Class: Solrengine::Auth::SessionsController

Inherits:
ApplicationController
Defined in:
app/controllers/solrengine/auth/sessions_controller.rb


Instance Method Details

#create ⇒ Object



# File 'app/controllers/solrengine/auth/sessions_controller.rb', line 52

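# Completes the SIWS sign-in that #nonce started.
#
# Order matters: the session-bound challenge is checked first (expected to
# cover the stored wallet and TTL — confirm in #session_nonce_valid?), then
# the signature over the challenge message, and only a proven key owner
# reaches the database.
#
# Params (all client-supplied): +wallet_address+, +message+, +signature+.
# Renders JSON: 422 with code +nonce_expired+, 401 with code
# +verification_failed+, or +{ success: true, wallet_address: }+.
# +find_or_create_by!+ raises if the user record cannot be saved.
def create
  wallet_address = params[:wallet_address].to_s

  unless session_nonce_valid?(wallet_address)
    return render json: { error: "Could not sign in", code: "nonce_expired" },
                  status: :unprocessable_entity
  end

  verifier = SiwsVerifier.new(
    wallet_address: wallet_address,
    message: params[:message],
    signature: params[:signature],
    expected_nonce: session[:siws_nonce]
  )

  unless verifier.verify
    # The challenge is single-use whatever the outcome: drop every key that
    # #nonce wrote so a failed attempt cannot be replayed against the same
    # nonce until its TTL runs out. The client must request a fresh one.
    session.delete(:siws_nonce)
    session.delete(:siws_wallet)
    session.delete(:siws_nonce_expires_at)
    return render json: { error: "Could not sign in", code: "verification_failed" },
                  status: :unauthorized
  end

  # Key ownership proven — only now do we touch the database.
  user = _user_class.find_or_create_by!(wallet_address: wallet_address)

  # reset_session clears the (now-consumed) nonce, making it single-use,
  # and rotates the session id to prevent fixation.
  reset_session
  session[:user_id] = user.id
  render json: { success: true, wallet_address: user.wallet_address }
end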

#destroy ⇒ Object



# File 'app/controllers/solrengine/auth/sessions_controller.rb', line 82

# Signs the current wallet out.
#
# +reset_session+ discards the whole session (user id and any pending SIWS
# challenge) and rotates the session id before anything is rendered.
# HTML requests are redirected to the configured after-sign-out path with a
# flash notice; JSON requests get an empty 204.
def destroy
  reset_session

  respond_to do |format|
    format.html do
      redirect_to Solrengine::Auth.configuration.after_sign_out_path, notice: "Disconnected"
    end
    format.json do
      head :no_content
    end
  end
end

#new ⇒ Object



# File 'app/controllers/solrengine/auth/sessions_controller.rb', line 21

def new
  # Renders the wallet connect view. The action body is intentionally empty:
  # nothing is read from params or written to the session here, and Rails'
  # implicit rendering serves the template for this action.
end

#nonce ⇒ Object

Issues a SIWS challenge. The nonce lives in the signed-cookie session, NOT the database — an unauthenticated request must never write a row. The user record is created later, in #create, and only after the wallet proves ownership of the key by signing this nonce.



# File 'app/controllers/solrengine/auth/sessions_controller.rb', line 29

# Issues a SIWS challenge for +params[:wallet_address]+.
#
# The challenge (128-bit random hex), the wallet it was issued to and its
# expiry are stored only in the cookie session — an unauthenticated request
# never writes a database row. #create later compares the signed message
# against these values.
#
# Renders JSON: 422 with code +invalid_wallet_address+ when the address does
# not match SOLANA_ADDRESS_FORMAT (assumes that pattern is anchored with
# \A/\z — confirm), otherwise +{ message:, nonce: }+.
def nonce
  wallet_address = params[:wallet_address].to_s
  address_format = Solrengine::Auth::Concerns::Authenticatable::SOLANA_ADDRESS_FORMAT

  unless wallet_address.match?(address_format)
    return render json: { error: "Invalid wallet address", code: "invalid_wallet_address" },
                  status: :unprocessable_entity
  end

  config = Solrengine::Auth.configuration
  challenge = SecureRandom.hex(16)

  # Bind the challenge to this session, this wallet and a deadline.
  session[:siws_nonce] = challenge
  session[:siws_wallet] = wallet_address
  session[:siws_nonce_expires_at] = config.nonce_ttl.from_now.iso8601

  # The domain comes from configuration; the uri is taken from the request
  # (Host header), so it is only as trustworthy as the app's host checks.
  builder = SiwsMessageBuilder.new(
    domain: config.domain,
    wallet_address: wallet_address,
    nonce: challenge,
    uri: request.base_url
  )

  render json: { message: builder.build, nonce: challenge }
end