Class: TokensController
- Inherits:
-
ActionController::Base
- Object
- ActionController::Base
- TokensController
- Defined in:
- app/controllers/tokens_controller.rb
Instance Method Summary
- #accept ⇒ Object
-
#authenticate ⇒ Object
Allowed through by application controller.
- #create ⇒ Object
-
#new ⇒ Object
Build a new session for the interface if the existing one has expired. This maintains the CSRF security. We don't want to reset the session if a valid user is already authenticated either.
- #servers ⇒ Object
Instance Method Details
#accept ⇒ Object
# File 'app/controllers/tokens_controller.rb', line 30
def accept
  # Completes the key exchange begun by #authenticate, which stored the user id,
  # control system id and presented one-time key in the session. All four
  # conditions are bound as placeholders; a NULL session value never satisfies
  # an SQL equality, so a session that never authenticated cannot match a row.
  # Responds with an empty 200 on success and an empty 403 otherwise.
  conditions = 'user_id = ? AND control_system_id = ? AND one_time_key = ? AND (expires IS NULL OR expires > ?)'
  dev = TrustedDevice.where(conditions, session[:token], session[:system], session[:key], Time.now).first

  if dev
    dev.accept_key
    render :nothing => true # success!
  else
    render :nothing => true, :status => :forbidden # 403
  end
end
#authenticate ⇒ Object
Allowed through by application controller
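# File 'app/controllers/tokens_controller.rb', line 10
def authenticate
  # Allowed through by application controller
  #
  # Auth(gen)
  # check the system matches (set user and system in session)
  # respond with success
  #
  # On success the session is bound to the device's user and control system and
  # the presented key is kept for #accept; the client receives the next key in a
  # cookie scoped to the path of the page that made the request. Any mismatch
  # (no key match, missing system, or a system id that is not the device's)
  # answers with an empty 403.
  dev = TrustedDevice.try_to_login(params[:key], true) # true means gen the next key

  if params[:system].present? && dev.present? && params[:system].to_i == dev.control_system_id
    session[:token] = dev.user_id
    session[:system] = dev.control_system_id
    session[:key] = params[:key]

    # The Referer header is client-supplied and may be absent. Previously a
    # missing header made URI.parse raise after the session had already been
    # populated; a nil path now falls through to the cookie jar's default path.
    referer_path = request.referer.present? ? URI.parse(request.referer).path : nil

    # NOTE(review): the receiver of this assignment was missing from the listing
    # and is reconstructed as the Rails cookie jar — confirm against the source.
    # The cookie carries an authentication key: if the client does not need to
    # read it from JavaScript, it should also be marked httponly and secure.
    cookies.permanent[:next_key] = {:value => dev.next_key, :path => referer_path}
    render :nothing => true # success!
  else
    render :nothing => true, :status => :forbidden # 403
  end
end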
#create ⇒ Object
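# File 'app/controllers/tokens_controller.rb', line 55
def create
  #
  # Application controller ensures we are logged in as real user
  # Ensure the user can access the control system requested (the control system does this too)
  # Generate key, populate the session
  #
  # Responds 403 when there is no user in the session or the user cannot see
  # the requested system, 406 with the model's errors when the device fails to
  # save, and an empty JSON object on success (the new one_time_key is handed
  # to the client in a cookie, not in the body).
  user = session[:user].present? ? User.find(session[:user]) : nil # We have to be authed to get here

  # Looking the system up through user.control_systems is the authorisation
  # check: an id the user cannot see yields nil instead of another user's system.
  sys = user.control_systems.where('control_systems.id = ?', params[:system]).first unless user.nil?

  if user.nil?
    render :json => {:you => 'are not authorised'}, :status => :forbidden # 403
  elsif sys.nil?
    render :json => {:control => 'could not find the system selected'}, :status => :forbidden # 403
  else
    # trusted_device may be absent from the request; indexing into nil raised
    # NoMethodError (a 500) where the model's validations should decide instead.
    device_params = params[:trusted_device]
    dev = TrustedDevice.new
    dev.reason = device_params.nil? ? nil : device_params[:reason]
    dev.user = user
    dev.control_system = sys

    if dev.save
      # Referer is client-supplied and may be absent; a nil path leaves the
      # cookie jar's default path instead of raising from URI.parse.
      referer_path = request.referer.present? ? URI.parse(request.referer).path : nil
      # NOTE(review): receiver reconstructed as the Rails cookie jar (the listing
      # dropped it) — confirm against the source. As in #authenticate, this cookie
      # carries a key; mark it httponly/secure unless the client reads it from JS.
      cookies.permanent[:next_key] = {:value => dev.one_time_key, :path => referer_path}
      render :json => {} # success!
    else
      # NOTE(review): the listing cut off a call chained after dev.errors; rendering
      # the errors object yields attribute-keyed messages — confirm against the source.
      render :json => dev.errors, :status => :not_acceptable # 406
    end
  end
end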
#new ⇒ Object
Build a new session for the interface if the existing one has expired. This maintains the CSRF security. We don't want to reset the session if a valid user is already authenticated either.
# File 'app/controllers/tokens_controller.rb', line 48
def new
  # Build a new session for the interface if the existing one has expired.
  # This maintains the csrf security. We don't want to reset the session if a
  # valid user is already authenticated either.
  #
  # Responds with the bare authenticity token as plain text so the client can
  # send it back with its requests. NOTE(review): whoever can read this response
  # holds a valid CSRF token; the same-origin policy is the only protection
  # visible here — confirm no permissive CORS policy applies to this action.
  reset_session if session[:user].blank?
  token = form_authenticity_token
  render :text => token
end
#servers ⇒ Object
# File 'app/controllers/tokens_controller.rb', line 87
def servers
  # Lists every server flagged online, serialised as JSON.
  # NOTE(review): rendering the records directly serialises every column of
  # Server; confirm none of them is sensitive, or pass an explicit :only list.
  online_servers = Server.where(:online => true).all
  render :json => online_servers
end