door_mat 0.0.5

data/app/controllers/door_mat/manage_email_controller.rb

@@ -0,0 +1,61 @@
+module DoorMat
+  class ManageEmailController < DoorMat::ApplicationController
+    before_action :require_password_reconfirm
+    before_action :require_confirmed_email
+    before_action :update_session_last_activity_time
+
+    def new
+      @email = DoorMat::Email.new
+    end
+
+    def create
+      @email = DoorMat::Email.for(manage_email_params[:address])
+
+      if DoorMat::Process::ManageEmail.add(@email, DoorMat::Session.current_session.actor, self)
+        flash[:notice] = I18n.t('door_mat.manage_email.email_added')
+
+        redirect_to config_url_redirect(:add_email_success_url)
+      else
+        render :new
+      end
+    end
+
+    def destroy
+      encoded_address = params[:email]
+      email = DoorMat::Session.current_session.actor.email_from_urlsafe_encoded(encoded_address)
+
+      if email.blank?
+        flash[:alert] = I18n.t('door_mat.manage_email.could_not_delete')
+      elsif 1 == DoorMat::Session.current_session.actor.emails.count
+        flash[:alert] = I18n.t('door_mat.manage_email.could_not_delete_only_email')
+      elsif email == DoorMat::Session.current_session.email
+        flash[:alert] = I18n.t('door_mat.manage_email.could_not_delete_current_email')
+      elsif email.primary?
+        flash[:alert] = I18n.t('door_mat.manage_email.can_not_delete_primary')
+      else
+        email.destroy!
+        flash[:notice] = I18n.t('door_mat.manage_email.email_deleted')
+      end
+
+      redirect_to config_url_redirect(:destroy_email_redirect_url)
+    end
+
+    def set_primary_email
+      encoded_address = params[:email]
+      if DoorMat::Process::ManageEmail.set_primary(encoded_address, DoorMat::Session.current_session.actor)
+        flash[:notice] = I18n.t('door_mat.manage_email.primary_email_updated')
+      else
+        flash[:alert] = I18n.t('door_mat.manage_email.could_not_update_primary_email')
+      end
+
+      redirect_to config_url_redirect(:set_primary_email_redirect_url)
+    end
+
+    private
+
+    def manage_email_params
+      params.require(:email).permit(:address)
+    end
+
+  end
+end

