Add changelog entry for rack error status

Rack has deprecated `:unprocessable_entity` in favor of
`:unprocessable_content`, but the former has been used extensively
for years. Rails is now transparently converting that under the hood to
avoid the warnings, but our failure app wasn't going through the same
handling since it's more low level and responds to Rack directly. This
introduces the Rails translation handling if available on newer
versions, falling back to the Rack conversion which might emit the
warning if using `:unprocessable_entity` on Rack 3.1+

To fully fix it, people can configure their `error_status` to
`:unprocessable_content` on newer versions of Rack. The default for new
Devise apps will also change.

https://github.com/rack/rack/pull/2137

.github/workflows/test.yml

@@ -9,47 +9,53 @@ jobs:
           - Gemfile
           - gemfiles/Gemfile-rails-main
           - gemfiles/Gemfile-rails-7-0
-          - gemfiles/Gemfile-rails-6-1
-          - gemfiles/Gemfile-rails-6-0
+          - gemfiles/Gemfile-rails-7-1
+          - gemfiles/Gemfile-rails-7-2
+          - gemfiles/Gemfile-rails-8-0
         ruby:
+          - '4.0'
+          - '3.4'
           - '3.3'
           - '3.2'
           - '3.1'
           - '3.0'
           - '2.7'
-        env:
-          - DEVISE_ORM=active_record
-          - DEVISE_ORM=mongoid
+        orm:
+          - active_record
+          - mongoid
         exclude:
-          - gemfile: gemfiles/Gemfile-rails-main
-            ruby: '2.7' # Rails > 7.1 supports Ruby >= 3.1
-          - gemfile: gemfiles/Gemfile-rails-main
-            ruby: '3.0' # Rails > 7.1 supports Ruby >= 3.1
-          - gemfile: gemfiles/Gemfile-rails-main
-            ruby: '3.1' # Rails >= 8.0 supports Ruby >= 3.2
           - gemfile: Gemfile
-            env: DEVISE_ORM=mongoid
-          - gemfile: gemfiles/Gemfile-rails-main
-            env: DEVISE_ORM=mongoid
-          - gemfile: gemfiles/Gemfile-rails-7-0
-            env: DEVISE_ORM=mongoid
-          - gemfile: gemfiles/Gemfile-rails-6-1
-            env: DEVISE_ORM=mongoid
-          - gemfile: gemfiles/Gemfile-rails-6-0
-            ruby: '3.2'
-          - gemfile: gemfiles/Gemfile-rails-6-0
             ruby: '3.1'
-          - gemfile: gemfiles/Gemfile-rails-6-0
-            env: DEVISE_ORM=mongoid
+          - gemfile: Gemfile
+            ruby: '3.0'
+          - gemfile: Gemfile
+            ruby: '2.7'
+          - gemfile: gemfiles/Gemfile-rails-main
+            ruby: '3.1'
+          - gemfile: gemfiles/Gemfile-rails-main
+            ruby: '3.0'
+          - gemfile: gemfiles/Gemfile-rails-main
+            ruby: '2.7'
+          - gemfile: gemfiles/Gemfile-rails-8-0
+            ruby: '3.1'
+          - gemfile: gemfiles/Gemfile-rails-8-0
+            ruby: '3.0'
+          - gemfile: gemfiles/Gemfile-rails-8-0
+            ruby: '2.7'
+          - gemfile: gemfiles/Gemfile-rails-7-2
+            ruby: '3.0'
+          - gemfile: gemfiles/Gemfile-rails-7-2
+            ruby: '2.7'
     runs-on: ubuntu-latest
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
       BUNDLE_GEMFILE: ${{ matrix.gemfile }}
+      DEVISE_ORM: ${{ matrix.orm }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true # runs bundle install and caches installed gems automatically
-      - uses: supercharge/mongodb-github-action@1.9.0
-        if: ${{ matrix.env == 'DEVISE_ORM=mongoid' }}
+      - uses: supercharge/mongodb-github-action@1.12.1
+        if: ${{ matrix.orm == 'mongoid' }}
       - run: bundle exec rake

CHANGELOG.md

@@ -2,7 +2,12 @@
 
 * breaking changes
   * Drop support to Ruby < 2.7
-  * Drop support to Rails < 6.0
+  * Drop support to Rails < 7.0
+  * Remove deprecated `:bypass` option from `sign_in` helper, use `bypass_sign_in` instead. [#5803](https://github.com/heartcombo/devise/pull/5803)
+  * Remove deprecated `devise_error_messages!` helper, use `render "devise/shared/error_messages", resource: resource` instead. [#5803](https://github.com/heartcombo/devise/pull/5803)
+  * Remove deprecated `scope` second argument from `sign_in(resource, :admin)` controller test helper, use `sign_in(resource, scope: :admin)` instead. [#5803](https://github.com/heartcombo/devise/pull/5803)
+  * Remove deprecated `Devise::TestHelpers`, use `Devise::Test::ControllerHelpers` instead. [#5803](https://github.com/heartcombo/devise/pull/5803)
+  * Remove deprecated `Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION` [#5598](https://github.com/heartcombo/devise/pull/5598)
   * Remove `SecretKeyFinder` and use `app.secret_key_base` as the default secret key for `Devise.secret_key` if a custom `Devise.secret_key` is not provided.
 
     This is potentially a breaking change because Devise previously used the following order to find a secret key:
@@ -12,12 +17,21 @@
     ```
 
     Now, it always uses `application.secret_key_base`. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for `recoverable`, `lockable`, and `confirmable` will be invalid.
-    https://github.com/heartcombo/devise/pull/5645
+    [#5645](https://github.com/heartcombo/devise/pull/5645)
+  * Change password instructions button label on devise view from `Send me reset password instructions` to `Send me password reset instructions` [#5515](https://github.com/heartcombo/devise/pull/5515)
+  * Change `<br>` tags separating form elements to wrapping them in `<p>` tags [#5494](https://github.com/heartcombo/devise/pull/5494)
+  * Replace `[data-turbo-cache=false]` with `[data-turbo-temporary]` on `devise/shared/error_messages` partial. This has been [deprecated by Turbo since v7.3.0 (released on Mar 1, 2023)](https://github.com/hotwired/turbo/releases/tag/v7.3.0).
+
+    If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to `[data-turbo-cache=false]`.
 
