Module: Sessions::Adapters::Warden

Defined in:
lib/sessions/adapters/warden.rb

Overview

The Devise/Warden adapter — four class-level Warden hooks, registered from the engine ONLY when ‘::Warden::Manager` is already loaded (Bundler.require precedes initializers, so the check is decisive; the gem never `require`s warden itself and stays inert in non-Warden apps).

The revocation mechanism generalizes devise-security’s proven ‘session_limitable` (a complete 55-line template whose only structural flaw is one-token-per-user): the token moves from a users-table column to a sessions-table ROW, turning “exactly one session” into “N devices, each individually revocable” (→ docs/research/04-devise-warden.md §5).

login  — mint a random token, store [row_id, raw_token] in the
         per-scope warden session (it survives Warden's :renew SID
         rotation and is deleted by Warden itself on logout; we
         never key on the Rack SID), persist only the SHA-256
         digest on the row.
fetch  — per-request liveness check: row exists + digest matches
         (constant-time) → throttled touch; row gone (revoked!) →
         the proven session_limitable kick: clear, logout, throw.
failure — record the failed attempt with the typed identity.
logout — destroy the row, labeled as a logout.

Constant Summary collapse

SESSION_KEY =

Key inside ‘warden.session(scope)` holding [row_id, raw_token].

"sessions"
SKIP_SESSION_KEY =

Sticky per-scope flag: a login recorded with ‘sessions_skip: true` must not be kicked by the fetch validation later (session_limitable’s third skip layer).

"sessions.skip"
SKIP_ENV_KEY =

Request-wide skip: ‘request.env = true`.

"sessions.skip"
THROW_MESSAGE =

The ‘throw :warden` message on revoked sessions — Devise’s failure app surfaces it like :timeout/:session_limited. The gem SHIPS the ‘devise.failure.session_revoked` copy (en + es, config/locales/); hosts override that key for custom wording.

:session_revoked

Class Method Summary collapse

Class Method Details

.adopt_preexisting_session(record, warden, scope) ⇒ Object

A session that predates the gem (no token in the warden session): adopt it so existing logged-in users appear on their devices page right after deploy — a row is minted with ‘auth_method: “unknown”` and NO login event (adoption isn’t a login; the trail stays honest). Never kicks anyone: adoption failures degrade to “untracked”.



185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
 
# File 'lib/sessions/adapters/warden.rb', line 185

def adopt_preexisting_session(record, warden, scope)
  Sessions.safely("warden.adopt") do
    next unless row_accepts?(record)

    # IDEMPOTENT, because a client that can't persist cookies re-enters
    # adoption on EVERY request: the SESSION_KEY we write rides a
    # Set-Cookie the client drops, so the next request adopts again —
    # unbounded rows (production-found: a native HTTP layer that
    # forwarded cookies read-only minted one adopted row per location
    # ping, hundreds per ride). Same user, same scope, same UA,
    # recently adopted → that's this same client: touch it, mint
    # nothing. No token rotation either — a sibling client sharing the
    # cookie jar (the app's WebView next to its native HTTP stack) may
    # hold a VALID key to this row, and rotating would kick it.
    if (row = recent_adopted_row(record, warden, scope))
      Sessions.safely("warden.adopt.touch") { row.touch_last_seen!(warden.request) }
      next
    end

    row = create_row_for(record, warden, scope, suppress_login_event: true)
    row&.update_columns(auth_detail: { "adopted" => true })
  end
end

.create_row_for(record, warden, scope, suppress_login_event: false) ⇒ Object 



111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
# File 'lib/sessions/adapters/warden.rb', line 111

def create_row_for(record, warden, scope, suppress_login_event: false)
  token = Sessions.generate_token
  request = warden.request

  row = Sessions.session_model.new(
    user: record,
    scope: scope.to_s,
    ip_address: Sessions::IpAddress.resolve(request),
    user_agent: request.user_agent,
    token_digest: Sessions.token_digest(token)
  )
  row. = 
  Sessions.with_request(request) { row.save! }

  warden.session(scope)[SESSION_KEY] = [row.id, token]
  row
end

.install!Object 



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
# File 'lib/sessions/adapters/warden.rb', line 46

def install!
  return if @installed

  @installed = true

  ::Warden::Manager.after_set_user(except: :fetch) do |record, warden, opts|
    Sessions::Adapters::Warden.(record, warden, opts)
  end

  ::Warden::Manager.after_set_user(only: :fetch) do |record, warden, opts|
    Sessions::Adapters::Warden.validate_session(record, warden, opts)
  end

  ::Warden::Manager.before_failure do |env, opts|
    Sessions::Adapters::Warden.record_failure(env, opts)
  end

  ::Warden::Manager.before_logout do |record, warden, opts|
    Sessions::Adapters::Warden.record_logout(record, warden, opts)
  end
end

.installed?Boolean

Test seam.

Returns:

  • (Boolean) 


69
70
71
 
# File 'lib/sessions/adapters/warden.rb', line 69

def installed?
  !!@installed
end

.kick!(warden, scope) ⇒ Object

SCOPE-PRECISE teardown: only this scope’s warden entries go (the serialized user key and our token stash) — an admin scope riding the same rack session, and unrelated host session data (carts, locale, return-to paths), survive a user-scope kick. Deleting the keys BEFORE logout matters: our before_logout hook then finds no token and records nothing (a kick is not a logout — the revocation event was already written by whoever destroyed the row).



228
229
230
231
232
233
 
# File 'lib/sessions/adapters/warden.rb', line 228

def kick!(warden, scope)
  warden.raw_session.delete("warden.user.#{scope}.key")
  warden.raw_session.delete("warden.user.#{scope}.session")
  warden.logout(scope)
  throw :warden, scope: scope, message: THROW_MESSAGE
end

.recent_adopted_row(record, warden, scope) ⇒ Object 



209
210
211
212
213
214
215
216
217
218
219
 
# File 'lib/sessions/adapters/warden.rb', line 209

def recent_adopted_row(record, warden, scope)
  model = Sessions.session_model
  rows = model.where(user: record)
  rows = rows.where(scope: scope.to_s) if model.column_names.include?("scope")
  rows = rows.where(user_agent: warden.request.user_agent) if model.column_names.include?("user_agent")

  rows.where(model.arel_table[:created_at].gt(24.hours.ago))
      .order(created_at: :desc)
      .limit(10)
      .detect { |row| row.try(:auth_detail).to_h["adopted"] }
end

.record_failure(env, opts) ⇒ Object

— Hook 3: failed logins ————————————————



237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
 
# File 'lib/sessions/adapters/warden.rb', line 237

def record_failure(env, opts)
  Sessions.safely("warden.failure") do
    next unless Sessions.config.track_failed_logins
    next if env[SKIP_ENV_KEY]

    request = ActionDispatch::Request.new(env)
    # `before_failure` fires for EVERY warden failure, including plain
    # unauthenticated page-hits and timeouts. A real credential
    # failure is a POST carrying the scope's credentials hash
    # (→ research/04 §3). The password key is never read.
    next unless request.post?

    # Devise passes scope: explicitly in auth_options; a bare
    # `warden.authenticate!` throws opts WITHOUT it — fall back to the
    # stack's default scope, like Warden itself does.
    scope = opts[:scope] || warden_default_scope(env)
    credentials = request.params[scope.to_s]
    next unless credentials.is_a?(Hash)

    # `email_address` included: it's the omakase-era key, and Devise
    # apps configure `authentication_keys = [:email_address]` too.
    identity = credentials.values_at("email", "email_address", "login", "username", "phone").compact.first

    Sessions::Event.record_failure(
      request,
      scope: scope,
      identity: identity,
      # Devise's message symbol, verbatim — under paranoid mode this
      # stays :invalid; we never infer (or leak) account existence.
      reason: opts[:message],
      metadata: { attempted_path: opts[:attempted_path] }.compact
    )
  end
end

.record_login(record, warden, opts) ⇒ Object

— Hook 1: any fresh login (form, remember-me, OmniAuth, sign-up auto-login, post-password-reset) —————————————-



80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
 
# File 'lib/sessions/adapters/warden.rb', line 80

def (record, warden, opts)
  Sessions.safely("warden.login") do
    scope = opts[:scope]
    # Guard set lifted from Devise's own hooks. The `store: false`
    # check is CRITICAL: token/HTTP-Basic strategies fire this hook on
    # EVERY request with store: false — without it we'd mint a session
    # row per API call.
    next unless warden.authenticated?(scope)
    next if opts[:store] == false
    next if warden.request.env[SKIP_ENV_KEY]
    next if record.respond_to?(:sessions_skip?) && record.sessions_skip?
    # Reauthentication (sudo-style confirms) re-runs sign_in
    # MID-SESSION — devise-passkeys' `reauthenticate` calls
    # `sign_in(..., event: :passkey_reauthentication)` (see its
    # controllers/reauthentication_controller_concern.rb), which fires
    # after_set_user like any login. That's the same person proving
    # presence on an already-tracked session, not a new device:
    # minting a row here would orphan the live one mid-request.
    next if opts[:event].to_s.match?(/reauth/i)

    if opts[:sessions_skip]
      warden.session(scope)[SKIP_SESSION_KEY] = true
      next
    end

    next unless row_accepts?(record)

    create_row_for(record, warden, scope)
  end
end

.record_logout(_record, warden, opts) ⇒ Object

Fires once per scope (including forced logouts: timeout, lockout, our own revocation kick). If the row is already gone — revoked from another device — there’s nothing to do; the ‘revoked` event was written by whoever destroyed it.

