switch to OmniAuth

The Rack endpoint-model of facebook-login and twitter-login libraries
had its flaws; namely heavy reliance on payloads persisted in session.

This refactoring also improves the general flow of authentication,
connecting accounts, updating social connections etc.

Gemfile

@@ -19,15 +19,16 @@ gem 'mingo', '>= 0.3.0' #, :path => '/Users/mislav/Projects/mingo'
 gem 'mongo_ext', '>= 0.19.3', :require => nil
 gem 'mongo-rails-instrumentation'
 gem 'bson_ext', '>= 1.1.1', :require => nil
-gem 'twitter-login', '~> 0.4.0', :require => 'twitter/login' #, :path => '/Users/mislav/Projects/twitter-login'
 gem 'will_paginate', '~> 3.0' #, :path => '/Users/mislav/.coral/will_paginate-mislav'
-gem 'facebook-login', '~> 0.3.0', :require => 'facebook/login' #, :path => '/Users/mislav/Projects/facebook-login'
 gem 'escape_utils'
 gem 'choices' #, :path => '/Users/mislav/Projects/choices'
 gem 'never-forget' #, :path => '/Users/mislav/Projects/never-forget'
 gem 'twin' #, :path => '/Users/mislav/Projects/twin'
 gem 'rails-behaviors'
 
+gem 'omniauth-twitter'
+gem 'omniauth-facebook'
+
 group :extras do
   gem 'nokogiri', '~> 1.4.1'
   gem 'nibbler', '~> 1.3' #, :path => '/Users/mislav/Projects/nibbler'

Gemfile.lock

@@ -67,11 +67,6 @@ GEM
     eventmachine (0.12.10)
     execjs (1.3.0)
       multi_json (~> 1.0)
-    facebook-login (0.3.0)
-      addressable (~> 2.1)
-      hashie (>= 0.2.0)
-      oauth2 (>= 0.0.6)
-      rack (~> 1.2)
     faraday (0.8.0.rc2)
       multipart-post (~> 1.1)
     faraday_middleware (0.8.4)
@@ -82,7 +77,7 @@ GEM
     gem_plugin (0.2.3)
     gherkin (2.4.21)
       json (>= 1.4.6)
-    hashie (1.1.0)
+    hashie (1.2.0)
     hike (1.2.1)
     i18n (0.6.0)
     journey (1.0.1)
@@ -116,9 +111,22 @@ GEM
     nibbler (1.3.0)
     nokogiri (1.4.7)
     oauth (0.4.5)
-    oauth2 (0.5.0)
-      faraday (>= 0.6.1, < 0.8)
-      multi_json (~> 1.0.0)
+    oauth2 (0.5.2)
+      faraday (~> 0.7)
+      multi_json (~> 1.0)
+    omniauth (1.0.2)
+      hashie (~> 1.2)
+      rack
+    omniauth-facebook (1.2.0)
+      omniauth-oauth2 (~> 1.0.0)
+    omniauth-oauth (1.0.0)
+      oauth
+      omniauth (~> 1.0)
+    omniauth-oauth2 (1.0.0)
+      oauth2 (~> 0.5.0)
+      omniauth (~> 1.0)
+    omniauth-twitter (0.0.7)
+      omniauth-oauth (~> 1.0)
     rack (1.4.1)
     rack-cache (1.1)
       rack (>= 0.4)
@@ -193,10 +201,6 @@ GEM
     tilt (1.3.3)
     twin (0.1.3)
       activesupport (>= 2.3)
-    twitter-login (0.4.3)
-      hashie (>= 0.2.2)
-      oauth (~> 0.4.2)
-      yajl-ruby (>= 0.7.7)
     tzinfo (0.3.29)
     uglifier (1.2.2)
       execjs (>= 0.3.0)
@@ -207,7 +211,6 @@ GEM
     will_paginate (3.0.1)
     xpath (0.1.4)
       nokogiri (~> 1.3)
-    yajl-ruby (0.8.3)
 
