
require 'omniauth'

module TDiary
	module Rack
		class Auth
			class OmniAuth
				class Authorization
					def initialize(app, provider, &block)
						@app = app
						@provider = provider
						@authz = block
					end

					def call(env)
						if not authenticate?(env)
							# phase 1: request phase
							login(env)
						elsif env['REQUEST_PATH'].match(%r|auth/#{@provider}/callback|)
							# phase 2: callback phase
							callback(env)
						else
							# phase 3: authorization phase
							auth = env['rack.session']['auth']
							env['REMOTE_USER'] = "#{auth.uid}@#{auth.provider}"
							return forbidden unless @authz.call(auth)
							@app.call(env)
						end
					end

					def login(env)
						STDERR.puts "use #{@provider} authentication strategy"
						req = ::Rack::Request.new(env)
						env['rack.session']['tdiary.auth.redirect'] = "#{req.base_url}#{req.fullpath}"
						redirect = File.join("#{req.base_url}#{req.path}", "#{::OmniAuth.config.path_prefix}/#{@provider}")
						[302, {'Content-Type' => 'text/plain', 'Location' => redirect}, []]
					end

					def logout(env)
						env['rack.session']['user_id'] = nil
					end

					def forbidden
						[403, {'Content-Type' => 'text/plain'}, ['forbidden']]
					end

					def callback(env)
						# reset sesstion to prevend session fixation attack
						# see: http://www.ipa.go.jp/security/vuln/documents/website_security.pdf (section 1.4)
						env['rack.session.options'][:renew] = true
						auth = env['omniauth.auth']
						env['rack.session']['auth'] = auth
						env['REMOTE_USER'] = "#{auth.uid}@#{auth.provider}"
						redirect = env['rack.session']['tdiary.auth.redirect'] || '/'
						[302, {'Content-Type' => 'text/plain', 'Location' => redirect}, []]
					end

					def authenticate?(env)
						env['omniauth.auth'] || env['rack.session']['auth']
					end
				end
			end
		end
	end
end
