Release v3.5.1

Formatting

.travis.yml

@@ -1,31 +1,41 @@
 language: ruby
-script: "bundle exec rake test"
-install: script/cached-bundle install --deployment --path vendor/bundle
+
 rvm:
   - 1.9.3
   - 2.0.0
-  - 2.1.2
+  - 2.1
+  - 2.2
+
+gemfile:
+  - gemfiles/Gemfile.rails-4.2-stable
+  - gemfiles/Gemfile.rails-4.1-stable
+  - gemfiles/Gemfile.rails-4.0-stable
+  - gemfiles/Gemfile.rails-3.2-stable
+  - Gemfile
+
+matrix:
+  exclude:
+    - rvm: 2.2
+      gemfile: gemfiles/Gemfile.rails-3.2-stable
+
+services:
+  - mongodb
+
+sudo: false
+
+cache: bundler
+
 env:
   matrix:
     - DEVISE_ORM=mongoid
     - DEVISE_ORM=active_record
-  global:
-    # AMAZON_S3_BUCKET
-    - secure: "qkeYGn2mpgsgU5tKS9GWvFp/utUF/9O8++Shch24DMnq8OB01TrV5QQ2Elj7sSjMWqw2Pbe56nUCA9eOWXhPglGyIq2AI9E0umsEGZxdRlqqobpiMWs5wl8KZ0cFD1rZm6CwfL8atmcNfTt5TnvsaQ2l/k3TerOT2e66R/Mibk8="
-    # AMAZON_ACCESS_KEY_ID
-    - secure: "rTYGUFH9SPN0L7QtdE6Liyy/1z7nGKxqDF9LMRsmNsIfsqxoTPKZ8bCctQ4ksuk9svynGQsLfsda5pA+YvuALzjdWmGcID6ENgOGvoFnhZO5LuJ5f6t0k8gFpV9oBquQgDWzhzrcPYvCUrUYg3GSlHjFSXdPdht3SoYn7PiDaNs="
-    # AMAZON_SECRET_ACCESS_KEY
-    - secure: "VJ4qiWMzoleLojCcluX+w0RtaFVc9ybRNo6NODkGhHSaao8+4EX4rETBQG67tNSInk1iuNqCcZAGwC8V/12RXdao3PguRSLD5IiKeT+D78dqFEoP0+yHg4PbmZ6TJXADW3gUv/IOqkW7f/UYGinRaPu7hloyiC498FpQdmMWSNI="
-gemfile:
-  - gemfiles/Gemfile.rails-head
-  - gemfiles/Gemfile.rails-4.0-stable
-  - gemfiles/Gemfile.rails-3.2-stable
-  - Gemfile
-matrix:
-  allow_failures:
-    - gemfile: gemfiles/Gemfile.rails-head
-services:
-  - mongodb
+
+before_install: "rm ${BUNDLE_GEMFILE}.lock"
+
+before_script: "bundle update"
+
+script: "bundle exec rake test"
+
 notifications:
   email: false
   campfire:

CHANGELOG.md

@@ -1,9 +1,64 @@
-### Unreleased
+### 3.5.1 - 2015-05-24
+
+Note: 3.5.0 has been yanked due to a regression
+
+* security improvements
+  * Clean up reset password token whenever e-mail or password changes. thanks to George Deglin & Dennis Charles Hackethal for reporting this bug
+  * Ensure empty `authenticable_salt` cannot be used as remember token. This bug can only affect users who manually implement their own `authenticable_salt` and allow empty values as salt
 
 * enhancements
-* bug fixes
+  * The hint about minimum password length required both `@validatable` and `@minimum_password_length` variables on the views, it now uses only the latter. If you have generated the views relying on the `@validatable` variable, replace it with `@minimum_password_length`.
+  * Added an ActiveSupport load hook for `:devise_controller`. (by @nakhli)
+  * Location fragments are now preserved between requests. (by @jbourassa)
+  * Added an `after_remembered` callback for the Rememerable module. (by @BM5k)
+  * `RegistrationsController#new` and `SessionsController#new` now yields the
+    current resource. (by @mtarnovan, @deivid-rodriguez)
+  * Password length validation is now limited to 72 characters for newer apps. (by @lleger)
+  * Controllers inheriting from any Devise core controller will now use appropriate translations. The i18n scope can be overridden in `translation_scope`.
+  * Allow the user to set the length of friendly token. (by @Angelmmiguel)
 
-### 3.3.0
+* bug fixes
+  * Use router_name from scope if one is available to support isolated engines. (by @cipater)
+  * Do not clean up CSRF on rememberable.
+  * Only use flash if it has been configured in failure app. (by @alex88)
+
+* deprecations
+  * `confirm!` has been deprecated in favor of `confirm`.
+  * `reset_password!` has been deprecated in favor of `reset_password`.
+  * `Devise.bcrypt` has been deprecated in favor of `Devise::Encryptor.digest`".
+
+### 3.4.1 - 2014-10-29
+
+* enhancements
+  * Devise default views now have a similar markup to Rails scaffold views. (by @udaysinghcode, @cllns)
+  * Passing `now: true` to the `set_flash_message` helper now sets the message into
+    the `flash.now` Hash. (by @hbriggs)
+* bugfixes
+  * Fixed an regression with translation of flash messages for when the `authentication_keys`
+  config is a Hash. (by @lucasmazza)
+
+### 3.4.0 - 2014-10-03
+
+* enhancements
+  * Support added for Rails 4.2. Devise now depends on the `responders` gem due
+    the extraction of the `respond_with` API from Rails. (by @lucasmazza)
+  * The Simple Form templates follow the same change from 3.3.0 by using `Log in` and adding
+    a hint about the minimum password length when `validatable` is enabled. (by @aried3r)
+  * Controller generator added as `devise:controllers SCOPE`. You can use the `-c` flag
+    to pick which controllers (`unlocks`, `confirmations`, etc) you want to generate. (by @Chun-Yang)
+  * Removed the hardcoded references for "email" in the flash messages. If you are using
+    different attributes as the `authentication_keys` they will be interpolated in the
+    messages instead. (by @timoschilling)
+* bug fix
+  * Fixed a regression where the devise generator would fail with a `ConnectionNotEstablished`
+    exception when executed inside a mountable engine. (by @lucasmazza)
+  * Ensure to return symbols in find_scope! fixing a previous regression from 3.3.0 (by @micat)
+  * Ensure all causes of failed login have the same error message (by @pjungwir)
+  * The `last_attempt_warning` now takes effect when generating the unauthenticated
+    message for your users. To keep the current behavior, this flag is now `true`
+    by default. (by @lucasmazza)
+
+### 3.3.0 - 2014-08-13
 
 * enhancements
   * Support multiple warden configuration blocks on devise configuration. (by @rossta)
@@ -27,13 +82,13 @@
   * Ensure registration controller block yields happen on failure in addition to success (by @dpehrson)
   * Only valid paths will be stored for redirections (by @parallel588)
 
-### 3.2.4
+### 3.2.4 - 2014-03-17
 
 * enhancements
   * `bcrypt` dependency updated due https://github.com/codahale/bcrypt-ruby/pull/86.
   * View generator now can generate specific views with the `-v` flag, like `rails g devise:views -v sessions` (by @kayline)
 
-### 3.2.3
+### 3.2.3 - 2014-02-20
 
 * enhancements
   * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
@@ -42,14 +97,14 @@
 * bug fix
   * Migrations will be properly generated when using rails 4.1.0.
 
-### 3.2.2
+### 3.2.2 - 2013-11-25
 
 * bug fix
   * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
   * Keep the query string when storing location (by @csexton)
   * Require rails generator base class in devise generators
 
-### 3.2.1
+### 3.2.1 - 2013-11-13
 
 Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
 
@@ -61,7 +116,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumerati
   * Bring `password_digest` back to fix compatibility with `devise-encryptable`
   * Avoid e-mail enumeration on sign in when in paranoid mode
 
-### 3.2.0
+### 3.2.0 - 2013-11-06
 
 * enhancements
   * Previously deprecated token authenticatable and insecure lookups have been removed
@@ -80,13 +135,13 @@ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumerati
 * deprecations
   * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`
 
-### 3.1.1
+### 3.1.1 - 2013-10-01
 
 * bug fix
   * Improve default message which asked users to sign in even when they were already signed (by @gregates)
   * Improve error message for when the config.secret_key is missing
 
-### 3.1.0
+### 3.1.0 - 2013-09-05
 
 Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
 
@@ -109,12 +164,12 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-w
   * Do not compare directly against confirmation, unlock and reset password tokens
   * Skip storage for cookies on unverified requests
 
-### 3.0.2
+### 3.0.2 - 2013-08-09
 
 * bug fix
   * Skip storage for cookies on unverified requests
 
-### 3.0.1
+### 3.0.1 - 2013-08-02
 
 Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
 
@@ -125,7 +180,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
   * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
   * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
 
-### 3.0.0
+### 3.0.0 - 2013-07-14
 
 * enhancements
   * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
@@ -135,7 +190,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * bug fix
   * Errors on unlock are now properly reflected on the first `unlock_keys`
 
-### 2.2.4
+### 2.2.4 - 2013-05-07
 
 * enhancements
   * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
@@ -154,25 +209,25 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * backwards incompatible changes
   * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
 
-### 2.2.3
+### 2.2.3 - 2013-01-26
 
 Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
 
 * bug fix
   * Require string conversion for all values
 
-### 2.2.2
+### 2.2.2 - 2013-01-15
 
 * bug fix
   * Fix bug when checking for reconfirmable in templates
 
-### 2.2.1
+### 2.2.1 - 2013-01-11
 
 * bug fix
   * Fix regression with case_insensitive_keys
   * Fix regression when password is blank when it is invalid
 
-### 2.2.0
+### 2.2.0 - 2013-01-08
 
 * backwards incompatible changes
   * `headers_for` is deprecated, customize the mailer directly instead
@@ -203,17 +258,17 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
   * `update_with_password` doesn't change encrypted password when it is invalid (by @nashby)
   * Properly handle namespaced models on Active Record generator (by @nashby)
 
-### 2.1.4
+### 2.1.4 - 2013-08-18
 
 * bugfix
   * Do not confirm account after reset password
 
-### 2.1.3
+### 2.1.3 - 2013-01-26
 
 * bugfix
   * Require string conversion for all values
 
-### 2.1.2
+### 2.1.2 - 2012-06-19
 
 * enhancements
   * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
@@ -221,7 +276,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
 * bug fix
   * Fix regression on strategy validation on previous release
 
-### 2.1.1 (yanked)
+### 2.1.1 - 2012-06-15 (yanked)
 
 * enhancements
   * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
@@ -238,7 +293,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
 * deprecations
   * Strategy#validate() no longer validates nil resources
 
-### 2.1.0
+### 2.1.0 - 2012-05-15
 
 * enhancements
   * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
@@ -265,7 +320,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
   * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
   * Reverted moving devise/shared/_links.erb to devise/_links.erb
 
-### 2.0.4
+### 2.0.4 - 2012-02-17
 
 Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
 
@@ -273,7 +328,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Fix when :host is used with devise_for  (by @mreinsch)
   * Fix a regression that caused Warden to be initialized too late
 
-### 2.0.3 (yanked)
+### 2.0.3 - 2012-06-16 (yanked)
 
 * bug fix
   * Ensure warning is not shown by mistake on apps with mounted engines
@@ -281,7 +336,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure serializable_hash does not depend on accessible attributes
   * Ensure that timeout callback does not run on sign out action
 
-### 2.0.2
+### 2.0.2 - 2012-02-14
 
 * enhancements
   * Add devise_i18n_options to customize I18n message
@@ -293,7 +348,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Show a warning in case someone gives a pluralized name to devise generator
   * Fix test behavior for rspec subject requests (by @sj26)
 
-### 2.0.1
+### 2.0.1 - 2012-02-09
 
 * enhancements
   * Improved error messages on deprecation warnings
@@ -302,7 +357,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Removed tmp and log files from gem
 
-### 2.0.0
+### 2.0.0 - 2012-01-26
 
 * enhancements
   * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
@@ -328,14 +383,14 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
   * Protected method render_with_scope was removed.
 
-### 1.5.3
+### 1.5.3 - 2011-12-19
 
 * bug fix
   * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
   * Ensure passing :format => false to devise_for is not permanent
   * Ensure path checker does not check invalid routes
 
-### 1.5.2
+### 1.5.2 - 2011-11-30
 
 * enhancements
   * Add support for Rails 3.1 new mass assignment conventions (by @kirs)
@@ -344,12 +399,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)
 
-### 1.5.1
+### 1.5.1 - 2011-11-22
 
 * bug fix
   * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.
 
-### 1.5.0
+### 1.5.0 - 2011-11-13
 
 * enhancements
   * Timeoutable also skips tracking if skip_trackable is given
@@ -370,12 +425,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * redirect_location is deprecated, please use after_sign_in_path_for
   * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it
 
-### 1.4.9
+### 1.4.9 - 2011-10-19
 
 * bug fix
   * url helpers were not being set under some circumstances
 
-### 1.4.8
+### 1.4.8 - 2011-10-09
 
 * enhancements
   * Add docs for assets pipeline and Heroku
@@ -383,12 +438,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * confirmation_url was not being set under some circumstances
 
-### 1.4.7
+### 1.4.7 - 2011-09-21
 
 * bug fix
   * Fix backward incompatible change from 1.4.6 for those using custom controllers
 
-### 1.4.6 (yanked)
+### 1.4.6 - 2011-09-19 (yanked)
 
 * enhancements
   * Allow devise_for :skip => :all
@@ -396,7 +451,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Allow --skip-routes to devise generator
   * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
 
-### 1.4.5
+### 1.4.5 - 2011-09-07
 
 * bug fix
   * Failure app tries the root path if a session one does not exist
@@ -404,12 +459,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Reset password shows proper message if user is not active
   * `clean_up_passwords` sets the accessors to nil to skip validations
 
-### 1.4.4
+### 1.4.4 - 2011-08-30
 
 * bug fix
   * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually
 
-### 1.4.3
+### 1.4.3 - 2011-08-29
 
 * enhancements
   * Improve Rails 3.1 compatibility
@@ -425,12 +480,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecations
   * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation
 
-### 1.4.2
+### 1.4.2 - 2011-06-30
 
 * bug fix
   * Provide a more robust behavior to serializers and add :force_except option
 
-### 1.4.1
+### 1.4.1 - 2011-06-29
 
 * enhancements
   * Add :defaults and :format support on router
@@ -441,7 +496,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure to_xml is properly white listened
   * Ensure handle_unverified_request clean up any cached signed-in user
 
-### 1.4.0
+### 1.4.0 - 2011-06-23
 
 * enhancements
   * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
@@ -459,22 +514,22 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Devise now honors routes constraints (by @macmartine)
   * Do not return the user resource when requesting instructions (by @rodrigoflores)
 
-### 1.3.4
+### 1.3.4 - 2011-04-28
 
 * bug fix
   * Do not add formats if html or "*/*"
 
-### 1.3.3
+### 1.3.3 - 2011-04-20
 
 * bug fix
   * Explicitly mark the token as expired if so
 
-### 1.3.2
+### 1.3.2 - 2011-04-20
 
 * bug fix
   * Fix another regression related to reset_password_sent_at (by @alexdreher)
 
-### 1.3.1
+### 1.3.1 - 2011-04-18
 
 * enhancements
   * Improve failure_app responses (by @indirect)
@@ -483,7 +538,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)
 
-### 1.3.0
+### 1.3.0 - 2011-04-15
 
 * enhancements
   * All controllers can now handle different mime types than html using Responders (by @sikachu)
@@ -503,19 +558,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * backward incompatible changes
   * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.
 
-### 1.2.1
+### 1.2.1 - 2011-03-27
 
 * enhancements
   * Improve update path messages
 
-### 1.2.0
+### 1.2.0 - 2011-03-24
 
 * bug fix
   * Properly ignore path prefix on omniauthable
   * Faster uniqueness queries
   * Rename active? to active_for_authentication? to avoid conflicts
 
-### 1.2.rc2
+### 1.2.rc2 - 2011-03-10
 
 * enhancements
   * Make friendly_token 20 chars long
@@ -545,7 +600,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Removed --haml and --slim view templates
   * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode
 
-### 1.2.rc
+### 1.2.rc - 2010-10-25
 
 * deprecations
   * cookie_domain is deprecated in favor of cookie_options
@@ -583,13 +638,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure namespaces has proper scoped views
   * Ensure Devise does not set empty flash messages (by @sxross)
 
-### 1.1.6
+### 1.1.6 - 2011-02-14
 
 * Use a more secure e-mail regexp
 * Implement Rails 3.0.4 handle unverified request
 * Use secure_compare to compare passwords
 
-### 1.1.5
+### 1.1.5 - 2010-11-26
 
 * bugfix
   * Ensure to convert keys on indifferent hash
@@ -597,12 +652,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * defaults
   * Set config.http_authenticatable to false to avoid confusion
 
-### 1.1.4
+### 1.1.4 - 2010-11-25
 
 * bugfix
   * Avoid session fixation attacks
 
-### 1.1.3
+### 1.1.3 - 2010-09-23
 
 * bugfix
   * Add reply-to to e-mail headers by default
@@ -613,17 +668,17 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
   * :default options is now honored in migrations
 
-### 1.1.2
+### 1.1.2 - 2010-08-25
 
 * bugfix
   * Compatibility with latest Rails routes schema
 
-### 1.1.1
+### 1.1.1 - 2010-07-26
 
 * bugfix
   * Fix a small bug where generated locale file was empty on devise:install
 
-### 1.1.0
+### 1.1.0 - 2010-07-25
 
 * enhancements
   * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
@@ -643,7 +698,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecations
   * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead
 
-### 1.1.rc2
+### 1.1.rc2 - 2010-06-22
 
 * enhancements
   * Allow to set cookie domain for the remember token. (by @mantas)
@@ -661,7 +716,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
   * Generators now use Rails 3 syntax (devise:install) instead of devise_install
 
-### 1.1.rc1
+### 1.1.rc1 - 2010-04-14
 
 * enhancements
   * Rails 3 compatibility
@@ -693,7 +748,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
   * :as and :scope in routes is deprecated. Use :path and :singular instead
 
-### 1.0.8
+### 1.0.8 - 2010-06-22
 
 * enhancements
   * Support for latest MongoMapper
@@ -702,7 +757,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * confirmation_required? is properly honored on active? calls. (by @paulrosania)
 
-### 1.0.7
+### 1.0.7 - 2010-05-02
 
 * bug fix
   * Ensure password confirmation is always required
@@ -711,14 +766,14 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * authenticatable was deprecated and renamed to database_authenticatable
   * confirmable is not included by default on generation
 
-### 1.0.6
+### 1.0.6 - 2010-04-02
 
 * bug fix
   * Do not allow unlockable strategies based on time to access a controller.
   * Do not send unlockable email several times.
   * Allow controller to upstram custom! failures to Warden.
 
-### 1.0.5
+### 1.0.5 - 2010-03-25
 
 * bug fix
   * Use prepend_before_filter in require_no_authentication.
@@ -726,19 +781,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Fix a bug when giving an association proxy to devise.
   * Do not use lock! on lockable since it's part of ActiveRecord API.
 
-### 1.0.4
+### 1.0.4 - 2010-03-02
 
 * bug fix
   * Fixed a bug when deleting an account with rememberable
   * Fixed a bug with custom controllers
 
-### 1.0.3
+### 1.0.3 - 2010-02-22
 
 * enhancements
   * HTML e-mails now have proper formatting
   * Do not remove MongoMapper options in find
 
-### 1.0.2
+### 1.0.2 - 2010-02-17
 
 * enhancements
   * Allows you set mailer content type (by @glennr)
@@ -746,7 +801,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Uses the same content type as request on http authenticatable 401 responses
 
-### 1.0.1
+### 1.0.1 - 2010-02-16
 
 * enhancements
   * HttpAuthenticatable is not added by default automatically.
@@ -755,7 +810,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fixed encryptors autoload
 
-### 1.0.0
+### 1.0.0 - 2010-02-08
 
 * deprecation
   * :old_password in update_with_password is deprecated, use :current_password instead
@@ -766,7 +821,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Allow scoped_views to be customized per controller/mailer class
   * Allow authenticatable to used in change_table statements
 
-### 0.9.2
+### 0.9.2 - 2010-02-04
 
 * bug fix
   * Ensure inactive user cannot sign in
@@ -776,13 +831,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added gemspec to repo
   * Added token authenticatable (by @grimen)
 
-### 0.9.1
+### 0.9.1 - 2010-01-24
 
 * bug fix
   * Allow bigger salt size (by @jgeiger)
   * Fix relative url root
 
-### 0.9.0
+### 0.9.0 - 2010-01-20
 
 * deprecation
   * devise :all is deprecated
@@ -799,7 +854,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Accept path prefix not starting with slash
   * url helpers should rely on find_scope!
 
-### 0.8.2
+### 0.8.2 - 2010-01-12
 
 * enhancements
   * Allow Devise.mailer_sender to be a proc (by @grimen)
@@ -807,7 +862,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)
 
-### 0.8.1
+### 0.8.1 - 2010-01-07
 
 * enhancements
   * Move salt to encryptors
@@ -817,7 +872,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Bcrypt generator was not being loaded neither setting the proper salt
 
-### 0.8.0
+### 0.8.0 - 2010-01-06
 
 * enhancements
   * Warden 0.8.0 compatibility
@@ -831,19 +886,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecation
   * Removed DeviseMailer.sender
 
-### 0.7.5
+### 0.7.5 - 2010-01-01
 
 * enhancements
   * Set a default value for mailer to avoid find_template issues
   * Add models configuration to MongoMapper::EmbeddedDocument as well
 
-### 0.7.4
+### 0.7.4 - 2009-12-21
 
 * enhancements
   * Extract Activatable from Confirmable
   * Decouple Serializers from Devise modules
 
-### 0.7.3
+### 0.7.3 - 2009-12-15
 
 * bug fix
   * Give scope to the proper model validation
@@ -853,7 +908,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added update_with_password for authenticatable
   * Allow render_with_scope to accept :controller option
 
-### 0.7.2
+### 0.7.2 - 2009-12-14
 
 * deprecation
   * Renamed reset_confirmation! to resend_confirmation!
@@ -863,12 +918,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Fixed render_with_scope to work with all controllers
   * Allow sign in with two different users in Devise::TestHelpers
 
-### 0.7.1
+### 0.7.1 - 2009-12-09
 
 * enhancements
   * Small enhancements for other plugins compatibility (by @grimen)
 
-### 0.7.0
+### 0.7.0 - 2009-12-08
 
 * deprecations
   * :authenticatable is not included by default anymore
@@ -877,25 +932,25 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Improve loading process
   * Extract SessionSerializer from Authenticatable
 
-### 0.6.3
+### 0.6.3 - 2009-12-02
 
 * bug fix
   * Added trackable to migrations
   * Allow inflections to work
 
-### 0.6.2
+### 0.6.2 - 2009-11-25
 
 * enhancements
   * More DataMapper compatibility
   * Devise::Trackable - track sign in count, timestamps and ips
 
-### 0.6.1
+### 0.6.1 - 2009-11-24
 
 * enhancements
   * Devise::Timeoutable - timeout sessions without activity
   * DataMapper now accepts conditions
 
-### 0.6.0
+### 0.6.0 - 2009-11-22
 
 * deprecations
   * :authenticatable is still included by default, but yields a deprecation warning
@@ -906,19 +961,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Allow a strategy to be placed after authenticatable
   * Do not rely attribute? methods, since they are not added on Datamapper
 
-### 0.5.6
+### 0.5.6 - 2009-11-21
 
 * enhancements
   * Do not send nil to build (DataMapper compatibility)
   * Allow to have scoped views
 
-### 0.5.5
+### 0.5.5 - 2009-11-20
 
 * enhancements
   * Allow overwriting find for authentication method
   * Remove Ruby 1.8.7 dependency
 
-### 0.5.4
+### 0.5.4 - 2009-11-19
 
 * deprecations
   * Deprecate :singular in devise_for and use :scope instead
@@ -929,7 +984,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Create sign_in_and_redirect and sign_out_and_redirect helpers
   * Warden::Manager.default_scope is automatically configured to the first given scope
 
-### 0.5.3
+### 0.5.3 - 2009-11-18
 
 * bug fix
   * MongoMapper now converts DateTime to Time
@@ -941,20 +996,20 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
     in cases you don't want it be handlded automatically
 
-### 0.5.2
+### 0.5.2 - 2009-11-17
 
 * enhancements
   * Improved sign_in and sign_out helpers to accepts resources
   * Added stored_location_for as a helper
   * Added test helpers
 
-### 0.5.1
+### 0.5.1 - 2009-11-15
 
 * enhancements
   * Added serializers based on Warden ones
   * Allow authentication keys to be set
 
-### 0.5.0
+### 0.5.0 - 2009-11-13
 
 * bug fix
   * Fixed a bug where remember me module was not working properly
@@ -964,13 +1019,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
   * Added support for MongoMapper (by @shingara)
 
-### 0.4.3
+### 0.4.3 - 2009-11-10
 
 * bug fix
   * Authentication just fails if user cannot be serialized from session, without raising errors;
   * Default configuration values should not overwrite user values;
 
-### 0.4.2
+### 0.4.2 - 2009-11-06
 
 * deprecations
   * Renamed mail_sender to mailer_sender
@@ -982,12 +1037,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Allow :path_prefix to be given to devise_for
   * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)
 
-### 0.4.1
+### 0.4.1 - 2009-11-04
 
 * bug fix
   * Ensure options can be set even if models were not loaded
 
-### 0.4.0
+### 0.4.0 - 2009-11-03
 
 * deprecations
   * Notifier is deprecated, use DeviseMailer instead. Remember to rename
@@ -1000,7 +1055,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Allow Warden::Manager to be configured through Devise
   * Created a generator which creates an initializer
 
-### 0.3.0
+### 0.3.0 - 2009-10-30
 
 * bug fix
   * Allow yml messages to be configured by not using engine locales
@@ -1010,7 +1065,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Do not send confirmation messages when user changes their e-mail
   * Renamed authenticable to authenticatable and added deprecation warnings
 
-### 0.2.3
+### 0.2.3 - 2009-10-29
 
 * enhancements
   * Ensure fail! works inside strategies
@@ -1020,12 +1075,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Do not redirect on invalid authenticate
   * Allow model configuration to be set to nil
 
-### 0.2.2
+### 0.2.2 - 2009-10-28
 
 * bug fix
   * Fix a bug when using customized resources
 
-### 0.2.1
+### 0.2.1 - 2009-10-27
 
 * refactor
   * Clean devise_views generator to use devise existing views
@@ -1037,7 +1092,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fix a bug with Mongrel and Ruby 1.8.6
 
-### 0.2.0
+### 0.2.0 - 2009-10-24
 
 * enhancements
   * Allow option :null => true in authenticable migration
@@ -1052,12 +1107,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fixes
   * Fixed requiring devise strategies
 
-### 0.1.1
+### 0.1.1 - 2009-10-21
 
 * bug fixes
   * Fixed requiring devise mapping
 
-### 0.1.0
+### 0.1.0 - 2009-10-21
 
 * Devise::Authenticable
 * Devise::Confirmable

Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 4.1.0"
+gem "rails", "4.2.1"
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
@@ -25,5 +25,5 @@ platforms :ruby do
 end
 
 group :mongoid do
-  gem "mongoid", "~> 4.0.0"
+  gem "mongoid", github: "mongoid/mongoid", branch: "master"
 end

Gemfile.lock

@@ -1,78 +1,97 @@
 PATH
   remote: .
   specs:
-    devise (3.3.0)
+    devise (3.5.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
-GEM
-  remote: https://rubygems.org/
+GIT
+  remote: git://github.com/mongoid/mongoid.git
+  revision: a4365d7ecfa8221bfcf36a4e7ce7993142fc5940
+  branch: master
   specs:
-    actionmailer (4.1.4)
-      actionpack (= 4.1.4)
-      actionview (= 4.1.4)
-      mail (~> 2.5.4)
-    actionpack (4.1.4)
-      actionview (= 4.1.4)
-      activesupport (= 4.1.4)
-      rack (~> 1.5.2)
-      rack-test (~> 0.6.2)
-    actionview (4.1.4)
-      activesupport (= 4.1.4)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-    activemodel (4.1.4)
-      activesupport (= 4.1.4)
-      builder (~> 3.1)
-    activerecord (4.1.4)
-      activemodel (= 4.1.4)
-      activesupport (= 4.1.4)
-      arel (~> 5.0.0)
-    activesupport (4.1.4)
-      i18n (~> 0.6, >= 0.6.9)
-      json (~> 1.7, >= 1.7.7)
-      minitest (~> 5.1)
-      thread_safe (~> 0.1)
-      tzinfo (~> 1.1)
-    arel (5.0.1.20140414130214)
-    bcrypt (3.1.7)
-    bson (2.3.0)
-    builder (3.2.2)
-    connection_pool (2.0.0)
-    erubis (2.7.0)
-    faraday (0.9.0)
-      multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
-    hike (1.2.3)
-    i18n (0.6.11)
-    json (1.8.1)
-    jwt (1.0.0)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    metaclass (0.0.4)
-    mime-types (1.25.1)
-    mini_portile (0.6.0)
-    minitest (5.4.0)
-    mocha (1.1.0)
-      metaclass (~> 0.0.1)
     mongoid (4.0.0)
       activemodel (~> 4.0)
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    arel (6.0.0)
+    bcrypt (3.1.10)
+    bson (2.3.0)
+    builder (3.2.2)
+    connection_pool (2.1.3)
+    erubis (2.7.0)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.3.3)
+      activesupport (>= 4.1.0)
+    hashie (3.4.0)
+    hike (1.2.3)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
+    mocha (1.1.0)
+      metaclass (~> 0.0.1)
+    moped (2.0.4)
       bson (~> 2.2)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -95,49 +114,55 @@ GEM
     optionable (0.2.0)
     origin (2.1.1)
     orm_adapter (0.5.0)
-    polyglot (0.3.5)
-    rack (1.5.2)
+    rack (1.6.0)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.1.4)
-      actionmailer (= 4.1.4)
-      actionpack (= 4.1.4)
-      actionview (= 4.1.4)
-      activemodel (= 4.1.4)
-      activerecord (= 4.1.4)
-      activesupport (= 4.1.4)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.4)
-      sprockets-rails (~> 2.0)
-    railties (4.1.4)
-      actionpack (= 4.1.4)
-      activesupport (= 4.1.4)
+      railties (= 4.2.1)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    ruby-openid (2.5.0)
-    sprockets (2.12.1)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (2.1.0)
+      railties (>= 4.2.0, < 5)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.1.3)
+    sprockets-rails (2.2.4)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
     thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
     tilt (1.4.1)
-    treetop (1.4.15)
-      polyglot
-      polyglot (>= 0.3.1)
-    tzinfo (1.2.1)
+    tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.3)
       rack (>= 1.0)
@@ -155,12 +180,12 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid (~> 4.0.0)
+  mongoid!
   omniauth (~> 1.2.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.1.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 4.1.0)
+  rails (= 4.2.1)
   rdoc
   sqlite3
   webrat (= 0.7.3)

MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2015 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -2,8 +2,9 @@
 
 By [Plataformatec](http://plataformatec.com.br/).
 
-[![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
-[![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
+[![Build Status](https://api.travis-ci.org/plataformatec/devise.svg?branch=master)](http://travis-ci.org/plataformatec/devise)
+[![Code Climate](https://codeclimate.com/github/plataformatec/devise.svg)](https://codeclimate.com/github/plataformatec/devise)
+[![Security](https://hakiri.io/github/plataformatec/devise/master.svg)](https://hakiri.io/github/plataformatec/devise/master)
 
 This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/).
 
@@ -12,18 +13,18 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Is Rack based;
 * Is a complete MVC solution based on Rails engines;
 * Allows you to have multiple models signed in at the same time;
-* Is based on a modularity concept: use just what you really need.
+* Is based on a modularity concept: use only what you really need.
 
 It's composed of 10 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support.
+* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/intridea/omniauth) support.
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
 * [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
 * [Rememberable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
 * [Trackable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
-* [Timeoutable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have no activity in a specified period of time.
+* [Timeoutable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
 * [Validatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
 * [Lockable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
 
@@ -43,7 +44,7 @@ If you discover a problem with Devise, we would like to know about it. However,
 
 https://github.com/plataformatec/devise/wiki/Bug-reports
 
-If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
+If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
 
 ### Mailing list
 
@@ -81,12 +82,12 @@ You will usually want to write tests for your changes.  To run the test suite, g
 
 ## Starting with Rails?
 
-If you are building your first Rails application, we recommend you to *not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch, today we have two resources:
+If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today we have two resources that should help you get started:
 
-* Michael Hartl's online book: http://www.railstutorial.org/book/demo_app#sec-modeling_demo_users
+* Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
 
-Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
+Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
 ## Getting started
 
@@ -104,7 +105,7 @@ After you install Devise and add it to your Gemfile, you need to run the generat
 rails generate devise:install
 ```
 
-The generator will install an initializer which describes ALL Devise's configuration options and you MUST take a look at it. When you are done, you are ready to add Devise to any of your models using the generator:
+The generator will install an initializer which describes ALL of Devise's configuration options. It is *imperative* that you take a look at it. When you are done, you are ready to add Devise to any of your models using the generator:
 
 ```console
 rails generate devise MODEL
@@ -120,7 +121,7 @@ Next, you need to set up the default URL options for the Devise mailer in each e
 config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
 ```
 
-You should restart your application after changing Devise's configuration options. Otherwise you'll run into strange errors like users being unable to login and route helpers being undefined.
+You should restart your application after changing Devise's configuration options. Otherwise, you will run into strange errors, for example, users being unable to login and route helpers being undefined.
 
 ### Controller filters and helpers
 
@@ -150,7 +151,7 @@ You can access the session for this scope:
 user_session
 ```
 
-After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. For instance, for a `:user` resource, the `user_root_path` will be used if it exists, otherwise the default `root_path` will be used. This means that you need to set the root inside your routes:
+After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect to. For instance, when using a `:user` resource, the `user_root_path` will be used if it exists; otherwise, the default `root_path` will be used. This means that you need to set the root inside your routes:
 
 ```ruby
 root to: "home#index"
@@ -178,7 +179,7 @@ The Devise method in your models also accepts some options to configure its modu
 devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
 ```
 
-Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above.
+Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`.
 
