Prepare for 4.4.3 release

When supporting Rails 5.2 credentials on
https://github.com/plataformatec/devise/pull/4712, we ended up breaking
apps that were upgraded to Rails 5.2 and weren't using `credentials`
to store their `secret_key_base`. See
https://github.com/plataformatec/devise/issues/4807 for more context.
To fix it, we're now checking whether the key is present before using it.
Since there weren't any automated test for this - the conditionals were
in a Rails engine initializer - I've extracted it to a new class so that
we are able to test it easily.

Fixes #4807

.travis.yml

@@ -10,6 +10,7 @@ rvm:
 
 gemfile:
   - Gemfile
+  - gemfiles/Gemfile.rails-5.2-rc1
   - gemfiles/Gemfile.rails-5.0-stable
   - gemfiles/Gemfile.rails-4.2-stable
   - gemfiles/Gemfile.rails-4.1-stable
@@ -18,6 +19,8 @@ matrix:
   exclude:
     - rvm: 2.1.10
       gemfile: Gemfile
+    - rvm: 2.1.10
+      gemfile: gemfiles/Gemfile.rails-5.2-rc1
     - rvm: 2.5.0
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.4.2
@@ -32,6 +35,8 @@ matrix:
       gemfile: Gemfile
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.0-stable
+    - env: DEVISE_ORM=mongoid
+      gemfile: gemfiles/Gemfile.rails-5.2-rc1
   allow_failures:
     - rvm: ruby-head
 services:

CHANGELOG.md

@@ -1,5 +1,32 @@
 ### Unreleased
 
+### 4.4.3 - 2018-03-17
+
+* bug fixes
+  * Fix undefined method `rails5?` for Devise::Test:Module (by @tegon)
+  * Fix: secret key was being required to be set inside credentials on Rails 5.2 (by @tegon)
+
+### 4.4.2 - 2018-03-15
+
+* enhancements
+  * Support for :credentials on Rails v5.2.x. (by @gencer)
+  * Improve documentation about the test suite. (by @tegon)
+  * Test with Rails 5.2.rc1 on Travis. (by @jcoyne)
+  * Allow test with Rails 6. (by @Fudoshiki)
+  * Creating a new section for controller configuration on `devise.rb` template (by @Danilo-Araujo-Silva)
+
+* bug fixes
+  * Preserve content_type for unauthenticated tests (by @gmcnaughton)
+  * Check if the resource is persisted in `update_tracked_fields!` instead of performing validations (by @tegon)
+  * Revert "Replace log_process_action to append_info_to_payload" (by @tegon)
+
+### 4.4.1 - 2018-01-23
+
+* bug fixes
+  * Ensure Gemspec is loaded as utf-8. (by @segiddins)
+  * Fix `ActiveRecord` check on `Confirmable`. (by @tegon)
+  * Fix `signed_in?` docs without running auth hooks. by (@machty)
+
 ### 4.4.0 - 2017-12-29
 
 * enhancements

Gemfile.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.4.0)
+    devise (4.4.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
       responders
       warden (~> 1.2.3)
 
@@ -190,4 +190,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.15.3
+   1.16.1

README.md

@@ -123,7 +123,36 @@ We hope that you will consider contributing to Devise. Please read this short ov
 
