wip

Add assert to Lockable integration test and Replace mathcer `assert_not` to `refute`

.travis.yml

@@ -11,7 +11,7 @@ rvm:
 
 gemfile:
   - Gemfile
-  - gemfiles/Gemfile.rails-6.0-beta
+  - gemfiles/Gemfile.rails-6.0-stable
   - gemfiles/Gemfile.rails-5.2-stable
   - gemfiles/Gemfile.rails-5.0-stable
   - gemfiles/Gemfile.rails-4.2-stable
@@ -22,7 +22,7 @@ matrix:
     - rvm: 2.1.10
       gemfile: Gemfile
     - rvm: 2.1.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.1.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.1.10
@@ -30,15 +30,15 @@ matrix:
     - rvm: 2.2.10
       gemfile: Gemfile
     - rvm: 2.2.10
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.2.10
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - rvm: 2.3.8
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.4.5
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.4.5
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
     - rvm: 2.5.3
       gemfile: gemfiles/Gemfile.rails-4.1-stable
     - rvm: 2.6.0
@@ -56,16 +56,14 @@ matrix:
     - env: DEVISE_ORM=mongoid
       gemfile: gemfiles/Gemfile.rails-5.2-stable
     - env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-6.0-beta
+      gemfile: gemfiles/Gemfile.rails-6.0-stable
   allow_failures:
     - rvm: ruby-head
-    - gemfile: gemfiles/Gemfile.rails-6.0-beta
+    - gemfile: gemfiles/Gemfile.rails-6.0-stable
 
 services:
   - mongodb
 
-sudo: false
-
 cache: bundler
 
 env:

CHANGELOG.md

@@ -1,4 +1,29 @@
 ### Unreleased
+* enhancements
+  * Increase default stretches to 12 (by @sergey-alekseev)
+
+### 4.7.1 - 2019-09-06
+
+* bug fixes
+  * Fix an edge case where records with a blank `confirmation_token` could be confirmed (by @tegon)
+  * Fix typo inside `update_needs_confirmation` i18n key (by @lslm)
+
+### 4.7.0 - 2019-08-19
+
+* enhancements
+  * Support Rails 6.0
+  * Update CI to rails 6.0.0.beta3 (by @tunnes)
+  * refactor method name to be more consistent (by @saiqulhaq)
+  * Fix rails 6.0.rc1 email uniqueness validation deprecation warning (by @Vasfed)
+
+* bug fixes
+  * Add `autocomplete="new-password"` to `password_confirmation` fields (by @ferrl)
+  * Fix rails_51_and_up? method for Rails 6.rc1 (by @igorkasyanchuk)
+
+### 4.6.2 - 2019-03-26
+
+* bug fixes
+  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/plataformatec/devise/issues/5033#issuecomment-476386275 (by @mracos)
 
 ### 4.6.1 - 2019-02-11
 

Gemfile.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -201,4 +201,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

ISSUE_TEMPLATE.md

@@ -2,6 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to opensource@plataformatec.com.br instead.
 - Finally, be nice and have fun!
 
 ## Environment

README.md

@@ -56,6 +56,7 @@ It's composed of 10 modules:
 	- [ActiveJob Integration](#activejob-integration)
 	- [Password reset tokens and Rails logs](#password-reset-tokens-and-rails-logs)
 	- [Other ORMs](#other-orms)
+	- [Rails API mode](#rails-api-mode)
 - [Additional information](#additional-information)
 	- [Heroku](#heroku)
 	- [Warden](#warden)
@@ -173,7 +174,7 @@ If you are building your first Rails application, we recommend you *do not* use
 
 * Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users
 * Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch
-* Codecademy's Ruby on Rails: Authentication and Authorization: http://www.codecademy.com/en/learn/rails-auth
+* Codecademy's Ruby on Rails: Authentication and Authorization: https://www.codecademy.com/learn/rails-auth
 
 Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley:
 
@@ -269,7 +270,7 @@ member_session
 The Devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the hashing algorithm with:
 
 ```ruby
-devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 12
+devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 13
 ```
 
 Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`.
@@ -288,7 +289,7 @@ There are just three actions in Devise that allow any set of parameters to be pa
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
 * `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-In case you want to permit additional parameters (the lazy way™), you can do so using a simple before filter in your `ApplicationController`:
+In case you want to permit additional parameters (the lazy way™), you can do so using a simple before action in your `ApplicationController`:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -619,7 +620,7 @@ are executed in your tests.
 
