devise 3.5.3 → 3.5.4


Potentially problematic release.


This version of devise might be problematic. Click here for more details.

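--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 1258976e4bec4149281c7764cf903ced83632766
- data.tar.gz: 57096bdcca6de6c67b0fa26aee8251c446571c39
+ metadata.gz: 9fccc712f1172a24059ea6eecaac413826ee4649
+ data.tar.gz: 45c064fa92694a40afd07cdde2693de20e6107ba
  SHA512:
- metadata.gz: e3839e95f5c831805b43974ef72f7e6beca86d37c6c0177dec83ae5e8cc6ebcc5922da78cc505f413157ecdb0ed8b56c3c3499c061743a6ac25708e473ec035c
- data.tar.gz: 59eb1f8398ddf1f4bd05a493a6ff4e41fb3f3580d0f3b143ffefed385b435fd3f521b1aaaaf0e8eee97838a1bc81d992081597738c743becfc4b651aa051b97f
+ metadata.gz: 4b1abbe976486c5e9d4d3b9fb5cf0199c1d368e9a7fb9dbdbc83f0bf78f073e872144586ed2e0f0030759748be7323ed85ecf6388976c0405e7ae6fd99c5611b
+ data.tar.gz: f0eab35d48d39204adf29baf9bf5938bc85c8369ba27cacfe239051a6b8f15783f00f8cad2ceb443e2149c09fcc2754f464592ccee456f78a96ad1465b773f5f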
@@ -1,4 +1,7 @@
1
- ### Unreleased
1
+ ### 3.5.4 - 2016-18-01
2
+
3
+ * bug fixes
4
+ * Store creation timestamps on remember cookies
2
5
 
3
6
  ### 3.5.3 - 2015-12-10
4
7
 
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- devise (3.5.3)
4
+ devise (3.5.4)
5
5
  bcrypt (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -139,8 +139,8 @@ GEM
139
139
  thor (>= 0.18.1, < 2.0)
140
140
  rake (10.4.2)
141
141
  rdoc (4.2.0)
142
- responders (2.1.0)
143
- railties (>= 4.2.0, < 5)
142
+ responders (2.1.1)
143
+ railties (>= 4.2.0, < 5.1)
144
144
  ruby-openid (2.7.0)
145
145
  sprockets (3.2.0)
146
146
  rack (~> 1.0)
@@ -180,4 +180,4 @@ DEPENDENCIES
180
180
  webrat (= 0.7.3)
181
181
 
182
182
  BUNDLED WITH
183
- 1.10.6
183
+ 1.11.2
@@ -116,6 +116,7 @@ module Devise
116
116
  mattr_accessor :remember_for
117
117
  @@remember_for = 2.weeks
118
118
 
119
+ # TODO: extend_remember_period is no longer used
119
120
  # If true, extends the user's remember period when remembered via cookie.
120
121
  mattr_accessor :extend_remember_period
121
122
  @@extend_remember_period = false
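Review bot: The new TODO sits directly above a doc comment that still reads "If true, extends the user's remember period when remembered via cookie", so the setting stays documented as effective while this release stops passing it to `remember_me!`. An application that sets it gets no signal that the value is ignored. I would replace both comment lines with a single one, for example `# Deprecated: extend_remember_period is no longer read; setting it has no effect.`. The same TODO is repeated above the `Devise::Models.config` call in the Rememberable model hunk further down.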
@@ -13,7 +13,7 @@ module Devise
13
13
  def remember_me(resource)
14
14
  return if env["devise.skip_storage"]
15
15
  scope = Devise::Mapping.find_scope!(resource)
16
- resource.remember_me!(resource.extend_remember_period)
16
+ resource.remember_me!
17
17
  cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)
18
18
  end
19
19
 
@@ -254,7 +254,7 @@ module Devise
254
254
  end
255
255
 
256
256
  def postpone_email_change?
257
- postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
257
+ postpone = self.class.reconfirmable && email_changed? && email_was.present? && !@bypass_confirmation_postpone && self.email.present?
258
258
  @bypass_confirmation_postpone = false
259
259
  postpone
260
260
  end
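Review bot: The added `email_was.present?` condition in `postpone_email_change?` skips reconfirmation for every change whose previous e-mail was blank, not only for the create-with-`#save`-in-callback case that the new tests exercise. If a persisted record can exist without an address, giving it one would, as far as this hunk shows, store the new address without going through the confirmation step. A comment stating the intent, such as `# No previous address means there is nothing to re-confirm (covers #save inside after_create).`, and a test for a persisted record with a blank previous e-mail would pin down which behaviour is wanted.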
@@ -83,7 +83,7 @@ module Devise
83
83
  # reset_password_period_valid? # will always return false
84
84
  #
85
85
  def reset_password_period_valid?
86
- reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
86
+ reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
87
87
  end
88
88
 
89
89
  protected
@@ -45,11 +45,11 @@ module Devise
45
45
  [:remember_created_at]
46
46
  end
47
47
 
48
- # Generate a new remember token and save the record without validations
49
- # if remember expired (token is no longer valid) or extend_remember_period is true
50
- def remember_me!(extend_period=false)
51
- self.remember_token = self.class.remember_token if generate_remember_token?
52
- self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
48
+ # TODO: We were used to receive a extend period argument but we no longer do.
49
+ # Remove this for Devise 4.0.
50
+ def remember_me!(*)
51
+ self.remember_token = self.class.remember_token if respond_to?(:remember_token)
52
+ self.remember_created_at ||= Time.now.utc
53
53
  save(validate: false) if self.changed?
54
54
  end
55
55
 
@@ -57,19 +57,13 @@ module Devise
57
57
  # it exists), and save the record without validations.
58
58
  def forget_me!
59
59
  return unless persisted?
60
- self.remember_token = nil if respond_to?(:remember_token=)
60
+ self.remember_token = nil if respond_to?(:remember_token)
61
61
  self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
62
62
  save(validate: false)
63
63
  end
64
64
 
65
- # Remember token should be expired if expiration time not overpass now.
66
- def remember_expired?
67
- remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
68
- end
69
-
70
- # Remember token expires at created time + remember_for configuration
71
65
  def remember_expires_at
72
- remember_created_at + self.class.remember_for
66
+ self.class.remember_for.from_now
73
67
  end
74
68
 
75
69
  def rememberable_value
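Review bot: `forget_me!` now guards the assignment with `respond_to?(:remember_token)`, which tests the reader while the guarded expression calls the writer `remember_token=`. A model that exposes only a reader would pass the guard and then raise NoMethodError, whereas the previous `respond_to?(:remember_token=)` matched the call that is actually made. The rewritten `remember_me!` in the preceding hunk uses the same reader-based guard. I would keep `self.remember_token = nil if respond_to?(:remember_token=)` here and use the same form in `remember_me!`. `rememberable_value` at the end of this hunk continues outside it.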
@@ -104,27 +98,30 @@ module Devise
104
98
 
105
99
  protected
106
100
 
107
- def generate_remember_token? #:nodoc:
108
- respond_to?(:remember_token) && remember_expired?
109
- end
110
-
111
- # Generate a timestamp if extend_remember_period is true, if no remember_token
112
- # exists, or if an existing remember token has expired.
113
- def generate_remember_timestamp?(extend_period) #:nodoc:
114
- extend_period || remember_expired?
115
- end
116
-
117
101
  module ClassMethods
118
102
  # Create the cookie key using the record id and remember_token
119
103
  def serialize_into_cookie(record)
120
- [record.to_key, record.rememberable_value]
104
+ [record.to_key, record.rememberable_value, Time.now.utc]
121
105
  end
122
106
 
123
107
  # Recreate the user based on the stored cookie
124
- def serialize_from_cookie(id, remember_token)
125
- record = to_adapter.get(id)
126
- record if record && !record.remember_expired? &&
127
- Devise.secure_compare(record.rememberable_value, remember_token)
108
+ def serialize_from_cookie(*args)
109
+ id, token, generated_at = args
110
+
111
+ # The token is only valid if:
112
+ # 1. we have a date
113
+ # 2. the current time does not pass the expiry period
114
+ # 3. there is a record with the given id
115
+ # 4. the record has a remember_created_at date
116
+ # 5. the token date is bigger than the remember_created_at
117
+ # 6. the token matches
118
+ if generated_at &&
119
+ (self.remember_for.ago < generated_at) &&
120
+ (record = to_adapter.get(id)) &&
121
+ (generated_at > (record.remember_created_at || Time.now).utc) &&
122
+ Devise.secure_compare(record.rememberable_value, token)
123
+ record
124
+ end
128
125
  end
129
126
 
130
127
  # Generate a token checking if one does not already exist in the database.
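Review bot: `generated_at` in `serialize_from_cookie` is compared against Time values without any check of its type, so the outcome depends on what the cookie serializer hands back. `serialize_into_cookie` writes `Time.now.utc`, but a serializer that does not round-trip Time objects (a JSON cookie serializer, for instance) would presumably return a String, and `self.remember_for.ago < generated_at` would then raise instead of rejecting the cookie. Normalising the value to a Time before the `if`, and treating anything unparseable as a missing timestamp so the check fails closed, avoids that. The tests added in this release only pass Time instances, so this path is not covered.

```ruby
def serialize_from_cookie(*args)
  id, token, generated_at = args

  # The cookie serializer may not round-trip Time; accept only what can be
  # turned into a Time and treat everything else as a missing timestamp.
  generated_at =
    case generated_at
    when Time then generated_at.utc
    when Numeric then Time.at(generated_at).utc
    when String
      begin
        Time.parse(generated_at).utc
      rescue ArgumentError
        nil
      end
    end

  # … unchanged: the six validity checks and the record lookup …
end
```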
@@ -135,6 +132,7 @@ module Devise
135
132
  end
136
133
  end
137
134
 
135
+ # TODO: extend_remember_period is no longer used
138
136
  Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
139
137
  end
140
138
  end
@@ -26,7 +26,6 @@ module Devise
26
26
 
27
27
  # Checks whether the user session has expired based on configured time.
28
28
  def timedout?(last_access)
29
- return false if remember_exists_and_not_expired?
30
29
  !timeout_in.nil? && last_access && last_access <= timeout_in.ago
31
30
  end
32
31
 
@@ -36,11 +35,6 @@ module Devise
36
35
 
37
36
  private
38
37
 
39
- def remember_exists_and_not_expired?
40
- return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
41
- remember_created_at && !remember_expired?
42
- end
43
-
44
38
  module ClassMethods
45
39
  Devise::Models.config(self, :timeout_in)
46
40
  end
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.5.3".freeze
2
+ VERSION = "3.5.4".freeze
3
3
  end
@@ -4,7 +4,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
4
4
  def create_user_and_remember(add_to_token='')
5
5
  user = create_user
6
6
  user.remember_me!
7
- raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
7
+ raw_cookie = User.serialize_into_cookie(user).tap { |a| a[1] << add_to_token }
8
8
  cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
9
9
  user
10
10
  end
@@ -135,7 +135,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
135
135
 
136
136
  test 'do not remember with expired token' do
137
137
  create_user_and_remember
138
- swap Devise, remember_for: 0 do
138
+ swap Devise, remember_for: 0.days do
139
139
  get users_path
140
140
  assert_not warden.authenticated?(:user)
141
141
  assert_redirected_to new_user_session_path
@@ -165,16 +165,6 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
165
165
  end
166
166
  end
167
167
 
168
- test 'time out not triggered if remembered' do
169
- user = sign_in_as_user remember_me: true
170
- get expire_user_path(user)
171
- assert_not_nil last_request_at
172
-
173
- get users_path
174
- assert_response :success
175
- assert warden.authenticated?(:user)
176
- end
177
-
178
168
  test 'does not crashes when the last_request_at is a String' do
179
169
  user = sign_in_as_user
180
170
 
@@ -486,4 +486,18 @@ class ReconfirmableTest < ActiveSupport::TestCase
486
486
  :unconfirmed_email
487
487
  ]
488
488
  end
489
+
490
+ test 'should not require reconfirmation after creating a record' do
491
+ user = create_admin
492
+ assert !user.pending_reconfirmation?
493
+ end
494
+
495
+ test 'should not require reconfirmation after creating a record with #save called in callback' do
496
+ class Admin::WithSaveInCallback < Admin
497
+ after_create :save
498
+ end
499
+
500
+ user = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
501
+ assert !user.pending_reconfirmation?
502
+ end
489
503
  end
@@ -13,6 +13,7 @@ class RememberableTest < ActiveSupport::TestCase
13
13
  user = create_user
14
14
  user.expects(:valid?).never
15
15
  user.remember_me!
16
+ assert user.remember_created_at
16
17
  end
17
18
 
18
19
  test 'forget_me should not clear remember token if using salt' do
@@ -33,13 +34,45 @@ class RememberableTest < ActiveSupport::TestCase
33
34
  test 'serialize into cookie' do
34
35
  user = create_user
35
36
  user.remember_me!
36
- assert_equal [user.to_key, user.authenticatable_salt], User.serialize_into_cookie(user)
37
+ id, token, date = User.serialize_into_cookie(user)
38
+ assert_equal id, user.to_key
39
+ assert_equal token, user.authenticatable_salt
40
+ assert date.is_a?(Time)
37
41
  end
38
42
 
39
43
  test 'serialize from cookie' do
40
44
  user = create_user
41
45
  user.remember_me!
42
- assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
46
+ assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
47
+ end
48
+
49
+ test 'serialize from cookie should return nil if no resource is found' do
50
+ assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
51
+ end
52
+
53
+ test 'serialize from cookie should return nil if no timestamp' do
54
+ user = create_user
55
+ user.remember_me!
56
+ assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
57
+ end
58
+
59
+ test 'serialize from cookie should return nil if timestamp is earlier than token creation' do
60
+ user = create_user
61
+ user.remember_me!
62
+ assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 1.day.ago)
63
+ end
64
+
65
+ test 'serialize from cookie should return nil if timestamp is older than remember_for' do
66
+ user = create_user
67
+ user.remember_created_at = 1.month.ago
68
+ user.remember_me!
69
+ assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 3.weeks.ago)
70
+ end
71
+
72
+ test 'serialize from cookie me return nil if is a valid resource with invalid token' do
73
+ user = create_user
74
+ user.remember_me!
75
+ assert_nil User.serialize_from_cookie(user.to_key, "123", Time.now.utc)
43
76
  end
44
77
 
45
78
  test 'raises a RuntimeError if authenticatable_salt is nil or empty' do
@@ -93,28 +126,7 @@ class RememberableTest < ActiveSupport::TestCase
93
126
  resource.forget_me!
94
127
  end
95
128
 
96
- test 'remember is expired if not created at timestamp is set' do
97
- assert create_resource.remember_expired?
98
- end
99
-
100
- test 'serialize should return nil if no resource is found' do
101
- assert_nil resource_class.serialize_from_cookie([0], "123")
102
- end
103
-
104
- test 'remember me return nil if is a valid resource with invalid token' do
105
- resource = create_resource
106
- assert_nil resource_class.serialize_from_cookie([resource.id], "123")
107
- end
108
-
109
- test 'remember for should fallback to devise remember for default configuration' do
110
- swap Devise, remember_for: 1.day do
111
- resource = create_resource
112
- resource.remember_me!
113
- assert_not resource.remember_expired?
114
- end
115
- end
116
-
117
- test 'remember expires at should sum date of creation with remember for configuration' do
129
+ test 'remember expires at uses remember for configuration' do
118
130
  swap Devise, remember_for: 3.days do
119
131
  resource = create_resource
120
132
  resource.remember_me!
@@ -125,77 +137,6 @@ class RememberableTest < ActiveSupport::TestCase
125
137
  end
126
138
  end
127
139
 
128
- test 'remember should be expired if remember_for is zero' do
129
- swap Devise, remember_for: 0.days do
130
- Devise.remember_for = 0.days
131
- resource = create_resource
132
- resource.remember_me!
133
- assert resource.remember_expired?
134
- end
135
- end
136
-
137
- test 'remember should be expired if it was created before limit time' do
138
- swap Devise, remember_for: 1.day do
139
- resource = create_resource
140
- resource.remember_me!
141
- resource.remember_created_at = 2.days.ago
142
- resource.save
143
- assert resource.remember_expired?
144
- end
145
- end
146
-
147
- test 'remember should not be expired if it was created within the limit time' do
148
- swap Devise, remember_for: 30.days do
149
- resource = create_resource
150
- resource.remember_me!
151
- resource.remember_created_at = (30.days.ago + 2.minutes)
152
- resource.save
153
- assert_not resource.remember_expired?
154
- end
155
- end
156
-
157
- test 'if extend_remember_period is false, remember_me! should generate a new timestamp if expired' do
158
- swap Devise, remember_for: 5.minutes do
159
- resource = create_resource
160
- resource.remember_me!(false)
161
- assert resource.remember_created_at
162
-
163
- resource.remember_created_at = old = 10.minutes.ago
164
- resource.save
165
-
166
- resource.remember_me!(false)
167
- assert_not_equal old.to_i, resource.remember_created_at.to_i
168
- end
169
- end
170
-
171
- test 'if extend_remember_period is false, remember_me! should not generate a new timestamp' do
172
- swap Devise, remember_for: 1.year do
173
- resource = create_resource
174
- resource.remember_me!(false)
175
- assert resource.remember_created_at
176
-
177
- resource.remember_created_at = old = 10.minutes.ago.utc
178
- resource.save
179
-
180
- resource.remember_me!(false)
181
- assert_equal old.to_i, resource.remember_created_at.to_i
182
- end
183
- end
184
-
185
- test 'if extend_remember_period is true, remember_me! should always generate a new timestamp' do
186
- swap Devise, remember_for: 1.year do
187
- resource = create_resource
188
- resource.remember_me!(true)
189
- assert resource.remember_created_at
190
-
191
- resource.remember_created_at = old = 10.minutes.ago
192
- resource.save
193
-
194
- resource.remember_me!(true)
195
- assert_not_equal old, resource.remember_created_at
196
- end
197
- end
198
-
199
140
  test 'should have the required_fields array' do
200
141
  assert_same_content Devise::Models::Rememberable.required_fields(User), [
201
142
  :remember_created_at
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.3
4
+ version: 3.5.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - José Valim
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2015-12-10 00:00:00.000000000 Z
12
+ date: 2016-01-18 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: warden