #
@@ -195,7 +220,7 @@ module ActionDispatch::Routing
     # In order to get Devise to recognize the deactivate action, your devise_scope entry should look like this:
     #
     #     devise_scope :owner do
-    #       post "deactivate", :to => "registrations#deactivate", :as => "deactivate_registration"
+    #       post "deactivate", to: "registrations#deactivate", as: "deactivate_registration"
     #     end
     #
     def devise_for(*resources)
@@ -221,7 +246,7 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name) unless mapping.to.respond_to?(:devise)
         rescue NameError => e
           raise unless mapping.class_name == resource.to_s.classify
-          warn "[WARNING] You provided devise_for #{resource.inspect} but there is " <<
+          warn "[WARNING] You provided devise_for #{resource.inspect} but there is " \
             "no model #{mapping.class_name} defined in your application"
           next
         rescue NoMethodError => e
@@ -229,7 +254,14 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name)
         end
 
-        routes  = mapping.used_routes
+        if options[:controllers] && options[:controllers][:omniauth_callbacks]
+          unless mapping.omniauthable?
+            raise ArgumentError, "Mapping omniauth_callbacks on a resource that is not omniauthable\n" \
+              "Please add `devise :omniauthable` to the `#{mapping.class_name}` model"
+          end
+        end
+
+        routes = mapping.used_routes
 
         devise_scope mapping.name do
           with_devise_exclusive_scope mapping.fullpath, mapping.name, options do
@@ -252,7 +284,7 @@ module ActionDispatch::Routing
     #   end
     #
     #   authenticate :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show", :as => :user_root
+    #     root to: "admin/dashboard#show", as: :user_root
     #   end
     #
     def authenticate(scope=nil, block=nil)
@@ -266,18 +298,18 @@ module ActionDispatch::Routing
     # a model and allows extra constraints to be done on the instance.
     #
     #   authenticated :admin do
-    #     root :to => 'admin/dashboard#show', :as => :admin_root
+    #     root to: 'admin/dashboard#show', as: :admin_root
     #   end
     #
     #   authenticated do
-    #     root :to => 'dashboard#show', :as => :authenticated_root
+    #     root to: 'dashboard#show', as: :authenticated_root
     #   end
     #
     #   authenticated :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show", :as => :user_root
+    #     root to: "admin/dashboard#show", as: :user_root
     #   end
     #
-    #   root :to => 'landing#show'
+    #   root to: 'landing#show'
     #
     def authenticated(scope=nil, block=nil)
       constraints_for(:authenticate?, scope, block) do
@@ -290,15 +322,15 @@ module ActionDispatch::Routing
     #
     #   unauthenticated do
     #     as :user do
-    #       root :to => 'devise/registrations#new'
+    #       root to: 'devise/registrations#new'
     #     end
     #   end
     #
-    #   root :to => 'dashboard#show'
+    #   root to: 'dashboard#show'
     #
     def unauthenticated(scope=nil)
       constraint = lambda do |request|
-        not request.env["warden"].authenticate? :scope => scope
+        not request.env["warden"].authenticate? scope: scope
       end
 
       constraints(constraint) do
@@ -308,10 +340,10 @@ module ActionDispatch::Routing
 
     # Sets the devise scope to be used in the controller. If you have custom routes,
     # you are required to call this method (also aliased as :as) in order to specify
-    # to which controller it is targetted.
+    # to which controller it is targeted.
     #
     #   as :user do
-    #     get "sign_in", :to => "devise/sessions#new"
+    #     get "sign_in", to: "devise/sessions#new"
     #   end
     #
     # Notice you cannot have two scopes mapping to the same URL. And remember, if
@@ -343,41 +375,42 @@ module ActionDispatch::Routing
     protected
 
