Prepare for 4.6.1 release

When an application does not define a `root`, the method will be
undefined instead of returning a falsey value.
This commit also includes a new test with fake objects that mimic this
behavior.

Related resources:

* 1aab449933 (diff-c1be825bdb5f3160081e41432f83d0d7R278)
* https://github.com/plataformatec/devise/issues/5021

.travis.yml

@@ -3,14 +3,16 @@ language: ruby
 rvm:
   - 2.1.10
   - 2.2.10
-  - 2.3.7
-  - 2.4.4
-  - 2.5.1
+  - 2.3.8
+  - 2.4.5
+  - 2.5.3
+  - 2.6.0
   - ruby-head
 
 gemfile:
   - Gemfile
-  - gemfiles/Gemfile.rails-5.2-rc1
+  - gemfiles/Gemfile.rails-6.0-beta
+  - gemfiles/Gemfile.rails-5.2-stable
   - gemfiles/Gemfile.rails-5.0-stable
   - gemfiles/Gemfile.rails-4.2-stable
   - gemfiles/Gemfile.rails-4.1-stable
@@ -20,25 +22,45 @@ matrix:
     - rvm: 2.1.10
       gemfile: Gemfile
     - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-5.2-rc1
+      gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - rvm: 2.1.10
+      gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.1.10
       gemfile: gemfiles/Gemfile.rails-5.0-stable
     - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-5.2-rc1
-    - rvm: 2.4.4
+      gemfile: Gemfile
+    - rvm: 2.2.10
+      gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - rvm: 2.2.10
+      gemfile: gemfiles/Gemfile.rails-5.2-stable
+    - rvm: 2.3.8
+      gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - rvm: 2.4.5
       gemfile: gemfiles/Gemfile.rails-4.1-stable
-    - rvm: 2.5.1
+    - rvm: 2.4.5
+      gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - rvm: 2.5.3
       gemfile: gemfiles/Gemfile.rails-4.1-stable
+    - rvm: 2.6.0
+      gemfile: gemfiles/Gemfile.rails-4.1-stable
+    - rvm: 2.6.0
+      gemfile: gemfiles/Gemfile.rails-4.2-stable
     - rvm: ruby-head
       gemfile: gemfiles/Gemfile.rails-4.1-stable
+    - rvm: ruby-head
+      gemfile: gemfiles/Gemfile.rails-4.2-stable
     - env: DEVISE_ORM=mongoid
       gemfile: Gemfile
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.0-stable
     - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-5.2-rc1
+      gemfile: gemfiles/Gemfile.rails-5.2-stable
+    - env: DEVISE_ORM=mongoid
+      gemfile: gemfiles/Gemfile.rails-6.0-beta
   allow_failures:
     - rvm: ruby-head
+    - gemfile: gemfiles/Gemfile.rails-6.0-beta
+
 services:
   - mongodb
 
@@ -52,8 +74,8 @@ env:
     - DEVISE_ORM=mongoid
 
 before_install:
-  - gem update --system
-  - gem install bundler
+  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
+  - gem install bundler -v '< 2'
   - "rm ${BUNDLE_GEMFILE}.lock"
 
 before_script: "bundle update"

CHANGELOG.md

@@ -1,5 +1,39 @@
 ### Unreleased
 
+### 4.6.1 - 2019-02-11
+
+* bug fixes
+  * Check if `root_path` is defined with `#respond_to?` instead of `#present` (by @tegon)
+
+### 4.6.0 - 2019-02-07
+
+* enhancements
+  * Allow to skip email and password change notifications (by @iorme1)
+  * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg)
+  * Ignore useless files into the `.gem` file (by @huacnlee)
+  * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon)
+  * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer)
+  * Add an option (`Devise.sign_in_after_change_password`) to not automatically sign in a user after changing a password (by @knjko)
+
+* bug fixes
+  * Fix missing comma in Simple Form generator (by @colinross)
+  * Fix error with migration generator in Rails 6 (by @oystersauce8)
+  * Set `encrypted_password` to `nil` when `password` is set to `nil` (by @sivagollapalli)
+  * Consider whether the request supports flash messages inside `Devise::Controllers::Helpers#is_flashing_format?` (by @colinross)
+  * Fix typo inside `Devise::Generators::ControllersGenerator` (by @kopylovvlad)
+  * Sanitize parameters inside `Devise::Models::Authenticatable#find_or_initialize_with_errors` (by @rlue)
+  * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan)
+  * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu)
+  * Fix unclosed `li` tag in `error_messages` partial (by @mracos)
+  * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
+  * Make `#increment_failed_attempts` concurrency safe (by @tegon)
+  * Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
+
+
+* deprecations
+  * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
+  * The `DeviseHelper.devise_error_messages!` is deprecated and will be removed in the next major version. Use the `devise/shared/error_messages` partial instead. (by @mracos)
+
 ### 4.5.0 - 2018-08-15
 
 * enhancements
@@ -255,7 +289,7 @@ configured (by @joshpencheon)
     end
     ```
 
-    You can check more examples and explanations on the [README section](/plataformatec/devise#strong-parameters)
+    You can check more examples and explanations on the [README section](README.md#strong-parameters)
     and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb).
 
 Please check [3-stable](https://github.com/plataformatec/devise/blob/3-stable/CHANGELOG.md)

CONTRIBUTING.md

@@ -64,7 +64,7 @@ open issues to help troubleshoot and fix existing bugs on Devise. Here is what
 you can do:
 
 * Help ensure that existing issues follows the recommendations from the
-_[Reporting Issues](#reporting-issues)_ section, providing feeback to the issue's
+_[Reporting Issues](#reporting-issues)_ section, providing feedback to the issue's
 author on what might be missing.
 * Review and update the existing content of our [Wiki](https://github.com/plataformatec/devise/wiki)
 with up to date instructions and code samples - the wiki was grown with several

Gemfile

@@ -19,6 +19,7 @@ gem "responders", "~> 2.4"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
+  gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
 end
@@ -30,7 +31,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

Gemfile.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.5.0)
+    devise (4.6.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -164,6 +164,7 @@ GEM
     sqlite3 (1.3.13)
     thor (0.20.0)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -195,8 +196,9 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.4)
-  sqlite3
+  sqlite3 (~> 1.3.6)
+  timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

ISSUE_TEMPLATE.md

@@ -1,4 +1,4 @@
-## Precheck
+## Pre-check
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
@@ -12,7 +12,7 @@
 
 ## Current behavior
 
-Include code samples, errors, steps to reproduce the error and stacktraces if appropriate.
+Include code samples, errors, steps to reproduce the error and stack traces if appropriate.
 
 Will be even more helpful if you provide a sample application or a test case that reproduces the error.
 

MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009-2017 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -149,6 +149,24 @@ BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
 BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
 ```
 
+### Running tests
+Devise uses [Mini Test](https://github.com/seattlerb/minitest) as test framework.
+
+* Running all tests:
+```bash
+bin/test
+```
+
+* Running tests for an specific file:
+```bash
+bin/test test/models/trackable_test.rb
+```
+
+* Running a specific test given a regex:
+```bash
+bin/test test/models/trackable_test.rb:16
+```
+
 ## Starting with Rails?
 
 If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:

app/controllers/devise/passwords_controller.rb

@@ -39,6 +39,7 @@ class Devise::PasswordsController < DeviseController
       if Devise.sign_in_after_reset_password
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message!(:notice, flash_message)
+        resource.after_database_authentication
         sign_in(resource_name, resource)
       else
         set_flash_message!(:notice, :updated_not_active)

app/controllers/devise/registrations_controller.rb

@@ -50,12 +50,9 @@ class Devise::RegistrationsController < DeviseController
     resource_updated = update_resource(resource, account_update_params)
     yield resource if block_given?
     if resource_updated
-      if is_flashing_format?
-        flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
-          :update_needs_confirmation : :updated
-        set_flash_message :notice, flash_key
-      end
-      bypass_sign_in resource, scope: resource_name
+      set_flash_message_for_update(resource, prev_unconfirmed_email)
+      bypass_sign_in resource, scope: resource_name if sign_in_after_change_password?
+
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
@@ -127,7 +124,7 @@ class Devise::RegistrationsController < DeviseController
   # The default url to be used after updating a resource. You need to overwrite
   # this method in your own RegistrationsController.
   def after_update_path_for(resource)
-    signed_in_root_path(resource)
+    sign_in_after_change_password? ? signed_in_root_path(resource) : new_session_path(resource_name)
   end
 
   # Authenticates the current scope and gets the current resource from the session.
@@ -147,4 +144,25 @@ class Devise::RegistrationsController < DeviseController
   def translation_scope
     'devise.registrations'
   end
+
+  private
+
+  def set_flash_message_for_update(resource, prev_unconfirmed_email)
+    return unless is_flashing_format?
+
+    flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email)
+                  :update_needs_confirmation
+                elsif sign_in_after_change_password?
+                  :updated
+                else
+                  :updated_but_not_signed_in
+                end
+    set_flash_message :notice, flash_key
+  end
+
+  def sign_in_after_change_password?
+    return true if account_update_params[:password].blank?
+
+    Devise.sign_in_after_change_password
+  end
 end

app/helpers/devise_helper.rb

@@ -1,27 +1,18 @@
 # frozen_string_literal: true
 
 module DeviseHelper
-  # A simple way to show error messages for the current devise resource. If you need
-  # to customize this method, you can either overwrite it in your application helpers or
-  # copy the views to your application.
-  #
-  # This method is intended to stay simple and it is unlikely that we are going to change
-  # it to add more behavior or options.
+  # Retain this method for backwards compatibility, deprecated in favour of modifying the
+  # devise/shared/error_messages partial
   def devise_error_messages!
+    ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+      [Devise] `DeviseHelper.devise_error_messages!`
+      is deprecated and it will be removed in the next major version.
+      To customize the errors styles please run `rails g devise:views` and modify the
+      `devise/shared/error_messages` partial.
+    DEPRECATION
+
     return "" if resource.errors.empty?
 
-    messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join
-    sentence = I18n.t("errors.messages.not_saved",
-                      count: resource.errors.count,
-                      resource: resource.class.model_name.human.downcase)
-
-    html = <<-HTML
-    <div id="error_explanation">
-      <h2>#{sentence}</h2>
-      <ul>#{messages}</ul>
-    </div>
-    HTML
-
-    html.html_safe
+    render "devise/shared/error_messages", resource: resource
   end
 end

app/views/devise/confirmations/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Resend confirmation instructions</h2>
 
 <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

app/views/devise/passwords/edit.html.erb

@@ -1,7 +1,7 @@
 <h2>Change your password</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <%= f.hidden_field :reset_password_token %>
 
   <div class="field">

app/views/devise/passwords/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Forgot your password?</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

app/views/devise/registrations/edit.html.erb

@@ -1,7 +1,7 @@
 <h2>Edit <%= resource_name.to_s.humanize %></h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

app/views/devise/registrations/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Sign up</h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

app/views/devise/sessions/new.html.erb

@@ -11,12 +11,12 @@
     <%= f.password_field :password, autocomplete: "current-password" %>
   </div>
 
-  <% if devise_mapping.rememberable? -%>
+  <% if devise_mapping.rememberable? %>
     <div class="field">
       <%= f.check_box :remember_me %>
       <%= f.label :remember_me %>
     </div>
-  <% end -%>
+  <% end %>
 
   <div class="actions">
     <%= f.submit "Log in" %>

app/views/devise/shared/_error_messages.html.erb

@@ -0,0 +1,15 @@
+<% if resource.errors.any? %>
+  <div id="error_explanation">
+    <h2>
+      <%= I18n.t("errors.messages.not_saved",
+                 count: resource.errors.count,
+                 resource: resource.class.model_name.human.downcase)
+       %>
+    </h2>
+    <ul>
+      <% resource.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>

app/views/devise/shared/_links.html.erb

@@ -1,25 +1,25 @@
 <%- if controller_name != 'sessions' %>
   <%= link_to "Log in", new_session_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.registerable? && controller_name != 'registrations' %>
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
   <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
   <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
   <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
     <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
-  <% end -%>
-<% end -%>
+  <% end %>
+<% end %>

app/views/devise/unlocks/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Resend unlock instructions</h2>
 
 <%= form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

bin/test

@@ -1,13 +1,17 @@
 #!/usr/bin/env ruby
 $: << File.expand_path(File.expand_path('../../test', __FILE__))
 
-require 'bundler/setup'
+# Remove this begin/rescue once Rails 4 support is removed.
 begin
-  require 'rails/test_unit/minitest_plugin'
+  require 'bundler/setup'
+  require 'rails/test_unit/runner'
+  require 'rails/test_unit/reporter'
+  require 'rails/test_unit/line_filtering'
+
+  Rails::TestUnitReporter.executable = 'bin/test'
+
+  Rails::TestUnit::Runner.parse_options(ARGV)
+  Rails::TestUnit::Runner.run(ARGV)
 rescue LoadError
   exec 'rake'
 end
-
-Rails::TestUnitReporter.executable = 'bin/test'
-
-exit Minitest.run(ARGV)

config/locales/en.yml

@@ -44,6 +44,7 @@ en:
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
       update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
       updated: "Your account has been updated successfully."
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
