Module: Sessions::Adapters::Warden

Defined in:

lib/sessions/adapters/warden.rb

Overview

The Devise/Warden adapter — four class-level Warden hooks, registered from the engine ONLY when ‘::Warden::Manager` is already loaded (Bundler.require precedes initializers, so the check is decisive; the gem never `require`s warden itself and stays inert in non-Warden apps).

The revocation mechanism generalizes devise-security’s proven ‘session_limitable` (a complete 55-line template whose only structural flaw is one-token-per-user): the token moves from a users-table column to a sessions-table ROW, turning “exactly one session” into “N devices, each individually revocable” (→ docs/research/04-devise-warden.md §5).

login  — mint a random token, store [row_id, raw_token] in the
         per-scope warden session (it survives Warden's :renew SID
         rotation and is deleted by Warden itself on logout; we
         never key on the Rack SID), persist only the SHA-256
         digest on the row.
fetch  — per-request liveness check: row exists + digest matches
         (constant-time) → throttled touch; row gone (revoked!) →
         the proven session_limitable kick: clear, logout, throw.
failure — record the failed attempt with the typed identity.
logout — destroy the row, labeled as a logout.

Constant Summary

SESSION_KEY =

Key inside ‘warden.session(scope)` holding [row_id, raw_token].

"sessions"

SKIP_SESSION_KEY =

Sticky per-scope flag: a login recorded with ‘sessions_skip: true` must not be kicked by the fetch validation later (session_limitable’s third skip layer).

"sessions.skip"

SKIP_ENV_KEY =

Request-wide skip: ‘request.env = true`.

"sessions.skip"

THROW_MESSAGE =

The ‘throw :warden` message on revoked sessions — Devise’s failure app surfaces it like :timeout/:session_limited. The gem SHIPS the ‘devise.failure.session_revoked` copy (en + es, config/locales/); hosts override that key for custom wording.

:session_revoked

Class Method Summary

• .adopt_preexisting_session(record, warden, scope) ⇒ Object

  A session that predates the gem (no token in the warden session): adopt it so existing logged-in users appear on their devices page right after deploy — a row is minted with ‘auth_method: “unknown”` and NO login event (adoption isn’t a login; the trail stays honest).

• .adopted_row(record, scope, adoption_key:) ⇒ Object
• .adopted_row?(row) ⇒ Boolean
• .adoption_key_column?(model = Sessions.session_model) ⇒ Boolean
• .adoption_key_for(record, scope) ⇒ Object
• .claim_adoption_key(row, adoption_key) ⇒ Object
• .create_adopted_row(record, warden, scope, adoption_key:) ⇒ Object
• .create_row_for(record, warden, scope, suppress_login_event: false, attributes: {}) ⇒ Object
• .install! ⇒ Object
• .installed? ⇒ Boolean

  Test seam.

• .kick!(warden, scope) ⇒ Object

  SCOPE-PRECISE teardown: only this scope’s warden entries go (the serialized user key and our token stash) — an admin scope riding the same rack session, and unrelated host session data (carts, locale, return-to paths), survive a user-scope kick.

• .record_failure(env, opts) ⇒ Object

  — Hook 3: failed logins ————————————————.

• .record_login(record, warden, opts) ⇒ Object

  — Hook 1: any fresh login (form, remember-me, OmniAuth, sign-up auto-login, post-password-reset) —————————————-.

• .record_logout(_record, warden, opts) ⇒ Object

  Fires once per scope (including forced logouts: timeout, lockout, our own revocation kick).

• .reset_installation! ⇒ Object
• .row_accepts?(record) ⇒ Boolean

  Multi-scope safety: with a plain (non-polymorphic) ‘user` association, rows can only hold the matching class — a second Devise scope on another model stays silently untracked (re-run the install generator with –polymorphic to track every scope).

• .validate_session(record, warden, opts) ⇒ Object

  — Hook 2: per-request resume — validate, expire, touch —————.

• .warden_default_scope(env) ⇒ Object

Class Method Details

.adopt_preexisting_session(record, warden, scope) ⇒ Object

A session that predates the gem (no token in the warden session): adopt it so existing logged-in users appear on their devices page right after deploy — a row is minted with ‘auth_method: “unknown”` and NO login event (adoption isn’t a login; the trail stays honest). Never kicks anyone: adoption failures degrade to “untracked”.

