devise 3.5.4 → 3.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9fccc712f1172a24059ea6eecaac413826ee4649
-  data.tar.gz: 45c064fa92694a40afd07cdde2693de20e6107ba
+  metadata.gz: 27090b1b7af510943f0db50b0e362d06eb17bc4f
+  data.tar.gz: c6ccb8c7c4f6b5291dea73624e0a3e1beff05925
 SHA512:
-  metadata.gz: 4b1abbe976486c5e9d4d3b9fb5cf0199c1d368e9a7fb9dbdbc83f0bf78f073e872144586ed2e0f0030759748be7323ed85ecf6388976c0405e7ae6fd99c5611b
-  data.tar.gz: f0eab35d48d39204adf29baf9bf5938bc85c8369ba27cacfe239051a6b8f15783f00f8cad2ceb443e2149c09fcc2754f464592ccee456f78a96ad1465b773f5f
+  metadata.gz: 7fb6eb7b780edddbd2c495d01a0f9b059ed65c41bfb245d35c71614eb6a693cee76924292214d381ca95ebaffb5c6076ca93fb9d4fb525a311a57224c399304e
+  data.tar.gz: 83e870f314f22e6fe46a65b5bfba51d6857915d095e7080b3fdc3d8424fe727280822a1fd0d1aac7c8a1e66fbdeea25d921faee31114e8fea59c9493beb4aab1

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+### 3.5.5 - 2016-22-01
+
+* bug fixes
+  * Bring back remember_expired? implementation
+  * Ensure timeouts are not triggered if remember me is being used
+
 ### 3.5.4 - 2016-18-01
 
 * bug fixes

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.4)
+    devise (3.5.5)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

data/lib/devise/controllers/rememberable.rb

@@ -9,6 +9,13 @@ module Devise
         Rails.configuration.session_options.slice(:path, :domain, :secure)
       end
 
+      def remember_me_is_active?(resource)
+        return false unless resource.respond_to?(:remember_me)
+        scope = Devise::Mapping.find_scope!(resource)
+        cookie = cookies.signed[remember_key(resource, scope)]
+        resource.class.serialized_in_cookie?(resource, *cookie)
+      end
+
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
         return if env["devise.skip_storage"]

data/lib/devise/hooks/timeoutable.rb

@@ -19,9 +19,10 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
+    if record.timedout?(last_request_at) &&
+        !env['devise.skip_timeout'] &&
+        !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
-
       throw :warden, scope: scope, message: :timeout
     end
 

data/lib/devise/models/rememberable.rb

@@ -62,6 +62,11 @@ module Devise
         save(validate: false)
       end
 
+      # Remember token should be expired if expiration time not overpass now.
+      def remember_expired?
+        remember_created_at.nil?
+      end
+
       def remember_expires_at
         self.class.remember_for.from_now
       end
@@ -96,7 +101,6 @@ module Devise
       def after_remembered
       end
 
-    protected
 
       module ClassMethods
         # Create the cookie key using the record id and remember_token
@@ -106,6 +110,25 @@ module Devise
 
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(*args)
+          serialize_from_cookie_with_or_without_record(nil, args)
+        end
+
+        # Check if the given record is the one serialized in cookie
+        def serialized_in_cookie?(record, *args)
+          !!serialize_from_cookie_with_or_without_record(record, args)
+        end
+
+        # Generate a token checking if one does not already exist in the database.
+        def remember_token #:nodoc:
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ remember_token: token })
+          end
+        end
+
+        private
+
+        def serialize_from_cookie_with_or_without_record(record, args)
           id, token, generated_at = args
 
           # The token is only valid if:
@@ -117,20 +140,13 @@ module Devise
           # 6. the token matches
           if generated_at &&
              (self.remember_for.ago < generated_at) &&
-             (record = to_adapter.get(id)) &&
+             (record ||= to_adapter.get(id)) && (id == record.to_key) &&
              (generated_at > (record.remember_created_at || Time.now).utc) &&
              Devise.secure_compare(record.rememberable_value, token)
             record
           end
         end
 
-        # Generate a token checking if one does not already exist in the database.
-        def remember_token #:nodoc:
-          loop do
-            token = Devise.friendly_token
-            break token unless to_adapter.find_first({ remember_token: token })
-          end
-        end
 
         # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.4".freeze
+  VERSION = "3.5.5".freeze
 end

data/test/integration/timeoutable_test.rb

@@ -165,7 +165,17 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'does not crashes when the last_request_at is a String' do
+  test 'time out not triggered if remembered' do
+    user = sign_in_as_user remember_me: true
+    get expire_user_path(user)
+    assert_not_nil last_request_at
+
+    get users_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'does not crash when the last_request_at is a String' do
     user = sign_in_as_user
 
     get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 3.5.4
+  version: 3.5.5
 platform: ruby
 authors:
 - José Valim
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-18 00:00:00.000000000 Z
+date: 2016-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden