module QuoVadis::Controller

Public Class Methods

included(base)
# File lib/quo_vadis/controller.rb, line 6
# Hook run when a controller includes this module.  Wires three things into
# the including controller: the current request is published to
# CurrentRequestDetails before each action, the authentication predicates
# are exposed to views, and the session's last-seen timestamp is refreshed
# after each action.
def self.included(base)
  base.before_action do
    CurrentRequestDetails.request = request
  end

  base.helper_method :authenticated_model, :logged_in?

  # The last-seen touch has to run AFTER the action, i.e. after
  # `#authenticated_model` has already compared that timestamp for idleness.
  # Touching it first would make every session look freshly used and idle
  # sessions could never time out.
  base.after_action do |controller|
    controller.qv.touch_session_last_seen_at
  end
end

Public Instance Methods

authenticated_model()

Returns the model instance which has been authenticated by password, or nil.

# File lib/quo_vadis/controller.rb, line 68
# Returns the model instance which has been authenticated by password, or nil.
#
# The result is memoised for the rest of the request.  Note the `defined?`
# guard: a nil answer is cached as well, so the session lookup (and the
# logout below) runs at most once per request.
#
# Side effect: a session id that no longer maps to a live, unexpired session
# record is logged out here, so the stale id is not carried forward.
def authenticated_model
  return @authenticated_model if defined?(@authenticated_model)

  @authenticated_model =
    if qv.session_id
      current = qv.session

      # A session id with no matching record means the user logged this
      # session out remotely from another one; a record that reports
      # `expired?` (per the session model's own policy) is treated the same
      # way.  Either ends the login.
      if current.nil? || current.expired?
        qv.logout
        nil
      else
        current.account.model
      end
    else
      # Was never logged in, so there is nothing to log out.
      nil
    end
end
logged_in?()
# File lib/quo_vadis/controller.rb, line 61
# True when a model has been authenticated by password for this request,
# i.e. when `authenticated_model` is non-nil.
def logged_in?
  model = authenticated_model
  !model.nil?
end
login(model, browser_session = true)

To be called with a model which has authenticated with a password.

browser_session - true:  log in only for the duration of the browser session;
                  false: log in for QuoVadis.session_lifetime (which may be the browser session anyway)
# File lib/quo_vadis/controller.rb, line 39
# To be called with a model which has authenticated with a password.
#
# browser_session - true:  log in only for the duration of the browser session
#                   false: log in for QuoVadis.session_lifetime (which may be
#                          the browser session anyway)
#
# Records the successful login, creates a QuoVadis session row for the
# account, stores its id in the Rails session and returns the model.
def login(model, browser_session = true)
  account = model.qv_account
  qv.log(account, Log::LOGIN_SUCCESS)

  # Presumably resets the Rails session id before anything is stored in it,
  # so an id chosen before authentication does not survive into the
  # logged-in state -- confirm against QuoVadisWrapper.
  qv.prevent_rails_session_fixation

  expires_at = qv.lifetime_expires_at(browser_session)

  new_session = account.sessions.create!(
    ip:                  request.remote_ip,
    user_agent:          (request.user_agent || ''),
    lifetime_expires_at: expires_at
  )

  qv.store_session_id(new_session.id, expires_at)

  # `authenticated_model` would derive this from qv.session anyway; setting
  # it now spares that method a couple of database round trips.
  @authenticated_model = model
end
qv()
# File lib/quo_vadis/controller.rb, line 97
# Lazily builds the per-controller QuoVadisWrapper that the other helpers
# delegate to; the same instance is returned for the rest of the request.
def qv
  @qv_wrapper = QuoVadisWrapper.new(self) unless @qv_wrapper
  @qv_wrapper
end
request_confirmation(model)
# File lib/quo_vadis/controller.rb, line 88
# Starts account confirmation for model: mints a confirmation token for its
# QuoVadis account, emails the confirmation URL, remembers in the Rails
# session which account is awaiting confirmation, and sets a flash notice.
def request_confirmation(model)
  account = model.qv_account
  token = QuoVadis::AccountConfirmationToken.generate(account)

  QuoVadis.deliver(
    :account_confirmation,
    email: model.email,
    url:   quo_vadis.confirmation_url(token)
  )

  session[:account_pending_confirmation] = account.id
  flash[:notice] = QuoVadis.translate('flash.confirmation.create')
end
require_authentication()
require_password_authentication()
# File lib/quo_vadis/controller.rb, line 18
# Before-action: lets the request through when a model is logged in;
# otherwise remembers where the user was heading and sends them to the
# login page.  Also available as `require_authentication`.
def require_password_authentication
  return if logged_in?

  # original_fullpath should be path + query string only (no scheme or
  # host), so a post-login redirect back to this bookmark stays on this
  # site -- worth confirming wherever :qv_bookmark is consumed.
  session[:qv_bookmark] = request.original_fullpath

  notice = QuoVadis.translate('flash.require_authentication')
  redirect_to quo_vadis.login_path, notice: notice
end
Also aliased as: require_authentication
require_two_factor_authentication()

Implies require_password_authentication: a user who is not logged in is sent to the login page first.

# File lib/quo_vadis/controller.rb, line 27
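# Before-action for actions that need a second factor.  Implies
# require_password_authentication: an anonymous user is handled by that
# filter (login page) before any second-factor check is made.  Once a
# password login exists, the request passes when the account does not
# require a second factor, or has already supplied one for this session;
# otherwise the user is redirected to the TOTP challenge.
#
# Returns whatever the delegated filter or redirect_to returns; Rails
# ignores a before-action's return value, halting is via the redirect.
def require_two_factor_authentication
  return require_authentication unless logged_in?
  return unless qv.second_factor_required?
  return if qv.second_factor_authenticated?

  # Final statement, so the former `... and return` was dead code (and
  # `and` for control flow is a precedence trap); plain call instead.
  redirect_to quo_vadis.challenge_totps_path
end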