devise 4.7.1 → 4.8.0

data/app/views/devise/shared/_links.html.erb

@@ -20,6 +20,6 @@
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
-    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
+    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), method: :post %><br />
   <% end %>
 <% end %>

data/config/locales/en.yml

@@ -1,4 +1,4 @@
-# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
+# Additional translations at https://github.com/heartcombo/devise/wiki/I18n
 
 en:
   devise:
@@ -44,7 +44,7 @@ en:
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
       update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
       updated: "Your account has been updated successfully."
-      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again."
     sessions:
       signed_in: "Signed in successfully."
       signed_out: "Signed out successfully."

data/lib/devise.rb

@@ -71,7 +71,7 @@ module Devise
 
   # The number of times to hash the password.
   mattr_accessor :stretches
-  @@stretches = 11
+  @@stretches = 12
 
   # The default key used when authenticating over http auth.
   mattr_accessor :http_authentication_key
@@ -297,10 +297,6 @@ module Devise
   mattr_accessor :sign_in_after_change_password
   @@sign_in_after_change_password = true
 
-  def self.rails51? # :nodoc:
-    Rails.gem_version >= Gem::Version.new("5.1.x")
-  end
-
   def self.activerecord51? # :nodoc:
     defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
   end

data/lib/devise/controllers/helpers.rb

@@ -36,14 +36,14 @@ module Devise
         #     before_action ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
         #     current_blogger :user                             # Preferably returns a User if one is signed in
         #
-        def devise_group(group_name, opts={})
+        def devise_group(group_name, opts = {})
           mappings = "[#{ opts[:contains].map { |m| ":#{m}" }.join(',') }]"
 
           class_eval <<-METHODS, __FILE__, __LINE__ + 1
-            def authenticate_#{group_name}!(favourite=nil, opts={})
+            def authenticate_#{group_name}!(favorite = nil, opts = {})
               unless #{group_name}_signed_in?
                 mappings = #{mappings}
-                mappings.unshift mappings.delete(favourite.to_sym) if favourite
+                mappings.unshift mappings.delete(favorite.to_sym) if favorite
                 mappings.each do |mapping|
                   opts[:scope] = mapping
                   warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
@@ -57,9 +57,9 @@ module Devise
               end
             end
 
-            def current_#{group_name}(favourite=nil)
+            def current_#{group_name}(favorite = nil)
               mappings = #{mappings}
-              mappings.unshift mappings.delete(favourite.to_sym) if favourite
+              mappings.unshift mappings.delete(favorite.to_sym) if favorite
               mappings.each do |mapping|
                 current = warden.authenticate(scope: mapping)
                 return current if current
@@ -113,7 +113,7 @@ module Devise
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
-          def authenticate_#{mapping}!(opts={})
+          def authenticate_#{mapping}!(opts = {})
             opts[:scope] = :#{mapping}
             warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
           end
@@ -252,7 +252,7 @@ module Devise
       # Overwrite Rails' handle unverified request to sign out all scopes,
       # clear run strategies and remove cached variables.
       def handle_unverified_request
-        super # call the default behaviour which resets/nullifies/raises
+        super # call the default behavior which resets/nullifies/raises
         request.env["devise.skip_storage"] = true
         sign_out_all_scopes(false)
       end

data/lib/devise/controllers/sign_in_out.rb

@@ -10,7 +10,7 @@ module Devise
       # cause exceptions to be thrown from this method; if you simply want to check
       # if a scope has already previously been authenticated without running
       # authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
-      def signed_in?(scope=nil)
+      def signed_in?(scope = nil)
         [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)
         end
@@ -21,7 +21,7 @@ module Devise
       # to the set_user method in warden.
       # If you are using a custom warden strategy and the timeoutable module, you have to
       # set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
-      # in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
+      # in the sessions controller: https://github.com/heartcombo/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
       #
       # Examples:
       #
@@ -77,7 +77,7 @@ module Devise
       #   sign_out :user     # sign_out(scope)
       #   sign_out @user     # sign_out(resource)
       #
-      def sign_out(resource_or_scope=nil)
+      def sign_out(resource_or_scope = nil)
         return sign_out_all_scopes unless resource_or_scope
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         user = warden.user(scope: scope, run_callbacks: false) # If there is no user
@@ -92,7 +92,7 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
       # and false if there was no user logged in on all scopes.
-      def sign_out_all_scopes(lock=true)
+      def sign_out_all_scopes(lock = true)
         users = Devise.mappings.keys.map { |s| warden.user(scope: s, run_callbacks: false) }
 