CRITICAL: read the RAW session here, never ‘warden.session(scope)`. Warden’s logout deletes ‘@users` BEFORE running before_logout callbacks (proxy.rb#logout), so Proxy#session’s authenticated? check would re-deserialize the user → re-fire after_set_user → and when the logout came from a hook that logs out and throws (Devise’s activatable on unconfirmed/locked accounts, timeoutable) that loops: activatable → logout → us → re-auth → activatable → … SystemStackError.



286
287
288
289
290
291
292
293
294
295
296
297
298
299
 
# File 'lib/sessions/adapters/warden.rb', line 286

def record_logout(_record, warden, opts)
  Sessions.safely("warden.logout") do
    scope = opts[:scope]
    data = warden.raw_session["warden.user.#{scope}.session"]&.dig(SESSION_KEY)
    next unless data

    id, token = data
    row = Sessions.session_model.find_by(id: id)
    next unless row&.sessions_token_matches?(token)

    row.revocation_reason ||= :logout
    row.destroy
  end
end

.reset_installation!Object 



73
74
75
 
# File 'lib/sessions/adapters/warden.rb', line 73

def reset_installation!
  @installed = false
end

.row_accepts?(record) ⇒ Boolean

Multi-scope safety: with a plain (non-polymorphic) ‘user` association, rows can only hold the matching class — a second Devise scope on another model stays silently untracked (re-run the install generator with –polymorphic to track every scope).

Returns:

  • (Boolean) 


312
313
314
315
316
317
318
319
320
 
# File 'lib/sessions/adapters/warden.rb', line 312

def row_accepts?(record)
  reflection = Sessions.session_model.reflect_on_association(:user)
  return false unless reflection
  return true if reflection.polymorphic?

  record.is_a?(reflection.klass)
rescue StandardError
  false
end

.validate_session(record, warden, opts) ⇒ Object

— Hook 2: per-request resume — validate, expire, touch —————



131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
 
# File 'lib/sessions/adapters/warden.rb', line 131

def validate_session(record, warden, opts)
  scope = opts[:scope]
  return if opts[:store] == false
  return if warden.request.env[SKIP_ENV_KEY]
  return if record.respond_to?(:sessions_skip?) && record.sessions_skip?

  data = Sessions.safely("warden.fetch") do
    session_data = warden.session(scope)
    next :skip if session_data[SKIP_SESSION_KEY]

    session_data[SESSION_KEY]
  end
  return if data == :skip

  if data.nil?
    adopt_preexisting_session(record, warden, scope)
    return
  end

  # The lookup is NOT wrapped in `safely`: an ERRORED lookup and a
  # MISSING row must be distinguishable. A row that's genuinely gone
  # (or a token that doesn't match) means revocation → kick. A raised
  # lookup — the sessions table unreachable, a timeout, a migration
  # mid-deploy — means the TRACKING layer is down, and tracking must
  # never break authentication: fail OPEN, let the request through
  # untracked, try again next request.
  begin
    id, token = data
    found = Sessions.session_model.find_by(id: id)
    row = found if found&.sessions_token_matches?(token)
  rescue StandardError => e
    Sessions.warn("warden.fetch failed open: #{e.class}: #{e.message}")
    return
  end

  if row.nil?
    # Revoked (the row is gone) or tampered (digest mismatch): the
    # proven session_limitable sequence — log the scope out and hand
    # control to the failure app. NOT wrapped in `safely`: the throw
    # is control flow, not an error.
    kick!(warden, scope)
  elsif Sessions.safely("warden.expired?") { row.sessions_expired? }
    Sessions.safely("warden.expire") { row.revoke!(reason: :expired) }
    kick!(warden, scope)
  else
    Sessions.safely("warden.touch") { row.touch_last_seen!(warden.request) }
  end
end

.warden_default_scope(env) ⇒ Object 



301
302
303
304
305
306
 
# File 'lib/sessions/adapters/warden.rb', line 301

def warden_default_scope(env)
  warden = env["warden"]
  warden.respond_to?(:config) ? warden.config.default_scope : nil
rescue StandardError
  nil
end