discourse/lib/auth/default_current_user_provider.rb

require_dependency "auth/current_user_provider"

class Auth::DefaultCurrentUserProvider

  CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER".freeze
  API_KEY ||= "api_key".freeze
  API_KEY_ENV ||= "_DISCOURSE_API".freeze
  TOKEN_COOKIE ||= "_t".freeze
  PATH_INFO ||= "PATH_INFO".freeze

  # do all current user initialization here
  def initialize(env)
    @env = env
    @request = Rack::Request.new(env)
  end

  # our current user, return nil if none is found
  def current_user
    return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)

    # bypass if we have the shared session header
    if shared_key = @env['HTTP_X_SHARED_SESSION_KEY']
      uid = $redis.get("shared_session_key_#{shared_key}")
      user = nil
      if uid
        user = User.find_by(id: uid.to_i)
      end
      @env[CURRENT_USER_KEY] = user
      return user
    end

    request = @request

    auth_token = request.cookies[TOKEN_COOKIE]

    current_user = nil

    if auth_token && auth_token.length == 32
      current_user = User.where(auth_token: auth_token).where('auth_token_created_at IS NULL OR auth_token_created_at > ?', SiteSetting.maximum_session_age.hours.ago).first
    end

    if current_user && (current_user.suspended? || !current_user.active)
      current_user = nil
    end

    if current_user && should_update_last_seen?
      u = current_user
      Scheduler::Defer.later "Updating Last Seen" do
        u.update_last_seen!
        u.update_ip_address!(request.ip)
      end
    end

    # possible we have an api call, impersonate
    if api_key = request[API_KEY]
      current_user = lookup_api_user(api_key, request)
      raise Discourse::InvalidAccess unless current_user
      @env[API_KEY_ENV] = true
    end

    @env[CURRENT_USER_KEY] = current_user
  end

  def log_on_user(user, session, cookies)
    user.auth_token = SecureRandom.hex(16)
    user.auth_token_created_at = Time.zone.now
    user.save!
    cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
    make_developer_admin(user)
    enable_bootstrap_mode(user)
    @env[CURRENT_USER_KEY] = user
  end

  def make_developer_admin(user)
    if  user.active? &&
        !user.admin &&
        Rails.configuration.respond_to?(:developer_emails) &&
        Rails.configuration.developer_emails.include?(user.email)
      user.admin = true
      user.save
    end
  end

  def enable_bootstrap_mode(user)
    Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?
  end

  def log_off_user(session, cookies)
    if SiteSetting.log_out_strict && (user = current_user)
      user.auth_token = nil
      user.save!

      if user.admin && defined?(Rack::MiniProfiler)
        # clear the profiling cookie to keep stuff tidy
        cookies["__profilin"] = nil
      end

      user.logged_out
    end
    cookies[TOKEN_COOKIE] = nil
  end


  # api has special rights return true if api was detected
  def is_api?
    current_user
    @env[API_KEY_ENV]
  end

  def has_auth_cookie?
    cookie = @request.cookies[TOKEN_COOKIE]
    !cookie.nil? && cookie.length == 32
  end

  def should_update_last_seen?
    !(@request.path =~ /^\/message-bus\//)
  end

  protected

  def lookup_api_user(api_key_value, request)
    if api_key = ApiKey.where(key: api_key_value).includes(:user).first
      api_username = request["api_username"]

      if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
        Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
        return nil
      end

      if api_key.user
        api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
      elsif api_username
        User.find_by(username_lower: api_username.downcase)
      end
    end
  end

end
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`require_dependency "auth/current_user_provider"`

			`class Auth::DefaultCurrentUserProvider`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`CURRENT_USER_KEY \|\|= "_DISCOURSE_CURRENT_USER".freeze`
			`API_KEY \|\|= "api_key".freeze`
			`API_KEY_ENV \|\|= "_DISCOURSE_API".freeze`
			`TOKEN_COOKIE \|\|= "_t".freeze`
			`PATH_INFO \|\|= "PATH_INFO".freeze`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00
			`# do all current user initialization here`
			`def initialize(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`end`

			`# our current user, return nil if none is found`
			`def current_user`
			`return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)`

FEATURE: allow long polling to go to a different url Added the site setting long_polling_base_url , this allows you to farm long polling to a different server. This setting is very important if a CDN is serving dynamic content. 2014-10-23 22:38:00 -04:00			`# bypass if we have the shared session header`
			`if shared_key = @env['HTTP_X_SHARED_SESSION_KEY']`
			`uid = $redis.get("shared_session_key_#{shared_key}")`
			`user = nil`
			`if uid`
			`user = User.find_by(id: uid.to_i)`
			`end`
			`@env[CURRENT_USER_KEY] = user`
			`return user`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`request = @request`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00
			`auth_token = request.cookies[TOKEN_COOKIE]`

			`current_user = nil`

			`if auth_token && auth_token.length == 32`
FEATURE: configure session time via site setting for all the users (#4343) 2016-07-22 17:27:30 -04:00			`current_user = User.where(auth_token: auth_token).where('auth_token_created_at IS NULL OR auth_token_created_at > ?', SiteSetting.maximum_session_age.hours.ago).first`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00			`if current_user && (current_user.suspended? \|\| !current_user.active)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`current_user = nil`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if current_user && should_update_last_seen?`
FEATURE: add a simple queue Scheduler::Defer.later {} For quick jobs that do not need to be sent to sidekiq, runs inline in a single thread but does not block 2014-03-16 20:59:34 -04:00			`u = current_user`
Start passing more context to Discourse.handle_exception 2014-07-17 16:22:46 -04:00			`Scheduler::Defer.later "Updating Last Seen" do`
FEATURE: add a simple queue Scheduler::Defer.later {} For quick jobs that do not need to be sent to sidekiq, runs inline in a single thread but does not block 2014-03-16 20:59:34 -04:00			`u.update_last_seen!`
			`u.update_ip_address!(request.ip)`
			`end`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

			`# possible we have an api call, impersonate`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if api_key = request[API_KEY]`
			`current_user = lookup_api_user(api_key, request)`
			`raise Discourse::InvalidAccess unless current_user`
			`@env[API_KEY_ENV] = true`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

			`@env[CURRENT_USER_KEY] = current_user`
			`end`

			`def log_on_user(user, session, cookies)`
FEATURE: configure session time via site setting for all the users (#4343) 2016-07-22 17:27:30 -04:00			`user.auth_token = SecureRandom.hex(16)`
			`user.auth_token_created_at = Time.zone.now`
			`user.save!`
			`cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }`
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`make_developer_admin(user)`
FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method 2016-04-26 13:08:19 -04:00			`enable_bootstrap_mode(user)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`@env[CURRENT_USER_KEY] = user`
			`end`

automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`def make_developer_admin(user)`
			`if user.active? &&`
			`!user.admin &&`
			`Rails.configuration.respond_to?(:developer_emails) &&`
			`Rails.configuration.developer_emails.include?(user.email)`
FEATURE: on initial boot hint users on how to get admin 2014-03-24 03:03:39 -04:00			`user.admin = true`
			`user.save`
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`end`
			`end`

FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method 2016-04-26 13:08:19 -04:00			`def enable_bootstrap_mode(user)`
			`Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`def log_off_user(session, cookies)`
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false 2015-01-27 20:56:25 -05:00			`if SiteSetting.log_out_strict && (user = current_user)`
			`user.auth_token = nil`
			`user.save!`
clear mini profiler cookie when admin logs off 2016-05-18 03:27:54 -04:00
			`if user.admin && defined?(Rack::MiniProfiler)`
			`# clear the profiling cookie to keep stuff tidy`
			`cookies["__profilin"] = nil`
			`end`

FEATURE: Add event trigger when a user is logged out. 2016-07-04 05:20:30 -04:00			`user.logged_out`
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false 2015-01-27 20:56:25 -05:00			`end`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`cookies[TOKEN_COOKIE] = nil`
			`end`


			`# api has special rights return true if api was detected`
			`def is_api?`
			`current_user`
BUGFIX: missed a key rename BUGFIX: API spec not enabling CSRF 2014-05-22 18:42:58 -04:00			`@env[API_KEY_ENV]`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

			`def has_auth_cookie?`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`cookie = @request.cookies[TOKEN_COOKIE]`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`!cookie.nil? && cookie.length == 32`
			`end`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00
			`def should_update_last_seen?`
			`!(@request.path =~ /^\/message-bus\//)`
			`end`

			`protected`

			`def lookup_api_user(api_key_value, request)`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`if api_key = ApiKey.where(key: api_key_value).includes(:user).first`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`api_username = request["api_username"]`
FEATURE: allow restricting API keys to a particular range 2014-11-19 23:21:49 -05:00
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { \|ip\| ip.include?(request.ip) }`
			`Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")`
FEATURE: allow restricting API keys to a particular range 2014-11-19 23:21:49 -05:00			`return nil`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if api_key.user`
			`api_key.user if !api_username \|\| (api_key.user.username_lower == api_username.downcase)`
			`elsif api_username`
			`User.find_by(username_lower: api_username.downcase)`
			`end`
			`end`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`