devise 3.5.10 → 4.6.0

data/lib/devise/controllers/rememberable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Controllers
     # A module that may be optionally included in a controller in order
@@ -18,7 +20,7 @@ module Devise
 
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
-        return if env["devise.skip_storage"]
+        return if request.env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

data/lib/devise/controllers/scoped_views.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Controllers
     module ScopedViews

data/lib/devise/controllers/sign_in_out.rb

@@ -1,10 +1,15 @@
+# frozen_string_literal: true
+
 module Devise
   module Controllers
     # Provide sign in and sign out functionality.
     # Included by default in all controllers.
     module SignInOut
       # Return true if the given scope is signed in session. If no scope given, return
-      # true if any scope is signed in. Does not run authentication hooks.
+      # true if any scope is signed in. This will run authentication hooks, which may
+      # cause exceptions to be thrown from this method; if you simply want to check
+      # if a scope has already previously been authenticated without running
+      # authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
       def signed_in?(scope=nil)
         [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)
@@ -12,20 +17,18 @@ module Devise
       end
 
       # Sign in a user that already was authenticated. This helper is useful for logging
-      # users in after sign up.
-      #
-      # All options given to sign_in is passed forward to the set_user method in warden.
-      # The only exception is the :bypass option, which bypass warden callbacks and stores
-      # the user straight in session. This option is useful in cases the user is already
-      # signed in, but we want to refresh the credentials in session.
+      # users in after sign up. All options given to sign_in is passed forward
+      # to the set_user method in warden.
+      # If you are using a custom warden strategy and the timeoutable module, you have to
+      # set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
+      # in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
       #
       # Examples:
       #
       #   sign_in :user, @user                      # sign_in(scope, resource)
       #   sign_in @user                             # sign_in(resource)
-      #   sign_in @user, event: :authentication  # sign_in(resource, options)
-      #   sign_in @user, store: false            # sign_in(resource, options)
-      #   sign_in @user, bypass: true            # sign_in(resource, options)
+      #   sign_in @user, event: :authentication     # sign_in(resource, options)
+      #   sign_in @user, store: false               # sign_in(resource, options)
       #
       def sign_in(resource_or_scope, *args)
         options  = args.extract_options!
@@ -35,6 +38,13 @@ module Devise
         expire_data_after_sign_in!
 
         if options[:bypass]
+          ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc, caller)
+          [Devise] bypass option is deprecated and it will be removed in future version of Devise.
+          Please use bypass_sign_in method instead.
+          Example:
+
+            bypass_sign_in(user)
+          DEPRECATION
           warden.session_serializer.store(resource, scope)
         elsif warden.user(scope) == resource && !options.delete(:force)
           # Do nothing. User already signed in and we are not forcing it.
@@ -44,6 +54,20 @@ module Devise
         end
       end
 
+      # Sign in a user bypassing the warden callbacks and stores the user
+      # straight in session. This option is useful in cases the user is already
+      # signed in, but we want to refresh the credentials in session.
+      #
+      # Examples:
+      #
+      #   bypass_sign_in @user, scope: :user
+      #   bypass_sign_in @user
+      def bypass_sign_in(resource, scope: nil)
+        scope ||= Devise::Mapping.find_scope!(resource)
+        expire_data_after_sign_in!
+        warden.session_serializer.store(resource, scope)
+      end
+
       # Sign out a given user or scope. This helper is useful for signing out a user
       # after deleting accounts. Returns true if there was a logout and false if there
       # is no user logged in on the referred scope
@@ -58,7 +82,6 @@ module Devise
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         user = warden.user(scope: scope, run_callbacks: false) # If there is no user
 
