devise 4.8.1 → 4.9.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 073edbd8314be8f7b4da9e8f1b2eb07f4f25faf77a4400b6ef91f6a7d6905fda
4
- data.tar.gz: 96ba453ccdf7f73d76c40525644d867fe8a699efa7f0b3ab58f5e520af44f0d7
3
+ metadata.gz: c54e76c5bfbf23d58daa91bd3e60678a2030b5c7feefab3962853fd594bcd058
4
+ data.tar.gz: c8ce7e4481ab51ff7a2590ee886f66ae918e5677284d3990b5ce2776c356793f
5
5
  SHA512:
6
- metadata.gz: 3e86e75d88256721b32dc38b9ace70d25ccbdff76885c4a942452da0d01a92f7179c4e4800c55f91a1f535e4a9ecf9cce696523651b94aa4f5ee75b0016c4132
7
- data.tar.gz: 2a42ad0db913c2aa1ae782a06edd48096b0b3bd4dbe47a243cce6a7f923663240ca3e8ad9459aa0148623fa366fa89d3a30959b1bd2e7b399343ebc207beb7bf
6
+ metadata.gz: 0ed7bba03dc2a9eeb7fa4e1a50023a23613e570be7e48a362bf9e017e191c060da75a9b0bbeab8aed80c76ea830f63dc66bb2e4ee72de4ed6b2a0f35a4d52291
7
+ data.tar.gz: f2a73bbbb78c00022906f244170c3ab88a8a8c695fc60c60d721f528bc48c87c92a23057b14d2c48713f1fe4b39a58a2598efcd3da96b0f828b69fb75f90d45b
data/CHANGELOG.md CHANGED
@@ -1,4 +1,33 @@
1
- ### 4.8.1
1
+ ### Unreleased
2
+
3
+
4
+ ### 4.9.0 - 2023-02-17
5
+
6
+ * enhancements
7
+ * Add support for Ruby 3.1/3.2.
8
+ * Add support for Hotwire + Turbo, default in Rails 7+.
9
+ * Devise uses the latest `responders` version (v3.1.0 or higher), which allows configuring the status used for validation error responses (`error_status`) and for redirects after POST/PUT/PATCH/DELETE requests (`redirect_status`). For backwards compatibility, Devise keeps `error_status` as `:ok` which returns a `200 OK` response, and `redirect_status` to `:found` which returns a `302 Found` response, but you can configure it to return `422 Unprocessable Entity` and `303 See Other` respectively, to match the behavior expected by Hotwire/Turbo:
10
+
11
+ ```ruby
12
+ # config/initializers/devise.rb
13
+ Devise.setup do |config|
14
+ # ...
15
+ config.responder.error_status = :unprocessable_entity
16
+ config.responder.redirect_status = :see_other
17
+ # ...
18
+ end
19
+ ```
20
+
21
+ These configs are already generated by default with new apps, and existing apps may opt-in as described above. Trying to set these with an older version of `responders` will issue a warning and have no effect, so please upgrade the `responders` version if you're upgrading Devise for this integration. Note that these defaults may change in future versions of Devise, to better match the Rails + Hotwire/Turbo defaults across the board.
22
+ * If you have a custom responder set on your application and expect it to affect Devise as well, you may need to override the Devise responder entirely with `config.responder = MyApplicationResponder`, so that it uses your custom one. The main reason Devise uses a custom responder is to be able to configure the statuses as described above, but you can also change that config on your own responder if you want. Check the `responders` readme for more info on that.
23
+ * If you have created a custom responder and/or failure app just to customize responses for better Hotwire/Turbo integration, they should no longer be necessary.
24
+ * `:turbo_stream` is now treated as a navigational format, so it works like HTML navigation when using Turbo. Note: if you relied on `:turbo_stream` to be treated as a non-navigational format before, you can reconfigure your `navigational_formats` in the Devise initializer file to exclude it.
25
+ * OmniAuth "Sign in with" links were changed to buttons that generate HTML forms with method=POST, instead of using link + method=POST that required rails-ujs to work. Since rails-ujs is no longer the default for new Rails apps, this allows the OmniAuth buttons to work in any scenario, with or without rails-ujs and/or Turbo. This only affects apps that are using the default `devise/shared/_links.html.erb` partial from Devise with OmniAuth enabled.
26
+ * The "Cancel my account" button was changed to include the `data-turbo-confirm` option, so that it works with both rails-ujs and Turbo by default.
27
+ * Devise does not provide "sign out" links/buttons in its shared views, but if you're using `sign_out_via` with `:delete` (the default), and are using links with `method: :delete`, those need to be updated with `data: { turbo_method: :delete }` instead for Turbo.
28
+ * Check [this upgrade guide](https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-[Hotwire-Turbo-integration]) for more detailed information.
29
+
30
+ ### 4.8.1 - 2021-12-16
2
31
 
