Release 3.5.7 version.

Now the config `extend_remember_period` is used to:

`true` - Every time the user authentication is validated, the
cookie expiration is updated.
`false` - Does not updates the cookie expiration.

Closes #3994

CHANGELOG.md

@@ -1,3 +1,22 @@
+### Unreleased
+
+### 3.5.7 - 2016-04-18
+
+* bug fixes
+  * Fix the `extend_remember_period` configuration. When set to `false` it does
+    not update the cookie expiration anymore.(by @ulissesalmeida)
+
+### 3.5.6 - 2016-01-02
+
+* bug fixes
+  * Fix type coercion of the rememberable timestamp stored on cookies.
+
+### 3.5.5 - 2016-22-01
+
+* bug fixes
+  * Bring back remember_expired? implementation
+  * Ensure timeouts are not triggered if remember me is being used
+
 ### 3.5.4 - 2016-18-01
 
 * bug fixes

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.4)
+    devise (3.5.7)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -48,7 +48,7 @@ GEM
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
     arel (6.0.0)
-    bcrypt (3.1.10)
+    bcrypt (3.1.11)
     bson (3.1.2)
     builder (3.2.2)
     connection_pool (2.2.0)
@@ -139,7 +139,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rdoc (4.2.0)
-    responders (2.1.1)
+    responders (2.1.2)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.2.0)
@@ -153,7 +153,7 @@ GEM
     thread_safe (0.3.5)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

gemfiles/Gemfile.rails-3.2-stable.lock

@@ -49,7 +49,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.43)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

gemfiles/Gemfile.rails-4.0-stable.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
+  revision: 9be9597e510d185ca7964d0a05b4ea2a7f2d50d1
   branch: 4-0-stable
   specs:
     actionmailer (4.0.13)
@@ -43,7 +43,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -54,24 +54,24 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activerecord-deprecated_finders (1.0.3)
+    activerecord-deprecated_finders (1.0.4)
     arel (4.0.2)
     bcrypt (3.1.10)
-    bson (2.3.0)
+    bson (3.2.6)
     builder (3.1.4)
-    connection_pool (2.1.3)
+    concurrent-ruby (1.0.0)
+    connection_pool (2.2.0)
     erubis (2.7.0)
-    faraday (0.9.1)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.3)
     i18n (0.7.0)
-    jwt (1.4.1)
+    jwt (1.5.2)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     metaclass (0.0.4)
-    mime-types (2.4.3)
-    mini_portile (0.6.2)
+    mime-types (2.99)
+    mini_portile2 (2.0.0)
     minitest (4.7.5)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
@@ -80,15 +80,15 @@ GEM
       moped (~> 2.0.0)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.4)
-      bson (~> 2.2)
+    moped (2.0.7)
+      bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.11.0)
+    multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     oauth2 (0.9.4)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0)
@@ -109,34 +109,31 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.1.1)
+    origin (2.2.0)
     orm_adapter (0.5.0)
-    rack (1.5.2)
+    rack (1.5.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.4.2)
-    rdoc (4.2.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
     ruby-openid (2.7.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.4)
+    sprockets (3.5.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (2.3.3)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
+    sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
-    tzinfo (0.3.43)
-    warden (1.2.4)
+    tzinfo (0.3.46)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -163,4 +160,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -48,7 +48,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -58,7 +58,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.5.3)
+    devise (3.5.6)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -146,8 +146,8 @@ GEM
       loofah (~> 2.0)
     rake (10.4.2)
     rdoc (4.2.0)
-    responders (2.1.0)
-      railties (>= 4.2.0, < 5)
+    responders (2.1.1)
+      railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (2.12.3)
       hike (~> 1.2)
@@ -164,7 +164,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.4)
+    warden (1.2.6)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -191,4 +191,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

lib/devise.rb

@@ -116,7 +116,6 @@ module Devise
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
 
-  # TODO: extend_remember_period is no longer used
   # If true, extends the user's remember period when remembered via cookie.
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false

lib/devise/controllers/rememberable.rb

@@ -9,6 +9,13 @@ module Devise
         Rails.configuration.session_options.slice(:path, :domain, :secure)
       end
 
+      def remember_me_is_active?(resource)
+        return false unless resource.respond_to?(:remember_me)
+        scope = Devise::Mapping.find_scope!(resource)
+        _, token, generated_at = cookies.signed[remember_key(resource, scope)]
+        resource.remember_me?(token, generated_at)
+      end
+
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
         return if env["devise.skip_storage"]

lib/devise/hooks/timeoutable.rb

@@ -19,9 +19,10 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
+    if record.timedout?(last_request_at) &&
+        !env['devise.skip_timeout'] &&
+        !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
-
       throw :warden, scope: scope, message: :timeout
     end
 

lib/devise/models/rememberable.rb

@@ -39,7 +39,7 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
 
       def self.required_fields(klass)
         [:remember_created_at]
@@ -62,10 +62,19 @@ module Devise
         save(validate: false)
       end
 
