Refactoring timeoutable module and confirmable tests.

generators/devise_install/templates/devise.rb

@@ -34,7 +34,8 @@ Devise.setup do |config|
   # The time the user will be remembered without asking for credentials again.
   # config.remember_for = 2.weeks
 
-  # The time interval to timeout the user session without activity.
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again.
   # config.timeout = 10.minutes
 
   # Configure the e-mail address which will be shown in DeviseMailer.

lib/devise/hooks/timeoutable.rb

@@ -7,7 +7,7 @@ Warden::Manager.after_set_user do |record, warden, options|
     # is logged out by any of them.
     if warden.authenticated?(scope)
       last_request_at = warden.session(scope)['last_request_at']
-      if last_request_at && last_request_at <= 10.minutes.ago.utc
+      if record.timeout?(last_request_at)
         warden.logout(scope)
         throw :warden, :scope => scope, :message => :timeout
       end

lib/devise/models/timeoutable.rb

@@ -7,9 +7,12 @@ module Devise
     module Timeoutable
 
       def self.included(base)
-        base.class_eval do
-          extend ClassMethods
+        base.extend ClassMethods
       end
+
+      # Checks whether the user session has expired based on configured time.
+      def timeout?(last_access)
+        last_access && last_access <= timeout.ago.utc
       end
 
       module ClassMethods

test/integration/confirmable_test.rb

@@ -59,20 +59,22 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'not confirmed user with setup to block without confirmation should not be able to sign in' do
-    Devise.confirm_within = 0
+    swap Devise, :confirm_within => 0.days do
       sign_in_as_user(:confirm => false)
 
       assert_contain 'You have to confirm your account before continuing'
       assert_not warden.authenticated?(:user)
     end
+  end
 
   test 'not confirmed user but configured with some days to confirm should be able to sign in' do
-    Devise.confirm_within = 1
+    swap Devise, :confirm_within => 1.day do
       sign_in_as_user(:confirm => false)
 
       assert_response :success
       assert warden.authenticated?(:user)
     end
+  end
 
   test 'error message is configurable by resource name' do
     begin

test/integration/timeoutable_test.rb

@@ -41,4 +41,20 @@ class SessionTimeoutTest < ActionController::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
+  test 'user configured timeout limit' do
+    swap Devise, :timeout => 8.minutes do
+      user = sign_in_as_user
+
+      # Setup last_request_at to timeout
+      get edit_user_path(user)
+      assert_not_nil last_request_at
+      assert_response :success
+      assert warden.authenticated?(:user)
+
+      get users_path
+      assert_redirected_to new_user_session_path(:timeout => true)
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
 end

test/models/timeoutable_test.rb

@@ -2,4 +2,26 @@ require 'test/test_helper'
 
 class TimeoutableTest < ActiveSupport::TestCase
 
+  test 'should be expired' do
+    assert new_user.timeout?(11.minutes.ago)
+  end
+
+  test 'should not be expired' do
+    assert_not new_user.timeout?(9.minutes.ago)
+  end
+
+  test 'should not be expired when params is nil' do
+    assert_not new_user.timeout?(nil)
+  end
+
+  test 'fallback to Devise config option' do
+    swap Devise, :timeout => 1.minute do
+      user = new_user
+      assert user.timeout?(2.minutes.ago)
+      assert_not user.timeout?(30.seconds.ago)
+      Devise.timeout = 5.minutes
+      assert_not user.timeout?(2.minutes.ago)
+      assert user.timeout?(6.minutes.ago)
+    end
+  end
 end