tracks/app/controllers/login_controller.rb

class LoginController < ApplicationController
  
  layout 'login'
  filter_parameter_logging :user_password 
  skip_before_filter :set_session_expiration
  skip_before_filter :login_required
  before_filter :login_optional
  before_filter :get_current_user

  def login
    if cas_enabled?
      @username = session[:cas_user]
      @login_url = CASClient::Frameworks::Rails::Filter.login_url(self)
    end
    if openid_enabled? && using_open_id?
      login_openid
    elsif cas_enabled? && session[:cas_user]
      login_cas
    else
      @page_title = "TRACKS::Login"
      case request.method
        when :post
          if @user = User.authenticate(params['user_login'], params['user_password'])
            session['user_id'] = @user.id
            # If checkbox on login page checked, we don't expire the session after 1 hour
            # of inactivity and we remember this user for future browser sessions
            session['noexpiry'] = params['user_noexpiry']
            msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire." 
            notify :notice, "Login successful: session #{msg}"
            cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
            unless should_expire_sessions?
              @user.remember_me
              cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
            end
            redirect_back_or_home
            return
          else
            @login = params['user_login']
            notify :warning, "Login unsuccessful"
          end
        when :get
          if User.no_users_yet?
            redirect_to :controller => 'users', :action => 'new'
            return
          end
      end
      respond_to do |format|
        format.html
        format.m   { render :action => 'login_mobile.html.erb', :layout => 'mobile' }
      end
    end
  end
  
  def logout
    @user.forget_me if logged_in?
    cookies.delete :auth_token
    session['user_id'] = nil
    reset_session
    if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
      CASClient::Frameworks::Rails::Filter.logout(self)
    else
      notify :notice, "You have been logged out of Tracks."
      redirect_to_login
    end
  end
  
  def check_expiry
    # Gets called by periodically_call_remote to check whether 
    # the session has timed out yet
    unless session == nil
      if session
        return unless should_expire_sessions?
        # Get expiry time (allow ten seconds window for the case where we have none)
        expiry_time = session['expiry_time'] || Time.now + 10
        @time_left = expiry_time - Time.now
        if @time_left < (10*60) # Session will time out before the next check
          @msg = "Session has timed out. Please "
        else
          @msg = ""
        end
      end
    end
    respond_to do |format|
      format.js
    end
  end
  
  private
      
  def redirect_to_login
    respond_to do |format|
      format.html { redirect_to login_path }
      format.m { redirect_to login_path(:format => 'm') }
    end
  end
  
  def should_expire_sessions?
    session['noexpiry'] != "on"
  end
  
  protected
  
  def login_openid
    # If checkbox on login page checked, we don't expire the session after 1 hour
    # of inactivity and we remember this user for future browser sessions
    session['noexpiry'] ||= params['user_noexpiry']
    authenticate_with_open_id do |result, identity_url|
      if result.successful?
        if @user = User.find_by_open_id_url(identity_url)
          session['user_id'] = @user.id
          msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire." 
          notify :notice, "Login successful: session #{msg}"
          cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
          unless should_expire_sessions?
            @user.remember_me
            cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
          end
          redirect_back_or_home
        else
          notify :warning, "Sorry, no user by that identity URL exists (#{identity_url})"
        end
      else
        notify :warning, result.message
      end
    end
  end

  def login_cas
    # If checkbox on login page checked, we don't expire the session after 1 hour
    # of inactivity and we remember this user for future browser sessions
    session['noexpiry'] ||= params['user_noexpiry']
    if session[:cas_user]
      if @user = User.find_by_login(session[:cas_user])
        session['user_id'] = @user.id
        msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
        notify :notice, "Login successful: session #{msg}"
        cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
        unless should_expire_sessions?
          @user.remember_me
          cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
        end
        redirect_back_or_home
      else
        notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"
      end
    else
      notify :warning, result.message
    end
  end
end
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`class LoginController < ApplicationController`

