has_many :codes

Manage active sessions in Rails

Published  

In an app I’m working on, I wanted users to be able to manage active sessions and sign out from any device they are signed in on, by invalidating logins. There’s a gem called authie that does this so you may want to check it out; here I’ll show a very simple implementation I went with which works well enough for me. The goal is to:

  • create a login whenever a user signs in, with IP address, user agent and a unique device ID;
  • at each request, check whether a login exists for the given user/device ID combination and if it doesn’t, force sign in;
  • update the login at each authenticated request just in case the IP address (thus the location) changes while a session is active (optional);
  • delete the login when the user signs out from the device;
  • list all the active logins in the user’s account page with browser/OS info, IP address, and approximate location (city & country);
  • allow the user to delete any of those logins to sign out from the respective device.

I like doing authentication from scratch (see this Railscast) so that’s what I am using here but if you use something like Devise instead, it won’t be very different.

Manage active sessions in Rails

The first thing we need for this simple implementation is to generate a Login model:

rails g model Login user:belongs_to ip_address user_agent device_id:index

The Login model will be basically empty as it will only do persistence:

class Login < ApplicationRecord
  belongs_to :user
end

Then in the create action of my SessionsController I have something like this:

def create
  @sign_in_form = SignInForm.new

  if user = @sign_in_form.submit(params[:sign_in_form])
    device_id = SecureRandom.uuid

    if params[:sign_in_form][:remember_me]
      cookies.permanent[:auth_token] = user.auth_token
      cookies.permanent[:device_id] = device_id
    else
      cookies[:auth_token] = user.auth_token
      cookies[:device_id] = device_id
    end

    user.logins.create!(ip_address: request.remote_ip,
                        user_agent: request.user_agent,
                        device_id: device_id)

    redirect_to ...
  else
    redirect_to sign_in_path, alert: "Invalid email or password."
  end
end

So each time a user successfully signs in from a device we create a login with a unique device ID.

In the ApplicationController, I have:

def current_user
  @current_user ||= begin
    if cookies[:auth_token].present? and cookies[:device_id].present?
      if user = User.find_by(auth_token: cookies[:auth_token])
        if login = user.logins.find_by(device_id: cookies[:device_id])
          # optional
          login.update!(ip_address: request.remote_ip, user_agent: request.user_agent, updated_at: Time.now.utc)
          user
        end
      end
    end
  end
end
helper_method :current_user

def authenticate
  redirect_to sign_in_path unless current_user
end

I didn’t bother here but perhaps you can prettify the current_user method. So, in order to assume the user is successfully authenticated for the request, we expect:

  • both the auth_token and device_id cookies to be present;
  • the auth_token to be associated with an existing user;
  • a login to exist for the user with the device_id stored in the cookies;

otherwise we redirect the user to the sign in page.

Finally, in the SessionsController I have a destroy action which deletes both the login and the cookies from the browser:

def destroy
  current_user.logins.find_by(device_id: cookies[:device_id]).destroy
  cookies.delete(:auth_token)
  cookies.delete(:device_id)
  flash.now[:notice] = "Successfully signed out."
  redirect_to sign_in_path
end

Remember to add a route for the destroy action, e.g.:

resources :logins, only: [:destroy]

Next, we want to list the active logins for the user in their account page so that they can sign out from any of those devices. So that the user can easily tell logins apart I am using:

  • the device_detector gem to identify browser and operating system;
  • the Maxmind GeoIP2 API with the geoip2 gem to geolocate IP addresses so we can display the approximate location for each login. This is just one of many ways you can geolocate IP addresses; I am using Maxmind for other things too so using the Maxmind API works fine for me but you may want to use a different service or a local database (for performance). Also see the geocoder gem for another option.

In the LoginsHelper I have:

module LoginsHelper
  def device_description(user_agent)
    device = DeviceDetector.new(user_agent)
    "#{ device.name } #{ device.full_version } on #{ device.os_name } #{ device.os_full_version }"
  end

  def device_location(ip_address)
    if ip = Ip.find_by(address: ip_address)
      "#{ ip.city }, #{ ip.country }"
    else
      location = Geoip2.city(ip_address)
      if location.error
        Ip.create!(address: ip_address, city: "Unknown", country: "Unknown")
        "Unknown"
      else
        Ip.create!(address: ip_address, city: location.city.names[:en],
                   country: location.country.names[:en])
                   "#{ location.city.names[:en] }, #{ location.country.names[:en] }"
      end
    end
  end
end

I am leaving these methods in the helper but you may want to move them into a class or something. device_description, as you can see, shows the browser/OS info, for example for my Chrome on Gentoo it shows Chrome 52.0.2743.116 on GNU/Linux; then device_location shows city and country like Espoo, Finland if the IP address is in the Maxmind database. If the IP address is invalid or it is something like 127.0.0.1 or a private IP address, the Maxmind API will return an error so we’ll just show “Unknown” instead. This is an example, you may want to avoid the API call (if using an API) when the IP is a private IP address; another optimisation could be performing the geolocation asynchronously with a background job when the user signs in, instead of performing it while rendering the view. Also, you can see another model here, Ip. This is a simple way to cache IP addresses with their locations so we don’t have to make the same API request twice for a given IP address. So next we need to generate this model:

rails g model Ip address:index country city

Again, I am showing here an example, you may want to move the geolocation logic to the Ip model or to a separate class, up to you.

We can now add something like the following to the user’s account page:

<h2>Active sessions</h2>
These are the devices currently signed in to your account:
<table id="logins">
  <thead>
    <tr>
      <th>Device</th>
      <th>IP Address</th>
      <th>Approximate location</th>
      <th>Most recent activity</th>
      <th></th>
    </tr>
  </thead>
  <tbody>
    <%= render @logins %>
  </tbody>
</table>

where @logins is assigned in the controller:

@logins = current_user.logins.order(updated_at: :desc)

The _login.html.erb partial contains:

<tr id="<%= dom_id(login) %>" class="login">
  <td><%= device_description(login.user_agent) %></td>
  <td><%= login.ip_address %></td>
  <td><%= device_location(login.ip_address) %></td>
  <td><%= time_ago_in_words(login.updated_at) %></td>
  <td>
    <% if login.device_id == cookies[:device_id] %>
      (Current session)
    <% else %>
      <%= link_to "<i class='fa fa-remove'></i>".html_safe, login_path(login), method: :delete, remote: true, title: "Sign out", data: { confirm: "Are you sure you want to sign out from this device?" } %>
    <% end %>
  </td>
</li>

Besides browser/OS/IP/location we also show an X button to sign out from devices unless it’s the current session. It looks like this:

Finally, a little CoffeeScript view to actually delete the login when clicking on the X:

$("#login_<%= @login.id %>").hide ->
$(@).remove()

and the destroy action:

class LoginsController < ApplicationController
  def destroy
    current_user.logins.find(params[:id]).destroy
  end
end

That’s it! Now if the user removes any of the logins from the list, the respective device will be signed out.

© Vito Botta