deviseOne 1.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (246) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +12 -0
  3. data/.travis.yml +38 -0
  4. data/.yardopts +9 -0
  5. data/CHANGELOG.md +1117 -0
  6. data/CONTRIBUTING.md +14 -0
  7. data/Gemfile +29 -0
  8. data/Gemfile.lock +199 -0
  9. data/MIT-LICENSE +20 -0
  10. data/README.md +529 -0
  11. data/Rakefile +35 -0
  12. data/app/controllers/devise/confirmations_controller.rb +47 -0
  13. data/app/controllers/devise/omniauth_callbacks_controller.rb +30 -0
  14. data/app/controllers/devise/passwords_controller.rb +71 -0
  15. data/app/controllers/devise/registrations_controller.rb +143 -0
  16. data/app/controllers/devise/sessions_controller.rb +166 -0
  17. data/app/controllers/devise/unlocks_controller.rb +46 -0
  18. data/app/controllers/devise_controller.rb +193 -0
  19. data/app/helpers/devise_helper.rb +25 -0
  20. data/app/mailers/devise/mailer.rb +20 -0
  21. data/app/views/devise/confirmations/new.html.erb +16 -0
  22. data/app/views/devise/mailer/confirmation_instructions.html.erb +5 -0
  23. data/app/views/devise/mailer/reset_password_instructions.html.erb +8 -0
  24. data/app/views/devise/mailer/unlock_instructions.html.erb +7 -0
  25. data/app/views/devise/passwords/edit.html.erb +25 -0
  26. data/app/views/devise/passwords/new.html.erb +16 -0
  27. data/app/views/devise/registrations/edit.html.erb +39 -0
  28. data/app/views/devise/registrations/new.html.erb +29 -0
  29. data/app/views/devise/sessions/new.html.erb +27 -0
  30. data/app/views/devise/shared/_links.html.erb +21 -0
  31. data/app/views/devise/unlocks/new.html.erb +16 -0
  32. data/config/locales/en.yml +70 -0
  33. data/devise.gemspec +33 -0
  34. data/devise.png +0 -0
  35. data/gemfiles/Gemfile.rails-3.2-stable +29 -0
  36. data/gemfiles/Gemfile.rails-3.2-stable.lock +169 -0
  37. data/gemfiles/Gemfile.rails-4.0-stable +29 -0
  38. data/gemfiles/Gemfile.rails-4.0-stable.lock +165 -0
  39. data/gemfiles/Gemfile.rails-4.1-stable +29 -0
  40. data/gemfiles/Gemfile.rails-4.1-stable.lock +170 -0
  41. data/lib/devise.rb +499 -0
  42. data/lib/devise/controllers/helpers.rb +284 -0
  43. data/lib/devise/controllers/rememberable.rb +47 -0
  44. data/lib/devise/controllers/scoped_views.rb +17 -0
  45. data/lib/devise/controllers/sign_in_out.rb +102 -0
  46. data/lib/devise/controllers/store_location.rb +58 -0
  47. data/lib/devise/controllers/url_helpers.rb +69 -0
  48. data/lib/devise/delegator.rb +16 -0
  49. data/lib/devise/failure_app.rb +212 -0
  50. data/lib/devise/hooks/activatable.rb +10 -0
  51. data/lib/devise/hooks/csrf_cleaner.rb +7 -0
  52. data/lib/devise/hooks/forgetable.rb +9 -0
  53. data/lib/devise/hooks/lockable.rb +7 -0
  54. data/lib/devise/hooks/proxy.rb +21 -0
  55. data/lib/devise/hooks/rememberable.rb +7 -0
  56. data/lib/devise/hooks/timeoutable.rb +35 -0
  57. data/lib/devise/hooks/trackable.rb +9 -0
  58. data/lib/devise/mailers/helpers.rb +90 -0
  59. data/lib/devise/mapping.rb +175 -0
  60. data/lib/devise/models.rb +119 -0
  61. data/lib/devise/models/authenticatable.rb +290 -0
  62. data/lib/devise/models/confirmable.rb +305 -0
  63. data/lib/devise/models/database_authenticatable.rb +164 -0
  64. data/lib/devise/models/lockable.rb +196 -0
  65. data/lib/devise/models/omniauthable.rb +27 -0
  66. data/lib/devise/models/recoverable.rb +157 -0
  67. data/lib/devise/models/registerable.rb +25 -0
  68. data/lib/devise/models/rememberable.rb +142 -0
  69. data/lib/devise/models/timeoutable.rb +49 -0
  70. data/lib/devise/models/trackable.rb +38 -0
  71. data/lib/devise/models/validatable.rb +66 -0
  72. data/lib/devise/modules.rb +28 -0
  73. data/lib/devise/omniauth.rb +28 -0
  74. data/lib/devise/omniauth/config.rb +45 -0
  75. data/lib/devise/omniauth/url_helpers.rb +18 -0
  76. data/lib/devise/orm/active_record.rb +3 -0
  77. data/lib/devise/orm/mongoid.rb +3 -0
  78. data/lib/devise/parameter_filter.rb +40 -0
  79. data/lib/devise/parameter_sanitizer.rb +99 -0
  80. data/lib/devise/rails.rb +56 -0
  81. data/lib/devise/rails/routes.rb +495 -0
  82. data/lib/devise/rails/warden_compat.rb +22 -0
  83. data/lib/devise/strategies/authenticatable.rb +173 -0
  84. data/lib/devise/strategies/base.rb +20 -0
  85. data/lib/devise/strategies/database_authenticatable.rb +24 -0
  86. data/lib/devise/strategies/rememberable.rb +59 -0
  87. data/lib/devise/test_helpers.rb +132 -0
  88. data/lib/devise/time_inflector.rb +14 -0
  89. data/lib/devise/token_generator.rb +70 -0
  90. data/lib/devise/version.rb +3 -0
  91. data/lib/generators/active_record/devise_generator.rb +91 -0
  92. data/lib/generators/active_record/templates/migration.rb +18 -0
  93. data/lib/generators/active_record/templates/migration_existing.rb +25 -0
  94. data/lib/generators/devise/controllers_generator.rb +44 -0
  95. data/lib/generators/devise/devise_generator.rb +26 -0
  96. data/lib/generators/devise/install_generator.rb +29 -0
  97. data/lib/generators/devise/orm_helpers.rb +51 -0
  98. data/lib/generators/devise/views_generator.rb +135 -0
  99. data/lib/generators/mongoid/devise_generator.rb +55 -0
  100. data/lib/generators/templates/README +35 -0
  101. data/lib/generators/templates/controllers/README +14 -0
  102. data/lib/generators/templates/controllers/confirmations_controller.rb +28 -0
  103. data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +28 -0
  104. data/lib/generators/templates/controllers/passwords_controller.rb +32 -0
  105. data/lib/generators/templates/controllers/registrations_controller.rb +60 -0
  106. data/lib/generators/templates/controllers/sessions_controller.rb +25 -0
  107. data/lib/generators/templates/controllers/unlocks_controller.rb +28 -0
  108. data/lib/generators/templates/devise.rb +263 -0
  109. data/lib/generators/templates/markerb/confirmation_instructions.markerb +5 -0
  110. data/lib/generators/templates/markerb/reset_password_instructions.markerb +8 -0
  111. data/lib/generators/templates/markerb/unlock_instructions.markerb +7 -0
  112. data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +16 -0
  113. data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +19 -0
  114. data/lib/generators/templates/simple_form_for/passwords/new.html.erb +15 -0
  115. data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +27 -0
  116. data/lib/generators/templates/simple_form_for/registrations/new.html.erb +17 -0
  117. data/lib/generators/templates/simple_form_for/sessions/new.html.erb +15 -0
  118. data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +16 -0
  119. data/script/cached-bundle +49 -0
  120. data/script/s3-put +71 -0
  121. data/test/controllers/custom_registrations_controller_test.rb +35 -0
  122. data/test/controllers/custom_strategy_test.rb +62 -0
