Release 4.1.0

* Only set for active record orm.
* Only set for Rails versions that supports the config.

CHANGELOG.md

@@ -1,4 +1,44 @@
-### Unreleased
+### 4.1.0
+
+* bug fixes
+  * Fix race condition of sending the confirmation instructions e-mail using background jobs.
+    Using the previous `after_create` callback, the e-mail can be sent before
+    the record be committed on database, generating a `ActiveRecord::NotFound` error.
+    Now the confirmation e-mail will be only sent after the database commit,
+    using the `after_commit` callback.
+    It may break your test suite on Rails 4 if you are testing the sent e-mails
+    or enqueued jobs using transactional fixtures enabled or `DatabaseCleaner` with `transaction` strategy.
+    You can easily fix your test suite using the gem
+    [test_after_commit](https://github.com/grosser/test_after_commit). For example, put in your Gemfile:
+
+    ```ruby
+      gem 'test_after_commit', :group => :test
+    ```
+
+    On Rails 5 `after_commit` callbacks are triggered even using transactional
+    fixtures, then this fix will not break your test suite. If you are using `DatabaseCleaner` with the `deletion` or `truncation` strategies it may not break your tests. (by @allenwq)
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none` and
+  `:undefined` strategies. (by @f3ndot)
+* features
+  * Humanize authentication keys in failure flash message (by @byzg)
+    When you are configuring the translations of `devise.failure.invalid`, the
+    `authentication_keys` is translated now.
+* deprecations
+  * Remove code supporting old session serialization format (by @fphilipe).
+  * Now the `email_regexp` default uses a more permissive regex:
+    `/\A[^@\s]+@[^@\s]+\z/` (by @kimgb)
+  * Now the `strip_whitespace_keys` default is `[:email]` (by @ulissesalmeida)
+  * Now the `reconfirmable` default is `true` (by @ulissesalmeida)
+  * Now the `skip_session_storage` default is `[:http_auth]` (by @ulissesalmeida)
+  * Now the `sign_out_via` default is `:delete` (by @ulissesalmeida)
+* improvements
+  * Avoids extra computation of friendly token for confirmation token (by @sbc100)
+
+### 4.0.2 - 2016-05-02
+
+* bug fixes
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
+    and `:undefined` strategies. (by @f3ndot)
 
 ### 4.0.1 - 2016-04-25
 

Gemfile

@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (4.0.1)
+    devise (4.1.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -134,7 +134,7 @@ GEM
     rake (11.0.1)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.2)
+    responders (2.2.0)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.5.2)
@@ -145,6 +145,8 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -173,6 +175,7 @@ DEPENDENCIES
   rails (~> 4.2.6)
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH

gemfiles/Gemfile.rails-4.1-stable

@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -48,7 +48,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.0.0.rc2)
+    devise (4.0.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -133,6 +133,8 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -161,6 +163,7 @@ DEPENDENCIES
   rails!
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH

gemfiles/Gemfile.rails-4.2-stable

@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -58,7 +58,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.0.0.rc2)
+    devise (4.0.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -144,7 +144,7 @@ GEM
     rake (11.0.1)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.1.2)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.5.2)
@@ -155,6 +155,8 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -183,6 +185,7 @@ DEPENDENCIES
   rails!
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH

lib/devise.rb

@@ -53,12 +53,6 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
-  # Track the configs that user explicit changed the default value. It is
-  # helpfull to not warn users about default values changing when they willing
-  # changed.
-  mattr_accessor :app_set_configs
-  @@app_set_configs = Set.new
-
   # Secret key used by the key generator
   mattr_accessor :secret_key
   @@secret_key = nil
@@ -88,19 +82,8 @@ module Devise
   @@case_insensitive_keys = [:email]
 
   # Keys that should have whitespace stripped.
-  # TODO: 4.1 Do: @@strip_whitespace_keys = [:email]
-  mattr_reader :strip_whitespace_keys
-  @@strip_whitespace_keys = []
-
-  def self.strip_whitespace_keys=(strip_whitespace_keys)
-    app_set_configs << :strip_whitespace_keys
-    @@strip_whitespace_keys = strip_whitespace_keys
-  end
-
-  def strip_whitespace_keys=(strip_whitespace_keys)
-    app_set_configs << :strip_whitespace_keys
-    @@strip_whitespace_keys = strip_whitespace_keys
-  end
+  mattr_accessor :strip_whitespace_keys
+  @@strip_whitespace_keys = [:email]
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -118,22 +101,11 @@ module Devise
   mattr_accessor :http_authentication_realm
   @@http_authentication_realm = "Application"
 
