diff options
Diffstat (limited to 'app/controllers')
13 files changed, 8 insertions, 105 deletions
diff --git a/app/controllers/admin/sign_in_token_authentications_controller.rb b/app/controllers/admin/sign_in_token_authentications_controller.rb deleted file mode 100644 index e620ab292..000000000 --- a/app/controllers/admin/sign_in_token_authentications_controller.rb +++ /dev/null @@ -1,27 +0,0 @@ -# frozen_string_literal: true - -module Admin - class SignInTokenAuthenticationsController < BaseController - before_action :set_target_user - - def create - authorize @user, :enable_sign_in_token_auth? - @user.update(skip_sign_in_token: false) - log_action :enable_sign_in_token_auth, @user - redirect_to admin_account_path(@user.account_id) - end - - def destroy - authorize @user, :disable_sign_in_token_auth? - @user.update(skip_sign_in_token: true) - log_action :disable_sign_in_token_auth, @user - redirect_to admin_account_path(@user.account_id) - end - - private - - def set_target_user - @user = User.find(params[:user_id]) - end - end -end diff --git a/app/controllers/api/v1/admin/account_actions_controller.rb b/app/controllers/api/v1/admin/account_actions_controller.rb index 15af50822..6c9e04402 100644 --- a/app/controllers/api/v1/admin/account_actions_controller.rb +++ b/app/controllers/api/v1/admin/account_actions_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::AccountActionsController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' } before_action :require_staff! before_action :set_account diff --git a/app/controllers/api/v1/admin/accounts_controller.rb b/app/controllers/api/v1/admin/accounts_controller.rb index 4b6dab208..dc9d3402f 100644 --- a/app/controllers/api/v1/admin/accounts_controller.rb +++ b/app/controllers/api/v1/admin/accounts_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::AccountsController < Api::BaseController - protect_from_forgery with: :exception - include Authorization include AccountableConcern diff --git a/app/controllers/api/v1/admin/dimensions_controller.rb b/app/controllers/api/v1/admin/dimensions_controller.rb index b1f738990..49a5be1c3 100644 --- a/app/controllers/api/v1/admin/dimensions_controller.rb +++ b/app/controllers/api/v1/admin/dimensions_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::DimensionsController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_dimensions diff --git a/app/controllers/api/v1/admin/measures_controller.rb b/app/controllers/api/v1/admin/measures_controller.rb index d64c3cdf7..da95d3422 100644 --- a/app/controllers/api/v1/admin/measures_controller.rb +++ b/app/controllers/api/v1/admin/measures_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::MeasuresController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_measures diff --git a/app/controllers/api/v1/admin/reports_controller.rb b/app/controllers/api/v1/admin/reports_controller.rb index fbfd0ee12..865ba3d23 100644 --- a/app/controllers/api/v1/admin/reports_controller.rb +++ b/app/controllers/api/v1/admin/reports_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::ReportsController < Api::BaseController - protect_from_forgery with: :exception - include Authorization include AccountableConcern diff --git a/app/controllers/api/v1/admin/retention_controller.rb b/app/controllers/api/v1/admin/retention_controller.rb index 4af5a5c4d..98d1a3d81 100644 --- a/app/controllers/api/v1/admin/retention_controller.rb +++ b/app/controllers/api/v1/admin/retention_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::RetentionController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_cohorts diff --git a/app/controllers/api/v1/admin/trends/links_controller.rb b/app/controllers/api/v1/admin/trends/links_controller.rb index 63b3d9358..0a191fe4b 100644 --- a/app/controllers/api/v1/admin/trends/links_controller.rb +++ b/app/controllers/api/v1/admin/trends/links_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::Trends::LinksController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_links diff --git a/app/controllers/api/v1/admin/trends/statuses_controller.rb b/app/controllers/api/v1/admin/trends/statuses_controller.rb index 86633cc74..cb145f165 100644 --- a/app/controllers/api/v1/admin/trends/statuses_controller.rb +++ b/app/controllers/api/v1/admin/trends/statuses_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::Trends::StatusesController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_statuses diff --git a/app/controllers/api/v1/admin/trends/tags_controller.rb b/app/controllers/api/v1/admin/trends/tags_controller.rb index 5cc4c269d..9c28b0412 100644 --- a/app/controllers/api/v1/admin/trends/tags_controller.rb +++ b/app/controllers/api/v1/admin/trends/tags_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::Admin::Trends::TagsController < Api::BaseController - protect_from_forgery with: :exception - before_action -> { authorize_if_got_token! :'admin:read' } before_action :require_staff! before_action :set_tags diff --git a/app/controllers/api/v1/trends/tags_controller.rb b/app/controllers/api/v1/trends/tags_controller.rb index d77857871..329ef5ae7 100644 --- a/app/controllers/api/v1/trends/tags_controller.rb +++ b/app/controllers/api/v1/trends/tags_controller.rb @@ -16,7 +16,7 @@ class Api::V1::Trends::TagsController < Api::BaseController def set_tags @tags = begin if Setting.trends - Trends.tags.query.allowed.limit(limit_param(DEFAULT_TAGS_LIMIT)) + Trends.tags.query.allowed.offset(offset_param).limit(limit_param(DEFAULT_TAGS_LIMIT)) else [] end diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index 8607077f7..056f8a9f1 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -10,7 +10,6 @@ class Auth::SessionsController < Devise::SessionsController prepend_before_action :set_pack include TwoFactorAuthenticationConcern - include SignInTokenAuthenticationConcern before_action :set_instance_presenter, only: [:new] before_action :set_body_classes @@ -68,7 +67,7 @@ class Auth::SessionsController < Devise::SessionsController end def user_params - params.require(:user).permit(:email, :password, :otp_attempt, :sign_in_token_attempt, credential: {}) + params.require(:user).permit(:email, :password, :otp_attempt, credential: {}) end def after_sign_in_path_for(resource) @@ -148,6 +147,12 @@ class Auth::SessionsController < Devise::SessionsController ip: request.remote_ip, user_agent: request.user_agent ) + + UserMailer.suspicious_sign_in(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later! if suspicious_sign_in?(user) + end + + def suspicious_sign_in?(user) + SuspiciousSignInDetector.new(user).suspicious?(request) end def on_authentication_failure(user, security_measure, failure_reason) diff --git a/app/controllers/concerns/sign_in_token_authentication_concern.rb b/app/controllers/concerns/sign_in_token_authentication_concern.rb deleted file mode 100644 index 4eb3d7181..000000000 --- a/app/controllers/concerns/sign_in_token_authentication_concern.rb +++ /dev/null @@ -1,57 +0,0 @@ -# frozen_string_literal: true - -module SignInTokenAuthenticationConcern - extend ActiveSupport::Concern - - included do - prepend_before_action :authenticate_with_sign_in_token, if: :sign_in_token_required?, only: [:create] - end - - def sign_in_token_required? - find_user&.suspicious_sign_in?(request.remote_ip) - end - - def valid_sign_in_token_attempt?(user) - Devise.secure_compare(user.sign_in_token, user_params[:sign_in_token_attempt]) - end - - def authenticate_with_sign_in_token - if user_params[:email].present? - user = self.resource = find_user_from_params - prompt_for_sign_in_token(user) if user&.external_or_valid_password?(user_params[:password]) - elsif session[:attempt_user_id] - user = self.resource = User.find_by(id: session[:attempt_user_id]) - return if user.nil? - - if session[:attempt_user_updated_at] != user.updated_at.to_s - restart_session - elsif user_params.key?(:sign_in_token_attempt) - authenticate_with_sign_in_token_attempt(user) - end - end - end - - def authenticate_with_sign_in_token_attempt(user) - if valid_sign_in_token_attempt?(user) - on_authentication_success(user, :sign_in_token) - else - on_authentication_failure(user, :sign_in_token, :invalid_sign_in_token) - flash.now[:alert] = I18n.t('users.invalid_sign_in_token') - prompt_for_sign_in_token(user) - end - end - - def prompt_for_sign_in_token(user) - if user.sign_in_token_expired? - user.generate_sign_in_token && user.save - UserMailer.sign_in_token(user, request.remote_ip, request.user_agent, Time.now.utc.to_s).deliver_later! - end - - set_attempt_session(user) - use_pack 'auth' - - @body_classes = 'lighter' - - set_locale { render :sign_in_token } - end -end |