RubyGems - devise - Versions diffs - 3.5.3 → 4.7.1 - Mend

devise 3.5.3 → 4.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +256 -1099
data/MIT-LICENSE +1 -1
data/README.md +254 -67
data/app/controllers/devise/confirmations_controller.rb +3 -1
data/app/controllers/devise/omniauth_callbacks_controller.rb +8 -6
data/app/controllers/devise/passwords_controller.rb +7 -4
data/app/controllers/devise/registrations_controller.rb +39 -18
data/app/controllers/devise/sessions_controller.rb +9 -7
data/app/controllers/devise/unlocks_controller.rb +4 -2
data/app/controllers/devise_controller.rb +23 -10
data/app/helpers/devise_helper.rb +12 -19
data/app/mailers/devise/mailer.rb +6 -0
data/app/views/devise/confirmations/new.html.erb +2 -2
data/app/views/devise/mailer/email_changed.html.erb +7 -0
data/app/views/devise/passwords/edit.html.erb +3 -3
data/app/views/devise/passwords/new.html.erb +2 -2
data/app/views/devise/registrations/edit.html.erb +9 -5
data/app/views/devise/registrations/new.html.erb +4 -4
data/app/views/devise/sessions/new.html.erb +4 -4
data/app/views/devise/shared/_error_messages.html.erb +15 -0
data/app/views/devise/shared/_links.html.erb +7 -7
data/app/views/devise/unlocks/new.html.erb +2 -2
data/config/locales/en.yml +4 -1
data/lib/devise/controllers/helpers.rb +23 -20
data/lib/devise/controllers/rememberable.rb +11 -2
data/lib/devise/controllers/scoped_views.rb +2 -0
data/lib/devise/controllers/sign_in_out.rb +34 -11
data/lib/devise/controllers/store_location.rb +25 -7
data/lib/devise/controllers/url_helpers.rb +2 -0
data/lib/devise/delegator.rb +2 -0
data/lib/devise/encryptor.rb +6 -4
data/lib/devise/failure_app.rb +75 -37
data/lib/devise/hooks/activatable.rb +2 -0
data/lib/devise/hooks/csrf_cleaner.rb +2 -0
data/lib/devise/hooks/forgetable.rb +2 -0
data/lib/devise/hooks/lockable.rb +6 -1
data/lib/devise/hooks/proxy.rb +3 -1
data/lib/devise/hooks/rememberable.rb +2 -0
data/lib/devise/hooks/timeoutable.rb +5 -2
data/lib/devise/hooks/trackable.rb +2 -0
data/lib/devise/mailers/helpers.rb +7 -4
data/lib/devise/mapping.rb +2 -0
data/lib/devise/models/authenticatable.rb +51 -26
data/lib/devise/models/confirmable.rb +89 -27
data/lib/devise/models/database_authenticatable.rb +88 -21
data/lib/devise/models/lockable.rb +15 -5
data/lib/devise/models/omniauthable.rb +2 -0
data/lib/devise/models/recoverable.rb +32 -20
data/lib/devise/models/registerable.rb +4 -0
data/lib/devise/models/rememberable.rb +42 -26
data/lib/devise/models/timeoutable.rb +2 -6
data/lib/devise/models/trackable.rb +15 -1
data/lib/devise/models/validatable.rb +10 -3
data/lib/devise/models.rb +3 -1
data/lib/devise/modules.rb +2 -0
data/lib/devise/omniauth/config.rb +2 -0
data/lib/devise/omniauth/url_helpers.rb +14 -5
data/lib/devise/omniauth.rb +2 -0
data/lib/devise/orm/active_record.rb +5 -1
data/lib/devise/orm/mongoid.rb +6 -2
data/lib/devise/parameter_filter.rb +4 -0
data/lib/devise/parameter_sanitizer.rb +139 -65
data/lib/devise/rails/routes.rb +44 -33
data/lib/devise/rails/warden_compat.rb +3 -10
data/lib/devise/rails.rb +7 -16
data/lib/devise/secret_key_finder.rb +27 -0
data/lib/devise/strategies/authenticatable.rb +3 -1
data/lib/devise/strategies/base.rb +2 -0
data/lib/devise/strategies/database_authenticatable.rb +11 -4
data/lib/devise/strategies/rememberable.rb +5 -6
data/lib/devise/test/controller_helpers.rb +165 -0
data/lib/devise/test/integration_helpers.rb +63 -0
data/lib/devise/test_helpers.rb +7 -124
data/lib/devise/time_inflector.rb +2 -0
data/lib/devise/token_generator.rb +3 -41
data/lib/devise/version.rb +3 -1
data/lib/devise.rb +61 -40
data/lib/generators/active_record/devise_generator.rb +29 -10
data/lib/generators/active_record/templates/migration.rb +4 -2
data/lib/generators/active_record/templates/migration_existing.rb +4 -2
data/lib/generators/devise/controllers_generator.rb +3 -1
data/lib/generators/devise/devise_generator.rb +4 -2
data/lib/generators/devise/install_generator.rb +17 -0
data/lib/generators/devise/orm_helpers.rb +10 -21
data/lib/generators/devise/views_generator.rb +7 -8
data/lib/generators/mongoid/devise_generator.rb +7 -5
data/lib/generators/templates/README +1 -8
data/lib/generators/templates/controllers/confirmations_controller.rb +2 -0
data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +2 -0
