Prevent password reset token leak via HTTP referer

2026-01-12 00:08:34 -05:00 · 2016-09-27 19:34:01 -03:00
45 changed files with 323 additions and 891 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,29 +1,21 @@
 language: ruby

 rvm:
-  - 2.1.10
-  - 2.2.7
-  - 2.3.4
-  - 2.4.1
+  - 2.1.9
+  - 2.2.5
+  - 2.3.1
  - ruby-head

 gemfile:
  - Gemfile
-  - gemfiles/Gemfile.rails-5.0-stable
  - gemfiles/Gemfile.rails-4.2-stable
  - gemfiles/Gemfile.rails-4.1-stable

 matrix:
  exclude:
-    - rvm: 2.1.10
+    - rvm: 2.1.9
      gemfile: Gemfile
-    - rvm: 2.4.1
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: ruby-head
-      gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-5.0-stable
-    - rvm: 2.1.10
+    - env: DEVISE_ORM=mongoid
      gemfile: Gemfile
  allow_failures:
    - rvm: ruby-head
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,22 +1,8 @@
-### 4.3.0 - unreleased
-
-* Enhancements
-  * Dependency support added for Rails 5.1.x.
-
-### 4.2.1 - 2017-03-15
+### Unreleased

 * removals
  * `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected
    methods instead of public.
-* bug fixes
-  * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
-    Before this change, Devise would accept the reset password request and log the user in, without validating/changing
-    the password. (by @victor-am)
-  * Confirmation links now expire based on UTC time, working properly when using different timezones. (by @jjuliano)
-* enhancements
-  * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
-    When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
-    (original change by @ethirajsrinivasan)

 ### 4.2.0 - 2016-07-01

--- a/12
+++ b/12
@@ -2,7 +2,7 @@ source "https://rubygems.org"

 gemspec

-gem "rails", "~> 5.1"
+gem "rails", "~> 5.0.0"
 gem "omniauth", "~> 1.3"
 gem "oauth2"
 gem "omniauth-oauth2"
@@ -14,9 +14,6 @@ gem "rails-controller-testing"

 gem "responders", "~> 2.1"

-# TODO: Remove this line when Rails 5.1.1 is released
-gem "minitest", "< 5.10.2"
-
 group :test do
  gem "omniauth-facebook"
  gem "omniauth-openid"
@@ -34,6 +31,7 @@ platforms :ruby do
  gem "sqlite3"
 end

-group :mongoid do
-  gem "mongoid"
-end
+# TODO:
+# group :mongoid do
+#   gem "mongoid", "~> 4.0.0"
+# end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,78 +1,79 @@
 GIT
  remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: dd9c0acf26aab111ebc647cd8deb99ebc6946531
+  revision: 570ee7ed33d60e44ca1f3ccbec3d1fbf61d52cbf
  specs:
    activemodel-serializers-xml (1.0.1)
      activemodel (> 5.x)
+      activerecord (> 5.x)
      activesupport (> 5.x)
      builder (~> 3.1)

 PATH
  remote: .
  specs:
-    devise (4.3.0)
+    devise (4.2.0)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 5.1)
      responders
      warden (~> 1.2.3)

 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (5.1.0)
-      actionpack (= 5.1.0)
-      nio4r (~> 2.0)
+    actioncable (5.0.0)
+      actionpack (= 5.0.0)
+      nio4r (~> 1.2)
      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.0)
-      actionpack (= 5.1.0)
-      actionview (= 5.1.0)
-      activejob (= 5.1.0)
+    actionmailer (5.0.0)
+      actionpack (= 5.0.0)
+      actionview (= 5.0.0)
+      activejob (= 5.0.0)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
-    actionpack (5.1.0)
-      actionview (= 5.1.0)
-      activesupport (= 5.1.0)
+    actionpack (5.0.0)
+      actionview (= 5.0.0)
+      activesupport (= 5.0.0)
      rack (~> 2.0)
      rack-test (~> 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.0)
-      activesupport (= 5.1.0)
+    actionview (5.0.0)
+      activesupport (= 5.0.0)
      builder (~> 3.1)
-      erubi (~> 1.4)
+      erubis (~> 2.7.0)
      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.0)
-      activesupport (= 5.1.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (5.0.0)
+      activesupport (= 5.0.0)
      globalid (>= 0.3.6)
-    activemodel (5.1.0)
-      activesupport (= 5.1.0)
-    activerecord (5.1.0)
-      activemodel (= 5.1.0)
-      activesupport (= 5.1.0)
-      arel (~> 8.0)
-    activesupport (5.1.0)
+    activemodel (5.0.0)
+      activesupport (= 5.0.0)
+    activerecord (5.0.0)
+      activemodel (= 5.0.0)
+      activesupport (= 5.0.0)
+      arel (~> 7.0)
+    activesupport (5.0.0)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (~> 0.7)
      minitest (~> 5.1)
      tzinfo (~> 1.1)
-    arel (8.0.0)
+    arel (7.0.0)
    bcrypt (3.1.11)
-    bson (4.2.1)
-    builder (3.2.3)
-    concurrent-ruby (1.0.5)
-    erubi (1.6.0)
-    faraday (0.11.0)
+    builder (3.2.2)
+    concurrent-ruby (1.0.2)
+    erubis (2.7.0)
+    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
-    globalid (0.4.0)
-      activesupport (>= 4.2.0)
-    hashie (3.5.5)
-    i18n (0.8.1)
-    jwt (1.5.6)
+    globalid (0.3.6)
+      activesupport (>= 4.1.0)
+    hashie (3.4.4)
+    i18n (0.7.0)
+    json (1.8.3)
+    jwt (1.5.4)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
-    mail (2.6.5)
+    mail (2.6.4)
      mime-types (>= 1.16, < 4)
    metaclass (0.0.4)
    method_source (0.8.2)
@@ -80,30 +81,26 @@ GEM
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.1.0)
-    minitest (5.10.1)
-    mocha (1.2.1)
+    minitest (5.9.0)
+    mocha (1.1.0)
      metaclass (~> 0.0.1)
-    mongo (2.4.1)
-      bson (>= 4.2.1, < 5.0.0)
-    mongoid (6.1.0)
-      activemodel (~> 5.0)
-      mongo (>= 2.4.1, < 3.0.0)
    multi_json (1.12.1)
-    multi_xml (0.6.0)
+    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nio4r (2.0.0)
-    nokogiri (1.7.1)
+    nio4r (1.2.1)
+    nokogiri (1.6.8)
      mini_portile2 (~> 2.1.0)
-    oauth2 (1.3.1)
-      faraday (>= 0.8, < 0.12)
+      pkg-config (~> 1.1.7)
+    oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
      multi_json (~> 1.3)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 3)
-    omniauth (1.6.1)
-      hashie (>= 3.4.6, < 3.6.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (4.0.0)
+    omniauth (1.3.1)
+      hashie (>= 1.2, < 4)
+      rack (>= 1.0, < 3)
+    omniauth-facebook (3.0.0)
      omniauth-oauth2 (~> 1.2)
    omniauth-oauth2 (1.4.0)
      oauth2 (~> 1.0)
@@ -112,64 +109,65 @@ GEM
      omniauth (~> 1.0)
      rack-openid (~> 1.3.1)
    orm_adapter (0.5.0)
+    pkg-config (1.1.7)
    rack (2.0.1)
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
    rack-test (0.6.3)
      rack (>= 1.0)
-    rails (5.1.0)
-      actioncable (= 5.1.0)
-      actionmailer (= 5.1.0)
-      actionpack (= 5.1.0)
-      actionview (= 5.1.0)
-      activejob (= 5.1.0)
-      activemodel (= 5.1.0)
-      activerecord (= 5.1.0)
-      activesupport (= 5.1.0)
+    rails (5.0.0)
+      actioncable (= 5.0.0)
+      actionmailer (= 5.0.0)
+      actionpack (= 5.0.0)
+      actionview (= 5.0.0)
+      activejob (= 5.0.0)
+      activemodel (= 5.0.0)
+      activerecord (= 5.0.0)
+      activesupport (= 5.0.0)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 5.1.0)
+      railties (= 5.0.0)
      sprockets-rails (>= 2.0.0)
-    rails-controller-testing (1.0.1)
+    rails-controller-testing (0.1.1)
      actionpack (~> 5.x)
      actionview (~> 5.x)
      activesupport (~> 5.x)
-    rails-dom-testing (2.0.2)
+    rails-dom-testing (2.0.1)
      activesupport (>= 4.2.0, < 6.0)
-      nokogiri (~> 1.6)
+      nokogiri (~> 1.6.0)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
-    railties (5.1.0)
-      actionpack (= 5.1.0)
-      activesupport (= 5.1.0)
+    railties (5.0.0)
+      actionpack (= 5.0.0)
+      activesupport (= 5.0.0)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.0.0)
-    rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    rake (11.2.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
+    responders (2.2.0)
+      railties (>= 4.2.0, < 5.1)
    ruby-openid (2.7.0)
-    sprockets (3.7.1)
+    sprockets (3.6.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
-    sprockets-rails (3.2.0)
+    sprockets-rails (3.1.1)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
-    thor (0.19.4)
-    thread_safe (0.3.6)
-    tzinfo (1.2.3)
+    sqlite3 (1.3.11)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
      thread_safe (~> 0.1)
-    warden (1.2.7)
+    warden (1.2.6)
      rack (>= 1.0)
    webrat (0.7.3)
      nokogiri (>= 1.2.0)
      rack (>= 1.0)
      rack-test (>= 0.5.3)
-    websocket-driver (0.6.5)
+    websocket-driver (0.6.4)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.2)

@@ -182,15 +180,13 @@ DEPENDENCIES
  activerecord-jdbcsqlite3-adapter
  devise!
  jruby-openssl
-  minitest (< 5.10.2)
  mocha (~> 1.1)
-  mongoid
  oauth2
  omniauth (~> 1.3)
  omniauth-facebook
  omniauth-oauth2
  omniauth-openid
-  rails (~> 5.1)
+  rails (~> 5.0.0)
  rails-controller-testing
  rdoc
  responders (~> 2.1)
@@ -198,4 +194,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.14.6
+   1.12.5
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-Copyright 2009-2017 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2016 Plataformatec. http://plataformatec.com.br

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
--- a/README.md
+++ b/README.md
@@ -43,13 +43,9 @@ https://github.com/plataformatec/devise/wiki/Bug-reports

 If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.

-### StackOverflow and Mailing List
+### Mailing list

-If you have any questions, comments, or concerns, please use StackOverflow instead of the GitHub issue tracker:
-
-http://stackoverflow.com/questions/tagged/devise
-
-The deprecated mailing list can still be read on
+If you have any questions, comments, or concerns, please use the Google Group instead of the GitHub issue tracker:

 https://groups.google.com/group/plataformatec-devise

@@ -99,7 +95,7 @@ Devise 4.0 works with Rails 4.1 onwards. You can add it to your Gemfile with:
 gem 'devise'
 ```

-Then run `bundle install`
+Run the bundle command to install it.

 Next, you need to run the generator:

@@ -124,7 +120,7 @@ $ rails generate devise MODEL

 Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section.  For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. 

-Then run `rails db:migrate`
+Then run `rake db:migrate`

 You should restart your application after changing Devise's configuration options. Otherwise, you will run into strange errors, for example, users being unable to login and route helpers being undefined.

@@ -183,7 +179,7 @@ member_session
 The Devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the hashing algorithm with:

 ```ruby
-devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 12
+devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
 ```

 Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`.
@@ -610,6 +606,6 @@ https://github.com/plataformatec/devise/graphs/contributors

 ## License

-MIT License. Copyright 2009-2017 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2016 Plataformatec. http://plataformatec.com.br

 You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.
--- a/app/controllers/devise/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise/omniauth_callbacks_controller.rb
@@ -2,7 +2,7 @@ class Devise::OmniauthCallbacksController < DeviseController
  prepend_before_action { request.env["devise.skip_timeout"] = true }

  def passthru
-    render status: 404, plain: "Not found. Authentication passthru."
+    render status: 404, text: "Not found. Authentication passthru."
  end

  def failure
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -24,7 +24,13 @@ class Devise::PasswordsController < DeviseController
  def edit
    self.resource = resource_class.new
    set_minimum_password_length
-    resource.reset_password_token = params[:reset_password_token]
+
+    if params[:reset_password_token]
+      session[:reset_password_token] = params[:reset_password_token]
+      redirect_to edit_user_password_url
+    end
+
+    resource.reset_password_token = session[:reset_password_token]
  end

  # PUT /resource/password
@@ -41,6 +47,7 @@ class Devise::PasswordsController < DeviseController
      else
        set_flash_message!(:notice, :updated_not_active)
      end
+      session[:reset_password_token] = nil
      respond_with resource, location: after_resetting_password_path_for(resource)
    else
      set_minimum_password_length
@@ -60,7 +67,9 @@ class Devise::PasswordsController < DeviseController

    # Check if a reset_password_token is provided in the request
    def assert_reset_token_passed
-      if params[:reset_password_token].blank?
+      reset_token = session[:reset_password_token] || params[:reset_password_token]
+
+      if reset_token.blank?
        set_flash_message(:alert, :no_token)
        redirect_to new_session_path(resource_name)
      end
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -57,7 +57,6 @@ class Devise::RegistrationsController < DeviseController
      respond_with resource, location: after_update_path_for(resource)
    else
      clean_up_passwords resource
-      set_minimum_password_length
      respond_with resource
    end
  end
--- a/app/mailers/devise/mailer.rb
+++ b/app/mailers/devise/mailer.rb
@@ -17,10 +17,6 @@ if defined?(ActionMailer)
      devise_mail(record, :unlock_instructions, opts)
    end

-    def email_changed(record, opts={})
-      devise_mail(record, :email_changed, opts)
-    end
-
    def password_change(record, opts={})
      devise_mail(record, :password_change, opts)
    end
--- a/app/views/devise/mailer/email_changed.html.erb
+++ b/app/views/devise/mailer/email_changed.html.erb
@@ -1,7 +0,0 @@
-<p>Hello <%= @email %>!</p>
-
-<% if @resource.try(:unconfirmed_email?) %>
-  <p>We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.</p>
-<% else %>
-  <p>We're contacting you to notify you that your email has been changed to <%= @resource.email %>.</p>
-<% end %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -23,8 +23,6 @@ en:
        subject: "Reset password instructions"
      unlock_instructions:
        subject: "Unlock instructions"
-      email_changed:
-        subject: "Email Changed"
      password_change:
        subject: "Password Changed"
    omniauth_callbacks:
--- a/devise.gemspec
+++ b/devise.gemspec
@@ -21,6 +21,6 @@ Gem::Specification.new do |s|
  s.add_dependency("warden", "~> 1.2.3")
  s.add_dependency("orm_adapter", "~> 0.1")
  s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0", "< 5.2")
+  s.add_dependency("railties", ">= 4.1.0", "< 5.1")
  s.add_dependency("responders")
 end
--- a/gemfiles/Gemfile.rails-4.1-stable.lock
+++ b/gemfiles/Gemfile.rails-4.1-stable.lock
@@ -1,71 +1,76 @@
 GIT
  remote: git://github.com/rails/rails.git
-  revision: 0cad778c2605a5204a05a9f1dbd3344e39f248d8
+  revision: 9f5cbe613c8a80282970c73b0f00095788d54e34
  branch: 4-1-stable
  specs:
-    actionmailer (4.1.16)
-      actionpack (= 4.1.16)
-      actionview (= 4.1.16)
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
      mail (~> 2.5, >= 2.5.4)
-    rails (4.1.16)
-      actionmailer (= 4.1.16)
-      actionpack (= 4.1.16)
-      actionview (= 4.1.16)
-      activemodel (= 4.1.16)
-      activerecord (= 4.1.16)
-      activesupport (= 4.1.16)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
+      arel (~> 5.0.0)
+    activesupport (4.1.15)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.16)
+      railties (= 4.1.15)
      sprockets-rails (~> 2.0)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)

 PATH
  remote: ..
  specs:
-    devise (4.3.0)
+    devise (4.2.0)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 5.1)
      responders
      warden (~> 1.2.3)

 GEM
  remote: https://rubygems.org/
  specs:
-    actionpack (4.1.16)
-      actionview (= 4.1.16)
-      activesupport (= 4.1.16)
-      rack (~> 1.5.2)
-      rack-test (~> 0.6.2)
-    actionview (4.1.16)
-      activesupport (= 4.1.16)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-    activemodel (4.1.16)
-      activesupport (= 4.1.16)
-      builder (~> 3.1)
-    activerecord (4.1.16)
-      activemodel (= 4.1.16)
-      activesupport (= 4.1.16)
-      arel (~> 5.0.0)
-    activesupport (4.1.16)
-      i18n (~> 0.6, >= 0.6.9)
-      json (~> 1.7, >= 1.7.7)
-      minitest (~> 5.1)
-      thread_safe (~> 0.1)
-      tzinfo (~> 1.1)
    arel (5.0.1.20140414130214)
    bcrypt (3.1.11)
    bson (3.2.6)
-    builder (3.2.3)
-    concurrent-ruby (1.0.5)
-    connection_pool (2.2.1)
+    builder (3.2.2)
+    concurrent-ruby (1.0.2)
+    connection_pool (2.2.0)
    erubis (2.7.0)
-    faraday (0.11.0)
+    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
-    hashie (3.5.5)
-    i18n (0.8.1)
-    json (1.8.6)
-    jwt (1.5.6)
+    hashie (3.4.4)
+    i18n (0.7.0)
+    json (1.8.3)
+    jwt (1.5.4)
    mail (2.6.4)
      mime-types (>= 1.16, < 4)
    metaclass (0.0.4)
@@ -73,8 +78,8 @@ GEM
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.1.0)
-    minitest (5.10.1)
-    mocha (1.2.1)
+    minitest (5.9.0)
+    mocha (1.1.0)
      metaclass (~> 0.0.1)
    mongoid (4.0.2)
      activemodel (~> 4.0)
@@ -86,20 +91,21 @@ GEM
      connection_pool (~> 2.0)
      optionable (~> 0.2.0)
    multi_json (1.12.1)
-    multi_xml (0.6.0)
+    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
+    nokogiri (1.6.8)
      mini_portile2 (~> 2.1.0)
-    oauth2 (1.3.1)
-      faraday (>= 0.8, < 0.12)
+      pkg-config (~> 1.1.7)
+    oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
      multi_json (~> 1.3)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 3)
-    omniauth (1.4.2)
+    omniauth (1.3.1)
      hashie (>= 1.2, < 4)
      rack (>= 1.0, < 3)
-    omniauth-facebook (4.0.0)
+    omniauth-facebook (3.0.0)
      omniauth-oauth2 (~> 1.2)
    omniauth-oauth2 (1.4.0)
      oauth2 (~> 1.0)
@@ -108,39 +114,36 @@ GEM
      omniauth (~> 1.0)
      rack-openid (~> 1.3.1)
    optionable (0.2.0)
-    origin (2.3.0)
+    origin (2.2.0)
    orm_adapter (0.5.0)
+    pkg-config (1.1.7)
    rack (1.5.5)
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
    rack-test (0.6.3)
      rack (>= 1.0)
-    railties (4.1.16)
-      actionpack (= 4.1.16)
-      activesupport (= 4.1.16)
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (12.0.0)
-    rdoc (5.1.0)
+    rake (11.2.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
    responders (1.1.2)
      railties (>= 3.2, < 4.2)
    ruby-openid (2.7.0)
-    sprockets (3.7.1)
+    sprockets (3.6.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (2.3.3)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.3.11)
