` tags [#5494](https://github.com/heartcombo/devise/pull/5494) + * Replace `[data-turbo-cache=false]` with `[data-turbo-temporary]` on `devise/shared/error_messages` partial. This has been [deprecated by Turbo since v7.3.0 (released on Mar 1, 2023)](https://github.com/hotwired/turbo/releases/tag/v7.3.0). + + If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to `[data-turbo-cache=false]`. + +* enhancements + * Add Rails 8 support. + - Routes are lazy-loaded by default in test and development environments now so Devise loads them before `Devise.mappings` call. [#5728](https://github.com/heartcombo/devise/pull/5728) + * New apps using Rack 3.1+ will be generated using `config.responder.error_status = :unprocessable_content`, since [`:unprocessable_entity` has been deprecated by Rack](https://github.com/rack/rack/pull/2137). + + Latest versions of [Rails transparently convert `:unprocessable_entity` -> `:unprocessable_content`](https://github.com/rails/rails/pull/53383), and Devise will use that in the failure app to avoid Rack deprecation warnings for apps that are configured with `:unprocessable_entity`. They can also simply change their `error_status` to `:unprocessable_content` in latest Rack versions to avoid the warning. + * Add Ruby 3.4 and 4.0 support. + * Reenable Mongoid test suite across all Rails 7+ versions, to ensure we continue supporting it. Changes to dirty tracking to support Mongoid 8.0+. [#5568](https://github.com/heartcombo/devise/pull/5568) + * Password length validator is changed from + + ``` + validates_length_of :password, within: password_length, allow_blank: true` + ``` + + to + + ``` + validates_length_of :password, minimum: proc { password_length.min }, maximum: proc { password_length.max }, allow_blank: true + ``` + + so it's possible to override `password_length` at runtime. [#5734](https://github.com/heartcombo/devise/pull/5734) + +* bug fixes + * Make `Devise` work without `ActionMailer` when `Zeitwerk` autoloader is used. [#5731](https://github.com/heartcombo/devise/pull/5731) + * Handle defaults `:from` and `:reply_to` as procs correctly by delegating to Rails [#5595](https://github.com/heartcombo/devise/pull/5595) + * Use `OmniAuth.config.allowed_request_methods` as routing verbs for the auth path [#5508](https://github.com/heartcombo/devise/pull/5508) + * Handle `on` and `ON` as true values to check params [#5514](https://github.com/heartcombo/devise/pull/5514) + * Fix passing `format` option to `devise_for` [#5732](https://github.com/heartcombo/devise/pull/5732) + * Use `ActiveRecord::SecurityUtils.secure_compare` in `Devise.secure_compare` to match two empty strings correctly. [#4829](https://github.com/heartcombo/devise/pull/4829) + * Respond with `401 Unauthorized` for non-navigational requests to destroy the session when there is no authenticated resource. [#4878](https://github.com/heartcombo/devise/pull/4878) + * Fix incorrect grammar of invalid authentication message with capitalized attributes, e.g.: "Invalid Email or password" => "Invalid email or password". (originally introduced by [#4014](https://github.com/heartcombo/devise/pull/4014), released on v4.1.0) [#4834](https://github.com/heartcombo/devise/pull/4834) + + +Please check [4-stable](https://github.com/heartcombo/devise/blob/4-stable/CHANGELOG.md) +for previous changes. diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc deleted file mode 100644 index c827b4cd39..0000000000 --- a/CHANGELOG.rdoc +++ /dev/null @@ -1,876 +0,0 @@ -* enhancement - * Default minimum password length is now 8 (by @carlosgaldino). - * Confirmable now has a confirm_within option to set a period while the confirmation token is still valid (by @promisedlandt) - -* bug fix - * Fix a regression introduced on warden 1.2.1 (by @ejfinneran) - * Properly camelize omniauth strategies (by @saizai) - * Do not set flash messages for non navigational requests on session sign out (by @mathieul) - * Set the proper fields as required on the lockable module (by @nickhoffman) - * Respects Devise mailer default's reply_to (by @mrchrisadams) - -== 2.1.2 - -* enhancements - * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x - -* bug fix - * Fix regression on strategy validation on previous release - -== 2.1.1 (yanked) - -* enhancements - * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action - * `Devise.omniauth_path_prefix` is available to configure omniauth path prefix - * Redirect to sign in page when trying to access password#edit without a token (by @gbataille) - * Allow a lambda in authenticate(d) routes helpers to further select the scope - * Removed warnings on Rails 3.2.6 (by @nashby) - -* bug fix - * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn) - * Do not trigger timeout on sign in related actions - * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller) - -* deprecations - * Strategy#validate() no longer validates nil resources - -== 2.1.0 - -* enhancements - * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses - * Add `skip_reconfirmation!` to skip reconfirmation - * Devise model generator now works with engines - * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable) - -* deprecations - * Deprecations warnings added on Devise 2.0 are now removed with their features - * All devise modules should now have a `required_fields(klass)` module method to help gathering missing attributes - * `use_salt_as_remember_token` and `apply_schema` does not have any effect since 2.0 and are now deprecated - * `valid_for_authentication?` must now return a boolean - -* bug fix - * Ensure after sign in hook is not called without a resource - * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing - * Fixed redirect when authenticated mounted apps (by @hakanensari) - * Ensure the failure app still respects config.relative_url_root - * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium) - * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores) - * Added token expiration on timeout (by @antiarchitect) - * Do not accidentally mark `_prefixes` as private - * Better support for custom strategies on test helpers (by @mattconnolly) - * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez) - -== 2.0.4 - -Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0 - -* bug fix - * Fix when :host is used with devise_for (by @mreinsch) - * Fix a regression that caused Warden to be initialized too late - -== 2.0.3 (yanked) - -* bug fix - * Ensure warning is not shown by mistake on apps with mounted engines - * Fixes related to remember_token and rememberable_options - * Ensure serializable_hash does not depend on accessible attributes - * Ensure that timeout callback does not run on sign out action - -== 2.0.2 - -* enhancements - * Add devise_i18n_options to customize I18n message - -* bug fix - * Ensure Devise.available_router_name defaults to :main_app - * Set autocomplete to off for password on edit forms - * Better error messages in case a trackable model can't be saved - * Show a warning in case someone gives a pluralized name to devise generator - * Fix test behavior for rspec subject requests (by @sj26) - -== 2.0.1 - -* enhancements - * Improved error messages on deprecation warnings - * Hide Devise's internal generators from `rails g` command - -* bug fix - * Removed tmp and log files from gem - -== 2.0.0 - -* enhancements - * Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal) - * Redirect users to sign in page after unlock (by @nashby) - * Redirect to the previous URL on timeout - * Inherit from the same Devise parent controller (by @sj26) - * Allow parent_controller to be customizable via Devise.parent_controller, useful for engines - * Allow router_name to be customizable via Devise.router_name, useful for engines - * Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81) - -* deprecation - * Devise now only supports Rails 3.1 forward - * Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for - * Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage - * Usage of Devise.apply_schema is deprecated - * Usage of Devise migration helpers are deprecated - * Usage of Devise.remember_across_browsers was deprecated - * Usage of rememberable with remember_token was removed - * Usage of recoverable without reset_password_sent_at was removed - * Usage of Devise.case_insensitive_keys equals to false was removed - * Move devise/shared/_links.erb to devise/_links.erb - * Deprecated support of nested devise_for blocks - * Deprecated support to devise.registrations.reasons and devise.registrations.inactive_signed_up in favor of devise.registrations.signed_up_but_* - * Protected method render_with_scope was removed. - -== 1.5.3 - -* bug fix - * Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko) - * Ensure passing :format => false to devise_for is not permanent - * Ensure path checker does not check invalid routes - -== 1.5.2 - -* enhancements - * Add support for Rails 3.1 new mass assignment conventions (by @kirs) - * Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest) - -* bug fix - * OmniAuth error message now shows the proper option (:strategy_class instead of :klass) - -== 1.5.1 - -* bug fix - * Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise. - -== 1.5.0 - -* enhancements - * Timeoutable also skips tracking if skip_trackable is given - * devise_for now accepts :failure_app as an option - * Models can select the proper mailer via devise_mailer method (by @locomotivecms) - * Migration generator now uses the change method (by @nashby) - * Support to markerb templates on the mailer generator (by @sbounmy) - * Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus) - -* bug fix - * Allow idempotent API requests - * Fix bug where logs did not show 401 as status code - * Change paranoid settings to behave as success instead of as failure - * Fix bug where activation messages were shown first than the credentials error message - * Instance variables are expired after sign out - -* deprecation - * redirect_location is deprecated, please use after_sign_in_path_for - * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it - -== 1.4.9 - -* bug fix - * url helpers were not being set under some circumstances - -== 1.4.8 - -* enhancements - * Add docs for assets pipeline and Heroku - -* bug fix - * confirmation_url was not being set under some circumstances - -== 1.4.7 - -* bug fix - * Fix backward incompatible change from 1.4.6 for those using custom controllers - -== 1.4.6 (yanked) - -* enhancements - * Allow devise_for :skip => :all - * Allow options to be passed to authenticate_user! - * Allow --skip-routes to devise generator - * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller - -== 1.4.5 - -* bug fix - * Failure app tries the root path if a session one does not exist - * No need to finalize Devise helpers all the time (by @bradleypriest) - * Reset password shows proper message if user is not active - * `clean_up_passwords` sets the accessors to nil to skip validations - -== 1.4.4 - -* bug fix - * Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually - -== 1.4.3 - -* enhancements - * Improve Rails 3.1 compatibility - * Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility - -* bug fix - * Generator properly generates a change_table migration if a model already exists - * Properly deprecate setup_mail - * Fix encoding issues with email regexp - * Only generate helpers for the used mappings - * Wrap :action constraints in the proper hash - -* deprecations - * Loosened the used email regexp to simply assert the existent of "@". If someone relies on a more strict regexp, they may use https://github.com/SixArm/sixarm_ruby_email_address_validation - -== 1.4.2 - -* bug fix - * Provide a more robust behavior to serializers and add :force_except option - -== 1.4.1 - -* enhancements - * Add :defaults and :format support on router - * Add simple form generators - * Better localization for devise_error_messages! (by @zedtux) - -* bug fix - * Ensure to_xml is properly white listened - * Ensure handle_unverified_request clean up any cached signed-in user - -== 1.4.0 - -* enhancements - * Added authenticated and unauthenticated to the router to route the used based on his status (by @sj26) - * Improve e-mail regexp (by @rodrigoflores) - * Add strip_whitespace_keys and default to e-mail (by @swrobel) - * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut) - * Added update_without_password to update models but not allowing the password to change (by @fschwahn) - * Added config.paranoid, check the generator for more information (by @rodrigoflores) - -* bug fix - * password_required? should not affect length validation - * User cannot access sign up and similar pages if he is already signed in through a cookie or token - * Do not convert booleans to strings on finders (by @xavier) - * Run validations even if current_password fails (by @crx) - * Devise now honors routes constraints (by @macmartine) - * Do not return the user resource when requesting instructions (by @rodrigoflores) - -== 1.3.4 - -* bug fix - * Do not add formats if html or "*/*" - -== 1.3.3 - -* bug fix - * Explicitly mark the token as expired if so - -== 1.3.2 - -* bug fix - * Fix another regression related to reset_password_sent_at (by @alexdreher) - -== 1.3.1 - -* enhancements - * Improve failure_app responses (by @indirect) - * sessions/new and registrations/new also respond to xml and json now - -* bug fix - * Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss) - -== 1.3.0 - -* enhancements - * All controllers can now handle different mime types than html using Responders (by @sikachu) - * Added reset_password_within as configuration option to send the token for recovery (by @jdguyot) - * Bump password length to 128 characters (by @k33l0r) - * Add :only as option to devise_for (by @timoschilling) - * Allow to override path after sending password instructions (by @irohiroki) - * require_no_authentication has its own flash message (by @jackdempsey) - -* bug fix - * Fix a bug where configuration options were being included too late - * Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger) - * valid_password? should not choke on empty passwords (by @mikel) - * Calling devise more than once does not include previously added modules anymore - * downcase_keys before validation - -* backward incompatible changes - * authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior. - -== 1.2.1 - -* enhancements - * Improve update path messages - -== 1.2.0 - -* bug fix - * Properly ignore path prefix on omniauthable - * Faster uniqueness queries - * Rename active? to active_for_authentication? to avoid conflicts - -== 1.2.rc2 - -* enhancements - * Make friendly_token 20 chars long - * Use secure_compare - -* bug fix - * Fix an issue causing infinite redirects in production - * rails g destroy works properly with devise generators (by @andmej) - * before_failure callbacks should work on test helpers (by @twinge) - * rememberable cookie now is httponly by default (by @JamesFerguson) - * Add missing confirmation_keys (by @JohnPlummer) - * Ensure after_* hooks are called on RegistrationsController - * When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included) - * Ensure stateless token does not trigger timeout (by @pixelauthority) - * Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols - * Consider namespaces while generating routes - * Custom failure apps no longer ignored in test mode (by @jaghion) - * Do not depend on ActiveModel::Dirty - * Manual sign_in now triggers remember token - * Be sure to halt strategies on failures - * Consider SCRIPT_NAME on Omniauth paths - * Reset failed attempts when lock is expired - * Ensure there is no Mongoid injection - -* deprecations - * Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes) - * Removed --haml and --slim view templates - * Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode - -== 1.2.rc - -* deprecations - * cookie_domain is deprecated in favor of cookie_options - * after_update_path_for can no longer be defined in ApplicationController - -* enhancements - * Added OmniAuth support - * Added ORM adapter to abstract ORM iteraction - * sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld) - * Improved Ajax requests handling in failure app (by @spastorino) - * Added request_keys to easily use request specific values (like subdomain) in authentication - * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack) - * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai) - * Extracted encryptors into :encryptable for better bcrypt support - * :rememberable is now able to use salt as token if no remember_token is provided - * Store the salt in session and expire the session if the user changes his password - * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication - * cookie_options uses session_options values by default - * Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message - * Use ActiveModel#to_key instead of #id - * sign_out_all_scopes now destroys the whole session - * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl) - -* default behavior changes - * sign_out_all_scopes defaults to true as security measure - * http authenticatable is disabled by default - * Devise does not intercept 401 returned from applications - -* bugfix - * after_sign_in_path_for always receives a resource - * Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo) - * Allow password recovery and account unlocking to change used keys (by @RStankov) - * FailureApp now properly handles nil request.format - * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7 - * Ensure namespaces has proper scoped views - * Ensure Devise does not set empty flash messages (by @sxross) - -== 1.1.6 - -* Use a more secure e-mail regexp -* Implement Rails 3.0.4 handle unverified request -* Use secure_compare to compare passwords - -== 1.1.5 - -* bugfix - * Ensure to convert keys on indifferent hash - -* defaults - * Set config.http_authenticatable to false to avoid confusion - -== 1.1.4 - -* bugfix - * Avoid session fixation attacks - -== 1.1.3 - -* bugfix - * Add reply-to to e-mail headers by default - * Updated the views generator to respect the rails :template_engine option (by @fredwu) - * Check the type of HTTP Authentication before using Basic headers - * Avoid invalid_salt errors by checking salt presence (by @thibaudgg) - * Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane) - * Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie) - * :default options is now honored in migrations - -== 1.1.2 - -* bugfix - * Compatibility with latest Rails routes schema - -== 1.1.1 - -* bugfix - * Fix a small bug where generated locale file was empty on devise:install - -== 1.1.0 - -* enhancements - * Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk) - * Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk) - * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation) - * Support `as` or `devise_scope` in the router to specify controller access scope - * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja) - -* bug fix - * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts - * Devise should respect script_name and path_info contracts - * Fix a bug when accessing a path with (.:format) (by @klacointe) - * Do not add unlock routes unless unlock strategy is email or both - * Email should be case insensitive - * Store classes as string in session, to avoid serialization and stale data issues - -* deprecations - * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead - -== 1.1.rc2 - -* enhancements - * Allow to set cookie domain for the remember token. (by @mantas) - * Added navigational formats to specify when it should return a 302 and when a 401. - * Added authenticate(scope) support in routes (by @wildchild) - * Added after_update_path_for to registrations controller (by @thedelchop) - * Allow the mailer object to be replaced through config.mailer = "MyOwnMailer" - -* bug fix - * Fix a bug where session was timing out on sign out - -* deprecations - * bcrypt is now the default encryptor - * devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject - * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject - * Generators now use Rails 3 syntax (devise:install) instead of devise_install - -== 1.1.rc1 - -* enhancements - * Rails 3 compatibility - * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions" - * Devise.orm is deprecated. This reduces the required API to hook your ORM with devise - * Use metal for failure app - * HTML e-mails now have proper formatting - * Allow to give :skip and :controllers in routes - * Move trackable logic to the model - * E-mails now use any template available in the filesystem. Easy to create multipart e-mails - * E-mails asks headers_for in the model to set the proper headers - * Allow to specify haml in devise_views - * Compatibility with Mongoid - * Make config.devise available on config/application.rb - * TokenAuthenticatable now works with HTTP Basic Auth - * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself - * No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3 - * :activatable is included by default in your models - -* bug fix - * Fix a bug with STI - -* deprecations - * Rails 3 compatible only - * Removed support for MongoMapper - * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new" - * Devise.orm is deprecated, just require "devise/orm/YOUR_ORM" instead - * Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options - * All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure - * :as and :scope in routes is deprecated. Use :path and :singular instead - -== 1.0.8 - -* enhancements - * Support for latest MongoMapper - * Added anybody_signed_in? helper (by @SSDany) - -* bug fix - * confirmation_required? is properly honored on active? calls. (by @paulrosania) - -== 1.0.7 - -* bug fix - * Ensure password confirmation is always required - -* deprecations - * authenticatable was deprecated and renamed to database_authenticatable - * confirmable is not included by default on generation - -== 1.0.6 - -* bug fix - * Do not allow unlockable strategies based on time to access a controller. - * Do not send unlockable email several times. - * Allow controller to upstram custom! failures to Warden. - -== 1.0.5 - -* bug fix - * Use prepend_before_filter in require_no_authentication. - * require_no_authentication on unlockable. - * Fix a bug when giving an association proxy to devise. - * Do not use lock! on lockable since it's part of ActiveRecord API. - -== 1.0.4 - -* bug fix - * Fixed a bug when deleting an account with rememberable - * Fixed a bug with custom controllers - -== 1.0.3 - -* enhancements - * HTML e-mails now have proper formatting - * Do not remove MongoMapper options in find - -== 1.0.2 - -* enhancements - * Allows you set mailer content type (by @glennr) - -* bug fix - * Uses the same content type as request on http authenticatable 401 responses - -== 1.0.1 - -* enhancements - * HttpAuthenticatable is not added by default automatically. - * Avoid mass assignment error messages with current password. - -* bug fix - * Fixed encryptors autoload - -== 1.0.0 - -* deprecation - * :old_password in update_with_password is deprecated, use :current_password instead - -* enhancements - * Added Registerable - * Added Http Basic Authentication support - * Allow scoped_views to be customized per controller/mailer class - * [#99] Allow authenticatable to used in change_table statements - -== 0.9.2 - -* bug fix - * Ensure inactive user cannot sign in - * Ensure redirect to proper url after sign up - -* enhancements - * Added gemspec to repo - * Added token authenticatable (by @grimen) - -== 0.9.1 - -* bug fix - * Allow bigger salt size (by @jgeiger) - * Fix relative url root - -== 0.9.0 - -* deprecation - * devise :all is deprecated - * :success and :failure flash messages are now :notice and :alert - -* enhancements - * Added devise lockable (by @mhfs) - * Warden 0.9.0 compatibility - * Mongomapper 0.6.10 compatibility - * Added Devise.add_module as hooks for extensions (by @grimen) - * Ruby 1.9.1 compatibility (by @grimen) - -* bug fix - * Accept path prefix not starting with slash - * url helpers should rely on find_scope! - -== 0.8.2 - -* enhancements - * Allow Devise.mailer_sender to be a proc (by @grimen) - -* bug fix - * Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm) - -== 0.8.1 - -* enhancements - * Move salt to encryptors - * Devise::Lockable - * Moved view links into partial and I18n'ed them - -* bug fix - * Bcrypt generator was not being loaded neither setting the proper salt - -== 0.8.0 - -* enhancements - * Warden 0.8.0 compatibility - * Add an easy for map.connect "sign_in", :controller => "sessions", :action => "new" to work - * Added :bcrypt encryptor (by @capotej) - -* bug fix - * sign_in_count is also increased when user signs in via password change, confirmation, etc.. - * More DataMapper compatibility (by @lancecarlson) - -* deprecation - * Removed DeviseMailer.sender - -== 0.7.5 - -* enhancements - * Set a default value for mailer to avoid find_template issues - * Add models configuration to MongoMapper::EmbeddedDocument as well - -== 0.7.4 - -* enhancements - * Extract Activatable from Confirmable - * Decouple Serializers from Devise modules - -== 0.7.3 - -* bug fix - * Give scope to the proper model validation - -* enhancements - * Mail views are scoped as well - * Added update_with_password for authenticatable - * Allow render_with_scope to accept :controller option - -== 0.7.2 - -* deprecation - * Renamed reset_confirmation! to resend_confirmation! - * Copying locale is part of the installation process - -* bug fix - * Fixed render_with_scope to work with all controllers - * Allow sign in with two different users in Devise::TestHelpers - -== 0.7.1 - -* enhancements - * Small enhancements for other plugins compatibility (by @grimen) - -== 0.7.0 - -* deprecations - * :authenticatable is not included by default anymore - -* enhancements - * Improve loading process - * Extract SessionSerializer from Authenticatable - -== 0.6.3 - -* bug fix - * Added trackable to migrations - * Allow inflections to work - -== 0.6.2 - -* enhancements - * More DataMapper compatibility - * Devise::Trackable - track sign in count, timestamps and ips - -== 0.6.1 - -* enhancements - * Devise::Timeoutable - timeout sessions without activity - * DataMapper now accepts conditions - -== 0.6.0 - -* deprecations - * :authenticatable is still included by default, but yields a deprecation warning - -* enhancements - * Added DataMapper support - * Remove store_location from authenticatable strategy and add it to failure app - * Allow a strategy to be placed after authenticatable - * [#45] Do not rely attribute? methods, since they are not added on Datamapper - -== 0.5.6 - -* enhancements - * [#42] Do not send nil to build (DataMapper compatibility) - * [#44] Allow to have scoped views - -== 0.5.5 - -* enhancements - * Allow overwriting find for authentication method - * [#38] Remove Ruby 1.8.7 dependency - -== 0.5.4 - -* deprecations - * Deprecate :singular in devise_for and use :scope instead - -* enhancements - * [#37] Create after_sign_in_path_for and after_sign_out_path_for hooks to be - overwriten in ApplicationController - * Create sign_in_and_redirect and sign_out_and_redirect helpers - * Warden::Manager.default_scope is automatically configured to the first given scope - -== 0.5.3 - -* bug fix - * MongoMapper now converts DateTime to Time - * Ensure all controllers are unloadable - -* enhancements - * [#35] Moved friendly_token to Devise - * Added Devise.all, so you can freeze your app strategies - * Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper - in cases you don't want it be handlded automatically - -== 0.5.2 - -* enhancements - * [#28] Improved sign_in and sign_out helpers to accepts resources - * [#28] Added stored_location_for as a helper - * [#20] Added test helpers - -== 0.5.1 - -* enhancements - * Added serializers based on Warden ones - * Allow authentication keys to be set - -== 0.5.0 - -* bug fix - * Fixed a bug where remember me module was not working properly - -* enhancements - * Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs) - * Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs) - * Added support for MongoMapper (by @shingara) - -== 0.4.3 - -* bug fix - * [#29] Authentication just fails if user cannot be serialized from session, without raising errors; - * Default configuration values should not overwrite user values; - -== 0.4.2 - -* deprecations - * Renamed mail_sender to mailer_sender - -* enhancements - * skip_before_filter added in Devise controllers - * Use home_or_root_path on require_no_authentication as well - * Added devise_controller?, useful to select or reject filters in ApplicationController - * Allow :path_prefix to be given to devise_for - * Allow default_url_options to be configured through devise (:path_prefix => "/:locale" is now supported) - -== 0.4.1 - -* bug fix - * [#21] Ensure options can be set even if models were not loaded - -== 0.4.0 - -* deprecations - * Notifier is deprecated, use DeviseMailer instead. Remember to rename - app/views/notifier to app/views/devise_mailer and I18n key from - devise.notifier to devise.mailer - * :authenticable calls are deprecated, use :authenticatable instead - -* enhancements - * [#16] Allow devise to be more agnostic and do not require ActiveRecord to be loaded - * Allow Warden::Manager to be configured through Devise - * Created a generator which creates an initializer - -== 0.3.0 - -* bug fix - * [#15] Allow yml messages to be configured by not using engine locales - -* deprecations - * Renamed confirm_in to confirm_within - * [#14] Do not send confirmation messages when user changes his e-mail - * [#13] Renamed authenticable to authenticatable and added deprecation warnings - -== 0.2.3 - -* enhancements - * Ensure fail! works inside strategies - * [#12] Make unauthenticated message (when you haven't signed in) different from invalid message - -* bug fix - * Do not redirect on invalid authenticate - * Allow model configuration to be set to nil - -== 0.2.2 - -* bug fix - * [#9] Fix a bug when using customized resources - -== 0.2.1 - -* refactor - * Clean devise_views generator to use devise existing views - -* enhancements - * [#7] Create instance variables (like @user) for each devise controller - * Use Devise::Controller::Helpers only internally - -* bug fix - * [#6] Fix a bug with Mongrel and Ruby 1.8.6 - -== 0.2.0 - -* enhancements - * [#4] Allow option :null => true in authenticable migration - * [#3] Remove attr_accessible calls from devise modules - * Customizable time frame for rememberable with :remember_for config - * Customizable time frame for confirmable with :confirm_in config - * Generators for creating a resource and copy views - -* optimize - * Do not load hooks or strategies if they are not used - -* bug fixes - * [#2] Fixed requiring devise strategies - -== 0.1.1 - -* bug fixes - * [#1] Fixed requiring devise mapping - -== 0.1.0 - -* Devise::Authenticable -* Devise::Confirmable -* Devise::Recoverable -* Devise::Validatable -* Devise::Migratable -* Devise::Rememberable - -* SessionsController -* PasswordsController -* ConfirmationsController - -* Create an example app -* devise :all, :except => :rememberable -* Use sign_in and sign_out in SessionsController - -* Mailer subjects namespaced by model -* Allow stretches and pepper per model - -* Store session[:return_to] in session -* Sign user in automatically after confirming or changing it's password diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..5d594d2f52 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,22 @@ +# Contributor Code of Conduct + +As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. + +We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality. + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery +* Personal attacks +* Trolling or insulting/derogatory comments +* Public or private harassment +* Publishing other's private information, such as physical or electronic addresses, without explicit permission +* Other unethical or unprofessional conduct. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team. + +This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [heartcombo.oss@gmail.com](heartcombo.oss@gmail.com) or contacting one or more of the project maintainers. + +This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0125b06c31..336d614f40 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,12 +1,79 @@ -### Please read before contributing +# How to contribute to Devise -1) If you have any questions about Devise, search the [Wiki](https://github.com/plataformatec/devise/wiki) or use the [Mailing List](groups.google.com/group/plataformatec-devise) or [Stack Overflow](http://stackoverflow.com/questions/tagged/devise). Do not post questions here. +Thanks for your interest on contributing to Devise! Here are a few general +guidelines on contributing and reporting bugs to Devise that we ask you to +take a look first. Notice that all of your interactions in the project are +expected to follow our [Code of Conduct](CODE_OF_CONDUCT.md). -2) If you find a security bug, **DO NOT** submit an issue here. Please send an e-mail to [developers@plataformatec.com.br](mailto:developers@plataformatec.com.br) instead. +## Reporting Issues -3) Do a small search on the issues tracker before submitting your issue to see if it was already reported / fixed. In case it was not, create your report including Rails, Devise and Warden versions. If you are getting exceptions, please include the full backtrace. +Before reporting a new issue, please be sure that the issue wasn't already +reported or fixed by searching on GitHub through our [issues](https://github.com/heartcombo/devise/issues). -That's it! The more information you give, the more easy it becomes for us to track it down and fix it. Ideal scenario would be adding the issue to Devise test suite or to a sample application. +When creating a new issue, be sure to include a **title and clear description**, +as much relevant information as possible, and either a test case example or +even better a **sample Rails app that replicates the issue** - Devise has a lot +of moving parts and it's functionality can be affected by third party gems, so +we need as much context and details as possible to identify what might be broken +for you. We have a [test case template](guides/bug_report_templates/integration_test.rb) +that can be used to replicate issues with minimal setup. -Thanks! +Please do not attempt to translate Devise built in views. The views are meant +to be a starting point for fresh apps and not production material - eventually +all applications will require custom views where you can write your own copy and +translate it if the application requires it . For historical references, please look into closed +[Issues/Pull Requests](https://github.com/heartcombo/devise/issues?q=i18n) regarding +internationalization. +Avoid opening new issues to ask questions in our issues tracker. Please go through +the project wiki, documentation and source code first, or try to ask your question +on [Stack Overflow](http://stackoverflow.com/questions/tagged/devise). + +**If you find a security bug, do not report it through GitHub. Please send an +e-mail to [heartcombo.oss@gmail.com](mailto:heartcombo.oss@gmail.com) +instead.** + +## Sending Pull Requests + +Before sending a new Pull Request, take a look on existing Pull Requests and Issues +to see if the proposed change or fix has been discussed in the past, or if the +change was already implemented but not yet released. + +We expect new Pull Requests to include enough tests for new or changed behavior, +and we aim to maintain everything as most backwards compatible as possible, +reserving breaking changes to be ship in major releases when necessary - you +can wrap the new code path with a setting toggle from the `Devise` module defined +as `false` by default to require developers to opt-in for the new behavior. + +If your Pull Request includes new or changed behavior, be sure that the changes +are beneficial to a wide range of use cases or it's an application specific change +that might not be so valuable to other applications. Some changes can be introduced +as a new `devise-something` gem instead of belonging to the main codebase. + +When adding new settings, you can take advantage of the [`Devise::Models.config`](https://github.com/heartcombo/devise/blob/245b1f9de0b3386b7913e14b60ea24f43b77feb0/lib/devise/models.rb#L13-L50) method to add class and instance level fallbacks +to the new setting. + +We also welcome Pull Requests that improve our existing documentation (both our +`README.md` and the RDoc sections in the source code) or improve existing rough +edges in our API that might be blocking existing integrations or 3rd party gems. + +## Other ways to contribute + +We welcome anyone that wants to contribute to Devise to triage and reply to +open issues to help troubleshoot and fix existing bugs on Devise. Here is what +you can do: + +* Help ensure that existing issues follows the recommendations from the +_[Reporting Issues](#reporting-issues)_ section, providing feedback to the issue's +author on what might be missing. +* Review and update the existing content of our [Wiki](https://github.com/heartcombo/devise/wiki) +with up to date instructions and code samples - the wiki was grown with several +different tutorials and references that we can't keep track of everything, so if +there is a page that showcases an integration or customization that you are +familiar with feel free to update it as necessary. +* Review existing Pull Requests, and testing patches against real existing +applications that use Devise. + +Thanks again for your interest on contributing to the project! + +:heart: diff --git a/Gemfile b/Gemfile index 25e659ef5c..3fc8499f9c 100644 --- a/Gemfile +++ b/Gemfile @@ -1,31 +1,33 @@ -source "http://rubygems.org" +# frozen_string_literal: true + +source "https://rubygems.org" gemspec -gem "rails", "~> 3.2.6" -gem "omniauth", "~> 1.0.0" -gem "omniauth-oauth2", "~> 1.0.0" +gem "omniauth" +gem "omniauth-oauth2" +gem "rails", "~> 8.1.0" gem "rdoc" +gem "rails-controller-testing" + +gem "responders", "~> 3.1" + group :test do + gem "minitest", "< 6" + gem "mocha", "~> 2.1", require: false gem "omniauth-facebook" - gem "omniauth-openid", "~> 1.0.1" - gem "webrat", "0.7.2", :require => false - gem "mocha", :require => false -end - -platforms :jruby do - gem "activerecord-jdbc-adapter" - gem "activerecord-jdbcsqlite3-adapter" - gem "jruby-openssl" + gem "omniauth-openid" + gem "rexml" + gem "timecop" + gem "webrat" + gem "ostruct" end platforms :ruby do gem "sqlite3" +end - group :mongoid do - gem "mongo", "~> 1.3.0" - gem "mongoid", "~> 2.0" - gem "bson_ext", "~> 1.3.0" - end +group :mongoid do + gem "mongoid", "~> 9.0", github: "mongodb/mongoid", branch: "9.0-stable" end diff --git a/Gemfile.lock b/Gemfile.lock index a13d5de8af..ddd309923f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,155 +1,312 @@ +GIT + remote: https://github.com/mongodb/mongoid.git + revision: dce2e0fa3c5f0dd2086b2c8341086ff05e1b37f9 + branch: 9.0-stable + specs: + mongoid (9.0.9) + activemodel (>= 5.1, < 8.2, != 7.0.0) + concurrent-ruby (>= 1.0.5, < 2.0) + mongo (>= 2.18.0, < 3.0.0) + PATH remote: . specs: - devise (2.1.2) - bcrypt-ruby (~> 3.0) + devise (5.0.0) + bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (~> 3.1) - warden (~> 1.2.1) + railties (>= 7.0) + responders + warden (~> 1.2.3) GEM - remote: http://rubygems.org/ + remote: https://rubygems.org/ specs: - actionmailer (3.2.6) - actionpack (= 3.2.6) - mail (~> 2.4.4) - actionpack (3.2.6) - activemodel (= 3.2.6) - activesupport (= 3.2.6) - builder (~> 3.0.0) - erubis (~> 2.7.0) - journey (~> 1.0.1) - rack (~> 1.4.0) - rack-cache (~> 1.2) - rack-test (~> 0.6.1) - sprockets (~> 2.1.3) - activemodel (3.2.6) - activesupport (= 3.2.6) - builder (~> 3.0.0) - activerecord (3.2.6) - activemodel (= 3.2.6) - activesupport (= 3.2.6) - arel (~> 3.0.2) - tzinfo (~> 0.3.29) - activeresource (3.2.6) - activemodel (= 3.2.6) - activesupport (= 3.2.6) - activesupport (3.2.6) - i18n (~> 0.6) - multi_json (~> 1.0) - addressable (2.2.6) - arel (3.0.2) - bcrypt-ruby (3.0.1) - bson (1.5.1) - bson_ext (1.3.1) - builder (3.0.0) - erubis (2.7.0) - faraday (0.7.5) - addressable (~> 2.2.6) - multipart-post (~> 1.1.3) - rack (>= 1.1.0, < 2) - hashie (1.2.0) - hike (1.2.1) - i18n (0.6.0) - journey (1.0.4) - json (1.7.3) - mail (2.4.4) - i18n (>= 0.4.0) - mime-types (~> 1.16) - treetop (~> 1.4.8) - metaclass (0.0.1) - mime-types (1.18) - mocha (0.10.0) - metaclass (~> 0.0.1) - mongo (1.3.1) - bson (>= 1.3.1) - mongoid (2.3.4) - activemodel (~> 3.1) - mongo (~> 1.3) - tzinfo (~> 0.3.22) - multi_json (1.0.4) - multipart-post (1.1.4) - nokogiri (1.5.0) - oauth2 (0.5.1) - faraday (~> 0.7.4) - multi_json (~> 1.0.3) - omniauth (1.0.1) - hashie (~> 1.2) - rack - omniauth-facebook (1.0.0) - omniauth-oauth2 (~> 1.0.0) - omniauth-oauth2 (1.0.0) - oauth2 (~> 0.5.0) - omniauth (~> 1.0) - omniauth-openid (1.0.1) - omniauth (~> 1.0) - rack-openid (~> 1.3.1) - orm_adapter (0.3.0) - polyglot (0.3.3) - rack (1.4.1) - rack-cache (1.2) - rack (>= 0.4) - rack-openid (1.3.1) + action_text-trix (2.1.16) + railties + actioncable (8.1.2) + actionpack (= 8.1.2) + activesupport (= 8.1.2) + nio4r (~> 2.0) + websocket-driver (>= 0.6.1) + zeitwerk (~> 2.6) + actionmailbox (8.1.2) + actionpack (= 8.1.2) + activejob (= 8.1.2) + activerecord (= 8.1.2) + activestorage (= 8.1.2) + activesupport (= 8.1.2) + mail (>= 2.8.0) + actionmailer (8.1.2) + actionpack (= 8.1.2) + actionview (= 8.1.2) + activejob (= 8.1.2) + activesupport (= 8.1.2) + mail (>= 2.8.0) + rails-dom-testing (~> 2.2) + actionpack (8.1.2) + actionview (= 8.1.2) + activesupport (= 8.1.2) + nokogiri (>= 1.8.5) + rack (>= 2.2.4) + rack-session (>= 1.0.1) + rack-test (>= 0.6.3) + rails-dom-testing (~> 2.2) + rails-html-sanitizer (~> 1.6) + useragent (~> 0.16) + actiontext (8.1.2) + action_text-trix (~> 2.1.15) + actionpack (= 8.1.2) + activerecord (= 8.1.2) + activestorage (= 8.1.2) + activesupport (= 8.1.2) + globalid (>= 0.6.0) + nokogiri (>= 1.8.5) + actionview (8.1.2) + activesupport (= 8.1.2) + builder (~> 3.1) + erubi (~> 1.11) + rails-dom-testing (~> 2.2) + rails-html-sanitizer (~> 1.6) + activejob (8.1.2) + activesupport (= 8.1.2) + globalid (>= 0.3.6) + activemodel (8.1.2) + activesupport (= 8.1.2) + activerecord (8.1.2) + activemodel (= 8.1.2) + activesupport (= 8.1.2) + timeout (>= 0.4.0) + activestorage (8.1.2) + actionpack (= 8.1.2) + activejob (= 8.1.2) + activerecord (= 8.1.2) + activesupport (= 8.1.2) + marcel (~> 1.0) + activesupport (8.1.2) + base64 + bigdecimal + concurrent-ruby (~> 1.0, >= 1.3.1) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + json + logger (>= 1.4.2) + minitest (>= 5.1) + securerandom (>= 0.3) + tzinfo (~> 2.0, >= 2.0.5) + uri (>= 0.13.1) + base64 (0.3.0) + bcrypt (3.1.21) + bigdecimal (4.0.1) + bson (5.2.0) + builder (3.3.0) + concurrent-ruby (1.3.6) + connection_pool (3.0.2) + crass (1.0.6) + date (3.5.1) + drb (2.2.3) + erb (6.0.1) + erubi (1.13.1) + faraday (2.14.0) + faraday-net_http (>= 2.0, < 3.5) + json + logger + faraday-net_http (3.4.2) + net-http (~> 0.5) + globalid (1.3.0) + activesupport (>= 6.1) + hashie (5.1.0) + logger + i18n (1.14.8) + concurrent-ruby (~> 1.0) + io-console (0.8.2) + irb (1.16.0) + pp (>= 0.6.0) + rdoc (>= 4.0.0) + reline (>= 0.4.2) + json (2.18.0) + jwt (3.1.2) + base64 + logger (1.7.0) + loofah (2.25.0) + crass (~> 1.0.2) + nokogiri (>= 1.12.0) + mail (2.9.0) + logger + mini_mime (>= 0.1.1) + net-imap + net-pop + net-smtp + marcel (1.1.0) + mini_mime (1.1.5) + mini_portile2 (2.8.9) + minitest (5.27.0) + mocha (2.8.2) + ruby2_keywords (>= 0.0.5) + mongo (2.22.0) + base64 + bson (>= 4.14.1, < 6.0.0) + multi_xml (0.8.1) + bigdecimal (>= 3.1, < 5) + net-http (0.9.1) + uri (>= 0.11.1) + net-imap (0.6.2) + date + net-protocol + net-pop (0.1.2) + net-protocol + net-protocol (0.2.2) + timeout + net-smtp (0.5.1) + net-protocol + nio4r (2.7.5) + nokogiri (1.19.0) + mini_portile2 (~> 2.8.2) + racc (~> 1.4) + oauth2 (2.0.18) + faraday (>= 0.17.3, < 4.0) + jwt (>= 1.0, < 4.0) + logger (~> 1.2) + multi_xml (~> 0.5) + rack (>= 1.2, < 4) + snaky_hash (~> 2.0, >= 2.0.3) + version_gem (~> 1.1, >= 1.1.9) + omniauth (2.1.4) + hashie (>= 3.4.6) + logger + rack (>= 2.2.3) + rack-protection + omniauth-facebook (10.0.0) + bigdecimal + omniauth-oauth2 (>= 1.2, < 3) + omniauth-oauth2 (1.9.0) + oauth2 (>= 2.0.2, < 3) + omniauth (~> 2.0) + omniauth-openid (2.0.2) + omniauth (>= 1.1) + rack-openid (~> 1.4) + ruby-openid (~> 2.1, >= 2.1.8) + version_gem (~> 1.1, >= 1.1.8) + orm_adapter (0.5.0) + ostruct (0.6.3) + pp (0.6.3) + prettyprint + prettyprint (0.2.0) + psych (5.3.1) + date + stringio + racc (1.8.1) + rack (3.2.4) + rack-openid (1.4.2) rack (>= 1.1.0) ruby-openid (>= 2.1.8) - rack-ssl (1.3.2) - rack - rack-test (0.6.1) - rack (>= 1.0) - rails (3.2.6) - actionmailer (= 3.2.6) - actionpack (= 3.2.6) - activerecord (= 3.2.6) - activeresource (= 3.2.6) - activesupport (= 3.2.6) - bundler (~> 1.0) - railties (= 3.2.6) - railties (3.2.6) - actionpack (= 3.2.6) - activesupport (= 3.2.6) - rack-ssl (~> 1.3.2) - rake (>= 0.8.7) - rdoc (~> 3.4) - thor (>= 0.14.6, < 2.0) - rake (0.9.2.2) - rdoc (3.12) - json (~> 1.4) - ruby-openid (2.1.8) - sprockets (2.1.3) - hike (~> 1.2) - rack (~> 1.0) - tilt (~> 1.1, != 1.3.0) - sqlite3 (1.3.5) - thor (0.15.2) - tilt (1.3.3) - treetop (1.4.10) - polyglot - polyglot (>= 0.3.1) - tzinfo (0.3.33) - warden (1.2.1) - rack (>= 1.0) - webrat (0.7.2) + rack-protection (4.2.1) + base64 (>= 0.1.0) + logger (>= 1.6.0) + rack (>= 3.0.0, < 4) + rack-session (2.1.1) + base64 (>= 0.1.0) + rack (>= 3.0.0) + rack-test (2.2.0) + rack (>= 1.3) + rackup (2.3.1) + rack (>= 3) + rails (8.1.2) + actioncable (= 8.1.2) + actionmailbox (= 8.1.2) + actionmailer (= 8.1.2) + actionpack (= 8.1.2) + actiontext (= 8.1.2) + actionview (= 8.1.2) + activejob (= 8.1.2) + activemodel (= 8.1.2) + activerecord (= 8.1.2) + activestorage (= 8.1.2) + activesupport (= 8.1.2) + bundler (>= 1.15.0) + railties (= 8.1.2) + rails-controller-testing (1.0.5) + actionpack (>= 5.0.1.rc1) + actionview (>= 5.0.1.rc1) + activesupport (>= 5.0.1.rc1) + rails-dom-testing (2.3.0) + activesupport (>= 5.0.0) + minitest + nokogiri (>= 1.6) + rails-html-sanitizer (1.6.2) + loofah (~> 2.21) + nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0) + railties (8.1.2) + actionpack (= 8.1.2) + activesupport (= 8.1.2) + irb (~> 1.13) + rackup (>= 1.0.0) + rake (>= 12.2) + thor (~> 1.0, >= 1.2.2) + tsort (>= 0.2) + zeitwerk (~> 2.6) + rake (13.3.1) + rdoc (7.1.0) + erb + psych (>= 4.0.0) + tsort + reline (0.6.3) + io-console (~> 0.5) + responders (3.2.0) + actionpack (>= 7.0) + railties (>= 7.0) + rexml (3.4.4) + ruby-openid (2.9.2) + ruby2_keywords (0.0.5) + securerandom (0.4.1) + snaky_hash (2.0.3) + hashie (>= 0.1.0, < 6) + version_gem (>= 1.1.8, < 3) + sqlite3 (2.9.0) + mini_portile2 (~> 2.8.0) + stringio (3.2.0) + thor (1.5.0) + timecop (0.9.10) + timeout (0.6.0) + tsort (0.2.0) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + uri (1.1.1) + useragent (0.16.11) + version_gem (1.1.9) + warden (1.2.9) + rack (>= 2.0.9) + webrat (0.7.3) nokogiri (>= 1.2.0) rack (>= 1.0) rack-test (>= 0.5.3) + websocket-driver (0.8.0) + base64 + websocket-extensions (>= 0.1.0) + websocket-extensions (0.1.5) + zeitwerk (2.7.4) PLATFORMS ruby DEPENDENCIES - activerecord-jdbc-adapter - activerecord-jdbcsqlite3-adapter - bson_ext (~> 1.3.0) devise! - jruby-openssl - mocha - mongo (~> 1.3.0) - mongoid (~> 2.0) - omniauth (~> 1.0.0) + minitest (< 6) + mocha (~> 2.1) + mongoid (~> 9.0)! + omniauth omniauth-facebook - omniauth-oauth2 (~> 1.0.0) - omniauth-openid (~> 1.0.1) - rails (~> 3.2.6) + omniauth-oauth2 + omniauth-openid + ostruct + rails (~> 8.1.0) + rails-controller-testing rdoc + responders (~> 3.1) + rexml sqlite3 - webrat (= 0.7.2) + timecop + webrat + +BUNDLED WITH + 4.0.3 diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md new file mode 100644 index 0000000000..445eedba53 --- /dev/null +++ b/ISSUE_TEMPLATE.md @@ -0,0 +1,20 @@ +## Pre-check + +- Do not use the issues tracker for help or support, try Stack Overflow. +- For bugs, do a quick search and make sure the bug has not yet been reported +- If you found a security bug, do not report it through GitHub. Please send an e-mail to heartcombo.oss@gmail.com instead. +- Finally, be nice and have fun! + +## Environment + +- Ruby **[version]** +- Rails **[version]** +- Devise **[version]** + +## Current behavior + +Include code samples, errors, steps to reproduce the error and stack traces if appropriate. + +Will be even more helpful if you provide a sample application or a test case that reproduces the error. + +## Expected behavior diff --git a/MIT-LICENSE b/MIT-LICENSE index fd1e181c9b..ad599708f3 100644 --- a/MIT-LICENSE +++ b/MIT-LICENSE @@ -1,4 +1,5 @@ -Copyright 2009-2012 Plataformatec. http://plataformatec.com.br +Copyright (c) 2020-CURRENT Rafael França, Carlos Antonio da Silva +Copyright (c) 2009-2019 Plataformatec Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the diff --git a/README.md b/README.md index 03d806c13e..426185e6d9 100644 --- a/README.md +++ b/README.md @@ -1,31 +1,63 @@ -*IMPORTANT:* Devise 2.1 is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.1 - -## Devise - -INFO: This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/). - -[](http://travis-ci.org/plataformatec/devise) [](https://codeclimate.com/github/plataformatec/devise) + Devise is a flexible authentication solution for Rails based on Warden. It: * Is Rack based; * Is a complete MVC solution based on Rails engines; -* Allows you to have multiple roles (or models/scopes) signed in at the same time; -* Is based on a modularity concept: use just what you really need. - -It's composed of 12 modules: - -* [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication. -* [Token Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable): signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication. -* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support; -* [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in. -* [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions. -* [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account. -* [Rememberable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie. -* [Trackable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Trackable): tracks sign in count, timestamps and IP address. -* [Timeoutable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Timeoutable): expires sessions that have no activity in a specified period of time. -* [Validatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations. -* [Lockable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period. +* Allows you to have multiple models signed in at the same time; +* Is based on a modularity concept: use only what you really need. + +It's composed of 10 modules: + +* [Database Authenticatable](https://www.rubydoc.info/gems/devise/Devise/Models/DatabaseAuthenticatable): hashes and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication. +* [Omniauthable](https://www.rubydoc.info/gems/devise/Devise/Models/Omniauthable): adds OmniAuth (https://github.com/omniauth/omniauth) support. +* [Confirmable](https://www.rubydoc.info/gems/devise/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in. +* [Recoverable](https://www.rubydoc.info/gems/devise/Devise/Models/Recoverable): resets the user password and sends reset instructions. +* [Registerable](https://www.rubydoc.info/gems/devise/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account. +* [Rememberable](https://www.rubydoc.info/gems/devise/Devise/Models/Rememberable): manages generating and clearing a token for remembering the user from a saved cookie. +* [Trackable](https://www.rubydoc.info/gems/devise/Devise/Models/Trackable): tracks sign in count, timestamps and IP address. +* [Timeoutable](https://www.rubydoc.info/gems/devise/Devise/Models/Timeoutable): expires sessions that have not been active in a specified period of time. +* [Validatable](https://www.rubydoc.info/gems/devise/Devise/Models/Validatable): provides validations of email and password. It's optional and can be customized, so you're able to define your own validations. +* [Lockable](https://www.rubydoc.info/gems/devise/Devise/Models/Lockable): locks an account after a specified number of failed sign-in attempts. Can unlock via email or after a specified time period. + +## Table of Contents + + + +- [Information](#information) + - [The Devise wiki](#the-devise-wiki) + - [Bug reports](#bug-reports) + - [StackOverflow and Mailing List](#stackoverflow-and-mailing-list) + - [RDocs](#rdocs) + - [Example applications](#example-applications) + - [Extensions](#extensions) + - [Supported Ruby / Rails versions](#supported-ruby--rails-versions) + - [Contributing](#contributing) +- [Starting with Rails?](#starting-with-rails) +- [Getting started](#getting-started) + - [Controller filters and helpers](#controller-filters-and-helpers) + - [Configuring Models](#configuring-models) + - [Strong Parameters](#strong-parameters) + - [Configuring views](#configuring-views) + - [Configuring controllers](#configuring-controllers) + - [Configuring routes](#configuring-routes) + - [I18n](#i18n) + - [Test helpers](#test-helpers) + - [Controller tests](#controller-tests) + - [Integration tests](#integration-tests) + - [OmniAuth](#omniauth) + - [Configuring multiple models](#configuring-multiple-models) + - [Active Job Integration](#active-job-integration) + - [Password reset tokens and Rails logs](#password-reset-tokens-and-rails-logs) + - [Other ORMs](#other-orms) + - [Rails API mode](#rails-api-mode) +- [Additional information](#additional-information) + - [Warden](#warden) +- [License](#license) + + + + ## Information @@ -33,93 +65,167 @@ It's composed of 12 modules: The Devise Wiki has lots of additional information about Devise including many "how-to" articles and answers to the most frequently asked questions. Please browse the Wiki after finishing this README: -https://wiki.github.com/plataformatec/devise +https://github.com/heartcombo/devise/wiki ### Bug reports If you discover a problem with Devise, we would like to know about it. However, we ask that you please review these guidelines before submitting a bug report: -https://github.com/plataformatec/devise/wiki/Bug-reports +https://github.com/heartcombo/devise/wiki/Bug-reports + +If you have discovered a security related bug, please do *NOT* use the GitHub issue tracker. Send an email to heartcombo.oss@gmail.com. + +### StackOverflow and Mailing List -If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to the maintainers listed at the bottom of the README. +If you have any questions, comments, or concerns, please use StackOverflow instead of the GitHub issue tracker: -### Mailing list +http://stackoverflow.com/questions/tagged/devise -If you have any questions, comments, or concerns, please use the Google Group instead of the GitHub issue tracker: +The deprecated mailing lists can still be read on: https://groups.google.com/group/plataformatec-devise +https://groups.google.com/group/heartcombo ### RDocs You can view the Devise documentation in RDoc format here: -http://rubydoc.info/github/plataformatec/devise/master/frames +http://rubydoc.info/github/heartcombo/devise/main/frames -If you need to use Devise with Rails 2.3, you can always run "gem server" from the command line after you install the gem to access the old documentation. +If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation. ### Example applications There are a few example applications available on GitHub that demonstrate various features of Devise with different versions of Rails. You can view them here: -https://github.com/plataformatec/devise/wiki/Example-Applications +https://github.com/heartcombo/devise/wiki/Example-Applications ### Extensions Our community has created a number of extensions that add functionality above and beyond what is included with Devise. You can view a list of available extensions and add your own here: -https://github.com/plataformatec/devise/wiki/Extensions +https://github.com/heartcombo/devise/wiki/Extensions + +### Supported Ruby / Rails versions + +We intend to maintain support for all Ruby / Rails versions that haven't reached end-of-life. + +For more information about specific versions please check [Ruby](https://www.ruby-lang.org/en/downloads/branches/) +and [Rails](https://guides.rubyonrails.org/maintenance_policy.html) maintenance policies, and our test matrix. ### Contributing We hope that you will consider contributing to Devise. Please read this short overview for some information about how to get started: -https://github.com/plataformatec/devise/wiki/Contributing +https://github.com/heartcombo/devise/wiki/Contributing + +You will usually want to write tests for your changes. To run the test suite, go into Devise's top-level directory and run `bundle install` and `bin/test`. +Devise works with multiple Ruby and Rails versions, and ActiveRecord and Mongoid ORMs, which means you can run the test suite with some modifiers: `DEVISE_ORM` and `BUNDLE_GEMFILE`. + +#### DEVISE_ORM +Since Devise supports both Mongoid and ActiveRecord, we rely on this variable to run specific code for each ORM. +The default value of `DEVISE_ORM` is `active_record`. To run the tests for Mongoid, you can pass `mongoid`: +``` +DEVISE_ORM=mongoid bin/test + +==> Devise.orm = :mongoid +``` +When running the tests for Mongoid, you will need to have a MongoDB server (version 2.0 or newer) running on your system. + +Please note that the command output will show the variable value being used. + +#### BUNDLE_GEMFILE +We can use this variable to tell bundler what Gemfile it should use (instead of the one in the current directory). +Inside the [gemfiles](https://github.com/heartcombo/devise/tree/main/gemfiles) directory, we have one for each version of Rails we support. When you send us a pull request, it may happen that the test suite breaks using some of them. If that's the case, you can simulate the same environment using the `BUNDLE_GEMFILE` variable. +For example, if the tests broke using Ruby 3.4 and Rails 8.0, you can do the following: +```bash +chruby 3.4.0 # or rbenv shell 3.4.0, or rvm use 3.4.0, etc. +BUNDLE_GEMFILE=gemfiles/Gemfile-rails-8-0 bundle install +BUNDLE_GEMFILE=gemfiles/Gemfile-rails-8-0 bin/test +``` -You will usually want to write tests for your changes. To run the test suite, go into Devise's top-level directory and run "bundle install" and "rake". For the tests to pass, you will need to have a MongoDB server (version 2.0 or newer) running on your system. +You can also combine both of them if the tests broke for Mongoid: +```bash +BUNDLE_GEMFILE=gemfiles/Gemfile-rails-8-0 bundle install +BUNDLE_GEMFILE=gemfiles/Gemfile-rails-8-0 DEVISE_ORM=mongoid bin/test +``` + +### Running tests +Devise uses [Mini Test](https://github.com/seattlerb/minitest) as test framework. + +* Running all tests: +```bash +bin/test +``` + +* Running tests for an specific file: +```bash +bin/test test/models/trackable_test.rb +``` + +* Running a specific test given a line number or a regex: +```bash +bin/test test/models/trackable_test.rb:16 +bin/test test/models/trackable_test.rb -n '/update.*record/' +``` ## Starting with Rails? -If you are building your first Rails application, we recommend you to *not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch, today we have two resources: +If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Here's a few resources that should help you get started: -* Michael Hartl's online book: http://railstutorial.org/chapters/modeling-and-viewing-users-two#top -* Ryan Bates' Railscast: http://railscasts.com/episodes/250-authentication-from-scratch +* Michael Hartl's online book: https://www.railstutorial.org/book/modeling_users +* Ryan Bates' Railscasts: http://railscasts.com/episodes/250-authentication-from-scratch and http://railscasts.com/episodes/250-authentication-from-scratch-revised +* Codecademy's Ruby on Rails: Authentication and Authorization: https://www.codecademy.com/learn/rails-auth -Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :) +Once you have solidified your understanding of Rails and authentication mechanisms, we assure you Devise will be very pleasant to work with. :smiley: ## Getting started -Devise 2.0 works with Rails 3.1 onwards. You can add it to your Gemfile with: +Devise 5 works with Rails 7 onwards. Run: -```ruby -gem 'devise' +```sh +bundle add devise ``` -Run the bundle command to install it. - -After you install Devise and add it to your Gemfile, you need to run the generator: +Next, you need to run the generator: ```console rails generate devise:install ``` -The generator will install an initializer which describes ALL Devise's configuration options and you MUST take a look at it. When you are done, you are ready to add Devise to any of your models using the generator: +At this point, a number of instructions will appear in the console. Among these instructions, you'll need to set up the default URL options for the Devise mailer in each environment. Here is a possible configuration for `config/environments/development.rb`: + +```ruby +config.action_mailer.default_url_options = { host: 'localhost', port: 3000 } +``` + +The generator will install an initializer which describes ALL of Devise's configuration options. It is *imperative* that you take a look at it. When you are done, you are ready to add Devise to any of your models using the generator. + + +In the following command you will replace `MODEL` with the class name used for the application’s users (it’s frequently `User` but could also be `Admin`). This will create a model (if one does not exist) and configure it with the default Devise modules. The generator also configures your `config/routes.rb` file to point to the Devise controller. ```console rails generate devise MODEL ``` -Replace MODEL by the class name used for the applications users, it's frequently 'User' but could also be 'Admin'. This will create a model (if one does not exist) and configure it with default Devise modules. Next, you'll usually run "rake db:migrate" as the generator will have created a migration file (if your ORM supports them). This generator also configures your config/routes.rb file to point to Devise controller. +Next, check the MODEL for any additional configuration options you might want to add, such as confirmable or lockable. If you add an option, be sure to inspect the migration file (created by the generator if your ORM supports them) and uncomment the appropriate section. For example, if you add the confirmable option in the model, you'll need to uncomment the Confirmable section in the migration. + +Then run `rails db:migrate` -Note that you should re-start your app here if you've already started it. Otherwise you'll run into strange errors like users being unable to login and the route helpers being undefined. +You should restart your application after changing Devise's configuration options (this includes stopping spring). Otherwise, you will run into strange errors, for example, users being unable to login and route helpers being undefined. ### Controller filters and helpers -Devise will create some helpers to use inside your controllers and views. To set up a controller with user authentication, just add this before_filter: +Devise will create some helpers to use inside your controllers and views. To set up a controller with user authentication, just add this before_action (assuming your devise model is 'User'): ```ruby -before_filter :authenticate_user! +before_action :authenticate_user! ``` +For Rails 5, note that `protect_from_forgery` is no longer prepended to the `before_action` chain, so if you have set `authenticate_user` before `protect_from_forgery`, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use `protect_from_forgery prepend: true`. + +If your devise model is something other than User, replace "_user" with "_yourmodel". The same logic applies to the instructions below. + To verify if a user is signed in, use the following helper: ```ruby @@ -138,24 +244,18 @@ You can access the session for this scope: user_session ``` -After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use `user_root_path` if it exists, otherwise default `root_path` will be used. This means that you need to set the root inside your routes: +After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect to. For instance, when using a `:user` resource, the `user_root_path` will be used if it exists; otherwise, the default `root_path` will be used. This means that you need to set the root inside your routes: ```ruby -root :to => "home#index" +root to: 'home#index' ``` -You can also overwrite `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks. - -Finally, you need to set up default url options for the mailer in each environment. Here is the configuration for "config/environments/development.rb": - -```ruby -config.action_mailer.default_url_options = { :host => 'localhost:3000' } -``` +You can also override `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks. -Notice that if your devise model is not called "user" but "member", then the helpers you should use are: +Notice that if your Devise model is called `Member` instead of `User`, for example, then the helpers available are: ```ruby -before_filter :authenticate_member! +before_action :authenticate_member! member_signed_in? @@ -166,42 +266,109 @@ member_session ### Configuring Models -The devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the encryption algorithm with: +The Devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the hashing algorithm with: ```ruby -devise :database_authenticatable, :registerable, :confirmable, :recoverable, :stretches => 20 +devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 13 ``` -Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :remember_for, :timeout_in, :unlock_in and other values. For details, see the initializer file that was created when you invoked the "devise:install" generator described above. +Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above. This file is usually located at `/config/initializers/devise.rb`. -### Configuring multiple models +### Strong Parameters + +The Parameter Sanitizer API has changed for Devise 4 :warning: + +*For previous Devise versions see https://github.com/heartcombo/devise/tree/3-stable#strong-parameters* + +When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well. + +There are just three actions in Devise that allow any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and default permitted parameters are: + +* `sign_in` (`Devise::SessionsController#create`) - Permits only the authentication keys (like `email`) +* `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation` +* `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password` -Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps: +In case you want to permit additional parameters (the lazy way™), you can do so using a simple before action in your `ApplicationController`: ```ruby -# Create a migration with the required fields -create_table :admins do |t| - t.string :email - t.string :encrypted_password - t.timestamps +class ApplicationController < ActionController::Base + before_action :configure_permitted_parameters, if: :devise_controller? + + protected + + def configure_permitted_parameters + devise_parameter_sanitizer.permit(:sign_up, keys: [:username]) + end end +``` -# Inside your Admin model -devise :database_authenticatable, :timeoutable +The above works for any additional fields where the parameters are simple scalar types. If you have nested attributes (say you're using `accepts_nested_attributes_for`), then you will need to tell devise about those nestings and types: -# Inside your routes -devise_for :admins +```ruby +class ApplicationController < ActionController::Base + before_action :configure_permitted_parameters, if: :devise_controller? -# Inside your protected controller -before_filter :authenticate_admin! + protected -# Inside your controllers and views -admin_signed_in? -current_admin -admin_session + def configure_permitted_parameters + devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name, address_attributes: [:country, :state, :city, :area, :postal_code]]) + end +end +``` + +Devise allows you to completely change Devise defaults or invoke custom behavior by passing a block: + +To permit simple scalar values for username and email, use this + +```ruby +def configure_permitted_parameters + devise_parameter_sanitizer.permit(:sign_in) do |user_params| + user_params.permit(:username, :email) + end +end +``` + +If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters' permitted scalars, so we need to configure Devise in the following way: + +```ruby +def configure_permitted_parameters + devise_parameter_sanitizer.permit(:sign_up) do |user_params| + user_params.permit({ roles: [] }, :email, :password, :password_confirmation) + end +end +``` +For the list of permitted scalars, and how to declare permitted keys in nested hashes and arrays, see + +https://github.com/rails/strong_parameters#nested-parameters + +If you have multiple Devise models, you may want to set up a different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and adding your own logic: + +```ruby +class User::ParameterSanitizer < Devise::ParameterSanitizer + def initialize(*) + super + permit(:sign_up, keys: [:username, :email]) + end +end ``` -On the other hand, you can simply run the generator! +And then configure your controllers to use it: + +```ruby +class ApplicationController < ActionController::Base + protected + + def devise_parameter_sanitizer + if resource_class == User + User::ParameterSanitizer.new(User, :user, params) + else + super # Use the default one + end + end +end +``` + +The example above overrides the permitted parameters for the user to be both `:username` and `:email`. The non-lazy way to configure parameters would be by defining the before filter above in a custom controller. We detail how to configure and customize controllers in some sections below. ### Configuring views @@ -213,58 +380,141 @@ Since Devise is an engine, all its views are packaged inside the gem. These view rails generate devise:views ``` -If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb". +If you have more than one Devise model in your application (such as `User` and `Admin`), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set `config.scoped_views = true` inside the `config/initializers/devise.rb` file. -After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views: +After doing so, you will be able to have views based on the role like `users/sessions/new` and `admins/sessions/new`. If no view is found within the scope, Devise will use the default view at `devise/sessions/new`. You can also use the generator to generate scoped views: ```console rails generate devise:views users ``` +If you would like to generate only a few sets of views, like the ones for the `registerable` and `confirmable` module, +you can pass a list of views to the generator with the `-v` flag. + +```console +rails generate devise:views -v registrations confirmations +``` + ### Configuring controllers If the customization at the views level is not enough, you can customize each controller by following these steps: -1) Create your custom controller, for example a Admins::SessionsController: +1. Create your custom controllers using the generator which requires a scope: -```ruby -class Admins::SessionsController < Devise::SessionsController -end -``` + ```console + rails generate devise:controllers [scope] + ``` -2) Tell the router to use this controller: + If you specify `users` as the scope, controllers will be created in `app/controllers/users/`. + And the sessions controller will look like this: -```ruby -devise_for :admins, :controllers => { :sessions => "admins/sessions" } -``` + ```ruby + class Users::SessionsController < Devise::SessionsController + # GET /resource/sign_in + # def new + # super + # end + ... + end + ``` + Use the `-c` flag to specify one or more controllers, for example: `rails generate devise:controllers users -c sessions` + +2. Tell the router to use this controller: + + ```ruby + devise_for :users, controllers: { sessions: 'users/sessions' } + ``` + +3. Recommended but not required: copy (or move) the views from `devise/sessions` to `users/sessions`. Rails will continue using the views from `devise/sessions` due to inheritance if you skip this step, but having the views matching the controller(s) keeps things consistent. + +4. Finally, change or extend the desired controller actions. + + You can completely override a controller action: + + ```ruby + class Users::SessionsController < Devise::SessionsController + def create + # custom sign-in code + end + end + ``` + + Or you can simply add new behavior to it: -3) And since we changed the controller, it won't use the "devise/sessions" views, so remember to copy "devise/sessions" to "admin/sessions". + ```ruby + class Users::SessionsController < Devise::SessionsController + def create + super do |resource| + BackgroundWorker.trigger(resource) + end + end + end + ``` -Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call "flash[:notice]" and "flash[:alert]" as appropriate. Do not print the entire flash hash, print specific keys or at least remove the `:timedout` key from the hash as Devise adds this key in some circumstances, this key is not meant for display. + This is useful for triggering background jobs or logging events during certain actions. + +Remember that Devise uses flash messages to let users know if sign in was successful or unsuccessful. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash. ### Configuring routes Devise also ships with default routes. If you need to customize them, you should probably be able to do it through the devise_for method. It accepts several options like :class_name, :path_prefix and so on, including the possibility to change path names for I18n: ```ruby -devise_for :users, :path => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock', :registration => 'register', :sign_up => 'cmon_let_me_in' } +devise_for :users, path: 'auth', path_names: { sign_in: 'login', sign_out: 'logout', password: 'secret', confirmation: 'verification', unlock: 'unblock', registration: 'register', sign_up: 'cmon_let_me_in' } ``` -Be sure to check `devise_for` documentation for details. +Be sure to check `devise_for` [documentation](https://www.rubydoc.info/gems/devise/ActionDispatch/Routing/Mapper#devise_for-instance_method) for details. -If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is to create your routes normally and wrap them in a `devise_scope` block in the router: +If you have the need for more deep customization, for instance to also allow "/sign_in" besides "/users/sign_in", all you need to do is create your routes normally and wrap them in a `devise_scope` block in the router: ```ruby devise_scope :user do - get "sign_in", :to => "devise/sessions#new" + get 'sign_in', to: 'devise/sessions#new' end ``` -This way you tell devise to use the scope :user when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router. +This way, you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router. + +Please note: You will still need to add `devise_for` in your routes in order to use helper methods such as `current_user`. + +```ruby +devise_for :users, skip: :all +``` + +### Hotwire/Turbo + +Devise integrates with Hotwire/Turbo by treating such requests as navigational, and configuring certain responses for errors and redirects to match the expected behavior. New apps are generated with the following response configuration by default, and existing apps may opt-in by adding the config to their Devise initializers: + +```ruby +Devise.setup do |config| + # ... + # When using Devise with Hotwire/Turbo, the http status for error responses + # and some redirects must match the following. The default in Devise for existing + # apps is `200 OK` and `302 Found` respectively, but new apps are generated with + # these new defaults that match Hotwire/Turbo behavior. + # Note: These might become the new default in future versions of Devise. + config.responder.error_status = :unprocessable_content # for Rack 3.1 or higher + # config.responder.error_status = :unprocessable_entity # for Rack 3.0 or lower + config.responder.redirect_status = :see_other +end +``` + +**Important**: these custom responses require the `responders` gem version to be `3.1.0` or higher, please make sure you update it if you're going to use this configuration. Check [this upgrade guide](https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-[Hotwire-Turbo-integration]) for more info. + +_Note_: the above statuses configuration may become the default for Devise in a future release. + +There are a couple other changes you might need to make in your app to work with Hotwire/Turbo, if you're migrating from rails-ujs: + +* The `data-confirm` option that adds a confirmation modal to buttons/forms before submission needs to change to `data-turbo-confirm`, so that Turbo handles those appropriately. +* The `data-method` option that sets the request method for link submissions needs to change to `data-turbo-method`. This is not necessary for `button_to` or `form`s since Turbo can handle those. + +If you're setting up Devise to sign out via `:delete`, and you're using links (instead of buttons wrapped in a form) to sign out with the `method: :delete` option, they will need to be updated as described above. (Devise does not provide sign out links/buttons in its shared views.) + +Make sure to inspect your views looking for those, and change appropriately. ### I18n -Devise uses flash messages with I18n with the flash keys :notice and :alert. To customize your app, you can set up your locale file: +Devise uses flash messages with I18n, in conjunction with the flash keys :notice and :alert. To customize your app, you can set up your locale file: ```yaml en: @@ -300,91 +550,227 @@ en: Take a look at our locale file to check all available messages. You may also be interested in one of the many translations that are available on our wiki: -https://github.com/plataformatec/devise/wiki/I18n +https://github.com/heartcombo/devise/wiki/I18n + +Caution: Devise Controllers inherit from ApplicationController. If your app uses multiple locales, you should be sure to set I18n.locale in ApplicationController. ### Test helpers -Devise includes some tests helpers for functional specs. In order to use them, you need to include Devise in your functional tests by adding the following to the bottom of your `test/test_helper.rb` file: +Devise includes some test helpers for controller and integration tests. +In order to use them, you need to include the respective module in your test +cases/specs. + +### Controller tests + +Controller tests require that you include `Devise::Test::IntegrationHelpers` on +your test case or its parent `ActionController::TestCase` superclass. +For Rails versions prior to 5, include `Devise::Test::ControllerHelpers` instead, since the superclass +for controller tests was changed to ActionDispatch::IntegrationTest +(for more details, see the [Integration tests](#integration-tests) section). ```ruby -class ActionController::TestCase - include Devise::TestHelpers +class PostsControllerTest < ActionController::TestCase + include Devise::Test::IntegrationHelpers # Rails >= 5 end ``` -If you're using RSpec, you can put the following inside a file named `spec/support/devise.rb`: +```ruby +class PostsControllerTest < ActionController::TestCase + include Devise::Test::ControllerHelpers # Rails < 5 +end +``` + +If you're using RSpec, you can put the following inside a file named +`spec/support/devise.rb` or in your `spec/spec_helper.rb` (or +`spec/rails_helper.rb` if you are using `rspec-rails`): ```ruby RSpec.configure do |config| - config.include Devise::TestHelpers, :type => :controller + config.include Devise::Test::ControllerHelpers, type: :controller + config.include Devise::Test::ControllerHelpers, type: :view end ``` -Now you are ready to use the `sign_in` and `sign_out` methods. Such methods have the same signature as in controllers: +Just be sure that this inclusion is made *after* the `require 'rspec/rails'` directive. + +Now you are ready to use the `sign_in` and `sign_out` methods on your controller +tests: ```ruby -sign_in :user, @user # sign_in(scope, resource) -sign_in @user # sign_in(resource) +sign_in @user +sign_in @user, scope: :admin +``` -sign_out :user # sign_out(scope) -sign_out @user # sign_out(resource) +If you are testing Devise internal controllers or a controller that inherits +from Devise's, you need to tell Devise which mapping should be used before a +request. This is necessary because Devise gets this information from the router, +but since controller tests do not pass through the router, it needs to be stated +explicitly. For example, if you are testing the user scope, simply use: + +```ruby +test 'GET new' do + # Mimic the router behavior of setting the Devise scope through the env. + @request.env['devise.mapping'] = Devise.mappings[:user] + + # Use the sign_in helper to sign in a fixture `User` record. + sign_in users(:alice) + + get :new + + # assert something +end ``` -There are two things that is important to keep in mind: +### Integration tests -1) These helpers are not going to work for integration tests driven by Capybara or Webrat. They are meant to be used with functional tests only. Instead, fill in the form or explicitly set the user in session; +Integration test helpers are available by including the +`Devise::Test::IntegrationHelpers` module. -2) If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from router, but since functional tests do not pass through the router, it needs to be told explicitly. For example, if you are testing the user scope, simply do: +```ruby +class PostsTests < ActionDispatch::IntegrationTest + include Devise::Test::IntegrationHelpers +end +``` - @request.env["devise.mapping"] = Devise.mappings[:user] - get :new +Now you can use the following `sign_in` and `sign_out` methods in your integration +tests: -### Omniauth +```ruby +sign_in users(:bob) +sign_in users(:bob), scope: :admin -Devise comes with Omniauth support out of the box to authenticate from other providers. You can read more about Omniauth support in the wiki: +sign_out :user +``` -* https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview +RSpec users can include the `IntegrationHelpers` module on their `:feature` specs. -### Other ORMs +```ruby +RSpec.configure do |config| + config.include Devise::Test::IntegrationHelpers, type: :feature +end +``` + +Unlike controller tests, integration tests do not need to supply the +`devise.mapping` `env` value, as the mapping can be inferred by the routes that +are executed in your tests. + +You can read more about testing your Rails controllers with RSpec in the wiki: + +* https://github.com/heartcombo/devise/wiki/How-To:-Test-controllers-with-Rails-(and-RSpec) -Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file. +### OmniAuth -### Migrating from other solutions +Devise comes with OmniAuth support out of the box to authenticate with other providers. To use it, simply specify your OmniAuth configuration in `config/initializers/devise.rb`: -Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of these strategies, you need set the desired encryptor in the encryptor initializer config option and add :encryptable to your model. You might also need to rename your encrypted password and salt columns to match Devise's fields (encrypted_password and password_salt). +```ruby +config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo' +``` + +You can read more about OmniAuth support in the wiki: -## Troubleshooting +* https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview -### Heroku +### Configuring multiple models -Using devise on Heroku with Ruby on Rails 3.1 requires setting: +Devise allows you to set up as many Devise models as you want. If you want to have an Admin model with just authentication and timeout features, in addition to the User model above, just run: ```ruby -config.assets.initialize_on_precompile = false +# Create a migration with the required fields +create_table :admins do |t| + t.string :email + t.string :encrypted_password + t.timestamps null: false +end + +# Inside your Admin model +devise :database_authenticatable, :timeoutable + +# Inside your routes +devise_for :admins + +# Inside your protected controller +before_action :authenticate_admin! + +# Inside your controllers and views +admin_signed_in? +current_admin +admin_session ``` -Read more about the potential issues at http://guides.rubyonrails.org/asset_pipeline.html +Alternatively, you can simply run the Devise generator. -## Additional information +Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend that you use a role-based approach, by either providing a role column or using a dedicated gem for authorization. -### Warden +### Active Job Integration -Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here: +If you are using Active Job to deliver Action Mailer messages in the +background through a queuing back-end, you can send Devise emails through your +existing queue by overriding the `send_devise_notification` method in your model. + +```ruby +def send_devise_notification(notification, *args) + devise_mailer.send(notification, self, *args).deliver_later +end +``` + +### Password reset tokens and Rails logs + +If you enable the [Recoverable](https://www.rubydoc.info/gems/devise/Devise/Models/Recoverable) module, note that a stolen password reset token could give an attacker access to your application. Devise takes effort to generate random, secure tokens, and stores only token digests in the database, never plaintext. However the default logging behavior in Rails can cause plaintext tokens to leak into log files: -https://github.com/hassox/warden +1. Action Mailer logs the entire contents of all outgoing emails to the DEBUG level. Password reset tokens delivered to users in email will be leaked. +2. Active Job logs all arguments to every enqueued job at the INFO level. If you configure Devise to use `deliver_later` to send password reset emails, password reset tokens will be leaked. -### Contributors +Rails sets the production logger level to INFO by default. Consider changing your production logger level to WARN if you wish to prevent tokens from being leaked into your logs. In `config/environments/production.rb`: -We have a long list of valued contributors. Check them all at: +```ruby +config.log_level = :warn +``` + + +### Other ORMs + +Devise supports ActiveRecord (default) and Mongoid. To select another ORM, simply require it in the initializer file. + +### Rails API Mode -https://github.com/plataformatec/devise/contributors +Rails 5+ has a built-in [API Mode](https://edgeguides.rubyonrails.org/api_app.html) which optimizes Rails for use as an API (only). Devise is _somewhat_ able to handle applications that are built in this mode without additional modifications in the sense that it should not raise exceptions and the like. But some issues may still arise during `development`/`testing`, as we still don't know the full extent of this compatibility. (For more information, see [issue #4947](https://github.com/heartcombo/devise/issues/4947/)) -### Maintainers +#### Supported Authentication Strategies +API-only applications don't support browser-based authentication via cookies, which is devise's default. Yet, devise can still provide authentication out of the box in those cases with the `http_authenticatable` strategy, which uses HTTP Basic Auth and authenticates the user on each request. (For more info, see this wiki article for [How To: Use HTTP Basic Authentication](https://github.com/heartcombo/devise/wiki/How-To:-Use-HTTP-Basic-Authentication)) -* José Valim (https://github.com/josevalim) -* Carlos Antônio da Silva (https://github.com/carlosantoniodasilva) -* Rodrigo Flores (https://github.com/rodrigoflores) +The devise default for HTTP Auth is disabled, so it will need to be enabled in the devise initializer for the database strategy: + +```ruby +config.http_authenticatable = [:database] +``` + +This restriction does not limit you from implementing custom warden strategies, either in your application or via gem-based extensions for devise. +A common authentication strategy for APIs is token-based authentication. For more information on extending devise to support this type of authentication and others, see the wiki article for [Simple Token Authentication Examples and alternatives](https://github.com/heartcombo/devise/wiki/How-To:-Simple-Token-Authentication-Example#alternatives) or this blog post on [Custom authentication methods with Devise](http://blog.plataformatec.com.br/2019/01/custom-authentication-methods-with-devise/). + +#### Testing +API Mode changes the order of the middleware stack, and this can cause problems for `Devise::Test::IntegrationHelpers`. This problem usually surfaces as an ```undefined method `[]=' for nil:NilClass``` error when using integration test helpers, such as `#sign_in`. The solution is simply to reorder the middlewares by adding the following to test.rb: + +```ruby +Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Cookies +Rails.application.config.middleware.insert_before Warden::Manager, ActionDispatch::Session::CookieStore +``` + +For a deeper understanding of this, review [this issue](https://github.com/heartcombo/devise/issues/4696). + +Additionally be mindful that without views supported, some email-based flows from Confirmable, Recoverable and Lockable are not supported directly at this time. + +## Additional information + +### Warden + +Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here: + +https://github.com/wardencommunity/warden ## License -MIT License. Copyright 2012 Plataformatec. http://plataformatec.com.br +MIT License. +Copyright 2020-CURRENT Rafael França, Carlos Antonio da Silva. +Copyright 2009-2019 Plataformatec. + +The Devise logo is licensed under [Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License](https://creativecommons.org/licenses/by-nc-nd/4.0/). diff --git a/Rakefile b/Rakefile index 8a0ac62459..6e2ab1802a 100644 --- a/Rakefile +++ b/Rakefile @@ -1,10 +1,12 @@ # encoding: UTF-8 -require "bundler/gem_tasks" +# frozen_string_literal: true + +require 'bundler/gem_tasks' require 'rake/testtask' require 'rdoc/task' desc 'Default: run tests for all ORMs.' -task :default => :test +task default: :test desc 'Run Devise tests for all ORMs.' task :pre_commit do @@ -22,6 +24,7 @@ Rake::TestTask.new(:test) do |t| t.libs << 'test' t.pattern = 'test/**/*_test.rb' t.verbose = true + t.warning = false end desc 'Generate documentation for Devise.' diff --git a/app/controllers/devise/confirmations_controller.rb b/app/controllers/devise/confirmations_controller.rb index 68014c92bd..39ff669be7 100644 --- a/app/controllers/devise/confirmations_controller.rb +++ b/app/controllers/devise/confirmations_controller.rb @@ -1,15 +1,18 @@ +# frozen_string_literal: true + class Devise::ConfirmationsController < DeviseController # GET /resource/confirmation/new def new - build_resource({}) + self.resource = resource_class.new end # POST /resource/confirmation def create self.resource = resource_class.send_confirmation_instructions(resource_params) + yield resource if block_given? if successfully_sent?(resource) - respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name)) + respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name)) else respond_with(resource) end @@ -18,13 +21,14 @@ def create # GET /resource/confirmation?confirmation_token=abcdef def show self.resource = resource_class.confirm_by_token(params[:confirmation_token]) + yield resource if block_given? if resource.errors.empty? - set_flash_message(:notice, :confirmed) if is_navigational_format? - sign_in(resource_name, resource) + set_flash_message!(:notice, :confirmed) respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) } else - respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new } + # TODO: use `error_status` when the default changes to `:unprocessable_entity` / `:unprocessable_content`. + respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new } end end @@ -32,12 +36,19 @@ def show # The path used after resending confirmation instructions. def after_resending_confirmation_instructions_path_for(resource_name) - new_session_path(resource_name) + is_navigational_format? ? new_session_path(resource_name) : '/' end # The path used after confirmation. def after_confirmation_path_for(resource_name, resource) - after_sign_in_path_for(resource) + if signed_in?(resource_name) + signed_in_root_path(resource) + else + new_session_path(resource_name) + end end + def translation_scope + 'devise.confirmations' + end end diff --git a/app/controllers/devise/omniauth_callbacks_controller.rb b/app/controllers/devise/omniauth_callbacks_controller.rb index 14b5ee1c5c..a9a2c30ea7 100644 --- a/app/controllers/devise/omniauth_callbacks_controller.rb +++ b/app/controllers/devise/omniauth_callbacks_controller.rb @@ -1,30 +1,36 @@ +# frozen_string_literal: true + class Devise::OmniauthCallbacksController < DeviseController - prepend_before_filter { request.env["devise.skip_timeout"] = true } + prepend_before_action { request.env["devise.skip_timeout"] = true } def passthru - render :status => 404, :text => "Not found. Authentication passthru." + render status: 404, plain: "Not found. Authentication passthru." end def failure - set_flash_message :alert, :failure, :kind => OmniAuth::Utils.camelize(failed_strategy.name), :reason => failure_message + set_flash_message! :alert, :failure, kind: OmniAuth::Utils.camelize(failed_strategy.name), reason: failure_message redirect_to after_omniauth_failure_path_for(resource_name) end protected def failed_strategy - env["omniauth.error.strategy"] + request.respond_to?(:get_header) ? request.get_header("omniauth.error.strategy") : request.env["omniauth.error.strategy"] end def failure_message - exception = env["omniauth.error"] + exception = request.respond_to?(:get_header) ? request.get_header("omniauth.error") : request.env["omniauth.error"] error = exception.error_reason if exception.respond_to?(:error_reason) error ||= exception.error if exception.respond_to?(:error) - error ||= env["omniauth.error.type"].to_s + error ||= (request.respond_to?(:get_header) ? request.get_header("omniauth.error.type") : request.env["omniauth.error.type"]).to_s error.to_s.humanize if error end def after_omniauth_failure_path_for(scope) new_session_path(scope) end + + def translation_scope + 'devise.omniauth_callbacks' + end end diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb index 46b323d23c..3af1f864b7 100644 --- a/app/controllers/devise/passwords_controller.rb +++ b/app/controllers/devise/passwords_controller.rb @@ -1,19 +1,22 @@ +# frozen_string_literal: true + class Devise::PasswordsController < DeviseController - prepend_before_filter :require_no_authentication + prepend_before_action :require_no_authentication # Render the #edit only if coming from a reset password email link - append_before_filter :assert_reset_token_passed, :only => :edit + append_before_action :assert_reset_token_passed, only: :edit # GET /resource/password/new def new - build_resource({}) + self.resource = resource_class.new end # POST /resource/password def create self.resource = resource_class.send_reset_password_instructions(resource_params) + yield resource if block_given? if successfully_sent?(resource) - respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name)) + respond_with({}, location: after_sending_reset_password_instructions_path_for(resource_name)) else respond_with(resource) end @@ -22,35 +25,59 @@ def create # GET /resource/password/edit?reset_password_token=abcdef def edit self.resource = resource_class.new + set_minimum_password_length resource.reset_password_token = params[:reset_password_token] end # PUT /resource/password def update self.resource = resource_class.reset_password_by_token(resource_params) + yield resource if block_given? if resource.errors.empty? - flash_message = resource.active_for_authentication? ? :updated : :updated_not_active - set_flash_message(:notice, flash_message) if is_navigational_format? - sign_in(resource_name, resource) - respond_with resource, :location => after_sign_in_path_for(resource) + resource.unlock_access! if unlockable?(resource) + if resource_class.sign_in_after_reset_password + flash_message = resource.active_for_authentication? ? :updated : :updated_not_active + set_flash_message!(:notice, flash_message) + resource.after_database_authentication + sign_in(resource_name, resource) + else + set_flash_message!(:notice, :updated_not_active) + end + respond_with resource, location: after_resetting_password_path_for(resource) else + set_minimum_password_length respond_with resource end end protected + def after_resetting_password_path_for(resource) + resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name) + end # The path used after sending reset password instructions def after_sending_reset_password_instructions_path_for(resource_name) - new_session_path(resource_name) + new_session_path(resource_name) if is_navigational_format? end # Check if a reset_password_token is provided in the request def assert_reset_token_passed if params[:reset_password_token].blank? - set_flash_message(:error, :no_token) + set_flash_message(:alert, :no_token) redirect_to new_session_path(resource_name) end end + + # Check if proper Lockable module methods are present & unlock strategy + # allows to unlock resource on password reset + def unlockable?(resource) + resource.respond_to?(:unlock_access!) && + resource.respond_to?(:unlock_strategy_enabled?) && + resource.unlock_strategy_enabled?(:email) + end + + def translation_scope + 'devise.passwords' + end end diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb index 6c0ede94d2..f1292b4d90 100644 --- a/app/controllers/devise/registrations_controller.rb +++ b/app/controllers/devise/registrations_controller.rb @@ -1,29 +1,36 @@ +# frozen_string_literal: true + class Devise::RegistrationsController < DeviseController - prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ] - prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy] + prepend_before_action :require_no_authentication, only: [:new, :create, :cancel] + prepend_before_action :authenticate_scope!, only: [:edit, :update, :destroy] + prepend_before_action :set_minimum_password_length, only: [:new, :edit] # GET /resource/sign_up def new - resource = build_resource({}) + build_resource + yield resource if block_given? respond_with resource end # POST /resource def create - build_resource + build_resource(sign_up_params) - if resource.save + resource.save + yield resource if block_given? + if resource.persisted? if resource.active_for_authentication? - set_flash_message :notice, :signed_up if is_navigational_format? - sign_in(resource_name, resource) - respond_with resource, :location => after_sign_up_path_for(resource) + set_flash_message! :notice, :signed_up + sign_up(resource_name, resource) + respond_with resource, location: after_sign_up_path_for(resource) else - set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format? - expire_session_data_after_sign_in! - respond_with resource, :location => after_inactive_sign_up_path_for(resource) + set_flash_message! :notice, :"signed_up_but_#{resource.inactive_message}" + expire_data_after_sign_in! + respond_with resource, location: after_inactive_sign_up_path_for(resource) end else clean_up_passwords resource + set_minimum_password_length respond_with resource end end @@ -40,16 +47,16 @@ def update self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key) prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email) - if resource.update_with_password(resource_params) - if is_navigational_format? - flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ? - :update_needs_confirmation : :updated - set_flash_message :notice, flash_key - end - sign_in resource_name, resource, :bypass => true - respond_with resource, :location => after_update_path_for(resource) + resource_updated = update_resource(resource, account_update_params) + yield resource if block_given? + if resource_updated + set_flash_message_for_update(resource, prev_unconfirmed_email) + bypass_sign_in resource, scope: resource_name if sign_in_after_change_password? + + respond_with resource, location: after_update_path_for(resource) else clean_up_passwords resource + set_minimum_password_length respond_with resource end end @@ -58,8 +65,9 @@ def update def destroy resource.destroy Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name) - set_flash_message :notice, :destroyed if is_navigational_format? - respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) } + set_flash_message! :notice, :destroyed + yield resource if block_given? + respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name), status: Devise.responder.redirect_status } end # GET /resource/cancel @@ -68,7 +76,7 @@ def destroy # cancel oauth signing in/up in the middle of the process, # removing all OAuth session data. def cancel - expire_session_data_after_sign_in! + expire_data_after_sign_in! redirect_to new_registration_path(resource_name) end @@ -80,34 +88,81 @@ def update_needs_confirmation?(resource, previous) previous != resource.unconfirmed_email end + # By default we want to require a password checks on update. + # You can overwrite this method in your own RegistrationsController. + def update_resource(resource, params) + resource.update_with_password(params) + end + # Build a devise resource passing in the session. Useful to move # temporary session data to the newly created user. - def build_resource(hash=nil) - hash ||= resource_params || {} + def build_resource(hash = {}) self.resource = resource_class.new_with_session(hash, session) end + # Signs in a user on sign up. You can overwrite this method in your own + # RegistrationsController. + def sign_up(resource_name, resource) + sign_in(resource_name, resource) + end + # The path used after sign up. You need to overwrite this method # in your own RegistrationsController. def after_sign_up_path_for(resource) - after_sign_in_path_for(resource) + after_sign_in_path_for(resource) if is_navigational_format? end # The path used after sign up for inactive accounts. You need to overwrite # this method in your own RegistrationsController. def after_inactive_sign_up_path_for(resource) - respond_to?(:root_path) ? root_path : "/" + scope = Devise::Mapping.find_scope!(resource) + router_name = Devise.mappings[scope].router_name + context = router_name ? send(router_name) : self + context.respond_to?(:root_path) ? context.root_path : "/" end # The default url to be used after updating a resource. You need to overwrite # this method in your own RegistrationsController. def after_update_path_for(resource) - signed_in_root_path(resource) + sign_in_after_change_password? ? signed_in_root_path(resource) : new_session_path(resource_name) end # Authenticates the current scope and gets the current resource from the session. def authenticate_scope! - send(:"authenticate_#{resource_name}!", :force => true) + send(:"authenticate_#{resource_name}!", force: true) self.resource = send(:"current_#{resource_name}") end + + def sign_up_params + devise_parameter_sanitizer.sanitize(:sign_up) + end + + def account_update_params + devise_parameter_sanitizer.sanitize(:account_update) + end + + def translation_scope + 'devise.registrations' + end + + private + + def set_flash_message_for_update(resource, prev_unconfirmed_email) + return unless is_flashing_format? + + flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email) + :update_needs_confirmation + elsif sign_in_after_change_password? + :updated + else + :updated_but_not_signed_in + end + set_flash_message :notice, flash_key + end + + def sign_in_after_change_password? + return true if account_update_params[:password].blank? + + Devise.sign_in_after_change_password + end end diff --git a/app/controllers/devise/sessions_controller.rb b/app/controllers/devise/sessions_controller.rb index 2cbd671b33..41b74f39cb 100644 --- a/app/controllers/devise/sessions_controller.rb +++ b/app/controllers/devise/sessions_controller.rb @@ -1,50 +1,83 @@ +# frozen_string_literal: true + class Devise::SessionsController < DeviseController - prepend_before_filter :require_no_authentication, :only => [ :new, :create ] - prepend_before_filter :allow_params_authentication!, :only => :create - prepend_before_filter { request.env["devise.skip_timeout"] = true } + prepend_before_action :require_no_authentication, only: [:new, :create] + prepend_before_action :allow_params_authentication!, only: :create + prepend_before_action :verify_signed_out_user, only: :destroy + prepend_before_action(only: [:create, :destroy]) { request.env["devise.skip_timeout"] = true } # GET /resource/sign_in def new - resource = build_resource(nil, :unsafe => true) + self.resource = resource_class.new(sign_in_params) clean_up_passwords(resource) + yield resource if block_given? respond_with(resource, serialize_options(resource)) end # POST /resource/sign_in def create - resource = warden.authenticate!(auth_options) - set_flash_message(:notice, :signed_in) if is_navigational_format? + self.resource = warden.authenticate!(auth_options) + set_flash_message!(:notice, :signed_in) sign_in(resource_name, resource) - respond_with resource, :location => after_sign_in_path_for(resource) + yield resource if block_given? + respond_with resource, location: after_sign_in_path_for(resource) end # DELETE /resource/sign_out def destroy - redirect_path = after_sign_out_path_for(resource_name) signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)) - set_flash_message :notice, :signed_out if signed_out && is_navigational_format? - - # We actually need to hardcode this as Rails default responder doesn't - # support returning empty response on GET request - respond_to do |format| - format.any(*navigational_formats) { redirect_to redirect_path } - format.all do - head :no_content - end - end + set_flash_message! :notice, :signed_out if signed_out + yield if block_given? + respond_to_on_destroy(non_navigational_status: :no_content) end protected + def sign_in_params + devise_parameter_sanitizer.sanitize(:sign_in) + end + def serialize_options(resource) methods = resource_class.authentication_keys.dup methods = methods.keys if methods.is_a?(Hash) methods << :password if resource.respond_to?(:password) - { :methods => methods, :only => [:password] } + { methods: methods, only: [:password] } end def auth_options - { :scope => resource_name, :recall => "#{controller_path}#new" } + { scope: resource_name, recall: "#{controller_path}#new", locale: I18n.locale } end -end + def translation_scope + 'devise.sessions' + end + + private + + # Check if there is no signed in user before doing the sign out. + # + # If there is no signed in user, it will set the flash message and redirect + # to the after_sign_out path. + def verify_signed_out_user + if all_signed_out? + set_flash_message! :notice, :already_signed_out + + respond_to_on_destroy(non_navigational_status: :unauthorized) + end + end + + def all_signed_out? + users = Devise.mappings.keys.map { |s| warden.user(scope: s, run_callbacks: false) } + + users.all?(&:blank?) + end + + def respond_to_on_destroy(non_navigational_status: :no_content) + # We actually need to hardcode this as Rails default responder doesn't + # support returning empty response on GET request + respond_to do |format| + format.all { head non_navigational_status } + format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name), status: Devise.responder.redirect_status } + end + end +end diff --git a/app/controllers/devise/unlocks_controller.rb b/app/controllers/devise/unlocks_controller.rb index 45f6b2c1d7..8cff126c96 100644 --- a/app/controllers/devise/unlocks_controller.rb +++ b/app/controllers/devise/unlocks_controller.rb @@ -1,17 +1,20 @@ +# frozen_string_literal: true + class Devise::UnlocksController < DeviseController - prepend_before_filter :require_no_authentication + prepend_before_action :require_no_authentication # GET /resource/unlock/new def new - build_resource({}) + self.resource = resource_class.new end # POST /resource/unlock def create self.resource = resource_class.send_unlock_instructions(resource_params) + yield resource if block_given? if successfully_sent?(resource) - respond_with({}, :location => after_sending_unlock_instructions_path_for(resource)) + respond_with({}, location: after_sending_unlock_instructions_path_for(resource)) else respond_with(resource) end @@ -20,12 +23,14 @@ def create # GET /resource/unlock?unlock_token=abcdef def show self.resource = resource_class.unlock_access_by_token(params[:unlock_token]) + yield resource if block_given? if resource.errors.empty? - set_flash_message :notice, :unlocked if is_navigational_format? + set_flash_message! :notice, :unlocked respond_with_navigational(resource){ redirect_to after_unlock_path_for(resource) } else - respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new } + # TODO: use `error_status` when the default changes to `:unprocessable_entity` / `:unprocessable_content`. + respond_with_navigational(resource.errors, status: :unprocessable_entity){ render :new } end end @@ -33,12 +38,15 @@ def show # The path used after sending unlock password instructions def after_sending_unlock_instructions_path_for(resource) - new_session_path(resource) + new_session_path(resource) if is_navigational_format? end # The path used after unlocking the resource def after_unlock_path_for(resource) - new_session_path(resource) + new_session_path(resource) if is_navigational_format? end + def translation_scope + 'devise.unlocks' + end end diff --git a/app/controllers/devise_controller.rb b/app/controllers/devise_controller.rb index 38b7be9ad0..1c3b41626d 100644 --- a/app/controllers/devise_controller.rb +++ b/app/controllers/devise_controller.rb @@ -1,16 +1,52 @@ +# frozen_string_literal: true + # All Devise controllers are inherited from here. class DeviseController < Devise.parent_controller.constantize include Devise::Controllers::ScopedViews - helper DeviseHelper + if respond_to?(:helper) + helper DeviseHelper + end + + if respond_to?(:helper_method) + helpers = %w(resource scope_name resource_name signed_in_resource + resource_class resource_params devise_mapping) + helper_method(*helpers) + end - helpers = %w(resource scope_name resource_name signed_in_resource - resource_class resource_params devise_mapping) - hide_action *helpers - helper_method *helpers + prepend_before_action :assert_is_devise_resource! + self.responder = Devise.responder + respond_to :html if mimes_for_respond_to.empty? - prepend_before_filter :assert_is_devise_resource! - respond_to *Mime::SET.map(&:to_sym) if mimes_for_respond_to.empty? + # Override prefixes to consider the scoped view. + # Notice we need to check for the request due to a bug in + # Action Controller tests that forces _prefixes to be + # loaded before even having a request object. + # + # This method should be public as it is in ActionPack + # itself. Changing its visibility may break other gems. + def _prefixes #:nodoc: + @_prefixes ||= if self.class.scoped_views? && request && devise_mapping + ["#{devise_mapping.scoped_path}/#{controller_name}"] + super + else + super + end + end + + # Override internal methods to exclude `_prefixes` from action methods since + # we override it above. + # + # There was an intentional change in Rails 7.1 that will allow it to become + # an action method because it's a public method of a non-abstract controller, + # but we also can't make this abstract because it can affect potential actions + # defined in the parent controller, so instead we ensure `_prefixes` is going + # to be considered internal. (and thus, won't become an action method.) + # Ref: https://github.com/rails/rails/pull/48699 + def self.internal_methods #:nodoc: + super << :_prefixes + end + + protected # Gets the actual resource stored in the instance variable def resource @@ -28,13 +64,9 @@ def resource_class devise_mapping.to end - def resource_params - params[resource_name] - end - # Returns a signed in resource from session (if one exists) def signed_in_resource - warden.authenticate(:scope => resource_name) + warden.authenticate(scope: resource_name) end # Attempt to find the mapped route for devise based on request path @@ -42,22 +74,6 @@ def devise_mapping @devise_mapping ||= request.env["devise.mapping"] end - # Override prefixes to consider the scoped view. - # Notice we need to check for the request due to a bug in - # Action Controller tests that forces _prefixes to be - # loaded before even having a request object. - def _prefixes #:nodoc: - @_prefixes ||= if self.class.scoped_views? && request && devise_mapping - super.unshift("#{devise_mapping.scoped_path}/#{controller_name}") - else - super - end - end - - hide_action :_prefixes - - protected - # Checks whether it's a devise mapped resource or not. def assert_is_devise_resource! #:nodoc: unknown_action! <<-MESSAGE unless devise_mapping @@ -67,7 +83,7 @@ def assert_is_devise_resource! #:nodoc: 1) You forgot to wrap your route inside the scope block. For example: devise_scope :user do - match "/some/route" => "some_devise_controller" + get "/some/route" => "some_devise_controller" end 2) You are testing a Devise controller bypassing the router. @@ -93,41 +109,24 @@ def resource=(new_resource) instance_variable_set(:"@#{resource_name}", new_resource) end - # Build a devise resource. - # Assignment bypasses attribute protection when :unsafe option is passed - def build_resource(hash = nil, options = {}) - hash ||= resource_params || {} - - if options[:unsafe] - self.resource = resource_class.new.tap do |resource| - hash.each do |key, value| - setter = :"#{key}=" - resource.send(setter, value) if resource.respond_to?(setter) - end - end - else - self.resource = resource_class.new(hash) - end - end - - # Helper for use in before_filters where no authentication is required. + # Helper for use in before_actions where no authentication is required. # # Example: - # before_filter :require_no_authentication, :only => :new + # before_action :require_no_authentication, only: :new def require_no_authentication assert_is_devise_resource! return unless is_navigational_format? no_input = devise_mapping.no_input_strategies authenticated = if no_input.present? - args = no_input.dup.push :scope => resource_name + args = no_input.dup.push scope: resource_name warden.authenticate?(*args) else warden.authenticated?(resource_name) end if authenticated && resource = warden.user(resource_name) - flash[:alert] = I18n.t("devise.failure.already_authenticated") + set_flash_message(:alert, 'already_authenticated', scope: 'devise.failure') redirect_to after_sign_in_path_for(resource) end end @@ -144,14 +143,17 @@ def successfully_sent?(resource) end if notice - set_flash_message :notice, notice if is_navigational_format? + set_flash_message! :notice, notice true end end # Sets the flash message with :key, using I18n. By default you are able - # to setup your messages using specific resource scope, and if no one is - # found we look to default scope. + # to set up your messages using specific resource scope, and if no message is + # found we look to the default scope. Set the "now" options key to a true + # value to populate the flash.now hash in lieu of the default flash hash (so + # the flash message will be available to the current action instead of the + # next action). # Example (i18n locale file): # # en: @@ -163,13 +165,47 @@ def successfully_sent?(resource) # # Please refer to README or en.yml locale file to check what messages are # available. - def set_flash_message(key, kind, options={}) - options[:scope] = "devise.#{controller_name}" + def set_flash_message(key, kind, options = {}) + message = find_message(kind, options) + if options[:now] + flash.now[key] = message if message.present? + else + flash[key] = message if message.present? + end + end + + # Sets flash message if is_flashing_format? equals true + def set_flash_message!(key, kind, options = {}) + if is_flashing_format? + set_flash_message(key, kind, options) + end + end + + # Sets minimum password length to show to user + def set_minimum_password_length + if devise_mapping.validatable? + @minimum_password_length = resource_class.password_length.min + end + end + + def devise_i18n_options(options) + options + end + + # Get message for given + def find_message(kind, options = {}) + options[:scope] ||= translation_scope options[:default] = Array(options[:default]).unshift(kind.to_sym) options[:resource_name] = resource_name - options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true) - message = I18n.t("#{resource_name}.#{kind}", options) - flash[key] = message if message.present? + options = devise_i18n_options(options) + I18n.t("#{options[:resource_name]}.#{kind}", **options) + end + + # Controllers inheriting DeviseController are advised to override this + # method so that other controllers inheriting from them would use + # existing translations. + def translation_scope + "devise.#{controller_name}" end def clean_up_passwords(object) @@ -182,11 +218,9 @@ def respond_with_navigational(*args, &block) end end - def request_format - @request_format ||= request.format.try(:ref) + def resource_params + params.fetch(resource_name, {}) end - def is_navigational_format? - Devise.navigational_formats.include?(request_format) - end + ActiveSupport.run_load_hooks(:devise_controller, self) end diff --git a/app/helpers/devise_helper.rb b/app/helpers/devise_helper.rb index cfcbc82181..0bfcb06308 100644 --- a/app/helpers/devise_helper.rb +++ b/app/helpers/devise_helper.rb @@ -1,25 +1,5 @@ -module DeviseHelper - # A simple way to show error messages for the current devise resource. If you need - # to customize this method, you can either overwrite it in your application helpers or - # copy the views to your application. - # - # This method is intended to stay simple and it is unlikely that we are going to change - # it to add more behavior or options. - def devise_error_messages! - return "" if resource.errors.empty? - - messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join - sentence = I18n.t("errors.messages.not_saved", - :count => resource.errors.count, - :resource => resource.class.model_name.human.downcase) +# frozen_string_literal: true - html = <<-HTML -
<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email", value: (resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email) %>
+Welcome <%= @resource.email %>!
+Welcome <%= @email %>!
You can confirm your account email through the link below:
-<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>
+<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %>
diff --git a/app/views/devise/mailer/email_changed.html.erb b/app/views/devise/mailer/email_changed.html.erb new file mode 100644 index 0000000000..32f4ba8038 --- /dev/null +++ b/app/views/devise/mailer/email_changed.html.erb @@ -0,0 +1,7 @@ +Hello <%= @email %>!
+ +<% if @resource.try(:unconfirmed_email?) %> +We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.
+<% else %> +We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
+<% end %> diff --git a/app/views/devise/mailer/password_change.html.erb b/app/views/devise/mailer/password_change.html.erb new file mode 100644 index 0000000000..b41daf476a --- /dev/null +++ b/app/views/devise/mailer/password_change.html.erb @@ -0,0 +1,3 @@ +Hello <%= @resource.email %>!
+ +We're contacting you to notify you that your password has been changed.
diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb index ae9e888abb..f667dc12fe 100644 --- a/app/views/devise/mailer/reset_password_instructions.html.erb +++ b/app/views/devise/mailer/reset_password_instructions.html.erb @@ -1,8 +1,8 @@Hello <%= @resource.email %>!
-Someone has requested a link to change your password, and you can do this through the link below.
+Someone has requested a link to change your password. You can do this through the link below.
-<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>
+<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %>
If you didn't request this, please ignore this email.
Your password won't change until you access the link above and create a new one.
diff --git a/app/views/devise/mailer/unlock_instructions.html.erb b/app/views/devise/mailer/unlock_instructions.html.erb index 2263c21952..41e148bf2a 100644 --- a/app/views/devise/mailer/unlock_instructions.html.erb +++ b/app/views/devise/mailer/unlock_instructions.html.erb @@ -1,7 +1,7 @@Hello <%= @resource.email %>!
-Your account has been locked due to an excessive amount of unsuccessful sign in attempts.
+Your account has been locked due to an excessive number of unsuccessful sign in attempts.
Click the link below to unlock your account:
-<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>
+<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>
diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb index 34a49604a8..3f1dbc72e0 100644 --- a/app/views/devise/passwords/edit.html.erb +++ b/app/views/devise/passwords/edit.html.erb @@ -1,16 +1,25 @@<%= f.label :password, "New password" %>
+ <% if @minimum_password_length %> +(<%= @minimum_password_length %> characters minimum)
+ <% end %> +<%= f.password_field :password, autofocus: true, autocomplete: "new-password" %>
+<%= f.label :password_confirmation, "Confirm new password" %>
+<%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+<%= f.label :password %> (leave blank if you don't want to change it)
+<%= f.password_field :password, autocomplete: "new-password" %>
+ <% if @minimum_password_length %> +<%= @minimum_password_length %> characters minimum
+ <% end %> +<%= f.label :password_confirmation %>
+<%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+<%= f.label :current_password %> (we need your current password to confirm your changes)
+<%= f.password_field :current_password, autocomplete: "current-password" %>
+Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.
+<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+<%= f.label :password %>
+ <% if @minimum_password_length %> +(<%= @minimum_password_length %> characters minimum)
+ <% end %> +<%= f.password_field :password, autocomplete: "new-password" %>
+<%= f.label :password_confirmation %>
+<%= f.password_field :password_confirmation, autocomplete: "new-password" %>
+<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+<%= f.label :password %>
+<%= f.password_field :password, autocomplete: "current-password" %>
+<%= f.check_box :remember_me %>
+<%= f.label :remember_me %>
+<%= link_to "Log in", new_session_path(resource_name) %>
+<% end %> + +<%- if devise_mapping.registerable? && controller_name != 'registrations' %> +<%= link_to "Sign up", new_registration_path(resource_name) %>
+<% end %> + +<%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %> +<%= link_to "Forgot your password?", new_password_path(resource_name) %>
+<% end %> + +<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %> +<%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %>
+<% end %> + +<%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %> +<%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %>
+<% end %> + +<%- if devise_mapping.omniauthable? %> + <%- resource_class.omniauth_providers.each do |provider| %> +<%= button_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), data: { turbo: false } %>
+ <% end %> +<% end %> diff --git a/app/views/devise/unlocks/new.html.erb b/app/views/devise/unlocks/new.html.erb index 020787f8ea..6b68d724cb 100644 --- a/app/views/devise/unlocks/new.html.erb +++ b/app/views/devise/unlocks/new.html.erb @@ -1,12 +1,16 @@<%= f.label :email %>
+<%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+<%= notice %>
<%= alert %>
- 4. If you are deploying Rails 3.1 on Heroku, you may want to set: + * Not required for API-only Applications * - config.assets.initialize_on_precompile = false + 4. You can copy Devise views (for customization) to your app by running: - On config/application.rb forcing your application to not access the DB - or load models when precompiling your assets. + rails g devise:views + + * Not required * =============================================================================== diff --git a/lib/generators/templates/controllers/README b/lib/generators/templates/controllers/README new file mode 100644 index 0000000000..8671bbb280 --- /dev/null +++ b/lib/generators/templates/controllers/README @@ -0,0 +1,14 @@ +=============================================================================== + +Some setup you must do manually if you haven't yet: + + Ensure you have overridden routes for generated controllers in your routes.rb. + For example: + + Rails.application.routes.draw do + devise_for :users, controllers: { + sessions: 'users/sessions' + } + end + +=============================================================================== diff --git a/lib/generators/templates/controllers/confirmations_controller.rb b/lib/generators/templates/controllers/confirmations_controller.rb new file mode 100644 index 0000000000..e0466111c8 --- /dev/null +++ b/lib/generators/templates/controllers/confirmations_controller.rb @@ -0,0 +1,30 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>ConfirmationsController < Devise::ConfirmationsController + # GET /resource/confirmation/new + # def new + # super + # end + + # POST /resource/confirmation + # def create + # super + # end + + # GET /resource/confirmation?confirmation_token=abcdef + # def show + # super + # end + + # protected + + # The path used after resending confirmation instructions. + # def after_resending_confirmation_instructions_path_for(resource_name) + # super(resource_name) + # end + + # The path used after confirmation. + # def after_confirmation_path_for(resource_name, resource) + # super(resource_name, resource) + # end +end diff --git a/lib/generators/templates/controllers/omniauth_callbacks_controller.rb b/lib/generators/templates/controllers/omniauth_callbacks_controller.rb new file mode 100644 index 0000000000..29556cf6e9 --- /dev/null +++ b/lib/generators/templates/controllers/omniauth_callbacks_controller.rb @@ -0,0 +1,30 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>OmniauthCallbacksController < Devise::OmniauthCallbacksController + # You should configure your model like this: + # devise :omniauthable, omniauth_providers: [:twitter] + + # You should also create an action method in this controller like this: + # def twitter + # end + + # More info at: + # https://github.com/heartcombo/devise#omniauth + + # GET|POST /resource/auth/twitter + # def passthru + # super + # end + + # GET|POST /users/auth/twitter/callback + # def failure + # super + # end + + # protected + + # The path used when OmniAuth fails + # def after_omniauth_failure_path_for(scope) + # super(scope) + # end +end diff --git a/lib/generators/templates/controllers/passwords_controller.rb b/lib/generators/templates/controllers/passwords_controller.rb new file mode 100644 index 0000000000..afd468cc1d --- /dev/null +++ b/lib/generators/templates/controllers/passwords_controller.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>PasswordsController < Devise::PasswordsController + # GET /resource/password/new + # def new + # super + # end + + # POST /resource/password + # def create + # super + # end + + # GET /resource/password/edit?reset_password_token=abcdef + # def edit + # super + # end + + # PUT /resource/password + # def update + # super + # end + + # protected + + # def after_resetting_password_path_for(resource) + # super(resource) + # end + + # The path used after sending reset password instructions + # def after_sending_reset_password_instructions_path_for(resource_name) + # super(resource_name) + # end +end diff --git a/lib/generators/templates/controllers/registrations_controller.rb b/lib/generators/templates/controllers/registrations_controller.rb new file mode 100644 index 0000000000..cdd91acc12 --- /dev/null +++ b/lib/generators/templates/controllers/registrations_controller.rb @@ -0,0 +1,62 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>RegistrationsController < Devise::RegistrationsController + # before_action :configure_sign_up_params, only: [:create] + # before_action :configure_account_update_params, only: [:update] + + # GET /resource/sign_up + # def new + # super + # end + + # POST /resource + # def create + # super + # end + + # GET /resource/edit + # def edit + # super + # end + + # PUT /resource + # def update + # super + # end + + # DELETE /resource + # def destroy + # super + # end + + # GET /resource/cancel + # Forces the session data which is usually expired after sign + # in to be expired now. This is useful if the user wants to + # cancel oauth signing in/up in the middle of the process, + # removing all OAuth session data. + # def cancel + # super + # end + + # protected + + # If you have extra params to permit, append them to the sanitizer. + # def configure_sign_up_params + # devise_parameter_sanitizer.permit(:sign_up, keys: [:attribute]) + # end + + # If you have extra params to permit, append them to the sanitizer. + # def configure_account_update_params + # devise_parameter_sanitizer.permit(:account_update, keys: [:attribute]) + # end + + # The path used after sign up. + # def after_sign_up_path_for(resource) + # super(resource) + # end + + # The path used after sign up for inactive accounts. + # def after_inactive_sign_up_path_for(resource) + # super(resource) + # end +end diff --git a/lib/generators/templates/controllers/sessions_controller.rb b/lib/generators/templates/controllers/sessions_controller.rb new file mode 100644 index 0000000000..f229c9b4a0 --- /dev/null +++ b/lib/generators/templates/controllers/sessions_controller.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>SessionsController < Devise::SessionsController + # before_action :configure_sign_in_params, only: [:create] + + # GET /resource/sign_in + # def new + # super + # end + + # POST /resource/sign_in + # def create + # super + # end + + # DELETE /resource/sign_out + # def destroy + # super + # end + + # protected + + # If you have extra params to permit, append them to the sanitizer. + # def configure_sign_in_params + # devise_parameter_sanitizer.permit(:sign_in, keys: [:attribute]) + # end +end diff --git a/lib/generators/templates/controllers/unlocks_controller.rb b/lib/generators/templates/controllers/unlocks_controller.rb new file mode 100644 index 0000000000..0eadbbf65b --- /dev/null +++ b/lib/generators/templates/controllers/unlocks_controller.rb @@ -0,0 +1,30 @@ +# frozen_string_literal: true + +class <%= @scope_prefix %>UnlocksController < Devise::UnlocksController + # GET /resource/unlock/new + # def new + # super + # end + + # POST /resource/unlock + # def create + # super + # end + + # GET /resource/unlock?unlock_token=abcdef + # def show + # super + # end + + # protected + + # The path used after sending unlock password instructions + # def after_sending_unlock_instructions_path_for(resource) + # super(resource) + # end + + # The path used after unlocking the resource + # def after_unlock_path_for(resource) + # super(resource) + # end +end diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb index 3836a61c66..b36f281f25 100644 --- a/lib/generators/templates/devise.rb +++ b/lib/generators/templates/devise.rb @@ -1,13 +1,36 @@ +# frozen_string_literal: true + +# Assuming you have not yet modified this file, each configuration option below +# is set to its default value. Note that some are commented out while others +# are not: uncommented lines are intended to protect your configuration from +# breaking changes in upgrades (i.e., in the event that future versions of +# Devise change the default values for those options). +# # Use this hook to configure devise mailer, warden hooks and so forth. # Many of these configuration options can be set straight in your model. Devise.setup do |config| + # The secret key used by Devise. Devise uses this key to generate + # random tokens. Changing this key will render invalid all existing + # confirmation, reset password and unlock tokens in the database. + # Devise will use the `secret_key_base` as its `secret_key` + # by default. You can change it below and use your own secret key. + # config.secret_key = '<%= SecureRandom.hex(64) %>' + + # ==> Controller configuration + # Configure the parent class to the devise controllers. + # config.parent_controller = 'DeviseController' + # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, - # note that it will be overwritten if you use your own mailer class with default "from" parameter. - config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com" + # note that it will be overwritten if you use your own mailer class + # with default "from" parameter. + config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com' # Configure the class responsible to send e-mails. - # config.mailer = "Devise::Mailer" + # config.mailer = 'Devise::Mailer' + + # Configure the parent class responsible to send e-mails. + # config.parent_mailer = 'ActionMailer::Base' # ==> ORM configuration # Load and configure the ORM. Supports :active_record (default) and @@ -23,7 +46,7 @@ # session. If you need permissions, you should implement that in a before filter. # You can also supply a hash where the value is a boolean determining whether # or not authentication should be aborted when the value is not present. - # config.authentication_keys = [ :email ] + # config.authentication_keys = [:email] # Configure parameters from the request object used for authentication. Each entry # given should be a request method and it will automatically be passed to the @@ -35,12 +58,12 @@ # Configure which authentication keys should be case-insensitive. # These keys will be downcased upon creating or modifying a user and when used # to authenticate or find a user. Default is :email. - config.case_insensitive_keys = [ :email ] + config.case_insensitive_keys = [:email] # Configure which authentication keys should have whitespace stripped. # These keys will have whitespace before and after removed upon creating or # modifying a user and when used to authenticate or find a user. Default is :email. - config.strip_whitespace_keys = [ :email ] + config.strip_whitespace_keys = [:email] # Tell if authentication through request.params is enabled. True by default. # It can be set to an array that will enable params authentication only for the @@ -48,17 +71,21 @@ # enable it only for database (email + password) authentication. # config.params_authenticatable = true - # Tell if authentication through HTTP Basic Auth is enabled. False by default. + # Tell if authentication through HTTP Auth is enabled. False by default. # It can be set to an array that will enable http authentication only for the - # given strategies, for example, `config.http_authenticatable = [:token]` will - # enable it only for token authentication. + # given strategies, for example, `config.http_authenticatable = [:database]` will + # enable it only for database authentication. + # For API-only applications to support authentication "out-of-the-box", you will likely want to + # enable this with :database unless you are using a custom strategy. + # The supported strategies are: + # :database = Support basic authentication with authentication key + password # config.http_authenticatable = false - # If http headers should be returned for AJAX requests. True by default. + # If 401 status code should be returned for AJAX requests. True by default. # config.http_authenticatable_on_xhr = true - # The realm used in Http Basic Authentication. "Application" by default. - # config.http_authentication_realm = "Application" + # The realm used in Http Basic Authentication. 'Application' by default. + # config.http_authentication_realm = 'Application' # It will change confirmation, password recovery and other workflows # to behave the same regardless if the e-mail provided was right or wrong. @@ -66,30 +93,56 @@ # config.paranoid = true # By default Devise will store the user in session. You can skip storage for - # :http_auth and :token_auth by adding those symbols to the array below. + # particular strategies by setting this option. # Notice that if you are skipping storage for all authentication paths, you # may want to disable generating routes to Devise's sessions controller by - # passing :skip => :sessions to `devise_for` in your config/routes.rb + # passing skip: :sessions to `devise_for` in your config/routes.rb config.skip_session_storage = [:http_auth] + # By default, Devise cleans up the CSRF token on authentication to + # avoid CSRF token fixation attacks. This means that, when using AJAX + # requests for sign in and sign up, you need to get a new CSRF token + # from the server. You can disable this option at your own risk. + # config.clean_up_csrf_token_on_authentication = true + + # When false, Devise will not attempt to reload routes on eager load. + # This can reduce the time taken to boot the app but if your application + # requires the Devise mappings to be loaded during boot time the application + # won't boot properly. + # config.reload_routes = true + # ==> Configuration for :database_authenticatable - # For bcrypt, this is the cost for hashing the password and defaults to 10. If - # using other encryptors, it sets how many times you want the password re-encrypted. + # For bcrypt, this is the cost for hashing the password and defaults to 12. If + # using other algorithms, it sets how many times you want the password to be hashed. + # The number of stretches used for generating the hashed password are stored + # with the hashed password. This allows you to change the stretches without + # invalidating existing passwords. # # Limiting the stretches to just one in testing will increase the performance of # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use - # a value less than 10 in other environments. - config.stretches = Rails.env.test? ? 1 : 10 + # a value less than 10 in other environments. Note that, for bcrypt (the default + # algorithm), the cost increases exponentially with the number of stretches (e.g. + # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation). + config.stretches = Rails.env.test? ? 1 : 12 + + # Set up a pepper to generate the hashed password. + # config.pepper = '<%= SecureRandom.hex(64) %>' + + # Send a notification to the original email when the user's email is changed. + # config.send_email_changed_notification = false - # Setup a pepper to generate the encrypted password. - # config.pepper = <%= SecureRandom.hex(64).inspect %> + # Send a notification email when the user's password is changed. + # config.send_password_change_notification = false # ==> Configuration for :confirmable # A period that the user is allowed to access the website even without - # confirming his account. For instance, if set to 2.days, the user will be - # able to access the website for two days without confirming his account, - # access will be blocked just in the third day. Default is 0.days, meaning - # the user cannot access the website without confirming his account. + # confirming their account. For instance, if set to 2.days, the user will be + # able to access the website for two days without confirming their account, + # access will be blocked just in the third day. + # You can also set it to nil, which will allow the user to access the website + # without confirming their account. + # Default is 0.days, meaning the user cannot access the website without + # confirming their account. # config.allow_unconfirmed_access_for = 2.days # A period that the user is allowed to confirm their account before their @@ -102,41 +155,44 @@ # If true, requires any email changes to be confirmed (exactly the same way as # initial account confirmation) to be applied. Requires additional unconfirmed_email - # db field (see migrations). Until confirmed new email is stored in - # unconfirmed email column, and copied to email column on successful confirmation. + # db field (see migrations). Until confirmed, new email is stored in + # unconfirmed_email column, and copied to email column on successful confirmation. + # Also, when used in conjunction with `send_email_changed_notification`, + # the notification is sent to the original email when the change is requested, + # not when the unconfirmed email is confirmed. config.reconfirmable = true # Defines which key will be used when confirming an account - # config.confirmation_keys = [ :email ] + # config.confirmation_keys = [:email] # ==> Configuration for :rememberable # The time the user will be remembered without asking for credentials again. # config.remember_for = 2.weeks + # Invalidates all the remember me tokens when the user signs out. + config.expire_all_remember_me_on_sign_out = true + # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false # Options to be passed to the created cookie. For instance, you can set - # :secure => true in order to force SSL only cookies. + # secure: true in order to force SSL only cookies. # config.rememberable_options = {} # ==> Configuration for :validatable - # Range for password length. Default is 8..128. - config.password_length = 8..128 + # Range for password length. + config.password_length = 6..128 # Email regex used to validate email formats. It simply asserts that - # an one (and only one) @ exists in the given string. This is mainly + # one (and only one) @ exists in the given string. This is mainly # to give user feedback and not to assert the e-mail validity. - # config.email_regexp = /\A[^@]+@[^@]+\z/ + config.email_regexp = /\A[^@\s]+@[^@\s]+\z/ # ==> Configuration for :timeoutable # The time you want to timeout the user session without activity. After this # time the user will be asked for credentials again. Default is 30 minutes. # config.timeout_in = 30.minutes - # If true, expires auth token on session timeout. - # config.expire_auth_token_on_timeout = false - # ==> Configuration for :lockable # Defines which strategy will be used to lock an account. # :failed_attempts = Locks an account after a number of failed attempts to sign in. @@ -144,7 +200,7 @@ # config.lock_strategy = :failed_attempts # Defines which key will be used when locking and unlocking an account - # config.unlock_keys = [ :email ] + # config.unlock_keys = [:email] # Defines which strategy will be used to unlock an account. # :email = Sends an unlock link to the user email @@ -160,28 +216,33 @@ # Time interval to unlock the account if :time is enabled as unlock_strategy. # config.unlock_in = 1.hour + # Warn on the last attempt before the account is locked. + # config.last_attempt_warning = true + # ==> Configuration for :recoverable # # Defines which key will be used when recovering the password for an account - # config.reset_password_keys = [ :email ] + # config.reset_password_keys = [:email] # Time interval you can reset your password with a reset password key. # Don't put a too small interval or your users won't have the time to # change their passwords. config.reset_password_within = 6.hours + # When set to false, does not sign a user in automatically after their password is + # reset. Defaults to true, so a user is signed in automatically after a reset. + # config.sign_in_after_reset_password = true + # ==> Configuration for :encryptable - # Allow you to use another encryption algorithm besides bcrypt (default). You can use - # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1, - # :authlogic_sha512 (then you should set stretches above to 20 for default behavior) - # and :restful_authentication_sha1 (then you should set stretches to 10, and copy - # REST_AUTH_SITE_KEY to pepper) + # Allow you to use another hashing or encryption algorithm besides bcrypt (default). + # You can use :sha1, :sha512 or algorithms from others authentication tools as + # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20 + # for default behavior) and :restful_authentication_sha1 (then you should set + # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper). + # + # Require the `devise-encryptable` gem when using anything other than bcrypt # config.encryptor = :sha512 - # ==> Configuration for :token_authenticatable - # Defines name of the authentication token params key - # config.token_authentication_key = :auth_token - # ==> Scopes configuration # Turn scoped views on. Before rendering "sessions/new", it will first check for # "users/sessions/new". It's turned off by default because it's slower if you @@ -198,14 +259,14 @@ # ==> Navigation configuration # Lists the formats that should be treated as navigational. Formats like - # :html, should redirect to the sign in page when the user does not have + # :html should redirect to the sign in page when the user does not have # access, but formats like :xml or :json, should return 401. # # If you have any extra navigational formats, like :iphone or :mobile, you # should add them to the navigational formats lists. # # The "*/*" below is required to match Internet Explorer requests. - # config.navigational_formats = ["*/*", :html] + # config.navigational_formats = ['*/*', :html, :turbo_stream] # The default HTTP method used to sign out a resource. Default is :delete. config.sign_out_via = :delete @@ -213,15 +274,15 @@ # ==> OmniAuth # Add a new OmniAuth provider. Check the wiki for more information on setting # up on your models and hooks. - # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo' + # config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo' # ==> Warden configuration # If you want to use other strategies, that are not supported by Devise, or # change the failure app, you can configure them inside the config.warden block. # - # config.warden do |manager| - # manager.intercept_401 = false - # manager.default_strategies(:scope => :user).unshift :some_external_strategy + # config.warden do |warden_config| + # warden_config.intercept_401 = false + # warden_config.default_strategies(scope: :user).unshift :some_external_strategy # end # ==> Mountable engine configurations @@ -229,12 +290,27 @@ # is mountable, there are some extra configurations to be taken into account. # The following options are available, assuming the engine is mounted as: # - # mount MyEngine, at: "/my_engine" + # mount MyEngine, at: '/my_engine' # # The router that invoked `devise_for`, in the example above, would be: # config.router_name = :my_engine # - # When using omniauth, Devise cannot automatically set Omniauth path, + # When using OmniAuth, Devise cannot automatically set OmniAuth path, # so you need to do it manually. For the users scope, it would be: - # config.omniauth_path_prefix = "/my_engine/users/auth" + # config.omniauth_path_prefix = '/my_engine/users/auth' + + # ==> Hotwire/Turbo configuration + # When using Devise with Hotwire/Turbo, the http status for error responses + # and some redirects must match the following. The default in Devise for existing + # apps is `200 OK` and `302 Found` respectively, but new apps are generated with + # these new defaults that match Hotwire/Turbo behavior. + # Note: These might become the new default in future versions of Devise. + config.responder.error_status = <%= Rack::Utils::SYMBOL_TO_STATUS_CODE.key(422).inspect %> + config.responder.redirect_status = :see_other + + # ==> Configuration for :registerable + + # When set to false, does not sign a user in automatically after their password is + # changed. Defaults to true, so a user is signed in automatically after changing a password. + # config.sign_in_after_change_password = true end diff --git a/lib/generators/templates/markerb/confirmation_instructions.markerb b/lib/generators/templates/markerb/confirmation_instructions.markerb index 84665383ec..48ebb86739 100644 --- a/lib/generators/templates/markerb/confirmation_instructions.markerb +++ b/lib/generators/templates/markerb/confirmation_instructions.markerb @@ -1,5 +1,5 @@ -Welcome <%= @resource.email %>! +Welcome <%= @email %>! You can confirm your account through the link below: -<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %> +[Confirm my account](<%= confirmation_url(@resource, confirmation_token: @token) %>) diff --git a/lib/generators/templates/markerb/email_changed.markerb b/lib/generators/templates/markerb/email_changed.markerb new file mode 100644 index 0000000000..5416b2a534 --- /dev/null +++ b/lib/generators/templates/markerb/email_changed.markerb @@ -0,0 +1,7 @@ +Hello <%= @email %>! + +<% if @resource.try(:unconfirmed_email?) %> +We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>. +<% else %> +We're contacting you to notify you that your email has been changed to <%= @resource.email %>. +<% end %> diff --git a/lib/generators/templates/markerb/password_change.markerb b/lib/generators/templates/markerb/password_change.markerb new file mode 100644 index 0000000000..4f9f96203a --- /dev/null +++ b/lib/generators/templates/markerb/password_change.markerb @@ -0,0 +1,3 @@ +Hello <%= @resource.email %>! + +We're contacting you to notify you that your password has been changed. diff --git a/lib/generators/templates/markerb/reset_password_instructions.markerb b/lib/generators/templates/markerb/reset_password_instructions.markerb index 5587598d89..eead40a09a 100644 --- a/lib/generators/templates/markerb/reset_password_instructions.markerb +++ b/lib/generators/templates/markerb/reset_password_instructions.markerb @@ -2,7 +2,7 @@ Hello <%= @resource.email %>! Someone has requested a link to change your password, and you can do this through the link below. -<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %> +[Change my password](<%= edit_password_url(@resource, reset_password_token: @token) %>) If you didn't request this, please ignore this email. Your password won't change until you access the link above and create a new one. diff --git a/lib/generators/templates/markerb/unlock_instructions.markerb b/lib/generators/templates/markerb/unlock_instructions.markerb index 9bab190438..ff0d9c38dd 100644 --- a/lib/generators/templates/markerb/unlock_instructions.markerb +++ b/lib/generators/templates/markerb/unlock_instructions.markerb @@ -1,7 +1,7 @@ Hello <%= @resource.email %>! -Your account has been locked due to an excessive amount of unsuccessful sign in attempts. +Your account has been locked due to an excessive number of unsuccessful sign in attempts. Click the link below to unlock your account: -<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %> +[Unlock my account](<%= unlock_url(@resource, unlock_token: @token) %>) diff --git a/lib/generators/templates/simple_form_for/confirmations/new.html.erb b/lib/generators/templates/simple_form_for/confirmations/new.html.erb index c2387ac49a..f7b4a65c50 100644 --- a/lib/generators/templates/simple_form_for/confirmations/new.html.erb +++ b/lib/generators/templates/simple_form_for/confirmations/new.html.erb @@ -1,10 +1,15 @@Currently waiting confirmation for: <%= resource.unconfirmed_email %>
+ <% end %> + + <%= f.input :password, + hint: "leave it blank if you don't want to change it", + required: false, + input_html: { autocomplete: "new-password" } %> + <%= f.input :password_confirmation, + required: false, + input_html: { autocomplete: "new-password" } %> + <%= f.input :current_password, + hint: "we need your current password to confirm your changes", + required: true, + input_html: { autocomplete: "current-password" } %>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.
+