devise 3.5.10 → 4.6.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of devise might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +240 -1147
- data/MIT-LICENSE +1 -1
- data/README.md +240 -65
- data/app/controllers/devise/confirmations_controller.rb +3 -1
- data/app/controllers/devise/omniauth_callbacks_controller.rb +8 -6
- data/app/controllers/devise/passwords_controller.rb +7 -4
- data/app/controllers/devise/registrations_controller.rb +39 -18
- data/app/controllers/devise/sessions_controller.rb +9 -7
- data/app/controllers/devise/unlocks_controller.rb +4 -2
- data/app/controllers/devise_controller.rb +23 -10
- data/app/helpers/devise_helper.rb +12 -19
- data/app/mailers/devise/mailer.rb +6 -0
- data/app/views/devise/confirmations/new.html.erb +2 -2
- data/app/views/devise/mailer/email_changed.html.erb +7 -0
- data/app/views/devise/passwords/edit.html.erb +2 -2
- data/app/views/devise/passwords/new.html.erb +2 -2
- data/app/views/devise/registrations/edit.html.erb +9 -5
- data/app/views/devise/registrations/new.html.erb +4 -4
- data/app/views/devise/sessions/new.html.erb +4 -4
- data/app/views/devise/shared/_error_messages.html.erb +15 -0
- data/app/views/devise/shared/_links.html.erb +7 -7
- data/app/views/devise/unlocks/new.html.erb +2 -2
- data/config/locales/en.yml +3 -0
- data/lib/devise/controllers/helpers.rb +23 -20
- data/lib/devise/controllers/rememberable.rb +3 -1
- data/lib/devise/controllers/scoped_views.rb +2 -0
- data/lib/devise/controllers/sign_in_out.rb +34 -11
- data/lib/devise/controllers/store_location.rb +25 -7
- data/lib/devise/controllers/url_helpers.rb +2 -0
- data/lib/devise/delegator.rb +2 -0
- data/lib/devise/encryptor.rb +6 -4
- data/lib/devise/failure_app.rb +81 -37
- data/lib/devise/hooks/activatable.rb +2 -0
- data/lib/devise/hooks/csrf_cleaner.rb +2 -0
- data/lib/devise/hooks/forgetable.rb +2 -0
- data/lib/devise/hooks/lockable.rb +6 -1
- data/lib/devise/hooks/proxy.rb +3 -1
- data/lib/devise/hooks/rememberable.rb +2 -0
- data/lib/devise/hooks/timeoutable.rb +2 -0
- data/lib/devise/hooks/trackable.rb +2 -0
- data/lib/devise/mailers/helpers.rb +7 -4
- data/lib/devise/mapping.rb +2 -0
- data/lib/devise/models/authenticatable.rb +51 -25
- data/lib/devise/models/confirmable.rb +76 -27
- data/lib/devise/models/database_authenticatable.rb +91 -23
- data/lib/devise/models/lockable.rb +10 -4
- data/lib/devise/models/omniauthable.rb +2 -0
- data/lib/devise/models/recoverable.rb +31 -19
- data/lib/devise/models/registerable.rb +4 -0
- data/lib/devise/models/rememberable.rb +5 -10
- data/lib/devise/models/timeoutable.rb +2 -0
- data/lib/devise/models/trackable.rb +15 -1
- data/lib/devise/models/validatable.rb +10 -3
- data/lib/devise/models.rb +3 -1
- data/lib/devise/modules.rb +2 -0
- data/lib/devise/omniauth/config.rb +2 -0
- data/lib/devise/omniauth/url_helpers.rb +14 -5
- data/lib/devise/omniauth.rb +2 -0
- data/lib/devise/orm/active_record.rb +5 -1
- data/lib/devise/orm/mongoid.rb +6 -2
- data/lib/devise/parameter_filter.rb +4 -0
- data/lib/devise/parameter_sanitizer.rb +139 -65
- data/lib/devise/rails/routes.rb +42 -31
- data/lib/devise/rails/warden_compat.rb +3 -10
- data/lib/devise/rails.rb +7 -16
- data/lib/devise/secret_key_finder.rb +27 -0
- data/lib/devise/strategies/authenticatable.rb +2 -0
- data/lib/devise/strategies/base.rb +2 -0
- data/lib/devise/strategies/database_authenticatable.rb +11 -4
- data/lib/devise/strategies/rememberable.rb +2 -0
- data/lib/devise/test/controller_helpers.rb +165 -0
- data/lib/devise/test/integration_helpers.rb +63 -0
- data/lib/devise/test_helpers.rb +7 -124
- data/lib/devise/time_inflector.rb +2 -0
- data/lib/devise/token_generator.rb +3 -41
- data/lib/devise/version.rb +3 -1
- data/lib/devise.rb +61 -40
- data/lib/generators/active_record/devise_generator.rb +29 -10
- data/lib/generators/active_record/templates/migration.rb +4 -2
- data/lib/generators/active_record/templates/migration_existing.rb +4 -2
- data/lib/generators/devise/controllers_generator.rb +3 -1
- data/lib/generators/devise/devise_generator.rb +4 -2
- data/lib/generators/devise/install_generator.rb +17 -0
- data/lib/generators/devise/orm_helpers.rb +10 -21
- data/lib/generators/devise/views_generator.rb +7 -8
- data/lib/generators/mongoid/devise_generator.rb +7 -5
- data/lib/generators/templates/README +1 -8
- data/lib/generators/templates/controllers/confirmations_controller.rb +2 -0
- data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +2 -0
- data/lib/generators/templates/controllers/passwords_controller.rb +2 -0
