Merge pull request #5032 from JanBussieck/pure-signed_in-method

Use warden’s `authenticated?` for query methods to avoid side effects

.travis.yml

@@ -1,86 +1,36 @@
 language: ruby
 
 rvm:
-  - 2.1.10
-  - 2.2.10
   - 2.3.8
-  - 2.4.10
-  - 2.5.8
-  - 2.6.6
-  - 2.7.1
+  - 2.4.5
+  - 2.5.3
+  - 2.6.0
   - ruby-head
 
 gemfile:
   - Gemfile
   - gemfiles/Gemfile.rails-6.0-stable
   - gemfiles/Gemfile.rails-5.2-stable
-  - gemfiles/Gemfile.rails-5.1-stable
   - gemfiles/Gemfile.rails-5.0-stable
-  - gemfiles/Gemfile.rails-4.2-stable
-  - gemfiles/Gemfile.rails-4.1-stable
 
 matrix:
   exclude:
-    - rvm: 2.1.10
-      gemfile: Gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-6.0-stable
-    - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-5.2-stable
-    - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-5.1-stable
-    - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-5.0-stable
-    - rvm: 2.2.10
-      gemfile: Gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-6.0-stable
-    - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-5.2-stable
-    - rvm: 2.3.8
-      gemfile: Gemfile
     - rvm: 2.3.8
       gemfile: gemfiles/Gemfile.rails-6.0-stable
-    - rvm: 2.4.10
-      gemfile: Gemfile
-    - rvm: 2.4.10
+    - rvm: 2.4.5
       gemfile: gemfiles/Gemfile.rails-6.0-stable
-    - rvm: 2.4.10
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.5.8
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.6.6
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.6.6
-      gemfile: gemfiles/Gemfile.rails-4.2-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-4.2-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-5.0-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-5.1-stable
-    - rvm: 2.7.1
-      gemfile: gemfiles/Gemfile.rails-5.2-stable
-    - rvm: ruby-head
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: ruby-head
-      gemfile: gemfiles/Gemfile.rails-4.2-stable
+    - rvm: 2.5.3
     - env: DEVISE_ORM=mongoid
       gemfile: Gemfile
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.0-stable
-    - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-5.1-stable
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-6.0-stable
   allow_failures:
     - rvm: ruby-head
+    - gemfile: gemfiles/Gemfile.rails-6.0-stable
 
 services:
   - mongodb
@@ -92,10 +42,7 @@ env:
     - DEVISE_ORM=active_record
     - DEVISE_ORM=mongoid
 
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '< 2'
-  - "rm ${BUNDLE_GEMFILE}.lock"
+before_install: "rm ${BUNDLE_GEMFILE}.lock"
 
 before_script: "bundle update"
 

CHANGELOG.md

@@ -1,12 +1,16 @@
-### 4.7.1 - 2020-06-10
+### 5.0.0-rc
 
 * enhancements
-  * Increase default stretches to 12 (by @sergey-alekseev)
-  * Ruby 2.7 support (kwarg warnings removed)
+  * Suport multiple translations according to unlock strategy (by @sivagollapalli)
+  * Use `ActiveSupport::SecurityUtils.secure_compare` inside `Devise.secure_compare` (by @shrirambalakrishnan)
+  * Update trackable fields only in a database sign in (by @waiting-for-dev)
 
-* bug fixes
-  * Generate scoped views with proper scoped errors partial (by @shobhitic)
-  * Allow to set scoped `already_authenticated` error messages (by @gurgelrenan)
+* deprecations
+  * Remove Rails 4, Ruby 2.1 and Ruby 2.2 support (by @feliperenan)
+
+### Unreleased
+* enhancements
+  * Increase default stretches to 12 (by @sergey-alekseev)
 
 ### 4.7.1 - 2019-09-06
 
@@ -29,7 +33,7 @@
 ### 4.6.2 - 2019-03-26
 
 * bug fixes
-  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/heartcombo/devise/issues/5033#issuecomment-476386275 (by @mracos)
+  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/plataformatec/devise/issues/5033#issuecomment-476386275 (by @mracos)
 
 ### 4.6.1 - 2019-02-11
 
@@ -76,7 +80,7 @@
   * Add `autocomplete="new-password"` to new password fields (by @gssbzn)
   * Add `autocomplete="current-password"` to current password fields (by @gssbzn)
   * Remove redundant `self` from `database_authenticatable` module (by @abhishekkanojia)
-  * Update `simple_form` templates with changes from https://github.com/heartcombo/devise/commit/16b3d6d67c7e017d461ea17ed29ea9738dc77e83 and https://github.com/heartcombo/devise/commit/6260c29a867b9a656f1e1557abe347a523178fab (by @gssbzn)
+  * Update `simple_form` templates with changes from https://github.com/plataformatec/devise/commit/16b3d6d67c7e017d461ea17ed29ea9738dc77e83 and https://github.com/plataformatec/devise/commit/6260c29a867b9a656f1e1557abe347a523178fab (by @gssbzn)
   * Remove `:trackable` from the default modules in the generators, to be more GDPR-friendly (by @fakenine)
 
 * bug fixes
@@ -323,5 +327,5 @@ configured (by @joshpencheon)
     You can check more examples and explanations on the [README section](README.md#strong-parameters)
     and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb).
 
-Please check [3-stable](https://github.com/heartcombo/devise/blob/3-stable/CHANGELOG.md)
+Please check [3-stable](https://github.com/plataformatec/devise/blob/3-stable/CHANGELOG.md)
 for previous changes.

CODE_OF_CONDUCT.md

@@ -17,6 +17,6 @@ Project maintainers have the right and responsibility to remove, edit, or reject
 
 This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [heartcombo@googlegroups.com](heartcombo@googlegroups.com) or contacting one or more of the project maintainers.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [conduct@plataformatec.com.br](conduct@plataformatec.com.br) or contacting one or more of the project maintainers.
 
 This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -8,7 +8,7 @@ expected to follow our [Code of Conduct](CODE_OF_CONDUCT.md).
 ## Reporting Issues
 
 Before reporting a new issue, please be sure that the issue wasn't already
-reported or fixed by searching on GitHub through our [issues](https://github.com/heartcombo/devise/issues).
+reported or fixed by searching on GitHub through our [issues](https://github.com/plataformatec/devise/issues).
 
 When creating a new issue, be sure to include a **title and clear description**,
 as much relevant information as possible, and either a test case example or
@@ -22,7 +22,7 @@ Please do not attempt to translate Devise built in views. The views are meant
 to be a starting point for fresh apps and not production material - eventually
 all applications will require custom views where you can write your own copy and
 translate it if the application requires it . For historical references, please look into closed
-[Issues/Pull Requests](https://github.com/heartcombo/devise/issues?q=i18n) regarding
+[Issues/Pull Requests](https://github.com/plataformatec/devise/issues?q=i18n) regarding
 internationalization.
 
 Avoid opening new issues to ask questions in our issues tracker. Please go through
@@ -30,7 +30,7 @@ the project wiki, documentation and source code first, or try to ask your questi
 on [Stack Overflow](http://stackoverflow.com/questions/tagged/devise).
 
 **If you find a security bug, do not report it through GitHub. Please send an
-e-mail to [heartcombo@googlegroups.com](mailto:heartcombo@googlegroups.com)
+e-mail to [opensource@plataformatec.com.br](mailto:opensource@plataformatec.com.br)
 instead.**
 
 ## Sending Pull Requests
@@ -50,7 +50,7 @@ are beneficial to a wide range of use cases or it's an application specific chan
 that might not be so valuable to other applications. Some changes can be introduced
 as a new `devise-something` gem instead of belonging to the main codebase.
 
-When adding new settings, you can take advantage of the [`Devise::Models.config`](https://github.com/heartcombo/devise/blob/245b1f9de0b3386b7913e14b60ea24f43b77feb0/lib/devise/models.rb#L13-L50) method to add class and instance level fallbacks
+When adding new settings, you can take advantage of the [`Devise::Models.config`](https://github.com/plataformatec/devise/blob/245b1f9de0b3386b7913e14b60ea24f43b77feb0/lib/devise/models.rb#L13-L50) method to add class and instance level fallbacks
 to the new setting.
 
 We also welcome Pull Requests that improve our existing documentation (both our
@@ -66,7 +66,7 @@ you can do:
 * Help ensure that existing issues follows the recommendations from the
 _[Reporting Issues](#reporting-issues)_ section, providing feedback to the issue's
 author on what might be missing.
-* Review and update the existing content of our [Wiki](https://github.com/heartcombo/devise/wiki)
+* Review and update the existing content of our [Wiki](https://github.com/plataformatec/devise/wiki)
 with up to date instructions and code samples - the wiki was grown with several
 different tutorials and references that we can't keep track of everything, so if
 there is a page that showcases an integration or customization that you are

Gemfile

@@ -4,16 +4,17 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 6.0.0"
-gem "omniauth"
+gem "rails", "~> 5.2"
+gem "omniauth", "~> 1.3"
+gem "oauth2"
 gem "omniauth-oauth2"
 gem "rdoc"
 
 gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
-gem "responders", "~> 3.0"
+gem "responders", "~> 2.4"
 
 group :test do
   gem "omniauth-facebook"
@@ -23,15 +24,15 @@ group :test do
   gem "mocha", "~> 1.1", require: false
 end
 
-platforms :ruby do
-  gem "sqlite3", "~> 1.4"
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
 end
 
-# platforms :jruby do
-#   gem "activerecord-jdbc-adapter"
-#   gem "activerecord-jdbcsqlite3-adapter"
-#   gem "jruby-openssl"
-# end
+platforms :ruby do
+  gem "sqlite3", "~> 1.3.6"
+end
 
 # TODO:
 # group :mongoid do

Gemfile.lock

@@ -1,217 +1,202 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 93689638c28525acc65afb638fce866826532641
+  revision: dd9c0acf26aab111ebc647cd8deb99ebc6946531
   specs:
-    activemodel-serializers-xml (1.0.2)
-      activemodel (>= 5.0.0.a)
-      activesupport (>= 5.0.0.a)
+    activemodel-serializers-xml (1.0.1)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
       builder (~> 3.1)
 
-GIT
-  remote: git://github.com/rails/rails-controller-testing.git
-  revision: a60b3da1c1c77959b28606dd087c058c64b5a08f
-  specs:
-    rails-controller-testing (1.0.4)
-      actionpack (>= 5.0.1.rc1)
-      actionview (>= 5.0.1.rc1)
-      activesupport (>= 5.0.1.rc1)
-
 PATH
   remote: .
   specs:
-    devise (4.7.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 5.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.3.1)
-      actionpack (= 6.0.3.1)
+    actioncable (5.2.0)
+      actionpack (= 5.2.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-      mail (>= 2.7.1)
-    actionmailer (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
+    actionmailer (5.2.0)
+      actionpack (= 5.2.0)
+      actionview (= 5.2.0)
+      activejob (= 5.2.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.1)
-      actionview (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (5.2.0)
+      actionview (= 5.2.0)
+      activesupport (= 5.2.0)
+      rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-      nokogiri (>= 1.8.5)
-    actionview (6.0.3.1)
-      activesupport (= 6.0.3.1)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.0)
+      activesupport (= 5.2.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.1)
-      activesupport (= 6.0.3.1)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.0)
+      activesupport (= 5.2.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activerecord (6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activestorage (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
+    activemodel (5.2.0)
+      activesupport (= 5.2.0)
+    activerecord (5.2.0)
+      activemodel (= 5.2.0)
+      activesupport (= 5.2.0)
+      arel (>= 9.0)
+    activestorage (5.2.0)
+      actionpack (= 5.2.0)
+      activerecord (= 5.2.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.3.1)
+    activesupport (5.2.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+    arel (9.0.0)
     bcrypt (3.1.13)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    crass (1.0.6)
-    erubi (1.9.0)
-    faraday (1.0.1)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    crass (1.0.4)
+    erubi (1.7.1)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.2)
+    globalid (0.4.1)
       activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (1.8.3)
+    hashie (3.5.7)
+    i18n (1.0.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.2.1)
-    loofah (2.5.0)
+    jwt (1.5.6)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
+    mail (2.7.0)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
+    marcel (0.3.2)
       mimemagic (~> 0.3.2)
-    method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
-    multi_json (1.14.1)
+    metaclass (0.0.4)
+    method_source (0.9.0)
+    mimemagic (0.3.2)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
+    multi_json (1.12.1)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nio4r (2.5.2)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
+    multipart-post (2.0.0)
+    nio4r (2.3.0)
+    nokogiri (1.8.2)
+      mini_portile2 (~> 2.3.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.2.2)
+    rack (2.0.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (1.1.0)
+    rack-test (1.0.0)
       rack (>= 1.0, < 3)
-    rails (6.0.3.1)
-      actioncable (= 6.0.3.1)
-      actionmailbox (= 6.0.3.1)
-      actionmailer (= 6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actiontext (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    rails (5.2.0)
+      actioncable (= 5.2.0)
+      actionmailer (= 5.2.0)
+      actionpack (= 5.2.0)
+      actionview (= 5.2.0)
+      activejob (= 5.2.0)
+      activemodel (= 5.2.0)
+      activerecord (= 5.2.0)
+      activestorage (= 5.2.0)
+      activesupport (= 5.2.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.3.1)
+      railties (= 5.2.0)
       sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.1)
+      actionpack (~> 5.x)
+      actionview (~> 5.x)
+      activesupport (~> 5.x)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.0)
+      actionpack (= 5.2.0)
+      activesupport (= 5.2.0)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    responders (3.0.1)
-      actionpack (>= 5.0)
-      railties (>= 5.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.3.1)
+    rdoc (5.1.0)
+    responders (2.4.0)
+      actionpack (>= 4.2.0, < 5.3)
+      railties (>= 4.2.0, < 5.3)
+    ruby-openid (2.7.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.4.2)
-    thor (1.0.1)
+    sqlite3 (1.3.13)
+    thor (0.20.0)
     thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.7)
+    timecop (0.8.1)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.7)
+      rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.2)
+    websocket-driver (0.7.0)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
-    zeitwerk (2.3.0)
+    websocket-extensions (0.1.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   activemodel-serializers-xml!
+  activerecord-jdbc-adapter
+  activerecord-jdbcsqlite3-adapter
   devise!
+  jruby-openssl
   mocha (~> 1.1)
-  omniauth
+  oauth2
+  omniauth (~> 1.3)
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (~> 6.0.0)
-  rails-controller-testing!
+  rails (~> 5.2)
+  rails-controller-testing
   rdoc
-  responders (~> 3.0)
-  sqlite3 (~> 1.4)
+  responders (~> 2.4)
+  sqlite3 (~> 1.3.6)
   timecop
   webrat (= 0.7.3)
 

ISSUE_TEMPLATE.md

@@ -2,7 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
-- If you found a security bug, do not report it through GitHub. Please send an e-mail to heartcombo@googlegroups.com instead.
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to opensource@plataformatec.com.br instead.
 - Finally, be nice and have fun!
 
 ## Environment

MIT-LICENSE

@@ -1,5 +1,4 @@
-Copyright 2020 Rafael França, Leonardo Tegon, Carlos Antônio da Silva.
-Copyright 2009-2019 Plataformatec.
+Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -1,7 +1,11 @@
-![Devise Logo](https://raw.github.com/heartcombo/devise/master/devise.png)
+![Devise Logo](https://raw.github.com/plataformatec/devise/master/devise.png)
 
-[![Build Status](https://api.travis-ci.org/heartcombo/devise.svg?branch=master)](http://travis-ci.org/heartcombo/devise)
-[![Code Climate](https://codeclimate.com/github/heartcombo/devise.svg)](https://codeclimate.com/github/heartcombo/devise)
+By [Plataformatec](http://plataformatec.com.br/).
+
+[![Build Status](https://api.travis-ci.org/plataformatec/devise.svg?branch=master)](http://travis-ci.org/plataformatec/devise)
+[![Code Climate](https://codeclimate.com/github/plataformatec/devise.svg)](https://codeclimate.com/github/plataformatec/devise)
+
+This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/).
 
 Devise is a flexible authentication solution for Rails based on Warden. It:
 
@@ -12,16 +16,16 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 It's composed of 10 modules:
 
-* [Database Authenticatable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
-* [Confirmable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
-* [Recoverable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
-* [Registerable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
-* [Rememberable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
-* [Trackable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
-* [Timeoutable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
-* [Validatable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
-* [Lockable](http://www.rubydoc.info/github/heartcombo/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
+* [Database Authenticatable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
+* [Omniauthable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support.
+* [Confirmable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
+* [Recoverable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
+* [Registerable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
+* [Rememberable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie.
+* [Trackable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address.
+* [Timeoutable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time.
+* [Validatable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
+* [Lockable](http://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
 
 ## Table of Contents
 
@@ -69,15 +73,15 @@ It's composed of 10 modules:
 
 The Devise Wiki has lots of additional information about Devise including many "how-to" articles and answers to the most frequently asked questions. Please browse the Wiki after finishing this README:
 
-https://github.com/heartcombo/devise/wiki
+https://github.com/plataformatec/devise/wiki
 
 ### Bug reports
 
 If you discover a problem with Devise, we would like to know about it. However, we ask that you please review these guidelines before submitting a bug report:
 
-https://github.com/heartcombo/devise/wiki/Bug-reports
+https://github.com/plataformatec/devise/wiki/Bug-reports
 
-If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to heartcombo@googlegroups.com.
+If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
 
 ### StackOverflow and Mailing List
 
@@ -93,7 +97,7 @@ https://groups.google.com/group/plataformatec-devise
 
 You can view the Devise documentation in RDoc format here:
 
-http://rubydoc.info/github/heartcombo/devise/master/frames
+http://rubydoc.info/github/plataformatec/devise/master/frames
 
 If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation.
 
@@ -101,19 +105,19 @@ If you need to use Devise with previous versions of Rails, you can always run "g
 
 There are a few example applications available on GitHub that demonstrate various features of Devise with different versions of Rails. You can view them here:
 
-https://github.com/heartcombo/devise/wiki/Example-Applications
+https://github.com/plataformatec/devise/wiki/Example-Applications
 
 ### Extensions
 
 Our community has created a number of extensions that add functionality above and beyond what is included with Devise. You can view a list of available extensions and add your own here:
 
-https://github.com/heartcombo/devise/wiki/Extensions
+https://github.com/plataformatec/devise/wiki/Extensions
 
 ### Contributing
 
 We hope that you will consider contributing to Devise. Please read this short overview for some information about how to get started:
 
-https://github.com/heartcombo/devise/wiki/Contributing
+https://github.com/plataformatec/devise/wiki/Contributing
 
 You will usually want to write tests for your changes.  To run the test suite, go into Devise's top-level directory and run `bundle install` and `bin/test`.
 Devise works with multiple Ruby and Rails versions, and ActiveRecord and Mongoid ORMs, which means you can run the test suite with some modifiers: `DEVISE_ORM` and `BUNDLE_GEMFILE`.
@@ -132,18 +136,18 @@ Please note that the command output will show the variable value being used.
 
 ### BUNDLE_GEMFILE
 We can use this variable to tell bundler what Gemfile it should use (instead of the one in the current directory).
-Inside the [gemfiles](https://github.com/heartcombo/devise/tree/master/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks on Travis using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
-For example, if the tests broke using Ruby 2.4.2 and Rails 4.1, you can do the following:
+Inside the [gemfiles](https://github.com/plataformatec/devise/tree/master/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks on Travis using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable.
+For example, if the tests broke using Ruby 2.5.0 and Rails 5.0, you can do the following:
 ```bash
-rbenv shell 2.4.2 # or rvm use 2.4.2
-BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
-BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bin/test
+rbenv shell 2.5.0 # or rvm use 2.5.0
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-5.0-stable bundle install
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-5.0-stable bin/test
 ```
 
 You can also combine both of them if the tests broke for Mongoid:
 ```bash
-BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
-BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-5.0-stable bundle install
+BUNDLE_GEMFILE=gemfiles/Gemfile.rails-5.0-stable DEVISE_ORM=mongoid bin/test
 ```
 
 ### Running tests
@@ -166,17 +170,17 @@ bin/test test/models/trackable_test.rb:16
 
 ## Starting with Rails?
 
-If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Here's a few resources that should help you get started:
+If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:
 
 * Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
-* Ryan Bates' Railscasts: http://railscasts.com/episodes/250-authentication-from-scratch and http://railscasts.com/episodes/250-authentication-from-scratch-revised
+* Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
 * Codecademy's Ruby on Rails: Authentication and Authorization: https://www.codecademy.com/learn/rails-auth
 
 Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
 ## Getting started
 
-Devise 4.0 works with Rails 4.1 onwards. Add the following line to your Gemfile:
+Devise 5.0 works with Rails 5.0 onwards. Add the following line to your Gemfile:
 
 ```ruby
 gem 'devise'
@@ -275,7 +279,7 @@ Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`,
 
 ![The Parameter Sanitizer API has changed for Devise 4](http://messages.hellobits.com/warning.svg?message=The%20Parameter%20Sanitizer%20API%20has%20changed%20for%20Devise%204)
 
-*For previous Devise versions see https://github.com/heartcombo/devise/tree/3-stable#strong-parameters*
+*For previous Devise versions see https://github.com/plataformatec/devise/tree/3-stable#strong-parameters*
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
@@ -285,7 +289,7 @@ There are just three actions in Devise that allow any set of parameters to be pa
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-In case you want to permit additional parameters (the lazy way™), you can do so using a simple before action in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™), you can do so using a simple before filter in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -460,7 +464,7 @@ Devise also ships with default routes. If you need to customize them, you should
 devise_for :users, path: 'auth', path_names: { sign_in: 'login', sign_out: 'logout', password: 'secret', confirmation: 'verification', unlock: 'unblock', registration: 'register', sign_up: 'cmon_let_me_in' }
 ```
 
-Be sure to check `devise_for` [documentation](http://www.rubydoc.info/github/heartcombo/devise/master/ActionDispatch/Routing/Mapper%3Adevise_for) for details.
+Be sure to check `devise_for` [documentation](http://www.rubydoc.info/github/plataformatec/devise/master/ActionDispatch/Routing/Mapper%3Adevise_for) for details.
 
 If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is create your routes normally and wrap them in a `devise_scope` block in the router:
 
@@ -516,7 +520,7 @@ en:
 
 Take a look at our locale file to check all available messages. You may also be interested in one of the many translations that are available on our wiki:
 
-https://github.com/heartcombo/devise/wiki/I18n
+https://github.com/plataformatec/devise/wiki/I18n
 
 Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController.
 
@@ -528,21 +532,15 @@ cases/specs.
 
 ### Controller tests
 
-Controller tests require that you include `Devise::Test::IntegrationHelpers` on
+Controller tests require that you include `Devise::Test::ControllerHelpers` on
 your test case or its parent `ActionController::TestCase` superclass.
-For Rails versions prior to 5, include `Devise::Test::ControllerHelpers` instead, since the superclass
-for controller tests was changed to ActionDispatch::IntegrationTest
+For Rails 5, include `Devise::Test::IntegrationHelpers` instead, since the superclass
+for controller tests has been changed to ActionDispatch::IntegrationTest
 (for more details, see the [Integration tests](#integration-tests) section).
 
 ```ruby
 class PostsControllerTest < ActionController::TestCase
-  include Devise::Test::IntegrationHelpers # Rails >= 5
-end
-```
-
-```ruby
-class PostsControllerTest < ActionController::TestCase
-  include Devise::Test::ControllerHelpers # Rails < 5
+  include Devise::Test::ControllerHelpers
 end
 ```
 
@@ -622,7 +620,7 @@ are executed in your tests.
 
 You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-* https://github.com/heartcombo/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
 
 ### OmniAuth
 
@@ -634,7 +632,7 @@ config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
 
 You can read more about OmniAuth support in the wiki:
 
-* https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview
+* https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
 ### Configuring multiple models
 
@@ -681,7 +679,7 @@ end
 
 ### Password reset tokens and Rails logs
 
-If you enable the [Recoverable](http://rubydoc.info/github/heartcombo/devise/master/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
+If you enable the [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files:
 
 1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked.
 2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked.
@@ -699,48 +697,41 @@ Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simpl
 
 ### Rails API Mode
 
-Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). Devise is _somewhat_ able to handle applications that are built in this mode without additional modifications in the sense that it should not raise exceptions and the like. But some issues may still arise during `development`/`testing`, as we still don't know the full extent of this compatibility. (For more information, see [issue #4947](https://github.com/heartcombo/devise/issues/4947/))
-
-#### Supported Authentication Strategies
-API-only applications don't support browser-based authentication via cookies, which is devise's default. Yet, devise can still provide authentication out of the box in those cases with the `http_authenticatable` strategy, which uses HTTP Basic Auth and authenticates the user on each request. (For more info, see this wiki article for [How To: Use HTTP Basic Authentication](https://github.com/heartcombo/devise/wiki/How-To:-Use-HTTP-Basic-Authentication))
-
-The devise default for HTTP Auth is disabled, so it will need to be enabled in the devise initializer for the database strategy:
-
-```ruby
-config.http_authenticatable = [:database]
-```
-
-This restriction does not limit you from implementing custom warden strategies, either in your application or via gem-based extensions for devise.
-A common authentication strategy for APIs is token-based authentication. For more information on extending devise to support this type of authentication and others, see the wiki article for [Simple Token Authentication Examples and alternatives](https://github.com/heartcombo/devise/wiki/How-To:-Simple-Token-Authentication-Example#alternatives) or this blog post on [Custom authentication methods with Devise](http://blog.plataformatec.com.br/2019/01/custom-authentication-methods-with-devise/).
-
-#### Testing
-API Mode changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
+Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). One of the side effects is that it changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
 
 ```ruby
 Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies
 Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore
 ```
 
-For a deeper understanding of this, review [this issue](https://github.com/heartcombo/devise/issues/4696).
-
-Additionally be mindful that without views supported, some email-based flows from Confirmable, Recoverable and Lockable are not supported directly at this time.
+For a deeper understanding of this, review [this issue](https://github.com/plataformatec/devise/issues/4696).
 
