devise 4.9.4 → 5.0.0.rc

data/lib/devise/failure_app.rb

@@ -77,9 +77,9 @@ module Devise
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(request.env).tap { |response|
-        response[0] = Rack::Utils.status_code(
-          response[0].in?(300..399) ? Devise.responder.redirect_status : Devise.responder.error_status
-        )
+        status = response[0].in?(300..399) ? Devise.responder.redirect_status : Devise.responder.error_status
+        # Avoid warnings translating status to code using Rails if available (e.g. `unprocessable_entity` => `unprocessable_content`)
+        response[0] = ActionDispatch::Response.try(:rack_status_code, status) || Rack::Utils.status_code(status)
       }
     end
 
@@ -111,11 +111,16 @@ module Devise
         options[:scope] = "devise.failure"
         options[:default] = [message]
         auth_keys = scope_class.authentication_keys
-        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
-        options[:authentication_keys] = keys.join(I18n.t(:"support.array.words_connector"))
+        human_keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key|
+          scope_class.human_attribute_name(key).downcase
+        }
+        options[:authentication_keys] = human_keys.join(I18n.t(:"support.array.words_connector"))
         options = i18n_options(options)
 
-        I18n.t(:"#{scope}.#{message}", **options)
+        I18n.t(:"#{scope}.#{message}", **options).then { |msg|
+          # Ensure that auth keys at the start of the translated string are properly cased.
+          msg.start_with?(human_keys.first) ? msg.upcase_first : msg
+        }
       else
         message.to_s
       end
@@ -149,7 +154,7 @@ module Devise
       opts  = {}
 
       # Initialize script_name with nil to prevent infinite loops in
-      # authenticated mounted engines in rails 4.2 and 5.0
+      # authenticated mounted engines
       opts[:script_name] = nil
 
       route = route(scope)
@@ -161,13 +166,6 @@ module Devise
 
       if relative_url_root?
         opts[:script_name] = relative_url_root
-
-      # We need to add the rootpath to `script_name` manually for applications that use a Rails
-      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
-      # that use Devise. Remove it when the support of Rails 5.0 is dropped.
-      elsif root_path_defined?(context) && !rails_51_and_up?
-        rootpath = context.routes.url_helpers.root_path
-        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
       end
 
       if context.respond_to?(route)
@@ -283,15 +281,5 @@ module Devise
     end
 
     ActiveSupport.run_load_hooks(:devise_failure_app, self)
-
-    private
-
-    def root_path_defined?(context)
-      defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
-    end
-
-    def rails_51_and_up?
-      Rails.gem_version >= Gem::Version.new("5.1")
-    end
   end
 end

data/lib/devise/hooks/activatable.rb

@@ -7,6 +7,6 @@ Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
     scope = options[:scope]
     warden.logout(scope)
-    throw :warden, scope: scope, message: record.inactive_message
+    throw :warden, scope: scope, message: record.inactive_message, locale: options.fetch(:locale, I18n.locale)
   end
 end

data/lib/devise/hooks/timeoutable.rb

@@ -25,7 +25,7 @@ Warden::Manager.after_set_user do |record, warden, options|
         record.timedout?(last_request_at) &&
         !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
-      throw :warden, scope: scope, message: :timeout
+      throw :warden, scope: scope, message: :timeout, locale: options.fetch(:locale, I18n.locale)
     end
 
     unless env['devise.skip_trackable']

data/lib/devise/mailers/helpers.rb

@@ -33,28 +33,22 @@ module Devise
           subject: subject_for(action),
           to: resource.email,
           from: mailer_sender(devise_mapping),
-          reply_to: mailer_reply_to(devise_mapping),
+          reply_to: mailer_sender(devise_mapping),
           template_path: template_paths,
           template_name: action
-        }.merge(opts)
+        }
+        # Give priority to the mailer's default if they exists.
+        headers.delete(:from) if default_params[:from]
+        headers.delete(:reply_to) if default_params[:reply_to]
+
+        headers.merge!(opts)
 
