Release 4.1.1

The remember_token should not get overwritten when a user is
signing in and a valid token already exists.

Fixes #3950.

.travis.yml

@@ -3,7 +3,7 @@ language: ruby
 rvm:
   - 2.3.0
   - 2.2.4
-  - 2.1.5
+  - 2.1.8
 
 gemfile:
   - Gemfile
@@ -13,7 +13,7 @@ gemfile:
 
 matrix:
   exclude:
-    - rvm: 2.1.5
+    - rvm: 2.1.8
       gemfile: gemfiles/Gemfile.rails-5.0-beta
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.0-beta

CHANGELOG.md

@@ -1,4 +1,77 @@
-### Unreleased
+### 4.1.1 - 2016-05-15
+
+* bug fixes
+  * Fix overwriting the remember_token when a valid one already exists (by @ralinchimev).
+
+### 4.1.0
+
+* bug fixes
+  * Fix race condition of sending the confirmation instructions e-mail using background jobs.
+    Using the previous `after_create` callback, the e-mail can be sent before
+    the record be committed on database, generating a `ActiveRecord::NotFound` error.
+    Now the confirmation e-mail will be only sent after the database commit,
+    using the `after_commit` callback.
+    It may break your test suite on Rails 4 if you are testing the sent e-mails
+    or enqueued jobs using transactional fixtures enabled or `DatabaseCleaner` with `transaction` strategy.
+    You can easily fix your test suite using the gem
+    [test_after_commit](https://github.com/grosser/test_after_commit). For example, put in your Gemfile:
+
+    ```ruby
+      gem 'test_after_commit', :group => :test
+    ```
+
+    On Rails 5 `after_commit` callbacks are triggered even using transactional
+    fixtures, then this fix will not break your test suite. If you are using `DatabaseCleaner` with the `deletion` or `truncation` strategies it may not break your tests. (by @allenwq)
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none` and
+  `:undefined` strategies. (by @f3ndot)
+* features
+  * Humanize authentication keys in failure flash message (by @byzg)
+    When you are configuring the translations of `devise.failure.invalid`, the
+    `authentication_keys` is translated now.
+* deprecations
+  * Remove code supporting old session serialization format (by @fphilipe).
+  * Now the `email_regexp` default uses a more permissive regex:
+    `/\A[^@\s]+@[^@\s]+\z/` (by @kimgb)
+  * Now the `strip_whitespace_keys` default is `[:email]` (by @ulissesalmeida)
+  * Now the `reconfirmable` default is `true` (by @ulissesalmeida)
+  * Now the `skip_session_storage` default is `[:http_auth]` (by @ulissesalmeida)
+  * Now the `sign_out_via` default is `:delete` (by @ulissesalmeida)
+* improvements
+  * Avoids extra computation of friendly token for confirmation token (by @sbc100)
+
+### 4.0.2 - 2016-05-02
+
+* bug fixes
+  * Fix strategy checking in `Lockable#unlock_strategy_enabled?` for `:none`
+    and `:undefined` strategies. (by @f3ndot)
+
+### 4.0.1 - 2016-04-25
+
+* bug fixes
+  * Fix the e-mail confirmation instructions send when a user updates the email
+    address from nil. (by @lmduc)
+  * Remove unnecessary `attribute_will_change!` call. (by @cadejscroggins)
+  * Consistent `permit!` check. (by @ulissesalmeida)
+
+### 4.0.0 - 2016-04-18
+
+* bug fixes
+  * Fix the `extend_remember_period` configuration. When set to `false` it does
+    not update the cookie expiration anymore.(by @ulissesalmeida)
+
+* deprecations
+  * Added a warning of default value change in Devise 4.1 for users that uses
+    the the default configuration of the following configurations: (by @ulissesalmeida)
+    * `strip_whitespace_keys` - The default will be `[:email]`.
+    * `skip_session_storage` - The default will be `[:http_auth]`.
+    * `sign_out_via` - The default will be `:delete`.
+    * `reconfirmable` - The default will be `true`.
+    * `email_regexp` - The default will be `/\A[^@\s]+@[^@\s]+\z/`.
+  * Removed deprecated argument of `Devise::Models::Rememberable#remember_me!` (by @ulissesalmeida)
+  * Removed deprecated private method Devise::Controllers::Helpers#expire_session_data_after_sign_in!
+    (by @bogdanvlviv)
+
+### 4.0.0.rc2 - 2016-03-09
 
 * enhancements
   * Introduced `DeviseController#set_flash_message!` for conditional flash

Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 4.2.5"
+gem "rails", "~> 4.2.6"
 gem "omniauth", "~> 1.3"
 gem "omniauth-oauth2", "~> 1.4"
 gem "rdoc"
@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do
@@ -25,5 +26,5 @@ platforms :ruby do
 end
 