 ## Additional information
 
+### Heroku
+
+Using Devise on Heroku with Ruby on Rails 3.2 requires setting:
+
+```ruby
+config.assets.initialize_on_precompile = false
+```
+
+Read more about the potential issues at http://guides.rubyonrails.org/asset_pipeline.html
+
 ### Warden
 
 Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here:
 
-https://github.com/wardencommunity/warden
+https://github.com/hassox/warden
 
 ### Contributors
 
 We have a long list of valued contributors. Check them all at:
 
-https://github.com/heartcombo/devise/graphs/contributors
+https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2020 Rafael França, Leaonardo Tegon, Carlos Antônio da Silva. Copyright 2009-2019 Plataformatec.
+MIT License. Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
-The Devise logo is licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License](https://creativecommons.org/licenses/by-nc-nd/4.0/).
+You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

app/controllers/devise/passwords_controller.rb

@@ -47,7 +47,12 @@ class Devise::PasswordsController < DeviseController
       respond_with resource, location: after_resetting_password_path_for(resource)
     else
       set_minimum_password_length
-      respond_with resource
+
+      if expired_token_error?(resource)
+        redirect_to new_password_path(resource_name), alert: t('devise.passwords.expired_token')
+      else
+        respond_with resource
+      end
     end
   end
 
@@ -80,4 +85,9 @@ class Devise::PasswordsController < DeviseController
     def translation_scope
       'devise.passwords'
     end
+
+  private
+    def expired_token_error?(resource)
+      resource.errors.details[:reset_password_token].any? { |error| error[:error] == :expired }
+    end
 end

app/controllers/devise/sessions_controller.rb

@@ -28,7 +28,7 @@ class Devise::SessionsController < DeviseController
     signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
     set_flash_message! :notice, :signed_out if signed_out
     yield if block_given?
-    respond_to_on_destroy
+    respond_to_on_destroy(status: :no_content)
   end
 
   protected
@@ -62,7 +62,7 @@ class Devise::SessionsController < DeviseController
     if all_signed_out?
       set_flash_message! :notice, :already_signed_out
 
-      respond_to_on_destroy
+      respond_to_on_destroy(status: :unauthorized)
     end
   end
 
@@ -72,11 +72,11 @@ class Devise::SessionsController < DeviseController
     users.all?(&:blank?)
   end
 
-  def respond_to_on_destroy
+  def respond_to_on_destroy(status:)
     # We actually need to hardcode this as Rails default responder doesn't
     # support returning empty response on GET request
     respond_to do |format|
-      format.all { head :no_content }
+      format.all { head status }
       format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }
     end
   end

app/controllers/devise_controller.rb

@@ -112,7 +112,7 @@ MESSAGE
     end
 
     if authenticated && resource = warden.user(resource_name)
-      set_flash_message(:alert, 'already_authenticated', scope: 'devise.failure')
+      flash[:alert] = I18n.t("devise.failure.already_authenticated")
       redirect_to after_sign_in_path_for(resource)
     end
   end
@@ -184,7 +184,7 @@ MESSAGE
     options[:default] = Array(options[:default]).unshift(kind.to_sym)
     options[:resource_name] = resource_name
     options = devise_i18n_options(options)
-    I18n.t("#{options[:resource_name]}.#{kind}", **options)
+    I18n.t("#{options[:resource_name]}.#{kind}", options)
   end
 
   # Controllers inheriting DeviseController are advised to override this

config/locales/en.yml

@@ -1,4 +1,4 @@
-# Additional translations at https://github.com/heartcombo/devise/wiki/I18n
+# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
 
 en:
   devise:
@@ -10,7 +10,11 @@ en:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
       invalid: "Invalid %{authentication_keys} or password."
-      locked: "Your account is locked."
+      locked:                                                                                                 
+        none: "Your account is locked."                                                                       
+        email: "Your account is locked. An email has been sent with instructions on how to unlock your account."
+        time: "Your account is locked. Your account will become available after a certain amount of time."       
+        both: "Your account is locked. An email has been sent with instructions on how to unlock your account, or wait a certain amount of time and try again."
       last_attempt: "You have one more attempt before your account is locked."
       not_found_in_database: "Invalid %{authentication_keys} or password."
       timeout: "Your session expired. Please sign in again to continue."
@@ -36,6 +40,7 @@ en:
       send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
       updated: "Your password has been changed successfully. You are now signed in."
       updated_not_active: "Your password has been changed successfully."
+      expired_token: "The password recovery link expired. Please request a new one."
     registrations:
       destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
       signed_up: "Welcome! You have signed up successfully."

devise.gemspec

@@ -10,18 +10,18 @@ Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.licenses    = ["MIT"]
   s.summary     = "Flexible authentication solution for Rails with Warden"
-  s.email       = "heartcombo@googlegroups.com"
-  s.homepage    = "https://github.com/heartcombo/devise"
+  s.email       = "contact@plataformatec.com.br"
+  s.homepage    = "https://github.com/plataformatec/devise"
   s.description = "Flexible authentication solution for Rails with Warden"
   s.authors     = ['José Valim', 'Carlos Antônio']
 
   s.files         = Dir["{app,config,lib}/**/*", "CHANGELOG.md", "MIT-LICENSE", "README.md"]
   s.require_paths = ["lib"]
-  s.required_ruby_version = '>= 2.1.0'
+  s.required_ruby_version = '>= 2.3.0'
 
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0")
+  s.add_dependency("railties", ">= 5.0")
   s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -7,6 +7,30 @@ GIT
       actionpack (= 4.1.16)
       actionview (= 4.1.16)
       mail (~> 2.5, >= 2.5.4)
+    rails (4.1.16)
+      actionmailer (= 4.1.16)
+      actionpack (= 4.1.16)
+      actionview (= 4.1.16)
+      activemodel (= 4.1.16)
+      activerecord (= 4.1.16)
+      activesupport (= 4.1.16)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.16)
+      sprockets-rails (~> 2.0)
+
+PATH
+  remote: ..
+  specs:
+    devise (4.7.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
     actionpack (4.1.16)
       actionview (= 4.1.16)
       activesupport (= 4.1.16)
@@ -29,55 +53,29 @@ GIT
       minitest (~> 5.1)
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
-    rails (4.1.16)
-      actionmailer (= 4.1.16)
-      actionpack (= 4.1.16)
-      actionview (= 4.1.16)
-      activemodel (= 4.1.16)
-      activerecord (= 4.1.16)
-      activesupport (= 4.1.16)
-      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.16)
-      sprockets-rails (~> 2.0)
-    railties (4.1.16)
-      actionpack (= 4.1.16)
-      activesupport (= 4.1.16)
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-
-PATH
-  remote: ..
-  specs:
-    devise (4.7.2)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
     arel (5.0.1.20140414130214)
     bcrypt (3.1.13)
-    bson (3.2.7)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    connection_pool (2.2.3)
+    bson (3.2.6)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    connection_pool (2.2.1)
     erubis (2.7.0)
-    faraday (1.0.1)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    hashie (3.6.0)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
+    hashie (3.5.5)
+    i18n (0.8.1)
     json (1.8.6)
-    jwt (2.2.1)
-    mail (2.7.1)
-      mini_mime (>= 0.1.1)
-    mini_mime (1.0.2)
+    jwt (1.5.6)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
+    metaclass (0.0.4)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
     mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
+    minitest (5.10.1)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
     mongoid (4.0.2)
       activemodel (~> 4.0)
       moped (~> 2.0.0)
@@ -87,30 +85,30 @@ GEM
       bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.14.1)
+    multi_json (1.12.1)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
+    multipart-post (2.0.0)
     nokogiri (1.9.1)
       mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
     omniauth (1.4.2)
       hashie (>= 1.2, < 4)
       rack (>= 1.0, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.5.0)
-      oauth2 (~> 1.1)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
       omniauth (~> 1.2)
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.3.1)
+    origin (2.3.0)
     orm_adapter (0.5.0)
     rack (1.5.5)
     rack-openid (1.3.1)
@@ -118,12 +116,17 @@ GEM
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rake (13.0.1)
+    railties (4.1.16)
+      actionpack (= 4.1.16)
+      activesupport (= 4.1.16)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.0.0)
     rdoc (5.1.0)
     responders (1.1.2)
       railties (>= 3.2, < 4.2)
-    ruby-openid (2.9.2)
-    sprockets (3.7.2)
+    ruby-openid (2.7.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (2.3.3)
@@ -131,12 +134,12 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.13)
-    test_after_commit (1.2.2)
-      activerecord (>= 3.2, < 5.0)
-    thor (1.0.1)
+    test_after_commit (1.1.0)
+      activerecord (>= 3.2)
+    thor (0.19.4)
     thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.7)
+    timecop (0.8.1)
+    tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
       rack (>= 1.0)

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -1,63 +1,63 @@
 GIT
   remote: git://github.com/rails/rails.git
-  revision: c0cb0cbf976a3cf8ad1b0e2d0f813602a712e997
+  revision: dc3ae21802c316e1639239d28202db7aa7fb7cac
   branch: 4-2-stable
   specs:
-    actionmailer (4.2.11.3)
-      actionpack (= 4.2.11.3)
-      actionview (= 4.2.11.3)
-      activejob (= 4.2.11.3)
+    actionmailer (4.2.8)
+      actionpack (= 4.2.8)
+      actionview (= 4.2.8)
+      activejob (= 4.2.8)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.11.3)
-      actionview (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
+    actionpack (4.2.8)
+      actionview (= 4.2.8)
+      activesupport (= 4.2.8)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11.3)
-      activesupport (= 4.2.11.3)
+    actionview (4.2.8)
+      activesupport (= 4.2.8)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (4.2.11.3)
-      activesupport (= 4.2.11.3)
+    activejob (4.2.8)
+      activesupport (= 4.2.8)
       globalid (>= 0.3.0)
-    activemodel (4.2.11.3)
-      activesupport (= 4.2.11.3)
+    activemodel (4.2.8)
+      activesupport (= 4.2.8)
       builder (~> 3.1)
-    activerecord (4.2.11.3)
-      activemodel (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
+    activerecord (4.2.8)
+      activemodel (= 4.2.8)
+      activesupport (= 4.2.8)
       arel (~> 6.0)
-    activesupport (4.2.11.3)
+    activesupport (4.2.8)
       i18n (~> 0.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    rails (4.2.11.3)
-      actionmailer (= 4.2.11.3)
-      actionpack (= 4.2.11.3)
-      actionview (= 4.2.11.3)
-      activejob (= 4.2.11.3)
-      activemodel (= 4.2.11.3)
-      activerecord (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
+    rails (4.2.8)
+      actionmailer (= 4.2.8)
+      actionpack (= 4.2.8)
+      actionview (= 4.2.8)
+      activejob (= 4.2.8)
+      activemodel (= 4.2.8)
+      activerecord (= 4.2.8)
+      activesupport (= 4.2.8)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.11.3)
+      railties (= 4.2.8)
       sprockets-rails
-    railties (4.2.11.3)
-      actionpack (= 4.2.11.3)
-      activesupport (= 4.2.11.3)
+    railties (4.2.8)
+      actionpack (= 4.2.8)
+      activesupport (= 4.2.8)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
 
 PATH
   remote: ..
   specs:
-    devise (4.7.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -69,29 +69,30 @@ GEM
   specs:
     arel (6.0.4)
     bcrypt (3.1.13)
-    bson (3.2.7)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    connection_pool (2.2.3)
-    crass (1.0.6)
+    bson (3.2.6)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    connection_pool (2.2.1)
     erubis (2.7.0)
-    faraday (1.0.1)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
-    jwt (2.2.1)
-    loofah (2.5.0)
-      crass (~> 1.0.2)
+    globalid (0.3.7)
+      activesupport (>= 4.1.0)
+    hashie (3.5.5)
+    i18n (0.8.1)
+    jwt (1.5.6)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
-      mini_mime (>= 0.1.1)
-    mini_mime (1.0.2)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
+    metaclass (0.0.4)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
     mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
+    minitest (5.10.1)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
     mongoid (4.0.2)
       activemodel (~> 4.0)
       moped (~> 2.0.0)
@@ -101,32 +102,32 @@ GEM
       bson (~> 3.0)
       connection_pool (~> 2.0)
       optionable (~> 0.2.0)
-    multi_json (1.14.1)
+    multi_json (1.12.1)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
+    multipart-post (2.0.0)
     nokogiri (1.9.1)
       mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     optionable (0.2.0)
-    origin (2.3.1)
+    origin (2.3.0)
     orm_adapter (0.5.0)
-    rack (1.6.13)
+    rack (1.6.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -134,32 +135,32 @@ GEM
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.9)
-      activesupport (>= 4.2.0, < 5.0)
+    rails-dom-testing (1.0.8)
+      activesupport (>= 4.2.0.beta, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    rake (13.0.1)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    rake (12.0.0)
     rdoc (5.1.0)
     responders (2.4.1)
       actionpack (>= 4.2.0, < 6.0)
       railties (>= 4.2.0, < 6.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
+    ruby-openid (2.7.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.1)
+    sprockets-rails (3.2.0)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
-    test_after_commit (1.2.2)
-      activerecord (>= 3.2, < 5.0)
-    thor (1.0.1)
+    test_after_commit (1.1.0)
+      activerecord (>= 3.2)
+    thor (0.19.4)
     thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.7)
+    timecop (0.8.1)
+    tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
       rack (>= 1.0)

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -1,171 +1,172 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 93689638c28525acc65afb638fce866826532641
+  revision: dd9c0acf26aab111ebc647cd8deb99ebc6946531
   specs:
-    activemodel-serializers-xml (1.0.2)
-      activemodel (>= 5.0.0.a)
-      activesupport (>= 5.0.0.a)
+    activemodel-serializers-xml (1.0.1)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
       builder (~> 3.1)
 
 PATH
   remote: ..
   specs:
-    devise (4.7.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 5.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.0.7.2)
-      actionpack (= 5.0.7.2)
+    actioncable (5.0.2)
+      actionpack (= 5.0.2)
       nio4r (>= 1.2, < 3.0)
       websocket-driver (~> 0.6.1)
-    actionmailer (5.0.7.2)
-      actionpack (= 5.0.7.2)
-      actionview (= 5.0.7.2)
-      activejob (= 5.0.7.2)
+    actionmailer (5.0.2)
+      actionpack (= 5.0.2)
+      actionview (= 5.0.2)
+      activejob (= 5.0.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.0.7.2)
-      actionview (= 5.0.7.2)
-      activesupport (= 5.0.7.2)
+    actionpack (5.0.2)
+      actionview (= 5.0.2)
+      activesupport (= 5.0.2)
       rack (~> 2.0)
       rack-test (~> 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.0.7.2)
-      activesupport (= 5.0.7.2)
+    actionview (5.0.2)
+      activesupport (= 5.0.2)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.0.7.2)
-      activesupport (= 5.0.7.2)
+    activejob (5.0.2)
+      activesupport (= 5.0.2)
       globalid (>= 0.3.6)
-    activemodel (5.0.7.2)
-      activesupport (= 5.0.7.2)
-    activerecord (5.0.7.2)
-      activemodel (= 5.0.7.2)
-      activesupport (= 5.0.7.2)
+    activemodel (5.0.2)
+      activesupport (= 5.0.2)
+    activerecord (5.0.2)
+      activemodel (= 5.0.2)
+      activesupport (= 5.0.2)
       arel (~> 7.0)
-    activesupport (5.0.7.2)
+    activesupport (5.0.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
+      i18n (~> 0.7)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (7.1.4)
     bcrypt (3.1.13)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    crass (1.0.6)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
     erubis (2.7.0)
-    faraday (1.0.1)
+    faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.2)
+    globalid (0.4.0)
       activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (1.8.3)
-      concurrent-ruby (~> 1.0)
-    jwt (2.2.1)
-    loofah (2.5.0)
-      crass (~> 1.0.2)
+    hashie (3.5.5)
+    i18n (0.8.1)
+    jwt (1.5.6)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
-      mini_mime (>= 0.1.1)
-    method_source (1.0.0)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
-    multi_json (1.14.1)
+    mail (2.6.5)
+      mime-types (>= 1.16, < 4)
+    metaclass (0.0.4)
+    method_source (0.8.2)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    mocha (1.2.1)
+      metaclass (~> 0.0.1)
+    multi_json (1.12.1)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nio4r (2.5.2)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
+    multipart-post (2.0.0)
+    nio4r (2.0.0)
+    nokogiri (1.7.2)
+      mini_portile2 (~> 2.1.0)
+    oauth2 (1.3.1)
+      faraday (>= 0.8, < 0.12)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
+    omniauth (1.6.1)
+      hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (4.0.0)
       omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.2.2)
+    rack (2.0.2)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (0.6.3)
       rack (>= 1.0)
-    rails (5.0.7.2)
-      actioncable (= 5.0.7.2)
-      actionmailer (= 5.0.7.2)
-      actionpack (= 5.0.7.2)
-      actionview (= 5.0.7.2)
-      activejob (= 5.0.7.2)
-      activemodel (= 5.0.7.2)
-      activerecord (= 5.0.7.2)
-      activesupport (= 5.0.7.2)
-      bundler (>= 1.3.0)
-      railties (= 5.0.7.2)
+    rails (5.0.2)
+      actioncable (= 5.0.2)
+      actionmailer (= 5.0.2)
+      actionpack (= 5.0.2)
+      actionview (= 5.0.2)
+      activejob (= 5.0.2)
+      activemodel (= 5.0.2)
+      activerecord (= 5.0.2)
+      activesupport (= 5.0.2)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 5.0.2)
       sprockets-rails (>= 2.0.0)
-    rails-controller-testing (1.0.4)
-      actionpack (>= 5.0.1.x)
-      actionview (>= 5.0.1.x)
-      activesupport (>= 5.0.1.x)
+    rails-controller-testing (1.0.1)
+      actionpack (~> 5.x)
+      actionview (~> 5.x)
+      activesupport (~> 5.x)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (5.0.7.2)
-      actionpack (= 5.0.7.2)
-      activesupport (= 5.0.7.2)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.0.2)
+      actionpack (= 5.0.2)
+      activesupport (= 5.0.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
+    rake (12.0.0)
+    rdoc (5.1.0)
+    responders (2.4.0)
+      actionpack (>= 4.2.0, < 5.3)
+      railties (>= 4.2.0, < 5.3)
+    ruby-openid (2.7.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.1)
+    sprockets-rails (3.2.0)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
-    thor (1.0.1)
+    thor (0.19.4)
     thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.7)
+    timecop (0.8.1)
+    tzinfo (1.2.3)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.7)
+      rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
     websocket-driver (0.6.5)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
+    websocket-extensions (0.1.2)
 
 PLATFORMS
   ruby
@@ -183,6 +184,7 @@ DEPENDENCIES
   rdoc
   responders (~> 2.1)
   sqlite3 (~> 1.3.6)
+  test_after_commit
   timecop
   webrat (= 0.7.3)
 

gemfiles/Gemfile.rails-5.1-stable

@@ -1,26 +0,0 @@
-source "https://rubygems.org"
-
-gemspec path: ".."
-
-gem "rails", '~> 5.1.0'
-gem "omniauth"
-gem "omniauth-oauth2"
-gem "rdoc"
-
-gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
-
-gem "rails-controller-testing"
-
-gem "responders", "~> 2.1"
-
-group :test do
-  gem "omniauth-facebook"
-  gem "omniauth-openid"
-  gem "timecop"
-  gem "webrat", "0.7.3", require: false
-  gem "mocha", "~> 1.1", require: false
-end
-
-platforms :ruby do
-  gem "sqlite3", "~> 1.3.6"
-end

gemfiles/Gemfile.rails-5.1-stable.lock

@@ -1,190 +0,0 @@
-GIT
-  remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 93689638c28525acc65afb638fce866826532641
-  specs:
-    activemodel-serializers-xml (1.0.2)
-      activemodel (>= 5.0.0.a)
-      activesupport (>= 5.0.0.a)
-      builder (~> 3.1)
-
-PATH
-  remote: ..
-  specs:
-    devise (4.7.2)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actioncable (5.1.7)
-      actionpack (= 5.1.7)
-      nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
-      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 2.0)
-    actionpack (5.1.7)
-      actionview (= 5.1.7)
-      activesupport (= 5.1.7)
-      rack (~> 2.0)
-      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.7)
-      activesupport (= 5.1.7)
-      builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.7)
-      activesupport (= 5.1.7)
-      globalid (>= 0.3.6)
-    activemodel (5.1.7)
-      activesupport (= 5.1.7)
-    activerecord (5.1.7)
-      activemodel (= 5.1.7)
-      activesupport (= 5.1.7)
-      arel (~> 8.0)
-    activesupport (5.1.7)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    arel (8.0.0)
-    bcrypt (3.1.13)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    crass (1.0.6)
-    erubi (1.9.0)
-    faraday (1.0.1)
-      multipart-post (>= 1.2, < 3)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (1.8.3)
-      concurrent-ruby (~> 1.0)
-    jwt (2.2.1)
-    loofah (2.5.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
-    mail (2.7.1)
-      mini_mime (>= 0.1.1)
-    method_source (1.0.0)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
-    multi_json (1.14.1)
-    multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nio4r (2.5.2)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
-    orm_adapter (0.5.0)
-    rack (2.2.2)
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
-    rails (5.1.7)
-      actioncable (= 5.1.7)
-      actionmailer (= 5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
-      activemodel (= 5.1.7)
-      activerecord (= 5.1.7)
-      activesupport (= 5.1.7)
-      bundler (>= 1.3.0)
-      railties (= 5.1.7)
-      sprockets-rails (>= 2.0.0)
-    rails-controller-testing (1.0.4)
-      actionpack (>= 5.0.1.x)
-      actionview (>= 5.0.1.x)
-      activesupport (>= 5.0.1.x)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
-      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (5.1.7)
-      actionpack (= 5.1.7)
-      activesupport (= 5.1.7)
-      method_source
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
-      concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.2.1)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
-    thor (1.0.1)
-    thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
-    webrat (0.7.3)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-    websocket-driver (0.6.5)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activemodel-serializers-xml!
-  devise!
-  mocha (~> 1.1)
-  omniauth
-  omniauth-facebook
-  omniauth-oauth2
-  omniauth-openid
-  rails (~> 5.1.0)
-  rails-controller-testing
-  rdoc
-  responders (~> 2.1)
-  sqlite3 (~> 1.3.6)
-  timecop
-  webrat (= 0.7.3)
-
-BUNDLED WITH
-   1.17.3

gemfiles/Gemfile.rails-5.2-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '~> 5.2.0'
+gem "rails", '~> 5.2'
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -1,158 +1,160 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 93689638c28525acc65afb638fce866826532641
+  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
   specs:
     activemodel-serializers-xml (1.0.2)
-      activemodel (>= 5.0.0.a)
-      activesupport (>= 5.0.0.a)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
       builder (~> 3.1)
 
