Release v3.5.0

Merge pull request #3539 from rubyengineer/formatting
Formatting
2026-01-11 08:37:56 -05:00 · 2015-05-23 22:44:49 +02:00 · 2015-05-23 22:23:52 +02:00 · 2015-05-23 22:23:40 +02:00 · 2015-05-23 22:23:09 +02:00 · 2015-05-23 22:15:48 +02:00
87 changed files with 1370 additions and 683 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,31 +1,41 @@
 language: ruby
-script: "bundle exec rake test"
-install: script/cached-bundle install --deployment --path vendor/bundle
+
 rvm:
  - 1.9.3
  - 2.0.0
-  - 2.1.2
-env:
-  matrix:
-    - DEVISE_ORM=mongoid
-    - DEVISE_ORM=active_record
-  global:
-    # AMAZON_S3_BUCKET
-    - secure: "qkeYGn2mpgsgU5tKS9GWvFp/utUF/9O8++Shch24DMnq8OB01TrV5QQ2Elj7sSjMWqw2Pbe56nUCA9eOWXhPglGyIq2AI9E0umsEGZxdRlqqobpiMWs5wl8KZ0cFD1rZm6CwfL8atmcNfTt5TnvsaQ2l/k3TerOT2e66R/Mibk8="
-    # AMAZON_ACCESS_KEY_ID
-    - secure: "rTYGUFH9SPN0L7QtdE6Liyy/1z7nGKxqDF9LMRsmNsIfsqxoTPKZ8bCctQ4ksuk9svynGQsLfsda5pA+YvuALzjdWmGcID6ENgOGvoFnhZO5LuJ5f6t0k8gFpV9oBquQgDWzhzrcPYvCUrUYg3GSlHjFSXdPdht3SoYn7PiDaNs="
-    # AMAZON_SECRET_ACCESS_KEY
-    - secure: "VJ4qiWMzoleLojCcluX+w0RtaFVc9ybRNo6NODkGhHSaao8+4EX4rETBQG67tNSInk1iuNqCcZAGwC8V/12RXdao3PguRSLD5IiKeT+D78dqFEoP0+yHg4PbmZ6TJXADW3gUv/IOqkW7f/UYGinRaPu7hloyiC498FpQdmMWSNI="
+  - 2.1
+  - 2.2
+
 gemfile:
+  - gemfiles/Gemfile.rails-4.2-stable
  - gemfiles/Gemfile.rails-4.1-stable
  - gemfiles/Gemfile.rails-4.0-stable
  - gemfiles/Gemfile.rails-3.2-stable
  - Gemfile
+
 matrix:
-  allow_failures:
-    - gemfile: gemfiles/Gemfile.rails-head
+  exclude:
+    - rvm: 2.2
+      gemfile: gemfiles/Gemfile.rails-3.2-stable
+
 services:
  - mongodb
+
+sudo: false
+
+cache: bundler
+
+env:
+  matrix:
+    - DEVISE_ORM=mongoid
+    - DEVISE_ORM=active_record
+
+before_install: "rm ${BUNDLE_GEMFILE}.lock"
+
+before_script: "bundle update"
+
+script: "bundle exec rake test"
+
 notifications:
  email: false
  campfire:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,16 +1,43 @@
-### Unreleased
+### 3.5.0 - 2015-05-23

 * enhancements
-* bugfixes
+  * The hint about minimum password length required both `@validatable` and `@minimum_password_length` variables on the views, it now uses only the latter. If you have generated the views relying on the `@validatable` variable, replace it with `@minimum_password_length`.
+  * Added an ActiveSupport load hook for `:devise_controller`. (by @nakhli)
+  * Location fragments are now preserved between requests. (by @jbourassa)
+  * Added an `after_remembered` callback for the Rememerable module. (by @BM5k)
+  * `RegistrationsController#new` and `SessionsController#new` now yields the
+    current resource. (by @mtarnovan, @deivid-rodriguez)
+  * Password length validation is now limited to 72 characters for newer apps. (by @lleger)
+  * Controllers inheriting from any Devise core controller will now use appropriate translations. The i18n scope can be overridden in `translation_scope`.
+  * Allow the user to set the length of friendly token. (by @Angelmmiguel)

-### 3.4.0
+* bug fixes
+  * Use router_name from scope if one is available to support isolated engines. (by @cipater)
+  * Do not clean up CSRF on rememberable.
+  * Only use flash if it has been configured in failure app. (by @alex88)
+
+* deprecations
+  * `confirm!` has been deprecated in favor of `confirm`.
+  * `reset_password!` has been deprecated in favor of `reset_password`.
+  * `Devise.bcrypt` has been deprecated in favor of `Devise::Encryptor.digest`".
+
+### 3.4.1 - 2014-10-29
+
+* enhancements
+  * Devise default views now have a similar markup to Rails scaffold views. (by @udaysinghcode, @cllns)
+  * Passing `now: true` to the `set_flash_message` helper now sets the message into
+    the `flash.now` Hash. (by @hbriggs)
+* bugfixes
+  * Fixed an regression with translation of flash messages for when the `authentication_keys`
+  config is a Hash. (by @lucasmazza)
+
+### 3.4.0 - 2014-10-03

 * enhancements
  * Support added for Rails 4.2. Devise now depends on the `responders` gem due
    the extraction of the `respond_with` API from Rails. (by @lucasmazza)
  * The Simple Form templates follow the same change from 3.3.0 by using `Log in` and adding
    a hint about the minimum password length when `validatable` is enabled. (by @aried3r)
-  * Remove reloading of routes when eager loading is enabled. This change was added during Rails 3 and it doesn't seem to be relevant to currently supported Rails versions (by @fgro)
  * Controller generator added as `devise:controllers SCOPE`. You can use the `-c` flag
    to pick which controllers (`unlocks`, `confirmations`, etc) you want to generate. (by @Chun-Yang)
  * Removed the hardcoded references for "email" in the flash messages. If you are using
@@ -25,7 +52,7 @@
    message for your users. To keep the current behavior, this flag is now `true`
    by default. (by @lucasmazza)

-### 3.3.0
+### 3.3.0 - 2014-08-13

 * enhancements
  * Support multiple warden configuration blocks on devise configuration. (by @rossta)
@@ -49,13 +76,13 @@
  * Ensure registration controller block yields happen on failure in addition to success (by @dpehrson)
  * Only valid paths will be stored for redirections (by @parallel588)

-### 3.2.4
+### 3.2.4 - 2014-03-17

 * enhancements
  * `bcrypt` dependency updated due https://github.com/codahale/bcrypt-ruby/pull/86.
  * View generator now can generate specific views with the `-v` flag, like `rails g devise:views -v sessions` (by @kayline)

-### 3.2.3
+### 3.2.3 - 2014-02-20

 * enhancements
  * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
@@ -64,14 +91,14 @@
 * bug fix
  * Migrations will be properly generated when using rails 4.1.0.

-### 3.2.2
+### 3.2.2 - 2013-11-25

 * bug fix
  * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
  * Keep the query string when storing location (by @csexton)
  * Require rails generator base class in devise generators

-### 3.2.1
+### 3.2.1 - 2013-11-13

 Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode

@@ -83,7 +110,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumerati
  * Bring `password_digest` back to fix compatibility with `devise-encryptable`
  * Avoid e-mail enumeration on sign in when in paranoid mode

-### 3.2.0
+### 3.2.0 - 2013-11-06

 * enhancements
  * Previously deprecated token authenticatable and insecure lookups have been removed
@@ -102,13 +129,13 @@ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumerati
 * deprecations
  * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`

-### 3.1.1
+### 3.1.1 - 2013-10-01

 * bug fix
  * Improve default message which asked users to sign in even when they were already signed (by @gregates)
  * Improve error message for when the config.secret_key is missing

-### 3.1.0
+### 3.1.0 - 2013-09-05

 Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

@@ -131,12 +158,12 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-w
  * Do not compare directly against confirmation, unlock and reset password tokens
  * Skip storage for cookies on unverified requests

-### 3.0.2
+### 3.0.2 - 2013-08-09

 * bug fix
  * Skip storage for cookies on unverified requests

-### 3.0.1
+### 3.0.1 - 2013-08-02

 Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/

@@ -147,7 +174,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
  * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.

-### 3.0.0
+### 3.0.0 - 2013-07-14

 * enhancements
  * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
@@ -157,7 +184,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * bug fix
  * Errors on unlock are now properly reflected on the first `unlock_keys`

-### 2.2.4
+### 2.2.4 - 2013-05-07

 * enhancements
  * Add `destroy_with_password` to `DatabaseAuthenticatable`. Allows destroying a record when `:current_password` matches, similarly to how `update_with_password` works. (by @michiel3)
@@ -176,25 +203,25 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * backwards incompatible changes
  * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606

-### 2.2.3
+### 2.2.3 - 2013-01-26

 Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/

 * bug fix
  * Require string conversion for all values

-### 2.2.2
+### 2.2.2 - 2013-01-15

 * bug fix
  * Fix bug when checking for reconfirmable in templates

-### 2.2.1
+### 2.2.1 - 2013-01-11

 * bug fix
  * Fix regression with case_insensitive_keys
  * Fix regression when password is blank when it is invalid

-### 2.2.0
+### 2.2.0 - 2013-01-08

 * backwards incompatible changes
  * `headers_for` is deprecated, customize the mailer directly instead
@@ -225,17 +252,17 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
  * `update_with_password` doesn't change encrypted password when it is invalid (by @nashby)
  * Properly handle namespaced models on Active Record generator (by @nashby)

-### 2.1.4
+### 2.1.4 - 2013-08-18

 * bugfix
  * Do not confirm account after reset password

-### 2.1.3
+### 2.1.3 - 2013-01-26

 * bugfix
  * Require string conversion for all values

-### 2.1.2
+### 2.1.2 - 2012-06-19

 * enhancements
  * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
@@ -243,7 +270,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
 * bug fix
  * Fix regression on strategy validation on previous release

-### 2.1.1 (yanked)
+### 2.1.1 - 2012-06-15 (yanked)

 * enhancements
  * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
@@ -260,7 +287,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
 * deprecations
  * Strategy#validate() no longer validates nil resources

-### 2.1.0
+### 2.1.0 - 2012-05-15

 * enhancements
  * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
@@ -287,7 +314,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/01/security-announc
  * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
  * Reverted moving devise/shared/_links.erb to devise/_links.erb

-### 2.0.4
+### 2.0.4 - 2012-02-17

 Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0

@@ -295,7 +322,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Fix when :host is used with devise_for  (by @mreinsch)
  * Fix a regression that caused Warden to be initialized too late

-### 2.0.3 (yanked)
+### 2.0.3 - 2012-06-16 (yanked)

 * bug fix
  * Ensure warning is not shown by mistake on apps with mounted engines
@@ -303,7 +330,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Ensure serializable_hash does not depend on accessible attributes
  * Ensure that timeout callback does not run on sign out action

-### 2.0.2
+### 2.0.2 - 2012-02-14

 * enhancements
  * Add devise_i18n_options to customize I18n message
@@ -315,7 +342,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Show a warning in case someone gives a pluralized name to devise generator
  * Fix test behavior for rspec subject requests (by @sj26)

-### 2.0.1
+### 2.0.1 - 2012-02-09

 * enhancements
  * Improved error messages on deprecation warnings
@@ -324,7 +351,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Removed tmp and log files from gem

-### 2.0.0
+### 2.0.0 - 2012-01-26

 * enhancements
  * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)
@@ -350,14 +377,14 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_*
  * Protected method render_with_scope was removed.

-### 1.5.3
+### 1.5.3 - 2011-12-19

 * bug fix
  * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)
  * Ensure passing :format => false to devise_for is not permanent
  * Ensure path checker does not check invalid routes

-### 1.5.2
+### 1.5.2 - 2011-11-30

 * enhancements
  * Add support for Rails 3.1 new mass assignment conventions (by @kirs)
@@ -366,12 +393,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * OmniAuth error message now shows the proper option (:strategy_class instead of :klass)

-### 1.5.1
+### 1.5.1 - 2011-11-22

 * bug fix
  * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.

-### 1.5.0
+### 1.5.0 - 2011-11-13

 * enhancements
  * Timeoutable also skips tracking if skip_trackable is given
@@ -392,12 +419,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * redirect_location is deprecated, please use after_sign_in_path_for
  * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it

-### 1.4.9
+### 1.4.9 - 2011-10-19

 * bug fix
  * url helpers were not being set under some circumstances

-### 1.4.8
+### 1.4.8 - 2011-10-09

 * enhancements
  * Add docs for assets pipeline and Heroku
@@ -405,12 +432,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * confirmation_url was not being set under some circumstances

-### 1.4.7
+### 1.4.7 - 2011-09-21

 * bug fix
  * Fix backward incompatible change from 1.4.6 for those using custom controllers

-### 1.4.6 (yanked)
+### 1.4.6 - 2011-09-19 (yanked)

 * enhancements
  * Allow devise_for :skip => :all
@@ -418,7 +445,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Allow --skip-routes to devise generator
  * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller

-### 1.4.5
+### 1.4.5 - 2011-09-07

 * bug fix
  * Failure app tries the root path if a session one does not exist
@@ -426,12 +453,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Reset password shows proper message if user is not active
  * `clean_up_passwords` sets the accessors to nil to skip validations

-### 1.4.4
+### 1.4.4 - 2011-08-30

 * bug fix
  * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually

-### 1.4.3
+### 1.4.3 - 2011-08-29

 * enhancements
  * Improve Rails 3.1 compatibility
@@ -447,12 +474,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecations
  * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation

-### 1.4.2
+### 1.4.2 - 2011-06-30

 * bug fix
  * Provide a more robust behavior to serializers and add :force_except option

-### 1.4.1
+### 1.4.1 - 2011-06-29

 * enhancements
  * Add :defaults and :format support on router
@@ -463,7 +490,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Ensure to_xml is properly white listened
  * Ensure handle_unverified_request clean up any cached signed-in user

-### 1.4.0
+### 1.4.0 - 2011-06-23

 * enhancements
  * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
@@ -481,22 +508,22 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Devise now honors routes constraints (by @macmartine)
  * Do not return the user resource when requesting instructions (by @rodrigoflores)

-### 1.3.4
+### 1.3.4 - 2011-04-28

 * bug fix
  * Do not add formats if html or "*/*"

-### 1.3.3
+### 1.3.3 - 2011-04-20

 * bug fix
  * Explicitly mark the token as expired if so

-### 1.3.2
+### 1.3.2 - 2011-04-20

 * bug fix
  * Fix another regression related to reset_password_sent_at (by @alexdreher)

-### 1.3.1
+### 1.3.1 - 2011-04-18

 * enhancements
  * Improve failure_app responses (by @indirect)
@@ -505,7 +532,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)

-### 1.3.0
+### 1.3.0 - 2011-04-15

 * enhancements
  * All controllers can now handle different mime types than html using Responders (by @sikachu)
@@ -525,19 +552,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * backward incompatible changes
  * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.

-### 1.2.1
+### 1.2.1 - 2011-03-27

 * enhancements
  * Improve update path messages

-### 1.2.0
+### 1.2.0 - 2011-03-24

 * bug fix
  * Properly ignore path prefix on omniauthable
  * Faster uniqueness queries
  * Rename active? to active_for_authentication? to avoid conflicts

-### 1.2.rc2
+### 1.2.rc2 - 2011-03-10

 * enhancements
  * Make friendly_token 20 chars long
@@ -567,7 +594,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Removed --haml and --slim view templates
  * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode

-### 1.2.rc
+### 1.2.rc - 2010-10-25

 * deprecations
  * cookie_domain is deprecated in favor of cookie_options
@@ -605,13 +632,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Ensure namespaces has proper scoped views
  * Ensure Devise does not set empty flash messages (by @sxross)

-### 1.1.6
+### 1.1.6 - 2011-02-14

 * Use a more secure e-mail regexp
 * Implement Rails 3.0.4 handle unverified request
 * Use secure_compare to compare passwords

-### 1.1.5
+### 1.1.5 - 2010-11-26

 * bugfix
  * Ensure to convert keys on indifferent hash
@@ -619,12 +646,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * defaults
  * Set config.http_authenticatable to false to avoid confusion

-### 1.1.4
+### 1.1.4 - 2010-11-25

 * bugfix
  * Avoid session fixation attacks

-### 1.1.3
+### 1.1.3 - 2010-09-23

 * bugfix
  * Add reply-to to e-mail headers by default
@@ -635,17 +662,17 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)
  * :default options is now honored in migrations

-### 1.1.2
+### 1.1.2 - 2010-08-25

 * bugfix
  * Compatibility with latest Rails routes schema

-### 1.1.1
+### 1.1.1 - 2010-07-26

 * bugfix
  * Fix a small bug where generated locale file was empty on devise:install

-### 1.1.0
+### 1.1.0 - 2010-07-25

 * enhancements
  * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)
@@ -665,7 +692,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecations
  * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead

-### 1.1.rc2
+### 1.1.rc2 - 2010-06-22

 * enhancements
  * Allow to set cookie domain for the remember token. (by @mantas)
@@ -683,7 +710,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
  * Generators now use Rails 3 syntax (devise:install) instead of devise_install

-### 1.1.rc1
+### 1.1.rc1 - 2010-04-14

 * enhancements
  * Rails 3 compatibility
@@ -715,7 +742,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure
  * :as and :scope in routes is deprecated. Use :path and :singular instead

-### 1.0.8
+### 1.0.8 - 2010-06-22

 * enhancements
  * Support for latest MongoMapper
@@ -724,7 +751,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * confirmation_required? is properly honored on active? calls. (by @paulrosania)

-### 1.0.7
+### 1.0.7 - 2010-05-02

 * bug fix
  * Ensure password confirmation is always required
@@ -733,14 +760,14 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * authenticatable was deprecated and renamed to database_authenticatable
  * confirmable is not included by default on generation

-### 1.0.6
+### 1.0.6 - 2010-04-02

 * bug fix
  * Do not allow unlockable strategies based on time to access a controller.
  * Do not send unlockable email several times.
  * Allow controller to upstram custom! failures to Warden.

