Release v1.4.8.

Typo

.gitignore

@@ -7,4 +7,6 @@ coverage/*
 rdoc/*
 pkg
 log
-test/tmp/*
+test/tmp/*
+Gemfile.lock
+

.travis.yml

@@ -3,5 +3,10 @@ rvm:
   - 1.8.7
   - 1.9.2
   - ree
+  - rbx
+  - rbx-2.0
   - jruby
-  - rubinius
+notifications:
+  recipients:
+    - jose.valim@plataformatec.com.br
+    - carlos@plataformatec.com.br

CHANGELOG.rdoc

@@ -1,7 +1,56 @@
+== 1.4.8
+
+* enhancements
+  * Add docs for assets pipeline and Heroku
+
+* bug fix
+  * confirmation_url was not being set under some circumstances
+
+== 1.4.7
+
+* bug fix
+  * Fix backward incompatible change from 1.4.6 for those using custom controllers
+
+== 1.4.6
+
+* enhancements
+  * Allow devise_for :skip => :all
+  * Allow options to be passed to authenticate_user!
+  * Allow --skip-routes to devise generator
+  * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
+
+== 1.4.5
+
+* bug fix
+  * Failure app tries the root path if a session one does not exist
+  * No need to finalize Devise helpers all the time (by github.com/bradleypriest)
+  * Reset password shows proper message if user is not active
+  * `clean_up_passwords` sets the accessors to nil to skip validations
+
+== 1.4.4
+
+* bug fix
+  * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually
+
+== 1.4.3
+
+* enhancements
+  * Improve Rails 3.1 compatibility
+  * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility
+
+* bug fix
+  * Generator properly generates a change_table migration if a model already exists
+  * Properly deprecate setup_mail
+  * Fix encoding issues with email regexp
+  * Only generate helpers for the used mappings
+  * Wrap :action constraints in the proper hash
+
+* deprecations
+  * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation
+
 == 1.4.2
 
 * bug fix
-  * Improve Rails 3.1 compatibility
   * Provide a more robust behavior to serializers and add :force_except option
 
 == 1.4.1

Gemfile

@@ -2,17 +2,21 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.0.7"
+gem "rails", "~> 3.1.0"
 gem "oa-oauth", '~> 0.2.0', :require => "omniauth/oauth"
 gem "oa-openid", '~> 0.2.0', :require => "omniauth/openid"
 
+gem "rdoc"
+
 group :test do
   gem "webrat", "0.7.2", :require => false
   gem "mocha", :require => false
 end
 
 platforms :jruby do
+  gem 'activerecord-jdbc-adapter', :git => 'https://github.com/nicksieger/activerecord-jdbc-adapter.git'
   gem 'activerecord-jdbcsqlite3-adapter'
+  gem 'jruby-openssl'
 end
 
 platforms :mri_18 do
@@ -26,7 +30,7 @@ platforms :ruby do
 
   group :mongoid do
     gem "mongo", "~> 1.3.0"
-    gem "mongoid", "2.0.1"
+    gem "mongoid", "~> 2.0"
     gem "bson_ext", "~> 1.3.0"
   end
 end

Gemfile.lock

@@ -1,158 +0,0 @@
-PATH
-  remote: .
-  specs:
-    devise (1.4.1)
-      bcrypt-ruby (~> 2.1.2)
-      orm_adapter (~> 0.0.3)
-      warden (~> 1.0.3)
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    abstract (1.0.0)
-    actionmailer (3.0.7)
-      actionpack (= 3.0.7)
-      mail (~> 2.2.15)
-    actionpack (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-      builder (~> 2.1.2)
-      erubis (~> 2.6.6)
-      i18n (~> 0.5.0)
-      rack (~> 1.2.1)
-      rack-mount (~> 0.6.14)
-      rack-test (~> 0.5.7)
-      tzinfo (~> 0.3.23)
-    activemodel (3.0.7)
-      activesupport (= 3.0.7)
-      builder (~> 2.1.2)
-      i18n (~> 0.5.0)
-    activerecord (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-      arel (~> 2.0.2)
-      tzinfo (~> 0.3.23)
-    activerecord-jdbc-adapter (1.1.1)
-    activerecord-jdbcsqlite3-adapter (1.1.1)
-      activerecord-jdbc-adapter (= 1.1.1)
-      jdbc-sqlite3 (~> 3.6.0)
-    activeresource (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-    activesupport (3.0.7)
-    addressable (2.2.4)
-    arel (2.0.9)
-    bcrypt-ruby (2.1.4)
-    bson (1.3.0)
-    bson_ext (1.3.0)
-    builder (2.1.2)
-    columnize (0.3.2)
-    erubis (2.6.6)
-      abstract (>= 1.0.0)
-    faraday (0.5.7)
-      addressable (~> 2.2.4)
-      multipart-post (~> 1.1.0)
-      rack (>= 1.1.0, < 2)
-    i18n (0.5.0)
-    jdbc-sqlite3 (3.6.14.2.056-java)
-    linecache (0.43)
-    mail (2.2.19)
-      activesupport (>= 2.3.6)
-      i18n (>= 0.4.0)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mime-types (1.16)
-    mocha (0.9.12)
-    mongo (1.3.0)
-      bson (>= 1.3.0)
-    mongoid (2.0.1)
-      activemodel (~> 3.0)
-      mongo (~> 1.3)
-      tzinfo (~> 0.3.22)
-      will_paginate (~> 3.0.pre)
-    multi_json (0.0.5)
-    multipart-post (1.1.0)
-    nokogiri (1.4.3.1)
-    nokogiri (1.4.3.1-java)
-      weakling (>= 0.0.3)
-    oa-core (0.2.0)
-      rack (~> 1.1)
-    oa-oauth (0.2.0)
-      multi_json (~> 0.0.2)
-      nokogiri (~> 1.4.2)
-      oa-core (= 0.2.0)
-      oauth (~> 0.4.0)
-      oauth2 (~> 0.1.1)
-    oa-openid (0.2.0)
-      oa-core (= 0.2.0)
-      rack-openid (~> 1.2.0)
-      ruby-openid-apps-discovery
-    oauth (0.4.4)
-    oauth2 (0.1.1)
-      faraday (~> 0.5.0)
-      multi_json (~> 0.0.4)
-    orm_adapter (0.0.5)
-    polyglot (0.3.1)
-    rack (1.2.2)
-    rack-mount (0.6.14)
-      rack (>= 1.0.0)
-    rack-openid (1.2.0)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-test (0.5.7)
-      rack (>= 1.0)
-    rails (3.0.7)
-      actionmailer (= 3.0.7)
-      actionpack (= 3.0.7)
-      activerecord (= 3.0.7)
-      activeresource (= 3.0.7)
-      activesupport (= 3.0.7)
-      bundler (~> 1.0)
-      railties (= 3.0.7)
-    railties (3.0.7)
-      actionpack (= 3.0.7)
-      activesupport (= 3.0.7)
-      rake (>= 0.8.7)
-      thor (~> 0.14.4)
-    rake (0.8.7)
-    ruby-debug (0.10.4)
-      columnize (>= 0.1)
-      ruby-debug-base (~> 0.10.4.0)
-    ruby-debug-base (0.10.4)
-      linecache (>= 0.3)
-    ruby-openid (2.1.8)
-    ruby-openid-apps-discovery (1.2.0)
-      ruby-openid (>= 2.1.7)
-    sqlite3 (1.3.3)
-    sqlite3-ruby (1.3.3)
-      sqlite3 (>= 1.3.3)
-    thor (0.14.6)
-    treetop (1.4.9)
-      polyglot (>= 0.3.1)
-    tzinfo (0.3.27)
-    warden (1.0.4)
-      rack (>= 1.0)
-    weakling (0.0.4-java)
-    webrat (0.7.2)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-    will_paginate (3.0.pre2)
-
-PLATFORMS
-  java
-  ruby
-
-DEPENDENCIES
-  activerecord-jdbcsqlite3-adapter
-  bson_ext (~> 1.3.0)
-  devise!
-  mocha
-  mongo (~> 1.3.0)
-  mongoid (= 2.0.1)
-  oa-oauth (~> 0.2.0)
-  oa-openid (~> 0.2.0)
-  rails (~> 3.0.7)
-  ruby-debug (>= 0.10.3)
-  sqlite3-ruby
-  webrat (= 0.7.2)

README.rdoc

@@ -7,7 +7,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-It's composed of 12 modules:
+It's comprised of 12 modules:
 
 * Database Authenticatable: encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
 * Token Authenticatable: signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
@@ -97,7 +97,7 @@ If you are building your first Rails application, we recommend you to *not* use
 * Michael Hartl's online book: http://railstutorial.org/chapters/modeling-and-viewing-users-two#top
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
 
-Once you have solidified you understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
+Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
 
 == Getting started
 

Rakefile

@@ -1,7 +1,7 @@
 # encoding: UTF-8
 
 require 'rake/testtask'
-require 'rake/rdoctask'
+require 'rdoc/task'
 
 desc 'Default: run tests for all ORMs.'
 task :default => :test

app/controllers/devise/confirmations_controller.rb

@@ -26,7 +26,7 @@ class Devise::ConfirmationsController < ApplicationController
     if resource.errors.empty?
       set_flash_message(:notice, :confirmed) if is_navigational_format?
       sign_in(resource_name, resource)
-      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
+      respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end
@@ -38,4 +38,10 @@ class Devise::ConfirmationsController < ApplicationController
     def after_resending_confirmation_instructions_path_for(resource_name)
       new_session_path(resource_name)
     end
+
+    # The path used after confirmation.
+    def after_confirmation_path_for(resource_name, resource)
+      redirect_location(resource_name, resource)
+    end
+
 end

app/controllers/devise/passwords_controller.rb

@@ -32,7 +32,8 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message(:notice, :updated) if is_navigational_format?
+      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
+      set_flash_message(:notice, flash_message) if is_navigational_format?
       sign_in(resource_name, resource)
       respond_with resource, :location => redirect_location(resource_name, resource)
     else

app/controllers/devise/registrations_controller.rb

@@ -19,7 +19,7 @@ class Devise::RegistrationsController < ApplicationController
         sign_in(resource_name, resource)
         respond_with resource, :location => redirect_location(resource_name, resource)
       else
-        set_flash_message :notice, :inactive_signed_up, :reason => resource.inactive_message.to_s if is_navigational_format?
+        set_flash_message :notice, :inactive_signed_up, :reason => inactive_reason(resource) if is_navigational_format?
         expire_session_data_after_sign_in!
         respond_with resource, :location => after_inactive_sign_up_path_for(resource)
       end
@@ -84,10 +84,16 @@ class Devise::RegistrationsController < ApplicationController
     end
 
     # Overwrite redirect_for_sign_in so it takes uses after_sign_up_path_for.
-    def redirect_location(scope, resource) #:nodoc:
+    def redirect_location(scope, resource)
       stored_location_for(scope) || after_sign_up_path_for(resource)
     end
 
+    # Returns the inactive reason translated.
+    def inactive_reason(resource)
+      reason = resource.inactive_message.to_s
+      I18n.t("devise.registrations.reasons.#{reason}", :default => reason)
+    end
+
     # The path used after sign up for inactive accounts. You need to overwrite
     # this method in your own RegistrationsController.
     def after_inactive_sign_up_path_for(resource)
@@ -108,7 +114,7 @@ class Devise::RegistrationsController < ApplicationController
 
     # Authenticates the current scope and gets the current resource from the session.
     def authenticate_scope!
-      send(:"authenticate_#{resource_name}!", true)
+      send(:"authenticate_#{resource_name}!", :force => true)
       self.resource = send(:"current_#{resource_name}")
     end
 end

app/controllers/devise/sessions_controller.rb

@@ -1,5 +1,6 @@
 class Devise::SessionsController < ApplicationController
   prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :allow_params_authentication!, :only => :create
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/sign_in
@@ -38,8 +39,10 @@ class Devise::SessionsController < ApplicationController
   protected
 
   def stub_options(resource)
-    array = resource_class.authentication_keys.dup
-    array << :password if resource.respond_to?(:password)
-    { :methods => array, :only => [:password] }
+    methods = resource_class.authentication_keys.dup
+    methods = methods.keys if methods.is_a?(Hash)
+    methods << :password if resource.respond_to?(:password)
+    { :methods => methods, :only => [:password] }
   end
-end
+end
+

app/views/devise/confirmations/new.html.erb

@@ -3,10 +3,10 @@
 <%= form_for(resource, :as => resource_name, :url => confirmation_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.submit "Resend confirmation instructions" %></p>
+  <div><%= f.submit "Resend confirmation instructions" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/passwords/edit.html.erb

@@ -4,13 +4,13 @@
   <%= devise_error_messages! %>
   <%= f.hidden_field :reset_password_token %>
 
-  <p><%= f.label :password, "New password" %><br />
-  <%= f.password_field :password %></p>
+  <div><%= f.label :password, "New password" %><br />
+  <%= f.password_field :password %></div>
 
-  <p><%= f.label :password_confirmation, "Confirm new password" %><br />
-  <%= f.password_field :password_confirmation %></p>
+  <div><%= f.label :password_confirmation, "Confirm new password" %><br />
+  <%= f.password_field :password_confirmation %></div>
 
-  <p><%= f.submit "Change my password" %></p>
+  <div><%= f.submit "Change my password" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/passwords/new.html.erb

@@ -3,10 +3,10 @@
 <%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.submit "Send me reset password instructions" %></p>
+  <div><%= f.submit "Send me reset password instructions" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/registrations/edit.html.erb

@@ -3,19 +3,19 @@
 <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name), :html => { :method => :put }) do |f| %>
   <%= devise_error_messages! %>
 
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
-  <%= f.password_field :password %></p>
+  <div><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
+  <%= f.password_field :password %></div>
 
-  <p><%= f.label :password_confirmation %><br />
-  <%= f.password_field :password_confirmation %></p>
+  <div><%= f.label :password_confirmation %><br />
+  <%= f.password_field :password_confirmation %></div>
 
-  <p><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
-  <%= f.password_field :current_password %></p>
+  <div><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
+  <%= f.password_field :current_password %></div>
 
-  <p><%= f.submit "Update" %></p>
+  <div><%= f.submit "Update" %></div>
 <% end %>
 
 <h3>Cancel my account</h3>

app/views/devise/registrations/new.html.erb

@@ -3,16 +3,16 @@
 <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
   <%= devise_error_messages! %>
 
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.label :password %><br />
-  <%= f.password_field :password %></p>
+  <div><%= f.label :password %><br />
+  <%= f.password_field :password %></div>
 
-  <p><%= f.label :password_confirmation %><br />
-  <%= f.password_field :password_confirmation %></p>
+  <div><%= f.label :password_confirmation %><br />
+  <%= f.password_field :password_confirmation %></div>
 
-  <p><%= f.submit "Sign up" %></p>
+  <div><%= f.submit "Sign up" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/sessions/new.html.erb

@@ -1,17 +1,17 @@
 <h2>Sign in</h2>
 
 <%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.label :password %><br />
-  <%= f.password_field :password %></p>
+  <div><%= f.label :password %><br />
+  <%= f.password_field :password %></div>
 
   <% if devise_mapping.rememberable? -%>
-    <p><%= f.check_box :remember_me %> <%= f.label :remember_me %></p>
+    <div><%= f.check_box :remember_me %> <%= f.label :remember_me %></div>
   <% end -%>
 
-  <p><%= f.submit "Sign in" %></p>
+  <div><%= f.submit "Sign in" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/unlocks/new.html.erb

@@ -3,10 +3,10 @@
 <%= form_for(resource, :as => resource_name, :url => unlock_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <p><%= f.label :email %><br />
-  <%= f.email_field :email %></p>
+  <div><%= f.label :email %><br />
+  <%= f.email_field :email %></div>
 
-  <p><%= f.submit "Resend unlock instructions" %></p>
+  <div><%= f.submit "Resend unlock instructions" %></div>
 <% end %>
 
 <%= render :partial => "devise/shared/links" %>

config/locales/en.yml

@@ -27,6 +27,7 @@ en:
     passwords:
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
+      updated_not_active: 'Your password was changed successfully.'
       send_paranoid_instructions: "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
     confirmations:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
@@ -37,6 +38,10 @@ en:
       inactive_signed_up: 'You have signed up successfully. However, we could not sign you in because your account is %{reason}.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
+      reasons:
+        inactive: 'inactive'
+        unconfirmed: 'unconfirmed'
+        locked: 'locked'
     unlocks:
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account was successfully unlocked. You are now signed in.'

devise.gemspec

@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
 
   s.add_dependency("warden", "~> 1.0.3")
   s.add_dependency("orm_adapter", "~> 0.0.3")
-  s.add_dependency("bcrypt-ruby", "~> 2.1.2")
+  s.add_dependency("bcrypt-ruby", "~> 3.0")
 end

lib/devise.rb

@@ -11,7 +11,6 @@ module Devise
   autoload :PathChecker, 'devise/path_checker'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
-  autoload :Email, 'devise/email'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'
@@ -105,11 +104,11 @@ module Devise
   mattr_accessor :http_authentication_realm
   @@http_authentication_realm = "Application"
 
-  # Email regex used to validate email formats. Based on RFC 822 and
-  # retrieved from Sixarm email validation gem
-  # (https://github.com/SixArm/sixarm_ruby_email_address_validation).
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
   mattr_accessor :email_regexp
-  @@email_regexp = Devise::Email::EXACT_PATTERN
+  @@email_regexp = /\A[^@]+@([^@\.]+\.)+[^@\.]+\z/
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -383,13 +382,10 @@ module Devise
 