 You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
 
 ### OmniAuth
 
@@ -694,6 +695,17 @@ config.log_level = :warn
 
 Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.
 
+### Rails API Mode
+
+Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). One of the side effects is that it changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
+
+```ruby
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore
+```
+
+For a deeper understanding of this, review [this issue](https://github.com/plataformatec/devise/issues/4696).
+
 ## Additional information
 
 ### Heroku
@@ -720,6 +732,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2018 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 You are not granted rights or licenses to the trademarks of Plataformatec, including without limitation the Devise name or logo.

app/controllers/devise_controller.rb

@@ -112,7 +112,7 @@ MESSAGE
     end
 
     if authenticated && resource = warden.user(resource_name)
-      flash[:alert] = I18n.t("devise.failure.already_authenticated")
+      set_flash_message(:alert, 'already_authenticated', scope: 'devise.failure')
       redirect_to after_sign_in_path_for(resource)
     end
   end

app/views/devise/passwords/edit.html.erb

@@ -14,7 +14,7 @@
 
   <div class="field">
     <%= f.label :password_confirmation, "Confirm new password" %><br />
-    <%= f.password_field :password_confirmation, autocomplete: "off" %>
+    <%= f.password_field :password_confirmation, autocomplete: "new-password" %>
   </div>
 
   <div class="actions">

config/locales/en.yml

@@ -42,7 +42,7 @@ en:
       signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
       signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
       updated: "Your account has been updated successfully."
       updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
     sessions:

devise.gemspec

@@ -22,6 +22,6 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.3")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt", "~> 3.0")
-  s.add_dependency("railties", ">= 4.1.0", "< 6.0")
+  s.add_dependency("railties", ">= 4.1.0")
   s.add_dependency("responders")
 end

gemfiles/Gemfile.rails-4.1-stable

@@ -8,6 +8,8 @@ gem "rails", github: "rails/rails", branch: "4-1-stable"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc", "~> 5.1"
+# Force this version because it's breaking on CI since a higher nokogiri version requires Ruby 2.3+.
+gem "nokogiri", "1.9.1"
 
 group :test do
   gem "omniauth-facebook"

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,10 +21,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -54,7 +54,7 @@ GEM
       thread_safe (~> 0.1)
       tzinfo (~> 1.1)
     arel (5.0.1.20140414130214)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     bson (3.2.6)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
@@ -72,7 +72,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -88,8 +88,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -158,6 +158,7 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,10 +57,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -68,7 +68,7 @@ GEM
   remote: https://rubygems.org/
   specs:
     arel (6.0.4)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     bson (3.2.6)
     builder (3.2.3)
     concurrent-ruby (1.0.5)

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -58,7 +58,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (7.1.4)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     erubis (2.7.0)
@@ -191,4 +191,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -10,10 +10,10 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
@@ -62,7 +62,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     builder (3.2.3)
     concurrent-ruby (1.0.5)
     crass (1.0.4)
@@ -200,4 +200,4 @@ DEPENDENCIES
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

gemfiles/Gemfile.rails-6.0-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec path: ".."
 
-gem "rails", '6.0.0.beta1'
+gem "rails", '~> 6.0.0'
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc"
@@ -11,7 +11,7 @@ gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
 
 gem "rails-controller-testing"
 
-gem "responders", "~> 2.4"
+gem "responders", "~> 3.0"
 
 group :test do
   gem "omniauth-facebook"
@@ -23,5 +23,5 @@ group :test do
 end
 
 platforms :ruby do
-  gem "sqlite3", "~> 1.3.6"
+  gem "sqlite3", "~> 1.4"
 end

gemfiles/Gemfile.rails-6.0-stable.lock

@@ -1,81 +1,83 @@
 GIT
   remote: git://github.com/rails/activemodel-serializers-xml.git
-  revision: f744aeca2747ed3134e492249c4ee39b548efdf6
+  revision: 93689638c28525acc65afb638fce866826532641
   specs:
     activemodel-serializers-xml (1.0.2)
-      activemodel (> 5.x)
-      activesupport (> 5.x)
+      activemodel (>= 5.0.0.a)
+      activesupport (>= 5.0.0.a)
       builder (~> 3.1)
 
