Merge pull request #1750 from 0x000000/v1.0

Added ability to override redirect_to path after sending reset password ...

CHANGELOG.rdoc

@@ -1,3 +1,35 @@
+== 1.0.11
+
+* bug fix
+  * Make sure xhr requests do not store urls for redirect
+  * Squeeze break lines from cookies to avoid duplicated break lines
+
+== 1.0.10
+
+* bug fix
+  * Use secure compare when comparing passwords
+  * Improve email regexp
+  * Implement handle_unverified_request for Rails 2.3.11
+
+== 1.0.9
+
+* enhancements
+  * Extracted redirect path from Devise failure app to a new method, allowing override in custom failure apps
+  * Added sign_out_via
+
+* bug fix
+  * Email is now case insensitive
+  * Avoid session fixation attacks
+
+== 1.0.8
+
+* enhancements
+  * Support for latest MongoMapper
+  * Added anybody_signed_in? helper (by github.com/SSDany)
+
+* bug fix
+  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)
+
 == 1.0.7
 
 * bug fix

README.rdoc

@@ -32,11 +32,11 @@ Devise is based on Warden (http://github.com/hassox/warden), a Rack Authenticati
 
 Install warden gem if you don't have it installed:
 
-  sudo gem install warden
+  gem install warden
 
 Install devise gem:
 
-  sudo gem install devise --version=1.0.6
+  gem install devise --version=1.0.10
 
 Configure warden and devise gems inside your app:
 
@@ -240,6 +240,16 @@ Devise supports both ActiveRecord (default) and MongoMapper, and has experimenta
 
 Please refer to TODO file.
 
+== Security
+
+Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
+
+1) Look at the source code a bit to find out whether your assumptions are correct;
+2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
+3) E-mail us or send a Github private message instead of using the normal issues;
+
+Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
+
 == Maintainers
 
 * José Valim (http://github.com/josevalim)
@@ -247,7 +257,9 @@ Please refer to TODO file.
 
 == Contributors
 
-We have a long running list of contributors. Check them in the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
+We have a long running list of contributors. Check them all here:
+
+http://github.com/plataformatec/devise/contributors
 
 == Bugs and Feedback
 

Rakefile

@@ -37,7 +37,7 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION
+    s.version = Devise::VERSION.dup
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"

app/controllers/passwords_controller.rb

@@ -14,7 +14,7 @@ class PasswordsController < ApplicationController
 
     if resource.errors.empty?
       set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      redirect_to after_sending_reset_password_instructions_path_for(resource_name)
     else
       render_with_scope :new
     end
@@ -38,4 +38,10 @@ class PasswordsController < ApplicationController
       render_with_scope :edit
     end
   end
+
+  protected
+
+  def after_sending_reset_password_instructions_path_for(resource_name)
+    new_session_path(resource_name)
+  end
 end

app/controllers/registrations_controller.rb

@@ -3,13 +3,13 @@ class RegistrationsController < ApplicationController
   prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
   include Devise::Controllers::InternalHelpers
 
-  # GET /resource/sign_in
+  # GET /resource/sign_up
   def new
     build_resource
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 
@@ -50,4 +50,4 @@ class RegistrationsController < ApplicationController
       send(:"authenticate_#{resource_name}!")
       self.resource = send(:"current_#{resource_name}").dup
     end
-end
+end

