
# frozen_string_literal: true

# Rotate the record's unique_session_id on every explicit sign-in.
# Warden runs this hook for set_user and for authentication events, but
# NOT when the user is merely restored from the session (:fetch) — that
# case is handled by the hook below.
Warden::Manager.after_set_user except: :fetch do |record, warden, options|
  scope = options[:scope]

  # Only models that opted in to session limiting, and only once Warden has
  # actually authenticated this scope; otherwise leave everything untouched.
  next unless record.respond_to?(:update_unique_session_id!)
  next unless warden.authenticated?(scope)

  # A fresh random token per sign-in. It is written to the session AND
  # persisted on the record, so a later :fetch can compare the two and tell
  # whether a newer sign-in has superseded this session.
  token = Devise.friendly_token
  warden.session(scope)['unique_session_id'] = token
  record.update_unique_session_id!(token)
end

# On every request that restores the user from the session (:fetch), verify
# that this session is still the most recent sign-in for the record. If a
# newer session (e.g. from another browser) has rotated unique_session_id,
# this older session is terminated and the request is bounced to sign-in
# with the :session_limited message.
Warden::Manager.after_set_user only: :fetch do |record, warden, options|
  scope = options[:scope]
  env   = warden.request.env

  # Skip models without the feature, unauthenticated scopes, and
  # non-stored (e.g. stateless/API-style) sign-ins where there is no
  # session identifier to compare against.
  next unless record.respond_to?(:unique_session_id)
  next unless warden.authenticated?(scope)
  next if options[:store] == false

  stored_id = warden.session(scope)['unique_session_id']
  still_current = record.unique_session_id == stored_id

  # 'devise.skip_session_limitable' is an explicit per-request bypass;
  # anything that sets it in the Rack env disables this check for that
  # request, so it should only be set by trusted application code.
  next if still_current || env['devise.skip_session_limitable']

  # Stale session: wipe the whole Rack session (every scope and any other
  # session data), log the scope out, and abort the request via Warden.
  warden.raw_session.clear
  warden.logout(scope)
  throw :warden, scope: scope, message: :session_limited
end