- data/lib/generators/templates/controllers/registrations_controller.rb +6 -4
- data/lib/generators/templates/controllers/sessions_controller.rb +4 -2
- data/lib/generators/templates/controllers/unlocks_controller.rb +2 -0
- data/lib/generators/templates/devise.rb +50 -20
- data/lib/generators/templates/markerb/email_changed.markerb +7 -0
- data/lib/generators/templates/markerb/password_change.markerb +2 -2
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +5 -1
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +6 -1
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +4 -1
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +11 -3
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +11 -3
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +7 -2
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +4 -1
- metadata +15 -307
- data/.gitignore +0 -10
- data/.travis.yml +0 -44
- data/.yardopts +0 -9
- data/CODE_OF_CONDUCT.md +0 -22
- data/CONTRIBUTING.md +0 -16
- data/Gemfile +0 -30
- data/Gemfile.lock +0 -187
- data/Rakefile +0 -36
- data/devise.gemspec +0 -27
- data/devise.png +0 -0
- data/gemfiles/Gemfile.rails-3.2-stable +0 -29
- data/gemfiles/Gemfile.rails-3.2-stable.lock +0 -172
- data/gemfiles/Gemfile.rails-4.0-stable +0 -30
- data/gemfiles/Gemfile.rails-4.0-stable.lock +0 -166
- data/gemfiles/Gemfile.rails-4.1-stable +0 -30
- data/gemfiles/Gemfile.rails-4.1-stable.lock +0 -171
- data/gemfiles/Gemfile.rails-4.2-stable +0 -30
- data/gemfiles/Gemfile.rails-4.2-stable.lock +0 -193
- data/script/cached-bundle +0 -49
- data/script/s3-put +0 -71
- data/test/controllers/custom_registrations_controller_test.rb +0 -40
- data/test/controllers/custom_strategy_test.rb +0 -62
- data/test/controllers/helper_methods_test.rb +0 -21
- data/test/controllers/helpers_test.rb +0 -316
- data/test/controllers/inherited_controller_i18n_messages_test.rb +0 -51
- data/test/controllers/internal_helpers_test.rb +0 -129
- data/test/controllers/load_hooks_controller_test.rb +0 -19
- data/test/controllers/passwords_controller_test.rb +0 -31
- data/test/controllers/sessions_controller_test.rb +0 -103
- data/test/controllers/url_helpers_test.rb +0 -65
- data/test/delegator_test.rb +0 -19
- data/test/devise_test.rb +0 -107
- data/test/failure_app_test.rb +0 -315
- data/test/generators/active_record_generator_test.rb +0 -109
- data/test/generators/controllers_generator_test.rb +0 -48
- data/test/generators/devise_generator_test.rb +0 -39
- data/test/generators/install_generator_test.rb +0 -13
- data/test/generators/mongoid_generator_test.rb +0 -23
- data/test/generators/views_generator_test.rb +0 -103
- data/test/helpers/devise_helper_test.rb +0 -49
- data/test/integration/authenticatable_test.rb +0 -729
- data/test/integration/confirmable_test.rb +0 -324
- data/test/integration/database_authenticatable_test.rb +0 -95
- data/test/integration/http_authenticatable_test.rb +0 -105
- data/test/integration/lockable_test.rb +0 -239
- data/test/integration/omniauthable_test.rb +0 -135
- data/test/integration/recoverable_test.rb +0 -347
- data/test/integration/registerable_test.rb +0 -359
- data/test/integration/rememberable_test.rb +0 -214
- data/test/integration/timeoutable_test.rb +0 -184
- data/test/integration/trackable_test.rb +0 -92
- data/test/mailers/confirmation_instructions_test.rb +0 -115
- data/test/mailers/reset_password_instructions_test.rb +0 -96
- data/test/mailers/unlock_instructions_test.rb +0 -91
- data/test/mapping_test.rb +0 -134
- data/test/models/authenticatable_test.rb +0 -23
- data/test/models/confirmable_test.rb +0 -511
- data/test/models/database_authenticatable_test.rb +0 -269
- data/test/models/lockable_test.rb +0 -350
- data/test/models/omniauthable_test.rb +0 -7
- data/test/models/recoverable_test.rb +0 -251
- data/test/models/registerable_test.rb +0 -7
- data/test/models/rememberable_test.rb +0 -169
- data/test/models/serializable_test.rb +0 -49
- data/test/models/timeoutable_test.rb +0 -51
- data/test/models/trackable_test.rb +0 -41
- data/test/models/validatable_test.rb +0 -127
- data/test/models_test.rb +0 -153
- data/test/omniauth/config_test.rb +0 -57
- data/test/omniauth/url_helpers_test.rb +0 -54
- data/test/orm/active_record.rb +0 -10
- data/test/orm/mongoid.rb +0 -13
- data/test/parameter_sanitizer_test.rb +0 -81
- data/test/rails_app/Rakefile +0 -6
- data/test/rails_app/app/active_record/admin.rb +0 -6
- data/test/rails_app/app/active_record/shim.rb +0 -2
- data/test/rails_app/app/active_record/user.rb +0 -6
- data/test/rails_app/app/active_record/user_on_engine.rb +0 -7
