Release 4.2.1

Otherwise we'd be mistakenly displaying the original email in the
message (which is the same we're sending the message to).

Also tweak the messaging a bit in this case, to show that the email "is
being changed" (the change hasn't taken effect yet).

Related to #4455.

.travis.yml

@@ -1,26 +1,29 @@
 language: ruby
 
 rvm:
-  - 2.1.9
-  - 2.2.5
-  - 2.3.1
+  - 2.1.10
+  - 2.2.6
+  - 2.3.3
+  - 2.4.0
   - ruby-head
 
 gemfile:
   - Gemfile
-  - gemfiles/Gemfile.rails-5.0
   - gemfiles/Gemfile.rails-4.2-stable
   - gemfiles/Gemfile.rails-4.1-stable
 
 matrix:
   exclude:
-    - rvm: 2.1.9
-      gemfile: gemfiles/Gemfile.rails-5.0
+    - rvm: 2.1.10
+      gemfile: Gemfile
+    - rvm: 2.4.0
+      gemfile: gemfiles/Gemfile.rails-4.1-stable
+    - rvm: ruby-head
+      gemfile: gemfiles/Gemfile.rails-4.1-stable
     - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-5.0
+      gemfile: Gemfile
   allow_failures:
     - rvm: ruby-head
-  fast_finish: true
 services:
   - mongodb
 

CHANGELOG.md

@@ -1,4 +1,19 @@
-### Unreleased
+### 4.2.1 - 2017-03-15
+
+* removals
+  * `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected
+    methods instead of public.
+* bug fixes
+  * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
+    Before this change, Devise would accept the reset password request and log the user in, without validating/changing
+    the password. (by @victor-am)
+  * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
+* enhancements
+  * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
+    When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
+    (original change by @ethirajsrinivasan)
+
+### 4.2.0 - 2016-07-01
 
 * removals
   * Remove the deprecated `Devise::ParameterSanitizer` API from Devise 3.
@@ -10,6 +25,10 @@
   * Remove the `Devise::Models::Confirmable#confirm!` method, use `confirm` instead.
   * Remove the `Devise::Models::Recoverable#reset_password!` method, use `reset_password` instead.
   * Remove the `Devise::Models::Recoverable#after_password_reset` method.
+* bug fixes
+  * Fix an `ActionDispatch::IllegalStateError` when testing controllers with Rails 5 rc 2(by @hamadata).
+  * Use `ActiveSupport.on_load` hooks to include Devise on `ActiveRecord` and `Mongoid`,
+    avoiding autoloading these constants too soon (by @lucasmazza, @rafaelfranca).
 * enhancements
   * Display the minimum password length on `registrations/edit` view (by @Yanchek99).
   * You can disable Devise's routes reloading on boot by through the `reload_routes = false` config.
@@ -18,6 +37,9 @@
     Devise mappings be loaded during boot time (by @sidonath).
   * Added `Devise::Test::IntegrationHelpers` to bypass the sign in process using
     Warden test API (by @lucasmazza).
+  * Define `inspect` in `Devise::Models::Authenticatable` to help ensure password hashes
+    aren't included in exceptions or otherwise accidentally serialized (by @tkrajcar).
+  * Add missing support of `Rails.application.config.action_controller.relative_url_root` (by @kosdiamantis).
 * deprecations
   * `Devise::TestHelpers` is deprecated in favor of `Devise::Test::ControllerHelpers`
     (by @lucasmazza).

CONTRIBUTING.md

@@ -1,39 +1,79 @@
-### Please read before contributing
+# How to contribute to Devise
 
-1) Do not post questions in the issues tracker. If you have any questions about
-Devise, search the [Wiki](https://github.com/plataformatec/devise/wiki) or use
-the [Mailing List](https://groups.google.com/group/plataformatec-devise) or
-[Stack Overflow](http://stackoverflow.com/questions/tagged/devise).
+Thanks for your interest on contributing to Devise! Here are a few general
+guidelines on contributing and reporting bugs to Devise that we ask you to
+take a look first. Notice that all of your interactions in the project are
+expected to follow our [Code of Conduct](CODE_OF_CONDUCT.md).
 
-2) If you find a security bug, **DO NOT** submit an issue here. Please send an
+## Reporting Issues
+
+Before reporting a new issue, please be sure that the issue wasn't already
+reported or fixed by searching on GitHub through our [issues](https://github.com/plataformatec/devise/issues).
+
+When creating a new issue, be sure to include a **title and clear description**,
+as much relevant information as possible, and either a test case example or
+even better a **sample Rails app that replicates the issue** - Devise has a lot
+of moving parts and it's functionality can be affected by third party gems, so
+we need as much context and details as possible to identify what might be broken
+for you. We have a [test case template](guides/bug_report_templates/integration_test.rb)
+that can be used to replicate issues with minimal setup.
+
+Please do not attempt to translate Devise built in views. The views are meant
+to be a starting point for fresh apps and not production material - eventually
+all applications will require custom views where you can write your own copy and
+translate it if the application requires it . For historical references, please look into closed
+[Issues/Pull Requests](https://github.com/plataformatec/devise/issues?q=i18n) regarding
+internationalization.
+
+Avoid opening new issues to ask questions in our issues tracker. Please go through
+the project wiki, documentation and source code first, or try to ask your question
+on [Stack Overflow](http://stackoverflow.com/questions/tagged/devise).
+
+**If you find a security bug, do not report it through GitHub. Please send an
 e-mail to [opensource@plataformatec.com.br](mailto:opensource@plataformatec.com.br)
-instead.
+instead.**
 
-3) If possible, replicate your issue with our
-[guides/bug_report_templates/integration_test.rb](test case example), and attach
-it to your issue or Pull Request - this way we have an isolated way to replicate
-your issue and investigate it further.
+## Sending Pull Requests
 
-4) Otherwise, please provide a fresh new Rails application that replicates your
-issue on a public GitHub repository, as some scenarios might not be possible to
-replicate using the standalone test case example.
+Before sending a new Pull Request, take a look on existing Pull Requests and Issues
+to see if the proposed change or fix has been discussed in the past, or if the
+change was already implemented but not yet released.
 
-5) Do a small search on the issues tracker before submitting your issue to see
-if it was already reported / fixed. Duplicated issues will be closed to avoid
-too much noise/duplication in the issue tracker.
+We expect new Pull Requests to include enough tests for new or changed behavior,
+and we aim to maintain everything as most backwards compatible as possible,
+reserving breaking changes to be ship in major releases when necessary - you
+can wrap the new code path with a setting toggle from the `Devise` module defined
+as `false` by default to require developers to opt-in for the new behavior.
 
-6) When reporting an issue, include Rails, Devise and Warden versions. If you
-are getting exceptions, please include the full backtrace.
+If your Pull Request includes new or changed behavior, be sure that the changes
+are beneficial to a wide range of use cases or it's an application specific change
+that might not be so valuable to other applications. Some changes can be introduced
+as a new `devise-something` gem instead of belonging to the main codebase.
 
-7) Please do not attempt to translate Devise built in views. The views are meant
-to be a starting point and not a final version. For historical references,
-please look into closed issues/Pull regarding i18n.
+When adding new settings, you can take advantage of the [`Devise::Models.config`](https://github.com/plataformatec/devise/blob/245b1f9de0b3386b7913e14b60ea24f43b77feb0/lib/devise/models.rb#L13-L50) method to add class and instance level fallbacks
+to the new setting.
 
-8) Notice that all of your interactions in the project are expected to follow
-our [Code of Conduct](CODE_OF_CONDUCT.md)
+We also welcome Pull Requests that improve our existing documentation (both our
+`README.md` and the RDoc sections in the source code) or improve existing rough
+edges in our API that might be blocking existing integrations or 3rd party gems.
 
-That's it! The more information you give, the easier it becomes for us to track
-it down and fix it. Ideally, you should provide an application that reproduces
-the error or a test case to Devise's suite.
+## Other ways to contribute
 
-Thanks!
+We welcome anyone that wants to contribute to Devise to triage and reply to
+open issues to help troubleshoot and fix existing bugs on Devise. Here is what
+you can do:
+
+* Help ensure that existing issues follows the recommendations from the
+_[Reporting Issues](#reporting-issues)_ section, providing feeback to the issue's
+author on what might be missing.
+* Review and update the existing content of our [Wiki](https://github.com/plataformatec/devise/wiki)
+with up to date instructions and code samples - the wiki was grown with several
+different tutorials and references that we can't keep track of everything, so if
+there is a page that showcases an integration or customization that you are
+familiar with feel free to update it as necessary.
+* Review existing Pull Requests, and testing patches against real existing
+applications that use Devise.
+
+Thanks again for your interest on contributing to the project!
+
+:heart:

Gemfile

@@ -2,17 +2,23 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 4.2.6"
-gem "omniauth"
+gem "rails", "~> 5.0.0"
+gem "omniauth", "~> 1.3"
+gem "oauth2"
 gem "omniauth-oauth2"
 gem "rdoc"
 
+gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
+
+gem "rails-controller-testing"
+
+gem "responders", "~> 2.1"
+
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
-  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do
@@ -25,6 +31,7 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-group :mongoid do
-  gem "mongoid", "~> 5.0"
-end
+# TODO:
+# group :mongoid do
+#   gem "mongoid", "~> 4.0.0"
+# end

