Release 4.0.2

A bug that if the unlock strategy was set to `:both`, it would return true for all & any inputs

See #4072

.travis.yml

@@ -3,7 +3,7 @@ language: ruby
 rvm:
   - 2.3.0
   - 2.2.4
-  - 2.1.5
+  - 2.1.8
 
 gemfile:
   - Gemfile
@@ -13,7 +13,7 @@ gemfile:
 
 matrix:
   exclude:
-    - rvm: 2.1.5
+    - rvm: 2.1.8
       gemfile: gemfiles/Gemfile.rails-5.0-beta
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.0-beta

CHANGELOG.md

@@ -1,5 +1,39 @@
 ### Unreleased
 
+### 4.0.2 - 2016-04-25
+
+* bug fixes
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
+  and `:undefined` strategies. (by @f3ndot)
+
+### 4.0.1 - 2016-04-25
+
+* bug fixes
+  * Fix the e-mail confirmation instructions send when a user updates the email
+    address from nil. (by @lmduc)
+  * Remove unnecessary `attribute_will_change!` call. (by @cadejscroggins)
+  * Consistent `permit!` check. (by @ulissesalmeida)
+
+### 4.0.0 - 2016-04-18
+
+* bug fixes
+  * Fix the `extend_remember_period` configuration. When set to `false` it does
+    not update the cookie expiration anymore.(by @ulissesalmeida)
+
+* deprecations
+  * Added a warning of default value change in Devise 4.1 for users that uses
+    the the default configuration of the following configurations: (by @ulissesalmeida)
+    * `strip_whitespace_keys` - The default will be `[:email]`.
+    * `skip_session_storage` - The default will be `[:http_auth]`.
+    * `sign_out_via` - The default will be `:delete`.
+    * `reconfirmable` - The default will be `true`.
+    * `email_regexp` - The default will be `/\A[^@\s]+@[^@\s]+\z/`.
+  * Removed deprecated argument of `Devise::Models::Rememberable#remember_me!` (by @ulissesalmeida)
+  * Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in!
+    (by @bogdanvlviv)
+
+### 4.0.0.rc2 - 2016-03-09
+
 * enhancements
   * Introduced `DeviseController#set_flash_message!` for conditional flash
     messages setting to reduce complexity.

Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 4.2.5"
+gem "rails", "~> 4.2.6"
 gem "omniauth", "~> 1.3"
 gem "omniauth-oauth2", "~> 1.4"
 gem "rdoc"
@@ -25,5 +25,5 @@ platforms :ruby do
 end
 
 group :mongoid do
-  gem "mongoid", "~> 4.0"
+  gem "mongoid", "~> 5.0"
 end

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (4.0.0.rc2)
+    devise (4.0.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -48,10 +48,9 @@ GEM
       tzinfo (~> 1.1)
     arel (6.0.3)
     bcrypt (3.1.11)
-    bson (3.2.6)
+    bson (4.0.0)
     builder (3.2.2)
     concurrent-ruby (1.0.1)
-    connection_pool (2.2.0)
     erubis (2.7.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
@@ -71,15 +70,13 @@ GEM
     minitest (5.8.4)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    mongoid (4.0.2)
+    mongo (2.2.0)
+      bson (~> 4.0)
+    mongoid (5.0.1)
       activemodel (~> 4.0)
-      moped (~> 2.0.0)
+      mongo (~> 2.1)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.7)
-      bson (~> 3.0)
-      connection_pool (~> 2.0)
-      optionable (~> 0.2.0)
     multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
@@ -102,7 +99,6 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    optionable (0.2.0)
     origin (2.2.0)
     orm_adapter (0.5.0)
     rack (1.6.4)
@@ -138,7 +134,7 @@ GEM
     rake (11.0.1)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.2.0)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.5.2)
@@ -169,12 +165,12 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid (~> 4.0)
+  mongoid (~> 5.0)
   omniauth (~> 1.3)
   omniauth-facebook
   omniauth-oauth2 (~> 1.4)
   omniauth-openid (~> 1.0.1)
-  rails (~> 4.2.5)
+  rails (~> 4.2.6)
   rdoc
   sqlite3
   webrat (= 0.7.3)

README.md

@@ -109,7 +109,7 @@ The generator will install an initializer which describes ALL of Devise's config
 rails generate devise MODEL
 ```
 
-Replace MODEL with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
+Replace MODEL with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with the default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
 
 Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section.  For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. Then run `rake db:migrate`
 
@@ -129,6 +129,8 @@ Devise will create some helpers to use inside your controllers and views. To set
 before_action :authenticate_user!
 ```
 
+For Rails 5, note that `protect_from_forgery` is no longer prepended to the `before_action` chain, so if you have set `authenticate_user` before `protect_from_forgery`, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use `protect_from_forgery prepend: true`.
+
 If your devise model is something other than User, replace "_user" with "_yourmodel". The same logic applies to the instructions below.
 
 To verify if a user is signed in, use the following helper:
@@ -187,7 +189,7 @@ Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`,
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
+There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and default permitted parameters are:
 
 * `sign_in` (`Devise::SessionsController#create`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`

gemfiles/Gemfile.rails-5.0-beta.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: ad5ff3a9262576362792196a991de1d1778c5f48
+  revision: f380ea5ddefcb9a37f4fbc47606ed6fbecdb2b2a
   specs:
     activemodel-serializers-xml (1.0.0)
       activemodel (> 5.x)
@@ -73,11 +73,13 @@ GEM
     jwt (1.5.1)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
     method_source (0.8.2)
-    mime-types (2.99.1)
+    mime-types (3.0)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0221)
     mini_portile2 (2.0.0)
     minitest (5.8.4)
     mocha (1.1.0)
@@ -143,13 +145,13 @@ GEM
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.0.1)
+    rake (11.1.2)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.1.2)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (3.5.2)
+    sprockets (3.6.0)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.0.4)

lib/devise.rb

@@ -53,6 +53,12 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
+  # Track the configs that user explicit changed the default value. It is
+  # helpfull to not warn users about default values changing when they willing
+  # changed.
+  mattr_accessor :app_set_configs
+  @@app_set_configs = Set.new
+
   # Secret key used by the key generator
   mattr_accessor :secret_key
   @@secret_key = nil
@@ -82,9 +88,20 @@ module Devise
   @@case_insensitive_keys = [:email]
 
   # Keys that should have whitespace stripped.
-  mattr_accessor :strip_whitespace_keys
+  # TODO: 4.1 Do: @@strip_whitespace_keys = [:email]
+  mattr_reader :strip_whitespace_keys
   @@strip_whitespace_keys = []
 
+  def self.strip_whitespace_keys=(strip_whitespace_keys)
+    app_set_configs << :strip_whitespace_keys
+    @@strip_whitespace_keys = strip_whitespace_keys
+  end
+
+  def strip_whitespace_keys=(strip_whitespace_keys)
+    app_set_configs << :strip_whitespace_keys
+    @@strip_whitespace_keys = strip_whitespace_keys
+  end
+
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
   @@http_authenticatable = false
@@ -104,9 +121,20 @@ module Devise
   # Email regex used to validate email formats. It simply asserts that
   # an one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  mattr_accessor :email_regexp
+  # TODO: 4.1 Do: @@email_regexp = [/\A[^@\s]+@[^@\s]+\z/]
+  mattr_reader :email_regexp
   @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
 
+  def self.email_regexp=(email_regexp)
+    app_set_configs << :email_regexp
+    @@email_regexp = email_regexp
+  end
+
+  def email_regexp=(email_regexp)
+    app_set_configs << :email_regexp
+    @@email_regexp = email_regexp
+  end
+
   # Range validation for password length
   mattr_accessor :password_length
   @@password_length = 6..128
@@ -115,7 +143,6 @@ module Devise
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
 
-  # TODO: extend_remember_period is no longer used
   # If true, extends the user's remember period when remembered via cookie.
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false
@@ -139,9 +166,20 @@ module Devise
 
   # Defines if email should be reconfirmable.
   # False by default for backwards compatibility.
-  mattr_accessor :reconfirmable
+  # TODO: 4.1 Do: @@reconfirmable = true
+  mattr_reader :reconfirmable
   @@reconfirmable = false
 
+  def self.reconfirmable=(reconfirmable)
+    app_set_configs << :reconfirmable
+    @@reconfirmable = reconfirmable
+  end
+
+  def reconfirmable=(reconfirmable)
+    app_set_configs << :reconfirmable
+    @@reconfirmable = reconfirmable
+  end
+
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
@@ -202,9 +240,20 @@ module Devise
   @@mailer_sender = nil
 
   # Skip session storage for the following strategies
-  mattr_accessor :skip_session_storage
+  # TODO: 4.1 Do: @@skip_session_storage = [:http_auth]
+  mattr_reader :skip_session_storage
   @@skip_session_storage = []
 
+  def self.skip_session_storage=(skip_session_storage)
+    app_set_configs << :skip_session_storage
+    @@skip_session_storage = skip_session_storage
+  end
+
+  def skip_session_storage=(skip_session_storage)
+    app_set_configs << :skip_session_storage
+    @@skip_session_storage = skip_session_storage
+  end
+
   # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
   @@navigational_formats = ["*/*", :html]
@@ -214,9 +263,20 @@ module Devise
   @@sign_out_all_scopes = true
 
   # The default method used while signing out
-  mattr_accessor :sign_out_via
+  # TODO: 4.1 Do: @@sign_out_via = :delete
+  mattr_reader :sign_out_via
   @@sign_out_via = :get
 
+  def self.sign_out_via=(sign_out_via)
+    app_set_configs << :sign_out_via
+    @@sign_out_via = sign_out_via
+  end
+
+  def sign_out_via=(sign_out_via)
+    app_set_configs << :sign_out_via
+    @@sign_out_via = sign_out_via
+  end
+
   # The parent controller all Devise controllers inherits from.
   # Defaults to ApplicationController. This should be set early
   # in the initialization process and should be set to a string.
@@ -280,6 +340,32 @@ module Devise
   # a fresh initializer with all configuration values.
   def self.setup
     yield self
+
+    warn_default_config_changed(:email_regexp, '/\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/', '/\A[^@\s]+@[^@\s]+\z/')
+    warn_default_config_changed(:reconfirmable, 'false', 'true')
+    warn_default_config_changed(:sign_out_via, ':get', ':delete')
+    warn_default_config_changed(:skip_session_storage, '[]', '[:http_auth]')
+    warn_default_config_changed(:strip_whitespace_keys, '[]', '[:email]')
+  end
+
+  def self.warn_default_config_changed(config, current_default, new_default)
+    unless app_set_configs.include?(config)
+      warn = <<-MESSAGE.strip_heredoc
+        [Devise] config.#{config} will have a new default on Devise 4.1
+        To keep the current behavior please set in your config/initializers/devise.rb the following:
+
+          Devise.setup do |config|
+            config.#{config} = #{current_default}
+          end
+
+        If you want to use the new default:
+
+          Devise.setup do |config|
+            config.#{config} = #{new_default}
+          end
+      MESSAGE
+      ActiveSupport::Deprecation.warn(warn)
+    end
   end
 
   class Getter

lib/devise/controllers/helpers.rb

@@ -271,12 +271,6 @@ module Devise
 
       private
 
-      def expire_session_data_after_sign_in!
-        ActiveSupport::Deprecation.warn "expire_session_data_after_sign_in! is deprecated " \
-          "in favor of expire_data_after_sign_in!"
-        expire_data_after_sign_in!
-      end
-
       def expire_data_after_sign_out!
         Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
         super

lib/devise/models/authenticatable.rb

@@ -253,7 +253,7 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = if attributes.respond_to? :permit
+          attributes = if attributes.respond_to? :permit!
             attributes.slice(*required_attributes).permit!.to_h.with_indifferent_access
           else
             attributes.with_indifferent_access.slice(*required_attributes)

lib/devise/models/confirmable.rb

@@ -75,7 +75,7 @@ module Devise
 
           self.confirmed_at = Time.now.utc
 
-          saved = if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if pending_reconfirmation?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -169,6 +169,7 @@ module Devise
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions
+          skip_reconfirmation!
         end
 
         # Callback to overwrite if confirmation is required or not.
@@ -253,13 +254,13 @@ module Devise
         end
 
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && email_was.present? && !@bypass_confirmation_postpone && self.email.present?
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
           @bypass_confirmation_postpone = false
           postpone
         end
 
         def reconfirmation_required?
-          self.class.reconfirmable && @reconfirmation_required && self.email.present?
+          self.class.reconfirmable && @reconfirmation_required && (self.email.present? || self.unconfirmed_email.present?)
         end
 
         def send_confirmation_notification?

lib/devise/models/database_authenticatable.rb

@@ -41,7 +41,6 @@ module Devise
       # For legacy reasons, we use `encrypted_password` to store
       # the hashed password.
       def password=(new_password)
-        attribute_will_change! 'password'
         @password = new_password
         self.encrypted_password = password_digest(@password) if @password.present?
       end

lib/devise/models/lockable.rb

@@ -155,6 +155,9 @@ module Devise
         end
 
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
+
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -181,7 +184,8 @@ module Devise
 
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
 
         # Is the lock enabled for the given lock strategy?

lib/devise/models/rememberable.rb

@@ -39,15 +39,13 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
 
       def self.required_fields(klass)
         [:remember_created_at]
       end
 
-      # TODO: We were used to receive a extend period argument but we no longer do.
-      # Remove this for Devise 4.0.
-      def remember_me!(*)
+      def remember_me!
         self.remember_token = self.class.remember_token if respond_to?(:remember_token)
         self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
@@ -66,6 +64,10 @@ module Devise
         self.class.remember_for.from_now
       end
 
+      def extend_remember_period
+        self.class.extend_remember_period
+      end
+
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
@@ -147,9 +149,6 @@ module Devise
           end
         end
 
-        private
-
-        # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end

lib/devise/parameter_sanitizer.rb

@@ -169,7 +169,7 @@ module Devise
         If you want to define a new set of parameters to be sanitized use the
         `permit` method first:
 
-          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, param2, param3])
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
       MESSAGE
     end
 

lib/devise/strategies/rememberable.rb

@@ -25,8 +25,7 @@ module Devise
         end
 
         if validate(resource)
-          remember_me(resource)
-          extend_remember_me_period(resource)
+          remember_me(resource) if extend_remember_me?(resource)
           resource.after_remembered
           success!(resource)
         end
@@ -43,10 +42,8 @@ module Devise
 
     private
 
-      def extend_remember_me_period(resource)
-        if resource.respond_to?(:extend_remember_period=)
-          resource.extend_remember_period = mapping.to.extend_remember_period
-        end
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
       end
 
       def remember_me?

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.0.0.rc2".freeze
+  VERSION = "4.0.2".freeze
 end

lib/generators/devise/orm_helpers.rb

@@ -15,7 +15,7 @@ CONTENT
       private
 
       def model_exists?
-        File.exists?(File.join(destination_root, model_path))
+        File.exist?(File.join(destination_root, model_path))
       end
 
       def migration_exists?(table_name)

lib/generators/templates/devise.rb

@@ -148,12 +148,12 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..72
+  config.password_length = 6..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@]+@[^@]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/devise_test.rb

@@ -35,6 +35,33 @@ class DeviseTest < ActiveSupport::TestCase
     end
   end
 
+  test 'setup block warns about defaults changing' do
+    Devise.app_set_configs = Set.new
+
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /email_regexp/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /reconfirmable/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /sign_out_via/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /skip_session_storage/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /strip_whitespace_keys/ }
+
+    Devise.setup do
+    end
+  end
+
+  test 'setup block doest not warns when the change is explicit set' do
+    ActiveSupport::Deprecation.expects(:warn).never
+
+    swap Devise,
+        email_regexp: /@/,
+        reconfirmable: false,
+        sign_out_via: :get,
+        skip_session_storage: [],
+        strip_whitespace_keys: [] do
+        Devise.setup do
+        end
+    end
+  end
+
   test 'stores warden configuration' do
     assert_kind_of Devise::Delegator, Devise.warden_config.failure_app
     assert_equal :user, Devise.warden_config.default_scope

test/integration/rememberable_test.rb

@@ -94,7 +94,6 @@ class RememberMeTest < Devise::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -120,6 +119,40 @@ class RememberMeTest < Devise::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      user = create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path

test/models/confirmable_test.rb

@@ -114,7 +114,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      assert !user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -401,6 +401,14 @@ class ReconfirmableTest < ActiveSupport::TestCase
     assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
   end
 
+  test 'should send confirmation instructions by email after changing email from nil' do
+    admin = create_admin(email: nil)
+    assert_email_sent "new_test@example.com" do
+      assert admin.update_attributes(email: 'new_test@example.com')
+    end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
+  end
+
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
     assert admin.confirm
@@ -488,8 +496,8 @@ class ReconfirmableTest < ActiveSupport::TestCase
   end
 
   test 'should not require reconfirmation after creating a record' do
-    user = create_admin
-    assert !user.pending_reconfirmation?
+    admin = create_admin
+    assert !admin.pending_reconfirmation?
   end
 
   test 'should not require reconfirmation after creating a record with #save called in callback' do
@@ -497,7 +505,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
       after_create :save
     end
 
-    user = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
-    assert !user.pending_reconfirmation?
+    admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
+    assert !admin.pending_reconfirmation?
   end
 end

test/models/lockable_test.rb

@@ -325,4 +325,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end

test/rails_app/app/active_record/user.rb

@@ -1,6 +1,4 @@
 require 'shared_user'
-require 'active_model/serializers/xml' if Devise.rails5?
-require 'active_model-serializers' if Devise.rails5?
 
 class User < ActiveRecord::Base
   include Shim

test/rails_app/config/boot.rb

@@ -11,4 +11,4 @@ end
 
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

test/support/mongoid.yml

@@ -1,5 +1,5 @@
 test:
-  sessions:
+  <%= Mongoid::VERSION.to_i > 4 ? 'clients' : 'sessions' %>:
     default:
       database: devise-test-suite
       hosts: