Maybe/app/controllers/concerns/authentication.rb

module Authentication
  extend ActiveSupport::Concern

  included do
    before_action :set_request_details
    before_action :authenticate_user!
    before_action :set_sentry_user
  end

  class_methods do
    def skip_authentication(**options)
      skip_before_action :authenticate_user!, **options
      skip_before_action :set_sentry_user, **options
    end
  end

  private
    def authenticate_user!
      if session_record = find_session_by_cookie
        Current.session = session_record
      else
        if self_hosted_first_login?
          redirect_to new_registration_url
        else
          redirect_to new_session_url
        end
      end
    end

    def find_session_by_cookie
      cookie_value = cookies.signed[:session_token]
      Rails.logger.info "Looking for session with cookie value: #{cookie_value.present? ? 'present' : 'missing'}"
      session = Session.find_by(id: cookie_value)
      Rails.logger.info "Session found: #{session.present? ? 'yes' : 'no'}"
      session
    end

    def create_session_for(user)
      session = user.sessions.create!
      Rails.logger.info "Setting session cookie with value: #{session.id}"
      # Explicitly set SameSite attribute and ensure cookie is set properly
      cookies.signed.permanent[:session_token] = {
        value: session.id,
        httponly: true,
        same_site: :lax
      }
      session
    end

    def self_hosted_first_login?
      Rails.application.config.app_mode.self_hosted? && User.count.zero?
    end

    def set_request_details
      Current.user_agent = request.user_agent
      Current.ip_address = request.ip
    end

    def set_sentry_user
      return unless defined?(Sentry) && ENV["SENTRY_DSN"].present?

      if Current.user
        Sentry.set_user(
          id: Current.user.id,
          email: Current.user.email,
          username: Current.user.display_name,
          ip_address: Current.ip_address
        )
      end
    end
end
Split authentication concern from ApplicationController (#289) * Split authentication concern from ApplicationController * Remove empty space * Rubocop fixes 2024-02-05 06:05:13 +11:00			`module Authentication`
			`extend ActiveSupport::Concern`

			`included do`
Use DB for auth sessions (#1233) * DB sessions * Validations for profile image 2024-10-03 14:42:22 -04:00			`before_action :set_request_details`
Centralize auth (#598) 2024-04-03 10:35:55 -04:00			`before_action :authenticate_user!`
Add Sentry user context to authentication concern 2025-02-25 08:48:26 -06:00			`before_action :set_sentry_user`
Centralize auth (#598) 2024-04-03 10:35:55 -04:00			`end`

			`class_methods do`
			`def skip_authentication(**options)`
			`skip_before_action :authenticate_user!, **options`
Add Sentry user context to authentication concern 2025-02-25 08:48:26 -06:00			`skip_before_action :set_sentry_user, **options`
Centralize auth (#598) 2024-04-03 10:35:55 -04:00			`end`
Split authentication concern from ApplicationController (#289) * Split authentication concern from ApplicationController * Remove empty space * Rubocop fixes 2024-02-05 06:05:13 +11:00			`end`

			`private`
Rubocop updates (#1118) * Minimal code style enforcement * Formatting and lint code updates (no change in functionality) 2024-08-23 10:06:24 -04:00			`def authenticate_user!`
Impersonation (#1325) * Initial impersonation * Impersonation audit * Keep super admin separate * Remove vscode settings * Comment cleanup * Comment out impersonation fixtures for now * Remove unused controlelr * Add impersonation testing (#1326) * Add impersonation testing * Remove unused method * Update schema.rb * Update brakeman --------- Co-authored-by: Zach Gollwitzer <zach@maybe.co> 2024-10-18 11:26:58 -05:00			`if session_record = find_session_by_cookie`
Use DB for auth sessions (#1233) * DB sessions * Validations for profile image 2024-10-03 14:42:22 -04:00			`Current.session = session_record`
Rubocop updates (#1118) * Minimal code style enforcement * Formatting and lint code updates (no change in functionality) 2024-08-23 10:06:24 -04:00			`else`
Add basic self hosted onboarding (#1177) * Add basic self hosted onboarding * Lint fix * Normalize translations 2024-09-13 17:24:19 -04:00			`if self_hosted_first_login?`
			`redirect_to new_registration_url`
			`else`
			`redirect_to new_session_url`
			`end`
Rubocop updates (#1118) * Minimal code style enforcement * Formatting and lint code updates (no change in functionality) 2024-08-23 10:06:24 -04:00			`end`
Opt-in to Current fully (#297) 2024-02-05 10:36:46 +11:00			`end`
Split authentication concern from ApplicationController (#289) * Split authentication concern from ApplicationController * Remove empty space * Rubocop fixes 2024-02-05 06:05:13 +11:00
Impersonation (#1325) * Initial impersonation * Impersonation audit * Keep super admin separate * Remove vscode settings * Comment cleanup * Comment out impersonation fixtures for now * Remove unused controlelr * Add impersonation testing (#1326) * Add impersonation testing * Remove unused method * Update schema.rb * Update brakeman --------- Co-authored-by: Zach Gollwitzer <zach@maybe.co> 2024-10-18 11:26:58 -05:00			`def find_session_by_cookie`
Another attempt at fixing MFA issues 2025-03-05 13:10:53 -06:00			`cookie_value = cookies.signed[:session_token]`
			`Rails.logger.info "Looking for session with cookie value: #{cookie_value.present? ? 'present' : 'missing'}"`
			`session = Session.find_by(id: cookie_value)`
			`Rails.logger.info "Session found: #{session.present? ? 'yes' : 'no'}"`
			`session`
Impersonation (#1325) * Initial impersonation * Impersonation audit * Keep super admin separate * Remove vscode settings * Comment cleanup * Comment out impersonation fixtures for now * Remove unused controlelr * Add impersonation testing (#1326) * Add impersonation testing * Remove unused method * Update schema.rb * Update brakeman --------- Co-authored-by: Zach Gollwitzer <zach@maybe.co> 2024-10-18 11:26:58 -05:00			`end`

Use DB for auth sessions (#1233) * DB sessions * Validations for profile image 2024-10-03 14:42:22 -04:00			`def create_session_for(user)`
			`session = user.sessions.create!`
Another attempt at fixing MFA issues 2025-03-05 13:10:53 -06:00			`Rails.logger.info "Setting session cookie with value: #{session.id}"`
			`# Explicitly set SameSite attribute and ensure cookie is set properly`
			`cookies.signed.permanent[:session_token] = {`
			`value: session.id,`
			`httponly: true,`
			`same_site: :lax`
			`}`
Use DB for auth sessions (#1233) * DB sessions * Validations for profile image 2024-10-03 14:42:22 -04:00			`session`
Rubocop updates (#1118) * Minimal code style enforcement * Formatting and lint code updates (no change in functionality) 2024-08-23 10:06:24 -04:00			`end`
Add basic self hosted onboarding (#1177) * Add basic self hosted onboarding * Lint fix * Normalize translations 2024-09-13 17:24:19 -04:00
			`def self_hosted_first_login?`
			`Rails.application.config.app_mode.self_hosted? && User.count.zero?`
			`end`
Use DB for auth sessions (#1233) * DB sessions * Validations for profile image 2024-10-03 14:42:22 -04:00
			`def set_request_details`
			`Current.user_agent = request.user_agent`
			`Current.ip_address = request.ip`
			`end`
Add Sentry user context to authentication concern 2025-02-25 08:48:26 -06:00
			`def set_sentry_user`
			`return unless defined?(Sentry) && ENV["SENTRY_DSN"].present?`

			`if Current.user`
			`Sentry.set_user(`
			`id: Current.user.id,`
			`email: Current.user.email,`
			`username: Current.user.display_name,`
			`ip_address: Current.ip_address`
			`)`
			`end`
			`end`
Split authentication concern from ApplicationController (#289) * Split authentication concern from ApplicationController * Remove empty space * Rubocop fixes 2024-02-05 06:05:13 +11:00			`end`