Gemfile.lock

@@ -1,7 +1,16 @@
+GIT
+  remote: git://github.com/rails/activemodel-serializers-xml.git
+  revision: dd9c0acf26aab111ebc647cd8deb99ebc6946531
+  specs:
+    activemodel-serializers-xml (1.0.1)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
+      builder (~> 3.1)
+
 PATH
   remote: .
   specs:
-    devise (4.1.0)
+    devise (4.2.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -11,89 +20,84 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
+    actioncable (5.0.2)
+      actionpack (= 5.0.2)
+      nio4r (>= 1.2, < 3.0)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.0.2)
+      actionpack (= 5.0.2)
+      actionview (= 5.0.2)
+      activejob (= 5.0.2)
       mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.6)
-      actionview (= 4.2.6)
-      activesupport (= 4.2.6)
-      rack (~> 1.6)
-      rack-test (~> 0.6.2)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.0.2)
+      actionview (= 5.0.2)
+      activesupport (= 5.0.2)
+      rack (~> 2.0)
+      rack-test (~> 0.6.3)
+      rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.6)
-      activesupport (= 4.2.6)
+    actionview (5.0.2)
+      activesupport (= 5.0.2)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.6)
-      activesupport (= 4.2.6)
-      globalid (>= 0.3.0)
-    activemodel (4.2.6)
-      activesupport (= 4.2.6)
-      builder (~> 3.1)
-    activerecord (4.2.6)
-      activemodel (= 4.2.6)
-      activesupport (= 4.2.6)
-      arel (~> 6.0)
-    activesupport (4.2.6)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.0.2)
+      activesupport (= 5.0.2)
+      globalid (>= 0.3.6)
+    activemodel (5.0.2)
+      activesupport (= 5.0.2)
+    activerecord (5.0.2)
+      activemodel (= 5.0.2)
+      activesupport (= 5.0.2)
+      arel (~> 7.0)
+    activesupport (5.0.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (6.0.3)
+    arel (7.1.4)
     bcrypt (3.1.11)
-    bson (4.1.1)
-    builder (3.2.2)
-    concurrent-ruby (1.0.2)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
     erubis (2.7.0)
-    faraday (0.9.2)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.6)
+    globalid (0.3.7)
       activesupport (>= 4.1.0)
-    hashie (3.4.4)
-    i18n (0.7.0)
-    json (1.8.3)
-    jwt (1.5.1)
+    hashie (3.5.5)
+    i18n (0.8.1)
+    jwt (1.5.6)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
     mail (2.6.4)
       mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (3.0)
+    method_source (0.8.2)
+    mime-types (3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.9.0)
-    mocha (1.1.0)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    mocha (1.2.1)
       metaclass (~> 0.0.1)
-    mongo (2.2.5)
-      bson (~> 4.0)
-    mongoid (5.1.3)
-      activemodel (~> 4.0)
-      mongo (~> 2.1)
-      origin (~> 2.2)
-      tzinfo (>= 0.3.37)
-    multi_json (1.12.0)
-    multi_xml (0.5.5)
+    multi_json (1.12.1)
+    multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    oauth2 (1.1.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0, < 1.5.2)
+    nio4r (2.0.0)
+    nokogiri (1.7.0.1)
+      mini_portile2 (~> 2.1.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.3.1)
-      hashie (>= 1.2, < 4)
-      rack (>= 1.0, < 3)
-    omniauth-facebook (3.0.0)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.4.0)
       oauth2 (~> 1.0)
@@ -101,84 +105,88 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.6.4)
+    rack (2.0.1)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.2.6)
-      actionmailer (= 4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
-      activemodel (= 4.2.6)
-      activerecord (= 4.2.6)
-      activesupport (= 4.2.6)
+    rails (5.0.2)
+      actioncable (= 5.0.2)
+      actionmailer (= 5.0.2)
+      actionpack (= 5.0.2)
+      actionview (= 5.0.2)
+      activejob (= 5.0.2)
+      activemodel (= 5.0.2)
+      activerecord (= 5.0.2)
+      activesupport (= 5.0.2)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.6)
-      sprockets-rails
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
-      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
-      rails-deprecated_sanitizer (>= 1.0.1)
+      railties (= 5.0.2)
+      sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.1)
+      actionpack (~> 5.x)
+      actionview (~> 5.x)
+      activesupport (~> 5.x)
+    rails-dom-testing (2.0.2)
+      activesupport (>= 4.2.0, < 6.0)
+      nokogiri (~> 1.6)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
-    railties (4.2.6)
-      actionpack (= 4.2.6)
-      activesupport (= 4.2.6)
+    railties (5.0.2)
+      actionpack (= 5.0.2)
+      activesupport (= 5.0.2)
+      method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.1.2)
-    rdoc (4.2.2)
-      json (~> 1.4)
-    responders (2.2.0)
+    rake (12.0.0)
+    rdoc (5.1.0)
+    responders (2.3.0)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (3.6.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.0.4)
+    sprockets-rails (3.2.0)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.11)
-    test_after_commit (1.0.0)
-      activerecord (>= 3.2)
-    thor (0.19.1)
-    thread_safe (0.3.5)
+    sqlite3 (1.3.13)
+    thor (0.19.4)
+    thread_safe (0.3.6)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.6)
+    warden (1.2.7)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  activemodel-serializers-xml!
   activerecord-jdbc-adapter
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid (~> 5.0)
-  omniauth
+  oauth2
+  omniauth (~> 1.3)
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (~> 4.2.6)
+  rails (~> 5.0.0)
+  rails-controller-testing
   rdoc
+  responders (~> 2.1)
   sqlite3
-  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.11.2
+   1.12.6

README.md

@@ -17,7 +17,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 It's composed of 10 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/intridea/omniauth) support.
+* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
 * [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
@@ -43,9 +43,13 @@ https://github.com/plataformatec/devise/wiki/Bug-reports
 
 If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
 
-### Mailing list
+### StackOverflow and Mailing List
 
-If you have any questions, comments, or concerns, please use the Google Group instead of the GitHub issue tracker:
+If you have any questions, comments, or concerns, please use StackOverflow instead of the GitHub issue tracker:
+
+http://stackoverflow.com/questions/tagged/devise
+
+The deprecated mailing list can still be read on
 
 https://groups.google.com/group/plataformatec-devise
 
@@ -95,29 +99,32 @@ Devise 4.0 works with Rails 4.1 onwards. You can add it to your Gemfile with:
 gem 'devise'
 ```
 
-Run the bundle command to install it.
+Then run `bundle install`
 
-After you install Devise and add it to your Gemfile, you need to run the generator:
+Next, you need to run the generator:
 
 ```console
 $ rails generate devise:install
 ```
 
-The generator will install an initializer which describes ALL of Devise's configuration options. It is *imperative* that you take a look at it. When you are done, you are ready to add Devise to any of your models using the generator:
+At this point, a number of instructions will appear in the console. Among these instructions, you'll need to set up the default URL options for the Devise mailer in each environment. Here is a possible configuration for `config/environments/development.rb`:
+
+```ruby
+config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
+```
+
+The generator will install an initializer which describes ALL of Devise's configuration options. It is *imperative* that you take a look at it. When you are done, you are ready to add Devise to any of your models using the generator.
+
+
+In the following command you will replace `MODEL` with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with the default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
 
 ```console
 $ rails generate devise MODEL
 ```
 
-Replace MODEL with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with the default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
+Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section.  For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. 
 
-Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section.  For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. Then run `rake db:migrate`
-
-Next, you need to set up the default URL options for the Devise mailer in each environment. Here is a possible configuration for `config/environments/development.rb`:
-
-```ruby
-config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
-```
+Then run `rake db:migrate`
 
 You should restart your application after changing Devise's configuration options. Otherwise, you will run into strange errors, for example, users being unable to login and route helpers being undefined.
 
@@ -176,7 +183,7 @@ member_session
 The Devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the hashing algorithm with:
 
 ```ruby
-devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
+devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 12
 ```
 
 Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`.
@@ -444,7 +451,7 @@ tests:
 
