Update CHANGELOG.

Conflicts:

	Gemfile.lock

.travis.yml

@@ -1,7 +1,6 @@
-script: "bundle exec rake test"
+script: "rake test"
 rvm:
   - 1.8.7
   - 1.9.2
   - ree
-  - jruby
-  - rubinius
+  - jruby

CHANGELOG.rdoc

@@ -1,26 +1,3 @@
-== 1.4.0
-
-* enhancements
-  * Added authenticated and unauthenticated to the router to route the used based on his status (by github.com/sj26)
-  * Improve e-mail regexp (by github.com/rodrigoflores)
-  * Add strip_whitespace_keys and default to e-mail (by github.com/swrobel)
-  * Do not run format and uniqueness validations on e-mail if it hasn't changed (by github.com/Thibaut)
-  * Added update_without_password to update models but not allowing the password to change (by github.com/fschwahn)
-  * Added config.paranoid, check the generator for more information (by github.com/rodrigoflores)
-
-* bug fix
-  * password_required? should not affect length validation
-  * User cannot access sign up and similar pages if he is already signed in through a cookie or token
-  * Do not convert booleans to strings on finders (by github.com/xavier)
-  * Run validations even if current_password fails (by github.com/crx)
-  * Devise now honors routes constraints (by github.com/macmartine)
-  * Do not return the user resource when requesting instructions (by github.com/rodrigoflores)
-
-== 1.3.4
-
-* bug fix
-  * Do not add formats if html or "*/*"
-
 == 1.3.3
 
 * bug fix

Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.0.7"
+gem "rails", "~> 3.0.4"
 gem "oa-oauth", '~> 0.2.0', :require => "omniauth/oauth"
 gem "oa-openid", '~> 0.2.0', :require => "omniauth/openid"
 
@@ -15,18 +15,15 @@ platforms :jruby do
   gem 'activerecord-jdbcsqlite3-adapter'
 end
 
-platforms :mri_18 do
-  group :test do
-    gem "ruby-debug", ">= 0.10.3"
-  end
-end
-
 platforms :ruby do
-  gem "sqlite3-ruby"
+  group :test do
+    gem "sqlite3-ruby"
+    gem "ruby-debug", ">= 0.10.3" if RUBY_VERSION < '1.9'
+  end
 
   group :mongoid do
-    gem "mongo", "~> 1.3.0"
-    gem "mongoid", "2.0.1"
-    gem "bson_ext", "~> 1.3.0"
+    gem "mongo", "1.1.2"
+    gem "mongoid", "2.0.0.beta.20"
+    gem "bson_ext", "1.2.1"
   end
 end

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.4.0.dev)
+    devise (1.3.1)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)
@@ -10,42 +10,41 @@ GEM
   remote: http://rubygems.org/
   specs:
     abstract (1.0.0)
-    actionmailer (3.0.7)
-      actionpack (= 3.0.7)
+    actionmailer (3.0.4)
+      actionpack (= 3.0.4)
       mail (~> 2.2.15)
-    actionpack (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
+    actionpack (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
       erubis (~> 2.6.6)
-      i18n (~> 0.5.0)
+      i18n (~> 0.4)
       rack (~> 1.2.1)
-      rack-mount (~> 0.6.14)
+      rack-mount (~> 0.6.13)
       rack-test (~> 0.5.7)
       tzinfo (~> 0.3.23)
-    activemodel (3.0.7)
-      activesupport (= 3.0.7)
+    activemodel (3.0.4)
+      activesupport (= 3.0.4)
       builder (~> 2.1.2)
-      i18n (~> 0.5.0)
-    activerecord (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
+      i18n (~> 0.4)
+    activerecord (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
       arel (~> 2.0.2)
       tzinfo (~> 0.3.23)
     activerecord-jdbc-adapter (1.1.1)
     activerecord-jdbcsqlite3-adapter (1.1.1)
       activerecord-jdbc-adapter (= 1.1.1)
       jdbc-sqlite3 (~> 3.6.0)
-    activeresource (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-    activesupport (3.0.7)
+    activeresource (3.0.4)
+      activemodel (= 3.0.4)
+      activesupport (= 3.0.4)
+    activesupport (3.0.4)
     addressable (2.2.4)
-    arel (2.0.9)
+    arel (2.0.8)
     bcrypt-ruby (2.1.4)
-    bcrypt-ruby (2.1.4-java)
-    bson (1.3.0)
-    bson_ext (1.3.0)
+    bson (1.2.1)
+    bson_ext (1.2.1)
     builder (2.1.2)
     columnize (0.3.2)
     erubis (2.6.6)
@@ -57,24 +56,24 @@ GEM
     i18n (0.5.0)
     jdbc-sqlite3 (3.6.14.2.056-java)
     linecache (0.43)
-    mail (2.2.19)
+    mail (2.2.15)
       activesupport (>= 2.3.6)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.16)
     mocha (0.9.12)
-    mongo (1.3.0)
-      bson (>= 1.3.0)
-    mongoid (2.0.1)
+    mongo (1.1.2)
+      bson (>= 1.1.1)
+    mongoid (2.0.0.beta.20)
       activemodel (~> 3.0)
-      mongo (~> 1.3)
+      mongo (~> 1.1)
       tzinfo (~> 0.3.22)
       will_paginate (~> 3.0.pre)
     multi_json (0.0.5)
     multipart-post (1.1.0)
-    nokogiri (1.4.3.1)
-    nokogiri (1.4.3.1-java)
+    nokogiri (1.4.4)
+    nokogiri (1.4.4-java)
       weakling (>= 0.0.3)
     oa-core (0.2.0)
       rack (~> 1.1)
@@ -94,25 +93,25 @@ GEM
       multi_json (~> 0.0.4)
     orm_adapter (0.0.4)
     polyglot (0.3.1)
-    rack (1.2.2)
-    rack-mount (0.6.14)
+    rack (1.2.1)
+    rack-mount (0.6.13)
       rack (>= 1.0.0)
     rack-openid (1.2.0)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.5.7)
       rack (>= 1.0)
-    rails (3.0.7)
-      actionmailer (= 3.0.7)
-      actionpack (= 3.0.7)
-      activerecord (= 3.0.7)
-      activeresource (= 3.0.7)
-      activesupport (= 3.0.7)
+    rails (3.0.4)
+      actionmailer (= 3.0.4)
+      actionpack (= 3.0.4)
+      activerecord (= 3.0.4)
+      activeresource (= 3.0.4)
+      activesupport (= 3.0.4)
       bundler (~> 1.0)
-      railties (= 3.0.7)
-    railties (3.0.7)
-      actionpack (= 3.0.7)
-      activesupport (= 3.0.7)
+      railties (= 3.0.4)
+    railties (3.0.4)
+      actionpack (= 3.0.4)
+      activesupport (= 3.0.4)
       rake (>= 0.8.7)
       thor (~> 0.14.4)
     rake (0.8.7)
@@ -130,7 +129,7 @@ GEM
     thor (0.14.6)
     treetop (1.4.9)
       polyglot (>= 0.3.1)
-    tzinfo (0.3.27)
+    tzinfo (0.3.24)
     warden (1.0.3)
       rack (>= 1.0.0)
     weakling (0.0.4-java)
@@ -146,14 +145,14 @@ PLATFORMS
 
 DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
-  bson_ext (~> 1.3.0)
+  bson_ext (= 1.2.1)
   devise!
   mocha
-  mongo (~> 1.3.0)
-  mongoid (= 2.0.1)
+  mongo (= 1.1.2)
+  mongoid (= 2.0.0.beta.20)
   oa-oauth (~> 0.2.0)
   oa-openid (~> 0.2.0)
-  rails (~> 3.0.7)
+  rails (~> 3.0.4)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
   webrat (= 0.7.2)