- data/test/rails_app/app/active_record/user_on_main_app.rb +0 -7
- data/test/rails_app/app/active_record/user_without_email.rb +0 -8
- data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
- data/test/rails_app/app/controllers/admins_controller.rb +0 -6
- data/test/rails_app/app/controllers/application_controller.rb +0 -12
- data/test/rails_app/app/controllers/application_with_fake_engine.rb +0 -30
- data/test/rails_app/app/controllers/custom/registrations_controller.rb +0 -31
- data/test/rails_app/app/controllers/home_controller.rb +0 -25
- data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
- data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
- data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
- data/test/rails_app/app/controllers/users_controller.rb +0 -31
- data/test/rails_app/app/helpers/application_helper.rb +0 -3
- data/test/rails_app/app/mailers/users/from_proc_mailer.rb +0 -3
- data/test/rails_app/app/mailers/users/mailer.rb +0 -3
- data/test/rails_app/app/mailers/users/reply_to_mailer.rb +0 -4
- data/test/rails_app/app/mongoid/admin.rb +0 -29
- data/test/rails_app/app/mongoid/shim.rb +0 -23
- data/test/rails_app/app/mongoid/user.rb +0 -39
- data/test/rails_app/app/mongoid/user_on_engine.rb +0 -39
- data/test/rails_app/app/mongoid/user_on_main_app.rb +0 -39
- data/test/rails_app/app/mongoid/user_without_email.rb +0 -33
- data/test/rails_app/app/views/admins/index.html.erb +0 -1
- data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
- data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
- data/test/rails_app/app/views/home/index.html.erb +0 -1
- data/test/rails_app/app/views/home/join.html.erb +0 -1
- data/test/rails_app/app/views/home/private.html.erb +0 -1
- data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
- data/test/rails_app/app/views/layouts/application.html.erb +0 -24
- data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
- data/test/rails_app/app/views/users/index.html.erb +0 -1
- data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
- data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
- data/test/rails_app/bin/bundle +0 -3
- data/test/rails_app/bin/rails +0 -4
- data/test/rails_app/bin/rake +0 -4
- data/test/rails_app/config/application.rb +0 -40
- data/test/rails_app/config/boot.rb +0 -14
- data/test/rails_app/config/database.yml +0 -18
- data/test/rails_app/config/environment.rb +0 -5
- data/test/rails_app/config/environments/development.rb +0 -30
- data/test/rails_app/config/environments/production.rb +0 -84
- data/test/rails_app/config/environments/test.rb +0 -41
- data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
- data/test/rails_app/config/initializers/devise.rb +0 -180
- data/test/rails_app/config/initializers/inflections.rb +0 -2
- data/test/rails_app/config/initializers/secret_token.rb +0 -8
- data/test/rails_app/config/initializers/session_store.rb +0 -1
- data/test/rails_app/config/routes.rb +0 -125
- data/test/rails_app/config.ru +0 -4
- data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -71
- data/test/rails_app/db/schema.rb +0 -55
- data/test/rails_app/lib/shared_admin.rb +0 -17
- data/test/rails_app/lib/shared_user.rb +0 -29
- data/test/rails_app/lib/shared_user_without_email.rb +0 -26
- data/test/rails_app/lib/shared_user_without_omniauth.rb +0 -13
- data/test/rails_app/public/404.html +0 -26
- data/test/rails_app/public/422.html +0 -26
- data/test/rails_app/public/500.html +0 -26
- data/test/rails_app/public/favicon.ico +0 -0
- data/test/rails_test.rb +0 -9
- data/test/routes_test.rb +0 -264
- data/test/support/action_controller/record_identifier.rb +0 -10
- data/test/support/assertions.rb +0 -39
- data/test/support/helpers.rb +0 -77
- data/test/support/integration.rb +0 -92
- data/test/support/locale/en.yml +0 -8
- data/test/support/mongoid.yml +0 -6
- data/test/support/webrat/integrations/rails.rb +0 -24
- data/test/test_helper.rb +0 -34
- data/test/test_helpers_test.rb +0 -178
- data/test/test_models.rb +0 -33
- data/test/time_helpers.rb +0 -137
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
4
|
module Controllers
|
3
5
|
# A module that may be optionally included in a controller in order
|
@@ -18,7 +20,7 @@ module Devise
|
|
18
20
|
|
19
21
|
# Remembers the given resource by setting up a cookie
|
20
22
|
def remember_me(resource)
|
21
|
-
return if env["devise.skip_storage"]
|
23
|
+
return if request.env["devise.skip_storage"]
|
22
24
|
scope = Devise::Mapping.find_scope!(resource)
|
23
25
|
resource.remember_me!
