Releasing 1.1.rc0 which is compatible with Rails 3.0.0.beta2. There is just one known bug with this new Rails version, which means we are close to a final Devise 'Rock Your Socks Off 1.1' version.

Signed-off-by: José Valim <jose.valim@gmail.com>

.bundle/config

@@ -0,0 +1,2 @@
+--- 
+BUNDLE_WITHOUT: ""

CHANGELOG.rdoc

@@ -3,11 +3,52 @@
 * enhancements
   * Rails 3 compatibility.
   * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions".
-  * You can specify the controller in routes and have specific controllers for each role.
+  * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise.
+  * Use metal for failure app.
+  * HTML e-mails now have proper formatting.
+  * Do not remove options from Datamapper and MongoMapper in find.
+  * Allow to give :skip and :controllers in routes.
+  * Move trackable logic to the model.
+  * E-mails now use any template available in the filesystem. Easy to create multipart e-mails.
+  * E-mails asks headers_for in the model to set the proper headers.
+  * Allow to specify haml in devise_views.
+  * Compatibility with Datamapper and Mongoid.
+  * Make config.devise available on config/application.rb.
+  * TokenAuthenticatable now works with HTTP Basic Auth.
+  * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself.
+  * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3.
+  * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure.
+
+* bug fix
+  * Do not allow unlockable strategies based on time to access a controller.
+  * Do not send unlockable email several times.
 
 * deprecations
   * Rails 3 compatible only.
   * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new".
+  * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead.
+  * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options.
+  * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure.
+
+== 1.0.5
+
+* bug fix
+  * Use prepend_before_filter in require_no_authentication.
+  * require_no_authentication on unlockable.
+  * Fix a bug when giving an association proxy to devise.
+  * Do not use lock! on lockable since it's part of ActiveRecord API.
+
+== 1.0.4
+
+* bug fix
+  * Fixed a bug when deleting an account with rememberable
+  * Fixed a bug with custom controllers
+
+== 1.0.3
+
+* enhancements
+  * HTML e-mails now have proper formatting
+  * Do not remove MongoMapper options in find
 
 == 1.0.2
 

Gemfile

@@ -1,7 +1,8 @@
 source "http://gemcutter.org"
 
-gem "rails", "3.0.0.beta"
-gem "warden", "0.9.3"
+# Need to install Rails from source
+gem "rails", "3.0.0.beta2"
+gem "warden", "0.10.3"
 gem "sqlite3-ruby", :require => "sqlite3"
 gem "webrat", "0.7"
 gem "mocha", :require => false
@@ -11,8 +12,16 @@ if RUBY_VERSION < '1.9'
   gem "ruby-debug", ">= 0.10.3"
 end
 
-group :mongo_mapper do
-  gem "mongo",        "0.18.3"
-  gem "mongo_ext",    "0.18.3", :require => false
-  gem "mongo_mapper", "0.7.0"
+group :mongoid do
+  gem "mongo",        ">= 0.18.3"
+  gem "mongo_ext",    ">= 0.18.3", :require => false
+  gem "mongoid", :git => "git://github.com/durran/mongoid.git"
+end
+
+group :data_mapper do
+  gem "do_sqlite3", '>= 0.10.1'
+  gem "dm-core", :git => "git://github.com/datamapper/dm-core.git"
+  gem "dm-validations", :git => "git://github.com/datamapper/dm-more.git"
+  gem "dm-timestamps", :git => "git://github.com/datamapper/dm-more.git"
+  gem "dm-rails", :git => "git://github.com/datamapper/dm-rails.git"
 end

README.rdoc

@@ -7,41 +7,38 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-Right now it's composed of 12 modules:
+Right now it's composed of 11 modules:
 
-* Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
-* Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as "single access token").
-* HttpAuthenticatable: sign in users using basic HTTP authentication.
-* Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
-* Recoverable: takes care of reseting the user password and send reset instructions.
+* Database Authenticatable: encrypts and stores a password in the database to validate the authenticity of an user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
+* Token Authenticatable: signs in an user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
+* Confirmable: sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
+* Recoverable: resets the user password and sends reset instructions.
 * Registerable: handles signing up users through a registration process.
-* Rememberable: manages generating and clearing token for remember the user from a saved cookie.
-* Trackable: tracks sign in count, timestamps and ip.
-* Timeoutable: expires sessions without activity in a certain period of time.
-* Validatable: creates all needed validations for email and password. It's totally optional, so you're able to to customize validations by yourself.
-* Lockable: takes care of locking an account based on the number of failed sign in attempts. Handles unlock via expire and email.
-* Activatable: if you need to activate accounts by other means, which are not through confirmation, use this module.
+* Rememberable: manages generating and clearing a token for remembering the user from a saved cookie.
+* Trackable: tracks sign in count, timestamps and IP address.
+* Timeoutable: expires sessions that have no activity in a specified period of time.
+* Validatable: provides validations of email and password. It's optional and can be customized, so you're able to define your own validations.
+* Lockable: locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period.
+* Activatable: use this module if you need to activate accounts by means other than confirmation.
 
-There's an example application using Devise at http://github.com/plataformatec/devise_example .
+== Examples
+
+* Example application using Devise at http://github.com/plataformatec/devise_example
+* Example Rails 2.3 web app combining subdomains with Devise at http://github.com/fortuity/subdomain-authentication
 
 == Dependencies
 
-Devise is based on Warden (http://github.com/hassox/warden), a Rack Authentication Framework so you need to install it as a gem. Please ensure you have it installed in order to use devise (see installation below).
+Devise is based on Warden (http://github.com/hassox/warden), a Rack Authentication Framework. You need to install Warden as a gem. Please ensure you have it installed in order to use Devise (see installation below).
 
 == Installation
 
-Devise master branch now supports Rails 3 and is NOT backward compatible. You can install it as:
+Devise master branch now supports Rails 3 and is NOT backward compatible. If you are using Rails 3.0.0 beta gem, you need to install devise as a gem:
 
-  sudo gem install devise --version=1.1.pre
+  sudo gem install devise --version=1.1.pre4
 
-After installing them, you need configure warden and devise gems inside your gemfile:
+However, if you are using Rails edge, from the git repository, you also need to use Devise from the git repository. After you install Devise and add it to your gemfile, you need to run the generator:
 
-  gem 'warden'
-  gem 'devise'
-
-And run the generator:
-
-	rails generate devise_install
+  rails generate devise_install
 
 And you're ready to go. The generator will install an initializer which describes ALL Devise's configuration options, so be sure to take a look at it and at the documentation as well:
 
@@ -51,7 +48,7 @@ And you're ready to go. The generator will install an initializer which describe
 
 If you want to use the Rails 2.3.x version, you should do:
 
-  sudo gem install devise --version=1.0.1
+  sudo gem install devise --version=1.0.4
 
 Or checkout from the v1.0 branch:
 
@@ -61,15 +58,15 @@ Or checkout from the v1.0 branch:
 
 This is a walkthrough with all steps you need to setup a devise resource, including model, migration, route files, and optional configuration. You MUST also check out the *Generators* section below to help you start.
 
-Devise must be set up within the model (or models) you want to use, and devise routes must be created inside your config/routes.rb file.
+Devise must be set up within the model (or models) you want to use. Devise routes must be created inside your config/routes.rb file.
 
-We're assuming here you want a User model with some modules, as outlined below:
+We're assuming here you want a User model with some Devise modules, as outlined below:
 
   class User < ActiveRecord::Base
     devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
   end
 
-After you choose which modules to use, you need to setup your migrations. Luckily, devise has some helpers to save you from this boring work:
+After you choose which modules to use, you need to set up your migrations. Luckily, Devise has some helpers to save you from this boring work:
 
   create_table :users do |t|
     t.authenticatable
@@ -80,53 +77,53 @@ After you choose which modules to use, you need to setup your migrations. Luckil
     t.timestamps
   end
 
-Remember that Devise don't rely on _attr_accessible_ or _attr_protected_ inside its modules, so be sure to setup what attributes are accessible or protected in your model.
+Devise doesn't use _attr_accessible_ or _attr_protected_ inside its modules, so be sure to define attributes as accessible or protected in your model.
 
-The next setup after setting up your model is to configure your routes. You do this by opening up your config/routes.rb and adding:
+Configure your routes after setting up your model. Open your config/routes.rb file and add:
 
   devise_for :users
 
-This is going to look inside you User model and create a set of needed routes (you can see them by running `rake routes`).
+This will use your User model to create a set of needed routes (you can see them by running `rake routes`).
 
-There are also some options available for configuring your routes, as :class_name (to set the class for that route), :path_prefix, :as and :path_names, where the last two have the same meaning as in common routes. The available :path_names are:
+Options for configuring your routes include :class_name (to set the class for that route), :path_prefix, :as and :path_names, where the last two have the same meaning as in common routes. The available :path_names are:
 
-  devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock' }
+  devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :sign_up => 'register', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock' }
 
-Be sure to check devise_for documentation for detailed description.
+Be sure to check devise_for documentation for details.
 
-After this steps, run your migrations, and you are ready to go! But don't finish reading, we still have a lot to tell you:
+After creating your models and routes, run your migrations, and you are ready to go! But don't stop reading here, we still have a lot to tell you:
 
 == Controller filters and helpers
 
-Devise is gonna create some helpers to use inside your controllers and views. To setup a controller that needs user authentication, just add this before_filter:
+Devise will create some helpers to use inside your controllers and views. To set up a controller with user authentication, just add this before_filter:
 
   before_filter :authenticate_user!
 
-To verify if a user is signed in, you have the following helper:
+To verify if a user is signed in, use the following helper:
 
   user_signed_in?
 
-And to get the current signed in user this helper is available:
+For the current signed-in user, this helper is available:
 
   current_user
 
-You have also access to the session for this scope:
+You can access the session for this scope:
 
   user_session
 
-After signing in a user, confirming it's account or updating it's password, devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
+After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
 
   root :to => "home"
 
-You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize better your redirect hooks.
+You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize your redirect hooks.
 
-Finally, you also need to setup default url options for the mailer in each environment. Here's is the configuration for config/environments/development.rb:
+Finally, you need to set up default url options for the mailer in each environment. Here is the configuration for config/environments/development.rb:
 
   config.action_mailer.default_url_options = { :host => 'localhost:3000' }
 
 == Tidying up
 
-Devise let's you setup as many roles as you want, so let's say you already have this User model and also want an Admin model with just authentication, trackable, lockable and timeoutable stuff and none of confirmation or password recovery. Just follow the same steps:
+Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication, trackable, lockable and timeoutable features and no confirmation or password-recovery features. Just follow these steps:
 
   # Create a migration with the required fields
   create_table :admins do |t|
@@ -151,35 +148,37 @@ Devise let's you setup as many roles as you want, so let's say you already have
 
 == Generators
 
-Devise comes with some generators to help you start:
+Devise has generators to help you get started:
 
   rails generate devise_install
 
-This will generate an initializer, with a description of all configuration values. You can also generate models through:
+This will generate an initializer, with a description of all configuration values.
+
+You can also generate models:
 
   rails generate devise Model
 
-A model configured with all devise modules and attr_accessible for default fields will be created. The generator will also create the migration and configure your routes for devise.
+This will create a model named "Model" configured with default Devise modules and attr_accessible set for default fields. The generator will also create the migration and configure your routes for Devise.
 
 == Model configuration
 
-The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in authenticatable simply doing:
+The devise method in your models also accepts some options to configure its modules. For example, you can choose which encryptor to use in authenticatable:
 
   devise :authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
 
-Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are described in the initializer created when you invoke the devise_install generator describer above.
+Besides :encryptor, you can define :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and other values. For details, see the initializer file that was created when you invoked the devise_install generator described above.
 
 == Configuring controllers and views
 
-One of Devise goals is to help you bootstrap your application with authentication really fast. Another goal is to not be in your way when you need to customize it.
+We built Devise to help you quickly develop an application that uses authentication. We don't want to be in your way when you need to customize it.
 
-Since devise is an engine, it has all default views inside the gem. They are good to get you started, but you will want to customize them at some point. And Devise has a generator to copy them all to your application:
+Since Devise is an engine, all its default views are packaged inside the gem. The default views will get you started but you may want to customize them. Devise has a generator to copy the default views to your application. After they've been copied to your application, you can make changes as required:
 
   rails generate devise_views
 
-If you have more than one role in your application, you will notice that Devise uses the same views for all roles you have. But what if you need so different views to each of them? Devise also has an easy way to accomplish it: just setup config.scoped_views to true inside "config/initializers/devise.rb".
+If you have more than one role in your application (such as "user" and "admin"), you will notice that Devise uses the same views for all roles. You may need different views for each role. Devise offers an easy way to customize views for each role. Just set config.scoped_views to "true" inside "config/initializers/devise.rb".
 
-After doing so you will be able to have views based on the scope like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will fallback to the default view at "devise/sessions/new".
+After doing so you will be able to have views based on the scope like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new".
 
 Finally, if the customization at the views level is not enough, you can customize each controller by following these steps:
 
@@ -192,13 +191,13 @@ Finally, if the customization at the views level is not enough, you can customiz
 
     devise_for :admins, :controllers => { :sessions = "admin/sessions" }
 
-  3) And finally, since we changed the controller, it won't use "devise/sessions" as views anymore, so remember to make a copy of "devise/sessions" to "admin/sessions".
+  3) And finally, since we changed the controller, it won't use the "devise/sessions" views, so remember to copy "devise/sessions" to "admin/sessions".
 
-Remember that Devise uses flash messages to let users know if sign in wass successful or not. Devise expects your application to call "flash[:notice]" and "flash[:alert]" as appropriate.
+Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call "flash[:notice]" and "flash[:alert]" as appropriate.
 
 == I18n
 
-Devise uses flash messages with I18n with the flash keys :success and :failure. To customize your app, you can setup your locale file this way:
+Devise uses flash messages with I18n with the flash keys :success and :failure. To customize your app, you can set up your locale file:
 
   en:
     devise:
@@ -215,7 +214,7 @@ You can also create distinct messages based on the resource you've configured us
         admin:
           signed_in: 'Hello admin!'
 
-Devise mailer uses the same pattern to create subject messages:
+The Devise mailer uses the same pattern to create subject messages:
 
   en:
     devise:
@@ -243,15 +242,15 @@ You can include the Devise Test Helpers in all of your tests by adding the follo
     include Devise::TestHelpers
   end
 
-Do not use such helpers for integration tests like Cucumber, Webrat... Just fill in the form or explicitly set the user in session. For more tips, check the wiki (http://wiki.github.com/plataformatec/devise).
+Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (http://wiki.github.com/plataformatec/devise).
 
 == Migrating from other solutions
 
-Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of it set the desired encryptor in the encryptor initializer config option. You might also need to rename your encrypted password and salt columns to match Devises's one (encrypted_password and password_salt).
+Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of these strategies, set the desired encryptor in the encryptor initializer config option. You might also need to rename your encrypted password and salt columns to match Devise's fields (encrypted_password and password_salt).
 
 == Other ORMs
 
-Devise supports both ActiveRecord (default) and MongoMapper, and has experimental Datamapper supports (in a sense that Devise test suite does not run completely with Datamapper). To choose other ORM, you just need to configure it in the initializer file.
+Devise supports ActiveRecord (by default) and Mongoid. We offer experimental Datamapper support (with the limitation that the Devise test suite does not run completely with Datamapper). To choose other ORM, you just need to configure it in the initializer file.
 
 == TODO
 
@@ -264,14 +263,30 @@ Please refer to TODO file.
 
 == Contributors
 
-We have a long running list of contributors. Check them in the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
+We have a long list of valued contributors. See the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
+
+== Devise extensions
+
+* http://github.com/scambra/devise_invitable adds support to Devise for sending invitations by email.
+
+* http://github.com/grimen/devise_facebook_connectable adds support for Facebook Connect authentication, and optionally fetching user info from Facebook in the same step.
+
+* http://github.com/joshk/devise_imapable adds support for imap based authentication, excellent for internal apps when an LDAP server isn't available.
 
 == Bugs and Feedback
 
-If you discover any bugs or want to drop a line, feel free to create an issue on
-GitHub or send an e-mail to the mailing list.
+If you discover any bugs, please create an issue on GitHub.
 
 http://github.com/plataformatec/devise/issues
+
+For support, send an e-mail to the mailing list.
+
 http://groups.google.com/group/plataformatec-devise
 
+See the wiki for additional documentation and support.
+
+http://wiki.github.com/plataformatec/devise/
+
+== License
+
 MIT License. Copyright 2009 Plataforma Tecnologia. http://blog.plataformatec.com.br

Rakefile

@@ -37,7 +37,7 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION
+    s.version = Devise::VERSION.dup
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"
@@ -45,7 +45,7 @@ begin
     s.authors = ['José Valim', 'Carlos Antônio']
     s.files =  FileList["[A-Z]*", "{app,config,lib}/**/*"]
     s.extra_rdoc_files = FileList["[A-Z]*"] - %w(Gemfile Rakefile)
-    s.add_dependency("warden", "~> 0.9.3")
+    s.add_dependency("warden", "~> 0.10.3")
   end
 
   Jeweler::GemcutterTasks.new

TODO

@@ -1,2 +1,3 @@
-* Make test run with DataMapper
 * Extract Activatable tests from Confirmable
+* Move integration tests to Capybara
+* Better ORM integration

app/controllers/devise/confirmations_controller.rb

@@ -21,7 +21,7 @@ class Devise::ConfirmationsController < ApplicationController
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
-    self.resource = resource_class.confirm!(:confirmation_token => params[:confirmation_token])
+    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :confirmed

app/controllers/devise/passwords_controller.rb

@@ -1,8 +1,7 @@
 class Devise::PasswordsController < ApplicationController
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication
-
   # GET /resource/password/new
   def new
     build_resource
@@ -30,7 +29,7 @@ class Devise::PasswordsController < ApplicationController
 
   # PUT /resource/password
   def update
-    self.resource = resource_class.reset_password!(params[resource_name])
+    self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
       set_flash_message :notice, :updated

app/controllers/devise/registrations_controller.rb

@@ -1,12 +1,11 @@
 class Devise::RegistrationsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-  before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
-
-  # GET /resource/sign_in
+  # GET /resource/sign_up
   def new
-    build_resource
+    build_resource({})
     render_with_scope :new
   end
 
@@ -15,10 +14,10 @@ class Devise::RegistrationsController < ApplicationController
     build_resource
 
     if resource.save
-      flash[:"#{resource_name}_signed_up"] = true
       set_flash_message :notice, :signed_up
       sign_in_and_redirect(resource_name, resource)
     else
+      clean_up_passwords(resource)
       render_with_scope :new
     end
   end
@@ -30,28 +29,29 @@ class Devise::RegistrationsController < ApplicationController
 
   # PUT /resource
   def update
-    if self.resource.update_with_password(params[resource_name])
+    if resource.update_with_password(params[resource_name])
       set_flash_message :notice, :updated
       redirect_to after_sign_in_path_for(self.resource)
     else
-      build_resource
-      send(:"current_#{resource_name}").reload
+      clean_up_passwords(resource)
       render_with_scope :edit
     end
   end
 
   # DELETE /resource
   def destroy
-    self.resource.destroy
+    resource.destroy
     set_flash_message :notice, :destroyed
     sign_out_and_redirect(self.resource)
   end
 
   protected
 
-    # Authenticates the current scope and dup the resource
+    # Authenticates the current scope and gets a copy of the current resource.
+    # We need to use a copy because we don't want actions like update changing
+    # the current user in place.
     def authenticate_scope!
       send(:"authenticate_#{resource_name}!")
-      self.resource = send(:"current_#{resource_name}")
+      self.resource = resource_class.find(send(:"current_#{resource_name}").id)
     end
-end
+end

app/controllers/devise/sessions_controller.rb

@@ -1,30 +1,18 @@
 class Devise::SessionsController < ApplicationController
+  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   include Devise::Controllers::InternalHelpers
 
-  before_filter :require_no_authentication, :only => [ :new, :create ]
-
   # GET /resource/sign_in
   def new
-    unless resource_just_signed_up?
-      Devise::FLASH_MESSAGES.each do |message|
-        set_now_flash_message :alert, message if params.try(:[], message) == "true"
-      end
-    end
-
-    build_resource
+    clean_up_passwords(build_resource)
     render_with_scope :new
   end
 
   # POST /resource/sign_in
   def create
-    if resource = authenticate(resource_name)
-      set_flash_message :notice, :signed_in
-      sign_in_and_redirect(resource_name, resource, true)
-    else
-      set_now_flash_message :alert, (warden.message || :invalid)
-      clean_up_passwords(build_resource)
-      render_with_scope :new
-    end
+    resource = warden.authenticate!(:scope => resource_name, :recall => "new")
+    set_flash_message :notice, :signed_in
+    sign_in_and_redirect(resource_name, resource)
   end
 
   # GET /resource/sign_out
@@ -32,14 +20,4 @@ class Devise::SessionsController < ApplicationController
     set_flash_message :notice, :signed_out if signed_in?(resource_name)
     sign_out_and_redirect(resource_name)
   end
-
-  protected
-
-  def resource_just_signed_up?
-    flash[:"#{resource_name}_signed_up"]
-  end
-
-  def clean_up_passwords(object)
-    object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
-  end
 end

app/controllers/devise/unlocks_controller.rb

@@ -1,4 +1,6 @@
 class Devise::UnlocksController < ApplicationController
+  prepend_before_filter :ensure_email_as_unlock_strategy
+  prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/unlock/new
@@ -21,7 +23,7 @@ class Devise::UnlocksController < ApplicationController
 
   # GET /resource/unlock?unlock_token=abcdef
   def show
-    self.resource = resource_class.unlock!(:unlock_token => params[:unlock_token])
+    self.resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :unlocked
@@ -30,4 +32,10 @@ class Devise::UnlocksController < ApplicationController
       render_with_scope :new
     end
   end
+
+  protected
+
+  def ensure_email_as_unlock_strategy
+    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
+  end
 end

app/models/devise/mailer.rb

@@ -19,21 +19,27 @@ class Devise::Mailer < ::ActionMailer::Base
 
     # Configure default email options
     def setup_mail(record, action)
-      @devise_mapping = Devise::Mapping.find_by_class(record.class)
+      @scope_name     = Devise::Mapping.find_scope!(record)
+      @devise_mapping = Devise.mappings[@scope_name]
+      @resource       = instance_variable_set("@#{@devise_mapping.name}", record)
 
-      raise "Invalid devise resource #{record}" unless @devise_mapping
-      @resource = instance_variable_set("@#{@devise_mapping.name}", record)
+      template_path = ["devise/mailer"]
+      template_path.unshift "#{@devise_mapping.as}/mailer" if self.class.scoped_views?
 
