Module: HubSsoLib::Core

Defined in:

lib/hub_sso_lib.rb

Overview

Module: Core #

Various authors                                            #
                                                           #

Purpose: The barely recognisable core of acts_as_authenticated’s #

AuthenticatedSystem module, modified to work with the      #
other parts of HubSsoLib. You should include this module   #
to use its facilities.                                     #
                                                           #

Author: Various; adaptation by A.D.Hodgkinson #

#

History: 20-Oct-2006 (ADH): Integrated into HubSsoLib. #

Class Method Summary

• .included(base) ⇒ Object

  Inclusion hook to make various methods available as ActionView helpers.

Instance Method Summary

• #hubssolib_account_link ⇒ Object

  Returns markup for a link that leads to Hub’s login or logout link, using pure HTML + CSS for styling.

• #hubssolib_afterwards ⇒ Object

  Mandatory controller “after_action” callback method to tidy up after Hub actions during a request.

• #hubssolib_authorized?(action = action_name, classname = self.class) ⇒ Boolean

  Check if the user is authorized to perform the current action.

• #hubssolib_beforehand ⇒ Object

  Mandatory controller “before_action” callback method which activates HubSsoLib permissions management, session expiry and so-on.

• #hubssolib_clear_flash ⇒ Object

  Clears the hub flash for logged-in users, but not the local application session flash.

• #hubssolib_current_user ⇒ Object

  Accesses the current user, via the DRb server if necessary.

• #hubssolib_current_user=(user) ⇒ Object

  Sets the currently signed in user.

• #hubssolib_destroy_user_sessions(hub_user_id) ⇒ Object

  WARNING: Comparatively slow.

• #hubssolib_ensure_https ⇒ Object

  Ensure the current request is carried out over HTTPS by redirecting back to the current URL with the HTTPS protocol if it isn’t.

• #hubssolib_enumerate_users ⇒ Object

  WARNING: Slow.

• #hubssolib_flash_data ⇒ Object

  Return flash data for known keys, then all remaining keys, from both the cross-application and standard standard flash hashes.

• #hubssolib_flash_markup ⇒ Object

  A companion to #hubssolib_flash_data which returns standardised Flash markup for your view.

• #hubssolib_get_exception_message(id_data) ⇒ Object

  Retrieve the message of an exception stored as an object in the given string.

• #hubssolib_get_flash ⇒ Object

  Flash data can be carried across the Hub session, stored in the DRb server as a result, and is thus cleared automatically if a session gets dropped.

• #hubssolib_get_user_address ⇒ Object

  Public read-only accessor methods for common user activities: return the current user’s e-mail address, or nil if there’s no user.

• #hubssolib_get_user_id ⇒ Object

  Public read-only accessor methods for common user activities: return the Hub database ID of the current user account, or nil if there’s no user.

• #hubssolib_get_user_name ⇒ Object

  Public read-only accessor methods for common user activities: return the current user’s name as a string, or nil if there’s no user.

• #hubssolib_get_user_roles ⇒ Object

  Public read-only accessor methods for common user activities: return the current user’s roles as a Roles object, or nil if there’s no user.

• #hubssolib_log_in(user) ⇒ Object

  Log in the user.

• #hubssolib_log_out ⇒ Object

  Log out the user.

• #hubssolib_logged_in? ⇒ Boolean

  Returns true or false if a user is logged in or not, respectively.

• #hubssolib_privileged? ⇒ Boolean

  Is the current user privileged? Anything other than normal user privileges will suffice.

• #hubssolib_promote_uri_to_ssl(uri_str, host = nil) ⇒ Object

  Take a URI and pass an optional host parameter.

• #hubssolib_redirect_back_or_default(default) ⇒ Object

  Deprecated.

• #hubssolib_register_user_change_handler(app_name:, app_root:, task_name:) ⇒ Object

  If an application needs to know about changes of a user e-mail address or display name (e.g. because of sync to a local relational store of users related to other application-managed resources, with therefore a desire to keep that store up to date), it can register a task to run on-change here.

• #hubssolib_registered_user_change_handlers ⇒ Object

  Returns all change handlers registered by prior calls made to #hubssolib_register_user_change_handler.

• #hubssolib_retrieve_action(**args) ⇒ Object

  The equivalent of #hubssolib_review_action, but for retrieving details of an action when Hub invokes your callback via POST request.

• #hubssolib_retrieve_user_sessions(hub_user_id) ⇒ Object

  WARNING: Comparatively slow.