3
32
  * enhancements
4
33
  * Add support for Rails 7.0. Please note that Turbo integration is not fully supported by Devise yet.
data/MIT-LICENSE CHANGED
@@ -1,4 +1,4 @@
1
- Copyright 2020 Rafael França, Leonardo Tegon, Carlos Antônio da Silva.
1
+ Copyright 2020-2023 Rafael França, Leonardo Tegon, Carlos Antônio da Silva.
2
2
  Copyright 2009-2019 Plataformatec.
3
3
 
4
4
  Permission is hereby granted, free of charge, to any person obtaining
data/README.md CHANGED
@@ -1,6 +1,4 @@
1
- ![Devise Logo](https://raw.github.com/heartcombo/devise/master/devise.png)
2
-
3
- [![Code Climate](https://codeclimate.com/github/heartcombo/devise.svg)](https://codeclimate.com/github/heartcombo/devise)
1
+ ![Devise Logo](https://raw.github.com/heartcombo/devise/main/devise.png)
4
2
 
5
3
  Devise is a flexible authentication solution for Rails based on Warden. It:
6
4
 
@@ -11,16 +9,16 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
11
9
 
12
10
  It's composed of 10 modules:
13
11
 
14
- * [Database Authenticatable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
15
- * [Omniauthable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
16
- * [Confirmable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
17
- * [Recoverable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
18
- * [Registerable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
19
- * [Rememberable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
20
- * [Trackable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
21
- * [Timeoutable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
22
- * [Validatable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
23
- * [Lockable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
12
+ * [Database Authenticatable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
13
+ * [Omniauthable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
14
+ * [Confirmable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
15
+ * [Recoverable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Recoverable): resets the user password and sends reset instructions.
16
+ * [Registerable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
17
+ * [Rememberable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
18
+ * [Trackable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
19
+ * [Timeoutable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
20
+ * [Validatable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
21
+ * [Lockable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
24
22
 
25
23
  ## Table of Contents
26
24
 
@@ -91,7 +89,7 @@ https://groups.google.com/group/plataformatec-devise
91
89
 
92
90
  You can view the Devise documentation in RDoc format here:
93
91
 
94
- http://rubydoc.info/github/heartcombo/devise/master/frames
92
+ http://rubydoc.info/github/heartcombo/devise/main/frames
95
93
 
96
94
  If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation.
97
95
 
@@ -130,7 +128,7 @@ Please note that the command output will show the variable value being used.
130
128
 
131
129
  ### BUNDLE_GEMFILE
132
130
  We can use this variable to tell bundler what Gemfile it should use (instead of the one in the current directory).
133
- Inside the [gemfiles](https://github.com/heartcombo/devise/tree/master/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
131
+ Inside the [gemfiles](https://github.com/heartcombo/devise/tree/main/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
134
132
  For example, if the tests broke using Ruby 2.4.2 and Rails 4.1, you can do the following:
135
133
  ```bash
136
134
  rbenv shell 2.4.2 # or rvm use 2.4.2
@@ -458,7 +456,7 @@ Devise also ships with default routes. If you need to customize them, you should
458
456
  devise_for :users, path: 'auth', path_names: { sign_in: 'login', sign_out: 'logout', password: 'secret', confirmation: 'verification', unlock: 'unblock', registration: 'register', sign_up: 'cmon_let_me_in' }
459
457
  ```
460
458
 
