devise 3.5.1 → 4.7.1

data/lib/devise/mailers/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Mailers
     module Helpers
@@ -5,15 +7,16 @@ module Devise
 
       included do
         include Devise::Controllers::ScopedViews
-        attr_reader :scope_name, :resource
       end
 
       protected
 
+      attr_reader :scope_name, :resource
+
       # Configure default email options
-      def devise_mail(record, action, opts={})
+      def devise_mail(record, action, opts = {}, &block)
         initialize_from_record(record)
-        mail headers_for(action, opts)
+        mail headers_for(action, opts), &block
       end
 
       def initialize_from_record(record)
@@ -64,7 +67,7 @@ module Devise
         template_path
       end
 
-      # Setup a subject doing an I18n lookup. At first, it attempts to set a subject
+      # Set up a subject doing an I18n lookup. At first, it attempts to set a subject
       # based on the current mapping:
       #
       #   en:

data/lib/devise/mapping.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   # Responsible for handling devise mappings and routes configuration. Each
   # resource configured by devise_for in routes is actually creating a mapping

data/lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
-require 'active_model/version'
+# frozen_string_literal: true
+
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 
@@ -102,7 +103,7 @@ module Devise
       # and passing a new list of attributes you want to exempt. All attributes
       # given to :except will simply add names to exempt to Devise internal list.
       def serializable_hash(options = nil)
-        options ||= {}
+        options = options.try(:dup) || {}
         options[:except] = Array(options[:except])
 
         if options[:force_except]
@@ -114,6 +115,15 @@ module Devise
         super(options)
       end
 
+      # Redefine inspect using serializable_hash, to ensure we don't accidentally
+      # leak passwords into exceptions.
+      def inspect
+        inspection = serializable_hash.collect do |k,v|
+          "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
+        end
+        "#<#{self.class} #{inspection.join(", ")}>"
+      end
+
       protected
 
       def devise_mailer
@@ -123,16 +133,18 @@ module Devise
       # This is an internal method called every time Devise needs
       # to send a notification/mail. This can be overridden if you
       # need to customize the e-mail delivery logic. For instance,
-      # if you are using a queue to deliver e-mails (delayed job,
-      # sidekiq, resque, etc), you must add the delivery to the queue
+      # if you are using a queue to deliver e-mails (active job, delayed
+      # job, sidekiq, resque, etc), you must add the delivery to the queue
       # just after the transaction was committed. To achieve this,
       # you can override send_devise_notification to store the
-      # deliveries until the after_commit callback is triggered:
+      # deliveries until the after_commit callback is triggered.
+      #
+      # The following example uses Active Job's `deliver_later` :
       #
       #     class User
       #       devise :database_authenticatable, :confirmable
       #
-      #       after_commit :send_pending_notifications
+      #       after_commit :send_pending_devise_notifications
       #
       #       protected
       #
@@ -141,26 +153,43 @@ module Devise
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
       #         if new_record? || changed?
-      #           pending_notifications << [notification, args]
+      #           pending_devise_notifications << [notification, args]
       #         else
-      #           devise_mailer.send(notification, self, *args).deliver
+      #           render_and_send_devise_message(notification, *args)
       #         end
       #       end
       #
-      #       def send_pending_notifications
-      #         pending_notifications.each do |notification, args|
-      #           devise_mailer.send(notification, self, *args).deliver
+      #       private
+      #
+      #       def send_pending_devise_notifications
+      #         pending_devise_notifications.each do |notification, args|
+      #           render_and_send_devise_message(notification, *args)
       #         end
       #
       #         # Empty the pending notifications array because the
       #         # after_commit hook can be called multiple times which
       #         # could cause multiple emails to be sent.
-      #         pending_notifications.clear
+      #         pending_devise_notifications.clear
+      #       end
+      #
+      #       def pending_devise_notifications
+      #         @pending_devise_notifications ||= []
       #       end
       #
-      #       def pending_notifications
-      #         @pending_notifications ||= []
+      #       def render_and_send_devise_message(notification, *args)
+      #         message = devise_mailer.send(notification, self, *args)
+      #
+      #         # Deliver later with Active Job's `deliver_later`
+      #         if message.respond_to?(:deliver_later)
+      #           message.deliver_later
+      #         # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
+      #         elsif message.respond_to?(:deliver_now)
+      #           message.deliver_now
+      #         else
+      #           message.deliver
+      #         end
       #       end
+      #
       #     end
       #
       def send_devise_notification(notification, *args)
@@ -235,7 +264,7 @@ module Devise
         #   end
         #
         # Finally, notice that Devise also queries for users in other scenarios
-        # besides authentication, for example when retrieving an user to send
+        # besides authentication, for example when retrieving a user to send
         # an e-mail for password reset. In such cases, find_for_authentication
         # is not called.
         def find_for_authentication(tainted_conditions)
@@ -253,24 +282,20 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = attributes.slice(*required_attributes).with_indifferent_access
-          attributes.delete_if { |key, value| value.blank? }
+          attributes.try(:permit!)
+          attributes = attributes.to_h.with_indifferent_access
+                                 .slice(*required_attributes)
+                                 .delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = find_first_by_auth_conditions(attributes)
+            record = find_first_by_auth_conditions(attributes) and return record
           end
 
