We already have 3 authentication schemes — password, Google OAuth, and Http Header — and all of these are stored in the user model. However, I want to add API authentication (Http Bearer token) and auth for multiple Google tools (gmail, google calendar, and google tasks).
This PR refactors the authentication code. The main things it does are:
- Better organize the Authenticate module so it's broken up by auth type
- Rather than simply storing a user_id in the session to consider someone logged in, I introduced a Client model which corresponds with each browser. I didn't call it Browser because we'll eventually consider iOS and Android app installs to be clients and very soon we'll create a client for API access
- Add a Credential model which is STI and move the existing auth to PasswordCredential, GoogleCredential, and HttpHeaderCredential
- Add an Authentication model. When credentials are verified an authentication is created for the current client, linking it to the credentials which were just used. A client can be forced to logout from the server by deleting its authentication.
- I went ahead and added a GmailCredential to ensure the architecture works well. I will follow up with a separate PR to add the APICredential
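The Client / Credential / Authentication structure described above, as an added plain-Ruby sketch (not the project's ActiveRecord code): two of the STI credential types are modelled as subclasses, verifying a credential creates an Authentication for the client, and deleting that Authentication is the server-side forced logout. The in-memory AuthStore and the salted-SHA-256 password check are assumptions made so the sketch runs without a database.

```ruby
require 'securerandom'
require 'digest'
# Illustrative plain-Ruby sketch, not the project's ActiveRecord code: a Client per browser, one
# Credential subclass per scheme (the STI types), and an Authentication tying a verified credential
# to a client. Deleting the Authentication logs that client out server-side.
Client = Struct.new(:id, :label)
Credential = Struct.new(:user_id)
Authentication = Struct.new(:id, :client_id, :credential)
class PasswordCredential < Credential
  def initialize(user_id, password)
    super(user_id)
    @salt = SecureRandom.hex(16)
    @digest = digest_for(password)
  end
  # Salted SHA-256 keeps the sketch dependency-free; production code would use bcrypt/argon2.
  def verify(presented)
    digest_for(presented) == @digest
  end
  def digest_for(password)
    Digest::SHA256.hexdigest("#{@salt}:#{password}")
  end
end
class HttpHeaderCredential < Credential
  def initialize(user_id, expected_header) # identity header a trusted upstream proxy injects
    super(user_id)
    @expected_header = expected_header
  end
  def verify(presented)
    presented == @expected_header
  end
end
class AuthStore
  def initialize
    @authentications = {} # id => Authentication; stands in for the authentications table
  end
  # Verifying credentials creates an Authentication for the current client; failure creates nothing.
  def authenticate(client, credential, presented)
    return nil unless credential.verify(presented)
    auth = Authentication.new(SecureRandom.uuid, client.id, credential)
    @authentications[auth.id] = auth
  end
  # "Logged in" means an Authentication exists for the client, not a user_id in the session.
  def current_user_id(client)
    @authentications.values.find { |a| a.client_id == client.id }&.credential&.user_id
  end
  def force_logout(client)
    @authentications.delete_if { |_, a| a.client_id == client.id }
  end
end
```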