461
- Be sure to check `devise_for` [documentation](http://www.rubydoc.info/github/heartcombo/devise/master/ActionDispatch/Routing/Mapper%3Adevise_for) for details.
459
+ Be sure to check `devise_for` [documentation](http://www.rubydoc.info/github/heartcombo/devise/main/ActionDispatch/Routing/Mapper%3Adevise_for) for details.
462
460
 
463
461
  If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is create your routes normally and wrap them in a `devise_scope` block in the router:
464
462
 
@@ -476,6 +474,36 @@ Please note: You will still need to add `devise_for` in your routes in order to
476
474
  devise_for :users, skip: :all
477
475
  ```
478
476
 
477
+ ### Hotwire/Turbo
478
+
479
+ Devise integrates with Hotwire/Turbo by treating such requests as navigational, and configuring certain responses for errors and redirects to match the expected behavior. New apps are generated with the following response configuration by default, and existing apps may opt-in by adding the config to their Devise initializers:
480
+
481
+ ```ruby
482
+ Devise.setup do |config|
483
+ # ...
484
+ # When using Devise with Hotwire/Turbo, the http status for error responses
485
+ # and some redirects must match the following. The default in Devise for existing
486
+ # apps is `200 OK` and `302 Found respectively`, but new apps are generated with
487
+ # these new defaults that match Hotwire/Turbo behavior.
488
+ # Note: These might become the new default in future versions of Devise.
489
+ config.responder.error_status = :unprocessable_entity
490
+ config.responder.redirect_status = :see_other
491
+ end
492
+ ```
493
+
494
+ **Important**: these custom responses require the `responders` gem version to be `3.1.0` or higher, please make sure you update it if you're going to use this configuration. Check [this upgrade guide](https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-[Hotwire-Turbo-integration]) for more info.
495
+
496
+ _Note_: the above statuses configuration may become the default for Devise in a future release.
497
+
498
+ There are a couple other changes you might need to make in your app to work with Hotwire/Turbo, if you're migrating from rails-ujs:
499
+
500
+ * The `data-confirm` option that adds a confirmation modal to buttons/forms before submission needs to change to `data-turbo-confirm`, so that Turbo handles those appropriately.
501
+ * The `data-method` option that sets the request method for link submissions needs to change to `data-turbo-method`. This is not necessary for `button_to` or `form`s since Turbo can handle those.
502
+
503
+ If you're setting up Devise to sign out via `:delete`, and you're using links (instead of buttons wrapped in a form) to sign out with the `method: :delete` option, they will need to be updated as described above. (Devise does not provide sign out links/buttons in its shared views.)
504
+
505
+ Make sure to inspect your views looking for those, and change appropriately.
506
+
479
507
  ### I18n
480
508
 
481
509
  Devise uses flash messages with I18n, in conjunction with the flash keys :notice and :alert. To customize your app, you can set up your locale file:
@@ -679,7 +707,7 @@ end
679
707
 
680
708
  ### Password reset tokens and Rails logs
681
709
 
682
- If you enable the [Recoverable](http://rubydoc.info/github/heartcombo/devise/master/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
710
+ If you enable the [Recoverable](http://rubydoc.info/github/heartcombo/devise/main/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
683
711
 
684
712
  1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked.
685
713
  2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked.
@@ -739,6 +767,6 @@ https://github.com/heartcombo/devise/graphs/contributors
739
767
 
740
768
  ## License
741
769
 
742
- MIT License. Copyright 2020 Rafael França, Leonardo Tegon, Carlos Antônio da Silva. Copyright 2009-2019 Plataformatec.
770
+ MIT License. Copyright 2020-2023 Rafael França, Leonardo Tegon, Carlos Antônio da Silva. Copyright 2009-2019 Plataformatec.
743
771
 
744
772