# File 'lib/sessions/adapters/warden.rb', line 190

def adopt_preexisting_session(record, warden, scope)
  Sessions.safely("warden.adopt") do
    next unless row_accepts?(record)

    # IDEMPOTENT, because a client that can't persist cookies re-enters
    # adoption on EVERY request: the SESSION_KEY we write rides a
    # Set-Cookie the client drops, so the next request adopts again.
    #
    # Adoption is intentionally coarse: it is a low-fidelity marker for
    # "this owner already had an authenticated session when the gem
    # arrived", not a real login. One owner+scope marker is enough. Do
    # not key it on UA (Hotwire Native devices legitimately use WebView
    # and native-client UAs) or time (cookie-dropping clients would mint
    # one per day forever). When the adoption_key column is present, the
    # unique index makes the first concurrent burst atomic.
    adoption_key = adoption_key_for(record, scope)
    if (row = adopted_row(record, scope, adoption_key: adoption_key))
      Sessions.safely("warden.adopt.touch") { row.touch_last_seen!(warden.request) }
      next
    end

    create_adopted_row(record, warden, scope, adoption_key: adoption_key)
  end
end

.adopted_row(record, scope, adoption_key:) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 226

def adopted_row(record, scope, adoption_key:)
  model = Sessions.session_model
  rows = model.where(user: record)
  rows = rows.where(scope: scope.to_s) if model.column_names.include?("scope")

  row = model.find_by(adoption_key: adoption_key) if adoption_key_column?(model) && adoption_key.present?
  row = nil unless adopted_row?(row)
  row ||= rows.order(created_at: :desc).detect { |candidate| adopted_row?(candidate) }

  claim_adoption_key(row, adoption_key)
end

.adopted_row?(row) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/sessions/adapters/warden.rb', line 238

def adopted_row?(row)
  row && row.try(:auth_detail).to_h["adopted"]
end

.adoption_key_column?(model = Sessions.session_model) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/sessions/adapters/warden.rb', line 267

def adoption_key_column?(model = Sessions.session_model)
  model.column_names.include?("adoption_key")
end

.adoption_key_for(record, scope) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 254

def adoption_key_for(record, scope)
  owner_id = record.respond_to?(:to_key) ? Array(record.to_key).join("/") : record.try(:id)
  return if owner_id.blank?

  owner_type = if record.class.respond_to?(:polymorphic_name)
                 record.class.polymorphic_name
               else
                 record.class.name
               end

  "adopt:#{Sessions.token_digest([owner_type, owner_id, scope.to_s].join("\0"))}"
end

.claim_adoption_key(row, adoption_key) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 242

def claim_adoption_key(row, adoption_key)
  return row unless row
  return row unless adoption_key_column?(row.class)
  return row if adoption_key.blank? || row.try(:adoption_key).present?

  row.update_columns(adoption_key: adoption_key)
  row.adoption_key = adoption_key
  row
rescue ActiveRecord::RecordNotUnique
  row.class.find_by(adoption_key: adoption_key) || row
end

.create_adopted_row(record, warden, scope, adoption_key:) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 215

def create_adopted_row(record, warden, scope, adoption_key:)
  attributes = { auth_detail: { "adopted" => true } }
  attributes[:adoption_key] = adoption_key if adoption_key_column?

  create_row_for(record, warden, scope, suppress_login_event: true, attributes: attributes)
rescue ActiveRecord::RecordNotUnique
  adopted_row(record, scope, adoption_key: adoption_key)&.tap do |row|
    Sessions.safely("warden.adopt.touch") { row.touch_last_seen!(warden.request) }
  end
end

.create_row_for(record, warden, scope, suppress_login_event: false, attributes: {}) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 111

def create_row_for(record, warden, scope, suppress_login_event: false, attributes: {})
  token = Sessions.generate_token
  request = warden.request
  model = Sessions.session_model

  row = model.new(
    user: record,
    scope: scope.to_s,
    ip_address: Sessions::IpAddress.resolve(request),
    user_agent: request.user_agent,
    token_digest: Sessions.token_digest(token)
  ).tap do |session|
    attributes.each do |column, value|
      session[column] = value if model.column_names.include?(column.to_s)
    end
  end
  row.sessions_suppress_login_event = suppress_login_event
  Sessions.with_request(request) { row.save! }

  warden.session(scope)[SESSION_KEY] = [row.id, token]
  row
end

.install! ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 46

def install!
  return if @installed

  @installed = true

  ::Warden::Manager.after_set_user(except: :fetch) do |record, warden, opts|
    Sessions::Adapters::Warden.record_login(record, warden, opts)
  end

  ::Warden::Manager.after_set_user(only: :fetch) do |record, warden, opts|
    Sessions::Adapters::Warden.validate_session(record, warden, opts)
  end

  ::Warden::Manager.before_failure do |env, opts|
    Sessions::Adapters::Warden.record_failure(env, opts)
  end

  ::Warden::Manager.before_logout do |record, warden, opts|
    Sessions::Adapters::Warden.record_logout(record, warden, opts)
  end
end

.installed? ⇒ Boolean

Test seam.

Returns:

• (Boolean)

# File 'lib/sessions/adapters/warden.rb', line 69

def installed?
  !!@installed
end

.kick!(warden, scope) ⇒ Object

SCOPE-PRECISE teardown: only this scope’s warden entries go (the serialized user key and our token stash) — an admin scope riding the same rack session, and unrelated host session data (carts, locale, return-to paths), survive a user-scope kick. Deleting the keys BEFORE logout matters: our before_logout hook then finds no token and records nothing (a kick is not a logout — the revocation event was already written by whoever destroyed the row).

# File 'lib/sessions/adapters/warden.rb', line 278

def kick!(warden, scope)
  warden.raw_session.delete("warden.user.#{scope}.key")
  warden.raw_session.delete("warden.user.#{scope}.session")
  warden.logout(scope)
  throw :warden, scope: scope, message: THROW_MESSAGE
end

.record_failure(env, opts) ⇒ Object

— Hook 3: failed logins ————————————————

# File 'lib/sessions/adapters/warden.rb', line 287

def record_failure(env, opts)
  Sessions.safely("warden.failure") do
    next unless Sessions.config.track_failed_logins
    next if env[SKIP_ENV_KEY]

    request = ActionDispatch::Request.new(env)
    # `before_failure` fires for EVERY warden failure, including plain
    # unauthenticated page-hits and timeouts. A real credential
    # failure is a POST carrying the scope's credentials hash
    # (→ research/04 §3). The password key is never read.
    next unless request.post?

    # Devise passes scope: explicitly in auth_options; a bare
    # `warden.authenticate!` throws opts WITHOUT it — fall back to the
    # stack's default scope, like Warden itself does.
    scope = opts[:scope] || warden_default_scope(env)
    credentials = request.params[scope.to_s]
    next unless credentials.is_a?(Hash)

    # `email_address` included: it's the omakase-era key, and Devise
    # apps configure `authentication_keys = [:email_address]` too.
    identity = credentials.values_at("email", "email_address", "login", "username", "phone").compact.first

    Sessions::Event.record_failure(
      request,
      scope: scope,
      identity: identity,
      # Devise's message symbol, verbatim — under paranoid mode this
      # stays :invalid; we never infer (or leak) account existence.
      reason: opts[:message],
      metadata: { attempted_path: opts[:attempted_path] }.compact
    )
  end
end

.record_login(record, warden, opts) ⇒ Object

— Hook 1: any fresh login (form, remember-me, OmniAuth, sign-up auto-login, post-password-reset) —————————————-

# File 'lib/sessions/adapters/warden.rb', line 80

def record_login(record, warden, opts)
  Sessions.safely("warden.login") do
    scope = opts[:scope]
    # Guard set lifted from Devise's own hooks. The `store: false`
    # check is CRITICAL: token/HTTP-Basic strategies fire this hook on
    # EVERY request with store: false — without it we'd mint a session
    # row per API call.
    next unless warden.authenticated?(scope)
    next if opts[:store] == false
    next if warden.request.env[SKIP_ENV_KEY]
    next if record.respond_to?(:sessions_skip?) && record.sessions_skip?
    # Reauthentication (sudo-style confirms) re-runs sign_in
    # MID-SESSION — devise-passkeys' `reauthenticate` calls
    # `sign_in(..., event: :passkey_reauthentication)` (see its
    # controllers/reauthentication_controller_concern.rb), which fires
    # after_set_user like any login. That's the same person proving
    # presence on an already-tracked session, not a new device:
    # minting a row here would orphan the live one mid-request.
    next if opts[:event].to_s.match?(/reauth/i)

    if opts[:sessions_skip]
      warden.session(scope)[SKIP_SESSION_KEY] = true
      next
    end

    next unless row_accepts?(record)

    create_row_for(record, warden, scope)
  end
end

.record_logout(_record, warden, opts) ⇒ Object

Fires once per scope (including forced logouts: timeout, lockout, our own revocation kick). If the row is already gone — revoked from another device — there’s nothing to do; the ‘revoked` event was written by whoever destroyed it.

