Class: Janus::SessionsController

Inherits:
ApplicationController
  • Object
show all
Includes:
InternalHelpers
Defined in:
lib/janus/controllers/sessions_controller.rb

Overview

This controller is responsible for creating and destroying authenticated user sessions.

The creation uses the DatabaseAuthenticatable strategy, while the destruction simply destroys any session, whatever strategy it was created with. Janus hooks will be called, of course, allowing to destroy any Rememberable cookies for instance, as well as any user defined behavior.

Instance Method Summary collapse

Methods included from InternalHelpers

#authenticate!, #janus_scope, #mailer_class, #resource, #resource=, #resource_authentication_params, #resource_class, #resource_name

Instance Method Details

#after_sign_in_url(user) ⇒ Object

An overridable method that returns the default path to return the just signed in user to. Defaults to return the user object, which will be interpreted by rails as ‘user_path(user)`.



64
65
66
 
# File 'lib/janus/controllers/sessions_controller.rb', line 64

def (user)
  user
end

#after_sign_out_url(scope) ⇒ Object

An overridable method that returns the default path to return the just signed out user to. Defaults to ‘root_url`.



70
71
72
 
# File 'lib/janus/controllers/sessions_controller.rb', line 70

def after_sign_out_url(scope)
  root_url
end

#createObject 



29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
# File 'lib/janus/controllers/sessions_controller.rb', line 29

def create
  self.resource = resource_class.find_for_database_authentication(resource_authentication_params)

  if resource && resource.valid_password?(params[resource_name][:password])
    janus.(resource, :scope => janus_scope, :rememberable => params[:remember_me])

    respond_to do |format|
      format.html { (resource) }
      format.any  { head :ok }
    end
  else
    respond_to do |format|
      format.html do
        self.resource ||= resource_class.new(resource_authentication_params)
        resource.clean_up_passwords
        resource.errors.add(:base, :not_found)
        render "new", :status => :unauthorized
      end
      format.any { head :unauthorized }
    end
  end
end

#destroyObject 



52
53
54
55
56
57
58
59
 
# File 'lib/janus/controllers/sessions_controller.rb', line 52

def destroy
  janus.logout(janus_scope)

  respond_to do |format|
    format.html { redirect_to after_sign_out_url(janus_scope) }
    format.any  { head :ok }
  end
end

#never_return_to(scope) ⇒ Object

Returns an Array of URL that we shouldn’t automatically return to. It actually returns URL to prevent infinite loops. We must for instance never return to new_sesssion_path.

If you ever needd to override this method, don’t forget to call ‘super`. For instance:

def never_return_to(scope)
  super + [ my_peculiar_path, another_path ]
end



103
104
105
106
107
108
109
110
111
 
# File 'lib/janus/controllers/sessions_controller.rb', line 103

def never_return_to(scope)
  scope = Janus.scope_for(scope)
  list = [new_session_path(scope)]
  begin
    list + [ destroy_session_path(scope), new_password_path(scope), edit_password_path(scope) ]
  rescue NoMethodError
    list
  end
end

#newObject

skip_before_filter :authenticate_user!



18
19
20
21
22
23
24
25
26
27
 
# File 'lib/janus/controllers/sessions_controller.rb', line 18

def new
  params[:return_to] ||= request.env["HTTP_REFERER"]

  if signed_in?(janus_scope)
    (send("current_#{janus_scope}"))
  else
    self.resource = resource_class.new
    respond_with(resource)
  end
end

#redirect_after_sign_in(user) ⇒ Object

Either redirects the user to after_sign_in_url or to params[:return_to].

If <tt>params is an absolute URL, and not just a path, valid_remote_host? will be invoked to check wether we should redirect to this URL or not, in order to secure auth tokens for RemoteAuthenticatable to leak into the wild.



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
 
# File 'lib/janus/controllers/sessions_controller.rb', line 119

def (user)
  if params[:return_to].present?
    return_to = Addressable::URI.parse(params[:return_to])

    unless never_return_to(user).include?(return_to.path)
      # path or same host redirection
      if valid_host?(return_to.host || request.host)
        redirect_to params[:return_to]
        return
      end

      # external host redirection
      if valid_remote_host?(return_to.host)
        if user.class.include?(Janus::Models::RemoteAuthenticatable)
          query = return_to.query_values || {}
          return_to.query_values = query.merge(
            user.class.remote_authentication_key => user.generate_remote_token!
          )
        end

        redirect_to return_to.to_s
        return
      end
    end
  end

  redirect_to (user)
end

#valid_host?(host) ⇒ Boolean

Returns true if host is request.host. You may want to overwrite this method to check if a user can access the current host and return false otherwise.

For instance when a user signed in from a subdomain she can’t access, and you want to redirect her to another subdomain.

Returns:

  • (Boolean) 


79
80
81
 
# File 'lib/janus/controllers/sessions_controller.rb', line 79

def valid_host?(host)
  host == request.host
end

#valid_remote_host?(host) ⇒ Boolean

Must return true if host is known and we allow to redirect the user with an auth_token.

Warning: must be overwritten by child classes because it always returns false by default!

Returns:

  • (Boolean) 


88
89
90
 
# File 'lib/janus/controllers/sessions_controller.rb', line 88

def valid_remote_host?(host)
  false
end