Keep sensitive signup data in session

app/controllers/sessions_controller.rb

@@ -9,6 +9,7 @@ class SessionsController < ApplicationController
       User.create_with_omniauth(@auth)
 
     unless @user.persisted?
+      store_sensitive_user_data_in_session
       render 'users/new', :status => 422
     else
       self.current_user = @user
@@ -31,4 +32,9 @@ class SessionsController < ApplicationController
     @auth = request.env["omniauth.auth"]
   end
 
+  def store_sensitive_user_data_in_session
+    session[:provider] = @user.provider
+    session[:uid] = @user.uid
+  end
+
 end

app/controllers/users_controller.rb

@@ -9,11 +9,25 @@ class UsersController < ApplicationController
 
   def create
     @user = User.new(params[:user])
+    load_sensitive_user_data_from_session
     if @user.save
+      clear_sensitive_session_user_data
       self.current_user = @user
       redirect_back_or_to root_url, :notice => "Signed in!"
     else
       render 'users/new', :status => 422
     end
   end
+
+  private
+
+  def load_sensitive_user_data_from_session
+    @user.provider = session[:provider]
+    @user.uid = session[:uid]
+  end
+
+  def clear_sensitive_session_user_data
+    session[:provider] = nil
+    session[:uid] = nil
+  end
 end

app/views/users/new.html.erb

@@ -1,8 +1,6 @@
 <%= simple_form_for @user do |f| %>
   <%= f.input :nickname, :input_html => { :class => 'special' } %>
 
-  <%= f.input :provider, :as => :hidden %>
-  <%= f.input :uid, :as => :hidden %>
   <%= f.input :name, :as => :hidden %>
   <%= f.input :avatar_url, :as => :hidden %>
 

spec/controllers/sessions_controller_spec.rb

@@ -58,13 +58,25 @@ describe SessionsController do
 
       context "when nicknamne is taken" do
         let(:not_saved_user) {
-          stub_model(User, :persisted? => false, :valid? => false)
+          stub_model( User,
+            :persisted? => false,
+            :valid?     => false,
+            :uid        => uid,
+            :provider   => provider
+          )
         }
 
         before do
           User.stub(:create_with_omniauth).and_return(not_saved_user)
         end
 
+        it "puts uid and provider in session " do
+          post :create
+
+          session[:uid].should == uid
+          session[:provider].should == provider
+        end
+
         it "renders user/new" do
           post :create
           should render_template('users/new')

spec/controllers/users_controller_spec.rb

@@ -3,22 +3,42 @@ require 'spec_helper'
 describe UsersController do
 
   describe "POST create" do
-    let(:user) { mock_model(User) }
+    let(:user) { mock_model(User).as_null_object }
 
     before do
       User.stub(:new).and_return(user)
     end
 
     context "when user saved" do
+      let(:provider) { 'foo' }
+      let(:uid) { '123' }
+
       before do
+        session[:provider] = provider
+        session[:uid] = uid
+
         user.stub!(:save => true)
       end
 
+      it "assigns provider and uid" do
+        user.should_receive(:provider=).with(provider).and_return(true)
+        user.should_receive(:uid=).with(uid).and_return(true)
+
+        post :create
+      end
+
       it "sets current_user" do
         post :create
         @controller.current_user.should_not be_nil
       end
 
+      it "clears user session data" do
+        post :create
+
+        session[:provider].should be_nil
+        session[:uid].should be_nil
+      end
+
       it "redirects back" do
         post :create
         should redirect_to(root_url)
@@ -35,8 +55,6 @@ describe UsersController do
         post :create
         should render_template('users/new')
       end
-
     end
-
   end
 end

spec/views/users/new.html.erb_spec.rb

@@ -10,8 +10,6 @@ describe "users/new" do
   it "renders form with attr" do
     render
     rendered.should =~ /user\[nickname\]/
-    rendered.should =~ /user\[provider\]/
-    rendered.should =~ /user\[uid\]/
     rendered.should =~ /user\[name\]/
     rendered.should =~ /user\[avatar_url\]/
   end