  The Devise logo is licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License](https://creativecommons.org/licenses/by-nc-nd/4.0/).
@@ -27,6 +27,7 @@ class Devise::ConfirmationsController < DeviseController
27
27
  set_flash_message!(:notice, :confirmed)
28
28
  respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
29
29
  else
30
+ # TODO: use `error_status` when the default changes to `:unprocessable_entity`.
30
31
  respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
31
32
  end
32
33
  end
@@ -67,7 +67,7 @@ class Devise::RegistrationsController < DeviseController
67
67
  Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
68
68
  set_flash_message! :notice, :destroyed
69
69
  yield resource if block_given?
70
- respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
70
+ respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name), status: Devise.responder.redirect_status }
71
71
  end
72
72
 
73
73
  # GET /resource/cancel
@@ -77,7 +77,7 @@ class Devise::SessionsController < DeviseController
77
77
  # support returning empty response on GET request
78
78
  respond_to do |format|
79
79
  format.all { head :no_content }
80
- format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
80
+ format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name), status: Devise.responder.redirect_status }
81
81
  end
82
82
  end
83
83
  end
@@ -29,6 +29,7 @@ class Devise::UnlocksController < DeviseController
29
29
  set_flash_message! :notice, :unlocked
30
30
  respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
31
31
  else
32
+ # TODO: use `error_status` when the default changes to `:unprocessable_entity`.
32
33
  respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
33
34
  end
34
35
  end
@@ -15,6 +15,7 @@ class DeviseController < Devise.parent_controller.constantize
15
15
  end
16
16
 
17
17
  prepend_before_action :assert_is_devise_resource!
18
+ self.responder = Devise.responder
18
19
  respond_to :html if mimes_for_respond_to.empty?
19
20
 
20
21
  # Override prefixes to consider the scoped view.
@@ -38,6 +38,6 @@
38
38
 
39
39
  <h3>Cancel my account</h3>
40
40
 
41
- <p>Unhappy? <%= button_to "Cancel my account", registration_path(resource_name), data: { confirm: "Are you sure?" }, method: :delete %></p>
41
+ <div>Unhappy? <%= button_to "Cancel my account", registration_path(resource_name), data: { confirm: "Are you sure?", turbo_confirm: "Are you sure?" }, method: :delete %></div>
42
42
 
43
43
  <%= link_to "Back", :back %>
@@ -1,5 +1,5 @@
1
1
  <% if resource.errors.any? %>
2
- <div id="error_explanation">
2
+ <div id="error_explanation" data-turbo-cache="false">
3
3
  <h2>
4
4
  <%= I18n.t("errors.messages.not_saved",
5
5
  count: resource.errors.count,
@@ -20,6 +20,6 @@
20
20
 
21
21
  <%- if devise_mapping.omniauthable? %>
22
22
  <%- resource_class.omniauth_providers.each do |provider| %>
23
- <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), method: :post %><br />
23
+ <%= button_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), data: { turbo: false } %><br />
24
24
  <% end %>
25
25
  <% end %>
@@ -0,0 +1,35 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Devise
4
+ module Controllers
5
+ # Custom Responder to configure default statuses that only apply to Devise,
6
+ # and allow to integrate more easily with Hotwire/Turbo.
7
+ class Responder < ActionController::Responder
8
+ if respond_to?(:error_status=) && respond_to?(:redirect_status=)
9
+ self.error_status = :ok
10
+ self.redirect_status = :found
11
+ else
12
+ # TODO: remove this support for older Rails versions, which aren't supported by Turbo
13
+ # and/or responders. It won't allow configuring a custom response, but it allows Devise
14
+ # to use these methods and defaults across the implementation more easily.
15
+ def self.error_status
16
+ :ok
17
+ end
18
+
19
+ def self.redirect_status
20
+ :found
21
+ end
22
+
23
+ def self.error_status=(*)
24
+ warn "[DEVISE] Setting the error status on the Devise responder has no effect with this " \
25
+ "version of `responders`, please make sure you're using a newer version. Check the changelog for more info."
26
+ end
27
+
28
+ def self.redirect_status=(*)
29
