Module: Authpwn::SessionController

Extended by:
ActiveSupport::Concern
Included in:
SessionController
Defined in:
lib/authpwn_rails/session_controller.rb

Overview

Included by the controller that handles user authentication.

Right now, some parts of the codebase assume the controller will be named Session.

Instance Method Summary collapse

Instance Method Details

#api_tokenObject

GET /api_token



105
106
107
108
109
110
111
112
113
114
115
116
117
118
 
# File 'lib/authpwn_rails/session_controller.rb', line 105

def api_token
  unless current_user
    bounce_user
    return
  end

  token = Tokens::Api.where(user_id: current_user.id).first ||
      Tokens::Api.random_for(current_user)
  @api_token = token.code
  respond_to do |format|
    format.html
    format.json { render json: { api_token: @api_token } }
  end
end

#auth_controller?Boolean

True for controllers belonging to the authentication implementation.

Controllers that return true here are responsible for performing their own authorization.

Returns:

  • (Boolean) 


332
333
334
 
# File 'lib/authpwn_rails/session_controller.rb', line 332

def auth_controller?
  true
end

#bounce_notice_text(reason) ⇒ Object

Hook for customizing the bounce notification text.



352
353
354
355
356
357
358
359
360
361
 
# File 'lib/authpwn_rails/session_controller.rb', line 352

def bounce_notice_text(reason)
  case reason
  when :invalid
    'Invalid e-mail or password'
  when :expired
    'Password expired. Please click "Forget password"'
  when :blocked
    'Account blocked. Please verify your e-mail address'
  end
end

#change_passwordObject

POST /session/change_password



249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
 
# File 'lib/authpwn_rails/session_controller.rb', line 249

def change_password
  unless current_user
    bounce_user
    return
  end

  @credential = current_user.credentials.
                             where(type:  'Credentials::Password').first
  if @credential
    # An old password is set, must verify it.
    if @credential.check_password params[:credential][:old_password]
      success = @credential.update_attributes change_password_params
    else
      success = false
      flash[:alert] = 'Incorrect old password. Please try again.'
    end
  else
    @credential = Credentials::Password.new change_password_params
    @credential.user = current_user
    success = @credential.save
  end
  respond_to do |format|
    if success
      format.html do
        redirect_to session_url, notice: 'Password updated'
      end
      format.json { head :no_content }
    else
      format.html { render action: :password_change }
      format.json { render json: { error: :invalid } }
    end
  end
end

#createObject

POST /session



67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
 
# File 'lib/authpwn_rails/session_controller.rb', line 67

def create
  # Workaround for lack of browser support for the formaction attribute.
  return reset_password if params[:reset_password]

  @redirect_url = params[:redirect_url] || session_url
  @session = Session.from_params params
  auth = User. @session
  unless auth.kind_of? Symbol
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end

  respond_to do |format|
    if current_user
      format.html { redirect_to @redirect_url }
      format.json do
        user_data = current_user.as_json
        if current_user.class.include_root_in_json
          user_data = user_data['user']
        end
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    else
      error_text = bounce_notice_text auth
      format.html do
        if params[:redirect_url]
          redirect_to new_session_url, flash: { alert: error_text,
              auth_redirect_url: @redirect_url }
        else
          redirect_to new_session_url, alert: error_text
        end
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  end
end

#destroyObject

DELETE /session



220
221
222
223
224
225
226
 
# File 'lib/authpwn_rails/session_controller.rb', line 220

def destroy
  self.set_session_current_user nil
  respond_to do |format|
    format.html { redirect_to session_url }
    format.json { head :no_content }
  end
end

#destroy_api_tokenObject

DELETE /api_token



121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
 
# File 'lib/authpwn_rails/session_controller.rb', line 121

def destroy_api_token
  unless current_user
    bounce_user
    return
  end

  api_token = Tokens::Api.where(user_id: current_user.id).first
  if api_token
    api_token.destroy
    respond_to do |format|
      format.html do
        redirect_to api_token_session_url,
                    notice: 'Your old API token has been revoked'
      end
      format.json { render json: {} }
    end
  else
    respond_to do |format|
      format.html do
        redirect_to api_token_session_url,
                    alert: 'You had no old API token to revoke'
      end
      format.json { head :not_found }
    end
  end
end

