Release v4.9.1

Improve support for Devise in apps with multiple ORMs loaded

CHANGELOG.md

@@ -1,6 +1,18 @@
 ### Unreleased
 
 
+
+### 4.9.1 - 2023-03-31
+
+* enhancements
+  * Allow resource class scopes to override the global configuration for `sign_in_after_reset_password` behaviour. [#5429](https://github.com/heartcombo/devise/pull/5429) [@mattr](https://github.com/mattr)
+  * Refactor conditional dirty tracking logic to a centralized module to simplify usage throughout the codebase. [#5575](https://github.com/heartcombo/devise/pull/5575)
+  * Improve support for Devise in apps with Active Record and Mongoid ORMs loaded, so it does not incorrectly uses new Active Record dirty tracking APIs with a Mongoid Devise model. [#5576](https://github.com/heartcombo/devise/pull/5576)
+
+* bug fixes
+  * Failure app will respond with configured `redirect_status` instead of `error_status` if the recall app returns a redirect status (300..399) [#5573](https://github.com/heartcombo/devise/pull/5573)
+  * Fix frozen string exception in validatable. [#5563](https://github.com/heartcombo/devise/pull/5563) [#5465](https://github.com/heartcombo/devise/pull/5465) [@mameier](https://github.com/mameier)
+
 ### 4.9.0 - 2023-02-17
 
 * enhancements

Gemfile

@@ -14,7 +14,6 @@ gem "rails-controller-testing", github: "rails/rails-controller-testing"
 gem "responders", "~> 3.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"

Gemfile.lock

@@ -10,7 +10,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (4.9.0)
+    devise (4.9.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -20,74 +20,74 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actioncable (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activejob (= 7.0.4.2)
-      activerecord (= 7.0.4.2)
-      activestorage (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionmailbox (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      actionview (= 7.0.4.2)
-      activejob (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionmailer (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      actionview (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (7.0.4.2)
-      actionview (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionpack (7.0.4.3)
+      actionview (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       rack (~> 2.0, >= 2.2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activerecord (= 7.0.4.2)
-      activestorage (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actiontext (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionview (7.0.4.3)
+      activesupport (= 7.0.4.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.4.2)
-      activesupport (= 7.0.4.2)
+    activejob (7.0.4.3)
+      activesupport (= 7.0.4.3)
       globalid (>= 0.3.6)
-    activemodel (7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activerecord (7.0.4.2)
-      activemodel (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activestorage (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activejob (= 7.0.4.2)
-      activerecord (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    activemodel (7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activerecord (7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activestorage (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (7.0.4.2)
+    activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
     bcrypt (3.1.18)
     builder (3.2.4)
-    concurrent-ruby (1.2.0)
+    concurrent-ruby (1.2.2)
     crass (1.0.6)
     date (3.3.3)
     erubi (1.12.0)
@@ -100,11 +100,11 @@ GEM
     hashie (5.0.0)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.6.0)
+    jwt (2.7.0)
     loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.8.0.1)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
@@ -112,8 +112,8 @@ GEM
     marcel (1.0.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
-    mini_portile2 (2.6.1)
-    minitest (5.17.0)
+    mini_portile2 (2.8.1)
+    minitest (5.18.0)
     mocha (1.16.1)
     multi_xml (0.6.0)
     net-imap (0.3.4)
@@ -126,8 +126,8 @@ GEM
     net-smtp (0.3.3)
       net-protocol
     nio4r (2.5.8)
-    nokogiri (1.12.5)
-      mini_portile2 (~> 2.6.1)
+    nokogiri (1.14.2)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -149,39 +149,39 @@ GEM
       omniauth (>= 1.0, < 3.0)
       rack-openid (~> 1.4.0)
     orm_adapter (0.5.0)
-    psych (5.0.2)
+    psych (5.1.0)
       stringio
     racc (1.6.2)
-    rack (2.2.6.2)
+    rack (2.2.6.4)
     rack-openid (1.4.2)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
     rack-protection (3.0.5)
       rack
-    rack-test (2.0.2)
+    rack-test (2.1.0)
       rack (>= 1.3)
-    rails (7.0.4.2)
-      actioncable (= 7.0.4.2)
-      actionmailbox (= 7.0.4.2)
-      actionmailer (= 7.0.4.2)
-      actionpack (= 7.0.4.2)
-      actiontext (= 7.0.4.2)
-      actionview (= 7.0.4.2)
-      activejob (= 7.0.4.2)
-      activemodel (= 7.0.4.2)
-      activerecord (= 7.0.4.2)
-      activestorage (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    rails (7.0.4.3)
+      actioncable (= 7.0.4.3)
+      actionmailbox (= 7.0.4.3)
+      actionmailer (= 7.0.4.3)
+      actionpack (= 7.0.4.3)
+      actiontext (= 7.0.4.3)
+      actionview (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       bundler (>= 1.15.0)
-      railties (= 7.0.4.2)
+      railties (= 7.0.4.3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.5.0)
       loofah (~> 2.19, >= 2.19.1)
-    railties (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    railties (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -198,14 +198,15 @@ GEM
     snaky_hash (2.0.1)
       hashie
       version_gem (~> 1.1, >= 1.1.1)
-    sqlite3 (1.4.4)
-    stringio (3.0.4)
+    sqlite3 (1.6.1)
+      mini_portile2 (~> 2.8.0)
+    stringio (3.0.5)
     thor (1.2.1)
     timecop (0.9.6)
-    timeout (0.3.1)
-    tzinfo (2.0.5)
+    timeout (0.3.2)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    version_gem (1.1.1)
+    version_gem (1.1.2)
     warden (1.2.9)
       rack (>= 2.0.9)
     webrat (0.7.3)
@@ -215,7 +216,7 @@ GEM
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
-    zeitwerk (2.6.6)
+    zeitwerk (2.6.7)
 
 PLATFORMS
   ruby
@@ -223,7 +224,6 @@ PLATFORMS
 DEPENDENCIES
   devise!
   mocha (~> 1.1)
-  nokogiri (< 1.13)
   omniauth
   omniauth-facebook
   omniauth-oauth2

README.md

@@ -382,7 +382,7 @@ $ rails generate devise:views users
 ```
 
 If you would like to generate only a few sets of views, like the ones for the `registerable` and `confirmable` module,
-you can pass a list of modules to the generator with the `-v` flag.
+you can pass a list of views to the generator with the `-v` flag.
 
 ```console
 $ rails generate devise:views -v registrations confirmations
@@ -410,7 +410,7 @@ If the customization at the views level is not enough, you can customize each co
       ...
     end
     ```
-    (Use the -c flag to specify a controller, for example: `rails generate devise:controllers users -c=sessions`)
+    Use the `-c` flag to specify one or more controllers, for example: `rails generate devise:controllers users -c sessions`)
 
 2. Tell the router to use this controller:
 
@@ -418,7 +418,7 @@ If the customization at the views level is not enough, you can customize each co
     devise_for :users, controllers: { sessions: 'users/sessions' }
     ```
 
-3. Copy the views from `devise/sessions` to `users/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.
+3. Recommended but not required: copy (or move) the views from `devise/sessions` to `users/sessions`. Rails will continue using the views from `devise/sessions` due to inheritance if you skip this step, but having the views matching the controller(s) keeps things consistent.
 
 4. Finally, change or extend the desired controller actions.
 

app/controllers/devise/passwords_controller.rb

@@ -36,7 +36,7 @@ class Devise::PasswordsController < DeviseController
 
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
-      if Devise.sign_in_after_reset_password
+      if resource_class.sign_in_after_reset_password
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message!(:notice, flash_message)
         resource.after_database_authentication
@@ -53,7 +53,7 @@ class Devise::PasswordsController < DeviseController
 
   protected
     def after_resetting_password_path_for(resource)
-      Devise.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
+      resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
     end
 
     # The path used after sending reset password instructions

gemfiles/Gemfile-rails-5-0

@@ -14,7 +14,6 @@ gem "rails-controller-testing"
 gem "responders", "~> 2.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "timecop"

gemfiles/Gemfile-rails-5-1

@@ -12,7 +12,6 @@ gem "rails-controller-testing"
 gem "responders", "~> 2.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "timecop"

gemfiles/Gemfile-rails-5-2

@@ -12,7 +12,6 @@ gem "rails-controller-testing"
 gem "responders", "~> 2.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "timecop"

gemfiles/Gemfile-rails-6-0

@@ -12,7 +12,6 @@ gem "rails-controller-testing", github: "rails/rails-controller-testing"
 gem "responders", "~> 3.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"

gemfiles/Gemfile-rails-6-1

@@ -18,7 +18,6 @@ if RUBY_VERSION >= "3.1"
 end
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"

gemfiles/Gemfile-rails-main

@@ -12,7 +12,6 @@ gem "rails-controller-testing", github: "rails/rails-controller-testing"
 gem "responders", "~> 3.1"
 
 group :test do
-  gem "nokogiri", "< 1.13"
   gem "omniauth-facebook"
   gem "omniauth-openid"
   gem "rexml"

lib/devise.rb

@@ -13,6 +13,7 @@ module Devise
   autoload :Encryptor,          'devise/encryptor'
   autoload :FailureApp,         'devise/failure_app'
   autoload :OmniAuth,           'devise/omniauth'
+  autoload :Orm,                'devise/orm'
   autoload :ParameterFilter,    'devise/parameter_filter'
   autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
   autoload :TestHelpers,        'devise/test_helpers'
@@ -307,10 +308,6 @@ module Devise
   mattr_accessor :sign_in_after_change_password
   @@sign_in_after_change_password = true
 
