spree_auth_devise 3.5.2 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45307062e764620c14c90a2e46698079e68fcc2cf4a275c9b68b4dd7c440e235
-  data.tar.gz: 51a0e596192d24d194635e319ae70894d3d7ff9dcb098c7783c0b70f865f3a53
+  metadata.gz: 0a4c46da7628319c592ae1a9675173fd8add8ca34dbb6fd7d5ffdb92345207c2
+  data.tar.gz: e6d9d38bc3e2fa09ff21fc024193160d04f2ba89c4439d8703b6a19f058a6fcd
 SHA512:
-  metadata.gz: 0467202177d333b27390f4f6fd025e54d8600dfa514419a93d8f9d836740928d7226f8f89a841c215cd5b7e7a83e266bd04f06af4bddd0e961c4faf12d7d944e
-  data.tar.gz: 9d362bd0a46360b6907526dfb50c193b2399551bcd64e7804a65521cc893fc50e49adaf01a7ac981530677dfab3db5345ae65a8f48eb835bd82d6a54378f9327
+  metadata.gz: 7f0c22c01027c613ab423d73af40ce43f02d4a14e26c76865ecd5a381943c2049366c52f2386697c4fa6a394c15d10b91da06b47d563a6f0081e897e948f77a5
+  data.tar.gz: 235a7977bb12281f9c3a0f00c0b99b59f7ee63d609b34e413ab530b1e2fde43384bc82e0dce91b784abf8f3518ae72a61d022916ceaa110394466e1aff854f39

data/.travis.yml

@@ -7,6 +7,7 @@ script:
 
 addons:
   chrome: stable
+  postgresql: 9.4
 
 env:
   - DB=mysql
@@ -17,17 +18,28 @@ language: ruby
 rvm:
   - 2.5.1
   - 2.4.4
-  - 2.3.7
+  - 2.3.8
 
 gemfile:
-  - gemfiles/spree_3_2.gemfile
   - gemfiles/spree_3_5.gemfile
   - gemfiles/spree_3_7.gemfile
+  - gemfiles/spree_4_0.gemfile
   - gemfiles/spree_master.gemfile
 
 matrix:
     allow_failures:
-          - gemfile: gemfiles/spree_master.gemfile
+      - gemfile: gemfiles/spree_master.gemfile
+    exclude:
+      - rvm: 2.3.8
+        gemfile: gemfiles/spree_4_0.gemfile
+      - rvm: 2.4.4
+        gemfile: gemfiles/spree_4_0.gemfile
+      - rvm: 2.3.8
+        gemfile: gemfiles/spree_master.gemfile
+      - rvm: 2.4.4
+        gemfile: gemfiles/spree_master.gemfile
+      - rvm: 2.5.1
+        gemfile: gemfiles/spree_3_5.gemfile
 
 before_install:
   - mysql -u root -e "GRANT ALL ON *.* TO 'travis'@'%';"

data/Appraisals

@@ -1,15 +1,16 @@
-appraise 'spree-3-2' do
-  gem 'spree', '~> 3.2.0'
-  gem 'rails-controller-testing'
-end
-
 appraise 'spree-3-5' do
   gem 'spree', '~> 3.5.0'
   gem 'rails-controller-testing'
 end
 
 appraise 'spree-3-7' do
-  gem 'spree', '~> 3.7.0.rc3'
+  gem 'sass-rails'
+  gem 'spree', '~> 3.7.0'
+  gem 'rails-controller-testing'
+end
+
+appraise 'spree-4-0' do
+  gem 'spree', '~> 4.0.0.rc2'
   gem 'rails-controller-testing'
 end
 

data/README.md

@@ -3,7 +3,7 @@
 [![Build Status](https://travis-ci.org/spree/spree_auth_devise.svg?branch=master)](https://travis-ci.org/spree/spree_auth_devise)
 [![Code Climate](https://codeclimate.com/github/spree/spree_auth_devise/badges/gpa.svg)](https://codeclimate.com/github/spree/spree_auth_devise)
 
-Provides authentication services for Spree, using the Devise gem.
+Provides authentication services for [Spree](https://spreecommerce.org), using the [Devise](https://github.com/plataformatec/devise) gem.
 
 
 ## Installation
@@ -119,10 +119,18 @@ This methodology can also be used by gems that extend spree and want/need to add
 
 If you encounter issues when using Ruby 2.5, please run:
 
-```
+```bash
 bundle update devise
 ```
 
+### Creating the default Admin user
+
+If you didn't created the Admin user from the installer you can run this rake task:
+
+```bash
+bundle exec rake spree_auth:admin:create
+```
+
 ## Testing
 
 You need to do a quick one-time creation of a test application and then you can use it to run the tests.

data/app/controllers/metal_decorator.rb

@@ -1,5 +1,5 @@
 # For the API
-ActionController::Metal.class_eval do
+module MetalDecorator
   def spree_current_user
     @spree_current_user ||=  if defined? env
                                env['warden'].user
@@ -8,3 +8,5 @@ ActionController::Metal.class_eval do
                              end
   end
 end
+
+ActionController::Metal.prepend(MetalDecorator)

data/app/views/spree/shared/_login.html.erb

@@ -1,18 +1,18 @@
 <%= form_for Spree::User.new, :as => :spree_user, :url => spree.create_new_session_path do |f| %>
   <div id="password-credentials">
-    <div class="form-group">
+    <p>
       <%= f.label :email, Spree.t(:email) %>
-      <%= f.email_field :email, placeholder: "#{Spree.t(:email)}", :class => 'form-control', :tabindex => 1, autofocus: true %>
-    </div>
-    <div class="form-group">
+      <%= f.email_field :email, :class => 'form-control', :tabindex => 1, autofocus: true %>
+    </p>
+    <p>
       <%= f.label :password, Spree.t(:password) %>
-      <%= f.password_field :password, placeholder: "#{Spree.t(:password)}", :class => 'form-control', :tabindex => 2 %>
-    </div>
-  </div>
-  <div>
-    <%= f.check_box :remember_me, :tabindex => 3 %>
-    <%= f.label :remember_me, Spree.t(:remember_me) %>
+      <%= f.password_field :password, :class => 'form-control', :tabindex => 2 %>
+    </p>
   </div>
+  <p class="form-check">
+    <%= f.check_box :remember_me, :tabindex => 3, :class => 'form-check-input' %>
+    <%= f.label :remember_me, Spree.t(:remember_me), :class => 'form-check-label' %>
+  </p>
 
-  <div><%= f.submit Spree.t(:login), :class => 'btn btn-lg btn-success btn-block', :tabindex => 4 %></div>
-<% end %>
+  <p><%= f.submit Spree.t(:login), :class => 'btn btn-lg btn-success btn-block', :tabindex => 4 %></p>
+<% end %>

data/app/views/spree/user_passwords/edit.html.erb

@@ -1,10 +1,10 @@
 <%= render :partial => 'spree/shared/error_messages', :locals => { :target => @spree_user } %>
-<div class="col-md-6 col-md-offset-3">
-  <div class="panel panel-default">
-    <div class="panel-heading">
-      <h3 class="panel-title"><%= Spree.t(:change_your_password) %></h3>
+<div class="col-lg-6 offset-lg-3">
+  <div class="card mb-3">
+    <div class="card-header">
+      <h3 class="card-title mb-0 h6"><%= Spree.t(:change_your_password) %></h3>
     </div>
-    <div class="panel-body">
+    <div class="card-body">
       <%= form_for @spree_user, :as => :spree_user, :url => spree.update_password_path, :method => :put do |f| %>
         <div class="form-group">
           <%= f.label :password, Spree.t(:password) %>

data/app/views/spree/user_passwords/new.html.erb

@@ -1,10 +1,10 @@
 <%= render :partial => 'spree/shared/error_messages', :locals => { :target => @spree_user } %>
-<div class="col-md-6 col-md-offset-3" id="forgot-password">
-  <div class="panel panel-default">
-    <div class="panel-heading">
-      <h3 class="panel-title"><%= Spree.t(:forgot_password) %></h3>
+<div class="col-lg-6 offset-lg-3" id="forgot-password">
+  <div class="card mb-3">
+    <div class="card-header">
+      <h3 class="card-title mb-0 h6"><%= Spree.t(:forgot_password) %></h3>
     </div>
-    <div class="panel-body">
+    <div class="card-body">
       <p><%= Spree.t(:instructions_to_reset_password) %></p>
 
       <%= form_for Spree::User.new, :as => :spree_user, :url => spree.reset_password_path do |f| %>

data/app/views/spree/user_registrations/new.html.erb

@@ -1,11 +1,11 @@
 <% @body_id = 'signup' %>
 <%= render :partial => 'spree/shared/error_messages', :locals => { :target => @user } %>
-<div class="col-md-6 col-md-offset-3">
-  <div class="panel panel-default">
-      <div class="panel-heading">
-        <h3 class="panel-title"><%= Spree.t(:new_customer) %></h3>
-    </div>
-      <div id="new-customer" class="panel-body" data-hook="login">
+<div class="col-lg-6 offset-lg-3">
+  <div class="card mb-3">
+      <div class="card-header">
+        <h3 class="card-title mb-0 h6"><%= Spree.t(:new_customer) %></h3>
+      </div>
+      <div id="new-customer" class="card-body" data-hook="login">
           <%= form_for resource, :as => :spree_user, :url => spree.registration_path do |f| %>
             <div data-hook="signup_inside_form">
               <%= render :partial => 'spree/shared/user_form', :locals => { :f => f } %>

data/app/views/spree/user_sessions/new.html.erb

@@ -1,10 +1,10 @@
 <% @body_id = 'login' %>
-<div class="col-md-6 <%= request.path == spree.login_path ? "col-md-offset-3" : "" %>">
-  <div class="panel panel-default">
-      <div class="panel-heading">
-        <h3 class="panel-title"><%= Spree.t(:login_as_existing) %></h3>
-    </div>
-      <div id="existing-customer" class="panel-body" data-hook="login">
+<div class="col-lg-6 <%= request.path == spree.login_path ? "offset-lg-3" : "" %>">
+  <div class="card mb-3">
+      <div class="card-header">
+        <h3 class="card-title mb-0 h6"><%= Spree.t(:login_as_existing) %></h3>
+      </div>
+      <div id="existing-customer" class="card-body" data-hook="login">
           <%= render :partial => 'spree/shared/login' %>
           <div class="text-center">
             <%= Spree.t(:or) %>

data/config/initializers/devise.rb

@@ -40,7 +40,7 @@ Devise.setup do |config|
   config.stretches = 20
 
   # Setup a pepper to generate the encrypted password.
-  config.pepper = Rails.configuration.secret_token
+  #  config.pepper = '<%= SecureRandom.hex(64) %>'
 
   # ==> Configuration for :confirmable
   # The time you want to give your user to confirm his account. During this time

data/config/locales/en.yml

@@ -41,6 +41,7 @@ en:
     user_registrations:
       destroyed: Bye! Your account was successfully cancelled. We hope to see you again soon.
       inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
+      signed_up_but_unconfirmed: You have signed up successfully.
       signed_up: Welcome! You have signed up successfully.
       updated: You updated your account successfully.
     user_sessions:

data/gemfiles/spree_3_7.gemfile

@@ -4,5 +4,6 @@ source "https://rubygems.org"
 
 gem "rails-controller-testing"
 gem "spree", "~> 3.7.0.rc3"
+gem "sass-rails"
 
 gemspec path: "../"

data/gemfiles/spree_4_0.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails-controller-testing"
+gem "spree", github: "spree/spree", tag: "v4.0.0.beta"
+
+gemspec path: "../"

data/lib/controllers/backend/spree/admin/{admin_controller_decorator.rb → base_controller_decorator.rb}

@@ -1,4 +1,4 @@
-Spree::Admin::BaseController.class_eval do
+module Spree::Admin::BaseControllerDecorator
   # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
   # Override this method in your controllers if you want to have special behavior in case the user is not authorized
   # to access the requested action.  For example, a popup window might simply close itself.
@@ -22,3 +22,4 @@ Spree::Admin::BaseController.class_eval do
     nil
   end
 end
+Spree::Admin::BaseController.prepend(Spree::Admin::BaseControllerDecorator)

data/lib/controllers/backend/spree/admin/orders/customer_details_controller_decorator.rb

@@ -1,5 +1,8 @@
-Spree::Admin::Orders::CustomerDetailsController.class_eval do
-  before_action :check_authorization
+module Spree::Admin::Orders::CustomerDetailsControllerDecorator
+
+  def self.prepended(base)
+    base.before_action :check_authorization
+  end
 
   private
 
@@ -14,3 +17,4 @@ Spree::Admin::Orders::CustomerDetailsController.class_eval do
     authorize! action, resource, session[:access_token]
   end
 end
+Spree::Admin::Orders::CustomerDetailsController.prepend(Spree::Admin::Orders::CustomerDetailsControllerDecorator)

data/lib/controllers/backend/spree/admin/{admin_orders_controller_decorator.rb → orders_controller_decorator.rb}

@@ -1,5 +1,8 @@
-Spree::Admin::OrdersController.class_eval do
-  before_action :check_authorization
+module Spree::Admin::OrdersControllerDecorator
+
+  def self.prepended(base)
+    base.before_action :check_authorization
+  end
 
   private
 
@@ -19,3 +22,4 @@ Spree::Admin::OrdersController.class_eval do
     end
   end
 end
+Spree::Admin::OrdersController.prepend(Spree::Admin::OrdersControllerDecorator)

data/lib/controllers/backend/spree/admin/resource_controller_decorator.rb

@@ -0,0 +1,6 @@
+module Spree::Admin::ResourceControllerDecorator
+  def self.prepended(base)
+    base.rescue_from CanCan::AccessDenied, with: :unauthorized
+  end
+end
+Spree::Admin::ResourceController.prepend(Spree::Admin::ResourceControllerDecorator)

data/lib/controllers/frontend/spree/checkout_controller_decorator.rb

@@ -1,7 +1,9 @@
 require 'spree/core/validators/email' if Spree.version.to_f < 3.5
-Spree::CheckoutController.class_eval do
-  before_action :check_authorization
-  before_action :check_registration, except: [:registration, :update_registration]
+module Spree::CheckoutControllerDecorator
+  def self.prepended(base)
+    base.before_action :check_authorization
+    base.before_action :check_registration, except: [:registration, :update_registration]
+  end
 
   def registration
     @user = Spree::User.new
@@ -39,3 +41,4 @@ Spree::CheckoutController.class_eval do
     redirect_to spree.checkout_registration_path
   end
 end
+Spree::CheckoutController.prepend(Spree::CheckoutControllerDecorator)

data/lib/controllers/frontend/spree/store_controller_decorator.rb

@@ -1,6 +1,7 @@
-Spree::StoreController.class_eval do
+module Spree::StoreControllerDecorator
   def account_link
     render partial: 'spree/shared/link_to_account'
     fresh_when(spree_current_user)
   end
 end
+Spree::StoreController.prepend(Spree::StoreControllerDecorator)

data/lib/controllers/frontend/spree/users_controller.rb

@@ -1,11 +1,11 @@
 class Spree::UsersController < Spree::StoreController
-  skip_before_action :set_current_order, only: :show
-  prepend_before_action :load_object, only: [:show, :edit, :update]
+skip_before_action :set_current_order, only: :show
   prepend_before_action :authorize_actions, only: :new
 
   include Spree::Core::ControllerHelpers
 
   def show
+    load_object
     @orders = @user.orders.complete.order('completed_at desc')
   end
 
@@ -23,8 +23,13 @@ class Spree::UsersController < Spree::StoreController
     end
   end
 
+  def edit
+    load_object
+  end
+
   def update
-    if @user.update_attributes(user_params)
+    load_object
+    if @user.update(user_params)
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes
         Spree::User.reset_password_by_token(params[:user])

data/lib/views/backend/spree/admin/user_sessions/new.html.erb

@@ -2,8 +2,8 @@
   <div class="alert alert-danger"><%= flash[:alert] %></div>
 <% end %>
 
-<div data-hook="login" class="panel">
-  <div class="panel-body">
+<div data-hook="login" class="card border-0">
+  <div class="card-body">
     <%= form_for Spree::User.new, :as => :spree_user, :url => spree.admin_create_new_session_path do |f| %>
       <div id="password-credentials">
         <div class="form-group text-center">
@@ -17,13 +17,13 @@
       </div>
       <div class="checkbox form-group">
         <div class="row">
-          <div class="col-md-6">
+          <div class="col-lg-6">
             <%= f.label :remember_me do %>
               <%= f.check_box :remember_me, :tabindex => 3 %>
               <%= Spree.t(:remember_me) %>
             <% end %>  
           </div>
-          <div class="col-md-6 text-right">
+          <div class="col-lg-6 text-right">
             <%= link_to Spree.t(:forgot_password), spree.recover_password_path %>
           </div>  
         </div>      

data/lib/views/backend/spree/layouts/login.html.erb

@@ -8,11 +8,11 @@
     <%= render partial: 'spree/admin/shared/head' %>
   </head>
 
-  <body>
+  <body class="pt-5">
     <div class="container">
 
       <div class="row">
-        <div class="col-md-4 col-md-offset-4">
+        <div class="col-lg-6 offset-lg-3">
           <%= render partial: 'spree/admin/shared/header' %>
 
           <%= flash_alert(flash) %>

data/lib/views/frontend/spree/checkout/_new_user.html.erb

@@ -1,9 +1,9 @@
-<div class="col-md-6">
-  <div class="panel panel-default">
-    <div class="panel-heading">
-      <h3 class="panel-title"><%= Spree.t(:create_a_new_account) %></h3>
+<div>
+  <div class="card mb-3">
