Merge pull request #1750 from 0x000000/v1.0

Added ability to override redirect_to path after sending reset password ...

CHANGELOG.rdoc

@@ -1,3 +1,88 @@
+== 1.0.11
+
+* bug fix
+  * Make sure xhr requests do not store urls for redirect
+  * Squeeze break lines from cookies to avoid duplicated break lines
+
+== 1.0.10
+
+* bug fix
+  * Use secure compare when comparing passwords
+  * Improve email regexp
+  * Implement handle_unverified_request for Rails 2.3.11
+
+== 1.0.9
+
+* enhancements
+  * Extracted redirect path from Devise failure app to a new method, allowing override in custom failure apps
+  * Added sign_out_via
+
+* bug fix
+  * Email is now case insensitive
+  * Avoid session fixation attacks
+
+== 1.0.8
+
+* enhancements
+  * Support for latest MongoMapper
+  * Added anybody_signed_in? helper (by github.com/SSDany)
+
+* bug fix
+  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)
+
+== 1.0.7
+
+* bug fix
+  * Ensure password confirmation is always required
+
+* deprecations
+  * authenticatable was deprecated and renamed to database_authenticatable
+  * confirmable is not included by default on generation
+
+== 1.0.6
+
+* bug fix
+  * Do not allow unlockable strategies based on time to access a controller.
+  * Do not send unlockable email several times.
+  * Allow controller to upstram custom! failures to Warden.
+
+== 1.0.5
+
+* bug fix
+  * Use prepend_before_filter in require_no_authentication.
+  * require_no_authentication on unlockable.
+  * Fix a bug when giving an association proxy to devise.
+  * Do not use lock! on lockable since it's part of ActiveRecord API.
+
+== 1.0.4
+
+* bug fix
+  * Fixed a bug when deleting an account with rememberable
+  * Fixed a bug with custom controllers
+
+== 1.0.3
+
+* enhancements
+  * HTML e-mails now have proper formatting
+  * Do not remove MongoMapper options in find
+
+== 1.0.2
+
+* enhancements
+  * Allows you set mailer content type (by github.com/glennr)
+
+* bug fix
+  * Uses the same content type as request on http authenticatable 401 responses
+
+== 1.0.1
+
+* enhancements
+  * HttpAuthenticatable is not added by default automatically.
+  * Avoid mass assignment error messages with current password.
+
+* bug fix
+  * Fixed encryptors autoload
+
 == 1.0.0
 
 * deprecation
@@ -8,6 +93,7 @@
   * Added Http Basic Authentication support
   * Allow scoped_views to be customized per controller/mailer class
   * [#99] Allow authenticatable to used in change_table statements
+  * Add mailer_content_type configuration parameter (by github.com/glennr)
 
 == 0.9.2
 

README.rdoc

@@ -7,16 +7,18 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-Right now it's composed of ten modules:
+Right now it's composed of 12 modules:
 
-* Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Database Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as "single access token").
+* HttpAuthenticatable: sign in users using basic HTTP authentication.
 * Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
 * Recoverable: takes care of reseting the user password and send reset instructions.
 * Registerable: handles signing up users through a registration process.
 * Rememberable: manages generating and clearing token for remember the user from a saved cookie.
 * Trackable: tracks sign in count, timestamps and ip.
-* Validatable: creates all needed validations for email and password. It's totally optional, so you're able to to customize validations by yourself.
 * Timeoutable: expires sessions without activity in a certain period of time.
+* Validatable: creates all needed validations for email and password. It's totally optional, so you're able to to customize validations by yourself.
 * Lockable: takes care of locking an account based on the number of failed sign in attempts. Handles unlock via expire and email.
 * Activatable: if you need to activate accounts by other means, which are not through confirmation, use this module.
 
@@ -28,17 +30,13 @@ Devise is based on Warden (http://github.com/hassox/warden), a Rack Authenticati
 
 == Installation
 
-All gems are on gemcutter, so you need to add gemcutter to your sources if you haven't yet:
+Install warden gem if you don't have it installed:
 
-  sudo gem sources -a http://gemcutter.org/
-
-Install warden gem if you don't have it installed (requires 0.6.4 or higher):
-
-  sudo gem install warden
+  gem install warden
 
 Install devise gem:
 
-  sudo gem install devise
+  gem install devise --version=1.0.10
 
 Configure warden and devise gems inside your app:
 
@@ -53,6 +51,10 @@ And you're ready to go. The generator will install an initializer which describe
 
   http://rdoc.info/projects/plataformatec/devise
 
+If you want to use Devise with bundler on Rails 2.3, you need to follow the instructions here:
+
+  http://github.com/carlhuda/bundler/issues/issue/83
+
 == Basic Usage
 
 This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration. You MUST also check out the *Generators* section below to help you start.
@@ -62,13 +64,13 @@ Devise must be set up within the model (or models) you want to use, and devise r
 We're assuming here you want a User model with some modules, as outlined below:
 
   class User < ActiveRecord::Base
-    devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+    devise :database_authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
   end
 
 After you choose which modules to use, you need to setup your migrations. Luckily, devise has some helpers to save you from this boring work:
 
   create_table :users do |t|
-    t.authenticatable
+    t.database_authenticatable
     t.confirmable
     t.recoverable
     t.rememberable
@@ -126,13 +128,13 @@ Devise let's you setup as many roles as you want, so let's say you already have
 
   # Create a migration with the required fields
   create_table :admins do |t|
-    t.authenticatable
+    t.database_authenticatable
     t.lockable
     t.trackable
   end
 
   # Inside your Admin model
-  devise :authenticatable, :trackable, :timeoutable, :lockable
+  devise :database_authenticatable, :trackable, :timeoutable, :lockable
 
   # Inside your routes
   map.devise_for :admin
@@ -159,9 +161,9 @@ A model configured with all devise modules and attr_accessible for default field
 
 == Model configuration
 
-The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in authenticatable:
+The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in database_authenticatable:
 
-  devise :authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
+  devise :database_authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
 
 Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are describer in the initializer created when you invoke the devise_install generator describer above.
 
@@ -175,6 +177,8 @@ By default Devise will use the same views for all roles you have. But what if yo
 
 After doing so you will be able to have views based on the scope like 'sessions/users/new' and 'sessions/admin/new'. If no view is found within the scope, Devise will fallback to the default view.
 
+Devise uses flash messages to let users know if their login is successful or not. Devise expects your application to call 'flash[:notice]' and 'flash[:alert]' as appropriate.
+
 == I18n
 
 Devise uses flash messages with I18n with the flash keys :success and :failure. To customize your app, you can setup your locale file this way:
@@ -236,6 +240,16 @@ Devise supports both ActiveRecord (default) and MongoMapper, and has experimenta
 
 Please refer to TODO file.
 
+== Security
+
+Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
+
+1) Look at the source code a bit to find out whether your assumptions are correct;
+2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
+3) E-mail us or send a Github private message instead of using the normal issues;
+
+Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
+
 == Maintainers
 
 * José Valim (http://github.com/josevalim)
@@ -243,7 +257,9 @@ Please refer to TODO file.
 
 == Contributors
 
-We have a long running list of contributors. Check them in the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
+We have a long running list of contributors. Check them all here:
+
+http://github.com/plataformatec/devise/contributors
 
 == Bugs and Feedback
 

Rakefile

@@ -37,17 +37,17 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION
+    s.version = Devise::VERSION.dup
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"
     s.description = "Flexible authentication solution for Rails with Warden"
     s.authors = ['José Valim', 'Carlos Antônio']
-    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "init.rb"]
-    s.add_dependency("warden", "~> 0.9.0")
+    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "rails/init.rb"]
+    s.add_dependency("warden", "~> 0.10.3")
   end
 
   Jeweler::GemcutterTasks.new
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+  puts "Jeweler, or one of its dependencies, is not available. Install it with: gem install jeweler"
 end

TODO

@@ -1,3 +1,2 @@
 * Make test run with DataMapper
-* Add Registerable support
-* Extract Activatable tests from Confirmable
+* Extract Activatable tests from Confirmable

app/controllers/confirmations_controller.rb

@@ -21,7 +21,7 @@ class ConfirmationsController < ApplicationController
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
-    self.resource = resource_class.confirm!(:confirmation_token => params[:confirmation_token])
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :confirmed

app/controllers/passwords_controller.rb

@@ -1,8 +1,7 @@
 class PasswordsController < ApplicationController
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication
-
   # GET /resource/password/new
   def new
     build_resource
@@ -15,7 +14,7 @@ class PasswordsController < ApplicationController
 
     if resource.errors.empty?
       set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      redirect_to after_sending_reset_password_instructions_path_for(resource_name)
     else
       render_with_scope :new
     end
@@ -30,7 +29,7 @@ class PasswordsController < ApplicationController
 