  123. data/test/controllers/helpers_test.rb +316 -0
  124. data/test/controllers/internal_helpers_test.rb +129 -0
  125. data/test/controllers/load_hooks_controller_test.rb +19 -0
  126. data/test/controllers/passwords_controller_test.rb +31 -0
  127. data/test/controllers/sessions_controller_test.rb +102 -0
  128. data/test/controllers/url_helpers_test.rb +65 -0
  129. data/test/delegator_test.rb +19 -0
  130. data/test/devise_test.rb +107 -0
  131. data/test/failure_app_test.rb +275 -0
  132. data/test/generators/active_record_generator_test.rb +109 -0
  133. data/test/generators/controllers_generator_test.rb +48 -0
  134. data/test/generators/devise_generator_test.rb +39 -0
  135. data/test/generators/install_generator_test.rb +13 -0
  136. data/test/generators/mongoid_generator_test.rb +23 -0
  137. data/test/generators/views_generator_test.rb +96 -0
  138. data/test/helpers/devise_helper_test.rb +49 -0
  139. data/test/integration/authenticatable_test.rb +731 -0
  140. data/test/integration/confirmable_test.rb +324 -0
  141. data/test/integration/database_authenticatable_test.rb +94 -0
  142. data/test/integration/http_authenticatable_test.rb +105 -0
  143. data/test/integration/lockable_test.rb +239 -0
  144. data/test/integration/omniauthable_test.rb +133 -0
  145. data/test/integration/recoverable_test.rb +334 -0
  146. data/test/integration/registerable_test.rb +361 -0
  147. data/test/integration/rememberable_test.rb +176 -0
  148. data/test/integration/timeoutable_test.rb +189 -0
  149. data/test/integration/trackable_test.rb +92 -0
  150. data/test/mailers/confirmation_instructions_test.rb +115 -0
  151. data/test/mailers/reset_password_instructions_test.rb +96 -0
  152. data/test/mailers/unlock_instructions_test.rb +91 -0
  153. data/test/mapping_test.rb +128 -0
  154. data/test/models/authenticatable_test.rb +23 -0
  155. data/test/models/confirmable_test.rb +461 -0
  156. data/test/models/database_authenticatable_test.rb +249 -0
  157. data/test/models/lockable_test.rb +328 -0
  158. data/test/models/omniauthable_test.rb +7 -0
  159. data/test/models/recoverable_test.rb +205 -0
  160. data/test/models/registerable_test.rb +7 -0
  161. data/test/models/rememberable_test.rb +198 -0
  162. data/test/models/serializable_test.rb +49 -0
  163. data/test/models/timeoutable_test.rb +51 -0
  164. data/test/models/trackable_test.rb +41 -0
  165. data/test/models/validatable_test.rb +127 -0
  166. data/test/models_test.rb +144 -0
  167. data/test/omniauth/config_test.rb +57 -0
  168. data/test/omniauth/url_helpers_test.rb +54 -0
  169. data/test/orm/active_record.rb +10 -0
  170. data/test/orm/mongoid.rb +13 -0
  171. data/test/parameter_sanitizer_test.rb +81 -0
  172. data/test/rails_app/Rakefile +6 -0
  173. data/test/rails_app/app/active_record/admin.rb +6 -0
  174. data/test/rails_app/app/active_record/shim.rb +2 -0
  175. data/test/rails_app/app/active_record/user.rb +6 -0
  176. data/test/rails_app/app/active_record/user_on_engine.rb +7 -0
  177. data/test/rails_app/app/active_record/user_on_main_app.rb +7 -0
  178. data/test/rails_app/app/controllers/admins/sessions_controller.rb +6 -0
  179. data/test/rails_app/app/controllers/admins_controller.rb +11 -0
  180. data/test/rails_app/app/controllers/application_controller.rb +12 -0
  181. data/test/rails_app/app/controllers/application_with_fake_engine.rb +30 -0
  182. data/test/rails_app/app/controllers/custom/registrations_controller.rb +21 -0
  183. data/test/rails_app/app/controllers/home_controller.rb +25 -0
  184. data/test/rails_app/app/controllers/publisher/registrations_controller.rb +2 -0
  185. data/test/rails_app/app/controllers/publisher/sessions_controller.rb +2 -0
  186. data/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb +14 -0
  187. data/test/rails_app/app/controllers/users_controller.rb +31 -0
  188. data/test/rails_app/app/helpers/application_helper.rb +3 -0
  189. data/test/rails_app/app/mailers/users/from_proc_mailer.rb +3 -0
  190. data/test/rails_app/app/mailers/users/mailer.rb +3 -0
  191. data/test/rails_app/app/mailers/users/reply_to_mailer.rb +4 -0
  192. data/test/rails_app/app/mongoid/admin.rb +29 -0
  193. data/test/rails_app/app/mongoid/shim.rb +23 -0
  194. data/test/rails_app/app/mongoid/user.rb +39 -0
  195. data/test/rails_app/app/mongoid/user_on_engine.rb +39 -0
  196. data/test/rails_app/app/mongoid/user_on_main_app.rb +39 -0
  197. data/test/rails_app/app/views/admins/index.html.erb +1 -0
  198. data/test/rails_app/app/views/admins/sessions/new.html.erb +2 -0
  199. data/test/rails_app/app/views/home/admin_dashboard.html.erb +1 -0
  200. data/test/rails_app/app/views/home/index.html.erb +1 -0
  201. data/test/rails_app/app/views/home/join.html.erb +1 -0
  202. data/test/rails_app/app/views/home/private.html.erb +1 -0
  203. data/test/rails_app/app/views/home/user_dashboard.html.erb +1 -0
  204. data/test/rails_app/app/views/layouts/application.html.erb +24 -0
  205. data/test/rails_app/app/views/users/edit_form.html.erb +1 -0
  206. data/test/rails_app/app/views/users/index.html.erb +1 -0
  207. data/test/rails_app/app/views/users/mailer/confirmation_instructions.erb +1 -0
  208. data/test/rails_app/app/views/users/sessions/new.html.erb +1 -0
  209. data/test/rails_app/bin/bundle +3 -0
  210. data/test/rails_app/bin/rails +4 -0
  211. data/test/rails_app/bin/rake +4 -0
  212. data/test/rails_app/config.ru +4 -0
  213. data/test/rails_app/config/application.rb +40 -0
  214. data/test/rails_app/config/boot.rb +14 -0
  215. data/test/rails_app/config/database.yml +18 -0
  216. data/test/rails_app/config/environment.rb +5 -0
  217. data/test/rails_app/config/environments/development.rb +30 -0
  218. data/test/rails_app/config/environments/production.rb +80 -0
  219. data/test/rails_app/config/environments/test.rb +36 -0
  220. data/test/rails_app/config/initializers/backtrace_silencers.rb +7 -0
  221. data/test/rails_app/config/initializers/devise.rb +180 -0
  222. data/test/rails_app/config/initializers/inflections.rb +2 -0
  223. data/test/rails_app/config/initializers/secret_token.rb +8 -0
  224. data/test/rails_app/config/initializers/session_store.rb +1 -0
  225. data/test/rails_app/config/routes.rb +122 -0
  226. data/test/rails_app/db/migrate/20100401102949_create_tables.rb +71 -0
  227. data/test/rails_app/db/schema.rb +55 -0
  228. data/test/rails_app/lib/shared_admin.rb +17 -0
  229. data/test/rails_app/lib/shared_user.rb +29 -0
  230. data/test/rails_app/lib/shared_user_without_omniauth.rb +13 -0
  231. data/test/rails_app/public/404.html +26 -0
  232. data/test/rails_app/public/422.html +26 -0
  233. data/test/rails_app/public/500.html +26 -0
  234. data/test/rails_app/public/favicon.ico +0 -0