+    <div class="card-header">
+      <h3 class="card-title mb-0 h6"><%= Spree.t(:create_a_new_account) %></h3>
     </div>
-    <div id="new-customer" class="panel-body" data-hook="login">
+    <div id="new-customer" class="card-body" data-hook="login">
       <%= form_for @user, :as => :spree_user, :url => spree.registration_path(@user) do |f| %>
         <div data-hook="signup_inside_form">
           <%= render :partial => 'spree/shared/user_form', :locals => { :f => f } %>

data/lib/views/frontend/spree/checkout/registration.html.erb

@@ -1,16 +1,16 @@
 <%= render :partial => 'spree/shared/error_messages', :locals => { :target => @user } %>
 <h1><%= Spree.t(:registration) %></h1>
 <div id="registration" class="row" data-hook>
-  <div id="account">
+  <div id="account" class="col-lg-6">
     <%= render :partial => 'new_user' %>
   </div>
   <% if Spree::Config[:allow_guest_checkout] %>
-    <div class="col-md-6">
-      <div class="panel panel-default">
-        <div class="panel-heading">
-          <h3 class="panel-title"><%= Spree.t(:guest_user_account) %></h3>
+    <div class="col-lg-6">
+      <div class="card mb-3">
+        <div class="card-header">
+          <h3 class="card-title mb-0 h6"><%= Spree.t(:guest_user_account) %></h3>
         </div>
-        <div id="guest_checkout" class="panel-body" data-hook>
+        <div id="guest_checkout" class="card-body" data-hook>
           <%= form_for @order, :url => update_checkout_registration_path, :method => :put, :html => { :id => 'checkout_form_registration' } do |f| %>
             <div class="form-group">
               <%= f.label :email, Spree.t(:email), class: 'required', title: 'required' %>

data/lib/views/frontend/spree/shared/_link_to_account.html.erb

@@ -1,6 +1,6 @@
 <% if spree_current_user %>
-  <li><%= link_to Spree.t(:my_account), spree.account_path %></li>
-  <li><%= link_to Spree.t(:logout), spree.logout_path %></li>
+  <li class="nav-item"><%= link_to Spree.t(:my_account), spree.account_path, :class => 'nav-link text-white' %></li>
+  <li class="nav-item"><%= link_to Spree.t(:logout), spree.logout_path, :class => 'nav-link text-white' %></li>
 <% else %>
-  <li id="link-to-login"><%= link_to Spree.t(:login), spree.login_path %></li>
+  <li id="link-to-login" class="nav-item"><%= link_to Spree.t(:login), spree.login_path, :class => 'nav-link text-white' %></li>
 <% end %>

data/lib/views/frontend/spree/users/edit.html.erb

@@ -1,9 +1,9 @@
-<div class="col-md-6 col-md-offset-3">
-  <div class="panel panel-default">
-    <div class="panel-heading">
-      <h3 class="panel-title"><%= Spree.t(:editing_user) %></h3>
+<div class="col-lg-6 offset-lg-3">
+  <div class="card mb-3">
+    <div class="card-header">
+      <h3 class="card-title mb-0 h6"><%= Spree.t(:editing_user) %></h3>
     </div>
-    <div class="panel-body">
+    <div class="card-body">
       <%= render :partial => 'spree/shared/error_messages', :locals => { :target => @user } %>
 
       <%= form_for Spree::User.new, :as => @user, :url => spree.user_path(@user), :method => :put do |f| %>

data/lib/views/frontend/spree/users/show.html.erb

@@ -1,7 +1,7 @@
 <h1><%= accurate_title %></h1>
 
-<div data-hook="account_summary" class="account-summary well">
-  <dl id="user-info">
+<div data-hook="account_summary" class="account-summary card bg-light mb-3">
+  <dl id="user-info" class="card-body">
     <dt><%= Spree.t(:email) %></dt>
     <dd><%= @user.email %> (<%= link_to Spree.t(:edit), spree.edit_account_path %>)</dd>
     <br />
@@ -41,7 +41,7 @@
       </tbody>
     </table>
   <% else %>
-    <div class="alert alert-info"><%= Spree.t(:you_have_no_orders_yet) %></div>
+    <div class="alert alert-info" role="alert"><%= Spree.t(:you_have_no_orders_yet) %></div>
   <% end %>
   <br />
 

data/spec/controllers/spree/checkout_controller_spec.rb

@@ -91,7 +91,11 @@ RSpec.describe Spree::CheckoutController, type: :controller do
         before do
           allow(controller).to receive(:spree_current_user) { user }
           allow(order).to receive(:user) { user }
-          allow(order).to receive(:guest_token) { nil }
+          if Spree.version.to_f > 3.6
+            allow(order).to receive(:token) { nil }
+          else
+            allow(order).to receive(:guest_token) { nil }
+          end
         end
 
         it 'redirects to the standard order view' do
@@ -111,7 +115,11 @@ RSpec.describe Spree::CheckoutController, type: :controller do
 
     it 'checks if the user is authorized for :edit' do
       expect(controller).to receive(:authorize!).with(:edit, order, token)
-      request.cookie_jar.signed[:guest_token] = token
+      if Spree.version.to_f > 3.6
+        request.cookie_jar.signed[:token] = token
+      else
+        request.cookie_jar.signed[:guest_token] = token
+      end
       spree_get :registration, {}
     end
   end
@@ -121,7 +129,7 @@ RSpec.describe Spree::CheckoutController, type: :controller do
 
     it 'does not check registration' do
       controller.stub :check_authorization
-      order.stub update_attributes: true
+      order.stub update: true
       controller.should_not_receive :check_registration
       spree_put :update_registration, { order: {} }
     end
@@ -134,15 +142,19 @@ RSpec.describe Spree::CheckoutController, type: :controller do
     end
 
     it 'redirects to the checkout_path after saving' do
-      allow(order).to receive(:update_attributes) { true }
+      allow(order).to receive(:update) { true }
       allow(controller).to receive(:check_authorization)
       spree_put :update_registration, { order: { email: 'jobs@spreecommerce.com' } }
       expect(response).to redirect_to spree.checkout_state_path(:address)
     end
 
     it 'checks if the user is authorized for :edit' do
-      request.cookie_jar.signed[:guest_token] = token
-      allow(order).to receive(:update_attributes) { true }
+      if Spree.version.to_f > 3.6
+        request.cookie_jar.signed[:token] = token
+      else
+        request.cookie_jar.signed[:guest_token] = token
+      end
+      allow(order).to receive(:update) { true }
       expect(controller).to receive(:authorize!).with(:edit, order, token)
       spree_put :update_registration, { order: { email: 'jobs@spreecommerce.com' } }
     end

data/spec/controllers/spree/user_registrations_controller_spec.rb

@@ -11,11 +11,19 @@ RSpec.describe Spree::UserRegistrationsController, type: :controller do
 
     context 'with a guest token present' do
       before do
-        request.cookie_jar.signed[:guest_token] = 'ABC'
+        if Spree.version.to_f > 3.6
+          request.cookie_jar.signed[:token] = 'ABC'
+        else
+          request.cookie_jar.signed[:guest_token] = 'ABC'
+        end
       end
 
       it 'assigns orders with the correct token and no user present' do
-        order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+        if Spree.version.to_f > 3.6
+          order = create(:order, token: 'ABC', user_id: nil, created_by_id: nil)
+        else
+          order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+        end
         spree_post :create, spree_user: { email: 'foobar@example.com', password: 'foobar123', password_confirmation: 'foobar123' }
         user = Spree::User.find_by_email('foobar@example.com')
 
@@ -25,14 +33,22 @@ RSpec.describe Spree::UserRegistrationsController, type: :controller do
       end
 
       it 'does not assign orders with an existing user' do
-        order = create(:order, guest_token: 'ABC', user_id: 200)
+        if Spree.version.to_f > 3.6
+          order = create(:order, token: 'ABC', user_id: 200)
+        else
+          order = create(:order, guest_token: 'ABC', user_id: 200)
+        end
         spree_post :create, spree_user: { email: 'foobar@example.com', password: 'foobar123', password_confirmation: 'foobar123' }
 
         expect(order.reload.user_id).to eq 200
       end
 
       it 'does not assign orders with a different token' do
-        order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+        if Spree.version.to_f > 3.6
+          order = create(:order, token: 'DEF', user_id: nil, created_by_id: nil)
+        else
+          order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+        end
         spree_post :create, spree_user: { email: 'foobar@example.com', password: 'foobar123', password_confirmation: 'foobar123' }
 
         expect(order.reload.user_id).to be_nil

data/spec/controllers/spree/user_sessions_controller_spec.rb

@@ -59,11 +59,19 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
 
       context 'with a guest token present' do
         before do
-          request.cookie_jar.signed[:guest_token] = 'ABC'
+          if Spree.version.to_f > 3.6
+            request.cookie_jar.signed[:token] = 'ABC'
+          else
+            request.cookie_jar.signed[:guest_token] = 'ABC'
+          end
         end
 
         it 'assigns orders with the correct token and no user present' do
-          order = create(:order, email: user.email, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          if Spree.version.to_f > 3.6
+            order = create(:order, email: user.email, token: 'ABC', user_id: nil, created_by_id: nil)
+          else
+            order = create(:order, email: user.email, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          end
           spree_post :create, spree_user: { email: user.email, password: 'secret' }
 
           order.reload
@@ -72,7 +80,11 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
         end
 
         it 'assigns orders with the correct token and no user or email present' do
-          order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          if Spree.version.to_f > 3.6
+            order = create(:order, token: 'ABC', user_id: nil, created_by_id: nil)
+          else
+            order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          end
           spree_post :create, spree_user: { email: user.email, password: 'secret' }
 
           order.reload
@@ -81,9 +93,15 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
         end
 
         it 'does not assign completed orders' do
-          order = create(:order, email: user.email, guest_token: 'ABC',
-                         user_id: nil, created_by_id: nil,
-                         completed_at: 1.minute.ago)
+          if Spree.version.to_f > 3.6
+            order = create(:order, email: user.email, token: 'ABC',
+                           user_id: nil, created_by_id: nil,
+                           completed_at: 1.minute.ago)
+          else
+            order = create(:order, email: user.email, guest_token: 'ABC',
+                           user_id: nil, created_by_id: nil,
+                           completed_at: 1.minute.ago)
+          end
           spree_post :create, spree_user: { email: user.email, password: 'secret' }
 
           order.reload
@@ -92,14 +110,22 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
         end
 
         it 'does not assign orders with an existing user' do
-          order = create(:order, guest_token: 'ABC', user_id: 200)
+          if Spree.version.to_f > 3.6
+              order = create(:order, token: 'ABC', user_id: 200)
+          else
+              order = create(:order, guest_token: 'ABC', user_id: 200)
+          end
           spree_post :create, spree_user: { email: user.email, password: 'secret' }
 
           expect(order.reload.user_id).to eq 200
         end
 
         it 'does not assign orders with a different token' do
-          order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+          if Spree.version.to_f > 3.6
+              order = create(:order, token: 'DEF', user_id: nil, created_by_id: nil)
+          else
+              order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+          end
           spree_post :create, spree_user: { email: user.email, password: 'secret' }
 
           expect(order.reload.user_id).to be_nil

data/spec/features/checkout_spec.rb

@@ -133,11 +133,10 @@ RSpec.feature 'Checkout', :js, type: :feature do
 
       expect(page).to have_text 'Registration'
 
-      fill_in 'Email', with: 'email@person.com'
+      fill_in 'Email', with: 'email@person.com', match: :first
       fill_in 'Password', with: 'spree123'
       fill_in 'Password Confirmation', with: 'spree123'
       click_button 'Create'
-
       expect(page).to have_text 'You have signed up successfully.'
 
       str_addr = 'bill_address'

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -22,6 +22,12 @@ RSpec.configure do |config|
 
   config.order = :random
   Kernel.srand(config.seed)
+
+  config.before(:each) do
+    allow(RSpec::Rails::ViewRendering::EmptyTemplateHandler)
+      .to receive(:call)
+      .and_return(%("")) if Rails.gem_version >= Gem::Version.new('6.0.0.beta1')