• #hubssolib_returnable_account_url(universal: false, logged_in: self.hubssolib_logged_in?, return_to: nil) ⇒ Object

  Return a URL that leads to a Hub “log in” page if the user is not logged in currently, else an “account” page for logged-in users.

• #hubssolib_review_action(**args) ⇒ Object

  Convenience accessor to HubSsoLib::Trust.get_trust_object().review_action - see that method for details.

• #hubssolib_set_flash(symbol, message) ⇒ Object

  Set Flash information under the given symbol with the given text message, using the Hub cross-application flash store if logged in, else the this-application local session flash store otherwise.

• #hubssolib_store_location(uri_str = request.url) ⇒ Object

  Deprecated.

• #hubssolib_trusted? ⇒ Boolean

  Convenience method that returns true if there’s a currently logged-in Hub user that has been flagged as trusted, else - whether there is no current user, or they haven’t been flagged as trusted - returns false.

• #hubssolib_unique_name ⇒ Object

  Return a human-readable unique ID for a user.

• #hubssolib_update_user_sessions(hub_user_id, hub_user) ⇒ Object

  WARNING: Comparatively slow.

Class Method Details

.included(base) ⇒ Object

Inclusion hook to make various methods available as ActionView helpers.

# File 'lib/hub_sso_lib.rb', line 1739

def self.included(base)
  if base.respond_to?(:helper_method)
    base.send(
      :helper_method,

      :hubssolib_current_user,
      :hubssolib_unique_name,
      :hubssolib_returnable_account_url,
      :hubssolib_account_link,
      :hubssolib_flash_data,
      :hubssolib_flash_markup,

      :hubssolib_logged_in?,
      :hubssolib_authorized?,
      :hubssolib_privileged?,
      :hubssolib_trusted?
    )
  end
end

Instance Method Details

#hubssolib_account_link ⇒ Object

Returns markup for a link that leads to Hub’s login or logout link, using pure HTML + CSS for styling. A universal “conditional login” link is used since page data may be old due to e.g. a “back” button being used, after the user either logged in or out elsewhere. This possibility is also why JavaScript is used, updating the button styling the correct login state if needed. This requires the “pageshow” event to be supported. NOSCRIPT browsers use the a no-cache image-based fallback, which is much less efficient, but works.

Although the JavaScript-powered option could use the non-conditional link for log in/out and swap those, it’s simpler just to use generate the same link for all states - script-capable or otherwise, logged in or out,

# File 'lib/hub_sso_lib.rb', line 1119

def hubssolib_account_link
  logged_in_url    = self.hubssolib_returnable_account_url(universal: false, logged_in: true)
  logged_out_url   = self.hubssolib_returnable_account_url(universal: false, logged_in: false)
  universal_url    = self.hubssolib_returnable_account_url(universal: true)

  noscript_img_src = "#{HUB_PATH_PREFIX}/account/login_indication.png"
  noscript_img_tag = helpers.image_tag(noscript_img_src, size: '90x22', border: '0', alt: 'Log in or out')

  logged_in_link   = helpers.link_to('Account',        logged_in_url,  id: 'hubssolib_logged_in_link')
  logged_out_link  = helpers.link_to('Log in',         logged_out_url, id: 'hubssolib_logged_out_link')
  noscript_link    = helpers.link_to(noscript_img_tag, universal_url,  id: 'hubssolib_login_noscript')

  # Yes, it's ugly, but yes, it works and it's a lot better for the server
  # to avoid the repeated image fetches. It probably works out as overall
  # more efficient for clients too - despite all the JS etc. work, there's
  # no network fetch overhead or image rendering. On mobile in particular,
  # the JS solution is likely to use less battery power.
  #
  safe_markup = <<~HTML
    <div id="hubssolib_login_indication">
      <noscript>
        #{noscript_link}
      </noscript>
    </div>
    <script type="text/javascript">
      const logged_in_html  = "#{helpers.j(logged_in_link)}";
      const logged_out_html = "#{helpers.j(logged_out_link)}";
      const container       = document.getElementById('hubssolib_login_indication')

