Using a module plug, I fetch the current users information from the database and store it in Plug.Conn.assigns as current_user. By inspecting the connection I see the current users details in the assigns but I'm unable to access any details.
For example, I would like to display the current user's name, as in, "you are logged in as #conn.assigns.current_user.name " but Phoenix is showing the current user is nil.
Please view the accompanying screenshot.
There is certainly a current_user object in the Plug.Conn.assigns. I should be able to access the name, "cooldude77#aol.com". So, why is Phoenix telling me the current_user is nil?
EDIT:
Adding the current user plug:
def call(conn, _params) do
if conn.assigns[:current_user] do
conn
else
user_id = get_session(conn, :user_id)
cond do
user = Repo.get_by(User, auth_id: user_id) ->
conn
|> assign(:current_user, user)
|> assign(:user_signed_in?, true)
true ->
conn
|> assign(:current_user, nil)
|> assign(:user_signed_in?, false)
end
end
end
So, here I'm using Auth0 for authentication. The user logs in at Auth0 and is redirected back to app with 3 attributes that I track, a unique auth_id, a name, and an avatar. Upon logging in I check if this is a new user by checking if their auth_id is saved in my database, if it is then I know they are a returning user and I assign the current_user object to the user. If they are a new user I add them to my database (where they are given some additional attributes) and assign the current_user object to the user.
Still experiencing this problem where I have a current_user in the connection but I cannot access the user's attributes - they are showing as nil
You should be able to just use #current_user.name in the template to get the user.
Also, since the value of current_user is set to nil in the plug when nobody is logged in, you can just do !!#current_user instead of #conn.assigns[:user_signed_in?] up above.
The assumptions of #Badu lead me to discover the issue. In my controller code I originally passed the current_user from the session to the render function like so:
def index(conn, _params) do
render(conn, "index.html", current_user: get_session(conn, :current_user))
end
As the application grew and I added more pages I had to keep grabbing the current user out of the session so I decided to replace this behavior with a plug, the code of which I posted above. However, I forgot to delete the current_user object I was storing in the connection from the controller. So, while a current_user object did exist in my connection, my view_template was accessing an older deprecated version of current_user, which did not have the same attributes, hence the nil values.
Related
I have an application where I save some information on the session that later I assign to the model when I save it to the DB.
For example I have the following model saved by User1:
...
MyModel model = new MyModel();
model.name = mypostedModel.name;
model.type = HttpContext.Session.GetString("UniqueTypeForThisUser");
...
After I save the model in my DB, at the end of the post method, I clear the session with this line:
HttpContext.Session.Clear();
Let's say at the same time there's a User2 creating a new model and I have saved another value in the session with a unique key for User2. Same way as before, at the end of the post method I clear the session with the Clear() method.
Does this clear session method clear the session for all users, or only for one user. If for example User1 saves the model first and clears the session for all users, then the User2 will get his session variable cleared (lost) and will assign a null value to my 'type' column for the model.
For the documentation this was not clear for me. Thanks
You Can remove specific keys
HttpContext.Session.Remove("YourSessionKey");
The session object that you can access for example through HttpContext.Session is specific to a single user. Everything you do there will only affect the user that belongs to this session and there is no mix between sessions of other users.
That also means that you do not need to choose session configuration key names that are somewhat specific to a user. So instead of using GetString("UniqueTypeForThisUser"), you can just refer to the values using a general constant name:
var value1 = HttpContext.Session.GetString("Value1");
var value2 = HttpContext.Session.GetString("Value2");
Each user session will then have these values independently. As a result, calling Session.Clear() will also only clear the session storage for that session that is specific to its user.
If you actually do need different means for storing state, be sure to check out the docs on application state. For example, things that should be stored independently of the user can be stored using an in-memory cache.
Does this clear session method clear the session for all users, or only for one user.
The HttpContext is the one for the current request. Since every user has a different request, it follows that clearing the session on the current request only clears it for that request's user, not all users.
We are using Doorkeeper gem to authenticate our users through an API. Everything is working fine since we've implemented it few years ago, we are using the password grant flow as in the example:
resource_owner_from_credentials do |_routes|
user = User.active.find_for_database_authentication(email: params[:username])
if user&.valid_password?(params[:password])
sign_in(user, force: true)
user
end
end
Doorkeeper is coupled with Devise, which enable reconfirmable strategy. As you can see in the code above, we are only allowing active users (a.k.a users with a confirmed email) to connect:
User.active.find_.....
Problem
Our specifications changed and now we want to return a different error on login (against /oauth/token) depending if the user has confirmed its email or not.
Right now, if login fails, Doorkeeper is returning the following JSON:
{
"error": "invalid_grant",
"error_description": "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
}
Ideally, we want to be able to return a custom description if and only if the current email trying to login is unconfirmed
We've checked the documentation on Doorkeeper but it does not seems to have an easy way (if any at all) to do this. The fact that resource_owner_from_credentials method is located in the config adds too much magic and not enough flexibility.
Any ideas ?