 group :mongoid do
-  gem "mongoid", "~> 4.0"
+  gem "mongoid", "~> 5.0"
 end

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (4.0.0.rc2)
+    devise (4.1.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -48,10 +48,9 @@ GEM
       tzinfo (~> 1.1)
     arel (6.0.3)
     bcrypt (3.1.11)
-    bson (3.2.6)
+    bson (4.0.0)
     builder (3.2.2)
     concurrent-ruby (1.0.1)
-    connection_pool (2.2.0)
     erubis (2.7.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
@@ -71,15 +70,13 @@ GEM
     minitest (5.8.4)
     mocha (1.1.0)
       metaclass (~> 0.0.1)
-    mongoid (4.0.2)
+    mongo (2.2.0)
+      bson (~> 4.0)
+    mongoid (5.0.1)
       activemodel (~> 4.0)
-      moped (~> 2.0.0)
+      mongo (~> 2.1)
       origin (~> 2.1)
       tzinfo (>= 0.3.37)
-    moped (2.0.7)
-      bson (~> 3.0)
-      connection_pool (~> 2.0)
-      optionable (~> 0.2.0)
     multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
@@ -102,7 +99,6 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    optionable (0.2.0)
     origin (2.2.0)
     orm_adapter (0.5.0)
     rack (1.6.4)
@@ -138,7 +134,7 @@ GEM
     rake (11.0.1)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.2.0)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.5.2)
@@ -149,6 +145,8 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -169,15 +167,16 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 1.1)
-  mongoid (~> 4.0)
+  mongoid (~> 5.0)
   omniauth (~> 1.3)
   omniauth-facebook
   omniauth-oauth2 (~> 1.4)
   omniauth-openid (~> 1.0.1)
-  rails (~> 4.2.5)
+  rails (~> 4.2.6)
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.11.2
+   1.12.3

README.md

@@ -109,7 +109,7 @@ The generator will install an initializer which describes ALL of Devise's config
 rails generate devise MODEL
 ```
 
-Replace MODEL with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
+Replace MODEL with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with the default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller.
 
 Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section.  For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. Then run `rake db:migrate`
 
@@ -129,6 +129,8 @@ Devise will create some helpers to use inside your controllers and views. To set
 before_action :authenticate_user!
 ```
 
+For Rails 5, note that `protect_from_forgery` is no longer prepended to the `before_action` chain, so if you have set `authenticate_user` before `protect_from_forgery`, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use `protect_from_forgery prepend: true`.
+
 If your devise model is something other than User, replace "_user" with "_yourmodel". The same logic applies to the instructions below.
 
 To verify if a user is signed in, use the following helper:
@@ -187,7 +189,7 @@ Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`,
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
+There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and default permitted parameters are:
 
 * `sign_in` (`Devise::SessionsController#create`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`

gemfiles/Gemfile.rails-4.1-stable

@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -48,7 +48,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.0.0.rc2)
+    devise (4.0.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -133,6 +133,8 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -161,6 +163,7 @@ DEPENDENCIES
   rails!
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH

gemfiles/Gemfile.rails-4.2-stable

@@ -12,6 +12,7 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
 end
 
 platforms :jruby do

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -58,7 +58,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.0.0.rc2)
+    devise (4.0.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 5.1)
@@ -144,7 +144,7 @@ GEM
     rake (11.0.1)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.1.2)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
     sprockets (3.5.2)
@@ -155,6 +155,8 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.11)
+    test_after_commit (1.0.0)
+      activerecord (>= 3.2)
     thor (0.19.1)
     thread_safe (0.3.5)
     tzinfo (1.2.2)
@@ -183,6 +185,7 @@ DEPENDENCIES
   rails!
   rdoc
   sqlite3
+  test_after_commit
   webrat (= 0.7.3)
 
 BUNDLED WITH

gemfiles/Gemfile.rails-5.0-beta.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: ad5ff3a9262576362792196a991de1d1778c5f48
+  revision: f380ea5ddefcb9a37f4fbc47606ed6fbecdb2b2a
   specs:
     activemodel-serializers-xml (1.0.0)
       activemodel (> 5.x)
@@ -73,11 +73,13 @@ GEM
     jwt (1.5.1)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
     metaclass (0.0.4)
     method_source (0.8.2)
-    mime-types (2.99.1)
+    mime-types (3.0)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0221)
     mini_portile2 (2.0.0)
     minitest (5.8.4)
     mocha (1.1.0)
@@ -143,13 +145,13 @@ GEM
       method_source
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.0.1)
+    rake (11.1.2)
     rdoc (4.2.2)
       json (~> 1.4)
-    responders (2.1.1)
+    responders (2.1.2)
       railties (>= 4.2.0, < 5.1)
     ruby-openid (2.7.0)
-    sprockets (3.5.2)
+    sprockets (3.6.0)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.0.4)

lib/devise.rb

@@ -83,7 +83,7 @@ module Devise
 
   # Keys that should have whitespace stripped.
   mattr_accessor :strip_whitespace_keys
-  @@strip_whitespace_keys = []
+  @@strip_whitespace_keys = [:email]
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
@@ -101,11 +101,11 @@ module Devise
   mattr_accessor :http_authentication_realm
   @@http_authentication_realm = "Application"
 
-  # Email regex used to validate email formats. It simply asserts that
-  # an one (and only one) @ exists in the given string. This is mainly
-  # to give user feedback and not to assert the e-mail validity.
+  # Email regex used to validate email formats. It asserts that there are no
+  # @ symbols or whitespaces in either the localpart or the domain, and that
+  # there is a single @ symbol separating the localpart and the domain.
   mattr_accessor :email_regexp
-  @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
+  @@email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # Range validation for password length
   mattr_accessor :password_length
@@ -115,7 +115,6 @@ module Devise
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
 
-  # TODO: extend_remember_period is no longer used
   # If true, extends the user's remember period when remembered via cookie.
   mattr_accessor :extend_remember_period
   @@extend_remember_period = false
@@ -138,9 +137,8 @@ module Devise
   @@confirmation_keys = [:email]
 
   # Defines if email should be reconfirmable.
-  # False by default for backwards compatibility.
   mattr_accessor :reconfirmable
-  @@reconfirmable = false
+  @@reconfirmable = true
 
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
@@ -203,7 +201,7 @@ module Devise
 
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
-  @@skip_session_storage = []
+  @@skip_session_storage = [:http_auth]
 
   # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
@@ -215,7 +213,7 @@ module Devise
 
