RubyGems - devise - Versions diffs - 3.2.4 → 4.7.1 - Mend

devise 3.2.4 → 4.7.1

Files changed (235) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +259 -994
data/MIT-LICENSE +1 -1
data/README.md +336 -99
data/app/controllers/devise/confirmations_controller.rb +9 -3
data/app/controllers/devise/omniauth_callbacks_controller.rb +12 -6
data/app/controllers/devise/passwords_controller.rb +19 -6
data/app/controllers/devise/registrations_controller.rb +55 -22
data/app/controllers/devise/sessions_controller.rb +44 -14
data/app/controllers/devise/unlocks_controller.rb +7 -2
data/app/controllers/devise_controller.rb +65 -29
data/app/helpers/devise_helper.rb +12 -19
data/app/mailers/devise/mailer.rb +10 -0
data/app/views/devise/confirmations/new.html.erb +8 -4
data/app/views/devise/mailer/email_changed.html.erb +7 -0
data/app/views/devise/mailer/password_change.html.erb +3 -0
data/app/views/devise/passwords/edit.html.erb +15 -6
data/app/views/devise/passwords/new.html.erb +8 -4
data/app/views/devise/registrations/edit.html.erb +27 -13
data/app/views/devise/registrations/new.html.erb +19 -8
data/app/views/devise/sessions/new.html.erb +18 -9
data/app/views/devise/shared/_error_messages.html.erb +15 -0
data/app/views/devise/shared/{_links.erb → _links.html.erb} +9 -9
data/app/views/devise/unlocks/new.html.erb +8 -4
data/config/locales/en.yml +22 -16
data/lib/devise/controllers/helpers.rb +109 -29
data/lib/devise/controllers/rememberable.rb +12 -3
data/lib/devise/controllers/scoped_views.rb +2 -0
data/lib/devise/controllers/sign_in_out.rb +36 -20
data/lib/devise/controllers/store_location.rb +31 -5
data/lib/devise/controllers/url_helpers.rb +9 -7
data/lib/devise/delegator.rb +2 -0
data/lib/devise/encryptor.rb +24 -0
data/lib/devise/failure_app.rb +116 -36
data/lib/devise/hooks/activatable.rb +5 -4
data/lib/devise/hooks/csrf_cleaner.rb +5 -1
data/lib/devise/hooks/forgetable.rb +2 -0
data/lib/devise/hooks/lockable.rb +6 -1
data/lib/devise/hooks/proxy.rb +3 -1
data/lib/devise/hooks/rememberable.rb +2 -0
data/lib/devise/hooks/timeoutable.rb +15 -8
data/lib/devise/hooks/trackable.rb +2 -0
data/lib/devise/mailers/helpers.rb +7 -4
data/lib/devise/mapping.rb +8 -2
data/lib/devise/models/authenticatable.rb +76 -51
data/lib/devise/models/confirmable.rb +129 -34
data/lib/devise/models/database_authenticatable.rb +107 -30
data/lib/devise/models/lockable.rb +19 -9
data/lib/devise/models/omniauthable.rb +2 -0
data/lib/devise/models/recoverable.rb +62 -26
data/lib/devise/models/registerable.rb +4 -0
data/lib/devise/models/rememberable.rb +58 -29
data/lib/devise/models/timeoutable.rb +2 -6
data/lib/devise/models/trackable.rb +20 -4
data/lib/devise/models/validatable.rb +12 -5
data/lib/devise/models.rb +3 -1
data/lib/devise/modules.rb +2 -0
data/lib/devise/omniauth/config.rb +2 -0
data/lib/devise/omniauth/url_helpers.rb +14 -5
data/lib/devise/omniauth.rb +2 -0
data/lib/devise/orm/active_record.rb +5 -1
data/lib/devise/orm/mongoid.rb +6 -2
data/lib/devise/parameter_filter.rb +4 -0
data/lib/devise/parameter_sanitizer.rb +139 -65
data/lib/devise/rails/routes.rb +80 -61
data/lib/devise/rails/warden_compat.rb +3 -10
data/lib/devise/rails.rb +8 -17
data/lib/devise/secret_key_finder.rb +27 -0
data/lib/devise/strategies/authenticatable.rb +18 -7
data/lib/devise/strategies/base.rb +2 -0
data/lib/devise/strategies/database_authenticatable.rb +13 -5
data/lib/devise/strategies/rememberable.rb +15 -3
data/lib/devise/test/controller_helpers.rb +165 -0
data/lib/devise/test/integration_helpers.rb +63 -0
data/lib/devise/test_helpers.rb +7 -124
data/lib/devise/time_inflector.rb +2 -0
data/lib/devise/token_generator.rb +3 -41
data/lib/devise/version.rb +3 -1
data/lib/devise.rb +106 -79
data/lib/generators/active_record/devise_generator.rb +44 -7
