From a29809f3bcdf4bb37d2d543ccb6f432f51a4512f Mon Sep 17 00:00:00 2001
From: Jeremy Friesen
Date: Wed, 13 Sep 2023 12:43:15 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=8E=81=20Ensure=20non-admin=20user=20frie?=
 =?UTF-8?q?ndly=20routing=20for=20SSO?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We are trying to serve two types of users:

- Admins
- Not-admins

Given that admins are a small subset, we can train and document how they can sign in. In other words, favor workflows that impact the less trained folk to help them accomplish their tasks.

Prior to this commit, given the site had an SSO provider, when I (an unauthenticated user) went to a private work, then it would redirect me to the `/user/sign_in` route. At that route I had the following options:

1. Providing a username and password
2. Selecting one of the SSO providers to use for sign-in.

The problem with this behavior was that a user who was given a Controlled Digital Lending (CDL) URL would see a username/password and likely attempt to authenticate with their CDL username/password (which was managed by the SSO provider).

The end result is that the authentication page most likely would create confusion.

With this commit, I'm setting things up such that when the application calls `new_user_session_path` we make a decision on what URL to resolve.

Related to:

- https://github.com/scientist-softserv/palni-palci/pull/766
- https://github.com/scientist-softserv/palni-palci/pull/647
- https://github.com/scientist-softserv/palni-palci/issues/633
---
 app/controllers/application_controller.rb | 47 +++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c450f6d85..a97f24951 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -185,4 +185,51 @@ def guest_email_authentication_key key key &&= nil unless key.to_s.match(/^guest/) key ||= "guest_" + SecureRandom.uuid + "@example.com" end + + ## + # OVERRIDE Hyrax::Controller#deny_access_for_anonymous_user + # + # We are trying to serve two types of users: + # + # - Admins + # - Not-admins + # + # Given that admins are a small subset, we can train and document how they can sign in. In other + # words, favor workflows that impact the less trained folk to help them accomplish their tasks. + # + # Without this change, given the site had an SSO provider, when I (an unauthenticated user) went + # to a private work, then it would redirect me to the `/user/sign_in` route. + # + # At that route I had the following option: + # + # 1. Providing a username and password + # 2. Selecting one of the SSO providers to use for sign-in. + # + # The problem with this behavior was that a user who was given a Controlled Digital Lending (CDL) + # URL would see a username/password and likely attempt to authenticate with their CDL + # username/password (which was managed by the SSO provider). + # + # The end result is that the authentication page most likely would create confusion. + # + # With this function change, I'm setting things up such that when the application uses calls + # `new_user_session_path` we make a decision on what URL to resolve. + def deny_access_for_anonymous_user(exception, json_message) + session['user_return_to'] = request.url + respond_to do |wants| + wants.html do + # See ./app/views/single_signon/index.html.erb for our 1 provider logic. + path = case IdentityProvider.count + when 1 + ip = IdentityProvider.first + omniauth_authorize_path(:user, ip.provider, ip.id) + when 0 + main_app.new_user_session_path + else + main_app.single_signon_index_path + end + redirect_to path, alert: exception.message + end + wants.json { render_json_response(response_type: :unauthorized, message: json_message) } + end + end end
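Review bot: the `when 1` branch does `redirect_to omniauth_authorize_path(:user, ip.provider, ip.id)`, which sends the browser to the OmniAuth request phase with a GET. If this app is on OmniAuth 2.x, that path only accepts POST by default (`OmniAuth.config.allowed_request_methods` is `[:post]` since the CSRF fix), so the redirect will 404 or hit the failure endpoint unless `:get` has been re-enabled, and re-enabling it also drops the authenticity-token check that the POST-only default exists to enforce. Please confirm how `./app/views/single_signon/index.html.erb` reaches a provider (a POST form, presumably) and use the same mechanism for the single-provider case, for example by redirecting to `main_app.single_signon_index_path` here as well and letting that view submit, rather than hard-coding an unprotected GET. Two smaller points in the same hunk: `session['user_return_to'] = request.url` stores the absolute URL, including whatever `Host` header the request carried, and is written for JSON requests too, whereas Devise's `store_location_for` uses `request.fullpath` and only for GET navigational requests; prefer `store_location_for(:user, request.fullpath) if request.get?` (or at least `request.fullpath`) so the post-login redirect stays on-site. And the doc comment says the decision happens "when the application uses calls `new_user_session_path`", but the override is on `deny_access_for_anonymous_user`; any other caller of `new_user_session_path` (the header sign-in link, for instance) still lands on the username/password form, so either reword the comment or move the provider-selection logic into a helper shared with the view and those call sites, which would also stop the `IdentityProvider.count` / `IdentityProvider.first` pair from issuing two queries per denied request.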