devise 4.6.1 → 4.8.0

data/app/mailers/devise/mailer.rb

@@ -4,26 +4,26 @@ if defined?(ActionMailer)
   class Devise::Mailer < Devise.parent_mailer.constantize
     include Devise::Mailers::Helpers
 
-    def confirmation_instructions(record, token, opts={})
+    def confirmation_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :confirmation_instructions, opts)
     end
 
-    def reset_password_instructions(record, token, opts={})
+    def reset_password_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :reset_password_instructions, opts)
     end
 
-    def unlock_instructions(record, token, opts={})
+    def unlock_instructions(record, token, opts = {})
       @token = token
       devise_mail(record, :unlock_instructions, opts)
     end
 
-    def email_changed(record, opts={})
+    def email_changed(record, opts = {})
       devise_mail(record, :email_changed, opts)
     end
 
-    def password_change(record, opts={})
+    def password_change(record, opts = {})
       devise_mail(record, :password_change, opts)
     end
   end

data/app/views/devise/passwords/edit.html.erb

@@ -14,7 +14,7 @@
 
   <div class="field">
     <%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

data/app/views/devise/shared/_links.html.erb

@@ -20,6 +20,6 @@
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
-    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
+    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), method: :post %><br />
   <% end %>
 <% end %>

data/config/locales/en.yml

@@ -1,4 +1,4 @@
-# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
+# Additional translations at https://github.com/heartcombo/devise/wiki/I18n
 
 en:
   devise:
@@ -42,9 +42,9 @@ en:
       signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
       signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
       updated: "Your account has been updated successfully."
-      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again."
     sessions:
       signed_in: "Signed in successfully."
       signed_out: "Signed out successfully."

data/lib/devise.rb

@@ -71,7 +71,7 @@ module Devise
 
   # The number of times to hash the password.
   mattr_accessor :stretches
-  @@stretches = 11
+  @@stretches = 12
 
   # The default key used when authenticating over http auth.
   mattr_accessor :http_authentication_key
@@ -297,10 +297,6 @@ module Devise
   mattr_accessor :sign_in_after_change_password
   @@sign_in_after_change_password = true
 
-  def self.rails51? # :nodoc:
-    Rails.gem_version >= Gem::Version.new("5.1.x")
-  end
-
   def self.activerecord51? # :nodoc:
     defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
   end

data/lib/devise/controllers/helpers.rb

@@ -36,14 +36,14 @@ module Devise
         #     before_action ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
         #     current_blogger :user                             # Preferably returns a User if one is signed in
         #
-        def devise_group(group_name, opts={})
+        def devise_group(group_name, opts = {})
           mappings = "[#{ opts[:contains].map { |m| ":#{m}" }.join(',') }]"
 
           class_eval <<-METHODS, __FILE__, __LINE__ + 1
-            def authenticate_#{group_name}!(favourite=nil, opts={})
+            def authenticate_#{group_name}!(favorite = nil, opts = {})
               unless #{group_name}_signed_in?
                 mappings = #{mappings}
-                mappings.unshift mappings.delete(favourite.to_sym) if favourite
+                mappings.unshift mappings.delete(favorite.to_sym) if favorite
                 mappings.each do |mapping|
                   opts[:scope] = mapping
                   warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
@@ -57,9 +57,9 @@ module Devise
               end
             end
 
-            def current_#{group_name}(favourite=nil)
+            def current_#{group_name}(favorite = nil)
               mappings = #{mappings}
-              mappings.unshift mappings.delete(favourite.to_sym) if favourite
+              mappings.unshift mappings.delete(favorite.to_sym) if favorite
               mappings.each do |mapping|
                 current = warden.authenticate(scope: mapping)
                 return current if current
@@ -113,7 +113,7 @@ module Devise
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
-          def authenticate_#{mapping}!(opts={})
+          def authenticate_#{mapping}!(opts = {})
             opts[:scope] = :#{mapping}
             warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
           end
@@ -252,7 +252,7 @@ module Devise
       # Overwrite Rails' handle unverified request to sign out all scopes,
       # clear run strategies and remove cached variables.
       def handle_unverified_request
-        super # call the default behaviour which resets/nullifies/raises
+        super # call the default behavior which resets/nullifies/raises
         request.env["devise.skip_storage"] = true
         sign_out_all_scopes(false)
       end

