devise 3.5.1 → 3.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5903cbd1b3ce2efab3cc2846955883b7832df787
-  data.tar.gz: 59c709239d810077b9c257771315517ac9215d82
+  metadata.gz: b12e8ad372d99f51b3ad7363a604025e4b4351d3
+  data.tar.gz: 2f532aa8b4538594a5dd1429a4613546dbd9f76a
 SHA512:
-  metadata.gz: 09a2bf91129139f2e828e51bfa8b08521a2d6f60cd2883dbd55c45103ac4687240582e8819f7ee4e1a4a515c2630d01a7cbd108ef57d7b6f83d81252175dbb88
-  data.tar.gz: 4a6c3fc92fe1299d9e794bc207a6c17dccb82591e76e0768e8eb23c871a115ee26c7af5c0938c4f9e504924e621f381e476669fb1946649faa07ec9f4d0bb284
+  metadata.gz: c695e4e9960fb2acbc37047b3ec769d30d5a0adfd4925dc886ada51a386f7153ddaec12ea0181bb641f4aec815d7d356474fccf6dd8d19739593c880d5f5e544
+  data.tar.gz: eae590deac848317c9db083a373efacd7f95f8ad84c93bee465d7fbe5a8a3c54b8f12f7a34d7cd602f215458bc9817247ff1eff8f6ad3d7bda6653a25a75f73e

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+### 3.5.2 - 2015-08-10
+
+* enhancements
+  * Perform case insensitive basic authorization matching
+
+* Big fixes
+  * Do not use digests for password confirmation token
+  * Fix infinite redirect in Rails 4.2 authenticated routes
+  * Autoload Devise::Encryptor to avoid errors on thread-safe mode
+
 ### 3.5.1 - 2015-05-24
 
 Note: 3.5.0 has been yanked due to a regression

data/Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "4.2.1"
+gem "rails", "4.2.2"
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
@@ -25,5 +25,5 @@ platforms :ruby do
 end
 
 group :mongoid do
-  gem "mongoid", github: "mongoid/mongoid", branch: "master"
+  gem "mongoid", "~> 4.0"
 end