|
24
26
|
cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)
|
@@ -1,10 +1,15 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
4
|
module Controllers
|
3
5
|
# Provide sign in and sign out functionality.
|
4
6
|
# Included by default in all controllers.
|
5
7
|
module SignInOut
|
6
8
|
# Return true if the given scope is signed in session. If no scope given, return
|
7
|
-
# true if any scope is signed in.
|
9
|
+
# true if any scope is signed in. This will run authentication hooks, which may
|
10
|
+
# cause exceptions to be thrown from this method; if you simply want to check
|
11
|
+
# if a scope has already previously been authenticated without running
|
12
|
+
# authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
|
8
13
|
def signed_in?(scope=nil)
|
9
14
|
[scope || Devise.mappings.keys].flatten.any? do |_scope|
|
10
15
|
warden.authenticate?(scope: _scope)
|
@@ -12,20 +17,18 @@ module Devise
|
|
12
17
|
end
|
13
18
|
|
14
19
|
# Sign in a user that already was authenticated. This helper is useful for logging
|
15
|
-
# users in after sign up.
|
16
|
-
#
|
17
|
-
#
|
18
|
-
#
|
19
|
-
#
|
20
|
-
# signed in, but we want to refresh the credentials in session.
|
20
|
+
# users in after sign up. All options given to sign_in is passed forward
|
21
|
+
# to the set_user method in warden.
|
22
|
+
# If you are using a custom warden strategy and the timeoutable module, you have to
|
23
|
+
# set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
|
24
|
+
# in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
|
21
25
|
#
|
22
26
|
# Examples:
|
23
27
|
#
|
24
28
|
# sign_in :user, @user # sign_in(scope, resource)
|
25
29
|
# sign_in @user # sign_in(resource)
|
26
|
-
# sign_in @user, event: :authentication
|
27
|
-
# sign_in @user, store: false
|
28
|
-
# sign_in @user, bypass: true # sign_in(resource, options)
|
30
|
+
# sign_in @user, event: :authentication # sign_in(resource, options)
|
31
|
+
# sign_in @user, store: false # sign_in(resource, options)
|
29
32
|
#
|
30
33
|
def sign_in(resource_or_scope, *args)
|
31
34
|
options = args.extract_options!
|
@@ -35,6 +38,13 @@ module Devise
|
|
35
38
|
expire_data_after_sign_in!
|
36
39
|
|
37
40
|
if options[:bypass]
|
41
|
+
ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
|
42
|
+
[Devise] bypass option is deprecated and it will be removed in future version of Devise.
|
43
|
+
Please use bypass_sign_in method instead.
|
44
|
+
Example:
|
45
|
+
|
46
|
+
bypass_sign_in(user)
|
47
|
+
DEPRECATION
|
38
48
|
warden.session_serializer.store(resource, scope)
|
39
49
|
elsif warden.user(scope) == resource && !options.delete(:force)
|
40
50
|
# Do nothing. User already signed in and we are not forcing it.
|
@@ -44,6 +54,20 @@ module Devise
|
|
44
54
|
end
|
45
55
|
end
|
46
56
|
|
57
|
+
# Sign in a user bypassing the warden callbacks and stores the user
|
58
|
+
# straight in session. This option is useful in cases the user is already
|
59
|
+
# signed in, but we want to refresh the credentials in session.
|
60
|
+
#
|
61
|
+
# Examples:
|
62
|
+
#
|
63
|
+
# bypass_sign_in @user, scope: :user
|
64
|
+
# bypass_sign_in @user
|
65
|
+
def bypass_sign_in(resource, scope: nil)
|
66
|
+
scope ||= Devise::Mapping.find_scope!(resource)
|
67
|
+
expire_data_after_sign_in!
|
68
|
+
warden.session_serializer.store(resource, scope)
|
69
|
+
end
|
70
|
+
|
47
71
|
# Sign out a given user or scope. This helper is useful for signing out a user
|
48
72
|
# after deleting accounts. Returns true if there was a logout and false if there
|
49
73
|
# is no user logged in on the referred scope
|
@@ -58,7 +82,6 @@ module Devise
|
|
58
82
|
scope = Devise::Mapping.find_scope!(resource_or_scope)
|
59
83
|
user = warden.user(scope: scope, run_callbacks: false) # If there is no user
|
60
84
|
|
61
|
-
warden.raw_session.inspect # Without this inspect here. The session does not clear.