devise.gemspec

@@ -1,174 +1,172 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.0.7"
+  s.version = "1.0.11"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-05-03}
+  s.date = %q{2011-03-11}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
     "README.rdoc",
-     "TODO"
+    "TODO"
   ]
   s.files = [
     "CHANGELOG.rdoc",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "TODO",
-     "app/controllers/confirmations_controller.rb",
-     "app/controllers/passwords_controller.rb",
-     "app/controllers/registrations_controller.rb",
-     "app/controllers/sessions_controller.rb",
-     "app/controllers/unlocks_controller.rb",
-     "app/models/devise_mailer.rb",
-     "app/views/confirmations/new.html.erb",
-     "app/views/devise_mailer/confirmation_instructions.html.erb",
-     "app/views/devise_mailer/reset_password_instructions.html.erb",
-     "app/views/devise_mailer/unlock_instructions.html.erb",
-     "app/views/passwords/edit.html.erb",
-     "app/views/passwords/new.html.erb",
-     "app/views/registrations/edit.html.erb",
-     "app/views/registrations/new.html.erb",
-     "app/views/sessions/new.html.erb",
-     "app/views/shared/_devise_links.erb",
-     "app/views/unlocks/new.html.erb",
-     "generators/devise/USAGE",
-     "generators/devise/devise_generator.rb",
-     "generators/devise/lib/route_devise.rb",
-     "generators/devise/templates/migration.rb",
-     "generators/devise/templates/model.rb",
-     "generators/devise_install/USAGE",
-     "generators/devise_install/devise_install_generator.rb",
-     "generators/devise_install/templates/README",
-     "generators/devise_install/templates/devise.rb",
-     "generators/devise_views/USAGE",
-     "generators/devise_views/devise_views_generator.rb",
-     "lib/devise.rb",
-     "lib/devise/controllers/helpers.rb",
-     "lib/devise/controllers/internal_helpers.rb",
-     "lib/devise/controllers/url_helpers.rb",
-     "lib/devise/encryptors/authlogic_sha512.rb",
-     "lib/devise/encryptors/base.rb",
-     "lib/devise/encryptors/bcrypt.rb",
-     "lib/devise/encryptors/clearance_sha1.rb",
-     "lib/devise/encryptors/restful_authentication_sha1.rb",
-     "lib/devise/encryptors/sha1.rb",
-     "lib/devise/encryptors/sha512.rb",
-     "lib/devise/failure_app.rb",
-     "lib/devise/hooks/activatable.rb",
-     "lib/devise/hooks/rememberable.rb",
-     "lib/devise/hooks/timeoutable.rb",
-     "lib/devise/hooks/trackable.rb",
-     "lib/devise/locales/en.yml",
-     "lib/devise/mapping.rb",
-     "lib/devise/models.rb",
-     "lib/devise/models/activatable.rb",
-     "lib/devise/models/confirmable.rb",
-     "lib/devise/models/database_authenticatable.rb",
-     "lib/devise/models/http_authenticatable.rb",
-     "lib/devise/models/lockable.rb",
-     "lib/devise/models/recoverable.rb",
-     "lib/devise/models/registerable.rb",
-     "lib/devise/models/rememberable.rb",
-     "lib/devise/models/timeoutable.rb",
-     "lib/devise/models/token_authenticatable.rb",
-     "lib/devise/models/trackable.rb",
-     "lib/devise/models/validatable.rb",
-     "lib/devise/orm/active_record.rb",
-     "lib/devise/orm/data_mapper.rb",
-     "lib/devise/orm/mongo_mapper.rb",
-     "lib/devise/rails.rb",
-     "lib/devise/rails/routes.rb",
-     "lib/devise/rails/warden_compat.rb",
-     "lib/devise/schema.rb",
-     "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/database_authenticatable.rb",
-     "lib/devise/strategies/http_authenticatable.rb",
-     "lib/devise/strategies/rememberable.rb",
-     "lib/devise/strategies/token_authenticatable.rb",
-     "lib/devise/test_helpers.rb",
-     "lib/devise/version.rb",
-     "rails/init.rb"
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/confirmations_controller.rb",
+    "app/controllers/passwords_controller.rb",
+    "app/controllers/registrations_controller.rb",
+    "app/controllers/sessions_controller.rb",
+    "app/controllers/unlocks_controller.rb",
+    "app/models/devise_mailer.rb",
+    "app/views/confirmations/new.html.erb",
+    "app/views/devise_mailer/confirmation_instructions.html.erb",
+    "app/views/devise_mailer/reset_password_instructions.html.erb",
+    "app/views/devise_mailer/unlock_instructions.html.erb",
+    "app/views/passwords/edit.html.erb",
+    "app/views/passwords/new.html.erb",
+    "app/views/registrations/edit.html.erb",
+    "app/views/registrations/new.html.erb",
+    "app/views/sessions/new.html.erb",
+    "app/views/shared/_devise_links.erb",
+    "app/views/unlocks/new.html.erb",
+    "generators/devise/USAGE",
