From 796e7c98229487c5144ae12df3c5cee1d47f24b2 Mon Sep 17 00:00:00 2001
From: zmagod
Date: Tue, 24 Apr 2018 15:42:31 +0200
Subject: [PATCH 1/4] sign_out user after 7 days [fixes SCI-2323]

---
 app/controllers/application_controller.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index ce83efeb4..890cea781 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception, prepend: true
   before_action :authenticate_user!
+  before_action :check_max_session_time
   helper_method :current_team
   before_action :update_current_team, if: :user_signed_in?
   around_action :set_time_zone, if: :current_user
@@ -65,6 +66,13 @@ class ApplicationController < ActionController::Base
 
   private
 
+  def check_max_session_time
+    if current_user && current_user.current_sign_in_at + 7.days < Time.now
+      sign_out current_user
+      redirect_to new_user_session_path
+    end
+  end
+
   def update_current_team
     if current_user.current_team_id.blank? && current_user.teams.count > 0

From 589389fa8e7b42c570bcbe3d881b60ba7cef5348 Mon Sep 17 00:00:00 2001
From: zmagod
Date: Wed, 25 Apr 2018 11:00:22 +0200
Subject: [PATCH 2/4] fixex failing specs

---
 spec/factories/users.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index 0b5ee982f..dcdd9a9cf 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -5,5 +5,6 @@ FactoryBot.define do
     email 'admin_test@scinote.net'
     password 'asdf1243'
     password_confirmation 'asdf1243'
+    current_sign_in_at DateTime.now
   end
 end

From 05844535753beaf7f6b28e1d40ac88b8bb2bcb69 Mon Sep 17 00:00:00 2001
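Review bot: `current_user.current_sign_in_at + 7.days` in check_max_session_time raises NoMethodError when `current_sign_in_at` is nil (a user who has never signed in through Devise's trackable path, or legacy rows), which is the failure the follow-up factory change in patch 2 works around rather than fixes; the guard should tolerate a missing timestamp, e.g. `if current_user&.current_sign_in_at && current_user.current_sign_in_at < 7.days.ago`. As a Rails convention `Time.current` is preferred over `Time.now` so the comparison follows the configured zone. Since `sign_out` is followed by `redirect_to` inside a before_action, the filter chain halts correctly and no explicit `return` is needed. This filter is removed again in patch 3 of the series in favour of Devise `:timeoutable`, so the fix matters only if the custom check is kept.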
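Review bot: `current_sign_in_at DateTime.now` is a static FactoryBot attribute, so the value is evaluated once when the factory file is loaded, not per built user; with a seven-day window that is harmless in a single spec run, but static attributes were deprecated in later FactoryBot releases for exactly this reason. Prefer the dynamic block form `current_sign_in_at { Time.current }`, which also avoids the legacy `DateTime` class in favour of a zone-aware `Time`. A short comment would help future readers understand why a login timestamp is part of the default factory, e.g. `# needed because the session-age check in ApplicationController reads it`.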
From: zmagod
Date: Thu, 26 Apr 2018 17:18:03 +0200
Subject: [PATCH 3/4] fixes per @okriuchykhin 's request

---
 app/controllers/application_controller.rb | 8 --------
 app/models/user.rb                        | 3 ++-
 config/initializers/devise.rb             | 4 ++--
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 890cea781..ce83efeb4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,7 +6,6 @@ class ApplicationController < ActionController::Base
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception, prepend: true
   before_action :authenticate_user!
-  before_action :check_max_session_time
   helper_method :current_team
   before_action :update_current_team, if: :user_signed_in?
   around_action :set_time_zone, if: :current_user
@@ -66,13 +65,6 @@ class ApplicationController < ActionController::Base
 
   private
 
-  def check_max_session_time
-    if current_user && current_user.current_sign_in_at + 7.days < Time.now
-      sign_out current_user
-      redirect_to new_user_session_path
-    end
-  end
-
   def update_current_team
     if current_user.current_team_id.blank? && current_user.teams.count > 0
diff --git a/app/models/user.rb b/app/models/user.rb
index eaaaf23b3..5728aed2e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -5,7 +5,8 @@ class User < ApplicationRecord
   acts_as_token_authenticatable
   devise :invitable, :confirmable, :database_authenticatable, :registerable,
          :async, :recoverable, :rememberable, :trackable, :validatable,
-         :omniauthable, omniauth_providers: Extends::OMNIAUTH_PROVIDERS,
+         :rememberable, :timeoutable, :omniauthable,
+         omniauth_providers: Extends::OMNIAUTH_PROVIDERS,
          stretches: Constants::PASSWORD_STRETCH_FACTOR
   has_attached_file :avatar,
                     styles: {
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 8b7f0ac96..b98c3bea1 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -176,7 +176,7 @@ Devise.setup do |config|
 
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
-  # config.remember_for = 2.weeks
+  config.remember_for = 1.weeks
 
   # Invalidates all the remember me tokens when the user signs out.
   config.expire_all_remember_me_on_sign_out = true
@@ -200,7 +200,7 @@ Devise.setup do |config|
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  # config.timeout_in = 30.minutes
+  config.timeout_in = 3.hours
 
   # If true, expires auth token on session timeout.
   # config.expire_auth_token_on_timeout = false

From 19d5c687efa178b22a80374eef30764a5ccbf4c7 Mon Sep 17 00:00:00 2001
From: Zmago Devetak
Date: Thu, 3 May 2018 14:35:59 +0200
Subject: [PATCH 4/4] remove unneeded :rememberable module

---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 5728aed2e..a5b925c35 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -5,7 +5,7 @@ class User < ApplicationRecord
   acts_as_token_authenticatable
   devise :invitable, :confirmable, :database_authenticatable, :registerable,
          :async, :recoverable, :rememberable, :trackable, :validatable,
-         :rememberable, :timeoutable, :omniauthable,
+         :timeoutable, :omniauthable,
          omniauth_providers: Extends::OMNIAUTH_PROVIDERS,
          stretches: Constants::PASSWORD_STRETCH_FACTOR
   has_attached_file :avatar,
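Review bot: `config.remember_for = 1.weeks` is accepted by ActiveSupport but reads like a typo next to the template's own `2.weeks`; the idiomatic singular is `config.remember_for = 1.week`. Because this setting now stands in for the absolute seven-day limit removed from ApplicationController in the same patch, a one-line comment stating the intent would save the next reader a trip through the ticket, e.g. `# SCI-2323: remember-me cookies must not outlive one week`. Note that, as far as Devise's rememberable module goes, this cap only governs users who ticked "remember me"; plain sessions are unaffected by it.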
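Review bot: `config.timeout_in = 3.hours` is an inactivity timeout, not the absolute seven-day session lifetime patch 1 of this series set out to enforce for SCI-2323: a user who makes at least one request every three hours stays signed in indefinitely, and `remember_for` above caps only the remember-me cookie for users who opted into it. If an absolute lifetime is a requirement, `:timeoutable` still needs to be paired with a check on `current_sign_in_at` (or a login timestamp stored in the session) rather than replacing it. Devise enforces the timeout on requests that authenticate through the warden session; the `acts_as_token_authenticatable` path declared in user.rb presumably authenticates per request without a session and would be untouched by this setting — worth confirming against that gem before relying on it for API clients. The `expire_auth_token_on_timeout` line left commented out below is unrelated to that gem and is not the lever here.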