Rakefile

@@ -4,7 +4,7 @@ require 'rake/testtask'
 require 'rake/rdoctask'
 
 desc 'Default: run tests for all ORMs.'
-task :default => :test
+task :default => :pre_commit
 
 desc 'Run Devise tests for all ORMs.'
 task :pre_commit do

app/controllers/devise/confirmations_controller.rb

@@ -11,9 +11,9 @@ class Devise::ConfirmationsController < ApplicationController
   def create
     self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
+    if resource.errors.empty?
       set_flash_message(:notice, :send_instructions) if is_navigational_format?
-      respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+      respond_with resource, :location => after_resending_confirmation_instructions_path_for(resource_name)
     else
       respond_with_navigational(resource){ render_with_scope :new }
     end

app/controllers/devise/passwords_controller.rb

@@ -12,9 +12,9 @@ class Devise::PasswordsController < ApplicationController
   def create
     self.resource = resource_class.send_reset_password_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
+    if resource.errors.empty?
       set_flash_message(:notice, :send_instructions) if is_navigational_format?
-      respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name))
+      respond_with resource, :location => new_session_path(resource_name)
     else
       respond_with_navigational(resource){ render_with_scope :new }
     end
@@ -39,12 +39,4 @@ class Devise::PasswordsController < ApplicationController
       respond_with_navigational(resource){ render_with_scope :edit }
     end
   end
-
-  protected
-
-    # The path used after sending reset password instructions
-    def after_sending_reset_password_instructions_path_for(resource_name)
-      new_session_path(resource_name)
-    end
-
 end

app/controllers/devise/registrations_controller.rb

@@ -35,11 +35,7 @@ class Devise::RegistrationsController < ApplicationController
   end
 
   # PUT /resource
-  # We need to use a copy of the resource because we don't want to change
-  # the current user in place.
   def update
-    self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
-
     if resource.update_with_password(params[resource_name])
       set_flash_message :notice, :updated if is_navigational_format?
       sign_in resource_name, resource, :bypass => true
@@ -106,9 +102,11 @@ class Devise::RegistrationsController < ApplicationController
       end
     end
 
-    # Authenticates the current scope and gets the current resource from the session.
+    # Authenticates the current scope and gets a copy of the current resource.
+    # We need to use a copy because we don't want actions like update changing
+    # the current user in place.
     def authenticate_scope!
       send(:"authenticate_#{resource_name}!", true)
-      self.resource = send(:"current_#{resource_name}")
+      self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     end
 end

app/controllers/devise/unlocks_controller.rb

@@ -12,9 +12,9 @@ class Devise::UnlocksController < ApplicationController
   def create
     self.resource = resource_class.send_unlock_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
+    if resource.errors.empty?
       set_flash_message :notice, :send_instructions if is_navigational_format?
-      respond_with({}, :location => new_session_path(resource_name))
+      respond_with resource, :location => new_session_path(resource_name)
     else
       respond_with_navigational(resource){ render_with_scope :new }
     end

config/locales/en.yml

@@ -27,10 +27,8 @@ en:
     passwords:
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
-      send_paranoid_instructions: "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
     confirmations:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
-      send_paranoid_instructions: 'If your e-mail exists on our database, you will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
       signed_up: 'Welcome! You have signed up successfully.'
@@ -40,7 +38,6 @@ en:
     unlocks:
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account was successfully unlocked. You are now signed in.'
-      send_paranoid_instructions: 'If your account exists, you will receive an email with instructions about how to unlock it in a few minutes.'
     omniauth_callbacks:
       success: 'Successfully authorized from %{kind} account.'
       failure: 'Could not authorize you from %{kind} because "%{reason}".'

lib/devise.rb

@@ -3,7 +3,6 @@ require 'active_support/core_ext/numeric/time'
 require 'active_support/dependencies'
 require 'orm_adapter'
 require 'set'
-require 'securerandom'
 
 module Devise
   autoload :FailureApp, 'devise/failure_app'
@@ -11,7 +10,6 @@ module Devise
   autoload :PathChecker, 'devise/path_checker'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
-  autoload :Email, 'devise/email'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -44,9 +42,6 @@ module Devise
   STRATEGIES  = ActiveSupport::OrderedHash.new
   URL_HELPERS = ActiveSupport::OrderedHash.new
 
-  # Strategies that do not require user input.
-  NO_INPUT = []
-
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
@@ -79,11 +74,6 @@ module Devise
   # False by default for backwards compatibility.
   mattr_accessor :case_insensitive_keys
   @@case_insensitive_keys = false
-  
-  # Keys that should have whitespace stripped.
-  # False by default for backwards compatibility.
-  mattr_accessor :strip_whitespace_keys
-  @@strip_whitespace_keys = false
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -101,11 +91,9 @@ module Devise
   mattr_accessor :http_authentication_realm
   @@http_authentication_realm = "Application"
 
-  # Email regex used to validate email formats. Based on RFC 822 and
-  # retrieved from Sixarm email validation gem
-  # (https://github.com/SixArm/sixarm_ruby_email_address_validation).
+  # Email regex used to validate email formats. Adapted from authlogic.
   mattr_accessor :email_regexp
-  @@email_regexp = Devise::Email::EXACT_PATTERN
+  @@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -184,7 +172,7 @@ module Devise
   mattr_accessor :reset_password_keys
   @@reset_password_keys = [ :email ]
 
-  # Time interval you can reset your password with a reset password key
+  # Time interval you can reset your password with a reset password key 
   mattr_accessor :reset_password_within
   @@reset_password_within = nil
 
@@ -237,30 +225,15 @@ module Devise
   @@warden_config = nil
   @@warden_config_block = nil
 
-  # When true, enter in paranoid mode to avoid user enumeration.
-  mattr_accessor :paranoid
-  @@paranoid = false
-
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup
     yield self
   end
 
-  class Getter
-    def initialize name
-      @name = name
-    end
-
-    def get
-      ActiveSupport::Dependencies.constantize(@name)
-    end
-  end
-
   def self.ref(arg)
     if defined?(ActiveSupport::Dependencies::ClassCache)
-      ActiveSupport::Dependencies::reference(arg)
-      Getter.new(arg)
+      ActiveSupport::Dependencies::Reference.store(arg)
     else
       ActiveSupport::Dependencies.ref(arg)
     end
@@ -272,7 +245,11 @@ module Devise
 
   # Get the mailer class from the mailer reference object.
   def self.mailer
-    @@mailer_ref.get
+    if defined?(ActiveSupport::Dependencies::ClassCache)
+      @@mailer_ref.get "Devise::Mailer"
+    else
+      @@mailer_ref.get
+    end
   end
 
   # Set the mailer reference object to access the mailer.
@@ -313,17 +290,13 @@ module Devise
     options.assert_valid_keys(:strategy, :model, :controller, :route)
 
     if strategy = options[:strategy]
-      strategy = (strategy == true ? module_name : strategy)
-      STRATEGIES[module_name] = strategy
+      STRATEGIES[module_name] = (strategy == true ? module_name : strategy)
     end
 
     if controller = options[:controller]
-      controller = (controller == true ? module_name : controller)
-      CONTROLLERS[module_name] = controller
+      CONTROLLERS[module_name] = (controller == true ? module_name : controller)
     end
 
-    NO_INPUT << strategy if strategy && controller != :sessions
-
     if route = options[:route]
       case route
       when TrueClass
@@ -373,8 +346,7 @@ module Devise
   #
   def self.omniauth(provider, *args)
     @@helpers << Devise::OmniAuth::UrlHelpers
-    config = Devise::OmniAuth::Config.new(provider, args)
-    @@omniauth_configs[config.strategy_name.to_sym] = config
+    @@omniauth_configs[provider] = Devise::OmniAuth::Config.new(provider, args)
   end
 