data/lib/generators/active_record/templates/migration.rb +5 -3
data/lib/generators/active_record/templates/migration_existing.rb +5 -3
data/lib/generators/devise/controllers_generator.rb +46 -0
data/lib/generators/devise/devise_generator.rb +4 -2
data/lib/generators/devise/install_generator.rb +17 -0
data/lib/generators/devise/orm_helpers.rb +10 -21
data/lib/generators/devise/views_generator.rb +21 -11
data/lib/generators/mongoid/devise_generator.rb +7 -5
data/lib/generators/templates/README +2 -9
data/lib/generators/templates/controllers/README +14 -0
data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
data/lib/generators/templates/devise.rb +69 -30
data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
data/lib/generators/templates/markerb/email_changed.markerb +7 -0
data/lib/generators/templates/markerb/password_change.markerb +3 -0
data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +5 -1
data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +10 -2
data/lib/generators/templates/simple_form_for/passwords/new.html.erb +4 -1
data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +11 -3
data/lib/generators/templates/simple_form_for/registrations/new.html.erb +11 -3
data/lib/generators/templates/simple_form_for/sessions/new.html.erb +9 -4
data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +4 -1
metadata +31 -259
data/.gitignore +0 -11
data/.travis.yml +0 -28
data/.yardopts +0 -9
data/CONTRIBUTING.md +0 -14
data/Gemfile +0 -29
data/Gemfile.lock +0 -160
data/Rakefile +0 -35
data/devise.gemspec +0 -27
data/devise.png +0 -0
data/gemfiles/Gemfile.rails-3.2-stable +0 -29
data/gemfiles/Gemfile.rails-4.0-stable +0 -29
data/gemfiles/Gemfile.rails-head +0 -29
data/test/controllers/custom_strategy_test.rb +0 -62
data/test/controllers/helpers_test.rb +0 -276
data/test/controllers/internal_helpers_test.rb +0 -123
data/test/controllers/passwords_controller_test.rb +0 -31
data/test/controllers/sessions_controller_test.rb +0 -103
data/test/controllers/url_helpers_test.rb +0 -59
data/test/delegator_test.rb +0 -19
data/test/devise_test.rb +0 -94
data/test/failure_app_test.rb +0 -232
data/test/generators/active_record_generator_test.rb +0 -103
data/test/generators/devise_generator_test.rb +0 -39
data/test/generators/install_generator_test.rb +0 -13
data/test/generators/mongoid_generator_test.rb +0 -23
data/test/generators/views_generator_test.rb +0 -96
data/test/helpers/devise_helper_test.rb +0 -51
data/test/integration/authenticatable_test.rb +0 -713
data/test/integration/confirmable_test.rb +0 -284
data/test/integration/database_authenticatable_test.rb +0 -84
data/test/integration/http_authenticatable_test.rb +0 -105
data/test/integration/lockable_test.rb +0 -239
data/test/integration/omniauthable_test.rb +0 -133
data/test/integration/recoverable_test.rb +0 -334
data/test/integration/registerable_test.rb +0 -349
data/test/integration/rememberable_test.rb +0 -167
data/test/integration/timeoutable_test.rb +0 -183
data/test/integration/trackable_test.rb +0 -92
data/test/mailers/confirmation_instructions_test.rb +0 -115
data/test/mailers/reset_password_instructions_test.rb +0 -96
data/test/mailers/unlock_instructions_test.rb +0 -91
data/test/mapping_test.rb +0 -127
data/test/models/authenticatable_test.rb +0 -13
data/test/models/confirmable_test.rb +0 -454
data/test/models/database_authenticatable_test.rb +0 -249
data/test/models/lockable_test.rb +0 -316
data/test/models/omniauthable_test.rb +0 -7
data/test/models/recoverable_test.rb +0 -184
data/test/models/registerable_test.rb +0 -7
data/test/models/rememberable_test.rb +0 -183
data/test/models/serializable_test.rb +0 -49
data/test/models/timeoutable_test.rb +0 -51
data/test/models/trackable_test.rb +0 -13
data/test/models/validatable_test.rb +0 -127
data/test/models_test.rb +0 -144