-  def self.activerecord51? # :nodoc:
-    defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
-  end
-
   # Default way to set up Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup

lib/devise/failure_app.rb

@@ -72,7 +72,9 @@ module Devise
 
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(request.env).tap { |response|
-        response[0] = Rack::Utils.status_code(Devise.responder.error_status)
+        response[0] = Rack::Utils.status_code(
+          response[0].in?(300..399) ? Devise.responder.redirect_status : Devise.responder.error_status
+        )
       }
     end
 

lib/devise/models.rb

@@ -84,6 +84,7 @@ module Devise
       end
 
       devise_modules_hook! do
+        include Devise::Orm
         include Devise::Models::Authenticatable
 
         selected_modules.each do |m|

lib/devise/models/confirmable.rb

@@ -48,7 +48,7 @@ module Devise
       included do
         before_create :generate_confirmation_token, if: :confirmation_required?
         after_create :skip_reconfirmation_in_callback!, if: :send_confirmation_notification?
-        if defined?(ActiveRecord) && self < ActiveRecord::Base # ActiveRecord
+        if Devise::Orm.active_record?(self) # ActiveRecord
           after_commit :send_on_create_confirmation_instructions, on: :create, if: :send_confirmation_notification?
           after_commit :send_reconfirmation_instructions, on: :update, if: :reconfirmation_required?
         else # Mongoid
@@ -258,44 +258,23 @@ module Devise
           generate_confirmation_token && save(validate: false)
         end
 
-        if Devise.activerecord51?
-          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
-            @reconfirmation_required = true
-            self.unconfirmed_email = self.email
-            self.email = self.email_in_database
-            self.confirmation_token = nil
-            generate_confirmation_token
-          end
-        else
-          def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
-            @reconfirmation_required = true
-            self.unconfirmed_email = self.email
-            self.email = self.email_was
-            self.confirmation_token = nil
-            generate_confirmation_token
-          end
+
+        def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+          @reconfirmation_required = true
+          self.unconfirmed_email = self.email
+          self.email = self.devise_email_in_database
+          self.confirmation_token = nil
+          generate_confirmation_token
         end
 
-        if Devise.activerecord51?
-          def postpone_email_change?
-            postpone = self.class.reconfirmable &&
-              will_save_change_to_email? &&
-              !@bypass_confirmation_postpone &&
-              self.email.present? &&
-              (!@skip_reconfirmation_in_callback || !self.email_in_database.nil?)
-            @bypass_confirmation_postpone = false
-            postpone
-          end
-        else
-          def postpone_email_change?
-            postpone = self.class.reconfirmable &&
-              email_changed? &&
-              !@bypass_confirmation_postpone &&
-              self.email.present? &&
-              (!@skip_reconfirmation_in_callback || !self.email_was.nil?)
-            @bypass_confirmation_postpone = false
-            postpone
-          end
+        def postpone_email_change?
+          postpone = self.class.reconfirmable &&
+            devise_will_save_change_to_email? &&
+            !@bypass_confirmation_postpone &&
+            self.email.present? &&
+            (!@skip_reconfirmation_in_callback || !self.devise_email_in_database.nil?)
+          @bypass_confirmation_postpone = false
+          postpone
         end
 
         def reconfirmation_required?

lib/devise/models/database_authenticatable.rb

@@ -177,16 +177,9 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
-      if Devise.activerecord51?
-        # Send notification to user when email changes.
-        def send_email_changed_notification
-          send_devise_notification(:email_changed, to: email_before_last_save)
-        end
-      else
-        # Send notification to user when email changes.
-        def send_email_changed_notification
-          send_devise_notification(:email_changed, to: email_was)
-        end
+      # Send notification to user when email changes.
+      def send_email_changed_notification
+        send_devise_notification(:email_changed, to: devise_email_before_last_save)
       end
 
       # Send notification to user when password changes.
@@ -205,24 +198,12 @@ module Devise
         Devise::Encryptor.digest(self.class, password)
       end
 
-      if Devise.activerecord51?
-        def send_email_changed_notification?
-          self.class.send_email_changed_notification && saved_change_to_email? && !@skip_email_changed_notification
-        end
-      else
-        def send_email_changed_notification?
-          self.class.send_email_changed_notification && email_changed? && !@skip_email_changed_notification
-        end
+      def send_email_changed_notification?
+        self.class.send_email_changed_notification && devise_saved_change_to_email? && !@skip_email_changed_notification
       end
 
-      if Devise.activerecord51?
-        def send_password_change_notification?
-          self.class.send_password_change_notification && saved_change_to_encrypted_password? && !@skip_password_change_notification
-        end
-      else
-        def send_password_change_notification?
-          self.class.send_password_change_notification && encrypted_password_changed? && !@skip_password_change_notification
-        end
+      def send_password_change_notification?
+        self.class.send_password_change_notification && devise_saved_change_to_encrypted_password? && !@skip_password_change_notification
       end
 
       module ClassMethods

lib/devise/models/recoverable.rb

@@ -99,24 +99,13 @@ module Devise
           send_devise_notification(:reset_password_instructions, token, {})
         end
 
-        if Devise.activerecord51?
-          def clear_reset_password_token?
-            encrypted_password_changed = respond_to?(:will_save_change_to_encrypted_password?) && will_save_change_to_encrypted_password?
-            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
-              respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
-            end
-
-            authentication_keys_changed || encrypted_password_changed
+        def clear_reset_password_token?
+          encrypted_password_changed = devise_respond_to_and_will_save_change_to_attribute?(:encrypted_password)
+          authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
+            devise_respond_to_and_will_save_change_to_attribute?(attribute)
           end
-        else
-          def clear_reset_password_token?
-            encrypted_password_changed = respond_to?(:encrypted_password_changed?) && encrypted_password_changed?
-            authentication_keys_changed = self.class.authentication_keys.any? do |attribute|
-              respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
-            end
 
-            authentication_keys_changed || encrypted_password_changed
-          end
+          authentication_keys_changed || encrypted_password_changed
         end
 
       module ClassMethods

lib/devise/models/validatable.rb

@@ -29,13 +29,8 @@ module Devise
 
         base.class_eval do
           validates_presence_of   :email, if: :email_required?
-          if Devise.activerecord51?
-            validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :will_save_change_to_email?
-            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :will_save_change_to_email?
-          else
-            validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-            validates_format_of     :email, with: email_regexp, allow_blank: true, if: :email_changed?
-          end
+          validates_uniqueness_of :email, allow_blank: true, case_sensitive: true, if: :devise_will_save_change_to_email?
+          validates_format_of     :email, with: email_regexp, allow_blank: true, if: :devise_will_save_change_to_email?
 
           validates_presence_of     :password, if: :password_required?
           validates_confirmation_of :password, if: :password_required?
@@ -47,7 +42,7 @@ module Devise
         unavailable_validations = VALIDATIONS.select { |v| !base.respond_to?(v) }
 
         unless unavailable_validations.empty?
-          raise "Could not use :validatable module since #{base} does not respond " <<
+          raise "Could not use :validatable module since #{base} does not respond " \
                 "to the following methods: #{unavailable_validations.to_sentence}."
         end
       end

lib/devise/orm.rb

@@ -0,0 +1,71 @@
+module Devise
+  module Orm # :nodoc:
+    def self.active_record?(model)
+      defined?(ActiveRecord) && model < ActiveRecord::Base
+    end
+
+    def self.active_record_51?(model)
+      active_record?(model) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
+    end
+
+    def self.included(model)
+      if Devise::Orm.active_record_51?(model)
+        model.include DirtyTrackingNewMethods
+      else
+        model.include DirtyTrackingOldMethods
+      end
+    end
+
+    module DirtyTrackingNewMethods
+      def devise_email_before_last_save
+        email_before_last_save
+      end
+
+      def devise_email_in_database
+        email_in_database
+      end
+
+      def devise_saved_change_to_email?
+        saved_change_to_email?
+      end
+
+      def devise_saved_change_to_encrypted_password?
+        saved_change_to_encrypted_password?
+      end
+
+      def devise_will_save_change_to_email?
+        will_save_change_to_email?
+      end
+
+      def devise_respond_to_and_will_save_change_to_attribute?(attribute)
+        respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
+      end
+    end
+
+    module DirtyTrackingOldMethods
+      def devise_email_before_last_save
+        email_was
+      end
+
+      def devise_email_in_database
+        email_was
+      end
+
+      def devise_saved_change_to_email?
+        email_changed?
+      end
+
+      def devise_saved_change_to_encrypted_password?
+        encrypted_password_changed?
+      end
+
+      def devise_will_save_change_to_email?
+        email_changed?
+      end
+
+      def devise_respond_to_and_will_save_change_to_attribute?(attribute)
+        respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
+      end
+    end
+  end
+end

lib/devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Devise
-  VERSION = "4.9.0".freeze
+  VERSION = "4.9.1".freeze
 end

test/controllers/helper_methods_test.rb

@@ -14,8 +14,8 @@ class HelperMethodsTest < Devise::ControllerTestCase
   end
 
   test 'does not respond_to helper or helper_method' do
-    refute_respond_to @controller.class, :helper
-    refute_respond_to @controller.class, :helper_method
+    assert_not_respond_to @controller.class, :helper
+    assert_not_respond_to @controller.class, :helper_method
   end
 
   test 'defines methods like current_user' do

test/controllers/helpers_test.rb

@@ -98,7 +98,7 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
 
   test 'proxy admin_signed_in? to authenticatewith admin scope' do
     @mock_warden.expects(:authenticate).with(scope: :admin)
-    refute @controller.admin_signed_in?
+    assert_not @controller.admin_signed_in?
   end
 
   test 'proxy publisher_account_signed_in? to authenticate with namespaced publisher account scope' do
@@ -319,10 +319,10 @@ class ControllerAuthenticatableTest < Devise::ControllerTestCase
 
   test 'is_flashing_format? is guarded against flash (middleware) not being loaded' do
     @controller.request.expects(:respond_to?).with(:flash).returns(false)
-    refute @controller.is_flashing_format?
+    assert_not @controller.is_flashing_format?
   end
 
   test 'is not a devise controller' do
-    refute @controller.devise_controller?
+    assert_not @controller.devise_controller?
   end
 end

test/controllers/internal_helpers_test.rb

@@ -121,7 +121,7 @@ class HelpersTest < Devise::ControllerTestCase
     MyController.send(:public, :navigational_formats)
 
     swap Devise, navigational_formats: ['*/*', :html] do
-      refute @controller.navigational_formats.include?("*/*")
+      assert_not @controller.navigational_formats.include?("*/*")
     end
 