 * enhancements
-  * Removed deprecations warning output for `Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION` (@soartec-lab)
   * Add Rails 8 support.
-    - Routes are lazy-loaded by default in test and development environments now so Devise loads them before `Devise.mappings` call.
+    - Routes are lazy-loaded by default in test and development environments now so Devise loads them before `Devise.mappings` call. [#5728](https://github.com/heartcombo/devise/pull/5728)
+  * New apps using Rack 3.1+ will be generated using `config.responder.error_status = :unprocessable_content`, since [`:unprocessable_entity` has been deprecated by Rack](https://github.com/rack/rack/pull/2137).
+
+    Latest versions of [Rails transparently convert `:unprocessable_entity` -> `:unprocessable_content`](https://github.com/rails/rails/pull/53383), and Devise will use that in the failure app to avoid Rack deprecation warnings for apps that are configured with `:unprocessable_entity`. They can also simply change their `error_status` to `:unprocessable_content` in latest Rack versions to avoid the warning.
+  * Add Ruby 3.4 and 4.0 support.
+  * Reenable Mongoid test suite across all Rails 7+ versions, to ensure we continue supporting it. Changes to dirty tracking to support Mongoid 8.0+. [#5568](https://github.com/heartcombo/devise/pull/5568)
   * Password length validator is changed from
 
     ```
@@ -30,9 +44,15 @@
     validates_length_of :password, minimum: proc { password_length.min }, maximum: proc { password_length.max }, allow_blank: true
     ```
 
-    so it's possible to override `password_length` at runtime. (@manojmj92)
+    so it's possible to override `password_length` at runtime. [#5734](https://github.com/heartcombo/devise/pull/5734)
+
 * bug fixes
-  * Make `Devise` work without `ActionMailer` when `Zeitwerk` autoloader is used.
+  * Make `Devise` work without `ActionMailer` when `Zeitwerk` autoloader is used. [#5731](https://github.com/heartcombo/devise/pull/5731)
+  * Handle defaults `:from` and `:reply_to` as procs correctly by delegating to Rails [#5595](https://github.com/heartcombo/devise/pull/5595)
+  * Use `OmniAuth.config.allowed_request_methods` as routing verbs for the auth path [#5508](https://github.com/heartcombo/devise/pull/5508)
+  * Handle `on` and `ON` as true values to check params [#5514](https://github.com/heartcombo/devise/pull/5514)
+  * Fix passing `format` option to `devise_for` [#5732](https://github.com/heartcombo/devise/pull/5732)
+
 
 Please check [4-stable](https://github.com/heartcombo/devise/blob/4-stable/CHANGELOG.md)
 for previous changes.

CODE_OF_CONDUCT.md

@@ -17,6 +17,6 @@ Project maintainers have the right and responsibility to remove, edit, or reject
 
 This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [heartcombo@googlegroups.com](heartcombo@googlegroups.com) or contacting one or more of the project maintainers.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [heartcombo.oss@gmail.com](heartcombo.oss@gmail.com) or contacting one or more of the project maintainers.
 
 This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -30,7 +30,7 @@ the project wiki, documentation and source code first, or try to ask your questi
 on [Stack Overflow](http://stackoverflow.com/questions/tagged/devise).
 
 **If you find a security bug, do not report it through GitHub. Please send an
-e-mail to [heartcombo@googlegroups.com](mailto:heartcombo@googlegroups.com)
+e-mail to [heartcombo.oss@gmail.com](mailto:heartcombo.oss@gmail.com)
 instead.**
 
 ## Sending Pull Requests

Gemfile

@@ -4,35 +4,30 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 7.1.0"
 gem "omniauth"
 gem "omniauth-oauth2"
+gem "rails", "~> 8.1.0"
 gem "rdoc"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.1"
 
 group :test do
+  gem "minitest", "< 6"
+  gem "mocha", "~> 2.1", require: false
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"
   gem "timecop"
-  gem "webrat", "0.7.3", require: false
-  gem "mocha", "~> 2.1", require: false
+  gem "webrat"
+  gem "ostruct"
 end
 
 platforms :ruby do
-  gem "sqlite3", "~> 1.4"
+  gem "sqlite3"
 end
 
-# platforms :jruby do
-#   gem "activerecord-jdbc-adapter"
-#   gem "activerecord-jdbcsqlite3-adapter"
-#   gem "jruby-openssl"
-# end
-
-# TODO:
-# group :mongoid do
-#   gem "mongoid", "~> 4.0.0"
-# end
+group :mongoid do
+  gem "mongoid", "~> 9.0", github: "mongodb/mongoid", branch: "9.0-stable"
+end

Gemfile.lock

@@ -1,11 +1,12 @@
 GIT
-  remote: https://github.com/rails/rails-controller-testing.git
-  revision: c203673f8011a7cdc2a8edf995ae6b3eec3417ca
+  remote: https://github.com/mongodb/mongoid.git
+  revision: 4dcdaddea5d88a819c7c0d98ea0e994e13f515fe
+  branch: 9.0-stable
   specs:
-    rails-controller-testing (1.0.5)
-      actionpack (>= 5.0.1.rc1)
-      actionview (>= 5.0.1.rc1)
-      activesupport (>= 5.0.1.rc1)
+    mongoid (9.0.9)
+      activemodel (>= 5.1, < 8.2, != 7.0.0)
+      concurrent-ruby (>= 1.0.5, < 2.0)
+      mongo (>= 2.18.0, < 3.0.0)
 
 PATH
   remote: .
@@ -20,252 +21,292 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.0)
-      actionpack (= 7.1.0)
-      activesupport (= 7.1.0)
+    action_text-trix (2.1.15)
+      railties
+    actioncable (8.1.1)
+      actionpack (= 8.1.1)
+      activesupport (= 8.1.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.0)
-      actionpack (= 7.1.0)
-      activejob (= 7.1.0)
-      activerecord (= 7.1.0)
-      activestorage (= 7.1.0)
-      activesupport (= 7.1.0)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.1.0)
-      actionpack (= 7.1.0)
-      actionview (= 7.1.0)
-      activejob (= 7.1.0)
-      activesupport (= 7.1.0)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
+    actionmailbox (8.1.1)
+      actionpack (= 8.1.1)
+      activejob (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
+      mail (>= 2.8.0)
+    actionmailer (8.1.1)
+      actionpack (= 8.1.1)
+      actionview (= 8.1.1)
+      activejob (= 8.1.1)
+      activesupport (= 8.1.1)
+      mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.0)
-      actionview (= 7.1.0)
-      activesupport (= 7.1.0)
+    actionpack (8.1.1)
+      actionview (= 8.1.1)
+      activesupport (= 8.1.1)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.0)
-      actionpack (= 7.1.0)
-      activerecord (= 7.1.0)
-      activestorage (= 7.1.0)
-      activesupport (= 7.1.0)
+      useragent (~> 0.16)
+    actiontext (8.1.1)
+      action_text-trix (~> 2.1.15)
+      actionpack (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.0)
-      activesupport (= 7.1.0)
+    actionview (8.1.1)
+      activesupport (= 8.1.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.0)
-      activesupport (= 7.1.0)
+    activejob (8.1.1)
+      activesupport (= 8.1.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.0)
-      activesupport (= 7.1.0)
-    activerecord (7.1.0)
-      activemodel (= 7.1.0)
-      activesupport (= 7.1.0)
+    activemodel (8.1.1)
+      activesupport (= 8.1.1)
+    activerecord (8.1.1)
+      activemodel (= 8.1.1)
+      activesupport (= 8.1.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.0)
-      actionpack (= 7.1.0)
-      activejob (= 7.1.0)
-      activerecord (= 7.1.0)
-      activesupport (= 7.1.0)
+    activestorage (8.1.1)
+      actionpack (= 8.1.1)
+      activejob (= 8.1.1)
+      activerecord (= 8.1.1)
+      activesupport (= 8.1.1)
       marcel (~> 1.0)
-    activesupport (7.1.0)
+    activesupport (8.1.1)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
-    base64 (0.1.1)
-    bcrypt (3.1.19)
-    bigdecimal (3.1.4)
-    builder (3.2.4)
-    concurrent-ruby (1.2.2)
-    connection_pool (2.4.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    base64 (0.3.0)
+    bcrypt (3.1.20)
+    bigdecimal (4.0.1)
+    bson (5.2.0)
+    builder (3.3.0)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
     crass (1.0.6)
-    date (3.3.3)
-    drb (2.1.1)
-      ruby2_keywords
-    erubi (1.12.0)
-    faraday (2.7.11)
-      base64
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
-    globalid (1.2.1)
+    date (3.5.1)
+    drb (2.2.3)
+    erb (6.0.1)
+    erubi (1.13.1)
+    faraday (2.14.0)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
+    globalid (1.3.0)
       activesupport (>= 6.1)
-    hashie (5.0.0)
-    i18n (1.14.1)
+    hashie (5.1.0)
+      logger
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    io-console (0.6.0)
-    irb (1.8.1)
-      rdoc
-      reline (>= 0.3.8)
-    jwt (2.7.1)
-    loofah (2.21.3)
+    io-console (0.8.2)
+    irb (1.16.0)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.18.0)
+    jwt (3.1.2)
+      base64
+    logger (1.7.0)
+    loofah (2.25.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    mail (2.8.1)
+    mail (2.9.0)
+      logger
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
       net-smtp
-    marcel (1.0.2)
+    marcel (1.1.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.4)
-    minitest (5.20.0)
-    mocha (2.1.0)
+    mini_portile2 (2.8.9)
+    minitest (5.27.0)
+    mocha (2.8.2)
       ruby2_keywords (>= 0.0.5)
-    multi_xml (0.6.0)
-    mutex_m (0.1.2)
-    net-imap (0.4.1)
+    mongo (2.22.0)
+      base64
+      bson (>= 4.14.1, < 6.0.0)
+    multi_xml (0.8.0)
+      bigdecimal (>= 3.1, < 5)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    net-imap (0.6.2)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0)
+    net-smtp (0.5.1)
       net-protocol
-    nio4r (2.5.9)
-    nokogiri (1.15.4)
+    nio4r (2.7.5)
+    nokogiri (1.19.0)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (2.0.18)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
-    omniauth (2.1.1)
+      snaky_hash (~> 2.0, >= 2.0.3)
+      version_gem (~> 1.1, >= 1.1.9)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
+      logger
       rack (>= 2.2.3)
       rack-protection
-    omniauth-facebook (9.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
+    omniauth-facebook (10.0.0)
+      bigdecimal
+      omniauth-oauth2 (>= 1.2, < 3)
+    omniauth-oauth2 (1.9.0)
+      oauth2 (>= 2.0.2, < 3)
       omniauth (~> 2.0)
-    omniauth-openid (2.0.1)
-      omniauth (>= 1.0, < 3.0)
-      rack-openid (~> 1.4.0)
+    omniauth-openid (2.0.2)
+      omniauth (>= 1.1)
+      rack-openid (~> 1.4)
+      ruby-openid (~> 2.1, >= 2.1.8)
+      version_gem (~> 1.1, >= 1.1.8)
     orm_adapter (0.5.0)
-    psych (5.1.0)
+    ostruct (0.6.3)
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
+    psych (5.3.1)
+      date
       stringio
-    racc (1.7.1)
-    rack (2.2.8)
+    racc (1.8.1)
+    rack (3.2.4)
     rack-openid (1.4.2)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-protection (3.1.0)
-      rack (~> 2.2, >= 2.2.4)
-    rack-session (1.0.1)
-      rack (< 3)
-    rack-test (2.1.0)
+    rack-protection (4.2.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rackup (1.0.0)
-      rack (< 3)
-      webrick
-    rails (7.1.0)
-      actioncable (= 7.1.0)
-      actionmailbox (= 7.1.0)
-      actionmailer (= 7.1.0)
-      actionpack (= 7.1.0)
-      actiontext (= 7.1.0)
-      actionview (= 7.1.0)
-      activejob (= 7.1.0)
-      activemodel (= 7.1.0)
-      activerecord (= 7.1.0)
-      activestorage (= 7.1.0)
-      activesupport (= 7.1.0)
+    rackup (2.3.1)
+      rack (>= 3)
+    rails (8.1.1)
+      actioncable (= 8.1.1)
+      actionmailbox (= 8.1.1)
+      actionmailer (= 8.1.1)
+      actionpack (= 8.1.1)
+      actiontext (= 8.1.1)
+      actionview (= 8.1.1)
+      activejob (= 8.1.1)
+      activemodel (= 8.1.1)
+      activerecord (= 8.1.1)
+      activestorage (= 8.1.1)
+      activesupport (= 8.1.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.0)
-    rails-dom-testing (2.2.0)
+      railties (= 8.1.1)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
+    rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    railties (7.1.0)
-      actionpack (= 7.1.0)
-      activesupport (= 7.1.0)
-      irb
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (8.1.1)
+      actionpack (= 8.1.1)
+      activesupport (= 8.1.1)
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
+      tsort (>= 0.2)
       zeitwerk (~> 2.6)
-    rake (13.0.6)
-    rdoc (6.5.0)
+    rake (13.3.1)
+    rdoc (7.0.3)
+      erb
       psych (>= 4.0.0)
-    reline (0.3.9)
+      tsort
+    reline (0.6.3)
       io-console (~> 0.5)
-    responders (3.1.0)
-      actionpack (>= 5.2)
-      railties (>= 5.2)
-    rexml (3.2.6)
+    responders (3.2.0)
+      actionpack (>= 7.0)
+      railties (>= 7.0)
+    rexml (3.4.4)
     ruby-openid (2.9.2)
     ruby2_keywords (0.0.5)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
-    sqlite3 (1.6.6)
+    securerandom (0.4.1)
+    snaky_hash (2.0.3)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
+    sqlite3 (2.9.0)
       mini_portile2 (~> 2.8.0)
-    stringio (3.0.8)
-    thor (1.2.2)
-    timecop (0.9.8)
-    timeout (0.4.0)
+    stringio (3.2.0)
+    thor (1.4.0)
+    timecop (0.9.10)
+    timeout (0.6.0)
+    tsort (0.2.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    version_gem (1.1.3)
+    uri (1.1.1)
+    useragent (0.16.11)
+    version_gem (1.1.9)
     warden (1.2.9)
       rack (>= 2.0.9)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    webrick (1.8.1)
-    websocket-driver (0.7.6)
+    websocket-driver (0.8.0)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
-    zeitwerk (2.6.12)
+    zeitwerk (2.7.4)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   devise!
+  minitest (< 6)
   mocha (~> 2.1)
+  mongoid (~> 9.0)!
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (~> 7.1.0)
-  rails-controller-testing!
+  ostruct
+  rails (~> 8.1.0)
+  rails-controller-testing
   rdoc
   responders (~> 3.1)
   rexml
-  sqlite3 (~> 1.4)
+  sqlite3
   timecop
-  webrat (= 0.7.3)
+  webrat
 
 BUNDLED WITH
-   2.4.5
+   4.0.3

ISSUE_TEMPLATE.md

@@ -2,7 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
-- If you found a security bug, do not report it through GitHub. Please send an e-mail to heartcombo@googlegroups.com instead.
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to heartcombo.oss@gmail.com instead.
 - Finally, be nice and have fun!
 
 ## Environment

MIT-LICENSE

@@ -1,5 +1,5 @@
-Copyright 2020-2024 Rafael França, Leonardo Tegon, Carlos Antônio da Silva.
-Copyright 2009-2019 Plataformatec.
+Copyright (c) 2020-2025 Rafael França, Carlos Antonio da Silva
+Copyright (c) 2009-2019 Plataformatec
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -9,16 +9,16 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 It's composed of 10 modules:
 
-* [Database Authenticatable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
-* [Confirmable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
-* [Recoverable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Recoverable): resets the user password and sends reset instructions.
-* [Registerable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
-* [Rememberable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
-* [Trackable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
-* [Timeoutable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
-* [Validatable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
-* [Lockable](http://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
+* [Database Authenticatable](https://www.rubydoc.info/gems/devise/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
+* [Omniauthable](https://www.rubydoc.info/gems/devise/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
+* [Confirmable](https://www.rubydoc.info/gems/devise/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
+* [Recoverable](https://www.rubydoc.info/gems/devise/Devise/Models/Recoverable): resets the user password and sends reset instructions.
+* [Registerable](https://www.rubydoc.info/gems/devise/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
+* [Rememberable](https://www.rubydoc.info/gems/devise/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
+* [Trackable](https://www.rubydoc.info/gems/devise/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
+* [Timeoutable](https://www.rubydoc.info/gems/devise/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
+* [Validatable](https://www.rubydoc.info/gems/devise/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
+* [Lockable](https://www.rubydoc.info/gems/devise/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
 
 ## Table of Contents
 
@@ -31,6 +31,7 @@ It's composed of 10 modules:
 	- [RDocs](#rdocs)
 	- [Example applications](#example-applications)
 	- [Extensions](#extensions)
+	- [Supported Ruby / Rails versions](#supported-ruby--rails-versions)
 	- [Contributing](#contributing)
 - [Starting with Rails?](#starting-with-rails)
 - [Getting started](#getting-started)
@@ -52,7 +53,6 @@ It's composed of 10 modules:
 	- [Rails API mode](#rails-api-mode)
 - [Additional information](#additional-information)
 	- [Warden](#warden)
-	- [Contributors](#contributors)
 - [License](#license)
 
 <!-- /TOC -->
@@ -73,7 +73,7 @@ If you discover a problem with Devise, we would like to know about it. However,
 
 https://github.com/heartcombo/devise/wiki/Bug-reports
 
-If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to heartcombo@googlegroups.com.
+If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to heartcombo.oss@gmail.com.
 
 ### StackOverflow and Mailing List
 
@@ -81,9 +81,10 @@ If you have any questions, comments, or concerns, please use StackOverflow inste
 
 http://stackoverflow.com/questions/tagged/devise
 
-The deprecated mailing list can still be read on
+The deprecated mailing lists can still be read on:
 
 https://groups.google.com/group/plataformatec-devise
+https://groups.google.com/group/heartcombo
 
 ### RDocs
 
@@ -105,6 +106,13 @@ Our community has created a number of extensions that add functionality above an
 
 https://github.com/heartcombo/devise/wiki/Extensions
 
+### Supported Ruby / Rails versions
+
+We intend to maintain support for all Ruby / Rails versions that haven't reached end-of-life.
+
+For more information about specific versions please check [Ruby](https://www.ruby-lang.org/en/downloads/branches/)
+and [Rails](https://guides.rubyonrails.org/maintenance_policy.html) maintenance policies, and our test matrix.
+
 ### Contributing
 
 We hope that you will consider contributing to Devise. Please read this short overview for some information about how to get started:
@@ -114,7 +122,7 @@ https://github.com/heartcombo/devise/wiki/Contributing
 You will usually want to write tests for your changes.  To run the test suite, go into Devise's top-level directory and run `bundle install` and `bin/test`.
 Devise works with multiple Ruby and Rails versions, and ActiveRecord and Mongoid ORMs, which means you can run the test suite with some modifiers: `DEVISE_ORM` and `BUNDLE_GEMFILE`.
 
