matthewford · January 28, 2025 22:39
diff --git a/warden_hooks.rb b/warden_hooks.rb
 # frozen_string_literal: true

 class SessionLeakError < StandardError
 end

 Warden::Manager.after_authentication do |record, warden, opts|
  request = ActionDispatch::Request.new(warden.env)
  SessionActivityTracker.clear(request, opts)

  warden.cookies.signed["#{opts[:scope]}.id"] = warden.session["signed_user_id"] = record.id
  identity = SessionActivityTracker.identify.(request, opts, record)

  SessionActivityTracker.track(
    type: "#{opts[:scope]}.login",
    identifier: identity,
    success: true,
    request: request,
    failure_reason: nil,
    metadata: opts
  )
 end

 Warden::Manager.after_set_user do |record, warden, opts|
  warden.cookies.signed["#{opts[:scope]}.id"] = record.id unless record.nil?

  # if for some reason the user who signed out is not the same
  # as the one we've fetched - sign out that user


  if record && warden.session["signed_user_id"].present?

    attrs = warden.env["action_dispatch.request.parameters"]
    is_password_reset = attrs["controller"] == "users/passwords"

    if warden.session["signed_user_id"] != record.id && !is_password_reset
      request = ActionDispatch::Request.new(warden.env)

      Appsignal.send_error(SessionLeakError.new("User misidentification: signed in as #{warden.session['signed_user_id']}, became: #{record.id}. referrer: #{request.referrer}")) do |transaction|
        transaction.set_action(request.original_fullpath)
        transaction.params = {
          violation: attrs
        }
      end

      warden.logout(opts[:scope])
    end

    # if it's a password reset page and the emails match (in case user got deleted before)
    # update the signed user id
    if is_password_reset && User.unscoped.find_by(id: warden.session["signed_user_id"]).try(:email) == record.email
      warden.session["signed_user_id"] = record.id
    end
  end
 end

 Warden::Manager.before_logout do |record, warden, opts|
  request = ActionDispatch::Request.new(warden.env)
  identity = SessionActivityTracker.identify.(request, opts, record)

  unless identity.nil?
    SessionActivityTracker.track(
      type: "#{opts[:scope]}.logout",
      identifier: identity,
      success: true,
      request: request,
      failure_reason: nil,
      metadata: opts
    )
  end

  SessionActivityTracker.clear(request, opts)
 end

 Warden::Manager.before_failure do |env, opts|
  request = ActionDispatch::Request.new(env)
  identity = SessionActivityTracker.identify.(request, opts, nil)

  unless identity.nil?
    SessionActivityTracker.track(
      type: "#{opts[:scope]}.failure",
      identifier: identity,
      success: false,
      request: request,
      failure_reason: opts[:message].to_s,
      metadata: opts
    )
  end

  SessionActivityTracker.clear(request, opts)
 end

 module SessionActivityTracker
  class << self
    attr_accessor :identify
  end

  self.identify = lambda do |request, opts, user|
    identifier = if user
                   user&.id
                 else
                   cookies = request.env.dig("warden")&.cookies
                   cookies.signed["#{opts[:scope]}.id"] rescue nil
                 end

    return identifier if identifier.present?

    scope = opts[:scope].to_s.classify.safe_constantize
    user = scope.where_assoc_exists([:session_activities], {request_id: request.uuid}).first

    return user&.id
  end

  def self.clear(request, opts)
    cookies = request.env.dig("warden")&.cookies
    cookies.delete("#{opts[:scope]}.id")
  end

  def self.track(type:, success:, request:, identifier: nil, failure_reason: nil, metadata: {})
    data = {
      type: type,
      success: success,
      failure_reason: failure_reason,
      user_id: identifier,
      request_id: request.uuid,
      ip: request.remote_ip,
      user_agent: request.user_agent,
      referrer: request.referrer,
      metadata: metadata
    }

    if request.params[:controller]
      data[:context] = "#{request.params[:controller]}##{request.params[:action]}"
    end