data/app/controllers/door_mat/password_less_session_controller.rb

@@ -0,0 +1,121 @@
+module DoorMat
+  class PasswordLessSessionController < DoorMat::ApplicationController
+    skip_before_action :require_valid_session, :only => [:new, :create, :access_token, :access_token_post]
+
+    def new
+      @access_token = DoorMat::AccessToken.new_with_token_for(params[:token_for], request)
+    end
+
+    def create
+      DoorMat::AccessToken.destroy_if_linked_to(cookies)
+
+      @access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                              access_token_params[:identifier],
+                                                              access_token_params[:confirm_identifier],
+                                                              access_token_params[:name],
+                                                              access_token_params[:is_public],
+                                                              access_token_params[:remember_me],
+                                                              request)
+      if @access_token.errors.size > 0
+        render :new
+      else
+        @access_token.save!
+        deliver_token(@access_token)
+        redirect_to door_mat.access_token_token_for_token_url(@access_token.token_for)
+      end
+    end
+
+    def access_token
+      token_for = params[:token_for]
+      token = params[:token]
+
+      if token.blank?
+        @access_token = DoorMat::AccessToken.new_with_token_for(params[:token_for], request)
+        render :access_token
+      else
+        process_request(token_for, token)
+      end
+    end
+
+    def access_token_post
+      token_for = access_token_params[:token_for]
+      token = access_token_params[:identifier]
+      process_request(token_for, token)
+    end
+
+    private
+
+    def access_token_params
+      params.require(:access_token).permit(:identifier, :confirm_identifier, :token_for, :name, :is_public, :remember_me)
+    end
+
+    def process_request(token_for, token)
+      if process_token_request(token_for, token)
+        redirect_to session.delete(:redirect_to) || @access_token.default_success_url.inject(self) { |lhs, rhs| lhs.send(rhs) }
+      else
+        render_failed_token_request(token)
+      end
+
+    end
+
+    def render_failed_token_request(token)
+      if DoorMat::Regex.session_guid.match(token).blank?
+        flash.now[:alert] = "The format of your access token is invalid. Please verify there are no missing or extra characters."
+      else
+        flash.now[:alert] = "Something looks wrong with your access token. Please request a new one."
+      end
+      render :access_token
+    end
+
+    def process_token_request(token_for, token, klass = DoorMat::AccessToken)
+      klass.destroy_if_linked_to(cookies)
+      @access_token = nil
+
+      token_for_symbol = token_for.to_s.strip.to_sym
+      return false unless klass.token_for_is_valid(token_for_symbol)
+
+      @access_token = klass.validate_token(token, cookies, request)
+      unless @access_token.blank?
+        # This is a request so the token must have a status of :single_use or :multiple_use
+        if (@access_token.single_use? || @access_token.multiple_use?)
+
+          # mark single use tickets as used so they can't be reused
+          if @access_token.single_use?
+            @access_token.used!
+          end
+
+          validate = @access_token.session_parameters[:validate]
+          is_valid = true
+          is_valid = validate.call(@access_token.identifier) if validate
+
+          if is_valid
+            @access_token.set_up(cookies)
+            return true
+          else
+            DoorMat.configuration.logger.warn "WARN: #{request.remote_ip} Identifier #{@access_token.identifier} did not satisfy validation"
+            @access_token.destroy!
+          end
+
+        end
+      end
+
+      @access_token = klass.new_with_token_for(token_for_symbol, request)
+      return false
+    end
+
+    def deliver_token(access_token)
+      parameters = {
+          url_full: access_token_token_for_token_url(token_for: access_token.token_for, token: access_token.token, protocol: DoorMat::UrlProtocol.url_protocol),
+          url_short: access_token_token_for_token_url(token_for: access_token.token_for, protocol: DoorMat::UrlProtocol.url_protocol),
+          token: access_token.token,
+          address: access_token.identifier,
+          subject: "Your access token"
+      }
+      DoorMat::PasswordLessSessionMailer.send_token(parameters).deliver_now
+    rescue Exception => e
+      DoorMat.configuration.logger.error "ERROR: Failed to deliver access token to #{parameters[:address]} w #{parameters[:token]} - #{e}"
+      raise e
+    end
+
+  end
+end

data/app/controllers/door_mat/reconfirm_password_controller.rb

@@ -0,0 +1,27 @@
+module DoorMat
+  class ReconfirmPasswordController < DoorMat::ApplicationController
+    def new
+      @current_session_email = nil
+
+      # Following a
+      # require_password_reconfirm, provide the email associated with
+      # the current session.
+      # This convenience could be considered a leak of information
+      # so it is disabled by default.
+      if DoorMat.configuration.leak_email_address_at_reconfirm
+        @current_session_email = DoorMat::Session.current_session.email.address
+      end
+    end
+
+    def create
+      password = params[:password]
+      if DoorMat::Session.current_session.reconfirm_password(password)
+        destination_of_redirect = session.delete(:redirect_to) || config_url_redirect(:sign_in_success_url)
+        redirect_to destination_of_redirect
+      else
+        render :new
+      end
+    end
+
+  end
+end

data/app/controllers/door_mat/sessions_controller.rb

@@ -0,0 +1,17 @@
+module DoorMat
+  class SessionsController < DoorMat::ApplicationController
+    before_action :require_confirmed_email
+
+    # This is to let the user terminate an existing session from a different browser or device
+    # see sign_in#destroy for the termination of the current active session in use
+    def terminate
+      session_guid = params[:guid]
+      Session.current_session.actor.sessions.where(hashed_token: session_guid).each do |session|
+        session.destroy
+      end
+
+      redirect_to :back
+    end
+
+  end
+end