       def devise_session(mapping, controllers) #:nodoc:
-        resource :session, :only => [], :controller => controllers[:sessions], :path => "" do
-          get   :new,     :path => mapping.path_names[:sign_in],  :as => "new"
-          post  :create,  :path => mapping.path_names[:sign_in]
-          match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy", :via => mapping.sign_out_via
+        resource :session, only: [], controller: controllers[:sessions], path: "" do
+          get   :new,     path: mapping.path_names[:sign_in],  as: "new"
+          post  :create,  path: mapping.path_names[:sign_in]
+          match :destroy, path: mapping.path_names[:sign_out], as: "destroy", via: mapping.sign_out_via
         end
       end
 
       def devise_password(mapping, controllers) #:nodoc:
-        resource :password, :only => [:new, :create, :edit, :update],
-          :path => mapping.path_names[:password], :controller => controllers[:passwords]
+        resource :password, only: [:new, :create, :edit, :update],
+          path: mapping.path_names[:password], controller: controllers[:passwords]
       end
 
       def devise_confirmation(mapping, controllers) #:nodoc:
-        resource :confirmation, :only => [:new, :create, :show],
-          :path => mapping.path_names[:confirmation], :controller => controllers[:confirmations]
+        resource :confirmation, only: [:new, :create, :show],
+          path: mapping.path_names[:confirmation], controller: controllers[:confirmations]
       end
 
       def devise_unlock(mapping, controllers) #:nodoc:
         if mapping.to.unlock_strategy_enabled?(:email)
-          resource :unlock, :only => [:new, :create, :show],
-            :path => mapping.path_names[:unlock], :controller => controllers[:unlocks]
+          resource :unlock, only: [:new, :create, :show],
+            path: mapping.path_names[:unlock], controller: controllers[:unlocks]
         end
       end
 
       def devise_registration(mapping, controllers) #:nodoc:
         path_names = {
-          :new => mapping.path_names[:sign_up],
-          :cancel => mapping.path_names[:cancel]
+          new: mapping.path_names[:sign_up],
+          edit: mapping.path_names[:edit],
+          cancel: mapping.path_names[:cancel]
         }
 
         options = {
-          :only => [:new, :create, :edit, :update, :destroy],
-          :path => mapping.path_names[:registration],
-          :path_names => path_names,
-          :controller => controllers[:registrations]
+          only: [:new, :create, :edit, :update, :destroy],
+          path: mapping.path_names[:registration],
+          path_names: path_names,
+          controller: controllers[:registrations]
         }
 
         resource :registration, options do
@@ -388,64 +421,62 @@ module ActionDispatch::Routing
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
         if mapping.fullpath =~ /:[a-zA-Z_]/
           raise <<-ERROR
-Devise does not support scoping omniauth callbacks under a dynamic segment
+Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
-`skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
-
-    match "/users/auth/:provider",
-      :constraints => { :provider => /\A(google|facebook)\z/ },
-      :to => "devise/omniauth_callbacks#passthru",
-      :as => :omniauth_authorize,
-      :via => [:get, :post]
-
-    match "/users/auth/:action/callback",
-      :constraints => { :action => /\A(google|facebook)\z/ },
-      :to => "devise/omniauth_callbacks",
-      :as => :omniauth_callback,
-      :via => [:get, :post]
+`skip: :omniauth_callbacks` to the `devise_for` call and extract omniauth
+options to another `devise_for` call outside the scope. Here is an example:
+
+    devise_for :users, only: :omniauth_callbacks, controllers: {omniauth_callbacks: 'users/omniauth_callbacks'}
+
+    scope '/(:locale)', locale: /ru|en/ do
+      devise_for :users, skip: :omniauth_callbacks
+    end
 ERROR
         end
-
-        path, @scope[:path] = @scope[:path], nil
+        current_scope = @scope.dup
+        if @scope.respond_to? :new
+          @scope = @scope.new path: nil
+        else
+          @scope[:path] = nil
+        end
         path_prefix = Devise.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
 
         set_omniauth_path_prefix!(path_prefix)
 
