Merge pull request #1750 from 0x000000/v1.0

Added ability to override redirect_to path after sending reset password ...

CHANGELOG.rdoc

@@ -1,3 +1,79 @@
+== 1.0.11
+
+* bug fix
+  * Make sure xhr requests do not store urls for redirect
+  * Squeeze break lines from cookies to avoid duplicated break lines
+
+== 1.0.10
+
+* bug fix
+  * Use secure compare when comparing passwords
+  * Improve email regexp
+  * Implement handle_unverified_request for Rails 2.3.11
+
+== 1.0.9
+
+* enhancements
+  * Extracted redirect path from Devise failure app to a new method, allowing override in custom failure apps
+  * Added sign_out_via
+
+* bug fix
+  * Email is now case insensitive
+  * Avoid session fixation attacks
+
+== 1.0.8
+
+* enhancements
+  * Support for latest MongoMapper
+  * Added anybody_signed_in? helper (by github.com/SSDany)
+
+* bug fix
+  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)
+
+== 1.0.7
+
+* bug fix
+  * Ensure password confirmation is always required
+
+* deprecations
+  * authenticatable was deprecated and renamed to database_authenticatable
+  * confirmable is not included by default on generation
+
+== 1.0.6
+
+* bug fix
+  * Do not allow unlockable strategies based on time to access a controller.
+  * Do not send unlockable email several times.
+  * Allow controller to upstram custom! failures to Warden.
+
+== 1.0.5
+
+* bug fix
+  * Use prepend_before_filter in require_no_authentication.
+  * require_no_authentication on unlockable.
+  * Fix a bug when giving an association proxy to devise.
+  * Do not use lock! on lockable since it's part of ActiveRecord API.
+
+== 1.0.4
+
+* bug fix
+  * Fixed a bug when deleting an account with rememberable
+  * Fixed a bug with custom controllers
+
+== 1.0.3
+
+* enhancements
+  * HTML e-mails now have proper formatting
+  * Do not remove MongoMapper options in find
+
+== 1.0.2
+
+* enhancements
+  * Allows you set mailer content type (by github.com/glennr)
+
+* bug fix
+  * Uses the same content type as request on http authenticatable 401 responses
+
 == 1.0.1
 
 * enhancements
@@ -17,6 +93,7 @@
   * Added Http Basic Authentication support
   * Allow scoped_views to be customized per controller/mailer class
   * [#99] Allow authenticatable to used in change_table statements
+  * Add mailer_content_type configuration parameter (by github.com/glennr)
 
 == 0.9.2
 

README.rdoc

@@ -9,7 +9,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 Right now it's composed of 12 modules:
 
-* Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Database Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
 * Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as "single access token").
 * HttpAuthenticatable: sign in users using basic HTTP authentication.
 * Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
@@ -30,17 +30,13 @@ Devise is based on Warden (http://github.com/hassox/warden), a Rack Authenticati
 
 == Installation
 
-All gems are on gemcutter, so you need to add gemcutter to your sources if you haven't yet:
+Install warden gem if you don't have it installed:
 
-  sudo gem sources -a http://gemcutter.org/
-
-Install warden gem if you don't have it installed (requires 0.6.4 or higher):
-
-  sudo gem install warden
+  gem install warden
 
 Install devise gem:
 
-  sudo gem install devise
+  gem install devise --version=1.0.10
 
 Configure warden and devise gems inside your app:
 
@@ -55,6 +51,10 @@ And you're ready to go. The generator will install an initializer which describe
 
   http://rdoc.info/projects/plataformatec/devise
 
+If you want to use Devise with bundler on Rails 2.3, you need to follow the instructions here:
+
+  http://github.com/carlhuda/bundler/issues/issue/83
+
 == Basic Usage
 
 This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration. You MUST also check out the *Generators* section below to help you start.
@@ -64,13 +64,13 @@ Devise must be set up within the model (or models) you want to use, and devise r
 We're assuming here you want a User model with some modules, as outlined below:
 
   class User < ActiveRecord::Base
-    devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+    devise :database_authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
   end
 
 After you choose which modules to use, you need to setup your migrations. Luckily, devise has some helpers to save you from this boring work:
 
   create_table :users do |t|
-    t.authenticatable
+    t.database_authenticatable
     t.confirmable
     t.recoverable
     t.rememberable
@@ -128,13 +128,13 @@ Devise let's you setup as many roles as you want, so let's say you already have
 
   # Create a migration with the required fields
   create_table :admins do |t|
-    t.authenticatable
+    t.database_authenticatable
     t.lockable
     t.trackable
   end
 
   # Inside your Admin model
-  devise :authenticatable, :trackable, :timeoutable, :lockable
+  devise :database_authenticatable, :trackable, :timeoutable, :lockable
 
   # Inside your routes
   map.devise_for :admin
@@ -161,9 +161,9 @@ A model configured with all devise modules and attr_accessible for default field
 
 == Model configuration
 
-The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in authenticatable:
+The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in database_authenticatable:
 
-  devise :authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
+  devise :database_authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
 
 Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are describer in the initializer created when you invoke the devise_install generator describer above.
 
@@ -240,6 +240,16 @@ Devise supports both ActiveRecord (default) and MongoMapper, and has experimenta
 
 Please refer to TODO file.
 
+== Security
+
+Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
+
+1) Look at the source code a bit to find out whether your assumptions are correct;
+2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
+3) E-mail us or send a Github private message instead of using the normal issues;
+
+Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
+
 == Maintainers
 
 * José Valim (http://github.com/josevalim)
@@ -247,7 +257,9 @@ Please refer to TODO file.
 
 == Contributors
 
-We have a long running list of contributors. Check them in the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
+We have a long running list of contributors. Check them all here:
+
+http://github.com/plataformatec/devise/contributors
 
 == Bugs and Feedback
 

Rakefile

@@ -37,17 +37,17 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION
+    s.version = Devise::VERSION.dup
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"
     s.description = "Flexible authentication solution for Rails with Warden"
     s.authors = ['José Valim', 'Carlos Antônio']
-    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "init.rb"]
-    s.add_dependency("warden", "~> 0.9.0")
+    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "rails/init.rb"]
+    s.add_dependency("warden", "~> 0.10.3")
   end
 
   Jeweler::GemcutterTasks.new
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+  puts "Jeweler, or one of its dependencies, is not available. Install it with: gem install jeweler"
 end

app/controllers/confirmations_controller.rb

@@ -21,7 +21,7 @@ class ConfirmationsController < ApplicationController
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
-    self.resource = resource_class.confirm!(:confirmation_token => params[:confirmation_token])
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :confirmed

app/controllers/passwords_controller.rb

@@ -1,8 +1,7 @@
 class PasswordsController < ApplicationController
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication
-
   # GET /resource/password/new
   def new
     build_resource
@@ -15,7 +14,7 @@ class PasswordsController < ApplicationController
 
     if resource.errors.empty?
       set_flash_message :notice, :send_instructions
-      redirect_to new_session_path(resource_name)
+      redirect_to after_sending_reset_password_instructions_path_for(resource_name)
     else
       render_with_scope :new
     end
@@ -30,7 +29,7 @@ class PasswordsController < ApplicationController
 
   # PUT /resource/password
   def update
-    self.resource = resource_class.reset_password!(params[resource_name])
+    self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
       set_flash_message :notice, :updated
@@ -39,4 +38,10 @@ class PasswordsController < ApplicationController
       render_with_scope :edit
     end
   end
+
+  protected
+
+  def after_sending_reset_password_instructions_path_for(resource_name)
+    new_session_path(resource_name)
+  end
 end

app/controllers/registrations_controller.rb

@@ -1,21 +1,19 @@
 class RegistrationsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-  before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
-
-  # GET /resource/sign_in
+  # GET /resource/sign_up
   def new
     build_resource
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 
     if resource.save
-      flash[:"#{resource_name}_signed_up"] = true
       set_flash_message :notice, :signed_up
       sign_in_and_redirect(resource_name, resource)
     else
@@ -52,4 +50,4 @@ class RegistrationsController < ApplicationController
       send(:"authenticate_#{resource_name}!")
       self.resource = send(:"current_#{resource_name}").dup
     end
-end
+end

app/controllers/sessions_controller.rb

@@ -1,11 +1,10 @@
 class SessionsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-
   # GET /resource/sign_in
   def new
-    unless resource_just_signed_up?
+    unless flash[:notice].present?
       Devise::FLASH_MESSAGES.each do |message|
         set_now_flash_message :alert, message if params.try(:[], message) == "true"
       end
@@ -20,6 +19,8 @@ class SessionsController < ApplicationController
     if resource = authenticate(resource_name)
       set_flash_message :notice, :signed_in
       sign_in_and_redirect(resource_name, resource, true)
+    elsif [:custom, :redirect].include?(warden.result)
+      throw :warden, :scope => resource_name
     else
       set_now_flash_message :alert, (warden.message || :invalid)
       clean_up_passwords(build_resource)
@@ -35,11 +36,7 @@ class SessionsController < ApplicationController
 
   protected
 
-  def resource_just_signed_up?
-    flash[:"#{resource_name}_signed_up"]
-  end
-
-  def clean_up_passwords(object)
-    object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
-  end
+    def clean_up_passwords(object)
+      object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
+    end
 end

app/controllers/unlocks_controller.rb

@@ -1,4 +1,6 @@
 class UnlocksController < ApplicationController
+  prepend_before_filter :ensure_email_as_unlock_strategy
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/unlock/new
@@ -21,7 +23,7 @@ class UnlocksController < ApplicationController
 
