From ca293d17ba9c3870cdadb96fe08a3f396c1598fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Tue, 15 Feb 2011 10:58:38 +0100
Subject: [PATCH] Implement Rails' handle unverified request.

---
 lib/devise/controllers/helpers.rb | 7 +++++++
 test/integration/rememberable_test.rb | 10 ++++++++++
 2 files changed, 17 insertions(+)

diff --git a/lib/devise/controllers/helpers.rb b/lib/devise/controllers/helpers.rb
index d401179d..4c22e988 100644
--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -136,6 +136,7 @@ module Devise
       # Sign out all active users or scopes. This helper is useful for signing out all roles
       # in one click. This signs out ALL scopes in warden.
       def sign_out_all_scopes
+        Devise.mappings.keys.each { |s| warden.user(s) }
         warden.raw_session.inspect
         warden.logout
       end
@@ -222,6 +223,12 @@ module Devise
       def expire_session_data_after_sign_in!
         session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
+
+      # Overwrite Rails' handle unverified request to sign out all scopes.
+      def handle_unverified_request
+        sign_out_all_scopes
+        super # call the default behaviour which resets the session
+      end
     end
   end
 end
diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
index 24fadf47..199bab97 100644
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
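Review bot: The added `Devise.mappings.keys.each { |s| warden.user(s) }` in sign_out_all_scopes carries no comment, and read next to the existing `warden.raw_session.inspect` it looks like a second side-effect-only incantation whose return value is thrown away. Presumably it forces warden to load the user for every configured scope so that the following `warden.logout` sees them all and runs its per-scope logout hooks (where the remember cookie is forgotten, I believe) instead of merely resetting the session; if that is the reason, say so: `# Load every mapped scope so warden.logout runs its logout hooks for each one, not only for users already loaded during this request`. If it is not, the comment is still needed, because nothing in the hunk explains the line. The enclosing module starts outside the hunk.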
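Review bot: `handle_unverified_request` is added in the public part of the helpers module (nothing in the hunk places it under `protected`), whereas Rails declares its own version as a protected hook, so the override becomes a public instance method on every controller that includes these helpers. I would expect it to be excluded from `action_methods` in practice because it lands on the base controller, but that is inferred rather than visible here; declaring `protected :handle_unverified_request` or moving the definition into the module's protected section removes the doubt. The `super` call also assumes the including controller already defines this hook, which only the Rails releases that shipped the CSRF fix do, so the comment should name that minimum. The `Devise::Controllers::Helpers` module boundary lies outside the hunk.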
@@ -72,6 +72,16 @@ class RememberMeTest < ActionController::IntegrationTest
     assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
+  test 'cookies are destroyed on unverified requests' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      user = create_user_and_remember
+      get users_path
+      assert warden.authenticated?(:user)
+      post root_path, :authenticity_token => 'INVALID'
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user
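Review bot: The test named 'cookies are destroyed on unverified requests' never asserts anything about the cookie: `assert_not warden.authenticated?(:user)` straight after the forged `post` is satisfied by the session reset alone, so it would still pass if the remember cookie survived and re-authenticated the user on the next request, which is the case the `Devise.mappings.keys.each` change in helpers.rb exists to prevent. Follow the forged post with a fresh request and check the user stays signed out, `get users_path` then `assert_not warden.authenticated?(:user)`, and/or assert that `remember_user_token` was cleared the way the preceding test inspects `response.headers["Set-Cookie"]`. As a minor point, `user` is assigned but never read inside the block, so `create_user_and_remember` on its own would do.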