Upgrades to Devise 3.4

This includes a new `alchemy:devise:install` generator to improve security and transparency in the host app.

NOTE: If you are upgrading from Alchemy::Devise 2.0 or older and have overwritten the mailer views, you need to upgrade them! See: https://github.com/plataformatec/devise/blob/master/CHANGELOG.md#310---2013-09-05

README.md

@@ -1,4 +1,4 @@
-## Devise based authentication for Alchemy 3.0
+## Devise based authentication for Alchemy 3.1
 
 [![Build Status](https://secure.travis-ci.org/magiclabs/alchemy-devise.svg?branch=master)](http://travis-ci.org/magiclabs/alchemy-devise) [![Coverage Status](https://coveralls.io/repos/magiclabs/alchemy-devise/badge.png?branch=master)](https://coveralls.io/r/magiclabs/alchemy-devise?branch=master) [![Code Climate](https://codeclimate.com/github/magiclabs/alchemy-devise.svg)](https://codeclimate.com/github/magiclabs/alchemy-devise)
 
@@ -21,26 +21,19 @@ gem 'alchemy-devise', github: 'magiclabs/alchemy-devise', branch: 'master'
 
 and run `bundle install`.
 
-Migrate the database:
+Then run the installer:
 
 ```shell
-$ bin/rake alchemy_devise:install:migrations
-$ bin/rake db:migrate
+$ bin/rails g alchemy_devise:install
 ```
 
 ## Upgrading
 
-After updating the gem, please also check if new migrations have been added.
+After updating the gem, please run the installer again.
 
 ```shell
 $ bundle update alchemy-devise
-$ bin/rake alchemy_devise:install:migrations
-```
-
-and if new migrations have been added then migrate your database:
-
-```shell
-$ bin/rake db:migrate
+$ bin/rails g alchemy_devise:install
 ```
 
 ## Testing
@@ -55,19 +48,19 @@ Clone the repo to your local harddrive. Then
 
 ```shell
 $ bundle install
-$ rake alchemy:spec:prepare
+$ bin/rake alchemy:spec:prepare
 ```
 
 ### 2. Run the tests with:
 
 ```shell
-$ rspec
+$ bundle exec rspec
 ```
 
 _Optional:_ Even shorter
 
 ```shell
-$ rake
+$ bin/rake
 ```
 
 That prepares the database and runs the Rspec task in one step.

Rakefile

@@ -31,8 +31,7 @@ namespace :alchemy do
 
     desc "Prepares database for testing Alchemy"
     task :prepare do
-      system 'cd spec/dummy && RAILS_ENV=test bundle exec rake db:migrate:reset && cd -'
+      system 'cd spec/dummy && RAILS_ENV=test bundle exec rake db:migrate:reset && RAILS_ENV=test bundle exec rails g alchemy:devise:install --force && cd -'
     end
-
   end
 end

alchemy-devise.gemspec

@@ -13,13 +13,24 @@ Gem::Specification.new do |s|
   s.summary     = "Devise based user authentication for Alchemy CMS."
   s.description = "Devise based user authentication for Alchemy CMS."
 
-  s.files = Dir["{app,config,db,lib}/**/*", "MIT-LICENSE", "Rakefile", "README.rdoc"]
+  s.files = Dir["{app,config,db,lib}/**/*", "LICENSE", "Rakefile", "README.md"]
+  s.test_files = Dir["spec/**/*"]
 
   s.add_dependency "alchemy_cms", [">= 3.1.0.beta2", "< 3.2"]
-  s.add_dependency "devise",      "~> 3.0.0"
+  s.add_dependency "devise",      ["~> 3.4"]
 
   s.add_development_dependency "capybara"
   s.add_development_dependency "factory_girl_rails"
   s.add_development_dependency "rspec-activemodel-mocks", "~> 1.0"
   s.add_development_dependency "rspec-rails",             "~> 3.1"
+
+  s.post_install_message =<<-MSG
+In order to complete the installation or the upgrade of Alchemy::Devise run:
+
+  $ bin/rails g alchemy:devise:install
+
+NOTE: If you are upgrading from Alchemy::Devise 2.0 or older and have overwritten the mailer views, you need to upgrade them!
+See: https://github.com/plataformatec/devise/blob/master/CHANGELOG.md#310---2013-09-05
+
+  MSG
 end

app/controllers/alchemy/user_sessions_controller.rb

@@ -1,8 +1,11 @@
 module Alchemy
   class UserSessionsController < ::Devise::SessionsController
-    include Locale
+    include Alchemy::Locale
+
+    before_action except: 'destroy' do
+      enforce_ssl if ssl_required? && !request.ssl?
+    end
 