-### DEVISE_ORM
+#### DEVISE_ORM
 Since Devise supports both Mongoid and ActiveRecord, we rely on this variable to run specific code for each ORM.
 The default value of `DEVISE_ORM` is `active_record`. To run the tests for Mongoid, you can pass `mongoid`:
 ```
@@ -126,7 +134,7 @@ When running the tests for Mongoid, you will need to have a MongoDB server (vers
 
 Please note that the command output will show the variable value being used.
 
-### BUNDLE_GEMFILE
+#### BUNDLE_GEMFILE
 We can use this variable to tell bundler what Gemfile it should use (instead of the one in the current directory).
 Inside the [gemfiles](https://github.com/heartcombo/devise/tree/main/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
 For example, if the tests broke using Ruby 3.0.0 and Rails 6.0, you can do the following:
@@ -155,9 +163,10 @@ bin/test
 bin/test test/models/trackable_test.rb
 ```
 
-* Running a specific test given a regex:
+* Running a specific test given a line number or a regex:
 ```bash
 bin/test test/models/trackable_test.rb:16
+bin/test test/models/trackable_test.rb -n '/update.*record/'
 ```
 
 ## Starting with Rails?
@@ -454,7 +463,7 @@ Devise also ships with default routes. If you need to customize them, you should
 devise_for :users, path: 'auth', path_names: { sign_in: 'login', sign_out: 'logout', password: 'secret', confirmation: 'verification', unlock: 'unblock', registration: 'register', sign_up: 'cmon_let_me_in' }
 ```
 
-Be sure to check `devise_for` [documentation](http://www.rubydoc.info/github/heartcombo/devise/main/ActionDispatch/Routing/Mapper%3Adevise_for) for details.
+Be sure to check `devise_for` [documentation](https://www.rubydoc.info/gems/devise/ActionDispatch/Routing/Mapper#devise_for-instance_method) for details.
 
 If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is create your routes normally and wrap them in a `devise_scope` block in the router:
 
@@ -484,7 +493,8 @@ Devise.setup do |config|
   # apps is `200 OK` and `302 Found` respectively, but new apps are generated with
   # these new defaults that match Hotwire/Turbo behavior.
   # Note: These might become the new default in future versions of Devise.
-  config.responder.error_status = :unprocessable_entity
+  config.responder.error_status = :unprocessable_content # for Rack 3.1 or higher
+  # config.responder.error_status = :unprocessable_entity # for Rack 3.0 or lower
   config.responder.redirect_status = :see_other
 end
 ```
@@ -705,7 +715,7 @@ end
 
 ### Password reset tokens and Rails logs
 
-If you enable the [Recoverable](http://rubydoc.info/github/heartcombo/devise/main/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
+If you enable the [Recoverable](https://www.rubydoc.info/gems/devise/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
 
 1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked.
 2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked.
@@ -757,14 +767,10 @@ Devise is based on Warden, which is a general Rack authentication framework crea
 
 https://github.com/wardencommunity/warden
 
-### Contributors
-
-We have a long list of valued contributors. Check them all at:
-
-https://github.com/heartcombo/devise/graphs/contributors
-
 ## License
 
-MIT License. Copyright 2020-2024 Rafael França, Leonardo Tegon, Carlos Antônio da Silva. Copyright 2009-2019 Plataformatec.
+MIT License.
+Copyright 2020-2025 Rafael França, Carlos Antonio da Silva.
+Copyright 2009-2019 Plataformatec.
 
 The Devise logo is licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License](https://creativecommons.org/licenses/by-nc-nd/4.0/).

app/controllers/devise/confirmations_controller.rb

@@ -27,7 +27,7 @@ class Devise::ConfirmationsController < DeviseController
       set_flash_message!(:notice, :confirmed)
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
-      # TODO: use `error_status` when the default changes to `:unprocessable_entity`.
+      # TODO: use `error_status` when the default changes to `:unprocessable_entity` / `:unprocessable_content`.
       respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
     end
   end

app/controllers/devise/unlocks_controller.rb

@@ -29,7 +29,7 @@ class Devise::UnlocksController < DeviseController
       set_flash_message! :notice, :unlocked
       respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) }
     else
-      # TODO: use `error_status` when the default changes to `:unprocessable_entity`.
+      # TODO: use `error_status` when the default changes to `:unprocessable_entity` / `:unprocessable_content`.
       respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new }
     end
   end

app/helpers/devise_helper.rb

@@ -1,30 +1,5 @@
 # frozen_string_literal: true
 
+# Keeping the helper around for backward compatibility.
 module DeviseHelper
-  # Retain this method for backwards compatibility, deprecated in favor of modifying the
-  # devise/shared/error_messages partial.
-  def devise_error_messages!
-    Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-      [Devise] `DeviseHelper#devise_error_messages!` is deprecated and will be
-      removed in the next major version.
-
-      Devise now uses a partial under "devise/shared/error_messages" to display
-      error messages by default, and make them easier to customize. Update your
-      views changing calls from:
-
-          <%= devise_error_messages! %>
-
-      to:
-
-          <%= render "devise/shared/error_messages", resource: resource %>
-
-      To start customizing how errors are displayed, you can copy the partial
-      from devise to your `app/views` folder. Alternatively, you can run
-      `rails g devise:views` which will copy all of them again to your app.
-    DEPRECATION
-
-    return "" if resource.errors.empty?
-
-    render "devise/shared/error_messages", resource: resource
-  end
 end

app/views/devise/shared/_error_messages.html.erb

@@ -1,5 +1,5 @@
 <% if resource.errors.any? %>
-  <div id="error_explanation" data-turbo-cache="false">
+  <div id="error_explanation" data-turbo-temporary>
     <h2>
       <%= I18n.t("errors.messages.not_saved",
                  count: resource.errors.count,

devise.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.licenses    = ["MIT"]
   s.summary     = "Flexible authentication solution for Rails with Warden"
-  s.email       = "heartcombo@googlegroups.com"
+  s.email       = "heartcombo.oss@gmail.com"
   s.homepage    = "https://github.com/heartcombo/devise"
   s.description = "Flexible authentication solution for Rails with Warden"
   s.authors     = ['José Valim', 'Carlos Antônio']
@@ -32,11 +32,4 @@ Gem::Specification.new do |s|
   s.add_dependency("bcrypt", "~> 3.0")
   s.add_dependency("railties", ">= 6.0.0")
   s.add_dependency("responders")
-
-  s.post_install_message = %q{
-[DEVISE] Please review the [changelog] and [upgrade guide] for more info on Hotwire / Turbo integration.
-
-  [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
-  [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
-  }
 end

gemfiles/Gemfile-rails-7-0

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 source "https://rubygems.org"
 
 gemspec path: ".."
@@ -9,7 +7,7 @@ gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.1"
 