 https://github.com/plataformatec/devise/wiki/Contributing
 
-You will usually want to write tests for your changes.  To run the test suite, go into Devise's top-level directory and run "bundle install" and "rake".  For the tests to pass, you will need to have a MongoDB server (version 2.0 or newer) running on your system.
+You will usually want to write tests for your changes.  To run the test suite, go into Devise's top-level directory and run `bundle install` and `bin/test`.
+Devise works with multiple Ruby and Rails versions, and ActiveRecord and Mongoid ORMs, which means you can run the test suite with some modifiers: `DEVISE_ORM` and `BUNDLE_GEMFILE`.
+
+### DEVISE_ORM
+Since Devise support both Mongoid and ActiveRecord, we rely on this variable to run specific code for each ORM.
+The default value of `DEVISE_ORM` is `active_record`. To run the tests for mongoid, you can pass `mongoid`:
+```
+DEVISE_ORM=mongoid bin/test
+
+==> Devise.orm = :mongoid
+```
+When running the tests for Mongoid, you will need to have a MongoDB server (version 2.0 or newer) running on your system.
+
+Please note that the command output will show the variable value being used.
+
+### BUNDLE_GEMFILE
+We can use this variable to tell bundler what Gemfile it should use (instead of the one in the current directory).
+Inside the [gemfiles](https://github.com/plataformatec/devise/tree/master/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite brakes on Travis using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
+For example, if the tests broke using Ruby 2.4.2 and Rails 4.1, you can do the following:
+```bash
+rbenv shell 2.4.2 # or rvm use 2.4.2
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bin/test
+```
+
+You can also combine both of them if the tests broke for Mongoid:
+```bash
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
+```
 
 ## Starting with Rails?
 
@@ -674,6 +703,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2017 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2018 Plataformatec. http://plataformatec.com.br
 
 You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

devise.gemspec

@@ -1,6 +1,6 @@
+# -*- encoding: utf-8 -*-
 # frozen_string_literal: true
 
-# -*- encoding: utf-8 -*-
 $:.push File.expand_path("../lib", __FILE__)
 require "devise/version"
 
@@ -23,6 +23,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0", "< 5.2")
+  s.add_dependency("railties", ">= 4.1.0", "< 6.0")
   s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,10 +21,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.4.0)
+    devise (4.4.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
       responders
       warden (~> 1.2.3)
 
@@ -168,4 +168,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.15.3
+   1.16.1

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,10 +57,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.4.0)
+    devise (4.4.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
       responders
       warden (~> 1.2.3)
 
@@ -189,4 +189,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.15.3
+   1.16.1

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.4.0)
+    devise (4.4.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 6.0)
       responders
       warden (~> 1.2.3)
 
@@ -189,4 +189,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.15.3
+   1.16.1

gemfiles/Gemfile.rails-5.2-rc1

@@ -0,0 +1,26 @@
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+gem "rails", '~> 5.2.0.rc1'
+gem "omniauth"
+gem "omniauth-oauth2"
+gem "rdoc"
+
+gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
+
+gem "rails-controller-testing"
+
+gem "responders", "~> 2.1"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid"
+  gem "webrat", "0.7.3", require: false
+  gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end

gemfiles/Gemfile.rails-5.2-rc1.lock

@@ -0,0 +1,201 @@
+GIT
+  remote: git://github.com/rails/activemodel-serializers-xml.git
+  revision: 356edf4dfc38fb1fbfee90c87856e4fe5b73c5e1
+  specs:
+    activemodel-serializers-xml (1.0.2)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
+      builder (~> 3.1)
+
+PATH
+  remote: ..
+  specs:
+    devise (4.4.3)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0, < 6.0)
+      responders
+      warden (~> 1.2.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.2.0.rc1)
+      actionpack (= 5.2.0.rc1)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.0.rc1)
+      actionpack (= 5.2.0.rc1)
+      actionview (= 5.2.0.rc1)
+      activejob (= 5.2.0.rc1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.0.rc1)
+      actionview (= 5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      globalid (>= 0.3.6)
+    activemodel (5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+    activerecord (5.2.0.rc1)
+      activemodel (= 5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      arel (>= 9.0)
+    activestorage (5.2.0.rc1)
+      actionpack (= 5.2.0.rc1)
+      activerecord (= 5.2.0.rc1)
+      marcel (~> 0.3.1)
+    activesupport (5.2.0.rc1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    bcrypt (3.1.11)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    crass (1.0.3)
+    erubi (1.7.0)
+    faraday (0.12.2)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    hashie (3.5.7)
+    i18n (0.9.3)
+      concurrent-ruby (~> 1.0)
+    jwt (1.5.6)
+    loofah (2.1.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.1)
+      mimemagic (~> 0.3.2)
+    metaclass (0.0.4)
+    method_source (0.9.0)
+    mimemagic (0.3.2)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    mocha (1.3.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    nio4r (2.2.0)
+    nokogiri (1.8.2)
+      mini_portile2 (~> 2.3.0)
+    oauth2 (1.4.0)
+      faraday (>= 0.8, < 0.13)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-facebook (4.0.0)
+      omniauth-oauth2 (~> 1.2)
+    omniauth-oauth2 (1.5.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.2)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    orm_adapter (0.5.0)
+    rack (2.0.4)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-test (0.8.2)
+      rack (>= 1.0, < 3)
+    rails (5.2.0.rc1)
+      actioncable (= 5.2.0.rc1)
+      actionmailer (= 5.2.0.rc1)
+      actionpack (= 5.2.0.rc1)
+      actionview (= 5.2.0.rc1)
+      activejob (= 5.2.0.rc1)
+      activemodel (= 5.2.0.rc1)
+      activerecord (= 5.2.0.rc1)
+      activestorage (= 5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      bundler (>= 1.3.0)
+      railties (= 5.2.0.rc1)
+      sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.2)
+      actionpack (~> 5.x, >= 5.0.1)
+      actionview (~> 5.x, >= 5.0.1)
+      activesupport (~> 5.x)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.2.0.rc1)
+      actionpack (= 5.2.0.rc1)
+      activesupport (= 5.2.0.rc1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.3.0)
+    rdoc (6.0.1)
+    responders (2.4.0)
+      actionpack (>= 4.2.0, < 5.3)
+      railties (>= 4.2.0, < 5.3)
+    ruby-openid (2.7.0)
+    sprockets (3.7.1)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.13)
+    test_after_commit (1.1.0)
+      activerecord (>= 3.2)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    warden (1.2.7)
+      rack (>= 1.0)
+    webrat (0.7.3)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+    websocket-driver (0.7.0)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activemodel-serializers-xml!
+  devise!
+  mocha (~> 1.1)
+  omniauth
+  omniauth-facebook
+  omniauth-oauth2
+  omniauth-openid
+  rails (~> 5.2.0.rc1)
+  rails-controller-testing
+  rdoc
+  responders (~> 2.1)
+  sqlite3
+  test_after_commit
+  webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.16.1

lib/devise.rb

@@ -18,6 +18,7 @@ module Devise
   autoload :TestHelpers,        'devise/test_helpers'
   autoload :TimeInflector,      'devise/time_inflector'
   autoload :TokenGenerator,     'devise/token_generator'
+  autoload :SecretKeyFinder,    'devise/secret_key_finder'
 
   module Controllers
     autoload :Helpers,        'devise/controllers/helpers'

lib/devise/controllers/helpers.rb

@@ -12,11 +12,6 @@ module Devise
         if respond_to?(:helper_method)
           helper_method :warden, :signed_in?, :devise_controller?
         end
-
-        def append_info_to_payload(payload)
-          super
-          payload[:status] ||= 401 unless payload[:exception]
-        end
       end
 
       module ClassMethods
@@ -83,6 +78,11 @@ module Devise
             end
           METHODS
         end
+
+        def log_process_action(payload)
+          payload[:status] ||= 401 unless payload[:exception]
+          super
+        end
       end
 
       # Define authentication filters and accessor helpers based on mappings.

lib/devise/controllers/sign_in_out.rb

@@ -6,7 +6,10 @@ module Devise
     # Included by default in all controllers.
     module SignInOut
       # Return true if the given scope is signed in session. If no scope given, return
-      # true if any scope is signed in. Does not run authentication hooks.
+      # true if any scope is signed in. This will run authentication hooks, which may
+      # cause exceptions to be thrown from this method; if you simply want to check
+      # if a scope has already previously been authenticated without running
+      # authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
       def signed_in?(scope=nil)
         [scope || Devise.mappings.keys].flatten.any? do |_scope|
           warden.authenticate?(scope: _scope)

lib/devise/models/confirmable.rb

@@ -48,7 +48,7 @@ module Devise
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
         after_create :skip_reconfirmation_in_callback!, if: :send_confirmation_notification?
-        if defined?(ActiveRecord) && self.is_a?(ActiveRecord::Base) # ActiveRecord
+        if defined?(ActiveRecord) && self < ActiveRecord::Base # ActiveRecord
           after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
           after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
         else # Mongoid

lib/devise/models/trackable.rb

@@ -31,8 +31,13 @@ module Devise
       end
 
       def update_tracked_fields!(request)
+        # We have to check if the user is already persisted before running
+        # `save` here because invalid users can be saved if we don't.
+        # See https://github.com/plataformatec/devise/issues/4673 for more details.
+        return if new_record?
+
         update_tracked_fields(request)
-        save
+        save(validate: false)
       end
     end
   end

lib/devise/rails.rb

@@ -34,11 +34,7 @@ module Devise
     end
 
     initializer "devise.secret_key" do |app|
-      if app.respond_to?(:secrets)
-        Devise.secret_key ||= app.secrets.secret_key_base
-      elsif app.config.respond_to?(:secret_key_base)
-        Devise.secret_key ||= app.config.secret_key_base
-      end
+      Devise.secret_key ||= Devise::SecretKeyFinder.new(app).find
 
       Devise.token_generator ||=
         if secret_key = Devise.secret_key

lib/devise/secret_key_finder.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Devise
+  class SecretKeyFinder
+    def initialize(application)
+      @application = application
+    end
+
+    def find
+      if @application.respond_to?(:credentials) && key_exists?(@application.credentials)
+        @application.credentials.secret_key_base
+      elsif @application.respond_to?(:secrets) && key_exists?(@application.secrets)
+        @application.secrets.secret_key_base
+      elsif @application.config.respond_to?(:secret_key_base) && key_exists?(@application.config)
+        @application.config.secret_key_base
+      end
+    end
+
+    private
+
+    def key_exists?(object)
+      object.secret_key_base.present?
+    end
+  end
+end

lib/devise/test/controller_helpers.rb

@@ -139,6 +139,7 @@ module Devise
 
           status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
           @controller.response.headers.merge!(headers)
+          @controller.response.content_type = headers["Content-Type"] unless Rails.version.start_with?('5')
           @controller.status = status
           @controller.response.body = response.body
           nil # causes process return @response

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.4.0".freeze
+  VERSION = "4.4.3".freeze
 end

lib/generators/templates/devise.rb

@@ -9,6 +9,10 @@ Devise.setup do |config|
   # Devise will use the `secret_key_base` as its `secret_key`
   # by default. You can change it below and use your own secret key.
   # config.secret_key = '<%= SecureRandom.hex(64) %>'
+  
+  # ==> Controller configuration
+  # Configure the parent class to the devise controllers.
+  # config.parent_controller = 'DeviseController'
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,

test/integration/authenticatable_test.rb

@@ -3,6 +3,12 @@
 require 'test_helper'
 
 class AuthenticationSanityTest < Devise::IntegrationTest
+  test 'sign in should not run model validations' do
+    sign_in_as_user
+
+    refute User.validations_performed
+  end
+
   test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
@@ -545,18 +551,6 @@ class AuthenticationOthersTest < Devise::IntegrationTest
       refute warden.authenticated?(:user)
     end
   end
-
-  test 'not signed in should return notification payload with 401 status' do
-    begin
-      subscriber = ActiveSupport::Notifications.subscribe /process_action.action_controller/ do |_name, _start, _finish, _id, payload|
-        assert_equal 401, payload[:status]
-      end
-
-      get admins_path
-    ensure
-      ActiveSupport::Notifications.unsubscribe(subscriber)
-    end
-  end
 end
 
 class AuthenticationKeysTest < Devise::IntegrationTest

test/integration/http_authenticatable_test.rb

@@ -3,6 +3,12 @@
 require 'test_helper'
 
 class HttpAuthenticationTest < Devise::IntegrationTest
+  test 'sign in with HTTP should not run model validations' do
+    sign_in_as_new_user_with_http
+
+    refute User.validations_performed
+  end
+
   test 'handles unverified requests gets rid of caches but continues signed in' do
     swap ApplicationController, allow_forgery_protection: true do
       create_user

test/integration/omniauthable_test.rb

@@ -42,6 +42,17 @@ class OmniauthableIntegrationTest < Devise::IntegrationTest
     end
   end
 
