wordjelly-auth 0.0.1

data/app/controllers/auth/concerns/devise_concern.rb

@@ -0,0 +1,193 @@
+module Auth::Concerns::DeviseConcern
+
+    extend ActiveSupport::Concern
+
+    included do
+		
+	    #skip_before_action :verify_authenticity_token, if: :is_json_request?
+        protect_from_forgery with: :null_session
+        attr_accessor :m_client
+    end
+
+    ##returns true if the recaptcha is not specified in the configuration
+    ##returns true if the recaptcha is valid.
+    ##expects the parameter 'g-recaptcha-response' in the params hash
+    ##if the request is json, and has the header os-android, then it will use the android_recaptcha_api_key as the secret key, otherwise will use the default recaptch_secret key that should have been configured in the pre-initializer.
+    ##it is currently being called in the registrations_controller on create and update, and in the otp action send_sms_otp,verify_sms_otp.
+    ##so all these are protected by recaptcha, but not on iphone.
+    def check_recaptcha
+    	
+    	return true unless Auth.configuration.recaptcha
+        
+       	recaptcha_options = {}
+    	if is_json_request?
+    		#puts "is json request."
+    		return true unless request.headers["OS-ANDROID"]
+    		#puts "android is there in headers."
+    		not_found("recaptcha validation error") unless Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
+    		#puts "android key is there in config."
+    		recaptcha_options[:secret_key] = Auth.configuration.third_party_api_keys[:android_recaptcha_secret_key]
+    	end
+    	#puts "recaptcha_options are : #{recaptcha_options}"
+    	not_found("recaptcha validation error") unless verify_recaptcha(recaptcha_options)
+    end
+
+
+	def is_omniauth_callback?	   
+	    controller_name == "omniauth_callbacks" 
+	end
+
+    def ignore_json_request
+      if is_json_request?
+        render :nothing => true, :status => 406 and return
+      end
+    end
+
+
+    ##SHOULD WE OR NOT DELETE THE CLIENT AND REDIRECT URL?
+    ##this was relevant only in the case of oauth visits
+    ##suppose someone comes from remote with redir + client.
+    ##these get set and stored in the session
+    ##then he goes to oauth and comes back.
+    ##by this time the instance variables are no more
+    ##so we fall back on the session variables and redirect him
+    ##the only worry was , that what if someone prompts the user to go to wordjelly with a redirect url of their choice.
+    ##so what i do here right now is clear the instance redirect and client vars.
+    ##then i set the client, if necessary from the session
+    ##but while doing set_redirect_url i give first pref to the redir from the params, and then CHECK whether that is valid against the client already from the sessin.
+    ##so basically they cannot be redirected to any url that is not stored against the client.
+    ##so they can at the worst be redirected only to a url which was provided during client creation.
+    ##so there is no need to delete the client from the session at every request, except if it is a json request.
+	def clear_client_and_redirect_url
+	    session.delete('omniauth.state')
+	    if is_json_request?
+	    	session.delete("client")
+	    	session.delete("redirect_url")
+	    end
+	end
+
+    def set_client
+	    
+	    if session[:client]
+	      
+	      
+	      return true
+
+	    else
+	      puts "params are: #{params.to_s}"
+	      puts params[:state]
+          puts JSON.is_json?(params[:state])
+          puts "---- end --- "
+          state = nil
+	      api_key = nil
+	      current_app_id = nil
+	      path = nil
+	      if params[:state] && JSON.is_json?(params[:state])
+	        state = JSON.parse(params[:state])
+	      end
+	      
+	      if state
+	        api_key = state["api_key"]
+	        current_app_id = state["current_app_id"]
+	        path = state["path"]
+	      elsif params[:api_key] && params[:current_app_id]
+            puts "the params api key and current app id are there."
+	        api_key = params[:api_key]
+	        current_app_id = params[:current_app_id]
+	      else
+	      end
+	      
+	      if api_key.nil? || current_app_id.nil?
+	        
+	      else
+            puts "api key:#{api_key}"
+            puts "current app id: #{current_app_id}"
+            puts "path is: #{path}"
+            
+	        if session[:client] = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
+	          	    
+                puts "found valid clinet."
