Release 1.3.0.

Signed-off-by: José Valim <jose.valim@gmail.com>

.travis.yml

@@ -1 +1,7 @@
-script: "rake test"
+script: "rake test"
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - ree
+  - rbx
+  - jruby

CHANGELOG.rdoc

@@ -1,3 +1,35 @@
+== 1.3.0
+
+* enhancements
+  * All controllers can now handle different mime types than html using Responders (by github.com/sikachu)
+  * Added reset_password_within as configuration option to send the token for recovery (by github.com/jdguyot)
+  * Bump password length to 128 characters (by github.com/k33l0r)
+  * Add :only as option to devise_for (by github.com/timoschilling)
+  * Allow to override path after sending password instructions (by github.com/irohiroki)
+  * require_no_authentication has its own flash message (by github.com/jackdempsey)
+
+* bug fix
+  * Fix a bug where configuration options were being included too late
+  * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by github.com/jwilger)
+  * valid_password? should not choke on empty passwords (by github.com/mikel)
+  * Calling devise more than once does not include previously added modules anymore
+  * downcase_keys before validation
+
+* backward incompatible changes
+  * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
+
+== 1.2.1
+
+* enhancements
+  * Improve update path messages
+
+== 1.2.0
+
+* bug fix
+  * Properly ignore path prefix on omniauthable
+  * Faster uniqueness queries
+  * Rename active? to active_for_authentication? to avoid conflicts
+
 == 1.2.rc2
 
 * enhancements

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.2.rc)
+    devise (1.3.0.dev)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)

README.rdoc

@@ -152,7 +152,7 @@ You can access the session for this scope:
 
 After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
 
-  root :to => "home"
+  root :to => "home#index"
 
 You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize your redirect hooks.
 
@@ -212,14 +212,6 @@ Since Devise is an engine, all its views are packaged inside the gem. These view
 
   rails generate devise:views
 
-Devise currently supports generating views for the following template engines (use the `-e` flag for the devise:views generator):
-
-* Erb
-* Haml (http://github.com/nex3/haml)
-* Slim (http://github.com/stonean/slim)
-
-Note: If you are generating Haml or Slim templates, you will need to have a few dependencies such as `ruby_parser` (for Haml), `hpricot` (for both Haml and Slim) and `haml2slim` (for Slim) installed.
-
 If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
 
 After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views:
@@ -323,12 +315,11 @@ If you're using RSpec and want the helpers automatically included within all +de
 
 Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (http://wiki.github.com/plataformatec/devise).
 
-=== OAuth2
+=== Omniauth
 
-Devise comes with OAuth support out of the box if you're using Devise from the git repository (for now). You can read more about OAuth2 support in the wiki:
+Devise comes with Omniauth support out of the box to authenticate from other providers. You can read more about Omniauth support in the wiki:
 
-* http://github.com/plataformatec/devise/wiki/OAuth2:-Overview
-* http://github.com/plataformatec/devise/wiki/OAuth2:-Testing
+* https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
 === Other ORMs
 

TODO

@@ -1,4 +0,0 @@
-* Move integration tests to Capybara
-* Better ORM integration
-* Add support to automatically refresh the access token for OAuth
-* Add test to generators using the new Rails::Generators::TestCase

app/controllers/devise/confirmations_controller.rb

@@ -12,10 +12,10 @@ class Devise::ConfirmationsController < ApplicationController
     self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => after_resending_confirmation_instructions_path_for(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -24,10 +24,18 @@ class Devise::ConfirmationsController < ApplicationController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :confirmed
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message(:notice, :confirmed) if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
     else
-      render_with_scope :new
+      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end
   end
+
+  protected
+
+    # The path used after resending confirmation instructions.
+    def after_resending_confirmation_instructions_path_for(resource_name)
+      new_session_path(resource_name)
+    end
 end

app/controllers/devise/passwords_controller.rb

@@ -13,10 +13,10 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.send_reset_password_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => new_session_path(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -32,10 +32,11 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :updated
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message(:notice, :updated) if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with resource, :location => redirect_location(resource_name, resource)
     else
-      render_with_scope :edit
+      respond_with_navigational(resource){ render_with_scope :edit }
     end
   end
 end

app/controllers/devise/registrations_controller.rb

@@ -14,17 +14,18 @@ class Devise::RegistrationsController < ApplicationController
     build_resource
 
     if resource.save
-      if resource.active?
-        set_flash_message :notice, :signed_up
-        sign_in_and_redirect(resource_name, resource)
+      if resource.active_for_authentication?
+        set_flash_message :notice, :signed_up if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => redirect_location(resource_name, resource)
       else
-        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s
+        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s if is_navigational_format?
         expire_session_data_after_sign_in!
-        redirect_to after_inactive_sign_up_path_for(resource)
+        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
       end
     else
       clean_up_passwords(resource)
-      render_with_scope :new
+      respond_with_navigational(resource) { render_with_scope :new }
     end
   end
 
@@ -36,20 +37,21 @@ class Devise::RegistrationsController < ApplicationController
   # PUT /resource
   def update
     if resource.update_with_password(params[resource_name])
-      set_flash_message :notice, :updated
+      set_flash_message :notice, :updated if is_navigational_format?
       sign_in resource_name, resource, :bypass => true
-      redirect_to after_update_path_for(resource)
+      respond_with resource, :location => after_update_path_for(resource)
     else
       clean_up_passwords(resource)
-      render_with_scope :edit
+      respond_with_navigational(resource){ render_with_scope :edit }
     end
   end
 
   # DELETE /resource
   def destroy
     resource.destroy
-    sign_out_and_redirect(self.resource)
-    set_flash_message :notice, :destroyed
+    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
+    set_flash_message :notice, :destroyed if is_navigational_format?
+    respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
   end
 
