devise 3.5.2 → 4.7.1

data/lib/generators/active_record/devise_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails/generators/active_record'
 require 'generators/devise/orm_helpers'
 
@@ -6,14 +8,16 @@ module ActiveRecord
     class DeviseGenerator < ActiveRecord::Generators::Base
       argument :attributes, type: :array, default: [], banner: "field:type field:type"
 
+      class_option :primary_key_type, type: :string, desc: "The type for primary key"
+
       include Devise::Generators::OrmHelpers
       source_root File.expand_path("../templates", __FILE__)
 
       def copy_devise_migration
         if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
-          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}.rb"
+          migration_template "migration_existing.rb", "#{migration_path}/add_devise_to_#{table_name}.rb", migration_version: migration_version
         else
-          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}.rb"
+          migration_template "migration.rb", "#{migration_path}/devise_create_#{table_name}.rb", migration_version: migration_version
         end
       end
 
@@ -50,11 +54,11 @@ module ActiveRecord
       t.datetime :remember_created_at
 
       ## Trackable
-      t.integer  :sign_in_count, default: 0, null: false
-      t.datetime :current_sign_in_at
-      t.datetime :last_sign_in_at
-      t.#{ip_column} :current_sign_in_ip
-      t.#{ip_column} :last_sign_in_ip
+      # t.integer  :sign_in_count, default: 0, null: false
+      # t.datetime :current_sign_in_at
+      # t.datetime :last_sign_in_at
+      # t.#{ip_column} :current_sign_in_ip
+      # t.#{ip_column} :last_sign_in_ip
 
       ## Confirmable
       # t.string   :confirmation_token
@@ -75,17 +79,32 @@ RUBY
       end
 
       def inet?
-        rails4? && postgresql?
+        postgresql?
       end
 
-      def rails4?
-        Rails.version.start_with? '4'
+      def rails5_and_up?
+        Rails::VERSION::MAJOR >= 5
       end
 
       def postgresql?
         config = ActiveRecord::Base.configurations[Rails.env]
         config && config['adapter'] == 'postgresql'
       end
+
+     def migration_version
+       if rails5_and_up?
+         "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+       end
+     end
+
+     def primary_key_type
+       primary_key_string if rails5_and_up?
+     end
+
+     def primary_key_string
+       key_string = options[:primary_key_type]
+       ", id: :#{key_string}" if key_string
+     end
     end
   end
 end

data/lib/generators/active_record/templates/migration.rb

@@ -1,6 +1,8 @@
-class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration<%= migration_version %>
   def change
-    create_table(:<%= table_name %>) do |t|
+    create_table :<%= table_name %><%= primary_key_type %> do |t|
 <%= migration_data -%>
 
 <% attributes.each do |attribute| -%>

data/lib/generators/active_record/templates/migration_existing.rb

@@ -1,6 +1,8 @@
-class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
+# frozen_string_literal: true
+
+class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration<%= migration_version %>
   def self.up
-    change_table(:<%= table_name %>) do |t|
+    change_table :<%= table_name %> do |t|
 <%= migration_data -%>
 
 <% attributes.each do |attribute| -%>

data/lib/generators/devise/controllers_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails/generators/base'
 
 module Devise
@@ -16,7 +18,7 @@ module Devise
 
         This will create a controller class at app/controllers/users/sessions_controller.rb like this:
 
-          class Users::ConfirmationsController < Devise::ConfirmationsController
+          class Users::SessionsController < Devise::SessionsController
             content...
           end
       DESC

data/lib/generators/devise/devise_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails/generators/named_base'
 
 module Devise
@@ -8,7 +10,7 @@ module Devise
       namespace "devise"
       source_root File.expand_path("../templates", __FILE__)
 
-      desc "Generates a model with the given NAME (if one does not exist) with devise " <<
+      desc "Generates a model with the given NAME (if one does not exist) with devise " \
            "configuration plus a migration file and devise routes."
 