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       mail (>= 2.7.1)
-    actionmailer (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actiontext (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activerecord (6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
-    activestorage (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.0.beta1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    bcrypt (3.1.12)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    bcrypt (3.1.13)
     builder (3.2.3)
-    concurrent-ruby (1.1.4)
+    concurrent-ruby (1.1.5)
     crass (1.0.4)
     erubi (1.8.0)
     faraday (0.15.4)
@@ -83,9 +85,9 @@ GEM
     globalid (0.4.2)
       activesupport (>= 4.2.0)
     hashie (3.6.0)
-    i18n (1.5.2)
+    i18n (1.6.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.1.0)
+    jwt (2.2.1)
     loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -96,16 +98,16 @@ GEM
     metaclass (0.0.4)
     method_source (0.9.2)
     mimemagic (0.3.3)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
-    mocha (1.8.0)
+    mocha (1.9.0)
       metaclass (~> 0.0.1)
     multi_json (1.13.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    nio4r (2.3.1)
-    nokogiri (1.10.1)
+    multipart-post (2.1.1)
+    nio4r (2.4.0)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
     oauth2 (1.4.1)
       faraday (>= 0.8, < 0.16.0)
@@ -125,26 +127,26 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     orm_adapter (0.5.0)
-    rack (2.0.6)
+    rack (2.0.7)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.0.beta1)
-      actioncable (= 6.0.0.beta1)
-      actionmailbox (= 6.0.0.beta1)
-      actionmailer (= 6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      actiontext (= 6.0.0.beta1)
-      actionview (= 6.0.0.beta1)
-      activejob (= 6.0.0.beta1)
-      activemodel (= 6.0.0.beta1)
-      activerecord (= 6.0.0.beta1)
-      activestorage (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.0.beta1)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -153,19 +155,19 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0.beta1)
-      actionpack (= 6.0.0.beta1)
-      activesupport (= 6.0.0.beta1)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.2)
+    rake (12.3.3)
     rdoc (6.1.1)
-    responders (2.4.1)
-      actionpack (>= 4.2.0, < 6.0)
-      railties (>= 4.2.0, < 6.0)
+    responders (3.0.0)
+      actionpack (>= 5.0)
+      railties (>= 5.0)
     ruby-openid (2.7.0)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
@@ -174,7 +176,7 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.4.1)
     test_after_commit (1.1.0)
       activerecord (>= 3.2)
     thor (0.20.3)
@@ -188,9 +190,10 @@ GEM
       nokogiri (>= 1.2.0)
       rack (>= 1.0)
       rack-test (>= 0.5.3)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.9)
 
 PLATFORMS
   ruby
@@ -203,14 +206,14 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2
   omniauth-openid
-  rails (= 6.0.0.beta1)
+  rails (~> 6.0.0)
   rails-controller-testing
   rdoc
-  responders (~> 2.4)
-  sqlite3 (~> 1.3.6)
+  responders (~> 3.0)
+  sqlite3 (~> 1.4)
   test_after_commit
   timecop
   webrat (= 0.7.3)
 
 BUNDLED WITH
-   1.17.1
+   1.17.3

lib/devise.rb

@@ -71,7 +71,7 @@ module Devise
 
   # The number of times to hash the password.
   mattr_accessor :stretches
-  @@stretches = 11
+  @@stretches = 12
 
   # The default key used when authenticating over http auth.
   mattr_accessor :http_authentication_key
@@ -305,6 +305,10 @@ module Devise
     defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
   end
 
