Release 1.1.9

Conflicts:

	lib/devise/models/authenticatable.rb

CHANGELOG.rdoc

@@ -1,3 +1,59 @@
+== 1.1.9
+
+* bugfix
+  * double check if warden has not halted
+
+== 1.1.8
+
+* bugfix
+  * Ensure you can't inject Mongoid queries using token authenticatable
+
+== 1.1.7
+
+* bugfix
+  * Fix a backward incompatible change with versions prior to Rails 3.0.4
+
+== 1.1.6
+
+* bugfix
+  * Use a more secure e-mail regexp
+  * Implement Rails 3.0.4 handle unverified request
+  * Use secure_compare to compare passwords
+
+== 1.1.5
+
+* bugfix
+  * Ensure to convert keys on indifferent hash
+
+* defaults
+  * Set config.http_authenticatable to false to avoid confusion
+
+== 1.1.4
+
+* bugfix
+  * Avoid session fixation attacks
+
+== 1.1.3
+
+* bugfix
+  * Add reply-to to e-mail headers by default
+  * Updated the views generator to respect the rails :template_engine option (by github.com/fredwu)
+  * Check the type of HTTP Authentication before using Basic headers
+  * Avoid invalid_salt errors by checking salt presence (by github.com/thibaudgg)
+  * Forget user deletes the right cookie before logout, not remembering the user anymore (by github.com/emtrane)
+  * Fix for failed first-ever logins on PostgreSQL where column default is nil (by github.com/bensie)
+  * :default options is now honored in migrations
+
+== 1.1.2
+
+* bugfix
+  * Compatibility with latest Rails routes schema
+
+== 1.1.1
+
+* bugfix
+  * Fix a small bug where generated locale file was empty on devise:install
+
 == 1.1.0
 
 * enhancements

Gemfile

@@ -1,23 +1,27 @@
 source "http://rubygems.org"
 
-if File.exist? File.expand_path('../../rails', __FILE__)
-  gem "rails", :path => "../rails"
-else
-  gem "rails", :git => "git://github.com/rails/rails.git"
+gemspec
+
+gem "rails", "~> 3.0.4"
+
+group :test do
+  gem "webrat", "0.7.2", :require => false
+  gem "mocha", :require => false
 end
 
-gem "warden", "0.10.7"
-gem "sqlite3-ruby"
-gem "webrat", "0.7.0"
-gem "mocha", :require => false
-gem "bcrypt-ruby", :require => "bcrypt"
-
-if RUBY_VERSION < '1.9'
-  gem "ruby-debug", ">= 0.10.3"
+platforms :jruby do
+  gem 'activerecord-jdbcsqlite3-adapter'
 end
 
-group :mongoid do
-  gem "mongo"
-  gem "mongoid", :git => "git://github.com/durran/mongoid.git"
-  gem "bson_ext"
-end
+platforms :ruby do
+  group :test do
+    gem "sqlite3-ruby"
+    gem "ruby-debug", ">= 0.10.3" if RUBY_VERSION < '1.9'
+  end
+
+  group :mongoid do
+    gem "mongo", "1.1.2"
+    gem "mongoid", "2.0.0.beta.20"
+    gem "bson_ext", "1.1.2"
+  end
+end

Gemfile.lock

@@ -1,118 +1,115 @@
-GIT
-  remote: git://github.com/durran/mongoid.git
-  revision: a5abe21
-  specs:
-    mongoid (2.0.0.beta9)
-      activemodel (~> 3.0.0.beta)
-      bson (~> 1.0.3)
-      mongo (~> 1.0.3)
-      tzinfo (~> 0.3.22)
-      will_paginate (~> 3.0.pre)
-
 PATH
-  remote: /Users/jose/Work/github/rails
+  remote: .
   specs:
-    actionmailer (3.0.0.beta4)
-      actionpack (= 3.0.0.beta4)
-      mail (~> 2.2.5)
-    actionpack (3.0.0.beta4)
-      activemodel (= 3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-      builder (~> 2.1.2)
-      erubis (~> 2.6.6)
-      i18n (~> 0.4.1)
-      rack (~> 1.2.1)
-      rack-mount (~> 0.6.9)
-      rack-test (~> 0.5.4)
-      tzinfo (~> 0.3.22)
-    activemodel (3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-      builder (~> 2.1.2)
-      i18n (~> 0.4.1)
-    activerecord (3.0.0.beta4)
-      activemodel (= 3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-      arel (~> 0.4.0)
-      tzinfo (~> 0.3.22)
-    activeresource (3.0.0.beta4)
-      activemodel (= 3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-    activesupport (3.0.0.beta4)
-    rails (3.0.0.beta4)
-      actionmailer (= 3.0.0.beta4)
-      actionpack (= 3.0.0.beta4)
-      activerecord (= 3.0.0.beta4)
-      activeresource (= 3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-      bundler (>= 1.0.0.beta.10)
-      railties (= 3.0.0.beta4)
-    railties (3.0.0.beta4)
-      actionpack (= 3.0.0.beta4)
-      activesupport (= 3.0.0.beta4)
-      rake (>= 0.8.3)
-      thor (~> 0.14.0)
+    devise (1.1.8)
+      bcrypt-ruby (~> 2.1.2)
+      warden (~> 1.0.2)
 
 GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    arel (0.4.0)
-      activesupport (>= 3.0.0.beta)
-    bcrypt-ruby (2.1.2)
-    bson (1.0.4)
-    bson_ext (1.0.4)
+    actionmailer (3.0.4)
+      actionpack (= 3.0.4)
+      mail (~> 2.2.15)
+    actionpack (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.4)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.13)
+      rack-test (~> 0.5.7)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
+      builder (~> 2.1.2)
+      i18n (~> 0.4)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+      arel (~> 2.0.2)
+      tzinfo (~> 0.3.23)
+    activeresource (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+    activesupport (3.0.4)
+    arel (2.0.8)
+    bcrypt-ruby (2.1.4)
+    bson (1.1.2)
+    bson_ext (1.1.2)
     builder (2.1.2)
-    columnize (0.3.1)
+    columnize (0.3.2)
     erubis (2.6.6)
       abstract (>= 1.0.0)
-    i18n (0.4.1)
+    i18n (0.5.0)
     linecache (0.43)
-    mail (2.2.5)
+    mail (2.2.15)
       activesupport (>= 2.3.6)
-      mime-types
-      treetop (>= 1.4.5)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
     mime-types (1.16)
-    mocha (0.9.8)
+    mocha (0.9.9)
       rake
-    mongo (1.0.5)
-      bson (>= 1.0.4)
-    nokogiri (1.4.2)
+    mongo (1.1.2)
+      bson (>= 1.1.1)
+    mongoid (2.0.0.beta.20)
+      activemodel (~> 3.0)
+      mongo (~> 1.1)
+      tzinfo (~> 0.3.22)
+      will_paginate (~> 3.0.pre)
+    nokogiri (1.4.4)
     polyglot (0.3.1)
     rack (1.2.1)
-    rack-mount (0.6.9)
+    rack-mount (0.6.13)
       rack (>= 1.0.0)
-    rack-test (0.5.4)
+    rack-test (0.5.7)
       rack (>= 1.0)
+    rails (3.0.4)
+      actionmailer (= 3.0.4)
+      actionpack (= 3.0.4)
+      activerecord (= 3.0.4)
+      activeresource (= 3.0.4)
+      activesupport (= 3.0.4)
+      bundler (~> 1.0)
+      railties (= 3.0.4)
+    railties (3.0.4)
+      actionpack (= 3.0.4)
+      activesupport (= 3.0.4)
+      rake (>= 0.8.7)
+      thor (~> 0.14.4)
     rake (0.8.7)
-    ruby-debug (0.10.3)
+    ruby-debug (0.10.4)
       columnize (>= 0.1)
-      ruby-debug-base (~> 0.10.3.0)
-    ruby-debug-base (0.10.3)
+      ruby-debug-base (~> 0.10.4.0)
+    ruby-debug-base (0.10.4)
       linecache (>= 0.3)
-    sqlite3-ruby (1.3.1)
-    thor (0.14.0)
-    treetop (1.4.8)
+    sqlite3-ruby (1.3.2)
+    thor (0.14.6)
+    treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.22)
-    warden (0.10.7)
+    tzinfo (0.3.24)
+    warden (1.0.3)
       rack (>= 1.0.0)
-    webrat (0.7.0)
+    webrat (0.7.2)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    will_paginate (3.0.pre)
+    will_paginate (3.0.pre2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bcrypt-ruby
-  bson_ext
+  activerecord-jdbcsqlite3-adapter
+  bson_ext (= 1.1.2)
+  devise!
   mocha
-  mongo
-  mongoid!
-  rails!
+  mongo (= 1.1.2)
+  mongoid (= 2.0.0.beta.20)
+  rails (~> 3.0.4)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
-  warden (= 0.10.7)
-  webrat (= 0.7.0)
+  webrat (= 0.7.2)

README.rdoc

@@ -24,7 +24,7 @@ Right now it's composed of 11 modules:
 
 Devise 1.1 supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
 
-  gem install devise --version=1.1.rc2
+  gem install devise --version=1.1.7
 
 If you want to use Rails master (from git repository) you need to use Devise from git repository and vice-versa.
 
@@ -42,7 +42,7 @@ Replace MODEL by the class name you want to add devise, like User, Admin, etc. T
 
 If you want to use the Rails 2.3.x version, you should do:
 
-  gem install devise --version=1.0.8
+  gem install devise --version=1.0.10
 
 And please check the README at the v1.0 branch since this one is based on Rails 3:
 

Rakefile

@@ -45,7 +45,7 @@ begin
     s.authors = ['José Valim', 'Carlos Antônio']
     s.files =  FileList["[A-Z]*", "{app,config,lib}/**/*"]
     s.extra_rdoc_files = FileList["[A-Z]*"] - %w(Gemfile Rakefile)
-    s.add_dependency("warden", "~> 0.10.7")
+    s.add_dependency("warden", "~> 1.0.2")
     s.add_dependency("bcrypt-ruby", "~> 2.1.2")
   end
 

app/controllers/devise/registrations_controller.rb

@@ -9,7 +9,7 @@ class Devise::RegistrationsController < ApplicationController
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 