     sessions:
       signed_in: "Signed in successfully."
       signed_out: "Signed out successfully."

devise.gemspec

@@ -15,8 +15,7 @@ Gem::Specification.new do |s|
   s.description = "Flexible authentication solution for Rails with Warden"
   s.authors     = ['José Valim', 'Carlos Antônio']
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.files         = Dir["{app,config,lib}/**/*", "CHANGELOG.md", "MIT-LICENSE", "README.md"]
   s.require_paths = ["lib"]
   s.required_ruby_version = '>= 2.1.0'
 

gemfiles/Gemfile.rails-4.1-stable

@@ -12,6 +12,7 @@ gem "rdoc", "~> 5.1"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
+  gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
   gem 'test_after_commit', require: false
@@ -24,7 +25,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,7 +21,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -138,6 +138,7 @@ GEM
       activerecord (>= 3.2)
     thor (0.19.4)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -163,9 +164,10 @@ DEPENDENCIES
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
+  timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-4.2-stable

@@ -8,10 +8,12 @@ gem "rails", github: "rails/rails", branch: "4-2-stable"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc", "~> 5.1"
+gem "nokogiri", "1.9.1"
 
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
+  gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
   gem 'test_after_commit', require: false
@@ -24,7 +26,7 @@ platforms :jruby do
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 group :mongoid do

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,7 +57,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -89,7 +89,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -105,8 +105,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -143,9 +143,9 @@ GEM
       loofah (~> 2.0)
     rake (12.0.0)
     rdoc (5.1.0)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
     ruby-openid (2.7.0)
     sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
@@ -159,6 +159,7 @@ GEM
       activerecord (>= 3.2)
     thor (0.19.4)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -178,15 +179,17 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
   rails!
   rdoc (~> 5.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
+  timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.3

gemfiles/Gemfile.rails-5.0-stable

@@ -18,13 +18,14 @@ gem "responders", "~> 2.1"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
+  gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
   gem 'test_after_commit', require: false
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end
 
 # TODO:

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -157,6 +157,7 @@ GEM
       activerecord (>= 3.2)
     thor (0.19.4)
     thread_safe (0.3.6)
+    timecop (0.8.1)
     tzinfo (1.2.3)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -184,9 +185,10 @@ DEPENDENCIES
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
+  timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

gemfiles/Gemfile.rails-5.2-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '~> 5.2.0.rc1'
+gem "rails", '~> 5.2'
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
@@ -16,11 +16,12 @@ gem "responders", "~> 2.1"
 group :test do
   gem "omniauth-facebook"
   gem "omniauth-openid"
+  gem "timecop"
   gem "webrat", "0.7.3", require: false
   gem "mocha", "~> 1.1", require: false
   gem 'test_after_commit', require: false
 end
 
 platforms :ruby do
-  gem "sqlite3"
+  gem "sqlite3", "~> 1.3.6"
 end

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -1,6 +1,6 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: 356edf4dfc38fb1fbfee90c87856e4fe5b73c5e1
+  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
   specs:
     activemodel-serializers-xml (1.0.2)
       activemodel (> 5.x)
@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.5.0)
+    devise (4.6.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -20,81 +20,81 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.0.rc1)
-      actionpack (= 5.2.0.rc1)
+    actioncable (5.2.1)
+      actionpack (= 5.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.0.rc1)
-      actionpack (= 5.2.0.rc1)
-      actionview (= 5.2.0.rc1)
-      activejob (= 5.2.0.rc1)
+    actionmailer (5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.0.rc1)
-      actionview (= 5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    actionpack (5.2.1)
+      actionview (= 5.2.1)
+      activesupport (= 5.2.1)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    actionview (5.2.1)
+      activesupport (= 5.2.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    activejob (5.2.1)
+      activesupport (= 5.2.1)
       globalid (>= 0.3.6)
-    activemodel (5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
-    activerecord (5.2.0.rc1)
-      activemodel (= 5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    activemodel (5.2.1)
+      activesupport (= 5.2.1)
+    activerecord (5.2.1)
+      activemodel (= 5.2.1)
+      activesupport (= 5.2.1)
       arel (>= 9.0)
-    activestorage (5.2.0.rc1)
-      actionpack (= 5.2.0.rc1)
-      activerecord (= 5.2.0.rc1)
+    activestorage (5.2.1)
+      actionpack (= 5.2.1)
+      activerecord (= 5.2.1)
       marcel (~> 0.3.1)
-    activesupport (5.2.0.rc1)
+    activesupport (5.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     bcrypt (3.1.12)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
-    crass (1.0.3)
-    erubi (1.7.0)
+    crass (1.0.4)
+    erubi (1.7.1)
     faraday (0.12.2)
       multipart-post (>= 1.2, < 3)
     globalid (0.4.1)
       activesupport (>= 4.2.0)
     hashie (3.5.7)
-    i18n (0.9.3)
+    i18n (1.1.0)
       concurrent-ruby (~> 1.0)
     jwt (1.5.6)
-    loofah (2.1.1)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
       mini_mime (>= 0.1.1)
-    marcel (0.3.1)
+    marcel (0.3.3)
       mimemagic (~> 0.3.2)
     metaclass (0.0.4)
     method_source (0.9.0)
     mimemagic (0.3.2)
-    mini_mime (1.0.0)
+    mini_mime (1.0.1)
     mini_portile2 (2.3.0)
     minitest (5.11.3)
-    mocha (1.3.0)
+    mocha (1.7.0)
       metaclass (~> 0.0.1)
     multi_json (1.13.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nio4r (2.2.0)
-    nokogiri (1.8.2)
+    nio4r (2.3.1)
+    nokogiri (1.8.5)
       mini_portile2 (~> 2.3.0)
     oauth2 (1.4.0)
       faraday (>= 0.8, < 0.13)
@@ -105,7 +105,7 @@ GEM
     omniauth (1.8.1)
       hashie (>= 3.4.6, < 3.6.0)
       rack (>= 1.6.2, < 3)
-    omniauth-facebook (4.0.0)
+    omniauth-facebook (5.0.0)
       omniauth-oauth2 (~> 1.2)
     omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
@@ -114,24 +114,24 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.0.4)
+    rack (2.0.5)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-test (0.8.2)
+    rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.0.rc1)
-      actioncable (= 5.2.0.rc1)
-      actionmailer (= 5.2.0.rc1)
-      actionpack (= 5.2.0.rc1)
-      actionview (= 5.2.0.rc1)
-      activejob (= 5.2.0.rc1)
-      activemodel (= 5.2.0.rc1)
-      activerecord (= 5.2.0.rc1)
-      activestorage (= 5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    rails (5.2.1)
+      actioncable (= 5.2.1)
+      actionmailer (= 5.2.1)
+      actionpack (= 5.2.1)
+      actionview (= 5.2.1)
+      activejob (= 5.2.1)
+      activemodel (= 5.2.1)
+      activerecord (= 5.2.1)
+      activestorage (= 5.2.1)
+      activesupport (= 5.2.1)
       bundler (>= 1.3.0)
-      railties (= 5.2.0.rc1)
+      railties (= 5.2.1)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.2)
       actionpack (~> 5.x, >= 5.0.1)
@@ -140,21 +140,21 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (5.2.0.rc1)
-      actionpack (= 5.2.0.rc1)
-      activesupport (= 5.2.0.rc1)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.1)
+      actionpack (= 5.2.1)
+      activesupport (= 5.2.1)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (12.3.0)
-    rdoc (6.0.1)
+      thor (>= 0.19.0, < 2.0)
+    rake (12.3.1)
+    rdoc (6.0.4)
     responders (2.4.0)
       actionpack (>= 4.2.0, < 5.3)
       railties (>= 4.2.0, < 5.3)
     ruby-openid (2.7.0)
-    sprockets (3.7.1)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
@@ -166,6 +166,7 @@ GEM
       activerecord (>= 3.2)
     thor (0.20.0)
     thread_safe (0.3.6)
+    timecop (0.9.1)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
     warden (1.2.7)
@@ -189,13 +190,14 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (~> 5.2.0.rc1)
+  rails (~> 5.2)
   rails-controller-testing
   rdoc
   responders (~> 2.1)
-  sqlite3
+  sqlite3 (~> 1.3.6)
   test_after_commit
+  timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.16.1
+   1.17.1

gemfiles/Gemfile.rails-6.0-beta

@@ -0,0 +1,27 @@
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+gem "rails", '6.0.0.beta1'
+gem "omniauth"
+gem "omniauth-oauth2"
+gem "rdoc"
+
+gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
+
+gem "rails-controller-testing"
+
+gem "responders", "~> 2.4"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid"
+  gem "timecop"
+  gem "webrat", "0.7.3", require: false
+  gem "mocha", "~> 1.1", require: false
+  gem 'test_after_commit', require: false
+end
+
+platforms :ruby do
+  gem "sqlite3", "~> 1.3.6"
+end

gemfiles/Gemfile.rails-6.0-beta.lock

@@ -0,0 +1,216 @@
+GIT
+  remote: git://github.com/rails/activemodel-serializers-xml.git
+  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
+  specs:
+    activemodel-serializers-xml (1.0.2)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
+      builder (~> 3.1)
+
+PATH
+  remote: ..
+  specs:
+    devise (4.6.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0, < 6.0)
+      responders
+      warden (~> 1.2.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      activejob (= 6.0.0.beta1)
+      activerecord (= 6.0.0.beta1)
+      activestorage (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      mail (>= 2.7.1)
+    actionmailer (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      actionview (= 6.0.0.beta1)
+      activejob (= 6.0.0.beta1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (6.0.0.beta1)
+      actionview (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actiontext (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      activerecord (= 6.0.0.beta1)
+      activestorage (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      globalid (>= 0.3.6)
+    activemodel (6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+    activerecord (6.0.0.beta1)
+      activemodel (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+    activestorage (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      activerecord (= 6.0.0.beta1)
+      marcel (~> 0.3.1)
+    activesupport (6.0.0.beta1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    bcrypt (3.1.12)
+    builder (3.2.3)
+    concurrent-ruby (1.1.4)
+    crass (1.0.4)
+    erubi (1.8.0)
+    faraday (0.15.4)
+      multipart-post (>= 1.2, < 3)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    hashie (3.6.0)
+    i18n (1.5.2)
+      concurrent-ruby (~> 1.0)
+    jwt (2.1.0)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    metaclass (0.0.4)
+    method_source (0.9.2)
+    mimemagic (0.3.3)
+    mini_mime (1.0.1)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    mocha (1.8.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    nio4r (2.3.1)
+    nokogiri (1.10.1)
+      mini_portile2 (~> 2.4.0)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.9.0)
+      hashie (>= 3.4.6, < 3.7.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-facebook (5.0.0)
+      omniauth-oauth2 (~> 1.2)
+    omniauth-oauth2 (1.6.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.9)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    orm_adapter (0.5.0)
+    rack (2.0.6)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (6.0.0.beta1)
+      actioncable (= 6.0.0.beta1)
+      actionmailbox (= 6.0.0.beta1)
+      actionmailer (= 6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      actiontext (= 6.0.0.beta1)
+      actionview (= 6.0.0.beta1)
+      activejob (= 6.0.0.beta1)
+      activemodel (= 6.0.0.beta1)
+      activerecord (= 6.0.0.beta1)
+      activestorage (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      bundler (>= 1.3.0)
+      railties (= 6.0.0.beta1)
+      sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.4)
+      actionpack (>= 5.0.1.x)
+      actionview (>= 5.0.1.x)
+      activesupport (>= 5.0.1.x)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (6.0.0.beta1)
+      actionpack (= 6.0.0.beta1)
+      activesupport (= 6.0.0.beta1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.20.3, < 2.0)
+    rake (12.3.2)
+    rdoc (6.1.1)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
+    ruby-openid (2.7.0)
+    sprockets (3.7.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.13)
+    test_after_commit (1.1.0)
+      activerecord (>= 3.2)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    warden (1.2.8)
+      rack (>= 2.0.6)
+    webrat (0.7.3)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+    websocket-driver (0.7.0)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activemodel-serializers-xml!
+  devise!
+  mocha (~> 1.1)
+  omniauth
+  omniauth-facebook
+  omniauth-oauth2
+  omniauth-openid
+  rails (= 6.0.0.beta1)
+  rails-controller-testing
+  rdoc
+  responders (~> 2.4)
+  sqlite3 (~> 1.3.6)
+  test_after_commit
+  timecop
+  webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.17.1

lib/devise.rb

@@ -293,6 +293,10 @@ module Devise
   mattr_accessor :token_generator
   @@token_generator = nil
 
+  # When set to false, changing a password does not automatically sign in a user
+  mattr_accessor :sign_in_after_change_password
+  @@sign_in_after_change_password = true
+
   def self.rails51? # :nodoc:
     Rails.gem_version >= Gem::Version.new("5.1.x")
   end

lib/devise/controllers/helpers.rb

@@ -268,7 +268,7 @@ module Devise
       # Check if flash messages should be emitted. Default is to do it on
       # navigational formats
       def is_flashing_format?
-        is_navigational_format?
+        request.respond_to?(:flash) && is_navigational_format?
       end
 
       private

lib/devise/failure_app.rb

@@ -144,11 +144,20 @@ module Devise
 
       opts[:format] = request_format unless skip_format?
 
-      opts[:script_name] = relative_url_root if relative_url_root?
-
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
 
+      if relative_url_root?
+        opts[:script_name] = relative_url_root
+
+      # We need to add the rootpath to `script_name` manually for applications that use a Rails
+      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      elsif root_path_defined?(context) && rails_5_and_down?
+        rootpath = context.routes.url_helpers.root_path
+        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
+      end
+
       if context.respond_to?(route)
         context.send(route, opts)
       elsif respond_to?(:root_url)
@@ -242,7 +251,7 @@ module Devise
     # Check if flash messages should be emitted. Default is to do it on
     # navigational formats
     def is_flashing_format?
-      is_navigational_format?
+      request.respond_to?(:flash) && is_navigational_format?
     end
 
     def request_format
@@ -262,5 +271,21 @@ module Devise
     end
 
     ActiveSupport.run_load_hooks(:devise_failure_app, self)
+
+    private
+
+    def root_path_defined?(context)
+      defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
+    end
+
+    def rails_5_and_down?
+      return false if rails_5_up?
+
+      Rails::VERSION::MAJOR >= 4
+    end
+
+    def rails_5_up?
+      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    end
   end
 end

lib/devise/models/authenticatable.rb

@@ -283,28 +283,20 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = if attributes.respond_to? :permit!
-            attributes.slice(*required_attributes).permit!.to_h.with_indifferent_access
-          else
-            attributes.with_indifferent_access.slice(*required_attributes)
-          end
-          attributes.delete_if { |key, value| value.blank? }
+          attributes.try(:permit!)
+          attributes = attributes.to_h.with_indifferent_access
+                                 .slice(*required_attributes)
+                                 .delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = find_first_by_auth_conditions(attributes)
+            record = find_first_by_auth_conditions(attributes) and return record
           end
 
-          unless record
-            record = new
-
+          new(devise_parameter_filter.filter(attributes)).tap do |record|
             required_attributes.each do |key|
-              value = attributes[key]
-              record.send("#{key}=", value)
-              record.errors.add(key, value.present? ? error : :blank)
+              record.errors.add(key, attributes[key].blank? ? :blank : error)
             end
           end
-
-          record
         end
 
         protected

lib/devise/models/confirmable.rb

@@ -211,7 +211,10 @@ module Devise
         #   confirmation_period_valid?   # will always return true
         #
         def confirmation_period_valid?
-          self.class.allow_unconfirmed_access_for.nil? || (confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago)
+          return true if self.class.allow_unconfirmed_access_for.nil?
+          return false if self.class.allow_unconfirmed_access_for == 0.days
+
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
         # Checks if the user confirmation happens before the token becomes invalid

lib/devise/models/database_authenticatable.rb

@@ -35,6 +35,22 @@ module Devise
         attr_accessor :password_confirmation
       end
 
+      def initialize(*args, &block)
+        @skip_email_changed_notification = false
+        @skip_password_change_notification = false
+        super 
+      end
+
+      # Skips sending the email changed notification after_update
+      def skip_email_changed_notification!
+        @skip_email_changed_notification = true
+      end
+
+      # Skips sending the password change notification after_update
+      def skip_password_change_notification!
+        @skip_password_change_notification = true
+      end
+
       def self.required_fields(klass)
         [:encrypted_password] + klass.authentication_keys
       end
@@ -44,7 +60,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) if @password.present?
+        self.encrypted_password = password_digest(@password) 
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -54,7 +70,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        self.password = self.password_confirmation = nil
+        @password = @password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -65,6 +81,15 @@ module Devise
       # their password). In case the password field is rejected, the confirmation
       # is also rejected as long as it is also blank.
       def update_with_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_with_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
+
         current_password = params.delete(:current_password)
 
         if params[:password].blank?
@@ -98,6 +123,15 @@ module Devise
       #   end
       #
       def update_without_password(params, *options)
+        if options.present?
+          ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+            [Devise] The second argument of `DatabaseAuthenticatable#update_without_password`
+            (`options`) is deprecated and it will be removed in the next major version.
+            It was added to support a feature deprecated in Rails 4, so you can safely remove it
+            from your code.
+          DEPRECATION
+        end
+
         params.delete(:password)
         params.delete(:password_confirmation)
 
@@ -164,26 +198,27 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
+        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 
       if Devise.activerecord51?
         def send_email_changed_notification?
-          self.class.send_email_changed_notification && saved_change_to_email?
+          self.class.send_email_changed_notification && saved_change_to_email? && !@skip_email_changed_notification
         end
       else
         def send_email_changed_notification?
-          self.class.send_email_changed_notification && email_changed?
+          self.class.send_email_changed_notification && email_changed? && !@skip_email_changed_notification
         end
       end
 
       if Devise.activerecord51?
         def send_password_change_notification?
-          self.class.send_password_change_notification && saved_change_to_encrypted_password?
+          self.class.send_password_change_notification && saved_change_to_encrypted_password? && !@skip_password_change_notification
         end
       else
         def send_password_change_notification?
-          self.class.send_password_change_notification && encrypted_password_changed?
+          self.class.send_password_change_notification && encrypted_password_changed? && !@skip_password_change_notification
         end
       end
 

lib/devise/models/lockable.rb

@@ -112,8 +112,8 @@ module Devise
       end
       
       def increment_failed_attempts
-        self.failed_attempts ||= 0
-        self.failed_attempts += 1
+        self.class.increment_counter(:failed_attempts, id)
+        reload
       end
 
       def unauthenticated_message

lib/devise/models/registerable.rb

@@ -21,6 +21,8 @@ module Devise
         def new_with_session(params, session)
           new(params)
         end
+
+        Devise::Models.config(self, :sign_in_after_change_password)
       end
     end
   end

lib/devise/strategies/database_authenticatable.rb

@@ -16,6 +16,9 @@ module Devise
           success!(resource)
         end
 
+        # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
+        # This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
+        # exist in the database if the password hashing algorithm is not called.
         mapping.to.new.password = password if !hashed && Devise.paranoid
         unless resource
           Devise.paranoid ? fail(:invalid) : fail(:not_found_in_database)

lib/devise/test/controller_helpers.rb

@@ -139,7 +139,7 @@ module Devise
 
           status, headers, response = Devise.warden_config[:failure_app].call(env).to_a
           @controller.response.headers.merge!(headers)
-          @controller.response.content_type = headers["Content-Type"] unless Rails.version.start_with?('5')
+          @controller.response.content_type = headers["Content-Type"] unless Rails::VERSION::MAJOR >= 5
           @controller.status = status
           @controller.response.body = response.body
           nil # causes process return @response

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.5.0".freeze
+  VERSION = "4.6.1".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -82,8 +82,8 @@ RUBY
         postgresql?
       end
 
-      def rails5?
-        Rails.version.start_with? '5'
+      def rails5_and_up?
+        Rails::VERSION::MAJOR >= 5
       end
 
       def postgresql?
@@ -92,13 +92,13 @@ RUBY
       end
 
      def migration_version
-       if rails5?
+       if rails5_and_up?
          "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
        end
      end
 
      def primary_key_type
-       primary_key_string if rails5?
+       primary_key_string if rails5_and_up?
      end
 
      def primary_key_string

lib/generators/devise/controllers_generator.rb

@@ -18,7 +18,7 @@ module Devise
 
         This will create a controller class at app/controllers/users/sessions_controller.rb like this:
 
