Release 1.1.7.

CHANGELOG.rdoc

@@ -1,3 +1,15 @@
+== 1.1.7
+
+* bugfix
+  * Fix a backward incompatible change with versions prior to Rails 3.0.4
+
+== 1.1.6
+
+* bugfix
+  * Use a more secure e-mail regexp
+  * Implement Rails 3.0.4 handle unverified request
+  * Use secure_compare to compare passwords
+
 == 1.1.5
 
 * bugfix

Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.0.0"
+gem "rails", "~> 3.0.4"
 
 group :test do
   gem "webrat", "0.7.2", :require => false

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.1.4)
+    devise (1.1.6)
       bcrypt-ruby (~> 2.1.2)
       warden (~> 1.0.2)
 
@@ -9,33 +9,33 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.3)
-      actionpack (= 3.0.3)
-      mail (~> 2.2.9)
-    actionpack (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    actionmailer (3.0.4)
+      actionpack (= 3.0.4)
+      mail (~> 2.2.15)
+    actionpack (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
       i18n (~> 0.4)
       rack (~> 1.2.1)
       rack-mount (~> 0.6.13)
-      rack-test (~> 0.5.6)
+      rack-test (~> 0.5.7)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.3)
-      activesupport (= 3.0.3)
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       i18n (~> 0.4)
-    activerecord (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
-    activeresource (3.0.3)
-      activemodel (= 3.0.3)
-      activesupport (= 3.0.3)
-    activesupport (3.0.3)
-    arel (2.0.4)
+    activeresource (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+    activesupport (3.0.4)
+    arel (2.0.8)
     bcrypt-ruby (2.1.2)
     bson (1.1.2)
     bson_ext (1.1.2)
@@ -43,11 +43,11 @@ GEM
     columnize (0.3.2)
     erubis (2.6.6)
       abstract (>= 1.0.0)
-    i18n (0.4.2)
+    i18n (0.5.0)
     linecache (0.43)
-    mail (2.2.10)
+    mail (2.2.15)
       activesupport (>= 2.3.6)
-      i18n (~> 0.4.1)
+      i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.16)
@@ -65,19 +65,19 @@ GEM
     rack (1.2.1)
     rack-mount (0.6.13)
       rack (>= 1.0.0)
-    rack-test (0.5.6)
+    rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.3)
-      actionmailer (= 3.0.3)
-      actionpack (= 3.0.3)
-      activerecord (= 3.0.3)
-      activeresource (= 3.0.3)
-      activesupport (= 3.0.3)
+    rails (3.0.4)
+      actionmailer (= 3.0.4)
+      actionpack (= 3.0.4)
+      activerecord (= 3.0.4)
+      activeresource (= 3.0.4)
+      activesupport (= 3.0.4)
       bundler (~> 1.0)
-      railties (= 3.0.3)
-    railties (3.0.3)
-      actionpack (= 3.0.3)
-      activesupport (= 3.0.3)
+      railties (= 3.0.4)
+    railties (3.0.4)
+      actionpack (= 3.0.4)
+      activesupport (= 3.0.4)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
@@ -90,7 +90,7 @@ GEM
     thor (0.14.6)
     treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.23)
+    tzinfo (0.3.24)
     warden (1.0.2)
       rack (>= 1.0.0)
     webrat (0.7.2)
@@ -110,7 +110,7 @@ DEPENDENCIES
   mocha
   mongo (= 1.1.2)
   mongoid (= 2.0.0.beta.20)
-  rails (~> 3.0.0)
+  rails (~> 3.0.4)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
   warden (~> 1.0.2)

README.rdoc

@@ -24,7 +24,7 @@ Right now it's composed of 11 modules:
 
 Devise 1.1 supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
 
-  gem install devise --version=1.1.3
+  gem install devise --version=1.1.7
 
 If you want to use Rails master (from git repository) you need to use Devise from git repository and vice-versa.
 
