allow empty stings as no timestamp

Devise checks existence of timestamps at various places by testing i.e.

    confirmation_sent_at && confirmation_sent_at.utc >= ...

If an ORM returns empty stings on no timestamp (i.e. when using JSON) this fails. Check response to :utc instead (works for several Time / Date / DateTime values.

lib/devise/models/confirmable.rb

@@ -104,7 +104,7 @@ def confirm(args = {})
 
       # Verifies whether a user is confirmed or not
       def confirmed?
-        !!confirmed_at
+        confirmed_at.respond_to?(:utc)
       end
 
       def pending_reconfirmation?
@@ -214,7 +214,7 @@ def confirmation_period_valid?
           return true if self.class.allow_unconfirmed_access_for.nil?
           return false if self.class.allow_unconfirmed_access_for == 0.days
 
-          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
+          confirmation_sent_at.respond_to?(:utc) && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
         # Checks if the user confirmation happens before the token becomes invalid
@@ -230,7 +230,7 @@ def confirmation_period_valid?
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && self.confirmation_sent_at && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at.respond_to?(:utc) && (Time.now.utc > self.confirmation_sent_at.utc + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.

lib/devise/models/lockable.rb

@@ -67,7 +67,7 @@ def reset_failed_attempts!
 
       # Verifies whether a user is locked or not.
       def access_locked?
-        !!locked_at && !lock_expired?
+        locked_at.respond_to?(:utc) && !lock_expired?
       end
 
       # Send unlock instructions by email
@@ -151,7 +151,7 @@ def last_attempt?
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
           if unlock_strategy_enabled?(:time)
-            locked_at && locked_at < self.class.unlock_in.ago
+            locked_at.respond_to?(:utc) && locked_at < self.class.unlock_in.ago
           else
             false
           end

lib/devise/models/recoverable.rb

@@ -75,7 +75,7 @@ def send_reset_password_instructions
       #   reset_password_period_valid?   # will always return false
       #
       def reset_password_period_valid?
-        reset_password_sent_at && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
+        reset_password_sent_at.respond_to?(:utc) && reset_password_sent_at.utc >= self.class.reset_password_within.ago.utc
       end
 
       protected

lib/devise/models/timeoutable.rb

@@ -28,7 +28,7 @@ def self.required_fields(klass)
 
       # Checks whether the user session has expired based on configured time.
       def timedout?(last_access)
-        !timeout_in.nil? && last_access && last_access <= timeout_in.ago
+        !timeout_in.nil? && last_access.respond_to?(:utc) && last_access <= timeout_in.ago
       end
 
       def timeout_in

lib/devise/models/trackable.rb

@@ -19,7 +19,7 @@ def self.required_fields(klass)
 
       def update_tracked_fields(request)
         old_current, new_current = self.current_sign_in_at, Time.now.utc
-        self.last_sign_in_at     = old_current || new_current
+        self.last_sign_in_at     = old_current.respond_to?(:utc) ? old_current : new_current
         self.current_sign_in_at  = new_current
 
         old_current, new_current = self.current_sign_in_ip, extract_ip_from(request)