data/test/omniauth/config_test.rb +0 -57
data/test/omniauth/url_helpers_test.rb +0 -54
data/test/orm/active_record.rb +0 -10
data/test/orm/mongoid.rb +0 -13
data/test/parameter_sanitizer_test.rb +0 -81
data/test/rails_app/Rakefile +0 -6
data/test/rails_app/app/active_record/admin.rb +0 -6
data/test/rails_app/app/active_record/shim.rb +0 -2
data/test/rails_app/app/active_record/user.rb +0 -6
data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
data/test/rails_app/app/controllers/admins_controller.rb +0 -11
data/test/rails_app/app/controllers/application_controller.rb +0 -9
data/test/rails_app/app/controllers/home_controller.rb +0 -25
data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
data/test/rails_app/app/controllers/users_controller.rb +0 -31
data/test/rails_app/app/helpers/application_helper.rb +0 -3
data/test/rails_app/app/mailers/users/mailer.rb +0 -12
data/test/rails_app/app/mongoid/admin.rb +0 -29
data/test/rails_app/app/mongoid/shim.rb +0 -23
data/test/rails_app/app/mongoid/user.rb +0 -39
data/test/rails_app/app/views/admins/index.html.erb +0 -1
data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
data/test/rails_app/app/views/home/index.html.erb +0 -1
data/test/rails_app/app/views/home/join.html.erb +0 -1
data/test/rails_app/app/views/home/private.html.erb +0 -1
data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
data/test/rails_app/app/views/layouts/application.html.erb +0 -24
data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
data/test/rails_app/app/views/users/index.html.erb +0 -1
data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
data/test/rails_app/bin/bundle +0 -3
data/test/rails_app/bin/rails +0 -4
data/test/rails_app/bin/rake +0 -4
data/test/rails_app/config/application.rb +0 -40
data/test/rails_app/config/boot.rb +0 -14
data/test/rails_app/config/database.yml +0 -18
data/test/rails_app/config/environment.rb +0 -5
data/test/rails_app/config/environments/development.rb +0 -30
data/test/rails_app/config/environments/production.rb +0 -80
data/test/rails_app/config/environments/test.rb +0 -36
data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
data/test/rails_app/config/initializers/devise.rb +0 -181
data/test/rails_app/config/initializers/inflections.rb +0 -2
data/test/rails_app/config/initializers/secret_token.rb +0 -8
data/test/rails_app/config/initializers/session_store.rb +0 -1
data/test/rails_app/config/routes.rb +0 -105
data/test/rails_app/config.ru +0 -4
data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -71
data/test/rails_app/db/schema.rb +0 -55
data/test/rails_app/lib/shared_admin.rb +0 -17
data/test/rails_app/lib/shared_user.rb +0 -29
data/test/rails_app/public/404.html +0 -26
data/test/rails_app/public/422.html +0 -26
data/test/rails_app/public/500.html +0 -26
data/test/rails_app/public/favicon.ico +0 -0
data/test/routes_test.rb +0 -262
data/test/support/action_controller/record_identifier.rb +0 -10
data/test/support/assertions.rb +0 -40
data/test/support/helpers.rb +0 -70
data/test/support/integration.rb +0 -92
data/test/support/locale/en.yml +0 -8
data/test/support/mongoid.yml +0 -6
data/test/support/webrat/integrations/rails.rb +0 -24
data/test/test_helper.rb +0 -27
data/test/test_helpers_test.rb +0 -173
data/test/test_models.rb +0 -33

data/lib/devise/models/database_authenticatable.rb CHANGED Viewed

@@ -1,25 +1,25 @@
+# frozen_string_literal: true
 require 'devise/strategies/database_authenticatable'
-require 'bcrypt'
 module Devise
-  # Digests the password using bcrypt.
-  def self.bcrypt(klass, password)
-    ::BCrypt::Password.create("#{password}#{klass.pepper}", cost: klass.stretches).to_s
-  end
   module Models
-    # Authenticatable Module, responsible for encrypting password and validating
-    # authenticity of a user while signing in.
