authie 3.3.2 → 4.0.0.rc3

data/lib/authie/session.rb

@@ -1,337 +1,290 @@
-require 'secure_random_string'
+# frozen_string_literal: true
+
+require 'authie/session_model'
+require 'authie/error'
+require 'authie/config'
+require 'active_support/core_ext/module/delegation'
 
 module Authie
-  class Session < ActiveRecord::Base
+  class Session
+    # The underlying session model instance
+    #
+    # @return [Authie::SessionModel]
+    attr_reader :session
 
-    # Errors which will be raised when there's an issue with a session's
-    # validity in the request.
+    # A parent class that encapsulates all session validity errors.
     class ValidityError < Error; end
-    class InactiveSession < ValidityError; end
-    class ExpiredSession < ValidityError; end
-    class BrowserMismatch < ValidityError; end
-    class HostMismatch < ValidityError; end
-
-    class NoParentSessionForRevert < Error; end
-
-    # Set table name
-    self.table_name = "authie_sessions"
-
-    # Relationships
-    parent_options = {:class_name => "Authie::Session"}
-    parent_options[:optional] = true if ActiveRecord::VERSION::MAJOR >= 5
-    belongs_to :parent, parent_options
-
-    # Scopes
-    scope :active, -> { where(:active => true) }
-    scope :asc, -> { order(:last_activity_at => :desc) }
-    scope :for_user, -> (user) { where(:user_type => user.class.name, :user_id => user.id) }
-
-    # Attributes
-    serialize :data, Hash
-    attr_accessor :controller
-    attr_accessor :temporary_token
 
-    before_validation do
-      if self.user_agent.is_a?(String)
-        self.user_agent = self.user_agent[0,255]
-      end
+    # Raised when a session is used but it is no longer active
+    class InactiveSession < ValidityError; end
 
-      if self.last_activity_path.is_a?(String)
-        self.last_activity_path = self.last_activity_path[0,255]
-      end
-    end
+    # Raised when a session is used but it has expired
+    class ExpiredSession < ValidityError; end
 
-    before_create do
-      self.temporary_token = SecureRandomString.new(44)
-      self.token_hash = self.class.hash_token(self.temporary_token)
-      if controller
-        self.user_agent = controller.request.user_agent
-        set_cookie!
-      end
-    end
+    # Raised when a session is used but the browser ID does not match
+    class BrowserMismatch < ValidityError; end
 
-    before_destroy do
-      cookies.delete(:user_session) if controller
-    end
+    # Raised when a session is used but the hostname does not match
+    # the session hostname
+    class HostMismatch < ValidityError; end
 
-    # Return the user that
-    def user
-      if self.user_id && self.user_type
-        @user ||= self.user_type.constantize.find_by(:id => self.user_id) || :none
-        @user == :none ? nil : @user
-      end
+    # Initialize a new session object
+    #
+    # @param controller [ActionController::Base] any controller
+    # @param session [Authie::SessionModel] an Authie session model instance
+    # @return [Authie::Session]
+    def initialize(controller, session)
+      @controller = controller
+      @session = session
+    end
+
+    # Validate that the session is valid and raise and error if not
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @return [Authie::Session]
+    def validate
+      validate_browser_id
+      validate_active
+      validate_expiry
+      validate_inactivity
+      validate_host
+      self
+    end
+
+    # Mark the current session as persistent. Will set the expiry time of the underlying
+    # session and update the cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def persist
+      @session.expires_at = Authie.config.persistent_session_length.from_now
+      @session.save!
+      set_cookie
+      self
+    end
+
+    # Invalidates the current session by marking it inactive and removing the current cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def invalidate
+      @session.invalidate!
+      cookies.delete(:user_session)
+      self
+    end
+
+    # Touches the current session to ensure it is currently valid and to update attributes
+    # which should be updatd on each request. This will raise the same errors as the #validate
+    # method. It will set the last activity time, IP and path as well as incrementing
+    # the request counter.
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def touch
+      validate
+      @session.last_activity_at = Time.now
+      @session.last_activity_ip = @controller.request.ip
+      @session.last_activity_path = @controller.request.path
+      @session.requests += 1
+      @session.save!
+      Authie.config.events.dispatch(:session_touched, self)
+      self
     end
 
