Class: Otto::Security::Authentication::AuthStrategy

Inherits:
Object
  • Object
show all
Defined in:
lib/otto/security/authentication/auth_strategy.rb

Overview

Base class for all authentication strategies

Instance Method Summary collapse

Instance Method Details

#authenticate(env, requirement) ⇒ Otto::Security::Authentication::StrategyResult, Otto::Security::Authentication::AuthFailure

Check if the request meets the authentication requirements

Parameters:

  • env (Hash)

    Rack environment

  • requirement (String)

    Authentication requirement string

Returns:

Raises:

  • (NotImplementedError)


19
20
21
# File 'lib/otto/security/authentication/auth_strategy.rb', line 19

def authenticate(env, requirement)
  raise NotImplementedError, 'Subclasses must implement #authenticate'
end

#authorization_failure(reason = nil) ⇒ Object (protected)

Helper for authorization failure - return AuthorizationFailure

Use when the credential is valid but the authenticated subject is not permitted (wrong role, missing permission). RouteAuthWrapper maps this to 403 Forbidden, letting clients distinguish “authenticate again” (401) from “you lack this permission” (403). See AuthorizationFailure.



59
60
61
62
63
64
65
# File 'lib/otto/security/authentication/auth_strategy.rb', line 59

def authorization_failure(reason = nil)
  Otto.logger.debug "[#{self.class}] Authorization denied: #{reason}" if reason
  Otto::Security::Authentication::AuthorizationFailure.new(
    failure_reason: reason || 'Authorization denied',
    auth_method: strategy_auth_method
  )
end

#failure(reason = nil) ⇒ Object (protected)

Helper for authentication failure - return AuthFailure

Use for a missing, invalid, or expired credential. RouteAuthWrapper maps this to 401 Unauthorized. For a VALID credential that is not permitted, use #authorization_failure instead (403 Forbidden).



45
46
47
48
49
50
51
# File 'lib/otto/security/authentication/auth_strategy.rb', line 45

def failure(reason = nil)
  Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason
  Otto::Security::Authentication::AuthFailure.new(
    failure_reason: reason || 'Authentication failed',
    auth_method: strategy_auth_method
  )
end

#success(user:, session: {}, auth_method: nil, **metadata) ⇒ Object (protected)

Helper to create successful strategy result

NOTE: strategy_name will be injected by RouteAuthWrapper after strategy execution. Strategies don’t know their registered name, so we pass nil here and let the wrapper set it based on how the strategy was registered via add_auth_strategy(name, strategy).



30
31
32
33
34
35
36
37
38
# File 'lib/otto/security/authentication/auth_strategy.rb', line 30

def success(user:, session: {}, auth_method: nil, **)
  Otto::Security::Authentication::StrategyResult.new(
    session: session,
    user: user,
    auth_method: auth_method || strategy_auth_method,
    metadata: ,
    strategy_name: nil # Will be set by RouteAuthWrapper
  )
end