data/lib/devise/controllers/sign_in_out.rb

@@ -10,7 +10,7 @@ module Devise
       # cause exceptions to be thrown from this method; if you simply want to check
       # if a scope has already previously been authenticated without running
       # authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
-      def signed_in?(scope=nil)
+      def signed_in?(scope = nil)
         [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)
         end
@@ -21,7 +21,7 @@ module Devise
       # to the set_user method in warden.
       # If you are using a custom warden strategy and the timeoutable module, you have to
       # set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
-      # in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
+      # in the sessions controller: https://github.com/heartcombo/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
       #
       # Examples:
       #
@@ -77,7 +77,7 @@ module Devise
       #   sign_out :user     # sign_out(scope)
       #   sign_out @user     # sign_out(resource)
       #
-      def sign_out(resource_or_scope=nil)
+      def sign_out(resource_or_scope = nil)
         return sign_out_all_scopes unless resource_or_scope
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         user = warden.user(scope: scope, run_callbacks: false) # If there is no user
@@ -92,7 +92,7 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
       # and false if there was no user logged in on all scopes.
-      def sign_out_all_scopes(lock=true)
+      def sign_out_all_scopes(lock = true)
         users = Devise.mappings.keys.map { |s| warden.user(scope: s, run_callbacks: false) }
 
         warden.logout
@@ -106,10 +106,12 @@ module Devise
       private
 
       def expire_data_after_sign_in!
+        # TODO: remove once Rails 5.2+ and forward are only supported.
         # session.keys will return an empty array if the session is not yet loaded.
         # This is a bug in both Rack and Rails.
         # A call to #empty? forces the session to be loaded.
         session.empty?
+
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
 

data/lib/devise/controllers/url_helpers.rb

@@ -34,7 +34,7 @@ module Devise
         end
       end
 
-      def self.generate_helpers!(routes=nil)
+      def self.generate_helpers!(routes = nil)
         routes ||= begin
           mappings = Devise.mappings.values.map(&:used_helpers).flatten.uniq
           Devise::URL_HELPERS.slice(*mappings)

data/lib/devise/failure_app.rb

@@ -71,7 +71,6 @@ module Devise
       end
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
-      # self.response = recall_app(warden_options[:recall]).call(env)
       self.response = recall_app(warden_options[:recall]).call(request.env)
     end
 
@@ -107,7 +106,7 @@ module Devise
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 
-        I18n.t(:"#{scope}.#{message}", options)
+        I18n.t(:"#{scope}.#{message}", **options)
       else
         message.to_s
       end
@@ -152,8 +151,8 @@ module Devise
 
       # We need to add the rootpath to `script_name` manually for applications that use a Rails
       # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
-      # that use Devise. Remove it when the support of Rails 5.0 is droped.
-      elsif root_path_defined?(context) && rails_5_and_down?
+      # that use Devise. Remove it when the support of Rails 5.0 is dropped.
+      elsif root_path_defined?(context) && !rails_51_and_up?
         rootpath = context.routes.url_helpers.root_path
         opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
       end
@@ -278,14 +277,8 @@ module Devise
       defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
     end
 
-    def rails_5_and_down?
-      return false if rails_5_up?
-
-      Rails::VERSION::MAJOR >= 4
-    end
-
-    def rails_5_up?
-      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    def rails_51_and_up?
+      Rails.gem_version >= Gem::Version.new("5.1")
     end
   end
 end

data/lib/devise/hooks/lockable.rb

@@ -3,10 +3,7 @@
 # After each sign in, if resource responds to failed_attempts, sets it to 0
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    unless record.failed_attempts.to_i.zero?
-      record.failed_attempts = 0
-      record.save(validate: false)
-    end
+  if record.respond_to?(:reset_failed_attempts!) && warden.authenticated?(options[:scope])
+    record.reset_failed_attempts!
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -21,8 +21,8 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if record.timedout?(last_request_at) &&
-        !env['devise.skip_timeout'] &&
+    if !env['devise.skip_timeout'] &&
+        record.timedout?(last_request_at) &&
         !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
       throw :warden, scope: scope, message: :timeout

data/lib/devise/mapping.rb

@@ -46,7 +46,7 @@ module Devise
       raise "Could not find a valid mapping for #{obj.inspect}"
     end
 
-    def self.find_by_path!(path, path_type=:fullpath)
+    def self.find_by_path!(path, path_type = :fullpath)
       Devise.mappings.each_value { |m| return m if path.include?(m.send(path_type)) }
       raise "Could not find a valid mapping for path #{path.inspect}"
     end

data/lib/devise/models/authenticatable.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
+require 'devise/rails/deprecated_constant_accessor'
 
 module Devise
   module Models
@@ -56,11 +56,14 @@ module Devise
     module Authenticatable
       extend ActiveSupport::Concern
 
-      BLACKLIST_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
+      UNSAFE_ATTRIBUTES_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
         :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
         :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
         :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
 