|
62
85
|
warden.logout(scope)
|
63
86
|
warden.clear_strategies_cache!(scope: scope)
|
64
87
|
instance_variable_set(:"@current_#{scope}", nil)
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require "uri"
|
2
4
|
|
3
5
|
module Devise
|
@@ -29,16 +31,13 @@ module Devise
|
|
29
31
|
# Example:
|
30
32
|
#
|
31
33
|
# store_location_for(:user, dashboard_path)
|
32
|
-
# redirect_to
|
34
|
+
# redirect_to user_facebook_omniauth_authorize_path
|
33
35
|
#
|
34
36
|
def store_location_for(resource_or_scope, location)
|
35
37
|
session_key = stored_location_key_for(resource_or_scope)
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
path = [path, uri.fragment].compact.join('#')
|
40
|
-
session[session_key] = path
|
41
|
-
end
|
38
|
+
|
39
|
+
path = extract_path_from_location(location)
|
40
|
+
session[session_key] = path if path
|
42
41
|
end
|
43
42
|
|
44
43
|
private
|
@@ -53,6 +52,25 @@ module Devise
|
|
53
52
|
scope = Devise::Mapping.find_scope!(resource_or_scope)
|
54
53
|
"#{scope}_return_to"
|
55
54
|
end
|
55
|
+
|
56
|
+
def extract_path_from_location(location)
|
57
|
+
uri = parse_uri(location)
|
58
|
+
|
59
|
+
if uri
|
60
|
+
path = remove_domain_from_uri(uri)
|
61
|
+
path = add_fragment_back_to_path(uri, path)
|
62
|
+
|
63
|
+
path
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
def remove_domain_from_uri(uri)
|
68
|
+
[uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
|
69
|
+
end
|
70
|
+
|
71
|
+
def add_fragment_back_to_path(uri, path)
|
72
|
+
[path, uri.fragment].compact.join('#')
|
73
|
+
end
|
56
74
|
end
|
57
75
|
end
|
58
76
|
end
|
data/lib/devise/delegator.rb
CHANGED
data/lib/devise/encryptor.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'bcrypt'
|
2
4
|
|
3
5
|
module Devise
|
@@ -9,14 +11,14 @@ module Devise
|
|
9
11
|
::BCrypt::Password.create(password, cost: klass.stretches).to_s
|
10
12
|
end
|
11
13
|
|
12
|
-
def self.compare(klass,
|
13
|
-
return false if
|
14
|
-
bcrypt = ::BCrypt::Password.new(
|
14
|
+
def self.compare(klass, hashed_password, password)
|
15
|
+
return false if hashed_password.blank?
|
16
|
+
bcrypt = ::BCrypt::Password.new(hashed_password)
|
15
17
|
if klass.pepper.present?
|
16
18
|
password = "#{password}#{klass.pepper}"
|
17
19
|
end
|
18
20
|
password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
|
19
|
-
Devise.secure_compare(password,
|
21
|
+
Devise.secure_compare(password, hashed_password)
|
20
22
|
end
|
21
23
|
end
|
22
24
|
end
|
data/lib/devise/failure_app.rb
CHANGED
@@ -1,12 +1,13 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require "action_controller/metal"
|
2
4
|
|
3
5
|
module Devise
|
4
6
|
# Failure application that will be called every time :warden is thrown from
|
5
|
-
# any strategy or hook.
|
6
|
-
# page based on current scope and mapping. If no scope is given,
|
7
|
-
# to the default_url.
|
7
|
+
# any strategy or hook. It is responsible for redirecting the user to the sign
|
8
|
+
# in page based on current scope and mapping. If no scope is given, it
|
9
|
+
# redirects to the default_url.
|
8
10
|
class FailureApp < ActionController::Metal
|
9
|
-
include ActionController::RackDelegation
|
10
11
|
include ActionController::UrlFor
|
11
12
|
include ActionController::Redirecting
|
12
13
|
|
@@ -22,7 +23,7 @@ module Devise
|
|
22
23
|
@respond.call(env)
|
23
24
|
end
|
24
25
|
|
25
|
-
# Try retrieving the URL options from the parent controller (usually
|
26
|
+
# Try retrieving the URL options from the parent controller (usually
|
26
27
|
# ApplicationController). Instance methods are not supported at the moment,
|
27
28
|
# so only the class-level attribute is used.
|
28
29
|
def self.default_url_options(*args)
|
@@ -51,20 +52,27 @@ module Devise
|
|
51
52
|
end
|
52
53
|
|
53
54
|
def recall
|
54
|
-
|
55
|
-
|
56
|
-
if config.try(:relative_url_root)
|
57
|
-
base_path = Pathname.new(config.relative_url_root)
|
55
|
+
header_info = if relative_url_root?
|
56
|
+
base_path = Pathname.new(relative_url_root)
|
58
57
|
full_path = Pathname.new(attempted_path)
|
59
58
|
|
60
|
-
|
61
|
-
|
59
|
+
{ "SCRIPT_NAME" => relative_url_root,
|
60
|
+
"PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
|
62
61
|
else
|
63
|
-
|
62
|
+
{ "PATH_INFO" => attempted_path }
|
63
|
+
end
|
64
|
+
|
65
|
+
header_info.each do | var, value|
|
66
|
+
if request.respond_to?(:set_header)
|
67
|
+
request.set_header(var, value)
|
68
|
+
else
|
69
|
+
request.env[var] = value
|
70
|
+
end
|
64
71
|
end
|
65
72
|
|
66
73
|
flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
|
67
|
-
self.response = recall_app(warden_options[:recall]).call(env)
|
74
|
+
# self.response = recall_app(warden_options[:recall]).call(env)
|
75
|
+
self.response = recall_app(warden_options[:recall]).call(request.env)
|
68
76
|
end
|
69
77
|
|
70
78
|
def redirect
|
@@ -95,7 +103,7 @@ module Devise
|
|
95
103
|
options[:scope] = "devise.failure"
|
96
104
|
options[:default] = [message]
|
97
105
|
auth_keys = scope_class.authentication_keys
|
98
|
-
keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
|
106
|
+
keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
|
99
107
|
options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
|
100
108
|
options = i18n_options(options)
|
101
109
|
|
@@ -127,23 +135,29 @@ module Devise
|
|
127
135
|
|
128
136
|
def scope_url
|
129
137
|
opts = {}
|
130
|
-
route = route(scope)
|
131
|
-
opts[:format] = request_format unless skip_format?