+  test "omniauth sign in should not run model validations" do
+    stub_action!(:sign_in_facebook) do
+      create_user
+      visit "/users/sign_in"
+      click_link "Sign in with FaceBook"
+      assert warden.authenticated?(:user)
+
+      refute User.validations_performed
+    end
+  end
+
   test "can access omniauth.auth in the env hash" do
     visit "/users/sign_in"
     click_link "Sign in with FaceBook"

test/integration/rememberable_test.rb

@@ -12,7 +12,7 @@ class RememberMeTest < Devise::IntegrationTest
   end
 
   def generate_signed_cookie(raw_cookie)
-    request = if Devise::Test.rails51?
+    request = if Devise::Test.rails51? || Devise::Test.rails52?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
     elsif Devise::Test.rails5?
       ActionController::TestRequest.create

test/integration/trackable_test.rb

@@ -3,6 +3,11 @@
 require 'test_helper'
 
 class TrackableHooksTest < Devise::IntegrationTest
+  test "trackable should not run model validations" do
+    sign_in_as_user
+
+    refute User.validations_performed
+  end
 
   test "current and last sign in timestamps are updated on each sign in" do
     user = create_user

test/models/confirmable_test.rb

@@ -8,6 +8,17 @@ class ConfirmableTest < ActiveSupport::TestCase
     setup_mailer
   end
 
+  test 'should set callbacks to send the mail' do
+    if DEVISE_ORM == :active_record
+      defined_callbacks = User._commit_callbacks.map(&:filter)
+      assert_includes defined_callbacks, :send_on_create_confirmation_instructions
+      assert_includes defined_callbacks, :send_reconfirmation_instructions
+    elsif DEVISE_ORM == :mongoid
+      assert_includes User._create_callbacks.map(&:filter), :send_on_create_confirmation_instructions
+      assert_includes User._update_callbacks.map(&:filter), :send_reconfirmation_instructions
+    end
+  end
+
   test 'should generate confirmation token after creating a record' do
     assert_nil new_user.confirmation_token
     assert_not_nil create_user.confirmation_token

test/models/trackable_test.rb

@@ -41,7 +41,7 @@ class TrackableTest < ActiveSupport::TestCase
     assert_equal 0, user.sign_in_count
   end
 
-  test 'update_tracked_fields should run model validations' do
+  test "update_tracked_fields! should not persist invalid records" do
     user = UserWithValidations.new
     request = mock
     request.stubs(:remote_ip).returns("127.0.0.1")
@@ -49,4 +49,14 @@ class TrackableTest < ActiveSupport::TestCase
     assert_not user.update_tracked_fields!(request)
     assert_not user.persisted?
   end
+
+  test "update_tracked_fields! should not run model validations" do
+    user = User.new
+    request = mock
+    request.stubs(:remote_ip).returns("127.0.0.1")
+
+    user.expects(:after_validation_callback).never
+
+    assert_not user.update_tracked_fields!(request)
+  end
 end

test/orm/active_record.rb

@@ -4,7 +4,12 @@ ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
 ActiveRecord::Base.include_root_in_json = true
 
-ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
+migrate_path = File.expand_path("../../rails_app/db/migrate/", __FILE__)
+if Devise::Test.rails52?
+  ActiveRecord::MigrationContext.new(migrate_path).migrate
+else
+  ActiveRecord::Migrator.migrate(migrate_path)
+end
 
 class ActiveSupport::TestCase
   if Devise::Test.rails5?

test/rails_app/app/active_record/user.rb

@@ -8,4 +8,13 @@ class User < ActiveRecord::Base
   include ActiveModel::Serializers::Xml if Devise::Test.rails5?
 
