Module: Auth::Concerns::DeviseConcern

Extended by:
ActiveSupport::Concern
Included in:
AdminCreateUsersController, AuthenticatedController, ProfilesController, SearchController, Shopping::CartItemsController, Shopping::CartsController, Shopping::DiscountsController, Shopping::PaymentsController, Shopping::ProductsController
Defined in:
app/controllers/auth/concerns/devise_concern.rb

Instance Method Summary collapse

Instance Method Details

#check_recaptchaObject

returns true if the recaptcha is not specified in the configuration returns true if the recaptcha is valid. expects the parameter ‘g-recaptcha-response’ in the params hash if the request is json, and has the header os-android, then it will use the android_recaptcha_api_key as the secret key, otherwise will use the default recaptch_secret key that should have been configured in the pre-initializer. it is currently being called in the registrations_controller on create and update, and in the otp action send_sms_otp,verify_sms_otp. so all these are protected by recaptcha, but not on iphone.



18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 18

def check_recaptcha
	
	return true unless Auth.configuration.recaptcha
    
   	recaptcha_options = {}
	if is_json_request?
		#puts "is json request."
		return true unless request.headers["OS-ANDROID"]
		#puts "android is there in headers."
		not_found("recaptcha validation error") unless Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
		#puts "android key is there in config."
		recaptcha_options[:secret_key] = Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
	end
	#puts "recaptcha_options are : #{recaptcha_options}"
	not_found("recaptcha validation error") unless verify_recaptcha(recaptcha_options)
end

#clear_client_and_redirect_urlObject

SHOULD WE OR NOT DELETE THE CLIENT AND REDIRECT URL? this was relevant only in the case of oauth visits suppose someone comes from remote with redir + client. these get set and stored in the session then he goes to oauth and comes back. by this time the instance variables are no more so we fall back on the session variables and redirect him the only worry was , that what if someone prompts the user to go to wordjelly with a redirect url of their choice. so what i do here right now is clear the instance redirect and client vars. then i set the client, if necessary from the session but while doing set_redirect_url i give first pref to the redir from the params, and then CHECK whether that is valid against the client already from the sessin. so basically they cannot be redirected to any url that is not stored against the client. so they can at the worst be redirected only to a url which was provided during client creation. so there is no need to delete the client from the session at every request, except if it is a json request.



61
62
63
64
65
66
67
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 61

def clear_client_and_redirect_url
    session.delete('omniauth.state')
    if is_json_request?
    	session.delete("client")
    	session.delete("redirect_url")
    end
end

#current_resource(resource) ⇒ Object

used only in render, redirect in DeviseController.class_eval



187
188
189
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 187

def current_resource(resource)
    send("current_#{resource.class.name.underscore.downcase}")
end

#do_before_requestObject 



174
175
176
177
178
179
180
181
182
183
184
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 174

def do_before_request
   #puts "came to do before request."
   clear_client_and_redirect_url
   
   set_client
   
   set_redirect_url

   protect_json_request

end

#ignore_json_requestObject 



40
41
42
43
44
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 40

def ignore_json_request
  if is_json_request?
    render :nothing => true, :status => 406 and return
  end
end

#is_json_request?Boolean

Returns:

  • (Boolean) 


121
122
123
124
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 121

def is_json_request?

     return (request.format.symbol == :json) ? true : false
end

#is_omniauth_callback?Boolean

Returns:

  • (Boolean) 


36
37
38
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 36

def is_omniauth_callback?	   
    controller_name == "omniauth_callbacks" 
end

#protect_json_requestObject 



126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 126

def protect_json_request
   	##should block any put action on the user
   	##and should render an error saying please do this on the server.
    if is_json_request? 
           #puts "it is a json request."
    	if action_name == "otp_verification_result"
    		##we let this action pass because, we make json ajax requests 
    		##from the web ui to this endpoint, and anyway it does
    		##not return anything sensitive.
               #puts "action name is otp verification result."
    	else
               #puts "action name is something else."
	    	if session[:client].nil?
                   #puts "cient is nil so rendering nothing."
	      		render :nothing => true , :status => :unauthorized
	      	else
                   #puts "client is not nil"
               end
      	end
    end
end

#set_clientObject 



69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 69

def set_client
 
 if session[:client]
   
   
   return true

 else
   #puts "params are: #{params.to_s}"
   #puts params[:state]
      #puts JSON.is_json?(params[:state])
      #puts "---- end --- "
      state = nil
   api_key = nil
   current_app_id = nil
   path = nil
   if params[:state] && JSON.is_json?(params[:state])
     state = JSON.parse(params[:state])
   end
   
   if state
     api_key = state["api_key"]
     current_app_id = state["current_app_id"]
     path = state["path"]
   elsif params[:api_key] && params[:current_app_id]
        #puts "the params api key and current app id are there."
     api_key = params[:api_key]
     current_app_id = params[:current_app_id]
   else
   end
   
   if api_key.nil? || current_app_id.nil?
     
   else
        #puts "api key:#{api_key}"
        #puts "current app id: #{current_app_id}"
        #puts "path is: #{path}"
        
     if session[:client] = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
       	    
            #puts "found valid clinet."
            request.env["omniauth.model"] = path
            
            self.m_client = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
            
       	return true
     end
   end
   return false
 end
end

#set_redirect_urlObject 



148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
 
# File 'app/controllers/auth/concerns/devise_concern.rb', line 148

def set_redirect_url
 
     # puts "the params redirect url is: #{params[:redirect_url]}"
     # puts "the session redirect url is: #{session[:redirect_url]}"
     redir_url = params[:redirect_url].nil? ? session[:redirect_url] : params[:redirect_url]

     #puts "redir url was: #{redir_url}"

     #puts "session[:client] is: #{session[:client]}"

     #puts "session[:client].redirect urls"
     #puts session[:client].redirect_urls
     
     #puts "does it contain the redirect url."
     #puts session[:client].contains_redirect_url?(redir_url)
     cli = session[:client]
     cli = Auth::Client.new(session[:client]) if session[:client].is_a? Hash

  if redir_url && session[:client] && cli.contains_redirect_url?(redir_url) && !(is_json_request?)
      
      session[:redirect_url] = redir_url
      
  end
end