decidim-friendly_signup 0.3 → 0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 88bd76deb088270153f2b8d9dc3376d1f6333c0429e2433c2f896870027cbd30
-  data.tar.gz: d2e2efec13ef916c6835e8f09b4d50e8e20ddef3c05a1f41bf24b51a1054c074
+  metadata.gz: df7a2d3137cd72541b5d7e63878f022eebb44e0b115044425e727c4f0fe68d59
+  data.tar.gz: dd63fddf8a154b335369dcf87cae2aaff1c9b28c9bd58ad1910a97088283b75f
 SHA512:
-  metadata.gz: 4a23dbcb2623314b4fcfbe30b8025b97309049beb28a2ab66ab0bb070498624509805054e2fc476f04f078fd56ed3161f49c66accae5b5d06b9537547d1fcbdd
-  data.tar.gz: f5312068c52ccb019f87e1af5beabc72e7f85396aee34ab4b1799001dcb905e17962c042186c55b749af4a4a69bdb19b7b915cfad4581e17bccb8e96529e31fe
+  metadata.gz: a03470e2cb20fec61fe7106cd59d96293d9c9e490cd132570aa514a841c43587cbcf675ba25bfd272c5dec497db6c3f6a1922c170effb21f1ddeadeec252f331
+  data.tar.gz: 36919447d408e1a91f22b8d650b12db69ac00c08282fd5b07862bc074a344e9d99075d53fe53436af12ba80dc209b25e9085d3ca2bc0a219a1f47061d91566be

data/README.md

@@ -20,7 +20,7 @@ This module simply substitutes some pages to ease up the registration process in
  
 - [x] Remove the nickname field from the registration process and automatically create one on registering. ![Hide nickname](examples/nickname.png)
 - [x] Instant validate parameters when registering without having to send it for backend validation. ![Instant validation](examples/instant_validation.png)
-- [ ] Use checkout codes to validate the email instead of a link
+- [x] Use numeric, confirmation codes to validate the email instead of a link. ![Confirmation codes](examples/confirmation_codes.png)
 
 ## Installation
 
@@ -42,6 +42,18 @@ And then execute:
 bundle
 ```
 
+For security reasons, it is also recomended to set a expiration time on confirmation tokens, to do that, make sure your Devise initializer has the variable `confirm_within` to certain amount of time.
+
+For instance, you can do that by creating an initializer such as:
+
+```ruby
+# config/initializers/devise.rb
+
+Devise.setup do |config|
+  config.confirm_within = 12.hours
+end
+```
+
 **Note:**
 
 The correct version of FriendlySignup should resolved automatically by the Bundler.
@@ -51,6 +63,7 @@ Depending on your Decidim version, choose the corresponding FriendlySignup versi
 
 | FriendlySignup version | Compatible Decidim versions |
 |---|---|
+| 0.4.x | 0.26.x |
 | 0.3.x | 0.26.x |
 | 0.2.x | 0.26.x |
 | 0.1.x | 0.26.x |
@@ -71,6 +84,9 @@ Decidim::FriendlySignup.configure do |config|
 
   # Hide nickname field and create one automatically from user's name or email (default is true)
   config.hide_nickname = false
+
+  # Send the users a 4-digit number that needs to be entered in a confirmation page instead of a confirmation link (default is true)
+  config.use_confirmation_codes = false
 end
 ```
 

data/app/controllers/concerns/decidim/friendly_signup/registrations_redirect.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module FriendlySignup
+    module RegistrationsRedirect
+      extend ActiveSupport::Concern
+
+      included do
+        def after_sign_up_path_for(user)
+          codes_confirmation_path(user) || super(user)
+        end
+
+        def after_inactive_sign_up_path_for(user)
+          codes_confirmation_path(user) || super(user)
+        end
+
+        def after_resending_confirmation_instructions_path_for(resource_name)
+          user = Decidim::User.find_by email: params.dig(:user, :email)
+          codes_confirmation_path(user) || super(resource_name)
+        end
+      end
+
+      private
+
+      def codes_confirmation_path(user)
+        return if Decidim::FriendlySignup.use_confirmation_codes.blank?
+        return if user.blank?
+        return unless user.inactive_message.to_s == "unconfirmed"
+
+        set_flash_message! :notice, :signed_up_but_code_required
+        decidim_friendly_signup.confirmation_codes_path(confirmation_token: user.confirmation_token)
+      end
+    end
+  end
+end