-    before_action(except: 'destroy') { enforce_ssl if ssl_required? && !request.ssl? }
     before_action :check_user_count, :only => :new
 
     helper 'Alchemy::Admin::Base', 'Alchemy::Pages'
@@ -15,6 +18,7 @@ def new
 
     def create
       authenticate_user!
+
       if user_signed_in?
         store_screen_size
         if session[:redirect_path].blank?
@@ -23,7 +27,8 @@ def create
           # We have to strip double slashes from beginning of path, because of strange rails/rack bug.
           redirect_path = session[:redirect_path].gsub(/\A\/{2,}/, '/')
         end
-        redirect_to redirect_path, :notice => t(:signed_in, :scope => 'devise.sessions')
+        redirect_to redirect_path,
+          notice: t(:signed_in, scope: 'devise.sessions')
       else
         super
       end
@@ -56,6 +61,5 @@ def after_sign_out_path_for(resource_or_scope)
         request.referer
       end
     end
-
   end
 end

app/mailers/alchemy/notifications.rb

@@ -21,13 +21,13 @@ def alchemy_user_created(user)
       )
     end
 
-    def reset_password_instructions(user, opts={})
+    def reset_password_instructions(user, token, opts={})
       @user = user
+      @token = token
       mail(
         to: user.email,
         subject: I18n.t("Reset password instructions")
       )
     end
-
   end
 end

app/models/alchemy/user.rb

@@ -1,5 +1,6 @@
-require 'userstamp'
+require 'devise/orm/active_record'
 require 'acts-as-taggable-on'
+require 'userstamp'
 
 module Alchemy
   class User < ActiveRecord::Base

app/views/alchemy/notifications/reset_password_instructions.de.text.erb

@@ -2,7 +2,7 @@ Hallo <%= @user.fullname %>.
 
 Sie haben angefordert Ihr Passwort zurückzusetzen. Dies kann durch anklicken des nachfolgenden Links bestätigt werden.
 
-<%= alchemy.edit_password_url(@user, reset_password_token: @user.reset_password_token) %>
+<%= alchemy.edit_password_url(@user, reset_password_token: @token) %>
 
 Wenn Sie diese Zurücksetzung nicht angefragt haben, dann können Sie diese E-Mail einfach ignorieren.
 Ihr Passwort wird erst dann zurückgesetzt, wenn Sie den Link anklicken.

app/views/alchemy/notifications/reset_password_instructions.en.text.erb

@@ -2,7 +2,7 @@ Hello <%= @user.name %>.
 
 You have requested to change your password. Please confirm this by clicking the link below.
 
-<%= alchemy.edit_password_url(@user, reset_password_token: @user.reset_password_token) %>
+<%= alchemy.edit_password_url(@user, reset_password_token: @token) %>
 
 If you didn't request this, please ignore this email.
 Your password won't change until you access the link above and create a new one.

app/views/alchemy/notifications/reset_password_instructions.es.text.erb

@@ -2,7 +2,7 @@ Hola <%= @user.name %>.
 
 Has solicitado modificar tu contraseña. Por favor, confírmalo pulsando en el siguiente enlace.
 
-<%= alchemy.edit_password_url(@user, reset_password_token: @user.reset_password_token) %>
+<%= alchemy.edit_password_url(@user, reset_password_token: @token) %>
 
 Si no has sido tu el que ha hecho la solicitud, ignora este correo.
 Tu contraseña no cambiará hasta que no accedas al enlace de arriba y generes una nueva.

app/views/alchemy/notifications/reset_password_instructions.ru.text.erb

@@ -2,7 +2,7 @@
 
 Вы сделали запрос на смену пароля. Пожалуйста подтвердите это, нажав на ссылку ниже.
 
-<%= alchemy.edit_password_url(@user, reset_password_token: @user.reset_password_token) %>
+<%= alchemy.edit_password_url(@user, reset_password_token: @token) %>
 
 Если вы не делали запрос, просто проигнорируйте это письмо.
 Ваш пароль не изменится до тех пор, пока вы не перейдете по ссылке и сами не измените его.

config/locales/devise.en.yml

@@ -1,60 +1,60 @@
 # Additional translations at https://github.com/plataformatec/devise/wiki/I18n
 
 en:
+  devise:
+    confirmations:
+      confirmed: "Your email address has been successfully confirmed."
+      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+    failure:
+      already_authenticated: "You are already signed in."
+      inactive: "Your account is not activated yet."
+      invalid: "Invalid %{authentication_keys} or password."
+      locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account is locked."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
+      timeout: "Your session expired. Please sign in again to continue."
+      unauthenticated: "You need to sign in or sign up before continuing."
+      unconfirmed: "You have to confirm your email address before continuing."
+    mailer:
+      confirmation_instructions:
+        subject: "Confirmation instructions"
+      reset_password_instructions:
+        subject: "Reset password instructions"
+      unlock_instructions:
+        subject: "Unlock instructions"
+    omniauth_callbacks:
+      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      success: "Successfully authenticated from %{kind} account."
+    passwords:
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
+      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      updated: "Your password has been changed successfully. You are now signed in."
+      updated_not_active: "Your password has been changed successfully."
+    registrations:
+      destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
+      signed_up: "Welcome! You have signed up successfully."
+      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
+      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
+      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
+      updated: "Your account has been updated successfully."
+    sessions:
+      signed_in: "Signed in successfully."
+      signed_out: "Signed out successfully."
+      already_signed_out: "Signed out successfully."
+    unlocks:
+      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
+      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
   errors:
     messages:
+      already_confirmed: "was already confirmed, please try signing in"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
       expired: "has expired, please request a new one"
       not_found: "not found"
-      already_confirmed: "was already confirmed, please try signing in"
       not_locked: "was not locked"
       not_saved:
         one: "1 error prohibited this %{resource} from being saved:"
         other: "%{count} errors prohibited this %{resource} from being saved:"
-      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
-
-  devise:
-    failure:
-      already_authenticated: 'You are already signed in.'
-      unauthenticated: 'You need to sign in or sign up before continuing.'
-      unconfirmed: 'You have to confirm your account before continuing.'
-      locked: 'Your account is locked.'
-      not_found_in_database: 'Invalid email or password.'
-      invalid: 'Invalid email or password.'
-      invalid_token: 'Invalid authentication token.'
-      timeout: 'Your session expired, please sign in again to continue.'
-      inactive: 'Your account was not activated yet.'
-    sessions:
-      signed_in: 'Signed in successfully.'
-      signed_out: 'Signed out successfully.'
-    passwords:
-      send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
-      updated: 'Your password was changed successfully. You are now signed in.'
-      updated_not_active: 'Your password was changed successfully.'
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
-      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-    confirmations:
-      send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'
-      send_paranoid_instructions: 'If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes.'
-      confirmed: 'Your account was successfully confirmed. You are now signed in.'
-    registrations:
-      signed_up: 'Welcome! You have signed up successfully.'
-      signed_up_but_unconfirmed: 'A message with a confirmation link has been sent to your email address. Please open the link to activate your account.'
-      signed_up_but_inactive: 'You have signed up successfully. However, we could not sign you in because your account is not yet activated.'
-      signed_up_but_locked: 'You have signed up successfully. However, we could not sign you in because your account is locked.'
-      updated: 'You updated your account successfully.'
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm link to finalize confirming your new email address."
-      destroyed: 'Bye! Your account was successfully cancelled. We hope to see you again soon.'
-    unlocks:
-      send_instructions: 'You will receive an email with instructions about how to unlock your account in a few minutes.'
-      unlocked: 'Your account has been unlocked successfully. Please sign in to continue.'
-      send_paranoid_instructions: 'If your account exists, you will receive an email with instructions about how to unlock it in a few minutes.'
-    omniauth_callbacks:
-      success: 'Successfully authenticated from %{kind} account.'
-      failure: 'Could not authenticate you from %{kind} because "%{reason}".'
-    mailer:
-      confirmation_instructions:
-        subject: 'Confirmation instructions'
-      reset_password_instructions:
-        subject: 'Reset password instructions'
-      unlock_instructions:
-        subject: 'Unlock Instructions'

config/routes.rb

@@ -9,15 +9,26 @@
   resources :users, only: [:create]
 
   devise_scope :user do
-    get '/admin/signup' => 'users#new', :as => :signup
-    get '/admin/login' => 'user_sessions#new', :as => :login
+    get '/admin/dashboard' => 'admin/dashboard#index',
+      :as => :user_root
+
+    get '/admin/signup' => 'users#new',
+      :as => :signup
+
+    get '/admin/login' => 'user_sessions#new',
+      :as => :login
     post '/admin/login' => 'user_sessions#create'
-    delete '/admin/logout' => 'user_sessions#destroy', :as => :logout
-    get '/admin/dashboard' => 'admin/dashboard#index', :as => :user_root
-    get '/admin/passwords' => 'passwords#new', :as => :new_password
-    get '/admin/passwords/:id/edit/:reset_password_token' => 'passwords#edit', :as => :edit_password
-    post '/admin/passwords' => 'passwords#create', :as => :reset_password
-    patch '/admin/passwords' => 'passwords#update', :as => :update_password
+    delete '/admin/logout' => 'user_sessions#destroy',
+      :as => :logout
+
+    get '/admin/passwords' => 'passwords#new',
+      :as => :new_password
+    get '/admin/passwords/:id/edit/:reset_password_token' => 'passwords#edit',
+      :as => :edit_password
+    post '/admin/passwords' => 'passwords#create',
+      :as => :reset_password
+    patch '/admin/passwords' => 'passwords#update',
+      :as => :update_password
   end
 
   namespace :admin do

lib/alchemy/devise/version.rb

@@ -1,5 +1,5 @@
 module Alchemy
   module Devise
-    VERSION = "2.1.0.beta2"
+    VERSION = "2.1.0.beta3"
   end
 end

lib/generators/alchemy/devise/install/install_generator.rb

@@ -0,0 +1,22 @@
+module Alchemy
+  module Devise
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        desc "Installs Alchemy Devise based authentication into your app."
+        source_root File.expand_path('templates', File.dirname(__FILE__))
+
+        def copy_devise_config
+          template 'devise.rb.tt', 'config/initializers/devise.rb'
+        end
+
+        def add_migrations
+          run 'bundle exec rake alchemy_devise:install:migrations'
+        end
+
+        def run_migrations
+          run 'bundle exec rake db:migrate'
+        end
+      end
+    end
+  end
+end