 ### Strong Parameters
 
@@ -186,11 +187,11 @@ When you customize your own views, you may end up adding new attributes to forms
 
 There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
 
-* `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
+* `sign_in` (`Devise::SessionsController#create`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™), you can do so using a simple before filter in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -214,7 +215,7 @@ def configure_permitted_parameters
 end
 ```
 
-If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters permitted scalars, so we need to configure Devise thusly:
+If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters' permitted scalars, so we need to configure Devise in the following way:
 
 ```ruby
 def configure_permitted_parameters
@@ -225,7 +226,7 @@ For the list of permitted scalars, and how to declare permitted keys in nested h
 
 https://github.com/rails/strong_parameters#nested-parameters
 
-If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
+If you have multiple Devise models, you may want to set up a different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and adding your own logic:
 
 ```ruby
 class User::ParameterSanitizer < Devise::ParameterSanitizer
@@ -271,7 +272,7 @@ After doing so, you will be able to have views based on the role like `users/ses
 rails generate devise:views users
 ```
 
-If you want to generate only a few set of views, like the ones for the `registrable` and `confirmable` module,
+If you would like to generate only a few sets of views, like the ones for the `registerable` and `confirmable` module,
 you can pass a list of modules to the generator with the `-v` flag.
 
 ```console
@@ -282,29 +283,39 @@ rails generate devise:views -v registrations confirmations
 
 If the customization at the views level is not enough, you can customize each controller by following these steps:
 
-1. Create your custom controller, for example a `Admins::SessionsController`:
+1. Create your custom controllers using the generator which requires a scope:
 
-    ```ruby
-    class Admins::SessionsController < Devise::SessionsController
-    end
+    ```console
+    rails generate devise:controllers [scope]
     ```
 
-    Note that in the above example, the controller needs to be created in the `app/controllers/admins/` directory.
+    If you specify `users` as the scope, controllers will be created in `app/controllers/users/`.
+    And the sessions controller will look like this:
+
+    ```ruby
+    class Users::SessionsController < Devise::SessionsController
+      # GET /resource/sign_in
+      # def new
+      #   super
+      # end
+      ...
+    end
+    ```
 
 2. Tell the router to use this controller:
 
     ```ruby
-    devise_for :admins, controllers: { sessions: "admins/sessions" }
+    devise_for :users, controllers: { sessions: "users/sessions" }
     ```
 
-3. Copy the views from `devise/sessions` to `admins/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.
+3. Copy the views from `devise/sessions` to `users/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.
 
 4. Finally, change or extend the desired controller actions.
 
     You can completely override a controller action:
 
     ```ruby
-    class Admins::SessionsController < Devise::SessionsController
+    class Users::SessionsController < Devise::SessionsController
       def create
         # custom sign-in code
       end
@@ -314,7 +325,7 @@ If the customization at the views level is not enough, you can customize each co
     Or you can simply add new behaviour to it:
 
     ```ruby
-    class Admins::SessionsController < Devise::SessionsController
+    class Users::SessionsController < Devise::SessionsController
       def create
         super do |resource|
           BackgroundWorker.trigger(resource)
@@ -325,7 +336,7 @@ If the customization at the views level is not enough, you can customize each co
 
     This is useful for triggering background jobs or logging events during certain actions.
 
-Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash.
+Remember that Devise uses flash messages to let users know if sign in was successful or unsuccessful. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash.
 
 ### Configuring routes
 
@@ -345,11 +356,11 @@ devise_scope :user do
 end
 ```
 
-This way you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.
+This way, you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.
 
 ### I18n
 
-Devise uses flash messages with I18n with the flash keys :notice and :alert. To customize your app, you can set up your locale file:
+Devise uses flash messages with I18n, in conjunction with the flash keys :notice and :alert. To customize your app, you can set up your locale file:
 
 ```yaml
 en:
@@ -387,7 +398,7 @@ Take a look at our locale file to check all available messages. You may also be
 
 https://github.com/plataformatec/devise/wiki/I18n
 
-Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController
+Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController.
 
 ### Test helpers
 
@@ -399,7 +410,7 @@ class ActionController::TestCase
 end
 ```
 
-If you're using RSpec, you can put the following inside a file named `spec/support/devise.rb` or in your `spec/spec_helper.rb`:
+If you're using RSpec, you can put the following inside a file named `spec/support/devise.rb` or in your `spec/spec_helper.rb` (or `spec/rails_helper.rb` if you are using rspec-rails):
 
 ```ruby
 RSpec.configure do |config|
@@ -407,6 +418,8 @@ RSpec.configure do |config|
 end
 ```
 
+Just be sure that this inclusion is made *after* the `require 'rspec/rails'` directive.
+
 Now you are ready to use the `sign_in` and `sign_out` methods. Such methods have the same signature as in controllers:
 
 ```ruby
@@ -421,22 +434,26 @@ There are two things that are important to keep in mind:
 
 1. These helpers are not going to work for integration tests driven by Capybara or Webrat. They are meant to be used with functional tests only. Instead, fill in the form or explicitly set the user in session;
 
-2. If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from the router, but since functional tests do not pass through the router, it needs to be told explicitly. For example, if you are testing the user scope, simply do:
+2. If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from the router, but since functional tests do not pass through the router, it needs to be stated explicitly. For example, if you are testing the user scope, simply use:
 
     ```ruby
     @request.env["devise.mapping"] = Devise.mappings[:user]
     get :new
     ```
 
-### Omniauth
+You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-Devise comes with Omniauth support out of the box to authenticate with other providers. To use it, just specify your omniauth configuration in `config/initializers/devise.rb`:
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+
+### OmniAuth
+
+Devise comes with OmniAuth support out of the box to authenticate with other providers. To use it, simply specify your OmniAuth configuration in `config/initializers/devise.rb`:
 
 ```ruby
 config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
 ```
 
-You can read more about Omniauth support in the wiki:
+You can read more about OmniAuth support in the wiki:
 
 * https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
@@ -449,7 +466,7 @@ Devise allows you to set up as many Devise models as you want. If you want to ha
 create_table :admins do |t|
   t.string :email
   t.string :encrypted_password
-  t.timestamps
+  t.timestamps null: false
 end
 
 # Inside your Admin model
@@ -469,17 +486,43 @@ admin_session
 
 Alternatively, you can simply run the Devise generator.
 
-Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend you to use a role-based approach, by either providing a role column or using a dedicated gem for authorization.
+Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend that you use a role-based approach, by either providing a role column or using a dedicated gem for authorization.
+
+### ActiveJob Integration
+
+If you are using Rails 4.2 and ActiveJob to deliver ActionMailer messages in the
+background through a queuing back-end, you can send Devise emails through your
+existing queue by overriding the `send_devise_notification` method in your model.
+
+```ruby
+def send_devise_notification(notification, *args)
+  devise_mailer.send(notification, self, *args).deliver_later
+end
+```
+
+### Password reset tokens and Rails logs
+
+If you enable the [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
+
+1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked.
+2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked.
+
+Rails sets the production logger level to DEBUG by default. Consider changing your production logger level to WARN if you wish to prevent tokens from being leaked into your logs. In `config/environments/production.rb`:
+
+```ruby
+config.log_level = :warn
+```
+
 
 ### Other ORMs
 
-Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file.
+Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.
 
 ## Additional information
 
 ### Heroku
 
-Using Devise on Heroku with Ruby on Rails 3.1 requires setting:
+Using Devise on Heroku with Ruby on Rails 3.2 requires setting:
 
 ```ruby
 config.assets.initialize_on_precompile = false
@@ -501,6 +544,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2015 Plataformatec. http://plataformatec.com.br
 
-You are not granted rights or licenses to the trademarks of the Plataformatec, including without limitation the Devise name or logo.
+You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

Rakefile

@@ -1,5 +1,6 @@
 # encoding: UTF-8
-require "bundler/gem_tasks"
+
+require 'bundler/gem_tasks'
 require 'rake/testtask'
 require 'rdoc/task'
 

app/controllers/devise/confirmations_controller.rb

@@ -33,7 +33,7 @@ class Devise::ConfirmationsController < DeviseController
 
     # The path used after resending confirmation instructions.
     def after_resending_confirmation_instructions_path_for(resource_name)
-      new_session_path(resource_name) if is_navigational_format?
+      is_navigational_format? ? new_session_path(resource_name) : '/'
     end
 
     # The path used after confirmation.
@@ -44,4 +44,8 @@ class Devise::ConfirmationsController < DeviseController
         new_session_path(resource_name)
       end
     end
+
+    def translation_scope
+      'devise.confirmations'
+    end
 end

app/controllers/devise/omniauth_callbacks_controller.rb

@@ -27,4 +27,8 @@ class Devise::OmniauthCallbacksController < DeviseController
   def after_omniauth_failure_path_for(scope)
     new_session_path(scope)
   end
+
+  def translation_scope
+    'devise.omniauth_callbacks'
+  end
 end

app/controllers/devise/passwords_controller.rb

@@ -23,6 +23,7 @@ class Devise::PasswordsController < DeviseController
   # GET /resource/password/edit?reset_password_token=abcdef
   def edit
     self.resource = resource_class.new
+    set_minimum_password_length
     resource.reset_password_token = params[:reset_password_token]
   end
 
@@ -33,10 +34,15 @@ class Devise::PasswordsController < DeviseController
 
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
-      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_flashing_format?
-      sign_in(resource_name, resource)
-      respond_with resource, location: after_resetting_password_path_for(resource)
+      if Devise.sign_in_after_reset_password
+        flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
+        set_flash_message(:notice, flash_message) if is_flashing_format?
+        sign_in(resource_name, resource)
+        respond_with resource, location: after_resetting_password_path_for(resource)
+      else
+        set_flash_message(:notice, :updated_not_active) if is_flashing_format?
+        respond_with resource, location: new_session_path(resource_name)
+      end
     else
       respond_with resource
     end
@@ -67,4 +73,8 @@ class Devise::PasswordsController < DeviseController
         resource.respond_to?(:unlock_strategy_enabled?) &&
         resource.unlock_strategy_enabled?(:email)
     end
+
+    def translation_scope
+      'devise.passwords'
+    end
 end

app/controllers/devise/registrations_controller.rb

@@ -1,14 +1,12 @@
 class Devise::RegistrationsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [ :new, :create, :cancel ]
+  prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
   prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]
 
   # GET /resource/sign_up
   def new
     build_resource({})
-    @validatable = devise_mapping.validatable?
-    if @validatable
-      @minimum_password_length = resource_class.password_length.min
-    end
+    set_minimum_password_length
+    yield resource if block_given?
     respond_with self.resource
   end
 
@@ -16,9 +14,9 @@ class Devise::RegistrationsController < DeviseController
   def create
     build_resource(sign_up_params)
 
-    resource_saved = resource.save
+    resource.save
     yield resource if block_given?
-    if resource_saved
+    if resource.persisted?
       if resource.active_for_authentication?
         set_flash_message :notice, :signed_up if is_flashing_format?
         sign_up(resource_name, resource)
@@ -30,10 +28,7 @@ class Devise::RegistrationsController < DeviseController
       end
     else
       clean_up_passwords resource
-      @validatable = devise_mapping.validatable?
-      if @validatable
-        @minimum_password_length = resource_class.password_length.min
-      end
+      set_minimum_password_length
       respond_with resource
     end
   end
@@ -145,4 +140,8 @@ class Devise::RegistrationsController < DeviseController
   def account_update_params
     devise_parameter_sanitizer.sanitize(:account_update)
   end
+
+  def translation_scope
+    'devise.registrations'
+  end
 end

app/controllers/devise/sessions_controller.rb

@@ -1,13 +1,14 @@
 class Devise::SessionsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [ :new, :create ]
+  prepend_before_filter :require_no_authentication, only: [:new, :create]
   prepend_before_filter :allow_params_authentication!, only: :create
   prepend_before_filter :verify_signed_out_user, only: :destroy
-  prepend_before_filter only: [ :create, :destroy ] { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new
     self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
+    yield resource if block_given?
     respond_with(resource, serialize_options(resource))
   end
 
@@ -45,6 +46,10 @@ class Devise::SessionsController < DeviseController
     { scope: resource_name, recall: "#{controller_path}#new" }
   end
 
+  def translation_scope
+    'devise.sessions'
+  end
+
   private
 
   # Check if there is no signed in user before doing the sign out.

app/controllers/devise/unlocks_controller.rb

@@ -43,4 +43,7 @@ class Devise::UnlocksController < DeviseController
       new_session_path(resource)  if is_navigational_format?
     end
 
+    def translation_scope
+      'devise.unlocks'
+    end
 end

app/controllers/devise_controller.rb

@@ -6,12 +6,28 @@ class DeviseController < Devise.parent_controller.constantize
 
   helpers = %w(resource scope_name resource_name signed_in_resource
                resource_class resource_params devise_mapping)
-  hide_action(*helpers)
   helper_method(*helpers)
 
   prepend_before_filter :assert_is_devise_resource!
   respond_to :html if mimes_for_respond_to.empty?
 
+  # Override prefixes to consider the scoped view.
+  # Notice we need to check for the request due to a bug in
+  # Action Controller tests that forces _prefixes to be
+  # loaded before even having a request object.
+  #
+  # This method should be public as it is is in ActionPack
+  # itself. Changing its visibility may break other gems.
+  def _prefixes #:nodoc:
+    @_prefixes ||= if self.class.scoped_views? && request && devise_mapping
+      ["#{devise_mapping.scoped_path}/#{controller_name}"] + super
+    else
+      super
+    end
+  end
+
+  protected
+
   # Gets the actual resource stored in the instance variable
   def resource
     instance_variable_get(:"@#{resource_name}")
@@ -38,22 +54,6 @@ class DeviseController < Devise.parent_controller.constantize
     @devise_mapping ||= request.env["devise.mapping"]
   end
 
-  # Override prefixes to consider the scoped view.
-  # Notice we need to check for the request due to a bug in
-  # Action Controller tests that forces _prefixes to be
-  # loaded before even having a request object.
-  def _prefixes #:nodoc:
-    @_prefixes ||= if self.class.scoped_views? && request && devise_mapping
-      ["#{devise_mapping.scoped_path}/#{controller_name}"] + super
-    else
-      super
-    end
-  end
-
-  hide_action :_prefixes
-
-  protected
-
   # Checks whether it's a devise mapped resource or not.
   def assert_is_devise_resource! #:nodoc:
     unknown_action! <<-MESSAGE unless devise_mapping
@@ -129,8 +129,11 @@ MESSAGE
   end
 
   # Sets the flash message with :key, using I18n. By default you are able
-  # to setup your messages using specific resource scope, and if no one is
-  # found we look to default scope.
+  # to setup your messages using specific resource scope, and if no message is
+  # found we look to the default scope. Set the "now" options key to a true
+  # value to populate the flash.now hash in lieu of the default flash hash (so
+  # the flash message will be available to the current action instead of the
+  # next action).
   # Example (i18n locale file):
   #
   #   en:
@@ -144,7 +147,18 @@ MESSAGE
   # available.
   def set_flash_message(key, kind, options = {})
     message = find_message(kind, options)
-    flash[key] = message if message.present?
+    if options[:now]
+      flash.now[key] = message if message.present?
+    else
+      flash[key] = message if message.present?
+    end
+  end
+
+  # Sets minimum password length to show to user
+  def set_minimum_password_length
+    if devise_mapping.validatable?
+      @minimum_password_length = resource_class.password_length.min
+    end
   end
 
   def devise_i18n_options(options)
@@ -153,13 +167,20 @@ MESSAGE
 
   # Get message for given
   def find_message(kind, options = {})
-    options[:scope] = "devise.#{controller_name}"
+    options[:scope] ||= translation_scope
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
     options = devise_i18n_options(options)
     I18n.t("#{options[:resource_name]}.#{kind}", options)
   end
 
+  # Controllers inheriting DeviseController are advised to override this
+  # method so that other controllers inheriting from them would use
+  # existing translations.
+  def translation_scope
+    "devise.#{controller_name}"
+  end
+
   def clean_up_passwords(object)
     object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
   end
@@ -173,4 +194,6 @@ MESSAGE
   def resource_params
     params.fetch(resource_name, {})
   end
+
+  ActiveSupport.run_load_hooks(:devise_controller, self)
 end

app/views/devise/confirmations/new.html.erb

@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true, value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email) %> 
+  </div>
 
-  <div><%= f.submit "Resend confirmation instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Resend confirmation instructions" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/passwords/edit.html.erb

@@ -4,13 +4,22 @@
   <%= devise_error_messages! %>
   <%= f.hidden_field :reset_password_token %>
 
-  <div><%= f.label :password, "New password" %><br />
-    <%= f.password_field :password, autofocus: true, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password, "New password" %><br />
+    <% if @minimum_password_length %>
+    <em>(<%= @minimum_password_length %> characters minimum)</em>
+    <% end %><br />
+    <%= f.password_field :password, autofocus: true, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation, "Confirm new password" %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.submit "Change my password" %></div>
+  <div class="actions">
+    <%= f.submit "Change my password" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/passwords/new.html.erb

@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>
 
-  <div><%= f.submit "Send me reset password instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Send me reset password instructions" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/registrations/edit.html.erb

@@ -3,23 +3,33 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
   <%= devise_error_messages! %>
 
