Extract verified session logic into a concern

It was being duplicated a lot
rubygems · Nov 22, 2023 · 488077f · 488077f
1 parent d630c5e
commit 488077f
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 47 deletions.
diff --git a/app/controllers/adoptions_controller.rb b/app/controllers/adoptions_controller.rb
@@ -1,7 +1,9 @@
 class AdoptionsController < ApplicationController
+  include SessionVerifiable
+
   before_action :find_rubygem
   before_action :verify_ownership_requestable
-  before_action :redirect_to_verify, if: :current_user_is_owner?
+  before_action :redirect_to_verify, if: -> { current_user_is_owner? && !password_session_active? }
 
   def index
     @ownership_call     = @rubygem.ownership_call
@@ -18,10 +20,4 @@ def verify_ownership_requestable
   def current_user_is_owner?
     @rubygem.owned_by?(current_user)
   end
-
-  def redirect_to_verify
-    return if password_session_active?
-    session[:redirect_uri] = rubygem_adoptions_path(@rubygem.slug)
-    redirect_to verify_session_path
-  end
 end
diff --git a/app/controllers/api_keys_controller.rb b/app/controllers/api_keys_controller.rb
@@ -1,9 +1,8 @@
 class ApiKeysController < ApplicationController
   include ApiKeyable
-  before_action :redirect_to_signin, unless: :signed_in?
-  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
-  before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
-  before_action :redirect_to_verify, unless: :password_session_active?
+
+  include SessionVerifiable
+  verify_session_before
 
   def index
     @api_key  = session.delete(:api_key)
@@ -84,12 +83,20 @@ def reset
 
   private
 
-  def api_key_params
-    params.require(:api_key).permit(:name, *ApiKey::API_SCOPES, :mfa, :rubygem_id)
+  def verify_session_redirect_path
+    case action_name
+    when "reset", "destroy"
+      profile_api_keys_path
+    when "create"
+      new_profile_api_key_path
+    when "update"
+      edit_profile_api_key_path(params.require(:id))
+    else
+      super
+    end
   end
 
-  def redirect_to_verify
-    session[:redirect_uri] = profile_api_keys_path
-    redirect_to verify_session_path
+  def api_key_params
+    params.require(:api_key).permit(:name, *ApiKey::API_SCOPES, :mfa, :rubygem_id)
   end
 end
diff --git a/app/controllers/concerns/session_verifiable.rb b/app/controllers/concerns/session_verifiable.rb
@@ -0,0 +1,29 @@
+module SessionVerifiable
+  extend ActiveSupport::Concern
+
+  class_methods do
+    def verify_session_before(**opts)
+      before_action :redirect_to_signin, **opts, unless: :signed_in?
+      before_action :redirect_to_new_mfa, **opts, if: :mfa_required_not_yet_enabled?
+      before_action :redirect_to_settings_strong_mfa_required, **opts, if: :mfa_required_weak_level_enabled?
+      before_action :redirect_to_verify, **opts, unless: :password_session_active?
+    end
+  end
+
+  private
+
+  def verify_session_redirect_path
+    redirect_uri = request.path_info
+    redirect_uri += "?#{request.query_string}" if request.query_string.present?
+    redirect_uri
+  end
+
+  included do
+    private
+
+    def redirect_to_verify
+      session[:redirect_uri] = verify_session_redirect_path
+      redirect_to verify_session_path
+    end
+  end
+end
diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
@@ -1,12 +1,11 @@
 class OIDC::ApiKeyRolesController < ApplicationController
   include ApiKeyable
 
+  include SessionVerifiable
+  verify_session_before
+
   helper RubygemsHelper
 
-  before_action :redirect_to_signin, unless: :signed_in?
-  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
-  before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
-  before_action :redirect_to_verify, unless: :password_session_active?
   before_action :find_api_key_role, except: %i[index new create]
   before_action :redirect_for_deleted, only: %i[edit update destroy]
   before_action :set_page, only: :index
@@ -90,17 +89,23 @@ def destroy
 
   private
 
+  def verify_session_redirect_path
+    case action_name
+    when "create"
+      new_profile_api_key_path
+    when "update"
+      edit_profile_api_key_path
+    else
+      super
+    end
+  end
+
   def find_api_key_role
     @api_key_role = current_user.oidc_api_key_roles
       .includes(:provider)
       .find_by!(token: params.require(:token))
   end
 
-  def redirect_to_verify
-    session[:redirect_uri] = request.path_info + (request.query_string.present? ? "?#{request.query_string}" : "")
-    redirect_to verify_session_path
-  end
-
   def redirect_for_deleted
     redirect_to profile_oidc_api_key_roles_path, flash: { error: t(".deleted") } if @api_key_role.deleted_at?
   end

diff --git a/app/controllers/oidc/id_tokens_controller.rb b/app/controllers/oidc/id_tokens_controller.rb
@@ -3,10 +3,9 @@
 class OIDC::IdTokensController < ApplicationController
   include ApiKeyable
 
-  before_action :redirect_to_signin, unless: :signed_in?
-  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
-  before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
-  before_action :redirect_to_verify, unless: :password_session_active?
+  include SessionVerifiable
+  verify_session_before
+
   before_action :find_id_token, except: %i[index]
   before_action :set_page, only: :index
 
@@ -26,9 +25,4 @@ def show
   def find_id_token
     @id_token = current_user.oidc_id_tokens.find(params.require(:id))
   end
-
-  def redirect_to_verify
-    session[:redirect_uri] = request.path_info
-    redirect_to verify_session_path
-  end
 end
diff --git a/app/controllers/oidc/providers_controller.rb b/app/controllers/oidc/providers_controller.rb
@@ -1,10 +1,9 @@
 # frozen_string_literal: true
 
 class OIDC::ProvidersController < ApplicationController
-  before_action :redirect_to_signin, unless: :signed_in?
-  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
-  before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
-  before_action :redirect_to_verify, unless: :password_session_active?
+  include SessionVerifiable
+  verify_session_before
+
   before_action :find_provider, except: %i[index]
   before_action :set_page, only: :index
 
@@ -22,9 +21,4 @@ def show
   def find_provider
     @provider = OIDC::Provider.find(params.require(:id))
   end
-
-  def redirect_to_verify
-    session[:redirect_uri] = request.path_info
-    redirect_to verify_session_path
-  end
 end
diff --git a/app/controllers/owners_controller.rb b/app/controllers/owners_controller.rb
@@ -1,7 +1,9 @@
 class OwnersController < ApplicationController
+  include SessionVerifiable
+
   before_action :find_rubygem, except: :confirm
   before_action :render_forbidden, unless: :owner?, except: %i[confirm resend_confirmation]
-  before_action :redirect_to_verify, unless: :password_session_active?, only: %i[index create destroy]
+  verify_session_before only: %i[index create destroy]
   before_action :verify_mfa_requirement, only: %i[create destroy]
 
   def confirm
@@ -53,9 +55,8 @@ def destroy
 
   private
 
-  def redirect_to_verify
-    session[:redirect_uri] = rubygem_owners_url(@rubygem.slug)
-    redirect_to verify_session_path
+  def verify_session_redirect_path
+    rubygem_owners_url(params[:rubygem_id])
   end
 
   def token_params