class Authie::Session

Attributes

session[R]

The underlying session model instance

@return [Authie::SessionModel]

Public Class Methods

new(controller, session)

Initialize a new session object

@param controller [ActionController::Base] any controller
@param session [Authie::SessionModel] an Authie session model instance
@return [Authie::Session]

# File lib/authie/session.rb, line 43
# Wrap an Authie session model for use from within a controller.
#
# @param controller [ActionController::Base] the controller handling the current request
# @param session [Authie::SessionModel] the persisted session record being wrapped
# @return [Authie::Session]
def initialize(controller, session)
  @controller, @session = controller, session
end

Private Class Methods

get_session(controller)

Lookup a session for a given controller and return the session object.

@param controller [ActionController::Base]
@return [Authie::Session, nil] nil when there is no +user_session+ cookie or it does not resolve to a session

# File lib/authie/session.rb, line 267
# Lookup a session for a given controller and return the session object.
#
# Reads the +user_session+ cookie, resolves it through
# SessionModel.find_session_by_token and wraps the result. Returns nil when the
# cookie is missing/blank or no session matches the token. The raw cookie value is
# stored on the model as +temporary_token+ — presumably so the cookie can be
# re-written later without the plaintext token being kept in the database; the
# consumer of that attribute is not visible here.
#
# @param controller [ActionController::Base]
# @return [Authie::Session, nil]
def get_session(controller)
  token = controller.send(:cookies)[:user_session]
  return nil if token.blank?

  model = SessionModel.find_session_by_token(token)
  return nil if model.blank?

  model.temporary_token = token
  new(controller, model)
end
start(controller, user:, persistent: false, see_password: false, **params)

Create a new session within the given controller for the given user, invalidating any other active session that shares this browser's browser_id cookie.

@param controller [ActionController::Base]
@param user [ActiveRecord::Base] user
@param persistent [Boolean] create a persistent session (sets expires_at to persistent_session_length from now)
@param see_password [Boolean] record the password as seen at login time
@param params [Hash] additional attributes passed straight to SessionModel.new — do not forward unfiltered request params
@raises [ActiveRecord::RecordInvalid]
@return [Authie::Session]

# File lib/authie/session.rb, line 243
# Create a new session within the given controller for the given user.
#
# Any other active session recorded against this browser's +browser_id+ cookie is
# invalidated first, then a fresh SessionModel is built from +params+, populated
# with the login metadata of the current request, saved, and started (the instance
# +start+ sets the cookie and fires the :session_start notification).
#
# NOTE(review): +params+ goes straight into SessionModel.new, so callers must never
# pass unfiltered request params here.
# NOTE(review): if the browser_id cookie is absent, browser_id is stored as nil and
# the `where(browser_id: nil)` lookup would match every active session without a
# browser id. This assumes the controller extension always sets that cookie before
# start is called — confirm.
#
# @param controller [ActionController::Base]
# @param user [ActiveRecord::Base] the user the session belongs to
# @param persistent [Boolean] when true, expires_at is set persistent_session_length from now
# @param see_password [Boolean] when true, password_seen_at is set to now
# @param params [Hash] extra attributes handed to SessionModel.new
# @raises [ActiveRecord::RecordInvalid] if the new session record fails validation
# @return [Authie::Session]
def start(controller, user:, persistent: false, see_password: false, **params)
  request = controller.request
  browser_id = controller.send(:cookies)[:browser_id]

  # One live session per browser: replace any existing ones rather than stacking them.
  SessionModel.active.where(browser_id: browser_id).each(&:invalidate!)

  model = SessionModel.new(params)
  model.user = user
  model.browser_id = browser_id
  model.login_at = Time.now
  model.login_ip = request.ip
  model.login_ip_country = Authie.config.lookup_ip_country(request.ip)
  model.host = request.host
  model.user_agent = request.user_agent
  model.expires_at = Time.now + Authie.config.persistent_session_length if persistent
  model.password_seen_at = Time.now if see_password
  model.save!

  new(controller, model).start
end

Public Instance Methods

invalidate()

Invalidates the current session by marking it inactive and removing the current cookie.

@raises [ActiveRecord::RecordInvalid] @return [Authie::Session]

# File lib/authie/session.rb, line 80
# Invalidate the current session by marking it inactive and removing the current cookie.
#
# The model is invalidated before the cookie is deleted, so the session is revoked
# server-side even if the cookie removal does not happen.
#
# @raises [ActiveRecord::RecordInvalid]
# @return [Authie::Session]
def invalidate
  tap do
    @session.invalidate!
    cookies.delete(:user_session)
  end
end
Also aliased as: invalidate!
mark_as_two_factored(skip: nil)

Mark this request as two factored by setting the time and the current IP address.

@raises [ActiveRecord::RecordInvalid] @return [Authie::Session]

# File lib/authie/session.rb, line 128
# Mark this session as two factored by recording the time, the current IP address
# and its country, then save and fire the :mark_as_two_factor notification.
#
# +skip_two_factor+ is only written when +skip+ is given (non-nil); calling
# without it leaves the stored flag untouched.
#
# @param skip [Boolean, nil] value to store in skip_two_factor, or nil to leave it as is
# @raises [ActiveRecord::RecordInvalid]
# @return [Authie::Session]
def mark_as_two_factored(skip: nil)
  ip = @controller.request.ip

  @session.two_factored_at = Time.now
  @session.two_factored_ip = ip
  @session.two_factored_ip_country = Authie.config.lookup_ip_country(ip)
  @session.skip_two_factor = skip unless skip.nil?
  @session.save!

  Authie.notify(:mark_as_two_factor, session: self)
  self
end
Also aliased as: mark_as_two_factored!
persist()

Mark the current session as persistent. Will set the expiry time of the underlying session and update the cookie.

@raises [ActiveRecord::RecordInvalid] @return [Authie::Session]

# File lib/authie/session.rb, line 69
# Mark the current session as persistent: set the model's expiry to
# persistent_session_length from now, save it, and re-issue the cookie so its
# lifetime matches.
#
# @raises [ActiveRecord::RecordInvalid]
# @return [Authie::Session]
def persist
  tap do
    @session.expires_at = Authie.config.persistent_session_length.from_now
    @session.save!
    set_cookie
  end
end
Also aliased as: persist!
reset_token()

Resets the token for the currently active session to a new string

@return [Authie::Session]

# File lib/authie/session.rb, line 152
# Reset the token for the currently active session to a new string and re-issue
# the cookie with it, so the previously issued token stops identifying this
# session (useful after a change of privilege). Whether the model persists the
# new token itself is not visible here — presumably SessionModel#reset_token
# saves; confirm before relying on it.
#
# @return [Authie::Session]
def reset_token
  tap do
    @session.reset_token
    set_cookie
  end
end
see_password()

Mark the session’s password as seen at the current time

@raises [ActiveRecord::RecordInvalid] @return [Authie::Session]

# File lib/authie/session.rb, line 116
# Record that the session's password was seen at the current time, save, and
# fire the :see_password notification.
#
# @raises [ActiveRecord::RecordInvalid]
# @return [Authie::Session]
def see_password
  @session.password_seen_at = Time.now
  @session.save!

  Authie.notify(:see_password, session: self)
  self
end
Also aliased as: see_password!
start()

Starts a new session by setting the cookie. This should be invoked whenever a new session begins. It usually does not need to be called directly as it will be taken care of by the class-level start method.

@return [Authie::Session]

# File lib/authie/session.rb, line 143
# Start the session: issue the session cookie and fire the :session_start
# notification. Normally reached via the class-level +start+ rather than called
# directly.
#
# @return [Authie::Session]
def start
  tap do
    set_cookie
    Authie.notify(:session_start, session: self)
  end
end
touch()

Touches the current session to update the attributes which should be updated on each request. It will set the last activity time, IP (and, when the IP changed, its country) and path, increment the request counter, and extend the expiry when that is enabled. Note that the body shown below does not itself call validate; the validation errors listed here are raised only when the caller validates first.

@raises [Authie::Session::BrowserMismatch]
@raises [Authie::Session::InactiveSession]
@raises [Authie::Session::ExpiredSession]
@raises [Authie::Session::HostMismatch]
@raises [ActiveRecord::RecordInvalid]
@return [Authie::Session]

# File lib/authie/session.rb, line 97
# Update the per-request activity attributes of the session and save them.
#
# Sets last_activity_at, last_activity_ip and last_activity_path, increments the
# request counter, extends the expiry if configured to do so, saves, and fires
# the :touch notification.
#
# NOTE(review): this method does not call +validate+ itself, so it only raises
# the session validation errors if the caller has validated beforehand — confirm
# against the controller extension that drives it.
#
# @raises [ActiveRecord::RecordInvalid]
# @return [Authie::Session]
def touch
  request = @controller.request
  ip = request.ip

  @session.last_activity_at = Time.now
  # The country is only re-resolved when the IP actually changed, presumably
  # because the lookup is comparatively expensive.
  unless ip == @session.last_activity_ip
    @session.last_activity_ip_country = Authie.config.lookup_ip_country(ip)
  end
  @session.last_activity_ip = ip
  @session.last_activity_path = request.path
  @session.requests += 1

  extend_session_expiry_if_appropriate
  @session.save!

  Authie.notify(:touch, session: self)
  self
end
Also aliased as: touch!
validate()

Validate that the session is still usable from this request and raise an error if not. Each failed check invalidates the session (marks it inactive and removes the cookie) before raising.

@raises [Authie::Session::BrowserMismatch]
@raises [Authie::Session::InactiveSession]
@raises [Authie::Session::ExpiredSession]
@raises [Authie::Session::HostMismatch]
@return [Authie::Session]

# File lib/authie/session.rb, line 55
# Run every security check against the session, in order: browser binding,
# active flag, expiry, inactivity, host. The first failing check invalidates the
# session and raises; later checks are not reached.
#
# @raises [Authie::Session::BrowserMismatch]
# @raises [Authie::Session::InactiveSession]
# @raises [Authie::Session::ExpiredSession]
# @raises [Authie::Session::HostMismatch]
# @return [Authie::Session]
def validate
  %i[
    validate_browser_id
    validate_active
    validate_expiry
    validate_inactivity
    validate_host
  ].each { |check| send(check) }

  self
end
Also aliased as: check_security!

Private Instance Methods

check_security!()

Backwards compatibility with Authie < 4.0. These methods were all available on sessions in previous versions of Authie. They have been maintained for backwards-compatibility but will be removed entirely in Authie 5.0.

Alias for: validate
cookies()
# File lib/authie/session.rb, line 171
# The controller's cookie jar. +send+ is used because +cookies+ is presumably not
# a public method on the controller.
#
# @return [ActionDispatch::Cookies::CookieJar]
def cookies
  @controller.__send__(:cookies)
end
extend_session_expiry_if_appropriate()
# File lib/authie/session.rb, line 226
# Push the expiry of a persistent session forward on each touch, when enabled.
#
# Does nothing for sessions without an expiry (non-persistent ones) or when
# +extend_session_expiry_on_touch+ is off. Otherwise expires_at is reset to
# persistent_session_length from now and the cookie is re-issued to match. The
# caller is responsible for saving the model.
#
# @return [void]
def extend_session_expiry_if_appropriate
  return if @session.expires_at.nil?
  return unless Authie.config.extend_session_expiry_on_touch

  # Sliding expiry: every touched request restarts the persistent window.
  @session.expires_at = Authie.config.persistent_session_length.from_now
  set_cookie
end
invalidate!()
Alias for: invalidate
mark_as_two_factored!(skip: nil)
persist!()
Alias for: persist
see_password!()
Alias for: see_password
touch!()
Alias for: touch
validate_active()
# File lib/authie/session.rb, line 185
# Ensure the session is still marked active. If not, invalidate it (which also
# removes the cookie), fire :invalid_session_error and raise.
#
# @raises [Authie::Session::InactiveSession]
# @return [Authie::Session]
def validate_active
  return self if @session.active?

  invalidate
  Authie.notify(:invalid_session_error, session: self)
  raise InactiveSession.new('Session is no longer active', self)
end
validate_browser_id()
# File lib/authie/session.rb, line 175
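# Ensure the request carries the same browser_id cookie the session was created
# with. On mismatch the session is invalidated first (so a subscriber that raises
# cannot prevent revocation — the same order the other validate_* checks use),
# then :browser_id_mismatch_error is fired and BrowserMismatch raised.
#
# NOTE(review): both sides nil also compares equal, so a session whose browser_id
# was never recorded passes this check for any client without the cookie. That is
# only safe if the controller extension guarantees the cookie before sessions are
# started — confirm.
#
# @raises [Authie::Session::BrowserMismatch]
# @return [Authie::Session]
def validate_browser_id
  return self if cookies[:browser_id] == @session.browser_id

  invalidate
  Authie.notify(:browser_id_mismatch_error, session: self)
  raise BrowserMismatch.new('Browser ID mismatch', self)
end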
validate_expiry()
# File lib/authie/session.rb, line 195
# Ensure a persistent session has not passed its expiry. If it has, invalidate
# it, fire :expired_session_error and raise.
#
# @raises [Authie::Session::ExpiredSession]
# @return [Authie::Session]
def validate_expiry
  return self unless @session.expired?

  invalidate
  Authie.notify(:expired_session_error, session: self)
  raise ExpiredSession.new('Persistent session has expired', self)
end
validate_host()
# File lib/authie/session.rb, line 215
# Ensure the session is being used on the host it was created for. Sessions with
# no recorded host skip this check. On mismatch the session is invalidated,
# :host_mismatch_error is fired and HostMismatch raised.
#
# request.host comes from the request's Host header, so this check is only as
# trustworthy as the application's host authorization.
#
# @raises [Authie::Session::HostMismatch]
# @return [Authie::Session]
def validate_host
  expected = @session.host
  actual = @controller.request.host
  return self if expected.nil? || expected == actual

  invalidate
  Authie.notify(:host_mismatch_error, session: self)
  raise HostMismatch.new("Session was created on #{expected} but accessed using #{actual}", self)
end
validate_inactivity()
# File lib/authie/session.rb, line 205
# Ensure a non-persistent session has not gone idle for too long. If it has,
# invalidate it, fire :inactive_session_error and raise.
#
# @raises [Authie::Session::InactiveSession]
# @return [Authie::Session]
def validate_inactivity
  return self unless @session.inactive?

  invalidate
  Authie.notify(:inactive_session_error, session: self)
  raise InactiveSession.new('Non-persistent session has expired', self)
end