      #{
        # No '?.' support in NetSurf's JS engine, so can't do the match
        # and pop in a single line via "?.pop() || ''".
      }
      function hubSsoLibLoginStateWriteLink() {
        const regexp = '#{helpers.j(HUB_LOGIN_INDICATOR_COOKIE)}\\s*=\\s*([^;]+)';
        const match  = document.cookie.match(regexp);
        const flag   = (match ? match.pop() : null) || '';

        if (flag === '#{HUB_LOGIN_INDICATOR_COOKIE_VALUE}') {
          container.innerHTML = logged_in_html;
        } else {
          container.innerHTML = logged_out_html;
        }
      }
      #{
        # Immediate update, plus on-load update - including fully cached
        # loads in the browser when the "Back" button is used. No stale
        # login indications should thus arise from cached data.
      }
      hubSsoLibLoginStateWriteLink();
      window.addEventListener('load',     hubSsoLibLoginStateWriteLink);
      window.addEventListener('pageshow', hubSsoLibLoginStateWriteLink);
    </script>
  HTML

  return safe_markup.html_safe()
end

#hubssolib_afterwards ⇒ Object

Mandatory controller “after_action” callback method to tidy up after Hub actions during a request. Usually invoked in ApplicationController.

# File 'lib/hub_sso_lib.rb', line 1547

def hubssolib_afterwards
  begin
    DRb.current_server
  rescue DRb::DRbServerNotFound
    # Nothing to do; no service is running.
  end
end

#hubssolib_authorized?(action = action_name, classname = self.class) ⇒ Boolean

Check if the user is authorized to perform the current action. If calling from a helper, pass the action name and class name; otherwise by default, the current action name and ‘self.class’ will be used.

Override this method in your controllers if you want to restrict access to a different set of actions. Presently, the current user’s roles are compared against the caller’s permissions hash and the action name.

Returns:

• (Boolean)

# File 'lib/hub_sso_lib.rb', line 1185

def hubssolib_authorized?(action = action_name, classname = self.class)

  # Classes with no permissions object always authorise everything.
  # Otherwise, ask the permissions object for its opinion.

  if (classname.respond_to? :hubssolib_permissions)
    return classname.hubssolib_permissions.permitted?(hubssolib_get_user_roles, action)
  else
    return true
  end
end

#hubssolib_beforehand ⇒ Object

Mandatory controller “before_action” callback method which activates HubSsoLib permissions management, session expiry and so-on. Usually invoked in ApplicationController.

# File 'lib/hub_sso_lib.rb', line 1458

def hubssolib_beforehand

  # Does this action require a logged in user?
  #
  if (self.class.respond_to? :hubssolib_permissions)
    login_is_required = !self.class.hubssolib_permissions.permitted?('', action_name)
  else
    login_is_required = false
  end

  # If we require login but we're logged out, redirect to Hub login.
  # NOTE EARLY EXIT
  #
  logged_in = hubssolib_logged_in?

  if logged_in == false
    cookies.delete(HUB_LOGIN_INDICATOR_COOKIE, domain: :all, path: '/')

    if login_is_required
      return hubssolib_must_login()
    else
      return true
    end
  end

  cookies[HUB_LOGIN_INDICATOR_COOKIE] = {
    value:    HUB_LOGIN_INDICATOR_COOKIE_VALUE,
    path:     '/',
    domain:   :all,
    expires:  1.year, # I.e. *not* session-scope
    secure:   ! hub_bypass_ssl?,
    httponly: false
  }

  # So we reach here knowing we're logged in, but the action may or
  # may not require authorisation.

  if (login_is_required)

    # Login *is* required for this action. If the session expires,
    # redirect to Hub's login page via its expiry action. Otherwise
    # check authorisation and allow action processing to continue
    # if OK, else indicate that access is denied.

    if (hubssolib_session_expired?)
      hubssolib_log_out()
      hubssolib_set_flash(:attention, 'Sorry, your session timed out; you need to log in again to continue.')

      redirect_to hubssolib_returnable_account_url(logged_in: false)
    else
      hubssolib_set_last_used(Time.now.utc)
      return hubssolib_authorized? ? true : hubssolib_access_denied()
    end

  else

    # We have to update session expiry even for actions that don't
    # need us to be logged in, since we *are* logged in and need to
    # maintain that state. If, though, the session expires, we just
    # quietly log out and let action processing carry on.

    if (hubssolib_session_expired?)
      hubssolib_log_out()
      hubssolib_set_flash(:attention, 'Your session timed out, so you are no longer logged in.')
    else
      hubssolib_set_last_used(Time.now.utc)
    end

    return true # true -> let action processing continue

  end

rescue Exception => e
  Sentry.capture_exception(e) if defined?(Sentry) && Sentry.respond_to?(:capture_exception)