         @email = headers[:to]
         headers
       end
 
-      def mailer_reply_to(mapping)
-        mailer_sender(mapping, :reply_to)
-      end
-
-      def mailer_from(mapping)
-        mailer_sender(mapping, :from)
-      end
-
-      def mailer_sender(mapping, sender = :from)
-        default_sender = default_params[sender]
-        if default_sender.present?
-          default_sender.respond_to?(:to_proc) ? instance_eval(&default_sender) : default_sender
-        elsif Devise.mailer_sender.is_a?(Proc)
+      def mailer_sender(mapping)
+        if Devise.mailer_sender.is_a?(Proc)
           Devise.mailer_sender.call(mapping.name)
         else
           Devise.mailer_sender

data/lib/devise/mapping.rb

@@ -30,7 +30,7 @@ module Devise
 
     alias :name :singular
 
-    # Receives an object and find a scope for it. If a scope cannot be found,
+    # Receives an object and finds a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(obj)
       obj = obj.devise_scope if obj.respond_to?(:devise_scope)

data/lib/devise/models/authenticatable.rb

@@ -2,7 +2,6 @@
 
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
-require 'devise/rails/deprecated_constant_accessor'
 
 module Devise
   module Models
@@ -61,9 +60,6 @@ module Devise
         :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
         :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
 
-      include Devise::DeprecatedConstantAccessor
-      deprecate_constant "BLACKLIST_FOR_SERIALIZATION", "Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION", deprecator: Devise.deprecator
-
       included do
         class_attribute :devise_modules, instance_writer: false
         self.devise_modules ||= []
@@ -187,11 +183,8 @@ module Devise
       #         # Deliver later with Active Job's `deliver_later`
       #         if message.respond_to?(:deliver_later)
       #           message.deliver_later
-      #         # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
-      #         elsif message.respond_to?(:deliver_now)
-      #           message.deliver_now
       #         else
-      #           message.deliver
+      #           message.deliver_now
       #         end
       #       end
       #
@@ -199,12 +192,7 @@ module Devise
       #
       def send_devise_notification(notification, *args)
         message = devise_mailer.send(notification, self, *args)
-        # Remove once we move to Rails 4.2+ only.
-        if message.respond_to?(:deliver_now)
-          message.deliver_now
-        else
-          message.deliver
-        end
+        message.deliver_now
       end
 
       def downcase_keys

data/lib/devise/models/database_authenticatable.rb

@@ -84,16 +84,7 @@ module Devise
       # users to change relevant information like the e-mail without changing
       # their password). In case the password field is rejected, the confirmation
       # is also rejected as long as it is also blank.
-      def update_with_password(params, *options)
-        if options.present?
-          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
-            (`options`) is deprecated and it will be removed in the next major version.
-            It was added to support a feature deprecated in Rails 4, so you can safely remove it
-            from your code.
-          DEPRECATION
-        end
-
+      def update_with_password(params)
         current_password = params.delete(:current_password)
 
         if params[:password].blank?
@@ -102,9 +93,9 @@ module Devise
         end
 
         result = if valid_password?(current_password)
-          update(params, *options)
+          update(params)
         else
-          assign_attributes(params, *options)
+          assign_attributes(params)
           valid?
           errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
@@ -121,25 +112,16 @@ module Devise
       #
       # Example:
       #
-      #   def update_without_password(params, *options)
+      #   def update_without_password(params)
       #     params.delete(:email)
       #     super(params)
       #   end
       #
-      def update_without_password(params, *options)
-        if options.present?
-          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
-            (`options`) is deprecated and it will be removed in the next major version.
-            It was added to support a feature deprecated in Rails 4, so you can safely remove it
-            from your code.
-          DEPRECATION
-        end
-
+      def update_without_password(params)
         params.delete(:password)
         params.delete(:password_confirmation)
 
-        result = update(params, *options)
+        result = update(params)
         clean_up_passwords
         result
       end

data/lib/devise/models/lockable.rb

@@ -84,7 +84,7 @@ module Devise
         if_access_locked { send_unlock_instructions }
       end
 