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.1)
+    devise (3.5.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -9,50 +9,39 @@ PATH
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
-GIT
-  remote: git://github.com/mongoid/mongoid.git
-  revision: a4365d7ecfa8221bfcf36a4e7ce7993142fc5940
-  branch: master
-  specs:
-    mongoid (4.0.0)
-      activemodel (~> 4.0)
-      moped (~> 2.0.0)
-      origin (~> 2.1)
-      tzinfo (>= 0.3.37)
-
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.1)
-      actionpack (= 4.2.1)
-      actionview (= 4.2.1)
-      activejob (= 4.2.1)
+    actionmailer (4.2.2)
+      actionpack (= 4.2.2)
+      actionview (= 4.2.2)
+      activejob (= 4.2.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.1)
-      actionview (= 4.2.1)
-      activesupport (= 4.2.1)
+    actionpack (4.2.2)
+      actionview (= 4.2.2)
+      activesupport (= 4.2.2)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    actionview (4.2.1)
-      activesupport (= 4.2.1)
+    actionview (4.2.2)
+      activesupport (= 4.2.2)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    activejob (4.2.1)
-      activesupport (= 4.2.1)
+    activejob (4.2.2)
+      activesupport (= 4.2.2)
       globalid (>= 0.3.0)
-    activemodel (4.2.1)
-      activesupport (= 4.2.1)
+    activemodel (4.2.2)
+      activesupport (= 4.2.2)
       builder (~> 3.1)
-    activerecord (4.2.1)
-      activemodel (= 4.2.1)
-      activesupport (= 4.2.1)
+    activerecord (4.2.2)
+      activemodel (= 4.2.2)
+      activesupport (= 4.2.2)
       arel (~> 6.0)
-    activesupport (4.2.1)
+    activesupport (4.2.2)
       i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
@@ -60,34 +49,38 @@ GEM
       tzinfo (~> 1.1)
     arel (6.0.0)
     bcrypt (3.1.10)
-    bson (2.3.0)
+    bson (3.1.2)
     builder (3.2.2)
-    connection_pool (2.1.3)
+    connection_pool (2.2.0)
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.3)
+    globalid (0.3.5)
       activesupport (>= 4.1.0)
     hashie (3.4.0)
-    hike (1.2.3)
     i18n (0.7.0)
-    json (1.8.2)
+    json (1.8.3)
     jwt (1.4.1)
-    loofah (2.0.1)
+    loofah (2.0.2)
       nokogiri (>= 1.5.9)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metaclass (0.0.4)
-    mime-types (2.4.3)
+    mime-types (2.6.1)
     mini_portile (0.6.2)
-    minitest (5.5.1)
+    minitest (5.7.0)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    moped (2.0.4)
-      bson (~> 2.2)
+    mongoid (4.0.2)
+      activemodel (~> 4.0)
+      moped (~> 2.0.0)
+      origin (~> 2.1)
+      tzinfo (>= 0.3.37)
+    moped (2.0.6)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.1)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
     nokogiri (1.6.6.2)
@@ -114,22 +107,22 @@ GEM
     optionable (0.2.0)
     origin (2.1.1)
     orm_adapter (0.5.0)
-    rack (1.6.0)
+    rack (1.6.2)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.2.1)
-      actionmailer (= 4.2.1)
-      actionpack (= 4.2.1)
-      actionview (= 4.2.1)
-      activejob (= 4.2.1)
-      activemodel (= 4.2.1)
-      activerecord (= 4.2.1)
-      activesupport (= 4.2.1)
+    rails (4.2.2)
+      actionmailer (= 4.2.2)
+      actionpack (= 4.2.2)
+      actionview (= 4.2.2)
+      activejob (= 4.2.2)
+      activemodel (= 4.2.2)
+      activerecord (= 4.2.2)
+      activesupport (= 4.2.2)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.1)
+      railties (= 4.2.2)
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
@@ -139,9 +132,9 @@ GEM
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.2)
       loofah (~> 2.0)
-    railties (4.2.1)
-      actionpack (= 4.2.1)
-      activesupport (= 4.2.1)
+    railties (4.2.2)
+      actionpack (= 4.2.2)
+      activesupport (= 4.2.2)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
@@ -149,19 +142,15 @@ GEM
     responders (2.1.0)
       railties (>= 4.2.0, < 5)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
+    sprockets (3.2.0)
       rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets-rails (2.3.1)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.10)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.3)
@@ -180,12 +169,15 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid!
+  mongoid (~> 4.0)
   omniauth (~> 1.2.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.1.0)
   omniauth-openid (~> 1.0.1)
-  rails (= 4.2.1)
+  rails (= 4.2.2)
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.10.6

data/README.md

@@ -82,10 +82,11 @@ You will usually want to write tests for your changes.  To run the test suite, g
 
 ## Starting with Rails?
 
-If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today we have two resources that should help you get started:
+If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:
 
 * Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
+* Codecademy's Ruby on Rails: Authentication and Authorization: http://www.codecademy.com/en/learn/rails-auth
 
 Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
@@ -185,7 +186,7 @@ Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`,
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
+There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
 
 * `sign_in` (`Devise::SessionsController#create`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
@@ -348,7 +349,7 @@ devise_for :users, path: "auth", path_names: { sign_in: 'login', sign_out: 'logo
 
 Be sure to check `devise_for` documentation for details.
 
