Prepare for 4.6.2 release

Reverts both "[#4245] Allow password to nil (#4261)" and "Add more tests (#4970)"

CHANGELOG.md

@@ -1,11 +1,24 @@
 ### Unreleased
 
+### 4.6.2 - 2019-03-26
+
+* bug fixes
+  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/plataformatec/devise/issues/5033#issuecomment-476386275 (by @mracos)
+
+### 4.6.1 - 2019-02-11
+
+* bug fixes
+  * Check if `root_path` is defined with `#respond_to?` instead of `#present` (by @tegon)
+
+### 4.6.0 - 2019-02-07
+
 * enhancements
   * Allow to skip email and password change notifications (by @iorme1)
   * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg)
   * Ignore useless files into the `.gem` file (by @huacnlee)
   * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon)
   * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer)
+  * Add an option (`Devise.sign_in_after_change_password`) to not automatically sign in a user after changing a password (by @knjko)
 
 * bug fixes
   * Fix missing comma in Simple Form generator (by @colinross)
@@ -17,6 +30,10 @@
   * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan)
   * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu)
   * Fix unclosed `li` tag in `error_messages` partial (by @mracos)
+  * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
+  * Make `#increment_failed_attempts` concurrency safe (by @tegon)
+  * Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
+
 
 * deprecations
   * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)

Gemfile

@@ -31,7 +31,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

Gemfile.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -196,9 +196,9 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.4)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

ISSUE_TEMPLATE.md

@@ -2,6 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to opensource@plataformatec.com.br instead.
 - Finally, be nice and have fun!
 
 ## Environment

README.md

@@ -56,6 +56,7 @@ It's composed of 10 modules:
 	- [ActiveJob Integration](#activejob-integration)
 	- [Password reset tokens and Rails logs](#password-reset-tokens-and-rails-logs)
 	- [Other ORMs](#other-orms)
+	- [Rails API mode](#rails-api-mode)
 - [Additional information](#additional-information)
 	- [Heroku](#heroku)
 	- [Warden](#warden)
@@ -149,6 +150,24 @@ BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
 BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
 ```
 
+### Running tests
+Devise uses [Mini Test](https://github.com/seattlerb/minitest) as test framework.
+
+* Running all tests:
+```bash
+bin/test
+```
+
+* Running tests for an specific file:
+```bash
+bin/test test/models/trackable_test.rb
+```
+
+* Running a specific test given a regex:
+```bash
+bin/test test/models/trackable_test.rb:16
+```
+
 ## Starting with Rails?
 
 If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:
@@ -601,7 +620,7 @@ are executed in your tests.
 
 You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
 
 ### OmniAuth
 
@@ -676,6 +695,17 @@ config.log_level = :warn
 
 Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.
 
+### Rails API Mode
+
+Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). One of the side effects is that it changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
+
+```ruby
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore
+```
+
+For a deeper understanding of this, review [this issue](https://github.com/plataformatec/devise/issues/4696).
+
 ## Additional information
 
 ### Heroku

bin/test

@@ -1,13 +1,17 @@
 #!/usr/bin/env ruby
 $: << File.expand_path(File.expand_path('../../test', __FILE__))
 
-require 'bundler/setup'
+# Remove this begin/rescue once Rails 4 support is removed.
 begin
-  require 'rails/test_unit/minitest_plugin'
+  require 'bundler/setup'
+  require 'rails/test_unit/runner'
+  require 'rails/test_unit/reporter'
+  require 'rails/test_unit/line_filtering'
+
+  Rails::TestUnitReporter.executable = 'bin/test'
+
+  Rails::TestUnit::Runner.parse_options(ARGV)
+  Rails::TestUnit::Runner.run(ARGV)
 rescue LoadError
   exec 'rake'
 end
-
-Rails::TestUnitReporter.executable = 'bin/test'
-
-exit Minitest.run(ARGV)

gemfiles/Gemfile.rails-4.1-stable

@@ -8,6 +8,8 @@ gem "rails", github: "rails/rails", branch: "4-1-stable"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc", "~> 5.1"
+# Force this version because it's breaking on CI since a higher nokogiri version requires Ruby 2.3+.
+gem "nokogiri", "1.9.1"
 
 group :test do
   gem "omniauth-facebook"
@@ -25,7 +27,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,7 +21,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -72,7 +72,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -88,8 +88,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -137,8 +137,8 @@ GEM
     test_after_commit (1.1.0)
       activerecord (>= 3.2)
     thor (0.19.4)
-    timecop (0.8.1)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -158,16 +158,17 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-4.2-stable

@@ -26,7 +26,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,7 +57,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -89,7 +89,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -105,8 +105,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -143,9 +143,9 @@ GEM
       loofah (~> 2.0)
     rake (12.0.0)
     rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
     ruby-openid (2.7.0)
     sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
@@ -179,16 +179,17 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-5.0-stable

@@ -25,7 +25,7 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -185,10 +185,10 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

gemfiles/Gemfile.rails-5.2-stable

@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -194,7 +194,7 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)

gemfiles/Gemfile.rails-6.0-beta

@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end

gemfiles/Gemfile.rails-6.0-beta.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -207,7 +207,7 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.4)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)

lib/devise/failure_app.rb

@@ -144,11 +144,20 @@ module Devise
 
       opts[:format] = request_format unless skip_format?
 
-      opts[:script_name] = relative_url_root if relative_url_root?
-
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
 
+      if relative_url_root?
+        opts[:script_name] = relative_url_root
+
+      # We need to add the rootpath to `script_name` manually for applications that use a Rails
+      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      elsif root_path_defined?(context) && rails_5_and_down?
+        rootpath = context.routes.url_helpers.root_path
+        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
+      end
+
       if context.respond_to?(route)
         context.send(route, opts)
       elsif respond_to?(:root_url)
@@ -262,5 +271,21 @@ module Devise
     end
 
     ActiveSupport.run_load_hooks(:devise_failure_app, self)
+
+    private
+
+    def root_path_defined?(context)
+      defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
+    end
+
+    def rails_5_and_down?
+      return false if rails_5_up?
+
+      Rails::VERSION::MAJOR >= 4
+    end
+
+    def rails_5_up?
+      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    end
   end
 end

lib/devise/models/database_authenticatable.rb

@@ -60,7 +60,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) 
+        self.encrypted_password = password_digest(@password) if @password.present?
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -70,7 +70,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        @password = @password_confirmation = nil
