
new cookie to redirect logged in users to https

signed_in? can't be used anymore to detect if the
user is logged in, because if you access the site
via http the auth cookie will not be available,
since it's marked as secure

session/new removed from routes because the method
itself isn't actually overridden in the
controller, only the template is
1 parent b8f5008 commit 5b4247aca4217ac6abc960cc87448834b9f2ffd5 @mackuba mackuba committed Mar 25, 2013
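--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -5,7 +5,7 @@ class ApplicationController < ActionController::Base
 helper :announcements
 protect_from_forgery :only => [:create, :update, :destroy]
-ssl_required :if => :signed_in?
+ssl_required :if => :ssl_required?
 before_filter :set_locale
@@ -42,6 +42,10 @@ def verify_authenticated_user
 end
 end
+def ssl_required?
+cookies[:ssl]
+end
+
 def find_rubygem
 @rubygem = Rubygem.find_by_name(params[:rubygem_id] || params[:id])
 if @rubygem.blank?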
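Review bot: `ssl_required?` decides on a plain, client-writable cookie and nothing in the hunk says why that is acceptable, so a later reader may mistake it for an authentication check. It is only a hint that an HTTPS session exists (the real auth cookie is secure-only and never arrives over http, as the commit message explains), and a forged or dropped value can at most force or skip the https redirect for a browser that has no usable auth cookie anyway; the method deserves a comment saying exactly that: `# Hint set by SessionsController#create: the secure auth cookie is not sent over http, so this client-writable cookie is what triggers the https redirect. Never treat it as proof of authentication.` The method also returns the raw cookie string rather than a boolean; `cookies[:ssl].present?` would fit the `?` name.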
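--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -9,10 +9,16 @@ def create
 render :template => 'sessions/new', :status => :unauthorized
 else
 sign_in(@user)
+cookies[:ssl] = true
 redirect_back_or(url_after_create)
 end
 end
+def destroy
+cookies.delete(:ssl)
+super
+end
+
 private
 def url_after_create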
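Review bot: `cookies[:ssl] = true` sets a browser-session cookie with no expiry, while the auth cookie written by `sign_in` may well outlive the browser session (Clearance's remember cookie normally carries a long expiry, but that is not visible here). If it does, a user who closes the browser and later reaches the site over http still has a secure auth cookie but no `:ssl` hint, so the https redirect this commit introduces silently stops working for exactly those returning users. Give the hint the same lifetime as the auth cookie, e.g. `cookies[:ssl] = { :value => true, :expires => 1.year.from_now }`, matching whatever expiry Clearance uses, and add a short comment that the cookie is a non-secret redirect hint that must be readable over http. `create` begins outside the hunk.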
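--- a/config/routes.rb
+++ b/config/routes.rb
@@ -128,7 +128,9 @@
 ################################################################################
 # Clearance Overrides
-resource :session, :only => [:new, :create]
+resource :session, :only => [:create, :destroy]
+
+match 'sign_out' => 'sessions#destroy', :via => :delete, :as => 'sign_out'
 resources :passwords, :only => [:new, :create]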
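Review bot: The new `sign_out` route looks redundant next to `resource :session, :only => [:create, :destroy]`, and nothing in the hunk records that it exists so that sign-out reaches the application's `SessionsController#destroy` (which clears the `:ssl` cookie) rather than Clearance's engine controller; a future cleanup could drop it and quietly leave stale hint cookies behind. A one-line comment would protect it: `# Point sign_out at our SessionsController so #destroy also clears the :ssl cookie`. Keeping `:via => :delete` is right, since `protect_from_forgery` in ApplicationController covers `:destroy`. Whether this route actually wins over the engine's own `sign_out` depends on route load order, which is worth confirming with `rake routes`.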
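--- a/features/step_definitions/cookie_steps.rb
+++ b/features/step_definitions/cookie_steps.rb
@@ -0,0 +1,9 @@
+Then /^a cookie named "(\w+)" should( not)? be set$/ do |cookie_name, should_not|
+cookie = Capybara.current_session.driver.request.cookies[cookie_name]
+
+if should_not
+assert_nil cookie
+else
+assert_not_nil cookie
+end
+end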
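Review bot: `driver.request.cookies` holds the cookies the simulated browser sent with the last request, not what the last response set, so the "should not be set" form only proves anything when another request follows the sign-out before this step runs; the `Then I should be signed out` step that precedes it in the feature presumably does make one, but that is outside this file. A comment above the step would stop someone from reusing it directly after a form submission: `# Inspects the cookies sent with the most recent request; make at least one request after the action under test before using this step.` The regex also only accepts `\w+` names, which is fine for `ssl` but worth knowing.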
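--- a/features/visitor_signs_in.feature
+++ b/features/visitor_signs_in.feature
@@ -26,9 +26,11 @@ Feature: Sign in
 Then I should see a login field
 And I sign in as "email@example.com"
 Then I should be signed in
+And a cookie named "ssl" should be set
 Scenario: Visitor signs in successfully with uppercase email
 Given I am signed up as "email@example.com"
 When I go to the sign in page
 And I sign in as "Email@example.com"
 Then I should be signed in
+And a cookie named "ssl" should be set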
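--- a/features/visitor_signs_out.feature
+++ b/features/visitor_signs_out.feature
@@ -10,3 +10,4 @@ Feature: Sign out
 Then I should be signed in
 And I sign out
 Then I should be signed out
+And a cookie named "ssl" should not be set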
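--- a/test/functional/home_controller_test.rb
+++ b/test/functional/home_controller_test.rb
@@ -55,7 +55,7 @@ class HomeControllerTest < ActionController::TestCase
 context "on GET to index with a non-ssl request when signed in" do
 setup do
-sign_in_as(create(:user))
+cookies[:ssl] = true
 @request.env['HTTPS'] = nil
 get :index
 end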
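Review bot: The context is still titled "when signed in" but its setup no longer signs anyone in; it only plants the `ssl` cookie, which is precisely the point of the commit. Rename it so the test describes what it exercises: `context "on GET to index with a non-ssl request when the ssl cookie is set" do`. The assertions for this context are outside the hunk; if there is no sibling case for a non-ssl request without the cookie, one that expects no redirect would pin the other half of `ssl_required?`.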
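--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -0,0 +1,59 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+context "on POST to create" do
+context "when login and password are correct" do
+setup do
+mock(User).authenticate('login', 'pass') { User.new }
+post :create, :session => { :who => 'login', :password => 'pass' }
+end
+
+should respond_with :redirect
+should redirect_to('the dashboard') { dashboard_url }
+
+should "set the ssl cookie" do
+assert_not_nil cookies[:ssl]
+end
+
+should "sign in the user" do
+assert @controller.signed_in?
+end
+end
+
+context "when login and password are incorrect" do
+setup do
+mock(User).authenticate('login', 'pass') { nil }
+post :create, :session => { :who => 'login', :password => 'pass' }
+end
+
+should respond_with :unauthorized
+should render_template 'sessions/new'
+should set_the_flash.now[:notice]
+
+should "not set the ssl cookie" do
+assert_nil cookies[:ssl]
+end
+
+should "not sign in the user" do
+assert !@controller.signed_in?
+end
+end
+end
+
+context "on DELETE to destroy" do
+setup do
+delete :destroy
+end
+
+should respond_with :redirect
+should redirect_to('login page') { sign_in_url }
+
+should "clear the ssl cookie" do
+assert_nil cookies[:ssl]
+end
+
+should "sign out the user" do
+assert !@controller.signed_in?
+end
+end
+end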
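Review bot: The "on DELETE to destroy" context is vacuous: its setup issues `delete :destroy` with nobody signed in and no `ssl` cookie present, so `assert_nil cookies[:ssl]` and `assert !@controller.signed_in?` would pass even if `destroy` did nothing at all. Establish the state the action is supposed to tear down first, e.g. `sign_in_as(create(:user))` and `cookies[:ssl] = true` before `delete :destroy` (the `sign_in_as` helper is used in home_controller_test in this same commit, so it is presumably available here too). With that in place the two assertions actually exercise `cookies.delete(:ssl)` and the `super` sign-out.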