+      # Remember token should be expired if expiration time not overpass now.
+      def remember_expired?
+        remember_created_at.nil?
+      end
+
       def remember_expires_at
         self.class.remember_for.from_now
       end
 
+      def extend_remember_period
+        self.class.extend_remember_period
+      end
+
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
@@ -96,32 +105,47 @@ module Devise
       def after_remembered
       end
 
-    protected
+      def remember_me?(token, generated_at)
+        # TODO: Normalize the JSON type coercion along with the Timeoutable hook
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        if generated_at.is_a?(String)
+          generated_at = time_from_json(generated_at)
+        end
+
+        # The token is only valid if:
+        # 1. we have a date
+        # 2. the current time does not pass the expiry period
+        # 3. the record has a remember_created_at date
+        # 4. the token date is bigger than the remember_created_at
+        # 5. the token matches
+        generated_at.is_a?(Time) &&
+         (self.class.remember_for.ago < generated_at) &&
+         (generated_at > (remember_created_at || Time.now).utc) &&
+         Devise.secure_compare(rememberable_value, token)
+      end
+
+      private
+
+      def time_from_json(value)
+        if value =~ /\A\d+\.\d+\Z/
+          Time.at(value.to_f)
+        else
+          Time.parse(value) rescue nil
+        end
+      end
 
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          [record.to_key, record.rememberable_value, Time.now.utc]
+          [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
         end
 
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(*args)
-          id, token, generated_at = args
+          id, token, generated_at = *args
 
-          # The token is only valid if:
-          # 1. we have a date
-          # 2. the current time does not pass the expiry period
-          # 3. there is a record with the given id
-          # 4. the record has a remember_created_at date
-          # 5. the token date is bigger than the remember_created_at
-          # 6. the token matches
-          if generated_at &&
-             (self.remember_for.ago < generated_at) &&
-             (record = to_adapter.get(id)) &&
-             (generated_at > (record.remember_created_at || Time.now).utc) &&
-             Devise.secure_compare(record.rememberable_value, token)
-            record
-          end
+          record = to_adapter.get(id)
+          record if record && record.remember_me?(token, generated_at)
         end
 
         # Generate a token checking if one does not already exist in the database.
@@ -132,7 +156,6 @@ module Devise
           end
         end
 
-        # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end

lib/devise/strategies/rememberable.rb

@@ -25,8 +25,7 @@ module Devise
         end
 
         if validate(resource)
-          remember_me(resource)
-          extend_remember_me_period(resource)
+          remember_me(resource) if extend_remember_me?(resource)
           resource.after_remembered
           success!(resource)
         end
@@ -43,10 +42,8 @@ module Devise
 
     private
 
-      def extend_remember_me_period(resource)
-        if resource.respond_to?(:extend_remember_period=)
-          resource.extend_remember_period = mapping.to.extend_remember_period
-        end
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
       end
 
       def remember_me?

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.5.4".freeze
+  VERSION = "3.5.7".freeze
 end

test/integration/rememberable_test.rb

@@ -92,7 +92,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -118,6 +117,40 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path

test/integration/timeoutable_test.rb

@@ -165,7 +165,17 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     end
   end
 
-  test 'does not crashes when the last_request_at is a String' do
+  test 'time out not triggered if remembered' do
+    user = sign_in_as_user remember_me: true
+    get expire_user_path(user)
+    assert_not_nil last_request_at
+
+    get users_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'does not crash when the last_request_at is a String' do
     user = sign_in_as_user
 
     get edit_form_user_path(user, last_request_at: Time.now.utc.to_s)

test/models/rememberable_test.rb

@@ -37,7 +37,7 @@ class RememberableTest < ActiveSupport::TestCase
     id, token, date = User.serialize_into_cookie(user)
     assert_equal id, user.to_key
     assert_equal token, user.authenticatable_salt
-    assert date.is_a?(Time)
+    assert date.is_a?(String)
   end
 
   test 'serialize from cookie' do
@@ -46,6 +46,18 @@ class RememberableTest < ActiveSupport::TestCase
     assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
   end
 
+  test 'serialize from cookie should accept a String with the datetime seconds and microseconds' do
+    user = create_user
+    user.remember_me!
+    assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc.to_f.to_json)
+  end
+
+  test 'serialize from cookie should return nil with invalid datetime' do
+    user = create_user
+    user.remember_me!
+    assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, "2013")
+  end
+
   test 'serialize from cookie should return nil if no resource is found' do
     assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
   end