Release 2.2.4

Add destroy_with_password method

.travis.yml

@@ -4,18 +4,11 @@ rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
-  - ree
 env:
   - DEVISE_ORM=mongoid
   - DEVISE_ORM=active_record
 matrix:
   exclude:
-    - rvm: ree
-      env: DEVISE_ORM=mongoid
-      gemfile: Gemfile
-    - rvm: ree
-      env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-3.1.x
     - rvm: 1.8.7
       env: DEVISE_ORM=mongoid
       gemfile: Gemfile

.yardopts

@@ -0,0 +1,9 @@
+--protected
+--no-private
+--embed-mixin ClassMethods
+-
+README.md
+CHANGELOG.rdoc
+CONTRIBUTING.md
+MIT-LICENSE
+

CHANGELOG.rdoc

@@ -1,5 +1,23 @@
+== 2.2.4
+
+* enhancements
+  * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
+  * Allow to override path after password resetting (by @worker8)
+  * Add `#skip_confirmation_notification!` method to `Confirmable`. Allows skipping confirmation email without auto-confirming. (by @gregates)
+  * allow_unconfirmed_access_for config from `:confirmable` module can be set to `nil` that means unconfirmed access for unlimited time. (by @nashby)
+  * Support Rails' token strategy on authentication (by @robhurring)
+  * Support explicitly setting the http authentication key via `config.http_authentication_key` (by @neo)
+
+* bug fix
+  * Do not redirect when accessing devise API via JSON. (by @sebastianwr)
+  * Generating scoped devise views now uses the correct scoped shared links partial instead of the default devise one (by @nashby)
+  * Fix inheriting mailer templates from `Devise::Mailer`
+  * Fix a bug when procs are used as default mailer in Devise (by @tomasv)
+
 == 2.2.3
 
+Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
+
 * bug fix
   * Require string conversion for all values
 

Gemfile

@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 
 gemspec
 
@@ -10,8 +10,8 @@ gem "rdoc"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid", "~> 1.0.1"
-  gem "webrat", "0.7.2", :require => false
-  gem "mocha", "0.10.0", :require => false
+  gem "webrat", "0.7.3", :require => false
+  gem "mocha", "~> 0.13.1", :require => false
 end
 
 platforms :jruby do
@@ -29,4 +29,4 @@ platforms :mri_19 do
   group :mongoid do
     gem "mongoid", "~> 3.0"
   end
-end
+end

Gemfile.lock

@@ -1,74 +1,74 @@
 PATH
   remote: .
   specs:
-    devise (2.2.2)
+    devise (2.2.4)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
       warden (~> 1.2.1)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.11)
-      actionpack (= 3.2.11)
-      mail (~> 2.4.4)
-    actionpack (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
+    actionmailer (3.2.13)
+      actionpack (= 3.2.13)
+      mail (~> 2.5.3)
+    actionpack (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
-      rack (~> 1.4.0)
+      rack (~> 1.4.5)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.11)
-      activesupport (= 3.2.11)
+    activemodel (3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
-    activerecord (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
+    activerecord (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.11)
-      activemodel (= 3.2.11)
-      activesupport (= 3.2.11)
-    activesupport (3.2.11)
-      i18n (~> 0.6)
+    activeresource (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+    activesupport (3.2.13)
+      i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
     bcrypt-ruby (3.0.1)
     builder (3.0.4)
     erubis (2.7.0)
-    faraday (0.8.4)
+    faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
-    hike (1.2.1)
+    hike (1.2.2)
     httpauth (0.2.0)
     i18n (0.6.1)
     journey (1.0.4)
-    json (1.7.6)
-    jwt (0.1.5)
-      multi_json (>= 1.0)
-    mail (2.4.4)
+    json (1.7.7)
+    jwt (0.1.8)
+      multi_json (>= 1.5)
+    mail (2.5.3)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.19)
-    mocha (0.10.0)
+    mime-types (1.22)
+    mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.0.16)
-      activemodel (~> 3.1)
-      moped (~> 1.1)
+    mongoid (3.1.2)
+      activemodel (~> 3.2)
+      moped (~> 1.4.2)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
-    moped (1.3.2)
-    multi_json (1.5.0)
-    multipart-post (1.1.5)
-    nokogiri (1.5.5)
-    oauth2 (0.8.0)
+    moped (1.4.5)
+    multi_json (1.7.2)
+    multipart-post (1.2.0)
+    nokogiri (1.5.9)
+    oauth2 (0.8.1)
       faraday (~> 0.8)
       httpauth (~> 0.1)
       jwt (~> 0.1.4)
@@ -88,50 +88,50 @@ GEM
     origin (1.0.11)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.4.3)
+    rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.2)
+    rack-ssl (1.3.3)
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.11)
-      actionmailer (= 3.2.11)
-      actionpack (= 3.2.11)
-      activerecord (= 3.2.11)
-      activeresource (= 3.2.11)
-      activesupport (= 3.2.11)
+    rails (3.2.13)
+      actionmailer (= 3.2.13)
+      actionpack (= 3.2.13)
+      activerecord (= 3.2.13)
+      activeresource (= 3.2.13)
+      activesupport (= 3.2.13)
       bundler (~> 1.0)
-      railties (= 3.2.11)
-    railties (3.2.11)
-      actionpack (= 3.2.11)
-      activesupport (= 3.2.11)
+      railties (= 3.2.13)
+    railties (3.2.13)
+      actionpack (= 3.2.13)
+      activesupport (= 3.2.13)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (10.0.3)
-    rdoc (3.12)
+    rake (10.0.4)
+    rdoc (3.12.2)
       json (~> 1.4)
-    ruby-openid (2.2.2)
+    ruby-openid (2.2.3)
     sprockets (2.2.2)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.6)
-    thor (0.16.0)
-    tilt (1.3.3)
+    sqlite3 (1.3.7)
+    thor (0.18.1)
+    tilt (1.3.7)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.35)
+    tzinfo (0.3.37)
     warden (1.2.1)
       rack (>= 1.0)
-    webrat (0.7.2)
+    webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
@@ -144,7 +144,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
-  mocha (= 0.10.0)
+  mocha (~> 0.13.1)
   mongoid (~> 3.0)
   omniauth (~> 1.0.0)
   omniauth-facebook
@@ -153,4 +153,4 @@ DEPENDENCIES
   rails (~> 3.2.6)
   rdoc
   sqlite3
-  webrat (= 0.7.2)
+  webrat (= 0.7.3)

README.md

@@ -1,8 +1,10 @@
-## Devise
+![Devise Logo](https://raw.github.com/plataformatec/devise/master/devise.png)
+
+By [Plataformatec](http://plataformatec.com.br/).
 
-[![Build Status](https://secure.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
-[![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/plataformatec/devise)
 [![Gem Version](https://fury-badge.herokuapp.com/rb/devise.png)](http://badge.fury.io/rb/devise)
+[![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
+[![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
 
 This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/).
 
@@ -13,7 +15,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-It's composed of 12 modules:
+It's composed of 11 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
 * [Token Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable): signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
@@ -394,3 +396,5 @@ https://github.com/plataformatec/devise/contributors
 ## License
 
 MIT License. Copyright 2009-2013 Plataformatec. http://plataformatec.com.br
+
+You are not granted rights or licenses to the trademarks of the Plataformatec, including without limitation the Devise name or logo.

Rakefile

@@ -22,6 +22,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
   t.pattern = 'test/**/*_test.rb'
   t.verbose = true
+  t.warning = false
 end
 
 desc 'Generate documentation for Devise.'

app/controllers/devise/confirmations_controller.rb

@@ -32,7 +32,7 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after resending confirmation instructions.
     def after_resending_confirmation_instructions_path_for(resource_name)
-      new_session_path(resource_name)
+      new_session_path(resource_name) if is_navigational_format?
     end
 
     # The path used after confirmation.

app/controllers/devise/passwords_controller.rb

@@ -34,17 +34,20 @@ class Devise::PasswordsController < DeviseController
       flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
       set_flash_message(:notice, flash_message) if is_navigational_format?
       sign_in(resource_name, resource)
-      respond_with resource, :location => after_sign_in_path_for(resource)
+      respond_with resource, :location => after_resetting_password_path_for(resource)
     else
       respond_with resource
     end
   end
 
   protected
+    def after_resetting_password_path_for(resource)
+      after_sign_in_path_for(resource)
+    end
 
     # The path used after sending reset password instructions
     def after_sending_reset_password_instructions_path_for(resource_name)
-      new_session_path(resource_name)
+      new_session_path(resource_name) if is_navigational_format?
     end
 
     # Check if a reset_password_token is provided in the request

app/controllers/devise/sessions_controller.rb

@@ -45,4 +45,3 @@ class Devise::SessionsController < DeviseController
     { :scope => resource_name, :recall => "#{controller_path}#new" }
   end
 end
-

app/controllers/devise/unlocks_controller.rb

@@ -33,12 +33,12 @@ class Devise::UnlocksController < DeviseController
 
     # The path used after sending unlock password instructions
     def after_sending_unlock_instructions_path_for(resource)
-      new_session_path(resource)
+      new_session_path(resource) if is_navigational_format?
     end
 
     # The path used after unlocking the resource
     def after_unlock_path_for(resource)
-      new_session_path(resource)
+      new_session_path(resource)  if is_navigational_format?
     end
 
 end

app/controllers/devise_controller.rb

@@ -67,7 +67,7 @@ This may happen for two reasons:
 1) You forgot to wrap your route inside the scope block. For example:
 
   devise_scope :user do
-    match "/some/route" => "some_devise_controller"
+    get "/some/route" => "some_devise_controller"
   end
 
 2) You are testing a Devise controller bypassing the router.
@@ -163,13 +163,18 @@ MESSAGE
   #
   # Please refer to README or en.yml locale file to check what messages are
   # available.
-  def set_flash_message(key, kind, options={})
+  def set_flash_message(key, kind, options = {})
+    message = find_message(kind, options)
+    flash[key] = message if message.present?
+  end
+
+  # Get message for given
+  def find_message(kind, options = {})
     options[:scope] = "devise.#{controller_name}"
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
     options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-    message = I18n.t("#{options[:resource_name]}.#{kind}", options)
-    flash[key] = message if message.present?
+    I18n.t("#{options[:resource_name]}.#{kind}", options)
   end
 
   def clean_up_passwords(object)

app/views/devise/registrations/edit.html.erb

@@ -24,6 +24,6 @@
 
 <h3>Cancel my account</h3>
 
-<p>Unhappy? <%= button_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.</p>
+<p>Unhappy? <%= button_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %></p>
 
 <%= link_to "Back", :back %>

devise.gemspec

@@ -6,6 +6,7 @@ Gem::Specification.new do |s|
   s.name        = "devise"
   s.version     = Devise::VERSION.dup
   s.platform    = Gem::Platform::RUBY
+  s.licenses    = ["MIT"]
   s.summary     = "Flexible authentication solution for Rails with Warden"
   s.email       = "contact@plataformatec.com.br"
   s.homepage    = "http://github.com/plataformatec/devise"

gemfiles/Gemfile.rails-3.1.x

@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 
 gem "devise", :path => ".."
 
@@ -10,8 +10,8 @@ gem "rdoc"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid", "~> 1.0.1"
-  gem "webrat", "0.7.2", :require => false
-  gem "mocha", "0.10.0", :require => false
+  gem "webrat", "0.7.3", :require => false
+  gem "mocha", "~> 0.13.1", :require => false
 
   platforms :mri_18 do
     gem "ruby-debug", ">= 0.10.3"
@@ -32,4 +32,4 @@ platforms :mri_19 do
   group :mongoid do
     gem "mongoid", "~> 3.0"
   end
-end
+end

gemfiles/Gemfile.rails-3.1.x.lock

@@ -1,21 +1,21 @@
 PATH
   remote: ..
   specs:
-    devise (2.2.0)
+    devise (2.2.4)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
       warden (~> 1.2.1)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    actionmailer (3.1.10)
-      actionpack (= 3.1.10)
-      mail (~> 2.3.3)
-    actionpack (3.1.10)
-      activemodel (= 3.1.10)
-      activesupport (= 3.1.10)
+    actionmailer (3.1.12)
+      actionpack (= 3.1.12)
+      mail (~> 2.4.4)
+    actionpack (3.1.12)
+      activemodel (= 3.1.12)
+      activesupport (= 3.1.12)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       i18n (~> 0.6)
@@ -24,54 +24,54 @@ GEM
       rack-mount (~> 0.8.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.0.4)
-    activemodel (3.1.10)
-      activesupport (= 3.1.10)
+    activemodel (3.1.12)
+      activesupport (= 3.1.12)
       builder (~> 3.0.0)
       i18n (~> 0.6)
-    activerecord (3.1.10)
-      activemodel (= 3.1.10)
-      activesupport (= 3.1.10)
+    activerecord (3.1.12)
+      activemodel (= 3.1.12)
+      activesupport (= 3.1.12)
       arel (~> 2.2.3)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.10)
-      activemodel (= 3.1.10)
-      activesupport (= 3.1.10)
-    activesupport (3.1.10)
-      multi_json (>= 1.0, < 1.3)
+    activeresource (3.1.12)
+      activemodel (= 3.1.12)
+      activesupport (= 3.1.12)
+    activesupport (3.1.12)
+      multi_json (~> 1.0)
     arel (2.2.3)
     bcrypt-ruby (3.0.1)
     builder (3.0.4)
     columnize (0.3.6)
     erubis (2.7.0)
-    faraday (0.8.4)
+    faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
-    hike (1.2.1)
+    hike (1.2.2)
     httpauth (0.2.0)
-    i18n (0.6.1)
-    json (1.7.6)
-    jwt (0.1.5)
-      multi_json (>= 1.0)
+    i18n (0.6.4)
+    json (1.7.7)
+    jwt (0.1.8)
+      multi_json (>= 1.5)
     linecache (0.46)
       rbx-require-relative (> 0.0.4)
-    mail (2.3.3)
+    mail (2.4.4)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.19)
-    mocha (0.10.0)
+    mime-types (1.23)
+    mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.0.16)
+    mongoid (3.0.23)
       activemodel (~> 3.1)
-      moped (~> 1.1)
+      moped (~> 1.2)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
-    moped (1.3.2)
-    multi_json (1.2.0)
-    multipart-post (1.1.5)
-    nokogiri (1.5.6)
-    oauth2 (0.8.0)
+    moped (1.4.5)
+    multi_json (1.7.3)
+    multipart-post (1.2.0)
+    nokogiri (1.5.9)
+    oauth2 (0.8.1)
       faraday (~> 0.8)
       httpauth (~> 0.1)
       jwt (~> 0.1.4)
@@ -88,10 +88,10 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    origin (1.0.11)
+    origin (1.1.0)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.3.8)
+    rack (1.3.10)
     rack-cache (1.2)
       rack (>= 0.4)
     rack-mount (0.8.3)
@@ -99,49 +99,49 @@ GEM
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.2)
+    rack-ssl (1.3.3)
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.1.10)
-      actionmailer (= 3.1.10)
-      actionpack (= 3.1.10)
-      activerecord (= 3.1.10)
-      activeresource (= 3.1.10)
-      activesupport (= 3.1.10)
+    rails (3.1.12)
+      actionmailer (= 3.1.12)
+      actionpack (= 3.1.12)
+      activerecord (= 3.1.12)
+      activeresource (= 3.1.12)
+      activesupport (= 3.1.12)
       bundler (~> 1.0)
-      railties (= 3.1.10)
-    railties (3.1.10)
-      actionpack (= 3.1.10)
-      activesupport (= 3.1.10)
+      railties (= 3.1.12)
+    railties (3.1.12)
+      actionpack (= 3.1.12)
+      activesupport (= 3.1.12)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (~> 0.14.6)
-    rake (10.0.3)
+    rake (10.0.4)
     rbx-require-relative (0.0.9)
-    rdoc (3.12)
+    rdoc (3.12.2)
       json (~> 1.4)
     ruby-debug (0.10.4)
       columnize (>= 0.1)
       ruby-debug-base (~> 0.10.4.0)
     ruby-debug-base (0.10.4)
       linecache (>= 0.3)
-    ruby-openid (2.2.2)
+    ruby-openid (2.2.3)
     sprockets (2.0.4)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.6)
+    sqlite3 (1.3.7)
     thor (0.14.6)
-    tilt (1.3.3)
+    tilt (1.4.0)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.35)
+    tzinfo (0.3.37)
     warden (1.2.1)
       rack (>= 1.0)
-    webrat (0.7.2)
+    webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
@@ -154,7 +154,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
-  mocha (= 0.10.0)
+  mocha (~> 0.13.1)
   mongoid (~> 3.0)
   omniauth (~> 1.0.0)
   omniauth-facebook
@@ -164,4 +164,4 @@ DEPENDENCIES
   rdoc
   ruby-debug (>= 0.10.3)
   sqlite3
-  webrat (= 0.7.2)
+  webrat (= 0.7.3)

lib/devise.rb

@@ -51,6 +51,10 @@ module Devise
   mattr_accessor :stretches
   @@stretches = 10
 
+  # The default key used when authenticating over http auth.
+  mattr_accessor :http_authentication_key
+  @@http_authentication_key = nil
+
   # Keys used when authenticating a user.
   mattr_accessor :authentication_keys
   @@authentication_keys = [ :email ]
@@ -102,6 +106,7 @@ module Devise
   @@extend_remember_period = false
 
   # Time interval you can access your account before confirming your account.
+  # nil - allows unconfirmed access for unlimited time
   mattr_accessor :allow_unconfirmed_access_for
   @@allow_unconfirmed_access_for = 0.days
 
@@ -310,7 +315,7 @@ module Devise
   # == Options:
   #
   #   +model+      - String representing the load path to a custom *model* for this module (to autoload.)
-  #   +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
+  #   +controller+ - Symbol representing the name of an existing or custom *controller* for this module.
   #   +route+      - Symbol representing the named *route* helper for this module.
   #   +strategy+   - Symbol representing if this module got a custom *strategy*.
   #
@@ -420,6 +425,17 @@ module Devise
 
       Devise.mappings.each_value do |mapping|
         warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
+
+        warden_config.serialize_into_session(mapping.name) do |record|
+          mapping.to.serialize_into_session(record)
+        end
+
+        warden_config.serialize_from_session(mapping.name) do |key|
+          # Previous versions contained an additional entry at the beginning of
+          # key with the record's class name.
+          args = key[-2, 2]
+          mapping.to.serialize_from_session(*args)
+        end
       end
 
       @@warden_config_block.try :call, Devise.warden_config
@@ -427,7 +443,7 @@ module Devise
     end
   end
 
-  # Generate a friendly string randomically to be used as token.
+  # Generate a friendly string randomly to be used as token.
   def self.friendly_token
     SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
   end

lib/devise/mailers/helpers.rb

@@ -54,8 +54,9 @@ module Devise
       end
 
       def mailer_sender(mapping, sender = :from)
-        if default_params[sender].present?
-          default_params[sender]
+        default_sender = default_params[sender]
+        if default_sender.present?
+          default_sender.respond_to?(:to_proc) ? instance_eval(&default_sender) : default_sender
         elsif Devise.mailer_sender.is_a?(Proc)
           Devise.mailer_sender.call(mapping.name)
         else
@@ -64,12 +65,12 @@ module Devise
       end
 
       def template_paths
-        template_path = [self.class.mailer_name]
+        template_path = _prefixes.dup
         template_path.unshift "#{@devise_mapping.scoped_path}/mailer" if self.class.scoped_views?
         template_path
       end
 
-      # Setup a subject doing an I18n lookup. At first, it attemps to set a subject
+      # Setup a subject doing an I18n lookup. At first, it attempts to set a subject
       # based on the current mapping:
       #
       #   en:

lib/devise/models/authenticatable.rb

@@ -10,12 +10,15 @@ module Devise
     #
     #   * +authentication_keys+: parameters used for authentication. By default [:email].
     #
+    #   * +http_authentication_key+: map the username passed via HTTP Auth to this parameter. Defaults to
+    #     the first element in +authentication_keys+.
+    #
     #   * +request_keys+: parameters from the request object used for authentication.
     #     By specifying a symbol (which should be a request method), it will automatically be
     #     passed to find_for_authentication method and considered in your model lookup.
     #
     #     For instance, if you set :request_keys to [:subdomain], :subdomain will be considered
-    #     as key on authentication. This can also be a hash where the value is a boolean expliciting
+    #     as key on authentication. This can also be a hash where the value is a boolean specifying
     #     if the value is required or not.
     #
     #   * +http_authenticatable+: if this model allows http authentication. By default true.
@@ -32,7 +35,7 @@ module Devise
     # == active_for_authentication?
     #
     # After authenticating a user and in each request, Devise checks if your model is active by
-    # calling model.active_for_authentication?. This method is overwriten by other devise modules. For instance,
+    # calling model.active_for_authentication?. This method is overwritten by other devise modules. For instance,
     # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
     #
     # You overwrite this method yourself, but if you do, don't forget to call super:
@@ -140,14 +143,26 @@ module Devise
       #
       #       protected
       #
-      #       def send_devise_notification(notification)
-      #         pending_notifications << notification
+      #       def send_devise_notification(notification, opts = {})
+      #         # if the record is new or changed then delay the
+      #         # delivery until the after_commit callback otherwise
+      #         # send now because after_commit will not be called.
+      #         if new_record? || changed?
+      #           pending_notifications << [notification, opts]
+      #         else
+      #           devise_mailer.send(notification, self, opts).deliver
+      #         end
       #       end
       #
       #       def send_pending_notifications
-      #         pending_notifications.each do |n|
-      #           devise_mailer.send(n, self).deliver
+      #         pending_notifications.each do |n, opts|
+      #           devise_mailer.send(n, self, opts).deliver
       #         end
+      #
+      #         # Empty the pending notifications array because the
+      #         # after_commit hook can be called multiple times which
+      #         # could cause multiple emails to be sent.
+      #         pending_notifications.clear
       #       end
       #
       #       def pending_notifications
@@ -182,7 +197,8 @@ module Devise
 
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
-          :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
+          :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage,
+          :http_authentication_key)
 
         def serialize_into_session(record)
           [record.to_key, record.authenticatable_salt]
@@ -215,7 +231,7 @@ module Devise
         # Example:
         #
         #   def self.find_for_authentication(tainted_conditions)
-        #     find_first_by_auth_conditions(tainted_conditions, active: true)
+        #     find_first_by_auth_conditions(tainted_conditions, :active => true)
         #   end
         #
         # Finally, notice that Devise also queries for users in other scenarios

lib/devise/models/confirmable.rb

@@ -34,11 +34,18 @@ module Devise
 
       included do
         before_create :generate_confirmation_token, :if => :confirmation_required?
-        after_create  :send_on_create_confirmation_instructions, :if => :confirmation_required?
+        after_create  :send_on_create_confirmation_instructions, :if => :send_confirmation_notification?
         before_update :postpone_email_change_until_confirmation, :if => :postpone_email_change?
         after_update  :send_confirmation_instructions, :if => :reconfirmation_required?
       end
 
+      def initialize(*args, &block)
+        @bypass_postpone = false
+        @reconfirmation_required = false
+        @skip_confirmation_notification = false
+        super
+      end
+
       def self.required_fields(klass)
         required_methods = [:confirmation_token, :confirmed_at, :confirmation_sent_at]
         required_methods << :unconfirmed_email if klass.reconfirmable
@@ -119,6 +126,12 @@ module Devise
         self.confirmed_at = Time.now.utc
       end
 
+      # Skips sending the confirmation notification email after_create. Unlike
+      # #skip_confirmation!, record still requires confirmation.
+      def skip_confirmation_notification!
+        @skip_confirmation_notification = true
+      end
+
       # If you don't want reconfirmation to be sent, neither a code
       # to be generated, call skip_reconfirmation!
       def skip_reconfirmation!
@@ -158,8 +171,11 @@ module Devise
         #   # allow_unconfirmed_access_for = 0.days
         #   confirmation_period_valid?   # will always return false
         #
+        #   # allow_unconfirmed_access_for = nil
+        #   confirmation_period_valid?   # will always return true
+        #
         def confirmation_period_valid?
-          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
+          self.class.allow_unconfirmed_access_for.nil? || (confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago)
         end
 
         # Checks if the user confirmation happens before the token becomes invalid
@@ -212,7 +228,7 @@ module Devise
 
         def postpone_email_change?
           postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone
-          @bypass_postpone = nil
+          @bypass_postpone = false
           postpone
         end
 
@@ -220,6 +236,10 @@ module Devise
           self.class.reconfirmable && @reconfirmation_required
         end
 
+        def send_confirmation_notification?
+          confirmation_required? && !@skip_confirmation_notification
+        end
+
       module ClassMethods
         # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email

lib/devise/models/database_authenticatable.rb

@@ -95,6 +95,21 @@ module Devise
         result
       end
 
+      # Destroy record when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects 
+      # :current_password if it is blank.
+      def destroy_with_password(current_password)
+        result = if valid_password?(current_password)
+          destroy
+        else
+          self.valid?
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          false
+        end
+
+        result
+      end
+
       def after_database_authentication
       end
 

lib/devise/models/omniauthable.rb

@@ -8,7 +8,7 @@ module Devise
     #
     # Oauthable adds the following options to devise_for:
     #
-    #   * +omniauth_providers+: Which providers are avaialble to this model. It expects an array:
+    #   * +omniauth_providers+: Which providers are available to this model. It expects an array:
     #
     #       devise_for :database_authenticatable, :omniauthable, :omniauth_providers => [:twitter]
     #
@@ -24,4 +24,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/models/recoverable.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
 