  # At this point there tends to be no Session data, so we're going to have
  # to encode the exception data into the URI... It must be escaped twice,
  # as many servers treat "%2F" in a URI as a "/". Apache can then fail to
  # serve the page, raising a 404 error unless "AllowEncodedSlashes on" is
  # specified in its configuration.
  #
  suffix   = '/' + CGI::escape(CGI::escape(hubssolib_set_exception_data(e)))
  new_path = HUB_PATH_PREFIX + '/tasks/service'
  redirect_to(new_path + suffix) unless request.path.include?(new_path)
end

#hubssolib_clear_flash ⇒ Object

Clears the hub flash for logged-in users, but not the local application session flash.

# File 'lib/hub_sso_lib.rb', line 1625

def hubssolib_clear_flash
  session = self.hubssolib_get_session()
  session.session_flash = {} unless session.nil?
end

#hubssolib_current_user ⇒ Object

Accesses the current user, via the DRb server if necessary. Returns a HubSsoLib::User object, or nil if none is available (this indicates that nobody is logged in, but #hubssolib_logged_in? should be used to check that, to allow for possible future more advanced logic within).

# File 'lib/hub_sso_lib.rb', line 1017

def hubssolib_current_user
  hub_session = self.hubssolib_get_session()
  user        = hub_session&.session_user

  return (user&.user_id.nil? ? nil : user)
end

#hubssolib_current_user=(user) ⇒ Object

Sets the currently signed in user. Note that although this works and is maintained, it is recommended that #hubssolib_log_in gets called instead.

user

A valid HubSsoLib::User. This will replace any existing logged in user. If there is no session yet, one will be created.

# File 'lib/hub_sso_lib.rb', line 1030

def hubssolib_current_user=(user)
  if user.nil?
    self.hubssolib_destroy_session!
  else
    hub_session = self.hubssolib_create_session()
    hub_session.session_user = user
  end
end

#hubssolib_destroy_user_sessions(hub_user_id) ⇒ Object

WARNING: Comparatively slow.

Remove all sessions under a given ID.

For information about performance limitations, see HubSsoLib::SessionFactory#destroy_sessions_by_user_id.

# File 'lib/hub_sso_lib.rb', line 1351

def hubssolib_destroy_user_sessions(hub_user_id)
  hubssolib_factory().destroy_sessions_by_user_id(hub_user_id) unless hub_user_id.nil?
end

#hubssolib_ensure_https ⇒ Object

Ensure the current request is carried out over HTTPS by redirecting back to the current URL with the HTTPS protocol if it isn’t. Returns ‘true’ if not redirected (already HTTPS), else ‘false’.

# File 'lib/hub_sso_lib.rb', line 1585

def hubssolib_ensure_https
  if request.ssl? || hub_bypass_ssl?
    return true
  else
    redirect_to(hubssolib_promote_uri_to_ssl(request.original_url))
    return false
  end
end

#hubssolib_enumerate_users ⇒ Object

WARNING: Slow.

Return an Array of HubSsoLib::User objects for all logged-in users, in an array. If a user is logged into more than one browser and thus has more than one session active, they will accordingly appear more than once in the returned data. This can also happen if a user loses key rotation and leaves an old, but not yet expired session behind when they log in anew.

In accordance with HubSsoLib::SessionFactory#enumerate_hub_session_ids documentation, a maximum of HUB_SESSION_ENUMERATION_KEY_MAX users can be returned here. If this is exceeded, an empty array is returned. If you are processing this information for display in a UI which itself requires a logged in user of some sort (which is very likely) and therefore know that at least one session does exist, you can treat an empty array as confirmation of “lots of sessions”. If you can’t be sure of at least one logged in user, then there is obvious arising ambiguity and this method does not solve it for you - it’s just “zero, or very many users”.

Users are ordered by least-recently-active first, most-recent last.

For information about performance limitations, see HubSsoLib::SessionFactory#enumerate_hub_session_ids.

