RubyGems - devise - Versions diffs - 3.4.1 → 3.5.10 - Mend

devise 3.4.1 → 3.5.10

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (116) hide show

checksums.yaml +4 -4
data/.travis.yml +28 -19
data/CHANGELOG.md +193 -104
data/CODE_OF_CONDUCT.md +22 -0
data/CONTRIBUTING.md +2 -0
data/Gemfile +3 -2
data/Gemfile.lock +90 -95
data/MIT-LICENSE +1 -1
data/README.md +55 -34
data/Rakefile +2 -1
data/app/controllers/devise/confirmations_controller.rb +4 -0
data/app/controllers/devise/omniauth_callbacks_controller.rb +4 -0
data/app/controllers/devise/passwords_controller.rb +14 -4
data/app/controllers/devise/registrations_controller.rb +10 -11
data/app/controllers/devise/sessions_controller.rb +7 -2
data/app/controllers/devise/unlocks_controller.rb +3 -0
data/app/controllers/devise_controller.rb +34 -18
data/app/mailers/devise/mailer.rb +4 -0
data/app/views/devise/confirmations/new.html.erb +1 -1
data/app/views/devise/mailer/password_change.html.erb +3 -0
data/app/views/devise/passwords/edit.html.erb +3 -0
data/app/views/devise/registrations/new.html.erb +1 -1
data/app/views/devise/shared/_links.html.erb +1 -1
data/config/locales/en.yml +2 -0
data/devise.gemspec +0 -2
data/gemfiles/Gemfile.rails-3.2-stable.lock +52 -49
data/gemfiles/Gemfile.rails-4.0-stable +1 -0
data/gemfiles/Gemfile.rails-4.0-stable.lock +61 -60
data/gemfiles/Gemfile.rails-4.1-stable +1 -0
data/gemfiles/Gemfile.rails-4.1-stable.lock +66 -65
data/gemfiles/Gemfile.rails-4.2-stable +30 -0
data/gemfiles/Gemfile.rails-4.2-stable.lock +193 -0
data/lib/devise/controllers/helpers.rb +12 -6
data/lib/devise/controllers/rememberable.rb +9 -2
data/lib/devise/controllers/sign_in_out.rb +2 -8
data/lib/devise/controllers/store_location.rb +3 -1
data/lib/devise/controllers/url_helpers.rb +7 -9
data/lib/devise/encryptor.rb +22 -0
data/lib/devise/failure_app.rb +48 -13
data/lib/devise/hooks/timeoutable.rb +5 -7
data/lib/devise/mapping.rb +1 -0
data/lib/devise/models/authenticatable.rb +20 -26
data/lib/devise/models/confirmable.rb +51 -17
data/lib/devise/models/database_authenticatable.rb +17 -11
data/lib/devise/models/lockable.rb +5 -1
data/lib/devise/models/recoverable.rb +23 -15
data/lib/devise/models/rememberable.rb +56 -22
data/lib/devise/models/timeoutable.rb +0 -6
data/lib/devise/models/trackable.rb +1 -2
data/lib/devise/models/validatable.rb +3 -3
data/lib/devise/models.rb +1 -1
data/lib/devise/rails/routes.rb +27 -18
data/lib/devise/rails.rb +1 -1
data/lib/devise/strategies/authenticatable.rb +7 -4
data/lib/devise/strategies/database_authenticatable.rb +1 -1
data/lib/devise/strategies/rememberable.rb +13 -6
data/lib/devise/test_helpers.rb +2 -2
data/lib/devise/version.rb +1 -1
data/lib/devise.rb +37 -36
data/lib/generators/active_record/templates/migration.rb +1 -1
data/lib/generators/active_record/templates/migration_existing.rb +1 -1
data/lib/generators/devise/views_generator.rb +14 -3
data/lib/generators/templates/controllers/README +2 -2
data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +1 -1
data/lib/generators/templates/controllers/registrations_controller.rb +2 -2
data/lib/generators/templates/controllers/sessions_controller.rb +1 -1
data/lib/generators/templates/devise.rb +17 -11
data/lib/generators/templates/markerb/confirmation_instructions.markerb +1 -1
data/lib/generators/templates/markerb/password_change.markerb +3 -0
data/lib/generators/templates/markerb/reset_password_instructions.markerb +1 -1
data/lib/generators/templates/markerb/unlock_instructions.markerb +1 -1
data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +1 -1
data/lib/generators/templates/simple_form_for/registrations/new.html.erb +1 -1
data/test/controllers/custom_registrations_controller_test.rb +6 -1
data/test/controllers/helper_methods_test.rb +21 -0
data/test/controllers/helpers_test.rb +5 -0
data/test/controllers/inherited_controller_i18n_messages_test.rb +51 -0
data/test/controllers/internal_helpers_test.rb +4 -4
data/test/controllers/load_hooks_controller_test.rb +19 -0
data/test/controllers/passwords_controller_test.rb +1 -1
data/test/controllers/sessions_controller_test.rb +3 -3
data/test/devise_test.rb +3 -3
data/test/failure_app_test.rb +40 -0
data/test/generators/views_generator_test.rb +7 -0
data/test/integration/database_authenticatable_test.rb +11 -0
data/test/integration/omniauthable_test.rb +12 -10
data/test/integration/recoverable_test.rb +13 -0
data/test/integration/rememberable_test.rb +50 -3
data/test/integration/timeoutable_test.rb +13 -18
data/test/mailers/confirmation_instructions_test.rb +1 -1
data/test/mapping_test.rb +6 -0
data/test/models/confirmable_test.rb +93 -37
data/test/models/database_authenticatable_test.rb +20 -0
data/test/models/lockable_test.rb +29 -7
data/test/models/recoverable_test.rb +62 -7
data/test/models/rememberable_test.rb +68 -97
data/test/models/validatable_test.rb +5 -5
data/test/models_test.rb +15 -6
data/test/rails_app/app/active_record/user_without_email.rb +8 -0
data/test/rails_app/app/controllers/admins_controller.rb +0 -5
data/test/rails_app/app/controllers/custom/registrations_controller.rb +10 -0
data/test/rails_app/app/mongoid/user_without_email.rb +33 -0
data/test/rails_app/config/application.rb +1 -1
data/test/rails_app/config/environments/production.rb +6 -2
data/test/rails_app/config/environments/test.rb +7 -2
data/test/rails_app/config/initializers/devise.rb +12 -15
data/test/rails_app/config/routes.rb +6 -3
data/test/rails_app/lib/shared_user.rb +1 -1
data/test/rails_app/lib/shared_user_without_email.rb +26 -0
data/test/rails_test.rb +9 -0
data/test/support/helpers.rb +4 -0
data/test/support/integration.rb +2 -2
data/test/test_helpers_test.rb +22 -7
data/test/test_models.rb +2 -2
data/test/time_helpers.rb +137 -0
metadata +26 -4

data/lib/devise/models/recoverable.rb CHANGED Viewed

@@ -8,15 +8,13 @@ module Devise
     # Recoverable adds the following options to devise_for:
     #
     #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
     #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
-    #
-    #   # only resets the user password, without saving the record
-    #   user = User.find(1)
-    #   user.reset_password('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
     #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
@@ -28,20 +26,33 @@ module Devise
         [:reset_password_sent_at, :reset_password_token]
       end
+      included do
+        before_update do
+          if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
+            clear_reset_password_token
+          end
+        end
+      end
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
+      def reset_password(new_password, new_password_confirmation)
         self.password = new_password
         self.password_confirmation = new_password_confirmation
-        if valid?
-          clear_reset_password_token
+        if respond_to?(:after_password_reset) && valid?
+          ActiveSupport::Deprecation.warn "after_password_reset is deprecated"
           after_password_reset
         end
         save
       end
+      def reset_password!(new_password, new_password_confirmation)
+        ActiveSupport::Deprecation.warn "reset_password! is deprecated in favor of reset_password"
+        reset_password(new_password, new_password_confirmation)
+      end
       # Resets reset password token and send reset password instructions by email.
       # Returns the token sent in the e-mail.
       def send_reset_password_instructions
@@ -72,7 +83,7 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
+        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
       protected
@@ -83,9 +94,6 @@ module Devise
           self.reset_password_sent_at = nil
         end
-        def after_password_reset
-        end
         def set_reset_password_token
           raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
@@ -130,17 +138,17 @@ module Devise
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
-          recoverable.reset_password_token = original_token
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
           recoverable
         end
-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
       end
     end
   end