   # The default method used while signing out
   mattr_accessor :sign_out_via
-  @@sign_out_via = :get
+  @@sign_out_via = :delete
 
   # The parent controller all Devise controllers inherits from.
   # Defaults to ApplicationController. This should be set early
@@ -457,10 +455,7 @@ module Devise
           mapping.to.serialize_into_session(record)
         end
 
-        warden_config.serialize_from_session(mapping.name) do |key|
-          # Previous versions contained an additional entry at the beginning of
-          # key with the record's class name.
-          args = key[-2, 2]
+        warden_config.serialize_from_session(mapping.name) do |args|
           mapping.to.serialize_from_session(*args)
         end
       end

lib/devise/controllers/helpers.rb

@@ -271,12 +271,6 @@ module Devise
 
       private
 
-      def expire_session_data_after_sign_in!
-        ActiveSupport::Deprecation.warn "expire_session_data_after_sign_in! is deprecated " \
-          "in favor of expire_data_after_sign_in!"
-        expire_data_after_sign_in!
-      end
-
       def expire_data_after_sign_out!
         Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
         super

lib/devise/failure_app.rb

@@ -103,7 +103,7 @@ module Devise
         options[:scope] = "devise.failure"
         options[:default] = [message]
         auth_keys = scope_class.authentication_keys
-        keys = auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
         options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
         options = i18n_options(options)
 

lib/devise/models/authenticatable.rb

@@ -253,7 +253,7 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = if attributes.respond_to? :permit
+          attributes = if attributes.respond_to? :permit!
             attributes.slice(*required_attributes).permit!.to_h.with_indifferent_access
           else
             attributes.with_indifferent_access.slice(*required_attributes)

lib/devise/models/confirmable.rb

@@ -43,9 +43,15 @@ module Devise
 
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
-        after_create  :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+        after_create :skip_reconfirmation!, if: :send_confirmation_notification?
+        if respond_to?(:after_commit) # ActiveRecord
+          after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
+          after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
+        else # Mongoid
+          after_create :send_on_create_confirmation_instructions, if: :send_confirmation_notification?
+          after_update :send_reconfirmation_instructions, if: :reconfirmation_required?
+        end
         before_update :postpone_email_change_until_confirmation_and_regenerate_confirmation_token, if: :postpone_email_change?
-        after_update  :send_reconfirmation_instructions,  if: :reconfirmation_required?
       end
 
       def initialize(*args, &block)
@@ -75,7 +81,7 @@ module Devise
 
           self.confirmed_at = Time.now.utc
 
-          saved = if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if pending_reconfirmation?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -234,8 +240,7 @@ module Devise
           if self.confirmation_token && !confirmation_period_expired?
             @raw_confirmation_token = self.confirmation_token
           else
-            raw, _ = Devise.token_generator.generate(self.class, :confirmation_token)
-            self.confirmation_token = @raw_confirmation_token = raw
+            self.confirmation_token = @raw_confirmation_token = Devise.friendly_token
             self.confirmation_sent_at = Time.now.utc
           end
         end
@@ -253,13 +258,13 @@ module Devise
         end
 
         def postpone_email_change?
-          postpone = self.class.reconfirmable && email_changed? && email_was.present? && !@bypass_confirmation_postpone && self.email.present?
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_confirmation_postpone && self.email.present?
           @bypass_confirmation_postpone = false
           postpone
         end
 
         def reconfirmation_required?
-          self.class.reconfirmable && @reconfirmation_required && self.email.present?
+          self.class.reconfirmable && @reconfirmation_required && (self.email.present? || self.unconfirmed_email.present?)
         end
 
         def send_confirmation_notification?

lib/devise/models/database_authenticatable.rb

@@ -41,7 +41,6 @@ module Devise
       # For legacy reasons, we use `encrypted_password` to store
       # the hashed password.
       def password=(new_password)
-        attribute_will_change! 'password'
         @password = new_password
         self.encrypted_password = password_digest(@password) if @password.present?
       end

lib/devise/models/lockable.rb

@@ -64,7 +64,7 @@ module Devise
       def send_unlock_instructions
         raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
         self.unlock_token = enc
-        self.save(validate: false)
+        save(validate: false)
         send_devise_notification(:unlock_instructions, raw, {})
         raw
       end
@@ -155,6 +155,9 @@ module Devise
         end
 
       module ClassMethods
+        # List of strategies that are enabled/supported if :both is used.
+        BOTH_STRATEGIES = [:time, :email]
+
         # Attempt to find a user by its unlock keys. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
         # with an email not found error.
@@ -181,7 +184,8 @@ module Devise
 
         # Is the unlock enabled for the given unlock strategy?
         def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.unlock_strategy)
+          self.unlock_strategy == strategy ||
+            (self.unlock_strategy == :both && BOTH_STRATEGIES.include?(strategy))
         end
 
         # Is the lock enabled for the given lock strategy?

lib/devise/models/recoverable.rb

@@ -99,7 +99,7 @@ module Devise
 
           self.reset_password_token   = enc
           self.reset_password_sent_at = Time.now.utc
-          self.save(validate: false)
+          save(validate: false)
           raw
         end
 

lib/devise/models/rememberable.rb

@@ -39,16 +39,14 @@ module Devise
     module Rememberable
       extend ActiveSupport::Concern
 
-      attr_accessor :remember_me, :extend_remember_period
+      attr_accessor :remember_me
 
       def self.required_fields(klass)
         [:remember_created_at]
       end
 
-      # TODO: We were used to receive a extend period argument but we no longer do.
-      # Remove this for Devise 4.0.
-      def remember_me!(*)
-        self.remember_token = self.class.remember_token if respond_to?(:remember_token)
+      def remember_me!
+        self.remember_token ||= self.class.remember_token if respond_to?(:remember_token)
         self.remember_created_at ||= Time.now.utc
         save(validate: false) if self.changed?
       end
@@ -66,6 +64,10 @@ module Devise
         self.class.remember_for.from_now
       end
 
