
Ensure timeoutable hook respects Devise.sign_out_all_scopes configuration

Closes #2606
José Valim 2013-11-06 21:07:38 +01:00
parent 4f1bf8f3f9
commit 27bcefcf54
4 changed files with 25 additions and 2 deletions


@ -12,6 +12,7 @@
* A GET to sign_in page shouldn't extend the session (by @drewish) * A GET to sign_in page shouldn't extend the session (by @drewish)
* Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful) * Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful)
* Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev) * Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev)
* Ensure timeoutable hook respects `Devise.sign_out_all_scopes` configuration
* deprecations * deprecations
* `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!` * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`


@ -6,11 +6,16 @@ module Devise
include Devise::Controllers::Rememberable include Devise::Controllers::Rememberable
include Devise::Controllers::SignInOut include Devise::Controllers::SignInOut
delegate :cookies, :env, :session, :to => :@warden attr_reader :warden
delegate :cookies, :env, :to => :warden
def initialize(warden) def initialize(warden)
@warden = warden @warden = warden
end end
def session
warden.request.session
end
end end
end end
end end
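Review bot: The new `session` method returns `warden.request.session`, the full Rack session, whereas the removed `delegate :session` went to `Warden::Proxy#session`, which is scope-aware (the hook file in this same commit calls it as `warden.session(scope)`), and nothing in the class says why the two differ. A one-line comment above `def session`, such as `# Whole-request Rack session, not Warden's per-scope session (warden.session(scope))`, would keep callers of the proxy's helpers from assuming per-scope isolation here. This is a documentation point only; the `Proxy` class header sits outside the hunk.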


@ -9,12 +9,15 @@ Warden::Manager.after_set_user do |record, warden, options|
if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
last_request_at = warden.session(scope)['last_request_at'] last_request_at = warden.session(scope)['last_request_at']
proxy = Devise::Hooks::Proxy.new(warden)
if record.timedout?(last_request_at) && !env['devise.skip_timeout'] if record.timedout?(last_request_at) && !env['devise.skip_timeout']
warden.logout(scope) Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
record.reset_authentication_token! record.reset_authentication_token!
end end
throw :warden, :scope => scope, :message => :timeout throw :warden, :scope => scope, :message => :timeout
end end
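Review bot: The false branch of the ternary on the `Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)` line calls `sign_out(scope)` with no receiver, so it is sent to the hook block's own self rather than to the `proxy` built two lines above; unless the hook file defines a `sign_out` helper outside this hunk, a timed-out session with `sign_out_all_scopes` set to false would raise NoMethodError before the `throw :warden`, and the expired session would not be logged out on that request. The line should read `Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)`. The integration test added in this commit only exercises `sign_out_all_scopes: true`, so a companion test with it set to false, asserting the admin stays authenticated while the user is signed out, would pin the per-scope path. The enclosing `after_set_user` block starts and ends outside the hunk.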


@ -45,6 +45,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
assert_not warden.authenticated?(:user) assert_not warden.authenticated?(:user)
end end
test 'time out all sessions after default limit time when sign_out_all_scopes is true' do
swap Devise, sign_out_all_scopes: true do
sign_in_as_admin
user = sign_in_as_user
get expire_user_path(user)
assert_not_nil last_request_at
get root_path
assert_not warden.authenticated?(:user)
assert_not warden.authenticated?(:admin)
end
end
test 'time out user session after deault limit time and redirect to latest get request' do test 'time out user session after deault limit time and redirect to latest get request' do
user = sign_in_as_user user = sign_in_as_user
visit edit_form_user_path(user) visit edit_form_user_path(user)