Make remember_device account specific

lib/devise-authy/controllers/helpers.rb

@@ -9,21 +9,30 @@ module Helpers
 
       private
       def remember_device
+        id = @resource.id
         cookies.signed[:remember_device] = {
-          :value => Time.now.to_i,
+          :value => {expires: Time.now.to_i, id: id}.to_json
           :secure => !(Rails.env.test? || Rails.env.development?),
           :expires => resource_class.authy_remember_device.from_now
         }
       end
 
       def require_token?
-        if cookies.signed[:remember_device].present? &&
-          (Time.now.to_i - cookies.signed[:remember_device].to_i) < \
-          resource_class.authy_remember_device.to_i
-          return false
+        id = warden.session(resource_name)[:id]
+        cookie = cookies.signed[:remember_device]
+
+        return true if cookie.blank?
+
+        # backwords compatibility for old cookies which just have expiration
+        # time and no id
+        if cookie.to_s =~ %r{\A\d+\Z}
+          return (Time.now.to_i - cookie.to_i) > \
+                 resource_class.authy_remember_device.to_i
         end
 
-        return true
+        cookie = JSON.parse(cookie)
+        return cookie.blank? || (Time.now.to_i - cookie['expires'].to_i) > \
+               resource_class.authy_remember_device.to_i
       end
 
       def is_devise_sessions_controller?
@@ -51,6 +60,7 @@ def check_request_and_redirect_to_verify_token
           return_to = session["#{resource_name}_return_to"]
           warden.logout
           warden.reset_session! # make sure the session resetted
+          warden.clear_strategies_cache! # stop devise from signing in the user again
 
           session["#{resource_name}_id"] = id
           # this is safe to put in the session because the cookie is signed