defmodule LivebookWeb.UserPlug do # Initializes the session and cookies with user-related info. # # The first time someone visits Livebook # this plug stores a new random user id or the ZTA user # in the session under `:identity_data`. # # Additionally the cookies are checked for the presence # of `"user_data"` and if there is none, a new user # attributes are stored there. This makes sure # the client-side can always access some `"user_data"` # for `connect_params` of the socket connection. @behaviour Plug import Plug.Conn import Phoenix.Controller alias Livebook.Users.User @impl true def init(opts), do: opts @impl true def call(conn, _opts) do conn |> ensure_user_identity() |> ensure_user_data() |> mirror_user_data_in_session() end defp ensure_user_identity(conn) do {_type, module, _key} = Livebook.Config.identity_provider() {conn, identity_data} = module.authenticate(LivebookWeb.ZTA, conn, []) if identity_data do put_session(conn, :identity_data, identity_data) else conn |> put_status(:forbidden) |> put_view(LivebookWeb.ErrorHTML) |> render("403.html", %{status: 403}) |> halt() end end defp ensure_user_data(conn) when conn.halted, do: conn defp ensure_user_data(conn) do if Map.has_key?(conn.req_cookies, "lb:user_data") do conn else identity_data = get_session(conn, :identity_data) user_data = User.new() |> client_user_data() |> Map.merge(identity_data) encoded = user_data |> Jason.encode!() |> Base.encode64() # We disable HttpOnly, so that it can be accessed on the client # and set expiration to 5 years opts = [http_only: false, max_age: 157_680_000] ++ LivebookWeb.Endpoint.cookie_options() put_resp_cookie(conn, "lb:user_data", encoded, opts) end end defp client_user_data(user) do user |> Map.from_struct() |> Map.delete(:id) |> Map.delete(:payload) end # Copies user_data from cookie to session, so that it's # accessible to LiveViews defp mirror_user_data_in_session(conn) when conn.halted, do: conn defp mirror_user_data_in_session(conn) do user_data = conn.cookies["lb:user_data"] |> Base.decode64!() |> Jason.decode!() put_session(conn, :user_data, user_data) end end