Sha256: 35e44c9743a6ecb4589f35883853bb36268bf781dc20a23f28c78cbcce4f00dc

Contents?: true

Size: 1.1 KB

Versions: 3

Compression:

Stored size: 1.1 KB

Contents

class UserTasks < Volt::TaskHandler
  # Login a user, takes a login and password.  Login can be either a username
  # or an e-mail based on Volt.config.public.auth.use_username
  def login(login, password)
    query = { User.login_field => login }

    # During login we need access to the user's info even though we aren't the user
    Volt.skip_permissions do
      store._users.find(query).fetch_first do |user|
        fail 'User could not be found' unless user

        match_pass = BCrypt::Password.new(user._hashed_password)
        fail 'Password did not match' unless  match_pass == password
        fail 'app_secret is not configured' unless Volt.config.app_secret

        # TODO: returning here should be possible, but causes some issues
        # Salt the user id with the app_secret so the end user can't
        # tamper with the cookie
        signature = Digest::SHA256.hexdigest(salty_user_id(user._id))

        # Return user_id:hash on user id
        next "#{user._id}:#{signature}"
      end
    end
  end

  private

  def salty_user_id(user_id)
    "#{Volt.config.app_secret}::#{user_id}"
  end
end

Version data entries

3 entries across 3 versions & 1 rubygems

Version Path
volt-0.8.27.beta6 app/volt/tasks/user_tasks.rb
volt-0.8.27.beta5 app/volt/tasks/user_tasks.rb
volt-0.8.27.beta4 app/volt/tasks/user_tasks.rb