- Refactored authentication_check_only.

- Replaced session[:request_type] with session[:persistent].

app/controllers/application_controller.rb

@@ -98,122 +98,98 @@ class ApplicationController < ActionController::Base
   def authentication_check_only(auth_param)
 
     logger.debug 'authentication_check'
-    session[:request_type] = 1
     #logger.debug params.inspect
     #logger.debug session.inspect
     #logger.debug cookies.inspect
 
-    # check http basic auth
+    # already logged in, early exit
-    authenticate_with_http_basic do |username, password|
+    if session.id && session[:user_id]
-      logger.debug 'http basic auth check'
+      userdata = User.find( session[:user_id] )
-      session[:request_type] = 2
+      current_user_set(userdata)
 
-      userdata = User.authenticate( username, password )
+      return {
-      message = ''
+        auth: true
-      if !userdata
+      }
-        message = 'authentication failed'
+    end
-      end
 
-      # return auth ok
+    error_message = 'authentication failed'
-      if message == ''
 
-        # remember user
+    # check logon session
-        session[:user_id] = userdata.id
+    if params['logon_session']
+      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
 
-        # set basic auth user to current user
+      # set logon session user to current user
+      if logon_session
+        userdata = User.find( logon_session.data[:user_id] )
         current_user_set(userdata)
+
+        session[:persistent] = true
+
         return {
           auth: true
         }
       end
 
-      # return auth not ok
+      error_message = 'no valid session, user_id'
+    end
+
+    # check sso
+    sso_userdata = User.sso(params)
+    if sso_userdata
+
+      current_user_set(sso_userdata)
+
+      session[:persistent] = true
+
       return {
-        auth: false,
+        auth: true
-        message: message,
       }
     end
 
-    # check logon session
+    # check http basic auth
-    if params['logon_session']
+    authenticate_with_http_basic do |username, password|
-      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
+      logger.debug "http basic auth check '#{username}'"
-      if logon_session
-        userdata = User.find( logon_session.data[:user_id] )
-      end
 
-      session[:request_type] = 3
+      userdata = User.authenticate( username, password )
 
-      # set logon session user to current user
+      next if !userdata
+
+      # set basic auth user to current user
       current_user_set(userdata)
       return {
         auth: true
       }
     end
 
-    # check sso
-    if !session[:user_id]
-
-      user = User.sso(params)
-
-      # Log the authorizing user in.
-      if user
-        session[:user_id] = user.id
-      end
-    end
-
     # check token
     if auth_param[:token_action]
-      authenticate_with_http_token do |token, options|
+      authenticate_with_http_token do |token, _options|
-        logger.debug 'token auth check'
+        logger.debug "token auth check #{token}"
-        session[:request_type] = 4
 
         userdata = Token.check(
           action: auth_param[:token_action],
           name: token,
         )
 
-        message = ''
+        next if !userdata
-        if !userdata
-          message = 'authentication failed'
-        end
 
-        # return auth ok
+        # set token user to current user
-        if message == ''
+        current_user_set(userdata)
 
-          # remember user
-          session[:user_id] = userdata.id
-
-          # set token user to current user
-          current_user_set(userdata)
-          return {
-            auth: true
-          }
-        end
-
-        # return auth not ok
         return {
-          auth: false,
+          auth: true
-          message: message,
         }
       end
     end
 
-    # return auth not ok (no session exists)
+    logger.debug error_message
-    if !session[:user_id]
-      logger.debug 'no valid session, user_id'
-      message = 'no valid session, user_id'
-      return {
-        auth: false,
-        message: message,
-      }
-    end
-
     {
-      auth: true
+      auth: false,
+      message: error_message,
     }
   end
 
-  def authentication_check( auth_param = { basic_auth_promt: false } )
+  def authentication_check( auth_param = {} )
     result = authentication_check_only(auth_param)
 
     # check if basic_auth fallback is possible
@@ -233,6 +209,9 @@ class ApplicationController < ActionController::Base
       return false
     end
 
+    # store current user id into the session
+    session[:user_id] = current_user.id
+
     # return auth ok
     true
   end

app/controllers/sessions_controller.rb

@@ -54,6 +54,10 @@ class SessionsController < ApplicationController
       #      )
     end
 
+    # sessions created via this
+    # controller are persistent
+    session[:persistent] = true
+
     # return new session data
     render  status: :created,
             json: {

app/models/observer/session.rb

@@ -13,15 +13,17 @@ class Observer::Session < ActiveRecord::Observer
     check(record)
   end
 
+  # move the persistent attribute from the sub structure
+  # to the first level so it gets stored in the database
+  # column to make the cleanup lookup more performant
   def check(record)
     return if !record.data
-    return if record[:request_type]
+    return if record[:persistent]
 
-    # remember request type
+    return if !record.data['persistent']
-    return if !record.data['request_type']
 
-    record[:request_type] = record.data['request_type']
+    record[:persistent] = record.data['persistent']
-    record.data.delete('request_type')
+    record.data.delete('persistent')
   end
 
 end

db/migrate/20150623145511_session_changes.rb

@@ -0,0 +1,24 @@
+class SessionChanges < ActiveRecord::Migration
+  def up
+
+    ActiveRecord::SessionStore::Session.delete_all
+
+    remove_index :sessions, :request_type
+    remove_column :sessions, :request_type
+
+    add_column :sessions, :persistent, :boolean, null: true
+    add_index :sessions, :persistent
+  end
+
+  def down
+
+    ActiveRecord::SessionStore::Session.delete_all
+
+    remove_index :sessions, :persistent
+    remove_column :sessions, :persistent
+
+    add_column :sessions, :request_type, :integer, null: true
+    add_index :sessions, :request_type
+  end
+
+end

lib/session_helper.rb

@@ -29,7 +29,7 @@ module SessionHelper
   def self.cleanup_expired
 
     # delete temp. sessions
-    ActiveRecord::SessionStore::Session.where('request_type IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
+    ActiveRecord::SessionStore::Session.where('persistent IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
 
     # web sessions older the x days
     ActiveRecord::SessionStore::Session.where('updated_at < ?', Time.zone.now - 90.days ).delete_all