@@ -42,7 +42,7 @@ Replace MODEL by the class name you want to add devise, like User, Admin, etc. T
 
 If you want to use the Rails 2.3.x version, you should do:
 
-  gem install devise --version=1.0.8
+  gem install devise --version=1.0.10
 
 And please check the README at the v1.0 branch since this one is based on Rails 3:
 

app/controllers/devise/registrations_controller.rb

@@ -9,7 +9,7 @@ class Devise::RegistrationsController < ApplicationController
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 

devise.gemspec

@@ -1,184 +1,183 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.1.5"
+  s.version = "1.1.7"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-11-27}
+  s.date = %q{2011-02-16}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
     "CHANGELOG.rdoc",
-     "Gemfile.lock",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "TODO"
+    "Gemfile.lock",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "TODO"
   ]
   s.files = [
     "CHANGELOG.rdoc",
-     "Gemfile",
-     "Gemfile.lock",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "TODO",
-     "app/controllers/devise/confirmations_controller.rb",
-     "app/controllers/devise/passwords_controller.rb",
-     "app/controllers/devise/registrations_controller.rb",
-     "app/controllers/devise/sessions_controller.rb",
-     "app/controllers/devise/unlocks_controller.rb",
-     "app/helpers/devise_helper.rb",
-     "app/mailers/devise/mailer.rb",
-     "app/views/devise/confirmations/new.html.erb",
-     "app/views/devise/mailer/confirmation_instructions.html.erb",
-     "app/views/devise/mailer/reset_password_instructions.html.erb",
-     "app/views/devise/mailer/unlock_instructions.html.erb",
-     "app/views/devise/passwords/edit.html.erb",
-     "app/views/devise/passwords/new.html.erb",
-     "app/views/devise/registrations/edit.html.erb",
-     "app/views/devise/registrations/new.html.erb",
-     "app/views/devise/sessions/new.html.erb",
-     "app/views/devise/shared/_links.erb",
-     "app/views/devise/unlocks/new.html.erb",
-     "config/locales/en.yml",
-     "lib/devise.rb",
-     "lib/devise/controllers/helpers.rb",
-     "lib/devise/controllers/internal_helpers.rb",
-     "lib/devise/controllers/scoped_views.rb",
-     "lib/devise/controllers/url_helpers.rb",
-     "lib/devise/encryptors/authlogic_sha512.rb",
-     "lib/devise/encryptors/base.rb",
-     "lib/devise/encryptors/bcrypt.rb",
-     "lib/devise/encryptors/clearance_sha1.rb",
-     "lib/devise/encryptors/restful_authentication_sha1.rb",
-     "lib/devise/encryptors/sha1.rb",
-     "lib/devise/encryptors/sha512.rb",
-     "lib/devise/failure_app.rb",
-     "lib/devise/hooks/activatable.rb",
-     "lib/devise/hooks/forgetable.rb",
-     "lib/devise/hooks/rememberable.rb",
-     "lib/devise/hooks/timeoutable.rb",
-     "lib/devise/hooks/trackable.rb",
-     "lib/devise/mapping.rb",
-     "lib/devise/models.rb",
-     "lib/devise/models/authenticatable.rb",
-     "lib/devise/models/confirmable.rb",
-     "lib/devise/models/database_authenticatable.rb",
-     "lib/devise/models/lockable.rb",
-     "lib/devise/models/recoverable.rb",
-     "lib/devise/models/registerable.rb",
-     "lib/devise/models/rememberable.rb",
-     "lib/devise/models/timeoutable.rb",
-     "lib/devise/models/token_authenticatable.rb",
-     "lib/devise/models/trackable.rb",
-     "lib/devise/models/validatable.rb",
-     "lib/devise/modules.rb",
-     "lib/devise/orm/active_record.rb",
-     "lib/devise/orm/mongoid.rb",
-     "lib/devise/path_checker.rb",
-     "lib/devise/rails.rb",
-     "lib/devise/rails/routes.rb",
-     "lib/devise/rails/warden_compat.rb",
-     "lib/devise/schema.rb",
-     "lib/devise/strategies/authenticatable.rb",
-     "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/database_authenticatable.rb",
-     "lib/devise/strategies/rememberable.rb",
-     "lib/devise/strategies/token_authenticatable.rb",
-     "lib/devise/test_helpers.rb",
-     "lib/devise/version.rb",
-     "lib/generators/active_record/devise_generator.rb",
-     "lib/generators/active_record/templates/migration.rb",
-     "lib/generators/devise/devise_generator.rb",
-     "lib/generators/devise/install_generator.rb",
-     "lib/generators/devise/orm_helpers.rb",
-     "lib/generators/devise/views_generator.rb",
-     "lib/generators/devise_install_generator.rb",
-     "lib/generators/devise_views_generator.rb",
-     "lib/generators/mongoid/devise_generator.rb",
-     "lib/generators/templates/README",
-     "lib/generators/templates/devise.rb"
+    "Gemfile",
+    "Gemfile.lock",
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/devise/confirmations_controller.rb",
+    "app/controllers/devise/passwords_controller.rb",
+    "app/controllers/devise/registrations_controller.rb",
+    "app/controllers/devise/sessions_controller.rb",
+    "app/controllers/devise/unlocks_controller.rb",
+    "app/helpers/devise_helper.rb",
+    "app/mailers/devise/mailer.rb",
+    "app/views/devise/confirmations/new.html.erb",
+    "app/views/devise/mailer/confirmation_instructions.html.erb",
+    "app/views/devise/mailer/reset_password_instructions.html.erb",
+    "app/views/devise/mailer/unlock_instructions.html.erb",
+    "app/views/devise/passwords/edit.html.erb",
+    "app/views/devise/passwords/new.html.erb",
+    "app/views/devise/registrations/edit.html.erb",
+    "app/views/devise/registrations/new.html.erb",
+    "app/views/devise/sessions/new.html.erb",
+    "app/views/devise/shared/_links.erb",
+    "app/views/devise/unlocks/new.html.erb",