   # PUT /resource/password
   def update
-    self.resource = resource_class.reset_password!(params[resource_name])
+    self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
       set_flash_message :notice, :updated
@@ -39,4 +38,10 @@ class PasswordsController < ApplicationController
       render_with_scope :edit
     end
   end
+
+  protected
+
+  def after_sending_reset_password_instructions_path_for(resource_name)
+    new_session_path(resource_name)
+  end
 end

app/controllers/registrations_controller.rb

@@ -1,21 +1,19 @@
 class RegistrationsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-  before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
-
-  # GET /resource/sign_in
+  # GET /resource/sign_up
   def new
     build_resource
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 
     if resource.save
-      flash[:"#{resource_name}_signed_up"] = true
       set_flash_message :notice, :signed_up
       sign_in_and_redirect(resource_name, resource)
     else
@@ -52,4 +50,4 @@ class RegistrationsController < ApplicationController
       send(:"authenticate_#{resource_name}!")
       self.resource = send(:"current_#{resource_name}").dup
     end
-end
+end

app/controllers/sessions_controller.rb

@@ -1,11 +1,10 @@
 class SessionsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-
   # GET /resource/sign_in
   def new
-    unless resource_just_signed_up?
+    unless flash[:notice].present?
       Devise::FLASH_MESSAGES.each do |message|
         set_now_flash_message :alert, message if params.try(:[], message) == "true"
       end
@@ -20,6 +19,8 @@ class SessionsController < ApplicationController
     if resource = authenticate(resource_name)
       set_flash_message :notice, :signed_in
       sign_in_and_redirect(resource_name, resource, true)
+    elsif [:custom, :redirect].include?(warden.result)
+      throw :warden, :scope => resource_name
     else
       set_now_flash_message :alert, (warden.message || :invalid)
       clean_up_passwords(build_resource)
@@ -35,11 +36,7 @@ class SessionsController < ApplicationController
 
   protected
 
-  def resource_just_signed_up?
-    flash[:"#{resource_name}_signed_up"]
-  end
-
-  def clean_up_passwords(object)
-    object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
-  end
+    def clean_up_passwords(object)
+      object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
+    end
 end

app/controllers/unlocks_controller.rb

@@ -1,4 +1,6 @@
 class UnlocksController < ApplicationController
+  prepend_before_filter :ensure_email_as_unlock_strategy
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/unlock/new
@@ -21,7 +23,7 @@ class UnlocksController < ApplicationController
 
   # GET /resource/unlock?unlock_token=abcdef
   def show
-    self.resource = resource_class.unlock!(:unlock_token => params[:unlock_token])
+    self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :unlocked
@@ -30,4 +32,10 @@ class UnlocksController < ApplicationController
       render_with_scope :new
     end
   end
+
+  protected
+
+  def ensure_email_as_unlock_strategy
+    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
+  end
 end

app/models/devise_mailer.rb

@@ -20,14 +20,14 @@ class DeviseMailer < ::ActionMailer::Base
 
     # Configure default email options
     def setup_mail(record, key)
-      mapping = Devise::Mapping.find_by_class(record.class)
-      raise "Invalid devise resource #{record}" unless mapping
+      scope_name = Devise::Mapping.find_scope!(record)
+      mapping    = Devise.mappings[scope_name]
 
       subject      translate(mapping, key)
       from         mailer_sender(mapping)
       recipients   record.email
       sent_on      Time.now
-      content_type 'text/html'
+      content_type Devise.mailer_content_type
       body         render_with_scope(key, mapping, mapping.name => record, :resource => record)
     end
 

app/views/devise_mailer/confirmation_instructions.html.erb

@@ -1,5 +1,5 @@
-Welcome <%= @resource.email %>!
+<p>Welcome <%= @resource.email %>!</p>
 
-You can confirm your account through the link below:
+<p>You can confirm your account through the link below:</p>
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

app/views/devise_mailer/reset_password_instructions.html.erb

@@ -1,8 +1,8 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Someone has requested a link to change your password, and you can do this through the link below.
+<p>Someone has requested a link to change your password, and you can do this through the link below.</p>
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
 
-If you didn't request this, please ignore this email.
-Your password won't change until you access the link above and create a new one.
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

app/views/devise_mailer/unlock_instructions.html.erb

@@ -1,7 +1,7 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
 
-Click the link below to unlock your account:
+<p>Click the link below to unlock your account:</p>
 
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>

devise.gemspec

@@ -1,178 +1,178 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.0.0"
+  s.version = "1.0.11"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-02-09}
+  s.date = %q{2011-03-11}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
     "README.rdoc",
-     "TODO"
+    "TODO"
   ]
   s.files = [
     "CHANGELOG.rdoc",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "TODO",
-     "app/controllers/confirmations_controller.rb",
-     "app/controllers/passwords_controller.rb",
-     "app/controllers/registrations_controller.rb",
-     "app/controllers/sessions_controller.rb",
-     "app/controllers/unlocks_controller.rb",
-     "app/models/devise_mailer.rb",
-     "app/views/confirmations/new.html.erb",
-     "app/views/devise_mailer/confirmation_instructions.html.erb",
-     "app/views/devise_mailer/reset_password_instructions.html.erb",
-     "app/views/devise_mailer/unlock_instructions.html.erb",
-     "app/views/passwords/edit.html.erb",
-     "app/views/passwords/new.html.erb",
-     "app/views/registrations/edit.html.erb",
-     "app/views/registrations/new.html.erb",
-     "app/views/sessions/new.html.erb",
-     "app/views/shared/_devise_links.erb",
-     "app/views/unlocks/new.html.erb",
-     "generators/devise/USAGE",
-     "generators/devise/devise_generator.rb",
-     "generators/devise/lib/route_devise.rb",
-     "generators/devise/templates/migration.rb",
-     "generators/devise/templates/model.rb",
-     "generators/devise_install/USAGE",
-     "generators/devise_install/devise_install_generator.rb",
-     "generators/devise_install/templates/README",
-     "generators/devise_install/templates/devise.rb",
-     "generators/devise_views/USAGE",
-     "generators/devise_views/devise_views_generator.rb",
-     "init.rb",
-     "lib/devise.rb",
-     "lib/devise/controllers/helpers.rb",
-     "lib/devise/controllers/internal_helpers.rb",
-     "lib/devise/controllers/url_helpers.rb",
-     "lib/devise/encryptors/authlogic_sha512.rb",
-     "lib/devise/encryptors/base.rb",
-     "lib/devise/encryptors/bcrypt.rb",
-     "lib/devise/encryptors/clearance_sha1.rb",
-     "lib/devise/encryptors/restful_authentication_sha1.rb",
-     "lib/devise/encryptors/sha1.rb",
-     "lib/devise/encryptors/sha512.rb",
-     "lib/devise/failure_app.rb",
-     "lib/devise/hooks/activatable.rb",
-     "lib/devise/hooks/rememberable.rb",
-     "lib/devise/hooks/timeoutable.rb",
-     "lib/devise/hooks/trackable.rb",
-     "lib/devise/locales/en.yml",
-     "lib/devise/mapping.rb",
-     "lib/devise/models.rb",
-     "lib/devise/models/activatable.rb",
-     "lib/devise/models/authenticatable.rb",
-     "lib/devise/models/confirmable.rb",
-     "lib/devise/models/lockable.rb",
-     "lib/devise/models/recoverable.rb",
-     "lib/devise/models/registerable.rb",
-     "lib/devise/models/rememberable.rb",
-     "lib/devise/models/timeoutable.rb",
-     "lib/devise/models/token_authenticatable.rb",
-     "lib/devise/models/trackable.rb",
-     "lib/devise/models/validatable.rb",
-     "lib/devise/orm/active_record.rb",
-     "lib/devise/orm/data_mapper.rb",
-     "lib/devise/orm/mongo_mapper.rb",
-     "lib/devise/rails.rb",
-     "lib/devise/rails/routes.rb",
-     "lib/devise/rails/warden_compat.rb",
-     "lib/devise/schema.rb",
-     "lib/devise/strategies/authenticatable.rb",
-     "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/http_authenticatable.rb",
-     "lib/devise/strategies/rememberable.rb",
-     "lib/devise/strategies/token_authenticatable.rb",
-     "lib/devise/test_helpers.rb",
-     "lib/devise/version.rb"
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/confirmations_controller.rb",
+    "app/controllers/passwords_controller.rb",
+    "app/controllers/registrations_controller.rb",
+    "app/controllers/sessions_controller.rb",
+    "app/controllers/unlocks_controller.rb",
+    "app/models/devise_mailer.rb",
+    "app/views/confirmations/new.html.erb",
+    "app/views/devise_mailer/confirmation_instructions.html.erb",
+    "app/views/devise_mailer/reset_password_instructions.html.erb",
+    "app/views/devise_mailer/unlock_instructions.html.erb",
+    "app/views/passwords/edit.html.erb",
+    "app/views/passwords/new.html.erb",
+    "app/views/registrations/edit.html.erb",
+    "app/views/registrations/new.html.erb",
+    "app/views/sessions/new.html.erb",
+    "app/views/shared/_devise_links.erb",
+    "app/views/unlocks/new.html.erb",
+    "generators/devise/USAGE",
+    "generators/devise/devise_generator.rb",
+    "generators/devise/lib/route_devise.rb",
+    "generators/devise/templates/migration.rb",
+    "generators/devise/templates/model.rb",
+    "generators/devise_install/USAGE",
+    "generators/devise_install/devise_install_generator.rb",
+    "generators/devise_install/templates/README",
+    "generators/devise_install/templates/devise.rb",
+    "generators/devise_views/USAGE",
+    "generators/devise_views/devise_views_generator.rb",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/locales/en.yml",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/activatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/http_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/data_mapper.rb",
+    "lib/devise/orm/mongo_mapper.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/http_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "rails/init.rb"
   ]
   s.homepage = %q{http://github.com/plataformatec/devise}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.5.3}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
-     "test/controllers/internal_helpers_test.rb",
-     "test/controllers/url_helpers_test.rb",
-     "test/devise_test.rb",
-     "test/encryptors_test.rb",
-     "test/failure_app_test.rb",
-     "test/integration/authenticatable_test.rb",
-     "test/integration/confirmable_test.rb",
-     "test/integration/http_authenticatable_test.rb",
-     "test/integration/lockable_test.rb",
-     "test/integration/recoverable_test.rb",
-     "test/integration/registerable_test.rb",
-     "test/integration/rememberable_test.rb",
-     "test/integration/timeoutable_test.rb",
-     "test/integration/token_authenticatable_test.rb",
-     "test/integration/trackable_test.rb",
-     "test/mailers/confirmation_instructions_test.rb",
-     "test/mailers/reset_password_instructions_test.rb",
-     "test/mailers/unlock_instructions_test.rb",
-     "test/mapping_test.rb",
-     "test/models/authenticatable_test.rb",
-     "test/models/confirmable_test.rb",
-     "test/models/lockable_test.rb",
-     "test/models/recoverable_test.rb",
-     "test/models/rememberable_test.rb",
-     "test/models/timeoutable_test.rb",
-     "test/models/token_authenticatable_test.rb",
-     "test/models/trackable_test.rb",
-     "test/models/validatable_test.rb",
-     "test/models_test.rb",
-     "test/orm/active_record.rb",
-     "test/orm/mongo_mapper.rb",
-     "test/rails_app/app/active_record/admin.rb",
-     "test/rails_app/app/active_record/user.rb",
-     "test/rails_app/app/controllers/admins_controller.rb",
-     "test/rails_app/app/controllers/application_controller.rb",
-     "test/rails_app/app/controllers/home_controller.rb",
-     "test/rails_app/app/controllers/users_controller.rb",
-     "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongo_mapper/admin.rb",
-     "test/rails_app/app/mongo_mapper/user.rb",
-     "test/rails_app/config/boot.rb",
-     "test/rails_app/config/environment.rb",
-     "test/rails_app/config/environments/development.rb",
-     "test/rails_app/config/environments/production.rb",
-     "test/rails_app/config/environments/test.rb",
-     "test/rails_app/config/initializers/devise.rb",
-     "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/new_rails_defaults.rb",
-     "test/rails_app/config/initializers/session_store.rb",
-     "test/rails_app/config/routes.rb",
-     "test/routes_test.rb",
-     "test/support/assertions_helper.rb",
-     "test/support/integration_tests_helper.rb",
-     "test/support/test_silencer.rb",
-     "test/support/tests_helper.rb",
-     "test/test_helper.rb",
-     "test/test_helpers_test.rb"
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/rack_middleware_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/authenticatable_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongo_mapper.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongo_mapper/admin.rb",
+    "test/rails_app/app/mongo_mapper/user.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/new_rails_defaults.rb",
+    "test/rails_app/config/initializers/session_store.rb",
+    "test/rails_app/config/routes.rb",
+    "test/routes_test.rb",
+    "test/support/assertions_helper.rb",
+    "test/support/integration_tests_helper.rb",
+    "test/support/test_silencer.rb",
+    "test/support/tests_helper.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<warden>, ["~> 0.9.0"])
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<warden>, ["~> 0.10.3"])
     else
-      s.add_dependency(%q<warden>, ["~> 0.9.0"])
+      s.add_dependency(%q<warden>, ["~> 0.10.3"])
     end
   else
-    s.add_dependency(%q<warden>, ["~> 0.9.0"])
+    s.add_dependency(%q<warden>, ["~> 0.10.3"])
   end
 end
 

