Update devise 3.5

CHANGELOG.md

@@ -8,6 +8,14 @@ This file follows the best practices from [keepchangelog.com](http://keepachange
 
 ## [Unreleased]
 
+### Removed
+
+- Removed environment variable `devise_allow_insecure_token_lookup`. [#1675](https://github.com/sharetribe/sharetribe/pull/1675)
+
+### Security
+
+- Updated Devise gem to version 3.5 [#1675](https://github.com/sharetribe/sharetribe/pull/1675)
+
 ## [5.2.0] - 2016-01-29
 
 ### Added

Gemfile

@@ -63,7 +63,7 @@ gem 'json', "~>1.8.3"
 gem 'multi_json', "~>1.7.9" # 1.8.0 caused "invalid byte sequence in UTF-8" at heroku
 gem 'web_translate_it', "~>2.1.8"
 gem 'rails-i18n', '~> 4.0.8'
-gem 'devise', "~>3.1.0"
+gem 'devise', "~>3.5.0"
 gem 'devise-encryptable', '~> 0.2.0'
 gem "omniauth-facebook", "~> 3.0.0"
 

Gemfile.lock

@@ -69,8 +69,6 @@ GEM
       json (~> 1.4)
       nokogiri (>= 1.4.4)
     bcrypt (3.1.10)
-    bcrypt-ruby (3.1.5)
-      bcrypt (>= 3.1.3)
     better_errors (2.1.1)
       coderay (>= 1.0.0)
       erubis (>= 2.6.6)
@@ -141,10 +139,11 @@ GEM
     delayed_paperclip (2.9.1)
       paperclip (>= 3.3)
     demoji (0.0.5)
-    devise (3.1.2)
-      bcrypt-ruby (~> 3.0)
+    devise (3.5.5)
+      bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
     devise-encryptable (0.2.0)
@@ -366,6 +365,8 @@ GEM
     rb-fsevent (0.9.7)
     rb-inotify (0.9.5)
       ffi (>= 0.5.0)
+    responders (1.1.2)
+      railties (>= 3.2, < 4.2)
     rest-client (1.8.0)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 3.0)
@@ -482,7 +483,7 @@ DEPENDENCIES
   delayed_job_active_record (= 4.0.3)
   delayed_paperclip (~> 2.9.1)
   demoji (~> 0.0.5)
-  devise (~> 3.1.0)
+  devise (~> 3.5.0)
   devise-encryptable (~> 0.2.0)
   dynamic_form (~> 1.1.4)
   email_spec (~> 1.6.0)

config/config.defaults.yml

@@ -257,11 +257,6 @@ default: &default_settings
   # Delayed job maximum run time in seconds
   delayed_job_max_run_time: 180
 
-  # Set this variable to `true` for seamless migration when upgrading.
-  # This variable is only meant for making the migration easier and
-  # this will be deleted in the future.
-  devise_allow_insecure_token_lookup: false
-
 production: &production_settings
   <<: *default_settings
 

config/initializers/devise.rb

@@ -2,11 +2,6 @@
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
 
-  # secret_key_base will be the default in version 3.2.3
-  # TODO Remove this when updating to 3.2.3
-  config.secret_key = APP_CONFIG.secret_key_base
-  # TODO Remove this when updating to 3.2.3
-
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
   # note that it will be overwritten if you use your own mailer class with default "from" parameter.
@@ -205,21 +200,6 @@
   # It allows dynamic configuring on community basis
   config.omniauth :facebook, :setup => true
 
-  # Devise version 3.1.0 changed the way how tokens are stored to the database. Due to this,
-  # tokens that were created with old version are invalid. Setting this setting true will make
-  # those tokens valid again.
-  #
-  # When upgrading, you should set this to `true` and change it to `false` after a couple of days.
-  insecure_token = APP_CONFIG.devise_allow_insecure_token_lookup
-  config.allow_insecure_token_lookup =
-    if insecure_token == true || insecure_token == false
-      insecure_token
-    elsif insecure_token == "true"
-      true
-    else
-      false
-    end
-
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.

config/routes.rb

@@ -65,6 +65,9 @@
 
   resources :communities, only: [:new, :create]
 
+
+  devise_for :people, only: :omniauth_callbacks, controllers: { omniauth_callbacks: "sessions" }
+
   # Adds locale to every url right after the root path
   scope "(/:locale)", :constraints => { :locale => locale_matcher } do
 
@@ -270,7 +273,7 @@
       get :message_arrived
     end
 
-    devise_for :people, :controllers => { :confirmations => "confirmations", :registrations => "people", :omniauth_callbacks => "sessions"}, :path_names => { :sign_in => 'login'}
+    devise_for :people, skip: :omniauth_callbacks, controllers: { confirmations: "confirmations", registrations: "people", omniauth_callbacks: "sessions"}, :path_names => { :sign_in => 'login'}
     devise_scope :person do
       # these matches need to be before the general resources to have more priority
       get "/people/confirmation" => "confirmations#show", :as => :confirmation