data/lib/generators/templates/controllers/passwords_controller.rb +2 -0
data/lib/generators/templates/controllers/registrations_controller.rb +6 -4
data/lib/generators/templates/controllers/sessions_controller.rb +4 -2
data/lib/generators/templates/controllers/unlocks_controller.rb +2 -0
data/lib/generators/templates/devise.rb +50 -20
data/lib/generators/templates/markerb/email_changed.markerb +7 -0
data/lib/generators/templates/markerb/password_change.markerb +2 -2
data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +5 -1
data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +10 -2
data/lib/generators/templates/simple_form_for/passwords/new.html.erb +4 -1
data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +11 -3
data/lib/generators/templates/simple_form_for/registrations/new.html.erb +11 -3
data/lib/generators/templates/simple_form_for/sessions/new.html.erb +7 -2
data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +4 -1
metadata +13 -310
data/.gitignore +0 -10
data/.travis.yml +0 -44
data/.yardopts +0 -9
data/CODE_OF_CONDUCT.md +0 -22
data/CONTRIBUTING.md +0 -16
data/Gemfile +0 -29
data/Gemfile.lock +0 -183
data/Rakefile +0 -36
data/devise.gemspec +0 -27
data/devise.png +0 -0
data/gemfiles/Gemfile.rails-3.2-stable +0 -29
data/gemfiles/Gemfile.rails-3.2-stable.lock +0 -172
data/gemfiles/Gemfile.rails-4.0-stable +0 -29
data/gemfiles/Gemfile.rails-4.0-stable.lock +0 -166
data/gemfiles/Gemfile.rails-4.1-stable +0 -29
data/gemfiles/Gemfile.rails-4.1-stable.lock +0 -172
data/gemfiles/Gemfile.rails-4.2-stable +0 -29
data/gemfiles/Gemfile.rails-4.2-stable.lock +0 -194
data/script/cached-bundle +0 -49
data/script/s3-put +0 -71
data/test/controllers/custom_registrations_controller_test.rb +0 -40
data/test/controllers/custom_strategy_test.rb +0 -62
data/test/controllers/helper_methods_test.rb +0 -21
data/test/controllers/helpers_test.rb +0 -316
data/test/controllers/inherited_controller_i18n_messages_test.rb +0 -51
data/test/controllers/internal_helpers_test.rb +0 -129
data/test/controllers/load_hooks_controller_test.rb +0 -19
data/test/controllers/passwords_controller_test.rb +0 -31
data/test/controllers/sessions_controller_test.rb +0 -103
data/test/controllers/url_helpers_test.rb +0 -65
data/test/delegator_test.rb +0 -19
data/test/devise_test.rb +0 -107
data/test/failure_app_test.rb +0 -315
data/test/generators/active_record_generator_test.rb +0 -109
data/test/generators/controllers_generator_test.rb +0 -48
data/test/generators/devise_generator_test.rb +0 -39
data/test/generators/install_generator_test.rb +0 -13
data/test/generators/mongoid_generator_test.rb +0 -23
data/test/generators/views_generator_test.rb +0 -103
data/test/helpers/devise_helper_test.rb +0 -49
data/test/integration/authenticatable_test.rb +0 -729
data/test/integration/confirmable_test.rb +0 -324
data/test/integration/database_authenticatable_test.rb +0 -95
data/test/integration/http_authenticatable_test.rb +0 -105
data/test/integration/lockable_test.rb +0 -239
data/test/integration/omniauthable_test.rb +0 -135
data/test/integration/recoverable_test.rb +0 -347
data/test/integration/registerable_test.rb +0 -359
data/test/integration/rememberable_test.rb +0 -176
data/test/integration/timeoutable_test.rb +0 -184
data/test/integration/trackable_test.rb +0 -92
data/test/mailers/confirmation_instructions_test.rb +0 -115
data/test/mailers/reset_password_instructions_test.rb +0 -96
data/test/mailers/unlock_instructions_test.rb +0 -91
data/test/mapping_test.rb +0 -134
data/test/models/authenticatable_test.rb +0 -23
data/test/models/confirmable_test.rb +0 -489
data/test/models/database_authenticatable_test.rb +0 -269
data/test/models/lockable_test.rb +0 -328
data/test/models/omniauthable_test.rb +0 -7
data/test/models/recoverable_test.rb +0 -251
data/test/models/registerable_test.rb +0 -7
data/test/models/rememberable_test.rb +0 -204
data/test/models/serializable_test.rb +0 -49
data/test/models/timeoutable_test.rb +0 -51
data/test/models/trackable_test.rb +0 -41
data/test/models/validatable_test.rb +0 -127
data/test/models_test.rb +0 -153
data/test/omniauth/config_test.rb +0 -57
data/test/omniauth/url_helpers_test.rb +0 -54
data/test/orm/active_record.rb +0 -10
data/test/orm/mongoid.rb +0 -13
