Class: Decidim::Mpassid::OmniauthCallbacksController

Inherits:
Devise::OmniauthRegistrationsController
  • Object
Defined in:
app/controllers/decidim/mpassid/omniauth_callbacks_controller.rb


Instance Method Details

#failure ⇒ Object



# File 'app/controllers/decidim/mpassid/omniauth_callbacks_controller.rb', line 62

# Handles a failed MPASSid authentication.
#
# When the failed OmniAuth strategy exposes the SAML response, a few extra
# checks are run against it so the user gets a more specific error message
# than the generic Devise one. This method never accepts the response: it
# only picks the flash message and redirects, or falls back to `super`.
def failure
  strategy = failed_strategy
  saml_response = strategy&.response_object
  return super unless saml_response

  # Kept for reference: if more detail about the returned status codes is
  # ever needed, they can be read from the response like this.
  #
  # Status codes:
  #   Requester       = A problem with the request OR the user cancelled
  #                     the request at the identity provider.
  #   Responder       = The handling of the request failed.
  #   VersionMismatch = Wrong version in the request.
  #
  # Additional state codes:
  #   AuthnFailed   = The authentication failed OR the user cancelled the
  #                   process at the identity provider.
  #   RequestDenied = The authenticating endpoint (which the identity
  #                   provider redirects to) rejected the authentication.
  #
  # if !saml_response.send(:validate_success_status) && !saml_response.status_code.nil?
  #   codes = saml_response.status_code.split(" | ").map do |full_code|
  #     full_code.split(":").last
  #   end
  # end

  # Each key maps to a `validate_<key>` method on the SAML response object
  # (reached through `send` because those are not part of its public API).
  # The first failing check decides the message shown to the user.
  #
  # :success_status     - the response status is something other than
  #                       "Success". Usually one of: the user cancelled and
  #                       returned to the service; the identity service the
  #                       IdP redirects to rejected the request (e.g. the
  #                       user cancelled there); a technical problem with
  #                       the IdP or a malformed XML request.
  # :session_expiration - the local session should be expired, i.e. the
  #                       user took too long at the authorization endpoint.
  # :conditions         - the NotBefore / NotOnOrAfter conditions failed,
  #                       i.e. the response is outside the timeframe the
  #                       IdP allows.
  failed_check = %i[success_status session_expiration conditions].find do |check|
    !saml_response.send("validate_#{check}")
  end
  return super unless failed_check

  flash[:alert] = t(".#{failed_check}")
  redirect_to after_omniauth_failure_path_for(resource_name)
end

#mpassid ⇒ Object

This is always called after the user returns from the MPASSid identity provider's authentication flow.



# File 'app/controllers/decidim/mpassid/omniauth_callbacks_controller.rb', line 15

# OmniAuth callback action for MPASSid.
#
# Runs every time the identity provider sends the user back. Two cases:
#
# * The user is already signed in: they are most likely returning from an
#   authorization request. An identity record is ensured for the current
#   user, the authorization is granted and the user is redirected back to
#   the authorizations view.
# * Nobody is signed in: the request is a normal authentication and is
#   handed over to Decidim's own OmniAuth registration logic.
def mpassid
  return send(:create) unless user_signed_in?

  # Identity attributes shared by the lookup and the create below.
  identity_attrs = {
    organization: current_organization,
    provider: oauth_data[:provider],
    uid: user_identifier
  }

  # Make sure the signed-in user has an identity record, so that future
  # MPASSid sign ins can find this account.
  existing_identity = current_user.identities.find_by(identity_attrs)
  if existing_identity.nil?
    # Refuse to link an identity that is already bound to a different
    # user account.
    return fail_authorize(:identity_bound_to_other_user) if Decidim::Identity.find_by(identity_attrs)

    current_user.identities.create!(identity_attrs)
  end

  # Grant the authorization; bail out with the generic failure otherwise.
  return fail_authorize unless authorize_user(current_user)

  flash[:notice] = t(
    "authorizations.create.success",
    scope: "decidim.mpassid.verification"
  )
  # Prefer the stored return location; fall back to the authorizations view.
  redirect_target = stored_location_for(resource || :user) ||
                    decidim_verifications.authorizations_path
  redirect_to(redirect_target)
end

#sign_in_and_redirect(resource_or_scope, *args) ⇒ Object

This overrides a method from the Devise controller helpers. It is called when the user has been successfully authenticated, which means the authorization must also be added for the user automatically, because a successful MPASSid authentication means the user has been successfully authorized as well.



# File 'app/controllers/decidim/mpassid/omniauth_callbacks_controller.rb', line 123

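# Overrides the Devise controller helper of the same name (the method name
# was missing from the listing, which made it a syntax error).
#
# A successful MPASSid authentication also means the user is authorized, so
# the authorization is granted before Devise signs the user in and redirects.
#
# @param resource_or_scope [Object] the authenticated resource, or a Devise scope
# @param args [Array] forwarded untouched to the Devise implementation
def sign_in_and_redirect(resource_or_scope, *args)
  # Only real users get an authorization; plain scopes are passed through.
  if resource_or_scope.is_a?(::Decidim::User)
    return fail_authorize unless authorize_user(resource_or_scope)
  end

  # Zsuper: forwards resource_or_scope and *args as received.
  super
end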