tracks/app/controllers/login_controller.rb

class LoginController < ApplicationController
  
  layout 'login'
  skip_before_filter :set_session_expiration
  skip_before_filter :login_required
  before_filter :login_optional
  before_filter :get_current_user

  protect_from_forgery :except => [:check_expiry, :login]

  def login
    @page_title = "TRACKS::Login"
    cookies[:preferred_auth] = prefered_auth? unless cookies[:preferred_auth]
    case request.method
    when 'POST'
      if @user = User.authenticate(params['user_login'], params['user_password'])
        session['user_id'] = @user.id
        # If checkbox on login page checked, we don't expire the session after 1 hour
        # of inactivity and we remember this user for future browser sessions
        session['noexpiry'] = params['user_noexpiry']
        msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
        notify :notice, "Login successful: session #{msg}"
        cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
        unless should_expire_sessions?
          @user.remember_me
          cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
        end
        redirect_back_or_home
        return
      else
        @login = params['user_login']
        notify :warning, t('login.unsuccessful')
      end
    when 'GET'
      if User.no_users_yet?
        redirect_to signup_path
        return
      end
    end
    respond_to do |format|
      format.html
      format.m   { render :action => 'login_mobile.html.erb', :layout => 'mobile' }
    end
  end
  
  def logout
    logout_user
  end

  def expire_session
    # this is a hack to enable cucumber to expire a session by calling this
    # method. The method will be unavailable for production environment
    
    @user.forget_me if logged_in?
    cookies.delete :auth_token
    session['user_id'] = nil
    reset_session
    
    unless Rails.env.production?
      session['expiry_time'] = Time.now
      respond_to do |format|
        format.html { render :text => "Session expired for test purposes"}
        format.js { render :text => "" }
      end
    else
      respond_to do |format|
        format.html { render :text => "Not available for production use"}
        format.js { render :text => "" }
      end
    end
  end
  
  def check_expiry
    # Gets called by periodically_call_remote to check whether
    # the session has timed out yet
    unless session == nil
      if session
        return unless should_expire_sessions?
        # Get expiry time (allow ten seconds window for the case where we have none)
        expiry_time = session['expiry_time'] || Time.now + 10
        time_left = expiry_time - Time.now
        @session_expired = ( time_left < (10*60) ) # Session will time out before the next check
      end
    end
    respond_to do |format|
      format.js
    end
  end
  
  private
      
  def should_expire_sessions?
    session['noexpiry'] != "on"
  end
  
end
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`class LoginController < ApplicationController`

Fix #498 (cannot login using mobile interface) by introducing a login page specialized for mobile devices. To support this, I added named routes for the login paths and pulled up the mobile content negotiation code to the ApplicationController. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@531 a4c988fc-2ded-0310-b66e-134b36920a42 2007-04-16 02:19:20 +00:00			`layout 'login'`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`skip_before_filter :set_session_expiration`
			`skip_before_filter :login_required`
This changeset adds real "remember me" functionality. The checkbox on the login page "Stay logged in" previously prevented an inactive session from expiring. Now, it also functions to remember that a user is logged in across browser sessions (i.e. a user exits the browser, and reopens it). I've also ensured that all tests (including selenium tests) are passing on my machine. This changeset should be back to stable and usable. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@561 a4c988fc-2ded-0310-b66e-134b36920a42 2007-07-08 06:41:10 +00:00			`before_filter :login_optional`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`before_filter :get_current_user`
hopefully fix #1109 where I think the csrf change in rails 2.3.11 messes up our expiry checking 2011-02-25 22:43:18 +01:00
fix #1138 where openid login was broken because of csrf changes in rails 2011-04-14 12:52:41 +02:00			`protect_from_forgery :except => [:check_expiry, :login]`
hopefully fix #1109 where I think the csrf change in rails 2.3.11 messes up our expiry checking 2011-02-25 22:43:18 +01:00
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`def login`
get the first cucumber feature running: calendar 2012-04-30 13:51:42 +02:00			`@page_title = "TRACKS::Login"`
			`cookies[:preferred_auth] = prefered_auth? unless cookies[:preferred_auth]`
			`case request.method`
			`when 'POST'`
			`if @user = User.authenticate(params['user_login'], params['user_password'])`
			`session['user_id'] = @user.id`
			`# If checkbox on login page checked, we don't expire the session after 1 hour`
			`# of inactivity and we remember this user for future browser sessions`
			`session['noexpiry'] = params['user_noexpiry']`
			`msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."`
			`notify :notice, "Login successful: session #{msg}"`
			`cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }`
			`unless should_expire_sessions?`
			`@user.remember_me`
			`cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }`
add a cucumber test to simulate expiration of a session Signed-off-by: Reinier Balt <lrbalt@gmail.com> 2010-11-10 23:48:56 +01:00			`end`
get the first cucumber feature running: calendar 2012-04-30 13:51:42 +02:00			`redirect_back_or_home`
			`return`
			`else`
			`@login = params['user_login']`
			`notify :warning, t('login.unsuccessful')`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`end`
get the first cucumber feature running: calendar 2012-04-30 13:51:42 +02:00			`when 'GET'`
			`if User.no_users_yet?`
			`redirect_to signup_path`
			`return`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`
get the first cucumber feature running: calendar 2012-04-30 13:51:42 +02:00			`respond_to do \|format\|`
			`format.html`
			`format.m { render :action => 'login_mobile.html.erb', :layout => 'mobile' }`
			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`def logout`
Logut user after password change, Closes #1047 2011-10-24 21:47:15 +02:00			`logout_user`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`
add a cucumber test to simulate expiration of a session Signed-off-by: Reinier Balt <lrbalt@gmail.com> 2010-11-10 23:48:56 +01:00
			`def expire_session`
			`# this is a hack to enable cucumber to expire a session by calling this`
			`# method. The method will be unavailable for production environment`
fix #1167 2011-05-08 15:03:55 +02:00
			`@user.forget_me if logged_in?`
			`cookies.delete :auth_token`
			`session['user_id'] = nil`
			`reset_session`