+  end
 end
 
 Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].each { |f| require f }

data/spree_auth_devise.gemspec

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = 'spree_auth_devise'
-  s.version     = '3.5.2'
+  s.version     = '4.0.1'
   s.summary     = 'Provides authentication and authorization services for use with Spree by using Devise and CanCan.'
   s.description = s.summary
 
@@ -19,12 +19,13 @@ Gem::Specification.new do |s|
   s.require_path = 'lib'
   s.requirements << 'none'
 
-  s.add_dependency 'devise', '>= 4.4', '< 4.7'
+  s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
 
-  spree_version = '>= 3.1.0', '< 4.0'
+  spree_version = '>= 3.1.0', '< 4.1'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'
+  s.add_dependency 'deface', '~> 1.0'
 
   s.add_development_dependency 'capybara', '~> 2.7'
   s.add_development_dependency 'capybara-screenshot'

metadata

@@ -1,33 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: spree_auth_devise
 version: !ruby/object:Gem::Version
-  version: 3.5.2
+  version: 4.0.1
 platform: ruby
 authors:
 - Sean Schofield
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-07-03 00:00:00.000000000 Z
+date: 2021-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4.4'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '4.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4.4'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '4.7'
 - !ruby/object:Gem::Dependency
@@ -53,7 +47,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -63,7 +57,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_extension
   requirement: !ruby/object:Gem::Requirement
@@ -78,6 +72,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: deface
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
@@ -311,7 +319,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -321,7 +329,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: spree_frontend
   requirement: !ruby/object:Gem::Requirement
@@ -331,7 +339,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -341,7 +349,7 @@ dependencies:
         version: 3.1.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -432,16 +440,17 @@ files:
 - gemfiles/spree_3_2.gemfile
 - gemfiles/spree_3_5.gemfile
 - gemfiles/spree_3_7.gemfile
+- gemfiles/spree_4_0.gemfile
 - gemfiles/spree_master.gemfile
 - lib/assets/javascripts/spree/backend/spree_auth.js.erb
 - lib/assets/javascripts/spree/frontend/account.js
 - lib/assets/javascripts/spree/frontend/spree_auth.js.erb
 - lib/assets/stylesheets/spree/backend/spree_auth.css.erb
 - lib/assets/stylesheets/spree/frontend/spree_auth.css.erb
-- lib/controllers/backend/spree/admin/admin_controller_decorator.rb
-- lib/controllers/backend/spree/admin/admin_orders_controller_decorator.rb
-- lib/controllers/backend/spree/admin/admin_resource_controller_decorator.rb
+- lib/controllers/backend/spree/admin/base_controller_decorator.rb
 - lib/controllers/backend/spree/admin/orders/customer_details_controller_decorator.rb
+- lib/controllers/backend/spree/admin/orders_controller_decorator.rb
+- lib/controllers/backend/spree/admin/resource_controller_decorator.rb
 - lib/controllers/backend/spree/admin/user_passwords_controller.rb
 - lib/controllers/backend/spree/admin/user_sessions_controller.rb
 - lib/controllers/frontend/spree/checkout_controller_decorator.rb
@@ -495,6 +504,7 @@ files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb
@@ -513,7 +523,7 @@ homepage: https://spreecommerce.org
 licenses:
 - BSD-3-Clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -529,8 +539,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.0.2
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Provides authentication and authorization services for use with Spree by
   using Devise and CanCan.
@@ -562,6 +572,7 @@ test_files:
 - spec/mailers/user_mailer_spec.rb
 - spec/models/order_spec.rb
 - spec/models/user_spec.rb
+- spec/requests/spree/frontend/user_update_spec.rb
 - spec/spec_helper.rb
 - spec/support/ability.rb
 - spec/support/add_to_cart.rb

data/lib/controllers/backend/spree/admin/admin_resource_controller_decorator.rb

@@ -1,3 +0,0 @@
-Spree::Admin::ResourceController.class_eval do
-  rescue_from CanCan::AccessDenied, with: :unauthorized
-end