module Authpwn::SessionController
Included by the controller that handles user authentication.
Right now, some parts of the codebase assume the controller will be named Session.
Public Instance Methods
GET /api_token
# File lib/authpwn_rails/session_controller.rb, line 105
# GET /api_token
#
# Exposes the current user's API token code, minting a token first when the
# user has none. The code is made available as @api_token for the HTML view
# and as the api_token field of the JSON response. Requests without a signed-in
# user are handed to bounce_user and produce no token.
def api_token
  unless current_user
    bounce_user
    return
  end

  owner = current_user
  token = Tokens::Api.where(user_id: owner.id).first
  token ||= Tokens::Api.random_for(owner)
  @api_token = token.code

  respond_to do |format|
    format.html
    format.json { render json: { api_token: @api_token } }
  end
end
True for controllers belonging to the authentication implementation.
Controllers that return true here are responsible for performing their own authorization.
# File lib/authpwn_rails/session_controller.rb, line 332
# True for controllers belonging to the authentication implementation.
#
# A controller answering true here takes responsibility for its own
# authorization checks; the session controller always opts in.
#
# @return [true]
def auth_controller?
  true
end
Hook for customizing the bounce notification text.
# File lib/authpwn_rails/session_controller.rb, line 352
# Hook for customizing the bounce notification text.
#
# @param reason [Symbol] the failure reported by the credential check; the
#   known values are :invalid, :expired and :blocked
# @return [String, nil] the message shown to the user, or nil for a reason
#   this hook does not know about
def bounce_notice_text(reason)
  messages = {
    invalid: 'Invalid e-mail or password',
    expired: 'Password expired. Please click "Forget password"',
    blocked: 'Account blocked. Please verify your e-mail address'
  }
  messages[reason]
end
POST /session/change_password
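# File lib/authpwn_rails/session_controller.rb, line 249
# POST /session/change_password
#
# Replaces the current user's password credential. When a password credential
# already exists, the submitted old password must verify before the update is
# applied; otherwise a new Credentials::Password is created for the user.
# Requests without a signed-in user are handed to bounce_user.
#
# @raise [ActionController::ParameterMissing] from change_password_params when
#   the credential parameters are absent on the update/create path
def change_password
  unless current_user
    bounce_user
    return
  end

  @credential = current_user.credentials.
      where(type: 'Credentials::Password').first
  if @credential
    # An old password is set, must verify it. The hash is read defensively
    # (same pattern as reset_password) so a request without params[:credential]
    # fails the check instead of raising NoMethodError on nil.
    old_password = params[:credential] && params[:credential][:old_password]
    if @credential.check_password old_password
      success = @credential.update_attributes change_password_params
    else
      success = false
      # flash.now: the message belongs to the form rendered by this request
      # only; plain flash[] would repeat it on the next request as well.
      flash.now[:alert] = 'Incorrect old password. Please try again.'
    end
  else
    @credential = Credentials::Password.new change_password_params
    @credential.user = current_user
    success = @credential.save
  end

  respond_to do |format|
    if success
      format.html do
        redirect_to session_url, notice: 'Password updated'
      end
      format.json { head :no_content }
    else
      format.html { render action: :password_change }
      format.json { render json: { error: :invalid } }
    end
  end
end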
POST /session
# File lib/authpwn_rails/session_controller.rb, line 67
# POST /session
#
# Signs a user in from the credentials in params. A request that also carries
# params[:reset_password] is forwarded to reset_password (browsers without
# formaction support submit every button to this action). On success the
# session user is set and expired session tokens may be purged; on failure the
# user is sent back to the sign-in page with the bounce_notice_text message.
#
# NOTE(review): @redirect_url is taken from params[:redirect_url] and passed to
# redirect_to unchanged. Validate it against the application's own host (or
# accept only a path) so that a crafted sign-in link cannot send the user to an
# external site once authenticated.
def create
  # Workaround for lack of browser support for the formaction attribute.
  return reset_password if params[:reset_password]

  @redirect_url = params[:redirect_url] || session_url
  @session = Session.from_params params
  auth = User.authenticate_signin @session
  signed_in = !auth.is_a?(Symbol)
  if signed_in
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end

  respond_to do |format|
    if current_user
      format.html { redirect_to @redirect_url }
      format.json do
        user_data = current_user.as_json
        user_data = user_data['user'] if current_user.class.include_root_in_json
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    else
      error_text = bounce_notice_text auth
      format.html do
        if params[:redirect_url]
          redirect_to new_session_url,
              flash: { alert: error_text, auth_redirect_url: @redirect_url }
        else
          redirect_to new_session_url, alert: error_text
        end
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  end
end
DELETE /session
# File lib/authpwn_rails/session_controller.rb, line 220
# DELETE /session
#
# Signs the current user out by clearing the session's user, then redirects
# to session_url (HTML) or answers 204 No Content (JSON).
def destroy
  set_session_current_user nil
  respond_to do |format|
    format.html { redirect_to session_url }
    format.json { head :no_content }
  end
end
DELETE /api_token
# File lib/authpwn_rails/session_controller.rb, line 121
# DELETE /api_token
#
# Revokes the current user's API token when one exists. HTML responses redirect
# back to the API token page with a notice (revoked) or an alert (nothing to
# revoke); JSON answers an empty object or 404 respectively. Requests without a
# signed-in user are handed to bounce_user.
def destroy_api_token
  unless current_user
    bounce_user
    return
  end

  api_token = Tokens::Api.where(user_id: current_user.id).first
  api_token.destroy if api_token

  respond_to do |format|
    if api_token
      format.html do
        redirect_to api_token_session_url,
            notice: 'Your old API token has been revoked'
      end
      format.json { render json: {} }
    else
      format.html do
        redirect_to api_token_session_url,
            alert: 'You had no old API token to revoke'
      end
      format.json { head :not_found }
    end
  end
end
GET /session/new
# File lib/authpwn_rails/session_controller.rb, line 34
# GET /session/new
#
# Prepares the sign-in form: @session is built from params and @redirect_url
# is restored from the flash left by a previous failed attempt. A user who is
# already signed in is sent to session_url instead.
def new
  @session = Session.from_params params
  @redirect_url = flash[:auth_redirect_url]
  return unless current_user
  redirect_to session_url
end
GET /auth/twitter/callback POST /auth/twitter/callback
# File lib/authpwn_rails/session_controller.rb, line 292
# GET /auth/twitter/callback
# POST /auth/twitter/callback
#
# Completes an OmniAuth sign-in from the auth hash the OmniAuth middleware
# stores in request.env['omniauth.auth']. Mirrors create, except that only HTML
# responses are produced.
#
# NOTE(review): as in create, @redirect_url comes from params[:redirect_url]
# and reaches redirect_to unvalidated; restrict it to this application's host
# or to a path.
def omniauth
  @redirect_url = params[:redirect_url] || session_url
  omni_auth = request.env['omniauth.auth']
  auth = Credentials::OmniAuthUid.authenticate omni_auth
  signed_in = !auth.is_a?(Symbol)
  if signed_in
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end

  respond_to do |format|
    if current_user
      format.html { redirect_to @redirect_url }
    else
      error_text = bounce_notice_text auth
      format.html do
        if params[:redirect_url]
          redirect_to new_session_url,
              flash: { alert: error_text, auth_redirect_url: @redirect_url }
        else
          redirect_to new_session_url, alert: error_text
        end
      end
    end
  end
end
GET /auth/failure
# File lib/authpwn_rails/session_controller.rb, line 319
# GET /auth/failure
#
# Target of the OmniAuth failure redirect: sends the user back to the sign-in
# form with a generic alert. Only HTML is handled.
def omniauth_failure
  failure_text = 'Authentication failed. Please try again.'
  respond_to do |format|
    format.html { redirect_to new_session_url, alert: failure_text }
  end
end
GET /session/change_password
# File lib/authpwn_rails/session_controller.rb, line 229
# GET /session/change_password
#
# Prepares the password change form. @credential is the user's existing
# password credential, or an unsaved Credentials::Password bound to the user
# when none exists yet. Requests without a signed-in user are handed to
# bounce_user. Only HTML is handled.
def password_change
  unless current_user
    bounce_user
    return
  end

  respond_to do |format|
    format.html do
      @credential = current_user.credentials.
          where(type: 'Credentials::Password').first
      @credential ||= Credentials::Password.new.tap do |fresh|
        fresh.user = current_user
      end
      # Renders session/password_change.html.erb
    end
  end
end
POST /session/reset_password
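# File lib/authpwn_rails/session_controller.rb, line 149
# POST /session/reset_password
#
# E-mails a password reset token to the address in params[:session][:email]
# when that address belongs to a user.
#
# NOTE(review): the two outcomes are distinguishable to the caller (the
# 'Invalid e-mail' alert and the :not_found JSON error versus the "check your
# e-mail" notice), which reveals whether an address is registered. A uniform
# response for both paths is the usual mitigation if account enumeration is a
# concern for this deployment.
def reset_password
  email = params[:session] && params[:session][:email]
  credential = Credentials::Email.with email
  user = credential && credential.user
  if user
    token = Tokens::PasswordReset.random_for user
    # Kept separate from `email` so the address string is not overwritten by
    # the mail object.
    message = ::SessionMailer.reset_password_email(email, token, root_url)
    # TODO(pwnall): fix the serialization errors blocking deliver_later
    message.deliver_now
  end

  respond_to do |format|
    if user
      format.html do
        redirect_to new_session_url,
            alert: 'Please check your e-mail for instructions'
      end
      format.json { render json: { } }
    else
      error_text = 'Invalid e-mail'
      format.html do
        redirect_to new_session_url, alert: error_text
      end
      format.json do
        # Previously rendered `text: notice`, the flash accessor, which nothing
        # in this action sets; error_text is the message the HTML path shows.
        render json: { error: :not_found, text: error_text }
      end
    end
  end
end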
GET /session
# File lib/authpwn_rails/session_controller.rb, line 41
# GET /session
#
# Renders the welcome page for anonymous visitors (@user is an unsaved
# User.new) and the home page for signed-in users. The welcome / home hooks run
# first and may render or redirect themselves, in which case the default
# response below is skipped.
def show
  @user = current_user || User.new
  if @user.new_record?
    welcome
    return if performed?
    respond_to do |format|
      format.html { render action: :welcome }
      format.json { render json: {} }
    end
  else
    home
    return if performed?
    respond_to do |format|
      format.html { render action: :home }
      format.json do
        user_data = @user.as_json
        user_data = user_data['user'] if @user.class.include_root_in_json
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    end
  end
end
GET /session/token/token-code
# File lib/authpwn_rails/session_controller.rb, line 180
# GET /session/token/token-code
#
# Signs a user in with a one-time token taken from params[:code]. A missing or
# rejected token bounces to the sign-in form with the bounce_notice_text
# message; a valid one sets the session user, runs the home_with_token hook
# and, unless that hook already responded, redirects to session_url (HTML) or
# returns the user data (JSON).
def token
  # NOTE: We don't use Tokens::Base here because we don't want users to abuse
  # API tokens to build permanent login links.
  #
  # This repeats the code in Token::Base.authenticate, because we need the
  # token.
  one_time = Tokens::OneTime.with_code(params[:code]).first
  auth = one_time ? one_time.authenticate : :invalid

  if auth.is_a? Symbol
    error_text = bounce_notice_text auth
    respond_to do |format|
      format.html do
        redirect_to new_session_url,
            flash: { alert: error_text, auth_redirect_url: session_url }
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  else
    set_session_current_user auth
    home_with_token one_time
    return if performed?
    respond_to do |format|
      format.html { redirect_to session_url }
      format.json do
        user_data = current_user.as_json
        user_data = user_data['user'] if current_user.class.include_root_in_json
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    end
  end
end
Private Instance Methods
Parameters used to change the user's password.
# File lib/authpwn_rails/session_controller.rb, line 284
# Parameters used to change the user's password.
#
# @return [ActionController::Parameters] the permitted :old_password,
#   :password and :password_confirmation values under params[:credential]
# @raise [ActionController::ParameterMissing] when params[:credential] is absent
def change_password_params
  credential = params.require(:credential)
  credential.permit(:old_password, :password, :password_confirmation)
end
Hook for setting up the home view.
# File lib/authpwn_rails/session_controller.rb, line 337
# Hook for setting up the home view.
#
# Called by show for signed-in users before the default response; an override
# that renders or redirects suppresses that default. Does nothing by default.
#
# @return [nil]
def home
  nil
end
Hook for setting up the home view after token-based authentication.
# File lib/authpwn_rails/session_controller.rb, line 347
# Hook for setting up the home view after token-based authentication.
#
# Called by token once the session user is set; an override that renders or
# redirects suppresses the default response. Does nothing by default.
#
# @param token [Tokens::OneTime] the token that was just used to sign in
# @return [nil]
def home_with_token(token)
  nil
end
Hook for setting up the welcome view.
# File lib/authpwn_rails/session_controller.rb, line 342
# Hook for setting up the welcome view.
#
# Called by show for anonymous visitors before the default response; an
# override that renders or redirects suppresses that default. Does nothing by
# default.
#
# @return [nil]
def welcome
  nil
end