 ```ruby
 sign_in @user
-sign_in @user, scope: admin
+sign_in @user, scope: :admin
 ```
 
 If you are testing Devise internal controllers or a controller that inherits

app/controllers/devise/omniauth_callbacks_controller.rb

@@ -13,14 +13,14 @@ class Devise::OmniauthCallbacksController < DeviseController
   protected
 
   def failed_strategy
-    request.respond_to?(:get_header) ? request.get_header("omniauth.error.strategy") : env["omniauth.error.strategy"]
+    request.respond_to?(:get_header) ? request.get_header("omniauth.error.strategy") : request.env["omniauth.error.strategy"]
   end
 
   def failure_message
-    exception = request.respond_to?(:get_header) ? request.get_header("omniauth.error") : env["omniauth.error"]
+    exception = request.respond_to?(:get_header) ? request.get_header("omniauth.error") : request.env["omniauth.error"]
     error   = exception.error_reason if exception.respond_to?(:error_reason)
     error ||= exception.error        if exception.respond_to?(:error)
-    error ||= (request.respond_to?(:get_header) ? request.get_header("omniauth.error.type") : env["omniauth.error.type"]).to_s
+    error ||= (request.respond_to?(:get_header) ? request.get_header("omniauth.error.type") : request.env["omniauth.error.type"]).to_s
     error.to_s.humanize if error
   end
 

app/controllers/devise/registrations_controller.rb

@@ -7,7 +7,7 @@ class Devise::RegistrationsController < DeviseController
   def new
     build_resource({})
     yield resource if block_given?
-    respond_with self.resource
+    respond_with resource
   end
 
   # POST /resource
@@ -57,6 +57,7 @@ class Devise::RegistrationsController < DeviseController
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
+      set_minimum_password_length
       respond_with resource
     end
   end

app/mailers/devise/mailer.rb

@@ -17,6 +17,10 @@ if defined?(ActionMailer)
       devise_mail(record, :unlock_instructions, opts)
     end
 
+    def email_changed(record, opts={})
+      devise_mail(record, :email_changed, opts)
+    end
+
     def password_change(record, opts={})
       devise_mail(record, :password_change, opts)
     end

app/views/devise/mailer/email_changed.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @email %>!</p>
+
+<% if @resource.try(:unconfirmed_email?) %>
+  <p>We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.</p>
+<% else %>
+  <p>We're contacting you to notify you that your email has been changed to <%= @resource.email %>.</p>
+<% end %>

config/locales/en.yml

@@ -23,6 +23,8 @@ en:
         subject: "Reset password instructions"
       unlock_instructions:
         subject: "Unlock instructions"
+      email_changed:
+        subject: "Email Changed"
       password_change:
         subject: "Password Changed"
     omniauth_callbacks:

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -1,54 +1,27 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 41b4d81b4fd14cbf43060c223bea0f461256d099
+  revision: 0cad778c2605a5204a05a9f1dbd3344e39f248d8
   branch: 4-1-stable
   specs:
-    actionmailer (4.1.15)
-      actionpack (= 4.1.15)
-      actionview (= 4.1.15)
+    actionmailer (4.1.16)
+      actionpack (= 4.1.16)
+      actionview (= 4.1.16)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.15)
-      actionview (= 4.1.15)
-      activesupport (= 4.1.15)
-      rack (~> 1.5.2)
-      rack-test (~> 0.6.2)
-    actionview (4.1.15)
-      activesupport (= 4.1.15)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-    activemodel (4.1.15)
-      activesupport (= 4.1.15)
-      builder (~> 3.1)
-    activerecord (4.1.15)
-      activemodel (= 4.1.15)
-      activesupport (= 4.1.15)
-      arel (~> 5.0.0)
-    activesupport (4.1.15)
-      i18n (~> 0.6, >= 0.6.9)
-      json (~> 1.7, >= 1.7.7)
-      minitest (~> 5.1)
-      thread_safe (~> 0.1)
-      tzinfo (~> 1.1)
-    rails (4.1.15)
-      actionmailer (= 4.1.15)
-      actionpack (= 4.1.15)
-      actionview (= 4.1.15)
-      activemodel (= 4.1.15)
-      activerecord (= 4.1.15)
-      activesupport (= 4.1.15)
+    rails (4.1.16)
+      actionmailer (= 4.1.16)
+      actionpack (= 4.1.16)
+      actionview (= 4.1.16)
+      activemodel (= 4.1.16)
+      activerecord (= 4.1.16)
+      activesupport (= 4.1.16)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.15)
+      railties (= 4.1.16)
       sprockets-rails (~> 2.0)
-    railties (4.1.15)
-      actionpack (= 4.1.15)
-      activesupport (= 4.1.15)
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (4.1.0)
+    devise (4.2.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -58,28 +31,50 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    actionpack (4.1.16)
+      actionview (= 4.1.16)
+      activesupport (= 4.1.16)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.16)
+      activesupport (= 4.1.16)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.16)
+      activesupport (= 4.1.16)
+      builder (~> 3.1)
+    activerecord (4.1.16)
+      activemodel (= 4.1.16)
+      activesupport (= 4.1.16)
+      arel (~> 5.0.0)
+    activesupport (4.1.16)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
     arel (5.0.1.20140414130214)
     bcrypt (3.1.11)
     bson (3.2.6)
-    builder (3.2.2)
-    concurrent-ruby (1.0.2)
-    connection_pool (2.2.0)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    connection_pool (2.2.1)
     erubis (2.7.0)
-    faraday (0.9.2)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.4)
-    i18n (0.7.0)
-    json (1.8.3)
-    jwt (1.5.1)
+    hashie (3.5.5)
+    i18n (0.8.1)
+    json (1.8.6)
+    jwt (1.5.6)
     mail (2.6.4)
       mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (3.0)
+    mime-types (3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.9.0)
-    mocha (1.1.0)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    mocha (1.2.1)
       metaclass (~> 0.0.1)
     mongoid (4.0.2)
       activemodel (~> 4.0)
@@ -90,21 +85,21 @@ GEM
       bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.12.0)
-    multi_xml (0.5.5)
+    multi_json (1.12.1)
+    multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    oauth2 (1.1.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0, < 1.5.2)
+    nokogiri (1.7.0.1)
+      mini_portile2 (~> 2.1.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.3.1)
+    omniauth (1.4.2)
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
-    omniauth-facebook (3.0.0)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.4.0)
       oauth2 (~> 1.0)
@@ -113,7 +108,7 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.2.0)
+    origin (2.3.0)
     orm_adapter (0.5.0)
     rack (1.5.5)
     rack-openid (1.3.1)
@@ -121,27 +116,31 @@ GEM
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (11.1.2)
-    rdoc (4.2.2)
-      json (~> 1.4)
+    railties (4.1.16)
+      actionpack (= 4.1.16)
+      activesupport (= 4.1.16)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.0.0)
+    rdoc (5.1.0)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
     ruby-openid (2.7.0)
-    sprockets (3.6.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.11)
-    test_after_commit (1.0.0)
+    sqlite3 (1.3.13)
+    test_after_commit (1.1.0)
       activerecord (>= 3.2)
-    thor (0.19.1)
-    thread_safe (0.3.5)
+    thor (0.19.4)
+    thread_safe (0.3.6)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.6)
+    warden (1.2.7)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -169,4 +168,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.11.2
+   1.12.6

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -1,64 +1,63 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 5be7cfa46e055148c8b74ac5d48982a3435f477c
+  revision: dc3ae21802c316e1639239d28202db7aa7fb7cac
   branch: 4-2-stable
   specs:
-    actionmailer (4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
+    actionmailer (4.2.8)
+      actionpack (= 4.2.8)
+      actionview (= 4.2.8)
+      activejob (= 4.2.8)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.6)
-      actionview (= 4.2.6)
-      activesupport (= 4.2.6)
+    actionpack (4.2.8)
+      actionview (= 4.2.8)
+      activesupport (= 4.2.8)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.6)
-      activesupport (= 4.2.6)
+    actionview (4.2.8)
+      activesupport (= 4.2.8)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.6)
-      activesupport (= 4.2.6)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (4.2.8)
+      activesupport (= 4.2.8)
       globalid (>= 0.3.0)
-    activemodel (4.2.6)
-      activesupport (= 4.2.6)
+    activemodel (4.2.8)
+      activesupport (= 4.2.8)
       builder (~> 3.1)
-    activerecord (4.2.6)
-      activemodel (= 4.2.6)
-      activesupport (= 4.2.6)
+    activerecord (4.2.8)
+      activemodel (= 4.2.8)
+      activesupport (= 4.2.8)
       arel (~> 6.0)
-    activesupport (4.2.6)
+    activesupport (4.2.8)
       i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    rails (4.2.6)
-      actionmailer (= 4.2.6)
-      actionpack (= 4.2.6)
-      actionview (= 4.2.6)
-      activejob (= 4.2.6)
-      activemodel (= 4.2.6)
-      activerecord (= 4.2.6)
-      activesupport (= 4.2.6)
+    rails (4.2.8)
+      actionmailer (= 4.2.8)
+      actionpack (= 4.2.8)
+      actionview (= 4.2.8)
+      activejob (= 4.2.8)
+      activemodel (= 4.2.8)
+      activerecord (= 4.2.8)
+      activesupport (= 4.2.8)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.6)
+      railties (= 4.2.8)
       sprockets-rails
-    railties (4.2.6)
-      actionpack (= 4.2.6)
-      activesupport (= 4.2.6)
+    railties (4.2.8)
+      actionpack (= 4.2.8)
+      activesupport (= 4.2.8)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (4.1.0)
+    devise (4.2.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -68,32 +67,31 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    arel (6.0.3)
+    arel (6.0.4)
     bcrypt (3.1.11)
     bson (3.2.6)
-    builder (3.2.2)
-    concurrent-ruby (1.0.2)
-    connection_pool (2.2.0)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    connection_pool (2.2.1)