data/app/controllers/door_mat/sign_in_controller.rb

@@ -0,0 +1,60 @@
+module DoorMat
+  class SignInController < DoorMat::ApplicationController
+    skip_before_action :require_valid_session, :only => [:new, :create, :destroy]
+
+    def new
+      @sign_in = DoorMat::SignIn.new
+    end
+
+    def create
+      before_sign_in
+      @sign_in = DoorMat::SignIn.new(sign_in_params)
+
+      if @sign_in.valid? && DoorMat::Process::ActorSignIn.with(@sign_in.email, @sign_in.password, @sign_in.is_public?, @sign_in.remember_me?, request, cookies)
+        destination_of_redirect = session.delete(:redirect_to) || config_url_redirect(:sign_in_success_url)
+        reset_session
+
+        redirect_to destination_of_redirect
+        after_sign_in
+      else
+        @sign_in.add_generic_error_msg
+        render :new
+        after_failed_sign_in
+      end
+    end
+
+    def destroy
+      before_sign_out
+      DoorMat::Session.clear_current_session
+      DoorMat::Session.destroy_if_linked_to(cookies)
+
+      reset_session
+      redirect_to config_url_redirect(:sign_out_success_url)
+      after_sign_out
+
+    end
+
+    private
+
+    def sign_in_params
+      params.require(:sign_in).permit(:email, :password, :is_public, :remember_me)
+    end
+
+    def before_sign_in
+      DoorMat.configuration.event_hook_before_sign_in.each {|prc| prc.call}
+    end
+    def after_sign_in
+      DoorMat.configuration.event_hook_after_sign_in.each {|prc| prc.call}
+    end
+    def after_failed_sign_in
+      DoorMat.configuration.event_hook_after_failed_sign_in.each {|prc| prc.call}
+    end
+    def before_sign_out
+      DoorMat.configuration.event_hook_before_sign_out.each {|prc| prc.call}
+    end
+    def after_sign_out
+      DoorMat.configuration.event_hook_after_sign_out.each {|prc| prc.call}
+    end
+
+  end
+end

data/app/controllers/door_mat/sign_up_controller.rb

@@ -0,0 +1,59 @@
+module DoorMat
+  class SignUpController < DoorMat::ApplicationController
+    skip_before_action :require_valid_session, :only => [:new, :create]
+
+    def new
+      @sign_up = DoorMat::SignUp.new
+    end
+
+    def create
+      before_sign_up
+      @sign_up = DoorMat::SignUp.new(sign_up_params)
+      sign_up_failed = true
+
+      if DoorMat.configuration.allow_sign_up && @sign_up.valid?
+
+        if DoorMat.configuration.allow_sign_in_from_sign_up_form && DoorMat::Process::ActorSignIn.with(@sign_up.email, @sign_up.password, true, false, request, cookies)
+          destination_of_redirect = session.delete(:redirect_to) || config_url_redirect(:sign_in_success_url)
+          reset_session
+
+          redirect_to destination_of_redirect
+          after_sign_in
+          sign_up_failed = false
+        elsif DoorMat::Process::ActorSignUp.with(@sign_up.email, @sign_up.password, request, cookies, self)
+          reset_session
+          redirect_to config_url_redirect(:sign_up_success_url)
+          after_sign_up
+          sign_up_failed = false
+        end
+
+      end
+
+      if sign_up_failed
+        @sign_up.add_generic_error_msg
+        render :new
+        after_failed_sign_up
+      end
+    end
+
+    private
+
+    def sign_up_params
+      params.require(:sign_up).permit(:email, :password, :password_confirmation)
+    end
+
+    def after_sign_in
+      DoorMat.configuration.event_hook_after_sign_in.each {|prc| prc.call}
+    end
+    def before_sign_up
+      DoorMat.configuration.event_hook_before_sign_up.each {|prc| prc.call}
+    end
+    def after_sign_up
+      DoorMat.configuration.event_hook_after_sign_up.each {|prc| prc.call}
+    end
+    def after_failed_sign_up
+      DoorMat.configuration.event_hook_after_failed_sign_up.each {|prc| prc.call}
+    end
+
+  end
+end

data/app/controllers/door_mat/static_controller.rb

@@ -0,0 +1,5 @@
+module DoorMat
+  class StaticController < DoorMat::ApplicationController
+    skip_before_action :require_valid_session, :only => [:sign_out_success, :forgot_password_verification_mail_sent]
+  end
+end

