devise 3.5.5 → 3.5.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 27090b1b7af510943f0db50b0e362d06eb17bc4f
-  data.tar.gz: c6ccb8c7c4f6b5291dea73624e0a3e1beff05925
+  metadata.gz: 170cbeb51f7e3662d509a920d0dd572ab30f1d8d
+  data.tar.gz: 4b7d78a8f00a0de1dd1b76c89f6614196a8bcdaa
 SHA512:
-  metadata.gz: 7fb6eb7b780edddbd2c495d01a0f9b059ed65c41bfb245d35c71614eb6a693cee76924292214d381ca95ebaffb5c6076ca93fb9d4fb525a311a57224c399304e
-  data.tar.gz: 83e870f314f22e6fe46a65b5bfba51d6857915d095e7080b3fdc3d8424fe727280822a1fd0d1aac7c8a1e66fbdeea25d921faee31114e8fea59c9493beb4aab1
+  metadata.gz: 28952c389b36c41b41230825f0d24fba90b01a7cb7f9a944e047293338a46f9210e30d456a1e3e3959b813276953ee174887bf1b5511072515be3acd1c65d683
+  data.tar.gz: 869c90b6a083ea0e8b60385bc1e1ecbf90469dac0468506b39ca2c96f6545532e3b58ac3310d01bf497c9ec5e8eb66ea7a7ff4715b5c46747edfecf7c332728f

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+### 3.5.6 - 2016-01-02
+
+* bug fixes
+  * Fix type coercion of the rememberable timestamp stored on cookies.
+
 ### 3.5.5 - 2016-22-01
 
 * bug fixes

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.5)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -153,7 +153,7 @@ GEM
     thread_safe (0.3.5)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/gemfiles/Gemfile.rails-3.2-stable.lock

@@ -49,7 +49,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.43)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

data/gemfiles/Gemfile.rails-4.0-stable.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
+  revision: 9be9597e510d185ca7964d0a05b4ea2a7f2d50d1
   branch: 4-0-stable
   specs:
     actionmailer (4.0.13)
@@ -43,7 +43,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -54,24 +54,24 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activerecord-deprecated_finders (1.0.3)
+    activerecord-deprecated_finders (1.0.4)
     arel (4.0.2)
     bcrypt (3.1.10)
-    bson (2.3.0)
+    bson (3.2.6)
     builder (3.1.4)
-    connection_pool (2.1.3)
+    concurrent-ruby (1.0.0)
+    connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.3)
     i18n (0.7.0)
-    jwt (1.4.1)
+    jwt (1.5.2)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metaclass (0.0.4)
-    mime-types (2.4.3)
-    mini_portile (0.6.2)
+    mime-types (2.99)
+    mini_portile2 (2.0.0)
     minitest (4.7.5)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
@@ -80,15 +80,15 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.4)
-      bson (~> 2.2)
+    moped (2.0.7)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -109,34 +109,31 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.5.2)
+    rack (1.5.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets (3.5.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
-    tzinfo (0.3.43)
-    warden (1.2.4)
+    tzinfo (0.3.46)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -163,4 +160,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

data/gemfiles/Gemfile.rails-4.1-stable.lock

@@ -48,7 +48,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

data/gemfiles/Gemfile.rails-4.2-stable.lock

@@ -58,7 +58,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -146,8 +146,8 @@ GEM
       loofah (~> 2.0)
     rake (10.4.2)
     rdoc (4.2.0)
-    responders (2.1.0)
-      railties (>= 4.2.0, < 5)
+    responders (2.1.1)
+      railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (2.12.3)
       hike (~> 1.2)
@@ -164,7 +164,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -191,4 +191,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

data/lib/devise/controllers/rememberable.rb

@@ -12,8 +12,8 @@ module Devise
       def remember_me_is_active?(resource)
         return false unless resource.respond_to?(:remember_me)
         scope = Devise::Mapping.find_scope!(resource)
-        cookie = cookies.signed[remember_key(resource, scope)]
-        resource.class.serialized_in_cookie?(resource, *cookie)
+        _, token, generated_at = cookies.signed[remember_key(resource, scope)]
+        resource.remember_me?(token, generated_at)
       end
 
       # Remembers the given resource by setting up a cookie

data/lib/devise/models/rememberable.rb

@@ -101,21 +101,47 @@ module Devise
       def after_remembered
       end
 
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
+
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
+      end
+
+      private
+
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
+      end
 
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value, Time.now.utc]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
 
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(*args)
-          serialize_from_cookie_with_or_without_record(nil, args)
-        end
+          id, token, generated_at = *args
 
-        # Check if the given record is the one serialized in cookie
-        def serialized_in_cookie?(record, *args)
-          !!serialize_from_cookie_with_or_without_record(record, args)
+          record = to_adapter.get(id)
+          record if record && record.remember_me?(token, generated_at)
         end
 
         # Generate a token checking if one does not already exist in the database.
@@ -128,26 +154,6 @@ module Devise
 
         private
 
-        def serialize_from_cookie_with_or_without_record(record, args)
-          id, token, generated_at = args
-
-          # The token is only valid if:
-          # 1. we have a date
-          # 2. the current time does not pass the expiry period
-          # 3. there is a record with the given id
-          # 4. the record has a remember_created_at date
-          # 5. the token date is bigger than the remember_created_at
-          # 6. the token matches
-          if generated_at &&
-             (self.remember_for.ago < generated_at) &&
-             (record ||= to_adapter.get(id)) && (id == record.to_key) &&
-             (generated_at > (record.remember_created_at || Time.now).utc) &&
-             Devise.secure_compare(record.rememberable_value, token)
-            record
-          end
-        end
-
-
         # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.5".freeze
+  VERSION = "3.5.6".freeze
 end

data/test/models/rememberable_test.rb

@@ -37,7 +37,7 @@ class RememberableTest < ActiveSupport::TestCase
     id, token, date = User.serialize_into_cookie(user)
     assert_equal id, user.to_key
     assert_equal token, user.authenticatable_salt
-    assert date.is_a?(Time)
+    assert date.is_a?(String)
   end
 
   test 'serialize from cookie' do
@@ -46,6 +46,18 @@ class RememberableTest < ActiveSupport::TestCase
     assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
   end
 
+  test 'serialize from cookie should accept a String with the datetime seconds and microseconds' do
+    user = create_user
+    user.remember_me!
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc.to_f.to_json)
+  end
+
+  test 'serialize from cookie should return nil with invalid datetime' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, "2013")
+  end
+
   test 'serialize from cookie should return nil if no resource is found' do
     assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 3.5.5
+  version: 3.5.6
 platform: ruby
 authors:
 - José Valim
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-22 00:00:00.000000000 Z
+date: 2016-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden
@@ -383,7 +383,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Flexible authentication solution for Rails with Warden