+    # Authenticatable Module, responsible for hashing the password and
+    # validating the authenticity of a user while signing in.
     #
     # == Options
     #
-    # DatabaseAuthenticable adds the following options to devise_for:
+    # DatabaseAuthenticatable adds the following options to devise_for:
     #
     #   * +pepper+: a random string used to provide a more secure hash. Use
-    #     `rake secret` to generate new keys.
+    #     `rails secret` to generate new keys.
     #
     #   * +stretches+: the cost given to bcrypt.
     #
+    #   * +send_email_changed_notification+: notify original email when it changes.
+    #
+    #   * +send_password_change_notification+: notify email when password changes.
+    #
     # == Examples
     #
     #    User.find(1).valid_password?('password123')         # returns true/false
@@ -28,26 +28,44 @@ module Devise
       extend ActiveSupport::Concern
       included do
+        after_update :send_email_changed_notification, if: :send_email_changed_notification?
+        after_update :send_password_change_notification, if: :send_password_change_notification?
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
       end
+      def initialize(*args, &block)
+        @skip_email_changed_notification = false
+        @skip_password_change_notification = false
+        super
+      end
+      # Skips sending the email changed notification after_update
+      def skip_email_changed_notification!
+        @skip_email_changed_notification = true
+      end
+      # Skips sending the password change notification after_update
+      def skip_password_change_notification!
+        @skip_password_change_notification = true
+      end
       def self.required_fields(klass)
         [:encrypted_password] + klass.authentication_keys
       end
-      # Generates password encryption based on the given value.
+      # Generates a hashed password based on the given value.
+      # For legacy reasons, we use `encrypted_password` to store
+      # the hashed password.
       def password=(new_password)
         @password = new_password
         self.encrypted_password = password_digest(@password) if @password.present?
       end
-      # Verifies whether an password (ie from sign in) is the user password.
+      # Verifies whether a password (ie from sign in) is the user password.
       def valid_password?(password)
-        return false if encrypted_password.blank?
-        bcrypt   = ::BCrypt::Password.new(encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, encrypted_password)
+        Devise::Encryptor.compare(self.class, encrypted_password, password)
       end
       # Set password and password confirmation to nil
@@ -55,10 +73,23 @@ module Devise
         self.password = self.password_confirmation = nil
       end
-      # Update record attributes when :current_password matches, otherwise returns
-      # error on :current_password. It also automatically rejects :password and
-      # :password_confirmation if they are blank.
+      # Update record attributes when :current_password matches, otherwise
+      # returns error on :current_password.
+      #
+      # This method also rejects the password field if it is blank (allowing
+      # users to change relevant information like the e-mail without changing
+      # their password). In case the password field is rejected, the confirmation
+      # is also rejected as long as it is also blank.
       def update_with_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
         current_password = params.delete(:current_password)
         if params[:password].blank?
@@ -67,11 +98,11 @@ module Devise
         end
         result = if valid_password?(current_password)
-          update_attributes(params, *options)
+          update(params, *options)
         else
-          self.assign_attributes(params, *options)
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          assign_attributes(params, *options)
+          valid?
+          errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
         end
@@ -92,10 +123,19 @@ module Devise
       #   end
       #
       def update_without_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
         params.delete(:password)
         params.delete(:password_confirmation)
-        result = update_attributes(params, *options)
+        result = update(params, *options)
         clean_up_passwords
         result
       end
@@ -107,8 +147,8 @@ module Devise
         result = if valid_password?(current_password)
           destroy
         else
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          valid?
+          errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
         end
@@ -133,19 +173,56 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
+      if Devise.activerecord51?
+        # Send notification to user when email changes.
+        def send_email_changed_notification
+          send_devise_notification(:email_changed, to: email_before_last_save)
+        end
+      else
+        # Send notification to user when email changes.
+        def send_email_changed_notification
+          send_devise_notification(:email_changed, to: email_was)
+        end
+      end
+      # Send notification to user when password changes.
+      def send_password_change_notification
+        send_devise_notification(:password_change)
+      end
     protected
-      # Digests the password using bcrypt. Custom encryption should override
+      # Hashes the password using bcrypt. Custom hash functions should override
       # this method to apply their own algorithm.
       #
       # See https://github.com/plataformatec/devise-encryptable for examples
-      # of other encryption engines.