Fix #498 (cannot login using mobile interface) by introducing a login page specialized for mobile devices. To support this, I added named routes for the login paths and pulled up the mobile content negotiation code to the ApplicationController. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@531 a4c988fc-2ded-0310-b66e-134b36920a42 2007-04-16 02:19:20 +00:00			`layout 'login'`
Applied James Kebinger's patch to remove the password from the logs emitted by LoginController. Closes #521. Thanks, James! git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@552 a4c988fc-2ded-0310-b66e-134b36920a42 2007-06-08 04:01:11 +00:00			`filter_parameter_logging :user_password`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`skip_before_filter :set_session_expiration`
			`skip_before_filter :login_required`
This changeset adds real "remember me" functionality. The checkbox on the login page "Stay logged in" previously prevented an inactive session from expiring. Now, it also functions to remember that a user is logged in across browser sessions (i.e. a user exits the browser, and reopens it). I've also ensured that all tests (including selenium tests) are passing on my machine. This changeset should be back to stable and usable. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@561 a4c988fc-2ded-0310-b66e-134b36920a42 2007-07-08 06:41:10 +00:00			`before_filter :login_optional`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`before_filter :get_current_user`
properly insert CAS as another auth method 2009-11-22 14:39:39 -08:00
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`def login`
properly insert CAS as another auth method 2009-11-22 14:39:39 -08:00			`if cas_enabled?`
			`@username = session[:cas_user]`
			`@login_url = CASClient::Frameworks::Rails::Filter.login_url(self)`
			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`if openid_enabled? && using_open_id?`
			`login_openid`
properly insert CAS as another auth method 2009-11-22 14:39:39 -08:00			`elsif cas_enabled? && session[:cas_user]`
make cas work 2009-11-20 19:06:07 -08:00			`login_cas`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`else`
			`@page_title = "TRACKS::Login"`
			`case request.method`
			`when :post`
			`if @user = User.authenticate(params['user_login'], params['user_password'])`
			`session['user_id'] = @user.id`
			`# If checkbox on login page checked, we don't expire the session after 1 hour`
			`# of inactivity and we remember this user for future browser sessions`
			`session['noexpiry'] = params['user_noexpiry']`
			`msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."`
			`notify :notice, "Login successful: session #{msg}"`
Move site-specific configuration out of environment.rb into a YAML file. This allows us to ship environment.rb with Tracks. Fixes #813. 2009-01-23 13:13:28 -05:00			`cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`unless should_expire_sessions?`
			`@user.remember_me`
Move site-specific configuration out of environment.rb into a YAML file. This allows us to ship environment.rb with Tracks. Fixes #813. 2009-01-23 13:13:28 -05:00			`cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`end`
			`redirect_back_or_home`
			`return`
			`else`
			`@login = params['user_login']`
			`notify :warning, "Login unsuccessful"`
This changeset adds real "remember me" functionality. The checkbox on the login page "Stay logged in" previously prevented an inactive session from expiring. Now, it also functions to remember that a user is logged in across browser sessions (i.e. a user exits the browser, and reopens it). I've also ensured that all tests (including selenium tests) are passing on my machine. This changeset should be back to stable and usable. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@561 a4c988fc-2ded-0310-b66e-134b36920a42 2007-07-08 06:41:10 +00:00			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`when :get`
			`if User.no_users_yet?`
			`redirect_to :controller => 'users', :action => 'new'`
			`return`
This changeset adds real "remember me" functionality. The checkbox on the login page "Stay logged in" previously prevented an inactive session from expiring. Now, it also functions to remember that a user is logged in across browser sessions (i.e. a user exits the browser, and reopens it). I've also ensured that all tests (including selenium tests) are passing on my machine. This changeset should be back to stable and usable. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@561 a4c988fc-2ded-0310-b66e-134b36920a42 2007-07-08 06:41:10 +00:00			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`end`
			`respond_to do \|format\|`
			`format.html`
			`format.m { render :action => 'login_mobile.html.erb', :layout => 'mobile' }`
			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`
			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`def logout`
This changeset adds real "remember me" functionality. The checkbox on the login page "Stay logged in" previously prevented an inactive session from expiring. Now, it also functions to remember that a user is logged in across browser sessions (i.e. a user exits the browser, and reopens it). I've also ensured that all tests (including selenium tests) are passing on my machine. This changeset should be back to stable and usable. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@561 a4c988fc-2ded-0310-b66e-134b36920a42 2007-07-08 06:41:10 +00:00			`@user.forget_me if logged_in?`
			`cookies.delete :auth_token`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`session['user_id'] = nil`
when CAS is switched app functions as normal but does not use any other auth methods. 2009-11-24 13:09:29 -08:00			`reset_session`
make cas work 2009-11-20 19:06:07 -08:00			`if ( SITE_CONFIG['authentication_schemes'].include? 'cas')`
			`CASClient::Frameworks::Rails::Filter.logout(self)`
when CAS is switched app functions as normal but does not use any other auth methods. 2009-11-24 13:09:29 -08:00			`else`
			`notify :notice, "You have been logged out of Tracks."`
			`redirect_to_login`
make cas work 2009-11-20 19:06:07 -08:00			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`

