Sha256: b178d653557bedf01bef406f01d19982179008b2f2f7c6b577192bae3f24f12c

Contents?: true

Size: 1.28 KB

Versions: 3

Compression:

Stored size: 1.28 KB

Contents

module DeviseTokenAuth::Concerns::SetUserByToken
  extend ActiveSupport::Concern

  included do
    before_action :set_user_by_token
    after_action :update_auth_header
  end

  # user auth
  def set_user_by_token
    auth_header = request.headers["Authorization"]

    # missing auth token
    return false unless auth_header

    token      = auth_header[/token=(.*?) /,1]
    uid        = auth_header[/uid=(.*?)$/,1]
    @client_id = auth_header[/client=(.*?) /,1]

    @client_id ||= 'default'

    # mitigate timing attacks by finding by uid instead of auth token
    @user = @current_user = uid && User.find_by_uid(uid)

    if @user && @user.valid_token?(@client_id, token)
      sign_in(@user, store: false)
    else
      @user = @current_user = nil
    end
  end

  def update_auth_header
    if @user
      # update user's auth token (should happen on each request)
      token                    = SecureRandom.urlsafe_base64(nil, false)
      token_hash               = BCrypt::Password.create(token)
      @user.tokens[@client_id] = {
        token:  token_hash,
        expiry: Time.now + 2.weeks
      }
      @user.save

      # update Authorization response header with new token
      response.headers["Authorization"] = "token=#{token} client=#{@client_id} uid=#{@user.uid}"
    end
  end
end

Version data entries

3 entries across 3 versions & 1 rubygems

Version Path
devise_token_auth-0.1.7 app/controllers/devise_token_auth/concerns/set_user_by_token.rb
devise_token_auth-0.1.6 app/controllers/devise_token_auth/concerns/set_user_by_token.rb
devise_token_auth-0.1.5 app/controllers/devise_token_auth/concerns/set_user_by_token.rb