
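# Authenticates a request from its `Authorization` header and rotates the
# token on the way out.
#
# Expected header format (this is what the regexes below parse):
#
#   Authorization: token=<token> uid=<uid>
#
# Design caveats a reviewer should be aware of before relying on this concern:
#
# * The token IS the user's password. `update_auth_header` overwrites the
#   password with a fresh random token on every authenticated request, so the
#   credential the user originally registered with stops validating after the
#   first API call, and exactly one token is valid per user at any time (a
#   second device or tab invalidates the first).
# * Rotating on every request means two concurrent requests from the same
#   client race: the later one carries a token the earlier one has already
#   replaced and is rejected.
# * The user is looked up by uid and the token is only compared (via
#   `valid_password?`, presumably a password-hash comparison) when the uid
#   exists, so request latency differs between "uid known" and "uid unknown":
#   a uid-existence oracle. Looking up by uid rather than by token avoids
#   using the secret as an equality key, but it does not hide whether the uid
#   is known. Mitigating that would need a dummy hash comparison on a miss.
# * The rotation runs regardless of the response status, and `@user.save!`
#   presumably raises on a validation failure -- after the action body has
#   already executed.
module DeviseTokenAuth::Concerns::SetUserByToken
  extend ActiveSupport::Concern

  included do
    before_action :set_user_by_token
    after_action :update_auth_header
  end

  # Populates `@user` / `@current_user` from the `Authorization` header.
  #
  # Both ivars end up nil when the header is missing, when either the
  # `token=` or the `uid=` part cannot be parsed, when no user has that uid,
  # or when the token does not validate as the user's password. On success
  # the user is signed in without a session (`store: false`). The return
  # value is not meaningful to callers; `@user` is the contract.
  def set_user_by_token
    auth_header = request.headers["Authorization"]

    # missing auth token
    return false unless auth_header

    # `token=` must be followed by a space (the lazy `.*?` stops at the first
    # one); `uid=` runs to the end of the string. `\z` rather than `$` so a
    # trailing newline cannot sit past the anchor.
    token = auth_header[/token=(.*?) /, 1]
    uid   = auth_header[/uid=(.*?)\z/, 1]

    # Both parts are required. Skip the DB round-trip and the hash comparison
    # when either is absent; the outcome (unauthenticated) is unchanged.
    unless token && uid
      @user = @current_user = nil
      return false
    end

    # Look up by uid, then verify the token with the password check, so the
    # secret is never used as a lookup key. NOTE(review): a miss returns
    # without any hash comparison, which leaks whether `uid` exists.
    @user = @current_user = User.find_by_uid(uid)

    if @user && @user.valid_password?(token)
      sign_in(@user, store: false)
    else
      @user = @current_user = nil
    end
  end

  # After the action: if a user was authenticated, replace their password
  # with a fresh random token and return it in the `Authorization` response
  # header. Runs for every response, including error responses.
  #
  # `SecureRandom.urlsafe_base64(nil, false)` draws 16 random bytes and
  # encodes them as 22 URL-safe characters without padding.
  def update_auth_header
    return unless @user

    token                       = SecureRandom.urlsafe_base64(nil, false)
    @user.password              = token
    @user.password_confirmation = token
    @user.save!

    response.headers["Authorization"] = "token=#{token} uid=#{@user.uid}"
  end
end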
