Class: QuoVadis::Controller::QuoVadisWrapper

Inherits:

Object

• Object
• QuoVadis::Controller::QuoVadisWrapper

Defined in:

lib/quo_vadis/controller.rb

Instance Method Summary

• #clear_session_id ⇒ Object
• #initialize(controller) ⇒ QuoVadisWrapper constructor

  A new instance of QuoVadisWrapper.

• #lifetime_expires_at(browser_session) ⇒ Object
• #log(account, action, metadata = {}) ⇒ Object
• #logout ⇒ Object
• #logout_other_sessions ⇒ Object
• #path_after_authentication ⇒ Object
• #path_after_password_change ⇒ Object
• #path_after_signup ⇒ Object
• #prevent_rails_session_fixation ⇒ Object
• #replace_session ⇒ Object
• #second_factor_authenticated? ⇒ Boolean
• #second_factor_required? ⇒ Boolean

  Assumes user is logged in.

• #session ⇒ Object

  Returns the current QuoVadis session or nil.

• #session_authenticated_with_second_factor ⇒ Object
• #session_id ⇒ Object
• #store_session_id(id, expires_at) ⇒ Object

  Store the session id in an encrypted cookie.

• #touch_session_last_seen_at ⇒ Object

Constructor Details

#initialize(controller) ⇒ QuoVadisWrapper

Returns a new instance of QuoVadisWrapper.

# File 'lib/quo_vadis/controller.rb', line 106

def initialize(controller)
  @controller = controller
end

Instance Method Details

#clear_session_id ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 136

def clear_session_id
  cookies.delete QuoVadis.cookie_name
end

#lifetime_expires_at(browser_session) ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 172

def lifetime_expires_at(browser_session)
  return nil if browser_session
  return nil if QuoVadis.session_lifetime == :session

  t = ActiveSupport::Duration.build(QuoVadis.session_lifetime).from_now
  QuoVadis.session_lifetime_extend_to_end_of_day ? t.end_of_day : t
end

#log(account, action, metadata = {}) ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 191

def log(account, action, metadata = {})
  Log.create account: account, action: action, ip: request.remote_ip, metadata: metadata
end

#logout ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 180

def logout
  session&.destroy
  clear_session_id
  reset_session
  controller.instance_variable_set :@authenticated_model, nil
end

#logout_other_sessions ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 187

def logout_other_sessions
  session.logout_other_sessions
end

#path_after_authentication ⇒ Object

Raises:

• (RuntimeError)

# File 'lib/quo_vadis/controller.rb', line 202

def path_after_authentication
  if (bookmark = rails_session[:qv_bookmark])
    rails_session.delete :qv_bookmark
    return bookmark
  end
  return main_app.after_login_path if main_app.respond_to?(:after_login_path)
  return main_app.root_path        if main_app.respond_to?(:root_path)
  raise RuntimeError, 'Missing routes: after_login_path, root_path; define at least one of them.'
end

#path_after_password_change ⇒ Object

Raises:

• (RuntimeError)

# File 'lib/quo_vadis/controller.rb', line 212

def path_after_password_change
  return main_app.after_password_change_path if main_app.respond_to?(:after_password_change_path)
  return main_app.root_path                  if main_app.respond_to?(:root_path)
  raise RuntimeError, 'Missing routes: after_password_change_path, root_path; define at least one of them.'
end

#path_after_signup ⇒ Object

Raises:

• (RuntimeError)

# File 'lib/quo_vadis/controller.rb', line 195

def path_after_signup
  return main_app.after_signup_path if main_app.respond_to?(:after_signup_path)
  return main_app.after_login_path  if main_app.respond_to?(:after_login_path)
  return main_app.root_path         if main_app.respond_to?(:root_path)
  raise RuntimeError, 'Missing routes: after_signup_path, after_login_path, root_path; define at least one of them.'
end

#prevent_rails_session_fixation ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 140

def prevent_rails_session_fixation
  old_session = rails_session.to_hash
  reset_session
  old_session.each { |k,v| rails_session[k] = v }
end

#replace_session ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 163

def replace_session
  prevent_rails_session_fixation

  sess = session.replace
  store_session_id sess.id, sess.lifetime_expires_at

  controller.instance_variable_set :@authenticated_model, sess.account.model
end

#second_factor_authenticated? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/quo_vadis/controller.rb', line 151

def second_factor_authenticated?
  session.second_factor_authenticated?
end

#second_factor_required? ⇒ Boolean

Assumes user is logged in.

Returns:

• (Boolean)

# File 'lib/quo_vadis/controller.rb', line 147

def second_factor_required?
  QuoVadis.two_factor_authentication_mandatory || authenticated_model.qv_account.has_two_factors?
end

#session ⇒ Object

Returns the current QuoVadis session or nil.

# File 'lib/quo_vadis/controller.rb', line 111

def session
  return nil unless session_id
  QuoVadis::Session.find_by id: session_id
end

#session_authenticated_with_second_factor ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 159

def session_authenticated_with_second_factor
  session.authenticated_with_second_factor
end

#session_id ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 116

def session_id
  cookies.encrypted[QuoVadis.cookie_name]
end

#store_session_id(id, expires_at) ⇒ Object

Store the session id in an encrypted cookie.

Given that the cookie is encrypted, it is safe to store the database primary key of the session rather than a random-value candidate key.

expires_at - the end of the QuoVadis session's lifetime (regardless of the idle timeout)

# File 'lib/quo_vadis/controller.rb', line 126

def store_session_id(id, expires_at)
  cookies.encrypted[QuoVadis.cookie_name] = {
    value:     id,
    httponly:  true,
    secure:    Rails.env.production?,
    same_site: :lax,
    expires:   expires_at  # setting expires_at to nil has the same effect as not setting it
  }
end

#touch_session_last_seen_at ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 155

def touch_session_last_seen_at
  session&.touch :last_seen_at
end