   # GET /resource/cancel

app/controllers/devise/sessions_controller.rb

@@ -11,6 +11,17 @@ class Devise::SessionsController < ApplicationController
   # POST /resource/sign_in
   def create
     resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
+
+    # In the running app, the previous line would actually cause this method to
+    # exit by throwing `:warden` if the authentication failed. Unfortunately,
+    # this doesn't happen in the Rails test environment if you have included the
+    # Devise::TestHelpers (see `Devise::TestHelpers::TestWarden#authenticate!`),
+    # which makes it difficult to unit test extensions to this controller. Since
+    # the resource is nil if authentication fails, just short-circuit the method
+    # in that case. This should not affect the running app.
+    
+    return if resource.nil?
+
     set_flash_message(:notice, :signed_in) if is_navigational_format?
     sign_in(resource_name, resource)
     respond_with resource, :location => redirect_location(resource_name, resource)
@@ -19,7 +30,18 @@ class Devise::SessionsController < ApplicationController
   # GET /resource/sign_out
   def destroy
     signed_in = signed_in?(resource_name)
-    sign_out_and_redirect(resource_name)
+    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
     set_flash_message :notice, :signed_out if signed_in
+
+    # We actually need to hardcode this, as Rails default responder doesn't
+    # support returning empty response on GET request
+    respond_to do |format|
+      format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
+      format.all do
+        method = "to_#{request_format}"
+        text = {}.respond_to?(method) ? {}.send(method) : ""
+        render :text => text, :status => :ok
+      end
+    end
   end
 end

app/controllers/devise/unlocks_controller.rb

@@ -13,10 +13,10 @@ class Devise::UnlocksController < ApplicationController
     self.resource = resource_class.send_unlock_instructions(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      set_flash_message :notice, :send_instructions if is_navigational_format?
+      respond_with resource, :location => new_session_path(resource_name)
     else
-      render_with_scope :new
+      respond_with_navigational(resource){ render_with_scope :new }
     end
   end
 
@@ -25,10 +25,11 @@ class Devise::UnlocksController < ApplicationController
     self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
-      set_flash_message :notice, :unlocked
-      sign_in_and_redirect(resource_name, resource)
+      set_flash_message :notice, :unlocked if is_navigational_format?
+      sign_in(resource_name, resource)
+      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
     else
-      render_with_scope :new
+      respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end
   end
 end

config/locales/en.yml

@@ -12,6 +12,7 @@ en:
 
   devise:
     failure:
+      already_authenticated: 'You are already signed in.'
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'

lib/devise.rb

@@ -70,9 +70,9 @@ module Devise
   @@request_keys = []
 
   # Keys that should be case-insensitive.
-  # Empty by default for backwards compatibility.
+  # False by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = []
+  @@case_insensitive_keys = false
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -96,7 +96,7 @@ module Devise
 
   # Range validation for password length
   mattr_accessor :password_length
-  @@password_length = 6..20
+  @@password_length = 6..128
 
   # The time the user will be remembered without asking for credentials again.
   mattr_accessor :remember_for
@@ -171,6 +171,10 @@ module Devise
   mattr_accessor :reset_password_keys
   @@reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key 
+  mattr_accessor :reset_password_within
+  @@reset_password_within = nil
+
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -226,24 +230,30 @@ module Devise
     yield self
   end
 
+  def self.ref(arg)
+    if defined?(ActiveSupport::Dependencies::ClassCache)
+      ActiveSupport::Dependencies::Reference.store(arg)
+    else
+      ActiveSupport::Dependencies.ref(arg)
+    end
+  end
+
   def self.omniauth_providers
     omniauth_configs.keys
   end
 
-  def self.cookie_domain=(value)
-    ActiveSupport::Deprecation.warn "Devise.cookie_domain=(value) is deprecated. "
-      "Please use Devise.cookie_options = { :domain => value } instead."
-    self.cookie_options[:domain] = value
-  end
-
   # Get the mailer class from the mailer reference object.
   def self.mailer
-    @@mailer_ref.get
+    if defined?(ActiveSupport::Dependencies::ClassCache)
+      @@mailer_ref.get "Devise::Mailer"
+    else
+      @@mailer_ref.get
+    end
   end
 
   # Set the mailer reference object to access the mailer.
   def self.mailer=(class_name)
-    @@mailer_ref = ActiveSupport::Dependencies.ref(class_name)
+    @@mailer_ref = ref(class_name)
   end
   self.mailer = "Devise::Mailer"
 
@@ -307,7 +317,8 @@ module Devise
 
     if options[:model]
       path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
-      Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, path)
+      camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
+      Devise::Models.send(:autoload, camelized.to_sym, path)
     end
 
     Devise::Mapping.add_module module_name

lib/devise/controllers/helpers.rb

@@ -80,12 +80,6 @@ module Devise
         end
       end
 
-      def anybody_signed_in?
-        ActiveSupport::Deprecation.warn "Devise#anybody_signed_in? is deprecated. "
-          "Please use Devise#signed_in?(nil) instead."
-        signed_in?
-      end
-
       # Sign in a user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #

lib/devise/controllers/internal_helpers.rb

@@ -7,6 +7,19 @@ module Devise
       extend ActiveSupport::Concern
       include Devise::Controllers::ScopedViews
 
+      MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
+      # Helper used by FailureApp and Devise controllers to retrieve proper formats.
+      def self.request_format(request)
+        if request.format.respond_to?(:ref)
+          request.format.ref
+        elsif MIME_REFERENCES
+          request.format
+        elsif request.format # Rails < 3.0.4
+          request.format.to_sym
+        end
+      end
+
       included do
         helper DeviseHelper
 
@@ -52,14 +65,30 @@ module Devise
 
     protected
 
+      def request_format
+        @request_format ||= Devise::Controllers::InternalHelpers.request_format(request)
+      end
+
       # Checks whether it's a devise mapped resource or not.
       def is_devise_resource? #:nodoc:
-        unknown_action!("Could not find devise mapping for path #{request.fullpath.inspect}") unless devise_mapping
+        unknown_action! <<-MESSAGE unless devise_mapping
+Could not find devise mapping for path #{request.fullpath.inspect}.
+Maybe you forgot to wrap your route inside the scope block? For example:
+
+    devise_scope :user do
+      match "/some/route" => "some_devise_controller"
+    end
+MESSAGE
       end
 
       # Check whether it's navigational format, such as :html or :iphone, or not.
       def is_navigational_format?
-        Devise.navigational_formats.include?(request.format.to_sym)
+        Devise.navigational_formats.include?(request_format)
+      end
+
+      # Returns real navigational formats which are supported by Rails
+      def navigational_formats
+        @navigational_formats ||= Devise.navigational_formats.select{ |format| Mime::EXTENSION_LOOKUP[format.to_s] }
       end
 
       def unknown_action!(msg)
@@ -85,6 +114,7 @@ module Devise
       def require_no_authentication
         if warden.authenticated?(resource_name)
           resource = warden.user(resource_name)
+          flash[:alert] = I18n.t("devise.failure.already_authenticated")
           redirect_to after_sign_in_path_for(resource)
         end
       end
@@ -114,6 +144,12 @@ module Devise
       def clean_up_passwords(object) #:nodoc:
         object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
       end
+
+      def respond_with_navigational(*args, &block)
+        respond_with(*args) do |format|
+          format.any(*navigational_formats, &block)
+        end
+      end
     end
   end
 end

lib/devise/failure_app.rb

@@ -101,7 +101,9 @@ module Devise
 
     def recall_app(app)
       controller, action = app.split("#")
-      "#{controller.camelize}Controller".constantize.action(action)
+      controller_name  = ActiveSupport::Inflector.camelize(controller)
+      controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+      controller_klass.action(action)
     end
 
     def warden
@@ -128,16 +130,8 @@ module Devise
       session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
 
