Class: Janus::SessionsController

Inherits:
ApplicationController
  • Object
Includes:
InternalHelpers
Defined in:
lib/janus/controllers/sessions_controller.rb

Overview

This controller is responsible for creating and destroying user sessions.

The creation uses the DatabaseAuthenticatable strategy, while the destruction simply destroys any session, whatever strategy it was created with. Janus hooks will be called, allowing to destroy any Rememberable cookies as well as any user defined behavior.

Instance Method Summary

Methods included from InternalHelpers

#authenticate!, #janus_scope, #mailer_class, #resource, #resource=, #resource_authentication_params, #resource_class, #resource_name, #respond_with_failure, #respond_with_success

Instance Method Details

#add_remote_authentication_key(return_to, user) ⇒ Object

# File 'lib/janus/controllers/sessions_controller.rb', line 126

def add_remote_authentication_key(return_to, user)
  query = return_to.query_values || {}
  return_to.query_values = query.merge(
    user.class.remote_authentication_key => user.generate_remote_token!
  )
end

#after_sign_in_url(user) ⇒ Object

An overridable method that returns the default path to send the just signed-in user to. Defaults to returning the user object itself, which Rails interprets as `user_path(user)`.

# File 'lib/janus/controllers/sessions_controller.rb', line 45

def after_sign_in_url(user)
  user
end

#after_sign_out_url(scope) ⇒ Object

An overridable method that returns the default path to send the just signed-out user to. Defaults to `root_url`.

# File 'lib/janus/controllers/sessions_controller.rb', line 51

def after_sign_out_url(scope)
  root_url
end

#createObject

# File 'lib/janus/controllers/sessions_controller.rb', line 28

def create
  if valid_resource?
    # Sign the resource in under the current scope; :rememberable lets the
    # Rememberable hook set its cookie when the form asked for it.
    janus.login(resource, :scope => janus_scope, :rememberable => params[:remember_me])
    respond_with_success { redirect_after_sign_in(resource) }
  else
    respond_with_failure :not_found, :status => :unauthorized
  end
end

#destroyObject

# File 'lib/janus/controllers/sessions_controller.rb', line 37

def destroy
  janus.logout(janus_scope)
  respond_with_success { redirect_to after_sign_out_url(janus_scope) }
end

#never_return_to(scope) ⇒ Object

Returns an Array of URLs that we must never automatically return to, so as to prevent infinite redirect loops: we must, for instance, never return to new_session_path.

If you ever need to override this method, don't forget to call `super`. For instance:

def never_return_to(scope)
  super + [ my_peculiar_path, another_path ]
end

# File 'lib/janus/controllers/sessions_controller.rb', line 84

def never_return_to(scope)
  scope = Janus.scope_for(scope)
  list = [new_session_path(scope)]

  begin
    list + [
      destroy_session_path(scope),
      new_password_path(scope),
      edit_password_path(scope)
    ]
  rescue NoMethodError
    list
  end
end

#newObject

# File 'lib/janus/controllers/sessions_controller.rb', line 17

def new
  params[:return_to] ||= request.env["HTTP_REFERER"]

  if signed_in?(janus_scope)
    redirect_after_sign_in(send("current_#{janus_scope}"))
  else
    self.resource = resource_class.new
    respond_with(resource)
  end
end

#redirect_after_sign_in(user) ⇒ Object

Either redirects the user to after_sign_in_url or to params[:return_to].

If params[:return_to] is an absolute URL rather than just a path, and its host is not the current request host, valid_remote_host? is invoked to decide whether we may redirect there at all. This is what keeps RemoteAuthenticatable auth tokens from being sent to arbitrary hosts: the token is only appended when the host has been explicitly allowed.

# File 'lib/janus/controllers/sessions_controller.rb', line 105

def redirect_after_sign_in(user)
  if params[:return_to].present?
    return_to = Addressable::URI.parse(params[:return_to])

    unless never_return_to(user).include?(return_to.path)
      # path or same host redirection: a path-only return_to has no host,
      # so it is checked against the current request host
      if valid_host?(return_to.host || request.host)
        redirect_to params[:return_to] and return
      end

      # external host redirection: only allow-listed hosts, and only those
      # receive a remote authentication token
      if valid_remote_host?(return_to.host)
        add_remote_authentication_key(return_to, user) if user.class.include?(Janus::Models::RemoteAuthenticatable)
        redirect_to return_to.to_s and return
      end
    end
  end

  redirect_to after_sign_in_url(user)
end

#valid_host?(host) ⇒ Boolean

Returns true if host is request.host. You may want to override this method to check whether the user may access the current host, and return false otherwise.

For instance, when a user signed in from a subdomain she can't access and you want to redirect her to another subdomain.

Returns:

  • (Boolean)

# File 'lib/janus/controllers/sessions_controller.rb', line 60

def valid_host?(host)
  host == request.host
end

#valid_remote_host?(host) ⇒ Boolean

Must return true if host is a known host to which we allow redirecting the user together with an auth token.

Warning: child classes must override this method, because it always returns false by default, so no external redirect (and no token) is ever issued unless you do.

Returns:

  • (Boolean)

# File 'lib/janus/controllers/sessions_controller.rb', line 69

def valid_remote_host?(host)
  false
end
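The following is an added illustration, not code from the janus gem: a plain-Ruby class that reproduces the decision redirect_after_sign_in makes, with valid_host? and valid_remote_host? filled in the way a child controller would fill them (exact-match allow-list), and with the token appended the way add_remote_authentication_key does. It uses the stdlib URI module instead of Addressable so it runs without extra gems, and a SecureRandom value in place of generate_remote_token!; the host names, the never_return_to paths and the auth_token parameter name are assumptions.

```ruby
require "uri"
require "securerandom"

# Added example, not part of the janus gem. Models the return_to decision of
# Janus::SessionsController#redirect_after_sign_in outside of Rails.
class SignInRedirectPolicy
  Decision = Struct.new(:kind, :url)

  # request_host: host the sign-in request arrived on.
  # remote_hosts: exact allow-list of hosts that may receive an auth token.
  # token_param:  query parameter carrying the token (hypothetical name).
  def initialize(request_host:, remote_hosts: [], token_param: "auth_token")
    @request_host = request_host
    @remote_hosts = remote_hosts.map(&:downcase)
    @token_param  = token_param
  end

  # Mirrors the gem's default: only the current request host is "local".
  def valid_host?(host)
    host == @request_host
  end

  # Exact match against the allow-list. A suffix check such as
  # host.end_with?("partner.example") would also accept evilpartner.example.
  def valid_remote_host?(host)
    @remote_hosts.include?(host.to_s.downcase)
  end

  # Paths never returned to (assumed routes, standing in for never_return_to).
  def never_return_to
    ["/users/sign_in", "/users/sign_out", "/users/password/new", "/users/password/edit"]
  end

  # Returns a Decision whose kind is:
  #   :local   -> follow return_to as given (path or same-host URL)
  #   :remote  -> allow-listed external host, token appended to the query
  #   :default -> fall back to after_sign_in_url
  def decide(return_to)
    return Decision.new(:default, nil) if return_to.nil? || return_to.empty?

    uri = begin
      URI.parse(return_to)
    rescue URI::InvalidURIError
      return Decision.new(:default, nil) # unparseable input is never followed
    end

    return Decision.new(:default, nil) if never_return_to.include?(uri.path)

    # "//evil.example/x" parses with host "evil.example", so a protocol-relative
    # URL is treated as external rather than as a local path.
    host = uri.host || @request_host
    return Decision.new(:local, return_to) if valid_host?(host)

    if valid_remote_host?(host)
      return Decision.new(:remote, add_remote_authentication_key(uri).to_s)
    end

    Decision.new(:default, nil)
  end

  private

  # Same shape as the controller's add_remote_authentication_key, with URI's
  # form helpers standing in for Addressable's query_values.
  def add_remote_authentication_key(uri)
    query = URI.decode_www_form(uri.query || "")
    query << [@token_param, SecureRandom.urlsafe_base64(32)] # stands in for generate_remote_token!
    uri.query = URI.encode_www_form(query)
    uri
  end
end

# Constructed inputs, run stand-alone:
if __FILE__ == $PROGRAM_NAME
  policy = SignInRedirectPolicy.new(request_host: "app.example.com",
                                    remote_hosts: ["partner.example"])
  ["/dashboard", "//evil.example/x", "https://partner.example/cb?x=1",
   "https://evilpartner.example/", "/users/sign_in"].each do |candidate|
    d = policy.decide(candidate)
    puts "#{candidate.ljust(34)} -> #{d.kind} #{d.url}"
  end
end
```

Note that, as in the gem, the never_return_to check compares only the path, so a same-host absolute URL pointing at the sign-in page is also rejected; and that the :local branch redirects to the raw parameter, exactly as the controller does, which is why the host check must run before it.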