aikotoba 0.1.0

data/app/controllers/aikotoba/sessions_controller.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class SessionsController < ApplicationController
+    include Authenticatable
+
+    def new
+      return redirect_to after_sign_in_path if aikotoba_current_account
+      @account = build_account({email: "", password: ""})
+    end
+
+    def create
+      @account = authenticate_account(session_params.to_h.symbolize_keys)
+      if @account
+        before_sign_in_process
+        aikotoba_sign_in(@account)
+        after_sign_in_process
+        redirect_to after_sign_in_path, notice: successed_message
+      else
+        failed_sign_in_process
+        @account = build_account({email: "", password: ""})
+        flash[:alert] = failed_message
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    def destroy
+      aikotoba_sign_out if aikotoba_current_account
+      redirect_to after_sign_out_path, notice: signed_out_message
+    end
+
+    private
+
+    def session_params
+      params.require(:account).permit(:email, :password)
+    end
+
+    def build_account(params)
+      Account.build_by(attributes: params)
+    end
+
+    def authenticate_account(params)
+      Account.authenticate_by(attributes: params)
+    end
+
+    def after_sign_in_path
+      Aikotoba.after_sign_in_path
+    end
+
+    def after_sign_out_path
+      Aikotoba.after_sign_out_path
+    end
+
+    def successed_message
+      I18n.t(".aikotoba.messages.authentication.success")
+    end
+
+    def failed_message
+      I18n.t(".aikotoba.messages.authentication.failed")
+    end
+
+    def signed_out_message
+      I18n.t(".aikotoba.messages.authentication.sign_out")
+    end
+
+    # NOTE: Methods to override if you want to do something before sign in.
+    def before_sign_in_process
+    end
+
+    # NOTE: Methods to override if you want to do something after sign in.
+    def after_sign_in_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed sign in.
+    def failed_sign_in_process(e = nil)
+    end
+  end
+end

data/app/controllers/aikotoba/unlocks_controller.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class UnlocksController < ApplicationController
+    include Protection::TimingAtack
+
+    before_action :prevent_timing_atack, only: [:update]
+
+    def new
+      @account = build_account({email: "", password: ""})
+    end
+
+    def create
+      account = find_by_send_token_account!(unlock_accounts_params)
+      before_send_unlock_token_process
+      send_token_account!(account)
+      after_send_unlock_token_process
+      redirect_to success_send_unlock_token_path, flash: {notice: success_send_unlock_token_message}
+    rescue ActiveRecord::RecordNotFound => e
+      failed_send_unlock_token_process(e)
+      @account = build_account({email: "", password: ""})
+      flash[:alert] = failed_send_unlock_token_message
+      render :new, status: :unprocessable_entity
+    end
+
+    def update
+      account = find_by_has_token_account!(params)
+      before_unlock_process
+      unlock_account!(account)
+      after_unlock_process
+      redirect_to after_unlocked_path, flash: {notice: unlocked_message}
+    end
+
+    private
+
+    def unlock_accounts_params
+      params.require(:account).permit(:email)
+    end
+
+    def build_account(params)
+      Account.build_by(attributes: params)
+    end
+
+    def find_by_send_token_account!(params)
+      Account.locked.find_by!(email: params[:email])
+    end
+
+    def send_token_account!(account)
+      Account::Service::Lock.create_unlock_token!(account: account, notify: true)
+    end
+
+    def find_by_has_token_account!(params)
+      Account::UnlockToken.active.find_by!(token: params[:token]).account
+    end
+
+    def unlock_account!(account)
+      # NOTE: Unlocking is done using URL tokens, so it is done in the writing role.
+      ActiveRecord::Base.connected_to(role: :writing) do
+        Account::Service::Lock.unlock!(account: account)
+      end
+    end
+
+    def after_unlocked_path
+      aikotoba.new_session_path
+    end
+
+    def success_send_unlock_token_path
+      aikotoba.new_session_path
+    end
+
+    def unlocked_message
+      I18n.t(".aikotoba.messages.unlocking.success")
+    end
+
+    def success_send_unlock_token_message
+      I18n.t(".aikotoba.messages.unlocking.sent")
+    end
+
+    def failed_send_unlock_token_message
+      I18n.t(".aikotoba.messages.unlocking.failed")
+    end
+
+    # NOTE: Methods to override if you want to do something before send unlock token.
+    def before_send_unlock_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something after send unlock token.
+    def after_send_unlock_token_process
+    end
+
+    # NOTE: Methods to override if you want to do something failed send unlock token.
+    def failed_send_unlock_token_process(e)
+    end
+
+    # NOTE: Methods to override if you want to do something before unlock.
+    def before_unlock_process
+    end
+
+    # NOTE: Methods to override if you want to do something after unlock.
+    def after_unlock_process
+    end
+  end
+end

