Update CHANGELOG.md [ci skip]

* Fix specs on Rails 6 RC2

`ActiveRecord::MigrationContext` now has a `schema_migration` attribute.
Ref: https://github.com/rails/rails/pull/36439/files#diff-8d3c44120f7b67ff79e2fbe6a40d0ad6R1018

* Use `media_type` instead of `content_type`

Before Rails 6 RC2, the `ActionDispatch::Response#content_type` method
would return only the media part of the `Content-Type` header, without any
other parts. Now the `#content_type` method returns the entire header -
as it is - and `#media_type` should be used instead to get the previous
behavior.

Ref:
- https://github.com/rails/rails/pull/36034
- https://github.com/rails/rails/pull/36854

* Use render template instead of render file

Render file will need the full path in order to avoid security breaches.
In this particular case, there's no need to use render file, it's ok to
use render template.

Ref: https://github.com/rails/rails/pull/35688

* Don't set `represent_boolean_as_integer` on Rails 6

* Update comments [ci skip]

.travis.yml

@@ -11,7 +11,7 @@ rvm:
 
 gemfile:
   - Gemfile
-  - gemfiles/Gemfile.rails-6.0-beta
+  - gemfiles/Gemfile.rails-6.0-stable
   - gemfiles/Gemfile.rails-5.2-stable
   - gemfiles/Gemfile.rails-5.0-stable
   - gemfiles/Gemfile.rails-4.2-stable
@@ -22,7 +22,7 @@ matrix:
     - rvm: 2.1.10
       gemfile: Gemfile
     - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.1.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.1.10
@@ -30,15 +30,15 @@ matrix:
     - rvm: 2.2.10
       gemfile: Gemfile
     - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.2.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.3.8
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.4.5
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.4.5
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.5.3
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.6.0
@@ -56,10 +56,10 @@ matrix:
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
   allow_failures:
     - rvm: ruby-head
-    - gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - gemfile: gemfiles/Gemfile.rails-6.0-stable
 
 services:
   - mongodb

CHANGELOG.md

@@ -1,11 +1,36 @@
 ### Unreleased
 
+### 4.7.0 - 2019-08-19
+
+* enhancements
+  * Support Rails 6.0
+  * Update CI to rails 6.0.0.beta3 (by @tunnes)
+  * refactor method name to be more consistent (by @saiqulhaq)
+  * Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)
+
+* bug fixes
+  * Add `autocomplete="new-password"` to `password_confirmation` fields (by @ferrl)
+  * Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)
+
+### 4.6.2 - 2019-03-26
+
+* bug fixes
+  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/plataformatec/devise/issues/5033#issuecomment-476386275 (by @mracos)
+
+### 4.6.1 - 2019-02-11
+
+* bug fixes
+  * Check if `root_path` is defined with `#respond_to?` instead of `#present` (by @tegon)
+
+### 4.6.0 - 2019-02-07
+
 * enhancements
   * Allow to skip email and password change notifications (by @iorme1)
   * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg)
   * Ignore useless files into the `.gem` file (by @huacnlee)
   * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon)
   * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer)
+  * Add an option (`Devise.sign_in_after_change_password`) to not automatically sign in a user after changing a password (by @knjko)
 
 * bug fixes
   * Fix missing comma in Simple Form generator (by @colinross)
@@ -17,6 +42,10 @@
   * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan)
   * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu)
   * Fix unclosed `li` tag in `error_messages` partial (by @mracos)
+  * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
+  * Make `#increment_failed_attempts` concurrency safe (by @tegon)
+  * Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
+
 
 * deprecations
   * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)

Gemfile

@@ -31,7 +31,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

Gemfile.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.5.0)
+    devise (4.7.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -196,9 +196,9 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.4)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

ISSUE_TEMPLATE.md

@@ -2,6 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to opensource@plataformatec.com.br instead.
 - Finally, be nice and have fun!
 
