Prepare for version 4.7.1

As reported in https://github.com/plataformatec/devise/issues/5071, if
for some reason, a user in the database had the `confirmation_token`
column as a blank string, Devise would confirm that user after receiving
a request with a blank `confirmation_token` parameter.
After this commit, a request sending a blank `confirmation_token`
parameter will receive a validation error.
For applications that have users with a blank `confirmation_token` in
the database, it's recommended to manually regenerate or to nullify
them.

.travis.yml

@@ -11,7 +11,7 @@ rvm:
 
 gemfile:
   - Gemfile
-  - gemfiles/Gemfile.rails-6.0-beta
+  - gemfiles/Gemfile.rails-6.0-stable
   - gemfiles/Gemfile.rails-5.2-stable
   - gemfiles/Gemfile.rails-5.0-stable
   - gemfiles/Gemfile.rails-4.2-stable
@@ -22,7 +22,7 @@ matrix:
     - rvm: 2.1.10
       gemfile: Gemfile
     - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.1.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.1.10
@@ -30,15 +30,15 @@ matrix:
     - rvm: 2.2.10
       gemfile: Gemfile
     - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.2.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.3.8
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.4.5
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.4.5
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.5.3
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.6.0
@@ -56,16 +56,14 @@ matrix:
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
   allow_failures:
     - rvm: ruby-head
-    - gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - gemfile: gemfiles/Gemfile.rails-6.0-stable
 
 services:
   - mongodb
 
-sudo: false
-
 cache: bundler
 
 env:

CHANGELOG.md

@@ -1,5 +1,23 @@
 ### Unreleased
 
+### 4.7.1 - 2019-09-06
+
+* bug fixes
+  * Fix an edge case where records with a blank `confirmation_token` could be confirmed (by @tegon)
+  * Fix typo inside `update_needs_confirmation` i18n key (by @lslm)
+
+### 4.7.0 - 2019-08-19
+
+* enhancements
+  * Support Rails 6.0
+  * Update CI to rails 6.0.0.beta3 (by @tunnes)
+  * refactor method name to be more consistent (by @saiqulhaq)
+  * Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)
+
+* bug fixes
+  * Add `autocomplete="new-password"` to `password_confirmation` fields (by @ferrl)
+  * Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)
+
 ### 4.6.2 - 2019-03-26
 
 * bug fixes

Gemfile.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -201,4 +201,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

README.md

@@ -174,7 +174,7 @@ If you are building your first Rails application, we recommend you *do not* use
 
 * Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
-* Codecademy's Ruby on Rails: Authentication and Authorization: http://www.codecademy.com/en/learn/rails-auth
+* Codecademy's Ruby on Rails: Authentication and Authorization: https://www.codecademy.com/learn/rails-auth
 
 Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
@@ -732,6 +732,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2018 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

app/views/devise/passwords/edit.html.erb

@@ -14,7 +14,7 @@
 
   <div class="field">
     <%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

config/locales/en.yml

@@ -42,7 +42,7 @@ en:
       signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
       signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
       updated: "Your account has been updated successfully."
       updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
     sessions:

devise.gemspec

@@ -22,6 +22,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0", "< 6.0")
+  s.add_dependency("railties", ">= 4.1.0")
   s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,10 +21,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -54,7 +54,7 @@ GEM
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
     arel (5.0.1.20140414130214)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     bson (3.2.6)
     builder (3.2.3)
     concurrent-ruby (1.0.5)

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,10 +57,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -68,7 +68,7 @@ GEM
   remote: https://rubygems.org/
   specs:
     arel (6.0.4)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     bson (3.2.6)
     builder (3.2.3)
     concurrent-ruby (1.0.5)

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -58,7 +58,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (7.1.4)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     erubis (2.7.0)
@@ -191,4 +191,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -200,4 +200,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

gemfiles/Gemfile.rails-6.0-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '6.0.0.beta1'
+gem "rails", '~> 6.0.0'
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
@@ -11,7 +11,7 @@ gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
 
 gem "rails-controller-testing"
 
-gem "responders", "~> 2.4"
+gem "responders", "~> 3.0"
 
 group :test do
   gem "omniauth-facebook"
@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3", "~> 1.3.6"
+  gem "sqlite3", "~> 1.4"
 end

gemfiles/Gemfile.rails-6.0-stable.lock

@@ -1,81 +1,83 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
+  revision: 93689638c28525acc65afb638fce866826532641
   specs:
     activemodel-serializers-xml (1.0.2)
-      activemodel (> 5.x)
-      activesupport (> 5.x)
+      activemodel (>= 5.0.0.a)
+      activesupport (>= 5.0.0.a)
       builder (~> 3.1)
 
