Module: DeviseTokenAuth::Concerns::SetUserByToken
- Extended by:
- ActiveSupport::Concern
- Included in:
- ApplicationController, SessionsController
- Defined in:
- app/controllers/devise_token_auth/concerns/set_user_by_token.rb
Instance Method Details
#set_user_by_token ⇒ Object
user auth
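# File 'app/controllers/devise_token_auth/concerns/set_user_by_token.rb', line 10
# Authenticates the current request from its +Authorization+ header.
#
# The header is expected to carry space-separated "token=", "client=" and
# "uid=" segments. The user is looked up by uid and the presented token is
# checked against that client's stored token with User#valid_token? (defined
# elsewhere in the project). On success the user is signed in without a
# session store (sign_in is presumably the Devise helper — confirm) and
# @user/@current_user are set; on any failure both are nil.
#
# @return [false, nil, Object] false when the header is absent or carries no
#   token segment; otherwise the value of the sign_in/else branch. Callers
#   should rely on @user/@current_user rather than on the return value.
def set_user_by_token
  auth_header = request.headers["Authorization"]
  # missing auth token
  return false unless auth_header

  token = auth_header[/token=(.*?) /, 1]
  uid = auth_header[/uid=(.*?)$/, 1]
  @client_id = auth_header[/client=(.*?) /, 1]
  @client_id ||= 'default'

  # Header present but no token segment: never hand a nil token to the model
  # for comparison; treat it exactly like a failed validation and bail out.
  unless token
    @user = @current_user = nil
    return false
  end

  # mitigate timing attacks by finding by uid instead of auth token
  @user = @current_user = uid && User.find_by_uid(uid)

  if @user && @user.valid_token?(@client_id, token)
    sign_in(:user, @user, store: false, bypass: true)
  else
    @user = @current_user = nil
  end
end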
#update_auth_header ⇒ Object
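# File 'app/controllers/devise_token_auth/concerns/set_user_by_token.rb', line 32
# Rotates the authenticated user's token for the current client and returns
# the new plaintext token in the +Authorization+ response header.
#
# Intended to run after set_user_by_token: it is a no-op unless @user is set.
# A fresh random token is generated, only its BCrypt hash is stored under
# @user.tokens[@client_id] together with a two-week expiry, and the plaintext
# is sent back as "token=... client=... uid=...". The header is set only when
# the user record was saved, so the client is never handed a token that the
# next request would reject.
#
# @return [String, nil] the header value that was set, or nil when there is
#   no authenticated user or the user could not be saved
def update_auth_header
  return unless @user

  # update user's auth token (should happen on each request)
  token = SecureRandom.urlsafe_base64(nil, false)
  token_hash = BCrypt::Password.create(token)

  @user.tokens[@client_id] = {
    token: token_hash,
    expiry: Time.now + 2.weeks
  }

  # A failed save would leave the old token in the store while the client
  # receives a new one it cannot use; keep the old header in that case.
  return unless @user.save

  # update Authorization response header with new token
  response.headers["Authorization"] = "token=#{token} client=#{@client_id} uid=#{@user.uid}"
end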