+ warn "[DEVISE] Setting the redirect status on the Devise responder has no effect with this " \
30
+ "version of `responders`, please make sure you're using a newer version. Check the changelog for more info."
31
+ end
32
+ end
33
+ end
34
+ end
35
+ end
@@ -21,7 +21,7 @@ module Devise
21
21
  # to the set_user method in warden.
22
22
  # If you are using a custom warden strategy and the timeoutable module, you have to
23
23
  # set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
24
- # in the sessions controller: https://github.com/heartcombo/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
24
+ # in the sessions controller: https://github.com/heartcombo/devise/blob/main/app/controllers/devise/sessions_controller.rb#L7
25
25
  #
26
26
  # Examples:
27
27
  #
@@ -71,7 +71,9 @@ module Devise
71
71
  end
72
72
 
73
73
  flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
74
- self.response = recall_app(warden_options[:recall]).call(request.env)
74
+ self.response = recall_app(warden_options[:recall]).call(request.env).tap { |response|
75
+ response[0] = Rack::Utils.status_code(Devise.responder.error_status)
76
+ }
75
77
  end
76
78
 
77
79
  def redirect
@@ -167,7 +169,7 @@ module Devise
167
169
  end
168
170
 
169
171
  def skip_format?
170
- %w(html */*).include? request_format.to_s
172
+ %w(html */* turbo_stream).include? request_format.to_s
171
173
  end
172
174
 
173
175
  # Choose whether we should respond in an HTTP authentication fashion,
@@ -4,6 +4,11 @@ Warden::Manager.after_authentication do |record, warden, options|
4
4
  clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
5
5
  warden.winning_strategy.clean_up_csrf?
6
6
  if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
7
- warden.request.session.try(:delete, :_csrf_token)
7
+ if warden.request.respond_to?(:reset_csrf_token)
8
+ # Rails 7.1+
9
+ warden.request.reset_csrf_token
10
+ else
11
+ warden.request.session.try(:delete, :_csrf_token)
12
+ end
8
13
  end
9
14
  end
@@ -18,7 +18,7 @@ module Devise
18
18
  # * +maximum_attempts+: how many attempts should be accepted before blocking the user.
19
19
  # * +lock_strategy+: lock the user account by :failed_attempts or :none.
20
20
  # * +unlock_strategy+: unlock the user account by :time, :email, :both or :none.
21
- # * +unlock_in+: the time you want to lock the user after to lock happens. Only available when unlock_strategy is :time or :both.
21
+ # * +unlock_in+: the time you want to unlock the user after lock happens. Only available when unlock_strategy is :time or :both.
22
22
  # * +unlock_keys+: the keys you want to use when locking and unlocking an account
23
23
  #
24
24
  module Lockable
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Devise
4
- VERSION = "4.8.1".freeze
4
+ VERSION = "4.9.0".freeze
5
5
  end
data/lib/devise.rb CHANGED
@@ -23,6 +23,7 @@ module Devise
23
23
  module Controllers
24
24
  autoload :Helpers, 'devise/controllers/helpers'
25
25
  autoload :Rememberable, 'devise/controllers/rememberable'
26
+ autoload :Responder, 'devise/controllers/responder'
26
27
  autoload :ScopedViews, 'devise/controllers/scoped_views'
27
28
  autoload :SignInOut, 'devise/controllers/sign_in_out'
28
29
  autoload :StoreLocation, 'devise/controllers/store_location'
@@ -217,7 +218,16 @@ module Devise
217
218
 
218
219
  # Which formats should be treated as navigational.
219
220
  mattr_accessor :navigational_formats
220
- @@navigational_formats = ["*/*", :html]
221
+ @@navigational_formats = ["*/*", :html, :turbo_stream]
222
+
223
+ # The default responder used by Devise, used to customize status codes with:
224
+ #
225
+ # `config.responder.error_status`
226
+ # `config.responder.redirect_status`
227
+ #
228
+ # Can be replaced by a custom application responder.
229
+ mattr_accessor :responder
230
+ @@responder = Devise::Controllers::Responder
221
231
 
222
232
  # When set to true, signing out a user signs out all other scopes.
223
233
  mattr_accessor :sign_out_all_scopes
@@ -256,14 +256,14 @@ Devise.setup do |config|
256
256
 
257
257
  # ==> Navigation configuration
258
258
  # Lists the formats that should be treated as navigational. Formats like
259