   # GET /resource/unlock?unlock_token=abcdef
   def show
-    self.resource = resource_class.unlock!(:unlock_token => params[:unlock_token])
+    self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :unlocked
@@ -30,4 +32,10 @@ class UnlocksController < ApplicationController
       render_with_scope :new
     end
   end
+
+  protected
+
+  def ensure_email_as_unlock_strategy
+    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
+  end
 end

app/models/devise_mailer.rb

@@ -20,14 +20,14 @@ class DeviseMailer < ::ActionMailer::Base
 
     # Configure default email options
     def setup_mail(record, key)
-      mapping = Devise::Mapping.find_by_class(record.class)
-      raise "Invalid devise resource #{record}" unless mapping
+      scope_name = Devise::Mapping.find_scope!(record)
+      mapping    = Devise.mappings[scope_name]
 
       subject      translate(mapping, key)
       from         mailer_sender(mapping)
       recipients   record.email
       sent_on      Time.now
-      content_type 'text/html'
+      content_type Devise.mailer_content_type
       body         render_with_scope(key, mapping, mapping.name => record, :resource => record)
     end
 

app/views/devise_mailer/confirmation_instructions.html.erb

@@ -1,5 +1,5 @@
-Welcome <%= @resource.email %>!
+<p>Welcome <%= @resource.email %>!</p>
 
-You can confirm your account through the link below:
+<p>You can confirm your account through the link below:</p>
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

app/views/devise_mailer/reset_password_instructions.html.erb

@@ -1,8 +1,8 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Someone has requested a link to change your password, and you can do this through the link below.
+<p>Someone has requested a link to change your password, and you can do this through the link below.</p>
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
 
-If you didn't request this, please ignore this email.
-Your password won't change until you access the link above and create a new one.
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

app/views/devise_mailer/unlock_instructions.html.erb

@@ -1,7 +1,7 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
 
-Click the link below to unlock your account:
+<p>Click the link below to unlock your account:</p>
 
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>

devise.gemspec

@@ -1,179 +1,178 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.0.1"
+  s.version = "1.0.11"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-02-15}
+  s.date = %q{2011-03-11}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
     "README.rdoc",
-     "TODO"
+    "TODO"
   ]
   s.files = [
     "CHANGELOG.rdoc",
-     "MIT-LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "TODO",
-     "app/controllers/confirmations_controller.rb",
-     "app/controllers/passwords_controller.rb",
-     "app/controllers/registrations_controller.rb",
-     "app/controllers/sessions_controller.rb",
-     "app/controllers/unlocks_controller.rb",
-     "app/models/devise_mailer.rb",
-     "app/views/confirmations/new.html.erb",
-     "app/views/devise_mailer/confirmation_instructions.html.erb",
-     "app/views/devise_mailer/reset_password_instructions.html.erb",
-     "app/views/devise_mailer/unlock_instructions.html.erb",
-     "app/views/passwords/edit.html.erb",
-     "app/views/passwords/new.html.erb",
-     "app/views/registrations/edit.html.erb",
-     "app/views/registrations/new.html.erb",
-     "app/views/sessions/new.html.erb",
-     "app/views/shared/_devise_links.erb",
-     "app/views/unlocks/new.html.erb",
-     "generators/devise/USAGE",
-     "generators/devise/devise_generator.rb",
-     "generators/devise/lib/route_devise.rb",
-     "generators/devise/templates/migration.rb",
-     "generators/devise/templates/model.rb",
-     "generators/devise_install/USAGE",
-     "generators/devise_install/devise_install_generator.rb",
-     "generators/devise_install/templates/README",
-     "generators/devise_install/templates/devise.rb",
-     "generators/devise_views/USAGE",
-     "generators/devise_views/devise_views_generator.rb",
-     "init.rb",
-     "lib/devise.rb",
-     "lib/devise/controllers/helpers.rb",
-     "lib/devise/controllers/internal_helpers.rb",
-     "lib/devise/controllers/url_helpers.rb",
-     "lib/devise/encryptors/authlogic_sha512.rb",
-     "lib/devise/encryptors/base.rb",
-     "lib/devise/encryptors/bcrypt.rb",
-     "lib/devise/encryptors/clearance_sha1.rb",
-     "lib/devise/encryptors/restful_authentication_sha1.rb",
-     "lib/devise/encryptors/sha1.rb",
-     "lib/devise/encryptors/sha512.rb",
-     "lib/devise/failure_app.rb",
-     "lib/devise/hooks/activatable.rb",
-     "lib/devise/hooks/rememberable.rb",
-     "lib/devise/hooks/timeoutable.rb",
-     "lib/devise/hooks/trackable.rb",
-     "lib/devise/locales/en.yml",
-     "lib/devise/mapping.rb",
-     "lib/devise/models.rb",
-     "lib/devise/models/activatable.rb",
-     "lib/devise/models/authenticatable.rb",
-     "lib/devise/models/confirmable.rb",
-     "lib/devise/models/http_authenticatable.rb",
-     "lib/devise/models/lockable.rb",
-     "lib/devise/models/recoverable.rb",
-     "lib/devise/models/registerable.rb",
-     "lib/devise/models/rememberable.rb",
-     "lib/devise/models/timeoutable.rb",
-     "lib/devise/models/token_authenticatable.rb",
-     "lib/devise/models/trackable.rb",
-     "lib/devise/models/validatable.rb",
-     "lib/devise/orm/active_record.rb",
-     "lib/devise/orm/data_mapper.rb",
-     "lib/devise/orm/mongo_mapper.rb",
-     "lib/devise/rails.rb",
-     "lib/devise/rails/routes.rb",
-     "lib/devise/rails/warden_compat.rb",
-     "lib/devise/schema.rb",
-     "lib/devise/strategies/authenticatable.rb",
-     "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/http_authenticatable.rb",
-     "lib/devise/strategies/rememberable.rb",
-     "lib/devise/strategies/token_authenticatable.rb",
-     "lib/devise/test_helpers.rb",
-     "lib/devise/version.rb"
+    "MIT-LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "TODO",
+    "app/controllers/confirmations_controller.rb",
+    "app/controllers/passwords_controller.rb",
+    "app/controllers/registrations_controller.rb",
+    "app/controllers/sessions_controller.rb",
+    "app/controllers/unlocks_controller.rb",
+    "app/models/devise_mailer.rb",
+    "app/views/confirmations/new.html.erb",
+    "app/views/devise_mailer/confirmation_instructions.html.erb",
+    "app/views/devise_mailer/reset_password_instructions.html.erb",
+    "app/views/devise_mailer/unlock_instructions.html.erb",
+    "app/views/passwords/edit.html.erb",
+    "app/views/passwords/new.html.erb",
+    "app/views/registrations/edit.html.erb",
+    "app/views/registrations/new.html.erb",
+    "app/views/sessions/new.html.erb",
+    "app/views/shared/_devise_links.erb",
+    "app/views/unlocks/new.html.erb",
+    "generators/devise/USAGE",
+    "generators/devise/devise_generator.rb",
+    "generators/devise/lib/route_devise.rb",
+    "generators/devise/templates/migration.rb",
+    "generators/devise/templates/model.rb",
+    "generators/devise_install/USAGE",
+    "generators/devise_install/devise_install_generator.rb",
+    "generators/devise_install/templates/README",
+    "generators/devise_install/templates/devise.rb",
+    "generators/devise_views/USAGE",
+    "generators/devise_views/devise_views_generator.rb",
+    "lib/devise.rb",
+    "lib/devise/controllers/helpers.rb",
+    "lib/devise/controllers/internal_helpers.rb",
+    "lib/devise/controllers/url_helpers.rb",
+    "lib/devise/encryptors/authlogic_sha512.rb",
+    "lib/devise/encryptors/base.rb",
+    "lib/devise/encryptors/bcrypt.rb",
+    "lib/devise/encryptors/clearance_sha1.rb",
+    "lib/devise/encryptors/restful_authentication_sha1.rb",
+    "lib/devise/encryptors/sha1.rb",
+    "lib/devise/encryptors/sha512.rb",
+    "lib/devise/failure_app.rb",
+    "lib/devise/hooks/activatable.rb",
+    "lib/devise/hooks/rememberable.rb",
+    "lib/devise/hooks/timeoutable.rb",
+    "lib/devise/hooks/trackable.rb",
+    "lib/devise/locales/en.yml",
+    "lib/devise/mapping.rb",
+    "lib/devise/models.rb",
+    "lib/devise/models/activatable.rb",
+    "lib/devise/models/confirmable.rb",
+    "lib/devise/models/database_authenticatable.rb",
+    "lib/devise/models/http_authenticatable.rb",
+    "lib/devise/models/lockable.rb",
+    "lib/devise/models/recoverable.rb",
+    "lib/devise/models/registerable.rb",
+    "lib/devise/models/rememberable.rb",
+    "lib/devise/models/timeoutable.rb",
+    "lib/devise/models/token_authenticatable.rb",
+    "lib/devise/models/trackable.rb",
+    "lib/devise/models/validatable.rb",
+    "lib/devise/orm/active_record.rb",
+    "lib/devise/orm/data_mapper.rb",
+    "lib/devise/orm/mongo_mapper.rb",
+    "lib/devise/rails.rb",
+    "lib/devise/rails/routes.rb",
+    "lib/devise/rails/warden_compat.rb",
+    "lib/devise/schema.rb",
+    "lib/devise/strategies/base.rb",
+    "lib/devise/strategies/database_authenticatable.rb",
+    "lib/devise/strategies/http_authenticatable.rb",
+    "lib/devise/strategies/rememberable.rb",
+    "lib/devise/strategies/token_authenticatable.rb",
+    "lib/devise/test_helpers.rb",
+    "lib/devise/version.rb",
+    "rails/init.rb"
   ]
   s.homepage = %q{http://github.com/plataformatec/devise}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.5.3}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
-     "test/controllers/internal_helpers_test.rb",
-     "test/controllers/url_helpers_test.rb",
-     "test/devise_test.rb",
-     "test/encryptors_test.rb",
-     "test/failure_app_test.rb",
-     "test/integration/authenticatable_test.rb",
-     "test/integration/confirmable_test.rb",
-     "test/integration/http_authenticatable_test.rb",
-     "test/integration/lockable_test.rb",
-     "test/integration/recoverable_test.rb",
-     "test/integration/registerable_test.rb",
-     "test/integration/rememberable_test.rb",
-     "test/integration/timeoutable_test.rb",
-     "test/integration/token_authenticatable_test.rb",
-     "test/integration/trackable_test.rb",
-     "test/mailers/confirmation_instructions_test.rb",
-     "test/mailers/reset_password_instructions_test.rb",
-     "test/mailers/unlock_instructions_test.rb",
-     "test/mapping_test.rb",
-     "test/models/authenticatable_test.rb",
-     "test/models/confirmable_test.rb",
-     "test/models/lockable_test.rb",
-     "test/models/recoverable_test.rb",
-     "test/models/rememberable_test.rb",
-     "test/models/timeoutable_test.rb",
-     "test/models/token_authenticatable_test.rb",
-     "test/models/trackable_test.rb",
-     "test/models/validatable_test.rb",
-     "test/models_test.rb",
-     "test/orm/active_record.rb",
-     "test/orm/mongo_mapper.rb",
-     "test/rails_app/app/active_record/admin.rb",
-     "test/rails_app/app/active_record/user.rb",
-     "test/rails_app/app/controllers/admins_controller.rb",
-     "test/rails_app/app/controllers/application_controller.rb",
-     "test/rails_app/app/controllers/home_controller.rb",
-     "test/rails_app/app/controllers/users_controller.rb",
-     "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongo_mapper/admin.rb",
-     "test/rails_app/app/mongo_mapper/user.rb",
-     "test/rails_app/config/boot.rb",
-     "test/rails_app/config/environment.rb",
-     "test/rails_app/config/environments/development.rb",
-     "test/rails_app/config/environments/production.rb",
-     "test/rails_app/config/environments/test.rb",
-     "test/rails_app/config/initializers/devise.rb",
-     "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/new_rails_defaults.rb",
-     "test/rails_app/config/initializers/session_store.rb",
-     "test/rails_app/config/routes.rb",
-     "test/routes_test.rb",
-     "test/support/assertions_helper.rb",
-     "test/support/integration_tests_helper.rb",
-     "test/support/test_silencer.rb",
-     "test/support/tests_helper.rb",
-     "test/test_helper.rb",
-     "test/test_helpers_test.rb"
+    "test/controllers/internal_helpers_test.rb",
+    "test/controllers/url_helpers_test.rb",
+    "test/devise_test.rb",
+    "test/encryptors_test.rb",
+    "test/failure_app_test.rb",
+    "test/integration/authenticatable_test.rb",
+    "test/integration/confirmable_test.rb",
+    "test/integration/http_authenticatable_test.rb",
+    "test/integration/lockable_test.rb",
+    "test/integration/rack_middleware_test.rb",
+    "test/integration/recoverable_test.rb",
+    "test/integration/registerable_test.rb",
+    "test/integration/rememberable_test.rb",
+    "test/integration/timeoutable_test.rb",
+    "test/integration/token_authenticatable_test.rb",
+    "test/integration/trackable_test.rb",
+    "test/mailers/confirmation_instructions_test.rb",
+    "test/mailers/reset_password_instructions_test.rb",
+    "test/mailers/unlock_instructions_test.rb",
+    "test/mapping_test.rb",
+    "test/models/authenticatable_test.rb",
+    "test/models/confirmable_test.rb",
+    "test/models/lockable_test.rb",
+    "test/models/recoverable_test.rb",
+    "test/models/rememberable_test.rb",
+    "test/models/timeoutable_test.rb",
+    "test/models/token_authenticatable_test.rb",
+    "test/models/trackable_test.rb",
+    "test/models/validatable_test.rb",
+    "test/models_test.rb",
+    "test/orm/active_record.rb",
+    "test/orm/mongo_mapper.rb",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/mongo_mapper/admin.rb",
+    "test/rails_app/app/mongo_mapper/user.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/new_rails_defaults.rb",
+    "test/rails_app/config/initializers/session_store.rb",
+    "test/rails_app/config/routes.rb",
+    "test/routes_test.rb",
+    "test/support/assertions_helper.rb",
+    "test/support/integration_tests_helper.rb",
+    "test/support/test_silencer.rb",
+    "test/support/tests_helper.rb",
+    "test/test_helper.rb",
+    "test/test_helpers_test.rb"
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<warden>, ["~> 0.9.0"])
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<warden>, ["~> 0.10.3"])
     else
-      s.add_dependency(%q<warden>, ["~> 0.9.0"])
+      s.add_dependency(%q<warden>, ["~> 0.10.3"])
     end
   else
-    s.add_dependency(%q<warden>, ["~> 0.9.0"])
+    s.add_dependency(%q<warden>, ["~> 0.10.3"])
   end
 end
 