@@ -20,19 +18,14 @@ group :test do
   gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 2.1", require: false
+  gem "minitest", "< 6"
+  gem "ostruct"
 end
 
 platforms :ruby do
   gem "sqlite3", "~> 1.4"
 end
 
-# platforms :jruby do
-#   gem "activerecord-jdbc-adapter"
-#   gem "activerecord-jdbcsqlite3-adapter"
-#   gem "jruby-openssl"
-# end
-
-# TODO:
-# group :mongoid do
-#   gem "mongoid", "~> 4.0.0"
-# end
+group :mongoid do
+  gem "mongoid", "~> 7.5"
+end

gemfiles/Gemfile-rails-7-1

@@ -2,12 +2,12 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '~> 6.0.0', github: 'rails/rails', branch: '6-0-stable'
+gem "rails", "~> 7.1.0"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.1"
 
@@ -16,10 +16,16 @@ group :test do
   gem "omniauth-openid"
   gem "rexml"
   gem "timecop"
-  gem "webrat", "0.7.3", require: false
+  gem "webrat"
   gem "mocha", "~> 2.1", require: false
+  gem "minitest", "< 6"
+  gem "ostruct"
 end
 
 platforms :ruby do
   gem "sqlite3", "~> 1.4"
 end
+
+group :mongoid do
+  gem "mongoid", "~> 8.1"
+end

gemfiles/Gemfile-rails-7-2

@@ -2,30 +2,31 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '~> 6.1.0'
+gem "rails", "~> 7.1.0"
+
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.1"
 
-if RUBY_VERSION >= "3.1"
-  gem "net-smtp", require: false
-  gem "net-imap", require: false
-  gem "net-pop", require: false
-end
-
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"
   gem "timecop"
-  gem "webrat", "0.7.3", require: false
+  gem "webrat", require: false
   gem "mocha", "~> 2.1", require: false
+  gem "minitest", "< 6"
+  gem "ostruct"
 end
 
 platforms :ruby do
-  gem "sqlite3", "~> 1.4"
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 8.1"
 end

gemfiles/Gemfile-rails-8-0

@@ -0,0 +1,31 @@
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+gem "rails", "~> 8.0.0"
+gem "omniauth"
+gem "omniauth-oauth2"
+gem "rdoc"
+
+gem "rails-controller-testing"
+
+gem "responders", "~> 3.1"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid"
+  gem "rexml"
+  gem "timecop"
+  gem 'webrat'
+  gem "mocha", "~> 2.1", require: false
+  gem "minitest", "< 6"
+  gem "ostruct"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 8.1"
+end

gemfiles/Gemfile-rails-main

@@ -7,7 +7,7 @@ gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.1"
 
@@ -18,8 +18,14 @@ group :test do
   gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 2.1", require: false
+  gem "minitest", "< 6"
+  gem "ostruct"
 end
 
 platforms :ruby do
-  gem "sqlite3", "~> 2.0"
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", github: "mongodb/mongoid", branch: "master"
 end

lib/devise.rb

@@ -16,7 +16,6 @@ module Devise
   autoload :Orm,                'devise/orm'
   autoload :ParameterFilter,    'devise/parameter_filter'
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
-  autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
   autoload :TokenGenerator,     'devise/token_generator'
 
@@ -446,9 +445,9 @@ module Devise
   #  Devise.setup do |config|
   #    config.allow_unconfirmed_access_for = 2.days
   #
-  #    config.warden do |manager|
+  #    config.warden do |warden_config|
   #      # Configure warden to use other strategies, like oauth.
-  #      manager.oauth(:twitter)
+  #      warden_config.oauth(:twitter)
   #    end
   #  end
   def self.warden(&block)

lib/devise/controllers/sign_in_out.rb

@@ -37,16 +37,7 @@ module Devise
 
         expire_data_after_sign_in!
 
-        if options[:bypass]
-          Devise.deprecator.warn(<<-DEPRECATION.strip_heredoc, caller)
-          [Devise] bypass option is deprecated and it will be removed in future version of Devise.
-          Please use bypass_sign_in method instead.
-          Example:
-
-            bypass_sign_in(user)
-          DEPRECATION
-          warden.session_serializer.store(resource, scope)
-        elsif warden.user(scope) == resource && !options.delete(:force)
+        if warden.user(scope) == resource && !options.delete(:force)
           # Do nothing. User already signed in and we are not forcing it.
           true
         else

lib/devise/failure_app.rb

@@ -77,9 +77,9 @@ module Devise
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(request.env).tap { |response|
-        response[0] = Rack::Utils.status_code(
-          response[0].in?(300..399) ? Devise.responder.redirect_status : Devise.responder.error_status
-        )
+        status = response[0].in?(300..399) ? Devise.responder.redirect_status : Devise.responder.error_status
+        # Avoid warnings translating status to code using Rails if available (e.g. `unprocessable_entity` => `unprocessable_content`)
+        response[0] = ActionDispatch::Response.try(:rack_status_code, status) || Rack::Utils.status_code(status)
       }
     end
 

lib/devise/hooks/activatable.rb

@@ -7,6 +7,6 @@ Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
     scope = options[:scope]
     warden.logout(scope)
-    throw :warden, scope: scope, message: record.inactive_message
+    throw :warden, scope: scope, message: record.inactive_message, locale: options.fetch(:locale, I18n.locale)
   end
 end

lib/devise/hooks/timeoutable.rb

@@ -25,7 +25,7 @@ Warden::Manager.after_set_user do |record, warden, options|
         record.timedout?(last_request_at) &&
         !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
-      throw :warden, scope: scope, message: :timeout
+      throw :warden, scope: scope, message: :timeout, locale: options.fetch(:locale, I18n.locale)
     end
 
     unless env['devise.skip_trackable']

lib/devise/models/lockable.rb

@@ -84,7 +84,7 @@ module Devise
         if_access_locked { send_unlock_instructions }
       end
 