 ## Environment

README.md

@@ -56,6 +56,7 @@ It's composed of 10 modules:
 	- [ActiveJob Integration](#activejob-integration)
 	- [Password reset tokens and Rails logs](#password-reset-tokens-and-rails-logs)
 	- [Other ORMs](#other-orms)
+	- [Rails API mode](#rails-api-mode)
 - [Additional information](#additional-information)
 	- [Heroku](#heroku)
 	- [Warden](#warden)
@@ -149,13 +150,31 @@ BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
 BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
 ```
 
+### Running tests
+Devise uses [Mini Test](https://github.com/seattlerb/minitest) as test framework.
+
+* Running all tests:
+```bash
+bin/test
+```
+
+* Running tests for an specific file:
+```bash
+bin/test test/models/trackable_test.rb
+```
+
+* Running a specific test given a regex:
+```bash
+bin/test test/models/trackable_test.rb:16
+```
+
 ## Starting with Rails?
 
 If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:
 
 * Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
-* Codecademy's Ruby on Rails: Authentication and Authorization: http://www.codecademy.com/en/learn/rails-auth
+* Codecademy's Ruby on Rails: Authentication and Authorization: https://www.codecademy.com/learn/rails-auth
 
 Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
@@ -601,7 +620,7 @@ are executed in your tests.
 
 You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
 
 ### OmniAuth
 
@@ -676,6 +695,17 @@ config.log_level = :warn
 
 Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.
 
+### Rails API Mode
+
+Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). One of the side effects is that it changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
+
+```ruby
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore
+```
+
+For a deeper understanding of this, review [this issue](https://github.com/plataformatec/devise/issues/4696).
+
 ## Additional information
 
 ### Heroku
@@ -702,6 +732,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2018 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

app/views/devise/passwords/edit.html.erb

@@ -14,7 +14,7 @@
 
   <div class="field">
     <%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

bin/test

@@ -1,13 +1,17 @@
 #!/usr/bin/env ruby
 $: << File.expand_path(File.expand_path('../../test', __FILE__))
 
-require 'bundler/setup'
+# Remove this begin/rescue once Rails 4 support is removed.
 begin
-  require 'rails/test_unit/minitest_plugin'
+  require 'bundler/setup'
+  require 'rails/test_unit/runner'
+  require 'rails/test_unit/reporter'
+  require 'rails/test_unit/line_filtering'
+
+  Rails::TestUnitReporter.executable = 'bin/test'
+
+  Rails::TestUnit::Runner.parse_options(ARGV)
+  Rails::TestUnit::Runner.run(ARGV)
 rescue LoadError
   exec 'rake'
 end
-
-Rails::TestUnitReporter.executable = 'bin/test'
-
-exit Minitest.run(ARGV)

devise.gemspec

@@ -22,6 +22,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0", "< 6.0")
+  s.add_dependency("railties", ">= 4.1.0")
   s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-4.1-stable

@@ -8,6 +8,8 @@ gem "rails", github: "rails/rails", branch: "4-1-stable"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc", "~> 5.1"
+# Force this version because it's breaking on CI since a higher nokogiri version requires Ruby 2.3+.
+gem "nokogiri", "1.9.1"
 
 group :test do
   gem "omniauth-facebook"
@@ -25,7 +27,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,7 +21,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -72,7 +72,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -88,8 +88,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -137,8 +137,8 @@ GEM
     test_after_commit (1.1.0)
       activerecord (>= 3.2)
     thor (0.19.4)
-    timecop (0.8.1)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -158,16 +158,17 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-4.2-stable

@@ -26,7 +26,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,7 +57,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -89,7 +89,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -105,8 +105,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -143,9 +143,9 @@ GEM
       loofah (~> 2.0)
     rake (12.0.0)
     rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
     ruby-openid (2.7.0)
     sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
@@ -179,16 +179,17 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-5.0-stable

@@ -25,7 +25,7 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.7.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -58,7 +58,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (7.1.4)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     erubis (2.7.0)
@@ -185,10 +185,10 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

