Module: Auth::Concerns::DeviseConcern


Instance Method Details

#check_recaptchaObject

Returns true if recaptcha is not enabled in the configuration, and returns true if the recaptcha is valid. Expects the parameter ‘g-recaptcha-response’ in the params hash. If the request is JSON and has the header os-android, then it will use the android_recaptcha_api_key as the secret key; otherwise it will use the default recaptcha_secret key that should have been configured in the pre-initializer. It is currently called in the registrations_controller on create and update, and in the OTP actions send_sms_otp and verify_sms_otp. So all of these are protected by recaptcha, but not on iPhone.



# File 'app/controllers/auth/concerns/devise_concern.rb', line 22

def check_recaptcha
	
	return true unless Auth.configuration.recaptcha
    
   	recaptcha_options = {}
	if is_json_request?
		#puts "is json request."
		return true unless request.headers["OS-ANDROID"]
		#puts "android is there in headers."
		not_found("recaptcha validation error") unless Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
		#puts "android key is there in config."
		recaptcha_options[:secret_key] = Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
	end
	#puts "recaptcha_options are : #{recaptcha_options}"
	not_found("recaptcha validation error") unless verify_recaptcha(recaptcha_options)
end

#clear_client_and_redirect_urlObject

SHOULD WE OR NOT DELETE THE CLIENT AND REDIRECT URL? This was relevant only in the case of OAuth visits. Suppose someone comes from remote with a redirect URL + client: these get set and stored in the session, then they go to OAuth and come back. By this time the instance variables are gone, so we fall back on the session variables and redirect them. The only worry was: what if someone prompts the user to go to wordjelly with a redirect URL of their choice? So what is done here right now is to clear the instance redirect and client vars. Then the client is set, if necessary, from the session, but in set_redirect_url first preference is given to the redirect URL from the params, which is then CHECKED for validity against the client already in the session. So basically they cannot be redirected to any URL that is not stored against the client; at worst they can be redirected only to a URL which was provided during client creation. So there is no need to delete the client from the session at every request, except if it is a JSON request.



# File 'app/controllers/auth/concerns/devise_concern.rb', line 65

# Drops the OmniAuth state from the session on every request. The stored
# client and redirect_url are additionally dropped only for JSON requests;
# for HTML flows they have to survive the round trip through OAuth.
def clear_client_and_redirect_url
  session.delete('omniauth.state')
  return unless is_json_request?

  session.delete("client")
  session.delete("redirect_url")
end

#current_resource(resource) ⇒ Object

Used only in the render and redirect overrides in DeviseController.class_eval.



# File 'app/controllers/auth/concerns/devise_concern.rb', line 196

# Dispatches to the `current_<resource>` helper matching the class of
# `resource` (e.g. a User instance maps to current_user). The helper name is
# derived from the class name, not from request input.
#
# @param resource [Object] the Devise resource whose current-* helper is wanted
# @return [Object] whatever that helper returns
def current_resource(resource)
  helper_name = "current_#{resource.class.name.underscore.downcase}"
  send(helper_name)
end

#do_before_requestObject



# File 'app/controllers/auth/concerns/devise_concern.rb', line 183

# Per-request pipeline run before the Devise actions: reset stale
# client/redirect state, resolve the client, validate and store the redirect
# target, then apply the JSON/CSRF protection. The order matters because
# set_redirect_url validates against the client that set_client stored in
# the session.
def do_before_request
  clear_client_and_redirect_url
  set_client
  set_redirect_url
  protect_json_request
end

#ignore_json_requestObject



# File 'app/controllers/auth/concerns/devise_concern.rb', line 44

# Rejects JSON requests with 406 Not Acceptable; other formats pass through.
def ignore_json_request
  head 406 if is_json_request?
end

#is_json_request?Boolean

Returns:

  • (Boolean)


# File 'app/controllers/auth/concerns/devise_concern.rb', line 123

# Whether the current request negotiated the :json format.
#
# @return [Boolean]
def is_json_request?
  request.format.symbol == :json
end

#is_omniauth_callback?Boolean

Returns:

  • (Boolean)


# File 'app/controllers/auth/concerns/devise_concern.rb', line 40

# Whether the current controller is the OmniAuth callbacks controller.
#
# @return [Boolean]
def is_omniauth_callback?
  controller_name.eql?("omniauth_callbacks")
end

#protect_json_requestObject



# File 'app/controllers/auth/concerns/devise_concern.rb', line 128

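# Request-level guard applied to every Devise action.
#
# JSON requests: the otp_verification_result action is always allowed (the
# web UI calls it via AJAX and it is documented as returning nothing
# sensitive); every other JSON action requires a client in the session,
# otherwise the request is answered with 401. JSON requests are not
# subjected to the authenticity-token check.
#
# Non-JSON (HTML/JS) requests: the authenticity token is verified and a
# literal false result is answered with 401.
#
# Returns whatever `head` returns when a request is rejected, otherwise nil.
# Debug output to stdout was removed; the decision logic is unchanged.
def protect_json_request
  if is_json_request?
    # Documented exemption: the web UI makes JSON AJAX calls to this endpoint
    # and it does not return anything sensitive.
    return if action_name == "otp_verification_result"

    # A JSON request is only trusted when set_client stored a client.
    head :unauthorized if session[:client].nil?
  else
    # Deliberately an explicit comparison with false: only a literal false
    # return is treated as a failed check, a nil return is not. Confirm
    # against what verify_authenticity_token returns in the Rails version
    # in use.
    head :unauthorized if verify_authenticity_token == false
  end
end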

#set_clientObject



# File 'app/controllers/auth/concerns/devise_concern.rb', line 73

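# Resolves the API client for this request and stores it in session[:client].
#
# If the session already holds a client nothing is done and true is returned.
# Otherwise the api_key / current_app_id pair is taken from params[:state]
# (a JSON document carrying "api_key", "current_app_id" and "path") when it
# parses as a JSON object, else from params[:api_key] / params[:current_app_id].
# The pair is looked up with Auth::Client.find_valid_api_key_and_app_id and
# the result (possibly nil) is written to session[:client].
#
# On success request.env["omniauth.model"] is set to the "path" from the
# state (nil when the credentials came from plain params), m_client is set
# to the client and true is returned. Returns false when no credentials were
# supplied or the lookup found nothing.
#
# Changes from the previous version: the lookup runs once instead of twice,
# debug output is gone, and a params[:state] that is valid JSON but not an
# object no longer raises on key access.
#
# NOTE(review): "path" is taken verbatim from a request parameter; whatever
# consumes request.env["omniauth.model"] must treat it as untrusted input.
def set_client
  return true if session[:client]

  api_key, current_app_id, path = client_credentials_from_params
  return false if api_key.nil? || current_app_id.nil?

  # A failed lookup still assigns nil, mirroring the previous behaviour of
  # writing the lookup result to session[:client] unconditionally.
  client = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
  session[:client] = client
  return false unless client

  request.env["omniauth.model"] = path
  self.m_client = client
  true
end

# Extracts [api_key, current_app_id, path] from the request parameters.
# params[:state] takes precedence when it is a JSON object; otherwise the
# flat params[:api_key] / params[:current_app_id] pair is used (path nil).
# Returns [nil, nil, nil] when neither source is present.
def client_credentials_from_params
  state = JSON.parse(params[:state]) if params[:state] && JSON.is_json?(params[:state])
  # Only an object can carry the expected keys; an array or scalar would
  # raise on lookup, so it is treated as "no state".
  if state.is_a?(Hash)
    [state["api_key"], state["current_app_id"], state["path"]]
  elsif params[:api_key] && params[:current_app_id]
    [params[:api_key], params[:current_app_id], nil]
  else
    [nil, nil, nil]
  end
end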

#set_redirect_urlObject



# File 'app/controllers/auth/concerns/devise_concern.rb', line 157

# Picks the redirect target for this request and stores it in the session.
#
# The candidate comes from params[:redirect_url], falling back to
# session[:redirect_url] when the param is nil. It is stored only when a
# client is present in the session, that client lists the URL among its
# registered redirect URLs (contains_redirect_url?), and the request is not
# JSON. A session client stored as a plain Hash is rehydrated with
# Auth::Client.new for the check. A candidate that fails the check is
# silently ignored, which is what keeps the redirect from being driven by an
# arbitrary request parameter.
def set_redirect_url
  candidate = params[:redirect_url]
  candidate = session[:redirect_url] if candidate.nil?
  stored_client = session[:client]
  return unless candidate && stored_client

  client = stored_client.is_a?(Hash) ? Auth::Client.new(stored_client) : stored_client
  return unless client.contains_redirect_url?(candidate)
  return if is_json_request?

  session[:redirect_url] = candidate
end