Class: Tep::AuthSessionCookie

Inherits: Object

Defined in: lib/tep/auth_session_cookie.rb

Class Method Details

.clear(req) ⇒ Object

Drop the identity fields from req.session. The session itself stays valid (signed cookie continues to round-trip), but any subsequent try() returns nil because identity_sub is empty.



# File 'lib/tep/auth_session_cookie.rb', line 75

def self.clear(req)
  req.session.set("identity_sub", "")
  req.session.set("identity_caps", "")
  req.session.set("identity_delegate", "")
  req.session.set("identity_exp", "")
  0
end

.format_caps(caps) ⇒ Object

[:read, :write, :post_summary] -> "read,write,post_summary"



# File 'lib/tep/auth_session_cookie.rb', line 110

def self.format_caps(caps)
  out = ""
  first = true
  caps.each do |c|
    if !first
      out = out + ","
    end
    out = out + c.to_s
    first = false
  end
  out
end

.format_delegate(deleg) ⇒ Object

AgentDelegation -> “agent_id|issued_at|expires_at|origin”. Inverse of Tep::AuthBearerToken.parse_delegate.



# File 'lib/tep/auth_session_cookie.rb', line 125

def self.format_delegate(deleg)
  deleg.agent_id + "|" +
    deleg.issued_at.to_s + "|" +
    deleg.expires_at.to_s + "|" +
    deleg.origin.to_s
end
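
The two formatters above join values with "," and "|" and do no escaping, so a capability name or delegation field that itself contains the separator changes the number of fields in the stored string. The following check is an added example, not Tep's own code; the Delegation struct, the helper names and the sample values are assumptions, and the split-based comparison stands in for the parse side, whose code is not shown on this page.

```ruby
# Added example, not Tep code. Delegation is a stand-in for the
# AgentDelegation fields that format_delegate reads.
Delegation = Struct.new(:agent_id, :issued_at, :expires_at, :origin)

CAPS_SEP = ","
DELEGATE_SEP = "|"

# Same joins as format_caps / format_delegate on this page.
def join_caps(caps)
  caps.map(&:to_s).join(CAPS_SEP)
end

def delegate_fields(d)
  [d.agent_id, d.issued_at, d.expires_at, d.origin].map(&:to_s)
end

def join_delegate(d)
  delegate_fields(d).join(DELEGATE_SEP)
end

# Assumption: the parse side splits on the same separators.
# Returns a list of problems; empty means both strings split back
# into exactly the values that went in.
def session_field_problems(caps, delegate)
  problems = []
  if join_caps(caps).split(CAPS_SEP, -1) != caps.map(&:to_s)
    problems << "capabilities do not round-trip through '#{CAPS_SEP}'"
  end
  if !delegate.nil? &&
     join_delegate(delegate).split(DELEGATE_SEP, -1) != delegate_fields(delegate)
    problems << "delegation does not round-trip through '#{DELEGATE_SEP}'"
  end
  problems
end

# Constructed sample values.
GOOD = Delegation.new("agent-7", 1_700_000_000, 1_700_003_600, "https://app.example")
BAD  = Delegation.new("agent|7", 1_700_000_000, 1_700_003_600, "https://app.example")

if __FILE__ == $PROGRAM_NAME
  p session_field_problems([:read, :write, :post_summary], GOOD)
  p session_field_problems([:"read,admin"], BAD)
end
```

Running a check like this before .set rejects an identity whose stored form would read back as different capabilities or a different delegation.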

.set(req, identity, exp) ⇒ Object

Write an Identity into req.session. Caller is responsible for ensuring Tep.session_secret is configured – otherwise the response cookie won’t get signed and the next request can’t round-trip the identity back.

`exp` is unix epoch seconds; nil disables expiry (the cookie itself still expires per its own Max-Age / Expires headers or browser session lifetime).



# File 'lib/tep/auth_session_cookie.rb', line 53

def self.set(req, identity, exp)
  req.session.set("identity_sub", identity.principal_id)
  req.session.set("identity_caps",
    Tep::AuthSessionCookie.format_caps(identity.capabilities))
  delegate = identity.acting_via
  if delegate == nil
    req.session.set("identity_delegate", "")
  else
    req.session.set("identity_delegate",
      Tep::AuthSessionCookie.format_delegate(delegate))
  end
  # nil disables expiry, so guard before the numeric comparison
  if exp != nil && exp > 0
    req.session.set("identity_exp", exp.to_s)
  else
    req.session.set("identity_exp", "")
  end
  0
end

.try(req) ⇒ Object

Attempt to recover an Identity from req.session. Returns nil if the session has no identity (no prior #set call, or after #clear) or the stored identity is expired.



# File 'lib/tep/auth_session_cookie.rb', line 86

def self.try(req)
  sub = req.session.get("identity_sub")
  if sub.length == 0
    return nil
  end

  exp_str = req.session.get("identity_exp")
  if exp_str.length > 0
    exp = exp_str.to_i
    if exp > 0 && Time.now.to_i >= exp
      return nil
    end
  end

  caps_str = req.session.get("identity_caps")
  caps = Tep::AuthBearerToken.parse_caps(caps_str)

  delegate_str = req.session.get("identity_delegate")
  delegation = Tep::AuthBearerToken.parse_delegate(delegate_str)

  Tep::Identity.new(sub, delegation, caps)
end