gemfiles/Gemfile.rails-5.2-stable

@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.7.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -194,7 +194,7 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
   timecop
   webrat (= 0.7.3)

gemfiles/Gemfile.rails-6.0-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '6.0.0.beta1'
+gem "rails", '~> 6.0.0'
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
@@ -11,7 +11,7 @@ gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
 
 gem "rails-controller-testing"
 
-gem "responders", "~> 2.4"
+gem "responders", "~> 3.0"
 
 group :test do
   gem "omniauth-facebook"
@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.4"
 end

gemfiles/Gemfile.rails-6.0-stable.lock

@@ -1,81 +1,83 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
+  revision: 93689638c28525acc65afb638fce866826532641
   specs:
     activemodel-serializers-xml (1.0.2)
-      activemodel (> 5.x)
-      activesupport (> 5.x)
+      activemodel (>= 5.0.0.a)
+      activesupport (>= 5.0.0.a)
       builder (~> 3.1)
 
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.7.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       mail (>= 2.7.1)
-    actionmailer (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actiontext (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activerecord (6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activestorage (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.0.beta1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    bcrypt (3.1.12)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    bcrypt (3.1.13)
     builder (3.2.3)
-    concurrent-ruby (1.1.4)
+    concurrent-ruby (1.1.5)
     crass (1.0.4)
     erubi (1.8.0)
     faraday (0.15.4)
@@ -83,9 +85,9 @@ GEM
     globalid (0.4.2)
       activesupport (>= 4.2.0)
     hashie (3.6.0)
-    i18n (1.5.2)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.1.0)
+    jwt (2.2.1)
     loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -96,16 +98,16 @@ GEM
     metaclass (0.0.4)
     method_source (0.9.2)
     mimemagic (0.3.3)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
-    mocha (1.8.0)
+    mocha (1.9.0)
       metaclass (~> 0.0.1)
     multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nio4r (2.3.1)
-    nokogiri (1.10.1)
+    multipart-post (2.1.1)
+    nio4r (2.4.0)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
@@ -125,26 +127,26 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.0.6)
+    rack (2.0.7)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.0.beta1)
-      actioncable (= 6.0.0.beta1)
-      actionmailbox (= 6.0.0.beta1)
-      actionmailer (= 6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actiontext (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.0.beta1)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -153,19 +155,19 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.2)
+    rake (12.3.3)
     rdoc (6.1.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
+    responders (3.0.0)
+      actionpack (>= 5.0)
+      railties (>= 5.0)
     ruby-openid (2.7.0)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
@@ -174,7 +176,7 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.4.1)
     test_after_commit (1.1.0)
       activerecord (>= 3.2)
     thor (0.20.3)
@@ -188,9 +190,10 @@ GEM
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.9)
 
 PLATFORMS
   ruby
@@ -203,14 +206,14 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (= 6.0.0.beta1)
+  rails (~> 6.0.0)
   rails-controller-testing
   rdoc
-  responders (~> 2.4)
-  sqlite3
+  responders (~> 3.0)
+  sqlite3 (~> 1.4)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.2

lib/devise/failure_app.rb

@@ -144,11 +144,20 @@ module Devise
 
       opts[:format] = request_format unless skip_format?
 
-      opts[:script_name] = relative_url_root if relative_url_root?
-
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
 
+      if relative_url_root?
+        opts[:script_name] = relative_url_root
+
+      # We need to add the rootpath to `script_name` manually for applications that use a Rails
+      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      elsif root_path_defined?(context) && !rails_51_and_up?
+        rootpath = context.routes.url_helpers.root_path
+        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
+      end
+
       if context.respond_to?(route)
         context.send(route, opts)
       elsif respond_to?(:root_url)
@@ -262,5 +271,15 @@ module Devise
     end
 
     ActiveSupport.run_load_hooks(:devise_failure_app, self)
+
+    private
+
+    def root_path_defined?(context)
+      defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
+    end
+
+    def rails_51_and_up?
+      Rails.gem_version >= Gem::Version.new("5.1")
