Check FB Connect session expire using facebooker - ruby-on-rails

How do I check whether a FB Connect session is still valid using the Rails facebooker plugin? Is there any helper or module that can check the session? I figured out that if I open up 2 tabs in the browser, one logged in with Facebook and another with my site, logged in using FB Connect: when the user tries to log out of my site, Facebook will erase both cookies, but when the user logs out through Facebook, it erases the cookie on the Facebook site only, so the cookie on my site is still left behind and I need to check whether the cookie is still valid or not...

Using Facebooker, you'll get an exception when you try to use the session, which can be rescue_from'd in application.rb:

rescue_from Facebooker::Session::SessionExpired, :with => :facebook_session_expired

def facebook_session_expired
  clear_fb_cookies!                  # delete the Facebook Connect cookies set on this domain
  clear_facebook_session_information # forget the cached Facebooker session object
  reset_session                      # remove your cookies!
  flash[:error] = "Your facebook session has expired."
  redirect_to root_url
end

I can't upvote things yet, but the answer that adds the line:

  page.redirect_to url

is correct. I'd recommend adding it to Facebooker if Mike is reading.

The fb_logout_link method does not redirect when the Facebook session is invalid. Add a redirect callback to your logout_path and it will do the job for you:

def fb_logout_link(text, url, *args)
  js = update_page do |page|
    page.call "FB.Connect.logoutAndRedirect", url
    # When the session is valid, this call is meaningless, since we already redirect.
    # When the session is invalid, it will log the user out of the system.
    page.redirect_to url # You can use any *string* based path here
  end
  link_to_function text, js, *args
end

Related

omniauth - session empty after auth token returned

I'm hoping someone can help me figure out what's going wrong with an auth I'm adding to an app. The app itself uses normal authentication (username/password) using Devise. Once a user is logged in, they are supposed to be able to connect to their email provider using OAuth (currently working on Microsoft 365), which is what I'm working on right now.
I'm using the omniauth-oauth2 gem to implement the authentication, and as far as I can tell everything is working: the user is presented with the MS login page, and a POST request is returned with the token. All looks good; however, when the callback comes in, the original user session is completely empty, and when I then redirect the user back to another page, they are kicked back to the login screen.
My callback is really simple at the moment:

def auth_callback
  # data = request.env['omniauth.auth']
  if has_permission?
    flash[:notice] = 'YAY!'
    redirect_to root_url
  else
    flash[:alert] = "Could not authenticate with your mailbox"
    redirect_to new_mailbox_path
  end
end

I'm not doing anything with the data, and I know that in a normal authentication system this is where I'd be getting/creating the user and signing in, but the user should already be signed in. And since they weren't created by OAuth, I can't really use the MS user ID to find them anyway.
The only solution I can think of is to send the user ID in the state when requesting auth from MS, so that when it is returned I can match that up and then "sign in" the user again, but that feels wrong.
I am already bypassing CSRF, so it shouldn't be that wiping it out:

skip_before_action :verify_authenticity_token, only: %i[auth_callback]
skip_before_action :authenticate_user!, only: %i[auth_callback]
Is there anything else that would cause the session to be lost like this?

logout from application but can not able to logout from google account while using google authentication

I do login authentication with Google in a Rails app. I had a problem: when I log out, it redirects to my index page, but I am not able to log out from the Google account.
I was doing login authentication for the first time. Please, can anyone help me?
Thank you in advance.
Here I write my code, where I was wrong:

def create
  # Look the user up (or create them) from the OmniAuth hash, then store the id in the session
  @user = Authentication.find_or_create_from_auth_hash(request.env["omniauth.auth"])
  session[:user_id] = @user.id
  redirect_to '/'
end

def destroy
  # Only the app's own session is dropped here; nothing is sent to Google
  session[:user_id] = nil
  redirect_to '/login'
end
This is not how it works.
Consider doing this: open your Rails app -> log in with Google -> you'll see your Rails app dashboard -> now open a new tab and open google.com -> log out from there -> now switch back to your Rails app and reload the page.
Even though you're logged out of Google, you're still signed in to your Rails app.
This means that your Rails app is not exactly your Google account. They are both independent. Your Rails app (through OmniAuth) just requests the Google data with an OAuth API, which will authorize the app and then send the access token, and with this token you get the Google data (like email), etc.
However, if you still want to log the user out of the Google account, you can use alternatives like the one in this answer and multiple answers from this thread.

Devise - redirecting to resend confirmation instruction page after confirmation

I am using Ruby 2.0, Rails 4.0 and Devise 3.0.3.
I have changed my app to a new domain, so I changed the host in the development.rb file as below:

config.action_mailer.default_url_options = { :host => 'xxxxx.com' }

After this, when I sign up and click the confirmation link in the mail, my account gets confirmed but it takes me to the resend confirmation instructions page.
This is my after-confirmation path:

def after_confirmation_path_for(resource_or_scope)
  new_order_path
end

I want to go to new_order_path.
Where am I making a mistake? Should I change it in any other place?
Please, someone help me with this.
Note: on my old domain it was working fine.
Usually this occurs due to session persistence.
Once you send the invitation, sign out of your website (I assume you have a "sign out" link at the top of your page).
Then view the confirmation mail that was sent and click on the link. This way, when the browser opens the page, it will use the token in the URL of the confirmation link to authenticate the new user.

ROR user authentication

In my web app, after a user logs in, a new session is created, so until he closes the browser he stays logged in. The problem appears when an admin wants to ban a user whose browser is still open. Even though the user is banned and cannot log in anymore, he still stays logged in until he closes the browser or manually logs out. This definitely should be fixed.
Is it possible to add a verifying method to every action of every controller? Of course I mean a smart way, not copy/paste 100 times.
Add the following to your application controller:

before_filter :sign_out_banned_user

def sign_out_banned_user
  # Runs before every action; guard against current_user being nil for anonymous requests
  if current_user && current_user.banned?
    session[:current_user_id] = nil
    redirect_to root_path, :notice => "You are banned"
    return false
  end
end

You must reset the session also, I think.

Rails: sign out logged in user on event

I'm using Rails 3 with the Devise gem. It does a great job when you need to lock a user from signing in.
But it works just for new login attempts.
If he is already logged in, it won't sign him out immediately.
Here is the typical use case:
Given an admin user,
when he detects suspicious activity of a certain user, he locks it with malicious_user.lock('locking-reason').
config/initializers/session_store.rb:

AppFoo::Application.config.session_store :cookie_store, :key => '_foo_session'
Given HTTP's statelessness, you can't immediately log out a user, because you will need to wait until they make another request to your server. You could get around this via a push service, I suppose, but that would be overkill.
My solution would be to add that person to a blacklist and then check if they're on the blacklist whenever they try to access a section intended for logged-on users only. This will render them unable to log on until you decide whether or not their activity is suspicious.
Example:
1. User is suspected of intolerable activity.
2. Admin wants to check this out, so they temporarily add the user to the blacklist.
3. User clicks on an area of the page they were currently on when added to the blacklist.
4. Code checks for login status and blacklisted users.
5. Since the user is blacklisted, they are informed that they need to sign in to access the content.
6. Once the user tries to sign in again, you can inform them that their account has been temporarily disabled (or you can do this in the previous step).
Perhaps the easiest way would be to redirect the user to the logout action when you lock them, so:

malicious_user.lock('locking-reason')
redirect_to '/logout' and return

I'm not familiar with Devise, so this may not be the best solution or even possible, but it's how I would approach the problem.
Use a before_filter in the ApplicationController that will do the following:

before_filter :kick_out_blocked_user

protected

def kick_out_blocked_user
  # try(:active?) returns nil for an anonymous request and false for a locked user
  unless current_user.try(:active?)
    redirect_to destroy_user_session_path
  end
end
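The two before_filter answers above (sign_out_banned_user for the banned-user question and kick_out_blocked_user for the Devise lock question) rely on the same idea: a lock set by an admin only takes effect when the locked browser sends its next request, so the check has to run on every request and must drop the stale session when it fails. The following is an added example, not code from any of the posts: a plain-Ruby model of that check with no Rails dependency. UserStore, RevocationFilter, Outcome and the path constant are invented for the example; the only part taken from the posts is the shape of the check (current_user.try(:active?) plus a session reset and a redirect to the sign-out path).

```ruby
# Added example: per-request revocation check in plain Ruby (no Rails).
# A User can be locked by an admin at any time; the filter runs before every
# action and signs out a session whose user is no longer active.

User = Struct.new(:id, :name, :locked_at, :lock_reason) do
  def active?
    locked_at.nil?
  end

  # Mirrors malicious_user.lock('locking-reason') from the question.
  def lock(reason, now: Time.now)
    self.locked_at = now
    self.lock_reason = reason
  end
end

# Hypothetical in-memory stand-in for User.find.
class UserStore
  def initialize
    @users = {}
  end

  def add(user)
    @users[user.id] = user
  end

  def find(id)
    @users[id]
  end
end

# What the filter decides: :continue lets the action run, :redirect halts it.
Outcome = Struct.new(:status, :redirect_to, :notice)

class RevocationFilter
  LOGOUT_PATH = '/users/sign_out' # stand-in for destroy_user_session_path

  def initialize(store)
    @store = store
  end

  # session is a mutable Hash, like the Rails session object.
  def call(session)
    user_id = session[:current_user_id]
    # Anonymous request: nothing to revoke, leave it to the normal login check.
    return Outcome.new(:continue) if user_id.nil?

    user = @store.find(user_id)
    # Same condition as current_user.try(:active?): a deleted user (nil) or a
    # locked user both fail, and the cookie the browser still holds is reset.
    unless user&.active?
      session.clear
      notice = user ? "Your account is locked: #{user.lock_reason}" : 'Please sign in again'
      return Outcome.new(:redirect, LOGOUT_PATH, notice)
    end

    Outcome.new(:continue)
  end
end

# Walks through the scenario in the question: the user is signed in, an admin
# locks the account while the browser still holds a valid session, and the
# very next request from that browser is signed out.
def demo_lock_sequence
  store = UserStore.new
  mallory = User.new(42, 'mallory', nil, nil) # constructed sample user
  store.add(mallory)
  filter = RevocationFilter.new(store)

  session = { current_user_id: 42 }   # cookie-backed session the browser holds
  first = filter.call(session)        # before the lock: request proceeds
  mallory.lock('suspicious activity') # admin action; no request from mallory involved
  second = filter.call(session)       # next request from the same browser

  [first.status, second.status, session.empty?, second.redirect_to]
end

if __FILE__ == $PROGRAM_NAME
  p demo_lock_sequence
end
```

The point the example makes beyond the answers is the anonymous case: a filter written as `unless current_user.try(:active?)` also fires for visitors who are not signed in at all, so it is worth returning early when the session carries no user and leaving that case to the regular authentication filter.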
