JuzerShakir · JuzerShakir · Dec 22, 2024 · Dec 20, 2024 · Dec 20, 2024 · Dec 21, 2024
diff --git a/app/channels/application_cable/connection.rb b/app/channels/application_cable/connection.rb
@@ -1,4 +1,17 @@
 module ApplicationCable
   class Connection < ActionCable::Connection::Base
+    identified_by :current_user
+
+    def connect
+      set_current_user || reject_unauthorized_connection
+    end
+
+    private
+
+    def set_current_user
+      if session ||= Session.find_by(id: cookies.signed[:session_id])
+        self.current_user = session.user
+      end
+    end
   end
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,28 +1,12 @@
 class ApplicationController < ActionController::Base
+  include Authentication
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
 
   include Pagy::Backend
   add_flash_types :success, :notice
-  helper_method :current_user
 
   rescue_from CanCan::AccessDenied do
-    flash[:alert] = t("flash.un_authorize")
-
-    if current_user.nil?
-      redirect_to login_path
-    else
-      redirect_to request.referer || thaalis_all_path(CURR_YR)
-    end
-  end
-
-  private
-
-  def current_user
-    @current_user ||= User.select(:id, :slug).find(session[:user_id]) if session[:user_id]
-  end
-
-  def logged_in?
-    redirect_to thaalis_all_path(CURR_YR), notice: t("flash.active_session") if session[:user_id]
+    return_to_default_path(type: :alert, msg: "flash.un_authorize")
   end
 end
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
@@ -0,0 +1,64 @@
+module Authentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :require_authentication
+    helper_method :authenticated?, :current_user
+  end
+
+  class_methods do
+    def allow_unauthenticated_access(**options)
+      skip_before_action :require_authentication, **options
+    end
+  end
+
+  private
+
+  def authenticated?
+    resume_session
+  end
+
+  def require_authentication
+    resume_session || request_authentication
+  end
+
+  def resume_session
+    Current.session ||= find_session_by_cookie
+  end
+
+  def find_session_by_cookie
+    Session.find_by(id: cookies.signed[:session_id]) if cookies.signed[:session_id]
+  end
+
+  def request_authentication
+    session[:return_to_after_authenticating] = request.url
+    redirect_to login_path, alert: t("flash.un_authorize")
+  end
+
+  def after_authentication_url
+    return_to_url = session.delete(:return_to_after_authenticating)
+    return_to_url.present? ? "#{return_to_url}.html" : thaalis_all_path(CURR_YR, format: :html)
+  end
+
+  def start_new_session_for(user)
+    user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
+      Current.session = session
+      cookies.signed.permanent[:session_id] = {value: session.id, httponly: true, same_site: :lax}
+    end
+  end
+
+  def terminate_session
+    Rails.cache.delete("user_#{current_user.id}_role")
+    Current.session.destroy
+    cookies.delete(:session_id)
+  end
+
+  def return_to_default_path(type: :notice, msg: "flash.active_session")
+    flash[type] = t(msg)
+    redirect_to thaalis_all_path(CURR_YR)
+  end
+
+  def current_user
+    @current_user ||= Current.user
+  end
+end
diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
@@ -1,5 +1,6 @@
 class PagesController < ApplicationController
-  before_action :logged_in?
+  allow_unauthenticated_access
+  before_action :return_to_default_path, if: -> { authenticated? }
 
   def home
   end

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -1,26 +1,25 @@
 class SessionsController < ApplicationController
-  before_action :logged_in?, only: :new
+  allow_unauthenticated_access only: %i[new create]
+  before_action :return_to_default_path, only: %i[new create], if: -> { authenticated? }
+  # rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_url, alert: "Try again later." }
 
   def new
   end
 
   def create
-    user = User.authenticate_by(user_params)
-    if user
-      session[:user_id] = user.id
+    if user ||= User.authenticate_by(user_params)
+      start_new_session_for user
 
       respond_to do |format|
-        format.all { redirect_to thaalis_all_path(CURR_YR, format: :html), success: t(".success") }
+        format.all { redirect_to after_authentication_url, success: t(".success") }
       end
     else
-      flash.now.alert = t(".error")
-      render :new, status: :not_found
+      redirect_to login_path, alert: t(".error")
     end
   end
 
   def destroy
-    Rails.cache.delete("user_#{current_user.id}_role")
-    session[:user_id] = nil
+    terminate_session
     redirect_to login_path, success: t(".success")
   end
 

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -38,7 +38,7 @@ def destroy
     if current_user.is?("admin") && current_user.id != @user&.id
       redirect_to users_path, success: t(".success")
     else
-      session[:user_id] = nil
+      terminate_session
       redirect_to login_path, success: t(".success")
     end
   end

diff --git a/app/models/current.rb b/app/models/current.rb
@@ -0,0 +1,4 @@
+class Current < ActiveSupport::CurrentAttributes
+  attribute :session
+  delegate :user, to: :session, allow_nil: true
+end
diff --git a/app/models/session.rb b/app/models/session.rb
@@ -0,0 +1,3 @@
+class Session < ApplicationRecord
+  belongs_to :user
+end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,6 +1,7 @@
 class User < ApplicationRecord
   rolify
   has_secure_password
+  has_many :sessions, dependent: :destroy
 
   # * Callbacks
   include NameCallback

diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -27,7 +27,7 @@
   <body onselectstart="return false">
     <%= render "shared/flash_messages" if flash.present? %>
 
-    <% if current_user.present? %>
+    <% if authenticated? %>
       <header class="heading">
         <%= render "shared/navbar/navbar" %>
 
@@ -39,6 +39,6 @@
       <%= yield %>
     </main>
 
-    <%= render "shared/footer" if current_user.blank? %>
+    <%= render "shared/footer" unless authenticated? %>
   </body>
 </html>
diff --git a/db/migrate/20241220050110_create_sessions.rb b/db/migrate/20241220050110_create_sessions.rb
@@ -0,0 +1,11 @@
+class CreateSessions < ActiveRecord::Migration[8.0]
+  def change
+    create_table :sessions do |t|
+      t.references :user, null: false, foreign_key: true
+      t.string :ip_address
+      t.string :user_agent
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/spec/factories/sessions.rb b/spec/factories/sessions.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :session do
+    user
+    ip_address { Faker::Internet.public_ip_v4_address }
+    user_agent { Faker::Internet.user_agent }
+  end
+end
diff --git a/spec/features/layout/navbar_spec.rb b/spec/features/layout/navbar_spec.rb
@@ -3,10 +3,10 @@
 require "rails_helper"
 
 RSpec.describe "Navbar" do
-  # * Accessibile by logged-in user
+  # * Accessible by logged-in user
   describe "logged in" do
     before do
-      page.set_rack_session(user_id: user.id)
+      sign_in(user)
       visit thaalis_all_path(CURR_YR)
     end
 

diff --git a/spec/features/sabeels/active_spec.rb b/spec/features/sabeels/active_spec.rb
@@ -9,7 +9,7 @@
   let!(:sabeels) { create_list(:burhani_sabeel_taking_thaali, 2) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit sabeels_active_path(apt.downcase)
   end
 

diff --git a/spec/features/sabeels/destroy_spec.rb b/spec/features/sabeels/destroy_spec.rb
@@ -7,7 +7,7 @@
   let(:sabeel) { create(:sabeel) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit sabeel_path(sabeel)
     click_on "Delete"
   end

diff --git a/spec/features/sabeels/edit_spec.rb b/spec/features/sabeels/edit_spec.rb
@@ -7,7 +7,7 @@
   let(:sabeel) { create(:sabeel) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit edit_sabeel_path(sabeel)
   end
 

diff --git a/spec/features/sabeels/inactive_spec.rb b/spec/features/sabeels/inactive_spec.rb
@@ -11,7 +11,7 @@
   # rubocop:enable RSpec/LetSetup
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit sabeels_inactive_path(apt.downcase)
   end
 

diff --git a/spec/features/sabeels/index_spec.rb b/spec/features/sabeels/index_spec.rb
@@ -7,7 +7,7 @@
   let(:user) { create(:user) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     create_list(:sabeel, 2)
     visit sabeels_path
   end

diff --git a/spec/features/sabeels/new_spec.rb b/spec/features/sabeels/new_spec.rb
@@ -4,7 +4,7 @@
 
 RSpec.describe "Sabeel New template" do
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit new_sabeel_path
   end
 

diff --git a/spec/features/sabeels/show_spec.rb b/spec/features/sabeels/show_spec.rb
@@ -9,7 +9,7 @@
   let(:thaali) { sabeel.thaalis.first }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit sabeel_path(sabeel)
   end
 

diff --git a/spec/features/sessions/destroy_spec.rb b/spec/features/sessions/destroy_spec.rb
@@ -6,7 +6,7 @@
   let(:user) { create(:user) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit thaalis_all_path(CURR_YR)
     click_on "Log out"
   end

diff --git a/spec/features/statistics/sabeels_spec.rb b/spec/features/statistics/sabeels_spec.rb
@@ -6,7 +6,7 @@
   let(:user) { create(:user) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     create_list(:burhani_sabeel_taking_thaali, 2)
     create_list(:burhani_sabeel_took_thaali, 2)
     visit statistics_sabeels_path

diff --git a/spec/features/statistics/thaalis_spec.rb b/spec/features/statistics/thaalis_spec.rb
@@ -7,7 +7,7 @@
   let(:thaalis) { Thaali.for_year(CURR_YR) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     create_list(:taking_thaali, 2)
     create_list(:taking_thaali_dues_cleared, 2)
     visit statistics_thaalis_path

diff --git a/spec/features/thaalis/all_spec.rb b/spec/features/thaalis/all_spec.rb
@@ -9,7 +9,7 @@
   let(:thaalis) { Thaali.first(2) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     create_list(:thaali, 2, year:)
 
     visit thaalis_all_path(year)

diff --git a/spec/features/thaalis/complete_spec.rb b/spec/features/thaalis/complete_spec.rb
@@ -8,7 +8,7 @@
   let(:thaalis) { Thaali.dues_cleared_in(CURR_YR) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     create_list(:taking_thaali_dues_cleared, 2)
 
     visit thaalis_complete_path(CURR_YR)

diff --git a/spec/features/thaalis/destroy_spec.rb b/spec/features/thaalis/destroy_spec.rb
@@ -7,7 +7,7 @@
   let(:thaali) { create(:thaali) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit thaali_path(thaali)
     click_on "Delete"
   end

diff --git a/spec/features/thaalis/edit_spec.rb b/spec/features/thaalis/edit_spec.rb
@@ -7,7 +7,7 @@
   let(:thaali) { create(:thaali) }
 
   before do
-    page.set_rack_session(user_id: user.id)
+    sign_in(user)
     visit edit_thaali_path(thaali)
   end