devise.gemspec

@@ -1,198 +1,197 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.1.0"
+  s.version = "1.1.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-07-26}
+  s.date = %q{2011-03-25}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
     "CHANGELOG.rdoc",
-     "Gemfile.lock",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "TODO"
+    "Gemfile.lock",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "TODO"
   ]
   s.files = [
     "CHANGELOG.rdoc",
-     "Gemfile",
-     "Gemfile.lock",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "TODO",
-     "app/controllers/devise/confirmations_controller.rb",
-     "app/controllers/devise/passwords_controller.rb",
-     "app/controllers/devise/registrations_controller.rb",
-     "app/controllers/devise/sessions_controller.rb",
-     "app/controllers/devise/unlocks_controller.rb",
-     "app/helpers/devise_helper.rb",
-     "app/mailers/devise/mailer.rb",
-     "app/views/devise/confirmations/new.html.erb",
-     "app/views/devise/mailer/confirmation_instructions.html.erb",
-     "app/views/devise/mailer/reset_password_instructions.html.erb",
-     "app/views/devise/mailer/unlock_instructions.html.erb",
-     "app/views/devise/passwords/edit.html.erb",
-     "app/views/devise/passwords/new.html.erb",
-     "app/views/devise/registrations/edit.html.erb",
-     "app/views/devise/registrations/new.html.erb",
-     "app/views/devise/sessions/new.html.erb",
-     "app/views/devise/shared/_links.erb",
-     "app/views/devise/unlocks/new.html.erb",
-     "config/locales/en.yml",
-     "lib/devise.rb",
-     "lib/devise/controllers/helpers.rb",
-     "lib/devise/controllers/internal_helpers.rb",
-     "lib/devise/controllers/scoped_views.rb",
-     "lib/devise/controllers/url_helpers.rb",
-     "lib/devise/encryptors/authlogic_sha512.rb",
-     "lib/devise/encryptors/base.rb",
-     "lib/devise/encryptors/bcrypt.rb",
-     "lib/devise/encryptors/clearance_sha1.rb",
-     "lib/devise/encryptors/restful_authentication_sha1.rb",
-     "lib/devise/encryptors/sha1.rb",
-     "lib/devise/encryptors/sha512.rb",
-     "lib/devise/failure_app.rb",
-     "lib/devise/hooks/activatable.rb",
-     "lib/devise/hooks/forgetable.rb",
-     "lib/devise/hooks/rememberable.rb",
-     "lib/devise/hooks/timeoutable.rb",
-     "lib/devise/hooks/trackable.rb",
-     "lib/devise/mapping.rb",
-     "lib/devise/models.rb",
-     "lib/devise/models/authenticatable.rb",
-     "lib/devise/models/confirmable.rb",
-     "lib/devise/models/database_authenticatable.rb",
-     "lib/devise/models/lockable.rb",
-     "lib/devise/models/recoverable.rb",
-     "lib/devise/models/registerable.rb",
-     "lib/devise/models/rememberable.rb",
-     "lib/devise/models/timeoutable.rb",
-     "lib/devise/models/token_authenticatable.rb",
-     "lib/devise/models/trackable.rb",
-     "lib/devise/models/validatable.rb",
-     "lib/devise/modules.rb",
-     "lib/devise/orm/active_record.rb",
-     "lib/devise/orm/mongoid.rb",
-     "lib/devise/path_checker.rb",
-     "lib/devise/rails.rb",
-     "lib/devise/rails/routes.rb",
-     "lib/devise/rails/warden_compat.rb",
-     "lib/devise/schema.rb",
-     "lib/devise/strategies/authenticatable.rb",
-     "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/database_authenticatable.rb",
-     "lib/devise/strategies/rememberable.rb",
-     "lib/devise/strategies/token_authenticatable.rb",
-     "lib/devise/test_helpers.rb",
-     "lib/devise/version.rb",
-     "lib/generators/active_record/devise_generator.rb",
-     "lib/generators/active_record/templates/migration.rb",
-     "lib/generators/devise/devise_generator.rb",
-     "lib/generators/devise/install_generator.rb",
-     "lib/generators/devise/orm_helpers.rb",
-     "lib/generators/devise/templates/README",
-     "lib/generators/devise/templates/devise.rb",
-     "lib/generators/devise/views_generator.rb",
-     "lib/generators/devise_install_generator.rb",
-     "lib/generators/devise_views_generator.rb",
-     "lib/generators/mongoid/devise_generator.rb"
+    "Gemfile",
+    "Gemfile.lock",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/devise/confirmations_controller.rb",
+    "app/controllers/devise/passwords_controller.rb",
+    "app/controllers/devise/registrations_controller.rb",
+    "app/controllers/devise/sessions_controller.rb",
+    "app/controllers/devise/unlocks_controller.rb",
+    "app/helpers/devise_helper.rb",
+    "app/mailers/devise/mailer.rb",
+    "app/views/devise/confirmations/new.html.erb",
+    "app/views/devise/mailer/confirmation_instructions.html.erb",
+    "app/views/devise/mailer/reset_password_instructions.html.erb",
+    "app/views/devise/mailer/unlock_instructions.html.erb",
+    "app/views/devise/passwords/edit.html.erb",
+    "app/views/devise/passwords/new.html.erb",
+    "app/views/devise/registrations/edit.html.erb",
+    "app/views/devise/registrations/new.html.erb",
+    "app/views/devise/sessions/new.html.erb",
+    "app/views/devise/shared/_links.erb",
+    "app/views/devise/unlocks/new.html.erb",
+    "config/locales/en.yml",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/scoped_views.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/forgetable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/authenticatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/modules.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/mongoid.rb",
+    "lib/devise/path_checker.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/authenticatable.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "lib/generators/active_record/devise_generator.rb",