-      # Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes
+      # Overwrites active_for_authentication? from Devise::Models::Authenticatable for locking purposes
       # by verifying whether a user is active to sign in or not based on locked?
       def active_for_authentication?
         super && !access_locked?

lib/devise/orm.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Orm # :nodoc:
     def self.active_record?(model)
@@ -5,10 +7,14 @@ module Devise
     end
 
     def self.included(model)
-      model.include DirtyTrackingMethods
+      if Devise::Orm.active_record?(model)
+        model.include DirtyTrackingActiveRecordMethods
+      else
+        model.include DirtyTrackingMongoidMethods
+      end
     end
 
-    module DirtyTrackingMethods
+    module DirtyTrackingActiveRecordMethods
       def devise_email_before_last_save
         email_before_last_save
       end
@@ -33,5 +39,31 @@ module Devise
         respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
       end
     end
+
+    module DirtyTrackingMongoidMethods
+      def devise_email_before_last_save
+        respond_to?(:email_previously_was) ? email_previously_was : email_was
+      end
+
+      def devise_email_in_database
+        email_was
+      end
+
+      def devise_saved_change_to_email?
+        respond_to?(:email_previously_changed?) ? email_previously_changed? : email_changed?
+      end
+
+      def devise_saved_change_to_encrypted_password?
+        respond_to?(:encrypted_password_previously_changed?) ? encrypted_password_previously_changed? : encrypted_password_changed?
+      end
+
+      def devise_will_save_change_to_email?
+        email_changed?
+      end
+
+      def devise_respond_to_and_will_save_change_to_attribute?(attribute)
+        respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+      end
+    end
   end
 end

lib/devise/test/controller_helpers.rb

@@ -64,17 +64,7 @@ module Devise
       #
       # sign_in users(:alice)
       # sign_in users(:alice), scope: :admin
-      def sign_in(resource, deprecated = nil, scope: nil)
-        if deprecated.present?
-          scope = resource
-          resource = deprecated
-
-          Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-            [Devise] sign_in(:#{scope}, resource) on controller tests is deprecated and will be removed from Devise.
-            Please use sign_in(resource, scope: :#{scope}) instead.
-          DEPRECATION
-        end
-
+      def sign_in(resource, scope: nil)
         scope ||= Devise::Mapping.find_scope!(resource)
 
         warden.instance_variable_get(:@users).delete(scope)

lib/devise/test_helpers.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-module Devise
-  module TestHelpers
-    def self.included(base)
-      base.class_eval do
-        Devise.deprecator.warn <<-DEPRECATION.strip_heredoc
-          [Devise] including `Devise::TestHelpers` is deprecated and will be removed from Devise.
-          For controller tests, please include `Devise::Test::ControllerHelpers` instead.
-        DEPRECATION
-        include Devise::Test::ControllerHelpers
-      end
-    end
-  end
-end

lib/generators/devise/controllers_generator.rb

@@ -11,7 +11,7 @@ module Devise
         Create inherited Devise controllers in your app/controllers folder.
 
         Use -c to specify which controller you want to overwrite.
-        If you do no specify a controller, all controllers will be created.
+        If you do not specify a controller, all controllers will be created.
         For example:
 
           rails generate devise:controllers users -c=sessions

lib/generators/templates/devise.rb

@@ -157,6 +157,9 @@ Devise.setup do |config|
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed, new email is stored in
   # unconfirmed_email column, and copied to email column on successful confirmation.
+  # Also, when used in conjunction with `send_email_changed_notification`,
+  # the notification is sent to the original email when the change is requested,
+  # not when the unconfirmed email is confirmed.
   config.reconfirmable = true
 
   # Defines which key will be used when confirming an account
@@ -277,9 +280,9 @@ Devise.setup do |config|
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
   #
-  # config.warden do |manager|
-  #   manager.intercept_401 = false
-  #   manager.default_strategies(scope: :user).unshift :some_external_strategy
+  # config.warden do |warden_config|
+  #   warden_config.intercept_401 = false
+  #   warden_config.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
   # ==> Mountable engine configurations
@@ -302,7 +305,7 @@ Devise.setup do |config|
   # apps is `200 OK` and `302 Found` respectively, but new apps are generated with
   # these new defaults that match Hotwire/Turbo behavior.
   # Note: These might become the new default in future versions of Devise.
-  config.responder.error_status = :unprocessable_entity
+  config.responder.error_status = <%= Rack::Utils::SYMBOL_TO_STATUS_CODE.key(422).inspect %>
   config.responder.redirect_status = :see_other
 
   # ==> Configuration for :registerable

test/controllers/custom_strategy_test.rb

@@ -3,7 +3,7 @@
 require 'test_helper'
 require 'ostruct'
 require 'warden/strategies/base'
-require 'devise/test_helpers'
+require 'devise/test/controller_helpers'
 
 class CustomStrategyController < ActionController::Base
   def new

test/controllers/sessions_controller_test.rb

@@ -87,22 +87,4 @@ class SessionsControllerTest < Devise::ControllerTestCase
     assert flash[:notice].blank?, "flash[:notice] should be blank, not #{flash[:notice].inspect}"
     assert_equal 204, @response.status
   end
-
-  if defined?(ActiveRecord) && ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
-    test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
-      request.env["devise.mapping"] = Devise.mappings[:user]
-
-      ActiveRecord::Base.mass_assignment_sanitizer = :strict
-      User.class_eval { attr_protected :email }
-
-      begin
-        assert_nothing_raised do
-          get :new, user: { email: "allez viens!" }
-        end
-      ensure
-        ActiveRecord::Base.mass_assignment_sanitizer = :logger
-        User.class_eval { attr_accessible :email }
-      end
-    end
-  end
 end

test/generators/devise_generator_test.rb

@@ -37,5 +37,4 @@ class DeviseGeneratorTest < Rails::Generators::TestCase
     FileUtils.mkdir_p(destination)
     FileUtils.cp routes, destination
   end
-
 end

test/generators/install_generator_test.rb

@@ -23,4 +23,12 @@ class InstallGeneratorTest < Rails::Generators::TestCase
     assert_no_file "config/initializers/devise.rb"
     assert_no_file "config/locales/devise.en.yml"
   end
+
+  test "responder error_status based on rack version" do
+    run_generator(["--orm=active_record"])
+
+    error_status = Rack::VERSION >= "3.1" ? :unprocessable_content : :unprocessable_entity
+
+    assert_file "config/initializers/devise.rb", /config\.responder\.error_status = #{error_status.inspect}/
+  end
 end

test/helpers/devise_helper_test.rb

@@ -34,10 +34,6 @@ class DeviseHelperTest < Devise::IntegrationTest
   end
 
   test 'test errors.messages.not_saved with multiple errors from i18n' do
-    # Dirty tracking behavior prevents email validations from being applied:
-    #    https://github.com/mongoid/mongoid/issues/756
-    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
-
     get new_user_registration_path
 
     fill_in 'email', with: 'invalid_email'

test/integration/confirmable_test.rb

@@ -136,6 +136,15 @@ class ConfirmationTest < Devise::IntegrationTest
     end
   end
 