Ok so after digging a little bit, we found an easy way to work around this issue by overriding Doorkeeper::TokensController.
# frozen_string_literal: true
class TokensController < Doorkeeper::TokensController
before_action :check_if_account_is_pending, only: :create
private
def check_if_account_is_pending
user = User.find_by(email: params['username'])
render json: unconfirmed_account_error if user && !user.confirmed?
end
def unconfirmed_account_error
{ error: 'invalid', error_description: 'You must validate your email address before login' }
end
end
We also needed to make sure the routes were pointing to the custom controller:
use_doorkeeper do
controllers tokens: 'tokens'
end
Hope it can helps someone in the future
From this Simple authentication tutorial
I am looking to test routes of the app inside the :login_required pipeline (which simply checks if the client has called Guardian.Plug.sign_in(conn, user))
As the user_path show action needs to have been piped through the :login_required pipeline, I would have thought that to test this route I would simply need to write the following:
Auth.login_by_email_and_pass(conn, user.email, #password)
and then pipe the conn that comes out of that into:
get conn, user_path(conn, :show, user.id)
and check that I get a 200 status code.
But I can't get past the Auth.login_by_email_and_pass(conn, email, password) line and get the error:
session not fetched, call fetch_session/2
Where should I fetch the session?
I have tried bypass_through(conn, [:browser, :with_session])
I would have thought that the :browser pipeline invokes fetch_session which would have solved this issue.
I have also tried as calling fetch_session before and after, but still get the same error
You can use Plug.Test.init_test_session/2 to initialize the session. Since you don't need to put any data, you can pass an empty map as the second argument.
conn = conn
|> init_test_session(%{})
|> Auth.login_by_email_and_pass(user.email, #password)
I am wondering how to limit the connection to a channel or the streaming of messages over a channel in rails5. Currently I groups with users in the groups working with pundit and the connection to the websocket happens within that group. If a malicious user randomly guessed groups they could potentially read a message over a socket they shouldn't.
When you create a new message the following code is run in my controller:
if message.save
ActionCable.server.broadcast(
"messages_{message.groupchat_id}_channel",
message: message.content,
user: message.user.email
)
head :ok
end
I have no idea what I'm doing.
Here's the solution I found to use Pundit with Activecable.
First we need access to the user model. You can do that by following the instructions in the Action Cable Overview - Connection Setup. Mainly you need to change the code in connection.rb
# app/channels/application_cable/connection.rb
module ApplicationCable
class Connection < ActionCable::Connection::Base
identified_by :current_user
def connect
self.current_user = find_verified_user
end
private
def find_verified_user
if verified_user = User.find_by(id: cookies.encrypted[:user_id])
verified_user
else
reject_unauthorized_connection
end
end
end
end
Note: you may need to use a different way of finding your user. I'm using devise_token_auth and so needed to pass the uid, token, and client_id to the connection.rb and then got the user via this code:
if user && user.valid_token?(token, client_id)
user
else
reject_unauthorized_connection
end
I mention this just because how you get your user may vary. The main thing is that you need to use identified_by current_user and set it.
Another thing which I did not immediately find in the documentation, is that the current_user is now accessible by your channels. Since the user name may be different than your pundit_user name, I found it easiest to manually pass the user to Pundit at that point. So in subscribing with my channel file, I had this code:
def subscribed
message = MessagePolicy::Scope.new(self.current_user, Project).resolve.find(params[:message])
stream_for message
end
You could of course also manually authorize this way, instead of using Scope:
MessagePolicy.new(self.current_user, message).show?
You can add another layer of security for actioncable connections in app/channels/application_cable/connection.rb file.
You can follow this tutorial. I think this give you some idea:
https://www.learnenough.com/action-cable-tutorial#sec-login_protection
HEllo,
I'm using nhibernate and have problems regarding user registration on my site.
When user wants to register I create new user record in the database and immidiatelly after that the system is logging the user in.
Well here lies the problem... When creating user record I'm using
NHibernateSession.Save(entity); //does not saves user object immediately to the database. It's kept in the session.
And when I want to log the user in, i load the user by his user name, and then I get null user object.
Why am I getting a null object and how can I make it work?
Thanks
Ok, I just tested this :
ISession session = s.CreateSession();
User user = new User();
user.Number = 122;
user.UserName = "u";
user.Id = 1;
session.Save(user);
User user1 = session.CreateCriteria<User>().Add(Restrictions.Eq("UserName", "u")).UniqueResult<User>();
session.Flush();
First the Select is being executed from the CreateCriteria and then on Flush the insert. So that's why it's not finding anything.
I also tested with Get<User>(1) and it returns the entity passed to the Save method - no query is executed.
Still - why query the database since you have the entity right there ?
Also, you say you use Get and then say you want to load by the UserName - is the UserName the primary key ? Get tries to load by the primary key.
If your Save and Get are done from different sessions then the Get will return null because the object only exists in the other sessions internal cache until it is flushed.
I'm not sure if an L2 cache would make a difference (I don't if L2 cache is written at Save or Flush).