Module: SignIn::Authentication

Extended by:

ActiveSupport::Concern

Included in:

AuthenticationAndSSOConcerns, Instrumentation, ApplicationController, ServiceAccountApplicationController

Defined in:

app/controllers/concerns/sign_in/authentication.rb

Constant Summary

BEARER_PATTERN =

/^Bearer /

Instance Method Summary

• #access_token ⇒ Object private
• #access_token_authenticate(skip_error_handling: false) ⇒ Object protected
• #authenticate ⇒ Object protected
• #authenticate_access_token(with_validation: true) ⇒ Object private
• #bearer_token ⇒ Object private
• #cookie_access_token(access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME) ⇒ Object private
• #handle_authenticate_error(error, access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME) ⇒ Object private
• #load_user(skip_expiration_check: false) ⇒ Object protected
• #load_user_object ⇒ Object private
• #scrub_bearer_token ⇒ Object private
• #validate_request_ip ⇒ Object private

Instance Method Details

#access_token ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 47

def access_token
  @access_token ||= authenticate_access_token
end

#access_token_authenticate(skip_error_handling: false) ⇒ Object (protected)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 37

def access_token_authenticate(skip_error_handling: false)
  access_token.present?
rescue Errors::AccessTokenExpiredError => e
  render json: { errors: e }, status: :forbidden unless skip_error_handling
rescue Errors::StandardError => e
  handle_authenticate_error(e) unless skip_error_handling
end

#authenticate ⇒ Object (protected)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 17

def authenticate
  @current_user = load_user_object
  validate_request_ip
  @current_user.present?
rescue Errors::AccessTokenExpiredError => e
  render json: { errors: e }, status: :forbidden
rescue Errors::StandardError => e
  handle_authenticate_error(e)
end

#authenticate_access_token(with_validation: true) ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 62

def authenticate_access_token(with_validation: true)
  access_token_jwt = bearer_token || cookie_access_token
  AccessTokenJwtDecoder.new(access_token_jwt:).perform(with_validation:)
end

#bearer_token ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 51

def bearer_token
  header = request.authorization
  header.gsub(BEARER_PATTERN, '') if header&.match(BEARER_PATTERN)
end

#cookie_access_token(access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME) ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 56

def cookie_access_token(access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME)
  return unless defined?(cookies)

  cookies[access_token_cookie_name]
end

#handle_authenticate_error(error, access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME) ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 71

def handle_authenticate_error(error, access_token_cookie_name: Constants::Auth::ACCESS_TOKEN_COOKIE_NAME)
  context = {
    access_token_authorization_header: scrub_bearer_token,
    access_token_cookie: cookie_access_token(access_token_cookie_name:)
  }.compact

  log_message_to_sentry(error.message, :error, context) if context.present?
  render json: { errors: error }, status: :unauthorized
end

#load_user(skip_expiration_check: false) ⇒ Object (protected)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 27

def load_user(skip_expiration_check: false)
  @current_user = load_user_object
  validate_request_ip
  @current_user.present?
rescue Errors::AccessTokenExpiredError => e
  render json: { errors: e }, status: :forbidden unless skip_expiration_check
rescue Errors::StandardError
  nil
end

#load_user_object ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 67

def load_user_object
  UserLoader.new(access_token:, request_ip: request.remote_ip).perform
end

#scrub_bearer_token ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 81

def scrub_bearer_token
  bearer_token == 'undefined' ? nil : bearer_token
end

#validate_request_ip ⇒ Object (private)

# File 'app/controllers/concerns/sign_in/authentication.rb', line 85

def validate_request_ip
  return if @current_user.fingerprint == request.remote_ip

  log_context = { request_ip: request.remote_ip, fingerprint: @current_user.fingerprint }
  Rails.logger.warn('[SignIn][Authentication] fingerprint mismatch', log_context)
  @current_user.fingerprint = request.remote_ip
  @current_user.save
end