-      mail(:subject => translate(@devise_mapping, action),
-           :from => mailer_sender(@devise_mapping), :to => record.email) do |format|
-        format.html { render_with_scope(action, :controller => "mailer") }
-      end
+      headers = {
+        :subject => translate(@devise_mapping, action),
+        :from => mailer_sender(@devise_mapping),
+        :to => record.email,
+        :template_path => template_path
+      }
+
+      headers.merge!(record.headers_for(action)) if record.respond_to?(:headers_for)
+      mail(headers)
     end
 
     def mailer_sender(mapping)
       if Devise.mailer_sender.is_a?(Proc)
-        block_args = mapping.name if Devise.mailer_sender.arity > 0
-        Devise.mailer_sender.call(block_args)
+        Devise.mailer_sender.call(mapping.name)
       else
         Devise.mailer_sender
       end

app/views/devise/confirmations/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Resend confirmation instructions</h2>
 
-<% form_for resource_name, resource, :url => confirmation_path(resource_name) do |f| %>
+<%= form_for(resource_name, resource, :url => confirmation_path(resource_name)) do |f| %>
   <%= f.error_messages %>
 
   <p><%= f.label :email %></p>

app/views/devise/mailer/confirmation_instructions.html.erb

@@ -1,5 +1,5 @@
-Welcome <%= @resource.email %>!
+<p>Welcome <%= @resource.email %>!</p>
 
-You can confirm your account through the link below:
+<p>You can confirm your account through the link below:</p>
 
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

app/views/devise/mailer/reset_password_instructions.html.erb

@@ -1,8 +1,8 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Someone has requested a link to change your password, and you can do this through the link below.
+<p>Someone has requested a link to change your password, and you can do this through the link below.</p>
 
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
 
-If you didn't request this, please ignore this email.
-Your password won't change until you access the link above and create a new one.
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

app/views/devise/mailer/unlock_instructions.html.erb

@@ -1,7 +1,7 @@
-Hello <%= @resource.email %>!
+<p>Hello <%= @resource.email %>!</p>
 
-Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
 
-Click the link below to unlock your account:
+<p>Click the link below to unlock your account:</p>
 
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>

app/views/devise/passwords/edit.html.erb

@@ -1,6 +1,6 @@
 <h2>Change your password</h2>
 
-<% form_for resource_name, resource, :url => password_path(resource_name), :html => { :method => :put } do |f| %>
+<%= form_for(resource_name, resource, :url => password_path(resource_name), :html => { :method => :put }) do |f| %>
   <%= f.error_messages %>
   <%= f.hidden_field :reset_password_token %>
 

app/views/devise/passwords/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Forgot your password?</h2>
 
-<% form_for resource_name, resource, :url => password_path(resource_name) do |f| %>
+<%= form_for(resource_name, resource, :url => password_path(resource_name)) do |f| %>
   <%= f.error_messages %>
 
   <p><%= f.label :email %></p>

app/views/devise/registrations/edit.html.erb

@@ -1,6 +1,6 @@
 <h2>Edit <%= resource_name.to_s.humanize %></h2>
 
-<% form_for resource_name, resource, :url => registration_path(resource_name), :html => { :method => :put } do |f| -%>
+<%= form_for(resource_name, resource, :url => registration_path(resource_name), :html => { :method => :put }) do |f| %>
   <%= f.error_messages %>
 
   <p><%= f.label :email %></p>
@@ -16,7 +16,7 @@
   <p><%= f.password_field :current_password %></p>
 
   <p><%= f.submit "Update" %></p>
-<% end -%>
+<% end %>
 
 <h3>Cancel my account</h3>
 

app/views/devise/registrations/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Sign up</h2>
 
-<% form_for resource_name, resource, :url => registration_path(resource_name) do |f| -%>
+<%= form_for(resource_name, resource, :url => registration_path(resource_name)) do |f| %>
   <%= f.error_messages %>
   <p><%= f.label :email %></p>
   <p><%= f.text_field :email %></p>
@@ -12,6 +12,6 @@
   <p><%= f.password_field :password_confirmation %></p>
 
   <p><%= f.submit "Sign up" %></p>
-<% end -%>
+<% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/sessions/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Sign in</h2>
 
-<% form_for resource_name, resource, :url => session_path(resource_name) do |f| -%>
+<%= form_for(resource_name, resource, :url => session_path(resource_name)) do |f| %>
   <p><%= f.label :email %></p>
   <p><%= f.text_field :email %></p>
 
@@ -12,6 +12,6 @@
   <% end -%>
 
   <p><%= f.submit "Sign in" %></p>
-<% end -%>
+<% end %>
 
 <%= render :partial => "devise/shared/links" %>

app/views/devise/shared/_links.erb

@@ -1,19 +1,19 @@
 <%- if controller_name != 'sessions' %>
-  <%= link_to t('devise.sessions.link'), new_session_path(resource_name) %><br />
+  <%= link_to "Sign in", new_session_path(resource_name) %><br />
 <% end -%>
 
 <%- if devise_mapping.registerable? && controller_name != 'registrations' %>
-  <%= link_to t('devise.registrations.link'), new_registration_path(resource_name) %><br />
+  <%= link_to "Sign up", new_registration_path(resource_name) %><br />
 <% end -%>
 
 <%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
-  <%= link_to t('devise.passwords.link'), new_password_path(resource_name) %><br />
+  <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
 <% end -%>
 
 <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
-  <%= link_to t('devise.confirmations.link'), new_confirmation_path(resource_name) %><br />
+  <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
 <% end -%>
 
 <%- if devise_mapping.lockable? && controller_name != 'unlocks' %>
-  <%= link_to t('devise.unlocks.link'), new_unlock_path(resource_name) %><br />
+  <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
 <% end -%>

app/views/devise/unlocks/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Resend unlock instructions</h2>
 
-<% form_for resource_name, resource, :url => unlock_path(resource_name) do |f| %>
+<%= form_for(resource_name, resource, :url => unlock_path(resource_name)) do |f| %>
   <%= f.error_messages %>
 
   <p><%= f.label :email %></p>

config/locales/en.yml

@@ -6,10 +6,7 @@ en:
       not_locked: "was not locked"
 
   devise:
-    sessions:
-      link: 'Sign in'
-      signed_in: 'Signed in successfully.'
-      signed_out: 'Signed out successfully.'
+    failure:
       unauthenticated: 'You need to sign in or sign up before continuing.'
       unconfirmed: 'You have to confirm your account before continuing.'
       locked: 'Your account is locked.'
@@ -17,25 +14,23 @@ en:
       invalid_token: 'Invalid authentication token.'
       timeout: 'Your session expired, please sign in again to continue.'
       inactive: 'Your account was not activated yet.'
+    sessions:
+      signed_in: 'Signed in successfully.'
+      signed_out: 'Signed out successfully.'
     passwords:
-      link: 'Forgot password?'
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
     confirmations:
-      link: "Didn't receive confirmation instructions?"
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
       confirmed: 'Your account was successfully confirmed. You are now signed in.'
     registrations:
-      link: 'Sign up'
       signed_up: 'You have signed up successfully.'
       updated: 'You updated your account successfully.'
       destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
     unlocks:
-      link: "Didn't receive unlock instructions?"
       send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
       unlocked: 'Your account was successfully unlocked. You are now signed in.'
     mailer:
       confirmation_instructions: 'Confirmation instructions'
       reset_password_instructions: 'Reset password instructions'
       unlock_instructions: 'Unlock Instructions'
-

devise.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{devise}
-  s.version = "1.1.pre2"
+  s.version = "1.1.rc0"
 
   s.required_rubygems_version = Gem::Requirement.new("> 1.3.1") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jos\303\251 Valim", "Carlos Ant\303\264nio"]
-  s.date = %q{2010-02-18}
+  s.date = %q{2010-04-03}
   s.description = %q{Flexible authentication solution for Rails with Warden}
   s.email = %q{contact@plataformatec.com.br}
   s.extra_rdoc_files = [
@@ -65,7 +65,7 @@ Gem::Specification.new do |s|
      "lib/devise/models/activatable.rb",
      "lib/devise/models/authenticatable.rb",
      "lib/devise/models/confirmable.rb",
-     "lib/devise/models/http_authenticatable.rb",
+     "lib/devise/models/database_authenticatable.rb",
      "lib/devise/models/lockable.rb",
      "lib/devise/models/recoverable.rb",
      "lib/devise/models/registerable.rb",
@@ -74,16 +74,17 @@ Gem::Specification.new do |s|
      "lib/devise/models/token_authenticatable.rb",
      "lib/devise/models/trackable.rb",
      "lib/devise/models/validatable.rb",
+     "lib/devise/modules.rb",
      "lib/devise/orm/active_record.rb",
      "lib/devise/orm/data_mapper.rb",
-     "lib/devise/orm/mongo_mapper.rb",
+     "lib/devise/orm/mongoid.rb",
      "lib/devise/rails.rb",
      "lib/devise/rails/routes.rb",
      "lib/devise/rails/warden_compat.rb",
      "lib/devise/schema.rb",
      "lib/devise/strategies/authenticatable.rb",
      "lib/devise/strategies/base.rb",
-     "lib/devise/strategies/http_authenticatable.rb",
+     "lib/devise/strategies/database_authenticatable.rb",
      "lib/devise/strategies/rememberable.rb",
      "lib/devise/strategies/token_authenticatable.rb",
      "lib/devise/test_helpers.rb",
@@ -98,7 +99,7 @@ Gem::Specification.new do |s|
   s.homepage = %q{http://github.com/plataformatec/devise}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.3.6}
   s.summary = %q{Flexible authentication solution for Rails with Warden}
   s.test_files = [
     "test/controllers/helpers_test.rb",
@@ -107,8 +108,8 @@ Gem::Specification.new do |s|
      "test/devise_test.rb",
      "test/encryptors_test.rb",
      "test/failure_app_test.rb",
-     "test/integration/authenticatable_test.rb",
      "test/integration/confirmable_test.rb",
+     "test/integration/database_authenticatable_test.rb",
      "test/integration/http_authenticatable_test.rb",
      "test/integration/lockable_test.rb",
      "test/integration/recoverable_test.rb",
@@ -121,9 +122,8 @@ Gem::Specification.new do |s|
      "test/mailers/reset_password_instructions_test.rb",
      "test/mailers/unlock_instructions_test.rb",
      "test/mapping_test.rb",
-     "test/models/authenticatable_test.rb",
      "test/models/confirmable_test.rb",
-     "test/models/http_authenticatable_test.rb",
+     "test/models/database_authenticatable_test.rb",
      "test/models/lockable_test.rb",
      "test/models/recoverable_test.rb",
      "test/models/rememberable_test.rb",
@@ -133,7 +133,8 @@ Gem::Specification.new do |s|
      "test/models/validatable_test.rb",
      "test/models_test.rb",
      "test/orm/active_record.rb",
-     "test/orm/mongo_mapper.rb",
+     "test/orm/data_mapper.rb",
+     "test/orm/mongoid.rb",
      "test/rails_app/app/active_record/admin.rb",
      "test/rails_app/app/active_record/user.rb",
      "test/rails_app/app/controllers/admins_controller.rb",
@@ -141,9 +142,11 @@ Gem::Specification.new do |s|
      "test/rails_app/app/controllers/home_controller.rb",
      "test/rails_app/app/controllers/sessions_controller.rb",
      "test/rails_app/app/controllers/users_controller.rb",
+     "test/rails_app/app/data_mapper/admin.rb",
+     "test/rails_app/app/data_mapper/user.rb",
      "test/rails_app/app/helpers/application_helper.rb",
-     "test/rails_app/app/mongo_mapper/admin.rb",
-     "test/rails_app/app/mongo_mapper/user.rb",
+     "test/rails_app/app/mongoid/admin.rb",
+     "test/rails_app/app/mongoid/user.rb",
      "test/rails_app/config/application.rb",
      "test/rails_app/config/boot.rb",
      "test/rails_app/config/environment.rb",
@@ -151,11 +154,11 @@ Gem::Specification.new do |s|
      "test/rails_app/config/environments/production.rb",
      "test/rails_app/config/environments/test.rb",
      "test/rails_app/config/initializers/backtrace_silencers.rb",
-     "test/rails_app/config/initializers/cookie_verification_secret.rb",
      "test/rails_app/config/initializers/devise.rb",
      "test/rails_app/config/initializers/inflections.rb",
-     "test/rails_app/config/initializers/session_store.rb",
      "test/rails_app/config/routes.rb",
+     "test/rails_app/db/migrate/20100401102949_create_tables.rb",
+     "test/rails_app/db/schema.rb",
      "test/routes_test.rb",
      "test/support/assertions.rb",
      "test/support/helpers.rb",
@@ -171,12 +174,12 @@ Gem::Specification.new do |s|
     s.specification_version = 3
 
     if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<warden>, ["~> 0.9.3"])
+      s.add_runtime_dependency(%q<warden>, ["~> 0.10.3"])
     else
-      s.add_dependency(%q<warden>, ["~> 0.9.3"])
+      s.add_dependency(%q<warden>, ["~> 0.10.3"])
     end
   else
-    s.add_dependency(%q<warden>, ["~> 0.9.3"])
+    s.add_dependency(%q<warden>, ["~> 0.10.3"])
   end
 end
 

lib/devise.rb

@@ -1,6 +1,7 @@
+require 'active_support/core_ext/numeric/time'
+
 module Devise
   autoload :FailureApp, 'devise/failure_app'
-  autoload :Models, 'devise/models'
   autoload :Schema, 'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
@@ -21,45 +22,21 @@ module Devise
     autoload :Sha1, 'devise/encryptors/sha1'
   end
 
-  module Orm
-    autoload :ActiveRecord, 'devise/orm/active_record'
-    autoload :DataMapper, 'devise/orm/data_mapper'
-    autoload :MongoMapper, 'devise/orm/mongo_mapper'
+  module Strategies
+    autoload :Base, 'devise/strategies/base'
+    autoload :Authenticatable, 'devise/strategies/authenticatable'
   end
 
-  ALL = []
-
-  # Authentication ones first
-  ALL.push :authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
-
-  # Misc after
-  ALL.push :recoverable, :registerable, :validatable
-
-  # The ones which can sign out after
-  ALL.push :activatable, :confirmable, :lockable, :timeoutable
-
-  # Stats for last, so we make sure the user is really signed in
-  ALL.push :trackable
-
-  # Maps controller names to devise modules.
-  CONTROLLERS = {
-    :sessions => [:authenticatable, :token_authenticatable],
-    :passwords => [:recoverable],
-    :confirmations => [:confirmable],
-    :registrations => [:registerable],
-    :unlocks => [:lockable]
-  }
-
-  # Routes for generating url helpers.
-  ROUTES = [:session, :password, :confirmation, :registration, :unlock]
-
-  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable]
+  # Constants which holds devise configuration for extensions. Those should
+  # not be modified by the "end user".
+  ALL         = []
+  CONTROLLERS = ActiveSupport::OrderedHash.new
+  ROUTES      = ActiveSupport::OrderedHash.new
+  STRATEGIES  = ActiveSupport::OrderedHash.new
 
+  # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
-  # Maps the messages types that are used in flash message.
-  FLASH_MESSAGES = [:unauthenticated, :unconfirmed, :invalid, :invalid_token, :timeout, :inactive, :locked]
-
   # Declare encryptors length which are used in migrations.
   ENCRYPTORS_LENGTH = {
     :sha1   => 40,
@@ -70,9 +47,6 @@ module Devise
     :bcrypt => 60
   }
 
-  # Email regex used to validate email formats. Adapted from authlogic.
-  EMAIL_REGEX = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
-
   # Used to encrypt password. Please generate one with rake secret.
   mattr_accessor :pepper
   @@pepper = nil
@@ -85,6 +59,26 @@ module Devise
   mattr_accessor :authentication_keys
   @@authentication_keys = [ :email ]
 
+  # If http authentication is enabled by default.
+  mattr_accessor :http_authenticatable
+  @@http_authenticatable = true
+
+  # If params authenticatable is enabled by default.
+  mattr_accessor :params_authenticatable
+  @@params_authenticatable = true
+
+  # The realm used in Http Basic Authentication.
+  mattr_accessor :http_authentication_realm
+  @@http_authentication_realm = "Application"
+
+  # Email regex used to validate email formats. Adapted from authlogic.
+  mattr_accessor :email_regexp
+  @@email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
+  # Range validation for password length
+  mattr_accessor :password_length
+  @@password_length = 6..20
+
   # Time interval where the remember me token is valid.
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
@@ -105,16 +99,8 @@ module Devise
   mattr_accessor :mappings
   @@mappings = ActiveSupport::OrderedHash.new
 
-  # Stores the chosen ORM.
-  mattr_accessor :orm
-  @@orm = :active_record
-
-  # TODO Remove
-  mattr_accessor :all
-  @@all = []
-
   # Tells if devise should apply the schema in ORMs where devise declaration
-  # and schema belongs to the same class (as Datamapper and MongoMapper).
+  # and schema belongs to the same class (as Datamapper and Mongoid).
   mattr_accessor :apply_schema
   @@apply_schema = true
 
@@ -123,15 +109,20 @@ module Devise
   mattr_accessor :scoped_views
   @@scoped_views = false
 
-  # Number of authentication tries before locking an account
-  mattr_accessor :maximum_attempts
-  @@maximum_attempts = 20
+  # Defines which strategy can be used to lock an account.
+  # Values: :failed_attempts, :none
+  mattr_accessor :lock_strategy
+  @@lock_strategy = :failed_attempts
 
   # Defines which strategy can be used to unlock an account.
   # Values: :email, :time, :both
   mattr_accessor :unlock_strategy
   @@unlock_strategy = :both
 
+  # Number of authentication tries before locking an account
+  mattr_accessor :maximum_attempts
+  @@maximum_attempts = 20
+
   # Time interval to unlock the account if :time is defined as unlock_strategy.
   mattr_accessor :unlock_in
   @@unlock_in = 1.hour
@@ -152,103 +143,107 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
-  # The realm used in Http Basic Authentication
-  mattr_accessor :http_authentication_realm
-  @@http_authentication_realm = "Application"
+  # Private methods to interface with Warden.
+  mattr_accessor :warden_config
+  @@warden_config = nil
+  @@warden_config_block = nil
 
-  class << self
-    # Default way to setup Devise. Run script/generate devise_install to create
-    # a fresh initializer with all configuration values.
-    def setup
-      yield self
-    end
+  # Default way to setup Devise. Run rails generate devise_install to create
+  # a fresh initializer with all configuration values.
+  def self.setup
+    yield self
+  end
 
-    # Sets warden configuration using a block that will be invoked on warden
-    # initialization.
-    #
-    #  Devise.initialize do |config|
-    #    config.confirm_within = 2.days
-    #
-    #    config.warden do |manager|
-    #      # Configure warden to use other strategies, like oauth.
-    #      manager.oauth(:twitter)
-    #    end
-    #  end
-    def warden(&block)
-      @warden_config = block
-    end
+  # Register a model in Devise. You can call this manually if you don't want
+  # to use devise routes. Check devise_for in routes to know which options
+  # are available.
+  def self.register(resource, options)
+    mapping = Devise::Mapping.new(resource, options)
+    self.mappings[mapping.name] = mapping
+    self.default_scope ||= mapping.name
 
-    # Configure default url options to be used within Devise and ActionController.
-    def default_url_options(&block)
-      Devise::Mapping.metaclass.send :define_method, :default_url_options, &block
-    end
+    warden_config.default_scope ||= mapping.name
+    warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
+    mapping
+  end
 
-    # A method used internally to setup warden manager from the Rails initialize
-    # block.
-    def configure_warden(config) #:nodoc:
-      config.default_strategies *Devise::STRATEGIES
-      config.failure_app = Devise::FailureApp
-      config.silence_missing_strategies!
-      config.default_scope = Devise.default_scope
+  # Make Devise aware of an 3rd party Devise-module. For convenience.
+  #
+  # == Options:
+  #
+  #   +model+      - String representing the load path to a custom *model* for this module (to autoload.)
+  #   +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
+  #   +route+      - Symbol representing the named *route* helper for this module.
+  #   +flash+      - Symbol representing the *flash messages* used by this helper.
+  #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #
+  # All values, except :model, accept also a boolean and will have the same name as the given module
+  # name.
+  #
+  # == Examples:
+  #
+  #   Devise.add_module(:party_module)
+  #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
+  #   Devise.add_module(:party_module, :model => 'party_module/model')
+  #
+  def self.add_module(module_name, options = {})
+    ALL << module_name
+    options.assert_valid_keys(:strategy, :model, :controller, :route)
 
-      # If the user provided a warden hook, call it now.
-      @warden_config.try :call, config
-    end
+    config = {
+      :strategy => STRATEGIES,
+      :route => ROUTES,
+      :controller => CONTROLLERS
+    }
 
-    # The class of the configured ORM
-    def orm_class
-      Devise::Orm.const_get(@@orm.to_s.camelize.to_sym)
-    end
+    config.each do |key, value|
+      next unless options[key]
+      name = (options[key] == true ? module_name : options[key])
 