-          unless record
-            record = new
-
+          new(devise_parameter_filter.filter(attributes)).tap do |record|
             required_attributes.each do |key|
-              value = attributes[key]
-              record.send("#{key}=", value)
-              record.errors.add(key, value.present? ? error : :blank)
+              record.errors.add(key, attributes[key].blank? ? :blank : error)
             end
           end
-
-          record
         end
 
         protected

data/lib/devise/models/confirmable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     # Confirmable is responsible to verify if an account is already confirmed to
@@ -7,7 +9,7 @@ module Devise
     #
     # Confirmable tracks the following columns:
     #
-    # * confirmation_token   - An OpenSSL::HMAC.hexdigest of @raw_confirmation_token
+    # * confirmation_token   - A unique random token
     # * confirmed_at         - A timestamp when the user clicked the confirmation link
     # * confirmation_sent_at - A timestamp when the confirmation_token was generated (not sent)
     # * unconfirmed_email    - An email address copied from the email attr. After confirmation
@@ -24,11 +26,15 @@ module Devise
     #     By default allow_unconfirmed_access_for is zero, it means users always have to confirm to sign in.
     #   * +reconfirmable+: requires any email changes to be confirmed (exactly the same way as
     #     initial account confirmation) to be applied. Requires additional unconfirmed_email
-    #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
+    #     db field to be set up (t.reconfirmable in migrations). Until confirmed, new email is
     #     stored in unconfirmed email column, and copied to email column on successful
-    #     confirmation.
+    #     confirmation. Also, when used in conjunction with `send_email_changed_notification`,
+    #     the notification is sent to the original email when the change is requested,
+    #     not when the unconfirmed email is confirmed.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
     #     You can use this to force the user to confirm within a set period of time.
+    #     Confirmable will not generate a new token if a repeat confirmation is requested
+    #     during this time frame, unless the user's email changed too.
     #
     # == Examples
     #
@@ -38,17 +44,23 @@ module Devise
     #
     module Confirmable
       extend ActiveSupport::Concern
-      include ActionView::Helpers::DateHelper
 
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
-        after_create  :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+        after_create :skip_reconfirmation_in_callback!, if: :send_confirmation_notification?
+        if defined?(ActiveRecord) && self < ActiveRecord::Base # ActiveRecord
+          after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
+          after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
+        else # Mongoid
+          after_create :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+          after_update :send_reconfirmation_instructions, if: :reconfirmation_required?
+        end
         before_update :postpone_email_change_until_confirmation_and_regenerate_confirmation_token, if: :postpone_email_change?
-        after_update  :send_reconfirmation_instructions,  if: :reconfirmation_required?
       end
 
       def initialize(*args, &block)
         @bypass_confirmation_postpone = false
+        @skip_reconfirmation_in_callback = false
         @reconfirmation_required = false
         @skip_confirmation_notification = false
         @raw_confirmation_token = nil
@@ -74,7 +86,7 @@ module Devise
 
           self.confirmed_at = Time.now.utc
 
-          saved = if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if pending_reconfirmation?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -90,11 +102,6 @@ module Devise
         end
       end
 
-      def confirm!(args={})
-        ActiveSupport::Deprecation.warn "confirm! is deprecated in favor of confirm"
-        confirm(args)
-      end
-
       # Verifies whether a user is confirmed or not
       def confirmed?
         !!confirmed_at
@@ -163,6 +170,12 @@ module Devise
 