-      # Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes
+      # Overwrites active_for_authentication? from Devise::Models::Authenticatable for locking purposes
       # by verifying whether a user is active to sign in or not based on locked?
       def active_for_authentication?
         super && !access_locked?

data/lib/devise/models/validatable.rb

@@ -14,6 +14,8 @@ module Devise
     #   * +email_regexp+: the regular expression used to validate e-mails;
     #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
+    # Since +password_length+ is applied in a proc within `validates_length_of` it can be overridden
+    # at runtime.
     module Validatable
       # All validations used by this module.
       VALIDATIONS = [:validates_presence_of, :validates_uniqueness_of, :validates_format_of,
@@ -34,7 +36,7 @@ module Devise
 
           validates_presence_of     :password, if: :password_required?
           validates_confirmation_of :password, if: :password_required?
-          validates_length_of       :password, within: password_length, allow_blank: true
+          validates_length_of       :password, minimum: proc { password_length.min }, maximum: proc { password_length.max }, allow_blank: true
         end
       end
 

data/lib/devise/orm.rb

@@ -1,22 +1,20 @@
+# frozen_string_literal: true
+
 module Devise
   module Orm # :nodoc:
     def self.active_record?(model)
       defined?(ActiveRecord) && model < ActiveRecord::Base
     end
 
-    def self.active_record_51?(model)
-      active_record?(model) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
-    end
-
     def self.included(model)
-      if Devise::Orm.active_record_51?(model)
-        model.include DirtyTrackingNewMethods
+      if Devise::Orm.active_record?(model)
+        model.include DirtyTrackingActiveRecordMethods
       else
-        model.include DirtyTrackingOldMethods
+        model.include DirtyTrackingMongoidMethods
       end
     end
 
-    module DirtyTrackingNewMethods
+    module DirtyTrackingActiveRecordMethods
       def devise_email_before_last_save
         email_before_last_save
       end
@@ -42,9 +40,9 @@ module Devise
       end
     end
 
-    module DirtyTrackingOldMethods
+    module DirtyTrackingMongoidMethods
       def devise_email_before_last_save
-        email_was
+        respond_to?(:email_previously_was) ? email_previously_was : email_was
       end
 
       def devise_email_in_database
@@ -52,11 +50,11 @@ module Devise
       end
 
       def devise_saved_change_to_email?
-        email_changed?
+        respond_to?(:email_previously_changed?) ? email_previously_changed? : email_changed?
       end
 
       def devise_saved_change_to_encrypted_password?
-        encrypted_password_changed?
+        respond_to?(:encrypted_password_previously_changed?) ? encrypted_password_previously_changed? : encrypted_password_changed?
       end
 
       def devise_will_save_change_to_email?

data/lib/devise/parameter_sanitizer.rb

@@ -130,8 +130,7 @@ module Devise
     #
     # Returns an +ActiveSupport::HashWithIndifferentAccess+.
     def cast_to_hash(params)
-      # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
-      params && params.to_h.with_indifferent_access
+      params && params.to_h
     end
 
     def default_params

data/lib/devise/rails/routes.rb

@@ -235,7 +235,6 @@ module ActionDispatch::Routing
       options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
       options[:defaults]      = (@scope[:defaults] || {}).merge(options[:defaults] || {})
       options[:options]       = @scope[:options] || {}
-      options[:options][:format] = false if options[:format] == false
 
       resources.map!(&:to_sym)
 
@@ -413,7 +412,7 @@ module ActionDispatch::Routing
           controller: controllers[:registrations]
         }
 
