Release 1.1.9

Conflicts:

	lib/devise/models/authenticatable.rb

CHANGELOG.rdoc

@@ -1,8 +1,24 @@
+== 1.1.9
+
+* bugfix
+  * double check if warden has not halted
+
+== 1.1.8
+
+* bugfix
+  * Ensure you can't inject Mongoid queries using token authenticatable
+
+== 1.1.7
+
+* bugfix
+  * Fix a backward incompatible change with versions prior to Rails 3.0.4
+
 == 1.1.6
 
-* Use a more secure e-mail regexp
-* Implement Rails 3.0.4 handle unverified request
-* Use secure_compare to compare passwords
+* bugfix
+  * Use a more secure e-mail regexp
+  * Implement Rails 3.0.4 handle unverified request
+  * Use secure_compare to compare passwords
 
 == 1.1.5
 

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.1.5)
+    devise (1.1.8)
       bcrypt-ruby (~> 2.1.2)
       warden (~> 1.0.2)
 
@@ -36,7 +36,7 @@ GEM
       activesupport (= 3.0.4)
     activesupport (3.0.4)
     arel (2.0.8)
-    bcrypt-ruby (2.1.2)
+    bcrypt-ruby (2.1.4)
     bson (1.1.2)
     bson_ext (1.1.2)
     builder (2.1.2)
@@ -91,7 +91,7 @@ GEM
     treetop (1.4.9)
       polyglot (>= 0.3.1)
     tzinfo (0.3.24)
-    warden (1.0.2)
+    warden (1.0.3)
       rack (>= 1.0.0)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
@@ -104,7 +104,6 @@ PLATFORMS
 
 DEPENDENCIES
   activerecord-jdbcsqlite3-adapter
-  bcrypt-ruby (~> 2.1.2)
   bson_ext (= 1.1.2)
   devise!
   mocha
@@ -113,5 +112,4 @@ DEPENDENCIES
   rails (~> 3.0.4)
   ruby-debug (>= 0.10.3)
   sqlite3-ruby
-  warden (~> 1.0.2)
   webrat (= 0.7.2)

README.rdoc

@@ -24,7 +24,7 @@ Right now it's composed of 11 modules:
 
 Devise 1.1 supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
 
-  gem install devise --version=1.1.3
+  gem install devise --version=1.1.7
 
 If you want to use Rails master (from git repository) you need to use Devise from git repository and vice-versa.
 
@@ -42,7 +42,7 @@ Replace MODEL by the class name you want to add devise, like User, Admin, etc. T
 
 If you want to use the Rails 2.3.x version, you should do:
 
-  gem install devise --version=1.0.8
+  gem install devise --version=1.0.10
 
 And please check the README at the v1.0 branch since this one is based on Rails 3:
 

app/controllers/devise/registrations_controller.rb

@@ -9,7 +9,7 @@ class Devise::RegistrationsController < ApplicationController
     render_with_scope :new
   end
 
-  # POST /resource/sign_up
+  # POST /resource
   def create
     build_resource
 

devise.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.1.6"
+  s.version = "1.1.9"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2011-02-15}
+  s.date = %q{2011-03-25}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
@@ -181,7 +181,6 @@ Gem::Specification.new do |s|
   ]
 
   if s.respond_to? :specification_version then
-    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then

lib/devise/failure_app.rb

@@ -104,8 +104,16 @@ module Devise
       session[:"#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
     end
 
+    MIME_REFERENCES = Mime::HTML.respond_to?(:ref)
+
     def request_format
-      @request_format ||= request.format.respond_to?(:ref) ? request.format.ref : request.format
+      @request_format ||= if request.format.respond_to?(:ref)
+        request.format.ref
+      elsif MIME_REFERENCES
+        request.format
+      else # Rails < 3.0.4
+        request.format.to_sym
+      end
     end
   end
 end

lib/devise/models/authenticatable.rb

@@ -90,6 +90,7 @@ module Devise
         #   end
         #
         def find_for_authentication(conditions)
+          filter_auth_params(conditions)
           find(:first, :conditions => conditions)
         end
 
@@ -113,6 +114,15 @@ module Devise
           record
         end
 
+        protected
+
+        # Force keys to be string to avoid injection on mongoid related database.
+        def filter_auth_params(conditions)
+          conditions.each do |k, v|
+            conditions[k] = v.to_s
+          end
+        end
+
         # Generate a token by looping and ensuring does not already exist.
         def generate_token(column)
           loop do

lib/devise/strategies/authenticatable.rb

@@ -21,6 +21,7 @@ module Devise
         case result
         when Symbol, String
           fail!(result)
+          false
         else
           result
         end

lib/devise/strategies/database_authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
         if validate(resource){ resource.valid_password?(password) }
           resource.after_database_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid)
         end
       end

lib/devise/strategies/rememberable.rb

@@ -20,7 +20,7 @@ module Devise
 
         if validate(resource)
           success!(resource)
-        else
+        elsif !halted?
           cookies.delete(remember_key)
           pass
         end

lib/devise/strategies/token_authenticatable.rb

@@ -16,7 +16,7 @@ module Devise
         if validate(resource)
           resource.after_token_authentication
           success!(resource)
-        else
+        elsif !halted?
           fail(:invalid_token)
         end
       end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.6".freeze
+  VERSION = "1.1.9".freeze
 end

test/integration/token_authenticatable_test.rb

@@ -65,6 +65,22 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
+  test 'should not be subject to injection' do
+    swap Devise, :token_authentication_key => :secret_token do
+      user1 = create_user()
+
+      # Clean up user cache
+      @user = nil
+
+      user2 = create_user(:email => "another@test.com")
+      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")
+
+      assert_not_equal user1, user2
+      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
+      assert_nil warden.user(:user) 
+    end
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})

test/models/token_authenticatable_test.rb

@@ -34,4 +34,16 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_nil authenticated_user
   end
 
-end
+  test 'should not be subject to injection' do
+    user1 = create_user
+    user1.ensure_authentication_token!
+    user1.confirm!
+
+    user2 = create_user
+    user2.ensure_authentication_token!
+    user2.confirm!
+
+    user = User.find_for_token_authentication(:auth_token => {'$ne' => user1.authentication_token})
+    assert_nil user
+  end
+end

test/support/integration.rb

@@ -9,7 +9,7 @@ class ActionDispatch::IntegrationTest
     @user ||= begin
       user = User.create!(
         :username => 'usertest',
-        :email => 'user@test.com',
+        :email => options[:email] || 'user@test.com',
         :password => '123456',
         :password_confirmation => '123456',
         :created_at => Time.now.utc