-    # Recoverable takes care of reseting the user password and send reset instructions.
+    # Recoverable takes care of resetting the user password and send reset instructions.
     #
     # ==Options
     #

lib/devise/models/timeoutable.rb

@@ -2,7 +2,7 @@ require 'devise/hooks/timeoutable'
 
 module Devise
   module Models
-    # Timeoutable takes care of veryfing whether a user session has already
+    # Timeoutable takes care of verifyng whether a user session has already
     # expired or not. When a session expires after the configured time, the user
     # will be asked for credentials again, it means, he/she will be redirected
     # to the sign in page.

lib/devise/param_filter.rb

@@ -8,16 +8,16 @@ module Devise
     def filter(conditions)
       conditions = stringify_params(conditions.dup)
 
-      @case_insensitive_keys.each do |k|
-        value = conditions[k]
-        next unless value.respond_to?(:downcase)
-        conditions[k] = value.downcase
-      end
+      conditions.merge!(filtered_hash_by_method_for_given_keys(conditions.dup, :downcase, @case_insensitive_keys))
+      conditions.merge!(filtered_hash_by_method_for_given_keys(conditions.dup, :strip, @strip_whitespace_keys))
 
-      @strip_whitespace_keys.each do |k|
+      conditions
+    end
+
+    def filtered_hash_by_method_for_given_keys(conditions, method, condition_keys)
+      condition_keys.each do |k|
         value = conditions[k]
-        next unless value.respond_to?(:strip)
-        conditions[k] = value.strip
+        conditions[k] = value.send(method) if value.respond_to?(method)
       end
 
       conditions

lib/devise/rails/routes.rb

@@ -250,15 +250,11 @@ module ActionDispatch::Routing
     #   end
     #
     #   authenticate :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show"
+    #     root :to => "admin/dashboard#show", :as => :user_root
     #   end
     #
     def authenticate(scope=nil, block=nil)
-      constraint = lambda do |request|
-        request.env["warden"].authenticate!(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
-      end
-
-      constraints(constraint) do
+      constraints_for(:authenticate!, scope, block) do
         yield
       end
     end
@@ -268,25 +264,21 @@ module ActionDispatch::Routing
     # a model and allows extra constraints to be done on the instance.
     #
     #   authenticated :admin do
-    #     root :to => 'admin/dashboard#show'
+    #     root :to => 'admin/dashboard#show', :as => :admin_root
     #   end
     #
     #   authenticated do
-    #     root :to => 'dashboard#show'
+    #     root :to => 'dashboard#show', :as => :authenticated_root
     #   end
     #
     #   authenticated :user, lambda {|u| u.role == "admin"} do
-    #     root :to => "admin/dashboard#show"
+    #     root :to => "admin/dashboard#show", :as => :user_root
     #   end
     #
     #   root :to => 'landing#show'
     #
     def authenticated(scope=nil, block=nil)
-      constraint = lambda do |request|
-        request.env["warden"].authenticate?(:scope => scope) && (block.nil? || block.call(request.env["warden"].user(scope)))
-      end
-
-      constraints(constraint) do
+      constraints_for(:authenticate?, scope, block) do
         yield
       end
     end
@@ -329,7 +321,7 @@ module ActionDispatch::Routing
     # good and working example.
     #
     #  devise_scope :user do
-    #    match "/some/route" => "some_devise_controller"
+    #    get "/some/route" => "some_devise_controller"
     #  end
     #  devise_for :users
     #
@@ -401,12 +393,14 @@ module ActionDispatch::Routing
         match "#{path_prefix}/:provider",
           :constraints => { :provider => providers },
           :to => "#{controllers[:omniauth_callbacks]}#passthru",
-          :as => :omniauth_authorize
+          :as => :omniauth_authorize,
+          :via => [:get, :post]
 
         match "#{path_prefix}/:action/callback",
           :constraints => { :action => providers },
           :to => controllers[:omniauth_callbacks],
-          :as => :omniauth_callback
+          :as => :omniauth_callback,
+          :via => [:get, :post]
       ensure
         @scope[:path] = path
       end
@@ -426,6 +420,17 @@ module ActionDispatch::Routing
         @scope.merge!(old)
       end
 
+      def constraints_for(method_to_apply, scope=nil, block=nil)
+        constraint = lambda do |request|
+          request.env['warden'].send(method_to_apply, :scope => scope) &&
+            (block.nil? || block.call(request.env["warden"].user(scope)))
+        end
+
+        constraints(constraint) do
+          yield
+        end
+      end
+
       def set_omniauth_path_prefix!(path_prefix) #:nodoc:
         if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
           raise "Wrong OmniAuth configuration. If you are getting this exception, it means that either:\n\n" \

lib/devise/rails/warden_compat.rb

@@ -12,32 +12,3 @@ module Warden::Mixins::Common
     request.cookie_jar
   end
 end
-
-class Warden::SessionSerializer
-  def serialize(record)
-    klass = record.class
-    array = klass.serialize_into_session(record)
-    array.unshift(klass.name)
-  end
-
-  def deserialize(keys)
-    klass_name, *args = keys
-
-    begin
-      klass = ActiveSupport::Inflector.constantize(klass_name)
-      if klass.respond_to? :serialize_from_session
-        klass.serialize_from_session(*args)
-      else
-        Rails.logger.warn "[Devise] Stored serialized class #{klass_name} seems not to be Devise enabled anymore. Did you do that on purpose?"
-        nil
-      end
-    rescue NameError => e
-      if e.message =~ /uninitialized constant/
-        Rails.logger.debug "[Devise] Trying to deserialize invalid class #{klass_name}"
-        nil
-      else
-        raise
-      end
-    end
-  end
-end

lib/devise/strategies/authenticatable.rb

@@ -100,7 +100,7 @@ module Devise
 
       # Extract a hash with attributes:values from the http params.
       def http_auth_hash
-        keys = [authentication_keys.first, :password]
+        keys = [http_authentication_key, :password]
         Hash[*keys.zip(decode_credentials).flatten]
       end
 
@@ -134,24 +134,27 @@ module Devise
         parse_authentication_key_values(request_values, request_keys)
       end
 
-      # Holds the authentication keys.
       def authentication_keys
         @authentication_keys ||= mapping.to.authentication_keys
       end
 
-      # Holds request keys.
+      def http_authentication_key
+        @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
+          when Array then authentication_keys.first
+          when Hash then authentication_keys.keys.first
+        end
+      end
+
       def request_keys
         @request_keys ||= mapping.to.request_keys
       end
 
-      # Returns values from the request object.
       def request_values
         keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
         values = keys.map { |k| self.request.send(k) }
         Hash[keys.zip(values)]
       end
 
-      # Parse authentication keys considering if they should be enforced or not.
       def parse_authentication_key_values(hash, keys)
         keys.each do |key, enforce|
           value = hash[key].presence

lib/devise/strategies/token_authenticatable.rb

@@ -7,13 +7,22 @@ module Devise
     #
     #   http://myapp.example.com/?user_token=SECRET
     #
-    # For HTTP, you can pass the token as username and blank password. Since some clients may require
-    # a password, you can pass "X" as password and it will simply be ignored.
+    # For headers, you can use basic authentication passing the token as username and
+    # blank password. Since some clients may require a password, you can pass "X" as
+    # password and it will simply be ignored.
+    #
+    # You may also pass the token using the Token authentication mechanism provided
+    # by Rails: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
+    # The token options are stored in request.env['devise.token_options']
     class TokenAuthenticatable < Authenticatable
       def store?
         super && !mapping.to.skip_session_storage.include?(:token_auth)
       end
 
+      def valid?
+        super || valid_for_token_auth?
+      end
+
       def authenticate!
         resource = mapping.to.find_for_token_authentication(authentication_hash)
         return fail(:invalid_token) unless resource
@@ -36,7 +45,33 @@ module Devise
         false
       end
 
-      # Try both scoped and non scoped keys.
+      # Check if the model accepts this strategy as token authenticatable.
+      def token_authenticatable?
+        mapping.to.http_authenticatable?(:token_options)
+      end
+
+      # Check if this is strategy is valid for token authentication by:
+      #
+      #   * Validating if the model allows http token authentication;
+      #   * If the http auth token exists;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_token_auth?
+        token_authenticatable? && auth_token.present? && with_authentication_hash(:token_auth, token_auth_hash)
+      end
+
+      # Extract the auth token from the request
+      def auth_token
+        @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
+      end
+
+      # Extract a hash with attributes:values from the auth_token
+      def token_auth_hash
+        request.env['devise.token_options'] = auth_token.last
+        { authentication_keys.first => auth_token.first }
+      end
+
+      # Try both scoped and non scoped keys
       def params_auth_hash
         if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
           params[scope]