-### 1.0.5
+### 1.0.5 - 2010-03-25

 * bug fix
  * Use prepend_before_filter in require_no_authentication.
@@ -748,19 +775,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Fix a bug when giving an association proxy to devise.
  * Do not use lock! on lockable since it's part of ActiveRecord API.

-### 1.0.4
+### 1.0.4 - 2010-03-02

 * bug fix
  * Fixed a bug when deleting an account with rememberable
  * Fixed a bug with custom controllers

-### 1.0.3
+### 1.0.3 - 2010-02-22

 * enhancements
  * HTML e-mails now have proper formatting
  * Do not remove MongoMapper options in find

-### 1.0.2
+### 1.0.2 - 2010-02-17

 * enhancements
  * Allows you set mailer content type (by @glennr)
@@ -768,7 +795,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Uses the same content type as request on http authenticatable 401 responses

-### 1.0.1
+### 1.0.1 - 2010-02-16

 * enhancements
  * HttpAuthenticatable is not added by default automatically.
@@ -777,7 +804,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Fixed encryptors autoload

-### 1.0.0
+### 1.0.0 - 2010-02-08

 * deprecation
  * :old_password in update_with_password is deprecated, use :current_password instead
@@ -788,7 +815,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Allow scoped_views to be customized per controller/mailer class
  * Allow authenticatable to used in change_table statements

-### 0.9.2
+### 0.9.2 - 2010-02-04

 * bug fix
  * Ensure inactive user cannot sign in
@@ -798,13 +825,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Added gemspec to repo
  * Added token authenticatable (by @grimen)

-### 0.9.1
+### 0.9.1 - 2010-01-24

 * bug fix
  * Allow bigger salt size (by @jgeiger)
  * Fix relative url root

-### 0.9.0
+### 0.9.0 - 2010-01-20

 * deprecation
  * devise :all is deprecated
@@ -821,7 +848,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Accept path prefix not starting with slash
  * url helpers should rely on find_scope!

-### 0.8.2
+### 0.8.2 - 2010-01-12

 * enhancements
  * Allow Devise.mailer_sender to be a proc (by @grimen)
@@ -829,7 +856,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)

-### 0.8.1
+### 0.8.1 - 2010-01-07

 * enhancements
  * Move salt to encryptors
@@ -839,7 +866,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Bcrypt generator was not being loaded neither setting the proper salt

-### 0.8.0
+### 0.8.0 - 2010-01-06

 * enhancements
  * Warden 0.8.0 compatibility
@@ -853,19 +880,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * deprecation
  * Removed DeviseMailer.sender

-### 0.7.5
+### 0.7.5 - 2010-01-01

 * enhancements
  * Set a default value for mailer to avoid find_template issues
  * Add models configuration to MongoMapper::EmbeddedDocument as well

-### 0.7.4
+### 0.7.4 - 2009-12-21

 * enhancements
  * Extract Activatable from Confirmable
  * Decouple Serializers from Devise modules

-### 0.7.3
+### 0.7.3 - 2009-12-15

 * bug fix
  * Give scope to the proper model validation
@@ -875,7 +902,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Added update_with_password for authenticatable
  * Allow render_with_scope to accept :controller option

-### 0.7.2
+### 0.7.2 - 2009-12-14

 * deprecation
  * Renamed reset_confirmation! to resend_confirmation!
@@ -885,12 +912,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Fixed render_with_scope to work with all controllers
  * Allow sign in with two different users in Devise::TestHelpers

-### 0.7.1
+### 0.7.1 - 2009-12-09

 * enhancements
  * Small enhancements for other plugins compatibility (by @grimen)

-### 0.7.0
+### 0.7.0 - 2009-12-08

 * deprecations
  * :authenticatable is not included by default anymore
@@ -899,25 +926,25 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Improve loading process
  * Extract SessionSerializer from Authenticatable

-### 0.6.3
+### 0.6.3 - 2009-12-02

 * bug fix
  * Added trackable to migrations
  * Allow inflections to work

-### 0.6.2
+### 0.6.2 - 2009-11-25

 * enhancements
  * More DataMapper compatibility
  * Devise::Trackable - track sign in count, timestamps and ips

-### 0.6.1
+### 0.6.1 - 2009-11-24

 * enhancements
  * Devise::Timeoutable - timeout sessions without activity
  * DataMapper now accepts conditions

-### 0.6.0
+### 0.6.0 - 2009-11-22

 * deprecations
  * :authenticatable is still included by default, but yields a deprecation warning
@@ -928,19 +955,19 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Allow a strategy to be placed after authenticatable
  * Do not rely attribute? methods, since they are not added on Datamapper

-### 0.5.6
+### 0.5.6 - 2009-11-21

 * enhancements
  * Do not send nil to build (DataMapper compatibility)
  * Allow to have scoped views

-### 0.5.5
+### 0.5.5 - 2009-11-20

 * enhancements
  * Allow overwriting find for authentication method
  * Remove Ruby 1.8.7 dependency

-### 0.5.4
+### 0.5.4 - 2009-11-19

 * deprecations
  * Deprecate :singular in devise_for and use :scope instead
@@ -951,7 +978,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Create sign_in_and_redirect and sign_out_and_redirect helpers
  * Warden::Manager.default_scope is automatically configured to the first given scope

-### 0.5.3
+### 0.5.3 - 2009-11-18

 * bug fix
  * MongoMapper now converts DateTime to Time
@@ -963,20 +990,20 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper
    in cases you don't want it be handlded automatically

-### 0.5.2
+### 0.5.2 - 2009-11-17

 * enhancements
  * Improved sign_in and sign_out helpers to accepts resources
  * Added stored_location_for as a helper
  * Added test helpers

-### 0.5.1
+### 0.5.1 - 2009-11-15

 * enhancements
  * Added serializers based on Warden ones
  * Allow authentication keys to be set

-### 0.5.0
+### 0.5.0 - 2009-11-13

 * bug fix
  * Fixed a bug where remember me module was not working properly
@@ -986,13 +1013,13 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)
  * Added support for MongoMapper (by @shingara)

-### 0.4.3
+### 0.4.3 - 2009-11-10

 * bug fix
  * Authentication just fails if user cannot be serialized from session, without raising errors;
  * Default configuration values should not overwrite user values;

-### 0.4.2
+### 0.4.2 - 2009-11-06

 * deprecations
  * Renamed mail_sender to mailer_sender
@@ -1004,12 +1031,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Allow :path_prefix to be given to devise_for
  * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported)

-### 0.4.1
+### 0.4.1 - 2009-11-04

 * bug fix
  * Ensure options can be set even if models were not loaded

-### 0.4.0
+### 0.4.0 - 2009-11-03

 * deprecations
  * Notifier is deprecated, use DeviseMailer instead. Remember to rename
@@ -1022,7 +1049,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Allow Warden::Manager to be configured through Devise
  * Created a generator which creates an initializer

-### 0.3.0
+### 0.3.0 - 2009-10-30

 * bug fix
  * Allow yml messages to be configured by not using engine locales
@@ -1032,7 +1059,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Do not send confirmation messages when user changes their e-mail
  * Renamed authenticable to authenticatable and added deprecation warnings

-### 0.2.3
+### 0.2.3 - 2009-10-29

 * enhancements
  * Ensure fail! works inside strategies
@@ -1042,12 +1069,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
  * Do not redirect on invalid authenticate
  * Allow model configuration to be set to nil

-### 0.2.2
+### 0.2.2 - 2009-10-28

 * bug fix
  * Fix a bug when using customized resources

-### 0.2.1
+### 0.2.1 - 2009-10-27

 * refactor
  * Clean devise_views generator to use devise existing views
@@ -1059,7 +1086,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
  * Fix a bug with Mongrel and Ruby 1.8.6

-### 0.2.0
+### 0.2.0 - 2009-10-24

 * enhancements
  * Allow option :null => true in authenticable migration
@@ -1074,12 +1101,12 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fixes
  * Fixed requiring devise strategies

-### 0.1.1
+### 0.1.1 - 2009-10-21

 * bug fixes
  * Fixed requiring devise mapping

-### 0.1.0
+### 0.1.0 - 2009-10-21

 * Devise::Authenticable
 * Devise::Confirmable
--- a/2
+++ b/2
@@ -2,7 +2,7 @@ source "https://rubygems.org"

 gemspec

-gem "rails", "4.2.0.beta2"
+gem "rails", "4.2.1"
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,6 +1,17 @@
+PATH
+  remote: .
+  specs:
+    devise (3.5.0)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 3.2.6, < 5)
+      responders
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+
 GIT
  remote: git://github.com/mongoid/mongoid.git
-  revision: 5ba2e1fb4cb8189c9890e29c19cf4e16c25e4bc5
+  revision: a4365d7ecfa8221bfcf36a4e7ce7993142fc5940
  branch: master
  specs:
    mongoid (4.0.0)
@@ -9,89 +20,78 @@ GIT
      origin (~> 2.1)
      tzinfo (>= 0.3.37)

-PATH
-  remote: .
-  specs:
-    devise (3.4.0)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 3.2.6, < 5)
-      responders
-      thread_safe (~> 0.1)
-      warden (~> 1.2.3)
-
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (4.2.0.beta2)
-      actionpack (= 4.2.0.beta2)
-      actionview (= 4.2.0.beta2)
-      activejob (= 4.2.0.beta2)
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.3)
-    actionpack (4.2.0.beta2)
-      actionview (= 4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
-      rack (~> 1.6.0.beta)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
      rack-test (~> 0.6.2)
-      rails-dom-testing (~> 1.0, >= 1.0.3)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    actionview (4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.3)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    activejob (4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
      globalid (>= 0.3.0)
-    activemodel (4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
      builder (~> 3.1)
-    activerecord (4.2.0.beta2)
-      activemodel (= 4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
-      arel (>= 6.0.0.beta1, < 6.1)
-    activesupport (4.2.0.beta2)
-      i18n (>= 0.7.0.beta1, < 0.8)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
-      thread_safe (~> 0.1)
+      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    arel (6.0.0.beta1)
-    bcrypt (3.1.7)
+    arel (6.0.0)
+    bcrypt (3.1.10)
    bson (2.3.0)
    builder (3.2.2)
-    connection_pool (2.0.0)
+    connection_pool (2.1.3)
    erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
      multipart-post (>= 1.2, < 3)
-    globalid (0.3.0)
+    globalid (0.3.3)
      activesupport (>= 4.1.0)
-    hashie (3.2.0)
+    hashie (3.4.0)
    hike (1.2.3)
-    i18n (0.7.0.beta1)
-    json (1.8.1)
-    jwt (1.0.0)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
    loofah (2.0.1)
      nokogiri (>= 1.5.9)
-    mail (2.6.1)
+    mail (2.6.3)
      mime-types (>= 1.16, < 3)
    metaclass (0.0.4)
-    mime-types (2.3)
-    mini_portile (0.6.0)
-    minitest (5.4.2)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
    mocha (1.1.0)
      metaclass (~> 0.0.1)
-    moped (2.0.0)
+    moped (2.0.4)
      bson (~> 2.2)
      connection_pool (~> 2.0)
      optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
    oauth2 (0.9.4)
      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
@@ -114,54 +114,53 @@ GEM
    optionable (0.2.0)
    origin (2.1.1)
    orm_adapter (0.5.0)
-    rack (1.6.0.beta)
+    rack (1.6.0)
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
      rack (>= 1.0)
-    rails (4.2.0.beta2)
-      actionmailer (= 4.2.0.beta2)
-      actionpack (= 4.2.0.beta2)
-      actionview (= 4.2.0.beta2)
-      activejob (= 4.2.0.beta2)
-      activemodel (= 4.2.0.beta2)
-      activerecord (= 4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.0.beta2)
-      sprockets-rails (~> 3.0.0.beta1)
+      railties (= 4.2.1)
+      sprockets-rails
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.3)
-      activesupport
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
      nokogiri (~> 1.6.0)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.1)
+    rails-html-sanitizer (1.0.2)
      loofah (~> 2.0)
-    railties (4.2.0.beta2)
-      actionpack (= 4.2.0.beta2)
-      activesupport (= 4.2.0.beta2)
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    responders (2.0.0)
-      railties (>= 4.2.0.alpha, < 5)
-    ruby-openid (2.5.0)
-    sprockets (2.12.2)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (2.1.0)
+      railties (>= 4.2.0, < 5)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (3.0.0.beta1)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+    sprockets-rails (2.2.4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
    thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
    tilt (1.4.1)
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
@@ -186,7 +185,7 @@ DEPENDENCIES
  omniauth-facebook
  omniauth-oauth2 (~> 1.1.0)
  omniauth-openid (~> 1.0.1)
-  rails (= 4.2.0.beta2)
+  rails (= 4.2.1)
  rdoc
  sqlite3
  webrat (= 0.7.3)
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2015 Plataformatec. http://plataformatec.com.br

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
--- a/README.md
+++ b/README.md
@@ -2,8 +2,8 @@

 By [Plataformatec](http://plataformatec.com.br/).

-[![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
-[![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
+[![Build Status](https://api.travis-ci.org/plataformatec/devise.svg?branch=master)](http://travis-ci.org/plataformatec/devise)
+[![Code Climate](https://codeclimate.com/github/plataformatec/devise.svg)](https://codeclimate.com/github/plataformatec/devise)
 [![Security](https://hakiri.io/github/plataformatec/devise/master.svg)](https://hakiri.io/github/plataformatec/devise/master)

 This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/).
@@ -13,18 +13,18 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Is Rack based;
 * Is a complete MVC solution based on Rails engines;
 * Allows you to have multiple models signed in at the same time;
-* Is based on a modularity concept: use just what you really need.
+* Is based on a modularity concept: use only what you really need.

 It's composed of 10 modules:

 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support.
+* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/intridea/omniauth) support.
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
 * [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
 * [Rememberable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
 * [Trackable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
-* [Timeoutable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have no activity in a specified period of time.
+* [Timeoutable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
 * [Validatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
 * [Lockable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.

@@ -44,7 +44,7 @@ If you discover a problem with Devise, we would like to know about it. However,

 https://github.com/plataformatec/devise/wiki/Bug-reports

-If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
+If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.

 ### Mailing list

@@ -82,12 +82,12 @@ You will usually want to write tests for your changes.  To run the test suite, g

 ## Starting with Rails?

-If you are building your first Rails application, we recommend you to *not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch, today we have two resources:
+If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today we have two resources that should help you get started:

-* Michael Hartl's online book: http://www.railstutorial.org/book/demo_app#sec-modeling_demo_users
+* Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch

-Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :)
+Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:

 ## Getting started

@@ -105,7 +105,7 @@ After you install Devise and add it to your Gemfile, you need to run the generat
 rails generate devise:install
 ```

-The generator will install an initializer which describes ALL Devise's configuration options and you MUST take a look at it. When you are done, you are ready to add Devise to any of your models using the generator:
+The generator will install an initializer which describes ALL of Devise's configuration options. It is *imperative* that you take a look at it. When you are done, you are ready to add Devise to any of your models using the generator:

 ```console
 rails generate devise MODEL
@@ -121,7 +121,7 @@ Next, you need to set up the default URL options for the Devise mailer in each e
 config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
 ```

-You should restart your application after changing Devise's configuration options. Otherwise you'll run into strange errors like users being unable to login and route helpers being undefined.
+You should restart your application after changing Devise's configuration options. Otherwise, you will run into strange errors, for example, users being unable to login and route helpers being undefined.

 ### Controller filters and helpers

@@ -151,7 +151,7 @@ You can access the session for this scope:
 user_session
 ```

-After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. For instance, for a `:user` resource, the `user_root_path` will be used if it exists, otherwise the default `root_path` will be used. This means that you need to set the root inside your routes:
+After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect to. For instance, when using a `:user` resource, the `user_root_path` will be used if it exists; otherwise, the default `root_path` will be used. This means that you need to set the root inside your routes:

 ```ruby
 root to: "home#index"
@@ -179,7 +179,7 @@ The Devise method in your models also accepts some options to configure its modu
 devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
 ```

-Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above.
+Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`.

