Module: AuthenticatedSystem

Inclusion hook to make current_user and logged_in? available as ActionView helper methods.

     # File lib/authenticated_system.rb, line 98
 98:     def self.included(base)
 99:       base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
100:     end

access_denied()

Redirect as appropriate when an access request fails.

The default action is to redirect to the login screen.

Override this method in your controllers if you want to have special behavior in case the user is not authorized to access the requested action. For example, a popup window might simply close itself.

[Source]

    # File lib/authenticated_system.rb, line 64
64:     def access_denied
65:       respond_to do |format|
66:         format.html do
67:           store_location
68:           redirect_to new_session_path
69:         end
70:         # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
71:         # Add any other API formats here.  (Some browsers, notably IE6, send Accept: */* and trigger 
72:         # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
73:         # for a workaround.)
74:         format.any(:json, :xml) do
75:           request_http_basic_authentication 'Web Password'
76:         end
77:       end
78:     end

authorized?(action = action_name, resource = nil)

Check if the user is authorized

Override this method in your controllers if you want to restrict access to only a few actions or if you want to check if the user has the correct rights.

Example:

 # only allow nonbobs
 def authorized?
   current_user.login != "bob"
 end

[Source]

    # File lib/authenticated_system.rb, line 34
34:     def authorized?(action = action_name, resource = nil)
35:       logged_in?
36:     end

current_user()

Accesses the current user from the session. Future calls avoid the database because nil is not equal to false.

[Source]

    # File lib/authenticated_system.rb, line 11
11:     def current_user
12:       @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
13:     end

current_user=(new_user)

Store the given user id in the session.

[Source]

    # File lib/authenticated_system.rb, line 16
16:     def current_user=(new_user)
17:       session[:user_id] = new_user ? new_user.id : nil
18:       @current_user = new_user || false
19:     end

handle_remember_cookie!(new_cookie_flag)

Refresh the cookie auth token if it exists, create it otherwise

[Source]

     # File lib/authenticated_system.rb, line 169
169:     def handle_remember_cookie!(new_cookie_flag)
170:       return unless @current_user
171:       case
172:       when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
173:       when new_cookie_flag        then @current_user.remember_me 
174:       else                             @current_user.forget_me
175:       end
176:       send_remember_cookie!
177:     end

kill_remember_cookie!()

[Source]

     # File lib/authenticated_system.rb, line 179
179:     def kill_remember_cookie!
180:       cookies.delete :auth_token
181:     end

logged_in?()

Returns true or false if the user is logged in. Preloads @current_user with the user model if they‘re logged in.

[Source]

   # File lib/authenticated_system.rb, line 5
5:     def logged_in?
6:       !!current_user
7:     end

login_from_basic_auth()

Called from current_user. Now, attempt to login by basic authentication information.

[Source]

     # File lib/authenticated_system.rb, line 112
112:     def login_from_basic_auth
113:       authenticate_with_http_basic do |login, password|
114:         self.current_user = User.authenticate(login, password)
115:       end
116:     end

login_from_cookie()

Called from current_user. Finaly, attempt to login by an expiring token in the cookie. for the paranoid: we should be storing user_token = hash(cookie_token, request IP)

[Source]

     # File lib/authenticated_system.rb, line 124
124:     def login_from_cookie
125:       user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
126:       if user && user.remember_token?
127:         self.current_user = user
128:         handle_remember_cookie! false # freshen cookie token (keeping date)
129:         self.current_user
130:       end
131:     end

login_from_session()

Called from current_user. First attempt to login by the user id stored in the session.

[Source]

     # File lib/authenticated_system.rb, line 107
107:     def login_from_session
108:       self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
109:     end

login_required()

Filter method to enforce a login requirement.

To require logins for all actions, use this in your controllers:

  before_filter :login_required

To require logins for specific actions, use this in your controllers:

  before_filter :login_required, :only => [ :edit, :update ]

To skip this in a subclassed controller:

  skip_before_filter :login_required

[Source]

    # File lib/authenticated_system.rb, line 52
52:     def login_required
53:       authorized? || access_denied
54:     end

logout_keeping_session!()

This is ususally what you want; resetting the session willy-nilly wreaks havoc with forgery protection, and is only strictly necessary on login. However, **all session state variables should be unset here**.

[Source]

     # File lib/authenticated_system.rb, line 136
136:     def logout_keeping_session!
137:       # Kill server-side auth cookie
138:       @current_user.forget_me if @current_user.is_a? User
139:       @current_user = false     # not logged in, and don't do it for me
140:       kill_remember_cookie!     # Kill client-side auth cookie
141:       session[:user_id] = nil   # keeps the session but kill our variable
142:       # explicitly kill any other session variables you set
143:     end

logout_killing_session!()

The session should only be reset at the tail end of a form POST — otherwise the request forgery protection fails. It‘s only really necessary when you cross quarantine (logged-out to logged-in).

[Source]

     # File lib/authenticated_system.rb, line 148
148:     def logout_killing_session!
149:       logout_keeping_session!
150:       reset_session
151:     end

redirect_back_or_default(default)

Redirect to the URI stored by the most recent store_location call or to the passed default. Set an appropriately modified

  after_filter :store_location, :only => [:index, :new, :show, :edit]

for any controller you want to be bounce-backable.

[Source]

    # File lib/authenticated_system.rb, line 91
91:     def redirect_back_or_default(default)
92:       redirect_to(session[:return_to] || default)
93:       session[:return_to] = nil
94:     end

send_remember_cookie!()

[Source]

     # File lib/authenticated_system.rb, line 183
183:     def send_remember_cookie!
184:       cookies[:auth_token] = {
185:         :value   => @current_user.remember_token,
186:         :expires => @current_user.remember_token_expires_at }
187:     end

store_location()

Store the URI of the current request in the session.

We can return to this location by calling redirect_back_or_default.

[Source]

    # File lib/authenticated_system.rb, line 83
83:     def store_location
84:       session[:return_to] = request.request_uri
85:     end

valid_remember_cookie?()

Cookies shouldn‘t be allowed to persist past their freshness date, and they should be changed at each login

[Source]

     # File lib/authenticated_system.rb, line 162
162:     def valid_remember_cookie?
163:       return nil unless @current_user
164:       (@current_user.remember_token?) && 
165:         (cookies[:auth_token] == @current_user.remember_token)
166:     end

Methods

Protected Class methods

Protected Instance methods