|
132
138
|
|
133
|
-
|
139
|
+
# Initialize script_name with nil to prevent infinite loops in
|
140
|
+
# authenticated mounted engines in rails 4.2 and 5.0
|
141
|
+
opts[:script_name] = nil
|
134
142
|
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
else
|
139
|
-
if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
|
140
|
-
opts[:script_name] = config.relative_url_root
|
141
|
-
end
|
142
|
-
end
|
143
|
+
route = route(scope)
|
144
|
+
|
145
|
+
opts[:format] = request_format unless skip_format?
|
143
146
|
|
144
147
|
router_name = Devise.mappings[scope].router_name || Devise.available_router_name
|
145
148
|
context = send(router_name)
|
146
149
|
|
150
|
+
if relative_url_root?
|
151
|
+
opts[:script_name] = relative_url_root
|
152
|
+
|
153
|
+
# We need to add the rootpath to `script_name` manually for applications that use a Rails
|
154
|
+
# version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
|
155
|
+
# that use Devise. Remove it when the support of Rails 5.0 is droped.
|
156
|
+
elsif root_path_defined?(context) && rails_5_and_down?
|
157
|
+
rootpath = context.routes.url_helpers.root_path
|
158
|
+
opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
|
159
|
+
end
|
160
|
+
|
147
161
|
if context.respond_to?(route)
|
148
162
|
context.send(route, opts)
|
149
163
|
elsif respond_to?(:root_url)
|
@@ -157,12 +171,12 @@ module Devise
|
|
157
171
|
%w(html */*).include? request_format.to_s
|
158
172
|
end
|
159
173
|
|
160
|
-
# Choose whether we should respond in
|
174
|
+
# Choose whether we should respond in an HTTP authentication fashion,
|
161
175
|
# including 401 and optional headers.
|
162
176
|
#
|
163
|
-
# This method allows the user to explicitly disable
|
164
|
-
# on
|
165
|
-
# handling the errors on their own. This is useful in case your
|
177
|
+
# This method allows the user to explicitly disable HTTP authentication
|
178
|
+
# on AJAX requests in case they want to redirect on failures instead of
|
179
|
+
# handling the errors on their own. This is useful in case your AJAX API
|
166
180
|
# is the same as your public API and uses a format like JSON (so you
|
167
181
|
# cannot mark JSON as a navigational format).
|
168
182
|
def http_auth?
|
@@ -173,7 +187,7 @@ module Devise
|
|
173
187
|
end
|
174
188
|
end
|
175
189
|
|
176
|
-
# It
|
190
|
+
# It doesn't make sense to send authenticate headers in AJAX requests
|
177
191
|
# or if the user disabled them.
|
178
192
|
def http_auth_header?
|
179
193
|
scope_class.http_authenticatable && !request.xhr?
|
@@ -199,11 +213,11 @@ module Devise
|
|
199
213
|
end
|
200
214
|
|
201
215
|
def warden
|
202
|
-
env[
|
216
|
+
request.respond_to?(:get_header) ? request.get_header("warden") : request.env["warden"]
|
203
217
|
end
|
204
218
|
|
205
219
|
def warden_options
|
206
|
-
env[
|
220
|
+
request.respond_to?(:get_header) ? request.get_header("warden.options") : request.env["warden.options"]
|
207
221
|
end
|
208
222
|
|
209
223
|
def warden_message
|
@@ -222,10 +236,10 @@ module Devise
|
|
222
236
|
warden_options[:attempted_path]
|
223
237
|
end
|
224
238
|
|
225
|
-
# Stores requested
|
226
|
-
# scoped session provided by warden here, since the user is not
|
227
|
-
# yet, but we still need to store the
|
228
|
-
# would never use the same
|
239
|
+
# Stores requested URI to redirect the user after signing in. We can't use
|
240
|
+
# the scoped session provided by warden here, since the user is not
|
241
|
+
# authenticated yet, but we still need to store the URI based on scope, so
|
242
|
+
# different scopes would never use the same URI to redirect.
|
229
243
|
def store_location!
|
230
244
|
store_location_for(scope, attempted_path) if request.get? && !http_auth?
|
231
245
|
end
|
@@ -237,11 +251,41 @@ module Devise
|
|
237
251
|
# Check if flash messages should be emitted. Default is to do it on
|
238
252
|
# navigational formats
|
239
253
|
def is_flashing_format?
|
240
|
-
is_navigational_format?
|
254
|
+
request.respond_to?(:flash) && is_navigational_format?