-        resource :registration, options do
+        resource :registration, **options do
           get :cancel
         end
       end
@@ -447,7 +446,7 @@ ERROR
           match "#{path_prefix}/#{provider}",
             to: "#{controllers[:omniauth_callbacks]}#passthru",
             as: "#{provider}_omniauth_authorize",
-            via: [:get, :post]
+            via: OmniAuth.config.allowed_request_methods
 
           match "#{path_prefix}/#{provider}/callback",
             to: "#{controllers[:omniauth_callbacks]}##{provider}",
@@ -462,7 +461,7 @@ ERROR
         current_scope = @scope.dup
 
         exclusive = { as: new_as, path: new_path, module: nil }
-        exclusive.merge!(options.slice(:constraints, :defaults, :options))
+        exclusive.merge!(options.slice(:constraints, :format, :defaults, :options))
 
         if @scope.respond_to? :new
           @scope = @scope.new exclusive

data/lib/devise/rails.rb

@@ -38,7 +38,7 @@ module Devise
     end
 
     initializer "devise.secret_key" do |app|
-      Devise.secret_key ||= Devise::SecretKeyFinder.new(app).find
+      Devise.secret_key ||= app.secret_key_base
 
       Devise.token_generator ||=
         if secret_key = Devise.secret_key
@@ -47,5 +47,11 @@ module Devise
           )
         end
     end
+
+    initializer "devise.configure_zeitwerk" do
+      if Rails.autoloaders.zeitwerk_enabled? && !defined?(ActionMailer)
+        Rails.autoloaders.main.ignore("#{root}/app/mailers/devise/mailer.rb")
+      end
+    end
   end
 end

data/lib/devise/test/controller_helpers.rb

@@ -64,17 +64,7 @@ module Devise
       #
       # sign_in users(:alice)
       # sign_in users(:alice), scope: :admin
-      def sign_in(resource, deprecated = nil, scope: nil)
-        if deprecated.present?
-          scope = resource
-          resource = deprecated
-
-          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-            [Devise] sign_in(:#{scope}, resource) on controller tests is deprecated and will be removed from Devise.
-            Please use sign_in(resource, scope: :#{scope}) instead.
-          DEPRECATION
-        end
-
+      def sign_in(resource, scope: nil)
         scope ||= Devise::Mapping.find_scope!(resource)
 
         warden.instance_variable_get(:@users).delete(scope)
@@ -141,7 +131,6 @@ module Devise
 
           status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
           @controller.response.headers.merge!(headers)
-          @controller.response.content_type = headers["Content-Type"] unless Rails::VERSION::MAJOR >= 5
           @controller.status = status
           @controller.response_body = response.body
           nil # causes process return @response

data/lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.9.4".freeze
+  VERSION = "5.0.0.rc".freeze
 end

data/lib/devise.rb

@@ -16,10 +16,8 @@ module Devise
   autoload :Orm,                'devise/orm'
   autoload :ParameterFilter,    'devise/parameter_filter'
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
-  autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
   autoload :TokenGenerator,     'devise/token_generator'
-  autoload :SecretKeyFinder,    'devise/secret_key_finder'
 
   module Controllers
     autoload :Helpers,        'devise/controllers/helpers'
@@ -61,7 +59,7 @@ module Devise
   NO_INPUT = []
 
   # True values used to check params
-  TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
+  TRUE_VALUES = [true, 1, '1', 'on', 'ON', 't', 'T', 'true', 'TRUE']
 
   # Secret key used by the key generator
   mattr_accessor :secret_key
@@ -275,8 +273,14 @@ module Devise
   # PRIVATE CONFIGURATION
 
   # Store scopes mappings.
-  mattr_reader :mappings
   @@mappings = {}
+  def self.mappings
+    # Starting from Rails 8.0, routes are lazy-loaded by default in test and development environments.
+    # However, Devise's mappings are built during the routes loading phase.
+    # To ensure it works correctly, we need to load the routes first before accessing @@mappings.
+    Rails.application.try(:reload_routes_unless_loaded)
+    @@mappings
+  end
 