-    # Set the user
-    def user=(user)
-      if user
-        self.user_type = user.class.name
-        self.user_id = user.id
-      else
-        self.user_type = nil
-        self.user_id = nil
-      end
+    # Mark the session's password as seen at the current time
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def see_password
+      @session.password_seen_at = Time.now
+      @session.save!
+      Authie.config.events.dispatch(:seen_password, self)
+      self
+    end
+
+    # Mark this request as two factored by setting the time and the current
+    # IP address.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def mark_as_two_factored
+      @session.two_factored_at = Time.now
+      @session.two_factored_ip = @controller.request.ip
+      @session.save!
+      Authie.config.events.dispatch(:marked_as_two_factor, self)
+      self
+    end
+
+    # Starts a new session by setting the cookie. This should be invoked whenever
+    # a new session begins. It usually does not need to be called directly as it
+    # will be taken care of by the class-level start method.
+    #
+    # @return [Authie::Session]
+    def start
+      set_cookie
+      Authie.config.events.dispatch(:start_session, session)
+      self
     end
 
-    # This method should be called each time a user performs an
-    # action while authenticated with this session.
-    def touch!
-      self.check_security!
-      self.last_activity_at = Time.now
-      self.last_activity_ip = controller.request.ip
-      self.last_activity_path = controller.request.path
-      self.requests += 1
-      self.save!
-      Authie.config.events.dispatch(:session_touched, self)
-      true
-    end
+    private
 
-    # Sets the cookie on the associated controller.
-    def set_cookie!(value = self.temporary_token)
+    # rubocop:disable Naming/AccessorMethodName
+    def set_cookie(value = @session.temporary_token)
       cookies[:user_session] = {
-        :value => value,
-        :secure => controller.request.ssl?,
-        :httponly => true,
-        :expires => self.expires_at
+        value: value,
+        secure: @controller.request.ssl?,
+        httponly: true,
+        expires: @session.expires_at
       }
       Authie.config.events.dispatch(:session_cookie_updated, self)
       true
     end
+    # rubocop:enable Naming/AccessorMethodName
 
-    # Sets the cookie for the parent session on the associated controller.
-    def set_parent_cookie!
-      cookies[:parent_user_session] = {
-        :value => cookies[:user_session],
-        :secure => controller.request.ssl?,
-        :httponly => true,
-        :expires => self.expires_at
-      }
-      Authie.config.events.dispatch(:parent_session_cookie_updated, self)
-      true
+    def cookies
+      @controller.send(:cookies)
     end
 
-    # Check the security of the session to ensure it can be used.
-    def check_security!
-      if controller
-        if cookies[:browser_id] != self.browser_id
-          invalidate!
-          Authie.config.events.dispatch(:browser_id_mismatch_error, self)
-          raise BrowserMismatch, "Browser ID mismatch"
-        end
-
-        unless self.active?
-          invalidate!
-          Authie.config.events.dispatch(:invalid_session_error, self)
-          raise InactiveSession, "Session is no longer active"
-        end
-
-        if self.expired?
-          invalidate!
-          Authie.config.events.dispatch(:expired_session_error, self)
-          raise ExpiredSession, "Persistent session has expired"
-        end
-
-        if self.inactive?
-          invalidate!
-          Authie.config.events.dispatch(:inactive_session_error, self)
-          raise InactiveSession, "Non-persistent session has expired"
-        end
-
-        if self.host && self.host != controller.request.host
-          invalidate!
-          Authie.config.events.dispatch(:host_mismatch_error, self)
-          raise HostMismatch, "Session was created on #{self.host} but accessed using #{controller.request.host}"
-        end
+    def validate_browser_id
+      if cookies[:browser_id] != @session.browser_id
+        invalidate
+        Authie.config.events.dispatch(:browser_id_mismatch_error, self)
+        raise BrowserMismatch, 'Browser ID mismatch'
       end
-    end
-
-    # Has this persistent session expired?
-    def expired?
-      self.expires_at &&
-      self.expires_at < Time.now
-    end
-
-    # Has a non-persistent session become inactive?
-    def inactive?
-      self.expires_at.nil? &&
-      self.last_activity_at &&
-      self.last_activity_at < Authie.config.session_inactivity_timeout.ago
-    end
-
-    # Allow this session to persist rather than expiring at the end of the
-    # current browser session
-    def persist!
-      self.expires_at = Authie.config.persistent_session_length.from_now
-      self.save!
-      set_cookie!
-    end
 
-    # Is this a persistent session?
-    def persistent?
-      !!expires_at
+      self
     end
 
-    # Activate an old session
-    def activate!
-      self.active = true
-      self.save!
-    end
-
-    # Mark this session as invalid
-    def invalidate!
-      self.active = false
-      self.save!
-      if controller
-        cookies.delete(:user_session)
+    def validate_active
+      unless @session.active?
+        invalidate
+        Authie.config.events.dispatch(:invalid_session_error, self)
+        raise InactiveSession, 'Session is no longer active'
       end
-      Authie.config.events.dispatch(:session_invalidated, self)
-      true
-    end
-
-    # Set some additional data in this session
-    def set(key, value)
-      self.data ||= {}
-      self.data[key.to_s] = value
-      self.save!
-    end
 
-    # Get some additional data from this session
-    def get(key)
-      (self.data ||= {})[key.to_s]
+      self
     end
 
-    # Invalidate all sessions but this one for this user
-    def invalidate_others!
-      self.class.where("id != ?", self.id).for_user(self.user).each do |s|
-        s.invalidate!
+    def validate_expiry
+      if @session.expired?
+        invalidate
+        Authie.config.events.dispatch(:expired_session_error, self)
+        raise ExpiredSession, 'Persistent session has expired'
       end
-    end
 
-    # Note that we have just seen the user enter their password.
-    def see_password!
-      self.password_seen_at = Time.now
-      self.save!
-      Authie.config.events.dispatch(:seen_password, self)
-      true
+      self
     end
 
-    # Have we seen the user's password recently in this sesion?
-    def recently_seen_password?
-      !!(self.password_seen_at && self.password_seen_at >= Authie.config.sudo_session_timeout.ago)
-    end
-
-    # Is two factor authentication required for this request?
-    def two_factored?
-      !!(two_factored_at || self.parent_id)
-    end
-
-    # Mark this request as two factor authoritsed
-    def mark_as_two_factored!
-      self.two_factored_at = Time.now
-      self.two_factored_ip = controller.request.ip
-      self.save!
-      Authie.config.events.dispatch(:marked_as_two_factored, self)
-      true
-    end
-
-    # Create a new session for impersonating for the given user
-    def impersonate!(user)
-      set_parent_cookie!
-      self.class.start(controller, :user => user, :parent => self)
-    end
-
-    # Revert back to the parent session
-    def revert_to_parent!
-      if self.parent && cookies[:parent_user_session]
-        self.invalidate!
-        self.parent.activate!
-        self.parent.controller = self.controller
-        self.parent.set_cookie!(cookies[:parent_user_session])
-        cookies.delete(:parent_user_session)
-        self.parent
-      else
-        raise NoParentSessionForRevert, "Session does not have a parent therefore cannot be reverted."
+    def validate_inactivity
+      if @session.inactive?
+        invalidate
+        Authie.config.events.dispatch(:inactive_session_error, self)
+        raise InactiveSession, 'Non-persistent session has expired'
       end
-    end
 
-    # Is this the first session for this session's browser?
-    def first_session_for_browser?
-      self.class.where("id < ?", self.id).for_user(self.user).where(:browser_id => self.browser_id).empty?
+      self
     end
 
-    # Is this the first session for the IP?
-    def first_session_for_ip?
-      self.class.where("id < ?", self.id).for_user(self.user).where(:login_ip => self.login_ip).empty?
-    end
-
-    # Find a session from the database for the given controller instance.
-    # Returns a session object or :none if no session is found.
-    def self.get_session(controller)
-      cookies = controller.send(:cookies)
-      if cookies[:user_session] && session = self.find_session_by_token(cookies[:user_session])
-        session.temporary_token = cookies[:user_session]
-        session.controller = controller
-        session
-      else
-        :none
+    def validate_host
+      if @session.host && @session.host != @controller.request.host
+        invalidate
+        Authie.config.events.dispatch(:host_mismatch_error, self)
+        raise HostMismatch, "Session was created on #{@session.host} but accessed using #{@controller.request.host}"
       end
-    end
 
-    # Find a session by a token (either from a hash or from the raw token)
-    def self.find_session_by_token(token)
-      return nil if token.blank?
-      self.active.where("token = ? OR token_hash = ?", token, self.hash_token(token)).first
-    end
+      self
+    end
+
+    class << self
+      # Create a new session within the given controller for the
+      #
+      # @param controller [ActionController::Base]
+      # @option params [ActiveRecord::Base] user
+      # @return [Authie::Session]
+      def start(controller, params = {})
+        cookies = controller.send(:cookies)
+        SessionModel.active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
+        user_object = params.delete(:user)
+
+        session = SessionModel.new(params)
+        session.user = user_object
+        session.browser_id = cookies[:browser_id]
+        session.login_at = Time.now
+        session.login_ip = controller.request.ip
+        session.host = controller.request.host
+        session.user_agent = controller.request.user_agent
+        session.save!
+
+        new(controller, session).start
+      end
 
