lib/janus/controllers/sessions_controller.rb in janus-0.9.0 vs lib/janus/controllers/sessions_controller.rb in janus-0.9.1
@@ -25,11 +25,11 @@
respond_with(resource)
end
end
def create
- self.resource = resource_class.find_for_database_authentication(params[resource_name])
+ self.resource = resource_class.find_for_database_authentication(resource_authentication_params)
if resource && resource.valid_password?(params[resource_name][:password])
janus.login(resource, :scope => janus_scope, :rememberable => params[:remember_me])
respond_to do |format|
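Review bot: `resource_authentication_params`, which replaces `params[resource_name]` on the added line here and `resource_params` in the html branch of the next hunk, has no definition anywhere in this diff, while the old `resource_params` helper (which permitted only `resource_class.authentication_keys`) is deleted at the end of the file; presumably it moved to a shared module, but it is worth confirming it still whitelists only the authentication keys, because the failure branch hands it straight to `resource_class.new(...)`, where any extra permitted attribute would be mass-assigned onto the unsaved resource rendered back to the user. The password check still reads the raw `params[resource_name][:password]`, so the two reads of the same hash now go through different filtering; a one-line comment such as `# only authentication keys are permitted here; the password is read raw below` would make that intentional split visible. `create` continues past the end of this hunk.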
@@ -37,11 +37,11 @@
format.any { head :ok }
end
else
respond_to do |format|
format.html do
- self.resource ||= resource_class.new(resource_params)
+ self.resource ||= resource_class.new(resource_authentication_params)
resource.clean_up_passwords
resource.errors.add(:base, :not_found)
render "new", :status => :unauthorized
end
format.any { head :unauthorized }
@@ -69,11 +69,20 @@
# signed out user to. Defaults to `root_url`.
def after_sign_out_url(scope)
root_url
end
- # Returns true if host is known and that we allow to redirect the user
+ # Returns true if host is request.host. You may want to overwrite this method
+ # to check if a user can access the current host and return false otherwise.
+ #
+ # For instance when a user signed in from a subdomain she can't access, and
+ # you want to redirect her to another subdomain.
+ def valid_host?(host)
+ host == request.host
+ end
+
+ # Must return true if host is known and we allow to redirect the user
# with an auth_token.
#
# Warning: must be overwritten by child classes because it always
# returns false by default!
def valid_remote_host?(host)
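Review bot: The new `valid_host?` comment describes the argument as the host to compare with `request.host`, but the caller in `redirect_after_sign_in` passes `return_to.host || request.host`, so an override also receives `request.host` itself for a path-only `return_to` and must answer true there or relative redirects stop working. The default compares the host string only, so scheme and port play no part in the decision, which an override that wants to restrict more than the hostname needs to know. Suggested addition to the comment: `# Receives request.host itself when return_to has no host (a path-only redirect). Only the host string is compared; scheme and port are not checked here.` `valid_remote_host?` is defined on the last line of the hunk and its body lies outside it.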
@@ -106,35 +115,33 @@
# If <tt>params[:return_to] is an absolute URL, and not just a path,
# valid_remote_host? will be invoked to check wether we should redirect
# to this URL or not, in order to secure auth tokens for
# RemoteAuthenticatable to leak into the wild.
def redirect_after_sign_in(user)
- unless params[:return_to].blank?
+ if params[:return_to].present?
return_to = Addressable::URI.parse(params[:return_to])
unless never_return_to(user).include?(return_to.path)
- if return_to.host.nil? || return_to.host == request.host
+ # path or same host redirection
+ if valid_host?(return_to.host || request.host)
redirect_to params[:return_to]
return
- elsif valid_remote_host?(return_to.host)
+ end
+
+ # external host redirection
+ if valid_remote_host?(return_to.host)
if user.class.include?(Janus::Models::RemoteAuthenticatable)
query = return_to.query_values || {}
- return_to.query_values = query.merge(user.class.remote_authentication_key => user.generate_remote_token!)
+ return_to.query_values = query.merge(
+ user.class.remote_authentication_key => user.generate_remote_token!
+ )
end
redirect_to return_to.to_s
return
end
end
end
redirect_to after_sign_in_url(user)
- end
-
- def resource_params
- if params.respond_to?(:permit)
- params.require(janus_scope).permit(*resource_class.authentication_keys)
- else
- params[janus_scope].slice(*resource_class.authentication_keys)
- end
end
end
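Review bot: `Addressable::URI.parse(params[:return_to])` is still called on the raw query parameter with no rescue, so a malformed value (Addressable raises `Addressable::URI::InvalidURIError` for input it cannot parse, an invalid port for example) turns a bad sign-in redirect into a 500 instead of falling back to `after_sign_in_url`, which is the safe outcome. The restructured branches also change what `valid_remote_host?` can see: when an overridden `valid_host?` rejects a path-only `return_to`, execution now falls through to `valid_remote_host?(return_to.host)` with a nil host, which the old `elsif` never reached; its "must be overwritten" comment should say the argument can be nil so an override fails closed. Suggested shape, treating an unparseable `return_to` as absent:
```ruby
def redirect_after_sign_in(user)
  if params[:return_to].present?
    return_to = begin
      Addressable::URI.parse(params[:return_to])
    rescue Addressable::URI::InvalidURIError
      nil
    end
    # an unparseable return_to is ignored rather than raised
    if return_to && !never_return_to(user).include?(return_to.path)
      # … unchanged: same-host and remote-host redirection …
    end
  end
  redirect_to after_sign_in_url(user)
end
```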