generators/devise/templates/migration.rb

@@ -1,7 +1,7 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable

generators/devise/templates/model.rb

@@ -1,7 +1,8 @@
 class <%= class_name %> < ActiveRecord::Base
-  # Include default devise modules.
-  # Others available are :lockable, :timeoutable and :activatable.
-  devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+  # Include default devise modules. Others available are:
+  # :http_authenticatable, :token_authenticatable, :confirmable, :lockable, :timeoutable and :activatable
+  devise :registerable, :database_authenticatable, :recoverable,
+         :rememberable, :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation

generators/devise_install/templates/README

@@ -1,4 +1,3 @@
-
 ===============================================================================
 
 Some setup you must do manually if you haven't yet:
@@ -15,4 +14,10 @@ Some setup you must do manually if you haven't yet:
 
        map.root :controller => 'home'
 
+ 3. Ensure you have a default layout in app/views/layouts and it shows
+     flash messages. For example:
+
+       <p class="notice"><%= flash[:notice] %></p>
+       <p class="alert"><%= flash[:alert] %></p>
+
 ===============================================================================

generators/devise_install/templates/devise.rb

@@ -3,6 +3,9 @@
 Devise.setup do |config|
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
+  
+  # Configure the content type of DeviseMailer mails (defaults to text/html")
+  # config.mailer_content_type = "text/plain"
 
   # ==> Configuration for :authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate

lib/devise.rb

@@ -1,5 +1,6 @@
 module Devise
   autoload :FailureApp, 'devise/failure_app'
+  autoload :Models, 'devise/models'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
@@ -13,7 +14,7 @@ module Devise
     autoload :Base, 'devise/encryptors/base'
     autoload :Bcrypt, 'devise/encryptors/bcrypt'
     autoload :AuthlogicSha512, 'devise/encryptors/authlogic_sha512'
-    autoload :AuthlogicSha1, 'devise/encryptors/authlogic_sha1'
+    autoload :ClearanceSha1, 'devise/encryptors/clearance_sha1'
     autoload :RestfulAuthenticationSha1, 'devise/encryptors/restful_authentication_sha1'
     autoload :Sha512, 'devise/encryptors/sha512'
     autoload :Sha1, 'devise/encryptors/sha1'
@@ -28,7 +29,7 @@ module Devise
   ALL = []
 
   # Authentication ones first
-  ALL.push :authenticatable, :token_authenticatable, :rememberable
+  ALL.push :database_authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
 
   # Misc after
   ALL.push :recoverable, :registerable, :validatable
@@ -41,7 +42,7 @@ module Devise
 
   # Maps controller names to devise modules.
   CONTROLLERS = {
-    :sessions => [:authenticatable, :token_authenticatable],
+    :sessions => [:database_authenticatable, :token_authenticatable],
     :passwords => [:recoverable],
     :confirmations => [:confirmable],
     :registrations => [:registerable],
@@ -51,7 +52,7 @@ module Devise
   # Routes for generating url helpers.
   ROUTES = [:session, :password, :confirmation, :registration, :unlock]
 
-  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable]
+  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable]
 
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
@@ -71,6 +72,10 @@ module Devise
   # Email regex used to validate email formats. Adapted from authlogic.
   EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
 
+  # Custom domain for cookies. Not set by default
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
+
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
@@ -146,6 +151,10 @@ module Devise
   mattr_accessor :mailer_sender
   @@mailer_sender = nil
 
+  # Content Type of Devise e-mails.
+  mattr_accessor :mailer_content_type
+  @@mailer_content_type = 'text/html'
+
   # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
@@ -178,7 +187,9 @@ module Devise
 
     # Configure default url options to be used within Devise and ActionController.
     def default_url_options(&block)
-      Devise::Mapping.metaclass.send :define_method, :default_url_options, &block
+      who = Devise::Mapping.respond_to?(:singleton_class) ?
+        Devise::Mapping.singleton_class : Devise::Mapping.metaclass
+      who.send :define_method, :default_url_options, &block
     end
 
     # A method used internally to setup warden manager from the Rails initialize
@@ -203,6 +214,17 @@ module Devise
       ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
     end
 
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.present? && b.present?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
     # Make Devise aware of an 3rd party Devise-module. For convenience.
     #
     # == Options:
@@ -213,6 +235,9 @@ module Devise
     #                   Default is +nil+ (i.e. +false+).
     #   +controller+  - Symbol representing a name of an exisiting or custom *controller* for this module.
     #                   Default is +nil+ (i.e. +false+).
+    #   +route+       - Symbol representing the name of a *route* related to this module which a set of
+    #                   route view helpers should be created for.
+    #                   Default is +nil+ (i.e. +false+).
     #
     # == Examples:
     #
@@ -221,7 +246,7 @@ module Devise
     #   Devise.add_module(:party_module, :model => 'party_module/model')
     #
     def add_module(module_name, options = {})
-      Devise::ALL.unshift module_name        unless Devise::ALL.include?(module_name)
+      Devise::ALL << module_name        unless Devise::ALL.include?(module_name)
       Devise::STRATEGIES.unshift module_name if options[:strategy] && !Devise::STRATEGIES.include?(module_name)
 
       if options[:controller]
@@ -230,6 +255,10 @@ module Devise
         Devise::CONTROLLERS[controller].unshift module_name unless Devise::CONTROLLERS[controller].include?(module_name)
       end
 
+      if options[:route]
+        Devise::ROUTES.unshift options[:route] unless Devise::ROUTES.include?(options[:route])
+      end
+
       if options[:model]
         Devise::Models.module_eval do
           autoload :"#{module_name.to_s.classify}", options[:model]

lib/devise/controllers/helpers.rb

@@ -5,8 +5,8 @@ module Devise
 
       def self.included(base)
         base.class_eval do
-          helper_method :warden, :signed_in?, :devise_controller?,
-                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?"] }.flatten
+          helper_method :warden, :signed_in?, :devise_controller?, :anybody_signed_in?,
+                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?", :"#{m}_session"] }.flatten
 
           # Use devise default_url_options. We have to declare it here to overwrite
           # default definitions.
@@ -48,6 +48,12 @@ module Devise
         warden.authenticate?(:scope => scope)
       end
 
+      # Check if the any scope is signed in session, without running
+      # authentication hooks.
+      def anybody_signed_in?
+        Devise.mappings.keys.any? { |scope| signed_in?(scope) }
+      end
+
       # Sign in an user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #
@@ -60,6 +66,7 @@ module Devise
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
         warden.set_user(resource, :scope => scope)
+        @_session = request.session # Recalculate session
       end
 