 PATH
   remote: ..
   specs:
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       mail (>= 2.7.1)
-    actionmailer (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actiontext (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activerecord (6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activestorage (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.0.beta1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    bcrypt (3.1.12)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    bcrypt (3.1.13)
     builder (3.2.3)
-    concurrent-ruby (1.1.4)
+    concurrent-ruby (1.1.5)
     crass (1.0.4)
     erubi (1.8.0)
     faraday (0.15.4)
@@ -83,9 +85,9 @@ GEM
     globalid (0.4.2)
       activesupport (>= 4.2.0)
     hashie (3.6.0)
-    i18n (1.5.2)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.1.0)
+    jwt (2.2.1)
     loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -96,16 +98,16 @@ GEM
     metaclass (0.0.4)
     method_source (0.9.2)
     mimemagic (0.3.3)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
-    mocha (1.8.0)
+    mocha (1.9.0)
       metaclass (~> 0.0.1)
     multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nio4r (2.3.1)
-    nokogiri (1.10.1)
+    multipart-post (2.1.1)
+    nio4r (2.4.0)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
@@ -125,26 +127,26 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.0.6)
+    rack (2.0.7)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.0.beta1)
-      actioncable (= 6.0.0.beta1)
-      actionmailbox (= 6.0.0.beta1)
-      actionmailer (= 6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actiontext (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.0.beta1)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -153,19 +155,19 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.2)
+    rake (12.3.3)
     rdoc (6.1.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
+    responders (3.0.0)
+      actionpack (>= 5.0)
+      railties (>= 5.0)
     ruby-openid (2.7.0)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
@@ -174,7 +176,7 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.4.1)
     test_after_commit (1.1.0)
       activerecord (>= 3.2)
     thor (0.20.3)
@@ -188,9 +190,10 @@ GEM
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.9)
 
 PLATFORMS
   ruby
@@ -203,14 +206,14 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (= 6.0.0.beta1)
+  rails (~> 6.0.0)
   rails-controller-testing
   rdoc
-  responders (~> 2.4)
-  sqlite3 (~> 1.3.6)
+  responders (~> 3.0)
+  sqlite3 (~> 1.4)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

lib/devise/failure_app.rb

@@ -153,7 +153,7 @@ module Devise
       # We need to add the rootpath to `script_name` manually for applications that use a Rails
       # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
       # that use Devise. Remove it when the support of Rails 5.0 is droped.
-      elsif root_path_defined?(context) && rails_5_and_down?
+      elsif root_path_defined?(context) && !rails_51_and_up?
         rootpath = context.routes.url_helpers.root_path
         opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
       end
@@ -278,14 +278,8 @@ module Devise
       defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
     end
 
-    def rails_5_and_down?
-      return false if rails_5_up?
-
-      Rails::VERSION::MAJOR >= 4
-    end
-
-    def rails_5_up?
-      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    def rails_51_and_up?
+      Rails.gem_version >= Gem::Version.new("5.1")
     end
   end
 end

lib/devise/models/authenticatable.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 

lib/devise/models/confirmable.rb

@@ -348,7 +348,19 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
+          # When the `confirmation_token` parameter is blank, if there are any users with a blank
+          # `confirmation_token` in the database, the first one would be confirmed here.
+          # The error is being manually added here to ensure no users are confirmed by mistake.
+          # This was done in the model for convenience, since validation errors are automatically
+          # displayed in the view.
+          if confirmation_token.blank?
+            confirmable = new
+            confirmable.errors.add(:confirmation_token, :blank)
+            return confirmable
+          end
+
           confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+
           unless confirmable
             confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
             confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)

lib/devise/models/validatable.rb

@@ -30,7 +30,7 @@ module Devise
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
           if Devise.activerecord51?
-            validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
+            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
             validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
           else
             validates_uniqueness_of :email, allow_blank: true, if: :email_changed?

