openproject/app/controllers/concerns/omniauth_login.rb

require 'uri'

##
# Intended to be used by the AccountController to handle omniauth logins
module Concerns::OmniauthLogin
  def self.included(base)
    # disable CSRF protection since that should be covered by the omniauth strategy
    base.skip_before_filter :verify_authenticity_token, :only => [:omniauth_login]
  end

  def omniauth_login
    auth_hash = request.env['omniauth.auth']

    return render_400 unless auth_hash.valid?

    # Set back url to page the omniauth login link was clicked on
    params[:back_url] = request.env['omniauth.origin']
    user = User.find_or_initialize_by_identity_url identity_url_from_omniauth(auth_hash)

    decision = OpenProject::OmniAuth::Authorization.authorized? auth_hash
    if decision.approve?
      authorization_successful user, auth_hash
    else
      authorization_failed user, decision.message
    end
  end

  def omniauth_failure
    logger.warn(params[:message]) if params[:message]
    show_error I18n.t(:error_external_authentication_failed)
  end

  def self.direct_login?
    direct_login_provider.is_a? String
  end

  ##
  # Per default the user may choose the usual password login as well as several omniauth providers
  # on the login page and in the login drop down menu.
  #
  # With his configuration option you can set a specific omniauth provider to be
  # used for direct login. Meaning that the login provider selection is skipped and
  # the configured provider is used directly instead.
  #
  # If this option is active /login will lead directly to the configured omniauth provider
  # and so will a click on 'Sign in' (as opposed to opening the drop down menu).
  def self.direct_login_provider
    OpenProject::Configuration['omniauth_direct_login_provider']
  end

  def self.direct_login_provider_url(params = {})
    url_with_params "/auth/#{direct_login_provider}", params if direct_login?
  end

  private

  def authorization_successful(user, auth_hash)
    if user.new_record?
      create_user_from_omniauth user, auth_hash
    else
      if user.active?
        user.log_successful_login
        OpenProject::OmniAuth::Authorization.after_login! user, auth_hash
      end
      login_user_if_active(user)
    end
  end

  def authorization_failed(user, error)
    logger.warn "Authorization for User #{user.id} failed: #{error}"
    show_error error
  end

  def show_error(error)
    flash[:error] = error
    redirect_to :action => 'login'
  end

  # a user may login via omniauth and (if that user does not exist
  # in our database) will be created using this method.
  def create_user_from_omniauth(user, auth_hash)
    # Self-registration off
    return self_registration_disabled unless Setting.self_registration?

    fill_user_fields_from_omniauth user, auth_hash

    opts = { after_login: ->(u) { OpenProject::OmniAuth::Authorization.after_login! u, auth_hash } }

    # Create on the fly
    register_user_according_to_setting(user, opts) do
      # Allow registration form to show provider-specific title
      @omniauth_strategy = auth_hash[:provider]

      # Store a timestamp so we can later make sure that authentication information can
      # only be reused for a short time.
      session_info = auth_hash.merge(omniauth: true, timestamp: Time.new)

      onthefly_creation_failed(user, session_info)
    end
  end

  def register_via_omniauth(user, session, permitted_params)
    auth = session[:auth_source_registration]
    return if handle_omniauth_registration_expired(auth)

    fill_user_fields_from_omniauth(user, auth)
    user.update_attributes(permitted_params.user_register_via_omniauth)

    opts = { after_login: ->(u) { OpenProject::OmniAuth::Authorization.after_login! u, auth } }
    register_user_according_to_setting user, opts
  end

  def fill_user_fields_from_omniauth(user, auth)
    user.update_attributes omniauth_hash_to_user_attributes(auth)
    user.register
    user
  end

  def omniauth_hash_to_user_attributes(auth)
    info = auth[:info]
    {
      login:        info[:email],
      mail:         info[:email],
      firstname:    info[:first_name] || info[:name],
      lastname:     info[:last_name],
      identity_url: identity_url_from_omniauth(auth)
    }
  end

  def identity_url_from_omniauth(auth)
    "#{auth[:provider]}:#{auth[:uid]}"
  end