       # Sign out a given user or scope. This helper is useful for signing out an user
@@ -86,7 +93,8 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
+        key = "#{scope}.return_to"
+        session.delete(key) || session.delete(key.to_sym)
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -99,13 +107,13 @@ module Devise
       #
       #   map.user_root '/users', :controller => 'users' # creates user_root_path
       #
-      #   map.resources :users do |users|
-      #     users.root # creates user_root_path
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
       #   end
       #
       #
-      # If none of these are defined, root_path is used. However, if this default
-      # is not enough, you can customize it, for example:
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
       #
       #   def after_sign_in_path_for(resource)
       #     if resource.is_a?(User) && resource.can_publish?
@@ -117,7 +125,7 @@ module Devise
       #
       def after_sign_in_path_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
+        home_path = "#{scope}_root_path"
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
@@ -139,7 +147,11 @@ module Devise
       def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
-        sign_in(scope, resource) unless skip
+        if skip
+          @_session = request.session # Recalculate session
+        else
+          sign_in(scope, resource)
+        end
         redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
@@ -151,6 +163,20 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden.
+      def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
+        warden.raw_session.inspect
+        warden.logout
+      end
+
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to
@@ -167,7 +193,7 @@ module Devise
       #     user_signed_in?     # Checks whether there is an user signed in or not
       #     admin_signed_in?    # Checks whether there is an admin signed in or not
       #     current_user        # Current signed in user
-      #     current_admin       # Currend signed in admin
+      #     current_admin       # Current signed in admin
       #     user_session        # Session data available only to the user scope
       #     admin_session       # Session data available only to the admin scope
       #

lib/devise/controllers/internal_helpers.rb

@@ -14,7 +14,7 @@ module Devise
           hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
 
           skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
-          before_filter :is_devise_resource?
+          prepend_before_filter :is_devise_resource?
         end
       end
 

lib/devise/failure_app.rb

@@ -22,12 +22,8 @@ module Devise
       options = @env['warden.options']
       scope   = options[:scope]
 
-      redirect_path = if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
-      else
-        "/#{default_url}"
-      end
-      query_string = query_string_for(options)
+      redirect_path = redirect_path_for(scope)
+      query_string  = query_string_for(options)
       store_location!(scope)
 
       headers = {}
@@ -54,12 +50,23 @@ module Devise
       Rack::Utils.build_query(params)
     end
 
+    # Build the path based on current scope.
+    def redirect_path_for(scope)
+      if mapping = Devise.mappings[scope]
+        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+    end
+
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
     def store_location!(scope)
-      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
+      if request && request.get? && !request.xhr?
+        session[:"#{scope}.return_to"] = request.request_uri
+      end
     end
   end
 end

lib/devise/hooks/rememberable.rb

@@ -3,7 +3,7 @@
 # that specific user and adds a cookie with this user info to sign in this user
 # automatically without asking for credentials. Refer to rememberable strategy
 # for more info.
-Warden::Manager.after_authentication do |record, warden, options|
+Warden::Manager.prepend_after_authentication do |record, warden, options|
   scope = options[:scope]
   remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
 
@@ -11,20 +11,25 @@ Warden::Manager.after_authentication do |record, warden, options|
      warden.authenticated?(scope) && record.respond_to?(:remember_me!)
     record.remember_me!
 
-    warden.response.set_cookie "remember_#{scope}_token", {
+    cookie_options = {
       :value => record.class.serialize_into_cookie(record),
       :expires => record.remember_expires_at,
       :path => "/"
-    }
+    }.merge record.cookie_options
+
+    warden.response.set_cookie "remember_#{scope}_token", cookie_options
   end
 end
 
 # Before logout hook to forget the user in the given scope, only if rememberable
 # is activated for this scope. Also clear remember token to ensure the user
 # won't be remembered again.
-Warden::Manager.before_logout do |record, warden, scope|
+# Notice that we forget the user if the record is frozen. This usually means the
+# user was just deleted.
+Warden::Manager.before_logout do |record, warden, options|
+  scope = options[:scope]
   if record.respond_to?(:forget_me!)
-    record.forget_me!
-    warden.response.delete_cookie "remember_#{scope}_token"
+    record.forget_me! unless record.frozen?
+    warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
   end
-end
+end

lib/devise/locales/en.yml

@@ -21,7 +21,7 @@ en:
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
       link: 'Sign up'
-      signed_up: 'You have signed up successfully.'
+      signed_up: 'You have signed up successfully. If enabled, a confirmation was sent to your e-mail.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
     unlocks:

lib/devise/mapping.rb

@@ -22,7 +22,7 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix, :route_options
+    attr_reader :name, :as, :path_names, :path_prefix, :route_options, :sign_out_via
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
@@ -34,26 +34,19 @@ module Devise
       nil
     end
 
-    # Find a mapping by a given class. It takes into account single table inheritance as well.
-    def self.find_by_class(klass)
-      Devise.mappings.each_value do |mapping|
-        return mapping if klass <= mapping.to
-      end
-      nil
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
       case duck
       when String, Symbol
-        duck
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
       else
-        klass = duck.is_a?(Class) ? duck : duck.class
-        mapping = Devise::Mapping.find_by_class(klass)
-        raise "Could not find a valid mapping for #{duck}" unless mapping
-        mapping.name
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
       end
+
+      raise "Could not find a valid mapping for #{duck}"
     end
 
     # Default url options which can be used as prefix.
@@ -71,6 +64,8 @@ module Devise
 
       @path_names = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(options.delete(:path_names) || {})
+
+      @sign_out_via = (options.delete(:sign_out_via) || :get)
     end
 
     # Return modules for the mapping.
@@ -103,13 +98,17 @@ module Devise
 
     # Returns the parsed path taking into account the relative url root and raw path.
     def parsed_path
-      returning (ActionController::Base.relative_url_root.to_s + raw_path) do |path|
+      (ActionController::Base.relative_url_root.to_s + raw_path).tap do |path|
         self.class.default_url_options.each do |key, value|
           path.gsub!(key.inspect, value.to_param)
         end
       end
     end
 
+    def authenticatable?
+      @authenticatable ||= self.for.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

lib/devise/models.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable'
+    autoload :DatabaseAuthenticatable, 'devise/models/database_authenticatable'
     autoload :Confirmable, 'devise/models/confirmable'
     autoload :Lockable, 'devise/models/lockable'
     autoload :Recoverable, 'devise/models/recoverable'
@@ -57,7 +57,12 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-      options  = modules.extract_options!
+      options = modules.extract_options!
+
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
 
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 

lib/devise/models/confirmable.rb

@@ -57,18 +57,13 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
+        generate_confirmation_token! if self.confirmation_token.nil?
         ::DeviseMailer.deliver_confirmation_instructions(self)
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
-      def resend_confirmation!
-        unless_confirmed do
-          generate_confirmation_token
-          save(false)
-          send_confirmation_instructions
-        end
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -76,16 +71,12 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        super && (confirmed? || confirmation_period_valid?)
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        if !confirmed?
-          :unconfirmed
-        else
-          super
-        end
+        !confirmed? ? :unconfirmed : super
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -144,6 +135,10 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
+        def generate_confirmation_token!
+          generate_confirmation_token && save(false)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
@@ -151,7 +146,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable.resend_confirmation_token unless confirmable.new_record?
           confirmable
         end
 
@@ -159,8 +154,8 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm!(attributes={})
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
           confirmable.confirm! unless confirmable.new_record?
           confirmable
         end

lib/devise/models/database_authenticatable.rb

@@ -1,5 +1,4 @@
-require 'devise/strategies/authenticatable'
-require 'devise/strategies/http_authenticatable'
+require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
@@ -27,7 +26,7 @@ module Devise
     #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
-    module Authenticatable
+    module DatabaseAuthenticatable
       def self.included(base)
         base.class_eval do
           extend ClassMethods
@@ -56,13 +55,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
-      end
-
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token == self.authentication_token
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Checks if a resource is valid upon authentication.
@@ -79,19 +72,17 @@ module Devise
       # error on :current_password. It also automatically rejects :password and
       # :password_confirmation if they are blank.
       def update_with_password(params={})
-        # TODO Remove me in next release
-        if params[:old_password].present?
-          params[:current_password] ||= params[:old_password]
-          ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
+        current_password = params.delete(:current_password)
+
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
         end
 
-        params.delete(:password) if params[:password].blank?
-        params.delete(:password_confirmation) if params[:password_confirmation].blank?
-
-        result = if valid_password?(params[:current_password])
+        result = if valid_password?(current_password)
           update_attributes(params)
         else
-          message = params[:current_password].blank? ? :blank : :invalid
+          message = current_password.blank? ? :blank : :invalid
           self.class.add_error_on(self, :current_password, message, false)
           self.attributes = params
           false
@@ -103,6 +94,13 @@ module Devise
 
       protected
 
+        # Checks whether a password is needed or not. For validations only.
+        # Passwords are always required if it's a new record, or if the password
+        # or confirmation are being set somewhere.
+        def password_required?
+          new_record? || !password.nil? || !password_confirmation.nil?
+        end
+
         # Digests the password using the configured encryptor.
         def password_digest(password)
           self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
@@ -120,11 +118,6 @@ module Devise
           resource if resource.try(:valid_for_authentication?, attributes)
         end
 
-        # Authenticate an user using http.
-        def authenticate_with_http(username, password)
-          authenticate(authentication_keys.first => username, :password => password)
-        end
-
         # Returns the class for the configured encryptor.
         def encryptor_class
           @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
@@ -145,7 +138,6 @@ module Devise
         def find_for_authentication(conditions)
           find(:first, :conditions => conditions)
         end
-
       end
     end
   end

lib/devise/models/http_authenticatable.rb

@@ -0,0 +1,23 @@
+require 'devise/strategies/http_authenticatable'
+
+module Devise
+  module Models
+    # Adds HttpAuthenticatable behavior to your model. It expects that your
+    # model class responds to authenticate method
+    # (which for example is defined in authenticatable).
+    module HttpAuthenticatable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :authentication_keys)
+
+        # Authenticate an user using http.
+        def authenticate_with_http(username, password)
+          authenticate(authentication_keys.first => username, :password => password)
+        end
+      end
+    end
+  end
+end

lib/devise/models/lockable.rb

@@ -27,23 +27,21 @@ module Devise
       end
 
       # Lock an user setting it's locked_at to actual time.
-      def lock
+      def lock_access!
+        return true if access_locked?
         self.locked_at = Time.now
-        if unlock_strategy_enabled?(:email)
+
+        if self.class.unlock_strategy_enabled?(:email)
           generate_unlock_token
           send_unlock_instructions
         end
-      end
 
-      # Lock an user also saving the record.
-      def lock!
-        lock
         save(false)
       end
 
       # Unlock an user by cleaning locket_at and failed_attempts.
-      def unlock!
-        if_locked do
+      def unlock_access!
+        if_access_locked do
           self.locked_at = nil
           self.failed_attempts = 0
           self.unlock_token = nil
@@ -52,7 +50,7 @@ module Devise
       end
 
       # Verifies whether a user is locked or not.
-      def locked?
+      def access_locked?
         locked_at && !lock_expired?
       end
 
@@ -62,28 +60,20 @@ module Devise
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock!
-        if_locked do
-          generate_unlock_token unless unlock_token.present?
-          save(false)
-          send_unlock_instructions
-        end
+      def resend_unlock_token
+        if_access_locked { send_unlock_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
       # by verifying whether an user is active to sign in or not based on locked?
       def active?
-        super && !locked?
+        super && !access_locked?
       end
 
       # Overwrites invalid_message from Devise::Models::Authenticatable to define
       # the correct reason for blocking the sign in.
       def inactive_message
-        if locked?
-          :locked
-        else
-          super
-        end
+        access_locked? ? :locked : super
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
@@ -94,7 +84,7 @@ module Devise
           self.failed_attempts = 0
         else
           self.failed_attempts += 1
-          lock if failed_attempts > self.class.maximum_attempts
+          lock_access! if failed_attempts > self.class.maximum_attempts
         end
         save(false) if changed?
         result
@@ -109,7 +99,7 @@ module Devise
 
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
-          if unlock_strategy_enabled?(:time)
+          if self.class.unlock_strategy_enabled?(:time)
             locked_at && locked_at < self.class.unlock_in.ago
           else
             false
@@ -118,8 +108,8 @@ module Devise
 
         # Checks whether the record is locked or not, yielding to the block
         # if it's locked, otherwise adds an error to email.
-        def if_locked
-          if locked?
+        def if_access_locked
+          if access_locked?
             yield
           else
             self.class.add_error_on(self, :email, :not_locked)
@@ -127,11 +117,6 @@ module Devise
           end
         end
 
-        # Is the unlock enabled for the given unlock strategy?
-        def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.class.unlock_strategy)
-        end
-
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
@@ -139,7 +124,7 @@ module Devise
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
          lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-         lockable.resend_unlock! unless lockable.new_record?
+         lockable.resend_unlock_token unless lockable.new_record?
          lockable
         end
 
@@ -147,12 +132,17 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
-        def unlock!(attributes={})
-          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
-          lockable.unlock! unless lockable.new_record?
+        def unlock_access_by_token(unlock_token)
+          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          lockable.unlock_access! unless lockable.new_record?
           lockable
         end
 
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
         Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
       end
     end

lib/devise/models/recoverable.rb

@@ -69,7 +69,7 @@ module Devise
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password!(attributes={})
+        def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
           recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) unless recoverable.new_record?
           recoverable

lib/devise/models/rememberable.rb

@@ -19,6 +19,9 @@ module Devise
     #                 time for the cookie created to remember the user.
     #                 By default remember_for is 2.weeks.
     #
+    #   cookie_options: configuration options passed to the created cookie.
+    #
+    #
     # Examples:
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -72,6 +75,10 @@ module Devise
         remember_created_at + self.class.remember_for
       end
 
+      def cookie_options
+        self.class.cookie_options
+      end
+
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
@@ -85,7 +92,7 @@ module Devise
           record if record.try(:valid_remember_token?, record_token)
         end
 
-        Devise::Models.config(self, :remember_for)
+        Devise::Models.config(self, :remember_for, :cookie_options)
       end
     end
   end

lib/devise/models/token_authenticatable.rb

@@ -3,7 +3,7 @@ require 'devise/strategies/token_authenticatable'
 module Devise
   module Models
     # Token Authenticatable Module, responsible for generate authentication token and validating
-    # authenticity of a user while signing in using a authentication token (say follows an URL).
+    # authenticity of a user while signing in using an authentication token (say follows an URL).
     #
     # == Configuration:
     #

lib/devise/models/validatable.rb

@@ -15,7 +15,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
           validates_format_of     :email, :with  => EMAIL_REGEX, :allow_blank => true
 
           with_options :if => :password_required? do |v|
@@ -34,15 +34,6 @@ module Devise
                 "to the following methods: #{unavailable_validations.to_sentence}."
         end
       end
-
-      protected
-
-        # Checks whether a password is needed or not. For validations only.
-        # Passwords are always required if it's a new record, or if the password
-        # or confirmation are being set somewhere.
-        def password_required?
-          new_record? || !password.nil? || !password_confirmation.nil?
-        end
     end
   end
 end

lib/devise/orm/mongo_mapper.rb

@@ -22,14 +22,11 @@ module Devise
       end
       
       def find(*args)
-        options = args.extract_options!
         case args.first
-          when :first
-            first(options)
-          when :all
-            all(options)
-          else
-            super
+        when :first, :all
+          send(args.shift, *args)
+        else
+          super
         end
       end
       
@@ -46,5 +43,10 @@ module Devise
   end
 end
 
-MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
-MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+if MongoMapper::Version >= "0.8.0"
+  MongoMapper::Plugins::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::Plugins::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+else
+  MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+end

lib/devise/rails/routes.rb

@@ -66,6 +66,12 @@ module ActionController::Routing
       #
       #    map.devise_for :users, :path_prefix => "/:locale"
       #
+      #  * :sign_out_via => restirct the HTTP method(s) accepted for the :sign_out action (default: :get), possible values are :post, :get, :put, :delete and :any, e.g. if you wish to restrict this to accept only :delete requests you should do:
+      #
+      #    map.devise_for :users, :sign_out_via => :delete
+      #
+      #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+      #
       #  Any other options will be passed to route definition. If you need conditions for your routes, just map:
       #
       #    map.devise_for :users, :conditions => { :subdomain => /.+/ }
@@ -97,11 +103,13 @@ module ActionController::Routing
 
       protected
 
-        def authenticatable(routes, mapping)
+        def database_authenticatable(routes, mapping)
           routes.with_options(:controller => 'sessions', :name_prefix => nil) do |session|
             session.send(:"new_#{mapping.name}_session",     mapping.path_names[:sign_in],  :action => 'new',     :conditions => { :method => :get })
             session.send(:"#{mapping.name}_session",         mapping.path_names[:sign_in],  :action => 'create',  :conditions => { :method => :post })
-            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], :action => 'destroy', :conditions => { :method => :get })
+            destroy_options = { :action => 'destroy' }
+            destroy_options.merge! :conditions => { :method => mapping.sign_out_via } unless mapping.sign_out_via == :any
+            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], destroy_options)
           end
         end
 

lib/devise/rails/warden_compat.rb

@@ -22,4 +22,42 @@ class Warden::SessionSerializer
     klass, id = keys
     klass.find(:first, :conditions => { :id => id })
   end
-end
+end
+
+class ActionController::Request
+  def reset_session
+    session.destroy if session && session.respond_to?(:destroy)
+    self.session = {}
+  end
+end
+
+# Solve a bug in Rails where Set-Cookie is returning an array.
+class Devise::CookieSanitizer
+  SET_COOKIE = "Set-Cookie".freeze
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    response = @app.call(env)
+    headers = response[1]
+    cookies = headers[SET_COOKIE]
+    if cookies.respond_to?(:join)
+      headers[SET_COOKIE] = cookies.join("\n").squeeze("\n")
+    end
+    response
+  end
+end
+
+Rails.configuration.middleware.insert_after ActionController::Failsafe, Devise::CookieSanitizer
+
+Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+  if options[:scope] && warden.authenticated?(options[:scope])
+    request = warden.request
+    backup = request.session.to_hash
+    backup.delete(:session_id)
+    request.reset_session
+    request.session.update(backup)
+  end
+end

lib/devise/schema.rb

@@ -3,47 +3,55 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
+    def authenticatable(*args)
+      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
+      database_authenticatable(*args)
+    end
+
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :encryptor - The encryptor going to be used, necessary for setting the proper encrypter password length.
-    def authenticatable(options={})
-      null       = options[:null] || false
-      encryptor  = options[:encryptor] || (respond_to?(:encryptor) ? self.encryptor : :sha1)
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options[:default] || ""
 
-      apply_schema :email,              String, :null => null
-      apply_schema :encrypted_password, String, :null => null, :limit => Devise::ENCRYPTORS_LENGTH[encryptor]
-      apply_schema :password_salt,      String, :null => null
+      if options.delete(:encryptor)
+        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
+      end
+
+      apply_schema :email,              String, :null => null, :default => default
+      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
+      apply_schema :password_salt,      String, :null => null, :default => default
     end
 
     # Creates authentication_token.
     def token_authenticatable
-      apply_schema :authentication_token, String, :limit => 20
+      apply_schema :authentication_token, String
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
     def confirmable
-      apply_schema :confirmation_token,   String, :limit => 20
+      apply_schema :confirmation_token,   String
       apply_schema :confirmed_at,         DateTime
       apply_schema :confirmation_sent_at, DateTime
     end
 
     # Creates reset_password_token.
     def recoverable
-      apply_schema :reset_password_token, String, :limit => 20
+      apply_schema :reset_password_token, String
     end
 
     # Creates remember_token and remember_created_at.
     def rememberable
-      apply_schema :remember_token,      String, :limit => 20
+      apply_schema :remember_token,      String
       apply_schema :remember_created_at, DateTime
     end
 
     # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
     # current_sign_in_ip, last_sign_in_ip.
     def trackable
-      apply_schema :sign_in_count,      Integer
+      apply_schema :sign_in_count,      Integer, :default => 0
       apply_schema :current_sign_in_at, DateTime
       apply_schema :last_sign_in_at,    DateTime
       apply_schema :current_sign_in_ip, String
@@ -53,7 +61,7 @@ module Devise
     # Creates failed_attempts, unlock_token and locked_at
     def lockable
       apply_schema :failed_attempts, Integer, :default => 0
-      apply_schema :unlock_token,    String, :limit => 20
+      apply_schema :unlock_token,    String
       apply_schema :locked_at,       DateTime
     end
 

lib/devise/strategies/database_authenticatable.rb

@@ -4,7 +4,7 @@ module Devise
   module Strategies
     # Default strategy for signing in a user, based on his email and password.
     # Redirects to sign_in page if it's not authenticated
-    class Authenticatable < Base
+    class DatabaseAuthenticatable < Base
       def valid?
         valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate)
       end
@@ -16,14 +16,14 @@ module Devise
         if resource = mapping.to.authenticate(params[scope])
           success!(resource)
         else
-          fail!(:invalid)
+          fail(:invalid)
         end
       end
 
       protected
 
         def valid_controller?
-          params[:controller] == 'sessions'
+          params[:controller] =~ /sessions$/
         end
 
         def valid_params?
@@ -33,4 +33,4 @@ module Devise
   end
 end
 
-Warden::Strategies.add(:authenticatable, Devise::Strategies::Authenticatable)
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

lib/devise/strategies/http_authenticatable.rb

@@ -14,7 +14,7 @@ module Devise
         if resource = mapping.to.authenticate_with_http(username, password)
           success!(resource)
         else
-          custom!([401, custom_headers, ["HTTP Basic: Access denied.\n"]])
+          custom!([401, custom_headers, [response_body]])
         end
       end
 
@@ -24,6 +24,12 @@ module Devise
         decode_credentials(request).split(/:/, 2)
       end
 
+      def response_body
+        body   = "HTTP Basic: Access denied."
+        method = :"to_#{request_format.to_sym}"
+        {}.respond_to?(method) ? { :error => body }.send(method) : body
+      end
+
       def http_authentication
         request.env['HTTP_AUTHORIZATION']   ||
         request.env['X-HTTP_AUTHORIZATION'] ||
@@ -38,10 +44,14 @@ module Devise
 
       def custom_headers
         {
-          "Content-Type" => "text/plain",
+          "Content-Type" => request_format.to_s,
           "WWW-Authenticate" => %(Basic realm="#{Devise.http_authentication_realm.gsub(/"/, "")}")
         }
       end
+
+      def request_format
+        @request_format ||= Mime::Type.lookup_by_extension(request.template_format.to_s)
+      end
     end
   end
 end

lib/devise/test_helpers.rb

@@ -24,6 +24,10 @@ module Devise
         catch_with_redirect { super }
       end
 
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
       def catch_with_redirect(&block)
         result = catch(:warden, &block)
 

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.0.0".freeze
+  VERSION = "1.0.11".freeze
 end

test/controllers/helpers_test.rb

@@ -36,6 +36,13 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.signed_in?(:my_scope)
   end
 
+  test 'proxy anybody_signed_in? to signed_in?' do
+    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+      @controller.expects(:signed_in?).with(scope)
+    }
+    @controller.anybody_signed_in?
+  end
+
   test 'proxy current_admin to authenticate with admin scope' do
     @mock_warden.expects(:authenticate).with(:scope => :admin)
     @controller.current_admin

test/devise_test.rb

@@ -25,7 +25,7 @@ class DeviseTest < ActiveSupport::TestCase
     Devise.configure_warden(config)
 
     assert_equal Devise::FailureApp, config.failure_app
-    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable], config.default_strategies
+    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable], config.default_strategies
     assert_equal :user, config.default_scope
     assert config.silence_missing_strategies?
   end
@@ -63,6 +63,11 @@ class DeviseTest < ActiveSupport::TestCase
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:fruits)
 
+    assert_nothing_raised(Exception) { Devise.add_module(:carrot, :route => :vegetable) }
+    assert_equal 1, Devise::ROUTES.select { |v| v == :vegetable }.size
+    Devise::ALL.delete(:carrot)
+    Devise::ROUTES.delete(:vegetable)
+
     assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
     assert defined?(Devise::Models::AuthenticatableAgain)
   end

test/integration/authenticatable_test.rb

@@ -190,6 +190,14 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_nil session[:"user.return_to"]
   end
 
+  test 'xml http requests does not store urls for redirect' do
+    xhr :get, users_path
+    assert_nil session[:"user.return_to"]
+
+    sign_in_as_user
+    assert_template 'home/index'
+  end
+
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
@@ -210,6 +218,17 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session[:session_id]
+
+    get '/users'
+    assert_equal session_id, request.session[:session_id]
+
+    sign_in_as_user
+    assert_not_equal session_id, request.session[:session_id]
+  end
+
   test 'renders the scoped view if turned on and view is available' do
     swap Devise, :scoped_views => true do
       assert_raise Webrat::NotFoundError do
@@ -269,3 +288,53 @@ class AuthenticationTest < ActionController::IntegrationTest
     end
   end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    visit send("new_#{scope}_session_path")
+    sign_in_as_user(:visit => false)
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    delete destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via post when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    post destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via get when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    get destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+end

test/integration/http_authenticatable_test.rb

@@ -16,6 +16,14 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     assert_equal 'Basic realm="Application"', headers["WWW-Authenticate"]
   end
 
+  test 'uses the request format as response content type' do
+    sign_in_as_new_user_with_http("unknown", "123456", :xml)
+    assert_equal 401, status
+    assert_equal "application/xml", headers["Content-Type"]
+    # Cannot assert this due to a bug between integration tests and rack on 2.3
+    # assert response.body.include?("<error>HTTP Basic: Access denied.</error>")
+  end
+
   test 'returns a custom response with www-authenticate and chosen realm' do
     swap Devise, :http_authentication_realm => "MyApp" do
       sign_in_as_new_user_with_http("unknown")
@@ -36,9 +44,9 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
 
   private
 
-    def sign_in_as_new_user_with_http(username="user@test.com", password="123456")
+    def sign_in_as_new_user_with_http(username="user@test.com", password="123456", format=:html)
       user = create_user
-      get users_path, {}, :authorization => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
+      get users_path(:format => format), {}, :authorization => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
       user
     end
 end

test/integration/lockable_test.rb

@@ -36,6 +36,16 @@ class LockTest < ActionController::IntegrationTest
     assert_equal 0, ActionMailer::Base.deliveries.size
   end
 
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit new_user_unlock_path
+    assert_response :success
+
+    swap Devise, :unlock_strategy => :time do
+      visit new_user_unlock_path
+      assert_response :not_found
+    end
+  end
+
   test 'user with invalid unlock token should not be able to unlock an account' do
     visit_user_unlock_with_token('invalid_token')
 
@@ -47,20 +57,19 @@ class LockTest < ActionController::IntegrationTest
 
   test "locked user should be able to unlock account" do
     user = create_user(:locked => true)
-    assert user.locked?
+    assert user.access_locked?
 
     visit_user_unlock_with_token(user.unlock_token)
 
     assert_template 'home/index'
     assert_contain 'Your account was successfully unlocked.'
 
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test "sign in user automatically after unlocking it's account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
-
     assert warden.authenticated?(:user)
   end
 
@@ -71,6 +80,16 @@ class LockTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(:locked => true)
+    user.update_attribute(:failed_attempts, User.maximum_attempts + 1)
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(:password => "invalid")
+    assert_contain 'Invalid email or password.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
       :sessions => { :admin => { :locked => "You are locked!" } }

test/integration/rack_middleware_test.rb

@@ -0,0 +1,47 @@
+require "test/test_helper"
+require "rack/test"
+
+class RackMiddlewareTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app
+    ActionController::Dispatcher.new
+  end
+
+  def warden
+    last_request.env['warden']
+  end
+
+  def with_custom_strategy
+    get '/'
+
+    Warden::Strategies.add(:custom_test) do
+      def valid?
+        true
+      end
+
+      def authenticate!
+        custom! [599, {
+            "X-Custom-Response" => "Custom response test",
+            "Content-type" => "text/plain"
+          }, "Custom response test"]
+      end
+    end
+
+    #ActionController::Dispatcher.middleware.use CustomStrategyInterceptor
+    default_strategies = warden.manager.config.default_strategies
+    warden.manager.config.default_strategies :custom_test
+    yield
+    warden.manager.config.default_strategies default_strategies
+  end
+
+  def test_custom_strategy_response
+    with_custom_strategy do
+      post('/users/sign_in')
+
+      assert_equal 599, last_response.status
+      assert_equal "Custom response test", last_response.body
+      assert_equal "Custom response test", last_response.headers["X-Custom-Response"]
+    end
+  end
+end

test/integration/registerable_test.rb

@@ -28,8 +28,7 @@ class RegistrationTest < ActionController::IntegrationTest
     fill_in 'password confirmation', :with => 'new_user123'
     click_button 'Sign up'
 
-    assert_equal true, @controller.send(:flash)[:"user_signed_up"]
-    assert_equal "You have signed up successfully.", @controller.send(:flash)[:notice]
+    assert_equal "You have signed up successfully. If enabled, a confirmation was sent to your e-mail.", @controller.send(:flash)[:notice]
 
     # For some reason flash is not being set correctly, so instead of getting the
     # "signed_up" message we get the unconfirmed one. Seems to be an issue with
@@ -38,6 +37,8 @@ class RegistrationTest < ActionController::IntegrationTest
     # assert_contain 'You have signed up successfully.'
     # assert_not_contain 'confirm your account'
 
+    follow_redirect!
+    assert_contain 'Sign in'
     assert_not warden.authenticated?(:user)
 
     user = User.last
@@ -118,6 +119,19 @@ class RegistrationTest < ActionController::IntegrationTest
     assert User.first.valid_password?('pas123')
   end
 
+  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+    sign_in_as_user
+    get edit_user_registration_path
+  
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => ''
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+  
+    assert_contain "Password doesn't match confirmation"
+    assert_not User.first.valid_password?('pas123')
+  end
+
   test 'a signed in user should be able to cancel his account' do
     sign_in_as_user
     visit edit_user_registration_path

test/integration/rememberable_test.rb

@@ -20,6 +20,13 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_not_nil user.reload.remember_token
   end
 
+  test 'cookie_options should be applied to cookies' do
+    swap Devise, :cookie_options => { :value => 'dont-do-that' } do
+      user = sign_in_as_user :remember_me => true
+      assert_equal 'dont-do-that', cookies['remember_user_token']
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path
@@ -28,6 +35,14 @@ class RememberMeTest < ActionController::IntegrationTest
     assert warden.user(:user) == user
   end
 
+  test 'does not remember other scopes' do
+    user = create_user_and_remember
+    get root_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+
   test 'do not remember with invalid token' do
     user = create_user_and_remember('add')
     get users_path
@@ -59,5 +74,16 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     get users_path
     assert_not warden.authenticated?(:user)
+    assert_equal cookies['remember_user_token'], ''
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap HomeController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
   end
 end

test/integration/trackable_test.rb

@@ -39,7 +39,7 @@ class TrackableHooksTest < ActionController::IntegrationTest
 
   test "increase sign in count" do
     user = create_user
-    assert_nil user.sign_in_count
+    assert_equal 0, user.sign_in_count
 
     sign_in_as_user
     user.reload

test/mailers/confirmation_instructions_test.rb

@@ -63,6 +63,12 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     end
   end
 
+  test 'content type should be set to plain when manually configured' do
+    swap Devise, :mailer_content_type => "text/plain" do
+      assert_equal "text/plain", mail.content_type
+    end
+  end
+
   test 'renders a scoped if scoped_views is set in the mailer class' do
     begin
       DeviseMailer.scoped_views = true

test/mailers/unlock_instructions_test.rb

@@ -10,7 +10,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   def user
     @user ||= begin
       user = create_user
-      user.lock!
+      user.lock_access!
       user
     end
   end

test/mapping_test.rb

@@ -39,22 +39,17 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal Devise.mappings[:admin], Devise::Mapping.find_by_path("/admin_area/session")
   end
 
-  test 'find mapping by class' do
-    assert_nil Devise::Mapping.find_by_class(String)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(User)
-  end
-
-  test 'find mapping by class works with single table inheritance' do
-    klass = Class.new(User)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(klass)
-  end
-
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
+  test 'find scope works with single table inheritance' do
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User))
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)
@@ -137,6 +132,16 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal({ :requirements => { :extra => 'value' } }, Devise.mappings[:manager].route_options)
   end
 
+  test 'sign_out_via defaults to :get' do
+    assert_equal :get, Devise.mappings[:user].sign_out_via
+  end
+
+  test 'allows custom sign_out_via to be given' do
+    assert_equal :delete, Devise.mappings[:sign_out_via_delete].sign_out_via
+    assert_equal :post,   Devise.mappings[:sign_out_via_post].sign_out_via
+    assert_equal :any,    Devise.mappings[:sign_out_via_anymethod].sign_out_via
+  end
+
   test 'magic predicates' do
     mapping = Devise.mappings[:user]
     assert mapping.authenticatable?

test/models/confirmable_test.rb

@@ -11,15 +11,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil create_user.confirmation_token
   end
 
-  test 'should regenerate confirmation token each time' do
-    user = create_user
-    3.times do
-      token = user.confirmation_token
-      user.resend_confirmation!
-      assert_not_equal token, user.confirmation_token
-    end
-  end
-
   test 'should never generate the same confirmation token for different users' do
     confirmation_tokens = []
     3.times do
@@ -62,19 +53,19 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should find and confirm an user automatically' do
     user = create_user
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert_equal confirmed_user, user
     assert user.reload.confirmed?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => 'invalid_confirmation_token')
+    confirmed_user = User.confirm_by_token('invalid_confirmation_token')
     assert confirmed_user.new_record?
     assert_match /invalid/, confirmed_user.errors[:confirmation_token]
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => '')
+    confirmed_user = User.confirm_by_token('')
     assert confirmed_user.new_record?
     assert_match /blank/, confirmed_user.errors[:confirmation_token]
   end
@@ -83,7 +74,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user = create_user
     user.confirmed_at = Time.now
     user.save
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert confirmed_user.confirmed?
     assert confirmed_user.errors[:email]
   end
@@ -137,19 +128,20 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal 'not found', confirmation_user.errors[:email]
   end
 
-  test 'should generate a confirmation token before send the confirmation instructions email' do
-    user = create_user
-    token = user.confirmation_token
-    confirmation_user = User.send_confirmation_instructions(:email => user.email)
-    assert_not_equal token, user.reload.confirmation_token
-  end
-
   test 'should send email instructions for the user confirm it\'s email' do
     user = create_user
     assert_email_sent do
       User.send_confirmation_instructions(:email => user.email)
     end
   end
+  
+  test 'should always have confirmation token when email is sent' do
+    user = new_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.save
+    user.send_confirmation_instructions
+    assert_not_nil user.reload.confirmation_token
+  end
 
   test 'should not resend email instructions if the user change his email' do
     user = create_user
@@ -173,7 +165,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
     user.confirm!
-    assert_not user.resend_confirmation!
+    assert_not user.resend_confirmation_token
     assert user.confirmed?
     assert_equal 'already confirmed', user.errors[:email]
   end
@@ -216,7 +208,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     Devise.confirm_within = 0.days
     user = create_user
     user.confirmation_sent_at = Date.today
-    assert_not user.active?
+    assert_not user.reload.active?
   end
 
   test 'should not be active without confirmation' do
@@ -225,4 +217,12 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert_not user.reload.active?
   end
+  
+  test 'should be active without confirmation when confirmation is not required' do
+    user = create_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.confirmation_sent_at = nil
+    user.save
+    assert user.reload.active?
+  end
 end

test/models/lockable_test.rb

@@ -17,14 +17,14 @@ class LockableTest < ActiveSupport::TestCase
     user = create_user
     attempts = Devise.maximum_attempts + 1
     attempts.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-    assert user.reload.locked?
+    assert user.reload.access_locked?
   end
 
   test "should respect maximum attempts configuration" do
     user = create_user
     swap Devise, :maximum_attempts => 2 do
       3.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-      assert user.reload.locked?
+      assert user.reload.access_locked?
     end
   end
 
@@ -36,40 +36,50 @@ class LockableTest < ActiveSupport::TestCase
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test "should verify wheter a user is locked or not" do
+  test "should verify whether a user is locked or not" do
     user = create_user
-    assert_not user.locked?
-    user.lock!
-    assert user.locked?
+    assert_not user.access_locked?
+    user.lock_access!
+    assert user.access_locked?
   end
 
   test "active? should be the opposite of locked?" do
     user = create_user
     user.confirm!
     assert user.active?
-    user.lock!
+    user.lock_access!
     assert_not user.active?
   end
 
   test "should unlock an user by cleaning locked_at, falied_attempts and unlock_token" do
     user = create_user
-    user.lock!
+    user.lock_access!
     assert_not_nil user.reload.locked_at
     assert_not_nil user.reload.unlock_token
-    user.unlock!
+
+    user.unlock_access!
     assert_nil user.reload.locked_at
     assert_nil user.reload.unlock_token
     assert 0, user.reload.failed_attempts
   end
 
+  test "should not lock a locked account" do
+    user = create_user
+    user.lock_access!
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      user.lock_access!
+    end
+  end
+
   test 'should not unlock an unlocked user' do
     user = create_user
-    assert_not user.unlock!
+
+    assert_not user.unlock_access!
     assert_match /not locked/, user.errors[:email]
   end
 
   test "new user should not be locked and should have zero failed_attempts" do
-    assert_not new_user.locked?
+    assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
   end
 
@@ -77,10 +87,10 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_in => 3.hours do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
 
       Devise.unlock_in = 1.hour
-      assert_not user.locked?
+      assert_not user.access_locked?
     end
   end
 
@@ -88,32 +98,22 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
     end
   end
 
   test "should set unlock_token when locking" do
     user = create_user
     assert_nil user.unlock_token
-    user.lock!
+    user.lock_access!
     assert_not_nil user.unlock_token
   end
 