     erubis (2.7.0)
-    faraday (0.9.2)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.6)
+    globalid (0.3.7)
       activesupport (>= 4.1.0)
-    hashie (3.4.4)
-    i18n (0.7.0)
-    json (1.8.3)
-    jwt (1.5.1)
+    hashie (3.5.5)
+    i18n (0.8.1)
+    jwt (1.5.6)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
     mail (2.6.4)
       mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (3.0)
+    mime-types (3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.9.0)
-    mocha (1.1.0)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    mocha (1.2.1)
       metaclass (~> 0.0.1)
     mongoid (4.0.2)
       activemodel (~> 4.0)
@@ -104,21 +102,21 @@ GEM
       bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.12.0)
-    multi_xml (0.5.5)
+    multi_json (1.12.1)
+    multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    oauth2 (1.1.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0, < 1.5.2)
+    nokogiri (1.7.0.1)
+      mini_portile2 (~> 2.1.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.3.1)
-      hashie (>= 1.2, < 4)
-      rack (>= 1.0, < 3)
-    omniauth-facebook (3.0.0)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.4.0)
       oauth2 (~> 1.0)
@@ -127,9 +125,9 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.2.0)
+    origin (2.3.0)
     orm_adapter (0.5.0)
-    rack (1.6.4)
+    rack (1.6.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -137,33 +135,32 @@ GEM
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
+    rails-dom-testing (1.0.8)
       activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
+      nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
-    rake (11.1.2)
-    rdoc (4.2.2)
-      json (~> 1.4)
-    responders (2.2.0)
+    rake (12.0.0)
+    rdoc (5.1.0)
+    responders (2.3.0)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (3.6.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.0.4)
+    sprockets-rails (3.2.0)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.11)
-    test_after_commit (1.0.0)
+    sqlite3 (1.3.13)
+    test_after_commit (1.1.0)
       activerecord (>= 3.2)
-    thor (0.19.1)
-    thread_safe (0.3.5)
+    thor (0.19.4)
+    thread_safe (0.3.6)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.6)
+    warden (1.2.7)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -191,4 +188,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.11.2
+   1.12.6

gemfiles/Gemfile.rails-5.0

@@ -1,37 +0,0 @@
-source "https://rubygems.org"
-
-gemspec path: ".."
-
-gem "rails", "5.0.0.rc1"
-gem "omniauth", " ~> 1.3"
-gem "oauth2"
-gem "omniauth-oauth2"
-gem "rdoc"
-
-gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
-
-gem "rails-controller-testing"
-
-gem "responders", "~> 2.1"
-
-group :test do
-  gem "omniauth-facebook"
-  gem "omniauth-openid"
-  gem "webrat", "0.7.3", require: false
-  gem "mocha", "~> 1.1", require: false
-end
-
-platforms :jruby do
-  gem "activerecord-jdbc-adapter"
-  gem "activerecord-jdbcsqlite3-adapter"
-  gem "jruby-openssl"
-end
-
-platforms :ruby do
-  gem "sqlite3"
-end
-
-# TODO:
-# group :mongoid do
-#   gem "mongoid", "~> 4.0.0"
-# end

gemfiles/Gemfile.rails-5.0-beta.lock

@@ -1,199 +0,0 @@
-GIT
-  remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: f380ea5ddefcb9a37f4fbc47606ed6fbecdb2b2a
-  specs:
-    activemodel-serializers-xml (1.0.0)
-      activemodel (> 5.x)
-      activerecord (> 5.x)
-      activesupport (> 5.x)
-      builder (~> 3.1)
-
-PATH
-  remote: ..
-  specs:
-    devise (4.0.0.rc2)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.1)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actioncable (5.0.0.beta3)
-      actionpack (= 5.0.0.beta3)
-      nio4r (~> 1.2)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.0.0.beta3)
-      actionpack (= 5.0.0.beta3)
-      actionview (= 5.0.0.beta3)
-      activejob (= 5.0.0.beta3)
-      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (5.0.0.beta3)
-      actionview (= 5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      rack (~> 2.x)
-      rack-test (~> 0.6.3)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      globalid (>= 0.3.6)
-    activemodel (5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-    activerecord (5.0.0.beta3)
-      activemodel (= 5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      arel (~> 7.0)
-    activesupport (5.0.0.beta3)
-      concurrent-ruby (~> 1.0)
-      i18n (~> 0.7)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    arel (7.0.0)
-    bcrypt (3.1.11)
-    builder (3.2.2)
-    concurrent-ruby (1.0.1)
-    erubis (2.7.0)
-    faraday (0.9.2)
-      multipart-post (>= 1.2, < 3)
-    globalid (0.3.6)
-      activesupport (>= 4.1.0)
-    hashie (3.4.3)
-    i18n (0.7.0)
-    json (1.8.3)
-    jwt (1.5.1)
-    loofah (2.0.3)
-      nokogiri (>= 1.5.9)
-    mail (2.6.4)
-      mime-types (>= 1.16, < 4)
-    metaclass (0.0.4)
-    method_source (0.8.2)
-    mime-types (3.0)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.8.4)
-    mocha (1.1.0)
-      metaclass (~> 0.0.1)
-    multi_json (1.11.2)
-    multi_xml (0.5.5)
-    multipart-post (2.0.0)
-    nio4r (1.2.1)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    oauth2 (1.1.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0, < 1.5.2)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.3.1)
-      hashie (>= 1.2, < 4)
-      rack (>= 1.0, < 3)
-    omniauth-facebook (3.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.4.0)
-      oauth2 (~> 1.0)
-      omniauth (~> 1.2)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
-    orm_adapter (0.5.0)
-    rack (2.0.0.alpha)
-      json
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-test (0.6.3)
-      rack (>= 1.0)
-    rails (5.0.0.beta3)
-      actioncable (= 5.0.0.beta3)
-      actionmailer (= 5.0.0.beta3)
-      actionpack (= 5.0.0.beta3)
-      actionview (= 5.0.0.beta3)
-      activejob (= 5.0.0.beta3)
-      activemodel (= 5.0.0.beta3)
-      activerecord (= 5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      bundler (>= 1.3.0, < 2.0)
-      railties (= 5.0.0.beta3)
-      sprockets-rails (>= 2.0.0)
-    rails-controller-testing (0.1.1)
-      actionpack (~> 5.x)
-      actionview (~> 5.x)
-      activesupport (~> 5.x)
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
-      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
-      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (5.0.0.beta3)
-      actionpack (= 5.0.0.beta3)
-      activesupport (= 5.0.0.beta3)
-      method_source
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (11.1.2)
-    rdoc (4.2.2)
-      json (~> 1.4)
-    responders (2.1.2)
-      railties (>= 4.2.0, < 5.1)
-    ruby-openid (2.7.0)
-    sprockets (3.6.0)
-      concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.0.4)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    sqlite3 (1.3.11)
-    thor (0.19.1)
-    thread_safe (0.3.5)
-    tzinfo (1.2.2)
-      thread_safe (~> 0.1)
-    warden (1.2.6)
-      rack (>= 1.0)
-    webrat (0.7.3)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-    websocket-driver (0.6.3)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activemodel-serializers-xml!
-  activerecord-jdbc-adapter
-  activerecord-jdbcsqlite3-adapter
-  devise!
-  jruby-openssl
-  mocha (~> 1.1)
-  oauth2
-  omniauth (~> 1.3)
-  omniauth-facebook
-  omniauth-oauth2 (>= 1.2.0, < 1.5.0)
-  omniauth-openid (~> 1.0.1)
-  rails (= 5.0.0.beta3)
-  rails-controller-testing
-  rdoc
-  responders (~> 2.1.1)
-  sqlite3
-  webrat (= 0.7.3)
-
-BUNDLED WITH
-   1.11.2

gemfiles/Gemfile.rails-5.0.lock

@@ -1,199 +0,0 @@
-GIT
-  remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 570ee7ed33d60e44ca1f3ccbec3d1fbf61d52cbf
-  specs:
-    activemodel-serializers-xml (1.0.1)
-      activemodel (> 5.x)
-      activerecord (> 5.x)
-      activesupport (> 5.x)
-      builder (~> 3.1)
-
-PATH
-  remote: ..
-  specs:
-    devise (4.1.0)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.1)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actioncable (5.0.0.rc1)
-      actionpack (= 5.0.0.rc1)
-      nio4r (~> 1.2)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.0.0.rc1)
-      actionpack (= 5.0.0.rc1)
-      actionview (= 5.0.0.rc1)
-      activejob (= 5.0.0.rc1)
-      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (5.0.0.rc1)
-      actionview (= 5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      rack (~> 2.x)
-      rack-test (~> 0.6.3)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      globalid (>= 0.3.6)
-    activemodel (5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-    activerecord (5.0.0.rc1)
-      activemodel (= 5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      arel (~> 7.0)
-    activesupport (5.0.0.rc1)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    arel (7.0.0)
-    bcrypt (3.1.11)
-    builder (3.2.2)
-    concurrent-ruby (1.0.2)
-    erubis (2.7.0)
-    faraday (0.9.2)
-      multipart-post (>= 1.2, < 3)
-    globalid (0.3.6)
-      activesupport (>= 4.1.0)
-    hashie (3.4.4)
-    i18n (0.7.0)
-    json (1.8.3)
-    jwt (1.5.1)
-    loofah (2.0.3)
-      nokogiri (>= 1.5.9)
-    mail (2.6.4)
-      mime-types (>= 1.16, < 4)
-    metaclass (0.0.4)
-    method_source (0.8.2)
-    mime-types (3.0)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0221)
-    mini_portile2 (2.0.0)
-    minitest (5.9.0)
-    mocha (1.1.0)
-      metaclass (~> 0.0.1)
-    multi_json (1.12.0)
-    multi_xml (0.5.5)
-    multipart-post (2.0.0)
-    nio4r (1.2.1)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
-    oauth2 (1.1.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0, < 1.5.2)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.3.1)
-      hashie (>= 1.2, < 4)
-      rack (>= 1.0, < 3)
-    omniauth-facebook (3.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.4.0)
-      oauth2 (~> 1.0)
-      omniauth (~> 1.2)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
-    orm_adapter (0.5.0)
-    rack (2.0.0.rc1)
-      json