+    end
   end
 end

lib/devise/models/authenticatable.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 

lib/devise/models/database_authenticatable.rb

@@ -60,7 +60,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) 
+        self.encrypted_password = password_digest(@password) if @password.present?
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -70,7 +70,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        @password = @password_confirmation = nil
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -198,7 +198,6 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
-        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 

lib/devise/models/validatable.rb

@@ -30,7 +30,7 @@ module Devise
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
           if Devise.activerecord51?
-            validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
+            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
             validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
           else
             validates_uniqueness_of :email, allow_blank: true, if: :email_changed?

lib/devise/rails/routes.rb

@@ -135,10 +135,10 @@ module ActionDispatch::Routing
     #  * failure_app: a rack app which is invoked whenever there is a failure. Strings representing a given
     #    are also allowed as parameter.
     #
-    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :delete),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [:post, :delete]
+    #      devise_for :users, sign_out_via: [:get, :post]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #

lib/devise/strategies/authenticatable.rb

@@ -28,7 +28,7 @@ module Devise
     private
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
-      # An optional block that will be triggered while validating can be optionally
+      # A block that will be triggered while validating can be optionally
       # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.5.0".freeze
+  VERSION = "4.7.0".freeze
 end

lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -13,7 +13,10 @@
                 autofocus: true,
                 hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length),
                 input_html: { autocomplete: "new-password" } %>
-    <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
+    <%= f.input :password_confirmation,
+                label: "Confirm your new password",
+                required: true,
+                input_html: { autocomplete: "new-password" } %>
   </div>
 
   <div class="form-actions">

lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -6,7 +6,7 @@
   <div class="form-inputs">
     <%= f.input :email,
                 required: true,
-                autofocus: true ,
+                autofocus: true,
                 input_html: { autocomplete: "email" }%>
     <%= f.input :password,
                 required: true,

test/failure_app_test.rb

@@ -28,6 +28,27 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FailureWithoutRootPath < Devise::FailureApp
+    class FakeURLHelpers
+    end
+
+    class FakeRoutesWithoutRoot
+      def url_helpers
+        FakeURLHelpers.new
+      end
+    end
+
+    class FakeAppWithoutRootPath
+      def routes
+        FakeRoutesWithoutRoot.new
+      end
+    end
+
+    def main_app
+      FakeAppWithoutRootPath.new
+    end
+  end
+
   class FakeEngineApp < Devise::FailureApp
     class FakeEngine
       def new_user_on_engine_session_url _
@@ -103,6 +124,13 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    test 'returns to the root path even when it\'s not defined' do
+      call_failure app: FailureWithoutRootPath
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/', @response.second['Location']
+    end
+
     test 'returns to the root path considering subdomain if no session path is available' do
       swap Devise, router_name: :fake_app do
         call_failure app: FailureWithSubdomain

test/integration/mounted_engine_test.rb

@@ -2,10 +2,23 @@
 
 require 'test_helper'
 
-class MyMountableEngine
-  def self.call(env)
-    ['200', { 'Content-Type' => 'text/html' }, ['Rendered content of MyMountableEngine']]
+module MyMountableEngine
+  class Engine < ::Rails::Engine
+    isolate_namespace MyMountableEngine
   end
+  class TestsController < ActionController::Base
+    def index
+      render plain: 'Root test successful'
+    end
+    def inner_route
+      render plain: 'Inner route test successful'
+    end
+  end
+end
+
+MyMountableEngine::Engine.routes.draw do
+  get 'test', to: 'tests#inner_route'
+  root to: 'tests#index'
 end
 
 # If disable_clear_and_finalize is set to true, Rails will not clear other routes when calling
@@ -15,7 +28,7 @@ Rails.application.routes.disable_clear_and_finalize = true
 
