lib/devise/hooks/rememberable.rb in devise-1.1.pre4 vs lib/devise/hooks/rememberable.rb in devise-1.1.rc0

- old
+ new

@@ -1,32 +1,41 @@
-# After authenticate hook to verify if the user in the given scope asked to be
-# remembered while he does not sign out. Generates a new remember token for
-# that specific user and adds a cookie with this user info to sign in this user
-# automatically without asking for credentials. Refer to rememberable strategy
-# for more info.
-Warden::Manager.prepend_after_authentication do |record, warden, options|
- scope = options[:scope]
- remember_me = warden.params[scope].try(:fetch, :remember_me, nil)
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is frozen.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, scope|
+ if record.respond_to?(:forget_me!)
+ record.forget_me! unless record.frozen?
+ warden.cookies.delete "remember_#{scope}_token"
+ end
+end
- if Devise::TRUE_VALUES.include?(remember_me) &&
- warden.authenticated?(scope) && record.respond_to?(:remember_me!)
- record.remember_me!
+module Devise
+ module Hooks
+ # Overwrite success! in authentication strategies allowing users to be remembered.
+ # We choose to implement this as an strategy hook instead of a Devise hook to avoid users
+ # giving a remember_me access in strategies that should not create remember me tokens.
+ module Rememberable #:nodoc:
+ def success!(resource)
+ super
- warden.response.set_cookie "remember_#{scope}_token", {
- :value => record.class.serialize_into_cookie(record),
- :expires => record.remember_expires_at,
- :path => "/"
- }
+ if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
+ resource.remember_me!
+
+ cookies.signed["remember_#{scope}_token"] = {
+ :value => resource.class.serialize_into_cookie(resource),
+ :expires => resource.remember_expires_at,
+ :path => "/"
+ }
+ end
+ end
+
+ protected
+
+ def remember_me?
+ valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+ end
+ end
 end
 end
-# Before logout hook to forget the user in the given scope, only if rememberable
-# is activated for this scope. Also clear remember token to ensure the user
-# won't be remembered again.
-# Notice that we forget the user if the record is frozen. This usually means the
-# user was just deleted.
-Warden::Manager.before_logout do |record, warden, scope|
- if record.respond_to?(:forget_me!)
- record.forget_me! unless record.frozen?
- warden.response.delete_cookie "remember_#{scope}_token"
- end
-end
+Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable
\ No newline at end of file
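Review bot: The remember cookie written in `success!` is set with only `:value`, `:expires` and `:path`, so the long-lived remember token remains readable from client-side script; adding `:httponly => true` to that hash keeps it out of reach of an XSS, and `:secure => true` belongs there too for TLS-only deployments, which this hook cannot decide on its own. Moving to `cookies.signed` stops tampering with the serialized record but not disclosure, and a copied remember token signs the user in without credentials until `remember_expires_at`. The `before_logout` hook removes the cookie with `warden.cookies.delete` and no `:path`, which relies on the cookie jar defaulting the path to `/` as the setter uses; worth confirming against the Rails versions Devise targets here, since a path mismatch would leave the cookie in the browser after sign-out.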