 PLATFORMS
   ruby
@@ -222,7 +225,6 @@ DEPENDENCIES
   cucumber-rails
   dalli
   escape_utils
-  facebook-login (~> 0.3.0)
   faraday (~> 0.8.0.rc)
   faraday_middleware
   launchy
@@ -233,6 +235,8 @@ DEPENDENCIES
   never-forget
   nibbler (~> 1.3)
   nokogiri (~> 1.4.1)
+  omniauth-facebook
+  omniauth-twitter
   rails-behaviors
   railties (~> 3.2)
   rspec-rails (~> 2.8.0)
@@ -243,7 +247,6 @@ DEPENDENCIES
   therubyracer-heroku (~> 0.8.1.pre3)
   thin
   twin
-  twitter-login (~> 0.4.0)
   tzinfo
   uglifier
   webmock

app/controllers/application_controller.rb

@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
 
-  before_filter :login_from_token, :authentication_denied_notice
+  before_filter :login_from_token
 
   def self.admin_actions(options)
     before_filter :check_admin, options
@@ -28,7 +28,12 @@ def current_user=(user)
       nil
     end
   end
-
+
+  def login_path(provider)
+    "/auth/#{provider}"
+  end
+  helper_method :login_path
+
   protected
 
   def login_from_token
@@ -39,15 +44,6 @@ def login_from_token
     end
   end
 
-  def authentication_denied_notice
-    %w[twitter facebook].detect do |service|
-      if session[:"#{service}_error"] == 'user_denied'
-        session.delete(:"#{service}_error")
-        flash.now[:warning] = "You have refused to connect with #{service.titleize}"
-      end
-    end
-  end
-
   def check_admin
     unless logged_in? and current_user.admin?
       head :forbidden

app/controllers/sessions_controller.rb

@@ -1,51 +1,55 @@
-class SessionsController < ApplicationController
+require 'omniauth/auth_hash'
+require 'ostruct'
 
-  include Twitter::Login::Helpers
-  include Facebook::Login::Helpers
+class SessionsController < ApplicationController
 
   skip_before_filter :login_from_token
 
   # for offline testing purposes only
   def instant_login
     user = Rails.configuration.twitter.test_user
-    session[:twitter_user] = user
-    signup_user
-    redirect_to watched_path(current_user)
+    signup_user OmniAuth::AuthHash.new(provider: 'twitter',
+      uid: user.id,
+      info: { name: user.name, nickname: user.screen_name },
+      extra: { raw_info: user })
+
+    redirect_to watched_url(current_user)
   end
 
   def connect
     session[:connecting_with] = params[:network] # facebook or twitter
     session[:following_count] = current_user.friends.count
 
-    redirect_to polymorphic_path([params[:network], 'login'])
+    redirect_to login_path(params[:network])
   end
 
   def finalize
-    signup_user
-
-    unless Movies.offline?
-      current_user.fetch_twitter_info(twitter_client) if twitter_user
-      current_user.fetch_facebook_info(facebook_client) if facebook_user
-    end
-
+    signup_user request.env['omniauth.auth']
+
     if network = session[:connecting_with]
       new_friends = current_user.friends.count - session[:following_count]
       if new_friends.zero?
         message = "Successfully connected #{network.capitalize}"
       else
         message = "Successfully connected with #{new_friends} people from #{network.capitalize}"
       end
-
+
+      session.delete(:connecting_with)
+      session.delete(:following_count)
+
       redirect_to following_url, notice: message
     else
       redirect_to watched_url(current_user)
     end
   end
 
-  def logout
-    twitter_logout
-    facebook_logout
+  def auth_failure
+    render 'shared/error', status: 500, locals: {
+      error: OpenStruct.new(message: params[:message])
+    }
+  end
 
+  def logout
     if logged_in? and cookies[:login_token].present?
       current_user.delete_login_token cookies[:login_token]
       cookies.delete :login_token
@@ -56,11 +60,14 @@ def logout
   end
 
   private
-  
-  def signup_user
-    if self.current_user = User.login_from_twitter_or_facebook(twitter_user, facebook_user)
+
+  def signup_user(auth)
+    if self.current_user = User.login_from_provider(auth, current_user)
       if cookies[:login_token].blank? or !current_user.has_login_token?(cookies[:login_token])
-        cookies.permanent[:login_token] = current_user.generate_login_token
+        cookies.signed.permanent[:login_token] = {
+          value: current_user.generate_login_token,
+          httponly: true
+        }
       end
     end
   end

app/models/user/friends.rb

@@ -15,11 +15,13 @@ module User::Friends
     # cast twitter ids to integers
     def twitter_friends=(ids)
       super ids.map { |id| id.to_i }
+      self['twitter_friends_updated_at'] = Time.now
     end
 
     # cast facebook ids to strings
     def facebook_friends=(ids)
       super ids.map { |id| id.to_s }
+      self['facebook_friends_updated_at'] = Time.now
     end
   end