+    "lib/generators/active_record/templates/migration.rb",
+    "lib/generators/devise/devise_generator.rb",
+    "lib/generators/devise/install_generator.rb",
+    "lib/generators/devise/orm_helpers.rb",
+    "lib/generators/devise/views_generator.rb",
+    "lib/generators/devise_install_generator.rb",
+    "lib/generators/devise_views_generator.rb",
+    "lib/generators/mongoid/devise_generator.rb",
+    "lib/generators/templates/README",
+    "lib/generators/templates/devise.rb"
   ]
   s.homepage = %q{http://github.com/plataformatec/devise}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
-     "test/controllers/internal_helpers_test.rb",
-     "test/controllers/url_helpers_test.rb",
-     "test/devise_test.rb",
-     "test/encryptors_test.rb",
-     "test/failure_app_test.rb",
-     "test/integration/authenticatable_test.rb",
-     "test/integration/confirmable_test.rb",
-     "test/integration/database_authenticatable_test.rb",
-     "test/integration/http_authenticatable_test.rb",
-     "test/integration/lockable_test.rb",
-     "test/integration/recoverable_test.rb",
-     "test/integration/registerable_test.rb",
-     "test/integration/rememberable_test.rb",
-     "test/integration/timeoutable_test.rb",
-     "test/integration/token_authenticatable_test.rb",
-     "test/integration/trackable_test.rb",
-     "test/mailers/confirmation_instructions_test.rb",
-     "test/mailers/reset_password_instructions_test.rb",
-     "test/mailers/unlock_instructions_test.rb",
-     "test/mapping_test.rb",
-     "test/models/confirmable_test.rb",
-     "test/models/database_authenticatable_test.rb",
-     "test/models/lockable_test.rb",
-     "test/models/recoverable_test.rb",
-     "test/models/rememberable_test.rb",
-     "test/models/timeoutable_test.rb",
-     "test/models/token_authenticatable_test.rb",
-     "test/models/trackable_test.rb",
-     "test/models/validatable_test.rb",
-     "test/models_test.rb",
-     "test/orm/active_record.rb",
-     "test/orm/mongoid.rb",
-     "test/rails_app/app/active_record/admin.rb",
-     "test/rails_app/app/active_record/shim.rb",
-     "test/rails_app/app/active_record/user.rb",
-     "test/rails_app/app/controllers/admins_controller.rb",
-     "test/rails_app/app/controllers/application_controller.rb",
-     "test/rails_app/app/controllers/home_controller.rb",
-     "test/rails_app/app/controllers/publisher/registrations_controller.rb",
-     "test/rails_app/app/controllers/publisher/sessions_controller.rb",
-     "test/rails_app/app/controllers/sessions_controller.rb",
-     "test/rails_app/app/controllers/users_controller.rb",
-     "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongoid/admin.rb",
-     "test/rails_app/app/mongoid/shim.rb",
-     "test/rails_app/app/mongoid/user.rb",
-     "test/rails_app/config/application.rb",
-     "test/rails_app/config/boot.rb",
-     "test/rails_app/config/environment.rb",
-     "test/rails_app/config/environments/development.rb",
-     "test/rails_app/config/environments/production.rb",
-     "test/rails_app/config/environments/test.rb",
-     "test/rails_app/config/initializers/backtrace_silencers.rb",
-     "test/rails_app/config/initializers/devise.rb",
-     "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/secret_token.rb",
-     "test/rails_app/config/routes.rb",
-     "test/rails_app/db/migrate/20100401102949_create_tables.rb",
-     "test/rails_app/db/schema.rb",
-     "test/routes_test.rb",
-     "test/support/assertions.rb",
-     "test/support/helpers.rb",
-     "test/support/integration.rb",
-     "test/support/test_silencer.rb",
-     "test/support/webrat/integrations/rails.rb",
-     "test/test_helper.rb",
-     "test/test_helpers_test.rb"
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/indifferent_hash.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/database_authenticatable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/database_authenticatable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongoid.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/shim.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/publisher/registrations_controller.rb",
+    "test/rails_app/app/controllers/publisher/sessions_controller.rb",
+    "test/rails_app/app/controllers/sessions_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongoid/admin.rb",
+    "test/rails_app/app/mongoid/shim.rb",
+    "test/rails_app/app/mongoid/user.rb",
+    "test/rails_app/config/application.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/backtrace_silencers.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/secret_token.rb",
+    "test/rails_app/config/routes.rb",
+    "test/rails_app/db/migrate/20100401102949_create_tables.rb",
+    "test/rails_app/db/schema.rb",
+    "test/routes_test.rb",
+    "test/support/assertions.rb",
+    "test/support/helpers.rb",
+    "test/support/integration.rb",
+    "test/support/test_silencer.rb",
+    "test/support/webrat/integrations/rails.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<warden>, ["~> 0.10.7"])
+      s.add_runtime_dependency(%q<warden>, ["~> 1.0.2"])
       s.add_runtime_dependency(%q<bcrypt-ruby>, ["~> 2.1.2"])
     else
-      s.add_dependency(%q<warden>, ["~> 0.10.7"])
+      s.add_dependency(%q<warden>, ["~> 1.0.2"])
       s.add_dependency(%q<bcrypt-ruby>, ["~> 2.1.2"])
     end
   else
-    s.add_dependency(%q<warden>, ["~> 0.10.7"])
+    s.add_dependency(%q<warden>, ["~> 1.0.2"])
     s.add_dependency(%q<bcrypt-ruby>, ["~> 2.1.2"])
   end
 end

