Module: Devise::Models::Authenticatable
- Extended by:
- ActiveSupport::Concern
- Defined in:
- lib/devise/models/authenticatable.rb
Overview
Authenticatable module. Holds common settings for authentication.
Options
Authenticatable adds the following options to devise_for:
* +authentication_keys+: parameters used for authentication. By default [:email].
* +http_authentication_key+: map the username passed via HTTP Auth to this parameter. Defaults to
the first element in +authentication_keys+.
* +request_keys+: parameters from the request object used for authentication.
By specifying a symbol (which should be a request method), it will automatically be
passed to find_for_authentication method and considered in your model lookup.
For instance, if you set :request_keys to [:subdomain], :subdomain will be considered
as key on authentication. This can also be a hash where the value is a boolean specifying
if the value is required or not.
* +http_authenticatable+: if this model allows http authentication. By default false.
It also accepts an array specifying the strategies that should allow http.
* +params_authenticatable+: if this model allows authentication through request params. By default true.
It also accepts an array specifying the strategies that should allow params authentication.
* +skip_session_storage+: By default Devise will store the user in session.
By default is set to skip_session_storage: [:http_auth].
active_for_authentication?
After authenticating a user and in each request, Devise checks if your model is active by calling model.active_for_authentication?. This method is overwritten by other devise modules. For instance, :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
You can overwrite this method yourself, but if you do, don’t forget to call super:
def active_for_authentication?
super && special_condition_is_valid?
end
Whenever active_for_authentication? returns false, Devise asks the reason why your model is inactive using the inactive_message method. You can overwrite it as well:
def
special_condition_is_valid? ? super : :special_condition_is_not_valid
end
Defined Under Namespace
Modules: ClassMethods
Constant Summary collapse
- BLACKLIST_FOR_SERIALIZATION =
[:encrypted_password, :reset_password_token, :reset_password_sent_at, :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip, :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at, :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
Class Method Summary collapse
Instance Method Summary collapse
- #active_for_authentication? ⇒ Boolean
- #apply_to_attribute_or_variable(attr, method) ⇒ Object protected
- #authenticatable_salt ⇒ Object
- #devise_mailer ⇒ Object protected
- #downcase_keys ⇒ Object protected
- #inactive_message ⇒ Object
-
#inspect ⇒ Object
Redefine inspect using serializable_hash, to ensure we don’t accidentally leak passwords into exceptions.
-
#send_devise_notification(notification, *args) ⇒ Object
protected
This is an internal method called every time Devise needs to send a notification/mail.
-
#serializable_hash(options = nil) ⇒ Object
Redefine serializable_hash in models for more secure defaults.
- #strip_whitespace ⇒ Object protected
- #unauthenticated_message ⇒ Object
-
#valid_for_authentication? ⇒ Boolean
Check if the current object is valid for authentication.
Class Method Details
.required_fields(klass) ⇒ Object
72 73 74 |
# File 'lib/devise/models/authenticatable.rb', line 72 def self.required_fields(klass) [] end |
Instance Method Details
#active_for_authentication? ⇒ Boolean
90 91 92 |
# File 'lib/devise/models/authenticatable.rb', line 90 def active_for_authentication? true end |
#apply_to_attribute_or_variable(attr, method) ⇒ Object (protected)
207 208 209 210 211 212 213 214 215 216 217 218 219 |
# File 'lib/devise/models/authenticatable.rb', line 207 def apply_to_attribute_or_variable(attr, method) if self[attr] self[attr] = self[attr].try(method) # Use respond_to? here to avoid a regression where globally # configured strip_whitespace_keys or case_insensitive_keys were # attempting to strip or downcase when a model didn't have the # globally configured key. elsif respond_to?(attr) && respond_to?("#{attr}=") new_value = send(attr).try(method) send("#{attr}=", new_value) end end |
#authenticatable_salt ⇒ Object
98 99 |
# File 'lib/devise/models/authenticatable.rb', line 98 def authenticatable_salt end |
#devise_mailer ⇒ Object (protected)
130 131 132 |
# File 'lib/devise/models/authenticatable.rb', line 130 def devise_mailer Devise.mailer end |
#downcase_keys ⇒ Object (protected)
199 200 201 |
# File 'lib/devise/models/authenticatable.rb', line 199 def downcase_keys self.class.case_insensitive_keys.each { |k| apply_to_attribute_or_variable(k, :downcase) } end |
#inactive_message ⇒ Object
94 95 96 |
# File 'lib/devise/models/authenticatable.rb', line 94 def :inactive end |
#inspect ⇒ Object
Redefine inspect using serializable_hash, to ensure we don’t accidentally leak passwords into exceptions.
