github/devise
1
1
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2026-01-09 14:58:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

Remove deprecated token lookups

Browse Source
This commit is contained in:
José Valim
2013-09-02 19:23:15 -03:00
parent dff7891b97
commit 6b3b0c5e8c
11 changed files with 21 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@@ -1,3 +1,8 @@
== 3.2.0-dev
* enchancements
* Previously deprecated token authenticatable and insecure lookups have been removed
== 3.1.0
Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

13
app/controllers/devise/confirmations_controller.rb
View File

@@ -20,12 +20,7 @@ class Devise::ConfirmationsController < DeviseController
self.resource = resource_class.confirm_by_token(params[:confirmation_token])
if resource.errors.empty?
if Devise.allow_insecure_sign_in_after_confirmation
set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
sign_in(resource_name, resource)
else
set_flash_message(:notice, :confirmed) if is_navigational_format?
end
set_flash_message(:notice, :confirmed) if is_navigational_format?
respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
else
respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -41,10 +36,6 @@ class Devise::ConfirmationsController < DeviseController
# The path used after confirmation.
def after_confirmation_path_for(resource_name, resource)
if Devise.allow_insecure_sign_in_after_confirmation
after_sign_in_path_for(resource)
else
new_session_path(resource_name)
end
new_session_path(resource_name)
end
end

1
config/locales/en.yml
View File

@@ -4,7 +4,6 @@ en:
devise:
confirmations:
confirmed: "Your account was successfully confirmed. Please sign in."
confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
failure:

26
lib/devise.rb
View File

@@ -50,15 +50,21 @@ module Devise
mattr_accessor :secret_key
@@secret_key = nil
# Allow insecure token lookup. Must be used
# temporarily just for migration.
mattr_accessor :allow_insecure_token_lookup
@@allow_insecure_tokens_lookup = false
[ :allow_insecure_token_lookup,
:allow_insecure_sign_in_after_confirmation,
:token_authentication_key ].each do |method|
class_eval <<-RUBY
def self.#{method}
ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
"and has no effect"
end
# Allow insecure sign in after confirmation. Must be used
# temporarily just for migration.
mattr_accessor :allow_insecure_sign_in_after_confirmation
@@allow_insecure_sign_in_after_confirmation = false
def self.#{method}=(val)
ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
"and has no effect"
end
RUBY
end
# Custom domain or key for cookies. Not set by default
mattr_accessor :rememberable_options
@@ -195,10 +201,6 @@ module Devise
mattr_accessor :mailer_sender
@@mailer_sender = nil
# Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
mattr_accessor :token_authentication_key
@@token_authentication_key = :auth_token
# Skip session storage for the following strategies
mattr_accessor :skip_session_storage
@@skip_session_storage = []

4
lib/devise/models/confirmable.rb
View File

@@ -275,10 +275,6 @@ module Devise
confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
if !confirmable.persisted? && Devise.allow_insecure_token_lookup
confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
end
confirmable.confirm! if confirmable.persisted?
confirmable.confirmation_token = original_token
confirmable

4
lib/devise/models/lockable.rb
View File

@@ -165,10 +165,6 @@ module Devise
unlock_token = Devise.token_generator.digest(self, :unlock_token, unlock_token)
lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
if !lockable.persisted? && Devise.allow_insecure_token_lookup
lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
end
lockable.unlock_access! if lockable.persisted?
lockable.unlock_token = original_token
lockable

3
lib/devise/models/recoverable.rb
View File

@@ -116,9 +116,6 @@ module Devise
reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
if !recoverable.persisted? && Devise.allow_insecure_token_lookup
recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
end
if recoverable.persisted?
if recoverable.reset_password_period_valid?

21
test/integration/confirmable_test.rb
View File

@@ -62,27 +62,6 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
end
end
test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
assert_not user.confirmed?
visit_user_confirmation_with_token(user.raw_confirmation_token)
assert_contain 'Your account was successfully confirmed. You are now signed in.'
assert_current_url root_url
assert user.reload.confirmed?
end
end
test 'user should be redirected to a custom path after confirmation' do
Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
user = create_user(:confirm => false)
visit_user_confirmation_with_token(user.raw_confirmation_token)
assert_current_url "/?custom=1"
end
test 'already confirmed user should not be able to confirm the account again' do
user = create_user(:confirm => false)
user.confirmed_at = Time.now

9
test/models/confirmable_test.rb
View File

@@ -51,15 +51,6 @@ class ConfirmableTest < ActiveSupport::TestCase
assert_equal "was already confirmed, please try signing in", user.errors[:email].join
end
test 'DEPRECATED: should find and confirm a user automatically' do
swap Devise, allow_insecure_token_lookup: true do
user = create_user
confirmed_user = User.confirm_by_token(user.confirmation_token)
assert_equal confirmed_user, user
assert user.reload.confirmed?
end
end
test 'should find and confirm a user automatically based on the raw token' do
user = create_user
raw = user.raw_confirmation_token

10
test/models/lockable_test.rb
View File

@@ -139,16 +139,6 @@ class LockableTest < ActiveSupport::TestCase
end
end
test 'DEPRECATED: should find and unlock a user automatically' do
swap Devise, allow_insecure_token_lookup: true do
user = create_user
user.lock_access!
locked_user = User.unlock_access_by_token(user.unlock_token)
assert_equal locked_user, user
assert_not user.reload.access_locked?
end
end
test 'should find and unlock a user automatically based on raw token' do
user = create_user
raw = user.send_unlock_instructions

10
test/models/recoverable_test.rb
View File

@@ -108,16 +108,6 @@ class RecoverableTest < ActiveSupport::TestCase
end
end
test 'DEPRECATED: should find a user to reset his password based on reset_password_token' do
swap Devise, allow_insecure_token_lookup: true do
user = create_user
user.send_reset_password_instructions
reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token)
assert_equal reset_password_user, user
end
end
test 'should find a user to reset his password based on the raw token' do
user = create_user
raw = user.send_reset_password_instructions