generators/devise/templates/migration.rb

@@ -1,7 +1,7 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable

generators/devise/templates/model.rb

@@ -1,7 +1,7 @@
 class <%= class_name %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
-  # :http_authenticatable, :token_authenticatable, :lockable, :timeoutable and :activatable
-  devise :registerable, :authenticatable, :confirmable, :recoverable,
+  # :http_authenticatable, :token_authenticatable, :confirmable, :lockable, :timeoutable and :activatable
+  devise :registerable, :database_authenticatable, :recoverable,
          :rememberable, :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model

generators/devise_install/templates/README

@@ -1,4 +1,3 @@
-
 ===============================================================================
 
 Some setup you must do manually if you haven't yet:
@@ -15,4 +14,10 @@ Some setup you must do manually if you haven't yet:
 
        map.root :controller => 'home'
 
+ 3. Ensure you have a default layout in app/views/layouts and it shows
+     flash messages. For example:
+
+       <p class="notice"><%= flash[:notice] %></p>
+       <p class="alert"><%= flash[:alert] %></p>
+
 ===============================================================================

generators/devise_install/templates/devise.rb

@@ -3,6 +3,9 @@
 Devise.setup do |config|
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
+  
+  # Configure the content type of DeviseMailer mails (defaults to text/html")
+  # config.mailer_content_type = "text/plain"
 
   # ==> Configuration for :authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate

lib/devise.rb

@@ -1,5 +1,6 @@
 module Devise
   autoload :FailureApp, 'devise/failure_app'
+  autoload :Models, 'devise/models'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
@@ -28,7 +29,7 @@ module Devise
   ALL = []
 
   # Authentication ones first
-  ALL.push :authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
+  ALL.push :database_authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
 
   # Misc after
   ALL.push :recoverable, :registerable, :validatable
@@ -41,7 +42,7 @@ module Devise
 
   # Maps controller names to devise modules.
   CONTROLLERS = {
-    :sessions => [:authenticatable, :token_authenticatable],
+    :sessions => [:database_authenticatable, :token_authenticatable],
     :passwords => [:recoverable],
     :confirmations => [:confirmable],
     :registrations => [:registerable],
@@ -51,7 +52,7 @@ module Devise
   # Routes for generating url helpers.
   ROUTES = [:session, :password, :confirmation, :registration, :unlock]
 
-  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable]
+  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable]
 
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
@@ -71,6 +72,10 @@ module Devise
   # Email regex used to validate email formats. Adapted from authlogic.
   EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
 
+  # Custom domain for cookies. Not set by default
+  mattr_accessor :cookie_options
+  @@cookie_options = {}
+
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
@@ -146,6 +151,10 @@ module Devise
   mattr_accessor :mailer_sender
   @@mailer_sender = nil
 
+  # Content Type of Devise e-mails.
+  mattr_accessor :mailer_content_type
+  @@mailer_content_type = 'text/html'
+
   # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
@@ -178,7 +187,9 @@ module Devise
 
     # Configure default url options to be used within Devise and ActionController.
     def default_url_options(&block)
-      Devise::Mapping.metaclass.send :define_method, :default_url_options, &block
+      who = Devise::Mapping.respond_to?(:singleton_class) ?
+        Devise::Mapping.singleton_class : Devise::Mapping.metaclass
+      who.send :define_method, :default_url_options, &block
     end
 
     # A method used internally to setup warden manager from the Rails initialize
@@ -203,6 +214,17 @@ module Devise
       ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
     end
 
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false unless a.present? && b.present?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
     # Make Devise aware of an 3rd party Devise-module. For convenience.
     #
     # == Options:
@@ -213,6 +235,9 @@ module Devise
     #                   Default is +nil+ (i.e. +false+).
     #   +controller+  - Symbol representing a name of an exisiting or custom *controller* for this module.
     #                   Default is +nil+ (i.e. +false+).
+    #   +route+       - Symbol representing the name of a *route* related to this module which a set of
+    #                   route view helpers should be created for.
+    #                   Default is +nil+ (i.e. +false+).
     #
     # == Examples:
     #
@@ -221,7 +246,7 @@ module Devise
     #   Devise.add_module(:party_module, :model => 'party_module/model')
     #
     def add_module(module_name, options = {})
-      Devise::ALL.unshift module_name        unless Devise::ALL.include?(module_name)
+      Devise::ALL << module_name        unless Devise::ALL.include?(module_name)
       Devise::STRATEGIES.unshift module_name if options[:strategy] && !Devise::STRATEGIES.include?(module_name)
 
       if options[:controller]
@@ -230,6 +255,10 @@ module Devise
         Devise::CONTROLLERS[controller].unshift module_name unless Devise::CONTROLLERS[controller].include?(module_name)
       end
 
+      if options[:route]
+        Devise::ROUTES.unshift options[:route] unless Devise::ROUTES.include?(options[:route])
+      end
+
       if options[:model]
         Devise::Models.module_eval do
           autoload :"#{module_name.to_s.classify}", options[:model]

lib/devise/controllers/helpers.rb

@@ -5,8 +5,8 @@ module Devise
 
       def self.included(base)
         base.class_eval do
-          helper_method :warden, :signed_in?, :devise_controller?,
-                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?"] }.flatten
+          helper_method :warden, :signed_in?, :devise_controller?, :anybody_signed_in?,
+                        *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?", :"#{m}_session"] }.flatten
 
           # Use devise default_url_options. We have to declare it here to overwrite
           # default definitions.
@@ -48,6 +48,12 @@ module Devise
         warden.authenticate?(:scope => scope)
       end
 
+      # Check if the any scope is signed in session, without running
+      # authentication hooks.
+      def anybody_signed_in?
+        Devise.mappings.keys.any? { |scope| signed_in?(scope) }
+      end
+
       # Sign in an user that already was authenticated. This helper is useful for logging
       # users in after sign up.
       #
@@ -60,6 +66,7 @@ module Devise
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
         warden.set_user(resource, :scope => scope)
+        @_session = request.session # Recalculate session
       end
 