data/lib/devise/models/rememberable.rb CHANGED Viewed

@@ -39,17 +39,17 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
       def self.required_fields(klass)
         [:remember_created_at]
       end
-      # Generate a new remember token and save the record without validations
-      # unless remember_across_browsers is true and the user already has a valid token.
-      def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
-        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
+      # TODO: We were used to receive a extend period argument but we no longer do.
+      # Remove this for Devise 4.0.
+      def remember_me!(*)
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
@@ -57,25 +57,28 @@ module Devise
       # it exists), and save the record without validations.
       def forget_me!
         return unless persisted?
-        self.remember_token = nil if respond_to?(:remember_token=)
+        self.remember_token = nil if respond_to?(:remember_token)
         self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
         save(validate: false)
       end
       # Remember token should be expired if expiration time not overpass now.
       def remember_expired?
-        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
+        remember_created_at.nil?
       end
-      # Remember token expires at created time + remember_for configuration
       def remember_expires_at
-        remember_created_at + self.class.remember_for
+        self.class.remember_for.from_now
+      end
+      def extend_remember_period
+        self.class.extend_remember_period
       end
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
           raise "authenticable_salt returned nil for the #{self.class.name} model. " \
@@ -89,29 +92,60 @@ module Devise
         self.class.rememberable_options
       end
-    protected
+      # A callback initiated after successfully being remembered. This can be
+      # used to insert your own logic that is only run after the user is
+      # remembered.
+      #
+      # Example:
+      #
+      #   def after_remembered
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
+      def after_remembered
+      end
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
-      def generate_remember_token? #:nodoc:
-        respond_to?(:remember_token) && remember_expired?
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
       end
-      # Generate a timestamp if extend_remember_period is true, if no remember_token
-      # exists, or if an existing remember token has expired.
-      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_created_at.nil? || remember_expired?
+      private
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
       end
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(id, remember_token)
+        def serialize_from_cookie(*args)
+          id, token, generated_at = *args
           record = to_adapter.get(id)
-          record if record && !record.remember_expired? &&
-                    Devise.secure_compare(record.rememberable_value, remember_token)
+          record if record && record.remember_me?(token, generated_at)
         end
         # Generate a token checking if one does not already exist in the database.

data/lib/devise/models/timeoutable.rb CHANGED Viewed

@@ -26,7 +26,6 @@ module Devise
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        return false if remember_exists_and_not_expired?
         !timeout_in.nil? && last_access && last_access <= timeout_in.ago
       end
@@ -36,11 +35,6 @@ module Devise
       private
-      def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
-        remember_created_at && !remember_expired?
-      end
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end

data/lib/devise/models/trackable.rb CHANGED Viewed

@@ -30,8 +30,7 @@ module Devise
       def update_tracked_fields!(request)
         update_tracked_fields(request)
-        save(validate: false) or raise "Devise trackable could not save #{inspect}." \
-          "Please make sure a model using trackable can be saved at sign in."
+        save(validate: false)
       end
     end
   end

data/lib/devise/models/validatable.rb CHANGED Viewed

@@ -10,12 +10,12 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 8..128.
+    #   * +password_length+: a range expressing password length. Defaults to 8..72.
     #
     module Validatable
       # All validations used by this module.
-      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
-                      :validates_confirmation_of, :validates_length_of ].freeze
+      VALIDATIONS = [:validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                     :validates_confirmation_of, :validates_length_of].freeze
       def self.required_fields(klass)
         []

data/lib/devise/models.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Devise
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::Authenticatable, :stretches, 10)
+    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

data/lib/devise/rails/routes.rb CHANGED Viewed

@@ -94,10 +94,24 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, path: 'accounts'
     #
-    #  * singular: setup the singular name for the given resource. This is used as the instance variable
-    #    name in controller, as the name in routes and the scope given to warden.
+    #  * singular: setup the singular name for the given resource. This is used as the helper methods
+    #    names in controller ("authenticate_#{singular}!", "#{singular}_signed_in?", "current_#{singular}"
+    #    and "#{singular}_session"), as the scope name in routes and as the scope given to warden.
     #
-    #      devise_for :users, singular: :user
+    #      devise_for :admins, singular: :manager
+    #
+    #      devise_scope :manager do
+    #        ...
+    #      end
+    #
+    #      class ManagerController < ApplicationController
+    #        before_filter authenticate_manager!
+    #
+    #        def show
+    #          @manager = current_manager
+    #          ...
+    #        end
+    #      end
     #
     #  * path_names: configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
@@ -119,7 +133,7 @@ module ActionDispatch::Routing
     #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [ :post, :delete ]
+    #      devise_for :users, sign_out_via: [:post, :delete]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #
@@ -402,21 +416,16 @@ module ActionDispatch::Routing
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
         if mapping.fullpath =~ /:[a-zA-Z_]/
           raise <<-ERROR
-Devise does not support scoping omniauth callbacks under a dynamic segment
+Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
-`skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
-    match "/users/auth/:provider",
-      constraints: { provider: /google|facebook/ },
-      to: "devise/omniauth_callbacks#passthru",
-      as: :omniauth_authorize,
-      via: [:get, :post]
-    match "/users/auth/:action/callback",
-      constraints: { action: /google|facebook/ },
-      to: "devise/omniauth_callbacks",
-      as: :omniauth_callback,
-      via: [:get, :post]
+`skip: :omniauth_callbacks` to the `devise_for` call and extract omniauth
+options to another `devise_for` call outside the scope. Here is an example:
+    devise_for :users, only: :omniauth_callbacks, controllers: {omniauth_callbacks: 'users/omniauth_callbacks'}
+    scope '/(:locale)', locale: /ru|en/ do
+      devise_for :users, skip: :omniauth_callbacks
+    end
 ERROR
         end

data/lib/devise/rails.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
-    initializer "devise.omniauth" do |app|
+    initializer "devise.omniauth", after: :load_config_initializers, before: :build_middleware_stack do |app|
       Devise.omniauth_configs.each do |provider, config|
         app.middleware.use config.strategy_class, *config.args do |strategy|
           config.strategy = strategy

data/lib/devise/strategies/authenticatable.rb CHANGED Viewed

@@ -27,7 +27,7 @@ module Devise
       # Receives a resource and check if it is valid by calling valid_for_authentication?
       # An optional block that will be triggered while validating can be optionally
-      # given as parameter. Check Devise::Models::Authenticable.valid_for_authentication?
+      # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #
       # In case the resource can't be validated, it will fail with the given
@@ -57,7 +57,7 @@ module Devise
       # Check if this is a valid strategy for http authentication by:
       #
-      #   * Validating if the model allows params authentication;
+      #   * Validating if the model allows http authentication;
       #   * If any of the authorization headers were sent;
       #   * If all authentication keys are present;
       #
@@ -108,14 +108,17 @@ module Devise
         params_auth_hash.is_a?(Hash)
       end
-      # Check if password is present.
+      # Note: unlike `Model.valid_password?`, this method does not actually
+      # ensure that the password in the params matches the password stored in
+      # the database. It only checks if the password is *present*. Do not rely
+      # on this method for validating that a given password is correct.
       def valid_password?
         password.present?
       end
       # Helper to decode credentials from HTTP.
       def decode_credentials
-        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/m
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
         Base64.decode64($1).split(/:/, 2)
       end

data/lib/devise/strategies/database_authenticatable.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Devise
     # Default strategy for signing in a user, based on their email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
         encrypted = false
         if validate(resource){ encrypted = true; resource.valid_password?(password) }

