| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 |
- module AuthenticationHelper
- # Create a new Session and set the relevant cookies.
- def log_in(user, remember, new_session = true)
- reset_session
- expiry = 6.hours.since
- session[:user_id] = user.id
- session[:expires] = expiry
- return unless new_session
- if remember == 1
- token = Session.new_token
- expiry = 1.year.since
- cookies.signed.permanent[:remember_token] = {
- value: token,
- httponly: true
- }
- cookies.signed.permanent[:user_id] = {
- value: user.id,
- httponly: true
- }
- else
- token = nil
- end
- s = Session.create!(
- user: user,
- ip: request.remote_ip,
- expires: expiry,
- remember_digest: token ? Session.digest(token) : nil
- )
- if remember
- cookies.signed.permanent[:session_id] = {
- value: s.id,
- httponly: true
- }
- else
- session[:session_id] = s.id
- end
- end
- # Determine whether the user is logged in, and if so, disable the Session, then flush session cookies.
- def log_out(session_broken: false)
- if !session_broken && logged_in? && @user_session
- user_session
- @user_session.update!(active: false)
- end
- cookies.delete(:user_id)
- cookies.delete(:remember_token)
- cookies.delete(:session_id)
- reset_session
- end
- # Determine whether the current request is from a user with a non-expired session.
- # Makes @user_session available as a side effect if the user is not.
- def logged_in?
- # Case 1: User has an active session inside the cookie.
- # We verify that the session hasn't expired yet.
- if session[:user_id] && session[:expires]&.to_datetime&.future?
- user_session
- return false if !@user_session.active || @user_session.expires.past?
- true
- else
- # Case 2: User is returning and has a remember token saved.
- # We get the Session, check the token and expiry, and log the user in.
- if cookies.signed.permanent[:remember_token] && cookies.signed.permanent[:user_id] &&
- cookies.signed.permanent[:session_id]
- user_session
- return false if @user_session.nil? || @user_session.remember_digest.nil?
- session_password = BCrypt::Password.new @user_session.remember_digest
- if @user_session.expires.future? &&
- session_password == cookies.signed.permanent[:remember_token]
- log_in @user_session.user, false, false
- return true
- end
- return false
- end
- false
- end
- end
- # Get the Session object representing the current user's session.
- def user_session
- if @user_session
- @user_session
- else
- id = cookies.signed.permanent[:session_id] || session[:session_id]
- @user_session ||= Session.find_by(id: id)
- end
- # Edge case if a session no longer exists in the database
- log_out(session_broken: true) unless @user_session
- end
- def current_user
- user_session
- @user_session&.user
- end
- def current_person
- current_user&.person
- end
- def require_login!
- unless logged_in?
- flash_message(:warning, I18n.t('authentication.login_required'))
- redirect_to controller: 'authentication', action: 'login_form'
- return false
- end
- Raven.user_context(
- user_firstname: current_person.first_name
- )
- true
- end
- def require_admin!
- return if current_person.is_admin?
- flash_message(:danger, I18n.t('authentication.admin_required'))
- redirect_to '/dashboard'
- end
- end
|
