From 58c49cf1900eabd708352504cbe7e73c45688b74 Mon Sep 17 00:00:00 2001
From: Rubem Azenha
Date: Wed, 20 Mar 2013 15:18:18 -0300
Subject: [PATCH] adding :skip_session_data_restoration config
---
 lib/sorcery/controller.rb | 45 ++++++++++++++++-------------
 spec/Gemfile.lock | 2 +-
 spec/rails3/spec/controller_spec.rb | 18 ++++++++++++
 3 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/lib/sorcery/controller.rb b/lib/sorcery/controller.rb
index 695ef5a9..09a0b3b0 100644
--- a/lib/sorcery/controller.rb
+++ b/lib/sorcery/controller.rb
@@ -28,14 +28,17 @@ def require_login
 # Takes credentials and returns a user on successful authentication.
 # Runs hooks after login or failed login.
- def login(*credentials)
+ def login(*credentials)
 @current_user = nil
 user = user_class.authenticate(*credentials)
 if user
- old_session = session.dup.to_hash
+
+ old_session = session.dup.to_hash unless Config.skip_session_data_restoration
 reset_session # protect from session fixation attacks
- old_session.each_pair do |k,v|
- session[k.to_sym] = v
+ if !Config.skip_session_data_restoration
+ old_session.each_pair do |k,v|
+ session[k.to_sym] = v
+ end
 end
 form_authenticity_token
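Review bot: The new option is read twice inside `login` — once on the `unless` guarding the `old_session` assignment and again in `if !Config.skip_session_data_restoration` around the restore loop — so `old_session` is nil inside the loop whenever the two reads disagree (a narrow window, e.g. the setting toggled from another thread or a test between them), and `if !` reads as `unless` anyway. Reading the flag once removes both issues: `old_session = Config.skip_session_data_restoration ? {} : session.dup.to_hash` before `reset_session`, followed by the unconditional `old_session.each_pair do |k,v| session[k.to_sym] = v end` that was already there, with the `if`/`end` wrapper dropped. The method comment above `def login` should also state what the restore does, since the security behaviour now depends on the setting: `# After reset_session the previous session's contents are copied back unless Config.skip_session_data_restoration is set, so by default only the session id is rotated.` The body of `login` continues past the end of the hunk.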
@@ -159,22 +162,24 @@ class << self
 :after_login,
 :after_failed_login,
 :before_logout,
- :after_logout
-
- def init!
- @defaults = {
- :@user_class => nil,
- :@submodules => [],
- :@not_authenticated_action => :not_authenticated,
- :@login_sources => [],
- :@after_login => [],
- :@after_failed_login => [],
- :@before_logout => [],
- :@after_logout => [],
- :@save_return_to_url => true,
- :@cookie_domain => nil
- }
- end
+ :after_logout,
+ :skip_session_data_restoration
+
+ def init!
+ @defaults = {
+ :@user_class => nil,
+ :@submodules => [],
+ :@not_authenticated_action => :not_authenticated,
+ :@login_sources => [],
+ :@after_login => [],
+ :@after_failed_login => [],
+ :@before_logout => [],
+ :@after_logout => [],
+ :@save_return_to_url => true,
+ :@cookie_domain => nil,
+ :@skip_session_data_restoration => false
+ }
+ end
 # Resets all configuration options to their default values.
 def reset!
diff --git a/spec/Gemfile.lock b/spec/Gemfile.lock
index 73f12c90..aada5e64 100644
--- a/spec/Gemfile.lock
+++ b/spec/Gemfile.lock
@@ -7,7 +7,7 @@ PATH
 oauth2 (~> 0.8.0)
 GEM
- remote: http://rubygems.org/
+ remote: https://rubygems.org/
 specs:
 abstract (1.0.0)
 actionmailer (3.0.3)
diff --git a/spec/rails3/spec/controller_spec.rb b/spec/rails3/spec/controller_spec.rb
index 0552d185..7dad55ad 100644
--- a/spec/rails3/spec/controller_spec.rb
+++ b/spec/rails3/spec/controller_spec.rb
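Review bot: `:skip_session_data_restoration` is added to the accessor list and to `@defaults` without a comment saying what it controls or that it defaults to `false`, and the diff touches no user-facing configuration template or README. A comment on the accessor such as `# when true, login discards the pre-login session contents after reset_session instead of copying them into the new session (default: false)` documents it where the other options are declared; if the gem ships an initializer template enumerating these settings, the new key belongs there as well. The removed and re-added `def init!`/`@defaults` lines appear identical apart from the new entry, so that part of the hunk looks like an indentation-only move; the enclosing `class << self` block starts and ends outside the hunk.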
@@ -103,6 +103,24 @@
 session[:user_id].should == @user.id
 end
+ it "login(username,password) should return the user when success, set the session with user.id and maintain the old session data" do
+ session[:foo] = "Bar"
+ get :test_login, :username => 'gizmo', :password => 'secret'
+ assigns[:user].should == @user
+ session[:user_id].should == @user.id
+ session[:foo].should == "Bar"
+ end
+
+
+ it "login(username,password) should return the user when success, set the session with user.id and discard the old session data when :skip_session_data_restoration config is true" do
+ session[:foo] = "Bar"
+ Sorcery::Controller::Config.skip_session_data_restoration = true
+ get :test_login, :username => 'gizmo', :password => 'secret'
+ assigns[:user].should == @user
+ session[:user_id].should == @user.id
+ session[:foo].should be_nil
+ end
+
 it "logout should clear the session" do
 cookies[:remember_me_token] = nil
 session[:user_id] = @user.id
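Review bot: The second new example sets `Sorcery::Controller::Config.skip_session_data_restoration = true` and never restores it, so unless a `before`/`after` hook outside this hunk calls `Config.reset!`, the flag stays set for every later example in the file — including the first new example if the run order is randomised. Resetting it in the example itself, e.g. `after { Sorcery::Controller::Config.skip_session_data_restoration = false }` or a call to `Sorcery::Controller::Config.reset!` at the end, keeps the example self-contained. The two added descriptions also repeat most of the neighbouring example's wording; naming just the behaviour under test (`"login should maintain the old session data"` / `"login should discard the old session data when :skip_session_data_restoration is true"`) would read better in the spec output.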