-    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
-
     def request_format
-      @request_format ||= if request.format.respond_to?(:ref)
-        request.format.ref
-      elsif MIME_REFERENCES
-        request.format
-      else # Rails < 3.0.4
-        request.format.to_sym
-      end
+      @request_format ||= Devise::Controllers::InternalHelpers.request_format(request)
     end
   end
 end

lib/devise/hooks/activatable.rb

@@ -1,9 +1,9 @@
 # Deny user access whenever his account is not active yet. All strategies that inherits from
-# Devise::Strategies::Authenticatable and uses the validate already check if the user is active?
+# Devise::Strategies::Authenticatable and uses the validate already check if the user is active_for_authentication?
 # before actively signing him in. However, we need this as hook to validate the user activity
 # in each request and in case the user is using other strategies beside Devise ones.
 Warden::Manager.after_set_user do |record, warden, options|
-  if record && record.respond_to?(:active?) && !record.active?
+  if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
     scope = options[:scope]
     warden.logout(scope)
     throw :warden, :scope => scope, :message => record.inactive_message

lib/devise/mapping.rb

@@ -50,7 +50,7 @@ module Devise
       @singular = (options[:singular] || @scoped_path.tr('/', '_').singularize).to_sym
 
       @class_name = (options[:class_name] || name.to_s.classify).to_s
-      @ref = ActiveSupport::Dependencies.ref(@class_name)
+      @ref = Devise.ref(@class_name)
 
       @path = (options[:path] || name).to_s
       @path_prefix = options[:path_prefix]
@@ -73,7 +73,11 @@ module Devise
 
     # Gives the class the mapping points to.
     def to
-      @ref.get
+      if defined?(ActiveSupport::Dependencies::ClassCache)
+        @ref.get @class_name
+      else
+        @ref.get
+      end
     end
 
     def strategies

lib/devise/models.rb

@@ -17,6 +17,9 @@ module Devise
     # inside the given class.
     #
     def self.config(mod, *accessors) #:nodoc:
+      (class << mod; self; end).send :attr_accessor, :available_configs
+      mod.available_configs = accessors
+
       accessors.each do |accessor|
         mod.class_eval <<-METHOD, __FILE__, __LINE__ + 1
           def #{accessor}
@@ -46,13 +49,33 @@ module Devise
     #
     def devise(*modules)
       include Devise::Models::Authenticatable
-      options = modules.extract_options!
-      self.devise_modules += modules.map(&:to_sym).uniq.sort_by { |s|
+      options = modules.extract_options!.dup
+
+      selected_modules = modules.map(&:to_sym).uniq.sort_by do |s|
         Devise::ALL.index(s) || -1  # follow Devise::ALL order
-      }
+      end
 
       devise_modules_hook! do
-        devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }
+        selected_modules.each do |m|
+          mod = Devise::Models.const_get(m.to_s.classify)
+
+          if mod.const_defined?("ClassMethods")
+            class_mod = mod.const_get("ClassMethods")
+            extend class_mod
+
+            if class_mod.respond_to?(:available_configs)
+              available_configs = class_mod.available_configs
+              available_configs.each do |config|
+                next unless options.key?(config)                
+                send(:"#{config}=", options.delete(config))
+              end
+            end
+          end
+
+          include mod
+        end
+
+        self.devise_modules |= selected_modules
         options.each { |key, value| send(:"#{key}=", value) }
       end
     end

lib/devise/models/authenticatable.rb

@@ -24,19 +24,19 @@ module Devise
     #   * +params_authenticatable+: if this model allows authentication through request params. By default true.
     #     It also accepts an array specifying the strategies that should allow params authentication.
     #
-    # == Active?
+    # == active_for_authentication?
     #
     # Before authenticating a user and in each request, Devise checks if your model is active by
-    # calling model.active?. This method is overwriten by other devise modules. For instance,
-    # :confirmable overwrites .active? to only return true if your model was confirmed.
+    # calling model.active_for_authentication?. This method is overwriten by other devise modules. For instance,
+    # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
     #
     # You overwrite this method yourself, but if you do, don't forget to call super:
     #
-    #   def active?
+    #   def active_for_authentication?
     #     super && special_condition_is_valid?
     #   end
     #
-    # Whenever active? returns false, Devise asks the reason why your model is inactive using
+    # Whenever active_for_authentication? returns false, Devise asks the reason why your model is inactive using
     # the inactive_message method. You can overwrite it as well:
     #
     #   def inactive_message
@@ -55,17 +55,17 @@ module Devise
       # find_for_authentication are the methods used in a Warden::Strategy to check
       # if a model should be signed in or not.
       #
-      # However, you should not overwrite this method, you should overwrite active? and
-      # inactive_message instead.
+      # However, you should not overwrite this method, you should overwrite active_for_authentication?
+      # and inactive_message instead.
       def valid_for_authentication?
-        if active?
+        if active_for_authentication?
           block_given? ? yield : true
         else
           inactive_message
         end
       end
 
-      def active?
+      def active_for_authentication?
         true
       end
 
@@ -101,7 +101,7 @@ module Devise
         #
         def find_for_authentication(conditions)
           filter_auth_params(conditions)
-          case_insensitive_keys.each { |k| conditions[k].try(:downcase!) }
+          (case_insensitive_keys || []).each { |k| conditions[k].try(:downcase!) }
           to_adapter.find_first(conditions)
         end
 
@@ -112,7 +112,7 @@ module Devise
 
         # Find an initialize a group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          case_insensitive_keys.each { |k| attributes[k].try(:downcase!) }
+          (case_insensitive_keys || []).each { |k| attributes[k].try(:downcase!) }
           
           attributes = attributes.slice(*required_attributes)
           attributes.delete_if { |key, value| value.blank? }
@@ -140,7 +140,7 @@ module Devise
         def filter_auth_params(conditions)
           conditions.each do |k, v|
             conditions[k] = v.to_s
-          end
+          end if conditions.is_a?(Hash)
         end
 
         # Generate a token by looping and ensuring does not already exist.

lib/devise/models/confirmable.rb

@@ -55,11 +55,11 @@ module Devise
         unless_confirmed { send_confirmation_instructions }
       end
 
-      # Overwrites active? from Devise::Models::Activatable for confirmation
+      # Overwrites active_for_authentication? for confirmation
       # by verifying whether a user is active to sign in or not. If the user
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
-      def active?
+      def active_for_authentication?
         super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
       end
 
