easy-admin-rails 0.2.4 → 0.2.6

data/app/components/easy_admin/two_factor/setup_component.rb

@@ -0,0 +1,124 @@
+module EasyAdmin
+  module TwoFactor
+    class SetupComponent < BaseComponent
+      def initialize(user:)
+        @user = user
+      end
+      
+      def view_template
+        return render_unavailable unless @user.two_factor_available?
+        
+        if @user.otp_secret.blank?
+          render_initial_setup
+        else
+          render_verification_step
+        end
+      end
+      
+      private
+      
+      def render_unavailable
+        div(class: "max-w-md mx-auto bg-white p-6 rounded-lg shadow") do
+          div(class: "text-center") do
+            div(class: "w-12 h-12 mx-auto mb-4 text-gray-400") do
+              unsafe_raw '<svg fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.996-.833-2.764 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z"></path></svg>'
+            end
+            h3(class: "text-lg font-medium text-gray-900 mb-2") { "2FA Not Available" }
+            p(class: "text-gray-600 mb-4") do
+              "To enable Two-Factor Authentication, please install the required gems:"
+            end
+            div(class: "bg-gray-100 p-3 rounded text-sm font-mono mb-4") do
+              p { "gem 'rotp', '~> 6.3'" }
+              p { "gem 'rqrcode', '~> 2.2'" }
+            end
+            p(class: "text-sm text-gray-500") { "Then restart your server to enable 2FA features." }
+          end
+        end
+      end
+      
+      def render_initial_setup
+        div(class: "text-center mb-6") do
+          div(class: "w-16 h-16 mx-auto mb-4 text-blue-500") do
+            unsafe_raw '<svg fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"></path></svg>'
+          end
+          p(class: "text-gray-600") { "Secure your account with an additional layer of protection." }
+        end
+        
+        a(
+          href: EasyAdmin::Engine.routes.url_helpers.two_factor_setup_path,
+          class: "w-full bg-blue-600 text-white py-2 px-4 rounded-lg hover:bg-blue-700 transition-colors block text-center"
+        ) { "Continue Setup" }
+      end
+      
+      def render_verification_step
+        div do
+          div(class: "text-center mb-6") do
+            h3(class: "text-lg font-medium mb-2") { "Scan QR Code" }
+            p(class: "text-sm text-gray-600 mb-4") do
+              "Use Google Authenticator, Authy, or any TOTP app to scan this code:"
+            end
+            
+            # QR Code
+            div(class: "bg-white p-4 rounded-lg inline-block border") do
+              if @user.qr_code_svg.present?
+                div(class: "w-48 h-48", style: "svg { width: 100%; height: 100%; }") do
+                  unsafe_raw(@user.qr_code_svg)
+                end
+              else
+                div(class: "w-48 h-48 bg-gray-100 rounded flex items-center justify-center") do
+                  p(class: "text-gray-500 text-sm") { "QR code unavailable" }
+                end
+              end
+            end
+          end
+          
+          div(class: "mb-6") do
+            h4(class: "text-sm font-medium mb-2") { "Manual Entry Key:" }
+            div(class: "bg-gray-100 p-3 rounded-lg") do
+              code(class: "text-sm font-mono break-all") { @user.otp_secret }
+            end
+            p(class: "text-xs text-gray-500 mt-1") do
+              "Enter this key manually if you can't scan the QR code"
+            end
+          end
+          
+          render_verification_form
+        end
+      end
+      
+      def render_verification_form
+        form(action: EasyAdmin::Engine.routes.url_helpers.two_factor_enable_path, method: :post) do
+          input(type: "hidden", name: "authenticity_token", value: helpers.form_authenticity_token) if helpers.respond_to?(:form_authenticity_token)
+          
+          div(class: "mb-4") do
+            label(for: "otp_code", class: "block text-sm font-medium mb-2") { "Enter 6-digit code from your authenticator app:" }
+            input(
+              type: "text",
+              name: "otp_code",
+              id: "otp_code",
+              class: "w-full p-3 border border-gray-300 rounded-lg text-center text-2xl font-mono tracking-wider",
+              placeholder: "000000",
+              maxlength: 6,
+              pattern: "[0-9]{6}",
+              autocomplete: "one-time-code",
+              required: true
+            )
+          end
+          
+          div(class: "flex space-x-3") do
+            input(
+              type: "submit",
+              value: "Enable 2FA",
+              class: "flex-1 bg-green-600 text-white py-2 px-4 rounded-lg hover:bg-green-700 transition-colors cursor-pointer"
+            )
+            
+            a(
+              href: EasyAdmin::Engine.routes.url_helpers.profile_path,
+              class: "flex-1 bg-gray-300 text-gray-700 py-2 px-4 rounded-lg hover:bg-gray-400 transition-colors text-center"
+            ) { "Cancel" }
+          end
+        end
+      end
+    end
+  end
+end