# File 'lib/hub_sso_lib.rb', line 1304

def hubssolib_enumerate_users
  hub_session_info = hubssolib_factory().enumerate_hub_session_ids()
  hub_users        = []

  unless hub_session_info[:keys].nil? # (keyset too large, enumeration prohibited)
    hub_session_info[:keys].each do | key |
      session_user = hubssolib_factory().retrieve_session_by_key(key)&.session_user
      hub_users << session_user unless session_user&.user_id.nil?
    end
  end

  return hub_users
end

#hubssolib_flash_data ⇒ Object

Return flash data for known keys, then all remaining keys, from both the cross-application and standard standard flash hashes. The returned Hash is of the form:

{ 'hub' => ...data..., 'standard' => ...data... }

…where “…data…” is itself a Hash of flash keys yielding flash values. This allows both the Hub and standard flashes to have values inside them under the same key. All keys are strings.

You may well prefer to use #hubssolib_flash_markup to obtain something that can be written straight into a view, unless it doesn’t meet your markup requirements.

# File 'lib/hub_sso_lib.rb', line 1644

def hubssolib_flash_data

  # These known key values are used to guarantee an order in the output
  # for cases where multiple messages are defined.
  #
  compiled_data = { 'hub' => {}, 'standard' => {} }
  ordered_keys  = [
    'notice',
    'attention',
    'alert'
  ]

  # Get an array of keys for the Hub flash with the ordered key items
  # first and store data from that flash; same again for standard.

  hash = hubssolib_get_flash() || {}
  keys = ordered_keys | hash.keys

  keys.each do | key |
    compiled_data['hub'][key] = hash[key] if hash.key?(key)
  end

  if self.respond_to?( :flash )
    hash = flash.to_h()
    keys = ordered_keys | hash.keys

    keys.each do | key |
      compiled_data['standard'][key] = hash[key] if hash.key?(key)
    end
  end

  hubssolib_clear_flash()
  flash.clear()

  return compiled_data
end

#hubssolib_flash_markup ⇒ Object

A companion to #hubssolib_flash_data which returns standardised Flash markup for your view. THIS MUST ONLY BE USED IN A VIEW / HELPER, or at least somewhere that ActionView::Helpers::TagHelper#tag is available.

• An outer DIV with class “flash” wraps the content.

• Within that, H2 tags wrap each message in the flash data. These tags also have class “flash”, along with an additional tag which is equal to the key under which the message was found - so if adding a flash message under, say, :alert, the rendered result would be <h2 class="flash alert">...</h2>.

• As a special case, a key with the suffix _html_safe is taken to contain HTML-safe strings and potential markup, so you could do things like add emphasis, other classes or styles to the data written inside the H2 tag. Be very careful to make sure any non-markup data is properly escaped first. The key-related class in the arising H2 tag excludes the suffix, so e.g. :notice_html_safe will lead to class notice.

Hub session-sourced and Rails local app session-sourced flash data is treated the same, with Hub-sourced data listed first. The other is otherwise undefined (it’s rare for there to be more than one thing in the flash at any given time, though).

# File 'lib/hub_sso_lib.rb', line 1706

def hubssolib_flash_markup
  data = hubssolib_flash_data()
  proc = Proc.new do | key, value |
    key = key.to_s

    if key.end_with?( '_html_safe' )
      value = value.html_safe()
      key   = key.chomp( '_html_safe' )
    end

    helpers.tag.h2(value, class: "flash #{ key }")
  end

  return helpers.tag.div(class: 'flash') do
    data['hub'].each do | key, value |
      helpers.concat(proc.call(key, value))
    end

    data['standard'].each do | key, value |
      helpers.concat(proc.call(key, value))
    end
  end
end

#hubssolib_get_exception_message(id_data) ⇒ Object

Retrieve the message of an exception stored as an object in the given string.

# File 'lib/hub_sso_lib.rb', line 1733

def hubssolib_get_exception_message(id_data)
  hubssolib_get_exception_data(CGI::unescape(id_data))
end

#hubssolib_get_flash ⇒ Object

Flash data can be carried across the Hub session, stored in the DRb server as a result, and is thus cleared automatically if a session gets dropped. However, we also want this to work without being logged in, so in that case it uses the normal flash as a backup when writing.

This method returns the Hub flash if logged in, else nil.

# File 'lib/hub_sso_lib.rb', line 1601

def hubssolib_get_flash
  session = self.hubssolib_get_session()
  session&.session_flash
end

#hubssolib_get_user_address ⇒ Object

Public read-only accessor methods for common user activities: return the current user’s e-mail address, or nil if there’s no user.

# File 'lib/hub_sso_lib.rb', line 1265

def hubssolib_get_user_address
  self.hubssolib_current_user&.user_email
end

#hubssolib_get_user_id ⇒ Object

Public read-only accessor methods for common user activities: return the Hub database ID of the current user account, or nil if there’s no user. See also hubssolib_unique_name.