    test_after_commit (1.1.0)
      activerecord (>= 3.2)
-    thor (0.19.4)
-    thread_safe (0.3.6)
+    thor (0.19.1)
+    thread_safe (0.3.5)
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
-    warden (1.2.7)
+    warden (1.2.6)
      rack (>= 1.0)
    webrat (0.7.3)
      nokogiri (>= 1.2.0)
@@ -168,4 +171,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.14.6
+   1.12.5
--- a/gemfiles/Gemfile.rails-4.2-stable.lock
+++ b/gemfiles/Gemfile.rails-4.2-stable.lock
@@ -1,86 +1,88 @@
 GIT
  remote: git://github.com/rails/rails.git
-  revision: dc3ae21802c316e1639239d28202db7aa7fb7cac
+  revision: 5a85938418285ab81e3db52ea102d19f95ed7a94
  branch: 4-2-stable
  specs:
-    actionmailer (4.2.8)
-      actionpack (= 4.2.8)
-      actionview (= 4.2.8)
-      activejob (= 4.2.8)
+    actionmailer (4.2.7.rc1)
+      actionpack (= 4.2.7.rc1)
+      actionview (= 4.2.7.rc1)
+      activejob (= 4.2.7.rc1)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.8)
-      actionview (= 4.2.8)
-      activesupport (= 4.2.8)
+    actionpack (4.2.7.rc1)
+      actionview (= 4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.8)
-      activesupport (= 4.2.8)
+    actionview (4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (4.2.8)
-      activesupport (= 4.2.8)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      globalid (>= 0.3.0)
-    activemodel (4.2.8)
-      activesupport (= 4.2.8)
+    activemodel (4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      builder (~> 3.1)
-    activerecord (4.2.8)
-      activemodel (= 4.2.8)
-      activesupport (= 4.2.8)
+    activerecord (4.2.7.rc1)
+      activemodel (= 4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      arel (~> 6.0)
-    activesupport (4.2.8)
+    activesupport (4.2.7.rc1)
      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    rails (4.2.8)
-      actionmailer (= 4.2.8)
-      actionpack (= 4.2.8)
-      actionview (= 4.2.8)
-      activejob (= 4.2.8)
-      activemodel (= 4.2.8)
-      activerecord (= 4.2.8)
-      activesupport (= 4.2.8)
+    rails (4.2.7.rc1)
+      actionmailer (= 4.2.7.rc1)
+      actionpack (= 4.2.7.rc1)
+      actionview (= 4.2.7.rc1)
+      activejob (= 4.2.7.rc1)
+      activemodel (= 4.2.7.rc1)
+      activerecord (= 4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.8)
+      railties (= 4.2.7.rc1)
      sprockets-rails
-    railties (4.2.8)
-      actionpack (= 4.2.8)
-      activesupport (= 4.2.8)
+    railties (4.2.7.rc1)
+      actionpack (= 4.2.7.rc1)
+      activesupport (= 4.2.7.rc1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)

 PATH
  remote: ..
  specs:
-    devise (4.3.0)
+    devise (4.2.0)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
+      railties (>= 4.1.0, < 5.1)
      responders
      warden (~> 1.2.3)

 GEM
  remote: https://rubygems.org/
  specs:
-    arel (6.0.4)
+    arel (6.0.3)
    bcrypt (3.1.11)
    bson (3.2.6)
-    builder (3.2.3)
-    concurrent-ruby (1.0.5)
-    connection_pool (2.2.1)
+    builder (3.2.2)
+    concurrent-ruby (1.0.2)
+    connection_pool (2.2.0)
    erubis (2.7.0)
-    faraday (0.11.0)
+    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
-    globalid (0.3.7)
+    globalid (0.3.6)
      activesupport (>= 4.1.0)
-    hashie (3.5.5)
-    i18n (0.8.1)
-    jwt (1.5.6)
+    hashie (3.4.4)
+    i18n (0.7.0)
+    json (1.8.3)
+    jwt (1.5.4)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    mail (2.6.4)
@@ -90,8 +92,8 @@ GEM
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.1.0)
-    minitest (5.10.1)
-    mocha (1.2.1)
+    minitest (5.9.0)
+    mocha (1.1.0)
      metaclass (~> 0.0.1)
    mongoid (4.0.2)
      activemodel (~> 4.0)
@@ -103,20 +105,21 @@ GEM
      connection_pool (~> 2.0)
      optionable (~> 0.2.0)
    multi_json (1.12.1)
-    multi_xml (0.6.0)
+    multi_xml (0.5.5)
    multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
+    nokogiri (1.6.8)
      mini_portile2 (~> 2.1.0)
-    oauth2 (1.3.1)
-      faraday (>= 0.8, < 0.12)
+      pkg-config (~> 1.1.7)
+    oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
      jwt (~> 1.0)
      multi_json (~> 1.3)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 3)
-    omniauth (1.6.1)
-      hashie (>= 3.4.6, < 3.6.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (4.0.0)
+    omniauth (1.3.1)
+      hashie (>= 1.2, < 4)
+      rack (>= 1.0, < 3)
+    omniauth-facebook (3.0.0)
      omniauth-oauth2 (~> 1.2)
    omniauth-oauth2 (1.4.0)
      oauth2 (~> 1.0)
@@ -125,9 +128,10 @@ GEM
      omniauth (~> 1.0)
      rack-openid (~> 1.3.1)
    optionable (0.2.0)
-    origin (2.3.0)
+    origin (2.2.0)
    orm_adapter (0.5.0)
-    rack (1.6.5)
+    pkg-config (1.1.7)
+    rack (1.6.4)
    rack-openid (1.3.1)
      rack (>= 1.1.0)
      ruby-openid (>= 2.1.8)
@@ -135,33 +139,33 @@ GEM
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.8)
+    rails-dom-testing (1.0.7)
      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6)
+      nokogiri (~> 1.6.0)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
-    rake (12.0.0)
-    rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    rake (11.2.2)
+    rdoc (4.2.2)
+      json (~> 1.4)
+    responders (2.2.0)
+      railties (>= 4.2.0, < 5.1)
    ruby-openid (2.7.0)
-    sprockets (3.7.1)
+    sprockets (3.6.2)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
-    sprockets-rails (3.2.0)
+    sprockets-rails (3.1.1)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.3.11)
    test_after_commit (1.1.0)
      activerecord (>= 3.2)
-    thor (0.19.4)
-    thread_safe (0.3.6)
+    thor (0.19.1)
+    thread_safe (0.3.5)
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
-    warden (1.2.7)
+    warden (1.2.6)
      rack (>= 1.0)
    webrat (0.7.3)
      nokogiri (>= 1.2.0)
@@ -189,4 +193,4 @@ DEPENDENCIES
  webrat (= 0.7.3)

 BUNDLED WITH
-   1.14.6
+   1.12.5
--- a/gemfiles/Gemfile.rails-5.0-stable
+++ b/gemfiles/Gemfile.rails-5.0-stable
@@ -1,33 +0,0 @@
-source "https://rubygems.org"
-
-gemspec path: ".."
-
-gem "rails", '~> 5.0.0'
-gem "omniauth"
-gem "omniauth-oauth2"
-gem "rdoc"
-
-gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
-
-gem "rails-controller-testing"
-
-gem "responders", "~> 2.1"
-
-# TODO: Remove this line when Rails 5.0.3 is released
-gem "minitest", "< 5.10.2"
-
-group :test do
-  gem "omniauth-facebook"
-  gem "omniauth-openid"
-  gem "webrat", "0.7.3", require: false
-  gem "mocha", "~> 1.1", require: false
-  gem 'test_after_commit', require: false
-end
-
-platforms :ruby do
-  gem "sqlite3"
-end
-
-group :mongoid do
-  gem "mongoid"
-end
--- a/gemfiles/Gemfile.rails-5.0-stable.lock
+++ b/gemfiles/Gemfile.rails-5.0-stable.lock
@@ -1,200 +0,0 @@
-GIT
-  remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: dd9c0acf26aab111ebc647cd8deb99ebc6946531
-  specs:
-    activemodel-serializers-xml (1.0.1)
-      activemodel (> 5.x)
-      activesupport (> 5.x)
-      builder (~> 3.1)
-
-PATH
-  remote: ..
-  specs:
-    devise (4.3.0)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 5.2)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actioncable (5.0.2)
-      actionpack (= 5.0.2)
-      nio4r (>= 1.2, < 3.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.0.2)
-      actionpack (= 5.0.2)
-      actionview (= 5.0.2)
-      activejob (= 5.0.2)
-      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 2.0)
-    actionpack (5.0.2)
-      actionview (= 5.0.2)
-      activesupport (= 5.0.2)
-      rack (~> 2.0)
-      rack-test (~> 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.0.2)
-      activesupport (= 5.0.2)
-      builder (~> 3.1)
-      erubis (~> 2.7.0)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.0.2)
-      activesupport (= 5.0.2)
-      globalid (>= 0.3.6)
-    activemodel (5.0.2)
-      activesupport (= 5.0.2)
-    activerecord (5.0.2)
-      activemodel (= 5.0.2)
-      activesupport (= 5.0.2)
-      arel (~> 7.0)