-    # Create a new session and return the newly created session object.
-    # Any other sessions for the browser will be invalidated.
-    def self.start(controller, params = {})
-      cookies = controller.send(:cookies)
-      self.active.where(:browser_id => cookies[:browser_id]).each(&:invalidate!)
-      user_object = params.delete(:user)
-
-      session = self.new(params)
-      session.user = user_object
-      session.controller = controller
-      session.browser_id = cookies[:browser_id]
-      session.login_at = Time.now
-      session.login_ip = controller.request.ip
-      session.host = controller.request.host
-      session.save!
-      Authie.config.events.dispatch(:start_session, session)
-      session
-    end
+      # Lookup a session for a given controller and return the session
+      # object.
+      #
+      # @param controller [ActionController::Base]
+      # @return [Authie::Session]
+      def get_session(controller)
+        cookies = controller.send(:cookies)
+        return nil if cookies[:user_session].blank?
 
-    # Cleanup any old sessions.
-    def self.cleanup
-      Authie.config.events.dispatch(:before_cleanup)
-      # Invalidate transient sessions that haven't been used
-      self.active.where("expires_at IS NULL AND last_activity_at < ?", Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
-      # Invalidate persistent sessions that have expired
-      self.active.where("expires_at IS NOT NULL AND expires_at < ?", Time.now).each(&:invalidate!)
-      Authie.config.events.dispatch(:after_cleanup)
-      true
-    end
+        session = SessionModel.find_session_by_token(cookies[:user_session])
+        return nil if session.blank?
 
-    # Return a hash of a given token
-    def self.hash_token(token)
-      Digest::SHA256.hexdigest(token)
-    end
-
-    # Convert all existing active sessions to store their tokens in the database
-    def self.convert_tokens_to_hashes
-      active.where(:token_hash => nil).where("token is not null").each do |s|
-        hash = self.hash_token(s.token)
-        self.where(:id => s.id).update_all(:token_hash => hash, :token => nil)
+        session.temporary_token = cookies[:user_session]
+        new(controller, session)
       end
-    end
-
-    private
-
-    # Return all cookies on the associated controller
-    def cookies
-      controller.send(:cookies)
-    end
 
+      delegate :hash_token, to: SessionModel
+    end
+
+    # Backwards compatibility with Authie < 4.0. These methods were all available on sessions
+    # in previous versions of Authie. They have been maintained for backwards-compatibility but
+    # will be removed entirely in Authie 5.0.
+    alias check_security! validate
+    alias persist! persist
+    alias invalidate! invalidate
+    alias touch! touch
+    alias set_cookie! set_cookie
+    alias see_password! see_password
+    alias mark_as_two_factored! mark_as_two_factored
+
+    # Delegate key methods back to the underlying session model. Previous behaviour in Authie
+    # exposed all methods on the session model. It is useful that these methods can be accessed
+    # easily from this session proxy model so these are maintained as delegated methods.
+    delegate :active?, to: :session
+    delegate :browser_id, to: :session
+    delegate :expired?, to: :session
+    delegate :first_session_for_browser?, to: :session
+    delegate :first_session_for_ip?, to: :session
+    delegate :get, to: :session
+    delegate :inactive?, to: :session
+    delegate :invalidate_others!, to: :session
+    delegate :last_activity_at, to: :session
+    delegate :last_activity_ip, to: :session
+    delegate :last_activity_path, to: :session
+    delegate :login_at, to: :session
+    delegate :login_ip, to: :session
+    delegate :password_seen_at, to: :session
+    delegate :persisted?, to: :session
+    delegate :persistent?, to: :session
+    delegate :recently_seen_password?, to: :session
+    delegate :requests, to: :session
+    delegate :set, to: :session
+    delegate :temporary_token, to: :session
+    delegate :token_hash, to: :session
+    delegate :two_factored_at, to: :session
+    delegate :two_factored_ip, to: :session
+    delegate :two_factored?, to: :session
+    delegate :update, to: :session
+    delegate :update!, to: :session
+    delegate :user_agent, to: :session
+    delegate :user, to: :session
   end
 end