+      include Devise::DeprecatedConstantAccessor
+      deprecate_constant "BLACKLIST_FOR_SERIALIZATION", "Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION"
+
       included do
         class_attribute :devise_modules, instance_writer: false
         self.devise_modules ||= []
@@ -105,12 +108,12 @@ module Devise
       # given to :except will simply add names to exempt to Devise internal list.
       def serializable_hash(options = nil)
         options = options.try(:dup) || {}
-        options[:except] = Array(options[:except])
+        options[:except] = Array(options[:except]).dup
 
         if options[:force_except]
           options[:except].concat Array(options[:force_except])
         else
-          options[:except].concat BLACKLIST_FOR_SERIALIZATION
+          options[:except].concat UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
         end
 
         super(options)
@@ -153,7 +156,8 @@ module Devise
       #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
-      #         if new_record? || changed?
+      #         # For Rails < 6 use `changed?` instead of `saved_changes?`.
+      #         if new_record? || saved_changes?
       #           pending_devise_notifications << [notification, args]
       #         else
       #           render_and_send_devise_message(notification, *args)
@@ -272,17 +276,17 @@ module Devise
           find_first_by_auth_conditions(tainted_conditions)
         end
 
-        def find_first_by_auth_conditions(tainted_conditions, opts={})
+        def find_first_by_auth_conditions(tainted_conditions, opts = {})
           to_adapter.find_first(devise_parameter_filter.filter(tainted_conditions).merge(opts))
         end
 
         # Find or initialize a record setting an error if it can't be found.
-        def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
+        def find_or_initialize_with_error_by(attribute, value, error = :invalid) #:nodoc:
           find_or_initialize_with_errors([attribute], { attribute => value }, error)
         end
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
-        def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
+        def find_or_initialize_with_errors(required_attributes, attributes, error = :invalid) #:nodoc:
           attributes.try(:permit!)
           attributes = attributes.to_h.with_indifferent_access
                                  .slice(*required_attributes)

data/lib/devise/models/confirmable.rb

@@ -76,7 +76,7 @@ module Devise
       # Confirm a user by setting it's confirmed_at to actual time. If the user
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
-      def confirm(args={})
+      def confirm(args = {})
         pending_any_confirmation do
           if confirmation_period_expired?
             self.errors.add(:email, :confirmation_period_expired,
@@ -334,7 +334,7 @@ module Devise
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email
         # field. If no user is found, returns a new user with an email not found error.
         # Options must contain the user email
-        def send_confirmation_instructions(attributes={})
+        def send_confirmation_instructions(attributes = {})
           confirmable = find_by_unconfirmed_email_with_errors(attributes) if reconfirmable
           unless confirmable.try(:persisted?)
             confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
@@ -348,7 +348,19 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
+          # When the `confirmation_token` parameter is blank, if there are any users with a blank
+          # `confirmation_token` in the database, the first one would be confirmed here.
+          # The error is being manually added here to ensure no users are confirmed by mistake.
+          # This was done in the model for convenience, since validation errors are automatically
+          # displayed in the view.
+          if confirmation_token.blank?
+            confirmable = new
+            confirmable.errors.add(:confirmation_token, :blank)
+            return confirmable
+          end
+
           confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+
           unless confirmable
             confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
             confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)

data/lib/devise/models/database_authenticatable.rb

@@ -7,6 +7,10 @@ module Devise
     # Authenticatable Module, responsible for hashing the password and
     # validating the authenticity of a user while signing in.
     #
+    # This module defines a `password=` method. This method will hash the argument
+    # and store it in the `encrypted_password` column, bypassing any pre-existing
+    # `password` column if it exists.
+    #
     # == Options
     #
     # DatabaseAuthenticatable adds the following options to devise_for:
@@ -60,7 +64,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) 
+        self.encrypted_password = password_digest(@password) if @password.present?
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -70,7 +74,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        @password = @password_confirmation = nil
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -195,10 +199,9 @@ module Devise
       # Hashes the password using bcrypt. Custom hash functions should override
       # this method to apply their own algorithm.
       #
-      # See https://github.com/plataformatec/devise-encryptable for examples
+      # See https://github.com/heartcombo/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
-        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 

data/lib/devise/models/lockable.rb

@@ -57,6 +57,14 @@ module Devise
         save(validate: false)
       end
 
+      # Resets failed attempts counter to 0.
+      def reset_failed_attempts!
+        if respond_to?(:failed_attempts) && !failed_attempts.to_i.zero?
+          self.failed_attempts = 0
+          save(validate: false)
+        end
+      end
+
       # Verifies whether a user is locked or not.
       def access_locked?
         !!locked_at && !lock_expired?
@@ -110,7 +118,7 @@ module Devise
           false
         end
       end
-      
+
       def increment_failed_attempts
         self.class.increment_counter(:failed_attempts, id)
         reload
@@ -168,7 +176,7 @@ module Devise
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user's unlock keys
-        def send_unlock_instructions(attributes={})
+        def send_unlock_instructions(attributes = {})
           lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
           lockable.resend_unlock_instructions if lockable.persisted?
           lockable