			`def check_expiry`
			`# Gets called by periodically_call_remote to check whether`
			`# the session has timed out yet`
			`unless session == nil`
			`if session`
			`return unless should_expire_sessions?`
			`# Get expiry time (allow ten seconds window for the case where we have none)`
			`expiry_time = session['expiry_time'] \|\| Time.now + 10`
			`@time_left = expiry_time - Time.now`
			`if @time_left < (10*60) # Session will time out before the next check`
			`@msg = "Session has timed out. Please "`
			`else`
			`@msg = ""`
			`end`
			`end`
			`end`
Merged rails2-branch back into trunk. Trunk Tracks is now using Rails 2.0.2. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@837 a4c988fc-2ded-0310-b66e-134b36920a42 2008-04-28 05:53:24 +00:00			`respond_to do \|format\|`
			`format.js`
			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`

			`private`

Fix #498 (cannot login using mobile interface) by introducing a login page specialized for mobile devices. To support this, I added named routes for the login paths and pulled up the mobile content negotiation code to the ApplicationController. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@531 a4c988fc-2ded-0310-b66e-134b36920a42 2007-04-16 02:19:20 +00:00			`def redirect_to_login`
			`respond_to do \|format\|`
			`format.html { redirect_to login_path }`
Missed some formatted_ helpers not covered by tests Selenium tests now passing completely 2009-12-07 23:16:21 -05:00			`format.m { redirect_to login_path(:format => 'm') }`
Fix #498 (cannot login using mobile interface) by introducing a login page specialized for mobile devices. To support this, I added named routes for the login paths and pulled up the mobile content negotiation code to the ApplicationController. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@531 a4c988fc-2ded-0310-b66e-134b36920a42 2007-04-16 02:19:20 +00:00			`end`
			`end`

And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`def should_expire_sessions?`
			`session['noexpiry'] != "on"`
			`end`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00
			`protected`

			`def login_openid`
			`# If checkbox on login page checked, we don't expire the session after 1 hour`
			`# of inactivity and we remember this user for future browser sessions`
			`session['noexpiry'] \|\|= params['user_noexpiry']`
			`authenticate_with_open_id do \|result, identity_url\|`
			`if result.successful?`
No point in changing the name of the OpenID identity column in users table. Use the existing one. 2008-12-08 18:51:33 -05:00			`if @user = User.find_by_open_id_url(identity_url)`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`session['user_id'] = @user.id`
			`msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."`
			`notify :notice, "Login successful: session #{msg}"`
Move site-specific configuration out of environment.rb into a YAML file. This allows us to ship environment.rb with Tracks. Fixes #813. 2009-01-23 13:13:28 -05:00			`cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`unless should_expire_sessions?`
			`@user.remember_me`
Move site-specific configuration out of environment.rb into a YAML file. This allows us to ship environment.rb with Tracks. Fixes #813. 2009-01-23 13:13:28 -05:00			`cookies[:auth_token] = { :value => @user.remember_token , :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }`
Re-write OpenID code to use new authentication plugin. Tested to work! 2008-12-08 00:52:57 -05:00			`end`
			`redirect_back_or_home`
			`else`
			`notify :warning, "Sorry, no user by that identity URL exists (#{identity_url})"`
			`end`
			`else`
			`notify :warning, result.message`
			`end`
			`end`
			`end`
make cas work 2009-11-20 19:06:07 -08:00
			`def login_cas`
			`# If checkbox on login page checked, we don't expire the session after 1 hour`
			`# of inactivity and we remember this user for future browser sessions`
			`session['noexpiry'] \|\|= params['user_noexpiry']`
			`if session[:cas_user]`
			`if @user = User.find_by_login(session[:cas_user])`
			`session['user_id'] = @user.id`
			`msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."`
			`notify :notice, "Login successful: session #{msg}"`
			`cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }`
			`unless should_expire_sessions?`
			`@user.remember_me`
			`cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }`
			`end`
			`redirect_back_or_home`
			`else`
properly insert CAS as another auth method 2009-11-22 14:39:39 -08:00			`notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"`
make cas work 2009-11-20 19:06:07 -08:00			`end`
			`else`
			`notify :warning, result.message`
			`end`
			`end`
And here's the copy step. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@501 a4c988fc-2ded-0310-b66e-134b36920a42 2007-03-30 04:36:52 +00:00			`end`