

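module AuthenticationHelper
  # Create a new Session and set the relevant cookies.
  #
  # @param user [User] the user being logged in
  # @param remember [Integer, Boolean] 1 when the user asked to be remembered
  #   (compared with `== 1` exactly, so 0 — which is truthy in Ruby — means
  #   "do not remember"); any other value gives a plain 6-hour session
  # @param new_session [Boolean] false when an existing Session is being
  #   re-used (the remember-token path in logged_in?) and no row must be created
  # @return [void]
  def log_in(user, remember, new_session = true)
    # Drop the pre-login session so an id fixed before authentication is not
    # carried over into the authenticated one.
    reset_session
    expiry = 6.hours.since
    session[:user_id] = user.id
    session[:expires] = expiry
    return unless new_session

    remember_me = remember == 1
    token = nil
    if remember_me
      token = Session.new_token
      expiry = 1.year.since
      cookies.signed.permanent[:remember_token] = { value: token, httponly: true }
      cookies.signed.permanent[:user_id] = { value: user.id, httponly: true }
    end
    @user_session = Session.create!(
      user: user,
      ip: request.remote_ip,
      expires: expiry,
      # Only the digest is persisted; the raw token lives in the signed cookie.
      remember_digest: token ? Session.digest(token) : nil
    )
    # Same predicate as above. The original tested `if remember` here, which is
    # true for the integer 0 and would store a permanent session_id cookie for
    # a user who declined to be remembered.
    if remember_me
      cookies.signed.permanent[:session_id] = { value: @user_session.id, httponly: true }
    else
      session[:session_id] = @user_session.id
    end
  end

  # Determine whether the user is logged in, and if so, disable the Session, then flush session cookies.
  #
  # @param session_broken [Boolean] true when called from user_session because
  #   the Session row no longer exists; skips the lookup to avoid recursion
  # @return [void]
  def log_out(session_broken: false)
    unless session_broken
      # Deactivate the server-side row whenever it can be found, not only when
      # it still passes logged_in?: an expired-but-active row has no use once
      # the user asked to log out.
      user_session&.update!(active: false)
    end
    cookies.delete(:user_id)
    cookies.delete(:remember_token)
    cookies.delete(:session_id)
    reset_session
  end

  # Determine whether the current request is from a user with a non-expired session.
  # Makes @user_session available as a side effect if the user is not.
  #
  # @return [Boolean]
  def logged_in?
    # Case 1: User has an active session inside the cookie.
    # We verify that the session hasn't expired yet.
    return cookie_session_valid? if session[:user_id] && session[:expires]&.to_datetime&.future?

    # Case 2: User is returning and has a remember token saved.
    # We get the Session, check the token and expiry, and log the user in.
    return false unless remember_cookies_present? && remember_token_valid?

    log_in @user_session.user, false, false
    true
  end

  # Get the Session object representing the current user's session.
  #
  # The lookup is memoized in @user_session. The id comes from the permanent
  # session_id cookie or, failing that, from the session store.
  #
  # @return [Session, nil] nil when no id was presented or no row matches
  def user_session
    unless @user_session
      id = cookies.signed.permanent[:session_id] || session[:session_id]
      @user_session = Session.find_by(id: id) if id
      # Edge case if a session no longer exists in the database: only a
      # presented-but-unknown id means the client holds stale cookies. The
      # original also called log_out when no id was present at all, which
      # reset the session of every anonymous visitor on each lookup.
      log_out(session_broken: true) if id && !@user_session
    end
    @user_session
  end

  # @return [User, nil] the user owning the current Session, if any
  def current_user
    user_session&.user
  end

  # @return [Person, nil] the person record of the current user, if any
  def current_person
    current_user&.person
  end

  # Redirect to the login form unless the request is authenticated.
  #
  # @return [Boolean] true when the request may proceed, false after redirecting
  def require_login!
    unless logged_in?
      flash_message(:warning, I18n.t('authentication.login_required'))
      redirect_to controller: 'authentication', action: 'login_form'
      return false
    end
    # A logged-in user without a person record used to raise here — TODO
    # confirm whether that can happen; the safe navigation only avoids the 500.
    Raven.user_context(
      user_firstname: current_person&.first_name
    )
    true
  end

  # Redirect non-admins to the dashboard.
  #
  # @return [void]
  def require_admin!
    # Fail closed: no person (not logged in) is treated as "not admin" rather
    # than raising NoMethodError on nil.
    return if current_person&.is_admin?

    flash_message(:danger, I18n.t('authentication.admin_required'))
    redirect_to '/dashboard'
  end

  private

  # Case 1 of logged_in?: the session store names a user and has not expired;
  # the Session row must still be active and not past its own expiry.
  #
  # @return [Boolean]
  def cookie_session_valid?
    user_session
    # user_session returns nil when the row is gone (and has already flushed
    # the cookies); the original dereferenced nil here.
    return false unless @user_session

    @user_session.active && !@user_session.expires.past?
  end

  # @return [Boolean] true when all three signed remember cookies are present
  def remember_cookies_present?
    %i[remember_token user_id session_id].all? { |key| cookies.signed.permanent[key] }
  end

  # Case 2 of logged_in?: the presented remember token must match the digest of
  # a still-active, unexpired Session.
  #
  # @return [Boolean]
  def remember_token_valid?
    user_session
    return false if @user_session.nil? || @user_session.remember_digest.nil?
    # Case 1 rejects deactivated rows but the original Case 2 did not, so a
    # captured copy of the remember cookies still passed here once after
    # log_out had set active: false.
    return false unless @user_session.active && @user_session.expires.future?

    # BCrypt::Password#== performs the bcrypt comparison of the raw token
    # against the stored digest.
    BCrypt::Password.new(@user_session.remember_digest) == cookies.signed.permanent[:remember_token]
  end
end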