@@ -84,7 +84,7 @@ module Devise
         # Checks if the confirmation for the user is within the limit time.
         # We do this by calculating if the difference between today and the
         # confirmation sent date does not exceed the confirm in time configured.
-        # Confirm_in is a model configuration, must always be an integer value.
+        # Confirm_within is a model configuration, must always be an integer value.
         #
         # Example:
         #

lib/devise/models/database_authenticatable.rb

@@ -22,7 +22,7 @@ module Devise
       included do
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
-        before_save :downcase_keys
+        before_validation :downcase_keys
       end
 
       # Generates password encryption based on the given value.
@@ -33,6 +33,7 @@ module Devise
 
       # Verifies whether an password (ie from sign in) is the user password.
       def valid_password?(password)
+        return false if encrypted_password.blank?
         bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
         password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
         Devise.secure_compare(password, self.encrypted_password)
@@ -78,7 +79,7 @@ module Devise
 
       # Downcase case-insensitive keys
       def downcase_keys
-        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
+        (self.class.case_insensitive_keys || []).each { |k| self[k].try(:downcase!) }
       end
 
       # Digests the password using bcrypt.

lib/devise/models/lockable.rb

@@ -57,9 +57,9 @@ module Devise
         if_access_locked { send_unlock_instructions }
       end
 
-      # Overwrites active? from Devise::Models::Activatable for locking purposes
+      # Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes
       # by verifying whether a user is active to sign in or not based on locked?
-      def active?
+      def active_for_authentication?
         super && !access_locked?
       end
 

lib/devise/models/recoverable.rb

@@ -35,15 +35,44 @@ module Devise
 
       # Resets reset password token and send reset password instructions by email
       def send_reset_password_instructions
-        generate_reset_password_token!
+        generate_reset_password_token! if should_generate_token?
         ::Devise.mailer.reset_password_instructions(self).deliver
       end
 
+      # Checks if the reset password token sent is within the limit time.
+      # We do this by calculating if the difference between today and the
+      # sending date does not exceed the confirm in time configured.
+      # reset_password_within is a model configuration, must always be an integer value.
+      #
+      # Example:
+      #
+      #   # reset_password_within = 1.day and reset_password_sent_at = today
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 4.days.ago
+      #   reset_password_period_valid?   # returns true
+      #
+      #   # reset_password_within = 5.days and reset_password_sent_at = 5.days.ago
+      #   reset_password_period_valid?   # returns false
+      #
+      #   # reset_password_within = 0.days
+      #   reset_password_period_valid?   # will always return false
+      #
+      def reset_password_period_valid?
+        respond_to?(:reset_password_sent_at) && reset_password_sent_at &&
+          reset_password_sent_at.utc >= self.class.reset_password_within.ago
+      end
+
       protected
 
+        def should_generate_token?
+          reset_password_token.nil? || !reset_password_period_valid?
+        end
+
         # Generates a new random token for reset password
         def generate_reset_password_token
           self.reset_password_token = self.class.reset_password_token
+          self.reset_password_sent_at = Time.now.utc if respond_to?(:reset_password_sent_at=)
         end
 
         # Resets the reset password token with and save the record without
@@ -55,6 +84,7 @@ module Devise
         # Removes reset_password token
         def clear_reset_password_token
           self.reset_password_token = nil
+          self.reset_password_sent_at = nil if respond_to?(:reset_password_sent_at=)
         end
 
       module ClassMethods
@@ -73,18 +103,24 @@ module Devise
           generate_token(:reset_password_token)
         end
 
-        # Attempt to find a user by it's reset_password_token to reset it's
-        # password. If a user is found, reset it's password and automatically
+        # Attempt to find a user by it's reset_password_token to reset its
+        # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
-          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) if recoverable.persisted?
+          if recoverable.persisted?
+            if recoverable.reset_password_period_valid?
+              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) 
+            else
+              recoverable.errors.add(:reset_password_token, :invalid)
+            end
+          end
           recoverable
         end
 
-        Devise::Models.config(self, :reset_password_keys)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
       end
     end
   end

lib/devise/models/validatable.rb

@@ -10,7 +10,7 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 6..20.
+    #   * +password_length+: a range expressing password length. Defaults to 6..128.
     #
     module Validatable
       # All validations used by this module.
@@ -23,8 +23,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, :if => :email_required?
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1],
-            :case_sensitive => case_insensitive_keys.exclude?(:email), :allow_blank => true
+          validates_uniqueness_of :email, :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
           validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|

lib/devise/omniauth.rb

@@ -14,15 +14,15 @@ OmniAuth.config.path_prefix = nil
 
 OmniAuth.config.on_failure = Proc.new do |env|
   env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
-  controller_klass = "#{env['devise.mapping'].controllers[:omniauth_callbacks].camelize}Controller"
-  controller_klass.constantize.action(:failure).call(env)
+  controller_name  = ActiveSupport::Inflector.camelize(env['devise.mapping'].controllers[:omniauth_callbacks])
+  controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+  controller_klass.action(:failure).call(env)
 end
 
 module Devise
   module OmniAuth
     autoload :Config,      "devise/omniauth/config"
     autoload :UrlHelpers,  "devise/omniauth/url_helpers"
-    autoload :TestHelpers, "devise/omniauth/test_helpers"
 
     class << self
       delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!,

lib/devise/omniauth/config.rb

@@ -13,18 +13,6 @@ module Devise
       def strategy_class
         ::OmniAuth::Strategies.const_get("#{::OmniAuth::Utils.camelize(@provider.to_s)}")
       end
-
-      def check_if_allow_stubs!
-        raise "OmniAuth strategy for #{@provider} does not allow stubs, only OAuth2 ones do." unless allow_stubs?
-      end
-
-      def allow_stubs?
-        defined?(::OmniAuth::Strategies::OAuth2) && strategy.is_a?(::OmniAuth::Strategies::OAuth2)
-      end
-
-      def build_connection(&block)
-        strategy.client.connection.build(&block)
-      end
     end
   end
 end     

lib/devise/omniauth/test_helpers.rb

@@ -1,31 +0,0 @@
-module Devise
-  module OmniAuth
-    module TestHelpers
-      DEPRECATION_MESSAGE = "Faraday changed the way mocks work in a way incompatible to Devise. Luckily, Omniauth now supports a new test mode, please use it in your tests instead: https://github.com/intridea/omniauth/wiki/Integration-Testing"
-
-      DeprecationError = Class.new(StandardError)
-
-      def self.stub!(*args)
-        raise DeprecationError, DEPRECATION_MESSAGE
-      end
-
-      def self.reset_stubs!(*args)
-        raise DeprecationError, DEPRECATION_MESSAGE
-      end
-
-      def self.test_mode!
-        warn DEPRECATION_MESSAGE
-      end
-
-      def self.short_circuit_authorizers!
-        ::OmniAuth.config.test_mode = true
-        warn DEPRECATION_MESSAGE
-      end
-
-      def self.unshort_circuit_authorizers!
-        ::OmniAuth.config.test_mode = false
-        warn DEPRECATION_MESSAGE
-      end
-    end
-  end
-end