-  # Email regex used to validate email formats. It simply asserts that
-  # an one (and only one) @ exists in the given string. This is mainly
-  # to give user feedback and not to assert the e-mail validity.
-  # TODO: 4.1 Do: @@email_regexp = [/\A[^@\s]+@[^@\s]+\z/]
-  mattr_reader :email_regexp
-  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
-
-  def self.email_regexp=(email_regexp)
-    app_set_configs << :email_regexp
-    @@email_regexp = email_regexp
-  end
-
-  def email_regexp=(email_regexp)
-    app_set_configs << :email_regexp
-    @@email_regexp = email_regexp
-  end
+  # Email regex used to validate email formats. It asserts that there are no
+  # @ symbols or whitespaces in either the localpart or the domain, and that
+  # there is a single @ symbol separating the localpart and the domain.
+  mattr_accessor :email_regexp
+  @@email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -165,20 +137,8 @@ module Devise
   @@confirmation_keys = [:email]
 
   # Defines if email should be reconfirmable.
-  # False by default for backwards compatibility.
-  # TODO: 4.1 Do: @@reconfirmable = true
-  mattr_reader :reconfirmable
-  @@reconfirmable = false
-
-  def self.reconfirmable=(reconfirmable)
-    app_set_configs << :reconfirmable
-    @@reconfirmable = reconfirmable
-  end
-
-  def reconfirmable=(reconfirmable)
-    app_set_configs << :reconfirmable
-    @@reconfirmable = reconfirmable
-  end
+  mattr_accessor :reconfirmable
+  @@reconfirmable = true
 
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
@@ -240,19 +200,8 @@ module Devise
   @@mailer_sender = nil
 
   # Skip session storage for the following strategies
-  # TODO: 4.1 Do: @@skip_session_storage = [:http_auth]
-  mattr_reader :skip_session_storage
-  @@skip_session_storage = []
-
-  def self.skip_session_storage=(skip_session_storage)
-    app_set_configs << :skip_session_storage
-    @@skip_session_storage = skip_session_storage
-  end
-
-  def skip_session_storage=(skip_session_storage)
-    app_set_configs << :skip_session_storage
-    @@skip_session_storage = skip_session_storage
-  end
+  mattr_accessor :skip_session_storage
+  @@skip_session_storage = [:http_auth]
 
   # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
@@ -263,19 +212,8 @@ module Devise
   @@sign_out_all_scopes = true
 
   # The default method used while signing out
-  # TODO: 4.1 Do: @@sign_out_via = :delete
-  mattr_reader :sign_out_via
-  @@sign_out_via = :get
-
-  def self.sign_out_via=(sign_out_via)
-    app_set_configs << :sign_out_via
-    @@sign_out_via = sign_out_via
-  end
-
-  def sign_out_via=(sign_out_via)
-    app_set_configs << :sign_out_via
-    @@sign_out_via = sign_out_via
-  end
+  mattr_accessor :sign_out_via
+  @@sign_out_via = :delete
 
   # The parent controller all Devise controllers inherits from.
   # Defaults to ApplicationController. This should be set early
@@ -340,32 +278,6 @@ module Devise
   # a fresh initializer with all configuration values.
   def self.setup
     yield self
-
-    warn_default_config_changed(:email_regexp, '/\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/', '/\A[^@\s]+@[^@\s]+\z/')
-    warn_default_config_changed(:reconfirmable, 'false', 'true')
-    warn_default_config_changed(:sign_out_via, ':get', ':delete')
-    warn_default_config_changed(:skip_session_storage, '[]', '[:http_auth]')
-    warn_default_config_changed(:strip_whitespace_keys, '[]', '[:email]')
-  end
-
-  def self.warn_default_config_changed(config, current_default, new_default)
-    unless app_set_configs.include?(config)
-      warn = <<-MESSAGE.strip_heredoc
-        [Devise] config.#{config} will have a new default on Devise 4.1
-        To keep the current behavior please set in your config/initializers/devise.rb the following:
-
-          Devise.setup do |config|
-            config.#{config} = #{current_default}
-          end
-
-        If you want to use the new default:
-
-          Devise.setup do |config|
-            config.#{config} = #{new_default}
-          end
-      MESSAGE
-      ActiveSupport::Deprecation.warn(warn)
-    end
   end
 
   class Getter
@@ -543,10 +455,7 @@ module Devise
           mapping.to.serialize_into_session(record)
         end
 
-        warden_config.serialize_from_session(mapping.name) do |key|
-          # Previous versions contained an additional entry at the beginning of
-          # key with the record's class name.
-          args = key[-2, 2]
+        warden_config.serialize_from_session(mapping.name) do |args|
           mapping.to.serialize_from_session(*args)
         end
       end

lib/devise/failure_app.rb

@@ -103,7 +103,7 @@ module Devise
         options[:scope] = "devise.failure"
         options[:default] = [message]
         auth_keys = scope_class.authentication_keys
-        keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 

lib/devise/models/confirmable.rb

@@ -43,9 +43,15 @@ module Devise
 
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
-        after_create  :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+        after_create :skip_reconfirmation!, if: :send_confirmation_notification?
+        if respond_to?(:after_commit) # ActiveRecord
+          after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
+          after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
+        else # Mongoid
+          after_create :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+          after_update :send_reconfirmation_instructions, if: :reconfirmation_required?
+        end
         before_update :postpone_email_change_until_confirmation_and_regenerate_confirmation_token, if: :postpone_email_change?
-        after_update  :send_reconfirmation_instructions,  if: :reconfirmation_required?
       end
 
       def initialize(*args, &block)
@@ -169,7 +175,6 @@ module Devise
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions
-          skip_reconfirmation!
         end
 
         # Callback to overwrite if confirmation is required or not.
@@ -235,8 +240,7 @@ module Devise
           if self.confirmation_token && !confirmation_period_expired?
             @raw_confirmation_token = self.confirmation_token
           else
-            raw, _ = Devise.token_generator.generate(self.class, :confirmation_token)
-            self.confirmation_token = @raw_confirmation_token = raw
+            self.confirmation_token = @raw_confirmation_token = Devise.friendly_token
             self.confirmation_sent_at = Time.now.utc
           end
         end

lib/devise/models/lockable.rb

@@ -64,7 +64,7 @@ module Devise
       def send_unlock_instructions
         raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
         self.unlock_token = enc
-        self.save(validate: false)
+        save(validate: false)
         send_devise_notification(:unlock_instructions, raw, {})
         raw
       end
@@ -155,6 +155,9 @@ module Devise
         end
 
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
+
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -181,7 +184,8 @@ module Devise
 
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
 
         # Is the lock enabled for the given lock strategy?

lib/devise/models/recoverable.rb

@@ -99,7 +99,7 @@ module Devise
 
           self.reset_password_token   = enc
           self.reset_password_sent_at = Time.now.utc
-          self.save(validate: false)
+          save(validate: false)
           raw
         end
 

lib/devise/omniauth/url_helpers.rb

@@ -9,7 +9,7 @@ module Devise
         class_eval do
           define_method("#{mapping}_omniauth_authorize_path") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_authorize_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_authorize_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_authorize_path instead.
             DEPRECATION
@@ -18,7 +18,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_authorize_url") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_authorize_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_authorize_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_authorize_url instead.
             DEPRECATION
@@ -27,7 +27,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_callback_path") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_callback_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_callback_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_callback_path instead.
             DEPRECATION
@@ -36,7 +36,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_callback_url") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_callback_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_callback_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_callback_url instead.
             DEPRECATION

lib/devise/parameter_sanitizer.rb

@@ -68,7 +68,7 @@ module Devise
     def sanitize(action)
       permissions = @permitted[action]
 
-      # DEPRECATED: Remove this branch on Devise 4.1.
+      # DEPRECATED: Remove this branch on Devise 4.2.
       if respond_to?(action, true)
         deprecate_instance_method_sanitization(action)
         return cast_to_hash send(action)
@@ -127,7 +127,7 @@ module Devise
       end
     end
 
-    # DEPRECATED: Remove this method on Devise 4.1.
+    # DEPRECATED: Remove this method on Devise 4.2.
     def for(action, &block) # :nodoc:
       if block_given?
         deprecate_for_with_block(action)
@@ -175,7 +175,7 @@ module Devise
 
     def deprecate_for_with_block(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method:
 
           devise_parameter_sanitizer.permit(:#{action}) do |user|
@@ -186,7 +186,7 @@ module Devise
 
     def deprecate_for_without_block(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method to add or remove any key:
 
           To add any new key, use the `keys` keyword argument:
@@ -199,7 +199,7 @@ module Devise
 
     def deprecate_instance_method_sanitization(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Parameter sanitization through a "#{self.class.name}##{action}" method is deprecated and it will be removed from Devise 4.1.
+        [Devise] Parameter sanitization through a "#{self.class.name}##{action}" method is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method on your sanitizer `initialize` method.
 
           class #{self.class.name} < Devise::ParameterSanitizer

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.0.1".freeze
+  VERSION = "4.1.0".freeze
 end

lib/generators/templates/devise.rb

@@ -153,7 +153,7 @@ Devise.setup do |config|
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/controllers/sessions_controller_test.rb

@@ -6,7 +6,7 @@ class SessionsControllerTest < Devise::ControllerTestCase
 
   test "#create doesn't raise unpermitted params when sign in fails" do
     begin
-      subscriber = ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
+      subscriber = ActiveSupport::Notifications.subscribe %r{unpermitted_parameters} do |name, start, finish, id, payload|
         flunk "Unpermitted params: #{payload}"
       end
       request.env["devise.mapping"] = Devise.mappings[:user]

test/devise_test.rb

@@ -35,33 +35,6 @@ class DeviseTest < ActiveSupport::TestCase
     end
   end
 
-  test 'setup block warns about defaults changing' do
-    Devise.app_set_configs = Set.new
-
-    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /email_regexp/ }
-    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /reconfirmable/ }
-    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /sign_out_via/ }
-    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /skip_session_storage/ }
-    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /strip_whitespace_keys/ }
-
-    Devise.setup do
-    end
-  end
-
-  test 'setup block doest not warns when the change is explicit set' do
-    ActiveSupport::Deprecation.expects(:warn).never
-
-    swap Devise,
-        email_regexp: /@/,
-        reconfirmable: false,
-        sign_out_via: :get,
-        skip_session_storage: [],
-        strip_whitespace_keys: [] do
-        Devise.setup do
-        end
-    end
-  end
-
   test 'stores warden configuration' do
     assert_kind_of Devise::Delegator, Devise.warden_config.failure_app
     assert_equal :user, Devise.warden_config.default_scope
@@ -121,8 +94,8 @@ class DeviseTest < ActiveSupport::TestCase
   end
 
   test 'Devise.email_regexp should match valid email addresses' do
-    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua"]
-    non_valid_emails = ["rex", "test@go,com", "test user@example.com", "test_user@example server.com", "test_user@example.com."]
+    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua", "test@tt", "test@valid---domain.com"]
+    non_valid_emails = ["rex", "test user@example.com", "test_user@example server.com"]
 
     valid_emails.each do |email|
       assert_match Devise.email_regexp, email

test/failure_app_test.rb

@@ -133,14 +133,14 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(message: :invalid))
-      assert_equal 'Invalid email or password.', @request.flash[:alert]
+      assert_equal 'Invalid Email or password.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
     test 'supports authentication_keys as a Hash for the flash message' do
       swap Devise, authentication_keys: { email: true, login: true } do
         call_failure('warden' => OpenStruct.new(message: :invalid))
-        assert_equal 'Invalid email, login or password.', @request.flash[:alert]
+        assert_equal 'Invalid Email, Login or password.', @request.flash[:alert]
       end
     end
 
@@ -226,7 +226,7 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the failure message as response body' do
       call_failure('formats' => Mime[:xml], 'warden' => OpenStruct.new(message: :invalid))
-      assert_match '<error>Invalid email or password.</error>', @response.third.body
+      assert_match '<error>Invalid Email or password.</error>', @response.third.body
     end
 
     context 'on ajax call' do
@@ -275,7 +275,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Log in</h2>')
-      assert @response.third.body.include?('Invalid email or password.')
+      assert @response.third.body.include?('Invalid Email or password.')
     end
 
     test 'calls the original controller if not confirmed email' do
@@ -310,7 +310,7 @@ class FailureTest < ActiveSupport::TestCase
           }
           call_failure(env)
           assert @response.third.body.include?('<h2>Log in</h2>')
-          assert @response.third.body.include?('Invalid email or password.')
+          assert @response.third.body.include?('Invalid Email or password.')
           assert_equal @request.env["SCRIPT_NAME"], '/sample'
           assert_equal @request.env["PATH_INFO"], '/users/sign_in'
         end

test/generators/active_record_generator_test.rb

@@ -74,7 +74,7 @@ if DEVISE_ORM == :active_record
 
         assert_file "app/models/rails_engine/monster.rb", /devise/
         assert_file "app/models/rails_engine/monster.rb" do |content|
-          assert_no_match /attr_accessible :email/, content
+          assert_no_match %r{attr_accessible :email}, content
         end
       end
     end

test/integration/authenticatable_test.rb

@@ -30,7 +30,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
     swap Devise, sign_out_all_scopes: false do
       sign_in_as_user
       sign_in_as_admin
-      get destroy_user_session_path
+      delete destroy_user_session_path
       assert_not warden.authenticated?(:user)
       assert warden.authenticated?(:admin)
     end
@@ -41,7 +41,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_admin_session_path
+      delete destroy_admin_session_path
       assert_not warden.authenticated?(:admin)
       assert warden.authenticated?(:user)
     end
@@ -52,7 +52,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_user_session_path
+      delete destroy_user_session_path
       assert_not warden.authenticated?(:user)
       assert_not warden.authenticated?(:admin)
     end
@@ -63,7 +63,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_admin_session_path
+      delete destroy_admin_session_path
       assert_not warden.authenticated?(:admin)
       assert_not warden.authenticated?(:user)
     end
@@ -109,7 +109,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
     sign_in_as_admin
     assert warden.authenticated?(:admin)
 
-    get destroy_admin_session_path
+    delete destroy_admin_session_path
     assert_response :redirect
     assert_redirected_to root_path
 
@@ -119,7 +119,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
   end
 
   test 'unauthenticated admin set message on sign out' do
-    get destroy_admin_session_path
+    delete destroy_admin_session_path
     assert_response :redirect
     assert_redirected_to root_path
 
@@ -347,37 +347,6 @@ class AuthenticationSessionTest < Devise::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
-  test 'does not explode when class name is still stored in session' do
-    # In order to test that old sessions do not break with the new scoped
-    # deserialization, we need to serialize the session the old way. This is
-    # done by removing the newly used scoped serialization method
-    # (#user_serialize) and bringing back the old uncsoped #serialize method
-    # that includes the record's class name in the serialization.
-    begin
-      Warden::SessionSerializer.class_eval do
-        alias_method :original_serialize, :serialize
-        alias_method :original_user_serialize, :user_serialize
-        remove_method :user_serialize
-
-        def serialize(record)
-          klass = record.class
-          array = klass.serialize_into_session(record)
-          array.unshift(klass.name)
-        end
-      end
-
-      sign_in_as_user
-      assert warden.authenticated?(:user)
-    ensure
-      Warden::SessionSerializer.class_eval do
-        alias_method :serialize, :original_serialize
-        remove_method :original_serialize
-        alias_method :user_serialize, :original_user_serialize
-        remove_method :original_user_serialize
-      end
-    end
-  end
-
   test 'session id is changed on sign in' do
     get '/users'
     session_id = request.session["session_id"]
@@ -396,7 +365,7 @@ class AuthenticationWithScopedViewsTest < Devise::IntegrationTest
       assert_raise Webrat::NotFoundError do
         sign_in_as_user
       end
-      assert_match /Special user view/, response.body
+      assert_match %r{Special user view}, response.body
     end
   end
 
@@ -407,7 +376,7 @@ class AuthenticationWithScopedViewsTest < Devise::IntegrationTest
         sign_in_as_user
       end
 
-      assert_match /Special user view/, response.body
+      assert_match %r{Special user view}, response.body
       assert !Devise::PasswordsController.scoped_views?
     ensure
       Devise::SessionsController.send :remove_instance_variable, :@scoped_views
@@ -480,7 +449,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'sign in stub in xml format' do
     get new_user_session_path(format: 'xml')
     assert_match '<?xml version="1.0" encoding="UTF-8"?>', response.body
-    assert_match /<user>.*<\/user>/m, response.body
+    assert_match %r{<user>.*</user>}m, response.body
     assert_match '<email></email>', response.body
     assert_match '<password nil="true"', response.body
   end
@@ -532,34 +501,34 @@ class AuthenticationOthersTest < Devise::IntegrationTest
 
   test 'sign out with html redirects' do
     sign_in_as_user
-    get destroy_user_session_path
+    delete destroy_user_session_path
     assert_response :redirect
     assert_current_url '/'
 
     sign_in_as_user
-    get destroy_user_session_path(format: 'html')
+    delete destroy_user_session_path(format: 'html')
     assert_response :redirect
     assert_current_url '/'
   end
 
   test 'sign out with xml format returns no content' do
     sign_in_as_user
-    get destroy_user_session_path(format: 'xml')
+    delete destroy_user_session_path(format: 'xml')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with json format returns no content' do
     sign_in_as_user
-    get destroy_user_session_path(format: 'json')
+    delete destroy_user_session_path(format: 'json')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with non-navigational format via XHR does not redirect' do
     swap Devise, navigational_formats: ['*/*', :html] do
-      sign_in_as_user
-      get destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
+      sign_in_as_admin
+      get destroy_sign_out_via_get_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
       assert_response :no_content
       assert_not warden.authenticated?(:user)
     end
@@ -569,7 +538,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'sign out with navigational format via XHR does redirect' do
     swap Devise, navigational_formats: ['*/*', :html] do
       sign_in_as_user
-      get destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "text/html,*/*" }
+      delete destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "text/html,*/*" }
       assert_response :redirect
       assert_not warden.authenticated?(:user)
     end
@@ -580,7 +549,7 @@ class AuthenticationKeysTest < Devise::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, authentication_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid subdomain or password."
+      assert_contain "Invalid Subdomain or password."
       assert_not warden.authenticated?(:user)
     end
   end
@@ -619,7 +588,7 @@ class AuthenticationRequestKeysTest < Devise::IntegrationTest
 
     swap Devise, request_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid email or password."
+      assert_contain "Invalid Email or password."
       assert_not warden.authenticated?(:user)
     end
   end

test/integration/confirmable_test.rb

@@ -35,7 +35,7 @@ class ConfirmationTest < Devise::IntegrationTest
   test 'user with invalid confirmation token should not be able to confirm an account' do
     visit_user_confirmation_with_token('invalid_confirmation')
     assert_have_selector '#error_explanation'
-    assert_contain /Confirmation token(.*)invalid/
+    assert_contain %r{Confirmation token(.*)invalid}
   end
 
   test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
@@ -45,7 +45,7 @@ class ConfirmationTest < Devise::IntegrationTest
       visit_user_confirmation_with_token(user.raw_confirmation_token)
 
       assert_have_selector '#error_explanation'
-      assert_contain /needs to be confirmed within 3 days/
+      assert_contain %r{needs to be confirmed within 3 days}
       assert_not user.reload.confirmed?
       assert_current_url "/users/confirmation?confirmation_token=#{user.raw_confirmation_token}"
     end
@@ -140,7 +140,7 @@ class ConfirmationTest < Devise::IntegrationTest
         fill_in 'password', with: 'invalid'
       end
 
-      assert_contain 'Invalid email or password'
+      assert_contain 'Invalid Email or password'
       assert_not warden.authenticated?(:user)
     end
   end

test/integration/database_authenticatable_test.rb

@@ -68,7 +68,7 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
       fill_in 'password', with: 'abcdef'
     end
 
-    assert_contain 'Invalid email or password'
+    assert_contain 'Invalid Email or password'
     assert_not warden.authenticated?(:admin)
   end
 

test/integration/http_authenticatable_test.rb

@@ -11,13 +11,15 @@ class HttpAuthenticationTest < Devise::IntegrationTest
   end
 
   test 'sign in should authenticate with http' do
-    sign_in_as_new_user_with_http
-    assert_response 200
-    assert_match '<email>user@test.com</email>', response.body
-    assert warden.authenticated?(:user)
+    swap Devise, skip_session_storage: [] do
+      sign_in_as_new_user_with_http
+      assert_response 200
+      assert_match '<email>user@test.com</email>', response.body
+      assert warden.authenticated?(:user)
 
-    get users_path(format: :xml)
-    assert_response 200
+      get users_path(format: :xml)
+      assert_response 200
+    end
   end
 
   test 'sign in should authenticate with http but not emit a cookie if skipping session storage' do
@@ -42,7 +44,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
     sign_in_as_new_user_with_http("unknown")
     assert_equal 401, status
     assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
-    assert_match "<error>Invalid email or password.</error>", response.body
+    assert_match "<error>Invalid Email or password.</error>", response.body
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

test/integration/lockable_test.rb

@@ -75,7 +75,7 @@ class LockTest < Devise::IntegrationTest
     assert_response :success
     assert_current_url '/users/unlock?unlock_token=invalid_token'
     assert_have_selector '#error_explanation'
-    assert_contain /Unlock token(.*)invalid/
+    assert_contain %r{Unlock token(.*)invalid}
   end
 
   test "locked user should be able to unlock account" do

test/integration/recoverable_test.rb

@@ -146,7 +146,7 @@ class PasswordTest < Devise::IntegrationTest
     assert_response :success
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
-    assert_contain /Reset password token(.*)invalid/
+    assert_contain %r{Reset password token(.*)invalid}
     assert_not user.reload.valid_password?('987654321')
   end
 
@@ -212,7 +212,7 @@ class PasswordTest < Devise::IntegrationTest
   test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
     [:none, :time].each do |strategy|
       swap Devise, unlock_strategy: strategy do
-        user = create_user(locked: true)
+        create_user(locked: true)
         request_forgot_password
         reset_password
 

test/integration/rememberable_test.rb

@@ -121,7 +121,7 @@ class RememberMeTest < Devise::IntegrationTest
 
   test 'extends remember period when extend remember period config is true' do
     swap Devise, extend_remember_period: true, remember_for: 1.year do
-      user = create_user_and_remember
+      create_user_and_remember
       old_remember_token = nil
 
       travel_to 1.day.ago do
@@ -138,7 +138,7 @@ class RememberMeTest < Devise::IntegrationTest
 
   test 'does not extend remember period when extend period config is false' do
     swap Devise, extend_remember_period: false, remember_for: 1.year do
-      user = create_user_and_remember
+      create_user_and_remember
       old_remember_token = nil
 
       travel_to 1.day.ago do
@@ -182,7 +182,7 @@ class RememberMeTest < Devise::IntegrationTest
     get users_path
     assert warden.authenticated?(:user)
 
-    get destroy_user_session_path
+    delete destroy_user_session_path
     assert_not warden.authenticated?(:user)
     assert_nil warden.cookies['remember_user_token']
 

test/integration/timeoutable_test.rb

@@ -89,7 +89,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
     user = sign_in_as_user
     get expire_user_path(user)
 
-    get destroy_user_session_path
+    delete destroy_user_session_path
 
     assert_response :redirect
     assert_redirected_to root_path

test/integration/trackable_test.rb

@@ -16,7 +16,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     assert_equal user.current_sign_in_at, user.last_sign_in_at
     assert user.current_sign_in_at >= user.created_at
 
-    visit destroy_user_session_path
+    delete destroy_user_session_path
     new_time = 2.seconds.from_now
     Time.stubs(:now).returns(new_time)
 
@@ -56,7 +56,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     user.reload
     assert_equal 1, user.sign_in_count
 
-    visit destroy_user_session_path
+    delete destroy_user_session_path
     sign_in_as_user
     user.reload
     assert_equal 2, user.sign_in_count
@@ -80,7 +80,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     end
     user.reload
     assert_equal 0, user.sign_in_count
-    visit destroy_user_session_path
+    delete destroy_user_session_path
 
     sign_in_as_user do
       header 'devise.skip_trackable', false

test/mapping_test.rb

@@ -35,8 +35,8 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal [], Devise.mappings[:skip_admin].used_routes
   end
 
-  test 'sign_out_via defaults to :get' do
-    assert_equal :get, Devise.mappings[:user].sign_out_via
+  test 'sign_out_via defaults to :delete' do
+    assert_equal :delete, Devise.mappings[:user].sign_out_via
   end
 
   test 'allows custom sign_out_via to be given' do

test/models/lockable_test.rb

@@ -325,4 +325,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end

test/models/validatable_test.rb

@@ -29,7 +29,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert user.invalid?
     assert_not_equal 'is invalid', user.errors[:email].join
 
-    %w{invalid_email_format 123 $$$ () ☃ bla@bla.}.each do |email|
+    %w{invalid_email_format 123 $$$ () ☃}.each do |email|
       user.email = email
       assert user.invalid?, 'should be invalid with email ' << email
       assert_equal 'is invalid', user.errors[:email].join

test/orm/active_record.rb

@@ -5,9 +5,11 @@ ActiveRecord::Base.include_root_in_json = true
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 
 class ActiveSupport::TestCase
-  if Rails.version >= '5.0.0'
+  if Devise.rails5?
     self.use_transactional_tests = true
   else
+    # Let `after_commit` work with transactional fixtures, however this is not needed for Rails 5.
+    require 'test_after_commit'
     self.use_transactional_fixtures = true
   end
 

test/rails_app/app/controllers/application_controller.rb

@@ -5,8 +5,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
   before_action :current_user, unless: :devise_controller?
   before_action :authenticate_user!, if: :devise_controller?
-  respond_to *Mime::SET.map(&:to_sym)
+  respond_to(*Mime::SET.map(&:to_sym))
 
   devise_group :commenter, contains: [:user, :admin]
 end
-

test/rails_app/config/application.rb

@@ -32,6 +32,10 @@ module RailsApp
 
     config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
 
+    if DEVISE_ORM == :active_record && (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR >= 2)
+      config.active_record.raise_in_transactional_callbacks = true
+    end
+
     # This was used to break devise in some situations
     config.to_prepare do
       Devise::SessionsController.layout "application"

test/rails_app/config/routes.rb

@@ -114,6 +114,7 @@ Rails.application.routes.draw do
   namespace :sign_out_via, module: "devise" do
     devise_for :deletes, sign_out_via: :delete, class_name: "Admin"
     devise_for :posts, sign_out_via: :post, class_name: "Admin"
+    devise_for :gets, sign_out_via: :get, class_name: "Admin"
     devise_for :delete_or_posts, sign_out_via: [:delete, :post], class_name: "Admin"
   end
 

test/rails_app/lib/shared_user.rb

@@ -4,7 +4,8 @@ module SharedUser
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
            :registerable, :rememberable, :timeoutable,
-           :trackable, :validatable, :omniauthable, password_length: 7..72
+           :trackable, :validatable, :omniauthable, password_length: 7..72,
+           reconfirmable: false
 
     attr_accessor :other_key
 

test/rails_app/lib/shared_user_without_omniauth.rb

@@ -4,7 +4,7 @@ module SharedUserWithoutOmniauth
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
       :registerable, :rememberable, :timeoutable,
-      :trackable, :validatable
+      :trackable, :validatable, reconfirmable: false
   end
 
   def raw_confirmation_token

test/routes_test.rb

@@ -14,7 +14,7 @@ class DefaultRoutingTest < ActionController::TestCase
   end
 
   test 'map destroy user session' do
-    assert_recognizes({controller: 'devise/sessions', action: 'destroy'}, {path: 'users/sign_out', method: :get})
+    assert_recognizes({controller: 'devise/sessions', action: 'destroy'}, {path: 'users/sign_out', method: :delete})
     assert_named_route "/users/sign_out", :destroy_user_session_path
   end
 
@@ -146,7 +146,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map account with custom path name for session sign out' do
-    assert_recognizes({controller: 'devise/sessions', action: 'destroy', locale: 'en'}, '/en/accounts/logout')
+    assert_recognizes({controller: 'devise/sessions', action: 'destroy', locale: 'en'}, {path: '/en/accounts/logout', method: :delete })
   end
 
   test 'map account with custom path name for password' do