Upgrade devise to 4.x and extensions

This is a required step to upgrade Ruby.
Blocked by this extension: phatworx/devise_security_extension#192
Possible solution: forked gem `devise-security`: https://github.com/devise-security/devise-security

Also fixes devise translation in tests:
It's being humanized internally now: heartcombo/devise@b6e4586

Relevant things changed:

`devise`:

* https://github.com/plataformatec/devise/tree/6edbeb82cdaaed8cd6c041ebe7a62534c71fd0e3#strong-parameters

* https://www.rubydoc.info/gems/devise/4.5.0/Devise/Test/ControllerHelpers

`devise-security`:

* devise-security/devise-security@e2f7f8f

Gemfile

@@ -16,9 +16,9 @@ gem 'active_model_serializers', '~> 0.10.1'
 gem 'azure-storage'
 gem 'bootstrap-sass'
 gem 'bowndler', github: 'moneyadviceservice/bowndler'
-gem 'devise', '3.5.10'
+gem 'devise', '~> 4.5.0'
+gem 'devise-security', '~> 0.13'
 gem 'devise_invitable', '1.6.1'
-gem 'devise_security_extension'
 # Dough assets are loaded from a CDN instead of from the Gem. Do make sure that
 # the CDN version is the same as the Gem version.
 gem 'dough-ruby',

Gemfile.lock

@@ -77,7 +77,7 @@ GEM
       faraday_middleware (~> 0.10)
       nokogiri (~> 1.6, >= 1.6.8)
     backports (3.11.1)
-    bcrypt (3.1.11)
+    bcrypt (3.1.12)
     better_errors (2.4.0)
       coderay (>= 1.0.0)
       erubi (>= 1.0.0)
@@ -118,11 +118,11 @@ GEM
       timers (>= 4.1.1)
     cliver (0.3.2)
     coderay (1.1.2)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.4)
     connection_pool (2.2.1)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.3)
+    crass (1.0.4)
     cucumber (3.1.0)
       builder (>= 2.1.2)
       cucumber-core (~> 3.1.0)
@@ -147,19 +147,18 @@ GEM
     cucumber-wire (0.0.1)
     database_cleaner (1.6.2)
     debug_inspector (0.0.3)
-    devise (3.5.10)
+    devise (4.5.0)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (>= 3.2.6, < 5)
+      railties (>= 4.1.0, < 6.0)
       responders
-      thread_safe (~> 0.1)
       warden (~> 1.2.3)
+    devise-security (0.13.0)
+      devise (>= 4.2.0, < 5.0)
+      rails (>= 4.2.0, < 6.0)
     devise_invitable (1.6.1)
       actionmailer (>= 3.2.6)
       devise (>= 3.2.0)
-    devise_security_extension (0.10.0)
-      devise (>= 3.0.0, < 4.0)
-      railties (>= 3.2.6, < 5.0)
     diff-lcs (1.3)
     domain_name (0.5.20170404)
       unf (>= 0.0.5, < 1.0.0)
@@ -217,7 +216,7 @@ GEM
       addressable (~> 2.3)
     letter_opener (1.6.0)
       launchy (~> 2.2)
-    loofah (2.2.2)
+    loofah (2.2.3)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
@@ -231,14 +230,14 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
     mini_mime (1.0.0)
-    mini_portile2 (2.3.0)
+    mini_portile2 (2.4.0)
     minitest (5.11.3)
     multi_json (1.13.1)
     multi_test (0.1.2)
     multipart-post (2.0.0)
     netrc (0.11.0)
-    nokogiri (1.8.2)
-      mini_portile2 (~> 2.3.0)
+    nokogiri (1.10.0)
+      mini_portile2 (~> 2.4.0)
     oga (2.14)
       ast
       ruby-ll (~> 2.1)
@@ -263,7 +262,7 @@ GEM
     pry-rails (0.3.6)
       pry (>= 0.10.4)
     public_suffix (3.0.2)
-    rack (1.6.9)
+    rack (1.6.11)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
@@ -390,7 +389,7 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     statsd-ruby (1.4.0)
-    thor (0.20.0)
+    thor (0.20.3)
     thread_safe (0.3.6)
     tilt (1.4.1)
     timecop (0.9.1)
@@ -439,9 +438,9 @@ DEPENDENCIES
   capybara
   cucumber-rails
   database_cleaner
-  devise (= 3.5.10)
+  devise (~> 4.5.0)
+  devise-security (~> 0.13)
   devise_invitable (= 1.6.1)
-  devise_security_extension
   dough-ruby!
   factory_girl_rails
   faker

app/controllers/application_controller.rb

@@ -9,10 +9,10 @@ def after_sign_in_path_for(user)
   end
 
   def configure_permitted_parameters
-    devise_parameter_sanitizer.for(:sign_in) do |u|
+    devise_parameter_sanitizer.permit(:sign_in) do |u|
       u.permit(:login, :password, :remember_me)
     end
-    devise_parameter_sanitizer.for(:account_update) do |u|
+    devise_parameter_sanitizer.permit(:account_update) do |u|
       u.permit(:email, :password, :password_confirmation, :current_password)
     end
   end

config/initializers/devise.rb

@@ -302,8 +302,8 @@
   # Should the password expire (e.g 3.months)
   config.expire_password_after = 180.days
 
-  # Need 1 char of A-Z, a-z, 0-9 and a symbol
-  config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W])/
+  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol
+  password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
   # How many passwords to keep in archive
   config.password_archiving_count = 12

spec/features/principal_sign_in_spec.rb

@@ -70,6 +70,10 @@ def they_see_the_sign_in_page
 
   def and_they_see_a_notice_that_their_details_were_incorrect
     expect(sign_in_page.devise_form_errors).to have_text(
-      I18n.t('devise.failure.invalid', authentication_keys: 'login'))
+      I18n.t(
+        'devise.failure.invalid',
+        authentication_keys: 'Firm Reference Number'
+      )
+    )
   end
 end

spec/features/sign_in_panel_spec.rb

@@ -68,7 +68,11 @@ def they_see_the_sign_in_page
 
   def and_they_see_a_notice_that_their_details_were_incorrect
     expect(sign_in_page.devise_form_errors).to have_text(
-      I18n.t('devise.failure.invalid', authentication_keys: 'login'))
+      I18n.t(
+        'devise.failure.invalid',
+        authentication_keys: 'Firm Reference Number'
+      )
+    )
   end
 
   def when_the_principal_clicks_the_forgotten_password_link

spec/models/firm_factory_spec.rb

@@ -1,12 +1,10 @@
 RSpec.describe 'Firm factory' do
   subject do
-    begin
-      FactoryGirl.create(factory)
-    rescue ActiveRecord::RecordInvalid
-      # If create fails we fall back to a build. We can then explicitly test
-      # what we expect to have happened using the `be_persisted` matcher.
-      FactoryGirl.build(factory)
-    end
+    FactoryGirl.create(factory)
+  rescue ActiveRecord::RecordInvalid
+    # If create fails we fall back to a build. We can then explicitly test
+    # what we expect to have happened using the `be_persisted` matcher.
+    FactoryGirl.build(factory)
   end
 
   describe 'factory :firm (default factory)' do

spec/spec_helper.rb

@@ -36,7 +36,7 @@
     end
   end
 
-  c.include Devise::TestHelpers, type: :controller
+  c.include Devise::Test::ControllerHelpers, type: :controller
   c.include Warden::Test::Helpers
   c.include FcaTestHelpers
   c.before :suite do