#newObject

GET /session/new



34
35
36
37
38
 
# File 'lib/authpwn_rails/session_controller.rb', line 34

def new
  @session = Session.from_params params
  @redirect_url = flash[:auth_redirect_url]
  redirect_to session_url if current_user
end

#omniauthObject

GET /auth/twitter/callback POST /auth/twitter/callback



292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
 
# File 'lib/authpwn_rails/session_controller.rb', line 292

def omniauth
  @redirect_url = params[:redirect_url] || session_url
  omni_auth = request.env['omniauth.auth']
  auth = Credentials::OmniAuthUid.authenticate omni_auth
  unless auth.kind_of? Symbol
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end

  respond_to do |format|
    if current_user
      format.html { redirect_to @redirect_url }
    else
      error_text = bounce_notice_text auth
      format.html do
        if params[:redirect_url]
          redirect_to new_session_url, flash: { alert: error_text,
              auth_redirect_url: @redirect_url }
        else
          redirect_to new_session_url, alert: error_text
        end
      end
    end
  end
end

#omniauth_failureObject

GET /auth/failure



319
320
321
322
323
324
325
326
 
# File 'lib/authpwn_rails/session_controller.rb', line 319

def omniauth_failure
  respond_to do |format|
    format.html do
      redirect_to new_session_url,
                  alert: 'Authentication failed. Please try again.'
      end
  end
end

#password_changeObject

GET /session/change_password



229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
 
# File 'lib/authpwn_rails/session_controller.rb', line 229

def password_change
  unless current_user
    bounce_user
    return
  end

  respond_to do |format|
    format.html do
      @credential = current_user.credentials.
                                 where(type:  'Credentials::Password').first
      unless @credential
        @credential = Credentials::Password.new
        @credential.user = current_user
      end
      # Renders session/password_change.html.erb
    end
  end
end

#reset_passwordObject

POST /session/reset_password



149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
 
# File 'lib/authpwn_rails/session_controller.rb', line 149

def reset_password
  email = params[:session] && params[:session][:email]
  credential = Credentials::Email.with email

  if user = (credential && credential.user)
    token = Tokens::PasswordReset.random_for user
    email = ::SessionMailer.reset_password_email(email, token, root_url)
    # TODO(pwnall): fix the serialization errors blocking deliver_later
    email.deliver_now
  end

  respond_to do |format|
    if user
      format.html do
        redirect_to new_session_url, alert:
            'Please check your e-mail for instructions'
      end
      format.json { render json: { } }
    else
      error_text = 'Invalid e-mail'
      format.html do
        redirect_to new_session_url, alert: error_text
      end
      format.json do
        render json: { error: :not_found, text: notice }
      end
    end
  end
end

#showObject

GET /session



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
# File 'lib/authpwn_rails/session_controller.rb', line 41

def show
  @user = current_user || User.new
  if @user.new_record?
    welcome
    unless performed?
      respond_to do |format|
        format.html { render action: :welcome }
        format.json { render json: {} }
      end
    end
  else
    home
    unless performed?
      respond_to do |format|
        format.html { render action: :home }
        format.json do
          user_data = @user.as_json
          user_data = user_data['user'] if @user.class.include_root_in_json
          render json: { user: user_data, csrf: form_authenticity_token }
        end
      end
    end
  end
end

#tokenObject

GET /session/token/token-code



180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
 
# File 'lib/authpwn_rails/session_controller.rb', line 180

def token
  # NOTE: We don't use Tokens::Base here because we don't want users to abuse
  #       API tokens to build permanent login links.
  #
  # This repeats the code in Token::Base.authenticate, because we need the
  # token.
  if token = Tokens::OneTime.with_code(params[:code]).first
    auth = token.authenticate
  else
    auth = :invalid
  end

  if auth.is_a? Symbol
    error_text = bounce_notice_text auth
    respond_to do |format|
      format.html do
        redirect_to new_session_url, flash: { alert: error_text,
            auth_redirect_url: session_url }
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  else
    self.set_session_current_user auth
    home_with_token token
    unless performed?
      respond_to do |format|
        format.html { redirect_to session_url }
        format.json do
          user_data = current_user.as_json
          if current_user.class.include_root_in_json
            user_data = user_data['user']
          end
          render json: { user: user_data, csrf: form_authenticity_token }
        end
      end
    end
  end
end