+                request.env["omniauth.model"] = path
+                
+                self.m_client = Auth::Client.find_valid_api_key_and_app_id(api_key, current_app_id)
+                
+	          	return true
+	        end
+	      end
+	      return false
+	    end
+    end
+
+    def is_json_request?
+
+         return (request.format.symbol == :json) ? true : false
+    end
+
+	def protect_json_request
+	   	##should block any put action on the user
+	   	##and should render an error saying please do this on the server.
+	    if is_json_request? 
+            puts "it is a json request."
+	    	if action_name == "otp_verification_result"
+	    		##we let this action pass because, we make json ajax requests 
+	    		##from the web ui to this endpoint, and anyway it does
+	    		##not return anything sensitive.
+                #puts "action name is otp verification result."
+	    	else
+                #puts "action name is something else."
+		    	if session[:client].nil?
+                    puts "cient is nil so rendering nothing."
+		      		render :nothing => true , :status => :unauthorized
+		      	else
+                    #puts "client is not nil"
+                end
+	      	end
+	    end
+	end
+
+    def set_redirect_url
+    
+        # puts "the params redirect url is: #{params[:redirect_url]}"
+        # puts "the session redirect url is: #{session[:redirect_url]}"
+        redir_url = params[:redirect_url].nil? ? session[:redirect_url] : params[:redirect_url]
+
+        #puts "redir url was: #{redir_url}"
+
+        #puts "session[:client] is: #{session[:client]}"
+
+        #puts "session[:client].redirect urls"
+        #puts session[:client].redirect_urls
+        
+        #puts "does it contain the redirect url."
+        #puts session[:client].contains_redirect_url?(redir_url)
+        cli = session[:client]
+        cli = Auth::Client.new(session[:client]) if session[:client].is_a? Hash
+
+	    if redir_url && session[:client] && cli.contains_redirect_url?(redir_url) && !(is_json_request?)
+	        
+	        session[:redirect_url] = redir_url
+	        
+	    end
+  	end
+
+  
+    def do_before_request
+       puts "came to do before request."
+       clear_client_and_redirect_url
+   
+       set_client
+   
+       set_redirect_url
+
+       protect_json_request
+
+    end
+
+    ##used only in render, redirect in DeviseController.class_eval
+    def current_resource(resource)
+        send("current_#{resource.class.name.underscore.downcase}")
+    end
+
+
+
+end

data/app/controllers/auth/concerns/omni_concern.rb

@@ -0,0 +1,310 @@
+module Auth::Concerns::OmniConcern
+
+  extend ActiveSupport::Concern
+
+  included do
+    prepend_before_action :set_devise_mapping_for_omniauth, only: [:omni_common]
+    prepend_before_action :do_before_request, only: [:omni_common]
+    attr_accessor :resource
+    helper_method :omniauth_failed_path_for
+  end
+
+  
+
+
+  def set_devise_mapping_for_omniauth
+    model = nil
+    if !request.env["omniauth.model"].blank?
+      puts "the request env is:"
+      puts request.env["omniauth.model"]
+      request.env["omniauth.model"].scan(/omniauth\/(?<model>[a-zA-Z]+)\//) do |ll|
+        jj = Regexp.last_match
+        model = jj[:model]
+      end
+      model = model.singularize
+      request.env["devise.mapping"] = Devise.mappings[model.to_sym]
+    end
+  end
+
+  def passthru
+    
+  end
+
+  def failure
+    f = failure_message
+    flash[:omniauth_error] = f.blank? ? notice : f
+    respond_to do |format|
+        format.json { render json: {"failure_message" => flash[:omniauth_error]}, status: :unprocessible_entity}
+        format.html { render "auth/omniauth_callbacks/failure.html.erb" }
+    end
+
+  end
+
+
+  def get_omni_hash
+    request.env["omniauth.auth"]
+  end
+
+  
+
+  def failed_strategy
+    request.respond_to?(:get_header) ? request.get_header("omniauth.error.strategy") : env["omniauth.error.strategy"]
+  end
+
+  def failure_message
+    exception = request.respond_to?(:get_header) ? request.get_header("omniauth.error") : env["omniauth.error"]
+    error   = exception.error_reason if exception.respond_to?(:error_reason)
+    error ||= exception.error        if exception.respond_to?(:error)
+    error ||= (request.respond_to?(:get_header) ? request.get_header("omniauth.error.type") : env["omniauth.error.type"]).to_s
+
+    error.to_s.humanize if error
+  end
+
+  def after_omniauth_failure_path_for(scope)
+    new_session_path(scope)
+  end
+
+  def omniauth_failed_path_for(res)
+    omniauth_failure_path(res)
+  end
+
+
+  def translation_scope
+    'devise.omniauth_callbacks'
+  end
+
+
+  def update_identity_information(identity_info,provider)
+      @resource.identities.map{|i|
+        if(i["provider"] && i["provider"] == provider)
+          i["access_token"] = identity_info["access_token"]
+          i["token_expires_at"] = identity_info["token_expires_at"]
+        end
+      }
+  end
+
+  ## @return[Boolean] : true if the update was successfull, false otherwise
+  ## method from_view is taken from Auth::ApplicationController
+  def update_access_token_and_expires_at(existing_oauth_resources,resource_klazz,identity_info,provider)
+    @resource = from_view(existing_oauth_resources,resource_klazz)
+    @resource.m_client = self.m_client
+    ##identity_info should be a key -> value hash, 
+    update_identity_information(identity_info,provider)
+
+    @resource.versioned_update({"identities" => 1})
+
+    if @resource.op_success
+                                        
+      sign_in @resource
+
+      true
+      
+    else
+
+
+      false
+
+    end
+  end
+  
+  
+  ############################################################
+  ## Working:
+  ## First searches for an account with the oauth identity.
+  ## Found : tries to update it with a new access token, failing update -> retursn failure.
+  ## Not Found : tries to create an account with the email of the oauth identity, and identities = [oauth_identity]
+  ## if op_success : return success
+  ##
+  ## elsif matched_count == 1 : it means an account already exists with this email . Here there are two possibilities.
+  ## a. The earlier account was created by using another oauth provider -> in this case its version will have been set as '1', and we now execute a versioned_update -> pushing in the identity of the other oauth account. Thus two oauth providers are merged into one if they share the same email address.
+  ## b. the earlier account was created by the normal sign up process: in this case its version will be '0', the versioned updated to push in the oauth identity will fail. If the earlier account is a confirmed account, error will say accoutn in user, if not, then error will say, "there was some errro..."
+  ##
+  ## else 
+  ## there was no matched count, and op failed, so we return failure.
+  ##
+  ##
+  ## ** To prevent oauth account merger, set the configuration option :prevent_oauth_merger to true, it is false by default.
+  ##
+  ############################################################
+  def omni_common
+        
+        success = false
+        failure = false
+        failure_message = "There was an error processing your request"
+
+        begin
+          
+          model_class = request.env["devise.mapping"]
+          if model_class.nil?
+          
+           redirect_to omniauth_failed_path_for("no_resource"), :notice => "No resource was specified in the omniauth callback request." and return 
+          else
+            resource_klazz = request.env["devise.mapping"].to
+           
+            omni_hash = get_omni_hash
+            
+            puts "the omni hash is:"
+            puts omni_hash
+            
+            identity = Auth::Identity.new.build_from_omnihash(omni_hash)
+
+            ##this index is used for the first query during oauth, to check whether the user already has registered using oauth with us.
+            puts "identity is:"
+            puts identity
+            existing_oauth_resources = 
+            resource_klazz.collection.find(
+              {"identities" =>
+                     {"$elemMatch" => 
+                            {"provider" => identity.provider, "uid" => identity.uid}
+                     }
+              })
+              
+           
+
+            if existing_oauth_resources.count == 1
+              
+              puts "found matching identity."
+                
+              if  update_access_token_and_expires_at(existing_oauth_resources,resource_klazz,identity.attributes.except("_id","provider","uid"),identity.provider)
+                 puts "updated access token."     
+                 success = true
+                  #respond_with @resource, location: after_sign_in_path_for(@resource)               
+              else
+                  puts "failed to update access token."
+                  success = false
+                #redirect_to omniauth_failed_path_for(resource_klazz.name),:notice => "Failed to update the acceess token and token expires at"
+
+              end
+
+            
+            elsif signed_in?
+
+              puts("it is a current user trying to sign up with oauth.")
+              
+              after_sign_in_path_for(current_res)        
+
+            else 
+              
+              puts("no such user exists, trying to create a new user by merging the fields.")
+                
+              @resource = resource_klazz.new
+              @resource.email = identity.email
+              @resource.password = Devise.friendly_token(20)
+              @resource.regenerate_token
+              @resource.identities = [identity.attributes.except("_id")]
+              if @resource.respond_to?(:confirmed_at)
+                @resource.confirmed_at = Time.now.utc  
+              end
+                
+              ## skip_email_unique_validation is set to true in omni_concern in the situation:
+              ##1.there is no user with the given identity.
+              ## however it is possible that a user with this email exists.
+              ## in that case, if we try to do versioned_create, then the prepare_insert block in mongoid_versioned_atomic, runs validations. these include, checking if the email is unique, and in this case, if a user with this email already exists, then the versioned_create doesnt happen at all. We don't want to first check if there is already an account with this email, and in another step then try to do a versioned_update, because in the time in between another user could be created. So instead we simply just set #skip_email_unique_validation to true, and as a result the unique validation is skipped.
+              @resource.skip_email_unique_validation = true
+              
+
+              @resource.m_client = self.m_client
+              
+              ## end.
+              @resource.versioned_create({"email" => @resource.email})
+              ##reset so that no other issues crop up later.
+              @resource.skip_email_unique_validation = false
+              
+              #puts "@resource email is:"
+              #puts @resource.email.to_s              
+
+              if @resource.op_success
+                puts "create was successfull"
+                  sign_in @resource
+                  puts "signed in resource."
+                  #respond_with @resource, location: after_sign_in_path_for(@resource)
+                   success = true
+                    #respond_to do |format|
+                    #  format.html { redirect_to after_sign_in_path_for(@resource) and return}
+                    #  format.json  { render json: @resource, status: :updated and return}
+                    #end      
+                    puts "came after the response."
+
+                ##do the update.
+              elsif @resource.matched_count == 1
+                  #puts "found such a resource."    
+                  
+                  ## this means a resource with this email account was found.
+                  ## if the account is not confirmed, then we can push the identity.
+                  ## and we can reset the password.
+
+                  @resource = resource_klazz.where(:email => @resource.email).first
+                  @resource.m_client = self.m_client
+                  
+                  if @resource.confirmed?
+                    failure_message = "That email is in use by another account"
+                  end
+
+                  if Auth.configuration.prevent_oauth_merger == true
+
+                    success = false
+                    
+                  else
+
+                    @resource.identities.push(identity.attributes.except("_id"))
+
+                    @resource.versioned_update({"identities" => 1})
+
+                    if @resource.op_success
+                      puts "succeeded and signed in user."
+                      sign_in @resource
+                      
+                      success = true
+
+                      #respond_with @resource, location: after_sign_in_path_for(@resource)
+
+                    else
+                      puts "op success failure"
+                      success = false
+                      #redirect_to omniauth_failed_path_for(resource_klazz.name),:notice => "Failed to create new identity"
+                    end
+
+                  end
+               
+              else
+                
+                puts "resource create failed."
+                puts @resource.errors.full_messages.to_s
+                success = false
+                #redirect_to omniauth_failed_path_for(resource_klazz.name),:notice => "Failed to create new identity"
+              end
+
+
+
+            end
+
+          end
+              
+        
+
+        rescue => e
+          puts "SOME OTHER ERROR"
+          puts e.to_s
+          puts e.backtrace
+          redirect_to omniauth_failed_path_for("error"), :notice => "error" and return
+          success = false
+        end
+
+        puts "Success is :#{success.to_s}"
+
+        
+          respond_to do |format|
+            if success == true
+              format.html { redirect_to after_sign_in_path_for(@resource) and return}
+              format.json  { render json: @resource, status: :updated and return}
+            else
+              #@resource.errors.add(:_id,"failed")
+              format.html { redirect_to omniauth_failed_path_for(failure_message), :notice => failure_message and return}
+              format.json  { render json: {:errors => failure_message}, status: :unprocessible_entity and return}
+            end
+          end   
+        
+
+  end
+
+end