data/app/controllers/concerns/aikotoba/authenticatable.rb

@@ -0,0 +1,40 @@
+module Aikotoba
+  module Authenticatable
+    extend ActiveSupport::Concern
+    include Protection::SessionFixationAttack
+
+    def aikotoba_current_account
+      unless defined?(@aikotoba_current_account)
+        @aikotoba_current_account ||= aikotoba_authenticate_by_session
+      end
+      @aikotoba_current_account
+    end
+
+    def aikotoba_sign_in(account)
+      prevent_session_fixation_attack
+      session[aikotoba_session_key] = account.id
+    end
+
+    def aikotoba_sign_out
+      @aikotoba_current_account = nil
+      reset_session
+    end
+
+    # NOTE: Even if there is already a session, verify that it can be authenticated, and if not, reset the session,
+    # in case the session is created and then locked by another browser etc.
+    def aikotoba_authenticate_by_session
+      account = Account.authenticatable.find_by(id: session[aikotoba_session_key])
+      account.tap { |account| reset_aikotoba_session unless account }
+    end
+
+    private
+
+    def reset_aikotoba_session
+      session[aikotoba_session_key] = nil
+    end
+
+    def aikotoba_session_key
+      Aikotoba.session_key
+    end
+  end
+end

data/app/controllers/concerns/aikotoba/protection/session_fixation_attack.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# NOTE:  Provides the ability to refresh session before sign_in for session fixation attacks.
+# https://owasp.org/www-community/attacks/Session_fixation
+module Aikotoba
+  module Protection::SessionFixationAttack
+    extend ActiveSupport::Concern
+
+    def prevent_session_fixation_attack
+      reflesh_session
+    end
+
+    private
+
+    def reflesh_session
+      old_session = session.dup.to_hash
+      reset_session
+      old_session.each_pair { |k, v| session[k.to_sym] = v }
+    end
+  end
+end

data/app/controllers/concerns/aikotoba/protection/timing_atack.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# NOTE: Add random delay for Timing attack.
+# https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/04-Test_for_Process_Timing
+module Aikotoba
+  module Protection::TimingAtack
+    extend ActiveSupport::Concern
+
+    def prevent_timing_atack
+      random_delay if aikotoba_prevent_timing_atack
+    end
+
+    private
+
+    def aikotoba_prevent_timing_atack
+      Aikotoba.prevent_timing_atack
+    end
+
+    def random_delay
+      sleep (1..5).to_a.sample / 100.0
+    end
+  end
+end

data/app/mailers/aikotoba/account_mailer.rb

@@ -0,0 +1,24 @@
+module Aikotoba
+  class AccountMailer < ApplicationMailer
+    def confirm
+      @account = params[:account]
+      @token = @account.confirmation_token
+      @confirm_url = aikotoba.confirm_account_url(token: @token.token)
+      mail(to: @account.email, subject: I18n.t(".aikotoba.mailers.confirm.subject"))
+    end
+
+    def unlock
+      @account = params[:account]
+      @token = @account.unlock_token
+      @unlock_url = aikotoba.unlock_account_url(token: @token.token)
+      mail(to: @account.email, subject: I18n.t(".aikotoba.mailers.unlock.subject"))
+    end
+
+    def recover
+      @account = params[:account]
+      @token = @account.recovery_token
+      @recover_url = aikotoba.edit_account_password_url(token: @token.token)
+      mail(to: @account.email, subject: I18n.t(".aikotoba.mailers.recover.subject"))
+    end
+  end
+end

data/app/mailers/aikotoba/application_mailer.rb

@@ -0,0 +1,5 @@
+module Aikotoba
+  class ApplicationMailer < Aikotoba.parent_mailer.constantize
+    default from: Aikotoba.mailer_sender
+  end
+end