-          class Users::ConfirmationsController < Devise::ConfirmationsController
+          class Users::SessionsController < Devise::SessionsController
             content...
           end
       DESC

lib/generators/templates/devise.rb

@@ -9,7 +9,7 @@ Devise.setup do |config|
   # Devise will use the `secret_key_base` as its `secret_key`
   # by default. You can change it below and use your own secret key.
   # config.secret_key = '<%= SecureRandom.hex(64) %>'
-  
+
   # ==> Controller configuration
   # Configure the parent class to the devise controllers.
   # config.parent_controller = 'DeviseController'
@@ -126,8 +126,11 @@ Devise.setup do |config|
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be
   # able to access the website for two days without confirming their account,
-  # access will be blocked just in the third day. Default is 0.days, meaning
-  # the user cannot access the website without confirming their account.
+  # access will be blocked just in the third day.
+  # You can also set it to nil, which will allow the user to access the website
+  # without confirming their account.
+  # Default is 0.days, meaning the user cannot access the website without
+  # confirming their account.
   # config.allow_unconfirmed_access_for = 2.days
 
   # A period that the user is allowed to confirm their account before their
@@ -287,4 +290,10 @@ Devise.setup do |config|
   # ActiveSupport.on_load(:devise_failure_app) do
   #   include Turbolinks::Controller
   # end
+
+  # ==> Configuration for :registerable
+
+  # When set to false, does not sign a user in automatically after their password is
+  # changed. Defaults to true, so a user is signed in automatically after changing a password.
+  # config.sign_in_after_change_password = true
 end

lib/generators/templates/simple_form_for/registrations/edit.html.erb

@@ -12,7 +12,7 @@
 
     <%= f.input :password,
                 hint: "leave it blank if you don't want to change it",
-                required: false
+                required: false,
                 input_html: { autocomplete: "new-password" } %>
     <%= f.input :password_confirmation,
                 required: false,

lib/generators/templates/simple_form_for/registrations/new.html.erb

@@ -6,7 +6,7 @@
   <div class="form-inputs">
     <%= f.input :email,
                 required: true,
-                autofocus: true ,
+                autofocus: true,
                 input_html: { autocomplete: "email" }%>
     <%= f.input :password,
                 required: true,

test/controllers/helpers_test.rb

@@ -312,6 +312,16 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
     end
   end
 
+  test 'is_flashing_format? depends on is_navigation_format?' do
+    @controller.expects(:is_navigational_format?).returns(true)
+    assert @controller.is_flashing_format?
+  end
+
+  test 'is_flashing_format? is guarded against flash (middleware) not being loaded' do
+    @controller.request.expects(:respond_to?).with(:flash).returns(false)
+    refute @controller.is_flashing_format?
+  end
+
   test 'is not a devise controller' do
     refute @controller.devise_controller?
   end

test/controllers/passwords_controller_test.rb

@@ -31,4 +31,9 @@ class PasswordsControllerTest < Devise::ControllerTestCase
     put_update_with_params
     assert_redirected_to custom_path
   end
+
+  test 'calls after_database_authentication callback after sign_in immediately after password update' do
+    User.any_instance.expects :after_database_authentication
+    put_update_with_params
+  end
 end

test/failure_app_test.rb

@@ -28,6 +28,27 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class FailureWithoutRootPath < Devise::FailureApp
+    class FakeURLHelpers
+    end
+
+    class FakeRoutesWithoutRoot
+      def url_helpers
+        FakeURLHelpers.new
+      end
+    end
+
+    class FakeAppWithoutRootPath
+      def routes
+        FakeRoutesWithoutRoot.new
+      end
+    end
+
+    def main_app
+      FakeAppWithoutRootPath.new
+    end
+  end
+
   class FakeEngineApp < Devise::FailureApp
     class FakeEngine
       def new_user_on_engine_session_url _
@@ -44,6 +65,10 @@ class FailureTest < ActiveSupport::TestCase
     end
   end
 
+  class RequestWithoutFlashSupport < ActionDispatch::Request
+    undef_method :flash
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -66,7 +91,7 @@ class FailureTest < ActiveSupport::TestCase
     end
 
     @response = (env.delete(:app) || Devise::FailureApp).call(env).to_a
-    @request  = ActionDispatch::Request.new(env)
+    @request  = (env.delete(:request_klass) || ActionDispatch::Request).new(env)
   end
 
   context 'When redirecting' do
@@ -99,6 +124,13 @@ class FailureTest < ActiveSupport::TestCase
       end
     end
 
+    test 'returns to the root path even when it\'s not defined' do
+      call_failure app: FailureWithoutRootPath
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/', @response.second['Location']
+    end
+
     test 'returns to the root path considering subdomain if no session path is available' do
       swap Devise, router_name: :fake_app do
         call_failure app: FailureWithSubdomain
@@ -343,4 +375,11 @@ class FailureTest < ActiveSupport::TestCase
       assert_equal Devise::FailureApp.new.lazy_loading_works?, "yes it does"
     end
   end
+  context "Without Flash Support" do
+    test "returns to the default redirect location without a flash message" do
+      call_failure request_klass: RequestWithoutFlashSupport
+      assert_equal 302, @response.first
+      assert_equal 'http://test.host/users/sign_in', @response.second['Location']
+    end
+  end
 end

test/generators/active_record_generator_test.rb

@@ -84,7 +84,7 @@ if DEVISE_ORM == :active_record
 
     test "add primary key type with rails 5 when specified in rails generator" do
       run_generator ["monster", "--primary_key_type=uuid"]
-      if Rails.version.start_with? '5'
+      if Devise::Test.rails5_and_up?
         assert_migration "db/migrate/devise_create_monsters.rb", /create_table :monsters, id: :uuid do/
       else
         assert_migration "db/migrate/devise_create_monsters.rb", /create_table :monsters do/

test/integration/mounted_engine_test.rb

@@ -2,10 +2,23 @@
 
 require 'test_helper'
 
-class MyMountableEngine
-  def self.call(env)
-    ['200', { 'Content-Type' => 'text/html' }, ['Rendered content of MyMountableEngine']]
+module MyMountableEngine
+  class Engine < ::Rails::Engine
+    isolate_namespace MyMountableEngine
   end
+  class TestsController < ActionController::Base
+    def index
+      render plain: 'Root test successful'
+    end
+    def inner_route
+      render plain: 'Inner route test successful'
+    end
+  end
+end
+
+MyMountableEngine::Engine.routes.draw do
+  get 'test', to: 'tests#inner_route'
+  root to: 'tests#index'
 end
 
 # If disable_clear_and_finalize is set to true, Rails will not clear other routes when calling
@@ -15,7 +28,7 @@ Rails.application.routes.disable_clear_and_finalize = true
 
 Rails.application.routes.draw do
   authenticate(:user) do
-    mount MyMountableEngine, at: '/mountable_engine'
+    mount MyMountableEngine::Engine, at: '/mountable_engine'
   end
 end
 
@@ -33,6 +46,23 @@ class AuthenticatedMountedEngineTest < Devise::IntegrationTest
     get '/mountable_engine'
 
     assert_response :success
-    assert_contain 'Rendered content of MyMountableEngine'
+    assert_contain 'Root test successful'
+  end
+
+
+  test 'renders a inner route of the mounted engine when authenticated' do
+    sign_in_as_user
+    get '/mountable_engine/test'
+
+    assert_response :success
+    assert_contain 'Inner route test successful'
+  end
+
+  test 'respond properly to a non existing route of the mounted engine' do
+    sign_in_as_user
+    
+    assert_raise ActionController::RoutingError do
+      get '/mountable_engine/non-existing-route'
