Remember the user only if the remember token has not expired.

2026-04-28 03:00:29 -04:00 · 2009-10-22 09:09:34 -02:00
parent bbca9e830e
commit 5631b8dacd
5 changed files with 112 additions and 11 deletions
--- a/lib/devise/migrations.rb
+++ b/lib/devise/migrations.rb
@@ -40,11 +40,11 @@ module Devise
      string :reset_password_token, :limit => 20
    end

-    # Creates remember_token and remember_expires_at.
+    # Creates remember_token and remember_created_at.
    #
    def rememberable
      string   :remember_token, :limit => 20
-      datetime :remember_expires_at
+      datetime :remember_created_at
    end

  end
--- a/lib/devise/models/rememberable.rb
+++ b/lib/devise/models/rememberable.rb
@@ -22,6 +22,7 @@ module Devise
    #   # lookup the user based on the incoming cookie information
    #   User.serialize_from_cookie(cookie_string)
    module Rememberable
+      Devise.model_config(self, :remember_for, 0)

      def self.included(base)
        base.class_eval do
@@ -36,6 +37,7 @@ module Devise
      # Generate a new remember token and save the record without validations.
      def remember_me!
        self.remember_token = friendly_token
+        self.remember_created_at = Time.now
        save(false)
      end

@@ -44,27 +46,38 @@ module Devise
      def forget_me!
        if remember_token?
          self.remember_token = nil
+          self.remember_created_at = nil
          save(false)
        end
      end

      # Checks whether the incoming token matches or not with the record token.
      def valid_remember_token?(token)
-        remember_token.present? && remember_token == token
+        !remember_expired? && remember_token == token
+      end
+
+      # Remember token should be expired if expiration time not overpass now.
+      def remember_expired?
+        !remember_token? || remember_expires_at <= Time.now.utc
+      end
+
+      # Remember token expires at created time + remember_for configuration
+      def remember_expires_at
+        remember_created_at + remember_for
      end

      module ClassMethods

        # Create the cookie key using the record id and remember_token
-        def serialize_into_cookie(record)
-          "#{record.id}::#{record.remember_token}"
+        def serialize_into_cookie(rememberable)
+          "#{rememberable.id}::#{rememberable.remember_token}"
        end

        # Recreate the user based on the stored cookie
        def serialize_from_cookie(cookie)
-          record_id, remember_token = cookie.split('::')
-          record = find_by_id(record_id)
-          record if record.try(:valid_remember_token?, remember_token)
+          rememberable_id, remember_token = cookie.split('::')
+          rememberable = find_by_id(rememberable_id) if rememberable_id
+          rememberable if rememberable.try(:valid_remember_token?, remember_token)
        end

      end