+    "generators/devise/devise_generator.rb",
+    "generators/devise/lib/route_devise.rb",
+    "generators/devise/templates/migration.rb",
+    "generators/devise/templates/model.rb",
+    "generators/devise_install/USAGE",
+    "generators/devise_install/devise_install_generator.rb",
+    "generators/devise_install/templates/README",
+    "generators/devise_install/templates/devise.rb",
+    "generators/devise_views/USAGE",
+    "generators/devise_views/devise_views_generator.rb",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/locales/en.yml",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/activatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/http_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/data_mapper.rb",
+    "lib/devise/orm/mongo_mapper.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/http_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "rails/init.rb"
   ]
   s.homepage = %q{http://github.com/plataformatec/devise}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.6}
+  s.rubygems_version = %q{1.5.3}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
-     "test/controllers/internal_helpers_test.rb",
-     "test/controllers/url_helpers_test.rb",
-     "test/devise_test.rb",
-     "test/encryptors_test.rb",
-     "test/failure_app_test.rb",
-     "test/integration/authenticatable_test.rb",
-     "test/integration/confirmable_test.rb",
-     "test/integration/http_authenticatable_test.rb",
-     "test/integration/lockable_test.rb",
-     "test/integration/rack_middleware_test.rb",
-     "test/integration/recoverable_test.rb",
-     "test/integration/registerable_test.rb",
-     "test/integration/rememberable_test.rb",
-     "test/integration/timeoutable_test.rb",
-     "test/integration/token_authenticatable_test.rb",
-     "test/integration/trackable_test.rb",
-     "test/mailers/confirmation_instructions_test.rb",
-     "test/mailers/reset_password_instructions_test.rb",
-     "test/mailers/unlock_instructions_test.rb",
-     "test/mapping_test.rb",
-     "test/models/authenticatable_test.rb",
-     "test/models/confirmable_test.rb",
-     "test/models/lockable_test.rb",
-     "test/models/recoverable_test.rb",
-     "test/models/rememberable_test.rb",
-     "test/models/timeoutable_test.rb",
-     "test/models/token_authenticatable_test.rb",
-     "test/models/trackable_test.rb",
-     "test/models/validatable_test.rb",
-     "test/models_test.rb",
-     "test/orm/active_record.rb",
-     "test/orm/mongo_mapper.rb",
-     "test/rails_app/app/active_record/admin.rb",
-     "test/rails_app/app/active_record/user.rb",
-     "test/rails_app/app/controllers/admins_controller.rb",
-     "test/rails_app/app/controllers/application_controller.rb",
-     "test/rails_app/app/controllers/home_controller.rb",
-     "test/rails_app/app/controllers/users_controller.rb",
-     "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongo_mapper/admin.rb",
-     "test/rails_app/app/mongo_mapper/user.rb",
-     "test/rails_app/config/boot.rb",
-     "test/rails_app/config/environment.rb",
-     "test/rails_app/config/environments/development.rb",
-     "test/rails_app/config/environments/production.rb",
-     "test/rails_app/config/environments/test.rb",
-     "test/rails_app/config/initializers/devise.rb",
-     "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/new_rails_defaults.rb",
-     "test/rails_app/config/initializers/session_store.rb",
-     "test/rails_app/config/routes.rb",
-     "test/routes_test.rb",
-     "test/support/assertions_helper.rb",
-     "test/support/integration_tests_helper.rb",
-     "test/support/test_silencer.rb",
-     "test/support/tests_helper.rb",
-     "test/test_helper.rb",
-     "test/test_helpers_test.rb"
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/rack_middleware_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/authenticatable_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongo_mapper.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongo_mapper/admin.rb",
+    "test/rails_app/app/mongo_mapper/user.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/new_rails_defaults.rb",
+    "test/rails_app/config/initializers/session_store.rb",
+    "test/rails_app/config/routes.rb",
+    "test/routes_test.rb",
+    "test/support/assertions_helper.rb",
+    "test/support/integration_tests_helper.rb",
+    "test/support/test_silencer.rb",
+    "test/support/tests_helper.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<warden>, ["~> 0.10.3"])
     else
       s.add_dependency(%q<warden>, ["~> 0.10.3"])

