This strategy should be used as basis for authentication strategies. It retrieves parameters both from params or from http authorization headers. See database_authenticatable for an example.
Override and set to false for things like OmniAuth that technically run through Authentication (user_set) very often, which would normally reset CSRF data in the session
# File lib/devise/strategies/authenticatable.rb, line 22 def clean_up_csrf? true end
# File lib/devise/strategies/authenticatable.rb, line 11 def store? super && !mapping.to.skip_session_storage.include?(authentication_type) end
# File lib/devise/strategies/authenticatable.rb, line 15 def valid? valid_for_params_auth? || valid_for_http_auth? end
Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable becomes simply :database.
# File lib/devise/strategies/authenticatable.rb, line 169 def authenticatable_name @authenticatable_name ||= ActiveSupport::Inflector.underscore(self.class.name.split("::").last). sub("_authenticatable", "").to_sym end
# File lib/devise/strategies/authenticatable.rb, line 134 def authentication_keys @authentication_keys ||= mapping.to.authentication_keys end
Helper to decode credentials from HTTP.
# File lib/devise/strategies/authenticatable.rb, line 120 def decode_credentials return [] unless request.authorization && request.authorization =~ /^Basic (.*)/i Base64.decode64($1).split(/:/, 2) end
Extract a hash with attributes:values from the http params.
# File lib/devise/strategies/authenticatable.rb, line 96 def http_auth_hash keys = [http_authentication_key, :password] Hash[*keys.zip(decode_credentials).flatten] end
Check if the model accepts this strategy as http authenticatable.
# File lib/devise/strategies/authenticatable.rb, line 81 def http_authenticatable? mapping.to.http_authenticatable?(authenticatable_name) end
# File lib/devise/strategies/authenticatable.rb, line 138 def http_authentication_key @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys when Array then authentication_keys.first when Hash then authentication_keys.keys.first end end
Extract the appropriate subhash for authentication from params.
# File lib/devise/strategies/authenticatable.rb, line 91 def params_auth_hash params[scope] end
Check if the model accepts this strategy as params authenticatable.
# File lib/devise/strategies/authenticatable.rb, line 86 def params_authenticatable? mapping.to.params_authenticatable?(authenticatable_name) end
# File lib/devise/strategies/authenticatable.rb, line 155 def parse_authentication_key_values(hash, keys) keys.each do |key, enforce| value = hash[key].presence if value self.authentication_hash[key] = value else return false unless enforce == false end end true end
Get values from params and set in the resource.
# File lib/devise/strategies/authenticatable.rb, line 49 def remember_me(resource) resource.remember_me = remember_me? if resource.respond_to?(:remember_me=) end
Should this resource be marked to be remembered?
# File lib/devise/strategies/authenticatable.rb, line 54 def remember_me? valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me]) end
# File lib/devise/strategies/authenticatable.rb, line 145 def request_keys @request_keys ||= mapping.to.request_keys end
# File lib/devise/strategies/authenticatable.rb, line 149 def request_values keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys values = keys.map { |k| self.request.send(k) } Hash[keys.zip(values)] end
Check if this is a valid strategy for http authentication by:
* Validating if the model allows http authentication; * If any of the authorization headers were sent; * If all authentication keys are present;
# File lib/devise/strategies/authenticatable.rb, line 64 def valid_for_http_auth? http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash) end
Check if this is a valid strategy for params authentication by:
* Validating if the model allows params authentication; * If the request hits the sessions controller through POST; * If the params[scope] returns a hash with credentials; * If all authentication keys are present;
# File lib/devise/strategies/authenticatable.rb, line 75 def valid_for_params_auth? params_authenticatable? && valid_params_request? && valid_params? && with_authentication_hash(:params_auth, params_auth_hash) end
If the request is valid, finally check if #params_auth_hash returns a hash.
# File lib/devise/strategies/authenticatable.rb, line 107 def valid_params? params_auth_hash.is_a?(Hash) end
By default, a request is valid if the controller set the proper env variable.
# File lib/devise/strategies/authenticatable.rb, line 102 def valid_params_request? !!env["devise.allow_params_authentication"] end
Note: unlike `Model.valid_password?`, this method does not actually ensure that the password in the params matches the password stored in the database. It only checks if the password is present. Do not rely on this method for validating that a given password is correct.
# File lib/devise/strategies/authenticatable.rb, line 115 def valid_password? password.present? end
Receives a resource and check if it is valid by calling valid_for_authentication? An optional block that will be triggered while validating can be optionally given as parameter. Check Devise::Models::Authenticatable#valid_for_authentication? for more information.
In case the resource can't be validated, it will fail with the given unauthenticated_message.
# File lib/devise/strategies/authenticatable.rb, line 35 def validate(resource, &block) result = resource && resource.valid_for_authentication?(&block) if result true else if resource fail!(resource.unauthenticated_message) end false end end
Sets the authentication hash and the password from #params_auth_hash or http_auth_hash.
# File lib/devise/strategies/authenticatable.rb, line 126 def with_authentication_hash(auth_type, auth_values) self.authentication_hash, self.authentication_type = {}, auth_type self.password = auth_values[:password] parse_authentication_key_values(auth_values, authentication_keys) && parse_authentication_key_values(request_values, request_keys) end