   # Include helpers in the given scope to AC and AV.
   def self.include_helpers(scope)
+    Rails.application.routes.url_helpers.send :include, scope::UrlHelpers
+
     ActiveSupport.on_load(:action_controller) do
       include scope::Helpers if defined?(scope::Helpers)
-      include scope::UrlHelpers
-    end
-
-    ActiveSupport.on_load(:action_view) do
-      include scope::UrlHelpers
     end
   end
 
@@ -398,6 +394,12 @@ module Devise
     Rails::VERSION::STRING[0,3] != "3.0"
   end
 
+  # Regenerates url helpers considering Devise.mapping
+  def self.regenerate_helpers!
+    Devise::Controllers::UrlHelpers.remove_helpers!
+    Devise::Controllers::UrlHelpers.generate_helpers!
+  end
+
   # A method used internally to setup warden manager from the Rails initialize
   # block.
   def self.configure_warden! #:nodoc:
@@ -417,7 +419,7 @@ module Devise
 
   # Generate a friendly string randomically to be used as token.
   def self.friendly_token
-    SecureRandom.base64(15).tr('+/=', 'xyz')
+    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
   end
 
   # constant-time comparison algorithm to prevent timing attacks

lib/devise/controllers/helpers.rb

@@ -36,8 +36,14 @@ module Devise
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
-          def authenticate_#{mapping}!(force = false)
-            warden.authenticate!(:scope => :#{mapping}) if !devise_controller? || force
+          def authenticate_#{mapping}!(opts={})
+            if !opts.is_a?(Hash)
+              opts = { :force => opts }
+              ActiveSupport::Deprecation.warn "Passing a boolean to authenticate_#{mapping}! " \
+                "is deprecated, please use :force => \#{opts[:force]} instead", caller
+            end
+            opts[:scope] = :#{mapping}
+            warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
           end
 
           def #{mapping}_signed_in?
@@ -72,6 +78,11 @@ module Devise
         false
       end
 
+      # Tell warden that params authentication is allowed for that specific page.
+      def allow_params_authentication!
+        request.env["devise.allow_params_authentication"] = true
+      end
+
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)
@@ -106,6 +117,7 @@ module Devise
           warden.session_serializer.store(resource, scope)
         elsif warden.user(scope) == resource && !options.delete(:force)
           # Do nothing. User already signed in and we are not forcing it.
+          true
         else
           warden.set_user(resource, options.merge!(:scope => scope))
         end

lib/devise/controllers/url_helpers.rb

@@ -18,22 +18,37 @@ module Devise
     #
     # Those helpers are added to your ApplicationController.
     module UrlHelpers
+      def self.remove_helpers!
+        self.instance_methods.map(&:to_s).grep(/_(url|path)$/).each do |method|
+          remove_method method
+        end
+      end
 
-      Devise::URL_HELPERS.each do |module_name, actions|
-        [:path, :url].each do |path_or_url|
-          actions.each do |action|
-            action = action ? "#{action}_" : ""
+      def self.generate_helpers!(routes=nil)
+        routes ||= begin
+          mappings = Devise.mappings.values.map(&:used_helpers).flatten.uniq
+          Devise::URL_HELPERS.slice(*mappings)
+        end
 
-            class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-              def #{action}#{module_name}_#{path_or_url}(resource_or_scope, *args)
-                scope = Devise::Mapping.find_scope!(resource_or_scope)
-                send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
-              end
-            URL_HELPERS
+        routes.each do |module_name, actions|
+          [:path, :url].each do |path_or_url|
+            actions.each do |action|
+              action = action ? "#{action}_" : ""
+              method = "#{action}#{module_name}_#{path_or_url}"
+
+              class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
+                def #{method}(resource_or_scope, *args)
+                  scope = Devise::Mapping.find_scope!(resource_or_scope)
+                  send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
+                end
+                protected :#{method}
+              URL_HELPERS
+            end
           end
         end
       end
 
+      generate_helpers!(Devise::URL_HELPERS)
     end
   end
 end

lib/devise/email.rb

@@ -1,23 +0,0 @@
-# This e-mail validation regexes were retrieved from SixArm Ruby
-# e-mail validation gem (https://github.com/SixArm/sixarm_ruby_email_address_validation)
-# As said on https://github.com/SixArm/sixarm_ruby_email_address_validation/blob/master/LICENSE.txt,
-# we added it using Ruby license terms.
-
-module Devise
-  module Email
-    QTEXT           = Regexp.new '[^\\x0d\\x22\\x5c\\x80-\\xff]', nil, 'n'
-    DTEXT           = Regexp.new '[^\\x0d\\x5b-\\x5d\\x80-\\xff]', nil, 'n'
-    ATOM            = Regexp.new '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+', nil, 'n'
-    QUOTED_PAIR     = Regexp.new '\\x5c[\\x00-\\x7f]', nil, 'n'
-    DOMAIN_LITERAL  = Regexp.new "\\x5b(?:#{DTEXT}|#{QUOTED_PAIR})*\\x5d", nil, 'n'
-    QUOTED_STRING   = Regexp.new "\\x22(?:#{QTEXT}|#{QUOTED_PAIR})*\\x22", nil, 'n'
-    DOMAIN_REF      = ATOM
-    SUB_DOMAIN      = "(?:#{DOMAIN_REF}|#{DOMAIN_LITERAL})"
-    WORD            = "(?:#{ATOM}|#{QUOTED_STRING})"
-    DOMAIN          = "#{SUB_DOMAIN}(?:\\x2e#{SUB_DOMAIN})*"
-    LOCAL_PART      = "#{WORD}(?:\\x2e#{WORD})*"
-    SPEC            = "#{LOCAL_PART}\\x40#{DOMAIN}"
-    PATTERN         = Regexp.new "#{SPEC}", nil, 'n'
-    EXACT_PATTERN   = Regexp.new "\\A#{SPEC}\\z", nil, 'n'
-  end
-end

lib/devise/failure_app.rb

@@ -65,10 +65,14 @@ module Devise
     end
 
     def redirect_url
-      if skip_format?
-        send(:"new_#{scope}_session_path")
+      opts  = {}
+      route = :"new_#{scope}_session_path"
+      opts[:format] = request_format unless skip_format?
+
+      if respond_to?(route)
+        send(route, opts)
       else
-        send(:"new_#{scope}_session_path", :format => request_format)
+        root_path(opts)
       end
     end
 

lib/devise/hooks/timeoutable.rb

@@ -1,7 +1,7 @@
 # Each time a record is set we check whether its session has already timed out
 # or not, based on last request time. If so, the record is logged out and
 # redirected to the sign in page. Also, each time the request comes and the
-# record is set, we set the last request time inside it's scoped session to
+# record is set, we set the last request time inside its scoped session to
 # verify timeout in the following request.
 Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]

lib/devise/mailers/helpers.rb

@@ -10,6 +10,11 @@ module Devise
 
       protected
 
+      def setup_mail(*args)
+        ActiveSupport::Deprecation.warn "setup_mail is deprecated, please use devise_mail instead", caller
+        devise_mail(*args)
+      end
+
       # Configure default email options
       def devise_mail(record, action)
         initialize_from_record(record)
@@ -45,7 +50,9 @@ module Devise
       end
 
       def mailer_sender(mapping)
-        if Devise.mailer_sender.is_a?(Proc)
+        if default_params[:from].present?
+          default_params[:from]
+        elsif Devise.mailer_sender.is_a?(Proc)
           Devise.mailer_sender.call(mapping.name)
         else
           Devise.mailer_sender
@@ -81,4 +88,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/mapping.rb

@@ -22,7 +22,8 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :singular, :scoped_path, :path, :controllers, :path_names, :class_name, :sign_out_via, :format
+    attr_reader :singular, :scoped_path, :path, :controllers, :path_names,
+                :class_name, :sign_out_via, :format, :used_routes, :used_helpers
     alias :name :singular
 
     # Receives an object and find a scope for it. If a scope cannot be found,
@@ -72,6 +73,24 @@ module Devise
 
       @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
       @format = options[:format]
+
+      singularizer = lambda { |s| s.to_s.singularize.to_sym }
+
+      if options.has_key?(:only)
+        @used_routes = self.routes & Array(options[:only]).map(&singularizer)
+      elsif options[:skip] == :all
+        @used_routes = []
+      else
+        @used_routes = self.routes - Array(options[:skip]).map(&singularizer)
+      end
+
+      if options[:skip_helpers] == true
+        @used_helpers = @used_routes
+      elsif skip = options[:skip_helpers]
+        @used_helpers = self.routes - Array(skip).map(&singularizer)
+      else
+        @used_helpers = self.routes
+      end
     end
 