 Rails.application.routes.draw do
   authenticate(:user) do
-    mount MyMountableEngine, at: '/mountable_engine'
+    mount MyMountableEngine::Engine, at: '/mountable_engine'
   end
 end
 
@@ -33,6 +46,23 @@ class AuthenticatedMountedEngineTest < Devise::IntegrationTest
     get '/mountable_engine'
 
     assert_response :success
-    assert_contain 'Rendered content of MyMountableEngine'
+    assert_contain 'Root test successful'
+  end
+
+
+  test 'renders a inner route of the mounted engine when authenticated' do
+    sign_in_as_user
+    get '/mountable_engine/test'
+
+    assert_response :success
+    assert_contain 'Inner route test successful'
+  end
+
+  test 'respond properly to a non existing route of the mounted engine' do
+    sign_in_as_user
+    
+    assert_raise ActionController::RoutingError do
+      get '/mountable_engine/non-existing-route'
+    end
   end
 end

test/models/database_authenticatable_test.rb

@@ -117,9 +117,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_nil user.authenticatable_salt
   end
 
-  test 'should set encrypted password to nil if password is nil' do
-    assert_nil new_user(password: nil).encrypted_password
-    assert_nil new_user(password: '').encrypted_password
+  test 'should not generate a hashed password if password is blank' do
+    assert_blank new_user(password: nil).encrypted_password
+    assert_blank new_user(password: '').encrypted_password
   end
 
   test 'should hash password again if password has changed' do
@@ -148,16 +148,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     refute user.valid_password?('654321')
   end
 
-  test 'should be invalid if the password is nil' do
-    user = new_user(password: nil)
-    refute user.valid_password?(nil)
-  end
-
-  test 'should be invalid if the password is blank' do
-    user = new_user(password: '')
-    refute user.valid_password?('')
-  end
-
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -317,11 +307,4 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       ]
     end
   end
-
-  test 'nil password should be invalid if password is set to nil' do
-    user = User.create(email: "HEllO@example.com", password: "12345678")
-    user.password = nil
-    refute user.valid_password?('12345678')
-    refute user.valid_password?(nil)
-  end
 end

test/orm/active_record.rb

@@ -5,7 +5,9 @@ ActiveRecord::Base.logger = Logger.new(nil)
 ActiveRecord::Base.include_root_in_json = true
 
 migrate_path = File.expand_path("../../rails_app/db/migrate/", __FILE__)
-if Devise::Test.rails52_and_up?
+if Devise::Test.rails6?
+  ActiveRecord::MigrationContext.new(migrate_path, ActiveRecord::SchemaMigration).migrate
+elsif Devise::Test.rails52_and_up?
   ActiveRecord::MigrationContext.new(migrate_path).migrate
 else
   ActiveRecord::Migrator.migrate(migrate_path)

test/rails_app/app/views/admins/sessions/new.html.erb

@@ -1,2 +1,2 @@
 Welcome to "sessions/new" view!
-<%= render file: "devise/sessions/new" %>
+<%= render template: "devise/sessions/new" %>

test/rails_app/config/application.rb

@@ -44,5 +44,10 @@ module RailsApp
     config.to_prepare do
       Devise::SessionsController.layout "application"
     end
+
+    # Remove the first check once Rails 5.0 support is removed.
+    if Devise::Test.rails52_and_up? && !Devise::Test.rails6?
+      Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
+    end
   end
 end

test/rails_app/config/boot.rb

@@ -6,8 +6,12 @@ end
 
 module Devise
   module Test
-    # Detection for minor differences between Rails 4 and 5, 5.1, and 5.2 in tests.
+    # Detection for minor differences between Rails versions in tests.
     
+    def self.rails6?
+      Rails.version.start_with? '6'
+    end
+
     def self.rails52_and_up?
       Rails::VERSION::MAJOR > 5 || rails52?
     end

test/support/webrat/integrations/rails.rb

@@ -18,6 +18,12 @@ module Webrat
   end
 
   class RailsAdapter
+    # This method is private within webrat gem and after Ruby 2.4 we get a lot of warnings because
+    # Webrat::Session#response is delegated to this method.
+    def response
+      integration_session.response
+    end
+
     protected
 
     def do_request(http_method, url, data, headers)

test/test/controller_helpers_test.rb

@@ -102,7 +102,12 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
 
   test "returns the content type of a failure app" do
     get :index, params: { format: :xml }
-    assert response.content_type.include?('application/xml')
+
+    if Devise::Test.rails6?
+      assert response.media_type.include?('application/xml')
+    else
+      assert response.content_type.include?('application/xml')
+    end
   end
 
   test "defined Warden after_authentication callback should not be called when sign_in is called" do