lib/devise.rb

@@ -67,7 +67,7 @@ module Devise
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
-  @@http_authenticatable = true
+  @@http_authenticatable = false
 
   # If http authentication is used for ajax requests.  True by default.
   mattr_accessor :http_authenticatable_on_xhr
@@ -83,7 +83,7 @@ module Devise
 
   # Email regex used to validate email formats. Adapted from authlogic.
   mattr_accessor :email_regexp
-  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+  @@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -265,6 +265,11 @@ module Devise
     @@warden_config_block = block
   end
 
+  # Returns true if Rails version is bigger than 3.0.x
+  def self.rack_session?
+    Rails::VERSION::STRING[0,3] != "3.0"
+  end
+
   # A method used internally to setup warden manager from the Rails initialize
   # block.
   def self.configure_warden! #:nodoc:
@@ -285,6 +290,17 @@ module Devise
   def self.friendly_token
     ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
   end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def self.secure_compare(a, b)
+    return false unless a.present? && b.present?
+    return false unless a.bytesize == b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
+  end
 end
 
 require 'warden'

lib/devise/controllers/helpers.rb

@@ -83,7 +83,7 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}_return_to")
+        session.delete("#{scope}_return_to")
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -114,7 +114,7 @@ module Devise
       #
       def after_sign_in_path_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
+        home_path = "#{scope}_root_path"
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
@@ -182,6 +182,12 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to

lib/devise/failure_app.rb

@@ -68,11 +68,11 @@ module Devise
     end
 
     def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
+      !Devise.navigational_formats.include?(request_format) || (request.xhr? && Devise.http_authenticatable_on_xhr)
     end
 
     def http_auth_body
-      method = :"to_#{request.format.to_sym}"
+      method = :"to_#{request_format}"
       {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
     end
 
@@ -103,5 +103,17 @@ module Devise
     def store_location!
       session[:"#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
+
+    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+    def request_format
+      @request_format ||= if request.format.respond_to?(:ref)
+        request.format.ref
+      elsif MIME_REFERENCES
+        request.format
+      else # Rails < 3.0.4
+        request.format.to_sym
+      end
+    end
   end
 end

lib/devise/hooks/forgetable.rb

@@ -5,7 +5,7 @@
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)
     record.forget_me! unless record.frozen?
-    options = record.cookie_domain? ? { :domain => record.cookie_domain } : {}
-    warden.cookies.delete("remember_#{options[:scope]}_token", options)
+    cookie_options = record.cookie_domain? ? { :domain => record.cookie_domain } : {}
+    warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
   end
 end

lib/devise/models/authenticatable.rb

@@ -90,6 +90,7 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
+          filter_auth_params(conditions)
           find(:first, :conditions => conditions)
         end
 
@@ -113,6 +114,15 @@ module Devise
           record
         end
 
+        protected
+
+        # Force keys to be string to avoid injection on mongoid related database.
+        def filter_auth_params(conditions)
+          conditions.each do |k, v|
+            conditions[k] = v.to_s
+          end
+        end
+
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)
           loop do

lib/devise/models/database_authenticatable.rb

@@ -44,7 +44,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Set password and password confirmation to nil
@@ -82,7 +82,9 @@ module Devise
 
       # Digests the password using the configured encryptor.
       def password_digest(password)
-        self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        if self.password_salt.present?
+          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        end
       end
 
       module ClassMethods

lib/devise/models/lockable.rb

@@ -81,6 +81,8 @@ module Devise
         when TrueClass
           self.failed_attempts = 0
         when FalseClass
+          # PostgreSQL uses nil as the default value for integer columns set to 0
+          self.failed_attempts ||= 0
           self.failed_attempts += 1
           if attempts_exceeded?
             lock_access!

lib/devise/rails/routes.rb

@@ -202,10 +202,10 @@ module ActionDispatch::Routing
     protected
 
       def devise_session(mapping, controllers) #:nodoc:
-        scope :controller => controllers[:sessions], :as => :session do
-          get  :new,     :path => mapping.path_names[:sign_in]
-          post :create,  :path => mapping.path_names[:sign_in], :as => ""
-          get  :destroy, :path => mapping.path_names[:sign_out]
+        resource :session, :only => [], :controller => controllers[:sessions], :path => "" do
+          get  :new,     :path => mapping.path_names[:sign_in],  :as => "new"
+          post :create,  :path => mapping.path_names[:sign_in]
+          get  :destroy, :path => mapping.path_names[:sign_out], :as => "destroy"
         end
       end
  

lib/devise/rails/warden_compat.rb

@@ -36,4 +36,87 @@ class Warden::SessionSerializer
       raise
     end
   end
+end
+
+unless Devise.rack_session?
+  # We cannot use Rails Indifferent Hash because it messes up the flash object.
+  class Devise::IndifferentHash < Hash
+    alias_method :regular_writer, :[]= unless method_defined?(:regular_writer)
+    alias_method :regular_update, :update unless method_defined?(:regular_update)
+
+    def [](key)
+      super(convert_key(key))
+    end
+
+    def []=(key, value)
+      regular_writer(convert_key(key), value)
+    end
+
+    alias_method :store, :[]=
+
+    def update(other_hash)
+      other_hash.each_pair { |key, value| regular_writer(convert_key(key), value) }
+      self
+    end
+
+    alias_method :merge!, :update
+
+    def key?(key)
+      super(convert_key(key))
+    end
+
+    alias_method :include?, :key?
+    alias_method :has_key?, :key?
+    alias_method :member?, :key?
+
+    def fetch(key, *extras)
+      super(convert_key(key), *extras)
+    end
+
+    def values_at(*indices)
+      indices.collect {|key| self[convert_key(key)]}
+    end
+
+    def merge(hash)
+      self.dup.update(hash)
+    end
+
+    def delete(key)
+      super(convert_key(key))
+    end
+
+    def stringify_keys!; self end
+    def stringify_keys; dup end
+
+    undef :symbolize_keys!
+    def symbolize_keys; to_hash.symbolize_keys end
+
+    def to_options!; self end
+    def to_hash; Hash.new.update(self) end
+
+    protected
+
+    def convert_key(key)
+      key.kind_of?(Symbol) ? key.to_s : key
+    end
+  end
+
+  class ActionDispatch::Request
+    def reset_session
+      session.destroy if session && session.respond_to?(:destroy)
+      self.session = {}
+      @env['action_dispatch.request.flash_hash'] = nil
+    end
+  end
+
+  Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+    if options[:scope] && warden.authenticated?(options[:scope])
+      request, flash = warden.request, warden.env['action_dispatch.request.flash_hash']
+      backup = request.session.to_hash
+      backup.delete("session_id")
+      request.reset_session
+      warden.env['action_dispatch.request.flash_hash'] = flash
+      request.session = Devise::IndifferentHash.new.update(backup)
+    end
+  end
 end

lib/devise/schema.rb

@@ -19,7 +19,7 @@ module Devise
     # encrypter password field in 128 characters.
     def database_authenticatable(options={})
       null    = options[:null] || false
-      default = options[:default] || ""
+      default = options.key?(:default) ? options[:default] : ("" if null == false)
 
       if options.delete(:encryptor)
         ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."

lib/devise/strategies/authenticatable.rb

@@ -21,6 +21,7 @@ module Devise
         case result
         when Symbol, String
           fail!(result)
+          false
         else
           result
         end
@@ -96,8 +97,8 @@ module Devise
 
       # Helper to decode credentials from HTTP.
       def decode_credentials
-        username_and_password = request.authorization.split(' ', 2).last || ''
-        ActiveSupport::Base64.decode64(username_and_password).split(/:/, 2)
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
+        ActiveSupport::Base64.decode64($1).split(/:/, 2)
       end
 
       # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.

lib/devise/strategies/database_authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid)
         end
       end

lib/devise/strategies/rememberable.rb

@@ -20,7 +20,7 @@ module Devise
 
         if validate(resource)
           success!(resource)
-        else
+        elsif !halted?
           cookies.delete(remember_key)
           pass
         end

lib/devise/strategies/token_authenticatable.rb

@@ -16,7 +16,7 @@ module Devise
         if validate(resource)
           resource.after_token_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid_token)
         end
       end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.0".freeze
+  VERSION = "1.1.9".freeze
 end

lib/generators/devise/install_generator.rb

@@ -3,7 +3,7 @@ require 'active_support/secure_random'
 module Devise
   module Generators
     class InstallGenerator < Rails::Generators::Base
-      source_root File.expand_path("../templates", __FILE__)
+      source_root File.expand_path("../../templates", __FILE__)
 
       desc "Creates a Devise initializer and copy locale files to your application."
       class_option :orm
@@ -13,11 +13,11 @@ module Devise
       end
 
       def copy_locale
-        copy_file "../../../../config/locales/en.yml", "config/locales/devise.en.yml"
+        copy_file "../../../config/locales/en.yml", "config/locales/devise.en.yml"
       end
 
       def show_readme
-        readme "README"
+        readme "README" if behavior == :invoke
       end
     end
   end

lib/generators/devise/views_generator.rb

@@ -7,7 +7,7 @@ module Devise
       argument :scope, :required => false, :default => nil,
                        :desc => "The scope to copy views to"
 
-      class_option :template_engine, :type => :string, :aliases => "-t", :default => "erb",
+      class_option :template_engine, :type => :string, :aliases => "-t",
                                      :desc => "Template engine for the views. Available options are 'erb' and 'haml'."
 
       def copy_views

lib/generators/templates/devise.rb

@@ -25,8 +25,8 @@ Devise.setup do |config|
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
-  # config.http_authenticatable = true
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # config.http_authenticatable = false
 
   # Set this to true to use Basic Auth for AJAX requests.  True by default.
   # config.http_authenticatable_on_xhr = true
@@ -72,7 +72,7 @@ Devise.setup do |config|
   # config.password_length = 6..20
 
   # Regex to use to validate the email address
-  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+  # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/controllers/helpers_test.rb

@@ -60,26 +60,36 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.anybody_signed_in?
   end
 
-  test 'proxy current_admin to authenticate with admin scope' do
-    @mock_warden.expects(:authenticate).with(:scope => :admin)
-    @controller.current_admin
-  end
-
   test 'proxy current_user to authenticate with user scope' do
     @mock_warden.expects(:authenticate).with(:scope => :user)
     @controller.current_user
   end
 
-  test 'proxy user_authenticate! to authenticate with user scope' do
+  test 'proxy current_admin to authenticate with admin scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :admin)
+    @controller.current_admin
+  end
+
+  test 'proxy current_publisher_account to authenticate with namespaced publisher account scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :publisher_account)
+    @controller.current_publisher_account
+  end
+
+  test 'proxy authenticate_user! to authenticate with user scope' do
     @mock_warden.expects(:authenticate!).with(:scope => :user)
     @controller.authenticate_user!
   end
 
-  test 'proxy admin_authenticate! to authenticate with admin scope' do
+  test 'proxy authenticate_admin! to authenticate with admin scope' do
     @mock_warden.expects(:authenticate!).with(:scope => :admin)
     @controller.authenticate_admin!
   end
 
+  test 'proxy authenticate_publisher_account! to authenticate with namespaced publisher account scope' do
+    @mock_warden.expects(:authenticate!).with(:scope => :publisher_account)
+    @controller.authenticate_publisher_account!
+  end
+
   test 'proxy user_signed_in? to authenticate? with user scope' do
     @mock_warden.expects(:authenticate?).with(:scope => :user)
     @controller.user_signed_in?
@@ -90,6 +100,11 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.admin_signed_in?
   end
 
+  test 'proxy publisher_account_signed_in? to authenticate? with namespaced publisher account scope' do
+    @mock_warden.expects(:authenticate?).with(:scope => :publisher_account)
+    @controller.publisher_account_signed_in?
+  end
+
   test 'proxy user_session to session scope in warden' do
     @mock_warden.expects(:authenticate).with(:scope => :user).returns(true)
     @mock_warden.expects(:session).with(:user).returns({})
@@ -102,6 +117,12 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.admin_session
   end
 
+  test 'proxy publisher_account_session from namespaced scope to session scope in warden' do
+    @mock_warden.expects(:authenticate).with(:scope => :publisher_account).returns(true)
+    @mock_warden.expects(:session).with(:publisher_account).returns({})
+    @controller.publisher_account_session
+  end
+
   test 'sign in proxy to set_user on warden' do
     user = User.new
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)

test/failure_app_test.rb

@@ -13,7 +13,7 @@ class FailureTest < ActiveSupport::TestCase
       'REQUEST_METHOD' => 'GET',
       'warden.options' => { :scope => :user },
       'rack.session' => {},
-      'action_dispatch.request.formats' => Array(env_params.delete('formats') || :html),
+      'action_dispatch.request.formats' => Array(env_params.delete('formats') || Mime::HTML),
       'rack.input' => "",
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)

test/indifferent_hash.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+class IndifferentHashTest < ActiveSupport::TestCase
+  setup do
+    @hash = Devise::IndifferentHash.new
+  end
+
+  test "it overwrites getter and setter" do
+    @hash[:foo] = "bar"
+    assert_equal "bar", @hash["foo"]
+    assert_equal "bar", @hash[:foo]
+
+    @hash["foo"] = "baz"
+    assert_equal "baz", @hash["foo"]
+    assert_equal "baz", @hash[:foo]
+  end
+
+  test "it overwrites update" do
+    @hash.update :foo => "bar"
+    assert_equal "bar", @hash["foo"]
+    assert_equal "bar", @hash[:foo]
+
+    @hash.update "foo" => "baz"
+    assert_equal "baz", @hash["foo"]
+    assert_equal "baz", @hash[:foo]
+  end
+
+  test "it returns a Hash on to_hash" do
+    @hash[:foo] = "bar"
+    assert_equal Hash["foo", "bar"], @hash.to_hash
+    assert_kind_of Hash, @hash.to_hash
+  end
+end if defined?(Devise::IndifferentHash)

test/integration/authenticatable_test.rb

@@ -236,6 +236,17 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
     get '/users'
     assert_equal "Cart", @controller.user_session[:cart]
   end
+
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session["session_id"]
+
+    get '/users'
+    assert_equal session_id, request.session["session_id"]
+
+    sign_in_as_user
+    assert_not_equal session_id, request.session["session_id"]
+  end
 end
 
 class AuthenticationWithScopesTest < ActionController::IntegrationTest
@@ -313,7 +324,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   test 'sign in with script name' do
     assert_nothing_raised do
       get new_user_session_path, {}, "SCRIPT_NAME" => "/omg"
-      fill_in "email", "user@test.com"
+      fill_in "email", :with => "user@test.com"
     end
   end
 

test/integration/http_authenticatable_test.rb

@@ -39,6 +39,14 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'test request with oauth2 header doesnt get mistaken for basic authentication' do
+    swap Devise, :http_authenticatable => true do
+      add_oauth2_header
+      assert_equal 401, status
+      assert_equal 'Basic realm="Application"', headers["WWW-Authenticate"]
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_http(username="user@test.com", password="123456")
@@ -46,4 +54,11 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
       get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
       user
     end
+    
+    # Sign in with oauth2 token. This is just to test that it isn't misinterpreted as basic authentication
+    def add_oauth2_header
+      user = create_user
+      get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => "OAuth #{ActiveSupport::Base64.encode64("#{user.email}:123456")}"
+    end
+
 end

test/integration/registerable_test.rb

@@ -66,7 +66,7 @@ class RegistrationTest < ActionController::IntegrationTest
     click_button 'Sign up'
 
     assert_current_url '/users'
-    assert_contain(/Email .* already .* taken/)
+    assert_contain(/Email .* already.*taken/)
 
     assert_not warden.authenticated?(:user)
   end

test/integration/rememberable_test.rb

@@ -48,6 +48,16 @@ class RememberMeTest < ActionController::IntegrationTest
     end
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path
@@ -131,6 +141,7 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     assert_not warden.authenticated?(:user)
     assert_nil user.reload.remember_token
+    assert_nil warden.cookies['remember_user_token']
   end
 
   test 'do not remember the user anymore after forget' do
@@ -140,5 +151,6 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     get users_path
     assert_not warden.authenticated?(:user)
+    assert_nil warden.cookies['remember_user_token']
   end
 end

test/integration/token_authenticatable_test.rb

@@ -65,6 +65,22 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'should not be subject to injection' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user1 = create_user()
+
+      # Clean up user cache
+      @user = nil
+
+      user2 = create_user(:email => "another@test.com")
+      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
+
+      assert_not_equal user1, user2
+      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
+      assert_nil warden.user(:user) 
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})

test/models/database_authenticatable_test.rb

@@ -98,6 +98,13 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_not user.valid_password?('654321')
   end
 
+  test 'should not validate password when salt is nil' do
+    admin = create_admin
+    admin.password_salt = nil
+    admin.save
+    assert_not admin.valid_password?('123456')
+  end
+
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end

test/models/token_authenticatable_test.rb

@@ -34,4 +34,16 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-end
+  test 'should not be subject to injection' do
+    user1 = create_user
+    user1.ensure_authentication_token!
+    user1.confirm!
+
+    user2 = create_user
+    user2.ensure_authentication_token!
+    user2.confirm!
+
+    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
+    assert_nil user
+  end
+end

test/orm/mongoid.rb

@@ -1,5 +1,6 @@
 Mongoid.configure do |config|
-  config.master = Mongo::Connection.new('127.0.0.1', 27017).db("devise-test-suite")
+  config.master  = Mongo::Connection.new('127.0.0.1', 27017).db("devise-test-suite")
+  config.use_utc = true
 end
 
 class ActiveSupport::TestCase
@@ -7,4 +8,4 @@ class ActiveSupport::TestCase
     User.delete_all
     Admin.delete_all
   end
-end
+end

test/rails_app/config/boot.rb

@@ -7,7 +7,7 @@ begin
 rescue LoadError
   require 'rubygems'
   require 'bundler'
-  Bundler.setup :default, DEVISE_ORM
+  Bundler.setup :default, :test, DEVISE_ORM
 end
 
-$:.unshift File.expand_path('../../../../lib', __FILE__)
+$:.unshift File.expand_path('../../../../lib', __FILE__)

test/rails_app/config/initializers/devise.rb

@@ -26,7 +26,7 @@ Devise.setup do |config|
   # config.params_authenticatable = true
 
   # Tell if authentication through HTTP Basic Auth is enabled. True by default.
-  # config.http_authenticatable = true
+  config.http_authenticatable = true
 
   # The realm used in Http Basic Authentication
   # config.http_authentication_realm = "Application"

test/support/helpers.rb

@@ -37,6 +37,12 @@ class ActiveSupport::TestCase
     User.create!(valid_attributes(attributes))
   end
 
+  def create_admin(attributes={})
+    valid_attributes = valid_attributes(attributes)
+    valid_attributes.delete(:username)
+    Admin.create!(valid_attributes)
+  end
+
   # Execute the block setting the given values and restoring old values after
   # the block is executed.
   def swap(object, new_values)

test/support/integration.rb

@@ -9,7 +9,7 @@ class ActionDispatch::IntegrationTest
     @user ||= begin
       user = User.create!(
         :username => 'usertest',
-        :email => 'user@test.com',
+        :email => options[:email] || 'user@test.com',
         :password => '123456',
         :password_confirmation => '123456',
         :created_at => Time.now.utc

test/support/webrat/integrations/rails.rb

@@ -1,9 +1,9 @@
-require 'webrat/core/elements/field'
+require 'webrat/core/elements/form'
 require 'action_dispatch/testing/integration'
 
 module Webrat
-  Field.class_eval do
-    def parse_rails_request_params(params)
+  Form.class_eval do
+    def self.parse_rails_request_params(params)
       Rack::Utils.parse_nested_query(params)
     end
   end
@@ -13,20 +13,5 @@ module ActionDispatch #:nodoc:
   IntegrationTest.class_eval do
     include Webrat::Methods
     include Webrat::Matchers
- 
-    # The Rails version of within supports passing in a model and Webrat
-    # will apply a scope based on Rails' dom_id for that model.
-    #
-    # Example:
-    #   within User.last do
-    #     click_link "Delete"
-    #   end
-    def within(selector_or_object, &block)
-      if selector_or_object.is_a?(String)
-        super
-      else
-        super('#' + RecordIdentifier.dom_id(selector_or_object), &block)
-      end
-    end
   end
-end
+end

test/test_helper.rb

@@ -9,8 +9,9 @@ require "rails/test_help"
 require "orm/#{DEVISE_ORM}"
 
 I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__)
-require 'mocha'
 
+require 'mocha'
+require 'webrat'
 Webrat.configure do |config|
   config.mode = :rails
   config.open_error_files = false
@@ -18,4 +19,4 @@ end
 
 # Add support to load paths so we can overwrite broken webrat setup
 $:.unshift File.expand_path('../support', __FILE__)
-Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }