Merge pull request #1750 from 0x000000/v1.0

Added ability to override redirect_to path after sending reset password ...

.gitignore

@@ -4,5 +4,4 @@
 coverage/*
 *.sqlite3
 rdoc/*
-devise.gemspec
 pkg

CHANGELOG.rdoc

@@ -1,3 +1,165 @@
+== 1.0.11
+
+* bug fix
+  * Make sure xhr requests do not store urls for redirect
+  * Squeeze break lines from cookies to avoid duplicated break lines
+
+== 1.0.10
+
+* bug fix
+  * Use secure compare when comparing passwords
+  * Improve email regexp
+  * Implement handle_unverified_request for Rails 2.3.11
+
+== 1.0.9
+
+* enhancements
+  * Extracted redirect path from Devise failure app to a new method, allowing override in custom failure apps
+  * Added sign_out_via
+
+* bug fix
+  * Email is now case insensitive
+  * Avoid session fixation attacks
+
+== 1.0.8
+
+* enhancements
+  * Support for latest MongoMapper
+  * Added anybody_signed_in? helper (by github.com/SSDany)
+
+* bug fix
+  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)
+
+== 1.0.7
+
+* bug fix
+  * Ensure password confirmation is always required
+
+* deprecations
+  * authenticatable was deprecated and renamed to database_authenticatable
+  * confirmable is not included by default on generation
+
+== 1.0.6
+
+* bug fix
+  * Do not allow unlockable strategies based on time to access a controller.
+  * Do not send unlockable email several times.
+  * Allow controller to upstram custom! failures to Warden.
+
+== 1.0.5
+
+* bug fix
+  * Use prepend_before_filter in require_no_authentication.
+  * require_no_authentication on unlockable.
+  * Fix a bug when giving an association proxy to devise.
+  * Do not use lock! on lockable since it's part of ActiveRecord API.
+
+== 1.0.4
+
+* bug fix
+  * Fixed a bug when deleting an account with rememberable
+  * Fixed a bug with custom controllers
+
+== 1.0.3
+
+* enhancements
+  * HTML e-mails now have proper formatting
+  * Do not remove MongoMapper options in find
+
+== 1.0.2
+
+* enhancements
+  * Allows you set mailer content type (by github.com/glennr)
+
+* bug fix
+  * Uses the same content type as request on http authenticatable 401 responses
+
+== 1.0.1
+
+* enhancements
+  * HttpAuthenticatable is not added by default automatically.
+  * Avoid mass assignment error messages with current password.
+
+* bug fix
+  * Fixed encryptors autoload
+
+== 1.0.0
+
+* deprecation
+  * :old_password in update_with_password is deprecated, use :current_password instead
+
+* enhancements
+  * Added Registerable
+  * Added Http Basic Authentication support
+  * Allow scoped_views to be customized per controller/mailer class
+  * [#99] Allow authenticatable to used in change_table statements
+  * Add mailer_content_type configuration parameter (by github.com/glennr)
+
+== 0.9.2
+
+* bug fix
+  * Ensure inactive user cannot sign in
+  * Ensure redirect to proper url after sign up
+
+* enhancements
+  * Added gemspec to repo
+  * Added token authenticatable (by github.com/grimen)
+
+== 0.9.1
+
+* bug fix
+  * Allow bigger salt size (by github.com/jgeiger)
+  * Fix relative url root
+
+== 0.9.0
+
+* deprecation
+  * devise :all is deprecated
+  * :success and :failure flash messages are now :notice and :alert
+
+* enhancements
+  * Added devise lockable (by github.com/mhfs)
+  * Warden 0.9.0 compatibility
+  * Mongomapper 0.6.10 compatibility
+  * Added Devise.add_module as hooks for extensions (by github.com/grimen)
+  * Ruby 1.9.1 compatibility (by github.com/grimen)
+
+* bug fix
+  * Accept path prefix not starting with slash
+  * url helpers should rely on find_scope!
+
+== 0.8.2
+
+* enhancements
+  * Allow Devise.mailer_sender to be a proc (by github.com/grimen)
+
+* bug fix
+  * Fix bug with passenger, update is required to anyone deploying on passenger (by github.com/dvdpalm)
+
+== 0.8.1
+
+* enhancements
+  * Move salt to encryptors
+  * Devise::Lockable
+  * Moved view links into partial and I18n'ed them
+
+* bug fix
+  * Bcrypt generator was not being loaded neither setting the proper salt
+
+== 0.8.0
+
+* enhancements
+  * Warden 0.8.0 compatibility
+  * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work
+  * Added :bcrypt encryptor (by github.com/capotej)
+
+* bug fix
+  * sign_in_count is also increased when user signs in via password change, confirmation, etc..
+  * More DataMapper compatibility (by github.com/lancecarlson)
+
+* deprecation
+  * Removed DeviseMailer.sender
+
 == 0.7.5
 
 * enhancements

README.rdoc

@@ -7,36 +7,36 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-Right now it's composed of seven mainly modules:
+Right now it's composed of 12 modules:
 
-* Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Database Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as "single access token").
+* HttpAuthenticatable: sign in users using basic HTTP authentication.
 * Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
 * Recoverable: takes care of reseting the user password and send reset instructions.
+* Registerable: handles signing up users through a registration process.
 * Rememberable: manages generating and clearing token for remember the user from a saved cookie.
-* Activatable: if you need to activate accounts by other means, which are not through confirmation, use this module.
-* Timeoutable: expires sessions without activity in a certain period of time.
 * Trackable: tracks sign in count, timestamps and ip.
+* Timeoutable: expires sessions without activity in a certain period of time.
 * Validatable: creates all needed validations for email and password. It's totally optional, so you're able to to customize validations by yourself.
+* Lockable: takes care of locking an account based on the number of failed sign in attempts. Handles unlock via expire and email.
+* Activatable: if you need to activate accounts by other means, which are not through confirmation, use this module.
 
 There's an example application using Devise at http://github.com/plataformatec/devise_example .
 
 == Dependencies
 
-Devise is based on Warden (http://github.com/hassox/warden), a Rack Authentication Framework so you need to install it as a gem. Please ensure you have it installed in order to use devise (see instalation below).
+Devise is based on Warden (http://github.com/hassox/warden), a Rack Authentication Framework so you need to install it as a gem. Please ensure you have it installed in order to use devise (see installation below).
 
 == Installation
 
-All gems are on gemcutter, so you need to add gemcutter to your sources if you haven't yet:
+Install warden gem if you don't have it installed:
 
-  sudo gem sources -a http://gemcutter.org/
-
-Install warden gem if you don't have it installed (requires 0.6.4 or higher):
-
-  sudo gem install warden
+  gem install warden
 
 Install devise gem:
 
-  sudo gem install devise
+  gem install devise --version=1.0.10
 
 Configure warden and devise gems inside your app:
 
@@ -47,80 +47,53 @@ Run the generator:
 
 	ruby script/generate devise_install
 
-And you're ready to go. The generator will install an initializer which describes Devise's configuration options. Be sure to take a look.
+And you're ready to go. The generator will install an initializer which describes ALL Devise's configuration options, so be sure to take a look at it and the documentation as well:
+
+  http://rdoc.info/projects/plataformatec/devise
+
+If you want to use Devise with bundler on Rails 2.3, you need to follow the instructions here:
+
+  http://github.com/carlhuda/bundler/issues/issue/83
 
 == Basic Usage
 
-This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration. You can also check out the *Generators* section below to help you start.
+This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration. You MUST also check out the *Generators* section below to help you start.
 
-Devise must be set up within the model (or models) you want to use, and devise routes must be created inside your routes.rb file.
+Devise must be set up within the model (or models) you want to use, and devise routes must be created inside your config/routes.rb file.
 
-We're assuming here you want a User model. First of all you have to setup a migration with the following fields:
+We're assuming here you want a User model with some modules, as outlined below:
+
+  class User < ActiveRecord::Base
+    devise :database_authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+  end
+
+After you choose which modules to use, you need to setup your migrations. Luckily, devise has some helpers to save you from this boring work:
 
   create_table :users do |t|
-    t.authenticatable
+    t.database_authenticatable
     t.confirmable
     t.recoverable
     t.rememberable
+    t.trackable
     t.timestamps
   end
 
-You may also want to add some indexes to improve performance:
+Remember that Devise don't rely on _attr_accessible_ or _attr_protected_ inside its modules, so be sure to setup what attributes are accessible or protected in your model.
 
-  add_index :your_table, :email
-  add_index :your_table, :confirmation_token    # for confirmable
-  add_index :your_table, :reset_password_token  # for recoverable
-
-Now let's setup a User model adding the devise line to have your authentication working:
-
-  class User < ActiveRecord::Base
-    devise :authenticatable
-  end
-
-This line adds devise authenticatable inside your User class. Devise don't rely on _attr_accessible_ or _attr_protected_ inside its modules, so be sure to setup what attributes are accessible or protected in your model.
-
-You could also include the other devise modules as below:
-
-  # Include only authenticatable stuff
-  devise :authenticatable
-
-  # Include authenticatable + confirmable
-  devise :authenticatable, :confirmable
-
-  # Include authenticatable + recoverable + rememberable
-  devise :authenticatable, :recoverable, :rememberable
-
-  # Include authenticatable + timeoutable
-  devise :authenticatable, :timeoutable
-
-  # Include all of them
-  devise :all
-
-  # Include all except recoverable
-  devise :all, :except => :recoverable
-
-Note that validations aren't added by default, so you're able to customize it. In order to have automatic validations working just include :validatable.
-
-== Model configuration
-
-In addition to :except, you can provide :pepper, :stretches, :encryptor, :authentication_keys, :confirm_within, :remember_for and :timeout as options to devise method.
-
-All those options are described in "config/initializers/devise.rb", which is generated when you invoke `ruby script/generate devise_install` in your application root.
-
-== Routes
-
-The next step after setting up your model is to configure your routes for devise. You do this by opening up your config/routes.rb and adding:
+The next setup after setting up your model is to configure your routes. You do this by opening up your config/routes.rb and adding:
 
   map.devise_for :users
 
 This is going to look inside you User model and create a set of needed routes (you can see them by running `rake routes`).
 
-There are also some options available for configuring your routes, as :class_name (to set the class for that route), :as and :path_names, where the last two have the same meaning as in common routes. The available :path_names are:
+There are also some options available for configuring your routes, as :class_name (to set the class for that route), :path_prefix, :as and :path_names, where the last two have the same meaning as in common routes. The available :path_names are:
 
-  map.devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification' }
+  map.devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock' }
 
 Be sure to check devise_for documentation for detailed description.
 
+After this steps, run your migrations, and you are ready to go! But don't finish reading, we still have a lot to tell you:
+
 == Controller filters and helpers
 
 Devise is gonna create some helpers to use inside your controllers and views. To setup a controller that needs user authentication, just add this before_filter:
@@ -139,31 +112,29 @@ You have also access to the session for this scope:
 
   user_session
 
-After signing in a user, confirming it's account or updating it's password, devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. To do it so, you need to create e default root inside your routes for your application:
+After signing in a user, confirming it's account or updating it's password, devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
 
   map.root :controller => 'home'
 
 You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize better your redirect hooks.
 
-Finally, if you are using confirmable or recoverable, you also need to setup default url options for the mailer in each environment. Here's is the configuration for config/environments/development.rb:
+Finally, you also need to setup default url options for the mailer in each environment. Here's is the configuration for config/environments/development.rb:
 
   config.action_mailer.default_url_options = { :host => 'localhost:3000' }
 
-== Views
-
-By default devise will use the same views for all scopes/roles you have. But what if you need so different views to each of them? Devise also has an easy way to accomplish it: just setup :scoped_views to true inside your devise config file, and you will be able to have views based on scope like 'sessions/users/new' and 'sessions/admin/new'. If no view is found within the scope, Devise will fallback to the default view.
-
 == Tidying up
 
-Devise let's you setup as many roles as you want, so let's say you already have this User model and also want an Admin model with the same authentication stuff, but not confirmation or password recovery. Just follow the same steps:
+Devise let's you setup as many roles as you want, so let's say you already have this User model and also want an Admin model with just authentication, trackable, lockable and timeoutable stuff and none of confirmation or password recovery. Just follow the same steps:
 
   # Create a migration with the required fields
   create_table :admins do |t|
-    t.authenticatable
+    t.database_authenticatable
+    t.lockable
+    t.trackable
   end
 
   # Inside your Admin model
-  devise :authenticatable, :validatable
+  devise :database_authenticatable, :trackable, :timeoutable, :lockable
 
   # Inside your routes
   map.devise_for :admin
@@ -188,11 +159,25 @@ This will generate an initializer, with a description of all configuration value
 
 A model configured with all devise modules and attr_accessible for default fields will be created. The generator will also create the migration and configure your routes for devise.
 
-You can also copy devise views to your application, being able to modify them based on your needs. To do it so, run the following command:
+== Model configuration
+
+The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in database_authenticatable:
+
+  devise :database_authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
+
+Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are describer in the initializer created when you invoke the devise_install generator describer above.
+
+== Views
+
+Since devise is an engine, it has all default views inside the gem. They are good to get you started, but you will want to customize them at some point. And Devise has a generator to make copy them all to your application:
 
   ruby script/generate devise_views
 
-This is gonna copy all session, password, confirmation and mailer views to your app/views folder.
+By default Devise will use the same views for all roles you have. But what if you need so different views to each of them? Devise also has an easy way to accomplish it: just setup config.scoped_views to true inside "config/initializers/devise.rb".
+
+After doing so you will be able to have views based on the scope like 'sessions/users/new' and 'sessions/admin/new'. If no view is found within the scope, Devise will fallback to the default view.
+
+Devise uses flash messages to let users know if their login is successful or not. Devise expects your application to call 'flash[:notice]' and 'flash[:alert]' as appropriate.
 
 == I18n
 
@@ -249,13 +234,22 @@ Devise implements encryption strategies for Clearance, Authlogic and Restful-Aut
 
 == Other ORMs
 
-Devise was made to work from scratch with ActiveRecord. However it currently supports DataMapper and MongoMapper as well.
-To use it, just set Devise.orm or configure it in the initialization file (which is created with devise_install).
+Devise supports both ActiveRecord (default) and MongoMapper, and has experimental Datamapper supports (in a sense that Devise test suite does not run completely with Datamapper). To choose other ORM, you just need to configure it in the initializer file.
 
 == TODO
 
 Please refer to TODO file.
 
+== Security
+
+Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
+
+1) Look at the source code a bit to find out whether your assumptions are correct;
+2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
+3) E-mail us or send a Github private message instead of using the normal issues;
+
+Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
+
 == Maintainers
 
 * José Valim (http://github.com/josevalim)
@@ -263,9 +257,9 @@ Please refer to TODO file.
 
 == Contributors
 
-* Marcelo Silveira (http://github.com/mhfs)
-* Cyril Mougel (http://github.com/shingara)
-* Jonas Grimfelt (http://github.com/grimen)
+We have a long running list of contributors. Check them all here:
+
+http://github.com/plataformatec/devise/contributors
 
 == Bugs and Feedback
 

Rakefile

@@ -37,17 +37,17 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION
+    s.version = Devise::VERSION.dup
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"
     s.description = "Flexible authentication solution for Rails with Warden"
     s.authors = ['José Valim', 'Carlos Antônio']
-    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "init.rb"]
-    s.add_dependency("warden", "~> 0.6.4")
+    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "rails/init.rb"]
+    s.add_dependency("warden", "~> 0.10.3")
   end
 
   Jeweler::GemcutterTasks.new
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+  puts "Jeweler, or one of its dependencies, is not available. Install it with: gem install jeweler"
 end

TODO

@@ -1,6 +1,2 @@
-* Make test run with DataMapper (ActiveRecord, MongoMapper)
-* Add Registerable support
-* Add http authentication support
-* Extract SessionSerializer tests from Authenticatable
-* Extract CookieSerializer tests from Authenticatable
-* Extract Activatable tests from Confirmable
+* Make test run with DataMapper
+* Extract Activatable tests from Confirmable

app/controllers/confirmations_controller.rb

@@ -1,5 +1,5 @@
 class ConfirmationsController < ApplicationController
-  include Devise::Controllers::Helpers
+  include Devise::Controllers::InternalHelpers
 
   # GET /resource/confirmation/new
   def new
@@ -12,7 +12,7 @@ class ConfirmationsController < ApplicationController
     self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :success, :send_instructions
+      set_flash_message :notice, :send_instructions
       redirect_to new_session_path(resource_name)
     else
       render_with_scope :new
@@ -21,10 +21,10 @@ class ConfirmationsController < ApplicationController
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
-    self.resource = resource_class.confirm!(:confirmation_token => params[:confirmation_token])
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      set_flash_message :success, :confirmed
+      set_flash_message :notice, :confirmed
       sign_in_and_redirect(resource_name, resource)
     else
       render_with_scope :new

app/controllers/passwords_controller.rb

@@ -1,7 +1,6 @@
 class PasswordsController < ApplicationController
-  include Devise::Controllers::Helpers
-
-  before_filter :require_no_authentication
+  prepend_before_filter :require_no_authentication
+  include Devise::Controllers::InternalHelpers
 
   # GET /resource/password/new
   def new
@@ -14,8 +13,8 @@ class PasswordsController < ApplicationController
     self.resource = resource_class.send_reset_password_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :success, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message :notice, :send_instructions
+      redirect_to after_sending_reset_password_instructions_path_for(resource_name)
     else
       render_with_scope :new
     end
@@ -30,13 +29,19 @@ class PasswordsController < ApplicationController
 
   # PUT /resource/password
   def update
-    self.resource = resource_class.reset_password!(params[resource_name])
+    self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :success, :updated
+      set_flash_message :notice, :updated
       sign_in_and_redirect(resource_name, resource)
     else
       render_with_scope :edit
     end
   end
+
+  protected
+
+  def after_sending_reset_password_instructions_path_for(resource_name)
+    new_session_path(resource_name)
+  end
 end

app/controllers/registrations_controller.rb

@@ -0,0 +1,53 @@
+class RegistrationsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
+  include Devise::Controllers::InternalHelpers
+
+  # GET /resource/sign_up
+  def new
+    build_resource
+    render_with_scope :new
+  end
+
+  # POST /resource
+  def create
+    build_resource
+
+    if resource.save
+      set_flash_message :notice, :signed_up
+      sign_in_and_redirect(resource_name, resource)
+    else
+      render_with_scope :new
+    end
+  end
+
+  # GET /resource/edit
+  def edit
+    render_with_scope :edit
+  end
+
+  # PUT /resource
+  def update
+    if self.resource.update_with_password(params[resource_name])
+      set_flash_message :notice, :updated
+      redirect_to after_sign_in_path_for(self.resource)
+    else
+      render_with_scope :edit
+    end
+  end
+
+  # DELETE /resource
+  def destroy
+    self.resource.destroy
+    set_flash_message :notice, :destroyed
+    sign_out_and_redirect(self.resource)
+  end
+
+  protected
+
+    # Authenticates the current scope and dup the resource
+    def authenticate_scope!
+      send(:"authenticate_#{resource_name}!")
+      self.resource = send(:"current_#{resource_name}").dup
+    end
+end

app/controllers/sessions_controller.rb

@@ -1,33 +1,42 @@
 class SessionsController < ApplicationController
-  include Devise::Controllers::Helpers
-
-  before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  include Devise::Controllers::InternalHelpers
 
   # GET /resource/sign_in
   def new
-    Devise::FLASH_MESSAGES.each do |message|
-      set_now_flash_message :failure, message if params.try(:[], message) == "true"
+    unless flash[:notice].present?
+      Devise::FLASH_MESSAGES.each do |message|
+        set_now_flash_message :alert, message if params.try(:[], message) == "true"
+      end
     end
+
     build_resource
     render_with_scope :new
   end
 
   # POST /resource/sign_in
   def create
-    if authenticate(resource_name)
-      set_flash_message :success, :signed_in
-      sign_in_and_redirect(resource_name)
+    if resource = authenticate(resource_name)
+      set_flash_message :notice, :signed_in
+      sign_in_and_redirect(resource_name, resource, true)
+    elsif [:custom, :redirect].include?(warden.result)
+      throw :warden, :scope => resource_name
     else
-      set_now_flash_message :failure, warden.message || :invalid
-      build_resource
+      set_now_flash_message :alert, (warden.message || :invalid)
+      clean_up_passwords(build_resource)
       render_with_scope :new
     end
   end
 
   # GET /resource/sign_out
   def destroy
-    set_flash_message :success, :signed_out if signed_in?(resource_name)
+    set_flash_message :notice, :signed_out if signed_in?(resource_name)
     sign_out_and_redirect(resource_name)
   end
 
+  protected
+
+    def clean_up_passwords(object)
+      object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
+    end
 end

app/controllers/unlocks_controller.rb

@@ -0,0 +1,41 @@
+class UnlocksController < ApplicationController
+  prepend_before_filter :ensure_email_as_unlock_strategy
+  prepend_before_filter :require_no_authentication
+  include Devise::Controllers::InternalHelpers
+
+  # GET /resource/unlock/new
+  def new
+    build_resource
+    render_with_scope :new
+  end
+
+  # POST /resource/unlock
+  def create
+    self.resource = resource_class.send_unlock_instructions(params[resource_name])
+
+    if resource.errors.empty?
+      set_flash_message :notice, :send_instructions
+      redirect_to new_session_path(resource_name)
+    else
+      render_with_scope :new
+    end
+  end
+
+  # GET /resource/unlock?unlock_token=abcdef
+  def show
+    self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
+
+    if resource.errors.empty?
+      set_flash_message :notice, :unlocked
+      sign_in_and_redirect(resource_name, resource)
+    else
+      render_with_scope :new
+    end
+  end
+
+  protected
+
+  def ensure_email_as_unlock_strategy
+    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
+  end
+end

app/models/devise_mailer.rb

@@ -1,15 +1,5 @@
 class DeviseMailer < ::ActionMailer::Base
-
-  # Sets who is sending the e-mail
-  def self.sender=(value)
-    @@sender = value
-  end
-
-  # Reads who is sending the e-mail
-  def self.sender
-    @@sender
-  end
-  self.sender = nil
+  extend Devise::Controllers::InternalHelpers::ScopedViews
 
   # Deliver confirmation instructions when the user is created or its email is
   # updated, and also when confirmation is manually requested
@@ -22,23 +12,27 @@ class DeviseMailer < ::ActionMailer::Base
     setup_mail(record, :reset_password_instructions)
   end
 
+  def unlock_instructions(record)
+    setup_mail(record, :unlock_instructions)
+  end
+
   private
 
     # Configure default email options
     def setup_mail(record, key)
-      mapping = Devise::Mapping.find_by_class(record.class)
-      raise "Invalid devise resource #{record}" unless mapping
+      scope_name = Devise::Mapping.find_scope!(record)
+      mapping    = Devise.mappings[scope_name]
 
       subject      translate(mapping, key)
-      from         self.class.sender
+      from         mailer_sender(mapping)
       recipients   record.email
       sent_on      Time.now
-      content_type 'text/html'
+      content_type Devise.mailer_content_type
       body         render_with_scope(key, mapping, mapping.name => record, :resource => record)
     end
 
     def render_with_scope(key, mapping, assigns)
-      if Devise.scoped_views
+      if self.class.scoped_views
         begin
           render :file => "devise_mailer/#{mapping.as}/#{key}", :body => assigns
         rescue ActionView::MissingTemplate
@@ -49,6 +43,15 @@ class DeviseMailer < ::ActionMailer::Base
       end
     end
 
+    def mailer_sender(mapping)
+      if Devise.mailer_sender.is_a?(Proc)
+        block_args = mapping.name if Devise.mailer_sender.arity > 0
+        Devise.mailer_sender.call(block_args)
+      else
+        Devise.mailer_sender
+      end
+    end
+
     # Setup subject namespaced by model. It means you're able to setup your
     # messages using specific resource scope, or provide a default one.
     # Example (i18n locale file):

app/views/confirmations/new.html.erb

@@ -9,8 +9,4 @@
   <p><%= f.submit "Resend confirmation instructions" %></p>
 <% end %>
 
-<%= link_to "Sign in", new_session_path(resource_name) %><br />
-
-<%- if devise_mapping.recoverable? %>
-  <%= link_to "Forgot password?", new_password_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

app/views/devise_mailer/confirmation_instructions.html.erb

@@ -1,5 +1,5 @@
-Welcome <%= @resource.email %>!
+<p>Welcome <%= @resource.email %>!</p>
 
-You can confirm your account through the link below:
+<p>You can confirm your account through the link below:</p>
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

app/views/devise_mailer/reset_password_instructions.html.erb

@@ -1,8 +1,8 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Someone has requested a link to change your password, and you can do this through the link below.
+<p>Someone has requested a link to change your password, and you can do this through the link below.</p>
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
 
-If you didn't request this, please ignore this email.
-Your password won't change until you access the link above and create a new one.
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

app/views/devise_mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>

app/views/passwords/edit.html.erb

@@ -13,8 +13,4 @@
   <p><%= f.submit "Change my password" %></p>
 <% end %>
 
-<%= link_to "Sign in", new_session_path(resource_name) %><br />
-
-<%- if devise_mapping.confirmable? %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

app/views/passwords/new.html.erb

@@ -9,8 +9,4 @@
   <p><%= f.submit "Send me reset password instructions" %></p>
 <% end %>
 
-<%= link_to "Sign in", new_session_path(resource_name) %><br />
-
-<%- if devise_mapping.confirmable? %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

app/views/registrations/edit.html.erb

@@ -0,0 +1,25 @@
+<h2>Edit <%= resource_name.to_s.humanize %></h2>
+
+<% form_for resource_name, resource, :url => registration_path(resource_name), :html => { :method => :put } do |f| -%>
+  <%= f.error_messages %>
+
+  <p><%= f.label :email %></p>
+  <p><%= f.text_field :email %></p>
+
+  <p><%= f.label :password %> <i>(leave blank if you don't want to change it)</i></p>
+  <p><%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation %></p>
+  <p><%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i></p>
+  <p><%= f.password_field :current_password %></p>
+
+  <p><%= f.submit "Update" %></p>
+<% end -%>
+
+<h3>Cancel my account</h3>
+
+<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :confirm => "Are you sure?", :method => :delete %>.</p>
+
+<%= render :partial => "shared/devise_links" %>

app/views/registrations/new.html.erb

@@ -0,0 +1,17 @@
+<h2>Sign up</h2>
+
+<% form_for resource_name, resource, :url => registration_path(resource_name) do |f| -%>
+  <%= f.error_messages %>
+  <p><%= f.label :email %></p>
+  <p><%= f.text_field :email %></p>
+
+  <p><%= f.label :password %></p>
+  <p><%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation %></p>
+  <p><%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.submit "Sign up" %></p>
+<% end -%>
+
+<%= render :partial => "shared/devise_links" %>

app/views/sessions/new.html.erb

@@ -1,25 +1,17 @@
 <h2>Sign in</h2>
 
-<%- if devise_mapping.authenticatable? %>
-  <% form_for resource_name, resource, :url => session_path(resource_name) do |f| -%>
-    <p><%= f.label :email %></p>
-    <p><%= f.text_field :email %></p>
+<% form_for resource_name, resource, :url => session_path(resource_name) do |f| -%>
+  <p><%= f.label :email %></p>
+  <p><%= f.text_field :email %></p>
 
-    <p><%= f.label :password %></p>
-    <p><%= f.password_field :password %></p>
+  <p><%= f.label :password %></p>
+  <p><%= f.password_field :password %></p>
 
-    <% if devise_mapping.rememberable? -%>
-      <p><%= f.check_box :remember_me %> <%= f.label :remember_me %></p>
-    <% end -%>
-
-    <p><%= f.submit "Sign in" %></p>
+  <% if devise_mapping.rememberable? -%>
+    <p><%= f.check_box :remember_me %> <%= f.label :remember_me %></p>
   <% end -%>
-<% end%>
 
-<%- if devise_mapping.recoverable? %>
-  <%= link_to "Forgot password?", new_password_path(resource_name) %><br />
+  <p><%= f.submit "Sign in" %></p>
 <% end -%>
 
-<%- if devise_mapping.confirmable? %>
-  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<%= render :partial => "shared/devise_links" %>

app/views/shared/_devise_links.erb

@@ -0,0 +1,19 @@
+<%- if controller_name != 'sessions' %>
+  <%= link_to t('devise.sessions.link'), new_session_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.registerable? && controller_name != 'registrations' %>
+  <%= link_to t('devise.registrations.link'), new_registration_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
+  <%= link_to t('devise.passwords.link'), new_password_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
+  <%= link_to t('devise.confirmations.link'), new_confirmation_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.lockable? && controller_name != 'unlocks' %>
+  <%= link_to t('devise.unlocks.link'), new_unlock_path(resource_name) %><br />
+<% end -%>

app/views/unlocks/new.html.erb

@@ -0,0 +1,12 @@
+<h2>Resend unlock instructions</h2>
+
+<% form_for resource_name, resource, :url => unlock_path(resource_name) do |f| %>
+  <%= f.error_messages %>
+
+  <p><%= f.label :email %></p>
+  <p><%= f.text_field :email %></p>
+
+  <p><%= f.submit "Resend unlock instructions" %></p>
+<% end %>
+
+<%= render :partial => "shared/devise_links" %>

devise.gemspec

@@ -0,0 +1,178 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{devise}
+  s.version = "1.0.11"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
+  s.date = %q{2011-03-11}
+  s.description = %q{Flexible authentication solution for Rails with Warden}
+  s.email = %q{contact@plataformatec.com.br}
+  s.extra_rdoc_files = [
+    "README.rdoc",
+    "TODO"
+  ]
+  s.files = [
+    "CHANGELOG.rdoc",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/confirmations_controller.rb",
+    "app/controllers/passwords_controller.rb",
+    "app/controllers/registrations_controller.rb",
+    "app/controllers/sessions_controller.rb",
+    "app/controllers/unlocks_controller.rb",
+    "app/models/devise_mailer.rb",
+    "app/views/confirmations/new.html.erb",
+    "app/views/devise_mailer/confirmation_instructions.html.erb",
+    "app/views/devise_mailer/reset_password_instructions.html.erb",
+    "app/views/devise_mailer/unlock_instructions.html.erb",
+    "app/views/passwords/edit.html.erb",
+    "app/views/passwords/new.html.erb",
+    "app/views/registrations/edit.html.erb",
+    "app/views/registrations/new.html.erb",
+    "app/views/sessions/new.html.erb",
+    "app/views/shared/_devise_links.erb",
+    "app/views/unlocks/new.html.erb",
+    "generators/devise/USAGE",
+    "generators/devise/devise_generator.rb",
+    "generators/devise/lib/route_devise.rb",
+    "generators/devise/templates/migration.rb",
+    "generators/devise/templates/model.rb",
+    "generators/devise_install/USAGE",
+    "generators/devise_install/devise_install_generator.rb",
+    "generators/devise_install/templates/README",
+    "generators/devise_install/templates/devise.rb",
+    "generators/devise_views/USAGE",
+    "generators/devise_views/devise_views_generator.rb",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/locales/en.yml",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/activatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/http_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/data_mapper.rb",
+    "lib/devise/orm/mongo_mapper.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/http_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "rails/init.rb"
+  ]
+  s.homepage = %q{http://github.com/plataformatec/devise}
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.5.3}
+  s.summary = %q{Flexible authentication solution for Rails with Warden}
+  s.test_files = [
+    "test/controllers/helpers_test.rb",
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/rack_middleware_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/authenticatable_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongo_mapper.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongo_mapper/admin.rb",
+    "test/rails_app/app/mongo_mapper/user.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/new_rails_defaults.rb",
+    "test/rails_app/config/initializers/session_store.rb",
+    "test/rails_app/config/routes.rb",
+    "test/routes_test.rb",
+    "test/support/assertions_helper.rb",
+    "test/support/integration_tests_helper.rb",
+    "test/support/test_silencer.rb",
+    "test/support/tests_helper.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<warden>, ["~> 0.10.3"])
+    else
+      s.add_dependency(%q<warden>, ["~> 0.10.3"])
+    end
+  else
+    s.add_dependency(%q<warden>, ["~> 0.10.3"])
+  end
+end
+

generators/devise/devise_generator.rb

@@ -4,18 +4,11 @@ class DeviseGenerator < Rails::Generator::NamedBase
 
   def manifest
     record do |m|
-      # Model
       m.directory(File.join('app', 'models', class_path))
       m.template 'model.rb', File.join('app', 'models', "#{file_path}.rb")
 
-      # Migration
       m.migration_template 'migration.rb', 'db/migrate', :migration_file_name => "devise_create_#{table_name}"
-
-      # Routing
       m.route_devise table_name
-
-      # Readme
-      m.readme "README"
     end
   end
 

generators/devise/templates/README

@@ -1,22 +0,0 @@
-
-================================================================================
-
-Some setup you must do manually if you haven't yet:
-
-1. Setup defaut url options for your specific environment. Here is an example of development environment:
-
-    config.action_mailer.default_url_options = { :host => 'localhost:3000' }
-
-It's a Rails required configuration. In production it must be the actual host your application is deployed to.
-
-2. Setup default sender for mails. In config/environment.rb:
-
-    DeviseMailer.sender = "test@example.com"
-
-You can also configure this value by running script/generate devise_install and setting config.mailer_sender,
-
-3. Ensure you have defined root_url to *something* in your config/routes.rb:
-
-    map.root :controller => 'home'
-
-================================================================================

generators/devise/templates/migration.rb

@@ -1,11 +1,12 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable
       t.trackable
+      # t.lockable
 
       t.timestamps
     end
@@ -13,6 +14,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :email,                :unique => true
     add_index :<%= table_name %>, :confirmation_token,   :unique => true
     add_index :<%= table_name %>, :reset_password_token, :unique => true
+    # add_index :<%= table_name %>, :unlock_token,         :unique => true
   end
 
   def self.down

generators/devise/templates/model.rb

@@ -1,5 +1,9 @@
 class <%= class_name %> < ActiveRecord::Base
-  devise :all
+  # Include default devise modules. Others available are:
+  # :http_authenticatable, :token_authenticatable, :confirmable, :lockable, :timeoutable and :activatable
+  devise :registerable, :database_authenticatable, :recoverable,
+         :rememberable, :trackable, :validatable
+
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation
 end

generators/devise_install/devise_install_generator.rb

@@ -7,6 +7,8 @@ class DeviseInstallGenerator < Rails::Generator::Base
 
       m.directory "config/locales"
       m.file      "../../../lib/devise/locales/en.yml", "config/locales/devise.en.yml"
+
+      m.readme "README"
     end
   end
 

generators/devise_install/templates/README

@@ -0,0 +1,23 @@
+===============================================================================
+
+Some setup you must do manually if you haven't yet:
+
+  1. Setup default url options for your specific environment. Here is an
+     example of development environment:
+
+       config.action_mailer.default_url_options = { :host => 'localhost:3000' }
+
+     This is a required Rails configuration. In production is must be the
+     actual host of your application
+
+  2. Ensure you have defined root_url to *something* in your config/routes.rb:
+
+       map.root :controller => 'home'
+
+ 3. Ensure you have a default layout in app/views/layouts and it shows
+     flash messages. For example:
+
+       <p class="notice"><%= flash[:notice] %></p>
+       <p class="alert"><%= flash[:alert] %></p>
+
+===============================================================================

generators/devise_install/templates/devise.rb

@@ -1,15 +1,13 @@
 # Use this hook to configure devise mailer, warden hooks and so forth. The first
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|
-  # Configure Devise modules used by default. You should always set this value
-  # because if Devise adds a new strategy, it won't be added to your application
-  # by default, unless you configure it here.
-  #
-  # Remember that Devise includes other modules on its own (like :activatable
-  # and :timeoutable) which are not included here and also plugins. So be sure
-  # to check the docs for a complete set.
-  config.all = [:authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable]
+  # Configure the e-mail address which will be shown in DeviseMailer.
+  config.mailer_sender = "please-change-me@config-initializers-devise.com"
+  
+  # Configure the content type of DeviseMailer mails (defaults to text/html")
+  # config.mailer_content_type = "text/plain"
 
+  # ==> Configuration for :authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate
   # the encrypted password. By default no pepper is used.
   # config.pepper = "rake secret output"
@@ -18,10 +16,10 @@ Devise.setup do |config|
   # config.stretches = 10
 
   # Define which will be the encryption algorithm. Supported algorithms are :sha1
-  # (default) and :sha512. Devise also supports encryptors from others authentication
-  # frameworks as :clearance_sha1, :authlogic_sha512 (then you should set stretches
-  # above to 20 for default behavior) and :restful_authentication_sha1 (then you
-  # should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
+  # (default), :sha512 and :bcrypt. Devise also supports encryptors from others
+  # authentication tools as :clearance_sha1, :authlogic_sha512 (then you should set
+  # stretches above to 20 for default behavior) and :restful_authentication_sha1
+  # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
   # config.encryptor = :sha1
 
   # Configure which keys are used when authenticating an user. By default is
@@ -31,21 +29,43 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # config.authentication_keys = [ :email ]
 
+  # The realm used in Http Basic Authentication
+  # config.http_authentication_realm = "Application"
+
+  # ==> Configuration for :confirmable
   # The time you want give to your user to confirm his account. During this time
   # he will be able to access your application without confirming. Default is nil.
   # config.confirm_within = 2.days
 
+  # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
+  # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again.
   # config.timeout_in = 10.minutes
 
-  # Configure the e-mail address which will be shown in DeviseMailer.
-  config.mailer_sender = "please-change-me@config-initializers-devise.com"
+  # ==> Configuration for :lockable
+  # Number of authentication tries before locking an account.
+  # config.maximum_attempts = 20
 
-  # Load and configure the ORM. Supports :active_record, :data_mapper and :mongo_mapper.
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Reanables login after a certain ammount of time (see :unlock_in below)
+  # :both  = enables both strategies
+  # config.unlock_strategy = :both
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> Configuration for :token_authenticatable
+  # Defines name of the authentication token params key
+  # config.token_authentication_key = :auth_token
+
+  # ==> General configuration
+  # Load and configure the ORM. Supports :active_record (default), :mongo_mapper
+  # (requires mongo_ext installed) and :data_mapper (experimental).
   # require 'devise/orm/mongo_mapper'
   # config.orm = :mongo_mapper
 
@@ -54,6 +74,16 @@ Devise.setup do |config|
   # are using only default views.
   # config.scoped_views = true
 
+  # By default, devise detects the role accessed based on the url. So whenever
+  # accessing "/users/sign_in", it knows you are accessing an User. This makes
+  # routes as "/sign_in" not possible, unless you tell Devise to use the default
+  # scope, setting true below.
+  # config.use_default_scope = true
+
+  # Configure the default scope used by Devise. By default it's the first devise
+  # role declared in your routes.
+  # config.default_scope = :user
+
   # If you want to use other strategies, that are not (yet) supported by Devise,
   # you can configure them inside the config.warden block. The example below
   # allows you to setup OAuth, using http://github.com/roman/warden_oauth
@@ -69,7 +99,6 @@ Devise.setup do |config|
 
   # Configure default_url_options if you are using dynamic segments in :path_prefix
   # for devise_for.
-  #
   # config.default_url_options do
   #   { :locale => I18n.locale }
   # end

lib/devise.rb

@@ -1,18 +1,20 @@
 module Devise
   autoload :FailureApp, 'devise/failure_app'
-  autoload :Mapping, 'devise/mapping'
+  autoload :Models, 'devise/models'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
   module Controllers
-    autoload :Filters, 'devise/controllers/filters'
     autoload :Helpers, 'devise/controllers/helpers'
+    autoload :InternalHelpers, 'devise/controllers/internal_helpers'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
   module Encryptors
+    autoload :Base, 'devise/encryptors/base'
+    autoload :Bcrypt, 'devise/encryptors/bcrypt'
     autoload :AuthlogicSha512, 'devise/encryptors/authlogic_sha512'
-    autoload :AuthlogicSha1, 'devise/encryptors/authlogic_sha1'
+    autoload :ClearanceSha1, 'devise/encryptors/clearance_sha1'
     autoload :RestfulAuthenticationSha1, 'devise/encryptors/restful_authentication_sha1'
     autoload :Sha512, 'devise/encryptors/sha512'
     autoload :Sha1, 'devise/encryptors/sha1'
@@ -24,22 +26,38 @@ module Devise
     autoload :MongoMapper, 'devise/orm/mongo_mapper'
   end
 
-  ALL = [:authenticatable, :activatable, :confirmable, :recoverable, :rememberable,
-         :timeoutable, :trackable, :validatable]
+  ALL = []
 
-  # Maps controller names to devise modules
+  # Authentication ones first
+  ALL.push :database_authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
+
+  # Misc after
+  ALL.push :recoverable, :registerable, :validatable
+
+  # The ones which can sign out after
+  ALL.push :activatable, :confirmable, :lockable, :timeoutable
+
+  # Stats for last, so we make sure the user is really signed in
+  ALL.push :trackable
+
+  # Maps controller names to devise modules.
   CONTROLLERS = {
-    :sessions => [:authenticatable],
+    :sessions => [:database_authenticatable, :token_authenticatable],
     :passwords => [:recoverable],
-    :confirmations => [:confirmable]
+    :confirmations => [:confirmable],
+    :registrations => [:registerable],
+    :unlocks => [:lockable]
   }
 
-  STRATEGIES  = [:authenticatable]
-  SERIALIZERS = [:session, :cookie]
+  # Routes for generating url helpers.
+  ROUTES = [:session, :password, :confirmation, :registration, :unlock]
+
+  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable]
+
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
   # Maps the messages types that are used in flash message.
-  FLASH_MESSAGES = [ :unauthenticated, :unconfirmed, :invalid, :timeout, :inactive ]
+  FLASH_MESSAGES = [:unauthenticated, :unconfirmed, :invalid, :invalid_token, :timeout, :inactive, :locked]
 
   # Declare encryptors length which are used in migrations.
   ENCRYPTORS_LENGTH = {
@@ -47,11 +65,16 @@ module Devise
     :sha512 => 128,
     :clearance_sha1 => 40,
     :restful_authentication_sha1 => 40,
-    :authlogic_sha512 => 128
+    :authlogic_sha512 => 128,
+    :bcrypt => 60
   }
 
-  # Email regex used to validate email formats. Retrieved from authlogic.
-  EMAIL_REGEX = /\A[\w\.%\+\-]+@(?:[A-Z0-9\-]+\.)+(?:[A-Z]{2,4}|museum|travel)\z/i
+  # Email regex used to validate email formats. Adapted from authlogic.
+  EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
+  # Custom domain for cookies. Not set by default
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
 
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
@@ -83,15 +106,15 @@ module Devise
 
   # Store scopes mappings.
   mattr_accessor :mappings
-  @@mappings = {}
+  @@mappings = ActiveSupport::OrderedHash.new
 
   # Stores the chosen ORM.
   mattr_accessor :orm
   @@orm = :active_record
 
-  # Configure default options used in :all.
+  # TODO Remove
   mattr_accessor :all
-  @@all = Devise::ALL.dup
+  @@all = []
 
   # Tells if devise should apply the schema in ORMs where devise declaration
   # and schema belongs to the same class (as Datamapper and MongoMapper).
@@ -103,6 +126,43 @@ module Devise
   mattr_accessor :scoped_views
   @@scoped_views = false
 
+  # Number of authentication tries before locking an account
+  mattr_accessor :maximum_attempts
+  @@maximum_attempts = 20
+
+  # Defines which strategy can be used to unlock an account.
+  # Values: :email, :time, :both
+  mattr_accessor :unlock_strategy
+  @@unlock_strategy = :both
+
+  # Time interval to unlock the account if :time is defined as unlock_strategy.
+  mattr_accessor :unlock_in
+  @@unlock_in = 1.hour
+
+  # Tell when to use the default scope, if one cannot be found from routes.
+  mattr_accessor :use_default_scope
+  @@use_default_scope = false
+
+  # The default scope which is used by warden.
+  mattr_accessor :default_scope
+  @@default_scope = nil
+
+  # Address which sends Devise e-mails.
+  mattr_accessor :mailer_sender
+  @@mailer_sender = nil
+
+  # Content Type of Devise e-mails.
+  mattr_accessor :mailer_content_type
+  @@mailer_content_type = 'text/html'
+
+  # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
+  mattr_accessor :token_authentication_key
+  @@token_authentication_key = :auth_token
+
+  # The realm used in Http Basic Authentication
+  mattr_accessor :http_authentication_realm
+  @@http_authentication_realm = "Application"
+
   class << self
     # Default way to setup Devise. Run script/generate devise_install to create
     # a fresh initializer with all configuration values.
@@ -110,12 +170,6 @@ module Devise
       yield self
     end
 
-    # Sets the sender in DeviseMailer.
-    def mailer_sender=(value)
-      DeviseMailer.sender = value
-    end
-    alias :sender= :mailer_sender=
-
     # Sets warden configuration using a block that will be invoked on warden
     # initialization.
     #
@@ -133,20 +187,21 @@ module Devise
 
     # Configure default url options to be used within Devise and ActionController.
     def default_url_options(&block)
-      Devise::Mapping.metaclass.send :define_method, :default_url_options, &block
+      who = Devise::Mapping.respond_to?(:singleton_class) ?
+        Devise::Mapping.singleton_class : Devise::Mapping.metaclass
+      who.send :define_method, :default_url_options, &block
     end
 
     # A method used internally to setup warden manager from the Rails initialize
     # block.
-    def configure_warden_manager(manager) #:nodoc:
-      manager.default_strategies *Devise::STRATEGIES
-      manager.default_serializers *Devise::SERIALIZERS
-      manager.failure_app = Devise::FailureApp
-      manager.silence_missing_strategies!
-      manager.silence_missing_serializers!
+    def configure_warden(config) #:nodoc:
+      config.default_strategies *Devise::STRATEGIES
+      config.failure_app = Devise::FailureApp
+      config.silence_missing_strategies!
+      config.default_scope = Devise.default_scope
 
       # If the user provided a warden hook, call it now.
-      @warden_config.try :call, manager
+      @warden_config.try :call, config
     end
 
     # The class of the configured ORM
@@ -158,6 +213,60 @@ module Devise
     def friendly_token
       ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
     end
+
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.present? && b.present?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    # Make Devise aware of an 3rd party Devise-module. For convenience.
+    #
+    # == Options:
+    #
+    #   +strategy+    - Boolean value representing if this module got a custom *strategy*.
+    #                   Default is +false+. Note: Devise will auto-detect this in such case if this is true.
+    #   +model+       - String representing a load path to a custom *model* for this module (to autoload).
+    #                   Default is +nil+ (i.e. +false+).
+    #   +controller+  - Symbol representing a name of an exisiting or custom *controller* for this module.
+    #                   Default is +nil+ (i.e. +false+).
+    #   +route+       - Symbol representing the name of a *route* related to this module which a set of
+    #                   route view helpers should be created for.
+    #                   Default is +nil+ (i.e. +false+).
+    #
+    # == Examples:
+    #
+    #   Devise.add_module(:party_module)
+    #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
+    #   Devise.add_module(:party_module, :model => 'party_module/model')
+    #
+    def add_module(module_name, options = {})
+      Devise::ALL << module_name        unless Devise::ALL.include?(module_name)
+      Devise::STRATEGIES.unshift module_name if options[:strategy] && !Devise::STRATEGIES.include?(module_name)
+
+      if options[:controller]
+        controller = options[:controller].to_sym
+        Devise::CONTROLLERS[controller] ||= []
+        Devise::CONTROLLERS[controller].unshift module_name unless Devise::CONTROLLERS[controller].include?(module_name)
+      end
+
+      if options[:route]
+        Devise::ROUTES.unshift options[:route] unless Devise::ROUTES.include?(options[:route])
+      end
+
+      if options[:model]
+        Devise::Models.module_eval do
+          autoload :"#{module_name.to_s.classify}", options[:model]
+        end
+      end
+
+      Devise::Mapping.register module_name
+    end
   end
 end
 
@@ -168,9 +277,5 @@ rescue
   require 'warden'
 end
 
-# Clear some Warden default configuration which will be overwritten
-Warden::Strategies.clear!
-Warden::Serializers.clear!
-Warden::Manager.default_scope = nil
-
-require 'devise/rails'
+require 'devise/mapping'
+require 'devise/rails'

lib/devise/controllers/filters.rb

@@ -1,186 +0,0 @@
-module Devise
-  module Controllers
-    # Those filters are convenience methods added to ApplicationController to
-    # deal with Warden.
-    module Filters
-
-      def self.included(base)
-        base.class_eval do
-          helper_method :warden, :signed_in?, :devise_controller?,
-                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?"] }.flatten
-
-          # Use devise default_url_options. We have to declare it here to overwrite
-          # default definitions.
-          def default_url_options(options=nil)
-            Devise::Mapping.default_url_options
-          end
-        end
-      end
-
-      # The main accessor for the warden proxy instance
-      def warden
-        request.env['warden']
-      end
-
-      # Return true if it's a devise_controller. false to all controllers unless
-      # the controllers defined inside devise. Useful if you want to apply a before
-      # filter to all controller, except the ones in devise:
-      #
-      #   before_filter :my_filter, :unless => { |c| c.devise_controller? }
-      def devise_controller?
-        false
-      end
-
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # but does not redirect in case of failures.
-      def authenticate(scope)
-        warden.authenticate(:scope => scope)
-      end
-
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # redirecting in case of failures.
-      def authenticate!(scope)
-        warden.authenticate!(:scope => scope)
-      end
-
-      # Check if the given scope is signed in session, without running
-      # authentication hooks.
-      def signed_in?(scope)
-        warden.authenticated?(scope)
-      end
-
-      # Sign in an user that already was authenticated. This helper is useful for logging
-      # users in after sign up.
-      #
-      # Examples:
-      #
-      #   sign_in :user, @user    # sign_in(scope, resource)
-      #   sign_in @user           # sign_in(resource)
-      #
-      def sign_in(resource_or_scope, resource=nil)
-        scope    ||= Devise::Mapping.find_scope!(resource_or_scope)
-        resource ||= resource_or_scope
-        warden.set_user(resource, :scope => scope)
-      end
-
-      # Sign out a given user or scope. This helper is useful for signing out an user
-      # after deleting accounts.
-      #
-      # Examples:
-      #
-      #   sign_out :user     # sign_out(scope)
-      #   sign_out @user     # sign_out(resource)
-      #
-      def sign_out(resource_or_scope)
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        warden.user(scope) # Without loading user here, before_logout hook is not called
-        warden.raw_session.inspect # Without this inspect here. The session does not clear.
-        warden.logout(scope)
-      end
-
-      # Returns and delete the url stored in the session for the given scope. Useful
-      # for giving redirect backs after sign up:
-      #
-      # Example:
-      #
-      #   redirect_to stored_location_for(:user) || root_path
-      #
-      def stored_location_for(resource_or_scope)
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
-      end
-
-      # The default url to be used after signing in. This is used by all Devise
-      # controllers and you can overwrite it in your ApplicationController to
-      # provide a custom hook for a custom resource.
-      #
-      # By default, it first tries to find a resource_root_path, otherwise it
-      # uses the root path. For a user scope, you can define the default url in
-      # the following way:
-      #
-      #   map.user_root '/users', :controller => 'users' # creates user_root_path
-      #
-      #   map.resources :users do |users|
-      #     users.root # creates user_root_path
-      #   end
-      #
-      # If none of these are defined, root_path is used.
-      def after_sign_in_path_for(resource_or_scope)
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
-        respond_to?(home_path, true) ? send(home_path) : root_path
-      end
-
-      # The default to be used after signing out. This is used by all Devise
-      # controllers and you can overwrite it in your ApplicationController to
-      # provide a custom hook for a custom resource.
-      #
-      # By default is the root_path.
-      def after_sign_out_path_for(resource_or_scope)
-        root_path
-      end
-
-      # Sign in an user and tries to redirect first to the stored location and
-      # then to the url specified by after_sign_in_path_for.
-      #
-      # If just a symbol is given, consider that the user was already signed in
-      # through other means and just perform the redirection.
-      def sign_in_and_redirect(*args)
-        sign_in(*args) unless args.size == 1 && args.first.is_a?(Symbol)
-        redirect_to stored_location_for(args.first) || after_sign_in_path_for(args.first)
-      end
-
-      # Sign out an user and tries to redirect to the url specified by
-      # after_sign_out_path_for.
-      def sign_out_and_redirect(resource_or_scope)
-        sign_out(resource_or_scope)
-        redirect_to after_sign_out_path_for(resource_or_scope)
-      end
-
-      # Define authentication filters and accessor helpers based on mappings.
-      # These filters should be used inside the controllers as before_filters,
-      # so you can control the scope of the user who should be signed in to
-      # access that specific controller/action.
-      # Example:
-      #
-      #   Maps:
-      #     User => :authenticatable
-      #     Admin => :authenticatable
-      #
-      #   Generated methods:
-      #     authenticate_user!  # Signs user in or redirect
-      #     authenticate_admin! # Signs admin in or redirect
-      #     user_signed_in?     # Checks whether there is an user signed in or not
-      #     admin_signed_in?    # Checks whether there is an admin signed in or not
-      #     current_user        # Current signed in user
-      #     current_admin       # Currend signed in admin
-      #     user_session        # Session data available only to the user scope
-      #     admin_session       # Session data available only to the admin scope
-      #
-      #   Use:
-      #     before_filter :authenticate_user!  # Tell devise to use :user map
-      #     before_filter :authenticate_admin! # Tell devise to use :admin map
-      #
-      Devise.mappings.each_key do |mapping|
-        class_eval <<-METHODS, __FILE__, __LINE__
-          def authenticate_#{mapping}!
-            warden.authenticate!(:scope => :#{mapping})
-          end
-
-          def #{mapping}_signed_in?
-            warden.authenticated?(:#{mapping})
-          end
-
-          def current_#{mapping}
-            @current_#{mapping} ||= warden.user(:#{mapping})
-          end
-
-          def #{mapping}_session
-            warden.session(:#{mapping})
-          end
-        METHODS
-      end
-
-    end
-  end
-end

lib/devise/controllers/helpers.rb

@@ -1,114 +1,224 @@
 module Devise
   module Controllers
-    # Those helpers are used only inside Devise controllers and should not be
-    # included in ApplicationController since they all depend on the url being
-    # accessed.
+    # Those helpers are convenience methods added to ApplicationController.
     module Helpers
 
       def self.included(base)
         base.class_eval do
-          unloadable
+          helper_method :warden, :signed_in?, :devise_controller?, :anybody_signed_in?,
+                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?", :"#{m}_session"] }.flatten
 
-          helper_method :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
-          hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
-
-          skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
-          before_filter :is_devise_resource?
+          # Use devise default_url_options. We have to declare it here to overwrite
+          # default definitions.
+          def default_url_options(options=nil)
+            Devise::Mapping.default_url_options
+          end
         end
       end
 
-      # Gets the actual resource stored in the instance variable
-      def resource
-        instance_variable_get(:"@#{resource_name}")
+      # The main accessor for the warden proxy instance
+      def warden
+        request.env['warden']
       end
 
-      # Proxy to devise map name
-      def resource_name
-        devise_mapping.name
-      end
-      alias :scope_name :resource_name
-
-      # Proxy to devise map class
-      def resource_class
-        devise_mapping.to
-      end
-
-      # Attempt to find the mapped route for devise based on request path
-      def devise_mapping
-        @devise_mapping ||= Devise::Mapping.find_by_path(request.path)
-      end
-
-      # Overwrites devise_controller? to return true
+      # Return true if it's a devise_controller. false to all controllers unless
+      # the controllers defined inside devise. Useful if you want to apply a before
+      # filter to all controller, except the ones in devise:
+      #
+      #   before_filter :my_filter, :unless => { |c| c.devise_controller? }
       def devise_controller?
-        true
+        false
       end
 
-    protected
-
-      # Checks whether it's a devise mapped resource or not.
-      def is_devise_resource? #:nodoc:
-        raise ActionController::UnknownAction unless devise_mapping && devise_mapping.allows?(controller_name)
+      # Attempts to authenticate the given scope by running authentication hooks,
+      # but does not redirect in case of failures.
+      def authenticate(scope)
+        warden.authenticate(:scope => scope)
       end
 
-      # Sets the resource creating an instance variable
-      def resource=(new_resource)
-        instance_variable_set(:"@#{resource_name}", new_resource)
+      # Attempts to authenticate the given scope by running authentication hooks,
+      # redirecting in case of failures.
+      def authenticate!(scope)
+        warden.authenticate!(:scope => scope)
       end
 
-      # Build a devise resource without setting password and password confirmation fields.
-      def build_resource
-        self.resource ||= begin
-          attributes = params[resource_name].try(:except, :password, :password_confirmation)
-          resource_class.new(attributes || {})
-        end
+      # Check if the given scope is signed in session, without running
+      # authentication hooks.
+      def signed_in?(scope)
+        warden.authenticate?(:scope => scope)
       end
 
-      # Helper for use in before_filters where no authentication is required.
+      # Check if the any scope is signed in session, without running
+      # authentication hooks.
+      def anybody_signed_in?
+        Devise.mappings.keys.any? { |scope| signed_in?(scope) }
+      end
+
+      # Sign in an user that already was authenticated. This helper is useful for logging
+      # users in after sign up.
+      #
+      # Examples:
+      #
+      #   sign_in :user, @user    # sign_in(scope, resource)
+      #   sign_in @user           # sign_in(resource)
+      #
+      def sign_in(resource_or_scope, resource=nil)
+        scope      = Devise::Mapping.find_scope!(resource_or_scope)
+        resource ||= resource_or_scope
+        warden.set_user(resource, :scope => scope)
+        @_session = request.session # Recalculate session
+      end
+
+      # Sign out a given user or scope. This helper is useful for signing out an user
+      # after deleting accounts.
+      #
+      # Examples:
+      #
+      #   sign_out :user     # sign_out(scope)
+      #   sign_out @user     # sign_out(resource)
+      #
+      def sign_out(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        warden.user(scope) # Without loading user here, before_logout hook is not called
+        warden.raw_session.inspect # Without this inspect here. The session does not clear.
+        warden.logout(scope)
+      end
+
+      # Returns and delete the url stored in the session for the given scope. Useful
+      # for giving redirect backs after sign up:
       #
       # Example:
-      #   before_filter :require_no_authentication, :only => :new
-      def require_no_authentication
-        redirect_to after_sign_in_path_for(resource_name) if warden.authenticated?(resource_name)
-      end
-
-      # Sets the flash message with :key, using I18n. By default you are able
-      # to setup your messages using specific resource scope, and if no one is
-      # found we look to default scope.
-      # Example (i18n locale file):
       #
-      #   en:
-      #     devise:
-      #       passwords:
-      #         #default_scope_messages - only if resource_scope is not found
-      #         user:
-      #           #resource_scope_messages
+      #   redirect_to stored_location_for(:user) || root_path
       #
-      # Please refer to README or en.yml locale file to check what messages are
-      # available.
-      def set_flash_message(key, kind, now=false)
-        flash_hash = now ? flash.now : flash
-        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
-                            :scope => [:devise, controller_name.to_sym], :default => kind)
+      def stored_location_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        key = "#{scope}.return_to"
+        session.delete(key) || session.delete(key.to_sym)
       end
 
-      # Shortcut to set flash.now message. Same rules applied from set_flash_message
-      def set_now_flash_message(key, kind)
-        set_flash_message(key, kind, true)
+      # The default url to be used after signing in. This is used by all Devise
+      # controllers and you can overwrite it in your ApplicationController to
+      # provide a custom hook for a custom resource.
+      #
+      # By default, it first tries to find a resource_root_path, otherwise it
+      # uses the root path. For a user scope, you can define the default url in
+      # the following way:
+      #
+      #   map.user_root '/users', :controller => 'users' # creates user_root_path
+      #
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
+      #   end
+      #
+      #
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
+      #
+      #   def after_sign_in_path_for(resource)
+      #     if resource.is_a?(User) && resource.can_publish?
+      #       publisher_url
+      #     else
+      #       super
+      #     end
+      #   end
+      #
+      def after_sign_in_path_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        home_path = "#{scope}_root_path"
+        respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
-      # Render a view for the specified scope. Turned off by default.
-      # Accepts just :controller as option.
-      def render_with_scope(action, options={})
-        controller_name = options.delete(:controller) || self.controller_name
-        if Devise.scoped_views
-          begin
-            render :template => "#{controller_name}/#{devise_mapping.as}/#{action}"
-          rescue ActionView::MissingTemplate
-            render action, :controller => controller_name
-          end
+      # Method used by sessions controller to sign out an user. You can overwrite
+      # it in your ApplicationController to provide a custom hook for a custom
+      # scope. Notice that differently from +after_sign_in_path_for+ this method
+      # receives a symbol with the scope, and not the resource.
+      #
+      # By default is the root_path.
+      def after_sign_out_path_for(resource_or_scope)
+        root_path
+      end
+
+      # Sign in an user and tries to redirect first to the stored location and
+      # then to the url specified by after_sign_in_path_for.
+      #
+      # If just a symbol is given, consider that the user was already signed in
+      # through other means and just perform the redirection.
+      def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
+        scope      = Devise::Mapping.find_scope!(resource_or_scope)
+        resource ||= resource_or_scope
+        if skip
+          @_session = request.session # Recalculate session
         else
-          render action, :controller => controller_name
+          sign_in(scope, resource)
         end
+        redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
+      end
+
+      # Sign out an user and tries to redirect to the url specified by
+      # after_sign_out_path_for.
+      def sign_out_and_redirect(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        sign_out(scope)
+        redirect_to after_sign_out_path_for(scope)
+      end
+
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden.
+      def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
+        warden.raw_session.inspect
+        warden.logout
+      end
+
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
+      # Define authentication filters and accessor helpers based on mappings.
+      # These filters should be used inside the controllers as before_filters,
+      # so you can control the scope of the user who should be signed in to
+      # access that specific controller/action.
+      # Example:
+      #
+      #   Maps:
+      #     User => :authenticatable
+      #     Admin => :authenticatable
+      #
+      #   Generated methods:
+      #     authenticate_user!  # Signs user in or redirect
+      #     authenticate_admin! # Signs admin in or redirect
+      #     user_signed_in?     # Checks whether there is an user signed in or not
+      #     admin_signed_in?    # Checks whether there is an admin signed in or not
+      #     current_user        # Current signed in user
+      #     current_admin       # Current signed in admin
+      #     user_session        # Session data available only to the user scope
+      #     admin_session       # Session data available only to the admin scope
+      #
+      #   Use:
+      #     before_filter :authenticate_user!  # Tell devise to use :user map
+      #     before_filter :authenticate_admin! # Tell devise to use :admin map
+      #
+      Devise.mappings.each_key do |mapping|
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def authenticate_#{mapping}!
+            warden.authenticate!(:scope => :#{mapping})
+          end
+
+          def #{mapping}_signed_in?
+            warden.authenticate?(:scope => :#{mapping})
+          end
+
+          def current_#{mapping}
+            @current_#{mapping} ||= warden.authenticate(:scope => :#{mapping})
+          end
+
+          def #{mapping}_session
+            current_#{mapping} && warden.session(:#{mapping})
+          end
+        METHODS
       end
 
     end

lib/devise/controllers/internal_helpers.rb

@@ -0,0 +1,129 @@
+module Devise
+  module Controllers
+    # Those helpers are used only inside Devise controllers and should not be
+    # included in ApplicationController since they all depend on the url being
+    # accessed.
+    module InternalHelpers #:nodoc:
+
+      def self.included(base)
+        base.class_eval do
+          extend ScopedViews
+          unloadable
+
+          helper_method :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
+          hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
+
+          skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
+          prepend_before_filter :is_devise_resource?
+        end
+      end
+
+      module ScopedViews
+        def scoped_views
+          defined?(@scoped_views) ? @scoped_views : Devise.scoped_views
+        end
+
+        def scoped_views=(value)
+          @scoped_views = value
+        end
+      end
+
+      # Gets the actual resource stored in the instance variable
+      def resource
+        instance_variable_get(:"@#{resource_name}")
+      end
+
+      # Proxy to devise map name
+      def resource_name
+        devise_mapping.name
+      end
+      alias :scope_name :resource_name
+
+      # Proxy to devise map class
+      def resource_class
+        devise_mapping.to
+      end
+
+      # Attempt to find the mapped route for devise based on request path
+      def devise_mapping
+        @devise_mapping ||= begin
+          mapping   = Devise::Mapping.find_by_path(request.path)
+          mapping ||= Devise.mappings[Devise.default_scope] if Devise.use_default_scope
+          mapping
+        end
+      end
+
+      # Overwrites devise_controller? to return true
+      def devise_controller?
+        true
+      end
+
+    protected
+
+      # Checks whether it's a devise mapped resource or not.
+      def is_devise_resource? #:nodoc:
+        raise ActionController::UnknownAction unless devise_mapping && devise_mapping.allows?(controller_name)
+      end
+
+      # Sets the resource creating an instance variable
+      def resource=(new_resource)
+        instance_variable_set(:"@#{resource_name}", new_resource)
+      end
+
+      # Build a devise resource.
+      def build_resource
+        self.resource ||= resource_class.new(params[resource_name] || {})
+      end
+
+      # Helper for use in before_filters where no authentication is required.
+      #
+      # Example:
+      #   before_filter :require_no_authentication, :only => :new
+      def require_no_authentication
+        redirect_to after_sign_in_path_for(resource_name) if warden.authenticated?(resource_name)
+      end
+
+      # Sets the flash message with :key, using I18n. By default you are able
+      # to setup your messages using specific resource scope, and if no one is
+      # found we look to default scope.
+      # Example (i18n locale file):
+      #
+      #   en:
+      #     devise:
+      #       passwords:
+      #         #default_scope_messages - only if resource_scope is not found
+      #         user:
+      #           #resource_scope_messages
+      #
+      # Please refer to README or en.yml locale file to check what messages are
+      # available.
+      def set_flash_message(key, kind, now=false)
+        flash_hash = now ? flash.now : flash
+        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
+                            :scope => [:devise, controller_name.to_sym], :default => kind)
+      end
+
+      # Shortcut to set flash.now message. Same rules applied from set_flash_message
+      def set_now_flash_message(key, kind)
+        set_flash_message(key, kind, true)
+      end
+
+      # Render a view for the specified scope. Turned off by default.
+      # Accepts just :controller as option.
+      def render_with_scope(action, options={})
+        controller_name = options.delete(:controller) || self.controller_name
+
+        if self.class.scoped_views
+          begin
+            render :template => "#{controller_name}/#{devise_mapping.as}/#{action}"
+          rescue ActionView::MissingTemplate
+            render action, :controller => controller_name
+          end
+        else
+          render action, :controller => controller_name
+        end
+      end
+
+    end
+  end
+end

lib/devise/controllers/url_helpers.rb

@@ -19,25 +19,17 @@ module Devise
     # Those helpers are added to your ApplicationController.
     module UrlHelpers
 
-      [:session, :password, :confirmation].each do |module_name|
+      Devise::ROUTES.each do |module_name|
         [:path, :url].each do |path_or_url|
           actions = [ nil, :new_ ]
-          actions << :edit_    if module_name == :password
-          actions << :destroy_ if module_name == :session
+          actions << :edit_    if [:password, :registration].include?(module_name)
+          actions << :destroy_ if [:session].include?(module_name)
 
           actions.each do |action|
-            class_eval <<-URL_HELPERS
-              def #{action}#{module_name}_#{path_or_url}(resource, *args)
-                resource = case resource
-                  when Symbol, String
-                    resource
-                  when Class
-                    resource.name.underscore
-                  else
-                    resource.class.name.underscore
-                end
-
-                send("#{action}\#{resource}_#{module_name}_#{path_or_url}", *args)
+            class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
+              def #{action}#{module_name}_#{path_or_url}(resource_or_scope, *args)
+                scope = Devise::Mapping.find_scope!(resource_or_scope)
+                send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
               end
             URL_HELPERS
           end

lib/devise/encryptors/authlogic_sha512.rb

@@ -1,19 +1,12 @@
 require "digest/sha2"
 
 module Devise
-  # Implements a way of adding different encryptions.
-  # The class should implement a self.digest method that taks the following params:
-  #   - password
-  #   - stretches: the number of times the encryption will be applied
-  #   - salt: the password salt as defined by devise
-  #   - pepper: Devise config option
-  #
   module Encryptors
     # = AuthlogicSha512
     # Simulates Authlogic's default encryption mechanism.
     # Warning: it uses Devise's stretches configuration to port Authlogic's one. Should be set to 20 in the initializer to silumate
     #  the default behavior.
-    class AuthlogicSha512
+    class AuthlogicSha512 < Base
       
       # Gererates a default password digest based on salt, pepper and the
       # incoming password.

lib/devise/encryptors/base.rb

@@ -0,0 +1,20 @@
+module Devise
+  # Implements a way of adding different encryptions.
+  # The class should implement a self.digest method that taks the following params:
+  #   - password
+  #   - stretches: the number of times the encryption will be applied
+  #   - salt: the password salt as defined by devise
+  #   - pepper: Devise config option
+  #
+  module Encryptors
+    class Base
+      def self.digest
+        raise NotImplemented
+      end
+
+      def self.salt
+        Devise.friendly_token
+      end
+    end
+  end
+end

lib/devise/encryptors/bcrypt.rb

@@ -0,0 +1,21 @@
+require "bcrypt"
+
+module Devise
+  module Encryptors
+    # = BCrypt
+    # Uses the BCrypt hash algorithm to encrypt passwords.
+    class Bcrypt < Base
+
+      # Gererates a default password digest based on stretches, salt, pepper and the
+      # incoming password. We don't strech it ourselves since BCrypt does so internally.
+      def self.digest(password, stretches, salt, pepper)
+        ::BCrypt::Engine.hash_secret([password, pepper].join, salt, stretches)
+      end
+
+      def self.salt
+        ::BCrypt::Engine.generate_salt
+      end
+
+    end
+  end
+end

lib/devise/encryptors/clearance_sha1.rb

@@ -1,19 +1,12 @@
 require "digest/sha1"
 
 module Devise
-  # Implements a way of adding different encryptions.
-  # The class should implement a self.digest method that taks the following params:
-  #   - password
-  #   - stretches: the number of times the encryption will be applied
-  #   - salt: the password salt as defined by devise
-  #   - pepper: Devise config option
-  #
   module Encryptors
     # = ClearanceSha1
     # Simulates Clearance's default encryption mechanism.
     # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
     # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES
-    class ClearanceSha1
+    class ClearanceSha1 < Base
       
       # Gererates a default password digest based on salt, pepper and the
       # incoming password.

lib/devise/encryptors/restful_authentication_sha1.rb

@@ -1,20 +1,13 @@
 require "digest/sha1"
 
 module Devise
-  # Implements a way of adding different encryptions.
-  # The class should implement a self.digest method that taks the following params:
-  #   - password
-  #   - stretches: the number of times the encryption will be applied
-  #   - salt: the password salt as defined by devise
-  #   - pepper: Devise config option
-  #
   module Encryptors
     # = RestfulAuthenticationSha1
     # Simulates Restful Authentication's default encryption mechanism.
     # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
     # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES. Should be set to 10 in 
     # the initializer to silumate the default behavior.
-    class RestfulAuthenticationSha1
+    class RestfulAuthenticationSha1 < Base
       
       # Gererates a default password digest based on salt, pepper and the
       # incoming password.

lib/devise/encryptors/sha1.rb

@@ -1,17 +1,10 @@
 require "digest/sha1"
 
 module Devise
-  # Implements a way of adding different encryptions.
-  # The class should implement a self.digest method that taks the following params:
-  #   - password
-  #   - stretches: the number of times the encryption will be applied
-  #   - salt: the password salt as defined by devise
-  #   - pepper: Devise config option
-  #
   module Encryptors
     # = Sha1
     # Uses the Sha1 hash algorithm to encrypt passwords.
-    class Sha1
+    class Sha1 < Base
       
       # Gererates a default password digest based on stretches, salt, pepper and the
       # incoming password.

lib/devise/encryptors/sha512.rb

@@ -1,17 +1,10 @@
 require "digest/sha2"
 
 module Devise
-  # Implements a way of adding different encryptions.
-  # The class should implement a self.digest method that taks the following params:
-  #   - password
-  #   - stretches: the number of times the encryption will be applied
-  #   - salt: the password salt as defined by devise
-  #   - pepper: Devise config option
-  #
   module Encryptors
     # = Sha512
     # Uses the Sha512 hash algorithm to encrypt passwords.
-    class Sha512
+    class Sha512 < Base
       
       # Gererates a default password digest based on salt, pepper and the
       # incoming password.

lib/devise/failure_app.rb

@@ -22,12 +22,8 @@ module Devise
       options = @env['warden.options']
       scope   = options[:scope]
 
-      redirect_path = if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
-      else
-        "/#{default_url}"
-      end
-      query_string = query_string_for(options)
+      redirect_path = redirect_path_for(scope)
+      query_string  = query_string_for(options)
       store_location!(scope)
 
       headers = {}
@@ -54,12 +50,23 @@ module Devise
       Rack::Utils.build_query(params)
     end
 
+    # Build the path based on current scope.
+    def redirect_path_for(scope)
+      if mapping = Devise.mappings[scope]
+        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+    end
+
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
     def store_location!(scope)
-      session[:"#{scope}.return_to"] ||= request.request_uri if request && request.get?
+      if request && request.get? && !request.xhr?
+        session[:"#{scope}.return_to"] = request.request_uri
+      end
     end
   end
 end

lib/devise/hooks/activatable.rb

@@ -1,7 +1,4 @@
-# Each time the user is set we verify if it is still able to really sign in.
-# This is done by checking the time frame the user is able to sign in without
-# confirming it's account. If the user has not confirmed it's account during
-# this time frame, he/she will not able to sign in anymore.
+# Deny user access whenever his account is not active yet.
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active?) && !record.active?
     scope = options[:scope]

lib/devise/hooks/rememberable.rb

@@ -0,0 +1,35 @@
+# After authenticate hook to verify if the user in the given scope asked to be
+# remembered while he does not sign out. Generates a new remember token for
+# that specific user and adds a cookie with this user info to sign in this user
+# automatically without asking for credentials. Refer to rememberable strategy
+# for more info.
+Warden::Manager.prepend_after_authentication do |record, warden, options|
+  scope = options[:scope]
+  remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
+
+  if Devise::TRUE_VALUES.include?(remember_me) &&
+     warden.authenticated?(scope) && record.respond_to?(:remember_me!)
+    record.remember_me!
+
+    cookie_options = {
+      :value => record.class.serialize_into_cookie(record),
+      :expires => record.remember_expires_at,
+      :path => "/"
+    }.merge record.cookie_options
+
+    warden.response.set_cookie "remember_#{scope}_token", cookie_options
+  end
+end
+
+# Before logout hook to forget the user in the given scope, only if rememberable
+# is activated for this scope. Also clear remember token to ensure the user
+# won't be remembered again.
+# Notice that we forget the user if the record is frozen. This usually means the
+# user was just deleted.
+Warden::Manager.before_logout do |record, warden, options|
+  scope = options[:scope]
+  if record.respond_to?(:forget_me!)
+    record.forget_me! unless record.frozen?
+    warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
+  end
+end

lib/devise/hooks/timeoutable.rb

@@ -5,12 +5,14 @@
 # verify timeout in the following request.
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
-  if record && record.respond_to?(:timeout?) && warden.authenticated?(scope)
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
     last_request_at = warden.session(scope)['last_request_at']
-    if record.timeout?(last_request_at)
+
+    if record.timedout?(last_request_at)
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :timeout
     end
+
     warden.session(scope)['last_request_at'] = Time.now.utc
   end
 end

lib/devise/hooks/trackable.rb

@@ -1,5 +1,5 @@
 # After each sign in, update sign in time, sign in count and sign in IP.
-Warden::Manager.after_authentication do |record, warden, options|
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   scope = options[:scope]
   if Devise.mappings[scope].try(:trackable?) && warden.authenticated?(scope)
     old_current, new_current  = record.current_sign_in_at, Time.now

lib/devise/locales/en.yml

@@ -1,21 +1,35 @@
 en:
   devise:
     sessions:
+      link: 'Sign in'
       signed_in: 'Signed in successfully.'
       signed_out: 'Signed out successfully.'
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
+      locked: 'Your account is locked.'
       invalid: 'Invalid email or password.'
+      invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'
       inactive: 'Your account was not activated yet.'
     passwords:
+      link: 'Forgot password?'
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
     confirmations:
+      link: "Didn't receive confirmation instructions?"
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
+    registrations:
+      link: 'Sign up'
+      signed_up: 'You have signed up successfully. If enabled, a confirmation was sent to your e-mail.'
+      updated: 'You updated your account successfully.'
+      destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
+    unlocks:
+      link: "Didn't receive unlock instructions?"
+      send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
+      unlocked: 'Your account was successfully unlocked. You are now signed in.'
     mailer:
       confirmation_instructions: 'Confirmation instructions'
       reset_password_instructions: 'Reset password instructions'
-
+      unlock_instructions: 'Unlock Instructions'
 

lib/devise/mapping.rb

@@ -22,34 +22,31 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix, :route_options
+    attr_reader :name, :as, :path_names, :path_prefix, :route_options, :sign_out_via
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
     def self.find_by_path(path)
       Devise.mappings.each_value do |mapping|
         route = path.split("/")[mapping.as_position]
-        return mapping if mapping.as == route.to_sym
+        return mapping if route && mapping.as == route.to_sym
       end
       nil
     end
 
-    # Find a mapping by a given class. It takes into account single table inheritance as well.
-    def self.find_by_class(klass)
-      Devise.mappings.values.find { |m| return m if klass <= m.to }
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
-      if duck.is_a?(Symbol)
-        duck
+      case duck
+      when String, Symbol
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
       else
-        klass = duck.is_a?(Class) ? duck : duck.class
-        mapping = Devise::Mapping.find_by_class(klass)
-        raise "Could not find a valid mapping for #{duck}" unless mapping
-        mapping.name
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
       end
+
+      raise "Could not find a valid mapping for #{duck}"
     end
 
     # Default url options which can be used as prefix.
@@ -61,12 +58,14 @@ module Devise
       @as    = (options.delete(:as) || name).to_sym
       @klass = (options.delete(:class_name) || name.to_s.classify).to_s
       @name  = (options.delete(:scope) || name.to_s.singularize).to_sym
-      @path_names  = options.delete(:path_names) || {}
-      @path_prefix = options.delete(:path_prefix).to_s
-      @path_prefix << "/" unless @path_prefix[-1] == ?/
+
+      @path_prefix   = "/#{options.delete(:path_prefix)}/".squeeze("/")
       @route_options = options || {}
 
-      setup_path_names
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names.merge!(options.delete(:path_names) || {})
+
+      @sign_out_via = (options.delete(:sign_out_via) || :get)
     end
 
     # Return modules for the mapping.
@@ -97,18 +96,19 @@ module Devise
       path_prefix + as.to_s
     end
 
-    # Returns the parsed path. If you need meta information in your path_prefix,
-    # you should overwrite this method to use it. The only information supported
-    # by default is I18n.locale.
-    #
+    # Returns the parsed path taking into account the relative url root and raw path.
     def parsed_path
-      returning raw_path do |path|
+      (ActionController::Base.relative_url_root.to_s + raw_path).tap do |path|
         self.class.default_url_options.each do |key, value|
-          path.gsub!(key.inspect, value.to_s)
+          path.gsub!(key.inspect, value.to_param)
         end
       end
     end
 
+    def authenticatable?
+      @authenticatable ||= self.for.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #
@@ -116,22 +116,15 @@ module Devise
     #     self.for.include?(:confirmable)
     #   end
     #
-    ALL.each do |m|
-      class_eval <<-METHOD, __FILE__, __LINE__
-        def #{m}?
-          self.for.include?(:#{m})
-        end
-      METHOD
-    end
-
-    private
-
-      # Configure default path names, allowing the user overwrite defaults by
-      # passing a hash in :path_names.
-      def setup_path_names
-        [:sign_in, :sign_out, :password, :confirmation].each do |path_name|
-          @path_names[path_name] ||= path_name.to_s
-        end
+    def self.register(*modules)
+      modules.each do |m|
+        class_eval <<-METHOD, __FILE__, __LINE__ + 1
+          def #{m}?
+            self.for.include?(:#{m})
+          end
+        METHOD
       end
+    end
+    Devise::Mapping.register *ALL
   end
 end

lib/devise/models.rb

@@ -1,14 +1,15 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable' 
-    autoload :Confirmable, 'devise/models/confirmable' 
-    autoload :Recoverable, 'devise/models/recoverable' 
+    autoload :DatabaseAuthenticatable, 'devise/models/database_authenticatable'
+    autoload :Confirmable, 'devise/models/confirmable'
+    autoload :Lockable, 'devise/models/lockable'
+    autoload :Recoverable, 'devise/models/recoverable'
     autoload :Rememberable, 'devise/models/rememberable'
-    autoload :SessionSerializer, 'devise/models/session_serializer'
-    autoload :Timeoutable, 'devise/models/timeoutable' 
-    autoload :Trackable, 'devise/models/trackable' 
-    autoload :Validatable, 'devise/models/validatable' 
+    autoload :Registerable, 'devise/models/registerable'
+    autoload :Timeoutable, 'devise/models/timeoutable'
+    autoload :Trackable, 'devise/models/trackable'
+    autoload :Validatable, 'devise/models/validatable'
 
     # Creates configuration values for Devise and for the given module.
     #
@@ -28,7 +29,7 @@ module Devise
     #
     def self.config(mod, *accessors) #:nodoc:
       accessors.each do |accessor|
-        mod.class_eval <<-METHOD, __FILE__, __LINE__
+        mod.class_eval <<-METHOD, __FILE__, __LINE__ + 1
           def #{accessor}
             if defined?(@#{accessor})
               @#{accessor}
@@ -46,49 +47,27 @@ module Devise
       end
     end
 
-    # Shortcut method for including all devise modules inside your model.
-    # You can give some extra options while declaring devise in your model:
+    # Include the chosen devise modules in your model:
     #
-    # * except: convenient option that allows you to add all devise modules,
-    #   removing only the modules you setup here:
+    #   devise :authenticatable, :confirmable, :recoverable
     #
-    #    devise :all, :except => :rememberable
-    #
-    # You can also give the following configuration values in a hash: :pepper,
-    # :stretches, :confirm_within and :remember_for. Please check your Devise
-    # initialiazer for a complete description on those values.
-    #
-    # Examples:
-    #
-    #   # include only authenticatable module
-    #   devise :authenticatable
-    #
-    #   # include authenticatable + confirmable modules
-    #   devise :authenticatable, :confirmable
-    #
-    #   # include authenticatable + recoverable modules
-    #   devise :authenticatable, :recoverable
-    #
-    #   # include authenticatable + rememberable + validatable modules
-    #   devise :authenticatable, :rememberable, :validatable
-    #
-    #   # shortcut to include all available modules
-    #   devise :all
-    #
-    #   # include all except recoverable
-    #   devise :all, :except => :recoverable
+    # You can also give any of the devise configuration values in form of a hash,
+    # with specific values for this model. Please check your Devise initializer
+    # for a complete description on those values.
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
+      options = modules.extract_options!
 