lib/devise/rails.rb

@@ -17,6 +17,17 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
 
+    initializer "devise.auth_keys" do
+      if Devise.authentication_keys.size > 1
+        puts "[DEVISE] You are configuring Devise to use more than one authentication key. " \
+          "In previous versions, we automatically added #{Devise.authentication_keys[1..-1].inspect} " \
+          "as scope to your e-mail validation, but this was changed now. If you were relying in such " \
+          "behavior, you should remove :validatable from your models and add the validations manually. " \
+          "To get rid of this warning, you can comment config.authentication_keys in your initializer " \
+          "and pass the current values as key to the devise call in your model."
+      end
+    end
+
     initializer "devise.omniauth" do |app|
       Devise.omniauth_configs.each do |provider, config|
         app.middleware.use config.strategy_class, *config.args do |strategy|
@@ -28,23 +39,5 @@ module Devise
         Devise.include_helpers(Devise::OmniAuth)
       end
     end
-
-    initializer "devise.encryptor_check" do
-      case Devise.encryptor
-      when :bcrypt
-        puts "[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt " <<
-          "since encryptors are only enabled if you include :encryptable in your models. " << 
-          "With this change, we can integrate better with bcrypt and get rid of the " <<
-          "password_salt column (since bcrypt stores the salt with password). " <<
-          "Please comment config.encryptor in your initializer to get rid of this warning."
-      when nil
-        # Nothing to say
-      else
-        puts "[DEVISE] You are using #{Devise.encryptor} as encryptor. From version 1.2, " <<
-          "you need to explicitly add `devise :encryptable, :encryptor => :#{Devise.encryptor}` " <<
-          "to your models and comment the current value in the config/initializers/devise.rb. " <<
-          "You must also add t.encryptable to your existing migrations."
-      end
-    end
   end
 end

lib/devise/rails/routes.rb

@@ -99,6 +99,11 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :skip => :sessions
     #
+    #  * :only => the opposite of :skip, tell which controllers only to generate routes to:
+    #
+    #      devise_for :users, :only => :sessions
+    #
+    #
     # ==== Scoping
     #
     # Following Rails 3 routes DSL, you can nest devise_for calls inside a scope:
@@ -173,6 +178,9 @@ module ActionDispatch::Routing
         end
 
         routes  = mapping.routes
+        if options.has_key?(:only)
+          routes  = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & mapping.routes
+        end
         routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
 
         devise_scope mapping.name do
@@ -263,7 +271,8 @@ module ActionDispatch::Routing
       end
 
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
-        path_prefix = "/#{mapping.path}/auth"
+        path, @scope[:path] = @scope[:path], nil
+        path_prefix = "/#{mapping.path}/auth".squeeze("/")
 
         if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
           warn "[DEVISE] You can only add :omniauthable behavior to one model."
@@ -271,8 +280,10 @@ module ActionDispatch::Routing
           ::OmniAuth.config.path_prefix = path_prefix
         end
 
-        match "/auth/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
+        match "#{path_prefix}/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
           :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
+      ensure
+        @scope[:path] = path
       end
 
       def with_devise_exclusive_scope(new_path, new_as) #:nodoc:

lib/devise/rails/warden_compat.rb

@@ -21,14 +21,14 @@ class Warden::SessionSerializer
   def deserialize(keys)
     if keys.size == 2
       raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your cookie secret or cleaning up your " <<
+        "you can fix it by changing one character in your secret_token or cleaning up your " <<
         "database sessions if you are using a db store."
     end
 
     klass, id, salt = keys
 
     begin
-      record = klass.constantize.to_adapter.get(id)
+      record = ActiveSupport::Inflector.constantize(klass).to_adapter.get(id)
       record if record && record.authenticatable_salt == salt
     rescue NameError => e
       if e.message =~ /uninitialized constant/

lib/devise/schema.rb

@@ -15,7 +15,7 @@ module Devise
     def database_authenticatable(options={})
       null    = options[:null] || false
       default = options.key?(:default) ? options[:default] : ("" if null == false)
-      include_email =  !self.respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
+      include_email = !respond_to?(:authentication_keys) || self.authentication_keys.include?(:email)
 
       apply_devise_schema :email,              String, :null => null, :default => default if include_email
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
@@ -38,9 +38,14 @@ module Devise
       apply_devise_schema :confirmation_sent_at, DateTime
     end
 
-    # Creates reset_password_token.
-    def recoverable
+    # Creates reset_password_token and reset_password_sent_at.
+    #
+    # == Options
+    # * :reset_within - When true, adds a column that reset passwords within some date
+    def recoverable(options={})
+      use_within = options.fetch(:reset_within, Devise.reset_password_within.present?)
       apply_devise_schema :reset_password_token, String
+      apply_devise_schema :reset_password_sent_at, DateTime if use_within
     end
 
     # Creates remember_token and remember_created_at.

lib/devise/strategies/authenticatable.rb

@@ -157,7 +157,8 @@ module Devise
       # becomes simply :database.
       def authenticatable_name
         @authenticatable_name ||=
-          self.class.name.split("::").last.underscore.sub("_authenticatable", "").to_sym
+          ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
+            sub("_authenticatable", "").to_sym
       end
     end
   end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.2.rc2".freeze
+  VERSION = "1.3.0".freeze
 end

lib/generators/devise/views_generator.rb

@@ -9,17 +9,11 @@ module Devise
       argument :scope, :required => false, :default => nil,
                        :desc => "The scope to copy views to"
 
-      class_option :template_engine, :type => :string, :aliases => "-t",
-                                     :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
+      # class_option :template_engine, :type => :string, :aliases => "-t",
+      #                                :desc => "Template engine for the views. Available options are 'erb', 'haml' and 'slim'."
 
       def copy_views
-        template = options[:template_engine].to_s
-        case template
-        when "haml", "slim"
-          warn "#{template} templates have been removed from Devise gem"
-        else
-          directory "devise", "app/views/#{scope || :devise}"
-        end
+        directory "devise", "app/views/#{scope || :devise}"
       end
     end
   end

lib/generators/templates/devise.rb

@@ -82,9 +82,13 @@ Devise.setup do |config|
   # to false if you are not using database authenticatable.
   config.use_salt_as_remember_token = true
 
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.cookie_options = {}
+
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..20.
-  # config.password_length = 6..20
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
 
   # Regex to use to validate the email address
   # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
@@ -122,6 +126,11 @@ Devise.setup do |config|
   # Defines which key will be used when recovering the password for an account
   # config.reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 2.hours
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,

test/controllers/internal_helpers_test.rb

@@ -45,6 +45,14 @@ class HelpersTest < ActionController::TestCase
     @controller.send :require_no_authentication
   end
 
+  test 'require no authentication sets a flash message' do
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:user).returns(User.new)
+    @controller.expects(:redirect_to).with(root_path)
+    @controller.send :require_no_authentication
+    assert flash[:alert] == I18n.t("devise.failure.already_authenticated")
+  end
+
   test 'signed in resource returns signed in resource for current scope' do
     @mock_warden.expects(:authenticate).with(:scope => :user).returns(User.new)
     assert_kind_of User, @controller.signed_in_resource
@@ -69,4 +77,11 @@ class HelpersTest < ActionController::TestCase
     assert flash[:notice] == 'non-blank'
     MyController.send(:protected, :set_flash_message)
   end
+
+  test 'navigational_formats not returning a wild card' do
+    MyController.send(:public, :navigational_formats)
+    Devise.navigational_formats = [:"*/*", :html]
+    assert_not @controller.navigational_formats.include?(:"*/*")
+    MyController.send(:protected, :navigational_formats)
+  end
 end

test/controllers/sessions_controller_test.rb

@@ -0,0 +1,17 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+  tests Devise::SessionsController
+  include Devise::TestHelpers
+
+  test "#create doesn't raise exception after Warden authentication fails " \
+     + "when TestHelpers included" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    assert_nothing_raised(NoMethodError) do
+      post :create, :user => {
+        :email => "nosuchuser@example.com",
+        :password => "wevdude"
+      }
+    end
+  end
+end

test/devise_test.rb

@@ -58,9 +58,6 @@ class DeviseTest < ActiveSupport::TestCase
     assert_equal :fruits, Devise::CONTROLLERS[:kivi]
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:kivi)
-
-    assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
-    assert defined?(Devise::Models::AuthenticatableAgain)
   end
   
   test 'should complain when comparing empty or different sized passes' do

test/integration/authenticatable_test.rb

@@ -205,17 +205,16 @@ class AuthenticationRedirectTest < ActionController::IntegrationTest
     assert_nil session[:"user_return_to"]
   end
 
-  test 'sign in with xml format returns xml response' do
-    create_user
-    post user_session_path(:format => 'xml', :user => {:email => "user@test.com", :password => '123456'})
-    assert_response :success
-    assert_match /<\?xml version="1.0" encoding="UTF-8"\?>/, response.body
-  end
-
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
   end
+
+  test 'require_no_authentication should set the already_authenticated flash message' do
+    sign_in_as_user
+    visit new_user_session_path
+    assert_equal flash[:alert], I18n.t("devise.failure.already_authenticated")
+  end
 end
 
 class AuthenticationSessionTest < ActionController::IntegrationTest
@@ -354,6 +353,27 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
     assert_not warden.authenticated?(:admin)
   end
+
+  test 'sign in with xml format returns xml response' do
+    create_user
+    post user_session_path(:format => 'xml'), :user => {:email => "user@test.com", :password => '123456'}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'sign out with xml format returns ok response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'xml')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'sign out with json format returns empty json response' do
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'json')
+    assert_response :ok
+    assert_not warden.authenticated?(:user)
+  end
 end
 
 class AuthenticationRequestKeysTest < ActionController::IntegrationTest

test/integration/confirmable_test.rb

@@ -101,4 +101,32 @@ class ConfirmationTest < ActionController::IntegrationTest
       assert_contain 'Not confirmed user'
     end
   end
+
+  test 'resent confirmation token with valid E-Mail in XML format should return valid response' do
+    user = create_user(:confirm => false)
+    post user_confirmation_path(:format => 'xml'), :user => { :email => user.email }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'resent confirmation token with invalid E-Mail in XML format should return invalid response' do
+    user = create_user(:confirm => false)
+    post user_confirmation_path(:format => 'xml'), :user => { :email => 'invalid.test@test.com' }
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'confirm account with valid confirmation token in XML format should return valid response' do
+    user = create_user(:confirm => false)
+    get user_confirmation_path(:confirmation_token => user.confirmation_token, :format => 'xml')
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'confirm account with invalid confirmation token in XML format should return invalid response' do
+    user = create_user(:confirm => false)
+    get user_confirmation_path(:confirmation_token => 'invalid_confirmation', :format => 'xml')
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/lockable_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 class LockTest < ActionController::IntegrationTest
-  
+
   def visit_user_unlock_with_token(unlock_token)
     visit user_unlock_path(:unlock_token => unlock_token)
   end
@@ -106,4 +106,38 @@ class LockTest < ActionController::IntegrationTest
     end
   end
 
+  test 'user should be able to request a new unlock token via XML request' do
+    user = create_user(:locked => true)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(:format => 'xml'), :user => {:email => user.email}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+    assert_equal 1, ActionMailer::Base.deliveries.size
+  end
+
+  test 'unlocked user should not be able to request a unlock token via XML request' do
+    user = create_user(:locked => false)
+    ActionMailer::Base.deliveries.clear
+
+    post user_unlock_path(:format => 'xml'), :user => {:email => user.email}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+    assert_equal 0, ActionMailer::Base.deliveries.size
+  end
+
+  test 'user with valid unlock token should be able to unlock account via XML request' do
+    user = create_user(:locked => true)
+    assert user.access_locked?
+    get user_unlock_path(:format => 'xml', :unlock_token => user.unlock_token)
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+
+  test 'user with invalid unlock token should not be able to unlock the account via XML request' do
+    get user_unlock_path(:format => 'xml', :unlock_token => 'invalid_token')
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/omniauthable_test.rb

@@ -119,24 +119,20 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     assert_equal '/q/users/auth/facebook', current_url
   end
 
-  # The following two tests are commented because OmniAuth's test
-  # support is not yet able to support failure scenarios.
-  #
-  # test "handles callback error parameter according to the specification" do
-  #   visit "/users/auth/facebook/callback?error=access_denied"
-  #   assert_current_url "/users/sign_in"
-  #   assert_contain 'Could not authorize you from Facebook because "Access denied".'
-  # end
+  test "handles callback error parameter according to the specification" do
+    OmniAuth.config.mock_auth[:facebook] = :access_denied
+    visit "/users/auth/facebook/callback?error=access_denied"
+    assert_current_url "/users/sign_in"
+    assert_contain 'Could not authorize you from Facebook because "Access denied".'
+  end
 