     # Return modules for the mapping.

lib/devise/models/authenticatable.rb

@@ -82,6 +82,15 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 
+        def serialize_into_session(record)
+          [record.to_key, record.authenticatable_salt]
+        end
+
+        def serialize_from_session(key, salt)
+          record = to_adapter.get(key)
+          record if record && record.authenticatable_salt == salt
+        end
+
         def params_authenticatable?(strategy)
           params_authenticatable.is_a?(Array) ?
             params_authenticatable.include?(strategy) : params_authenticatable

lib/devise/models/confirmable.rb

@@ -29,7 +29,7 @@ module Devise
         after_create  :send_confirmation_instructions, :if => :confirmation_required?
       end
 
-      # Confirm a user by setting it's confirmed_at to actual time. If the user
+      # Confirm a user by setting its confirmed_at to actual time. If the user
       # is already confirmed, add en error to email field
       def confirm!
         unless_confirmed do
@@ -127,8 +127,13 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
+
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user email
@@ -138,7 +143,7 @@ module Devise
           confirmable
         end
 
-        # Find a user by it's confirmation token and try to confirm it.
+        # Find a user by its confirmation token and try to confirm it.
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token

lib/devise/models/database_authenticatable.rb

@@ -10,6 +10,9 @@ module Devise
     #
     # DatabaseAuthenticable adds the following options to devise_for:
     #
+    #   * +pepper+: a random string used to provide a more secure hash. Use
+    #     `rake secret` to generate new keys.
+    #
     #   * +stretches+: the cost given to bcrypt.
     #
     # == Examples
@@ -42,7 +45,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        self.password = self.password_confirmation = ""
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise returns

lib/devise/models/lockable.rb

@@ -3,13 +3,13 @@ module Devise
     # Handles blocking a user access after a certain number of attempts.
     # Lockable accepts two different strategies to unlock a user after it's
     # blocked: email and time. The former will send an email to the user when
-    # the lock happens, containing a link to unlock it's account. The second
+    # the lock happens, containing a link to unlock its account. The second
     # will unlock the user automatically after some configured time (ie 2.hours).
     # It's also possible to setup lockable to use both email and time strategies.
     #
     # == Options
     #
-    # Lockable adds the following options to devise_for:
+    # Lockable adds the following options to +devise+:
     #
     #   * +maximum_attempts+: how many attempts should be accepted before blocking the user.
     #   * +lock_strategy+: lock the user account by :failed_attempts or :none.
@@ -22,7 +22,7 @@ module Devise
 
       delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
 
-      # Lock a user setting it's locked_at to actual time.
+      # Lock a user setting its locked_at to actual time.
       def lock_access!
         self.locked_at = Time.now
 
@@ -132,7 +132,7 @@ module Devise
         end
 
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Options must contain the user email
@@ -142,7 +142,7 @@ module Devise
          lockable
         end
 
-        # Find a user by it's unlock token and try to unlock it.
+        # Find a user by its unlock token and try to unlock it.
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token

lib/devise/models/recoverable.rb

@@ -29,7 +29,11 @@ module Devise
       def reset_password!(new_password, new_password_confirmation)
         self.password = new_password
         self.password_confirmation = new_password_confirmation
-        clear_reset_password_token if valid?
+        if valid?
+          clear_reset_password_token
+          after_password_reset
+        end
+
         save
       end
 
@@ -89,8 +93,11 @@ module Devise
           self.reset_password_sent_at = nil if respond_to?(:reset_password_sent_at=)
         end
 
+        def after_password_reset
+        end
+
       module ClassMethods
-        # Attempt to find a user by it's email. If a record is found, send new
+        # Attempt to find a user by its email. If a record is found, send new
         # password instructions to it. If not user is found, returns a new user
         # with an email not found error.
         # Attributes must contain the user email
@@ -105,7 +112,7 @@ module Devise
           generate_token(:reset_password_token)
         end
 
-        # Attempt to find a user by it's reset_password_token to reset its
+        # Attempt to find a user by its reset_password_token to reset its
         # password. If a user is found and token is still valid, reset its password and automatically
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.

lib/devise/models/trackable.rb

@@ -5,10 +5,10 @@ module Devise
     # Track information about your user sign in. It tracks the following columns:
     #
     # * sign_in_count      - Increased every time a sign in is made (by form, openid, oauth)
-    # * current_sign_in_at - A tiemstamp updated when the user signs in
+    # * current_sign_in_at - A timestamp updated when the user signs in
     # * last_sign_in_at    - Holds the timestamp of the previous sign in
     # * current_sign_in_ip - The remote ip updated when the user sign in
-    # * last_sign_in_at    - Holds the remote ip of the previous sign in
+    # * last_sign_in_ip    - Holds the remote ip of the previous sign in
     #
     module Trackable
       def update_tracked_fields!(request)

lib/devise/models/validatable.rb

@@ -2,7 +2,7 @@ module Devise
   module Models
     # Validatable creates all needed validations for a user email and password.
     # It's optional, given you may want to create the validations by yourself.
-    # Automatically validate if the email is present, unique and it's format is
+    # Automatically validate if the email is present, unique and its format is
     # valid. Also tests presence of password, confirmation and length.
     #
     # == Options

lib/devise/omniauth/url_helpers.rb

@@ -3,9 +3,10 @@ module Devise
     module UrlHelpers
       def self.define_helpers(mapping)
         return unless mapping.omniauthable?
+        method = "#{mapping.name}_omniauth_authorize_path"
 
         class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-          def #{mapping.name}_omniauth_authorize_path(provider, params = {})
+          def #{method}(provider, params = {})
             if Devise.omniauth_configs[provider.to_sym]
               script_name = request.env["SCRIPT_NAME"]
 
@@ -16,9 +17,12 @@ module Devise
               raise ArgumentError, "Could not find omniauth provider \#{provider.inspect}"
             end
           end
+          protected :#{method}
         URL_HELPERS
       end
 
+      protected
+
       def omniauth_authorize_path(resource_or_scope, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_omniauth_authorize_path", *args)

lib/devise/rails.rb

@@ -39,5 +39,18 @@ module Devise
         Devise.include_helpers(Devise::OmniAuth)
       end
     end
+
+    initializer "devise.mongoid_version_warning" do
+      if defined?(Mongoid)
+        require 'mongoid/version'
+        if Mongoid::VERSION.to_f < 2.1
+          puts "\n[DEVISE] Please note that Mongoid versions prior to 2.1 handle dirty model " \
+            "object attributes in such a way that the Devise `validatable` module will not apply " \
+            "its usual uniqueness and format validations for the email field. It is recommended " \
+            "that you upgrade to Mongoid 2.1+ for this and other fixes, but if for some reason you " \
+            "are unable to do so, you should add these validations manually.\n"
+        end
+      end
+    end
   end
 end

lib/devise/rails/routes.rb

@@ -4,7 +4,12 @@ module ActionDispatch::Routing
     # need devise_for mappings already declared to create filters and helpers.
     def finalize_with_devise!
       finalize_without_devise!
-      Devise.configure_warden!
+
+      @devise_finalized ||= begin
+        Devise.configure_warden!
+        Devise.regenerate_helpers!
+        true
+      end
     end
     alias_method_chain :finalize!, :devise
   end
@@ -93,7 +98,7 @@ module ActionDispatch::Routing
     #
     #    Also pay attention that when you use a namespace it will affect all the helpers and methods for controllers
     #    and views. For example, using the above setup you'll end with following methods:
-    #    current_publisher_account, authenticate_publisher_account!, pusblisher_account_signed_in, etc.
+    #    current_publisher_account, authenticate_publisher_account!, publisher_account_signed_in, etc.
     #
     #  * :skip => tell which controller you want to skip routes from being created:
     #
@@ -103,6 +108,14 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, :only => :sessions
     #
+    #  * :skip_helpers => skip generating Devise url helpers like new_session_path(@user).
+    #    This is useful to avoid conflicts with previous routes and is false by default.
+    #    It accepts true as option, meaning it will skip all the helpers for the controllers
+    #    given in :skip but it also accepts specific helpers to be skipped:
+    #
+    #      devise_for :users, :skip => [:registrations, :confirmations], :skip_helpers => true
+    #      devise_for :users, :skip_helpers => [:registrations, :confirmations]
+    #
     #  * :format => include "(.:format)" in the generated routes? true by default, set to false to disable:
     #
     #      devise_for :users, :format => false
@@ -160,6 +173,7 @@ module ActionDispatch::Routing
     #     end
     #
     def devise_for(*resources)
+      @devise_finalized = false
       options = resources.extract_options!
 
       options[:as]          ||= @scope[:as]     if @scope[:as].present?
@@ -168,7 +182,6 @@ module ActionDispatch::Routing
       options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
       options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
       options[:defaults]      = (@scope[:defaults] || {}).merge(options[:defaults] || {})
-
       @scope[:options]        = (@scope[:options] || {}).merge({:format => false}) if options[:format] == false
 
       resources.map!(&:to_sym)
@@ -188,11 +201,7 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name)
         end
 
