Commit a2bcf9c9 authored by mh's avatar mh

make controller more readable

* actions are public
* helpers on top of private
* everything else is an implementation detail in a controller.

This makes it clear what each method is for.
parent 306a071c
......@@ -5,50 +5,14 @@ require 'jsobfu'
class SessionsController < ApplicationController
CountIpFails = false
def client_auth_key
ip = "#{request.remote_ip} #{request.headers['X-Forwarded-For']}"
"auth_fail_#{Digest::SHA256::hexdigest(ip)}"
end
def horde_handoff_auth
str = "#{@user}#{Config['horde_shared_secret']}#{Time.now.to_i/100}"
Digest::SHA256.hexdigest(str)
end
helper_method :horde_handoff_auth
def pre_auth
u = params[:user_id]
return nil unless EmailValidation.immerda_email_conform(u)
session[:pre_auth] ||= ApiBackend::pre_auth(u)
rescue
nil
def destroy
reset_user_session
redirect_to '/login'
end
def security_level
u = pre_auth || {'auth_failures' => 0, 'locked' => false}
client_fails =
if CountIpFails
Rails.cache.read(client_auth_key) || 0
else
0
end
session_fails = session[:auth_failures] || 0
total_fails = client_fails + session_fails + u['auth_failures']
captcha = u['locked'] || total_fails > 5
wait = [4, total_fails/4.0].min
wait += rand()*3 if wait > 0.5
redirects = [2, total_fails/2].min
redirects += [0,1].sample if redirects > 0
{
# how many pow do we want from the client
redirects: redirects,
# how many seconds to throttle between pow
wait: wait,
# how hard are the pow
pow_factor: [3, (total_fails/4)+1].min + [0,1].sample,
# do we want an additional captcha
enable_captcha: captcha
}
def new
flash[:notice] = nil
new_login_session
end
def create
......@@ -161,6 +125,39 @@ class SessionsController < ApplicationController
return login_failed
end
private
def horde_handoff_auth
str = "#{@user}#{Config['horde_shared_secret']}#{Time.now.to_i/100}"
Digest::SHA256.hexdigest(str)
end
helper_method :horde_handoff_auth
def handoff_url
has_instance = !!params[:handoff_instance]
instance = params[:handoff_instance].to_i
case @handoff
when 'webmail'
if request.host =~ /ysp4gfuhnmj6b4mb\.onion/
'https://webmail.ysp4gfuhnmj6b4mb.onion/'
else
if has_instance
"https://horde-prod-#{instance}.immerda.ch/"
else
'https://webmail.immerda.ch/'
end
end
when 'webmail-dev'
if has_instance
"https://horde-dev-#{instance}.immerda.ch/"
else
'https://horde-dev.immerda.ch/'
end
end
end
helper_method :handoff_url
def new_login_session
f = flash[:notice]
fails = session[:auth_failures] || 0
......@@ -184,16 +181,45 @@ class SessionsController < ApplicationController
session[:auth_failures] += 1
end
def destroy
reset_user_session
redirect_to '/login'
def client_auth_key
ip = "#{request.remote_ip} #{request.headers['X-Forwarded-For']}"
"auth_fail_#{Digest::SHA256::hexdigest(ip)}"
end
def new
flash[:notice] = nil
new_login_session
def security_level
u = pre_auth || {'auth_failures' => 0, 'locked' => false}
client_fails =
if CountIpFails
Rails.cache.read(client_auth_key) || 0
else
0
end
session_fails = session[:auth_failures] || 0
total_fails = client_fails + session_fails + u['auth_failures']
captcha = u['locked'] || total_fails > 5
wait = [4, total_fails/4.0].min
wait += rand()*3 if wait > 0.5
redirects = [2, total_fails/2].min
redirects += [0,1].sample if redirects > 0
{
# how many pow do we want from the client
redirects: redirects,
# how many seconds to throttle between pow
wait: wait,
# how hard are the pow
pow_factor: [3, (total_fails/4)+1].min + [0,1].sample,
# do we want an additional captcha
enable_captcha: captcha
}
end
def pre_auth
u = params[:user_id]
return nil unless EmailValidation.immerda_email_conform(u)
session[:pre_auth] ||= ApiBackend::pre_auth(u)
rescue
nil
end
private
# We require the client to do some work, to discourage bruteforceing the pw
# using this form. The client is expected to return a proof such that
......@@ -214,9 +240,6 @@ class SessionsController < ApplicationController
['webmail', 'webmail-dev']
end
def authorize
end
def allowed_user?(user)
if Admin::Enabled
Admin::Admins.include?(user)
......@@ -297,28 +320,7 @@ EOF
end
end
def handoff_url
has_instance = !!params[:handoff_instance]
instance = params[:handoff_instance].to_i
case @handoff
when 'webmail'
if request.host =~ /ysp4gfuhnmj6b4mb\.onion/
'https://webmail.ysp4gfuhnmj6b4mb.onion/'
else
if has_instance
"https://horde-prod-#{instance}.immerda.ch/"
else
'https://webmail.immerda.ch/'
end
end
when 'webmail-dev'
if has_instance
"https://horde-dev-#{instance}.immerda.ch/"
else
'https://horde-dev.immerda.ch/'
end
end
def authorize
# we do not authorize this controller
end
helper_method :handoff_url
end
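Review bot: `pre_auth` (hunk `@@ -184,16 +181,45 @@`) still ends in a bare `rescue` that returns `nil` for any `StandardError` raised by `EmailValidation.immerda_email_conform` or `ApiBackend::pre_auth`, and `security_level` then substitutes `{'auth_failures' => 0, 'locked' => false}`, so a backend outage or unexpected exception silently resets a locked or heavily-failed account to the least restrictive throttle. The commit only moves these methods, so this fail-open path is carried over unchanged and is now the easiest thing to miss in a file that otherwise reads as a pure reorder. Rescuing explicitly and recording the failure would at least make it observable: `rescue StandardError => e`, `Rails.logger.warn("pre_auth failed: #{e.class}")`, `nil`; whether a backend error should instead be treated as `locked` in `security_level` is a policy decision that deserves a one-line comment there either way. Separately, `session[:pre_auth] ||= ...` memoises the first non-nil answer for the whole session and is not keyed on `params[:user_id]`, so later attempts in the same session (including with a different user id, if that can happen) appear to reuse the first lookup's `auth_failures`/`locked` values — if that is intended, a short comment stating it would help.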