lib/devise/rails/routes.rb

@@ -135,10 +135,10 @@ module ActionDispatch::Routing
     #  * failure_app: a rack app which is invoked whenever there is a failure. Strings representing a given
     #    are also allowed as parameter.
     #
-    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :delete),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [:post, :delete]
+    #      devise_for :users, sign_out_via: [:get, :post]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.6.2".freeze
+  VERSION = "4.7.1".freeze
 end

lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -13,7 +13,10 @@
                 autofocus: true,
                 hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length),
                 input_html: { autocomplete: "new-password" } %>
-    <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
+    <%= f.input :password_confirmation,
+                label: "Confirm your new password",
+                required: true,
+                input_html: { autocomplete: "new-password" } %>
   </div>
 
   <div class="form-actions">

test/integration/confirmable_test.rb

@@ -175,6 +175,36 @@ class ConfirmationTest < Devise::IntegrationTest
     assert_current_url '/users/sign_in'
   end
 
+  test "should not be able to confirm an email with a blank confirmation token" do
+    visit_user_confirmation_with_token("")
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm an email with a nil confirmation token" do
+    visit_user_confirmation_with_token(nil)
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm user with blank confirmation token" do
+    user = create_user(confirm: false)
+    user.update_attribute(:confirmation_token, "")
+
+    visit_user_confirmation_with_token("")
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm user with nil confirmation token" do
+    user = create_user(confirm: false)
+    user.update_attribute(:confirmation_token, nil)
+
+    visit_user_confirmation_with_token(nil)
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, devise: {
       failure: { user: { unconfirmed: "Not confirmed user" } }

test/models/confirmable_test.rb

@@ -77,6 +77,24 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
   end
 
+  test 'should return a new record with errors when a blank token is given and a record exists on the database' do
+    user = create_user(confirmation_token: '')
+
+    confirmed_user = User.confirm_by_token('')
+
+    refute user.reload.confirmed?
+    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+  end
+
+  test 'should return a new record with errors when a nil token is given and a record exists on the database' do
+    user = create_user(confirmation_token: nil)
+
+    confirmed_user = User.confirm_by_token(nil)
+
+    refute user.reload.confirmed?
+    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+  end
+
   test 'should generate errors for a user email if user is already confirmed' do
     user = create_user
     user.confirmed_at = Time.now

test/orm/active_record.rb

@@ -5,7 +5,9 @@ ActiveRecord::Base.logger = Logger.new(nil)
 ActiveRecord::Base.include_root_in_json = true
 
 migrate_path = File.expand_path("../../rails_app/db/migrate/", __FILE__)
-if Devise::Test.rails52_and_up?
+if Devise::Test.rails6?
+  ActiveRecord::MigrationContext.new(migrate_path, ActiveRecord::SchemaMigration).migrate
+elsif Devise::Test.rails52_and_up?
   ActiveRecord::MigrationContext.new(migrate_path).migrate
 else
   ActiveRecord::Migrator.migrate(migrate_path)

test/rails_app/app/views/admins/sessions/new.html.erb

@@ -1,2 +1,2 @@
 Welcome to "sessions/new" view!
-<%= render file: "devise/sessions/new" %>
+<%= render template: "devise/sessions/new" %>

test/rails_app/config/application.rb

@@ -45,8 +45,8 @@ module RailsApp
       Devise::SessionsController.layout "application"
     end
 
-    # Remove this check once Rails 5.0 support is removed.
-    if Devise::Test.rails52_and_up?
+    # Remove the first check once Rails 5.0 support is removed.
+    if Devise::Test.rails52_and_up? && !Devise::Test.rails6?
       Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
     end
   end

test/rails_app/config/boot.rb

@@ -6,8 +6,12 @@ end
 
 module Devise
   module Test
-    # Detection for minor differences between Rails 4 and 5, 5.1, and 5.2 in tests.
+    # Detection for minor differences between Rails versions in tests.
     
+    def self.rails6?
+      Rails.version.start_with? '6'
+    end
+
     def self.rails52_and_up?
       Rails::VERSION::MAJOR > 5 || rails52?
     end

test/test/controller_helpers_test.rb

@@ -102,7 +102,12 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
 
   test "returns the content type of a failure app" do
     get :index, params: { format: :xml }
-    assert response.content_type.include?('application/xml')
+
+    if Devise::Test.rails6?
+      assert response.media_type.include?('application/xml')
+    else
+      assert response.content_type.include?('application/xml')
+    end
   end
 
   test "defined Warden after_authentication callback should not be called when sign_in is called" do