Release v3.1.2

Splat the arguments to strong_parameters#permit, fixes #2716

CHANGELOG.md

@@ -1,9 +1,24 @@
-== 3.1.0.rc
+== 3.1.2
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+  * Avoid e-mail enumeration on sign in when in paranoid mode
+
+== 3.1.1
+
+* bug fix
+  * Improve default message which asked users to sign in even when they were already signed (by @gregates)
+  * Improve error message for when the `config.secret_key` is missing
+
+== 3.1.0
+
+Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
 
 * backwards incompatible changes
   * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_tokens_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
-  * The Devise mailer and its views were changed to explicitly receive a token as argument. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
-  * Sanitization of parameters should be done by calling `devise_parameter_sanitizier.sanitize(:action)` instead of `devise_parameter_sanitizier.for(:action)`
+  * The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
+  * Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
 
 * deprecations
   * Token authentication is deprecated
@@ -13,6 +28,7 @@
   * Allow easier customization of parameter sanitizer (by @alexpeattie)
 
 * bug fix
+  * Do not confirm e-mail after password reset (by @moll)
   * Do not sign in after confirmation
   * Do not store confirmation, unlock and reset password tokens directly in the database
   * Do not compare directly against confirmation, unlock and reset password tokens
@@ -39,11 +55,14 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * enhancements
   * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
   * Drop support for Rails < 3.2 and Ruby < 1.9.3
-  * Enable to skip sending reconfirmation email when reconfirmable is on and skip_confirmation_notification! is invoked (by @tkhr)
+  * Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
 
 * bug fix
   * Errors on unlock are now properly reflected on the first `unlock_keys`
 
+* backwards incompatible changes
+  * Changes on session storage will expire all existing sessions on upgrade
+
 == 2.2.4
 
 * enhancements

Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.1.0.rc)
+    devise (3.1.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -48,7 +48,7 @@ GEM
       tzinfo (~> 0.3.37)
     arel (4.0.0)
     atomic (1.1.12)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
     builder (3.1.4)
     erubis (2.7.0)
     faraday (0.8.8)

README.md

@@ -2,7 +2,6 @@
 
 By [Plataformatec](http://plataformatec.com.br/).
 
-[![Gem Version](https://fury-badge.herokuapp.com/rb/devise.png)](http://badge.fury.io/rb/devise)
 [![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
 [![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
 

app/controllers/devise/confirmations_controller.rb

@@ -20,8 +20,12 @@ class Devise::ConfirmationsController < DeviseController
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      set_flash_message(:notice, :confirmed) if is_navigational_format?
-      sign_in(resource_name, resource) if Devise.allow_insecure_sign_in_after_confirmation
+      if Devise.allow_insecure_sign_in_after_confirmation
+        set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+      else
+        set_flash_message(:notice, :confirmed) if is_navigational_format?
+      end
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -39,6 +43,8 @@ class Devise::ConfirmationsController < DeviseController
     def after_confirmation_path_for(resource_name, resource)
       if Devise.allow_insecure_sign_in_after_confirmation
         after_sign_in_path_for(resource)
+      elsif signed_in?
+        signed_in_root_path(resource)
       else
         new_session_path(resource_name)
       end

app/controllers/devise/registrations_controller.rb

@@ -40,7 +40,7 @@ class Devise::RegistrationsController < DeviseController
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
-    if resource.update_with_password(account_update_params)
+    if update_resource(resource, account_update_params)
       if is_navigational_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
@@ -80,6 +80,12 @@ class Devise::RegistrationsController < DeviseController
       previous != resource.unconfirmed_email
   end
 
+  # By default we want to require a password checks on update.
+  # You can overwrite this method in your own RegistrationsController.
+  def update_resource(resource, params)
+    resource.update_with_password(params)
+  end
+
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
   def build_resource(hash=nil)

config/locales/en.yml

@@ -3,7 +3,8 @@
 en:
   devise:
     confirmations:
-      confirmed: "Your account was successfully confirmed. You are now signed in."
+      confirmed: "Your account was successfully confirmed."
+      confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
       send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:

gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (3.1.0.rc)
+    devise (3.1.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -39,8 +39,8 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    atomic (1.1.12)
-    bcrypt-ruby (3.1.1)
+    atomic (1.1.14)
+    bcrypt-ruby (3.1.2)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.8)
@@ -125,7 +125,7 @@ GEM
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    thread_safe (0.1.2)
+    thread_safe (0.1.3)
       atomic
     tilt (1.4.1)
     treetop (1.4.14)

lib/devise/hooks/lockable.rb

@@ -2,6 +2,6 @@
 # This is only triggered when the user is explicitly set (with set_user)
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
   if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
-    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.zero?
+    record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
   end
 end

lib/devise/models/confirmable.rb

@@ -228,11 +228,6 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
         def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

lib/devise/models/rememberable.rb

@@ -110,12 +110,16 @@ module Devise
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(id, remember_token)
           record = to_adapter.get(id)
-          record if record && record.rememberable_value == remember_token && !record.remember_expired?
+          record if record && !record.remember_expired? &&
+                    Devise.secure_compare(record.rememberable_value, remember_token)
         end
 
         # Generate a token checking if one does not already exist in the database.
         def remember_token #:nodoc:
-          generate_token(:remember_token)
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ :remember_token => token })
+          end
         end
 
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)

lib/devise/parameter_sanitizer.rb

@@ -47,19 +47,25 @@ module Devise
     end
 
     def sign_in
-      default_params.permit self.for(:sign_in)
+      permit self.for(:sign_in)
     end
 
     def sign_up
-      default_params.permit self.for(:sign_up)
+      permit self.for(:sign_up)
     end
 
     def account_update
-      default_params.permit self.for(:account_update)
+      permit self.for(:account_update)
     end
 
     private
 
+    # TODO: We do need to flatten so it works with strong_parameters
+    # gem. We should drop it once we move to Rails 4 only support.
+    def permit(keys)
+      default_params.permit(*Array(keys))
+    end
+
     # Change for(kind) to return the values in the @permitted
     # hash, allowing the developer to customize at runtime.
     def default_for(kind)

lib/devise/rails.rb

@@ -35,13 +35,6 @@ module Devise
           Devise::TokenGenerator.new(
             Devise::CachingKeyGenerator.new(Devise::KeyGenerator.new(secret_key))
           )
-        else
-          raise <<-ERROR
-Devise.secret_key was not set. Please add the following to your Devise initializer:
-
-  config.secret_key = '#{SecureRandom.hex(64)}'
-
-ERROR
         end
     end
 

lib/devise/rails/routes.rb

@@ -80,7 +80,8 @@ module ActionDispatch::Routing
     #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
     #
-    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification' }
+    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout',
+    #        :password => 'secret', :confirmation => 'verification', registration: 'register }
     #
     #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
     #    However, if you want them to point to custom controller, you should do:
@@ -191,6 +192,7 @@ module ActionDispatch::Routing
     #
     def devise_for(*resources)
       @devise_finalized = false
+      raise_no_secret_key unless Devise.secret_key
       options = resources.extract_options!
 
       options[:as]          ||= @scope[:as]     if @scope[:as].present?
@@ -434,6 +436,16 @@ module ActionDispatch::Routing
         end
       end
 
+      def raise_no_secret_key #:nodoc:
+        raise <<-ERROR
+Devise.secret_key was not set. Please add the following to your Devise initializer:
+
+  config.secret_key = '#{SecureRandom.hex(64)}'
+
+Please ensure you restarted your application after installing Devise or setting the key.
+ERROR
+      end
+
       def raise_no_devise_method_error!(klass) #:nodoc:
         raise "#{klass} does not respond to 'devise' method. This usually means you haven't " \
           "loaded your ORM file or it's being loaded too late. To fix it, be sure to require 'devise/orm/YOUR_ORM' " \

lib/devise/strategies/database_authenticatable.rb

@@ -5,13 +5,16 @@ module Devise
     # Default strategy for signing in a user, based on his email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        return fail(:not_found_in_database) unless resource
+        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        encrypted = false
 
-        if validate(resource){ resource.valid_password?(password) }
+        if validate(resource){ encrypted = true; resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
         end
+
+        mapping.to.new.password = password if !encrypted && Devise.paranoid
+        fail(:not_found_in_database) unless resource
       end
     end
   end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.1.0.rc".freeze
+  VERSION = "3.1.2".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -50,7 +50,7 @@ module ActiveRecord
       t.datetime :remember_created_at
 
