discourse/app/controllers/session_controller.rb

class SessionController < ApplicationController

  skip_before_filter :redirect_to_login_if_required

  def csrf
    render json: {csrf: form_authenticity_token }
  end

  def create
    params.require(:login)
    params.require(:password)

    login = params[:login].strip
    login = login[1..-1] if login[0] == "@"

    if user = User.find_by_username_or_email(login)

      # If their password is correct
      unless user.confirm_password?(params[:password])
        invalid_credentials
        return
      end

      # If the site requires user approval and the user is not approved yet
      if login_not_approved_for?(user)
        login_not_approved
        return
      end
    end

    if user.suspended?
      failed_to_login(user)
      return
    end

    user.email_confirmed? ? login(user) : not_activated(user)
  end

  def forgot_password
    params.require(:login)

    user = User.find_by_username_or_email(params[:login])
    if user.present?
      email_token = user.email_tokens.create(email: user.email)
      Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
    end
    # always render of so we don't leak information
    render json: {result: "ok"}
  end

  def destroy
    reset_session
    log_off_user
    render nothing: true
  end

  private

  def login_not_approved_for?(user)
    SiteSetting.must_approve_users? && !user.approved? && !user.admin?
  end

  def invalid_credentials
    render json: {error: I18n.t("login.incorrect_username_email_or_password")}
  end

  def login_not_approved
    render json: {error: I18n.t("login.not_approved")}
  end

  def not_activated(user)
    render json: {
      error: I18n.t("login.not_activated"),
      reason: 'not_activated',
      sent_to_email: user.find_email || user.email,
      current_email: user.email
    }
  end

  def failed_to_login(user)
    message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"

    render json: { error: I18n.t(message, { date: I18n.l(user.suspended_till, format: :date_only),
                                            reason: user.suspend_reason}) }
  end

  def login(user)
    log_on_user(user)
    render_serialized(user, UserSerializer)
  end

end
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class SessionController < ApplicationController`
SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 15:13:13 +10:00
Redirect all controllers to login if required We want to skip the filter for sessions controller so that we can login and we want to skip the filter for static pages because those should be visible to visitors. 2013-06-04 15:32:36 -07:00			`skip_before_filter :redirect_to_login_if_required`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 15:13:13 +10:00			`def csrf`
			`render json: {csrf: form_authenticity_token }`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def create`
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments. 2013-06-06 00:14:32 -07:00			`params.require(:login)`
			`params.require(:password)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`login = params[:login].strip`
			`login = login[1..-1] if login[0] == "@"`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`if user = User.find_by_username_or_email(login)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`# If their password is correct`
			`unless user.confirm_password?(params[:password])`
			`invalid_credentials`
			`return`
			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`# If the site requires user approval and the user is not approved yet`
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`if login_not_approved_for?(user)`
			`login_not_approved`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`return`
			`end`
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`if user.suspended?`
			`failed_to_login(user)`
			`return`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`user.email_confirmed? ? login(user) : not_activated(user)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def forgot_password`
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments. 2013-06-06 00:14:32 -07:00			`params.require(:login)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Utilize already existing method 'find_by_username_or_email' check presence of email using include, dont use =~ 2013-10-24 13:29:58 +05:30			`user = User.find_by_username_or_email(params[:login])`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`if user.present?`
			`email_token = user.email_tokens.create(email: user.email)`
			`Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)`
			`end`
			`# always render of so we don't leak information`
Use consistent new-style hashes in render calls twitch 2013-03-22 14:08:11 -04:00			`render json: {result: "ok"}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def destroy`
recover from bad CSRF tokens without requiring a hard refresh of the browser 2013-08-27 15:56:12 +10:00			`reset_session`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 15:10:37 +11:00			`log_off_user`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`render nothing: true`
			`end`

Refactor SessionController#create, reduce complexity. Don't compromise readablity 2013-11-15 20:57:43 +05:30			`private`

			`def login_not_approved_for?(user)`
			`SiteSetting.must_approve_users? && !user.approved? && !user.admin?`
			`end`

			`def invalid_credentials`
			`render json: {error: I18n.t("login.incorrect_username_email_or_password")}`
			`end`

			`def login_not_approved`
			`render json: {error: I18n.t("login.not_approved")}`
			`end`

			`def not_activated(user)`
			`render json: {`
			`error: I18n.t("login.not_activated"),`
			`reason: 'not_activated',`
			`sent_to_email: user.find_email \|\| user.email,`
			`current_email: user.email`
			`}`
			`end`

			`def failed_to_login(user)`
			`message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"`

			`render json: { error: I18n.t(message, { date: I18n.l(user.suspended_till, format: :date_only),`
			`reason: user.suspend_reason}) }`
			`end`

			`def login(user)`
			`log_on_user(user)`
			`render_serialized(user, UserSerializer)`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`
No results found.