nyastodon/app/controllers/auth/sessions_controller.rb

# frozen_string_literal: true

class Auth::SessionsController < Devise::SessionsController
  include Devise::Controllers::Rememberable

  layout 'auth'

  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :check_suspension, only: [:destroy]
  prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]
  prepend_before_action :set_pack
  before_action :set_instance_presenter, only: [:new]

  def create
    super do |resource|
      remember_me(resource)
      flash.delete(:notice)
    end
  end

  def destroy
    super
    flash.delete(:notice)
  end

  protected

  def find_user
    if session[:otp_user_id]
      User.find(session[:otp_user_id])
    elsif user_params[:email]
      User.find_for_authentication(email: user_params[:email])
    end
  end

  def user_params
    params.require(:user).permit(:email, :password, :otp_attempt)
  end

  def after_sign_in_path_for(resource)
    last_url = stored_location_for(:user)

    if home_paths(resource).include?(last_url)
      root_path
    else
      last_url || root_path
    end
  end

  def two_factor_enabled?
    find_user.try(:otp_required_for_login?)
  end

  def valid_otp_attempt?(user)
    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  rescue OpenSSL::Cipher::CipherError => _error
    false
  end

  def authenticate_with_two_factor
    user = self.resource = find_user

    if user_params[:otp_attempt].present? && session[:otp_user_id]
      authenticate_with_two_factor_via_otp(user)
    elsif user&.valid_password?(user_params[:password])
      prompt_for_two_factor(user)
    end
  end

  def authenticate_with_two_factor_via_otp(user)
    if valid_otp_attempt?(user)
      session.delete(:otp_user_id)
      remember_me(user)
      sign_in(user)
    else
      flash.now[:alert] = I18n.t('users.invalid_otp_token')
      prompt_for_two_factor(user)
    end
  end

  def prompt_for_two_factor(user)
    session[:otp_user_id] = user.id
    render :two_factor
  end

  private

  def set_pack
    use_pack 'auth'
  end

  def set_instance_presenter
    @instance_presenter = InstancePresenter.new
  end

  def home_paths(resource)
    paths = [about_path]
    if single_user_mode? && resource.is_a?(User)
      paths << short_account_path(username: resource.account)
    end
    paths
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00			`# frozen_string_literal: true`

Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`class Auth::SessionsController < Devise::SessionsController`
Remember me enabled by default 2016-03-28 00:06:52 +02:00			`include Devise::Controllers::Rememberable`

Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`layout 'auth'`
Remember me enabled by default 2016-03-28 00:06:52 +02:00
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`skip_before_action :require_no_authentication, only: [:create]`
Auth sign out (#2511) * Add a spec for signing out * Add spec showing that suspended user gets a 403 forbidden on sign out * Allow suspended account users to sign out 2017-05-02 23:37:58 +02:00			`skip_before_action :check_suspension, only: [:destroy]`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]`
Set packs on 2FA-related pages. Fixes #271. Specifically, this commit: - changes S::TFA::{Confirmations,RecoveryCodes}Controller to derive from S::BaseController, because this gives us the necessary actions and packs - prepends set_pack to Auth::SessionsController's action chain so that it takes effect in time for render :two_factor 2017-12-20 10:15:54 +01:00			`prepend_before_action :set_pack`
sign_in and sign_up views present og meta infos (#5308) 2017-10-11 00:52:25 +02:00			`before_action :set_instance_presenter, only: [:new]`
Added optional two-factor authentication 2017-01-27 20:28:46 +01:00
Remember me enabled by default 2016-03-28 00:06:52 +02:00			`def create`
			`super do \|resource\|`
			`remember_me(resource)`
Fix empty flash message on the settings page (#3345) 2017-05-27 13:04:28 +02:00			`flash.delete(:notice)`
Remember me enabled by default 2016-03-28 00:06:52 +02:00			`end`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`def destroy`
			`super`
Fix empty flash message on the settings page (#3345) 2017-05-27 13:04:28 +02:00			`flash.delete(:notice)`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`end`

Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`protected`

Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`def find_user`
			`if session[:otp_user_id]`
			`User.find(session[:otp_user_id])`
			`elsif user_params[:email]`
Make sure email is case insensitive on all places (#3688) When case insensitivity is enabled via devise's `config.case_insensitive_keys` then `.find_for_authentication` method needs to be used instead of `.find_by` because second mentioned returns `nil` when valid email with different cases is passed. More info https://github.com/plataformatec/devise/wiki/How-To:-Use-case-insensitive-emails 2017-06-11 02:29:08 +02:00			`User.find_for_authentication(email: user_params[:email])`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`end`
			`end`

			`def user_params`
			`params.require(:user).permit(:email, :password, :otp_attempt)`
Added optional two-factor authentication 2017-01-27 20:28:46 +01:00			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`def after_sign_in_path_for(resource)`
Adding e-mail confirmations 2016-10-03 16:38:22 +02:00			`last_url = stored_location_for(:user)`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`if home_paths(resource).include?(last_url)`
Adding e-mail confirmations 2016-10-03 16:38:22 +02:00			`root_path`
			`else`
			`last_url \|\| root_path`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`end`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00
			`def two_factor_enabled?`
			`find_user.try(:otp_required_for_login?)`
			`end`

			`def valid_otp_attempt?(user)`
Add recovery code support for two-factor auth (#1773) * Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names 2017-04-15 13:26:03 +02:00			`user.validate_and_consume_otp!(user_params[:otp_attempt]) \|\|`
			`user.invalidate_otp_backup_code!(user_params[:otp_attempt])`
Fix Rubocop offences (#2630) * disable Bundler/OrderedGems * fix rubocop Lint/UselessAssignment * fix rubocop Style/BlockDelimiters * fix rubocop Style/AlignHash * fix rubocop Style/AlignParameters, Style/EachWithObject * fix rubocop Style/SpaceInLambdaLiteral 2017-05-01 16:31:02 +02:00			`rescue OpenSSL::Cipher::CipherError => _error`
Catch error when server decryption fails on 2FA (#2512) 2017-04-27 15:18:21 +02:00			`false`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`end`

			`def authenticate_with_two_factor`
			`user = self.resource = find_user`

			`if user_params[:otp_attempt].present? && session[:otp_user_id]`
			`authenticate_with_two_factor_via_otp(user)`
Fix some rubocop style issues (#5730) 2017-11-17 02:06:26 +01:00			`elsif user&.valid_password?(user_params[:password])`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`prompt_for_two_factor(user)`
			`end`
			`end`

			`def authenticate_with_two_factor_via_otp(user)`
			`if valid_otp_attempt?(user)`
			`session.delete(:otp_user_id)`
			`remember_me(user)`
			`sign_in(user)`
			`else`
			`flash.now[:alert] = I18n.t('users.invalid_otp_token')`
			`prompt_for_two_factor(user)`
			`end`
			`end`

			`def prompt_for_two_factor(user)`
			`session[:otp_user_id] = user.id`
			`render :two_factor`
			`end`
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00
			`private`

Finalized theme loading and stuff 2017-11-21 07:13:37 +01:00			`def set_pack`
			`use_pack 'auth'`
			`end`

sign_in and sign_up views present og meta infos (#5308) 2017-10-11 00:52:25 +02:00			`def set_instance_presenter`
			`@instance_presenter = InstancePresenter.new`
			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`def home_paths(resource)`
			`paths = [about_path]`
			`if single_user_mode? && resource.is_a?(User)`
			`paths << short_account_path(username: resource.account)`
			`end`
			`paths`
			`end`
Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`end`