Merge pull request #5043 from maestrano/increment-failed-attempts-concurency

Backport CVE-2019-5421 fix to 3.x

.travis.yml

@@ -38,8 +38,7 @@ script: "bundle exec rake test"
 
 notifications:
   email: false
-  campfire:
+  slack:
     on_success: change
     on_failure: always
-    rooms:
-      - secure: "TRiqvuM4i/QmRDWjUSNitE5/P91BOzDkNl53+bZjjtxcISCswZtmECWBR7n9\n3xwqCOU1o2lfohxZ32OHOj/Nj7o+90zWJfWxcv+if0hIXRiil62M5pg0lZUd\nyJ4M5VQ0lSWo5he1OUrXhSabPJeaK3B8yT/tdh+qO5yzR+vb/jc="
+    secure: Q3M+kmude3FjisibEeeGe0wSMXgvwLH+vL7Zrx9//q4QtkfnrQ/BBMvY9KXxPEsNF+eys4YopYjTkJ8uRmeboUATW/oQ4Jrv3+u3zkIHK2sFn/Q2cQWpK5w+CbgEnHPjKYnUu34b09njXTgDlr/mqtbPqrKeZ1dLlpKXCB/q4GY=

CHANGELOG.md

@@ -1,13 +1,65 @@
+### 3.5.10 - 2016-05-15
+
+* bug fixes
+  * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
+
+### 3.5.9 - 2016-05-02
+
+* bug fixes
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
+  and `:undefined` strategies. (by @f3ndot)
+
+### 3.5.8 - 2016-04-25
+
+* bug fixes
+  * Fix the e-mail confirmation instructions send when a user updates the email address from nil
+
+### 3.5.7 - 2016-04-18
+
+* bug fixes
+  * Fix the `extend_remember_period` configuration. When set to `false` it does
+    not update the cookie expiration anymore.(by @ulissesalmeida)
+
+### 3.5.6 - 2016-02-01
+
+* bug fixes
+  * Fix type coercion of the rememberable timestamp stored on cookies.
+
+### 3.5.5 - 2016-01-22
+
+* bug fixes
+  * Bring back remember_expired? implementation
+  * Ensure timeouts are not triggered if remember me is being used
+
+### 3.5.4 - 2016-01-18
+
+* bug fixes
+  * Store creation timestamps on remember cookies
+
+### 3.5.3 - 2015-12-10
+
+* bug fixes
+  * Fix password reset for records where `confirmation_required?` is disabled and
+    `confirmation_sent_at` is nil. (by @andygeers)
+  * Allow resources with no `email` field to be recoverable (and do not clear the
+    reset password token if the model was already persisted). (by @seddy, @stanhu)
+
+* enhancements
+  * Upon setting `Devise.send_password_change_notification = true` a user will receive notification when their password has been changed.
+
 ### 3.5.2 - 2015-08-10
 
 * enhancements
   * Perform case insensitive basic authorization matching
 
-* Big fixes
+* bug fixes
   * Do not use digests for password confirmation token
   * Fix infinite redirect in Rails 4.2 authenticated routes
   * Autoload Devise::Encryptor to avoid errors on thread-safe mode
 
+* deprecations
+  * `config.expire_auth_token_on_timeout` was removed
+
 ### 3.5.1 - 2015-05-24
 
 Note: 3.5.0 has been yanked due to a regression

CODE_OF_CONDUCT.md

@@ -0,0 +1,22 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [conduct@plataformatec.com.br](conduct@plataformatec.com.br) or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -8,6 +8,8 @@
 
 4) When reporting an issue, include Rails, Devise and Warden versions. If you are getting exceptions, please include the full backtrace.
 
+5) Notice that all of your interactions in the project are expected to follow our [Code of Conduct](CODE_OF_CONDUCT.md)
+
 That's it! The more information you give, the easier it becomes for us to track it down and fix it.
 Ideally, you should provide an application that reproduces the error or a test case to Devise's suite.
 

Gemfile

@@ -6,6 +6,7 @@ gem "rails", "4.2.2"
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
+gem "mime-types", "~> 2.99"
 
 group :test do
   gem "omniauth-facebook"

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.2)
+    devise (3.5.10)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -47,28 +47,29 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (6.0.0)
-    bcrypt (3.1.10)
-    bson (3.1.2)
+    arel (6.0.3)
+    bcrypt (3.1.11)
+    bson (3.2.6)
     builder (3.2.2)
+    concurrent-ruby (1.0.1)
     connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.5)
+    globalid (0.3.6)
       activesupport (>= 4.1.0)
-    hashie (3.4.0)
+    hashie (3.4.3)
     i18n (0.7.0)
     json (1.8.3)
-    jwt (1.4.1)
-    loofah (2.0.2)
+    jwt (1.5.4)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (2.6.1)
-    mini_portile (0.6.2)
-    minitest (5.7.0)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
     mongoid (4.0.2)
@@ -76,15 +77,15 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.6)
+    moped (2.0.7)
       bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.1)
+    multi_json (1.11.3)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -105,9 +106,9 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.6.2)
+    rack (1.6.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -126,34 +127,36 @@ GEM
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.6)
+    rails-dom-testing (1.0.7)
       activesupport (>= 4.2.0.beta, < 5.0)
       nokogiri (~> 1.6.0)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.2)
+    rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
     railties (4.2.2)
       actionpack (= 4.2.2)
       activesupport (= 4.2.2)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
-    responders (2.1.0)
-      railties (>= 4.2.0, < 5)
+    rake (11.1.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
+    responders (2.2.0)
+      railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (3.2.0)
-      rack (~> 1.0)
-    sprockets-rails (2.3.1)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sprockets (3.6.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.0.4)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -168,6 +171,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
+  mime-types (~> 2.99)
   mocha (~> 1.1)
   mongoid (~> 4.0)
   omniauth (~> 1.2.0)
@@ -180,4 +184,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.12.3

app/controllers/devise/passwords_controller.rb

@@ -43,6 +43,7 @@ class Devise::PasswordsController < DeviseController
       end
       respond_with resource, location: after_resetting_password_path_for(resource)
     else
+      set_minimum_password_length
       respond_with resource
     end
   end

app/controllers/devise/sessions_controller.rb

@@ -2,7 +2,7 @@ class Devise::SessionsController < DeviseController
   prepend_before_filter :require_no_authentication, only: [:new, :create]
   prepend_before_filter :allow_params_authentication!, only: :create
   prepend_before_filter :verify_signed_out_user, only: :destroy
-  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter(only: [:create, :destroy]) { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new

app/mailers/devise/mailer.rb

@@ -16,5 +16,9 @@ if defined?(ActionMailer)
       @token = token
       devise_mail(record, :unlock_instructions, opts)
     end
+
+    def password_change(record, opts={})
+      devise_mail(record, :password_change, opts)
+    end
   end
 end

app/views/devise/mailer/password_change.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

app/views/devise/shared/_links.html.erb

@@ -20,6 +20,6 @@
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
-    <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %><br />
+    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
   <% end -%>
 <% end -%>

config/locales/en.yml

@@ -23,6 +23,8 @@ en:
         subject: "Reset password instructions"
       unlock_instructions:
         subject: "Unlock instructions"
+      password_change:
+        subject: "Password Changed"
     omniauth_callbacks:
       failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
       success: "Successfully authenticated from %{kind} account."