       hook_for :orm
@@ -16,7 +18,7 @@ module Devise
       class_option :routes, desc: "Generate routes", type: :boolean, default: true
 
       def add_devise_routes
-        devise_route  = "devise_for :#{plural_name}"
+        devise_route  = "devise_for :#{plural_name}".dup
         devise_route << %Q(, class_name: "#{class_name}") if class_name.include?("::")
         devise_route << %Q(, skip: :all) unless options.routes?
         route devise_route

data/lib/generators/devise/install_generator.rb

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
+
 require 'rails/generators/base'
 require 'securerandom'
 
 module Devise
   module Generators
+    MissingORMError = Class.new(Thor::Error)
+
     class InstallGenerator < Rails::Generators::Base
       source_root File.expand_path("../../templates", __FILE__)
 
@@ -10,6 +14,19 @@ module Devise
       class_option :orm
 
       def copy_initializer
+        unless options[:orm]
+          raise MissingORMError, <<-ERROR.strip_heredoc
+          An ORM must be set to install Devise in your application.
+
+          Be sure to have an ORM like Active Record or Mongoid loaded in your
+          app or configure your own at `config/application.rb`.
+
+            config.generators do |g|
+              g.orm :your_orm_gem
+            end
+          ERROR
+        end
+
         template "devise.rb", "config/initializers/devise.rb"
       end
 

data/lib/generators/devise/orm_helpers.rb

@@ -1,38 +1,23 @@
+# frozen_string_literal: true
+
 module Devise
   module Generators
     module OrmHelpers
       def model_contents
         buffer = <<-CONTENT
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
-
-CONTENT
-        buffer += <<-CONTENT if needs_attr_accessible?
-  # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me
+         :recoverable, :rememberable, :validatable
 
 CONTENT
         buffer
       end
 
-      def needs_attr_accessible?
-        rails_3? && !strong_parameters_enabled?
-      end
-
-      def rails_3?
-        Rails::VERSION::MAJOR == 3
-      end
-
-      def strong_parameters_enabled?
-        defined?(ActionController::StrongParameters)
-      end
-
       private
 
       def model_exists?
-        File.exists?(File.join(destination_root, model_path))
+        File.exist?(File.join(destination_root, model_path))
       end
 
       def migration_exists?(table_name)
@@ -40,7 +25,11 @@ CONTENT
       end
 
       def migration_path
-        @migration_path ||= File.join("db", "migrate")
+        if Rails.version >= '5.0.3'
+          db_migrate_path
+        else
+          @migration_path ||= File.join("db", "migrate")
+        end
       end
 
       def model_path

data/lib/generators/devise/views_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails/generators/base'
 
 module Devise
@@ -21,13 +23,6 @@ module Devise
         public_task :copy_views
       end
 
-      # TODO: Add this to Rails itself
-      module ClassMethods
-        def hide!
-          Rails::Generators.hide_namespace self.namespace
-        end
-      end
-
       def copy_views
         if options[:views]
           options[:views].each do |directory|
@@ -47,7 +42,7 @@ module Devise
       def view_directory(name, _target_path = nil)
         directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
           if scope
-            content.gsub "devise/shared/links", "#{scope}/shared/links"
+            content.gsub "devise/shared/links", "#{plural_scope}/shared/links"
           else
             content
           end
@@ -55,7 +50,11 @@ module Devise
       end
 
       def target_path
-        @target_path ||= "app/views/#{scope || :devise}"
+        @target_path ||= "app/views/#{plural_scope || :devise}"
+      end
+
+      def plural_scope
+        @plural_scope ||= scope.presence && scope.underscore.pluralize
       end
     end
 
@@ -83,6 +82,13 @@ module Devise
       source_root File.expand_path("../../templates/simple_form_for", __FILE__)
       desc "Copies simple form enabled views to your application."
       hide!
+
+      def copy_views
+        if options[:views]
+          options[:views].delete('mailer')
+        end
+        super
+      end
     end
 
     class ErbGenerator < Rails::Generators::Base #:nodoc:
@@ -111,7 +117,7 @@ module Devise
       end
 
       def target_path
-        "app/views/#{scope || :devise}/mailer"
+        "app/views/#{plural_scope || :devise}/mailer"
       end
     end
 
