# frozen_string_literal: true
# Handles interactions with login.gov
class LoginDotGovController < Devise::OmniauthCallbacksController
  # The OpenID Connect callback is issued by login.gov, not by a form this app
  # rendered, so no Rails authenticity token accompanies it.
  # NOTE(review): confirm the OmniAuth request phase carries its own CSRF
  # protection, since this callback skips the Rails token check.
  skip_before_action :verify_authenticity_token, only: :openid_connect

  # Successful login.gov callback. Looks up the User by provider/uid, signs them
  # in when found, records IAL2 data, then redirects to the post-login path.
  def openid_connect
    auth_hash = request.env['omniauth.auth']
    account = User.find_by(provider: auth_hash.provider, uid: auth_hash.uid)
    start_user_session(account) if account
    # ial_2_actions runs before path/1 because path/1 consumes :user_return_to.
    ial_2_actions(account, auth_hash)
    redirect_to path(account, auth_hash)
  end

  # Shown when login.gov authenticated someone who has no account here.
  def no_account
    component = Page::Utility::ErrorComponent.new(nil, 'no_account')
    render(component, status: :forbidden)
  end

  # OmniAuth failure endpoint. Three cases, checked in order: the stored return
  # location points into the invitation flow; an unexpected `code` param is
  # present (logged as a configuration error); or the user cancelled.
  def failure
    invitation_match = session[:user_return_to]&.match(%r{/organizations/([0-9]+)/invitations/([0-9]+)})
    # Capture 2 of the pattern is the invitation id.
    return handle_invitation_flow_failure(invitation_match[2]) if invitation_match
    return render_configuration_error if params[:code]

    log_auth_action('User cancelled login',
                    LoggingConstants::ActionContext::Authentication,
                    LoggingConstants::ActionType::UserCancelledLogin)
    render(Page::Utility::ErrorComponent.new(nil, 'login_gov_signin_cancel'))
  end

  # Starts a login.gov logout. With an invitation_id the invitation URL is stored
  # as the return destination so #logged_out can send the user back to it.
  # allow_other_host is required because the logout URL is presumably on
  # login.gov's host rather than ours.
  def logout
    invitation_id = params[:invitation_id]
    store_invitation_return_to(invitation_id) if invitation_id.present?
    redirect_to url_for_login_dot_gov_logout, allow_other_host: true
  end

  # Return from login.gov after logout: consume the stored location, else go to
  # the sign-in page.
  # NOTE(review): the stored location becomes a redirect target without
  # allow_other_host, so Rails' open-redirect guard applies if
  # raise_on_open_redirects is enabled; confirm :user_return_to is only ever set
  # from route helpers or Devise's stored path.
  def logged_out
    destination = session.delete(:user_return_to)
    redirect_to(destination || new_user_session_path)
  end

  private

  # Devise sign-in plus the bookkeeping done on every successful login.
  def start_user_session(account)
    sign_in(:user, account)
    session[:logged_in_at] = Time.now
    log_auth_action('User logged in',
                    LoggingConstants::ActionContext::Authentication,
                    LoggingConstants::ActionType::UserLoggedIn)
  end

  # Structured log entry shared by the auth/registration events in this controller.
  def log_auth_action(message, context, type)
    Rails.logger.info([message, { actionContext: context, actionType: type }])
  end

  # A `code` param on the failure endpoint is treated as a misconfiguration.
  def render_configuration_error
    logger.error 'Login.gov Configuration error'
    render(Page::Utility::ErrorComponent.new(nil, 'login_gov_signin_fail'))
  end

  # Remembers the invitation URL so the user lands on it after logging out/in.
  def store_invitation_return_to(invitation_id)
    invitation = Invitation.find(invitation_id)
    session[:user_return_to] = organization_invitation_url(invitation.provider_organization.id, invitation.id)
  end

  # Failure during an invitation flow: log it and render the proofing-failure
  # page appropriate to the invitation type, always with 403.
  def handle_invitation_flow_failure(invitation_id)
    log_auth_action('Failed invitation flow',
                    LoggingConstants::ActionContext::Registration,
                    LoggingConstants::ActionType::FailedLogin)
    invitation = Invitation.find(invitation_id)
    component =
      if invitation.credential_delegate?
        Page::Utility::ErrorComponent.new(invitation, 'fail_to_proof')
      else
        Page::Invitations::AoFlowFailComponent.new(invitation, 'fail_to_proof', 1)
      end
    render(component, status: :forbidden)
  end

  # Copies the verified name from login.gov onto the user, if there is one.
  def maybe_update_user(user, data)
    return if user.nil?

    user.update(given_name: data.given_name, family_name: data.family_name)
  end

  # Only IAL2 logins carry verified identity data: update the user's name and
  # keep the login.gov token and its expiry in the session.
  # NOTE(review): storing the access token in the session assumes an
  # encrypted or server-side session store — confirm.
  def ial_2_actions(user, auth)
    raw_info = auth.extra.raw_info
    return unless ial2?(raw_info)

    maybe_update_user(user, raw_info)
    session[:login_dot_gov_token] = auth.credentials.token
    session[:login_dot_gov_token_exp] = auth.credentials.expires_in.seconds.from_now
  end

  def ial2?(raw_info)
    raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/2'
  end

  def ial1?(auth)
    auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/1'
  end

  # Post-login destination. An IAL1 login with no matching account goes to the
  # no-account page; everything else consumes the stored return location or
  # falls back to the organizations index.
  def path(user, auth)
    unless user.blank? && ial1?(auth)
      return session.delete(:user_return_to) || organizations_path
    end

    log_auth_action('User logged in without account',
                    LoggingConstants::ActionContext::Authentication,
                    LoggingConstants::ActionType::UserLoginWithoutAccount)
    no_account_url
  end
end