
- Refactored authentication_check_only.
- Replaced session[:request_type] with session[:persistent].

Thorsten Eckel 9 years ago
parent
commit
e91553d164

+ 49 - 70
app/controllers/application_controller.rb

@@ -98,122 +98,98 @@ class ApplicationController < ActionController::Base
   def authentication_check_only(auth_param)
 
     logger.debug 'authentication_check'
-    session[:request_type] = 1
     #logger.debug params.inspect
     #logger.debug session.inspect
     #logger.debug cookies.inspect
 
-    # check http basic auth
-    authenticate_with_http_basic do |username, password|
-      logger.debug 'http basic auth check'
-      session[:request_type] = 2
+    # already logged in, early exit
+    if session.id && session[:user_id]
+      userdata = User.find( session[:user_id] )
+      current_user_set(userdata)
 
-      userdata = User.authenticate( username, password )
-      message = ''
-      if !userdata
-        message = 'authentication failed'
-      end
+      return {
+        auth: true
+      }
+    end
 
-      # return auth ok
-      if message == ''
+    error_message = 'authentication failed'
 
-        # remember user
-        session[:user_id] = userdata.id
+    # check logon session
+    if params['logon_session']
+      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
 
-        # set basic auth user to current user
+      # set logon session user to current user
+      if logon_session
+        userdata = User.find( logon_session.data[:user_id] )
         current_user_set(userdata)
+
+        session[:persistent] = true
+
         return {
           auth: true
         }
       end
 
-      # return auth not ok
-      return {
-        auth: false,
-        message: message,
-      }
+      error_message = 'no valid session, user_id'
     end
 
-    # check logon session
-    if params['logon_session']
-      logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
-      if logon_session
-        userdata = User.find( logon_session.data[:user_id] )
-      end
+    # check sso
+    sso_userdata = User.sso(params)
+    if sso_userdata
 
-      session[:request_type] = 3
+      current_user_set(sso_userdata)
+
+      session[:persistent] = true
 
-      # set logon session user to current user
-      current_user_set(userdata)
       return {
         auth: true
       }
     end
 
-    # check sso
-    if !session[:user_id]
+    # check http basic auth
+    authenticate_with_http_basic do |username, password|
+      logger.debug "http basic auth check '#{username}'"
+
+      userdata = User.authenticate( username, password )
 
-      user = User.sso(params)
+      next if !userdata
 
-      # Log the authorizing user in.
-      if user
-        session[:user_id] = user.id
-      end
+      # set basic auth user to current user
+      current_user_set(userdata)
+      return {
+        auth: true
+      }
     end
 
     # check token
     if auth_param[:token_action]
-      authenticate_with_http_token do |token, options|
-        logger.debug 'token auth check'
-        session[:request_type] = 4
+      authenticate_with_http_token do |token, _options|
+        logger.debug "token auth check #{token}"
 
         userdata = Token.check(
           action: auth_param[:token_action],
           name: token,
         )
 
-        message = ''
-        if !userdata
-          message = 'authentication failed'
-        end
+        next if !userdata
 
-        # return auth ok
-        if message == ''
-
-          # remember user
-          session[:user_id] = userdata.id
-
-          # set token user to current user
-          current_user_set(userdata)
-          return {
-            auth: true
-          }
-        end
+        # set token user to current user
+        current_user_set(userdata)
 
-        # return auth not ok
         return {
-          auth: false,
-          message: message,
+          auth: true
         }
       end
     end
 
-    # return auth not ok (no session exists)
-    if !session[:user_id]
-      logger.debug 'no valid session, user_id'
-      message = 'no valid session, user_id'
-      return {
-        auth: false,
-        message: message,
-      }
-    end
-
+    logger.debug error_message
     {
-      auth: true
+      auth: false,
+      message: error_message,
     }
   end
 
-  def authentication_check( auth_param = { basic_auth_promt: false } )
+  def authentication_check( auth_param = {} )
     result = authentication_check_only(auth_param)
 
     # check if basic_auth fallback is possible
@@ -233,6 +209,9 @@ class ApplicationController < ActionController::Base
       return false
     end
 
+    # store current user id into the session
+    session[:user_id] = current_user.id
+
     # return auth ok
     true
   end
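Review bot: The new debug line `logger.debug "token auth check #{token}"` in the token branch writes the raw API token into the application log (and the basic-auth line now logs the username); the secret should not appear in the log call, e.g. keep `logger.debug 'token auth check'` as before. Separately, the early-exit branch `User.find( session[:user_id] )` and the logon-session branch `User.find( logon_session.data[:user_id] )` raise ActiveRecord::RecordNotFound for a session that references a deleted user, so the request ends in an error instead of the `auth: false` result; a `User.where(id: …).first` lookup with a nil check that falls through to `error_message` would be safer. The observer in app/models/observer/session.rb reads the stored data with a string key (`record.data['persistent']`), which suggests the symbol-key access `logon_session.data[:user_id]` here may return nil depending on how the session store serializes keys — worth confirming.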

+ 4 - 0
app/controllers/sessions_controller.rb

@@ -54,6 +54,10 @@ class SessionsController < ApplicationController
       #      )
     end
 
+    # sessions created via this
+    # controller are persistent
+    session[:persistent] = true
+
     # return new session data
     render  status: :created,
             json: {

+ 7 - 5
app/models/observer/session.rb

@@ -13,15 +13,17 @@ class Observer::Session < ActiveRecord::Observer
     check(record)
   end
 
+  # move the persistent attribute from the sub structure
+  # to the first level so it gets stored in the database
+  # column to make the cleanup lookup more performant
   def check(record)
     return if !record.data
-    return if record[:request_type]
+    return if record[:persistent]
 
-    # remember request type
-    return if !record.data['request_type']
+    return if !record.data['persistent']
 
-    record[:request_type] = record.data['request_type']
-    record.data.delete('request_type')
+    record[:persistent] = record.data['persistent']
+    record.data.delete('persistent')
   end
 
 end

+ 24 - 0
db/migrate/20150623145511_session_changes.rb

@@ -0,0 +1,24 @@
+class SessionChanges < ActiveRecord::Migration
+  def up
+
+    ActiveRecord::SessionStore::Session.delete_all
+
+    remove_index :sessions, :request_type
+    remove_column :sessions, :request_type
+
+    add_column :sessions, :persistent, :boolean, null: true
+    add_index :sessions, :persistent
+  end
+
+  def down
+
+    ActiveRecord::SessionStore::Session.delete_all
+
+    remove_index :sessions, :persistent
+    remove_column :sessions, :persistent
+
+    add_column :sessions, :request_type, :integer, null: true
+    add_index :sessions, :request_type
+  end
+
+end
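Review bot: Both `up` and `down` call `ActiveRecord::SessionStore::Session.delete_all`, which ends every active session in either direction of the migration, and the file does not say that this is intended. A comment above the first call would make the operational impact explicit, e.g. `# existing rows carry the old request_type layout; all sessions are dropped (every user must log in again) before the column swap`.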

+ 1 - 1
lib/session_helper.rb

@@ -29,7 +29,7 @@ module SessionHelper
   def self.cleanup_expired
 
     # delete temp. sessions
-    ActiveRecord::SessionStore::Session.where('request_type IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
+    ActiveRecord::SessionStore::Session.where('persistent IS NULL AND updated_at < ?', Time.zone.now - 1.days ).delete_all
 
     # web sessions older the x days
     ActiveRecord::SessionStore::Session.where('updated_at < ?', Time.zone.now - 90.days ).delete_all
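Review bot: The temporary-session cleanup still keys on `persistent IS NULL`, but the migration adds `persistent` as a nullable boolean, so a row holding `false` would not be treated as temporary here and would survive until the 90-day rule. The observer currently copies only a truthy value into the column, so this cannot happen today, but the query would be more robust as `where('(persistent IS NULL OR persistent = ?) AND updated_at < ?', false, Time.zone.now - 1.days)`. cleanup_expired continues past the end of the hunk.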