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>
 
   <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %>
     <div>Currently waiting confirmation for: <%= resource.unconfirmed_email %></div>
   <% end %>
 
-  <div><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
-    <%= f.password_field :current_password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
+    <%= f.password_field :current_password, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.submit "Update" %></div>
+  <div class="actions">
+    <%= f.submit "Update" %>
+  </div>
 <% end %>
 
 <h3>Cancel my account</h3>

app/views/devise/registrations/new.html.erb

@@ -3,16 +3,27 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
   <%= devise_error_messages! %>
 
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>
 
-  <div><%= f.label :password %> <% if @validatable %><i>(<%= @minimum_password_length %> characters minimum)</i><% end %><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %>
+    <% if @minimum_password_length %>
+    <em>(<%= @minimum_password_length %> characters minimum)</em>
+    <% end %><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>
 
-  <div><%= f.submit "Sign up" %></div>
+  <div class="actions">
+    <%= f.submit "Sign up" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/sessions/new.html.erb

@@ -1,17 +1,26 @@
 <h2>Log in</h2>
 
 <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>
 
-  <div><%= f.label :password %><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>
 
   <% if devise_mapping.rememberable? -%>
-    <div><%= f.check_box :remember_me %> <%= f.label :remember_me %></div>
+    <div class="field">
+      <%= f.check_box :remember_me %>
+      <%= f.label :remember_me %>
+    </div>
   <% end -%>
 
-  <div><%= f.submit "Log in" %></div>
+  <div class="actions">
+    <%= f.submit "Log in" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/unlocks/new.html.erb

@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post }) do |f| %>
   <%= devise_error_messages! %>
 
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>
 
-  <div><%= f.submit "Resend unlock instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Resend unlock instructions" %>
+  </div>
 <% end %>
 
 <%= render "devise/shared/links" %>

config/locales/en.yml

@@ -9,10 +9,10 @@ en:
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
-      invalid: "Invalid email or password."
+      invalid: "Invalid %{authentication_keys} or password."
       locked: "Your account is locked."
       last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid email address or password."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your email address before continuing."

devise.gemspec

@@ -18,10 +18,12 @@ Gem::Specification.new do |s|
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- test/*`.split("\n")
   s.require_paths = ["lib"]
+  s.required_ruby_version = '>= 1.9.3'
 
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
   s.add_dependency("thread_safe", "~> 0.1")
   s.add_dependency("railties", ">= 3.2.6", "< 5")
+  s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-3.2-stable.lock

@@ -1,14 +1,14 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 11fd052aa815ae0255ea5b2463e88138fb3fec61
+  revision: b344986bc3d94ca7821fc5e0eef1874882ac6cbb
   branch: 3-2-stable
   specs:
-    actionmailer (3.2.19)
-      actionpack (= 3.2.19)
+    actionmailer (3.2.21)
+      actionpack (= 3.2.21)
       mail (~> 2.5.4)
-    actionpack (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
+    actionpack (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -16,31 +16,31 @@ GIT
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.19)
-      activesupport (= 3.2.19)
+    activemodel (3.2.21)
+      activesupport (= 3.2.21)
       builder (~> 3.0.0)
-    activerecord (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
+    activerecord (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
-    activesupport (3.2.19)
+    activeresource (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
+    activesupport (3.2.21)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
-    rails (3.2.19)
-      actionmailer (= 3.2.19)
-      actionpack (= 3.2.19)
-      activerecord (= 3.2.19)
-      activeresource (= 3.2.19)
-      activesupport (= 3.2.19)
+    rails (3.2.21)
+      actionmailer (= 3.2.21)
+      actionpack (= 3.2.21)
+      activerecord (= 3.2.21)
+      activeresource (= 3.2.21)
+      activesupport (= 3.2.21)
       bundler (~> 1.0)
-      railties (= 3.2.19)
-    railties (3.2.19)
-      actionpack (= 3.2.19)
-      activesupport (= 3.2.19)
+      railties (= 3.2.21)
+    railties (3.2.21)
+      actionpack (= 3.2.21)
+      activesupport (= 3.2.21)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -49,10 +49,11 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.3.0)
+    devise (3.4.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
@@ -60,23 +61,23 @@ GEM
   remote: https://rubygems.org/
   specs:
     arel (3.0.3)
-    bcrypt (3.1.7)
+    bcrypt (3.1.10)
     builder (3.0.4)
     erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
     hike (1.2.3)
-    i18n (0.6.11)
+    i18n (0.7.0)
     journey (1.0.4)
-    json (1.8.1)
-    jwt (1.0.0)
+    json (1.8.2)
+    jwt (1.4.1)
     mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.4)
     mime-types (1.25.1)
-    mini_portile (0.6.0)
+    mini_portile (0.6.2)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
     mongoid (3.1.6)
@@ -85,11 +86,11 @@ GEM
       origin (~> 1.0)
       tzinfo (~> 0.3.29)
     moped (1.5.2)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -120,25 +121,27 @@ GEM
       ruby-openid (>= 2.1.8)
     rack-ssl (1.3.4)
       rack
-    rack-test (0.6.2)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.3.2)
+    rake (10.4.2)
     rdoc (3.12.2)
       json (~> 1.4)
-    ruby-openid (2.5.0)
-    sprockets (2.2.2)
+    responders (1.1.2)
+      railties (>= 3.2, < 4.2)
+    ruby-openid (2.7.0)
+    sprockets (2.2.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.9)
+    sqlite3 (1.3.10)
     thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
     tilt (1.4.1)
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.40)
+    tzinfo (0.3.43)
     warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)

gemfiles/Gemfile.rails-4.0-stable.lock

@@ -1,52 +1,53 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 6d95e04c6968fb7597ea5dbd08b31f271fb87c9c
+  revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
   branch: 4-0-stable
   specs:
-    actionmailer (4.0.8)
-      actionpack (= 4.0.8)
+    actionmailer (4.0.13)
+      actionpack (= 4.0.13)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.0.8)
-      activesupport (= 4.0.8)
+    actionpack (4.0.13)
+      activesupport (= 4.0.13)
       builder (~> 3.1.0)
       erubis (~> 2.7.0)
       rack (~> 1.5.2)
       rack-test (~> 0.6.2)
-    activemodel (4.0.8)
-      activesupport (= 4.0.8)
+    activemodel (4.0.13)
+      activesupport (= 4.0.13)
       builder (~> 3.1.0)
-    activerecord (4.0.8)
-      activemodel (= 4.0.8)
+    activerecord (4.0.13)
+      activemodel (= 4.0.13)
       activerecord-deprecated_finders (~> 1.0.2)
-      activesupport (= 4.0.8)
+      activesupport (= 4.0.13)
       arel (~> 4.0.0)
-    activesupport (4.0.8)
+    activesupport (4.0.13)
       i18n (~> 0.6, >= 0.6.9)
       minitest (~> 4.2)
       multi_json (~> 1.3)
       thread_safe (~> 0.1)
       tzinfo (~> 0.3.37)
-    rails (4.0.8)
-      actionmailer (= 4.0.8)
-      actionpack (= 4.0.8)
-      activerecord (= 4.0.8)
-      activesupport (= 4.0.8)
+    rails (4.0.13)
+      actionmailer (= 4.0.13)
+      actionpack (= 4.0.13)
+      activerecord (= 4.0.13)
+      activesupport (= 4.0.13)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.0.8)
+      railties (= 4.0.13)
       sprockets-rails (~> 2.0)
-    railties (4.0.8)
-      actionpack (= 4.0.8)
-      activesupport (= 4.0.8)
+    railties (4.0.13)
+      actionpack (= 4.0.13)
+      activesupport (= 4.0.13)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (3.3.0)
+    devise (3.4.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
@@ -55,40 +56,39 @@ GEM
   specs:
     activerecord-deprecated_finders (1.0.3)
     arel (4.0.2)
-    bcrypt (3.1.7)
+    bcrypt (3.1.10)
     bson (2.3.0)
     builder (3.1.4)
-    connection_pool (2.0.0)
+    connection_pool (2.1.3)
     erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
     hike (1.2.3)
-    i18n (0.6.11)
-    json (1.8.1)
-    jwt (1.0.0)
-    mail (2.6.1)
+    i18n (0.7.0)
+    jwt (1.4.1)
+    mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metaclass (0.0.4)
-    mime-types (2.3)
-    mini_portile (0.6.0)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
     minitest (4.7.5)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    mongoid (4.0.0)
+    mongoid (4.0.2)
       activemodel (~> 4.0)
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.0)
+    moped (2.0.4)
       bson (~> 2.2)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -115,26 +115,27 @@ GEM
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    ruby-openid (2.5.0)
-    sprockets (2.12.1)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (1.1.2)
+      railties (>= 3.2, < 4.2)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.1.3)
+    sprockets-rails (2.2.4)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
     thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
     tilt (1.4.1)
-    tzinfo (0.3.40)
+    tzinfo (0.3.43)
     warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)

gemfiles/Gemfile.rails-4.1-stable

@@ -2,10 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: '..'
 
-gem "rails", github: "rails/rails"
-gem "arel", github: "rails/arel"
-gem "rack", github: "rack/rack"
-gem "i18n", github: "svenfuchs/i18n"
+gem "rails", github: 'rails/rails', branch: '4-1-stable'
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
@@ -28,5 +25,5 @@ platforms :ruby do
 end
 
 group :mongoid do
-  gem "mongoid", github: "mongoid/mongoid", branch: "master"
+  gem "mongoid", "~> 4.0.0"
 end

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -1,119 +1,99 @@
-GIT
-  remote: git://github.com/mongoid/mongoid.git
-  revision: 8cb17e9839973b76295cf87189e91a5ffcc03ab0
-  branch: master
-  specs:
-    mongoid (4.0.0)
-      activemodel (~> 4.0)
-      moped (~> 2.0.0)
-      origin (~> 2.1)
-      tzinfo (>= 0.3.37)
-
-GIT
-  remote: git://github.com/rack/rack.git
-  revision: 92811eec6e86cb4dba52b3969c4dd66e639df158
-  specs:
-    rack (1.6.0.alpha)
-
-GIT
-  remote: git://github.com/rails/arel.git
-  revision: 66cee768bc163537087037a583f60639eae49fc3
-  specs:
-    arel (6.0.0.20140505020427)
-
 GIT
   remote: git://github.com/rails/rails.git
-  revision: d5be08347fb7ff758572775ec93247a3ca886004
+  revision: bf32ec7b8611e6b4c7e9398f7d297a1f0221e9b9
+  branch: 4-1-stable
   specs:
-    actionmailer (4.2.0.alpha)
-      actionpack (= 4.2.0.alpha)
-      actionview (= 4.2.0.alpha)
+    actionmailer (4.1.10)
+      actionpack (= 4.1.10)
+      actionview (= 4.1.10)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.2.0.alpha)
-      actionview (= 4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
-      rack (~> 1.6.0.alpha)
+    actionpack (4.1.10)
+      actionview (= 4.1.10)
+      activesupport (= 4.1.10)
+      rack (~> 1.5.2)
       rack-test (~> 0.6.2)
-    actionview (4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
+    actionview (4.1.10)
+      activesupport (= 4.1.10)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-    activemodel (4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
+    activemodel (4.1.10)
+      activesupport (= 4.1.10)
       builder (~> 3.1)
-    activerecord (4.2.0.alpha)
-      activemodel (= 4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
-      arel (~> 6.0.0)
-    activesupport (4.2.0.alpha)
-      i18n (>= 0.7.0.dev, < 0.8)
+    activerecord (4.1.10)
+      activemodel (= 4.1.10)
+      activesupport (= 4.1.10)
+      arel (~> 5.0.0)
+    activesupport (4.1.10)
+      i18n (~> 0.6, >= 0.6.9)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
-    rails (4.2.0.alpha)
-      actionmailer (= 4.2.0.alpha)
-      actionpack (= 4.2.0.alpha)
-      actionview (= 4.2.0.alpha)
-      activemodel (= 4.2.0.alpha)
-      activerecord (= 4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
+    rails (4.1.10)
+      actionmailer (= 4.1.10)
+      actionpack (= 4.1.10)
+      actionview (= 4.1.10)
+      activemodel (= 4.1.10)
+      activerecord (= 4.1.10)
+      activesupport (= 4.1.10)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.0.alpha)
-      sprockets-rails (~> 2.1)
-    railties (4.2.0.alpha)
-      actionpack (= 4.2.0.alpha)
-      activesupport (= 4.2.0.alpha)
+      railties (= 4.1.10)
+      sprockets-rails (~> 2.0)
+    railties (4.1.10)
+      actionpack (= 4.1.10)
+      activesupport (= 4.1.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
-GIT
-  remote: git://github.com/svenfuchs/i18n.git
-  revision: cb679b8cdbab675703a3f88de4d48a48f7b50e06
-  specs:
-    i18n (0.7.0.dev)
-
 PATH
   remote: ..
   specs:
-    devise (3.3.0)
+    devise (3.4.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    bcrypt (3.1.7)
+    arel (5.0.1.20140414130214)
+    bcrypt (3.1.10)
     bson (2.3.0)
     builder (3.2.2)
-    connection_pool (2.0.0)
+    connection_pool (2.1.3)
     erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
     hike (1.2.3)
-    json (1.8.1)
-    jwt (1.0.0)
-    mail (2.6.1)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
+    mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metaclass (0.0.4)
-    mime-types (2.3)
-    mini_portile (0.6.0)
-    minitest (5.4.0)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    moped (2.0.0)
+    mongoid (4.0.2)
+      activemodel (~> 4.0)
+      moped (~> 2.0.0)
+      origin (~> 2.1)
+      tzinfo (>= 0.3.37)
+    moped (2.0.4)
       bson (~> 2.2)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -136,29 +116,31 @@ GEM
     optionable (0.2.0)
     origin (2.1.1)
     orm_adapter (0.5.0)
+    rack (1.5.2)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    ruby-openid (2.5.0)
-    sprockets (2.12.1)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (1.1.2)
+      railties (>= 3.2, < 4.2)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.1.3)
+    sprockets-rails (2.2.4)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
     thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
     tilt (1.4.1)
-    tzinfo (1.2.1)
+    tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.3)
       rack (>= 1.0)
@@ -173,17 +155,14 @@ PLATFORMS
 DEPENDENCIES
   activerecord-jdbc-adapter
   activerecord-jdbcsqlite3-adapter
-  arel!
   devise!
-  i18n!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid!
+  mongoid (~> 4.0.0)
   omniauth (~> 1.2.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.1.0)
   omniauth-openid (~> 1.0.1)
-  rack!
   rails!
   rdoc
   sqlite3

gemfiles/Gemfile.rails-4.2-stable

@@ -0,0 +1,29 @@
+source "https://rubygems.org"
+
+gemspec path: '..'
+
+gem "rails", github: 'rails/rails', branch: '4-2-stable'
+gem "omniauth", "~> 1.2.2"
+gem "omniauth-oauth2", "~> 1.2.0"
+gem "rdoc"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid", "~> 1.0.1"
+  gem "webrat", "0.7.3", require: false
+  gem "mocha", "~> 1.1", require: false
+end
+
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 4.0.0"
+end

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -0,0 +1,191 @@
+GIT
+  remote: git://github.com/rails/rails.git
+  revision: f12ff8ddab7b199707ec36d72bd72f206f142c8b
+  branch: 4-2-stable
+  specs:
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.1)
+      sprockets-rails
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+PATH
+  remote: ..
+  specs:
+    devise (3.4.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 3.2.6, < 5)
+      responders
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (6.0.0)
+    bcrypt (3.1.10)
+    bson (2.3.0)
+    builder (3.2.2)
+    connection_pool (2.1.3)
+    erubis (2.7.0)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.3.3)
+      activesupport (>= 4.1.0)
+    hashie (3.4.0)
+    hike (1.2.3)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
+    mocha (1.1.0)
+      metaclass (~> 0.0.1)
+    mongoid (4.0.2)
+      activemodel (~> 4.0)
+      moped (~> 2.0.0)
+      origin (~> 2.1)
+      tzinfo (>= 0.3.37)
+    moped (2.0.4)
+      bson (~> 2.2)
+      connection_pool (~> 2.0)
+      optionable (~> 0.2.0)
+    multi_json (1.11.0)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    omniauth (1.2.2)
+      hashie (>= 1.2, < 4)
+      rack (~> 1.0)
+    omniauth-facebook (2.0.1)
+      omniauth-oauth2 (~> 1.2)
+    omniauth-oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
+      multi_json (~> 1.3)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    optionable (0.2.0)
+    origin (2.1.1)
+    orm_adapter (0.5.0)
+    rack (1.6.0)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (2.1.0)
+      railties (>= 4.2.0, < 5)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tilt (1.4.1)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    warden (1.2.3)
+      rack (>= 1.0)
+    webrat (0.7.3)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbc-adapter
+  activerecord-jdbcsqlite3-adapter
+  devise!
+  jruby-openssl
+  mocha (~> 1.1)
+  mongoid (~> 4.0.0)
+  omniauth (~> 1.2.2)
+  omniauth-facebook
+  omniauth-oauth2 (~> 1.2.0)
+  omniauth-openid (~> 1.0.1)
+  rails!
+  rdoc
+  sqlite3
+  webrat (= 0.7.3)

lib/devise.rb

@@ -4,6 +4,7 @@ require 'active_support/dependencies'
 require 'orm_adapter'
 require 'set'
 require 'securerandom'
+require 'responders'
 
 module Devise
   autoload :Delegator,          'devise/delegator'
@@ -56,22 +57,6 @@ module Devise
   mattr_accessor :secret_key
   @@secret_key = nil
 
