Module: Authpwn::SessionController
- Extended by:
- ActiveSupport::Concern
- Included in:
- SessionController
- Defined in:
- lib/authpwn_rails/session_controller.rb
Overview
Included by the controller that handles user authentication.
Right now, some parts of the codebase assume the controller will be named Session.
Instance Method Summary collapse
-
#api_token ⇒ Object
GET /api_token.
-
#auth_controller? ⇒ Boolean
True for controllers belonging to the authentication implementation.
-
#bounce_notice_text(reason) ⇒ Object
Hook for customizing the bounce notification text.
-
#change_password ⇒ Object
POST /session/change_password.
-
#create ⇒ Object
POST /session.
-
#destroy ⇒ Object
DELETE /session.
-
#destroy_api_token ⇒ Object
DELETE /api_token.
-
#new ⇒ Object
GET /session/new.
-
#omniauth ⇒ Object
GET /auth/twitter/callback POST /auth/twitter/callback.
-
#omniauth_failure ⇒ Object
GET /auth/failure.
-
#password_change ⇒ Object
GET /session/change_password.
-
#reset_password ⇒ Object
POST /session/reset_password.
-
#show ⇒ Object
GET /session.
-
#token ⇒ Object
GET /session/token/token-code.
Instance Method Details
#api_token ⇒ Object
GET /api_token
105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/authpwn_rails/session_controller.rb', line 105 def api_token unless current_user bounce_user return end token = Tokens::Api.where(user_id: current_user.id).first || Tokens::Api.random_for(current_user) @api_token = token.code respond_to do |format| format.html format.json { render json: { api_token: @api_token } } end end |
#auth_controller? ⇒ Boolean
True for controllers belonging to the authentication implementation.
Controllers that return true here are responsible for performing their own authorization.
332 333 334 |
# File 'lib/authpwn_rails/session_controller.rb', line 332 def auth_controller? true end |
#bounce_notice_text(reason) ⇒ Object
Hook for customizing the bounce notification text.
352 353 354 355 356 357 358 359 360 361 |
# File 'lib/authpwn_rails/session_controller.rb', line 352 def bounce_notice_text(reason) case reason when :invalid 'Invalid e-mail or password' when :expired 'Password expired. Please click "Forget password"' when :blocked 'Account blocked. Please verify your e-mail address' end end |
#change_password ⇒ Object
POST /session/change_password
249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 |
# File 'lib/authpwn_rails/session_controller.rb', line 249 def change_password unless current_user bounce_user return end @credential = current_user.credentials. where(type: 'Credentials::Password').first if @credential # An old password is set, must verify it. if @credential.check_password params[:credential][:old_password] success = @credential.update_attributes change_password_params else success = false flash[:alert] = 'Incorrect old password. Please try again.' end else @credential = Credentials::Password.new change_password_params @credential.user = current_user success = @credential.save end respond_to do |format| if success format.html do redirect_to session_url, notice: 'Password updated' end format.json { head :no_content } else format.html { render action: :password_change } format.json { render json: { error: :invalid } } end end end |
#create ⇒ Object
POST /session
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/authpwn_rails/session_controller.rb', line 67 def create # Workaround for lack of browser support for the formaction attribute. return reset_password if params[:reset_password] @redirect_url = params[:redirect_url] || session_url @session = Session.from_params params auth = User.authenticate_signin @session unless auth.kind_of? Symbol set_session_current_user auth Tokens::SessionUid.remove_expired if auto_purge_sessions end respond_to do |format| if current_user format.html { redirect_to @redirect_url } format.json do user_data = current_user.as_json if current_user.class.include_root_in_json user_data = user_data['user'] end render json: { user: user_data, csrf: form_authenticity_token } end else error_text = bounce_notice_text auth format.html do if params[:redirect_url] redirect_to new_session_url, flash: { alert: error_text, auth_redirect_url: @redirect_url } else redirect_to new_session_url, alert: error_text end end format.json { render json: { error: auth, text: error_text } } end end end |
#destroy ⇒ Object
DELETE /session
220 221 222 223 224 225 226 |
# File 'lib/authpwn_rails/session_controller.rb', line 220 def destroy self.set_session_current_user nil respond_to do |format| format.html { redirect_to session_url } format.json { head :no_content } end end |
#destroy_api_token ⇒ Object
DELETE /api_token
121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