data/app/controllers/decidim/friendly_signup/confirmation_codes_controller.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Decidim
+  module FriendlySignup
+    class ConfirmationCodesController < Decidim::Devise::ConfirmationsController
+      include Decidim::FormFactory
+      include NeedsHeaderSnippets
+
+      before_action :require_unconfirmed_user
+      helper_method :user, :confirmation_form
+
+      def index; end
+
+      def create
+        if confirmation_form.valid?
+          user.confirm
+          flash[:success] = I18n.t("confirmation_codes.create.user_confirmed", name: user.name, scope: "decidim.friendly_signup")
+          return sign_in_and_redirect user, event: :authentication
+        end
+
+        flash.now[:alert] = confirmation_form.errors.messages.values.flatten.join(" ")
+        render :index
+      end
+
+      private
+
+      def confirmation_form
+        @confirmation_form ||= form(ConfirmationCodeForm).from_params(params)
+      end
+
+      def user
+        @user ||= User.find_by(confirmation_token: params[:confirmation_token], organization: current_organization)
+      end
+
+      def require_unconfirmed_user
+        return redirect_to decidim.user_confirmation_path unless FriendlySignup.use_confirmation_codes
+
+        unless user.present? && !user.confirmed?
+          flash[:alert] = I18n.t("confirmation_code_form.invalid_token", scope: "decidim.friendly_signup")
+          return redirect_to decidim.new_user_session_path
+        end
+
+        if user.send(:confirmation_period_expired?)
+          flash[:alert] = I18n.t("confirmation_code_form.expired", scope: "decidim.friendly_signup")
+          redirect_to decidim.user_confirmation_path
+        end
+      end
+    end
+  end
+end

data/app/forms/decidim/friendly_signup/confirmation_code_form.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Decidim
+  module FriendlySignup
+    class ConfirmationCodeForm < Decidim::Form
+      attribute :confirmation_token, String
+      attribute :code, Integer
+      attribute :confirmation_numbers, Array[Integer]
+
+      validates :confirmation_token, presence: true
+      validate :code_matches_confirmation_token
+      validate :user_exists
+
+      def user_code
+        code || confirmation_numbers.map(&:to_s).join("").to_i
+      end
+
+      private
+
+      def code_matches_confirmation_token
+        return if FriendlySignup.confirmation_code(confirmation_token) == user_code
+
+        errors.add(:code, I18n.t("confirmation_code_form.invalid", scope: "decidim.friendly_signup"))
+      end
+
+      def user_exists
+        return if User.exists?(confirmation_token: confirmation_token, organization: current_organization)
+
+        errors.add(:code, I18n.t("confirmation_code_form.invalid_token", scope: "decidim.friendly_signup"))
+      end
+    end
+  end
+end

data/app/mailers/decidim/friendly_signup/confirmation_codes_mailer.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Decidim
+  module FriendlySignup
+    class ConfirmationCodesMailer < ApplicationMailer
+      include Decidim::LocalisedMailer
+
+      def confirmation_instructions(user, opts)
+        @user = user
+        @email = opts[:to] || user.email
+        @token = opts[:token]
+        @organization = user.organization
+        @code = FriendlySignup.confirmation_code(@token)
+        @expires_at = @user.confirmation_sent_at + @user.class.confirm_within if @user.class.confirm_within
+
+        with_user(user) do
+          mail(to: "#{user.name} <#{@email}>", subject: I18n.t("decidim.friendly_signup.confirmation_codes.mailer.subject", organization: @organization.name))
+        end
+      end
+    end
+  end
+end