-        warden.raw_session.inspect # Without this inspect here. The session does not clear.
         warden.logout(scope)
         warden.clear_strategies_cache!(scope: scope)
         instance_variable_set(:"@current_#{scope}", nil)

data/lib/devise/controllers/store_location.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "uri"
 
 module Devise
@@ -29,16 +31,13 @@ module Devise
       # Example:
       #
       #   store_location_for(:user, dashboard_path)
-      #   redirect_to user_omniauth_authorize_path(:facebook)
+      #   redirect_to user_facebook_omniauth_authorize_path
       #
       def store_location_for(resource_or_scope, location)
         session_key = stored_location_key_for(resource_or_scope)
-        uri = parse_uri(location)
-        if uri
-          path = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
-          path = [path, uri.fragment].compact.join('#')
-          session[session_key] = path
-        end
+        
+        path = extract_path_from_location(location)
+        session[session_key] = path if path
       end
 
       private
@@ -53,6 +52,25 @@ module Devise
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         "#{scope}_return_to"
       end
+
+      def extract_path_from_location(location)
+        uri = parse_uri(location)
+
+        if uri 
+          path = remove_domain_from_uri(uri)
+          path = add_fragment_back_to_path(uri, path)
+
+          path
+        end
+      end
+
+      def remove_domain_from_uri(uri)
+        [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+      end
+
+      def add_fragment_back_to_path(uri, path)
+        [path, uri.fragment].compact.join('#')
+      end
     end
   end
 end

data/lib/devise/controllers/url_helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Controllers
     # Create url helpers to be used with resource/scope configuration. Acts as

data/lib/devise/delegator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   # Checks the scope in the given environment and returns the associated failure app.
   class Delegator

data/lib/devise/encryptor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'bcrypt'
 
 module Devise
@@ -9,14 +11,14 @@ module Devise
       ::BCrypt::Password.create(password, cost: klass.stretches).to_s
     end
 
-    def self.compare(klass, encrypted_password, password)
-      return false if encrypted_password.blank?
-      bcrypt   = ::BCrypt::Password.new(encrypted_password)
+    def self.compare(klass, hashed_password, password)
+      return false if hashed_password.blank?
+      bcrypt   = ::BCrypt::Password.new(hashed_password)
       if klass.pepper.present?
         password = "#{password}#{klass.pepper}"
       end
       password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
-      Devise.secure_compare(password, encrypted_password)
+      Devise.secure_compare(password, hashed_password)
     end
   end
 end

data/lib/devise/failure_app.rb

@@ -1,12 +1,13 @@
+# frozen_string_literal: true
+
 require "action_controller/metal"
 
 module Devise
   # Failure application that will be called every time :warden is thrown from
-  # any strategy or hook. Responsible for redirect the user to the sign in
-  # page based on current scope and mapping. If no scope is given, redirect
-  # to the default_url.
+  # any strategy or hook. It is responsible for redirecting the user to the sign
+  # in page based on current scope and mapping. If no scope is given, it
+  # redirects to the default_url.
   class FailureApp < ActionController::Metal
-    include ActionController::RackDelegation
     include ActionController::UrlFor
     include ActionController::Redirecting
 
@@ -22,7 +23,7 @@ module Devise
       @respond.call(env)
     end
 
-    # Try retrieving the URL options from the parent controller (usually 
+    # Try retrieving the URL options from the parent controller (usually
     # ApplicationController). Instance methods are not supported at the moment,
     # so only the class-level attribute is used.
     def self.default_url_options(*args)
@@ -51,20 +52,27 @@ module Devise
     end
 
     def recall
-      config = Rails.application.config
-
-      if config.try(:relative_url_root)
-        base_path = Pathname.new(config.relative_url_root)
+      header_info = if relative_url_root?
+        base_path = Pathname.new(relative_url_root)
         full_path = Pathname.new(attempted_path)
 
-        env["SCRIPT_NAME"] = config.relative_url_root
-        env["PATH_INFO"] = '/' + full_path.relative_path_from(base_path).to_s
+        { "SCRIPT_NAME" => relative_url_root,
+          "PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
       else
-        env["PATH_INFO"]  = attempted_path
+        { "PATH_INFO" => attempted_path }
+      end
+
+      header_info.each do | var, value|
+        if request.respond_to?(:set_header)
+          request.set_header(var, value)
+        else
+          request.env[var]  = value
+        end
       end
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
-      self.response = recall_app(warden_options[:recall]).call(env)
+      # self.response = recall_app(warden_options[:recall]).call(env)
+      self.response = recall_app(warden_options[:recall]).call(request.env)
     end
 
     def redirect
@@ -95,7 +103,7 @@ module Devise
         options[:scope] = "devise.failure"
         options[:default] = [message]
         auth_keys = scope_class.authentication_keys
-        keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 
@@ -127,23 +135,29 @@ module Devise
 
     def scope_url
       opts  = {}
-      route = route(scope)
-      opts[:format] = request_format unless skip_format?
 
