I'm writing a portal that will be open only to people who work at my company. I'm using the Devise framework to handle authentication, but there's a requirement that only employees should be able to sign up. HR will issue each employee a randomly generated access code, and then that employee will use his or her employee number and access code to gain initial access to the site. Once the user has been authenticated, functionality for completing the sign up can be handled by Devise.
We looked into devise_invitable but decided not to use it because we don't want to collect email addresses from employees.
I have implemented this by creating a custom authorizations view and controller to check the employee number/access code combination. Here's what I've done:
In the custom controller, if the employee number and access code combination is correct, set an authentication token in a tokens table, set a matching token in the user's session, and redirect flow to the registrations/new method of Devise. Here's some pseudocode:
    def check_authorization
      if employee number and code are correct
        token = SecureRandom.base58(36)
        # persist the token so the registrations controller can look it up
        set database value to token
        session[:ot_authorization_token] = token
        # Devise's default route helper for registrations#new
        redirect_to new_user_registration_path
      else
        render 'authorize'
      end
    end
In the registrations controller of Devise, check for a session token that matches one in the database; if none is found, redirect flow to my custom authorization controller. I also wrote a helper method to clean up authorizations once control has passed to Devise. I made changes to the new and create methods and left everything else as is. More pseudocode:
    def new
      if get_authorization(session[:ot_authorization_token]).nil?
        redirect_to custom_authorization_path
      else
        super
      end
    end

    def create
      authorization = get_authorization(session[:ot_authorization_token])
      if authorization.nil?
        redirect_to custom_authorization_path
      else
        # Devise's create yields the newly built resource (the user), not the
        # authorization; naming the block parameter |authorization| would shadow
        # the record looked up above. Only consume the token once the sign-up
        # actually saved, so a failed validation doesn't strand the employee.
        super do |resource|
          clean_up(authorization) if resource.persisted?
        end
      end
    end
Will this work? Am I missing anything? Thanks in advance for the help.