require 'addressable/uri' # This controller is responsible for creating and destroying user sessions. # # The creation uses the DatabaseAuthenticatable strategy, while the destruction # simply destroys any session, whatever strategy it was created with. Janus # hooks will be called, allowing to destroy any Rememberable cookies as well as # any user defined behavior. # class Janus::SessionsController < ApplicationController include Janus::InternalHelpers helper JanusHelper before_filter :load_resource_from_authentication_params, :only => :create def new params[:return_to] ||= request.env["HTTP_REFERER"] if signed_in?(janus_scope) redirect_after_sign_in(send("current_#{janus_scope}")) else self.resource = resource_class.new respond_with(resource) end end def create if valid_resource? janus.login(resource, :scope => janus_scope, :rememberable => params[:remember_me]) respond_with_success { redirect_after_sign_in(resource) } else respond_with_failure :unauthorized end end def destroy janus.logout(janus_scope) respond_with_success { redirect_to after_sign_out_url(janus_scope) } end # An overridable method that returns the default path to return the just # signed in user to. Defaults to return the user object, which will be # interpreted by rails as `user_path(user)`. def after_sign_in_url(user) user end # An overridable method that returns the default path to return the just # signed out user to. Defaults to `root_url`. def after_sign_out_url(scope) root_url end # Returns true if host is request.host. You may want to overwrite this method # to check if a user can access the current host and return false otherwise. # # For instance when a user signed in from a subdomain she can't access, and # you want to redirect her to another subdomain. def valid_host?(host) host == request.host end # Must return true if host is known and we allow to redirect the user # with an auth_token. # # Warning: must be overwritten by child classes because it always # returns false by default! def valid_remote_host?(host) false end # Returns an Array of URL that we shouldn't automatically return to. It # actually returns URL to prevent infinite loops. We must for instance # never return to new_sesssion_path. # # If you ever need to override this method, don't forget to call `super`. # For instance: # # def never_return_to(scope) # super + [ my_peculiar_path, another_path ] # end # def never_return_to(scope) scope = Janus.scope_for(scope) list = [new_session_path(scope)] begin list + [ destroy_session_path(scope), new_password_path(scope), edit_password_path(scope) ] rescue NoMethodError list end end # Either redirects the user to after_sign_in_url or to params[:return_to]. # # If params[:return_to] is an absolute URL, and not just a path, # valid_remote_host? will be invoked to check wether we should redirect # to this URL or not, in order to secure auth tokens for # RemoteAuthenticatable to leak into the wild. def redirect_after_sign_in(user) if params[:return_to].present? return_to = Addressable::URI.parse(params[:return_to]) unless never_return_to(user).include?(return_to.path) # path or same host redirection if valid_host?(return_to.host || request.host) redirect_to params[:return_to] and return end # external host redirection if valid_remote_host?(return_to.host) add_remote_authentication_key(return_to, user) if user.class.include?(Janus::Models::RemoteAuthenticatable) redirect_to return_to.to_s and return end end end redirect_to after_sign_in_url(user) end def add_remote_authentication_key(return_to, user) query = return_to.query_values || {} return_to.query_values = query.merge( user.class.remote_authentication_key => user.generate_remote_token! ) end private def valid_resource? resource && resource.valid_password?(params[resource_name][:password]) end def initialize_resource resource_class .new(resource_authentication_params) .tap(&:clean_up_passwords) end def load_resource_from_authentication_params self.resource = resource_class.find_for_database_authentication(resource_authentication_params) respond_with_failure :unauthorized unless resource end end