-    activesupport (5.0.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-    arel (7.1.4)
-    bcrypt (3.1.11)
-    bson (4.2.1)
-    builder (3.2.3)
-    concurrent-ruby (1.0.5)
-    erubis (2.7.0)
-    faraday (0.11.0)
-      multipart-post (>= 1.2, < 3)
-    globalid (0.4.0)
-      activesupport (>= 4.2.0)
-    hashie (3.5.5)
-    i18n (0.8.1)
-    jwt (1.5.6)
-    loofah (2.0.3)
-      nokogiri (>= 1.5.9)
-    mail (2.6.5)
-      mime-types (>= 1.16, < 4)
-    metaclass (0.0.4)
-    method_source (0.8.2)
-    mime-types (3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
-    minitest (5.10.1)
-    mocha (1.2.1)
-      metaclass (~> 0.0.1)
-    mongo (2.4.1)
-      bson (>= 4.2.1, < 5.0.0)
-    mongoid (6.1.0)
-      activemodel (~> 5.0)
-      mongo (>= 2.4.1, < 3.0.0)
-    multi_json (1.12.1)
-    multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nio4r (2.0.0)
-    nokogiri (1.7.2)
-      mini_portile2 (~> 2.1.0)
-    oauth2 (1.3.1)
-      faraday (>= 0.8, < 0.12)
-      jwt (~> 1.0)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.6.1)
-      hashie (>= 3.4.6, < 3.6.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (4.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-oauth2 (1.4.0)
-      oauth2 (~> 1.0)
-      omniauth (~> 1.2)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
-    orm_adapter (0.5.0)
-    rack (2.0.2)
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-test (0.6.3)
-      rack (>= 1.0)
-    rails (5.0.2)
-      actioncable (= 5.0.2)
-      actionmailer (= 5.0.2)
-      actionpack (= 5.0.2)
-      actionview (= 5.0.2)
-      activejob (= 5.0.2)
-      activemodel (= 5.0.2)
-      activerecord (= 5.0.2)
-      activesupport (= 5.0.2)
-      bundler (>= 1.3.0, < 2.0)
-      railties (= 5.0.2)
-      sprockets-rails (>= 2.0.0)
-    rails-controller-testing (1.0.1)
-      actionpack (~> 5.x)
-      actionview (~> 5.x)
-      activesupport (~> 5.x)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
-      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (5.0.2)
-      actionpack (= 5.0.2)
-      activesupport (= 5.0.2)
-      method_source
-      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (12.0.0)
-    rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
-    ruby-openid (2.7.0)
-    sprockets (3.7.1)
-      concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.2.0)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
-    test_after_commit (1.1.0)
-      activerecord (>= 3.2)
-    thor (0.19.4)
-    thread_safe (0.3.6)
-    tzinfo (1.2.3)
-      thread_safe (~> 0.1)
-    warden (1.2.7)
-      rack (>= 1.0)
-    webrat (0.7.3)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-    websocket-driver (0.6.5)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activemodel-serializers-xml!
-  devise!
-  minitest (< 5.10.2)
-  mocha (~> 1.1)
-  mongoid
-  omniauth
-  omniauth-facebook
-  omniauth-oauth2
-  omniauth-openid
-  rails (~> 5.0.0)
-  rails-controller-testing
-  rdoc
-  responders (~> 2.1)
-  sqlite3
-  test_after_commit
-  webrat (= 0.7.3)
-
-BUNDLED WITH
-   1.14.6
--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -153,11 +153,7 @@ module Devise
  mattr_accessor :pepper
  @@pepper = nil

-  # Used to send notification to the original user email when their email is changed.
-  mattr_accessor :send_email_changed_notification
-  @@send_email_changed_notification = false
-
-  # Used to enable sending notification to user when their password is changed.
+  # Used to enable sending notification to user when their password is changed
  mattr_accessor :send_password_change_notification
  @@send_password_change_notification = false

@@ -290,14 +286,6 @@ module Devise
  mattr_accessor :token_generator
  @@token_generator = nil

-  def self.rails51? # :nodoc:
-    Rails.gem_version >= Gem::Version.new("5.1.x")
-  end
-
-  def self.activerecord51? # :nodoc:
-    defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
-  end
-
  # Default way to set up Devise. Run rails generate devise_install to create
  # a fresh initializer with all configuration values.
  def self.setup
--- a/lib/devise/models.rb
+++ b/lib/devise/models.rb
@@ -12,7 +12,7 @@ module Devise

    # Creates configuration values for Devise and for the given module.
    #
-    #   Devise::Models.config(Devise::Models::DatabaseAuthenticatable, :stretches)
+    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
    #
    # The line above creates:
    #
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -26,9 +26,7 @@ module Devise
    #     initial account confirmation) to be applied. Requires additional unconfirmed_email
    #     db field to be set up (t.reconfirmable in migrations). Until confirmed, new email is
    #     stored in unconfirmed email column, and copied to email column on successful
-    #     confirmation. Also, when used in conjunction with `send_email_changed_notification`,
-    #     the notification is sent to the original email when the change is requested,
-    #     not when the unconfirmed email is confirmed.
+    #     confirmation.
    #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
    #     You can use this to force the user to confirm within a set period of time.
    #     Confirmable will not generate a new token if a repeat confirmation is requested
@@ -225,7 +223,7 @@ module Devise
        #   confirmation_period_expired?  # will always return false
        #
        def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
        end

        # Checks whether the record requires any confirmation.
@@ -253,44 +251,22 @@ module Devise
          generate_confirmation_token && save(validate: false)
        end

-        if Devise.activerecord51?
-          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
-            @reconfirmation_required = true
-            self.unconfirmed_email = self.email
-            self.email = self.email_in_database
-            self.confirmation_token = nil
-            generate_confirmation_token
-          end
-        else
-          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
-            @reconfirmation_required = true
-            self.unconfirmed_email = self.email
-            self.email = self.email_was
-            self.confirmation_token = nil
-            generate_confirmation_token
-          end
+        def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+          @reconfirmation_required = true
+          self.unconfirmed_email = self.email
+          self.email = self.email_was
+          self.confirmation_token = nil
+          generate_confirmation_token
        end

-        if Devise.activerecord51?
-          def postpone_email_change?
-            postpone = self.class.reconfirmable &&
-              will_save_change_to_email? &&
-              !@bypass_confirmation_postpone &&
-              self.email.present? &&
-              (!@skip_reconfirmation_in_callback || !self.email_in_database.nil?)
-            @bypass_confirmation_postpone = false
-            postpone
-          end
-        else
-          def postpone_email_change?
-            postpone = self.class.reconfirmable &&
-              email_changed? &&
-              !@bypass_confirmation_postpone &&
-              self.email.present? &&
-              (!@skip_reconfirmation_in_callback || !self.email_was.nil?)
-            @bypass_confirmation_postpone = false
-            postpone
-          end
+        def postpone_email_change?
+          postpone = self.class.reconfirmable &&
+            email_changed? &&
+            !@bypass_confirmation_postpone &&
+            self.email.present? &&
+            (!@skip_reconfirmation_in_callback || !self.email_was.nil?)
+          @bypass_confirmation_postpone = false
+          postpone
        end

        def reconfirmation_required?
@@ -301,16 +277,6 @@ module Devise
          confirmation_required? && !@skip_confirmation_notification && self.email.present?
        end

-        # With reconfirmable, notify the original email when the user first
