devise 3.4.1 → 3.5.10

data/test/integration/recoverable_test.rb

@@ -197,6 +197,19 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'does not sign in user automatically after changing its password if config.sign_in_after_reset_password is false' do
+    swap Devise, sign_in_after_reset_password: false do
+      create_user
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert_not_contain 'You are now signed in.'
+      assert_equal new_user_session_path, @request.path
+      assert !warden.authenticated?(:user)
+    end
+  end
+
   test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
     [:none, :time].each do |strategy|
       swap Devise, unlock_strategy: strategy do

data/test/integration/rememberable_test.rb

@@ -1,10 +1,15 @@
 require 'test_helper'
 
 class RememberMeTest < ActionDispatch::IntegrationTest
+  if (Rails::VERSION::MAJOR < 4) || (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR < 1)
+    require 'time_helpers'
+    include ActiveSupport::Testing::TimeHelpers
+  end
+
   def create_user_and_remember(add_to_token='')
     user = create_user
     user.remember_me!
-    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
+    raw_cookie = User.serialize_into_cookie(user).tap { |a| a[1] << add_to_token }
     cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
     user
   end
@@ -92,7 +97,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -118,6 +122,40 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path
@@ -135,7 +173,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
 
   test 'do not remember with expired token' do
     create_user_and_remember
-    swap Devise, remember_for: 0 do
+    swap Devise, remember_for: 0.days do
       get users_path
       assert_not warden.authenticated?(:user)
       assert_redirected_to new_user_session_path
@@ -164,4 +202,13 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     get users_path
     assert_not warden.authenticated?(:user)
   end
+
+  test 'valid sign in calls after_remembered callback' do
+    user = create_user_and_remember
+
+    User.expects(:serialize_from_cookie).returns user
+    user.expects :after_remembered
+
+    get new_user_registration_path
+  end
 end

data/test/integration/timeoutable_test.rb

@@ -24,6 +24,18 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_equal old_last_request, last_request_at
   end
 
+  test 'does not set last request at in user session after each request if timeoutable is disabled' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    new_time = 2.seconds.from_now
+    Time.stubs(:now).returns(new_time)
+
+    get users_path, {}, 'devise.skip_timeoutable' => true
+    assert_equal old_last_request, last_request_at
+  end
+
   test 'does not time out user session before default limit time' do
     sign_in_as_user
     assert_response :success
@@ -110,23 +122,6 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_contain 'You are signed in'
   end
 
-  test 'admin does not explode on time out' do
-    admin = sign_in_as_admin
-    get expire_admin_path(admin)
-
-    Admin.send :define_method, :reset_authentication_token! do
-      nil
-    end
-
-    begin
-      get admins_path
-      assert_redirected_to admins_path
-      assert_not warden.authenticated?(:admin)
-    ensure
-      Admin.send(:remove_method, :reset_authentication_token!)
-    end
-  end
-
   test 'user configured timeout limit' do
     swap Devise, timeout_in: 8.minutes do
       user = sign_in_as_user
@@ -180,7 +175,7 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'does not crashes when the last_request_at is a String' do
+  test 'does not crash when the last_request_at is a String' do
     user = sign_in_as_user
 
     get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)

data/test/mailers/confirmation_instructions_test.rb

@@ -86,7 +86,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     host, port = ActionMailer::Base.default_url_options.values_at :host, :port
 
     if mail.body.encoded =~ %r{<a href=\"http://#{host}:#{port}/users/confirmation\?confirmation_token=([^"]+)">}
-      assert_equal Devise.token_generator.digest(user.class, :confirmation_token, $1), user.confirmation_token
+      assert_equal $1, user.confirmation_token
     else
       flunk "expected confirmation url regex to match"
     end

data/test/mapping_test.rb

@@ -71,6 +71,12 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
   end
 
+  test 'find scope uses devise_scope' do
+    user = User.new
+    def user.devise_scope; :special_scope; end
+    assert_equal :special_scope, Devise::Mapping.find_scope!(user)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)

data/test/models/confirmable_test.rb

@@ -23,31 +23,24 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should confirm a user by updating confirmed at' do
     user = create_user
     assert_nil user.confirmed_at
-    assert user.confirm!
+    assert user.confirm
     assert_not_nil user.confirmed_at
   end
 
