devise 3.5.4 → 3.5.5


Potentially problematic release.



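--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 9fccc712f1172a24059ea6eecaac413826ee4649
- data.tar.gz: 45c064fa92694a40afd07cdde2693de20e6107ba
+ metadata.gz: 27090b1b7af510943f0db50b0e362d06eb17bc4f
+ data.tar.gz: c6ccb8c7c4f6b5291dea73624e0a3e1beff05925
  SHA512:
- metadata.gz: 4b1abbe976486c5e9d4d3b9fb5cf0199c1d368e9a7fb9dbdbc83f0bf78f073e872144586ed2e0f0030759748be7323ed85ecf6388976c0405e7ae6fd99c5611b
- data.tar.gz: f0eab35d48d39204adf29baf9bf5938bc85c8369ba27cacfe239051a6b8f15783f00f8cad2ceb443e2149c09fcc2754f464592ccee456f78a96ad1465b773f5f
+ metadata.gz: 7fb6eb7b780edddbd2c495d01a0f9b059ed65c41bfb245d35c71614eb6a693cee76924292214d381ca95ebaffb5c6076ca93fb9d4fb525a311a57224c399304e
+ data.tar.gz: 83e870f314f22e6fe46a65b5bfba51d6857915d095e7080b3fdc3d8424fe727280822a1fd0d1aac7c8a1e66fbdeea25d921faee31114e8fea59c9493beb4aab1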
@@ -1,3 +1,9 @@
1
+ ### 3.5.5 - 2016-22-01
2
+
3
+ * bug fixes
4
+ * Bring back remember_expired? implementation
5
+ * Ensure timeouts are not triggered if remember me is being used
6
+
1
7
  ### 3.5.4 - 2016-18-01
2
8
 
3
9
  * bug fixes
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- devise (3.5.4)
4
+ devise (3.5.5)
5
5
  bcrypt (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -9,6 +9,13 @@ module Devise
9
9
  Rails.configuration.session_options.slice(:path, :domain, :secure)
10
10
  end
11
11
 
12
+ def remember_me_is_active?(resource)
13
+ return false unless resource.respond_to?(:remember_me)
14
+ scope = Devise::Mapping.find_scope!(resource)
15
+ cookie = cookies.signed[remember_key(resource, scope)]
16
+ resource.class.serialized_in_cookie?(resource, *cookie)
17
+ end
18
+
12
19
  # Remembers the given resource by setting up a cookie
13
20
  def remember_me(resource)
14
21
  return if env["devise.skip_storage"]
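Review bot: `remember_me_is_active?` is added without a comment, unlike `remember_me` directly below it, although its result is what the timeout hook in this release uses to decide whether an idle session is signed out. The comment should say that `respond_to?(:remember_me)` only tests whether the model is rememberable, and that the real check is whether the signed remember cookie validates for this exact resource. It should also note that an absent cookie is handled only because `*cookie` splats `nil` into no arguments. Suggested wording: `# True only when the request carries a signed remember cookie that validates for this resource.` The body of `remember_me` continues outside the hunk.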
@@ -19,9 +19,10 @@ Warden::Manager.after_set_user do |record, warden, options|
19
19
 
20
20
  proxy = Devise::Hooks::Proxy.new(warden)
21
21
 
22
- if record.timedout?(last_request_at) && !env['devise.skip_timeout']
22
+ if record.timedout?(last_request_at) &&
23
+ !env['devise.skip_timeout'] &&
24
+ !proxy.remember_me_is_active?(record)
23
25
  Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
24
-
25
26
  throw :warden, scope: scope, message: :timeout
26
27
  end
27
28
 
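Review bot: With the added `!proxy.remember_me_is_active?(record)` clause, an idle session is no longer signed out while a valid remember cookie is present, so for remembered users the effective idle lifetime becomes the remember period rather than the timeout. That matches the changelog entry, but the condition itself gives no reason for it. If the reasoning is that the cookie would sign the user straight back in, a comment above the `if` such as `# A valid remember cookie would sign the user back in at once, so the timeout is skipped.` would record it. Deployments that treat the timeout as a hard idle logout should review their remember-me configuration before upgrading. The hook block starts and ends outside the hunk.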
@@ -62,6 +62,11 @@ module Devise
62
62
  save(validate: false)
63
63
  end
64
64
 
65
+ # Remember token should be expired if expiration time not overpass now.
66
+ def remember_expired?
67
+ remember_created_at.nil?
68
+ end
69
+
65
70
  def remember_expires_at
66
71
  self.class.remember_for.from_now
67
72
  end
@@ -96,7 +101,6 @@ module Devise
96
101
  def after_remembered
97
102
  end
98
103
 
99
- protected
100
104
 
101
105
  module ClassMethods
102
106
  # Create the cookie key using the record id and remember_token
@@ -106,6 +110,25 @@ module Devise
106
110
 
107
111
  # Recreate the user based on the stored cookie
108
112
  def serialize_from_cookie(*args)
113
+ serialize_from_cookie_with_or_without_record(nil, args)
114
+ end
115
+
116
+ # Check if the given record is the one serialized in cookie
117
+ def serialized_in_cookie?(record, *args)
118
+ !!serialize_from_cookie_with_or_without_record(record, args)
119
+ end
120
+
121
+ # Generate a token checking if one does not already exist in the database.
122
+ def remember_token #:nodoc:
123
+ loop do
124
+ token = Devise.friendly_token
125
+ break token unless to_adapter.find_first({ remember_token: token })
126
+ end
127
+ end
128
+
129
+ private
130
+
131
+ def serialize_from_cookie_with_or_without_record(record, args)
109
132
  id, token, generated_at = args
110
133
 
111
134
  # The token is only valid if:
@@ -117,20 +140,13 @@ module Devise
117
140
  # 6. the token matches
118
141
  if generated_at &&
119
142
  (self.remember_for.ago < generated_at) &&
120
- (record = to_adapter.get(id)) &&
143
+ (record ||= to_adapter.get(id)) && (id == record.to_key) &&
121
144
  (generated_at > (record.remember_created_at || Time.now).utc) &&
122
145
  Devise.secure_compare(record.rememberable_value, token)
123
146
  record
124
147
  end
125
148
  end
126
149
 
127
- # Generate a token checking if one does not already exist in the database.
128
- def remember_token #:nodoc:
129
- loop do
130
- token = Devise.friendly_token
131
- break token unless to_adapter.find_first({ remember_token: token })
132
- end
133
- end
134
150
 
135
151
  # TODO: extend_remember_period is no longer used
136
152
  Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
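Review bot: The new `(id == record.to_key)` clause is a type-sensitive equality between the id read back from the cookie and the record's key, and it also applies on the ordinary `serialize_from_cookie` path, where `record` is nil and is loaded by `id` first. If the cookie round-trip or the ORM adapter yields the key in a different type than `to_key` returns (not visible in this hunk), valid remember cookies would be rejected; that fails closed, but it deserves a test per supported adapter. The numbered list ending at `# 6. the token matches` is not updated for the new condition and should gain an item such as `# the id stored in the cookie matches the record's key`. In the `@@ -62,6 +62,11 @@` hunk the comment on `remember_expired?` speaks of an expiration time, while the method only returns `remember_created_at.nil?`. `serialize_from_cookie_with_or_without_record` begins in the previous hunk.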
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.5.4".freeze
2
+ VERSION = "3.5.5".freeze
3
3
  end
@@ -165,7 +165,17 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
165
165
  end
166
166
  end
167
167
 
168
- test 'does not crashes when the last_request_at is a String' do
168
+ test 'time out not triggered if remembered' do
169
+ user = sign_in_as_user remember_me: true
170
+ get expire_user_path(user)
171
+ assert_not_nil last_request_at
172
+
173
+ get users_path
174
+ assert_response :success
175
+ assert warden.authenticated?(:user)
176
+ end
177
+
178
+ test 'does not crash when the last_request_at is a String' do
169
179
  user = sign_in_as_user
170
180
 
171
181
  get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)
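Review bot: The added test `time out not triggered if remembered` covers only the case where the remember cookie is valid, so nothing pins that the timeout still fires when the cookie cannot vouch for the signed-in record. A companion test would sign in with `remember_me: true`, remove or invalidate the remember cookie, request `expire_user_path(user)` and then `users_path`, and assert that `warden.authenticated?(:user)` is false. That would guard the new `remember_me_is_active?` exemption against regressions. The following test, `does not crash when the last_request_at is a String`, continues outside the hunk.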
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.4
4
+ version: 3.5.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - José Valim
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-01-18 00:00:00.000000000 Z
12
+ date: 2016-01-22 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: warden