discourse/app/controllers/session_controller.rb

class SessionController < ApplicationController
  # we need to allow account login with bad CSRF tokens, if people are caching, the CSRF token on the
  #  page is going to be empty, this means that server will see an invalid CSRF and blow the session
  #  once that happens you can't log in with social
  skip_before_filter :verify_authenticity_token, only: [:create]
  skip_before_filter :redirect_to_login_if_required

  def create
    params.require(:login)
    params.require(:password)

    login = params[:login].strip
    login = login[1..-1] if login[0] == "@"

    if login =~ /@/
      @user = User.where(email: Email.downcase(login)).first
    else
      @user = User.where(username_lower: login.downcase).first
    end

    if @user.present?

      # If the site requires user approval and the user is not approved yet
      if SiteSetting.must_approve_users? && !@user.approved?
        render json: {error: I18n.t("login.not_approved")}
        return
      end

      # If their password is correct
      if @user.confirm_password?(params[:password])

        if @user.is_banned?
          render json: { error: I18n.t("login.banned", {date: I18n.l(@user.banned_till, format: :date_only)}) }
          return
        end

        if @user.email_confirmed?
          log_on_user(@user)
          render_serialized(@user, UserSerializer)
          return
        else
          render json: {
            error: I18n.t("login.not_activated"),
            reason: 'not_activated',
            sent_to_email: @user.email_logs.where(email_type: 'signup').order('created_at DESC').first.try(:to_address) || @user.email,
            current_email: @user.email
          }
          return
        end
      end
    end

    render json: {error: I18n.t("login.incorrect_username_email_or_password")}
  end

  def forgot_password
    params.require(:login)

    user = User.where('username_lower = :username or email = :email', username: params[:login].downcase, email: Email.downcase(params[:login])).first
    if user.present?
      email_token = user.email_tokens.create(email: user.email)
      Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
    end
    # always render of so we don't leak information
    render json: {result: "ok"}
  end

  def destroy
    session[:current_user_id] = nil
    cookies[:_t] = nil
    render nothing: true
  end

end
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class SessionController < ApplicationController`
we need to be able to do username checks for registration to work 2013-06-04 22:50:42 -04:00			`# we need to allow account login with bad CSRF tokens, if people are caching, the CSRF token on the`
we can't trust CSRF for anon the way it is designed. The page they have loaded may be cached we need a different way of delivering the CSRF potentially 2013-05-03 02:43:11 -04:00			`# page is going to be empty, this means that server will see an invalid CSRF and blow the session`
			`# once that happens you can't log in with social`
			`skip_before_filter :verify_authenticity_token, only: [:create]`
Redirect all controllers to login if required We want to skip the filter for sessions controller so that we can login and we want to skip the filter for static pages because those should be visible to visitors. 2013-06-04 18:32:36 -04:00			`skip_before_filter :redirect_to_login_if_required`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`def create`
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments. 2013-06-06 03:14:32 -04:00			`params.require(:login)`
			`params.require(:password)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Strip leading/trailing spaces from login 2013-07-23 23:02:42 -04:00			`login = params[:login].strip`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`login = login[1..-1] if login[0] == "@"`

			`if login =~ /@/`
better consistency around email case sensitivity 2013-04-14 20:20:33 -04:00			`@user = User.where(email: Email.downcase(login)).first`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`else`
better consistency around email case sensitivity 2013-04-14 20:20:33 -04:00			`@user = User.where(username_lower: login.downcase).first`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Fix all the trailing whitespace 2013-02-07 10:45:24 -05:00			`if @user.present?`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`# If the site requires user approval and the user is not approved yet`
enforce coding convention replaced every `and` by `&&` and every `or` by `\|\|` 2013-03-04 19:42:44 -05:00			`if SiteSetting.must_approve_users? && !@user.approved?`
Use consistent new-style hashes in render calls twitch 2013-03-22 14:08:11 -04:00			`render json: {error: I18n.t("login.not_approved")}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`return`
			`end`

			`# If their password is correct`
			`if @user.confirm_password?(params[:password])`
Show a useful message when a banned user tries to log in 2013-06-27 15:14:42 -04:00
			`if @user.is_banned?`
Show date with year in message to banned users who try to log in 2013-06-30 12:49:34 -04:00			`render json: { error: I18n.t("login.banned", {date: I18n.l(@user.banned_till, format: :date_only)}) }`
Show a useful message when a banned user tries to log in 2013-06-27 15:14:42 -04:00			`return`
			`end`

Prevent login until email is confirmed 2013-02-11 11:18:26 -05:00			`if @user.email_confirmed?`
			`log_on_user(@user)`
			`render_serialized(@user, UserSerializer)`
			`return`
			`else`
Fix a problem where you might see missing {{sentTo}} value after a failed login 2013-04-18 16:44:56 -04:00			`render json: {`
			`error: I18n.t("login.not_activated"),`
			`reason: 'not_activated',`
			`sent_to_email: @user.email_logs.where(email_type: 'signup').order('created_at DESC').first.try(:to_address) \|\| @user.email,`
			`current_email: @user.email`
			`}`
Prevent login until email is confirmed 2013-02-11 11:18:26 -05:00			`return`
			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`
			`end`

Use consistent new-style hashes in render calls twitch 2013-03-22 14:08:11 -04:00			`render json: {error: I18n.t("login.incorrect_username_email_or_password")}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def forgot_password`
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments. 2013-06-06 03:14:32 -04:00			`params.require(:login)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
better consistency around email case sensitivity 2013-04-14 20:20:33 -04:00			`user = User.where('username_lower = :username or email = :email', username: params[:login].downcase, email: Email.downcase(params[:login])).first`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`if user.present?`
			`email_token = user.email_tokens.create(email: user.email)`
			`Jobs.enqueue(:user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)`
			`end`
			`# always render of so we don't leak information`
Use consistent new-style hashes in render calls twitch 2013-03-22 14:08:11 -04:00			`render json: {result: "ok"}`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def destroy`
			`session[:current_user_id] = nil`
			`cookies[:_t] = nil`
			`render nothing: true`
			`end`

			`end`