data/lib/devise/strategies/rememberable.rb CHANGED Viewed

@@ -25,18 +25,25 @@ module Devise
         end
         if validate(resource)
-          remember_me(resource)
-          extend_remember_me_period(resource)
+          remember_me(resource) if extend_remember_me?(resource)
+          resource.after_remembered
           success!(resource)
         end
       end
+      # No need to clean up the CSRF when using rememberable.
+      # In fact, cleaning it up here would be a bug because
+      # rememberable is triggered on GET requests which means
+      # we would render a page on first access with all csrf
+      # tokens expired.
+      def clean_up_csrf?
+        false
+      end
     private
-      def extend_remember_me_period(resource)
-        if resource.respond_to?(:extend_remember_period=)
-          resource.extend_remember_period = mapping.to.extend_remember_period
-        end
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
       end
       def remember_me?

data/lib/devise/test_helpers.rb CHANGED Viewed

@@ -26,11 +26,11 @@ module Devise
     # Quick access to Warden::Proxy.
     def warden #:nodoc:
-      @warden ||= begin
+      @request.env['warden'] ||= begin
         manager = Warden::Manager.new(nil) do |config|
           config.merge! Devise.warden_config
         end
-        @request.env['warden'] = Warden::Proxy.new(@request.env, manager)
+        Warden::Proxy.new(@request.env, manager)
       end
     end

data/lib/devise/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.4.1".freeze
+  VERSION = "3.5.10".freeze
 end

