Release 1.3.1.

Replace success/failure with notice/alert in I18n section.

.travis.yml

@@ -1 +1,6 @@
-script: "rake test"
+script: "rake test"
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - ree
+  - jruby

CHANGELOG.rdoc

@@ -1,3 +1,37 @@
+== 1.3.1
+
+* enhancements
+  * Improve failure_app responses (by github.com/indirect)
+  * sessions/new and registrations/new also respond to xml and json now
+
+* bug fix
+  * Fix a regression that occurred if reset_password_sent_at is not present (by github.com/stevehodgkiss)
+
+== 1.3.0
+
+* enhancements
+  * All controllers can now handle different mime types than html using Responders (by github.com/sikachu)
+  * Added reset_password_within as configuration option to send the token for recovery (by github.com/jdguyot)
+  * Bump password length to 128 characters (by github.com/k33l0r)
+  * Add :only as option to devise_for (by github.com/timoschilling)
+  * Allow to override path after sending password instructions (by github.com/irohiroki)
+  * require_no_authentication has its own flash message (by github.com/jackdempsey)
+
+* bug fix
+  * Fix a bug where configuration options were being included too late
+  * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by github.com/jwilger)
+  * valid_password? should not choke on empty passwords (by github.com/mikel)
+  * Calling devise more than once does not include previously added modules anymore
+  * downcase_keys before validation
+
+* backward incompatible changes
+  * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
+
+== 1.2.1
+
+* enhancements
+  * Improve update path messages
+
 == 1.2.0
 
 * bug fix

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.2.rc2)
+    devise (1.3.0)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)

README.rdoc

@@ -86,7 +86,7 @@ The generator will install an initializer which describes ALL Devise's configura
 
   rails generate devise MODEL
 
-Replace MODEL by the class name you want to add devise, like User, Admin, etc. This will create a model (if one does not exist) and configure it with default Devise modules. The generator will also create a migration file (if your ORM support them) and configure your routes. Continue reading this file to understand exactly what the generator produces and how to use it.
+Replace MODEL by the class name used for the applications users, it's frequently 'User' but could also be 'Admin'. This will create a model (if one does not exist) and configure it with default Devise modules. Next, you'll usually run db:migrate as the generator will have created a migration file (if your ORM supports them). This generator also configures your config/routes.rb file, continue reading this file to understand exactly what the generator produces and how to use it.
 
 Support for Rails 2.3.x can be found by installing Devise 1.0.x from the v1.0 branch.
 
@@ -152,7 +152,7 @@ You can access the session for this scope:
 
 After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
 
-  root :to => "home"
+  root :to => "home#index"
 
 You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize your redirect hooks.
 
@@ -259,7 +259,7 @@ Feel free to choose the one you prefer!
 
 === I18n
 
-Devise uses flash messages with I18n with the flash keys :success and :failure. To customize your app, you can set up your locale file:
+Devise uses flash messages with I18n with the flash keys :notice and :alert. To customize your app, you can set up your locale file:
 
   en:
     devise:
@@ -315,12 +315,11 @@ If you're using RSpec and want the helpers automatically included within all +de
 
 Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (http://wiki.github.com/plataformatec/devise).
 
-=== OAuth2
+=== Omniauth
 
-Devise comes with OAuth support out of the box if you're using Devise from the git repository (for now). You can read more about OAuth2 support in the wiki:
+Devise comes with Omniauth support out of the box to authenticate from other providers. You can read more about Omniauth support in the wiki:
 
-* http://github.com/plataformatec/devise/wiki/OAuth2:-Overview
-* http://github.com/plataformatec/devise/wiki/OAuth2:-Testing
+* https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
 === Other ORMs
 

app/controllers/devise/confirmations_controller.rb

@@ -12,10 +12,10 @@ class Devise::ConfirmationsController < ApplicationController
     self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => after_resending_confirmation_instructions_path_for(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -24,10 +24,18 @@ class Devise::ConfirmationsController < ApplicationController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :confirmed
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message(:notice, :confirmed) if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
     else
-      render_with_scope :new
+      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end
   end
+
+  protected
+
+    # The path used after resending confirmation instructions.
+    def after_resending_confirmation_instructions_path_for(resource_name)
+      new_session_path(resource_name)
+    end
 end

app/controllers/devise/passwords_controller.rb

@@ -13,10 +13,10 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.send_reset_password_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => new_session_path(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -32,10 +32,11 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :updated
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message(:notice, :updated) if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with resource, :location => redirect_location(resource_name, resource)
     else
-      render_with_scope :edit
+      respond_with_navigational(resource){ render_with_scope :edit }
     end
   end
 end

app/controllers/devise/registrations_controller.rb

@@ -5,8 +5,8 @@ class Devise::RegistrationsController < ApplicationController
 
   # GET /resource/sign_up
   def new
-    build_resource({})
-    render_with_scope :new
+    resource = build_resource({})
+    respond_with_navigational(resource){ render_with_scope :new }
   end
 
   # POST /resource
@@ -15,16 +15,17 @@ class Devise::RegistrationsController < ApplicationController
 
     if resource.save
       if resource.active_for_authentication?
-        set_flash_message :notice, :signed_up
-        sign_in_and_redirect(resource_name, resource)
+        set_flash_message :notice, :signed_up if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => redirect_location(resource_name, resource)
       else
-        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s
+        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s if is_navigational_format?
         expire_session_data_after_sign_in!
-        redirect_to after_inactive_sign_up_path_for(resource)
+        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
       end
     else
       clean_up_passwords(resource)
-      render_with_scope :new
+      respond_with_navigational(resource) { render_with_scope :new }
     end
   end
 
@@ -36,20 +37,21 @@ class Devise::RegistrationsController < ApplicationController
   # PUT /resource
   def update
     if resource.update_with_password(params[resource_name])
-      set_flash_message :notice, :updated
+      set_flash_message :notice, :updated if is_navigational_format?
       sign_in resource_name, resource, :bypass => true
-      redirect_to after_update_path_for(resource)
+      respond_with resource, :location => after_update_path_for(resource)
     else
       clean_up_passwords(resource)
-      render_with_scope :edit
+      respond_with_navigational(resource){ render_with_scope :edit }
     end
   end
 
   # DELETE /resource
   def destroy
     resource.destroy
-    sign_out_and_redirect(self.resource)
-    set_flash_message :notice, :destroyed
+    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
+    set_flash_message :notice, :destroyed if is_navigational_format?
+    respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
 
   # GET /resource/cancel

app/controllers/devise/sessions_controller.rb

@@ -4,8 +4,9 @@ class Devise::SessionsController < ApplicationController
 
   # GET /resource/sign_in
   def new
-    clean_up_passwords(build_resource)
-    render_with_scope :new
+    resource = build_resource
+    clean_up_passwords(resource)
+    respond_with_navigational(resource, stub_options(resource)){ render_with_scope :new }
   end
 
   # POST /resource/sign_in
@@ -19,7 +20,26 @@ class Devise::SessionsController < ApplicationController
   # GET /resource/sign_out
   def destroy
     signed_in = signed_in?(resource_name)
-    sign_out_and_redirect(resource_name)
+    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
     set_flash_message :notice, :signed_out if signed_in
+
+    # We actually need to hardcode this, as Rails default responder doesn't
+    # support returning empty response on GET request
+    respond_to do |format|
+      format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
+      format.all do
+        method = "to_#{request_format}"
+        text = {}.respond_to?(method) ? {}.send(method) : ""
+        render :text => text, :status => :ok
+      end
+    end
   end
-end
+
+  protected
+
+  def stub_options(resource)
+    array = resource_class.authentication_keys.dup
+    array << :password if resource.respond_to?(:password)
+    { :methods => array, :only => [:password] }
+  end
+end

app/controllers/devise/unlocks_controller.rb

@@ -13,10 +13,10 @@ class Devise::UnlocksController < ApplicationController
     self.resource = resource_class.send_unlock_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message :notice, :send_instructions if is_navigational_format?
+      respond_with resource, :location => new_session_path(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -25,10 +25,11 @@ class Devise::UnlocksController < ApplicationController
     self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message :notice, :unlocked if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
     else
-      render_with_scope :new
+      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end
   end
 end

config/locales/en.yml

@@ -12,6 +12,7 @@ en:
 
   devise:
     failure:
+      already_authenticated: 'You are already signed in.'
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'

lib/devise.rb

@@ -16,6 +16,7 @@ module Devise
     autoload :InternalHelpers, 'devise/controllers/internal_helpers'
     autoload :Rememberable, 'devise/controllers/rememberable'
     autoload :ScopedViews, 'devise/controllers/scoped_views'
+    autoload :SharedHelpers, 'devise/controllers/shared_helpers'
     autoload :UrlHelpers, 'devise/controllers/url_helpers'
   end
 
@@ -96,7 +97,7 @@ module Devise
 
   # Range validation for password length
   mattr_accessor :password_length
-  @@password_length = 6..20
+  @@password_length = 6..128
 
   # The time the user will be remembered without asking for credentials again.
   mattr_accessor :remember_for
@@ -171,6 +172,10 @@ module Devise
   mattr_accessor :reset_password_keys
   @@reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key 
+  mattr_accessor :reset_password_within
+  @@reset_password_within = nil
+
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -238,12 +243,6 @@ module Devise
     omniauth_configs.keys
   end
 
-  def self.cookie_domain=(value)
-    ActiveSupport::Deprecation.warn "Devise.cookie_domain=(value) is deprecated. "
-      "Please use Devise.cookie_options = { :domain => value } instead."
-    self.cookie_options[:domain] = value
-  end
-
   # Get the mailer class from the mailer reference object.
   def self.mailer
     if defined?(ActiveSupport::Dependencies::ClassCache)
@@ -319,7 +318,8 @@ module Devise
 
     if options[:model]
       path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
-      Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, path)
+      camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
+      Devise::Models.send(:autoload, camelized.to_sym, path)
     end
 
     Devise::Mapping.add_module module_name

lib/devise/controllers/helpers.rb

@@ -80,12 +80,6 @@ module Devise
         end
       end
 
-      def anybody_signed_in?
-        ActiveSupport::Deprecation.warn "Devise#anybody_signed_in? is deprecated. "
-          "Please use Devise#signed_in?(nil) instead."
-        signed_in?
-      end
-
       # Sign in a user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #

lib/devise/controllers/internal_helpers.rb

@@ -6,6 +6,7 @@ module Devise
     module InternalHelpers #:nodoc:
       extend ActiveSupport::Concern
       include Devise::Controllers::ScopedViews
+      include Devise::Controllers::SharedHelpers
 
       included do
         helper DeviseHelper
@@ -54,12 +55,19 @@ module Devise
 
       # Checks whether it's a devise mapped resource or not.
       def is_devise_resource? #:nodoc:
-        unknown_action!("Could not find devise mapping for path #{request.fullpath.inspect}") unless devise_mapping
+        unknown_action! <<-MESSAGE unless devise_mapping
+Could not find devise mapping for path #{request.fullpath.inspect}.
+Maybe you forgot to wrap your route inside the scope block? For example:
+
+    devise_scope :user do
+      match "/some/route" => "some_devise_controller"
+    end
+MESSAGE
       end
 
-      # Check whether it's navigational format, such as :html or :iphone, or not.
-      def is_navigational_format?
-        Devise.navigational_formats.include?(request.format.to_sym)
+      # Returns real navigational formats which are supported by Rails
+      def navigational_formats
+        @navigational_formats ||= Devise.navigational_formats.select{ |format| Mime::EXTENSION_LOOKUP[format.to_s] }
       end
 
       def unknown_action!(msg)
@@ -85,6 +93,7 @@ module Devise
       def require_no_authentication
         if warden.authenticated?(resource_name)
           resource = warden.user(resource_name)
+          flash[:alert] = I18n.t("devise.failure.already_authenticated")
           redirect_to after_sign_in_path_for(resource)
         end
       end
@@ -114,6 +123,12 @@ module Devise
       def clean_up_passwords(object) #:nodoc:
         object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
       end
+
+      def respond_with_navigational(*args, &block)
+        respond_with(*args) do |format|
+          format.any(*navigational_formats, &block)
+        end
+      end
     end
   end
 end

