Release 1.1.9

Conflicts:

	lib/devise/models/authenticatable.rb

CHANGELOG.rdoc

@@ -1,3 +1,13 @@
+== 1.1.9
+
+* bugfix
+  * double check if warden has not halted
+
+== 1.1.8
+
+* bugfix
+  * Ensure you can't inject Mongoid queries using token authenticatable
+
 == 1.1.7
 
 * bugfix

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.1.6)
+    devise (1.1.8)
       bcrypt-ruby (~> 2.1.2)
       warden (~> 1.0.2)
 
@@ -36,7 +36,7 @@ GEM
       activesupport (= 3.0.4)
     activesupport (3.0.4)
     arel (2.0.8)
-    bcrypt-ruby (2.1.2)
+    bcrypt-ruby (2.1.4)
     bson (1.1.2)
     bson_ext (1.1.2)
     builder (2.1.2)
@@ -91,7 +91,7 @@ GEM
     treetop (1.4.9)
       polyglot (>= 0.3.1)
     tzinfo (0.3.24)
-    warden (1.0.2)
+    warden (1.0.3)
       rack (>= 1.0.0)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
@@ -104,7 +104,6 @@ PLATFORMS
 
 DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
-  bcrypt-ruby (~> 2.1.2)
   bson_ext (= 1.1.2)
   devise!
   mocha
@@ -113,5 +112,4 @@ DEPENDENCIES
   rails (~> 3.0.4)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
-  warden (~> 1.0.2)
   webrat (= 0.7.2)

devise.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.1.7"
+  s.version = "1.1.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2011-02-16}
+  s.date = %q{2011-03-25}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
@@ -181,7 +181,6 @@ Gem::Specification.new do |s|
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then

lib/devise/models/authenticatable.rb

@@ -90,6 +90,7 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
+          filter_auth_params(conditions)
           find(:first, :conditions => conditions)
         end
 
@@ -113,6 +114,15 @@ module Devise
           record
         end
 
+        protected
+
+        # Force keys to be string to avoid injection on mongoid related database.
+        def filter_auth_params(conditions)
+          conditions.each do |k, v|
+            conditions[k] = v.to_s
+          end
+        end
+
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)
           loop do

lib/devise/strategies/authenticatable.rb

@@ -21,6 +21,7 @@ module Devise
         case result
         when Symbol, String
           fail!(result)
+          false
         else
           result
         end

lib/devise/strategies/database_authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid)
         end
       end

lib/devise/strategies/rememberable.rb

@@ -20,7 +20,7 @@ module Devise
 
         if validate(resource)
           success!(resource)
-        else
+        elsif !halted?
           cookies.delete(remember_key)
           pass
         end

lib/devise/strategies/token_authenticatable.rb

@@ -16,7 +16,7 @@ module Devise
         if validate(resource)
           resource.after_token_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid_token)
         end
       end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.7".freeze
+  VERSION = "1.1.9".freeze
 end

test/integration/token_authenticatable_test.rb

@@ -65,6 +65,22 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'should not be subject to injection' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user1 = create_user()
+
+      # Clean up user cache
+      @user = nil
+
+      user2 = create_user(:email => "another@test.com")
+      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
+
+      assert_not_equal user1, user2
+      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
+      assert_nil warden.user(:user) 
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})

test/models/token_authenticatable_test.rb

@@ -34,4 +34,16 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-end
+  test 'should not be subject to injection' do
+    user1 = create_user
+    user1.ensure_authentication_token!
+    user1.confirm!
+
+    user2 = create_user
+    user2.ensure_authentication_token!
+    user2.confirm!
+
+    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
+    assert_nil user
+  end
+end

test/support/integration.rb

@@ -9,7 +9,7 @@ class ActionDispatch::IntegrationTest
     @user ||= begin
       user = User.create!(
         :username => 'usertest',
-        :email => 'user@test.com',
+        :email => options[:email] || 'user@test.com',
         :password => '123456',
         :password_confirmation => '123456',
         :created_at => Time.now.utc