   # OmniAuth configurations.
   mattr_reader :omniauth_configs
@@ -441,9 +445,9 @@ module Devise
   #  Devise.setup do |config|
   #    config.allow_unconfirmed_access_for = 2.days
   #
-  #    config.warden do |manager|
+  #    config.warden do |warden_config|
   #      # Configure warden to use other strategies, like oauth.
-  #      manager.oauth(:twitter)
+  #      warden_config.oauth(:twitter)
   #    end
   #  end
   def self.warden(&block)
@@ -513,25 +517,13 @@ module Devise
 
   # constant-time comparison algorithm to prevent timing attacks
   def self.secure_compare(a, b)
-    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
-    l = a.unpack "C#{a.bytesize}"
-
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
+    return false if a.nil? || b.nil?
+    ActiveSupport::SecurityUtils.secure_compare(a, b)
   end
 
   def self.deprecator
     @deprecator ||= ActiveSupport::Deprecation.new("5.0", "Devise")
   end
-
-  def self.activerecord51? # :nodoc:
-    deprecator.warn <<-DEPRECATION.strip_heredoc
-      [Devise] `Devise.activerecord51?` is deprecated and will be removed in the next major version.
-      It is a non-public method that's no longer used internally, but that other libraries have been relying on.
-    DEPRECATION
-    defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
-  end
 end
 
 require 'warden'

data/lib/generators/active_record/devise_generator.rb

@@ -5,7 +5,7 @@ require 'generators/devise/orm_helpers'
 
 module ActiveRecord
   module Generators
-    class DeviseGenerator < ActiveRecord::Generators::Base
+    class DeviseGenerator < Base
       argument :attributes, type: :array, default: [], banner: "field:type field:type"
 
       class_option :primary_key_type, type: :string, desc: "The type for primary key"
@@ -82,10 +82,6 @@ RUBY
         postgresql?
       end
 
-      def rails5_and_up?
-        Rails::VERSION::MAJOR >= 5
-      end
-
       def rails61_and_up?
         Rails::VERSION::MAJOR > 6 || (Rails::VERSION::MAJOR == 6 && Rails::VERSION::MINOR >= 1)
       end
@@ -106,14 +102,12 @@ RUBY
         end
       end
 
-     def migration_version
-       if rails5_and_up?
-         "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
-       end
-     end
+      def migration_version
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+      end
 
      def primary_key_type
-       primary_key_string if rails5_and_up?
+       primary_key_string
      end
 
      def primary_key_string

data/lib/generators/devise/controllers_generator.rb

@@ -11,7 +11,7 @@ module Devise
         Create inherited Devise controllers in your app/controllers folder.
 
         Use -c to specify which controller you want to overwrite.
-        If you do no specify a controller, all controllers will be created.
+        If you do not specify a controller, all controllers will be created.
         For example:
 
           rails generate devise:controllers users -c=sessions

data/lib/generators/templates/devise.rb

@@ -157,6 +157,9 @@ Devise.setup do |config|
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed, new email is stored in
   # unconfirmed_email column, and copied to email column on successful confirmation.
+  # Also, when used in conjunction with `send_email_changed_notification`,
+  # the notification is sent to the original email when the change is requested,
+  # not when the unconfirmed email is confirmed.
   config.reconfirmable = true
 
   # Defines which key will be used when confirming an account
@@ -277,9 +280,9 @@ Devise.setup do |config|
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
   #
-  # config.warden do |manager|
-  #   manager.intercept_401 = false
-  #   manager.default_strategies(scope: :user).unshift :some_external_strategy
+  # config.warden do |warden_config|
+  #   warden_config.intercept_401 = false
+  #   warden_config.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
   # ==> Mountable engine configurations
@@ -302,7 +305,7 @@ Devise.setup do |config|
   # apps is `200 OK` and `302 Found` respectively, but new apps are generated with
   # these new defaults that match Hotwire/Turbo behavior.
   # Note: These might become the new default in future versions of Devise.
-  config.responder.error_status = :unprocessable_entity
+  config.responder.error_status = <%= Rack::Utils::SYMBOL_TO_STATUS_CODE.key(422).inspect %>
   config.responder.redirect_status = :see_other
 
   # ==> Configuration for :registerable