   # Include helpers in the given scope to AC and AV.
@@ -413,7 +385,7 @@ module Devise
 
   # Generate a friendly string randomically to be used as token.
   def self.friendly_token
-    SecureRandom.base64(15).tr('+/=', 'xyz')
+    ActiveSupport::SecureRandom.base64(15).tr('+/=', 'xyz')
   end
 
   # constant-time comparison algorithm to prevent timing attacks

lib/devise/controllers/helpers.rb

@@ -5,7 +5,7 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
-        helper_method :warden, :signed_in?, :devise_controller?
+        helper_method :warden, :signed_in?, :devise_controller?, :anybody_signed_in?
       end
 
       # Define authentication filters and accessor helpers based on mappings.

lib/devise/controllers/internal_helpers.rb

@@ -91,27 +91,13 @@ MESSAGE
       # Example:
       #   before_filter :require_no_authentication, :only => :new
       def require_no_authentication
-        no_input = devise_mapping.no_input_strategies
-        args = no_input.dup.push :scope => resource_name
-        if no_input.present? && warden.authenticate?(*args)
+        if warden.authenticated?(resource_name)
           resource = warden.user(resource_name)
           flash[:alert] = I18n.t("devise.failure.already_authenticated")
           redirect_to after_sign_in_path_for(resource)
         end
       end
 
-      # Helper for use to validate if an resource is errorless. If we are on paranoid mode, we always should assume it is
-      # and return false.
-      def successful_and_sane?(resource)
-        if Devise.paranoid
-          set_flash_message :notice, :send_paranoid_instructions if is_navigational_format?
-          resource.errors.clear
-          false
-        else
-          resource.errors.empty?
-        end
-      end
-
       # Sets the flash message with :key, using I18n. By default you are able
       # to setup your messages using specific resource scope, and if no one is
       # found we look to default scope.

lib/devise/controllers/rememberable.rb

@@ -29,7 +29,7 @@ module Devise
       # Forgets the given resource by deleting a cookie
       def forget_me(resource)
         scope = Devise::Mapping.find_scope!(resource)
-        resource.forget_me!
+        resource.forget_me! unless resource.frozen?
         cookies.delete("remember_#{scope}_token", forget_cookie_values(resource))
       end
 

lib/devise/email.rb

@@ -1,23 +0,0 @@
-# This e-mail validation regexes were retrieved from SixArm Ruby
-# e-mail validation gem (https://github.com/SixArm/sixarm_ruby_email_address_validation)
-# As said on https://github.com/SixArm/sixarm_ruby_email_address_validation/blob/master/LICENSE.txt,
-# we added it using Ruby license terms.
-
-module Devise
-  module Email
-    QTEXT           = Regexp.new '[^\\x0d\\x22\\x5c\\x80-\\xff]', nil, 'n'
-    DTEXT           = Regexp.new '[^\\x0d\\x5b-\\x5d\\x80-\\xff]', nil, 'n'
-    ATOM            = Regexp.new '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+', nil, 'n'
-    QUOTED_PAIR     = Regexp.new '\\x5c[\\x00-\\x7f]', nil, 'n'
-    DOMAIN_LITERAL  = Regexp.new "\\x5b(?:#{DTEXT}|#{QUOTED_PAIR})*\\x5d", nil, 'n'
-    QUOTED_STRING   = Regexp.new "\\x22(?:#{QTEXT}|#{QUOTED_PAIR})*\\x22", nil, 'n'
-    DOMAIN_REF      = ATOM
-    SUB_DOMAIN      = "(?:#{DOMAIN_REF}|#{DOMAIN_LITERAL})"
-    WORD            = "(?:#{ATOM}|#{QUOTED_STRING})"
-    DOMAIN          = "#{SUB_DOMAIN}(?:\\x2e#{SUB_DOMAIN})*"
-    LOCAL_PART      = "#{WORD}(?:\\x2e#{WORD})*"
-    SPEC            = "#{LOCAL_PART}\\x40#{DOMAIN}"
-    PATTERN         = Regexp.new "#{SPEC}", nil, 'n'
-    EXACT_PATTERN   = Regexp.new "\\A#{SPEC}\\z", nil, 'n'
-  end
-end

lib/devise/failure_app.rb

@@ -65,17 +65,13 @@ module Devise
     end
 
     def redirect_url
-      if skip_format?
+      if request_format == :html
         send(:"new_#{scope}_session_path")
       else
         send(:"new_#{scope}_session_path", :format => request_format)
       end
     end
 
-    def skip_format?
-      %w(html */*).include? request_format.to_s
-    end
-
     # Choose whether we should respond in a http authentication fashion,
     # including 401 and optional headers.
     #

lib/devise/hooks/forgetable.rb

@@ -1,6 +1,6 @@
 # Before logout hook to forget the user in the given scope, if it responds
 # to forget_me! Also clear remember token to ensure the user won't be
-# remembered again. Notice that we forget the user unless the record is not persisted.
+# remembered again. Notice that we forget the user unless the record is frozen.
 # This avoids forgetting deleted users.
 Warden::Manager.before_logout do |record, warden, options|
   if record.respond_to?(:forget_me!)

lib/devise/hooks/trackable.rb

@@ -3,7 +3,7 @@
 # and on authentication. Retrieving the user from session (:fetch) does
 # not trigger it.
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
-  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope]) && !warden.request.env['devise.skip_trackable']
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope])
     record.update_tracked_fields!(warden.request)
   end
 end

lib/devise/mapping.rb

@@ -58,14 +58,10 @@ module Devise
       mod = options[:module] || "devise"
       @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
       @controllers.merge!(options[:controllers] || {})
-      @controllers.each { |k,v| @controllers[k] = v.to_s }
 
       @path_names = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(:registration => "")
       @path_names.merge!(options[:path_names] || {})
-      
-      @constraints = Hash.new { |h,k| h[k] = k.to_s }
-      @constraints.merge!(options[:constraints] || {})
 
       @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
     end
@@ -77,17 +73,17 @@ module Devise
 
     # Gives the class the mapping points to.
     def to
-      @ref.get
+      if defined?(ActiveSupport::Dependencies::ClassCache)
+        @ref.get @class_name
+      else
+        @ref.get
+      end
     end
 
     def strategies
       @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
     end
 
-    def no_input_strategies
-      self.strategies & Devise::NO_INPUT
-    end
-
     def routes
       @routes ||= ROUTES.values_at(*self.modules).compact.uniq
     end
@@ -99,11 +95,7 @@ module Devise
     def fullpath
       "/#{@path_prefix}/#{@path}".squeeze("/")
     end
-    
-    def constraints
-      @constraints
-    end
-    
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

lib/devise/models/authenticatable.rb

@@ -76,17 +76,21 @@ module Devise
       def authenticatable_salt
       end
 
-      def serializable_hash(options={})
-        if self.class.respond_to?(:accessible_attributes)
-          options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
-          super(options)
-        else
-          super
-        end
+      %w(to_xml to_json).each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          def #{method}(options={})
+            if self.class.respond_to?(:accessible_attributes)
+              options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
+              super(options)
+            else
+              super
+            end
+          end
+        RUBY
       end
 
       module ClassMethods
-        Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
+        Devise::Models.config(self, :authentication_keys, :request_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 
         def params_authenticatable?(strategy)
           params_authenticatable.is_a?(Array) ?
@@ -109,9 +113,8 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
-          conditions = filter_auth_params(conditions.dup)
+          filter_auth_params(conditions)
           (case_insensitive_keys || []).each { |k| conditions[k].try(:downcase!) }
-          (strip_whitespace_keys || []).each { |k| conditions[k].try(:strip!) }
           to_adapter.find_first(conditions)
         end
 