data/test/parameter_sanitizer_test.rb +0 -81
data/test/rails_app/Rakefile +0 -6
data/test/rails_app/app/active_record/admin.rb +0 -6
data/test/rails_app/app/active_record/shim.rb +0 -2
data/test/rails_app/app/active_record/user.rb +0 -6
data/test/rails_app/app/active_record/user_on_engine.rb +0 -7
data/test/rails_app/app/active_record/user_on_main_app.rb +0 -7
data/test/rails_app/app/active_record/user_without_email.rb +0 -8
data/test/rails_app/app/controllers/admins/sessions_controller.rb +0 -6
data/test/rails_app/app/controllers/admins_controller.rb +0 -6
data/test/rails_app/app/controllers/application_controller.rb +0 -12
data/test/rails_app/app/controllers/application_with_fake_engine.rb +0 -30
data/test/rails_app/app/controllers/custom/registrations_controller.rb +0 -31
data/test/rails_app/app/controllers/home_controller.rb +0 -25
data/test/rails_app/app/controllers/publisher/registrations_controller.rb +0 -2
data/test/rails_app/app/controllers/publisher/sessions_controller.rb +0 -2
data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +0 -14
data/test/rails_app/app/controllers/users_controller.rb +0 -31
data/test/rails_app/app/helpers/application_helper.rb +0 -3
data/test/rails_app/app/mailers/users/from_proc_mailer.rb +0 -3
data/test/rails_app/app/mailers/users/mailer.rb +0 -3
data/test/rails_app/app/mailers/users/reply_to_mailer.rb +0 -4
data/test/rails_app/app/mongoid/admin.rb +0 -29
data/test/rails_app/app/mongoid/shim.rb +0 -23
data/test/rails_app/app/mongoid/user.rb +0 -39
data/test/rails_app/app/mongoid/user_on_engine.rb +0 -39
data/test/rails_app/app/mongoid/user_on_main_app.rb +0 -39
data/test/rails_app/app/mongoid/user_without_email.rb +0 -33
data/test/rails_app/app/views/admins/index.html.erb +0 -1
data/test/rails_app/app/views/admins/sessions/new.html.erb +0 -2
data/test/rails_app/app/views/home/admin_dashboard.html.erb +0 -1
data/test/rails_app/app/views/home/index.html.erb +0 -1
data/test/rails_app/app/views/home/join.html.erb +0 -1
data/test/rails_app/app/views/home/private.html.erb +0 -1
data/test/rails_app/app/views/home/user_dashboard.html.erb +0 -1
data/test/rails_app/app/views/layouts/application.html.erb +0 -24
data/test/rails_app/app/views/users/edit_form.html.erb +0 -1
data/test/rails_app/app/views/users/index.html.erb +0 -1
data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +0 -1
data/test/rails_app/app/views/users/sessions/new.html.erb +0 -1
data/test/rails_app/bin/bundle +0 -3
data/test/rails_app/bin/rails +0 -4
data/test/rails_app/bin/rake +0 -4
data/test/rails_app/config/application.rb +0 -40
data/test/rails_app/config/boot.rb +0 -14
data/test/rails_app/config/database.yml +0 -18
data/test/rails_app/config/environment.rb +0 -5
data/test/rails_app/config/environments/development.rb +0 -30
data/test/rails_app/config/environments/production.rb +0 -84
data/test/rails_app/config/environments/test.rb +0 -41
data/test/rails_app/config/initializers/backtrace_silencers.rb +0 -7
data/test/rails_app/config/initializers/devise.rb +0 -180
data/test/rails_app/config/initializers/inflections.rb +0 -2
data/test/rails_app/config/initializers/secret_token.rb +0 -8
data/test/rails_app/config/initializers/session_store.rb +0 -1
data/test/rails_app/config/routes.rb +0 -125
data/test/rails_app/config.ru +0 -4
data/test/rails_app/db/migrate/20100401102949_create_tables.rb +0 -71
data/test/rails_app/db/schema.rb +0 -55
data/test/rails_app/lib/shared_admin.rb +0 -17
data/test/rails_app/lib/shared_user.rb +0 -29
data/test/rails_app/lib/shared_user_without_email.rb +0 -26
data/test/rails_app/lib/shared_user_without_omniauth.rb +0 -13
data/test/rails_app/public/404.html +0 -26
data/test/rails_app/public/422.html +0 -26
data/test/rails_app/public/500.html +0 -26
data/test/rails_app/public/favicon.ico +0 -0
data/test/rails_test.rb +0 -9
data/test/routes_test.rb +0 -264
data/test/support/action_controller/record_identifier.rb +0 -10
data/test/support/assertions.rb +0 -39
data/test/support/helpers.rb +0 -77
data/test/support/integration.rb +0 -92
data/test/support/locale/en.yml +0 -8
data/test/support/mongoid.yml +0 -6
data/test/support/webrat/integrations/rails.rb +0 -24
data/test/test_helper.rb +0 -34
data/test/test_helpers_test.rb +0 -178
data/test/test_models.rb +0 -33

data/lib/devise/models/recoverable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
@@ -27,30 +29,20 @@ module Devise
       end
       included do
-        before_update do
-          if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
-            clear_reset_password_token
-          end
-        end
+        before_update :clear_reset_password_token, if: :clear_reset_password_token?
       end
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
       def reset_password(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-        if respond_to?(:after_password_reset) && valid?
-          ActiveSupport::Deprecation.warn "after_password_reset is deprecated"
-          after_password_reset
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
         end
-        save
-      end
-      def reset_password!(new_password, new_password_confirmation)
-        ActiveSupport::Deprecation.warn "reset_password! is deprecated in favor of reset_password"
-        reset_password(new_password, new_password_confirmation)
       end
       # Resets reset password token and send reset password instructions by email.
@@ -83,7 +75,7 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
+        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
       protected
@@ -99,7 +91,7 @@ module Devise
           self.reset_password_token   = enc
           self.reset_password_sent_at = Time.now.utc
-          self.save(validate: false)
+          save(validate: false)
           raw
         end
@@ -107,6 +99,26 @@ module Devise
           send_devise_notification(:reset_password_instructions, token, {})
         end
+        if Devise.activerecord51?
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:will_save_change_to_encrypted_password?) && will_save_change_to_encrypted_password?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
+            end
+            authentication_keys_changed || encrypted_password_changed
+          end
+        else
+          def clear_reset_password_token?
+            encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
+            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+              respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+            end
+            authentication_keys_changed || encrypted_password_changed
+          end
+        end
       module ClassMethods
         # Attempt to find a user by password reset token. If a user is found, return it
         # If a user is not found, return nil