data/app/models/aikotoba/account/confirmation_token.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::ConfirmationToken < ApplicationRecord
+    include TokenEncryptable
+    belongs_to :account, class_name: "Aikotoba::Account", foreign_key: "aikotoba_account_id"
+    validates :token, presence: true
+    validates :expired_at, presence: true
+
+    scope :active, ->(now: Time.current) { where("expired_at >= ?", now) }
+
+    after_initialize do |record|
+      token = Account::Value::Token.new(extipry: Aikotoba.confirmation_token_expiry)
+      record.token ||= token.value
+      record.expired_at ||= token.expired_at
+    end
+
+    def notify
+      AccountMailer.with(account: account).confirm.deliver_now
+    end
+  end
+end

data/app/models/aikotoba/account/recovery_token.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::RecoveryToken < ApplicationRecord
+    include TokenEncryptable
+    belongs_to :account, class_name: "Aikotoba::Account", foreign_key: "aikotoba_account_id"
+    validates :token, presence: true
+    validates :expired_at, presence: true
+
+    scope :active, ->(now: Time.current) { where("expired_at >= ?", now) }
+
+    after_initialize do |record|
+      token = Account::Value::Token.new(extipry: Aikotoba.recovery_token_expiry)
+      record.token ||= token.value
+      record.expired_at ||= token.expired_at
+    end
+
+    def notify
+      AccountMailer.with(account: account).recover.deliver_now
+    end
+  end
+end

data/app/models/aikotoba/account/service/authentication.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Service::Authentication
+    def self.call!(email:, password:)
+      new(email: email, password: password).call!
+    end
+
+    def initialize(email:, password:)
+      @account_class = Account
+      @lock_service = Account::Service::Lock
+      @lockable = @account_class.lockable?
+      @email = email
+      @password = password
+    end
+
+    def call!
+      account = find_by_identifier
+      return prevent_timing_atack && nil unless account
+
+      authenticate(account).tap do |result|
+        ActiveRecord::Base.transaction do
+          result ? success_callback(account) : failed_callback(account)
+        end
+      end
+    end
+
+    private
+
+    # NOTE: Verify passwords even when accounts are not found to prevent timing attacks.
+    def prevent_timing_atack
+      return true unless aikotoba_prevent_timing_atack
+      account = @account_class.build_by(attributes: {email: @email, password: @password})
+      account.password_match?(@password)
+      true
+    end
+
+    def aikotoba_prevent_timing_atack
+      Aikotoba.prevent_timing_atack
+    end
+
+    def success_callback(account)
+      account.authentication_success!
+    end
+
+    def failed_callback(account)
+      account.authentication_failed!
+      lock_when_should_lock!(account) if @lockable
+    end
+
+    def find_by_identifier
+      @account_class.authenticatable.find_by(email: @email)
+    end
+
+    def authenticate(account)
+      account.password_match?(@password) ? account : nil
+    end
+
+    concerning :Lockable do
+      def lock_when_should_lock!(account)
+        @lock_service.lock!(account: account, notify: true) if account.should_lock?
+      end
+    end
+  end
+end

data/app/models/aikotoba/account/service/confirmation.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Service::Confirmation
+    def self.create_token!(account:, notify: false)
+      new(account: account).create_token!(notify: notify)
+    end
+
+    def self.confirm!(account:)
+      new(account: account).confirm!
+    end
+
+    def initialize(account:)
+      @account = account
+    end
+
+    def create_token!(notify:)
+      ActiveRecord::Base.transaction do
+        @account.build_confirmation_token.save!
+        @account.confirmation_token.notify if notify
+      end
+    end
+
+    def confirm!
+      ActiveRecord::Base.transaction do
+        @account.confirm!
+        @account.confirmation_token&.destroy!
+      end
+    end
+  end
+end