lib/devise/controllers/shared_helpers.rb

@@ -0,0 +1,26 @@
+module Devise
+  module Controllers
+    # Helpers used in both FailureApp and Devise controllers.
+    module SharedHelpers
+      MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+      protected
+
+      # Helper used by FailureApp and Devise controllers to retrieve proper formats.
+      def request_format
+        @request_format ||= if request.format.respond_to?(:ref)
+          request.format.ref
+        elsif MIME_REFERENCES
+          request.format
+        elsif request.format # Rails < 3.0.4
+          request.format.to_sym
+        end
+      end
+
+      # Check whether it's navigational format, such as :html or :iphone, or not.
+      def is_navigational_format?
+        Devise.navigational_formats.include?(request_format)
+      end
+    end
+  end
+end

lib/devise/failure_app.rb

@@ -10,6 +10,7 @@ module Devise
     include ActionController::UrlFor
     include ActionController::Redirecting
     include Rails.application.routes.url_helpers
+    include Devise::Controllers::SharedHelpers
 
     delegate :flash, :to => :request
 
@@ -83,7 +84,7 @@ module Devise
       if request.xhr?
         Devise.http_authenticatable_on_xhr
       else
-        !(request_format && Devise.navigational_formats.include?(request_format))
+        !(request_format && is_navigational_format?)
       end
     end
 
@@ -96,12 +97,20 @@ module Devise
     def http_auth_body
       return i18n_message unless request_format
       method = "to_#{request_format}"
-      {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
+      if method == "to_xml"
+        { :error => i18n_message }.to_xml(:root => "errors")
+      elsif {}.respond_to?(method)
+        { :error => i18n_message }.send(method)
+      else
+        i18n_message
+      end
     end
 
     def recall_app(app)
       controller, action = app.split("#")
-      "#{controller.camelize}Controller".constantize.action(action)
+      controller_name  = ActiveSupport::Inflector.camelize(controller)
+      controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+      controller_klass.action(action)
     end
 
     def warden
@@ -127,17 +136,5 @@ module Devise
     def store_location!
       session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
-
-    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
-
-    def request_format
-      @request_format ||= if request.format.respond_to?(:ref)
-        request.format.ref
-      elsif MIME_REFERENCES
-        request.format
-      else # Rails < 3.0.4
-        request.format.to_sym
-      end
-    end
   end
 end

lib/devise/models.rb

@@ -17,6 +17,9 @@ module Devise
     # inside the given class.
     #
     def self.config(mod, *accessors) #:nodoc:
+      (class << mod; self; end).send :attr_accessor, :available_configs
+      mod.available_configs = accessors
+
       accessors.each do |accessor|
         mod.class_eval <<-METHOD, __FILE__, __LINE__ + 1
           def #{accessor}
@@ -46,13 +49,33 @@ module Devise
     #
     def devise(*modules)
       include Devise::Models::Authenticatable
-      options = modules.extract_options!
-      self.devise_modules += modules.map(&:to_sym).uniq.sort_by { |s|
+      options = modules.extract_options!.dup
+
+      selected_modules = modules.map(&:to_sym).uniq.sort_by do |s|
         Devise::ALL.index(s) || -1  # follow Devise::ALL order
-      }
+      end
 
       devise_modules_hook! do
-        devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }
+        selected_modules.each do |m|
+          mod = Devise::Models.const_get(m.to_s.classify)
+
+          if mod.const_defined?("ClassMethods")
+            class_mod = mod.const_get("ClassMethods")
+            extend class_mod
+
+            if class_mod.respond_to?(:available_configs)
+              available_configs = class_mod.available_configs
+              available_configs.each do |config|
+                next unless options.key?(config)                
+                send(:"#{config}=", options.delete(config))
+              end
+            end
+          end
+
+          include mod
+        end
+
+        self.devise_modules |= selected_modules
         options.each { |key, value| send(:"#{key}=", value) }
       end
     end

lib/devise/models/authenticatable.rb

@@ -65,20 +65,8 @@ module Devise
         end
       end
 
-      def active?
-        ActiveSupport::Deprecation.warn "[DEVISE] active? is deprecated, please use active_for_authentication? instead.", caller
-        active_for_authentication?
-      end
-
       def active_for_authentication?
-        my_methods = self.class.instance_methods(false)
-        if my_methods.include?("active?") || my_methods.include?(:active?)
-          ActiveSupport::Deprecation.warn "[DEVISE] Overriding active? is deprecated to avoid conflicts. " \
-            "Please use active_for_authentication? instead.", caller
-          active?
-        else
-          true
-        end
+        true
       end
 
       def inactive_message
@@ -88,6 +76,19 @@ module Devise
       def authenticatable_salt
       end
 
+      %w(to_xml to_json).each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          def #{method}(options={})
+            if self.class.respond_to?(:accessible_attributes)
+              options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
+              super(options)
+            else
+              super
+            end
+          end
+        RUBY
+      end
+
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 

lib/devise/models/confirmable.rb

@@ -84,7 +84,7 @@ module Devise
         # Checks if the confirmation for the user is within the limit time.
         # We do this by calculating if the difference between today and the
         # confirmation sent date does not exceed the confirm in time configured.
-        # Confirm_in is a model configuration, must always be an integer value.
+        # Confirm_within is a model configuration, must always be an integer value.
         #
         # Example:
         #

lib/devise/models/database_authenticatable.rb

@@ -22,7 +22,7 @@ module Devise
       included do
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
-        before_save :downcase_keys
+        before_validation :downcase_keys
       end
 
       # Generates password encryption based on the given value.
@@ -33,6 +33,7 @@ module Devise
 
       # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
+        return false if encrypted_password.blank?
         bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
         password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
         Devise.secure_compare(password, self.encrypted_password)
@@ -40,7 +41,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        self.password = self.password_confirmation = nil
+        self.password = self.password_confirmation = ""
       end
 
       # Update record attributes when :current_password matches, otherwise returns

lib/devise/models/recoverable.rb

@@ -35,15 +35,45 @@ module Devise
 
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
-        generate_reset_password_token!
+        generate_reset_password_token! if should_generate_token?
         ::Devise.mailer.reset_password_instructions(self).deliver
       end
 
+      # Checks if the reset password token sent is within the limit time.
+      # We do this by calculating if the difference between today and the
+      # sending date does not exceed the confirm in time configured.
+      # reset_password_within is a model configuration, must always be an integer value.
+      #
+      # Example:
+      #
+      #   # reset_password_within = 1.day and reset_password_sent_at = today
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 4.days.ago
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 5.days.ago
+      #   reset_password_period_valid?   # returns false
+      #
+      #   # reset_password_within = 0.days
+      #   reset_password_period_valid?   # will always return false
+      #
+      def reset_password_period_valid?
+        respond_to?(:reset_password_sent_at) && reset_password_sent_at &&
+          reset_password_sent_at.utc >= self.class.reset_password_within.ago
+      end
+
       protected
 
+        def should_generate_token?
+          reset_password_token.nil? || !reset_password_period_valid?
+        end
+
         # Generates a new random token for reset password
         def generate_reset_password_token
           self.reset_password_token = self.class.reset_password_token
+          self.reset_password_sent_at = Time.now.utc if respond_to?(:reset_password_sent_at=)
+          self.reset_password_token
         end
 
         # Resets the reset password token with and save the record without
@@ -55,6 +85,7 @@ module Devise
         # Removes reset_password token
         def clear_reset_password_token
           self.reset_password_token = nil
+          self.reset_password_sent_at = nil if respond_to?(:reset_password_sent_at=)
         end
 
       module ClassMethods
@@ -73,18 +104,24 @@ module Devise
           generate_token(:reset_password_token)
         end
 
-        # Attempt to find a user by it's reset_password_token to reset it's
-        # password. If a user is found, reset it's password and automatically
+        # Attempt to find a user by it's reset_password_token to reset its
+        # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
-          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) if recoverable.persisted?
+          if recoverable.persisted?
+            if recoverable.reset_password_period_valid?
+              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) 
+            else
+              recoverable.errors.add(:reset_password_token, :invalid)
+            end
+          end
           recoverable
         end
 
-        Devise::Models.config(self, :reset_password_keys)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
       end
     end
   end

lib/devise/models/validatable.rb

@@ -10,7 +10,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 6..20.
+    #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
     module Validatable
       # All validations used by this module.
@@ -23,8 +23,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, :if => :email_required?
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1],
-            :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
+          validates_uniqueness_of :email, :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|

lib/devise/omniauth.rb

@@ -14,15 +14,15 @@ OmniAuth.config.path_prefix = nil
 
 OmniAuth.config.on_failure = Proc.new do |env|
   env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
-  controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
-  controller_klass.constantize.action(:failure).call(env)
+  controller_name  = ActiveSupport::Inflector.camelize(env['devise.mapping'].controllers[:omniauth_callbacks])
+  controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+  controller_klass.action(:failure).call(env)
 end
 
 module Devise
   module OmniAuth
     autoload :Config,      "devise/omniauth/config"
     autoload :UrlHelpers,  "devise/omniauth/url_helpers"
-    autoload :TestHelpers, "devise/omniauth/test_helpers"
 
     class << self
       delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!,

lib/devise/rails.rb

@@ -17,11 +17,14 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
 
-    initializer "devise.navigationals" do
-      formats = Devise.navigational_formats
-      if formats.include?(:"*/*") && formats.exclude?("*/*")
-        puts "[DEVISE] We see the symbol :\"*/*\" in the navigational formats in your initializer " \
-          "but not the string \"*/*\". Due to changes in latest Rails, please include the latter."
+    initializer "devise.auth_keys" do
+      if Devise.authentication_keys.size > 1
+        puts "[DEVISE] You are configuring Devise to use more than one authentication key. " \
+          "In previous versions, we automatically added #{Devise.authentication_keys[1..-1].inspect} " \
+          "as scope to your e-mail validation, but this was changed now. If you were relying in such " \
+          "behavior, you should remove :validatable from your models and add the validations manually. " \
+          "To get rid of this warning, you can comment config.authentication_keys in your initializer " \
+          "and pass the current values as key to the devise call in your model."
       end
     end
 
@@ -36,23 +39,5 @@ module Devise
         Devise.include_helpers(Devise::OmniAuth)
       end
     end
-
-    initializer "devise.encryptor_check" do
-      case Devise.encryptor
-      when :bcrypt
-        puts "[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt " \
-          "since encryptors are only enabled if you include :encryptable in your models. " \
-          "With this change, we can integrate better with bcrypt and get rid of the " \
-          "password_salt column (since bcrypt stores the salt with password). " \
-          "Please comment config.encryptor in your initializer to get rid of this warning."
-      when nil
-        # Nothing to say
-      else
-        puts "[DEVISE] You are using #{Devise.encryptor} as encryptor. From version 1.2, " \
-          "you need to explicitly add `devise :encryptable, :encryptor => :#{Devise.encryptor}` " \
-          "to your models and comment the current value in the config/initializers/devise.rb. " \
-          "You must also add t.encryptable to your existing migrations."
-      end
-    end
   end
 end

lib/devise/rails/routes.rb

@@ -99,6 +99,11 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :skip => :sessions
     #
+    #  * :only => the opposite of :skip, tell which controllers only to generate routes to:
+    #
+    #      devise_for :users, :only => :sessions
+    #
+    #
     # ==== Scoping
     #
     # Following Rails 3 routes DSL, you can nest devise_for calls inside a scope:
@@ -173,6 +178,9 @@ module ActionDispatch::Routing
         end
 
         routes  = mapping.routes
+        if options.has_key?(:only)
+          routes  = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & mapping.routes
+        end
         routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
 
         devise_scope mapping.name do

lib/devise/rails/warden_compat.rb

@@ -21,14 +21,14 @@ class Warden::SessionSerializer
   def deserialize(keys)
     if keys.size == 2
       raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your cookie secret or cleaning up your " <<
+        "you can fix it by changing one character in your secret_token or cleaning up your " <<
         "database sessions if you are using a db store."
     end
 
     klass, id, salt = keys
 
     begin
-      record = klass.constantize.to_adapter.get(id)
+      record = ActiveSupport::Inflector.constantize(klass).to_adapter.get(id)
       record if record && record.authenticatable_salt == salt
     rescue NameError => e
       if e.message =~ /uninitialized constant/

lib/devise/schema.rb

@@ -15,7 +15,7 @@ module Devise
     def database_authenticatable(options={})
       null    = options[:null] || false
       default = options.key?(:default) ? options[:default] : ("" if null == false)
-      include_email =  !self.respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
+      include_email = !respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
 
       apply_devise_schema :email,              String, :null => null, :default => default if include_email
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
@@ -38,9 +38,14 @@ module Devise
       apply_devise_schema :confirmation_sent_at, DateTime
     end
 