-  test 'should clear confirmation token while confirming a user' do
-    user = create_user
-    assert_present user.confirmation_token
-    user.confirm!
-    assert_nil user.confirmation_token
-  end
-
   test 'should verify whether a user is confirmed or not' do
     assert_not new_user.confirmed?
     user = create_user
     assert_not user.confirmed?
-    user.confirm!
+    user.confirm
     assert user.confirmed?
   end
 
   test 'should not confirm a user already confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     assert_blank user.errors[:email]
 
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
@@ -80,6 +73,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
   end
 
+  test 'should show error when a token has already been used' do
+    user = create_user
+    raw  = user.raw_confirmation_token
+    User.confirm_by_token(raw)
+    assert user.reload.confirmed?
+
+    confirmed_user = User.confirm_by_token(raw)
+    assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
+  end
+
   test 'should send confirmation instructions by email' do
     assert_email_sent "mynewuser@example.com" do
       create_user email: "mynewuser@example.com"
@@ -111,7 +114,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      assert !user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -165,18 +168,19 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should not reset confirmation status or token when updating email' do
     user = create_user
-    user.confirm!
+    original_token = user.confirmation_token
+    user.confirm
     user.email = 'new_test@example.com'
     user.save!
 
     user.reload
     assert user.confirmed?
-    assert_nil user.confirmation_token
+    assert_equal original_token, user.confirmation_token
   end
 
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
-    user.confirm!
+    user.confirm
     assert_not user.resend_confirmation_instructions
     assert user.confirmed?
     assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
@@ -211,7 +215,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not user.confirmed?
     assert_not user.active_for_authentication?
 
-    user.confirm!
+    user.confirm
     assert user.confirmed?
     assert user.active_for_authentication?
   end
@@ -246,6 +250,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.reload.active_for_authentication?
   end
 
+  test 'should not break when a user tries to reset their password in the case where confirmation is not required and confirm_within is set' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      user.instance_eval { def confirmation_required?; false end }
+      user.confirmation_sent_at = nil
+      user.save
+      assert user.reload.confirm!
+    end
+  end
+
   test 'should find a user to send email instructions for the user confirm its email by authentication_keys' do
     swap Devise, authentication_keys: [:username, :email] do
       user = create_user
@@ -287,12 +301,23 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'always generate a new token on resend' do
+  test 'do not generate a new token on resend' do
     user = create_user
     old  = user.confirmation_token
     user = User.find(user.id)
     user.resend_confirmation_instructions
-    assert_not_equal user.confirmation_token, old
+    assert_equal user.confirmation_token, old
+  end
+
+  test 'generate a new token after first has expired' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      old = user.confirmation_token
+      user.update_attribute(:confirmation_sent_at, 4.days.ago)
+      user = User.find(user.id)
+      user.resend_confirmation_instructions
+      assert_not_equal user.confirmation_token, old
+    end
   end
 
   test 'should call after_confirmation if confirmed' do
@@ -301,43 +326,52 @@ class ConfirmableTest < ActiveSupport::TestCase
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert user.confirm!
+    assert user.confirm
     assert_not_equal user.username, old
   end
 
   test 'should not call after_confirmation if not confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     user.define_singleton_method :after_confirmation do
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal user.username, old
   end
+
+  test 'should always perform validations upon confirm when ensure valid true' do
+    admin = create_admin
+    admin.stubs(:valid?).returns(false)
+    assert_not admin.confirm(ensure_valid: true)
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase
   test 'should not worry about validations on confirm even with reconfirmable' do
     admin = create_admin
     admin.reset_password_token = "a"
-    assert admin.confirm!
+    assert admin.confirm
   end
 
   test 'should generate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
-    assert_nil admin.confirmation_token
+    assert admin.confirm
+    residual_token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_not_nil admin.confirmation_token
+    assert_not_equal residual_token, admin.confirmation_token
   end
 