  # if the omni auth registration happened too long ago,
  # we don't accept it anymore.
  def handle_omniauth_registration_expired(auth)
    if auth['timestamp'] < Time.now - 30.minutes
      flash[:error] = I18n.t(:error_omniauth_registration_timed_out)
      redirect_to(signin_url)
    end
  end

  def self.url_with_params(url, params = {})
    URI.parse(url).tap do |uri|
      query = URI.decode_www_form(uri.query || '')
      params.each do |key, value|
        query << [key, value]
      end
      uri.query = URI.encode_www_form(query) unless query.empty?
    end.to_s
  end
end
redirect to last URL after direct omniauth login 10 years ago			`require 'uri'`

extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`##`
			`# Intended to be used by the AccountController to handle omniauth logins`
fixes references to OmniauthLogin 10 years ago			`module Concerns::OmniauthLogin`
make omniauth developer strategy work again 10 years ago			`def self.included(base)`
			`# disable CSRF protection since that should be covered by the omniauth strategy`
			`base.skip_before_filter :verify_authenticity_token, :only => [:omniauth_login]`
			`end`

extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`def omniauth_login`
			`auth_hash = request.env['omniauth.auth']`
Omniauth: Return 400 on invalid auth_hash 11 years ago
honor timestamp in auth_hash 11 years ago			`return render_400 unless auth_hash.valid?`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
			`# Set back url to page the omniauth login link was clicked on`
			`params[:back_url] = request.env['omniauth.origin']`
OmniAuth Authorization API 10 years ago			`user = User.find_or_initialize_by_identity_url identity_url_from_omniauth(auth_hash)`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
spell out decision variable's name 10 years ago			`decision = OpenProject::OmniAuth::Authorization.authorized? auth_hash`
			`if decision.approve?`
OmniAuth Authorization API 10 years ago			`authorization_successful user, auth_hash`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`else`
spell out decision variable's name 10 years ago			`authorization_failed user, decision.message`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`end`
			`end`

			`def omniauth_failure`
			`logger.warn(params[:message]) if params[:message]`
OmniAuth Authorization API 10 years ago			`show_error I18n.t(:error_external_authentication_failed)`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`end`

omniauth direct login 10 years ago			`def self.direct_login?`
			`direct_login_provider.is_a? String`
			`end`

			`##`
			`# Per default the user may choose the usual password login as well as several omniauth providers`
			`# on the login page and in the login drop down menu.`
			`#`
			`# With his configuration option you can set a specific omniauth provider to be`
			`# used for direct login. Meaning that the login provider selection is skipped and`
			`# the configured provider is used directly instead.`
			`#`
			`# If this option is active /login will lead directly to the configured omniauth provider`
			`# and so will a click on 'Sign in' (as opposed to opening the drop down menu).`
			`def self.direct_login_provider`
			`OpenProject::Configuration['omniauth_direct_login_provider']`
			`end`

redirect to last URL after direct omniauth login 10 years ago			`def self.direct_login_provider_url(params = {})`
			`url_with_params "/auth/#{direct_login_provider}", params if direct_login?`
omniauth direct login 10 years ago			`end`

extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`private`

made rest of support methods private 10 years ago			`def authorization_successful(user, auth_hash)`
			`if user.new_record?`
			`create_user_from_omniauth user, auth_hash`
			`else`
on_success callback for Authorization 10 years ago			`if user.active?`
			`user.log_successful_login`
Omniauth: Add after_login, remove on_success After a successfull login seems to be a much clearer description of when the callback will be executed than "on successful authorization". E.g. it's not clear whether ending up on the registration page also indicates successful authorization (which it does in the OmniAuth sense, but not in the OpenProject sense). The after login callback is called each time a user is logged in, no matter whether that happens via regular Omniauth login or after completing the registration process and being automatically logged in (when automated account activation is enabled). 10 years ago			`OpenProject::OmniAuth::Authorization.after_login! user, auth_hash`
on_success callback for Authorization 10 years ago			`end`
made rest of support methods private 10 years ago			`login_user_if_active(user)`
			`end`
			`end`

			`def authorization_failed(user, error)`
			`logger.warn "Authorization for User #{user.id} failed: #{error}"`
			`show_error error`
			`end`

OmniAuth Authorization API 10 years ago			`def show_error(error)`
			`flash[:error] = error`
			`redirect_to :action => 'login'`
			`end`

extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`# a user may login via omniauth and (if that user does not exist`
			`# in our database) will be created using this method.`
			`def create_user_from_omniauth(user, auth_hash)`
			`# Self-registration off`
Show error on attempt to register with disabled self registration This happens for normal registration as well as registration via omniauth. This also changes the redirect to not go to / and go to signin_url instead. 11 years ago			`return self_registration_disabled unless Setting.self_registration?`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
OmniAuth Authorization API 10 years ago			`fill_user_fields_from_omniauth user, auth_hash`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
Omniauth: Add after_login, remove on_success After a successfull login seems to be a much clearer description of when the callback will be executed than "on successful authorization". E.g. it's not clear whether ending up on the registration page also indicates successful authorization (which it does in the OmniAuth sense, but not in the OpenProject sense). The after login callback is called each time a user is logged in, no matter whether that happens via regular Omniauth login or after completing the registration process and being automatically logged in (when automated account activation is enabled). 10 years ago			`opts = { after_login: ->(u) { OpenProject::OmniAuth::Authorization.after_login! u, auth_hash } }`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
OmniAuth Authorization API 10 years ago			`# Create on the fly`
on_success callback for Authorization 10 years ago			`register_user_according_to_setting(user, opts) do`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`# Allow registration form to show provider-specific title`
			`@omniauth_strategy = auth_hash[:provider]`

			`# Store a timestamp so we can later make sure that authentication information can`
			`# only be reused for a short time.`
			`session_info = auth_hash.merge(omniauth: true, timestamp: Time.new)`

			`onthefly_creation_failed(user, session_info)`
			`end`
			`end`

			`def register_via_omniauth(user, session, permitted_params)`
			`auth = session[:auth_source_registration]`
honor timestamp in auth_hash 11 years ago			`return if handle_omniauth_registration_expired(auth)`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago
on_success callback for Authorization 10 years ago			`fill_user_fields_from_omniauth(user, auth)`
			`user.update_attributes(permitted_params.user_register_via_omniauth)`
pass auth_hash to #on_success. Call it upon bumpy registration too. 10 years ago
Omniauth: Add after_login, remove on_success After a successfull login seems to be a much clearer description of when the callback will be executed than "on successful authorization". E.g. it's not clear whether ending up on the registration page also indicates successful authorization (which it does in the OmniAuth sense, but not in the OpenProject sense). The after login callback is called each time a user is logged in, no matter whether that happens via regular Omniauth login or after completing the registration process and being automatically logged in (when automated account activation is enabled). 10 years ago			`opts = { after_login: ->(u) { OpenProject::OmniAuth::Authorization.after_login! u, auth } }`
pass auth_hash to #on_success. Call it upon bumpy registration too. 10 years ago			`register_user_according_to_setting user, opts`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`end`

			`def fill_user_fields_from_omniauth(user, auth)`
OmniAuth Authorization API 10 years ago			`user.update_attributes omniauth_hash_to_user_attributes(auth)`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`user.register`
			`user`
			`end`

OmniAuth Authorization API 10 years ago			`def omniauth_hash_to_user_attributes(auth)`
			`info = auth[:info]`
			`{`
			`login: info[:email],`
			`mail: info[:email],`
			`firstname: info[:first_name] \|\| info[:name],`
			`lastname: info[:last_name],`
			`identity_url: identity_url_from_omniauth(auth)`
			`}`
			`end`

extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`def identity_url_from_omniauth(auth)`
			`"#{auth[:provider]}:#{auth[:uid]}"`
			`end`
honor timestamp in auth_hash 11 years ago
			`# if the omni auth registration happened too long ago,`
			`# we don't accept it anymore.`
			`def handle_omniauth_registration_expired(auth)`
			`if auth['timestamp'] < Time.now - 30.minutes`
			`flash[:error] = I18n.t(:error_omniauth_registration_timed_out)`
			`redirect_to(signin_url)`
			`end`
			`end`
redirect to last URL after direct omniauth login 10 years ago
			`def self.url_with_params(url, params = {})`
			`URI.parse(url).tap do \|uri\|`
			`query = URI.decode_www_form(uri.query \|\| '')`
			`params.each do \|key, value\|`
			`query << [key, value]`
			`end`
			`uri.query = URI.encode_www_form(query) unless query.empty?`
			`end.to_s`
			`end`
extract omniauth logic from AccountController into separate omniauth concern 11 years ago			`end`