@@ -123,15 +126,14 @@ module Devise
         # Find an initialize a group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
           (case_insensitive_keys || []).each { |k| attributes[k].try(:downcase!) }
-          (strip_whitespace_keys || []).each { |k| attributes[k].try(:strip!) }
-
+          
           attributes = attributes.slice(*required_attributes)
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
             record = to_adapter.find_first(filter_auth_params(attributes))
           end
-
+          
           unless record
             record = new
 
@@ -150,14 +152,9 @@ module Devise
         # Force keys to be string to avoid injection on mongoid related database.
         def filter_auth_params(conditions)
           conditions.each do |k, v|
-            conditions[k] = v.to_s if auth_param_requires_string_conversion?(v)
+            conditions[k] = v.to_s
           end if conditions.is_a?(Hash)
         end
-        
-        # Determine which values should be transformed to string or passed as-is to the query builder underneath
-        def auth_param_requires_string_conversion?(value)
-          true unless value.is_a?(TrueClass) || value.is_a?(FalseClass) || value.is_a?(Fixnum)
-        end
 
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)

lib/devise/models/database_authenticatable.rb

@@ -23,7 +23,6 @@ module Devise
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
         before_validation :downcase_keys
-        before_validation :strip_whitespace
       end
 
       # Generates password encryption based on the given value.
@@ -59,9 +58,8 @@ module Devise
         result = if valid_password?(current_password)
           update_attributes(params)
         else
-          self.attributes = params
-          self.valid?
           self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          self.attributes = params
           false
         end
 
@@ -69,17 +67,6 @@ module Devise
         result
       end
 
-      # Updates record attributes without asking for the current password.
-      # Never allows to change the current password
-      def update_without_password(params={})
-        params.delete(:password)
-        params.delete(:password_confirmation)
-
-        result = update_attributes(params)
-        clean_up_passwords
-        result
-      end
-      
       def after_database_authentication
       end
 
@@ -94,10 +81,6 @@ module Devise
       def downcase_keys
         (self.class.case_insensitive_keys || []).each { |k| self[k].try(:downcase!) }
       end
-      
-      def strip_whitespace
-        (self.class.strip_whitespace_keys || []).each { |k| self[k].try(:strip!) }
-      end
 
       # Digests the password using bcrypt.
       def password_digest(password)

lib/devise/models/recoverable.rb

@@ -42,7 +42,7 @@ module Devise
       # Checks if the reset password token sent is within the limit time.
       # We do this by calculating if the difference between today and the
       # sending date does not exceed the confirm in time configured.
-      # Returns true if the resource is not responding to reset_password_sent_at at all.
+      # Returns true if the ressource is not responding to reset_password_sent_at at all.
       # reset_password_within is a model configuration, must always be an integer value.
       #
       # Example:

lib/devise/models/rememberable.rb

@@ -54,14 +54,12 @@ module Devise
         save(:validate => false)
       end
 
-      # If the record is persisted, remove the remember token (but only if
-      # it exists), and save the record without validations.
+      # Removes the remember token only if it exists, and save the record
+      # without validations.
       def forget_me!
-        if persisted?
-          self.remember_token = nil if respond_to?(:remember_token=)
-          self.remember_created_at = nil
-          save(:validate => false)
-        end
+        self.remember_token = nil if respond_to?(:remember_token=)
+        self.remember_created_at = nil
+        save(:validate => false)
       end
 
       # Remember token should be expired if expiration time not overpass now.

lib/devise/models/validatable.rb

@@ -23,12 +23,14 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, :if => :email_required?
-          validates_uniqueness_of :email, :case_sensitive => (case_insensitive_keys != false), :allow_blank => true, :if => :email_changed?
-          validates_format_of     :email, :with  => email_regexp, :allow_blank => true, :if => :email_changed?
+          validates_uniqueness_of :email, :case_sensitive => (case_insensitive_keys != false), :allow_blank => true
+          validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
-          validates_presence_of     :password, :if => :password_required?
-          validates_confirmation_of :password, :if => :password_required?
-          validates_length_of       :password, :within => password_length, :allow_blank => true
+          with_options :if => :password_required? do |v|
+            v.validates_presence_of     :password
+            v.validates_confirmation_of :password
+            v.validates_length_of       :password, :within => password_length, :allow_blank => true
+          end
         end
       end
 

lib/devise/modules.rb

@@ -5,7 +5,7 @@ Devise.with_options :model => true do |d|
   d.with_options :strategy => true do |s|
     routes = [nil, :new, :destroy]
     s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
-    s.add_module :token_authenticatable
+    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }
     s.add_module :rememberable
   end
 

lib/devise/omniauth.rb

@@ -23,5 +23,10 @@ module Devise
   module OmniAuth
     autoload :Config,      "devise/omniauth/config"
     autoload :UrlHelpers,  "devise/omniauth/url_helpers"
+
+    class << self
+      delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!,
+        :test_mode!, :stub!, :reset_stubs!, :to => "Devise::OmniAuth::TestHelpers"
+    end
   end
 end

lib/devise/omniauth/config.rb

@@ -10,12 +10,6 @@ module Devise
         @strategy = nil
       end
 
-      # open_id strategy can have configurable name
-      def strategy_name
-        options = @args.last.is_a?(Hash) && @args.last
-        options && options[:name] ? options[:name] : @provider
-      end
-
       def strategy_class
         ::OmniAuth::Strategies.const_get("#{::OmniAuth::Utils.camelize(@provider.to_s)}")
       end

lib/devise/rails/routes.rb

@@ -129,9 +129,9 @@ module ActionDispatch::Routing
     #   end
     #
     # ==== Adding custom actions to override controllers
-    #
-    # You can pass a block to devise_for that will add any routes defined in the block to Devise's
-    # list of known actions.  This is important if you add a custom action to a controller that
+    # 
+    # You can pass a block to devise_for that will add any routes defined in the block to Devise's 
+    # list of known actions.  This is important if you add a custom action to a controller that 
     # overrides an out of the box Devise controller.
     # For example:
     #
@@ -159,7 +159,6 @@ module ActionDispatch::Routing
       options[:module]      ||= @scope[:module] if @scope[:module].present?
       options[:path_prefix] ||= @scope[:path]   if @scope[:path].present?
       options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
-      options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
 
       resources.map!(&:to_sym)
 
@@ -186,7 +185,7 @@ module ActionDispatch::Routing
 
         devise_scope mapping.name do
           yield if block_given?
-          with_devise_exclusive_scope mapping.fullpath, mapping.name, mapping.constraints do
+          with_devise_exclusive_scope mapping.fullpath, mapping.name do
             routes.each { |mod| send("devise_#{mod}", mapping, mapping.controllers) }
           end
         end
@@ -209,50 +208,6 @@ module ActionDispatch::Routing
       end
     end
 
-    # Allow you to route based on whether a scope is authenticated. You
-    # can optionally specify which scope.
-    #
-    #   authenticated :admin do
-    #     root :to => 'admin/dashboard#show'
-    #   end
-    #
-    #   authenticated do
-    #     root :to => 'dashboard#show'
-    #   end
-    #
-    #   root :to => 'landing#show'
-    #
-    def authenticated(scope=nil)
-      constraint = lambda do |request|
-        request.env["warden"].authenticate? :scope => scope
-      end
-
-      constraints(constraint) do
-        yield
-      end
-    end
-
-    # Allow you to route based on whether a scope is *not* authenticated.
-    # You can optionally specify which scope.
-    #
-    #   unauthenticated do
-    #     as :user do
-    #       root :to => 'devise/registrations#new'
-    #     end
-    #   end
-    #
-    #   root :to => 'dashboard#show'
-    #
-    def unauthenticated(scope=nil)
-      constraint = lambda do |request|
-        not request.env["warden"].authenticate? :scope => scope
-      end
-
-      constraints(constraint) do
-        yield
-      end
-    end
-
     # Sets the devise scope to be used in the controller. If you have custom routes,
     # you are required to call this method (also aliased as :as) in order to specify
     # to which controller it is targetted.
@@ -331,12 +286,12 @@ module ActionDispatch::Routing
         @scope[:path] = path
       end
 