-  test 'should not generate confirmation token if skipping reconfirmation after changing email' do
+  test 'should not regenerate confirmation token or require reconfirmation if skipping reconfirmation after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    original_token = admin.confirmation_token
+    assert admin.confirm
     admin.skip_reconfirmation!
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_nil admin.confirmation_token
+    assert admin.confirmed?
+    assert_not admin.pending_reconfirmation?
+    assert_equal original_token, admin.confirmation_token
   end
 
   test 'should skip sending reconfirmation email when email is changed and skip_confirmation_notification! is invoked' do
@@ -351,7 +385,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should regenerate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'old_test@example.com')
     token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -360,7 +394,15 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should send confirmation instructions by email after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
+    assert_email_sent "new_test@example.com" do
+      assert admin.update_attributes(email: 'new_test@example.com')
+    end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
+  end
+
+  test 'should send confirmation instructions by email after changing email from nil' do
+    admin = create_admin(email: nil)
     assert_email_sent "new_test@example.com" do
       assert admin.update_attributes(email: 'new_test@example.com')
     end
@@ -369,7 +411,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       assert admin.update_attributes(password: 'newpass', password_confirmation: 'newpass')
     end
@@ -377,7 +419,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing to a blank email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       admin.email = ''
       admin.save(validate: false)
@@ -386,23 +428,23 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should stay confirmed when email is changed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert admin.confirmed?
   end
 
   test 'should update email only when it is confirmed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
-    assert admin.confirm!
+    assert admin.confirm
     assert_equal 'new_test@example.com', admin.email
   end
 
   test 'should not allow admin to get past confirmation email by resubmitting their new address' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -411,7 +453,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should find a admin by send confirmation instructions with unconfirmed_email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     confirmation_admin = Admin.send_confirmation_instructions(email: admin.unconfirmed_email)
     assert_equal confirmation_admin, admin
@@ -452,4 +494,18 @@ class ReconfirmableTest < ActiveSupport::TestCase
       :unconfirmed_email
     ]
   end
+
+  test 'should not require reconfirmation after creating a record' do
+    admin = create_admin
+    assert !admin.pending_reconfirmation?
+  end
+
+  test 'should not require reconfirmation after creating a record with #save called in callback' do
+    class Admin::WithSaveInCallback < Admin
+      after_create :save
+    end
+
+    admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
+    assert !admin.pending_reconfirmation?
+  end
 end

data/test/models/database_authenticatable_test.rb

@@ -3,6 +3,10 @@ require 'test_models'
 require 'digest/sha1'
 
 class DatabaseAuthenticatableTest < ActiveSupport::TestCase
+  def setup
+    setup_mailer
+  end
+
   test 'should downcase case insensitive keys when saving' do
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
@@ -225,6 +229,22 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "can't be blank", user.errors[:current_password].join
   end
 
+  test 'should not email on password change' do
+    user = create_user
+    assert_email_not_sent do
+      assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+    end
+  end
+
+  test 'should email on password change when configured' do
+    swap Devise, send_password_change_notification: true do
+      user = create_user
+      assert_email_sent user.email do
+        assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+      end
+    end
+  end
+
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")

data/test/models/lockable_test.rb

@@ -7,16 +7,16 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should respect maximum attempts configuration" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
       assert user.reload.access_locked?
     end
   end
 
-  test "should increment failed_attempts on successfull validation if the user is already locked" do
+  test "should increment failed_attempts on successful validation if the user is already locked" do
     user = create_user
-    user.confirm!
+    user.confirm
 
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
@@ -29,7 +29,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should not touch failed_attempts if lock_strategy is none" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, lock_strategy: :none, maximum_attempts: 2 do
       3.times { user.valid_for_authentication?{ false } }
       assert !user.access_locked?
@@ -53,7 +53,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "active_for_authentication? should be the opposite of locked?" do
     user = create_user
-    user.confirm!
+    user.confirm
     assert user.active_for_authentication?
     user.lock_access!
     assert_not user.active_for_authentication?
@@ -230,7 +230,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired and increase attempts on failure' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -243,7 +243,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired on success' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -325,4 +325,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end