       # Sign out a given user or scope. This helper is useful for signing out an user
@@ -86,7 +93,8 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
+        key = "#{scope}.return_to"
+        session.delete(key) || session.delete(key.to_sym)
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -99,13 +107,13 @@ module Devise
       #
       #   map.user_root '/users', :controller => 'users' # creates user_root_path
       #
-      #   map.resources :users do |users|
-      #     users.root # creates user_root_path
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
       #   end
       #
       #
-      # If none of these are defined, root_path is used. However, if this default
-      # is not enough, you can customize it, for example:
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
       #
       #   def after_sign_in_path_for(resource)
       #     if resource.is_a?(User) && resource.can_publish?
@@ -117,7 +125,7 @@ module Devise
       #
       def after_sign_in_path_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = :"#{scope}_root_path"
+        home_path = "#{scope}_root_path"
         respond_to?(home_path, true) ? send(home_path) : root_path
       end
 
@@ -139,7 +147,11 @@ module Devise
       def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
-        sign_in(scope, resource) unless skip
+        if skip
+          @_session = request.session # Recalculate session
+        else
+          sign_in(scope, resource)
+        end
         redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
@@ -151,6 +163,20 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden.
+      def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
+        warden.raw_session.inspect
+        warden.logout
+      end
+
+      # Override Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to
@@ -167,7 +193,7 @@ module Devise
       #     user_signed_in?     # Checks whether there is an user signed in or not
       #     admin_signed_in?    # Checks whether there is an admin signed in or not
       #     current_user        # Current signed in user
-      #     current_admin       # Currend signed in admin
+      #     current_admin       # Current signed in admin
       #     user_session        # Session data available only to the user scope
       #     admin_session       # Session data available only to the admin scope
       #

lib/devise/controllers/internal_helpers.rb

@@ -14,7 +14,7 @@ module Devise
           hide_action   :resource, :scope_name, :resource_name, :resource_class, :devise_mapping, :devise_controller?
 
           skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
-          before_filter :is_devise_resource?
+          prepend_before_filter :is_devise_resource?
         end
       end
 

lib/devise/failure_app.rb

@@ -22,12 +22,8 @@ module Devise
       options = @env['warden.options']
       scope   = options[:scope]
 
-      redirect_path = if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
-      else
-        "/#{default_url}"
-      end
-      query_string = query_string_for(options)
+      redirect_path = redirect_path_for(scope)
+      query_string  = query_string_for(options)
       store_location!(scope)
 
       headers = {}
@@ -54,12 +50,23 @@ module Devise
       Rack::Utils.build_query(params)
     end
 
+    # Build the path based on current scope.
+    def redirect_path_for(scope)
+      if mapping = Devise.mappings[scope]
+        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+    end
+
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
     def store_location!(scope)
-      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
+      if request && request.get? && !request.xhr?
+        session[:"#{scope}.return_to"] = request.request_uri
+      end
     end
   end
 end

lib/devise/hooks/rememberable.rb

@@ -3,7 +3,7 @@
 # that specific user and adds a cookie with this user info to sign in this user
 # automatically without asking for credentials. Refer to rememberable strategy
 # for more info.
-Warden::Manager.after_authentication do |record, warden, options|
+Warden::Manager.prepend_after_authentication do |record, warden, options|
   scope = options[:scope]
   remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
 
@@ -11,20 +11,25 @@ Warden::Manager.after_authentication do |record, warden, options|
      warden.authenticated?(scope) && record.respond_to?(:remember_me!)
     record.remember_me!
 
-    warden.response.set_cookie "remember_#{scope}_token", {
+    cookie_options = {
       :value => record.class.serialize_into_cookie(record),
       :expires => record.remember_expires_at,
       :path => "/"
-    }
+    }.merge record.cookie_options
+
+    warden.response.set_cookie "remember_#{scope}_token", cookie_options
   end
 end
 
 # Before logout hook to forget the user in the given scope, only if rememberable
 # is activated for this scope. Also clear remember token to ensure the user
 # won't be remembered again.
-Warden::Manager.before_logout do |record, warden, scope|
+# Notice that we forget the user if the record is frozen. This usually means the
+# user was just deleted.
+Warden::Manager.before_logout do |record, warden, options|
+  scope = options[:scope]
   if record.respond_to?(:forget_me!)
-    record.forget_me!
-    warden.response.delete_cookie "remember_#{scope}_token"
+    record.forget_me! unless record.frozen?
+    warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
   end
-end
+end

lib/devise/locales/en.yml

@@ -21,7 +21,7 @@ en:
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
       link: 'Sign up'
-      signed_up: 'You have signed up successfully.'
+      signed_up: 'You have signed up successfully. If enabled, a confirmation was sent to your e-mail.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
     unlocks:

lib/devise/mapping.rb

@@ -22,7 +22,7 @@ module Devise
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix, :route_options
+    attr_reader :name, :as, :path_names, :path_prefix, :route_options, :sign_out_via
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
@@ -34,26 +34,19 @@ module Devise
       nil
     end
 
-    # Find a mapping by a given class. It takes into account single table inheritance as well.
-    def self.find_by_class(klass)
-      Devise.mappings.each_value do |mapping|
-        return mapping if klass <= mapping.to
-      end
-      nil
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
       case duck
       when String, Symbol
-        duck
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
       else
-        klass = duck.is_a?(Class) ? duck : duck.class
-        mapping = Devise::Mapping.find_by_class(klass)
-        raise "Could not find a valid mapping for #{duck}" unless mapping
-        mapping.name
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
       end
+
+      raise "Could not find a valid mapping for #{duck}"
     end
 
     # Default url options which can be used as prefix.
@@ -71,6 +64,8 @@ module Devise
 
       @path_names = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(options.delete(:path_names) || {})
+
+      @sign_out_via = (options.delete(:sign_out_via) || :get)
     end
 
     # Return modules for the mapping.
@@ -103,13 +98,17 @@ module Devise
 
     # Returns the parsed path taking into account the relative url root and raw path.
     def parsed_path
-      returning (ActionController::Base.relative_url_root.to_s + raw_path) do |path|
+      (ActionController::Base.relative_url_root.to_s + raw_path).tap do |path|
         self.class.default_url_options.each do |key, value|
           path.gsub!(key.inspect, value.to_param)
         end
       end
     end
 
+    def authenticatable?
+      @authenticatable ||= self.for.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

lib/devise/models.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable'
+    autoload :DatabaseAuthenticatable, 'devise/models/database_authenticatable'
     autoload :Confirmable, 'devise/models/confirmable'
     autoload :Lockable, 'devise/models/lockable'
     autoload :Recoverable, 'devise/models/recoverable'
@@ -57,7 +57,12 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-      options  = modules.extract_options!
+      options = modules.extract_options!
+
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
 
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 

lib/devise/models/confirmable.rb

@@ -57,18 +57,13 @@ module Devise
 
       # Send confirmation instructions by email
       def send_confirmation_instructions
+        generate_confirmation_token! if self.confirmation_token.nil?
         ::DeviseMailer.deliver_confirmation_instructions(self)
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
-      def resend_confirmation!
-        unless_confirmed do
-          generate_confirmation_token
-          save(false)
-          send_confirmation_instructions
-        end
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -76,16 +71,12 @@ module Devise
       # is already confirmed, it should never be blocked. Otherwise we need to
       # calculate if the confirm time has not expired for this user.
       def active?
-        super && (confirmed? || confirmation_period_valid?)
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
       end
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        if !confirmed?
-          :unconfirmed
-        else
-          super
-        end
+        !confirmed? ? :unconfirmed : super
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -144,6 +135,10 @@ module Devise
           self.confirmation_sent_at = Time.now.utc
         end
 
+        def generate_confirmation_token!
+          generate_confirmation_token && save(false)
+        end
+
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # confirmation instructions to it. If not user is found, returns a new user
@@ -151,7 +146,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable.resend_confirmation_token unless confirmable.new_record?
           confirmable
         end
 
@@ -159,8 +154,8 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm!(attributes={})
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
           confirmable.confirm! unless confirmable.new_record?
           confirmable
         end

lib/devise/models/database_authenticatable.rb

@@ -1,4 +1,4 @@
-require 'devise/strategies/authenticatable'
+require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
@@ -26,7 +26,7 @@ module Devise
     #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
-    module Authenticatable
+    module DatabaseAuthenticatable
       def self.included(base)
         base.class_eval do
           extend ClassMethods
@@ -55,13 +55,7 @@ module Devise
 
       # Verifies whether an incoming_password (ie from sign in) is the user password.
       def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
-      end
-
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token == self.authentication_token
+        Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
       end
 
       # Checks if a resource is valid upon authentication.
@@ -78,16 +72,13 @@ module Devise
       # error on :current_password. It also automatically rejects :password and
       # :password_confirmation if they are blank.
       def update_with_password(params={})
-        # TODO Remove me in next release
-        if params[:old_password].present?
-          params[:current_password] ||= params[:old_password]
-          ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
-        end
-
-        params.delete(:password) if params[:password].blank?
-        params.delete(:password_confirmation) if params[:password_confirmation].blank?
         current_password = params.delete(:current_password)
 
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        end
+
         result = if valid_password?(current_password)
           update_attributes(params)
         else
@@ -103,6 +94,13 @@ module Devise
 
       protected
 
+        # Checks whether a password is needed or not. For validations only.
+        # Passwords are always required if it's a new record, or if the password
+        # or confirmation are being set somewhere.
+        def password_required?
+          new_record? || !password.nil? || !password_confirmation.nil?
+        end
+
         # Digests the password using the configured encryptor.
         def password_digest(password)
           self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)

lib/devise/models/http_authenticatable.rb

@@ -3,14 +3,16 @@ require 'devise/strategies/http_authenticatable'
 module Devise
   module Models
     # Adds HttpAuthenticatable behavior to your model. It expects that your
-    # model class responds to authenticate and authentication_keys methods
-    # (which for example are defined in authenticatable).
+    # model class responds to authenticate method
+    # (which for example is defined in authenticatable).
     module HttpAuthenticatable
       def self.included(base)
         base.extend ClassMethods
       end
 
       module ClassMethods
+        Devise::Models.config(self, :authentication_keys)
+
         # Authenticate an user using http.
         def authenticate_with_http(username, password)
           authenticate(authentication_keys.first => username, :password => password)

lib/devise/models/lockable.rb

@@ -27,23 +27,21 @@ module Devise
       end
 
       # Lock an user setting it's locked_at to actual time.
-      def lock
+      def lock_access!
+        return true if access_locked?
         self.locked_at = Time.now
-        if unlock_strategy_enabled?(:email)
+
+        if self.class.unlock_strategy_enabled?(:email)
           generate_unlock_token
           send_unlock_instructions
         end
-      end
 
