sessions: raise exception on failed login attempts.

* Allow both xml and json authentication in sessions controller. * Raise an exception if a login attempt fails so that a) we return a proper error for json/xml requests and b) failed login attempts get reported to NewRelic (for monitoring abuse).
2019-10-07 22:27:38 -05:00
parent a5ab25d0ba
commit cc4e39b88b
2 changed files with 4 additions and 11 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -51,7 +51,7 @@ class ApplicationController < ActionController::Base
    when ActionController::BadRequest
      render_error_page(400, exception)
    when SessionLoader::AuthenticationFailure
-      render_error_page(401, exception)
+      render_error_page(401, exception, template: "sessions/new")
    when ActionController::InvalidAuthenticityToken, ActionController::UnpermittedParameters, ActionController::InvalidCrossOriginRequest
      render_error_page(403, exception)
    when User::PrivilegeError
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
  respond_to :html, :json
-  skip_forgery_protection only: :create, if: -> { request.format.json? }
+  skip_forgery_protection only: :create, if: -> { !request.format.html? }

  def new
    @user = User.new
@@ -14,15 +14,8 @@ class SessionsController < ApplicationController
      url = posts_path if url.nil?
      respond_with(session_creator.user, location: url, methods: [:api_token])
    else
-      respond_with("password was incorrect", location: new_session_path) do |fmt|
-        fmt.json do
-          render json: { error: true, message: "password was incorrect"}.to_json, status: 401
-        end
-
-        fmt.html do
-          flash[:notice] = "Password was incorrect"
-        end
-      end
+      flash.now[:notice] = "Password was incorrect"
+      raise SessionLoader::AuthenticationFailure
    end
  end