  235. data/test/routes_test.rb +264 -0
  236. data/test/support/action_controller/record_identifier.rb +10 -0
  237. data/test/support/assertions.rb +39 -0
  238. data/test/support/helpers.rb +73 -0
  239. data/test/support/integration.rb +92 -0
  240. data/test/support/locale/en.yml +8 -0
  241. data/test/support/mongoid.yml +6 -0
  242. data/test/support/webrat/integrations/rails.rb +24 -0
  243. data/test/test_helper.rb +34 -0
  244. data/test/test_helpers_test.rb +163 -0
  245. data/test/test_models.rb +33 -0
  246. metadata +531 -0
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 7d92bbc9ff4fdf67faef8d1a29ca0785357aec58
4
+ data.tar.gz: 57e84d805a54e050a7aa3cc1c3320dd102feb565
5
+ SHA512:
6
+ metadata.gz: 12a9b94ebe1fe4b2e9cfdfaef0f456016f30a9d911e81d50e65615d242d44f53542a2549f9e4e453f3d944099fbe50e90ee22bcdadd5e125ac5ece12f305f35c
7
+ data.tar.gz: 17e870d15d87107c38effb3a3cac691d61a5e49188b3cfcb0e0ee12669c039a38d243fee32838dc0544169c84a9b50593298b12c11cb59d0a97590862a8d0dc3
@@ -0,0 +1,12 @@
1
+ test/rails_app/log/*
2
+ test/rails_app/tmp/*
3
+ *~
4
+ coverage/*
5
+ *.sqlite3
6
+ .bundle
7
+ rdoc/*
8
+ pkg
9
+ log
10
+ test/tmp/*
11
+ .rvmrc
12
+ .rvmrc.12.19.2014-14_56_33
@@ -0,0 +1,38 @@
1
+ language: ruby
2
+
3
+ rvm:
4
+ - 1.9.3
5
+ - 2.0.0
6
+ - 2.1
7
+
8
+ gemfile:
9
+ - gemfiles/Gemfile.rails-4.1-stable
10
+ - gemfiles/Gemfile.rails-4.0-stable
11
+ - gemfiles/Gemfile.rails-3.2-stable
12
+ - Gemfile
13
+
14
+ services:
15
+ - mongodb
16
+
17
+ sudo: false
18
+
19
+ cache: bundler
20
+
21
+ env:
22
+ matrix:
23
+ - DEVISE_ORM=mongoid
24
+ - DEVISE_ORM=active_record
25
+
26
+ before_install: "rm ${BUNDLE_GEMFILE}.lock"
27
+
28
+ before_script: "bundle update"
29
+
30
+ script: "bundle exec rake test"
31
+
32
+ notifications:
33
+ email: false
34
+ campfire:
35
+ on_success: change
36
+ on_failure: always
37
+ rooms:
38
+ - secure: "TRiqvuM4i/QmRDWjUSNitE5/P91BOzDkNl53+bZjjtxcISCswZtmECWBR7n9\n3xwqCOU1o2lfohxZ32OHOj/Nj7o+90zWJfWxcv+if0hIXRiil62M5pg0lZUd\nyJ4M5VQ0lSWo5he1OUrXhSabPJeaK3B8yT/tdh+qO5yzR+vb/jc="
@@ -0,0 +1,9 @@
1
+ --protected
2
+ --no-private
3
+ --embed-mixin ClassMethods
4
+ -
5
+ README.md
6
+ CHANGELOG.rdoc
7
+ CONTRIBUTING.md
8
+ MIT-LICENSE
9
+
@@ -0,0 +1,1117 @@
1
+ ### Unreleased
2
+
3
+ * enhancements
4
+ * Added an ActiveSupport load hook for `:devise_controller` (by @nakhli)
5
+ * Location fragments are now preserved between requests (by @jbourassa)
6
+ * Added an `after_remembered` callback for the Rememerable module (by @BM5k)
7
+ * `RegistrationsController#new` and `SessionsController#new` now yields the
8
+ current resource (by @mtarnovan, @deivid-rodriguez)
9
+ * Password length validation is now limited to 72 characters for newer apps (by @lleger)
10
+
11
+ ### 3.4.1 - 2014-10-29
12
+
13
+ * enhancements
14
+ * Devise default views now have a similar markup to Rails scaffold views. (by @udaysinghcode, @cllns)
15
+ * Passing `now: true` to the `set_flash_message` helper now sets the message into
16
+ the `flash.now` Hash. (by @hbriggs)
17
+ * bugfixes
18
+ * Fixed an regression with translation of flash messages for when the `authentication_keys`
19
+ config is a Hash. (by @lucasmazza)
20
+
21
+ ### 3.4.0 - 2014-10-03
22
+
23
+ * enhancements
24
+ * Support added for Rails 4.2. Devise now depends on the `responders` gem due
25
+ the extraction of the `respond_with` API from Rails. (by @lucasmazza)
26
+ * The Simple Form templates follow the same change from 3.3.0 by using `Log in` and adding
27
+ a hint about the minimum password length when `validatable` is enabled. (by @aried3r)
28
+ * Controller generator added as `devise:controllers SCOPE`. You can use the `-c` flag
29
+ to pick which controllers (`unlocks`, `confirmations`, etc) you want to generate. (by @Chun-Yang)
30
+ * Removed the hardcoded references for "email" in the flash messages. If you are using
31
+ different attributes as the `authentication_keys` they will be interpolated in the
32
+ messages instead. (by @timoschilling)
33
+ * bug fix
34
+ * Fixed a regression where the devise generator would fail with a `ConnectionNotEstablished`
35
+ exception when executed inside a mountable engine. (by @lucasmazza)
36
+ * Ensure to return symbols in find_scope! fixing a previous regression from 3.3.0 (by @micat)
37
+ * Ensure all causes of failed login have the same error message (by @pjungwir)
38
+ * The `last_attempt_warning` now takes effect when generating the unauthenticated
39
+ message for your users. To keep the current behavior, this flag is now `true`
40
+ by default. (by @lucasmazza)
41
+
42
+ ### 3.3.0 - 2014-08-13
43
+
44
+ * enhancements
45
+ * Support multiple warden configuration blocks on devise configuration. (by @rossta)
46
+ * Previously, when a user signed out, all remember me tokens for all sessions/browsers would be
47
+ invalidated, and this behavior could not be changed. This behavior is now configurable via
48
+ `expire_all_remember_me_on_sign_out`. The default continues to be true. (by @laurocaetano)
49
+ * Default email messages was updated with grammar fixes, check the diff on
50
+ #2906 for the updated copy (by @p-originate)
51
+ * Allow a resource to be found based on its encrypted password token (by @karlentwistle)
52
+ * Adds `devise_group`, a macro to define controller helpers for multiple mappings at once. (by @dropletzz)
53
+ * The default views now use `Log in` instead of `Sign in` and have a hint about the minimum password length if
54
+ the current scope is using the `validatable` module (by @alexsoble)
55
+
56
+ * bug fix
57
+ * Check if there is a signed in user before executing the `SessionsController#destroy`.
58
+ * `SessionsController#destroy` no longer yields the `resource` to receiving block,
59
+ since the resource isn't loaded in the action. If you need access to the current
60
+ resource when overring the action use the scope helper (like `current_user`) before
61
+ calling `super`
62
+ * Serialize the `last_request_at` entry as an Integer
63
+ * Ensure registration controller block yields happen on failure in addition to success (by @dpehrson)
64
+ * Only valid paths will be stored for redirections (by @parallel588)
65
+
66
+ ### 3.2.4 - 2014-03-17
67
+
68
+ * enhancements
69
+ * `bcrypt` dependency updated due https://github.com/codahale/bcrypt-ruby/pull/86.
70
+ * View generator now can generate specific views with the `-v` flag, like `rails g devise:views -v sessions` (by @kayline)
71
+
72
+ ### 3.2.3 - 2014-02-20
73
+
74
+ * enhancements
75
+ * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
76
+ You can change this and use your own secret by changing the `devise.rb` initializer.
77
+
78
+ * bug fix
79
+ * Migrations will be properly generated when using rails 4.1.0.
