Class ServerController
In: app/controllers/server_controller.rb
Parent: ApplicationController

Methods

Public Instance methods

Cancels the current OpenID request

[Source]

    # File app/controllers/server_controller.rb, line 92
    def cancel
      redirect_to checkid_request.cancel_url
    end

This action is called by submitting the decision form; the information entered by the user is used to answer the request. If the user decides to always trust the relying party, a new site record is created that stores the chosen release policies.

[Source]

    # File app/controllers/server_controller.rb, line 72
    def complete
      if params[:cancel]
        cancel
      else
        if params[:always]
          # "Always trust": persist the site together with its release policies
          @site = current_account.sites.find_or_create_by_persona_id_and_url(params[:site][:persona_id], params[:site][:url])
          @site.update_attributes(params[:site])
        elsif sreg_request || ax_fetch_request
          # One-time release: build the site in memory only, it is not saved
          @site = current_account.sites.find_or_initialize_by_persona_id_and_url(params[:site][:persona_id], params[:site][:url])
          @site.attributes = params[:site]
        end
        # Positive assertion for the identifier of the logged-in account
        resp = checkid_request.answer(true, nil, identifier(current_account))
        resp = add_pape(resp, auth_policies, auth_level, auth_time)
        resp = add_sreg(resp, @site.sreg_properties) if sreg_request && @site.sreg_properties
        resp = add_ax(resp, @site.ax_properties) if ax_fetch_request && @site.ax_properties
        render_response(resp)
      end
    end

Displays the decision page on which the user can confirm the request and choose which data should be transferred to the relying party.

[Source]

    # File app/controllers/server_controller.rb, line 64
    def decide
      @site = current_account.sites.find_or_initialize_by_url(checkid_request.trust_root)
      @site.persona = current_account.personas.find(params[:persona_id] || :first) if sreg_request || ax_fetch_request
    end

This is the server endpoint which handles all incoming OpenID requests. Associate and CheckAuth requests are answered directly; the functionality for this is provided by the ruby-openid gem. Handling of CheckID requests depends on the user's login state (see handle_checkid_request). Yadis requests return information about this endpoint.

[Source]

    # File app/controllers/server_controller.rb, line 20
    def index
      clear_checkid_request
      respond_to do |format|
        format.html do
          if openid_request.is_a?(OpenID::Server::CheckIDRequest)
            handle_checkid_request
          elsif openid_request
            handle_non_checkid_request
          else
            render :text => 'This is an OpenID server endpoint, not a human readable resource.'
          end
        end
        format.xrds
      end
    end

This action decides how to process the current request and serves as dispatcher and re-entry point in case the request could not be processed directly (for instance if the user had to log in first). When the user has already trusted the relying party, the request will be answered based on the user's release policy. If the request is immediate (the relying party wants no user interaction, used e.g. for Ajax requests), the request can only be answered if no further information (like simple registration data) is requested. Otherwise the user will be redirected to the decision page.

[Source]

    # File app/controllers/server_controller.rb, line 45
    def proceed
      identity = identifier(current_account)
      if @site = current_account.sites.find_by_url(checkid_request.trust_root)
        # Relying party already trusted: answer according to the stored release policy
        resp = checkid_request.answer(true, nil, identity)
        resp = add_sreg(resp, @site.sreg_properties) if sreg_request
        resp = add_ax(resp, @site.ax_properties) if ax_fetch_request
        resp = add_pape(resp, auth_policies, auth_level, auth_time)
        render_response(resp)
      elsif checkid_request.immediate && (sreg_request || ax_fetch_request)
        # Immediate mode cannot ask the user which data to release: negative answer
        render_response(checkid_request.answer(false))
      elsif checkid_request.immediate
        render_response(checkid_request.answer(true, nil, identity))
      else
        redirect_to decide_path
      end
    end

Protected Instance methods

The user must be logged in, must be the owner of the claimed identifier, and the PAPE requirements must be met if applicable.

[Source]

    # File app/controllers/server_controller.rb, line 150
    def allow_verification?
      logged_in? && correct_identifier? && pape_requirements_met?(auth_time)
    end

Deletes the old request when a new one comes in.

[Source]

    # File app/controllers/server_controller.rb, line 123
    def clear_checkid_request
      unless session[:request_token].blank?
        OpenIdRequest.destroy_all :token => session[:request_token]
        session[:request_token] = nil
      end
    end

Is the user allowed to verify the claimed identifier? The user must be logged in so that we know his identifier, and the claimed identifier must match it; alternatively, the identifier has to be selected by the server (id_select).

[Source]

    # File app/controllers/server_controller.rb, line 157
    def correct_identifier?
      # Never assert an identifier the logged-in account does not own,
      # unless the relying party left the selection to the server
      (openid_request.identity == identifier(current_account) || openid_request.id_select)
    end

Use this as a before_filter for every CheckID-request-based action. It loads the current OpenID request and cancels if none can be found. The user has to log in if he has not yet verified his ownership of the identifier.

[Source]

    # File app/controllers/server_controller.rb, line 134
    def ensure_valid_checkid_request
      self.openid_request = checkid_request
      if !openid_request.is_a?(OpenID::Server::CheckIDRequest)
        flash[:error] = 'The identity verification request is invalid.'
        redirect_to home_path
      elsif !allow_verification?
        # Distinguish a stale login (PAPE max_auth_age exceeded) from no login at all
        flash[:notice] = logged_in? && !pape_requirements_met?(auth_time) ?
          'The Service Provider requires reauthentication, because your last login is too long ago.' :
          'Please log in to verify your identity.'
        session[:return_to] = proceed_path
        redirect_to login_path
      end
    end

Decides how to process an incoming CheckID request. If the user is already logged in, he will be forwarded to the proceed action. If the user is not logged in and the request is immediate, the request cannot be answered successfully. Otherwise (user not logged in, request not immediate) the request will be stored and the user is asked to log in.

[Source]

    # File app/controllers/server_controller.rb, line 103
    def handle_checkid_request
      if allow_verification?
        save_checkid_request
        redirect_to proceed_path
      elsif openid_request.immediate
        render_response(openid_request.answer(false))
      else
        save_checkid_request
        session[:return_to] = proceed_path
        redirect_to safe_login_path
      end
    end
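The decision logic of handle_checkid_request, allow_verification?, correct_identifier? and proceed above, modelled as an added, stand-alone example (not code from the project) so the branches can be exercised without Rails or ruby-openid. CheckIdRequest, Account, dispatch and the shape of pape_requirements_met? (a max_auth_age freshness check, which the page only mentions) are assumptions of this example.

```ruby
# Constructed stand-in for the parts of an OpenID CheckID request used here.
CheckIdRequest = Struct.new(:identity, :id_select, :immediate, :trust_root,
                            :needs_sreg_or_ax, :max_auth_age)

# Constructed stand-in for the logged-in account and the sites it trusts.
Account = Struct.new(:identifier, :auth_time, :trusted_urls)

# Mirrors correct_identifier?: the claimed identifier must belong to the
# logged-in account, unless the relying party asked the server to select it.
def correct_identifier?(request, account)
  request.id_select || request.identity == account.identifier
end

# Assumed shape of pape_requirements_met? (not shown on the page): the last
# login must be no older than the requested PAPE max_auth_age, if any.
def pape_requirements_met?(request, auth_time, now = Time.now)
  return true if request.max_auth_age.nil?
  !auth_time.nil? && (now - auth_time) <= request.max_auth_age
end

# Mirrors allow_verification?; account == nil means nobody is logged in.
def allow_verification?(request, account, now = Time.now)
  !account.nil? && correct_identifier?(request, account) &&
    pape_requirements_met?(request, account.auth_time, now)
end

# Combines handle_checkid_request and proceed into one outcome:
# :positive (assertion issued), :negative (immediate mode, cannot answer),
# :login (redirect to login) or :decide (redirect to the decision page).
def dispatch(request, account, now = Time.now)
  unless allow_verification?(request, account, now)
    return request.immediate ? :negative : :login
  end
  return :positive if account.trusted_urls.include?(request.trust_root)
  if request.immediate
    request.needs_sreg_or_ax ? :negative : :positive
  else
    :decide
  end
end
```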

Renders the exception message as text output

[Source]

    # File app/controllers/server_controller.rb, line 180
    def render_openid_error(exception)
      error = case exception
      when OpenID::Server::MalformedTrustRoot then "Malformed trust root '#{exception.to_s}'"
      else exception.to_s
      end
      render :text => "Invalid OpenID request: #{error}", :status => 500
    end

Clears the stored request and renders the answer.

[Source]

    # File app/controllers/server_controller.rb, line 162
    def render_response(resp)
      clear_checkid_request
      render_openid_response(resp)
    end

Stores the current OpenID request

[Source]

    # File app/controllers/server_controller.rb, line 117
    def save_checkid_request
      clear_checkid_request
      session[:request_token] = OpenIdRequest.create(:parameters => openid_params).token
    end

Transforms the parameters from the form into valid AX response values.

[Source]

    # File app/controllers/server_controller.rb, line 168
    def transform_ax_data(parameters)
      data = {}
      parameters.each_pair do |key, details|
        if details['value']
          data["type.#{key}"] = details['type']
          data["value.#{key}"] = details['value']
        end
      end
      data
    end
