refactor security system

2012-12-11 11:27:41 +01:00
parent f19044ae6a
commit 009b84f7cd
10 changed files with 151 additions and 103 deletions
@@ -1,6 +1,6 @@
 // This is a manifest file that'll be compiled into application.js, which will include all the files
 // listed below.
-// a
+// 
 // Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
 // or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
 //
@@ -39,7 +39,7 @@ var path_mapping = {
  list_products: '/list_products',
  active_list: '/active_list',
  history_list: '/history_list',
-  obtain_user_token: '/obtain_token',
+  obtain_token: '/obtain_token',
  lists_history: '/list_history'
 }
 var $translations = {
@@ -119,7 +119,7 @@ function redirect_to(mapping, variables){
  var vars = [];
  for(var name in variables){
    vars.push(name + '=' +variables[name]);
-    Qstorage[name] = variables[name];
+    Qstorage.setItem(name, variables[name]);
  }
  window.location = QMobile.root_url() + path_mapping[mapping] + '.html'
 }
@@ -154,22 +154,21 @@ function t(path, vars){
 $.ajaxSetup({
  error: function(xhr, ajaxOptions, error, another){
    if(xhr.status == 401){
-      direct_to_site('obtain_user_token');
+      redirect_to('obtain_token');
    }else if(xhr.status == 0){
      QMobile.connection_problem();
    }
  }
 });
-var Qstorage = sessionStorage;
 $(function(){
-  $locale = QMobile.locale();
-  if(Qstorage.message){
+  $locale = Qstorage.getItem('locale') || 'en';
+  if(Qstorage.getItem('message')){
    var container = $('.alert-success');
-    container.find('div').text($translations[$locale]['messages'][Qstorage.message]);
+    container.find('div').text($translations[$locale]['messages'][Qstorage.getItem('message')]);
    container.show();
    Qstorage.removeItem('message');
  }
-  if(Qstorage.list_closed){
+  if(Qstorage.getItem('list_closed')){
    var container = $('.alert-error');
    container.find('div').text($translations[$locale]['messages']['the_list_has_been_closed']);
    container.show();
@@ -178,7 +177,7 @@ $(function(){
  setTranslations();
 });
 function setLocale(locale){
-  QMobile.setLocale(locale);
+  Qstorage.setItem('locale', locale);
  $locale = locale;
  setTranslations();
 }
@@ -1,5 +1,5 @@
-authentication_string = QMobile.authentication_string()
-authentication_object = $.parseJSON(QMobile.authentication_object())
+#authentication_string = QMobile.authentication_string()
+#authentication_object = $.parseJSON(QMobile.authentication_object())
 class Quser
  format_date: (utc) ->
    formatted = ''
@@ -9,7 +9,9 @@ class Quser
    formatted
  watch_events: ->
    faye = new Faye.Client(event_host)
-    faye.subscribe "/user/"+QMobile.user_id(), (e)=>
+    user_id = Qstorage.getItem('user_id')
+    return unless user_id && user_id.length > 0
+    faye.subscribe "/user/"+user_id, (e)=>
      if(e.event == 'list_closed')
        #redirect_to 'user_root', {list_closed: 'true'}
        redirect_to 'history_list', {list_id: e.data.id, list_closed: true}
@@ -39,23 +41,49 @@ class Quser
        $('.list-total-amount').html(currency(e.data.total_amount))
      console.log(e)
    false
-  home_loader: ->
-    $.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) => @handle_active_list_default_actions(res))
-  handle_active_list: (callback) ->
-    $.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) =>
-      if(res.ok == false && res.status && res.status == 401)
-        direct_to_site('obtain_user_token') 
-      else if !res.list_active
-        redirect_to 'user_root', {list_closed: 'true'}
-        return
-      window.active_list = res
-      callback.call() if callback
-      @handle_active_list_default_actions(res)
+  reset_user: ->
+    Qstorage.removeItem('auth_token')
+    Qstorage.removeItem('user_id')
+  authenticate_user: ->
+    email = $('#user-email')
+    password = $('#user-password')
+    return unless email.length && password.length
+    return email.focus() unless email.val() && email.val().length > 0
+    return password.focus() unless password.val() && password.val().length > 0
+    $.post(data_host + '/user/obtain_token.json', {"user[email]": email.val(), "user[password]": password.val()}, (res)=>
+      if res.auth_token
+        Qstorage.setItem('auth_token', res.auth_token)
+        Qstorage.setItem('user_id', res.user_id)
+        redirect_to 'user_root'
+      else
+        $('.user-alert').html(t('obtain_token.invalid_combination')).show()
    )
+
+    false
+  ensure_token: (callback)->
+    redirect_to('obtain_token') unless Qstorage.getItem('auth_token') && typeof(Qstorage.getItem('auth_token')) == 'string' && Qstorage.getItem('auth_token').length > 0
+    @authentication_string = 'auth_token='+Qstorage.getItem('auth_token')
+    @authentication_object = {auth_token: Qstorage.getItem('auth_token')}
+    callback.call() if callback
+  home_loader: ->
+    @ensure_token =>
+      $.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) => @handle_active_list_default_actions(res))
+  handle_active_list: (callback) ->
+    @ensure_token =>
+      $.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) =>
+        if(res.ok == false && res.status && res.status == 401)
+          redirect_to('obtain_token') 
+        else if !res.list_active
+          redirect_to 'user_root', {list_closed: 'true'}
+          return
+        window.active_list = res
+        callback.call() if callback
+        @handle_active_list_default_actions(res)
+      )
  handle_active_list_default_actions: (response)->
    response ||= {}
    if(response.ok == false && response.status && response.status == 401)
-      direct_to_site('obtain_user_token')
+      redirect_to('obtain_token')
      return
    
