Add warning about default config change

This change add warnings for these configurations:

* strip_whitespace_keys - It is already explicit on config template, now
it will be the same of the template.
* email_regexp - In the new version this regexp will be more
permissive.
* reconfirmable - It is already explicit on config template, now
it will be the same of the template.
* skip_session_storage - It is already explicit on config template, now
it will be the same of the template.
* sign_out_via - It is already explicit on config template, now
it will be the same of the template.

These ones is important to change, since the configuration says current
explicit value are the default. It can lead to misunderstanging if users
remove the explicit configuration.

It also updates the template explicit values:

* Warns the `config.mailer_sender` is nil by default
* Update `config.password_length` to use the current default
* Make the e-mail configuration explicit

lib/devise.rb

@@ -53,6 +53,12 @@ module Devise
   # True values used to check params
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 
+  # Track the configs that user explicit changed the default value. It is
+  # helpfull to not warn users about default values changing when they willing
+  # changed.
+  mattr_accessor :app_set_configs
+  @@app_set_configs = Set.new
+
   # Secret key used by the key generator
   mattr_accessor :secret_key
   @@secret_key = nil
@@ -82,9 +88,20 @@ module Devise
   @@case_insensitive_keys = [:email]
 
   # Keys that should have whitespace stripped.
-  mattr_accessor :strip_whitespace_keys
+  # TODO: 4.1 Do: @@strip_whitespace_keys = [:email]
+  mattr_reader :strip_whitespace_keys
   @@strip_whitespace_keys = []
 
+  def self.strip_whitespace_keys=(strip_whitespace_keys)
+    app_set_configs << :strip_whitespace_keys
+    @@strip_whitespace_keys = strip_whitespace_keys
+  end
+
+  def strip_whitespace_keys=(strip_whitespace_keys)
+    app_set_configs << :strip_whitespace_keys
+    @@strip_whitespace_keys = strip_whitespace_keys
+  end
+
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
   @@http_authenticatable = false
@@ -104,9 +121,20 @@ module Devise
   # Email regex used to validate email formats. It simply asserts that
   # an one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  mattr_accessor :email_regexp
+  # TODO: 4.1 Do: @@email_regexp = [/\A[^@\s]+@[^@\s]+\z/]
+  mattr_reader :email_regexp
   @@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
 
+  def self.email_regexp=(email_regexp)
+    app_set_configs << :email_regexp
+    @@email_regexp = email_regexp
+  end
+
+  def email_regexp=(email_regexp)
+    app_set_configs << :email_regexp
+    @@email_regexp = email_regexp
+  end
+
   # Range validation for password length
   mattr_accessor :password_length
   @@password_length = 6..128
@@ -139,9 +167,20 @@ module Devise
 
   # Defines if email should be reconfirmable.
   # False by default for backwards compatibility.
-  mattr_accessor :reconfirmable
+  # TODO: 4.1 Do: @@reconfirmable = true
+  mattr_reader :reconfirmable
   @@reconfirmable = false
 
+  def self.reconfirmable=(reconfirmable)
+    app_set_configs << :reconfirmable
+    @@reconfirmable = reconfirmable
+  end
+
+  def reconfirmable=(reconfirmable)
+    app_set_configs << :reconfirmable
+    @@reconfirmable = reconfirmable
+  end
+
   # Time interval to timeout the user session without activity.
   mattr_accessor :timeout_in
   @@timeout_in = 30.minutes
@@ -202,9 +241,20 @@ module Devise
   @@mailer_sender = nil
 
   # Skip session storage for the following strategies
-  mattr_accessor :skip_session_storage
+  # TODO: 4.1 Do: @@skip_session_storage = [:http_auth]
+  mattr_reader :skip_session_storage
   @@skip_session_storage = []
 
+  def self.skip_session_storage=(skip_session_storage)
+    app_set_configs << :skip_session_storage
+    @@skip_session_storage = skip_session_storage
+  end
+
+  def skip_session_storage=(skip_session_storage)
+    app_set_configs << :skip_session_storage
+    @@skip_session_storage = skip_session_storage
+  end
+
   # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
   @@navigational_formats = ["*/*", :html]
@@ -214,9 +264,20 @@ module Devise
   @@sign_out_all_scopes = true
 
   # The default method used while signing out
-  mattr_accessor :sign_out_via
+  # TODO: 4.1 Do: @@sign_out_via = :delete
+  mattr_reader :sign_out_via
   @@sign_out_via = :get
 
+  def self.sign_out_via=(sign_out_via)
+    app_set_configs << :sign_out_via
+    @@sign_out_via = sign_out_via
+  end
+
+  def sign_out_via=(sign_out_via)
+    app_set_configs << :sign_out_via
+    @@sign_out_via = sign_out_via
+  end
+
   # The parent controller all Devise controllers inherits from.
   # Defaults to ApplicationController. This should be set early
   # in the initialization process and should be set to a string.
@@ -280,6 +341,32 @@ module Devise
   # a fresh initializer with all configuration values.
   def self.setup
     yield self
+
+    warn_default_config_changed(:email_regexp, '/\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/', '/\A[^@\s]+@[^@\s]+\z/')
+    warn_default_config_changed(:reconfirmable, 'false', 'true')
+    warn_default_config_changed(:sign_out_via, ':get', ':delete')
+    warn_default_config_changed(:skip_session_storage, '[]', '[:http_auth]')
+    warn_default_config_changed(:strip_whitespace_keys, '[]', '[:email]')
+  end
+
+  def self.warn_default_config_changed(config, current_default, new_default)
+    unless app_set_configs.include?(config)
+      warn = <<-MESSAGE.strip_heredoc
+        [Devise] config.#{config} will have a new default on Devise 4.1
+        To keep the current behavior please set in your config/initializers/devise.rb the following:
+
+          Devise.setup do |config|
+            config.#{config} = #{current_default}
+          end
+
+        If you want to use the new default:
+
+          Devise.setup do |config|
+            config.#{config} = #{new_default}
+          end
+      MESSAGE
+      ActiveSupport::Deprecation.warn(warn)
+    end
   end
 
   class Getter

lib/generators/templates/devise.rb

@@ -148,12 +148,12 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 8..72
+  config.password_length = 6..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@]+@[^@]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

test/devise_test.rb

@@ -35,6 +35,33 @@ class DeviseTest < ActiveSupport::TestCase
     end
   end
 
+  test 'setup block warns about defaults changing' do
+    Devise.app_set_configs = Set.new
+
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /email_regexp/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /reconfirmable/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /sign_out_via/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /skip_session_storage/ }
+    ActiveSupport::Deprecation.expects(:warn).with() { |value| value =~ /strip_whitespace_keys/ }
+
+    Devise.setup do
+    end
+  end
+
+  test 'setup block doest not warns when the change is explicit set' do
+    ActiveSupport::Deprecation.expects(:warn).never
+
+    swap Devise,
+        email_regexp: /@/,
+        reconfirmable: false,
+        sign_out_via: :get,
+        skip_session_storage: [],
+        strip_whitespace_keys: [] do
+        Devise.setup do
+        end
+    end
+  end
+
   test 'stores warden configuration' do
     assert_kind_of Devise::Delegator, Devise.warden_config.failure_app
     assert_equal :user, Devise.warden_config.default_scope