diff --git a/Gemfile b/Gemfile index 934fb02a..3c239070 100644 --- a/Gemfile +++ b/Gemfile @@ -16,6 +16,9 @@ group :test do platforms :mri_18 do gem "ruby-debug", ">= 0.10.3" end + platforms :mri_19 do + gem 'debugger' + end end platforms :jruby do diff --git a/Gemfile.lock b/Gemfile.lock index fdadc96a..de48c8c0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -44,6 +44,13 @@ GEM bson_ext (1.3.1) builder (3.0.0) columnize (0.3.5) + debugger (1.1.4) + columnize (>= 0.3.1) + debugger-linecache (~> 1.1.1) + debugger-ruby_core_source (~> 1.1.3) + debugger-linecache (1.1.2) + debugger-ruby_core_source (>= 1.1.1) + debugger-ruby_core_source (1.1.3) erubis (2.7.0) faraday (0.7.5) addressable (~> 2.2.6) @@ -149,6 +156,7 @@ DEPENDENCIES activerecord-jdbc-adapter activerecord-jdbcsqlite3-adapter bson_ext (~> 1.3.0) + debugger devise! jruby-openssl mocha diff --git a/config/locales/en.yml b/config/locales/en.yml index 7783a744..a533f90c 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -10,6 +10,7 @@ en: not_saved: one: "1 error prohibited this %{resource} from being saved:" other: "%{count} errors prohibited this %{resource} from being saved:" + confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one" devise: failure: diff --git a/lib/devise.rb b/lib/devise.rb index 713c5c7e..71ec385c 100644 --- a/lib/devise.rb +++ b/lib/devise.rb @@ -104,6 +104,10 @@ module Devise mattr_accessor :allow_unconfirmed_access_for @@allow_unconfirmed_access_for = 0.days + # Time interval the confirmation token is valid. nil = unlimited + mattr_accessor :confirm_within + @@confirm_within = nil + # Defines which key will be used when confirming an account. mattr_accessor :confirmation_keys @@confirmation_keys = [ :email ] @@ -199,7 +203,7 @@ module Devise # to provide custom routes. mattr_accessor :router_name @@router_name = nil - + # Set the omniauth path prefix so it can be overriden when # Devise is used in a mountable engine mattr_accessor :omniauth_path_prefix diff --git a/lib/devise/models/confirmable.rb b/lib/devise/models/confirmable.rb index afcda349..cf01f8ff 100644 --- a/lib/devise/models/confirmable.rb +++ b/lib/devise/models/confirmable.rb @@ -19,6 +19,8 @@ module Devise # db field to be setup (t.reconfirmable in migrations). Until confirmed new email is # stored in unconfirmed email column, and copied to email column on successful # confirmation. + # * +confirm_within+: the time before a sent confirmation token becomes invalid. + # You can use this to force the user to confirm within a set period of time. # # == Examples # @@ -28,6 +30,7 @@ module Devise # module Confirmable extend ActiveSupport::Concern + include ActionView::Helpers::DateHelper included do before_create :generate_confirmation_token, :if => :confirmation_required? @@ -118,7 +121,6 @@ module Devise end headers end - protected # A callback method used to deliver confirmation @@ -156,12 +158,40 @@ module Devise confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago end + + # Checks if the user confirmation happens before the token becomes invalid + # Examples: + # + # # confirm_within = 3.days and confirmation_sent_at = 2.days.ago + # confirmation_period_expired? # returns false + # + # # confirm_within = 3.days and confirmation_sent_at = 4.days.ago + # confirmation_period_expired? # returns true + # + # # confirm_within = nil + # confirmation_period_expired? # will always return false + # + def confirmation_period_expired? + if @confirmation_period_expired.nil? + @confirmation_period_expired = self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within ) + @confirmation_period_expired + else + @confirmation_period_expired + end + end + # Checks whether the record requires any confirmation. def pending_any_confirmation - if !confirmed? || pending_reconfirmation? + @confirmation_period_expired = confirmation_period_expired? + + if (!confirmed? || pending_reconfirmation?) && !@confirmation_period_expired yield else - self.errors.add(:email, :already_confirmed) + if @confirmation_period_expired + self.errors.add(:email, :confirmation_period_expired, :period => time_ago_in_words(self.class.confirm_within.ago)) + else + self.errors.add(:email, :already_confirmed) + end false end end @@ -235,7 +265,7 @@ module Devise find_or_initialize_with_errors(unconfirmed_required_attributes, unconfirmed_attributes, :not_found) end - Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable) + Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable, :confirm_within) end end end diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb index b4980e35..42284364 100644 --- a/lib/generators/templates/devise.rb +++ b/lib/generators/templates/devise.rb @@ -92,6 +92,14 @@ Devise.setup do |config| # the user cannot access the website without confirming his account. # config.allow_unconfirmed_access_for = 2.days + # A period that the user is allowed to confirm their account before their token + # becomes invalid. For example, if set to 3.days, the user can confirm their account + # within 3 days after the mail was sent, but on the fourth day their account can't be + # confirmed with the token any more. + # Default is nil, meaning there is no restriction on how long a user can take before + # confirming their account. + # config.confirm_within = 3.days + # If true, requires any email changes to be confirmed (exactly the same way as # initial account confirmation) to be applied. Requires additional unconfirmed_email # db field (see migrations). Until confirmed new email is stored in @@ -125,7 +133,7 @@ Devise.setup do |config| # The time you want to timeout the user session without activity. After this # time the user will be asked for credentials again. Default is 30 minutes. # config.timeout_in = 30.minutes - + # If true, expires auth token on session timeout. # config.expire_auth_token_on_timeout = false diff --git a/test/integration/confirmable_test.rb b/test/integration/confirmable_test.rb index 1bbd4db0..9acd99ea 100644 --- a/test/integration/confirmable_test.rb +++ b/test/integration/confirmable_test.rb @@ -16,7 +16,7 @@ class ConfirmationTest < ActionController::IntegrationTest fill_in 'email', :with => user.email click_button 'Resend confirmation instructions' end - + test 'user should be able to request a new confirmation' do resend_confirmation @@ -50,6 +50,30 @@ class ConfirmationTest < ActionController::IntegrationTest assert user.reload.confirmed? end + test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do + swap Devise, :confirm_within => 3.days do + user = create_user(:confirm => false, :confirmation_sent_at => 4.days.ago) + assert_not user.confirmed? + visit_user_confirmation_with_token(user.confirmation_token) + + assert_have_selector '#error_explanation' + assert_contain /needs to be confirmed within 3 days/ + assert_not user.reload.confirmed? + end + end + + test 'user with valid confirmation token should be able to confirm an account before the token has expired' do + swap Devise, :confirm_within => 3.days do + user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago) + assert_not user.confirmed? + visit_user_confirmation_with_token(user.confirmation_token) + + assert_contain 'Your account was successfully confirmed.' + assert_current_url '/' + assert user.reload.confirmed? + end + end + test 'user should be redirected to a custom path after confirmation' do Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1") @@ -239,7 +263,7 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest assert admin.reload.confirmed? assert_not admin.reload.pending_reconfirmation? end - + test 'admin with previously valid confirmation token should not be able to confirm email after email changed again' do admin = create_admin admin.update_attributes(:email => 'first_test@example.com') @@ -247,11 +271,11 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest confirmation_token = admin.confirmation_token admin.update_attributes(:email => 'second_test@example.com') assert_equal 'second_test@example.com', admin.unconfirmed_email - + visit_admin_confirmation_with_token(confirmation_token) assert_have_selector '#error_explanation' assert_contain /Confirmation token(.*)invalid/ - + visit_admin_confirmation_with_token(admin.confirmation_token) assert_contain 'Your account was successfully confirmed.' assert_current_url '/admin_area/home' diff --git a/test/models/confirmable_test.rb b/test/models/confirmable_test.rb index ae6ded5f..e4d260b4 100644 --- a/test/models/confirmable_test.rb +++ b/test/models/confirmable_test.rb @@ -235,6 +235,30 @@ class ConfirmableTest < ActiveSupport::TestCase assert_equal "can't be blank", confirm_user.errors[:username].join end end + + def confirm_user_by_token_with_confirmation_sent_at(confirmation_sent_at) + user = create_user + user.update_attribute(:confirmation_sent_at, confirmation_sent_at) + confirmed_user = User.confirm_by_token(user.confirmation_token) + assert_equal confirmed_user, user + user.reload.confirmed? + end + + test 'should accept confirmation email token even after 5 years when no expiration is set' do + assert confirm_user_by_token_with_confirmation_sent_at(5.years.ago) + end + + test 'should accept confirmation email token after 2 days when expiration is set to 3 days' do + swap Devise, :confirm_within => 3.days do + assert confirm_user_by_token_with_confirmation_sent_at(2.days.ago) + end + end + + test 'should not accept confirmation email token after 4 days when expiration is set to 3 days' do + swap Devise, :confirm_within => 3.days do + assert_not confirm_user_by_token_with_confirmation_sent_at(4.days.ago) + end + end end class ReconfirmableTest < ActiveSupport::TestCase diff --git a/test/rails_app/lib/shared_user.rb b/test/rails_app/lib/shared_user.rb index 6f5ba230..29c26231 100644 --- a/test/rails_app/lib/shared_user.rb +++ b/test/rails_app/lib/shared_user.rb @@ -7,7 +7,7 @@ module SharedUser :trackable, :validatable, :omniauthable attr_accessor :other_key - attr_accessible :username, :email, :password, :password_confirmation, :remember_me + attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :confirmation_sent_at # They need to be included after Devise is called. extend ExtendMethods diff --git a/test/support/integration.rb b/test/support/integration.rb index 9c6f7d25..9a451c53 100644 --- a/test/support/integration.rb +++ b/test/support/integration.rb @@ -14,6 +14,7 @@ class ActionDispatch::IntegrationTest :password_confirmation => options[:password] || '12345678', :created_at => Time.now.utc ) + user.update_attribute(:confirmation_sent_at, options[:confirmation_sent_at]) if options[:confirmation_sent_at] user.confirm! unless options[:confirm] == false user.lock_access! if options[:locked] == true user