devise 3.4.1 → 3.5.1

data/lib/devise/controllers/rememberable.rb

@@ -2,7 +2,7 @@ module Devise
   module Controllers
     # A module that may be optionally included in a controller in order
     # to provide remember me behavior. Useful when signing in is done
-    # through a callback, like in Omniauth.
+    # through a callback, like in OmniAuth.
     module Rememberable
       # Return default cookie values retrieved from session options.
       def self.cookie_values

data/lib/devise/controllers/sign_in_out.rb

@@ -6,7 +6,7 @@ module Devise
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+        [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)
         end
       end

data/lib/devise/controllers/store_location.rb

@@ -35,7 +35,9 @@ module Devise
         session_key = stored_location_key_for(resource_or_scope)
         uri = parse_uri(location)
         if uri
-          session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [path, uri.fragment].compact.join('#')
+          session[session_key] = path
         end
       end
 

data/lib/devise/controllers/url_helpers.rb

@@ -42,16 +42,14 @@ module Devise
           [:path, :url].each do |path_or_url|
             actions.each do |action|
               action = action ? "#{action}_" : ""
-              method = "#{action}#{module_name}_#{path_or_url}"
+              method = :"#{action}#{module_name}_#{path_or_url}"
 
-              class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-                def #{method}(resource_or_scope, *args)
-                  scope = Devise::Mapping.find_scope!(resource_or_scope)
-                  router_name = Devise.mappings[scope].router_name
-                  context = router_name ? send(router_name) : _devise_route_context
-                  context.send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
-                end
-              URL_HELPERS
+              define_method method do |resource_or_scope, *args|
+                scope = Devise::Mapping.find_scope!(resource_or_scope)
+                router_name = Devise.mappings[scope].router_name
+                context = router_name ? send(router_name) : _devise_route_context
+                context.send("#{action}#{scope}_#{module_name}_#{path_or_url}", *args)
+              end
             end
           end
         end

data/lib/devise/encryptor.rb

@@ -0,0 +1,22 @@
+require 'bcrypt'
+
+module Devise
+  module Encryptor
+    def self.digest(klass, password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      ::BCrypt::Password.create(password, cost: klass.stretches).to_s
+    end
+
+    def self.compare(klass, encrypted_password, password)
+      return false if encrypted_password.blank?
+      bcrypt   = ::BCrypt::Password.new(encrypted_password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+      Devise.secure_compare(password, encrypted_password)
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -49,17 +49,19 @@ module Devise
 
     def recall
       env["PATH_INFO"]  = attempted_path
-      flash.now[:alert] = i18n_message(:invalid)
+      flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(env)
     end
 
     def redirect
       store_location!
-      if flash[:timedout] && flash[:alert]
-        flash.keep(:timedout)
-        flash.keep(:alert)
-      else
-        flash[:alert] = i18n_message
+      if is_flashing_format?
+        if flash[:timedout] && flash[:alert]
+          flash.keep(:timedout)
+          flash.keep(:alert)
+        else
+          flash[:alert] = i18n_message
+        end
       end
       redirect_to redirect_url
     end
@@ -91,7 +93,7 @@ module Devise
 
     def redirect_url
       if warden_message == :timeout
-        flash[:timedout] = true
+        flash[:timedout] = true if is_flashing_format?
 
         path = if request.get?
           attempted_path
@@ -105,15 +107,23 @@ module Devise
       end
     end
 
+    def route(scope)
+      :"new_#{scope}_session_url"
+    end
+
     def scope_url
       opts  = {}
-      route = :"new_#{scope}_session_url"
+      route = route(scope)
       opts[:format] = request_format unless skip_format?
 
       config = Rails.application.config
-      opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))
 
-      context = send(Devise.available_router_name)
+      if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
+        opts[:script_name] = config.relative_url_root
+      end
+
+      router_name = Devise.mappings[scope].router_name || Devise.available_router_name
+      context = send(router_name)
 
       if context.respond_to?(route)
         context.send(route, opts)
@@ -205,6 +215,12 @@ module Devise
       Devise.navigational_formats.include?(request_format)
     end
 