+    end
   end
 end

test/integration/registerable_test.rb

@@ -179,6 +179,39 @@ class RegistrationTest < Devise::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'a signed in user should not be able to use the website after changing their password if config.sign_in_after_change_password is false' do
+    swap Devise, sign_in_after_change_password: false do
+      sign_in_as_user
+      get edit_user_registration_path
+
+      fill_in 'password', with: '1234567890'
+      fill_in 'password confirmation', with: '1234567890'
+      fill_in 'current password', with: '12345678'
+      click_button 'Update'
+
+      assert_contain 'Your account has been updated successfully, but since your password was changed, you need to sign in again'
+      assert_equal new_user_session_path, @request.path
+      refute warden.authenticated?(:user)
+    end
+  end
+
+  test 'a signed in user should be able to use the website after changing its email with config.sign_in_after_change_password is false' do
+    swap Devise, sign_in_after_change_password: false do
+      sign_in_as_user
+      get edit_user_registration_path
+
+      fill_in 'email', with: 'user.new@example.com'
+      fill_in 'current password', with: '12345678'
+      click_button 'Update'
+
+      assert_current_url '/'
+      assert_contain 'Your account has been updated successfully.'
+
+      assert warden.authenticated?(:user)
+      assert_equal "user.new@example.com", User.to_adapter.find_first.email
+    end
+  end
+
   test 'a signed in user should not change their current user with invalid password' do
     sign_in_as_user
     get edit_user_registration_path

test/integration/rememberable_test.rb

@@ -12,7 +12,7 @@ class RememberMeTest < Devise::IntegrationTest
   end
 
   def generate_signed_cookie(raw_cookie)
-    request = if Devise::Test.rails51? || Devise::Test.rails52?
+    request = if Devise::Test.rails51? || Devise::Test.rails52_and_up?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
     elsif Devise::Test.rails5?
       ActionController::TestRequest.create

test/models/authenticatable_test.rb

@@ -13,6 +13,31 @@ class AuthenticatableTest < ActiveSupport::TestCase
     assert_nil User.find_first_by_auth_conditions({ email: "example@example.com" }, id: user.id.to_s.next)
   end
 
+  # assumes default configuration of
+  # config.case_insensitive_keys = [:email]
+  # config.strip_whitespace_keys = [:email]
+  test 'find_or_initialize_with_errors uses parameter filter on find' do
+    user = User.create!(email: "example@example.com", password: "1234567")
+    assert_equal User.find_or_initialize_with_errors([:email], { email: " EXAMPLE@example.com " }), user
+  end
+
+  # assumes default configuration of
+  # config.case_insensitive_keys = [:email]
+  # config.strip_whitespace_keys = [:email]
+  test 'find_or_initialize_with_errors uses parameter filter on initialize' do
+    assert_equal User.find_or_initialize_with_errors([:email], { email: " EXAMPLE@example.com " }).email, "example@example.com"
+  end
+
+  test 'find_or_initialize_with_errors adds blank error' do
+    user_with_error = User.find_or_initialize_with_errors([:email], { email: "" })
+    assert_equal [:email, "can't be blank"], user_with_error.errors.first
+  end
+
+  test 'find_or_initialize_with_errors adds invalid error' do
+    user_with_error = User.find_or_initialize_with_errors([:email], { email: "example@example.com" })
+    assert_equal [:email, "is invalid"], user_with_error.errors.first
+  end
+
   if defined?(ActionController::Parameters)
     test 'does not passes an ActionController::Parameters to find_first_by_auth_conditions through find_or_initialize_with_errors' do
       user = create_user(email: 'example@example.com')

test/models/confirmable_test.rb

@@ -240,6 +240,16 @@ class ConfirmableTest < ActiveSupport::TestCase
     refute user.active_for_authentication?
   end
 
+  test 'should not be active when confirm period is set to 0 days' do
+    Devise.allow_unconfirmed_access_for = 0.days
+    user = create_user
+
+    Timecop.freeze(Time.zone.today) do
+      user.confirmation_sent_at = Time.zone.today
+      refute user.active_for_authentication?
+    end
+  end
+
   test 'should be active when we set allow_unconfirmed_access_for to nil' do
     swap Devise, allow_unconfirmed_access_for: nil do
       user = create_user

test/models/database_authenticatable_test.rb

@@ -117,9 +117,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_nil user.authenticatable_salt
   end
 
-  test 'should not generate a hashed password if password is blank' do
-    assert_blank new_user(password: nil).encrypted_password
-    assert_blank new_user(password: '').encrypted_password
+  test 'should set encrypted password to nil if password is nil' do
+    assert_nil new_user(password: nil).encrypted_password
+    assert_nil new_user(password: '').encrypted_password
   end
 
   test 'should hash password again if password has changed' do
@@ -148,6 +148,16 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     refute user.valid_password?('654321')
   end
 
+  test 'should be invalid if the password is nil' do
+    user = new_user(password: nil)
+    refute user.valid_password?(nil)
+  end
+
+  test 'should be invalid if the password is blank' do
+    user = new_user(password: '')
+    refute user.valid_password?('')
+  end
+
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -266,6 +276,26 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     end
   end
 
+  test 'should not notify email on password change even when configured if skip_password_change_notification! is invoked' do
+    swap Devise, send_password_change_notification: true do
+      user = create_user
+      user.skip_password_change_notification!
+      assert_email_not_sent do
+        assert user.update(password: 'newpass', password_confirmation: 'newpass')
+      end
+    end
+  end
+
+  test 'should not notify email on email change even when configured if skip_email_changed_notification! is invoked' do
+    swap Devise, send_email_changed_notification: true do
+      user = create_user
+      user.skip_email_changed_notification!
+      assert_email_not_sent do
+        assert user.update(email: 'new-email@example.com')
+      end
+    end
+  end
+
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")
@@ -287,4 +317,11 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       ]
     end
   end
+
+  test 'nil password should be invalid if password is set to nil' do
+    user = User.create(email: "HEllO@example.com", password: "12345678")
+    user.password = nil
+    refute user.valid_password?('12345678')
+    refute user.valid_password?(nil)
+  end
 end

test/models/lockable_test.rb

@@ -39,6 +39,17 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
+  test "should read failed_attempts from database when incrementing" do
+    user = create_user
+    initial_failed_attempts = user.failed_attempts
+    same_user = User.find(user.id)
+
+    user.increment_failed_attempts
+    same_user.increment_failed_attempts
+
+    assert_equal initial_failed_attempts + 2, user.reload.failed_attempts
+  end
+
   test 'should be valid for authentication with a unlocked user' do
     user = create_user
     user.lock_access!

test/orm/active_record.rb

@@ -5,14 +5,14 @@ ActiveRecord::Base.logger = Logger.new(nil)
 ActiveRecord::Base.include_root_in_json = true
 
 migrate_path = File.expand_path("../../rails_app/db/migrate/", __FILE__)
-if Devise::Test.rails52?
+if Devise::Test.rails52_and_up?
   ActiveRecord::MigrationContext.new(migrate_path).migrate
 else
   ActiveRecord::Migrator.migrate(migrate_path)
 end
 
 class ActiveSupport::TestCase
-  if Devise::Test.rails5?
+  if Devise::Test.rails5_and_up?
     self.use_transactional_tests = true
   else
     # Let `after_commit` work with transactional fixtures, however this is not needed for Rails 5.

test/rails_app/app/active_record/user.rb

@@ -5,7 +5,7 @@ require 'shared_user'
 class User < ActiveRecord::Base
   include Shim
   include SharedUser
-  include ActiveModel::Serializers::Xml if Devise::Test.rails5?
+  include ActiveModel::Serializers::Xml if Devise::Test.rails5_and_up?
 
   validates :sign_in_count, presence: true
 

test/rails_app/app/controllers/home_controller.rb

@@ -22,7 +22,7 @@ class HomeController < ApplicationController
   end
 
   def unauthenticated
-    if Devise::Test.rails5?
+    if Devise::Test.rails5_and_up?
       render body: "unauthenticated", status: :unauthorized
     else
       render text: "unauthenticated", status: :unauthorized

test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -11,6 +11,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     user = User.to_adapter.find_first(email: 'user@test.com')
     user.remember_me = true
     sign_in user
-    render (Devise::Test.rails5? ? :body : :text) => ""
+    render (Devise::Test.rails5_and_up? ? :body : :text) => ""
   end
 end

test/rails_app/app/controllers/users_controller.rb

@@ -15,7 +15,7 @@ class UsersController < ApplicationController
   end
 
   def update_form
-    render (Devise::Test.rails5? ? :body : :text) => 'Update'
+    render (Devise::Test.rails5_and_up? ? :body : :text) => 'Update'
   end
 
   def accept
@@ -23,11 +23,11 @@ class UsersController < ApplicationController
   end
 
   def exhibit
-    render (Devise::Test.rails5? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
+    render (Devise::Test.rails5_and_up? ? :body : :text) => current_user ? "User is authenticated" : "User is not authenticated"
   end
 
   def expire
     user_session['last_request_at'] = 31.minutes.ago.utc
-    render (Devise::Test.rails5? ? :body : :text) => 'User will be expired on next request'
+    render (Devise::Test.rails5_and_up? ? :body : :text) => 'User will be expired on next request'
   end
 end

test/rails_app/config/application.rb

@@ -44,5 +44,10 @@ module RailsApp
     config.to_prepare do
       Devise::SessionsController.layout "application"
     end
+
+    # Remove this check once Rails 5.0 support is removed.
+    if Devise::Test.rails52_and_up?
+      Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
+    end
   end
 end

test/rails_app/config/boot.rb

@@ -8,6 +8,10 @@ module Devise
   module Test
     # Detection for minor differences between Rails 4 and 5, 5.1, and 5.2 in tests.
     
+    def self.rails52_and_up?
+      Rails::VERSION::MAJOR > 5 || rails52?
+    end
+
     def self.rails52?
       Rails.version.start_with? '5.2'
     end
@@ -16,6 +20,10 @@ module Devise
       Rails.version.start_with? '5.1'
     end
 
+    def self.rails5_and_up?
+      Rails::VERSION::MAJOR >= 5
+    end
+
     def self.rails5?
       Rails.version.start_with? '5'
     end

test/rails_app/config/environments/production.rb

@@ -22,7 +22,7 @@ RailsApp::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  if Rails.version >= "5.0.0"
+  if Devise::Test.rails5_and_up?
     config.public_file_server.enabled = false
   elsif Rails.version >= "4.2.0"
     config.serve_static_files = false

test/rails_app/config/environments/test.rb

@@ -16,7 +16,7 @@ RailsApp::Application.configure do
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
-  if Rails.version >= "5.0.0"
+  if Devise::Test.rails5_and_up?
     config.public_file_server.enabled = true
     config.public_file_server.headers = {'Cache-Control' => 'public, max-age=3600'}
   elsif Rails.version >= "4.2.0"

test/rails_app/config/initializers/devise.rb

@@ -180,6 +180,12 @@ Devise.setup do |config|
   #   manager.default_strategies(scope: :user).unshift :some_external_strategy
   # end
 
+  # ==> Configuration for :registerable
+
+  # When set to false, does not sign a user in automatically after their password is
+  # changed. Defaults to true, so a user is signed in automatically after changing a password.
+  # config.sign_in_after_change_password = true
+
   ActiveSupport.on_load(:devise_failure_app) do
     require "lazy_load_test_module"
     include LazyLoadTestModule

test/routes_test.rb

@@ -205,7 +205,7 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map with format false for sessions' do
     expected_params = {controller: 'devise/sessions', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise::Test.rails5_and_up?
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in', method: :get})
     assert_raise ExpectedRoutingError do
@@ -215,7 +215,7 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map with format false for passwords' do
     expected_params = {controller: 'devise/passwords', action: 'create'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise::Test.rails5_and_up?
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/password', method: :post})
     assert_raise ExpectedRoutingError do
@@ -225,7 +225,7 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map with format false for registrations' do
     expected_params = {controller: 'devise/registrations', action: 'new'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise::Test.rails5_and_up?
 
     assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up', method: :get})
     assert_raise ExpectedRoutingError do
@@ -235,7 +235,7 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map with format false for confirmations' do
     expected_params = {controller: 'devise/confirmations', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise::Test.rails5_and_up?
 
     assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation', method: :get})
     assert_raise ExpectedRoutingError do
@@ -245,7 +245,7 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map with format false for unlocks' do
     expected_params = {controller: 'devise/unlocks', action: 'show'}
-    expected_params[:format] = false if Devise::Test.rails5?
+    expected_params[:format] = false if Devise::Test.rails5_and_up?
 
     assert_recognizes(expected_params, {path: '/htmlonly_users/unlock', method: :get})
     assert_raise ExpectedRoutingError do

test/support/http_method_compatibility.rb

@@ -6,7 +6,7 @@ module Devise
     #           xhr get_via_redirect post_via_redirect
     #         ).each do |method|
     %w( get post put ).each do |method|
-      if Rails.version >= '5.0.0'
+      if Devise::Test.rails5_and_up?
         define_method(method) do |url, options={}|
           if options.empty?
             super url
@@ -31,7 +31,7 @@ module Devise
     #           xhr get_via_redirect post_via_redirect
     #         ).each do |method|
     %w( get post put ).each do |method|
-      if Rails.version >= '5.0.0'
+      if Devise::Test.rails5_and_up?
         define_method(method) do |action, options={}|
           if options.empty?
             super action

test/support/webrat/integrations/rails.rb

@@ -18,6 +18,12 @@ module Webrat
   end
 
   class RailsAdapter
+    # This method is private within webrat gem and after Ruby 2.4 we get a lot of warnings because
+    # Webrat::Session#response is delegated to this method.
+    def response
+      integration_session.response
+    end
+
     protected
 
     def do_request(http_method, url, data, headers)

test/test/controller_helpers_test.rb

@@ -171,7 +171,7 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
   test "creates a new warden proxy if the request object has changed" do
     old_warden_proxy = warden
 
-    @request = if Devise::Test.rails51? || Devise::Test.rails52?
+    @request = if Devise::Test.rails51? || Devise::Test.rails52_and_up?
       ActionController::TestRequest.create(Class.new) # needs a "controller class"
     elsif Devise::Test.rails5?
       ActionController::TestRequest.create

test/test_helper.rb

@@ -13,6 +13,7 @@ require "orm/#{DEVISE_ORM}"
 I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__)
 
 require 'mocha/setup'
+require 'timecop'
 require 'webrat'
 Webrat.configure do |config|
   config.mode = :rails