    $('.table-number').text(response.table_number) if response.table_number
@@ -163,41 +191,46 @@ class Quser
    return unless window.active_list && !window.active_list.needs_payment
    $.post(data_host + '/user/list_needs_payment.json', authentication_object, (res) => window.active_list = res; window.Quser.list_needs_payment_default_action(res))
  load_active_list: () ->
-    $.getJSON(data_host + '/user/active_list.json?'+authentication_string, (res) =>
-      window.active_list = res if res._id
-      unless res.list_active
-        redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true}
-        return
-      @handle_active_list_default_actions(res)
-      body = $('#active-list-table tbody')
-      foot = $('#active-list-table tfoot')
-      @build_list_table(body, foot, res)
-    )
+    @ensure_token =>
+      $.getJSON(data_host + '/user/active_list.json?'+@authentication_string, (res) =>
+        if(res.ok == false && res.status && res.status == 401)
+          redirect_to('obtain_token') 
+        window.active_list = res if res._id
+        unless res.list_active
+          redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true}
+          return
+        @handle_active_list_default_actions(res)
+        body = $('#active-list-table tbody')
+        foot = $('#active-list-table tfoot')
+        @build_list_table(body, foot, res)
+      )
  load_history_list: () ->
    return unless list_id = Qstorage.list_id
-    $.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ authentication_string, (res) =>
-      body = $('#history-list-table tbody')
-      foot = $('#history-list-table tfoot')
-      @build_list_table(body, foot, res)
-      $('.list-created-at').text(@format_date(res.created_at))
-      $('.list-closed-at').text(@format_date(res.closed_at))
-      $('.supplier-name').text(res.supplier_name)
-    )
+    @ensure_token =>
+      $.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ @authentication_string, (res) =>
+        body = $('#history-list-table tbody')
+        foot = $('#history-list-table tfoot')
+        @build_list_table(body, foot, res)
+        $('.list-created-at').text(@format_date(res.created_at))
+        $('.list-closed-at').text(@format_date(res.closed_at))
+        $('.supplier-name').text(res.supplier_name)
+      )
  load_list_history: ->
-    page = Qstorage.page || 1
-    page = parseInt(page)
-    $.getJSON(data_host + '/user/list_history.json?'+authentication_string+'&page='+page, (res) =>
-      @paginate(res, @load_list_history)
-      container = $('#list-history-container').html('')
-      for list in res.lists
-        li = $('<li></li>').appendTo(container)
-        link = $('<a href="#"></a>').appendTo(li)
-        link.click(-> redirect_to 'history_list', list_id: list._id)
-        txt = list.supplier_name
-        txt += ' - '
-        txt += @format_date(list.created_at)
-        link.text(txt)
-    )
+    @ensure_token =>
+      page = Qstorage.getItem('page') || 1
+      page = parseInt(page)
+      $.getJSON(data_host + '/user/list_history.json?'+@authentication_string+'&page='+page, (res) =>
+        @paginate(res, @load_list_history)
+        container = $('#list-history-container').html('')
+        for list in res.lists
+          li = $('<li></li>').appendTo(container)
+          link = $('<a href="#"></a>').appendTo(li)
+          link.click(-> redirect_to 'history_list', list_id: list._id)
+          txt = list.supplier_name
+          txt += ' - '
+          txt += @format_date(list.created_at)
+          link.text(txt)
+      )
  paginate: (wrapper, callback) ->
    container = $('nav.pagination')
    container.html('')
@@ -235,12 +268,13 @@ class Quser
    $('.list-total-amount').html(currency(m_obj.total_amount))

  order_selected_products: ()->
-    return if $.isEmptyObject(window.active_products_list)
-    h = {}
-    h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id')
-    for product_id, number of window.active_products_list
-      h['products['+product_id+']'] = number
-    $.post(data_host + '/user/order_selected_products', $.extend(h, authentication_object), ((res) => @handle_response(res)), 'json')
+    @ensure_token =>
+      return if $.isEmptyObject(window.active_products_list)
+      h = {}
+      h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id')
+      for product_id, number of window.active_products_list
+        h['products['+product_id+']'] = number
+      $.post(data_host + '/user/order_selected_products', $.extend(h, @authentication_object), ((res) => @handle_response(res)), 'json')
  handle_response: (res) ->
    if(typeof(res) == 'string')
      return unless res.length
@@ -268,10 +302,11 @@ class Quser
    Qupdate('#active-order-container')

  load_active_list_products: ->
-    @populate_products_table('/user/list_products.json?'+authentication_string)
+    @populate_products_table('/user/list_products.json?'+@authentication_string)
  load_table_products: ->
-    return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id
-    @populate_products_table('/user/list_products_for_table.json?'+authentication_string+'&table_id='+Qstorage.table_id)
+    @ensure_token =>
+      return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id
+      @populate_products_table('/user/list_products_for_table.json?'+@authentication_string+'&table_id='+Qstorage.table_id)
  populate_products_table: (src)->
    $.getJSON(data_host + src, (res) =>
      include_order_buttons = res.my_list || !res.table_occupied
@@ -317,7 +352,7 @@ class Quser
  actions_for_table: (table)->
    table = JSON.parse(table) if typeof(table) == 'string'
    Qstorage.table_id = table.table_id
-    $.getJSON(data_host + '/user/table_info.json?'+authentication_string+'&table_id='+table.table_id, (res)=>
+    $.getJSON(data_host + '/user/table_info.json?'+@authentication_string+'&table_id='+table.table_id, (res)=>
      if res.current_table_id
        if res.other_supplier
          redirect_to 'user_root', {message: 'table_is_from_other_supplier'}
@@ -337,7 +372,7 @@ class Quser
            ## Offer to move table
            Qwaiter.confirm(
              ok: ->
-                $.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, authentication_object), (res2)->
+                $.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, @authentication_object), (res2)->
                  if res2.occupied
                    redirect_to 'user_root', {message: 'move_table.cannot_move_to_occupied_tabe'}
                  else
@@ -371,7 +406,7 @@ class Quser
    cont.html('')
    cont.append $($('<img />').attr('src', "#{$asset_path}spinner.gif"))
    cont.append $($('<p>').html(t('join_request.waiting_for_confirmation')))
-    $.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, authentication_object))
+    $.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, @authentication_object))
    #setInterval('Quser.check_if_can_join_occupied_table("'+table_id+'")', 7500)
  add_product: (product_id, count) ->
    count ||= 1
@@ -1,6 +1,6 @@
 class UserController < ApplicationController
  before_filter :allow_mobile
-  before_filter :user_authentication #, except: :obtain_token
+  before_filter :user_authentication, except: :obtain_token
  layout 'phone'

  def user_authentication
@@ -19,12 +19,20 @@ class UserController < ApplicationController
    end
  end

-  def authenticate_user_wrapper!
-    authenticate_user! unless request.format.html?
-    authenticate_user! if params[:action] == 'obtain_token'
-  end
-
  def obtain_token
+    respond_to do |format|
+      format.html
+      format.json do
+        render json: json_response(ok: false, status: 401) and return unless params[:user].present? && params[:user][:email].present? && params[:user][:password].present?
+        user = User.find_by_email(params[:user][:email])
+        render json: json_response(ok: false, status: 401) and return unless user
+        render json: json_response(ok: false, status: 401) and return unless user.valid_password?(params[:user][:password])
+        user.ensure_authentication_token
+        sign_in user
+        render json: json_response(ok: true, auth_token: user.authentication_token, user_id: user.id)
+      end
+
+    end
  end

  alias :list :active_list
@@ -23,6 +23,7 @@ html lang="en"
        var event_host = '#{event_host}';
        var $locale = 'en';
        var $asset_path = '##assets_path##';
+        var Qstorage = localStorage;
    - else
      javascript:
        var QMobile, Qwaiter, Quser;
@@ -30,6 +31,7 @@ html lang="en"
        var event_host = '#{event_host}';
        var $locale = 'en';
        var $asset_path = '/assets/';
+        var Qstorage = localStorage;
        #{Rails.env.production? ? '' : "data_host = 'http://qwaiter.dev';"}
        //var data_host = 'http://localhost:3000';
        QMobile || (QMobile = {
@@ -54,7 +56,6 @@ html lang="en"
          user_id: function(){return this.stored_user_id },
          log: function(str){console.log(str)}
        });
-        QMobile.setAuthToken('#{current_user.authentication_token}');QMobile.setUserId('#{current_user.id}');

  body class=action_name
    - unless ENV['QWAITER_MOBILE_EXPORT'] == 'yes'
@@ -82,8 +83,8 @@ html lang="en"
          .span12
            = yield
    = javascript_include_tag "user/application"
-    script#alert-template[type="text/html"]= render 'user/alert.mustache'
-    script#join-request-template[type="text/html"]= render 'user/join_request.mustache'
+    script#alert-template[type="text/html"]= mustache_template 'user/alert'
+    script#join-request-template[type="text/html"]= mustache_template 'user/join_request'
    = yield :footer
    javascript:
      jQuery(function(){#{onload_javascript}});
@@ -18,12 +18,4 @@
 script#products-category-template[type="text/html"]= mustache_template 'products_category'
 script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
 script#active-order-template[type="text/html"]= mustache_template 'active_order'
- content_for :footer do
-  javascript:
-    jQuery(function(){
-      Quser.handle_active_list(function(){
-        Quser.load_active_list_products();
-        Quser.watch_events();
-      })
-    })
-  
+- onload_javascript 'Quser.handle_active_list(function(){Quser.load_active_list_products();Quser.watch_events()})'
@@ -8,13 +8,7 @@
      tr
        td= slider_image
  #active-order-container
-script#products-category-template[type="text/html"]= render 'products_category.mustache'
-script#products-category-for-order-template[type="text/html"]= render 'products_category_for_order.mustache'
-script#active-order-template[type="text/html"]= render 'active_order.mustache'
- content_for :footer do
-  javascript:
-    jQuery(function(){
-      Quser.load_table_products();
-      QMobile.activateRotation();
-    })
-  
+script#products-category-template[type="text/html"]= mustache_template 'products_category'
+script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
+script#active-order-template[type="text/html"]= mustache_template 'active_order'
+- onload_javascript 'Quser.load_table_products()'
@@ -1,5 +1,17 @@
- content_for :footer do
-  javascript:
-    QMobile.setAuthToken('#{current_user.authentication_token}');
-    QMobile.setUserId('#{current_user.id}');
-    QMobile.goHome();
+= top_bar title: 'obtain_token.title' do
+  span
+ 
+.well
+  .alert.alert-warming.user-alert.hide
+  form.form-horizontal
+    .control-group
+      label.control-label data-t='attributes.user.email' Email
+      .controls
+        input#user-email.email type="email" placeholder="Email"
+    .control-group
+      label.control-label data-t='attributes.user.password' Password
+      .controls
+        input#user-password.password type="password" placeholder="Password"
+    .control-group
+      .controls
+        button.btn.btn-primary data-t="obtain_token.obtain" onclick="Quser.authenticate_user(); return false"