-        providers = Regexp.union(mapping.to.omniauth_providers.map(&:to_s))
-
-        match "#{path_prefix}/:provider",
-          :constraints => { :provider => providers },
-          :to => "#{controllers[:omniauth_callbacks]}#passthru",
-          :as => :omniauth_authorize,
-          :via => [:get, :post]
+        mapping.to.omniauth_providers.each do |provider|
+          match "#{path_prefix}/#{provider}",
+            to: "#{controllers[:omniauth_callbacks]}#passthru",
+            as: "#{provider}_omniauth_authorize",
+            via: [:get, :post]
 
-        match "#{path_prefix}/:action/callback",
-          :constraints => { :action => providers },
-          :to => controllers[:omniauth_callbacks],
-          :as => :omniauth_callback,
-          :via => [:get, :post]
+          match "#{path_prefix}/#{provider}/callback",
+            to: "#{controllers[:omniauth_callbacks]}##{provider}",
+            as: "#{provider}_omniauth_callback",
+            via: [:get, :post]
+        end
       ensure
-        @scope[:path] = path
+        @scope = current_scope
       end
 
-      DEVISE_SCOPE_KEYS = [:as, :path, :module, :constraints, :defaults, :options]
-
       def with_devise_exclusive_scope(new_path, new_as, options) #:nodoc:
-        old = {}
-        DEVISE_SCOPE_KEYS.each { |k| old[k] = @scope[k] }
+        current_scope = @scope.dup
 
-        new = { :as => new_as, :path => new_path, :module => nil }
-        new.merge!(options.slice(:constraints, :defaults, :options))
+        exclusive = { as: new_as, path: new_path, module: nil }
+        exclusive.merge!(options.slice(:constraints, :defaults, :options))
 
-        @scope.merge!(new)
+        if @scope.respond_to? :new
+          @scope = @scope.new exclusive
+        else
+          exclusive.each_pair { |key, value| @scope[key] = value }
+        end
         yield
       ensure
-        @scope.merge!(old)
+        @scope = current_scope
       end
 
       def constraints_for(method_to_apply, scope=nil, block=nil)
         constraint = lambda do |request|
-          request.env['warden'].send(method_to_apply, :scope => scope) &&
+          request.env['warden'].send(method_to_apply, scope: scope) &&
             (block.nil? || block.call(request.env["warden"].user(scope)))
         end
 

data/lib/devise/rails/warden_compat.rb

@@ -1,19 +1,12 @@
+# frozen_string_literal: true
+
 module Warden::Mixins::Common
   def request
     @request ||= ActionDispatch::Request.new(env)
   end
 
-  # Deprecate: Remove this check once we move to Rails 4 only.
-  NULL_STORE =
-    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
-      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
-
   def reset_session!
-    # Calling reset_session on NULL_STORE causes it fail.
-    # This is a bug that needs to be fixed in Rails.
-    unless NULL_STORE && request.session.is_a?(NULL_STORE)
-      request.reset_session
-    end
+    request.reset_session
   end
 
   def cookies

data/lib/devise/rails.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise/rails/routes'
 require 'devise/rails/warden_compat'
 
@@ -11,13 +13,15 @@ module Devise
     end
 
     # Force routes to be loaded if we are doing any eager load.
-    config.before_eager_load { |app| app.reload_routes! }
+    config.before_eager_load do |app|
+      app.reload_routes! if Devise.reload_routes
+    end
 
     initializer "devise.url_helpers" do
       Devise.include_helpers(Devise::Controllers)
     end
 
-    initializer "devise.omniauth" do |app|
+    initializer "devise.omniauth", after: :load_config_initializers, before: :build_middleware_stack do |app|
       Devise.omniauth_configs.each do |provider, config|
         app.middleware.use config.strategy_class, *config.args do |strategy|
           config.strategy = strategy
@@ -29,22 +33,15 @@ module Devise
       end
     end
 
