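module SelfAuthRails
  # Session endpoints for Self-based sign-in: starts an authentication
  # request, exchanges a one-time token for a logged-in session, logs out,
  # and serves the QR code / deep link used to begin authentication.
  class SessionsController < ApplicationController
    # Renders the sign-in page.
    def new; end

    # Authenticates a user with the given token.
    #
    # Two callers hit this action:
    # * an AJAX call with no token, which asks the Self client to start an
    #   authentication request for +selfid+ and answers 204;
    # * a form submission carrying the one-time token, which is exchanged
    #   for a session and redirected to the authenticated path.
    def create
      token = session_params[:token]

      # blank? rather than empty?: a missing :token used to raise
      # NoMethodError on nil, and a whitespace-only value must never be
      # looked up, because consumed tokens are stored as '' and some database
      # collations ignore trailing whitespace when comparing strings.
      if token.blank?
        # AJAX request
        selfid = session_params[:selfid]
        # Without a token there must at least be an identity to ask; do not
        # start an outbound authentication request for nobody.
        return head(:bad_request) if selfid.blank?

        SelfAuthRails.self_client.facts.request(
          selfid,
          [:display_name],
          auth: true,
          cid: session_params[:connection_id],
          async: true
        )
        request.format = :json
        respond_to do |format|
          format.json { head :no_content }
        end
      else
        # Form submission
        reset_user_token(token)
        respond_to do |format|
          format.html { redirect_to SelfAuthRails.authenticated_path, notice: 'Welcome.' }
        end
      end
    end

    # Logs out the current user.
    #
    # NOTE(review): only :user_id is cleared; anything else kept in the
    # session survives logout. Consider reset_session here if nothing in the
    # host application relies on that data.
    def logout
      session[:user_id] = nil
      respond_to do |format|
        format.html { redirect_to new_url }
        format.json { head :no_content }
      end
    end

    # Generates a QR code for authenticating users.
    #
    # In the test environment a fixed "test" payload is sent instead of
    # calling the Self client.
    #
    # NOTE(review): params[:uuid] is client-supplied and is embedded in the
    # correlation id as-is; confirm the expected format and validate it
    # before use. exp_timeout is presumably in seconds (24 hours) - confirm
    # that a QR code needs to stay valid that long.
    # NOTE(review): this action goes through ::SelfClient while the others
    # use SelfAuthRails.self_client - confirm both refer to the same client.
    def qr
      if Rails.env.test?
        send_data("test")
      else
        uuid = "qr::#{params[:uuid]}"
        img = ::SelfClient.authentication.generate_qr(
          facts: SelfAuthRails.auth_facts,
          cid: uuid,
          exp_timeout: 86_400
        )
        send_data(img.as_png(border: 0, size: 400), type: 'image/png', disposition: 'inline')
      end
    end

    # Generates a dynamic link to authenticate users.
    #
    # Responds with JSON of the form { url: ... }; in the test environment
    # the url is the placeholder '#'.
    #
    # NOTE(review): as in #qr, params[:uuid] reaches the correlation id
    # unvalidated.
    def dl
      link = '#'
      unless Rails.env.test?
        uuid = "dl::#{params[:uuid]}"
        link = SelfAuthRails.self_client.facts.generate_deep_link(
          SelfAuthRails.auth_facts,
          SelfAuthRails.authenticated_path,
          cid: uuid,
          auth: true
        )
      end
      render json: { url: link }
    end

    protected

    # Never trust parameters from the scary internet, only allow the
    # permitted list through.
    def session_params
      params.permit(:selfid, :token, :connection_id, :qr_url, :dl_url, :authenticity_token)
    end

    # Redirects to the authenticated path when the session already carries a
    # user id.
    def auto_join_authenticated_users
      redirect_to SelfAuthRails.authenticated_path unless session[:user_id].nil?
    end

    # Exchanges a one-time token for a logged-in session.
    #
    # When a record with that token exists, the token is cleared so it cannot
    # be presented again and the record's id is stored in the session. When
    # none exists, @user falls back to helpers.current_user and the session
    # is left untouched.
    #
    # @param token [String] one-time token submitted by the sign-in form
    def reset_user_token(token)
      # Never query with a blank token: consumed tokens are stored as '', so
      # a blank lookup could match a user who has already signed in.
      @user = token.blank? ? nil : SelfAuthRails.session_class.find_by(token: token)

      if @user.nil?
        # The user is already created on a different tab
        @user = helpers.current_user
      else
        @user.token = ''
        @user.save!
        # NOTE(review): the session is not rotated (reset_session) before the
        # user id is stored, which Rails guidance recommends on sign-in to
        # prevent session fixation. Left unchanged because rotating would
        # also invalidate CSRF tokens held by other open tabs, which this
        # flow appears to support - confirm and decide.
        session[:user_id] = @user.id.to_s
      end
    end
  end
end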