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-test (0.6.3)
-      rack (>= 1.0)
-    rails (5.0.0.rc1)
-      actioncable (= 5.0.0.rc1)
-      actionmailer (= 5.0.0.rc1)
-      actionpack (= 5.0.0.rc1)
-      actionview (= 5.0.0.rc1)
-      activejob (= 5.0.0.rc1)
-      activemodel (= 5.0.0.rc1)
-      activerecord (= 5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      bundler (>= 1.3.0, < 2.0)
-      railties (= 5.0.0.rc1)
-      sprockets-rails (>= 2.0.0)
-    rails-controller-testing (0.1.1)
-      actionpack (~> 5.x)
-      actionview (~> 5.x)
-      activesupport (~> 5.x)
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
-      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
-      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (5.0.0.rc1)
-      actionpack (= 5.0.0.rc1)
-      activesupport (= 5.0.0.rc1)
-      method_source
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (11.1.2)
-    rdoc (4.2.2)
-      json (~> 1.4)
-    responders (2.2.0)
-      railties (>= 4.2.0, < 5.1)
-    ruby-openid (2.7.0)
-    sprockets (3.6.0)
-      concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.0.4)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    sqlite3 (1.3.11)
-    thor (0.19.1)
-    thread_safe (0.3.5)
-    tzinfo (1.2.2)
-      thread_safe (~> 0.1)
-    warden (1.2.6)
-      rack (>= 1.0)
-    webrat (0.7.3)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-    websocket-driver (0.6.3)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activemodel-serializers-xml!
-  activerecord-jdbc-adapter
-  activerecord-jdbcsqlite3-adapter
-  devise!
-  jruby-openssl
-  mocha (~> 1.1)
-  oauth2
-  omniauth (~> 1.3)
-  omniauth-facebook
-  omniauth-oauth2
-  omniauth-openid
-  rails (= 5.0.0.rc1)
-  rails-controller-testing
-  rdoc
-  responders (~> 2.1)
-  sqlite3
-  webrat (= 0.7.3)
-
-BUNDLED WITH
-   1.11.2

lib/devise.rb

@@ -153,7 +153,11 @@ module Devise
   mattr_accessor :pepper
   @@pepper = nil
 
-  # Used to enable sending notification to user when their password is changed
+  # Used to send notification to the original user email when their email is changed.
+  mattr_accessor :send_email_changed_notification
+  @@send_email_changed_notification = false
+
+  # Used to enable sending notification to user when their password is changed.
   mattr_accessor :send_password_change_notification
   @@send_password_change_notification = false
 

lib/devise/controllers/rememberable.rb

@@ -18,7 +18,7 @@ module Devise
 
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
-        return if env["devise.skip_storage"]
+        return if request.env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

lib/devise/controllers/sign_in_out.rb

@@ -74,7 +74,6 @@ module Devise
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         user = warden.user(scope: scope, run_callbacks: false) # If there is no user
 
-        warden.raw_session.inspect # Without this inspect here. The session does not clear.
         warden.logout(scope)
         warden.clear_strategies_cache!(scope: scope)
         instance_variable_set(:"@current_#{scope}", nil)

lib/devise/controllers/store_location.rb

@@ -29,7 +29,7 @@ module Devise
       # Example:
       #
       #   store_location_for(:user, dashboard_path)
-      #   redirect_to user_omniauth_authorize_path(:facebook)
+      #   redirect_to user_facebook_omniauth_authorize_path
       #
       def store_location_for(resource_or_scope, location)
         session_key = stored_location_key_for(resource_or_scope)

lib/devise/failure_app.rb

@@ -2,9 +2,9 @@ require "action_controller/metal"
 
 module Devise
   # Failure application that will be called every time :warden is thrown from
-  # any strategy or hook. Responsible for redirect the user to the sign in
-  # page based on current scope and mapping. If no scope is given, redirect
-  # to the default_url.
+  # any strategy or hook. It is responsible for redirecting the user to the sign
+  # in page based on current scope and mapping. If no scope is given, it
+  # redirects to the default_url.
   class FailureApp < ActionController::Metal
     include ActionController::UrlFor
     include ActionController::Redirecting
@@ -50,13 +50,11 @@ module Devise
     end
 
     def recall
-      config = Rails.application.config
-
-      header_info = if config.try(:relative_url_root)
-        base_path = Pathname.new(config.relative_url_root)
+      header_info = if relative_url_root?
+        base_path = Pathname.new(relative_url_root)
         full_path = Pathname.new(attempted_path)
 
-        { "SCRIPT_NAME" => config.relative_url_root,
+        { "SCRIPT_NAME" => relative_url_root,
           "PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
       else
         { "PATH_INFO" => attempted_path }
@@ -66,7 +64,7 @@ module Devise
         if request.respond_to?(:set_header)
           request.set_header(var, value)
         else
-          env[var]  = value
+          request.env[var]  = value
         end
       end
 
@@ -135,18 +133,16 @@ module Devise
 
     def scope_url
       opts  = {}
+
+      # Initialize script_name with nil to prevent infinite loops in
+      # authenticated mounted engines in rails 4.2 and 5.0
+      opts[:script_name] = nil
+
       route = route(scope)
+
       opts[:format] = request_format unless skip_format?
 
-      config = Rails.application.config
-
-      if config.respond_to?(:relative_url_root)
-        # Rails 4.2 goes into an infinite loop if opts[:script_name] is unset
-        rails_4_2 = (Rails::VERSION::MAJOR >= 4) && (Rails::VERSION::MINOR >= 2)
-        if config.relative_url_root.present? || rails_4_2
-          opts[:script_name] = config.relative_url_root
-        end
-      end
+      opts[:script_name] = relative_url_root if relative_url_root?
 
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
@@ -164,12 +160,12 @@ module Devise
       %w(html */*).include? request_format.to_s
     end
 
-    # Choose whether we should respond in a http authentication fashion,
+    # Choose whether we should respond in an HTTP authentication fashion,
     # including 401 and optional headers.
     #
-    # This method allows the user to explicitly disable http authentication
-    # on ajax requests in case they want to redirect on failures instead of
-    # handling the errors on their own. This is useful in case your ajax API
+    # This method allows the user to explicitly disable HTTP authentication
+    # on AJAX requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your AJAX API
     # is the same as your public API and uses a format like JSON (so you
     # cannot mark JSON as a navigational format).
     def http_auth?
@@ -180,7 +176,7 @@ module Devise
       end
     end
 
-    # It does not make sense to send authenticate headers in ajax requests
+    # It doesn't make sense to send authenticate headers in AJAX requests
     # or if the user disabled them.
     def http_auth_header?
       scope_class.http_authenticatable && !request.xhr?
@@ -206,11 +202,11 @@ module Devise
     end
 
     def warden
-      request.respond_to?(:get_header) ? request.get_header("warden") : env["warden"]
+      request.respond_to?(:get_header) ? request.get_header("warden") : request.env["warden"]
     end
 
     def warden_options
-      request.respond_to?(:get_header) ? request.get_header("warden.options") : env["warden.options"]
+      request.respond_to?(:get_header) ? request.get_header("warden.options") : request.env["warden.options"]
     end
 
     def warden_message
@@ -229,10 +225,10 @@ module Devise
       warden_options[:attempted_path]
     end
 
-    # Stores requested uri to redirect the user after signing in. We cannot use
-    # scoped session provided by warden here, since the user is not authenticated
-    # yet, but we still need to store the uri based on scope, so different scopes
-    # would never use the same uri to redirect.
+    # Stores requested URI to redirect the user after signing in. We can't use
+    # the scoped session provided by warden here, since the user is not
+    # authenticated yet, but we still need to store the URI based on scope, so
+    # different scopes would never use the same URI to redirect.
     def store_location!
       store_location_for(scope, attempted_path) if request.get? && !http_auth?
     end
@@ -250,5 +246,17 @@ module Devise
     def request_format
       @request_format ||= request.format.try(:ref)
     end
+
+    def relative_url_root
+      @relative_url_root ||= begin
+        config = Rails.application.config
+
+        config.try(:relative_url_root) || config.action_controller.try(:relative_url_root)
+      end
+    end
+
+    def relative_url_root?
+      relative_url_root.present?
+    end
   end
 end

lib/devise/hooks/lockable.rb

@@ -2,6 +2,9 @@
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
+    unless record.failed_attempts.to_i.zero?
+      record.failed_attempts = 0
+      record.save(validate: false)
+    end
   end
 end

lib/devise/hooks/proxy.rb

@@ -7,7 +7,7 @@ module Devise
       include Devise::Controllers::SignInOut
 
       attr_reader :warden
-      delegate :cookies, :env, to: :warden
+      delegate :cookies, :request, to: :warden
 
       def initialize(warden)
         @warden = warden

lib/devise/mailers/helpers.rb

@@ -5,15 +5,16 @@ module Devise
 
       included do
         include Devise::Controllers::ScopedViews
-        attr_reader :scope_name, :resource
       end
 
       protected
 
+      attr_reader :scope_name, :resource
+
       # Configure default email options
-      def devise_mail(record, action, opts={})
+      def devise_mail(record, action, opts = {}, &block)
         initialize_from_record(record)
-        mail headers_for(action, opts)
+        mail headers_for(action, opts), &block
       end
 
       def initialize_from_record(record)

lib/devise/models.rb

@@ -12,7 +12,7 @@ module Devise
 
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
+    #   Devise::Models.config(Devise::Models::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

lib/devise/models/authenticatable.rb

@@ -114,6 +114,15 @@ module Devise
         super(options)
       end
 
+      # Redefine inspect using serializable_hash, to ensure we don't accidentally
+      # leak passwords into exceptions.
+      def inspect
+        inspection = serializable_hash.collect do |k,v|
+          "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}"
+        end
+        "#<#{self.class} #{inspection.join(", ")}>"
+      end
+
       protected
 
       def devise_mailer

lib/devise/models/confirmable.rb

@@ -26,7 +26,9 @@ module Devise
     #     initial account confirmation) to be applied. Requires additional unconfirmed_email
     #     db field to be set up (t.reconfirmable in migrations). Until confirmed, new email is
     #     stored in unconfirmed email column, and copied to email column on successful
-    #     confirmation.
+    #     confirmation. Also, when used in conjunction with `send_email_changed_notification`,
+    #     the notification is sent to the original email when the change is requested,
+    #     not when the unconfirmed email is confirmed.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
     #     You can use this to force the user to confirm within a set period of time.
     #     Confirmable will not generate a new token if a repeat confirmation is requested
@@ -43,7 +45,7 @@ module Devise
 
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
-        after_create :skip_reconfirmation!, if: :send_confirmation_notification?
+        after_create :skip_reconfirmation_in_callback!, if: :send_confirmation_notification?
         if respond_to?(:after_commit) # ActiveRecord
           after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
           after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
@@ -56,6 +58,7 @@ module Devise
 
       def initialize(*args, &block)
         @bypass_confirmation_postpone = false
+        @skip_reconfirmation_in_callback = false
         @reconfirmation_required = false
         @skip_confirmation_notification = false
         @raw_confirmation_token = nil
@@ -165,6 +168,12 @@ module Devise
 
       protected
 
+        # To not require reconfirmation after creating with #save called in a
+        # callback call skip_create_confirmation!
+        def skip_reconfirmation_in_callback!
+          @skip_reconfirmation_in_callback = true
+        end
+
         # A callback method used to deliver confirmation
         # instructions on creation. This can be overridden
         # in models to map to a nice sign up e-mail.
@@ -216,7 +225,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -253,7 +262,11 @@ module Devise
         end
 
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
+          postpone = self.class.reconfirmable &&
+            email_changed? &&
+            !@bypass_confirmation_postpone &&
+            self.email.present? &&
+            (!@skip_reconfirmation_in_callback || !self.email_was.nil?)
           @bypass_confirmation_postpone = false
           postpone
         end
@@ -266,6 +279,16 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && self.email.present?
         end
 
+        # With reconfirmable, notify the original email when the user first
+        # requests the email change, instead of when the change is confirmed.
+        def send_email_changed_notification?
+          if self.class.reconfirmable
+            self.class.send_email_changed_notification && reconfirmation_required?
+          else
+            super
+          end
+        end
+
         # A callback initiated after successfully confirming. This can be
         # used to insert your own logic that is only run after the user successfully
         # confirms.

lib/devise/models/database_authenticatable.rb

@@ -14,6 +14,10 @@ module Devise
     #
     #   * +stretches+: the cost given to bcrypt.
     #
+    #   * +send_email_changed_notification+: notify original email when it changes.
+    #
+    #   * +send_password_change_notification+: notify email when password changes.
+    #
     # == Examples
     #
     #    User.find(1).valid_password?('password123')         # returns true/false
@@ -22,6 +26,7 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
+        after_update :send_email_changed_notification, if: :send_email_changed_notification?
         after_update :send_password_change_notification, if: :send_password_change_notification?
 
         attr_reader :password, :current_password
@@ -132,6 +137,12 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
+      # Send notification to user when email changes.
+      def send_email_changed_notification
+        send_devise_notification(:email_changed, to: email_was)
+      end
+
+      # Send notification to user when password changes.
       def send_password_change_notification
         send_devise_notification(:password_change)
       end
@@ -147,12 +158,16 @@ module Devise
         Devise::Encryptor.digest(self.class, password)
       end
 
+      def send_email_changed_notification?
+        self.class.send_email_changed_notification && email_changed?
+      end
+
       def send_password_change_notification?
         self.class.send_password_change_notification && encrypted_password_changed?
       end
 
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches, :send_password_change_notification)
+        Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
 
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on

lib/devise/models/recoverable.rb

@@ -27,20 +27,20 @@ module Devise
       end
 
       included do
-        before_update do
-          if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
-            clear_reset_password_token
-          end
-        end
+        before_update :clear_reset_password_token, if: :clear_reset_password_token?
       end
 
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
       def reset_password(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-
-        save
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
+        end
       end
 
       # Resets reset password token and send reset password instructions by email.
@@ -97,6 +97,15 @@ module Devise
           send_devise_notification(:reset_password_instructions, token, {})
         end
 
+        def clear_reset_password_token?
+          encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
+          authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+            respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+          end
+
+          authentication_keys_changed || encrypted_password_changed
+        end
+
       module ClassMethods
         # Attempt to find a user by password reset token. If a user is found, return it
         # If a user is not found, return nil

lib/devise/models/rememberable.rb

@@ -74,7 +74,7 @@ module Devise
         elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
-          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
             "or have a remember_token column in your model or implement your own " \
             "rememberable_value in the model with custom logic."

lib/devise/orm/active_record.rb

@@ -1,3 +1,5 @@
 require 'orm_adapter/adapters/active_record'
 
-ActiveRecord::Base.extend Devise::Models
+ActiveSupport.on_load(:active_record) do
+  extend Devise::Models
+end

lib/devise/orm/mongoid.rb

@@ -1,3 +1,5 @@
-require 'orm_adapter/adapters/mongoid'
+ActiveSupport.on_load(:mongoid) do
+  require 'orm_adapter/adapters/mongoid'
 
-Mongoid::Document::ClassMethods.send :include, Devise::Models
+  Mongoid::Document::ClassMethods.send :include, Devise::Models
+end

lib/devise/rails/routes.rb

@@ -338,7 +338,7 @@ module ActionDispatch::Routing
 
     # Sets the devise scope to be used in the controller. If you have custom routes,
     # you are required to call this method (also aliased as :as) in order to specify
-    # to which controller it is targetted.
+    # to which controller it is targeted.
     #
     #   as :user do
     #     get "sign_in", to: "devise/sessions#new"

lib/devise/test/controller_helpers.rb

@@ -65,7 +65,7 @@ module Devise
           scope = resource
           resource = deprecated
 
-          ActiveSupport::Deprecation.warn <<-DEPRECATION
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
             [Devise] sign_in(:#{scope}, resource) on controller tests is deprecated and will be removed from Devise.
             Please use sign_in(resource, scope: :#{scope}) instead.
           DEPRECATION
@@ -121,7 +121,7 @@ module Devise
 
       def _process_unauthenticated(env, options = {})
         options[:action] ||= :unauthenticated
-        proxy = env['warden']
+        proxy = request.env['warden']
         result = options[:result] || proxy.result
 
         ret = case result
@@ -131,15 +131,14 @@ module Devise
         when :custom
           proxy.custom_response
         else
-          env["PATH_INFO"] = "/#{options[:action]}"
-          env["warden.options"] = options
+          request.env["PATH_INFO"] = "/#{options[:action]}"
+          request.env["warden.options"] = options
           Warden::Manager._run_callbacks(:before_failure, env, options)
 
           status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
           @controller.response.headers.merge!(headers)
-          r_opts = { status: status, content_type: headers["Content-Type"], location: headers["Location"] }
-          r_opts[Rails.version.start_with?('5') ? :body : :text] = response.body
-          @controller.send :render, r_opts
+          @controller.status = status
+          @controller.response.body = response.body
           nil # causes process return @response
         end
 
@@ -148,12 +147,12 @@ module Devise
         # testing time, we want the response to be available to the testing
         # framework to verify what would be returned to rack.
         if ret.is_a?(Array)
+          status, headers, body = *ret
           # ensure the controller response is set to our response.
