discourse/lib/auth/current_user_provider.rb

# frozen_string_literal: true

module Auth; end
class Auth::CurrentUserProvider

  # do all current user initialization here
  def initialize(env)
    raise NotImplementedError
  end

  # our current user, return nil if none is found
  def current_user
    raise NotImplementedError
  end

  # log on a user and set cookies and session etc.
  def log_on_user(user, session, cookies, opts = {})
    raise NotImplementedError
  end

  # optional interface to be called to refresh cookies etc if needed
  def refresh_session(user, session, cookies)
  end

  # api has special rights return true if api was detected
  def is_api?
    raise NotImplementedError
  end

  def is_user_api?
    raise NotImplementedError
  end

  # we may need to know very early on in the middleware if an auth token
  # exists, to optimise caching
  def has_auth_cookie?
    raise NotImplementedError
  end

  def log_off_user(session, cookies)
    raise NotImplementedError
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`module Auth; end`
			`class Auth::CurrentUserProvider`

			`# do all current user initialization here`
			`def initialize(env)`
			`raise NotImplementedError`
			`end`

			`# our current user, return nil if none is found`
			`def current_user`
			`raise NotImplementedError`
			`end`

			`# log on a user and set cookies and session etc.`
FIX: Do not check for suspicious login when impersonating. (#6534) * FIX: Do not check for suspicious login when impersonating. * DEV: Add 'impersonate' parameter to log_on_user. 2018-11-12 22:34:12 +08:00			`def log_on_user(user, session, cookies, opts = {})`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`raise NotImplementedError`
			`end`

FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions. 2016-07-25 10:07:31 +08:00			`# optional interface to be called to refresh cookies etc if needed`
			`def refresh_session(user, session, cookies)`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`# api has special rights return true if api was detected`
			`def is_api?`
			`raise NotImplementedError`
			`end`

SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements. 2016-12-16 09:05:20 +08:00			`def is_user_api?`
			`raise NotImplementedError`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`# we may need to know very early on in the middleware if an auth token`
			`# exists, to optimise caching`
			`def has_auth_cookie?`
			`raise NotImplementedError`
			`end`

			`def log_off_user(session, cookies)`
			`raise NotImplementedError`
			`end`
			`end`