80
+
81
+ ### 3.2.2 - 2013-11-25
82
+
83
+ * bug fix
84
+ * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
85
+ * Keep the query string when storing location (by @csexton)
86
+ * Require rails generator base class in devise generators
87
+
88
+ ### 3.2.1 - 2013-11-13
89
+
90
+ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
91
+
92
+ * enhancements
93
+ * Add `store_location_for` helper and ensure it is safe (by @matthewrudy and @homakov)
94
+ * Add `yield` around resource methods in Devise controllers (by @edelpero)
95
+
96
+ * bug fix
97
+ * Bring `password_digest` back to fix compatibility with `devise-encryptable`
98
+ * Avoid e-mail enumeration on sign in when in paranoid mode
99
+
100
+ ### 3.2.0 - 2013-11-06
101
+
102
+ * enhancements
103
+ * Previously deprecated token authenticatable and insecure lookups have been removed
104
+ * Add a class method so you can encrypt passwords from fixtures (by @tenderlove)
105
+ * Send custom message when user enters invalid password and it has only one attempt
106
+ to enter correct password before their account will be locked (by @Lightpower)
107
+ * Prevent mutation of values assigned to case and whitespace santitized members (by @iamvery)
108
+ * Separate redirects and flash messages in `navigational_formats` and `flashing_formats` (by @ssendev)
109
+
110
+ * bug fix
111
+ * A GET to sign_in page shouldn't extend the session (by @drewish)
112
+ * Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful)
113
+ * Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev)
114
+ * Ensure timeoutable hook respects `Devise.sign_out_all_scopes` configuration
115
+
116
+ * deprecations
117
+ * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`
118
+
119
+ ### 3.1.1 - 2013-10-01
120
+
121
+ * bug fix
122
+ * Improve default message which asked users to sign in even when they were already signed (by @gregates)
123
+ * Improve error message for when the config.secret_key is missing
124
+
125
+ ### 3.1.0 - 2013-09-05
126
+
127
+ Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
128
+
129
+ * backwards incompatible changes
130
+ * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_token_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
131
+ * The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
132
+ * Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
133
+
134
+ * deprecations
135
+ * Token authentication is deprecated
136
+
137
+ * enhancements
138
+ * Better security defaults
139
+ * Allow easier customization of parameter sanitizer (by @alexpeattie)
140
+
141
+ * bug fix
142
+ * Do not confirm e-mail after password reset (by @moll)
143
+ * Do not sign in after confirmation
144
+ * Do not store confirmation, unlock and reset password tokens directly in the database
145
+ * Do not compare directly against confirmation, unlock and reset password tokens
146
+ * Skip storage for cookies on unverified requests
147
+
148
+ ### 3.0.2 - 2013-08-09
149
+
150
+ * bug fix
151
+ * Skip storage for cookies on unverified requests
152
+
153
+ ### 3.0.1 - 2013-08-02
154
+
155
+ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
156
+
157
+ * enhancements
158
+ * Add after_confirmation callback
159
+
160
+ * bug fix
161
+ * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
162
+ * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
163
+
164
+ ### 3.0.0 - 2013-07-14
165
+
166
+ * enhancements
167
+ * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
168
+ * Drop support for Rails < 3.2 and Ruby < 1.9.3
169
+ * Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
170
+
171
+ * bug fix
172
+ * Errors on unlock are now properly reflected on the first `unlock_keys`
173
+
174
+ ### 2.2.4 - 2013-05-07
175
+
176
+ * enhancements
177
+ * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
178
+ * Allow to override path after password resetting (by @worker8)
179
+ * Add `#skip_confirmation_notification!` method to `Confirmable`. Allows skipping confirmation email without auto-confirming. (by @gregates)
180
+ * allow_unconfirmed_access_for config from `:confirmable` module can be set to `nil` that means unconfirmed access for unlimited time. (by @nashby)
181
+ * Support Rails' token strategy on authentication (by @robhurring)
182
+ * Support explicitly setting the http authentication key via `config.http_authentication_key` (by @neo)
183
+
184
+ * bug fix
185
+ * Do not redirect when accessing devise API via JSON. (by @sebastianwr)
186
+ * Generating scoped devise views now uses the correct scoped shared links partial instead of the default devise one (by @nashby)
187
+ * Fix inheriting mailer templates from `Devise::Mailer`
188
+ * Fix a bug when procs are used as default mailer in Devise (by @tomasv)
189
+
190
+ * backwards incompatible changes
191
+ * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
192
+
193
+ ### 2.2.3 - 2013-01-26
194
+
195
+ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
196
+
197
+ * bug fix
198
+ * Require string conversion for all values
199
+
200
+ ### 2.2.2 - 2013-01-15
201
+
202
+ * bug fix
203
+ * Fix bug when checking for reconfirmable in templates
204
+
205
+ ### 2.2.1 - 2013-01-11
206
+
207
+ * bug fix
208
+ * Fix regression with case_insensitive_keys
209
+ * Fix regression when password is blank when it is invalid
210
+
211
+ ### 2.2.0 - 2013-01-08
212
+
213
+ * backwards incompatible changes
214
+ * `headers_for` is deprecated, customize the mailer directly instead
215
+ * All mailer methods now expect a second argument with delivery options
216
+ * Default minimum password length is now 8 (by @carlosgaldino)
217
+ * Support alternate sign in error message when email record does not exist (this adds a new I18n key to the locale file) (by @gabetax)
218
+ * DeviseController responds only to HTML requests by default (call `DeviseController.respond_to` or `ApplicationController.respond_to` to add new formats)
219
+ * Support Mongoid 3 onwards (by @durran)
220
+
221
+ * enhancements
222
+ * Fix unlockable which could leak account existence on paranoid mode (by @latortuga)
223
+ * Confirmable now has a confirm_within option to set a period while the confirmation token is still valid (by @promisedlandt)
224
+ * Flash messages in controller now respects `resource_name` (by @latortuga)
225
+ * Separate `sign_in` and `sign_up` on RegistrationsController (by @rubynortheast)
226
+ * Add autofocus to default views (by @Radagaisus)
227
+ * Unlock user on password reset (by @marcinb)
228
+ * Allow validation callbacks to apply to virtual attributes (by @latortuga)
229
+
230
+ * bug fix
231
+ * unconfirmed_email now uses the proper e-mail on salutation
232
+ * Fix default email_regexp config to not allow spaces (by @kukula)
233
+ * Fix a regression introduced on warden 1.2.1 (by @ejfinneran)
234
+ * Properly camelize omniauth strategies (by @saizai)
235
+ * Do not set flash messages for non navigational requests on session sign out (by @mathieul)
236
+ * Set the proper fields as required on the lockable module (by @nickhoffman)
237
+ * Respects Devise mailer default's reply_to (by @mrchrisadams)
238
+ * Properly assign resource on `sign_in` related action (by @adammcnamara)
239
+ * `update_with_password` doesn't change encrypted password when it is invalid (by @nashby)
240
+ * Properly handle namespaced models on Active Record generator (by @nashby)
241
+
242
+ ### 2.1.4 - 2013-08-18
243
+
244
+ * bugfix
245
+ * Do not confirm account after reset password
246
+
247
+ ### 2.1.3 - 2013-01-26
248
+
249
+ * bugfix
250
+ * Require string conversion for all values
251
+
252
+ ### 2.1.2 - 2012-06-19
253
+
254
+ * enhancements
255
+ * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
256
+
257
+ * bug fix
258
+ * Fix regression on strategy validation on previous release
259
+
260
+ ### 2.1.1 - 2012-06-15 (yanked)
261
+
262
+ * enhancements
263
+ * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
264
+ * `Devise.omniauth_path_prefix` is available to configure omniauth path prefix
265
+ * Redirect to sign in page when trying to access password#edit without a token (by @gbataille)
266
+ * Allow a lambda in authenticate(d) routes helpers to further select the scope
267
+ * Removed warnings on Rails 3.2.6 (by @nashby)
268
+
269
+ * bug fix
270
+ * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn)
271
+ * Do not trigger timeout on sign in related actions
272
+ * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller)
273
+
274
+ * deprecations
275
+ * Strategy#validate() no longer validates nil resources
276
+
277
+ ### 2.1.0 - 2012-05-15
278
+
279
+ * enhancements
280
+ * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
281
+ * Add `skip_reconfirmation!` to skip reconfirmation
282
+ * Devise model generator now works with engines
283
+ * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable)
284
+
285
+ * deprecations
286
+ * Deprecations warnings added on Devise 2.0 are now removed with their features
287
+ * All devise modules should now have a `required_fields(klass)` module method to help gathering missing attributes
288
+ * `use_salt_as_remember_token` and `apply_schema` does not have any effect since 2.0 and are now deprecated
289
+ * `valid_for_authentication?` must now return a boolean
290
+
291
+ * bug fix
292
+ * Ensure after sign in hook is not called without a resource
293
+ * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
294
+ * Fixed redirect when authenticated mounted apps (by @hakanensari)
295
+ * Ensure the failure app still respects config.relative_url_root
296
+ * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium)
297
+ * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores)
298
+ * Added token expiration on timeout (by @antiarchitect)
299
+ * Do not accidentally mark `_prefixes` as private
300
+ * Better support for custom strategies on test helpers (by @mattconnolly)
301
+ * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
302
+ * Reverted moving devise/shared/_links.erb to devise/_links.erb
303
+
304
+ ### 2.0.4 - 2012-02-17
305
+
306
+ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
307
+
308
+ * bug fix
309
+ * Fix when :host is used with devise_for (by @mreinsch)
310
+ * Fix a regression that caused Warden to be initialized too late
311
+
312
+ ### 2.0.3 - 2012-06-16 (yanked)
313
+
314
+ * bug fix
315
+ * Ensure warning is not shown by mistake on apps with mounted engines
316
+ * Fixes related to remember_token and rememberable_options
317
+ * Ensure serializable_hash does not depend on accessible attributes
318
+ * Ensure that timeout callback does not run on sign out action
319
+
320
+ ### 2.0.2 - 2012-02-14
321
+
322
+ * enhancements
323
+ * Add devise_i18n_options to customize I18n message
324
+
325
+ * bug fix
326
+ * Ensure Devise.available_router_name defaults to :main_app
327
+ * Set autocomplete to off for password on edit forms
328
+ * Better error messages in case a trackable model can't be saved
329
+ * Show a warning in case someone gives a pluralized name to devise generator
330
+ * Fix test behavior for rspec subject requests (by @sj26)
331
+
332
+ ### 2.0.1 - 2012-02-09
333
+
334
+ * enhancements
335
+ * Improved error messages on deprecation warnings
336
+ * Hide Devise's internal generators from `rails g` command
337
+
338
+ * bug fix
339
+ * Removed tmp and log files from gem
340
+
341
+ ### 2.0.0 - 2012-01-26
342
+
343
+ * enhancements
344
+ * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
345
+ * Redirect users to sign in page after unlock (by @nashby)
346
+ * Redirect to the previous URL on timeout
347
+ * Inherit from the same Devise parent controller (by @sj26)
348
+ * Allow parent_controller to be customizable via Devise.parent_controller, useful for engines
349
+ * Allow router_name to be customizable via Devise.router_name, useful for engines
350
+ * Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81)
351
+
352
+ * deprecation
353
+ * Devise now only supports Rails 3.1 forward
354
+ * Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
355
+ * Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
356
+ * Usage of Devise.apply_schema is deprecated
357
+ * Usage of Devise migration helpers are deprecated
358
+ * Usage of Devise.remember_across_browsers was deprecated
359
+ * Usage of rememberable with remember_token was removed
360
+ * Usage of recoverable without reset_password_sent_at was removed
361
+ * Usage of Devise.case_insensitive_keys equals to false was removed
362
+ * Move devise/shared/_links.erb to devise/_links.erb
363
+ * Deprecated support of nested devise_for blocks
364
+ * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
365
+ * Protected method render_with_scope was removed.
366
+
367
+ ### 1.5.3 - 2011-12-19
368
+
369
+ * bug fix
370
+ * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
371
+ * Ensure passing :format => false to devise_for is not permanent
372
+ * Ensure path checker does not check invalid routes
373
+
374
+ ### 1.5.2 - 2011-11-30
375
+
376
+ * enhancements
377
+ * Add support for Rails 3.1 new mass assignment conventions (by @kirs)
378
+ * Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest)
379
+
380
+ * bug fix
381
+ * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)
382
+
383
+ ### 1.5.1 - 2011-11-22
384
+
385
+ * bug fix
386
+ * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.
387
+
388
+ ### 1.5.0 - 2011-11-13
389
+
390
+ * enhancements
391
+ * Timeoutable also skips tracking if skip_trackable is given
392
+ * devise_for now accepts :failure_app as an option
393
+ * Models can select the proper mailer via devise_mailer method (by @locomotivecms)
394
+ * Migration generator now uses the change method (by @nashby)
395
+ * Support to markerb templates on the mailer generator (by @sbounmy)
396
+ * Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus)
397
+
398
+ * bug fix
399
+ * Allow idempotent API requests
400
+ * Fix bug where logs did not show 401 as status code
401
+ * Change paranoid settings to behave as success instead of as failure
402
+ * Fix bug where activation messages were shown first than the credentials error message
403
+ * Instance variables are expired after sign out
404
+
405
+ * deprecation
406
+ * redirect_location is deprecated, please use after_sign_in_path_for
407
+ * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it
408
+
409
+ ### 1.4.9 - 2011-10-19
410
+
411
+ * bug fix
412
+ * url helpers were not being set under some circumstances
413
+
414
+ ### 1.4.8 - 2011-10-09
415
+
416
+ * enhancements
417
+ * Add docs for assets pipeline and Heroku
418
+
419
+ * bug fix
420
+ * confirmation_url was not being set under some circumstances
421
+
422
+ ### 1.4.7 - 2011-09-21
423
+
424
+ * bug fix
425
+ * Fix backward incompatible change from 1.4.6 for those using custom controllers
426
+
427
+ ### 1.4.6 - 2011-09-19 (yanked)
428
+
429
+ * enhancements
430
+ * Allow devise_for :skip => :all
431
+ * Allow options to be passed to authenticate_user!