gemfiles/Gemfile.rails-3.2-stable.lock

@@ -1,14 +1,14 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: b344986bc3d94ca7821fc5e0eef1874882ac6cbb
+  revision: f85bbed4cdc1bdfd1e0dbd97bce9db81e44cbd11
   branch: 3-2-stable
   specs:
-    actionmailer (3.2.21)
-      actionpack (= 3.2.21)
+    actionmailer (3.2.22.2)
+      actionpack (= 3.2.22.2)
       mail (~> 2.5.4)
-    actionpack (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
+    actionpack (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -16,31 +16,31 @@ GIT
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.21)
-      activesupport (= 3.2.21)
+    activemodel (3.2.22.2)
+      activesupport (= 3.2.22.2)
       builder (~> 3.0.0)
-    activerecord (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
+    activerecord (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-    activesupport (3.2.21)
+    activeresource (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
+    activesupport (3.2.22.2)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
-    rails (3.2.21)
-      actionmailer (= 3.2.21)
-      actionpack (= 3.2.21)
-      activerecord (= 3.2.21)
-      activeresource (= 3.2.21)
-      activesupport (= 3.2.21)
+    rails (3.2.22.2)
+      actionmailer (= 3.2.22.2)
+      actionpack (= 3.2.22.2)
+      activerecord (= 3.2.22.2)
+      activeresource (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       bundler (~> 1.0)
-      railties (= 3.2.21)
-    railties (3.2.21)
-      actionpack (= 3.2.21)
-      activesupport (= 3.2.21)
+      railties (= 3.2.22.2)
+    railties (3.2.22.2)
+      actionpack (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -49,7 +49,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.8)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -61,36 +61,36 @@ GEM
   remote: https://rubygems.org/
   specs:
     arel (3.0.3)
-    bcrypt (3.1.10)
+    bcrypt (3.1.11)
     builder (3.0.4)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.0)
+    hashie (3.4.3)
     hike (1.2.3)
     i18n (0.7.0)
     journey (1.0.4)
-    json (1.8.2)
-    jwt (1.4.1)
+    json (1.8.3)
+    jwt (1.5.4)
     mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.4)
     mime-types (1.25.1)
-    mini_portile (0.6.2)
+    mini_portile2 (2.0.0)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    mongoid (3.1.6)
+    mongoid (3.1.7)
       activemodel (~> 3.2)
       moped (~> 1.4)
       origin (~> 1.0)
       tzinfo (~> 0.3.29)
-    moped (1.5.2)
-    multi_json (1.11.0)
+    moped (1.5.3)
+    multi_json (1.11.3)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -113,8 +113,8 @@ GEM
     origin (1.1.0)
     orm_adapter (0.5.0)
     polyglot (0.3.5)
-    rack (1.4.5)
-    rack-cache (1.2)
+    rack (1.4.7)
+    rack-cache (1.6.1)
       rack (>= 0.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
@@ -123,7 +123,7 @@ GEM
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.4.2)
+    rake (11.1.2)
     rdoc (3.12.2)
       json (~> 1.4)
     responders (1.1.2)
@@ -134,15 +134,15 @@ GEM
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.10)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
     tilt (1.4.1)
     treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.43)
-    warden (1.2.3)
+    tzinfo (0.3.49)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -167,3 +167,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.11.2

gemfiles/Gemfile.rails-4.0-stable

@@ -6,6 +6,7 @@ gem "rails", github: 'rails/rails', branch: '4-0-stable'
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
+gem "mime-types", "~> 2.99"
 
 group :test do
   gem "omniauth-facebook"

gemfiles/Gemfile.rails-4.0-stable.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
+  revision: 9be9597e510d185ca7964d0a05b4ea2a7f2d50d1
   branch: 4-0-stable
   specs:
     actionmailer (4.0.13)
@@ -43,7 +43,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.8)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -54,24 +54,25 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activerecord-deprecated_finders (1.0.3)
+    activerecord-deprecated_finders (1.0.4)
     arel (4.0.2)
-    bcrypt (3.1.10)
-    bson (2.3.0)
+    bcrypt (3.1.11)
+    bson (3.2.6)
     builder (3.1.4)
-    connection_pool (2.1.3)
+    concurrent-ruby (1.0.1)
+    connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.3)
     i18n (0.7.0)
-    jwt (1.4.1)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    json (1.8.3)
+    jwt (1.5.4)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (2.4.3)
-    mini_portile (0.6.2)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
     minitest (4.7.5)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
@@ -80,15 +81,15 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.4)
-      bson (~> 2.2)
+    moped (2.0.7)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.3)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -109,34 +110,32 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.5.2)
+    rack (1.5.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
+    rake (11.1.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets (3.6.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
-    tzinfo (0.3.43)
-    warden (1.2.3)
+    tzinfo (0.3.49)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -151,6 +150,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
+  mime-types (~> 2.99)
   mocha (~> 1.1)
   mongoid (~> 4.0.0)
   omniauth (~> 1.2.0)
@@ -161,3 +161,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.11.2

gemfiles/Gemfile.rails-4.1-stable

@@ -6,6 +6,7 @@ gem "rails", github: 'rails/rails', branch: '4-1-stable'
 gem "omniauth", "~> 1.2.0"
 gem "omniauth-oauth2", "~> 1.1.0"
 gem "rdoc"
+gem "mime-types", "~> 2.99"
 
 group :test do
   gem "omniauth-facebook"

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -1,54 +1,54 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: bf32ec7b8611e6b4c7e9398f7d297a1f0221e9b9
+  revision: 41b4d81b4fd14cbf43060c223bea0f461256d099
   branch: 4-1-stable
   specs:
-    actionmailer (4.1.10)
-      actionpack (= 4.1.10)
-      actionview (= 4.1.10)
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.10)
-      actionview (= 4.1.10)
-      activesupport (= 4.1.10)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
       rack (~> 1.5.2)
       rack-test (~> 0.6.2)
-    actionview (4.1.10)
-      activesupport (= 4.1.10)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-    activemodel (4.1.10)
-      activesupport (= 4.1.10)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
       builder (~> 3.1)
-    activerecord (4.1.10)
-      activemodel (= 4.1.10)
-      activesupport (= 4.1.10)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
       arel (~> 5.0.0)
-    activesupport (4.1.10)
+    activesupport (4.1.15)
       i18n (~> 0.6, >= 0.6.9)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
-    rails (4.1.10)
-      actionmailer (= 4.1.10)
-      actionpack (= 4.1.10)
-      actionview (= 4.1.10)
-      activemodel (= 4.1.10)
-      activerecord (= 4.1.10)
-      activesupport (= 4.1.10)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.10)
+      railties (= 4.1.15)
       sprockets-rails (~> 2.0)
-    railties (4.1.10)
-      actionpack (= 4.1.10)
-      activesupport (= 4.1.10)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.8)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -60,24 +60,24 @@ GEM
   remote: https://rubygems.org/
   specs:
     arel (5.0.1.20140414130214)
-    bcrypt (3.1.10)
-    bson (2.3.0)
+    bcrypt (3.1.11)
+    bson (3.2.6)
     builder (3.2.2)
-    connection_pool (2.1.3)
+    concurrent-ruby (1.0.1)
+    connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.3)
     i18n (0.7.0)
-    json (1.8.2)
-    jwt (1.4.1)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    json (1.8.3)
+    jwt (1.5.4)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (2.4.3)
-    mini_portile (0.6.2)
-    minitest (5.5.1)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
     mongoid (4.0.2)
@@ -85,15 +85,15 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.4)
-      bson (~> 2.2)
+    moped (2.0.7)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.3)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -114,35 +114,33 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.5.2)
+    rack (1.5.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
+    rake (11.1.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets (3.6.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -157,6 +155,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
+  mime-types (~> 2.99)
   mocha (~> 1.1)
   mongoid (~> 4.0.0)
   omniauth (~> 1.2.0)
@@ -167,3 +166,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.11.2

gemfiles/Gemfile.rails-4.2-stable

@@ -6,6 +6,7 @@ gem "rails", github: 'rails/rails', branch: '4-2-stable'
 gem "omniauth", "~> 1.2.2"
 gem "omniauth-oauth2", "~> 1.2.0"
 gem "rdoc"
+gem "mime-types", "~> 2.99"
 
 group :test do
   gem "omniauth-facebook"