data/app/mailers/door_mat/activity_mailer.rb

@@ -0,0 +1,18 @@
+module DoorMat
+  class ActivityMailer < ActionMailer::Base
+    default from: DoorMat.configuration.mailer_from_address
+
+    def confirm_email(parameters)
+      @parameters = parameters
+
+      mail to: @parameters[:address], subject: (@parameters[:subject] || I18n.t("door_mat.activity_mailer.confirm_email.subject"))
+    end
+
+    def reset_password(parameters)
+      @parameters = parameters
+
+      mail to: @parameters[:address], subject: (@parameters[:subject] || I18n.t("door_mat.activity_mailer.reset_password.subject"))
+    end
+
+  end
+end

data/app/mailers/door_mat/password_less_session_mailer.rb

@@ -0,0 +1,12 @@
+module DoorMat
+  class PasswordLessSessionMailer < ActionMailer::Base
+    default from: DoorMat.configuration.mailer_from_address
+
+    def send_token(parameters)
+      @parameters = parameters
+
+      mail to: @parameters[:address], subject: (@parameters[:subject] || I18n.t("door_mat.password_less_session_mailer.send_token.subject"))
+    end
+
+  end
+end

data/app/models/door_mat/access_token.rb

@@ -0,0 +1,315 @@
+module DoorMat
+  class AccessToken < ActiveRecord::Base
+
+    include DoorMat::AttrSymmetricStore
+
+    belongs_to :actor, class_name: 'DoorMat::Actor'
+
+    attr_symmetric_store :name, :identifier, :data
+
+    enum token_for: (k = DoorMat.configuration.password_less_sessions.keys; k.delete(:password_less_defaults); k)
+    enum status: [:single_use, :multiple_use, :used]
+    enum rating: [:public_computer, :private_computer, :remember_me]
+
+    attr_accessor :token, :is_public, :remember_me
+
+    after_initialize :init
+
+    def init
+      self.is_public = true if self.is_public.nil?
+      self.remember_me = false if self.remember_me.nil?
+    end
+
+    validate :initialization_performed?
+
+    def initialization_performed?
+      if self.actor.blank? || self.hashed_token.blank?
+        errors.add(:base, "Access token invalid")
+      end
+    end
+
+    def self.current_access_token
+      RequestStore.store[:current_access_token] ||= self.new
+    end
+
+    def self.clear_current_access_token
+      access_token = current_access_token
+      RequestStore.store[:current_access_token] = nil
+
+      access_token.destroy if access_token.persisted?
+      nil
+    end
+
+    def self.token_for_is_valid(token_for_symbol)
+      DoorMat.configuration.password_less_sessions.has_key? token_for_symbol
+    end
+
+    def self.new_with_token_for(token_for, request)
+      access_token = self.new
+      token_for_symbol = token_for.to_s.strip.to_sym
+      if token_for_is_valid(token_for_symbol)
+        access_token.token_for = self.token_fors[token_for_symbol]
+      else
+        DoorMat.configuration.logger.warn "WARN: #{request.remote_ip} Attempted to use inexistent token_for #{token_for}"
+        access_token.errors[:base] << I18n.t("door_mat.password_less_session.create_failed")
+      end
+      access_token
+    end
+
+    def self.create_from_params(token_for, identifier, confirm_identifier, name, is_public, remember_me, request)
+      clear_current_access_token
+      is_public = '1' == is_public.to_s
+      remember_me = '1' == remember_me.to_s
+
+      access_token = new_with_token_for(token_for, request)
+      return access_token unless access_token.errors.blank?
+
+      access_token.identifier = identifier
+      access_token.name = name || 'access token'
+
+      if access_token.identifier.blank?
+        access_token.errors[:identifier] << I18n.t("door_mat.password_less_session.blank_identifier")
+        return access_token
+      end
+
+      if access_token.session_parameters[:challenge].include? :email
+        if DoorMat::Regex.simple_email.match(access_token.identifier).blank?
+          access_token.errors[:identifier] << I18n.t("door_mat.password_less_session.expect_email_identifier")
+          return access_token
+        end
+      end
+
+      unless identifier == confirm_identifier
+        access_token.errors[:identifier] << I18n.t("door_mat.password_less_session.identifier_error")
+        return access_token
+      end
+
+      unless [:single_use, :multiple_use].include? access_token.session_parameters[:status]
+        DoorMat.configuration.logger.error "ERROR: #{request.remote_ip} Status must be either :single_use or :multiple_use check your configuration - found #{access_token.session_parameters[:status]}"
+        access_token.errors[:base] << I18n.t("door_mat.password_less_session.create_failed")
+        return access_token
+      end
+      access_token.status = access_token.session_parameters[:status]
+
+      unless access_token.load_sub_session
+        access_token.errors[:base] << I18n.t("door_mat.password_less_session.actor_missing")
+        return access_token
+      end
+
+      access_token.generate_new_token
+
+      if is_public
+        access_token.public_computer!
+      else
+        access_token.private_computer!
+      end
+
+      # User asked to be remembered
+      if DoorMat.configuration.allow_remember_me_feature && remember_me
+        access_token.remember_me! unless (
+        DoorMat.configuration.remember_me_require_private_computer_confirmation &&
+            access_token.public_computer?
+        )
+      end
+
+      access_token
+    end
+
+    def form_submit_path(controller)
+      session_parameters.fetch(:form_submit_path).inject(controller) { |lhs, rhs| lhs.send(rhs) }
+    end
+
+    def generate_new_token
+      @token = SecureRandom.uuid
+      self.hashed_token = DoorMat::Crypto::FastHash.sha256(@token)
+    end
+
+    def session_parameters
+      @session_params ||= DoorMat.configuration.password_less_sessions[self.token_for.to_sym]
+    end
+
+    def default_parameters
+      @default_parameters ||= DoorMat.configuration.password_less_sessions[:password_less_defaults]
+    end
+
+    def default_failure_url
+      session_parameters.fetch(:default_failure_url, generic_redirect_url)
+    end
+
+    def default_success_url
+      session_parameters.fetch(:default_success_url, generic_redirect_url)
+    end
+
+    def generic_redirect_url
+      default_parameters.fetch(:generic_redirect_url, [:main_app, :root_url])
+    end
+
+    def load_actor_for_session
+      self.actor ||= DoorMat::Actor.authenticate_with(self.session_parameters[:actor][:email], self.session_parameters[:actor][:password])
+      if self.actor.nil?
+        DoorMat.configuration.logger.error "ERROR: Could not authenticate actor #{self.session_parameters[:actor][:email]} is it in your database?"
+        return false
+      end
+      true
+    end
+
+    def load_sub_session
+      return false unless load_actor_for_session
+
+      unless DoorMat::Session.current_session.session_for_actor_loaded? self.actor
+        sub_session = DoorMat::Session.new_sub_session_for_actor(self.actor, self.session_parameters[:actor][:password])
+        DoorMat::Session.current_session.append_sub_session(sub_session)
+      end
+      true
+    end
+
+    def self.swap_token!(cookies, valid_current_session_tokens, new_session_token, force_new_token_generation = false)
+      access_token = current_access_token
+
+      # Our current access token is in order
+      return unless access_token.valid?
+
+      valid_transitions = access_token.session_parameters.fetch(:transitions, [])
+      # The current access token is for one of the valid_current_session_tokens
+      return unless Array(valid_current_session_tokens).include? access_token.token_for.to_sym
+      # The transition is valid
+      return unless valid_transitions.include? new_session_token
+
+      blank_new_session_access_token = self.new
+      blank_new_session_access_token.token_for = self.token_fors[new_session_token]
+      return unless blank_new_session_access_token.load_actor_for_session
+      issue_new_token = force_new_token_generation || access_token.multiple_use? || (access_token.actor_id != blank_new_session_access_token.actor_id)
+
+      if issue_new_token
+        RequestStore.store[:current_access_token] = blank_new_session_access_token
+
+        if access_token.used?
+          access_token.destroy!
+        end
+
+        blank_new_session_access_token.renew_token(cookies)
+        blank_new_session_access_token.name = access_token.name
+        blank_new_session_access_token.identifier = access_token.identifier
+        blank_new_session_access_token.data = access_token.data
+        blank_new_session_access_token.reference_id = access_token.reference_id