data/lib/devise/models/registerable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
     # Registerable is responsible for everything related to registering a new
@@ -19,6 +21,8 @@ module Devise
         def new_with_session(params, session)
           new(params)
         end
+        Devise::Models.config(self, :sign_in_after_change_password)
       end
     end
   end

data/lib/devise/models/rememberable.rb CHANGED Viewed

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
 require 'devise/strategies/rememberable'
 require 'devise/hooks/rememberable'
 require 'devise/hooks/forgetable'
 module Devise
   module Models
-    # Rememberable manages generating and clearing token for remember the user
+    # Rememberable manages generating and clearing token for remembering the user
     # from a saved cookie. Rememberable also has utility methods for dealing
     # with serializing the user into the cookie and back from the cookie, trying
     # to lookup the record based on the saved information.
@@ -39,17 +41,15 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
       def self.required_fields(klass)
         [:remember_created_at]
       end
-      # Generate a new remember token and save the record without validations
-      # if remember expired (token is no longer valid) or extend_remember_period is true
-      def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
-        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
+      def remember_me!
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
@@ -57,19 +57,17 @@ module Devise
       # it exists), and save the record without validations.
       def forget_me!
         return unless persisted?
-        self.remember_token = nil if respond_to?(:remember_token=)
+        self.remember_token = nil if respond_to?(:remember_token)
         self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
         save(validate: false)
       end
-      # Remember token should be expired if expiration time not overpass now.
-      def remember_expired?
-        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
+      def remember_expires_at
+        self.class.remember_for.from_now
       end
-      # Remember token expires at created time + remember_for configuration
-      def remember_expires_at
-        remember_created_at + self.class.remember_for
+      def extend_remember_period
+        self.class.extend_remember_period
       end
       def rememberable_value
@@ -78,7 +76,7 @@ module Devise
         elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
-          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
             "or have a remember_token column in your model or implement your own " \
             "rememberable_value in the model with custom logic."
@@ -102,29 +100,47 @@ module Devise
       def after_remembered
       end
-    protected
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
-      def generate_remember_token? #:nodoc:
-        respond_to?(:remember_token) && remember_expired?
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
       end
-      # Generate a timestamp if extend_remember_period is true, if no remember_token
-      # exists, or if an existing remember token has expired.
-      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_expired?
+      private
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
       end
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(id, remember_token)
+        def serialize_from_cookie(*args)
+          id, token, generated_at = *args
           record = to_adapter.get(id)
-          record if record && !record.remember_expired? &&
-                    Devise.secure_compare(record.rememberable_value, remember_token)
+          record if record && record.remember_me?(token, generated_at)
         end
         # Generate a token checking if one does not already exist in the database.