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -1,64 +1,64 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: f12ff8ddab7b199707ec36d72bd72f206f142c8b
+  revision: 2a1b655bb7db42ed0dbadab5bb129a8515e86a40
   branch: 4-2-stable
   specs:
-    actionmailer (4.2.1)
-      actionpack (= 4.2.1)
-      actionview (= 4.2.1)
-      activejob (= 4.2.1)
+    actionmailer (4.2.6)
+      actionpack (= 4.2.6)
+      actionview (= 4.2.6)
+      activejob (= 4.2.6)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.1)
-      actionview (= 4.2.1)
-      activesupport (= 4.2.1)
+    actionpack (4.2.6)
+      actionview (= 4.2.6)
+      activesupport (= 4.2.6)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.1)
-      activesupport (= 4.2.1)
+    actionview (4.2.6)
+      activesupport (= 4.2.6)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.1)
-      activesupport (= 4.2.1)
+    activejob (4.2.6)
+      activesupport (= 4.2.6)
       globalid (>= 0.3.0)
-    activemodel (4.2.1)
-      activesupport (= 4.2.1)
+    activemodel (4.2.6)
+      activesupport (= 4.2.6)
       builder (~> 3.1)
-    activerecord (4.2.1)
-      activemodel (= 4.2.1)
-      activesupport (= 4.2.1)
+    activerecord (4.2.6)
+      activemodel (= 4.2.6)
+      activesupport (= 4.2.6)
       arel (~> 6.0)
-    activesupport (4.2.1)
+    activesupport (4.2.6)
       i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    rails (4.2.1)
-      actionmailer (= 4.2.1)
-      actionpack (= 4.2.1)
-      actionview (= 4.2.1)
-      activejob (= 4.2.1)
-      activemodel (= 4.2.1)
-      activerecord (= 4.2.1)
-      activesupport (= 4.2.1)
+    rails (4.2.6)
+      actionmailer (= 4.2.6)
+      actionpack (= 4.2.6)
+      actionview (= 4.2.6)
+      activejob (= 4.2.6)
+      activemodel (= 4.2.6)
+      activerecord (= 4.2.6)
+      activesupport (= 4.2.6)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.1)
+      railties (= 4.2.6)
       sprockets-rails
-    railties (4.2.1)
-      actionpack (= 4.2.1)
-      activesupport (= 4.2.1)
+    railties (4.2.6)
+      actionpack (= 4.2.6)
+      activesupport (= 4.2.6)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.8)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -69,29 +69,29 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    arel (6.0.0)
-    bcrypt (3.1.10)
-    bson (2.3.0)
+    arel (6.0.3)
+    bcrypt (3.1.11)
+    bson (3.2.6)
     builder (3.2.2)
-    connection_pool (2.1.3)
+    concurrent-ruby (1.0.1)
+    connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.3)
+    globalid (0.3.6)
       activesupport (>= 4.1.0)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.3)
     i18n (0.7.0)
-    json (1.8.2)
-    jwt (1.4.1)
-    loofah (2.0.1)
+    json (1.8.3)
+    jwt (1.5.1)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
-    mime-types (2.4.3)
-    mini_portile (0.6.2)
-    minitest (5.5.1)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
     mongoid (4.0.2)
@@ -99,25 +99,25 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.4)
-      bson (~> 2.2)
+    moped (2.0.7)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.3)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
-    oauth2 (1.0.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    oauth2 (1.1.0)
       faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0)
+      jwt (~> 1.0, < 1.5.2)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
-      rack (~> 1.2)
+      rack (>= 1.2, < 3)
     omniauth (1.2.2)
       hashie (>= 1.2, < 4)
       rack (~> 1.0)
-    omniauth-facebook (2.0.1)
+    omniauth-facebook (3.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.2.0)
       faraday (>= 0.8, < 0.10)
@@ -128,9 +128,9 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.6.0)
+    rack (1.6.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -138,33 +138,31 @@ GEM
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.6)
+    rails-dom-testing (1.0.7)
       activesupport (>= 4.2.0.beta, < 5.0)
       nokogiri (~> 1.6.0)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.2)
+    rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
-    responders (2.1.0)
-      railties (>= 4.2.0, < 5)
+    rake (11.1.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
+    responders (2.1.2)
+      railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sprockets (3.6.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.0.4)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -179,6 +177,7 @@ DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
   devise!
   jruby-openssl
+  mime-types (~> 2.99)
   mocha (~> 1.1)
   mongoid (~> 4.0.0)
   omniauth (~> 1.2.2)
@@ -189,3 +188,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.11.2

lib/devise.rb

@@ -150,6 +150,10 @@ module Devise
   mattr_accessor :pepper
   @@pepper = nil
 
+  # Used to enable sending notification to user when their password is changed
+  mattr_accessor :send_password_change_notification
+  @@send_password_change_notification = false
+
   # Scoped views. Since it relies on fallbacks to render default views, it's
   # turned off by default.
   mattr_accessor :scoped_views
@@ -325,7 +329,12 @@ module Devise
     mapping
   end
 
-  # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
+  # Register available devise modules. For the standard modules that Devise provides, this method is
+  # called from lib/devise/modules.rb. Third-party modules need to be added explicitly using this method.
+  #
+  # Note that adding a module using this method does not cause it to be used in the authentication
+  # process. That requires that the module be listed in the arguments passed to the 'devise' method
+  # in the model class definition.
   #
   # == Options:
   #
@@ -433,8 +442,8 @@ module Devise
     Devise::Controllers::UrlHelpers.generate_helpers!
   end
 
-  # A method used internally to setup warden manager from the Rails initialize
-  # block.
+  # A method used internally to complete the setup of warden manager after routes are loaded.
+  # See lib/devise/rails/routes.rb - ActionDispatch::Routing::RouteSet#finalize_with_devise!
   def self.configure_warden! #:nodoc:
     @@warden_configured ||= begin
       warden_config.failure_app   = Devise::Delegator.new

lib/devise/controllers/helpers.rb

@@ -7,7 +7,9 @@ module Devise
       include Devise::Controllers::StoreLocation
 
       included do
-        helper_method :warden, :signed_in?, :devise_controller?
+        if respond_to?(:helper_method)
+          helper_method :warden, :signed_in?, :devise_controller?
+        end
       end
 
       module ClassMethods
@@ -69,7 +71,9 @@ module Devise
               end.compact
             end
 
-            helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+            if respond_to?(:helper_method)
+              helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+            end
           METHODS
         end
 
@@ -126,7 +130,9 @@ module Devise
         METHODS
 
         ActiveSupport.on_load(:action_controller) do
-          helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+          if respond_to?(:helper_method)
+            helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+          end
         end
       end
 