data/app/models/concerns/decidim/friendly_signup/needs_registration_codes.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module FriendlySignup
+    module NeedsRegistrationCodes
+      extend ActiveSupport::Concern
+
+      included do
+        def send_confirmation_instructions
+          return super if Decidim::FriendlySignup.use_confirmation_codes.blank?
+          return super unless inactive_message.to_s == "unconfirmed"
+
+          generate_confirmation_token! unless @raw_confirmation_token
+
+          opts = pending_reconfirmation? ? { to: unconfirmed_email } : {}
+          opts[:token] = @raw_confirmation_token
+          ConfirmationCodesMailer.confirmation_instructions(self, opts).deliver_now
+        end
+      end
+    end
+  end
+end

data/app/packs/entrypoints/decidim_friendly_signup.js

@@ -1,5 +1,6 @@
 import "src/decidim/friendly_signup/setup_password"
 import "src/decidim/friendly_signup/setup_validations"
+import "src/decidim/friendly_signup/setup_confirmations"
 
 // CSS
 import "entrypoints/decidim_friendly_signup.scss";

data/app/packs/entrypoints/decidim_friendly_signup.scss

@@ -1,2 +1,3 @@
 /* css for decidim_friendly_signup */
 @import "stylesheets/decidim/friendly_signup/input-groups";
+@import "stylesheets/decidim/friendly_signup/confirmation-codes";

data/app/packs/src/decidim/friendly_signup/lib/instant_validator.js

@@ -15,6 +15,9 @@ export default class InstantValidator {
   }
 
   init() {
+    if (!this.url || !this.$form.length) {
+      return;
+    }
     this.$form.foundation("disableValidation");
     // this final validation prevents abide from resetting the field when user loses focus
     this.$inputs.on("blur", (evt) => {

data/app/packs/src/decidim/friendly_signup/setup_confirmations.js

@@ -0,0 +1,57 @@
+$(() => {
+  const $inputs = $('.confirmation-code-inputs input[type="number"]');
+  const $form = $inputs.closest("form");
+  const intRegex = /^\d+$/;
+  let disableManual = false;
+
+  // Parses the individual digits into the individual boxes.
+  const pasteValues = (element, $first) => {
+    const values = element.split("");
+    let $inputBox = $first;
+
+    $(values).each((index) => {
+      $inputBox.val(values[index]);
+      $inputBox = $inputBox.next('input[type="number"]');
+      if ($inputBox.length === 0) {
+        $form.submit();
+      }
+    });
+  };
+
+  $inputs.on("focus", (e) => {
+    $(e.target).select();
+  });
+
+  // Prevents user from manually entering non-digits.
+  $inputs.on("input.fromManual", (e) => {
+    if (disableManual) {
+      return;
+    }
+    const $this = $(e.target);
+    if (intRegex.test($this.val())) {
+      pasteValues($this.val(), $this);
+      $this.next('input[type="number"]').focus();
+    } else {
+      $this.val("");
+    }
+  });
+
+  $inputs.on("paste", (evt) => {
+    const $this = $(evt.target);
+    const originalValue = $this.val();
+    $this.val("");
+    disableManual = true;
+    $this.one("input.fromPaste", (e) => {
+      const $currentInputBox = $(e.target);
+
+      const pastedValue = $currentInputBox.val();
+      if (intRegex.test(pastedValue)) {
+        pasteValues(pastedValue, $inputs.eq(0));
+      }
+      else {
+        $this.val(originalValue);
+      }
+      disableManual = false;
+    });
+  });
+});