         warden.logout
@@ -106,10 +106,12 @@ module Devise
       private
 
       def expire_data_after_sign_in!
+        # TODO: remove once Rails 5.2+ and forward are only supported.
         # session.keys will return an empty array if the session is not yet loaded.
         # This is a bug in both Rack and Rails.
         # A call to #empty? forces the session to be loaded.
         session.empty?
+
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
 

data/lib/devise/controllers/url_helpers.rb

@@ -34,7 +34,7 @@ module Devise
         end
       end
 
-      def self.generate_helpers!(routes=nil)
+      def self.generate_helpers!(routes = nil)
         routes ||= begin
           mappings = Devise.mappings.values.map(&:used_helpers).flatten.uniq
           Devise::URL_HELPERS.slice(*mappings)

data/lib/devise/failure_app.rb

@@ -71,7 +71,6 @@ module Devise
       end
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
-      # self.response = recall_app(warden_options[:recall]).call(env)
       self.response = recall_app(warden_options[:recall]).call(request.env)
     end
 
@@ -107,7 +106,7 @@ module Devise
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 
-        I18n.t(:"#{scope}.#{message}", options)
+        I18n.t(:"#{scope}.#{message}", **options)
       else
         message.to_s
       end
@@ -152,7 +151,7 @@ module Devise
 
       # We need to add the rootpath to `script_name` manually for applications that use a Rails
       # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
-      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      # that use Devise. Remove it when the support of Rails 5.0 is dropped.
       elsif root_path_defined?(context) && !rails_51_and_up?
         rootpath = context.routes.url_helpers.root_path
         opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1

data/lib/devise/hooks/lockable.rb

@@ -3,10 +3,7 @@
 # After each sign in, if resource responds to failed_attempts, sets it to 0
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    unless record.failed_attempts.to_i.zero?
-      record.failed_attempts = 0
-      record.save(validate: false)
-    end
+  if record.respond_to?(:reset_failed_attempts!) && warden.authenticated?(options[:scope])
+    record.reset_failed_attempts!
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -21,8 +21,8 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if record.timedout?(last_request_at) &&
-        !env['devise.skip_timeout'] &&
+    if !env['devise.skip_timeout'] &&
+        record.timedout?(last_request_at) &&
         !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
       throw :warden, scope: scope, message: :timeout

data/lib/devise/mapping.rb

@@ -46,7 +46,7 @@ module Devise
       raise "Could not find a valid mapping for #{obj.inspect}"
     end
 
-    def self.find_by_path!(path, path_type=:fullpath)
+    def self.find_by_path!(path, path_type = :fullpath)
       Devise.mappings.each_value { |m| return m if path.include?(m.send(path_type)) }
       raise "Could not find a valid mapping for path #{path.inspect}"
     end

data/lib/devise/models/authenticatable.rb

@@ -2,6 +2,7 @@
 
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
+require 'devise/rails/deprecated_constant_accessor'
 
 module Devise
   module Models
@@ -55,11 +56,14 @@ module Devise
     module Authenticatable
       extend ActiveSupport::Concern
 
-      BLACKLIST_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
+      UNSAFE_ATTRIBUTES_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
         :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
         :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
         :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
 