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.3".freeze
+  VERSION = "2.2.4".freeze
 end

lib/generators/devise/views_generator.rb

@@ -18,7 +18,7 @@ module Devise
         public_task :copy_views
       end
 
-      # TODO: Add this to Rails itslef
+      # TODO: Add this to Rails itself
       module ClassMethods
         def hide!
           Rails::Generators.hide_namespace self.namespace
@@ -36,7 +36,13 @@ module Devise
       protected
 
       def view_directory(name, _target_path = nil)
-        directory name.to_s, _target_path || "#{target_path}/#{name}"
+        directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
+          if scope
+            content.gsub "devise/shared/links", "#{scope}/shared/links"
+          else
+            content
+          end
+        end
       end
 
       def target_path

lib/generators/templates/devise.rb

@@ -48,10 +48,14 @@ Devise.setup do |config|
   # enable it only for database (email + password) authentication.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
   # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication.
+  # enable it only for token authentication. The supported strategies are:
+  # :database      = Support basic authentication with authentication key + password
+  # :token         = Support basic authentication with token authentication key
+  # :token_options = Support token authentication with options as defined in
+  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -125,7 +129,7 @@ Devise.setup do |config|
   config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that
-  # an one (and only one) @ exists in the given string. This is mainly
+  # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   # config.email_regexp = /\A[^@]+@[^@]+\z/
 
@@ -175,7 +179,9 @@ Devise.setup do |config|
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
   # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
   # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper)
+  # REST_AUTH_SITE_KEY to pepper).
+  #
+  # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
 
   # ==> Configuration for :token_authenticatable

lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -22,6 +22,6 @@
 
 <h3>Cancel my account</h3>
 
-<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.</p>
+<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %></p>
 
 <%= link_to "Back", :back %>

test/controllers/passwords_controller_test.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class PasswordsControllerTest < ActionController::TestCase
+  tests Devise::PasswordsController
+  include Devise::TestHelpers
+
+  def setup
+    request.env["devise.mapping"] = Devise.mappings[:user]
+
+    @user = create_user
+    @user.send_reset_password_instructions
+  end
+
+  def put_update_with_params
+    put :update, "user" => {
+      "reset_password_token" => @user.reset_password_token, "password" => "123456", "password_confirmation" => "123456"
+    }
+  end
+
+  test 'redirect to after_sign_in_path_for if after_resetting_password_path_for is not overridden' do
+    put_update_with_params
+    assert_redirected_to "http://test.host/"
+  end
+
+  test 'redirect accordingly if after_resetting_password_path_for is overridden' do
+    custom_path = "http://custom.path/"
+    Devise::PasswordsController.any_instance.stubs(:after_resetting_password_path_for).with(@user).returns(custom_path)
+
+    put_update_with_params
+    assert_redirected_to custom_path
+  end
+end

test/failure_app_test.rb

@@ -80,9 +80,9 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'setup a default message' do
       call_failure
-      assert_match /You are being/, @response.last.body
-      assert_match /redirected/, @response.last.body
-      assert_match /users\/sign_in/, @response.last.body
+      assert_match(/You are being/, @response.last.body)
+      assert_match(/redirected/, @response.last.body)
+      assert_match(/users\/sign_in/, @response.last.body)
     end
 
     test 'works for any navigational format' do

test/generators/views_generator_test.rb

@@ -8,14 +8,17 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
   test "Assert all views are properly created with no params" do
     run_generator
     assert_files
+    assert_shared_links
   end
 
-  test "Assert all views are properly created with scope param param" do
+  test "Assert all views are properly created with scope param" do
     run_generator %w(users)
     assert_files "users"
+    assert_shared_links "users"
 
     run_generator %w(admins)
     assert_files "admins"
+    assert_shared_links "admins"
   end
 
   test "Assert views with simple form" do
@@ -49,4 +52,16 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_file "app/views/#{scope}/shared/_links.erb"
     assert_file "app/views/#{scope}/unlocks/new.html.erb"
   end
+
+  def assert_shared_links(scope = nil)
+    scope = "devise" if scope.nil?
+    link = /<%= render \"#{scope}\/shared\/links\" %>/
+
+    assert_file "app/views/#{scope}/passwords/edit.html.erb", link
+    assert_file "app/views/#{scope}/passwords/new.html.erb", link
+    assert_file "app/views/#{scope}/confirmations/new.html.erb", link
+    assert_file "app/views/#{scope}/registrations/new.html.erb", link
+    assert_file "app/views/#{scope}/sessions/new.html.erb", link
+    assert_file "app/views/#{scope}/unlocks/new.html.erb", link
+  end
 end

test/helpers/devise_helper_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class DeviseHelperTest < ActionController::IntegrationTest
+class DeviseHelperTest < ActionDispatch::IntegrationTest
   setup do
     model_labels = { :models => { :user => "utilisateur" } }
 

test/integration/authenticatable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class AuthenticationSanityTest < ActionController::IntegrationTest
+class AuthenticationSanityTest < ActionDispatch::IntegrationTest
   test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
@@ -134,7 +134,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRoutesRestrictions < ActionController::IntegrationTest
+class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
   test 'not signed in should not be able to access private route (authenticate denied)' do
     get private_path
     assert_redirected_to new_admin_session_path
@@ -254,7 +254,7 @@ class AuthenticationRoutesRestrictions < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRedirectTest < ActionController::IntegrationTest
+class AuthenticationRedirectTest < ActionDispatch::IntegrationTest
   test 'redirect from warden shows sign in or sign up message' do
     get admins_path
 
@@ -317,7 +317,7 @@ class AuthenticationRedirectTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationSessionTest < ActionController::IntegrationTest
+class AuthenticationSessionTest < ActionDispatch::IntegrationTest
   test 'destroyed account is signed out' do
     sign_in_as_user
     get '/users'
@@ -333,22 +333,34 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
-  test 'does not explode when invalid user class is stored in session' do
-    klass = User
-    paths = ActiveSupport::Dependencies.autoload_paths.dup
-
+  test 'does not explode when class name is still stored in session' do
+    # In order to test that old sessions do not break with the new scoped
+    # deserialization, we need to serialize the session the old way. This is
+    # done by removing the newly used scoped serialization method
+    # (#user_serialize) and bringing back the old uncsoped #serialize method
+    # that includes the record's class name in the serialization.
     begin
+      Warden::SessionSerializer.class_eval do
+        alias_method :original_serialize, :serialize
+        alias_method :original_user_serialize, :user_serialize
+        remove_method :user_serialize
+
+        def serialize(record)
+          klass = record.class
+          array = klass.serialize_into_session(record)
+          array.unshift(klass.name)
+        end
+      end
+
       sign_in_as_user
       assert warden.authenticated?(:user)
-
-      Object.send :remove_const, :User
-      ActiveSupport::Dependencies.autoload_paths.clear
-
-      visit "/users"
-      assert_not warden.authenticated?(:user)
     ensure
-      Object.const_set(:User, klass)
-      ActiveSupport::Dependencies.autoload_paths.replace(paths)
+      Warden::SessionSerializer.class_eval do
+        alias_method :serialize, :original_serialize
+        remove_method :original_serialize
+        alias_method :user_serialize, :original_user_serialize
+        remove_method :original_user_serialize
+      end
     end
   end
 
@@ -364,7 +376,7 @@ class AuthenticationSessionTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationWithScopedViewsTest < ActionController::IntegrationTest
+class AuthenticationWithScopedViewsTest < ActionDispatch::IntegrationTest
   test 'renders the scoped view if turned on and view is available' do
     swap Devise, :scoped_views => true do
       assert_raise Webrat::NotFoundError do
@@ -405,7 +417,7 @@ class AuthenticationWithScopedViewsTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationOthersTest < ActionController::IntegrationTest
+class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
     swap UsersController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
@@ -504,14 +516,26 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
   end
 