-  # test "handles other exceptions from omniauth" do
-  #   Devise::OmniAuth.stub!(:facebook) do |b|
-  #     b.post('/oauth/access_token') { [401, {}, {}.to_json] }
-  #   end
+  test "handles other exceptions from omniauth" do
+    OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
-  #   visit "/users/sign_in"
-  #   click_link "Sign in with facebook"
+    visit "/users/sign_in"
+    click_link "Sign in with facebook"
 
-  #   assert_current_url "/users/sign_in"
-  #   assert_contain 'Could not authorize you from Facebook because "Invalid credentials".'
-  # end
+    assert_current_url "/users/sign_in"
+    assert_contain 'Could not authorize you from Facebook because "Invalid credentials".'
+  end
 end

test/integration/recoverable_test.rb

@@ -157,4 +157,41 @@ class PasswordTest < ActionController::IntegrationTest
     assert !warden.authenticated?(:user)
   end
 
+  test 'reset password request with valid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+  end
+
+  test 'reset password request with invalid E-Mail in XML format should return valid response' do
+    create_user
+    post user_password_path(:format => 'xml'), :user => {:email => "invalid.test@test.com"}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'change password with valid parameters in XML format should return valid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => user.reload.reset_password_token, :password => '987654321', :password_confirmation => '987654321'}
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'change password with invalid token in XML format should return invalid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => 'invalid.token', :password => '987654321', :password_confirmation => '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'change password with invalid new password in XML format should return invalid response' do
+    user = create_user
+    request_forgot_password
+    put user_password_path(:format => 'xml'), :user => {:reset_password_token => user.reload.reset_password_token, :password => '', :password_confirmation => '987654321'}
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
 end

test/integration/registerable_test.rb

@@ -206,4 +206,49 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_nil @request.session["devise.foo_bar"]
     assert_redirected_to new_user_registration_path
   end
+
+  test 'an admin sign up with valid information in XML format should return valid response' do
+    post admin_registration_path(:format => 'xml'), :admin => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'new_user123' }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<admin>)
+
+    admin = Admin.last :order => "id"
+    assert_equal admin.email, 'new_user@test.com'
+  end
+
+  test 'a user sign up with valid information in XML format should return valid response' do
+    post user_registration_path(:format => 'xml'), :user => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'new_user123' }
+    assert_response :success
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
+
+    user = User.last :order => "id"
+    assert_equal user.email, 'new_user@test.com'
+  end
+
+  test 'a user sign up with invalid information in XML format should return invalid response' do
+    post user_registration_path(:format => 'xml'), :user => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'invalid' }
+    assert_response :unprocessable_entity
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
+  end
+
+  test 'a user update information with valid data in XML format should return valid response' do
+    user = sign_in_as_user
+    put user_registration_path(:format => 'xml'), :user => { :current_password => '123456', :email => 'user.new@test.com' }
+    assert_response :success
+    assert_equal user.reload.email, 'user.new@test.com'
+  end
+
+  test 'a user update information with invalid data in XML format should return invalid response' do
+    user = sign_in_as_user
+    put user_registration_path(:format => 'xml'), :user => { :current_password => 'invalid', :email => 'user.new@test.com' }
+    assert_response :unprocessable_entity
+    assert_equal user.reload.email, 'user@test.com'
+  end
+
+  test 'a user cancel his account in XML format should return valid response' do
+    user = sign_in_as_user
+    delete user_registration_path(:format => 'xml')
+    assert_response :success
+    assert_equal User.count, 0
+  end
 end

test/models/confirmable_test.rb

@@ -167,10 +167,10 @@ class ConfirmableTest < ActiveSupport::TestCase
     swap Devise, :confirm_within => 1.day do
       user = new_user
       user.confirmation_sent_at = 2.days.ago
-      assert_not user.active?
+      assert_not user.active_for_authentication?
 
       Devise.confirm_within = 3.days
-      assert user.active?
+      assert user.active_for_authentication?
     end
   end
 
@@ -180,35 +180,35 @@ class ConfirmableTest < ActiveSupport::TestCase
       user = create_user
 
       user.confirmation_sent_at = 4.days.ago
-      assert user.active?
+      assert user.active_for_authentication?
 
       user.confirmation_sent_at = 5.days.ago
-      assert_not user.active?
+      assert_not user.active_for_authentication?
     end
   end
 
   test 'should be active when already confirmed' do
     user = create_user
     assert_not user.confirmed?
-    assert_not user.active?
+    assert_not user.active_for_authentication?
 
     user.confirm!
     assert user.confirmed?
-    assert user.active?
+    assert user.active_for_authentication?
   end
 
   test 'should not be active when confirm in is zero' do
     Devise.confirm_within = 0.days
     user = create_user
     user.confirmation_sent_at = Date.today
-    assert_not user.active?
+    assert_not user.active_for_authentication?
   end
 
   test 'should not be active without confirmation' do
     user = create_user
     user.confirmation_sent_at = nil
     user.save
-    assert_not user.reload.active?
+    assert_not user.reload.active_for_authentication?
   end
 
   test 'should be active without confirmation when confirmation is not required' do
@@ -216,7 +216,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.instance_eval { def confirmation_required?; false end }
     user.confirmation_sent_at = nil
     user.save
-    assert user.reload.active?
+    assert user.reload.active_for_authentication?
   end
 
   test 'should find a user to send email instructions for the user confirm it\'s email by authentication_keys' do

test/models/database_authenticatable_test.rb

@@ -6,12 +6,12 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
     user = new_user(:email => email)
-    
+
     assert_equal email, user.email
     user.save!
     assert_equal email.downcase, user.email
   end
-  
+
   test 'should respond to password and password confirmation' do
     user = new_user
     assert user.respond_to?(:password)
@@ -48,6 +48,18 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_not user.valid_password?('654321')
   end
 
+  test 'should not raise error with an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_nothing_raised { user.valid_password?('123456') }
+  end
+
+  test 'should be an invalid password if the user has an empty password' do
+    user = create_user
+    user.encrypted_password = ''
+    assert_not user.valid_password?('654321')
+  end
+
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -95,4 +107,10 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.password.blank?
     assert user.password_confirmation.blank?
   end
+
+  test 'downcase_keys with validation' do
+    user = User.create(:email => "HEllO@example.com", :password => "123456")
+    user = User.create(:email => "HEllO@example.com", :password => "123456")
+    assert !user.valid?
+  end
 end

test/models/lockable_test.rb

@@ -47,12 +47,12 @@ class LockableTest < ActiveSupport::TestCase
     assert user.access_locked?
   end
 