-      # Lock an user also saving the record.
-      def lock!
-        lock
         save(false)
       end
 
       # Unlock an user by cleaning locket_at and failed_attempts.
-      def unlock!
-        if_locked do
+      def unlock_access!
+        if_access_locked do
           self.locked_at = nil
           self.failed_attempts = 0
           self.unlock_token = nil
@@ -52,7 +50,7 @@ module Devise
       end
 
       # Verifies whether a user is locked or not.
-      def locked?
+      def access_locked?
         locked_at && !lock_expired?
       end
 
@@ -62,28 +60,20 @@ module Devise
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock!
-        if_locked do
-          generate_unlock_token unless unlock_token.present?
-          save(false)
-          send_unlock_instructions
-        end
+      def resend_unlock_token
+        if_access_locked { send_unlock_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
       # by verifying whether an user is active to sign in or not based on locked?
       def active?
-        super && !locked?
+        super && !access_locked?
       end
 
       # Overwrites invalid_message from Devise::Models::Authenticatable to define
       # the correct reason for blocking the sign in.
       def inactive_message
-        if locked?
-          :locked
-        else
-          super
-        end
+        access_locked? ? :locked : super
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
@@ -94,7 +84,7 @@ module Devise
           self.failed_attempts = 0
         else
           self.failed_attempts += 1
-          lock if failed_attempts > self.class.maximum_attempts
+          lock_access! if failed_attempts > self.class.maximum_attempts
         end
         save(false) if changed?
         result
@@ -109,7 +99,7 @@ module Devise
 
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
-          if unlock_strategy_enabled?(:time)
+          if self.class.unlock_strategy_enabled?(:time)
             locked_at && locked_at < self.class.unlock_in.ago
           else
             false
@@ -118,8 +108,8 @@ module Devise
 
         # Checks whether the record is locked or not, yielding to the block
         # if it's locked, otherwise adds an error to email.
-        def if_locked
-          if locked?
+        def if_access_locked
+          if access_locked?
             yield
           else
             self.class.add_error_on(self, :email, :not_locked)
@@ -127,11 +117,6 @@ module Devise
           end
         end
 
-        # Is the unlock enabled for the given unlock strategy?
-        def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.class.unlock_strategy)
-        end
-
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
@@ -139,7 +124,7 @@ module Devise
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
          lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-         lockable.resend_unlock! unless lockable.new_record?
+         lockable.resend_unlock_token unless lockable.new_record?
          lockable
         end
 
@@ -147,12 +132,17 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
-        def unlock!(attributes={})
-          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
-          lockable.unlock! unless lockable.new_record?
+        def unlock_access_by_token(unlock_token)
+          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          lockable.unlock_access! unless lockable.new_record?
           lockable
         end
 
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
         Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
       end
     end

lib/devise/models/recoverable.rb

@@ -69,7 +69,7 @@ module Devise
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password!(attributes={})
+        def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
           recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) unless recoverable.new_record?
           recoverable

lib/devise/models/rememberable.rb

@@ -19,6 +19,9 @@ module Devise
     #                 time for the cookie created to remember the user.
     #                 By default remember_for is 2.weeks.
     #
+    #   cookie_options: configuration options passed to the created cookie.
+    #
+    #
     # Examples:
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -72,6 +75,10 @@ module Devise
         remember_created_at + self.class.remember_for
       end
 
+      def cookie_options
+        self.class.cookie_options
+      end
+
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
@@ -85,7 +92,7 @@ module Devise
           record if record.try(:valid_remember_token?, record_token)
         end
 
-        Devise::Models.config(self, :remember_for)
+        Devise::Models.config(self, :remember_for, :cookie_options)
       end
     end
   end

lib/devise/models/validatable.rb

@@ -15,7 +15,7 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email
-          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
           validates_format_of     :email, :with  => EMAIL_REGEX, :allow_blank => true
 
           with_options :if => :password_required? do |v|
@@ -34,15 +34,6 @@ module Devise
                 "to the following methods: #{unavailable_validations.to_sentence}."
         end
       end
-
-      protected
-
-        # Checks whether a password is needed or not. For validations only.
-        # Passwords are always required if it's a new record, or if the password
-        # or confirmation are being set somewhere.
-        def password_required?
-          new_record? || !password.nil? || !password_confirmation.nil?
-        end
     end
   end
 end

lib/devise/orm/mongo_mapper.rb

@@ -22,14 +22,11 @@ module Devise
       end
       
       def find(*args)
-        options = args.extract_options!
         case args.first
-          when :first
-            first(options)
-          when :all
-            all(options)
-          else
-            super
+        when :first, :all
+          send(args.shift, *args)
+        else
+          super
         end
       end
       
@@ -46,5 +43,10 @@ module Devise
   end
 end
 
-MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
-MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+if MongoMapper::Version >= "0.8.0"
+  MongoMapper::Plugins::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::Plugins::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+else
+  MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
+  MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)
+end

lib/devise/rails/routes.rb

@@ -66,6 +66,12 @@ module ActionController::Routing
       #
       #    map.devise_for :users, :path_prefix => "/:locale"
       #
+      #  * :sign_out_via => restirct the HTTP method(s) accepted for the :sign_out action (default: :get), possible values are :post, :get, :put, :delete and :any, e.g. if you wish to restrict this to accept only :delete requests you should do:
+      #
+      #    map.devise_for :users, :sign_out_via => :delete
+      #
+      #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
+      #
       #  Any other options will be passed to route definition. If you need conditions for your routes, just map:
       #
       #    map.devise_for :users, :conditions => { :subdomain => /.+/ }
@@ -97,11 +103,13 @@ module ActionController::Routing
 
       protected
 
-        def authenticatable(routes, mapping)
+        def database_authenticatable(routes, mapping)
           routes.with_options(:controller => 'sessions', :name_prefix => nil) do |session|
             session.send(:"new_#{mapping.name}_session",     mapping.path_names[:sign_in],  :action => 'new',     :conditions => { :method => :get })
             session.send(:"#{mapping.name}_session",         mapping.path_names[:sign_in],  :action => 'create',  :conditions => { :method => :post })
-            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], :action => 'destroy', :conditions => { :method => :get })
+            destroy_options = { :action => 'destroy' }
+            destroy_options.merge! :conditions => { :method => mapping.sign_out_via } unless mapping.sign_out_via == :any
+            session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], destroy_options)
           end
         end
 

lib/devise/rails/warden_compat.rb

@@ -22,4 +22,42 @@ class Warden::SessionSerializer
     klass, id = keys
     klass.find(:first, :conditions => { :id => id })
   end
-end
+end
+
+class ActionController::Request
+  def reset_session
+    session.destroy if session && session.respond_to?(:destroy)
+    self.session = {}
+  end
+end
+
+# Solve a bug in Rails where Set-Cookie is returning an array.
+class Devise::CookieSanitizer
+  SET_COOKIE = "Set-Cookie".freeze
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    response = @app.call(env)
+    headers = response[1]
+    cookies = headers[SET_COOKIE]
+    if cookies.respond_to?(:join)
+      headers[SET_COOKIE] = cookies.join("\n").squeeze("\n")
+    end
+    response
+  end
+end
+
+Rails.configuration.middleware.insert_after ActionController::Failsafe, Devise::CookieSanitizer
+
+Warden::Manager.after_set_user :event => [:set_user, :authentication] do |record, warden, options|
+  if options[:scope] && warden.authenticated?(options[:scope])
+    request = warden.request
+    backup = request.session.to_hash
+    backup.delete(:session_id)
+    request.reset_session
+    request.session.update(backup)
+  end
+end

lib/devise/schema.rb

@@ -3,47 +3,55 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
+    def authenticatable(*args)
+      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
+      database_authenticatable(*args)
+    end
+
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :encryptor - The encryptor going to be used, necessary for setting the proper encrypter password length.
-    def authenticatable(options={})
-      null       = options[:null] || false
-      encryptor  = options[:encryptor] || (respond_to?(:encryptor) ? self.encryptor : :sha1)
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options[:default] || ""
 
-      apply_schema :email,              String, :null => null
-      apply_schema :encrypted_password, String, :null => null, :limit => Devise::ENCRYPTORS_LENGTH[encryptor]
-      apply_schema :password_salt,      String, :null => null
+      if options.delete(:encryptor)
+        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
+      end
+
+      apply_schema :email,              String, :null => null, :default => default
+      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
+      apply_schema :password_salt,      String, :null => null, :default => default
     end
 
     # Creates authentication_token.
     def token_authenticatable
-      apply_schema :authentication_token, String, :limit => 20
+      apply_schema :authentication_token, String
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
     def confirmable
-      apply_schema :confirmation_token,   String, :limit => 20
+      apply_schema :confirmation_token,   String
       apply_schema :confirmed_at,         DateTime
       apply_schema :confirmation_sent_at, DateTime
     end
 
     # Creates reset_password_token.
     def recoverable
-      apply_schema :reset_password_token, String, :limit => 20
+      apply_schema :reset_password_token, String
     end
 
     # Creates remember_token and remember_created_at.
     def rememberable
-      apply_schema :remember_token,      String, :limit => 20
+      apply_schema :remember_token,      String
       apply_schema :remember_created_at, DateTime
     end
 
     # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
     # current_sign_in_ip, last_sign_in_ip.
     def trackable
-      apply_schema :sign_in_count,      Integer
+      apply_schema :sign_in_count,      Integer, :default => 0
       apply_schema :current_sign_in_at, DateTime
       apply_schema :last_sign_in_at,    DateTime
       apply_schema :current_sign_in_ip, String
@@ -53,7 +61,7 @@ module Devise
     # Creates failed_attempts, unlock_token and locked_at
     def lockable
       apply_schema :failed_attempts, Integer, :default => 0
-      apply_schema :unlock_token,    String, :limit => 20
+      apply_schema :unlock_token,    String
       apply_schema :locked_at,       DateTime
     end
 

lib/devise/strategies/database_authenticatable.rb

@@ -4,7 +4,7 @@ module Devise
   module Strategies
     # Default strategy for signing in a user, based on his email and password.
     # Redirects to sign_in page if it's not authenticated
-    class Authenticatable < Base
+    class DatabaseAuthenticatable < Base
       def valid?
         valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate)
       end
@@ -16,14 +16,14 @@ module Devise
         if resource = mapping.to.authenticate(params[scope])
           success!(resource)
         else
-          fail!(:invalid)
+          fail(:invalid)
         end
       end
 
       protected
 
         def valid_controller?
-          params[:controller] == 'sessions'
+          params[:controller] =~ /sessions$/
         end
 
         def valid_params?
@@ -33,4 +33,4 @@ module Devise
   end
 end
 
-Warden::Strategies.add(:authenticatable, Devise::Strategies::Authenticatable)
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

lib/devise/strategies/http_authenticatable.rb

@@ -14,7 +14,7 @@ module Devise
         if resource = mapping.to.authenticate_with_http(username, password)
           success!(resource)
         else
-          custom!([401, custom_headers, ["HTTP Basic: Access denied.\n"]])
+          custom!([401, custom_headers, [response_body]])
         end
       end
 
@@ -24,6 +24,12 @@ module Devise
         decode_credentials(request).split(/:/, 2)
       end
 
+      def response_body
+        body   = "HTTP Basic: Access denied."
+        method = :"to_#{request_format.to_sym}"
+        {}.respond_to?(method) ? { :error => body }.send(method) : body
+      end
+
       def http_authentication
         request.env['HTTP_AUTHORIZATION']   ||
         request.env['X-HTTP_AUTHORIZATION'] ||
@@ -38,10 +44,14 @@ module Devise
 
       def custom_headers
         {
-          "Content-Type" => "text/plain",
+          "Content-Type" => request_format.to_s,
           "WWW-Authenticate" => %(Basic realm="#{Devise.http_authentication_realm.gsub(/"/, "")}")
         }
       end
+
+      def request_format
+        @request_format ||= Mime::Type.lookup_by_extension(request.template_format.to_s)
+      end
     end
   end
 end

lib/devise/test_helpers.rb

@@ -24,6 +24,10 @@ module Devise
         catch_with_redirect { super }
       end
 
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
       def catch_with_redirect(&block)
         result = catch(:warden, &block)
 

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.0.1".freeze
+  VERSION = "1.0.11".freeze
 end

test/controllers/helpers_test.rb

@@ -36,6 +36,13 @@ class ControllerAuthenticableTest < ActionController::TestCase
     @controller.signed_in?(:my_scope)
   end
 
+  test 'proxy anybody_signed_in? to signed_in?' do
+    Devise.mappings.keys.each { |scope| # :user, :admin, :manager
+      @controller.expects(:signed_in?).with(scope)
+    }
+    @controller.anybody_signed_in?
+  end
+
   test 'proxy current_admin to authenticate with admin scope' do
     @mock_warden.expects(:authenticate).with(:scope => :admin)
     @controller.current_admin

test/devise_test.rb

@@ -25,7 +25,7 @@ class DeviseTest < ActiveSupport::TestCase
     Devise.configure_warden(config)
 
     assert_equal Devise::FailureApp, config.failure_app
-    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable], config.default_strategies
+    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable], config.default_strategies
     assert_equal :user, config.default_scope
     assert config.silence_missing_strategies?
   end
@@ -63,6 +63,11 @@ class DeviseTest < ActiveSupport::TestCase
     Devise::ALL.delete(:kivi)
     Devise::CONTROLLERS.delete(:fruits)
 
+    assert_nothing_raised(Exception) { Devise.add_module(:carrot, :route => :vegetable) }
+    assert_equal 1, Devise::ROUTES.select { |v| v == :vegetable }.size
+    Devise::ALL.delete(:carrot)
+    Devise::ROUTES.delete(:vegetable)
+
     assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
     assert defined?(Devise::Models::AuthenticatableAgain)
   end

test/integration/authenticatable_test.rb

@@ -190,6 +190,14 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_nil session[:"user.return_to"]
   end
 
+  test 'xml http requests does not store urls for redirect' do
+    xhr :get, users_path
+    assert_nil session[:"user.return_to"]
+
+    sign_in_as_user
+    assert_template 'home/index'
+  end
+
   test 'redirect to configured home path for a given scope after sign in' do
     sign_in_as_admin
     assert_equal "/admin_area/home", @request.path
@@ -210,6 +218,17 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
+  test 'session id is changed on sign in' do
+    get '/users'
+    session_id = request.session[:session_id]
+
+    get '/users'
+    assert_equal session_id, request.session[:session_id]
+
+    sign_in_as_user
+    assert_not_equal session_id, request.session[:session_id]
+  end
+
   test 'renders the scoped view if turned on and view is available' do
     swap Devise, :scoped_views => true do
       assert_raise Webrat::NotFoundError do
@@ -269,3 +288,53 @@ class AuthenticationTest < ActionController::IntegrationTest
     end
   end
 end
+
+class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+  def sign_in!(scope)
+    visit send("new_#{scope}_session_path")
+    sign_in_as_user(:visit => false)
+    assert warden.authenticated?(scope)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    delete destroy_sign_out_via_delete_session_path
+    assert_not warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only delete' do
+    sign_in!(:sign_out_via_delete)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_delete)
+  end
+
+  test 'allow sign out via post when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    post destroy_sign_out_via_post_session_path
+    assert_not warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'do not allow sign out via get when sign_out_via provides only post' do
+    sign_in!(:sign_out_via_post)
+    get destroy_sign_out_via_delete_session_path
+    assert warden.authenticated?(:sign_out_via_post)
+  end
+
+  test 'allow sign out via delete when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    delete destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via post when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    post destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+
+  test 'allow sign out via get when sign_out_via provides any method' do
+    sign_in!(:sign_out_via_anymethod)
+    get destroy_sign_out_via_anymethod_session_path
+    assert_not warden.authenticated?(:sign_out_via_anymethod)
+  end
+end

test/integration/http_authenticatable_test.rb

@@ -16,6 +16,14 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     assert_equal 'Basic realm="Application"', headers["WWW-Authenticate"]
   end
 
+  test 'uses the request format as response content type' do
+    sign_in_as_new_user_with_http("unknown", "123456", :xml)
+    assert_equal 401, status
+    assert_equal "application/xml", headers["Content-Type"]
+    # Cannot assert this due to a bug between integration tests and rack on 2.3
+    # assert response.body.include?("<error>HTTP Basic: Access denied.</error>")
+  end
+
   test 'returns a custom response with www-authenticate and chosen realm' do
     swap Devise, :http_authentication_realm => "MyApp" do
       sign_in_as_new_user_with_http("unknown")
@@ -36,9 +44,9 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
 
   private
 
-    def sign_in_as_new_user_with_http(username="user@test.com", password="123456")
+    def sign_in_as_new_user_with_http(username="user@test.com", password="123456", format=:html)
       user = create_user
-      get users_path, {}, :authorization => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
+      get users_path(:format => format), {}, :authorization => "Basic #{ActiveSupport::Base64.encode64("#{username}:#{password}")}"
       user
     end
 end

test/integration/lockable_test.rb

@@ -36,6 +36,16 @@ class LockTest < ActionController::IntegrationTest
     assert_equal 0, ActionMailer::Base.deliveries.size
   end
 
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit new_user_unlock_path
+    assert_response :success
+
+    swap Devise, :unlock_strategy => :time do
+      visit new_user_unlock_path
+      assert_response :not_found
+    end
+  end
+
   test 'user with invalid unlock token should not be able to unlock an account' do
     visit_user_unlock_with_token('invalid_token')
 
@@ -47,20 +57,19 @@ class LockTest < ActionController::IntegrationTest
 
   test "locked user should be able to unlock account" do
     user = create_user(:locked => true)
-    assert user.locked?
+    assert user.access_locked?
 
     visit_user_unlock_with_token(user.unlock_token)
 
     assert_template 'home/index'
     assert_contain 'Your account was successfully unlocked.'
 
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test "sign in user automatically after unlocking it's account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
-
     assert warden.authenticated?(:user)
   end
 
@@ -71,6 +80,16 @@ class LockTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(:locked => true)
+    user.update_attribute(:failed_attempts, User.maximum_attempts + 1)
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(:password => "invalid")
+    assert_contain 'Invalid email or password.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
       :sessions => { :admin => { :locked => "You are locked!" } }

test/integration/rack_middleware_test.rb

@@ -0,0 +1,47 @@
+require "test/test_helper"
+require "rack/test"
+
+class RackMiddlewareTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app
+    ActionController::Dispatcher.new
+  end
+
+  def warden
+    last_request.env['warden']
+  end
+
+  def with_custom_strategy
+    get '/'
+
+    Warden::Strategies.add(:custom_test) do
+      def valid?
+        true
+      end
+
+      def authenticate!
+        custom! [599, {
+            "X-Custom-Response" => "Custom response test",
+            "Content-type" => "text/plain"
+          }, "Custom response test"]
+      end
+    end
+
+    #ActionController::Dispatcher.middleware.use CustomStrategyInterceptor
+    default_strategies = warden.manager.config.default_strategies
+    warden.manager.config.default_strategies :custom_test
+    yield
+    warden.manager.config.default_strategies default_strategies
+  end
+
+  def test_custom_strategy_response
+    with_custom_strategy do
+      post('/users/sign_in')
+
+      assert_equal 599, last_response.status
+      assert_equal "Custom response test", last_response.body
+      assert_equal "Custom response test", last_response.headers["X-Custom-Response"]
+    end
+  end
+end

test/integration/registerable_test.rb

@@ -28,8 +28,7 @@ class RegistrationTest < ActionController::IntegrationTest
     fill_in 'password confirmation', :with => 'new_user123'
     click_button 'Sign up'
 