432
+ * Allow --skip-routes to devise generator
433
+ * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
434
+
435
+ ### 1.4.5 - 2011-09-07
436
+
437
+ * bug fix
438
+ * Failure app tries the root path if a session one does not exist
439
+ * No need to finalize Devise helpers all the time (by @bradleypriest)
440
+ * Reset password shows proper message if user is not active
441
+ * `clean_up_passwords` sets the accessors to nil to skip validations
442
+
443
+ ### 1.4.4 - 2011-08-30
444
+
445
+ * bug fix
446
+ * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually
447
+
448
+ ### 1.4.3 - 2011-08-29
449
+
450
+ * enhancements
451
+ * Improve Rails 3.1 compatibility
452
+ * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility
453
+
454
+ * bug fix
455
+ * Generator properly generates a change_table migration if a model already exists
456
+ * Properly deprecate setup_mail
457
+ * Fix encoding issues with email regexp
458
+ * Only generate helpers for the used mappings
459
+ * Wrap :action constraints in the proper hash
460
+
461
+ * deprecations
462
+ * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation
463
+
464
+ ### 1.4.2 - 2011-06-30
465
+
466
+ * bug fix
467
+ * Provide a more robust behavior to serializers and add :force_except option
468
+
469
+ ### 1.4.1 - 2011-06-29
470
+
471
+ * enhancements
472
+ * Add :defaults and :format support on router
473
+ * Add simple form generators
474
+ * Better localization for devise_error_messages! (by @zedtux)
475
+
476
+ * bug fix
477
+ * Ensure to_xml is properly white listened
478
+ * Ensure handle_unverified_request clean up any cached signed-in user
479
+
480
+ ### 1.4.0 - 2011-06-23
481
+
482
+ * enhancements
483
+ * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
484
+ * Improve e-mail regexp (by @rodrigoflores)
485
+ * Add strip_whitespace_keys and default to e-mail (by @swrobel)
486
+ * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut)
487
+ * Added update_without_password to update models but not allowing the password to change (by @fschwahn)
488
+ * Added config.paranoid, check the generator for more information (by @rodrigoflores)
489
+
490
+ * bug fix
491
+ * password_required? should not affect length validation
492
+ * User cannot access sign up and similar pages if they are already signed in through a cookie or token
493
+ * Do not convert booleans to strings on finders (by @xavier)
494
+ * Run validations even if current_password fails (by @crx)
495
+ * Devise now honors routes constraints (by @macmartine)
496
+ * Do not return the user resource when requesting instructions (by @rodrigoflores)
497
+
498
+ ### 1.3.4 - 2011-04-28
499
+
500
+ * bug fix
501
+ * Do not add formats if html or "*/*"
502
+
503
+ ### 1.3.3 - 2011-04-20
504
+
505
+ * bug fix
506
+ * Explicitly mark the token as expired if so
507
+
508
+ ### 1.3.2 - 2011-04-20
509
+
510
+ * bug fix
511
+ * Fix another regression related to reset_password_sent_at (by @alexdreher)
512
+
513
+ ### 1.3.1 - 2011-04-18
514
+
515
+ * enhancements
516
+ * Improve failure_app responses (by @indirect)
517
+ * sessions/new and registrations/new also respond to xml and json now
518
+
519
+ * bug fix
520
+ * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)
521
+
522
+ ### 1.3.0 - 2011-04-15
523
+
524
+ * enhancements
525
+ * All controllers can now handle different mime types than html using Responders (by @sikachu)
526
+ * Added reset_password_within as configuration option to send the token for recovery (by @jdguyot)
527
+ * Bump password length to 128 characters (by @k33l0r)
528
+ * Add :only as option to devise_for (by @timoschilling)
529
+ * Allow to override path after sending password instructions (by @irohiroki)
530
+ * require_no_authentication has its own flash message (by @jackdempsey)
531
+
532
+ * bug fix
533
+ * Fix a bug where configuration options were being included too late
534
+ * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger)
535
+ * valid_password? should not choke on empty passwords (by @mikel)
536
+ * Calling devise more than once does not include previously added modules anymore
537
+ * downcase_keys before validation
538
+
539
+ * backward incompatible changes
540
+ * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
541
+
542
+ ### 1.2.1 - 2011-03-27
543
+
544
+ * enhancements
545
+ * Improve update path messages
546
+
547
+ ### 1.2.0 - 2011-03-24
548
+
549
+ * bug fix
550
+ * Properly ignore path prefix on omniauthable
551
+ * Faster uniqueness queries
552
+ * Rename active? to active_for_authentication? to avoid conflicts
553
+
554
+ ### 1.2.rc2 - 2011-03-10
555
+
556
+ * enhancements
557
+ * Make friendly_token 20 chars long
558
+ * Use secure_compare
559
+
560
+ * bug fix
561
+ * Fix an issue causing infinite redirects in production
562
+ * rails g destroy works properly with devise generators (by @andmej)
563
+ * before_failure callbacks should work on test helpers (by @twinge)
564
+ * rememberable cookie now is httponly by default (by @JamesFerguson)
565
+ * Add missing confirmation_keys (by @JohnPlummer)
566
+ * Ensure after_* hooks are called on RegistrationsController
567
+ * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)
568
+ * Ensure stateless token does not trigger timeout (by @pixelauthority)
569
+ * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols
570
+ * Consider namespaces while generating routes
571
+ * Custom failure apps no longer ignored in test mode (by @jaghion)
572
+ * Do not depend on ActiveModel::Dirty
573
+ * Manual sign_in now triggers remember token
574
+ * Be sure to halt strategies on failures
575
+ * Consider SCRIPT_NAME on Omniauth paths
576
+ * Reset failed attempts when lock is expired
577
+ * Ensure there is no Mongoid injection
578
+
579
+ * deprecations
580
+ * Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes)
581
+ * Removed --haml and --slim view templates
582
+ * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode
583
+
584
+ ### 1.2.rc - 2010-10-25
585
+
586
+ * deprecations
587
+ * cookie_domain is deprecated in favor of cookie_options
588
+ * after_update_path_for can no longer be defined in ApplicationController
589
+
590
+ * enhancements
591
+ * Added OmniAuth support
592
+ * Added ORM adapter to abstract ORM iteraction
593
+ * sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld)
594
+ * Improved Ajax requests handling in failure app (by @spastorino)
595
+ * Added request_keys to easily use request specific values (like subdomain) in authentication
596
+ * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)
597
+ * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai)
598
+ * Extracted encryptors into :encryptable for better bcrypt support
599
+ * :rememberable is now able to use salt as token if no remember_token is provided
600
+ * Store the salt in session and expire the session if the user changes their password
601
+ * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
602
+ * cookie_options uses session_options values by default
603
+ * Sign up now checks if the user is active or not and redirect them accordingly, setting the inactive_signed_up message
604
+ * Use ActiveModel#to_key instead of #id
605
+ * sign_out_all_scopes now destroys the whole session
606
+ * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl)
607
+
608
+ * default behavior changes
609
+ * sign_out_all_scopes defaults to true as security measure
610
+ * http authenticatable is disabled by default
611
+ * Devise does not intercept 401 returned from applications
612
+
613
+ * bugfix
614
+ * after_sign_in_path_for always receives a resource
615
+ * Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo)
616
+ * Allow password recovery and account unlocking to change used keys (by @RStankov)
617
+ * FailureApp now properly handles nil request.format
618
+ * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
619
+ * Ensure namespaces has proper scoped views
620
+ * Ensure Devise does not set empty flash messages (by @sxross)
621
+
622
+ ### 1.1.6 - 2011-02-14
623
+
624
+ * Use a more secure e-mail regexp
625
+ * Implement Rails 3.0.4 handle unverified request
626
+ * Use secure_compare to compare passwords
627
+
628
+ ### 1.1.5 - 2010-11-26
629
+
630
+ * bugfix
631
+ * Ensure to convert keys on indifferent hash
632
+
633
+ * defaults
634
+ * Set config.http_authenticatable to false to avoid confusion
635
+
636
+ ### 1.1.4 - 2010-11-25
637
+
638
+ * bugfix
639
+ * Avoid session fixation attacks
640
+
641
+ ### 1.1.3 - 2010-09-23
642
+
643
+ * bugfix
644
+ * Add reply-to to e-mail headers by default
645
+ * Updated the views generator to respect the rails :template_engine option (by @fredwu)
646
+ * Check the type of HTTP Authentication before using Basic headers
647
+ * Avoid invalid_salt errors by checking salt presence (by @thibaudgg)
648
+ * Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane)
649
+ * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
650
+ * :default options is now honored in migrations
651
+
652
+ ### 1.1.2 - 2010-08-25
653
+
654
+ * bugfix
655
+ * Compatibility with latest Rails routes schema
656
+
657
+ ### 1.1.1 - 2010-07-26
658
+
659
+ * bugfix
660
+ * Fix a small bug where generated locale file was empty on devise:install
661
+
662
+ ### 1.1.0 - 2010-07-25
663
+
664
+ * enhancements
665
+ * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
666
+ * Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk)
667
+ * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
668
+ * Support `as` or `devise_scope` in the router to specify controller access scope
669
+ * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja)
670
+
671
+ * bug fix
672
+ * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
673
+ * Devise should respect script_name and path_info contracts
674
+ * Fix a bug when accessing a path with (.:format) (by @klacointe)
675
+ * Do not add unlock routes unless unlock strategy is email or both
676
+ * Email should be case insensitive
677
+ * Store classes as string in session, to avoid serialization and stale data issues
678
+
679
+ * deprecations
680
+ * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead
681
+
682
+ ### 1.1.rc2 - 2010-06-22
683
+
684
+ * enhancements
685
+ * Allow to set cookie domain for the remember token. (by @mantas)
686
+ * Added navigational formats to specify when it should return a 302 and when a 401.
687
+ * Added authenticate(scope) support in routes (by @wildchild)
688
+ * Added after_update_path_for to registrations controller (by @thedelchop)
689
+ * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer"
690
+
691
+ * bug fix
692
+ * Fix a bug where session was timing out on sign out
693
+
694
+ * deprecations
695
+ * bcrypt is now the default encryptor
696
+ * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject
697
+ * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
698
+ * Generators now use Rails 3 syntax (devise:install) instead of devise_install
699
+
700
+ ### 1.1.rc1 - 2010-04-14
701
+
702
+ * enhancements
703
+ * Rails 3 compatibility
704
+ * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions"
705
+ * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise
706
+ * Use metal for failure app
707
+ * HTML e-mails now have proper formatting
708
+ * Allow to give :skip and :controllers in routes
709
+ * Move trackable logic to the model
710
+ * E-mails now use any template available in the filesystem. Easy to create multipart e-mails
711
+ * E-mails asks headers_for in the model to set the proper headers
712
+ * Allow to specify haml in devise_views
713
+ * Compatibility with Mongoid
714
+ * Make config.devise available on config/application.rb
715
+ * TokenAuthenticatable now works with HTTP Basic Auth
716
+ * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself
717
+ * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3
718
+ * :activatable is included by default in your models
719
+
720
+ * bug fix
721
+ * Fix a bug with STI
722
+
723
+ * deprecations
724
+ * Rails 3 compatible only
725
+ * Removed support for MongoMapper
726
+ * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new"
727
+ * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead
728
+ * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options
729
+ * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
730
+ * :as and :scope in routes is deprecated. Use :path and :singular instead
731
+
732
+ ### 1.0.8 - 2010-06-22
733
+
734
+ * enhancements
735
+ * Support for latest MongoMapper
736
+ * Added anybody_signed_in? helper (by @SSDany)
737
+
738
+ * bug fix
739
+ * confirmation_required? is properly honored on active? calls. (by @paulrosania)
740
+
741
+ ### 1.0.7 - 2010-05-02
742
+
743
+ * bug fix
744
+ * Ensure password confirmation is always required
745
+
746
+ * deprecations
747
+ * authenticatable was deprecated and renamed to database_authenticatable
748
+ * confirmable is not included by default on generation
749
+
750
+ ### 1.0.6 - 2010-04-02
751
+
752
+ * bug fix
753
+ * Do not allow unlockable strategies based on time to access a controller.
754
+ * Do not send unlockable email several times.
755
+ * Allow controller to upstram custom! failures to Warden.
756
+
757
+ ### 1.0.5 - 2010-03-25
758
+
759
+ * bug fix
760
+ * Use prepend_before_filter in require_no_authentication.
761
+ * require_no_authentication on unlockable.
762
+ * Fix a bug when giving an association proxy to devise.
763
+ * Do not use lock! on lockable since it's part of ActiveRecord API.
764
+
765
+ ### 1.0.4 - 2010-03-02
766
+
767
+ * bug fix
768
+ * Fixed a bug when deleting an account with rememberable
769
+ * Fixed a bug with custom controllers
770
+
771
+ ### 1.0.3 - 2010-02-22
772
+
773
+ * enhancements
774
+ * HTML e-mails now have proper formatting
775
+ * Do not remove MongoMapper options in find
776
+
777
+ ### 1.0.2 - 2010-02-17
778
+
779
+ * enhancements
780
+ * Allows you set mailer content type (by @glennr)
781
+
782
+ * bug fix
783
+ * Uses the same content type as request on http authenticatable 401 responses
784
+
785
+ ### 1.0.1 - 2010-02-16
786
+
787
+ * enhancements
788
+ * HttpAuthenticatable is not added by default automatically.
789
+ * Avoid mass assignment error messages with current password.
790
+
791
+ * bug fix
792
+ * Fixed encryptors autoload
793
+
794
+ ### 1.0.0 - 2010-02-08
795
+
796
+ * deprecation
797
+ * :old_password in update_with_password is deprecated, use :current_password instead
798
+
799
+ * enhancements
800
+ * Added Registerable
801
+ * Added Http Basic Authentication support
802
+ * Allow scoped_views to be customized per controller/mailer class
803
+ * Allow authenticatable to used in change_table statements
804
+
805
+ ### 0.9.2 - 2010-02-04
806
+
807
+ * bug fix
808
+ * Ensure inactive user cannot sign in
809
+ * Ensure redirect to proper url after sign up
810
+
811
+ * enhancements
812
+ * Added gemspec to repo
813
+ * Added token authenticatable (by @grimen)
814
+
815
+ ### 0.9.1 - 2010-01-24
816
+
817
+ * bug fix
818
+ * Allow bigger salt size (by @jgeiger)
819
+ * Fix relative url root
820
+
821
+ ### 0.9.0 - 2010-01-20
822
+
823
+ * deprecation
824
+ * devise :all is deprecated
825
+ * :success and :failure flash messages are now :notice and :alert
826
+
827
+ * enhancements
828
+ * Added devise lockable (by @mhfs)
829
+ * Warden 0.9.0 compatibility
830
+ * Mongomapper 0.6.10 compatibility
831
+ * Added Devise.add_module as hooks for extensions (by @grimen)
832
+ * Ruby 1.9.1 compatibility (by @grimen)
833
+
834
+ * bug fix
835
+ * Accept path prefix not starting with slash
836
+ * url helpers should rely on find_scope!
837
+
838
+ ### 0.8.2 - 2010-01-12
839
+
840
+ * enhancements
841
+ * Allow Devise.mailer_sender to be a proc (by @grimen)
842
+
843
+ * bug fix
844
+ * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)
845
+
846
+ ### 0.8.1 - 2010-01-07
847
+
848
+ * enhancements
849
+ * Move salt to encryptors
850
+ * Devise::Lockable
851
+ * Moved view links into partial and I18n'ed them
852
+
853
+ * bug fix
854
+ * Bcrypt generator was not being loaded neither setting the proper salt
855
+
856
+ ### 0.8.0 - 2010-01-06
857
+
858
+ * enhancements
859
+ * Warden 0.8.0 compatibility
860
+ * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work
861
+ * Added :bcrypt encryptor (by @capotej)
862
+
863
+ * bug fix
864
+ * sign_in_count is also increased when user signs in via password change, confirmation, etc..
865
+ * More DataMapper compatibility (by @lancecarlson)
866
+
867
+ * deprecation
868
+ * Removed DeviseMailer.sender
869
+
870
+ ### 0.7.5 - 2010-01-01
871
+
872
+ * enhancements
873
+ * Set a default value for mailer to avoid find_template issues
874
+ * Add models configuration to MongoMapper::EmbeddedDocument as well
875
+
876
+ ### 0.7.4 - 2009-12-21
877
+
878
+ * enhancements
879
+ * Extract Activatable from Confirmable
880
+ * Decouple Serializers from Devise modules
881
+
882
+ ### 0.7.3 - 2009-12-15
883
+
884
+ * bug fix
885
+ * Give scope to the proper model validation
886
+
887
+ * enhancements
888
+ * Mail views are scoped as well
889
+ * Added update_with_password for authenticatable
890
+ * Allow render_with_scope to accept :controller option
891
+
892
+ ### 0.7.2 - 2009-12-14
893
+
894
+ * deprecation
895
+ * Renamed reset_confirmation! to resend_confirmation!
896
+ * Copying locale is part of the installation process
897
+
898
+ * bug fix
899
+ * Fixed render_with_scope to work with all controllers
900
+ * Allow sign in with two different users in Devise::TestHelpers
901
+
902
+ ### 0.7.1 - 2009-12-09
903
+
904
+ * enhancements
905
+ * Small enhancements for other plugins compatibility (by @grimen)
906
+
907
+ ### 0.7.0 - 2009-12-08
908
+
909
+ * deprecations
910
+ * :authenticatable is not included by default anymore
911
+
912
+ * enhancements
913
+ * Improve loading process
914
+ * Extract SessionSerializer from Authenticatable
915
+
916
+ ### 0.6.3 - 2009-12-02
917
+
918
+ * bug fix
919
+ * Added trackable to migrations
920
+ * Allow inflections to work
921
+
922
+ ### 0.6.2 - 2009-11-25
923
+
924
+ * enhancements
925
+ * More DataMapper compatibility
926
+ * Devise::Trackable - track sign in count, timestamps and ips
927
+
928
+ ### 0.6.1 - 2009-11-24
929
+
930
+ * enhancements
931
+ * Devise::Timeoutable - timeout sessions without activity
932
+ * DataMapper now accepts conditions
933
+
934
+ ### 0.6.0 - 2009-11-22
935
+
936
+ * deprecations
937
+ * :authenticatable is still included by default, but yields a deprecation warning
938
+
939
+ * enhancements
940
+ * Added DataMapper support
941
+ * Remove store_location from authenticatable strategy and add it to failure app
942
+ * Allow a strategy to be placed after authenticatable
943
+ * Do not rely attribute? methods, since they are not added on Datamapper
944
+
945
+ ### 0.5.6 - 2009-11-21
946
+
947
+ * enhancements
948
+ * Do not send nil to build (DataMapper compatibility)
949
+ * Allow to have scoped views
950
+
951
+ ### 0.5.5 - 2009-11-20
952
+
953
+ * enhancements
954
+ * Allow overwriting find for authentication method
955
+ * Remove Ruby 1.8.7 dependency
956
+
957
+ ### 0.5.4 - 2009-11-19
958
+
959
+ * deprecations
960
+ * Deprecate :singular in devise_for and use :scope instead
961
+
962
+ * enhancements
963
+ * Create after_sign_in_path_for and after_sign_out_path_for hooks to be
964
+ overwriten in ApplicationController
965
+ * Create sign_in_and_redirect and sign_out_and_redirect helpers
966
+ * Warden::Manager.default_scope is automatically configured to the first given scope
967
+
968
+ ### 0.5.3 - 2009-11-18
969
+
970
+ * bug fix
971
+ * MongoMapper now converts DateTime to Time
972
+ * Ensure all controllers are unloadable
973
+
974
+ * enhancements
975
+ * Moved friendly_token to Devise
976
+ * Added Devise.all, so you can freeze your app strategies
977
+ * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
978
+ in cases you don't want it be handlded automatically
979
+
980
+ ### 0.5.2 - 2009-11-17
981
+
982
+ * enhancements
983
+ * Improved sign_in and sign_out helpers to accepts resources
984
+ * Added stored_location_for as a helper
985
+ * Added test helpers
986
+
987
+ ### 0.5.1 - 2009-11-15
988
+
989
+ * enhancements
990
+ * Added serializers based on Warden ones
991
+ * Allow authentication keys to be set
992
+
993
+ ### 0.5.0 - 2009-11-13
994
+
995
+ * bug fix
996
+ * Fixed a bug where remember me module was not working properly
997
+
998
+ * enhancements
999
+ * Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs)
1000
+ * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
1001
+ * Added support for MongoMapper (by @shingara)
1002
+
1003
+ ### 0.4.3 - 2009-11-10
1004
+
1005
+ * bug fix
1006
+ * Authentication just fails if user cannot be serialized from session, without raising errors;
1007
+ * Default configuration values should not overwrite user values;
1008
+
1009
+ ### 0.4.2 - 2009-11-06
1010
+
1011
+ * deprecations
1012
+ * Renamed mail_sender to mailer_sender
1013
+
1014
+ * enhancements
1015
+ * skip_before_filter added in Devise controllers
1016
+ * Use home_or_root_path on require_no_authentication as well
1017
+ * Added devise_controller?, useful to select or reject filters in ApplicationController
1018
+ * Allow :path_prefix to be given to devise_for
1019
+ * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)
1020
+
1021
+ ### 0.4.1 - 2009-11-04
1022
+
1023
+ * bug fix
1024
+ * Ensure options can be set even if models were not loaded
1025
+
1026
+ ### 0.4.0 - 2009-11-03
1027
+
1028
+ * deprecations
1029
+ * Notifier is deprecated, use DeviseMailer instead. Remember to rename
1030
+ app/views/notifier to app/views/devise_mailer and I18n key from
1031
+ devise.notifier to devise.mailer
1032
+ * :authenticable calls are deprecated, use :authenticatable instead
1033
+
1034
+ * enhancements
1035
+ * Allow devise to be more agnostic and do not require ActiveRecord to be loaded
1036
+ * Allow Warden::Manager to be configured through Devise
1037
+ * Created a generator which creates an initializer
1038
+
1039
+ ### 0.3.0 - 2009-10-30
1040
+
1041
+ * bug fix
1042
+ * Allow yml messages to be configured by not using engine locales
1043
+
1044
+ * deprecations
1045
+ * Renamed confirm_in to confirm_within
1046
+ * Do not send confirmation messages when user changes their e-mail
1047
+ * Renamed authenticable to authenticatable and added deprecation warnings
1048
+
1049
+ ### 0.2.3 - 2009-10-29
1050
+
1051
+ * enhancements
1052
+ * Ensure fail! works inside strategies
1053
+ * Make unauthenticated message (when you haven't signed in) different from invalid message
1054
+
1055
+ * bug fix
1056
+ * Do not redirect on invalid authenticate
1057
+ * Allow model configuration to be set to nil
1058
+
1059
+ ### 0.2.2 - 2009-10-28
1060
+
1061
+ * bug fix
1062
+ * Fix a bug when using customized resources
1063
+
1064
+ ### 0.2.1 - 2009-10-27
1065
+
1066
+ * refactor
1067
+ * Clean devise_views generator to use devise existing views
1068
+
1069
+ * enhancements
1070
+ * Create instance variables (like @user) for each devise controller
1071
+ * Use Devise::Controller::Helpers only internally
1072
+
1073
+ * bug fix
1074
+ * Fix a bug with Mongrel and Ruby 1.8.6
1075
+
1076
+ ### 0.2.0 - 2009-10-24
1077
+
1078
+ * enhancements
1079
+ * Allow option :null => true in authenticable migration
1080
+ * Remove attr_accessible calls from devise modules
1081
+ * Customizable time frame for rememberable with :remember_for config
1082
+ * Customizable time frame for confirmable with :confirm_in config
1083
+ * Generators for creating a resource and copy views
1084
+
1085
+ * optimize
1086
+ * Do not load hooks or strategies if they are not used
1087
+
1088
+ * bug fixes
1089
+ * Fixed requiring devise strategies
1090
+
1091
+ ### 0.1.1 - 2009-10-21
1092
+
1093
+ * bug fixes
1094
+ * Fixed requiring devise mapping
1095
+
1096
+ ### 0.1.0 - 2009-10-21
1097
+
1098
+ * Devise::Authenticable
1099
+ * Devise::Confirmable
1100
+ * Devise::Recoverable
1101
+ * Devise::Validatable
1102
+ * Devise::Migratable
1103
+ * Devise::Rememberable
1104
+
1105
+ * SessionsController
1106
+ * PasswordsController
1107
+ * ConfirmationsController
1108
+
1109
+ * Create an example app
1110
+ * devise :all, :except => :rememberable
1111
+ * Use sign_in and sign_out in SessionsController
1112
+
1113
+ * Mailer subjects namespaced by model
1114
+ * Allow stretches and pepper per model
1115
+
1116
+ * Store session[:return_to] in session
1117
+ * Sign user in automatically after confirming or changing it's password