-      def with_devise_exclusive_scope(new_path, new_as, new_constraints) #:nodoc:
-        old_as, old_path, old_module, old_constraints = @scope[:as], @scope[:path], @scope[:module], @scope[:constraints]
-        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints] = new_as, new_path, nil, new_constraints
+      def with_devise_exclusive_scope(new_path, new_as) #:nodoc:
+        old_as, old_path, old_module = @scope[:as], @scope[:path], @scope[:module]
+        @scope[:as], @scope[:path], @scope[:module] = new_as, new_path, nil
         yield
       ensure
-        @scope[:as], @scope[:path], @scope[:module], @scope[:constraints] = old_as, old_path, old_module, old_constraints
+        @scope[:as], @scope[:path], @scope[:module] = old_as, old_path, old_module
       end
 
       def raise_no_devise_method_error!(klass) #:nodoc:

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.0".freeze
+  VERSION = "1.3.3".freeze
 end

lib/generators/devise/install_generator.rb

@@ -1,4 +1,4 @@
-require 'securerandom'
+require 'active_support/secure_random'
 
 module Devise
   module Generators
@@ -21,4 +21,4 @@ module Devise
       end
     end
   end
-end
+end

lib/generators/templates/devise.rb

@@ -35,11 +35,6 @@ Devise.setup do |config|
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
   config.case_insensitive_keys = [ :email ]
-  
-  # Configure which authentication keys should have whitespace stripped.
-  # These keys will have whitespace before and after removed upon creating or
-  # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
 
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
@@ -53,18 +48,13 @@ Devise.setup do |config|
   # The realm used in Http Basic Authentication. "Application" by default.
   # config.http_authentication_realm = "Application"
 
-  # It will change confirmation, password recovery and other workflows
-  # to behave the same regardless if the e-mail provided was right or wrong.
-  # Does not affect registerable.
-  # config.paranoid = true
-
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
   config.stretches = 10
 
   # Setup a pepper to generate the encrypted password.
-  # config.pepper = <%= SecureRandom.hex(64).inspect %>
+  # config.pepper = <%= ActiveSupport::SecureRandom.hex(64).inspect %>
 
   # ==> Configuration for :confirmable
   # The time you want to give your user to confirm his account. During this time

test/controllers/internal_helpers_test.rb

@@ -39,21 +39,14 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'require no authentication tests current mapping' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication
   end
 
-  test 'require no authentication skips if no inputs are available' do
-    Devise.mappings[:user].expects(:no_input_strategies).returns([])
-    @mock_warden.expects(:authenticate?).never
-    @controller.expects(:redirect_to).never
-    @controller.send :require_no_authentication
-  end
-
   test 'require no authentication sets a flash message' do
-    @mock_warden.expects(:authenticate?).with(:rememberable, :token_authenticatable, :scope => :user).returns(true)
+    @mock_warden.expects(:authenticated?).with(:user).returns(true)
     @mock_warden.expects(:user).with(:user).returns(User.new)
     @controller.expects(:redirect_to).with(root_path)
     @controller.send :require_no_authentication

test/failure_app_test.rb

@@ -39,11 +39,6 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
-    test 'return to the default redirect location for wildcard requests' do
-      call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
-      assert_equal 'http://test.host/users/sign_in', @response.second['Location']
-    end
-
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(:message => :test))
       assert_equal 'test', @request.flash[:alert]

test/integration/authenticatable_test.rb

@@ -101,54 +101,6 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
     assert_contain 'Private!'
   end
 
-  test 'signed in as admin should get admin dashboard' do
-    sign_in_as_admin
-    assert warden.authenticated?(:admin)
-    assert_not warden.authenticated?(:user)
-
-    get dashboard_path
-
-    assert_response :success
-    assert_template 'home/admin'
-    assert_contain 'Admin dashboard'
-  end
-
-  test 'signed in as user should get user dashboard' do
-    sign_in_as_user
-    assert warden.authenticated?(:user)
-    assert_not warden.authenticated?(:admin)
-
-    get dashboard_path
-
-    assert_response :success
-    assert_template 'home/user'
-    assert_contain 'User dashboard'
-  end
-
-  test 'not signed in should get no dashboard' do
-    assert_raises ActionController::RoutingError do
-      get dashboard_path
-    end
-  end
-
-  test 'signed in user should not see join page' do
-    sign_in_as_user
-    assert warden.authenticated?(:user)
-    assert_not warden.authenticated?(:admin)
-
-    assert_raises ActionController::RoutingError do
-      get join_path
-    end
-  end
-
-  test 'not signed in should see join page' do
-    get join_path
-
-    assert_response :success
-    assert_template 'home/join'
-    assert_contain 'Join'
-  end
-
   test 'signed in as user should not be able to access admins actions' do
     sign_in_as_user
     assert warden.authenticated?(:user)
@@ -362,9 +314,8 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 
   test 'render 404 on roles without routes' do
-    assert_raise ActionController::RoutingError do
-      get '/admin_area/password/new'
-    end
+    get '/admin_area/password/new'
+    assert_equal 404, response.status
   end
 
   test 'does not intercept Rails 401 responses' do
@@ -495,9 +446,7 @@ class AuthenticationSignOutViaTest < ActionController::IntegrationTest
 
   test 'do not allow sign out via get when sign_out_via provides only delete' do
     sign_in!(:sign_out_via_delete)
-    assert_raise ActionController::RoutingError do
-      get destroy_sign_out_via_delete_session_path
-    end
+    get destroy_sign_out_via_delete_session_path
     assert warden.authenticated?(:sign_out_via_delete)
   end
 
@@ -509,9 +458,7 @@ class AuthenticationSignOutViaTest < ActionController::IntegrationTest
 
   test 'do not allow sign out via get when sign_out_via provides only post' do
     sign_in!(:sign_out_via_post)
-    assert_raise ActionController::RoutingError do
-      get destroy_sign_out_via_delete_session_path
-    end
+    get destroy_sign_out_via_delete_session_path
     assert warden.authenticated?(:sign_out_via_post)
   end
 
@@ -529,9 +476,7 @@ class AuthenticationSignOutViaTest < ActionController::IntegrationTest
 
   test 'do not allow sign out via get when sign_out_via provides delete and post' do
     sign_in!(:sign_out_via_delete_or_post)
-    assert_raise ActionController::RoutingError do
-      get destroy_sign_out_via_delete_or_post_session_path
-    end
+    get destroy_sign_out_via_delete_or_post_session_path
     assert warden.authenticated?(:sign_out_via_delete_or_post)
   end
 end

test/integration/confirmable_test.rb

@@ -106,7 +106,7 @@ class ConfirmationTest < ActionController::IntegrationTest
     user = create_user(:confirm => false)
     post user_confirmation_path(:format => 'xml'), :user => { :email => user.email }
     assert_response :success
-    assert_equal response.body, {}.to_xml
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
 