+      # of other hashing engines.
       def password_digest(password)
-        Devise.bcrypt(self.class, password)
+        Devise::Encryptor.digest(self.class, password)
+      end
+      if Devise.activerecord51?
+        def send_email_changed_notification?
+          self.class.send_email_changed_notification && saved_change_to_email? && !@skip_email_changed_notification
+        end
+      else
+        def send_email_changed_notification?
+          self.class.send_email_changed_notification && email_changed? && !@skip_email_changed_notification
+        end
+      end
+      if Devise.activerecord51?
+        def send_password_change_notification?
+          self.class.send_password_change_notification && saved_change_to_encrypted_password? && !@skip_password_change_notification
+        end
+      else
+        def send_password_change_notification?
+          self.class.send_password_change_notification && encrypted_password_changed? && !@skip_password_change_notification
+        end
       end
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches)
+        Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on

data/lib/devise/models/lockable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require "devise/hooks/lockable"
 module Devise
@@ -7,7 +9,7 @@ module Devise
     # blocked: email and time. The former will send an email to the user when
     # the lock happens, containing a link to unlock its account. The second
     # will unlock the user automatically after some configured time (ie 2.hours).
-    # It's also possible to setup lockable to use both email and time strategies.
+    # It's also possible to set up lockable to use both email and time strategies.
     #
     # == Options
     #
@@ -64,7 +66,7 @@ module Devise
       def send_unlock_instructions
         raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
         self.unlock_token = enc
-        self.save(validate: false)
+        save(validate: false)
         send_devise_notification(:unlock_instructions, raw, {})
         raw
       end
@@ -99,8 +101,7 @@ module Devise
         if super && !access_locked?
           true
         else
-          self.failed_attempts ||= 0
-          self.failed_attempts += 1
+          increment_failed_attempts
           if attempts_exceeded?
             lock_access! unless access_locked?
           else
@@ -109,16 +110,21 @@ module Devise
           false
         end
       end
+      def increment_failed_attempts
+        self.class.increment_counter(:failed_attempts, id)
+        reload
+      end
       def unauthenticated_message
         # If set to paranoid mode, do not show the locked message because it
         # leaks the existence of an account.
         if Devise.paranoid
           super
-        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt?
-          :last_attempt
-        elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+        elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
           :locked
+        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
+          :last_attempt
         else
           super
         end
@@ -155,6 +161,9 @@ module Devise
         end
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -181,7 +190,8 @@ module Devise
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
         # Is the lock enabled for the given lock strategy?
@@ -189,7 +199,7 @@ module Devise
           self.lock_strategy == strategy
         end
-        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys, :last_attempt_warning)
       end
     end
   end

data/lib/devise/models/omniauthable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/omniauth'
 module Devise

data/lib/devise/models/recoverable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
@@ -8,15 +10,13 @@ module Devise
     # Recoverable adds the following options to devise_for:
     #
     #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
     #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
-    #
-    #   # only resets the user password, without saving the record
-    #   user = User.find(1)
-    #   user.reset_password('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
     #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
@@ -28,31 +28,30 @@ module Devise
         [:reset_password_sent_at, :reset_password_token]
       end
+      included do
+        before_update :clear_reset_password_token, if: :clear_reset_password_token?
+      end
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-        if valid?
-          clear_reset_password_token
-          after_password_reset
+      def reset_password(new_password, new_password_confirmation)
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
         end
-        save
       end
       # Resets reset password token and send reset password instructions by email.
       # Returns the token sent in the e-mail.
       def send_reset_password_instructions
-        raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
-        self.reset_password_token   = enc
-        self.reset_password_sent_at = Time.now.utc
-        self.save(validate: false)
+        token = set_reset_password_token
+        send_reset_password_instructions_notification(token)
-        send_devise_notification(:reset_password_instructions, raw, {})
-        raw
+        token
       end
       # Checks if the reset password token sent is within the limit time.
@@ -76,7 +75,7 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
+        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
       protected
@@ -87,10 +86,47 @@ module Devise
           self.reset_password_sent_at = nil
         end
-        def after_password_reset
+        def set_reset_password_token
+          raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
+          self.reset_password_token   = enc
+          self.reset_password_sent_at = Time.now.utc
+          save(validate: false)
+          raw
+        end
+        def send_reset_password_instructions_notification(token)
+          send_devise_notification(:reset_password_instructions, token, {})
+        end
+        if Devise.activerecord51?
