diff options
| author | ThibG <thib@sitedethib.com> | 2019-09-30 23:29:55 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-30 23:29:55 +0200 |
| commit | 65db9df011a3e13efa79f4e56343aa69bdad7716 (patch) | |
| tree | 1941b85de1f0d1b6f56b73345cddf664a71faf20 /app/controllers/concerns/challengable_concern.rb | |
| parent | febcdad2e2c98aee62b55ee21bdf0debf7c6fd6b (diff) | |
| parent | 3b855b5c82362783969f748ad78bcaf85f938c9f (diff) | |
Merge pull request #1224 from ThibG/glitch-soc/merge-upstream
Merge upstream changes
Diffstat (limited to 'app/controllers/concerns/challengable_concern.rb')
| -rw-r--r-- | app/controllers/concerns/challengable_concern.rb | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/app/controllers/concerns/challengable_concern.rb b/app/controllers/concerns/challengable_concern.rb new file mode 100644 index 000000000..b29d90b3c --- /dev/null +++ b/app/controllers/concerns/challengable_concern.rb @@ -0,0 +1,65 @@ +# frozen_string_literal: true + +# This concern is inspired by "sudo mode" on GitHub. It +# is a way to re-authenticate a user before allowing them +# to see or perform an action. +# +# Add `before_action :require_challenge!` to actions you +# want to protect. +# +# The user will be shown a page to enter the challenge (which +# is either the password, or just the username when no +# password exists). Upon passing, there is a grace period +# during which no challenge will be asked from the user. +# +# Accessing challenge-protected resources during the grace +# period will refresh the grace period. +module ChallengableConcern + extend ActiveSupport::Concern + + CHALLENGE_TIMEOUT = 1.hour.freeze + + def require_challenge! + return if skip_challenge? + + if challenge_passed_recently? + session[:challenge_passed_at] = Time.now.utc + return + end + + @challenge = Form::Challenge.new(return_to: request.url) + + if params.key?(:form_challenge) + if challenge_passed? + session[:challenge_passed_at] = Time.now.utc + return + else + flash.now[:alert] = I18n.t('challenge.invalid_password') + render_challenge + end + else + render_challenge + end + end + + def render_challenge + @body_classes = 'lighter' + render template: 'auth/challenges/new', layout: 'auth' + end + + def challenge_passed? + current_user.valid_password?(challenge_params[:current_password]) + end + + def skip_challenge? + current_user.encrypted_password.blank? + end + + def challenge_passed_recently? + session[:challenge_passed_at].present? && session[:challenge_passed_at] >= CHALLENGE_TIMEOUT.ago + end + + def challenge_params + params.require(:form_challenge).permit(:current_password, :return_to) + end +end |