Prepare for API v1 (PR #570)

2018-10-13 20:16:35 +02:00 · 2018-10-13 20:16:35 +02:00 · fd96b6ccc1
commit fd96b6ccc1
parent d9ae0d11b0
21 changed files with 536 additions and 217 deletions
--- a/app/controllers/concerns/auth.rb
+++ b/app/controllers/concerns/auth.rb
@ -0,0 +1,148 @@
+# Controller concern for authentication methods
+#
+# Split off from main +ApplicationController+ to allow e.g.
+# Doorkeeper to use it too.
+module Concerns::Auth
+  extend ActiveSupport::Concern
+
+  protected
+
+  def current_user
+    # check if there is a valid session and return the logged-in user (its object)
+    if session[:user_id] && params[:foodcoop]
+      # for shared-host installations. check if the cookie-subdomain fits to request.
+      @current_user ||= User.undeleted.find_by_id(session[:user_id]) if session[:scope] == FoodsoftConfig.scope
+    end
+  end
+
+  def deny_access
+    session[:return_to] = request.original_url
+    redirect_to root_url, alert: I18n.t('application.controller.error_denied', sign_in: ActionController::Base.helpers.link_to(t('application.controller.error_denied_sign_in'), login_path))
+  end
+
+  private
+
+  def login(user)
+    session[:user_id] = user.id
+    session[:scope] = FoodsoftConfig.scope  # Save scope in session to not allow switching between foodcoops with one account
+    session[:locale] = user.locale
+  end
+
+  def login_and_redirect_to_return_to(user, *args)
+    login user
+    if session[:return_to].present?
+      redirect_to_url = session[:return_to]
+      session[:return_to] = nil
+    else
+      redirect_to_url = root_url
+    end
+    redirect_to redirect_to_url, *args
+  end
+
+  def logout
+    session[:user_id] = nil
+    session[:return_to] = nil
+    expire_access_tokens
+  end
+
+  def authenticate(role = 'any')
+    # Attempt to retrieve authenticated user from controller instance or session...
+    if !current_user
+      # No user at all: redirect to login page.
+      logout
+      session[:return_to] = request.original_url
+      redirect_to_login :alert => I18n.t('application.controller.error_authn')
+    else
+      # We have an authenticated user, now check role...
+      # Roles gets the user through his memberships.
+      hasRole = case role
+      when 'admin'             then current_user.role_admin?
+      when 'finance'           then current_user.role_finance?
+      when 'article_meta'      then current_user.role_article_meta?
+      when 'pickups'           then current_user.role_pickups?
+      when 'suppliers'         then current_user.role_suppliers?
+      when 'orders'            then current_user.role_orders?
+      when 'finance_or_orders' then (current_user.role_finance? || current_user.role_orders?)
+      when 'pickups_or_orders' then (current_user.role_pickups? || current_user.role_orders?)
+      when 'any'               then true  # no role required
+      else false                          # any unknown role will always fail
+      end
+      if hasRole
+        current_user
+      else
+        deny_access
+      end
+    end
+  end
+
+  def authenticate_admin
+    authenticate('admin')
+  end
+
+  def authenticate_finance
+    authenticate('finance')
+  end
+
+  def authenticate_article_meta
+    authenticate('article_meta')
+  end
+
+  def authenticate_pickups
+    authenticate('pickups')
+  end
+
+  def authenticate_suppliers
+    authenticate('suppliers')
+  end
+
+  def authenticate_orders
+    authenticate('orders')
+  end
+
+  def authenticate_finance_or_orders
+    authenticate('finance_or_orders')
+  end
+
+  def authenticate_pickups_or_orders
+    authenticate('pickups_or_orders')
+  end
+
+  # checks if the current_user is member of given group.
+  # if fails the user will redirected to startpage
+  def authenticate_membership_or_admin(group_id = params[:id])
+    @group = Group.find(group_id)
+    unless @group.member?(@current_user) || @current_user.role_admin?
+      redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
+    end
+  end
+
+  def authenticate_or_token(prefix, role = 'any')
+    if not params[:token].blank?
+      begin
+        TokenVerifier.new(prefix).verify(params[:token])
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
+        redirect_to root_path, alert: I18n.t('application.controller.error_token')
+      end
+    else
+      authenticate(role)
+    end
+  end
+
+  # Expires any access tokens for the current user (unless they have the 'offline_access' scope)
+  # @see https://github.com/doorkeeper-gem/doorkeeper/issues/71#issuecomment-5471317
+  def expire_access_tokens
+    return unless @current_user
+    Doorkeeper::AccessToken.transaction do
+      token_scope = Doorkeeper::AccessToken.where(revoked_at: nil, resource_owner_id: @current_user.id)
+      token_scope.each do |token|
+        token.destroy! unless token.scopes.include?('offline_access')
+      end
+    end
+  end
+
+  # Redirect to the login page, used in authenticate, plugins can override this.
+  def redirect_to_login(options={})
+    redirect_to login_url, options
+  end
+
+end