data/app/packs/stylesheets/decidim/friendly_signup/_confirmation-codes.scss

@@ -0,0 +1,23 @@
+.confirmation-code-inputs {
+  display: flex;
+  justify-content: center;
+  margin: 2rem;
+
+  input[type="number"] {
+    width: 15%;
+    font-size: 5em;
+    height: 1.2em;
+    line-height: 1;
+    padding: 0;
+    margin: 0 2%;
+    text-align: center;
+    box-shadow: 1px 3px 3px #bbb;
+    -moz-appearance: textfield;
+
+    &::-webkit-inner-spin-button,
+    &::-webkit-outer-spin-button {
+      -webkit-appearance: none;
+      margin: 0;
+    }
+  }
+}

data/app/views/decidim/friendly_signup/confirmation_codes/index.html.erb

@@ -0,0 +1,38 @@
+<% add_decidim_page_title(t(".enter_code")) %>
+
+<div class="wrapper">
+<div class="row collapse">
+  <div class="row collapse">
+    <div class="columns large-8 large-centered text-center page-title">
+      <h1><%= t(".title") %></h1>
+      <h6><%= t(".subtitle") %></h6>
+    </div>
+  </div>
+
+  <div class="row">
+    <div class="columns medium-10 large-8 medium-centered">
+      <div class="card">
+        <div class="card__content">
+          <p class="text-center"><%= t(".description", email: "<strong>#{user.email}</strong>").html_safe %></p>
+          <%= decidim_form_for(confirmation_form, url: decidim_friendly_signup.confirmation_codes_path(confirmation_token: confirmation_form.confirmation_token)) do |f| %>
+            <div class="field confirmation-code-inputs">
+              <%= number_field_tag "confirmation_numbers[0]", "", autofocus: true, autocomplete: :off %>
+              <%= number_field_tag "confirmation_numbers[1]", "", autocomplete: :off %>
+              <%= number_field_tag "confirmation_numbers[2]", "", autocomplete: :off %>
+              <%= number_field_tag "confirmation_numbers[3]", "", autocomplete: :off %>
+            </div>
+
+            <div class="actions text-center">
+              <%= f.submit t(".verify"), class: "button text-uppercase" %>
+            </div>
+          <% end %>
+
+          <p class="text-center">
+            <%= link_to t(".code_not_received"), decidim.user_confirmation_path(confirmation_token: confirmation_form.confirmation_token, "user[email]": user.email), method: :post, data: { confirm: t(".confirm_send_code", email: user.email) } %>
+          </p>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+</div>

data/app/views/decidim/friendly_signup/confirmation_codes_mailer/confirmation_instructions.html.erb

@@ -0,0 +1,13 @@
+<h1 class="text-center"><%= t(".title") %></h1>
+
+<p class="email-instructions text-center"><%= t(".subtitle", organization: link_to(@organization.name, decidim_friendly_signup.confirmation_codes_path(confirmation_token: @token))).html_safe %></p>
+
+<h3 class="email-instruction text-center" style="margin:1em 0 0.2em 0;"><%= t(".copy") %></h3>
+
+<% if @expires_at %>
+  <p class="email-small text-center"><%= t(".expires_in", time: distance_of_time_in_words(Time.now, @expires_at, scope: "decidim.friendly_signup.datetime.distance_in_words")) %></p>
+<% end %>
+
+<p class="stat text-center" style="margin:1em 0;"><b style="font-size: 2em"><%= @code %></b></p>
+
+<p class="email-small email-closing text-center"><%= t(".ignore").html_safe %></p>

