devise 3.3.0 → 3.5.10

data/test/integration/http_authenticatable_test.rb

@@ -42,7 +42,7 @@ class HttpAuthenticationTest < ActionDispatch::IntegrationTest
     sign_in_as_new_user_with_http("unknown")
     assert_equal 401, status
     assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
-    assert_match "<error>Invalid email address or password.</error>", response.body
+    assert_match "<error>Invalid email or password.</error>", response.body
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

data/test/integration/omniauthable_test.rb

@@ -20,9 +20,11 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
       "credentials" => {"token" => 'plataformatec'},
       "extra" => {"user_hash" => FACEBOOK_INFO}
     }
+    OmniAuth.config.add_camelization 'facebook', 'FaceBook'
   end
 
   teardown do
+    OmniAuth.config.camelizations.delete('facebook')
     OmniAuth.config.test_mode = false
   end
 
@@ -40,7 +42,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "can access omniauth.auth in the env hash" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     json = ActiveSupport::JSON.decode(response.body)
 
@@ -54,7 +56,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign up" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -75,7 +77,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on cancel" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -86,7 +88,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign in" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -96,13 +98,13 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "sign in and send remember token if configured" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
     assert_nil warden.cookies["remember_user_token"]
 
     stub_action!(:sign_in_facebook) do
       create_user
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
       assert warden.authenticated?(:user)
       assert warden.cookies["remember_user_token"]
     end
@@ -118,16 +120,16 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
     OmniAuth.config.mock_auth[:facebook] = :access_denied
     visit "/users/auth/facebook/callback?error=access_denied"
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Access denied".'
+    assert_contain 'Could not authenticate you from FaceBook because "Access denied".'
   end
 
-  test "handles other exceptions from omniauth" do
+  test "handles other exceptions from OmniAuth" do
     OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Invalid credentials".'
+    assert_contain 'Could not authenticate you from FaceBook because "Invalid credentials".'
   end
 end

data/test/integration/recoverable_test.rb

@@ -197,6 +197,19 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'does not sign in user automatically after changing its password if config.sign_in_after_reset_password is false' do
+    swap Devise, sign_in_after_reset_password: false do
+      create_user
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert_not_contain 'You are now signed in.'
+      assert_equal new_user_session_path, @request.path
+      assert !warden.authenticated?(:user)
+    end
+  end
+
   test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
     [:none, :time].each do |strategy|
       swap Devise, unlock_strategy: strategy do

data/test/integration/rememberable_test.rb

@@ -1,10 +1,15 @@
 require 'test_helper'
 
 class RememberMeTest < ActionDispatch::IntegrationTest
+  if (Rails::VERSION::MAJOR < 4) || (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR < 1)
+    require 'time_helpers'
+    include ActiveSupport::Testing::TimeHelpers
+  end
+
   def create_user_and_remember(add_to_token='')
     user = create_user
     user.remember_me!
-    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
+    raw_cookie = User.serialize_into_cookie(user).tap { |a| a[1] << add_to_token }
     cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
     user
   end
@@ -92,7 +97,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -118,6 +122,40 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path
@@ -135,7 +173,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
 
   test 'do not remember with expired token' do
     create_user_and_remember
-    swap Devise, remember_for: 0 do
+    swap Devise, remember_for: 0.days do
       get users_path
       assert_not warden.authenticated?(:user)
       assert_redirected_to new_user_session_path
@@ -164,4 +202,13 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     get users_path
     assert_not warden.authenticated?(:user)
   end
+
+  test 'valid sign in calls after_remembered callback' do
+    user = create_user_and_remember
+
+    User.expects(:serialize_from_cookie).returns user
+    user.expects :after_remembered
+
+    get new_user_registration_path
+  end
 end

data/test/integration/timeoutable_test.rb

@@ -24,6 +24,18 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_equal old_last_request, last_request_at
   end
 
+  test 'does not set last request at in user session after each request if timeoutable is disabled' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    new_time = 2.seconds.from_now
+    Time.stubs(:now).returns(new_time)
+
+    get users_path, {}, 'devise.skip_timeoutable' => true
+    assert_equal old_last_request, last_request_at
+  end
+
   test 'does not time out user session before default limit time' do
     sign_in_as_user
     assert_response :success
@@ -110,23 +122,6 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_contain 'You are signed in'
   end
 
-  test 'admin does not explode on time out' do
-    admin = sign_in_as_admin
-    get expire_admin_path(admin)
-
-    Admin.send :define_method, :reset_authentication_token! do
-      nil
-    end
-
-    begin
-      get admins_path
-      assert_redirected_to admins_path
-      assert_not warden.authenticated?(:admin)
-    ensure
-      Admin.send(:remove_method, :reset_authentication_token!)
-    end
-  end
-
   test 'user configured timeout limit' do
     swap Devise, timeout_in: 8.minutes do
       user = sign_in_as_user
@@ -180,7 +175,7 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'does not crashes when the last_request_at is a String' do
+  test 'does not crash when the last_request_at is a String' do
     user = sign_in_as_user
 
     get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)

data/test/mailers/confirmation_instructions_test.rb

@@ -86,7 +86,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     host, port = ActionMailer::Base.default_url_options.values_at :host, :port
 
     if mail.body.encoded =~ %r{<a href=\"http://#{host}:#{port}/users/confirmation\?confirmation_token=([^"]+)">}
-      assert_equal Devise.token_generator.digest(user.class, :confirmation_token, $1), user.confirmation_token
+      assert_equal $1, user.confirmation_token
     else
       flunk "expected confirmation url regex to match"
     end

data/test/mapping_test.rb

@@ -62,6 +62,7 @@ class MappingTest < ActiveSupport::TestCase
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
+    assert_equal :user, Devise::Mapping.find_scope!("user")
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
@@ -70,6 +71,12 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
   end
 
+  test 'find scope uses devise_scope' do
+    user = User.new
+    def user.devise_scope; :special_scope; end
+    assert_equal :special_scope, Devise::Mapping.find_scope!(user)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)

data/test/models/authenticatable_test.rb

@@ -10,4 +10,14 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }), user
     assert_nil User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id.to_s.next)
   end
+
+  if defined?(ActionController::Parameters)
+    test 'does not passes an ActionController::Parameters to find_first_by_auth_conditions through find_or_initialize_with_errors' do
+      user = create_user(email: 'example@example.com')
+      attributes = ActionController::Parameters.new(email: 'example@example.com')
+
+      User.expects(:find_first_by_auth_conditions).with('email' => 'example@example.com').returns(user)
+      User.find_or_initialize_with_errors([:email], attributes)
+    end
+  end
 end

data/test/models/confirmable_test.rb

@@ -23,31 +23,24 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should confirm a user by updating confirmed at' do
     user = create_user
     assert_nil user.confirmed_at
-    assert user.confirm!
+    assert user.confirm
     assert_not_nil user.confirmed_at
   end
 
-  test 'should clear confirmation token while confirming a user' do
-    user = create_user
-    assert_present user.confirmation_token
-    user.confirm!
-    assert_nil user.confirmation_token
-  end
-
   test 'should verify whether a user is confirmed or not' do
     assert_not new_user.confirmed?
     user = create_user
     assert_not user.confirmed?
-    user.confirm!
+    user.confirm
     assert user.confirmed?
   end
 
   test 'should not confirm a user already confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     assert_blank user.errors[:email]
 
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
@@ -80,6 +73,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
   end
 
+  test 'should show error when a token has already been used' do
+    user = create_user
+    raw  = user.raw_confirmation_token
+    User.confirm_by_token(raw)
+    assert user.reload.confirmed?
+
+    confirmed_user = User.confirm_by_token(raw)
+    assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
+  end
+
   test 'should send confirmation instructions by email' do
     assert_email_sent "mynewuser@example.com" do
       create_user email: "mynewuser@example.com"
@@ -111,7 +114,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      assert !user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -165,18 +168,19 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should not reset confirmation status or token when updating email' do
     user = create_user
-    user.confirm!
+    original_token = user.confirmation_token
+    user.confirm
     user.email = 'new_test@example.com'
     user.save!
 
     user.reload
     assert user.confirmed?
-    assert_nil user.confirmation_token
+    assert_equal original_token, user.confirmation_token
   end
 
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
-    user.confirm!
+    user.confirm
     assert_not user.resend_confirmation_instructions
     assert user.confirmed?
     assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
@@ -211,7 +215,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not user.confirmed?
     assert_not user.active_for_authentication?
 
-    user.confirm!
+    user.confirm
     assert user.confirmed?
     assert user.active_for_authentication?
   end
@@ -219,15 +223,16 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be active when confirm in is zero' do
     Devise.allow_unconfirmed_access_for = 0.days
     user = create_user
-    user.confirmation_sent_at = Date.today
+    user.confirmation_sent_at = Time.zone.today
     assert_not user.active_for_authentication?
   end
 
   test 'should be active when we set allow_unconfirmed_access_for to nil' do
-    Devise.allow_unconfirmed_access_for = nil
-    user = create_user
-    user.confirmation_sent_at = Date.today
-    assert user.active_for_authentication?
+    swap Devise, allow_unconfirmed_access_for: nil do
+      user = create_user
+      user.confirmation_sent_at = Time.zone.today
+      assert user.active_for_authentication?
+    end
   end
 
   test 'should not be active without confirmation' do
@@ -245,6 +250,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.reload.active_for_authentication?
   end
 
+  test 'should not break when a user tries to reset their password in the case where confirmation is not required and confirm_within is set' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      user.instance_eval { def confirmation_required?; false end }
+      user.confirmation_sent_at = nil
+      user.save
+      assert user.reload.confirm!
+    end
+  end
+
   test 'should find a user to send email instructions for the user confirm its email by authentication_keys' do
     swap Devise, authentication_keys: [:username, :email] do
       user = create_user
@@ -286,12 +301,23 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'always generate a new token on resend' do
+  test 'do not generate a new token on resend' do
     user = create_user
     old  = user.confirmation_token
     user = User.find(user.id)
     user.resend_confirmation_instructions
-    assert_not_equal user.confirmation_token, old
+    assert_equal user.confirmation_token, old
+  end
+
+  test 'generate a new token after first has expired' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      old = user.confirmation_token
+      user.update_attribute(:confirmation_sent_at, 4.days.ago)
+      user = User.find(user.id)
+      user.resend_confirmation_instructions
+      assert_not_equal user.confirmation_token, old
+    end
   end
 
   test 'should call after_confirmation if confirmed' do
@@ -300,43 +326,52 @@ class ConfirmableTest < ActiveSupport::TestCase
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert user.confirm!
+    assert user.confirm
     assert_not_equal user.username, old
   end
 
   test 'should not call after_confirmation if not confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     user.define_singleton_method :after_confirmation do
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal user.username, old
   end
+
+  test 'should always perform validations upon confirm when ensure valid true' do
+    admin = create_admin
+    admin.stubs(:valid?).returns(false)
+    assert_not admin.confirm(ensure_valid: true)
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase
   test 'should not worry about validations on confirm even with reconfirmable' do
     admin = create_admin
     admin.reset_password_token = "a"
-    assert admin.confirm!
+    assert admin.confirm
   end
 
   test 'should generate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
-    assert_nil admin.confirmation_token
+    assert admin.confirm
+    residual_token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_not_nil admin.confirmation_token
+    assert_not_equal residual_token, admin.confirmation_token
   end
 
-  test 'should not generate confirmation token if skipping reconfirmation after changing email' do
+  test 'should not regenerate confirmation token or require reconfirmation if skipping reconfirmation after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    original_token = admin.confirmation_token
+    assert admin.confirm
     admin.skip_reconfirmation!
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_nil admin.confirmation_token
+    assert admin.confirmed?
+    assert_not admin.pending_reconfirmation?
+    assert_equal original_token, admin.confirmation_token
   end
 
   test 'should skip sending reconfirmation email when email is changed and skip_confirmation_notification! is invoked' do
@@ -350,7 +385,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should regenerate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'old_test@example.com')
     token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -359,7 +394,15 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should send confirmation instructions by email after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
+    assert_email_sent "new_test@example.com" do
+      assert admin.update_attributes(email: 'new_test@example.com')
+    end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
+  end
+
+  test 'should send confirmation instructions by email after changing email from nil' do
+    admin = create_admin(email: nil)
     assert_email_sent "new_test@example.com" do
       assert admin.update_attributes(email: 'new_test@example.com')
     end
@@ -368,7 +411,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       assert admin.update_attributes(password: 'newpass', password_confirmation: 'newpass')
     end
@@ -376,7 +419,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing to a blank email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       admin.email = ''
       admin.save(validate: false)
@@ -385,23 +428,23 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should stay confirmed when email is changed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert admin.confirmed?
   end
 
   test 'should update email only when it is confirmed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
-    assert admin.confirm!
+    assert admin.confirm
     assert_equal 'new_test@example.com', admin.email
   end
 
   test 'should not allow admin to get past confirmation email by resubmitting their new address' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -410,7 +453,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should find a admin by send confirmation instructions with unconfirmed_email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     confirmation_admin = Admin.send_confirmation_instructions(email: admin.unconfirmed_email)
     assert_equal confirmation_admin, admin
@@ -451,4 +494,18 @@ class ReconfirmableTest < ActiveSupport::TestCase
       :unconfirmed_email
     ]
   end
+
+  test 'should not require reconfirmation after creating a record' do
+    admin = create_admin
+    assert !admin.pending_reconfirmation?
+  end
+
+  test 'should not require reconfirmation after creating a record with #save called in callback' do
+    class Admin::WithSaveInCallback < Admin
+      after_create :save
+    end
+
+    admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
+    assert !admin.pending_reconfirmation?
+  end
 end

data/test/models/database_authenticatable_test.rb

@@ -3,6 +3,10 @@ require 'test_models'
 require 'digest/sha1'
 
 class DatabaseAuthenticatableTest < ActiveSupport::TestCase
+  def setup
+    setup_mailer
+  end
+
   test 'should downcase case insensitive keys when saving' do
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
@@ -225,6 +229,22 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "can't be blank", user.errors[:current_password].join
   end
 
+  test 'should not email on password change' do
+    user = create_user
+    assert_email_not_sent do
+      assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+    end
+  end
+
+  test 'should email on password change when configured' do
+    swap Devise, send_password_change_notification: true do
+      user = create_user
+      assert_email_sent user.email do
+        assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+      end
+    end
+  end
+
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")