+      def extend_remember_period
+        self.class.extend_remember_period
+      end
+
       def rememberable_value
         if respond_to?(:remember_token)
           remember_token
@@ -147,9 +149,6 @@ module Devise
           end
         end
 
-        private
-
-        # TODO: extend_remember_period is no longer used
         Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
       end
     end

lib/devise/omniauth/url_helpers.rb

@@ -9,7 +9,7 @@ module Devise
         class_eval do
           define_method("#{mapping}_omniauth_authorize_path") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_authorize_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_authorize_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_authorize_path instead.
             DEPRECATION
@@ -18,7 +18,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_authorize_url") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_authorize_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_authorize_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_authorize_url instead.
             DEPRECATION
@@ -27,7 +27,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_callback_path") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_callback_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_callback_path(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_callback_path instead.
             DEPRECATION
@@ -36,7 +36,7 @@ module Devise
 
           define_method("#{mapping}_omniauth_callback_url") do |provider, *args|
             ActiveSupport::Deprecation.warn(<<-DEPRECATION.strip_heredoc)
-            [Devise] #{mapping}_omniauth_callback_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.1.
+            [Devise] #{mapping}_omniauth_callback_url(#{provider.inspect}) is deprecated and it will be removed from Devise 4.2.
 
             Please use #{mapping}_#{provider}_omniauth_callback_url instead.
             DEPRECATION

lib/devise/parameter_sanitizer.rb

@@ -68,7 +68,7 @@ module Devise
     def sanitize(action)
       permissions = @permitted[action]
 
-      # DEPRECATED: Remove this branch on Devise 4.1.
+      # DEPRECATED: Remove this branch on Devise 4.2.
       if respond_to?(action, true)
         deprecate_instance_method_sanitization(action)
         return cast_to_hash send(action)
@@ -127,7 +127,7 @@ module Devise
       end
     end
 
-    # DEPRECATED: Remove this method on Devise 4.1.
+    # DEPRECATED: Remove this method on Devise 4.2.
     def for(action, &block) # :nodoc:
       if block_given?
         deprecate_for_with_block(action)
@@ -169,13 +169,13 @@ module Devise
         If you want to define a new set of parameters to be sanitized use the
         `permit` method first:
 
-          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, param2, param3])
+          devise_parameter_sanitizer.permit(:#{action}, keys: [:param1, :param2, :param3])
       MESSAGE
     end
 
     def deprecate_for_with_block(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method:
 
           devise_parameter_sanitizer.permit(:#{action}) do |user|
@@ -186,7 +186,7 @@ module Devise
 
     def deprecate_for_without_block(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.1.
+        [Devise] Changing the sanitized parameters through "#{self.class.name}#for(#{action}) is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method to add or remove any key:
 
           To add any new key, use the `keys` keyword argument:
@@ -199,7 +199,7 @@ module Devise
 
     def deprecate_instance_method_sanitization(action)
       ActiveSupport::Deprecation.warn(<<-MESSAGE.strip_heredoc)
-        [Devise] Parameter sanitization through a "#{self.class.name}##{action}" method is deprecated and it will be removed from Devise 4.1.
+        [Devise] Parameter sanitization through a "#{self.class.name}##{action}" method is deprecated and it will be removed from Devise 4.2.
         Please use the `permit` method on your sanitizer `initialize` method.
 
           class #{self.class.name} < Devise::ParameterSanitizer

lib/devise/strategies/rememberable.rb

@@ -25,8 +25,7 @@ module Devise
         end
 
         if validate(resource)
-          remember_me(resource)
-          extend_remember_me_period(resource)
+          remember_me(resource) if extend_remember_me?(resource)
           resource.after_remembered
           success!(resource)
         end
@@ -43,10 +42,8 @@ module Devise
 
     private
 
-      def extend_remember_me_period(resource)
-        if resource.respond_to?(:extend_remember_period=)
-          resource.extend_remember_period = mapping.to.extend_remember_period
-        end
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
       end
 
       def remember_me?

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "4.0.0.rc2".freeze
+  VERSION = "4.1.1".freeze
 end

lib/generators/devise/orm_helpers.rb

@@ -15,7 +15,7 @@ CONTENT
       private
 
       def model_exists?
-        File.exists?(File.join(destination_root, model_path))
+        File.exist?(File.join(destination_root, model_path))
       end
 
       def migration_exists?(table_name)

lib/generators/templates/devise.rb

@@ -148,12 +148,12 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..72
+  config.password_length = 6..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/controllers/sessions_controller_test.rb

