Module: Auth::Concerns::DeviseConcern
- Extended by: ActiveSupport::Concern
- Included in: AdminCreateUsersController, AuthenticatedController, Auth::ConfirmationsController, EndpointsController, OmniauthCallbacksController, PasswordsController, ProfilesController, RegistrationsController, SearchController, SessionsController, Shopping::BarCodesController, Shopping::CartItemsController, Shopping::CartsController, Shopping::DiscountsController, Shopping::PaymentsController, Shopping::PersonalitiesController, Shopping::PlacesController, Shopping::ProductsController, UnlocksController, Work::CommunicationsController, Work::InstructionsController
- Defined in: app/controllers/auth/concerns/devise_concern.rb
Instance Method Summary
- #check_recaptcha ⇒ Object
  Returns true if reCAPTCHA is not specified in the configuration, and true if the reCAPTCHA is valid.
- #clear_client_and_redirect_url ⇒ Object
  SHOULD WE OR NOT DELETE THE CLIENT AND REDIRECT URL? This was relevant only in the case of OAuth visits: suppose someone comes from a remote site with a redirect URL and a client.
- #current_resource(resource) ⇒ Object
  Used only in render and redirect in DeviseController.class_eval.
- #do_before_request ⇒ Object
- #ignore_json_request ⇒ Object
- #is_json_request? ⇒ Boolean
- #is_omniauth_callback? ⇒ Boolean
- #protect_json_request ⇒ Object
- #set_client ⇒ Object
- #set_redirect_url ⇒ Object
Instance Method Details
#check_recaptcha ⇒ Object
Returns true if reCAPTCHA is not specified in the configuration, and true if the reCAPTCHA is valid. Expects the parameter ‘g-recaptcha-response’ in the params hash. If the request is JSON and carries the OS-ANDROID header, the android_recaptcha_secret_key is used as the secret key; otherwise the default recaptcha secret key that should have been configured in the pre-initializer is used. It is currently called in the registrations_controller on create and update, and in the OTP actions send_sms_otp and verify_sms_otp, so all of these are protected by reCAPTCHA, but not on iPhone (a JSON request without the OS-ANDROID header returns true without verifying anything).

```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 22
def check_recaptcha
  # nothing to verify when recaptcha is not configured at all
  return true unless Auth.configuration.recaptcha
  # options handed to verify_recaptcha; the variable name was dropped from the
  # rendered listing and is recovered from the commented debug line below
  recaptcha_options = {}
  if is_json_request?
    #puts "is json request."
    # only android json clients are checked; any other json request passes
    return true unless request.headers["OS-ANDROID"]
    #puts "android is there in headers."
    not_found("recaptcha validation error") unless Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
    #puts "android key is there in config."
    recaptcha_options[:secret_key] = Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
  end
  #puts "recaptcha_options are : #{recaptcha_options}"
  not_found("recaptcha validation error") unless verify_recaptcha(recaptcha_options)
end
```
#clear_client_and_redirect_url ⇒ Object
SHOULD WE OR NOT DELETE THE CLIENT AND REDIRECT URL? This was relevant only in the case of OAuth visits. Suppose someone comes from a remote site with a redirect URL and a client: these get set and stored in the session, then the user goes to OAuth and comes back. By this time the instance variables are gone, so we fall back on the session variables and redirect the user. The only worry was: what if someone prompts the user to go to wordjelly with a redirect URL of their choice? So what I do here right now is clear the instance redirect and client vars. Then I set the client, if necessary, from the session, but while doing set_redirect_url I give first preference to the redirect from the params and then CHECK whether it is valid against the client already in the session. So basically the user cannot be redirected to any URL that is not stored against the client; at worst they can only be redirected to a URL which was provided during client creation. So there is no need to delete the client from the session at every request, except if it is a JSON request.

```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 65
def clear_client_and_redirect_url
  session.delete('omniauth.state')
  # only json requests lose the client and redirect url stored in the session
  if is_json_request?
    session.delete("client")
    session.delete("redirect_url")
  end
end
```
#current_resource(resource) ⇒ Object
Used only in render and redirect in DeviseController.class_eval.

```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 196
def current_resource(resource)
  send("current_#{resource.class.name.underscore.downcase}")
end
```
#do_before_request ⇒ Object
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 183
def do_before_request
  # order matters: the client is restored before the redirect url is validated against it
  clear_client_and_redirect_url
  set_client
  set_redirect_url
  protect_json_request
end
```
#ignore_json_request ⇒ Object
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 44
def ignore_json_request
  if is_json_request?
    head 406
  end
end
```
#is_json_request? ⇒ Boolean
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 123
def is_json_request?
  request.format.symbol == :json
end
```
#is_omniauth_callback? ⇒ Boolean
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 40
def is_omniauth_callback?
  controller_name == "omniauth_callbacks"
end
```
#protect_json_request ⇒ Object
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 128
def protect_json_request
  ## should block any put action on the user
  ## and should render an error saying please do this on the server.
  ## if its an html or js request, then authenticity token verification should be checked.
  ## if its a json request, then that doesnt need to be done
  if is_json_request?
    if action_name == "otp_verification_result"
      ## we let this action pass because we make json ajax requests
      ## from the web ui to this endpoint, and anyway it does
      ## not return anything sensitive.
      #puts "action name is otp verification result."
    else
      #puts "action name is something else."
      # a json request is only accepted when set_client placed a valid client in the session
      if session[:client].nil?
        puts "client is nil so rendering nothing."
        #render :nothing => true , :status => :unauthorized
        head :unauthorized
      else
        puts " -------- have A VALID CLIENT WITH JSON --------- "
      end
    end
  else
    # NOTE: Rails' verify_authenticity_token never returns false; a failed check is
    # handed to handle_unverified_request (which raises under the default
    # `protect_from_forgery with: :exception`), so this fallback only matters if
    # that method is overridden to return normally.
    if verify_authenticity_token == false
      head :unauthorized
    end
  end
end
```
#set_client ⇒ Object
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 73
def set_client
  puts "came to set client -------!!!!!!!!!!!!! "
  # a client already stored in the session wins over anything in the params
  return true if session[:client]

  state = nil
  api_key = nil
  current_app_id = nil
  path = nil
  # the oauth `state` param may carry the client credentials as a json string;
  # JSON.is_json? is a project helper, not part of the json stdlib
  if params[:state] && JSON.is_json?(params[:state])
    state = JSON.parse(params[:state])
  end
  if state
    api_key = state["api_key"]
    current_app_id = state["current_app_id"]
    path = state["path"]
  elsif params[:api_key] && params[:current_app_id]
    api_key = params[:api_key]
    current_app_id = params[:current_app_id]
  end
  return false if api_key.nil? || current_app_id.nil?

  # look the client up once; the session only holds a client when the key/app pair is valid
  client = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
  session[:client] = client
  if client
    puts "found valid client."
    request.env["omniauth.model"] = path
    self.m_client = client
    return true
  end
  false
end
```
#set_redirect_url ⇒ Object
```ruby
# File 'app/controllers/auth/concerns/devise_concern.rb', line 157
def set_redirect_url
  # the redirect url from the request takes precedence over the one in the session
  redir_url = params[:redirect_url].nil? ? session[:redirect_url] : params[:redirect_url]
  cli = session[:client]
  # the client may have been serialised into the session as a plain hash
  cli = Auth::Client.new(session[:client]) if session[:client].is_a? Hash
  # only persist a redirect url registered against the client, and never for json requests
  if redir_url && session[:client] && cli.contains_redirect_url?(redir_url) && !(is_json_request?)
    session[:redirect_url] = redir_url
  end
end
```
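The client lookup in set_client and the redirect check in set_redirect_url, as an added stand-alone example; this is not the project's own code. Auth::Client is replaced by a constructed Client struct with an exact-match contains_redirect_url?, Auth::Client.find_valid_api_key_and_app_id by a constructed in-memory registry, the project's JSON.is_json? helper by a rescued JSON.parse, and the Rails session by a plain Hash. It goes slightly beyond the page by normalising URLs before comparison, so look-alike hosts and non-HTTP schemes are rejected rather than relying on whatever the real contains_redirect_url? does.

```ruby
require "json"
require "uri"

# Constructed stand-in for Auth::Client: an OAuth client registered with an API key,
# an app id and the redirect URLs declared when the client was created.
Client = Struct.new(:api_key, :app_id, :redirect_urls) do
  # Exact match after normalisation. A prefix or substring match would let
  # "https://app.example.test.evil.test/" pass for "https://app.example.test".
  def contains_redirect_url?(url)
    candidate = normalize(url)
    return false if candidate.nil?
    redirect_urls.any? { |registered| normalize(registered) == candidate }
  end

  private

  # scheme://host:port/path with a lower-cased host; nil for anything that is
  # not an absolute http(s) URL (relative paths, javascript:, garbage).
  def normalize(url)
    uri = URI.parse(url.to_s)
    return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS < URI::HTTP
    path = uri.path.empty? ? "/" : uri.path
    "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}#{path}"
  rescue URI::InvalidURIError
    nil
  end
end

# Constructed registry standing in for Auth::Client.find_valid_api_key_and_app_id.
CLIENTS = [
  Client.new("key-abc", "app-1", ["https://app.example.test/callback"])
].freeze

def find_valid_client(api_key, app_id)
  CLIENTS.find { |c| c.api_key == api_key && c.app_id == app_id }
end

# Mirrors set_client. The OAuth `state` param may carry api_key / current_app_id
# as a JSON string, with plain params as the fallback. Instead of the project's
# JSON.is_json? helper, malformed or non-object JSON is simply treated as absent.
def set_client(session, params)
  return true if session[:client]
  state = params[:state] && (JSON.parse(params[:state]) rescue nil)
  state = nil unless state.is_a?(Hash)
  api_key, app_id = if state
                      [state["api_key"], state["current_app_id"]]
                    else
                      [params[:api_key], params[:current_app_id]]
                    end
  return false if api_key.nil? || app_id.nil?
  client = find_valid_client(api_key, app_id)
  return false unless client
  session[:client] = client
  true
end

# Mirrors set_redirect_url: the request's redirect_url is preferred over the one
# already in the session, but it is only persisted when the session's client
# registered it, and never for JSON requests.
def set_redirect_url(session, params, json_request: false)
  redir = params[:redirect_url].nil? ? session[:redirect_url] : params[:redirect_url]
  client = session[:client]
  if redir && client && client.contains_redirect_url?(redir) && !json_request
    session[:redirect_url] = redir
  end
  session[:redirect_url]
end

# Runs the set_client / set_redirect_url sequence on a fresh session and returns
# the redirect the user would end up with; nil means no redirect was accepted.
def resolve_redirect(params, json_request: false)
  session = {}
  set_client(session, params)
  set_redirect_url(session, params, json_request: json_request)
end

if __FILE__ == $PROGRAM_NAME
  good = { api_key: "key-abc", current_app_id: "app-1", redirect_url: "https://app.example.test/callback" }
  puts resolve_redirect(good).inspect                                                      # "https://app.example.test/callback"
  puts resolve_redirect(good.merge(redirect_url: "https://evil.test/")).inspect            # nil
  puts resolve_redirect(good.merge(redirect_url: "https://app.example.test.evil.test/callback")).inspect # nil
end
```

The point of the exact-match normalisation is the one the module's comment relies on: the worst case for a user is a redirect to a URL supplied when the client was created, so the comparison must not be fooled by host suffixes, case differences, or a non-HTTP scheme smuggled in through the redirect_url parameter.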