data/lib/devise.rb CHANGED Viewed

@@ -8,6 +8,7 @@ require 'responders'
 module Devise
   autoload :Delegator,          'devise/delegator'
+  autoload :Encryptor,          'devise/encryptor'
   autoload :FailureApp,         'devise/failure_app'
   autoload :OmniAuth,           'devise/omniauth'
   autoload :ParameterFilter,    'devise/parameter_filter'
@@ -57,22 +58,6 @@ module Devise
   mattr_accessor :secret_key
   @@secret_key = nil
-  [ :allow_insecure_token_lookup,
-    :allow_insecure_sign_in_after_confirmation,
-    :token_authentication_key ].each do |method|
-    class_eval <<-RUBY
-    def self.#{method}
-      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
-        "and has no effect"
-    end
-    def self.#{method}=(val)
-      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
-        "and has no effect"
-    end
-    RUBY
-  end
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
   @@rememberable_options = {}
@@ -87,7 +72,7 @@ module Devise
   # Keys used when authenticating a user.
   mattr_accessor :authentication_keys
-  @@authentication_keys = [ :email ]
+  @@authentication_keys = [:email]
   # Request keys used when authenticating a user.
   mattr_accessor :request_keys
@@ -95,7 +80,7 @@ module Devise
   # Keys that should be case-insensitive.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = [ :email ]
+  @@case_insensitive_keys = [:email]
   # Keys that should have whitespace stripped.
   mattr_accessor :strip_whitespace_keys
@@ -121,7 +106,7 @@ module Devise
   # an one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   mattr_accessor :email_regexp
-  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\s]+\z/
+  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
   # Range validation for password length
   mattr_accessor :password_length
@@ -150,7 +135,7 @@ module Devise
   # Defines which key will be used when confirming an account.
   mattr_accessor :confirmation_keys
-  @@confirmation_keys = [ :email ]
+  @@confirmation_keys = [:email]
   # Defines if email should be reconfirmable.
   # False by default for backwards compatibility.
@@ -161,14 +146,14 @@ module Devise
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
-  # Authentication token expiration on timeout
-  mattr_accessor :expire_auth_token_on_timeout
-  @@expire_auth_token_on_timeout = false
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
+  # Used to enable sending notification to user when their password is changed
+  mattr_accessor :send_password_change_notification
+  @@send_password_change_notification = false
   # Scoped views. Since it relies on fallbacks to render default views, it's
   # turned off by default.
   mattr_accessor :scoped_views
@@ -181,7 +166,7 @@ module Devise
   # Defines which key will be used when locking and unlocking an account
   mattr_accessor :unlock_keys
-  @@unlock_keys = [ :email ]
+  @@unlock_keys = [:email]
   # Defines which strategy can be used to unlock an account.
   # Values: :email, :time, :both
@@ -198,12 +183,16 @@ module Devise
   # Defines which key will be used when recovering the password for an account
   mattr_accessor :reset_password_keys
-  @@reset_password_keys = [ :email ]
+  @@reset_password_keys = [:email]
   # Time interval you can reset your password with a reset password key
   mattr_accessor :reset_password_within
   @@reset_password_within = 6.hours
+  # When set to false, resetting a password does not automatically sign in a user
+  mattr_accessor :sign_in_after_reset_password
+  @@sign_in_after_reset_password = true
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -246,7 +235,7 @@ module Devise
   mattr_accessor :router_name
   @@router_name = nil
-  # Set the omniauth path prefix so it can be overridden when
+  # Set the OmniAuth path prefix so it can be overridden when
   # Devise is used in a mountable engine
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
@@ -261,7 +250,7 @@ module Devise
   mattr_reader :mappings
   @@mappings = ActiveSupport::OrderedHash.new
-  # Omniauth configurations.
+  # OmniAuth configurations.
   mattr_reader :omniauth_configs
   @@omniauth_configs = ActiveSupport::OrderedHash.new
@@ -340,7 +329,12 @@ module Devise
     mapping
   end
-  # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
+  # Register available devise modules. For the standard modules that Devise provides, this method is
+  # called from lib/devise/modules.rb. Third-party modules need to be added explicitly using this method.
+  #
+  # Note that adding a module using this method does not cause it to be used in the authentication
+  # process. That requires that the module be listed in the arguments passed to the 'devise' method
+  # in the model class definition.
   #
   # == Options:
   #
@@ -348,6 +342,7 @@ module Devise
   #   +controller+ - Symbol representing the name of an existing or custom *controller* for this module.
   #   +route+      - Symbol representing the named *route* helper for this module.
   #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #   +insert_at+  - Integer representing the order in which this module's model will be included
   #
   # All values, except :model, accept also a boolean and will have the same name as the given module
   # name.
@@ -357,10 +352,12 @@ module Devise
   #   Devise.add_module(:party_module)
   #   Devise.add_module(:party_module, strategy: true, controller: :sessions)
   #   Devise.add_module(:party_module, model: 'party_module/model')
+  #   Devise.add_module(:party_module, insert_at: 0)
   #
   def self.add_module(module_name, options = {})
-    ALL << module_name
-    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input, :insert_at)
+    ALL.insert (options[:insert_at] || -1), module_name
     if strategy = options[:strategy]
       strategy = (strategy == true ? module_name : strategy)
@@ -417,7 +414,7 @@ module Devise
     @@warden_config_blocks << block
   end
-  # Specify an omniauth provider.
+  # Specify an OmniAuth provider.
   #
   #   config.omniauth :github, APP_ID, APP_SECRET
   #
@@ -445,8 +442,8 @@ module Devise
     Devise::Controllers::UrlHelpers.generate_helpers!
   end
-  # A method used internally to setup warden manager from the Rails initialize
-  # block.
+  # A method used internally to complete the setup of warden manager after routes are loaded.
+  # See lib/devise/rails/routes.rb - ActionDispatch::Routing::RouteSet#finalize_with_devise!
   def self.configure_warden! #:nodoc:
     @@warden_configured ||= begin
       warden_config.failure_app   = Devise::Delegator.new
@@ -474,8 +471,12 @@ module Devise
   end
   # Generate a friendly string randomly to be used as token.
-  def self.friendly_token
-    SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
+  # By default, length is 20 characters.
+  def self.friendly_token(length = 20)
+    # To calculate real characters, we must perform this operation.
+    # See SecureRandom.urlsafe_base64
+    rlength = (length * 3) / 4
+    SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
   end
   # constant-time comparison algorithm to prevent timing attacks

data/lib/generators/active_record/templates/migration.rb CHANGED Viewed

@@ -7,7 +7,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
       t.<%= attribute.type %> :<%= attribute.name %>
 <% end -%>
-      t.timestamps
+      t.timestamps null: false
     end
     add_index :<%= table_name %>, :email,                unique: true