 PATH
   remote: ..
   specs:
-    devise (4.7.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 5.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.4.3)
-      actionpack (= 5.2.4.3)
+    actioncable (5.2.1)
+      actionpack (= 5.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.4.3)
-      actionpack (= 5.2.4.3)
-      actionview (= 5.2.4.3)
-      activejob (= 5.2.4.3)
+    actionmailer (5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.4.3)
-      actionview (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (5.2.1)
+      actionview (= 5.2.1)
+      activesupport (= 5.2.1)
+      rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.3)
-      activesupport (= 5.2.4.3)
+    actionview (5.2.1)
+      activesupport (= 5.2.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.4.3)
-      activesupport (= 5.2.4.3)
+    activejob (5.2.1)
+      activesupport (= 5.2.1)
       globalid (>= 0.3.6)
-    activemodel (5.2.4.3)
-      activesupport (= 5.2.4.3)
-    activerecord (5.2.4.3)
-      activemodel (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    activemodel (5.2.1)
+      activesupport (= 5.2.1)
+    activerecord (5.2.1)
+      activemodel (= 5.2.1)
+      activesupport (= 5.2.1)
       arel (>= 9.0)
-    activestorage (5.2.4.3)
-      actionpack (= 5.2.4.3)
-      activerecord (= 5.2.4.3)
+    activestorage (5.2.1)
+      actionpack (= 5.2.1)
+      activerecord (= 5.2.1)
       marcel (~> 0.3.1)
-    activesupport (5.2.4.3)
+    activesupport (5.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     bcrypt (3.1.13)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    crass (1.0.6)
-    erubi (1.9.0)
-    faraday (1.0.1)
+    builder (3.2.3)
+    concurrent-ruby (1.0.5)
+    crass (1.0.4)
+    erubi (1.7.1)
+    faraday (0.12.2)
       multipart-post (>= 1.2, < 3)
-    globalid (0.4.2)
+    globalid (0.4.1)
       activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (1.8.3)
+    hashie (3.5.7)
+    i18n (1.1.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.2.1)
-    loofah (2.5.0)
+    jwt (1.5.6)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
+    mail (2.7.0)
       mini_mime (>= 0.1.1)
     marcel (0.3.3)
       mimemagic (~> 0.3.2)
-    method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
-    multi_json (1.14.1)
+    metaclass (0.0.4)
+    method_source (0.9.0)
+    mimemagic (0.3.2)
+    mini_mime (1.0.1)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    mocha (1.7.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.1.1)
-    nio4r (2.5.2)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
-      jwt (>= 1.0, < 3.0)
+    multipart-post (2.0.0)
+    nio4r (2.3.1)
+    nokogiri (1.8.5)
+      mini_portile2 (~> 2.3.0)
+    oauth2 (1.4.0)
+      faraday (>= 0.8, < 0.13)
+      jwt (~> 1.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (5.0.0)
       omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.6.0)
+    omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
-      omniauth (~> 1.9)
+      omniauth (~> 1.2)
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.2.2)
+    rack (2.0.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.4.3)
-      actioncable (= 5.2.4.3)
-      actionmailer (= 5.2.4.3)
-      actionpack (= 5.2.4.3)
-      actionview (= 5.2.4.3)
-      activejob (= 5.2.4.3)
-      activemodel (= 5.2.4.3)
-      activerecord (= 5.2.4.3)
-      activestorage (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    rails (5.2.1)
+      actioncable (= 5.2.1)
+      actionmailer (= 5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      activemodel (= 5.2.1)
+      activerecord (= 5.2.1)
+      activestorage (= 5.2.1)
+      activesupport (= 5.2.1)
       bundler (>= 1.3.0)
-      railties (= 5.2.4.3)
+      railties (= 5.2.1)
       sprockets-rails (>= 2.0.0)
-    rails-controller-testing (1.0.4)
-      actionpack (>= 5.0.1.x)
-      actionview (>= 5.0.1.x)
-      activesupport (>= 5.0.1.x)
+    rails-controller-testing (1.0.2)
+      actionpack (~> 5.x, >= 5.0.1)
+      actionview (~> 5.x, >= 5.0.1)
+      activesupport (~> 5.x)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (5.2.4.3)
-      actionpack (= 5.2.4.3)
-      activesupport (= 5.2.4.3)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.1)
+      actionpack (= 5.2.1)
+      activesupport (= 5.2.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
+    rake (12.3.1)
+    rdoc (6.0.4)
+    responders (2.4.0)
+      actionpack (>= 4.2.0, < 5.3)
+      railties (>= 4.2.0, < 5.3)
+    ruby-openid (2.7.0)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
@@ -160,20 +162,20 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
-    thor (1.0.1)
+    thor (0.20.0)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    tzinfo (1.2.7)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.7)
+      rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.2)
+    websocket-driver (0.7.0)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
+    websocket-extensions (0.1.3)
 
 PLATFORMS
   ruby
@@ -186,11 +188,12 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (~> 5.2.0)
+  rails (~> 5.2)
   rails-controller-testing
   rdoc
   responders (~> 2.1)
   sqlite3 (~> 1.3.6)
+  test_after_commit
   timecop
   webrat (= 0.7.3)
 

gemfiles/Gemfile.rails-6.0-stable

@@ -9,7 +9,7 @@ gem "rdoc"
 
 gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
 
-gem "rails-controller-testing", github: "rails/rails-controller-testing"
+gem "rails-controller-testing"
 
 gem "responders", "~> 3.0"
 
@@ -19,6 +19,7 @@ group :test do
   gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :ruby do

gemfiles/Gemfile.rails-6.0-stable.lock

@@ -7,125 +7,118 @@ GIT
       activesupport (>= 5.0.0.a)
       builder (~> 3.1)
 
-GIT
-  remote: git://github.com/rails/rails-controller-testing.git
-  revision: a60b3da1c1c77959b28606dd087c058c64b5a08f
-  specs:
-    rails-controller-testing (1.0.4)
-      actionpack (>= 5.0.1.rc1)
-      actionview (>= 5.0.1.rc1)
-      activesupport (>= 5.0.1.rc1)
-
 PATH
   remote: ..
   specs:
-    devise (4.7.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
+      railties (>= 5.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.3.1)
-      actionpack (= 6.0.3.1)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       mail (>= 2.7.1)
-    actionmailer (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.1)
-      actionview (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
+      rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.1)
-      activesupport (= 6.0.3.1)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activerecord (6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
-    activestorage (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.3.1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      zeitwerk (~> 2.1, >= 2.1.8)
     bcrypt (3.1.13)
-    builder (3.2.4)
-    concurrent-ruby (1.1.6)
-    crass (1.0.6)
-    erubi (1.9.0)
-    faraday (1.0.1)
+    builder (3.2.3)
+    concurrent-ruby (1.1.5)
+    crass (1.0.4)
+    erubi (1.8.0)
+    faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    hashie (4.1.0)
-    i18n (1.8.3)
+    hashie (3.6.0)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
     jwt (2.2.1)
-    loofah (2.5.0)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
     marcel (0.3.3)
       mimemagic (~> 0.3.2)
-    method_source (1.0.0)
-    mimemagic (0.3.5)
+    metaclass (0.0.4)
+    method_source (0.9.2)
+    mimemagic (0.3.3)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    mocha (1.11.2)
-    multi_json (1.14.1)
+    minitest (5.11.3)
+    mocha (1.9.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.13.1)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
-    nio4r (2.5.2)
-    nokogiri (1.10.9)
+    nio4r (2.4.0)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
-    oauth2 (1.4.4)
-      faraday (>= 0.8, < 2.0)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
-      hashie (>= 3.4.6)
+    omniauth (1.9.0)
+      hashie (>= 3.4.6, < 3.7.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (6.0.0)
+    omniauth-facebook (5.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
@@ -134,56 +127,62 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.2.2)
+    rack (2.0.7)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.3.1)
-      actioncable (= 6.0.3.1)
-      actionmailbox (= 6.0.3.1)
-      actionmailer (= 6.0.3.1)
-      actionpack (= 6.0.3.1)
-      actiontext (= 6.0.3.1)
-      actionview (= 6.0.3.1)
-      activejob (= 6.0.3.1)
-      activemodel (= 6.0.3.1)
-      activerecord (= 6.0.3.1)
-      activestorage (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.3.1)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.4)
+      actionpack (>= 5.0.1.x)
+      actionview (>= 5.0.1.x)
+      activesupport (>= 5.0.1.x)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    rails-html-sanitizer (1.2.0)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (13.0.1)
-    rdoc (6.2.1)
-    responders (3.0.1)
+    rake (12.3.3)
+    rdoc (6.1.1)
+    responders (3.0.0)
       actionpack (>= 5.0)
       railties (>= 5.0)
-    ruby-openid (2.9.2)
-    sprockets (4.0.1)
+    ruby-openid (2.7.0)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.4.2)
-    thor (1.0.1)
+    sqlite3 (1.4.1)
+    test_after_commit (1.1.0)
+      activerecord (>= 3.2)
+    thor (0.20.3)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    tzinfo (1.2.7)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
     warden (1.2.8)
       rack (>= 2.0.6)
@@ -191,10 +190,10 @@ GEM
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.2)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
-    zeitwerk (2.3.0)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.9)
 
 PLATFORMS
   ruby
@@ -208,10 +207,11 @@ DEPENDENCIES
   omniauth-oauth2
   omniauth-openid
   rails (~> 6.0.0)
-  rails-controller-testing!
+  rails-controller-testing
   rdoc
   responders (~> 3.0)
   sqlite3 (~> 1.4)
+  test_after_commit
   timecop
   webrat (= 0.7.3)
 

lib/devise.rb

@@ -297,6 +297,10 @@ module Devise
   mattr_accessor :sign_in_after_change_password
   @@sign_in_after_change_password = true
 
+  def self.rails51? # :nodoc:
+    Rails.gem_version >= Gem::Version.new("5.1.x")
+  end
+
   def self.activerecord51? # :nodoc:
     defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
   end
@@ -498,12 +502,8 @@ module Devise
 
   # constant-time comparison algorithm to prevent timing attacks
   def self.secure_compare(a, b)
-    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
-    l = a.unpack "C#{a.bytesize}"
-
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
+    return false if a.nil? || b.nil?
+    ActiveSupport::SecurityUtils.secure_compare(a, b)
   end
 end
 

lib/devise/controllers/helpers.rb

@@ -53,7 +53,7 @@ module Devise
 
             def #{group_name}_signed_in?
               #{mappings}.any? do |mapping|
-                warden.authenticate?(scope: mapping)
+                warden.authenticated?(scope: mapping)
               end
             end
 
@@ -119,7 +119,7 @@ module Devise
           end
 
           def #{mapping}_signed_in?
-            !!current_#{mapping}
+            !!(@current_#{mapping} || warden.authenticated?(scope: :#{mapping}))
           end
 
           def current_#{mapping}

lib/devise/controllers/sign_in_out.rb

@@ -12,7 +12,7 @@ module Devise
       # authentication hooks, you can directly call `warden.authenticated?(scope: scope)`
       def signed_in?(scope=nil)
         [scope || Devise.mappings.keys].flatten.any? do |_scope|
-          warden.authenticate?(scope: _scope)
+          warden.authenticated?(scope: _scope)
         end
       end
 
@@ -21,7 +21,7 @@ module Devise
       # to the set_user method in warden.
       # If you are using a custom warden strategy and the timeoutable module, you have to
       # set `env["devise.skip_timeout"] = true` in the request to use this method, like we do
-      # in the sessions controller: https://github.com/heartcombo/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
+      # in the sessions controller: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L7
       #
       # Examples:
       #
@@ -51,6 +51,7 @@ module Devise
           true
         else
           warden.set_user(resource, options.merge!(scope: scope))
+          resource.update_tracked_fields!(warden.request) if resource.respond_to?(:update_tracked_fields!)
         end
       end
 

lib/devise/failure_app.rb

@@ -103,11 +103,14 @@ module Devise
         options[:scope] = "devise.failure"
         options[:default] = [message]
         auth_keys = scope_class.authentication_keys
-        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key).downcase }
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
+        translated_message = I18n.t(:"#{scope}.#{message}", options)
 
-        I18n.t(:"#{scope}.#{message}", **options)
+        # only call `#humanize` when the message is `:invalid` to ensure the original format
+        # of other messages - like `:does_not_exist` - is kept.
+        message == :invalid ? translated_message.humanize : translated_message
       else
         message.to_s
       end
@@ -152,7 +155,7 @@ module Devise
 
       # We need to add the rootpath to `script_name` manually for applications that use a Rails
       # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
-      # that use Devise. Remove it when the support of Rails 5.0 is dropped.
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
       elsif root_path_defined?(context) && !rails_51_and_up?
         rootpath = context.routes.url_helpers.root_path
         opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1

lib/devise/hooks/timeoutable.rb

@@ -21,8 +21,8 @@ Warden::Manager.after_set_user do |record, warden, options|
 
     proxy = Devise::Hooks::Proxy.new(warden)
 
-    if !env['devise.skip_timeout'] &&
-        record.timedout?(last_request_at) &&
+    if record.timedout?(last_request_at) &&
+        !env['devise.skip_timeout'] &&
         !proxy.remember_me_is_active?(record)
       Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
       throw :warden, scope: scope, message: :timeout

lib/devise/hooks/trackable.rb

@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-# After each sign in, update sign in time, sign in count and sign in IP.
-# This is only triggered when the user is explicitly set (with set_user)
-# and on authentication. Retrieving the user from session (:fetch) does
-# not trigger it.
-Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope]) && !warden.request.env['devise.skip_trackable']
-    record.update_tracked_fields!(warden.request)
-  end
-end

lib/devise/models/authenticatable.rb

@@ -152,8 +152,7 @@ module Devise
       #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
-      #         # For Rails < 6 use `changed?` instead of `saved_changes?`.
-      #         if new_record? || saved_changes?
+      #         if new_record? || changed?
       #           pending_devise_notifications << [notification, args]
       #         else
       #           render_and_send_devise_message(notification, *args)
@@ -183,11 +182,8 @@ module Devise
       #         # Deliver later with Active Job's `deliver_later`
       #         if message.respond_to?(:deliver_later)
       #           message.deliver_later
-      #         # Remove once we move to Rails 4.2+ only, as `deliver` is deprecated.
-      #         elsif message.respond_to?(:deliver_now)
-      #           message.deliver_now
       #         else
-      #           message.deliver
+      #           message.deliver_now
       #         end
       #       end
       #
@@ -195,12 +191,7 @@ module Devise
       #
       def send_devise_notification(notification, *args)
         message = devise_mailer.send(notification, self, *args)
-        # Remove once we move to Rails 4.2+ only.
-        if message.respond_to?(:deliver_now)
-          message.deliver_now
-        else
-          message.deliver
-        end
+        message.deliver_now
       end
 
       def downcase_keys

lib/devise/models/database_authenticatable.rb

@@ -7,10 +7,6 @@ module Devise
     # Authenticatable Module, responsible for hashing the password and
     # validating the authenticity of a user while signing in.
     #
-    # This module defines a `password=` method. This method will hash the argument
-    # and store it in the `encrypted_password` column, bypassing any pre-existing
-    # `password` column if it exists.
-    #
     # == Options
     #
     # DatabaseAuthenticatable adds the following options to devise_for:
@@ -84,16 +80,7 @@ module Devise
       # users to change relevant information like the e-mail without changing
       # their password). In case the password field is rejected, the confirmation
       # is also rejected as long as it is also blank.
-      def update_with_password(params, *options)
-        if options.present?
-          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
-            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
-            (`options`) is deprecated and it will be removed in the next major version.
-            It was added to support a feature deprecated in Rails 4, so you can safely remove it
-            from your code.
-          DEPRECATION
-        end
-
+      def update_with_password(params)
         current_password = params.delete(:current_password)
 
         if params[:password].blank?
@@ -102,9 +89,9 @@ module Devise
         end
 
         result = if valid_password?(current_password)
-          update(params, *options)
+          update(params)
         else
-          assign_attributes(params, *options)
+          assign_attributes(params)
           valid?
           errors.add(:current_password, current_password.blank? ? :blank : :invalid)
           false
@@ -126,20 +113,11 @@ module Devise
       #     super(params)
       #   end
       #
-      def update_without_password(params, *options)
-        if options.present?
-          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
-            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
-            (`options`) is deprecated and it will be removed in the next major version.
-            It was added to support a feature deprecated in Rails 4, so you can safely remove it
-            from your code.
-          DEPRECATION
-        end
-
+      def update_without_password(params)
         params.delete(:password)
         params.delete(:password_confirmation)
 