# File 'lib/hub_sso_lib.rb', line 1257

def hubssolib_get_user_id
  self.hubssolib_current_user&.user_id
end

#hubssolib_get_user_name ⇒ Object

Public read-only accessor methods for common user activities: return the current user’s name as a string, or nil if there’s no user. See also hubssolib_unique_name.

# File 'lib/hub_sso_lib.rb', line 1249

def hubssolib_get_user_name
  self.hubssolib_current_user&.user_real_name
end

#hubssolib_get_user_roles ⇒ Object

Public read-only accessor methods for common user activities: return the current user’s roles as a Roles object, or nil if there’s no user.

# File 'lib/hub_sso_lib.rb', line 1241

def hubssolib_get_user_roles
  self.hubssolib_current_user&.user_roles&.to_authenticated_roles
end

#hubssolib_log_in(user) ⇒ Object

Log in the user. This is just syntax sugar for setting the current user via #hubssolib_current_user, really. You can freely use either approach according to your preferred aesthetics, but this method is preferred.

user

A valid HubSsoLib::User instance. If this has a nil value for user_id, or if user is itself nil, you’ll cause the same effect as if explicitly logging out.

# File 'lib/hub_sso_lib.rb', line 993

def hubssolib_log_in(user)
  self.hubssolib_current_user = user # (which deals with all related session and cookie consequences)
end

#hubssolib_log_out ⇒ Object

Log out the user. Very few applications should ever need to call this, though Hub certainly does and it gets used internally too.

# File 'lib/hub_sso_lib.rb', line 1000

def hubssolib_log_out
  self.hubssolib_current_user = nil # (which deals with all related session and cookie consequences)
  @hubssolib_session = nil
  cookies.delete(HUB_LOGIN_INDICATOR_COOKIE, domain: :all, path: '/')
end

#hubssolib_logged_in? ⇒ Boolean

Returns true or false if a user is logged in or not, respectively.

Returns:

• (Boolean)

# File 'lib/hub_sso_lib.rb', line 1008

def hubssolib_logged_in?
  !!self.hubssolib_current_user
end

#hubssolib_privileged? ⇒ Boolean

Is the current user privileged? Anything other than normal user privileges will suffice. Can be called if not logged in. Returns ‘false’ for logged out or normal user privileges only, else ‘true’.

Returns:

• (Boolean)

# File 'lib/hub_sso_lib.rb', line 1201

def hubssolib_privileged?
  return false unless hubssolib_logged_in?

  pnormal = HubSsoLib::Roles.new(false).to_s
  puser   = hubssolib_get_user_roles().to_s

  return (puser && !puser.empty? && puser != pnormal)
end

#hubssolib_promote_uri_to_ssl(uri_str, host = nil) ⇒ Object

Take a URI and pass an optional host parameter. Decomposes the URI, sets the host you provide (or leaves it alone if you omit the parameter), then forces the scheme to ‘https’. Returns the result as a flat string.

# File 'lib/hub_sso_lib.rb', line 1573

def hubssolib_promote_uri_to_ssl(uri_str, host = nil)
  uri        = URI.parse(uri_str)
  uri.host   = host if host
  uri.scheme = hub_bypass_ssl? ? 'http' : 'https'

  return uri.to_s
end

#hubssolib_redirect_back_or_default(default) ⇒ Object

Deprecated. Don’t use this. See #hubssolib_returnable_account_url.

# File 'lib/hub_sso_lib.rb', line 1563

def hubssolib_redirect_back_or_default(default)
  Rails.logger.warn('hubssolib_redirect_back_or_default: DEPRECATED (always redirects to default)') rescue nil
  redirect_to(default)
end

#hubssolib_register_user_change_handler(app_name:, app_root:, task_name:) ⇒ Object

If an application needs to know about changes of a user e-mail address or display name (e.g. because of sync to a local relational store of users related to other application-managed resources, with therefore a desire to keep that store up to date), it can register a task to run on-change here. When a user edits their information, Hub runs through all such commands, allowing external applications to manage their own state with no need for coupled configuration or other duplication.