-    # Generate a friendly string randomically to be used as token.
-    def friendly_token
-      ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
-    end
-
-    # Make Devise aware of an 3rd party Devise-module. For convenience.
-    #
-    # == Options:
-    #
-    #   +strategy+    - Boolean value representing if this module got a custom *strategy*.
-    #                   Default is +false+. Note: Devise will auto-detect this in such case if this is true.
-    #   +model+       - String representing a load path to a custom *model* for this module (to autoload).
-    #                   Default is +nil+ (i.e. +false+).
-    #   +controller+  - Symbol representing a name of an exisiting or custom *controller* for this module.
-    #                   Default is +nil+ (i.e. +false+).
-    #
-    # == Examples:
-    #
-    #   Devise.add_module(:party_module)
-    #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
-    #   Devise.add_module(:party_module, :model => 'party_module/model')
-    #
-    def add_module(module_name, options = {})
-      Devise::ALL.unshift module_name        unless Devise::ALL.include?(module_name)
-      Devise::STRATEGIES.unshift module_name if options[:strategy] && !Devise::STRATEGIES.include?(module_name)
-
-      if options[:controller]
-        controller = options[:controller].to_sym
-        Devise::CONTROLLERS[controller] ||= []
-        Devise::CONTROLLERS[controller].unshift module_name unless Devise::CONTROLLERS[controller].include?(module_name)
+      if value.is_a?(Hash)
+        value[module_name] = name
+      else
+        value << name unless value.include?(name)
       end
-
-      if options[:model]
-        Devise::Models.module_eval do
-          autoload :"#{module_name.to_s.classify}", options[:model]
-        end
-      end
-
-      Devise::Mapping.register module_name
     end
+
+    if options[:model]
+      model_path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
+      Devise::Models.send(:autoload, module_name.to_s.camelize.to_sym, model_path)
+    end
+
+    Devise::Mapping.add_module module_name
+  end
+
+  # Sets warden configuration using a block that will be invoked on warden
+  # initialization.
+  #
+  #  Devise.initialize do |config|
+  #    config.confirm_within = 2.days
+  #
+  #    config.warden do |manager|
+  #      # Configure warden to use other strategies, like oauth.
+  #      manager.oauth(:twitter)
+  #    end
+  #  end
+  def self.warden(&block)
+    @@warden_config_block = block
+  end
+
+  # A method used internally to setup warden manager from the Rails initialize
+  # block.
+  def self.configure_warden! #:nodoc:
+    @@warden_config_block.try :call, Devise.warden_config
+  end
+
+  # Generate a friendly string randomically to be used as token.
+  def self.friendly_token
+    ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
   end
 end
 
-begin
-  require 'warden'
-rescue
-  gem 'warden'
-  require 'warden'
-end
-
+require 'warden'
 require 'devise/mapping'
+require 'devise/models'
+require 'devise/modules'
 require 'devise/rails'

lib/devise/controllers/helpers.rb

@@ -7,12 +7,6 @@ module Devise
       included do
         helper_method :warden, :signed_in?, :devise_controller?,
                       *Devise.mappings.keys.map { |m| [:"current_#{m}", :"#{m}_signed_in?"] }.flatten
-
-        # Use devise default_url_options. We have to declare it here to overwrite
-        # default definitions.
-        def default_url_options(options=nil)
-          Devise::Mapping.default_url_options
-        end
       end
 
       # The main accessor for the warden proxy instance
@@ -29,18 +23,6 @@ module Devise
         false
       end
 
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # but does not redirect in case of failures.
-      def authenticate(scope)
-        warden.authenticate(:scope => scope)
-      end
-
-      # Attempts to authenticate the given scope by running authentication hooks,
-      # redirecting in case of failures.
-      def authenticate!(scope)
-        warden.authenticate!(:scope => scope)
-      end
-
       # Check if the given scope is signed in session, without running
       # authentication hooks.
       def signed_in?(scope)
@@ -85,7 +67,7 @@ module Devise
       #
       def stored_location_for(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        session.delete(:"#{scope}.return_to")
+        session.delete(:"#{scope}_return_to")
       end
 
       # The default url to be used after signing in. This is used by all Devise
@@ -135,10 +117,10 @@ module Devise
       #
       # If just a symbol is given, consider that the user was already signed in
       # through other means and just perform the redirection.
-      def sign_in_and_redirect(resource_or_scope, resource=nil, skip=false)
+      def sign_in_and_redirect(resource_or_scope, resource=nil)
         scope      = Devise::Mapping.find_scope!(resource_or_scope)
         resource ||= resource_or_scope
-        sign_in(scope, resource) unless skip
+        sign_in(scope, resource) unless warden.user(scope) == resource
         redirect_to stored_location_for(scope) || after_sign_in_path_for(resource)
       end
 
@@ -156,9 +138,9 @@ module Devise
       # access that specific controller/action.
       # Example:
       #
-      #   Maps:
-      #     User => :authenticatable
-      #     Admin => :authenticatable
+      #   Roles:
+      #     User
+      #     Admin
       #
       #   Generated methods:
       #     authenticate_user!  # Signs user in or redirect

lib/devise/controllers/internal_helpers.rb

@@ -8,13 +8,14 @@ module Devise
       include Devise::Controllers::ScopedViews
 
       included do
-        helpers = [:resource, :scope_name, :resource_name,
-                  :resource_class, :devise_mapping, :devise_controller?]
+        unloadable
 
+        helpers = %w(resource scope_name resource_name
+                     resource_class devise_mapping devise_controller?)
         hide_action *helpers
         helper_method *helpers
 
-        before_filter :is_devise_resource?
+        prepend_before_filter :is_devise_resource?
         skip_before_filter *Devise.mappings.keys.map { |m| :"authenticate_#{m}!" }
       end
 
@@ -52,7 +53,8 @@ module Devise
 
       # Checks whether it's a devise mapped resource or not.
       def is_devise_resource? #:nodoc:
-        raise ActionController::UnknownAction unless devise_mapping && devise_mapping.allows?(controller_name)
+        raise ActionController::UnknownAction unless devise_mapping &&
+          devise_mapping.allowed_controllers.include?(controller_path)
       end
 
       # Sets the resource creating an instance variable
@@ -61,8 +63,9 @@ module Devise
       end
 
       # Build a devise resource.
-      def build_resource
-        self.resource = resource_class.new(params[resource_name] || {})
+      def build_resource(hash=nil)
+        hash ||= params[resource_name] || {}
+        self.resource = resource_class.new(hash)
       end
 
       # Helper for use in before_filters where no authentication is required.
@@ -87,17 +90,14 @@ module Devise
       #
       # Please refer to README or en.yml locale file to check what messages are
       # available.
-      def set_flash_message(key, kind, now=false)
-        flash_hash = now ? flash.now : flash
-        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
+      def set_flash_message(key, kind)
+        flash[key] = I18n.t(:"#{resource_name}.#{kind}", :resource_name => resource_name,
                             :scope => [:devise, controller_name.to_sym], :default => kind)
       end
 
-      # Shortcut to set flash.now message. Same rules applied from set_flash_message
-      def set_now_flash_message(key, kind)
-        set_flash_message(key, kind, true)
+      def clean_up_passwords(object)
+        object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
       end
-
     end
   end
 end

lib/devise/controllers/scoped_views.rb

@@ -4,7 +4,7 @@ module Devise
       extend ActiveSupport::Concern
 
       module ClassMethods
-        def scoped_views
+        def scoped_views?
           defined?(@scoped_views) ? @scoped_views : Devise.scoped_views
         end
 
@@ -20,7 +20,7 @@ module Devise
       def render_with_scope(action, options={})
         controller_name = options.delete(:controller) || self.controller_name
 
-        if self.class.scoped_views
+        if self.class.scoped_views?
           begin
             render :template => "#{devise_mapping.as}/#{controller_name}/#{action}"
           rescue ActionView::MissingTemplate

lib/devise/controllers/url_helpers.rb

@@ -19,7 +19,7 @@ module Devise
     # Those helpers are added to your ApplicationController.
     module UrlHelpers
 
-      Devise::ROUTES.each do |module_name|
+      Devise::ROUTES.values.uniq.each do |module_name|
         [:path, :url].each do |path_or_url|
           actions = [ nil, :new_ ]
           actions << :edit_    if [:password, :registration].include?(module_name)

lib/devise/failure_app.rb

@@ -1,65 +1,102 @@
+require "action_controller/metal"
+
 module Devise
   # Failure application that will be called every time :warden is thrown from
   # any strategy or hook. Responsible for redirect the user to the sign in
   # page based on current scope and mapping. If no scope is given, redirect
   # to the default_url.
-  class FailureApp
-    attr_reader :env
-    include Warden::Mixins::Common
+  class FailureApp < ActionController::Metal
+    include ActionController::RackDelegation
+    include ActionController::UrlFor
+    include ActionController::Redirecting
 
-    cattr_accessor :default_url, :default_message, :instance_writer => false
-    @@default_message = :unauthenticated
+    delegate :flash, :to => :request
 
     def self.call(env)
-      new(env).respond!
+      action(:respond).call(env)
     end
 
-    def initialize(env)
-      @env = env
+    def self.default_url_options(*args)
+      ApplicationController.default_url_options(*args)
     end
 
-    def respond!
-      options = @env['warden.options']
-      scope   = options[:scope]
-
-      redirect_path = if mapping = Devise.mappings[scope]
-        "#{mapping.parsed_path}/#{mapping.path_names[:sign_in]}"
+    def respond
+      if http_auth?
+        http_auth
+      elsif warden_options[:recall]
+        recall
       else
-        "/#{default_url}"
+        redirect
       end
-      query_string = query_string_for(options)
-      store_location!(scope)
-
-      headers = {}
-      headers["Location"] = redirect_path
-      headers["Location"] << "?" << query_string unless query_string.empty?
-      headers["Content-Type"] = 'text/plain'
-
-      [302, headers, ["You are being redirected to #{redirect_path}"]]
     end
 
-    # Build the proper query string based on the given message.
-    def query_string_for(options)
-      message = @env['warden'].try(:message) || options[:message] || default_message
+    def http_auth
+      self.status = 401
+      self.headers["WWW-Authenticate"] = %(Basic realm=#{Devise.http_authentication_realm.inspect})
+      self.content_type = request.format.to_s
+      self.response_body = http_auth_body
+    end
 
-      params = case message
-        when Symbol
-          { message => true }
-        when String
-          { :message => message }
-        else
-          {}
+    def recall
+      env["PATH_INFO"]  = attempted_path
+      flash.now[:alert] = i18n_message(:invalid)
+      self.response = recall_controller.action(warden_options[:recall]).call(env)
+    end
+
+    def redirect
+      store_location!
+      flash[:alert] = i18n_message unless flash[:notice]
+      redirect_to send(:"new_#{scope}_session_path")
+    end
+
+  protected
+
+    def i18n_message(default = nil)
+      message = warden.message || warden_options[:message] || default || :unauthenticated
+
+      if message.is_a?(Symbol)
+        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
+               :scope => "devise.failure", :default => [message, message.to_s])
+      else
+        message.to_s
       end
+    end
 
-      Rack::Utils.build_query(params)
+    def http_auth?
+      request.authorization
+    end
+
+    def http_auth_body
+      method = :"to_#{request.format.to_sym}"
+      {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
+    end
+
+    def recall_controller
+      "#{params[:controller].camelize}Controller".constantize
+    end
+
+    def warden
+      env['warden']
+    end
+
+    def warden_options
+      env['warden.options']
+    end
+
+    def scope
+      @scope ||= warden_options[:scope]
+    end
+
+    def attempted_path
+      warden_options[:attempted_path]
     end
 
     # Stores requested uri to redirect the user after signing in. We cannot use
     # scoped session provided by warden here, since the user is not authenticated
     # yet, but we still need to store the uri based on scope, so different scopes
     # would never use the same uri to redirect.
-    def store_location!(scope)
-      session[:"#{scope}.return_to"] = request.request_uri if request && request.get?
+    def store_location!
+      session[:"#{scope}_return_to"] = attempted_path if request && request.get?
     end
   end
 end

lib/devise/hooks/activatable.rb

@@ -3,13 +3,25 @@ Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active?) && !record.active?
     scope = options[:scope]
     warden.logout(scope)
+    throw :warden, :scope => scope, :message => record.inactive_message
+  end
+end
 
-    # If winning strategy was set, this is being called after authenticate and
-    # there is no need to force a redirect.
-    if warden.winning_strategy
-      warden.winning_strategy.fail!(record.inactive_message)
-    else
-      throw :warden, :scope => scope, :message => record.inactive_message
+module Devise
+  module Hooks
+    # Overwrite Devise base strategy to only authenticate an user if it's active.
+    # If you have an strategy that does not use Devise::Strategy::Base, don't worry
+    # because the hook above will still avoid it to authenticate.
+    module Activatable
+      def success!(resource)
+        if resource.respond_to?(:active?) && !resource.active?
+          fail!(resource.inactive_message)
+        else
+          super
+        end
+      end
     end
   end
 end
+
+Devise::Strategies::Base.send :include, Devise::Hooks::Activatable

lib/devise/hooks/rememberable.rb

@@ -1,30 +1,41 @@
-# After authenticate hook to verify if the user in the given scope asked to be
-# remembered while he does not sign out. Generates a new remember token for
-# that specific user and adds a cookie with this user info to sign in this user
-# automatically without asking for credentials. Refer to rememberable strategy
-# for more info.
-Warden::Manager.prepend_after_authentication do |record, warden, options|
-  scope = options[:scope]
-  remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
-
-  if Devise::TRUE_VALUES.include?(remember_me) &&
-     warden.authenticated?(scope) && record.respond_to?(:remember_me!)
-    record.remember_me!
-
-    warden.response.set_cookie "remember_#{scope}_token", {
-      :value => record.class.serialize_into_cookie(record),
-      :expires => record.remember_expires_at,
-      :path => "/"
-    }
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is frozen.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, scope|
+  if record.respond_to?(:forget_me!)
+    record.forget_me! unless record.frozen?
+    warden.cookies.delete "remember_#{scope}_token"
   end
 end
 
-# Before logout hook to forget the user in the given scope, only if rememberable
-# is activated for this scope. Also clear remember token to ensure the user
-# won't be remembered again.
-Warden::Manager.before_logout do |record, warden, scope|
-  if record.respond_to?(:forget_me!)
-    record.forget_me!
-    warden.response.delete_cookie "remember_#{scope}_token"
+module Devise
+  module Hooks
+    # Overwrite success! in authentication strategies allowing users to be remembered.
+    # We choose to implement this as an strategy hook instead of a Devise hook to avoid users
+    # giving a remember_me access in strategies that should not create remember me tokens.
+    module Rememberable #:nodoc:
+      def success!(resource)
+        super
+
+        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
+          resource.remember_me!
+
+          cookies.signed["remember_#{scope}_token"] = {
+            :value => resource.class.serialize_into_cookie(resource),
+            :expires => resource.remember_expires_at,
+            :path => "/"
+          }
+        end
+      end
+
+      protected
+
+      def remember_me?
+        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+    end
   end
-end
+end
+
+Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable

lib/devise/hooks/timeoutable.rb

@@ -1,4 +1,4 @@
-# Each time a record is set we check whether it's session has already timed out
+# Each time a record is set we check whether its session has already timed out
 # or not, based on last request time. If so, the record is logged out and
 # redirected to the sign in page. Also, each time the request comes and the
 # record is set, we set the last request time inside it's scoped session to

lib/devise/hooks/trackable.rb

@@ -1,18 +1,9 @@
 # After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
 Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
-  scope = options[:scope]
-  if Devise.mappings[scope].try(:trackable?) && warden.authenticated?(scope)
-    old_current, new_current  = record.current_sign_in_at, Time.now
-    record.last_sign_in_at    = old_current || new_current
-    record.current_sign_in_at = new_current
-
-    old_current, new_current  = record.current_sign_in_ip, warden.request.remote_ip
-    record.last_sign_in_ip    = old_current || new_current
-    record.current_sign_in_ip = new_current
-
-    record.sign_in_count ||= 0
-    record.sign_in_count += 1
-
-    record.save(:validate => false)
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope])
+    record.update_tracked_fields!(warden.request)
   end
 end

lib/devise/mapping.rb

@@ -18,11 +18,11 @@ module Devise
   #   mapping.to   #=> User
   #   # is the class to be loaded from routes, given in the route as :class_name.
   #
-  #   mapping.for  #=> [:authenticatable]
+  #   mapping.modules  #=> [:authenticatable]
   #   # is the modules included in the class
   #
   class Mapping #:nodoc:
-    attr_reader :name, :as, :path_names, :path_prefix
+    attr_reader :name, :as, :controllers, :path_names, :path_prefix
 
     # Loop through all mappings looking for a map that matches with the requested
     # path (ie /users/sign_in). If a path prefix is given, it's taken into account.
@@ -34,31 +34,19 @@ module Devise
       nil
     end
 
-    # Find a mapping by a given class. It takes into account single table inheritance as well.
-    def self.find_by_class(klass)
-      Devise.mappings.each_value do |mapping|
-        return mapping if klass <= mapping.to
-      end
-      nil
-    end
-
     # Receives an object and find a scope for it. If a scope cannot be found,
     # raises an error. If a symbol is given, it's considered to be the scope.
     def self.find_scope!(duck)
       case duck
       when String, Symbol
-        duck
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
       else
-        klass = duck.is_a?(Class) ? duck : duck.class
-        mapping = Devise::Mapping.find_by_class(klass)
-        raise "Could not find a valid mapping for #{duck}" unless mapping
-        mapping.name
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
       end
-    end
 
-    # Default url options which can be used as prefix.
-    def self.default_url_options
-      {}
+      raise "Could not find a valid mapping for #{duck}"
     end
 
     def initialize(name, options) #:nodoc:
@@ -67,15 +55,20 @@ module Devise
       @name  = (options.delete(:scope) || name.to_s.singularize).to_sym
 
       @path_prefix = "/#{options.delete(:path_prefix)}/".squeeze("/")
+
+      @controllers = Hash.new { |h,k| h[k] = "devise/#{k}" }
+      @controllers.merge!(options.delete(:controllers) || {})
+
       @path_names  = Hash.new { |h,k| h[k] = k.to_s }
       @path_names.merge!(options.delete(:path_names) || {})
     end
 
     # Return modules for the mapping.
-    def for
-      @for ||= to.devise_modules
+    def modules
+      @modules ||= to.devise_modules
     end
 
+    # Gives the class the mapping points to.
     # Reload mapped class each time when cache_classes is false.
     def to
       return @to if @to
@@ -84,9 +77,22 @@ module Devise
       klass
     end
 
-    # Check if the respective controller has a module in the mapping class.
-    def allows?(controller)
-      (self.for & CONTROLLERS[controller.to_sym]).present?
+    def strategies
+      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
+    end
+
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
+    end
+
+    # Keep a list of allowed controllers for this mapping. It's useful to ensure
+    # that an Admin cannot access the registrations controller unless it has
+    # :registerable in the model.
+    def allowed_controllers
+      @allowed_controllers ||= begin
+        canonical = CONTROLLERS.values_at(*self.modules).compact
+        @controllers.values_at(*canonical)
+      end
     end
 
     # Return in which position in the path prefix devise should find the as mapping.
@@ -95,35 +101,27 @@ module Devise
     end
 
     # Returns the raw path using path_prefix and as.
-    def raw_path
+    def path
       path_prefix + as.to_s
     end
 
-    # Returns the parsed path taking into account the relative url root and raw path.
-    def parsed_path
-      returning (ActionController::Base.relative_url_root.to_s + raw_path) do |path|
-        self.class.default_url_options.each do |key, value|
-          path.gsub!(key.inspect, value.to_param)
-        end
-      end
+    def authenticatable?
+      @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
     end
 
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #
     #   def confirmable?
-    #     self.for.include?(:confirmable)
+    #     self.modules.include?(:confirmable)
     #   end
     #
-    def self.register(*modules)
-      modules.each do |m|
-        class_eval <<-METHOD, __FILE__, __LINE__ + 1
-          def #{m}?
-            self.for.include?(:#{m})
-          end
-        METHOD
-      end
+    def self.add_module(m)
+      class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        def #{m}?
+          self.modules.include?(:#{m})
+        end
+      METHOD
     end
-    Devise::Mapping.register *ALL
   end
 end

lib/devise/models.rb

@@ -1,16 +1,5 @@
 module Devise
   module Models
-    autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable'
-    autoload :Confirmable, 'devise/models/confirmable'
-    autoload :Lockable, 'devise/models/lockable'
-    autoload :Recoverable, 'devise/models/recoverable'
-    autoload :Rememberable, 'devise/models/rememberable'
-    autoload :Registerable, 'devise/models/registerable'
-    autoload :Timeoutable, 'devise/models/timeoutable'
-    autoload :Trackable, 'devise/models/trackable'
-    autoload :Validatable, 'devise/models/validatable'
-
     # Creates configuration values for Devise and for the given module.
     #
     #   Devise::Models.config(Devise::Authenticable, :stretches, 10)
@@ -49,7 +38,7 @@ module Devise
 
     # Include the chosen devise modules in your model:
     #
-    #   devise :authenticatable, :confirmable, :recoverable
+    #   devise :database_authenticatable, :confirmable, :recoverable
     #
     # You can also give any of the devise configuration values in form of a hash,
     # with specific values for this model. Please check your Devise initializer
@@ -57,15 +46,21 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-      options  = modules.extract_options!
+      options = modules.extract_options!
+
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
+
+      if modules.delete(:http_authenticatable)
+        ActiveSupport::Deprecation.warn ":http_authenticatable as module is deprecated and is on by default. Revert by setting :http_authenticatable => false.", caller
+      end
 
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 
-      Devise.orm_class.included_modules_hook(self) do
-        devise_modules.each do |m|
-          include Devise::Models.const_get(m.to_s.classify)
-        end
-
+      devise_modules_hook! do
+        @devise_modules.each { |m| include Devise::Models.const_get(m.to_s.classify) }
         options.each { |key, value| send(:"#{key}=", value) }
       end
     end
@@ -76,6 +71,12 @@ module Devise
       @devise_modules ||= []
     end
 
+    # The hook which is called inside devise. So your ORM can include devise
+    # compatibility stuff.
+    def devise_modules_hook!
+      yield
+    end
+
     # Find an initialize a record setting an error if it can't be found.
     def find_or_initialize_with_error_by(attribute, value, error=:invalid)
       if value.present?

lib/devise/models/authenticatable.rb

@@ -1,118 +1,42 @@
-require 'devise/strategies/authenticatable'
-
 module Devise
   module Models
-    # Authenticable Module, responsible for encrypting password and validating
-    # authenticity of a user while signing in.
+    # Authenticable module. Holds common settings for authentication.
     #
     # Configuration:
     #
     # You can overwrite configuration values by setting in globally in Devise,
     # using devise method or overwriting the respective instance method.
     #
-    #   pepper: encryption key used for creating encrypted password. Each time
-    #           password changes, it's gonna be encrypted again, and this key
-    #           is added to the password and salt to create a secure hash.
-    #           Always use `rake secret' to generate a new key.
+    #   authentication_keys: parameters used for authentication. By default [:email].
     #
-    #   stretches: defines how many times the password will be encrypted.
+    #   http_authenticatable: if this model allows http authentication. By default true.
+    #   It also accepts an array specifying the strategies that should allow http.
     #
-    #   encryptor: the encryptor going to be used. By default :sha1.
-    #
-    #   authentication_keys: parameters used for authentication. By default [:email]
-    #
-    # Examples:
-    #
-    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
-    #    User.find(1).valid_password?('password123')         # returns true/false
+    #   params_authenticatable: if this model allows authentication through request params. By default true.
+    #   It also accepts an array specifying the strategies that should allow params authentication.
     #
     module Authenticatable
       extend ActiveSupport::Concern
 
-      included do
-        attr_reader :password, :current_password
-        attr_accessor :password_confirmation
+      # Yields the given block. This method is overwritten by other modules to provide
+      # hooks around authentication.
+      def valid_for_authentication?
+        yield
       end
 
-      # Regenerates password salt and encrypted password each time password is set,
-      # and then trigger any "after_changed_password"-callbacks.
-      def password=(new_password)
-        @password = new_password
-
-        if @password.present?
-          self.password_salt = self.class.encryptor_class.salt
-          self.encrypted_password = password_digest(@password)
-        end
-      end
-
-      # Verifies whether an incoming_password (ie from sign in) is the user password.
-      def valid_password?(incoming_password)
-        password_digest(incoming_password) == self.encrypted_password
-      end
-
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token == self.authentication_token
-      end
-
-      # Checks if a resource is valid upon authentication.
-      def valid_for_authentication?(attributes)
-        valid_password?(attributes[:password])
-      end
-
-      # Set password and password confirmation to nil
-      def clean_up_passwords
-        self.password = self.password_confirmation = nil
-      end
-
-      # Update record attributes when :current_password matches, otherwise returns
-      # error on :current_password. It also automatically rejects :password and
-      # :password_confirmation if they are blank.
-      def update_with_password(params={})
-        current_password = params.delete(:current_password)
-
-        params.delete(:password)              if params[:password].blank?
-        params.delete(:password_confirmation) if params[:password_confirmation].blank?
-
-        result = if valid_password?(current_password)
-          update_attributes(params)
-        else
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
-          self.attributes = params
-          false
-        end
-
-        clean_up_passwords unless result
-        result
-      end
-
-      protected
-
-        # Digests the password using the configured encryptor.
-        def password_digest(password)
-          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
-        end
-
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
+        Devise::Models.config(self, :authentication_keys, :http_authenticatable, :params_authenticatable)
 
-        # Authenticate a user based on configured attribute keys. Returns the
-        # authenticated user if it's valid or nil.
-        def authenticate(attributes={})
-          return unless authentication_keys.all? { |k| attributes[k].present? }
-          conditions = attributes.slice(*authentication_keys)
-          resource = find_for_authentication(conditions)
-          resource if resource.try(:valid_for_authentication?, attributes)
+        def params_authenticatable?(strategy)
+          params_authenticatable.is_a?(Array) ?
+            params_authenticatable.include?(strategy) : params_authenticatable
         end
 
-        # Returns the class for the configured encryptor.
-        def encryptor_class
-          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+        def http_authenticatable?(strategy)
+          http_authenticatable.is_a?(Array) ?
+            http_authenticatable.include?(strategy) : http_authenticatable
         end
 
-      protected
-
         # Find first record based on conditions given (ie by the sign in form).
         # Overwrite to add customized conditions, create a join, or maybe use a
         # namedscope to filter records while authenticating.
@@ -120,7 +44,7 @@ module Devise
         #
         #   def self.find_for_authentication(conditions={})
         #     conditions[:active] = true
-        #     find(:first, :conditions => conditions)
+        #     super
         #   end
         #
         def find_for_authentication(conditions)
@@ -129,4 +53,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/models/confirmable.rb

@@ -49,7 +49,7 @@ module Devise
 
       # Verifies whether a user is confirmed or not
       def confirmed?
-        !new_record? && !confirmed_at.nil?
+        persisted? && !confirmed_at.nil?
       end
 
       # Send confirmation instructions by email
@@ -57,15 +57,9 @@ module Devise
         ::Devise::Mailer.confirmation_instructions(self).deliver
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
-      def resend_confirmation!
-        unless_confirmed do
-          generate_confirmation_token
-          save(:validate => false)
-          send_confirmation_instructions
-        end
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation
@@ -78,11 +72,7 @@ module Devise
 
       # The message to be shown if the account is inactive.
       def inactive_message
-        if !confirmed?
-          :unconfirmed
-        else
-          super
-        end
+        !confirmed? ? :unconfirmed : super
       end
 
       # If you don't want confirmation to be sent on create, neither a code
@@ -137,7 +127,7 @@ module Devise
         # this token is being generated
         def generate_confirmation_token
           self.confirmed_at = nil
-          self.confirmation_token = Devise.friendly_token
+          self.confirmation_token = self.class.confirmation_token
           self.confirmation_sent_at = Time.now.utc
         end
 
@@ -148,7 +138,7 @@ module Devise
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
           confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable.resend_confirmation_token if confirmable.persisted?
           confirmable
         end
 
@@ -156,12 +146,16 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
-        def confirm!(attributes={})
-          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
-          confirmable.confirm! unless confirmable.new_record?
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          confirmable.confirm! if confirmable.persisted?
           confirmable
         end
 
+        def confirmation_token
+          Devise.friendly_token
+        end
+
         Devise::Models.config(self, :confirm_within)
       end
     end

lib/devise/models/database_authenticatable.rb

@@ -0,0 +1,99 @@
+require 'devise/models/authenticatable'
+require 'devise/strategies/database_authenticatable'
+
+module Devise
+  module Models
+    # Authenticable Module, responsible for encrypting password and validating
+    # authenticity of a user while signing in.
+    #
+    # Configuration:
+    #
+    # You can overwrite configuration values by setting in globally in Devise,
+    # using devise method or overwriting the respective instance method.
+    #
+    #   pepper: encryption key used for creating encrypted password. Each time
+    #           password changes, it's gonna be encrypted again, and this key
+    #           is added to the password and salt to create a secure hash.
+    #           Always use `rake secret' to generate a new key.
+    #
+    #   stretches: defines how many times the password will be encrypted.
+    #
+    #   encryptor: the encryptor going to be used. By default :sha1.
+    #
+    # Examples:
+    #
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module DatabaseAuthenticatable
+      extend  ActiveSupport::Concern
+      include Devise::Models::Authenticatable
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      # Regenerates password salt and encrypted password each time password is set,
+      # and then trigger any "after_changed_password"-callbacks.
+      def password=(new_password)
+        @password = new_password
+
+        if @password.present?
+          self.password_salt = self.class.encryptor_class.salt
+          self.encrypted_password = password_digest(@password)
+        end
+      end
+
+      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      def valid_password?(incoming_password)
+        password_digest(incoming_password) == self.encrypted_password
+      end
+
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
+      def update_with_password(params={})
+        current_password = params.delete(:current_password)
+
+        params.delete(:password)              if params[:password].blank?
+        params.delete(:password_confirmation) if params[:password_confirmation].blank?
+
+        result = if valid_password?(current_password)
+          update_attributes(params)
+        else
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          self.attributes = params
+          false
+        end
+
+        clean_up_passwords
+        result
+      end
+
+    protected
+
+      # Digests the password using the configured encryptor.
+      def password_digest(password)
+        self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches, :encryptor)
+
+        # Returns the class for the configured encryptor.
+        def encryptor_class
+          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+        end
+
+        def find_for_database_authentication(*args)
+          find_for_authentication(*args)
+        end
+      end
+    end
+  end
+end

lib/devise/models/http_authenticatable.rb

@@ -1,19 +0,0 @@
-require 'devise/strategies/http_authenticatable'
-
-module Devise
-  module Models
-    # Adds HttpAuthenticatable behavior to your model. It expects that your
-    # model class responds to authenticate and authentication_keys methods
-    # (which for example are defined in authenticatable).
-    module HttpAuthenticatable
-      extend ActiveSupport::Concern
-
-      module ClassMethods
-        # Authenticate an user using http.
-        def authenticate_with_http(username, password)
-          authenticate(authentication_keys.first => username, :password => password)
-        end
-      end
-    end
-  end
-end

lib/devise/models/lockable.rb

@@ -13,41 +13,41 @@ module Devise
     # Configuration:
     #
     #   maximum_attempts: how many attempts should be accepted before blocking the user.
-    #   unlock_strategy: unlock the user account by :time, :email or :both.
+    #   lock_strategy: lock the user account by :failed_attempts or :none.
+    #   unlock_strategy: unlock the user account by :time, :email, :both or :none.
     #   unlock_in: the time you want to lock the user after to lock happens. Only
     #              available when unlock_strategy is :time or :both.
     #
     module Lockable
-      extend ActiveSupport::Concern
+      extend  ActiveSupport::Concern
       include Devise::Models::Activatable
 
+      delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
+
       # Lock an user setting it's locked_at to actual time.
-      def lock
+      def lock_access!
         self.locked_at = Time.now
+
         if unlock_strategy_enabled?(:email)
           generate_unlock_token
           send_unlock_instructions
         end
-      end
 
-      # Lock an user also saving the record.
-      def lock!
-        lock
         save(:validate => false)
       end
 
       # Unlock an user by cleaning locket_at and failed_attempts.
-      def unlock!
-        if_locked do
+      def unlock_access!
+        if_access_locked do
           self.locked_at = nil
-          self.failed_attempts = 0
-          self.unlock_token = nil
+          self.failed_attempts = 0 if respond_to?(:failed_attempts=)
+          self.unlock_token = nil  if respond_to?(:unlock_token=)
           save(:validate => false)
         end
       end
 
       # Verifies whether a user is locked or not.
-      def locked?
+      def access_locked?
         locked_at && !lock_expired?
       end
 
@@ -57,49 +57,54 @@ module Devise
       end
 
       # Resend the unlock instructions if the user is locked.
-      def resend_unlock!
-        if_locked do
-          generate_unlock_token unless unlock_token.present?
-          save(:validate => false)
-          send_unlock_instructions
-        end
+      def resend_unlock_token
+        if_access_locked { send_unlock_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
       # by verifying whether an user is active to sign in or not based on locked?
       def active?
-        super && !locked?
+        super && !access_locked?
       end
 
       # Overwrites invalid_message from Devise::Models::Authenticatable to define
       # the correct reason for blocking the sign in.
       def inactive_message
-        if locked?
-          :locked
-        else
-          super
-        end
+        access_locked? ? :locked : super
       end
 
       # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
       # for verifying whether an user is allowed to sign in or not. If the user
       # is locked, it should never be allowed.
-      def valid_for_authentication?(attributes)
+      def valid_for_authentication?
+        return :locked if access_locked?
+        return super   unless persisted?
+        return super   unless lock_strategy_enabled?(:failed_attempts)
+
         if result = super
           self.failed_attempts = 0
         else
           self.failed_attempts += 1
-          lock if failed_attempts > self.class.maximum_attempts
+
+          if attempts_exceeded?
+            lock_access!
+            return :locked
+          end
         end
+
         save(:validate => false) if changed?
         result
       end
 
       protected
 
+        def attempts_exceeded?
+          self.failed_attempts > self.class.maximum_attempts
+        end
+
         # Generates unlock token
         def generate_unlock_token
-          self.unlock_token = Devise.friendly_token
+          self.unlock_token = self.class.unlock_token
         end
 
         # Tells if the lock is expired if :time unlock strategy is active
@@ -113,8 +118,8 @@ module Devise
 
         # Checks whether the record is locked or not, yielding to the block
         # if it's locked, otherwise adds an error to email.
-        def if_locked
-          if locked?
+        def if_access_locked
+          if access_locked?
             yield
           else
             self.errors.add(:email, :not_locked)
@@ -122,11 +127,6 @@ module Devise
           end
         end
 
-        # Is the unlock enabled for the given unlock strategy?
-        def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.class.unlock_strategy)
-        end
-
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
@@ -134,7 +134,7 @@ module Devise
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
          lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-         lockable.resend_unlock! unless lockable.new_record?
+         lockable.resend_unlock_token if lockable.persisted?
          lockable
         end
 
@@ -142,13 +142,27 @@ module Devise
         # If no user is found, returns a new user with an error.
         # If the user is not locked, creates an error for the user
         # Options must have the unlock_token
-        def unlock!(attributes={})
-          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
-          lockable.unlock! unless lockable.new_record?
+        def unlock_access_by_token(unlock_token)
+          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          lockable.unlock_access! if lockable.persisted?
           lockable
         end
 
-        Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
+        # Is the lock enabled for the given lock strategy?
+        def lock_strategy_enabled?(strategy)
+          self.lock_strategy == strategy
+        end
+
+        def unlock_token
+          Devise.friendly_token
+        end
+
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in)
       end
     end
   end

lib/devise/models/recoverable.rb

@@ -56,7 +56,7 @@ module Devise
         # Attributes must contain the user email
         def send_reset_password_instructions(attributes={})
           recoverable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
-          recoverable.send_reset_password_instructions unless recoverable.new_record?
+          recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
         end
 
@@ -65,9 +65,9 @@ module Devise
         # try saving the record. If not user is found, returns a new user
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
-        def reset_password!(attributes={})
+        def reset_password_by_token(attributes={})
           recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
-          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) unless recoverable.new_record?
+          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) if recoverable.persisted?
           recoverable
         end
       end

lib/devise/models/rememberable.rb

@@ -54,11 +54,6 @@ module Devise
         end
       end
 
-      # Checks whether the incoming token matches or not with the record token.
-      def valid_remember_token?(token)
-        remember_token && !remember_expired? && remember_token == token
-      end
-
       # Remember token should be expired if expiration time not overpass now.
       def remember_expired?
         remember_expires_at <= Time.now.utc
@@ -72,14 +67,14 @@ module Devise
       module ClassMethods
         # Create the cookie key using the record id and remember_token
         def serialize_into_cookie(record)
-          "#{record.id}::#{record.remember_token}"
+          [record.id, record.remember_token]
         end
 
         # Recreate the user based on the stored cookie
-        def serialize_from_cookie(cookie)
-          record_id, record_token = cookie.split('::')
-          record = find(:first, :conditions => { :id => record_id }) if record_id
-          record if record.try(:valid_remember_token?, record_token)
+        def serialize_from_cookie(id, remember_token)
+          conditions = { :id => id, :remember_token => remember_token }
+          record = find(:first, :conditions => conditions)
+          record if record && !record.remember_expired?
         end
 
         Devise::Models.config(self, :remember_for)

lib/devise/models/token_authenticatable.rb

@@ -18,7 +18,8 @@ module Devise
     #    User.find(1).valid_authentication_token?('rI1t6PKQ8yP7VetgwdybB')  # returns true/false
     #
     module TokenAuthenticatable
-      extend ActiveSupport::Concern
+      extend  ActiveSupport::Concern
+      include Devise::Models::Authenticatable
 
       included do
         before_save :ensure_authentication_token
@@ -45,43 +46,35 @@ module Devise
         self.reset_authentication_token! if self.authentication_token.blank?
       end
 
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token.present? && incoming_auth_token == self.authentication_token
-      end
-
       module ClassMethods
         ::Devise::Models.config(self, :token_authentication_key)
 
         # Authenticate a user based on authentication token.
         def authenticate_with_token(attributes)
           token = attributes[self.token_authentication_key]
-          resource = self.find_for_token_authentication(token)
-          resource if resource.try(:valid_authentication_token?, token)
+          self.find_for_token_authentication(token)
         end
 
         def authentication_token
           ::Devise.friendly_token
         end
 
-        protected
-
-          # Find first record based on conditions given (ie by the sign in form).
-          # Overwrite to add customized conditions, create a join, or maybe use a
-          # namedscope to filter records while authenticating.
-          #
-          # == Example:
-          #
-          #   def self.find_for_token_authentication(token, conditions = {})
-          #     conditions = {:active => true}
-          #     self.find_by_authentication_token(token, :conditions => conditions)
-          #   end
-          #
-          def find_for_token_authentication(token)
-            self.find(:first, :conditions => { :authentication_token => token})
-          end
+      protected
 
+        # Find first record based on conditions given (ie by the sign in form).
+        # Overwrite to add customized conditions, create a join, or maybe use a
+        # namedscope to filter records while authenticating.
+        #
+        # == Example:
+        #
+        #   def self.find_for_token_authentication(token, conditions = {})
+        #     conditions = {:active => true}
+        #     super
+        #   end
+        #
+        def find_for_token_authentication(token)
+          self.find(:first, :conditions => { :authentication_token => token})
+        end
       end
     end
   end

lib/devise/models/trackable.rb

@@ -11,6 +11,20 @@ module Devise
     # * last_sign_in_at    - Holds the remote ip of the previous sign in
     #
     module Trackable
+      def update_tracked_fields!(request)
+        old_current, new_current = self.current_sign_in_at, Time.now
+        self.last_sign_in_at     = old_current || new_current
+        self.current_sign_in_at  = new_current
+
+        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        self.last_sign_in_ip     = old_current || new_current
+        self.current_sign_in_ip  = new_current
+
+        self.sign_in_count ||= 0
+        self.sign_in_count += 1
+
+        save(:validate => false)
+      end
     end
   end
 end

lib/devise/models/validatable.rb

@@ -11,17 +11,18 @@ module Devise
                       :validates_confirmation_of, :validates_length_of ].freeze
 
       def self.included(base)
+        base.extend ClassMethods
         assert_validations_api!(base)
 
         base.class_eval do
           validates_presence_of   :email
           validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :allow_blank => true
-          validates_format_of     :email, :with  => EMAIL_REGEX, :allow_blank => true
+          validates_format_of     :email, :with  => email_regexp, :allow_blank => true
 
           with_options :if => :password_required? do |v|
             v.validates_presence_of     :password
             v.validates_confirmation_of :password
-            v.validates_length_of       :password, :within => 6..20, :allow_blank => true
+            v.validates_length_of       :password, :within => password_length, :allow_blank => true
           end
         end
       end
@@ -35,14 +36,18 @@ module Devise
         end
       end
 
-      protected
+    protected
 
-        # Checks whether a password is needed or not. For validations only.
-        # Passwords are always required if it's a new record, or if the password
-        # or confirmation are being set somewhere.
-        def password_required?
-          new_record? || !password.nil? || !password_confirmation.nil?
-        end
+      # Checks whether a password is needed or not. For validations only.
+      # Passwords are always required if it's a new record, or if the password
+      # or confirmation are being set somewhere.
+      def password_required?
+        !persisted? || !password.nil? || !password_confirmation.nil?
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :email_regexp, :password_length)
+      end
     end
   end
 end

lib/devise/modules.rb

@@ -0,0 +1,24 @@
+require 'active_support/core_ext/object/with_options'
+
+Devise.with_options :model => true do |d|
+  # Strategies first
+  d.with_options :strategy => true do |s|      
+    s.add_module :database_authenticatable, :controller => :sessions, :route => :session
+    s.add_module :token_authenticatable,    :controller => :sessions, :route => :session
+    s.add_module :rememberable
+  end
+
+  # Misc after   
+  d.add_module :recoverable,  :controller => :passwords,     :route => :password
+  d.add_module :registerable, :controller => :registrations, :route => :registration
+  d.add_module :validatable
+
+  # The ones which can sign out after
+  d.add_module :activatable
+  d.add_module :confirmable,  :controller => :confirmations, :route => :confirmation
+  d.add_module :lockable,     :controller => :unlocks,       :route => :unlock
+  d.add_module :timeoutable
+
+  # Stats for last, so we make sure the user is really signed in
+  d.add_module :trackable
+end

lib/devise/orm/active_record.rb

@@ -3,7 +3,7 @@ module Devise
     # This module contains some helpers and handle schema (migrations):
     #
     #   create_table :accounts do |t|
-    #     t.authenticatable
+    #     t.database_authenticatable
     #     t.confirmable
     #     t.recoverable
     #     t.rememberable
@@ -19,16 +19,13 @@ module Devise
     #   add_index "accounts", ["reset_password_token"], :name => "reset_password_token", :unique => true
     #
     module ActiveRecord
-      # Required ORM hook. Just yield the given block in ActiveRecord.
-      def self.included_modules_hook(klass)
-        yield
-      end
+      module Schema
+        include Devise::Schema
 