+  def self.rails6_and_up?
+    Rails.gem_version >= Gem::Version.new("6.0.x")
+  end
+
   # Default way to set up Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup

lib/devise/failure_app.rb

@@ -153,7 +153,7 @@ module Devise
       # We need to add the rootpath to `script_name` manually for applications that use a Rails
       # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
       # that use Devise. Remove it when the support of Rails 5.0 is droped.
-      elsif root_path_defined?(context) && rails_5_and_down?
+      elsif root_path_defined?(context) && !rails_51_and_up?
         rootpath = context.routes.url_helpers.root_path
         opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
       end
@@ -278,14 +278,8 @@ module Devise
       defined?(context.routes) && context.routes.url_helpers.respond_to?(:root_path)
     end
 
-    def rails_5_and_down?
-      return false if rails_5_up?
-
-      Rails::VERSION::MAJOR >= 4
-    end
-
-    def rails_5_up?
-      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    def rails_51_and_up?
+      Rails.gem_version >= Gem::Version.new("5.1")
     end
   end
 end

lib/devise/models/authenticatable.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'active_model/version'
 require 'devise/hooks/activatable'
 require 'devise/hooks/csrf_cleaner'
 
@@ -153,7 +152,8 @@ module Devise
       #         # If the record is new or changed then delay the
       #         # delivery until the after_commit callback otherwise
       #         # send now because after_commit will not be called.
-      #         if new_record? || changed?
+      #         # For Rails < 6 is `changed?` instead of `saved_changes?`.
+      #         if new_record? || saved_changes?
       #           pending_devise_notifications << [notification, args]
       #         else
       #           render_and_send_devise_message(notification, *args)

lib/devise/models/confirmable.rb

@@ -348,7 +348,19 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm_by_token(confirmation_token)
+          # When the `confirmation_token` parameter is blank, if there are any users with a blank
+          # `confirmation_token` in the database, the first one would be confirmed here.
+          # The error is being manually added here to ensure no users are confirmed by mistake.
+          # This was done in the model for convenience, since validation errors are automatically
+          # displayed in the view.
+          if confirmation_token.blank?
+            confirmable = new
+            confirmable.errors.add(:confirmation_token, :blank)
+            return confirmable
+          end
+
           confirmable = find_first_by_auth_conditions(confirmation_token: confirmation_token)
+
           unless confirmable
             confirmation_digest = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
             confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_digest)

lib/devise/models/database_authenticatable.rb

@@ -60,7 +60,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) 
+        self.encrypted_password = password_digest(@password) if @password.present?
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -70,7 +70,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        @password = @password_confirmation = nil
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -198,7 +198,6 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
-        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 

lib/devise/models/validatable.rb

@@ -30,7 +30,7 @@ module Devise
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
           if Devise.activerecord51?
-            validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
+            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
             validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
           else
             validates_uniqueness_of :email, allow_blank: true, if: :email_changed?

lib/devise/rails.rb

@@ -43,5 +43,11 @@ module Devise
           )
         end
     end
+
+    initializer "devise.zeitwerk" do
+      if Devise.rails6_and_up? && Rails.autoloaders.zeitwerk_enabled? && !Object.const_defined?(Devise.parent_mailer)
+        Rails.autoloaders.main.ignore("#{__dir__}/app/mailers/devise/mailer.rb")
+      end
+    end
   end
 end

lib/devise/rails/routes.rb

@@ -135,10 +135,10 @@ module ActionDispatch::Routing
     #  * failure_app: a rack app which is invoked whenever there is a failure. Strings representing a given
     #    are also allowed as parameter.
     #
-    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :get),
+    #  * sign_out_via: the HTTP method(s) accepted for the :sign_out action (default: :delete),
     #    if you wish to restrict this to accept only :post or :delete requests you should do:
     #
-    #      devise_for :users, sign_out_via: [:post, :delete]
+    #      devise_for :users, sign_out_via: [:get, :post]
     #
     #    You need to make sure that your sign_out controls trigger a request with a matching HTTP method.
     #

lib/devise/strategies/authenticatable.rb

@@ -28,7 +28,7 @@ module Devise
     private
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
-      # An optional block that will be triggered while validating can be optionally
+      # A block that will be triggered while validating can be optionally
       # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.6.1".freeze
+  VERSION = "4.7.1".freeze
 end