-    assert_equal true, @controller.send(:flash)[:"user_signed_up"]
-    assert_equal "You have signed up successfully.", @controller.send(:flash)[:notice]
+    assert_equal "You have signed up successfully. If enabled, a confirmation was sent to your e-mail.", @controller.send(:flash)[:notice]
 
     # For some reason flash is not being set correctly, so instead of getting the
     # "signed_up" message we get the unconfirmed one. Seems to be an issue with
@@ -38,6 +37,8 @@ class RegistrationTest < ActionController::IntegrationTest
     # assert_contain 'You have signed up successfully.'
     # assert_not_contain 'confirm your account'
 
+    follow_redirect!
+    assert_contain 'Sign in'
     assert_not warden.authenticated?(:user)
 
     user = User.last
@@ -118,6 +119,19 @@ class RegistrationTest < ActionController::IntegrationTest
     assert User.first.valid_password?('pas123')
   end
 
+  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+    sign_in_as_user
+    get edit_user_registration_path
+  
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => ''
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+  
+    assert_contain "Password doesn't match confirmation"
+    assert_not User.first.valid_password?('pas123')
+  end
+
   test 'a signed in user should be able to cancel his account' do
     sign_in_as_user
     visit edit_user_registration_path

test/integration/rememberable_test.rb

@@ -20,6 +20,13 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_not_nil user.reload.remember_token
   end
 
+  test 'cookie_options should be applied to cookies' do
+    swap Devise, :cookie_options => { :value => 'dont-do-that' } do
+      user = sign_in_as_user :remember_me => true
+      assert_equal 'dont-do-that', cookies['remember_user_token']
+    end
+  end
+
   test 'remember the user before sign in' do
     user = create_user_and_remember
     get users_path
@@ -28,6 +35,14 @@ class RememberMeTest < ActionController::IntegrationTest
     assert warden.user(:user) == user
   end
 
+  test 'does not remember other scopes' do
+    user = create_user_and_remember
+    get root_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+
   test 'do not remember with invalid token' do
     user = create_user_and_remember('add')
     get users_path
@@ -59,5 +74,16 @@ class RememberMeTest < ActionController::IntegrationTest
     get destroy_user_session_path
     get users_path
     assert_not warden.authenticated?(:user)
+    assert_equal cookies['remember_user_token'], ''
+  end
+
+  test 'cookies are destroyed on unverified requests' do
+    swap HomeController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
   end
 end

test/integration/trackable_test.rb

@@ -39,7 +39,7 @@ class TrackableHooksTest < ActionController::IntegrationTest
 
   test "increase sign in count" do
     user = create_user
-    assert_nil user.sign_in_count
+    assert_equal 0, user.sign_in_count
 
     sign_in_as_user
     user.reload

test/mailers/confirmation_instructions_test.rb

@@ -63,6 +63,12 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     end
   end
 
+  test 'content type should be set to plain when manually configured' do
+    swap Devise, :mailer_content_type => "text/plain" do
+      assert_equal "text/plain", mail.content_type
+    end
+  end
+
   test 'renders a scoped if scoped_views is set in the mailer class' do
     begin
       DeviseMailer.scoped_views = true

test/mailers/unlock_instructions_test.rb

@@ -10,7 +10,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   def user
     @user ||= begin
       user = create_user
-      user.lock!
+      user.lock_access!
       user
     end
   end

test/mapping_test.rb

@@ -39,22 +39,17 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal Devise.mappings[:admin], Devise::Mapping.find_by_path("/admin_area/session")
   end
 
-  test 'find mapping by class' do
-    assert_nil Devise::Mapping.find_by_class(String)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(User)
-  end
-
-  test 'find mapping by class works with single table inheritance' do
-    klass = Class.new(User)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(klass)
-  end
-
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
+  test 'find scope works with single table inheritance' do
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User))
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)
@@ -137,6 +132,16 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal({ :requirements => { :extra => 'value' } }, Devise.mappings[:manager].route_options)
   end
 
+  test 'sign_out_via defaults to :get' do
+    assert_equal :get, Devise.mappings[:user].sign_out_via
+  end
+
+  test 'allows custom sign_out_via to be given' do
+    assert_equal :delete, Devise.mappings[:sign_out_via_delete].sign_out_via
+    assert_equal :post,   Devise.mappings[:sign_out_via_post].sign_out_via
+    assert_equal :any,    Devise.mappings[:sign_out_via_anymethod].sign_out_via
+  end
+
   test 'magic predicates' do
     mapping = Devise.mappings[:user]
     assert mapping.authenticatable?

test/models/confirmable_test.rb

@@ -11,15 +11,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil create_user.confirmation_token
   end
 
-  test 'should regenerate confirmation token each time' do
-    user = create_user
-    3.times do
-      token = user.confirmation_token
-      user.resend_confirmation!
-      assert_not_equal token, user.confirmation_token
-    end
-  end
-
   test 'should never generate the same confirmation token for different users' do
     confirmation_tokens = []
     3.times do
@@ -62,19 +53,19 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should find and confirm an user automatically' do
     user = create_user
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert_equal confirmed_user, user
     assert user.reload.confirmed?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => 'invalid_confirmation_token')
+    confirmed_user = User.confirm_by_token('invalid_confirmation_token')
     assert confirmed_user.new_record?
     assert_match /invalid/, confirmed_user.errors[:confirmation_token]
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => '')
+    confirmed_user = User.confirm_by_token('')
     assert confirmed_user.new_record?
     assert_match /blank/, confirmed_user.errors[:confirmation_token]
   end
@@ -83,7 +74,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user = create_user
     user.confirmed_at = Time.now
     user.save
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert confirmed_user.confirmed?
     assert confirmed_user.errors[:email]
   end
@@ -137,19 +128,20 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal 'not found', confirmation_user.errors[:email]
   end
 
-  test 'should generate a confirmation token before send the confirmation instructions email' do
-    user = create_user
-    token = user.confirmation_token
-    confirmation_user = User.send_confirmation_instructions(:email => user.email)
-    assert_not_equal token, user.reload.confirmation_token
-  end
-
   test 'should send email instructions for the user confirm it\'s email' do
     user = create_user
     assert_email_sent do
       User.send_confirmation_instructions(:email => user.email)
     end
   end
+  
+  test 'should always have confirmation token when email is sent' do
+    user = new_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.save
+    user.send_confirmation_instructions
+    assert_not_nil user.reload.confirmation_token
+  end
 
   test 'should not resend email instructions if the user change his email' do
     user = create_user
@@ -173,7 +165,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
     user.confirm!
-    assert_not user.resend_confirmation!
+    assert_not user.resend_confirmation_token
     assert user.confirmed?
     assert_equal 'already confirmed', user.errors[:email]
   end
@@ -216,7 +208,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     Devise.confirm_within = 0.days
     user = create_user
     user.confirmation_sent_at = Date.today
-    assert_not user.active?
+    assert_not user.reload.active?
   end
 
   test 'should not be active without confirmation' do
@@ -225,4 +217,12 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.save
     assert_not user.reload.active?
   end
+  
+  test 'should be active without confirmation when confirmation is not required' do
+    user = create_user
+    user.instance_eval { def confirmation_required?; false end }
+    user.confirmation_sent_at = nil
+    user.save
+    assert user.reload.active?
+  end
 end

test/models/lockable_test.rb

@@ -17,14 +17,14 @@ class LockableTest < ActiveSupport::TestCase
     user = create_user
     attempts = Devise.maximum_attempts + 1
     attempts.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-    assert user.reload.locked?
+    assert user.reload.access_locked?
   end
 
   test "should respect maximum attempts configuration" do
     user = create_user
     swap Devise, :maximum_attempts => 2 do
       3.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-      assert user.reload.locked?
+      assert user.reload.access_locked?
     end
   end
 
@@ -36,40 +36,50 @@ class LockableTest < ActiveSupport::TestCase
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test "should verify wheter a user is locked or not" do
+  test "should verify whether a user is locked or not" do
     user = create_user
-    assert_not user.locked?
-    user.lock!
-    assert user.locked?
+    assert_not user.access_locked?
+    user.lock_access!
+    assert user.access_locked?
   end
 
   test "active? should be the opposite of locked?" do
     user = create_user
     user.confirm!
     assert user.active?
-    user.lock!
+    user.lock_access!
     assert_not user.active?
   end
 
   test "should unlock an user by cleaning locked_at, falied_attempts and unlock_token" do
     user = create_user
-    user.lock!
+    user.lock_access!
     assert_not_nil user.reload.locked_at
     assert_not_nil user.reload.unlock_token
-    user.unlock!
+
+    user.unlock_access!
     assert_nil user.reload.locked_at
     assert_nil user.reload.unlock_token
     assert 0, user.reload.failed_attempts
   end
 
+  test "should not lock a locked account" do
+    user = create_user
+    user.lock_access!
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      user.lock_access!
+    end
+  end
+
   test 'should not unlock an unlocked user' do
     user = create_user
-    assert_not user.unlock!
+
+    assert_not user.unlock_access!
     assert_match /not locked/, user.errors[:email]
   end
 
   test "new user should not be locked and should have zero failed_attempts" do
-    assert_not new_user.locked?
+    assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
   end
 
@@ -77,10 +87,10 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_in => 3.hours do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
 
       Devise.unlock_in = 1.hour
-      assert_not user.locked?
+      assert_not user.access_locked?
     end
   end
 
@@ -88,32 +98,22 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
     end
   end
 
   test "should set unlock_token when locking" do
     user = create_user
     assert_nil user.unlock_token
-    user.lock!
+    user.lock_access!
     assert_not_nil user.unlock_token
   end
 