-      include Devise::Schema
-
-      # Tell how to apply schema methods.
-      def apply_schema(name, type, options={})
-        column name, type.to_s.downcase.to_sym, options
+        # Tell how to apply schema methods.
+        def apply_schema(name, type, options={})
+          column name, type.to_s.downcase.to_sym, options
+        end
       end
     end
   end
@@ -36,6 +33,6 @@ end
 
 if defined?(ActiveRecord)
   ActiveRecord::Base.extend Devise::Models
-  ActiveRecord::ConnectionAdapters::Table.send :include, Devise::Orm::ActiveRecord
-  ActiveRecord::ConnectionAdapters::TableDefinition.send :include, Devise::Orm::ActiveRecord
+  ActiveRecord::ConnectionAdapters::Table.send :include, Devise::Orm::ActiveRecord::Schema
+  ActiveRecord::ConnectionAdapters::TableDefinition.send :include, Devise::Orm::ActiveRecord::Schema
 end

lib/devise/orm/data_mapper.rb

@@ -1,83 +1,99 @@
 module Devise
   module Orm
     module DataMapper
-      module InstanceMethods
-        def save(flag=nil)
-          if flag == false
+      module Hook
+        def devise_modules_hook!
+          extend Schema
+          include Compatibility
+          yield
+          return unless Devise.apply_schema
+          devise_modules.each { |m| send(m) if respond_to?(m, true) }
+        end
+      end
+
+      module Schema
+        include Devise::Schema
+
+        SCHEMA_OPTIONS = {
+          :null  => :required,
+          :limit => :length
+        }
+
+        # Tell how to apply schema methods. This automatically maps :limit to
+        # :length and :null to :required.
+        def apply_schema(name, type, options={})
+          SCHEMA_OPTIONS.each do |old_key, new_key|
+            next unless options.key?(old_key)
+            options[new_key] = options.delete(old_key)
+          end
+
+          options.delete(:default) if options[:default].nil?
+          property name, type, options
+        end
+      end
+
+      module Compatibility
+        extend ActiveSupport::Concern
+
+        module ClassMethods
+          # Hooks for confirmable
+          def before_create(*args)
+            wrap_hook(:before, :create, *args)
+          end
+
+          def after_create(*args)
+            wrap_hook(:after, :create, *args)
+          end
+          
+          def before_save(*args)
+            wrap_hook(:before, :save, *args)
+          end
+
+          def wrap_hook(action, method, *args)
+            options = args.extract_options!
+
+            args.each do |callback|
+              send action, method, callback
+              class_eval <<-METHOD, __FILE__, __LINE__ + 1
+                def #{callback}
+                  super if #{options[:if] || true}
+                end
+              METHOD
+            end
+          end
+
+          # Add ActiveRecord like finder
+          def find(*args)
+            case args.first
+            when :first, :all
+              send(args.shift, *args)
+            else
+              get(*args)
+            end
+          end
+        end
+        
+        def changed?
+          dirty?
+        end
+
+        def save(options=nil)
+          if options.is_a?(Hash) && options[:validate] == false
             save!
           else
             super()
           end
         end
-      end
-
-      def self.included_modules_hook(klass)
-        klass.send :extend,  self
-        klass.send :include, InstanceMethods
-
-        yield
-
-        klass.devise_modules.each do |mod|
-          klass.send(mod) if klass.respond_to?(mod)
+        
+        def update_attributes(*args)
+          update(*args)
         end
       end
-
-      include Devise::Schema
-
-      SCHEMA_OPTIONS = {
-        :null  => :nullable,
-        :limit => :length
-      }
-
-      # Hooks for confirmable
-      def before_create(*args)
-        wrap_hook(:before, *args)
-      end
-
-      def after_create(*args)
-        wrap_hook(:after, *args)
-      end
-
-      def wrap_hook(action, *args)
-        options = args.extract_options!
-
-        args.each do |callback|
-          send action, :create, callback
-          class_eval <<-METHOD, __FILE__, __LINE__ + 1
-            def #{callback}
-              super if #{options[:if] || true}
-            end
-          METHOD
-        end
-      end
-
-      # Add ActiveRecord like finder
-      def find(*args)
-        options = args.extract_options!
-        case args.first
-          when :first
-            first(options)
-          when :all
-            all(options)
-          else
-            get(*args)
-        end
-      end
-
-      # Tell how to apply schema methods. This automatically maps :limit to
-      # :length and :null to :nullable.
-      def apply_schema(name, type, options={})
-        return unless Devise.apply_schema
-
-        SCHEMA_OPTIONS.each do |old_key, new_key|
-          next unless options.key?(old_key)
-          options[new_key] = options.delete(old_key)
-        end
-
-        property name, type, options
-      end
     end
   end
 end
 
-DataMapper::Model.send(:include, Devise::Models)
+DataMapper::Model.class_eval do
+  include Devise::Models
+  include Devise::Orm::DataMapper::Hook
+end

lib/devise/orm/mongo_mapper.rb

@@ -1,39 +0,0 @@
-module Devise
-  module Orm
-    module MongoMapper
-      def self.included_modules_hook(klass)
-        klass.send :extend, self
-        yield
-
-        klass.devise_modules.each do |mod|
-          klass.send(mod) if klass.respond_to?(mod)
-        end
-      end
-      
-      def find(*args)
-        options = args.extract_options!
-        case args.first
-          when :first
-            first(options)
-          when :all
-            all(options)
-          else
-            super
-        end
-      end
-      
-      include Devise::Schema
-
-      # Tell how to apply schema methods. This automatically converts DateTime
-      # to Time, since MongoMapper does not recognize the former.
-      def apply_schema(name, type, options={})
-        return unless Devise.apply_schema
-        type = Time if type == DateTime
-        key name, type, options
-      end
-    end
-  end
-end
-
-MongoMapper::Document::ClassMethods.send(:include, Devise::Models)
-MongoMapper::EmbeddedDocument::ClassMethods.send(:include, Devise::Models)

lib/devise/orm/mongoid.rb

@@ -0,0 +1,40 @@
+module Devise
+  module Orm
+    module Mongoid
+      module Hook
+        def devise_modules_hook!
+          extend Schema
+          include ::Mongoid::Timestamps
+          include Compatibility
+          yield
+          return unless Devise.apply_schema
+          devise_modules.each { |m| send(m) if respond_to?(m, true) }
+        end
+      end
+      
+      module Schema
+        include Devise::Schema
+
+        # Tell how to apply schema methods
+        def apply_schema(name, type, options={})
+          type = Time if type == DateTime
+          field name, { :type => type }.merge(options)
+        end
+      end
+      
+      module Compatibility
+        def save(validate = true)
+          if validate.is_a?(Hash) && validate.has_key?(:validate)
+            validate = validate[:validate]
+          end
+          super(validate)
+        end
+      end
+    end
+  end
+end
+
+Mongoid::Document::ClassMethods.class_eval do
+  include Devise::Models
+  include Devise::Orm::Mongoid::Hook
+end

lib/devise/rails.rb

@@ -3,14 +3,33 @@ require 'devise/rails/warden_compat'
 
 module Devise
   class Engine < ::Rails::Engine
-    engine_name :devise
+    config.devise = Devise
 
-    config.middleware.use Warden::Manager do |config|
-      Devise.configure_warden(config)
+    initializer "devise.add_middleware" do |app|
+      app.config.middleware.use Warden::Manager do |config|
+        Devise.warden_config = config
+        config.failure_app   = Devise::FailureApp
+        config.default_scope = Devise.default_scope
+      end
     end
 
-    initializer "devise.load_orm" do
-      require "devise/orm/#{Devise.orm}"
+    initializer "devise.add_url_helpers" do |app|
+      Devise::FailureApp.send :include, app.routes.url_helpers
+    end
+
+    config.after_initialize do
+      I18n.available_locales
+      flash = [:unauthenticated, :unconfirmed, :invalid, :invalid_token, :timeout, :inactive, :locked]
+
+      I18n.backend.send(:translations).each do |locale, translations|
+        keys = flash & (translations[:devise][:sessions].keys) rescue []
+
+        if keys.any?
+          ActiveSupport::Deprecation.warn "The following I18n messages in 'devise.sessions' " <<
+            "for locale '#{locale}' are deprecated: #{keys.to_sentence}. Please move them to " <<
+            "'devise.failure' instead."
+        end
+      end
     end
   end
 end

lib/devise/rails/routes.rb

@@ -4,11 +4,9 @@ module ActionDispatch::Routing
     # need devise_for mappings already declared to create filters and helpers.
     def finalize_with_devise!
       finalize_without_devise!
-      return if Devise.mappings.empty?
-
+      Devise.configure_warden!
       ActionController::Base.send :include, Devise::Controllers::Helpers
       ActionController::Base.send :include, Devise::Controllers::UrlHelpers
-
       ActionView::Base.send :include, Devise::Controllers::UrlHelpers
     end
     alias_method_chain :finalize!, :devise
@@ -69,11 +67,13 @@ module ActionDispatch::Routing
     #
     #    devise_for :users, :path_prefix => "/:locale"
     #
-    #  If you are using a dynamic prefix, like :locale above, you need to configure default_url_options through Devise.
-    #  You can do that in config/initializers/devise.rb or setting a Devise.default_url_options:
+    #  If you are using a dynamic prefix, like :locale above, you need to configure default_url_options in your ApplicationController
+    #  class level, so Devise can pick it:
     #
-    #    Devise.default_url_options do
-    #      { :locale => I18n.locale }
+    #    class ApplicationController < ActionController::Base
+    #      def self.default_url_options
+    #        { :locale => I18n.locale }
+    #      end
     #    end
     #
     #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
@@ -81,56 +81,63 @@ module ActionDispatch::Routing
     #
     #    devise_for :users, :controllers => { :sessions => "users/sessions" }
     #
+    #  * :skip => tell which controller you want to skip routes from being created:
+    #
+    #    devise_for :users, :skip => :sessions
+    #
     def devise_for(*resources)
       options = resources.extract_options!
       resources.map!(&:to_sym)
 
-      controllers = Hash.new { |h,k| h[k] = "devise/#{k}" }
-      controllers.merge!(options.delete(:controllers) || {})
-
       resources.each do |resource|
-        mapping = Devise::Mapping.new(resource, options.dup)
+        mapping = Devise.register(resource, options)
 
-        Devise.default_scope ||= mapping.name
-        Devise.mappings[mapping.name] = mapping
+        unless mapping.to.respond_to?(:devise)
+          raise "#{mapping.to.name} does not respond to 'devise' method. This usually means you haven't " <<
+            "loaded your ORM file or it's being loaded too late. To fix it, be sure to require 'devise/orm/YOUR_ORM' " <<
+            "inside 'config/initializers/devise.rb' or before your application definition in 'config/application.rb'"
+        end
 
-        mapping.for.each do |mod|
-          send(mod, mapping, controllers) if self.respond_to?(mod, true)
+        routes  = mapping.routes
+        routes -= Array(options.delete(:skip)).map { |s| s.to_s.singularize.to_sym }
+
+        routes.each do |mod|
+          send(:"devise_#{mod}", mapping, mapping.controllers)
         end
       end
     end
 
     protected
 
-      def authenticatable(mapping, controllers)
-        scope mapping.raw_path do
+      def devise_session(mapping, controllers)
+        scope mapping.path do
           get  mapping.path_names[:sign_in],  :to => "#{controllers[:sessions]}#new",     :as => :"new_#{mapping.name}_session"
           post mapping.path_names[:sign_in],  :to => "#{controllers[:sessions]}#create",  :as => :"#{mapping.name}_session"
           get  mapping.path_names[:sign_out], :to => "#{controllers[:sessions]}#destroy", :as => :"destroy_#{mapping.name}_session"
         end
       end
  
-      def recoverable(mapping, controllers)
-        scope mapping.raw_path, :name_prefix => mapping.name do
+      def devise_password(mapping, controllers)
+        scope mapping.path, :name_prefix => mapping.name do
           resource :password, :only => [:new, :create, :edit, :update], :as => mapping.path_names[:password], :controller => controllers[:passwords]
         end
       end
  
-      def confirmable(mapping, controllers)
-        scope mapping.raw_path, :name_prefix => mapping.name do
+      def devise_confirmation(mapping, controllers)
+        scope mapping.path, :name_prefix => mapping.name do
           resource :confirmation, :only => [:new, :create, :show], :as => mapping.path_names[:confirmation], :controller => controllers[:confirmations]
         end
       end
  
-      def lockable(mapping, controllers)
-        scope mapping.raw_path, :name_prefix => mapping.name do
+      def devise_unlock(mapping, controllers)
+        scope mapping.path, :name_prefix => mapping.name do
           resource :unlock, :only => [:new, :create, :show], :as => mapping.path_names[:unlock], :controller => controllers[:unlocks]
         end
       end
 
-      def registerable(mapping, controllers)
-        scope :name_prefix => mapping.name do
-          resource :registration, :only => [:new, :create, :edit, :update, :destroy], :as => mapping.raw_path[1..-1],
+      def devise_registration(mapping, controllers)
+        scope mapping.path[1..-1], :name_prefix => "#{mapping.name}_registration" do
+          resource :registration, :only => [:new, :create, :edit, :update, :destroy], :as => "",
                    :path_names => { :new => mapping.path_names[:sign_up] }, :controller => controllers[:registrations]
         end
       end

lib/devise/rails/warden_compat.rb

@@ -8,8 +8,8 @@ module Warden::Mixins::Common
     raw_session.clear
   end
 
-  def response
-    @response ||= env['action_controller.instance'].response
+  def cookies
+    request.cookie_jar
   end
 end
 

lib/devise/schema.rb

@@ -3,58 +3,86 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
+    def authenticatable(*args)
+      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
+      database_authenticatable(*args)
+    end
+
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :encryptor - The encryptor going to be used, necessary for setting the proper encrypter password length.
-    def authenticatable(options={})
-      null       = options[:null] || false
-      encryptor  = options[:encryptor] || (respond_to?(:encryptor) ? self.encryptor : :sha1)
+    # * :default - Should be set to "" when :null is false.
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options[:default] || ""
 
-      apply_schema :email,              String, :null => null
-      apply_schema :encrypted_password, String, :null => null, :limit => Devise::ENCRYPTORS_LENGTH[encryptor]
-      apply_schema :password_salt,      String, :null => null
-    end
+      if options.delete(:encryptor)
+        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
+      end
+
+      apply_schema :email,              String, :null => null, :default => default
+      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
+      apply_schema :password_salt,      String, :null => null, :default => default
+    end      
 
     # Creates authentication_token.
-    def token_authenticatable
-      apply_schema :authentication_token, String, :limit => 20
+    def token_authenticatable(options={})
+      apply_schema :authentication_token, String
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
     def confirmable
-      apply_schema :confirmation_token,   String, :limit => 20
+      apply_schema :confirmation_token,   String
       apply_schema :confirmed_at,         DateTime
       apply_schema :confirmation_sent_at, DateTime
     end
 
     # Creates reset_password_token.
     def recoverable
-      apply_schema :reset_password_token, String, :limit => 20
+      apply_schema :reset_password_token, String
     end
 
     # Creates remember_token and remember_created_at.
     def rememberable
-      apply_schema :remember_token,      String, :limit => 20
+      apply_schema :remember_token,      String
       apply_schema :remember_created_at, DateTime
     end
 
     # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
     # current_sign_in_ip, last_sign_in_ip.
     def trackable
-      apply_schema :sign_in_count,      Integer
+      apply_schema :sign_in_count,      Integer, :default => 0
       apply_schema :current_sign_in_at, DateTime
       apply_schema :last_sign_in_at,    DateTime
       apply_schema :current_sign_in_ip, String
       apply_schema :last_sign_in_ip,    String
     end
 
-    # Creates failed_attempts, unlock_token and locked_at
-    def lockable
-      apply_schema :failed_attempts, Integer, :default => 0
-      apply_schema :unlock_token,    String, :limit => 20
-      apply_schema :locked_at,       DateTime
+    # Creates failed_attempts, unlock_token and locked_at depending on the options given.
+    #
+    # == Options
+    # * :unlock_strategy - The strategy used for unlock. Can be :time, :email, :both (default), :none.
+    #   If :email or :both, creates a unlock_token field.
+    # * :lock_strategy - The strategy used for locking. Can be :failed_attempts (default) or :none.
+    def lockable(options={})
+      unlock_strategy   = options[:unlock_strategy]
+      unlock_strategy ||= self.unlock_strategy if respond_to?(:unlock_strategy)
+      unlock_strategy ||= :both
+
+      lock_strategy   = options[:lock_strategy]
+      lock_strategy ||= self.lock_strategy if respond_to?(:lock_strategy)
+      lock_strategy ||= :failed_attempts
+
+      if lock_strategy == :failed_attempts
+        apply_schema :failed_attempts, Integer, :default => 0
+      end
+
+      if [:both, :email].include?(unlock_strategy)
+        apply_schema :unlock_token, String
+      end
+
+      apply_schema :locked_at, DateTime
     end
 
     # Overwrite with specific modification to create your own schema.

lib/devise/strategies/authenticatable.rb

@@ -2,35 +2,106 @@ require 'devise/strategies/base'
 
 module Devise
   module Strategies
-    # Default strategy for signing in a user, based on his email and password.
-    # Redirects to sign_in page if it's not authenticated
+    # This strategy should be used as basis for authentication strategies. It retrieves
+    # parameters both from params or from http authorization headers. See database_authenticatable
+    # for an example.
     class Authenticatable < Base
+      attr_accessor :authentication_hash, :password
+
       def valid?
-        valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate)
+        valid_for_http_auth? || valid_for_params_auth?
       end
 
-      # Authenticate a user based on email and password params, returning to warden
-      # success and the authenticated user if everything is okay. Otherwise redirect
-      # to sign in page.
-      def authenticate!
-        if resource = mapping.to.authenticate(params[scope])
-          success!(resource)
+    private
+
+      # Simply invokes valid_for_authentication? with the given block and deal with the result.
+      def validate(resource, &block)
+        result = resource && resource.valid_for_authentication?(&block)
+
+        case result
+        when Symbol, String
+          fail!(result)
         else
-          fail!(:invalid)
-        end
+          result
+        end 
       end
 
-      protected
+      # Check if this is strategy is valid for http authentication.
+      def valid_for_http_auth?
+        http_authenticatable? && request.authorization && with_authentication_hash(http_auth_hash)
+      end
 
-        def valid_controller?
-          params[:controller] =~ /sessions$/
-        end
+      # Check if this is strategy is valid for params authentication.
+      def valid_for_params_auth?
+        params_authenticatable? && valid_request? &&
+          valid_params? && with_authentication_hash(params_auth_hash)
+      end
 
-        def valid_params?
-          params[scope] && params[scope][:password].present?
-        end
+      # Check if the model accepts this strategy as http authenticatable.
+      def http_authenticatable?
+        mapping.to.http_authenticatable?(authenticatable_name)
+      end
+
+      # Check if the model accepts this strategy as params authenticatable.
+      def params_authenticatable?
+        mapping.to.params_authenticatable?(authenticatable_name)
+      end
+
+      # Extract the appropriate subhash for authentication from params.
+      def params_auth_hash
+         params[scope]
+       end
+
+      # Extract a hash with attributes:values from the http params.
+      def http_auth_hash
+        keys = [authentication_keys.first, :password]
+        Hash[*keys.zip(decode_credentials).flatten]
+      end
+
+      # By default, a request is valid  if the controller is allowed and the VERB is POST.
+      def valid_request?
+        valid_controller? && valid_verb?
+      end
+
+      # Check if the controller is valid for params authentication.
+      def valid_controller?
+        mapping.controllers[:sessions] == params[:controller]
+      end
+
+      # Check if the params_auth_hash is valid for params authentication.
+      def valid_verb?
+        request.post?
+      end
+
+      # If the request is valid, finally check if params_auth_hash returns a hash.
+      def valid_params?
+        params_auth_hash.is_a?(Hash)
+      end
+
+      # Helper to decode credentials from HTTP.
+      def decode_credentials
+        username_and_password = request.authorization.split(' ', 2).last || ''
+        ActiveSupport::Base64.decode64(username_and_password).split(/:/, 2)
+      end
+
+      # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
+      def with_authentication_hash(hash)
+        self.authentication_hash = hash.slice(*authentication_keys)
+        self.password = hash[:password]
+        authentication_keys.all?{ |k| authentication_hash[k].present? }
+      end
+
+      # Holds the authentication keys.
+      def authentication_keys
+        @authentication_keys ||= mapping.to.authentication_keys
+      end
+
+      # Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable
+      # becomes simply :database.
+      def authenticatable_name
+        @authenticatable_name ||=
+          self.class.name.split("::").last.underscore.sub("_authenticatable", "").to_sym
+      end
     end
   end
-end
-
-Warden::Strategies.add(:authenticatable, Devise::Strategies::Authenticatable)
+end

lib/devise/strategies/base.rb

@@ -2,8 +2,7 @@ module Devise
   module Strategies
     # Base strategy for Devise. Responsible for verifying correct scope and mapping.
     class Base < ::Warden::Strategies::Base
-      # Checks if a valid scope was given for devise and find mapping based on
-      # this scope.
+      # Checks if a valid scope was given for devise and find mapping based on this scope.
       def mapping
         @mapping ||= begin
           mapping = Devise.mappings[scope]
@@ -11,6 +10,10 @@ module Devise
           mapping
         end
       end
+
+      def succeeded?
+        @result == :success
+      end
     end
   end
-end
+end

lib/devise/strategies/database_authenticatable.rb

@@ -0,0 +1,20 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Default strategy for signing in a user, based on his email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource = mapping.to.find_for_database_authentication(authentication_hash)
+
+        if validate(resource){ resource.valid_password?(password) }
+          success!(resource)
+        else
+          fail(:invalid)
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

lib/devise/strategies/http_authenticatable.rb

@@ -1,41 +0,0 @@
-require 'devise/strategies/base'
-
-module Devise
-  module Strategies
-    # Sign in an user using HTTP authentication.
-    class HttpAuthenticatable < Base
-      def valid?
-        request.authorization && mapping.to.respond_to?(:authenticate_with_http)
-      end
-
-      def authenticate!
-        username, password = username_and_password
-
-        if resource = mapping.to.authenticate_with_http(username, password)
-          success!(resource)
-        else
-          custom!([401, custom_headers, ["HTTP Basic: Access denied.\n"]])
-        end
-      end
-
-    private
-
-      def username_and_password
-        decode_credentials(request).split(/:/, 2)
-      end
-
-      def decode_credentials(request)
-        ActiveSupport::Base64.decode64(request.authorization.split(' ', 2).last || '')
-      end
-
-      def custom_headers
-        {
-          "Content-Type" => request.format.to_s,
-          "WWW-Authenticate" => %(Basic realm="#{Devise.http_authentication_realm.gsub(/"/, "")}")
-        }
-      end
-    end
-  end
-end
-
-Warden::Strategies.add(:http_authenticatable, Devise::Strategies::HttpAuthenticatable)

lib/devise/strategies/rememberable.rb

@@ -4,31 +4,35 @@ module Devise
   module Strategies
     # Remember the user through the remember token. This strategy is responsible
     # to verify whether there is a cookie with the remember token, and to
-    # recreate the user from this cookie if it exists.  Must be called *before*
+    # recreate the user from this cookie if it exists. Must be called *before*
     # authenticatable.
     class Rememberable < Devise::Strategies::Base
-
       # A valid strategy for rememberable needs a remember token in the cookies.
       def valid?
-        remember_me_cookie.present? && mapping.to.respond_to?(:serialize_from_cookie)
+        remember_cookie.present?
       end
 