lib/generators/devise/views_generator.rb

@@ -42,7 +42,7 @@ module Devise
       def view_directory(name, _target_path = nil)
         directory name.to_s, _target_path || "#{target_path}/#{name}" do |content|
           if scope
-            content.gsub "devise/shared/links", "#{plural_scope}/shared/links"
+            content.gsub("devise/shared/links", "#{plural_scope}/shared/links").gsub("devise/shared/error_messages", "#{plural_scope}/shared/error_messages")
           else
             content
           end

lib/generators/templates/devise.rb

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
 
+# Assuming you have not yet modified this file, each configuration option below
+# is set to its default value. Note that some are commented out while others
+# are not: uncommented lines are intended to protect your configuration from
+# breaking changes in upgrades (i.e., in the event that future versions of
+# Devise change the default values for those options).
+#
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
@@ -103,7 +109,7 @@ Devise.setup do |config|
   # config.reload_routes = true
 
   # ==> Configuration for :database_authenticatable
-  # For bcrypt, this is the cost for hashing the password and defaults to 11. If
+  # For bcrypt, this is the cost for hashing the password and defaults to 12. If
   # using other algorithms, it sets how many times you want the password to be hashed.
   #
   # Limiting the stretches to just one in testing will increase the performance of
@@ -111,7 +117,7 @@ Devise.setup do |config|
   # a value less than 10 in other environments. Note that, for bcrypt (the default
   # algorithm), the cost increases exponentially with the number of stretches (e.g.
   # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
-  config.stretches = Rails.env.test? ? 1 : 11
+  config.stretches = Rails.env.test? ? 1 : 12
 
   # Set up a pepper to generate the hashed password.
   # config.pepper = '<%= SecureRandom.hex(64) %>'

lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -13,7 +13,10 @@
                 autofocus: true,
                 hint: ("#{@minimum_password_length} characters minimum" if @minimum_password_length),
                 input_html: { autocomplete: "new-password" } %>
-    <%= f.input :password_confirmation, label: "Confirm your new password", required: true %>
+    <%= f.input :password_confirmation,
+                label: "Confirm your new password",
+                required: true,
+                input_html: { autocomplete: "new-password" } %>
   </div>
 
   <div class="form-actions">

test/generators/views_generator_test.rb

@@ -11,16 +11,19 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     run_generator
     assert_files
     assert_shared_links
+    assert_error_messages
   end
 
   test "Assert all views are properly created with scope param" do
     run_generator %w(users)
     assert_files "users"
     assert_shared_links "users"
+    assert_error_messages "users"
 
     run_generator %w(admins)
     assert_files "admins"
     assert_shared_links "admins"
+    assert_error_messages "admins"
   end
 
   test "Assert views with simple form" do
@@ -88,6 +91,7 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_file "app/views/#{scope}/registrations/edit.html.erb"
     assert_file "app/views/#{scope}/sessions/new.html.erb"
     assert_file "app/views/#{scope}/shared/_links.html.erb"
+    assert_file "app/views/#{scope}/shared/_error_messages.html.erb"
     assert_file "app/views/#{scope}/unlocks/new.html.erb"
   end
 
@@ -102,4 +106,16 @@ class ViewsGeneratorTest < Rails::Generators::TestCase
     assert_file "app/views/#{scope}/sessions/new.html.erb", link
     assert_file "app/views/#{scope}/unlocks/new.html.erb", link
   end
+
+  def assert_error_messages(scope = nil)
+    scope = "devise" if scope.nil?
+    link = /<%= render \"#{scope}\/shared\/error_messages\", resource: resource %>/
+
+    assert_file "app/views/#{scope}/passwords/edit.html.erb", link
+    assert_file "app/views/#{scope}/passwords/new.html.erb", link
+    assert_file "app/views/#{scope}/confirmations/new.html.erb", link
+    assert_file "app/views/#{scope}/registrations/new.html.erb", link
+    assert_file "app/views/#{scope}/registrations/edit.html.erb", link
+    assert_file "app/views/#{scope}/unlocks/new.html.erb", link
+  end
 end

test/integration/authenticatable_test.rb

@@ -323,6 +323,14 @@ class AuthenticationRedirectTest < Devise::IntegrationTest
     visit new_user_session_path
     assert_equal flash[:alert], I18n.t("devise.failure.already_authenticated")
   end
+
+  test 'require_no_authentication should set the already_authenticated flash message as admin' do
+    store_translations :en, devise: { failure: { admin: { already_authenticated: 'You are already signed in as admin.' } } } do
+      sign_in_as_admin
+      visit new_admin_session_path
+      assert_equal flash[:alert], "You are already signed in as admin."
+    end
+  end
 end
 
 class AuthenticationSessionTest < Devise::IntegrationTest

test/integration/confirmable_test.rb

@@ -175,6 +175,36 @@ class ConfirmationTest < Devise::IntegrationTest
     assert_current_url '/users/sign_in'
   end
 
+  test "should not be able to confirm an email with a blank confirmation token" do
+    visit_user_confirmation_with_token("")
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm an email with a nil confirmation token" do
+    visit_user_confirmation_with_token(nil)
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm user with blank confirmation token" do
+    user = create_user(confirm: false)
+    user.update_attribute(:confirmation_token, "")
+
+    visit_user_confirmation_with_token("")
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
+  test "should not be able to confirm user with nil confirmation token" do
+    user = create_user(confirm: false)
+    user.update_attribute(:confirmation_token, nil)
+
+    visit_user_confirmation_with_token(nil)
+
+    assert_contain "Confirmation token can't be blank"
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, devise: {
       failure: { user: { unconfirmed: "Not confirmed user" } }

test/integration/trackable_test.rb

@@ -44,7 +44,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     assert_equal "127.0.0.1", user.last_sign_in_ip
   end
 
-  test "current remote ip returns original ip behind a non transparent proxy" do
+  test "current and last sign in remote ip returns original ip behind a non transparent proxy" do
     user = create_user
 
     arbitrary_ip = '200.121.1.69'
@@ -53,6 +53,7 @@ class TrackableHooksTest < Devise::IntegrationTest
     end
     user.reload
     assert_equal arbitrary_ip, user.current_sign_in_ip
+    assert_equal arbitrary_ip, user.last_sign_in_ip
   end
 
   test "increase sign in count" do

test/models/confirmable_test.rb

@@ -77,6 +77,24 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
   end
 
+  test 'should return a new record with errors when a blank token is given and a record exists on the database' do
+    user = create_user(confirmation_token: '')
+
+    confirmed_user = User.confirm_by_token('')
+
+    refute user.reload.confirmed?
+    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+  end
+
+  test 'should return a new record with errors when a nil token is given and a record exists on the database' do
+    user = create_user(confirmation_token: nil)
+
+    confirmed_user = User.confirm_by_token(nil)
+
+    refute user.reload.confirmed?
+    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+  end
+
   test 'should generate errors for a user email if user is already confirmed' do
     user = create_user
     user.confirmed_at = Time.now

test/models/database_authenticatable_test.rb

@@ -117,9 +117,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_nil user.authenticatable_salt
   end
 
-  test 'should set encrypted password to nil if password is nil' do
-    assert_nil new_user(password: nil).encrypted_password
-    assert_nil new_user(password: '').encrypted_password
+  test 'should not generate a hashed password if password is blank' do
+    assert_blank new_user(password: nil).encrypted_password
+    assert_blank new_user(password: '').encrypted_password
   end
 
   test 'should hash password again if password has changed' do
@@ -148,16 +148,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     refute user.valid_password?('654321')
   end
 
-  test 'should be invalid if the password is nil' do
-    user = new_user(password: nil)
-    refute user.valid_password?(nil)
-  end
-
-  test 'should be invalid if the password is blank' do
-    user = new_user(password: '')
-    refute user.valid_password?('')
-  end
-
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -317,11 +307,4 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       ]
     end
   end
-
-  test 'nil password should be invalid if password is set to nil' do
-    user = User.create(email: "HEllO@example.com", password: "12345678")
-    user.password = nil
-    refute user.valid_password?('12345678')
-    refute user.valid_password?(nil)
-  end
 end

