Class: Securial::SessionsController

Inherits:
ApplicationController
Defined in:
app/controllers/securial/sessions_controller.rb

Overview

SessionsController

Controller for managing user authentication sessions.

This controller handles session-related operations including:

- User login and token issuance
- Session listing and management
- Token refresh
- Session revocation and logout

Session management is a critical security component, providing users with the ability to authenticate and manage their active sessions.

Routes typically mounted at Securial/sessions/* in the host application.

Instance Method Summary

Methods inherited from ApplicationController

#render_400, #render_404

Instance Method Details

#index ⇒ void

This method returns an undefined value.

Lists all active sessions for the current user.

Retrieves all active sessions belonging to the authenticated user, enabling users to monitor their login activity across devices.

# File 'app/controllers/securial/sessions_controller.rb', line 29

def index
  # Scoped to the authenticated user's own sessions; no other user's sessions are reachable here.
  @securial_sessions = Current.user.sessions
end

#login ⇒ void

This method returns an undefined value.

Authenticates a user and creates a new session.

Validates the provided credentials and, if successful, creates a new session and returns access and refresh tokens.

Parameters:

  • params[:email_address] (String)

    The user’s email address

  • params[:password] (String)

    The user’s password

# File 'app/controllers/securial/sessions_controller.rb', line 50

def login
  # Raises ActionController::ParameterMissing if either credential is absent.
  params.require([:email_address, :password])
  # authenticate_by returns nil on failure and still hashes the supplied password
  # when the email is unknown, so timing does not reveal whether the account exists.
  if user = User.authenticate_by(params.permit([:email_address, :password]))
    render_login_response(user)
  else
    # One generic message for both unknown email and wrong password.
    render status: :unauthorized,
           json: {
             errors: ["Invalid email address or password."],
             instructions: "Make sure to send the correct 'email_address' and 'password' in the payload",
           }
  end
end

#logout ⇒ void

This method returns an undefined value.

Ends the current user’s session.

Revokes the active session token, effectively logging the user out.

# File 'app/controllers/securial/sessions_controller.rb', line 68

def logout
  # @securial_session is loaded by #set_session; with no :id it is the current session.
  @securial_session.revoke!
  Current.session = nil
  head :no_content
end

#refresh ⇒ void

This method returns an undefined value.

Issues new tokens using a valid refresh token.

Validates the provided refresh token and, if valid, issues new access and refresh tokens to extend the user’s session.

Parameters:

  • params[:refresh_token] (String)

    The refresh token to validate

# File 'app/controllers/securial/sessions_controller.rb', line 81

def refresh
  # Assignment in the condition is deliberate: the session found by its refresh token becomes Current.session.
  if Current.session = Securial::Session.find_by(refresh_token: params[:refresh_token])
    # Only rotate tokens when the session accepts this request.
    if Current.session.is_valid_session_request?(request)
      Current.session.refresh!
      render status: :created,
             json: {
               access_token: Securial::Auth::AuthEncoder.encode(Current.session),
               refresh_token: Current.session.refresh_token,
               refresh_token_expires_at: Current.session.refresh_token_expires_at,
             }
      return
    end
  end
  # Unknown, expired or rejected token: the same response in every failure case.
  render status: :unprocessable_entity, json: {
    error: "Invalid or expired token.",
    instructions: "Please log in again to obtain a new access token.",
  }
end

#render_login_response(user) ⇒ void (private)

This method returns an undefined value.

Renders the appropriate response after successful authentication.

Checks if the user’s password has expired and either prompts for reset or creates a new session with tokens for the authenticated user.

Parameters:

  • user (User)

    The authenticated user

# File 'app/controllers/securial/sessions_controller.rb', line 142

def render_login_response(user)
  if user.password_expired?
    # Credentials were correct, but no session is created until the password is reset.
    render status: :forbidden,
           json: {
             errors: ["Password expired"],
             instructions: "Please reset your password before logging in.",
           }
  else
    # Creates the session (and sets Current.session) bound to this request.
    Securial::Auth::SessionCreator.create_session!(user, request)
    render status: :created,
           json: {
             access_token: Securial::Auth::AuthEncoder.encode(Current.session),
             refresh_token: Current.session.refresh_token,
             refresh_token_expires_at: Current.session.refresh_token_expires_at,
           }
  end
end

#revoke ⇒ void

This method returns an undefined value.

Revokes a specific session.

Invalidates the specified session, preventing further use of its tokens.

Parameters:

  • params[:id] (Integer)

    The ID of the session to revoke

# File 'app/controllers/securial/sessions_controller.rb', line 106

def revoke
  # @securial_session is loaded by #set_session from the current user's own sessions.
  @securial_session.revoke!
  # Clear Current.session only if the revoked session is the one making this request.
  Current.session = nil if @securial_session == Current.session
  head :no_content
end

#revoke_all ⇒ void

This method returns an undefined value.

Revokes all of the current user’s sessions.

Invalidates all active sessions for the current user, forcing logout across all devices.

# File 'app/controllers/securial/sessions_controller.rb', line 117

def revoke_all
  # Revokes every session of the current user, including the one making this request.
  Current.user.sessions.each(&:revoke!)
  Current.session = nil
  head :no_content
end
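The refresh and revocation behaviour described above (token rotation, request validation, revoked and expired sessions) in an added, self-contained example that is not part of Securial. DemoSession and DemoSessionStore are stand-ins with assumed semantics: refresh! rotates the token, revoke! disables the session, and valid_request? plays the role of is_valid_session_request? by checking revocation, expiry and the client's user agent.

```ruby
require "securerandom"

# In-memory stand-in for Securial::Session with ASSUMED semantics (not the gem's code):
# refresh! rotates the refresh token, revoke! disables the session,
# and valid_request? binds the session to the client that created it.
class DemoSession
  attr_reader :refresh_token, :refresh_token_expires_at

  def initialize(user_agent:, ttl:)
    @user_agent = user_agent
    @ttl = ttl
    @revoked = false
    refresh!
  end

  # Rotation: a new token is issued and the previous one stops matching any session.
  def refresh!
    @refresh_token = SecureRandom.hex(32)
    @refresh_token_expires_at = Time.now + @ttl
  end

  def revoke!
    @revoked = true
  end

  # Assumed shape of is_valid_session_request?: unrevoked, unexpired, same client.
  def valid_request?(user_agent)
    !@revoked && Time.now < @refresh_token_expires_at && user_agent == @user_agent
  end
end

class DemoSessionStore
  def initialize
    @sessions = []
  end

  def create(user_agent:, ttl: 3600)
    DemoSession.new(user_agent: user_agent, ttl: ttl).tap { |s| @sessions << s }
  end

  # Mirrors the controller's refresh action: look up by token, validate, rotate, or reject.
  # A nil token is rejected up front so it can never match an unset column.
  def refresh(refresh_token, user_agent)
    session = refresh_token && @sessions.find { |s| s.refresh_token == refresh_token }
    return { status: 422, error: "Invalid or expired token." } unless session&.valid_request?(user_agent)
    session.refresh!
    { status: 201, refresh_token: session.refresh_token, refresh_token_expires_at: session.refresh_token_expires_at }
  end
end
```

After one successful refresh the previous token no longer resolves to any session, and a revoked or expired session is rejected with the same generic 422 response the controller uses.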

#set_session ⇒ void (private)

This method returns an undefined value.

Finds and sets the session to be manipulated.

Uses the provided ID or defaults to the current session if no ID is provided.

# File 'app/controllers/securial/sessions_controller.rb', line 130

def set_session
  id = params[:id]
  # find is scoped to the current user's sessions, so an ID belonging to another
  # user raises ActiveRecord::RecordNotFound instead of exposing that session.
  @securial_session = id ? Current.user.sessions.find(id) : Current.session
end

#show ⇒ void

This method returns an undefined value.

Shows details for a specific session.

Retrieves and displays information for a single session.

Parameters:

  • params[:id] (Integer)

    The ID of the session to display

# File 'app/controllers/securial/sessions_controller.rb', line 39

def show
  # @securial_session is loaded by #set_session; the response is rendered implicitly.
end