-        result = update(params, *options)
+        result = update(params)
         clean_up_passwords
         result
       end
@@ -199,7 +177,7 @@ module Devise
       # Hashes the password using bcrypt. Custom hash functions should override
       # this method to apply their own algorithm.
       #
-      # See https://github.com/heartcombo/devise-encryptable for examples
+      # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
         Devise::Encryptor.digest(self.class, password)

lib/devise/models/lockable.rb

@@ -122,7 +122,15 @@ module Devise
         if Devise.paranoid
           super
         elsif access_locked? || (lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?)
-          :locked
+          if unlock_strategy_enabled?(:both)
+            'locked.both'.to_sym
+          elsif unlock_strategy_enabled?(:email)
+            'locked.email'.to_sym
+          elsif unlock_strategy_enabled?(:time)
+            'locked.time'.to_sym
+          else
+            'locked.none'.to_sym
+          end
         elsif lock_strategy_enabled?(:failed_attempts) && last_attempt? && self.class.last_attempt_warning
           :last_attempt
         else

lib/devise/models/rememberable.rb

@@ -102,7 +102,7 @@ module Devise
 
       def remember_me?(token, generated_at)
         # TODO: Normalize the JSON type coercion along with the Timeoutable hook
-        # in a single place https://github.com/heartcombo/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
+        # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
         if generated_at.is_a?(String)
           generated_at = time_from_json(generated_at)
         end

lib/devise/models/trackable.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'devise/hooks/trackable'
-
 module Devise
   module Models
     # Track information about your user sign in. It tracks the following columns:
@@ -33,9 +31,11 @@ module Devise
       def update_tracked_fields!(request)
         # We have to check if the user is already persisted before running
         # `save` here because invalid users can be saved if we don't.
-        # See https://github.com/heartcombo/devise/issues/4673 for more details.
+        # See https://github.com/plataformatec/devise/issues/4673 for more details.
         return if new_record?
 
+        return if skip_trackable_and_not_active_for_authentication?(request)
+
         update_tracked_fields(request)
         save(validate: false)
       end
@@ -46,6 +46,11 @@ module Devise
         request.remote_ip
       end
 
+      private
+
+      def skip_trackable_and_not_active_for_authentication?(request)
+        request.env['devise.skip_trackable'] || !active_for_authentication?
+      end
     end
   end
 end

lib/devise/parameter_sanitizer.rb

@@ -130,8 +130,7 @@ module Devise
     #
     # Returns an +ActiveSupport::HashWithIndifferentAccess+.
     def cast_to_hash(params)
-      # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
-      params && params.to_h.with_indifferent_access
+      params && params.to_h
     end
 
     def default_params

lib/devise/strategies/database_authenticatable.rb

@@ -12,6 +12,7 @@ module Devise
 
         if validate(resource){ hashed = true; resource.valid_password?(password) }
           remember_me(resource)
+          resource.update_tracked_fields!(request) if resource.respond_to?(:update_tracked_fields!)
           resource.after_database_authentication
           success!(resource)
         end

lib/devise/test/controller_helpers.rb

@@ -37,8 +37,6 @@ module Devise
         @response
       end
 
-      ruby2_keywords(:process) if respond_to?(:ruby2_keywords, true)
-
       # We need to set up the environment variables and the response in the controller.
       def setup_controller_for_warden #:nodoc:
         @request.env['action_controller.instance'] = @controller
@@ -141,7 +139,6 @@ module Devise
 
           status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
           @controller.response.headers.merge!(headers)
-          @controller.response.content_type = headers["Content-Type"] unless Rails::VERSION::MAJOR >= 5
           @controller.status = status
           @controller.response.body = response.body
           nil # causes process return @response

lib/devise/test/integration_helpers.rb

@@ -28,7 +28,7 @@ module Devise
         end
       end
 
-      # Signs in a specific resource, mimicking a successful sign in
+      # Signs in a specific resource, mimicking a successfull sign in
       # operation through +Devise::SessionsController#create+.
       #
       # * +resource+ - The resource that should be authenticated

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.7.2".freeze
+  VERSION = "4.7.1".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -82,23 +82,17 @@ RUBY
         postgresql?
       end
 
-      def rails5_and_up?
-        Rails::VERSION::MAJOR >= 5
-      end
-
       def postgresql?
         config = ActiveRecord::Base.configurations[Rails.env]
         config && config['adapter'] == 'postgresql'
       end
 
      def migration_version
-       if rails5_and_up?
-         "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
-       end
+       "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
      end
 
      def primary_key_type
-       primary_key_string if rails5_and_up?
+       primary_key_string
      end
 
      def primary_key_string

lib/generators/devise/devise_generator.rb

@@ -13,7 +13,7 @@ module Devise
       desc "Generates a model with the given NAME (if one does not exist) with devise " \
            "configuration plus a migration file and devise routes."
 
-      hook_for :orm, type: :boolean
+      hook_for :orm
 
       class_option :routes, desc: "Generate routes", type: :boolean, default: true
 

lib/generators/devise/views_generator.rb

@@ -42,7 +42,7 @@ module Devise
       def view_directory(name, _target_path = nil)
         directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
           if scope
-            content.gsub("devise/shared", "#{plural_scope}/shared")
+            content.gsub("devise/shared/links", "#{plural_scope}/shared/links").gsub("devise/shared/error_messages", "#{plural_scope}/shared/error_messages")
           else
             content
           end

lib/generators/templates/README

@@ -1,6 +1,6 @@
 ===============================================================================
 
-Depending on your application's configuration some manual setup may be required:
+Some setup you must do manually if you haven't yet:
 
   1. Ensure you have defined default url options in your environments files. Here
      is an example of default_url_options appropriate for a development environment
@@ -10,14 +10,10 @@ Depending on your application's configuration some manual setup may be required:
 
      In production, :host should be set to the actual host of your application.
 
-     * Required for all applications. *
-
   2. Ensure you have defined root_url to *something* in your config/routes.rb.
      For example:
 
        root to: "home#index"
-     
-     * Not required for API-only Applications *
 
   3. Ensure you have flash messages in app/views/layouts/application.html.erb.
      For example:
@@ -25,12 +21,8 @@ Depending on your application's configuration some manual setup may be required:
        <p class="notice"><%= notice %></p>
        <p class="alert"><%= alert %></p>
 
-     * Not required for API-only Applications *
-
   4. You can copy Devise views (for customization) to your app by running:
 
        rails g devise:views
-       
-     * Not required *
 
 ===============================================================================

lib/generators/templates/controllers/omniauth_callbacks_controller.rb

@@ -9,7 +9,7 @@ class <%= @scope_prefix %>OmniauthCallbacksController < Devise::OmniauthCallback
   # end
 
   # More info at:
-  # https://github.com/heartcombo/devise#omniauth
+  # https://github.com/plataformatec/devise#omniauth
 
   # GET|POST /resource/auth/twitter
   # def passthru

lib/generators/templates/devise.rb

@@ -1,11 +1,5 @@
 # frozen_string_literal: true
 
-# Assuming you have not yet modified this file, each configuration option below
-# is set to its default value. Note that some are commented out while others
-# are not: uncommented lines are intended to protect your configuration from
-# breaking changes in upgrades (i.e., in the event that future versions of
-# Devise change the default values for those options).
-#
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
@@ -74,10 +68,7 @@ Devise.setup do |config|
   # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
   # given strategies, for example, `config.http_authenticatable = [:database]` will
-  # enable it only for database authentication.
-  # For API-only applications to support authentication "out-of-the-box", you will likely want to
-  # enable this with :database unless you are using a custom strategy.
-  # The supported strategies are:
+  # enable it only for database authentication. The supported strategies are:
   # :database      = Support basic authentication with authentication key + password
   # config.http_authenticatable = false
 
@@ -114,9 +105,6 @@ Devise.setup do |config|
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 12. If
   # using other algorithms, it sets how many times you want the password to be hashed.
-  # The number of stretches used for generating the hashed password are stored
-  # with the hashed password. This allows you to change the stretches without
-  # invalidating existing passwords.
   #
   # Limiting the stretches to just one in testing will increase the performance of
   # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use

test/controllers/helpers_test.rb

@@ -15,21 +15,21 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     assert_equal @mock_warden, @controller.warden
   end
 
-  test 'proxy signed_in?(scope) to authenticate?' do
-    @mock_warden.expects(:authenticate?).with(scope: :my_scope)
+  test 'proxy signed_in?(scope) to authenticated?' do
+    @mock_warden.expects(:authenticated?).with(scope: :my_scope)
     @controller.signed_in?(:my_scope)
   end
 
-  test 'proxy signed_in?(nil) to authenticate?' do
+  test 'proxy signed_in?(nil) to authenticated?' do
     Devise.mappings.keys.each do |scope| # :user, :admin, :manager
-      @mock_warden.expects(:authenticate?).with(scope: scope)
+      @mock_warden.expects(:authenticated?).with(scope: scope)
     end
     @controller.signed_in?
   end
 
-  test 'proxy [group]_signed_in? to authenticate? with each scope' do
+  test 'proxy [group]_signed_in? to authenticated? with each scope' do
     [:user, :admin].each do |scope|
-      @mock_warden.expects(:authenticate?).with(scope: scope).returns(false)
+      @mock_warden.expects(:authenticated?).with(scope: scope).returns(false)
     end
     @controller.commenter_signed_in?
   end
@@ -81,7 +81,7 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
   test 'proxy authenticate_[group]! to authenticate!? with each scope' do
     [:user, :admin].each do |scope|
       @mock_warden.expects(:authenticate!).with(scope: scope)
-      @mock_warden.expects(:authenticate?).with(scope: scope).returns(false)
+      @mock_warden.expects(:authenticated?).with(scope: scope).returns(false)
     end
     @controller.authenticate_commenter!
   end
@@ -91,18 +91,18 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     @controller.authenticate_publisher_account!
   end
 
-  test 'proxy user_signed_in? to authenticate with user scope' do
-    @mock_warden.expects(:authenticate).with(scope: :user).returns("user")
+  test 'proxy user_signed_in? to authenticated? with user scope' do
+    @mock_warden.expects(:authenticated?).with(scope: :user).returns("user")
     assert @controller.user_signed_in?
   end
 
-  test 'proxy admin_signed_in? to authenticatewith admin scope' do
-    @mock_warden.expects(:authenticate).with(scope: :admin)
+  test 'proxy admin_signed_in? to authenticated? with admin scope' do
+    @mock_warden.expects(:authenticated?).with(scope: :admin)
     refute @controller.admin_signed_in?
   end
 
-  test 'proxy publisher_account_signed_in? to authenticate with namespaced publisher account scope' do
-    @mock_warden.expects(:authenticate).with(scope: :publisher_account)
+  test 'proxy publisher_account_signed_in? to authenticated? with namespaced publisher account scope' do
+    @mock_warden.expects(:authenticated?).with(scope: :publisher_account)
     @controller.publisher_account_signed_in?
   end
 

test/controllers/passwords_controller_test.rb

@@ -36,4 +36,10 @@ class PasswordsControllerTest < Devise::ControllerTestCase
     User.any_instance.expects :after_database_authentication
     put_update_with_params
   end
+
+  test 'redirects to new_password_path when token has expired' do
+    @user.update(reset_password_sent_at: Time.now - 1.year)
+    put_update_with_params
+    assert_redirected_to new_user_password_path
+  end
 end

test/controllers/sessions_controller_test.rb

@@ -74,7 +74,7 @@ class SessionsControllerTest < Devise::ControllerTestCase
     assert_template "devise/sessions/new"
   end
 