test/orm/active_record.rb

@@ -5,7 +5,9 @@ ActiveRecord::Base.logger = Logger.new(nil)
 ActiveRecord::Base.include_root_in_json = true
 
 migrate_path = File.expand_path("../../rails_app/db/migrate/", __FILE__)
-if Devise::Test.rails52_and_up?
+if Devise::Test.rails6?
+  ActiveRecord::MigrationContext.new(migrate_path, ActiveRecord::SchemaMigration).migrate
+elsif Devise::Test.rails52_and_up?
   ActiveRecord::MigrationContext.new(migrate_path).migrate
 else
   ActiveRecord::Migrator.migrate(migrate_path)

test/rails_app/app/views/admins/sessions/new.html.erb

@@ -1,2 +1,2 @@
 Welcome to "sessions/new" view!
-<%= render file: "devise/sessions/new" %>
+<%= render template: "devise/sessions/new" %>

test/rails_app/config/application.rb

@@ -45,9 +45,13 @@ module RailsApp
       Devise::SessionsController.layout "application"
     end
 
-    # Remove this check once Rails 5.0 support is removed.
-    if Devise::Test.rails52_and_up?
+    # Remove the first check once Rails 5.0 support is removed.
+    if Devise::Test.rails52_and_up? && !Devise::Test.rails6?
       Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
     end
+
+    if Devise.rails6_and_up?
+      config.autoloader = :zeitwerk
+    end
   end
 end

test/rails_app/config/boot.rb

@@ -6,8 +6,12 @@ end
 
 module Devise
   module Test
-    # Detection for minor differences between Rails 4 and 5, 5.1, and 5.2 in tests.
+    # Detection for minor differences between Rails versions in tests.
     
+    def self.rails6?
+      Rails.version.start_with? '6'
+    end
+
     def self.rails52_and_up?
       Rails::VERSION::MAJOR > 5 || rails52?
     end

test/rails_app/config/initializers/devise.rb

@@ -3,6 +3,12 @@
 require "omniauth-facebook"
 require "omniauth-openid"
 
+# Assuming you have not yet modified this file, each configuration option below
+# is set to its default value. Note that some are commented out while others
+# are not: uncommented lines are intended to protect your configuration from
+# breaking changes in upgrades (i.e., in the event that future versions of
+# Devise change the default values for those options).
+#
 # Use this hook to configure devise mailer, warden hooks and so forth. The first
 # four configuration values can also be set straight in your models.
 Devise.setup do |config|

test/rails_test.rb

@@ -8,4 +8,24 @@ class RailsTest < ActiveSupport::TestCase
     assert_equal :load_config_initializers, initializer.after
     assert_equal :build_middleware_stack, initializer.before
   end
+
+  test 'ignore devise mailer loading when ActionMailer is not defined with zeitwerk' do
+    if Devise.rails6_and_up?
+      begin
+        swap Devise, parent_mailer: 'NotDefinedParentMailer' do
+          Devise::Engine.initializers.detect { |initializer| initializer.name == 'devise.zeitwerk' }.block.call
+          assert Rails.autoloaders.main.ignored_glob_patterns.any? { |pattern| pattern.include?("mailer.rb") }
+        end
+      ensure
+        Rails.autoloaders.main.instance_variable_set(:@ignored_glob_patterns, Set.new)
+      end
+    end
+  end
+
+  test 'load devise mailer file when Devise.parent_mailer is defined with zeitwerk' do
+    if Devise.rails6_and_up?
+      Devise::Engine.initializers.detect { |initializer| initializer.name == 'devise.zeitwerk' }.block.call
+      refute Rails.autoloaders.main.ignored_glob_patterns.any? { |pattern| pattern.include?("mailer.rb") }
+    end
+  end
 end

test/test/controller_helpers_test.rb

@@ -102,7 +102,12 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
 
   test "returns the content type of a failure app" do
     get :index, params: { format: :xml }
-    assert response.content_type.include?('application/xml')
+
+    if Devise::Test.rails6?
+      assert response.media_type.include?('application/xml')
+    else
+      assert response.content_type.include?('application/xml')
+    end
   end
 
   test "defined Warden after_authentication callback should not be called when sign_in is called" do