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -198,7 +198,6 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
-        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 

lib/devise/strategies/authenticatable.rb

@@ -28,7 +28,7 @@ module Devise
     private
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
-      # An optional block that will be triggered while validating can be optionally
+      # A block that will be triggered while validating can be optionally
       # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.5.0".freeze
+  VERSION = "4.6.2".freeze
 end

lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -6,7 +6,7 @@
   <div class="form-inputs">
     <%= f.input :email,
                 required: true,
-                autofocus: true ,
+                autofocus: true,
                 input_html: { autocomplete: "email" }%>
     <%= f.input :password,
                 required: true,

test/failure_app_test.rb

@@ -28,6 +28,27 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FailureWithoutRootPath < Devise::FailureApp
+    class FakeURLHelpers
+    end
+
+    class FakeRoutesWithoutRoot
+      def url_helpers
+        FakeURLHelpers.new
+      end
+    end
+
+    class FakeAppWithoutRootPath
+      def routes
+        FakeRoutesWithoutRoot.new
+      end
+    end
+
+    def main_app
+      FakeAppWithoutRootPath.new
+    end
+  end
+
   class FakeEngineApp < Devise::FailureApp
     class FakeEngine
       def new_user_on_engine_session_url _
@@ -103,6 +124,13 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    test 'returns to the root path even when it\'s not defined' do
+      call_failure app: FailureWithoutRootPath
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/', @response.second['Location']
+    end
+
     test 'returns to the root path considering subdomain if no session path is available' do
       swap Devise, router_name: :fake_app do
         call_failure app: FailureWithSubdomain

test/integration/mounted_engine_test.rb

@@ -2,10 +2,23 @@
 
 require 'test_helper'
 
-class MyMountableEngine
-  def self.call(env)
-    ['200', { 'Content-Type' => 'text/html' }, ['Rendered content of MyMountableEngine']]
+module MyMountableEngine
+  class Engine < ::Rails::Engine
+    isolate_namespace MyMountableEngine
   end
+  class TestsController < ActionController::Base
+    def index
+      render plain: 'Root test successful'
+    end
+    def inner_route
+      render plain: 'Inner route test successful'
+    end
+  end
+end
+
+MyMountableEngine::Engine.routes.draw do
+  get 'test', to: 'tests#inner_route'
+  root to: 'tests#index'
 end
 
 # If disable_clear_and_finalize is set to true, Rails will not clear other routes when calling
@@ -15,7 +28,7 @@ Rails.application.routes.disable_clear_and_finalize = true
 
 Rails.application.routes.draw do
   authenticate(:user) do
-    mount MyMountableEngine, at: '/mountable_engine'
+    mount MyMountableEngine::Engine, at: '/mountable_engine'
   end
 end
 
@@ -33,6 +46,23 @@ class AuthenticatedMountedEngineTest < Devise::IntegrationTest
     get '/mountable_engine'
 
     assert_response :success
-    assert_contain 'Rendered content of MyMountableEngine'
+    assert_contain 'Root test successful'
+  end
+
+
+  test 'renders a inner route of the mounted engine when authenticated' do
+    sign_in_as_user
+    get '/mountable_engine/test'
+
+    assert_response :success
+    assert_contain 'Inner route test successful'
+  end
+
+  test 'respond properly to a non existing route of the mounted engine' do
+    sign_in_as_user
+    
+    assert_raise ActionController::RoutingError do
+      get '/mountable_engine/non-existing-route'
+    end
   end
 end

test/models/database_authenticatable_test.rb

@@ -117,9 +117,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_nil user.authenticatable_salt
   end
 
-  test 'should set encrypted password to nil if password is nil' do
-    assert_nil new_user(password: nil).encrypted_password
-    assert_nil new_user(password: '').encrypted_password
+  test 'should not generate a hashed password if password is blank' do
+    assert_blank new_user(password: nil).encrypted_password
+    assert_blank new_user(password: '').encrypted_password
   end
 
   test 'should hash password again if password has changed' do
@@ -148,16 +148,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     refute user.valid_password?('654321')
   end
 
-  test 'should be invalid if the password is nil' do
-    user = new_user(password: nil)
-    refute user.valid_password?(nil)
-  end
-
-  test 'should be invalid if the password is blank' do
-    user = new_user(password: '')
-    refute user.valid_password?('')
-  end
-
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -317,11 +307,4 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       ]
     end
   end
-
-  test 'nil password should be invalid if password is set to nil' do
-    user = User.create(email: "HEllO@example.com", password: "12345678")
-    user.password = nil
-    refute user.valid_password?('12345678')
-    refute user.valid_password?(nil)
-  end
 end

test/rails_app/config/application.rb

@@ -44,5 +44,10 @@ module RailsApp
     config.to_prepare do
       Devise::SessionsController.layout "application"
     end
+
+    # Remove this check once Rails 5.0 support is removed.
+    if Devise::Test.rails52_and_up?
+      Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
+    end
   end
 end

test/support/webrat/integrations/rails.rb

@@ -18,6 +18,12 @@ module Webrat
   end
 
   class RailsAdapter
+    # This method is private within webrat gem and after Ruby 2.4 we get a lot of warnings because
+    # Webrat::Session#response is delegated to this method.
+    def response
+      integration_session.response
+    end
+
     protected
 
     def do_request(http_method, url, data, headers)