devise 3.3.0 → 3.5.10

data/test/models/lockable_test.rb

@@ -7,16 +7,16 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should respect maximum attempts configuration" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
       assert user.reload.access_locked?
     end
   end
 
-  test "should increment failed_attempts on successfull validation if the user is already locked" do
+  test "should increment failed_attempts on successful validation if the user is already locked" do
     user = create_user
-    user.confirm!
+    user.confirm
 
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
@@ -29,7 +29,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should not touch failed_attempts if lock_strategy is none" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, lock_strategy: :none, maximum_attempts: 2 do
       3.times { user.valid_for_authentication?{ false } }
       assert !user.access_locked?
@@ -53,7 +53,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "active_for_authentication? should be the opposite of locked?" do
     user = create_user
-    user.confirm!
+    user.confirm
     assert user.active_for_authentication?
     user.lock_access!
     assert_not user.active_for_authentication?
@@ -230,7 +230,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired and increase attempts on failure' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -243,7 +243,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired on success' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -299,18 +299,24 @@ class LockableTest < ActiveSupport::TestCase
   end
 
   test 'should return last attempt message if user made next-to-last attempt of password entering' do
-    swap Devise, last_attempt_warning: :true do
-      swap Devise, lock_strategy: :failed_attempts do
-        user = create_user
-        user.failed_attempts = Devise.maximum_attempts - 2
-        assert_equal :invalid, user.unauthenticated_message
+    swap Devise, last_attempt_warning: true, lock_strategy: :failed_attempts do
+      user = create_user
+      user.failed_attempts = Devise.maximum_attempts - 2
+      assert_equal :invalid, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts - 1
-        assert_equal :last_attempt, user.unauthenticated_message
+      user.failed_attempts = Devise.maximum_attempts - 1
+      assert_equal :last_attempt, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts
-        assert_equal :locked, user.unauthenticated_message
-      end
+      user.failed_attempts = Devise.maximum_attempts
+      assert_equal :locked, user.unauthenticated_message
+    end
+  end
+
+  test 'should not return last attempt message if last_attempt_warning is disabled' do
+    swap Devise, last_attempt_warning: false, lock_strategy: :failed_attempts do
+      user = create_user
+      user.failed_attempts = Devise.maximum_attempts - 1
+      assert_equal :invalid, user.unauthenticated_message
     end
   end
 
@@ -319,4 +325,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end

data/test/models/recoverable_test.rb

@@ -23,13 +23,13 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should reset password and password confirmation from params' do
     user = create_user
-    user.reset_password!('123456789', '987654321')
+    user.reset_password('123456789', '987654321')
     assert_equal '123456789', user.password
     assert_equal '987654321', user.password_confirmation
   end
 
   test 'should reset password and save the record' do
-    assert create_user.reset_password!('123456789', '123456789')
+    assert create_user.reset_password('123456789', '123456789')
   end
 
   test 'should clear reset password token while reseting the password' do
@@ -38,7 +38,53 @@ class RecoverableTest < ActiveSupport::TestCase
 
     user.send_reset_password_instructions
     assert_present user.reset_password_token
-    assert user.reset_password!('123456789', '123456789')
+    assert user.reset_password('123456789', '123456789')
+    assert_nil user.reset_password_token
+  end
+
+  test 'should not clear reset password token for new user' do
+    user = new_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+
+    user.save
+    assert_present user.reset_password_token
+  end
+
+  test 'should clear reset password token if changing password' do
+    user = create_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
+  test 'should clear reset password token if changing email' do
+    user = create_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.email = "another@example.com"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
+  test 'should clear reset password successfully even if there is no email' do
+    user = create_user_without_email
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
     assert_nil user.reset_password_token
   end
 
@@ -46,14 +92,14 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send_reset_password_instructions
     assert_present user.reset_password_token
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
     assert_present user.reset_password_token
   end
 
   test 'should not reset password with invalid data' do
     user = create_user
     user.stubs(:valid?).returns(false)
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
   end
 
   test 'should reset reset password token and send instructions by email' do
@@ -135,6 +181,7 @@ class RecoverableTest < ActiveSupport::TestCase
     reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '')
     assert_not reset_password_user.errors.empty?
     assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_equal raw, reset_password_user.reset_password_token
   end
 
   test 'should reset successfully user password given the new password and confirmation' do
@@ -142,15 +189,17 @@ class RecoverableTest < ActiveSupport::TestCase
     old_password = user.password
     raw  = user.send_reset_password_instructions
 
-    User.reset_password_by_token(
+    reset_password_user = User.reset_password_by_token(
       reset_password_token: raw,
       password: 'new_password',
       password_confirmation: 'new_password'
     )
-    user.reload
+    assert_nil reset_password_user.reset_password_token
 
+    user.reload
     assert_not user.valid_password?(old_password)
     assert user.valid_password?('new_password')
+    assert_nil user.reset_password_token
   end
 
   test 'should not reset password after reset_password_within time' do
@@ -189,6 +238,12 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal User.with_reset_password_token(raw), user
   end
 
+  test 'should return the same reset password token as generated' do
+    user = create_user
+    raw  = user.send_reset_password_instructions
+    assert_equal Devise.token_generator.digest(self.class, :reset_password_token, raw), user.reset_password_token
+  end
+
   test 'should return nil if a user based on the raw token is not found' do
     assert_equal User.with_reset_password_token('random-token'), nil
   end

data/test/models/rememberable_test.rb

@@ -13,6 +13,19 @@ class RememberableTest < ActiveSupport::TestCase
     user = create_user
     user.expects(:valid?).never
     user.remember_me!
+    assert user.remember_created_at
+  end
+
+  test 'remember_me should not generate a new token if valid token exists' do
+    user = create_user
+    user.singleton_class.send(:attr_accessor, :remember_token)
+    User.to_adapter.expects(:find_first).returns(nil)
+
+    user.remember_me!
+    existing_token = user.remember_token
+
+    user.remember_me!
+    assert_equal existing_token, user.remember_token
   end
 
   test 'forget_me should not clear remember token if using salt' do
@@ -33,18 +46,68 @@ class RememberableTest < ActiveSupport::TestCase
   test 'serialize into cookie' do
     user = create_user
     user.remember_me!
-    assert_equal [user.to_key, user.authenticatable_salt], User.serialize_into_cookie(user)
+    id, token, date = User.serialize_into_cookie(user)
+    assert_equal id, user.to_key
+    assert_equal token, user.authenticatable_salt
+    assert date.is_a?(String)
   end
 
   test 'serialize from cookie' do
     user = create_user
     user.remember_me!
-    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
+  end
+
+  test 'serialize from cookie should accept a String with the datetime seconds and microseconds' do
+    user = create_user
+    user.remember_me!
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc.to_f.to_json)
+  end
+
+  test 'serialize from cookie should return nil with invalid datetime' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, "2013")
   end
 
-  test 'raises a RuntimeError if authenticatable_salt is nil' do
+  test 'serialize from cookie should return nil if no resource is found' do
+    assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
+  end
+
+  test 'serialize from cookie should return nil if no timestamp' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
+  end
+
+  test 'serialize from cookie should return nil if timestamp is earlier than token creation' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 1.day.ago)
+  end
+
+  test 'serialize from cookie should return nil if timestamp is older than remember_for' do
+    user = create_user
+    user.remember_created_at = 1.month.ago
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 3.weeks.ago)
+  end
+
+  test 'serialize from cookie me return nil if is a valid resource with invalid token' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, "123", Time.now.utc)
+  end
+
+  test 'raises a RuntimeError if authenticatable_salt is nil or empty' do
+    user = User.new
+    def user.authenticable_salt; nil; end
+    assert_raise RuntimeError do
+      user.rememberable_value
+    end
+
     user = User.new
-    user.encrypted_password = nil
+    def user.authenticable_salt; ""; end
     assert_raise RuntimeError do
       user.rememberable_value
     end
@@ -87,28 +150,7 @@ class RememberableTest < ActiveSupport::TestCase
     resource.forget_me!
   end
 
-  test 'remember is expired if not created at timestamp is set' do
-    assert create_resource.remember_expired?
-  end
-
-  test 'serialize should return nil if no resource is found' do
-    assert_nil resource_class.serialize_from_cookie([0], "123")
-  end
-
-  test 'remember me return nil if is a valid resource with invalid token' do
-    resource = create_resource
-    assert_nil resource_class.serialize_from_cookie([resource.id], "123")
-  end
-
-  test 'remember for should fallback to devise remember for default configuration' do
-    swap Devise, remember_for: 1.day do
-      resource = create_resource
-      resource.remember_me!
-      assert_not resource.remember_expired?
-    end
-  end
-
-  test 'remember expires at should sum date of creation with remember for configuration' do
+  test 'remember expires at uses remember for configuration' do
     swap Devise, remember_for: 3.days do
       resource = create_resource
       resource.remember_me!
@@ -119,77 +161,6 @@ class RememberableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'remember should be expired if remember_for is zero' do
-    swap Devise, remember_for: 0.days do
-      Devise.remember_for = 0.days
-      resource = create_resource
-      resource.remember_me!
-      assert resource.remember_expired?
-    end
-  end
-
-  test 'remember should be expired if it was created before limit time' do
-    swap Devise, remember_for: 1.day do
-      resource = create_resource
-      resource.remember_me!
-      resource.remember_created_at = 2.days.ago
-      resource.save
-      assert resource.remember_expired?
-    end
-  end
-
-  test 'remember should not be expired if it was created within the limit time' do
-    swap Devise, remember_for: 30.days do
-      resource = create_resource
-      resource.remember_me!
-      resource.remember_created_at = (30.days.ago + 2.minutes)
-      resource.save
-      assert_not resource.remember_expired?
-    end
-  end
-
-  test 'if extend_remember_period is false, remember_me! should generate a new timestamp if expired' do
-    swap Devise, remember_for: 5.minutes do
-      resource = create_resource
-      resource.remember_me!(false)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago
-      resource.save
-
-      resource.remember_me!(false)
-      assert_not_equal old.to_i, resource.remember_created_at.to_i
-    end
-  end
-
-  test 'if extend_remember_period is false, remember_me! should not generate a new timestamp' do
-    swap Devise, remember_for: 1.year do
-      resource = create_resource
-      resource.remember_me!(false)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago.utc
-      resource.save
-
-      resource.remember_me!(false)
-      assert_equal old.to_i, resource.remember_created_at.to_i
-    end
-  end
-
-  test 'if extend_remember_period is true, remember_me! should always generate a new timestamp' do
-    swap Devise, remember_for: 1.year do
-      resource = create_resource
-      resource.remember_me!(true)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago
-      resource.save
-
-      resource.remember_me!(true)
-      assert_not_equal old, resource.remember_created_at
-    end
-  end
-
   test 'should have the required_fields array' do
     assert_same_content Devise::Models::Rememberable.required_fields(User), [
       :remember_created_at

data/test/models/validatable_test.rb

@@ -92,10 +92,10 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'is too short (minimum is 7 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 128 characters long' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+  test 'should require a password with maximum of 72 characters long' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do
@@ -109,10 +109,10 @@ class ValidatableTest < ActiveSupport::TestCase
   end
 
   test 'should complain about length even if password is not required' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     user.stubs(:password_required?).returns(false)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not be included in objects with invalid API' do

data/test/models_test.rb

@@ -92,13 +92,20 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 end
 
+module StubModelFilters
+  def stub_filter(name)
+    define_singleton_method(name) { |*| nil }
+  end
+end
+
 class CheckFieldsTest < ActiveSupport::TestCase
   test 'checks if the class respond_to the required fields' do
     Player = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -113,9 +120,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute and shows the missing attribute if the class doesn\'t respond_to one of the attributes' do
     Clown = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -130,9 +138,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute with all the missing attributes if there is more than one' do
     Magician = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
     end

data/test/rails_app/app/active_record/user_without_email.rb

@@ -0,0 +1,8 @@
+require "shared_user_without_email"
+
+class UserWithoutEmail < ActiveRecord::Base
+  self.table_name = 'users'
+  include Shim
+  include SharedUserWithoutEmail
+end
+

data/test/rails_app/app/controllers/admins_controller.rb

@@ -3,9 +3,4 @@ class AdminsController < ApplicationController
 
   def index
   end
-
-  def expire
-    admin_session['last_request_at'] = 31.minutes.ago.utc
-    render text: 'Admin will be expired on next request'
-  end
 end

data/test/rails_app/app/controllers/custom/registrations_controller.rb

@@ -1,4 +1,10 @@
 class Custom::RegistrationsController < Devise::RegistrationsController
+  def new
+    super do |resource|
+      @new_block_called = true
+    end
+  end
+
   def create
     super do |resource|
       @create_block_called = true
@@ -18,4 +24,8 @@ class Custom::RegistrationsController < Devise::RegistrationsController
   def update_block_called?
     @update_block_called == true
   end
+
+  def new_block_called?
+    @new_block_called == true
+  end
 end

data/test/rails_app/app/mailers/users/from_proc_mailer.rb

@@ -0,0 +1,3 @@
+class Users::FromProcMailer < Devise::Mailer
+  default from: proc { 'custom@example.com' }
+end

data/test/rails_app/app/mailers/users/mailer.rb

@@ -1,12 +1,3 @@
 class Users::Mailer < Devise::Mailer
   default from: 'custom@example.com'
 end
-
-class Users::ReplyToMailer < Devise::Mailer
-  default from: 'custom@example.com'
-  default reply_to: 'custom_reply_to@example.com'
-end
-
-class Users::FromProcMailer < Devise::Mailer
-  default from: proc { 'custom@example.com' }
-end

data/test/rails_app/app/mailers/users/reply_to_mailer.rb

@@ -0,0 +1,4 @@
+class Users::ReplyToMailer < Devise::Mailer
+  default from: 'custom@example.com'
+  default reply_to: 'custom_reply_to@example.com'
+end

data/test/rails_app/app/mongoid/user_without_email.rb

@@ -0,0 +1,33 @@
+require "shared_user_without_email"
+
+class UserWithoutEmail
+  include Mongoid::Document
+  include Shim
+  include SharedUserWithoutEmail
+
+  field :username, type: String
+  field :facebook_token, type: String
+
+  ## Database authenticatable
+  field :email, type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  ## Recoverable
+  field :reset_password_token, type: String
+  field :reset_password_sent_at, type: Time
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Trackable
+  field :sign_in_count, type: Integer, default: 0
+  field :current_sign_in_at, type: Time
+  field :last_sign_in_at, type: Time
+  field :current_sign_in_ip, type: String
+  field :last_sign_in_ip, type: String
+
+  ## Lockable
+  field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  field :unlock_token, type: String # Only if unlock strategy is :email or :both
+  field :locked_at, type: Time
+end

data/test/rails_app/config/application.rb

@@ -17,7 +17,7 @@ module RailsApp
   class Application < Rails::Application
     # Add additional load paths for your own custom dirs
     config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
-    config.autoload_paths += [ "#{config.root}/app/#{DEVISE_ORM}" ]
+    config.autoload_paths += ["#{config.root}/app/#{DEVISE_ORM}"]
 
     # Configure generators values. Many other options are available, be sure to check the documentation.
     # config.generators do |g|

data/test/rails_app/config/environments/production.rb

@@ -20,7 +20,11 @@ RailsApp::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  if Rails.version >= "4.2.0"
+    config.serve_static_files = false
+  else
+    config.serve_static_assets = false
+  end
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor  = :uglifier
@@ -46,7 +50,7 @@ RailsApp::Application.configure do
   config.log_level = :info
 
   # Prepend all log lines with the following tags.
-  # config.log_tags = [ :subdomain, :uuid ]
+  # config.log_tags = [:subdomain, :uuid]
 
   # Use a different logger for distributed setups.
   # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)

data/test/rails_app/config/environments/test.rb

@@ -12,8 +12,13 @@ RailsApp::Application.configure do
   # preloads Rails for running tests, you may have to set it to true.
   config.eager_load = false
 
-  # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_assets = true
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  if Rails.version >= "4.2.0"
+    config.serve_static_files = true
+  else
+    config.serve_static_assets = true
+  end
   config.static_cache_control = "public, max-age=3600"
 
   # Show full error reports and disable caching.