add a cucumber test to simulate expiration of a session Signed-off-by: Reinier Balt <lrbalt@gmail.com> 2010-11-10 23:48:56 +01:00			`unless Rails.env.production?`
			`session['expiry_time'] = Time.now`
			`respond_to do \|format\|`
			`format.html { render :text => "Session expired for test purposes"}`
			`format.js { render :text => "" }`
			`end`
			`else`
			`respond_to do \|format\|`
			`format.html { render :text => "Not available for production use"}`
			`format.js { render :text => "" }`
			`end`
			`end`
			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00
			`def check_expiry`
add a cucumber test to simulate expiration of a session Signed-off-by: Reinier Balt <lrbalt@gmail.com> 2010-11-10 23:48:56 +01:00			`# Gets called by periodically_call_remote to check whether`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`# the session has timed out yet`
			`unless session == nil`
			`if session`
			`return unless should_expire_sessions?`
			`# Get expiry time (allow ten seconds window for the case where we have none)`
			`expiry_time = session['expiry_time'] \|\| Time.now + 10`
replace old prototype/jrails code for periodic checks and start work on autocomplete and edit projects Signed-off-by: Reinier Balt <lrbalt@gmail.com> 2010-10-05 21:27:00 +02:00			`time_left = expiry_time - Time.now`
			`@session_expired = ( time_left < (10*60) ) # Session will time out before the next check`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`
			`end`
Merged rails2-branch back into trunk. Trunk Tracks is now using Rails 2.0.2. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@837 a4c988fc-2ded-0310-b66e-134b36920a42 2008-04-28 05:53:24 +00:00			`respond_to do \|format\|`
			`format.js`
			`end`
This allows CAS to work side by side with other Auth methods. This is at least one issue with this to logout of CAS you need session information but the logout method blows this away so I do the cas log out before the session is killed so the session persistest in rails. Because I needed to move the CAS before filters into login_cas and out of the application to make it work side by side. The user will still be logined into tracks even though their CAS session is closed as the session will still be there. def logout @user.forget_me if logged_in? cookies.delete :auth_token session['user_id'] = nil if ( SITE_CONFIG['authentication_schemes'].include? 'cas') && session[:cas_user] CASClient::Frameworks::Rails::Filter.logout(self) else reset_session notify :notice, "You have been logged out of Tracks." redirect_to_login end end The other issue I have with this is that: I could not find a use case for having mixed auth when using CAS. The reason to move to CAS is that all your users use CAS all the time. Even for admin accounts. Moodle is a good example of this in that when you activate CAS the default is that you can now only access moodle via CAS. By allowing mixed auth and self signup you end up with a anyone (the public) being able to sign up for accounts. 2009-12-29 12:22:44 -08:00			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00
			`private`

			`def should_expire_sessions?`
			`session['noexpiry'] != "on"`
			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`