generators/devise/templates/model.rb

@@ -1,7 +1,7 @@
 class <%= class_name %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
   # :http_authenticatable, :token_authenticatable, :confirmable, :lockable, :timeoutable and :activatable
-  devise :registerable, :authenticatable, :recoverable,
+  devise :registerable, :database_authenticatable, :recoverable,
          :rememberable, :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model

lib/devise.rb

@@ -72,6 +72,10 @@ module Devise
   # Email regex used to validate email formats. Adapted from authlogic.
   EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
 
+  # Custom domain for cookies. Not set by default
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
+
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
@@ -183,7 +187,9 @@ module Devise
 
     # Configure default url options to be used within Devise and ActionController.
     def default_url_options(&block)
-      Devise::Mapping.metaclass.send :define_method, :default_url_options, &block
+      who = Devise::Mapping.respond_to?(:singleton_class) ?
+        Devise::Mapping.singleton_class : Devise::Mapping.metaclass
+      who.send :define_method, :default_url_options, &block
     end
 
     # A method used internally to setup warden manager from the Rails initialize
@@ -208,6 +214,17 @@ module Devise
       ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
     end
 
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.present? && b.present?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
     # Make Devise aware of an 3rd party Devise-module. For convenience.
     #
     # == Options:

lib/devise/controllers/helpers.rb

@@ -5,7 +5,7 @@ module Devise
 
       def self.included(base)
         base.class_eval do
-          helper_method :warden, :signed_in?, :devise_controller?,
+          helper_method :warden, :signed_in?, :devise_controller?, :anybody_signed_in?,
                         *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?", :"#{m}_session"] }.flatten
 
           # Use devise default_url_options. We have to declare it here to overwrite
@@ -48,6 +48,12 @@ module Devise
         warden.authenticate?(:scope => scope)
       end
 
+      # Check if the any scope is signed in session, without running
+      # authentication hooks.
+      def anybody_signed_in?
+        Devise.mappings.keys.any? { |scope| signed_in?(scope) }
+      end
+
       # Sign in an user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #
@@ -60,6 +66,7 @@ module Devise
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
         warden.set_user(resource, :scope => scope)
+        @_session = request.session # Recalculate session
       end
 