-      config = Rails.application.config
+      # Initialize script_name with nil to prevent infinite loops in
+      # authenticated mounted engines in rails 4.2 and 5.0
+      opts[:script_name] = nil
 
-      # Rails 4.2 goes into an infinite loop if opts[:script_name] is unset
-      if (Rails::VERSION::MAJOR >= 4) && (Rails::VERSION::MINOR >= 2)
-        opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))
-      else
-        if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
-          opts[:script_name] = config.relative_url_root
-        end
-      end
+      route = route(scope)
+
+      opts[:format] = request_format unless skip_format?
 
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
 
+      if relative_url_root?
+        opts[:script_name] = relative_url_root
+
+      # We need to add the rootpath to `script_name` manually for applications that use a Rails
+      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      elsif root_path_defined?(context) && rails_5_and_down?
+        rootpath = context.routes.url_helpers.root_path
+        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
+      end
+
       if context.respond_to?(route)
         context.send(route, opts)
       elsif respond_to?(:root_url)
@@ -157,12 +171,12 @@ module Devise
       %w(html */*).include? request_format.to_s
     end
 
-    # Choose whether we should respond in a http authentication fashion,
+    # Choose whether we should respond in an HTTP authentication fashion,
     # including 401 and optional headers.
     #
-    # This method allows the user to explicitly disable http authentication
-    # on ajax requests in case they want to redirect on failures instead of
-    # handling the errors on their own. This is useful in case your ajax API
+    # This method allows the user to explicitly disable HTTP authentication
+    # on AJAX requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your AJAX API
     # is the same as your public API and uses a format like JSON (so you
     # cannot mark JSON as a navigational format).
     def http_auth?
@@ -173,7 +187,7 @@ module Devise
       end
     end
 
-    # It does not make sense to send authenticate headers in ajax requests
+    # It doesn't make sense to send authenticate headers in AJAX requests
     # or if the user disabled them.
     def http_auth_header?
       scope_class.http_authenticatable && !request.xhr?
@@ -199,11 +213,11 @@ module Devise
     end
 
     def warden
-      env['warden']
+      request.respond_to?(:get_header) ? request.get_header("warden") : request.env["warden"]
     end
 
     def warden_options
-      env['warden.options']
+      request.respond_to?(:get_header) ? request.get_header("warden.options") : request.env["warden.options"]
     end
 
     def warden_message
@@ -222,10 +236,10 @@ module Devise
       warden_options[:attempted_path]
     end
 
-    # Stores requested uri to redirect the user after signing in. We cannot use
-    # scoped session provided by warden here, since the user is not authenticated
-    # yet, but we still need to store the uri based on scope, so different scopes
-    # would never use the same uri to redirect.
+    # Stores requested URI to redirect the user after signing in. We can't use
+    # the scoped session provided by warden here, since the user is not
+    # authenticated yet, but we still need to store the URI based on scope, so
+    # different scopes would never use the same URI to redirect.
     def store_location!
       store_location_for(scope, attempted_path) if request.get? && !http_auth?
     end
@@ -237,11 +251,41 @@ module Devise
     # Check if flash messages should be emitted. Default is to do it on
     # navigational formats
     def is_flashing_format?
-      is_navigational_format?
+      request.respond_to?(:flash) && is_navigational_format?
     end
 