# File 'lib/authpwn_rails/session_controller.rb', line 121 def destroy_api_token unless current_user bounce_user return end api_token = Tokens::Api.where(user_id: current_user.id).first if api_token api_token.destroy respond_to do |format| format.html do redirect_to api_token_session_url, notice: 'Your old API token has been revoked' end format.json { render json: {} } end else respond_to do |format| format.html do redirect_to api_token_session_url, alert: 'You had no old API token to revoke' end format.json { head :not_found } end end end |
#new ⇒ Object
GET /session/new
34 35 36 37 38 |
# File 'lib/authpwn_rails/session_controller.rb', line 34 def new @session = Session.from_params params @redirect_url = flash[:auth_redirect_url] redirect_to session_url if current_user end |
#omniauth ⇒ Object
GET /auth/twitter/callback POST /auth/twitter/callback
292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 |
# File 'lib/authpwn_rails/session_controller.rb', line 292 def omniauth @redirect_url = params[:redirect_url] || session_url omni_auth = request.env['omniauth.auth'] auth = Credentials::OmniAuthUid.authenticate omni_auth unless auth.kind_of? Symbol set_session_current_user auth Tokens::SessionUid.remove_expired if auto_purge_sessions end respond_to do |format| if current_user format.html { redirect_to @redirect_url } else error_text = bounce_notice_text auth format.html do if params[:redirect_url] redirect_to new_session_url, flash: { alert: error_text, auth_redirect_url: @redirect_url } else redirect_to new_session_url, alert: error_text end end end end end |
#omniauth_failure ⇒ Object
GET /auth/failure
319 320 321 322 323 324 325 326 |
# File 'lib/authpwn_rails/session_controller.rb', line 319 def omniauth_failure respond_to do |format| format.html do redirect_to new_session_url, alert: 'Authentication failed. Please try again.' end end end |
#password_change ⇒ Object
GET /session/change_password
229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 |
# File 'lib/authpwn_rails/session_controller.rb', line 229 def password_change unless current_user bounce_user return end respond_to do |format| format.html do @credential = current_user.credentials. where(type: 'Credentials::Password').first unless @credential @credential = Credentials::Password.new @credential.user = current_user end # Renders session/password_change.html.erb end end end |
#reset_password ⇒ Object
POST /session/reset_password
149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
# File 'lib/authpwn_rails/session_controller.rb', line 149 def reset_password email = params[:session] && params[:session][:email] credential = Credentials::Email.with email if user = (credential && credential.user) token = Tokens::PasswordReset.random_for user email = ::SessionMailer.reset_password_email(email, token, root_url) # TODO(pwnall): fix the serialization errors blocking deliver_later email.deliver_now end respond_to do |format| if user format.html do redirect_to new_session_url, alert: 'Please check your e-mail for instructions' end format.json { render json: { } } else error_text = 'Invalid e-mail' format.html do redirect_to new_session_url, alert: error_text end format.json do render json: { error: :not_found, text: notice } end end end end |
#show ⇒ Object
GET /session
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
# File 'lib/authpwn_rails/session_controller.rb', line 41 def show @user = current_user || User.new if @user.new_record? welcome unless performed? respond_to do |format| format.html { render action: :welcome } format.json { render json: {} } end end else home unless performed? respond_to do |format| format.html { render action: :home } format.json do user_data = @user.as_json user_data = user_data['user'] if @user.class.include_root_in_json render json: { user: user_data, csrf: form_authenticity_token } end end end end end |
#token ⇒ Object
GET /session/token/token-code
180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 |
# File 'lib/authpwn_rails/session_controller.rb', line 180 def token # NOTE: We don't use Tokens::Base here because we don't want users to abuse # API tokens to build permanent login links. # # This repeats the code in Token::Base.authenticate, because we need the # token. if token = Tokens::OneTime.with_code(params[:code]).first auth = token.authenticate else auth = :invalid end if auth.is_a? Symbol error_text = bounce_notice_text auth respond_to do |format| format.html do redirect_to new_session_url, flash: { alert: error_text, auth_redirect_url: session_url } end format.json { render json: { error: auth, text: error_text } } end else self.set_session_current_user auth home_with_token token unless performed? respond_to do |format| format.html { redirect_to session_url } format.json do user_data = current_user.as_json if current_user.class.include_root_in_json user_data = user_data['user'] end render json: { user: user_data, csrf: form_authenticity_token } end end end end end |