Prepare for 4.6.2 release

Reverts both "[#4245] Allow password to nil (#4261)" and "Add more tests (#4970)"

CHANGELOG.md

@@ -1,5 +1,10 @@
 ### Unreleased
 
+### 4.6.2 - 2019-03-26
+
+* bug fixes
+  * Revert "Set `encrypted_password` to `nil` when `password` is set to `nil`" since it broke backward compatibility with existing applications. See more on https://github.com/plataformatec/devise/issues/5033#issuecomment-476386275 (by @mracos)
+
 ### 4.6.1 - 2019-02-11
 
 * bug fixes

Gemfile.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)

ISSUE_TEMPLATE.md

@@ -2,6 +2,7 @@
 
 - Do not use the issues tracker for help or support, try Stack Overflow.
 - For bugs, do a quick search and make sure the bug has not yet been reported
+- If you found a security bug, do not report it through GitHub. Please send an e-mail to opensource@plataformatec.com.br instead.
 - Finally, be nice and have fun!
 
 ## Environment

README.md

@@ -56,6 +56,7 @@ It's composed of 10 modules:
 	- [ActiveJob Integration](#activejob-integration)
 	- [Password reset tokens and Rails logs](#password-reset-tokens-and-rails-logs)
 	- [Other ORMs](#other-orms)
+	- [Rails API mode](#rails-api-mode)
 - [Additional information](#additional-information)
 	- [Heroku](#heroku)
 	- [Warden](#warden)
@@ -619,7 +620,7 @@ are executed in your tests.
 
 You can read more about testing your Rails 3 - Rails 4 controllers with RSpec in the wiki:
 
-* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29
+* https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec)
 
 ### OmniAuth
 
@@ -694,6 +695,17 @@ config.log_level = :warn
 
 Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file.
 
+### Rails API Mode
+
+Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). One of the side effects is that it changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb:
+
+```ruby
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies
+Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore
+```
+
+For a deeper understanding of this, review [this issue](https://github.com/plataformatec/devise/issues/4696).
+
 ## Additional information
 
 ### Heroku

gemfiles/Gemfile.rails-4.1-stable

@@ -8,6 +8,8 @@ gem "rails", github: "rails/rails", branch: "4-1-stable"
 gem "omniauth"
 gem "omniauth-oauth2"
 gem "rdoc", "~> 5.1"
+# Force this version because it's breaking on CI since a higher nokogiri version requires Ruby 2.3+.
+gem "nokogiri", "1.9.1"
 
 group :test do
   gem "omniauth-facebook"

gemfiles/Gemfile.rails-4.1-stable.lock

@@ -21,7 +21,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)
@@ -72,7 +72,7 @@ GEM
     mime-types (3.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
+    mini_portile2 (2.4.0)
     minitest (5.10.1)
     mocha (1.2.1)
       metaclass (~> 0.0.1)
@@ -88,8 +88,8 @@ GEM
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
+    nokogiri (1.9.1)
+      mini_portile2 (~> 2.4.0)
     oauth2 (1.3.1)
       faraday (>= 0.8, < 0.12)
       jwt (~> 1.0)
@@ -158,6 +158,7 @@ DEPENDENCIES
   jruby-openssl
   mocha (~> 1.1)
   mongoid (~> 4.0)
+  nokogiri (= 1.9.1)
   omniauth
   omniauth-facebook
   omniauth-oauth2

gemfiles/Gemfile.rails-4.2-stable.lock

@@ -57,7 +57,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)

gemfiles/Gemfile.rails-5.0-stable.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)

gemfiles/Gemfile.rails-5.2-stable.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)

gemfiles/Gemfile.rails-6.0-beta.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (4.6.1)
+    devise (4.6.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0, < 6.0)

lib/devise/models/database_authenticatable.rb

@@ -60,7 +60,7 @@ module Devise
       # the hashed password.
       def password=(new_password)
         @password = new_password
-        self.encrypted_password = password_digest(@password) 
+        self.encrypted_password = password_digest(@password) if @password.present?
       end
 
       # Verifies whether a password (ie from sign in) is the user password.
@@ -70,7 +70,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        @password = @password_confirmation = nil
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise
@@ -198,7 +198,6 @@ module Devise
       # See https://github.com/plataformatec/devise-encryptable for examples
       # of other hashing engines.
       def password_digest(password)
-        return if password.blank?
         Devise::Encryptor.digest(self.class, password)
       end
 

lib/devise/strategies/authenticatable.rb

@@ -28,7 +28,7 @@ module Devise
     private
 
       # Receives a resource and check if it is valid by calling valid_for_authentication?
-      # An optional block that will be triggered while validating can be optionally
+      # A block that will be triggered while validating can be optionally
       # given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
       # for more information.
       #

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.6.1".freeze
+  VERSION = "4.6.2".freeze
 end

test/models/database_authenticatable_test.rb

@@ -117,9 +117,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_nil user.authenticatable_salt
   end
 
-  test 'should set encrypted password to nil if password is nil' do
-    assert_nil new_user(password: nil).encrypted_password
-    assert_nil new_user(password: '').encrypted_password
+  test 'should not generate a hashed password if password is blank' do
+    assert_blank new_user(password: nil).encrypted_password
+    assert_blank new_user(password: '').encrypted_password
   end
 
   test 'should hash password again if password has changed' do
@@ -148,16 +148,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     refute user.valid_password?('654321')
   end
 
-  test 'should be invalid if the password is nil' do
-    user = new_user(password: nil)
-    refute user.valid_password?(nil)
-  end
-
-  test 'should be invalid if the password is blank' do
-    user = new_user(password: '')
-    refute user.valid_password?('')
-  end
-
   test 'should respond to current password' do
     assert new_user.respond_to?(:current_password)
   end
@@ -317,11 +307,4 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
       ]
     end
   end
-
-  test 'nil password should be invalid if password is set to nil' do
-    user = User.create(email: "HEllO@example.com", password: "12345678")
-    user.password = nil
-    refute user.valid_password?('12345678')
-    refute user.valid_password?(nil)
-  end
 end