121 122 123 124 125 126 |
# File 'lib/devise/models/authenticatable.rb', line 121 def inspect inspection = serializable_hash.collect do |k,v| "#{k}: #{respond_to?(:attribute_for_inspect) ? attribute_for_inspect(k) : v.inspect}" end "#<#{self.class} #{inspection.join(", ")}>" end |
#send_devise_notification(notification, *args) ⇒ Object (protected)
This is an internal method called every time Devise needs to send a notification/mail. This can be overridden if you need to customize the e-mail delivery logic. For instance, if you are using a queue to deliver e-mails (delayed job, sidekiq, resque, etc), you must add the delivery to the queue just after the transaction was committed. To achieve this, you can override send_devise_notification to store the deliveries until the after_commit callback is triggered:
class User
devise :database_authenticatable, :confirmable
after_commit :send_pending_notifications
protected
def send_devise_notification(notification, *args)
# If the record is new or changed then delay the
# delivery until the after_commit callback otherwise
# send now because after_commit will not be called.
if new_record? || changed?
pending_notifications << [notification, args]
else
message = devise_mailer.send(notification, self, *args)
Remove once we move to Rails 4.2+ only.
if message.respond_to?(:deliver_now)
message.deliver_now
else
message.deliver
end
end
end
def send_pending_notifications
pending_notifications.each do |notification, args|
message = devise_mailer.send(notification, self, *args)
Remove once we move to Rails 4.2+ only.
if message.respond_to?(:deliver_now)
message.deliver_now
else
message.deliver
end
end
# Empty the pending notifications array because the
# after_commit hook can be called multiple times which
# could cause multiple emails to be sent.
pending_notifications.clear
end
def pending_notifications
@pending_notifications ||= []
end
end
189 190 191 192 193 194 195 196 197 |
# File 'lib/devise/models/authenticatable.rb', line 189 def send_devise_notification(notification, *args) = devise_mailer.send(notification, self, *args) # Remove once we move to Rails 4.2+ only. if .respond_to?(:deliver_now) .deliver_now else .deliver end end |
#serializable_hash(options = nil) ⇒ Object
Redefine serializable_hash in models for more secure defaults. By default, it removes from the serializable model all attributes that are not accessible. You can remove this default by using :force_except and passing a new list of attributes you want to exempt. All attributes given to :except will simply add names to exempt to Devise internal list.
106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/devise/models/authenticatable.rb', line 106 def serializable_hash( = nil) = .try(:dup) || {} [:except] = Array([:except]) if [:force_except] [:except].concat Array([:force_except]) else [:except].concat BLACKLIST_FOR_SERIALIZATION end super() end |
#strip_whitespace ⇒ Object (protected)
203 204 205 |
# File 'lib/devise/models/authenticatable.rb', line 203 def strip_whitespace self.class.strip_whitespace_keys.each { |k| apply_to_attribute_or_variable(k, :strip) } end |
#unauthenticated_message ⇒ Object
86 87 88 |
# File 'lib/devise/models/authenticatable.rb', line 86 def :invalid end |
#valid_for_authentication? ⇒ Boolean
Check if the current object is valid for authentication. This method and find_for_authentication are the methods used in a Warden::Strategy to check if a model should be signed in or not.
However, you should not overwrite this method, you should overwrite active_for_authentication? and inactive_message instead.
82 83 84 |
# File 'lib/devise/models/authenticatable.rb', line 82 def valid_for_authentication? block_given? ? yield : true end |