    ::SessionActivity.create!(data)
  rescue StandardError => e
    nil
  end
 end
	# frozen_string_literal: true

	class SessionLeakError < StandardError
	end

	Warden::Manager.after_authentication do \|record, warden, opts\|
	request = ActionDispatch::Request.new(warden.env)
	SessionActivityTracker.clear(request, opts)

	warden.cookies.signed["#{opts[:scope]}.id"] = warden.session["signed_user_id"] = record.id
	identity = SessionActivityTracker.identify.(request, opts, record)

	SessionActivityTracker.track(
	type: "#{opts[:scope]}.login",
	identifier: identity,
	success: true,
	request: request,
	failure_reason: nil,
	metadata: opts
	)
	end

	Warden::Manager.after_set_user do \|record, warden, opts\|
	warden.cookies.signed["#{opts[:scope]}.id"] = record.id unless record.nil?

	# if for some reason the user who signed out is not the same
	# as the one we've fetched - sign out that user


	if record && warden.session["signed_user_id"].present?

	attrs = warden.env["action_dispatch.request.parameters"]
	is_password_reset = attrs["controller"] == "users/passwords"

	if warden.session["signed_user_id"] != record.id && !is_password_reset
	request = ActionDispatch::Request.new(warden.env)

	Appsignal.send_error(SessionLeakError.new("User misidentification: signed in as #{warden.session['signed_user_id']}, became: #{record.id}. referrer: #{request.referrer}")) do \|transaction\|
	transaction.set_action(request.original_fullpath)
	transaction.params = {
	violation: attrs
	}
	end

	warden.logout(opts[:scope])
	end

	# if it's a password reset page and the emails match (in case user got deleted before)
	# update the signed user id
	if is_password_reset && User.unscoped.find_by(id: warden.session["signed_user_id"]).try(:email) == record.email
	warden.session["signed_user_id"] = record.id
	end
	end
	end

	Warden::Manager.before_logout do \|record, warden, opts\|
	request = ActionDispatch::Request.new(warden.env)
	identity = SessionActivityTracker.identify.(request, opts, record)

	unless identity.nil?
	SessionActivityTracker.track(
	type: "#{opts[:scope]}.logout",
	identifier: identity,
	success: true,
	request: request,
	failure_reason: nil,
	metadata: opts
	)
	end

	SessionActivityTracker.clear(request, opts)
	end

	Warden::Manager.before_failure do \|env, opts\|
	request = ActionDispatch::Request.new(env)
	identity = SessionActivityTracker.identify.(request, opts, nil)

	unless identity.nil?
	SessionActivityTracker.track(
	type: "#{opts[:scope]}.failure",
	identifier: identity,
	success: false,
	request: request,
	failure_reason: opts[:message].to_s,
	metadata: opts
	)
	end

	SessionActivityTracker.clear(request, opts)
	end

	module SessionActivityTracker
	class << self
	attr_accessor :identify
	end

	self.identify = lambda do \|request, opts, user\|
	identifier = if user
	user&.id
	else
	cookies = request.env.dig("warden")&.cookies
	cookies.signed["#{opts[:scope]}.id"] rescue nil
	end

	return identifier if identifier.present?

	scope = opts[:scope].to_s.classify.safe_constantize
	user = scope.where_assoc_exists([:session_activities], {request_id: request.uuid}).first

	return user&.id
	end

	def self.clear(request, opts)
	cookies = request.env.dig("warden")&.cookies
	cookies.delete("#{opts[:scope]}.id")
	end

	def self.track(type:, success:, request:, identifier: nil, failure_reason: nil, metadata: {})
	data = {
	type: type,
	success: success,
	failure_reason: failure_reason,
	user_id: identifier,
	request_id: request.uuid,
	ip: request.remote_ip,
	user_agent: request.user_agent,
	referrer: request.referrer,
	metadata: metadata
	}

	if request.params[:controller]
	data[:context] = "#{request.params[:controller]}##{request.params[:action]}"
	end

	::SessionActivity.create!(data)
	rescue StandardError => e
	nil
	end
	end