Class: Spree::Api::V3::Store::AuthController
- Inherits: BaseController
  - Object
  - ActionController::API
  - BaseController
  - BaseController
  - Spree::Api::V3::Store::AuthController
- Defined in: app/controllers/spree/api/v3/store/auth_controller.rb
Constant Summary
Constants included from ChannelResolution
ChannelResolution::CHANNEL_HEADER
Constants inherited from BaseController
BaseController::RATE_LIMIT_RESPONSE
Constants included from Idempotent
Idempotent::IDEMPOTENCY_HEADER, Idempotent::IDEMPOTENCY_TTL, Idempotent::MAX_KEY_LENGTH, Idempotent::MUTATING_METHODS
Constants included from ErrorHandler
Constants included from JwtAuthentication
JwtAuthentication::JWT_AUDIENCE_ADMIN, JwtAuthentication::JWT_AUDIENCE_STORE, JwtAuthentication::JWT_ISSUER, JwtAuthentication::USER_TYPE_ADMIN, JwtAuthentication::USER_TYPE_CUSTOMER
Instance Method Summary
- #create ⇒ Object
  POST /api/v3/store/auth/login. Supports multiple authentication providers via the :provider param. Example: { "provider": "email", "email": "...", "password": "..." }
- #logout ⇒ Object
  POST /api/v3/store/auth/logout. Accepts: { "refresh_token": "rt_xxx" }. Revokes the submitted refresh token.
- #refresh ⇒ Object
  POST /api/v3/store/auth/refresh. Accepts: { "refresh_token": "rt_xxx" }. Returns a new access JWT plus a rotated refresh token.
Methods included from ApiKeyAuthentication
#authenticate_api_key!, #authenticate_secret_key!
Methods included from JwtAuthentication
#authenticate_user, #require_authentication!
Instance Method Details
#create ⇒ Object
POST /api/v3/store/auth/login. Supports multiple authentication providers via the :provider param. Example:
{ "provider": "email", "email": "...", "password": "..." }

# File 'app/controllers/spree/api/v3/store/auth_controller.rb', line 17
def create
  strategy = authentication_strategy
  return unless strategy # Error already rendered by determine_strategy

  # The provider-specific strategy performs the credential check and
  # reports success or failure through a result object.
  result = strategy.authenticate
  if result.success?
    user = result.value
    render json: auth_response(user)
  else
    render_error(
      code: ERROR_CODES[:authentication_failed],
      message: result.error,
      status: :unauthorized
    )
  end
end
#logout ⇒ Object
POST /api/v3/store/auth/logout. Accepts: { "refresh_token": "rt_xxx" }. Revokes the submitted refresh token. The token itself is the credential — no access JWT is required, so clients with an expired access token can still log out.

# File 'app/controllers/spree/api/v3/store/auth_controller.rb', line 74
def logout
  refresh_token_value = params[:refresh_token]
  # Revocation is idempotent: an unknown or missing token still yields 204.
  Spree::RefreshToken.find_by(token: refresh_token_value)&.destroy if refresh_token_value.present?

  head :no_content
end
#refresh ⇒ Object
POST /api/v3/store/auth/refresh. Accepts: { "refresh_token": "rt_xxx" }. Returns a new access JWT plus a rotated refresh token.

# File 'app/controllers/spree/api/v3/store/auth_controller.rb', line 38
def refresh
  refresh_token_value = params[:refresh_token]

  if refresh_token_value.blank?
    return render_error(
      code: ERROR_CODES[:invalid_refresh_token],
      message: 'refresh_token is required',
      status: :unauthorized
    )
  end

  # Only tokens in the active scope are accepted; revoked or expired
  # tokens resolve to nil and fall into the error branch below.
  refresh_token = Spree::RefreshToken.active.find_by(token: refresh_token_value)

  if refresh_token.nil?
    return render_error(
      code: ERROR_CODES[:invalid_refresh_token],
      message: 'Invalid or expired refresh token',
      status: :unauthorized
    )
  end

  user = refresh_token.user
  # Rotation invalidates the presented token and issues a replacement.
  new_refresh_token = refresh_token.rotate!(request_env: request_env_for_token)

  render json: {
    token: generate_jwt(user),
    refresh_token: new_refresh_token.token,
    user: user_serializer.new(user, params: serializer_params).to_h
  }
end
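As an added illustration of the refresh and logout behaviour documented above (not code from the Spree project): a constructed in-memory stand-in for Spree::RefreshToken, with refresh and logout functions that mirror the controller branches and show why rotation plus revocation limits the damage of a leaked refresh token. The 30-day lifetime, the "rt_" prefix and the MemoryRefreshToken class are assumptions; the real model is database-backed and its rotate! also records request metadata, which is omitted here.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for Spree::RefreshToken (an assumption:
# the real model is database-backed; only what the controller relies on
# is modelled: an active lookup, rotate!, destroy).
class MemoryRefreshToken
  STORE = {}                 # token string => record
  TTL = 30 * 24 * 60 * 60    # assumed lifetime of 30 days
  attr_reader :token, :user, :expires_at, :revoked

  def self.issue(user, now: Time.now)
    new(user, now).tap { |t| STORE[t.token] = t }
  end

  # Equivalent of Spree::RefreshToken.active.find_by(token: ...)
  def self.find_active(token, now: Time.now)
    t = STORE[token]
    return nil if t.nil? || t.revoked || t.expires_at <= now
    t
  end

  def initialize(user, now)
    @token = "rt_#{SecureRandom.hex(16)}"
    @user = user
    @expires_at = now + TTL
    @revoked = false
  end

  # Rotation: the presented token is revoked and a fresh one issued, so a
  # copied token stops working once the legitimate client has used it.
  def rotate!(now: Time.now)
    @revoked = true
    self.class.issue(user, now: now)
  end

  def destroy
    @revoked = true
  end
end

# Mirrors the branches of AuthController#refresh; returns a hash instead of rendering.
def refresh(refresh_token_value, now: Time.now)
  if refresh_token_value.to_s.strip.empty? # stands in for ActiveSupport's blank?
    return { status: 401, code: :invalid_refresh_token, message: 'refresh_token is required' }
  end
  rt = MemoryRefreshToken.find_active(refresh_token_value, now: now)
  return { status: 401, code: :invalid_refresh_token, message: 'Invalid or expired refresh token' } if rt.nil?
  { status: 200, user: rt.user, refresh_token: rt.rotate!(now: now).token }
end

# Mirrors AuthController#logout: only the refresh token is needed, and it is idempotent.
def logout(refresh_token_value)
  MemoryRefreshToken::STORE[refresh_token_value]&.destroy
  204
end
```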