199 lines
7.0 KiB
Ruby
199 lines
7.0 KiB
Ruby
# this is not a jam session - this is an 'auth session'
|
|
class SessionsController < ApplicationController
|
|
|
|
layout "web"
|
|
|
|
def signin
|
|
@login_error = false
|
|
@sso = params[:sso]
|
|
@send_back_to = request.headers['REFERER']
|
|
params[:send_back_to] = @send_back_to
|
|
|
|
if current_user
|
|
# send them on their way
|
|
complete_sign_in(current_user)
|
|
return
|
|
end
|
|
|
|
render :layout => "landing"
|
|
end
|
|
|
|
def create
|
|
user = User.authenticate(params[:session][:email], params[:session][:password])
|
|
|
|
if user.nil?
|
|
@login_error = true
|
|
@sso = params[:sso]
|
|
@send_back_to = params[:send_back_to]
|
|
render 'signin', :layout => "landing"
|
|
else
|
|
|
|
if jkclient_agent?
|
|
user.update_progression_field(:first_ran_client_at)
|
|
end
|
|
|
|
@session_only_cookie = !jkclient_agent? && !params[:user].nil? && 0 == params[:user][:remember_me].to_i
|
|
complete_sign_in user
|
|
end
|
|
end
|
|
|
|
|
|
# OAuth docs
|
|
# http://net.tutsplus.com/tutorials/ruby/how-to-use-omniauth-to-authenticate-your-users/
|
|
def create_oauth
|
|
auth_hash = request.env['omniauth.auth']
|
|
authorization = UserAuthorization.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"])
|
|
if authorization
|
|
# Sign in for a user who has already registered.
|
|
complete_sign_in authorization.user
|
|
else
|
|
# Sign up for a completely new user.
|
|
# First/last name: auth_hash["info"]["first_name"] and auth_hash["info"]["last_name"]
|
|
# token: auth_hash["credentials"]["token"] -- "expires_at"
|
|
#
|
|
# For debugging - to see what all is there:
|
|
# render :text => auth_hash.to_yaml
|
|
#FbGraph.debug!
|
|
token = auth_hash[:credentials][:token]
|
|
|
|
# FIXME:
|
|
# This should probably be in a transaction somehow, meaning the user
|
|
# create and the authorization create. Concern is UserManager.new.signup sends
|
|
# an email and whatnot.
|
|
#
|
|
# Also, should we grab their photo from facebook?
|
|
user = UserManager.new.signup(remote_ip: remote_ip(),
|
|
first_name: auth_hash[:info][:first_name],
|
|
last_name: auth_hash[:info][:last_name],
|
|
email: auth_hash[:info][:email])
|
|
|
|
# Users who sign up using oauth are presumed to have valid email adddresses.
|
|
user.confirm_email!
|
|
|
|
auth = user.user_authorizations.build :provider => auth_hash[:provider],
|
|
:uid => auth_hash[:uid],
|
|
:token => auth_hash[:credentials][:token],
|
|
:token_expiration => Time.at(auth_hash[:credentials][:expires_at])
|
|
user.save
|
|
complete_sign_in user
|
|
end
|
|
end
|
|
|
|
|
|
# https://github.com/intridea/omniauth/wiki/Saving-User-Location
|
|
def oauth_callback
|
|
|
|
auth_hash = request.env['omniauth.auth']
|
|
|
|
provider = auth_hash[:provider]
|
|
|
|
if provider == 'twitter'
|
|
@user_authorization = current_user.build_twitter_authorization(auth_hash)