-If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is to create your routes normally and wrap them in a `devise_scope` block in the router:
+If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is create your routes normally and wrap them in a `devise_scope` block in the router:
 
 ```ruby
 devise_scope :user do

data/app/controllers/devise/passwords_controller.rb

@@ -38,11 +38,10 @@ class Devise::PasswordsController < DeviseController
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message(:notice, flash_message) if is_flashing_format?
         sign_in(resource_name, resource)
-        respond_with resource, location: after_resetting_password_path_for(resource)
       else
         set_flash_message(:notice, :updated_not_active) if is_flashing_format?
-        respond_with resource, location: new_session_path(resource_name)
       end
+      respond_with resource, location: after_resetting_password_path_for(resource)
     else
       respond_with resource
     end
@@ -50,7 +49,7 @@ class Devise::PasswordsController < DeviseController
 
   protected
     def after_resetting_password_path_for(resource)
-      after_sign_in_path_for(resource)
+      Devise.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
     end
 
     # The path used after sending reset password instructions

data/app/views/devise/passwords/edit.html.erb

@@ -7,8 +7,8 @@
   <div class="field">
     <%= f.label :password, "New password" %><br />
     <% if @minimum_password_length %>
-    <em>(<%= @minimum_password_length %> characters minimum)</em>
-    <% end %><br />
+      <em>(<%= @minimum_password_length %> characters minimum)</em><br />
+    <% end %>
     <%= f.password_field :password, autofocus: true, autocomplete: "off" %>
   </div>
 

data/devise.gemspec

@@ -13,8 +13,6 @@ Gem::Specification.new do |s|
   s.description = "Flexible authentication solution for Rails with Warden"
   s.authors     = ['José Valim', 'Carlos Antônio']
 
-  s.rubyforge_project = "devise"
-
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- test/*`.split("\n")
   s.require_paths = ["lib"]

data/lib/devise.rb

@@ -8,6 +8,7 @@ require 'responders'
 
 module Devise
   autoload :Delegator,          'devise/delegator'
+  autoload :Encryptor,          'devise/encryptor'
   autoload :FailureApp,         'devise/failure_app'
   autoload :OmniAuth,           'devise/omniauth'
   autoload :ParameterFilter,    'devise/parameter_filter'
@@ -105,7 +106,7 @@ module Devise
   # an one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   mattr_accessor :email_regexp
-  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\s]+\z/
+  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -145,10 +146,6 @@ module Devise
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
 
-  # Authentication token expiration on timeout
-  mattr_accessor :expire_auth_token_on_timeout
-  @@expire_auth_token_on_timeout = false
-
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil

data/lib/devise/controllers/sign_in_out.rb

@@ -90,13 +90,7 @@ module Devise
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
 
-      def expire_data_after_sign_out!
-        # session.keys will return an empty array if the session is not yet loaded.
-        # This is a bug in both Rack and Rails.
-        # A call to #empty? forces the session to be loaded.
-        session.empty?
-        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
-      end
+      alias :expire_data_after_sign_out! :expire_data_after_sign_in!
     end
   end
 end

data/lib/devise/failure_app.rb

@@ -118,8 +118,13 @@ module Devise
 
       config = Rails.application.config
 
-      if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
-        opts[:script_name] = config.relative_url_root
+      # Rails 4.2 goes into an infinite loop if opts[:script_name] is unset
+      if (Rails::VERSION::MAJOR >= 4) && (Rails::VERSION::MINOR >= 2)
+        opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))
+      else
+        if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
+          opts[:script_name] = config.relative_url_root
+        end
       end
 
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name

data/lib/devise/hooks/timeoutable.rb

@@ -21,10 +21,6 @@ Warden::Manager.after_set_user do |record, warden, options|
     if record.timedout?(last_request_at) && !env['devise.skip_timeout']
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
 
-      if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
-        record.reset_authentication_token!
-      end
-
       throw :warden, scope: scope, message: :timeout
     end
 

data/lib/devise/models/confirmable.rb

@@ -7,7 +7,7 @@ module Devise
     #
     # Confirmable tracks the following columns:
     #