|
241
255
|
end
|
242
256
|
|
243
257
|
def request_format
|
244
258
|
@request_format ||= request.format.try(:ref)
|
245
259
|
end
|
260
|
+
|
261
|
+
def relative_url_root
|
262
|
+
@relative_url_root ||= begin
|
263
|
+
config = Rails.application.config
|
264
|
+
|
265
|
+
config.try(:relative_url_root) || config.action_controller.try(:relative_url_root)
|
266
|
+
end
|
267
|
+
end
|
268
|
+
|
269
|
+
def relative_url_root?
|
270
|
+
relative_url_root.present?
|
271
|
+
end
|
272
|
+
|
273
|
+
ActiveSupport.run_load_hooks(:devise_failure_app, self)
|
274
|
+
|
275
|
+
private
|
276
|
+
|
277
|
+
def root_path_defined?(context)
|
278
|
+
defined?(context.routes) && context.routes.url_helpers.root_path.present?
|
279
|
+
end
|
280
|
+
|
281
|
+
def rails_5_and_down?
|
282
|
+
return false if rails_5_up?
|
283
|
+
|
284
|
+
Rails::VERSION::MAJOR >= 4
|
285
|
+
end
|
286
|
+
|
287
|
+
def rails_5_up?
|
288
|
+
Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
|
289
|
+
end
|
246
290
|
end
|
247
291
|
end
|
@@ -1,7 +1,12 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# After each sign in, if resource responds to failed_attempts, sets it to 0
|
2
4
|
# This is only triggered when the user is explicitly set (with set_user)
|
3
5
|
Warden::Manager.after_set_user except: :fetch do |record, warden, options|
|
4
6
|
if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
|
5
|
-
|
7
|
+
unless record.failed_attempts.to_i.zero?
|
8
|
+
record.failed_attempts = 0
|
9
|
+
record.save(validate: false)
|
10
|
+
end
|
6
11
|
end
|
7
12
|
end
|
data/lib/devise/hooks/proxy.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
4
|
module Hooks
|
3
5
|
# A small warden proxy so we can remember, forget and
|
@@ -7,7 +9,7 @@ module Devise
|
|
7
9
|
include Devise::Controllers::SignInOut
|
8
10
|
|
9
11
|
attr_reader :warden
|
10
|
-
delegate :cookies, :
|
12
|
+
delegate :cookies, :request, to: :warden
|
11
13
|
|
12
14
|
def initialize(warden)
|
13
15
|
@warden = warden
|
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
module Devise
|
2
4
|
module Mailers
|
3
5
|
module Helpers
|
@@ -5,15 +7,16 @@ module Devise
|
|
5
7
|
|
6
8
|
included do
|
7
9
|
include Devise::Controllers::ScopedViews
|
8
|
-
attr_reader :scope_name, :resource
|
9
10
|
end
|
10
11
|
|
11
12
|
protected
|
12
13
|
|
14
|
+
attr_reader :scope_name, :resource
|
15
|
+
|
13
16
|
# Configure default email options
|
14
|
-
def devise_mail(record, action, opts={})
|
17
|
+
def devise_mail(record, action, opts = {}, &block)
|
15
18
|
initialize_from_record(record)
|
16
|
-
mail headers_for(action, opts)
|
19
|
+
mail headers_for(action, opts), &block
|
17
20
|
end
|
18
21
|
|
19
22
|
def initialize_from_record(record)
|
@@ -64,7 +67,7 @@ module Devise
|
|
64
67
|
template_path
|
65
68
|
end
|
66
69
|
|
67
|
-
#
|
70
|
+
# Set up a subject doing an I18n lookup. At first, it attempts to set a subject
|
68
71
|
# based on the current mapping:
|
69
72
|
#
|
70
73
|
# en:
|
data/lib/devise/mapping.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require 'active_model/version'
|
2
4
|
require 'devise/hooks/activatable'
|
3
5
|
require 'devise/hooks/csrf_cleaner'
|
@@ -102,7 +104,7 @@ module Devise
|
|
102
104
|
# and passing a new list of attributes you want to exempt. All attributes
|
103
105
|
# given to :except will simply add names to exempt to Devise internal list.
|
104
106
|
def serializable_hash(options = nil)
|
105
|
-
options
|
107
|
+
options = options.try(:dup) || {}
|
106
108
|
options[:except] = Array(options[:except])
|
107
109
|
|
108
110
|
if options[:force_except]
|
@@ -114,6 +116,15 @@ module Devise
|
|
114
116
|
super(options)