+    "config/locales/en.yml",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/scoped_views.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/forgetable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/authenticatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/modules.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/mongoid.rb",
+    "lib/devise/path_checker.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/authenticatable.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "lib/generators/active_record/devise_generator.rb",
+    "lib/generators/active_record/templates/migration.rb",
+    "lib/generators/devise/devise_generator.rb",
+    "lib/generators/devise/install_generator.rb",
+    "lib/generators/devise/orm_helpers.rb",
+    "lib/generators/devise/views_generator.rb",
+    "lib/generators/devise_install_generator.rb",
+    "lib/generators/devise_views_generator.rb",
+    "lib/generators/mongoid/devise_generator.rb",
+    "lib/generators/templates/README",
+    "lib/generators/templates/devise.rb"
   ]
   s.homepage = %q{http://github.com/plataformatec/devise}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
-     "test/controllers/internal_helpers_test.rb",
-     "test/controllers/url_helpers_test.rb",
-     "test/devise_test.rb",
-     "test/encryptors_test.rb",
-     "test/failure_app_test.rb",
-     "test/indifferent_hash.rb",
-     "test/integration/authenticatable_test.rb",
-     "test/integration/confirmable_test.rb",
-     "test/integration/database_authenticatable_test.rb",
-     "test/integration/http_authenticatable_test.rb",
-     "test/integration/lockable_test.rb",
-     "test/integration/recoverable_test.rb",
-     "test/integration/registerable_test.rb",
-     "test/integration/rememberable_test.rb",
-     "test/integration/timeoutable_test.rb",
-     "test/integration/token_authenticatable_test.rb",
-     "test/integration/trackable_test.rb",
-     "test/mailers/confirmation_instructions_test.rb",
-     "test/mailers/reset_password_instructions_test.rb",
-     "test/mailers/unlock_instructions_test.rb",
-     "test/mapping_test.rb",
-     "test/models/confirmable_test.rb",
-     "test/models/database_authenticatable_test.rb",
-     "test/models/lockable_test.rb",
-     "test/models/recoverable_test.rb",
-     "test/models/rememberable_test.rb",
-     "test/models/timeoutable_test.rb",
-     "test/models/token_authenticatable_test.rb",
-     "test/models/trackable_test.rb",
-     "test/models/validatable_test.rb",
-     "test/models_test.rb",
-     "test/orm/active_record.rb",
-     "test/orm/mongoid.rb",
-     "test/rails_app/app/active_record/admin.rb",
-     "test/rails_app/app/active_record/shim.rb",
-     "test/rails_app/app/active_record/user.rb",
-     "test/rails_app/app/controllers/admins_controller.rb",
-     "test/rails_app/app/controllers/application_controller.rb",
-     "test/rails_app/app/controllers/home_controller.rb",
-     "test/rails_app/app/controllers/publisher/registrations_controller.rb",
-     "test/rails_app/app/controllers/publisher/sessions_controller.rb",
-     "test/rails_app/app/controllers/sessions_controller.rb",
-     "test/rails_app/app/controllers/users_controller.rb",
-     "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongoid/admin.rb",
-     "test/rails_app/app/mongoid/shim.rb",
-     "test/rails_app/app/mongoid/user.rb",
-     "test/rails_app/config/application.rb",
-     "test/rails_app/config/boot.rb",
-     "test/rails_app/config/environment.rb",
-     "test/rails_app/config/environments/development.rb",
-     "test/rails_app/config/environments/production.rb",
-     "test/rails_app/config/environments/test.rb",
-     "test/rails_app/config/initializers/backtrace_silencers.rb",
-     "test/rails_app/config/initializers/devise.rb",
-     "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/secret_token.rb",
-     "test/rails_app/config/routes.rb",
-     "test/rails_app/db/migrate/20100401102949_create_tables.rb",
-     "test/rails_app/db/schema.rb",
-     "test/routes_test.rb",
-     "test/support/assertions.rb",
-     "test/support/helpers.rb",
-     "test/support/integration.rb",
-     "test/support/test_silencer.rb",
-     "test/support/webrat/integrations/rails.rb",
-     "test/test_helper.rb",
-     "test/test_helpers_test.rb"
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/indifferent_hash.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/database_authenticatable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/database_authenticatable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongoid.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/shim.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/publisher/registrations_controller.rb",
+    "test/rails_app/app/controllers/publisher/sessions_controller.rb",
+    "test/rails_app/app/controllers/sessions_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongoid/admin.rb",
+    "test/rails_app/app/mongoid/shim.rb",
+    "test/rails_app/app/mongoid/user.rb",
+    "test/rails_app/config/application.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/backtrace_silencers.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/secret_token.rb",
+    "test/rails_app/config/routes.rb",
+    "test/rails_app/db/migrate/20100401102949_create_tables.rb",
+    "test/rails_app/db/schema.rb",
+    "test/routes_test.rb",
+    "test/support/assertions.rb",
+    "test/support/helpers.rb",
+    "test/support/integration.rb",
+    "test/support/test_silencer.rb",
+    "test/support/webrat/integrations/rails.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
   ]
 
