It's Riseup's twentieth year, help keep us going! If you can afford it, please contribute to our winter fundraising drive.

Commit 43238a2d authored by azul's avatar azul

cleanup: unused controller auth mechanisms

parent c2e3cc87
......@@ -22,7 +22,6 @@ module Common::Application::Authentication
def current_user=(new_user)
new_user = nil unless new_user.respond_to? :id
session[:user] = new_user.nil? ? nil : new_user.id
session[:logged_in_since] = Time.now
@current_user = new_user
end
......@@ -42,74 +41,8 @@ module Common::Application::Authentication
session[:language_code] = language
end
def logged_in_since
session[:logged_in_since]
end
def process_login
unless current_user
# auth using http headers
username, passwd = get_auth_data
if username and passwd
self.current_user = User.authenticate(username, passwd) || User::Unknown.new
end
end
current_user
end
# Store the URI of the current request in the session.
#
# We can return to this location by calling #redirect_back_or_default.
def store_location
session[:return_to] = (request.request_uri unless request.xhr?)
end
# Redirect to the URI stored by the most recent store_location call or
# to the passed default.
def redirect_back_or_default(default)
session[:return_to] ? redirect_to_url(session[:return_to]) : redirect_to(default)
session[:return_to] = nil
end
# When called with before_action :login_from_cookie will check for an :auth_token
# cookie and log the user back in if apropriate
def login_from_cookie
return unless cookies[:auth_token] && !logged_in?
user = User.find_by_remember_token(cookies[:auth_token])
if user && user.remember_token?
user.remember_me
self.current_user = user
cookies[:auth_token] = { value: current_user.remember_token, expires: current_user.remember_token_expires_at }
flash[:notice] = 'Logged in successfully'
end
end
# note: this method is not automatically called. if you want to enable HTTP
# authentication for some action(s), you must put a prepend_before_action in
# place.
# however, a user who successfully uses HTTP auth on an action for which it
# was enabled will stay logged in and can then go and see other things.
# this is kind of lame. but only exploitable by people who could log in
# anyway, so presumabbly not *too* big a security hole.
def login_with_http_auth
unless logged_in?
authenticate_or_request_with_http_basic do |user, password|
founduser = User.authenticate(user, password)
self.current_user = founduser unless founduser.nil?
end
end
end
private
@@http_auth_headers = %w[X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization]
# gets BASIC auth info
def get_auth_data
auth_key = @@http_auth_headers.detect { |h| request.env.key?(h) }
auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
end
def load_user(id)
user = User.find_by_id(id)
user.seen! if user
......
......@@ -54,7 +54,6 @@ module Common::Application::BeforeFilters
# skip_before_action :login_required
#
def login_required
process_login
raise AuthenticationRequired unless logged_in?
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment