adamcooke / authie

๐Ÿ‘ฎโ€โ™‚๏ธ Improve user session security in Ruby on Rails applications with database session storage

License: MIT License

Ruby 93.61% HTML 6.39%
authentication persistent-sessions rails ruby session-cookie

Contributors: adamcooke, deanpcmad, gavrhy, github-actions[bot], glacials, jimeh, paulsturgess, petergoldstein, skylarmacdonald


authie's Issues

Using Authie in route middleware

Hi there,

I've got a question regarding using current_user in a route constraint in Rails. I've got a route constraint in which I check the role of the authenticated user (if any) and adjust the root_path according to their role.

The code looks something like this:

class UserTypeConstraint
  def initialize(user_type)
    @user_type = user_type
  end

  def matches?(request)
    controller = Authie::RackController.new(request.env)
    current_user = controller.current_user
    current_user && current_user.send("#{@user_type}?".to_sym)
  end
end

But it seems the Authie::RackController can't be loaded. Any ideas why this happens, whether it's intended, or whether I'm just doing something wrong?

Cheers

What to do about default Rails session management?

I notice this gem doesn't act as a drop-in replacement, i.e. an ActiveRecord Session Store alternative. What do we do with existing Rails session management? For instance, the default Rails project will have:

# config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_my_app_session'

Would you remove ActionDispatch::Session::CookieStore Rack middleware?

Nice work btw.

Migration Error

If I try to run the migrations task, I get the following error (Rails 6.0.3.4, Ruby 2.7.2):

rake aborted!
NoMethodError: undefined method `helper_method' for ActionController::API:Class
/home/mkrs/pdms/config/environment.rb:5:in `<main>'
Tasks: TOP => railties:install:migrations => db:load_config => environment

EDIT

The problem seems to occur in this piece of code:

module Authie
  module ControllerExtension

    def self.included(base)
      # fails when base is ActionController::API, which has no helper_method
      base.helper_method :logged_in?, :current_user, :auth_session
      before_action_method = base.respond_to?(:before_action) ? :before_action : :before_filter
      base.public_send(before_action_method, :set_browser_id, :touch_auth_session)
    end

  end
end

It happens the second time this function is called, when base is equal to ActionController::API.
It seems to be an incompatibility issue with some inheritance.
Can I fix this on my side, or does it have to be fixed on the gem side?

v3.3.0 release?

This commit, which changed auto-loading behaviour, bumped the version to 3.3.0 but that hasn't been released to RubyGems yet (the latest is 3.2.0).

I assume that that change also closes #17, as it completely removes the line in question. That would be great because I could install authie regularly instead of pointing to master when upgrading to Rails 6.

So:

  1. Release 3.3.0 to RubyGems
  2. Close #17 (?)

Thank you!

User impersonation not returning to parent session

I have implemented the "user impersonation" feature as described in the readme and while the first step (impersonating as a user) works great, returning to the parent session does not.

After calling auth_session.revert_to_parent! I am completely logged out instead.

When logging in in a second browser window (incognito) and looking at all sessions for the admin user, I can see that the session from which the impersonation is started is marked inactive once the impersonation starts and marked active again when it ends, but in the browser where I end the impersonation I have no active session anymore.

Here's the code (in a controller), which is pretty much exactly as it is in the readme:

def impersonate_user
  auth_session.impersonate!(User.find(params[:user_id]))
  redirect_to root_path
end

def revert_impersonation
  auth_session.revert_to_parent!
  redirect_to root_path
end

I hope that makes sense. Is there anything I'm missing?

Update: I can get it to work by grabbing the user off the parent session, destroying the parent session, and then starting a new session for the user. Seems a bit unnecessary though; I'd prefer to just properly activate the parent again.

def revert_impersonation
  parent_session = auth_session.revert_to_parent!
  parent_session.destroy!
  create_auth_session(parent_session.user)

  redirect_to root_path
end

Typo in ReadMe

Thanks for writing this gem.

Under "Sudo functions", I think the configuration setting
Authie.config.sudo_timeout = 30.minutes
should be
Authie.config.sudo_session_timeout = 30.minutes

Toggle Authie in certain controllers

We have some controllers for a public API that we would like to turn off authie for. Is it possible to do this cleanly? I tried doing a skip_before_action with set_browser_id and touch_auth_session, but it still runs some of the code. We would like to be able to disable it completely for all but 1 or 2 of the endpoints, as they don't need any kind of session checking (some of the endpoints still rely on cookie authentication).

Use bigint in migrations

Currently id-type columns are created as integers. Since Rails 5.1 the default has been bigint, so it would make sense to update the Authie migrations to use bigint as well.

Rails 6 + Zeitwerk name error

After upgrading to Rails 6 and enabling the new autoloader, it seems Rails is no longer able to find the authie session properly, throwing this error: uninitialized constant Authie::Session (NameError). The error is specifically being thrown because of this line: rescue_from Authie::Session::ValidityError, with: :auth_session_error. If I turn the classic autoloader back on, no errors are thrown.

Let me know if you need any more info from me about this.

Error when using UUID

Hi, how do I make it work with UUID?
It gives this error: "Operand type clash: int is incompatible with uniqueidentifier"

SQL instead of ActiveRecord

This is good, but it would be better to bypass ActiveRecord and use SQL directly. I've found the following, but I don't know how up-to-date or secure or reliable they are. Rails would benefit from an up-to-date fast cookie/sql session store with the features you have here. Also I would like to see more adoption to convince me it's secure before I bet the business on it.

http://apidock.com/rails/v3.2.8/ActiveRecord/SessionStore/SqlBypass included in Rails 3.2
http://archive.railsforum.com/viewtopic.php?id=42802
http://kovyrin.net/2008/02/06/fastsessions-rails-plugin-released/
https://code.google.com/p/rails-fast-sessions/
http://railsexpress.de/blog/articles/2005/12/19/roll-your-own-sql-session-store/
https://gist.github.com/robertsosinski/3869435
https://github.com/nateware/sql_session_store
https://github.com/skaes/sql_session_store

Upgrade from version 2 to 3 instructions

Hi @adamcooke, thanks for this great gem!

In an existing project I would like to upgrade from authie version 2 to 3.

Can you provide some advice/instructions on how to do so?
The errors I get have to do with undefined method `token_hash='. Is the solution to simply add a migration?

Thanks for your efforts!

Truncate Authie::Session#user_agent before it's persisted: "Data too long for column 'user_agent'"

Hi @adamcooke. I think d315875 is incomplete. I use version 1.2.4 of this gem on a project at work (thanks so much for your work on this) and required this fix after hitting the same issue that you undoubtedly did, but I'm not quite ready to upgrade to the next major version.

The before_create above, where it assigns AuthieSession#user_agent in a controller context, is still able to throw the same error.

Locally, I've implemented a fix for this by overriding AuthieSession#user_agent= like so:

module Authie
  class Session < ActiveRecord::Base

    # Truncate to the 255-character column limit; fall back to the raw value
    # (e.g. nil) when slicing is not possible.
    def user_agent=(value)
      super value[0, 255]
    rescue
      super
    end

  end
end

This seems to take care of the issue and allows me to save Authie::Session instances again.

I couldn't override the before_create, as it's implemented with an anonymous block, and I wasn't sure I could guarantee the callback order if I added another before_create. before_create is the last callback in the stack before a record is persisted, so I couldn't add another (different) one.

Just wanted to bring this to your attention. Hope this is helpful.