|
|
if !@user_authorization.save
|
|
# this is a very poorly styled page, but it's better than a server error.
|
|
# the only reason this happens is because some other account has authed this twitter acct
|
|
render "twitter_oauth_failure"
|
|
return
|
|
end
|
|
|
|
redirect_to request.env['omniauth.origin'] || '/'
|
|
return
|
|
elsif provider == 'facebook'
|
|
fb_uid = auth_hash[:uid]
|
|
token = auth_hash[:credentials][:token]
|
|
token_expiration = Time.at(auth_hash[:credentials][:expires_at])
|
|
first_name = auth_hash[:extra][:raw_info][:first_name]
|
|
last_name = auth_hash[:extra][:raw_info][:last_name]
|
|
email = auth_hash[:extra][:raw_info][:email]
|
|
gender = auth_hash[:extra][:raw_info][:gender]
|
|
|
|
fb_signup = FacebookSignup.new
|
|
fb_signup.uid = fb_uid
|
|
fb_signup.token = token
|
|
fb_signup.token_expires_at = token_expiration
|
|
fb_signup.first_name = first_name
|
|
fb_signup.last_name = last_name
|
|
fb_signup.email = email
|
|
if gender == 'male'
|
|
fb_signup.gender = 'M'
|
|
elsif gender == 'female'
|
|
fb_signup.gender = 'F'
|
|
end
|
|
fb_signup.save!
|
|
|
|
redirect_to "#{signup_path}?facebook_signup=#{fb_signup.lookup_id}"
|
|
return
|
|
end
|
|
|
|
if current_user.nil?
|
|
render :nothing => true, :status => 404
|
|
return
|
|
end
|
|
|
|
#authorization = UserAuthorization.find_by_provider_and_uid(auth_hash["provider"], auth_hash["uid"])
|
|
|
|
# Always make and save a new authorization. This is because they expire, and honestly there's no cost
|
|
# to just making and saving it.
|
|
#if authorization.nil?
|
|
authorization = current_user.user_authorizations.build :provider => auth_hash[:provider],
|
|
:uid => auth_hash[:uid],
|
|
:token => auth_hash[:credentials][:token],
|
|
:token_expiration => Time.at(auth_hash[:credentials][:expires_at])
|
|
authorization.save
|
|
#end
|
|
|
|
render 'oauth_complete', :layout => "landing"
|
|
end
|
|
|
|
def redirect_after_signin(default)
|
|
redirect_to(params['redirect-to'].blank? ? default : params['redirect-to'])
|
|
end
|
|
|
|
def redirect_to_forums_after_signin
|
|
redirect_to("#{Rails.application.config.vanilla_login_url}?client_id=#{Rails.application.config.vanilla_client_id}&Target=#{ERB::Util.url_encode(params[:send_back_to].blank? ? '/' : params[:send_back_to])}")
|
|
end
|
|
|
|
def redirect_to_support_after_signin(user)
|
|
# generate multipass token and sign it
|
|
multipass = DeskMultipass.new(user)
|
|
callback_url = Rails.application.config.multipass_callback_url
|
|
redirect_to "#{callback_url}?multipass=#{multipass.token}&signature=#{multipass.signature}"
|
|
end
|
|
|
|
def complete_sign_in(user)
|
|
sign_in user
|
|
|
|
if params[:sso] == "desk"
|
|
redirect_to_support_after_signin(user)
|
|
elsif params[:sso] == 'forums'
|
|
redirect_to_forums_after_signin
|
|
else
|
|
redirect_after_signin(client_path)
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
# earlier, code here would delete the connection using client_id from cookies
|
|
# however, we should never try to delete the client_id cookie (make it as permanent as possible)
|
|
# also, because the client will stop heartbeating and close the connection to gateway,
|
|
# in any case the server will notice after 10 seconds that the user is gone.
|
|
# if we really want someone to know right away that the client is gone, then just make sure the client calls
|
|
# leave session before it calls delete (VRFS-617 should solve that)
|
|
sign_out
|
|
redirect_to client_url
|
|
end
|
|
|
|
def failure
|
|
redirect_to request.query_parameters['origin'] || '/'
|
|
end
|
|
|
|
def connection_state
|
|
if (defined?(TEST_CONNECT_STATES) && TEST_CONNECT_STATES) || 'development'==Rails.env
|
|
@prefix = defined?(TEST_CONNECT_STATE_JS_LOG_PREFIX) ? TEST_CONNECT_STATE_JS_LOG_PREFIX : '*** '
|
|
render('connection_state', :layout => 'client') && return
|
|
end
|
|
render :nothing => true, :status => 404
|
|
end
|
|
|
|
end
|