-  test 'sign out with xml format returns ok response' do
+  test 'sign out with html redirects' do
+    sign_in_as_user
+    get destroy_user_session_path
+    assert_response :redirect
+    assert_current_url '/'
+
+    sign_in_as_user
+    get destroy_user_session_path(:format => 'html')
+    assert_response :redirect
+    assert_current_url '/'
+  end
+
+  test 'sign out with xml format returns no content' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'xml')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
-  test 'sign out with json format returns empty json response' do
+  test 'sign out with json format returns no content' do
     sign_in_as_user
     get destroy_user_session_path(:format => 'json')
     assert_response :no_content
@@ -519,7 +543,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 
   test 'sign out with non-navigational format via XHR does not redirect' do
-    swap Devise, :navigational_formats => ['*/*', :html] do 
+    swap Devise, :navigational_formats => ['*/*', :html] do
       sign_in_as_user
       xml_http_request :get, destroy_user_session_path, {}, { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
       assert_response :no_content
@@ -529,7 +553,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 
   # Belt and braces ... Perhaps this test is not necessary?
   test 'sign out with navigational format via XHR does redirect' do
-    swap Devise, :navigational_formats => ['*/*', :html] do 
+    swap Devise, :navigational_formats => ['*/*', :html] do
       sign_in_as_user
       xml_http_request :get, destroy_user_session_path, {}, { "HTTP_ACCEPT" => "text/html,*/*" }
       assert_response :redirect
@@ -538,7 +562,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationKeysTest < ActionController::IntegrationTest
+class AuthenticationKeysTest < ActionDispatch::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, :authentication_keys => [:subdomain] do
       sign_in_as_user
@@ -555,7 +579,7 @@ class AuthenticationKeysTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationRequestKeysTest < ActionController::IntegrationTest
+class AuthenticationRequestKeysTest < ActionDispatch::IntegrationTest
   test 'request keys are used on authentication' do
     host! 'foo.bar.baz'
 
@@ -596,7 +620,7 @@ class AuthenticationRequestKeysTest < ActionController::IntegrationTest
   end
 end
 
-class AuthenticationSignOutViaTest < ActionController::IntegrationTest
+class AuthenticationSignOutViaTest < ActionDispatch::IntegrationTest
   def sign_in!(scope)
     sign_in_as_admin(:visit => send("new_#{scope}_session_path"))
     assert warden.authenticated?(scope)
@@ -650,3 +674,26 @@ class AuthenticationSignOutViaTest < ActionController::IntegrationTest
     assert warden.authenticated?(:sign_out_via_delete_or_post)
   end
 end
+
+class DoubleAuthenticationRedirectTest < ActionDispatch::IntegrationTest
+  test 'signed in as user redirects when visiting user sign in page' do
+    sign_in_as_user
+    get new_user_session_path(:format => :html)
+    assert_redirected_to '/'
+  end
+
+  test 'signed in as admin redirects when visiting admin sign in page' do
+    sign_in_as_admin
+    get new_admin_session_path(:format => :html)
+    assert_redirected_to '/admin_area/home'
+  end
+
+  test 'signed in as both user and admin redirects when visiting admin sign in page' do
+    sign_in_as_user
+    sign_in_as_admin
+    get new_user_session_path(:format => :html)
+    assert_redirected_to '/'
+    get new_admin_session_path(:format => :html)
+    assert_redirected_to '/admin_area/home'
+  end
+end

test/integration/confirmable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class ConfirmationTest < ActionController::IntegrationTest
+class ConfirmationTest < ActionDispatch::IntegrationTest
 
   def visit_user_confirmation_with_token(confirmation_token)
     visit user_confirmation_path(:confirmation_token => confirmation_token)
@@ -167,7 +167,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'resent confirmation token with invalid E-Mail in XML format should return invalid response' do
-    user = create_user(:confirm => false)
+    create_user(:confirm => false)
     post user_confirmation_path(:format => 'xml'), :user => { :email => 'invalid.test@test.com' }
     assert_response :unprocessable_entity
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
@@ -181,7 +181,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'confirm account with invalid confirmation token in XML format should return invalid response' do
-    user = create_user(:confirm => false)
+    create_user(:confirm => false)
     get user_confirmation_path(:confirmation_token => 'invalid_confirmation', :format => 'xml')
     assert_response :unprocessable_entity
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
@@ -226,7 +226,7 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 end
 
-class ConfirmationOnChangeTest < ActionController::IntegrationTest
+class ConfirmationOnChangeTest < ActionDispatch::IntegrationTest
   def create_second_admin(options={})
     @admin = nil
     create_admin(options)
@@ -275,7 +275,7 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest
 
     visit_admin_confirmation_with_token(confirmation_token)
     assert_have_selector '#error_explanation'
-    assert_contain /Confirmation token(.*)invalid/
+    assert_contain(/Confirmation token(.*)invalid/)
 
     visit_admin_confirmation_with_token(admin.confirmation_token)
     assert_contain 'Your account was successfully confirmed.'
@@ -293,7 +293,7 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest
 
     visit_admin_confirmation_with_token(admin.confirmation_token)
     assert_have_selector '#error_explanation'
-    assert_contain /Email.*already.*taken/
+    assert_contain(/Email.*already.*taken/)
     assert admin.reload.pending_reconfirmation?
   end
 end

test/integration/database_authenticatable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class DatabaseAuthenticationTest < ActionController::IntegrationTest
+class DatabaseAuthenticationTest < ActionDispatch::IntegrationTest
   test 'sign in with email of different case should succeed when email is in the list of case insensitive keys' do
     create_user(:email => 'Foo@Bar.com')
 

test/integration/http_authenticatable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class HttpAuthenticationTest < ActionController::IntegrationTest
+class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
     swap UsersController, :allow_forgery_protection => true do
       create_user
@@ -62,6 +62,24 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'it uses appropriate authentication_keys when configured with hash' do
+    swap Devise, :authentication_keys => ActiveSupport::OrderedHash[:username, false, :email, false] do
+      sign_in_as_new_user_with_http("usertest")
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'it uses the appropriate key when configured explicitly' do
+    swap Devise, :authentication_keys => ActiveSupport::OrderedHash[:email, false, :username, false], :http_authentication_key => :username do
+      sign_in_as_new_user_with_http("usertest")
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert warden.authenticated?(:user)
+    end
+  end
+
   test 'test request with oauth2 header doesnt get mistaken for basic authentication' do
     swap Devise, :http_authenticatable => true do
       add_oauth2_header

test/integration/lockable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class LockTest < ActionController::IntegrationTest
+class LockTest < ActionDispatch::IntegrationTest
 
   def visit_user_unlock_with_token(unlock_token)
     visit user_unlock_path(:unlock_token => unlock_token)

test/integration/omniauthable_test.rb

@@ -1,7 +1,7 @@
 require 'test_helper'
 
 
-class OmniauthableIntegrationTest < ActionController::IntegrationTest
+class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   FACEBOOK_INFO = {
     "id" => '12345',
     "link" => 'http://facebook.com/josevalim',
@@ -90,7 +90,7 @@ class OmniauthableIntegrationTest < ActionController::IntegrationTest
     end
 
     assert session["devise.facebook_data"]
-    user = sign_in_as_user
+    sign_in_as_user
     assert !session["devise.facebook_data"]
   end
 

test/integration/recoverable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class PasswordTest < ActionController::IntegrationTest
+class PasswordTest < ActionDispatch::IntegrationTest
 
   def visit_new_password_path
     visit new_user_session_path
@@ -270,7 +270,7 @@ class PasswordTest < ActionController::IntegrationTest
   end
 
   test 'change password with invalid token in XML format should return invalid response' do
-    user = create_user
+    create_user
     request_forgot_password
     put user_password_path(:format => 'xml'), :user => {:reset_password_token => 'invalid.token', :password => '987654321', :password_confirmation => '987654321'}
     assert_response :unprocessable_entity

test/integration/registerable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class RegistrationTest < ActionController::IntegrationTest
+class RegistrationTest < ActionDispatch::IntegrationTest
 
   test 'a guest admin should be able to sign in successfully' do
     get new_admin_session_path
@@ -112,7 +112,7 @@ class RegistrationTest < ActionController::IntegrationTest
     #    https://github.com/mongoid/mongoid/issues/756
     (pending "Fails on Mongoid < 2.1"; break) if defined?(Mongoid) && Mongoid::VERSION.to_f < 2.1
 
-    user = create_user
+    create_user
     get new_user_registration_path
 
     fill_in 'email', :with => 'user@test.com'
@@ -285,14 +285,14 @@ class RegistrationTest < ActionController::IntegrationTest
   end
 
   test 'a user cancel his account in XML format should return valid response' do
-    user = sign_in_as_user
+    sign_in_as_user
     delete user_registration_path(:format => 'xml')
     assert_response :success
     assert_equal User.count, 0
   end
 end
 