+        blank_new_session_access_token.used!
+      else
+        # For a single user ticket, just update the token_for value
+        if access_token.used?
+          access_token.token_for = self.token_fors[new_session_token]
+          access_token.save!
+        end
+      end
+    end
+
+    def self.is_cookie_present?(cookies)
+      !cookies.encrypted[:token].blank?
+    end
+
+    def self.load_token(token, request, verbose=true)
+      token = token.to_s.strip
+      if DoorMat::Regex.session_guid.match(token).blank?
+        DoorMat.configuration.logger.warn "WARN: #{request.remote_ip} Attempted to use token with invalid format #{token}" if verbose
+        return nil
+      end
+
+      access_token = self.find_by_hashed_token DoorMat::Crypto::FastHash.sha256(token)
+      if access_token.blank?
+        DoorMat.configuration.logger.warn "WARN: #{request.remote_ip} Attempted to use inexistent token #{token}" if verbose
+        return nil
+      end
+
+      return nil unless access_token.load_sub_session
+
+      # Reload the token using find now that the sub_session is loaded
+      # to allow the encrypted field to be decrypted
+      # the request hits the cache so there is no additional round trip to the DB
+      access_token = self.find(access_token.id)
+      access_token.token = token
+      access_token
+    end
+
+    def renew_token(cookies)
+      generate_new_token
+
+      set_up(cookies)
+    end
+
+    def self.validate_token(token, cookies, request)
+      access_token = load_token(token, request)
+
+      access_token = case
+        when access_token.blank?
+          nil
+        # For an unused token, check if the link has expired against access_token.session_parameters[:expiration_delay].ago
+        when access_token.single_use?, access_token.multiple_use?
+          if access_token.created_at < access_token.session_parameters[:expiration_delay].ago
+            DoorMat.configuration.logger.info "INFO: #{request.remote_ip} Attempted to use expired token #{token}"
+            access_token.destroy!
+            nil
+          else
+            access_token
+          end
+        # otherwise, for an ongoing session, use public / private / remember_me expiration delay
+        when access_token.public_computer?
+          if access_token.updated_at < DoorMat.configuration.public_computer_access_session_timeout.minutes.ago
+            access_token.destroy!
+            nil
+          else
+            access_token
+          end
+        when access_token.private_computer?
+          if access_token.updated_at < DoorMat.configuration.private_computer_access_session_timeout.minutes.ago
+            access_token.destroy!
+            nil
+          else
+            access_token
+          end
+        when access_token.remember_me?
+          if access_token.created_at < DoorMat.configuration.remember_me_max_day_count.days.ago
+            access_token.destroy!
+            nil
+          else
+            if access_token.updated_at < DoorMat.configuration.private_computer_access_session_timeout.minutes.ago
+              access_token.renew_token(cookies)
+              access_token.save
+            end
+            access_token
+          end
+      end
+
+      access_token
+    end
+
+    def self.validate_from_cookie(cookies, request)
+      token = cookies.encrypted[:token]
+      RequestStore.store[:current_access_token] = validate_token(token, cookies, request)
+      clean_up(cookies) if RequestStore.store[:current_access_token].nil?
+    end
+
+    def self.destroy_if_linked_to(cookies)
+      token = cookies.encrypted[:token] || ''
+      clean_up(cookies)
+
+      access_token = load_token(token, nil, false)
+      return false if access_token.blank?
+
+      access_token.destroy! unless access_token.multiple_use?
+      true
+    end
+
+    def set_up(cookies)
+      options = {
+          secure: DoorMat.configuration.transmit_cookies_only_over_https,
+          httponly: true
+      }
+      options.merge!({ expires: DoorMat.configuration.remember_me_max_day_count.days.since(self.created_at) }) unless self.public_computer?
+      cookies.encrypted[:token] = options.merge({value: self.token})
+    end
+
+    def self.clean_up(cookies)
+      cookies.delete(:token)
+    end
+
+  end
+end