impress/app/controllers/application_controller.rb

require 'async'
require 'async/container'
require 'ipaddr'

class ApplicationController < ActionController::Base
  include FragmentLocalization
  
  protect_from_forgery

  helper_method :current_user, :user_signed_in?
  
  before_action :set_locale

  before_action :configure_permitted_parameters, if: :devise_controller?
  before_action :save_return_to_path,
    if: ->(c) { c.controller_name == 'sessions' && c.action_name == 'new' }

  # Enable profiling tools if logged in as admin.
  before_action do
    if current_user && current_user.admin?
      Rack::MiniProfiler.authorize_request
    end
  end

  class AccessDenied < StandardError; end
  rescue_from AccessDenied, with: :on_access_denied
  rescue_from Async::Stop, Async::Container::Terminate,
    with: :on_request_stopped

  def authenticate_user!
    redirect_to(new_auth_user_session_path) unless user_signed_in?
  end

  def authorize_user!
    raise AccessDenied unless user_signed_in? && current_user.id == params[:user_id].to_i
  end

  def current_user
    if auth_user_signed_in?
      User.where(remote_id: current_auth_user.id).first
    else
      nil
    end
  end

  def user_signed_in?
    auth_user_signed_in?
  end
  
  def infer_locale
    return params[:locale] if valid_locale?(params[:locale])
    return cookies[:locale] if valid_locale?(cookies[:locale])
    Rails.logger.debug "Preferred languages: #{http_accept_language.user_preferred_languages}"
    http_accept_language.language_region_compatible_from(I18n.public_locales.map(&:to_s)) ||
      I18n.default_locale
  end
  
  def not_found(record_name='record')
    raise ActionController::RoutingError.new("#{record_name} not found")
  end

  def on_access_denied
    render file: 'public/403.html', layout: false, status: :forbidden
  end

  def on_request_stopped
    render file: 'public/stopped.html', layout: false,
      status: :internal_server_error
  end

  def redirect_back!(default=:back)
    redirect_to(params[:return_to] || default)
  end
  
  def set_locale
    I18n.locale = infer_locale || I18n.default_locale
  end
  
  def valid_locale?(locale)
    locale && I18n.usable_locales.include?(locale.to_sym)
  end

  def configure_permitted_parameters
    # Devise will automatically permit the authentication key (username) and
    # the password, but we need to let the email field through ourselves.
    devise_parameter_sanitizer.permit(:sign_up, keys: [:email])
    devise_parameter_sanitizer.permit(:account_update, keys: [:email])
  end

  def save_return_to_path
    if params[:return_to]
      Rails.logger.debug "Saving return_to path: #{params[:return_to].inspect}"
      session[:devise_return_to] = params[:return_to]
    end
  end

  def after_sign_in_path_for(user)
    return_to = session.delete(:devise_return_to)
    Rails.logger.debug "Using return_to path: #{return_to.inspect}"
    return_to || root_path
  end

  def after_sign_out_path_for(user)
    return_to = params[:return_to]
    Rails.logger.debug "Using return_to path: #{return_to.inspect}"
    return_to || root_path
  end
end
Add handlers for requests that were stopped during the reboot process According to our GlitchTip error tracker, every time we deploy, a couple instances of `Async::Stop` and `Async::Container::Terminate` come in, presumably because: 1. systemd sends a STOP signal to the `falcon host` process. 2. `falcon host` gives the in-progress requests some time to finish up 3. Sometimes some requests take too long, and so something happens. (either a timer in Falcon or a KILL signal from systemd, not sure!) that leads the ongoing requests to finally be terminated by raising an `Async::Stop` or `Async::Container::Terminate`. (I'm not sure when each happens, and maybe they happen at different points in the process? Maybe one happens for the actual long-running ones, vs the other happens if more requests come in during the meantime but get caught in the spin-down process?) 4. Rails bubbles up the errors, our Sentry library notices them and sends them to GlitchTip, the user presumably receives the generic 500 error, and the app can finally close down gracefully. It's hard for me to validate that this is exactly what's happening here or that my mitigation makes sense, but my logic here is basically, if these exceptions are bubbling up as "uncaught exceptions" and spamming up our error log, then the best solution would be to catch them! So in this change, we add an error handler for these two error classes, which hopefully will 1) give users a better experience when this happens, and 2) no longer send these errors to our logging 🤞❗️ That strange phenomenon where the best way to get a noisy bug out of your logs is to fix it lmao 2024-02-28 13:50:13 -08:00			`require 'async'`
			`require 'async/container'`
allow pet data submissions from private-block IPs, not just 127.0.0.1 2015-07-17 22:04:53 -07:00			`require 'ipaddr'`