-        routes  = mapping.routes
-        if options.has_key?(:only)
-          routes  = Array(options.delete(:only)).map { |s| s.to_s.singularize.to_sym } & mapping.routes
-        end
-        routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
+        routes  = mapping.used_routes
 
         devise_scope mapping.name do
           yield if block_given?
@@ -205,11 +214,15 @@ module ActionDispatch::Routing
 
     # Allow you to add authentication request from the router:
     #
-    #   authenticate(:user) do
+    #   authenticate do
     #     resources :post
     #   end
     #
-    def authenticate(scope)
+    #   authenticate(:admin) do
+    #     resources :users
+    #   end
+    #
+    def authenticate(scope=nil)
       constraint = lambda do |request|
         request.env["warden"].authenticate!(:scope => scope)
       end
@@ -274,6 +287,17 @@ module ActionDispatch::Routing
     # Notice you cannot have two scopes mapping to the same URL. And remember, if
     # you try to access a devise controller without specifying a scope, it will
     # raise ActionNotFound error.
+    #
+    # Also be aware of that 'devise_scope' and 'as' use the singular form of the
+    # noun where other devise route commands expect the plural form. This would be a
+    # good and working example.
+    #
+    #  devise_scope :user do
+    #    match "/some/route" => "some_devise_controller"
+    #  end
+    #  devise_for :users
+    #
+    # Notice and be aware of the differences above between :user and :users
     def devise_scope(scope)
       constraint = lambda do |request|
         request.env["devise.mapping"] = Devise.mappings[scope]
@@ -319,7 +343,7 @@ module ActionDispatch::Routing
           :cancel => mapping.path_names[:cancel]
         }
 
-        resource :registration, :except => :show, :path => mapping.path_names[:registration],
+        resource :registration, :only => [:new, :create, :edit, :update, :destroy], :path => mapping.path_names[:registration],
                  :path_names => path_names, :controller => controllers[:registrations] do
           get :cancel
         end
@@ -335,7 +359,7 @@ module ActionDispatch::Routing
           ::OmniAuth.config.path_prefix = path_prefix
         end
 
-        match "#{path_prefix}/:action/callback", :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)),
+        match "#{path_prefix}/:action/callback", :constraints => { :action => Regexp.union(mapping.to.omniauth_providers.map(&:to_s)) },
           :to => controllers[:omniauth_callbacks], :as => :omniauth_callback
       ensure
         @scope[:path] = path

lib/devise/rails/warden_compat.rb

@@ -15,21 +15,16 @@ end
 
 class Warden::SessionSerializer
   def serialize(record)
-    [record.class.name, record.to_key, record.authenticatable_salt]
+    klass = record.class
+    array = klass.serialize_into_session(record)
+    array.unshift(klass.name)
   end
 
   def deserialize(keys)
-    if keys.size == 2
-      raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
-        "you can fix it by changing one character in your secret_token or cleaning up your " <<
-        "database sessions if you are using a db store."
-    end
-
-    klass, id, salt = keys
+    klass, *args = keys
 
     begin
-      record = ActiveSupport::Inflector.constantize(klass).to_adapter.get(id)
-      record if record && record.authenticatable_salt == salt
+      ActiveSupport::Inflector.constantize(klass).serialize_from_session(*args)
     rescue NameError => e
       if e.message =~ /uninitialized constant/
         Rails.logger.debug "[Devise] Trying to deserialize invalid class #{klass}"

lib/devise/schema.rb

@@ -3,11 +3,12 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
-    # Creates email when enabled (on by default), encrypted_password and password_salt.
+    # Creates encrypted_password, and email when it is used as an authentication
+    # key (default).
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :default - Should be set to "" when :null is false.
+    # * :default - Set to "" when :null is false, unless overridden.
     #
     # == Notes
     # For Datamapper compatibility, we explicitly hardcode the limit for the
@@ -21,7 +22,8 @@ module Devise
       apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
     end
 
-    # Creates password salt for encryption support.
+    # Creates password salt for encryption support when using encryptors other
+    # than the database_authenticable default of bcrypt.
     def encryptable
       apply_devise_schema :password_salt, String
     end

lib/devise/strategies/authenticatable.rb

@@ -85,17 +85,17 @@ module Devise
 
       # By default, a request is valid  if the controller is allowed and the VERB is POST.
       def valid_request?
-        valid_controller? && valid_verb?
-      end
-
-      # Check if the controller is the one registered for authentication.
-      def valid_controller?
-        mapping.controllers[:sessions] == params[:controller]
-      end
-
-      # Check if it was a POST request.
-      def valid_verb?
-        request.post?
+        if env["devise.allow_params_authentication"]
+          true
+        elsif request.post? && mapping.controllers[:sessions] == params[:controller]
+          ActiveSupport::Deprecation.warn "It seems that you are using a custom SessionsController. " \
+            "In order for it to work from Devise 1.4.6 forward, you need to add the following:" \
+            "\n\n  prepend_before_filter :allow_params_authentication!, :only => :create\n\n" \
+            "This will ensure your controller can authenticate from params for the create action.", caller
+          true
+        else
+          false
+        end
       end
 
       # If the request is valid, finally check if params_auth_hash returns a hash.

lib/devise/strategies/token_authenticatable.rb

@@ -39,7 +39,11 @@ module Devise
 
       # Try both scoped and non scoped keys.
       def params_auth_hash
-        params[scope] || params
+        if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
+          params[scope]
+        else
+          params
+        end
       end
 
       # Overwrite authentication keys to use token_authentication_key.

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.2".freeze
+  VERSION = "1.4.8".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -1,6 +1,7 @@
 require 'rails/generators/active_record'
 require 'generators/devise/orm_helpers'
 
+
 module ActiveRecord
   module Generators
     class DeviseGenerator < ActiveRecord::Generators::Base
@@ -9,14 +10,18 @@ module ActiveRecord
       include Devise::Generators::OrmHelpers
       source_root File.expand_path("../templates", __FILE__)
 
+      def copy_devise_migration
+        if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
+          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}"
+        else
+          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
+        end
+      end
+
       def generate_model
         invoke "active_record:model", [name], :migration => false unless model_exists? && behavior == :invoke
       end
-
-      def copy_devise_migration
-        migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
-      end
-
+      
       def inject_devise_content
         inject_into_class(model_path, class_name, model_contents + <<CONTENT) if model_exists?
   # Setup accessible (or protected) attributes for your model

lib/generators/active_record/templates/migration_existing.rb

@@ -0,0 +1,34 @@
+class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def self.up
+    change_table(:<%= table_name %>) do |t|
+      t.database_authenticatable :null => false
+      t.recoverable
+      t.rememberable
+      t.trackable
+    
+      # t.encryptable
+      # t.confirmable
+      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
+      # t.token_authenticatable
+
+<% for  attribute in attributes -%>
+      t.<%= attribute.type %> :<%= attribute.name %>
+<% end -%>
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :<%= table_name %>, :email,                :unique => true
+    add_index :<%= table_name %>, :reset_password_token, :unique => true
+    # add_index :<%= table_name %>, :confirmation_token,   :unique => true
+    # add_index :<%= table_name %>, :unlock_token,         :unique => true
+    # add_index :<%= table_name %>, :authentication_token, :unique => true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration   
+  end
+end

lib/generators/devise/devise_generator.rb

@@ -9,9 +9,12 @@ module Devise
 
       hook_for :orm
 
+      class_option :routes, :desc => "Generate routes", :type => :boolean, :default => true
+
       def add_devise_routes
         devise_route  = "devise_for :#{plural_name}"
-        devise_route += %Q(, :class_name => "#{class_name}") if class_name.include?("::")
+        devise_route << %Q(, :class_name => "#{class_name}") if class_name.include?("::")
+        devise_route << %Q(, :skip => :all) unless options.routes?
         route devise_route
       end
     end

lib/generators/devise/orm_helpers.rb

@@ -14,6 +14,14 @@ CONTENT
       def model_exists?
         File.exists?(File.join(destination_root, model_path))
       end
+      
+      def migration_exists?(table_name)
+        Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_to_#{table_name}.rb$/).first
+      end
+      
+      def migration_path
+        @migration_path ||= File.join("db", "migrate")
+      end
 
       def model_path
         @model_path ||= File.join("app", "models", "#{file_path}.rb")

lib/generators/templates/README

@@ -22,4 +22,11 @@ Some setup you must do manually if you haven't yet:
        <p class="notice"><%= notice %></p>
        <p class="alert"><%= alert %></p>
 
+  4. If you are deploying Rails 3.1 on Heroku, you may want to set:
+
+       config.assets.initialize_on_precompile = false
+
+     On config/application.rb forcing your application to not access the DB
+     or load models when precompiling your assets.
+
 ===============================================================================

lib/generators/templates/devise.rb

@@ -2,7 +2,8 @@
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|
   # ==> Mailer Configuration
-  # Configure the e-mail address which will be shown in DeviseMailer.
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
   config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
   # Configure the class responsible to send e-mails.
@@ -35,7 +36,7 @@ Devise.setup do |config|
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
   config.case_insensitive_keys = [ :email ]
-  
+
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
@@ -61,18 +62,21 @@ Devise.setup do |config|
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
-  config.stretches = 10
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments.
+  config.stretches = Rails.env.test? ? 1 : 10
 
