1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
# frozen_string_literal: true
require 'devise/strategies/base'
module Devise
module Strategies
# This strategy should be used as basis for authentication strategies. It retrieves
# parameters both from params or from http authorization headers. See database_authenticatable
# for an example.
class Authenticatable < Base
attr_accessor :authentication_hash, :authentication_type, :password
def store?
super && !mapping.to.skip_session_storage.include?(authentication_type)
end
def valid?
valid_for_params_auth? || valid_for_http_auth?
end
# Override and set to false for things like OmniAuth that technically
# run through Authentication (user_set) very often, which would normally
# reset CSRF data in the session
def clean_up_csrf?
true
end
private
# Receives a resource and check if it is valid by calling valid_for_authentication?
# A block that will be triggered while validating can be optionally
# given as parameter. Check Devise::Models::Authenticatable.valid_for_authentication?
# for more information.
#
# In case the resource can't be validated, it will fail with the given
# unauthenticated_message.
def validate(resource, &block)
result = resource && resource.valid_for_authentication?(&block)
if result
true
else
if resource
fail!(resource.unauthenticated_message)
end
false
end
end
# Get values from params and set in the resource.
def remember_me(resource)
resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
end
# Should this resource be marked to be remembered?
def remember_me?
valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
end
# Check if this is a valid strategy for http authentication by:
#
# * Validating if the model allows http authentication;
# * If any of the authorization headers were sent;
# * If all authentication keys are present;
#
def valid_for_http_auth?
http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
end
# Check if this is a valid strategy for params authentication by:
#
# * Validating if the model allows params authentication;
# * If the request hits the sessions controller through POST;
# * If the params[scope] returns a hash with credentials;
# * If all authentication keys are present;
#
def valid_for_params_auth?
params_authenticatable? && valid_params_request? &&
valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
end
# Check if the model accepts this strategy as http authenticatable.
def http_authenticatable?
mapping.to.http_authenticatable?(authenticatable_name)
end
# Check if the model accepts this strategy as params authenticatable.
def params_authenticatable?
mapping.to.params_authenticatable?(authenticatable_name)
end
# Extract the appropriate subhash for authentication from params.
def params_auth_hash
params[scope]
end
# Extract a hash with attributes:values from the http params.
def http_auth_hash
keys = [http_authentication_key, :password]
Hash[*keys.zip(decode_credentials).flatten]
end
# By default, a request is valid if the controller set the proper env variable.
def valid_params_request?
!!env["devise.allow_params_authentication"]
end
# If the request is valid, finally check if params_auth_hash returns a hash.
def valid_params?
params_auth_hash.is_a?(Hash)
end
# Note: unlike `Model.valid_password?`, this method does not actually
# ensure that the password in the params matches the password stored in
# the database. It only checks if the password is *present*. Do not rely
# on this method for validating that a given password is correct.
def valid_password?
password.present?
end
# Helper to decode credentials from HTTP.
def decode_credentials
return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
Base64.decode64($1).split(/:/, 2)
end
# Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
def with_authentication_hash(auth_type, auth_values)
self.authentication_hash, self.authentication_type = {}, auth_type
self.password = auth_values[:password]
parse_authentication_key_values(auth_values, authentication_keys) &&
parse_authentication_key_values(request_values, request_keys)
end
def authentication_keys
@authentication_keys ||= mapping.to.authentication_keys
end
def http_authentication_key
@http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
when Array then authentication_keys.first
when Hash then authentication_keys.keys.first
end
end
def request_keys
@request_keys ||= mapping.to.request_keys
end
def request_values
keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
values = keys.map { |k| self.request.send(k) }
Hash[keys.zip(values)]
end
def parse_authentication_key_values(hash, keys)
keys.each do |key, enforce|
value = hash[key].presence
if value
self.authentication_hash[key] = value
else
return false unless enforce == false
end
end
true
end
# Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable
# becomes simply :database.
def authenticatable_name
@authenticatable_name ||=
ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
sub("_authenticatable", "").to_sym
end
end
end
end
|