-  test 'should not regenerate unlock token if it already exists' do
-    user = create_user
-    user.lock!
-    3.times do
-      token = user.unlock_token
-      user.resend_unlock!
-      assert_equal token, user.unlock_token
-    end
-  end
-
   test "should never generate the same unlock token for different users" do
     unlock_tokens = []
     3.times do
       user = create_user
-      user.lock!
+      user.lock_access!
       token = user.unlock_token
       assert !unlock_tokens.include?(token)
       unlock_tokens << token
@@ -123,7 +123,7 @@ class LockableTest < ActiveSupport::TestCase
   test "should not generate unlock_token when :email is not an unlock strategy" do
     swap Devise, :unlock_strategy => :time do
       user = create_user
-      user.lock!
+      user.lock_access!
       assert_nil user.unlock_token
     end
   end
@@ -132,7 +132,7 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = create_user
       assert_email_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
@@ -141,42 +141,42 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :time do
       user = create_user
       assert_email_not_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
 
   test 'should find and unlock an user automatically' do
     user = create_user
-    user.lock!
-    locked_user = User.unlock!(:unlock_token => user.unlock_token)
+    user.lock_access!
+    locked_user = User.unlock_access_by_token(user.unlock_token)
     assert_equal locked_user, user
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    locked_user = User.unlock!(:unlock_token => 'invalid_token')
+    locked_user = User.unlock_access_by_token('invalid_token')
     assert locked_user.new_record?
     assert_match /invalid/, locked_user.errors[:unlock_token]
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    locked_user = User.unlock!(:unlock_token => '')
+    locked_user = User.unlock_access_by_token('')
     assert locked_user.new_record?
     assert_match /blank/, locked_user.errors[:unlock_token]
   end
 
   test 'should authenticate a unlocked user' do
     user = create_user
-    user.lock!
-    user.unlock!
+    user.lock_access!
+    user.unlock_access!
     authenticated_user = User.authenticate(:email => user.email, :password => user.password)
     assert_equal authenticated_user, user
   end
 
   test 'should find a user to send unlock instructions' do
     user = create_user
-    user.lock!
+    user.lock_access!
     unlock_user = User.send_unlock_instructions(:email => user.email)
     assert_equal unlock_user, user
   end
@@ -194,8 +194,8 @@ class LockableTest < ActiveSupport::TestCase
 
   test 'should not be able to send instructions if the user is not locked' do
     user = create_user
-    assert_not user.resend_unlock!
-    assert_not user.locked?
+    assert_not user.resend_unlock_token
+    assert_not user.access_locked?
     assert_equal 'not locked', user.errors[:email]
   end
 

test/models/recoverable_test.rb

@@ -104,18 +104,18 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(:reset_password_token => user.reset_password_token)
+    reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token)
     assert_equal reset_password_user, user
   end
 
   test 'should a new record with errors if no reset_password_token is found' do
-    reset_password_user = User.reset_password!(:reset_password_token => 'invalid_token')
+    reset_password_user = User.reset_password_by_token(:reset_password_token => 'invalid_token')
     assert reset_password_user.new_record?
     assert_match /invalid/, reset_password_user.errors[:reset_password_token]
   end
 
   test 'should a new record with errors if reset_password_token is blank' do
-    reset_password_user = User.reset_password!(:reset_password_token => '')
+    reset_password_user = User.reset_password_by_token(:reset_password_token => '')
     assert reset_password_user.new_record?
     assert_match /blank/, reset_password_user.errors[:reset_password_token]
   end
@@ -125,7 +125,7 @@ class RecoverableTest < ActiveSupport::TestCase
     old_password = user.password
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(
+    reset_password_user = User.reset_password_by_token(
       :reset_password_token => user.reset_password_token,
       :password => 'new_password',
       :password_confirmation => 'new_password'

test/models_test.rb

@@ -1,7 +1,7 @@
 require 'test/test_helper'
 
 class Configurable < User
-  devise :authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
+  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
          :stretches => 15, :pepper => 'abcdef', :confirm_within => 5.days,
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
@@ -23,7 +23,21 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'add modules cherry pick' do
-    assert_include_modules Admin, :authenticatable, :registerable, :timeoutable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable
+  end
+
+  test 'order of module inclusion' do
+    correct_module_order   = [:database_authenticatable, :registerable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable]
+
+    assert_include_modules Admin, *incorrect_module_order
+
+    # get module constants from symbol list
+    module_constants = correct_module_order.collect { |mod| Devise::Models::const_get(mod.to_s.classify) }
+
+    # confirm that they adhere to the order in ALL
+    # get included modules, filter out the noise, and reverse the order
+    assert_equal module_constants, (Admin.included_modules & module_constants).reverse
   end
 
   test 'set a default value for stretches' do

test/orm/active_record.rb

@@ -8,7 +8,7 @@ ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":me
 ActiveRecord::Schema.define(:version => 1) do
   [:users, :admins, :accounts].each do |table|
     create_table table do |t|
-      t.authenticatable :null => table == :admins
+      t.database_authenticatable :null => table == :admins
 
       if table != :admin
         t.string :username

test/rails_app/app/active_record/admin.rb

@@ -1,5 +1,5 @@
 class Admin < ActiveRecord::Base
-  devise :authenticatable, :registerable, :timeoutable
+  devise :database_authenticatable, :registerable, :timeoutable
 
   def self.find_for_authentication(conditions)
     last(:conditions => conditions)

test/rails_app/app/active_record/user.rb

@@ -1,7 +1,7 @@
 class User < ActiveRecord::Base
-  devise :authenticatable, :confirmable, :lockable, :recoverable,
-         :registerable, :rememberable, :timeoutable, :token_authenticatable,
-         :trackable, :validatable
+  devise :database_authenticatable, :http_authenticatable, :confirmable,
+         :lockable, :recoverable, :registerable, :rememberable, :timeoutable,
+         :token_authenticatable, :trackable, :validatable
 
   attr_accessible :username, :email, :password, :password_confirmation
 end

test/rails_app/app/controllers/application_controller.rb

@@ -7,4 +7,6 @@ class ApplicationController < ActionController::Base
 
   # Scrub sensitive parameters from your log
   filter_parameter_logging :password
+
+  before_filter :current_user
 end

test/rails_app/app/mongo_mapper/admin.rb

@@ -1,9 +1,13 @@
 class Admin
   include MongoMapper::Document
-
-  devise :authenticatable, :timeoutable
+  devise :authenticatable, :registerable, :timeoutable
 
   def self.find_for_authentication(conditions)
-    last(:conditions => conditions, :order => "email")
+    last(:conditions => conditions)
+  end
+
+  def self.last(options={})
+    options.merge!(:order => 'email')
+    super options
   end
 end

test/rails_app/app/mongo_mapper/user.rb

@@ -1,7 +1,14 @@
 class User
   include MongoMapper::Document
   key :created_at, DateTime
-  devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable,
-         :validatable, :timeoutable, :lockable, :token_authenticatable
+  devise :authenticatable, :http_authenticatable, :confirmable, :lockable, :recoverable,
+         :registerable, :rememberable, :timeoutable, :token_authenticatable,
+         :trackable, :validatable
   # attr_accessible :username, :email, :password, :password_confirmation
+
+  def self.last(options={})
+    options.merge!(:order => 'email')
+    super options
+  end
+
 end

test/rails_app/config/environment.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file
 
 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
 DEVISE_ORM = :active_record unless defined? DEVISE_ORM
 
 # Bootstrap the Rails environment, frameworks, and default configuration
@@ -13,7 +13,7 @@ Rails::Initializer.run do |config|
   # -- all .rb files in that directory are automatically loaded.
 
   # Add additional load paths for your own custom dirs
-  config.load_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
+  config.autoload_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
 
   # Specify gems that this application depends on and have them installed with rake gems:install
   # config.gem "bj"

test/rails_app/config/initializers/devise.rb

@@ -35,6 +35,9 @@ Devise.setup do |config|
 
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me-omg@yourapp.com"
+  
+  # Configure the content type of DeviseMailer mails (defaults to text/html")
+  # config.mailer_content_type = "text/plain"
 
   # Load and configure the ORM. Supports :active_record, :data_mapper and :mongo_mapper.
   require "devise/orm/#{DEVISE_ORM}"

test/rails_app/config/routes.rb

@@ -12,6 +12,10 @@ ActionController::Routing::Routes.draw do |map|
   map.resources :admins, :only => :index
   map.root :controller => :home
 
+  map.devise_for :sign_out_via_deletes, :sign_out_via => :delete, :class_name => "User"
+  map.devise_for :sign_out_via_posts, :sign_out_via => :post, :class_name => "User"
+  map.devise_for :sign_out_via_anymethods, :sign_out_via => :any, :class_name => "User"
+
   map.connect '/admin_area/password/new', :controller => "passwords", :action => "new"
   map.admin_root '/admin_area/home', :controller => "admins", :action => "index"
 

test/routes_test.rb

@@ -107,4 +107,25 @@ class MapRoutingTest < ActionController::TestCase
   test 'map account with custom path name for registration' do
     assert_recognizes({:controller => 'registrations', :action => 'new', :locale => 'en', :extra => 'value'}, '/en/accounts/register')
   end
+
+  test 'map deletes with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :delete})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :get})
+    end
+  end
+
+  test 'map posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :post})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :get})
+    end
+  end
+
+  test 'map any methods with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :get})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :post})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :delete})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :put})
+  end
 end

test/support/integration_tests_helper.rb

@@ -14,7 +14,7 @@ class ActionController::IntegrationTest
         :created_at => Time.now.utc
       )
       user.confirm! unless options[:confirm] == false
-      user.lock! if options[:locked] == true
+      user.lock_access! if options[:locked] == true
       user
     end
   end
@@ -32,7 +32,7 @@ class ActionController::IntegrationTest
     user = create_user(options)
     visit new_user_session_path unless options[:visit] == false
     fill_in 'email', :with => 'user@test.com'
-    fill_in 'password', :with => '123456'
+    fill_in 'password', :with => options[:password] || '123456'
     check 'remember me' if options[:remember_me] == true
     yield if block_given?
     click_button 'Sign In'