module Authpwn::HttpTokenControllerInstanceMethods

Included in controllers that call authenticates_using_http_token.

Public Instance Methods

bounce_to_http_token()

Inform the user that their request is forbidden.

If a user is logged in (from the session, or set by authenticate_using_http_token from an accepted token), the request is refused as forbidden: HTML requests render the session/forbidden view without a layout and with HTTP status 403; JSON requests get a JSON error body. Note that the JSON branch below does not pass status: :forbidden, so that response goes out with the default 200 status, and API clients must not treat a 2xx answer as success without reading the body.

If no user is logged in, the method calls Rails' request_http_token_authentication, which responds with HTTP 401 and a WWW-Authenticate: Token realm="..." header inviting the client to retry with an Authorization: Token header. Browsers do not prompt for the Token scheme the way they do for Basic authentication, so this path is intended for API clients rather than interactive users.

# File lib/authpwn_rails/http_token.rb, line 50
def bounce_to_http_token()
  # No user at all: answer 401 with a WWW-Authenticate: Token challenge.
  unless current_user
    request_http_token_authentication
    return
  end

  # A user is logged in but not allowed here.
  respond_to do |format|
    format.html do
      render 'session/forbidden', layout: false, status: :forbidden
    end
    format.json do
      # No status is given, so this JSON error is sent with the default 200.
      render json: { error: "You're not allowed to access that" }
    end
  end
end

Private Instance Methods

authenticate_using_http_token()

The before_action that implements authenticates_using_http_token. It does nothing when current_user is already set (for example from the session); otherwise it reads the Authorization: Token header through Rails' authenticate_with_http_token and, if Tokens::Api.authenticate accepts the token, sets @current_user. It never rejects a request by itself: a missing or rejected token simply leaves current_user nil, so the action (or a before_action that calls bounce_to_http_token) has to enforce authentication.

If your ApplicationController contains authenticates_using_http_token, you can opt out in individual controllers using skip_before_action.

skip_before_action :authenticate_using_http_token

# File lib/authpwn_rails/http_token.rb, line 29
def authenticate_using_http_token
  # A user already set from the session (or by an earlier filter) wins; the
  # Authorization header is not consulted in that case.
  return if current_user
  # Rails parses 'Authorization: Token token="..."' and yields the token plus
  # any extra key=value options; the block is skipped when the header is
  # absent or uses another scheme.
  authenticate_with_http_token do |token_code, options|
    # Tokens::Api.authenticate returns the token's user on success and a
    # Symbol describing the failure otherwise; only a non-Symbol counts as a login.
    auth = Tokens::Api.authenticate token_code

    # NOTE: Setting the instance variable directly bypasses the session
    #       setup. Tokens are generally used in API contexts, so the session
    #       cookie would get ignored anyway.
    @current_user = auth unless auth.kind_of? Symbol
  end
end
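The following is an added example, not authpwn_rails code. It models in plain Ruby, with no Rails dependency, how authenticate_using_http_token and bounce_to_http_token behave together: the header is parsed in the forms Rails' authenticate_with_http_token accepts, a stand-in for Tokens::Api.authenticate returns a user or a Symbol, a missing user yields 401 with the WWW-Authenticate challenge, and a logged-in user without permission yields 403 for both HTML and JSON. The module name TokenAuthDemo, the user table, the demo tokens and the role check are all constructed for the example.

```ruby
require 'digest'
require 'json'

# Added example, not part of authpwn_rails. TokenAuthDemo, its users and its
# tokens are constructed for the demo; no Rails is needed to run it.
module TokenAuthDemo
  REALM = 'Application' # realm Rails' request_http_token_authentication uses by default
  ROLE_RANK = { member: 1, admin: 2 }.freeze

  # Constructed users. The server keeps only SHA-256 digests of API tokens,
  # so a leaked copy of this table does not hand out usable credentials.
  USERS = { 'alice' => :admin, 'bob' => :member }.freeze
  DEMO_TOKENS = { 'a1f3-admin-token' => 'alice', 'b7c2-member-token' => 'bob' }.freeze
  TOKEN_DIGESTS = DEMO_TOKENS.each_with_object({}) do |(token, user), digests|
    digests[Digest::SHA256.hexdigest(token)] = user
  end.freeze

  # Parses an Authorization header in the forms authenticate_with_http_token
  # accepts: 'Token token="x", realm="y"', 'Token x' or 'Bearer x'. Returns
  # [token, options] or nil for a missing header or another scheme.
  # Simplified parser: no escaped quotes or commas inside values.
  def self.parse_authorization(header)
    match = header.to_s.match(/\A(?:Token|Bearer)\s+(.+)\z/)
    return nil unless match
    token = nil
    options = {}
    match[1].split(',').each_with_index do |pair, index|
      key, value = pair.strip.split('=', 2)
      if value.nil?
        token = key if index.zero? # bare form: "Token abc"
        next
      end
      value = value.strip.delete_prefix('"').delete_suffix('"')
      if key.strip == 'token'
        token = value
      else
        options[key.strip.to_sym] = value
      end
    end
    token.nil? || token.empty? ? nil : [token, options]
  end

  # Stands in for Tokens::Api.authenticate: the user on success, otherwise a
  # Symbol naming the failure, which callers must never treat as a user.
  def self.authenticate_token(token_code)
    TOKEN_DIGESTS.fetch(Digest::SHA256.hexdigest(token_code), :invalid_token)
  end

  # The before_action. A session user wins; otherwise the header is consulted.
  # As in the original, a bad token is not an error here: it leaves the user nil.
  def self.current_user_for(env, session_user: nil)
    return session_user if session_user
    token, _options = parse_authorization(env['HTTP_AUTHORIZATION'])
    return nil unless token
    auth = authenticate_token(token)
    auth.kind_of?(Symbol) ? nil : auth
  end

  # An action guarded by the bounce logic. Returns a Rack-style
  # [status, headers, body] triple.
  def self.call(env, required_role: :member, session_user: nil)
    user = current_user_for(env, session_user: session_user)
    json = env['HTTP_ACCEPT'].to_s.include?('json')
    if user.nil?
      # request_http_token_authentication: 401 plus the challenge header.
      headers = { 'WWW-Authenticate' => %(Token realm="#{REALM}") }
      return [401, headers, 'HTTP Token: Access denied.']
    end
    if ROLE_RANK.fetch(USERS.fetch(user)) < ROLE_RANK.fetch(required_role)
      # Logged in but not permitted: 403 on every format, the JSON branch
      # included (the original's JSON branch leaves the status at 200).
      body = json ? JSON.generate({ error: "You're not allowed to access that" }) : 'forbidden'
      return [403, {}, body]
    end
    [200, {}, "hello #{user}"]
  end
end
```

Calling TokenAuthDemo.call with an env lacking HTTP_AUTHORIZATION returns the 401 challenge; a valid Token or Bearer header for a member hitting an admin-only action returns 403; the digest lookup means the plaintext tokens exist only in the constructed DEMO_TOKENS table, which a real deployment would not keep.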