Refactor ID card sign-in

- Extract to Devise custom strategy - Use `SSL_CLIENT_S_DN_CN` env variable instead of `SSL_CLIENT_S_DN` to get ID card data - Remove `database_authenticatable` strategy from `RegistrantUser` Closes #1047
2025-06-10 14:44:47 +02:00 · 2019-01-30 19:08:29 +02:00 · 2019-01-30 19:08:29 +02:00 · a08f063640
commit a08f063640
parent 27976c3fbd
20 changed files with 266 additions and 89 deletions
--- a/app/controllers/registrant/sessions_controller.rb
+++ b/app/controllers/registrant/sessions_controller.rb
@ -1,26 +1,6 @@
 class Registrant::SessionsController < Devise::SessionsController
  layout 'registrant/application'

-  def new; end
-
-  def id
-    client_certificate_subject = request.env['SSL_CLIENT_S_DN']
-    client_certificate_issuer = request.env['SSL_CLIENT_I_DN_O']
-
-    if Rails.env.development?
-      client_certificate_subject = 'test'
-      client_certificate_issuer = RegistrantUser::ACCEPTED_ISSUER
-    end
-
-    @user = RegistrantUser.find_or_create_by_idc_data(client_certificate_subject, client_certificate_issuer)
-    if @user
-      sign_in_and_redirect(:registrant_user, @user, event: :authentication)
-    else
-      flash[:alert] = t('login_failed_check_id_card')
-      redirect_to new_registrant_user_session_url
-    end
-  end
-
  def login_mid
    @user = User.new
  end
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -48,15 +48,22 @@ class Registrar
      end
    end

-    def id
-      @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
+    def id_card
+      self.resource = warden.authenticate!(auth_options)

-      if @user
-        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
-      else
-        flash[:alert] = t('no_such_user')
-        redirect_to new_registrar_user_session_url
+      restricted_ip = Authorization::RestrictedIP.new(request.ip)
+      ip_allowed = restricted_ip.can_access_registrar_area?(resource.registrar)
+
+      unless ip_allowed
+        render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
+        warden.logout(:registrar_user)
+        return
      end
+
+      set_flash_message!(:notice, :signed_in)
+      sign_in(resource_name, resource)
+      yield resource if block_given?
+      respond_with resource, location: after_sign_in_path_for(resource)
    end

    def login_mid