class Devise::Strategies::Authenticatable

This strategy is the base class for Devise authentication strategies. It retrieves credentials from either the request params or the HTTP Basic Authorization header, and subclasses decide what to do with them in authenticate!. See database_authenticatable for an example.

Attributes

authentication_hash[RW]
authentication_type[RW]
password[RW]

Public Instance Methods

clean_up_csrf?()

Override and return false for strategies such as OmniAuth, which run through authentication (user_set) very often and would otherwise reset the CSRF data in the session on every pass.

# File lib/devise/strategies/authenticatable.rb, line 22
def clean_up_csrf?
  true
end
store?()
# File lib/devise/strategies/authenticatable.rb, line 11
def store?
  super && !mapping.to.skip_session_storage.include?(authentication_type)
end
valid?()
# File lib/devise/strategies/authenticatable.rb, line 15
def valid?
  valid_for_params_auth? || valid_for_http_auth?
end

Private Instance Methods

authenticatable_name()

Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable becomes simply :database.

# File lib/devise/strategies/authenticatable.rb, line 169
def authenticatable_name
  @authenticatable_name ||=
    ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
      sub("_authenticatable", "").to_sym
end
authentication_keys()
# File lib/devise/strategies/authenticatable.rb, line 134
def authentication_keys
  @authentication_keys ||= mapping.to.authentication_keys
end
decode_credentials()

Helper to decode the user id and password from an HTTP Basic Authorization header. Returns an empty array when no header is present or the scheme is not Basic; the split limit of 2 keeps any colons that appear inside the password.

# File lib/devise/strategies/authenticatable.rb, line 120
def decode_credentials
  return [] unless request.authorization && request.authorization =~ /^Basic (.*)/i
  Base64.decode64($1).split(/:/, 2)
end
http_auth_hash()

Extract a hash with attribute:value pairs from the HTTP Basic Authorization header (not from the params), keyed by http_authentication_key and :password.

# File lib/devise/strategies/authenticatable.rb, line 96
def http_auth_hash
  keys = [http_authentication_key, :password]
  Hash[*keys.zip(decode_credentials).flatten]
end
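The following is an added example, not Devise's own code: it re-implements decode_credentials and http_auth_hash as plain functions that take the raw Authorization header value instead of a Rack request, so the parsing rules (case-insensitive "Basic" scheme, non-Basic headers ignored, split limit of 2) can be exercised offline. The helper basic_header and the key name :username are constructed for the demonstration.

```ruby
require "base64"

# Stand-in for Devise::Strategies::Authenticatable#decode_credentials
# (added example, not the library's code). Takes the header value directly.
def decode_credentials(authorization)
  return [] unless authorization && authorization =~ /^Basic (.*)/i
  # decode64 is lenient about stray characters; the limit of 2 on split means
  # a password such as "pa:ss" survives intact as the second element.
  Base64.decode64($1).split(/:/, 2)
end

# Stand-in for #http_auth_hash: zip the configured key and :password with
# whatever decode_credentials produced. Missing parts become nil, which the
# strategy later rejects through the presence checks.
def http_auth_hash(authorization, http_authentication_key = :email)
  keys = [http_authentication_key, :password]
  Hash[*keys.zip(decode_credentials(authorization)).flatten]
end

# Constructs a Basic Authorization header value for the examples below
# (constructed helper, not part of Devise).
def basic_header(userid, password)
  "Basic " + Base64.strict_encode64("#{userid}:#{password}")
end

if __FILE__ == $PROGRAM_NAME
  p http_auth_hash(basic_header("bob@example.com", "pa:ss"))
  p http_auth_hash("Bearer opaque-token")
  p http_auth_hash("basic " + Base64.strict_encode64("no-colon-here"))
end
```

Note that a header carrying no colon yields a nil password rather than an error, and a Bearer or Digest header yields nil for both keys; the strategy relies on with_authentication_hash and valid_password? to turn those nils into a failed or skipped authentication.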
http_authenticatable?()

Check if the model accepts this strategy as http authenticatable.

# File lib/devise/strategies/authenticatable.rb, line 81
def http_authenticatable?
  mapping.to.http_authenticatable?(authenticatable_name)
end
http_authentication_key()
# File lib/devise/strategies/authenticatable.rb, line 138
def http_authentication_key
  @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
    when Array then authentication_keys.first
    when Hash then authentication_keys.keys.first
  end
end
params_auth_hash()

Extract the appropriate subhash for authentication from params.

# File lib/devise/strategies/authenticatable.rb, line 91
def params_auth_hash
  params[scope]
end
params_authenticatable?()

Check if the model accepts this strategy as params authenticatable.

# File lib/devise/strategies/authenticatable.rb, line 86
def params_authenticatable?
  mapping.to.params_authenticatable?(authenticatable_name)
end
parse_authentication_key_values(hash, keys)

Copies the configured keys from hash into authentication_hash. keys may be an Array (every key required) or a Hash of key => enforce, where enforce == false makes that key optional. A key whose value is blank counts as missing; a missing required key makes the method return false.
# File lib/devise/strategies/authenticatable.rb, line 155
def parse_authentication_key_values(hash, keys)
  keys.each do |key, enforce|
    value = hash[key].presence
    if value
      self.authentication_hash[key] = value
    else
      return false unless enforce == false
    end
  end
  true
end
remember_me(resource)

Reads remember_me from the params and sets it on the resource, if the resource responds to remember_me=.

# File lib/devise/strategies/authenticatable.rb, line 49
def remember_me(resource)
  resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
end
remember_me?()

Should this resource be marked to be remembered?

# File lib/devise/strategies/authenticatable.rb, line 54
def remember_me?
  valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
end
request_keys()
# File lib/devise/strategies/authenticatable.rb, line 145
def request_keys
  @request_keys ||= mapping.to.request_keys
end
request_values()

Builds a hash of the configured request_keys (for example :subdomain) by calling each as a method on the request object.
# File lib/devise/strategies/authenticatable.rb, line 149
def request_values
  keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
  values = keys.map { |k| self.request.send(k) }
  Hash[keys.zip(values)]
end
valid_for_http_auth?()

Check if this is a valid strategy for http authentication by:

* Validating if the model allows http authentication;
* If any of the authorization headers were sent;
* If all authentication keys are present;
# File lib/devise/strategies/authenticatable.rb, line 64
def valid_for_http_auth?
  http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
end
valid_for_params_auth?()

Check if this is a valid strategy for params authentication by:

* Validating if the model allows params authentication;
* If the request hits the sessions controller through POST;
* If the params[scope] returns a hash with credentials;
* If all authentication keys are present;
# File lib/devise/strategies/authenticatable.rb, line 75
def valid_for_params_auth?
  params_authenticatable? && valid_params_request? &&
    valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
end
valid_params?()

If the request is valid, finally check if #params_auth_hash returns a hash.

# File lib/devise/strategies/authenticatable.rb, line 107
def valid_params?
  params_auth_hash.is_a?(Hash)
end
valid_params_request?()

By default, a request is valid for params authentication only if the controller set env["devise.allow_params_authentication"]; Devise's sessions controller does this for the POST that creates a session, so credentials submitted in params to other routes are not honoured by this strategy.

# File lib/devise/strategies/authenticatable.rb, line 102
def valid_params_request?
  !!env["devise.allow_params_authentication"]
end
valid_password?()

Note: unlike `Model.valid_password?`, this method does not actually ensure that the password in the params matches the password stored in the database. It only checks if the password is present. Do not rely on this method for validating that a given password is correct.

# File lib/devise/strategies/authenticatable.rb, line 115
def valid_password?
  password.present?
end
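To make the note above concrete, here is an added example (not Devise's code) contrasting the strategy-level presence check with the model-level comparison that DatabaseAuthenticatable delegates to. FakeUser is a constructed stand-in for a Devise model: it stores a PBKDF2-HMAC-SHA256 digest with a fixed salt instead of Devise's bcrypt so the example has no gem dependency, and authenticate_broken / authenticate_correct are hypothetical authenticate! bodies.

```ruby
require "openssl"

# Constructed stand-in for a Devise model (example only). A real model uses
# bcrypt with a per-user salt; PBKDF2 with a static salt is used here purely
# to keep the example dependency-free.
class FakeUser
  SALT = "constructed-static-salt".b

  attr_reader :email

  def initialize(email, password)
    @email = email
    @digest = FakeUser.digest(password)
  end

  def self.digest(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: SALT, iterations: 10_000,
                                       length: 32, hash: "sha256")
  end

  # Mirrors Model#valid_password?: recompute the digest and compare it in
  # constant time. This is the check that actually proves the password.
  def valid_password?(password)
    return false unless password.is_a?(String) && !password.empty?
    secure_compare(FakeUser.digest(password), @digest)
  end

  private

  # Constant-time byte comparison so timing does not leak how many leading
  # bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Same semantics as the strategy's valid_password? above: presence only. The
# is_a?(String) guard additionally rejects non-string params values.
def strategy_valid_password?(password)
  password.is_a?(String) && !password.strip.empty?
end

# WRONG: treats the presence check as proof of the password.
def authenticate_broken(user, password)
  return :fail unless user && strategy_valid_password?(password)
  :success
end

# RIGHT: presence is only a pre-filter; the model compares the digest, which
# is what the real database strategy does via resource.valid_password?.
def authenticate_correct(user, password)
  return :fail unless user && strategy_valid_password?(password)
  user.valid_password?(password) ? :success : :fail
end

if __FILE__ == $PROGRAM_NAME
  user = FakeUser.new("bob@example.com", "correct horse battery staple")
  p authenticate_broken(user, "wrong")   # :success, which is the bug
  p authenticate_correct(user, "wrong")  # :fail
end
```

The broken variant accepts any non-blank string for any existing user; it is exactly the mistake the note warns about, and it is easy to make in a custom strategy because the strategy and the model expose a method with the same name.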
validate(resource, &block)

Receives a resource and checks it by calling valid_for_authentication? on it; an optional block is forwarded to that call. See Devise::Models::Authenticatable#valid_for_authentication? for more information.

If the resource cannot be validated, the strategy fails with the resource's unauthenticated_message. A nil resource returns false without calling fail!, so a subclass must fail the strategy itself when no resource was found.

# File lib/devise/strategies/authenticatable.rb, line 35
def validate(resource, &block)
  result = resource && resource.valid_for_authentication?(&block)

  if result
    true
  else
    if resource
      fail!(resource.unauthenticated_message)
    end
    false
  end
end
with_authentication_hash(auth_type, auth_values)

Resets authentication_hash, records the authentication_type, and sets the password from #params_auth_hash or http_auth_hash. Returns true only if every required authentication key and request key is present; only the configured keys are copied, so other params never reach the lookup.

# File lib/devise/strategies/authenticatable.rb, line 126
def with_authentication_hash(auth_type, auth_values)
  self.authentication_hash, self.authentication_type = {}, auth_type
  self.password = auth_values[:password]

  parse_authentication_key_values(auth_values, authentication_keys) &&
  parse_authentication_key_values(request_values, request_keys)
end
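As an added example (not Devise's code) covering with_authentication_hash, parse_authentication_key_values and request_values together, the class below re-implements the three methods with the same Array-or-Hash key semantics, using a Struct in place of the Rack request and a small presence helper in place of ActiveSupport's. Request and AuthHashBuilder are constructed names for the demonstration.

```ruby
# Constructed stand-in for the Rack request: request_keys are called as
# methods on it, exactly as request_values does with request.send(k).
Request = Struct.new(:subdomain, :remote_ip)

# Stand-in for the strategy's state plus the three private methods above
# (added example, not Devise's code). authentication_keys and request_keys
# take the shapes Devise accepts: an Array (every key enforced) or a Hash of
# key => enforce, where enforce == false makes the key optional.
class AuthHashBuilder
  attr_accessor :authentication_hash, :authentication_type, :password

  def initialize(request, authentication_keys:, request_keys: [])
    @request = request
    @authentication_keys = authentication_keys
    @request_keys = request_keys
  end

  def with_authentication_hash(auth_type, auth_values)
    self.authentication_hash, self.authentication_type = {}, auth_type
    self.password = auth_values[:password]

    parse_authentication_key_values(auth_values, @authentication_keys) &&
      parse_authentication_key_values(request_values, @request_keys)
  end

  private

  # Array keys yield `enforce` as nil, so a missing key fails; Hash keys yield
  # the configured flag and only `false` makes the key optional. Only listed
  # keys are copied, so extra params are dropped here.
  def parse_authentication_key_values(hash, keys)
    keys.each do |key, enforce|
      value = presence(hash[key])
      if value
        authentication_hash[key] = value
      else
        return false unless enforce == false
      end
    end
    true
  end

  def request_values
    keys = @request_keys.respond_to?(:keys) ? @request_keys.keys : @request_keys
    Hash[keys.zip(keys.map { |k| @request.public_send(k) })]
  end

  # ActiveSupport's #presence without ActiveSupport: nil and blank strings
  # count as absent. Note that it does no type check, so a Hash value from
  # nested params passes through untouched.
  def presence(value)
    return nil if value.nil?
    return nil if value.respond_to?(:strip) && value.strip.empty?
    return nil if value.respond_to?(:empty?) && value.empty?
    value
  end
end

if __FILE__ == $PROGRAM_NAME
  b = AuthHashBuilder.new(Request.new("acme", "203.0.113.7"),
                          authentication_keys: [:email], request_keys: [:subdomain])
  p b.with_authentication_hash(:params_auth, { email: "bob@example.com", password: "pw" })
  p b.authentication_hash  # {:email=>"bob@example.com", :subdomain=>"acme"}
end
```

Two things worth noticing when running it: a required key given as whitespace fails exactly like an absent one, and the value copied into authentication_hash is whatever the params carried, so a subclass that needs string-only lookup keys has to check the type itself before passing the hash to a finder.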