- Refactored authentication_check_only.

- Replaced session[:request_type] with session[:persistent].
2015-06-24 10:48:48 +02:00 · 2015-06-24 10:48:48 +02:00 · e91553d164
commit e91553d164
parent c49792513e
5 changed files with 86 additions and 77 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -98,27 +98,61 @@ class ApplicationController < ActionController::Base
  def authentication_check_only(auth_param)
    logger.debug 'authentication_check'
    session[:request_type] = 1
    #logger.debug params.inspect
    #logger.debug session.inspect
    #logger.debug cookies.inspect
-    # check http basic auth
+    # already logged in, early exit
-    authenticate_with_http_basic do |username, password|
+    if session.id && session[:user_id]
-      logger.debug 'http basic auth check'
+      userdata = User.find( session[:user_id] )
-      session[:request_type] = 2
+      current_user_set(userdata)
-      userdata = User.authenticate( username, password )
+      return {
-      message = ''
+        auth: true
-      if !userdata
+      }
        message = 'authentication failed'
    end
-      # return auth ok
+    error_message = 'authentication failed'
      if message == ''
-        # remember user
+    # check logon session
-        session[:user_id] = userdata.id
+    if params['logon_session']
      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
      # set logon session user to current user
      if logon_session
        userdata = User.find( logon_session.data[:user_id] )
        current_user_set(userdata)
        session[:persistent] = true
        return {
          auth: true
        }
      end
      error_message = 'no valid session, user_id'
    end
    # check sso
    sso_userdata = User.sso(params)
    if sso_userdata
      current_user_set(sso_userdata)
      session[:persistent] = true
      return {
        auth: true
      }
    end
    # check http basic auth
    authenticate_with_http_basic do |username, password|
      logger.debug "http basic auth check '#{username}'"
      userdata = User.authenticate( username, password )
      next if !userdata
      # set basic auth user to current user
      current_user_set(userdata)
@ -127,93 +161,35 @@ class ApplicationController < ActionController::Base
      }
    end
      # return auth not ok
      return {
        auth: false,
        message: message,
      }
    end
    # check logon session
    if params['logon_session']
      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
      if logon_session
        userdata = User.find( logon_session.data[:user_id] )
      end
      session[:request_type] = 3
      # set logon session user to current user
      current_user_set(userdata)
      return {
        auth: true
      }
    end
    # check sso
    if !session[:user_id]
      user = User.sso(params)
      # Log the authorizing user in.
      if user
        session[:user_id] = user.id
      end
    end
    # check token
    if auth_param[:token_action]
-      authenticate_with_http_token do |token, options|
+      authenticate_with_http_token do |token, _options|
-        logger.debug 'token auth check'
+        logger.debug "token auth check #{token}"
        session[:request_type] = 4
        userdata = Token.check(
          action: auth_param[:token_action],
          name: token,
        )
-        message = ''
+        next if !userdata
        if !userdata
          message = 'authentication failed'
        end
        # return auth ok
        if message == ''
          # remember user
          session[:user_id] = userdata.id
        # set token user to current user
        current_user_set(userdata)
        return {
          auth: true
        }
      end
        # return auth not ok
        return {
          auth: false,
          message: message,
        }
      end
    end
    # return auth not ok (no session exists)
    if !session[:user_id]
      logger.debug 'no valid session, user_id'
      message = 'no valid session, user_id'
      return {
        auth: false,
        message: message,
      }
    end
    logger.debug error_message
    {
-      auth: true
+      auth: false,
      message: error_message,
    }
  end
-  def authentication_check( auth_param = { basic_auth_promt: false } )
+  def authentication_check( auth_param = {} )
    result = authentication_check_only(auth_param)
    # check if basic_auth fallback is possible
@ -233,6 +209,9 @@ class ApplicationController < ActionController::Base
      return false
    end
    # store current user id into the session
    session[:user_id] = current_user.id
    # return auth ok
    true
  end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -54,6 +54,10 @@ class SessionsController < ApplicationController
      #      )
    end
    # sessions created via this
    # controller are persistent
    session[:persistent] = true
    # return new session data
    render  status: :created,
            json: {
--- a/app/models/observer/session.rb
+++ b/app/models/observer/session.rb
@ -13,15 +13,17 @@ class Observer::Session < ActiveRecord::Observer
    check(record)
  end
  # move the persistent attribute from the sub structure
  # to the first level so it gets stored in the database
  # column to make the cleanup lookup more performant
  def check(record)
    return if !record.data
-    return if record[:request_type]
+    return if record[:persistent]
-    # remember request type
+    return if !record.data['persistent']
    return if !record.data['request_type']
-    record[:request_type] = record.data['request_type']
+    record[:persistent] = record.data['persistent']
-    record.data.delete('request_type')
+    record.data.delete('persistent')
  end
 end
--- a/db/migrate/20150623145511_session_changes.rb
+++ b/db/migrate/20150623145511_session_changes.rb
@ -0,0 +1,24 @@
 class SessionChanges < ActiveRecord::Migration
  def up
    ActiveRecord::SessionStore::Session.delete_all
    remove_index :sessions, :request_type
    remove_column :sessions, :request_type
    add_column :sessions, :persistent, :boolean, null: true
    add_index :sessions, :persistent
  end
  def down
    ActiveRecord::SessionStore::Session.delete_all
    remove_index :sessions, :persistent
    remove_column :sessions, :persistent
    add_column :sessions, :request_type, :integer, null: true
    add_index :sessions, :request_type
  end
 end
--- a/lib/session_helper.rb
+++ b/lib/session_helper.rb
@ -29,7 +29,7 @@ module SessionHelper
  def self.cleanup_expired
    # delete temp. sessions
-    ActiveRecord::SessionStore::Session.where('request_type IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
+    ActiveRecord::SessionStore::Session.where('persistent IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
    # web sessions older the x days
    ActiveRecord::SessionStore::Session.where('updated_at < ?', Time.zone.now - 90.days ).delete_all