diff --git a/.env.example b/.env.example index 19c9e0d2..08b086de 100644 --- a/.env.example +++ b/.env.example @@ -10,3 +10,4 @@ MAILGUN_PASSWORD=smtp_pass MAILGUN_USERNAME=postmaster@myawesomeapp.mailgun.org MAILGUN_API_KEY=key-mailgunapikey SECRET_TOKEN=secrettoken +DEVISE_SECRET_KEY=secrettoken diff --git a/Gemfile b/Gemfile index 00e4f802..aa651c81 100644 --- a/Gemfile +++ b/Gemfile @@ -8,7 +8,7 @@ gem 'unicorn' gem 'foreman' gem 'crowdtilt', github: 'Crowdtilt/crowdtilt-gem' -gem 'devise', '~> 3.0.0' +gem 'devise', '~> 3.1.0' gem 'nokogiri' gem 'friendly_id', '~> 4.0.9' gem 'iso_country_codes' diff --git a/Gemfile.lock b/Gemfile.lock index 8d0ad428..e33831b0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -45,6 +45,7 @@ GEM asset_sync (0.5.4) activemodel fog + atomic (1.1.14) aws-sdk (1.11.0) json (~> 1.4) nokogiri (>= 1.4.4) @@ -73,10 +74,11 @@ GEM coffee-script-source execjs coffee-script-source (1.6.2) - devise (3.0.4) + devise (3.1.2) bcrypt-ruby (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) + thread_safe (~> 0.1) warden (~> 1.2.3) diff-lcs (1.2.4) dotenv (0.7.0) @@ -216,6 +218,8 @@ GEM rack (~> 1.0) tilt (~> 1.1, != 1.3.0) thor (0.18.1) + thread_safe (0.1.3) + atomic tilt (1.4.1) treetop (1.4.14) polyglot @@ -246,7 +250,7 @@ DEPENDENCIES ckeditor coffee-rails (~> 3.2.1) crowdtilt! - devise (~> 3.0.0) + devise (~> 3.1.0) email_spec factory_girl_rails faker diff --git a/README.md b/README.md index eef8da00..366fb747 100644 --- a/README.md +++ b/README.md 
@@ -98,15 +98,15 @@ $ cp .env.example .env ``` -Then open up the .env file and fill in the variables with your app_name and credentials. Leave ```ENABLE_ASSET_SYNC``` set to 'true' if you plan to use AWS to host your assets (recommended). The bucket for asset syncing should be in the US Standard (us-east-1) zone. +Then open up the .env file and fill in the variables with your app_name and credentials. Leave `ENABLE_ASSET_SYNC` set to 'true' if you plan to use AWS to host your assets (recommended). The bucket for asset syncing should be in the US Standard (us-east-1) zone. -The ```SECRET_TOKEN``` variable should be at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. You can generate a new one by running this command from the root of your project directory: +The `SECRET_TOKEN` and `DEVISE_SECRET_KEY` variables should be at least 30 characters and all random, no regular words or you'll be exposed to dictionary attacks. Do NOT reuse the same secret token - you'll need to generate it twice. You can generate a new one by running this command from the root of your project directory: ``` -$ rake secret +$ foreman run rake secret ``` -Important: Your ```APP_NAME``` must not have a space in it. Underscores and hypens are accepted. +Important: Your `APP_NAME` must not have a space in it. Underscores and hypens are accepted. ``` APP_NAME=myawesomeapp @@ -120,6 +120,7 @@ MAILGUN_DOMAIN=myawesomeapp.mailgun.org MAILGUN_PASSWORD=mailgunpassword MAILGUN_USERNAME=postmaster@myawesomeapp.mailgun.org SECRET_TOKEN=secrettoken +DEVISE_SECRET_KEY=secrettoken ``` Install the gems diff --git a/app/assets/stylesheets/devise.css.scss b/app/assets/stylesheets/devise.css.scss index 937028fa..dd375bbb 100644 --- a/app/assets/stylesheets/devise.css.scss +++ b/app/assets/stylesheets/devise.css.scss @@ -1,4 +1,4 @@ -#signin { +#devise-mini { padding: 50px 0; .well { 
@@ -24,25 +24,6 @@ } } -#signup { - padding: 50px 0; - - .well { - width: 400px; - margin: 0 auto; - padding: 35px; - - form { - margin-bottom: 0px; - - button { - display: inline-block; - margin: 10px 0px; - } - } - } -} - #error_explanation { h2 { margin-bottom: 0px; @@ -58,4 +39,4 @@ #password { padding: 50px 0; -} \ No newline at end of file +} diff --git a/app/views/devise/mailer/confirmation_instructions.html.erb b/app/views/devise/mailer/confirmation_instructions.html.erb index 5b04a725..36670f91 100644 --- a/app/views/devise/mailer/confirmation_instructions.html.erb +++ b/app/views/devise/mailer/confirmation_instructions.html.erb @@ -2,4 +2,4 @@

You can confirm your account email through the link below:

-

<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %>

+

<%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @token) %>

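Review bot: Switching the link from `@resource.confirmation_token` to `@token` is the correct companion to the `devise '~> 3.1.0'` bump elsewhere in this patch: from 3.1 the mailer receives the raw token as `@token` and the value kept on the record is a digest of it, so the old expression would put a value in the link that the controller can no longer match. It also means the database column is no longer the bearer credential itself, which is the point of the upgrade. Worth grepping for any custom mailer or template outside app/views/devise/mailer that still reads `@resource.*_token`, since those would break silently in the same way.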
diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb index 27130348..93de6d05 100644 --- a/app/views/devise/mailer/reset_password_instructions.html.erb +++ b/app/views/devise/mailer/reset_password_instructions.html.erb @@ -2,7 +2,7 @@

Someone has requested a link to change your password. You can do this through the link below.

-

<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %>

+

<%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @token) %>

If you didn't request this, please ignore this email.

Your password won't change until you access the link above and create a new one.

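Review bot: Same `@token` switch as in confirmation_instructions.html.erb; the extra thing to confirm for the reset flow is that app/views/devise/passwords/edit.html.erb keeps submitting the token it received in the URL through the hidden `reset_password_token` field (it does, further down in this patch), because with a digested stored token that raw value is the only thing the controller can verify against.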
diff --git a/app/views/devise/mailer/unlock_instructions.html.erb b/app/views/devise/mailer/unlock_instructions.html.erb index a4152e13..f59615fe 100644 --- a/app/views/devise/mailer/unlock_instructions.html.erb +++ b/app/views/devise/mailer/unlock_instructions.html.erb @@ -4,4 +4,4 @@

Click the link below to unlock your account:

-

<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %>

+

<%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @token) %>

diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb index 857ab143..005cdf67 100644 --- a/app/views/devise/passwords/edit.html.erb +++ b/app/views/devise/passwords/edit.html.erb @@ -1,18 +1,22 @@ -
-
-

Change your password

+
+
+
- <%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :put }) do |f| %> - <%= devise_error_messages! %> - <%= f.hidden_field :reset_password_token %> +

Change your password

-
<%= f.label :password, "New password" %> - <%= f.password_field :password, :autofocus => true %>
+ <%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :put }) do |f| %> + <%= devise_error_messages! %> + <%= f.hidden_field :reset_password_token %> -
<%= f.label :password_confirmation, "Confirm new password" %> - <%= f.password_field :password_confirmation %>
+
<%= f.label :password, "New password" %> + <%= f.password_field :password, :autofocus => true %>
-
<%= f.submit "Change my password", class: "btn btn-primary" %>
- <% end %> +
<%= f.label :password_confirmation, "Confirm new password" %> + <%= f.password_field :password_confirmation %>
+ +
<%= f.submit "Change my password", class: "btn btn-primary" %>
+ <% end %> + +
diff --git a/app/views/devise/passwords/new.html.erb b/app/views/devise/passwords/new.html.erb index 162b0d65..8fc840be 100644 --- a/app/views/devise/passwords/new.html.erb +++ b/app/views/devise/passwords/new.html.erb @@ -1,14 +1,20 @@ -
-
-

Forgot your password?

+
+
+
- <%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %> - <%= devise_error_messages! %> +

Forgot your password?

-
<%= f.label :email, "Please enter your email:" %> - <%= f.email_field :email, :autofocus => true %>
+

Please enter your email below.

-
<%= f.submit "Send me reset password instructions", class: "btn btn-primary" %>
- <% end %> + <%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %> + <%= devise_error_messages! %> + +
<%= f.label :email %> + <%= f.email_field :email, :autofocus => true %>
+ +
<%= f.submit "Send password reset email", class: "btn btn-primary" %>
+ <% end %> + +
-
\ No newline at end of file +
diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb index 1e79a011..2018bc9d 100644 --- a/app/views/devise/registrations/edit.html.erb +++ b/app/views/devise/registrations/edit.html.erb @@ -1,5 +1,7 @@ -
-
+
+
+
+

Account: <%= current_user.fullname %> @@ -14,19 +16,25 @@
<%= f.label :email %> <%= f.email_field :email, :autofocus => true %>
+ <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %> +
Currently waiting confirmation for: <%= resource.unconfirmed_email %>
+ <% end %> + +

Change your password:

<%= f.label :password, "Enter your new password" %> <%= f.password_field :password, :autocomplete => "off" %>
<%= f.label :password_confirmation, "Re-enter your new password" %> <%= f.password_field :password_confirmation %>
-

+ +

<%= f.label :current_password, "Current Password (we need this to confirm your changes)" %> <%= f.password_field :current_password %>
- +
<%= f.submit "Update", class: "btn btn-primary" %>
<% end %> +

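Review bot: Copy nit in the added reconfirmation block: "Currently waiting confirmation for:" reads awkwardly; "Currently awaiting confirmation for:" is the usual phrasing. Surfacing `resource.unconfirmed_email` here is fine since it is the signed-in user's own pending address and ERB escapes it; guarding on `devise_mapping.confirmable?` before calling `pending_reconfirmation?` is the right order.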
- diff --git a/app/views/devise/registrations/new.html.erb b/app/views/devise/registrations/new.html.erb index cbaf03e7..e71acc33 100644 --- a/app/views/devise/registrations/new.html.erb +++ b/app/views/devise/registrations/new.html.erb @@ -1,13 +1,12 @@ -
+
-
<% if @settings.initialized_flag %> -

New User?

+

New User?

Please create an account to continue.

<% else %> -

New Crowdhoster App

+

New Crowdhoster App

Looks like this is a new Crowdhoster App! Go ahead and create a user that will serve as your site admin:

<% end %> @@ -32,6 +31,5 @@
<%= link_to "Already have an account?", new_session_path(resource_name) %>
-
-
\ No newline at end of file +
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb index 9ccde424..9f840d35 100644 --- a/app/views/devise/sessions/new.html.erb +++ b/app/views/devise/sessions/new.html.erb @@ -1,8 +1,8 @@ -
+
-
-

Sign In

+ +

Sign In

Please sign in to continue.

<%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %> @@ -26,6 +26,5 @@ Don't have an account? <%= link_to "Sign up", new_registration_path(resource_name) %>
-
-
\ No newline at end of file +
diff --git a/app/views/devise/shared/_links.erb b/app/views/devise/shared/_links.erb index eab783a4..d84bdde9 100644 --- a/app/views/devise/shared/_links.erb +++ b/app/views/devise/shared/_links.erb @@ -6,7 +6,7 @@ <%= link_to "Sign up", new_registration_path(resource_name) %>
<% end -%> -<%- if devise_mapping.recoverable? && controller_name != 'passwords' %> +<%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %> <%= link_to "Forgot your password?", new_password_path(resource_name) %>
<% end -%> @@ -22,4 +22,4 @@ <%- resource_class.omniauth_providers.each do |provider| %> <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %>
<% end -%> -<% end -%> \ No newline at end of file +<% end -%> diff --git a/config/initializers/check_env.rb b/config/initializers/check_env.rb index dbd94f3c..ef381559 100644 --- a/config/initializers/check_env.rb +++ b/config/initializers/check_env.rb @@ -1,9 +1,9 @@ ## Check for env file errors on startup -# Only read the first 12 lines of the file into the array (in case the file has +# Only read the first 13 lines of the file into the array (in case the file has # issues), then convert the array to a hash filename = File.join(Rails.root, ".env.example") -env_array = File.open(filename) { |f| (1..12).map { |x| f.readline.strip.split('=') } } +env_array = File.open(filename) { |f| (1..13).map { |x| f.readline.strip.split('=') } } # remove asset sync b/c checking against default value doesn't make sense here env_hash = Hash[*env_array.flatten].except('ENABLE_ASSET_SYNC') diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 85d2dbe2..a18adf59 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb 
@@ -1,13 +1,19 @@ # Use this hook to configure devise mailer, warden hooks and so forth. # Many of these configuration options can be set straight in your model. Devise.setup do |config| + # The secret key used by Devise. Devise uses this key to generate + # random tokens. Changing this key will render invalid all existing + # confirmation, reset password and unlock tokens in the database. + config.secret_key = ENV['DEVISE_SECRET_KEY'] + # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, - # note that it will be overwritten if you use your own mailer class with default "from" parameter. - config.mailer_sender = "no-reply@crowdhoster.com" + # note that it will be overwritten if you use your own mailer class + # with default "from" parameter. + config.mailer_sender = 'no-reply@crowdhoster.com' # Configure the class responsible to send e-mails. - # config.mailer = "Devise::Mailer" + # config.mailer = 'Devise::Mailer' # ==> ORM configuration # Load and configure the ORM. Supports :active_record (default) and @@ -61,8 +67,8 @@ # If http headers should be returned for AJAX requests. True by default. # config.http_authenticatable_on_xhr = true - # The realm used in Http Basic Authentication. "Application" by default. - # config.http_authentication_realm = "Application" + # The realm used in Http Basic Authentication. 'Application' by default. + # config.http_authentication_realm = 'Application' # It will change confirmation, password recovery and other workflows # to behave the same regardless if the e-mail provided was right or wrong. 
@@ -92,7 +98,7 @@ config.stretches = Rails.env.test? ? 1 : 10 # Setup a pepper to generate the encrypted password. - # config.pepper = "bce28301f3fd7e1b6c3ddce3b95d432efa469df1e87d5ba56f8e2826e35bcdb58db429f355a6a7fe960503a2ca17b8ac70259c0b475db5e5dc6ef1317b407ebf" + # config.pepper = '0a405e37fcba59f73262e8812e48c8e854cf991d0a9ce1e6822e3db088202d6ccf7ce325e620df73cbe4eddd381f43afa2ed39a78c60299775c161d4bc5b5f57' # ==> Configuration for :confirmable # A period that the user is allowed to access the website even without @@ -217,7 +223,7 @@ # should add them to the navigational formats lists. # # The "*/*" below is required to match Internet Explorer requests. - # config.navigational_formats = ["*/*", :html] + # config.navigational_formats = ['*/*', :html] # The default HTTP method used to sign out a resource. Default is :delete. config.sign_out_via = :delete @@ -241,12 +247,12 @@ # is mountable, there are some extra configurations to be taken into account. # The following options are available, assuming the engine is mounted as: # - # mount MyEngine, at: "/my_engine" + # mount MyEngine, at: '/my_engine' # # The router that invoked `devise_for`, in the example above, would be: # config.router_name = :my_engine # # When using omniauth, Devise cannot automatically set Omniauth path, # so you need to do it manually. For the users scope, it would be: - # config.omniauth_path_prefix = "/my_engine/users/auth" + # config.omniauth_path_prefix = '/my_engine/users/auth' end diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml index d01f375c..d5b4520c 100644 --- a/config/locales/devise.en.yml +++ b/config/locales/devise.en.yml 
@@ -3,17 +3,18 @@ en: devise: confirmations: - confirmed: "Your account was successfully confirmed. You are now signed in." + confirmed: "Your account was successfully confirmed." + confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in." send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes." send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes." failure: already_authenticated: "You are already signed in." - inactive: "Your account was not activated yet." + inactive: "Your account is not activated yet." invalid: "Invalid email or password." invalid_token: "Invalid authentication token." locked: "Your account is locked." not_found_in_database: "Invalid email or password." - timeout: "Your session expired, please sign in again to continue." + timeout: "Your session expired. Please sign in again to continue." unauthenticated: "You need to sign in or sign up before continuing." unconfirmed: "You have to confirm your account before continuing." mailer:
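Review bot: In the .env.example hunk, `DEVISE_SECRET_KEY=secrettoken` uses the same placeholder as `SECRET_TOKEN` on the line above, while the README hunk in this patch tells users not to reuse the value. A default-value check (the approach check_env.rb describes) catches an unchanged placeholder but not a user who pastes one `rake secret` output into both variables; consider a startup assertion that `ENV['SECRET_TOKEN'] != ENV['DEVISE_SECRET_KEY']`, or at least a distinct placeholder such as `DEVISE_SECRET_KEY=devisesecretkey` so the two are visibly different.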
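Review bot: In the README hunk, "hypens" (should be "hyphens") in the `APP_NAME` sentence survives the change from triple to single backticks on that line; fix it while the line is being touched. The new sentence "Do NOT reuse the same secret token - you'll need to generate it twice" would be clearer as "Do NOT use the same value for both variables; run the command once per variable."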
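Review bot: The Gemfile bump to `devise '~> 3.1.0'` is the change the rest of this patch exists to support (the `@token` mailer templates and `config.secret_key` in devise.rb), and the comment added to devise.rb already states that the new key invalidates all existing confirmation, reset password and unlock tokens. Since 3.1 also changes how those tokens are stored, the deploy should be treated as one that breaks every reset or confirmation link already sent; the commit message or release notes should say so rather than leaving it implicit.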
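Review bot: In the check_env.rb hunk, bumping the literal from 12 to 13 means every future `.env.example` entry requires this initializer to be edited in step, and `f.readline` raises EOFError if the file is ever shorter. Read the whole file instead, e.g. `File.readlines(filename).map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map { |l| l.split('=', 2) }`; the `2` limit also stops values that contain `=` (API keys sometimes do) from producing extra elements that `Hash[*env_array.flatten]` would then pair up wrongly.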
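Review bot: In the devise.rb hunk, `config.secret_key = ENV['DEVISE_SECRET_KEY']` is silently nil when the variable is absent (for example when the app is started without foreman); `ENV.fetch('DEVISE_SECRET_KEY')` fails at boot with a clear KeyError instead, which matches what check_env.rb is trying to guarantee. The remaining hunks in this file are double-to-single quote churn in comments plus a new value on the commented-out `config.pepper` line, none of which changes behaviour; keeping that out of a security-relevant commit would make the one effective line easier to review.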