tootlab-mastodon/app/controllers/auth/sessions_controller.rb

# frozen_string_literal: true

class Auth::SessionsController < Devise::SessionsController
  include Devise::Controllers::Rememberable

  layout 'auth'

  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :check_suspension, only: [:destroy]
  prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]
  before_action :set_instance_presenter, only: [:new]
  before_action :set_body_classes

  def new
    Devise.omniauth_configs.each do |provider, config|
      return redirect_to(omniauth_authorize_path(resource_name, provider)) if config.strategy.redirect_at_sign_in
    end

    super
  end

  def create
    super do |resource|
      remember_me(resource)
      flash.delete(:notice)
    end
  end

  def destroy
    super
    flash.delete(:notice)
  end

  protected

  def find_user
    if session[:otp_user_id]
      User.find(session[:otp_user_id])
    elsif user_params[:email]
      if use_seamless_external_login? && Devise.check_at_sign && user_params[:email].index('@').nil?
        User.joins(:account).find_by(accounts: { username: user_params[:email] })
      else
        User.find_for_authentication(email: user_params[:email])
      end
    end
  end

  def user_params
    params.require(:user).permit(:email, :password, :otp_attempt)
  end

  def after_sign_in_path_for(resource)
    last_url = stored_location_for(:user)

    if home_paths(resource).include?(last_url)
      root_path
    else
      last_url || root_path
    end
  end

  def after_sign_out_path_for(_resource_or_scope)
    Devise.omniauth_configs.each_value do |config|
      return root_path if config.strategy.redirect_at_sign_in
    end

    super
  end

  def two_factor_enabled?
    find_user.try(:otp_required_for_login?)
  end

  def valid_otp_attempt?(user)
    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  rescue OpenSSL::Cipher::CipherError => _error
    false
  end

  def authenticate_with_two_factor
    user = self.resource = find_user

    if user_params[:otp_attempt].present? && session[:otp_user_id]
      authenticate_with_two_factor_via_otp(user)
    elsif user&.valid_password?(user_params[:password])
      prompt_for_two_factor(user)
    end
  end

  def authenticate_with_two_factor_via_otp(user)
    if valid_otp_attempt?(user)
      session.delete(:otp_user_id)
      remember_me(user)
      sign_in(user)
    else
      flash.now[:alert] = I18n.t('users.invalid_otp_token')
      prompt_for_two_factor(user)
    end
  end

  def prompt_for_two_factor(user)
    session[:otp_user_id] = user.id
    render :two_factor
  end

  private

  def set_instance_presenter
    @instance_presenter = InstancePresenter.new
  end

  def set_body_classes
    @body_classes = 'lighter'
  end

  def home_paths(resource)
    paths = [about_path]
    if single_user_mode? && resource.is_a?(User)
      paths << short_account_path(username: resource.account)
    end
    paths
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 10:56:29 -05:00			`# frozen_string_literal: true`

Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`class Auth::SessionsController < Devise::SessionsController`
Remember me enabled by default 2016-03-27 18:06:52 -04:00			`include Devise::Controllers::Rememberable`

Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`layout 'auth'`
Remember me enabled by default 2016-03-27 18:06:52 -04:00
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`skip_before_action :require_no_authentication, only: [:create]`
Auth sign out (#2511) * Add a spec for signing out * Add spec showing that suspended user gets a 403 forbidden on sign out * Allow suspended account users to sign out 2017-05-02 17:37:58 -04:00			`skip_before_action :check_suspension, only: [:destroy]`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]`
sign_in and sign_up views present og meta infos (#5308) 2017-10-10 18:52:25 -04:00			`before_action :set_instance_presenter, only: [:new]`
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-30 19:14:33 -04:00			`before_action :set_body_classes`
Added optional two-factor authentication 2017-01-27 14:28:46 -05:00
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-22 19:16:17 -05:00			`def new`
			`Devise.omniauth_configs.each do \|provider, config\|`
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 05:18:26 -05:00			`return redirect_to(omniauth_authorize_path(resource_name, provider)) if config.strategy.redirect_at_sign_in`
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-22 19:16:17 -05:00			`end`
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 05:18:26 -05:00
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-22 19:16:17 -05:00			`super`
			`end`