-  test "#destroy doesn't set the flash if the requested format is not navigational" do
+  test "#destroy doesn't set the flash and returns 204 status if the requested format is not navigational" do
     request.env["devise.mapping"] = Devise.mappings[:user]
     user = create_user
     user.confirm
@@ -88,6 +88,17 @@ class SessionsControllerTest < Devise::ControllerTestCase
     assert_equal 204, @response.status
   end
 
+  test "#destroy returns 401 status if user is not signed in and the requested format is not navigational" do
+    delete :destroy, format: 'json'
+    assert_equal 401, @response.status
+  end
+
+  test "#destroy returns 302 status if user is not signed in and the requested format is navigational" do
+    request.env["devise.mapping"] = Devise.mappings[:user]
+    delete :destroy
+    assert_equal 302, @response.status
+  end
+
   if defined?(ActiveRecord) && ActiveRecord::Base.respond_to?(:mass_assignment_sanitizer)
     test "#new doesn't raise mass-assignment exception even if sign-in key is attr_protected" do
       request.env["devise.mapping"] = Devise.mappings[:user]

test/devise_test.rb

@@ -90,11 +90,14 @@ class DeviseTest < ActiveSupport::TestCase
     [nil, ""].each do |empty|
       refute Devise.secure_compare(empty, "something")
       refute Devise.secure_compare("something", empty)
-      refute Devise.secure_compare(empty, empty)
     end
     refute Devise.secure_compare("size_1", "size_four")
   end
 
+  test 'Devise.secure_compare should return true if strings are same' do
+    assert Devise.secure_compare('', '')
+  end
+
   test 'Devise.email_regexp should match valid email addresses' do
     valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua", "test@tt", "test@valid---domain.com"]
     non_valid_emails = ["rex", "test user@example.com", "test_user@example server.com"]

test/failure_app_test.rb

@@ -185,17 +185,27 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(message: :invalid))
-      assert_equal 'Invalid Email or password.', @request.flash[:alert]
+      assert_equal 'Invalid email or password.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
     test 'supports authentication_keys as a Hash for the flash message' do
       swap Devise, authentication_keys: { email: true, login: true } do
         call_failure('warden' => OpenStruct.new(message: :invalid))
-        assert_equal 'Invalid Email, Login or password.', @request.flash[:alert]
+        assert_equal 'Invalid email, login or password.', @request.flash[:alert]
       end
     end
 
+    test 'downcases authentication_keys for the flash message' do
+      call_failure('warden' => OpenStruct.new(message: :invalid))
+      assert_equal 'Invalid email or password.', @request.flash[:alert]
+    end
+
+    test 'humanizes the flash message' do
+      call_failure('warden' => OpenStruct.new(message: :invalid))
+      assert_equal @request.flash[:alert], @request.flash[:alert].humanize
+    end
+
     test 'uses custom i18n options' do
       call_failure('warden' => OpenStruct.new(message: :does_not_exist), app: FailureWithI18nOptions)
       assert_equal 'User Steve does not exist', @request.flash[:alert]
@@ -278,7 +288,7 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the failure message as response body' do
       call_failure('formats' => Mime[:xml], 'warden' => OpenStruct.new(message: :invalid))
-      assert_match '<error>Invalid Email or password.</error>', @response.third.body
+      assert_match '<error>Invalid email or password.</error>', @response.third.body
     end
 
     context 'on ajax call' do
@@ -327,7 +337,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Log in</h2>')
-      assert @response.third.body.include?('Invalid Email or password.')
+      assert @response.third.body.include?('Invalid email or password.')
     end
 
     test 'calls the original controller if not confirmed email' do
@@ -362,7 +372,7 @@ class FailureTest < ActiveSupport::TestCase
           }
           call_failure(env)
           assert @response.third.body.include?('<h2>Log in</h2>')
-          assert @response.third.body.include?('Invalid Email or password.')
+          assert @response.third.body.include?('Invalid email or password.')
           assert_equal @request.env["SCRIPT_NAME"], '/sample'
           assert_equal @request.env["PATH_INFO"], '/users/sign_in'
         end

test/generators/active_record_generator_test.rb

@@ -48,7 +48,6 @@ if DEVISE_ORM == :active_record
       run_generator %w(monster)
       assert_file "app/models/monster.rb"
       run_generator %w(monster)
-
       if Rails.version >= '5.0.3'
         assert_migration "db2/migrate/add_devise_to_monsters.rb"
       else
@@ -84,11 +83,7 @@ if DEVISE_ORM == :active_record
 
     test "add primary key type with rails 5 when specified in rails generator" do
       run_generator ["monster", "--primary_key_type=uuid"]
-      if Devise::Test.rails5_and_up?
-        assert_migration "db/migrate/devise_create_monsters.rb", /create_table :monsters, id: :uuid do/
-      else
-        assert_migration "db/migrate/devise_create_monsters.rb", /create_table :monsters do/
-      end
+      assert_migration "db/migrate/devise_create_monsters.rb", /create_table :monsters, id: :uuid do/
     end
   end
 

test/integration/authenticatable_test.rb

@@ -323,14 +323,6 @@ class AuthenticationRedirectTest < Devise::IntegrationTest
     visit new_user_session_path
     assert_equal flash[:alert], I18n.t("devise.failure.already_authenticated")
   end
-
-  test 'require_no_authentication should set the already_authenticated flash message as admin' do
-    store_translations :en, devise: { failure: { admin: { already_authenticated: 'You are already signed in as admin.' } } } do
-      sign_in_as_admin
-      visit new_admin_session_path
-      assert_equal flash[:alert], "You are already signed in as admin."
-    end
-  end
 end
 
 class AuthenticationSessionTest < Devise::IntegrationTest
@@ -565,7 +557,7 @@ class AuthenticationKeysTest < Devise::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, authentication_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid Subdomain or password."
+      assert_contain "Invalid subdomain or password."
       refute warden.authenticated?(:user)
     end
   end
@@ -604,7 +596,7 @@ class AuthenticationRequestKeysTest < Devise::IntegrationTest
 
     swap Devise, request_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid Email or password."
+      assert_contain "Invalid email or password."
       refute warden.authenticated?(:user)
     end
   end

test/integration/confirmable_test.rb

@@ -142,7 +142,7 @@ class ConfirmationTest < Devise::IntegrationTest
         fill_in 'password', with: 'invalid'
       end
 
-      assert_contain 'Invalid Email or password'
+      assert_contain 'Invalid email or password'
       refute warden.authenticated?(:user)
     end
   end

test/integration/database_authenticatable_test.rb

@@ -65,12 +65,12 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
     end
   end
 
-  test 'sign in with invalid password should return to sign in form with error message' do
+  test 'sign in with invalid pasword should return to sign in form with error message' do
     sign_in_as_admin do
       fill_in 'password', with: 'abcdef'
     end
 
-    assert_contain 'Invalid Email or password'
+    assert_contain 'Invalid email or password'
     refute warden.authenticated?(:admin)
   end
 
@@ -80,9 +80,9 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
         sign_in_as_user do
           fill_in 'email', with: 'wrongemail@test.com'
         end
-
+        
         assert_not_contain 'Not found in database'
-        assert_contain 'Invalid Email or password.'
+        assert_contain 'Invalid email or password.'
       end
     end
   end

test/integration/http_authenticatable_test.rb

@@ -52,7 +52,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
     sign_in_as_new_user_with_http("unknown")
     assert_equal 401, status
     assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
-    assert_match "<error>Invalid Email or password.</error>", response.body
+    assert_match "<error>Invalid email or password.</error>", response.body
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

test/integration/lockable_test.rb

@@ -104,7 +104,7 @@ class LockTest < Devise::IntegrationTest
 
   test 'error message is configurable by resource name' do
     store_translations :en, devise: {
-        failure: {user: {locked: "You are locked!"}}
+        failure: {user: {locked: { both: "You are locked!" }}}
     } do
 
       user = create_user(locked: true)
@@ -118,7 +118,7 @@ class LockTest < Devise::IntegrationTest
 
   test "user should not be able to sign in when locked" do
     store_translations :en, devise: {
-        failure: {user: {locked: "You are locked!"}}
+        failure: {user: {locked: {both: "You are locked!"}}}
     } do
 
       user = create_user(locked: true)

test/integration/recoverable_test.rb

@@ -33,17 +33,6 @@ class PasswordTest < Devise::IntegrationTest
     click_button 'Change my password'
   end
 
-  test 'reset password should send to user record email and avoid case mapping collisions' do
-    create_user(email: 'user@github.com')
-
-    request_forgot_password do
-      fill_in 'email', with: 'user@gıthub.com'
-    end
-
-    mail = ActionMailer::Base.deliveries.last
-    assert_equal ['user@github.com'], mail.to
-  end
-
   test 'reset password with email of different case should succeed when email is in the list of case insensitive keys' do
     create_user(email: 'Foo@Bar.com')
 
@@ -163,6 +152,19 @@ class PasswordTest < Devise::IntegrationTest
     refute user.reload.valid_password?('987654321')
   end
 
+  test 'not authenticated user with expired reset password token should be redirected to new password path' do
+    user = create_user
+    request_forgot_password
+    user.update(reset_password_sent_at: Time.now - 1.year)
+
+    visit edit_user_password_path(reset_password_token: 'abcdef')
+    fill_in 'New password', with: '987654321'
+    fill_in 'Confirm new password', with: '987654321'
+    click_button 'Change my password'
+
+    assert_contain 'The password recovery link expired. Please request a new one.'
+  end
+
   test 'not authenticated user with valid reset password token but invalid password should not be able to change their password' do
     user = create_user
     request_forgot_password

test/integration/rememberable_test.rb

@@ -14,10 +14,8 @@ class RememberMeTest < Devise::IntegrationTest
   def generate_signed_cookie(raw_cookie)
     request = if Devise::Test.rails51? || Devise::Test.rails52_and_up?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
-    elsif Devise::Test.rails5?
-      ActionController::TestRequest.create
     else
-      ActionController::TestRequest.new
+      ActionController::TestRequest.create
     end
     request.cookie_jar.signed['raw_cookie'] = raw_cookie
     request.cookie_jar['raw_cookie']

test/integration/timeoutable_test.rb

@@ -77,7 +77,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
     end
   end
 
-  test 'time out user session after default limit time and redirect to latest get request' do
+  test 'time out user session after deault limit time and redirect to latest get request' do
     user = sign_in_as_user
     visit edit_form_user_path(user)
 

test/integration/trackable_test.rb

@@ -44,7 +44,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     assert_equal "127.0.0.1", user.last_sign_in_ip
   end
 
-  test "current and last sign in remote ip returns original ip behind a non transparent proxy" do
+  test "current remote ip returns original ip behind a non transparent proxy" do
     user = create_user
 
     arbitrary_ip = '200.121.1.69'
@@ -53,7 +53,6 @@ class TrackableHooksTest < Devise::IntegrationTest
     end
     user.reload
     assert_equal arbitrary_ip, user.current_sign_in_ip
-    assert_equal arbitrary_ip, user.last_sign_in_ip
   end
 
   test "increase sign in count" do
@@ -96,5 +95,4 @@ class TrackableHooksTest < Devise::IntegrationTest
     user.reload
     assert_equal 1, user.sign_in_count
   end
-
 end

test/mailers/reset_password_instructions_test.rb

@@ -29,7 +29,7 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
     end
   end
 
-  test 'email sent after resetting the user password' do
+  test 'email sent after reseting the user password' do
     assert_not_nil mail
   end
 

test/models/lockable_test.rb

@@ -312,7 +312,7 @@ class LockableTest < ActiveSupport::TestCase
   end
 
   test 'should return last attempt message if user made next-to-last attempt of password entering' do
-    swap Devise, last_attempt_warning: true, lock_strategy: :failed_attempts do
+    swap Devise, last_attempt_warning: true, lock_strategy: :failed_attempts, unlock_strategy: :none do
       user = create_user
       user.failed_attempts = Devise.maximum_attempts - 2
       assert_equal :invalid, user.unauthenticated_message
@@ -321,7 +321,7 @@ class LockableTest < ActiveSupport::TestCase
       assert_equal :last_attempt, user.unauthenticated_message
 
       user.failed_attempts = Devise.maximum_attempts
-      assert_equal :locked, user.unauthenticated_message
+      assert_equal :'locked.none', user.unauthenticated_message
     end
   end
 
