314 Commits

Author SHA1 Message Date
Olivier Brisse
36690f33a4 Make #increment_failed_attempts concurrency safe
Backported from https://github.com/plataformatec/devise/pull/4996
2019-03-15 09:54:25 +11:00
Ralin Chimev
a7dcf98f7e Fix overwriting the remember_token when a valid one already exists (#4101)
The remember_token should not get overwritten when a user is
signing in and a valid token already exists.

Fixes #3950.
2016-05-15 12:12:48 -03:00
Justin Bull
07e907ec26 🪲 Fix strategy checking in #unlock_strategy_enabled? for :none and undefined strategies
A bug that if the unlock strategy was set to `:both`, it would return true for all & any inputs

See #4072
2016-05-02 23:46:08 -03:00
MatBi
1d57169c7b Send confirmation instructions when a user updates the email address from nil 2016-04-25 16:51:40 -03:00
Lucas Mazza
57fdae1e48 Attempt to coerce the generated_at cookie to a Time object.
Time objects aren't properly coerced back when using the JSON cookie serialization,
so we need to do it ourselves.

To avoid any new JSON serialization issues, we now store the `generated_at` as
a String with the timestamp seconds + milliseconds in the cookie but still the
previous JSON encoded format.

Thanks to @boblail at https://github.com/plataformatec/devise/pull/3917 for the
initial patch.
2016-01-31 16:25:10 -02:00
José Valim
048d05a553 Ensure generated_at is a Time 2016-01-25 11:17:05 +01:00
José Valim
c92996646a Store creation timestamp on remember cookies
Signed-off-by: José Valim <jose.valim@plataformatec.com.br>
2016-01-18 14:47:31 +01:00
Kacper Walanus
ba5dd0a41a test for save in after_create hook breaks devise confirmation [3787] 2015-12-15 11:41:48 -02:00
Stan Hu
f71d843f93 Only clear the reset token on an update
This solves the issue where a package might do:

```
user = User.new
user.email = 'test@test.com'
token = user.generate_reset_token
user.save

send_reset_email(token)
```

Since the save clears the reset token, the user will receive a stale token that no longer works.

Closes #3774
2015-12-09 11:14:50 -08:00
José Valim
19b1e2a6bc Merge pull request #3846 from seddy/make_email_optional_on_recoverable
Allow resources with no email field to be recoverable
2015-12-09 14:39:32 +01:00
José Valim
901919f25f Revert "Merge pull request #3774 from stanhu/reset-token-only-if-not-persisted"
This reverts commit 15c38d918f, reversing
changes made to 508c3418f9.
2015-12-09 14:21:09 +01:00
Lucas Mazza
15c38d918f Merge pull request #3774 from stanhu/reset-token-only-if-not-persisted
Only clear the reset password token if the model has already been persisted
2015-12-09 10:54:36 -02:00
Ed Saunders
d98e98fe77 Add a test for when a recoverable resource has a non-AR email field 2015-12-08 16:01:39 +00:00
Andy Geers
d3f521925e Write unit test for bug fix 2015-11-18 22:21:03 +00:00
Stan Hu
619128cb9b Only clear the reset password token if the model has already been persisted
If a new user is created with a reset password token, the previous behavior
would automatically clear the token even when it was desired for setting
the password for the first time.
2015-10-02 12:30:57 -07:00
Adrian Mugnolo
c334179c95 Fix typo: successful 2015-09-30 19:31:49 -03:00
Jon Phenow
e9c82472ff quick comment touch-ups 2015-08-27 10:26:12 -05:00
Jon Phenow
c744dcf07a tests 2015-08-27 10:26:12 -05:00
Vincent Woo
eb640ed344 Do not use digests for confirmation tokens 2015-07-30 01:55:50 -07:00
José Valim
e641b4b7b9 Also reset password token on email change 2015-05-26 15:09:07 +02:00
José Valim
fe49e625e8 Do not accept empty authentication_salt too 2015-05-26 15:04:27 +02:00
José Valim
31901bc862 Clear up reset password token whenever encrypted password changes 2015-05-26 15:00:12 +02:00
Nicolas Viennot
c22e7133b6 Removes the bang in confirm! and reset_password!
Closes #3412 and #3570.
2015-04-19 11:47:44 -04:00
Ronald Chan
3f95ac8fec Keep used confirmation tokens for more user friendly error message (fixes #3429) 2015-01-19 22:30:13 +13:00
Brent Wheeldon
cb89e4435c Only set token back if password reset fails.
This prevents the digested version of the token being saved when a reset
is successful.
2014-12-01 17:58:18 -05:00
Irfan Ahmed
0e218d8a01 ensure digested token for reset password token is valid 2014-11-25 18:32:58 +06:00
Tim Scott
3b882dadac Made ensure valid a named param for confirm!, and added a test. 2014-11-19 16:48:35 -06:00
Logan Leger
c7cc91cb65 Update password length validation to 72 characters max
BCrypt has a limit of 72 characters for the password. Anything beyond 72
characters is truncated. This commit updates the validation to limit
passwords to less than 72 characters, keeping within the limitation.
2014-11-18 23:10:01 -06:00
James Kiesel
c1864663aa Localize confirmable tests 2014-10-21 02:28:58 +13:00
Lucas Mazza
8e5c098e3a Merge pull request #3153 from plataformatec/lm-rails-4-2
Rails 4.2 compatibility
2014-10-03 14:07:59 -03:00
Lucas Mazza
1d8890b773 Merge branch 'master' into lm-rails-4-2 2014-10-03 09:41:23 -03:00
Lucas Mazza
8b15184a25 Use the last_attempt_warning configuration with the lockable unauthenticated_message message.
This configuration was added in #2687 but it was never used in the real code that
defines what message should be used by the app.
2014-10-02 18:50:48 -03:00
Lucas Mazza
ed109ac3d5 Merge swap usage into a single method call. 2014-10-02 18:42:46 -03:00
Lucas Mazza
7eeaac9db1 Merge branch 'master' into lm-rails-4-2 2014-09-29 17:30:30 -03:00
Lucas Mazza
39ed332299 Ensure that we sanitize any AC::Parameters in find_or_initialize_with_errors.
As we are already slicing the Hash, we must be sure that this method will send
a "safe" object down to the other finder methods that will use the Hash entries
to do the querying.
2014-09-18 18:21:05 -03:00
Lucas Mazza
716d128e27 Restore global allow_unconfirmed_access_for after test 2014-09-08 17:38:06 -03:00
alexsoble
039b75ba83 Incorporated edits from @lucasmazza, wrote integration tests for password reminder feature 2014-08-06 11:04:46 -04:00
Lucas Mazza
08d8591dfd Merge pull request #3038 from kushkella/non-bang-method-trackable
added non-bang version of update_tracked_fields
2014-05-24 00:58:06 -03:00
Kush Kella
dd56dc7da6 added test for update_tracked_fields method 2014-05-22 11:11:13 -07:00
randoum
4ee2402cd7 lock_access! better failure message 2014-05-16 06:02:11 +08:00
randoum
d8ee3e49cb lock_access! better failure message 2014-05-16 05:57:18 +08:00
Lauro Caetano
f7fdde1ab0 Add the invalidate_all_sessions_on_logout configuration to invalidate
all the remember me tokens when the user signs out.
2014-04-04 16:17:26 -03:00
Karl Entwistle
de57ef83fb Find a resource based off its encrypted reset_password_token 2014-03-31 14:58:52 +01:00
Anshul Sharma
dc1b399a8b Updated ruby 1.9 hash syntax 2014-02-25 22:12:55 +05:30
Tobin Juday
2ba8275dcc Fix off-by-one error in Lockable module
When using the maximum_attempts config, Devise actually let you fail n
+ 1 times, not n times.

See https://github.com/plataformatec/devise/issues/2825 for details.
2014-01-06 23:51:45 -05:00
Moises Vargas M
be236fa6dd lock_access! without sending email 2013-12-24 11:51:24 -05:00
Erik Michaels-Ober
3f03ec02ad Cleanup trailing whitespace 2013-12-05 09:03:32 +01:00
Erik Michaels-Ober
26e85c44e2 Removed use of gendered pronouns 2013-12-02 10:02:17 +01:00
Rodrigo Navarro
3e3a3ad102 Small typo. 2013-11-28 09:00:59 -02:00
Lucas Mazza
bf5bcd52cb Bring password_digest back.
This method is part of the protected API and is used by custom
encryption engines (like `devise-encryptable`) to hook the custom
encryption logic in the models.

Fixes #2730
2013-11-08 16:22:31 -02:00