-  [ :allow_insecure_token_lookup,
-    :allow_insecure_sign_in_after_confirmation,
-    :token_authentication_key ].each do |method|
-    class_eval <<-RUBY
-    def self.#{method}
-      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
-        "and has no effect"
-    end
-
-    def self.#{method}=(val)
-      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
-        "and has no effect"
-    end
-    RUBY
-  end
-
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
   @@rememberable_options = {}
@@ -86,7 +71,7 @@ module Devise
 
   # Keys used when authenticating a user.
   mattr_accessor :authentication_keys
-  @@authentication_keys = [ :email ]
+  @@authentication_keys = [:email]
 
   # Request keys used when authenticating a user.
   mattr_accessor :request_keys
@@ -94,7 +79,7 @@ module Devise
 
   # Keys that should be case-insensitive.
   mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = [ :email ]
+  @@case_insensitive_keys = [:email]
 
   # Keys that should have whitespace stripped.
   mattr_accessor :strip_whitespace_keys
@@ -149,7 +134,7 @@ module Devise
 
   # Defines which key will be used when confirming an account.
   mattr_accessor :confirmation_keys
-  @@confirmation_keys = [ :email ]
+  @@confirmation_keys = [:email]
 
   # Defines if email should be reconfirmable.
   # False by default for backwards compatibility.
@@ -180,7 +165,7 @@ module Devise
 
   # Defines which key will be used when locking and unlocking an account
   mattr_accessor :unlock_keys
-  @@unlock_keys = [ :email ]
+  @@unlock_keys = [:email]
 
   # Defines which strategy can be used to unlock an account.
   # Values: :email, :time, :both
@@ -197,12 +182,16 @@ module Devise
 
   # Defines which key will be used when recovering the password for an account
   mattr_accessor :reset_password_keys
-  @@reset_password_keys = [ :email ]
+  @@reset_password_keys = [:email]
 
   # Time interval you can reset your password with a reset password key
   mattr_accessor :reset_password_within
   @@reset_password_within = 6.hours
 
+  # When set to false, resetting a password does not automatically sign in a user
+  mattr_accessor :sign_in_after_reset_password
+  @@sign_in_after_reset_password = true
+
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -245,7 +234,7 @@ module Devise
   mattr_accessor :router_name
   @@router_name = nil
 
-  # Set the omniauth path prefix so it can be overridden when
+  # Set the OmniAuth path prefix so it can be overridden when
   # Devise is used in a mountable engine
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
@@ -260,7 +249,7 @@ module Devise
   mattr_reader :mappings
   @@mappings = ActiveSupport::OrderedHash.new
 
-  # Omniauth configurations.
+  # OmniAuth configurations.
   mattr_reader :omniauth_configs
   @@omniauth_configs = ActiveSupport::OrderedHash.new
 
@@ -280,7 +269,7 @@ module Devise
 
   # When true, warn user if they just used next-to-last attempt of authentication
   mattr_accessor :last_attempt_warning
-  @@last_attempt_warning = false
+  @@last_attempt_warning = true
 
   # Stores the token generator
   mattr_accessor :token_generator
@@ -347,6 +336,7 @@ module Devise
   #   +controller+ - Symbol representing the name of an existing or custom *controller* for this module.
   #   +route+      - Symbol representing the named *route* helper for this module.
   #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #   +insert_at+  - Integer representing the order in which this module's model will be included
   #
   # All values, except :model, accept also a boolean and will have the same name as the given module
   # name.
@@ -356,10 +346,12 @@ module Devise
   #   Devise.add_module(:party_module)
   #   Devise.add_module(:party_module, strategy: true, controller: :sessions)
   #   Devise.add_module(:party_module, model: 'party_module/model')
+  #   Devise.add_module(:party_module, insert_at: 0)
   #
   def self.add_module(module_name, options = {})
-    ALL << module_name
-    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input, :insert_at)
+
+    ALL.insert (options[:insert_at] || -1), module_name
 
     if strategy = options[:strategy]
       strategy = (strategy == true ? module_name : strategy)
@@ -416,7 +408,7 @@ module Devise
     @@warden_config_blocks << block
   end
 
-  # Specify an omniauth provider.
+  # Specify an OmniAuth provider.
   #
   #   config.omniauth :github, APP_ID, APP_SECRET
   #
@@ -473,8 +465,12 @@ module Devise
   end
 
   # Generate a friendly string randomly to be used as token.
-  def self.friendly_token
-    SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
+  # By default, length is 20 characters.
+  def self.friendly_token(length = 20)
+    # To calculate real characters, we must perform this operation.
+    # See SecureRandom.urlsafe_base64
+    rlength = (length * 3) / 4
+    SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
   end
 
   # constant-time comparison algorithm to prevent timing attacks

lib/devise/controllers/rememberable.rb

@@ -2,7 +2,7 @@ module Devise
   module Controllers
     # A module that may be optionally included in a controller in order
     # to provide remember me behavior. Useful when signing in is done
-    # through a callback, like in Omniauth.
+    # through a callback, like in OmniAuth.
     module Rememberable
       # Return default cookie values retrieved from session options.
       def self.cookie_values

lib/devise/controllers/sign_in_out.rb

@@ -6,7 +6,7 @@ module Devise
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+        [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)
         end
       end

lib/devise/controllers/store_location.rb

@@ -35,7 +35,9 @@ module Devise
         session_key = stored_location_key_for(resource_or_scope)
         uri = parse_uri(location)
         if uri
-          session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [path, uri.fragment].compact.join('#')
+          session[session_key] = path
         end
       end
 

lib/devise/controllers/url_helpers.rb

@@ -42,16 +42,14 @@ module Devise
           [:path, :url].each do |path_or_url|
             actions.each do |action|
               action = action ? "#{action}_" : ""
-              method = "#{action}#{module_name}_#{path_or_url}"
+              method = :"#{action}#{module_name}_#{path_or_url}"
 
-              class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-                def #{method}(resource_or_scope, *args)
-                  scope = Devise::Mapping.find_scope!(resource_or_scope)
-                  router_name = Devise.mappings[scope].router_name
-                  context = router_name ? send(router_name) : _devise_route_context
-                  context.send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
-                end
-              URL_HELPERS
+              define_method method do |resource_or_scope, *args|
+                scope = Devise::Mapping.find_scope!(resource_or_scope)
+                router_name = Devise.mappings[scope].router_name
+                context = router_name ? send(router_name) : _devise_route_context
+                context.send("#{action}#{scope}_#{module_name}_#{path_or_url}", *args)
+              end
             end
           end
         end

lib/devise/encryptor.rb

@@ -0,0 +1,22 @@
+require 'bcrypt'
+
+module Devise
+  module Encryptor
+    def self.digest(klass, password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      ::BCrypt::Password.create(password, cost: klass.stretches).to_s
+    end
+
+    def self.compare(klass, encrypted_password, password)
+      return false if encrypted_password.blank?
+      bcrypt   = ::BCrypt::Password.new(encrypted_password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+      Devise.secure_compare(password, encrypted_password)
+    end
+  end
+end

lib/devise/failure_app.rb

@@ -49,17 +49,19 @@ module Devise
 
     def recall
       env["PATH_INFO"]  = attempted_path
-      flash.now[:alert] = i18n_message(:invalid)
+      flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(env)
     end
 
     def redirect
       store_location!
-      if flash[:timedout] && flash[:alert]
-        flash.keep(:timedout)
-        flash.keep(:alert)
-      else
-        flash[:alert] = i18n_message
+      if is_flashing_format?
+        if flash[:timedout] && flash[:alert]
+          flash.keep(:timedout)
+          flash.keep(:alert)
+        else
+          flash[:alert] = i18n_message
+        end
       end
       redirect_to redirect_url
     end
@@ -78,6 +80,9 @@ module Devise
         options[:resource_name] = scope
         options[:scope] = "devise.failure"
         options[:default] = [message]
+        auth_keys = scope_class.authentication_keys
+        keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
+        options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 
         I18n.t(:"#{scope}.#{message}", options)
@@ -88,7 +93,7 @@ module Devise
 
     def redirect_url
       if warden_message == :timeout
-        flash[:timedout] = true
+        flash[:timedout] = true if is_flashing_format?
 
         path = if request.get?
           attempted_path
@@ -102,15 +107,23 @@ module Devise
       end
     end
 
+    def route(scope)
+      :"new_#{scope}_session_url"
+    end
+
     def scope_url
       opts  = {}
-      route = :"new_#{scope}_session_url"
+      route = route(scope)
       opts[:format] = request_format unless skip_format?
 
       config = Rails.application.config
-      opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))
 
-      context = send(Devise.available_router_name)
+      if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
+        opts[:script_name] = config.relative_url_root
+      end
+
+      router_name = Devise.mappings[scope].router_name || Devise.available_router_name
+      context = send(router_name)
 
       if context.respond_to?(route)
         context.send(route, opts)
@@ -144,7 +157,7 @@ module Devise
     # It does not make sense to send authenticate headers in ajax requests
     # or if the user disabled them.
     def http_auth_header?
-      Devise.mappings[scope].to.http_authenticatable && !request.xhr?
+      scope_class.http_authenticatable && !request.xhr?
     end
 
     def http_auth_body
@@ -182,6 +195,10 @@ module Devise
       @scope ||= warden_options[:scope] || Devise.default_scope
     end
 
+    def scope_class
+      @scope_class ||= Devise.mappings[scope].to
+    end
+
     def attempted_path
       warden_options[:attempted_path]
     end
@@ -198,6 +215,12 @@ module Devise
       Devise.navigational_formats.include?(request_format)
     end
 
+    # Check if flash messages should be emitted. Default is to do it on
+    # navigational formats
+    def is_flashing_format?
+      is_navigational_format?
+    end
+
     def request_format
       @request_format ||= request.format.try(:ref)
     end

lib/devise/mapping.rb

@@ -31,9 +31,10 @@ module Devise
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(obj)
+      obj = obj.devise_scope if obj.respond_to?(:devise_scope)
       case obj
       when String, Symbol
-        return obj
+        return obj.to_sym
       when Class
         Devise.mappings.each_value { |m| return m.name if obj <= m.to }
       else

lib/devise/models/authenticatable.rb

@@ -1,3 +1,4 @@
+require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 
@@ -37,7 +38,7 @@ module Devise
     # calling model.active_for_authentication?. This method is overwritten by other devise modules. For instance,
     # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
     #
-    # You overwrite this method yourself, but if you do, don't forget to call super:
+    # You can overwrite this method yourself, but if you do, don't forget to call super:
     #
     #   def active_for_authentication?
     #     super && special_condition_is_valid?
@@ -95,29 +96,22 @@ module Devise
       def authenticatable_salt
       end
 
-      array = %w(serializable_hash)
-      # to_xml does not call serializable_hash on 3.1
-      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
+      # Redefine serializable_hash in models for more secure defaults.
+      # By default, it removes from the serializable model all attributes that
+      # are *not* accessible. You can remove this default by using :force_except
+      # and passing a new list of attributes you want to exempt. All attributes
+      # given to :except will simply add names to exempt to Devise internal list.
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
 
-      array.each do |method|
-        class_eval <<-RUBY, __FILE__, __LINE__
-          # Redefine to_xml and serializable_hash in models for more secure defaults.
-          # By default, it removes from the serializable model all attributes that
-          # are *not* accessible. You can remove this default by using :force_except
-          # and passing a new list of attributes you want to exempt. All attributes
-          # given to :except will simply add names to exempt to Devise internal list.
-          def #{method}(options=nil)
-            options ||= {}
-            options[:except] = Array(options[:except])
+        if options[:force_except]
+          options[:except].concat Array(options[:force_except])
+        else
+          options[:except].concat BLACKLIST_FOR_SERIALIZATION
+        end
 
-            if options[:force_except]
-              options[:except].concat Array(options[:force_except])
-            else
-              options[:except].concat BLACKLIST_FOR_SERIALIZATION
-            end
-            super(options)
-          end
-        RUBY
+        super(options)
       end
 
       protected
@@ -170,7 +164,13 @@ module Devise
       #     end
       #
       def send_devise_notification(notification, *args)
-        devise_mailer.send(notification, self, *args).deliver
+        message = devise_mailer.send(notification, self, *args)
+        # Remove once we move to Rails 4.2+ only.
+        if message.respond_to?(:deliver_now)
+          message.deliver_now
+        else
+          message.deliver
+        end
       end
 
       def downcase_keys
@@ -246,14 +246,14 @@ module Devise
           to_adapter.find_first(devise_parameter_filter.filter(tainted_conditions).merge(opts))
         end
 
-        # Find an initialize a record setting an error if it can't be found.
+        # Find or initialize a record setting an error if it can't be found.
         def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
           find_or_initialize_with_errors([attribute], { attribute => value }, error)
         end
 
-        # Find an initialize a group of attributes based on a list of required attributes.
+        # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = attributes.slice(*required_attributes)
+          attributes = attributes.slice(*required_attributes).with_indifferent_access
           attributes.delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size

lib/devise/models/confirmable.rb

@@ -5,6 +5,14 @@ module Devise
     # Confirmation instructions are sent to the user email after creating a
     # record and when manually requested by a new confirmation instruction request.
     #
+    # Confirmable tracks the following columns:
+    #
+    # * confirmation_token   - An OpenSSL::HMAC.hexdigest of @raw_confirmation_token
+    # * confirmed_at         - A timestamp when the user clicked the confirmation link
+    # * confirmation_sent_at - A timestamp when the confirmation_token was generated (not sent)
+    # * unconfirmed_email    - An email address copied from the email attr. After confirmation
+    #                          this value is copied to the email attr then cleared
+    #
     # == Options
     #
     # Confirmable adds the following options to +devise+:
@@ -24,7 +32,7 @@ module Devise
     #
     # == Examples
     #
-    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirm       # returns true unless it's already confirmed
     #   User.find(1).confirmed?    # true/false
     #   User.find(1).send_confirmation_instructions # manually send instructions
     #
@@ -56,7 +64,7 @@ module Devise
       # Confirm a user by setting it's confirmed_at to actual time. If the user
       # is already confirmed, add an error to email field. If the user is invalid
       # add errors
-      def confirm!
+      def confirm(args={})
         pending_any_confirmation do
           if confirmation_period_expired?
             self.errors.add(:email, :confirmation_period_expired,
@@ -64,7 +72,6 @@ module Devise
             return false
           end
 
-          self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
           saved = if self.class.reconfirmable && unconfirmed_email.present?
@@ -75,7 +82,7 @@ module Devise
             # We need to validate in such cases to enforce e-mail uniqueness
             save(validate: true)
           else
-            save(validate: false)
+            save(validate: args[:ensure_valid] == true)
           end
 
           after_confirmation if saved
@@ -83,6 +90,11 @@ module Devise
         end
       end
 
+      def confirm!(args={})
+        ActiveSupport::Deprecation.warn "confirm! is deprecated in favor of confirm"
+        confirm(args)
+      end
+
       # Verifies whether a user is confirmed or not
       def confirmed?
         !!confirmed_at
@@ -202,7 +214,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
+          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -216,7 +228,7 @@ module Devise
         end
 
         # Generates a new random token for confirmation, and stores
-        # the time this token is being generated
+        # the time this token is being generated in confirmation_sent_at
         def generate_confirmation_token
           raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
           @raw_confirmation_token   = raw
@@ -249,6 +261,16 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && self.email.present?
         end
 
+        # A callback initiated after successfully confirming. This can be
+        # used to insert your own logic that is only run after the user successfully
+        # confirms.
+        #
+        # Example:
+        #
+        #   def after_confirmation
+        #     self.update_attribute(:invite_code, nil)
+        #   end
+        #
         def after_confirmation
         end
 
@@ -275,7 +297,7 @@ module Devise
           confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          confirmable.confirm! if confirmable.persisted?
+          confirmable.confirm if confirmable.persisted?
           confirmable.confirmation_token = original_token
           confirmable
         end

lib/devise/models/database_authenticatable.rb

@@ -1,10 +1,10 @@
 require 'devise/strategies/database_authenticatable'
-require 'bcrypt'
+require 'devise/encryptor'
 
 module Devise
-  # Digests the password using bcrypt.
   def self.bcrypt(klass, password)
-    ::BCrypt::Password.create("#{password}#{klass.pepper}", cost: klass.stretches).to_s
+    ActiveSupport::Deprecation.warn "Devise.bcrypt is deprecated; use Devise::Encryptor.digest instead"
+    Devise::Encryptor.digest(klass, password)
   end
 
   module Models
@@ -42,12 +42,9 @@ module Devise
         self.encrypted_password = password_digest(@password) if @password.present?
       end
 
-      # Verifies whether an password (ie from sign in) is the user password.
+      # Verifies whether a password (ie from sign in) is the user password.
       def valid_password?(password)
-        return false if encrypted_password.blank?
-        bcrypt   = ::BCrypt::Password.new(encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, encrypted_password)
+        Devise::Encryptor.compare(self.class, encrypted_password, password)
       end
 