       protected
 
+        # To not require reconfirmation after creating with #save called in a
+        # callback call skip_create_confirmation!
+        def skip_reconfirmation_in_callback!
+          @skip_reconfirmation_in_callback = true
+        end
+
         # A callback method used to deliver confirmation
         # instructions on creation. This can be overridden
         # in models to map to a nice sign up e-mail.
@@ -178,7 +191,7 @@ module Devise
         # Checks if the confirmation for the user is within the limit time.
         # We do this by calculating if the difference between today and the
         # confirmation sent date does not exceed the confirm in time configured.
-        # Confirm_within is a model configuration, must always be an integer value.
+        # allow_unconfirmed_access_for is a model configuration, must always be an integer value.
         #
         # Example:
         #
@@ -198,7 +211,10 @@ module Devise
         #   confirmation_period_valid?   # will always return true
         #
         def confirmation_period_valid?
-          self.class.allow_unconfirmed_access_for.nil? || (confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago)
+          return true if self.class.allow_unconfirmed_access_for.nil?
+          return false if self.class.allow_unconfirmed_access_for == 0.days
+
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
         # Checks if the user confirmation happens before the token becomes invalid
@@ -214,7 +230,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -230,37 +246,76 @@ module Devise
         # Generates a new random token for confirmation, and stores
         # the time this token is being generated in confirmation_sent_at
         def generate_confirmation_token
-          raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
-          @raw_confirmation_token   = raw
-          self.confirmation_token   = enc
-          self.confirmation_sent_at = Time.now.utc
+          if self.confirmation_token && !confirmation_period_expired?
+            @raw_confirmation_token = self.confirmation_token
+          else
+            self.confirmation_token = @raw_confirmation_token = Devise.friendly_token
+            self.confirmation_sent_at = Time.now.utc
+          end
         end
 
         def generate_confirmation_token!
           generate_confirmation_token && save(validate: false)
         end
 
-        def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
-          @reconfirmation_required = true
-          self.unconfirmed_email = self.email
-          self.email = self.email_was
-          generate_confirmation_token
+        if Devise.activerecord51?
+          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+            @reconfirmation_required = true
+            self.unconfirmed_email = self.email
+            self.email = self.email_in_database
+            self.confirmation_token = nil
+            generate_confirmation_token
+          end
+        else
+          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+            @reconfirmation_required = true
+            self.unconfirmed_email = self.email
+            self.email = self.email_was
+            self.confirmation_token = nil
+            generate_confirmation_token
+          end
         end
 
-        def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
-          @bypass_confirmation_postpone = false
-          postpone
+        if Devise.activerecord51?
+          def postpone_email_change?
+            postpone = self.class.reconfirmable &&
+              will_save_change_to_email? &&
+              !@bypass_confirmation_postpone &&
+              self.email.present? &&
+              (!@skip_reconfirmation_in_callback || !self.email_in_database.nil?)
+            @bypass_confirmation_postpone = false
+            postpone
+          end
+        else
+          def postpone_email_change?
+            postpone = self.class.reconfirmable &&
+              email_changed? &&
+              !@bypass_confirmation_postpone &&
+              self.email.present? &&
+              (!@skip_reconfirmation_in_callback || !self.email_was.nil?)
+            @bypass_confirmation_postpone = false
+            postpone
+          end
         end
 
         def reconfirmation_required?
-          self.class.reconfirmable && @reconfirmation_required && self.email.present?
+          self.class.reconfirmable && @reconfirmation_required && (self.email.present? || self.unconfirmed_email.present?)
         end
 
         def send_confirmation_notification?
           confirmation_required? && !@skip_confirmation_notification && self.email.present?
         end
 
+        # With reconfirmable, notify the original email when the user first
+        # requests the email change, instead of when the change is confirmed.
+        def send_email_changed_notification?
+          if self.class.reconfirmable
+            self.class.send_email_changed_notification && reconfirmation_required?
+          else
+            super
+          end
+        end
+
         # A callback initiated after successfully confirming. This can be
         # used to insert your own logic that is only run after the user successfully
         # confirms.
@@ -293,17 +348,35 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
-          original_token     = confirmation_token
-          confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+          # When the `confirmation_token` parameter is blank, if there are any users with a blank
+          # `confirmation_token` in the database, the first one would be confirmed here.
+          # The error is being manually added here to ensure no users are confirmed by mistake.
+          # This was done in the model for convenience, since validation errors are automatically
+          # displayed in the view.
+          if confirmation_token.blank?
+            confirmable = new
+            confirmable.errors.add(:confirmation_token, :blank)
+            return confirmable
+          end
+
+          confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+
+          unless confirmable
+            confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+            confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)
+          end
+
+          # TODO: replace above lines with
+          # confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          # after enough time has passed that Devise clients do not use digested tokens
 
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
           confirmable.confirm if confirmable.persisted?
-          confirmable.confirmation_token = original_token
           confirmable
         end
 
