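module Clearance
  # Controller mixin exposing Clearance's sign-in / sign-out API.
  #
  # All state lives in the session object stored at `request.env[:clearance]`
  # (see {#clearance_session}); this module only delegates to it and wires the
  # predicates into the view layer.
  module Authentication
    extend ActiveSupport::Concern

    included do
      # `helper_method` is only defined on controllers that render views;
      # guarding lets the concern be included where it is absent
      # (presumably API-only controllers — confirm against the host app).
      if respond_to?(:helper_method)
        helper_method :current_user, :signed_in?, :signed_out?
      end

      private(
        :authenticate,
        :current_user,
        :handle_unverified_request,
        :sign_in,
        :sign_out,
        :signed_in?,
        :signed_out?
      )
    end

    # Authenticate a user with a provided email and password.
    #
    # @param [ActionController::Parameters] params The parameters from the
    #   sign in form. `params[:session][:email]` and
    #   `params[:session][:password]` are required.
    # @return [User, nil] The user or nil if authentication fails.
    # @raise [ActionController::ParameterMissing] if `params[:session]` is
    #   missing or blank — `require` rejects it before any credential check.
    def authenticate(params)
      session_params = params.require(:session)
      Clearance.configuration.user_model.authenticate(
        session_params[:email], session_params[:password]
      )
    end

    # Get the user from the current clearance session. Exposed as a
    # `helper_method`, making it visible to views. Prefer {#signed_in?} or
    # {#signed_out?} if you only want to check for the presence of a current
    # user rather than access the actual user.
    #
    # @return [User, nil] The user if one is signed in or nil otherwise.
    def current_user
      clearance_session.current_user
    end

    # Sign in the provided user.
    # @param [User] user
    #
    # Signing in will run the stack of {Configuration#sign_in_guards}.
    #
    # You can provide a block to this method to handle the result of that stack.
    # Your block will receive either a {SuccessStatus} or {FailureStatus}
    #
    #   sign_in(user) do |status|
    #     if status.success?
    #       # ...
    #     else
    #       # ...
    #     end
    #   end
    #
    # For an example of how clearance uses this internally, see
    # {SessionsController#create}.
    #
    # Signing in will also regenerate the CSRF token for the current session,
    # provided {Configuration#rotate_csrf_on_sign_in?} is set. Rotation only
    # happens when the session reports a signed-in user afterwards, i.e. not
    # when a sign-in guard rejected the attempt.
    #
    # @return [String, nil] the new authenticity token when rotation ran,
    #   nil otherwise.
    def sign_in(user, &block)
      clearance_session.sign_in(user, &block)
      return unless signed_in? && Clearance.configuration.rotate_csrf_on_sign_in?

      # Discard the token that existed before authentication so a value
      # observed or set while the session was anonymous is no longer accepted
      # once the session is privileged.
      if request.respond_to?(:reset_csrf_token)
        # Rails 7.1+
        request.reset_csrf_token
      else
        request.session.try(:delete, :_csrf_token)
      end
      # Reading the token after the delete makes Rails mint and store a fresh
      # one for the remainder of this request.
      form_authenticity_token
    end

    # Destroy the current user's Clearance session.
    # See {Session#sign_out} for specifics.
    def sign_out
      clearance_session.sign_out
    end

    # True if there is a currently-signed-in user. Exposed as a `helper_method`,
    # making it available to views.
    #
    # Using `signed_in?` is preferable to checking {#current_user} against nil
    # as it will allow you to introduce a null user object more simply at a
    # later date.
    #
    # @return [Boolean]
    def signed_in?
      clearance_session.signed_in?
    end

    # True if there is no currently-signed-in user. Exposed as a
    # `helper_method`, making it available to views.
    #
    # Using `signed_out?` is preferable to checking for presence of
    # {#current_user} as it will allow you to introduce a null user object more
    # simply at a later date.
    #
    # @return [Boolean]
    def signed_out?
      !signed_in?
    end

    # CSRF protection in Rails >= 3.0.4
    #
    # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
    #
    # Ends the Clearance session when Rails reports a request that failed
    # forgery verification, so a forged request cannot keep acting on behalf
    # of the signed-in user.
    #
    # NOTE(review): `super` dispatches to the app's `protect_from_forgery`
    # strategy; with `with: :exception` it raises before `sign_out` runs, so
    # the sign-out below only takes effect for the non-raising strategies —
    # confirm against the host app's configuration.
    # @private
    def handle_unverified_request
      super
      sign_out
    end

    protected

    # The Clearance session object installed by the Rack middleware for this
    # request.
    #
    # @api private
    # @return [Clearance::Session]
    def clearance_session
      request.env[:clearance]
    end
  end
end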