rails 3 2010-05-14 15:12:31 -07:00			`class ApplicationController < ActionController::Base`
i18n for outfits#new (and layouts#application), including caching 2012-12-29 22:46:36 -08:00			`include FragmentLocalization`

rails 3 2010-05-14 15:12:31 -07:00			`protect_from_forgery`
image mode 2011-06-27 12:33:34 -07:00
Remove old OpenNeo ID auth code This removes login/logout/session logic for integrating with OpenNeo ID, replacing them with stubs that just redirect to `/?TODO` when you click login, and helpers that act as if you're not logged in. This gives us a clean slate to plug in new Devise logic to integrate with the `openneo_id` database directly! 2023-08-03 17:40:52 -07:00			`helper_method :current_user, :user_signed_in?`
i18n for outfits#new (and layouts#application), including caching 2012-12-29 22:46:36 -08:00
Upgrade to Rails 5.2.8.1 Some important little upgrades but mostly straightforward! Note that there's still a known issue where item searches crash, I was hoping that this was a bug in Rails 4.2 that would be fixed on upgading to 5, but nope, oh well! Also uhh I just got a bit silly and didn't actually mean to go all the way to 5.2 in one go, I had meant to start at 5.0… but tbh the 5.1 and 5.2 changes seem small, and this seems to be working, so. Yeah ok let's roll! 2023-08-02 16:05:02 -07:00			`before_action :set_locale`
image mode 2011-06-27 12:33:34 -07:00
Signup and settings page for OpenNeo ID accounts Hey nice!! Note that I removed an account delete button from the settings page. You can still send a DELETE request to the right endpoint to do it, but it's not gonna delete all the associated records, and I wanna think a bit about how to handle that better before exposing that button. 2023-08-06 17:26:56 -07:00			`before_action :configure_permitted_parameters, if: :devise_controller?`
Login/logout returns you to the same page In the login case, we save the `return_to` parameter in the session, because login can be a multi-step process. In the logout case, we just read it directly from the form params. Note that you could end up in a weird scenario where an old return_to value sticks around for a bit? But we have the sense to delete it when we use it on a successful sign-in, and most links to the login page come with a `return_to` param which should reset it. So, you'd have to 1) have started but not finished a sign-in, 2) during the same session, and 3) get to the login page by an unusual means. Probably fine! 2023-08-06 18:24:23 -07:00			`before_action :save_return_to_path,`
			`if: ->(c) { c.controller_name == 'sessions' && c.action_name == 'new' }`
Signup and settings page for OpenNeo ID accounts Hey nice!! Note that I removed an account delete button from the settings page. You can still send a DELETE request to the right endpoint to do it, but it's not gonna delete all the associated records, and I wanna think a bit about how to handle that better before exposing that button. 2023-08-06 17:26:56 -07:00
Add mini profiler to each page It shows up in development always, and if you're logged in as Me Specifically in production! I'm using this to poke at memory usage for pages that seem suspicious. I don't know why our app reliably grows so large in RAM, but my hunch is that maybe there are some pages that just use a truly large amount to begin with - and I've learned Ruby doesn't release memory back after it's GC'd, it just grows the process and keeps the free space to itself in its own heap! So I'm just eyeing pages that I know can have a lot going on, and seeing what I find! 2023-10-27 19:38:49 -07:00			`# Enable profiling tools if logged in as admin.`
			`before_action do`
			`if current_user && current_user.admin?`
			`Rack::MiniProfiler.authorize_request`
			`end`
			`end`

Add handlers for requests that were stopped during the reboot process According to our GlitchTip error tracker, every time we deploy, a couple instances of `Async::Stop` and `Async::Container::Terminate` come in, presumably because: 1. systemd sends a STOP signal to the `falcon host` process. 2. `falcon host` gives the in-progress requests some time to finish up 3. Sometimes some requests take too long, and so something happens. (either a timer in Falcon or a KILL signal from systemd, not sure!) that leads the ongoing requests to finally be terminated by raising an `Async::Stop` or `Async::Container::Terminate`. (I'm not sure when each happens, and maybe they happen at different points in the process? Maybe one happens for the actual long-running ones, vs the other happens if more requests come in during the meantime but get caught in the spin-down process?) 4. Rails bubbles up the errors, our Sentry library notices them and sends them to GlitchTip, the user presumably receives the generic 500 error, and the app can finally close down gracefully. It's hard for me to validate that this is exactly what's happening here or that my mitigation makes sense, but my logic here is basically, if these exceptions are bubbling up as "uncaught exceptions" and spamming up our error log, then the best solution would be to catch them! So in this change, we add an error handler for these two error classes, which hopefully will 1) give users a better experience when this happens, and 2) no longer send these errors to our logging 🤞❗️ That strange phenomenon where the best way to get a noisy bug out of your logs is to fix it lmao 2024-02-28 13:50:13 -08:00			`class AccessDenied < StandardError; end`
			`rescue_from AccessDenied, with: :on_access_denied`
			`rescue_from Async::Stop, Async::Container::Terminate,`
			`with: :on_request_stopped`

Remove old OpenNeo ID auth code This removes login/logout/session logic for integrating with OpenNeo ID, replacing them with stubs that just redirect to `/?TODO` when you click login, and helpers that act as if you're not logged in. This gives us a clean slate to plug in new Devise logic to integrate with the `openneo_id` database directly! 2023-08-03 17:40:52 -07:00			`def authenticate_user!`
Can log into OpenNeo ID accounts directly! A lot of rough edges here (e.g. no styles on the flash messages), but it's working and that's good!! I tested this by temporarily switching to the production database and logging in as matchu! Still missing a lot of big features too, like registration, password resets, settings page, etc. 2023-08-06 15:52:05 -07:00			`redirect_to(new_auth_user_session_path) unless user_signed_in?`
import closet page 2011-07-12 21:25:14 -07:00			`end`

first pass at closet lists, including form 2011-07-26 17:27:23 -07:00			`def authorize_user!`
			`raise AccessDenied unless user_signed_in? && current_user.id == params[:user_id].to_i`
			`end`

Remove old OpenNeo ID auth code This removes login/logout/session logic for integrating with OpenNeo ID, replacing them with stubs that just redirect to `/?TODO` when you click login, and helpers that act as if you're not logged in. This gives us a clean slate to plug in new Devise logic to integrate with the `openneo_id` database directly! 2023-08-03 17:40:52 -07:00			`def current_user`
Can log into OpenNeo ID accounts directly! A lot of rough edges here (e.g. no styles on the flash messages), but it's working and that's good!! I tested this by temporarily switching to the production database and logging in as matchu! Still missing a lot of big features too, like registration, password resets, settings page, etc. 2023-08-06 15:52:05 -07:00			`if auth_user_signed_in?`
			`User.where(remote_id: current_auth_user.id).first`
			`else`
			`nil`
			`end`
Remove old OpenNeo ID auth code This removes login/logout/session logic for integrating with OpenNeo ID, replacing them with stubs that just redirect to `/?TODO` when you click login, and helpers that act as if you're not logged in. This gives us a clean slate to plug in new Devise logic to integrate with the `openneo_id` database directly! 2023-08-03 17:40:52 -07:00			`end`

			`def user_signed_in?`
Can log into OpenNeo ID accounts directly! A lot of rough edges here (e.g. no styles on the flash messages), but it's working and that's good!! I tested this by temporarily switching to the production database and logging in as matchu! Still missing a lot of big features too, like registration, password resets, settings page, etc. 2023-08-06 15:52:05 -07:00			`auth_user_signed_in?`
image mode 2011-06-27 12:33:34 -07:00			`end`
create /start/:species_name/:color_name route 2012-06-05 09:44:11 -07:00
i18n for outfits#new (and layouts#application), including caching 2012-12-29 22:46:36 -08:00			`def infer_locale`
infer locale from params, then cookies, then Accept-Language header 2013-01-11 09:07:11 -08:00			`return params[:locale] if valid_locale?(params[:locale])`
			`return cookies[:locale] if valid_locale?(cookies[:locale])`
			`Rails.logger.debug "Preferred languages: #{http_accept_language.user_preferred_languages}"`
oops: only infer public locales from language header 2013-01-26 22:35:22 -08:00			`http_accept_language.language_region_compatible_from(I18n.public_locales.map(&:to_s)) \|\|`
infer locale from params, then cookies, then Accept-Language header 2013-01-11 09:07:11 -08:00			`I18n.default_locale`
i18n for outfits#new (and layouts#application), including caching 2012-12-29 22:46:36 -08:00			`end`

create /start/:species_name/:color_name route 2012-06-05 09:44:11 -07:00			`def not_found(record_name='record')`
			`raise ActionController::RoutingError.new("#{record_name} not found")`
			`end`
restructure backend of closet hanger quantity updates 2011-07-15 13:15:57 -07:00
			`def on_access_denied`
Fix AccessDenied error handler I don't think people see this very often visually, but it's showing up in our error logging! The Rails API changed here long ago and we didn't notice: to render public files, we should use the `file` argument instead of `template`. 2024-02-28 13:20:41 -08:00			`render file: 'public/403.html', layout: false, status: :forbidden`
restructure backend of closet hanger quantity updates 2011-07-15 13:15:57 -07:00			`end`
simplify closet hangers view, replace user_is?(@user) with !public_perspective? 2011-07-20 09:39:18 -07:00
Add handlers for requests that were stopped during the reboot process According to our GlitchTip error tracker, every time we deploy, a couple instances of `Async::Stop` and `Async::Container::Terminate` come in, presumably because: 1. systemd sends a STOP signal to the `falcon host` process. 2. `falcon host` gives the in-progress requests some time to finish up 3. Sometimes some requests take too long, and so something happens. (either a timer in Falcon or a KILL signal from systemd, not sure!) that leads the ongoing requests to finally be terminated by raising an `Async::Stop` or `Async::Container::Terminate`. (I'm not sure when each happens, and maybe they happen at different points in the process? Maybe one happens for the actual long-running ones, vs the other happens if more requests come in during the meantime but get caught in the spin-down process?) 4. Rails bubbles up the errors, our Sentry library notices them and sends them to GlitchTip, the user presumably receives the generic 500 error, and the app can finally close down gracefully. It's hard for me to validate that this is exactly what's happening here or that my mitigation makes sense, but my logic here is basically, if these exceptions are bubbling up as "uncaught exceptions" and spamming up our error log, then the best solution would be to catch them! So in this change, we add an error handler for these two error classes, which hopefully will 1) give users a better experience when this happens, and 2) no longer send these errors to our logging 🤞❗️ That strange phenomenon where the best way to get a noisy bug out of your logs is to fix it lmao 2024-02-28 13:50:13 -08:00			`def on_request_stopped`
			`render file: 'public/stopped.html', layout: false,`
			`status: :internal_server_error`
			`end`

neomail link on closets 2011-07-20 12:16:22 -07:00			`def redirect_back!(default=:back)`
			`redirect_to(params[:return_to] \|\| default)`
			`end`
i18n for outfits#new (and layouts#application), including caching 2012-12-29 22:46:36 -08:00
			`def set_locale`
			`I18n.locale = infer_locale \|\| I18n.default_locale`
			`end`
infer locale from params, then cookies, then Accept-Language header 2013-01-11 09:07:11 -08:00
			`def valid_locale?(locale)`
locale metadata, including hidden locales for item loading and selection 2013-01-17 20:16:34 -08:00			`locale && I18n.usable_locales.include?(locale.to_sym)`
infer locale from params, then cookies, then Accept-Language header 2013-01-11 09:07:11 -08:00			`end`
Signup and settings page for OpenNeo ID accounts Hey nice!! Note that I removed an account delete button from the settings page. You can still send a DELETE request to the right endpoint to do it, but it's not gonna delete all the associated records, and I wanna think a bit about how to handle that better before exposing that button. 2023-08-06 17:26:56 -07:00
			`def configure_permitted_parameters`
			`# Devise will automatically permit the authentication key (username) and`
			`# the password, but we need to let the email field through ourselves.`
			`devise_parameter_sanitizer.permit(:sign_up, keys: [:email])`
			`devise_parameter_sanitizer.permit(:account_update, keys: [:email])`
			`end`
Login/logout returns you to the same page In the login case, we save the `return_to` parameter in the session, because login can be a multi-step process. In the logout case, we just read it directly from the form params. Note that you could end up in a weird scenario where an old return_to value sticks around for a bit? But we have the sense to delete it when we use it on a successful sign-in, and most links to the login page come with a `return_to` param which should reset it. So, you'd have to 1) have started but not finished a sign-in, 2) during the same session, and 3) get to the login page by an unusual means. Probably fine! 2023-08-06 18:24:23 -07:00
			`def save_return_to_path`
			`if params[:return_to]`
			`Rails.logger.debug "Saving return_to path: #{params[:return_to].inspect}"`
			`session[:devise_return_to] = params[:return_to]`
			`end`
			`end`

			`def after_sign_in_path_for(user)`
			`return_to = session.delete(:devise_return_to)`
			`Rails.logger.debug "Using return_to path: #{return_to.inspect}"`
			`return_to \|\| root_path`
			`end`

			`def after_sign_out_path_for(user)`
			`return_to = params[:return_to]`
			`Rails.logger.debug "Using return_to path: #{return_to.inspect}"`
			`return_to \|\| root_path`
			`end`
rails 3 2010-05-14 15:12:31 -07:00			`end`
image mode 2011-06-27 12:33:34 -07:00