Sha256: f665a7f040ebef995dbe4b8c0a2a332406a92caba005009946f487030d6d8809
Contents?: true
Size: 1.83 KB
Versions: 43
Compression:
Stored size: 1.83 KB
Contents
require 'omniauth' module TDiary module Rack class Auth class OmniAuth class Authorization def initialize(app, provider, &block) @app = app @provider = provider @authz = block end def call(env) if not authenticate?(env) # phase 1: request phase login(env) elsif env['REQUEST_PATH'].match(%r|auth/#{@provider}/callback|) # phase 2: callback phase callback(env) else # phase 3: authorization phase auth = env['rack.session']['auth'] env['REMOTE_USER'] = "#{auth.uid}@#{auth.provider}" return forbidden unless @authz.call(auth) @app.call(env) end end def login(env) STDERR.puts "use #{@provider} authentication strategy" req = ::Rack::Request.new(env) env['rack.session']['tdiary.auth.redirect'] = "#{req.base_url}#{req.fullpath}" redirect = File.join("#{req.base_url}#{req.path}", "#{::OmniAuth.config.path_prefix}/#{@provider}") [302, {'Content-Type' => 'text/plain', 'Location' => redirect}, []] end def logout(env) env['rack.session']['user_id'] = nil end def forbidden [403, {'Content-Type' => 'text/plain'}, ['forbidden']] end def callback(env) # reset sesstion to prevend session fixation attack # see: http://www.ipa.go.jp/security/vuln/documents/website_security.pdf (section 1.4) env['rack.session.options'][:renew] = true auth = env['omniauth.auth'] env['rack.session']['auth'] = auth env['REMOTE_USER'] = "#{auth.uid}@#{auth.provider}" redirect = env['rack.session']['tdiary.auth.redirect'] || '/' [302, {'Content-Type' => 'text/plain', 'Location' => redirect}, []] end def authenticate?(env) env['omniauth.auth'] || env['rack.session']['auth'] end end end end end end
Version data entries
43 entries across 32 versions & 1 rubygems
Version | Path |
---|---|
tdiary-4.2.0 | lib/tdiary/rack/auth/omniauth/authorization.rb |
tdiary-4.1.3 | lib/tdiary/rack/auth/omniauth/authorization.rb |
tdiary-4.1.2 | lib/tdiary/rack/auth/omniauth/authorization.rb |