Class: QuoVadis::Controller::QuoVadisWrapper

Inherits:

Object

• Object
• QuoVadis::Controller::QuoVadisWrapper

Defined in:

lib/quo_vadis/controller.rb

Instance Method Summary

• #clear_session_id ⇒ Object
• #initialize(controller) ⇒ QuoVadisWrapper constructor

  A new instance of QuoVadisWrapper.

• #lifetime_expires_at(browser_session) ⇒ Object
• #log(account, action, metadata = {}) ⇒ Object
• #logout ⇒ Object
• #logout_other_sessions ⇒ Object
• #path_after_authentication ⇒ Object
• #path_after_password_change ⇒ Object
• #prevent_rails_session_fixation ⇒ Object
• #replace_session ⇒ Object
• #request_confirmation(model) ⇒ Object
• #require_confirmation ⇒ Object
• #second_factor_authenticated? ⇒ Boolean
• #second_factor_required? ⇒ Boolean

  Assumes user is logged in.

• #session ⇒ Object

  Returns the current QuoVadis session or nil.

• #session_authenticated_with_second_factor ⇒ Object
• #session_id ⇒ Object
• #store_session_id(id, expires_at) ⇒ Object

  Store the session id in an encrypted cookie.

• #touch_session_last_seen_at ⇒ Object

Constructor Details

#initialize(controller) ⇒ QuoVadisWrapper

Returns a new instance of QuoVadisWrapper.

# File 'lib/quo_vadis/controller.rb', line 116

def initialize(controller)
  @controller = controller
end

Instance Method Details

#clear_session_id ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 146

def clear_session_id
  cookies.delete QuoVadis.cookie_name
end

#lifetime_expires_at(browser_session) ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 205

def lifetime_expires_at(browser_session)
  return nil if browser_session
  return nil if QuoVadis.session_lifetime == :session

  t = ActiveSupport::Duration.build(QuoVadis.session_lifetime).from_now
  QuoVadis.session_lifetime_extend_to_end_of_day ? t.end_of_day : t
end

#log(account, action, metadata = {}) ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 224

def log(account, action, metadata = {})
  Log.create account: account, action: action, ip: request.remote_ip, metadata: metadata
end

#logout ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 213

def logout
  session&.destroy
  clear_session_id
  prevent_rails_session_fixation
  controller.instance_variable_set :@authenticated_model, nil
end

#logout_other_sessions ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 220

def logout_other_sessions
  session.logout_other_sessions
end

#path_after_authentication ⇒ Object

Raises:

• (RuntimeError)

# File 'lib/quo_vadis/controller.rb', line 228

def path_after_authentication
  if (bookmark = rails_session[:qv_bookmark])
    rails_session.delete :qv_bookmark
    return bookmark
  end
  return main_app.after_login_path if main_app.respond_to?(:after_login_path)
  return main_app.root_path        if main_app.respond_to?(:root_path)
  raise RuntimeError, 'Missing routes: after_login_path, root_path; define at least one of them.'
end

#path_after_password_change ⇒ Object

Raises:

• (RuntimeError)

# File 'lib/quo_vadis/controller.rb', line 238

def path_after_password_change
  return main_app.after_password_change_path if main_app.respond_to?(:after_password_change_path)
  return main_app.root_path                  if main_app.respond_to?(:root_path)
  raise RuntimeError, 'Missing routes: after_password_change_path, root_path; define at least one of them.'
end

#prevent_rails_session_fixation ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 150

def prevent_rails_session_fixation
  old_session = rails_session.to_hash
  reset_session
  old_session.each { |k,v| rails_session[k] = v }
end

#replace_session ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 196

def replace_session
  prevent_rails_session_fixation

  sess = session.replace
  store_session_id sess.id, sess.lifetime_expires_at

  controller.instance_variable_set :@authenticated_model, sess.account.model
end

#request_confirmation(model) ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 166

def request_confirmation(model)
  rails_session[:account_pending_confirmation] = model.qv_account.id

  expiration = QuoVadis.account_confirmation_otp_lifetime.from_now.to_i
  rails_session[:account_confirmation_expires_at] = expiration

  otp = model.qv_account.otp_for_confirmation(expiration)

  QuoVadis.deliver :account_confirmation, {email: model.email, otp: otp}

  controller.flash[:notice] = QuoVadis.translate 'flash.confirmation.sent'
end

#require_confirmation ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 156

def require_confirmation
  return if ! QuoVadis.accounts_require_confirmation
  return if ! controller.logged_in?
  return if controller.authenticated_model.qv_account.confirmed?

  request_confirmation controller.authenticated_model
  rails_session[:qv_bookmark] = controller.request.original_fullpath
  controller.redirect_to controller.quo_vadis.confirm_path
end

#second_factor_authenticated? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/quo_vadis/controller.rb', line 184

def second_factor_authenticated?
  session.second_factor_authenticated?
end

#second_factor_required? ⇒ Boolean

Assumes user is logged in.

Returns:

• (Boolean)

# File 'lib/quo_vadis/controller.rb', line 180

def second_factor_required?
  QuoVadis.two_factor_authentication_mandatory || authenticated_model.qv_account.has_two_factors?
end

#session ⇒ Object

Returns the current QuoVadis session or nil.

# File 'lib/quo_vadis/controller.rb', line 121

def session
  return nil unless session_id
  QuoVadis::Session.find_by id: session_id
end

#session_authenticated_with_second_factor ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 192

def session_authenticated_with_second_factor
  session.authenticated_with_second_factor
end

#session_id ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 126

def session_id
  cookies.encrypted[QuoVadis.cookie_name]
end

#store_session_id(id, expires_at) ⇒ Object

Store the session id in an encrypted cookie.

Given that the cookie is encrypted, it is safe to store the database primary key of the session rather than a random-value candidate key.

expires_at - the end of the QuoVadis session’s lifetime (regardless of the idle timeout)

# File 'lib/quo_vadis/controller.rb', line 136

def store_session_id(id, expires_at)
  cookies.encrypted[QuoVadis.cookie_name] = {
    value:     id,
    httponly:  true,
    secure:    Rails.env.production?,
    same_site: :lax,
    expires:   expires_at  # setting expires_at to nil has the same effect as not setting it
  }
end

#touch_session_last_seen_at ⇒ Object

# File 'lib/quo_vadis/controller.rb', line 188

def touch_session_last_seen_at
  session&.touch :last_seen_at
end