-  test 'should not regenerate unlock token if it already exists' do
-    user = create_user
-    user.lock!
-    3.times do
-      token = user.unlock_token
-      user.resend_unlock!
-      assert_equal token, user.unlock_token
-    end
-  end
-
   test "should never generate the same unlock token for different users" do
     unlock_tokens = []
     3.times do
       user = create_user
-      user.lock!
+      user.lock_access!
       token = user.unlock_token
       assert !unlock_tokens.include?(token)
       unlock_tokens << token
@@ -123,7 +123,7 @@ class LockableTest < ActiveSupport::TestCase
   test "should not generate unlock_token when :email is not an unlock strategy" do
     swap Devise, :unlock_strategy => :time do
       user = create_user
-      user.lock!
+      user.lock_access!
       assert_nil user.unlock_token
     end
   end
@@ -132,7 +132,7 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = create_user
       assert_email_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
@@ -141,42 +141,42 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :time do
       user = create_user
       assert_email_not_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
 
   test 'should find and unlock an user automatically' do
     user = create_user
-    user.lock!
-    locked_user = User.unlock!(:unlock_token => user.unlock_token)
+    user.lock_access!
+    locked_user = User.unlock_access_by_token(user.unlock_token)
     assert_equal locked_user, user
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    locked_user = User.unlock!(:unlock_token => 'invalid_token')
+    locked_user = User.unlock_access_by_token('invalid_token')
     assert locked_user.new_record?
     assert_match /invalid/, locked_user.errors[:unlock_token]
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    locked_user = User.unlock!(:unlock_token => '')
+    locked_user = User.unlock_access_by_token('')
     assert locked_user.new_record?
     assert_match /blank/, locked_user.errors[:unlock_token]
   end
 
   test 'should authenticate a unlocked user' do
     user = create_user
-    user.lock!
-    user.unlock!
+    user.lock_access!
+    user.unlock_access!
     authenticated_user = User.authenticate(:email => user.email, :password => user.password)
     assert_equal authenticated_user, user
   end
 
   test 'should find a user to send unlock instructions' do
     user = create_user
-    user.lock!
+    user.lock_access!
     unlock_user = User.send_unlock_instructions(:email => user.email)
     assert_equal unlock_user, user
   end
@@ -194,8 +194,8 @@ class LockableTest < ActiveSupport::TestCase
 
   test 'should not be able to send instructions if the user is not locked' do
     user = create_user
-    assert_not user.resend_unlock!
-    assert_not user.locked?
+    assert_not user.resend_unlock_token
+    assert_not user.access_locked?
     assert_equal 'not locked', user.errors[:email]
   end
 

test/models/recoverable_test.rb

@@ -104,18 +104,18 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(:reset_password_token => user.reset_password_token)
+    reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token)
     assert_equal reset_password_user, user
   end
 
   test 'should a new record with errors if no reset_password_token is found' do
-    reset_password_user = User.reset_password!(:reset_password_token => 'invalid_token')
+    reset_password_user = User.reset_password_by_token(:reset_password_token => 'invalid_token')
     assert reset_password_user.new_record?
     assert_match /invalid/, reset_password_user.errors[:reset_password_token]
   end
 
   test 'should a new record with errors if reset_password_token is blank' do
-    reset_password_user = User.reset_password!(:reset_password_token => '')
+    reset_password_user = User.reset_password_by_token(:reset_password_token => '')
     assert reset_password_user.new_record?
     assert_match /blank/, reset_password_user.errors[:reset_password_token]
   end
@@ -125,7 +125,7 @@ class RecoverableTest < ActiveSupport::TestCase
     old_password = user.password
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(
+    reset_password_user = User.reset_password_by_token(
       :reset_password_token => user.reset_password_token,
       :password => 'new_password',
       :password_confirmation => 'new_password'

test/models_test.rb

@@ -1,7 +1,7 @@
 require 'test/test_helper'
 
 class Configurable < User
-  devise :authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
+  devise :database_authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
          :stretches => 15, :pepper => 'abcdef', :confirm_within => 5.days,
          :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
 end
@@ -23,7 +23,21 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'add modules cherry pick' do
-    assert_include_modules Admin, :authenticatable, :registerable, :timeoutable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable
+  end
+
+  test 'order of module inclusion' do
+    correct_module_order   = [:database_authenticatable, :registerable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable]
+
+    assert_include_modules Admin, *incorrect_module_order
+
+    # get module constants from symbol list
+    module_constants = correct_module_order.collect { |mod| Devise::Models::const_get(mod.to_s.classify) }
+
+    # confirm that they adhere to the order in ALL
+    # get included modules, filter out the noise, and reverse the order
+    assert_equal module_constants, (Admin.included_modules & module_constants).reverse
   end
 
   test 'set a default value for stretches' do

test/orm/active_record.rb

@@ -8,7 +8,7 @@ ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":me
 ActiveRecord::Schema.define(:version => 1) do
   [:users, :admins, :accounts].each do |table|
     create_table table do |t|
-      t.authenticatable :null => table == :admins
+      t.database_authenticatable :null => table == :admins
 
       if table != :admin
         t.string :username

test/rails_app/app/active_record/admin.rb

@@ -1,5 +1,5 @@
 class Admin < ActiveRecord::Base
-  devise :authenticatable, :registerable, :timeoutable
+  devise :database_authenticatable, :registerable, :timeoutable
 
   def self.find_for_authentication(conditions)
     last(:conditions => conditions)

test/rails_app/app/active_record/user.rb

@@ -1,7 +1,7 @@
 class User < ActiveRecord::Base
-  devise :authenticatable, :http_authenticatable, :confirmable, :lockable, :recoverable,
-         :registerable, :rememberable, :timeoutable, :token_authenticatable,
-         :trackable, :validatable
+  devise :database_authenticatable, :http_authenticatable, :confirmable,
+         :lockable, :recoverable, :registerable, :rememberable, :timeoutable,
+         :token_authenticatable, :trackable, :validatable
 
   attr_accessible :username, :email, :password, :password_confirmation
 end

test/rails_app/app/controllers/application_controller.rb

@@ -7,4 +7,6 @@ class ApplicationController < ActionController::Base
 
   # Scrub sensitive parameters from your log
   filter_parameter_logging :password
+
+  before_filter :current_user
 end

test/rails_app/app/mongo_mapper/admin.rb

@@ -1,9 +1,13 @@
 class Admin
   include MongoMapper::Document
-
-  devise :authenticatable, :timeoutable
+  devise :authenticatable, :registerable, :timeoutable
 
   def self.find_for_authentication(conditions)
-    last(:conditions => conditions, :order => "email")
+    last(:conditions => conditions)
+  end
+
+  def self.last(options={})
+    options.merge!(:order => 'email')
+    super options
   end
 end

test/rails_app/app/mongo_mapper/user.rb

@@ -1,8 +1,14 @@
 class User
   include MongoMapper::Document
   key :created_at, DateTime
-  devise :authenticatable, :http_authenticatable, :confirmable, :recoverable,
-         :rememberable, :trackable, :validatable, :timeoutable, :lockable,
-         :token_authenticatable
+  devise :authenticatable, :http_authenticatable, :confirmable, :lockable, :recoverable,
+         :registerable, :rememberable, :timeoutable, :token_authenticatable,
+         :trackable, :validatable
   # attr_accessible :username, :email, :password, :password_confirmation
+
+  def self.last(options={})
+    options.merge!(:order => 'email')
+    super options
+  end
+
 end

test/rails_app/config/environment.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file
 
 # Specifies gem version of Rails to use when vendor/rails is not present
-RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION
+RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
 DEVISE_ORM = :active_record unless defined? DEVISE_ORM
 
 # Bootstrap the Rails environment, frameworks, and default configuration
@@ -13,7 +13,7 @@ Rails::Initializer.run do |config|
   # -- all .rb files in that directory are automatically loaded.
 
   # Add additional load paths for your own custom dirs
-  config.load_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
+  config.autoload_paths += [ "#{RAILS_ROOT}/app/#{DEVISE_ORM}/" ]
 
   # Specify gems that this application depends on and have them installed with rake gems:install
   # config.gem "bj"

test/rails_app/config/initializers/devise.rb

@@ -35,6 +35,9 @@ Devise.setup do |config|
 
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me-omg@yourapp.com"
+  
+  # Configure the content type of DeviseMailer mails (defaults to text/html")
+  # config.mailer_content_type = "text/plain"
 
   # Load and configure the ORM. Supports :active_record, :data_mapper and :mongo_mapper.
   require "devise/orm/#{DEVISE_ORM}"

test/rails_app/config/routes.rb

@@ -12,6 +12,10 @@ ActionController::Routing::Routes.draw do |map|
   map.resources :admins, :only => :index
   map.root :controller => :home
 
+  map.devise_for :sign_out_via_deletes, :sign_out_via => :delete, :class_name => "User"
+  map.devise_for :sign_out_via_posts, :sign_out_via => :post, :class_name => "User"
+  map.devise_for :sign_out_via_anymethods, :sign_out_via => :any, :class_name => "User"
+
   map.connect '/admin_area/password/new', :controller => "passwords", :action => "new"
   map.admin_root '/admin_area/home', :controller => "admins", :action => "index"
 

test/routes_test.rb

@@ -107,4 +107,25 @@ class MapRoutingTest < ActionController::TestCase
   test 'map account with custom path name for registration' do
     assert_recognizes({:controller => 'registrations', :action => 'new', :locale => 'en', :extra => 'value'}, '/en/accounts/register')
   end
+
+  test 'map deletes with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :delete})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_deletes/sign_out', :method => :get})
+    end
+  end
+
+  test 'map posts with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :post})
+    assert_raise ActionController::MethodNotAllowed do
+      assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_posts/sign_out', :method => :get})
+    end
+  end
+
+  test 'map any methods with :sign_out_via option' do
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :get})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :post})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :delete})
+    assert_recognizes({:controller => 'sessions', :action => 'destroy'}, {:path => '/sign_out_via_anymethods/sign_out', :method => :put})
+  end
 end

test/support/integration_tests_helper.rb

@@ -14,7 +14,7 @@ class ActionController::IntegrationTest
         :created_at => Time.now.utc
       )
       user.confirm! unless options[:confirm] == false
-      user.lock! if options[:locked] == true
+      user.lock_access! if options[:locked] == true
       user
     end
   end
@@ -32,7 +32,7 @@ class ActionController::IntegrationTest
     user = create_user(options)
     visit new_user_session_path unless options[:visit] == false
     fill_in 'email', :with => 'user@test.com'
-    fill_in 'password', :with => '123456'
+    fill_in 'password', :with => options[:password] || '123456'
     check 'remember me' if options[:remember_me] == true
     yield if block_given?
     click_button 'Sign In'