@@ -128,7 +134,11 @@ module Devise
                               default: defined?(SimpleForm) ? "simple_form_for" : "form_for"
 
       hook_for :markerb,  desc: "Generate markerb instead of erb mail views",
-                          default: defined?(Markerb) ? :markerb : :erb,
+                          default: defined?(Markerb),
+                          type: :boolean
+
+      hook_for :erb,      desc: "Generate erb mail views",
+                          default: !defined?(Markerb),
                           type: :boolean
     end
   end

data/lib/generators/mongoid/devise_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails/generators/named_base'
 require 'generators/devise/orm_helpers'
 
@@ -32,11 +34,11 @@ module Mongoid
   field :remember_created_at, type: Time
 
   ## Trackable
-  field :sign_in_count,      type: Integer, default: 0
-  field :current_sign_in_at, type: Time
-  field :last_sign_in_at,    type: Time
-  field :current_sign_in_ip, type: String
-  field :last_sign_in_ip,    type: String
+  # field :sign_in_count,      type: Integer, default: 0
+  # field :current_sign_in_at, type: Time
+  # field :last_sign_in_at,    type: Time
+  # field :current_sign_in_ip, type: String
+  # field :last_sign_in_ip,    type: String
 
   ## Confirmable
   # field :confirmation_token,   type: String

data/lib/generators/templates/README

@@ -21,14 +21,7 @@ Some setup you must do manually if you haven't yet:
        <p class="notice"><%= notice %></p>
        <p class="alert"><%= alert %></p>
 
-  4. If you are deploying on Heroku with Rails 3.2 only, you may want to set:
-
-       config.assets.initialize_on_precompile = false
-
-     On config/application.rb forcing your application to not access the DB
-     or load models when precompiling your assets.
-
-  5. You can copy Devise views (for customization) to your app by running:
+  4. You can copy Devise views (for customization) to your app by running:
 
        rails g devise:views
 

data/lib/generators/templates/controllers/confirmations_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>ConfirmationsController < Devise::ConfirmationsController
   # GET /resource/confirmation/new
   # def new

data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>OmniauthCallbacksController < Devise::OmniauthCallbacksController
   # You should configure your model like this:
   # devise :omniauthable, omniauth_providers: [:twitter]

data/lib/generators/templates/controllers/passwords_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>PasswordsController < Devise::PasswordsController
   # GET /resource/password/new
   # def new

data/lib/generators/templates/controllers/registrations_controller.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsController
-# before_filter :configure_sign_up_params, only: [:create]
-# before_filter :configure_account_update_params, only: [:update]
+  # before_action :configure_sign_up_params, only: [:create]
+  # before_action :configure_account_update_params, only: [:update]
 
   # GET /resource/sign_up
   # def new
@@ -40,12 +42,12 @@ class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsControl
 
   # If you have extra params to permit, append them to the sanitizer.
   # def configure_sign_up_params
-  #   devise_parameter_sanitizer.for(:sign_up) << :attribute
+  #   devise_parameter_sanitizer.permit(:sign_up, keys: [:attribute])
   # end
 
   # If you have extra params to permit, append them to the sanitizer.
   # def configure_account_update_params
-  #   devise_parameter_sanitizer.for(:account_update) << :attribute
+  #   devise_parameter_sanitizer.permit(:account_update, keys: [:attribute])
   # end
 
   # The path used after sign up.

data/lib/generators/templates/controllers/sessions_controller.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>SessionsController < Devise::SessionsController
-# before_filter :configure_sign_in_params, only: [:create]
+  # before_action :configure_sign_in_params, only: [:create]
 
   # GET /resource/sign_in
   # def new
@@ -20,6 +22,6 @@ class <%= @scope_prefix %>SessionsController < Devise::SessionsController
 