data/lib/devise/models/timeoutable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/hooks/timeoutable'
 module Devise
@@ -26,7 +28,6 @@ module Devise
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        return false if remember_exists_and_not_expired?
         !timeout_in.nil? && last_access && last_access <= timeout_in.ago
       end
@@ -36,11 +37,6 @@ module Devise
       private
-      def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
-        remember_created_at && !remember_expired?
-      end
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end

data/lib/devise/models/trackable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'devise/hooks/trackable'
 module Devise
@@ -20,7 +22,7 @@ module Devise
         self.last_sign_in_at     = old_current || new_current
         self.current_sign_in_at  = new_current
-        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        old_current, new_current = self.current_sign_in_ip, extract_ip_from(request)
         self.last_sign_in_ip     = old_current || new_current
         self.current_sign_in_ip  = new_current
@@ -29,9 +31,21 @@ module Devise
       end
       def update_tracked_fields!(request)
+        # We have to check if the user is already persisted before running
+        # `save` here because invalid users can be saved if we don't.
+        # See https://github.com/plataformatec/devise/issues/4673 for more details.
+        return if new_record?
         update_tracked_fields(request)
         save(validate: false)
       end
+      protected
+      def extract_ip_from(request)
+        request.remote_ip
+      end
     end
   end
 end

data/lib/devise/models/validatable.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
     # Validatable creates all needed validations for a user email and password.
@@ -10,7 +12,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 8..72.
+    #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
     module Validatable
       # All validations used by this module.
@@ -27,8 +29,13 @@ module Devise
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
-          validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-          validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
+          if Devise.activerecord51?
+            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
+            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
+          else
+            validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
+            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
+          end
           validates_presence_of     :password, if: :password_required?
           validates_confirmation_of :password, if: :password_required?

data/lib/devise/models.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module Models
     class MissingAttribute < StandardError
@@ -12,7 +14,7 @@ module Devise
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
+    #   Devise::Models.config(Devise::Models::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

data/lib/devise/modules.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require 'active_support/core_ext/object/with_options'
 Devise.with_options model: true do |d|

data/lib/devise/omniauth/config.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   module OmniAuth
     class StrategyNotFound < NameError

data/lib/devise/omniauth/url_helpers.rb CHANGED Viewed

@@ -1,17 +1,26 @@
+# frozen_string_literal: true
 module Devise
   module OmniAuth
     module UrlHelpers
-      def self.define_helpers(mapping)
+      def omniauth_authorize_path(resource_or_scope, provider, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_authorize_path", *args)
+      end
+      def omniauth_authorize_url(resource_or_scope, provider, *args)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_authorize_url", *args)
       end
-      def omniauth_authorize_path(resource_or_scope, *args)
+      def omniauth_callback_path(resource_or_scope, provider, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        _devise_route_context.send("#{scope}_omniauth_authorize_path", *args)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_callback_path", *args)
       end
-      def omniauth_callback_path(resource_or_scope, *args)
+      def omniauth_callback_url(resource_or_scope, provider, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        _devise_route_context.send("#{scope}_omniauth_callback_path", *args)
+        _devise_route_context.send("#{scope}_#{provider}_omniauth_callback_url", *args)
       end
     end
   end

data/lib/devise/omniauth.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 begin
   require "omniauth"
   require "omniauth/version"

data/lib/devise/orm/active_record.rb CHANGED Viewed

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
 require 'orm_adapter/adapters/active_record'
-ActiveRecord::Base.extend Devise::Models
+ActiveSupport.on_load(:active_record) do
+  extend Devise::Models
+end

data/lib/devise/orm/mongoid.rb CHANGED Viewed

@@ -1,3 +1,7 @@
-require 'orm_adapter/adapters/mongoid'
+# frozen_string_literal: true
-Mongoid::Document::ClassMethods.send :include, Devise::Models
+ActiveSupport.on_load(:mongoid) do
+  require 'orm_adapter/adapters/mongoid'
+  Mongoid::Document::ClassMethods.send :include, Devise::Models
+end