       # To authenticate a user we deserialize the cookie and attempt finding
       # the record in the database. If the attempt fails, we pass to another
       # strategy handle the authentication.
       def authenticate!
-        if resource = mapping.to.serialize_from_cookie(remember_me_cookie)
+        if resource = mapping.to.serialize_from_cookie(*remember_cookie)
           success!(resource)
         else
+          cookies.delete(remember_key)
           pass
         end
       end
 
     private
 
+      def remember_key
+        "remember_#{scope}_token"
+      end
+
       # Accessor for remember cookie
-      def remember_me_cookie
-        @remember_me_cookie ||= request.cookies["remember_#{mapping.name}_token"]
+      def remember_cookie
+        @remember_cookie ||= cookies.signed[remember_key]
       end
     end
   end

lib/devise/strategies/token_authenticatable.rb

@@ -2,33 +2,42 @@ require 'devise/strategies/base'
 
 module Devise
   module Strategies
-    # Strategy for signing in a user, based on a authenticatable token.
-    # Redirects to sign_in page if it's not authenticated.
-    class TokenAuthenticatable < Base
-      def valid?
-        mapping.to.respond_to?(:authenticate_with_token) && authentication_token(scope).present?
-      end
-
-      # Authenticate a user based on authenticatable token params, returning to warden
-      # success and the authenticated user if everything is okay. Otherwise redirect
-      # to sign in page.
+    # Strategy for signing in a user, based on a authenticatable token. This works for both params
+    # and http. For the former, all you need to do is to pass the params in the URL:
+    #
+    #   http://myapp.example.com/?user_token=SECRET
+    #
+    # For HTTP, you can pass the token as username. Since some clients may require a password,
+    # you can pass anything and it will simply be ignored.
+    class TokenAuthenticatable < Authenticatable
       def authenticate!
-        if resource = mapping.to.authenticate_with_token(params[scope] || params)
+        if resource = mapping.to.authenticate_with_token(authentication_hash)
           success!(resource)
         else
-          fail!(:invalid_token)
+          fail(:invalid_token)
         end
       end
 
     private
 
-      # Detect authentication token in params: scoped or not.
-      def authentication_token(scope)
-        if params[scope]
-          params[scope][mapping.to.token_authentication_key]
-        else
-          params[mapping.to.token_authentication_key]
-        end
+      # TokenAuthenticatable request is valid for any controller and any verb.
+      def valid_request?
+        true
+      end
+
+      # Do not use remember_me behavir with token.
+      def remember_me?
+        false
+      end
+
+      # Try both scoped and non scoped keys.
+      def params_auth_hash
+        params[scope] || params
+      end
+
+      # Overwrite authentication keys to use token_authentication_key.
+      def authentication_keys
+        @authentication_keys ||= [mapping.to.token_authentication_key]
       end
     end
   end

lib/devise/test_helpers.rb

@@ -15,7 +15,7 @@ module Devise
       def initialize(controller)
         @controller = controller
         manager = Warden::Manager.new(nil) do |config|
-          Devise.configure_warden(config)
+          config.merge! Devise.warden_config
         end
         super(controller.request.env, manager)
       end
@@ -24,6 +24,10 @@ module Devise
         catch_with_redirect { super }
       end
 
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
       def catch_with_redirect(&block)
         result = catch(:warden, &block)
 

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.1.pre2".freeze
+  VERSION = "1.1.rc0".freeze
 end

lib/generators/devise/devise_generator.rb

@@ -18,22 +18,28 @@ class DeviseGenerator < Rails::Generators::NamedBase
     Time.now.utc.strftime("%Y%m%d%H%M%S")
   end
 
+  class_option :orm
   class_option :migration, :type => :boolean, :default => orm_has_migration?
 
   def invoke_orm_model
-    if File.exists?(File.join(destination_root, model_path))
+    if model_exists?
       say "* Model already exists. Adding Devise behavior."
     else
-      invoke "model", [name], :migration => false
+      invoke "model", [name], :migration => false, :orm => options[:orm]
+
+      unless model_exists?
+        abort "Tried to invoke the model generator for '#{options[:orm]}' but could not find it.\n" <<
+              "Please create your model by hand before calling `rails g devise #{name}`."
+      end
     end
   end
 
   def inject_devise_config_into_model
     inject_into_class model_path, class_name, <<-CONTENT
   # Include default devise modules. Others available are:
-  # :http_authenticatable, :token_authenticatable, :lockable, :timeoutable and :activatable
-  devise :registerable, :authenticatable, :confirmable, :recoverable,
-         :rememberable, :trackable, :validatable
+  # :token_authenticatable, :lockable, :timeoutable and :activatable
+  devise :database_authenticatable, :registerable, :confirmable,
+         :recoverable, :rememberable, :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model
   attr_accessible :email, :password, :password_confirmation
@@ -51,6 +57,10 @@ CONTENT
 
   protected
 
+    def model_exists?
+      File.exists?(File.join(destination_root, model_path))
+    end
+
     def model_path
       @model_path ||= File.join("app", "models", "#{file_path}.rb")
     end

lib/generators/devise/templates/migration.rb

@@ -1,12 +1,12 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable
       t.trackable
-      # t.lockable
+      # t.lockable :lock_strategy => :<%= Devise.lock_strategy %>, :unlock_strategy => :<%= Devise.unlock_strategy %>
 
       t.timestamps
     end

lib/generators/devise_install/templates/devise.rb

@@ -4,7 +4,24 @@ Devise.setup do |config|
   # Configure the e-mail address which will be shown in DeviseMailer.
   config.mailer_sender = "please-change-me@config-initializers-devise.com"
 
-  # ==> Configuration for :authenticatable
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating an user. By default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating an user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # config.authentication_keys = [ :email ]
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # config.http_authenticatable = true
+
+  # The realm used in Http Basic Authentication
+  # config.http_authentication_realm = "Application"
+
+  # ==> Configuration for :database_authenticatable
   # Invoke `rake secret` and use the printed value to setup a pepper to generate
   # the encrypted password. By default no pepper is used.
   # config.pepper = "rake secret output"
@@ -19,16 +36,6 @@ Devise.setup do |config|
   # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
   # config.encryptor = :sha1
 
-  # Configure which keys are used when authenticating an user. By default is
-  # just :email. You can configure it to use [:username, :subdomain], so for
-  # authenticating an user, both parameters are required. Remember that those
-  # parameters are used only when authenticating and not when retrieving from
-  # session. If you need permissions, you should implement that in a before filter.
-  # config.authentication_keys = [ :email ]
-
-  # The realm used in Http Basic Authentication
-  # config.http_authentication_realm = "Application"
-
   # ==> Configuration for :confirmable
   # The time you want give to your user to confirm his account. During this time
   # he will be able to access your application without confirming. Default is nil.
@@ -38,21 +45,35 @@ Devise.setup do |config|
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
+  # ==> Configuration for :validatable
+  # Range for password length
+  # config.password_length = 6..20
+
+  # Regex to use to validate the email address
+  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again.
   # config.timeout_in = 10.minutes
 
   # ==> Configuration for :lockable
-  # Number of authentication tries before locking an account.
-  # config.maximum_attempts = 20
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
   # :time  = Reanables login after a certain ammount of time (see :unlock_in below)
-  # :both  = enables both strategies
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
   # config.unlock_strategy = :both
 
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour
 
@@ -61,10 +82,9 @@ Devise.setup do |config|
   # config.token_authentication_key = :auth_token
 
   # ==> General configuration
-  # Load and configure the ORM. Supports :active_record (default), :mongo_mapper
+  # Load and configure the ORM. Supports :active_record (default), :mongoid
   # (requires mongo_ext installed) and :data_mapper (experimental).
-  # require 'devise/orm/mongo_mapper'
-  # config.orm = :mongo_mapper
+  require 'devise/orm/active_record'
 
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "sessions/users/new". It's turned off by default because it's slower if you
@@ -91,12 +111,6 @@ Devise.setup do |config|
   #     twitter.consumer_key  = <YOUR CONSUMER KEY>
   #     twitter.options :site => 'http://twitter.com'
   #   end
-  #   manager.default_strategies.unshift :twitter_oauth
-  # end
-
-  # Configure default_url_options if you are using dynamic segments in :path_prefix
-  # for devise_for.
-  # config.default_url_options do
-  #   { :locale => I18n.locale }
+  #   manager.default_strategies(:scope => :user).unshift :twitter_oauth
   # end
 end

lib/generators/devise_views/devise_views_generator.rb

@@ -1,11 +1,62 @@
 class DeviseViewsGenerator < Rails::Generators::Base
   desc "Copies all Devise views to your application."
-
+  
+  argument :scope, :required => false, :default => nil,
+                   :desc => "The scope to copy views to"
+  
+  class_option :template_engine, :type => :string, :aliases => "-t", :default => "erb",
+                                 :desc => "Template engine for the views. Available options are 'erb' and 'haml'."
+  
   def self.source_root
     @_devise_source_root ||= File.expand_path("../../../../app/views", __FILE__)
   end
 
   def copy_views
-    directory "devise"
+    case options[:template_engine]
+    when "haml"
+      verify_haml_existence
+      verify_haml_version
+      create_and_copy_haml_views
+    else
+      directory "devise", "app/views/devise/#{scope}"
+    end
+  end
+  
+  protected
+  
+  def verify_haml_existence
+    begin
+      require 'haml'
+    rescue LoadError
+      say "HAML is not installed, or it is not specified in your Gemfile."
+      exit
+    end
+  end
+  
+  def verify_haml_version
+    unless Haml.version[:major] == 2 and Haml.version[:minor] >= 3 or Haml.version[:major] >= 3
+      say "To generate HAML templates, you need to install HAML 2.3 or above."
+      exit
+    end
+  end
+  
+  def create_and_copy_haml_views
+    require 'tmpdir'
+    html_root = "#{self.class.source_root}/devise"
+
+    Dir.mktmpdir("devise-haml.") do |haml_root|
+      Dir["#{html_root}/**/*"].each do |path|
+        relative_path = path.sub(html_root, "")
+        source_path   = (haml_root + relative_path).sub(/erb$/, "haml")
+
+        if File.directory?(path)
+          FileUtils.mkdir_p(source_path)
+        else
+          `html2haml -r #{path} #{source_path}`
+        end
+      end
+
+      directory haml_root, "app/views/devise/#{scope}"
+    end
   end
 end

test/controllers/helpers_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 require 'ostruct'
 
 class MockController < ApplicationController
@@ -23,6 +23,10 @@ class MockController < ApplicationController
     "http"
   end
 
+  def script_name
+    ""
+  end
+
   def symbolized_path_parameters
     {}
   end
@@ -117,20 +121,20 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'stored location for returns the location for a given scope' do
     assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
   end
 
   test 'stored location for accepts a resource as argument' do
     assert_nil @controller.stored_location_for(:user)
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(User.new)
   end
 
   test 'stored location cleans information after reading' do
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
-    assert_nil @controller.session[:"user.return_to"]
+    assert_nil @controller.session[:"user_return_to"]
   end
 
   test 'after sign in path defaults to root path if none by was specified for the given scope' do
@@ -148,7 +152,8 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:"user.return_to"] = "/foo.bar"
+    @controller.session[:"user_return_to"] = "/foo.bar"
+    @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")
     @controller.sign_in_and_redirect(user)
@@ -156,15 +161,18 @@ class ControllerAuthenticableTest < ActionController::TestCase
 
   test 'sign in and redirect uses the configured after sign in path' do
     admin = Admin.new
+    @mock_warden.expects(:user).with(:admin).returns(nil)
     @mock_warden.expects(:set_user).with(admin, :scope => :admin).returns(true)
     @controller.expects(:redirect_to).with(admin_root_path)
     @controller.sign_in_and_redirect(admin)
   end
 
-  test 'only redirect if skip is given' do
+  test 'sign in and redirect does not sign in again if user is already signed' do
     admin = Admin.new
+    @mock_warden.expects(:user).with(:admin).returns(admin)
+    @mock_warden.expects(:set_user).never
     @controller.expects(:redirect_to).with(admin_root_path)
-    @controller.sign_in_and_redirect(:admin, admin, true)
+    @controller.sign_in_and_redirect(admin)
   end
 
   test 'sign out and redirect uses the configured after sign out path' do
@@ -178,13 +186,4 @@ class ControllerAuthenticableTest < ActionController::TestCase
   test 'is not a devise controller' do
     assert_not @controller.devise_controller?
   end
-
-  test 'default url options are retrieved from devise' do
-    begin
-      Devise.default_url_options {{ :locale => I18n.locale }}
-      assert_equal({ :locale => :en }, @controller.send(:default_url_options))
-    ensure
-      Devise.default_url_options {{ }}
-    end
-  end
 end

test/controllers/internal_helpers_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class MyController < ApplicationController
   include Devise::Controllers::InternalHelpers
@@ -7,6 +7,11 @@ end
 class HelpersTest < ActionController::TestCase
   tests MyController
 
+  def setup
+    @mock_warden = OpenStruct.new
+    @controller.request.env['warden'] = @mock_warden
+  end
+
   test 'get resource name from request path' do
     @request.path = '/users/session'
     assert_equal :user, @controller.resource_name

test/controllers/url_helpers_test.rb

@@ -1,9 +1,9 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RoutesTest < ActionController::TestCase
   tests ApplicationController
 
-  def test_path_and_url(name, prepend_path=nil)
+  def assert_path_and_url(name, prepend_path=nil)
     @request.path = '/users/session'
     prepend_path = "#{prepend_path}_" if prepend_path
 
@@ -29,19 +29,19 @@ class RoutesTest < ActionController::TestCase
 
 
   test 'should alias session to mapped user session' do
-    test_path_and_url :session
-    test_path_and_url :session, :new
-    test_path_and_url :session, :destroy
+    assert_path_and_url :session
+    assert_path_and_url :session, :new
+    assert_path_and_url :session, :destroy
   end
 
   test 'should alias password to mapped user password' do
-    test_path_and_url :password
-    test_path_and_url :password, :new
-    test_path_and_url :password, :edit
+    assert_path_and_url :password
+    assert_path_and_url :password, :new
+    assert_path_and_url :password, :edit
   end
 
   test 'should alias confirmation to mapped user confirmation' do
-    test_path_and_url :confirmation
-    test_path_and_url :confirmation, :new
+    assert_path_and_url :confirmation
+    assert_path_and_url :confirmation, :new
   end
 end

test/devise_test.rb

@@ -1,8 +1,11 @@
-require 'test/test_helper'
+require 'test_helper'
 
 module Devise
-  def self.clean_warden_config!
-    @warden_config = nil
+  def self.yield_and_restore
+    c, b = @@warden_config, @@warden_config_block
+    yield
+  ensure
+    @@warden_config, @@warden_config_block = c, b
   end
 end
 
@@ -20,28 +23,21 @@ class DeviseTest < ActiveSupport::TestCase
     end
   end
 
-  test 'warden manager configuration' do
-    config = Warden::Config.new
-    Devise.configure_warden(config)
-
-    assert_equal Devise::FailureApp, config.failure_app
-    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable], config.default_strategies
-    assert_equal :user, config.default_scope
-    assert config.silence_missing_strategies?
+  test 'stores warden configuration' do
+    assert_equal Devise::FailureApp, Devise.warden_config.failure_app
+    assert_equal :user, Devise.warden_config.default_scope
   end
 
   test 'warden manager user configuration through a block' do
-    begin
+    Devise.yield_and_restore do
       @executed = false
       Devise.warden do |config|
         @executed = true
         assert_kind_of Warden::Config, config
       end
 
-      Devise.configure_warden(Warden::Config.new)
+      Devise.configure_warden!
       assert @executed
-    ensure
-      Devise.clean_warden_config!
     end
   end
 
@@ -52,16 +48,15 @@ class DeviseTest < ActiveSupport::TestCase
     assert_not defined?(Devise::Models::Coconut)
     Devise::ALL.delete(:coconut)
 
-    assert_nothing_raised(Exception) { Devise.add_module(:banana, :strategy => true) }
-    assert_equal 1, Devise::STRATEGIES.select { |v| v == :banana }.size
+    assert_nothing_raised(Exception) { Devise.add_module(:banana, :strategy => :fruits) }
+    assert_equal :fruits, Devise::STRATEGIES[:banana]
     Devise::ALL.delete(:banana)
     Devise::STRATEGIES.delete(:banana)
 
     assert_nothing_raised(Exception) { Devise.add_module(:kivi, :controller => :fruits) }
-    assert_not_nil Devise::CONTROLLERS[:fruits]
-    assert_equal 1, Devise::CONTROLLERS[:fruits].select { |v| v == :kivi }.size
+    assert_equal :fruits, Devise::CONTROLLERS[:kivi]
     Devise::ALL.delete(:kivi)
-    Devise::CONTROLLERS.delete(:fruits)
+    Devise::CONTROLLERS.delete(:kivi)
 
     assert_nothing_raised(Exception) { Devise.add_module(:authenticatable_again, :model => 'devise/model/authenticatable') }
     assert defined?(Devise::Models::AuthenticatableAgain)

test/encryptors_test.rb

@@ -1,3 +1,5 @@
+require 'test_helper'
+
 class Encryptors < ActiveSupport::TestCase
   test 'should match a password created by authlogic' do
     authlogic = "b623c3bc9c775b0eb8edb218a382453396fec4146422853e66ecc4b6bc32d7162ee42074dcb5f180a770dc38b5df15812f09bbf497a4a1b95fe5e7d2b8eb7eb4"

test/failure_app_test.rb

@@ -1,49 +1,95 @@
-require 'test/test_helper'
+require 'test_helper'
 require 'ostruct'
 
 class FailureTest < ActiveSupport::TestCase
+  def self.context(name, &block)
+    instance_eval(&block)
+  end
 
   def call_failure(env_params={})
     env = {
       'warden.options' => { :scope => :user },
       'REQUEST_URI' => 'http://test.host/',
+      'HTTP_HOST' => 'test.host',
       'REQUEST_METHOD' => 'GET',
-      'rack.session' => {}
+      'rack.session' => {},
+      'rack.input' => "",
+      'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)
-    Devise::FailureApp.call(env)
+    
+    @response = Devise::FailureApp.call(env).to_a
+    @request  = ActionDispatch::Request.new(env)
   end
 
-  test 'return 302 status' do
-    assert_equal 302, call_failure.first
+  def call_failure_with_http(env_params={})
+    env = { "HTTP_AUTHORIZATION" => "Basic #{ActiveSupport::Base64.encode64("foo:bar")}" }
+    call_failure(env_params.merge!(env))
   end
 
-  test 'return to the default redirect location' do
-    assert_equal '/users/sign_in?unauthenticated=true', call_failure.second['Location']
+  context 'When redirecting' do
+    test 'return 302 status' do
+      call_failure
+      assert_equal 302, @response.first
+    end
+
+    test 'return to the default redirect location' do
+      call_failure
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/users/sign_in', @response.second['Location']
+    end
+
+    test 'uses the proxy failure message as symbol' do
+      call_failure('warden' => OpenStruct.new(:message => :test))
+      assert_equal 'test', @request.flash[:alert]
+      assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
+    end
+
+    test 'uses the proxy failure message as string' do
+      call_failure('warden' => OpenStruct.new(:message => 'Hello world'))
+      assert_equal 'Hello world', @request.flash[:alert]
+      assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
+    end
+
+    test 'set content type to default text/html' do
+      call_failure
+      assert_equal 'text/html; charset=utf-8', @response.second['Content-Type']
+    end
+
+    test 'setup a default message' do
+      call_failure
+      assert_match /You are being/, @response.last.body
+      assert_match /redirected/, @response.last.body
+      assert_match /users\/sign_in/, @response.last.body
+    end
   end
 
-  test 'uses the proxy failure message' do
-    warden = OpenStruct.new(:message => :test)
-    location = call_failure('warden' => warden).second['Location']
-    assert_equal '/users/sign_in?test=true', location
+  context 'For HTTP request' do
+    test 'return 401 status' do
+      call_failure_with_http
+      assert_equal 401, @response.first
+    end
+
+    test 'return WWW-authenticate headers' do
+      call_failure_with_http
+      assert_equal 'Basic realm="Application"', @response.second["WWW-Authenticate"]
+    end
+
+    test 'uses the proxy failure message as response body' do
+      call_failure_with_http('warden' => OpenStruct.new(:message => :invalid))
+      assert_equal 'Invalid email or password.', @response.third.body
+    end
   end
 
-  test 'uses the given message' do
-    warden = OpenStruct.new(:message => 'Hello world')
-    location = call_failure('warden' => warden).second['Location']
-    assert_equal '/users/sign_in?message=Hello+world', location
-  end
-
-  test 'setup default url' do
-    Devise::FailureApp.default_url = 'test/sign_in'
-    location = call_failure('warden.options' => { :scope => nil }).second['Location']
-    assert_equal '/test/sign_in?unauthenticated=true', location
-  end
-
-  test 'set content type to default text/plain' do
-    assert_equal 'text/plain', call_failure.second['Content-Type']
-  end
-
-  test 'setup a default message' do
-    assert_equal ['You are being redirected to /users/sign_in?unauthenticated=true'], call_failure.last
+  context 'With recall' do
+    test 'calls the original controller' do
+      env = {
+        "action_dispatch.request.parameters" => { :controller => "devise/sessions" },
+        "warden.options" => { :recall => "new", :attempted_path => "/users/sign_in" },
+        "warden" => stub_everything
+      }
+      call_failure(env)
+      assert @response.third.body.include?('<h2>Sign in</h2>')
+      assert @response.third.body.include?('Invalid email or password.')
+    end
   end
 end

test/integration/confirmable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class ConfirmationTest < ActionController::IntegrationTest
 
@@ -11,7 +11,7 @@ class ConfirmationTest < ActionController::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     visit new_user_session_path
-    click_link 'Didn\'t receive confirmation instructions?'
+    click_link "Didn't receive confirmation instructions?"
 
     fill_in 'email', :with => user.email
     click_button 'Resend confirmation instructions'
@@ -88,9 +88,9 @@ class ConfirmationTest < ActionController::IntegrationTest
 
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
-      :sessions => { :admin => { :unconfirmed => "Not confirmed user" } }
+      :failure => { :user => { :unconfirmed => "Not confirmed user" } }
     } do
-      get new_admin_session_path(:unconfirmed => true)
+      sign_in_as_user(:confirm => false)
       assert_contain 'Not confirmed user'
     end
   end

test/integration/database_authenticatable_test.rb

@@ -1,6 +1,6 @@
-require 'test/test_helper'
+require 'test_helper'
 
-class AuthenticationSanityTest < ActionController::IntegrationTest
+class DatabaseAuthenticationSanityTest < ActionController::IntegrationTest
   test 'home should be accessible without sign in' do
     visit '/'
     assert_response :success
@@ -50,7 +50,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
   test 'not signed in as admin should not be able to access admins actions' do
     get admins_path
 
-    assert_redirected_to new_admin_session_path(:unauthenticated => true)
+    assert_redirected_to new_admin_session_path
     assert_not warden.authenticated?(:admin)
   end
 
@@ -60,7 +60,7 @@ class AuthenticationSanityTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:admin)
 
     get admins_path
-    assert_redirected_to new_admin_session_path(:unauthenticated => true)
+    assert_redirected_to new_admin_session_path
   end
 
   test 'signed in as admin should be able to access admin actions' do
@@ -134,7 +134,7 @@ class AuthenticationTest < ActionController::IntegrationTest
   end
 
   test 'error message is configurable by resource name' do
-    store_translations :en, :devise => { :sessions => { :admin => { :invalid => "Invalid credentials" } } } do
+    store_translations :en, :devise => { :failure => { :admin => { :invalid => "Invalid credentials" } } } do
       sign_in_as_admin do
         fill_in 'password', :with => 'abcdef'
       end
@@ -146,7 +146,7 @@ class AuthenticationTest < ActionController::IntegrationTest
   test 'redirect from warden shows sign in or sign up message' do
     get admins_path
 
-    warden_path = new_admin_session_path(:unauthenticated => true)
+    warden_path = new_admin_session_path
     assert_redirected_to warden_path
 
     get warden_path
@@ -157,35 +157,35 @@ class AuthenticationTest < ActionController::IntegrationTest
     sign_in_as_user
 
     assert_template 'home/index'
-    assert_nil session[:"user.return_to"]
+    assert_nil session[:"user_return_to"]
   end
 
   test 'redirect to requested url after sign in' do
     get users_path
-    assert_redirected_to new_user_session_path(:unauthenticated => true)
-    assert_equal users_path, session[:"user.return_to"]
+    assert_redirected_to new_user_session_path
+    assert_equal users_path, session[:"user_return_to"]
 
     follow_redirect!
     sign_in_as_user :visit => false
 
     assert_template 'users/index'
-    assert_nil session[:"user.return_to"]
+    assert_nil session[:"user_return_to"]
   end
 
   test 'redirect to last requested url overwriting the stored return_to option' do
     get expire_user_path(create_user)
-    assert_redirected_to new_user_session_path(:unauthenticated => true)
-    assert_equal expire_user_path(create_user), session[:"user.return_to"]
+    assert_redirected_to new_user_session_path
+    assert_equal expire_user_path(create_user), session[:"user_return_to"]
 
     get users_path
-    assert_redirected_to new_user_session_path(:unauthenticated => true)
-    assert_equal users_path, session[:"user.return_to"]
+    assert_redirected_to new_user_session_path
+    assert_equal users_path, session[:"user_return_to"]
 
     follow_redirect!
     sign_in_as_user :visit => false
 
     assert_template 'users/index'
-    assert_nil session[:"user.return_to"]
+    assert_nil session[:"user_return_to"]
   end
 
   test 'redirect to configured home path for a given scope after sign in' do
@@ -199,7 +199,7 @@ class AuthenticationTest < ActionController::IntegrationTest
 
     User.destroy_all
     get '/users'
-    assert_redirected_to '/users/sign_in?unauthenticated=true'
+    assert_redirected_to new_user_session_path
   end
 
   test 'allows session to be set by a given scope' do
@@ -226,7 +226,7 @@ class AuthenticationTest < ActionController::IntegrationTest
       end
 
       assert_match /Special user view/, response.body
-      assert !Devise::PasswordsController.scoped_views
+      assert !Devise::PasswordsController.scoped_views?
     ensure
       Devise::SessionsController.send :remove_instance_variable, :@scoped_views
     end
@@ -265,6 +265,24 @@ class AuthenticationTest < ActionController::IntegrationTest
     assert_contain 'Welcome to "sessions/new" view!'
   end
 
+  # Custom strategy invoking custom!
+  test 'custom strategy invoking custom on sign up bevahes as expected' do
+    Warden::Strategies.add(:custom) do
+      def authenticate!
+        custom!([401, {"Content-Type" => "text/html"}, ["Custom strategy"]])
+      end
+    end
+
+    begin
+      Devise.warden_config.default_strategies(:scope => :user).unshift(:custom)
+      sign_in_as_user
+      assert_equal 401, status
+      assert_contain 'Custom strategy'
+    ensure
+      Devise.warden_config.default_strategies(:scope => :user).shift
+    end
+  end
+
   # Access
   test 'render 404 on roles without permission' do
     get '/admin_area/password/new', {}, "action_dispatch.show_exceptions" => true

test/integration/http_authenticatable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class HttpAuthenticationTest < ActionController::IntegrationTest
 
@@ -19,7 +19,8 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
   test 'uses the request format as response content type' do
     sign_in_as_new_user_with_http("unknown", "123456", :xml)
     assert_equal 401, status
-    assert_equal "application/xml", headers["Content-Type"]
+    assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
+    assert response.body.include?("<error>Invalid email or password.</error>")
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

test/integration/lockable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class LockTest < ActionController::IntegrationTest
   
@@ -11,7 +11,7 @@ class LockTest < ActionController::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     visit new_user_session_path
-    click_link 'Didn\'t receive unlock instructions?'
+    click_link "Didn't receive unlock instructions?"
 
     fill_in 'email', :with => user.email
     click_button 'Resend unlock instructions'
@@ -26,7 +26,7 @@ class LockTest < ActionController::IntegrationTest
     ActionMailer::Base.deliveries.clear
 
     visit new_user_session_path
-    click_link 'Didn\'t receive unlock instructions?'
+    click_link "Didn't receive unlock instructions?"
 
     fill_in 'email', :with => user.email
     click_button 'Resend unlock instructions'
@@ -36,6 +36,15 @@ class LockTest < ActionController::IntegrationTest
     assert_equal 0, ActionMailer::Base.deliveries.size
   end
 
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit new_user_unlock_path
+    swap Devise, :unlock_strategy => :time do
+      assert_raise AbstractController::ActionNotFound do
+        visit new_user_unlock_path
+      end
+    end
+  end
+
   test 'user with invalid unlock token should not be able to unlock an account' do
     visit_user_unlock_with_token('invalid_token')
 
@@ -47,20 +56,19 @@ class LockTest < ActionController::IntegrationTest
 
   test "locked user should be able to unlock account" do
     user = create_user(:locked => true)
-    assert user.locked?
+    assert user.access_locked?
 
     visit_user_unlock_with_token(user.unlock_token)
 
     assert_template 'home/index'
     assert_contain 'Your account was successfully unlocked.'
 
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test "sign in user automatically after unlocking it's account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
-
     assert warden.authenticated?(:user)
   end
 
@@ -71,11 +79,23 @@ class LockTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(:locked => true)
+    user.failed_attempts = User.maximum_attempts + 1
+    user.save!
+
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(:password => "invalid")
+    assert_contain 'Your account is locked.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
-      :sessions => { :admin => { :locked => "You are locked!" } }
+      :failure => { :user => { :locked => "You are locked!" } }
     } do
-      get new_admin_session_path(:locked => true)
+      user = sign_in_as_user(:locked => true)
       assert_contain 'You are locked!'
     end
   end

test/integration/recoverable_test.rb

@@ -1,10 +1,10 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class PasswordTest < ActionController::IntegrationTest
 
   def visit_new_password_path
     visit new_user_session_path
-    click_link 'Forgot password?'
+    click_link 'Forgot your password?'
   end
 
   def request_forgot_password(&block)
@@ -134,7 +134,7 @@ class PasswordTest < ActionController::IntegrationTest
     request_forgot_password
     reset_password :reset_password_token => user.reload.reset_password_token
 
-    assert_current_path new_user_session_path(:unconfirmed => true)
+    assert_equal new_user_session_path, @request.path
     assert !warden.authenticated?(:user)
   end
 

test/integration/registerable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RegistrationTest < ActionController::IntegrationTest
 
@@ -16,7 +16,7 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_contain 'You have signed up successfully.'
     assert warden.authenticated?(:admin)
 
-    admin = Admin.last
+    admin = Admin.last :order => "id"
     assert_equal admin.email, 'new_user@test.com'
   end
 
@@ -28,13 +28,13 @@ class RegistrationTest < ActionController::IntegrationTest
     fill_in 'password confirmation', :with => 'new_user123'
     click_button 'Sign up'
 
-    assert_contain 'You have signed up successfully.'
+    assert_contain 'You have signed up successfully'
     assert_contain 'Sign in'
-    assert_not_contain 'Confirm your account'
+    assert_not_contain 'You have to confirm your account before continuing'
 
     assert_not warden.authenticated?(:user)
 
-    user = User.last
+    user = User.last :order => "id"
     assert_equal user.email, 'new_user@test.com'
     assert_not user.confirmed?
   end
@@ -73,7 +73,9 @@ class RegistrationTest < ActionController::IntegrationTest
 
   test 'a guest should not be able to change account' do
     get edit_user_registration_path
-    assert_redirected_to new_user_session_path(:unauthenticated => true)
+    assert_redirected_to new_user_session_path
+    follow_redirect!
+    assert_contain 'You need to sign in or sign up before continuing.'
   end
 
   test 'a signed in user should not be able to access sign up' do

test/integration/rememberable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RememberMeTest < ActionController::IntegrationTest
 
@@ -6,10 +6,17 @@ class RememberMeTest < ActionController::IntegrationTest
     Devise.remember_for = 1
     user = create_user
     user.remember_me!
-    cookies['remember_user_token'] = User.serialize_into_cookie(user) + add_to_token
+    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
+    cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
     user
   end
 
+  def generate_signed_cookie(raw_cookie)
+    request = ActionDispatch::Request.new({})
+    request.cookie_jar.signed['raw_cookie'] = raw_cookie
+    request.cookie_jar['raw_cookie']
+  end
+
   test 'do not remember the user if he has not checked remember me option' do
     user = sign_in_as_user
     assert_nil user.reload.remember_token
@@ -28,11 +35,19 @@ class RememberMeTest < ActionController::IntegrationTest
     assert warden.user(:user) == user
   end
 
+  test 'does not remember other scopes' do
+    user = create_user_and_remember
+    get root_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+    assert_not warden.authenticated?(:admin)
+  end
+
   test 'do not remember with invalid token' do
     user = create_user_and_remember('add')
     get users_path
     assert_not warden.authenticated?(:user)
-    assert_redirected_to new_user_session_path(:unauthenticated => true)
+    assert_redirected_to new_user_session_path
   end
 
   test 'do not remember with token expired' do
@@ -40,7 +55,7 @@ class RememberMeTest < ActionController::IntegrationTest
     swap Devise, :remember_for => 0 do
       get users_path
       assert_not warden.authenticated?(:user)
-      assert_redirected_to new_user_session_path(:unauthenticated => true)
+      assert_redirected_to new_user_session_path
     end
   end
 

test/integration/timeoutable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class SessionTimeoutTest < ActionController::IntegrationTest
 
@@ -32,7 +32,7 @@ class SessionTimeoutTest < ActionController::IntegrationTest
     assert_not_nil last_request_at
 
     get users_path
-    assert_redirected_to new_user_session_path(:timeout => true)
+    assert_redirected_to new_user_session_path
     assert_not warden.authenticated?(:user)
   end
 
@@ -47,14 +47,14 @@ class SessionTimeoutTest < ActionController::IntegrationTest
 
       get expire_user_path(user)
       get users_path
-      assert_redirected_to new_user_session_path(:timeout => true)
+      assert_redirected_to new_user_session_path
       assert_not warden.authenticated?(:user)
     end
   end
 
   test 'error message with i18n' do
     store_translations :en, :devise => {
-      :sessions => { :user => { :timeout => 'Session expired!' } }
+      :failure => { :user => { :timeout => 'Session expired!' } }
     } do
       user = sign_in_as_user
 

test/integration/token_authenticatable_test.rb

@@ -1,10 +1,10 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class TokenAuthenticationTest < ActionController::IntegrationTest
 
-  test 'sign in should authenticate with valid authentication token and proper authentication token key' do
+  test 'authenticate with valid authentication token key and value through params' do
     swap Devise, :token_authentication_key => :secret_token do
-      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
+      sign_in_as_new_user_with_token
 
       assert_response :success
       assert_template 'users/index'
@@ -13,10 +13,20 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
-  test 'signing in with valid authentication token - but improper authentication token key - return to sign in form with error message' do
-    swap Devise, :token_authentication_key => :donald_duck_token do
-      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
-      assert_current_path new_user_session_path(:unauthenticated => true)
+  test 'authenticate with valid authentication token key and value through http' do
+    swap Devise, :token_authentication_key => :secret_token do
+      sign_in_as_new_user_with_token(:http_auth => true)
+
+      assert_response :success
+      assert_template 'users/index'
+      assert_contain 'Welcome'
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'does authenticate with valid authentication token key and value through params if not configured' do
+    swap Devise, :token_authentication_key => :secret_token, :params_authenticatable => [:database] do
+      sign_in_as_new_user_with_token
 
       assert_contain 'You need to sign in or sign up before continuing'
       assert_contain 'Sign in'
@@ -24,12 +34,32 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
     end
   end
 
-  test 'signing in with invalid authentication token should return to sign in form with error message' do
-    store_translations :en, :devise => {:sessions => {:invalid_token => 'LOL, that was not a single character correct.'}} do
-      sign_in_as_new_user_with_token(:auth_token => '*** INVALID TOKEN ***')
-      assert_current_path new_user_session_path(:invalid_token => true)
+  test 'does authenticate with valid authentication token key and value through http if not configured' do
+    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:database] do
+      sign_in_as_new_user_with_token(:http_auth => true)
+
+      assert_response 401
+      assert_contain 'Invalid email or password.'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'does not authenticate with improper authentication token key' do
+    swap Devise, :token_authentication_key => :donald_duck_token do
+      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
+      assert_equal new_user_session_path, @request.path
+
+      assert_contain 'You need to sign in or sign up before continuing'
+      assert_contain 'Sign in'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'does not authenticate with improper authentication token value' do
+    store_translations :en, :devise => {:failure => {:invalid_token => 'LOL, that was not a single character correct.'}} do
+      sign_in_as_new_user_with_token(:auth_token => '*** INVALID TOKEN ***')
+      assert_equal new_user_session_path, @request.path
 
-      assert_response :success
       assert_contain 'LOL, that was not a single character correct.'
       assert_contain 'Sign in'
       assert_not warden.authenticated?(:user)
@@ -46,7 +76,13 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
       user.authentication_token = VALID_AUTHENTICATION_TOKEN
       user.save
 
-      visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
+      if options[:http_auth]
+        header = "Basic #{ActiveSupport::Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
+        get users_path, {}, "HTTP_AUTHORIZATION" => header
+      else
+        visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
+      end
+
       user
     end
 

test/integration/trackable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class TrackableHooksTest < ActionController::IntegrationTest
 
@@ -39,7 +39,7 @@ class TrackableHooksTest < ActionController::IntegrationTest
 
   test "increase sign in count" do
     user = create_user
-    assert_nil user.sign_in_count
+    assert_equal 0, user.sign_in_count
 
     sign_in_as_user
     user.reload

test/mailers/confirmation_instructions_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class ConfirmationInstructionsTest < ActionMailer::TestCase
 
@@ -23,7 +23,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
   end
 
   test 'content type should be set to html' do
-    assert_equal 'text/html', mail.content_type
+    assert mail.content_type.include?('text/html')
   end
 
   test 'send confirmation instructions to the user email' do
@@ -48,13 +48,13 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match /#{user.email}/, mail.body
+    assert_match /#{user.email}/, mail.body.encoded
   end
 
   test 'body should have link to confirm the account' do
     host = ActionMailer::Base.default_url_options[:host]
     confirmation_url_regexp = %r{<a href=\"http://#{host}/users/confirmation\?confirmation_token=#{user.confirmation_token}">}
-    assert_match confirmation_url_regexp, mail.body
+    assert_match confirmation_url_regexp, mail.body.encoded
   end
 
   test 'renders a scoped if scoped_views is set to true' do
@@ -73,7 +73,7 @@ class ConfirmationInstructionsTest < ActionMailer::TestCase
   end
 
   test 'mailer sender accepts a proc' do
-    swap Devise, :mailer_sender => lambda { "another@example.com" } do
+    swap Devise, :mailer_sender => proc { "another@example.com" } do
       assert_equal ['another@example.com'], mail.from
     end
   end

test/mailers/reset_password_instructions_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class ResetPasswordInstructionsTest < ActionMailer::TestCase
 
@@ -27,7 +27,7 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
   end
 
   test 'content type should be set to html' do
-    assert_equal 'text/html', mail.content_type
+    assert mail.content_type.include?('text/html')
   end
 
   test 'send confirmation instructions to the user email' do
@@ -51,17 +51,17 @@ class ResetPasswordInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match /#{user.email}/, mail.body
+    assert_match(/#{user.email}/, mail.body.encoded)
   end
 
   test 'body should have link to confirm the account' do
     host = ActionMailer::Base.default_url_options[:host]
     reset_url_regexp = %r{<a href=\"http://#{host}/users/password/edit\?reset_password_token=#{user.reset_password_token}">}
-    assert_match reset_url_regexp, mail.body
+    assert_match reset_url_regexp, mail.body.encoded
   end
 
   test 'mailer sender accepts a proc' do
-    swap Devise, :mailer_sender => lambda { "another@example.com" } do
+    swap Devise, :mailer_sender => proc { "another@example.com" } do
       assert_equal ['another@example.com'], mail.from
     end
   end

test/mailers/unlock_instructions_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class UnlockInstructionsTest < ActionMailer::TestCase
 
@@ -10,7 +10,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   def user
     @user ||= begin
       user = create_user
-      user.lock!
+      user.lock_access!
       user
     end
   end
@@ -27,7 +27,7 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   end
 
   test 'content type should be set to html' do
-    assert_equal 'text/html', mail.content_type
+    assert mail.content_type.include?('text/html')
   end
 
   test 'send unlock instructions to the user email' do
@@ -51,12 +51,12 @@ class UnlockInstructionsTest < ActionMailer::TestCase
   end
 
   test 'body should have user info' do
-    assert_match /#{user.email}/, mail.body
+    assert_match(/#{user.email}/, mail.body.encoded)
   end
 
   test 'body should have link to unlock the account' do
     host = ActionMailer::Base.default_url_options[:host]
     unlock_url_regexp = %r{<a href=\"http://#{host}/users/unlock\?unlock_token=#{user.unlock_token}">}
-    assert_match unlock_url_regexp, mail.body
+    assert_match unlock_url_regexp, mail.body.encoded
   end
 end

test/mapping_test.rb

@@ -1,12 +1,11 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class MappingTest < ActiveSupport::TestCase
 
   test 'store options' do
     mapping = Devise.mappings[:user]
-
     assert_equal User,                mapping.to
-    assert_equal User.devise_modules, mapping.for
+    assert_equal User.devise_modules, mapping.modules
     assert_equal :users,              mapping.as
   end
 
@@ -14,20 +13,25 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal :admin_area, Devise.mappings[:admin].as
   end
 
-  test 'allow custom scope to be given' do
+  test 'allows custom scope to be given' do
     assert_equal :accounts, Devise.mappings[:manager].as
   end
 
   test 'allows a controller depending on the mapping' do
-    mapping = Devise.mappings[:user]
-    assert mapping.allows?(:sessions)
-    assert mapping.allows?(:confirmations)
-    assert mapping.allows?(:passwords)
+    allowed = Devise.mappings[:user].allowed_controllers
+    assert allowed.include?("devise/sessions")
+    assert allowed.include?("devise/confirmations")
+    assert allowed.include?("devise/passwords")
 
-    mapping = Devise.mappings[:admin]
-    assert mapping.allows?(:sessions)
-    assert_not mapping.allows?(:confirmations)
-    assert_not mapping.allows?(:passwords)
+    allowed = Devise.mappings[:admin].allowed_controllers
+    assert allowed.include?("sessions")
+    assert_not allowed.include?("devise/confirmations")
+    assert_not allowed.include?("devise/unlocks")
+  end
+
+  test 'has strategies depending on the model declaration' do
+    assert_equal [:rememberable, :token_authenticatable, :database_authenticatable], Devise.mappings[:user].strategies
+    assert_equal [:database_authenticatable], Devise.mappings[:admin].strategies
   end
 
   test 'find mapping by path' do
@@ -39,22 +43,17 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal Devise.mappings[:admin], Devise::Mapping.find_by_path("/admin_area/session")
   end
 
-  test 'find mapping by class' do
-    assert_nil Devise::Mapping.find_by_class(String)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(User)
-  end
-
-  test 'find mapping by class works with single table inheritance' do
-    klass = Class.new(User)
-    assert_equal Devise.mappings[:user], Devise::Mapping.find_by_class(klass)
-  end
-
   test 'find scope for a given object' do
     assert_equal :user, Devise::Mapping.find_scope!(User)
     assert_equal :user, Devise::Mapping.find_scope!(:user)
     assert_equal :user, Devise::Mapping.find_scope!(User.new)
   end
 
+  test 'find scope works with single table inheritance' do
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User))
+    assert_equal :user, Devise::Mapping.find_scope!(Class.new(User).new)
+  end
+
   test 'find scope raises an error if cannot be found' do
     assert_raise RuntimeError do
       Devise::Mapping.find_scope!(String)
@@ -96,37 +95,9 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal 2, Devise.mappings[:manager].as_position
   end
 
-  test 'raw path is returned' do
-    assert_equal '/users', Devise.mappings[:user].raw_path
-    assert_equal '/:locale/accounts', Devise.mappings[:manager].raw_path
-  end
-
-  test 'raw path ignores the relative_url_root' do
-    swap ActionController::Base, :relative_url_root => "/abc" do
-      assert_equal '/users', Devise.mappings[:user].raw_path
-    end
-  end
-
-  test 'parsed path is returned' do
-    begin
-      Devise.default_url_options {{ :locale => I18n.locale }}
-      assert_equal '/users', Devise.mappings[:user].parsed_path
-      assert_equal '/en/accounts', Devise.mappings[:manager].parsed_path
-    ensure
-      Devise.default_url_options {{ }}
-    end
-  end
-
-  test 'parsed path adds in the relative_url_root' do
-    swap ActionController::Base, :relative_url_root => '/abc' do
-      assert_equal '/abc/users', Devise.mappings[:user].parsed_path
-    end
-  end
-
-  test 'parsed path deals with a nil relative_url_root' do
-    swap ActionController::Base, :relative_url_root => nil do
-      assert_equal '/users', Devise.mappings[:user].raw_path
-    end
+  test 'path is returned with path prefix and as' do
+    assert_equal '/users', Devise.mappings[:user].path
+    assert_equal '/:locale/accounts', Devise.mappings[:manager].path
   end
 
   test 'magic predicates' do
@@ -139,8 +110,9 @@ class MappingTest < ActiveSupport::TestCase
 
     mapping = Devise.mappings[:admin]
     assert mapping.authenticatable?
+    assert mapping.recoverable?
     assert_not mapping.confirmable?
-    assert_not mapping.recoverable?
+    assert_not mapping.lockable?
     assert_not mapping.rememberable?
   end
 end

test/models/confirmable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class ConfirmableTest < ActiveSupport::TestCase
 
@@ -11,15 +11,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil create_user.confirmation_token
   end
 
-  test 'should regenerate confirmation token each time' do
-    user = create_user
-    3.times do
-      token = user.confirmation_token
-      user.resend_confirmation!
-      assert_not_equal token, user.confirmation_token
-    end
-  end
-
   test 'should never generate the same confirmation token for different users' do
     confirmation_tokens = []
     3.times do
@@ -62,20 +53,20 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should find and confirm an user automatically' do
     user = create_user
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert_equal confirmed_user, user
     assert user.reload.confirmed?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => 'invalid_confirmation_token')
-    assert confirmed_user.new_record?
+    confirmed_user = User.confirm_by_token('invalid_confirmation_token')
+    assert_not confirmed_user.persisted?
     assert_equal "is invalid", confirmed_user.errors[:confirmation_token].join
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    confirmed_user = User.confirm!(:confirmation_token => '')
-    assert confirmed_user.new_record?
+    confirmed_user = User.confirm_by_token('')
+    assert_not confirmed_user.persisted?
     assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
   end
 
@@ -83,18 +74,11 @@ class ConfirmableTest < ActiveSupport::TestCase
     user = create_user
     user.confirmed_at = Time.now
     user.save
-    confirmed_user = User.confirm!(:confirmation_token => user.confirmation_token)
+    confirmed_user = User.confirm_by_token(user.confirmation_token)
     assert confirmed_user.confirmed?
     assert_equal "was already confirmed", confirmed_user.errors[:email].join
   end
 
-  test 'should authenticate a confirmed user' do
-    user = create_user
-    user.confirm!
-    authenticated_user = User.authenticate(:email => user.email, :password => user.password)
-    assert_equal authenticated_user, user
-  end
-
   test 'should send confirmation instructions by email' do
     assert_email_sent do
       create_user
@@ -128,7 +112,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should return a new user if no email was found' do
     confirmation_user = User.send_confirmation_instructions(:email => "invalid@email.com")
-    assert confirmation_user.new_record?
+    assert_not confirmation_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
@@ -137,13 +121,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "not found", confirmation_user.errors[:email].join
   end
 
-  test 'should generate a confirmation token before send the confirmation instructions email' do
-    user = create_user
-    token = user.confirmation_token
-    confirmation_user = User.send_confirmation_instructions(:email => user.email)
-    assert_not_equal token, user.reload.confirmation_token
-  end
-
   test 'should send email instructions for the user confirm it\'s email' do
     user = create_user
     assert_email_sent do
@@ -173,7 +150,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
     user.confirm!
-    assert_not user.resend_confirmation!
+    assert_not user.resend_confirmation_token
     assert user.confirmed?
     assert_equal 'was already confirmed', user.errors[:email].join
   end

test/models/database_authenticatable_test.rb

@@ -1,7 +1,7 @@
-require 'test/test_helper'
+require 'test_helper'
 require 'digest/sha1'
 
-class AuthenticatableTest < ActiveSupport::TestCase
+class DatabaseAuthenticatableTest < ActiveSupport::TestCase
 
   def encrypt_password(user, pepper=User.pepper, stretches=User.stretches, encryptor=::Devise::Encryptors::Sha1)
     encryptor.digest('123456', stretches, user.password_salt, pepper)
@@ -98,38 +98,6 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_not user.valid_password?('654321')
   end
 
-  test 'should authenticate a valid user with email and password and return it' do
-    user = create_user
-    user.confirm!
-    authenticated_user = User.authenticate(:email => user.email, :password => user.password)
-    assert_equal authenticated_user, user
-  end
-
-  test 'should return nil when authenticating an invalid user by email' do
-    user = create_user
-    authenticated_user = User.authenticate(:email => 'another.email@email.com', :password => user.password)
-    assert_nil authenticated_user
-  end
-
-  test 'should return nil when authenticating an invalid user by password' do
-    user = create_user
-    authenticated_user = User.authenticate(:email => user.email, :password => 'another_password')
-    assert_nil authenticated_user
-  end
-
-  test 'should use authentication keys to retrieve users' do
-    swap Devise, :authentication_keys => [:username] do
-      user = create_user
-      assert_nil User.authenticate(:email => user.email, :password => user.password)
-      assert_not_nil User.authenticate(:username => user.username, :password => user.password)
-    end
-  end
-
-  test 'should allow overwriting find for authentication conditions' do
-    admin = Admin.create!(valid_attributes)
-    assert_not_nil Admin.authenticate(:email => admin.email, :password => admin.password)
-  end
-
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end

test/models/http_authenticatable_test.rb

@@ -1,19 +0,0 @@
-require 'test/test_helper'
-
-class HttpAuthenticatableTest < ActiveSupport::TestCase
-  test 'should authenticate a valid user with email and password and return it' do
-    user = create_user
-    user.confirm!
-
-    authenticated_user = User.authenticate_with_http(user.email, user.password)
-    assert_equal authenticated_user, user
-  end
-
-  test 'should return nil when authenticating an invalid user by email' do
-    user = create_user
-    user.confirm!
-
-    authenticated_user = User.authenticate_with_http('another.email@email.com', user.password)
-    assert_nil authenticated_user
-  end
-end

test/models/lockable_test.rb

@@ -1,64 +1,64 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class LockableTest < ActiveSupport::TestCase
-
   def setup
     setup_mailer
   end
 
-  test "should increment failed attempts on unsuccessful authentication" do
-    user = create_user
-    assert_equal 0, user.failed_attempts
-
-    authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword")
-    assert_equal 1, user.reload.failed_attempts
-  end
-
-  test "should lock account base on maximum_attempts" do
-    user = create_user
-    attempts = Devise.maximum_attempts + 1
-    attempts.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-    assert user.reload.locked?
-  end
-
   test "should respect maximum attempts configuration" do
     user = create_user
     swap Devise, :maximum_attempts => 2 do
-      3.times { authenticated_user = User.authenticate(:email => user.email, :password => "anotherpassword") }
-      assert user.reload.locked?
+      3.times { user.valid_for_authentication?{ false } }
+      assert user.reload.access_locked?
     end
   end
 
-  test "should clear failed_attempts on successfull sign in" do
+  test "should clear failed_attempts on successfull validation" do
     user = create_user
-    User.authenticate(:email => user.email, :password => "anotherpassword")
+    user.valid_for_authentication?{ false }
     assert_equal 1, user.reload.failed_attempts
-    User.authenticate(:email => user.email, :password => "123456")
+    user.valid_for_authentication?{ true }
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test "should verify wheter a user is locked or not" do
+  test "should not touch failed_attempts if lock_strategy is none" do
     user = create_user
-    assert_not user.locked?
-    user.lock!
-    assert user.locked?
+    swap Devise, :lock_strategy => :none, :maximum_attempts => 2 do
+      3.times { user.valid_for_authentication?{ false } }
+      assert !user.access_locked?
+      assert_equal 0, user.failed_attempts
+    end
+  end
+
+  test 'should be valid for authentication with a unlocked user' do
+    user = create_user
+    user.lock_access!
+    user.unlock_access!
+    assert user.valid_for_authentication?{ true }
+  end
+
+  test "should verify whether a user is locked or not" do
+    user = create_user
+    assert_not user.access_locked?
+    user.lock_access!
+    assert user.access_locked?
   end
 
   test "active? should be the opposite of locked?" do
     user = create_user
     user.confirm!
     assert user.active?
-    user.lock!
+    user.lock_access!
     assert_not user.active?
   end
 
   test "should unlock an user by cleaning locked_at, falied_attempts and unlock_token" do
     user = create_user
-    user.lock!
+    user.lock_access!
     assert_not_nil user.reload.locked_at
     assert_not_nil user.reload.unlock_token
 
-    user.unlock!
+    user.unlock_access!
     assert_nil user.reload.locked_at
     assert_nil user.reload.unlock_token
     assert 0, user.reload.failed_attempts
@@ -66,12 +66,12 @@ class LockableTest < ActiveSupport::TestCase
 
   test 'should not unlock an unlocked user' do
     user = create_user
-    assert_not user.unlock!
+    assert_not user.unlock_access!
     assert_match "was not locked", user.errors[:email].join
   end
 
   test "new user should not be locked and should have zero failed_attempts" do
-    assert_not new_user.locked?
+    assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
   end
 
@@ -79,10 +79,10 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_in => 3.hours do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
 
       Devise.unlock_in = 1.hour
-      assert_not user.locked?
+      assert_not user.access_locked?
     end
   end
 
@@ -90,32 +90,22 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = new_user
       user.locked_at = 2.hours.ago
-      assert user.locked?
+      assert user.access_locked?
     end
   end
 
   test "should set unlock_token when locking" do
     user = create_user
     assert_nil user.unlock_token
-    user.lock!
+    user.lock_access!
     assert_not_nil user.unlock_token
   end
 
-  test 'should not regenerate unlock token if it already exists' do
-    user = create_user
-    user.lock!
-    3.times do
-      token = user.unlock_token
-      user.resend_unlock!
-      assert_equal token, user.unlock_token
-    end
-  end
-
   test "should never generate the same unlock token for different users" do
     unlock_tokens = []
     3.times do
       user = create_user
-      user.lock!
+      user.lock_access!
       token = user.unlock_token
       assert !unlock_tokens.include?(token)
       unlock_tokens << token
@@ -125,7 +115,7 @@ class LockableTest < ActiveSupport::TestCase
   test "should not generate unlock_token when :email is not an unlock strategy" do
     swap Devise, :unlock_strategy => :time do
       user = create_user
-      user.lock!
+      user.lock_access!
       assert_nil user.unlock_token
     end
   end
@@ -134,7 +124,7 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :email do
       user = create_user
       assert_email_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
@@ -143,49 +133,41 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :unlock_strategy => :time do
       user = create_user
       assert_email_not_sent do
-        user.lock!
+        user.lock_access!
       end
     end
   end
 
   test 'should find and unlock an user automatically' do
     user = create_user
-    user.lock!
-    locked_user = User.unlock!(:unlock_token => user.unlock_token)
+    user.lock_access!
+    locked_user = User.unlock_access_by_token(user.unlock_token)
     assert_equal locked_user, user
-    assert_not user.reload.locked?
+    assert_not user.reload.access_locked?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
-    locked_user = User.unlock!(:unlock_token => 'invalid_token')
-    assert locked_user.new_record?
+    locked_user = User.unlock_access_by_token('invalid_token')
+    assert_not locked_user.persisted?
     assert_equal "is invalid", locked_user.errors[:unlock_token].join
   end
 
   test 'should return a new record with errors when a blank token is given' do
-    locked_user = User.unlock!(:unlock_token => '')
-    assert locked_user.new_record?
+    locked_user = User.unlock_access_by_token('')
+    assert_not locked_user.persisted?
     assert_equal "can't be blank", locked_user.errors[:unlock_token].join
   end
 
-  test 'should authenticate a unlocked user' do
-    user = create_user
-    user.lock!
-    user.unlock!
-    authenticated_user = User.authenticate(:email => user.email, :password => user.password)
-    assert_equal authenticated_user, user
-  end
-
   test 'should find a user to send unlock instructions' do
     user = create_user
-    user.lock!
+    user.lock_access!
     unlock_user = User.send_unlock_instructions(:email => user.email)
     assert_equal unlock_user, user
   end
 
   test 'should return a new user if no email was found' do
     unlock_user = User.send_unlock_instructions(:email => "invalid@email.com")
-    assert unlock_user.new_record?
+    assert_not unlock_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
@@ -195,8 +177,8 @@ class LockableTest < ActiveSupport::TestCase
 
   test 'should not be able to send instructions if the user is not locked' do
     user = create_user
-    assert_not user.resend_unlock!
-    assert_not user.locked?
+    assert_not user.resend_unlock_token
+    assert_not user.access_locked?
     assert_equal 'was not locked', user.errors[:email].join
   end
 

test/models/recoverable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RecoverableTest < ActiveSupport::TestCase
 
@@ -82,7 +82,7 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should return a new record with errors if user was not found by e-mail' do
     reset_password_user = User.send_reset_password_instructions(:email => "invalid@email.com")
-    assert reset_password_user.new_record?
+    assert_not reset_password_user.persisted?
     assert_equal "not found", reset_password_user.errors[:email].join
   end
 
@@ -104,19 +104,19 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(:reset_password_token => user.reset_password_token)
+    reset_password_user = User.reset_password_by_token(:reset_password_token => user.reset_password_token)
     assert_equal reset_password_user, user
   end
 
   test 'should a new record with errors if no reset_password_token is found' do
-    reset_password_user = User.reset_password!(:reset_password_token => 'invalid_token')
-    assert reset_password_user.new_record?
+    reset_password_user = User.reset_password_by_token(:reset_password_token => 'invalid_token')
+    assert_not reset_password_user.persisted?
     assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
   end
 
   test 'should a new record with errors if reset_password_token is blank' do
-    reset_password_user = User.reset_password!(:reset_password_token => '')
-    assert reset_password_user.new_record?
+    reset_password_user = User.reset_password_by_token(:reset_password_token => '')
+    assert_not reset_password_user.persisted?
     assert_match "can't be blank", reset_password_user.errors[:reset_password_token].join
   end
 
@@ -125,7 +125,7 @@ class RecoverableTest < ActiveSupport::TestCase
     old_password = user.password
     user.send :generate_reset_password_token!
 
-    reset_password_user = User.reset_password!(
+    reset_password_user = User.reset_password_by_token(
       :reset_password_token => user.reset_password_token,
       :password => 'new_password',
       :password_confirmation => 'new_password'

test/models/rememberable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class RememberableTest < ActiveSupport::TestCase
   test 'should respond to remember_me attribute' do
@@ -39,47 +39,25 @@ class RememberableTest < ActiveSupport::TestCase
     user.forget_me!
   end
 
-  test 'valid remember token' do
-    user = create_user
-    assert_not user.valid_remember_token?(user.remember_token)
-    user.remember_me!
-    assert user.valid_remember_token?(user.remember_token)
-    user.forget_me!
-    assert_not user.valid_remember_token?(user.remember_token)
-  end
-
-  test 'valid remember token should also verify if remember is not expired' do
-    swap Devise, :remember_for => 1.day do
-      user = create_user
-      user.remember_me!
-      user.remember_created_at = 3.days.ago
-      user.save
-      assert_not user.valid_remember_token?(user.remember_token)
-    end
-  end
-
   test 'serialize into cookie' do
     user = create_user
     user.remember_me!
-    assert_equal "#{user.id}::#{user.remember_token}", User.serialize_into_cookie(user)
+    assert_equal [user.id, user.remember_token], User.serialize_into_cookie(user)
   end
 
   test 'serialize from cookie' do
     user = create_user
     user.remember_me!
-    assert_equal user, User.serialize_from_cookie("#{user.id}::#{user.remember_token}")
+    assert_equal user, User.serialize_from_cookie(user.id, user.remember_token)
   end
 
-  # MongoMapper cries if an invalid ID is given, so this does not need to be tested
-  unless DEVISE_ORM == :mongo_mapper
-    test 'serialize should return nil if no user is found' do
-      assert_nil User.serialize_from_cookie('0::123')
-    end
+  test 'serialize should return nil if no user is found' do
+    assert_nil User.serialize_from_cookie(0, "123")
   end
 
   test 'remember me return nil if is a valid user with invalid token' do
     user = create_user
-    assert_nil User.serialize_from_cookie("#{user.id}::#{user.remember_token}123")
+    assert_nil User.serialize_from_cookie(user.id, "123")
   end
 
   test 'remember for should fallback to devise remember for default configuration' do

test/models/timeoutable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class TimeoutableTest < ActiveSupport::TestCase
 

test/models/token_authenticatable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class TokenAuthenticatableTest < ActiveSupport::TestCase
 
@@ -25,13 +25,6 @@ class TokenAuthenticatableTest < ActiveSupport::TestCase
     assert_equal previous_token, user.authentication_token
   end
 
-  test 'should test for a valid authentication token' do
-    User.expects(:authentication_token).returns(VALID_AUTHENTICATION_TOKEN)
-    user = create_user
-    assert user.valid_authentication_token?(VALID_AUTHENTICATION_TOKEN)
-    assert_not user.valid_authentication_token?(VALID_AUTHENTICATION_TOKEN.reverse)
-  end
-
   test 'should authenticate a valid user with authentication token and return it' do
     User.expects(:authentication_token).returns(VALID_AUTHENTICATION_TOKEN)
     user = create_user

test/models/trackable_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class TrackableTest < ActiveSupport::TestCase
 

test/models/validatable_test.rb

@@ -1,7 +1,7 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class ValidatableTest < ActiveSupport::TestCase
-  extend Devise::TestSilencer if [:mongo_mapper, :data_mapper].include?(DEVISE_ORM)
+  extend Devise::TestSilencer if [:mongoid, :data_mapper].include?(DEVISE_ORM)
 
   test 'should require email to be set' do
     user = new_user(:email => nil)

test/models_test.rb

@@ -1,4 +1,4 @@
-require 'test/test_helper'
+require 'test_helper'
 
 class Configurable < User
   devise :authenticatable, :confirmable, :rememberable, :timeoutable, :lockable,
@@ -23,7 +23,21 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'add modules cherry pick' do
-    assert_include_modules Admin, :authenticatable, :registerable, :timeoutable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable, :recoverable
+  end
+
+  test 'order of module inclusion' do
+    correct_module_order   = [:database_authenticatable, :recoverable, :registerable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable, :recoverable]
+
+    assert_include_modules Admin, *incorrect_module_order
+
+    # get module constants from symbol list
+    module_constants = correct_module_order.collect { |mod| Devise::Models::const_get(mod.to_s.classify) }
+
+    # confirm that they adhere to the order in ALL
+    # get included modules, filter out the noise, and reverse the order
+    assert_equal module_constants, (Admin.included_modules & module_constants).reverse
   end
 
   test 'set a default value for stretches' do

test/orm/active_record.rb

@@ -1,28 +1,7 @@
-require File.expand_path('../../rails_app/config/environment', __FILE__)
-require 'rails/test_help'
-
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
 
-ActiveRecord::Schema.define(:version => 1) do
-  [:users, :admins, :accounts].each do |table|
-    create_table table do |t|
-      t.authenticatable :null => table == :admins
-
-      if table != :admin
-        t.string :username
-        t.confirmable
-        t.recoverable
-        t.rememberable
-        t.trackable
-        t.lockable
-        t.token_authenticatable
-      end
-
-      t.timestamps
-    end
-  end
-end
+ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 
 class ActiveSupport::TestCase
   self.use_transactional_fixtures = true