- # :html, should redirect to the sign in page when the user does not have
259
+ # :html should redirect to the sign in page when the user does not have
260
260
  # access, but formats like :xml or :json, should return 401.
261
261
  #
262
262
  # If you have any extra navigational formats, like :iphone or :mobile, you
263
263
  # should add them to the navigational formats lists.
264
264
  #
265
265
  # The "*/*" below is required to match Internet Explorer requests.
266
- # config.navigational_formats = ['*/*', :html]
266
+ # config.navigational_formats = ['*/*', :html, :turbo_stream]
267
267
 
268
268
  # The default HTTP method used to sign out a resource. Default is :delete.
269
269
  config.sign_out_via = :delete
@@ -296,12 +296,14 @@ Devise.setup do |config|
296
296
  # so you need to do it manually. For the users scope, it would be:
297
297
  # config.omniauth_path_prefix = '/my_engine/users/auth'
298
298
 
299
- # ==> Turbolinks configuration
300
- # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:
301
- #
302
- # ActiveSupport.on_load(:devise_failure_app) do
303
- # include Turbolinks::Controller
304
- # end
299
+ # ==> Hotwire/Turbo configuration
300
+ # When using Devise with Hotwire/Turbo, the http status for error responses
301
+ # and some redirects must match the following. The default in Devise for existing
302
+ # apps is `200 OK` and `302 Found respectively`, but new apps are generated with
303
+ # these new defaults that match Hotwire/Turbo behavior.
304
+ # Note: These might become the new default in future versions of Devise.
305
+ config.responder.error_status = :unprocessable_entity
306
+ config.responder.redirect_status = :see_other
305
307
 
306
308
  # ==> Configuration for :registerable
307
309
 
@@ -30,6 +30,6 @@
30
30
 
31
31
  <h3>Cancel my account</h3>
32
32
 
33
- <p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), data: { confirm: "Are you sure?" }, method: :delete %></p>
33
+ <div>Unhappy? <%= button_to "Cancel my account", registration_path(resource_name), data: { confirm: "Are you sure?", turbo_confirm: "Are you sure?" }, method: :delete %></div>
34
34
 
35
35
  <%= link_to "Back", :back %>
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.8.1
4
+ version: 4.9.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - José Valim
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2021-12-16 00:00:00.000000000 Z
12
+ date: 2023-02-17 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: warden
@@ -117,6 +117,7 @@ files:
117
117
  - lib/devise.rb
118
118
  - lib/devise/controllers/helpers.rb
119
119
  - lib/devise/controllers/rememberable.rb
120
+ - lib/devise/controllers/responder.rb
120
121
  - lib/devise/controllers/scoped_views.rb
121
122
  - lib/devise/controllers/sign_in_out.rb
122
123
  - lib/devise/controllers/store_location.rb
@@ -205,11 +206,14 @@ licenses:
205
206
  metadata:
206
207
  homepage_uri: https://github.com/heartcombo/devise
207
208
  documentation_uri: https://rubydoc.info/github/heartcombo/devise
208
- changelog_uri: https://github.com/heartcombo/devise/blob/master/CHANGELOG.md
209
+ changelog_uri: https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
209
210
  source_code_uri: https://github.com/heartcombo/devise
210
211
  bug_tracker_uri: https://github.com/heartcombo/devise/issues
211
212
  wiki_uri: https://github.com/heartcombo/devise/wiki
212
- post_install_message:
213
+ post_install_message: "\n[DEVISE] Please review the [changelog] and [upgrade guide]
214
+ for more info on Hotwire / Turbo integration.\n\n [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md\n
215
+ \ [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D\n
216
+ \ "
213
217
  rdoc_options: []
214
218
  require_paths:
215
219
  - lib
@@ -224,7 +228,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
224
228
  - !ruby/object:Gem::Version
225
229
  version: '0'
226
230
  requirements: []
227
- rubygems_version: 3.1.6
231
+ rubygems_version: 3.4.5
228
232
  signing_key:
229
233
  specification_version: 4
230
234
  summary: Flexible authentication solution for Rails with Warden