data/lib/devise/parameter_filter.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Devise
   class ParameterFilter
     def initialize(case_insensitive_keys, strip_whitespace_keys)
@@ -16,6 +18,8 @@ module Devise
     def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
       condition_keys.each do |k|
+        next unless conditions.key?(k)
         value = conditions[k]
         conditions[k] = value.send(method) if value.respond_to?(method)
       end

data/lib/devise/parameter_sanitizer.rb CHANGED Viewed

@@ -1,99 +1,173 @@
+# frozen_string_literal: true
 module Devise
-  class BaseSanitizer
-    attr_reader :params, :resource_name, :resource_class
+  # The +ParameterSanitizer+ deals with permitting specific parameters values
+  # for each +Devise+ scope in the application.
+  #
+  # The sanitizer knows about Devise default parameters (like +password+ and
+  # +password_confirmation+ for the `RegistrationsController`), and you can
+  # extend or change the permitted parameters list on your controllers.
+  #
+  # === Permitting new parameters
+  #
+  # You can add new parameters to the permitted list using the +permit+ method
+  # in a +before_action+ method, for instance.
+  #
+  #    class ApplicationController < ActionController::Base
+  #      before_action :configure_permitted_parameters, if: :devise_controller?
+  #
+  #      protected
+  #
+  #      def configure_permitted_parameters
+  #        # Permit the `subscribe_newsletter` parameter along with the other
+  #        # sign up parameters.
+  #        devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+  #      end
+  #    end
+  #
+  # Using a block yields an +ActionController::Parameters+ object so you can
+  # permit nested parameters and have more control over how the parameters are
+  # permitted in your controller.
+  #
+  #    def configure_permitted_parameters
+  #      devise_parameter_sanitizer.permit(:sign_up) do |user|
+  #        user.permit(newsletter_preferences: [])
+  #      end
+  #    end
+  class ParameterSanitizer
+    DEFAULT_PERMITTED_ATTRIBUTES = {
+      sign_in: [:password, :remember_me],
+      sign_up: [:password, :password_confirmation],
+      account_update: [:password, :password_confirmation, :current_password]
+    }
     def initialize(resource_class, resource_name, params)
-      @resource_class = resource_class
-      @resource_name  = resource_name
+      @auth_keys      = extract_auth_keys(resource_class)
       @params         = params
-      @blocks         = Hash.new
-    end
+      @resource_name  = resource_name
+      @permitted      = {}
-    def for(kind, &block)
-      if block_given?
-        @blocks[kind] = block
-      else
-        default_for(kind)
+      DEFAULT_PERMITTED_ATTRIBUTES.each_pair do |action, keys|
+        permit(action, keys: keys)
       end
     end
-    def sanitize(kind)
-      if block = @blocks[kind]
-        block.call(default_params)
+    # Sanitize the parameters for a specific +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    #
+    # === Examples
+    #
+    #    # Inside the `RegistrationsController#create` action.
+    #    resource = build_resource(devise_parameter_sanitizer.sanitize(:sign_up))
+    #    resource.save
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+ with the permitted
+    # attributes.
+    def sanitize(action)
+      permissions = @permitted[action]
+      if permissions.respond_to?(:call)
+        cast_to_hash permissions.call(default_params)
+      elsif permissions.present?
+        cast_to_hash permit_keys(default_params, permissions)
       else
-        default_sanitize(kind)
+        unknown_action!(action)
       end
     end
-    private
+    # Add or remove new parameters to the permitted list of an +action+.
+    #
+    # === Arguments
+    #
+    # * +action+ - A +Symbol+ with the action that the controller is
+    #   performing, like +sign_up+, +sign_in+, etc.
+    # * +keys:+     - An +Array+ of keys that also should be permitted.
+    # * +except:+   - An +Array+ of keys that shouldn't be permitted.
+    # * +block+     - A block that should be used to permit the action