   validates :sign_in_count, presence: true
+
+  cattr_accessor :validations_performed
+
+  after_validation :after_validation_callback
+
+  def after_validation_callback
+    # used to check in our test if the validations were called
+    @@validations_performed = true
+  end
 end

test/rails_app/app/mongoid/user.rb

@@ -38,4 +38,13 @@ class User
   field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
   field :unlock_token,    type: String # Only if unlock strategy is :email or :both
   field :locked_at,       type: Time
+
+  cattr_accessor :validations_performed
+
+  after_validation :after_validation_callback
+
+  def after_validation_callback
+    # used to check in our test if the validations were called
+    @@validations_performed = true
+  end
 end

test/rails_app/config/application.rb

@@ -33,8 +33,10 @@ module RailsApp
     # config.assets.enabled = false
 
     config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
-
-    if DEVISE_ORM == :active_record && (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR >= 2)
+    rails_version = Gem::Version.new(Rails.version)
+    if DEVISE_ORM == :active_record &&
+       rails_version >= Gem::Version.new('4.2.0') &&
+       rails_version < Gem::Version.new('5.1.0')
       config.active_record.raise_in_transactional_callbacks = true
     end
 

test/rails_app/config/boot.rb

@@ -6,7 +6,12 @@ end
 
 module Devise
   module Test
-    # Detection for minor differences between Rails 4 and 5, and 5.1 in tests.
+    # Detection for minor differences between Rails 4 and 5, 5.1, and 5.2 in tests.
+    
+    def self.rails52?
+      Rails.version.start_with? '5.2'
+    end
+
     def self.rails51?
       Rails.version.start_with? '5.1'
     end

test/secret_key_finder_test.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Rails52Credentials
+  def credentials
+    OpenStruct.new(secret_key_base: 'credentials')
+  end
+end
+
+class Rails52Secrets
+  def credentials
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def secrets
+    OpenStruct.new(secret_key_base: 'secrets')
+  end
+end
+
+class Rails52Config
+  def credentials
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def secrets
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class Rails41Secrets
+  def secrets
+    OpenStruct.new(secret_key_base: 'secrets')
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: nil)
+  end
+end
+
+class Rails41Config
+  def secrets
+    OpenStruct.new(secret_key_base: nil)
+  end
+
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class Rails40Config
+  def config
+    OpenStruct.new(secret_key_base: 'config')
+  end
+end
+
+class SecretKeyFinderTest < ActiveSupport::TestCase
+  test "rails 5.2 uses credentials when they're available" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Credentials.new)
+
+    assert_equal 'credentials', secret_key_finder.find
+  end
+
+  test "rails 5.2 uses secrets when credentials are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Secrets.new)
+
+    assert_equal 'secrets', secret_key_finder.find
+  end
+
+  test "rails 5.2 uses config when secrets are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails52Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+
+  test "rails 4.1 uses secrets" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Secrets.new)
+
+    assert_equal 'secrets', secret_key_finder.find
+  end
+
+  test "rails 4.1 uses config when secrets are empty" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+
+  test "rails 4.0 uses config" do
+    secret_key_finder = Devise::SecretKeyFinder.new(Rails40Config.new)
+
+    assert_equal 'config', secret_key_finder.find
+  end
+end

test/support/integration.rb

@@ -19,6 +19,7 @@ class ActionDispatch::IntegrationTest
       user.update_attribute(:confirmation_sent_at, options[:confirmation_sent_at]) if options[:confirmation_sent_at]
       user.confirm unless options[:confirm] == false
       user.lock_access! if options[:locked] == true
+      User.validations_performed = false
       user
     end
   end

test/test/controller_helpers_test.rb

@@ -100,6 +100,11 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
     assert_equal response.body, "<html><body>You are being <a href=\"http://test.host/users/sign_in\">redirected</a>.</body></html>"
   end
 
+  test "returns the content type of a failure app" do
+    get :index, params: { format: :xml }
+    assert response.content_type.include?('application/xml')
+  end
+
   test "defined Warden after_authentication callback should not be called when sign_in is called" do
     begin
       Warden::Manager.after_authentication do |user, auth, opts|
@@ -166,7 +171,7 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
   test "creates a new warden proxy if the request object has changed" do
     old_warden_proxy = warden
 
-    @request = if Devise::Test.rails51?
+    @request = if Devise::Test.rails51? || Devise::Test.rails52?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
     elsif Devise::Test.rails5?
       ActionController::TestRequest.create