standard_id 0.24.0 → 0.25.0
- checksums.yaml +4 -4
- data/lib/standard_id/version.rb +1 -1
- data/lib/standard_id/web/session_manager.rb +18 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 99d7cfa49958800d64f4798faa9811f7bbb5b2b48a15259dc175c69530bd6891
|
|
4
|
+
data.tar.gz: 915aecf6b38851c2d8858c541a999571923bd11749aa2f45e315cceb263bf0a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9b1a05470a63051f476189c8a8bafabb271e34754cc59774a0cc6aa8e361fd01a217882504ab41f8c01ee58dea69f5ac437948e02d0abfb71db8b643e8837e77
|
|
7
|
+
data.tar.gz: 7da0cdaf7b12dcbbc1a7c17d808c0c803857448f56b929336f09c8591a7c1b602ecf32381c58d785ec0ff274d5167524a47837a9fbc7141630d7f9fc75265e2e
|
data/lib/standard_id/version.rb
CHANGED
|
@@ -35,7 +35,7 @@ module StandardId
|
|
|
35
35
|
# Store in both session and encrypted cookie for backward compatibility
|
|
36
36
|
# Action Cable will use the encrypted cookie
|
|
37
37
|
session[:session_token] = browser_session.token
|
|
38
|
-
|
|
38
|
+
write_session_cookie(browser_session)
|
|
39
39
|
if scope_name
|
|
40
40
|
scopes = Array(session[:standard_id_scopes])
|
|
41
41
|
scopes << scope_name.to_s unless scopes.include?(scope_name.to_s)
|
|
@@ -71,6 +71,22 @@ module StandardId
|
|
|
71
71
|
|
|
72
72
|
private
|
|
73
73
|
|
|
74
|
+
# Persist the session token in an encrypted cookie whose lifetime matches
|
|
75
|
+
# the DB session's expires_at, so an authenticated session survives a full
|
|
76
|
+
# browser restart (a bare session cookie would be cleared on browser close,
|
|
77
|
+
# logging the user out well before the BrowserSession actually expires).
|
|
78
|
+
# httponly/secure/same_site harden the cookie; httponly does not affect
|
|
79
|
+
# Action Cable, which reads the cookie server-side.
|
|
80
|
+
def write_session_cookie(browser_session)
|
|
81
|
+
cookies.encrypted[:session_token] = {
|
|
82
|
+
value: browser_session.token,
|
|
83
|
+
expires: browser_session.expires_at,
|
|
84
|
+
httponly: true,
|
|
85
|
+
secure: request.ssl?,
|
|
86
|
+
same_site: :lax
|
|
87
|
+
}
|
|
88
|
+
end
|
|
89
|
+
|
|
74
90
|
def load_current_account
|
|
75
91
|
if StandardId.config.account_scope
|
|
76
92
|
account_id = current_session&.account_id
|
|
@@ -121,7 +137,7 @@ module StandardId
|
|
|
121
137
|
token_manager.create_browser_session(password_credential.account, remember_me: true).tap do |browser_session|
|
|
122
138
|
# Store in both session and encrypted cookie for backward compatibility
|
|
123
139
|
session[:session_token] = browser_session.token
|
|
124
|
-
|
|
140
|
+
write_session_cookie(browser_session)
|
|
125
141
|
cookies[:remember_token] = token_manager.create_remember_token(password_credential)
|
|
126
142
|
end
|
|
127
143
|
end
|
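Review bot: `secure: request.ssl?` in write_session_cookie ties the Secure flag of a long-lived authentication cookie to how the current request arrived, so behind a TLS-terminating proxy whose forwarded-proto header is not trusted, or on any plain-HTTP hit, the session token is written without Secure and can then be replayed in cleartext for the whole `expires_at` window; prefer `secure: true` outside local development, driven by an explicit configuration flag rather than per-request inspection. The helper also makes every session_token cookie persistent, including the call at line 37 whose enclosing method starts outside the hunk and may not be a remember-me login, while the `remember_me: true` path at line 137 is the only one that visibly opts into long-lived state — consider passing `expires:` only when the session was created with remember_me. Because the cookie now outlives the browser, sign-out must also `cookies.delete(:session_token)`; that code is not in this diff, so please confirm it does. Separately, the unchanged `cookies[:remember_token] = ...` line just below the second call site sets a plain cookie with no httponly/secure/same_site attributes, which is inconsistent with the hardening this helper introduces and worth a follow-up.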