module Authpwn::SessionController

Included by the controller that handles user authentication.

Right now, some parts of the codebase assume the controller will be named Session.

Public Instance Methods

api_token()

GET /api_token

# File lib/authpwn_rails/session_controller.rb, line 105
# GET /api_token
#
# Shows the signed-in user's API token, minting one with Tokens::Api.random_for
# when the user has none yet. Requests without a current_user are handed to
# bounce_user and return early.
#
# The token code ends up in @api_token for the HTML view and is returned
# verbatim in the JSON body, so treat the response like a credential: it
# should travel only over TLS and should not be logged. Revocation happens in
# destroy_api_token.
def api_token
  unless current_user
    bounce_user
    return
  end

  existing = Tokens::Api.where(user_id: current_user.id).first
  record = existing || Tokens::Api.random_for(current_user)
  @api_token = record.code
  respond_to do |format|
    format.html
    format.json { render json: { api_token: @api_token } }
  end
end
auth_controller?()

True for controllers belonging to the authentication implementation.

Controllers that return true here are responsible for performing their own authorization.

# File lib/authpwn_rails/session_controller.rb, line 332
# True for controllers belonging to the authentication implementation.
#
# Controllers that answer true here are responsible for their own
# authorization, which is why every action in this module starts with its own
# current_user guard instead of relying on a shared filter.
#
# @return [true]
def auth_controller?
  true
end
bounce_notice_text(reason)

Hook for customizing the bounce notification text.

# File lib/authpwn_rails/session_controller.rb, line 352
# Hook for customizing the bounce notification text.
#
# @param reason [Symbol] failure code produced by an authenticate call
#   (:invalid, :expired or :blocked)
# @return [String, nil] the user-facing alert, or nil for an unrecognized
#   reason
#
# The :invalid text does not say whether the e-mail or the password was wrong,
# which keeps the sign-in form from confirming which accounts exist; keep that
# property when overriding. The :expired and :blocked texts, by contrast,
# presumably only appear for existing accounts.
def bounce_notice_text(reason)
  case reason
  when :invalid then 'Invalid e-mail or password'
  when :expired then 'Password expired. Please click "Forget password"'
  when :blocked then 'Account blocked. Please verify your e-mail address'
  end
end
change_password()

POST /session/change_password

# File lib/authpwn_rails/session_controller.rb, line 249
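# POST /session/change_password
#
# Sets a new password for the signed-in user. When the user already has a
# Credentials::Password, the supplied old password must check out before the
# record is updated with change_password_params; otherwise a fresh
# Credentials::Password is created for the user. Requests without a
# current_user are handed to bounce_user and return early.
#
# Success redirects to session_url (HTML) or answers 204 (JSON). Failure
# re-renders the password_change form (HTML) or answers { error: :invalid }
# (JSON).
#
# NOTE(review): nothing here touches other live sessions or API tokens, so
# they remain valid after the password changes; confirm that is intended.
def change_password
  unless current_user
    bounce_user
    return
  end

  @credential = current_user.credentials.
                             where(type:  'Credentials::Password').first
  if @credential
    # An old password is set, must verify it. Read it through require so a
    # request without a :credential hash fails as a 400 (ParameterMissing),
    # the same way change_password_params does, rather than as a
    # NoMethodError on nil.
    old_password = params.require(:credential)[:old_password]
    if @credential.check_password old_password
      success = @credential.update_attributes change_password_params
    else
      success = false
      # flash.now: this branch renders instead of redirecting, so a plain
      # flash[:alert] would also show up on the *next* request.
      flash.now[:alert] = 'Incorrect old password. Please try again.'
    end
  else
    @credential = Credentials::Password.new change_password_params
    @credential.user = current_user
    success = @credential.save
  end
  respond_to do |format|
    if success
      format.html do
        redirect_to session_url, notice: 'Password updated'
      end
      format.json { head :no_content }
    else
      format.html { render action: :password_change }
      format.json { render json: { error: :invalid } }
    end
  end
end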
create()

POST /session

# File lib/authpwn_rails/session_controller.rb, line 67
# POST /session
#
# Signs in with the credentials described by params[:session]. When
# params[:reset_password] is present the submission came from the "forgot
# password" button of the same form and is delegated to reset_password.
#
# On success the authenticated user becomes the session's current user,
# expired session tokens are purged when auto_purge_sessions is set, and the
# HTML client is redirected to @redirect_url (JSON: the user's as_json data
# plus a CSRF token). On failure auth is a Symbol naming the reason, which
# bounce_notice_text turns into the alert shown on the sign-in form.
#
# NOTE(review): @redirect_url is taken from params[:redirect_url] and passed
# to redirect_to without any host or path check, so a sign-in link prepared
# by a third party can send the freshly authenticated user off-site (an open
# redirect). Restricting it to same-origin paths would close that gap.
def create
  # Workaround for lack of browser support for the formaction attribute.
  return reset_password if params[:reset_password]

  @redirect_url = params[:redirect_url] || session_url
  @session = Session.from_params params
  auth = User.authenticate_signin @session
  failed = auth.is_a? Symbol
  unless failed
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end

  respond_to do |format|
    if current_user
      format.html { redirect_to @redirect_url }
      format.json do
        user_data = current_user.as_json
        user_data = user_data['user'] if current_user.class.include_root_in_json
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    else
      error_text = bounce_notice_text auth
      format.html do
        if params[:redirect_url]
          # Stash the target in the flash; new reads it back into
          # @redirect_url for the next attempt.
          redirect_to new_session_url, flash: { alert: error_text,
              auth_redirect_url: @redirect_url }
        else
          redirect_to new_session_url, alert: error_text
        end
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  end
end
destroy()

DELETE /session

# File lib/authpwn_rails/session_controller.rb, line 220
# DELETE /session
#
# Signs out by clearing the session's current user, then redirects to
# session_url (HTML) or answers 204 (JSON).
#
# NOTE(review): set_session_current_user nil is the only clean-up performed
# here; whether the session cookie itself is reset, and whether any
# Tokens::SessionUid for this session is removed, depends on that helper —
# confirm before relying on this for a full logout.
def destroy
  set_session_current_user nil
  respond_to do |format|
    format.html { redirect_to session_url }
    format.json { head :no_content }
  end
end
destroy_api_token()

DELETE /api_token

# File lib/authpwn_rails/session_controller.rb, line 121
# DELETE /api_token
#
# Revokes the signed-in user's API token. With a token present it is
# destroyed and the HTML client is redirected to api_token_session_url with a
# notice (JSON: {}); without one the redirect carries an alert instead
# (JSON: 404). Requests without a current_user are handed to bounce_user and
# return early.
#
# Only the first Tokens::Api row for the user is destroyed; if a user can hold
# more than one, the others stay valid — confirm that cannot happen.
def destroy_api_token
  unless current_user
    bounce_user
    return
  end

  revoked = Tokens::Api.where(user_id: current_user.id).first
  revoked.destroy if revoked
  respond_to do |format|
    if revoked
      format.html do
        redirect_to api_token_session_url,
                    notice: 'Your old API token has been revoked'
      end
      format.json { render json: {} }
    else
      format.html do
        redirect_to api_token_session_url,
                    alert: 'You had no old API token to revoke'
      end
      format.json { head :not_found }
    end
  end
end
new()

GET /session/new

# File lib/authpwn_rails/session_controller.rb, line 34
# GET /session/new
#
# Prepares the sign-in form. @session is built from params, and @redirect_url
# is restored from the flash entry that create/omniauth leave behind after a
# failed attempt. A visitor who is already signed in is sent to session_url
# instead of seeing the form.
def new
  @session = Session.from_params params
  @redirect_url = flash[:auth_redirect_url]
  return unless current_user
  redirect_to session_url
end
omniauth()

GET /auth/twitter/callback or POST /auth/twitter/callback

# File lib/authpwn_rails/session_controller.rb, line 292
# GET /auth/twitter/callback or POST /auth/twitter/callback
#
# Completes an OmniAuth sign-in from the request.env['omniauth.auth'] hash.
# On success the user becomes the session's current user and expired session
# tokens are purged when auto_purge_sessions is set; the client is then
# redirected to @redirect_url. On failure the client returns to the sign-in
# form with bounce_notice_text as the alert. Only HTML is served.
#
# NOTE(review): as in create, @redirect_url comes from params[:redirect_url]
# and is passed to redirect_to unchecked, so a crafted callback URL can send
# the authenticated user off-site (open redirect). Restricting it to
# same-origin paths would close that gap.
def omniauth
  @redirect_url = params[:redirect_url] || session_url
  auth = Credentials::OmniAuthUid.authenticate request.env['omniauth.auth']
  unless auth.is_a? Symbol
    set_session_current_user auth
    Tokens::SessionUid.remove_expired if auto_purge_sessions
  end
  error_text = current_user ? nil : bounce_notice_text(auth)

  respond_to do |format|
    format.html do
      if current_user
        redirect_to @redirect_url
      elsif params[:redirect_url]
        redirect_to new_session_url, flash: { alert: error_text,
            auth_redirect_url: @redirect_url }
      else
        redirect_to new_session_url, alert: error_text
      end
    end
  end
end
omniauth_failure()

GET /auth/failure

# File lib/authpwn_rails/session_controller.rb, line 319
# GET /auth/failure
#
# Target of OmniAuth's failure redirect. Sends the HTML client back to the
# sign-in form with a generic alert; the provider's failure reason is not
# surfaced. Only HTML is served.
def omniauth_failure
  failure_alert = 'Authentication failed. Please try again.'
  respond_to do |format|
    format.html { redirect_to new_session_url, alert: failure_alert }
  end
end
password_change()

GET /session/change_password

# File lib/authpwn_rails/session_controller.rb, line 229
# GET /session/change_password
#
# Prepares the password-change form. @credential is the user's existing
# Credentials::Password, or an unsaved one bound to current_user when there
# is none yet (change_password then creates it). Requests without a
# current_user are handed to bounce_user and return early. Only HTML is
# served.
def password_change
  unless current_user
    bounce_user
    return
  end

  respond_to do |format|
    format.html do
      @credential = current_user.credentials.
                                 where(type:  'Credentials::Password').first
      @credential ||= Credentials::Password.new.tap { |c| c.user = current_user }
      # Renders session/password_change.html.erb
    end
  end
end
reset_password()

POST /session/reset_password

# File lib/authpwn_rails/session_controller.rb, line 149
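# POST /session/reset_password
#
# Starts a password reset for the address in params[:session][:email]. When
# it matches a Credentials::Email with a user, a Tokens::PasswordReset is
# minted and mailed synchronously via SessionMailer.reset_password_email, and
# the client is told to check its inbox (JSON: {}). Otherwise the client gets
# an 'Invalid e-mail' alert (JSON: { error: :not_found, text: ... }).
#
# NOTE(review): the two branches answer differently, and the known-address
# branch additionally blocks on sending mail, so this endpoint reveals which
# e-mail addresses have accounts. If that matters for your deployment, return
# the same "check your e-mail" response in both cases and rate-limit the
# route.
def reset_password
  email = params[:session] && params[:session][:email]
  credential = Credentials::Email.with email
  user = credential && credential.user

  if user
    token = Tokens::PasswordReset.random_for user
    message = ::SessionMailer.reset_password_email(email, token, root_url)
    # TODO(pwnall): fix the serialization errors blocking deliver_later
    message.deliver_now
  end

  respond_to do |format|
    if user
      format.html do
        redirect_to new_session_url, alert:
            'Please check your e-mail for instructions'
      end
      format.json { render json: { } }
    else
      error_text = 'Invalid e-mail'
      format.html do
        redirect_to new_session_url, alert: error_text
      end
      format.json do
        # error_text, not the flash `notice` helper (which is nil here), so
        # the JSON client sees the same message as the HTML redirect.
        render json: { error: :not_found, text: error_text }
      end
    end
  end
end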
show()

GET /session

# File lib/authpwn_rails/session_controller.rb, line 41
# GET /session
#
# Landing page for the session. A signed-out visitor gets the welcome view
# (after the welcome hook), a signed-in user the home view (after the home
# hook); either hook may render or redirect itself, in which case performed?
# is true and nothing further is rendered. @user is current_user, or an
# unsaved User for anonymous visitors so the views always have one.
#
# JSON: {} for visitors, the user's as_json data plus a CSRF token otherwise.
def show
  @user = current_user || User.new
  if @user.new_record?
    welcome
    return if performed?
    respond_to do |format|
      format.html { render action: :welcome }
      format.json { render json: {} }
    end
  else
    home
    return if performed?
    respond_to do |format|
      format.html { render action: :home }
      format.json do
        user_data = @user.as_json
        user_data = user_data['user'] if @user.class.include_root_in_json
        render json: { user: user_data, csrf: form_authenticity_token }
      end
    end
  end
end
token()

GET /session/token/token-code

# File lib/authpwn_rails/session_controller.rb, line 180
# GET /session/token/token-code
#
# Signs in with a one-time login token taken from params[:code]. A missing or
# rejected token bounces the client to the sign-in form with
# bounce_notice_text as the alert (JSON: { error:, text: }). A valid token
# makes its user the session's current user, runs the home_with_token hook,
# and — unless the hook already rendered or redirected — redirects to
# session_url (JSON: the user's as_json data plus a CSRF token).
#
# The code travels in the URL path, so it can end up in server logs and
# Referer headers; that is why only Tokens::OneTime is accepted here rather
# than the long-lived API tokens.
def token
  # NOTE: We don't use Tokens::Base here because we don't want users to abuse
  #       API tokens to build permanent login links.
  #
  # This repeats the code in Token::Base.authenticate, because we need the
  # token.
  token = Tokens::OneTime.with_code(params[:code]).first
  auth = token ? token.authenticate : :invalid

  if auth.is_a? Symbol
    error_text = bounce_notice_text auth
    respond_to do |format|
      format.html do
        redirect_to new_session_url, flash: { alert: error_text,
            auth_redirect_url: session_url }
      end
      format.json { render json: { error: auth, text: error_text } }
    end
  else
    set_session_current_user auth
    home_with_token token
    unless performed?
      respond_to do |format|
        format.html { redirect_to session_url }
        format.json do
          user_data = current_user.as_json
          user_data = user_data['user'] if current_user.class.include_root_in_json
          render json: { user: user_data, csrf: form_authenticity_token }
        end
      end
    end
  end
end

Private Instance Methods

change_password_params()

Parameters used to change the user's password.

# File lib/authpwn_rails/session_controller.rb, line 284
# Parameters used to change the user's password.
#
# Requires a :credential hash (ParameterMissing, a 400, otherwise) and permits
# only :old_password, :password and :password_confirmation, which keeps any
# other Credentials::Password attribute out of mass assignment.
# :old_password is handed to update_attributes as well, so the model
# presumably exposes an old_password= writer — verify.
#
# @return [ActionController::Parameters]
def change_password_params
  params.require(:credential).
      permit(:old_password, :password, :password_confirmation)
end
home()

Hook for setting up the home view.

# File lib/authpwn_rails/session_controller.rb, line 337
# Hook for setting up the home view.
#
# Called by show for a signed-in user before the home view is rendered. The
# default does nothing; an override may render or redirect, and show then
# skips its own response (it checks performed?).
def home
  # no-op by default
end
home_with_token(token)

Hook for setting up the home view after token-based authentication.

# File lib/authpwn_rails/session_controller.rb, line 347
# Hook for setting up the home view after token-based authentication.
#
# Called by token once the user has been signed in. The default does nothing;
# an override may render or redirect, and token then skips its own response
# (it checks performed?).
#
# @param token [Tokens::OneTime] the token that was just used to sign in
def home_with_token(token)
  # no-op by default
end
welcome()

Hook for setting up the welcome view.

# File lib/authpwn_rails/session_controller.rb, line 342
# Hook for setting up the welcome view.
#
# Called by show for a visitor who is not signed in, before the welcome view
# is rendered. The default does nothing; an override may render or redirect,
# and show then skips its own response (it checks performed?).
def welcome
  # no-op by default
end