-class ReconfirmableRegistrationTest < ActionController::IntegrationTest
+class ReconfirmableRegistrationTest < ActionDispatch::IntegrationTest
   test 'a signed in admin should see a more appropriate flash message when editing his account if reconfirmable is enabled' do
     sign_in_as_admin
     get edit_admin_registration_path

test/integration/rememberable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class RememberMeTest < ActionController::IntegrationTest
+class RememberMeTest < ActionDispatch::IntegrationTest
   def create_user_and_remember(add_to_token='')
     user = create_user
     user.remember_me!
@@ -26,7 +26,7 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'do not remember the user if he has not checked remember me option' do
-    user = sign_in_as_user
+    sign_in_as_user
     assert_nil request.cookies["remember_user_cookie"]
   end
 
@@ -43,7 +43,7 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'generate remember token after sign in' do
-    user = sign_in_as_user :remember_me => true
+    sign_in_as_user :remember_me => true
     assert request.cookies["remember_user_token"]
   end
 
@@ -84,7 +84,7 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'remember the user before sign up and redirect him to his home' do
-    user = create_user_and_remember
+    create_user_and_remember
     get new_user_registration_path
     assert warden.authenticated?(:user)
     assert_redirected_to root_path
@@ -92,7 +92,7 @@ class RememberMeTest < ActionController::IntegrationTest
 
   test 'cookies are destroyed on unverified requests' do
     swap ApplicationController, :allow_forgery_protection => true do
-      user = create_user_and_remember
+      create_user_and_remember
       get users_path
       assert warden.authenticated?(:user)
       post root_path, :authenticity_token => 'INVALID'
@@ -117,7 +117,7 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'do not remember other scopes' do
-    user = create_user_and_remember
+    create_user_and_remember
     get root_path
     assert_response :success
     assert warden.authenticated?(:user)
@@ -125,14 +125,14 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'do not remember with invalid token' do
-    user = create_user_and_remember('add')
+    create_user_and_remember('add')
     get users_path
     assert_not warden.authenticated?(:user)
     assert_redirected_to new_user_session_path
   end
 
   test 'do not remember with expired token' do
-    user = create_user_and_remember
+    create_user_and_remember
     swap Devise, :remember_for => 0 do
       get users_path
       assert_not warden.authenticated?(:user)
@@ -141,7 +141,7 @@ class RememberMeTest < ActionController::IntegrationTest
   end
 
   test 'do not remember the user anymore after forget' do
-    user = create_user_and_remember
+    create_user_and_remember
     get users_path
     assert warden.authenticated?(:user)
 

test/integration/timeoutable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class SessionTimeoutTest < ActionController::IntegrationTest
+class SessionTimeoutTest < ActionDispatch::IntegrationTest
 
   def last_request_at
     @controller.user_session['last_request_at']

test/integration/token_authenticatable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class TokenAuthenticationTest < ActionController::IntegrationTest
+class TokenAuthenticationTest < ActionDispatch::IntegrationTest
 
   test 'authenticate with valid authentication token key and value through params' do
     swap Devise, :token_authentication_key => :secret_token do
@@ -129,6 +129,46 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'authenticate with valid authentication token key and value through http header' do
+    swap Devise, :token_authentication_key => :secret_token do
+      sign_in_as_new_user_with_token(:token_auth => true)
+
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert_equal request.env['devise.token_options'], {}
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'authenticate with valid authentication token key and value through http header, with options' do
+    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:token_options] do
+      signature = "**TESTSIGNATURE**"
+      sign_in_as_new_user_with_token(:token_auth => true, :token_options => {:signature => signature, :nonce => 'def'})
+
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert_equal request.env['devise.token_options'][:signature], signature
+      assert_equal request.env['devise.token_options'][:nonce], 'def'
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'authenticate with valid authentication token key and value through http header without allowing token authorization setting is denied' do
+    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => false do
+      sign_in_as_new_user_with_token(:token_auth => true)
+
+      assert_response :unauthorized
+      assert_nil warden.user(:user)
+    end
+  end
+
+  test 'does not authenticate with improper authentication token value in header' do
+    sign_in_as_new_user_with_token(:token_auth => true, :auth_token => '*** INVALID TOKEN ***')
+
+    assert_response :unauthorized
+    assert_nil warden.user(:user)
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})
@@ -140,6 +180,10 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
       if options[:http_auth]
         header = "Basic #{Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
         get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
+      elsif options[:token_auth]
+        token_options = options[:token_options] || {}
+        header = ActionController::HttpAuthentication::Token.encode_credentials(options[:auth_token], token_options)
+        get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
       else
         visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
       end

test/integration/trackable_test.rb

@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class TrackableHooksTest < ActionController::IntegrationTest
+class TrackableHooksTest < ActionDispatch::IntegrationTest
 
   test "current and last sign in timestamps are updated on each sign in" do
     user = create_user

test/mailers/confirmation_instructions_test.rb

@@ -46,6 +46,16 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     assert_equal ['custom@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults with proc' do
+    Devise.mailer = 'Users::FromProcMailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'custom mailer renders parent mailer template' do
+    Devise.mailer = 'Users::Mailer'
+    assert_not_blank mail.body.encoded
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end
@@ -56,7 +66,6 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
     assert_equal ['custom_reply_to@example.com'], mail.reply_to
   end
 
-
   test 'setup subject from I18n' do
     store_translations :en, :devise => { :mailer => { :confirmation_instructions => { :subject => 'Account Confirmation' } } } do
       assert_equal 'Account Confirmation', mail.subject
@@ -70,7 +79,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match /#{user.email}/, mail.body.encoded
+    assert_match user.email, mail.body.encoded
   end
 
   test 'body should have link to confirm the account' do

test/mailers/reset_password_instructions_test.rb

@@ -1,7 +1,6 @@
 require 'test_helper'
 
 class ResetPasswordInstructionsTest < ActionMailer::TestCase
-
   def setup
     setup_mailer
     Devise.mailer = 'Devise::Mailer'
@@ -49,6 +48,16 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
     assert_equal ['custom@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults with proc' do
+    Devise.mailer = 'Users::FromProcMailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'custom mailer renders parent mailer template' do
+    Devise.mailer = 'Users::Mailer'
+    assert_not_blank mail.body.encoded
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end
@@ -66,7 +75,7 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match(/#{user.email}/, mail.body.encoded)
+    assert_match user.email, mail.body.encoded
   end
 
   test 'body should have link to confirm the account' do

test/mailers/unlock_instructions_test.rb

@@ -49,6 +49,16 @@ class UnlockInstructionsTest < ActionMailer::TestCase
     assert_equal ['custom@example.com'], mail.from
   end
 
+  test 'setup sender from custom mailer defaults with proc' do
+    Devise.mailer = 'Users::FromProcMailer'
+    assert_equal ['custom@example.com'], mail.from
+  end
+
+  test 'custom mailer renders parent mailer template' do
+    Devise.mailer = 'Users::Mailer'
+    assert_not_blank mail.body.encoded
+  end
+
   test 'setup reply to as copy from sender' do
     assert_equal ['test@example.com'], mail.reply_to
   end
@@ -66,7 +76,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match(/#{user.email}/, mail.body.encoded)
+    assert_match user.email, mail.body.encoded
   end
 
   test 'body should have link to unlock the account' do

test/models/authenticatable_test.rb

@@ -6,8 +6,8 @@ class AuthenticatableTest < ActiveSupport::TestCase
   end
 
   test 'find_first_by_auth_conditions allows custom filtering parameters' do
-    user = User.create!(email: "example@example.com", password: "123456")
-    assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }), user
-    assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id + 1), nil
+    user = User.create!(:email => "example@example.com", :password => "123456")
+    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }), user
+    assert_nil User.find_first_by_auth_conditions({ :email => "example@example.com" }, :id => user.id.to_s.next)
   end
 end

test/models/confirmable_test.rb

@@ -104,6 +104,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     end
   end
 
+  test 'should skip confirmation e-mail without confirming if skip_confirmation_notification! is invoked' do
+    user = new_user
+    user.skip_confirmation_notification!
+
+    assert_email_not_sent do
+      user.save!
+      assert !user.confirmed?
+    end
+  end
+
   test 'should find a user to send confirmation instructions' do
     user = create_user
     confirmation_user = User.send_confirmation_instructions(:email => user.email)
@@ -204,6 +214,13 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not user.active_for_authentication?
   end
 
+  test 'should be active when we set allow_unconfirmed_access_for to nil' do
+    Devise.allow_unconfirmed_access_for = nil
+    user = create_user
+    user.confirmation_sent_at = Date.today
+    assert user.active_for_authentication?
+  end
+
   test 'should not be active without confirmation' do
     user = create_user
     user.confirmation_sent_at = nil

test/models/database_authenticatable_test.rb

@@ -52,6 +52,18 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_equal( { "login" => "foo@bar.com", "bool1" => "true", "bool2" => "false", "fixnum" => "123", "will_be_converted" => "1..10" }, conditions)
   end
 
