2016-10-19 03:11:36 +00:00
|
|
|
# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
|
2013-06-12 15:59:58 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
class SessionsController < ApplicationController
|
2020-03-19 09:39:51 +00:00
|
|
|
prepend_before_action -> { authentication_check && authorize! }, only: %i[switch_to_user list delete]
|
2019-09-05 14:02:31 +00:00
|
|
|
skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth]
|
2019-09-30 17:34:13 +00:00
|
|
|
skip_before_action :user_device_check, only: %i[create_sso]
|
2012-04-10 14:06:46 +00:00
|
|
|
|
|
|
|
# "Create" a login, aka "log the user in"
|
|
|
|
def create
|
2019-09-05 14:02:31 +00:00
|
|
|
user = authenticate_with_password
|
|
|
|
initiate_session_for(user)
|
2015-06-24 08:48:48 +00:00
|
|
|
|
2012-04-11 06:37:54 +00:00
|
|
|
# return new session data
|
2019-09-05 14:02:31 +00:00
|
|
|
render status: :created,
|
|
|
|
json: SessionHelper.json_hash(user).merge(config: config_frontend)
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
2019-09-30 17:34:13 +00:00
|
|
|
def create_sso
|
2021-02-04 08:28:41 +00:00
|
|
|
raise Exceptions::Forbidden, 'SSO authentication disabled!' if !Setting.get('auth_sso')
|
2020-08-26 13:21:17 +00:00
|
|
|
|
|
|
|
user = begin
|
2020-09-30 09:07:01 +00:00
|
|
|
login = request.env['REMOTE_USER'] ||
|
|
|
|
request.env['HTTP_REMOTE_USER'] ||
|
|
|
|
request.headers['X-Forwarded-User']
|
2020-08-26 13:21:17 +00:00
|
|
|
|
2020-09-30 09:07:01 +00:00
|
|
|
User.lookup(login: login&.downcase)
|
|
|
|
end
|
2020-08-26 13:21:17 +00:00
|
|
|
|
|
|
|
raise Exceptions::NotAuthorized, 'Missing SSO ENV REMOTE_USER or X-Forwarded-User header' if login.blank?
|
|
|
|
raise Exceptions::NotAuthorized, "No such user '#{login}' found!" if user.blank?
|
|
|
|
|
|
|
|
session.delete(:switched_from_user_id)
|
|
|
|
authentication_check_prerequesits(user, 'SSO', {})
|
2019-09-30 17:34:13 +00:00
|
|
|
|
|
|
|
redirect_to '/#'
|
|
|
|
end
|
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
def show
|
2019-09-30 17:34:13 +00:00
|
|
|
user = authentication_check_only
|
|
|
|
raise Exceptions::NotAuthorized, 'no valid session' if user.blank?
|
|
|
|
|
2019-09-05 14:02:31 +00:00
|
|
|
initiate_session_for(user)
|
2014-09-09 23:42:20 +00:00
|
|
|
|
2012-04-11 06:37:54 +00:00
|
|
|
# return current session
|
2019-09-05 14:02:31 +00:00
|
|
|
render json: SessionHelper.json_hash(user).merge(config: config_frontend)
|
|
|
|
rescue Exceptions::NotAuthorized => e
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {
|
2019-09-05 14:02:31 +00:00
|
|
|
error: e.message,
|
2018-12-19 17:31:51 +00:00
|
|
|
config: config_frontend,
|
2019-09-05 14:02:31 +00:00
|
|
|
models: SessionHelper.models,
|
|
|
|
collections: { Locale.to_app_model => Locale.where(active: true) }
|
2012-04-11 06:37:54 +00:00
|
|
|
}
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# "Delete" a login, aka "log the user out"
|
|
|
|
def destroy
|
2012-04-20 12:24:37 +00:00
|
|
|
|
2018-06-26 07:26:19 +00:00
|
|
|
reset_session
|
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
# Remove the user id from the session
|
2017-02-15 12:29:25 +00:00
|
|
|
@_current_user = nil
|
2012-04-11 06:37:54 +00:00
|
|
|
|
2017-02-15 12:29:25 +00:00
|
|
|
# reset session
|
|
|
|
request.env['rack.session.options'][:expire_after] = nil
|
2012-04-20 12:24:37 +00:00
|
|
|
|
2015-04-27 14:47:58 +00:00
|
|
|
render json: {}
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-09-20 12:08:02 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
def create_omniauth
|
2014-09-15 20:55:06 +00:00
|
|
|
|
|
|
|
# in case, remove switched_from_user_id
|
|
|
|
session[:switched_from_user_id] = nil
|
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
auth = request.env['omniauth.auth']
|
|
|
|
|
|
|
|
if !auth
|
2015-04-27 13:20:16 +00:00
|
|
|
logger.info('AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT')
|
2012-04-18 08:33:42 +00:00
|
|
|
|
|
|
|
# redirect to app
|
2013-02-17 18:28:32 +00:00
|
|
|
redirect_to '/'
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-04-18 08:33:42 +00:00
|
|
|
|
|
|
|
# Create a new user or add an auth to existing user, depending on
|
|
|
|
# whether there is already a user signed in.
|
2012-04-18 12:36:30 +00:00
|
|
|
authorization = Authorization.find_from_hash(auth)
|
|
|
|
if !authorization
|
2012-04-18 08:33:42 +00:00
|
|
|
authorization = Authorization.create_from_hash(auth, current_user)
|
2012-04-10 14:06:46 +00:00
|
|
|
end
|
2012-04-18 08:33:42 +00:00
|
|
|
|
2019-09-05 14:02:31 +00:00
|
|
|
if in_maintenance_mode?(authorization.user)
|
2016-05-25 07:19:45 +00:00
|
|
|
redirect_to '/#'
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2013-09-30 01:41:45 +00:00
|
|
|
# set current session user
|
|
|
|
current_user_set(authorization.user)
|
|
|
|
|
|
|
|
# log new session
|
2015-11-30 10:50:02 +00:00
|
|
|
authorization.user.activity_stream_log('session started', authorization.user.id, true)
|
2013-09-30 01:41:45 +00:00
|
|
|
|
2012-10-18 08:10:12 +00:00
|
|
|
# remember last login date
|
2013-02-12 22:49:52 +00:00
|
|
|
authorization.user.update_last_login
|
2012-10-18 08:10:12 +00:00
|
|
|
|
2012-04-10 14:06:46 +00:00
|
|
|
# redirect to app
|
2013-02-17 18:28:32 +00:00
|
|
|
redirect_to '/'
|
|
|
|
end
|
|
|
|
|
2018-07-17 08:35:51 +00:00
|
|
|
def failure_omniauth
|
|
|
|
raise Exceptions::UnprocessableEntity, "Message from #{params[:strategy]}: #{params[:message]}"
|
|
|
|
end
|
|
|
|
|
2013-10-07 03:38:07 +00:00
|
|
|
# "switch" to user
|
|
|
|
def switch_to_user
|
|
|
|
# check user
|
|
|
|
if !params[:id]
|
|
|
|
render(
|
2018-12-19 17:31:51 +00:00
|
|
|
json: { message: 'no user given' },
|
2015-04-27 13:42:53 +00:00
|
|
|
status: :not_found
|
2013-10-07 03:38:07 +00:00
|
|
|
)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
2015-11-30 10:50:02 +00:00
|
|
|
user = User.find(params[:id])
|
2013-10-07 03:38:07 +00:00
|
|
|
if !user
|
|
|
|
render(
|
2018-12-19 17:31:51 +00:00
|
|
|
json: {},
|
2015-04-27 13:42:53 +00:00
|
|
|
status: :not_found
|
2013-10-07 03:38:07 +00:00
|
|
|
)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
2020-12-17 06:14:17 +00:00
|
|
|
# remember original user
|
|
|
|
session[:switched_from_user_id] ||= current_user.id
|
2014-09-15 20:55:06 +00:00
|
|
|
|
2013-10-07 03:38:07 +00:00
|
|
|
# log new session
|
2015-11-30 10:50:02 +00:00
|
|
|
user.activity_stream_log('switch to', current_user.id, true)
|
2013-10-07 03:38:07 +00:00
|
|
|
|
|
|
|
# set session user
|
|
|
|
current_user_set(user)
|
|
|
|
|
2016-01-26 06:00:25 +00:00
|
|
|
render(
|
|
|
|
json: {
|
2018-12-19 17:31:51 +00:00
|
|
|
success: true,
|
2016-01-26 06:00:25 +00:00
|
|
|
location: '',
|
|
|
|
},
|
|
|
|
)
|
2013-10-07 03:38:07 +00:00
|
|
|
end
|
|
|
|
|
2014-09-15 20:55:06 +00:00
|
|
|
# "switch" back to user
|
|
|
|
def switch_back_to_user
|
|
|
|
|
2019-07-31 08:23:48 +00:00
|
|
|
# check if it's a switch back
|
2021-02-04 08:28:41 +00:00
|
|
|
raise Exceptions::Forbidden if !session[:switched_from_user_id]
|
2014-09-15 20:55:06 +00:00
|
|
|
|
2015-11-30 10:50:02 +00:00
|
|
|
user = User.lookup(id: session[:switched_from_user_id])
|
2014-09-15 20:55:06 +00:00
|
|
|
if !user
|
|
|
|
render(
|
2018-12-19 17:31:51 +00:00
|
|
|
json: {},
|
2015-04-27 13:42:53 +00:00
|
|
|
status: :not_found
|
2014-09-15 20:55:06 +00:00
|
|
|
)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
2019-07-31 08:23:48 +00:00
|
|
|
# remember current user
|
2014-09-21 13:19:28 +00:00
|
|
|
current_session_user = current_user
|
2014-09-15 20:55:06 +00:00
|
|
|
|
|
|
|
# remove switched_from_user_id
|
|
|
|
session[:switched_from_user_id] = nil
|
|
|
|
|
|
|
|
# set old session user again
|
|
|
|
current_user_set(user)
|
|
|
|
|
2014-09-21 13:19:28 +00:00
|
|
|
# log end session
|
2015-11-30 10:50:02 +00:00
|
|
|
current_session_user.activity_stream_log('ended switch to', user.id, true)
|
2014-09-21 13:19:28 +00:00
|
|
|
|
2016-01-26 06:00:25 +00:00
|
|
|
render(
|
|
|
|
json: {
|
2018-12-19 17:31:51 +00:00
|
|
|
success: true,
|
2016-01-26 06:00:25 +00:00
|
|
|
location: '',
|
|
|
|
},
|
|
|
|
)
|
2014-09-15 20:55:06 +00:00
|
|
|
end
|
|
|
|
|
2016-05-26 21:40:10 +00:00
|
|
|
def available
|
|
|
|
render json: {
|
|
|
|
app_version: AppVersion.get
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2013-07-26 21:45:16 +00:00
|
|
|
def list
|
2013-10-01 18:31:03 +00:00
|
|
|
assets = {}
|
2013-07-26 21:45:16 +00:00
|
|
|
sessions_clean = []
|
2017-10-01 12:25:52 +00:00
|
|
|
SessionHelper.list.each do |session|
|
2017-07-24 07:06:15 +00:00
|
|
|
next if session.data['user_id'].blank?
|
2018-10-09 06:17:41 +00:00
|
|
|
|
2013-07-26 21:45:16 +00:00
|
|
|
sessions_clean.push session
|
2017-07-24 07:06:15 +00:00
|
|
|
next if session.data['user_id']
|
2018-10-09 06:17:41 +00:00
|
|
|
|
2017-07-24 07:06:15 +00:00
|
|
|
user = User.lookup(id: session.data['user_id'])
|
|
|
|
next if !user
|
2018-10-09 06:17:41 +00:00
|
|
|
|
2017-07-24 07:06:15 +00:00
|
|
|
assets = user.assets(assets)
|
2017-10-01 12:25:52 +00:00
|
|
|
end
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {
|
|
|
|
sessions: sessions_clean,
|
2018-12-19 17:31:51 +00:00
|
|
|
assets: assets,
|
2013-07-26 21:45:16 +00:00
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def delete
|
2015-11-30 10:50:02 +00:00
|
|
|
SessionHelper.destroy(params[:id])
|
2015-04-27 13:42:53 +00:00
|
|
|
render json: {}
|
2013-07-26 21:45:16 +00:00
|
|
|
end
|
2014-11-17 10:39:35 +00:00
|
|
|
|
2017-03-09 11:44:51 +00:00
|
|
|
private
|
|
|
|
|
2019-09-05 14:02:31 +00:00
|
|
|
def initiate_session_for(user)
|
|
|
|
request.env['rack.session.options'][:expire_after] = 1.year if params[:remember_me]
|
|
|
|
session[:persistent] = true
|
|
|
|
user.activity_stream_log('session started', user.id, true)
|
|
|
|
end
|
|
|
|
|
2017-03-09 11:44:51 +00:00
|
|
|
def config_frontend
|
|
|
|
|
|
|
|
# config
|
|
|
|
config = {}
|
2017-10-01 12:25:52 +00:00
|
|
|
Setting.select('name, preferences').where(frontend: true).each do |setting|
|
2017-03-09 11:44:51 +00:00
|
|
|
next if setting.preferences[:authentication] == true && !current_user
|
2018-10-09 06:17:41 +00:00
|
|
|
|
2017-03-09 11:44:51 +00:00
|
|
|
value = Setting.get(setting.name)
|
|
|
|
next if !current_user && (value == false || value.nil?)
|
2018-10-09 06:17:41 +00:00
|
|
|
|
2017-03-09 11:44:51 +00:00
|
|
|
config[setting.name] = value
|
2017-10-01 12:25:52 +00:00
|
|
|
end
|
2017-03-09 11:44:51 +00:00
|
|
|
|
2019-07-31 08:23:48 +00:00
|
|
|
# remember if we can switch back to user
|
2017-03-09 11:44:51 +00:00
|
|
|
if session[:switched_from_user_id]
|
|
|
|
config['switch_back_to_possible'] = true
|
|
|
|
end
|
|
|
|
|
|
|
|
# remember session_id for websocket logon
|
|
|
|
if current_user
|
|
|
|
config['session_id'] = session.id
|
|
|
|
end
|
|
|
|
|
|
|
|
config
|
|
|
|
end
|
2019-09-05 14:02:31 +00:00
|
|
|
|
2015-04-27 14:15:29 +00:00
|
|
|
end
|