data/config/locales/en.yml

@@ -1,10 +1,89 @@
 ---
 en:
+  activemodel:
+    attributes:
+      confirmation_code:
+        code: Confirmation code
   decidim:
     friendly_signup:
+      confirmation_code_form:
+        expired: Sorry, this code has expired, please generate a new one.
+        invalid: Code is invalid, please make sure to copy the code emailed to you.
+        invalid_token: Invalid token.
+      confirmation_codes:
+        create:
+          user_confirmed: Welcome %{name}! Your account has been succesfully confirmed!
+        index:
+          code_not_received: Didn't receive the code?
+          confirm_send_code: Do you want to resend the confirmation code to %{email}?<br>Be
+            sure to check the spam folder just in case!
+          description: You should receive a 4 digit code at %{email}.<br>If you can't
+            find it, please check your spam folder or wait  up to 10 minutes.
+          enter_code: Enter code
+          subtitle: You need to confirm your email address to be able to submit proposals,
+            comment and vote.
+          title: One last step...
+          verify: Verify
+        mailer:
+          subject: Confirm your account at %{organization}
+        resend_code:
+          sent: The confirmation code has been sent to %{email}.
+      confirmation_codes_mailer:
+        confirmation_instructions:
+          copy: 'Copy this code:'
+          expires_in: It will expire in %{time}.
+          ignore: |-
+            If you didn't request this comunication, please ignore this email.<br />
+            Your account won't be active until your account is fully confirmed.
+          subtitle: To finalize the registration you just need to copy the 4 digit
+            code below, go back to the %{organization} signup page and paste it!
+          title: You're almost there!
+      datetime:
+        distance_in_words:
+          about_x_hours:
+            one: about 1 hour
+            other: about %{count} hours
+          about_x_months:
+            one: about 1 month
+            other: about %{count} months
+          about_x_years:
+            one: about 1 year
+            other: about %{count} years
+          almost_x_years:
+            one: almost 1 year
+            other: almost %{count} years
+          half_a_minute: half a minute
+          less_than_x_minutes:
+            one: less than a minute
+            other: less than %{count} minutes
+          less_than_x_seconds:
+            one: less than 1 second
+            other: less than %{count} seconds
+          over_x_years:
+            one: over 1 year
+            other: over %{count} years
+          x_days:
+            one: 1 day
+            other: "%{count} days"
+          x_minutes:
+            one: 1 minute
+            other: "%{count} minutes"
+          x_months:
+            one: 1 month
+            other: "%{count} months"
+          x_seconds:
+            one: 1 second
+            other: "%{count} seconds"
       shared:
         password_fields:
           hidden_password: Your password is hidden
           hide_password: Hide password
           show_password: Show password
           shown_password: Your password is shown
+  devise:
+    confirmations:
+      signed_up_but_code_required: A message with a code has been sent to your email
+        address. Please copy and paste the received code in this page.
+    registrations:
+      signed_up_but_code_required: A message with a code has been sent to your email
+        address. Please copy and paste the received code in this page.

data/lib/decidim/friendly_signup/engine.rb

@@ -2,6 +2,7 @@
 
 require "rails"
 require "decidim/core"
+require "rack/attack"
 
 module Decidim
   module FriendlySignup
@@ -10,6 +11,9 @@ module Decidim
       isolate_namespace Decidim::FriendlySignup
 
       routes do
+        devise_scope :user do
+          resources :confirmation_codes, only: [:index, :create]
+        end
         post :validate, to: "validator#validate"
       end
 
@@ -18,13 +22,24 @@ module Decidim
       # overrides
       config.after_initialize do
         Decidim::Devise::RegistrationsController.include(Decidim::FriendlySignup::NeedsHeaderSnippets)
+        Decidim::Devise::RegistrationsController.include(Decidim::FriendlySignup::RegistrationsRedirect)
+        Decidim::Devise::ConfirmationsController.include(Decidim::FriendlySignup::RegistrationsRedirect)
         Decidim::Devise::InvitationsController.include(Decidim::FriendlySignup::NeedsHeaderSnippets)
         Decidim::Devise::PasswordsController.include(Decidim::FriendlySignup::NeedsHeaderSnippets)
         Decidim::AccountController.include(Decidim::FriendlySignup::NeedsHeaderSnippets)
         Decidim::RegistrationForm.include(Decidim::FriendlySignup::AutoNickname)
+        Decidim::User.include(Decidim::FriendlySignup::NeedsRegistrationCodes)
       end
 