CRITICAL: read the RAW session here, never ‘warden.session(scope)`. Warden’s logout deletes ‘@users` BEFORE running before_logout callbacks (proxy.rb#logout), so Proxy#session’s authenticated? check would re-deserialize the user → re-fire after_set_user → and when the logout came from a hook that logs out and throws (Devise’s activatable on unconfirmed/locked accounts, timeoutable) that loops: activatable → logout → us → re-auth → activatable → … SystemStackError.

# File 'lib/sessions/adapters/warden.rb', line 336

def record_logout(_record, warden, opts)
  Sessions.safely("warden.logout") do
    scope = opts[:scope]
    data = warden.raw_session["warden.user.#{scope}.session"]&.dig(SESSION_KEY)
    next unless data

    id, token = data
    row = Sessions.session_model.find_by(id: id)
    next unless row&.sessions_token_matches?(token)

    row.revocation_reason ||= :logout
    row.destroy
  end
end

.reset_installation! ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 73

def reset_installation!
  @installed = false
end

.row_accepts?(record) ⇒ Boolean

Multi-scope safety: with a plain (non-polymorphic) ‘user` association, rows can only hold the matching class — a second Devise scope on another model stays silently untracked (re-run the install generator with –polymorphic to track every scope).

Returns:

• (Boolean)

# File 'lib/sessions/adapters/warden.rb', line 362

def row_accepts?(record)
  reflection = Sessions.session_model.reflect_on_association(:user)
  return false unless reflection
  return true if reflection.polymorphic?

  record.is_a?(reflection.klass)
rescue StandardError
  false
end

.validate_session(record, warden, opts) ⇒ Object

— Hook 2: per-request resume — validate, expire, touch —————

# File 'lib/sessions/adapters/warden.rb', line 136

def validate_session(record, warden, opts)
  scope = opts[:scope]
  return if opts[:store] == false
  return if warden.request.env[SKIP_ENV_KEY]
  return if record.respond_to?(:sessions_skip?) && record.sessions_skip?

  data = Sessions.safely("warden.fetch") do
    session_data = warden.session(scope)
    next :skip if session_data[SKIP_SESSION_KEY]

    session_data[SESSION_KEY]
  end
  return if data == :skip

  if data.nil?
    adopt_preexisting_session(record, warden, scope)
    return
  end

  # The lookup is NOT wrapped in `safely`: an ERRORED lookup and a
  # MISSING row must be distinguishable. A row that's genuinely gone
  # (or a token that doesn't match) means revocation → kick. A raised
  # lookup — the sessions table unreachable, a timeout, a migration
  # mid-deploy — means the TRACKING layer is down, and tracking must
  # never break authentication: fail OPEN, let the request through
  # untracked, try again next request.
  begin
    id, token = data
    found = Sessions.session_model.find_by(id: id)
    row = found if found&.sessions_token_matches?(token)
  rescue StandardError => e
    Sessions.warn("warden.fetch failed open: #{e.class}: #{e.message}")
    return
  end

  if row.nil?
    # Revoked (the row is gone) or tampered (digest mismatch): the
    # proven session_limitable sequence — log the scope out and hand
    # control to the failure app. NOT wrapped in `safely`: the throw
    # is control flow, not an error.
    kick!(warden, scope)
  elsif Sessions.safely("warden.expired?") { row.sessions_expired? }
    Sessions.safely("warden.expire") { row.revoke!(reason: :expired) }
    kick!(warden, scope)
  else
    Sessions.safely("warden.touch") { row.touch_last_seen!(warden.request) }
  end
end

.warden_default_scope(env) ⇒ Object

# File 'lib/sessions/adapters/warden.rb', line 351

def warden_default_scope(env)
  warden = env["warden"]
  warden.respond_to?(:config) ? warden.config.default_scope : nil
rescue StandardError
  nil
end