 ### Strong Parameters

@@ -191,7 +191,7 @@ There are just three actions in Devise that allows any set of parameters to be p
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`

-In case you want to permit additional parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™), you can do so using a simple before filter in your `ApplicationController`:

 ```ruby
 class ApplicationController < ActionController::Base
@@ -215,7 +215,7 @@ def configure_permitted_parameters
 end
 ```

-If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters permitted scalars, so we need to configure Devise thusly:
+If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters' permitted scalars, so we need to configure Devise in the following way:

 ```ruby
 def configure_permitted_parameters
@@ -226,7 +226,7 @@ For the list of permitted scalars, and how to declare permitted keys in nested h

 https://github.com/rails/strong_parameters#nested-parameters

-If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
+If you have multiple Devise models, you may want to set up a different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and adding your own logic:

 ```ruby
 class User::ParameterSanitizer < Devise::ParameterSanitizer
@@ -272,7 +272,7 @@ After doing so, you will be able to have views based on the role like `users/ses
 rails generate devise:views users
 ```

-If you want to generate only a few set of views, like the ones for the `registrable` and `confirmable` module,
+If you would like to generate only a few sets of views, like the ones for the `registerable` and `confirmable` module,
 you can pass a list of modules to the generator with the `-v` flag.

 ```console
@@ -289,11 +289,11 @@ If the customization at the views level is not enough, you can customize each co
    rails generate devise:controllers [scope]
    ```

-    If you specify `admins` as the scope, controllers will be created in `app/controllers/admins/`.
+    If you specify `users` as the scope, controllers will be created in `app/controllers/users/`.
    And the sessions controller will look like this:

    ```ruby
-    class Admins::SessionsController < Devise::SessionsController
+    class Users::SessionsController < Devise::SessionsController
      # GET /resource/sign_in
      # def new
      #   super
@@ -305,17 +305,17 @@ If the customization at the views level is not enough, you can customize each co
 2. Tell the router to use this controller:

    ```ruby
-    devise_for :admins, controllers: { sessions: "admins/sessions" }
+    devise_for :users, controllers: { sessions: "users/sessions" }
    ```

-3. Copy the views from `devise/sessions` to `admins/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.
+3. Copy the views from `devise/sessions` to `users/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.

 4. Finally, change or extend the desired controller actions.

    You can completely override a controller action:

    ```ruby
-    class Admins::SessionsController < Devise::SessionsController
+    class Users::SessionsController < Devise::SessionsController
      def create
        # custom sign-in code
      end
@@ -325,7 +325,7 @@ If the customization at the views level is not enough, you can customize each co
    Or you can simply add new behaviour to it:

    ```ruby
-    class Admins::SessionsController < Devise::SessionsController
+    class Users::SessionsController < Devise::SessionsController
      def create
        super do |resource|
          BackgroundWorker.trigger(resource)
@@ -336,7 +336,7 @@ If the customization at the views level is not enough, you can customize each co

    This is useful for triggering background jobs or logging events during certain actions.

-Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash.
+Remember that Devise uses flash messages to let users know if sign in was successful or unsuccessful. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash.

 ### Configuring routes

@@ -356,11 +356,11 @@ devise_scope :user do
 end
 ```

-This way you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.
+This way, you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.

 ### I18n

-Devise uses flash messages with I18n with the flash keys :notice and :alert. To customize your app, you can set up your locale file:
+Devise uses flash messages with I18n, in conjunction with the flash keys :notice and :alert. To customize your app, you can set up your locale file:

 ```yaml
 en:
@@ -398,7 +398,7 @@ Take a look at our locale file to check all available messages. You may also be

 https://github.com/plataformatec/devise/wiki/I18n

-Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController
+Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController.

 ### Test helpers

@@ -418,6 +418,8 @@ RSpec.configure do |config|
 end
 ```

+Just be sure that this inclusion is made *after* the `require 'rspec/rails'` directive.
+
 Now you are ready to use the `sign_in` and `sign_out` methods. Such methods have the same signature as in controllers:

 ```ruby
@@ -432,22 +434,26 @@ There are two things that are important to keep in mind:

 1. These helpers are not going to work for integration tests driven by Capybara or Webrat. They are meant to be used with functional tests only. Instead, fill in the form or explicitly set the user in session;

-2. If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from the router, but since functional tests do not pass through the router, it needs to be told explicitly. For example, if you are testing the user scope, simply do:
+2. If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from the router, but since functional tests do not pass through the router, it needs to be stated explicitly. For example, if you are testing the user scope, simply use:

    ```ruby
    @request.env["devise.mapping"] = Devise.mappings[:user]
    get :new
    ```

-### Omniauth
+You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:

-Devise comes with Omniauth support out of the box to authenticate with other providers. To use it, just specify your omniauth configuration in `config/initializers/devise.rb`:
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+
+### OmniAuth
+
+Devise comes with OmniAuth support out of the box to authenticate with other providers. To use it, simply specify your OmniAuth configuration in `config/initializers/devise.rb`:

 ```ruby
 config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
 ```

-You can read more about Omniauth support in the wiki:
+You can read more about OmniAuth support in the wiki:

 * https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview

@@ -460,7 +466,7 @@ Devise allows you to set up as many Devise models as you want. If you want to ha
 create_table :admins do |t|
  t.string :email
  t.string :encrypted_password
-  t.timestamps
+  t.timestamps null: false
 end

 # Inside your Admin model
@@ -480,12 +486,12 @@ admin_session

 Alternatively, you can simply run the Devise generator.

-Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend you to use a role-based approach, by either providing a role column or using a dedicated gem for authorization.
+Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend that you use a role-based approach, by either providing a role column or using a dedicated gem for authorization.

 ### ActiveJob Integration

 If you are using Rails 4.2 and ActiveJob to deliver ActionMailer messages in the
-background through a queueing backend, you can send Devise emails through your
+background through a queuing back-end, you can send Devise emails through your
 existing queue by overriding the `send_devise_notification` method in your model.

 ```ruby
@@ -494,15 +500,29 @@ def send_devise_notification(notification, *args)
 end
 ```

+### Password reset tokens and Rails logs
+
+If you enable the [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
+
+1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked.
+2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked.
+
+Rails sets the production logger level to DEBUG by default. Consider changing your production logger level to WARN if you wish to prevent tokens from being leaked into your logs. In `config/environments/production.rb`:
+
+```ruby
+config.log_level = :warn
+```
+
+
 ### Other ORMs

-Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file.
+Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.