+    # Check if flash messages should be emitted. Default is to do it on
+    # navigational formats
+    def is_flashing_format?
+      is_navigational_format?
+    end
+
     def request_format
       @request_format ||= request.format.try(:ref)
     end

data/lib/devise/mapping.rb

@@ -31,6 +31,7 @@ module Devise
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(obj)
+      obj = obj.devise_scope if obj.respond_to?(:devise_scope)
       case obj
       when String, Symbol
         return obj.to_sym

data/lib/devise/models/authenticatable.rb

@@ -1,3 +1,4 @@
+require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 
@@ -37,7 +38,7 @@ module Devise
     # calling model.active_for_authentication?. This method is overwritten by other devise modules. For instance,
     # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
     #
-    # You overwrite this method yourself, but if you do, don't forget to call super:
+    # You can overwrite this method yourself, but if you do, don't forget to call super:
     #
     #   def active_for_authentication?
     #     super && special_condition_is_valid?
@@ -95,29 +96,22 @@ module Devise
       def authenticatable_salt
       end
 
-      array = %w(serializable_hash)
-      # to_xml does not call serializable_hash on 3.1
-      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
-
-      array.each do |method|
-        class_eval <<-RUBY, __FILE__, __LINE__
-          # Redefine to_xml and serializable_hash in models for more secure defaults.
-          # By default, it removes from the serializable model all attributes that
-          # are *not* accessible. You can remove this default by using :force_except
-          # and passing a new list of attributes you want to exempt. All attributes
-          # given to :except will simply add names to exempt to Devise internal list.
-          def #{method}(options=nil)
-            options ||= {}
-            options[:except] = Array(options[:except])
-
-            if options[:force_except]
-              options[:except].concat Array(options[:force_except])
-            else
-              options[:except].concat BLACKLIST_FOR_SERIALIZATION
-            end
-            super(options)
-          end
-        RUBY
+      # Redefine serializable_hash in models for more secure defaults.
+      # By default, it removes from the serializable model all attributes that
+      # are *not* accessible. You can remove this default by using :force_except
+      # and passing a new list of attributes you want to exempt. All attributes
+      # given to :except will simply add names to exempt to Devise internal list.
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
+
+        if options[:force_except]
+          options[:except].concat Array(options[:force_except])
+        else
+          options[:except].concat BLACKLIST_FOR_SERIALIZATION
+        end
+
+        super(options)
       end
 
       protected
@@ -252,12 +246,12 @@ module Devise
           to_adapter.find_first(devise_parameter_filter.filter(tainted_conditions).merge(opts))
         end
 
-        # Find an initialize a record setting an error if it can't be found.
+        # Find or initialize a record setting an error if it can't be found.
         def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
           find_or_initialize_with_errors([attribute], { attribute => value }, error)
         end
 
-        # Find an initialize a group of attributes based on a list of required attributes.
+        # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
           attributes = attributes.slice(*required_attributes).with_indifferent_access
           attributes.delete_if { |key, value| value.blank? }

data/lib/devise/models/confirmable.rb

@@ -5,6 +5,14 @@ module Devise
     # Confirmation instructions are sent to the user email after creating a
     # record and when manually requested by a new confirmation instruction request.
     #
+    # Confirmable tracks the following columns:
+    #
+    # * confirmation_token   - An OpenSSL::HMAC.hexdigest of @raw_confirmation_token
+    # * confirmed_at         - A timestamp when the user clicked the confirmation link
+    # * confirmation_sent_at - A timestamp when the confirmation_token was generated (not sent)
+    # * unconfirmed_email    - An email address copied from the email attr. After confirmation
+    #                          this value is copied to the email attr then cleared
+    #
     # == Options
     #
     # Confirmable adds the following options to +devise+:
@@ -24,7 +32,7 @@ module Devise
     #
     # == Examples
     #
-    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirm       # returns true unless it's already confirmed
     #   User.find(1).confirmed?    # true/false
     #   User.find(1).send_confirmation_instructions # manually send instructions
     #
@@ -56,7 +64,7 @@ module Devise
       # Confirm a user by setting it's confirmed_at to actual time. If the user
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
-      def confirm!
+      def confirm(args={})
         pending_any_confirmation do
           if confirmation_period_expired?
             self.errors.add(:email, :confirmation_period_expired,
@@ -64,7 +72,6 @@ module Devise
             return false
           end
 
-          self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
           saved = if self.class.reconfirmable && unconfirmed_email.present?
@@ -75,7 +82,7 @@ module Devise
             # We need to validate in such cases to enforce e-mail uniqueness
             save(validate: true)
           else
-            save(validate: false)
+            save(validate: args[:ensure_valid] == true)
           end
 
           after_confirmation if saved
@@ -83,6 +90,11 @@ module Devise
         end
       end
 