   # Setup a pepper to generate the encrypted password.
   # config.pepper = <%= SecureRandom.hex(64).inspect %>
 
   # ==> Configuration for :confirmable
-  # The time you want to give your user to confirm his account. During this time
-  # he will be able to access your application without confirming. Default is 0.days
-  # When confirm_within is zero, the user won't be able to sign in without confirming.
-  # You can use this to let your user access some features of your application
-  # without confirming the account, but blocking it after a certain period
-  # (ie 2 days).
+  # A period that the user is allowed to access the website even without
+  # confirming his account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming his account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming his account.
   # config.confirm_within = 2.days
 
   # Defines which key will be used when confirming an account
@@ -100,8 +104,10 @@ Devise.setup do |config|
   # Range for password length. Default is 6..128.
   # config.password_length = 6..128
 
-  # Regex to use to validate the email address
-  # config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -4,7 +4,7 @@
   <%= f.error_notification %>
 
   <div class="inputs">
-    <%= f.input :email, :autofocus => true %>
+    <%= f.input :email, :required => true, :autofocus => true %>
     <%= f.input :password, :hint => "leave it blank if you don't want to change it", :required => false %>
     <%= f.input :password_confirmation, :required => false %>
     <%= f.input :current_password, :hint => "we need your current password to confirm your changes", :required => true %>

lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -4,9 +4,9 @@
   <%= f.error_notification %>
 
   <div class="inputs">
-    <%= f.input :email, :autofocus => true %>
-    <%= f.input :password %>
-    <%= f.input :password_confirmation %>
+    <%= f.input :email, :required => true, :autofocus => true %>
+    <%= f.input :password, :required => true %>
+    <%= f.input :password_confirmation, :required => true %>
   </div>
 
   <div class="actions">

test/controllers/helpers_test.rb

@@ -45,6 +45,11 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     @controller.authenticate_user!
   end
 
+  test 'proxy authenticate_user! options to authenticate with user scope' do
+    @mock_warden.expects(:authenticate!).with(:scope => :user, :recall => "foo")
+    @controller.authenticate_user!(:recall => "foo")
+  end
+
   test 'proxy authenticate_admin! to authenticate with admin scope' do
     @mock_warden.expects(:authenticate!).with(:scope => :admin)
     @controller.authenticate_admin!
@@ -106,7 +111,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     user = User.new
     @mock_warden.expects(:user).returns(user)
     @mock_warden.expects(:set_user).never
-    @controller.sign_in(user)
+    assert @controller.sign_in(user)
   end
 
   test 'sign in again when the user is already in only if force is given' do

test/controllers/internal_helpers_test.rb

@@ -35,7 +35,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'resources methods are not controller actions' do
-    assert @controller.class.action_methods.empty?
+    assert @controller.class.action_methods.empty?, "Expected empty, got #{@controller.class.action_methods.inspect}"
   end
 
   test 'require no authentication tests current mapping' do

test/failure_app_test.rb

@@ -2,6 +2,10 @@ require 'test_helper'
 require 'ostruct'
 
 class FailureTest < ActiveSupport::TestCase
+  class RootFailureApp < Devise::FailureApp
+    undef_method :new_user_session_path
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -18,32 +22,31 @@ class FailureTest < ActiveSupport::TestCase
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)
 
-    @response = Devise::FailureApp.call(env).to_a
+    @response = (env.delete(:app) || Devise::FailureApp).call(env).to_a
     @request  = ActionDispatch::Request.new(env)
   end
 
   context 'When redirecting' do
-    test 'return 302 status' do
-      call_failure
-      assert_equal 302, @response.first
-    end
-
-    test 'return 302 status for wildcard requests' do
-      call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
-      assert_equal 302, @response.first
-    end
-
     test 'return to the default redirect location' do
       call_failure
+      assert_equal 302, @response.first
       assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
     test 'return to the default redirect location for wildcard requests' do
       call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
+      assert_equal 302, @response.first
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
+    test 'return to the root path if no session path is available' do
+      call_failure :app => RootFailureApp
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/', @response.second['Location']
+    end
+
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(:message => :test))
       assert_equal 'test', @request.flash[:alert]
@@ -74,7 +77,7 @@ class FailureTest < ActiveSupport::TestCase
         assert_equal 302, @response.first
       end
     end
-    
+
     test 'redirects the correct format if it is a non-html format request' do
       swap Devise, :navigational_formats => [:js] do
         call_failure('formats' => :js)
@@ -178,7 +181,7 @@ class FailureTest < ActiveSupport::TestCase
       assert @response.third.body.include?('<h2>Sign in</h2>')
       assert @response.third.body.include?('Invalid email or password.')
     end
-    
+
     test 'calls the original controller if not confirmed email' do
       env = {
         "warden.options" => { :recall => "devise/sessions#new", :attempted_path => "/users/sign_in", :message => :unconfirmed },
@@ -187,9 +190,9 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Sign in</h2>')
-      assert @response.third.body.include?('You have to confirm your account before continuing.')     
+      assert @response.third.body.include?('You have to confirm your account before continuing.')
     end
-    
+
     test 'calls the original controller if inactive account' do
       env = {
         "warden.options" => { :recall => "devise/sessions#new", :attempted_path => "/users/sign_in", :message => :inactive },
@@ -198,7 +201,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Sign in</h2>')
-      assert @response.third.body.include?('Your account was not activated yet.')     
+      assert @response.third.body.include?('Your account was not activated yet.')
     end
   end
 end

test/generators/active_record_generator_test.rb

@@ -13,9 +13,22 @@ if DEVISE_ORM == :active_record
       assert_file "app/models/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
       assert_migration "db/migrate/devise_create_monsters.rb"
     end
+    
+    test "update model migration when model exists" do
+      run_generator %w(monster)
+      assert_file "app/models/monster.rb"
+      run_generator %w(monster)
+      assert_migration "db/migrate/add_devise_to_monsters.rb"
+    end
   
     test "all files are properly deleted" do
       run_generator %w(monster)
+      run_generator %w(monster)
+      assert_migration "db/migrate/devise_create_monsters.rb"
+      assert_migration "db/migrate/add_devise_to_monsters.rb"
+      run_generator %w(monster), :behavior => :revoke
+      assert_no_migration "db/migrate/add_devise_to_monsters.rb"
+      assert_migration "db/migrate/devise_create_monsters.rb"
       run_generator %w(monster), :behavior => :revoke
       assert_no_file "app/models/monster.rb"
       assert_no_migration "db/migrate/devise_create_monsters.rb"

test/generators/devise_generator_test.rb

@@ -22,6 +22,12 @@ class DeviseGeneratorTest < Rails::Generators::TestCase
     assert_file "config/routes.rb", match
   end
 
+  test "route generation with skip routes" do
+    run_generator %w(monster name:string --skip-routes)
+    match = /devise_for :monsters, :skip => :all/
+    assert_file "config/routes.rb", match
+  end
+
   def copy_routes
     routes = File.expand_path("../../rails_app/config/routes.rb", __FILE__)
     destination = File.join(destination_root, "config")

test/generators/mongoid_generator_test.rb

@@ -1,7 +1,7 @@
 require "test_helper"
 
-if DEVISE_ORM == :mongo_id
-  require "generators/mongo_id/devise_generator"
+if DEVISE_ORM == :mongoid
+  require "generators/mongoid/devise_generator"
 
   class MongoidGeneratorTest < Rails::Generators::TestCase
     tests Mongoid::Generators::DeviseGenerator
@@ -19,4 +19,5 @@ if DEVISE_ORM == :mongo_id
       assert_no_file "app/models/monster.rb"
     end
   end
-end
+end
+

test/helpers/devise_helper_test.rb

@@ -2,13 +2,16 @@ require 'test_helper'
 
 class DeviseHelperTest < ActionController::IntegrationTest
   setup do
+    model_labels = { :models => { :user => "utilisateur" } }
+
     I18n.backend.store_translations :fr,
     {
       :errors => { :messages => { :not_saved => {
         :one => "Erreur lors de l'enregistrement de '%{resource}': 1 erreur.",
         :other => "Erreur lors de l'enregistrement de '%{resource}': %{count} erreurs."
       } } },
-      :activerecord => { :models => { :user => "utilisateur" } }
+      :activerecord => model_labels,
+      :mongoid => model_labels
     }
 