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:will_save_change_to_encrypted_password?) && will_save_change_to_encrypted_password?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
+            end
+            authentication_keys_changed || encrypted_password_changed
+          end
+        else
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+            end
+            authentication_keys_changed || encrypted_password_changed
+          end
         end
       module ClassMethods
+        # Attempt to find a user by password reset token. If a user is found, return it
+        # If a user is not found, return nil
+        def with_reset_password_token(token)
+          reset_password_token = Devise.token_generator.digest(self, :reset_password_token, token)
+          to_adapter.find_first(reset_password_token: reset_password_token)
+        end
         # Attempt to find a user by its email. If a record is found, send new
         # password instructions to it. If user is not found, returns a new user
         # with an email not found error.
@@ -114,17 +150,17 @@ module Devise
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
-          recoverable.reset_password_token = original_token
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
           recoverable
         end
-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
       end
     end
   end

data/lib/devise/models/registerable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
     # Registerable is responsible for everything related to registering a new
@@ -19,6 +21,8 @@ module Devise
         def new_with_session(params, session)
           new(params)
         end
+        Devise::Models.config(self, :sign_in_after_change_password)
       end
     end
   end

data/lib/devise/models/rememberable.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 require 'devise/strategies/rememberable'
 require 'devise/hooks/rememberable'
 require 'devise/hooks/forgetable'
 module Devise
   module Models
-    # Rememberable manages generating and clearing token for remember the user
+    # Rememberable manages generating and clearing token for remembering the user
     # from a saved cookie. Rememberable also has utility methods for dealing
     # with serializing the user into the cookie and back from the cookie, trying
     # to lookup the record based on the saved information.
@@ -39,17 +41,15 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
       def self.required_fields(klass)
         [:remember_created_at]
       end
-      # Generate a new remember token and save the record without validations
-      # unless remember_across_browsers is true and the user already has a valid token.
-      def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
-        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
+      def remember_me!
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
@@ -57,28 +57,26 @@ module Devise
       # it exists), and save the record without validations.
       def forget_me!
         return unless persisted?
-        self.remember_token = nil if respond_to?(:remember_token=)
-        self.remember_created_at = nil
+        self.remember_token = nil if respond_to?(:remember_token)
+        self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
         save(validate: false)
       end
-      # Remember token should be expired if expiration time not overpass now.
-      def remember_expired?
-        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
+      def remember_expires_at
+        self.class.remember_for.from_now
       end
-      # Remember token expires at created time + remember_for configuration
-      def remember_expires_at
-        remember_created_at + self.class.remember_for
+      def extend_remember_period
+        self.class.extend_remember_period
       end
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
-          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
             "or have a remember_token column in your model or implement your own " \
             "rememberable_value in the model with custom logic."
@@ -89,29 +87,60 @@ module Devise
         self.class.rememberable_options
       end
-    protected
+      # A callback initiated after successfully being remembered. This can be
+      # used to insert your own logic that is only run after the user is
+      # remembered.
+      #
+      # Example:
+      #
+      #   def after_remembered
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
+      def after_remembered
+      end
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
-      def generate_remember_token? #:nodoc:
-        respond_to?(:remember_token) && remember_expired?
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
       end
-      # Generate a timestamp if extend_remember_period is true, if no remember_token
-      # exists, or if an existing remember token has expired.
-      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_created_at.nil? || remember_expired?
+      private
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
       end
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(id, remember_token)
+        def serialize_from_cookie(*args)
+          id, token, generated_at = *args
           record = to_adapter.get(id)
-          record if record && !record.remember_expired? &&
-                    Devise.secure_compare(record.rememberable_value, remember_token)
+          record if record && record.remember_me?(token, generated_at)
         end
         # Generate a token checking if one does not already exist in the database.
@@ -122,7 +151,7 @@ module Devise
           end
         end
-        Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)
+        Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end
   end

data/lib/devise/models/timeoutable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/hooks/timeoutable'
 module Devise
@@ -26,7 +28,6 @@ module Devise
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        return false if remember_exists_and_not_expired?
         !timeout_in.nil? && last_access && last_access <= timeout_in.ago
       end
@@ -36,11 +37,6 @@ module Devise
       private
-      def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
-        remember_created_at && !remember_expired?
-      end
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end