+  test 'param filter should filter case_insensitive_keys as insensitive' do
+    conditions = {'insensitive' => 'insensitive_VAL', 'sensitive' => 'sensitive_VAL'}
+    conditions = Devise::ParamFilter.new(['insensitive'], []).filter(conditions)
+    assert_equal( {'insensitive' => 'insensitive_val', 'sensitive' => 'sensitive_VAL'}, conditions )
+  end
+
+  test 'param filter should filter strip_whitespace_keys stripping whitespaces' do
+    conditions = {'strip_whitespace' => ' strip_whitespace_val ', 'do_not_strip_whitespace' => ' do_not_strip_whitespace_val '}
+    conditions = Devise::ParamFilter.new([], ['strip_whitespace']).filter(conditions)
+    assert_equal( {'strip_whitespace' => 'strip_whitespace_val', 'do_not_strip_whitespace' => ' do_not_strip_whitespace_val '}, conditions )
+  end
+
   test 'should respond to password and password confirmation' do
     user = new_user
     assert user.respond_to?(:password)
@@ -183,6 +195,26 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.valid_password?('12345678')
   end
 
+  test 'should destroy user if current password is valid' do
+    user = create_user
+    assert user.destroy_with_password('12345678')
+    assert !user.persisted?
+  end
+
+  test 'should not destroy user with invalid password' do
+    user = create_user
+    assert_not user.destroy_with_password('other')
+    assert user.persisted?
+    assert_match "is invalid", user.errors[:current_password].join
+  end
+
+  test 'should not destroy user with blank password' do
+    user = create_user
+    assert_not user.destroy_with_password(nil)
+    assert user.persisted?
+    assert_match "can't be blank", user.errors[:current_password].join
+  end
+
   test 'downcase_keys with validation' do
     user = User.create(:email => "HEllO@example.com", :password => "123456")
     user = User.create(:email => "HEllO@example.com", :password => "123456")

test/models/lockable_test.rb

@@ -59,7 +59,7 @@ class LockableTest < ActiveSupport::TestCase
     assert_not user.active_for_authentication?
   end
 
-  test "should unlock a user by cleaning locked_at, falied_attempts and unlock_token" do
+  test "should unlock a user by cleaning locked_at, failed_attempts and unlock_token" do
     user = create_user
     user.lock_access!
     assert_not_nil user.reload.locked_at

test/models/rememberable_test.rb

@@ -57,9 +57,10 @@ class RememberableTest < ActiveSupport::TestCase
 
   test 'forget_me should not try to update resource if it has been destroyed' do
     resource = create_resource
-    resource.destroy
     resource.expects(:remember_created_at).never
     resource.expects(:save).never
+
+    resource.destroy
     resource.forget_me!
   end
 
@@ -114,7 +115,7 @@ class RememberableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'remember should not be expired if it was created whitin the limit time' do
+  test 'remember should not be expired if it was created within the limit time' do
     swap Devise, :remember_for => 30.days do
       resource = create_resource
       resource.remember_me!
@@ -166,7 +167,7 @@ class RememberableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'should have the required_fiels array' do
+  test 'should have the required_fields array' do
     assert_same_content Devise::Models::Rememberable.required_fields(User), [
       :remember_created_at
     ]

test/models/serializable_test.rb

@@ -6,18 +6,18 @@ class SerializableTest < ActiveSupport::TestCase
   end
 
   test 'should not include unsafe keys on XML' do
-    assert_match /email/, @user.to_xml
-    assert_no_match /confirmation-token/, @user.to_xml
+    assert_match(/email/, @user.to_xml)
+    assert_no_match(/confirmation-token/, @user.to_xml)
   end
 
   test 'should not include unsafe keys on XML even if a new except is provided' do
-    assert_no_match /email/, @user.to_xml(:except => :email)
-    assert_no_match /confirmation-token/, @user.to_xml(:except => :email)
+    assert_no_match(/email/, @user.to_xml(:except => :email))
+    assert_no_match(/confirmation-token/, @user.to_xml(:except => :email))
   end
 
   test 'should include unsafe keys on XML if a force_except is provided' do
-    assert_no_match /<email/, @user.to_xml(:force_except => :email)
-    assert_match /confirmation-token/, @user.to_xml(:force_except => :email)
+    assert_no_match(/<email/, @user.to_xml(:force_except => :email))
+    assert_match(/confirmation-token/, @user.to_xml(:force_except => :email))
   end
 
   test 'should not include unsafe keys on JSON' do

test/models/validatable_test.rb

@@ -59,7 +59,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'doesn\'t match confirmation', user.errors[:password].join
   end
 
-  test 'should require password when updating/reseting password' do
+  test 'should require password when updating/resetting password' do
     user = create_user
 
     user.password = ''
@@ -69,7 +69,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'can\'t be blank', user.errors[:password].join
   end
 
-  test 'should require confirmation when updating/reseting password' do
+  test 'should require confirmation when updating/resetting password' do
     user = create_user
     user.password_confirmation = 'another_password'
     assert user.invalid?
@@ -98,7 +98,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_not (user.errors[:password].join =~ /is too long/)
   end
 
-  test 'should complain about length even if possword is not required' do
+  test 'should complain about length even if password is not required' do
     user = new_user(:password => 'x'*129, :password_confirmation => 'x'*129)
     user.stubs(:password_required?).returns(false)
     assert user.invalid?

test/models_test.rb

@@ -83,7 +83,12 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'set null fields on migrations' do
-    Admin.create!
+    # Ignore email sending since no email exists.
+    klass = Class.new(Admin) do
+      def send_devise_notification(*); end
+    end
+
+    klass.create!
   end
 end
 

test/rails_app/app/mailers/users/mailer.rb

@@ -5,4 +5,8 @@ end
 class Users::ReplyToMailer < Devise::Mailer
   default :from     => 'custom@example.com'
   default :reply_to => 'custom_reply_to@example.com'
-end
+end
+
+class Users::FromProcMailer < Devise::Mailer
+  default :from     => proc { 'custom@example.com' }
+end

test/rails_app/config/routes.rb

@@ -17,39 +17,39 @@ Rails.application.routes.draw do
   devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" }
 
   as :user do
-    match "/as/sign_in", :to => "devise/sessions#new"
+    get "/as/sign_in", :to => "devise/sessions#new"
   end
 
-  match "/sign_in", :to => "devise/sessions#new"
+  get "/sign_in", :to => "devise/sessions#new"
 
   # Admin scope
   devise_for :admin, :path => "admin_area", :controllers => { :sessions => :"admins/sessions" }, :skip => :passwords
 
-  match "/admin_area/home", :to => "admins#index", :as => :admin_root
-  match "/anywhere", :to => "foo#bar", :as => :new_admin_password
+  get "/admin_area/home", :to => "admins#index", :as => :admin_root
+  get "/anywhere", :to => "foo#bar", :as => :new_admin_password
 
   authenticate(:admin) do
-    match "/private", :to => "home#private", :as => :private
+    get "/private", :to => "home#private", :as => :private
   end
 
   authenticate(:admin, lambda { |admin| admin.active? }) do
-    match "/private/active", :to => "home#private", :as => :private_active
+    get "/private/active", :to => "home#private", :as => :private_active
   end
 
   authenticated :admin do
-    match "/dashboard", :to => "home#admin_dashboard"
+    get "/dashboard", :to => "home#admin_dashboard"
   end
 
   authenticated :admin, lambda { |admin| admin.active? } do
-    match "/dashboard/active", :to => "home#admin_dashboard"
+    get "/dashboard/active", :to => "home#admin_dashboard"
   end
 
   authenticated do
-    match "/dashboard", :to => "home#user_dashboard"
+    get "/dashboard", :to => "home#user_dashboard"
   end
 
   unauthenticated do
-    match "/join", :to => "home#join"
+    get "/join", :to => "home#join"
   end
 
   # Routes for constraints testing
@@ -92,9 +92,9 @@ Rails.application.routes.draw do
     devise_for :delete_or_posts, :sign_out_via => [:delete, :post], :class_name => "Admin"
   end
 
-  match "/set", :to => "home#set"
-  match "/unauthenticated", :to => "home#unauthenticated"
-  match "/custom_strategy/new"
+  get "/set", :to => "home#set"
+  get "/unauthenticated", :to => "home#unauthenticated"
+  get "/custom_strategy/new"
 
   root :to => "home#index"
 end

test/test_helper.rb

@@ -10,7 +10,7 @@ require "orm/#{DEVISE_ORM}"
 
 I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__)
 
-require 'mocha'
+require 'mocha/setup'
 require 'webrat'
 Webrat.configure do |config|
   config.mode = :rails