By default, just require e-mail on recover and lockable.

CHANGELOG.rdoc

@@ -43,7 +43,7 @@
 * bugfix
   * after_sign_in_path_for always receives a resource
   * Do not execute Warden::Callbacks on Devise::TestHelpers (by github.com/sgronblo)
-  * Password recovery and account unlocking takes into account authentication keys (by github.com/RStankov)
+  * Allow password recovery and account unlocking to change used keys (by github.com/RStankov)
   * FailureApp now properly handles nil request.format
   * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7
   * Ensure namespaces has proper scoped views

lib/devise/models/lockable.rb

@@ -132,7 +132,7 @@ module ClassMethods
         # with an email not found error.
         # Options must contain the user email
         def send_unlock_instructions(attributes={})
-         lockable = find_or_initialize_with_errors(authentication_keys, attributes, :not_found)
+         lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
          lockable.resend_unlock_token if lockable.persisted?
          lockable
         end
@@ -161,6 +161,10 @@ def unlock_token
           Devise.friendly_token
         end
 
+        def unlock_keys
+          [:email]
+        end
+
         Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in)
       end
     end

lib/devise/models/recoverable.rb

@@ -57,7 +57,7 @@ module ClassMethods
         # with an email not found error.
         # Attributes must contain the user email
         def send_reset_password_instructions(attributes={})
-          recoverable = find_or_initialize_with_errors(authentication_keys, attributes, :not_found)
+          recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
           recoverable.send_reset_password_instructions if recoverable.persisted?
           recoverable
         end
@@ -67,6 +67,10 @@ def reset_password_token
           generate_token(:reset_password_token)
         end
 
+        def reset_password_keys
+          [:email]
+        end
+
         # Attempt to find a user by it's reset_password_token to reset it's
         # password. If a user is found, reset it's password and automatically
         # try saving the record. If not user is found, returns a new user

test/models/lockable_test.rb

@@ -186,15 +186,6 @@ def setup
     end
   end
 
-  test 'should require all authentication_keys' do
-    swap Devise, :authentication_keys => [:username, :email] do
-      user = create_user
-      unlock_user = User.send_unlock_instructions(:email => user.email)
-      assert_not unlock_user.persisted?
-      assert_equal "can't be blank", unlock_user.errors[:username].join
-    end
-  end
-
   test 'should not be able to send instructions if the user is not locked' do
     user = create_user
     assert_not user.resend_unlock_token

test/models/recoverable_test.rb

@@ -85,23 +85,14 @@ def setup
     assert_not reset_password_user.persisted?
     assert_equal "not found", reset_password_user.errors[:email].join
   end
-  
+
   test 'should find a user to send instructions by authentication_keys' do
     swap Devise, :authentication_keys => [:username, :email] do
       user = create_user
       reset_password_user = User.send_reset_password_instructions(:email => user.email, :username => user.username)
       assert_equal reset_password_user, user
     end
   end
-
-  test 'should require all authentication_keys' do
-    swap Devise, :authentication_keys => [:username, :email] do
-      user = create_user
-      reset_password_user = User.send_reset_password_instructions(:email => user.email)
-      assert_not reset_password_user.persisted?
-      assert_equal "can't be blank", reset_password_user.errors[:username].join
-    end
-  end
 
   test 'should reset reset_password_token before send the reset instructions email' do
     user = create_user