3d01febcf7
Require the user to re-enter their password before they can view, create, update, or delete their API keys. This works by tracking the timestamp of the user's last password re-entry in a `last_authenticated_at` session cookie, and redirecting the user to a password confirmation page if they haven't re-entered their password in the last hour. This is modeled after Github's Sudo mode.
34 lines
799 B
Ruby
34 lines
799 B
Ruby
class SessionsController < ApplicationController
|
|
respond_to :html, :json
|
|
skip_forgery_protection only: :create, if: -> { !request.format.html? }
|
|
|
|
def new
|
|
@user = User.new
|
|
end
|
|
|
|
def confirm_password
|
|
end
|
|
|
|
def create
|
|
name, password, url = params.fetch(:session, params).slice(:name, :password, :url).values
|
|
user = SessionLoader.new(request).login(name, password)
|
|
|
|
if user
|
|
url = posts_path unless url&.start_with?("/")
|
|
respond_with(user, location: url, methods: [:api_token])
|
|
else
|
|
flash.now[:notice] = "Password was incorrect"
|
|
raise SessionLoader::AuthenticationFailure
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
SessionLoader.new(request).logout
|
|
redirect_to(posts_path, :notice => "You are now logged out")
|
|
end
|
|
|
|
def sign_out
|
|
destroy
|
|
end
|
|
end
|