Skip to content

Pass along remember_me to #auto_login#136

Merged
Ch4s3 merged 1 commit intoSorcery:masterfrom
bzf:al-pass-should-remember-to-auto-login
Jul 18, 2018
Merged

Pass along remember_me to #auto_login#136
Ch4s3 merged 1 commit intoSorcery:masterfrom
bzf:al-pass-should-remember-to-auto-login

Conversation

@bzf
Copy link
Copy Markdown
Contributor

@bzf bzf commented Jul 17, 2018

When overriding the #auto_login method when implementing our own
session handling we never got passed the should_remember value from
the #login method.

The Sorcery::Controller::Submodules::RememberMe never used the value
of the should_remember arguments passed to the #auto_login method
and instead relied on a callback being executed.

This commits removes the callback and instead calls the #remember_me!
method from the #auto_login method instead.

@bzf
Pass along remember_me to #auto_login
5163401 
When overriding the `#auto_login` method when implementing our own
session handling we never got passed the `should_remember` value from
the `#login` method.

The `Sorcery::Controller::Submodules::RememberMe` never used the value
of the `should_remember` arguments passed to the `#auto_login` method
and instead relied on a callback being executed.

This commits removes the callback and instead calls the `#remember_me!`
method from the `#auto_login` method instead.
@Ch4s3
Copy link
Copy Markdown
Contributor

Ch4s3 commented Jul 18, 2018

Looks good. Thanks!

@Ch4s3 Ch4s3 merged commit 1a3c399 into Sorcery:master Jul 18, 2018
joshbuker
joshbuker reviewed Jul 19, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@joshbuker joshbuker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Ch4s3 @bzf

I believe this will break the remember me functionality (although I'm not fully convinced it works as-is). We should definitely add some specs here to ensure the functionality.

Comment thread lib/sorcery/controller.rb
form_authenticity_token

auto_login(user)
auto_login(user, credentials[2])
Copy link
Copy Markdown
Member

@joshbuker joshbuker Jul 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The _should_remember param in auto_login appears to be unused, and doesn't actually kick off the remember me functionality.

Comment thread lib/sorcery/controller/submodules/remember_me.rb
merge_remember_me_defaults!
end
Config.login_sources << :login_from_cookie
Config.after_login << :remember_me_if_asked_to
Copy link
Copy Markdown
Member

@joshbuker joshbuker Jul 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is still required, or its functionality needs to be added to the auto_login method.

Comment thread lib/sorcery/controller/submodules/remember_me.rb
# calls remember_me! if a third credential was passed to the login method.
# Runs as a hook after login.
def remember_me_if_asked_to(_user, credentials)
remember_me! if credentials.size == 3 && credentials[2] && credentials[2] != '0'
Copy link
Copy Markdown
Member

@joshbuker joshbuker Jul 19, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the reason for using a hook here instead of injecting directly into the original login method is due to the submodule loading model. We can't guarantee that the remember_me functionality is always present.

Copy link
Copy Markdown

@jessedoyle jessedoyle Dec 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @athix - I know this is an older PR, I believe this did break the remember me functionality.

This change may introduce a security concern to those that use the remember_me_token_persist_globally configuration option implemented in NoamB/sorcery#690.

We use the option mentioned above, and due to the logic implemented here, any user with a remember_me_token persisted is automatically set to be remembered, even if the should_remember flag is false.

Would you accept a PR that brings back the remember_me_if_asked_to method?

joshbuker
joshbuker reviewed Sep 20, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@joshbuker joshbuker left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like I never finished submitting my review here...

EDIT: Never-mind, github's interface is just a little non-intuitive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshbuker joshbuker joshbuker left review comments

+1 more reviewer

@jessedoyle jessedoyle jessedoyle left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bzf @Ch4s3 @joshbuker @jessedoyle