 ## Additional information

 ### Heroku

-Using Devise on Heroku with Ruby on Rails 3.1 requires setting:
+Using Devise on Heroku with Ruby on Rails 3.2 requires setting:

 ```ruby
 config.assets.initialize_on_precompile = false
@@ -524,6 +544,6 @@ https://github.com/plataformatec/devise/graphs/contributors

 ## License

-MIT License. Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2015 Plataformatec. http://plataformatec.com.br

-You are not granted rights or licenses to the trademarks of the Plataformatec, including without limitation the Devise name or logo.
+You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.
--- a/3
+++ b/3
@@ -1,5 +1,6 @@
 # encoding: UTF-8
-require "bundler/gem_tasks"
+
+require 'bundler/gem_tasks'
 require 'rake/testtask'
 require 'rdoc/task'

--- a/app/controllers/devise/confirmations_controller.rb
+++ b/app/controllers/devise/confirmations_controller.rb
@@ -44,4 +44,8 @@ class Devise::ConfirmationsController < DeviseController
        new_session_path(resource_name)
      end
    end
+
+    def translation_scope
+      'devise.confirmations'
+    end
 end
--- a/app/controllers/devise/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise/omniauth_callbacks_controller.rb
@@ -27,4 +27,8 @@ class Devise::OmniauthCallbacksController < DeviseController
  def after_omniauth_failure_path_for(scope)
    new_session_path(scope)
  end
+
+  def translation_scope
+    'devise.omniauth_callbacks'
+  end
 end
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -23,6 +23,7 @@ class Devise::PasswordsController < DeviseController
  # GET /resource/password/edit?reset_password_token=abcdef
  def edit
    self.resource = resource_class.new
+    set_minimum_password_length
    resource.reset_password_token = params[:reset_password_token]
  end

@@ -33,10 +34,15 @@ class Devise::PasswordsController < DeviseController

    if resource.errors.empty?
      resource.unlock_access! if unlockable?(resource)
-      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_flashing_format?
-      sign_in(resource_name, resource)
-      respond_with resource, location: after_resetting_password_path_for(resource)
+      if Devise.sign_in_after_reset_password
+        flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
+        set_flash_message(:notice, flash_message) if is_flashing_format?
+        sign_in(resource_name, resource)
+        respond_with resource, location: after_resetting_password_path_for(resource)
+      else
+        set_flash_message(:notice, :updated_not_active) if is_flashing_format?
+        respond_with resource, location: new_session_path(resource_name)
+      end
    else
      respond_with resource
    end
@@ -67,4 +73,8 @@ class Devise::PasswordsController < DeviseController
        resource.respond_to?(:unlock_strategy_enabled?) &&
        resource.unlock_strategy_enabled?(:email)
    end
+
+    def translation_scope
+      'devise.passwords'
+    end
 end
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -1,14 +1,12 @@
 class Devise::RegistrationsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [ :new, :create, :cancel ]
+  prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
  prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]

  # GET /resource/sign_up
  def new
    build_resource({})
-    @validatable = devise_mapping.validatable?
-    if @validatable
-      @minimum_password_length = resource_class.password_length.min
-    end
+    set_minimum_password_length
+    yield resource if block_given?
    respond_with self.resource
  end

@@ -16,9 +14,9 @@ class Devise::RegistrationsController < DeviseController
  def create
    build_resource(sign_up_params)

-    resource_saved = resource.save
+    resource.save
    yield resource if block_given?
-    if resource_saved
+    if resource.persisted?
      if resource.active_for_authentication?
        set_flash_message :notice, :signed_up if is_flashing_format?
        sign_up(resource_name, resource)
@@ -30,10 +28,7 @@ class Devise::RegistrationsController < DeviseController
      end
    else
      clean_up_passwords resource
-      @validatable = devise_mapping.validatable?
-      if @validatable
-        @minimum_password_length = resource_class.password_length.min
-      end
+      set_minimum_password_length
      respond_with resource
    end
  end
@@ -145,4 +140,8 @@ class Devise::RegistrationsController < DeviseController
  def account_update_params
    devise_parameter_sanitizer.sanitize(:account_update)
  end
+
+  def translation_scope
+    'devise.registrations'
+  end
 end
--- a/app/controllers/devise/sessions_controller.rb
+++ b/app/controllers/devise/sessions_controller.rb
@@ -1,13 +1,14 @@
 class Devise::SessionsController < DeviseController
-  prepend_before_filter :require_no_authentication, only: [ :new, :create ]
+  prepend_before_filter :require_no_authentication, only: [:new, :create]
  prepend_before_filter :allow_params_authentication!, only: :create
  prepend_before_filter :verify_signed_out_user, only: :destroy
-  prepend_before_filter only: [ :create, :destroy ] { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }

  # GET /resource/sign_in
  def new
    self.resource = resource_class.new(sign_in_params)
    clean_up_passwords(resource)
+    yield resource if block_given?
    respond_with(resource, serialize_options(resource))
  end

@@ -45,6 +46,10 @@ class Devise::SessionsController < DeviseController
    { scope: resource_name, recall: "#{controller_path}#new" }
  end

+  def translation_scope
+    'devise.sessions'
+  end
+
  private

  # Check if there is no signed in user before doing the sign out.
--- a/app/controllers/devise/unlocks_controller.rb
+++ b/app/controllers/devise/unlocks_controller.rb
@@ -43,4 +43,7 @@ class Devise::UnlocksController < DeviseController
      new_session_path(resource)  if is_navigational_format?
    end

+    def translation_scope
+      'devise.unlocks'
+    end
 end
--- a/app/controllers/devise_controller.rb
+++ b/app/controllers/devise_controller.rb
@@ -6,12 +6,13 @@ class DeviseController < Devise.parent_controller.constantize

  helpers = %w(resource scope_name resource_name signed_in_resource
               resource_class resource_params devise_mapping)
-  hide_action(*helpers)
  helper_method(*helpers)

  prepend_before_filter :assert_is_devise_resource!
  respond_to :html if mimes_for_respond_to.empty?

+  protected
+
  # Gets the actual resource stored in the instance variable
  def resource
    instance_variable_get(:"@#{resource_name}")
@@ -38,6 +39,7 @@ class DeviseController < Devise.parent_controller.constantize
    @devise_mapping ||= request.env["devise.mapping"]
  end

+
  # Override prefixes to consider the scoped view.
  # Notice we need to check for the request due to a bug in
  # Action Controller tests that forces _prefixes to be
@@ -50,9 +52,6 @@ class DeviseController < Devise.parent_controller.constantize
    end
  end

-  hide_action :_prefixes
-
-  protected

  # Checks whether it's a devise mapped resource or not.
  def assert_is_devise_resource! #:nodoc:
@@ -129,8 +128,11 @@ MESSAGE
  end

  # Sets the flash message with :key, using I18n. By default you are able
-  # to setup your messages using specific resource scope, and if no one is
-  # found we look to default scope.
+  # to setup your messages using specific resource scope, and if no message is
+  # found we look to the default scope. Set the "now" options key to a true
+  # value to populate the flash.now hash in lieu of the default flash hash (so
+  # the flash message will be available to the current action instead of the
+  # next action).
  # Example (i18n locale file):
  #
  #   en:
@@ -144,7 +146,18 @@ MESSAGE
  # available.
  def set_flash_message(key, kind, options = {})
    message = find_message(kind, options)
-    flash[key] = message if message.present?
+    if options[:now]
+      flash.now[key] = message if message.present?
+    else
+      flash[key] = message if message.present?
+    end
+  end
+
+  # Sets minimum password length to show to user
+  def set_minimum_password_length
+    if devise_mapping.validatable?
+      @minimum_password_length = resource_class.password_length.min
+    end
  end

  def devise_i18n_options(options)
@@ -153,13 +166,20 @@ MESSAGE

  # Get message for given
  def find_message(kind, options = {})
-    options[:scope] = "devise.#{controller_name}"
+    options[:scope] ||= translation_scope
    options[:default] = Array(options[:default]).unshift(kind.to_sym)
    options[:resource_name] = resource_name
    options = devise_i18n_options(options)
    I18n.t("#{options[:resource_name]}.#{kind}", options)
  end

+  # Controllers inheriting DeviseController are advised to override this
+  # method so that other controllers inheriting from them would use
+  # existing translations.
+  def translation_scope
+    "devise.#{controller_name}"
+  end
+
  def clean_up_passwords(object)
    object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
  end
@@ -173,4 +193,6 @@ MESSAGE
  def resource_params
    params.fetch(resource_name, {})
  end
+
+  ActiveSupport.run_load_hooks(:devise_controller, self)
 end
--- a/app/views/devise/confirmations/new.html.erb
+++ b/app/views/devise/confirmations/new.html.erb
@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f| %>
  <%= devise_error_messages! %>

-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true, value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email) %> 
+  </div>

-  <div><%= f.submit "Resend confirmation instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Resend confirmation instructions" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@@ -4,13 +4,22 @@
  <%= devise_error_messages! %>
  <%= f.hidden_field :reset_password_token %>

-  <div><%= f.label :password, "New password" %><br />
-    <%= f.password_field :password, autofocus: true, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password, "New password" %><br />
+    <% if @minimum_password_length %>
+    <em>(<%= @minimum_password_length %> characters minimum)</em>
+    <% end %><br />
+    <%= f.password_field :password, autofocus: true, autocomplete: "off" %>
+  </div>

-  <div><%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation, "Confirm new password" %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>

-  <div><%= f.submit "Change my password" %></div>
+  <div class="actions">
+    <%= f.submit "Change my password" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/app/views/devise/passwords/new.html.erb
+++ b/app/views/devise/passwords/new.html.erb
@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
  <%= devise_error_messages! %>

-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>

-  <div><%= f.submit "Send me reset password instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Send me reset password instructions" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/app/views/devise/registrations/edit.html.erb
+++ b/app/views/devise/registrations/edit.html.erb
@@ -3,23 +3,33 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
  <%= devise_error_messages! %>

-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>

  <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %>
    <div>Currently waiting confirmation for: <%= resource.unconfirmed_email %></div>
  <% end %>

-  <div><%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %> <i>(leave blank if you don't want to change it)</i><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>

-  <div><%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>

-  <div><%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
-    <%= f.password_field :current_password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :current_password %> <i>(we need your current password to confirm your changes)</i><br />
+    <%= f.password_field :current_password, autocomplete: "off" %>
+  </div>

-  <div><%= f.submit "Update" %></div>
+  <div class="actions">
+    <%= f.submit "Update" %>
+  </div>
 <% end %>

 <h3>Cancel my account</h3>
--- a/app/views/devise/registrations/new.html.erb
+++ b/app/views/devise/registrations/new.html.erb
@@ -3,16 +3,27 @@
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
  <%= devise_error_messages! %>

-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>

-  <div><%= f.label :password %> <% if @validatable %><i>(<%= @minimum_password_length %> characters minimum)</i><% end %><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %>
+    <% if @minimum_password_length %>
+    <em>(<%= @minimum_password_length %> characters minimum)</em>
+    <% end %><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>

-  <div><%= f.label :password_confirmation %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+  </div>

-  <div><%= f.submit "Sign up" %></div>
+  <div class="actions">
+    <%= f.submit "Sign up" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -1,17 +1,26 @@
 <h2>Log in</h2>

 <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>

-  <div><%= f.label :password %><br />
-    <%= f.password_field :password, autocomplete: "off" %></div>
+  <div class="field">
+    <%= f.label :password %><br />
+    <%= f.password_field :password, autocomplete: "off" %>
+  </div>

  <% if devise_mapping.rememberable? -%>
-    <div><%= f.check_box :remember_me %> <%= f.label :remember_me %></div>
+    <div class="field">
+      <%= f.check_box :remember_me %>
+      <%= f.label :remember_me %>
+    </div>
  <% end -%>

-  <div><%= f.submit "Log in" %></div>
+  <div class="actions">
+    <%= f.submit "Log in" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/app/views/devise/unlocks/new.html.erb
+++ b/app/views/devise/unlocks/new.html.erb
@@ -3,10 +3,14 @@
 <%= form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post }) do |f| %>
  <%= devise_error_messages! %>

-  <div><%= f.label :email %><br />
-  <%= f.email_field :email, autofocus: true %></div>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true %>
+  </div>

-  <div><%= f.submit "Resend unlock instructions" %></div>
+  <div class="actions">
+    <%= f.submit "Resend unlock instructions" %>
+  </div>
 <% end %>

 <%= render "devise/shared/links" %>
--- a/devise.gemspec
+++ b/devise.gemspec
@@ -18,6 +18,7 @@ Gem::Specification.new do |s|
  s.files         = `git ls-files`.split("\n")
  s.test_files    = `git ls-files -- test/*`.split("\n")
  s.require_paths = ["lib"]
+  s.required_ruby_version = '>= 1.9.3'

  s.add_dependency("warden", "~> 1.2.3")
  s.add_dependency("orm_adapter", "~> 0.1")
--- a/gemfiles/Gemfile.rails-3.2-stable.lock
+++ b/gemfiles/Gemfile.rails-3.2-stable.lock
@@ -1,14 +1,14 @@
 GIT
  remote: git://github.com/rails/rails.git
-  revision: 11fd052aa815ae0255ea5b2463e88138fb3fec61
+  revision: b344986bc3d94ca7821fc5e0eef1874882ac6cbb
  branch: 3-2-stable
  specs:
-    actionmailer (3.2.19)
-      actionpack (= 3.2.19)
+    actionmailer (3.2.21)
+      actionpack (= 3.2.21)
      mail (~> 2.5.4)
-    actionpack (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
+    actionpack (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
      builder (~> 3.0.0)
      erubis (~> 2.7.0)
      journey (~> 1.0.4)
@@ -16,31 +16,31 @@ GIT
      rack-cache (~> 1.2)
      rack-test (~> 0.6.1)
      sprockets (~> 2.2.1)
-    activemodel (3.2.19)
-      activesupport (= 3.2.19)
+    activemodel (3.2.21)
+      activesupport (= 3.2.21)
      builder (~> 3.0.0)
-    activerecord (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
+    activerecord (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
      arel (~> 3.0.2)
      tzinfo (~> 0.3.29)
-    activeresource (3.2.19)
-      activemodel (= 3.2.19)
-      activesupport (= 3.2.19)
-    activesupport (3.2.19)
+    activeresource (3.2.21)
+      activemodel (= 3.2.21)
+      activesupport (= 3.2.21)
+    activesupport (3.2.21)
      i18n (~> 0.6, >= 0.6.4)
      multi_json (~> 1.0)
-    rails (3.2.19)
-      actionmailer (= 3.2.19)
-      actionpack (= 3.2.19)
-      activerecord (= 3.2.19)
-      activeresource (= 3.2.19)
-      activesupport (= 3.2.19)
+    rails (3.2.21)
+      actionmailer (= 3.2.21)
+      actionpack (= 3.2.21)
+      activerecord (= 3.2.21)
+      activeresource (= 3.2.21)
+      activesupport (= 3.2.21)
      bundler (~> 1.0)
-      railties (= 3.2.19)
-    railties (3.2.19)
-      actionpack (= 3.2.19)
-      activesupport (= 3.2.19)
+      railties (= 3.2.21)
+    railties (3.2.21)
+      actionpack (= 3.2.21)
+      activesupport (= 3.2.21)
      rack-ssl (~> 1.3.2)
      rake (>= 0.8.7)
      rdoc (~> 3.4)
@@ -49,7 +49,7 @@ GIT
 PATH
  remote: ..
  specs:
-    devise (3.4.0)
+    devise (3.4.1)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -61,23 +61,23 @@ GEM
  remote: https://rubygems.org/
  specs:
    arel (3.0.3)
-    bcrypt (3.1.7)
+    bcrypt (3.1.10)
    builder (3.0.4)
    erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
      multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
    hike (1.2.3)
-    i18n (0.6.11)
+    i18n (0.7.0)
    journey (1.0.4)
-    json (1.8.1)
-    jwt (1.0.0)
+    json (1.8.2)
+    jwt (1.4.1)
    mail (2.5.4)
      mime-types (~> 1.16)
      treetop (~> 1.4.8)
    metaclass (0.0.4)
    mime-types (1.25.1)
-    mini_portile (0.6.0)
+    mini_portile (0.6.2)
    mocha (1.1.0)
      metaclass (~> 0.0.1)
    mongoid (3.1.6)
@@ -86,11 +86,11 @@ GEM
      origin (~> 1.0)
      tzinfo (~> 0.3.29)
    moped (1.5.2)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
    oauth2 (0.9.4)
      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
@@ -121,27 +121,27 @@ GEM
      ruby-openid (>= 2.1.8)
    rack-ssl (1.3.4)
      rack
-    rack-test (0.6.2)
+    rack-test (0.6.3)
      rack (>= 1.0)
-    rake (10.3.2)
+    rake (10.4.2)
    rdoc (3.12.2)
      json (~> 1.4)
-    responders (1.1.1)
+    responders (1.1.2)
      railties (>= 3.2, < 4.2)
-    ruby-openid (2.5.0)
-    sprockets (2.2.2)
+    ruby-openid (2.7.0)
+    sprockets (2.2.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.9)
+    sqlite3 (1.3.10)
    thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
    tilt (1.4.1)
    treetop (1.4.15)
      polyglot
      polyglot (>= 0.3.1)
-    tzinfo (0.3.41)
+    tzinfo (0.3.43)
    warden (1.2.3)
      rack (>= 1.0)
    webrat (0.7.3)
--- a/gemfiles/Gemfile.rails-4.0-stable.lock
+++ b/gemfiles/Gemfile.rails-4.0-stable.lock
@@ -1,49 +1,49 @@
 GIT
  remote: git://github.com/rails/rails.git
-  revision: 2d8886e05104316273a0f95dfbcd171d3b12678b
+  revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
  branch: 4-0-stable
  specs:
-    actionmailer (4.0.9)
-      actionpack (= 4.0.9)
+    actionmailer (4.0.13)
+      actionpack (= 4.0.13)
      mail (~> 2.5, >= 2.5.4)
-    actionpack (4.0.9)
-      activesupport (= 4.0.9)
+    actionpack (4.0.13)
+      activesupport (= 4.0.13)
      builder (~> 3.1.0)
      erubis (~> 2.7.0)
      rack (~> 1.5.2)
      rack-test (~> 0.6.2)
-    activemodel (4.0.9)
-      activesupport (= 4.0.9)
+    activemodel (4.0.13)
+      activesupport (= 4.0.13)
      builder (~> 3.1.0)
-    activerecord (4.0.9)
-      activemodel (= 4.0.9)
+    activerecord (4.0.13)
+      activemodel (= 4.0.13)
      activerecord-deprecated_finders (~> 1.0.2)
-      activesupport (= 4.0.9)
+      activesupport (= 4.0.13)
      arel (~> 4.0.0)
-    activesupport (4.0.9)
+    activesupport (4.0.13)
      i18n (~> 0.6, >= 0.6.9)
      minitest (~> 4.2)
      multi_json (~> 1.3)
      thread_safe (~> 0.1)
      tzinfo (~> 0.3.37)
-    rails (4.0.9)
-      actionmailer (= 4.0.9)
-      actionpack (= 4.0.9)
-      activerecord (= 4.0.9)
-      activesupport (= 4.0.9)
+    rails (4.0.13)
+      actionmailer (= 4.0.13)
+      actionpack (= 4.0.13)
+      activerecord (= 4.0.13)
+      activesupport (= 4.0.13)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.0.9)
+      railties (= 4.0.13)
      sprockets-rails (~> 2.0)
-    railties (4.0.9)
-      actionpack (= 4.0.9)
-      activesupport (= 4.0.9)
+    railties (4.0.13)
+      actionpack (= 4.0.13)
+      activesupport (= 4.0.13)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)

 PATH
  remote: ..
  specs:
-    devise (3.4.0)
+    devise (3.4.1)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -56,40 +56,39 @@ GEM
  specs:
    activerecord-deprecated_finders (1.0.3)
    arel (4.0.2)
-    bcrypt (3.1.7)
+    bcrypt (3.1.10)
    bson (2.3.0)
    builder (3.1.4)
-    connection_pool (2.0.0)
+    connection_pool (2.1.3)
    erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
      multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
    hike (1.2.3)
-    i18n (0.6.11)
-    json (1.8.1)
-    jwt (1.0.0)
-    mail (2.6.1)
+    i18n (0.7.0)
+    jwt (1.4.1)
+    mail (2.6.3)
      mime-types (>= 1.16, < 3)
    metaclass (0.0.4)
-    mime-types (2.3)
