Merge branch 'upgrade_devise' into 'master'

Upgrade devise from 3.0.4 to 3.2.4 See merge request !960

Merge branch 'upgrade_devise' into 'master'
Upgrade devise from 3.0.4 to 3.2.4 See merge request !960
6bc32fe4 · Dmitriy Zaporozhets · 7a914e5a · 60cc1d8e · 6bc32fe4 · 6bc32fe4
Commit 6bc32fe4 authored Jul 10, 2014 by Dmitriy Zaporozhets
11 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -21,8 +21,8 @@ gem "mysql2", group: :mysql
 gem "pg", group: :postgres
 # Auth
-gem "devise", '3.0.4'
+gem "devise", '3.2.4'
-gem "devise-async", '0.8.0'
+gem "devise-async", '0.9.0'
 gem 'omniauth', "~> 1.1.3"
 gem 'omniauth-google-oauth2'
 gem 'omniauth-twitter'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -40,7 +40,7 @@ GEM
    axiom-types (0.0.5)
      descendants_tracker (~> 0.0.1)
      ice_nine (~> 0.9)
-    bcrypt-ruby (3.1.2)
+    bcrypt (3.1.7)
    better_errors (1.0.1)
      coderay (>= 1.0.0)
      erubis (>= 2.6.6)
@@ -94,13 +94,14 @@ GEM
    default_value_for (3.0.0)
      activerecord (>= 3.2.0, < 5.0)
    descendants_tracker (0.0.3)
-    devise (3.0.4)
+    devise (3.2.4)
-      bcrypt-ruby (~> 3.0)
+      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
+      thread_safe (~> 0.1)
      warden (~> 1.2.3)
-    devise-async (0.8.0)
+    devise-async (0.9.0)
-      devise (>= 2.2, < 3.2)
+      devise (~> 3.2)
    diff-lcs (1.2.5)
    diffy (3.0.3)
    docile (1.1.1)
@@ -584,8 +585,8 @@ DEPENDENCIES
  d3_rails (~> 3.1.4)
  database_cleaner
  default_value_for (~> 3.0.0)
-  devise (= 3.0.4)
+  devise (= 3.2.4)
-  devise-async (= 0.8.0)
+  devise-async (= 0.9.0)
  diffy (~> 3.0.3)
  dropzonejs-rails
  email_spec

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
 require 'gon'
 class ApplicationController < ActionController::Base
+  before_filter :authenticate_user_from_token!
  before_filter :authenticate_user!
  before_filter :reject_blocked!
  before_filter :check_password_expiration
@@ -28,6 +29,25 @@ class ApplicationController < ActionController::Base
  protected
+  # From https://github.com/plataformatec/devise/wiki/How-To:-Simple-Token-Authentication-Example
+  # https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
+  def authenticate_user_from_token!
+    user_token = if params[:authenticity_token].presence
+                   params[:authenticity_token].presence
+                 elsif params[:private_token].presence
+                   params[:private_token].presence
+                 end
+    user = user_token && User.find_by_authentication_token(user_token.to_s)
+    if user
+      # Notice we are passing store false, so the user is not
+      # actually stored in the session and a token is needed
+      # for every request. If you want the token to work as a
+      # sign in token, you can simply remove store: false.
+      sign_in user, store: false
+    end
+  end
  def log_exception(exception)
    application_trace = ActionDispatch::ExceptionWrapper.new(env, exception).application_trace
    application_trace.map!{ |t| "  #{t}\n" }
@@ -226,8 +246,7 @@ class ApplicationController < ActionController::Base
  end
  def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email, :password, :login, :remember_me) }
+    devise_parameter_sanitizer.sanitize(:sign_in) { |u| u.permit(:username, :email, :password, :login, :remember_me) }
-    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email, :name, :password, :password_confirmation) }
  end
  def hexdigest(string)

--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -28,4 +28,8 @@ class RegistrationsController < Devise::RegistrationsController
  def signup_enabled?
    redirect_to new_user_session_path unless Gitlab.config.gitlab.signup_enabled
  end
+  def sign_up_params
+    params.require(:user).permit(:username, :email, :name, :password, :password_confirmation)
+  end
 end
--- a/app/models/concerns/token_authenticatable.rb
+++ b/app/models/concerns/token_authenticatable.rb
+module TokenAuthenticatable
+  extend ActiveSupport::Concern
+  module ClassMethods
+    def find_by_authentication_token(authentication_token = nil)
+      if authentication_token
+        where(authentication_token: authentication_token).first
+      end
+    end
+  end
+  def ensure_authentication_token
+    if authentication_token.blank?
+      self.authentication_token = generate_authentication_token
+    end
+  end
+  def reset_authentication_token!
+    self.authentication_token = generate_authentication_token
+    save
+  end
+  private
+  def generate_authentication_token
+    loop do
+      token = Devise.friendly_token
+      break token unless self.class.unscoped.where(authentication_token: token).first
+    end
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -52,6 +52,7 @@ require 'file_size_validator'
 class User < ActiveRecord::Base
  include Gitlab::ConfigHelper
  extend Gitlab::ConfigHelper
+  include TokenAuthenticatable
  default_value_for :admin, false
  default_value_for :can_create_group, gitlab_config.default_can_create_group
@@ -60,7 +61,7 @@ class User < ActiveRecord::Base
  default_value_for :projects_limit, gitlab_config.default_projects_limit
  default_value_for :theme_id, gitlab_config.default_theme
-  devise :database_authenticatable, :token_authenticatable, :lockable, :async,
+  devise :database_authenticatable, :lockable, :async,
         :recoverable, :rememberable, :trackable, :validatable, :omniauthable, :confirmable, :registerable
  attr_accessor :force_random_password

--- a/app/views/devise/mailer/confirmation_instructions.html.erb
+++ b/app/views/devise/mailer/confirmation_instructions.html.erb
@@ -6,4 +6,4 @@
  <p>You can confirm your account through the link below:</p>
 <% end %>
-<p><%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @resource.confirmation_token) %></p>
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %></p>
--- a/app/views/devise/mailer/reset_password_instructions.html.erb
+++ b/app/views/devise/mailer/reset_password_instructions.html.erb
@@ -2,7 +2,7 @@
 <p>Someone has requested a link to change your password, and you can do this through the link below.</p>
-<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @resource.reset_password_token) %></p>
+<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %></p>
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>
--- a/app/views/devise/mailer/unlock_instructions.html.erb
+++ b/app/views/devise/mailer/unlock_instructions.html.erb
@@ -4,4 +4,4 @@
 <p>Click the link below to unlock your account:</p>
-<p><%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @resource.unlock_token) %></p>
+<p><%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %></p>
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -155,10 +155,6 @@ Devise.setup do |config|
  # REST_AUTH_SITE_KEY to pepper)
  # config.encryptor = :sha512
-  # ==> Configuration for :token_authenticatable
-  # Defines name of the authentication token params key
-  config.token_authentication_key = :private_token
  # Authentication through token does not store user in session and needs
  # to be supplied on each request. Useful if you are using the token as API token.
  config.skip_session_storage << :token_auth

--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@@ -25,6 +25,9 @@ en:
    sessions:
      signed_in: 'Signed in successfully.'
      signed_out: 'Signed out successfully.'
+    users_sessions:
+      user:
+        signed_in: 'Signed in successfully.'
    passwords:
      send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
      updated: 'Your password was changed successfully. You are now signed in.'