Remove deprecated token lookups

Author: José Valim

CHANGELOG.md

@@ -1,3 +1,8 @@
+== 3.2.0-dev
+
+* enchancements
+  * Previously deprecated token authenticatable and insecure lookups have been removed
+
 == 3.1.0
 
 Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

app/controllers/devise/confirmations_controller.rb

@@ -20,12 +20,7 @@ def show
     self.resource = resource_class.confirm_by_token(params[:confirmation_token])
 
     if resource.errors.empty?
-      if Devise.allow_insecure_sign_in_after_confirmation
-        set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
-        sign_in(resource_name, resource)
-      else
-        set_flash_message(:notice, :confirmed) if is_navigational_format?
-      end
+      set_flash_message(:notice, :confirmed) if is_navigational_format?
       respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
@@ -41,10 +36,6 @@ def after_resending_confirmation_instructions_path_for(resource_name)
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      if Devise.allow_insecure_sign_in_after_confirmation
-        after_sign_in_path_for(resource)
-      else
-        new_session_path(resource_name)
-      end
+      new_session_path(resource_name)
     end
 end

config/locales/en.yml

@@ -4,7 +4,6 @@ en:
   devise:
     confirmations:
       confirmed: "Your account was successfully confirmed. Please sign in."
-      confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
       send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
     failure:

lib/devise.rb

@@ -50,15 +50,21 @@ module Strategies
   mattr_accessor :secret_key
   @@secret_key = nil
 
-  # Allow insecure token lookup. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_token_lookup
-  @@allow_insecure_tokens_lookup = false
+  [ :allow_insecure_token_lookup,
+    :allow_insecure_sign_in_after_confirmation,
+    :token_authentication_key ].each do |method|
+    class_eval <<-RUBY
+    def self.#{method}
+      ActiveSupport::Deprecation.warn "Devise.#{method} is deprecated " \
+        "and has no effect"
+    end
 
-  # Allow insecure sign in after confirmation. Must be used
-  # temporarily just for migration.
-  mattr_accessor :allow_insecure_sign_in_after_confirmation
-  @@allow_insecure_sign_in_after_confirmation = false
+    def self.#{method}=(val)
+      ActiveSupport::Deprecation.warn "Devise.#{method}= is deprecated " \
+        "and has no effect"
+    end
+    RUBY
+  end
 
   # Custom domain or key for cookies. Not set by default
   mattr_accessor :rememberable_options
@@ -195,10 +201,6 @@ module Strategies
   mattr_accessor :mailer_sender
   @@mailer_sender = nil
 
-  # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
-  mattr_accessor :token_authentication_key
-  @@token_authentication_key = :auth_token
-
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
   @@skip_session_storage = []

lib/devise/models/confirmable.rb

@@ -275,10 +275,6 @@ def confirm_by_token(confirmation_token)
           confirmation_token = Devise.token_generator.digest(self, :confirmation_token, confirmation_token)
 
           confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
-          if !confirmable.persisted? && Devise.allow_insecure_token_lookup
-            confirmable = find_or_initialize_with_error_by(:confirmation_token, original_token)
-          end
-
           confirmable.confirm! if confirmable.persisted?
           confirmable.confirmation_token = original_token
           confirmable

lib/devise/models/lockable.rb

@@ -165,10 +165,6 @@ def unlock_access_by_token(unlock_token)
           unlock_token   = Devise.token_generator.digest(self, :unlock_token, unlock_token)
 
           lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
-          if !lockable.persisted? && Devise.allow_insecure_token_lookup
-            lockable = find_or_initialize_with_error_by(:unlock_token, original_token)
-          end
-
           lockable.unlock_access! if lockable.persisted?
           lockable.unlock_token = original_token
           lockable

lib/devise/models/recoverable.rb

@@ -116,9 +116,6 @@ def reset_password_by_token(attributes={})
           reset_password_token = Devise.token_generator.digest(self, :reset_password_token, original_token)
 
           recoverable = find_or_initialize_with_error_by(:reset_password_token, reset_password_token)
-          if !recoverable.persisted? && Devise.allow_insecure_token_lookup
-            recoverable = find_or_initialize_with_error_by(:reset_password_token, original_token)
-          end
 
           if recoverable.persisted?
             if recoverable.reset_password_period_valid?

test/integration/confirmable_test.rb

@@ -62,27 +62,6 @@ def resend_confirmation
     end
   end
 
-  test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
-    swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
-      user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
-      assert_not user.confirmed?
-      visit_user_confirmation_with_token(user.raw_confirmation_token)
-
-      assert_contain 'Your account was successfully confirmed. You are now signed in.'
-      assert_current_url root_url
-      assert user.reload.confirmed?
-    end
-  end
-
-  test 'user should be redirected to a custom path after confirmation' do
-    Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
-
-    user = create_user(:confirm => false)
-    visit_user_confirmation_with_token(user.raw_confirmation_token)
-
-    assert_current_url "/?custom=1"
-  end
-
   test 'already confirmed user should not be able to confirm the account again' do
     user = create_user(:confirm => false)
     user.confirmed_at = Time.now

test/models/confirmable_test.rb

@@ -51,15 +51,6 @@ def setup
     assert_equal "was already confirmed, please try signing in", user.errors[:email].join
   end
 
-  test 'DEPRECATED: should find and confirm a user automatically' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      confirmed_user = User.confirm_by_token(user.confirmation_token)
-      assert_equal confirmed_user, user
-      assert user.reload.confirmed?
-    end
-  end
-
   test 'should find and confirm a user automatically based on the raw token' do
     user = create_user
     raw  = user.raw_confirmation_token

test/models/lockable_test.rb

@@ -139,16 +139,6 @@ def setup
     end
   end
 
-  test 'DEPRECATED: should find and unlock a user automatically' do
-    swap Devise, allow_insecure_token_lookup: true do
-      user = create_user
-      user.lock_access!
-      locked_user = User.unlock_access_by_token(user.unlock_token)
-      assert_equal locked_user, user
-      assert_not user.reload.access_locked?
-    end
-  end
-
   test 'should find and unlock a user automatically based on raw token' do
     user = create_user
     raw  = user.send_unlock_instructions