-      initializer "FriendlySignup.webpacker.assets_path" do
+      initializer "friendly_signup.confirmation_throttling" do
+        # Throttle confirmation attempts for a given code parameter to 6 reqs/minute
+        # Return the confirmation_token as a discriminator on POST /users/sign_in requests
+        Rack::Attack.throttle("limit confirmations attempts per code", limit: 5, period: 60.seconds) do |request|
+          request.params["confirmation_token"] if request.path == "/friendly_signup/confirmation_codes" && request.post?
+        end
+      end
+
+      initializer "friendly_signup.webpacker.assets_path" do
         Decidim.register_assets_path File.expand_path("app/packs", root)
       end
     end

data/lib/decidim/friendly_signup/version.rb

@@ -5,6 +5,6 @@ module Decidim
   module FriendlySignup
     DECIDIM_VERSION = "0.26.2"
     COMPAT_DECIDIM_VERSION = "~> 0.26.0"
-    VERSION = "0.3"
+    VERSION = "0.4"
   end
 end

data/lib/decidim/friendly_signup.rb

@@ -23,6 +23,18 @@ module Decidim
     config_accessor :hide_nickname do
       true
     end
+
+    # Use confirmation codes instead of confirmation links
+    config_accessor :use_confirmation_codes do
+      true
+    end
+
+    # Generates a secure code from a string
+    def self.confirmation_code(hash)
+      num = Decidim::Tokenizer.new(salt: Rails.application.secret_key_base).int_digest(hash).to_s[0..3]
+      num += "0" while num.size < 4
+      num.to_i
+    end
   end
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: decidim-friendly_signup
 version: !ruby/object:Gem::Version
-  version: '0.3'
+  version: '0.4'
 platform: ruby
 authors:
 - Ivan Vergés
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-14 00:00:00.000000000 Z
+date: 2022-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: decidim-core
@@ -49,21 +49,30 @@ files:
 - README.md
 - Rakefile
 - app/controllers/concerns/decidim/friendly_signup/needs_header_snippets.rb
+- app/controllers/concerns/decidim/friendly_signup/registrations_redirect.rb
 - app/controllers/decidim/friendly_signup/application_controller.rb
+- app/controllers/decidim/friendly_signup/confirmation_codes_controller.rb
 - app/controllers/decidim/friendly_signup/validator_controller.rb
 - app/forms/concerns/decidim/friendly_signup/auto_nickname.rb
+- app/forms/decidim/friendly_signup/confirmation_code_form.rb
+- app/mailers/decidim/friendly_signup/confirmation_codes_mailer.rb
+- app/models/concerns/decidim/friendly_signup/needs_registration_codes.rb
 - app/packs/entrypoints/decidim_friendly_signup.js
 - app/packs/entrypoints/decidim_friendly_signup.scss
 - app/packs/images/decidim/friendly_signup/icon.svg
 - app/packs/src/decidim/friendly_signup/lib/instant_validator.js
 - app/packs/src/decidim/friendly_signup/lib/password_toggler.js
+- app/packs/src/decidim/friendly_signup/setup_confirmations.js
 - app/packs/src/decidim/friendly_signup/setup_password.js
 - app/packs/src/decidim/friendly_signup/setup_validations.js
+- app/packs/stylesheets/decidim/friendly_signup/_confirmation-codes.scss
 - app/packs/stylesheets/decidim/friendly_signup/_input-groups.scss
 - app/views/decidim/account/_password_fields.html.erb
 - app/views/decidim/devise/invitations/edit.html.erb
 - app/views/decidim/devise/passwords/edit.html.erb
 - app/views/decidim/devise/registrations/new.html.erb
+- app/views/decidim/friendly_signup/confirmation_codes/index.html.erb
+- app/views/decidim/friendly_signup/confirmation_codes_mailer/confirmation_instructions.html.erb
 - app/views/decidim/friendly_signup/shared/_password_fields.html.erb
 - config/assets.rb
 - config/i18n-tasks.yml