+      include Devise::DeprecatedConstantAccessor
+      deprecate_constant "BLACKLIST_FOR_SERIALIZATION", "Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION"
+
       included do
         class_attribute :devise_modules, instance_writer: false
         self.devise_modules ||= []
@@ -104,12 +108,12 @@ module Devise
       # given to :except will simply add names to exempt to Devise internal list.
       def serializable_hash(options = nil)
         options = options.try(:dup) || {}
-        options[:except] = Array(options[:except])
+        options[:except] = Array(options[:except]).dup
 
         if options[:force_except]
           options[:except].concat Array(options[:force_except])
         else
-          options[:except].concat BLACKLIST_FOR_SERIALIZATION
+          options[:except].concat UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
         end
 
         super(options)
@@ -152,7 +156,8 @@ module Devise
       #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
-      #         if new_record? || changed?
+      #         # For Rails < 6 use `changed?` instead of `saved_changes?`.
+      #         if new_record? || saved_changes?
       #           pending_devise_notifications << [notification, args]
       #         else
       #           render_and_send_devise_message(notification, *args)
@@ -271,17 +276,17 @@ module Devise
           find_first_by_auth_conditions(tainted_conditions)
         end
 
-        def find_first_by_auth_conditions(tainted_conditions, opts={})
+        def find_first_by_auth_conditions(tainted_conditions, opts = {})
           to_adapter.find_first(devise_parameter_filter.filter(tainted_conditions).merge(opts))
         end
 
         # Find or initialize a record setting an error if it can't be found.
-        def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
+        def find_or_initialize_with_error_by(attribute, value, error = :invalid) #:nodoc:
           find_or_initialize_with_errors([attribute], { attribute => value }, error)
         end
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
-        def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
+        def find_or_initialize_with_errors(required_attributes, attributes, error = :invalid) #:nodoc:
           attributes.try(:permit!)
           attributes = attributes.to_h.with_indifferent_access
                                  .slice(*required_attributes)

data/lib/devise/models/confirmable.rb

@@ -76,7 +76,7 @@ module Devise
       # Confirm a user by setting it's confirmed_at to actual time. If the user
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
-      def confirm(args={})
+      def confirm(args = {})
         pending_any_confirmation do
           if confirmation_period_expired?
             self.errors.add(:email, :confirmation_period_expired,
@@ -334,7 +334,7 @@ module Devise
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email
         # field. If no user is found, returns a new user with an email not found error.
         # Options must contain the user email
-        def send_confirmation_instructions(attributes={})
+        def send_confirmation_instructions(attributes = {})
           confirmable = find_by_unconfirmed_email_with_errors(attributes) if reconfirmable
           unless confirmable.try(:persisted?)
             confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)

data/lib/devise/models/database_authenticatable.rb

@@ -7,6 +7,10 @@ module Devise
     # Authenticatable Module, responsible for hashing the password and
     # validating the authenticity of a user while signing in.
     #
+    # This module defines a `password=` method. This method will hash the argument
+    # and store it in the `encrypted_password` column, bypassing any pre-existing
+    # `password` column if it exists.
+    #
     # == Options
     #
     # DatabaseAuthenticatable adds the following options to devise_for:
@@ -195,7 +199,7 @@ module Devise
       # Hashes the password using bcrypt. Custom hash functions should override
       # this method to apply their own algorithm.
       #
-      # See https://github.com/plataformatec/devise-encryptable for examples
+      # See https://github.com/heartcombo/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
         Devise::Encryptor.digest(self.class, password)

data/lib/devise/models/lockable.rb

@@ -57,6 +57,14 @@ module Devise
         save(validate: false)
       end
 
+      # Resets failed attempts counter to 0.
+      def reset_failed_attempts!
+        if respond_to?(:failed_attempts) && !failed_attempts.to_i.zero?
+          self.failed_attempts = 0
+          save(validate: false)
+        end
+      end
+
       # Verifies whether a user is locked or not.
       def access_locked?
         !!locked_at && !lock_expired?
@@ -110,7 +118,7 @@ module Devise
           false
         end
       end
-      
+
       def increment_failed_attempts
         self.class.increment_counter(:failed_attempts, id)
         reload
@@ -168,7 +176,7 @@ module Devise
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user's unlock keys
-        def send_unlock_instructions(attributes={})
+        def send_unlock_instructions(attributes = {})
           lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
           lockable.resend_unlock_instructions if lockable.persisted?
           lockable