   # If you have extra params to permit, append them to the sanitizer.
   # def configure_sign_in_params
-  #   devise_parameter_sanitizer.for(:sign_in) << :attribute
+  #   devise_parameter_sanitizer.permit(:sign_in, keys: [:attribute])
   # end
 end

data/lib/generators/templates/controllers/unlocks_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class <%= @scope_prefix %>UnlocksController < Devise::UnlocksController
   # GET /resource/unlock/new
   # def new

data/lib/generators/templates/devise.rb

@@ -1,16 +1,18 @@
+# frozen_string_literal: true
+
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
-  # Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`
+  # Devise will use the `secret_key_base` as its `secret_key`
   # by default. You can change it below and use your own secret key.
-<% if rails_4? -%>
   # config.secret_key = '<%= SecureRandom.hex(64) %>'
-<% else -%>
-  config.secret_key = '<%= SecureRandom.hex(64) %>'
-<% end -%>
+
+  # ==> Controller configuration
+  # Configure the parent class to the devise controllers.
+  # config.parent_controller = 'DeviseController'
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
@@ -21,6 +23,9 @@ Devise.setup do |config|
   # Configure the class responsible to send e-mails.
   # config.mailer = 'Devise::Mailer'
 
+  # Configure the parent class responsible to send e-mails.
+  # config.parent_mailer = 'ActionMailer::Base'
+
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
@@ -91,26 +96,41 @@ Devise.setup do |config|
   # from the server. You can disable this option at your own risk.
   # config.clean_up_csrf_token_on_authentication = true
 
+  # When false, Devise will not attempt to reload routes on eager load.
+  # This can reduce the time taken to boot the app but if your application
+  # requires the Devise mappings to be loaded during boot time the application
+  # won't boot properly.
+  # config.reload_routes = true
+
   # ==> Configuration for :database_authenticatable
-  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
-  # using other encryptors, it sets how many times you want the password re-encrypted.
+  # For bcrypt, this is the cost for hashing the password and defaults to 11. If
+  # using other algorithms, it sets how many times you want the password to be hashed.
   #
   # Limiting the stretches to just one in testing will increase the performance of
   # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
   # a value less than 10 in other environments. Note that, for bcrypt (the default
-  # encryptor), the cost increases exponentially with the number of stretches (e.g.
+  # algorithm), the cost increases exponentially with the number of stretches (e.g.
   # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
-  config.stretches = Rails.env.test? ? 1 : 10
+  config.stretches = Rails.env.test? ? 1 : 11
 
-  # Setup a pepper to generate the encrypted password.
+  # Set up a pepper to generate the hashed password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'
 
+  # Send a notification to the original email when the user's email is changed.
+  # config.send_email_changed_notification = false
+
+  # Send a notification email when the user's password is changed.
+  # config.send_password_change_notification = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be
   # able to access the website for two days without confirming their account,
-  # access will be blocked just in the third day. Default is 0.days, meaning
-  # the user cannot access the website without confirming their account.
+  # access will be blocked just in the third day.
+  # You can also set it to nil, which will allow the user to access the website
+  # without confirming their account.
+  # Default is 0.days, meaning the user cannot access the website without
+  # confirming their account.
   # config.allow_unconfirmed_access_for = 2.days
 
   # A period that the user is allowed to confirm their account before their
@@ -146,12 +166,12 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..72
+  config.password_length = 6..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
@@ -199,11 +219,11 @@ Devise.setup do |config|
   # config.sign_in_after_reset_password = true
 