   if s.respond_to? :specification_version then

lib/devise.rb

@@ -83,7 +83,7 @@ module Devise
 
   # Email regex used to validate email formats. Adapted from authlogic.
   mattr_accessor :email_regexp
-  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+  @@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -290,6 +290,17 @@ module Devise
   def self.friendly_token
     ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
   end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def self.secure_compare(a, b)
+    return false unless a.present? && b.present?
+    return false unless a.bytesize == b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
+  end
 end
 
 require 'warden'

lib/devise/controllers/helpers.rb

@@ -182,6 +182,12 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to

lib/devise/failure_app.rb

@@ -68,11 +68,11 @@ module Devise
     end
 
     def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
+      !Devise.navigational_formats.include?(request_format) || (request.xhr? && Devise.http_authenticatable_on_xhr)
     end
 
     def http_auth_body
-      method = :"to_#{request.format.to_sym}"
+      method = :"to_#{request_format}"
       {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
     end
 
@@ -103,5 +103,17 @@ module Devise
     def store_location!
       session[:"#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
+
+    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+    def request_format
+      @request_format ||= if request.format.respond_to?(:ref)
+        request.format.ref
+      elsif MIME_REFERENCES
+        request.format
+      else # Rails < 3.0.4
+        request.format.to_sym
+      end
+    end
   end
 end

lib/devise/models/database_authenticatable.rb

@@ -44,7 +44,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Set password and password confirmation to nil

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.5".freeze
+  VERSION = "1.1.7".freeze
 end

lib/generators/templates/devise.rb

@@ -72,7 +72,7 @@ Devise.setup do |config|
   # config.password_length = 6..20
 
   # Regex to use to validate the email address
-  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+  # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/failure_app_test.rb

@@ -13,7 +13,7 @@ class FailureTest < ActiveSupport::TestCase
       'REQUEST_METHOD' => 'GET',
       'warden.options' => { :scope => :user },
       'rack.session' => {},
-      'action_dispatch.request.formats' => Array(env_params.delete('formats') || :html),
+      'action_dispatch.request.formats' => Array(env_params.delete('formats') || Mime::HTML),
       'rack.input' => "",
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)

test/integration/rememberable_test.rb

@@ -48,6 +48,16 @@ class RememberMeTest < ActionController::IntegrationTest
     end
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path