@@ -6,7 +6,7 @@ class SessionsControllerTest < Devise::ControllerTestCase
 
   test "#create doesn't raise unpermitted params when sign in fails" do
     begin
-      subscriber = ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
+      subscriber = ActiveSupport::Notifications.subscribe %r{unpermitted_parameters} do |name, start, finish, id, payload|
         flunk "Unpermitted params: #{payload}"
       end
       request.env["devise.mapping"] = Devise.mappings[:user]

test/devise_test.rb

@@ -94,8 +94,8 @@ class DeviseTest < ActiveSupport::TestCase
   end
 
   test 'Devise.email_regexp should match valid email addresses' do
-    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua"]
-    non_valid_emails = ["rex", "test@go,com", "test user@example.com", "test_user@example server.com", "test_user@example.com."]
+    valid_emails = ["test@example.com", "jo@jo.co", "f4$_m@you.com", "testing.example@example.com.ua", "test@tt", "test@valid---domain.com"]
+    non_valid_emails = ["rex", "test user@example.com", "test_user@example server.com"]
 
     valid_emails.each do |email|
       assert_match Devise.email_regexp, email

test/failure_app_test.rb

@@ -133,14 +133,14 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(message: :invalid))
-      assert_equal 'Invalid email or password.', @request.flash[:alert]
+      assert_equal 'Invalid Email or password.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second["Location"]
     end
 
     test 'supports authentication_keys as a Hash for the flash message' do
       swap Devise, authentication_keys: { email: true, login: true } do
         call_failure('warden' => OpenStruct.new(message: :invalid))
-        assert_equal 'Invalid email, login or password.', @request.flash[:alert]
+        assert_equal 'Invalid Email, Login or password.', @request.flash[:alert]
       end
     end
 
@@ -226,7 +226,7 @@ class FailureTest < ActiveSupport::TestCase
 
     test 'uses the failure message as response body' do
       call_failure('formats' => Mime[:xml], 'warden' => OpenStruct.new(message: :invalid))
-      assert_match '<error>Invalid email or password.</error>', @response.third.body
+      assert_match '<error>Invalid Email or password.</error>', @response.third.body
     end
 
     context 'on ajax call' do
@@ -275,7 +275,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Log in</h2>')
-      assert @response.third.body.include?('Invalid email or password.')
+      assert @response.third.body.include?('Invalid Email or password.')
     end
 
     test 'calls the original controller if not confirmed email' do
@@ -310,7 +310,7 @@ class FailureTest < ActiveSupport::TestCase
           }
           call_failure(env)
           assert @response.third.body.include?('<h2>Log in</h2>')
-          assert @response.third.body.include?('Invalid email or password.')
+          assert @response.third.body.include?('Invalid Email or password.')
           assert_equal @request.env["SCRIPT_NAME"], '/sample'
           assert_equal @request.env["PATH_INFO"], '/users/sign_in'
         end

test/generators/active_record_generator_test.rb

@@ -74,7 +74,7 @@ if DEVISE_ORM == :active_record
 
         assert_file "app/models/rails_engine/monster.rb", /devise/
         assert_file "app/models/rails_engine/monster.rb" do |content|
-          assert_no_match /attr_accessible :email/, content
+          assert_no_match %r{attr_accessible :email}, content
         end
       end
     end

test/integration/authenticatable_test.rb

@@ -30,7 +30,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
     swap Devise, sign_out_all_scopes: false do
       sign_in_as_user
       sign_in_as_admin
-      get destroy_user_session_path
+      delete destroy_user_session_path
       assert_not warden.authenticated?(:user)
       assert warden.authenticated?(:admin)
     end
@@ -41,7 +41,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_admin_session_path
+      delete destroy_admin_session_path
       assert_not warden.authenticated?(:admin)
       assert warden.authenticated?(:user)
     end
@@ -52,7 +52,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_user_session_path
+      delete destroy_user_session_path
       assert_not warden.authenticated?(:user)
       assert_not warden.authenticated?(:admin)
     end
@@ -63,7 +63,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
 
-      get destroy_admin_session_path
+      delete destroy_admin_session_path
       assert_not warden.authenticated?(:admin)
       assert_not warden.authenticated?(:user)
     end
@@ -109,7 +109,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
     sign_in_as_admin
     assert warden.authenticated?(:admin)
 
-    get destroy_admin_session_path
+    delete destroy_admin_session_path
     assert_response :redirect
     assert_redirected_to root_path
 
@@ -119,7 +119,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
   end
 
   test 'unauthenticated admin set message on sign out' do
-    get destroy_admin_session_path
+    delete destroy_admin_session_path
     assert_response :redirect
     assert_redirected_to root_path
 
@@ -347,37 +347,6 @@ class AuthenticationSessionTest < Devise::IntegrationTest
     assert_equal "Cart", @controller.user_session[:cart]
   end
 
-  test 'does not explode when class name is still stored in session' do
-    # In order to test that old sessions do not break with the new scoped
-    # deserialization, we need to serialize the session the old way. This is
-    # done by removing the newly used scoped serialization method
-    # (#user_serialize) and bringing back the old uncsoped #serialize method
-    # that includes the record's class name in the serialization.
-    begin
-      Warden::SessionSerializer.class_eval do
-        alias_method :original_serialize, :serialize
-        alias_method :original_user_serialize, :user_serialize
-        remove_method :user_serialize
-
-        def serialize(record)
-          klass = record.class
-          array = klass.serialize_into_session(record)
-          array.unshift(klass.name)
-        end
-      end
-
-      sign_in_as_user
-      assert warden.authenticated?(:user)
-    ensure
-      Warden::SessionSerializer.class_eval do
-        alias_method :serialize, :original_serialize
-        remove_method :original_serialize
-        alias_method :user_serialize, :original_user_serialize
-        remove_method :original_user_serialize
-      end
-    end
-  end
-
   test 'session id is changed on sign in' do
     get '/users'
     session_id = request.session["session_id"]
@@ -396,7 +365,7 @@ class AuthenticationWithScopedViewsTest < Devise::IntegrationTest
       assert_raise Webrat::NotFoundError do
         sign_in_as_user
       end
-      assert_match /Special user view/, response.body
+      assert_match %r{Special user view}, response.body
     end
   end
 
@@ -407,7 +376,7 @@ class AuthenticationWithScopedViewsTest < Devise::IntegrationTest
         sign_in_as_user
       end
 