@@ -336,7 +336,22 @@ class LockableTest < ActiveSupport::TestCase
   test 'should return locked message if user was programatically locked' do
     user = create_user
     user.lock_access!
-    assert_equal :locked, user.unauthenticated_message
+
+    swap Devise, unlock_strategy: :none do
+      assert_equal :'locked.none', user.unauthenticated_message
+    end
+
+    swap Devise, unlock_strategy: :both do
+      assert_equal :'locked.both', user.unauthenticated_message
+    end
+
+    swap Devise, unlock_strategy: :email do
+      assert_equal :'locked.email', user.unauthenticated_message
+    end
+
+    swap Devise, unlock_strategy: :time do
+      assert_equal :'locked.time', user.unauthenticated_message
+    end
   end
 
   test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do

test/models/recoverable_test.rb

@@ -34,7 +34,7 @@ class RecoverableTest < ActiveSupport::TestCase
     assert create_user.reset_password('123456789', '123456789')
   end
 
-  test 'should clear reset password token while resetting the password' do
+  test 'should clear reset password token while reseting the password' do
     user = create_user
     assert_nil user.reset_password_token
 

test/models/trackable_test.rb

@@ -60,6 +60,39 @@ class TrackableTest < ActiveSupport::TestCase
     assert_not user.update_tracked_fields!(request)
   end
 
+  test "update_tracked_fields! runs when isn't a new record and the validations are ok" do
+    user = create_user
+    user.stubs(:active_for_authentication?).returns(true)
+
+    request = mock
+    request.stubs(:remote_ip).returns("127.0.0.1")
+    request.stubs(:env).returns('devise.skip_trackable' => nil)
+
+    assert user.update_tracked_fields!(request)
+  end
+
+  test "update_tracked_fields! should not run when skip trackable is turned on" do
+    user = create_user
+    user.stubs(:active_for_authentication?).returns(true)
+
+    request = mock
+    request.stubs(:remote_ip).returns("127.0.0.1")
+    request.stubs(:env).returns('devise.skip_trackable' => 1)
+
+    assert_not user.update_tracked_fields!(request)
+  end
+
+  test "update_tracked_fields! should not run when the user is not active for authentication" do
+    user = create_user
+    user.stubs(:active_for_authentication?).returns(false)
+
+    request = mock
+    request.stubs(:remote_ip).returns("127.0.0.1")
+    request.stubs(:env).returns('devise.skip_trackable' => nil)
+
+    assert_not user.update_tracked_fields!(request)
+  end
+
   test 'extract_ip_from should be overridable' do
     class UserWithOverride < User
       protected

test/orm/active_record.rb

@@ -14,13 +14,7 @@ else
 end
 
 class ActiveSupport::TestCase
-  if Devise::Test.rails5_and_up?
-    self.use_transactional_tests = true
-  else
-    # Let `after_commit` work with transactional fixtures, however this is not needed for Rails 5.
-    require 'test_after_commit'
-    self.use_transactional_fixtures = true
-  end
+  self.use_transactional_tests = true
 
   self.use_instantiated_fixtures  = false
 end

test/rails_app/app/active_record/user.rb

@@ -5,7 +5,7 @@ require 'shared_user'
 class User < ActiveRecord::Base
   include Shim
   include SharedUser
-  include ActiveModel::Serializers::Xml if Devise::Test.rails5_and_up?
+  include ActiveModel::Serializers::Xml
 
   validates :sign_in_count, presence: true
 

test/rails_app/app/controllers/home_controller.rb

@@ -22,10 +22,6 @@ class HomeController < ApplicationController
   end
 
   def unauthenticated
-    if Devise::Test.rails5_and_up?
-      render body: "unauthenticated", status: :unauthorized
-    else
-      render text: "unauthenticated", status: :unauthorized
-    end
+    render body: "unauthenticated", status: :unauthorized
   end
 end

test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -11,6 +11,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     user = User.to_adapter.find_first(email: 'user@test.com')
     user.remember_me = true
     sign_in user
-    render (Devise::Test.rails5_and_up? ? :body : :text) => ""
+    render body: ""
   end
 end

test/rails_app/app/controllers/users_controller.rb

@@ -15,7 +15,7 @@ class UsersController < ApplicationController
   end
 
   def update_form
-    render (Devise::Test.rails5_and_up? ? :body : :text) => 'Update'
+    render body: 'Update'
   end
 
   def accept
@@ -23,11 +23,11 @@ class UsersController < ApplicationController
   end
 
   def exhibit
-    render (Devise::Test.rails5_and_up? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
+    render body: current_user ? "User is authenticated" : "User is not authenticated"
   end
 
   def expire
     user_session['last_request_at'] = 31.minutes.ago.utc
-    render (Devise::Test.rails5_and_up? ? :body : :text) => 'User will be expired on next request'
+    render body: 'User will be expired on next request'
   end
 end

test/rails_app/config/application.rb

@@ -33,12 +33,6 @@ module RailsApp
     # config.assets.enabled = false
 
     config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
-    rails_version = Gem::Version.new(Rails.version)
-    if DEVISE_ORM == :active_record &&
-       rails_version >= Gem::Version.new('4.2.0') &&
-       rails_version < Gem::Version.new('5.1.0')
-      config.active_record.raise_in_transactional_callbacks = true
-    end
 
     # This was used to break devise in some situations
     config.to_prepare do

test/rails_app/config/boot.rb

@@ -7,7 +7,6 @@ end
 module Devise
   module Test
     # Detection for minor differences between Rails versions in tests.
-    
     def self.rails6?
       Rails.version.start_with? '6'
     end
@@ -23,14 +22,6 @@ module Devise
     def self.rails51?
       Rails.version.start_with? '5.1'
     end
-
-    def self.rails5_and_up?
-      Rails::VERSION::MAJOR >= 5
-    end
-
-    def self.rails5?
-      Rails.version.start_with? '5'
-    end
   end
 end
 

test/rails_app/config/environments/production.rb

@@ -22,13 +22,7 @@ RailsApp::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  if Devise::Test.rails5_and_up?
-    config.public_file_server.enabled = false
-  elsif Rails.version >= "4.2.0"
-    config.serve_static_files = false
-  else
-    config.serve_static_assets = false
-  end
+  config.public_file_server.enabled = false
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor  = :uglifier

test/rails_app/config/environments/test.rb

@@ -16,16 +16,8 @@ RailsApp::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  if Devise::Test.rails5_and_up?
-    config.public_file_server.enabled = true
-    config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
-  elsif Rails.version >= "4.2.0"
-    config.serve_static_files = true
-    config.static_cache_control = "public, max-age=3600"
-  else
-    config.serve_static_assets = true
-    config.static_cache_control = "public, max-age=3600"
-  end
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true

test/rails_app/config/initializers/devise.rb

@@ -3,12 +3,6 @@
 require "omniauth-facebook"
 require "omniauth-openid"
 
-# Assuming you have not yet modified this file, each configuration option below
-# is set to its default value. Note that some are commented out while others
-# are not: uncommented lines are intended to protect your configuration from
-# breaking changes in upgrades (i.e., in the event that future versions of
-# Devise change the default values for those options).
-#
 # Use this hook to configure devise mailer, warden hooks and so forth. The first
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|

test/rails_app/db/migrate/20100401102949_create_tables.rb

@@ -1,10 +1,6 @@
 # frozen_string_literal: true
 
-superclass = ActiveRecord::Migration
-# TODO: Inherit from the 5.0 Migration class directly when we drop support for Rails 4.
-superclass = ActiveRecord::Migration[5.0] if superclass.respond_to?(:[])
-
-class CreateTables < superclass
+ class CreateTables < ActiveRecord::Migration[5.0]
   def self.up
     create_table :users do |t|
       t.string :username

test/routes_test.rb

@@ -204,8 +204,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for sessions' do
-    expected_params = {controller: 'devise/sessions', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5_and_up?
+    expected_params = {controller: 'devise/sessions', action: 'new', format: false}
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in', method: :get})
     assert_raise ExpectedRoutingError do
@@ -214,8 +213,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for passwords' do
-    expected_params = {controller: 'devise/passwords', action: 'create'}
-    expected_params[:format] = false if Devise::Test.rails5_and_up?
+    expected_params = {controller: 'devise/passwords', action: 'create', format: false}
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/password', method: :post})
     assert_raise ExpectedRoutingError do
@@ -224,8 +222,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for registrations' do
-    expected_params = {controller: 'devise/registrations', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5_and_up?
+    expected_params = {controller: 'devise/registrations', action: 'new', format: false}
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up', method: :get})
     assert_raise ExpectedRoutingError do
@@ -234,8 +231,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for confirmations' do
-    expected_params = {controller: 'devise/confirmations', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5_and_up?
+    expected_params = {controller: 'devise/confirmations', action: 'show', format: false}
 
     assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation', method: :get})
     assert_raise ExpectedRoutingError do
@@ -244,8 +240,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map with format false for unlocks' do
-    expected_params = {controller: 'devise/unlocks', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5_and_up?
+    expected_params = {controller: 'devise/unlocks', action: 'show', format: false}
 
     assert_recognizes(expected_params, {path: '/htmlonly_users/unlock', method: :get})
     assert_raise ExpectedRoutingError do

test/secret_key_finder_test.rb

@@ -44,38 +44,12 @@ class Rails52SecretKeyBase
   def config
     OpenStruct.new(secret_key_base: nil)
   end
-  
+
   def secret_key_base
     'secret_key_base'
   end
 end
 
-class Rails41Secrets
-  def secrets
-    OpenStruct.new(secret_key_base: 'secrets')
-  end
-
-  def config
-    OpenStruct.new(secret_key_base: nil)
-  end
-end
-
-class Rails41Config
-  def secrets
-    OpenStruct.new(secret_key_base: nil)
-  end
-
-  def config
-    OpenStruct.new(secret_key_base: 'config')
-  end
-end
-
-class Rails40Config
-  def config
-    OpenStruct.new(secret_key_base: 'config')
-  end
-end
-
 class SecretKeyFinderTest < ActiveSupport::TestCase
   test "rails 5.2 uses credentials when they're available" do
     secret_key_finder = Devise::SecretKeyFinder.new(Rails52Credentials.new)
@@ -100,22 +74,4 @@ class SecretKeyFinderTest < ActiveSupport::TestCase
 
     assert_equal 'secret_key_base', secret_key_finder.find
   end
-
-  test "rails 4.1 uses secrets" do
-    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Secrets.new)
-
-    assert_equal 'secrets', secret_key_finder.find
-  end
-
-  test "rails 4.1 uses config when secrets are empty" do
-    secret_key_finder = Devise::SecretKeyFinder.new(Rails41Config.new)
-
-    assert_equal 'config', secret_key_finder.find
-  end
-
-  test "rails 4.0 uses config" do
-    secret_key_finder = Devise::SecretKeyFinder.new(Rails40Config.new)
-
-    assert_equal 'config', secret_key_finder.find
-  end
 end

test/support/http_method_compatibility.rb

@@ -5,14 +5,12 @@ module Devise
     # %w( get post patch put head delete xml_http_request
     #           xhr get_via_redirect post_via_redirect
     #         ).each do |method|
-    unless Devise::Test.rails5_and_up?
-      %w( get post put ).each do |method|
-        define_method(method) do |url, options = {}|
-          if options[:xhr] == true
-            xml_http_request __method__, url, options[:params] || {}, options[:headers]
-          else
-            super url, options[:params] || {}, options[:headers]
-          end
+    %w( get post put ).each do |method|
+      define_method(method) do |url, options={}|
+        if options.empty?
+          super url
+        else
+          super url, options
         end
       end
     end
@@ -22,14 +20,12 @@ module Devise
     # %w( get post patch put head delete xml_http_request
     #           xhr get_via_redirect post_via_redirect
     #         ).each do |method|
-    unless Devise::Test.rails5_and_up?
-      %w( get post put ).each do |method|
-        define_method(method) do |action, options = {}|
-          if options[:xhr] == true
-            xml_http_request __method__, action, options[:params] || {}, options[:headers]
-          else
-            super action, options[:params] || {}, options[:headers]
-          end
+    %w( get post put ).each do |method|
+      define_method(method) do |action, options={}|
+        if options.empty?
+          super action
+        else
+          super action, options
         end
       end
     end

test/test/controller_helpers_test.rb

@@ -178,10 +178,8 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
 
     @request = if Devise::Test.rails51? || Devise::Test.rails52_and_up?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
-    elsif Devise::Test.rails5?
-      ActionController::TestRequest.create
     else
-      ActionController::TestRequest.new
+      ActionController::TestRequest.create
     end
 
     new_warden_proxy = warden

test/test_helper.rb

@@ -12,7 +12,7 @@ require "orm/#{DEVISE_ORM}"
 
 I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__)
 
-require 'mocha/minitest'
+require 'mocha/setup'
 require 'timecop'
 require 'webrat'
 Webrat.configure do |config|