Reset the remember_token on sign out instead of sign in

* Allows for the same user to sign in from two locations at once
* Added support for setting User#remember_token on creation
* Addresses this thread:
  http://groups.google.com/group/thoughtbot-clearance/browse_thread/thread/d071ae84573e40ff
commit 51051538f085c951eb14ef527af5763a8636798b 1 parent 1448735
@rmm5t rmm5t authored
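--- a/lib/clearance/authentication.rb
+++ b/lib/clearance/authentication.rb
@@ -62,7 +62,6 @@ def authenticate
 # sign_in(@user)
 def sign_in(user)
 if user
-user.reset_remember_token!
 cookies[:remember_token] = {
 :value => user.remember_token,
 :expires => 1.year.from_now.utc
@@ -77,6 +76,7 @@ def sign_in(user)
 # sign_out
 def sign_out
 cookies.delete(:remember_token)
+current_user.reset_remember_token! if current_user
 current_user = nil
 end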
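Review bot: After this change nothing in sign_in guarantees that `user.remember_token` is non-nil, so a user row created before `generate_remember_token` existed as a before_create callback is signed in with `cookies[:remember_token]` holding a nil value, and that cookie presumably cannot be used to look the user up again. A one-line guard before the cookie assignment covers those legacy rows without rotating tokens for everyone, `user.reset_remember_token! if user.remember_token.blank?`. Separately, in sign_out the line `current_user = nil` assigns a local variable rather than calling a writer, so a memoized current_user is presumably left in place after its token is reset — worth confirming against how current_user is cached and, if so, replacing it with `self.current_user = nil` or clearing the instance variable; that line is context here, not part of this commit. sign_in's body continues outside the first hunk.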
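--- a/lib/clearance/user.rb
+++ b/lib/clearance/user.rb
@@ -67,7 +67,8 @@ def self.included(model)
 model.class_eval do
 before_save :initialize_salt,
 :encrypt_password
-before_create :generate_confirmation_token
+before_create :generate_confirmation_token,
+:generate_remember_token
 after_create :send_confirmation_email, :unless => :email_confirmed?
 end
 end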
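Review bot: `generate_remember_token` is now the only place a remember token is minted for the lifetime of an account short of an explicit sign-out, and its definition is outside this hunk, so the callback line deserves a comment saying so, e.g. `# remember_token is generated once at creation and only rotated by reset_remember_token! (called from sign_out)`. Because the value now survives in a one-year cookie across repeated sign-ins, it is worth confirming that the generator draws from a cryptographically secure random source rather than a timestamp or sequential value; that cannot be verified from these lines. The enclosing `self.included` method starts before the hunk.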
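--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -35,6 +35,7 @@ class SessionsControllerTest < ActionController::TestCase
 context "on POST to #create with good credentials" do
 setup do
 @user = Factory(:email_confirmed_user)
+@user.update_attribute(:remember_token, "old-token")
 post :create, :session => {
 :email => @user.email,
 :password => @user.password }
@@ -47,8 +48,8 @@ class SessionsControllerTest < ActionController::TestCase
 assert ! cookies['remember_token'].empty?
 end
-should 'set the token in users table' do
-assert_not_nil @user.reload.remember_token
+should "not change the remember token" do
+assert_equal "old-token", @user.reload.remember_token
 end
 end
@@ -121,6 +122,7 @@ class SessionsControllerTest < ActionController::TestCase
 context "on DELETE to #destroy with a cookie" do
 setup do
 @user = Factory(:email_confirmed_user)
+@user.update_attribute(:remember_token, "old-token")
 cookies['remember_token'] = CGI::Cookie.new('token', 'value')
 sign_in_as @user
 delete :destroy
@@ -133,8 +135,8 @@ class SessionsControllerTest < ActionController::TestCase
 assert_nil cookies['remember_token']
 end
-should "delete the database token" do
-assert_nil @user.reload.remember_token
+should "reset the remember token" do
+assert_not_equal "old-token", @user.reload.remember_token
 end
 end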
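Review bot: The new assertion `assert_not_equal "old-token", @user.reload.remember_token` in the DELETE #destroy context also passes when the token becomes nil, which is exactly the outcome the removed "delete the database token" test asserted, so it does not distinguish a reset from a deletion. Adding `assert_not_nil @user.reload.remember_token` alongside it pins the intended rotation; the same gap applies to the "change the remember token" test in test/models/user_test.rb. The SessionsControllerTest class starts and ends outside these hunks.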
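--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -125,12 +125,12 @@ def @user.initialize_salt; end
 context "When resetting authentication with reset_remember_token!" do
 setup do
 @user = Factory(:email_confirmed_user)
-assert_nil @user.remember_token
+@user.remember_token = "old-token"
 @user.reset_remember_token!
 end
-should "set the remember token" do
-assert_not_nil @user.remember_token
+should "change the remember token" do
+assert_not_equal "old-token", @user.remember_token
 end
 end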

3 comments on commit 5105153

@masterkain

mm, I don't like this. My site doesn't allow more than one concurrent login per user. I also tried writing on Google Groups, but my post never appeared. Any safe way to override?

@rmm5t

Claudio, sorry, I think your requirements are more of an edge case than what the rest of us have, but yes, it is very easy to override. You should be able to just override the sign_in method in your ApplicationController. It would probably look something like this:

class ApplicationController < ActionController::Base
  include Clearance::Authentication

  def sign_in(user)
    user.reset_remember_token! if user
    super
  end
end

This will regenerate a new remember_token upon every sign in -- giving you the desired behavior of signing out anyone with the same credentials.

@masterkain

ah yes, I'm already overriding sign_in so no harm in adding only one line. thanks!
