Use DB for auth sessions (#1233)

* DB sessions

* Validations for profile image

app/controllers/concerns/authentication.rb

@@ -2,6 +2,7 @@ module Authentication
   extend ActiveSupport::Concern
 
   included do
+    before_action :set_request_details
     before_action :authenticate_user!
   end
 
@@ -12,10 +13,9 @@ module Authentication
   end
 
   private
-
     def authenticate_user!
-      if user = User.find_by(id: session[:user_id])
-        Current.user = user
+      if session_record = Session.find_by_id(cookies.signed[:session_token])
+        Current.session = session_record
       else
         if self_hosted_first_login?
           redirect_to new_registration_url
@@ -25,23 +25,18 @@ module Authentication
       end
     end
 
-    def login(user)
-      Current.user = user
-      reset_session
-      session[:user_id] = user.id
-      set_last_login_at
-    end
-
-    def logout
-      Current.user = nil
-      reset_session
-    end
-
-    def set_last_login_at
-      Current.user.update(last_login_at: DateTime.now)
+    def create_session_for(user)
+      session = user.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      session
     end
 
     def self_hosted_first_login?
       Rails.application.config.app_mode.self_hosted? && User.count.zero?
     end
+
+    def set_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
 end

app/controllers/registrations_controller.rb

@@ -17,7 +17,7 @@ class RegistrationsController < ApplicationController
 
     if @user.save
       Category.create_default_categories(@user.family)
-      login @user
+      @session = create_session_for(@user)
       flash[:notice] = t(".success")
       redirect_to root_path
     else

app/controllers/sessions_controller.rb

@@ -1,4 +1,5 @@
 class SessionsController < ApplicationController
+  before_action :set_session, only: :destroy
   skip_authentication only: %i[new create]
 
   layout "auth"
@@ -8,7 +9,7 @@ class SessionsController < ApplicationController
 
   def create
     if user = User.authenticate_by(email: params[:email], password: params[:password])
-      login user
+      @session = create_session_for(user)
       redirect_to root_path
     else
       flash.now[:alert] = t(".invalid_credentials")
@@ -17,7 +18,12 @@ class SessionsController < ApplicationController
   end
 
   def destroy
-    logout
+    @session.destroy
     redirect_to root_path, notice: t(".logout_successful")
   end
+
+  private
+    def set_session
+      @session = Current.user.sessions.find(params[:id])
+    end
 end

app/controllers/settings/profiles_controller.rb

@@ -23,7 +23,7 @@ class Settings::ProfilesController < SettingsController
 
   def destroy
     if Current.user.deactivate
-      logout
+      Current.session.destroy
       redirect_to root_path, notice: t(".success")
     else
       redirect_to settings_profile_path, alert: Current.user.errors.full_messages.to_sentence
@@ -31,7 +31,6 @@ class Settings::ProfilesController < SettingsController
   end
 
   private
-
     def user_params
       params.require(:user).permit(:first_name, :last_name, :profile_image,
                                    family_attributes: [ :name, :id ])