The registered name must be a Rake task and the application must specify its location in the filesystem so that the PWD can be changed there, in order to execute the Rake task via “bundle exec”. The task is passed the following parameters, in the specified order:

• User’s old e-mail address

• User’s old unique display name (as returned by #hubssolib_unique_name)

• User’s new e-mail address (which might be the same as the old)

• User’s old unique display name (which might be unchanged too)

This is a newer Hub interface which uses named parameters rather than positional:

app_name

Application name, e.g. “beast”; make sure this is unique.

app_root

Application’s Rails root, e.g. “/home/fred/rails/beast”.

task_name

Rake task name, e.g. “hub:update_user”.

An example invocation in “config/application.rb” might look like this:

module Foo
  class Application < Rails::Application

  require HubSsoLib::Core

    hubssolib_register_user_change_handler(
      app_name:  Rails.application.name,
      app_root:  Rails.root,
      task_name: 'hub:update_user'
    )

    config.load_defaults 8.0 # ...etc...
  end
end

# File 'lib/hub_sso_lib.rb', line 1408

def hubssolib_register_user_change_handler(app_name:, app_root:, task_name:)
  File.open(HUB_COMMAND_REGISTRY, File::RDWR | File::CREAT) do |file|
    file.flock(File::LOCK_EX)

    commands_json   = file.read()
    commands_hash   = (JSON.parse(commands_json) rescue nil) if commands_json.present?
    commands_hash ||= {}

    file.rewind()

    commands_hash[app_name] = {
      root: app_root,
      task: task_name
    }

    file.write(JSON.fast_generate(commands_hash))
    file.truncate(file.pos)
  end
end

#hubssolib_registered_user_change_handlers ⇒ Object

Returns all change handlers registered by prior calls made to #hubssolib_register_user_change_handler. Returns a Hash, keyed by Rails application name, with values of another Hash:

• root => Rails application root

• task => Name of Rake task to be run

All keys are Strings.

This is usually called by the Hub application only, when it is processing a user’s request to change their information.

# File 'lib/hub_sso_lib.rb', line 1440

def hubssolib_registered_user_change_handlers
  commands_hash = {}

  File.open(HUB_COMMAND_REGISTRY, File::RDWR | File::CREAT) do |file|
    file.flock(File::LOCK_EX)

    commands_json   = file.read()
    commands_hash   = (JSON.parse(commands_json) rescue nil) if commands_json.present?
    commands_hash ||= {}
  end

  return commands_hash
end

#hubssolib_retrieve_action(**args) ⇒ Object

The equivalent of #hubssolib_review_action, but for retrieving details of an action when Hub invokes your callback via POST request.

# File 'lib/hub_sso_lib.rb', line 1233

def hubssolib_retrieve_action(**args)
  HubSsoLib::Trust.get_trust_object().retrieve_action(**args)
end

#hubssolib_retrieve_user_sessions(hub_user_id) ⇒ Object

WARNING: Comparatively slow.

For a given HubSsoLib::User’s user ID, return any known sessions held by the DRb server, as an Hash of session keys with HubSsoLib::Session instances as values.

Returns an empty Hash if the given ID is nil.

Note that Hub sessions can disappear at any moment, so the session keys you find in the Hash might refer to extinct sessions by the time you get to do something with them. You can still access the data, but if you were to try and ask the DRb server for that key, it’d return nil.

Sessions are ordered by least-recently-active first, most-recent last.

For information about performance limitations, see HubSsoLib::SessionFactory#retrieve_sessions_by_user_id.

# File 'lib/hub_sso_lib.rb', line 1336

def hubssolib_retrieve_user_sessions(hub_user_id)
  if hub_user_id.nil?
    {}
  else
    hubssolib_factory().retrieve_sessions_by_user_id(hub_user_id)
  end
end

#hubssolib_returnable_account_url(universal: false, logged_in: self.hubssolib_logged_in?, return_to: nil) ⇒ Object

Return a URL that leads to a Hub “log in” page if the user is not logged in currently, else an “account” page for logged-in users.

universal

Use true if concerned that a “Back” browser button action might cause a page to appear that’s got a cached link which may no longer reflect the current state. This jumps to Hub and redirects to the “log in” or “account” destinations depending on current state. If using this, bear in mind that the link text must be ambiguous, because the eventual destination isn’t known.

It’s often better to just use #hubssolib_account_link to create markup for this in a navigation area.