-    # * confirmation_token   - An OpenSSL::HMAC.hexdigest of @raw_confirmation_token
+    # * confirmation_token   - A unique random token
     # * confirmed_at         - A timestamp when the user clicked the confirmation link
     # * confirmation_sent_at - A timestamp when the confirmation_token was generated (not sent)
     # * unconfirmed_email    - An email address copied from the email attr. After confirmation
@@ -29,6 +29,8 @@ module Devise
     #     confirmation.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
     #     You can use this to force the user to confirm within a set period of time.
+    #     Confirmable will not generate a new token if a repeat confirmation is requested
+    #     during this time frame, unless the user's email changed too.
     #
     # == Examples
     #
@@ -230,10 +232,13 @@ module Devise
         # Generates a new random token for confirmation, and stores
         # the time this token is being generated in confirmation_sent_at
         def generate_confirmation_token
-          raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
-          @raw_confirmation_token   = raw
-          self.confirmation_token   = enc
-          self.confirmation_sent_at = Time.now.utc
+          if self.confirmation_token && !confirmation_period_expired?
+            @raw_confirmation_token = self.confirmation_token
+          else
+            raw, _ = Devise.token_generator.generate(self.class, :confirmation_token)
+            self.confirmation_token = @raw_confirmation_token = raw
+            self.confirmation_sent_at = Time.now.utc
+          end
         end
 
         def generate_confirmation_token!
@@ -244,6 +249,7 @@ module Devise
           @reconfirmation_required = true
           self.unconfirmed_email = self.email
           self.email = self.email_was
+          self.confirmation_token = nil
           generate_confirmation_token
         end
 
@@ -293,12 +299,17 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
-          original_token     = confirmation_token
-          confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+          confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+          unless confirmable
+            confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
+            confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)
+          end
+
+          # TODO: replace above lines with
+          # confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          # after enough time has passed that Devise clients do not use digested tokens
 
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
           confirmable.confirm if confirmable.persisted?
-          confirmable.confirmation_token = original_token
           confirmable
         end
 

data/lib/devise/models/database_authenticatable.rb

@@ -1,5 +1,4 @@
 require 'devise/strategies/database_authenticatable'
-require 'devise/encryptor'
 
 module Devise
   def self.bcrypt(klass, password)

data/lib/devise/rails/routes.rb

@@ -404,19 +404,14 @@ module ActionDispatch::Routing
           raise <<-ERROR
 Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
-`skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
-
-    match "/users/auth/:provider",
-      constraints: { provider: /google|facebook/ },
-      to: "devise/omniauth_callbacks#passthru",
-      as: :omniauth_authorize,
-      via: [:get, :post]
-
-    match "/users/auth/:action/callback",
-      constraints: { action: /google|facebook/ },
-      to: "devise/omniauth_callbacks#:action",
-      as: :omniauth_callback,
-      via: [:get, :post]
+`skip: :omniauth_callbacks` to the `devise_for` call and extract omniauth
+options to another `devise_for` call outside the scope. Here is an example:
+
+    devise_for :users, only: :omniauth_callbacks, controllers: {omniauth_callbacks: 'users/omniauth_callbacks'}
+
+    scope '/(:locale)', locale: /ru|en/ do
+      devise_for :users, skip: :omniauth_callbacks
+    end
 ERROR
         end
 

data/lib/devise/strategies/authenticatable.rb

@@ -118,7 +118,7 @@ module Devise
 
       # Helper to decode credentials from HTTP.
       def decode_credentials
-        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/m
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
         Base64.decode64($1).split(/:/, 2)
       end
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.1".freeze
+  VERSION = "3.5.2".freeze
 end

data/lib/generators/templates/controllers/README

@@ -2,7 +2,7 @@
 
 Some setup you must do manually if you haven't yet:
 
-  Ensure you have overridden routes for generated controllers in your route.rb.
+  Ensure you have overridden routes for generated controllers in your routes.rb.
   For example:
 
     Rails.application.routes.draw do