-      assert_match /Special user view/, response.body
+      assert_match %r{Special user view}, response.body
       assert !Devise::PasswordsController.scoped_views?
     ensure
       Devise::SessionsController.send :remove_instance_variable, :@scoped_views
@@ -480,7 +449,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'sign in stub in xml format' do
     get new_user_session_path(format: 'xml')
     assert_match '<?xml version="1.0" encoding="UTF-8"?>', response.body
-    assert_match /<user>.*<\/user>/m, response.body
+    assert_match %r{<user>.*</user>}m, response.body
     assert_match '<email></email>', response.body
     assert_match '<password nil="true"', response.body
   end
@@ -532,34 +501,34 @@ class AuthenticationOthersTest < Devise::IntegrationTest
 
   test 'sign out with html redirects' do
     sign_in_as_user
-    get destroy_user_session_path
+    delete destroy_user_session_path
     assert_response :redirect
     assert_current_url '/'
 
     sign_in_as_user
-    get destroy_user_session_path(format: 'html')
+    delete destroy_user_session_path(format: 'html')
     assert_response :redirect
     assert_current_url '/'
   end
 
   test 'sign out with xml format returns no content' do
     sign_in_as_user
-    get destroy_user_session_path(format: 'xml')
+    delete destroy_user_session_path(format: 'xml')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with json format returns no content' do
     sign_in_as_user
-    get destroy_user_session_path(format: 'json')
+    delete destroy_user_session_path(format: 'json')
     assert_response :no_content
     assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with non-navigational format via XHR does not redirect' do
     swap Devise, navigational_formats: ['*/*', :html] do
-      sign_in_as_user
-      get destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
+      sign_in_as_admin
+      get destroy_sign_out_via_get_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
       assert_response :no_content
       assert_not warden.authenticated?(:user)
     end
@@ -569,7 +538,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'sign out with navigational format via XHR does redirect' do
     swap Devise, navigational_formats: ['*/*', :html] do
       sign_in_as_user
-      get destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "text/html,*/*" }
+      delete destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "text/html,*/*" }
       assert_response :redirect
       assert_not warden.authenticated?(:user)
     end
@@ -580,7 +549,7 @@ class AuthenticationKeysTest < Devise::IntegrationTest
   test 'missing authentication keys cause authentication to abort' do
     swap Devise, authentication_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid subdomain or password."
+      assert_contain "Invalid Subdomain or password."
       assert_not warden.authenticated?(:user)
     end
   end
@@ -619,7 +588,7 @@ class AuthenticationRequestKeysTest < Devise::IntegrationTest
 
     swap Devise, request_keys: [:subdomain] do
       sign_in_as_user
-      assert_contain "Invalid email or password."
+      assert_contain "Invalid Email or password."
       assert_not warden.authenticated?(:user)
     end
   end

test/integration/confirmable_test.rb

@@ -35,7 +35,7 @@ class ConfirmationTest < Devise::IntegrationTest
   test 'user with invalid confirmation token should not be able to confirm an account' do
     visit_user_confirmation_with_token('invalid_confirmation')
     assert_have_selector '#error_explanation'
-    assert_contain /Confirmation token(.*)invalid/
+    assert_contain %r{Confirmation token(.*)invalid}
   end
 
   test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
@@ -45,7 +45,7 @@ class ConfirmationTest < Devise::IntegrationTest
       visit_user_confirmation_with_token(user.raw_confirmation_token)
 
       assert_have_selector '#error_explanation'
-      assert_contain /needs to be confirmed within 3 days/
+      assert_contain %r{needs to be confirmed within 3 days}
       assert_not user.reload.confirmed?
       assert_current_url "/users/confirmation?confirmation_token=#{user.raw_confirmation_token}"
     end
@@ -140,7 +140,7 @@ class ConfirmationTest < Devise::IntegrationTest
         fill_in 'password', with: 'invalid'
       end
 
-      assert_contain 'Invalid email or password'
+      assert_contain 'Invalid Email or password'
       assert_not warden.authenticated?(:user)
     end
   end

test/integration/database_authenticatable_test.rb

@@ -68,7 +68,7 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
       fill_in 'password', with: 'abcdef'
     end
 
-    assert_contain 'Invalid email or password'
+    assert_contain 'Invalid Email or password'
     assert_not warden.authenticated?(:admin)
   end
 

test/integration/http_authenticatable_test.rb

@@ -11,13 +11,15 @@ class HttpAuthenticationTest < Devise::IntegrationTest
   end
 
   test 'sign in should authenticate with http' do
-    sign_in_as_new_user_with_http
-    assert_response 200
-    assert_match '<email>user@test.com</email>', response.body
-    assert warden.authenticated?(:user)
+    swap Devise, skip_session_storage: [] do
+      sign_in_as_new_user_with_http
+      assert_response 200
+      assert_match '<email>user@test.com</email>', response.body
+      assert warden.authenticated?(:user)
 
-    get users_path(format: :xml)
-    assert_response 200
+      get users_path(format: :xml)
+      assert_response 200
+    end
   end
 
   test 'sign in should authenticate with http but not emit a cookie if skipping session storage' do
@@ -42,7 +44,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
     sign_in_as_new_user_with_http("unknown")
     assert_equal 401, status
     assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
-    assert_match "<error>Invalid email or password.</error>", response.body
+    assert_match "<error>Invalid Email or password.</error>", response.body
   end
 
   test 'returns a custom response with www-authenticate and chosen realm' do

test/integration/lockable_test.rb

@@ -75,7 +75,7 @@ class LockTest < Devise::IntegrationTest
     assert_response :success
     assert_current_url '/users/unlock?unlock_token=invalid_token'
     assert_have_selector '#error_explanation'
-    assert_contain /Unlock token(.*)invalid/
+    assert_contain %r{Unlock token(.*)invalid}
   end
 
   test "locked user should be able to unlock account" do

test/integration/recoverable_test.rb

@@ -146,7 +146,7 @@ class PasswordTest < Devise::IntegrationTest
     assert_response :success
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
-    assert_contain /Reset password token(.*)invalid/
+    assert_contain %r{Reset password token(.*)invalid}
     assert_not user.reload.valid_password?('987654321')
   end
 
