Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model

2026-01-10 08:08:00 -05:00 · 2012-06-16 14:04:29 +02:00
parent b1633f2454
commit 4bc2ff997a
5 changed files with 29 additions and 2 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -7,6 +7,7 @@
 * bug fix
  * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn)
  * Do not trigger timeout on sign in related actions
+  * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller)

 * deprecations
  * Strategy#validate() no longer validates nil resources
--- a/lib/devise/hooks/timeoutable.rb
+++ b/lib/devise/hooks/timeoutable.rb
@@ -12,7 +12,9 @@ Warden::Manager.after_set_user do |record, warden, options|

    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
      warden.logout(scope)
-      record.reset_authentication_token! if record.respond_to?(:reset_authentication_token!) && record.expire_auth_token_on_timeout
+      if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
+        record.reset_authentication_token!
+      end
      throw :warden, :scope => scope, :message => :timeout
    end

--- a/test/integration/timeoutable_test.rb
+++ b/test/integration/timeoutable_test.rb
@@ -68,6 +68,23 @@ class SessionTimeoutTest < ActionController::IntegrationTest
    assert_contain 'You are signed in'
  end

+  test 'admin does not explode on time out' do
+    admin = sign_in_as_admin
+    get expire_admin_path(admin)
+
+    Admin.send :define_method, :reset_authentication_token! do
+      nil
+    end
+
+    begin
+      get admins_path
+      assert_redirected_to admins_path
+      assert_not warden.authenticated?(:admin)
+    ensure
+      Admin.send(:remove_method, :reset_authentication_token!)
+    end
+  end
+
  test 'user configured timeout limit' do
    swap Devise, :timeout_in => 8.minutes do
      user = sign_in_as_user
--- a/test/rails_app/app/controllers/admins_controller.rb
+++ b/test/rails_app/app/controllers/admins_controller.rb
@@ -3,4 +3,9 @@ class AdminsController < ApplicationController

  def index
  end
+
+  def expire
+    admin_session['last_request_at'] = 31.minutes.ago.utc
+    render :text => 'Admin will be expired on next request'
+  end
 end
--- a/test/rails_app/config/routes.rb
+++ b/test/rails_app/config/routes.rb
@@ -9,7 +9,9 @@ Rails.application.routes.draw do
    end
  end

-  resources :admins, :only => [:index]
+  resources :admins, :only => [:index] do
+    get :expire, :on => :member
+  end

  # Users scope
  devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" }