+  test 'not confirmed user redirect respects i18n locale set' do
+    swap Devise, allow_unconfirmed_access_for: 0.days do
+      sign_in_as_user(confirm: false, visit: new_user_session_path(locale: "pt-BR"))
+
+      assert_contain 'Você precisa confirmar seu email para continuar'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'not confirmed user should not see confirmation message if invalid credentials are given' do
     swap Devise, allow_unconfirmed_access_for: 0.days do
       sign_in_as_user(confirm: false) do

test/integration/registerable_test.rb

@@ -98,10 +98,6 @@ class RegistrationTest < Devise::IntegrationTest
   end
 
   test 'a guest user cannot sign up with invalid information' do
-    # Dirty tracking behavior prevents email validations from being applied:
-    #    https://github.com/mongoid/mongoid/issues/756
-    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
-
     get new_user_registration_path
 
     fill_in 'email', with: 'invalid_email'
@@ -120,10 +116,6 @@ class RegistrationTest < Devise::IntegrationTest
   end
 
   test 'a guest should not sign up with email/password that already exists' do
-    # Dirty tracking behavior prevents email validations from being applied:
-    #    https://github.com/mongoid/mongoid/issues/756
-    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
-
     create_user
     get new_user_registration_path
 

test/integration/timeoutable_test.rb

@@ -167,6 +167,17 @@ class SessionTimeoutTest < Devise::IntegrationTest
     end
   end
 
+  test 'error message redirect respects i18n locale set' do
+    user = sign_in_as_user
+
+    get expire_user_path(user)
+    get root_path(locale: "pt-BR")
+    follow_redirect!
+
+    assert_contain 'Sua sessão expirou. Por favor faça o login novamente para continuar.'
+    assert_not warden.authenticated?(:user)
+  end
+
   test 'time out not triggered if remembered' do
     user = sign_in_as_user remember_me: true
     get expire_user_path(user)

test/orm/mongoid.rb

@@ -10,6 +10,6 @@ end
 
 class ActiveSupport::TestCase
   setup do
-    Mongoid.default_session.drop
+    Mongoid::Config.purge!
   end
 end

test/rails_app/app/controllers/admins_controller.rb

@@ -1,15 +1,8 @@
 # frozen_string_literal: true
 
 class AdminsController < ApplicationController
-  around_action :set_locale
   before_action :authenticate_admin!
 
   def index
   end
-
-  private
-
-  def set_locale
-    I18n.with_locale(params[:locale] || I18n.default_locale) { yield }
-  end
 end

test/rails_app/app/controllers/application_controller.rb

@@ -5,9 +5,20 @@
 
 class ApplicationController < ActionController::Base
   protect_from_forgery
+  around_action :set_locale
   before_action :current_user, unless: :devise_controller?
   before_action :authenticate_user!, if: :devise_controller?
   respond_to(*Mime::SET.map(&:to_sym))
 
   devise_group :commenter, contains: [:user, :admin]
+
+  private
+
+  def set_locale
+    I18n.with_locale(params[:locale] || I18n.default_locale) { yield }
+  end
+
+  def default_url_options
+    {locale: params[:locale]}.compact
+  end
 end

test/rails_app/config/application.rb

@@ -2,6 +2,7 @@
 
 require File.expand_path('../boot', __FILE__)
 
+require "logger"
 require "action_controller/railtie"
 require "action_mailer/railtie"
 require "rails/test_unit/railtie"
@@ -39,8 +40,10 @@ module RailsApp
       Devise::SessionsController.layout "application"
     end
 
-    if Devise::Test.rails70?
-      config.active_record.legacy_connection_handling = false
+    if DEVISE_ORM == :active_record
+      if Devise::Test.rails70?
+        config.active_record.legacy_connection_handling = false
+      end
     end
 
     if Devise::Test.rails70_and_up?

test/rails_app/config/initializers/devise.rb

@@ -181,9 +181,9 @@ Devise.setup do |config|
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.
   #
-  # config.warden do |manager|
-  #   manager.failure_app = AnotherApp
-  #   manager.default_strategies(scope: :user).unshift :some_external_strategy
+  # config.warden do |warden_config|
+  #   warden_config.failure_app = AnotherApp
+  #   warden_config.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
   # ==> Configuration for :registerable

test/support/locale/pt-BR.yml

@@ -3,3 +3,5 @@ pt-BR:
     failure:
       invalid: "%{authentication_keys} ou senha inválidos."
       unauthenticated: "Para continuar, faça login ou registre-se."
+      timeout: "Sua sessão expirou. Por favor faça o login novamente para continuar."
+      unconfirmed: "Você precisa confirmar seu email para continuar."

test/support/mongoid.yml

@@ -1,5 +1,5 @@
 test:
-  <%= Mongoid::VERSION.to_i > 4 ? 'clients' : 'sessions' %>:
+  clients:
     default:
       database: devise-test-suite
       hosts:

test/support/webrat/matchers.rb

@@ -3,10 +3,14 @@ module Webrat
   module Matchers
     class HaveSelector
       def query
-        Nokogiri::CSS.parse(@expected.to_s).map do |ast|
-          ast.to_xpath("//", Nokogiri::CSS::XPathVisitor.new)
+        Nokogiri::CSS::Parser.new.parse(@expected.to_s).map do |ast|
+          if ::Gem::Version.new(Nokogiri::VERSION) < ::Gem::Version.new('1.17.2')
+            ast.to_xpath('//', Nokogiri::CSS::XPathVisitor.new)
+          else
+            ast.to_xpath(Nokogiri::CSS::XPathVisitor.new)
+          end
         end.first
       end
     end
   end
-end
+end