require 'action_controller' # :nodoc: adds authenticates_using_session class ActionController::Base # Keeps track of the currently authenticated user via the session. # # Assumes the existence of a User model. A bare ActiveModel model will do the # trick. Model instances must implement id, and the model class must implement # find_by_id. def self.authenticates_using_session(options = {}) include Authpwn::ControllerInstanceMethods before_filter :authenticate_using_session, options end # True for controllers belonging to the authentication implementation. # # Controllers that return true here are responsible for performing their own # authorization. def auth_controller? false end end # :nodoc: namespace module Authpwn # Included in controllers that call authenticates_using_session. module ControllerInstanceMethods include Authpwn::CurrentUser # Sets up the session so that it will authenticate the given user. def set_session_current_user(user) self.current_user = user # Try to reuse existing sessions. if session[:authpwn_suid] token = Tokens::SessionUid.with_code(session[:authpwn_suid]).first if token if token.user == user token.touch return user else token.destroy end end end if user session[:authpwn_suid] = Tokens::SessionUid.random_for(user, request.remote_ip, request.user_agent || 'N/A').suid else session.delete :authpwn_suid end end # Filter that implements authenticates_using_session. # # If your ApplicationController contains authenticates_using_session, you # can opt out in individual controllers using skip_before_filter. # # skip_before_filter :authenticate_using_session def authenticate_using_session return if current_user session_uid = session[:authpwn_suid] user = session_uid && Tokens::SessionUid.authenticate(session_uid) self.current_user = user if user && !user.instance_of?(Symbol) end private :authenticate_using_session # Inform the user that their request is forbidden. # # If a user is logged on, this renders the session/forbidden view with a HTTP # 403 code. # # If no user is logged in, the user is redirected to session/new, and the # current request's URL is saved in flash[:auth_redirect_url]. def bounce_user(redirect_url = request.url) # NOTE: this is tested in CookieControllerTest respond_to do |format| format.html do @redirect_url = redirect_url if current_user render 'session/forbidden', layout: false, status: :forbidden else flash[:auth_redirect_url] = redirect_url render 'session/forbidden', layout: false, status: :forbidden end end format.json do message = current_user ? "You're not allowed to access that" : 'Please sign in' render json: { error: message } end end end end # module Authpwn::ControllerInstanceMethods end # namespace Authpwn