           @controller.response ||= @response
-          @response.status = ret.first
-          @response.headers.clear
-          ret.second.each { |k,v| @response[k] = v }
-          @response.body = ret.third
+          @response.status = status
+          @response.headers.merge!(headers)
+          @response.body = body
         end
 
         ret

lib/devise/test_helpers.rb

@@ -2,7 +2,7 @@ module Devise
   module TestHelpers
     def self.included(base)
       base.class_eval do
-        ActiveSupport::Deprecation.warn <<-DEPRECATION
+        ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
           [Devise] including `Devise::TestHelpers` is deprecated and will be removed from Devise.
           For controller tests, please include `Devise::Test::ControllerHelpers` instead.
         DEPRECATION

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.1.0".freeze
+  VERSION = "4.2.1".freeze
 end

lib/generators/templates/controllers/registrations_controller.rb

@@ -1,6 +1,6 @@
 class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsController
-# before_action :configure_sign_up_params, only: [:create]
-# before_action :configure_account_update_params, only: [:update]
+  # before_action :configure_sign_up_params, only: [:create]
+  # before_action :configure_account_update_params, only: [:update]
 
   # GET /resource/sign_up
   # def new

lib/generators/templates/controllers/sessions_controller.rb

@@ -1,5 +1,5 @@
 class <%= @scope_prefix %>SessionsController < Devise::SessionsController
-# before_action :configure_sign_in_params, only: [:create]
+  # before_action :configure_sign_in_params, only: [:create]
 
   # GET /resource/sign_in
   # def new

lib/generators/templates/devise.rb

@@ -110,7 +110,10 @@ Devise.setup do |config|
   # Set up a pepper to generate the hashed password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'
 
-  # Send a notification email when the user's password is changed
+  # Send a notification to the original email when the user's email is changed.
+  # config.send_email_changed_notification = false
+
+  # Send a notification email when the user's password is changed.
   # config.send_password_change_notification = false
 
   # ==> Configuration for :confirmable

lib/generators/templates/markerb/email_changed.markerb

@@ -0,0 +1,7 @@
+Hello <%= @email %>!
+
+<% if @resource.try(:unconfirmed_email?) %>
+We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.
+<% else %>
+We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
+<% end %>

lib/generators/templates/markerb/password_change.markerb

@@ -1,3 +1,3 @@
-<p>Hello <%= @resource.email %>!</p>
+Hello <%= @resource.email %>!
 
-<p>We're contacting you to notify you that your password has been changed.</p>
+We're contacting you to notify you that your password has been changed.

test/controllers/helpers_test.rb

@@ -164,8 +164,8 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     @controller.instance_variable_set(:@current_user, user)
     @controller.instance_variable_set(:@current_admin, user)
     @controller.sign_out
-    assert_equal nil, @controller.instance_variable_get(:@current_user)
-    assert_equal nil, @controller.instance_variable_get(:@current_admin)
+    assert_nil @controller.instance_variable_get(:@current_user)
+    assert_nil @controller.instance_variable_get(:@current_admin)
   end
 
   test 'sign out logs out and clears up any signed in user by scope' do
@@ -175,7 +175,7 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     @mock_warden.expects(:clear_strategies_cache!).with(scope: :user).returns(true)
     @controller.instance_variable_set(:@current_user, user)
     @controller.sign_out(:user)
-    assert_equal nil, @controller.instance_variable_get(:@current_user)
+    assert_nil @controller.instance_variable_get(:@current_user)
   end
 
   test 'sign out accepts a resource as argument' do

test/controllers/sessions_controller_test.rb

@@ -94,7 +94,7 @@ class SessionsControllerTest < Devise::ControllerTestCase
       User.class_eval { attr_protected :email }
 
       begin
-        assert_nothing_raised ActiveModel::MassAssignmentSecurity::Error do
+        assert_nothing_raised do
           get :new, user: { email: "allez viens!" }
         end
       ensure

test/devise_test.rb

@@ -67,18 +67,18 @@ class DeviseTest < ActiveSupport::TestCase
   end
 
   test 'add new module using the helper method' do
-    assert_nothing_raised(Exception) { Devise.add_module(:coconut) }
+    Devise.add_module(:coconut)
     assert_equal 1, Devise::ALL.select { |v| v == :coconut }.size
     refute Devise::STRATEGIES.include?(:coconut)
     refute defined?(Devise::Models::Coconut)
     Devise::ALL.delete(:coconut)
 
-    assert_nothing_raised(Exception) { Devise.add_module(:banana, strategy: :fruits) }
+    Devise.add_module(:banana, strategy: :fruits)
     assert_equal :fruits, Devise::STRATEGIES[:banana]
     Devise::ALL.delete(:banana)
     Devise::STRATEGIES.delete(:banana)
 
-    assert_nothing_raised(Exception) { Devise.add_module(:kivi, controller: :fruits) }
+    Devise.add_module(:kivi, controller: :fruits)
     assert_equal :fruits, Devise::CONTROLLERS[:kivi]
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)

test/failure_app_test.rb

@@ -131,6 +131,24 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    if Rails.application.config.action_controller.respond_to?(:relative_url_root)
+      test "returns to the default redirect location considering action_controller's relative url root" do
+        swap Rails.application.config.action_controller, relative_url_root: "/sample" do
+          call_failure
+          assert_equal 302, @response.first
+          assert_equal 'http://test.host/sample/users/sign_in', @response.second['Location']
+        end
+      end
+
+      test "returns to the default redirect location considering action_controller's relative url root and subdomain" do
+        swap Rails.application.config.action_controller, relative_url_root: "/sample" do
+          call_failure('warden.options' => { scope: :subdomain_user })
+          assert_equal 302, @response.first
+          assert_equal 'http://sub.test.host/sample/subdomain_users/sign_in', @response.second['Location']
+        end
+      end
+    end
+
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(message: :invalid))
       assert_equal 'Invalid Email or password.', @request.flash[:alert]

test/integration/authenticatable_test.rb

@@ -245,7 +245,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
     end
   end
 
-  test 'not signed in users should see unautheticated page (unauthenticated accepted)' do
+  test 'not signed in users should see unauthenticated page (unauthenticated accepted)' do
     get join_path
 
     assert_response :success

test/integration/mounted_engine_test.rb

@@ -0,0 +1,36 @@
+require 'test_helper'
+
+class MyMountableEngine
+  def self.call(env)
+    ['200', { 'Content-Type' => 'text/html' }, ['Rendered content of MyMountableEngine']]
+  end
+end
+
+# If disable_clear_and_finalize is set to true, Rails will not clear other routes when calling
+# again the draw method. Look at the source code at:
+# http://www.rubydoc.info/docs/rails/ActionDispatch/Routing/RouteSet:draw
+Rails.application.routes.disable_clear_and_finalize = true
+
+Rails.application.routes.draw do
+  authenticate(:user) do
+    mount MyMountableEngine, at: '/mountable_engine'
+  end
+end
+
+class AuthenticatedMountedEngineTest < Devise::IntegrationTest
+  test 'redirects to the sign in page when not authenticated' do
+    get '/mountable_engine'
+    follow_redirect!
+
+    assert_response :ok
+    assert_contain 'You need to sign in or sign up before continuing.'
+  end
+
+  test 'renders the mounted engine when authenticated' do
+    sign_in_as_user
+    get '/mountable_engine'
+
+    assert_response :success
+    assert_contain 'Rendered content of MyMountableEngine'
+  end
+end

test/mailers/email_changed_test.rb

@@ -0,0 +1,130 @@
+require 'test_helper'
+
+class EmailChangedTest < ActionMailer::TestCase
+  def setup
+    setup_mailer
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'test@example.com'
+    Devise.send_email_changed_notification = true
+  end
+
+  def teardown
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
+    Devise.send_email_changed_notification = false
+  end
+
+  def user
+    @user ||= create_user.tap { |u|
+      @original_user_email = u.email
+      u.update_attributes!(email: 'new-email@example.com')
+    }
+  end
+
+  def mail
+    @mail ||= begin
+      user
+      ActionMailer::Base.deliveries.last
+    end
+  end
+
+  test 'email sent after changing the user email' do
+    assert_not_nil mail
+  end
+
+  test 'content type should be set to html' do
+    assert mail.content_type.include?('text/html')
+  end
+
+  test 'send email changed to the original user email' do
+    mail
+    assert_equal [@original_user_email], mail.to
+  end
+
+  test 'set up sender from configuration' do
+    assert_equal ['test@example.com'], mail.from
+  end
+
+  test 'set up sender from custom mailer defaults' do
+    Devise.mailer = 'Users::Mailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'set up sender from custom mailer defaults with proc' do
+    Devise.mailer = 'Users::FromProcMailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'custom mailer renders parent mailer template' do
+    Devise.mailer = 'Users::Mailer'
+    assert_present mail.body.encoded
+  end
+
+  test 'set up reply to as copy from sender' do
+    assert_equal ['test@example.com'], mail.reply_to
+  end
+
+  test 'set up reply to as different if set in defaults' do
+    Devise.mailer = 'Users::ReplyToMailer'
+    assert_equal ['custom@example.com'], mail.from
+    assert_equal ['custom_reply_to@example.com'], mail.reply_to
+  end
+
+  test 'set up subject from I18n' do
+    store_translations :en, devise: { mailer: { email_changed: { subject: 'Email Has Changed' } } } do
+      assert_equal 'Email Has Changed', mail.subject
+    end
+  end
+
+  test 'subject namespaced by model' do
+    store_translations :en, devise: { mailer: { email_changed: { user_subject: 'User Email Has Changed' } } } do
+      assert_equal 'User Email Has Changed', mail.subject
+    end
+  end
+
+  test 'body should have user info' do
+    body = mail.body.encoded
+    assert_match "Hello #{@original_user_email}", body
+    assert_match "has been changed to #{user.email}", body
+  end
+end
+
+class EmailChangedReconfirmationTest < ActionMailer::TestCase
+  def setup
+    setup_mailer
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'test@example.com'
+    Devise.send_email_changed_notification = true
+  end
+
+  def teardown
+    Devise.mailer = 'Devise::Mailer'
+    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
+    Devise.send_email_changed_notification = false
+  end
+
+  def admin
+    @admin ||= create_admin.tap { |u|
+      @original_admin_email = u.email
+      u.update_attributes!(email: 'new-email@example.com')
+    }
+  end
+
+  def mail
+    @mail ||= begin
+      admin
+      ActionMailer::Base.deliveries[-2]
+    end
+  end
+
+  test 'send email changed to the original user email' do
+    mail
+    assert_equal [@original_admin_email], mail.to
+  end
+
+  test 'body should have unconfirmed user info' do
+    body = mail.body.encoded
+    assert_match admin.email, body
+    assert_match "is being changed to #{admin.unconfirmed_email}", body
+  end
+end

test/mailers/mailer_test.rb

@@ -0,0 +1,18 @@
+require "test_helper"
+
+class MailerTest < ActionMailer::TestCase
+  test "pass given block to #mail call" do
+    class TestMailer < Devise::Mailer
+      def confirmation_instructions(record, token, opts = {})
+        @token = token
+        devise_mail(record, :confirmation_instructions, opts) do |format|
+          format.html(content_transfer_encoding: "7bit")
+        end
+      end
+    end
+
+    mail = TestMailer.confirmation_instructions(create_user, "confirmation-token")
+
+    assert mail.content_transfer_encoding, "7bit"
+  end
+end

test/models/confirmable_test.rb

@@ -508,4 +508,29 @@ class ReconfirmableTest < ActiveSupport::TestCase
     admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
     assert !admin.pending_reconfirmation?
   end
+
+  test 'should require reconfirmation after creating a record and updating the email' do
+    admin = create_admin
+    assert !admin.instance_variable_get(:@bypass_confirmation_postpone)
+    admin.email = "new_test@email.com"
+    admin.save
+    assert admin.pending_reconfirmation?
+  end
+
+  test 'should notify previous email on email change when configured' do
+    swap Devise, send_email_changed_notification: true do
+      admin = create_admin
+      original_email = admin.email
+
+      assert_difference 'ActionMailer::Base.deliveries.size', 2 do
+        assert admin.update_attributes(email: 'new-email@example.com')
+      end
+      assert_equal original_email, ActionMailer::Base.deliveries[-2]['to'].to_s
+      assert_equal 'new-email@example.com', ActionMailer::Base.deliveries[-1]['to'].to_s
+
+      assert_email_not_sent do
+        assert admin.confirm
+      end
+    end
+  end
 end

test/models/database_authenticatable_test.rb

@@ -236,12 +236,24 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should email on password change when configured' do
+  test 'should notify previous email on email change when configured' do
+    swap Devise, send_email_changed_notification: true do
+      user = create_user
+      original_email = user.email
+      assert_email_sent original_email do
+        assert user.update_attributes(email: 'new-email@example.com')
+      end
+      assert_match original_email, ActionMailer::Base.deliveries.last.body.encoded
+    end
+  end
+
+  test 'should notify email on password change when configured' do
     swap Devise, send_password_change_notification: true do
       user = create_user
       assert_email_sent user.email do
         assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
       end
+      assert_match user.email, ActionMailer::Base.deliveries.last.body.encoded
     end
   end
 

test/models/recoverable_test.rb

@@ -184,6 +184,16 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal raw, reset_password_user.reset_password_token
   end
 
+  test 'should return a new record with errors if password is not provided' do
+    user = create_user
+    raw  = user.send_reset_password_instructions
+
+    reset_password_user = User.reset_password_by_token(reset_password_token: raw)
+    refute reset_password_user.errors.empty?
+    assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_equal raw, reset_password_user.reset_password_token
+  end
+
   test 'should reset successfully user password given the new password and confirmation' do
     user = create_user
     old_password = user.password
@@ -245,7 +255,7 @@ class RecoverableTest < ActiveSupport::TestCase
   end
 
   test 'should return nil if a user based on the raw token is not found' do
-    assert_equal User.with_reset_password_token('random-token'), nil
+    assert_nil User.with_reset_password_token('random-token')
   end
 
 end

test/models/rememberable_test.rb

@@ -99,15 +99,28 @@ class RememberableTest < ActiveSupport::TestCase
     assert_nil User.serialize_from_cookie(user.to_key, "123", Time.now.utc)
   end
 
+  test 'raises a RuntimeError if the user does not implements a rememberable value' do
+    user = User.new
+    assert_raise(RuntimeError) { user.rememberable_value }
+
+    user_with_remember_token = User.new
+    def user_with_remember_token.remember_token; '123-token'; end
+    assert_equal '123-token', user_with_remember_token.rememberable_value
+
+    user_with_salt = User.new
+    def user_with_salt.authenticatable_salt; '123-salt'; end
+    assert_equal '123-salt', user_with_salt.rememberable_value
+  end
+
   test 'raises a RuntimeError if authenticatable_salt is nil or empty' do
     user = User.new
-    def user.authenticable_salt; nil; end
+    def user.authenticatable_salt; nil; end
     assert_raise RuntimeError do
       user.rememberable_value
     end
 
     user = User.new
-    def user.authenticable_salt; ""; end
+    def user.authenticatable_salt; ""; end
     assert_raise RuntimeError do
       user.rememberable_value
     end

test/models/serializable_test.rb

@@ -35,6 +35,11 @@ class SerializableTest < ActiveSupport::TestCase
     assert_key "confirmation_token", from_json(force_except: :email)
   end
 
+  test 'should not include unsafe keys in inspect' do
+    assert_match(/email/, @user.inspect)
+    assert_no_match(/confirmation_token/, @user.inspect)
+  end
+
   def assert_key(key, subject)
     assert subject.key?(key), "Expected #{subject.inspect} to have key #{key.inspect}"
   end

test/models_test.rb

@@ -112,7 +112,7 @@ class CheckFieldsTest < ActiveSupport::TestCase
       attr_accessor :encrypted_password, :email
     end
 
-    assert_nothing_raised Devise::Models::MissingAttribute do
+    assert_nothing_raised do
       Devise::Models.check_fields!(Player)
     end
   end

test/omniauth/config_test.rb

@@ -25,19 +25,21 @@ class OmniAuthConfigTest < ActiveSupport::TestCase
     assert_equal OmniAuth::Strategies::Facebook, config.strategy_class
   end
 
-  test "finds the strategy in OmniAuth's list by name" do
-    NamedTestStrategy = Class.new
-    NamedTestStrategy.send :include, OmniAuth::Strategy
-    NamedTestStrategy.option :name, :the_one
+  class NamedTestStrategy
+    include OmniAuth::Strategy
+    option :name, :the_one
+  end
 
+  test "finds the strategy in OmniAuth's list by name" do
     config = Devise::OmniAuth::Config.new :the_one, [{}]
     assert_equal NamedTestStrategy, config.strategy_class
   end
 
-  test "finds the strategy in OmniAuth's list by class name" do
-    UnNamedTestStrategy = Class.new
-    UnNamedTestStrategy.send :include, OmniAuth::Strategy
+  class UnNamedTestStrategy
+    include OmniAuth::Strategy
+  end
 
+  test "finds the strategy in OmniAuth's list by class name" do
     config = Devise::OmniAuth::Config.new :un_named_test_strategy, [{}]
     assert_equal UnNamedTestStrategy, config.strategy_class
   end

test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -1,6 +1,6 @@
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def facebook
-    data = request.respond_to?(:get_header) ? request.get_header("omniauth.auth") : env["omniauth.auth"]
+    data = request.respond_to?(:get_header) ? request.get_header("omniauth.auth") : request.env["omniauth.auth"]
     session["devise.facebook_data"] = data["extra"]["user_hash"]
     render json: data
   end

test/rails_app/config/environments/production.rb

@@ -20,7 +20,9 @@ RailsApp::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  if Rails.version >= "4.2.0"
+  if Rails.version >= "5.0.0"
+    config.public_file_server.enabled = false
+  elsif Rails.version >= "4.2.0"
     config.serve_static_files = false
   else
     config.serve_static_assets = false

test/rails_app/config/environments/test.rb

@@ -14,15 +14,14 @@ RailsApp::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  if Rails.version >= "4.2.0"
+  if Rails.version >= "5.0.0"
+    config.public_file_server.enabled = true
+    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
+  elsif Rails.version >= "4.2.0"
     config.serve_static_files = true
+    config.static_cache_control = "public, max-age=3600"
   else
     config.serve_static_assets = true
-  end
-
-  if Rails.version >= "5.0.0"
-    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
-  else
     config.static_cache_control = "public, max-age=3600"
   end
 

test/rails_app/db/migrate/20100401102949_create_tables.rb

@@ -1,4 +1,8 @@
-class CreateTables < ActiveRecord::Migration
+superclass = ActiveRecord::Migration
+# TODO: Inherit from the 5.0 Migration class directly when we drop support for Rails 4.
+superclass = ActiveRecord::Migration[5.0] if superclass.respond_to?(:[])
+
+class CreateTables < superclass
   def self.up
     create_table :users do |t|
       t.string :username