@@ -212,7 +212,7 @@ class PasswordTest < Devise::IntegrationTest
   test 'does not sign in user automatically after changing its password if it\'s locked and unlock strategy is :none or :time' do
     [:none, :time].each do |strategy|
       swap Devise, unlock_strategy: strategy do
-        user = create_user(locked: true)
+        create_user(locked: true)
         request_forgot_password
         reset_password
 

test/integration/rememberable_test.rb

@@ -94,7 +94,6 @@ class RememberMeTest < Devise::IntegrationTest
     assert_response :success
     assert warden.authenticated?(:user)
     assert warden.user(:user) == user
-    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
   test 'remember the user before sign up and redirect them to their home' do
@@ -120,6 +119,40 @@ class RememberMeTest < Devise::IntegrationTest
     end
   end
 
+  test 'extends remember period when extend remember period config is true' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year do
+      create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      refute_equal old_remember_token, current_remember_token
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year do
+      create_user_and_remember
+      old_remember_token = nil
+
+      travel_to 1.day.ago do
+        get root_path
+        old_remember_token = request.cookies['remember_user_token']
+      end
+
+      get root_path
+      current_remember_token = request.cookies['remember_user_token']
+
+      assert_equal old_remember_token, current_remember_token
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path
@@ -149,7 +182,7 @@ class RememberMeTest < Devise::IntegrationTest
     get users_path
     assert warden.authenticated?(:user)
 
-    get destroy_user_session_path
+    delete destroy_user_session_path
     assert_not warden.authenticated?(:user)
     assert_nil warden.cookies['remember_user_token']
 

test/integration/timeoutable_test.rb

@@ -89,7 +89,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
     user = sign_in_as_user
     get expire_user_path(user)
 
-    get destroy_user_session_path
+    delete destroy_user_session_path
 
     assert_response :redirect
     assert_redirected_to root_path

test/integration/trackable_test.rb

@@ -16,7 +16,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     assert_equal user.current_sign_in_at, user.last_sign_in_at
     assert user.current_sign_in_at >= user.created_at
 
-    visit destroy_user_session_path
+    delete destroy_user_session_path
     new_time = 2.seconds.from_now
     Time.stubs(:now).returns(new_time)
 
@@ -56,7 +56,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     user.reload
     assert_equal 1, user.sign_in_count
 
-    visit destroy_user_session_path
+    delete destroy_user_session_path
     sign_in_as_user
     user.reload
     assert_equal 2, user.sign_in_count
@@ -80,7 +80,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     end
     user.reload
     assert_equal 0, user.sign_in_count
-    visit destroy_user_session_path
+    delete destroy_user_session_path
 
     sign_in_as_user do
       header 'devise.skip_trackable', false

test/mapping_test.rb

@@ -35,8 +35,8 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal [], Devise.mappings[:skip_admin].used_routes
   end
 
-  test 'sign_out_via defaults to :get' do
-    assert_equal :get, Devise.mappings[:user].sign_out_via
+  test 'sign_out_via defaults to :delete' do
+    assert_equal :delete, Devise.mappings[:user].sign_out_via
   end
 
   test 'allows custom sign_out_via to be given' do

test/models/confirmable_test.rb

@@ -114,7 +114,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      assert !user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -401,6 +401,14 @@ class ReconfirmableTest < ActiveSupport::TestCase
     assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
   end
 
+  test 'should send confirmation instructions by email after changing email from nil' do
+    admin = create_admin(email: nil)
+    assert_email_sent "new_test@example.com" do
+      assert admin.update_attributes(email: 'new_test@example.com')
+    end
+    assert_match "new_test@example.com", ActionMailer::Base.deliveries.last.body.encoded
+  end
+
   test 'should not send confirmation by email after changing password' do
     admin = create_admin
     assert admin.confirm
@@ -488,8 +496,8 @@ class ReconfirmableTest < ActiveSupport::TestCase
   end
 
   test 'should not require reconfirmation after creating a record' do
-    user = create_admin
-    assert !user.pending_reconfirmation?
+    admin = create_admin
+    assert !admin.pending_reconfirmation?
   end
 
   test 'should not require reconfirmation after creating a record with #save called in callback' do
@@ -497,7 +505,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
       after_create :save
     end
 
-    user = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
-    assert !user.pending_reconfirmation?
+    admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
+    assert !admin.pending_reconfirmation?
   end
 end

test/models/lockable_test.rb

@@ -325,4 +325,26 @@ class LockableTest < ActiveSupport::TestCase
     user.lock_access!
     assert_equal :locked, user.unauthenticated_message
   end
+
+  test 'unlock_strategy_enabled? should return true for both, email, and time strategies if :both is used' do
+    swap Devise, unlock_strategy: :both do
+      user = create_user
+      assert_equal true, user.unlock_strategy_enabled?(:both)
+      assert_equal true, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
+
+  test 'unlock_strategy_enabled? should return true only for the configured strategy' do
+    swap Devise, unlock_strategy: :email do
+      user = create_user
+      assert_equal false, user.unlock_strategy_enabled?(:both)
+      assert_equal false, user.unlock_strategy_enabled?(:time)
+      assert_equal true, user.unlock_strategy_enabled?(:email)
+      assert_equal false, user.unlock_strategy_enabled?(:none)
+      assert_equal false, user.unlock_strategy_enabled?(:an_undefined_strategy)
+    end
+  end
 end

test/models/rememberable_test.rb

@@ -16,6 +16,18 @@ class RememberableTest < ActiveSupport::TestCase
     assert user.remember_created_at
   end
 
+  test 'remember_me should not generate a new token if valid token exists' do
+    user = create_user
+    user.singleton_class.send(:attr_accessor, :remember_token)
+    User.to_adapter.expects(:find_first).returns(nil)
+
+    user.remember_me!
+    existing_token = user.remember_token
+
+    user.remember_me!
+    assert_equal existing_token, user.remember_token
+  end
+
   test 'forget_me should not clear remember token if using salt' do
     user = create_user
     user.remember_me!

test/models/validatable_test.rb

@@ -29,7 +29,7 @@ class ValidatableTest < ActiveSupport::TestCase
     assert user.invalid?
     assert_not_equal 'is invalid', user.errors[:email].join
 
-    %w{invalid_email_format 123 $$$ () ☃ bla@bla.}.each do |email|
+    %w{invalid_email_format 123 $$$ () ☃}.each do |email|
       user.email = email
       assert user.invalid?, 'should be invalid with email ' << email
       assert_equal 'is invalid', user.errors[:email].join

test/orm/active_record.rb

@@ -5,9 +5,11 @@ ActiveRecord::Base.include_root_in_json = true
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 
 class ActiveSupport::TestCase
-  if Rails.version >= '5.0.0'
+  if Devise.rails5?
     self.use_transactional_tests = true
   else
+    # Let `after_commit` work with transactional fixtures, however this is not needed for Rails 5.
+    require 'test_after_commit'
     self.use_transactional_fixtures = true
   end
 

test/rails_app/app/active_record/user.rb

@@ -1,6 +1,4 @@
 require 'shared_user'
-require 'active_model/serializers/xml' if Devise.rails5?
-require 'active_model-serializers' if Devise.rails5?
 
 class User < ActiveRecord::Base
   include Shim

test/rails_app/app/controllers/application_controller.rb

@@ -5,8 +5,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
   before_action :current_user, unless: :devise_controller?
   before_action :authenticate_user!, if: :devise_controller?
-  respond_to *Mime::SET.map(&:to_sym)
+  respond_to(*Mime::SET.map(&:to_sym))
 
   devise_group :commenter, contains: [:user, :admin]
 end
-

test/rails_app/config/application.rb

@@ -32,6 +32,10 @@ module RailsApp
 
     config.action_mailer.default_url_options = { host: "localhost", port: 3000 }
 
+    if DEVISE_ORM == :active_record && (Rails::VERSION::MAJOR >= 4 && Rails::VERSION::MINOR >= 2)
+      config.active_record.raise_in_transactional_callbacks = true
+    end
+
     # This was used to break devise in some situations
     config.to_prepare do
       Devise::SessionsController.layout "application"

test/rails_app/config/boot.rb

@@ -11,4 +11,4 @@ end
 
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

test/rails_app/config/routes.rb

@@ -114,6 +114,7 @@ Rails.application.routes.draw do
   namespace :sign_out_via, module: "devise" do
     devise_for :deletes, sign_out_via: :delete, class_name: "Admin"
     devise_for :posts, sign_out_via: :post, class_name: "Admin"
+    devise_for :gets, sign_out_via: :get, class_name: "Admin"
     devise_for :delete_or_posts, sign_out_via: [:delete, :post], class_name: "Admin"
   end
 

test/rails_app/lib/shared_user.rb

@@ -4,7 +4,8 @@ module SharedUser
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
            :registerable, :rememberable, :timeoutable,
-           :trackable, :validatable, :omniauthable, password_length: 7..72
+           :trackable, :validatable, :omniauthable, password_length: 7..72,
+           reconfirmable: false
 
     attr_accessor :other_key
 

test/rails_app/lib/shared_user_without_omniauth.rb

@@ -4,7 +4,7 @@ module SharedUserWithoutOmniauth
   included do
     devise :database_authenticatable, :confirmable, :lockable, :recoverable,
       :registerable, :rememberable, :timeoutable,
-      :trackable, :validatable
+      :trackable, :validatable, reconfirmable: false
   end
 
   def raw_confirmation_token

test/routes_test.rb

@@ -14,7 +14,7 @@ class DefaultRoutingTest < ActionController::TestCase
   end
 
   test 'map destroy user session' do
-    assert_recognizes({controller: 'devise/sessions', action: 'destroy'}, {path: 'users/sign_out', method: :get})
+    assert_recognizes({controller: 'devise/sessions', action: 'destroy'}, {path: 'users/sign_out', method: :delete})
     assert_named_route "/users/sign_out", :destroy_user_session_path
   end
 
@@ -146,7 +146,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'map account with custom path name for session sign out' do
-    assert_recognizes({controller: 'devise/sessions', action: 'destroy', locale: 'en'}, '/en/accounts/logout')
+    assert_recognizes({controller: 'devise/sessions', action: 'destroy', locale: 'en'}, {path: '/en/accounts/logout', method: :delete })
   end
 
   test 'map account with custom path name for password' do

test/support/mongoid.yml

@@ -1,5 +1,5 @@
 test:
-  sessions:
+  <%= Mongoid::VERSION.to_i > 4 ? 'clients' : 'sessions' %>:
     default:
       database: devise-test-suite
       hosts: