class UserTasks < Volt::Task
  # Authenticate a user from a login + password pair and hand back the
  # session token "<user_id>:<signature>".
  #
  # The login may be a username or an e-mail address: whichever column
  # User.login_field names (selected by Volt.config.public.auth.use_username).
  #
  # @param login_info [Hash] string-keyed hash with 'login' and 'password'
  # @return [String] "user_id:signature", where signature is the lowercase
  #   hex SHA-256 of "<app_secret>::<user_id>"
  # @raise [VoltUserError] when no user matches the login
  # @raise [RuntimeError] when the password does not match the stored bcrypt
  #   hash, or when Volt.config.app_secret is not set
  def login(login_info)
    query = { User.login_field => login_info['login'] }
    password = login_info['password']

    # Nobody is authenticated yet, so the per-user permission checks on the
    # users collection have to be bypassed for this one lookup.
    Volt.skip_permissions do
      store._users.where(query).fetch_first do |user|
        raise VoltUserError, 'User could not be found' unless user

        # NOTE(review): the unknown-login and wrong-password paths differ in
        # exception class and message, and the bcrypt comparison is skipped
        # for unknown logins, so a client can tell the two cases apart.
        ensure_password_matches(user, password)
        raise 'app_secret is not configured' unless Volt.config.app_secret

        # TODO: returning here should be possible, but causes some issues
        next "#{user.id}:#{signature_for(user.id)}"
      end
    end
  end

  private

  # Raise unless +password+ verifies against the user's stored bcrypt hash.
  # BCrypt::Password#== hashes the candidate with the stored salt before
  # comparing, so the plaintext is never compared directly.
  def ensure_password_matches(user, password)
    stored = BCrypt::Password.new(user._hashed_password)
    raise 'Password did not match' unless stored == password
  end

  # Hex SHA-256 over the app_secret-salted id; the secret is what stops an
  # end user from forging the user_id half of the cookie.
  #
  # NOTE(review): this is a plain digest of "secret::id", not an HMAC
  # (OpenSSL::HMAC would be the conventional primitive). The code that checks
  # this token is outside this file, so the two must be changed in step.
  def signature_for(user_id)
    Digest::SHA256.hexdigest(salty_user_id(user_id))
  end

  # Input to the signature: app_secret and user id joined by "::".
  def salty_user_id(user_id)
    "#{Volt.config.app_secret}::#{user_id}"
  end
end