     I18n.locale = 'fr'
@@ -30,6 +33,10 @@ class DeviseHelperTest < ActionController::IntegrationTest
   end
 
   test 'test errors.messages.not_saved with multiple errors from i18n' do
+    # Dirty tracking behavior prevents email validations from being applied:
+    #    https://github.com/mongoid/mongoid/issues/756
+    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
+
     get new_user_registration_path
 
     fill_in 'email', :with => 'invalid_email'
@@ -40,4 +47,5 @@ class DeviseHelperTest < ActionController::IntegrationTest
     assert_have_selector '#error_explanation'
     assert_contain "Erreur lors de l'enregistrement de 'utilisateur': 2 erreurs"
   end
-end
+end
+

test/integration/authenticatable_test.rb

@@ -401,14 +401,14 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 
   test 'sign in stub in xml format' do
     get new_user_session_path(:format => 'xml')
-    assert_equal "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>\n  <email></email>\n  <password></password>\n</user>\n", response.body
+    assert_equal "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>\n  <email></email>\n  <password nil=\"true\"></password>\n</user>\n", response.body
   end
 
   test 'sign in stub in json format' do
     get new_user_session_path(:format => 'json')
     assert_match '{"user":{', response.body
     assert_match '"email":""', response.body
-    assert_match '"password":""', response.body
+    assert_match '"password":null', response.body
   end
 
   test 'sign in stub in json with non attribute key' do
@@ -416,7 +416,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
       get new_user_session_path(:format => 'json')
       assert_match '{"user":{', response.body
       assert_match '"other_key":null', response.body
-      assert_match '"password":""', response.body
+      assert_match '"password":null', response.body
     end
   end
 
@@ -454,6 +454,23 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 end
 
+class AuthenticationKeysTest < ActionController::IntegrationTest
+  test 'missing authentication keys cause authentication to abort' do
+    swap Devise, :authentication_keys => [:subdomain] do
+      sign_in_as_user
+      assert_contain "Invalid email or password."
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'missing authentication keys cause authentication to abort unless marked as not required' do
+    swap Devise, :authentication_keys => { :email => true, :subdomain => false } do
+      sign_in_as_user
+      assert warden.authenticated?(:user)
+    end
+  end
+end
+
 class AuthenticationRequestKeysTest < ActionController::IntegrationTest
   test 'request keys are used on authentication' do
     host! 'foo.bar.baz'

test/integration/confirmable_test.rb

@@ -37,6 +37,15 @@ class ConfirmationTest < ActionController::IntegrationTest
     assert user.reload.confirmed?
   end
 
+  test 'user should be redirected to a custom path after confirmation' do
+    Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
+
+    user = create_user(:confirm => false)
+    visit_user_confirmation_with_token(user.confirmation_token)
+
+    assert_current_url "/?custom=1"
+  end
+
   test 'already confirmed user should not be able to confirm the account again' do
     user = create_user(:confirm => false)
     user.confirmed_at = Time.now
@@ -60,7 +69,7 @@ class ConfirmationTest < ActionController::IntegrationTest
     assert_contain 'already confirmed'
   end
 
-  test 'sign in user automatically after confirming it\'s email' do
+  test 'sign in user automatically after confirming its email' do
     user = create_user(:confirm => false)
     visit_user_confirmation_with_token(user.confirmation_token)
 

test/integration/lockable_test.rb

@@ -73,7 +73,7 @@ class LockTest < ActionController::IntegrationTest
     assert_not user.reload.access_locked?
   end
 
-  test "sign in user automatically after unlocking it's account" do
+  test "sign in user automatically after unlocking its account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
     assert warden.authenticated?(:user)

test/integration/recoverable_test.rb

@@ -147,7 +147,7 @@ class PasswordTest < ActionController::IntegrationTest
     reset_password :reset_password_token => user.reload.reset_password_token
 
     assert_current_url '/'
-    assert_contain 'Your password was changed successfully.'
+    assert_contain 'Your password was changed successfully. You are now signed in.'
     assert user.reload.valid_password?('987654321')
   end
 
@@ -166,7 +166,7 @@ class PasswordTest < ActionController::IntegrationTest
     assert user.reload.valid_password?('987654321')
   end
 
-  test 'sign in user automatically after changing it\'s password' do
+  test 'sign in user automatically after changing its password' do
     user = create_user
     request_forgot_password
     reset_password :reset_password_token => user.reload.reset_password_token
@@ -174,13 +174,24 @@ class PasswordTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'does not sign in user automatically after changing it\'s password if it\'s not active' do
+  test 'does not sign in user automatically after changing its password if it\'s locked' do
+    user = create_user(:locked => true)
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert_contain 'Your password was changed successfully.'
+    assert_not_contain 'You are now signed in.'
+    assert_equal new_user_session_path, @request.path
+    assert !warden.authenticated?(:user)
+  end
+
+  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
     user = create_user(:confirm => false)
     request_forgot_password
     reset_password :reset_password_token => user.reload.reset_password_token
 
-    assert_equal new_user_session_path, @request.path
-    assert !warden.authenticated?(:user)
+    assert warden.authenticated?(:user)
+    assert user.reload.confirmed?
   end
 
   test 'reset password request with valid E-Mail in XML format should return valid response' do

test/integration/registerable_test.rb

@@ -69,6 +69,10 @@ class RegistrationTest < ActionController::IntegrationTest
   end
 
   test 'a guest user cannot sign up with invalid information' do
+    # Dirty tracking behavior prevents email validations from being applied:
+    #    https://github.com/mongoid/mongoid/issues/756
+    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
+
     get new_user_registration_path
 
     fill_in 'email', :with => 'invalid_email'
@@ -87,6 +91,10 @@ class RegistrationTest < ActionController::IntegrationTest
   end
 
   test 'a guest should not sign up with email/password that already exists' do
+    # Dirty tracking behavior prevents email validations from being applied:
+    #    https://github.com/mongoid/mongoid/issues/756
+    (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
+
     user = create_user
     get new_user_registration_path
 
@@ -211,14 +219,14 @@ class RegistrationTest < ActionController::IntegrationTest
     get new_user_registration_path(:format => 'xml')
     assert_response :success
     assert_match %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>), response.body
-    assert_no_match(/<confirmation-token/, response.body) if DEVISE_ORM == :active_record
+    assert_no_match(/<confirmation-token/, response.body)
   end
 
   test 'a user with JSON sign up stub' do
     get new_user_registration_path(:format => 'json')
     assert_response :success
     assert_match %({"user":), response.body
-    assert_no_match(/"confirmation_token"/, response.body) if DEVISE_ORM == :active_record
+    assert_no_match(/"confirmation_token"/, response.body)
   end
 
   test 'an admin sign up with valid information in XML format should return valid response' do

test/integration/token_authenticatable_test.rb

@@ -13,6 +13,17 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'authenticate with valid authentication token key and value through params, when params with the same key as scope exist' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user = create_user_with_authentication_token
+      post exhibit_user_path(user), Devise.token_authentication_key => user.authentication_token, :user => { :some => "data" }
+
+      assert_response :success
+      assert_contain 'User is authenticated'
+      assert warden.authenticated?(:user)
+    end
+  end
+
   test 'authenticate with valid authentication token key but does not store if stateless' do
     swap Devise, :token_authentication_key => :secret_token, :stateless_token => true do
       sign_in_as_new_user_with_token

test/mailers/confirmation_instructions_test.rb

@@ -4,6 +4,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
 
   def setup
     setup_mailer
+    Devise.mailer = 'Devise::Mailer'
     Devise.mailer_sender = 'test@example.com'
   end
 
@@ -35,6 +36,11 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     assert_equal ['test@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults' do
+    Devise.mailer = 'Users::Mailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end

test/mailers/reset_password_instructions_test.rb

@@ -4,6 +4,7 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
 
   def setup
     setup_mailer
+    Devise.mailer = 'Devise::Mailer'
     Devise.mailer_sender = 'test@example.com'
   end
 
@@ -38,6 +39,11 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
     assert_equal ['test@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults' do
+    Devise.mailer = 'Users::Mailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end

test/mailers/unlock_instructions_test.rb

@@ -4,6 +4,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
 
   def setup
     setup_mailer
+    Devise.mailer = 'Devise::Mailer'
     Devise.mailer_sender = 'test@example.com'
   end
 
@@ -38,6 +39,11 @@ class UnlockInstructionsTest < ActionMailer::TestCase
     assert_equal ['test@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults' do
+    Devise.mailer = 'Users::Mailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end

test/mapping_test.rb

@@ -31,6 +31,10 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal "admin_area", Devise.mappings[:admin].path
   end
 
+  test 'allows to skip all routes' do
+    assert_equal [], Devise.mappings[:skip_admin].used_routes
+  end
+
   test 'sign_out_via defaults to :get' do
     assert_equal :get, Devise.mappings[:user].sign_out_via
   end

test/models/confirmable_test.rb

@@ -121,7 +121,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "not found", confirmation_user.errors[:email].join
   end
 
-  test 'should send email instructions for the user confirm it\'s email' do
+  test 'should send email instructions for the user confirm its email' do
     user = create_user
     assert_email_sent do
       User.send_confirmation_instructions(:email => user.email)
@@ -219,7 +219,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.reload.active_for_authentication?
   end
 
-  test 'should find a user to send email instructions for the user confirm it\'s email by authentication_keys' do
+  test 'should find a user to send email instructions for the user confirm its email by authentication_keys' do
     swap Devise, :authentication_keys => [:username, :email] do
       user = create_user
       confirm_user = User.send_confirmation_instructions(:email => user.email, :username => user.username)

test/models/encryptable_test.rb

@@ -31,8 +31,10 @@ class EncryptableTest < ActiveSupport::TestCase
 
   test 'should generate a base64 hash using SecureRandom for password salt' do
     swap_with_encryptor Admin, :sha1 do
-      SecureRandom.expects(:base64).with(15).returns('friendly_token')
-      assert_equal 'friendly_token', create_admin.password_salt
+      SecureRandom.expects(:base64).with(15).returns('01lI')
+      salt = create_admin.password_salt
+      assert_not_equal '01lI', salt
+      assert_equal 4, salt.size
     end
   end
 

test/models/validatable_test.rb

@@ -1,3 +1,4 @@
+# encoding: UTF-8
 require 'test_helper'
 
 class ValidatableTest < ActiveSupport::TestCase
@@ -28,7 +29,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert user.invalid?
     assert_not_equal 'is invalid', user.errors[:email].join
 
-    %w(invalid_email_format 123 $$$ \(\) ).each do |email|
+    %w{invalid_email_format 123 $$$ () ☃ bla@bla.}.each do |email|
       user.email = email
       assert user.invalid?, 'should be invalid with email ' << email
       assert_equal 'is invalid', user.errors[:email].join
@@ -39,7 +40,7 @@ class ValidatableTest < ActiveSupport::TestCase
   end
 
   test 'should accept valid emails' do
-    %w(a.b.c@example.com test_mail@gmail.com any@any.net email@test.br 123@mail.test).each do |email|
+    %w(a.b.c@example.com test_mail@gmail.com any@any.net email@test.br 123@mail.test 1☃3@mail.test).each do |email|
       user = new_user(:email => email)
       assert user.valid?, 'should be valid with email ' << email
       assert_blank user.errors[:email]

test/models_test.rb

@@ -42,18 +42,16 @@ class ActiveRecordTest < ActiveSupport::TestCase
     assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable, :lockable, :rememberable, :encryptable
   end
 
-  if DEVISE_ORM == :active_record
-    test 'validations options are not applied to late' do
-      validators = WithValidation.validators_on :password
-      length = validators.find { |v| v.kind == :length }
-      assert_equal 2, length.options[:minimum]
-      assert_equal 6, length.options[:maximum]
-    end
+  test 'validations options are not applied too late' do
+    validators = WithValidation.validators_on :password
+    length = validators.find { |v| v.kind == :length }
+    assert_equal 2, length.options[:minimum]
+    assert_equal 6, length.options[:maximum]
+  end
 
-    test 'validations are applied just once' do
-      validators = Several.validators_on :password
-      assert_equal 1, validators.select{ |v| v.kind == :length }.length
-    end
+  test 'validations are applied just once' do
+    validators = Several.validators_on :password
+    assert_equal 1, validators.select{ |v| v.kind == :length }.length
   end
 
   test 'chosen modules are inheritable' do

test/omniauth/url_helpers_test.rb

@@ -28,31 +28,31 @@ class OmniAuthRoutesTest < ActionController::TestCase
   end
 
   test 'should generate authorization path' do
-    assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
+    assert_match "/users/auth/facebook", @controller.send(:omniauth_authorize_path, :user, :facebook)
 
     assert_raise ArgumentError do
-      @controller.omniauth_authorize_path(:user, :github)
+      @controller.send :omniauth_authorize_path, :user, :github
     end
   end
 
   test 'should generate authorization path for named open_id omniauth' do
-    assert_match "/users/auth/google", @controller.omniauth_authorize_path(:user, :google)
+    assert_match "/users/auth/google", @controller.send(:omniauth_authorize_path, :user, :google)
   end
 
   test 'should generate authorization path with params' do
     assert_match "/users/auth/open_id?openid_url=http%3A%2F%2Fyahoo.com",
-                  @controller.omniauth_authorize_path(:user, :open_id, :openid_url => "http://yahoo.com")
+                  @controller.send(:omniauth_authorize_path, :user, :open_id, :openid_url => "http://yahoo.com")
   end
 
   test 'should not add a "?" if no param was sent' do
     assert_equal "/users/auth/open_id",
-                  @controller.omniauth_authorize_path(:user, :open_id)
+                  @controller.send(:omniauth_authorize_path, :user, :open_id)
   end
 
   test 'should set script name in the path if present' do
     @request.env['SCRIPT_NAME'] = '/q'
 
     assert_equal "/q/users/auth/facebook",
-                 @controller.omniauth_authorize_path(:user, :facebook)
+                 @controller.send(:omniauth_authorize_path, :user, :facebook)
   end
 end

test/orm/mongoid.rb

@@ -1,6 +1,9 @@
+require 'mongoid/version'
+
 Mongoid.configure do |config|
   config.master  = Mongo::Connection.new('127.0.0.1', 27017).db("devise-test-suite")
   config.use_utc = true
+  config.include_root_in_json = true
 end
 
 class ActiveSupport::TestCase

test/rails_app/app/active_record/user.rb

@@ -3,6 +3,4 @@ require 'shared_user'
 class User < ActiveRecord::Base
   include Shim
   include SharedUser
-
-  attr_accessible :username, :email, :password, :password_confirmation, :remember_me
 end

test/rails_app/app/mailers/users/mailer.rb

@@ -0,0 +1,3 @@
+class Users::Mailer < Devise::Mailer
+  default :from => 'custom@example.com'
+end

test/rails_app/app/mongoid/shim.rb

@@ -21,9 +21,4 @@ module Shim
   def ==(other)
     other.is_a?(self.class) && _id == other._id
   end
-
-  # Mongoid does not have this method in the current beta version (2.0.0.beta.20)
-  def update_attribute(attribute, value)
-    update_attributes(attribute => value)
-  end
 end

test/rails_app/config/application.rb

@@ -29,6 +29,7 @@ module RailsApp
 
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters << :password
+    config.assets.enabled = false
 
     config.action_mailer.default_url_options = { :host => "localhost:3000" }
 

test/rails_app/config/boot.rb

@@ -2,12 +2,7 @@ unless defined?(DEVISE_ORM)
   DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 end
 
-begin
-  require File.expand_path("../../../../.bundle/environment", __FILE__)
-rescue LoadError
-  require 'rubygems'
-  require 'bundler'
-  Bundler.setup :default, :test, DEVISE_ORM
-end
+require 'rubygems'
+require 'bundler/setup'
 
-$:.unshift File.expand_path('../../../../lib', __FILE__)
+$:.unshift File.expand_path('../../../../lib', __FILE__)

test/rails_app/config/initializers/devise.rb

@@ -2,7 +2,8 @@
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|
   # ==> Mailer Configuration
-  # Configure the e-mail address which will be shown in DeviseMailer.
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
 
   # Configure the class responsible to send e-mails.
@@ -35,7 +36,7 @@ Devise.setup do |config|
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
   config.case_insensitive_keys = [ :email ]
-  
+
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.

test/rails_app/config/routes.rb

@@ -4,7 +4,7 @@ Rails.application.routes.draw do
     get :expire, :on => :member
     get :accept, :on => :member
 
-    authenticate :user do
+    authenticate do
       post :exhibit, :on => :member
     end
   end
@@ -50,10 +50,12 @@ Rails.application.routes.draw do
   constraints(:host => /192\.168\.1\.\d\d\d/) do
     devise_for :homebase_admin, :class_name => "Admin", :path => "homebase"
   end
+
+  devise_for :skip_admin, :class_name => "Admin", :skip => :all
   
   # Routes for format=false testing
-  devise_for :htmlonly_admin, :class_name => "Admin", :skip => [:confirmations, :unlocks], :path => "htmlonly_admin", :format => false
-  devise_for :htmlonly_users, :class_name => "User", :only => [:confirmations, :unlocks], :path => "htmlonly_users", :format => false
+  devise_for :htmlonly_admin, :class_name => "Admin", :skip => [:confirmations, :unlocks], :path => "htmlonly_admin", :format => false, :skip_helpers => [:confirmations, :unlocks]
+  devise_for :htmlonly_users, :class_name => "User", :only => [:confirmations, :unlocks], :path => "htmlonly_users", :format => false, :skip_helpers => true
   
   # Other routes for routing_test.rb
   devise_for :reader, :class_name => "User", :only => :passwords

test/rails_app/lib/shared_user.rb

@@ -7,6 +7,7 @@ module SharedUser
            :trackable, :validatable, :omniauthable
 
     attr_accessor :other_key
+    attr_accessible :username, :email, :password, :password_confirmation, :remember_me
 
     # They need to be included after Devise is called.
     extend ExtendMethods