   test 'resent confirmation token with invalid E-Mail in XML format should return invalid response' do
@@ -129,42 +129,4 @@ class ConfirmationTest < ActionController::IntegrationTest
     assert_response :unprocessable_entity
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
   end
-
-  test 'request an account confirmation account with JSON, should return an empty JSON' do
-    user = create_user(:confirm => false)
-
-    post user_confirmation_path, :user => { :email => user.email }, :format => :json
-    assert_response :success
-    assert_equal response.body, {}.to_json
-  end
-
-  test "when in paranoid mode and with a valid e-mail, should not say that the e-mail is valid" do
-    swap Devise, :paranoid => true do
-      user = create_user(:confirm => false)
-      visit new_user_session_path
-
-      click_link "Didn't receive confirmation instructions?"
-      fill_in 'email', :with => user.email
-      click_button 'Resend confirmation instructions'
-
-      assert_contain "If your e-mail exists on our database, you will receive an email with instructions about how to confirm your account in a few minutes."
-      assert_current_url "/users/confirmation"
-    end
-  end
-
-  test "when in paranoid mode and with a invalid e-mail, should not say that the e-mail is invalid" do
-    swap Devise, :paranoid => true do
-      visit new_user_session_path
-
-      click_link "Didn't receive confirmation instructions?"
-      fill_in 'email', :with => "idonthavethisemail@gmail.com"
-      click_button 'Resend confirmation instructions'
-
-      assert_not_contain "1 error prohibited this user from being saved:"
-      assert_not_contain "Email not found"
-
-      assert_contain "If your e-mail exists on our database, you will receive an email with instructions about how to confirm your account in a few minutes."
-      assert_current_url "/users/confirmation"
-    end
-  end
 end

test/integration/database_authenticatable_test.rb

@@ -22,28 +22,6 @@ class DatabaseAuthenticationTest < ActionController::IntegrationTest
       assert_not warden.authenticated?(:user)
     end
   end
-  
-  test 'sign in with email including extra spaces should succeed when email is in the list of strip whitespace keys' do
-    create_user(:email => ' foo@bar.com ')
-    
-    sign_in_as_user do
-      fill_in 'email', :with => 'foo@bar.com'
-    end
-    
-    assert warden.authenticated?(:user)
-  end
-
-  test 'sign in with email including extra spaces should fail when email is NOT the list of strip whitespace keys' do
-    swap Devise, :strip_whitespace_keys => [] do
-      create_user(:email => 'foo@bar.com')
-      
-      sign_in_as_user do
-        fill_in 'email', :with => ' foo@bar.com '
-      end
-      
-      assert_not warden.authenticated?(:user)
-    end
-  end
 
   test 'sign in should not authenticate if not using proper authentication keys' do
     swap Devise, :authentication_keys => [:username] do

test/integration/lockable_test.rb

@@ -37,7 +37,7 @@ class LockTest < ActionController::IntegrationTest
   end
 
   test 'unlocked pages should not be available if email strategy is disabled' do
-    visit "/admin_area/sign_in"
+    visit "/admins/sign_in"
 
     assert_raise Webrat::NotFoundError do
       click_link "Didn't receive unlock instructions?"
@@ -47,9 +47,8 @@ class LockTest < ActionController::IntegrationTest
       visit new_admin_unlock_path
     end
 
-    assert_raise ActionController::RoutingError do
-      visit "/admin_area/unlock/new"
-    end
+    visit "/admins/unlock/new"
+    assert_response :not_found
   end
 
   test 'user with invalid unlock token should not be able to unlock an account' do
@@ -113,7 +112,7 @@ class LockTest < ActionController::IntegrationTest
 
     post user_unlock_path(:format => 'xml'), :user => {:email => user.email}
     assert_response :success
-    assert_equal response.body, {}.to_xml
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
     assert_equal 1, ActionMailer::Base.deliveries.size
   end
 
@@ -141,61 +140,4 @@ class LockTest < ActionController::IntegrationTest
     assert_response :unprocessable_entity
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
   end
-
-  test "when using json to ask a unlock request, should not return the user" do
-    user = create_user(:locked => true)
-    post  user_unlock_path(:format => "json", :user => {:email => user.email})
-    assert_response :success
-    assert_equal response.body, {}.to_json
-  end
-
-  test "in paranoid mode, when trying to unlock an user that exists it should not say that it exists if it is locked" do
-    swap Devise, :paranoid => true do
-      user = create_user(:locked => true)
-
-      visit new_user_session_path
-      click_link "Didn't receive unlock instructions?"
-
-      fill_in 'email', :with => user.email
-      click_button 'Resend unlock instructions'
-
-      assert_current_url "/users/unlock"
-
-      assert_contain "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes."
-    end
-  end
-
-  test "in paranoid mode, when trying to unlock an user that exists it should not say that it exists if it is not locked" do
-    swap Devise, :paranoid => true do
-      user = create_user(:locked => false)
-
-      visit new_user_session_path
-      click_link "Didn't receive unlock instructions?"
-
-      fill_in 'email', :with => user.email
-      click_button 'Resend unlock instructions'
-
-      assert_current_url "/users/unlock"
-
-      assert_contain "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes."
-    end
-  end
-
-  test "in paranoid mode, when trying to unlock an user that does not exists it should not say that it does not exists" do
-    swap Devise, :paranoid => true do
-      visit new_user_session_path
-      click_link "Didn't receive unlock instructions?"
-
-      fill_in 'email', :with => "arandomemail@hotmail.com"
-      click_button 'Resend unlock instructions'
-
-      assert_not_contain "1 error prohibited this user from being saved:"
-      assert_not_contain "Email not found"
-      assert_current_url "/users/unlock"
-
-      assert_contain "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes."
-
-    end
-  end
-
 end

test/integration/omniauthable_test.rb

@@ -114,7 +114,9 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
   test "generates a proper link when SCRIPT_NAME is set" do
     header 'SCRIPT_NAME', '/q'
     visit "/users/sign_in"
-    assert_select "a", :href => "/q/users/auth/facebook"
+    click_link "Sign in with Facebook"
+
+    assert_equal '/q/users/auth/facebook', current_url
   end
 
   test "handles callback error parameter according to the specification" do

test/integration/recoverable_test.rb

@@ -17,7 +17,7 @@ class PasswordTest < ActionController::IntegrationTest
     click_button 'Send me reset password instructions'
   end
 
-  def reset_password(options={}, &block)
+  def reset_password(options={}, &block)    
     visit edit_user_password_path(:reset_password_token => options[:reset_password_token]) unless options[:visit] == false
     assert_response :success
 
@@ -29,11 +29,11 @@ class PasswordTest < ActionController::IntegrationTest
 
   test 'reset password with email of different case should succeed when email is in the list of case insensitive keys' do
     create_user(:email => 'Foo@Bar.com')
-
+    
     request_forgot_password do
       fill_in 'email', :with => 'foo@bar.com'
     end
-
+    
     assert_current_url '/users/sign_in'
     assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
   end
@@ -41,11 +41,11 @@ class PasswordTest < ActionController::IntegrationTest
   test 'reset password with email of different case should fail when email is NOT the list of case insensitive keys' do
     swap Devise, :case_insensitive_keys => [] do
       create_user(:email => 'Foo@Bar.com')
-
+      
       request_forgot_password do
         fill_in 'email', :with => 'foo@bar.com'
       end
-
+      
       assert_response :success
       assert_current_url '/users/password'
       assert_have_selector "input[type=email][value='foo@bar.com']"
@@ -53,32 +53,6 @@ class PasswordTest < ActionController::IntegrationTest
     end
   end
 
