Module: Clearance::Authentication

Extended by:
ActiveSupport::Concern
Included in:
Controller
Defined in:
lib/clearance/authentication.rb

Instance Method Details

#authenticate(params) ⇒ User?

Authenticate a user with a provided email and password.

Parameters:

  • params (ActionController::Parameters)

    The parameters from the sign in form. params[:session][:email] and params[:session][:password] are required.

Returns:

  • (User, nil)

    The user or nil if authentication fails.



# File 'lib/clearance/authentication.rb', line 26

def authenticate(params)
  session_params = params.require(:session)

  Clearance.configuration.user_model.authenticate(
    session_params[:email], session_params[:password]
  )
end

#current_user ⇒ User?

Get the user from the current clearance session. Exposed as a helper_method, making it visible to views. Prefer #signed_in? or #signed_out? if you only want to check for the presence of a current user rather than access the actual user.

Returns:

  • (User, nil)

    The user if one is signed in or nil otherwise.



# File 'lib/clearance/authentication.rb', line 40

def current_user
  clearance_session.current_user
end

#handle_unverified_request ⇒ Object



# File 'lib/clearance/authentication.rb', line 111

def handle_unverified_request
  super
  sign_out
end

#sign_in(user, &block) ⇒ Object

Sign in the provided user. Signing in will run the stack of Configuration#sign_in_guards.

You can provide a block to this method to handle the result of that stack. Your block will receive either a SuccessStatus or FailureStatus.

sign_in(user) do |status|
  if status.success?
    # ...
  else
    # ...
  end
end

For an example of how clearance uses this internally, see SessionsController#create.

Signing in will also regenerate the CSRF token for the current session, provided Configuration#rotate_csrf_on_sign_in? is set.

Parameters:



# File 'lib/clearance/authentication.rb', line 65

def sign_in(user, &block)
  clearance_session.sign_in(user, &block)

  if signed_in? && Clearance.configuration.rotate_csrf_on_sign_in?
    if request.respond_to?(:reset_csrf_token)
      # Rails 7.1+
      request.reset_csrf_token
    else
      request.session.try(:delete, :_csrf_token)
    end
    form_authenticity_token
  end
end
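
The effect of the guard stack and the CSRF rotation branch in sign_in, as an added example that is not Clearance or Rails code: MiniController, Status, sign_in_outcome and the guard lambdas are hypothetical plain-Ruby stand-ins, and only the raw session token is modelled (not Rails' per-request masked token).

```ruby
require "securerandom"

# Hypothetical stand-ins for illustration; not Clearance or Rails classes.
Status = Struct.new(:failure_message) do
  def success?
    failure_message.nil?
  end
end

class MiniController
  attr_reader :session, :current_user

  # guards: callables returning nil (pass) or a failure message (reject)
  def initialize(rotate_csrf:, guards: [])
    @session = {} # stands in for request.session
    @rotate_csrf = rotate_csrf
    @guards = guards
  end

  # Models the lazy behaviour of the raw session token: reuse it or mint one.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def signed_in?
    !@current_user.nil?
  end

  # Same shape as sign_in above: run the guard stack, hand the status to
  # the block, then replace the pre-login CSRF token if sign-in succeeded.
  def sign_in(user)
    failure = @guards.lazy.map { |guard| guard.call(user) }.find { |msg| msg }
    @current_user = user if failure.nil?
    yield Status.new(failure) if block_given?

    if signed_in? && @rotate_csrf
      @session.delete(:_csrf_token)
      form_authenticity_token
    end
  end
end

# Returns [status.success?, whether the pre-login token is still valid].
def sign_in_outcome(rotate_csrf:, guards: [])
  controller = MiniController.new(rotate_csrf: rotate_csrf, guards: guards)
  pre_login_token = controller.form_authenticity_token # anonymous session
  success = nil
  controller.sign_in({ email: "user@example.com" }) { |s| success = s.success? }
  [success, controller.session[:_csrf_token] == pre_login_token]
end
```

With rotation enabled, a token issued to the anonymous session stops matching once sign-in succeeds; a rejected sign-in leaves the session token untouched because signed_in? is false.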

#sign_out ⇒ Object

Destroy the current user's Clearance session. See Session#sign_out for specifics.



# File 'lib/clearance/authentication.rb', line 81

def sign_out
  clearance_session.sign_out
end

#signed_in? ⇒ Boolean

True if there is a currently-signed-in user. Exposed as a helper_method, making it available to views.

Using signed_in? is preferable to checking #current_user against nil as it will allow you to introduce a null user object more simply at a later date.

Returns:

  • (Boolean)


# File 'lib/clearance/authentication.rb', line 93

def signed_in?
  clearance_session.signed_in?
end

#signed_out? ⇒ Boolean

True if there is no currently-signed-in user. Exposed as a helper_method, making it available to views.

Using signed_out? is preferable to checking for presence of #current_user as it will allow you to introduce a null user object more simply at a later date.

Returns:

  • (Boolean)


# File 'lib/clearance/authentication.rb', line 103

def signed_out?
  !signed_in?
end