-      options  = modules.extract_options!
-      modules += Devise.all if modules.delete(:all)
-      modules -= Array(options.delete(:except))
-      modules  = Devise::ALL & modules.uniq
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
 
-      Devise.orm_class.included_modules_hook(self, modules) do
-        modules.each do |m|
-          devise_modules << m.to_sym
+      @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
+
+      Devise.orm_class.included_modules_hook(self) do
+        devise_modules.each do |m|
           include Devise::Models.const_get(m.to_s.classify)
         end
 
@@ -135,4 +114,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/models/activatable.rb

@@ -5,7 +5,7 @@ module Devise
     # This module implements the default API required in activatable hook. 
     module Activatable
       def active?
-        raise NotImplementedError
+        true
       end
 
       def inactive_message

lib/devise/models/confirmable.rb

@@ -57,18 +57,13 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
+        generate_confirmation_token! if self.confirmation_token.nil?
         ::DeviseMailer.deliver_confirmation_instructions(self)
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
-      def resend_confirmation!
-        unless_confirmed do
-          generate_confirmation_token
-          save(false)
-          send_confirmation_instructions
-        end
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -76,12 +71,12 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        confirmed? || confirmation_period_valid?
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        :unconfirmed
+        !confirmed? ? :unconfirmed : super
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -140,6 +135,10 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
+        def generate_confirmation_token!
+          generate_confirmation_token && save(false)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
@@ -147,7 +146,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable.resend_confirmation_token unless confirmable.new_record?
           confirmable
         end
 
@@ -155,8 +154,8 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm!(attributes={})
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
           confirmable.confirm! unless confirmable.new_record?
           confirmable
         end

lib/devise/models/cookie_serializer.rb

@@ -1,21 +0,0 @@
-require 'devise/serializers/cookie'
-
-module Devise
-  module Models
-    module CookieSerializer
-      # Create the cookie key using the record id and remember_token
-      def serialize_into_cookie(record)
-        "#{record.id}::#{record.remember_token}"
-      end
-
-      # Recreate the user based on the stored cookie
-      def serialize_from_cookie(cookie)
-        record_id, record_token = cookie.split('::')
-        record = find(:first, :conditions => { :id => record_id }) if record_id
-        record if record.try(:valid_remember_token?, record_token)
-      end
-
-      Devise::Models.config(self, :remember_for)
-    end
-  end
-end

lib/devise/models/database_authenticatable.rb

@@ -1,5 +1,4 @@
-require 'devise/strategies/authenticatable'
-require 'devise/models/session_serializer'
+require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
@@ -27,30 +26,36 @@ module Devise
     #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
-    module Authenticatable
+    module DatabaseAuthenticatable
       def self.included(base)
         base.class_eval do
           extend ClassMethods
-          extend SessionSerializer
 
-          attr_reader :password, :old_password
+          attr_reader :password, :current_password
           attr_accessor :password_confirmation
         end
       end
 
-      # Regenerates password salt and encrypted password each time password is set.
+      # TODO Remove me in next release
+      def old_password
+        ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
+        @old_password
+      end
+
+      # Regenerates password salt and encrypted password each time password is set,
+      # and then trigger any "after_changed_password"-callbacks.
       def password=(new_password)
         @password = new_password
 
         if @password.present?
-          self.password_salt = Devise.friendly_token
+          self.password_salt = self.class.encryptor_class.salt
           self.encrypted_password = password_digest(@password)
         end
       end
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Checks if a resource is valid upon authentication.
@@ -58,39 +63,59 @@ module Devise
         valid_password?(attributes[:password])
       end
 
-      # Update record attributes when :old_password matches, otherwise returns
-      # error on :old_password.
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
       def update_with_password(params={})
-        if valid_password?(params[:old_password])
+        current_password = params.delete(:current_password)
+
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        end
+
+        result = if valid_password?(current_password)
           update_attributes(params)
         else
-          self.class.add_error_on(self, :old_password, :invalid, false)
+          message = current_password.blank? ? :blank : :invalid
+          self.class.add_error_on(self, :current_password, message, false)
+          self.attributes = params
           false
         end
+
+        clean_up_passwords unless result
+        result
       end
 
       protected
 
+        # Checks whether a password is needed or not. For validations only.
+        # Passwords are always required if it's a new record, or if the password
+        # or confirmation are being set somewhere.
+        def password_required?
+          new_record? || !password.nil? || !password_confirmation.nil?
+        end
+
         # Digests the password using the configured encryptor.
         def password_digest(password)
-          self.class.encryptor_class.digest(password, self.class.stretches, password_salt, self.class.pepper)
+          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
         end
 
       module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
+
         # Authenticate a user based on configured attribute keys. Returns the
-        # authenticated user if it's valid or nil. Attributes are by default
-        # :email and :password, but the latter is always required.
+        # authenticated user if it's valid or nil.
         def authenticate(attributes={})
           return unless authentication_keys.all? { |k| attributes[k].present? }
           conditions = attributes.slice(*authentication_keys)
           resource = find_for_authentication(conditions)
-          if respond_to?(:valid_for_authentication)
-            ActiveSupport::Deprecation.warn "valid_for_authentication class method is deprecated. " <<
-              "Use valid_for_authentication? in the instance instead."
-            valid_for_authentication(resource, attributes)
-          elsif resource.try(:valid_for_authentication?, attributes)
-            resource
-          end
+          resource if resource.try(:valid_for_authentication?, attributes)
         end
 
         # Returns the class for the configured encryptor.
@@ -113,8 +138,6 @@ module Devise
         def find_for_authentication(conditions)
           find(:first, :conditions => conditions)
         end
-
-        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
       end
     end
   end

lib/devise/models/http_authenticatable.rb

@@ -0,0 +1,23 @@
+require 'devise/strategies/http_authenticatable'
+
+module Devise
+  module Models
+    # Adds HttpAuthenticatable behavior to your model. It expects that your
+    # model class responds to authenticate method
+    # (which for example is defined in authenticatable).
+    module HttpAuthenticatable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :authentication_keys)
+
+        # Authenticate an user using http.
+        def authenticate_with_http(username, password)
+          authenticate(authentication_keys.first => username, :password => password)
+        end
+      end
+    end
+  end
+end

lib/devise/models/lockable.rb

@@ -0,0 +1,150 @@
+require 'devise/models/activatable'
+
+module Devise
+  module Models
+
+    # Handles blocking a user access after a certain number of attempts.
+    # Lockable accepts two different strategies to unlock a user after it's
+    # blocked: email and time. The former will send an email to the user when
+    # the lock happens, containing a link to unlock it's account. The second
+    # will unlock the user automatically after some configured time (ie 2.hours).
+    # It's also possible to setup lockable to use both email and time strategies.
+    #
+    # Configuration:
+    #
+    #   maximum_attempts: how many attempts should be accepted before blocking the user.
+    #   unlock_strategy: unlock the user account by :time, :email or :both.
+    #   unlock_in: the time you want to lock the user after to lock happens. Only
+    #              available when unlock_strategy is :time or :both.
+    #
+    module Lockable
+      include Devise::Models::Activatable
+
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+        end
+      end
+
+      # Lock an user setting it's locked_at to actual time.
+      def lock_access!
+        return true if access_locked?
+        self.locked_at = Time.now
+
+        if self.class.unlock_strategy_enabled?(:email)
+          generate_unlock_token
+          send_unlock_instructions
+        end
+
+        save(false)
+      end
+
+      # Unlock an user by cleaning locket_at and failed_attempts.
+      def unlock_access!
+        if_access_locked do
+          self.locked_at = nil
+          self.failed_attempts = 0
+          self.unlock_token = nil
+          save(false)
+        end
+      end
+
+      # Verifies whether a user is locked or not.
+      def access_locked?
+        locked_at && !lock_expired?
+      end
+
+      # Send unlock instructions by email
+      def send_unlock_instructions
+        ::DeviseMailer.deliver_unlock_instructions(self)
+      end
+
+      # Resend the unlock instructions if the user is locked.
+      def resend_unlock_token
+        if_access_locked { send_unlock_instructions }
+      end
+
+      # Overwrites active? from Devise::Models::Activatable for locking purposes
+      # by verifying whether an user is active to sign in or not based on locked?
+      def active?
+        super && !access_locked?
+      end
+
+      # Overwrites invalid_message from Devise::Models::Authenticatable to define
+      # the correct reason for blocking the sign in.
+      def inactive_message
+        access_locked? ? :locked : super
+      end
+
+      # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
+      # for verifying whether an user is allowed to sign in or not. If the user
+      # is locked, it should never be allowed.
+      def valid_for_authentication?(attributes)
+        if result = super
+          self.failed_attempts = 0
+        else
+          self.failed_attempts += 1
+          lock_access! if failed_attempts > self.class.maximum_attempts
+        end
+        save(false) if changed?
+        result
+      end
+
+      protected
+
+        # Generates unlock token
+        def generate_unlock_token
+          self.unlock_token = Devise.friendly_token
+        end
+
+        # Tells if the lock is expired if :time unlock strategy is active
+        def lock_expired?
+          if self.class.unlock_strategy_enabled?(:time)
+            locked_at && locked_at < self.class.unlock_in.ago
+          else
+            false
+          end
+        end
+
+        # Checks whether the record is locked or not, yielding to the block
+        # if it's locked, otherwise adds an error to email.
+        def if_access_locked
+          if access_locked?
+            yield
+          else
+            self.class.add_error_on(self, :email, :not_locked)
+            false
+          end
+        end
+
+      module ClassMethods
+        # Attempt to find a user by it's email. If a record is found, send new
+        # unlock instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_unlock_instructions(attributes={})
+         lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+         lockable.resend_unlock_token unless lockable.new_record?
+         lockable
+        end
+
+        # Find a user by it's unlock token and try to unlock it.
+        # If no user is found, returns a new user with an error.
+        # If the user is not locked, creates an error for the user
+        # Options must have the unlock_token
+        def unlock_access_by_token(unlock_token)
+          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          lockable.unlock_access! unless lockable.new_record?
+          lockable
+        end
+
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
+        Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
+      end
+    end
+  end
+end

lib/devise/models/recoverable.rb

@@ -69,7 +69,7 @@ module Devise
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password!(attributes={})
+        def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
           recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) unless recoverable.new_record?
           recoverable

lib/devise/models/registerable.rb

@@ -0,0 +1,8 @@
+module Devise
+  module Models
+    # Registerable is responsible for everything related to registering a new
+    # resource (ie user sign up).
+    module Registerable
+    end
+  end
+end

lib/devise/models/rememberable.rb

@@ -1,4 +1,5 @@
-require 'devise/models/cookie_serializer'
+require 'devise/strategies/rememberable'
+require 'devise/hooks/rememberable'
 
 module Devise
   module Models
@@ -18,6 +19,9 @@ module Devise
     #                 time for the cookie created to remember the user.
     #                 By default remember_for is 2.weeks.
     #
+    #   cookie_options: configuration options passed to the created cookie.
+    #
+    #
     # Examples:
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -32,7 +36,7 @@ module Devise
 
       def self.included(base)
         base.class_eval do
-          extend CookieSerializer
+          extend ClassMethods
 
           # Remember me option available in after_authentication hook.
           attr_accessor :remember_me
@@ -70,6 +74,26 @@ module Devise
       def remember_expires_at
         remember_created_at + self.class.remember_for
       end
+
+      def cookie_options
+        self.class.cookie_options
+      end
+
+      module ClassMethods
+        # Create the cookie key using the record id and remember_token
+        def serialize_into_cookie(record)
+          "#{record.id}::#{record.remember_token}"
+        end
+
+        # Recreate the user based on the stored cookie
+        def serialize_from_cookie(cookie)
+          record_id, record_token = cookie.split('::')
+          record = find(:first, :conditions => { :id => record_id }) if record_id
+          record if record.try(:valid_remember_token?, record_token)
+        end
+
+        Devise::Models.config(self, :remember_for, :cookie_options)
+      end
     end
   end
 end

lib/devise/models/session_serializer.rb

@@ -1,19 +0,0 @@
-require 'devise/serializers/session'
-
-module Devise
-  module Models
-    module SessionSerializer
-      # Hook to serialize user into session. Overwrite if you want.
-      def serialize_into_session(record)
-        [record.class, record.id]
-      end
-
-      # Hook to serialize user from session. Overwrite if you want.
-      def serialize_from_session(keys)
-        klass, id = keys
-        raise "#{self} cannot serialize from #{klass} session since it's not one of its ancestors" unless klass <= self
-        klass.find(:first, :conditions => { :id => id })
-      end
-    end
-  end
-end

lib/devise/models/timeoutable.rb

@@ -2,7 +2,6 @@ require 'devise/hooks/timeoutable'
 
 module Devise
   module Models
-
     # Timeoutable takes care of veryfing whether a user session has already
     # expired or not. When a session expires after the configured time, the user
     # will be asked for credentials again, it means, he/she will be redirected
@@ -10,15 +9,14 @@ module Devise
     #
     # Configuration:
     #
-    #   timeout: the time you want to timeout the user session without activity.
+    #   timeout_in: the time you want to timeout the user session without activity.
     module Timeoutable
-
       def self.included(base)
         base.extend ClassMethods
       end
 
       # Checks whether the user session has expired based on configured time.
-      def timeout?(last_access)
+      def timedout?(last_access)
         last_access && last_access <= self.class.timeout_in.ago
       end
 

lib/devise/models/token_authenticatable.rb

@@ -0,0 +1,89 @@
+require 'devise/strategies/token_authenticatable'
+
+module Devise
+  module Models
+    # Token Authenticatable Module, responsible for generate authentication token and validating
+    # authenticity of a user while signing in using an authentication token (say follows an URL).
+    #
+    # == Configuration:
+    #
+    # You can overwrite configuration values by setting in globally in Devise (+Devise.setup+),
+    # using devise method, or overwriting the respective instance method.
+    #
+    # +token_authentication_key+ - Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
+    #
+    # == Examples:
+    #
+    #    User.authenticate_with_token(:auth_token => '123456789')           # returns authenticated user or nil
+    #    User.find(1).valid_authentication_token?('rI1t6PKQ8yP7VetgwdybB')  # returns true/false
+    #
+    module TokenAuthenticatable
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+          before_save :ensure_authentication_token
+        end
+      end
+
+      # Generate new authentication token (a.k.a. "single access token").
+      def reset_authentication_token
+        self.authentication_token = self.class.authentication_token
+      end
+
+      # Generate new authentication token and save the record.
+      def reset_authentication_token!
+        reset_authentication_token
+        self.save
+      end
+
+      # Generate authentication token unless already exists.
+      def ensure_authentication_token
+        self.reset_authentication_token if self.authentication_token.blank?
+      end
+
+      # Generate authentication token unless already exists and save the record.
+      def ensure_authentication_token!
+        self.reset_authentication_token! if self.authentication_token.blank?
+      end
+
+      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
+      # is the user authentication token.
+      def valid_authentication_token?(incoming_auth_token)
+        incoming_auth_token.present? && incoming_auth_token == self.authentication_token
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :token_authentication_key)
+
+        # Authenticate a user based on authentication token.
+        def authenticate_with_token(attributes)
+          token = attributes[self.token_authentication_key]
+          resource = self.find_for_token_authentication(token)
+          resource if resource.try(:valid_authentication_token?, token)
+        end
+
+        def authentication_token
+          ::Devise.friendly_token
+        end
+
+        protected
+
+          # Find first record based on conditions given (ie by the sign in form).
+          # Overwrite to add customized conditions, create a join, or maybe use a
+          # namedscope to filter records while authenticating.
+          #
+          # == Example:
+          #
+          #   def self.find_for_token_authentication(token, conditions = {})
+          #     conditions = {:active => true}
+          #     self.find_by_authentication_token(token, :conditions => conditions)
+          #   end
+          #
+          def find_for_token_authentication(token)
+            self.find(:first, :conditions => { :authentication_token => token})
+          end
+
+      end
+    end
+  end
+end

lib/devise/models/validatable.rb

@@ -15,7 +15,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
           validates_format_of     :email, :with  => EMAIL_REGEX, :allow_blank => true
 
           with_options :if => :password_required? do |v|
@@ -34,15 +34,6 @@ module Devise
                 "to the following methods: #{unavailable_validations.to_sentence}."
         end
       end
-
-      protected
-
-        # Checks whether a password is needed or not. For validations only.
-        # Passwords are always required if it's a new record, or if the password
-        # or confirmation are being set somewhere.
-        def password_required?
-          new_record? || !password.nil? || !password_confirmation.nil?
-        end
     end
   end
 end

lib/devise/orm/active_record.rb

@@ -7,6 +7,8 @@ module Devise
     #     t.confirmable
     #     t.recoverable
     #     t.rememberable
+    #     t.trackable
+    #     t.lockable
     #     t.timestamps
     #   end
     #
@@ -18,7 +20,7 @@ module Devise
     #
     module ActiveRecord
       # Required ORM hook. Just yield the given block in ActiveRecord.
-      def self.included_modules_hook(klass, modules)
+      def self.included_modules_hook(klass)
         yield
       end
 
@@ -34,5 +36,6 @@ end
 
 if defined?(ActiveRecord)
   ActiveRecord::Base.extend Devise::Models
+  ActiveRecord::ConnectionAdapters::Table.send :include, Devise::Orm::ActiveRecord
   ActiveRecord::ConnectionAdapters::TableDefinition.send :include, Devise::Orm::ActiveRecord
-end
+end

lib/devise/orm/data_mapper.rb

@@ -1,11 +1,23 @@
 module Devise
   module Orm
     module DataMapper
-      def self.included_modules_hook(klass, modules)
-        klass.send :extend, self
+      module InstanceMethods
+        def save(flag=nil)
+          if flag == false
+            save!
+          else
+            super()
+          end
+        end
+      end
+
+      def self.included_modules_hook(klass)
+        klass.send :extend,  self
+        klass.send :include, InstanceMethods
+
         yield
 
-        modules.each do |mod|
+        klass.devise_modules.each do |mod|
           klass.send(mod) if klass.respond_to?(mod)
         end
       end
@@ -19,11 +31,24 @@ module Devise
 
       # Hooks for confirmable
       def before_create(*args)
-        before :create, *args
+        wrap_hook(:before, *args)
       end
 
       def after_create(*args)
-        after :create, *args
+        wrap_hook(:after, *args)
+      end
+
+      def wrap_hook(action, *args)
+        options = args.extract_options!
+
+        args.each do |callback|
+          send action, :create, callback
+          class_eval <<-METHOD, __FILE__, __LINE__ + 1
+            def #{callback}
+              super if #{options[:if] || true}
+            end
+          METHOD
+        end
       end
 
       # Add ActiveRecord like finder
@@ -39,15 +64,6 @@ module Devise
         end
       end
 
-      # In Datamapper, we need to call save! if we don't want to execute callbacks.
-      def save(flag=nil)
-        if flag == false
-          save!
-        else
-          super()
-        end
-      end
-
       # Tell how to apply schema methods. This automatically maps :limit to
       # :length and :null to :nullable.
       def apply_schema(name, type, options={})

lib/devise/orm/mongo_mapper.rb

@@ -1,15 +1,35 @@
 module Devise
   module Orm
     module MongoMapper
-      def self.included_modules_hook(klass, modules)
-        klass.send :extend, self
-        yield
-
-        modules.each do |mod|
-          klass.send(mod) if klass.respond_to?(mod)
+      module InstanceMethods
+        def save(options={})
+          if options == false
+            super(:validate => false)
+          else
+            super
+          end
         end
       end
 
+      def self.included_modules_hook(klass)
+        klass.send :extend,  self
+        klass.send :include, InstanceMethods
+        yield
+
+        klass.devise_modules.each do |mod|
+          klass.send(mod) if klass.respond_to?(mod)
+        end
+      end
+      
+      def find(*args)
+        case args.first
+        when :first, :all
+          send(args.shift, *args)
+        else
+          super
+        end
+      end
+      
       include Devise::Schema
 
       # Tell how to apply schema methods. This automatically converts DateTime
@@ -23,5 +43,10 @@ module Devise
   end
 end
 
-MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
-MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+if MongoMapper::Version >= "0.8.0"
+  MongoMapper::Plugins::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::Plugins::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+else
+  MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+end

lib/devise/rails.rb

@@ -6,8 +6,8 @@ Rails.configuration.after_initialize do
 
   # Adds Warden Manager to Rails middleware stack, configuring default devise
   # strategy and also the failure app.
-  Rails.configuration.middleware.use Warden::Manager do |manager|
-    Devise.configure_warden_manager(manager)
+  Rails.configuration.middleware.use Warden::Manager do |config|
+    Devise.configure_warden(config)
   end
 
   I18n.load_path.unshift File.expand_path(File.join(File.dirname(__FILE__), 'locales', 'en.yml'))

lib/devise/rails/routes.rb

@@ -8,7 +8,7 @@ module ActionController::Routing
       load_routes_without_devise!
       return if Devise.mappings.empty?
 
-      ActionController::Base.send :include, Devise::Controllers::Filters
+      ActionController::Base.send :include, Devise::Controllers::Helpers
       ActionController::Base.send :include, Devise::Controllers::UrlHelpers
 
       ActionView::Base.send :include, Devise::Controllers::UrlHelpers
@@ -66,6 +66,12 @@ module ActionController::Routing
       #
       #    map.devise_for :users, :path_prefix => "/:locale"
       #
+      #  * :sign_out_via => restirct the HTTP method(s) accepted for the :sign_out action (default: :get), possible values are :post, :get, :put, :delete and :any, e.g. if you wish to restrict this to accept only :delete requests you should do:
+      #
+      #    map.devise_for :users, :sign_out_via => :delete
+      #
+      #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+      #
       #  Any other options will be passed to route definition. If you need conditions for your routes, just map:
       #
       #    map.devise_for :users, :conditions => { :subdomain => /.+/ }
@@ -82,14 +88,14 @@ module ActionController::Routing
         resources.map!(&:to_sym)
         resources.each do |resource|
           mapping = Devise::Mapping.new(resource, options.dup)
-          Warden::Manager.default_scope ||= mapping.name
+          Devise.default_scope ||= mapping.name
           Devise.mappings[mapping.name] = mapping
 
           route_options = mapping.route_options.merge(:path_prefix => mapping.raw_path, :name_prefix => "#{mapping.name}_")
 
           with_options(route_options) do |routes|
-            mapping.for.each do |strategy|
-              send(strategy, routes, mapping) if self.respond_to?(strategy, true)
+            mapping.for.each do |mod|
+              send(mod, routes, mapping) if self.respond_to?(mod, true)
             end
           end
         end
@@ -97,22 +103,31 @@ module ActionController::Routing
 
       protected
 
-        def authenticatable(routes, mapping)
+        def database_authenticatable(routes, mapping)
           routes.with_options(:controller => 'sessions', :name_prefix => nil) do |session|
             session.send(:"new_#{mapping.name}_session",     mapping.path_names[:sign_in],  :action => 'new',     :conditions => { :method => :get })
             session.send(:"#{mapping.name}_session",         mapping.path_names[:sign_in],  :action => 'create',  :conditions => { :method => :post })
-            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], :action => 'destroy', :conditions => { :method => :get })
+            destroy_options = { :action => 'destroy' }
+            destroy_options.merge! :conditions => { :method => mapping.sign_out_via } unless mapping.sign_out_via == :any
+            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], destroy_options)
           end
         end
 
-        def recoverable(routes, mapping)
-          routes.resource :password, :only => [:new, :create, :edit, :update], :as => mapping.path_names[:password]
-        end
-
         def confirmable(routes, mapping)
           routes.resource :confirmation, :only => [:new, :create, :show], :as => mapping.path_names[:confirmation]
         end
 
+        def lockable(routes, mapping)
+          routes.resource :unlock, :only => [:new, :create, :show], :as => mapping.path_names[:unlock]
+        end
+
+        def recoverable(routes, mapping)
+          routes.resource :password, :only => [:new, :create, :edit, :update], :as => mapping.path_names[:password]
+        end
+
+        def registerable(routes, mapping)
+          routes.resource :registration, :only => [:new, :create, :edit, :update, :destroy], :as => mapping.raw_path[1..-1], :path_prefix => nil, :path_names => { :new => mapping.path_names[:sign_up] }
+        end
     end
   end
 end

lib/devise/rails/warden_compat.rb

@@ -1,12 +1,6 @@
-# Taken from RailsWarden, thanks to Hassox. http://github.com/hassox/rails_warden
 module Warden::Mixins::Common
   def request
-    return @request if @request
-    if env['action_controller.rescue.request']
-      @request = env['action_controller.rescue.request']
-    else
-      Rack::Request.new(env)
-    end
+    @request ||= env['action_controller.rescue.request']
   end
 
   def reset_session!
@@ -15,11 +9,55 @@ module Warden::Mixins::Common
   end
 
   def response
-    return @response if @response
-    if env['action_controller.rescue.response']
-      @response = env['action_controller.rescue.response']
-    else
-      Rack::Response.new(env)
-    end
+    @response ||= env['action_controller.rescue.response']
+  end
+end
+
+class Warden::SessionSerializer
+  def serialize(record)
+    [record.class, record.id]
+  end
+
+  def deserialize(keys)
+    klass, id = keys
+    klass.find(:first, :conditions => { :id => id })
+  end
+end
+
+class ActionController::Request
+  def reset_session
+    session.destroy if session && session.respond_to?(:destroy)
+    self.session = {}
+  end
+end
+
+# Solve a bug in Rails where Set-Cookie is returning an array.
+class Devise::CookieSanitizer
+  SET_COOKIE = "Set-Cookie".freeze
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    response = @app.call(env)
+    headers = response[1]
+    cookies = headers[SET_COOKIE]
+    if cookies.respond_to?(:join)
+      headers[SET_COOKIE] = cookies.join("\n").squeeze("\n")
+    end
+    response
+  end
+end
+
+Rails.configuration.middleware.insert_after ActionController::Failsafe, Devise::CookieSanitizer
+
+Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+  if options[:scope] && warden.authenticated?(options[:scope])
+    request = warden.request
+    backup = request.session.to_hash
+    backup.delete(:session_id)
+    request.reset_session
+    request.session.update(backup)
   end
 end

lib/devise/schema.rb

@@ -3,48 +3,68 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
+    def authenticatable(*args)
+      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
+      database_authenticatable(*args)
+    end
+
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :encryptor - The encryptor going to be used, necessary for setting the proper encrypter password length.
-    def authenticatable(options={})
-      null       = options[:null] || false
-      encryptor  = options[:encryptor] || (respond_to?(:encryptor) ? self.encryptor : :sha1)
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options[:default] || ""
 
-      apply_schema :email,              String, :null => null, :limit => 100
-      apply_schema :encrypted_password, String, :null => null, :limit => Devise::ENCRYPTORS_LENGTH[encryptor]
-      apply_schema :password_salt,      String, :null => null, :limit => 20
+      if options.delete(:encryptor)
+        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
+      end
+
+      apply_schema :email,              String, :null => null, :default => default
+      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
+      apply_schema :password_salt,      String, :null => null, :default => default
+    end
+
+    # Creates authentication_token.
+    def token_authenticatable
+      apply_schema :authentication_token, String
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
     def confirmable
-      apply_schema :confirmation_token,   String, :limit => 20
+      apply_schema :confirmation_token,   String
       apply_schema :confirmed_at,         DateTime
       apply_schema :confirmation_sent_at, DateTime
     end
 
     # Creates reset_password_token.
     def recoverable
-      apply_schema :reset_password_token, String, :limit => 20
+      apply_schema :reset_password_token, String
     end
 
     # Creates remember_token and remember_created_at.
     def rememberable
-      apply_schema :remember_token,      String, :limit => 20
+      apply_schema :remember_token,      String
       apply_schema :remember_created_at, DateTime
     end
 
     # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
     # current_sign_in_ip, last_sign_in_ip.
     def trackable
-      apply_schema :sign_in_count,      Integer
+      apply_schema :sign_in_count,      Integer, :default => 0
       apply_schema :current_sign_in_at, DateTime
       apply_schema :last_sign_in_at,    DateTime
       apply_schema :current_sign_in_ip, String
       apply_schema :last_sign_in_ip,    String
     end
 
+    # Creates failed_attempts, unlock_token and locked_at
+    def lockable
+      apply_schema :failed_attempts, Integer, :default => 0
+      apply_schema :unlock_token,    String
+      apply_schema :locked_at,       DateTime
+    end
+
     # Overwrite with specific modification to create your own schema.
     def apply_schema(name, type, options={})
       raise NotImplementedError

lib/devise/serializers/base.rb

@@ -1,23 +0,0 @@
-require 'devise/strategies/base'
-
-module Devise
-  module Serializers
-    module Base
-      include Devise::Strategies::Base
-      attr_reader :scope
-
-      def serialize(record)
-        record.class.send(:"serialize_into_#{klass_type}", record)
-      end
-
-      def deserialize(keys)
-        mapping.to.send(:"serialize_from_#{klass_type}", keys)
-      end
-
-      def fetch(scope)
-        @scope = scope
-        super
-      end
-    end
-  end
-end

lib/devise/serializers/cookie.rb

@@ -1,43 +0,0 @@
-require 'devise/serializers/base'
-
-module Devise
-  module Serializers
-    # This is a cookie serializer which stores the information if a :remember_me
-    # is sent in the params and if the model responds to remember_me! as well.
-    # As in Session serializer, the invoked methods are:
-    #
-    #   User.serialize_into_cookie(@user)
-    #   User.serialize_from_cookie(*args)
-    #
-    # An implementation for such methods can be found at Devise::Models::Rememberable.
-    #
-    # Differently from session, this approach is based in a token which is stored in
-    # the database. So if you want to sign out all clients at once, you just need to
-    # clean up the token column.
-    #
-    class Cookie < Warden::Serializers::Cookie
-      include Devise::Serializers::Base
-
-      def store(record, scope)
-        remember_me = params[scope].try(:fetch, :remember_me, nil)
-        if Devise::TRUE_VALUES.include?(remember_me) && record.respond_to?(:remember_me!)
-          record.remember_me!
-          super
-        end
-      end
-
-      def default_options(record)
-        super.merge!(:expires => record.remember_expires_at)
-      end
-
-      def delete(scope, record=nil)
-        if record && record.respond_to?(:forget_me!)
-          record.forget_me! 
-          super
-        end
-      end
-    end
-  end
-end
-
-Warden::Serializers.add(:cookie, Devise::Serializers::Cookie)

lib/devise/serializers/session.rb

@@ -1,22 +0,0 @@
-require 'devise/serializers/base'
-
-module Devise
-  module Serializers
-    # This serializer stores sign in information in th client session. It just
-    # extends Warden own serializer to move all the serialization logic to a
-    # class. For example, if a @user resource is given, it will call the following
-    # two methods to serialize and deserialize a record:
-    #
-    #   User.serialize_into_session(@user)
-    #   User.serialize_from_session(*args)
-    #
-    # This can be used any strategy and the default implementation is available
-    # at Devise::Models::SessionSerializer.
-    #
-    class Session < Warden::Serializers::Session
-      include Devise::Serializers::Base
-    end
-  end
-end
-
-Warden::Serializers.add(:session, Devise::Serializers::Session)

lib/devise/strategies/base.rb

@@ -1,23 +1,15 @@
 module Devise
   module Strategies
     # Base strategy for Devise. Responsible for verifying correct scope and mapping.
-    module Base
-      # Validate strategy. By default will raise an error if no scope or an
-      # invalid mapping is found.
-      def valid?
-        raise "Could not find mapping for #{scope}" unless mapping
-        mapping.for.include?(klass_type)
-      end
-
+    class Base < ::Warden::Strategies::Base
       # Checks if a valid scope was given for devise and find mapping based on
       # this scope.
       def mapping
-        Devise.mappings[scope]
-      end
-
-      # Store this class type.
-      def klass_type
-        @klass_type ||= self.class.name.split("::").last.underscore.to_sym
+        @mapping ||= begin
+          mapping = Devise.mappings[scope]
+          raise "Could not find mapping for #{scope}" unless mapping
+          mapping
+        end
       end
     end
   end

lib/devise/strategies/database_authenticatable.rb

@@ -4,11 +4,9 @@ module Devise
   module Strategies
     # Default strategy for signing in a user, based on his email and password.
     # Redirects to sign_in page if it's not authenticated
-    class Authenticatable < Warden::Strategies::Base
-      include Devise::Strategies::Base
-
+    class DatabaseAuthenticatable < Base
       def valid?
-        super && params[scope] && params[scope][:password].present?
+        valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate)
       end
 
       # Authenticate a user based on email and password params, returning to warden
@@ -18,11 +16,21 @@ module Devise
         if resource = mapping.to.authenticate(params[scope])
           success!(resource)
         else
-          fail!(:invalid)
+          fail(:invalid)
         end
       end
+
+      protected
+
+        def valid_controller?
+          params[:controller] =~ /sessions$/
+        end
+
+        def valid_params?
+          params[scope] && params[scope][:password].present?
+        end
     end
   end
 end
 
-Warden::Strategies.add(:authenticatable, Devise::Strategies::Authenticatable)
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

lib/devise/strategies/http_authenticatable.rb

@@ -0,0 +1,59 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # Sign in an user using HTTP authentication.
+    class HttpAuthenticatable < Base
+      def valid?
+        http_authentication? && mapping.to.respond_to?(:authenticate_with_http)
+      end
+
+      def authenticate!
+        username, password = username_and_password
+
+        if resource = mapping.to.authenticate_with_http(username, password)
+          success!(resource)
+        else
+          custom!([401, custom_headers, [response_body]])
+        end
+      end
+
+    private
+
+      def username_and_password
+        decode_credentials(request).split(/:/, 2)
+      end
+
+      def response_body
+        body   = "HTTP Basic: Access denied."
+        method = :"to_#{request_format.to_sym}"
+        {}.respond_to?(method) ? { :error => body }.send(method) : body
+      end
+
+      def http_authentication
+        request.env['HTTP_AUTHORIZATION']   ||
+        request.env['X-HTTP_AUTHORIZATION'] ||
+        request.env['X_HTTP_AUTHORIZATION'] ||
+        request.env['REDIRECT_X_HTTP_AUTHORIZATION']
+      end
+      alias :http_authentication? :http_authentication
+
+      def decode_credentials(request)
+        ActiveSupport::Base64.decode64(http_authentication.split(' ', 2).last || '')
+      end
+
+      def custom_headers
+        {
+          "Content-Type" => request_format.to_s,
+          "WWW-Authenticate" => %(Basic realm="#{Devise.http_authentication_realm.gsub(/"/, "")}")
+        }
+      end
+
+      def request_format
+        @request_format ||= Mime::Type.lookup_by_extension(request.template_format.to_s)
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:http_authenticatable, Devise::Strategies::HttpAuthenticatable)

lib/devise/strategies/rememberable.rb

@@ -0,0 +1,37 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # Remember the user through the remember token. This strategy is responsible
+    # to verify whether there is a cookie with the remember token, and to
+    # recreate the user from this cookie if it exists.  Must be called *before*
+    # authenticatable.
+    class Rememberable < Devise::Strategies::Base
+
+      # A valid strategy for rememberable needs a remember token in the cookies.
+      def valid?
+        remember_me_cookie.present? && mapping.to.respond_to?(:serialize_from_cookie)
+      end
+
+      # To authenticate a user we deserialize the cookie and attempt finding
+      # the record in the database. If the attempt fails, we pass to another
+      # strategy handle the authentication.
+      def authenticate!
+        if resource = mapping.to.serialize_from_cookie(remember_me_cookie)
+          success!(resource)
+        else
+          pass
+        end
+      end
+
+    private
+
+      # Accessor for remember cookie
+      def remember_me_cookie
+        @remember_me_cookie ||= request.cookies["remember_#{mapping.name}_token"]
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:rememberable, Devise::Strategies::Rememberable)

lib/devise/strategies/token_authenticatable.rb

@@ -0,0 +1,37 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # Strategy for signing in a user, based on a authenticatable token.
+    # Redirects to sign_in page if it's not authenticated.
+    class TokenAuthenticatable < Base
+      def valid?
+        mapping.to.respond_to?(:authenticate_with_token) && authentication_token(scope).present?
+      end
+
+      # Authenticate a user based on authenticatable token params, returning to warden
+      # success and the authenticated user if everything is okay. Otherwise redirect
+      # to sign in page.
+      def authenticate!
+        if resource = mapping.to.authenticate_with_token(params[scope] || params)
+          success!(resource)
+        else
+          fail!(:invalid_token)
+        end
+      end
+
+    private
+
+      # Detect authentication token in params: scoped or not.
+      def authentication_token(scope)
+        if params[scope]
+          params[scope][mapping.to.token_authentication_key]
+        else
+          params[mapping.to.token_authentication_key]
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:token_authenticatable, Devise::Strategies::TokenAuthenticatable)

lib/devise/test_helpers.rb

@@ -7,23 +7,27 @@ module Devise
     end
 
     # This is a Warden::Proxy customized for functional tests. It's meant to
-    # some of Warden::Manager resposnabilities, as retrieving configuration
+    # some of Warden::Manager responsibilities, as retrieving configuration
     # options and calling the FailureApp.
     class TestWarden < Warden::Proxy #:nodoc:
       attr_reader :controller
 
       def initialize(controller)
         @controller = controller
-        manager = Warden::Manager.new(nil) do |manager|
-          Devise.configure_warden_manager(manager)
+        manager = Warden::Manager.new(nil) do |config|
+          Devise.configure_warden(config)
         end
-        super(controller.request.env, manager.config)
+        super(controller.request.env, manager)
       end
 
       def authenticate!(*args)
         catch_with_redirect { super }
       end
 
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
       def catch_with_redirect(&block)
         result = catch(:warden, &block)
 
@@ -66,7 +70,7 @@ module Devise
     def sign_in(resource_or_scope, resource=nil)
       scope    ||= Devise::Mapping.find_scope!(resource_or_scope)
       resource ||= resource_or_scope
-      session["warden.user.#{scope}.key"] = resource.class.serialize_into_session(resource)
+      warden.session_serializer.store(resource, scope)
     end
 
     # Sign out a given resource or scope by calling logout on Warden.

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "0.7.5".freeze
+  VERSION = "1.0.11".freeze
 end

test/controllers/filters_test.rb

@@ -1,177 +0,0 @@
-require 'test/test_helper'
-require 'ostruct'
-
-class MockController < ApplicationController
-  attr_accessor :env
-
-  def request
-    self
-  end
-
-  def path
-    ''
-  end
-end
-
-class ControllerAuthenticableTest < ActionController::TestCase
-  tests MockController
-
-  def setup
-    @controller = MockController.new
-    @mock_warden = OpenStruct.new
-    @controller.env = { 'warden' => @mock_warden }
-    @controller.session = {}
-  end
-
-  test 'setup warden' do
-    assert_not_nil @controller.warden
-  end
-
-  test 'provide access to warden instance' do
-    assert_equal @controller.warden, @controller.env['warden']
-  end
-
-  test 'run authenticate? with scope on warden' do
-    @mock_warden.expects(:authenticated?).with(:my_scope)
-    @controller.signed_in?(:my_scope)
-  end
-
-  test 'proxy signed_in? to authenticated' do
-    @mock_warden.expects(:authenticated?).with(:my_scope)
-    @controller.signed_in?(:my_scope)
-  end
-
-  test 'run user with scope on warden' do
-    @mock_warden.expects(:user).with(:admin).returns(true)
-    @controller.current_admin
-
-    @mock_warden.expects(:user).with(:user).returns(true)
-    @controller.current_user
-  end
-
-  test 'proxy user_authenticate! to authenticate with user scope' do
-    @mock_warden.expects(:authenticate!).with(:scope => :user)
-    @controller.authenticate_user!
-  end
-
-  test 'proxy admin_authenticate! to authenticate with admin scope' do
-    @mock_warden.expects(:authenticate!).with(:scope => :admin)
-    @controller.authenticate_admin!
-  end
-
-  test 'proxy user_authenticated? to authenticate with user scope' do
-    @mock_warden.expects(:authenticated?).with(:user)
-    @controller.user_signed_in?
-  end
-
-  test 'proxy admin_authenticated? to authenticate with admin scope' do
-    @mock_warden.expects(:authenticated?).with(:admin)
-    @controller.admin_signed_in?
-  end
-
-  test 'proxy user_session to session scope in warden' do
-    @mock_warden.expects(:session).with(:user).returns({})
-    @controller.user_session
-  end
-
-  test 'proxy admin_session to session scope in warden' do
-    @mock_warden.expects(:session).with(:admin).returns({})
-    @controller.admin_session
-  end
-
-  test 'sign in proxy to set_user on warden' do
-    user = User.new
-    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
-    @controller.sign_in(:user, user)
-  end
-
-  test 'sign in accepts a resource as argument' do
-    user = User.new
-    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
-    @controller.sign_in(user)
-  end
-
-  test 'sign out proxy to logout on warden' do
-    @mock_warden.expects(:user).with(:user).returns(true)
-    @mock_warden.expects(:logout).with(:user).returns(true)
-    @controller.sign_out(:user)
-  end
-
-  test 'sign out accepts a resource as argument' do
-    @mock_warden.expects(:user).with(:user).returns(true)
-    @mock_warden.expects(:logout).with(:user).returns(true)
-    @controller.sign_out(User.new)
-  end
-
-  test 'stored location for returns the location for a given scope' do
-    assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
-    assert_equal "/foo.bar", @controller.stored_location_for(:user)
-  end
-
-  test 'stored location for accepts a resource as argument' do
-    assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
-    assert_equal "/foo.bar", @controller.stored_location_for(User.new)
-  end
-
-  test 'stored location cleans information after reading' do
-    @controller.session[:"user.return_to"] = "/foo.bar"
-    assert_equal "/foo.bar", @controller.stored_location_for(:user)
-    assert_nil @controller.session[:"user.return_to"]
-  end
-
-  test 'after sign in path defaults to root path if none by was specified for the given scope' do
-    assert_equal root_path, @controller.after_sign_in_path_for(:user)
-  end
-
-  test 'after sign in path defaults to the scoped root path' do
-    assert_equal admin_root_path, @controller.after_sign_in_path_for(:admin)
-  end
-
-  test 'after sign out path defaults to the root path' do
-    assert_equal root_path, @controller.after_sign_out_path_for(:admin)
-    assert_equal root_path, @controller.after_sign_out_path_for(:user)
-  end
-
-  test 'sign in and redirect uses the stored location' do
-    user = User.new
-    @controller.session[:"user.return_to"] = "/foo.bar"
-    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
-    @controller.expects(:redirect_to).with("/foo.bar")
-    @controller.sign_in_and_redirect(user)
-  end
-
-  test 'sign in and redirect uses the configured after sign in path' do
-    admin = Admin.new
-    @mock_warden.expects(:set_user).with(admin, :scope => :admin).returns(true)
-    @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.sign_in_and_redirect(admin)
-  end
-
-  test 'only redirect if just a symbol is given' do
-    @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.sign_in_and_redirect(:admin)
-  end
-
-  test 'sign out and redirect uses the configured after sign out path' do
-    @mock_warden.expects(:user).with(:admin).returns(true)
-    @mock_warden.expects(:logout).with(:admin).returns(true)
-    @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
-    @controller.sign_out_and_redirect(:admin)
-  end
-
-  test 'is not a devise controller' do
-    assert_not @controller.devise_controller?
-  end
-
-  test 'default url options are retrieved from devise' do
-    begin
-      Devise.default_url_options {{ :locale => I18n.locale }}
-      assert_equal({ :locale => :en }, @controller.send(:default_url_options))
-    ensure
-      Devise.default_url_options {{ }}
-    end
-  end
-end

test/controllers/helpers_test.rb

@@ -1,55 +1,184 @@
 require 'test/test_helper'
+require 'ostruct'
 
-class MyController < ApplicationController
-  include Devise::Controllers::Helpers
-end
+class MockController < ApplicationController
+  attr_accessor :env
 
-class HelpersTest < ActionController::TestCase
-  tests MyController
-
-  test 'get resource name from request path' do
-    @request.path = '/users/session'
-    assert_equal :user, @controller.resource_name
+  def request
+    self
   end
 
-  test 'get resource name from specific request path' do
-    @request.path = '/admin_area/session'
-    assert_equal :admin, @controller.resource_name
-  end
-
-  test 'get resource class from request path' do
-    @request.path = '/users/session'
-    assert_equal User, @controller.resource_class
-  end
-
-  test 'get resource instance variable from request path' do
-    @request.path = '/admin_area/session'
-    @controller.instance_variable_set(:@admin, admin = Admin.new)
-    assert_equal admin, @controller.resource
-  end
-
-  test 'set resource instance variable from request path' do
-    @request.path = '/admin_area/session'
-
-    admin = @controller.send(:resource_class).new
-    @controller.send(:resource=, admin)
-
-    assert_equal admin, @controller.send(:resource)
-    assert_equal admin, @controller.instance_variable_get(:@admin)
-  end
-
-  test 'resources methods are not controller actions' do
-    assert @controller.class.action_methods.empty?
-  end
-
-  test 'require no authentication tests current mapping' do
-    @controller.expects(:resource_name).returns(:user).twice
-    @mock_warden.expects(:authenticated?).with(:user).returns(true)
-    @controller.expects(:redirect_to).with(root_path)
-    @controller.send :require_no_authentication
-  end
-  
-  test 'is a devise controller' do
-    assert @controller.devise_controller?
+  def path
+    ''
+  end
+end
+
+class ControllerAuthenticableTest < ActionController::TestCase
+  tests MockController
+
+  def setup
+    @controller = MockController.new
+    @mock_warden = OpenStruct.new
+    @controller.env = { 'warden' => @mock_warden }
+    @controller.session = {}
+  end
+
+  test 'setup warden' do
+    assert_not_nil @controller.warden
+  end
+
+  test 'provide access to warden instance' do
+    assert_equal @controller.warden, @controller.env['warden']
+  end
+
+  test 'proxy signed_in? to authenticated' do
+    @mock_warden.expects(:authenticate?).with(:scope => :my_scope)
+    @controller.signed_in?(:my_scope)
+  end
+
+  test 'proxy anybody_signed_in? to signed_in?' do
+    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+      @controller.expects(:signed_in?).with(scope)
+    }
+    @controller.anybody_signed_in?
+  end
+
+  test 'proxy current_admin to authenticate with admin scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :admin)
+    @controller.current_admin
+  end
+
+  test 'proxy current_user to authenticate with user scope' do
+    @mock_warden.expects(:authenticate).with(:scope => :user)
+    @controller.current_user
+  end
+
+  test 'proxy user_authenticate! to authenticate with user scope' do
+    @mock_warden.expects(:authenticate!).with(:scope => :user)
+    @controller.authenticate_user!
+  end
+
+  test 'proxy admin_authenticate! to authenticate with admin scope' do
+    @mock_warden.expects(:authenticate!).with(:scope => :admin)
+    @controller.authenticate_admin!
+  end
+
+  test 'proxy user_signed_in? to authenticate? with user scope' do
+    @mock_warden.expects(:authenticate?).with(:scope => :user)
+    @controller.user_signed_in?
+  end
+
+  test 'proxy admin_signed_in? to authenticate? with admin scope' do
+    @mock_warden.expects(:authenticate?).with(:scope => :admin)
+    @controller.admin_signed_in?
+  end
+
+  test 'proxy user_session to session scope in warden' do
+    @mock_warden.expects(:authenticate).with(:scope => :user).returns(true)
+    @mock_warden.expects(:session).with(:user).returns({})
+    @controller.user_session
+  end
+
+  test 'proxy admin_session to session scope in warden' do
+    @mock_warden.expects(:authenticate).with(:scope => :admin).returns(true)
+    @mock_warden.expects(:session).with(:admin).returns({})
+    @controller.admin_session
+  end
+
+  test 'sign in proxy to set_user on warden' do
+    user = User.new
+    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
+    @controller.sign_in(:user, user)
+  end
+
+  test 'sign in accepts a resource as argument' do
+    user = User.new
+    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
+    @controller.sign_in(user)
+  end
+
+  test 'sign out proxy to logout on warden' do
+    @mock_warden.expects(:user).with(:user).returns(true)
+    @mock_warden.expects(:logout).with(:user).returns(true)
+    @controller.sign_out(:user)
+  end
+
+  test 'sign out accepts a resource as argument' do
+    @mock_warden.expects(:user).with(:user).returns(true)
+    @mock_warden.expects(:logout).with(:user).returns(true)
+    @controller.sign_out(User.new)
+  end
+
+  test 'stored location for returns the location for a given scope' do
+    assert_nil @controller.stored_location_for(:user)
+    @controller.session[:"user.return_to"] = "/foo.bar"
+    assert_equal "/foo.bar", @controller.stored_location_for(:user)
+  end
+
+  test 'stored location for accepts a resource as argument' do
+    assert_nil @controller.stored_location_for(:user)
+    @controller.session[:"user.return_to"] = "/foo.bar"
+    assert_equal "/foo.bar", @controller.stored_location_for(User.new)
+  end
+
+  test 'stored location cleans information after reading' do
+    @controller.session[:"user.return_to"] = "/foo.bar"
+    assert_equal "/foo.bar", @controller.stored_location_for(:user)
+    assert_nil @controller.session[:"user.return_to"]
+  end
+
+  test 'after sign in path defaults to root path if none by was specified for the given scope' do
+    assert_equal root_path, @controller.after_sign_in_path_for(:user)
+  end
+
+  test 'after sign in path defaults to the scoped root path' do
+    assert_equal admin_root_path, @controller.after_sign_in_path_for(:admin)
+  end
+
+  test 'after sign out path defaults to the root path' do
+    assert_equal root_path, @controller.after_sign_out_path_for(:admin)
+    assert_equal root_path, @controller.after_sign_out_path_for(:user)
+  end
+
+  test 'sign in and redirect uses the stored location' do
+    user = User.new
+    @controller.session[:"user.return_to"] = "/foo.bar"
+    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
+    @controller.expects(:redirect_to).with("/foo.bar")
+    @controller.sign_in_and_redirect(user)
+  end
+
+  test 'sign in and redirect uses the configured after sign in path' do
+    admin = Admin.new
+    @mock_warden.expects(:set_user).with(admin, :scope => :admin).returns(true)
+    @controller.expects(:redirect_to).with(admin_root_path)
+    @controller.sign_in_and_redirect(admin)
+  end
+
+  test 'only redirect if skip is given' do
+    admin = Admin.new
+    @controller.expects(:redirect_to).with(admin_root_path)
+    @controller.sign_in_and_redirect(:admin, admin, true)
+  end
+
+  test 'sign out and redirect uses the configured after sign out path' do
+    @mock_warden.expects(:user).with(:admin).returns(true)
+    @mock_warden.expects(:logout).with(:admin).returns(true)
+    @controller.expects(:redirect_to).with(admin_root_path)
+    @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"
+    @controller.sign_out_and_redirect(:admin)
+  end
+
+  test 'is not a devise controller' do
+    assert_not @controller.devise_controller?
+  end
+
+  test 'default url options are retrieved from devise' do
+    begin
+      Devise.default_url_options {{ :locale => I18n.locale }}
+      assert_equal({ :locale => :en }, @controller.send(:default_url_options))
+    ensure
+      Devise.default_url_options {{ }}
+    end
   end
 end

test/controllers/internal_helpers_test.rb

@@ -0,0 +1,55 @@
+require 'test/test_helper'
+
+class MyController < ApplicationController
+  include Devise::Controllers::InternalHelpers
+end
+
+class HelpersTest < ActionController::TestCase
+  tests MyController
+
+  test 'get resource name from request path' do
+    @request.path = '/users/session'
+    assert_equal :user, @controller.resource_name
+  end
+
+  test 'get resource name from specific request path' do
+    @request.path = '/admin_area/session'
+    assert_equal :admin, @controller.resource_name
+  end
+
+  test 'get resource class from request path' do
+    @request.path = '/users/session'
+    assert_equal User, @controller.resource_class
+  end
+
+  test 'get resource instance variable from request path' do
+    @request.path = '/admin_area/session'
+    @controller.instance_variable_set(:@admin, admin = Admin.new)
+    assert_equal admin, @controller.resource
+  end
+
+  test 'set resource instance variable from request path' do
+    @request.path = '/admin_area/session'
+
+    admin = @controller.send(:resource_class).new
+    @controller.send(:resource=, admin)
+
+    assert_equal admin, @controller.send(:resource)
+    assert_equal admin, @controller.instance_variable_get(:@admin)
+  end
+
+  test 'resources methods are not controller actions' do
+    assert @controller.class.action_methods.empty?
+  end
+
+  test 'require no authentication tests current mapping' do
+    @controller.expects(:resource_name).returns(:user).twice
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @controller.expects(:redirect_to).with(root_path)
+    @controller.send :require_no_authentication
+  end
+  
+  test 'is a devise controller' do
+    assert @controller.devise_controller?
+  end
+end

test/devise_test.rb

@@ -2,48 +2,11 @@ require 'test/test_helper'
 
 module Devise
   def self.clean_warden_config!
-    @warden_config = nil 
+    @warden_config = nil
   end
 end
 
 class DeviseTest < ActiveSupport::TestCase
-  class MockManager
-    attr_accessor :failure_app
-    attr_reader :default_strategies, :silence_missing_strategies
-
-    def silence_missing_strategies!
-      @silence_missing_strategies = true
-    end
-
-    def silence_missing_serializers!
-      @silence_missing_serializers = true
-    end
-
-    def default_strategies(*args)
-      if args.empty?
-        @default_strategies
-      else
-        @default_strategies = args
-      end
-    end
-
-    def default_serializers(*args)
-      if args.empty?
-        @default_serializers
-      else
-        @default_serializers = args
-      end
-    end
-  end
-
-  test 'DeviseMailer.sender can be configured through Devise' do
-    swap DeviseMailer, :sender => "foo@bar" do
-      assert_equal "foo@bar", DeviseMailer.sender
-      Devise.mailer_sender = "bar@foo"
-      assert_equal "bar@foo", DeviseMailer.sender
-    end
-  end
-
   test 'model options can be configured through Devise' do
     swap Devise, :confirm_within => 113, :pepper => "foo" do
       assert_equal 113, Devise.confirm_within
@@ -58,31 +21,54 @@ class DeviseTest < ActiveSupport::TestCase
   end
 
   test 'warden manager configuration' do
-    manager = MockManager.new
-    Devise.configure_warden_manager(manager)
+    config = Warden::Config.new
+    Devise.configure_warden(config)
 
-    assert_equal Devise::FailureApp, manager.failure_app
-    assert_equal [:authenticatable], manager.default_strategies
-    assert manager.silence_missing_strategies
-  end
-
-  test 'warden default scope is set' do
-    assert_equal :user, Warden::Manager.default_scope
+    assert_equal Devise::FailureApp, config.failure_app
+    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable], config.default_strategies
+    assert_equal :user, config.default_scope
+    assert config.silence_missing_strategies?
   end
 
   test 'warden manager user configuration through a block' do
     begin
       @executed = false
-      Devise.warden do |manager|
+      Devise.warden do |config|
         @executed = true
-        assert_kind_of MockManager, manager
+        assert_kind_of Warden::Config, config
       end
 
-      manager = MockManager.new
-      Devise.configure_warden_manager(manager)
+      Devise.configure_warden(Warden::Config.new)
       assert @executed
     ensure
       Devise.clean_warden_config!
     end
   end
+
+  test 'add new module using the helper method' do
+    assert_nothing_raised(Exception) { Devise.add_module(:coconut) }
+    assert_equal 1, Devise::ALL.select { |v| v == :coconut }.size
+    assert_not Devise::STRATEGIES.include?(:coconut)
+    assert_not defined?(Devise::Models::Coconut)
+    Devise::ALL.delete(:coconut)
+
+    assert_nothing_raised(Exception) { Devise.add_module(:banana, :strategy => true) }
+    assert_equal 1, Devise::STRATEGIES.select { |v| v == :banana }.size
+    Devise::ALL.delete(:banana)
+    Devise::STRATEGIES.delete(:banana)
+
+    assert_nothing_raised(Exception) { Devise.add_module(:kivi, :controller => :fruits) }
+    assert_not_nil Devise::CONTROLLERS[:fruits]
+    assert_equal 1, Devise::CONTROLLERS[:fruits].select { |v| v == :kivi }.size
+    Devise::ALL.delete(:kivi)
+    Devise::CONTROLLERS.delete(:fruits)
+
+    assert_nothing_raised(Exception) { Devise.add_module(:carrot, :route => :vegetable) }
+    assert_equal 1, Devise::ROUTES.select { |v| v == :vegetable }.size
+    Devise::ALL.delete(:carrot)
+    Devise::ROUTES.delete(:vegetable)
+
+    assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
+    assert defined?(Devise::Models::AuthenticatableAgain)
+  end
 end

test/encryptors_test.rb

@@ -1,3 +1,5 @@
+gem 'bcrypt-ruby'
+
 class Encryptors < ActiveSupport::TestCase
 
   test 'should match a password created by authlogic' do
@@ -21,7 +23,8 @@ class Encryptors < ActiveSupport::TestCase
   Devise::ENCRYPTORS_LENGTH.each do |key, value|
     test "should have length #{value} for #{key.inspect}" do
       swap Devise, :encryptor => key do
-        assert_equal value, Devise::Encryptors.const_get(key.to_s.classify).digest('a', 2, 'b', 'c').size
+        encryptor = Devise::Encryptors.const_get(key.to_s.classify)
+        assert_equal value, encryptor.digest('a', 4, encryptor.salt, nil).size
       end
     end
   end

test/integration/authenticatable_test.rb

@@ -1,8 +1,7 @@
 require 'test/test_helper'
 
-class AuthenticationTest < ActionController::IntegrationTest
-
-  test 'home should be accessible without signed in' do
+class AuthenticationSanityTest < ActionController::IntegrationTest
+  test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
     assert_template 'home/index'
@@ -76,43 +75,6 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_contain 'Welcome Admin'
   end
 
-  test 'sign in as user should not authenticate if not using proper authentication keys' do
-    swap Devise, :authentication_keys => [:username] do
-      sign_in_as_user
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
-  test 'admin signing in with invalid email should return to sign in form with error message' do
-    sign_in_as_admin do
-      fill_in 'email', :with => 'wrongemail@test.com'
-    end
-
-    assert_contain 'Invalid email or password'
-    assert_not warden.authenticated?(:admin)
-  end
-
-  test 'admin signing in with invalid pasword should return to sign in form with error message' do
-    sign_in_as_admin do
-      fill_in 'password', :with => 'abcdef'
-    end
-
-    assert_contain 'Invalid email or password'
-    assert_not warden.authenticated?(:admin)
-  end
-
-  test 'error message is configurable by resource name' do
-    store_translations :en, :devise => {
-      :sessions => { :admin => { :invalid => "Invalid credentials" } }
-    } do
-      sign_in_as_admin do
-        fill_in 'password', :with => 'abcdef'
-      end
-
-      assert_contain 'Invalid credentials'
-    end
-  end
-
   test 'authenticated admin should not be able to sign as admin again' do
     sign_in_as_admin
     get new_admin_session_path
@@ -143,6 +105,45 @@ class AuthenticationTest < ActionController::IntegrationTest
     get root_path
     assert_not_contain 'Signed out successfully'
   end
+end
+
+class AuthenticationTest < ActionController::IntegrationTest
+  test 'sign in should not authenticate if not using proper authentication keys' do
+    swap Devise, :authentication_keys => [:username] do
+      sign_in_as_user
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'sign in with invalid email should return to sign in form with error message' do
+    sign_in_as_admin do
+      fill_in 'email', :with => 'wrongemail@test.com'
+    end
+
+    assert_contain 'Invalid email or password'
+    assert_not warden.authenticated?(:admin)
+  end
+
+  test 'sign in with invalid pasword should return to sign in form with error message' do
+    sign_in_as_admin do
+      fill_in 'password', :with => 'abcdef'
+    end
+
+    assert_contain 'Invalid email or password'
+    assert_not warden.authenticated?(:admin)
+  end
+
+  test 'error message is configurable by resource name' do
+    store_translations :en, :devise => {
+      :sessions => { :admin => { :invalid => "Invalid credentials" } }
+    } do
+      sign_in_as_admin do
+        fill_in 'password', :with => 'abcdef'
+      end
+
+      assert_contain 'Invalid credentials'
+    end
+  end
 
   test 'redirect from warden shows sign in or sign up message' do
     get admins_path
@@ -154,47 +155,78 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_contain 'You need to sign in or sign up before continuing.'
   end
 
-  test 'render 404 on roles without permission' do
-    get 'admin_area/password/new'
-    assert_response :not_found
-    assert_not_contain 'Send me reset password instructions'
-  end
-
-  test 'return to default url if no other was requested' do
+  test 'redirect to default url if no other was configured' do
     sign_in_as_user
 
     assert_template 'home/index'
-    assert_nil session[:return_to]
+    assert_nil session[:"user.return_to"]
   end
 
-  test 'return to given url after sign in' do
+  test 'redirect to requested url after sign in' do
     get users_path
     assert_redirected_to new_user_session_path(:unauthenticated => true)
     assert_equal users_path, session[:"user.return_to"]
-    follow_redirect!
 
+    follow_redirect!
     sign_in_as_user :visit => false
+
     assert_template 'users/index'
     assert_nil session[:"user.return_to"]
   end
 
-  test 'return to configured home path after sign in' do
+  test 'redirect to last requested url overwriting the stored return_to option' do
+    get expire_user_path(create_user)
+    assert_redirected_to new_user_session_path(:unauthenticated => true)
+    assert_equal expire_user_path(create_user), session[:"user.return_to"]
+
+    get users_path
+    assert_redirected_to new_user_session_path(:unauthenticated => true)
+    assert_equal users_path, session[:"user.return_to"]
+
+    follow_redirect!
+    sign_in_as_user :visit => false
+
+    assert_template 'users/index'
+    assert_nil session[:"user.return_to"]
+  end
+
+  test 'xml http requests does not store urls for redirect' do
+    xhr :get, users_path
+    assert_nil session[:"user.return_to"]
+
+    sign_in_as_user
+    assert_template 'home/index'
+  end
+
+  test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
   end
 
+  test 'destroyed account is signed out' do
+    sign_in_as_user
+    visit 'users/index'
+
+    User.destroy_all
+    visit 'users/index'
+    assert_redirected_to '/users/sign_in?unauthenticated=true'
+  end
+
   test 'allows session to be set by a given scope' do
     sign_in_as_user
     visit 'users/index'
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
-  test 'destroyed account is logged out' do
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session[:session_id]
+
+    get '/users'
+    assert_equal session_id, request.session[:session_id]
+
     sign_in_as_user
-    visit 'users/index'
-    User.destroy_all
-    visit 'users/index'
-    assert_redirected_to '/users/sign_in?unauthenticated=true'
+    assert_not_equal session_id, request.session[:session_id]
   end
 
   test 'renders the scoped view if turned on and view is available' do
@@ -206,6 +238,20 @@ class AuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'renders the scoped view if turned on in an specific controller' do
+    begin
+      SessionsController.scoped_views = true
+      assert_raise Webrat::NotFoundError do
+        sign_in_as_user
+      end
+
+      assert_match /Special user view/, response.body
+      assert !PasswordsController.scoped_views
+    ensure
+      SessionsController.send :remove_instance_variable, :@scoped_views
+    end
+  end
+
   test 'does not render the scoped view if turned off' do
     swap Devise, :scoped_views => false do
       assert_nothing_raised do
@@ -221,4 +267,74 @@ class AuthenticationTest < ActionController::IntegrationTest
       end
     end
   end
+
+  test 'render 404 on roles without permission' do
+    get 'admin_area/password/new'
+    assert_response :not_found
+    assert_not_contain 'Send me reset password instructions'
+  end
+
+  test 'render 404 on roles without mapping' do
+    get 'sign_in'
+    assert_response :not_found
+    assert_not_contain 'Sign in'
+  end
+
+  test 'uses the mapping from the default scope if specified' do
+    swap Devise, :use_default_scope => true do
+      get 'sign_in'
+      assert_response :ok
+      assert_contain 'Sign in'
+    end
+  end
+end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    visit send("new_#{scope}_session_path")
+    sign_in_as_user(:visit => false)
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    delete destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via post when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    post destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via get when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    get destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
 end

test/integration/confirmable_test.rb

@@ -60,6 +60,14 @@ class ConfirmationTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'increases sign count when signed in through confirmation' do
+    user = create_user(:confirm => false)
+    visit_user_confirmation_with_token(user.confirmation_token)
+
+    user.reload
+    assert_equal 1, user.sign_in_count
+  end
+
   test 'not confirmed user with setup to block without confirmation should not be able to sign in' do
     swap Devise, :confirm_within => 0.days do
       sign_in_as_user(:confirm => false)

test/integration/http_authenticatable_test.rb

@@ -0,0 +1,52 @@
+require 'test/test_helper'
+
+class HttpAuthenticationTest < ActionController::IntegrationTest
+
+  test 'sign in should authenticate with http' do
+    sign_in_as_new_user_with_http
+    assert_response :success
+    assert_template 'users/index'
+    assert_contain 'Welcome'
+    assert warden.authenticated?(:user)
+  end
+
+  test 'returns a custom response with www-authenticate header on failures' do
+    sign_in_as_new_user_with_http("unknown")
+    assert_equal 401, status
+    assert_equal 'Basic realm="Application"', headers["WWW-Authenticate"]
+  end
+
+  test 'uses the request format as response content type' do
+    sign_in_as_new_user_with_http("unknown", "123456", :xml)
+    assert_equal 401, status
+    assert_equal "application/xml", headers["Content-Type"]
+    # Cannot assert this due to a bug between integration tests and rack on 2.3
+    # assert response.body.include?("<error>HTTP Basic: Access denied.</error>")
+  end
+
+  test 'returns a custom response with www-authenticate and chosen realm' do
+    swap Devise, :http_authentication_realm => "MyApp" do
+      sign_in_as_new_user_with_http("unknown")
+      assert_equal 401, status
+      assert_equal 'Basic realm="MyApp"', headers["WWW-Authenticate"]
+    end
+  end
+
+  test 'sign in should authenticate with http even with specific authentication keys' do
+    swap Devise, :authentication_keys => [:username] do
+      sign_in_as_new_user_with_http "usertest"
+      assert_response :success
+      assert_template 'users/index'
+      assert_contain 'Welcome'
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  private
+
+    def sign_in_as_new_user_with_http(username="user@test.com", password="123456", format=:html)
+      user = create_user
+      get users_path(:format => format), {}, :authorization => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
+      user
+    end
+end

test/integration/lockable_test.rb

@@ -0,0 +1,102 @@
+require 'test/test_helper'
+
+class LockTest < ActionController::IntegrationTest
+  
+  def visit_user_unlock_with_token(unlock_token)
+    visit user_unlock_path(:unlock_token => unlock_token)
+  end
+
+  test 'user should be able to request a new unlock token' do
+    user = create_user(:locked => true)
+    ActionMailer::Base.deliveries.clear
+
+    visit new_user_session_path
+    click_link 'Didn\'t receive unlock instructions?'
+
+    fill_in 'email', :with => user.email
+    click_button 'Resend unlock instructions'
+
+    assert_template 'sessions/new'
+    assert_contain 'You will receive an email with instructions about how to unlock your account in a few minutes'
+    assert_equal 1, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked user should not be able to request a unlock token' do
+    user = create_user(:locked => false)
+    ActionMailer::Base.deliveries.clear
+
+    visit new_user_session_path
+    click_link 'Didn\'t receive unlock instructions?'
+
+    fill_in 'email', :with => user.email
+    click_button 'Resend unlock instructions'
+
+    assert_template 'unlocks/new'
+    assert_contain 'not locked'
+    assert_equal 0, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit new_user_unlock_path
+    assert_response :success
+
+    swap Devise, :unlock_strategy => :time do
+      visit new_user_unlock_path
+      assert_response :not_found
+    end
+  end
+
+  test 'user with invalid unlock token should not be able to unlock an account' do
+    visit_user_unlock_with_token('invalid_token')
+
+    assert_response :success
+    assert_template 'unlocks/new'
+    assert_have_selector '#errorExplanation'
+    assert_contain /Unlock token(.*)invalid/
+  end
+
+  test "locked user should be able to unlock account" do
+    user = create_user(:locked => true)
+    assert user.access_locked?
+
+    visit_user_unlock_with_token(user.unlock_token)
+
+    assert_template 'home/index'
+    assert_contain 'Your account was successfully unlocked.'
+
+    assert_not user.reload.access_locked?
+  end
+
+  test "sign in user automatically after unlocking it's account" do
+    user = create_user(:locked => true)
+    visit_user_unlock_with_token(user.unlock_token)
+    assert warden.authenticated?(:user)
+  end
+
+  test "user should not be able to sign in when locked" do
+    user = sign_in_as_user(:locked => true)
+    assert_template 'sessions/new'
+    assert_contain 'Your account is locked.'
+    assert_not warden.authenticated?(:user)
+  end
+
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(:locked => true)
+    user.update_attribute(:failed_attempts, User.maximum_attempts + 1)
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(:password => "invalid")
+    assert_contain 'Invalid email or password.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
+  test 'error message is configurable by resource name' do
+    store_translations :en, :devise => {
+      :sessions => { :admin => { :locked => "You are locked!" } }
+    } do
+      get new_admin_session_path(:locked => true)
+      assert_contain 'You are locked!'
+    end
+  end
+
+end

test/integration/rack_middleware_test.rb

@@ -0,0 +1,47 @@
+require "test/test_helper"
+require "rack/test"
+
+class RackMiddlewareTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app
+    ActionController::Dispatcher.new
+  end
+
+  def warden
+    last_request.env['warden']
+  end
+
+  def with_custom_strategy
+    get '/'
+
+    Warden::Strategies.add(:custom_test) do
+      def valid?
+        true
+      end
+
+      def authenticate!
+        custom! [599, {
+            "X-Custom-Response" => "Custom response test",
+            "Content-type" => "text/plain"
+          }, "Custom response test"]
+      end
+    end
+
+    #ActionController::Dispatcher.middleware.use CustomStrategyInterceptor
+    default_strategies = warden.manager.config.default_strategies
+    warden.manager.config.default_strategies :custom_test
+    yield
+    warden.manager.config.default_strategies default_strategies
+  end
+
+  def test_custom_strategy_response
+    with_custom_strategy do
+      post('/users/sign_in')
+
+      assert_equal 599, last_response.status
+      assert_equal "Custom response test", last_response.body
+      assert_equal "Custom response test", last_response.headers["X-Custom-Response"]
+    end
+  end
+end

test/integration/recoverable_test.rb

@@ -128,4 +128,14 @@ class PasswordTest < ActionController::IntegrationTest
 
     assert warden.authenticated?(:user)
   end
+
+  test 'does not sign in user automatically after changing it\'s password if it\'s not active' do
+    user = create_user(:confirm => false)
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert_redirected_to new_user_session_path(:unconfirmed => true)
+    assert !warden.authenticated?(:user)
+  end
+
 end

test/integration/registerable_test.rb

@@ -0,0 +1,144 @@
+require 'test/test_helper'
+
+class RegistrationTest < ActionController::IntegrationTest
+
+  test 'a guest admin should be able to sign in successfully' do
+    visit new_admin_session_path
+    click_link 'Sign up'
+
+    assert_template 'registrations/new'
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_contain 'You have signed up successfully.'
+    assert warden.authenticated?(:admin)
+
+    admin = Admin.last
+    assert_equal admin.email, 'new_user@test.com'
+  end
+
+  test 'a guest user should be able to sign up successfully and be blocked by confirmation' do
+    visit new_user_registration_path
+
+    fill_in 'email', :with => 'new_user@test.com'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user123'
+    click_button 'Sign up'
+
+    assert_equal "You have signed up successfully. If enabled, a confirmation was sent to your e-mail.", @controller.send(:flash)[:notice]
+
+    # For some reason flash is not being set correctly, so instead of getting the
+    # "signed_up" message we get the unconfirmed one. Seems to be an issue with
+    # the internal redirect by the hook and the tests.
+    # follow_redirect!
+    # assert_contain 'You have signed up successfully.'
+    # assert_not_contain 'confirm your account'
+
+    follow_redirect!
+    assert_contain 'Sign in'
+    assert_not warden.authenticated?(:user)
+
+    user = User.last
+    assert_equal user.email, 'new_user@test.com'
+    assert_not user.confirmed?
+  end
+
+  test 'a guest user cannot sign up with invalid information' do
+    visit new_user_registration_path
+
+    fill_in 'email', :with => 'invalid_email'
+    fill_in 'password', :with => 'new_user123'
+    fill_in 'password confirmation', :with => 'new_user321'
+    click_button 'Sign up'
+
+    assert_template 'registrations/new'
+    assert_have_selector '#errorExplanation'
+    assert_contain "Email is invalid"
+    assert_contain "Password doesn't match confirmation"
+    assert_nil User.first
+
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'a guest should not sign up with email/password that already exists' do
+    user = create_user
+    visit new_user_registration_path
+
+    fill_in 'email', :with => 'user@test.com'
+    fill_in 'password', :with => '123456'
+    fill_in 'password confirmation', :with => '123456'
+    click_button 'Sign up'
+
+    assert_template 'registrations/new'
+    assert_contain 'Email has already been taken'
+
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'a guest should not be able to change account' do
+    visit edit_user_registration_path
+    follow_redirect!
+    assert_template 'sessions/new'
+  end
+
+  test 'a signed in user should not be able to access sign up' do
+    sign_in_as_user
+    visit new_user_registration_path
+    assert_template 'home/index'
+  end
+
+  test 'a signed in user should be able to edit his account' do
+    sign_in_as_user
+    visit edit_user_registration_path
+
+    fill_in 'email', :with => 'user.new@email.com'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_template 'home/index'
+    assert_contain 'You updated your account successfully.'
+
+    assert_equal "user.new@email.com", User.first.email
+  end
+
+  test 'a signed in user should be able to edit his password' do
+    sign_in_as_user
+    visit edit_user_registration_path
+
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => 'pas123'
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_template 'home/index'
+    assert_contain 'You updated your account successfully.'
+
+    assert User.first.valid_password?('pas123')
+  end
+
+  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+    sign_in_as_user
+    get edit_user_registration_path
+  
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => ''
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+  
+    assert_contain "Password doesn't match confirmation"
+    assert_not User.first.valid_password?('pas123')
+  end
+
+  test 'a signed in user should be able to cancel his account' do
+    sign_in_as_user
+    visit edit_user_registration_path
+
+    click_link "Cancel my account"
+    assert_contain "Bye! Your account was successfully cancelled. We hope to see you again soon."
+
+    assert User.all.empty?
+  end
+end

test/integration/rememberable_test.rb

@@ -6,7 +6,7 @@ class RememberMeTest < ActionController::IntegrationTest
     Devise.remember_for = 1
     user = create_user
     user.remember_me!
-    cookies['warden.user.user.key'] = User.serialize_into_cookie(user) + add_to_token
+    cookies['remember_user_token'] = User.serialize_into_cookie(user) + add_to_token
     user
   end
 
@@ -20,6 +20,13 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_not_nil user.reload.remember_token
   end
 
+  test 'cookie_options should be applied to cookies' do
+    swap Devise, :cookie_options => { :value => 'dont-do-that' } do
+      user = sign_in_as_user :remember_me => true
+      assert_equal 'dont-do-that', cookies['remember_user_token']
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path
@@ -28,6 +35,14 @@ class RememberMeTest < ActionController::IntegrationTest
     assert warden.user(:user) == user
   end
 
+  test 'does not remember other scopes' do
+    user = create_user_and_remember
+    get root_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+
   test 'do not remember with invalid token' do
     user = create_user_and_remember('add')
     get users_path
@@ -59,5 +74,16 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     get users_path
     assert_not warden.authenticated?(:user)
+    assert_equal cookies['remember_user_token'], ''
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap HomeController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
   end
 end

test/integration/token_authenticatable_test.rb

@@ -0,0 +1,55 @@
+require 'test/test_helper'
+
+class TokenAuthenticationTest < ActionController::IntegrationTest
+
+  test 'sign in should authenticate with valid authentication token and proper authentication token key' do
+    swap Devise, :token_authentication_key => :secret_token do
+      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
+
+      assert_response :success
+      assert_template 'users/index'
+      assert_contain 'Welcome'
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'signing in with valid authentication token - but improper authentication token key - return to sign in form with error message' do
+    swap Devise, :token_authentication_key => :donald_duck_token do
+      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
+      assert_redirected_to new_user_session_path(:unauthenticated => true)
+      follow_redirect!
+
+      assert_contain 'You need to sign in or sign up before continuing'
+      assert_contain 'Sign in'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'signing in with invalid authentication token should return to sign in form with error message' do
+    store_translations :en, :devise => {:sessions => {:invalid_token => 'LOL, that was not a single character correct.'}} do
+      sign_in_as_new_user_with_token(:auth_token => '*** INVALID TOKEN ***')
+      assert_redirected_to new_user_session_path(:invalid_token => true)
+      follow_redirect!
+
+      assert_response :success
+      assert_contain 'LOL, that was not a single character correct.'
+      assert_contain 'Sign in'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  private
+
+    def sign_in_as_new_user_with_token(options = {})
+      options[:auth_token_key] ||= Devise.token_authentication_key
+      options[:auth_token]     ||= VALID_AUTHENTICATION_TOKEN
+
+      user = create_user(options)
+      user.authentication_token = VALID_AUTHENTICATION_TOKEN
+      user.save
+
+      visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
+      user
+    end
+
+end

test/integration/trackable_test.rb

@@ -39,7 +39,7 @@ class TrackableHooksTest < ActionController::IntegrationTest
 
   test "increase sign in count" do
     user = create_user
-    assert_nil user.sign_in_count
+    assert_equal 0, user.sign_in_count
 
     sign_in_as_user
     user.reload
@@ -51,7 +51,7 @@ class TrackableHooksTest < ActionController::IntegrationTest
     assert_equal 2, user.sign_in_count
   end
 
-  test "does not update anything if user is signed out along the way" do
+  test "does not update anything if user has signed out along the way" do
     swap Devise, :confirm_within => 0 do
       user = create_user(:confirm => false)
       sign_in_as_user

test/mailers/confirmation_instructions_test.rb

@@ -4,7 +4,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
 
   def setup
     setup_mailer
-    DeviseMailer.sender = 'test@example.com'
+    Devise.mailer_sender = 'test@example.com'
   end
 
   def user
@@ -62,4 +62,25 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
       assert_equal user.email, mail.body
     end
   end
+
+  test 'content type should be set to plain when manually configured' do
+    swap Devise, :mailer_content_type => "text/plain" do
+      assert_equal "text/plain", mail.content_type
+    end
+  end
+
+  test 'renders a scoped if scoped_views is set in the mailer class' do
+    begin
+      DeviseMailer.scoped_views = true
+      assert_equal user.email, mail.body
+    ensure
+      DeviseMailer.send :remove_instance_variable, :@scoped_views
+    end
+  end
+
+  test 'mailer sender accepts a proc' do
+    swap Devise, :mailer_sender => lambda { "another@example.com" } do
+      assert_equal ['another@example.com'], mail.from
+    end
+  end
 end

test/mailers/reset_password_instructions_test.rb

@@ -4,7 +4,7 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
 
   def setup
     setup_mailer
-    DeviseMailer.sender = 'test@example.com'
+    Devise.mailer_sender = 'test@example.com'
   end
 
   def user
@@ -59,4 +59,10 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
     reset_url_regexp = %r{<a href=\"http://#{host}/users/password/edit\?reset_password_token=#{user.reset_password_token}">}
     assert_match reset_url_regexp, mail.body
   end
+
+  test 'mailer sender accepts a proc' do
+    swap Devise, :mailer_sender => lambda { "another@example.com" } do
+      assert_equal ['another@example.com'], mail.from
+    end
+  end
 end

test/mailers/unlock_instructions_test.rb

@@ -0,0 +1,62 @@
+require 'test/test_helper'
+
+class UnlockInstructionsTest < ActionMailer::TestCase
+
+  def setup
+    setup_mailer
+    Devise.mailer_sender = 'test@example.com'
+  end
+
+  def user
+    @user ||= begin
+      user = create_user
+      user.lock_access!
+      user
+    end
+  end
+
+  def mail
+    @mail ||= begin
+      user
+      ActionMailer::Base.deliveries.last
+    end
+  end
+
+  test 'email sent after locking the user' do
+    assert_not_nil mail
+  end
+
+  test 'content type should be set to html' do
+    assert_equal 'text/html', mail.content_type
+  end
+
+  test 'send unlock instructions to the user email' do
+    assert_equal [user.email], mail.to
+  end
+
+  test 'setup sender from configuration' do
+    assert_equal ['test@example.com'], mail.from
+  end
+
+  test 'setup subject from I18n' do
+    store_translations :en, :devise => { :mailer => { :unlock_instructions => 'Unlock instructions' } } do
+      assert_equal 'Unlock instructions', mail.subject
+    end
+  end
+
+  test 'subject namespaced by model' do
+    store_translations :en, :devise => { :mailer => { :user => { :unlock_instructions => 'User Unlock Instructions' } } } do
+      assert_equal 'User Unlock Instructions', mail.subject
+    end
+  end
+
+  test 'body should have user info' do
+    assert_match /#{user.email}/, mail.body
+  end
+
+  test 'body should have link to unlock the account' do
+    host = ActionMailer::Base.default_url_options[:host]
+    unlock_url_regexp = %r{<a href=\"http://#{host}/users/unlock\?unlock_token=#{user.unlock_token}">}
+    assert_match unlock_url_regexp, mail.body
+  end
+end

test/mapping_test.rb

@@ -39,22 +39,17 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal Devise.mappings[:admin], Devise::Mapping.find_by_path("/admin_area/session")
   end
 
-  test 'find mapping by class' do
-    assert_nil Devise::Mapping.find_by_class(String)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(User)
-  end
-
-  test 'find mapping by class works with single table inheritance' do
-    klass = Class.new(User)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(klass)
-  end
-
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
+  test 'find scope works with single table inheritance' do
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User))
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)
@@ -63,18 +58,22 @@ class MappingTest < ActiveSupport::TestCase
 
   test 'return default path names' do
     mapping = Devise.mappings[:user]
-    assert_equal 'sign_in', mapping.path_names[:sign_in]
-    assert_equal 'sign_out', mapping.path_names[:sign_out]
-    assert_equal 'password', mapping.path_names[:password]
+    assert_equal 'sign_in',      mapping.path_names[:sign_in]
+    assert_equal 'sign_out',     mapping.path_names[:sign_out]
+    assert_equal 'password',     mapping.path_names[:password]
     assert_equal 'confirmation', mapping.path_names[:confirmation]
+    assert_equal 'sign_up', mapping.path_names[:sign_up]
+    assert_equal 'unlock',       mapping.path_names[:unlock]
   end
 
   test 'allow custom path names to be given' do
     mapping = Devise.mappings[:manager]
-    assert_equal 'login', mapping.path_names[:sign_in]
-    assert_equal 'logout', mapping.path_names[:sign_out]
-    assert_equal 'secret', mapping.path_names[:password]
+    assert_equal 'login',        mapping.path_names[:sign_in]
+    assert_equal 'logout',       mapping.path_names[:sign_out]
+    assert_equal 'secret',       mapping.path_names[:password]
     assert_equal 'verification', mapping.path_names[:confirmation]
+    assert_equal 'register',     mapping.path_names[:sign_up]
+    assert_equal 'unblock',      mapping.path_names[:unlock]
   end
 
   test 'has an empty path as default path prefix' do
@@ -97,6 +96,12 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal '/:locale/accounts', Devise.mappings[:manager].raw_path
   end
 
+  test 'raw path ignores the relative_url_root' do
+    swap ActionController::Base, :relative_url_root => "/abc" do
+      assert_equal '/users', Devise.mappings[:user].raw_path
+    end
+  end
+
   test 'parsed path is returned' do
     begin
       Devise.default_url_options {{ :locale => I18n.locale }}
@@ -107,6 +112,18 @@ class MappingTest < ActiveSupport::TestCase
     end
   end
 
+  test 'parsed path adds in the relative_url_root' do
+    swap ActionController::Base, :relative_url_root => '/abc' do
+      assert_equal '/abc/users', Devise.mappings[:user].parsed_path
+    end
+  end
+
+  test 'parsed path deals with a nil relative_url_root' do
+    swap ActionController::Base, :relative_url_root => nil do
+      assert_equal '/users', Devise.mappings[:user].raw_path
+    end
+  end
+
   test 'should have default route options' do
     assert_equal({}, Devise.mappings[:user].route_options)
   end
@@ -115,6 +132,16 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal({ :requirements => { :extra => 'value' } }, Devise.mappings[:manager].route_options)
   end
 
+  test 'sign_out_via defaults to :get' do
+    assert_equal :get, Devise.mappings[:user].sign_out_via
+  end
+
+  test 'allows custom sign_out_via to be given' do
+    assert_equal :delete, Devise.mappings[:sign_out_via_delete].sign_out_via
+    assert_equal :post,   Devise.mappings[:sign_out_via_post].sign_out_via
+    assert_equal :any,    Devise.mappings[:sign_out_via_anymethod].sign_out_via
+  end
+
   test 'magic predicates' do
     mapping = Devise.mappings[:user]
     assert mapping.authenticatable?