-    # Creates reset_password_token.
-    def recoverable
+    # Creates reset_password_token and reset_password_sent_at.
+    #
+    # == Options
+    # * :reset_within - When true, adds a column that reset passwords within some date
+    def recoverable(options={})
+      use_within = options.fetch(:reset_within, Devise.reset_password_within.present?)
       apply_devise_schema :reset_password_token, String
+      apply_devise_schema :reset_password_sent_at, DateTime if use_within
     end
 
     # Creates remember_token and remember_created_at.

lib/devise/strategies/authenticatable.rb

@@ -157,7 +157,8 @@ module Devise
       # becomes simply :database.
       def authenticatable_name
         @authenticatable_name ||=
-          self.class.name.split("::").last.underscore.sub("_authenticatable", "").to_sym
+          ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
+            sub("_authenticatable", "").to_sym
       end
     end
   end

lib/devise/test_helpers.rb

@@ -13,48 +13,11 @@ module Devise
       end
     end
 
-    # This is a Warden::Proxy customized for functional tests. It's meant to
-    # some of Warden::Manager responsibilities, as retrieving configuration
-    # options and calling the FailureApp.
-    class TestWarden < Warden::Proxy #:nodoc:
-      attr_reader :controller
-
-      def initialize(controller)
-        @controller = controller
-        manager = Warden::Manager.new(nil) do |config|
-          config.merge! Devise.warden_config
-        end
-        super(controller.request.env, manager)
-      end
-
-      def authenticate!(*args)
-        catch_with_redirect { super }
-      end
-
-      def user(*args)
-        catch_with_redirect { super }
-      end
-
-      def catch_with_redirect(&block)
-        result = catch(:warden, &block)
-
-        if result.is_a?(Hash) && !custom_failure? && !@controller.send(:performed?)
-          result[:action] ||= :unauthenticated
-
-          env = @controller.request.env
-          env["PATH_INFO"] = "/#{result[:action]}"
-          env["warden.options"] = result
-          Warden::Manager._run_callbacks(:before_failure, env, result)
-
-          status, headers, body = Devise.warden_config[:failure_app].call(env).to_a
-          @controller.send :render, :status => status, :text => body,
-            :content_type => headers["Content-Type"], :location => headers["Location"]
-
-          nil
-        else
-          result
-        end
-      end
+    # Override process to consider warden.
+    def process(*)
+      result = nil
+      _catch_warden { result = super }
+      result
     end
 
     # We need to setup the environment variables and the response in the controller.
@@ -64,7 +27,12 @@ module Devise
 
     # Quick access to Warden::Proxy.
     def warden #:nodoc:
-      @warden ||= (@request.env['warden'] = TestWarden.new(@controller))
+      @warden ||= begin
+        manager = Warden::Manager.new(nil) do |config|
+          config.merge! Devise.warden_config
+        end
+        @request.env['warden'] = Warden::Proxy.new(@request.env, manager)
+      end
     end
 
     # sign_in a given resource by storing its keys in the session.
@@ -96,5 +64,27 @@ module Devise
       warden.session_serializer.delete(scope, user)
     end
 
+    protected
+
+    def _catch_warden(&block)
+      result = catch(:warden, &block)
+
+      if result.is_a?(Hash) && !warden.custom_failure? && !@controller.send(:performed?)
+        result[:action] ||= :unauthenticated
+
+        env = @controller.request.env
+        env["PATH_INFO"] = "/#{result[:action]}"
+        env["warden.options"] = result
+        Warden::Manager._run_callbacks(:before_failure, env, result)
+
+        status, headers, body = Devise.warden_config[:failure_app].call(env).to_a
+        @controller.send :render, :status => status, :text => body,
+          :content_type => headers["Content-Type"], :location => headers["Location"]
+
+        nil
+      else
+        result
+      end
+    end
   end
 end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.2.0".freeze
+  VERSION = "1.3.1".freeze
 end

lib/generators/devise/views_generator.rb

@@ -9,17 +9,11 @@ module Devise
       argument :scope, :required => false, :default => nil,
                        :desc => "The scope to copy views to"
 
-      class_option :template_engine, :type => :string, :aliases => "-t",
-                                     :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
+      # class_option :template_engine, :type => :string, :aliases => "-t",
+      #                                :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
 
       def copy_views
-        template = options[:template_engine].to_s
-        case template
-        when "haml", "slim"
-          warn "#{template} templates have been removed from Devise gem"
-        else
-          directory "devise", "app/views/#{scope || :devise}"
-        end
+        directory "devise", "app/views/#{scope || :devise}"
       end
     end
   end

lib/generators/templates/devise.rb

@@ -3,7 +3,7 @@
 Devise.setup do |config|
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in DeviseMailer.
-  config.mailer_sender = "please-change-me@config-initializers-devise.com"
+  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
   # Configure the class responsible to send e-mails.
   # config.mailer = "Devise::Mailer"
@@ -82,9 +82,13 @@ Devise.setup do |config|
   # to false if you are not using database authenticatable.
   config.use_salt_as_remember_token = true
 
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.cookie_options = {}
+
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..20.
-  # config.password_length = 6..20
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
 
   # Regex to use to validate the email address
   # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
@@ -122,6 +126,11 @@ Devise.setup do |config|
   # Defines which key will be used when recovering the password for an account
   # config.reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 2.hours
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,

test/controllers/internal_helpers_test.rb

@@ -45,6 +45,14 @@ class HelpersTest < ActionController::TestCase
     @controller.send :require_no_authentication
   end
 