data/lib/devise/models/recoverable.rb

@@ -131,7 +131,7 @@ module Devise
         # password instructions to it. If user is not found, returns a new user
         # with an email not found error.
         # Attributes must contain the user's email
-        def send_reset_password_instructions(attributes={})
+        def send_reset_password_instructions(attributes = {})
           recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
@@ -142,7 +142,7 @@ module Devise
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password_by_token(attributes={})
+        def reset_password_by_token(attributes = {})
           original_token       = attributes[:reset_password_token]
           reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
 

data/lib/devise/models/rememberable.rb

@@ -102,7 +102,7 @@ module Devise
 
       def remember_me?(token, generated_at)
         # TODO: Normalize the JSON type coercion along with the Timeoutable hook
-        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        # in a single place https://github.com/heartcombo/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
         if generated_at.is_a?(String)
           generated_at = time_from_json(generated_at)
         end

data/lib/devise/models/trackable.rb

@@ -33,7 +33,7 @@ module Devise
       def update_tracked_fields!(request)
         # We have to check if the user is already persisted before running
         # `save` here because invalid users can be saved if we don't.
-        # See https://github.com/plataformatec/devise/issues/4673 for more details.
+        # See https://github.com/heartcombo/devise/issues/4673 for more details.
         return if new_record?
 
         update_tracked_fields(request)

data/lib/devise/omniauth.rb

@@ -1,17 +1,14 @@
 # frozen_string_literal: true
 
 begin
+  gem "omniauth", ">= 1.0.0"
+
   require "omniauth"
-  require "omniauth/version"
 rescue LoadError
   warn "Could not load 'omniauth'. Please ensure you have the omniauth gem >= 1.0.0 installed and listed in your Gemfile."
   raise
 end
 
-unless OmniAuth::VERSION =~ /^1\./
-  raise "You are using an old OmniAuth version, please ensure you have 1.0.0.pr2 version or later installed."
-end
-
 # Clean up the default path_prefix. It will be automatically set by Devise.
 OmniAuth.config.path_prefix = nil
 

data/lib/devise/rails/deprecated_constant_accessor.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+begin
+  require 'active_support/deprecation/constant_accessor'
+
+  module Devise
+    DeprecatedConstantAccessor = ActiveSupport::Deprecation::DeprecatedConstantAccessor #:nodoc:
+  end
+rescue LoadError
+
+  # Copy of constant deprecation module from Rails / Active Support version 6, so we can use it
+  # with Rails <= 5.0 versions. This can be removed once we support only Rails 5.1 or greater.
+  module Devise
+    module DeprecatedConstantAccessor #:nodoc:
+      def self.included(base)
+        require "active_support/inflector/methods"
+
+        extension = Module.new do
+          def const_missing(missing_const_name)
+            if class_variable_defined?(:@@_deprecated_constants)
+              if (replacement = class_variable_get(:@@_deprecated_constants)[missing_const_name.to_s])
+                replacement[:deprecator].warn(replacement[:message] || "#{name}::#{missing_const_name} is deprecated! Use #{replacement[:new]} instead.", Rails::VERSION::MAJOR == 4 ? caller : caller_locations)
+                return ActiveSupport::Inflector.constantize(replacement[:new].to_s)
+              end
+            end
+            super
+          end
+
+          def deprecate_constant(const_name, new_constant, message: nil, deprecator: ActiveSupport::Deprecation.instance)
+            class_variable_set(:@@_deprecated_constants, {}) unless class_variable_defined?(:@@_deprecated_constants)
+            class_variable_get(:@@_deprecated_constants)[const_name.to_s] = { new: new_constant, message: message, deprecator: deprecator }
+          end
+        end
+        base.singleton_class.prepend extension
+      end
+    end
+  end
+
+end