     MyController.send(:protected, :navigational_formats)

test/devise_test.rb

@@ -71,8 +71,8 @@ class DeviseTest < ActiveSupport::TestCase
   test 'add new module using the helper method' do
     Devise.add_module(:coconut)
     assert_equal 1, Devise::ALL.select { |v| v == :coconut }.size
-    refute Devise::STRATEGIES.include?(:coconut)
-    refute defined?(Devise::Models::Coconut)
+    assert_not Devise::STRATEGIES.include?(:coconut)
+    assert_not defined?(Devise::Models::Coconut)
     Devise::ALL.delete(:coconut)
 
     Devise.add_module(:banana, strategy: :fruits)
@@ -88,11 +88,11 @@ class DeviseTest < ActiveSupport::TestCase
 
   test 'should complain when comparing empty or different sized passes' do
     [nil, ""].each do |empty|
-      refute Devise.secure_compare(empty, "something")
-      refute Devise.secure_compare("something", empty)
-      refute Devise.secure_compare(empty, empty)
+      assert_not Devise.secure_compare(empty, "something")
+      assert_not Devise.secure_compare("something", empty)
+      assert_not Devise.secure_compare(empty, empty)
     end
-    refute Devise.secure_compare("size_1", "size_four")
+    assert_not Devise.secure_compare("size_1", "size_four")
   end
 
   test 'Devise.email_regexp should match valid email addresses' do

test/failure_app_test.rb

@@ -371,6 +371,59 @@ class FailureTest < ActiveSupport::TestCase
         end
       end
     end
+
+    # TODO: remove conditional/else when supporting only responders 3.1+
+    if ActionController::Responder.respond_to?(:error_status=)
+      test 'respects the configured responder `error_status` for the status code' do
+        swap Devise.responder, error_status: :unprocessable_entity do
+          env = {
+            "warden.options" => { recall: "devise/sessions#new", attempted_path: "/users/sign_in" },
+            "devise.mapping" => Devise.mappings[:user],
+            "warden" => stub_everything
+          }
+          call_failure(env)
+
+          assert_equal 422, @response.first
+          assert_includes @response.third.body, 'Invalid Email or password.'
+        end
+      end
+
+      test 'respects the configured responder `redirect_status` if the recall app returns a redirect status code' do
+        swap Devise.responder, redirect_status: :see_other do
+          env = {
+            "warden.options" => { recall: "devise/registrations#cancel", attempted_path: "/users/cancel" },
+            "devise.mapping" => Devise.mappings[:user],
+            "warden" => stub_everything
+          }
+          call_failure(env)
+
+          assert_equal 303, @response.first
+        end
+      end
+    else
+      test 'uses default hardcoded responder `error_status` for the status code since responders version does not support configuring it' do
+        env = {
+          "warden.options" => { recall: "devise/sessions#new", attempted_path: "/users/sign_in" },
+          "devise.mapping" => Devise.mappings[:user],
+          "warden" => stub_everything
+        }
+        call_failure(env)
+
+        assert_equal 200, @response.first
+        assert_includes @response.third.body, 'Invalid Email or password.'
+      end
+
+      test 'users default hardcoded responder `redirect_status` for the status code since responders version does not support configuring it' do
+        env = {
+          "warden.options" => { recall: "devise/registrations#cancel", attempted_path: "/users/cancel" },
+          "devise.mapping" => Devise.mappings[:user],
+          "warden" => stub_everything
+        }
+        call_failure(env)
+
+        assert_equal 302, @response.first
+      end
+    end
   end
 
   context "Lazy loading" do

test/integration/authenticatable_test.rb

@@ -6,7 +6,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
   test 'sign in should not run model validations' do
     sign_in_as_user
 
-    refute User.validations_performed
+    assert_not User.validations_performed
   end
 
   test 'home should be accessible without sign in' do
@@ -18,13 +18,13 @@ class AuthenticationSanityTest < Devise::IntegrationTest
   test 'sign in as user should not authenticate admin scope' do
     sign_in_as_user
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'sign in as admin should not authenticate user scope' do
     sign_in_as_admin
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'sign in as both user and admin at same time' do
@@ -39,7 +39,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_user
       sign_in_as_admin
       delete destroy_user_session_path
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
       assert warden.authenticated?(:admin)
     end
   end
@@ -50,7 +50,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_admin
 
       delete destroy_admin_session_path
-      refute warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:admin)
       assert warden.authenticated?(:user)
     end
   end
@@ -61,8 +61,8 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_admin
 
       delete destroy_user_session_path
-      refute warden.authenticated?(:user)
-      refute warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
     end
   end
 
@@ -72,21 +72,21 @@ class AuthenticationSanityTest < Devise::IntegrationTest
       sign_in_as_admin
 
       delete destroy_admin_session_path
-      refute warden.authenticated?(:admin)
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:user)
     end
   end
 
   test 'not signed in as admin should not be able to access admins actions' do
     get admins_path
     assert_redirected_to new_admin_session_path
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'signed in as user should not be able to access admins actions' do
     sign_in_as_user
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
 
     get admins_path
     assert_redirected_to new_admin_session_path
@@ -95,7 +95,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
   test 'signed in as admin should be able to access admin actions' do
     sign_in_as_admin
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     get admins_path
 
@@ -123,7 +123,7 @@ class AuthenticationSanityTest < Devise::IntegrationTest
 
     get root_path
     assert_contain 'Signed out successfully'
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'unauthenticated admin set message on sign out' do
@@ -146,13 +146,13 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'not signed in should not be able to access private route (authenticate denied)' do
     get private_path
     assert_redirected_to new_admin_session_path
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'signed in as user should not be able to access private route restricted to admins (authenticate denied)' do
     sign_in_as_user
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
     get private_path
     assert_redirected_to new_admin_session_path
   end
@@ -160,7 +160,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as admin should be able to access private route restricted to admins (authenticate accepted)' do
     sign_in_as_admin
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     get private_path
 
@@ -172,7 +172,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as inactive admin should not be able to access private/active route restricted to active admins (authenticate denied)' do
     sign_in_as_admin(active: false)
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     assert_raises ActionController::RoutingError do
       get "/private/active"
@@ -182,7 +182,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as active admin should be able to access private/active route restricted to active admins (authenticate accepted)' do
     sign_in_as_admin(active: true)
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     get private_active_path
 
@@ -194,7 +194,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as admin should get admin dashboard (authenticated accepted)' do
     sign_in_as_admin
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     get dashboard_path
 
@@ -206,7 +206,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as user should get user dashboard (authenticated accepted)' do
     sign_in_as_user
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
 
     get dashboard_path
 
@@ -224,7 +224,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as inactive admin should not be able to access dashboard/active route restricted to active admins (authenticated denied)' do
     sign_in_as_admin(active: false)
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     assert_raises ActionController::RoutingError do
       get "/dashboard/active"
@@ -234,7 +234,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in as active admin should be able to access dashboard/active route restricted to active admins (authenticated accepted)' do
     sign_in_as_admin(active: true)
     assert warden.authenticated?(:admin)
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     get dashboard_active_path
 
@@ -246,7 +246,7 @@ class AuthenticationRoutesRestrictions < Devise::IntegrationTest
   test 'signed in user should not see unauthenticated page (unauthenticated denied)' do
     sign_in_as_user
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
 
     assert_raises ActionController::RoutingError do
       get join_path
@@ -397,7 +397,7 @@ class AuthenticationWithScopedViewsTest < Devise::IntegrationTest
       end
 
       assert_match %r{Special user view}, response.body
-      assert !Devise::PasswordsController.scoped_views?
+      assert_not Devise::PasswordsController.scoped_views?
     ensure
       Devise::SessionsController.send :remove_instance_variable, :@scoped_views
     end
@@ -424,13 +424,13 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
     swap ApplicationController, allow_forgery_protection: true do
       post exhibit_user_url(1)
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
 
       sign_in_as_user
       assert warden.authenticated?(:user)
 
       post exhibit_user_url(1)
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
       assert_equal "User is not authenticated", response.body
     end
   end
@@ -485,7 +485,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
   test 'uses the mapping from router' do
     sign_in_as_user visit: "/as/sign_in"
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'sign in with json format returns json response' do
@@ -527,7 +527,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
     sign_in_as_user
     delete destroy_user_session_path(format: 'json')
     assert_response :no_content
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'sign out with non-navigational format via XHR does not redirect' do
@@ -535,7 +535,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
       sign_in_as_admin
       get destroy_sign_out_via_get_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "application/json,text/javascript,*/*" } # NOTE: Bug is triggered by combination of XHR and */*.
       assert_response :no_content
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -545,7 +545,7 @@ class AuthenticationOthersTest < Devise::IntegrationTest
       sign_in_as_user
       delete destroy_user_session_path, xhr: true, headers: { "HTTP_ACCEPT" => "text/html,*/*" }
       assert_response :redirect
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 end
@@ -555,7 +555,7 @@ class AuthenticationKeysTest < Devise::IntegrationTest
     swap Devise, authentication_keys: [:subdomain] do
       sign_in_as_user
       assert_contain "Invalid Subdomain or password."
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -584,7 +584,7 @@ class AuthenticationRequestKeysTest < Devise::IntegrationTest
         sign_in_as_user
       end
 
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -594,7 +594,7 @@ class AuthenticationRequestKeysTest < Devise::IntegrationTest
     swap Devise, request_keys: [:subdomain] do
       sign_in_as_user
       assert_contain "Invalid Email or password."
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -617,7 +617,7 @@ class AuthenticationSignOutViaTest < Devise::IntegrationTest
   test 'allow sign out via delete when sign_out_via provides only delete' do
     sign_in!(:sign_out_via_delete)
     delete destroy_sign_out_via_delete_session_path
-    refute warden.authenticated?(:sign_out_via_delete)
+    assert_not warden.authenticated?(:sign_out_via_delete)
   end
 
   test 'do not allow sign out via get when sign_out_via provides only delete' do
@@ -631,7 +631,7 @@ class AuthenticationSignOutViaTest < Devise::IntegrationTest
   test 'allow sign out via post when sign_out_via provides only post' do
     sign_in!(:sign_out_via_post)
     post destroy_sign_out_via_post_session_path
-    refute warden.authenticated?(:sign_out_via_post)
+    assert_not warden.authenticated?(:sign_out_via_post)
   end
 
   test 'do not allow sign out via get when sign_out_via provides only post' do
@@ -645,13 +645,13 @@ class AuthenticationSignOutViaTest < Devise::IntegrationTest
   test 'allow sign out via delete when sign_out_via provides delete and post' do
     sign_in!(:sign_out_via_delete_or_post)
     delete destroy_sign_out_via_delete_or_post_session_path
-    refute warden.authenticated?(:sign_out_via_delete_or_post)
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
   end
 
   test 'allow sign out via post when sign_out_via provides delete and post' do
     sign_in!(:sign_out_via_delete_or_post)
     post destroy_sign_out_via_delete_or_post_session_path
-    refute warden.authenticated?(:sign_out_via_delete_or_post)
+    assert_not warden.authenticated?(:sign_out_via_delete_or_post)
   end
 
   test 'do not allow sign out via get when sign_out_via provides delete and post' do

test/integration/confirmable_test.rb

@@ -43,12 +43,12 @@ class ConfirmationTest < Devise::IntegrationTest
   test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
     swap Devise, confirm_within: 3.days do
       user = create_user(confirm: false, confirmation_sent_at: 4.days.ago)
-      refute user.confirmed?
+      assert_not user.confirmed?
       visit_user_confirmation_with_token(user.raw_confirmation_token)
 
       assert_have_selector '#error_explanation'
       assert_contain %r{needs to be confirmed within 3 days}
-      refute user.reload.confirmed?
+      assert_not user.reload.confirmed?
       assert_current_url "/users/confirmation?confirmation_token=#{user.raw_confirmation_token}"
     end
   end
@@ -86,7 +86,7 @@ class ConfirmationTest < Devise::IntegrationTest
   test 'user with valid confirmation token should be able to confirm an account before the token has expired' do
     swap Devise, confirm_within: 3.days do
       user = create_user(confirm: false, confirmation_sent_at: 2.days.ago)
-      refute user.confirmed?
+      assert_not user.confirmed?
       visit_user_confirmation_with_token(user.raw_confirmation_token)
 
       assert_contain 'Your email address has been successfully confirmed.'
@@ -132,7 +132,7 @@ class ConfirmationTest < Devise::IntegrationTest
       sign_in_as_user(confirm: false)
 
       assert_contain 'You have to confirm your email address before continuing'
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -143,7 +143,7 @@ class ConfirmationTest < Devise::IntegrationTest
       end
 
       assert_contain 'Invalid Email or password'
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -178,13 +178,13 @@ class ConfirmationTest < Devise::IntegrationTest
   test "should not be able to confirm an email with a blank confirmation token" do
     visit_user_confirmation_with_token("")
 
-    assert_contain "Confirmation token can't be blank"
+    assert_contain %r{Confirmation token can['’]t be blank}
   end
 
   test "should not be able to confirm an email with a nil confirmation token" do
     visit_user_confirmation_with_token(nil)
 
-    assert_contain "Confirmation token can't be blank"
+    assert_contain %r{Confirmation token can['’]t be blank}
   end
 
   test "should not be able to confirm user with blank confirmation token" do
@@ -193,7 +193,7 @@ class ConfirmationTest < Devise::IntegrationTest
 
     visit_user_confirmation_with_token("")
 
-    assert_contain "Confirmation token can't be blank"
+    assert_contain %r{Confirmation token can['’]t be blank}
   end
 
   test "should not be able to confirm user with nil confirmation token" do
@@ -202,7 +202,7 @@ class ConfirmationTest < Devise::IntegrationTest
 
     visit_user_confirmation_with_token(nil)
 
-    assert_contain "Confirmation token can't be blank"
+    assert_contain %r{Confirmation token can['’]t be blank}
   end
 
   test 'error message is configurable by resource name' do
@@ -308,7 +308,7 @@ class ConfirmationOnChangeTest < Devise::IntegrationTest
     assert_contain 'Your email address has been successfully confirmed.'
     assert_current_url '/admin_area/sign_in'
     assert admin.reload.confirmed?
-    refute admin.reload.pending_reconfirmation?
+    assert_not admin.reload.pending_reconfirmation?
   end
 
   test 'admin with previously valid confirmation token should not be able to confirm email after email changed again' do
@@ -330,7 +330,7 @@ class ConfirmationOnChangeTest < Devise::IntegrationTest
     assert_contain 'Your email address has been successfully confirmed.'
     assert_current_url '/admin_area/sign_in'
     assert admin.reload.confirmed?
-    refute admin.reload.pending_reconfirmation?
+    assert_not admin.reload.pending_reconfirmation?
   end
 
   test 'admin email should be unique also within unconfirmed_email' do

test/integration/database_authenticatable_test.rb

@@ -21,7 +21,7 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
         fill_in 'email', with: 'foo@bar.com'
       end
 
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -43,14 +43,14 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
         fill_in 'email', with: ' foo@bar.com '
       end
 
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
   test 'sign in should not authenticate if not using proper authentication keys' do
     swap Devise, authentication_keys: [:username] do
       sign_in_as_user
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -61,7 +61,7 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
       end
 
       assert_contain 'Invalid email address'
-      refute warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:admin)
     end
   end
 
@@ -71,7 +71,7 @@ class DatabaseAuthenticationTest < Devise::IntegrationTest
     end
 
     assert_contain 'Invalid Email or password'
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'when in paranoid mode and without a valid e-mail' do

test/integration/http_authenticatable_test.rb

@@ -6,7 +6,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
   test 'sign in with HTTP should not run model validations' do
     sign_in_as_new_user_with_http
 
-    refute User.validations_performed
+    assert_not User.validations_performed
   end
 
   test 'handles unverified requests gets rid of caches but continues signed in' do

test/integration/lockable_test.rb

@@ -87,7 +87,7 @@ class LockTest < Devise::IntegrationTest
 
     assert_current_url "/users/sign_in"
     assert_contain 'Your account has been unlocked successfully. Please sign in to continue.'
-    refute user.reload.access_locked?
+    assert_not user.reload.access_locked?
   end
 
   test "user should not send a new e-mail if already locked" do

test/integration/omniauthable_test.rb

@@ -52,7 +52,7 @@ class OmniauthableIntegrationTest < Devise::IntegrationTest
       follow_redirect!
       assert warden.authenticated?(:user)
 
-      refute User.validations_performed
+      assert_not User.validations_performed
     end
   end
 
@@ -87,7 +87,7 @@ class OmniauthableIntegrationTest < Devise::IntegrationTest
     assert_current_url "/"
     assert_contain "You have signed up successfully."
     assert_contain "Hello User user@example.com"
-    refute session["devise.facebook_data"]
+    assert_not session["devise.facebook_data"]
   end
 
   test "cleans up session on cancel" do
@@ -98,7 +98,7 @@ class OmniauthableIntegrationTest < Devise::IntegrationTest
 
     assert session["devise.facebook_data"]
     visit "/users/cancel"
-    assert !session["devise.facebook_data"]
+    assert_not session["devise.facebook_data"]
   end
 
   test "cleans up session on sign in" do
@@ -109,7 +109,7 @@ class OmniauthableIntegrationTest < Devise::IntegrationTest
 
     assert session["devise.facebook_data"]
     sign_in_as_user
-    assert !session["devise.facebook_data"]
+    assert_not session["devise.facebook_data"]
   end
 
   test "sign in and send remember token if configured" do

test/integration/recoverable_test.rb

@@ -12,7 +12,7 @@ class PasswordTest < Devise::IntegrationTest
   def request_forgot_password(&block)
     visit_new_password_path
     assert_response :success
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     fill_in 'email', with: 'user@test.com'
     yield if block_given?
@@ -160,7 +160,7 @@ class PasswordTest < Devise::IntegrationTest
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
     assert_contain %r{Reset password token(.*)invalid}
-    refute user.reload.valid_password?('987654321')
+    assert_not user.reload.valid_password?('987654321')
   end
 
   test 'not authenticated user with valid reset password token but invalid password should not be able to change their password' do
@@ -173,8 +173,8 @@ class PasswordTest < Devise::IntegrationTest
     assert_response :success
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
-    assert_contain "Password confirmation doesn't match Password"
-    refute user.reload.valid_password?('987654321')
+    assert_contain %r{Password confirmation doesn['’]t match Password}
+    assert_not user.reload.valid_password?('987654321')
   end
 
   test 'not authenticated user with valid data should be able to change their password' do
@@ -194,7 +194,7 @@ class PasswordTest < Devise::IntegrationTest
     reset_password {  fill_in 'Confirm new password', with: 'other_password' }
     assert_response :success
     assert_have_selector '#error_explanation'
-    refute user.reload.valid_password?('987654321')
+    assert_not user.reload.valid_password?('987654321')
 
     reset_password visit: false
     assert_contain 'Your password has been changed successfully.'
@@ -218,7 +218,32 @@ class PasswordTest < Devise::IntegrationTest
       assert_contain 'Your password has been changed successfully.'
       assert_not_contain 'You are now signed in.'
       assert_equal new_user_session_path, @request.path
-      assert !warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'does not sign in user automatically after changing its password if resource_class.sign_in_after_reset_password is false' do
+    swap_model_config User, sign_in_after_reset_password: false do
+      create_user
+      request_forgot_password
+      reset_password
+
+      assert_contain 'Your password has been changed successfully'
+      assert_not_contain 'You are now signed in.'
+      assert_equal new_user_session_path, @request.path
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'sign in user automatically after changing its password if resource_class.sign_in_after_reset_password is true' do
+    swap Devise, sign_in_after_reset_password: false do
+      swap_model_config User, sign_in_after_reset_password: true do
+        create_user
+        request_forgot_password
+        reset_password
+
+        assert warden.authenticated?(:user)
+      end
     end
   end
 
@@ -232,7 +257,7 @@ class PasswordTest < Devise::IntegrationTest
         assert_contain 'Your password has been changed successfully.'
         assert_not_contain 'You are now signed in.'
         assert_equal new_user_session_path, @request.path
-        assert !warden.authenticated?(:user)
+        assert_not warden.authenticated?(:user)
       end
     end
   end
@@ -244,7 +269,7 @@ class PasswordTest < Devise::IntegrationTest
       reset_password
 
       assert_contain 'Your password has been changed successfully.'
-      assert !user.reload.access_locked?
+      assert_not user.reload.access_locked?
       assert warden.authenticated?(:user)
     end
   end
@@ -256,7 +281,7 @@ class PasswordTest < Devise::IntegrationTest
       reset_password
 
       assert_contain 'Your password has been changed successfully.'
-      assert !user.reload.access_locked?
+      assert_not user.reload.access_locked?
       assert warden.authenticated?(:user)
     end
   end

test/integration/registerable_test.rb

@@ -66,11 +66,11 @@ class RegistrationTest < Devise::IntegrationTest
     assert_not_contain 'You have to confirm your account before continuing'
     assert_current_url "/"
 
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
 
     user = User.to_adapter.find_first(order: [:id, :desc])
     assert_equal 'new_user@test.com', user.email
-    refute user.confirmed?
+    assert_not user.confirmed?
   end
 
   test 'a guest user should receive the confirmation instructions from the default mailer' do
@@ -94,7 +94,7 @@ class RegistrationTest < Devise::IntegrationTest
     click_button 'Sign up'
 
     assert_current_url "/?custom=1"
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'a guest user cannot sign up with invalid information' do
@@ -112,11 +112,11 @@ class RegistrationTest < Devise::IntegrationTest
     assert_template 'registrations/new'
     assert_have_selector '#error_explanation'
     assert_contain "Email is invalid"
-    assert_contain "Password confirmation doesn't match Password"
+    assert_contain %r{Password confirmation doesn['’]t match Password}
     assert_contain "2 errors prohibited"
     assert_nil User.to_adapter.find_first
 
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'a guest should not sign up with email/password that already exists' do
@@ -135,7 +135,7 @@ class RegistrationTest < Devise::IntegrationTest
     assert_current_url '/users'
     assert_contain(/Email.*already.*taken/)
 
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'a guest should not be able to change account' do
@@ -191,7 +191,7 @@ class RegistrationTest < Devise::IntegrationTest
 
       assert_contain 'Your account has been updated successfully, but since your password was changed, you need to sign in again.'
       assert_equal new_user_session_path, @request.path
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -251,8 +251,8 @@ class RegistrationTest < Devise::IntegrationTest
     fill_in 'current password', with: '12345678'
     click_button 'Update'
 
-    assert_contain "Password confirmation doesn't match Password"
-    refute User.to_adapter.find_first.valid_password?('pas123')
+    assert_contain %r{Password confirmation doesn['’]t match Password}
+    assert_not User.to_adapter.find_first.valid_password?('pas123')
   end
 
   test 'a signed in user should see a warning about minimum password length' do

test/integration/rememberable_test.rb

@@ -41,12 +41,12 @@ class RememberMeTest < Devise::IntegrationTest
   test 'handle unverified requests gets rid of caches' do
     swap ApplicationController, allow_forgery_protection: true do
       post exhibit_user_url(1)
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
 
       create_user_and_remember
       post exhibit_user_url(1)
       assert_equal "User is not authenticated", response.body
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 
@@ -59,8 +59,8 @@ class RememberMeTest < Devise::IntegrationTest
           authenticity_token: "oops",
           user: { email: "jose.valim@gmail.com", password: "123456", remember_me: "1" }
         }
-      refute warden.authenticated?(:user)
-      refute request.cookies['remember_user_token']
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
     end
   end
 
@@ -140,7 +140,7 @@ class RememberMeTest < Devise::IntegrationTest
       get root_path
       current_remember_token = request.cookies['remember_user_token']
 
-      refute_equal old_remember_token, current_remember_token
+      assert_not_equal old_remember_token, current_remember_token
     end
   end
 
@@ -166,13 +166,13 @@ class RememberMeTest < Devise::IntegrationTest
     get root_path
     assert_response :success
     assert warden.authenticated?(:user)
-    refute warden.authenticated?(:admin)
+    assert_not warden.authenticated?(:admin)
   end
 
   test 'do not remember with invalid token' do
     create_user_and_remember('add')
     get users_path
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
     assert_redirected_to new_user_session_path
   end
 
@@ -180,7 +180,7 @@ class RememberMeTest < Devise::IntegrationTest
     create_user_and_remember
     swap Devise, remember_for: 0.days do
       get users_path
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
       assert_redirected_to new_user_session_path
     end
   end
@@ -191,11 +191,11 @@ class RememberMeTest < Devise::IntegrationTest
     assert warden.authenticated?(:user)
 
     delete destroy_user_session_path
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
     assert_nil warden.cookies['remember_user_token']
 
     get users_path
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'changing user password expires remember me token' do
@@ -205,7 +205,7 @@ class RememberMeTest < Devise::IntegrationTest
     user.save!
 
     get users_path
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'valid sign in calls after_remembered callback' do

test/integration/timeoutable_test.rb

@@ -58,7 +58,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
 
       get users_path
       assert_redirected_to users_path
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
       assert warden.authenticated?(:admin)
     end
   end
@@ -72,8 +72,8 @@ class SessionTimeoutTest < Devise::IntegrationTest
       assert_not_nil last_request_at
 
       get root_path
-      refute warden.authenticated?(:user)
-      refute warden.authenticated?(:admin)
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
     end
   end
 
@@ -110,7 +110,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
 
     assert_response :success
     assert_contain 'Log in'
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test 'time out is not triggered on sign in' do
@@ -136,7 +136,7 @@ class SessionTimeoutTest < Devise::IntegrationTest
       get expire_user_path(user)
       get users_path
       assert_redirected_to users_path
-      refute warden.authenticated?(:user)
+      assert_not warden.authenticated?(:user)
     end
   end
 

test/integration/trackable_test.rb

@@ -6,7 +6,7 @@ class TrackableHooksTest < Devise::IntegrationTest
   test "trackable should not run model validations" do
     sign_in_as_user
 
-    refute User.validations_performed
+    assert_not User.validations_performed
   end
 
   test "current and last sign in timestamps are updated on each sign in" do

test/mapping_test.rb

@@ -117,7 +117,7 @@ class MappingTest < ActiveSupport::TestCase
     assert mapping.authenticatable?
     assert mapping.recoverable?
     assert mapping.lockable?
-    refute mapping.omniauthable?
+    assert_not mapping.omniauthable?
   end
 
   test 'find mapping by path' do

test/models/authenticatable_test.rb

@@ -30,12 +30,12 @@ class AuthenticatableTest < ActiveSupport::TestCase
 
   test 'find_or_initialize_with_errors adds blank error' do
     user_with_error = User.find_or_initialize_with_errors([:email], { email: "" })
-    assert_equal ["Email can't be blank"], user_with_error.errors.full_messages_for(:email)
+    assert user_with_error.errors.added?(:email, :blank)
   end
 
   test 'find_or_initialize_with_errors adds invalid error' do
     user_with_error = User.find_or_initialize_with_errors([:email], { email: "example@example.com" })
-    assert_equal ["Email is invalid"], user_with_error.errors.full_messages_for(:email)
+    assert user_with_error.errors.added?(:email, :invalid)
   end
 
   if defined?(ActionController::Parameters)

test/models/confirmable_test.rb

@@ -28,7 +28,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     confirmation_tokens = []
     3.times do
       token = create_user.confirmation_token
-      refute_includes confirmation_tokens, token
+      assert_not_includes confirmation_tokens, token
       confirmation_tokens << token
     end
   end
@@ -41,9 +41,9 @@ class ConfirmableTest < ActiveSupport::TestCase
   end
 
   test 'should verify whether a user is confirmed or not' do
-    refute new_user.confirmed?
+    assert_not new_user.confirmed?
     user = create_user
-    refute user.confirmed?
+    assert_not user.confirmed?
     user.confirm
     assert user.confirmed?
   end
@@ -53,7 +53,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert user.confirm
     assert_blank user.errors[:email]
 
-    refute user.confirm
+    assert_not user.confirm
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
@@ -67,14 +67,14 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should return a new record with errors when a invalid token is given' do
     confirmed_user = User.confirm_by_token('invalid_confirmation_token')
-    refute confirmed_user.persisted?
+    assert_not confirmed_user.persisted?
     assert_equal "is invalid", confirmed_user.errors[:confirmation_token].join
   end
 
   test 'should return a new record with errors when a blank token is given' do
     confirmed_user = User.confirm_by_token('')
-    refute confirmed_user.persisted?
-    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+    assert_not confirmed_user.persisted?
+    assert confirmed_user.errors.added?(:confirmation_token, :blank)
   end
 
   test 'should return a new record with errors when a blank token is given and a record exists on the database' do
@@ -82,8 +82,8 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     confirmed_user = User.confirm_by_token('')
 
-    refute user.reload.confirmed?
-    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+    assert_not user.reload.confirmed?
+    assert confirmed_user.errors.added?(:confirmation_token, :blank)
   end
 
   test 'should return a new record with errors when a nil token is given and a record exists on the database' do
@@ -91,8 +91,8 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     confirmed_user = User.confirm_by_token(nil)
 
-    refute user.reload.confirmed?
-    assert_equal "can't be blank", confirmed_user.errors[:confirmation_token].join
+    assert_not user.reload.confirmed?
+    assert confirmed_user.errors.added?(:confirmation_token, :blank)
   end
 
   test 'should generate errors for a user email if user is already confirmed' do
@@ -145,7 +145,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     assert_email_not_sent do
       user.save!
-      refute user.confirmed?
+      assert_not user.confirmed?
     end
   end
 
@@ -165,7 +165,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should return a new user if no email was found' do
     confirmation_user = User.send_confirmation_instructions(email: "invalid@example.com")
-    refute confirmation_user.persisted?
+    assert_not confirmation_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
@@ -212,7 +212,7 @@ class ConfirmableTest < ActiveSupport::TestCase
   test 'should not be able to send instructions if the user is already confirmed' do
     user = create_user
     user.confirm
-    refute user.resend_confirmation_instructions
+    assert_not user.resend_confirmation_instructions
     assert user.confirmed?
     assert_equal 'was already confirmed, please try signing in', user.errors[:email].join
   end
@@ -221,7 +221,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     swap Devise, allow_unconfirmed_access_for: 1.day do
       user = create_user
       user.confirmation_sent_at = 2.days.ago
-      refute user.active_for_authentication?
+      assert_not user.active_for_authentication?
 
       Devise.allow_unconfirmed_access_for = 3.days
       assert user.active_for_authentication?
@@ -237,14 +237,14 @@ class ConfirmableTest < ActiveSupport::TestCase
       assert user.active_for_authentication?
 
       user.confirmation_sent_at = 5.days.ago
-      refute user.active_for_authentication?
+      assert_not user.active_for_authentication?
     end
   end
 
   test 'should be active when already confirmed' do
     user = create_user
-    refute user.confirmed?
-    refute user.active_for_authentication?
+    assert_not user.confirmed?
+    assert_not user.active_for_authentication?
 
     user.confirm
     assert user.confirmed?
@@ -255,7 +255,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     Devise.allow_unconfirmed_access_for = 0.days
     user = create_user
     user.confirmation_sent_at = Time.zone.today
-    refute user.active_for_authentication?
+    assert_not user.active_for_authentication?
   end
 
   test 'should not be active when confirm period is set to 0 days' do
@@ -264,7 +264,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
     Timecop.freeze(Time.zone.today) do
       user.confirmation_sent_at = Time.zone.today
-      refute user.active_for_authentication?
+      assert_not user.active_for_authentication?
     end
   end
 
@@ -280,7 +280,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     user = create_user
     user.confirmation_sent_at = nil
     user.save
-    refute user.reload.active_for_authentication?
+    assert_not user.reload.active_for_authentication?
   end
 
   test 'should be active without confirmation when confirmation is not required' do
@@ -313,8 +313,8 @@ class ConfirmableTest < ActiveSupport::TestCase
     swap Devise, confirmation_keys: [:username, :email] do
       user = create_user
       confirm_user = User.send_confirmation_instructions(email: user.email)
-      refute confirm_user.persisted?
-      assert_equal "can't be blank", confirm_user.errors[:username].join
+      assert_not confirm_user.persisted?
+      assert confirm_user.errors.added?(:username, :blank)
     end
   end
 
@@ -338,7 +338,7 @@ class ConfirmableTest < ActiveSupport::TestCase
 
   test 'should not accept confirmation email token after 4 days when expiration is set to 3 days' do
     swap Devise, confirm_within: 3.days do
-      refute confirm_user_by_token_with_confirmation_sent_at(4.days.ago)
+      assert_not confirm_user_by_token_with_confirmation_sent_at(4.days.ago)
     end
   end
 
@@ -378,14 +378,14 @@ class ConfirmableTest < ActiveSupport::TestCase
       self.username = self.username.to_s + 'updated'
     end
     old = user.username
-    refute user.confirm
+    assert_not user.confirm
     assert_equal user.username, old
   end
 
   test 'should always perform validations upon confirm when ensure valid true' do
     admin = create_admin
     admin.stubs(:valid?).returns(false)
-    refute admin.confirm(ensure_valid: true)
+    assert_not admin.confirm(ensure_valid: true)
   end
 end
 
@@ -411,7 +411,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
     admin.skip_reconfirmation!
     assert admin.update(email: 'new_test@example.com')
     assert admin.confirmed?
-    refute admin.pending_reconfirmation?
+    assert_not admin.pending_reconfirmation?
     assert_equal original_token, admin.confirmation_token
   end
 
@@ -502,7 +502,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should return a new admin if no email or unconfirmed_email was found' do
     confirmation_admin = Admin.send_confirmation_instructions(email: "invalid@email.com")
-    refute confirmation_admin.persisted?
+    assert_not confirmation_admin.persisted?
   end
 
   test 'should add error to new admin email if no email or unconfirmed_email was found' do
@@ -538,7 +538,7 @@ class ReconfirmableTest < ActiveSupport::TestCase
 
   test 'should not require reconfirmation after creating a record' do
     admin = create_admin
-    assert !admin.pending_reconfirmation?
+    assert_not admin.pending_reconfirmation?
   end
 
   test 'should not require reconfirmation after creating a record with #save called in callback' do
@@ -547,12 +547,12 @@ class ReconfirmableTest < ActiveSupport::TestCase
     end
 
     admin = Admin::WithSaveInCallback.create(valid_attributes.except(:username))
-    assert !admin.pending_reconfirmation?
+    assert_not admin.pending_reconfirmation?
   end
 
   test 'should require reconfirmation after creating a record and updating the email' do
     admin = create_admin
-    assert !admin.instance_variable_get(:@bypass_confirmation_postpone)
+    assert_not admin.instance_variable_get(:@bypass_confirmation_postpone)
     admin.email = "new_test@email.com"
     admin.save
     assert admin.pending_reconfirmation?

test/models/database_authenticatable_test.rb

@@ -133,7 +133,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   test 'should test for a valid password' do
     user = create_user
     assert user.valid_password?('12345678')
-    refute user.valid_password?('654321')
+    assert_not user.valid_password?('654321')
   end
 
   test 'should not raise error with an empty password' do
@@ -145,7 +145,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   test 'should be an invalid password if the user has an empty password' do
     user = create_user
     user.encrypted_password = ''
-    refute user.valid_password?('654321')
+    assert_not user.valid_password?('654321')
   end
 
   test 'should respond to current password' do
@@ -161,7 +161,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
 
   test 'should add an error to current password when it is invalid' do
     user = create_user
-    refute user.update_with_password(current_password: 'other',
+    assert_not user.update_with_password(current_password: 'other',
       password: 'pass4321', password_confirmation: 'pass4321')
     assert user.reload.valid_password?('12345678')
     assert_match "is invalid", user.errors[:current_password].join
@@ -169,19 +169,19 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
 
   test 'should add an error to current password when it is blank' do
     user = create_user
-    refute user.update_with_password(password: 'pass4321',
+    assert_not user.update_with_password(password: 'pass4321',
       password_confirmation: 'pass4321')
     assert user.reload.valid_password?('12345678')
-    assert_match "can't be blank", user.errors[:current_password].join
+    assert user.errors.added?(:current_password, :blank)
   end
 
   test 'should run validations even when current password is invalid or blank' do
     user = UserWithValidation.create!(valid_attributes)
     user.save
     assert user.persisted?
-    refute user.update_with_password(username: "")
+    assert_not user.update_with_password(username: "")
     assert_match "usertest", user.reload.username
-    assert_match "can't be blank", user.errors[:username].join
+    assert user.errors.added?(:username, :blank)
   end
 