@@ -190,10 +196,10 @@ module Devise
       # root path. For a user scope, you can define the default url in
       # the following way:
       #
-      #   map.user_root '/users', controller: 'users' # creates user_root_path
+      #   get '/users' => 'users#index', as: :user_root # creates user_root_path
       #
-      #   map.namespace :user do |user|
-      #     user.root controller: 'users' # creates user_root_path
+      #   namespace :user do
+      #     root 'users#index' # creates user_root_path
       #   end
       #
       # If the resource root path is not defined, root_path is used. However,

lib/devise/controllers/rememberable.rb

@@ -9,11 +9,18 @@ module Devise
         Rails.configuration.session_options.slice(:path, :domain, :secure)
       end
 
+      def remember_me_is_active?(resource)
+        return false unless resource.respond_to?(:remember_me)
+        scope = Devise::Mapping.find_scope!(resource)
+        _, token, generated_at = cookies.signed[remember_key(resource, scope)]
+        resource.remember_me?(token, generated_at)
+      end
+
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
         return if env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
-        resource.remember_me!(resource.extend_remember_period)
+        resource.remember_me!
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)
       end
 

lib/devise/failure_app.rb

@@ -22,9 +22,12 @@ module Devise
       @respond.call(env)
     end
 
+    # Try retrieving the URL options from the parent controller (usually 
+    # ApplicationController). Instance methods are not supported at the moment,
+    # so only the class-level attribute is used.
     def self.default_url_options(*args)
-      if defined?(ApplicationController)
-        ApplicationController.default_url_options(*args)
+      if defined?(Devise.parent_controller.constantize)
+        Devise.parent_controller.constantize.try(:default_url_options) || {}
       else
         {}
       end
@@ -48,7 +51,18 @@ module Devise
     end
 
     def recall
-      env["PATH_INFO"]  = attempted_path
+      config = Rails.application.config
+
+      if config.try(:relative_url_root)
+        base_path = Pathname.new(config.relative_url_root)
+        full_path = Pathname.new(attempted_path)
+
+        env["SCRIPT_NAME"] = config.relative_url_root
+        env["PATH_INFO"] = '/' + full_path.relative_path_from(base_path).to_s
+      else
+        env["PATH_INFO"]  = attempted_path
+      end
+
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(env)
     end

lib/devise/hooks/timeoutable.rb

@@ -7,7 +7,8 @@ Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
 
-  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) &&
+     options[:store] != false && !env['devise.skip_timeoutable']
     last_request_at = warden.session(scope)['last_request_at']
 
     if last_request_at.is_a? Integer
@@ -18,9 +19,10 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
+    if record.timedout?(last_request_at) &&
+        !env['devise.skip_timeout'] &&
+        !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
-
       throw :warden, scope: scope, message: :timeout
     end
 

lib/devise/models.rb

@@ -12,7 +12,7 @@ module Devise
 
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::Authenticatable, :stretches, 10)
+    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

lib/devise/models/confirmable.rb

@@ -24,7 +24,7 @@ module Devise
     #     By default allow_unconfirmed_access_for is zero, it means users always have to confirm to sign in.
     #   * +reconfirmable+: requires any email changes to be confirmed (exactly the same way as
     #     initial account confirmation) to be applied. Requires additional unconfirmed_email
-    #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
+    #     db field to be setup (t.reconfirmable in migrations). Until confirmed, new email is
     #     stored in unconfirmed email column, and copied to email column on successful
     #     confirmation.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
@@ -170,6 +170,7 @@ module Devise
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions
+          skip_reconfirmation!
         end
 
         # Callback to overwrite if confirmation is required or not.
@@ -216,7 +217,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.
@@ -260,7 +261,7 @@ module Devise
         end
 
         def reconfirmation_required?
-          self.class.reconfirmable && @reconfirmation_required && self.email.present?
+          self.class.reconfirmable && @reconfirmation_required && (self.email.present? || self.unconfirmed_email.present?)
         end
 
         def send_confirmation_notification?

lib/devise/models/database_authenticatable.rb

@@ -12,7 +12,7 @@ module Devise
     #
     # == Options
     #
-    # DatabaseAuthenticable adds the following options to devise_for:
+    # DatabaseAuthenticatable adds the following options to devise_for:
     #
     #   * +pepper+: a random string used to provide a more secure hash. Use
     #     `rake secret` to generate new keys.
@@ -27,6 +27,8 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
+        after_update :send_password_change_notification, if: :send_password_change_notification?
+
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
       end
@@ -133,6 +135,10 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
+      def send_password_change_notification
+        send_devise_notification(:password_change)
+      end
+
     protected
 
       # Digests the password using bcrypt. Custom encryption should override
@@ -144,8 +150,12 @@ module Devise
         Devise::Encryptor.digest(self.class, password)
       end
 
+      def send_password_change_notification?
+        self.class.send_password_change_notification && encrypted_password_changed?
+      end
+
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches)
+        Devise::Models.config(self, :pepper, :stretches, :send_password_change_notification)
 
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on

lib/devise/models/lockable.rb

@@ -99,8 +99,8 @@ module Devise
         if super && !access_locked?
           true
         else
-          self.failed_attempts ||= 0
-          self.failed_attempts += 1
+          self.class.increment_counter(:failed_attempts, id)
+          reload
           if attempts_exceeded?
             lock_access! unless access_locked?
           else
@@ -155,6 +155,9 @@ module Devise
         end
 
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
+
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -181,7 +184,8 @@ module Devise
 
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
 
         # Is the lock enabled for the given lock strategy?

lib/devise/models/recoverable.rb

@@ -16,10 +16,6 @@ module Devise
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
     #   User.find(1).reset_password('password123', 'password123')
     #
-    #   # only resets the user password, without saving the record
-    #   user = User.find(1)
-    #   user.reset_password('password123', 'password123')
-    #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
     #
@@ -31,8 +27,8 @@ module Devise
       end
 
       included do
-        before_save do
-          if email_changed? || encrypted_password_changed?
+        before_update do
+          if (respond_to?(:email_changed?) && email_changed?) || encrypted_password_changed?
             clear_reset_password_token
           end
         end
@@ -87,7 +83,7 @@ module Devise
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago
+        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
 
       protected

lib/devise/models/rememberable.rb

@@ -39,17 +39,17 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
 
       def self.required_fields(klass)
         [:remember_created_at]
       end
 
-      # Generate a new remember token and save the record without validations
-      # if remember expired (token is no longer valid) or extend_remember_period is true
-      def remember_me!(extend_period=false)
-        self.remember_token = self.class.remember_token if generate_remember_token?
-        self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
+      # TODO: We were used to receive a extend period argument but we no longer do.
+      # Remove this for Devise 4.0.
+      def remember_me!(*)
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
+        self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
 
@@ -57,19 +57,22 @@ module Devise
       # it exists), and save the record without validations.
       def forget_me!
         return unless persisted?
-        self.remember_token = nil if respond_to?(:remember_token=)
+        self.remember_token = nil if respond_to?(:remember_token)
         self.remember_created_at = nil if self.class.expire_all_remember_me_on_sign_out
         save(validate: false)
       end
 
       # Remember token should be expired if expiration time not overpass now.
       def remember_expired?
-        remember_created_at.nil? || (remember_expires_at <= Time.now.utc)
+        remember_created_at.nil?
       end
 
-      # Remember token expires at created time + remember_for configuration
       def remember_expires_at
-        remember_created_at + self.class.remember_for
+        self.class.remember_for.from_now
+      end
+
+      def extend_remember_period
+        self.class.extend_remember_period
       end
 
       def rememberable_value
@@ -102,29 +105,47 @@ module Devise
       def after_remembered
       end
 
-    protected
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
 
-      def generate_remember_token? #:nodoc:
-        respond_to?(:remember_token) && remember_expired?
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
       end
 
-      # Generate a timestamp if extend_remember_period is true, if no remember_token
-      # exists, or if an existing remember token has expired.
-      def generate_remember_timestamp?(extend_period) #:nodoc:
-        extend_period || remember_expired?
+      private
+
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
       end
 
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
 
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(id, remember_token)
+        def serialize_from_cookie(*args)
+          id, token, generated_at = *args
+
           record = to_adapter.get(id)
-          record if record && !record.remember_expired? &&
-                    Devise.secure_compare(record.rememberable_value, remember_token)
+          record if record && record.remember_me?(token, generated_at)
         end
 
         # Generate a token checking if one does not already exist in the database.

lib/devise/models/timeoutable.rb

@@ -26,7 +26,6 @@ module Devise
 
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        return false if remember_exists_and_not_expired?
         !timeout_in.nil? && last_access && last_access <= timeout_in.ago
       end
 
@@ -36,11 +35,6 @@ module Devise
 
       private
 
-      def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
-        remember_created_at && !remember_expired?
-      end
-
       module ClassMethods
         Devise::Models.config(self, :timeout_in)
       end

lib/devise/rails/routes.rb

@@ -94,10 +94,24 @@ module ActionDispatch::Routing
     #
     #      devise_for :users, path: 'accounts'
     #
-    #  * singular: setup the singular name for the given resource. This is used as the instance variable
-    #    name in controller, as the name in routes and the scope given to warden.
+    #  * singular: setup the singular name for the given resource. This is used as the helper methods
+    #    names in controller ("authenticate_#{singular}!", "#{singular}_signed_in?", "current_#{singular}"
+    #    and "#{singular}_session"), as the scope name in routes and as the scope given to warden.
     #
-    #      devise_for :users, singular: :user
+    #      devise_for :admins, singular: :manager
+    #
+    #      devise_scope :manager do
+    #        ...
+    #      end
+    #
+    #      class ManagerController < ApplicationController
+    #        before_filter authenticate_manager!
+    #
+    #        def show
+    #          @manager = current_manager
+    #          ...
+    #        end
+    #      end
     #
     #  * path_names: configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.

lib/devise/strategies/authenticatable.rb

@@ -27,7 +27,7 @@ module Devise
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
       # An optional block that will be triggered while validating can be optionally
-      # given as parameter. Check Devise::Models::Authenticable.valid_for_authentication?
+      # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #
       # In case the resource can't be validated, it will fail with the given

lib/devise/strategies/rememberable.rb

@@ -25,8 +25,7 @@ module Devise
         end
 
         if validate(resource)
-          remember_me(resource)
-          extend_remember_me_period(resource)
+          remember_me(resource) if extend_remember_me?(resource)
           resource.after_remembered
           success!(resource)
         end
@@ -43,10 +42,8 @@ module Devise
 
     private
 
-      def extend_remember_me_period(resource)
-        if resource.respond_to?(:extend_remember_period=)
-          resource.extend_remember_period = mapping.to.extend_remember_period
-        end
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
       end
 
       def remember_me?

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.2".freeze
+  VERSION = "3.5.10".freeze
 end

lib/generators/devise/views_generator.rb

@@ -47,7 +47,7 @@ module Devise
       def view_directory(name, _target_path = nil)
         directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
           if scope
-            content.gsub "devise/shared/links", "#{scope}/shared/links"
+            content.gsub "devise/shared/links", "#{plural_scope}/shared/links"
           else
             content
           end
@@ -55,7 +55,11 @@ module Devise
       end
 
       def target_path
-        @target_path ||= "app/views/#{scope || :devise}"
+        @target_path ||= "app/views/#{plural_scope || :devise}"
+      end
+
+      def plural_scope
+        @plural_scope ||= scope.presence && scope.underscore.pluralize
       end
     end
 
@@ -83,6 +87,13 @@ module Devise
       source_root File.expand_path("../../templates/simple_form_for", __FILE__)
       desc "Copies simple form enabled views to your application."
       hide!
+
+      def copy_views
+        if options[:views]
+          options[:views].delete('mailer')
+        end
+        super
+      end
     end
 
     class ErbGenerator < Rails::Generators::Base #:nodoc:
@@ -111,7 +122,7 @@ module Devise
       end
 
       def target_path
-        "app/views/#{scope || :devise}/mailer"
+        "app/views/#{plural_scope || :devise}/mailer"
       end
     end
 

lib/generators/templates/devise.rb

@@ -105,6 +105,9 @@ Devise.setup do |config|
   # Setup a pepper to generate the encrypted password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'
 
+  # Send a notification email when the user's password is changed
+  # config.send_password_change_notification = false
+
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be

lib/generators/templates/markerb/confirmation_instructions.markerb

@@ -2,4 +2,4 @@ Welcome <%= @email %>!
 
 You can confirm your account through the link below:
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %>
+[Confirm my account](<%= confirmation_url(@resource, confirmation_token: @token) %>)

lib/generators/templates/markerb/password_change.markerb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

lib/generators/templates/markerb/reset_password_instructions.markerb

@@ -2,7 +2,7 @@ Hello <%= @resource.email %>!
 
 Someone has requested a link to change your password, and you can do this through the link below.
 
-<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
+[Change my password](<%= edit_password_url(@resource, reset_password_token: @token) %>)
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

lib/generators/templates/markerb/unlock_instructions.markerb

@@ -4,4 +4,4 @@ Your account has been locked due to an excessive number of unsuccessful sign in
 
 Click the link below to unlock your account:
 
-<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>
+[Unlock my account](<%= unlock_url(@resource, unlock_token: @token) %>)

test/controllers/helper_methods_test.rb

@@ -0,0 +1,21 @@
+require 'test_helper'
+
+class ApiController < ActionController::Metal
+  include Devise::Controllers::Helpers
+end
+
+class HelperMethodsTest < ActionController::TestCase
+  tests ApiController
+
+  test 'includes Devise::Controllers::Helpers' do
+    assert_includes @controller.class.ancestors, Devise::Controllers::Helpers
+  end
+
+  test 'does not respond_to helper_method' do
+    refute_respond_to @controller.class, :helper_method
+  end
+
+  test 'defines methods like current_user' do
+    assert_respond_to @controller, :current_user
+  end
+end

test/failure_app_test.rb

@@ -294,5 +294,22 @@ class FailureTest < ActiveSupport::TestCase
       assert @response.third.body.include?('<h2>Log in</h2>')
       assert @response.third.body.include?('Your account is not activated yet.')
     end
+
+    if Rails.application.config.respond_to?(:relative_url_root)
+      test 'calls the original controller with the proper environment considering the relative url root' do
+        swap Rails.application.config, relative_url_root: "/sample" do
+          env = {
+            "warden.options" => { recall: "devise/sessions#new", attempted_path: "/sample/users/sign_in"},
+            "devise.mapping" => Devise.mappings[:user],
+            "warden" => stub_everything
+          }
+          call_failure(env)
+          assert @response.third.body.include?('<h2>Log in</h2>')
+          assert @response.third.body.include?('Invalid email or password.')
+          assert_equal @request.env["SCRIPT_NAME"], '/sample'
+          assert_equal @request.env["PATH_INFO"], '/users/sign_in'
+        end
+      end
+    end
   end
 end

test/generators/views_generator_test.rb

@@ -46,6 +46,13 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_no_file "app/views/devise/mailer/confirmation_instructions.html.erb"
   end
 
+  test "Assert mailer specific directory with simple form" do
+    run_generator %w(-v mailer -b simple_form_for)
+    assert_file "app/views/devise/mailer/confirmation_instructions.html.erb"
+    assert_file "app/views/devise/mailer/reset_password_instructions.html.erb"
+    assert_file "app/views/devise/mailer/unlock_instructions.html.erb"
+  end
+
   test "Assert specified directories with scope" do
     run_generator %w(users -v sessions)
     assert_file "app/views/users/sessions/new.html.erb"

test/integration/omniauthable_test.rb

@@ -20,9 +20,11 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
       "credentials" => {"token" => 'plataformatec'},
       "extra" => {"user_hash" => FACEBOOK_INFO}
     }
+    OmniAuth.config.add_camelization 'facebook', 'FaceBook'
   end
 
   teardown do
+    OmniAuth.config.camelizations.delete('facebook')
     OmniAuth.config.test_mode = false
   end
 
@@ -40,7 +42,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "can access omniauth.auth in the env hash" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     json = ActiveSupport::JSON.decode(response.body)
 
@@ -54,7 +56,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign up" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -75,7 +77,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on cancel" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -86,7 +88,7 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
   test "cleans up session on sign in" do
     assert_no_difference "User.count" do
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
     end
 
     assert session["devise.facebook_data"]
@@ -96,13 +98,13 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
 
   test "sign in and send remember token if configured" do
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
     assert_nil warden.cookies["remember_user_token"]
 
     stub_action!(:sign_in_facebook) do
       create_user
       visit "/users/sign_in"
-      click_link "Sign in with Facebook"
+      click_link "Sign in with FaceBook"
       assert warden.authenticated?(:user)
       assert warden.cookies["remember_user_token"]
     end
@@ -118,16 +120,16 @@ class OmniauthableIntegrationTest < ActionDispatch::IntegrationTest
     OmniAuth.config.mock_auth[:facebook] = :access_denied
     visit "/users/auth/facebook/callback?error=access_denied"
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Access denied".'
+    assert_contain 'Could not authenticate you from FaceBook because "Access denied".'
   end
 
   test "handles other exceptions from OmniAuth" do
     OmniAuth.config.mock_auth[:facebook] = :invalid_credentials
 
     visit "/users/sign_in"
-    click_link "Sign in with Facebook"
+    click_link "Sign in with FaceBook"
 
     assert_current_url "/users/sign_in"
-    assert_contain 'Could not authenticate you from Facebook because "Invalid credentials".'
+    assert_contain 'Could not authenticate you from FaceBook because "Invalid credentials".'
   end
 end

test/integration/rememberable_test.rb

@@ -1,10 +1,15 @@
 require 'test_helper'
 
 class RememberMeTest < ActionDispatch::IntegrationTest
+  if (Rails::VERSION::MAJOR < 4) || (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR < 1)
+    require 'time_helpers'
+    include ActiveSupport::Testing::TimeHelpers
+  end
+
   def create_user_and_remember(add_to_token='')
     user = create_user
     user.remember_me!
-    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
+    raw_cookie = User.serialize_into_cookie(user).tap { |a| a[1] << add_to_token }
     cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
     user
   end
@@ -92,7 +97,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -118,6 +122,40 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path
@@ -135,7 +173,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
 
   test 'do not remember with expired token' do
     create_user_and_remember
-    swap Devise, remember_for: 0 do
+    swap Devise, remember_for: 0.days do
       get users_path
       assert_not warden.authenticated?(:user)
       assert_redirected_to new_user_session_path

test/integration/timeoutable_test.rb

@@ -24,6 +24,18 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert_equal old_last_request, last_request_at
   end
 
+  test 'does not set last request at in user session after each request if timeoutable is disabled' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    new_time = 2.seconds.from_now
+    Time.stubs(:now).returns(new_time)
+
+    get users_path, {}, 'devise.skip_timeoutable' => true
+    assert_equal old_last_request, last_request_at
+  end
+
   test 'does not time out user session before default limit time' do
     sign_in_as_user
     assert_response :success
@@ -163,7 +175,7 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'does not crashes when the last_request_at is a String' do
+  test 'does not crash when the last_request_at is a String' do
     user = sign_in_as_user
 
     get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)

test/models/confirmable_test.rb

@@ -114,7 +114,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      assert !user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -250,6 +250,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.reload.active_for_authentication?
   end
 
+  test 'should not break when a user tries to reset their password in the case where confirmation is not required and confirm_within is set' do
+    swap Devise, confirm_within: 3.days do
+      user = create_user
+      user.instance_eval { def confirmation_required?; false end }
+      user.confirmation_sent_at = nil
+      user.save
+      assert user.reload.confirm!
+    end
+  end
+
   test 'should find a user to send email instructions for the user confirm its email by authentication_keys' do
     swap Devise, authentication_keys: [:username, :email] do
       user = create_user
@@ -391,6 +401,14 @@ class ReconfirmableTest < ActiveSupport::TestCase
     assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
   end
 
+  test 'should send confirmation instructions by email after changing email from nil' do
+    admin = create_admin(email: nil)
+    assert_email_sent "new_test@example.com" do
+      assert admin.update_attributes(email: 'new_test@example.com')
+    end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
+  end
+
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
     assert admin.confirm
@@ -476,4 +494,18 @@ class ReconfirmableTest < ActiveSupport::TestCase
       :unconfirmed_email
     ]
   end
+
+  test 'should not require reconfirmation after creating a record' do
+    admin = create_admin
+    assert !admin.pending_reconfirmation?
+  end
+
+  test 'should not require reconfirmation after creating a record with #save called in callback' do
+    class Admin::WithSaveInCallback < Admin
+      after_create :save
+    end
+
+    admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
+    assert !admin.pending_reconfirmation?
+  end
 end

test/models/database_authenticatable_test.rb

@@ -3,6 +3,10 @@ require 'test_models'
 require 'digest/sha1'
 
 class DatabaseAuthenticatableTest < ActiveSupport::TestCase
+  def setup
+    setup_mailer
+  end
+
   test 'should downcase case insensitive keys when saving' do
     # case_insensitive_keys is set to :email by default.
     email = 'Foo@Bar.com'
@@ -225,6 +229,22 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "can't be blank", user.errors[:current_password].join
   end
 
+  test 'should not email on password change' do
+    user = create_user
+    assert_email_not_sent do
+      assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+    end
+  end
+
+  test 'should email on password change when configured' do
+    swap Devise, send_password_change_notification: true do
+      user = create_user
+      assert_email_sent user.email do
+        assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
+      end
+    end
+  end
+
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")

test/models/lockable_test.rb

@@ -14,7 +14,7 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
-  test "should increment failed_attempts on successfull validation if the user is already locked" do
+  test "should increment failed_attempts on successful validation if the user is already locked" do
     user = create_user
     user.confirm
 
@@ -37,6 +37,17 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
+  test "should read failed_attempts from database when incrementing" do
+    user = create_user
+    initial_failed_attempts = user.failed_attempts
+    same_user = User.find(user.id)
+
+    user.valid_for_authentication?{ false }
+    same_user.valid_for_authentication?{ false }
+
+    assert_equal initial_failed_attempts + 2, user.reload.failed_attempts
+  end
+
   test 'should be valid for authentication with a unlocked user' do
     user = create_user
     user.lock_access!
@@ -325,4 +336,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end

test/models/recoverable_test.rb

@@ -42,6 +42,17 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil user.reset_password_token
   end
 
+  test 'should not clear reset password token for new user' do
+    user = new_user
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+
+    user.save
+    assert_present user.reset_password_token
+  end
+
   test 'should clear reset password token if changing password' do
     user = create_user
     assert_nil user.reset_password_token
@@ -65,6 +76,18 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil user.reset_password_token
   end
 
+  test 'should clear reset password successfully even if there is no email' do
+    user = create_user_without_email
+    assert_nil user.reset_password_token
+
+    user.send_reset_password_instructions
+    assert_present user.reset_password_token
+    user.password = "123456678"
+    user.password_confirmation = "123456678"
+    user.save!
+    assert_nil user.reset_password_token
+  end
+
   test 'should not clear reset password token if record is invalid' do
     user = create_user
     user.send_reset_password_instructions

test/models/rememberable_test.rb

@@ -13,6 +13,19 @@ class RememberableTest < ActiveSupport::TestCase
     user = create_user
     user.expects(:valid?).never
     user.remember_me!
+    assert user.remember_created_at
+  end
+
+  test 'remember_me should not generate a new token if valid token exists' do
+    user = create_user
+    user.singleton_class.send(:attr_accessor, :remember_token)
+    User.to_adapter.expects(:find_first).returns(nil)
+
+    user.remember_me!
+    existing_token = user.remember_token
+
+    user.remember_me!
+    assert_equal existing_token, user.remember_token
   end
 
   test 'forget_me should not clear remember token if using salt' do
@@ -33,13 +46,57 @@ class RememberableTest < ActiveSupport::TestCase
   test 'serialize into cookie' do
     user = create_user
     user.remember_me!
-    assert_equal [user.to_key, user.authenticatable_salt], User.serialize_into_cookie(user)
+    id, token, date = User.serialize_into_cookie(user)
+    assert_equal id, user.to_key
+    assert_equal token, user.authenticatable_salt
+    assert date.is_a?(String)
   end
 
   test 'serialize from cookie' do
     user = create_user
     user.remember_me!
-    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
+  end
+
+  test 'serialize from cookie should accept a String with the datetime seconds and microseconds' do
+    user = create_user
+    user.remember_me!
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc.to_f.to_json)
+  end
+
+  test 'serialize from cookie should return nil with invalid datetime' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, "2013")
+  end
+
+  test 'serialize from cookie should return nil if no resource is found' do
+    assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
+  end
+
+  test 'serialize from cookie should return nil if no timestamp' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt)
+  end
+
+  test 'serialize from cookie should return nil if timestamp is earlier than token creation' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 1.day.ago)
+  end
+
+  test 'serialize from cookie should return nil if timestamp is older than remember_for' do
+    user = create_user
+    user.remember_created_at = 1.month.ago
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 3.weeks.ago)
+  end
+
+  test 'serialize from cookie me return nil if is a valid resource with invalid token' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, "123", Time.now.utc)
   end
 
   test 'raises a RuntimeError if authenticatable_salt is nil or empty' do
@@ -93,28 +150,7 @@ class RememberableTest < ActiveSupport::TestCase
     resource.forget_me!
   end
 
-  test 'remember is expired if not created at timestamp is set' do
-    assert create_resource.remember_expired?
-  end
-
-  test 'serialize should return nil if no resource is found' do
-    assert_nil resource_class.serialize_from_cookie([0], "123")
-  end
-
-  test 'remember me return nil if is a valid resource with invalid token' do
-    resource = create_resource
-    assert_nil resource_class.serialize_from_cookie([resource.id], "123")
-  end
-
-  test 'remember for should fallback to devise remember for default configuration' do
-    swap Devise, remember_for: 1.day do
-      resource = create_resource
-      resource.remember_me!
-      assert_not resource.remember_expired?
-    end
-  end
-
-  test 'remember expires at should sum date of creation with remember for configuration' do
+  test 'remember expires at uses remember for configuration' do
     swap Devise, remember_for: 3.days do
       resource = create_resource
       resource.remember_me!
@@ -125,77 +161,6 @@ class RememberableTest < ActiveSupport::TestCase
     end
   end
 
-  test 'remember should be expired if remember_for is zero' do
-    swap Devise, remember_for: 0.days do
-      Devise.remember_for = 0.days
-      resource = create_resource
-      resource.remember_me!
-      assert resource.remember_expired?
-    end
-  end
-
-  test 'remember should be expired if it was created before limit time' do
-    swap Devise, remember_for: 1.day do
-      resource = create_resource
-      resource.remember_me!
-      resource.remember_created_at = 2.days.ago
-      resource.save
-      assert resource.remember_expired?
-    end
-  end
-
-  test 'remember should not be expired if it was created within the limit time' do
-    swap Devise, remember_for: 30.days do
-      resource = create_resource
-      resource.remember_me!
-      resource.remember_created_at = (30.days.ago + 2.minutes)
-      resource.save
-      assert_not resource.remember_expired?
-    end
-  end
-
-  test 'if extend_remember_period is false, remember_me! should generate a new timestamp if expired' do
-    swap Devise, remember_for: 5.minutes do
-      resource = create_resource
-      resource.remember_me!(false)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago
-      resource.save
-
-      resource.remember_me!(false)
-      assert_not_equal old.to_i, resource.remember_created_at.to_i
-    end
-  end
-
-  test 'if extend_remember_period is false, remember_me! should not generate a new timestamp' do
-    swap Devise, remember_for: 1.year do
-      resource = create_resource
-      resource.remember_me!(false)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago.utc
-      resource.save
-
-      resource.remember_me!(false)
-      assert_equal old.to_i, resource.remember_created_at.to_i
-    end
-  end
-
-  test 'if extend_remember_period is true, remember_me! should always generate a new timestamp' do
-    swap Devise, remember_for: 1.year do
-      resource = create_resource
-      resource.remember_me!(true)
-      assert resource.remember_created_at
-
-      resource.remember_created_at = old = 10.minutes.ago
-      resource.save
-
-      resource.remember_me!(true)
-      assert_not_equal old, resource.remember_created_at
-    end
-  end
-
   test 'should have the required_fields array' do
     assert_same_content Devise::Models::Rememberable.required_fields(User), [
       :remember_created_at

test/models_test.rb

@@ -92,13 +92,20 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 end
 
+module StubModelFilters
+  def stub_filter(name)
+    define_singleton_method(name) { |*| nil }
+  end
+end
+
 class CheckFieldsTest < ActiveSupport::TestCase
   test 'checks if the class respond_to the required fields' do
     Player = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -113,9 +120,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute and shows the missing attribute if the class doesn\'t respond_to one of the attributes' do
     Clown = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
 
@@ -130,9 +138,10 @@ class CheckFieldsTest < ActiveSupport::TestCase
   test 'raises Devise::Models::MissingAtrribute with all the missing attributes if there is more than one' do
     Magician = Class.new do
       extend Devise::Models
+      extend StubModelFilters
 
-      def self.before_validation(instance)
-      end
+      stub_filter :before_validation
+      stub_filter :after_update
 
       devise :database_authenticatable
     end

test/rails_app/app/active_record/user_without_email.rb

@@ -0,0 +1,8 @@
+require "shared_user_without_email"
+
+class UserWithoutEmail < ActiveRecord::Base
+  self.table_name = 'users'
+  include Shim
+  include SharedUserWithoutEmail
+end
+

test/rails_app/app/mongoid/user_without_email.rb

@@ -0,0 +1,33 @@
+require "shared_user_without_email"
+
+class UserWithoutEmail
+  include Mongoid::Document
+  include Shim
+  include SharedUserWithoutEmail
+
+  field :username, type: String
+  field :facebook_token, type: String
+
+  ## Database authenticatable
+  field :email, type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  ## Recoverable
+  field :reset_password_token, type: String
+  field :reset_password_sent_at, type: Time
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Trackable
+  field :sign_in_count, type: Integer, default: 0
+  field :current_sign_in_at, type: Time
+  field :last_sign_in_at, type: Time
+  field :current_sign_in_ip, type: String
+  field :last_sign_in_ip, type: String
+
+  ## Lockable
+  field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  field :unlock_token, type: String # Only if unlock strategy is :email or :both
+  field :locked_at, type: Time
+end

test/rails_app/config/routes.rb

@@ -28,6 +28,11 @@ Rails.application.routes.draw do
     router_name: :fake_engine,
     module: :devise
 
+  devise_for :user_without_email,
+    class_name: 'UserWithoutEmail',
+    router_name: :main_app,
+    module: :devise
+
   as :user do
     get "/as/sign_in", to: "devise/sessions#new"
   end

test/rails_app/lib/shared_user_without_email.rb

@@ -0,0 +1,26 @@
+module SharedUserWithoutEmail
+  extend ActiveSupport::Concern
+
+  included do
+    # NOTE: This is missing :validatable and :confirmable, as they both require
+    # an email field at the moment. It is also missing :omniauthable because that
+    # adds unnecessary complexity to the setup
+    devise :database_authenticatable, :lockable, :recoverable,
+           :registerable, :rememberable, :timeoutable,
+           :trackable
+  end
+
+  # This test stub is a bit rubbish because it's tied very closely to the
+  # implementation where we care about this one case. However, completely
+  # removing the email field breaks "recoverable" tests completely, so we are
+  # just taking the approach here that "email" is something that is a not an
+  # ActiveRecord field.
+  def email_changed?
+    raise NoMethodError
+  end
+
+  def respond_to?(method_name, include_all=false)
+    return false if method_name.to_sym == :email_changed?
+    super(method_name, include_all)
+  end
+end

test/support/helpers.rb

@@ -46,6 +46,10 @@ class ActiveSupport::TestCase
     Admin.create!(valid_attributes)
   end
 
+  def create_user_without_email(attributes={})
+    UserWithoutEmail.create!(valid_attributes(attributes))
+  end
+
   # Execute the block setting the given values and restoring old values after
   # the block is executed.
   def swap(object, new_values)

test/time_helpers.rb

@@ -0,0 +1,137 @@
+# A copy of Rails time helpers. With this file we can support the `travel_to`
+# helper for Rails versions prior 4.1.
+# File origin: https://github.com/rails/rails/blob/52ce6ece8c8f74064bb64e0a0b1ddd83092718e1/activesupport/lib/active_support/testing/time_helpers.rb
+module ActiveSupport
+  module Testing
+    class SimpleStubs # :nodoc:
+      Stub = Struct.new(:object, :method_name, :original_method)
+
+      def initialize
+        @stubs = {}
+      end
+
+      def stub_object(object, method_name, return_value)
+        key = [object.object_id, method_name]
+
+        if stub = @stubs[key]
+          unstub_object(stub)
+        end
+
+        new_name = "__simple_stub__#{method_name}"
+
+        @stubs[key] = Stub.new(object, method_name, new_name)
+
+        object.singleton_class.send :alias_method, new_name, method_name
+        object.define_singleton_method(method_name) { return_value }
+      end
+
+      def unstub_all!
+        @stubs.each_value do |stub|
+          unstub_object(stub)
+        end
+        @stubs = {}
+      end
+
+      private
+
+        def unstub_object(stub)
+          singleton_class = stub.object.singleton_class
+          singleton_class.send :undef_method, stub.method_name
+          singleton_class.send :alias_method, stub.method_name, stub.original_method
+          singleton_class.send :undef_method, stub.original_method
+        end
+    end
+
+    # Contains helpers that help you test passage of time.
+    module TimeHelpers
+      # Changes current time to the time in the future or in the past by a given time difference by
+      # stubbing +Time.now+, +Date.today+, and +DateTime.now+.
+      #
+      #   Time.current     # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      #   travel 1.day
+      #   Time.current     # => Sun, 10 Nov 2013 15:34:49 EST -05:00
+      #   Date.current     # => Sun, 10 Nov 2013
+      #   DateTime.current # => Sun, 10 Nov 2013 15:34:49 -0500
+      #
+      # This method also accepts a block, which will return the current time back to its original
+      # state at the end of the block:
+      #
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      #   travel 1.day do
+      #     User.create.created_at # => Sun, 10 Nov 2013 15:34:49 EST -05:00
+      #   end
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      def travel(duration, &block)
+        travel_to Time.now + duration, &block
+      end
+
+      # Changes current time to the given time by stubbing +Time.now+,
+      # +Date.today+, and +DateTime.now+ to return the time or date passed into this method.
+      #
+      #   Time.current     # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      #   travel_to Time.new(2004, 11, 24, 01, 04, 44)
+      #   Time.current     # => Wed, 24 Nov 2004 01:04:44 EST -05:00
+      #   Date.current     # => Wed, 24 Nov 2004
+      #   DateTime.current # => Wed, 24 Nov 2004 01:04:44 -0500
+      #
+      # Dates are taken as their timestamp at the beginning of the day in the
+      # application time zone. <tt>Time.current</tt> returns said timestamp,
+      # and <tt>Time.now</tt> its equivalent in the system time zone. Similarly,
+      # <tt>Date.current</tt> returns a date equal to the argument, and
+      # <tt>Date.today</tt> the date according to <tt>Time.now</tt>, which may
+      # be different. (Note that you rarely want to deal with <tt>Time.now</tt>,
+      # or <tt>Date.today</tt>, in order to honor the application time zone
+      # please always use <tt>Time.current</tt> and <tt>Date.current</tt>.)
+      #
+      # Note that the usec for the time passed will be set to 0 to prevent rounding
+      # errors with external services, like MySQL (which will round instead of floor,
+      # leading to off-by-one-second errors).
+      #
+      # This method also accepts a block, which will return the current time back to its original
+      # state at the end of the block:
+      #
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      #   travel_to Time.new(2004, 11, 24, 01, 04, 44) do
+      #     Time.current # => Wed, 24 Nov 2004 01:04:44 EST -05:00
+      #   end
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      def travel_to(date_or_time)
+        if date_or_time.is_a?(Date) && !date_or_time.is_a?(DateTime)
+          now = date_or_time.midnight.to_time
+        else
+          now = date_or_time.to_time.change(usec: 0)
+        end
+
+        simple_stubs.stub_object(Time, :now, now)
+        simple_stubs.stub_object(Date, :today, now.to_date)
+        simple_stubs.stub_object(DateTime, :now, now.to_datetime)
+
+        if block_given?
+          begin
+            yield
+          ensure
+            travel_back
+          end
+        end
+      end
+
+      # Returns the current time back to its original state, by removing the stubs added by
+      # `travel` and `travel_to`.
+      #
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      #   travel_to Time.new(2004, 11, 24, 01, 04, 44)
+      #   Time.current # => Wed, 24 Nov 2004 01:04:44 EST -05:00
+      #   travel_back
+      #   Time.current # => Sat, 09 Nov 2013 15:34:49 EST -05:00
+      def travel_back
+        simple_stubs.unstub_all!
+      end
+
+      private
+
+        def simple_stubs
+          @simple_stubs ||= SimpleStubs.new
+        end
+    end
+  end
+end