Module: SessionsHelper

Includes:

Gitlab::Utils::StrongMemoize

Included in:

ApplicationController, Gitlab::BaseDoorkeeperController

Defined in:

app/helpers/sessions_helper.rb

Instance Method Summary

• #ensure_authenticated_session_time ⇒ Object
• #limit_session_time ⇒ Object

  By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week).

• #obfuscated_email(email) ⇒ Object
• #recently_confirmed_com? ⇒ Boolean
• #send_rate_limited?(user) ⇒ Boolean
• #set_session_time(expiry_s) ⇒ Object
• #unconfirmed_email? ⇒ Boolean

Methods included from Gitlab::Utils::StrongMemoize

#clear_memoization, #strong_memoize, #strong_memoized?

Instance Method Details

#ensure_authenticated_session_time ⇒ Object

# File 'app/helpers/sessions_helper.rb', line 28

def ensure_authenticated_session_time
  set_session_time(nil)
end

#limit_session_time ⇒ Object

By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended.

# File 'app/helpers/sessions_helper.rb', line 24

def limit_session_time
  set_session_time(Settings.gitlab['unauthenticated_session_expire_delay'])
end

#obfuscated_email(email) ⇒ Object

# File 'app/helpers/sessions_helper.rb', line 47

def obfuscated_email(email)
  regex = ::Gitlab::UntrustedRegexp.new('^(..?)(.*)(@.?)(.*)(\..*)$')
  match = regex.match(email)
  return email unless match

  match[1] + '*' * match[2].length + match[3] + '*' * match[4].length + match[5]
end

#recently_confirmed_com? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/helpers/sessions_helper.rb', line 6

def recently_confirmed_com?
  strong_memoize(:recently_confirmed_com) do
    ::Gitlab.com? &&
      !!flash[:notice]&.include?(t(:confirmed, scope: [:devise, :confirmations]))
  end
end

#send_rate_limited?(user) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/helpers/sessions_helper.rb', line 43

def send_rate_limited?(user)
  Gitlab::ApplicationRateLimiter.peek(:email_verification_code_send, scope: user)
end

#set_session_time(expiry_s) ⇒ Object

# File 'app/helpers/sessions_helper.rb', line 32

def set_session_time(expiry_s)
  # Rack sets this header, but not all tests may have it: https://github.com/rack/rack/blob/fdcd03a3c5a1c51d1f96fc97f9dfa1a9deac0c77/lib/rack/session/abstract/id.rb#L251-L259
  return unless request.env['rack.session.options']

  # This works because Rack uses these options every time a request is handled, and redis-store
  # uses the Rack setting first:
  # 1. https://github.com/rack/rack/blob/fdcd03a3c5a1c51d1f96fc97f9dfa1a9deac0c77/lib/rack/session/abstract/id.rb#L342
  # 2. https://github.com/redis-store/redis-store/blob/3acfa95f4eb6260c714fdb00a3d84be8eedc13b2/lib/redis/store/ttl.rb#L32
  request.env['rack.session.options'][:expire_after] = expiry_s
end

#unconfirmed_email? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/helpers/sessions_helper.rb', line 13

def unconfirmed_email?
  flash[:alert] == t(:unconfirmed, scope: [:devise, :failure])
end