data/lib/generators/templates/devise.rb

@@ -158,9 +158,6 @@ Devise.setup do |config|
   # time the user will be asked for credentials again. Default is 30 minutes.
   # config.timeout_in = 30.minutes
 
-  # If true, expires auth token on session timeout.
-  # config.expire_auth_token_on_timeout = false
-
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.

data/test/devise_test.rb

@@ -95,7 +95,7 @@ class DeviseTest < ActiveSupport::TestCase
 
   test 'Devise.email_regexp should match valid email addresses' do
     valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua"]
-    non_valid_emails = ["rex", "test@go,com", "test user@example.com", "test_user@example server.com"]
+    non_valid_emails = ["rex", "test@go,com", "test user@example.com", "test_user@example server.com", "test_user@example.com."]
 
     valid_emails.each do |email|
       assert_match Devise.email_regexp, email

data/test/integration/timeoutable_test.rb

@@ -110,23 +110,6 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_contain 'You are signed in'
   end
 
-  test 'admin does not explode on time out' do
-    admin = sign_in_as_admin
-    get expire_admin_path(admin)
-
-    Admin.send :define_method, :reset_authentication_token! do
-      nil
-    end
-
-    begin
-      get admins_path
-      assert_redirected_to admins_path
-      assert_not warden.authenticated?(:admin)
-    ensure
-      Admin.send(:remove_method, :reset_authentication_token!)
-    end
-  end
-
   test 'user configured timeout limit' do
     swap Devise, timeout_in: 8.minutes do
       user = sign_in_as_user

data/test/mailers/confirmation_instructions_test.rb

@@ -86,7 +86,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     host, port = ActionMailer::Base.default_url_options.values_at :host, :port
 
     if mail.body.encoded =~ %r{<a href=\"http://#{host}:#{port}/users/confirmation\?confirmation_token=([^"]+)">}
-      assert_equal Devise.token_generator.digest(user.class, :confirmation_token, $1), user.confirmation_token
+      assert_equal $1, user.confirmation_token
     else
       flunk "expected confirmation url regex to match"
     end

data/test/models/confirmable_test.rb

@@ -291,12 +291,23 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'always generate a new token on resend' do
+  test 'do not generate a new token on resend' do
     user = create_user
     old  = user.confirmation_token
     user = User.find(user.id)
     user.resend_confirmation_instructions
-    assert_not_equal user.confirmation_token, old
+    assert_equal user.confirmation_token, old
+  end
+
+  test 'generate a new token after first has expired' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      old = user.confirmation_token
+      user.update_attribute(:confirmation_sent_at, 4.days.ago)
+      user = User.find(user.id)
+      user.resend_confirmation_instructions
+      assert_not_equal user.confirmation_token, old
+    end
   end
 
   test 'should call after_confirmation if confirmed' do

data/test/rails_app/app/controllers/admins_controller.rb

@@ -3,9 +3,4 @@ class AdminsController < ApplicationController
 
   def index
   end
-
-  def expire
-    admin_session['last_request_at'] = 31.minutes.ago.utc
-    render text: 'Admin will be expired on next request'
-  end
 end

data/test/rails_app/config/routes.rb

@@ -13,9 +13,7 @@ Rails.application.routes.draw do
     end
   end
 
-  resources :admins, only: [:index] do
-    get :expire, on: :member
-  end
+  resources :admins, only: [:index]
 
   # Users scope
   devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 3.5.1
+  version: 3.5.2
 platform: ruby
 authors:
 - José Valim
@@ -9,96 +9,96 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-26 00:00:00.000000000 Z
+date: 2015-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.3
 - !ruby/object:Gem::Dependency
   name: orm_adapter
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: thread_safe
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.6
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
         version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.6
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
         version: '5'
 - !ruby/object:Gem::Dependency
   name: responders
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Flexible authentication solution for Rails with Warden
@@ -107,9 +107,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".travis.yml"
-- ".yardopts"
+- .gitignore
+- .travis.yml
+- .yardopts
 - CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
@@ -366,17 +366,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: devise
-rubygems_version: 2.2.2
+rubyforge_project: 
+rubygems_version: 2.0.3
 signing_key: 
 specification_version: 4
 summary: Flexible authentication solution for Rails with Warden