         # Find a record for confirmation by unconfirmed email field
         def find_by_unconfirmed_email_with_errors(attributes = {})
+          attributes = attributes.slice(*confirmation_keys).permit!.to_h if attributes.respond_to? :permit
           unconfirmed_required_attributes = confirmation_keys.map { |k| k == :email ? :unconfirmed_email : k }
           unconfirmed_attributes = attributes.symbolize_keys
           unconfirmed_attributes[:unconfirmed_email] = unconfirmed_attributes.delete(:email)

data/lib/devise/models/database_authenticatable.rb

@@ -1,25 +1,25 @@
+# frozen_string_literal: true
+
 require 'devise/strategies/database_authenticatable'
-require 'devise/encryptor'
 
 module Devise
-  def self.bcrypt(klass, password)
-    ActiveSupport::Deprecation.warn "Devise.bcrypt is deprecated; use Devise::Encryptor.digest instead"
-    Devise::Encryptor.digest(klass, password)
-  end
-
   module Models
-    # Authenticatable Module, responsible for encrypting password and validating
-    # authenticity of a user while signing in.
+    # Authenticatable Module, responsible for hashing the password and
+    # validating the authenticity of a user while signing in.
     #
     # == Options
     #
-    # DatabaseAuthenticable adds the following options to devise_for:
+    # DatabaseAuthenticatable adds the following options to devise_for:
     #
     #   * +pepper+: a random string used to provide a more secure hash. Use
-    #     `rake secret` to generate new keys.
+    #     `rails secret` to generate new keys.
     #
     #   * +stretches+: the cost given to bcrypt.
     #
+    #   * +send_email_changed_notification+: notify original email when it changes.
+    #
+    #   * +send_password_change_notification+: notify email when password changes.
+    #
     # == Examples
     #
     #    User.find(1).valid_password?('password123')         # returns true/false
@@ -28,15 +28,36 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
+        after_update :send_email_changed_notification, if: :send_email_changed_notification?
+        after_update :send_password_change_notification, if: :send_password_change_notification?
+
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
       end
 
+      def initialize(*args, &block)
+        @skip_email_changed_notification = false
+        @skip_password_change_notification = false
+        super 
+      end
+
+      # Skips sending the email changed notification after_update
+      def skip_email_changed_notification!
+        @skip_email_changed_notification = true
+      end
+
+      # Skips sending the password change notification after_update
+      def skip_password_change_notification!
+        @skip_password_change_notification = true
+      end
+
       def self.required_fields(klass)
         [:encrypted_password] + klass.authentication_keys
       end
 
-      # Generates password encryption based on the given value.
+      # Generates a hashed password based on the given value.
+      # For legacy reasons, we use `encrypted_password` to store
+      # the hashed password.
       def password=(new_password)
         @password = new_password
         self.encrypted_password = password_digest(@password) if @password.present?
@@ -60,6 +81,15 @@ module Devise
       # their password). In case the password field is rejected, the confirmation
       # is also rejected as long as it is also blank.
       def update_with_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
+
         current_password = params.delete(:current_password)
 
         if params[:password].blank?
@@ -68,11 +98,11 @@ module Devise
         end
 
         result = if valid_password?(current_password)
-          update_attributes(params, *options)
+          update(params, *options)
         else
-          self.assign_attributes(params, *options)
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          assign_attributes(params, *options)
+          valid?
+          errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
         end
 
@@ -93,10 +123,19 @@ module Devise
       #   end
       #
       def update_without_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
+
         params.delete(:password)
         params.delete(:password_confirmation)
 
-        result = update_attributes(params, *options)
+        result = update(params, *options)
         clean_up_passwords
         result
       end
@@ -108,8 +147,8 @@ module Devise
         result = if valid_password?(current_password)
           destroy
         else
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          valid?
+          errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
         end
 
@@ -134,19 +173,56 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
+      if Devise.activerecord51?
+        # Send notification to user when email changes.
+        def send_email_changed_notification
+          send_devise_notification(:email_changed, to: email_before_last_save)
+        end
+      else
+        # Send notification to user when email changes.
+        def send_email_changed_notification
+          send_devise_notification(:email_changed, to: email_was)
+        end
+      end
+
+      # Send notification to user when password changes.
+      def send_password_change_notification
+        send_devise_notification(:password_change)
+      end
+
     protected
 
-      # Digests the password using bcrypt. Custom encryption should override
+      # Hashes the password using bcrypt. Custom hash functions should override
       # this method to apply their own algorithm.
       #
       # See https://github.com/plataformatec/devise-encryptable for examples
-      # of other encryption engines.
+      # of other hashing engines.
       def password_digest(password)
         Devise::Encryptor.digest(self.class, password)
       end
 
+      if Devise.activerecord51?
+        def send_email_changed_notification?
+          self.class.send_email_changed_notification && saved_change_to_email? && !@skip_email_changed_notification
+        end
+      else
+        def send_email_changed_notification?
+          self.class.send_email_changed_notification && email_changed? && !@skip_email_changed_notification
+        end
+      end
+
+      if Devise.activerecord51?
+        def send_password_change_notification?
+          self.class.send_password_change_notification && saved_change_to_encrypted_password? && !@skip_password_change_notification
+        end
+      else
+        def send_password_change_notification?
+          self.class.send_password_change_notification && encrypted_password_changed? && !@skip_password_change_notification
+        end
+      end
+
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches)
+        Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
 
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on