       # Set password and password confirmation to nil
@@ -145,7 +142,7 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other encryption engines.
       def password_digest(password)
-        Devise.bcrypt(self.class, password)
+        Devise::Encryptor.digest(self.class, password)
       end
 
       module ClassMethods

lib/devise/models/lockable.rb

@@ -117,7 +117,7 @@ module Devise
           super
         elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
           :locked
-        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt?
+        elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
           :last_attempt
         else
           super
@@ -189,7 +189,7 @@ module Devise
           self.lock_strategy == strategy
         end
 
-        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys, :last_attempt_warning)
       end
     end
   end

lib/devise/models/recoverable.rb

@@ -8,11 +8,13 @@ module Devise
     # Recoverable adds the following options to devise_for:
     #
     #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
     #
     # == Examples
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
     #
     #   # only resets the user password, without saving the record
     #   user = User.find(1)
@@ -28,20 +30,33 @@ module Devise
         [:reset_password_sent_at, :reset_password_token]
       end
 
+      included do
+        before_save do
+          if email_changed? || encrypted_password_changed?
+            clear_reset_password_token
+          end
+        end
+      end
+
       # Update password saving the record and clearing token. Returns true if
       # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
+      def reset_password(new_password, new_password_confirmation)
         self.password = new_password
         self.password_confirmation = new_password_confirmation
 
-        if valid?
-          clear_reset_password_token
+        if respond_to?(:after_password_reset) && valid?
+          ActiveSupport::Deprecation.warn "after_password_reset is deprecated"
           after_password_reset
         end
 
         save
       end
 
+      def reset_password!(new_password, new_password_confirmation)
+        ActiveSupport::Deprecation.warn "reset_password! is deprecated in favor of reset_password"
+        reset_password(new_password, new_password_confirmation)
+      end
+
       # Resets reset password token and send reset password instructions by email.
       # Returns the token sent in the e-mail.
       def send_reset_password_instructions
@@ -83,9 +98,6 @@ module Devise
           self.reset_password_sent_at = nil
         end
 
-        def after_password_reset
-        end
-
         def set_reset_password_token
           raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
 
@@ -130,17 +142,17 @@ module Devise
 
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
             else
               recoverable.errors.add(:reset_password_token, :expired)
             end
           end
 
-          recoverable.reset_password_token = original_token
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
           recoverable
         end
 
-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
       end
     end
   end

lib/devise/models/rememberable.rb

@@ -46,7 +46,7 @@ module Devise
       end
 
       # Generate a new remember token and save the record without validations
-      # unless remember_across_browsers is true and the user already has a valid token.
+      # if remember expired (token is no longer valid) or extend_remember_period is true
       def remember_me!(extend_period=false)
         self.remember_token = self.class.remember_token if generate_remember_token?
         self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
@@ -75,7 +75,7 @@ module Devise
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
-        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt)
+        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
           salt
         else
           raise "authenticable_salt returned nil for the #{self.class.name} model. " \
@@ -89,6 +89,19 @@ module Devise
         self.class.rememberable_options
       end
 
+      # A callback initiated after successfully being remembered. This can be
+      # used to insert your own logic that is only run after the user is
+      # remembered.
+      #
+      # Example:
+      #
+      #   def after_remembered
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
+      def after_remembered
+      end
+
     protected
 
       def generate_remember_token? #:nodoc:
@@ -98,7 +111,7 @@ module Devise
       # Generate a timestamp if extend_remember_period is true, if no remember_token
       # exists, or if an existing remember token has expired.
       def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_created_at.nil? || remember_expired?
+        extend_period || remember_expired?
       end
 
       module ClassMethods

lib/devise/models/trackable.rb

@@ -30,8 +30,7 @@ module Devise
 
       def update_tracked_fields!(request)
         update_tracked_fields(request)
-        save(validate: false) or raise "Devise trackable could not save #{inspect}." \
-          "Please make sure a model using trackable can be saved at sign in."
+        save(validate: false)
       end
     end
   end

lib/devise/models/validatable.rb

@@ -10,12 +10,12 @@ module Devise
     # Validatable adds the following options to devise_for:
     #
     #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 8..128.
+    #   * +password_length+: a range expressing password length. Defaults to 8..72.
     #
     module Validatable
       # All validations used by this module.
-      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
-                      :validates_confirmation_of, :validates_length_of ].freeze
+      VALIDATIONS = [:validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                     :validates_confirmation_of, :validates_length_of].freeze
 
       def self.required_fields(klass)
         []

lib/devise/rails.rb

@@ -17,7 +17,7 @@ module Devise
       Devise.include_helpers(Devise::Controllers)
     end
 
-    initializer "devise.omniauth" do |app|
+    initializer "devise.omniauth", after: :load_config_initializers, before: :build_middleware_stack do |app|
       Devise.omniauth_configs.each do |provider, config|
         app.middleware.use config.strategy_class, *config.args do |strategy|
           config.strategy = strategy

lib/devise/rails/routes.rb

@@ -119,7 +119,7 @@ module ActionDispatch::Routing
     #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [ :post, :delete ]
+    #      devise_for :users, sign_out_via: [:post, :delete]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #
@@ -402,7 +402,7 @@ module ActionDispatch::Routing
       def devise_omniauth_callback(mapping, controllers) #:nodoc:
         if mapping.fullpath =~ /:[a-zA-Z_]/
           raise <<-ERROR
-Devise does not support scoping omniauth callbacks under a dynamic segment
+Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
 `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
 
@@ -414,7 +414,7 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing
 
     match "/users/auth/:action/callback",
       constraints: { action: /google|facebook/ },
-      to: "devise/omniauth_callbacks",
+      to: "devise/omniauth_callbacks#:action",
       as: :omniauth_callback,
       via: [:get, :post]
 ERROR
@@ -435,26 +435,23 @@ ERROR
 
         match "#{path_prefix}/:action/callback",
           constraints: { action: providers },
-          to: controllers[:omniauth_callbacks],
+          to: "#{controllers[:omniauth_callbacks]}#:action",
           as: :omniauth_callback,
           via: [:get, :post]
       ensure
         @scope[:path] = path
       end
 
-      DEVISE_SCOPE_KEYS = [:as, :path, :module, :constraints, :defaults, :options]
-
       def with_devise_exclusive_scope(new_path, new_as, options) #:nodoc:
-        old = {}
-        DEVISE_SCOPE_KEYS.each { |k| old[k] = @scope[k] }
+        current_scope = @scope.dup
 
-        new = { as: new_as, path: new_path, module: nil }
-        new.merge!(options.slice(:constraints, :defaults, :options))
+        exclusive = { as: new_as, path: new_path, module: nil }
+        exclusive.merge!(options.slice(:constraints, :defaults, :options))
 
-        @scope.merge!(new)
+        exclusive.each_pair { |key, value| @scope[key] = value }
         yield
       ensure
-        @scope.merge!(old)
+        @scope = current_scope
       end
 
       def constraints_for(method_to_apply, scope=nil, block=nil)

lib/devise/strategies/authenticatable.rb

@@ -36,7 +36,6 @@ module Devise
         result = resource && resource.valid_for_authentication?(&block)
 
         if result
-          decorate(resource)
           true
         else
           if resource
@@ -47,7 +46,7 @@ module Devise
       end
 
       # Get values from params and set in the resource.
-      def decorate(resource)
+      def remember_me(resource)
         resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
       end
 
@@ -58,7 +57,7 @@ module Devise
 
       # Check if this is a valid strategy for http authentication by:
       #
-      #   * Validating if the model allows params authentication;
+      #   * Validating if the model allows http authentication;
       #   * If any of the authorization headers were sent;
       #   * If all authentication keys are present;
       #
@@ -109,7 +108,10 @@ module Devise
         params_auth_hash.is_a?(Hash)
       end
 
-      # Check if password is present.
+      # Note: unlike `Model.valid_password?`, this method does not actually
+      # ensure that the password in the params matches the password stored in
+      # the database. It only checks if the password is *present*. Do not rely
+      # on this method for validating that a given password is correct.
       def valid_password?
         password.present?
       end

lib/devise/strategies/database_authenticatable.rb

@@ -5,10 +5,11 @@ module Devise
     # Default strategy for signing in a user, based on their email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
-        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
         encrypted = false
 
         if validate(resource){ encrypted = true; resource.valid_password?(password) }
+          remember_me(resource)
           resource.after_database_authentication
           success!(resource)
         end

lib/devise/strategies/rememberable.rb

@@ -25,15 +25,28 @@ module Devise
         end
 
         if validate(resource)
+          remember_me(resource)
+          extend_remember_me_period(resource)
+          resource.after_remembered
           success!(resource)
         end
       end
 
+      # No need to clean up the CSRF when using rememberable.
+      # In fact, cleaning it up here would be a bug because
+      # rememberable is triggered on GET requests which means
+      # we would render a page on first access with all csrf
+      # tokens expired.
+      def clean_up_csrf?
+        false
+      end
+
     private
 
-      def decorate(resource)
-        super
-        resource.extend_remember_period = mapping.to.extend_remember_period if resource.respond_to?(:extend_remember_period=)
+      def extend_remember_me_period(resource)
+        if resource.respond_to?(:extend_remember_period=)
+          resource.extend_remember_period = mapping.to.extend_remember_period
+        end
       end
 
       def remember_me?

lib/devise/test_helpers.rb

@@ -26,11 +26,11 @@ module Devise
 
     # Quick access to Warden::Proxy.
     def warden #:nodoc:
-      @warden ||= begin
+      @request.env['warden'] ||= begin
         manager = Warden::Manager.new(nil) do |config|
           config.merge! Devise.warden_config
         end
-        @request.env['warden'] = Warden::Proxy.new(@request.env, manager)
+        Warden::Proxy.new(@request.env, manager)
       end
     end
 

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.3.0".freeze
+  VERSION = "3.5.1".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -83,7 +83,8 @@ RUBY
       end
 
       def postgresql?
-        ActiveRecord::Base.connection.adapter_name.downcase == "postgresql"
+        config = ActiveRecord::Base.configurations[Rails.env]
+        config && config['adapter'] == 'postgresql'
       end
     end
   end

lib/generators/active_record/templates/migration.rb

@@ -7,7 +7,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
       t.<%= attribute.type %> :<%= attribute.name %>
 <% end -%>
 
-      t.timestamps
+      t.timestamps null: false
     end
 
     add_index :<%= table_name %>, :email,                unique: true

lib/generators/active_record/templates/migration_existing.rb

@@ -8,7 +8,7 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
 <% end -%>
 
       # Uncomment below if timestamps were not included in your original model.
-      # t.timestamps
+      # t.timestamps null: false
     end
 
     add_index :<%= table_name %>, :email,                unique: true

lib/generators/devise/controllers_generator.rb

@@ -0,0 +1,44 @@
+require 'rails/generators/base'
+
+module Devise
+  module Generators
+    class ControllersGenerator < Rails::Generators::Base
+      CONTROLLERS = %w(confirmations passwords registrations sessions unlocks omniauth_callbacks).freeze
+
+      desc <<-DESC.strip_heredoc
+        Create inherited Devise controllers in your app/controllers folder.
+
+        Use -c to specify which controller you want to overwrite.
+        If you do no specify a controller, all controllers will be created.
+        For example:
+
+          rails generate devise:controllers users -c=sessions
+
+        This will create a controller class at app/controllers/users/sessions_controller.rb like this:
+
+          class Users::ConfirmationsController < Devise::ConfirmationsController
+            content...
+          end
+      DESC
+
+      source_root File.expand_path("../../templates/controllers", __FILE__)
+      argument :scope, required: true,
+        desc: "The scope to create controllers in, e.g. users, admins"
+      class_option :controllers, aliases: "-c", type: :array,
+        desc: "Select specific controllers to generate (#{CONTROLLERS.join(', ')})"
+
+      def create_controllers
+        @scope_prefix = scope.blank? ? '' : (scope.camelize + '::')
+        controllers = options[:controllers] || CONTROLLERS
+        controllers.each do |name|
+          template "#{name}_controller.rb",
+                   "app/controllers/#{scope}/#{name}_controller.rb"
+        end
+      end
+
+      def show_readme
+        readme "README" if behavior == :invoke
+      end
+    end
+  end
+end

lib/generators/templates/controllers/README

@@ -0,0 +1,14 @@
+===============================================================================
+
+Some setup you must do manually if you haven't yet:
+
+  Ensure you have overridden routes for generated controllers in your route.rb.
+  For example:
+
+    Rails.application.routes.draw do
+      devise_for :users, controllers: {
+        sessions: 'users/sessions'
+      }
+    end
+
+===============================================================================

lib/generators/templates/controllers/confirmations_controller.rb

@@ -0,0 +1,28 @@
+class <%= @scope_prefix %>ConfirmationsController < Devise::ConfirmationsController
+  # GET /resource/confirmation/new
+  # def new
+  #   super
+  # end
+
+  # POST /resource/confirmation
+  # def create
+  #   super
+  # end
+
+  # GET /resource/confirmation?confirmation_token=abcdef
+  # def show
+  #   super
+  # end
+
+  # protected
+
+  # The path used after resending confirmation instructions.
+  # def after_resending_confirmation_instructions_path_for(resource_name)
+  #   super(resource_name)
+  # end
+
+  # The path used after confirmation.
+  # def after_confirmation_path_for(resource_name, resource)
+  #   super(resource_name, resource)
+  # end
+end

lib/generators/templates/controllers/omniauth_callbacks_controller.rb

@@ -0,0 +1,28 @@
+class <%= @scope_prefix %>OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  # You should configure your model like this:
+  # devise :omniauthable, omniauth_providers: [:twitter]
+
+  # You should also create an action method in this controller like this:
+  # def twitter
+  # end
+
+  # More info at:
+  # https://github.com/plataformatec/devise#omniauth
+
+  # GET|POST /resource/auth/twitter
+  # def passthru
+  #   super
+  # end
+
+  # GET|POST /users/auth/twitter/callback
+  # def failure
+  #   super
+  # end
+
+  # protected
+
+  # The path used when OmniAuth fails
+  # def after_omniauth_failure_path_for(scope)
+  #   super(scope)
+  # end
+end

lib/generators/templates/controllers/passwords_controller.rb

@@ -0,0 +1,32 @@
+class <%= @scope_prefix %>PasswordsController < Devise::PasswordsController
+  # GET /resource/password/new
+  # def new
+  #   super
+  # end
+
+  # POST /resource/password
+  # def create
+  #   super
+  # end
+
+  # GET /resource/password/edit?reset_password_token=abcdef
+  # def edit
+  #   super
+  # end
+
+  # PUT /resource/password
+  # def update
+  #   super
+  # end
+
+  # protected
+
+  # def after_resetting_password_path_for(resource)
+  #   super(resource)
+  # end
+
+  # The path used after sending reset password instructions
+  # def after_sending_reset_password_instructions_path_for(resource_name)
+  #   super(resource_name)
+  # end
+end

lib/generators/templates/controllers/registrations_controller.rb

@@ -0,0 +1,60 @@
+class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsController
+# before_filter :configure_sign_up_params, only: [:create]
+# before_filter :configure_account_update_params, only: [:update]
+
+  # GET /resource/sign_up
+  # def new
+  #   super
+  # end
+
+  # POST /resource
+  # def create
+  #   super
+  # end
+
+  # GET /resource/edit
+  # def edit
+  #   super
+  # end
+
+  # PUT /resource
+  # def update
+  #   super
+  # end
+
+  # DELETE /resource
+  # def destroy
+  #   super
+  # end
+
+  # GET /resource/cancel
+  # Forces the session data which is usually expired after sign
+  # in to be expired now. This is useful if the user wants to
+  # cancel oauth signing in/up in the middle of the process,
+  # removing all OAuth session data.
+  # def cancel
+  #   super
+  # end
+
+  # protected
+
+  # If you have extra params to permit, append them to the sanitizer.
+  # def configure_sign_up_params
+  #   devise_parameter_sanitizer.for(:sign_up) << :attribute
+  # end
+
+  # If you have extra params to permit, append them to the sanitizer.
+  # def configure_account_update_params
+  #   devise_parameter_sanitizer.for(:account_update) << :attribute
+  # end
+
+  # The path used after sign up.
+  # def after_sign_up_path_for(resource)
+  #   super(resource)
+  # end
+
+  # The path used after sign up for inactive accounts.
+  # def after_inactive_sign_up_path_for(resource)
+  #   super(resource)
+  # end
+end

lib/generators/templates/controllers/sessions_controller.rb

@@ -0,0 +1,25 @@
+class <%= @scope_prefix %>SessionsController < Devise::SessionsController
+# before_filter :configure_sign_in_params, only: [:create]
+
+  # GET /resource/sign_in
+  # def new
+  #   super
+  # end
+
+  # POST /resource/sign_in
+  # def create
+  #   super
+  # end
+
+  # DELETE /resource/sign_out
+  # def destroy
+  #   super
+  # end
+
+  # protected
+
+  # If you have extra params to permit, append them to the sanitizer.
+  # def configure_sign_in_params
+  #   devise_parameter_sanitizer.for(:sign_in) << :attribute
+  # end
+end

lib/generators/templates/controllers/unlocks_controller.rb

@@ -0,0 +1,28 @@
+class <%= @scope_prefix %>UnlocksController < Devise::UnlocksController
+  # GET /resource/unlock/new
+  # def new
+  #   super
+  # end
+
+  # POST /resource/unlock
+  # def create
+  #   super
+  # end
+
+  # GET /resource/unlock?unlock_token=abcdef
+  # def show
+  #   super
+  # end
+
+  # protected
+
+  # The path used after sending unlock password instructions
+  # def after_sending_unlock_instructions_path_for(resource)
+  #   super(resource)
+  # end
+
+  # The path used after unlocking the resource
+  # def after_unlock_path_for(resource)
+  #   super(resource)
+  # end
+end

lib/generators/templates/devise.rb

@@ -4,6 +4,8 @@ Devise.setup do |config|
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
+  # Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`
+  # by default. You can change it below and use your own secret key.
 <% if  rails_4? -%>
   # config.secret_key = '<%= SecureRandom.hex(64) %>'
 <% else -%>
@@ -33,7 +35,7 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [ :email ]
+  # config.authentication_keys = [:email]
 
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the
@@ -45,12 +47,12 @@ Devise.setup do |config|
   # Configure which authentication keys should be case-insensitive.
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :email ]
+  config.case_insensitive_keys = [:email]
 
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]
 
   # Tell if authentication through request.params is enabled. True by default.
   # It can be set to an array that will enable params authentication only for the
@@ -65,7 +67,7 @@ Devise.setup do |config|
   # :database      = Support basic authentication with authentication key + password
   # config.http_authenticatable = false
 
-  # If http headers should be returned for AJAX requests. True by default.
+  # If 401 status code should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
   # The realm used in Http Basic Authentication. 'Application' by default.
@@ -126,7 +128,7 @@ Devise.setup do |config|
   config.reconfirmable = true
 
   # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]
 
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
@@ -144,7 +146,7 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..128
+  config.password_length = 8..72
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
@@ -166,7 +168,7 @@ Devise.setup do |config|
   # config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
@@ -183,18 +185,22 @@ Devise.setup do |config|
   # config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = false
+  # config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]
 
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
   config.reset_password_within = 6.hours
 
+  # When set to false, does not sign a user in automatically after their password is
+  # reset. Defaults to true, so a user is signed in automatically after a reset.
+  # config.sign_in_after_reset_password = true
+
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
@@ -257,7 +263,7 @@ Devise.setup do |config|
   # The router that invoked `devise_for`, in the example above, would be:
   # config.router_name = :my_engine
   #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
+  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
 end

lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -7,7 +7,7 @@
   <%= f.full_error :reset_password_token %>
 
   <div class="form-inputs">
-    <%= f.input :password, label: "New password", required: true, autofocus: true %>
+    <%= f.input :password, label: "New password", required: true, autofocus: true, hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length) %>
     <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
   </div>
 

lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -5,7 +5,7 @@
 
   <div class="form-inputs">
     <%= f.input :email, required: true, autofocus: true %>
-    <%= f.input :password, required: true %>
+    <%= f.input :password, required: true, hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length) %>
     <%= f.input :password_confirmation, required: true %>
   </div>
 

lib/generators/templates/simple_form_for/sessions/new.html.erb

@@ -1,4 +1,4 @@
-<h2>Sign in</h2>
+<h2>Log in</h2>
 
 <%= simple_form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
   <div class="form-inputs">
@@ -8,7 +8,7 @@
   </div>
 
   <div class="form-actions">
-    <%= f.button :submit, "Sign in" %>
+    <%= f.button :submit, "Log in" %>
   </div>
 <% end %>
 

test/controllers/custom_registrations_controller_test.rb

@@ -8,7 +8,7 @@ class CustomRegistrationsControllerTest < ActionController::TestCase
   setup do
     request.env["devise.mapping"] = Devise.mappings[:user]
     @password = 'password'
-    @user = create_user(password: @password, password_confirmation: @password).tap(&:confirm!)
+    @user = create_user(password: @password, password_confirmation: @password).tap(&:confirm)
   end
 
   test "yield resource to block on create success" do
@@ -32,4 +32,9 @@ class CustomRegistrationsControllerTest < ActionController::TestCase
     put :update, { user: { } }
     assert @controller.update_block_called?, "update failed to yield resource to provided block"
   end
+
+  test "yield resource to block on new" do
+    get :new
+    assert @controller.new_block_called?, "new failed to yield resource to provided block"
+  end
 end

test/controllers/helpers_test.rb

@@ -245,6 +245,11 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)
   end
 
+  test 'store location for stores fragments' do
+    @controller.store_location_for(:user, "/foo#bar")
+    assert_equal "/foo#bar", @controller.stored_location_for(:user)
+  end
+
   test 'after sign in path defaults to root path if none by was specified for the given scope' do
     assert_equal root_path, @controller.after_sign_in_path_for(:user)
   end

test/controllers/inherited_controller_i18n_messages_test.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+
+class SessionsInheritedController < Devise::SessionsController
+  def test_i18n_scope
+    set_flash_message(:notice, :signed_in)
+  end
+end
+
+class AnotherInheritedController < SessionsInheritedController
+  protected
+
+  def translation_scope
+    'another'
+  end
+end
+
+class InheritedControllerTest < ActionController::TestCase
+  tests SessionsInheritedController
+
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+    @controller.request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  test 'I18n scope is inherited from Devise::Sessions' do
+    I18n.expects(:t).with do |message, options|
+      message == 'user.signed_in' &&
+        options[:scope] == 'devise.sessions'
+    end
+    @controller.test_i18n_scope
+  end
+end
+
+class AnotherInheritedControllerTest < ActionController::TestCase
+  tests AnotherInheritedController
+
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+    @controller.request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  test 'I18n scope is overridden' do
+    I18n.expects(:t).with do |message, options|
+      message == 'user.signed_in' &&
+        options[:scope] == 'another'
+    end
+    @controller.test_i18n_scope
+  end
+end

test/controllers/internal_helpers_test.rb

@@ -13,16 +13,16 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'get resource name from env' do
-    assert_equal :user, @controller.resource_name
+    assert_equal :user, @controller.send(:resource_name)
   end
 
   test 'get resource class from env' do
-    assert_equal User, @controller.resource_class
+    assert_equal User, @controller.send(:resource_class)
   end
 
   test 'get resource instance variable from env' do
     @controller.instance_variable_set(:@user, user = User.new)
-    assert_equal user, @controller.resource
+    assert_equal user, @controller.send(:resource)
   end
 
   test 'set resource instance variable from env' do
@@ -80,7 +80,7 @@ class HelpersTest < ActionController::TestCase
 
   test 'signed in resource returns signed in resource for current scope' do
     @mock_warden.expects(:authenticate).with(scope: :user).returns(User.new)
-    assert_kind_of User, @controller.signed_in_resource
+    assert_kind_of User, @controller.send(:signed_in_resource)
   end
 
   test 'is a devise controller' do
@@ -99,6 +99,12 @@ class HelpersTest < ActionController::TestCase
     assert_equal 'non-blank', flash[:notice]
   end
 
+  test 'issues non-blank flash.now messages normally' do
+    I18n.stubs(:t).returns('non-blank')
+    @controller.send :set_flash_message, :notice, :send_instructions, { now: true }
+    assert_equal 'non-blank', flash.now[:notice]
+  end
+
   test 'uses custom i18n options' do
     @controller.stubs(:devise_i18n_options).returns(default: "devise custom options")
     @controller.send :set_flash_message, :notice, :invalid_i18n_messagesend_instructions

test/controllers/load_hooks_controller_test.rb

@@ -0,0 +1,19 @@
+require 'test_helper'
+
+class LoadHooksControllerTest < ActionController::TestCase
+  setup do
+    ActiveSupport.on_load(:devise_controller) do
+      define_method :defined_by_load_hook do
+        puts 'I am defined dynamically by activesupport load hook'
+      end
+    end
+  end
+
+  teardown do
+    DeviseController.class_eval { undef :defined_by_load_hook }
+  end
+
+  test 'load hook called when controller is loaded' do
+    assert DeviseController.instance_methods.include? :defined_by_load_hook
+  end
+end

test/controllers/passwords_controller_test.rb

@@ -6,7 +6,7 @@ class PasswordsControllerTest < ActionController::TestCase
 
   setup do
     request.env["devise.mapping"] = Devise.mappings[:user]
-    @user = create_user.tap(&:confirm!)
+    @user = create_user.tap(&:confirm)
     @raw  = @user.send_reset_password_instructions
   end
 

test/controllers/sessions_controller_test.rb

@@ -36,7 +36,7 @@ class SessionsControllerTest < ActionController::TestCase
     request.session["user_return_to"] = 'foo.bar'
 
     user = create_user
-    user.confirm!
+    user.confirm
     post :create, user: {
       email: user.email,
       password: user.password
@@ -50,7 +50,7 @@ class SessionsControllerTest < ActionController::TestCase
     request.session["user_return_to"] = 'foo.bar'
 
     user = create_user
-    user.confirm!
+    user.confirm
     post :create, format: 'json', user: {
       email: user.email,
       password: user.password
@@ -72,7 +72,7 @@ class SessionsControllerTest < ActionController::TestCase
   test "#destroy doesn't set the flash if the requested format is not navigational" do
     request.env["devise.mapping"] = Devise.mappings[:user]
     user = create_user
-    user.confirm!
+    user.confirm
     post :create, format: 'json', user: {
       email: user.email,
       password: user.password

test/controllers/url_helpers_test.rb

@@ -13,6 +13,12 @@ class RoutesTest < ActionController::TestCase
     assert_equal @controller.send(:"#{prepend_path}#{name}_url", :user),
                  send(:"#{prepend_path}user_#{name}_url")
 
+    # With string
+    assert_equal @controller.send(:"#{prepend_path}#{name}_path", "user"),
+                 send(:"#{prepend_path}user_#{name}_path")
+    assert_equal @controller.send(:"#{prepend_path}#{name}_url", "user"),
+                 send(:"#{prepend_path}user_#{name}_url")
+
     # Default url params
     assert_equal @controller.send(:"#{prepend_path}#{name}_path", :user, param: 123),
                  send(:"#{prepend_path}user_#{name}_path", param: 123)

test/devise_test.rb

@@ -14,11 +14,11 @@ class DeviseTest < ActiveSupport::TestCase
   test 'bcrypt on the class' do
     password = "super secret"
     klass    = Struct.new(:pepper, :stretches).new("blahblah", 2)
-    hash     = Devise.bcrypt(klass, password)
+    hash     = Devise::Encryptor.digest(klass, password)
     assert_equal ::BCrypt::Password.create(hash), hash
 
     klass    = Struct.new(:pepper, :stretches).new("bla", 2)
-    hash     = Devise.bcrypt(klass, password)
+    hash     = Devise::Encryptor.digest(klass, password)
     assert_not_equal ::BCrypt::Password.new(hash), hash
   end
 

test/failure_app_test.rb

@@ -26,6 +26,22 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FakeEngineApp < Devise::FailureApp
+    class FakeEngine
+      def new_user_on_engine_session_url _
+        '/user_on_engines/sign_in'
+      end
+    end
+
+    def main_app
+      raise 'main_app router called instead of fake_engine'
+    end
+
+    def fake_engine
+      @fake_engine ||= FakeEngine.new
+    end
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -85,6 +101,13 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    test 'returns to the default redirect location considering the router for supplied scope' do
+      call_failure app: FakeEngineApp, 'warden.options' => { scope: :user_on_engine }
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/user_on_engines/sign_in', @response.second['Location']
+    end
+
     if Rails.application.config.respond_to?(:relative_url_root)
       test 'returns to the default redirect location considering the relative url root' do
         swap Rails.application.config, relative_url_root: "/sample" do
@@ -109,6 +132,13 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
+    test 'supports authentication_keys as a Hash for the flash message' do
+      swap Devise, authentication_keys: { email: true, login: true } do
+        call_failure('warden' => OpenStruct.new(message: :invalid))
+        assert_equal 'Invalid email, login or password.', @request.flash[:alert]
+      end
+    end
+
     test 'uses custom i18n options' do
       call_failure('warden' => OpenStruct.new(message: :does_not_exist), app: FailureWithI18nOptions)
       assert_equal 'User Steve does not exist', @request.flash[:alert]

test/generators/controllers_generator_test.rb

@@ -0,0 +1,48 @@
+require "test_helper"
+
+class ControllersGeneratorTest < Rails::Generators::TestCase
+  tests Devise::Generators::ControllersGenerator
+  destination File.expand_path("../../tmp", __FILE__)
+  setup :prepare_destination
+
+  test "Assert no controllers are created with no params" do
+    capture(:stderr) { run_generator }
+    assert_no_file "app/controllers/sessions_controller.rb"
+    assert_no_file "app/controllers/registrations_controller.rb"
+    assert_no_file "app/controllers/confirmations_controller.rb"
+    assert_no_file "app/controllers/passwords_controller.rb"
+    assert_no_file "app/controllers/unlocks_controller.rb"
+    assert_no_file "app/controllers/omniauth_callbacks_controller.rb"
+  end
+
+  test "Assert all controllers are properly created with scope param" do
+    run_generator %w(users)
+    assert_class_names 'users'
+
+    run_generator %w(admins)
+    assert_class_names 'admins'
+  end
+
+  test "Assert specified controllers with scope" do
+    run_generator %w(users -c sessions)
+    assert_file "app/controllers/users/sessions_controller.rb"
+    assert_no_file "app/controllers/users/registrations_controller.rb"
+    assert_no_file "app/controllers/users/confirmations_controller.rb"
+    assert_no_file "app/controllers/users/passwords_controller.rb"
+    assert_no_file "app/controllers/users/unlocks_controller.rb"
+    assert_no_file "app/controllers/users/omniauth_callbacks_controller.rb"
+  end
+
+  private
+
+    def assert_class_names(scope, options = {})
+      base_dir = "app/controllers#{scope.blank? ? '' : ('/' + scope)}"
+      scope_prefix = scope.blank? ? '' : (scope.camelize + '::')
+      controllers = options[:controllers] ||
+        %w(confirmations passwords registrations sessions unlocks omniauth_callbacks)
+
+      controllers.each do |c|
+        assert_file "#{base_dir}/#{c}_controller.rb", /#{scope_prefix + c.camelize}/
+      end
+    end
+end

test/generators/views_generator_test.rb

@@ -78,7 +78,7 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_file "app/views/#{scope}/registrations/new.html.erb"
     assert_file "app/views/#{scope}/registrations/edit.html.erb"
     assert_file "app/views/#{scope}/sessions/new.html.erb"
-    assert_file "app/views/#{scope}/shared/_links.erb"
+    assert_file "app/views/#{scope}/shared/_links.html.erb"
     assert_file "app/views/#{scope}/unlocks/new.html.erb"
   end
 

test/helpers/devise_helper_test.rb

@@ -2,25 +2,22 @@ require 'test_helper'
 
 class DeviseHelperTest < ActionDispatch::IntegrationTest
   setup do
-    model_labels = { models: { user: "utilisateur" } }
-    # TODO: Remove this hack that fixes the I18n performance safeguards that
-    # breaks the custom locale.
-    I18n.available_locales += [:fr]
-    I18n.backend.store_translations :fr,
-    {
+    model_labels = { models: { user: "the user" } }
+    translations = {
       errors: { messages: { not_saved: {
-        one: "Erreur lors de l'enregistrement de '%{resource}': 1 erreur.",
-        other: "Erreur lors de l'enregistrement de '%{resource}': %{count} erreurs."
+        one: "Can't save %{resource} because of 1 error",
+        other: "Can't save %{resource} because of %{count} errors",
       } } },
       activerecord: model_labels,
       mongoid: model_labels
     }
 
-    I18n.locale = 'fr'
+    I18n.available_locales
+    I18n.backend.store_translations(:en, translations)
   end
 
   teardown do
-    I18n.locale = 'en'
+    I18n.reload!
   end
 
   test 'test errors.messages.not_saved with single error from i18n' do
@@ -31,7 +28,7 @@ class DeviseHelperTest < ActionDispatch::IntegrationTest
     click_button 'Sign up'
 
     assert_have_selector '#error_explanation'
-    assert_contain "Erreur lors de l'enregistrement de 'utilisateur': 1 erreur"
+    assert_contain "Can't save the user because of 1 error"
   end
 
   test 'test errors.messages.not_saved with multiple errors from i18n' do
@@ -47,6 +44,6 @@ class DeviseHelperTest < ActionDispatch::IntegrationTest
     click_button 'Sign up'
 
     assert_have_selector '#error_explanation'
-    assert_contain "Erreur lors de l'enregistrement de 'utilisateur': 2 erreurs"
+    assert_contain "Can't save the user because of 2 errors"
   end
 end

test/integration/authenticatable_test.rb

@@ -580,7 +580,7 @@ class AuthenticationKeysTest < ActionDispatch::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, authentication_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid email or password."
+      assert_contain "Invalid subdomain or password."
       assert_not warden.authenticated?(:user)
     end
   end

test/integration/database_authenticatable_test.rb

@@ -81,4 +81,15 @@ class DatabaseAuthenticationTest < ActionDispatch::IntegrationTest
       assert_contain 'Invalid credentials'
     end
   end
+
+  test 'valid sign in calls after_database_authentication callback' do
+    user = create_user(email: ' foo@bar.com ')
+
+    User.expects(:find_for_database_authentication).returns user
+    user.expects :after_database_authentication
+
+    sign_in_as_user do
+      fill_in 'email', with: 'foo@bar.com'
+    end
+  end
 end

test/integration/http_authenticatable_test.rb

@@ -42,7 +42,7 @@ class HttpAuthenticationTest < ActionDispatch::IntegrationTest
     sign_in_as_new_user_with_http("unknown")
     assert_equal 401, status
     assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
-    assert_match "<error>Invalid email address or password.</error>", response.body
+    assert_match "<error>Invalid email or password.</error>", response.body
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

test/integration/omniauthable_test.rb

@@ -121,7 +121,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
     assert_contain 'Could not authenticate you from Facebook because "Access denied".'
   end
 
-  test "handles other exceptions from omniauth" do
+  test "handles other exceptions from OmniAuth" do
     OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
     visit "/users/sign_in"

test/integration/recoverable_test.rb

@@ -197,6 +197,19 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'does not sign in user automatically after changing its password if config.sign_in_after_reset_password is false' do
+    swap Devise, sign_in_after_reset_password: false do
+      create_user
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert_not_contain 'You are now signed in.'
+      assert_equal new_user_session_path, @request.path
+      assert !warden.authenticated?(:user)
+    end
+  end
+
   test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
     [:none, :time].each do |strategy|
       swap Devise, unlock_strategy: strategy do

test/integration/rememberable_test.rb

@@ -164,4 +164,13 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     get users_path
     assert_not warden.authenticated?(:user)
   end
+
+  test 'valid sign in calls after_remembered callback' do
+    user = create_user_and_remember
+
+    User.expects(:serialize_from_cookie).returns user
+    user.expects :after_remembered
+
+    get new_user_registration_path
+  end
 end

test/mapping_test.rb

@@ -62,6 +62,7 @@ class MappingTest < ActiveSupport::TestCase
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
+    assert_equal :user, Devise::Mapping.find_scope!("user")
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
@@ -70,6 +71,12 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
   end
 
+  test 'find scope uses devise_scope' do
+    user = User.new
+    def user.devise_scope; :special_scope; end
+    assert_equal :special_scope, Devise::Mapping.find_scope!(user)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)

test/models/authenticatable_test.rb

@@ -10,4 +10,14 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_equal User.find_first_by_auth_conditions({ email: "example@example.com" }), user
     assert_nil User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id.to_s.next)
   end
+
+  if defined?(ActionController::Parameters)
+    test 'does not passes an ActionController::Parameters to find_first_by_auth_conditions through find_or_initialize_with_errors' do
+      user = create_user(email: 'example@example.com')
+      attributes = ActionController::Parameters.new(email: 'example@example.com')
+
+      User.expects(:find_first_by_auth_conditions).with('email' => 'example@example.com').returns(user)
+      User.find_or_initialize_with_errors([:email], attributes)
+    end
+  end
 end

test/models/confirmable_test.rb

@@ -23,31 +23,24 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should confirm a user by updating confirmed at' do
     user = create_user
     assert_nil user.confirmed_at
-    assert user.confirm!
+    assert user.confirm
     assert_not_nil user.confirmed_at
   end
 
-  test 'should clear confirmation token while confirming a user' do
-    user = create_user
-    assert_present user.confirmation_token
-    user.confirm!
-    assert_nil user.confirmation_token
-  end
-
   test 'should verify whether a user is confirmed or not' do
     assert_not new_user.confirmed?
     user = create_user
     assert_not user.confirmed?
-    user.confirm!
+    user.confirm
     assert user.confirmed?
   end
 
   test 'should not confirm a user already confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     assert_blank user.errors[:email]
 
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
@@ -80,6 +73,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
   end
 
+  test 'should show error when a token has already been used' do
+    user = create_user
+    raw  = user.raw_confirmation_token
+    User.confirm_by_token(raw)
+    assert user.reload.confirmed?
+
+    confirmed_user = User.confirm_by_token(raw)
+    assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
+  end
+
   test 'should send confirmation instructions by email' do
     assert_email_sent "mynewuser@example.com" do
       create_user email: "mynewuser@example.com"
@@ -165,18 +168,19 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should not reset confirmation status or token when updating email' do
     user = create_user
-    user.confirm!
+    original_token = user.confirmation_token
+    user.confirm
     user.email = 'new_test@example.com'
     user.save!
 
     user.reload
     assert user.confirmed?
-    assert_nil user.confirmation_token
+    assert_equal original_token, user.confirmation_token
   end
 
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
-    user.confirm!
+    user.confirm
     assert_not user.resend_confirmation_instructions
     assert user.confirmed?
     assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
@@ -211,7 +215,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not user.confirmed?
     assert_not user.active_for_authentication?
 
-    user.confirm!
+    user.confirm
     assert user.confirmed?
     assert user.active_for_authentication?
   end
@@ -219,15 +223,16 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be active when confirm in is zero' do
     Devise.allow_unconfirmed_access_for = 0.days
     user = create_user
-    user.confirmation_sent_at = Date.today
+    user.confirmation_sent_at = Time.zone.today
     assert_not user.active_for_authentication?
   end
 
   test 'should be active when we set allow_unconfirmed_access_for to nil' do
-    Devise.allow_unconfirmed_access_for = nil
-    user = create_user
-    user.confirmation_sent_at = Date.today
-    assert user.active_for_authentication?
+    swap Devise, allow_unconfirmed_access_for: nil do
+      user = create_user
+      user.confirmation_sent_at = Time.zone.today
+      assert user.active_for_authentication?
+    end
   end
 
   test 'should not be active without confirmation' do
@@ -300,43 +305,52 @@ class ConfirmableTest < ActiveSupport::TestCase
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert user.confirm!
+    assert user.confirm
     assert_not_equal user.username, old
   end
 
   test 'should not call after_confirmation if not confirmed' do
     user = create_user
-    assert user.confirm!
+    assert user.confirm
     user.define_singleton_method :after_confirmation do
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    assert_not user.confirm!
+    assert_not user.confirm
     assert_equal user.username, old
   end
+
+  test 'should always perform validations upon confirm when ensure valid true' do
+    admin = create_admin
+    admin.stubs(:valid?).returns(false)
+    assert_not admin.confirm(ensure_valid: true)
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase
   test 'should not worry about validations on confirm even with reconfirmable' do
     admin = create_admin
     admin.reset_password_token = "a"
-    assert admin.confirm!
+    assert admin.confirm
   end
 
   test 'should generate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
-    assert_nil admin.confirmation_token
+    assert admin.confirm
+    residual_token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_not_nil admin.confirmation_token
+    assert_not_equal residual_token, admin.confirmation_token
   end
 
-  test 'should not generate confirmation token if skipping reconfirmation after changing email' do
+  test 'should not regenerate confirmation token or require reconfirmation if skipping reconfirmation after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    original_token = admin.confirmation_token
+    assert admin.confirm
     admin.skip_reconfirmation!
     assert admin.update_attributes(email: 'new_test@example.com')
-    assert_nil admin.confirmation_token
+    assert admin.confirmed?
+    assert_not admin.pending_reconfirmation?
+    assert_equal original_token, admin.confirmation_token
   end
 
   test 'should skip sending reconfirmation email when email is changed and skip_confirmation_notification! is invoked' do
@@ -350,7 +364,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should regenerate confirmation token after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'old_test@example.com')
     token = admin.confirmation_token
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -359,7 +373,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should send confirmation instructions by email after changing email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_sent "new_test@example.com" do
       assert admin.update_attributes(email: 'new_test@example.com')
     end
@@ -368,7 +382,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       assert admin.update_attributes(password: 'newpass', password_confirmation: 'newpass')
     end
@@ -376,7 +390,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not send confirmation by email after changing to a blank email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert_email_not_sent do
       admin.email = ''
       admin.save(validate: false)
@@ -385,23 +399,23 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should stay confirmed when email is changed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert admin.confirmed?
   end
 
   test 'should update email only when it is confirmed' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
-    assert admin.confirm!
+    assert admin.confirm
     assert_equal 'new_test@example.com', admin.email
   end
 
   test 'should not allow admin to get past confirmation email by resubmitting their new address' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     assert_not_equal 'new_test@example.com', admin.email
     assert admin.update_attributes(email: 'new_test@example.com')
@@ -410,7 +424,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should find a admin by send confirmation instructions with unconfirmed_email' do
     admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
     assert admin.update_attributes(email: 'new_test@example.com')
     confirmation_admin = Admin.send_confirmation_instructions(email: admin.unconfirmed_email)
     assert_equal confirmation_admin, admin

test/models/lockable_test.rb

@@ -7,7 +7,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should respect maximum attempts configuration" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
       assert user.reload.access_locked?
@@ -16,7 +16,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should increment failed_attempts on successfull validation if the user is already locked" do
     user = create_user
-    user.confirm!
+    user.confirm
 
     swap Devise, maximum_attempts: 2 do
       2.times { user.valid_for_authentication?{ false } }
@@ -29,7 +29,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should not touch failed_attempts if lock_strategy is none" do
     user = create_user
-    user.confirm!
+    user.confirm
     swap Devise, lock_strategy: :none, maximum_attempts: 2 do
       3.times { user.valid_for_authentication?{ false } }
       assert !user.access_locked?
@@ -53,7 +53,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "active_for_authentication? should be the opposite of locked?" do
     user = create_user
-    user.confirm!
+    user.confirm
     assert user.active_for_authentication?
     user.lock_access!
     assert_not user.active_for_authentication?
@@ -230,7 +230,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired and increase attempts on failure' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -243,7 +243,7 @@ class LockableTest < ActiveSupport::TestCase
   test 'should unlock account if lock has expired on success' do
     swap Devise, unlock_in: 1.minute do
       user = create_user
-      user.confirm!
+      user.confirm
 
       user.failed_attempts = 2
       user.locked_at = 2.minutes.ago
@@ -299,18 +299,24 @@ class LockableTest < ActiveSupport::TestCase
   end
 
   test 'should return last attempt message if user made next-to-last attempt of password entering' do
-    swap Devise, last_attempt_warning: :true do
-      swap Devise, lock_strategy: :failed_attempts do
-        user = create_user
-        user.failed_attempts = Devise.maximum_attempts - 2
-        assert_equal :invalid, user.unauthenticated_message
+    swap Devise, last_attempt_warning: true, lock_strategy: :failed_attempts do
+      user = create_user
+      user.failed_attempts = Devise.maximum_attempts - 2
+      assert_equal :invalid, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts - 1
-        assert_equal :last_attempt, user.unauthenticated_message
+      user.failed_attempts = Devise.maximum_attempts - 1
+      assert_equal :last_attempt, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts
-        assert_equal :locked, user.unauthenticated_message
-      end
+      user.failed_attempts = Devise.maximum_attempts
+      assert_equal :locked, user.unauthenticated_message
+    end
+  end
+
+  test 'should not return last attempt message if last_attempt_warning is disabled' do
+    swap Devise, last_attempt_warning: false, lock_strategy: :failed_attempts do
+      user = create_user
+      user.failed_attempts = Devise.maximum_attempts - 1
+      assert_equal :invalid, user.unauthenticated_message
     end
   end
 

test/models/recoverable_test.rb

@@ -23,13 +23,13 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should reset password and password confirmation from params' do
     user = create_user
-    user.reset_password!('123456789', '987654321')
+    user.reset_password('123456789', '987654321')
     assert_equal '123456789', user.password
     assert_equal '987654321', user.password_confirmation
   end
 
   test 'should reset password and save the record' do
-    assert create_user.reset_password!('123456789', '123456789')
+    assert create_user.reset_password('123456789', '123456789')
   end
 
   test 'should clear reset password token while reseting the password' do
@@ -38,7 +38,30 @@ class RecoverableTest < ActiveSupport::TestCase
 
     user.send_reset_password_instructions
     assert_present user.reset_password_token
-    assert user.reset_password!('123456789', '123456789')
+    assert user.reset_password('123456789', '123456789')
+    assert_nil user.reset_password_token
+  end
+
+  test 'should clear reset password token if changing password' do
+    user = create_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
+  test 'should clear reset password token if changing email' do
+    user = create_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.email = "another@example.com"
+    user.save!
     assert_nil user.reset_password_token
   end
 
@@ -46,14 +69,14 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send_reset_password_instructions
     assert_present user.reset_password_token
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
     assert_present user.reset_password_token
   end
 
   test 'should not reset password with invalid data' do
     user = create_user
     user.stubs(:valid?).returns(false)
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
   end
 
   test 'should reset reset password token and send instructions by email' do
@@ -135,6 +158,7 @@ class RecoverableTest < ActiveSupport::TestCase
     reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '')
     assert_not reset_password_user.errors.empty?
     assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_equal raw, reset_password_user.reset_password_token
   end
 
   test 'should reset successfully user password given the new password and confirmation' do
@@ -142,15 +166,17 @@ class RecoverableTest < ActiveSupport::TestCase
     old_password = user.password
     raw  = user.send_reset_password_instructions
 
-    User.reset_password_by_token(
+    reset_password_user = User.reset_password_by_token(
       reset_password_token: raw,
       password: 'new_password',
       password_confirmation: 'new_password'
     )
-    user.reload
+    assert_nil reset_password_user.reset_password_token
 
+    user.reload
     assert_not user.valid_password?(old_password)
     assert user.valid_password?('new_password')
+    assert_nil user.reset_password_token
   end
 
   test 'should not reset password after reset_password_within time' do
@@ -189,6 +215,12 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_equal User.with_reset_password_token(raw), user
   end
 
+  test 'should return the same reset password token as generated' do
+    user = create_user
+    raw  = user.send_reset_password_instructions
+    assert_equal Devise.token_generator.digest(self.class, :reset_password_token, raw), user.reset_password_token
+  end
+
   test 'should return nil if a user based on the raw token is not found' do
     assert_equal User.with_reset_password_token('random-token'), nil
   end

test/models/rememberable_test.rb

@@ -42,9 +42,15 @@ class RememberableTest < ActiveSupport::TestCase
     assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
   end
 
-  test 'raises a RuntimeError if authenticatable_salt is nil' do
+  test 'raises a RuntimeError if authenticatable_salt is nil or empty' do
     user = User.new
-    user.encrypted_password = nil
+    def user.authenticable_salt; nil; end
+    assert_raise RuntimeError do
+      user.rememberable_value
+    end
+
+    user = User.new
+    def user.authenticable_salt; ""; end
     assert_raise RuntimeError do
       user.rememberable_value
     end

test/models/validatable_test.rb

@@ -92,10 +92,10 @@ class ValidatableTest < ActiveSupport::TestCase
     assert_equal 'is too short (minimum is 7 characters)', user.errors[:password].join
   end
 
-  test 'should require a password with maximum of 128 characters long' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+  test 'should require a password with maximum of 72 characters long' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not require password length when it\'s not changed' do
@@ -109,10 +109,10 @@ class ValidatableTest < ActiveSupport::TestCase
   end
 
   test 'should complain about length even if password is not required' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
     user.stubs(:password_required?).returns(false)
     assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
   end
 
   test 'should not be included in objects with invalid API' do

test/rails_app/app/controllers/custom/registrations_controller.rb

@@ -1,4 +1,10 @@
 class Custom::RegistrationsController < Devise::RegistrationsController
+  def new
+    super do |resource|
+      @new_block_called = true
+    end
+  end
+
   def create
     super do |resource|
       @create_block_called = true
@@ -18,4 +24,8 @@ class Custom::RegistrationsController < Devise::RegistrationsController
   def update_block_called?
     @update_block_called == true
   end
+
+  def new_block_called?
+    @new_block_called == true
+  end
 end

test/rails_app/app/mailers/users/from_proc_mailer.rb

@@ -0,0 +1,3 @@
+class Users::FromProcMailer < Devise::Mailer
+  default from: proc { 'custom@example.com' }
+end

test/rails_app/app/mailers/users/mailer.rb

@@ -1,12 +1,3 @@
 class Users::Mailer < Devise::Mailer
   default from: 'custom@example.com'
 end
-
-class Users::ReplyToMailer < Devise::Mailer
-  default from: 'custom@example.com'
-  default reply_to: 'custom_reply_to@example.com'
-end
-
-class Users::FromProcMailer < Devise::Mailer
-  default from: proc { 'custom@example.com' }
-end

test/rails_app/app/mailers/users/reply_to_mailer.rb

@@ -0,0 +1,4 @@
+class Users::ReplyToMailer < Devise::Mailer
+  default from: 'custom@example.com'
+  default reply_to: 'custom_reply_to@example.com'
+end

test/rails_app/config/application.rb

@@ -17,7 +17,7 @@ module RailsApp
   class Application < Rails::Application
     # Add additional load paths for your own custom dirs
     config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
-    config.autoload_paths += [ "#{config.root}/app/#{DEVISE_ORM}" ]
+    config.autoload_paths += ["#{config.root}/app/#{DEVISE_ORM}"]
 
     # Configure generators values. Many other options are available, be sure to check the documentation.
     # config.generators do |g|

test/rails_app/config/environments/production.rb

@@ -20,7 +20,11 @@ RailsApp::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  if Rails.version >= "4.2.0"
+    config.serve_static_files = false
+  else
+    config.serve_static_assets = false
+  end
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor  = :uglifier
@@ -46,7 +50,7 @@ RailsApp::Application.configure do
   config.log_level = :info
 
   # Prepend all log lines with the following tags.
-  # config.log_tags = [ :subdomain, :uuid ]
+  # config.log_tags = [:subdomain, :uuid]
 
   # Use a different logger for distributed setups.
   # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)