+    #   parameters instead of the +Array+ based approach. The block will be
+    #   called with an +ActionController::Parameters+ instance.
+    #
+    # === Examples
+    #
+    #   # Adding new parameters to be permitted in the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up, keys: [:subscribe_newsletter])
+    #
+    #   # Removing the `password` parameter from the `account_update` action.
+    #   devise_parameter_sanitizer.permit(:account_update, except: [:password])
+    #
+    #   # Using the block form to completely override how we permit the
+    #   # parameters for the `sign_up` action.
+    #   devise_parameter_sanitizer.permit(:sign_up) do |user|
+    #     user.permit(:email, :password, :password_confirmation)
+    #   end
+    #
+    #
+    # Returns nothing.
+    def permit(action, keys: nil, except: nil, &block)
+      if block_given?
+        @permitted[action] = block
+      end
-    def default_for(kind)
-      raise ArgumentError, "a block is expected in Devise base sanitizer"
-    end
+      if keys.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action].concat(keys)
+      end
-    def default_sanitize(kind)
-      default_params
+      if except.present?
+        @permitted[action] ||= @auth_keys.dup
+        @permitted[action] = @permitted[action] - except
+      end
     end
-    def default_params
-      params.fetch(resource_name, {})
-    end
-  end
+    private
-  class ParameterSanitizer < BaseSanitizer
-    def initialize(*)
-      super
-      @permitted = Hash.new { |h,k| h[k] = attributes_for(k) }
+    # Cast a sanitized +ActionController::Parameters+ to a +HashWithIndifferentAccess+
+    # that can be used elsewhere.
+    #
+    # Returns an +ActiveSupport::HashWithIndifferentAccess+.
+    def cast_to_hash(params)
+      # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
+      params && params.to_h.with_indifferent_access
     end
-    def sign_in
-      permit self.for(:sign_in)
+    def default_params
+      if hashable_resource_params?
+        @params.fetch(@resource_name)
+      else
+        empty_params
+      end
     end
-    def sign_up
-      permit self.for(:sign_up)
+    def hashable_resource_params?
+      @params[@resource_name].respond_to?(:permit)
     end
-    def account_update
-      permit self.for(:account_update)
+    def empty_params
+      ActionController::Parameters.new({})
     end
-    private
-    # TODO: We do need to flatten so it works with strong_parameters
-    # gem. We should drop it once we move to Rails 4 only support.
-    def permit(keys)
-      default_params.permit(*Array(keys))
+    def permit_keys(parameters, keys)
+      parameters.permit(*keys)
     end
-    # Change for(kind) to return the values in the @permitted
-    # hash, allowing the developer to customize at runtime.
-    def default_for(kind)
-      @permitted[kind] || raise("No sanitizer provided for #{kind}")
-    end
+    def extract_auth_keys(klass)
+      auth_keys = klass.authentication_keys
-    def default_sanitize(kind)
-      if respond_to?(kind, true)
-        send(kind)
-      else
-        raise NotImplementedError, "Devise doesn't know how to sanitize parameters for #{kind}"
-      end
+      auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
     end
-    def attributes_for(kind)
-      case kind
-      when :sign_in
-        auth_keys + [:password, :remember_me]
-      when :sign_up
-        auth_keys + [:password, :password_confirmation]
-      when :account_update
-        auth_keys + [:password, :password_confirmation, :current_password]
-      end
-    end
+    def unknown_action!(action)
+      raise NotImplementedError, <<-MESSAGE.strip_heredoc
+        "Devise doesn't know how to sanitize parameters for '#{action}'".
+        If you want to define a new set of parameters to be sanitized use the
+        `permit` method first:
-    def auth_keys
-      @auth_keys ||= @resource_class.authentication_keys.respond_to?(:keys) ?
-                       @resource_class.authentication_keys.keys : @resource_class.authentication_keys
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
+      MESSAGE
     end
   end
 end