data/app/models/aikotoba/account/service/lock.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Service::Lock
+    def self.lock!(account:, notify: false)
+      new(account: account).lock!(notify: notify)
+    end
+
+    def self.unlock!(account:)
+      new(account: account).unlock!
+    end
+
+    def self.create_unlock_token!(account:, notify: false)
+      new(account: account).create_unlock_token!(notify: notify)
+    end
+
+    def initialize(account:)
+      @account = account
+    end
+
+    def lock!(notify:)
+      ActiveRecord::Base.transaction do
+        @account.lock!
+        create_unlock_token!(notify: notify)
+      end
+    end
+
+    def unlock!
+      ActiveRecord::Base.transaction do
+        @account.unlock!
+        @account.unlock_token&.destroy!
+      end
+    end
+
+    def create_unlock_token!(notify:)
+      ActiveRecord::Base.transaction do
+        @account.build_unlock_token.save!
+        @account.unlock_token.notify if notify
+      end
+    end
+  end
+end

data/app/models/aikotoba/account/service/recovery.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Service::Recovery
+    def self.create_token!(account:, notify: false)
+      new(account: account).create_token!(notify: notify)
+    end
+
+    def self.recover!(account:, new_password:)
+      new(account: account).recover!(new_password: new_password)
+    end
+
+    def initialize(account:)
+      @account = account
+    end
+
+    def create_token!(notify:)
+      ActiveRecord::Base.transaction do
+        @account.build_recovery_token.save!
+        @account.recovery_token.notify if notify
+      end
+    end
+
+    def recover!(new_password:)
+      ActiveRecord::Base.transaction do
+        @account.recover!(new_password: new_password)
+        @account.recovery_token&.destroy!
+      end
+    end
+  end
+end

data/app/models/aikotoba/account/service/registration.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Service::Registration
+    def self.call!(account:)
+      new.call!(account: account)
+    end
+
+    def initialize
+      @account_class = Account
+      @confirm_service = Account::Service::Confirmation
+      @confirmable = @account_class.confirmable?
+    end
+
+    def call!(account:)
+      ActiveRecord::Base.transaction do
+        account.save!
+        send_confirmation_token!(account) if @confirmable
+      end
+    end
+
+    private
+
+    concerning :Confirmable do
+      def send_confirmation_token!(account)
+        @confirm_service.create_token!(account: account, notify: true)
+      end
+    end
+  end
+end

data/app/models/aikotoba/account/unlock_token.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::UnlockToken < ApplicationRecord
+    include TokenEncryptable
+    belongs_to :account, class_name: "Aikotoba::Account", foreign_key: "aikotoba_account_id"
+    validates :token, presence: true
+    validates :expired_at, presence: true
+
+    scope :active, ->(now: Time.current) { where("expired_at >= ?", now) }
+
+    after_initialize do |record|
+      token = Account::Value::Token.new(extipry: Aikotoba.unlock_token_expiry)
+      record.token ||= token.value
+      record.expired_at ||= token.expired_at
+    end
+
+    def notify
+      AccountMailer.with(account: account).unlock.deliver_now
+    end
+  end
+end

data/app/models/aikotoba/account/value/password.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "argon2"
+
+module Aikotoba
+  class Account::Value::Password
+    LENGTH_RENGE = Aikotoba.password_length_range
+
+    def initialize(
+      value:,
+      pepper: Aikotoba.password_pepper
+    )
+      @value = value
+      @pepper = pepper
+    end
+
+    attr_reader :value
+
+    def match?(digest:)
+      verify_password?(password_with_pepper(value), digest)
+    end
+
+    def digest
+      return "" if value.blank?
+      generate_hash(password_with_pepper(value))
+    end
+
+    private
+
+    def verify_password?(password, digest)
+      Argon2::Password.verify_password(password, digest)
+    rescue Argon2::ArgonHashFail # NOTE: If an invalid digest is passed, consider it a mismatch.
+      false
+    end
+
+    def password_with_pepper(password)
+      "#{password}-#{@pepper}"
+    end
+
+    def generate_hash(password)
+      # NOTE: Adjusted to be OWASAP's recommended value by default.
+      # > Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
+      # > https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction
+      argon = Argon2::Password.new(t_cost: 2, m_cost: 14, p_cost: 1)
+      argon.create(password)
+    end
+  end
+end

data/app/models/aikotoba/account/value/token.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Aikotoba
+  class Account::Value::Token
+    def initialize(extipry:)
+      @value = build_token
+      @expired_at = extipry.since
+    end
+
+    attr_reader :value, :expired_at
+
+    private
+
+    def build_token
+      SecureRandom.urlsafe_base64(32)
+    end
+  end
+end