mastodon/app/controllers/auth/sessions_controller.rb

# frozen_string_literal: true

class Auth::SessionsController < Devise::SessionsController
  include Devise::Controllers::Rememberable

  layout 'auth'

  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :require_functional!

  include TwoFactorAuthenticationConcern
  include SignInTokenAuthenticationConcern

  before_action :set_instance_presenter, only: [:new]
  before_action :set_body_classes

  def new
    Devise.omniauth_configs.each do |provider, config|
      return redirect_to(omniauth_authorize_path(resource_name, provider)) if config.strategy.redirect_at_sign_in
    end

    super
  end

  def create
    super do |resource|
      remember_me(resource)
      flash.delete(:notice)
    end
  end

  def destroy
    tmp_stored_location = stored_location_for(:user)
    super
    session.delete(:challenge_passed_at)
    flash.delete(:notice)
    store_location_for(:user, tmp_stored_location) if continue_after?
  end

  protected

  def find_user
    if session[:attempt_user_id]
      User.find(session[:attempt_user_id])
    else
      user   = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication
      user ||= User.authenticate_with_pam(user_params) if Devise.pam_authentication
      user ||= User.find_for_authentication(email: user_params[:email])
      user
    end
  end

  def user_params
    params.require(:user).permit(:email, :password, :otp_attempt, :sign_in_token_attempt)
  end

  def after_sign_in_path_for(resource)
    last_url = stored_location_for(:user)

    if home_paths(resource).include?(last_url)
      root_path
    else
      last_url || root_path
    end
  end

  def after_sign_out_path_for(_resource_or_scope)
    Devise.omniauth_configs.each_value do |config|
      return root_path if config.strategy.redirect_at_sign_in
    end

    super
  end

  def require_no_authentication
    super
    # Delete flash message that isn't entirely useful and may be confusing in
    # most cases because /web doesn't display/clear flash messages.
    flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')
  end

  private

  def set_instance_presenter
    @instance_presenter = InstancePresenter.new
  end

  def set_body_classes
    @body_classes = 'lighter'
  end

  def home_paths(resource)
    paths = [about_path]
    if single_user_mode? && resource.is_a?(User)
      paths << short_account_path(username: resource.account)
    end
    paths
  end

  def continue_after?
    truthy_param?(:continue)
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00			`# frozen_string_literal: true`

Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`class Auth::SessionsController < Devise::SessionsController`
Remember me enabled by default 2016-03-28 00:06:52 +02:00			`include Devise::Controllers::Rememberable`

Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`layout 'auth'`
Remember me enabled by default 2016-03-28 00:06:52 +02:00
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`skip_before_action :require_no_authentication, only: [:create]`
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication. 2019-07-22 10:48:50 +02:00			`skip_before_action :require_functional!`

Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00			`include TwoFactorAuthenticationConcern`
			`include SignInTokenAuthenticationConcern`
Fix authentication before 2FA challenge (#11943) Regression from #11831 2019-09-24 04:35:36 +02:00
sign_in and sign_up views present og meta infos (#5308) 2017-10-11 00:52:25 +02:00			`before_action :set_instance_presenter, only: [:new]`
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-31 01:14:33 +02:00			`before_action :set_body_classes`
Added optional two-factor authentication 2017-01-27 20:28:46 +01:00
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-23 01:16:17 +01:00			`def new`
			`Devise.omniauth_configs.each do \|provider, config\|`
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 11:18:26 +01:00			`return redirect_to(omniauth_authorize_path(resource_name, provider)) if config.strategy.redirect_at_sign_in`
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-23 01:16:17 +01:00			`end`
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 11:18:26 +01:00
New variable OAUTH_REDIRECT_AT_SIGN_IN + Ref #6538 (not only SAML strategies) (#6540) 2018-02-23 01:16:17 +01:00			`super`
			`end`