-  test 'reset password with email with extra whitespace should succeed when email is in the list of strip whitespace keys' do
-    create_user(:email => 'foo@bar.com')
-
-    request_forgot_password do
-      fill_in 'email', :with => ' foo@bar.com '
-    end
-
-    assert_current_url '/users/sign_in'
-    assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
-  end
-
-  test 'reset password with email with extra whitespace should fail when email is NOT the list of strip whitespace keys' do
-    swap Devise, :strip_whitespace_keys => [] do
-      create_user(:email => 'foo@bar.com')
-
-      request_forgot_password do
-        fill_in 'email', :with => ' foo@bar.com '
-      end
-
-      assert_response :success
-      assert_current_url '/users/password'
-      assert_have_selector "input[type=email][value=' foo@bar.com ']"
-      assert_contain 'not found'
-    end
-  end
-
   test 'authenticated user should not be able to visit forgot password page' do
     sign_in_as_user
     assert warden.authenticated?(:user)
@@ -187,7 +161,7 @@ class PasswordTest < ActionController::IntegrationTest
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}
     assert_response :success
-    assert_equal response.body, { }.to_xml
+    assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
 
   test 'reset password request with invalid E-Mail in XML format should return valid response' do
@@ -220,38 +194,4 @@ class PasswordTest < ActionController::IntegrationTest
     assert_response :unprocessable_entity
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
   end
-
-  test "when using json requests to ask a confirmable request, should not return the object" do
-    user = create_user(:confirm => false)
-
-    post user_password_path(:format => :json), :user => { :email => user.email }
-
-    assert_response :success
-    assert_equal response.body, "{}"
-  end
-
-  test "when in paranoid mode and with an invalid e-mail, asking to reset a password should display a message that does not indicates that the e-mail does not exists in the database" do
-    swap Devise, :paranoid => true do
-      visit_new_password_path
-      fill_in "email", :with => "arandomemail@test.com"
-      click_button 'Send me reset password instructions'
-
-      assert_not_contain "1 error prohibited this user from being saved:"
-      assert_not_contain "Email not found"
-      assert_contain "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
-      assert_current_url "/users/password"
-    end
-  end
-
-  test "when in paranoid mode and with a valid e-mail, asking to reset password should display a message that does not indicates that the email exists in the database and redirect to the failure route" do
-    swap Devise, :paranoid => true do
-      user = create_user
-      visit_new_password_path
-      fill_in 'email', :with => user.email
-      click_button 'Send me reset password instructions'
-
-      assert_contain "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
-      assert_current_url "/users/password"
-    end
-  end
 end

test/integration/rememberable_test.rb

@@ -69,14 +69,7 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
-  end
-
-  test 'remember the user before sign up and redirect him to his home' do
-    user = create_user_and_remember
-    get new_user_registration_path
-    assert warden.authenticated?(:user)
-    assert_redirected_to root_path
+    assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'cookies are destroyed on unverified requests' do

test/integration/trackable_test.rb

@@ -61,21 +61,4 @@ class TrackableHooksTest < ActionController::IntegrationTest
       assert_nil user.last_sign_in_at
     end
   end
-  
-  test "do not track if devise.skip_trackable is set" do
-    user = create_user
-    sign_in_as_user do
-      header 'devise.skip_trackable', '1'
-    end
-    user.reload
-    assert_equal 0, user.sign_in_count
-    visit destroy_user_session_path
-    
-    sign_in_as_user do
-      header 'devise.skip_trackable', false
-    end
-    user.reload
-    assert_equal 1, user.sign_in_count
-  end
-
 end

test/mapping_test.rb

@@ -50,11 +50,6 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal [:rememberable, :database_authenticatable], Devise.mappings[:admin].strategies
   end
 
-  test 'has no input strategies depending on the model declaration' do
-    assert_equal [:rememberable, :token_authenticatable], Devise.mappings[:user].no_input_strategies
-    assert_equal [:rememberable], Devise.mappings[:admin].no_input_strategies
-  end
-
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)

test/models/database_authenticatable_test.rb

@@ -11,39 +11,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     user.save!
     assert_equal email.downcase, user.email
   end
-  
-  test 'should remove whitespace from strip whitespace keys when saving' do
-    # strip_whitespace_keys is set to :email by default.
-    email = ' foo@bar.com '
-    user = new_user(:email => email)
-
-    assert_equal email, user.email
-    user.save!
-    assert_equal email.strip, user.email
-  end
-
-  test 'find_for_authentication and filter_auth_params should not modify the conditions hash' do
-    FilterAuthUser = Class.new(User) do
-      def self.filter_auth_params(conditions)
-        if conditions.is_a?(Hash) && login = conditions.delete('login')
-          key = login.include?('@') ? :email : :username
-          conditions[key] = login
-        end
-        super(conditions)
-      end
-    end
-
-    conditions = { 'login' => 'foo@bar.com' }
-    FilterAuthUser.find_for_authentication(conditions)
-
-    assert_equal({ 'login' => 'foo@bar.com' }, conditions)
-  end
-  
-  test "filter_auth_params should not convert booleans and integer to strings" do
-    conditions = { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
-    conditions = User.__send__(:filter_auth_params, conditions)
-    assert_equal( { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => "1..10" }, conditions)
-  end
 
   test 'should respond to password and password confirmation' do
     user = new_user
@@ -103,7 +70,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       :password => 'pass321', :password_confirmation => 'pass321')
     assert user.reload.valid_password?('pass321')
   end
-  
+
   test 'should add an error to current password when it is invalid' do
     user = create_user
     assert_not user.update_with_password(:current_password => 'other',
@@ -120,15 +87,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "can't be blank", user.errors[:current_password].join
   end
 
-  test 'should run validations even when current password is invalid or blank' do
-    user = UserWithValidation.create!(valid_attributes)
-    user.save
-    assert user.persisted?
-    assert_not user.update_with_password(:username => "")
-    assert_match "usertest", user.reload.username
-    assert_match "can't be blank", user.errors[:username].join
-  end
-
   test 'should ignore password and its confirmation if they are blank' do
     user = create_user
     assert user.update_with_password(:current_password => '123456', :email => "new@example.com")
@@ -150,19 +108,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.password_confirmation.blank?
   end
 
-  test 'should update the user without password' do
-    user = create_user
-    user.update_without_password(:email => 'new@example.com')
-    assert_equal 'new@example.com', user.email
-  end
-
-  test 'should not update password without password' do
-    user = create_user
-    user.update_without_password(:password => 'pass321', :password_confirmation => 'pass321')
-    assert !user.reload.valid_password?('pass321')
-    assert user.valid_password?('123456')
-  end
-
   test 'downcase_keys with validation' do
     user = User.create(:email => "HEllO@example.com", :password => "123456")
     user = User.create(:email => "HEllO@example.com", :password => "123456")

test/models/encryptable_test.rb

@@ -31,7 +31,7 @@ class EncryptableTest < ActiveSupport::TestCase
 
   test 'should generate a base64 hash using SecureRandom for password salt' do
     swap_with_encryptor Admin, :sha1 do
-      SecureRandom.expects(:base64).with(15).returns('friendly_token')
+      ActiveSupport::SecureRandom.expects(:base64).with(15).returns('friendly_token')
       assert_equal 'friendly_token', create_admin.password_salt
     end
   end

test/models/recoverable_test.rb

@@ -198,13 +198,8 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should save the model when the reset_password_sent_at doesnt exist' do
     user = create_user
-    def user.respond_to?(meth, *)
-      if meth == :reset_password_sent_at=
-        false
-      else
-        super
-      end
-    end
+    user.stubs(:respond_to?).with(:reset_password_sent_at=).returns(false)
+    user.stubs(:respond_to?).with(:headers_for).returns(false)
     user.send_reset_password_instructions
     user.reload
     assert_not_nil user.reset_password_token
@@ -212,13 +207,7 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should have valid period if does not respond to reset_password_sent_at' do
     user = create_user
-    def user.respond_to?(meth, *)
-      if meth == :reset_password_sent_at
-        false
-      else
-        super
-      end
-    end
+    user.stubs(:respond_to?).with(:reset_password_sent_at).returns(false)
     assert user.reset_password_period_valid?
   end
 

test/models/rememberable_test.rb

@@ -15,14 +15,6 @@ module SharedRememberableTest
     resource.forget_me!
     assert resource.remember_created_at.nil?
   end
-  
-  test 'forget_me should not try to update resource if it has been destroyed' do
-    resource = create_resource
-    resource.destroy
-    resource.expects(:remember_created_at).never
-    resource.expects(:save).never
-    resource.forget_me!
-  end
 
   test 'remember is expired if not created at timestamp is set' do
     assert create_resource.remember_expired?

test/models/validatable_test.rb

@@ -8,7 +8,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'can\'t be blank', user.errors[:email].join
   end
 
-  test 'should require uniqueness of email if email has changed, allowing blank' do
+  test 'should require uniqueness of email, allowing blank' do
     existing_user = create_user
 
     user = new_user(:email => '')
@@ -18,24 +18,18 @@ class ValidatableTest < ActiveSupport::TestCase
     user.email = existing_user.email
     assert user.invalid?
     assert_match(/taken/, user.errors[:email].join)
-
-    user.save(:validate => false)
-    assert user.valid?
   end
 
-  test 'should require correct email format if email has changed, allowing blank' do
+  test 'should require correct email format, allowing blank' do
     user = new_user(:email => '')
     assert user.invalid?
     assert_not_equal 'is invalid', user.errors[:email].join
 
-    %w(invalid_email_format 123 $$$ \(\) ).each do |email|
+    %w(invalid_email_format email@invalid invalid$character@mail.com other@not 123).each do |email|
       user.email = email
       assert user.invalid?, 'should be invalid with email ' << email
       assert_equal 'is invalid', user.errors[:email].join
     end
-
-    user.save(:validate => false)
-    assert user.valid?
   end
 
   test 'should accept valid emails' do
@@ -91,19 +85,12 @@ class ValidatableTest < ActiveSupport::TestCase
     user = create_user.reload
     user.password = user.password_confirmation = nil
     assert user.valid?
-
+  
     user.password_confirmation = 'confirmation'
     assert user.invalid?
     assert_not (user.errors[:password].join =~ /is too long/)
   end
 
-  test 'should complain about length even if possword is not required' do
-    user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
-    user.stubs(:password_required?).returns(false)
-    assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
-  end
-
   test 'shuold not be included in objects with invalid API' do
     assert_raise RuntimeError do
       Class.new.send :include, Devise::Models::Validatable

test/models_test.rb

@@ -10,10 +10,6 @@ class WithValidation < Admin
   devise :database_authenticatable, :validatable, :password_length => 2..6
 end
 
-class UserWithValidation < User
-  validates_presence_of :username
-end
-
 class Several < Admin
   devise :validatable
   devise :lockable

test/omniauth/url_helpers_test.rb

@@ -35,10 +35,6 @@ class OmniAuthRoutesTest < ActionController::TestCase
     end
   end
 
-  test 'should generate authorization path for named open_id omniauth' do
-    assert_match "/users/auth/google", @controller.omniauth_authorize_path(:user, :google)
-  end
-
   test 'should generate authorization path with params' do
     assert_match "/users/auth/open_id?openid_url=http%3A%2F%2Fyahoo.com",
                   @controller.omniauth_authorize_path(:user, :open_id, :openid_url => "http://yahoo.com")

test/rails_app/app/controllers/home_controller.rb

@@ -5,15 +5,6 @@ class HomeController < ApplicationController
   def private
   end
 
-  def user_dashboard
-  end
-
-  def admin_dashboard
-  end
-
-  def join
-  end
-
   def set
     session["devise.foo_bar"] = "something"
     head :ok

test/rails_app/app/views/home/admin_dashboard.html.erb

@@ -1 +0,0 @@
-Admin dashboard

test/rails_app/app/views/home/join.html.erb

@@ -1 +0,0 @@
-Join

test/rails_app/app/views/home/user_dashboard.html.erb

@@ -1 +0,0 @@
-User dashboard

test/rails_app/config/initializers/devise.rb

@@ -35,11 +35,6 @@ Devise.setup do |config|
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
   config.case_insensitive_keys = [ :email ]
-  
-  # Configure which authentication keys should have whitespace stripped.
-  # These keys will have whitespace before and after removed upon creating or
-  # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
 
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
@@ -177,7 +172,6 @@ Devise.setup do |config|
   # ==> OmniAuth
   config.omniauth :facebook, 'APP_ID', 'APP_SECRET', :scope => 'email,offline_access'
   config.omniauth :open_id
-  config.omniauth :open_id, :name => 'google', :identifier => 'https://www.google.com/accounts/o8/id'
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or

test/rails_app/config/routes.rb

@@ -19,7 +19,7 @@ Rails.application.routes.draw do
   match "/sign_in", :to => "devise/sessions#new"
 
   # Admin scope
-  devise_for :admin, :path => "admin_area", :controllers => { :sessions => :"admins/sessions" }, :skip => :passwords
+  devise_for :admin, :path => "admin_area", :controllers => { :sessions => "admins/sessions" }, :skip => :passwords
 
   match "/admin_area/home", :to => "admins#index", :as => :admin_root
   match "/anywhere", :to => "foo#bar", :as => :new_admin_password
@@ -28,25 +28,6 @@ Rails.application.routes.draw do
     match "/private", :to => "home#private", :as => :private
   end
 
-  authenticated :admin do
-    match "/dashboard", :to => "home#admin_dashboard"
-  end
-
-  authenticated do
-    match "/dashboard", :to => "home#user_dashboard"
-  end
-
-  unauthenticated do
-    match "/join", :to => "home#join"
-  end
-
-  # Routes for constraints testing
-  devise_for :headquarters_admin, :class_name => "Admin", :path => "headquarters", :constraints => {:host => /192\.168\.1\.\d\d\d/}
-  
-  constraints(:host => /192\.168\.1\.\d\d\d/) do
-    devise_for :homebase_admin, :class_name => "Admin", :path => "homebase"
-  end
-  
   # Other routes for routing_test.rb
   devise_for :reader, :class_name => "User", :only => :passwords
 

test/routes_test.rb

@@ -96,11 +96,6 @@ class DefaultRoutingTest < ActionController::TestCase
     assert_recognizes({:controller => 'users/omniauth_callbacks', :action => 'facebook'}, {:path => 'users/auth/facebook/callback', :method => :post})
     assert_named_route "/users/auth/facebook/callback", :user_omniauth_callback_path, :facebook
 
-    # named open_id
-    assert_recognizes({:controller => 'users/omniauth_callbacks', :action => 'google'}, {:path => 'users/auth/google/callback', :method => :get})
-    assert_recognizes({:controller => 'users/omniauth_callbacks', :action => 'google'}, {:path => 'users/auth/google/callback', :method => :post})
-    assert_named_route "/users/auth/google/callback", :user_omniauth_callback_path, :google
-
     assert_raise ActionController::RoutingError do
       assert_recognizes({:controller => 'ysers/omniauth_callbacks', :action => 'twitter'}, {:path => 'users/auth/twitter/callback', :method => :get})
     end
@@ -176,20 +171,6 @@ class CustomizedRoutingTest < ActionController::TestCase
       assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :get})
     end
   end
-  
-  test 'map with constraints defined in hash' do
-    assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://192.168.1.100/headquarters/sign_up', :method => :get})
-    assert_raise ActionController::RoutingError do
-      assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://10.0.0.100/headquarters/sign_up', :method => :get})
-    end
-  end
-  
-  test 'map with constraints defined in block' do
-    assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://192.168.1.100/homebase/sign_up', :method => :get})
-    assert_raise ActionController::RoutingError do
-      assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://10.0.0.100//homebase/sign_up', :method => :get})
-    end
-  end
 end
 
 class ScopedRoutingTest < ActionController::TestCase