-    mini_portile (0.6.0)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
    minitest (4.7.5)
    mocha (1.1.0)
      metaclass (~> 0.0.1)
-    mongoid (4.0.0)
+    mongoid (4.0.2)
      activemodel (~> 4.0)
      moped (~> 2.0.0)
      origin (~> 2.1)
      tzinfo (>= 0.3.37)
-    moped (2.0.0)
+    moped (2.0.4)
      bson (~> 2.2)
      connection_pool (~> 2.0)
      optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
    oauth2 (0.9.4)
      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
@@ -116,28 +115,27 @@ GEM
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
      rack (>= 1.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    responders (1.1.1)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (1.1.2)
      railties (>= 3.2, < 4.2)
-    ruby-openid (2.5.0)
-    sprockets (2.12.1)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.1.3)
+    sprockets-rails (2.2.4)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
    thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
    tilt (1.4.1)
-    tzinfo (0.3.41)
+    tzinfo (0.3.43)
    warden (1.2.3)
      rack (>= 1.0)
    webrat (0.7.3)
--- a/gemfiles/Gemfile.rails-4.1-stable.lock
+++ b/gemfiles/Gemfile.rails-4.1-stable.lock
@@ -1,54 +1,54 @@
 GIT
  remote: git://github.com/rails/rails.git
-  revision: 90b70cd453e6b88b2ad484861ad9913f70bd15c9
+  revision: bf32ec7b8611e6b4c7e9398f7d297a1f0221e9b9
  branch: 4-1-stable
  specs:
-    actionmailer (4.1.5)
-      actionpack (= 4.1.5)
-      actionview (= 4.1.5)
+    actionmailer (4.1.10)
+      actionpack (= 4.1.10)
+      actionview (= 4.1.10)
      mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.5)
-      actionview (= 4.1.5)
-      activesupport (= 4.1.5)
+    actionpack (4.1.10)
+      actionview (= 4.1.10)
+      activesupport (= 4.1.10)
      rack (~> 1.5.2)
      rack-test (~> 0.6.2)
-    actionview (4.1.5)
-      activesupport (= 4.1.5)
+    actionview (4.1.10)
+      activesupport (= 4.1.10)
      builder (~> 3.1)
      erubis (~> 2.7.0)
-    activemodel (4.1.5)
-      activesupport (= 4.1.5)
+    activemodel (4.1.10)
+      activesupport (= 4.1.10)
      builder (~> 3.1)
-    activerecord (4.1.5)
-      activemodel (= 4.1.5)
-      activesupport (= 4.1.5)
+    activerecord (4.1.10)
+      activemodel (= 4.1.10)
+      activesupport (= 4.1.10)
      arel (~> 5.0.0)
-    activesupport (4.1.5)
+    activesupport (4.1.10)
      i18n (~> 0.6, >= 0.6.9)
      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.1)
      tzinfo (~> 1.1)
-    rails (4.1.5)
-      actionmailer (= 4.1.5)
-      actionpack (= 4.1.5)
-      actionview (= 4.1.5)
-      activemodel (= 4.1.5)
-      activerecord (= 4.1.5)
-      activesupport (= 4.1.5)
+    rails (4.1.10)
+      actionmailer (= 4.1.10)
+      actionpack (= 4.1.10)
+      actionview (= 4.1.10)
+      activemodel (= 4.1.10)
+      activerecord (= 4.1.10)
+      activesupport (= 4.1.10)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.5)
+      railties (= 4.1.10)
      sprockets-rails (~> 2.0)
-    railties (4.1.5)
-      actionpack (= 4.1.5)
-      activesupport (= 4.1.5)
+    railties (4.1.10)
+      actionpack (= 4.1.10)
+      activesupport (= 4.1.10)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)

 PATH
  remote: ..
  specs:
-    devise (3.4.0)
+    devise (3.4.1)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -60,40 +60,40 @@ GEM
  remote: https://rubygems.org/
  specs:
    arel (5.0.1.20140414130214)
-    bcrypt (3.1.7)
+    bcrypt (3.1.10)
    bson (2.3.0)
    builder (3.2.2)
-    connection_pool (2.0.0)
+    connection_pool (2.1.3)
    erubis (2.7.0)
-    faraday (0.9.0)
+    faraday (0.9.1)
      multipart-post (>= 1.2, < 3)
-    hashie (3.2.0)
+    hashie (3.4.0)
    hike (1.2.3)
-    i18n (0.6.11)
-    json (1.8.1)
-    jwt (1.0.0)
-    mail (2.6.1)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
+    mail (2.6.3)
      mime-types (>= 1.16, < 3)
    metaclass (0.0.4)
-    mime-types (2.3)
-    mini_portile (0.6.0)
-    minitest (5.4.0)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
    mocha (1.1.0)
      metaclass (~> 0.0.1)
-    mongoid (4.0.0)
+    mongoid (4.0.2)
      activemodel (~> 4.0)
      moped (~> 2.0.0)
      origin (~> 2.1)
      tzinfo (>= 0.3.37)
-    moped (2.0.0)
+    moped (2.0.4)
      bson (~> 2.2)
      connection_pool (~> 2.0)
      optionable (~> 0.2.0)
-    multi_json (1.10.1)
+    multi_json (1.11.0)
    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
    oauth2 (0.9.4)
      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
@@ -120,26 +120,25 @@ GEM
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
-    rack-test (0.6.2)
+    rack-test (0.6.3)
      rack (>= 1.0)
-    rake (10.3.2)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    responders (1.1.1)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (1.1.2)
      railties (>= 3.2, < 4.2)
-    ruby-openid (2.5.0)
-    sprockets (2.12.1)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.1.3)
+    sprockets-rails (2.2.4)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
    thor (0.19.1)
-    thread_safe (0.3.4)
+    thread_safe (0.3.5)
    tilt (1.4.1)
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
--- a/gemfiles/Gemfile.rails-4.2-stable
+++ b/gemfiles/Gemfile.rails-4.2-stable
@@ -0,0 +1,29 @@
+source "https://rubygems.org"
+
+gemspec path: '..'
+
+gem "rails", github: 'rails/rails', branch: '4-2-stable'
+gem "omniauth", "~> 1.2.2"
+gem "omniauth-oauth2", "~> 1.2.0"
+gem "rdoc"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid", "~> 1.0.1"
+  gem "webrat", "0.7.3", require: false
+  gem "mocha", "~> 1.1", require: false
+end
+
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 4.0.0"
+end
--- a/gemfiles/Gemfile.rails-4.2-stable.lock
+++ b/gemfiles/Gemfile.rails-4.2-stable.lock
@@ -0,0 +1,191 @@
+GIT
+  remote: git://github.com/rails/rails.git
+  revision: f12ff8ddab7b199707ec36d72bd72f206f142c8b
+  branch: 4-2-stable
+  specs:
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.1)
+      sprockets-rails
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+PATH
+  remote: ..
+  specs:
+    devise (3.4.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 3.2.6, < 5)
+      responders
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (6.0.0)
+    bcrypt (3.1.10)
+    bson (2.3.0)
+    builder (3.2.2)
+    connection_pool (2.1.3)
+    erubis (2.7.0)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.3.3)
+      activesupport (>= 4.1.0)
+    hashie (3.4.0)
+    hike (1.2.3)
+    i18n (0.7.0)
+    json (1.8.2)
+    jwt (1.4.1)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.4.3)
+    mini_portile (0.6.2)
+    minitest (5.5.1)
+    mocha (1.1.0)
+      metaclass (~> 0.0.1)
+    mongoid (4.0.2)
+      activemodel (~> 4.0)
+      moped (~> 2.0.0)
+      origin (~> 2.1)
+      tzinfo (>= 0.3.37)
+    moped (2.0.4)
+      bson (~> 2.2)
+      connection_pool (~> 2.0)
+      optionable (~> 0.2.0)
+    multi_json (1.11.0)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    omniauth (1.2.2)
+      hashie (>= 1.2, < 4)
+      rack (~> 1.0)
+    omniauth-facebook (2.0.1)
+      omniauth-oauth2 (~> 1.2)
+    omniauth-oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
+      multi_json (~> 1.3)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    optionable (0.2.0)
+    origin (2.1.1)
+    orm_adapter (0.5.0)
+    rack (1.6.0)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    rake (10.4.2)
+    rdoc (4.2.0)
+    responders (2.1.0)
+      railties (>= 4.2.0, < 5)
+    ruby-openid (2.7.0)
+    sprockets (2.12.3)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.2.4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tilt (1.4.1)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    warden (1.2.3)
+      rack (>= 1.0)
+    webrat (0.7.3)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbc-adapter
+  activerecord-jdbcsqlite3-adapter
+  devise!
+  jruby-openssl
+  mocha (~> 1.1)
+  mongoid (~> 4.0.0)
+  omniauth (~> 1.2.2)
+  omniauth-facebook
+  omniauth-oauth2 (~> 1.2.0)
+  omniauth-openid (~> 1.0.1)
+  rails!
+  rdoc
+  sqlite3
+  webrat (= 0.7.3)
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -57,22 +57,6 @@ module Devise
  mattr_accessor :secret_key
  @@secret_key = nil

-  [ :allow_insecure_token_lookup,
-    :allow_insecure_sign_in_after_confirmation,
-    :token_authentication_key ].each do |method|
-    class_eval <<-RUBY
-    def self.#{method}
-      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
-        "and has no effect"
-    end
-
-    def self.#{method}=(val)
-      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
-        "and has no effect"
-    end
-    RUBY
-  end
-
  # Custom domain or key for cookies. Not set by default
  mattr_accessor :rememberable_options
  @@rememberable_options = {}
@@ -87,7 +71,7 @@ module Devise

  # Keys used when authenticating a user.
  mattr_accessor :authentication_keys
-  @@authentication_keys = [ :email ]
+  @@authentication_keys = [:email]

  # Request keys used when authenticating a user.
  mattr_accessor :request_keys
@@ -95,7 +79,7 @@ module Devise

  # Keys that should be case-insensitive.
  mattr_accessor :case_insensitive_keys
-  @@case_insensitive_keys = [ :email ]
+  @@case_insensitive_keys = [:email]

  # Keys that should have whitespace stripped.
  mattr_accessor :strip_whitespace_keys
@@ -150,7 +134,7 @@ module Devise

  # Defines which key will be used when confirming an account.
  mattr_accessor :confirmation_keys
-  @@confirmation_keys = [ :email ]
+  @@confirmation_keys = [:email]

  # Defines if email should be reconfirmable.
  # False by default for backwards compatibility.
@@ -181,7 +165,7 @@ module Devise

  # Defines which key will be used when locking and unlocking an account
  mattr_accessor :unlock_keys
-  @@unlock_keys = [ :email ]
+  @@unlock_keys = [:email]

  # Defines which strategy can be used to unlock an account.
  # Values: :email, :time, :both
@@ -198,12 +182,16 @@ module Devise

  # Defines which key will be used when recovering the password for an account
  mattr_accessor :reset_password_keys
-  @@reset_password_keys = [ :email ]
+  @@reset_password_keys = [:email]

  # Time interval you can reset your password with a reset password key
  mattr_accessor :reset_password_within
  @@reset_password_within = 6.hours

+  # When set to false, resetting a password does not automatically sign in a user
+  mattr_accessor :sign_in_after_reset_password
+  @@sign_in_after_reset_password = true
+
  # The default scope which is used by warden.
  mattr_accessor :default_scope
  @@default_scope = nil
@@ -246,7 +234,7 @@ module Devise
  mattr_accessor :router_name
  @@router_name = nil

-  # Set the omniauth path prefix so it can be overridden when
+  # Set the OmniAuth path prefix so it can be overridden when
  # Devise is used in a mountable engine
  mattr_accessor :omniauth_path_prefix
  @@omniauth_path_prefix = nil
@@ -261,7 +249,7 @@ module Devise
  mattr_reader :mappings
  @@mappings = ActiveSupport::OrderedHash.new

-  # Omniauth configurations.
+  # OmniAuth configurations.
  mattr_reader :omniauth_configs
  @@omniauth_configs = ActiveSupport::OrderedHash.new

@@ -348,6 +336,7 @@ module Devise
  #   +controller+ - Symbol representing the name of an existing or custom *controller* for this module.
  #   +route+      - Symbol representing the named *route* helper for this module.
  #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #   +insert_at+  - Integer representing the order in which this module's model will be included
  #
  # All values, except :model, accept also a boolean and will have the same name as the given module
  # name.
@@ -357,10 +346,12 @@ module Devise
  #   Devise.add_module(:party_module)
  #   Devise.add_module(:party_module, strategy: true, controller: :sessions)
  #   Devise.add_module(:party_module, model: 'party_module/model')
+  #   Devise.add_module(:party_module, insert_at: 0)
  #
  def self.add_module(module_name, options = {})
-    ALL << module_name
-    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input, :insert_at)
+
+    ALL.insert (options[:insert_at] || -1), module_name

    if strategy = options[:strategy]
      strategy = (strategy == true ? module_name : strategy)
@@ -417,7 +408,7 @@ module Devise
    @@warden_config_blocks << block
  end

-  # Specify an omniauth provider.
+  # Specify an OmniAuth provider.
  #
  #   config.omniauth :github, APP_ID, APP_SECRET
  #
@@ -474,8 +465,12 @@ module Devise
  end

  # Generate a friendly string randomly to be used as token.
-  def self.friendly_token
-    SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
+  # By default, length is 20 characters.
+  def self.friendly_token(length = 20)
+    # To calculate real characters, we must perform this operation.
+    # See SecureRandom.urlsafe_base64
+    rlength = (length * 3) / 4
+    SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
  end

  # constant-time comparison algorithm to prevent timing attacks
--- a/lib/devise/controllers/rememberable.rb
+++ b/lib/devise/controllers/rememberable.rb
@@ -2,7 +2,7 @@ module Devise
  module Controllers
    # A module that may be optionally included in a controller in order
    # to provide remember me behavior. Useful when signing in is done
-    # through a callback, like in Omniauth.
+    # through a callback, like in OmniAuth.
    module Rememberable
      # Return default cookie values retrieved from session options.
      def self.cookie_values
--- a/lib/devise/controllers/sign_in_out.rb
+++ b/lib/devise/controllers/sign_in_out.rb
@@ -6,7 +6,7 @@ module Devise
      # Return true if the given scope is signed in session. If no scope given, return
      # true if any scope is signed in. Does not run authentication hooks.
      def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+        [scope || Devise.mappings.keys].flatten.any? do |_scope|
          warden.authenticate?(scope: _scope)
        end
      end
--- a/lib/devise/controllers/store_location.rb
+++ b/lib/devise/controllers/store_location.rb
@@ -35,7 +35,9 @@ module Devise
        session_key = stored_location_key_for(resource_or_scope)
        uri = parse_uri(location)
        if uri
-          session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+          path = [path, uri.fragment].compact.join('#')
+          session[session_key] = path
        end
      end

--- a/lib/devise/controllers/url_helpers.rb
+++ b/lib/devise/controllers/url_helpers.rb
@@ -42,16 +42,14 @@ module Devise
          [:path, :url].each do |path_or_url|
            actions.each do |action|
              action = action ? "#{action}_" : ""
-              method = "#{action}#{module_name}_#{path_or_url}"
+              method = :"#{action}#{module_name}_#{path_or_url}"

-              class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-                def #{method}(resource_or_scope, *args)
-                  scope = Devise::Mapping.find_scope!(resource_or_scope)
-                  router_name = Devise.mappings[scope].router_name
-                  context = router_name ? send(router_name) : _devise_route_context
-                  context.send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
-                end
-              URL_HELPERS
+              define_method method do |resource_or_scope, *args|
+                scope = Devise::Mapping.find_scope!(resource_or_scope)
+                router_name = Devise.mappings[scope].router_name
+                context = router_name ? send(router_name) : _devise_route_context
+                context.send("#{action}#{scope}_#{module_name}_#{path_or_url}", *args)
+              end
            end
          end
        end
--- a/lib/devise/encryptor.rb
+++ b/lib/devise/encryptor.rb
@@ -0,0 +1,22 @@
+require 'bcrypt'
+
+module Devise
+  module Encryptor
+    def self.digest(klass, password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      ::BCrypt::Password.create(password, cost: klass.stretches).to_s
+    end
+
+    def self.compare(klass, encrypted_password, password)
+      return false if encrypted_password.blank?
+      bcrypt   = ::BCrypt::Password.new(encrypted_password)
+      if klass.pepper.present?
+        password = "#{password}#{klass.pepper}"
+      end
+      password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+      Devise.secure_compare(password, encrypted_password)
+    end
+  end
+end
--- a/lib/devise/failure_app.rb
+++ b/lib/devise/failure_app.rb
@@ -49,17 +49,19 @@ module Devise

    def recall
      env["PATH_INFO"]  = attempted_path
-      flash.now[:alert] = i18n_message(:invalid)
+      flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
      self.response = recall_app(warden_options[:recall]).call(env)
    end

    def redirect
      store_location!
-      if flash[:timedout] && flash[:alert]
-        flash.keep(:timedout)
-        flash.keep(:alert)
-      else
-        flash[:alert] = i18n_message
+      if is_flashing_format?
+        if flash[:timedout] && flash[:alert]
+          flash.keep(:timedout)
+          flash.keep(:alert)
+        else
+          flash[:alert] = i18n_message
+        end
      end
      redirect_to redirect_url
    end
@@ -78,7 +80,9 @@ module Devise
        options[:resource_name] = scope
        options[:scope] = "devise.failure"
        options[:default] = [message]
-        options[:authentication_keys] = scope_class.authentication_keys.join(I18n.translate(:"support.array.words_connector"))
+        auth_keys = scope_class.authentication_keys
+        keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
+        options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
        options = i18n_options(options)

        I18n.t(:"#{scope}.#{message}", options)
@@ -89,7 +93,7 @@ module Devise

    def redirect_url
      if warden_message == :timeout
-        flash[:timedout] = true
+        flash[:timedout] = true if is_flashing_format?

        path = if request.get?
          attempted_path
@@ -103,15 +107,23 @@ module Devise
      end
    end

+    def route(scope)
+      :"new_#{scope}_session_url"
+    end
+
    def scope_url
      opts  = {}
-      route = :"new_#{scope}_session_url"
+      route = route(scope)
      opts[:format] = request_format unless skip_format?

      config = Rails.application.config
-      opts[:script_name] = (config.relative_url_root if config.respond_to?(:relative_url_root))

-      context = send(Devise.available_router_name)
+      if config.respond_to?(:relative_url_root) && config.relative_url_root.present?
+        opts[:script_name] = config.relative_url_root
+      end
+
+      router_name = Devise.mappings[scope].router_name || Devise.available_router_name
+      context = send(router_name)

      if context.respond_to?(route)
        context.send(route, opts)
@@ -203,6 +215,12 @@ module Devise
      Devise.navigational_formats.include?(request_format)
    end

+    # Check if flash messages should be emitted. Default is to do it on
+    # navigational formats
+    def is_flashing_format?
+      is_navigational_format?
+    end
+
    def request_format
      @request_format ||= request.format.try(:ref)
    end
--- a/lib/devise/mapping.rb
+++ b/lib/devise/mapping.rb
@@ -31,6 +31,7 @@ module Devise
    # Receives an object and find a scope for it. If a scope cannot be found,
    # raises an error. If a symbol is given, it's considered to be the scope.
    def self.find_scope!(obj)
+      obj = obj.devise_scope if obj.respond_to?(:devise_scope)
      case obj
      when String, Symbol
        return obj.to_sym
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -1,3 +1,4 @@
+require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'

@@ -37,7 +38,7 @@ module Devise
    # calling model.active_for_authentication?. This method is overwritten by other devise modules. For instance,
    # :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
    #
-    # You overwrite this method yourself, but if you do, don't forget to call super:
+    # You can overwrite this method yourself, but if you do, don't forget to call super:
    #
    #   def active_for_authentication?
    #     super && special_condition_is_valid?
@@ -95,29 +96,22 @@ module Devise
      def authenticatable_salt
      end

-      array = %w(serializable_hash)
-      # to_xml does not call serializable_hash on 3.1
-      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
+      # Redefine serializable_hash in models for more secure defaults.
+      # By default, it removes from the serializable model all attributes that
+      # are *not* accessible. You can remove this default by using :force_except
+      # and passing a new list of attributes you want to exempt. All attributes
+      # given to :except will simply add names to exempt to Devise internal list.
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])

-      array.each do |method|
-        class_eval <<-RUBY, __FILE__, __LINE__
-          # Redefine to_xml and serializable_hash in models for more secure defaults.
-          # By default, it removes from the serializable model all attributes that
-          # are *not* accessible. You can remove this default by using :force_except
-          # and passing a new list of attributes you want to exempt. All attributes
-          # given to :except will simply add names to exempt to Devise internal list.
-          def #{method}(options=nil)
-            options ||= {}
-            options[:except] = Array(options[:except])
+        if options[:force_except]
+          options[:except].concat Array(options[:force_except])
+        else
+          options[:except].concat BLACKLIST_FOR_SERIALIZATION
+        end

-            if options[:force_except]
-              options[:except].concat Array(options[:force_except])
-            else
-              options[:except].concat BLACKLIST_FOR_SERIALIZATION
-            end
-            super(options)
-          end
-        RUBY
+        super(options)
      end

      protected
@@ -252,12 +246,12 @@ module Devise
          to_adapter.find_first(devise_parameter_filter.filter(tainted_conditions).merge(opts))
        end

-        # Find an initialize a record setting an error if it can't be found.
+        # Find or initialize a record setting an error if it can't be found.
        def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
          find_or_initialize_with_errors([attribute], { attribute => value }, error)
        end

-        # Find an initialize a group of attributes based on a list of required attributes.
+        # Find or initialize a record with group of attributes based on a list of required attributes.
        def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
          attributes = attributes.slice(*required_attributes).with_indifferent_access
          attributes.delete_if { |key, value| value.blank? }
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -5,6 +5,14 @@ module Devise
    # Confirmation instructions are sent to the user email after creating a
    # record and when manually requested by a new confirmation instruction request.
    #
+    # Confirmable tracks the following columns:
+    #
+    # * confirmation_token   - An OpenSSL::HMAC.hexdigest of @raw_confirmation_token
+    # * confirmed_at         - A timestamp when the user clicked the confirmation link
+    # * confirmation_sent_at - A timestamp when the confirmation_token was generated (not sent)
+    # * unconfirmed_email    - An email address copied from the email attr. After confirmation
+    #                          this value is copied to the email attr then cleared
+    #
    # == Options
    #
    # Confirmable adds the following options to +devise+:
@@ -24,7 +32,7 @@ module Devise
    #
    # == Examples
    #
-    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirm       # returns true unless it's already confirmed
    #   User.find(1).confirmed?    # true/false
    #   User.find(1).send_confirmation_instructions # manually send instructions
    #
@@ -56,7 +64,7 @@ module Devise
      # Confirm a user by setting it's confirmed_at to actual time. If the user
      # is already confirmed, add an error to email field. If the user is invalid
      # add errors
-      def confirm!
+      def confirm(args={})
        pending_any_confirmation do
          if confirmation_period_expired?
            self.errors.add(:email, :confirmation_period_expired,
@@ -64,7 +72,6 @@ module Devise
            return false
          end

-          self.confirmation_token = nil
          self.confirmed_at = Time.now.utc

          saved = if self.class.reconfirmable && unconfirmed_email.present?
@@ -75,7 +82,7 @@ module Devise
            # We need to validate in such cases to enforce e-mail uniqueness
            save(validate: true)
          else
-            save(validate: false)
+            save(validate: args[:ensure_valid] == true)
          end

          after_confirmation if saved
@@ -83,6 +90,11 @@ module Devise
        end
      end

+      def confirm!(args={})
+        ActiveSupport::Deprecation.warn "confirm! is deprecated in favor of confirm"
+        confirm(args)
+      end
+
      # Verifies whether a user is confirmed or not
      def confirmed?
        !!confirmed_at
@@ -202,7 +214,7 @@ module Devise
        #   confirmation_period_expired?  # will always return false
        #
        def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
+          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
        end

        # Checks whether the record requires any confirmation.
@@ -216,7 +228,7 @@ module Devise
        end

        # Generates a new random token for confirmation, and stores
-        # the time this token is being generated
+        # the time this token is being generated in confirmation_sent_at
        def generate_confirmation_token
          raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
          @raw_confirmation_token   = raw
@@ -249,6 +261,16 @@ module Devise
          confirmation_required? && !@skip_confirmation_notification && self.email.present?
        end

+        # A callback initiated after successfully confirming. This can be
+        # used to insert your own logic that is only run after the user successfully
+        # confirms.
+        #
+        # Example:
+        #
+        #   def after_confirmation
+        #     self.update_attribute(:invite_code, nil)
+        #   end
+        #
        def after_confirmation
        end

@@ -275,7 +297,7 @@ module Devise
          confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)

          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          confirmable.confirm! if confirmable.persisted?
+          confirmable.confirm if confirmable.persisted?
          confirmable.confirmation_token = original_token
          confirmable
        end
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@@ -1,10 +1,10 @@
 require 'devise/strategies/database_authenticatable'
-require 'bcrypt'
+require 'devise/encryptor'

 module Devise
-  # Digests the password using bcrypt.
  def self.bcrypt(klass, password)
-    ::BCrypt::Password.create("#{password}#{klass.pepper}", cost: klass.stretches).to_s
+    ActiveSupport::Deprecation.warn "Devise.bcrypt is deprecated; use Devise::Encryptor.digest instead"
+    Devise::Encryptor.digest(klass, password)
  end

  module Models
@@ -42,12 +42,9 @@ module Devise
        self.encrypted_password = password_digest(@password) if @password.present?
      end

-      # Verifies whether an password (ie from sign in) is the user password.
+      # Verifies whether a password (ie from sign in) is the user password.
      def valid_password?(password)
-        return false if encrypted_password.blank?
-        bcrypt   = ::BCrypt::Password.new(encrypted_password)
-        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
-        Devise.secure_compare(password, encrypted_password)
+        Devise::Encryptor.compare(self.class, encrypted_password, password)
      end

      # Set password and password confirmation to nil
@@ -145,7 +142,7 @@ module Devise
      # See https://github.com/plataformatec/devise-encryptable for examples
      # of other encryption engines.
      def password_digest(password)
-        Devise.bcrypt(self.class, password)
+        Devise::Encryptor.digest(self.class, password)
      end

      module ClassMethods
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@@ -8,11 +8,13 @@ module Devise
    # Recoverable adds the following options to devise_for:
    #
    #   * +reset_password_keys+: the keys you want to use when recovering the password for an account
+    #   * +reset_password_within+: the time period within which the password must be reset or the token expires.
+    #   * +sign_in_after_reset_password+: whether or not to sign in the user automatically after a password reset.
    #
    # == Examples
    #
    #   # resets the user password and save the record, true if valid passwords are given, otherwise false
-    #   User.find(1).reset_password!('password123', 'password123')
+    #   User.find(1).reset_password('password123', 'password123')
    #
    #   # only resets the user password, without saving the record
    #   user = User.find(1)
@@ -30,7 +32,7 @@ module Devise

      # Update password saving the record and clearing token. Returns true if
      # the passwords are valid and the record was saved, false otherwise.
-      def reset_password!(new_password, new_password_confirmation)
+      def reset_password(new_password, new_password_confirmation)
        self.password = new_password
        self.password_confirmation = new_password_confirmation

@@ -42,6 +44,11 @@ module Devise
        save
      end

+      def reset_password!(new_password, new_password_confirmation)
+        ActiveSupport::Deprecation.warn "reset_password! is deprecated in favor of reset_password"
+        reset_password(new_password, new_password_confirmation)
+      end
+
      # Resets reset password token and send reset password instructions by email.
      # Returns the token sent in the e-mail.
      def send_reset_password_instructions
@@ -83,6 +90,16 @@ module Devise
          self.reset_password_sent_at = nil
        end

+        # A callback initiated after password is successfully reset. This can
+        # be used to insert your own logic that is only run after the user
+        # successfully resets their password.
+        #
+        # Example:
+        #
+        #   def after_password_reset
+        #     self.update_attribute(:invite_code, nil)
+        #   end
+        #
        def after_password_reset
        end

@@ -130,17 +147,17 @@ module Devise

          if recoverable.persisted?
            if recoverable.reset_password_period_valid?
-              recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
+              recoverable.reset_password(attributes[:password], attributes[:password_confirmation])
            else
              recoverable.errors.add(:reset_password_token, :expired)
            end
          end

-          recoverable.reset_password_token = original_token
+          recoverable.reset_password_token = original_token if recoverable.reset_password_token.present?
          recoverable
        end

-        Devise::Models.config(self, :reset_password_keys, :reset_password_within)
+        Devise::Models.config(self, :reset_password_keys, :reset_password_within, :sign_in_after_reset_password)
      end
    end
  end
--- a/lib/devise/models/rememberable.rb
+++ b/lib/devise/models/rememberable.rb
@@ -46,7 +46,7 @@ module Devise
      end

      # Generate a new remember token and save the record without validations
-      # unless remember_across_browsers is true and the user already has a valid token.
+      # if remember expired (token is no longer valid) or extend_remember_period is true
      def remember_me!(extend_period=false)
        self.remember_token = self.class.remember_token if generate_remember_token?
        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
@@ -89,6 +89,19 @@ module Devise
        self.class.rememberable_options
      end

+      # A callback initiated after successfully being remembered. This can be
+      # used to insert your own logic that is only run after the user is
+      # remembered.
+      #
+      # Example:
+      #
+      #   def after_remembered
+      #     self.update_attribute(:invite_code, nil)
+      #   end
+      #
+      def after_remembered
+      end
+
    protected

      def generate_remember_token? #:nodoc:
@@ -98,7 +111,7 @@ module Devise
      # Generate a timestamp if extend_remember_period is true, if no remember_token
      # exists, or if an existing remember token has expired.
      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_created_at.nil? || remember_expired?
+        extend_period || remember_expired?
      end

      module ClassMethods
--- a/lib/devise/models/trackable.rb
+++ b/lib/devise/models/trackable.rb
@@ -30,8 +30,7 @@ module Devise

      def update_tracked_fields!(request)
        update_tracked_fields(request)
-        save(validate: false) or raise "Devise trackable could not save #{inspect}." \
-          "Please make sure a model using trackable can be saved at sign in."
+        save(validate: false)
      end
    end
  end
--- a/lib/devise/models/validatable.rb
+++ b/lib/devise/models/validatable.rb
@@ -10,12 +10,12 @@ module Devise
    # Validatable adds the following options to devise_for:
    #
    #   * +email_regexp+: the regular expression used to validate e-mails;
-    #   * +password_length+: a range expressing password length. Defaults to 8..128.
+    #   * +password_length+: a range expressing password length. Defaults to 8..72.
    #
    module Validatable
      # All validations used by this module.
-      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
-                      :validates_confirmation_of, :validates_length_of ].freeze
+      VALIDATIONS = [:validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                     :validates_confirmation_of, :validates_length_of].freeze

      def self.required_fields(klass)
        []
--- a/lib/devise/rails.rb
+++ b/lib/devise/rails.rb
@@ -17,7 +17,7 @@ module Devise
      Devise.include_helpers(Devise::Controllers)
    end

-    initializer "devise.omniauth" do |app|
+    initializer "devise.omniauth", after: :load_config_initializers, before: :build_middleware_stack do |app|
      Devise.omniauth_configs.each do |provider, config|
        app.middleware.use config.strategy_class, *config.args do |strategy|
          config.strategy = strategy
--- a/lib/devise/rails/routes.rb
+++ b/lib/devise/rails/routes.rb
@@ -119,7 +119,7 @@ module ActionDispatch::Routing
    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
    #    if you wish to restrict this to accept only :post or :delete requests you should do:
    #
-    #      devise_for :users, sign_out_via: [ :post, :delete ]
+    #      devise_for :users, sign_out_via: [:post, :delete]
    #
    #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
    #
@@ -402,7 +402,7 @@ module ActionDispatch::Routing
      def devise_omniauth_callback(mapping, controllers) #:nodoc:
        if mapping.fullpath =~ /:[a-zA-Z_]/
          raise <<-ERROR
-Devise does not support scoping omniauth callbacks under a dynamic segment
+Devise does not support scoping OmniAuth callbacks under a dynamic segment
 and you have set #{mapping.fullpath.inspect}. You can work around by passing
 `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:

@@ -414,7 +414,7 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing

    match "/users/auth/:action/callback",
      constraints: { action: /google|facebook/ },
-      to: "devise/omniauth_callbacks",
+      to: "devise/omniauth_callbacks#:action",
      as: :omniauth_callback,
      via: [:get, :post]
 ERROR
--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -57,7 +57,7 @@ module Devise

      # Check if this is a valid strategy for http authentication by:
      #
-      #   * Validating if the model allows params authentication;
+      #   * Validating if the model allows http authentication;
      #   * If any of the authorization headers were sent;
      #   * If all authentication keys are present;
      #
@@ -108,7 +108,10 @@ module Devise
        params_auth_hash.is_a?(Hash)
      end

-      # Check if password is present.
+      # Note: unlike `Model.valid_password?`, this method does not actually
+      # ensure that the password in the params matches the password stored in
+      # the database. It only checks if the password is *present*. Do not rely
+      # on this method for validating that a given password is correct.
      def valid_password?
        password.present?
      end
--- a/lib/devise/strategies/database_authenticatable.rb
+++ b/lib/devise/strategies/database_authenticatable.rb
@@ -5,7 +5,7 @@ module Devise
    # Default strategy for signing in a user, based on their email and password in the database.
    class DatabaseAuthenticatable < Authenticatable
      def authenticate!
-        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
        encrypted = false

        if validate(resource){ encrypted = true; resource.valid_password?(password) }
--- a/lib/devise/strategies/rememberable.rb
+++ b/lib/devise/strategies/rememberable.rb
@@ -27,10 +27,20 @@ module Devise
        if validate(resource)
          remember_me(resource)
          extend_remember_me_period(resource)
+          resource.after_remembered
          success!(resource)
        end
      end

+      # No need to clean up the CSRF when using rememberable.
+      # In fact, cleaning it up here would be a bug because
+      # rememberable is triggered on GET requests which means
+      # we would render a page on first access with all csrf
+      # tokens expired.
+      def clean_up_csrf?
+        false
+      end
+
    private

      def extend_remember_me_period(resource)
--- a/lib/devise/test_helpers.rb
+++ b/lib/devise/test_helpers.rb
@@ -26,11 +26,11 @@ module Devise

    # Quick access to Warden::Proxy.
    def warden #:nodoc:
-      @warden ||= begin
+      @request.env['warden'] ||= begin
        manager = Warden::Manager.new(nil) do |config|
          config.merge! Devise.warden_config
        end
-        @request.env['warden'] = Warden::Proxy.new(@request.env, manager)
+        Warden::Proxy.new(@request.env, manager)
      end
    end

--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.4.0".freeze
+  VERSION = "3.5.0".freeze
 end
--- a/lib/generators/active_record/templates/migration.rb
+++ b/lib/generators/active_record/templates/migration.rb
@@ -7,7 +7,7 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
      t.<%= attribute.type %> :<%= attribute.name %>
 <% end -%>

-      t.timestamps
+      t.timestamps null: false
    end

    add_index :<%= table_name %>, :email,                unique: true
--- a/lib/generators/active_record/templates/migration_existing.rb
+++ b/lib/generators/active_record/templates/migration_existing.rb
@@ -8,7 +8,7 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
 <% end -%>

      # Uncomment below if timestamps were not included in your original model.
-      # t.timestamps
+      # t.timestamps null: false
    end

    add_index :<%= table_name %>, :email,                unique: true
--- a/lib/generators/devise/controllers_generator.rb
+++ b/lib/generators/devise/controllers_generator.rb
@@ -8,7 +8,7 @@ module Devise
      desc <<-DESC.strip_heredoc
        Create inherited Devise controllers in your app/controllers folder.

-        User -c to specify which controller you want to overwrite.
+        Use -c to specify which controller you want to overwrite.
        If you do no specify a controller, all controllers will be created.
        For example:

--- a/lib/generators/templates/controllers/README
+++ b/lib/generators/templates/controllers/README
@@ -7,7 +7,7 @@ Some setup you must do manually if you haven't yet:

    Rails.application.routes.draw do
      devise_for :users, controllers: {
-        sessions: 'sessions'
+        sessions: 'users/sessions'
      }
    end

--- a/lib/generators/templates/controllers/omniauth_callbacks_controller.rb
+++ b/lib/generators/templates/controllers/omniauth_callbacks_controller.rb
@@ -21,7 +21,7 @@ class <%= @scope_prefix %>OmniauthCallbacksController < Devise::OmniauthCallback

  # protected

-  # The path used when omniauth fails
+  # The path used when OmniAuth fails
  # def after_omniauth_failure_path_for(scope)
  #   super(scope)
  # end
--- a/lib/generators/templates/controllers/registrations_controller.rb
+++ b/lib/generators/templates/controllers/registrations_controller.rb
@@ -38,12 +38,12 @@ class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsControl

  # protected

-  # You can put the params you want to permit in the empty array.
+  # If you have extra params to permit, append them to the sanitizer.
  # def configure_sign_up_params
  #   devise_parameter_sanitizer.for(:sign_up) << :attribute
  # end

-  # You can put the params you want to permit in the empty array.
+  # If you have extra params to permit, append them to the sanitizer.
  # def configure_account_update_params
  #   devise_parameter_sanitizer.for(:account_update) << :attribute
  # end
--- a/lib/generators/templates/controllers/sessions_controller.rb
+++ b/lib/generators/templates/controllers/sessions_controller.rb
@@ -18,7 +18,7 @@ class <%= @scope_prefix %>SessionsController < Devise::SessionsController

  # protected

-  # You can put the params you want to permit in the empty array.
+  # If you have extra params to permit, append them to the sanitizer.
  # def configure_sign_in_params
  #   devise_parameter_sanitizer.for(:sign_in) << :attribute
  # end
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -4,6 +4,8 @@ Devise.setup do |config|
  # The secret key used by Devise. Devise uses this key to generate
  # random tokens. Changing this key will render invalid all existing
  # confirmation, reset password and unlock tokens in the database.
+  # Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`
+  # by default. You can change it below and use your own secret key.
 <% if  rails_4? -%>
  # config.secret_key = '<%= SecureRandom.hex(64) %>'
 <% else -%>
@@ -33,7 +35,7 @@ Devise.setup do |config|
  # session. If you need permissions, you should implement that in a before filter.
  # You can also supply a hash where the value is a boolean determining whether
  # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [ :email ]
+  # config.authentication_keys = [:email]

  # Configure parameters from the request object used for authentication. Each entry
  # given should be a request method and it will automatically be passed to the
@@ -45,12 +47,12 @@ Devise.setup do |config|
  # Configure which authentication keys should be case-insensitive.
  # These keys will be downcased upon creating or modifying a user and when used
  # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :email ]
+  config.case_insensitive_keys = [:email]

  # Configure which authentication keys should have whitespace stripped.
  # These keys will have whitespace before and after removed upon creating or
  # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]

  # Tell if authentication through request.params is enabled. True by default.
  # It can be set to an array that will enable params authentication only for the
@@ -126,7 +128,7 @@ Devise.setup do |config|
  config.reconfirmable = true

  # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]

  # ==> Configuration for :rememberable
  # The time the user will be remembered without asking for credentials again.
@@ -144,7 +146,7 @@ Devise.setup do |config|

  # ==> Configuration for :validatable
  # Range for password length.
-  config.password_length = 8..128
+  config.password_length = 8..72

  # Email regex used to validate email formats. It simply asserts that
  # one (and only one) @ exists in the given string. This is mainly
@@ -166,7 +168,7 @@ Devise.setup do |config|
  # config.lock_strategy = :failed_attempts

  # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]

  # Defines which strategy will be used to unlock an account.
  # :email = Sends an unlock link to the user email
@@ -188,13 +190,17 @@ Devise.setup do |config|
  # ==> Configuration for :recoverable
  #
  # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]

  # Time interval you can reset your password with a reset password key.
  # Don't put a too small interval or your users won't have the time to
  # change their passwords.
  config.reset_password_within = 6.hours

+  # When set to false, does not sign a user in automatically after their password is
+  # reset. Defaults to true, so a user is signed in automatically after a reset.
+  # config.sign_in_after_reset_password = true
+
  # ==> Configuration for :encryptable
  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
@@ -257,7 +263,7 @@ Devise.setup do |config|
  # The router that invoked `devise_for`, in the example above, would be:
  # config.router_name = :my_engine
  #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
+  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
  # so you need to do it manually. For the users scope, it would be:
  # config.omniauth_path_prefix = '/my_engine/users/auth'
 end
--- a/lib/generators/templates/simple_form_for/passwords/edit.html.erb
+++ b/lib/generators/templates/simple_form_for/passwords/edit.html.erb
@@ -7,7 +7,7 @@
  <%= f.full_error :reset_password_token %>

  <div class="form-inputs">
-    <%= f.input :password, label: "New password", required: true, autofocus: true %>
+    <%= f.input :password, label: "New password", required: true, autofocus: true, hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length) %>
    <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
  </div>

--- a/lib/generators/templates/simple_form_for/registrations/new.html.erb
+++ b/lib/generators/templates/simple_form_for/registrations/new.html.erb
@@ -5,7 +5,7 @@

  <div class="form-inputs">
    <%= f.input :email, required: true, autofocus: true %>
-    <%= f.input :password, required: true, hint: ("#{@minimum_password_length} characters minimum" if @validatable) %>
+    <%= f.input :password, required: true, hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length) %>
    <%= f.input :password_confirmation, required: true %>
  </div>

--- a/test/controllers/custom_registrations_controller_test.rb
+++ b/test/controllers/custom_registrations_controller_test.rb
@@ -8,7 +8,7 @@ class CustomRegistrationsControllerTest < ActionController::TestCase
  setup do
    request.env["devise.mapping"] = Devise.mappings[:user]
    @password = 'password'
-    @user = create_user(password: @password, password_confirmation: @password).tap(&:confirm!)
+    @user = create_user(password: @password, password_confirmation: @password).tap(&:confirm)
  end

  test "yield resource to block on create success" do
@@ -32,4 +32,9 @@ class CustomRegistrationsControllerTest < ActionController::TestCase
    put :update, { user: { } }
    assert @controller.update_block_called?, "update failed to yield resource to provided block"
  end
+
+  test "yield resource to block on new" do
+    get :new
+    assert @controller.new_block_called?, "new failed to yield resource to provided block"
+  end
 end
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@@ -245,6 +245,11 @@ class ControllerAuthenticatableTest < ActionController::TestCase
    assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)
  end

+  test 'store location for stores fragments' do
+    @controller.store_location_for(:user, "/foo#bar")
+    assert_equal "/foo#bar", @controller.stored_location_for(:user)
+  end
+
  test 'after sign in path defaults to root path if none by was specified for the given scope' do
    assert_equal root_path, @controller.after_sign_in_path_for(:user)
  end
--- a/test/controllers/inherited_controller_i18n_messages_test.rb
+++ b/test/controllers/inherited_controller_i18n_messages_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+
+class SessionsInheritedController < Devise::SessionsController
+  def test_i18n_scope
+    set_flash_message(:notice, :signed_in)
+  end
+end
+
+class AnotherInheritedController < SessionsInheritedController
+  protected
+
+  def translation_scope
+    'another'
+  end
+end
+
+class InheritedControllerTest < ActionController::TestCase
+  tests SessionsInheritedController
+
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+    @controller.request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  test 'I18n scope is inherited from Devise::Sessions' do
+    I18n.expects(:t).with do |message, options|
+      message == 'user.signed_in' &&
+        options[:scope] == 'devise.sessions'
+    end
+    @controller.test_i18n_scope
+  end
+end
+
+class AnotherInheritedControllerTest < ActionController::TestCase
+  tests AnotherInheritedController
+
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+    @controller.request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  test 'I18n scope is overridden' do
+    I18n.expects(:t).with do |message, options|
+      message == 'user.signed_in' &&
+        options[:scope] == 'another'
+    end
+    @controller.test_i18n_scope
+  end
+end
--- a/test/controllers/internal_helpers_test.rb
+++ b/test/controllers/internal_helpers_test.rb
@@ -13,16 +13,16 @@ class HelpersTest < ActionController::TestCase
  end

  test 'get resource name from env' do
-    assert_equal :user, @controller.resource_name
+    assert_equal :user, @controller.send(:resource_name)
  end

  test 'get resource class from env' do
-    assert_equal User, @controller.resource_class
+    assert_equal User, @controller.send(:resource_class)
  end

  test 'get resource instance variable from env' do
    @controller.instance_variable_set(:@user, user = User.new)
-    assert_equal user, @controller.resource
+    assert_equal user, @controller.send(:resource)
  end

  test 'set resource instance variable from env' do
@@ -80,7 +80,7 @@ class HelpersTest < ActionController::TestCase

  test 'signed in resource returns signed in resource for current scope' do
    @mock_warden.expects(:authenticate).with(scope: :user).returns(User.new)
-    assert_kind_of User, @controller.signed_in_resource
+    assert_kind_of User, @controller.send(:signed_in_resource)
  end

  test 'is a devise controller' do
@@ -99,6 +99,12 @@ class HelpersTest < ActionController::TestCase
    assert_equal 'non-blank', flash[:notice]
  end

+  test 'issues non-blank flash.now messages normally' do
+    I18n.stubs(:t).returns('non-blank')
+    @controller.send :set_flash_message, :notice, :send_instructions, { now: true }
+    assert_equal 'non-blank', flash.now[:notice]
+  end
+
  test 'uses custom i18n options' do
    @controller.stubs(:devise_i18n_options).returns(default: "devise custom options")
    @controller.send :set_flash_message, :notice, :invalid_i18n_messagesend_instructions
--- a/test/controllers/load_hooks_controller_test.rb
+++ b/test/controllers/load_hooks_controller_test.rb
@@ -0,0 +1,19 @@
+require 'test_helper'
+
+class LoadHooksControllerTest < ActionController::TestCase
+  setup do
+    ActiveSupport.on_load(:devise_controller) do
+      define_method :defined_by_load_hook do
+        puts 'I am defined dynamically by activesupport load hook'
+      end
+    end
+  end
+
+  teardown do
+    DeviseController.class_eval { undef :defined_by_load_hook }
+  end
+
+  test 'load hook called when controller is loaded' do
+    assert DeviseController.instance_methods.include? :defined_by_load_hook
+  end
+end
--- a/test/controllers/passwords_controller_test.rb
+++ b/test/controllers/passwords_controller_test.rb
@@ -6,7 +6,7 @@ class PasswordsControllerTest < ActionController::TestCase

  setup do
    request.env["devise.mapping"] = Devise.mappings[:user]
-    @user = create_user.tap(&:confirm!)
+    @user = create_user.tap(&:confirm)
    @raw  = @user.send_reset_password_instructions
  end

--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -36,7 +36,7 @@ class SessionsControllerTest < ActionController::TestCase
    request.session["user_return_to"] = 'foo.bar'

    user = create_user
-    user.confirm!
+    user.confirm
    post :create, user: {
      email: user.email,
      password: user.password
@@ -50,7 +50,7 @@ class SessionsControllerTest < ActionController::TestCase
    request.session["user_return_to"] = 'foo.bar'

    user = create_user
-    user.confirm!
+    user.confirm
    post :create, format: 'json', user: {
      email: user.email,
      password: user.password
@@ -72,7 +72,7 @@ class SessionsControllerTest < ActionController::TestCase
  test "#destroy doesn't set the flash if the requested format is not navigational" do
    request.env["devise.mapping"] = Devise.mappings[:user]
    user = create_user
-    user.confirm!
+    user.confirm
    post :create, format: 'json', user: {
      email: user.email,
      password: user.password
--- a/test/devise_test.rb
+++ b/test/devise_test.rb
@@ -14,11 +14,11 @@ class DeviseTest < ActiveSupport::TestCase
  test 'bcrypt on the class' do
    password = "super secret"
    klass    = Struct.new(:pepper, :stretches).new("blahblah", 2)
-    hash     = Devise.bcrypt(klass, password)
+    hash     = Devise::Encryptor.digest(klass, password)
    assert_equal ::BCrypt::Password.create(hash), hash

    klass    = Struct.new(:pepper, :stretches).new("bla", 2)
-    hash     = Devise.bcrypt(klass, password)
+    hash     = Devise::Encryptor.digest(klass, password)
    assert_not_equal ::BCrypt::Password.new(hash), hash
  end

--- a/test/failure_app_test.rb
+++ b/test/failure_app_test.rb
@@ -26,6 +26,22 @@ class FailureTest < ActiveSupport::TestCase
    end
  end

+  class FakeEngineApp < Devise::FailureApp
+    class FakeEngine
+      def new_user_on_engine_session_url _
+        '/user_on_engines/sign_in'
+      end
+    end
+
+    def main_app
+      raise 'main_app router called instead of fake_engine'
+    end
+
+    def fake_engine
+      @fake_engine ||= FakeEngine.new
+    end
+  end
+
  def self.context(name, &block)
    instance_eval(&block)
  end
@@ -85,6 +101,13 @@ class FailureTest < ActiveSupport::TestCase
      end
    end

+    test 'returns to the default redirect location considering the router for supplied scope' do
+      call_failure app: FakeEngineApp, 'warden.options' => { scope: :user_on_engine }
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/user_on_engines/sign_in', @response.second['Location']
+    end
+
    if Rails.application.config.respond_to?(:relative_url_root)
      test 'returns to the default redirect location considering the relative url root' do
        swap Rails.application.config, relative_url_root: "/sample" do
@@ -109,6 +132,13 @@ class FailureTest < ActiveSupport::TestCase
      assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
    end

+    test 'supports authentication_keys as a Hash for the flash message' do
+      swap Devise, authentication_keys: { email: true, login: true } do
+        call_failure('warden' => OpenStruct.new(message: :invalid))
+        assert_equal 'Invalid email, login or password.', @request.flash[:alert]
+      end
+    end
+
    test 'uses custom i18n options' do
      call_failure('warden' => OpenStruct.new(message: :does_not_exist), app: FailureWithI18nOptions)
      assert_equal 'User Steve does not exist', @request.flash[:alert]
--- a/test/integration/database_authenticatable_test.rb
+++ b/test/integration/database_authenticatable_test.rb
@@ -81,4 +81,15 @@ class DatabaseAuthenticationTest < ActionDispatch::IntegrationTest
      assert_contain 'Invalid credentials'
    end
  end
+
+  test 'valid sign in calls after_database_authentication callback' do
+    user = create_user(email: ' foo@bar.com ')
+
+    User.expects(:find_for_database_authentication).returns user
+    user.expects :after_database_authentication
+
+    sign_in_as_user do
+      fill_in 'email', with: 'foo@bar.com'
+    end
+  end
 end
--- a/test/integration/omniauthable_test.rb
+++ b/test/integration/omniauthable_test.rb
@@ -121,7 +121,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
    assert_contain 'Could not authenticate you from Facebook because "Access denied".'
  end

-  test "handles other exceptions from omniauth" do
+  test "handles other exceptions from OmniAuth" do
    OmniAuth.config.mock_auth[:facebook] = :invalid_credentials

    visit "/users/sign_in"
--- a/test/integration/recoverable_test.rb
+++ b/test/integration/recoverable_test.rb
@@ -197,6 +197,19 @@ class PasswordTest < ActionDispatch::IntegrationTest
    assert warden.authenticated?(:user)
  end

+  test 'does not sign in user automatically after changing its password if config.sign_in_after_reset_password is false' do
+    swap Devise, sign_in_after_reset_password: false do
+      create_user
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully.'
+      assert_not_contain 'You are now signed in.'
+      assert_equal new_user_session_path, @request.path
+      assert !warden.authenticated?(:user)
+    end
+  end
+
  test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
    [:none, :time].each do |strategy|
      swap Devise, unlock_strategy: strategy do
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@@ -164,4 +164,13 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    get users_path
    assert_not warden.authenticated?(:user)
  end
+
+  test 'valid sign in calls after_remembered callback' do
+    user = create_user_and_remember
+
+    User.expects(:serialize_from_cookie).returns user
+    user.expects :after_remembered
+
+    get new_user_registration_path
+  end
 end
--- a/test/mapping_test.rb
+++ b/test/mapping_test.rb
@@ -71,6 +71,12 @@ class MappingTest < ActiveSupport::TestCase
    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
  end

+  test 'find scope uses devise_scope' do
+    user = User.new
+    def user.devise_scope; :special_scope; end
+    assert_equal :special_scope, Devise::Mapping.find_scope!(user)
+  end
+
  test 'find scope raises an error if cannot be found' do
    assert_raise RuntimeError do
      Devise::Mapping.find_scope!(String)
--- a/test/models/confirmable_test.rb
+++ b/test/models/confirmable_test.rb
@@ -23,31 +23,24 @@ class ConfirmableTest < ActiveSupport::TestCase
  test 'should confirm a user by updating confirmed at' do
    user = create_user
    assert_nil user.confirmed_at
-    assert user.confirm!
+    assert user.confirm
    assert_not_nil user.confirmed_at
  end

-  test 'should clear confirmation token while confirming a user' do
-    user = create_user
-    assert_present user.confirmation_token
-    user.confirm!
-    assert_nil user.confirmation_token
-  end
-
  test 'should verify whether a user is confirmed or not' do
    assert_not new_user.confirmed?
    user = create_user
    assert_not user.confirmed?
-    user.confirm!
+    user.confirm
    assert user.confirmed?
  end

  test 'should not confirm a user already confirmed' do
    user = create_user
-    assert user.confirm!
+    assert user.confirm
    assert_blank user.errors[:email]

-    assert_not user.confirm!
+    assert_not user.confirm
    assert_equal "was already confirmed, please try signing in", user.errors[:email].join
  end

@@ -80,6 +73,16 @@ class ConfirmableTest < ActiveSupport::TestCase
    assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
  end

+  test 'should show error when a token has already been used' do
+    user = create_user
+    raw  = user.raw_confirmation_token
+    User.confirm_by_token(raw)
+    assert user.reload.confirmed?
+
+    confirmed_user = User.confirm_by_token(raw)
+    assert_equal "was already confirmed, please try signing in", confirmed_user.errors[:email].join
+  end
+
  test 'should send confirmation instructions by email' do
    assert_email_sent "mynewuser@example.com" do
      create_user email: "mynewuser@example.com"
@@ -165,18 +168,19 @@ class ConfirmableTest < ActiveSupport::TestCase

  test 'should not reset confirmation status or token when updating email' do
    user = create_user
-    user.confirm!
+    original_token = user.confirmation_token
+    user.confirm
    user.email = 'new_test@example.com'
    user.save!

    user.reload
    assert user.confirmed?
-    assert_nil user.confirmation_token
+    assert_equal original_token, user.confirmation_token
  end

  test 'should not be able to send instructions if the user is already confirmed' do
    user = create_user
-    user.confirm!
+    user.confirm
    assert_not user.resend_confirmation_instructions
    assert user.confirmed?
    assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
@@ -211,7 +215,7 @@ class ConfirmableTest < ActiveSupport::TestCase
    assert_not user.confirmed?
    assert_not user.active_for_authentication?

-    user.confirm!
+    user.confirm
    assert user.confirmed?
    assert user.active_for_authentication?
  end
@@ -219,14 +223,14 @@ class ConfirmableTest < ActiveSupport::TestCase
  test 'should not be active when confirm in is zero' do
    Devise.allow_unconfirmed_access_for = 0.days
    user = create_user
-    user.confirmation_sent_at = Date.today
+    user.confirmation_sent_at = Time.zone.today
    assert_not user.active_for_authentication?
  end

  test 'should be active when we set allow_unconfirmed_access_for to nil' do
    swap Devise, allow_unconfirmed_access_for: nil do
      user = create_user
-      user.confirmation_sent_at = Date.today
+      user.confirmation_sent_at = Time.zone.today
      assert user.active_for_authentication?
    end
  end
@@ -301,43 +305,52 @@ class ConfirmableTest < ActiveSupport::TestCase
      self.username = self.username.to_s + 'updated'
    end
    old = user.username
-    assert user.confirm!
+    assert user.confirm
    assert_not_equal user.username, old
  end

  test 'should not call after_confirmation if not confirmed' do
    user = create_user
-    assert user.confirm!
+    assert user.confirm
    user.define_singleton_method :after_confirmation do
      self.username = self.username.to_s + 'updated'
    end
    old = user.username
-    assert_not user.confirm!
+    assert_not user.confirm
    assert_equal user.username, old
  end
+
+  test 'should always perform validations upon confirm when ensure valid true' do
+    admin = create_admin
+    admin.stubs(:valid?).returns(false)
+    assert_not admin.confirm(ensure_valid: true)
+  end
 end

 class ReconfirmableTest < ActiveSupport::TestCase
  test 'should not worry about validations on confirm even with reconfirmable' do
    admin = create_admin
    admin.reset_password_token = "a"
-    assert admin.confirm!
+    assert admin.confirm
  end

  test 'should generate confirmation token after changing email' do
    admin = create_admin
-    assert admin.confirm!
-    assert_nil admin.confirmation_token
+    assert admin.confirm
+    residual_token = admin.confirmation_token
    assert admin.update_attributes(email: 'new_test@example.com')
-    assert_not_nil admin.confirmation_token
+    assert_not_equal residual_token, admin.confirmation_token
  end

-  test 'should not generate confirmation token if skipping reconfirmation after changing email' do
+  test 'should not regenerate confirmation token or require reconfirmation if skipping reconfirmation after changing email' do
    admin = create_admin
-    assert admin.confirm!
+    original_token = admin.confirmation_token
+    assert admin.confirm
    admin.skip_reconfirmation!
    assert admin.update_attributes(email: 'new_test@example.com')
-    assert_nil admin.confirmation_token
+    assert admin.confirmed?
+    assert_not admin.pending_reconfirmation?
+    assert_equal original_token, admin.confirmation_token
  end

  test 'should skip sending reconfirmation email when email is changed and skip_confirmation_notification! is invoked' do
@@ -351,7 +364,7 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should regenerate confirmation token after changing email' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert admin.update_attributes(email: 'old_test@example.com')
    token = admin.confirmation_token
    assert admin.update_attributes(email: 'new_test@example.com')
@@ -360,7 +373,7 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should send confirmation instructions by email after changing email' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert_email_sent "new_test@example.com" do
      assert admin.update_attributes(email: 'new_test@example.com')
    end
@@ -369,7 +382,7 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should not send confirmation by email after changing password' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert_email_not_sent do
      assert admin.update_attributes(password: 'newpass', password_confirmation: 'newpass')
    end
@@ -377,7 +390,7 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should not send confirmation by email after changing to a blank email' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert_email_not_sent do
      admin.email = ''
      admin.save(validate: false)
@@ -386,23 +399,23 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should stay confirmed when email is changed' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert admin.update_attributes(email: 'new_test@example.com')
    assert admin.confirmed?
  end

  test 'should update email only when it is confirmed' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert admin.update_attributes(email: 'new_test@example.com')
    assert_not_equal 'new_test@example.com', admin.email
-    assert admin.confirm!
+    assert admin.confirm
    assert_equal 'new_test@example.com', admin.email
  end

  test 'should not allow admin to get past confirmation email by resubmitting their new address' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert admin.update_attributes(email: 'new_test@example.com')
    assert_not_equal 'new_test@example.com', admin.email
    assert admin.update_attributes(email: 'new_test@example.com')
@@ -411,7 +424,7 @@ class ReconfirmableTest < ActiveSupport::TestCase

  test 'should find a admin by send confirmation instructions with unconfirmed_email' do
    admin = create_admin
-    assert admin.confirm!
+    assert admin.confirm
    assert admin.update_attributes(email: 'new_test@example.com')
    confirmation_admin = Admin.send_confirmation_instructions(email: admin.unconfirmed_email)
    assert_equal confirmation_admin, admin
--- a/test/models/lockable_test.rb
+++ b/test/models/lockable_test.rb
@@ -7,7 +7,7 @@ class LockableTest < ActiveSupport::TestCase

  test "should respect maximum attempts configuration" do
    user = create_user
-    user.confirm!
+    user.confirm
    swap Devise, maximum_attempts: 2 do
      2.times { user.valid_for_authentication?{ false } }
      assert user.reload.access_locked?
@@ -16,7 +16,7 @@ class LockableTest < ActiveSupport::TestCase

  test "should increment failed_attempts on successfull validation if the user is already locked" do
    user = create_user
-    user.confirm!
+    user.confirm

    swap Devise, maximum_attempts: 2 do
      2.times { user.valid_for_authentication?{ false } }
@@ -29,7 +29,7 @@ class LockableTest < ActiveSupport::TestCase

  test "should not touch failed_attempts if lock_strategy is none" do
    user = create_user
-    user.confirm!
+    user.confirm
    swap Devise, lock_strategy: :none, maximum_attempts: 2 do
      3.times { user.valid_for_authentication?{ false } }
      assert !user.access_locked?
@@ -53,7 +53,7 @@ class LockableTest < ActiveSupport::TestCase

  test "active_for_authentication? should be the opposite of locked?" do
    user = create_user
-    user.confirm!
+    user.confirm
    assert user.active_for_authentication?
    user.lock_access!
    assert_not user.active_for_authentication?
@@ -230,7 +230,7 @@ class LockableTest < ActiveSupport::TestCase
  test 'should unlock account if lock has expired and increase attempts on failure' do
    swap Devise, unlock_in: 1.minute do
      user = create_user
-      user.confirm!
+      user.confirm

      user.failed_attempts = 2
      user.locked_at = 2.minutes.ago
@@ -243,7 +243,7 @@ class LockableTest < ActiveSupport::TestCase
  test 'should unlock account if lock has expired on success' do
    swap Devise, unlock_in: 1.minute do
      user = create_user
-      user.confirm!
+      user.confirm

      user.failed_attempts = 2
      user.locked_at = 2.minutes.ago
--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
@@ -23,13 +23,13 @@ class RecoverableTest < ActiveSupport::TestCase

  test 'should reset password and password confirmation from params' do
    user = create_user
-    user.reset_password!('123456789', '987654321')
+    user.reset_password('123456789', '987654321')
    assert_equal '123456789', user.password
    assert_equal '987654321', user.password_confirmation
  end

  test 'should reset password and save the record' do
-    assert create_user.reset_password!('123456789', '123456789')
+    assert create_user.reset_password('123456789', '123456789')
  end

  test 'should clear reset password token while reseting the password' do
@@ -38,7 +38,7 @@ class RecoverableTest < ActiveSupport::TestCase

    user.send_reset_password_instructions
    assert_present user.reset_password_token
-    assert user.reset_password!('123456789', '123456789')
+    assert user.reset_password('123456789', '123456789')
    assert_nil user.reset_password_token
  end

@@ -46,14 +46,14 @@ class RecoverableTest < ActiveSupport::TestCase
    user = create_user
    user.send_reset_password_instructions
    assert_present user.reset_password_token
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
    assert_present user.reset_password_token
  end

  test 'should not reset password with invalid data' do
    user = create_user
    user.stubs(:valid?).returns(false)
-    assert_not user.reset_password!('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
  end

  test 'should reset reset password token and send instructions by email' do
@@ -135,6 +135,7 @@ class RecoverableTest < ActiveSupport::TestCase
    reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '')
    assert_not reset_password_user.errors.empty?
    assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_equal raw, reset_password_user.reset_password_token
  end

  test 'should reset successfully user password given the new password and confirmation' do
@@ -142,15 +143,17 @@ class RecoverableTest < ActiveSupport::TestCase
    old_password = user.password
    raw  = user.send_reset_password_instructions

-    User.reset_password_by_token(
+    reset_password_user = User.reset_password_by_token(
      reset_password_token: raw,
      password: 'new_password',
      password_confirmation: 'new_password'
    )
-    user.reload
+    assert_nil reset_password_user.reset_password_token

+    user.reload
    assert_not user.valid_password?(old_password)
    assert user.valid_password?('new_password')
+    assert_nil user.reset_password_token
  end

  test 'should not reset password after reset_password_within time' do
@@ -189,6 +192,12 @@ class RecoverableTest < ActiveSupport::TestCase
    assert_equal User.with_reset_password_token(raw), user
  end

+  test 'should return the same reset password token as generated' do
+    user = create_user
+    raw  = user.send_reset_password_instructions
+    assert_equal Devise.token_generator.digest(self.class, :reset_password_token, raw), user.reset_password_token
+  end
+
  test 'should return nil if a user based on the raw token is not found' do
    assert_equal User.with_reset_password_token('random-token'), nil
  end
--- a/test/models/validatable_test.rb
+++ b/test/models/validatable_test.rb
@@ -92,10 +92,10 @@ class ValidatableTest < ActiveSupport::TestCase
    assert_equal 'is too short (minimum is 7 characters)', user.errors[:password].join
  end

-  test 'should require a password with maximum of 128 characters long' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+  test 'should require a password with maximum of 72 characters long' do
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
    assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
  end

  test 'should not require password length when it\'s not changed' do
@@ -109,10 +109,10 @@ class ValidatableTest < ActiveSupport::TestCase
  end

  test 'should complain about length even if password is not required' do
-    user = new_user(password: 'x'*129, password_confirmation: 'x'*129)
+    user = new_user(password: 'x'*73, password_confirmation: 'x'*73)
    user.stubs(:password_required?).returns(false)
    assert user.invalid?
-    assert_equal 'is too long (maximum is 128 characters)', user.errors[:password].join
+    assert_equal 'is too long (maximum is 72 characters)', user.errors[:password].join
  end

  test 'should not be included in objects with invalid API' do
--- a/test/rails_app/app/controllers/custom/registrations_controller.rb
+++ b/test/rails_app/app/controllers/custom/registrations_controller.rb
@@ -1,4 +1,10 @@
 class Custom::RegistrationsController < Devise::RegistrationsController
+  def new
+    super do |resource|
+      @new_block_called = true
+    end
+  end
+
  def create
    super do |resource|
      @create_block_called = true
@@ -18,4 +24,8 @@ class Custom::RegistrationsController < Devise::RegistrationsController
  def update_block_called?
    @update_block_called == true
  end
+
+  def new_block_called?
+    @new_block_called == true
+  end
 end
--- a/test/rails_app/config/application.rb
+++ b/test/rails_app/config/application.rb
@@ -17,7 +17,7 @@ module RailsApp
  class Application < Rails::Application
    # Add additional load paths for your own custom dirs
    config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
-    config.autoload_paths += [ "#{config.root}/app/#{DEVISE_ORM}" ]
+    config.autoload_paths += ["#{config.root}/app/#{DEVISE_ORM}"]

    # Configure generators values. Many other options are available, be sure to check the documentation.
    # config.generators do |g|
--- a/test/rails_app/config/environments/production.rb
+++ b/test/rails_app/config/environments/production.rb
@@ -20,7 +20,11 @@ RailsApp::Application.configure do
  # config.action_dispatch.rack_cache = true

  # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  if Rails.version >= "4.2.0"
+    config.serve_static_files = false
+  else
+    config.serve_static_assets = false
+  end

  # Compress JavaScripts and CSS.
  config.assets.js_compressor  = :uglifier
@@ -46,7 +50,7 @@ RailsApp::Application.configure do
  config.log_level = :info

  # Prepend all log lines with the following tags.
-  # config.log_tags = [ :subdomain, :uuid ]
+  # config.log_tags = [:subdomain, :uuid]

  # Use a different logger for distributed setups.
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
--- a/test/rails_app/config/environments/test.rb
+++ b/test/rails_app/config/environments/test.rb
@@ -12,8 +12,13 @@ RailsApp::Application.configure do
  # preloads Rails for running tests, you may have to set it to true.
  config.eager_load = false

-  # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_assets = true
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  if Rails.version >= "4.2.0"
+    config.serve_static_files = true
+  else
+    config.serve_static_assets = true
+  end
  config.static_cache_control = "public, max-age=3600"

  # Show full error reports and disable caching.
--- a/test/rails_app/config/initializers/devise.rb
+++ b/test/rails_app/config/initializers/devise.rb
@@ -31,7 +31,7 @@ Devise.setup do |config|
  # session. If you need permissions, you should implement that in a before filter.
  # You can also supply hash where the value is a boolean expliciting if authentication
  # should be aborted or not if the value is not present. By default is empty.
-  # config.authentication_keys = [ :email ]
+  # config.authentication_keys = [:email]

  # Configure parameters from the request object used for authentication. Each entry
  # given should be a request method and it will automatically be passed to
@@ -43,12 +43,12 @@ Devise.setup do |config|
  # Configure which authentication keys should be case-insensitive.
  # These keys will be downcased upon creating or modifying a user and when used
  # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :email ]
+  config.case_insensitive_keys = [:email]

  # Configure which authentication keys should have whitespace stripped.
  # These keys will have whitespace before and after removed upon creating or
  # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]

  # Tell if authentication through request.params is enabled. True by default.
  # config.params_authenticatable = true
@@ -77,21 +77,18 @@ Devise.setup do |config|
  # config.allow_unconfirmed_access_for = 2.days

  # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]

  # ==> Configuration for :rememberable
  # The time the user will be remembered without asking for credentials again.
  # config.remember_for = 2.weeks

-  # If true, a valid remember token can be re-used between multiple browsers.
-  # config.remember_across_browsers = true
-
  # If true, extends the user's remember period when remembered via cookie.
  # config.extend_remember_period = false

  # ==> Configuration for :validatable
-  # Range for password length. Default is 8..128.
-  # config.password_length = 8..128
+  # Range for password length. Default is 8..72.
+  # config.password_length = 8..72

  # Regex to use to validate the email address
  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
@@ -108,7 +105,7 @@ Devise.setup do |config|
  # config.lock_strategy = :failed_attempts

  # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]

  # Defines which strategy will be used to unlock an account.
  # :email = Sends an unlock link to the user email
@@ -127,20 +124,20 @@ Devise.setup do |config|
  # ==> Configuration for :recoverable
  #
  # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]

  # Time interval you can reset your password with a reset password key.
  # Don't put a too small interval or your users won't have the time to
  # change their passwords.
  config.reset_password_within = 2.hours

+  # When set to false, does not sign a user in automatically after their password is
+  # reset. Defaults to true, so a user is signed in automatically after a reset.
+  # config.sign_in_after_reset_password = true
+
  # Setup a pepper to generate the encrypted password.
  config.pepper = "d142367154e5beacca404b1a6a4f8bc52c6fdcfa3ccc3cf8eb49f3458a688ee6ac3b9fae488432a3bfca863b8a90008368a9f3a3dfbe5a962e64b6ab8f3a3a1a"

-  # ==> Configuration for :token_authenticatable
-  # Defines name of the authentication token params key
-  # config.token_authentication_key = :auth_token
-
  # ==> Scopes configuration
  # Turn scoped views on. Before rendering "sessions/new", it will first check for
  # "users/sessions/new". It's turned off by default because it's slower if you
--- a/test/rails_app/lib/shared_user.rb
+++ b/test/rails_app/lib/shared_user.rb
@@ -4,7 +4,7 @@ module SharedUser
  included do
    devise :database_authenticatable, :confirmable, :lockable, :recoverable,
           :registerable, :rememberable, :timeoutable,
-           :trackable, :validatable, :omniauthable, password_length: 7..128
+           :trackable, :validatable, :omniauthable, password_length: 7..72

    attr_accessor :other_key

--- a/test/rails_test.rb
+++ b/test/rails_test.rb
@@ -0,0 +1,9 @@
+require 'test_helper'
+
+class RailsTest < ActiveSupport::TestCase
+  test 'correct initializer position' do
+    initializer = Devise::Engine.initializers.detect { |i| i.name == 'devise.omniauth' }
+    assert_equal :load_config_initializers, initializer.after
+    assert_equal :build_middleware_stack, initializer.before
+  end
+end
--- a/test/support/integration.rb
+++ b/test/support/integration.rb
@@ -15,7 +15,7 @@ class ActionDispatch::IntegrationTest
        created_at: Time.now.utc
      )
      user.update_attribute(:confirmation_sent_at, options[:confirmation_sent_at]) if options[:confirmation_sent_at]
-      user.confirm! unless options[:confirm] == false
+      user.confirm unless options[:confirm] == false
      user.lock_access! if options[:locked] == true
      user
    end
@@ -28,7 +28,7 @@ class ActionDispatch::IntegrationTest
        password: '123456', password_confirmation: '123456',
        active: options[:active]
      )
-      admin.confirm! unless options[:confirm] == false
+      admin.confirm unless options[:confirm] == false
      admin
    end
  end
--- a/test/test_helpers_test.rb
+++ b/test/test_helpers_test.rb
@@ -34,7 +34,7 @@ class TestHelpersTest < ActionController::TestCase

  test "does not redirect with valid user" do
    user = create_user
-    user.confirm!
+    user.confirm

    sign_in user
    get :index
@@ -46,7 +46,7 @@ class TestHelpersTest < ActionController::TestCase
    assert_response :redirect

    user = create_user
-    user.confirm!
+    user.confirm

    sign_in user
    get :index
@@ -55,7 +55,7 @@ class TestHelpersTest < ActionController::TestCase

  test "redirects if valid user signed out" do
    user = create_user
-    user.confirm!
+    user.confirm

    sign_in user
    get :index
@@ -105,7 +105,7 @@ class TestHelpersTest < ActionController::TestCase
      end

      user = create_user
-      user.confirm!
+      user.confirm
      sign_in user
    ensure
      Warden::Manager._after_set_user.pop
@@ -118,7 +118,7 @@ class TestHelpersTest < ActionController::TestCase
        flunk "callback was called while it should not"
      end
      user = create_user
-      user.confirm!
+      user.confirm

      sign_in user
      sign_out user
@@ -146,7 +146,7 @@ class TestHelpersTest < ActionController::TestCase

  test "allows to sign in with different users" do
    first_user = create_user
-    first_user.confirm!
+    first_user.confirm

    sign_in first_user
    get :index
@@ -154,10 +154,25 @@ class TestHelpersTest < ActionController::TestCase
    sign_out first_user

    second_user = create_user
-    second_user.confirm!
+    second_user.confirm

    sign_in second_user
    get :index
    assert_match /User ##{second_user.id}/, @response.body
  end
+
+  test "creates a new warden proxy if the request object has changed" do
+    old_warden_proxy = warden
+    @request = ActionController::TestRequest.new
+    new_warden_proxy = warden
+
+    assert_not_equal old_warden_proxy, new_warden_proxy
+  end
+
+  test "doesn't create a new warden proxy if the request object hasn't changed" do
+    old_warden_proxy = warden
+    new_warden_proxy = warden
+
+    assert_equal old_warden_proxy, new_warden_proxy
+  end
 end
--- a/test/test_models.rb
+++ b/test/test_models.rb
@@ -20,8 +20,8 @@ class UserWithCustomEncryption < User
 end

 class UserWithVirtualAttributes < User
-  devise case_insensitive_keys: [ :email, :email_confirmation ]
-  validates :email, presence: true, confirmation: {on: :create}
+  devise case_insensitive_keys: [:email, :email_confirmation]
+  validates :email, presence: true, confirmation: { on: :create }
 end

 class Several < Admin