     def request_format
       @request_format ||= request.format.try(:ref)
     end
+
+    def relative_url_root
+      @relative_url_root ||= begin
+        config = Rails.application.config
+
+        config.try(:relative_url_root) || config.action_controller.try(:relative_url_root)
+      end
+    end
+
+    def relative_url_root?
+      relative_url_root.present?
+    end
+
+    ActiveSupport.run_load_hooks(:devise_failure_app, self)
+
+    private
+
+    def root_path_defined?(context)
+      defined?(context.routes) && context.routes.url_helpers.root_path.present?
+    end
+
+    def rails_5_and_down?
+      return false if rails_5_up?
+
+      Rails::VERSION::MAJOR >= 4
+    end
+
+    def rails_5_up?
+      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    end
   end
 end

data/lib/devise/hooks/activatable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Deny user access whenever their account is not active yet.
 # We need this as hook to validate the user activity on each request
 # and in case the user is using other strategies beside Devise ones.

data/lib/devise/hooks/csrf_cleaner.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_authentication do |record, warden, options|
   clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
     warden.winning_strategy.clean_up_csrf?

data/lib/devise/hooks/forgetable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Before logout hook to forget the user in the given scope, if it responds
 # to forget_me! Also clear remember token to ensure the user won't be
 # remembered again. Notice that we forget the user unless the record is not persisted.

data/lib/devise/hooks/lockable.rb

@@ -1,7 +1,12 @@
+# frozen_string_literal: true
+
 # After each sign in, if resource responds to failed_attempts, sets it to 0
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
+    unless record.failed_attempts.to_i.zero?
+      record.failed_attempts = 0
+      record.save(validate: false)
+    end
   end
 end

data/lib/devise/hooks/proxy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Hooks
     # A small warden proxy so we can remember, forget and
@@ -7,7 +9,7 @@ module Devise
       include Devise::Controllers::SignInOut
 
       attr_reader :warden
-      delegate :cookies, :env, to: :warden
+      delegate :cookies, :request, to: :warden
 
       def initialize(warden)
         @warden = warden

data/lib/devise/hooks/rememberable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   scope = options[:scope]
   if record.respond_to?(:remember_me) && options[:store] != false &&

data/lib/devise/hooks/timeoutable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Each time a record is set we check whether its session has already timed out
 # or not, based on last request time. If so, the record is logged out and
 # redirected to the sign in page. Also, each time the request comes and the

data/lib/devise/hooks/trackable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # After each sign in, update sign in time, sign in count and sign in IP.
 # This is only triggered when the user is explicitly set (with set_user)
 # and on authentication. Retrieving the user from session (:fetch) does

data/lib/devise/mailers/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Mailers
     module Helpers
@@ -5,15 +7,16 @@ module Devise
 
       included do
         include Devise::Controllers::ScopedViews
-        attr_reader :scope_name, :resource
       end
 
       protected
 
+      attr_reader :scope_name, :resource
+
       # Configure default email options
-      def devise_mail(record, action, opts={})
+      def devise_mail(record, action, opts = {}, &block)
         initialize_from_record(record)
-        mail headers_for(action, opts)
+        mail headers_for(action, opts), &block
       end
 
       def initialize_from_record(record)
@@ -64,7 +67,7 @@ module Devise
         template_path
       end
 
-      # Setup a subject doing an I18n lookup. At first, it attempts to set a subject
+      # Set up a subject doing an I18n lookup. At first, it attempts to set a subject
       # based on the current mapping:
       #
       #   en:

data/lib/devise/mapping.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   # Responsible for handling devise mappings and routes configuration. Each
   # resource configured by devise_for in routes is actually creating a mapping

data/lib/devise/models/authenticatable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
@@ -102,7 +104,7 @@ module Devise
       # and passing a new list of attributes you want to exempt. All attributes
       # given to :except will simply add names to exempt to Devise internal list.
       def serializable_hash(options = nil)
-        options ||= {}
+        options = options.try(:dup) || {}
         options[:except] = Array(options[:except])
 
         if options[:force_except]
@@ -114,6 +116,15 @@ module Devise
         super(options)
       end
 
