gitlab-org--gitlab-foss/app/controllers/sessions_controller.rb

class SessionsController < Devise::SessionsController
  prepend_before_action :authenticate_with_two_factor, only: :create

  def new
    redirect_path =
      if request.referer.present? && (params['redirect_to_referer'] == 'yes')
        referer_uri = URI(request.referer)
        if referer_uri.host == Gitlab.config.gitlab.host
          referer_uri.path
        else
          request.fullpath
        end
      else
        request.fullpath
      end

    # Prevent a 'you are already signed in' message directly after signing:
    # we should never redirect to '/users/sign_in' after signing in successfully.
    unless redirect_path == new_user_session_path
      store_location_for(:redirect, redirect_path)
    end

    if Gitlab.config.ldap.enabled
      @ldap_servers = Gitlab::LDAP::Config.servers
    end

    super
  end

  def create
    super do |resource|
      # Remove any lingering user data from login
      session.delete(:user)

      # User has successfully signed in, so clear any unused reset tokens
      if resource.reset_password_token.present?
        resource.update_attributes(reset_password_token: nil,
                                   reset_password_sent_at: nil)
      end
    end
  end

  private

  def user_params
    params.require(:user).permit(:login, :password, :remember_me, :otp_attempt)
  end

  def authenticate_with_two_factor
    @user = User.by_login(user_params[:login])

    if user_params[:otp_attempt].present? && session[:user]
      if valid_otp_attempt?
        # Insert the saved params from the session into the request parameters
        # so they're available to Devise::Strategies::DatabaseAuthenticatable
        request.params[:user].merge!(session[:user])
      else
        @error = 'Invalid two-factor code'
        render :two_factor and return
      end
    else
      if @user && @user.valid_password?(user_params[:password])
        self.resource = @user

        if resource.otp_required_for_login
          # Login is valid, save the values to the session so we can prompt the
          # user for a one-time password.
          session[:user] = user_params
          render :two_factor and return
        end
      end
    end
  end

  def valid_otp_attempt?
    @user.valid_otp?(user_params[:otp_attempt]) ||
    @user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  end
end
Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00			`class SessionsController < Devise::SessionsController`
Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`prepend_before_action :authenticate_with_two_factor, only: :create`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00
Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00			`def new`
Improve application settings and write tests 2015-01-08 17:53:35 +00:00			`redirect_path =`
			`if request.referer.present? && (params['redirect_to_referer'] == 'yes')`
			`referer_uri = URI(request.referer)`
			`if referer_uri.host == Gitlab.config.gitlab.host`
			`referer_uri.path`
			`else`
			`request.fullpath`
			`end`
			`else`
			`request.fullpath`
			`end`
Call store_location_for once. 2014-07-22 06:34:16 +00:00
Only redirect to referrer from public GitLab pages 2014-07-25 16:30:25 +00:00			`# Prevent a 'you are already signed in' message directly after signing:`
			`# we should never redirect to '/users/sign_in' after signing in successfully.`
Don't use hard-coded sign_in path 2015-05-04 18:18:32 +00:00			`unless redirect_path == new_user_session_path`
Only redirect to referrer from public GitLab pages 2014-07-25 16:30:25 +00:00			`store_location_for(:redirect, redirect_path)`
			`end`
Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`if Gitlab.config.ldap.enabled`
Use Hash syntax for LDAP server declaration 2014-10-14 11:11:53 +00:00			`@ldap_servers = Gitlab::LDAP::Config.servers`
Add refactoring for multiple LDAP server support These changes are ported from EE to CE. Apply changes for app directory 2014-10-13 11:39:54 +00:00			`end`

Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00			`super`
			`end`

			`def create`
Upon successful login, clear `reset_password_token` field Closes #1942 2015-04-08 18:26:04 +00:00			`super do \|resource\|`
Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`# Remove any lingering user data from login`
			`session.delete(:user)`

Upon successful login, clear `reset_password_token` field Closes #1942 2015-04-08 18:26:04 +00:00			`# User has successfully signed in, so clear any unused reset tokens`
			`if resource.reset_password_token.present?`
			`resource.update_attributes(reset_password_token: nil,`
			`reset_password_sent_at: nil)`
			`end`
			`end`
Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00			`end`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00
			`private`

Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`def user_params`
			`params.require(:user).permit(:login, :password, :remember_me, :otp_attempt)`
			`end`

			`def authenticate_with_two_factor`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00			`@user = User.by_login(user_params[:login])`

Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`if user_params[:otp_attempt].present? && session[:user]`
			`if valid_otp_attempt?`
			`# Insert the saved params from the session into the request parameters`
			`# so they're available to Devise::Strategies::DatabaseAuthenticatable`
			`request.params[:user].merge!(session[:user])`
			`else`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00			`@error = 'Invalid two-factor code'`
			`render :two_factor and return`
			`end`
			`else`
Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`if @user && @user.valid_password?(user_params[:password])`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00			`self.resource = @user`

			`if resource.otp_required_for_login`
Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00			`# Login is valid, save the values to the session so we can prompt the`
			`# user for a one-time password.`
			`session[:user] = user_params`
Turn 2-factor authentication into 2 steps process. Disabled 2fa UI for ldap users since it is not supported 2015-03-31 01:19:01 +00:00			`render :two_factor and return`
			`end`
			`end`
			`end`
			`end`
Make two-factor login work and add a feature spec 2015-05-06 02:16:45 +00:00
			`def valid_otp_attempt?`
			`@user.valid_otp?(user_params[:otp_attempt]) \|\|`
			`@user.invalidate_otp_backup_code!(user_params[:otp_attempt])`
			`end`
Use devise stored_location to redirect after signing for both public and private pages. 2014-07-11 10:24:11 +00:00			`end`