The default is false, which means that a bespoke link for the exact current instantaneous log in state is generated; the logged_in parameter applies (see below).

logged_in

If universal is false, then this parameter defaults to the current user logged-in state, but can be overridden with true (act as if someone is logged in) or false (act as if someone is not logged in).

return_to

Overrides the use of request.original_url to give an alternative return-after-logging-in URL. Will be of no use for users already logged in. This is rarely used, but might be helpful if you (say) want them to return to the current page, but with a specific fragment added (“#foo”). Specify as a String, Symbol or URI, at your preference.

Note that the universal links, or a not-logged-in state link will include a query string which takes the value of request.original_url or, if not defined, tries request.referrer (else is absent). This is a URL used for the redirection after successful login. The logged-in state link does not require this addition so omits it for brevity.

# File 'lib/hub_sso_lib.rb', line 1075

def hubssolib_returnable_account_url(
  universal: false,
  logged_in: self.hubssolib_logged_in?,
  return_to: nil
)
  account_url = if universal
    "#{HUB_PATH_PREFIX}/account/login_conditional"
  else
    "#{HUB_PATH_PREFIX}/#{'account/login' unless logged_in}"
  end

  # Attach a return-to URL always for the universal case which needs to
  # work regardless of login state; else we only need it when logged out,
  # so that we can return to the originating location after logging in.
  # There's no functional difference - just a simpler URL that omits what
  # would otherwise be an unused query string parameter.
  #
  if universal or not logged_in
    if return_to.nil?
      request_obj = self.try(:request)
      return_to   = request_obj.try(:original_url) || request_obj.try(:referrer)
    end

    if return_to.present?
      account_url << "?return_to_url=#{CGI.escape(return_to.to_s)}"
    end
  end

  return account_url
end

#hubssolib_review_action(**args) ⇒ Object

Convenience accessor to HubSsoLib::Trust.get_trust_object().review_action

• see that method for details. Note that the Trust object is implemented

in the Hub application, not here; see:

HubSsoLib::Trust::Server::review_action

…in “app/hub/lib/hub_sso_lib/trust/server.rb”.

# File 'lib/hub_sso_lib.rb', line 1226

def hubssolib_review_action(**args)
  HubSsoLib::Trust.get_trust_object().review_action(**args)
end

#hubssolib_set_flash(symbol, message) ⇒ Object

Set Flash information under the given symbol with the given text message, using the Hub cross-application flash store if logged in, else the this-application local session flash store otherwise.

# File 'lib/hub_sso_lib.rb', line 1610

def hubssolib_set_flash(symbol, message)
  session = self.hubssolib_get_session()

  f   = hubssolib_get_flash()
  f ||= self.flash if self.respond_to?(:flash)
  f ||= {}

  f[symbol] = message

  session.session_flash = f unless session.nil?
end

#hubssolib_store_location(uri_str = request.url) ⇒ Object

Deprecated. Don’t use this. See #hubssolib_returnable_account_url.

# File 'lib/hub_sso_lib.rb', line 1557

def hubssolib_store_location(uri_str = request.url)
  Rails.logger.warn('hubssolib_store_location: DEPRECATED (no-op)') rescue nil
end

#hubssolib_trusted? ⇒ Boolean

Convenience method that returns true if there’s a currently logged-in Hub user that has been flagged as trusted, else - whether there is no current user, or they haven’t been flagged as trusted - returns false.

Returns:

• (Boolean)

# File 'lib/hub_sso_lib.rb', line 1214

def hubssolib_trusted?
  self.hubssolib_current_user&.user_trusted == 'true'
end

#hubssolib_unique_name ⇒ Object

Return a human-readable unique ID for a user. We don’t want to have e-mail addresses all over the place, but don’t want to rely on real names as unique - they aren’t. Instead, produce a composite of the user’s account database ID (which must be unique by definition) and their real name. See also hubssolib_get_name.

# File 'lib/hub_sso_lib.rb', line 1276

def hubssolib_unique_name
  user = self.hubssolib_current_user
  user ? "#{user.user_real_name} (#{user.user_id})" : 'Anonymous'
end

#hubssolib_update_user_sessions(hub_user_id, hub_user) ⇒ Object

WARNING: Comparatively slow.

If a Hub user record changes, make sure their session records reflect the updated demographics according to the HubSsoLib::User provided.

For information about performance limitations, see HubSsoLib::SessionFactory#destroy_sessions_by_user_id.

# File 'lib/hub_sso_lib.rb', line 1363

def hubssolib_update_user_sessions(hub_user_id, hub_user)
  hubssolib_factory().update_sessions_by_user_id(hub_user_id, hub_user) unless hub_user_id.nil?
end