Merge branch '33408-upgrade-devise' into 'master'

Upgrade devise and dependencies

Closes #20175

See merge request gitlab-org/gitlab!18225

Gemfile.lock

@@ -95,7 +95,7 @@ GEM
     babosa (1.0.2)
     base32 (0.3.2)
     batch-loader (1.4.0)
-    bcrypt (3.1.12)
+    bcrypt (3.1.13)
     bcrypt_pbkdf (1.0.0)
     benchmark-ips (2.3.0)
     benchmark-memory (0.1.2)
@@ -209,10 +209,10 @@ GEM
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
     device_detector (1.0.0)
-    devise (4.6.2)
+    devise (4.7.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 4.1.0, < 6.0)
+      railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
     devise-two-factor (3.0.0)
@@ -488,7 +488,7 @@ GEM
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    i18n (1.6.0)
+    i18n (1.7.0)
       concurrent-ruby (~> 1.0)
     i18n_data (0.8.0)
     icalendar (2.4.1)
@@ -770,8 +770,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
     rails-i18n (5.1.1)
       i18n (>= 0.7, < 2)
       railties (>= 5.0, < 6)
@@ -824,9 +824,9 @@ GEM
       declarative-option (< 0.2.0)
       uber (< 0.2.0)
     request_store (1.3.1)
-    responders (2.4.0)
-      actionpack (>= 4.2.0, < 5.3)
-      railties (>= 4.2.0, < 5.3)
+    responders (2.4.1)
+      actionpack (>= 4.2.0, < 6.0)
+      railties (>= 4.2.0, < 6.0)
     rest-client (2.0.2)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
@@ -1058,8 +1058,8 @@ GEM
       descendants_tracker (~> 0.0, >= 0.0.3)
       equalizer (~> 0.0, >= 0.0.9)
     vmstat (2.3.0)
-    warden (1.2.7)
-      rack (>= 1.0)
+    warden (1.2.8)
+      rack (>= 2.0.6)
     webfinger (1.1.0)
       activesupport
       httpclient (>= 2.4)

spec/requests/openid_connect_spec.rb

@@ -148,34 +148,25 @@ describe 'OpenID Connect requests' do
       end
     end
 
-    # These 2 calls shouldn't actually throw, they should be handled as an
-    # unauthorized request, so we should be able to check the response.
-    #
-    # This was not possible due to an issue with Warden:
-    # https://github.com/hassox/warden/pull/162
-    #
-    # When the patch gets merged and we update Warden, these specs will need to
-    # updated to check the response instead of a raised exception.
-    # https://gitlab.com/gitlab-org/gitlab-foss/issues/40218
     context 'when user is blocked' do
-      it 'returns authentication error' do
+      it 'redirects to login page' do
         access_grant
         user.block!
 
-        expect do
-          request_access_token!
-        end.to raise_error UncaughtThrowError
+        request_access_token!
+
+        expect(response).to redirect_to('/users/sign_in')
       end
     end
 
     context 'when user is ldap_blocked' do
-      it 'returns authentication error' do
+      it 'redirects to login page' do
         access_grant
         user.ldap_block!
 
-        expect do
-          request_access_token!
-        end.to raise_error UncaughtThrowError
+        request_access_token!
+
+        expect(response).to redirect_to('/users/sign_in')
       end
     end
   end