Class: AuthController

Inherits:
ApplicationController
  • Object
Defined in:
lib/generators/auth/templates/controllers/auth_controller.rb


Instance Method Details

#login ⇒ Object



# File 'lib/generators/auth/templates/controllers/auth_controller.rb', line 7

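# Authenticates a user by username/password and, on success, issues a
# short-lived access token plus a rotating refresh token that is stored
# only in an HttpOnly cookie.
#
# An unknown username and a wrong password both answer 401 with the same
# body, so the response does not reveal which usernames exist (the previous
# find_by! raised RecordNotFound for unknown users, giving them a different
# status than a bad password).
#
# Reads params[:username] and params[:password]; renders JSON.
def login
  user = User.find_by(username: params[:username])
  # `user&.authenticate` is nil for an unknown user, so both failure modes
  # take the same branch. NOTE(review): the password hash is not computed
  # for unknown users, so response timing still differs slightly.
  if user&.authenticate(params[:password])
    access_token = encode_token({ user_id: user.id }, 15.minutes.from_now)
    refresh_raw  = user.generate_refresh_token

    set_refresh_cookie(refresh_raw, 7.days.from_now)

    render json: {
      user: UserSerializer.new(user),
      access_token: access_token
      # the refresh token is deliberately absent from the JSON body; it
      # travels only in the HttpOnly cookie set above
    }, status: :ok
  else
    render json: { error: "Invalid credentials" }, status: :unauthorized
  end
end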

#logout ⇒ Object



# File 'lib/generators/auth/templates/controllers/auth_controller.rb', line 53

# Revokes the presented refresh token, if there is one, and clears its
# cookie. Always answers 200 so a client that no longer holds a token can
# still complete a logout.
#
# Reads the encrypted refresh_token cookie, falling back to
# params[:refresh_token]; renders JSON.
def logout
  presented = cookies.encrypted[:refresh_token] || params[:refresh_token]
  unless presented.blank?
    # Only the SHA-256 digest of the raw token is persisted, so look it up
    # by digest and remove the row.
    RefreshToken.find_by(token_digest: Digest::SHA256.hexdigest(presented))&.destroy
    cookies.delete(:refresh_token)
  end
  render json: { message: "Logged out" }, status: :ok
end

#refresh ⇒ Object



# File 'lib/generators/auth/templates/controllers/auth_controller.rb', line 25

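# Rotates a refresh token: the presented token is validated, revoked under a
# row lock, and replaced by a fresh refresh token (HttpOnly cookie only)
# together with a new short-lived access token.
#
# A token that is unknown, already revoked or expired is treated as possible
# reuse/theft: every refresh token of that user is revoked and the cookie is
# cleared, logging the client out everywhere.
#
# Reads the encrypted refresh_token cookie, falling back to
# params[:refresh_token]; renders JSON.
def refresh
  raw = cookies.encrypted[:refresh_token] || params[:refresh_token]
  return render json: { error: "missing refresh token" }, status: :unauthorized if raw.blank?

  # Only the SHA-256 digest of the raw token is persisted, so look it up by digest.
  digest = Digest::SHA256.hexdigest(raw)
  rt = RefreshToken.find_by(token_digest: digest)

  # NOTE(review): assumes expires_at is always set; a nil value would raise here.
  if rt.nil? || rt.revoked_at.present? || rt.expires_at.past?
    rt&.user&.revoke_all_refresh_tokens!
    return reject_refresh_token
  end

  reused = false
  new_refresh_token = nil
  # Pessimistic row lock: two concurrent requests presenting the same token
  # must not both pass the check above and each obtain a valid token pair.
  # with_lock reloads the row, so a revocation committed in between is seen.
  rt.with_lock do
    if rt.revoked_at.present?
      reused = true
    else
      # Revoke the old token before minting its replacement, so a failure in
      # between leaves the client logged out rather than holding two tokens.
      rt.update!(revoked_at: Time.current)
      new_refresh_token = rt.user.generate_refresh_token
    end
  end

  if reused
    rt.user.revoke_all_refresh_tokens!
    return reject_refresh_token
  end

  # Same lifetime as the access token issued at login.
  new_access_token = encode_token({ user_id: rt.user_id }, 15.minutes.from_now)

  # The new refresh token travels only in the HttpOnly cookie, never in JSON.
  set_refresh_cookie(new_refresh_token, 7.days.from_now)

  render json: { access_token: new_access_token }, status: :ok
end

# Clears the refresh cookie and answers 401 for a token that is invalid or
# has been reused. `private def` limits visibility to this method only so
# the methods defined after it in the file keep their current visibility.
private def reject_refresh_token
  cookies.delete(:refresh_token)
  render json: { error: "Invalid or reused refresh token. Logged out everywhere." }, status: :unauthorized
end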