Class: Otto::Security::Authentication::AuthStrategy
- Inherits:
-
Object
- Object
- Otto::Security::Authentication::AuthStrategy
- Defined in:
- lib/otto/security/authentication/auth_strategy.rb
Overview
Base class for all authentication strategies
Direct Known Subclasses
Strategies::APIKeyStrategy, Strategies::NoAuthStrategy, Strategies::PermissionStrategy, Strategies::RoleStrategy, Strategies::SessionStrategy
Instance Method Summary collapse
-
#authenticate(env, requirement) ⇒ Otto::Security::Authentication::StrategyResult, Otto::Security::Authentication::AuthFailure
Check if the request meets the authentication requirements.
-
#authorization_failure(reason = nil) ⇒ Object
protected
Helper for authorization failure - return AuthorizationFailure.
-
#failure(reason = nil) ⇒ Object
protected
Helper for authentication failure - return AuthFailure.
-
#success(user:, session: {}, auth_method: nil, **metadata) ⇒ Object
protected
Helper to create successful strategy result.
Instance Method Details
#authenticate(env, requirement) ⇒ Otto::Security::Authentication::StrategyResult, Otto::Security::Authentication::AuthFailure
Check if the request meets the authentication requirements
19 20 21 |
# File 'lib/otto/security/authentication/auth_strategy.rb', line 19 def authenticate(env, requirement) raise NotImplementedError, 'Subclasses must implement #authenticate' end |
#authorization_failure(reason = nil) ⇒ Object (protected)
Helper for authorization failure - return AuthorizationFailure
Use when the credential is valid but the authenticated subject is not permitted (wrong role, missing permission). RouteAuthWrapper maps this to 403 Forbidden, letting clients distinguish “authenticate again” (401) from “you lack this permission” (403). See AuthorizationFailure.
59 60 61 62 63 64 65 |
# File 'lib/otto/security/authentication/auth_strategy.rb', line 59 def (reason = nil) Otto.logger.debug "[#{self.class}] Authorization denied: #{reason}" if reason Otto::Security::Authentication::AuthorizationFailure.new( failure_reason: reason || 'Authorization denied', auth_method: strategy_auth_method ) end |
#failure(reason = nil) ⇒ Object (protected)
Helper for authentication failure - return AuthFailure
Use for a missing, invalid, or expired credential. RouteAuthWrapper maps this to 401 Unauthorized. For a VALID credential that is not permitted, use #authorization_failure instead (403 Forbidden).
45 46 47 48 49 50 51 |
# File 'lib/otto/security/authentication/auth_strategy.rb', line 45 def failure(reason = nil) Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason Otto::Security::Authentication::AuthFailure.new( failure_reason: reason || 'Authentication failed', auth_method: strategy_auth_method ) end |
#success(user:, session: {}, auth_method: nil, **metadata) ⇒ Object (protected)
Helper to create successful strategy result
NOTE: strategy_name will be injected by RouteAuthWrapper after strategy execution. Strategies don’t know their registered name, so we pass nil here and let the wrapper set it based on how the strategy was registered via add_auth_strategy(name, strategy).
30 31 32 33 34 35 36 37 38 |
# File 'lib/otto/security/authentication/auth_strategy.rb', line 30 def success(user:, session: {}, auth_method: nil, **) Otto::Security::Authentication::StrategyResult.new( session: session, user: user, auth_method: auth_method || strategy_auth_method, metadata: , strategy_name: nil # Will be set by RouteAuthWrapper ) end |