Remember me enabled by default 2016-03-27 18:06:52 -04:00			`def create`
			`super do \|resource\|`
			`remember_me(resource)`
Fix empty flash message on the settings page (#3345) 2017-05-27 07:04:28 -04:00			`flash.delete(:notice)`
Remember me enabled by default 2016-03-27 18:06:52 -04:00			`end`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 17:55:21 -04:00
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`def destroy`
			`super`
Fix empty flash message on the settings page (#3345) 2017-05-27 07:04:28 -04:00			`flash.delete(:notice)`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`end`

Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 17:55:21 -04:00			`protected`

Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`def find_user`
			`if session[:otp_user_id]`
			`User.find(session[:otp_user_id])`
			`elsif user_params[:email]`
Fix #942: Seamless LDAP login (#6556) 2018-02-28 13:04:53 -05:00			`if use_seamless_external_login? && Devise.check_at_sign && user_params[:email].index('@').nil?`
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style 2018-02-02 04:18:55 -05:00			`User.joins(:account).find_by(accounts: { username: user_params[:email] })`
			`else`
			`User.find_for_authentication(email: user_params[:email])`
			`end`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`end`
			`end`

			`def user_params`
			`params.require(:user).permit(:email, :password, :otp_attempt)`
Added optional two-factor authentication 2017-01-27 14:28:46 -05:00			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 08:14:03 -04:00			`def after_sign_in_path_for(resource)`
Adding e-mail confirmations 2016-10-03 10:38:22 -04:00			`last_url = stored_location_for(:user)`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 08:14:03 -04:00			`if home_paths(resource).include?(last_url)`
Adding e-mail confirmations 2016-10-03 10:38:22 -04:00			`root_path`
			`else`
			`last_url \|\| root_path`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 17:55:21 -04:00			`end`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 05:18:26 -05:00			`def after_sign_out_path_for(_resource_or_scope)`
			`Devise.omniauth_configs.each_value do \|config\|`
			`return root_path if config.strategy.redirect_at_sign_in`
			`end`

			`super`
			`end`

Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`def two_factor_enabled?`
			`find_user.try(:otp_required_for_login?)`
			`end`

			`def valid_otp_attempt?(user)`
Add recovery code support for two-factor auth (#1773) * Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names 2017-04-15 07:26:03 -04:00			`user.validate_and_consume_otp!(user_params[:otp_attempt]) \|\|`
			`user.invalidate_otp_backup_code!(user_params[:otp_attempt])`
Fix Rubocop offences (#2630) * disable Bundler/OrderedGems * fix rubocop Lint/UselessAssignment * fix rubocop Style/BlockDelimiters * fix rubocop Style/AlignHash * fix rubocop Style/AlignParameters, Style/EachWithObject * fix rubocop Style/SpaceInLambdaLiteral 2017-05-01 10:31:02 -04:00			`rescue OpenSSL::Cipher::CipherError => _error`
Catch error when server decryption fails on 2FA (#2512) 2017-04-27 09:18:21 -04:00			`false`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`end`

			`def authenticate_with_two_factor`
			`user = self.resource = find_user`

			`if user_params[:otp_attempt].present? && session[:otp_user_id]`
			`authenticate_with_two_factor_via_otp(user)`
Fix some rubocop style issues (#5730) 2017-11-16 20:06:26 -05:00			`elsif user&.valid_password?(user_params[:password])`
Split 2FA login into two prompts 2017-01-28 14:43:38 -05:00			`prompt_for_two_factor(user)`
			`end`
			`end`

			`def authenticate_with_two_factor_via_otp(user)`
			`if valid_otp_attempt?(user)`
			`session.delete(:otp_user_id)`
			`remember_me(user)`
			`sign_in(user)`
			`else`
			`flash.now[:alert] = I18n.t('users.invalid_otp_token')`
			`prompt_for_two_factor(user)`
			`end`
			`end`

			`def prompt_for_two_factor(user)`
			`session[:otp_user_id] = user.id`
			`render :two_factor`
			`end`
Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 08:14:03 -04:00
			`private`

sign_in and sign_up views present og meta infos (#5308) 2017-10-10 18:52:25 -04:00			`def set_instance_presenter`
			`@instance_presenter = InstancePresenter.new`
			`end`

Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-30 19:14:33 -04:00			`def set_body_classes`
			`@body_classes = 'lighter'`
			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 08:14:03 -04:00			`def home_paths(resource)`
			`paths = [about_path]`
			`if single_user_mode? && resource.is_a?(User)`
			`paths << short_account_path(username: resource.account)`
			`end`
			`paths`
			`end`
Customizing devise views and controllers 2016-03-05 16:43:05 -05:00			`end`