       # Sign out a given user or scope. This helper is useful for signing out an user
@@ -86,7 +93,8 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
+        key = "#{scope}.return_to"
+        session.delete(key) || session.delete(key.to_sym)
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -99,13 +107,13 @@ module Devise
       #
       #   map.user_root '/users', :controller => 'users' # creates user_root_path
       #
-      #   map.resources :users do |users|
-      #     users.root # creates user_root_path
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
       #   end
       #
       #
-      # If none of these are defined, root_path is used. However, if this default
-      # is not enough, you can customize it, for example:
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
       #
       #   def after_sign_in_path_for(resource)
       #     if resource.is_a?(User) && resource.can_publish?
@@ -117,7 +125,7 @@ module Devise
       #
       def after_sign_in_path_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
+        home_path = "#{scope}_root_path"
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
@@ -139,7 +147,11 @@ module Devise
       def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
-        sign_in(scope, resource) unless skip
+        if skip
+          @_session = request.session # Recalculate session
+        else
+          sign_in(scope, resource)
+        end
         redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
@@ -151,6 +163,20 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden.
+      def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
+        warden.raw_session.inspect
+        warden.logout
+      end
+
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to
@@ -167,7 +193,7 @@ module Devise
       #     user_signed_in?     # Checks whether there is an user signed in or not
       #     admin_signed_in?    # Checks whether there is an admin signed in or not
       #     current_user        # Current signed in user
-      #     current_admin       # Currend signed in admin
+      #     current_admin       # Current signed in admin
       #     user_session        # Session data available only to the user scope
       #     admin_session       # Session data available only to the admin scope
       #

lib/devise/failure_app.rb

@@ -22,12 +22,8 @@ module Devise
       options = @env['warden.options']
       scope   = options[:scope]
 
-      redirect_path = if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
-      else
-        "/#{default_url}"
-      end
-      query_string = query_string_for(options)
+      redirect_path = redirect_path_for(scope)
+      query_string  = query_string_for(options)
       store_location!(scope)
 
       headers = {}
@@ -54,12 +50,23 @@ module Devise
       Rack::Utils.build_query(params)
     end
 
+    # Build the path based on current scope.
+    def redirect_path_for(scope)
+      if mapping = Devise.mappings[scope]
+        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+    end
+
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
     def store_location!(scope)
-      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
+      if request && request.get? && !request.xhr?
+        session[:"#{scope}.return_to"] = request.request_uri
+      end
     end
   end
 end

lib/devise/hooks/rememberable.rb

@@ -11,11 +11,13 @@ Warden::Manager.prepend_after_authentication do |record, warden, options|
      warden.authenticated?(scope) && record.respond_to?(:remember_me!)
     record.remember_me!
 
-    warden.response.set_cookie "remember_#{scope}_token", {
+    cookie_options = {
       :value => record.class.serialize_into_cookie(record),
       :expires => record.remember_expires_at,
       :path => "/"
-    }
+    }.merge record.cookie_options
+
+    warden.response.set_cookie "remember_#{scope}_token", cookie_options
   end
 end
 
@@ -24,9 +26,10 @@ end
 # won't be remembered again.
 # Notice that we forget the user if the record is frozen. This usually means the
 # user was just deleted.
-Warden::Manager.before_logout do |record, warden, scope|
+Warden::Manager.before_logout do |record, warden, options|
+  scope = options[:scope]
   if record.respond_to?(:forget_me!)
     record.forget_me! unless record.frozen?
-    warden.response.delete_cookie "remember_#{scope}_token"
+    warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
   end
-end
+end

lib/devise/mapping.rb

@@ -22,7 +22,7 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix, :route_options
+    attr_reader :name, :as, :path_names, :path_prefix, :route_options, :sign_out_via
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
@@ -64,6 +64,8 @@ module Devise
 
       @path_names = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(options.delete(:path_names) || {})
+
+      @sign_out_via = (options.delete(:sign_out_via) || :get)
     end
 
     # Return modules for the mapping.
@@ -96,7 +98,7 @@ module Devise
 
     # Returns the parsed path taking into account the relative url root and raw path.
     def parsed_path
-      returning (ActionController::Base.relative_url_root.to_s + raw_path) do |path|
+      (ActionController::Base.relative_url_root.to_s + raw_path).tap do |path|
         self.class.default_url_options.each do |key, value|
           path.gsub!(key.inspect, value.to_param)
         end

lib/devise/models/confirmable.rb

@@ -57,6 +57,7 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
+        generate_confirmation_token! if self.confirmation_token.nil?
         ::DeviseMailer.deliver_confirmation_instructions(self)
       end
 
@@ -70,7 +71,7 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        super && (confirmed? || confirmation_period_valid?)
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
@@ -134,6 +135,10 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
+        def generate_confirmation_token!
+          generate_confirmation_token && save(false)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user

lib/devise/models/database_authenticatable.rb

@@ -55,7 +55,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Checks if a resource is valid upon authentication.

lib/devise/models/http_authenticatable.rb

@@ -3,14 +3,16 @@ require 'devise/strategies/http_authenticatable'
 module Devise
   module Models
     # Adds HttpAuthenticatable behavior to your model. It expects that your
-    # model class responds to authenticate and authentication_keys methods
-    # (which for example are defined in authenticatable).
+    # model class responds to authenticate method
+    # (which for example is defined in authenticatable).
     module HttpAuthenticatable
       def self.included(base)
         base.extend ClassMethods
       end
 
       module ClassMethods
+        Devise::Models.config(self, :authentication_keys)
+
         # Authenticate an user using http.
         def authenticate_with_http(username, password)
           authenticate(authentication_keys.first => username, :password => password)

lib/devise/models/rememberable.rb

@@ -19,6 +19,9 @@ module Devise
     #                 time for the cookie created to remember the user.
     #                 By default remember_for is 2.weeks.
     #
+    #   cookie_options: configuration options passed to the created cookie.
+    #
+    #
     # Examples:
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -72,6 +75,10 @@ module Devise
         remember_created_at + self.class.remember_for
       end
 
+      def cookie_options
+        self.class.cookie_options
+      end
+
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
@@ -85,7 +92,7 @@ module Devise
           record if record.try(:valid_remember_token?, record_token)
         end
 
-        Devise::Models.config(self, :remember_for)
+        Devise::Models.config(self, :remember_for, :cookie_options)
       end
     end
   end

lib/devise/models/validatable.rb

@@ -15,7 +15,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
           validates_format_of     :email, :with  => EMAIL_REGEX, :allow_blank => true
 
           with_options :if => :password_required? do |v|

lib/devise/orm/mongo_mapper.rb

@@ -43,5 +43,10 @@ module Devise
   end
 end
 
-MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
-MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+if MongoMapper::Version >= "0.8.0"
+  MongoMapper::Plugins::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::Plugins::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+else
+  MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+end

lib/devise/rails/routes.rb

@@ -66,6 +66,12 @@ module ActionController::Routing
       #
       #    map.devise_for :users, :path_prefix => "/:locale"
       #
+      #  * :sign_out_via => restirct the HTTP method(s) accepted for the :sign_out action (default: :get), possible values are :post, :get, :put, :delete and :any, e.g. if you wish to restrict this to accept only :delete requests you should do:
+      #
+      #    map.devise_for :users, :sign_out_via => :delete
+      #
+      #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+      #
       #  Any other options will be passed to route definition. If you need conditions for your routes, just map:
       #
       #    map.devise_for :users, :conditions => { :subdomain => /.+/ }
@@ -101,7 +107,9 @@ module ActionController::Routing
           routes.with_options(:controller => 'sessions', :name_prefix => nil) do |session|
             session.send(:"new_#{mapping.name}_session",     mapping.path_names[:sign_in],  :action => 'new',     :conditions => { :method => :get })
             session.send(:"#{mapping.name}_session",         mapping.path_names[:sign_in],  :action => 'create',  :conditions => { :method => :post })
-            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], :action => 'destroy', :conditions => { :method => :get })
+            destroy_options = { :action => 'destroy' }
+            destroy_options.merge! :conditions => { :method => mapping.sign_out_via } unless mapping.sign_out_via == :any
+            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], destroy_options)
           end
         end
 