+  test 'require no authentication sets a flash message' do
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:user).returns(User.new)
+    @controller.expects(:redirect_to).with(root_path)
+    @controller.send :require_no_authentication
+    assert flash[:alert] == I18n.t("devise.failure.already_authenticated")
+  end
+
   test 'signed in resource returns signed in resource for current scope' do
     @mock_warden.expects(:authenticate).with(:scope => :user).returns(User.new)
     assert_kind_of User, @controller.signed_in_resource
@@ -69,4 +77,11 @@ class HelpersTest < ActionController::TestCase
     assert flash[:notice] == 'non-blank'
     MyController.send(:protected, :set_flash_message)
   end
+
+  test 'navigational_formats not returning a wild card' do
+    MyController.send(:public, :navigational_formats)
+    Devise.navigational_formats = [:"*/*", :html]
+    assert_not @controller.navigational_formats.include?(:"*/*")
+    MyController.send(:protected, :navigational_formats)
+  end
 end

test/controllers/sessions_controller_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+  tests Devise::SessionsController
+  include Devise::TestHelpers
+
+  test "#create doesn't raise exception after Warden authentication fails when TestHelpers included" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    post :create, :user => {
+      :email => "nosuchuser@example.com",
+      :password => "wevdude"
+    }
+    assert_equal 200, @response.status
+    assert_template "devise/sessions/new"
+  end
+end

test/devise_test.rb

@@ -58,9 +58,6 @@ class DeviseTest < ActiveSupport::TestCase
     assert_equal :fruits, Devise::CONTROLLERS[:kivi]
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)
-
-    assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
-    assert defined?(Devise::Models::AuthenticatableAgain)
   end
   
   test 'should complain when comparing empty or different sized passes' do

test/failure_app_test.rb

@@ -84,6 +84,18 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 401, @response.first
     end
 
+    test 'return appropriate body for xml' do
+      call_failure('formats' => :xml)
+      result = %(<?xml version="1.0" encoding="UTF-8"?>\n<errors>\n  <error>You need to sign in or sign up before continuing.</error>\n</errors>\n)
+      assert_equal result, @response.last.body
+    end
+
+    test 'return appropriate body for json' do
+      call_failure('formats' => :json)
+      result = %({"error":"You need to sign in or sign up before continuing."})
+      assert_equal result, @response.last.body
+    end
+
     test 'return 401 status for unknown formats' do
       call_failure 'formats' => []
       assert_equal 401, @response.first

test/integration/authenticatable_test.rb

@@ -205,17 +205,16 @@ class AuthenticationRedirectTest < ActionController::IntegrationTest
     assert_nil session[:"user_return_to"]
   end
 
-  test 'sign in with xml format returns xml response' do
-    create_user
-    post user_session_path(:format => 'xml', :user => {:email => "user@test.com", :password => '123456'})
-    assert_response :success
-    assert_match /<\?xml version="1.0" encoding="UTF-8"\?>/, response.body
-  end
-
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
   end
+
+  test 'require_no_authentication should set the already_authenticated flash message' do
+    sign_in_as_user
+    visit new_user_session_path
+    assert_equal flash[:alert], I18n.t("devise.failure.already_authenticated")
+  end
 end
 
 class AuthenticationSessionTest < ActionController::IntegrationTest
@@ -337,9 +336,24 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     end
   end
 
-  test 'registration in xml format works when recognizing path' do
-    assert_nothing_raised do
-      post user_registration_path(:format => 'xml', :user => {:email => "test@example.com", :password => "invalid"} )
+  test 'sign in stub in xml format' do
+    get new_user_session_path(:format => 'xml')
+    assert_equal "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>\n  <email></email>\n  <password></password>\n</user>\n", response.body
+  end
+
+  test 'sign in stub in json format' do
+    get new_user_session_path(:format => 'json')
+    assert_match '{"user":{', response.body
+    assert_match '"email":""', response.body
+    assert_match '"password":""', response.body
+  end
+
+  test 'sign in stub in json with non attribute key' do
+    swap Devise, :authentication_keys => [:other_key] do
+      get new_user_session_path(:format => 'json')
+      assert_match '{"user":{', response.body
+      assert_match '"other_key":null', response.body
+      assert_match '"password":""', response.body
     end
   end
 
@@ -354,6 +368,27 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
     assert_not warden.authenticated?(:admin)
   end
+
+  test 'sign in with xml format returns xml response' do
+    create_user
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'sign out with xml format returns ok response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'xml')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'sign out with json format returns empty json response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'json')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
 end
 
 class AuthenticationRequestKeysTest < ActionController::IntegrationTest

test/integration/confirmable_test.rb

@@ -101,4 +101,32 @@ class ConfirmationTest < ActionController::IntegrationTest
       assert_contain 'Not confirmed user'
     end
   end
+
+  test 'resent confirmation token with valid E-Mail in XML format should return valid response' do
+    user = create_user(:confirm => false)
+    post user_confirmation_path(:format => 'xml'), :user => { :email => user.email }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'resent confirmation token with invalid E-Mail in XML format should return invalid response' do
+    user = create_user(:confirm => false)
+    post user_confirmation_path(:format => 'xml'), :user => { :email => 'invalid.test@test.com' }
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'confirm account with valid confirmation token in XML format should return valid response' do
+    user = create_user(:confirm => false)
+    get user_confirmation_path(:confirmation_token => user.confirmation_token, :format => 'xml')
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'confirm account with invalid confirmation token in XML format should return invalid response' do
+    user = create_user(:confirm => false)
+    get user_confirmation_path(:confirmation_token => 'invalid_confirmation', :format => 'xml')
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/lockable_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 class LockTest < ActionController::IntegrationTest
-  
+
   def visit_user_unlock_with_token(unlock_token)
     visit user_unlock_path(:unlock_token => unlock_token)
   end
@@ -106,4 +106,38 @@ class LockTest < ActionController::IntegrationTest
     end
   end
 
+  test 'user should be able to request a new unlock token via XML request' do
+    user = create_user(:locked => true)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(:format => 'xml'), :user => {:email => user.email}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+    assert_equal 1, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked user should not be able to request a unlock token via XML request' do
+    user = create_user(:locked => false)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(:format => 'xml'), :user => {:email => user.email}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+    assert_equal 0, ActionMailer::Base.deliveries.size
+  end
+
+  test 'user with valid unlock token should be able to unlock account via XML request' do
+    user = create_user(:locked => true)
+    assert user.access_locked?
+    get user_unlock_path(:format => 'xml', :unlock_token => user.unlock_token)
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+
+  test 'user with invalid unlock token should not be able to unlock the account via XML request' do
+    get user_unlock_path(:format => 'xml', :unlock_token => 'invalid_token')
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/recoverable_test.rb

@@ -157,4 +157,41 @@ class PasswordTest < ActionController::IntegrationTest
     assert !warden.authenticated?(:user)
   end
 
+  test 'reset password request with valid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'reset password request with invalid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(:format => 'xml'), :user => {:email => "invalid.test@test.com"}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'change password with valid parameters in XML format should return valid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => user.reload.reset_password_token, :password => '987654321', :password_confirmation => '987654321'}
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'change password with invalid token in XML format should return invalid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => 'invalid.token', :password => '987654321', :password_confirmation => '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'change password with invalid new password in XML format should return invalid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => user.reload.reset_password_token, :password => '', :password_confirmation => '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/registerable_test.rb

@@ -118,14 +118,14 @@ class RegistrationTest < ActionController::IntegrationTest
     sign_in_as_user
     get edit_user_registration_path
 
-    fill_in 'email', :with => 'user.new@email.com'
+    fill_in 'email', :with => 'user.new@example.com'
     fill_in 'current password', :with => '123456'
     click_button 'Update'
 
     assert_current_url '/'
     assert_contain 'You updated your account successfully.'
 
-    assert_equal "user.new@email.com", User.first.email
+    assert_equal "user.new@example.com", User.first.email
   end
 
   test 'a signed in user should still be able to use the website after changing his password' do
@@ -146,13 +146,13 @@ class RegistrationTest < ActionController::IntegrationTest
     sign_in_as_user
     get edit_user_registration_path
 
-    fill_in 'email', :with => 'user.new@email.com'
+    fill_in 'email', :with => 'user.new@example.com'
     fill_in 'current password', :with => 'invalid'
     click_button 'Update'
 
     assert_template 'registrations/edit'
     assert_contain 'user@test.com'
-    assert_have_selector 'form input[value="user.new@email.com"]'
+    assert_have_selector 'form input[value="user.new@example.com"]'
 
     assert_equal "user@test.com", User.first.email
   end
@@ -206,4 +206,63 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_nil @request.session["devise.foo_bar"]
     assert_redirected_to new_user_registration_path
   end
+
+  test 'a user with XML sign up stub' do
+    get new_user_registration_path(:format => 'xml')
+    assert_response :success
+    assert_match %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>), response.body
+    assert_no_match(/<confirmation_token>/, response.body) if DEVISE_ORM == :active_record
+  end
+
+  test 'a user with JSON sign up stub' do
+    get new_user_registration_path(:format => 'json')
+    assert_response :success
+    assert_match %({"user":), response.body
+    assert_no_match(/"confirmation_token"/, response.body) if DEVISE_ORM == :active_record
+  end
+
+  test 'an admin sign up with valid information in XML format should return valid response' do
+    post admin_registration_path(:format => 'xml'), :admin => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'new_user123' }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<admin>)
+
+    admin = Admin.last :order => "id"
+    assert_equal admin.email, 'new_user@test.com'
+  end
+
+  test 'a user sign up with valid information in XML format should return valid response' do
+    post user_registration_path(:format => 'xml'), :user => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'new_user123' }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+
+    user = User.last :order => "id"
+    assert_equal user.email, 'new_user@test.com'
+  end
+
+  test 'a user sign up with invalid information in XML format should return invalid response' do
+    post user_registration_path(:format => 'xml'), :user => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'invalid' }
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'a user update information with valid data in XML format should return valid response' do
+    user = sign_in_as_user
+    put user_registration_path(:format => 'xml'), :user => { :current_password => '123456', :email => 'user.new@test.com' }
+    assert_response :success
+    assert_equal user.reload.email, 'user.new@test.com'
+  end
+
+  test 'a user update information with invalid data in XML format should return invalid response' do
+    user = sign_in_as_user
+    put user_registration_path(:format => 'xml'), :user => { :current_password => 'invalid', :email => 'user.new@test.com' }
+    assert_response :unprocessable_entity
+    assert_equal user.reload.email, 'user@test.com'
+  end
+
+  test 'a user cancel his account in XML format should return valid response' do
+    user = sign_in_as_user
+    delete user_registration_path(:format => 'xml')
+    assert_response :success
+    assert_equal User.count, 0
+  end
 end

test/models/confirmable_test.rb

@@ -111,12 +111,12 @@ class ConfirmableTest < ActiveSupport::TestCase
   end
 
   test 'should return a new user if no email was found' do
-    confirmation_user = User.send_confirmation_instructions(:email => "invalid@email.com")
+    confirmation_user = User.send_confirmation_instructions(:email => "invalid@example.com")
     assert_not confirmation_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
-    confirmation_user = User.send_confirmation_instructions(:email => "invalid@email.com")
+    confirmation_user = User.send_confirmation_instructions(:email => "invalid@example.com")
     assert confirmation_user.errors[:email]
     assert_equal "not found", confirmation_user.errors[:email].join
   end

test/models/database_authenticatable_test.rb

@@ -6,12 +6,12 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
     user = new_user(:email => email)
-    
+
     assert_equal email, user.email
     user.save!
     assert_equal email.downcase, user.email
   end
-  
+
   test 'should respond to password and password confirmation' do
     user = new_user
     assert user.respond_to?(:password)
@@ -48,6 +48,18 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_not user.valid_password?('654321')
   end
 
+  test 'should not raise error with an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_nothing_raised { user.valid_password?('123456') }
+  end
+
+  test 'should be an invalid password if the user has an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_not user.valid_password?('654321')
+  end
+
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -77,8 +89,8 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
 
   test 'should ignore password and its confirmation if they are blank' do
     user = create_user
-    assert user.update_with_password(:current_password => '123456', :email => "new@email.com")
-    assert_equal "new@email.com", user.email
+    assert user.update_with_password(:current_password => '123456', :email => "new@example.com")
+    assert_equal "new@example.com", user.email
   end
 
   test 'should not update password with invalid confirmation' do
@@ -95,4 +107,10 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.password.blank?
     assert user.password_confirmation.blank?
   end
+
+  test 'downcase_keys with validation' do
+    user = User.create(:email => "HEllO@example.com", :password => "123456")
+    user = User.create(:email => "HEllO@example.com", :password => "123456")
+    assert !user.valid?
+  end
 end

test/models/lockable_test.rb

@@ -163,12 +163,12 @@ class LockableTest < ActiveSupport::TestCase
   end
 
   test 'should return a new user if no email was found' do
-    unlock_user = User.send_unlock_instructions(:email => "invalid@email.com")
+    unlock_user = User.send_unlock_instructions(:email => "invalid@example.com")
     assert_not unlock_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
-    unlock_user = User.send_unlock_instructions(:email => "invalid@email.com")
+    unlock_user = User.send_unlock_instructions(:email => "invalid@example.com")
     assert_equal 'not found', unlock_user.errors[:email].join
   end
 

test/models/recoverable_test.rb

@@ -10,15 +10,6 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil new_user.reset_password_token
   end
 