-    initializer "devise.secret_key" do
+    initializer "devise.secret_key" do |app|
+      Devise.secret_key ||= Devise::SecretKeyFinder.new(app).find
+
       Devise.token_generator ||=
         if secret_key = Devise.secret_key
           Devise::TokenGenerator.new(
-            Devise::CachingKeyGenerator.new(Devise::KeyGenerator.new(secret_key))
+            ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key))
           )
         end
     end
-
-    initializer "devise.fix_routes_proxy_missing_respond_to_bug" do
-      # Deprecate: Remove once we move to Rails 4 only.
-      ActionDispatch::Routing::RoutesProxy.class_eval do
-        def respond_to?(method, include_private = false)
-          super || routes.url_helpers.respond_to?(method)
-        end
-      end
-    end
   end
 end

data/lib/devise/secret_key_finder.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecretKeyFinder
+    def initialize(application)
+      @application = application
+    end
+
+    def find
+      if @application.respond_to?(:credentials) && key_exists?(@application.credentials)
+        @application.credentials.secret_key_base
+      elsif @application.respond_to?(:secrets) && key_exists?(@application.secrets)
+        @application.secrets.secret_key_base
+      elsif @application.config.respond_to?(:secret_key_base) && key_exists?(@application.config)
+        @application.config.secret_key_base
+      elsif @application.respond_to?(:secret_key_base) && key_exists?(@application)
+        @application.secret_key_base
+      end
+    end
+
+    private
+
+    def key_exists?(object)
+      object.secret_key_base.present?
+    end
+  end
+end

data/lib/devise/strategies/authenticatable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise/strategies/base'
 
 module Devise
@@ -16,11 +18,18 @@ module Devise
         valid_for_params_auth? || valid_for_http_auth?
       end
 
+      # Override and set to false for things like OmniAuth that technically
+      # run through Authentication (user_set) very often, which would normally
+      # reset CSRF data in the session
+      def clean_up_csrf?
+        true
+      end
+
     private
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
       # An optional block that will be triggered while validating can be optionally
-      # given as parameter. Check Devise::Models::Authenticable.valid_for_authentication?
+      # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #
       # In case the resource can't be validated, it will fail with the given
@@ -29,7 +38,6 @@ module Devise
         result = resource && resource.valid_for_authentication?(&block)
 
         if result
-          decorate(resource)
           true
         else
           if resource
@@ -40,7 +48,7 @@ module Devise
       end
 
       # Get values from params and set in the resource.
-      def decorate(resource)
+      def remember_me(resource)
         resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
       end
 
@@ -49,9 +57,9 @@ module Devise
         valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
       end
 
-      # Check if this is strategy is valid for http authentication by:
+      # Check if this is a valid strategy for http authentication by:
       #
-      #   * Validating if the model allows params authentication;
+      #   * Validating if the model allows http authentication;
       #   * If any of the authorization headers were sent;
       #   * If all authentication keys are present;
       #
@@ -59,7 +67,7 @@ module Devise
         http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
       end
 
-      # Check if this is strategy is valid for params authentication by:
+      # Check if this is a valid strategy for params authentication by:
       #
       #   * Validating if the model allows params authentication;
       #   * If the request hits the sessions controller through POST;
@@ -102,14 +110,17 @@ module Devise
         params_auth_hash.is_a?(Hash)
       end
 
-      # Check if password is present and is not equal to "X" (default value for token).
+      # Note: unlike `Model.valid_password?`, this method does not actually
+      # ensure that the password in the params matches the password stored in
+      # the database. It only checks if the password is *present*. Do not rely
+      # on this method for validating that a given password is correct.
       def valid_password?
-        password.present? && password != "X"
+        password.present?
       end
 
       # Helper to decode credentials from HTTP.
       def decode_credentials
-        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/m
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
         Base64.decode64($1).split(/:/, 2)
       end
 

data/lib/devise/strategies/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Strategies
     # Base strategy for Devise. Responsible for verifying correct scope and mapping.
@@ -17,4 +19,4 @@ module Devise
       end
     end
   end
-end
+end