Class: TokensController

Inherits:
ActionController::Base
  • Object
Defined in:
app/controllers/tokens_controller.rb


Instance Method Details

#accept ⇒ Object



# File 'app/controllers/tokens_controller.rb', line 30

def accept
  # Second step of the trusted-device handshake. The user, control system and
  # one-time key that #authenticate stored in the session must still match a
  # TrustedDevice row that has not expired; every value is bound as a query
  # parameter, never interpolated into the SQL.
  criteria = 'user_id = ? AND control_system_id = ? AND one_time_key = ? AND (expires IS NULL OR expires > ?)'
  device = TrustedDevice.where(criteria, session[:token], session[:system], session[:key], Time.now).first

  # Missing session state, a wrong key or an expired row all end the same way: 403.
  return render :nothing => true, :status => :forbidden unless device.present?  # 403

  # Matched: let the device rotate its key and answer with an empty 200.
  device.accept_key
  render :nothing => true # success!
end

#authenticate ⇒ Object

Allowed through by the application controller.



# File 'app/controllers/tokens_controller.rb', line 10

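def authenticate  # Allowed through by application controller
  #
  # Auth(gen)
  # check the system matches (set user and system in session)
  # respond with success
  #
  # A trusted device presents its current one-time key (params[:key]) and the
  # control system it was issued for (params[:system]). The model does the key
  # lookup; the second argument (true) asks it to generate the next key. On a
  # match the session is primed for #accept and the next key is returned to
  # the device in a cookie. Anything else is a 403.
  dev = TrustedDevice.call(params[:key], true) # true means gen the next key

  # params[:system] is client-supplied and need not be a String (e.g. ?system[]=);
  # to_s.to_i turns such input into 0 (-> 403) instead of raising NoMethodError.
  if params[:system].present? && dev.present? && params[:system].to_s.to_i == dev.control_system_id
    # Referer is also client-supplied and may be absent or malformed. Resolve the
    # cookie path up front and fall back to '/' rather than raising, which would
    # turn a successful key rotation into a 500 with the new key never delivered.
    cookie_path = begin
      request.referer.present? ? URI.parse(request.referer).path : '/'
    rescue URI::InvalidURIError
      '/'
    end

    # #accept later matches exactly these three values against the row.
    session[:token] = dev.user_id
    session[:system] = dev.control_system_id
    session[:key] = params[:key]
    # NOTE(review): the cookie carrying the next key is neither httponly nor
    # secure; presumably the device script has to read it — confirm, and
    # consider :secure => request.ssl? if the site is served over TLS.
    cookies.permanent[:next_key] = {:value => dev.next_key, :path => cookie_path}

    render :nothing => true # success!
  else
    render :nothing => true, :status => :forbidden  # 403
  end
end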

#create ⇒ Object



# File 'app/controllers/tokens_controller.rb', line 55

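def create
  #
  # Application controller ensures we are logged in as real user
  # Ensure the user can access the control system requested (the control system does this too)
  # Generate key, populate the session
  #
  # Issues a new TrustedDevice (and so its first one-time key) for the logged-in
  # user on one of their own control systems. JSON responses: {} on success,
  # the model's validation errors with 406, or a 403 hash when there is no
  # logged-in user or the requested system is not theirs.
  user = session[:user].present? ? User.find(session[:user]) : nil # We have to be authed to get here

  # Authorisation check: the system is looked up through the user's own
  # association, so an id the user cannot access simply yields nil (-> 403).
  sys = user.control_systems.where('control_systems.id = ?', params[:system]).first unless user.nil?

  if user.present? && sys.present?
    # Resolve the cookie path BEFORE saving. Referer is client-supplied and may
    # be missing or malformed; raising after dev.save would persist a device
    # whose key never reaches the client.
    cookie_path = begin
      request.referer.present? ? URI.parse(request.referer).path : '/'
    rescue URI::InvalidURIError
      '/'
    end

    # params[:trusted_device] may be absent or not a hash; treat that as a nil
    # reason and let the model's validations decide, instead of a NoMethodError.
    attrs = params[:trusted_device]
    dev = TrustedDevice.new
    dev.reason = attrs.respond_to?(:key?) ? attrs[:reason] : nil
    dev.user = user
    dev.control_system = sys
    dev.save

    if !dev.new_record?
      # NOTE(review): the cookie carrying the first key is neither httponly nor
      # secure; presumably the device script has to read it — confirm, and
      # consider :secure => request.ssl? if the site is served over TLS.
      cookies.permanent[:next_key] = {:value => dev.one_time_key, :path => cookie_path}
      render :json => {} # success!
    else
      render :json => dev.errors.messages, :status => :not_acceptable  # 406
    end
  else
    if user.present?
      render :json => {:control => 'could not find the system selected'}, :status => :forbidden  # 403
    else
      render :json => {:you => 'are not authorised'}, :status => :forbidden  # 403
    end
  end
end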

#new ⇒ Object

Build a new session for the interface if the existing one has expired. This maintains the CSRF security. We don’t want to reset the session if a valid user is already authenticated either.



# File 'app/controllers/tokens_controller.rb', line 48

def new
  # Hand the interface a CSRF token for its next request. A session with no
  # logged-in user is discarded first so the token belongs to a fresh session;
  # a logged-in user keeps the session they have.
  # NOTE(review): only session[:user] is consulted, so a session holding just
  # the token state set by #authenticate is reset here as well — confirm that
  # is intended.
  logged_in = session[:user].present?
  reset_session unless logged_in

  render :text => form_authenticity_token
end

#servers ⇒ Object



# File 'app/controllers/tokens_controller.rb', line 87

def servers
  # JSON list of every Server row flagged online.
  # NOTE(review): records are serialised whole (every column). If the model
  # carries anything internal, restrict the output with :only/:except.
  online = Server.where(:online => true)
  render :json => online.all
end