+      def confirm!(args={})
+        ActiveSupport::Deprecation.warn "confirm! is deprecated in favor of confirm"
+        confirm(args)
+      end
+
       # Verifies whether a user is confirmed or not
       def confirmed?
         !!confirmed_at
@@ -202,7 +214,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
+          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -216,7 +228,7 @@ module Devise
         end
 
         # Generates a new random token for confirmation, and stores
-        # the time this token is being generated
+        # the time this token is being generated in confirmation_sent_at
         def generate_confirmation_token
           raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
           @raw_confirmation_token   = raw
@@ -249,6 +261,16 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && self.email.present?
         end
 
+        # A callback initiated after successfully confirming. This can be
+        # used to insert your own logic that is only run after the user successfully
+        # confirms.
+        #
+        # Example:
+        #
+        #   def after_confirmation
+        #     self.update_attribute(:invite_code, nil)
+        #   end
+        #
         def after_confirmation
         end
 
@@ -275,7 +297,7 @@ module Devise
           confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          confirmable.confirm! if confirmable.persisted?
+          confirmable.confirm if confirmable.persisted?
           confirmable.confirmation_token = original_token
           confirmable
         end

data/lib/devise/models/database_authenticatable.rb

@@ -1,10 +1,10 @@
 require 'devise/strategies/database_authenticatable'
-require 'bcrypt'
+require 'devise/encryptor'
 
 module Devise
-  # Digests the password using bcrypt.
   def self.bcrypt(klass, password)
-    ::BCrypt::Password.create("#{password}#{klass.pepper}", cost: klass.stretches).to_s
+    ActiveSupport::Deprecation.warn "Devise.bcrypt is deprecated; use Devise::Encryptor.digest instead"
+    Devise::Encryptor.digest(klass, password)
   end
 
   module Models
@@ -42,12 +42,9 @@ module Devise
         self.encrypted_password = password_digest(@password) if @password.present?
       end
 
-      # Verifies whether an password (ie from sign in) is the user password.
+      # Verifies whether a password (ie from sign in) is the user password.
       def valid_password?(password)
-        return false if encrypted_password.blank?
-        bcrypt   = ::BCrypt::Password.new(encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, encrypted_password)
+        Devise::Encryptor.compare(self.class, encrypted_password, password)
       end
 
       # Set password and password confirmation to nil
@@ -145,7 +142,7 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other encryption engines.
       def password_digest(password)
-        Devise.bcrypt(self.class, password)
+        Devise::Encryptor.digest(self.class, password)
       end
 
       module ClassMethods

data/lib/devise/models/recoverable.rb

@@ -8,11 +8,13 @@ module Devise
     # Recoverable adds the following options to devise_for:
     #
     #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
     #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
     #
     #   # only resets the user password, without saving the record
     #   user = User.find(1)
@@ -28,20 +30,33 @@ module Devise
         [:reset_password_sent_at, :reset_password_token]
       end
 
+      included do
+        before_save do
+          if email_changed? || encrypted_password_changed?
+            clear_reset_password_token
+          end
+        end
+      end
+
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
+      def reset_password(new_password, new_password_confirmation)
         self.password = new_password
         self.password_confirmation = new_password_confirmation
 
-        if valid?
-          clear_reset_password_token
+        if respond_to?(:after_password_reset) && valid?
+          ActiveSupport::Deprecation.warn "after_password_reset is deprecated"
           after_password_reset
         end
 
         save
       end
 
+      def reset_password!(new_password, new_password_confirmation)
+        ActiveSupport::Deprecation.warn "reset_password! is deprecated in favor of reset_password"
+        reset_password(new_password, new_password_confirmation)
+      end
+
       # Resets reset password token and send reset password instructions by email.
       # Returns the token sent in the e-mail.
       def send_reset_password_instructions
@@ -83,9 +98,6 @@ module Devise
           self.reset_password_sent_at = nil
         end
 
-        def after_password_reset
-        end
-
         def set_reset_password_token
           raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
 
@@ -130,17 +142,17 @@ module Devise
 
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
 
-          recoverable.reset_password_token = original_token
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
           recoverable
         end
 
-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
       end
     end
   end