lib/devise/rails/warden_compat.rb

@@ -22,4 +22,42 @@ class Warden::SessionSerializer
     klass, id = keys
     klass.find(:first, :conditions => { :id => id })
   end
-end
+end
+
+class ActionController::Request
+  def reset_session
+    session.destroy if session && session.respond_to?(:destroy)
+    self.session = {}
+  end
+end
+
+# Solve a bug in Rails where Set-Cookie is returning an array.
+class Devise::CookieSanitizer
+  SET_COOKIE = "Set-Cookie".freeze
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    response = @app.call(env)
+    headers = response[1]
+    cookies = headers[SET_COOKIE]
+    if cookies.respond_to?(:join)
+      headers[SET_COOKIE] = cookies.join("\n").squeeze("\n")
+    end
+    response
+  end
+end
+
+Rails.configuration.middleware.insert_after ActionController::Failsafe, Devise::CookieSanitizer
+
+Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+  if options[:scope] && warden.authenticated?(options[:scope])
+    request = warden.request
+    backup = request.session.to_hash
+    backup.delete(:session_id)
+    request.reset_session
+    request.session.update(backup)
+  end
+end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.0.7".freeze
+  VERSION = "1.0.11".freeze
 end

test/controllers/helpers_test.rb

@@ -36,6 +36,13 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.signed_in?(:my_scope)
   end
 
+  test 'proxy anybody_signed_in? to signed_in?' do
+    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+      @controller.expects(:signed_in?).with(scope)
+    }
+    @controller.anybody_signed_in?
+  end
+
   test 'proxy current_admin to authenticate with admin scope' do
     @mock_warden.expects(:authenticate).with(:scope => :admin)
     @controller.current_admin

test/integration/authenticatable_test.rb

@@ -190,6 +190,14 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_nil session[:"user.return_to"]
   end
 
+  test 'xml http requests does not store urls for redirect' do
+    xhr :get, users_path
+    assert_nil session[:"user.return_to"]
+
+    sign_in_as_user
+    assert_template 'home/index'
+  end
+
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
@@ -210,6 +218,17 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session[:session_id]
+
+    get '/users'
+    assert_equal session_id, request.session[:session_id]
+
+    sign_in_as_user
+    assert_not_equal session_id, request.session[:session_id]
+  end
+
   test 'renders the scoped view if turned on and view is available' do
     swap Devise, :scoped_views => true do
       assert_raise Webrat::NotFoundError do
@@ -269,3 +288,53 @@ class AuthenticationTest < ActionController::IntegrationTest
     end
   end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    visit send("new_#{scope}_session_path")
+    sign_in_as_user(:visit => false)
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    delete destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via post when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    post destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via get when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    get destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+end

test/integration/rememberable_test.rb

@@ -20,6 +20,13 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_not_nil user.reload.remember_token
   end
 
+  test 'cookie_options should be applied to cookies' do
+    swap Devise, :cookie_options => { :value => 'dont-do-that' } do
+      user = sign_in_as_user :remember_me => true
+      assert_equal 'dont-do-that', cookies['remember_user_token']
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path
@@ -67,5 +74,16 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     get users_path
     assert_not warden.authenticated?(:user)
+    assert_equal cookies['remember_user_token'], ''
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap HomeController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
   end
 end

test/mapping_test.rb

@@ -132,6 +132,16 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal({ :requirements => { :extra => 'value' } }, Devise.mappings[:manager].route_options)
   end
 
+  test 'sign_out_via defaults to :get' do
+    assert_equal :get, Devise.mappings[:user].sign_out_via
+  end
+
+  test 'allows custom sign_out_via to be given' do
+    assert_equal :delete, Devise.mappings[:sign_out_via_delete].sign_out_via
+    assert_equal :post,   Devise.mappings[:sign_out_via_post].sign_out_via
+    assert_equal :any,    Devise.mappings[:sign_out_via_anymethod].sign_out_via
+  end
+
   test 'magic predicates' do
     mapping = Devise.mappings[:user]
     assert mapping.authenticatable?