-  test 'should regenerate reset password token each time' do
-    user = create_user
-    3.times do
-      token = user.reset_password_token
-      user.send_reset_password_instructions
-      assert_not_equal token, user.reset_password_token
-    end
-  end
-
   test 'should never generate the same reset password token for different users' do
     reset_password_tokens = []
     3.times do
@@ -81,7 +72,7 @@ class RecoverableTest < ActiveSupport::TestCase
   end
 
   test 'should return a new record with errors if user was not found by e-mail' do
-    reset_password_user = User.send_reset_password_instructions(:email => "invalid@email.com")
+    reset_password_user = User.send_reset_password_instructions(:email => "invalid@example.com")
     assert_not reset_password_user.persisted?
     assert_equal "not found", reset_password_user.errors[:email].join
   end
@@ -161,4 +152,56 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_not user.valid_password?(old_password)
     assert user.valid_password?('new_password')
   end
+
+  test 'should not reset reset password token during reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      user.send_reset_password_instructions
+      3.times do
+        token = user.reset_password_token
+        user.send_reset_password_instructions
+        assert_equal token, user.reset_password_token
+      end
+    end
+  end
+
+  test 'should reset reset password token after reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      user.reset_password_sent_at = 2.days.ago
+      token = user.reset_password_token
+      user.send_reset_password_instructions
+      assert_not_equal token, user.reset_password_token
+    end
+  end
+
+  test 'should not reset password after reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      old_password = user.password
+      user.send :generate_reset_password_token!
+      user.reset_password_sent_at = 2.days.ago
+      user.save!
+
+      reset_password_user = User.reset_password_by_token(
+        :reset_password_token => user.reset_password_token,
+        :password => 'new_password',
+        :password_confirmation => 'new_password'
+      )
+      user.reload
+
+      assert user.valid_password?(old_password)
+      assert_not user.valid_password?('new_password')
+      assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
+    end
+  end
+
+  test 'should save the model when the reset_password_sent_at doesnt exist' do
+    user = create_user
+    user.stubs(:respond_to?).with(:reset_password_sent_at=).returns(false)
+    user.stubs(:respond_to?).with(:headers_for).returns(false)
+    user.send_reset_password_instructions
+    user.reload
+    assert_not_nil user.reset_password_token
+  end
 end

test/models/validatable_test.rb

@@ -75,10 +75,10 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'is too short (minimum is 6 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 20 characters long' do
-    user = new_user(:password => 'x'*21, :password_confirmation => 'x'*21)
+  test 'should require a password with maximum of 128 characters long' do
+    user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 20 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do

test/models_test.rb

@@ -6,6 +6,15 @@ class Configurable < User
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
 
+class WithValidation < Admin
+  devise :database_authenticatable, :validatable, :password_length => 2..6
+end
+
+class Several < Admin
+  devise :validatable
+  devise :lockable
+end
+
 class Inheritable < Admin
 end
 
@@ -29,6 +38,20 @@ class ActiveRecordTest < ActiveSupport::TestCase
     assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end
 
+  if DEVISE_ORM == :active_record
+    test 'validations options are not applied to late' do
+      validators = WithValidation.validators_on :password
+      length = validators.find { |v| v.kind == :length }
+      assert_equal 2, length.options[:minimum]
+      assert_equal 6, length.options[:maximum]
+    end
+
+    test 'validations are applied just once' do
+      validators = Several.validators_on :password
+      assert_equal 1, validators.select{ |v| v.kind == :length }.length
+    end
+  end
+
   test 'chosen modules are inheritable' do
     assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end

test/rails_app/config/initializers/devise.rb

@@ -80,8 +80,8 @@ Devise.setup do |config|
   config.use_salt_as_remember_token = true
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..20.
-  # config.password_length = 6..20
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
 
   # Regex to use to validate the email address
   # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
@@ -119,6 +119,11 @@ Devise.setup do |config|
   # Defines which key will be used when recovering the password for an account
   # config.reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 2.hours
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,

test/rails_app/config/routes.rb

@@ -29,6 +29,8 @@ Rails.application.routes.draw do
   end
 
   # Other routes for routing_test.rb
+  devise_for :reader, :class_name => "User", :only => :passwords
+
   namespace :publisher, :path_names => { :sign_in => "i_dont_care", :sign_out => "get_out" } do
     devise_for :accounts, :class_name => "Admin", :path_names => { :sign_in => "get_in" }
   end

test/rails_app/lib/shared_user.rb

@@ -6,6 +6,8 @@ module SharedUser
            :registerable, :rememberable, :timeoutable, :token_authenticatable,
            :trackable, :validatable, :omniauthable
 
+    attr_accessor :other_key
+
     # They need to be included after Devise is called.
     extend ExtendMethods
   end

test/routes_test.rb

@@ -123,6 +123,13 @@ class CustomizedRoutingTest < ActionController::TestCase
     end
   end
 
+  test 'does only map reader password' do
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, 'reader/sessions/new')
+    end
+    assert_recognizes({:controller => 'devise/passwords', :action => 'new'}, 'reader/password/new')
+  end
+
   test 'map account with custom path name for session sign in' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'new', :locale => 'en'}, '/en/accounts/login')
   end

test/support/helpers.rb

@@ -19,7 +19,7 @@ class ActiveSupport::TestCase
   def generate_unique_email
     @@email_count ||= 0
     @@email_count += 1
-    "test#{@@email_count}@email.com"
+    "test#{@@email_count}@example.com"
   end
 
   def valid_attributes(attributes={})
@@ -57,4 +57,4 @@ class ActiveSupport::TestCase
       object.send :"#{key}=", value
     end
   end
-end
+end