   # ==> Configuration for :encryptable
-  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
-  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
-  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
-  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper).
+  # Allow you to use another hashing or encryption algorithm besides bcrypt (default).
+  # You can use :sha1, :sha512 or algorithms from others authentication tools as
+  # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20
+  # for default behavior) and :restful_authentication_sha1 (then you should set
+  # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).
   #
   # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
@@ -263,4 +283,17 @@ Devise.setup do |config|
   # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
+
+  # ==> Turbolinks configuration
+  # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:
+  #
+  # ActiveSupport.on_load(:devise_failure_app) do
+  #   include Turbolinks::Controller
+  # end
+
+  # ==> Configuration for :registerable
+
+  # When set to false, does not sign a user in automatically after their password is
+  # changed. Defaults to true, so a user is signed in automatically after changing a password.
+  # config.sign_in_after_change_password = true
 end

data/lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -2,4 +2,4 @@ Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %>
+[Confirm my account](<%= confirmation_url(@resource, confirmation_token: @token) %>)

data/lib/generators/templates/markerb/email_changed.markerb

@@ -0,0 +1,7 @@
+Hello <%= @email %>!
+
+<% if @resource.try(:unconfirmed_email?) %>
+We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.
+<% else %>
+We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
+<% end %>

data/lib/generators/templates/markerb/password_change.markerb

@@ -0,0 +1,3 @@
+Hello <%= @resource.email %>!
+
+We're contacting you to notify you that your password has been changed.

data/lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -2,7 +2,7 @@ Hello <%= @resource.email %>!
 
 Someone has requested a link to change your password, and you can do this through the link below.
 
-<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
+[Change my password](<%= edit_password_url(@resource, reset_password_token: @token) %>)
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

data/lib/generators/templates/markerb/unlock_instructions.markerb

@@ -4,4 +4,4 @@ Your account has been locked due to an excessive number of unsuccessful sign in
 
 Click the link below to unlock your account:
 
-<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>
+[Unlock my account](<%= unlock_url(@resource, unlock_token: @token) %>)

data/lib/generators/templates/simple_form_for/confirmations/new.html.erb

@@ -5,7 +5,11 @@
   <%= f.full_error :confirmation_token %>
 
   <div class="form-inputs">
-    <%= f.input :email, required: true, autofocus: true %>
+    <%= f.input :email,
+                required: true,
+                autofocus: true,
+                value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email),
+                input_html: { autocomplete: "email" } %>
   </div>
 
   <div class="form-actions">

data/lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -7,8 +7,16 @@
   <%= f.full_error :reset_password_token %>
 
   <div class="form-inputs">
-    <%= f.input :password, label: "New password", required: true, autofocus: true, hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length) %>
-    <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
+    <%= f.input :password,
+                label: "New password",
+                required: true,
+                autofocus: true,
+                hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length),
+                input_html: { autocomplete: "new-password" } %>
+    <%= f.input :password_confirmation,
+                label: "Confirm your new password",
+                required: true,
+                input_html: { autocomplete: "new-password" } %>
   </div>
 
   <div class="form-actions">

data/lib/generators/templates/simple_form_for/passwords/new.html.erb

@@ -4,7 +4,10 @@
   <%= f.error_notification %>
 
   <div class="form-inputs">
-    <%= f.input :email, required: true, autofocus: true %>
+    <%= f.input :email,
+                required: true,
+                autofocus: true,
+                input_html: { autocomplete: "email" } %>
   </div>
 
   <div class="form-actions">

data/lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -10,9 +10,17 @@
       <p>Currently waiting confirmation for: <%= resource.unconfirmed_email %></p>
     <% end %>
 
-    <%= f.input :password, autocomplete: "off", hint: "leave it blank if you don't want to change it", required: false %>
-    <%= f.input :password_confirmation, required: false %>
-    <%= f.input :current_password, hint: "we need your current password to confirm your changes", required: true %>
+    <%= f.input :password,
+                hint: "leave it blank if you don't want to change it",
+                required: false,
+                input_html: { autocomplete: "new-password" } %>
+    <%= f.input :password_confirmation,
+                required: false,
+                input_html: { autocomplete: "new-password" } %>
+    <%= f.input :current_password,
+                hint: "we need your current password to confirm your changes",
+                required: true,
+                input_html: { autocomplete: "current-password" } %>
   </div>
 
   <div class="form-actions">