       ## Trackable
-      t.integer  :sign_in_count, :default => 0
+      t.integer  :sign_in_count, :default => 0, :null => false
       t.datetime :current_sign_in_at
       t.datetime :last_sign_in_at
       t.string   :current_sign_in_ip
@@ -63,12 +63,9 @@ module ActiveRecord
       # t.string   :unconfirmed_email # Only if using reconfirmable
 
       ## Lockable
-      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
       # t.string   :unlock_token # Only if unlock strategy is :email or :both
       # t.datetime :locked_at
-
-      ## Token authenticatable
-      # t.string :authentication_token
 RUBY
       end
     end

lib/generators/active_record/templates/migration.rb

@@ -14,6 +14,5 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :reset_password_token, :unique => true
     # add_index :<%= table_name %>, :confirmation_token,   :unique => true
     # add_index :<%= table_name %>, :unlock_token,         :unique => true
-    # add_index :<%= table_name %>, :authentication_token, :unique => true
   end
 end

lib/generators/active_record/templates/migration_existing.rb

@@ -15,7 +15,6 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
     add_index :<%= table_name %>, :reset_password_token, :unique => true
     # add_index :<%= table_name %>, :confirmation_token,   :unique => true
     # add_index :<%= table_name %>, :unlock_token,         :unique => true
-    # add_index :<%= table_name %>, :authentication_token, :unique => true
   end
 
   def self.down

lib/generators/devise/orm_helpers.rb

@@ -4,8 +4,7 @@ module Devise
       def model_contents
         buffer = <<-CONTENT
   # Include default devise modules. Others available are:
-  # :token_authenticatable, :confirmable,
-  # :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 

lib/generators/templates/devise.rb

@@ -98,7 +98,7 @@ Devise.setup do |config|
   config.stretches = Rails.env.test? ? 1 : 10
 
   # Setup a pepper to generate the encrypted password.
-  # config.pepper = <%= SecureRandom.hex(64).inspect %>
+  # config.pepper = '<%= SecureRandom.hex(64) %>'
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without

test/controllers/passwords_controller_test.rb

@@ -6,7 +6,7 @@ class PasswordsControllerTest < ActionController::TestCase
 
   setup do
     request.env["devise.mapping"] = Devise.mappings[:user]
-    @user = create_user
+    @user = create_user.tap(&:confirm!)
     @raw  = @user.send_reset_password_instructions
   end
 

test/integration/confirmable_test.rb

@@ -62,6 +62,18 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
+    swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
+      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
+      assert_not user.confirmed?
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
+
+      assert_contain 'Your account was successfully confirmed. You are now signed in.'
+      assert_current_url root_url
+      assert user.reload.confirmed?
+    end
+  end
+
   test 'user should be redirected to a custom path after confirmation' do
     Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
 
@@ -123,6 +135,16 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'unconfirmed but signed in user should be redirected to their root path' do
+    swap Devise, :allow_unconfirmed_access_for => 1.day do
+      user = sign_in_as_user(:confirm => false)
+
+      visit_user_confirmation_with_token(user.raw_confirmation_token)
+      assert_contain 'Your account was successfully confirmed.'
+      assert_current_url '/'
+    end
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
       :failure => { :user => { :unconfirmed => "Not confirmed user" } }

test/integration/recoverable_test.rb

@@ -236,15 +236,6 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}

test/models/rememberable_test.rb

@@ -22,6 +22,14 @@ class RememberableTest < ActiveSupport::TestCase
     user.forget_me!
   end
 
+  test 'can generate remember token' do
+    user = create_user
+    user.singleton_class.send(:attr_accessor, :remember_token)
+    User.to_adapter.expects(:find_first).returns(nil)
+    user.remember_me!
+    assert user.remember_token
+  end
+
   test 'serialize into cookie' do
     user = create_user
     user.remember_me!

test/parameter_sanitizer_test.rb

@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
         sanitizer.sanitize(:unknown)
       end
     end
+
+    test 'passes parameters to filter as arguments to sanitizer' do
+      params = {user: stub}
+      sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
+
+      params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
+
+      sanitizer.sanitize(:sign_in)
+    end
   end
 end