-        # requests the email change, instead of when the change is confirmed.
-        def send_email_changed_notification?
-          if self.class.reconfirmable
-            self.class.send_email_changed_notification && reconfirmation_required?
-          else
-            super
-          end
-        end
-
        # A callback initiated after successfully confirming. This can be
        # used to insert your own logic that is only run after the user successfully
        # confirms.
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@@ -14,10 +14,6 @@ module Devise
    #
    #   * +stretches+: the cost given to bcrypt.
    #
-    #   * +send_email_changed_notification+: notify original email when it changes.
-    #
-    #   * +send_password_change_notification+: notify email when password changes.
-    #
    # == Examples
    #
    #    User.find(1).valid_password?('password123')         # returns true/false
@@ -26,7 +22,6 @@ module Devise
      extend ActiveSupport::Concern

      included do
-        after_update :send_email_changed_notification, if: :send_email_changed_notification?
        after_update :send_password_change_notification, if: :send_password_change_notification?

        attr_reader :password, :current_password
@@ -137,19 +132,6 @@ module Devise
        encrypted_password[0,29] if encrypted_password
      end

-      if Devise.activerecord51?
-        # Send notification to user when email changes.
-        def send_email_changed_notification
-          send_devise_notification(:email_changed, to: email_before_last_save)
-        end
-      else
-        # Send notification to user when email changes.
-        def send_email_changed_notification
-          send_devise_notification(:email_changed, to: email_was)
-        end
-      end
-
-      # Send notification to user when password changes.
      def send_password_change_notification
        send_devise_notification(:password_change)
      end
@@ -165,28 +147,12 @@ module Devise
        Devise::Encryptor.digest(self.class, password)
      end

-      if Devise.activerecord51?
-        def send_email_changed_notification?
-          self.class.send_email_changed_notification && saved_change_to_email?
-        end
-      else
-        def send_email_changed_notification?
-          self.class.send_email_changed_notification && email_changed?
-        end
-      end
-
-      if Devise.activerecord51?
-        def send_password_change_notification?
-          self.class.send_password_change_notification && saved_change_to_encrypted_password?
-        end
-      else
-        def send_password_change_notification?
-          self.class.send_password_change_notification && encrypted_password_changed?
-        end
+      def send_password_change_notification?
+        self.class.send_password_change_notification && encrypted_password_changed?
      end

      module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
+        Devise::Models.config(self, :pepper, :stretches, :send_password_change_notification)

        # We assume this method already gets the sanitized values from the
        # DatabaseAuthenticatable strategy. If you are using this method on
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@@ -33,14 +33,10 @@ module Devise
      # Update password saving the record and clearing token. Returns true if
      # the passwords are valid and the record was saved, false otherwise.
      def reset_password(new_password, new_password_confirmation)
-        if new_password.present?
-          self.password = new_password
-          self.password_confirmation = new_password_confirmation
-          save
-        else
-          errors.add(:password, :blank)
-          false
-        end
+        self.password = new_password
+        self.password_confirmation = new_password_confirmation
+
+        save
      end

      # Resets reset password token and send reset password instructions by email.
@@ -97,24 +93,13 @@ module Devise
          send_devise_notification(:reset_password_instructions, token, {})
        end

-        if Devise.activerecord51?
-          def clear_reset_password_token?
-            encrypted_password_changed = respond_to?(:will_save_change_to_encrypted_password?) && will_save_change_to_encrypted_password?
-            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
-              respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
-            end
-
-            authentication_keys_changed || encrypted_password_changed
+        def clear_reset_password_token?
+          encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
+          authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+            respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
          end
-        else
-          def clear_reset_password_token?
-            encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
-            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
-              respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
-            end

-            authentication_keys_changed || encrypted_password_changed
-          end
+          authentication_keys_changed || encrypted_password_changed
        end

      module ClassMethods
--- a/lib/devise/models/rememberable.rb
+++ b/lib/devise/models/rememberable.rb
@@ -74,7 +74,7 @@ module Devise
        elsif respond_to?(:authenticatable_salt) && (salt = authenticatable_salt.presence)
          salt
        else
-          raise "authenticatable_salt returned nil for the #{self.class.name} model. " \
+          raise "authenticable_salt returned nil for the #{self.class.name} model. " \
            "In order to use rememberable, you must ensure a password is always set " \
            "or have a remember_token column in your model or implement your own " \
            "rememberable_value in the model with custom logic."
--- a/lib/devise/models/validatable.rb
+++ b/lib/devise/models/validatable.rb
@@ -27,13 +27,8 @@ module Devise

        base.class_eval do
          validates_presence_of   :email, if: :email_required?
-          if Devise.activerecord51?
-            validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
-            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
-          else
-            validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
-          end
+          validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
+          validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?

          validates_presence_of     :password, if: :password_required?
          validates_confirmation_of :password, if: :password_required?
--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.3.0".freeze
+  VERSION = "4.2.0".freeze
 end
--- a/lib/generators/templates/devise.rb
+++ b/lib/generators/templates/devise.rb
@@ -110,10 +110,7 @@ Devise.setup do |config|
  # Set up a pepper to generate the hashed password.
  # config.pepper = '<%= SecureRandom.hex(64) %>'

-  # Send a notification to the original email when the user's email is changed.
-  # config.send_email_changed_notification = false
-
-  # Send a notification email when the user's password is changed.
+  # Send a notification email when the user's password is changed
  # config.send_password_change_notification = false

  # ==> Configuration for :confirmable
--- a/lib/generators/templates/markerb/email_changed.markerb
+++ b/lib/generators/templates/markerb/email_changed.markerb
@@ -1,7 +0,0 @@
-Hello <%= @email %>!
-
-<% if @resource.try(:unconfirmed_email?) %>
-We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.
-<% else %>
-We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
-<% end %>
--- a/lib/generators/templates/markerb/password_change.markerb
+++ b/lib/generators/templates/markerb/password_change.markerb
@@ -1,3 +1,3 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>

-We're contacting you to notify you that your password has been changed.
+<p>We're contacting you to notify you that your password has been changed.</p>
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@@ -164,8 +164,8 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
    @controller.instance_variable_set(:@current_user, user)
    @controller.instance_variable_set(:@current_admin, user)
    @controller.sign_out
-    assert_nil @controller.instance_variable_get(:@current_user)
-    assert_nil @controller.instance_variable_get(:@current_admin)
+    assert_equal nil, @controller.instance_variable_get(:@current_user)
+    assert_equal nil, @controller.instance_variable_get(:@current_admin)
  end

  test 'sign out logs out and clears up any signed in user by scope' do
@@ -175,7 +175,7 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
    @mock_warden.expects(:clear_strategies_cache!).with(scope: :user).returns(true)
    @controller.instance_variable_set(:@current_user, user)
    @controller.sign_out(:user)
-    assert_nil @controller.instance_variable_get(:@current_user)
+    assert_equal nil, @controller.instance_variable_get(:@current_user)
  end

  test 'sign out accepts a resource as argument' do
--- a/test/integration/recoverable_test.rb
+++ b/test/integration/recoverable_test.rb
@@ -22,7 +22,7 @@ class PasswordTest < Devise::IntegrationTest
  def reset_password(options={}, &block)
    unless options[:visit] == false
      visit edit_user_password_path(reset_password_token: options[:reset_password_token] || "abcdef")
-      assert_response :success
+      assert_current_url '/users/password/edit'
    end

    fill_in 'New password', with: '987654321'
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@@ -10,13 +10,7 @@ class RememberMeTest < Devise::IntegrationTest
  end

  def generate_signed_cookie(raw_cookie)
-    request = if Devise::Test.rails51?
-      ActionController::TestRequest.create(Class.new) # needs a "controller class"
-    elsif Devise::Test.rails5?
-      ActionController::TestRequest.create
-    else
-      ActionController::TestRequest.new
-    end
+    request = Devise.rails5? ? ActionDispatch::TestRequest.create : ActionDispatch::TestRequest.new
    request.cookie_jar.signed['raw_cookie'] = raw_cookie
    request.cookie_jar['raw_cookie']
  end
--- a/test/mailers/email_changed_test.rb
+++ b/test/mailers/email_changed_test.rb
@@ -1,130 +0,0 @@
-require 'test_helper'
-
-class EmailChangedTest < ActionMailer::TestCase
-  def setup
-    setup_mailer
-    Devise.mailer = 'Devise::Mailer'
-    Devise.mailer_sender = 'test@example.com'
-    Devise.send_email_changed_notification = true
-  end
-
-  def teardown
-    Devise.mailer = 'Devise::Mailer'
-    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
-    Devise.send_email_changed_notification = false
-  end
-
-  def user
-    @user ||= create_user.tap { |u|
-      @original_user_email = u.email
-      u.update_attributes!(email: 'new-email@example.com')
-    }
-  end
-
-  def mail
-    @mail ||= begin
-      user
-      ActionMailer::Base.deliveries.last
-    end
-  end
-
-  test 'email sent after changing the user email' do
-    assert_not_nil mail
-  end
-
-  test 'content type should be set to html' do
-    assert mail.content_type.include?('text/html')
-  end
-
-  test 'send email changed to the original user email' do
-    mail
-    assert_equal [@original_user_email], mail.to
-  end
-
-  test 'set up sender from configuration' do
-    assert_equal ['test@example.com'], mail.from
-  end
-
-  test 'set up sender from custom mailer defaults' do
-    Devise.mailer = 'Users::Mailer'
-    assert_equal ['custom@example.com'], mail.from
-  end
-
-  test 'set up sender from custom mailer defaults with proc' do
-    Devise.mailer = 'Users::FromProcMailer'
-    assert_equal ['custom@example.com'], mail.from
-  end
-
-  test 'custom mailer renders parent mailer template' do
-    Devise.mailer = 'Users::Mailer'
-    assert_present mail.body.encoded
-  end
-
-  test 'set up reply to as copy from sender' do
-    assert_equal ['test@example.com'], mail.reply_to
-  end
-
-  test 'set up reply to as different if set in defaults' do
-    Devise.mailer = 'Users::ReplyToMailer'
-    assert_equal ['custom@example.com'], mail.from
-    assert_equal ['custom_reply_to@example.com'], mail.reply_to
-  end
-
-  test 'set up subject from I18n' do
-    store_translations :en, devise: { mailer: { email_changed: { subject: 'Email Has Changed' } } } do
-      assert_equal 'Email Has Changed', mail.subject
-    end
-  end
-
-  test 'subject namespaced by model' do
-    store_translations :en, devise: { mailer: { email_changed: { user_subject: 'User Email Has Changed' } } } do
-      assert_equal 'User Email Has Changed', mail.subject
-    end
-  end
-
-  test 'body should have user info' do
-    body = mail.body.encoded
-    assert_match "Hello #{@original_user_email}", body
-    assert_match "has been changed to #{user.email}", body
-  end
-end
-
-class EmailChangedReconfirmationTest < ActionMailer::TestCase
-  def setup
-    setup_mailer
-    Devise.mailer = 'Devise::Mailer'
-    Devise.mailer_sender = 'test@example.com'
-    Devise.send_email_changed_notification = true
-  end
-
-  def teardown
-    Devise.mailer = 'Devise::Mailer'
-    Devise.mailer_sender = 'please-change-me@config-initializers-devise.com'
-    Devise.send_email_changed_notification = false
-  end
-
-  def admin
-    @admin ||= create_admin.tap { |u|
-      @original_admin_email = u.email
-      u.update_attributes!(email: 'new-email@example.com')
-    }
-  end
-
-  def mail
-    @mail ||= begin
-      admin
-      ActionMailer::Base.deliveries[-2]
-    end
-  end
-
-  test 'send email changed to the original user email' do
-    mail
-    assert_equal [@original_admin_email], mail.to
-  end
-
-  test 'body should have unconfirmed user info' do
-    body = mail.body.encoded
-    assert_match admin.email, body
-    assert_match "is being changed to #{admin.unconfirmed_email}", body
-  end
-end
--- a/test/models/confirmable_test.rb
+++ b/test/models/confirmable_test.rb
@@ -516,21 +516,4 @@ class ReconfirmableTest < ActiveSupport::TestCase
    admin.save
    assert admin.pending_reconfirmation?
  end
-
-  test 'should notify previous email on email change when configured' do
-    swap Devise, send_email_changed_notification: true do
-      admin = create_admin
-      original_email = admin.email
-
-      assert_difference 'ActionMailer::Base.deliveries.size', 2 do
-        assert admin.update_attributes(email: 'new-email@example.com')
-      end
-      assert_equal original_email, ActionMailer::Base.deliveries[-2]['to'].to_s
-      assert_equal 'new-email@example.com', ActionMailer::Base.deliveries[-1]['to'].to_s
-
-      assert_email_not_sent do
-        assert admin.confirm
-      end
-    end
-  end
 end
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@@ -236,24 +236,12 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    end
  end

-  test 'should notify previous email on email change when configured' do
-    swap Devise, send_email_changed_notification: true do
-      user = create_user
-      original_email = user.email
-      assert_email_sent original_email do
-        assert user.update_attributes(email: 'new-email@example.com')
-      end
-      assert_match original_email, ActionMailer::Base.deliveries.last.body.encoded
-    end
-  end
-
-  test 'should notify email on password change when configured' do
+  test 'should email on password change when configured' do
    swap Devise, send_password_change_notification: true do
      user = create_user
      assert_email_sent user.email do
        assert user.update_attributes(password: 'newpass', password_confirmation: 'newpass')
      end
-      assert_match user.email, ActionMailer::Base.deliveries.last.body.encoded
    end
  end

--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
@@ -184,16 +184,6 @@ class RecoverableTest < ActiveSupport::TestCase
    assert_equal raw, reset_password_user.reset_password_token
  end

-  test 'should return a new record with errors if password is not provided' do
-    user = create_user
-    raw  = user.send_reset_password_instructions
-
-    reset_password_user = User.reset_password_by_token(reset_password_token: raw)
-    refute reset_password_user.errors.empty?
-    assert_match "can't be blank", reset_password_user.errors[:password].join
-    assert_equal raw, reset_password_user.reset_password_token
-  end
-
  test 'should reset successfully user password given the new password and confirmation' do
    user = create_user
    old_password = user.password
@@ -255,7 +245,7 @@ class RecoverableTest < ActiveSupport::TestCase
  end

  test 'should return nil if a user based on the raw token is not found' do
-    assert_nil User.with_reset_password_token('random-token')
+    assert_equal User.with_reset_password_token('random-token'), nil
  end

 end
--- a/test/omniauth/config_test.rb
+++ b/test/omniauth/config_test.rb
@@ -25,21 +25,19 @@ class OmniAuthConfigTest < ActiveSupport::TestCase
    assert_equal OmniAuth::Strategies::Facebook, config.strategy_class
  end

-  class NamedTestStrategy
-    include OmniAuth::Strategy
-    option :name, :the_one
-  end
-
  test "finds the strategy in OmniAuth's list by name" do
+    NamedTestStrategy = Class.new
+    NamedTestStrategy.send :include, OmniAuth::Strategy
+    NamedTestStrategy.option :name, :the_one
+
    config = Devise::OmniAuth::Config.new :the_one, [{}]
    assert_equal NamedTestStrategy, config.strategy_class
  end

-  class UnNamedTestStrategy
-    include OmniAuth::Strategy
-  end
-
  test "finds the strategy in OmniAuth's list by class name" do
+    UnNamedTestStrategy = Class.new
+    UnNamedTestStrategy.send :include, OmniAuth::Strategy
+
    config = Devise::OmniAuth::Config.new :un_named_test_strategy, [{}]
    assert_equal UnNamedTestStrategy, config.strategy_class
  end
--- a/test/orm/active_record.rb
+++ b/test/orm/active_record.rb
@@ -5,7 +5,7 @@ ActiveRecord::Base.include_root_in_json = true
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))

 class ActiveSupport::TestCase
-  if Devise::Test.rails5?
+  if Devise.rails5?
    self.use_transactional_tests = true
  else
    # Let `after_commit` work with transactional fixtures, however this is not needed for Rails 5.
--- a/test/rails_app/app/active_record/user.rb
+++ b/test/rails_app/app/active_record/user.rb
@@ -3,5 +3,5 @@ require 'shared_user'
 class User < ActiveRecord::Base
  include Shim
  include SharedUser
-  include ActiveModel::Serializers::Xml if Devise::Test.rails5?
+  include ActiveModel::Serializers::Xml if Devise.rails5?
 end
--- a/test/rails_app/app/controllers/home_controller.rb
+++ b/test/rails_app/app/controllers/home_controller.rb
@@ -20,7 +20,7 @@ class HomeController < ApplicationController
  end

  def unauthenticated
-    if Devise::Test.rails5?
+    if Devise.rails5?
      render body: "unauthenticated", status: :unauthorized
    else
      render text: "unauthenticated", status: :unauthorized
--- a/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb
@@ -9,6 +9,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
    user = User.to_adapter.find_first(email: 'user@test.com')
    user.remember_me = true
    sign_in user
-    render (Devise::Test.rails5? ? :body : :text) => ""
+    render (Devise.rails5? ? :body : :text) => ""
  end
 end
--- a/test/rails_app/app/controllers/users_controller.rb
+++ b/test/rails_app/app/controllers/users_controller.rb
@@ -13,7 +13,7 @@ class UsersController < ApplicationController
  end

  def update_form
-    render (Devise::Test.rails5? ? :body : :text) => 'Update'
+    render (Devise.rails5? ? :body : :text) => 'Update'
  end

  def accept
@@ -21,11 +21,11 @@ class UsersController < ApplicationController
  end

  def exhibit
-    render (Devise::Test.rails5? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
+    render (Devise.rails5? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
  end

  def expire
    user_session['last_request_at'] = 31.minutes.ago.utc
-    render (Devise::Test.rails5? ? :body : :text) => 'User will be expired on next request'
+    render (Devise.rails5? ? :body : :text) => 'User will be expired on next request'
  end
 end
--- a/test/rails_app/config/boot.rb
+++ b/test/rails_app/config/boot.rb
@@ -3,15 +3,9 @@ unless defined?(DEVISE_ORM)
 end

 module Devise
-  module Test
-    # Detection for minor differences between Rails 4 and 5, and 5.1 in tests.
-    def self.rails51?
-      Rails.version.start_with? '5.1'
-    end
-
-    def self.rails5?
-      Rails.version.start_with? '5'
-    end
+  # Detection for minor differences between Rails 4 and 5 in tests.
+  def self.rails5?
+    Rails.version.start_with? '5'
  end
 end

--- a/test/rails_app/lib/shared_admin.rb
+++ b/test/rails_app/lib/shared_admin.rb
@@ -8,11 +8,7 @@ module SharedAdmin
           allow_unconfirmed_access_for: 2.weeks, reconfirmable: true

    validates_length_of     :reset_password_token, minimum: 3, allow_blank: true
-    if Devise::Test.rails51?
-      validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
-    else
-      validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-    end
+    validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
  end

  def raw_confirmation_token
--- a/test/routes_test.rb
+++ b/test/routes_test.rb
@@ -203,7 +203,7 @@ class CustomizedRoutingTest < ActionController::TestCase

  test 'map with format false for sessions' do
    expected_params = {controller: 'devise/sessions', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise.rails5?

    assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in', method: :get})
    assert_raise ExpectedRoutingError do
@@ -213,7 +213,7 @@ class CustomizedRoutingTest < ActionController::TestCase

  test 'map with format false for passwords' do
    expected_params = {controller: 'devise/passwords', action: 'create'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise.rails5?

    assert_recognizes(expected_params, {path: '/htmlonly_admin/password', method: :post})
    assert_raise ExpectedRoutingError do
@@ -223,7 +223,7 @@ class CustomizedRoutingTest < ActionController::TestCase

  test 'map with format false for registrations' do
    expected_params = {controller: 'devise/registrations', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise.rails5?

    assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up', method: :get})
    assert_raise ExpectedRoutingError do
@@ -233,7 +233,7 @@ class CustomizedRoutingTest < ActionController::TestCase

  test 'map with format false for confirmations' do
    expected_params = {controller: 'devise/confirmations', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise.rails5?

    assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation', method: :get})
    assert_raise ExpectedRoutingError do
@@ -243,7 +243,7 @@ class CustomizedRoutingTest < ActionController::TestCase

  test 'map with format false for unlocks' do
    expected_params = {controller: 'devise/unlocks', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise.rails5?

    assert_recognizes(expected_params, {path: '/htmlonly_users/unlock', method: :get})
    assert_raise ExpectedRoutingError do
--- a/test/test/controller_helpers_test.rb
+++ b/test/test/controller_helpers_test.rb
@@ -163,15 +163,7 @@ class TestControllerHelpersTest < Devise::ControllerTestCase

  test "creates a new warden proxy if the request object has changed" do
    old_warden_proxy = warden
-
-    @request = if Devise::Test.rails51?
-      ActionController::TestRequest.create(Class.new) # needs a "controller class"
-    elsif Devise::Test.rails5?
-      ActionController::TestRequest.create
-    else
-      ActionController::TestRequest.new
-    end
-
+    @request = Devise.rails5? ? ActionController::TestRequest.create : ActionController::TestRequest.new
    new_warden_proxy = warden

    assert_not_equal old_warden_proxy, new_warden_proxy