# this is not a jam session - this is an 'auth session' class SessionsController < ApplicationController before_filter :api_signed_in_user, only: :paypal_express_checkout layout "web" def signin @login_error = false @sso = params[:sso] @send_back_to = request.headers['REFERER'] params[:send_back_to] = @send_back_to if current_user # send them on their way complete_sign_in(current_user) return end render :layout => "landing" end def create email = params[:session][:email] password = params[:session][:password] email.strip! if email password.strip! if password user = User.authenticate(email, password) if user.nil? @login_error = true @sso = params[:sso] @send_back_to = params[:send_back_to] render 'signin', :layout => "landing" else if jkclient_agent? user.update_progression_field(:first_ran_client_at) end @session_only_cookie = !jkclient_agent? && !params[:user].nil? && 0 == params[:user][:remember_me].to_i complete_sign_in user end end def paypal_express_checkout # should get 'token' and 'PayerID' on success # on failure, cancel=1 if params[:cancel] == '1' || params[:cancel] == 1 #redirect_to params[:path] ? params[:path] : '/client#/jamtrack' redirect_to params[:path] ? params[:path] : ApplicationHelper.spa_base_uri return end authorization = current_user.paypal_auth if authorization authorization.delete authorization = nil end # Always make and save a new authorization. This is because they expire, and honestly there's no cost # to just making and saving it. user_auth_hash = { :provider => 'paypal', :uid => params[:PayerID], :token => params[:token], :refresh_token => nil, :token_expiration => 3.hours.from_now, # according to paypal docs, a token is good for 3 hours :secret => nil } # delete existing authorization if exists; useful if N users sharing same paypal: authorization = UserAuthorization.find_by_provider_and_uid(user_auth_hash[:provider], user_auth_hash[:uid]) if authorization puts "deleting existing paypal authorization" authorization.delete authorization = nil end authorization = current_user.user_authorizations.build(user_auth_hash) if !authorization.save puts "Paypal authorization errors for user #{current_user.email} #{authorization.errors.inspect}" puts "Paypal params: #{params.inspect}" end #redirect_to '/client#/paypal/confirm' redirect_to ApplicationHelper.spa_base_uri + '/checkout/paypal/confirm' end # OAuth docs # http://net.tutsplus.com/tutorials/ruby/how-to-use-omniauth-to-authenticate-your-users/ def create_oauth puts "OMG" auth_hash = request.env['omniauth.auth'] authorization = UserAuthorization.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"]) if authorization # Sign in for a user who has already registered. complete_sign_in authorization.user else # Sign up for a completely new user. # First/last name: auth_hash["info"]["first_name"] and auth_hash["info"]["last_name"] # token: auth_hash["credentials"]["token"] -- "expires_at" # # For debugging - to see what all is there: # render :text => auth_hash.to_yaml #FbGraph.debug! token = auth_hash[:credentials][:token] # FIXME: # This should probably be in a transaction somehow, meaning the user # create and the authorization create. Concern is UserManager.new.signup sends # an email and whatnot. # # Also, should we grab their photo from facebook? user = UserManager.new.signup(remote_ip: remote_ip(), first_name: auth_hash[:info][:first_name], last_name: auth_hash[:info][:last_name], email: auth_hash[:info][:email], timezone: current_timezone, affiliate_referral_id: cookies[:affiliate_visitor], origin: origin_cookie, facebook_click_id: cookies[:_fbc], facebook_browser_id: cookies[:_fbp]) # Users who sign up using oauth are presumed to have valid email adddresses. user.confirm_email! auth = user.user_authorizations.build :provider => auth_hash[:provider], :uid => auth_hash[:uid], :token => auth_hash[:credentials][:token], :token_expiration => Time.at(auth_hash[:credentials][:expires_at]) user.save complete_sign_in user end end # https://github.com/intridea/omniauth/wiki/Saving-User-Location def oauth_callback auth_hash = request.env['omniauth.auth'] provider = auth_hash[:provider] provider = provider.to_s provider.strip! if provider == 'google_login' elsif provider == 'stripe_connect' oauth_callback_stripe_connect(auth_hash) return elsif provider == 'twitter' @user_authorization = current_user.build_twitter_authorization(auth_hash) if !@user_authorization.save # this is a very poorly styled page, but it's better than a server error. # the only reason this happens is because some other account has authed this twitter acct render "twitter_oauth_failure" return end redirect_to request.env['omniauth.origin'] || '/' return elsif provider == 'facebook' fb_uid = auth_hash[:uid] token = auth_hash[:credentials][:token] token_expiration = Time.at(auth_hash[:credentials][:expires_at]) first_name = auth_hash[:extra][:raw_info][:first_name] last_name = auth_hash[:extra][:raw_info][:last_name] email = auth_hash[:extra][:raw_info][:email] gender = auth_hash[:extra][:raw_info][:gender] fb_signup = FacebookSignup.new fb_signup.uid = fb_uid fb_signup.token = token fb_signup.token_expires_at = token_expiration fb_signup.first_name = first_name fb_signup.last_name = last_name fb_signup.email = email if gender == 'male' fb_signup.gender = 'M' elsif gender == 'female' fb_signup.gender = 'F' end fb_signup.save! # see if we can find a SignupHint for a JamTrack; if so, bounce them back to the redeemComplete page to let them know we bought it if anonymous_user signup_hint = anonymous_user.signup_hint if signup_hint && signup_hint.redirect_location options = { first_name: first_name, last_name: last_name, email: email, terms_of_service: true, location: {:country => nil, :state => nil, :city => nil}, affiliate_referral_id: cookies[:affiliate_visitor], origin: origin_cookie, timezone: current_timezone, facebook_click_id: cookies[:_fbc], facebook_browser_id: cookies[:_fbp] } options = User.musician_defaults(request.remote_ip, ApplicationHelper.base_uri(request) + "/confirm", any_user, options) user = UserManager.new.signup(options) if user.errors.any? redirect_to signup_hint.redirect_location return end sign_in(user) new_user(user, signup_hint) redirect_to signup_hint.redirect_location return else redirect_to "#{signup_path}?facebook_signup=#{fb_signup.lookup_id}" return end else redirect_to "#{signup_path}?facebook_signup=#{fb_signup.lookup_id}" return end end if current_user.nil? render :nothing => true, :status => 404 return end authorization = UserAuthorization.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"]) # Always make and save a new authorization. This is because they expire, and honestly there's no cost # to just making and saving it. user_auth_hash = { :provider => auth_hash[:provider], :uid => auth_hash[:uid], :token => auth_hash[:credentials][:token], :refresh_token => auth_hash[:credentials][:refresh_token], :token_expiration => Time.at(auth_hash[:credentials][:expires_at]), :secret => auth_hash[:credentials][:secret] } if authorization.nil? authorization = current_user.user_authorizations.build(user_auth_hash) authorization.save else authorization.token = auth_hash[:credentials][:token] authorization.token_expiration = Time.at(auth_hash[:credentials][:expires_at]) authorization.save end render 'oauth_complete', :layout => "landing" end def oauth_callback_stripe_connect(auth_hash) if current_user.nil? redirect_to '/signin' return end # https://github.com/isaacsanders/omniauth-stripe-connect #request.env['omniauth.auth'] =begin { "provider"=>"stripe_connect", "uid"=>"", "info"=> { "scope"=>"read_write", # or "read_only" "livemode"=>false, "stripe_publishable_key"=>"", }, "credentials"=> { "token"=>"", "expires"=>false }, "extra"=> { "raw_info"=> { "token_type"=>"bearer", "stripe_user_id"=>"", "scope"=>"read_only", "stripe_publishable_key"=>"", "livemode"=>false } } } =end # puts "AUTH HASH #{auth_hash.inspect}" # AUTH HASH # # extra=#> # info=# provider="stripe_connect" uid="acct_17dIjBCHBELYys1s"> authorization = UserAuthorization.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"]) # Always make and save a new authorization. This is because they expire, and honestly there's no cost # to just making and saving it. user_auth_hash = { :provider => auth_hash[:provider], :uid => auth_hash[:uid], :token => auth_hash[:credentials][:token], :refresh_token => auth_hash[:credentials][:refresh_token], :token_expiration => auth_hash[:credentials][:expires], :secret => auth_hash[:credentials][:secret] } # 'false' just means really far into the future if !user_auth_hash[:token_expiration] user_auth_hash[:token_expiration] = Date.new(2050, 1, 1) else user_auth_hash[:token_expiration] = Time.at(user_auth_hash[:token_expiration]) end if authorization.nil? authorization = current_user.user_authorizations.build(user_auth_hash) authorization.save else authorization.token = auth_hash[:credentials][:token] authorization.token_expiration = Date.new(2050, 1, 1) authorization.save end # request.env['omniauth.origin'] redirect_to SignupHint.most_recent_redirect(current_user, '/client#/jamclass',{"stripe-success" => "true"}) end def has_google_auth render :json => {has_google_auth: (!!current_user && !!UserAuthorization.google_auth(current_user).first)} end def passthrough if params['stoken'] # should be a remember_me cookie. log them in and redirect user = User.find_by_remember_token(params['stoken']) if !user.nil? sign_in user end end redirect_after_signin('/') end def redirect_after_signin(default) redirect_to(params['redirect-to'].blank? ? default : params['redirect-to']) end def redirect_to_forums_after_signin redirect_to("#{Rails.application.config.vanilla_login_url}?client_id=#{Rails.application.config.vanilla_client_id}&Target=#{ERB::Util.url_encode(params[:send_back_to].blank? ? '/' : params[:send_back_to])}") end def redirect_to_support_after_signin(user) # generate multipass token and sign it multipass = DeskMultipass.new(user) callback_url = Rails.application.config.multipass_callback_url redirect_to "#{callback_url}?multipass=#{multipass.token}&signature=#{multipass.signature}" end def destroy # earlier, code here would delete the connection using client_id from cookies # however, we should never try to delete the client_id cookie (make it as permanent as possible) # also, because the client will stop heartbeating and close the connection to gateway, # in any case the server will notice after 10 seconds that the user is gone. # if we really want someone to know right away that the client is gone, then just make sure the client calls # leave session before it calls delete (VRFS-617 should solve that) sign_out redirect_to client_url end def failure strategy = params['strategy'] if strategy == 'stripe_connect' puts env['omniauth.error.type'] redirect_to SignupHint.most_recent_redirect(current_user, '/client#/jamclass', {"stripe-success" => "false"}) return end redirect_to request.query_parameters['origin'] || '/' end def connection_state if (defined?(TEST_CONNECT_STATES) && TEST_CONNECT_STATES) || 'development'==Rails.env @prefix = defined?(TEST_CONNECT_STATE_JS_LOG_PREFIX) ? TEST_CONNECT_STATE_JS_LOG_PREFIX : '*** ' render('connection_state', :layout => 'client') && return end render :nothing => true, :status => 404 end end