Release v3.0.2

Remove trailing whitespaces

CHANGELOG.rdoc

@@ -1,3 +1,19 @@
+== 3.0.2
+
+* bug fix
+  * Skip storage for cookies on unverified requests
+
+== 3.0.1
+
+Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
+
+* enhancements
+  * Add after_confirmation callback
+
+* bug fix
+  * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
+  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+
 == 3.0.0
 
 * enhancements

Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.0.0.rc)
+    devise (3.0.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

README.md

@@ -12,7 +12,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 * Is Rack based;
 * Is a complete MVC solution based on Rails engines;
-* Allows you to have multiple roles (or models/scopes) signed in at the same time;
+* Allows you to have multiple models signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
 It's composed of 11 modules:
@@ -202,7 +202,7 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-If you have multiple roles, you may want to set up different parameter sanitizer per role. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
+If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
 
 ```ruby
 class User::ParameterSanitizer < Devise::ParameterSanitizer
@@ -240,7 +240,7 @@ Since Devise is an engine, all its views are packaged inside the gem. These view
 rails generate devise:views
 ```
 
-If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
+If you have more than one Devise model in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
 
 After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views:
 
@@ -384,7 +384,7 @@ You can read more about Omniauth support in the wiki:
 
 ### Configuring multiple models
 
-Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+Devise allows you to set up as many Devise models as you want. If you want to have an Admin model with just authentication and timeout features, in addition to the User model above, just run:
 
 ```ruby
 # Create a migration with the required fields
@@ -409,7 +409,9 @@ current_admin
 admin_session
 ```
 
-On the other hand, you can simply run the generator!
+Alternatively, you can simply run the Devise generator.
+
+Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend you to use a role-based approach, by either providing a role column or using [CanCan](https://github.com/ryanb/cancan).
 
 ### Other ORMs
 

gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,11 +1,11 @@
 PATH
   remote: ..
   specs:
-    devise (3.0.0.rc)
+    devise (3.0.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
-      warden (~> 1.2.1)
+      warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
@@ -38,7 +38,7 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.7)
@@ -129,7 +129,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

lib/devise.rb

@@ -223,6 +223,10 @@ module Devise
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
 
+  # Set if we should clean up the CSRF Token on authentication
+  mattr_accessor :clean_up_csrf_token_on_authentication
+  @@clean_up_csrf_token_on_authentication = true
+
   def self.encryptor=(value)
     warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
   end

lib/devise/controllers/rememberable.rb

@@ -21,6 +21,7 @@ module Devise
 
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
+        return if env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!(resource.extend_remember_period)
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

lib/devise/hooks/csrf_cleaner.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if Devise.clean_up_csrf_token_on_authentication
+    warden.request.session.try(:delete, :_csrf_token)
+  end
+end

lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/hooks/csrf_cleaner'
 
 module Devise
   module Models

lib/devise/models/confirmable.rb

@@ -66,7 +66,7 @@ module Devise
           self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
-          if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if self.class.reconfirmable && unconfirmed_email.present?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -76,6 +76,9 @@ module Devise
           else
             save(:validate => false)
           end
+
+          after_confirmation if saved
+          saved
         end
       end
 
@@ -264,6 +267,9 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && !self.email.blank?
         end
 
+        def after_confirmation
+        end
+
       module ClassMethods
         # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email

lib/devise/models/timeoutable.rb

@@ -37,7 +37,7 @@ module Devise
       private
 
       def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at)
+        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
         remember_created_at && !remember_expired?
       end
 

lib/devise/rails/warden_compat.rb

@@ -3,9 +3,16 @@ module Warden::Mixins::Common
     @request ||= ActionDispatch::Request.new(env)
   end
 
-  # This is called internally by Warden on logout
+  NULL_STORE =
+    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+
   def reset_session!
-    request.reset_session
+    # Calling reset_session on NULL_STORE causes it fail.
+    # This is a bug that needs to be fixed in Rails.
+    unless NULL_STORE && request.session.is_a?(NULL_STORE)
+      request.reset_session
+    end
   end
 
   def cookies

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.0.0".freeze
+  VERSION = "3.0.2".freeze
 end

lib/generators/devise/orm_helpers.rb

@@ -2,7 +2,7 @@ module Devise
   module Generators
     module OrmHelpers
       def model_contents
-<<-CONTENT
+        buffer = <<-CONTENT
   # Include default devise modules. Others available are:
   # :token_authenticatable, :confirmable,
   # :lockable, :timeoutable and :omniauthable
@@ -10,16 +10,36 @@ module Devise
          :recoverable, :rememberable, :trackable, :validatable
 
 CONTENT
+        buffer += <<-CONTENT if needs_attr_accessible?
+  # Setup accessible (or protected) attributes for your model
+  attr_accessible :email, :password, :password_confirmation, :remember_me
+
+CONTENT
+        buffer
       end
 
+      def needs_attr_accessible?
+        rails_3? && !strong_parameters_enabled?
+      end
+
+      def rails_3?
+        Rails::VERSION::MAJOR == 3
+      end
+
+      def strong_parameters_enabled?
+        defined?(ActionController::StrongParameters)
+      end
+
+      private
+
       def model_exists?
         File.exists?(File.join(destination_root, model_path))
       end
-      
+
       def migration_exists?(table_name)
         Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_to_#{table_name}.rb$/).first
       end
-      
+
       def migration_path
         @migration_path ||= File.join("db", "migrate")
       end
@@ -29,4 +49,4 @@ CONTENT
       end
     end
   end
-end
+end

lib/generators/mongoid/devise_generator.rb

@@ -22,7 +22,7 @@ module Mongoid
   ## Database authenticatable
   field :email,              :type => String, :default => ""
   field :encrypted_password, :type => String, :default => ""
-  
+
   ## Recoverable
   field :reset_password_token,   :type => String
   field :reset_password_sent_at, :type => Time
@@ -54,4 +54,4 @@ RUBY
       end
     end
   end
-end
+end

lib/generators/templates/devise.rb

@@ -76,6 +76,12 @@ Devise.setup do |config|
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.

test/controllers/helpers_test.rb

@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
+    @controller.session[:user_return_to] = "/foo.bar"
     @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")

test/generators/active_record_generator_test.rb

@@ -62,11 +62,41 @@ if DEVISE_ORM == :active_record
     destination File.expand_path("../../tmp", __FILE__)
     setup :prepare_destination
 
-    test "all files are properly created" do
+    test "all files are properly created in rails 4.0" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(false)
       simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
         run_generator ["monster"]
 
         assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is not installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(false)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(true)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
       end
     end
   end

test/integration/authenticatable_test.rb

@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
     assert_redirected_to new_user_session_path
   end
 
+  test 'refreshes _csrf_token' do
+    ApplicationController.allow_forgery_protection = true
+
+    begin
+      get new_user_session_path
+      token = request.session[:_csrf_token]
+
+      sign_in_as_user
+      assert_not_equal request.session[:_csrf_token], token
+    ensure
+      ApplicationController.allow_forgery_protection = false
+    end
+  end
+
   test 'allows session to be set for a given scope' do
     sign_in_as_user
     get '/users'
@@ -419,7 +433,7 @@ end
 
 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 

test/integration/http_authenticatable_test.rb

@@ -2,7 +2,7 @@ require 'test_helper'
 
 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       create_user
       post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
       assert warden.authenticated?(:user)

test/integration/rememberable_test.rb

@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_nil request.cookies["remember_user_cookie"]
   end
 
-  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+  test 'handle unverified requests gets rid of caches' do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
 
@@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'handle unverified requests does not create cookies on sign in' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      get new_user_session_path
+      assert request.session[:_csrf_token]
+
+      post user_session_path, :authenticity_token => "oops", :user =>
+           { email: "jose.valim@gmail.com", password: "123456", :remember_me => "1" }
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
+    end
+  end
+
   test 'generate remember token after sign in' do
     sign_in_as_user :remember_me => true
-    assert request.cookies["remember_user_token"]
+    assert request.cookies['remember_user_token']
   end
 
   test 'generate remember token after sign in setting cookie options' do
@@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_redirected_to root_path
   end
 
-  test 'cookies are destroyed on unverified requests' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      create_user_and_remember
-      get users_path
-      assert warden.authenticated?(:user)
-      post root_path, :authenticity_token => 'INVALID'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user

test/models/confirmable_test.rb

@@ -312,6 +312,27 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.ensure_confirmation_token!
     assert_equal user.confirmation_token, old
   end
+
+  test 'should call after_confirmation if confirmed' do
+    user = create_user
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
+    end
+    old = user.username
+    assert user.confirm!
+    assert_not_equal user.username, old
+  end
+
+  test 'should not call after_confirmation if not confirmed' do
+    user = create_user
+    assert user.confirm!
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
+    end
+    old = user.username
+    assert_not user.confirm!
+    assert_equal user.username, old
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase

test/models/timeoutable_test.rb

@@ -43,4 +43,9 @@ class TimeoutableTest < ActiveSupport::TestCase
   test 'required_fields should contain the fields that Devise uses' do
     assert_same_content Devise::Models::Timeoutable.required_fields(User), []
   end
+
+  test 'should not raise error if remember_created_at is not empty and rememberable is disabled' do
+    user = create_admin(remember_created_at: Time.current)
+    assert user.timedout?(31.minutes.ago)
+  end
 end