+      # Redefine inspect using serializable_hash, to ensure we don't accidentally
+      # leak passwords into exceptions.
+      def inspect
+        inspection = serializable_hash.collect do |k,v|
+          "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
+        end
+        "#<#{self.class} #{inspection.join(", ")}>"
+      end
+
       protected
 
       def devise_mailer
@@ -123,16 +134,18 @@ module Devise
       # This is an internal method called every time Devise needs
       # to send a notification/mail. This can be overridden if you
       # need to customize the e-mail delivery logic. For instance,
-      # if you are using a queue to deliver e-mails (delayed job,
-      # sidekiq, resque, etc), you must add the delivery to the queue
+      # if you are using a queue to deliver e-mails (active job, delayed
+      # job, sidekiq, resque, etc), you must add the delivery to the queue
       # just after the transaction was committed. To achieve this,
       # you can override send_devise_notification to store the
-      # deliveries until the after_commit callback is triggered:
+      # deliveries until the after_commit callback is triggered.
+      #
+      # The following example uses Active Job's `deliver_later` :
       #
       #     class User
       #       devise :database_authenticatable, :confirmable
       #
-      #       after_commit :send_pending_notifications
+      #       after_commit :send_pending_devise_notifications
       #
       #       protected
       #
@@ -141,26 +154,43 @@ module Devise
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
       #         if new_record? || changed?
-      #           pending_notifications << [notification, args]
+      #           pending_devise_notifications << [notification, args]
       #         else
-      #           devise_mailer.send(notification, self, *args).deliver
+      #           render_and_send_devise_message(notification, *args)
       #         end
       #       end
       #
-      #       def send_pending_notifications
-      #         pending_notifications.each do |notification, args|
-      #           devise_mailer.send(notification, self, *args).deliver
+      #       private
+      #
+      #       def send_pending_devise_notifications
+      #         pending_devise_notifications.each do |notification, args|
+      #           render_and_send_devise_message(notification, *args)
       #         end
       #
       #         # Empty the pending notifications array because the
       #         # after_commit hook can be called multiple times which
       #         # could cause multiple emails to be sent.
-      #         pending_notifications.clear
+      #         pending_devise_notifications.clear
+      #       end
+      #
+      #       def pending_devise_notifications
+      #         @pending_devise_notifications ||= []
       #       end
       #
-      #       def pending_notifications
-      #         @pending_notifications ||= []
+      #       def render_and_send_devise_message(notification, *args)
+      #         message = devise_mailer.send(notification, self, *args)
+      #
+      #         # Deliver later with Active Job's `deliver_later`
+      #         if message.respond_to?(:deliver_later)
+      #           message.deliver_later
+      #         # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
+      #         elsif message.respond_to?(:deliver_now)
+      #           message.deliver_now
+      #         else
+      #           message.deliver
+      #         end
       #       end
+      #
       #     end
       #
       def send_devise_notification(notification, *args)
@@ -235,7 +265,7 @@ module Devise
         #   end
         #
         # Finally, notice that Devise also queries for users in other scenarios
-        # besides authentication, for example when retrieving an user to send
+        # besides authentication, for example when retrieving a user to send
         # an e-mail for password reset. In such cases, find_for_authentication
         # is not called.
         def find_for_authentication(tainted_conditions)
@@ -253,24 +283,20 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = attributes.slice(*required_attributes).with_indifferent_access
-          attributes.delete_if { |key, value| value.blank? }
+          attributes.try(:permit!)
+          attributes = attributes.to_h.with_indifferent_access
+                                 .slice(*required_attributes)
+                                 .delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = find_first_by_auth_conditions(attributes)
+            record = find_first_by_auth_conditions(attributes) and return record
           end
 
-          unless record
-            record = new
-
+          new(devise_parameter_filter.filter(attributes)).tap do |record|
             required_attributes.each do |key|
-              value = attributes[key]
-              record.send("#{key}=", value)
-              record.errors.add(key, value.present? ? error : :blank)
+              record.errors.add(key, attributes[key].blank? ? :blank : error)
             end
           end
-
-          record
         end
 
         protected