Expire all /_oauth_token$/ keys in session after sign in, so if two users create accounts in the same session, the facebook account will be linked just to the first one.

2022-11-09 12:18:31 -05:00 · 2010-07-14 17:55:14 +02:00 · 2010-07-14 17:55:14 +02:00 · 17ec0c08ed
commit 17ec0c08ed
parent b31d60ce7c
5 changed files with 34 additions and 21 deletions
--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@ -92,6 +92,7 @@ module Devise
        options  = args.extract_options!
        scope    = Devise::Mapping.find_scope!(resource_or_scope)
        resource = args.last || resource_or_scope
+        expire_session_data_after_sign_in!
        warden.set_user(resource, options.merge!(:scope => scope))
      end

@ -234,6 +235,11 @@ module Devise
      def redirect_for_sign_out(scope) #:nodoc:
        redirect_to after_sign_out_path_for(scope)
      end
+
+      # A hook called to expire session data after sign up/in. This is used
+      # by a few extensions, like oauth, to expire tokens stored in session.
+      def expire_session_data_after_sign_in!
+      end
    end
  end
 end
--- a/lib/devise/failure_app.rb
+++ b/lib/devise/failure_app.rb
@ -89,7 +89,7 @@ module Devise
    end

    def scope
-      @scope ||= warden_options[:scope]
+      @scope ||= warden_options[:scope] || Devise.default_scope
    end

    def attempted_path
@ -101,7 +101,7 @@ module Devise
    # yet, but we still need to store the uri based on scope, so different scopes
    # would never use the same uri to redirect.
    def store_location!
-      session[:"#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
+      session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
    end
  end
 end
--- a/lib/devise/oauth/helpers.rb
+++ b/lib/devise/oauth/helpers.rb
@ -13,6 +13,13 @@ module Devise
        nil
      end
      alias :oauth_provider :oauth_callback
+
+    protected
+
+      def expire_session_data_after_sign_in!
+        super
+        session.keys.grep(/_oauth_token$/).each { |k| session.delete(k) }
+      end
    end
  end
 end
--- a/lib/devise/oauth/internal_helpers.rb
+++ b/lib/devise/oauth/internal_helpers.rb
@ -73,7 +73,7 @@ module Devise

      # The session key to store the token.
      def oauth_session_key #:nodoc:
-        "#{resource_name}_#{oauth_callback}_token"
+        "#{resource_name}_#{oauth_callback}_oauth_token"
      end

      # The callback redirect uri. Used to request the access token.
--- a/test/rails_app/db/migrate/20100401102949_create_tables.rb
+++ b/test/rails_app/db/migrate/20100401102949_create_tables.rb
@ -1,27 +1,27 @@
 class CreateTables < ActiveRecord::Migration
  def self.up
-    [:users, :admins, :accounts].each do |table|
-      create_table table do |t|
-        t.database_authenticatable :null => (table == :admins)
+    create_table :users do |t|
+      t.string :username
+      t.database_authenticatable :null => false
+      t.confirmable
+      t.recoverable
+      t.rememberable
+      t.trackable
+      t.lockable
+      t.token_authenticatable
+      t.timestamps
+    end

-        if table != :admin
-          t.string :username
-          t.confirmable
-          t.recoverable
-          t.rememberable
-          t.trackable
-          t.lockable
-          t.token_authenticatable
-        end
-
-        t.timestamps
-      end
+    create_table :admins do |t|
+      t.database_authenticatable :null => true, :encryptor => :bcrypt
+      t.recoverable
+      t.lockable
+      t.timestamps
    end
  end

  def self.down
-    [:users, :admins, :accounts].each do |table|
-      drop_table table
-    end
+    drop_table :users
+    drop_table :admins
  end
 end