update security handling for user namespace

app/controllers/user_controller.rb

@@ -1,14 +1,30 @@
 class UserController < ApplicationController
-  before_filter :allow_mobile, :authenticate_user!
+  before_filter :allow_mobile
+  before_filter :user_authentication #, except: :obtain_token
   layout 'phone'
 
+  def user_authentication
+    if params[:auth_token].present?
+      user = User.find_by_authentication_token(params[:auth_token])
+      sign_in user if user
+      sign_out current_user if current_user && !user # Other token attempt of logged in user
+    else
+      authenticate_user!
+    end
+    unless current_user.present?
+      respond_to do |format|
+        format.html {redirect_to new_user_session_path}
+        format.json {render json: json_response(ok: false, status: 401)}
+      end
+    end
+  end
+
   def authenticate_user_wrapper!
     authenticate_user! unless request.format.html?
     authenticate_user! if params[:action] == 'obtain_token'
   end
 
   def obtain_token
-
   end
 
   alias :list :active_list
@@ -178,14 +194,14 @@ class UserController < ApplicationController
         if list.present?
           if !list.try(:active?)
             current_user.list_is_closed!
-            render json: {list_active: false}
+            render json: json_response(list_active: false)
             return
           else
             list_obj = list.as_json.merge(list_active: list.active? ).merge(list.join_requests_as_json)
-            render json: list_obj
+            render json: json_response(list_obj)
           end
         else
-          render json: {not_present: true}
+          render json: json_response(not_present: true)
         end
       end
     end
@@ -292,4 +308,9 @@ class UserController < ApplicationController
     flash.now[:notice] = t('messages.the_list_has_been_closed', list: List.model_name.human) if params[:list_closed].present?
     flash.now[:notice] = t("messages.#{params[:message]}", list: List.model_name.human, supplier: Supplier.model_name.human) if params[:message].present? && params[:message] =~ /^\w+$/
   end
+
+  def json_response(obj = {})
+    obj[:ok] = true unless obj.has_key?(:ok)
+    obj
+  end
 end