Class: Janus::SessionsController
- Inherits:
-
ApplicationController
- Object
- ApplicationController
- Janus::SessionsController
- Includes:
- InternalHelpers
- Defined in:
- lib/janus/controllers/sessions_controller.rb
Overview
This controller is responsible for creating and destroying authenticated user sessions.
The creation uses the DatabaseAuthenticatable strategy, while the destruction simply destroys any session, whatever strategy it was created with. Janus hooks will be called, of course, allowing to destroy any Rememberable cookies for instance, as well as any user defined behavior.
Instance Method Summary collapse
-
#after_sign_in_url(user) ⇒ Object
An overridable method that returns the default path to return the just signed in user to.
-
#after_sign_out_url(scope) ⇒ Object
An overridable method that returns the default path to return the just signed out user to.
- #create ⇒ Object
- #destroy ⇒ Object
-
#never_return_to(scope) ⇒ Object
Returns an Array of URL that we shouldn’t automatically return to.
-
#new ⇒ Object
skip_before_filter :authenticate_user!.
-
#redirect_after_sign_in(user) ⇒ Object
Either redirects the user to after_sign_in_url or to
params[:return_to]
. - #resource_params ⇒ Object
-
#valid_remote_host?(host) ⇒ Boolean
Returns true if host is known and that we allow to redirect the user with an auth_token.
Methods included from InternalHelpers
#authenticate!, #janus_scope, #mailer_class, #resource, #resource=, #resource_class, #resource_name
Instance Method Details
#after_sign_in_url(user) ⇒ Object
An overridable method that returns the default path to return the just signed in user to. Defaults to return the user object, which will be interpreted by rails as ‘user_path(user)`.
64 65 66 |
# File 'lib/janus/controllers/sessions_controller.rb', line 64 def after_sign_in_url(user) user end |
#after_sign_out_url(scope) ⇒ Object
An overridable method that returns the default path to return the just signed out user to. Defaults to ‘root_url`.
70 71 72 |
# File 'lib/janus/controllers/sessions_controller.rb', line 70 def after_sign_out_url(scope) root_url end |
#create ⇒ Object
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
# File 'lib/janus/controllers/sessions_controller.rb', line 29 def create self.resource = resource_class.find_for_database_authentication(params[resource_name]) if resource && resource.valid_password?(params[resource_name][:password]) janus.login(resource, :scope => janus_scope, :rememberable => params[:remember_me]) respond_to do |format| format.html { redirect_after_sign_in(resource) } format.any { head :ok } end else respond_to do |format| format.html do self.resource ||= resource_class.new(resource_params) resource.clean_up_passwords resource.errors.add(:base, :not_found) render "new", :status => :unauthorized end format.any { head :unauthorized } end end end |
#destroy ⇒ Object
52 53 54 55 56 57 58 59 |
# File 'lib/janus/controllers/sessions_controller.rb', line 52 def destroy janus.logout(janus_scope) respond_to do |format| format.html { redirect_to after_sign_out_url(janus_scope) } format.any { head :ok } end end |
#never_return_to(scope) ⇒ Object
Returns an Array of URL that we shouldn’t automatically return to. It actually returns URL to prevent infinite loops. We must for instance never return to new_sesssion_path.
If you ever needd to override this method, don’t forget to call ‘super`. For instance:
def never_return_to(scope)
super + [ my_peculiar_path, another_path ]
end
94 95 96 97 98 99 100 101 102 |
# File 'lib/janus/controllers/sessions_controller.rb', line 94 def never_return_to(scope) scope = Janus.scope_for(scope) list = [new_session_path(scope)] begin list + [ destroy_session_path(scope), new_password_path(scope), edit_password_path(scope) ] rescue NoMethodError list end end |
#new ⇒ Object
skip_before_filter :authenticate_user!
18 19 20 21 22 23 24 25 26 27 |
# File 'lib/janus/controllers/sessions_controller.rb', line 18 def new params[:return_to] ||= request.env["HTTP_REFERER"] if signed_in?(janus_scope) redirect_after_sign_in(send("current_#{janus_scope}")) else self.resource = resource_class.new respond_with(resource) end end |
#redirect_after_sign_in(user) ⇒ Object
Either redirects the user to after_sign_in_url or to params[:return_to]
.
If <tt>params is an absolute URL, and not just a path, valid_remote_host? will be invoked to check wether we should redirect to this URL or not, in order to secure auth tokens for RemoteAuthenticatable to leak into the wild.
110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 |
# File 'lib/janus/controllers/sessions_controller.rb', line 110 def redirect_after_sign_in(user) unless params[:return_to].blank? return_to = Addressable::URI.parse(params[:return_to]) unless never_return_to(user).include?(return_to.path) if return_to.host.nil? || return_to.host == request.host redirect_to params[:return_to] return elsif valid_remote_host?(return_to.host) if user.class.include?(Janus::Models::RemoteAuthenticatable) query = return_to.query_values || {} return_to.query_values = query.merge(user.class.remote_authentication_key => user.generate_remote_token!) end redirect_to return_to.to_s return end end end redirect_to after_sign_in_url(user) end |
#resource_params ⇒ Object
133 134 135 136 137 138 139 |
# File 'lib/janus/controllers/sessions_controller.rb', line 133 def resource_params if params.respond_to?(:permit) params.require(janus_scope).permit(*resource_class.authentication_keys) else params[janus_scope].slice(*resource_class.authentication_keys) end end |
#valid_remote_host?(host) ⇒ Boolean
Returns true if host is known and that we allow to redirect the user with an auth_token.
Warning: must be overwritten by child classes because it always returns false by default!
79 80 81 |
# File 'lib/janus/controllers/sessions_controller.rb', line 79 def valid_remote_host?(host) false end |