   test 'should ignore password and its confirmation if they are blank' do
@@ -192,14 +192,14 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
 
   test 'should not update password with invalid confirmation' do
     user = create_user
-    refute user.update_with_password(current_password: '12345678',
+    assert_not user.update_with_password(current_password: '12345678',
       password: 'pass4321', password_confirmation: 'other')
     assert user.reload.valid_password?('12345678')
   end
 
   test 'should clean up password fields on failure' do
     user = create_user
-    refute user.update_with_password(current_password: '12345678',
+    assert_not user.update_with_password(current_password: '12345678',
       password: 'pass4321', password_confirmation: 'other')
     assert user.password.blank?
     assert user.password_confirmation.blank?
@@ -214,28 +214,28 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   test 'should not update password without password' do
     user = create_user
     user.update_without_password(password: 'pass4321', password_confirmation: 'pass4321')
-    assert !user.reload.valid_password?('pass4321')
+    assert_not user.reload.valid_password?('pass4321')
     assert user.valid_password?('12345678')
   end
 
   test 'should destroy user if current password is valid' do
     user = create_user
     assert user.destroy_with_password('12345678')
-    assert !user.persisted?
+    assert_not user.persisted?
   end
 
   test 'should not destroy user with invalid password' do
     user = create_user
-    refute user.destroy_with_password('other')
+    assert_not user.destroy_with_password('other')
     assert user.persisted?
     assert_match "is invalid", user.errors[:current_password].join
   end
 
   test 'should not destroy user with blank password' do
     user = create_user
-    refute user.destroy_with_password(nil)
+    assert_not user.destroy_with_password(nil)
     assert user.persisted?
-    assert_match "can't be blank", user.errors[:current_password].join
+    assert user.errors.added?(:current_password, :blank)
   end
 
   test 'should not email on password change' do
@@ -289,7 +289,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   test 'downcase_keys with validation' do
     User.create(email: "HEllO@example.com", password: "123456")
     user = User.create(email: "HEllO@example.com", password: "123456")
-    assert !user.valid?
+    assert_not user.valid?
   end
 
   test 'required_fields should be encryptable_password and the email field by default' do

test/models/lockable_test.rb

@@ -34,7 +34,7 @@ class LockableTest < ActiveSupport::TestCase
     user.confirm
     swap Devise, lock_strategy: :none, maximum_attempts: 2 do
       3.times { user.valid_for_authentication?{ false } }
-      assert !user.access_locked?
+      assert_not user.access_locked?
       assert_equal 0, user.failed_attempts
     end
   end
@@ -72,8 +72,8 @@ class LockableTest < ActiveSupport::TestCase
   test "reset_failed_attempts! does not try to reset if not using failed attempts strategy" do
     admin = create_admin
 
-    refute_respond_to admin, :failed_attempts
-    refute admin.reset_failed_attempts!
+    assert_not_respond_to admin, :failed_attempts
+    assert_not admin.reset_failed_attempts!
   end
 
   test 'should be valid for authentication with a unlocked user' do
@@ -85,7 +85,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test "should verify whether a user is locked or not" do
     user = create_user
-    refute user.access_locked?
+    assert_not user.access_locked?
     user.lock_access!
     assert user.access_locked?
   end
@@ -95,7 +95,7 @@ class LockableTest < ActiveSupport::TestCase
     user.confirm
     assert user.active_for_authentication?
     user.lock_access!
-    refute user.active_for_authentication?
+    assert_not user.active_for_authentication?
   end
 
   test "should unlock a user by cleaning locked_at, failed_attempts and unlock_token" do
@@ -111,7 +111,7 @@ class LockableTest < ActiveSupport::TestCase
   end
 
   test "new user should not be locked and should have zero failed_attempts" do
-    refute new_user.access_locked?
+    assert_not new_user.access_locked?
     assert_equal 0, create_user.failed_attempts
   end
 
@@ -122,7 +122,7 @@ class LockableTest < ActiveSupport::TestCase
       assert user.access_locked?
 
       Devise.unlock_in = 1.hour
-      refute user.access_locked?
+      assert_not user.access_locked?
     end
   end
 
@@ -147,7 +147,7 @@ class LockableTest < ActiveSupport::TestCase
       user = create_user
       user.lock_access!
       token = user.unlock_token
-      refute_includes unlock_tokens, token
+      assert_not_includes unlock_tokens, token
       unlock_tokens << token
     end
   end
@@ -201,19 +201,19 @@ class LockableTest < ActiveSupport::TestCase
     raw  = user.send_unlock_instructions
     locked_user = User.unlock_access_by_token(raw)
     assert_equal user, locked_user
-    refute user.reload.access_locked?
+    assert_not user.reload.access_locked?
   end
 
   test 'should return a new record with errors when a invalid token is given' do
     locked_user = User.unlock_access_by_token('invalid_token')
-    refute locked_user.persisted?
+    assert_not locked_user.persisted?
     assert_equal "is invalid", locked_user.errors[:unlock_token].join
   end
 
   test 'should return a new record with errors when a blank token is given' do
     locked_user = User.unlock_access_by_token('')
-    refute locked_user.persisted?
-    assert_equal "can't be blank", locked_user.errors[:unlock_token].join
+    assert_not locked_user.persisted?
+    assert locked_user.errors.added?(:unlock_token, :blank)
   end
 
   test 'should find a user to send unlock instructions' do
@@ -225,7 +225,7 @@ class LockableTest < ActiveSupport::TestCase
 
   test 'should return a new user if no email was found' do
     unlock_user = User.send_unlock_instructions(email: "invalid@example.com")
-    refute unlock_user.persisted?
+    assert_not unlock_user.persisted?
   end
 
   test 'should add error to new user email if no email was found' do
@@ -245,23 +245,23 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, unlock_keys: [:username, :email] do
       user = create_user
       unlock_user = User.send_unlock_instructions(email: user.email)
-      refute unlock_user.persisted?
-      assert_equal "can't be blank", unlock_user.errors[:username].join
+      assert_not unlock_user.persisted?
+      assert unlock_user.errors.added?(:username, :blank)
     end
   end
 
   test 'should not be able to send instructions if the user is not locked' do
     user = create_user
-    refute user.resend_unlock_instructions
-    refute user.access_locked?
+    assert_not user.resend_unlock_instructions
+    assert_not user.access_locked?
     assert_equal 'was not locked', user.errors[:email].join
   end
 
   test 'should not be able to send instructions if the user if not locked and have username as unlock key' do
     swap Devise, unlock_keys: [:username] do
       user = create_user
-      refute user.resend_unlock_instructions
-      refute user.access_locked?
+      assert_not user.resend_unlock_instructions
+      assert_not user.access_locked?
       assert_equal 'was not locked', user.errors[:username].join
     end
   end

test/models/recoverable_test.rb

@@ -18,7 +18,7 @@ class RecoverableTest < ActiveSupport::TestCase
       user = create_user
       user.send_reset_password_instructions
       token = user.reset_password_token
-      refute_includes reset_password_tokens, token
+      assert_not_includes reset_password_tokens, token
       reset_password_tokens << token
     end
   end
@@ -94,14 +94,14 @@ class RecoverableTest < ActiveSupport::TestCase
     user = create_user
     user.send_reset_password_instructions
     assert_present user.reset_password_token
-    refute user.reset_password('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
     assert_present user.reset_password_token
   end
 
   test 'should not reset password with invalid data' do
     user = create_user
     user.stubs(:valid?).returns(false)
-    refute user.reset_password('123456789', '987654321')
+    assert_not user.reset_password('123456789', '987654321')
   end
 
   test 'should reset reset password token and send instructions by email' do
@@ -121,7 +121,7 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should return a new record with errors if user was not found by e-mail' do
     reset_password_user = User.send_reset_password_instructions(email: "invalid@example.com")
-    refute reset_password_user.persisted?
+    assert_not reset_password_user.persisted?
     assert_equal "not found", reset_password_user.errors[:email].join
   end
 
@@ -134,12 +134,12 @@ class RecoverableTest < ActiveSupport::TestCase
   end
 
   test 'should require all reset_password_keys' do
-      swap Devise, reset_password_keys: [:username, :email] do
-          user = create_user
-          reset_password_user = User.send_reset_password_instructions(email: user.email)
-          refute reset_password_user.persisted?
-          assert_equal "can't be blank", reset_password_user.errors[:username].join
-      end
+    swap Devise, reset_password_keys: [:username, :email] do
+      user = create_user
+      reset_password_user = User.send_reset_password_instructions(email: user.email)
+      assert_not reset_password_user.persisted?
+      assert reset_password_user.errors.added?(:username, :blank)
+    end
   end
 
   test 'should reset reset_password_token before send the reset instructions email' do
@@ -166,14 +166,14 @@ class RecoverableTest < ActiveSupport::TestCase
 
   test 'should return a new record with errors if no reset_password_token is found' do
     reset_password_user = User.reset_password_by_token(reset_password_token: 'invalid_token')
-    refute reset_password_user.persisted?
+    assert_not reset_password_user.persisted?
     assert_equal "is invalid", reset_password_user.errors[:reset_password_token].join
   end
 
   test 'should return a new record with errors if reset_password_token is blank' do
     reset_password_user = User.reset_password_by_token(reset_password_token: '')
-    refute reset_password_user.persisted?
-    assert_match "can't be blank", reset_password_user.errors[:reset_password_token].join
+    assert_not reset_password_user.persisted?
+    assert reset_password_user.errors.added?(:reset_password_token, :blank)
   end
 
   test 'should return a new record with errors if password is blank' do
@@ -181,8 +181,8 @@ class RecoverableTest < ActiveSupport::TestCase
     raw  = user.send_reset_password_instructions
 
     reset_password_user = User.reset_password_by_token(reset_password_token: raw, password: '')
-    refute reset_password_user.errors.empty?
-    assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_not reset_password_user.errors.empty?
+    assert reset_password_user.errors.added?(:password, :blank)
     assert_equal raw, reset_password_user.reset_password_token
   end
 
@@ -191,8 +191,8 @@ class RecoverableTest < ActiveSupport::TestCase
     raw  = user.send_reset_password_instructions
 
     reset_password_user = User.reset_password_by_token(reset_password_token: raw)
-    refute reset_password_user.errors.empty?
-    assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_not reset_password_user.errors.empty?
+    assert reset_password_user.errors.added?(:password, :blank)
     assert_equal raw, reset_password_user.reset_password_token
   end
 
@@ -209,7 +209,7 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_nil reset_password_user.reset_password_token
 
     user.reload
-    refute user.valid_password?(old_password)
+    assert_not user.valid_password?(old_password)
     assert user.valid_password?('new_password')
     assert_nil user.reset_password_token
   end
@@ -231,7 +231,7 @@ class RecoverableTest < ActiveSupport::TestCase
       user.reload
 
       assert user.valid_password?(old_password)
-      refute user.valid_password?('new_password')
+      assert_not user.valid_password?('new_password')
       assert_equal "has expired, please request a new one", reset_password_user.errors[:reset_password_token].join
     end
   end

test/models/serializable_test.rb

@@ -40,7 +40,7 @@ class SerializableTest < ActiveSupport::TestCase
   end
 
   def assert_no_key(key, subject)
-    assert !subject.key?(key), "Expected #{subject.inspect} to not have key #{key.inspect}"
+    assert_not subject.key?(key), "Expected #{subject.inspect} to not have key #{key.inspect}"
   end
 
   def from_json(options = nil)

test/models/timeoutable_test.rb

@@ -9,11 +9,11 @@ class TimeoutableTest < ActiveSupport::TestCase
   end
 
   test 'should not be expired' do
-    refute new_user.timedout?(29.minutes.ago)
+    assert_not new_user.timedout?(29.minutes.ago)
   end
 
   test 'should not be expired when params is nil' do
-    refute new_user.timedout?(nil)
+    assert_not new_user.timedout?(nil)
   end
 
   test 'should use timeout_in method' do
@@ -21,23 +21,23 @@ class TimeoutableTest < ActiveSupport::TestCase
     user.instance_eval { def timeout_in; 10.minutes end }
 
     assert user.timedout?(12.minutes.ago)
-    refute user.timedout?(8.minutes.ago)
+    assert_not user.timedout?(8.minutes.ago)
   end
 
   test 'should not be expired when timeout_in method returns nil' do
     user = new_user
     user.instance_eval { def timeout_in; nil end }
-    refute user.timedout?(10.hours.ago)
+    assert_not user.timedout?(10.hours.ago)
   end
 
   test 'fallback to Devise config option' do
     swap Devise, timeout_in: 1.minute do
       user = new_user
       assert user.timedout?(2.minutes.ago)
-      refute user.timedout?(30.seconds.ago)
+      assert_not user.timedout?(30.seconds.ago)
 
       Devise.timeout_in = 5.minutes
-      refute user.timedout?(2.minutes.ago)
+      assert_not user.timedout?(2.minutes.ago)
       assert user.timedout?(6.minutes.ago)
     end
   end

test/models/validatable_test.rb

@@ -8,7 +8,7 @@ class ValidatableTest < ActiveSupport::TestCase
     user = new_user(email: nil)
     assert user.invalid?
     assert user.errors[:email]
-    assert_equal 'can\'t be blank', user.errors[:email].join
+    assert user.errors.added?(:email, :blank)
   end
 
   test 'should require uniqueness of email if email has changed, allowing blank' do
@@ -52,14 +52,14 @@ class ValidatableTest < ActiveSupport::TestCase
   test 'should require password to be set when creating a new record' do
     user = new_user(password: '', password_confirmation: '')
     assert user.invalid?
-    assert_equal 'can\'t be blank', user.errors[:password].join
+    assert user.errors.added?(:password, :blank)
   end
 
   test 'should require confirmation to be set when creating a new record' do
     user = new_user(password: 'new_password', password_confirmation: 'blabla')
     assert user.invalid?
 
-    assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    assert user.errors.added?(:password_confirmation, :confirmation, attribute: "Password")
   end
 
   test 'should require password when updating/resetting password' do
@@ -69,7 +69,7 @@ class ValidatableTest < ActiveSupport::TestCase
     user.password_confirmation = ''
 
     assert user.invalid?
-    assert_equal 'can\'t be blank', user.errors[:password].join
+    assert user.errors.added?(:password, :blank)
   end
 
   test 'should require confirmation when updating/resetting password' do
@@ -77,7 +77,7 @@ class ValidatableTest < ActiveSupport::TestCase
     user.password_confirmation = 'another_password'
     assert user.invalid?
 
-    assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    assert user.errors.added?(:password_confirmation, :confirmation, attribute: "Password")
   end
 
   test 'should require a password with minimum of 7 characters' do
@@ -99,7 +99,7 @@ class ValidatableTest < ActiveSupport::TestCase
 
     user.password_confirmation = 'confirmation'
     assert user.invalid?
-    refute (user.errors[:password].join =~ /is too long/)
+    assert_not (user.errors[:password].join =~ /is too long/)
   end
 
   test 'should complain about length even if password is not required' do
@@ -110,9 +110,12 @@ class ValidatableTest < ActiveSupport::TestCase
   end
 
   test 'should not be included in objects with invalid API' do
-    assert_raise RuntimeError do
+    exception = assert_raise RuntimeError do
       Class.new.send :include, Devise::Models::Validatable
     end
+
+    expected_message = /Could not use :validatable module since .* does not respond to the following methods: validates_presence_of.*/
+    assert_match expected_message, exception.message
   end
 
   test 'required_fields should be an empty array' do

test/models_test.rb

@@ -15,7 +15,7 @@ class ActiveRecordTest < ActiveSupport::TestCase
     end
 
     (Devise::ALL - modules).each do |mod|
-      refute include_module?(klass, mod)
+      assert_not include_module?(klass, mod)
     end
   end
 

test/rails_app/lib/shared_admin.rb

@@ -10,11 +10,7 @@ module SharedAdmin
            allow_unconfirmed_access_for: 2.weeks, reconfirmable: true
 
     validates_length_of     :reset_password_token, minimum: 3, allow_blank: true
-    if Devise::Test.rails51?
-      validates_uniqueness_of :email, allow_blank: true, if: :will_save_change_to_email?
-    else
-      validates_uniqueness_of :email, allow_blank: true, if: :email_changed?
-    end
+    validates_uniqueness_of :email, allow_blank: true, if: :devise_will_save_change_to_email?
   end
 
   def raw_confirmation_token

test/support/helpers.rb

@@ -3,8 +3,6 @@
 require 'active_support/test_case'
 
 class ActiveSupport::TestCase
-  VALID_AUTHENTICATION_TOKEN = 'AbCdEfGhIjKlMnOpQrSt'.freeze
-
   def setup_mailer
     ActionMailer::Base.deliveries = []
   end
@@ -73,6 +71,17 @@ class ActiveSupport::TestCase
     end
   end
 
+  def swap_model_config(model, new_values)
+    new_values.each do |key, value|
+      model.send :"#{key}=", value
+    end
+    yield
+  ensure
+    new_values.each_key do |key|
+      model.remove_instance_variable :"@#{key}"
+    end
+  end
+
   def clear_cached_variables(options)
     if options.key?(:case_insensitive_keys) || options.key?(:strip_whitespace_keys)
       Devise.mappings.each do |_, mapping|

test/support/webrat/matchers.rb

@@ -0,0 +1,12 @@
+# Monkey patch for Nokogiri changes - https://github.com/sparklemotion/nokogiri/issues/2469
+module Webrat
+  module Matchers
+    class HaveSelector
+      def query
+        Nokogiri::CSS.parse(@expected.to_s).map do |ast|
+          ast.to_xpath("//", Nokogiri::CSS::XPathVisitor.new)
+        end.first
+      end
+    end
+  end
+end

test/test/controller_helpers_test.rb

@@ -15,7 +15,7 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
   test "redirects if attempting to access a page with an unconfirmed account" do
     swap Devise, allow_unconfirmed_access_for: 0.days do
       user = create_user
-      assert !user.active_for_authentication?
+      assert_not user.active_for_authentication?
 
       sign_in user
       get :index
@@ -26,7 +26,7 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
   test "returns nil if accessing current_user with an unconfirmed account" do
     swap Devise, allow_unconfirmed_access_for: 0.days do
       user = create_user
-      assert !user.active_for_authentication?
+      assert_not user.active_for_authentication?
 
       sign_in user
       get :accept, params: { id: user }

test/test/integration_helpers_test.rb

@@ -18,7 +18,7 @@ class TestIntegrationsHelpersTest < Devise::IntegrationTest
     sign_out user
 
     visit '/'
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
   end
 
   test '#sign_out does not signs out other scopes' do
@@ -28,7 +28,7 @@ class TestIntegrationsHelpersTest < Devise::IntegrationTest
 
     visit '/'
 
-    refute warden.authenticated?(:user)
+    assert_not warden.authenticated?(:user)
     assert warden.authenticated?(:admin)
   end
 end