test/models/confirmable_test.rb

@@ -134,6 +134,14 @@ class ConfirmableTest < ActiveSupport::TestCase
       User.send_confirmation_instructions(:email => user.email)
     end
   end
+  
+  test 'should always have confirmation token when email is sent' do
+    user = new_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.save
+    user.send_confirmation_instructions
+    assert_not_nil user.reload.confirmation_token
+  end
 
   test 'should not resend email instructions if the user change his email' do
     user = create_user
@@ -209,4 +217,12 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert_not user.reload.active?
   end
+  
+  test 'should be active without confirmation when confirmation is not required' do
+    user = create_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.confirmation_sent_at = nil
+    user.save
+    assert user.reload.active?
+  end
 end

test/models_test.rb

@@ -1,7 +1,7 @@
 require 'test/test_helper'
 
 class Configurable < User
-  devise :authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
+  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
          :stretches => 15, :pepper => 'abcdef', :confirm_within => 5.days,
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end

test/orm/active_record.rb

@@ -8,7 +8,7 @@ ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":me
 ActiveRecord::Schema.define(:version => 1) do
   [:users, :admins, :accounts].each do |table|
     create_table table do |t|
-      t.authenticatable :null => table == :admins
+      t.database_authenticatable :null => table == :admins
 
       if table != :admin
         t.string :username

test/rails_app/app/active_record/admin.rb

@@ -1,5 +1,5 @@
 class Admin < ActiveRecord::Base
-  devise :authenticatable, :registerable, :timeoutable
+  devise :database_authenticatable, :registerable, :timeoutable
 
   def self.find_for_authentication(conditions)
     last(:conditions => conditions)

test/rails_app/app/active_record/user.rb

@@ -1,7 +1,7 @@
 class User < ActiveRecord::Base
-  devise :authenticatable, :http_authenticatable, :confirmable, :lockable, :recoverable,
-         :registerable, :rememberable, :timeoutable, :token_authenticatable,
-         :trackable, :validatable
+  devise :database_authenticatable, :http_authenticatable, :confirmable,
+         :lockable, :recoverable, :registerable, :rememberable, :timeoutable,
+         :token_authenticatable, :trackable, :validatable
 
   attr_accessible :username, :email, :password, :password_confirmation
 end

test/rails_app/config/environment.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file
 
 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
 DEVISE_ORM = :active_record unless defined? DEVISE_ORM
 
 # Bootstrap the Rails environment, frameworks, and default configuration
@@ -13,7 +13,7 @@ Rails::Initializer.run do |config|
   # -- all .rb files in that directory are automatically loaded.
 
   # Add additional load paths for your own custom dirs
-  config.load_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
+  config.autoload_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
 
   # Specify gems that this application depends on and have them installed with rake gems:install
   # config.gem "bj"

test/rails_app/config/routes.rb

@@ -12,6 +12,10 @@ ActionController::Routing::Routes.draw do |map|
   map.resources :admins, :only => :index
   map.root :controller => :home
 
+  map.devise_for :sign_out_via_deletes, :sign_out_via => :delete, :class_name => "User"
+  map.devise_for :sign_out_via_posts, :sign_out_via => :post, :class_name => "User"
+  map.devise_for :sign_out_via_anymethods, :sign_out_via => :any, :class_name => "User"
+
   map.connect '/admin_area/password/new', :controller => "passwords", :action => "new"
   map.admin_root '/admin_area/home', :controller => "admins", :action => "index"
 

test/routes_test.rb

@@ -107,4 +107,25 @@ class MapRoutingTest < ActionController::TestCase
   test 'map account with custom path name for registration' do
     assert_recognizes({:controller => 'registrations', :action => 'new', :locale => 'en', :extra => 'value'}, '/en/accounts/register')
   end
+
+  test 'map deletes with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :delete})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :get})
+    end
+  end
+
+  test 'map posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :post})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :get})
+    end
+  end
+
+  test 'map any methods with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :get})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :post})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :delete})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :put})
+  end
 end