-  test "active? should be the opposite of locked?" do
+  test "active_for_authentication? should be the opposite of locked?" do
     user = create_user
     user.confirm!
-    assert user.active?
+    assert user.active_for_authentication?
     user.lock_access!
-    assert_not user.active?
+    assert_not user.active_for_authentication?
   end
 
   test "should unlock a user by cleaning locked_at, falied_attempts and unlock_token" do

test/models/recoverable_test.rb

@@ -10,15 +10,6 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil new_user.reset_password_token
   end
 
-  test 'should regenerate reset password token each time' do
-    user = create_user
-    3.times do
-      token = user.reset_password_token
-      user.send_reset_password_instructions
-      assert_not_equal token, user.reset_password_token
-    end
-  end
-
   test 'should never generate the same reset password token for different users' do
     reset_password_tokens = []
     3.times do
@@ -161,4 +152,48 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_not user.valid_password?(old_password)
     assert user.valid_password?('new_password')
   end
+
+  test 'should not reset reset password token during reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      user.send_reset_password_instructions
+      3.times do
+        token = user.reset_password_token
+        user.send_reset_password_instructions
+        assert_equal token, user.reset_password_token
+      end
+    end
+  end
+
+  test 'should reset reset password token after reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      user.reset_password_sent_at = 2.days.ago
+      token = user.reset_password_token
+      user.send_reset_password_instructions
+      assert_not_equal token, user.reset_password_token
+    end
+  end
+
+  test 'should not reset password after reset_password_within time' do
+    swap Devise, :reset_password_within => 1.hour do
+      user = create_user
+      old_password = user.password
+      user.send :generate_reset_password_token!
+      user.reset_password_sent_at = 2.days.ago
+      user.save!
+
+      reset_password_user = User.reset_password_by_token(
+        :reset_password_token => user.reset_password_token,
+        :password => 'new_password',
+        :password_confirmation => 'new_password'
+      )
+      user.reload
+
+      assert user.valid_password?(old_password)
+      assert_not user.valid_password?('new_password')
+      assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
+    end
+  end
+
 end

test/models/validatable_test.rb

@@ -75,10 +75,10 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'is too short (minimum is 6 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 20 characters long' do
-    user = new_user(:password => 'x'*21, :password_confirmation => 'x'*21)
+  test 'should require a password with maximum of 128 characters long' do
+    user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 20 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do

test/models_test.rb

@@ -6,6 +6,15 @@ class Configurable < User
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
 
+class WithValidation < Admin
+  devise :database_authenticatable, :validatable, :password_length => 2..6
+end
+
+class Several < Admin
+  devise :validatable
+  devise :lockable
+end
+
 class Inheritable < Admin
 end
 
@@ -29,6 +38,20 @@ class ActiveRecordTest < ActiveSupport::TestCase
     assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end
 
+  if DEVISE_ORM == :active_record
+    test 'validations options are not applied to late' do
+      validators = WithValidation.validators_on :password
+      length = validators.find { |v| v.kind == :length }
+      assert_equal 2, length.options[:minimum]
+      assert_equal 6, length.options[:maximum]
+    end
+
+    test 'validations are applied just once' do
+      validators = Several.validators_on :password
+      assert_equal 1, validators.select{ |v| v.kind == :length }.length
+    end
+  end
+
   test 'chosen modules are inheritable' do
     assert_include_modules Inheritable, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end

test/omniauth/test_helpers_test.rb

@@ -1,25 +0,0 @@
-require 'test_helper'
-
-class OmniAuthTestHelpersTest < ActiveSupport::TestCase
-  test "Assert that stub! raises deprecation error" do
-    assert_raises Devise::OmniAuth::TestHelpers::DeprecationError do
-      Devise::OmniAuth::TestHelpers.stub!
-    end
-  end
-
-  test "Assert that reset_stubs! raises deprecation error" do
-    assert_raises Devise::OmniAuth::TestHelpers::DeprecationError do
-      Devise::OmniAuth::TestHelpers.reset_stubs!
-    end
-  end
-
-  test "Assert that short_circuit_authorizers! warns about deprecation" do
-    Devise::OmniAuth::TestHelpers.short_circuit_authorizers!
-    assert ::OmniAuth.config.test_mode
-  end
-
-  test "Assert that unshort_circuit_authorizers! warns about deprecation" do
-    Devise::OmniAuth::TestHelpers.unshort_circuit_authorizers!
-    assert ! ::OmniAuth.config.test_mode
-  end
-end

test/rails_app/config/initializers/devise.rb

@@ -80,8 +80,8 @@ Devise.setup do |config|
   config.use_salt_as_remember_token = true
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 6..20.
-  # config.password_length = 6..20
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
 
   # Regex to use to validate the email address
   # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
@@ -119,6 +119,11 @@ Devise.setup do |config|
   # Defines which key will be used when recovering the password for an account
   # config.reset_password_keys = [ :email ]
 
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 2.hours
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,

test/rails_app/config/routes.rb

@@ -29,6 +29,8 @@ Rails.application.routes.draw do
   end
 
   # Other routes for routing_test.rb
+  devise_for :reader, :class_name => "User", :only => :passwords
+
   namespace :publisher, :path_names => { :sign_in => "i_dont_care", :sign_out => "get_out" } do
     devise_for :accounts, :class_name => "Admin", :path_names => { :sign_in => "get_in" }
   end

test/routes_test.rb

@@ -123,6 +123,13 @@ class CustomizedRoutingTest < ActionController::TestCase
     end
   end
 
+  test 'does only map reader password' do
+    assert_raise ActionController::RoutingError do
+      assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, 'reader/sessions/new')
+    end
+    assert_recognizes({:controller => 'devise/passwords', :action => 'new'}, 'reader/password/new')
+  end
+
   test 'map account with custom path name for session sign in' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'new', :locale => 'en'}, '/en/accounts/login')
   end

test/test_helpers_test.rb

@@ -19,7 +19,7 @@ class TestHelpersTest < ActionController::TestCase
   test "redirects if attempting to access a page with an unconfirmed account" do
     swap Devise, :confirm_within => 0 do
       user = create_user
-      assert !user.active?
+      assert !user.active_for_authentication?
 
       sign_in user
       get :index
@@ -30,7 +30,7 @@ class TestHelpersTest < ActionController::TestCase
   test "returns nil if accessing current_user with an unconfirmed account" do
     swap Devise, :confirm_within => 0 do
       user = create_user
-      assert !user.active?
+      assert !user.active_for_authentication?
 
       sign_in user
       get :accept, :id => user