|
115
117
|
end
|
116
118
|
|
119
|
+
# Redefine inspect using serializable_hash, to ensure we don't accidentally
|
120
|
+
# leak passwords into exceptions.
|
121
|
+
def inspect
|
122
|
+
inspection = serializable_hash.collect do |k,v|
|
123
|
+
"#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
|
124
|
+
end
|
125
|
+
"#<#{self.class} #{inspection.join(", ")}>"
|
126
|
+
end
|
127
|
+
|
117
128
|
protected
|
118
129
|
|
119
130
|
def devise_mailer
|
@@ -123,16 +134,18 @@ module Devise
|
|
123
134
|
# This is an internal method called every time Devise needs
|
124
135
|
# to send a notification/mail. This can be overridden if you
|
125
136
|
# need to customize the e-mail delivery logic. For instance,
|
126
|
-
# if you are using a queue to deliver e-mails (
|
127
|
-
# sidekiq, resque, etc), you must add the delivery to the queue
|
137
|
+
# if you are using a queue to deliver e-mails (active job, delayed
|
138
|
+
# job, sidekiq, resque, etc), you must add the delivery to the queue
|
128
139
|
# just after the transaction was committed. To achieve this,
|
129
140
|
# you can override send_devise_notification to store the
|
130
|
-
# deliveries until the after_commit callback is triggered
|
141
|
+
# deliveries until the after_commit callback is triggered.
|
142
|
+
#
|
143
|
+
# The following example uses Active Job's `deliver_later` :
|
131
144
|
#
|
132
145
|
# class User
|
133
146
|
# devise :database_authenticatable, :confirmable
|
134
147
|
#
|
135
|
-
# after_commit :
|
148
|
+
# after_commit :send_pending_devise_notifications
|
136
149
|
#
|
137
150
|
# protected
|
138
151
|
#
|
@@ -141,26 +154,43 @@ module Devise
|
|
141
154
|
# # delivery until the after_commit callback otherwise
|
142
155
|
# # send now because after_commit will not be called.
|
143
156
|
# if new_record? || changed?
|
144
|
-
#
|
157
|
+
# pending_devise_notifications << [notification, args]
|
145
158
|
# else
|
146
|
-
#
|
159
|
+
# render_and_send_devise_message(notification, *args)
|
147
160
|
# end
|
148
161
|
# end
|
149
162
|
#
|
150
|
-
#
|
151
|
-
#
|
152
|
-
#
|
163
|
+
# private
|
164
|
+
#
|
165
|
+
# def send_pending_devise_notifications
|
166
|
+
# pending_devise_notifications.each do |notification, args|
|
167
|
+
# render_and_send_devise_message(notification, *args)
|
153
168
|
# end
|
154
169
|
#
|
155
170
|
# # Empty the pending notifications array because the
|
156
171
|
# # after_commit hook can be called multiple times which
|
157
172
|
# # could cause multiple emails to be sent.
|
158
|
-
#
|
173
|
+
# pending_devise_notifications.clear
|
174
|
+
# end
|
175
|
+
#
|
176
|
+
# def pending_devise_notifications
|
177
|
+
# @pending_devise_notifications ||= []
|
159
178
|
# end
|
160
179
|
#
|
161
|
-
# def
|
162
|
-
#
|
180
|
+
# def render_and_send_devise_message(notification, *args)
|
181
|
+
# message = devise_mailer.send(notification, self, *args)
|
182
|
+
#
|
183
|
+
# # Deliver later with Active Job's `deliver_later`
|
184
|
+
# if message.respond_to?(:deliver_later)
|
185
|
+
# message.deliver_later
|
186
|
+
# # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
|
187
|
+
# elsif message.respond_to?(:deliver_now)
|
188
|
+
# message.deliver_now
|
189
|
+
# else
|
190
|
+
# message.deliver
|
191
|
+
# end
|
163
192
|
# end
|
193
|
+
#
|
164
194
|
# end
|
165
195
|
#
|
166
196
|
def send_devise_notification(notification, *args)
|
@@ -235,7 +265,7 @@ module Devise
|
|
235
265
|
# end
|
236
266
|
#
|
237
267
|
# Finally, notice that Devise also queries for users in other scenarios
|
238
|
-
# besides authentication, for example when retrieving
|
268
|
+
# besides authentication, for example when retrieving a user to send
|
239
269
|
# an e-mail for password reset. In such cases, find_for_authentication
|
240
270
|
# is not called.
|
241
271
|
def find_for_authentication(tainted_conditions)
|
@@ -253,24 +283,20 @@ module Devise
|
|
253
283
|
|
254
284
|
# Find or initialize a record with group of attributes based on a list of required attributes.
|
255
285
|
def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
|
256
|
-
attributes
|
257
|
-
attributes
|
286
|
+
attributes.try(:permit!)
|
287
|
+
attributes = attributes.to_h.with_indifferent_access
|
288
|
+
.slice(*required_attributes)
|
289
|
+
.delete_if { |key, value| value.blank? }
|
258
290
|
|
259
291
|
if attributes.size == required_attributes.size
|
260
|
-
record = find_first_by_auth_conditions(attributes)
|
292
|
+
record = find_first_by_auth_conditions(attributes) and return record
|
261
293
|
end
|
262
294
|
|
263
|
-
|
264
|
-
record = new
|
265
|
-
|
295
|
+
new(devise_parameter_filter.filter(attributes)).tap do |record|
|
266
296
|
required_attributes.each do |key|
|
267
|
-
|
268
|
-
record.send("#{key}=", value)
|
269
|
-
record.errors.add(key, value.present? ? error : :blank)
|
297
|
+
record.errors.add(key, attributes[key].blank? ? :blank : error)
|
270
298
|
end
|
271
299
|
end
|
272
|
-
|
273
|
-
record
|
274
300
|
end
|
275
301
|
|
276
302
|
protected
|