Remember me enabled by default 2016-03-28 00:06:52 +02:00			`def create`
Fix authentication before 2FA challenge (#11943) Regression from #11831 2019-09-24 04:35:36 +02:00			`super do \|resource\|`
			`remember_me(resource)`
			`flash.delete(:notice)`
Remember me enabled by default 2016-03-28 00:06:52 +02:00			`end`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`def destroy`
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login 2018-09-09 04:10:44 +02:00			`tmp_stored_location = stored_location_for(:user)`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`super`
Add password challenge to 2FA settings, e-mail notifications (#11878) Fix #3961 2019-09-18 16:37:27 +02:00			`session.delete(:challenge_passed_at)`
Fix empty flash message on the settings page (#3345) 2017-05-27 13:04:28 +02:00			`flash.delete(:notice)`
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login 2018-09-09 04:10:44 +02:00			`store_location_for(:user, tmp_stored_location) if continue_after?`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`end`

Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`protected`

Fix authentication before 2FA challenge (#11943) Regression from #11831 2019-09-24 04:35:36 +02:00			`def find_user`
Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00			`if session[:attempt_user_id]`
			`User.find(session[:attempt_user_id])`
Fix authentication before 2FA challenge (#11943) Regression from #11831 2019-09-24 04:35:36 +02:00			`else`
			`user = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication`
			`user \|\|= User.authenticate_with_pam(user_params) if Devise.pam_authentication`
			`user \|\|= User.find_for_authentication(email: user_params[:email])`
Fix rubocop warning (#14288) * Fix rubocop warning * use limit variable * use ContextCreatingMethods option 2020-07-14 19:05:07 +02:00			`user`
Fix authentication before 2FA challenge (#11943) Regression from #11831 2019-09-24 04:35:36 +02:00			`end`
			`end`

Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00			`def user_params`
Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00			`params.require(:user).permit(:email, :password, :otp_attempt, :sign_in_token_attempt)`
Added optional two-factor authentication 2017-01-27 20:28:46 +01:00			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`def after_sign_in_path_for(resource)`
Adding e-mail confirmations 2016-10-03 16:38:22 +02:00			`last_url = stored_location_for(:user)`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`if home_paths(resource).include?(last_url)`
Adding e-mail confirmations 2016-10-03 16:38:22 +02:00			`root_path`
			`else`
			`last_url \|\| root_path`
			`end`
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`end`
Split 2FA login into two prompts 2017-01-28 20:43:38 +01:00
If login redirects to omniauth, redirect logout to root_path (#6694) Fix #6670 2018-03-08 11:18:26 +01:00			`def after_sign_out_path_for(_resource_or_scope)`
			`Devise.omniauth_configs.each_value do \|config\|`
			`return root_path if config.strategy.redirect_at_sign_in`
			`end`

			`super`
			`end`

Remove confusing “You are already signed in.” flash message (#13547) When attempting to access the log-in page while already logged in, Devise's `require_no_authentication` kicks in and sets a flash message “You are already signed in.” In almost all cases, this also causes a redirect to /web, which does not display or clear flash messages, thus leaving the message to a potentially much later date, like for instance, accessing /preferences several minutes after being redirected to /web. 2020-05-10 10:16:39 +02:00			`def require_no_authentication`
			`super`
			`# Delete flash message that isn't entirely useful and may be confusing in`
			`# most cases because /web doesn't display/clear flash messages.`
			`flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')`
			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`private`

sign_in and sign_up views present og meta infos (#5308) 2017-10-11 00:52:25 +02:00			`def set_instance_presenter`
			`@instance_presenter = InstancePresenter.new`
			`end`

Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo 2018-07-31 01:14:33 +02:00			`def set_body_classes`
			`@body_classes = 'lighter'`
			`end`

Go to root after login in single user mode (#3289) In single user mode, visitors are redirected to the single user's profile page. So, if you are the owner without a session, you start from that page, click the login button and authenticate yourself expecting you'll soon get started with the home page, but in reality you'll get redirected back to where you started from -- your own profile page. This fixes the behavior by redirecting you home after login if you have started from your own profile page. 2017-05-26 14:14:03 +02:00			`def home_paths(resource)`
			`paths = [about_path]`
			`if single_user_mode? && resource.is_a?(User)`
			`paths << short_account_path(username: resource.account)`
			`end`
			`paths`
			`end`
feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627) Will clear the browser's cache, cookies and storage. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data https://w3c.github.io/webappsec-clear-site-data/ 2018-09-07 05:42:16 +02:00
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login 2018-09-09 04:10:44 +02:00			`def continue_after?`
			`truthy_param?(:continue)`
			`end`
Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`end`