data/app/components/easy_admin/two_factor/status_component.rb

@@ -0,0 +1,92 @@
+module EasyAdmin
+  module TwoFactor
+    class StatusComponent < BaseComponent
+      def initialize(user:)
+        @user = user
+      end
+      
+      def view_template
+        return render_unavailable unless @user.two_factor_available?
+        
+        if @user.two_factor_enabled?
+          render_enabled_status
+        else
+          render_disabled_status
+        end
+      end
+      
+      private
+      
+      def render_unavailable
+        div(class: "bg-gray-50 p-4 rounded-lg border") do
+          div(class: "flex items-center") do
+            div(class: "w-8 h-8 text-gray-400 mr-3") do
+              unsafe_raw '<svg fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.996-.833-2.764 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z"></path></svg>'
+            end
+            div do
+              h4(class: "font-medium text-gray-900") { "2FA Unavailable" }
+              p(class: "text-sm text-gray-600") { "Contact System Administrator to enable 2FA" }
+            end
+          end
+        end
+      end
+      
+      def render_enabled_status
+        div(class: "bg-green-50 p-4 rounded-lg border border-green-200") do
+          div(class: "flex items-start justify-between") do
+            div(class: "flex items-center") do
+              div(class: "w-8 h-8 text-green-500 mr-3") do
+                unsafe_raw '<svg fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z"></path></svg>'
+              end
+              div do
+                h4(class: "font-medium text-green-900") { "Two-Factor Authentication Enabled" }
+                p(class: "text-sm text-green-700") do
+                  "Your account is protected with 2FA"
+                end
+                p(class: "text-xs text-green-600 mt-1") do
+                  "#{@user.backup_codes_remaining} backup codes remaining"
+                end
+              end
+            end
+            
+            div do
+              a(
+                href: EasyAdmin::Engine.routes.url_helpers.two_factor_backup_codes_path,
+                class: "text-sm bg-green-100 text-green-800 px-3 py-1 rounded-md hover:bg-green-200 transition-colors",
+                data: { turbo_frame: "modal" }
+              ) { "Backup Codes" }
+            end
+          end
+        end
+      end
+      
+      def render_disabled_status
+        div(class: "bg-yellow-50 p-4 rounded-lg border border-yellow-200") do
+          div(class: "flex items-start justify-between") do
+            div(class: "flex items-center") do
+              div(class: "w-8 h-8 text-yellow-500 mr-3") do
+                unsafe_raw '<svg fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"></path></svg>'
+              end
+              div do
+                h4(class: "font-medium text-yellow-900") { "Two-Factor Authentication Disabled" }
+                p(class: "text-sm text-yellow-700") do
+                  if @user.two_factor_required?
+                    "Two-factor authentication is required for your role"
+                  else
+                    "Add an extra layer of security to your account"
+                  end
+                end
+              end
+            end
+            
+            a(
+              href: EasyAdmin::Engine.routes.url_helpers.two_factor_setup_path,
+              class: "bg-blue-600 text-white px-4 py-2 rounded-md text-sm hover:bg-blue-700 transition-colors",
+              data: { turbo_frame: "modal" }
+            ) { "Enable 2FA" }
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/easy_admin/two_factor.rb

@@ -0,0 +1,110 @@
+module EasyAdmin
+  module TwoFactor
+    extend ActiveSupport::Concern
+    
+    def two_factor_setup
+      unless current_admin_user.two_factor_available?
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_unavailable" }
+          format.html { redirect_to profile_path, alert: "2FA is not available" }
+        end
+        return
+      end
+      
+      # Generate secret if not already present
+      unless current_admin_user.otp_secret.present?
+        current_admin_user.generate_otp_secret!
+        current_admin_user.save!
+      end
+
+      respond_to do |format|
+        format.html { render "two_factor_setup", layout: !turbo_frame_request? }
+      end
+    end
+    
+    def two_factor_enable
+      unless current_admin_user.two_factor_available?
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_unavailable" }
+        end
+        return
+      end
+      
+      @otp_code = params[:otp_code]
+      
+      if current_admin_user.validate_and_consume_otp!(@otp_code)
+        current_admin_user.update!(otp_required_for_login: true)
+        current_admin_user.generate_backup_codes!
+        
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_enabled" }
+        end
+      else
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_invalid_code" }
+        end
+      end
+    end
+    
+    
+    def two_factor_backup_codes
+      unless current_admin_user.two_factor_enabled?
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_not_enabled" }
+        end
+        return
+      end
+      
+      respond_to do |format|
+        format.html { render "two_factor_backup_codes", layout: !turbo_frame_request? }
+      end
+    end
+    
+    def regenerate_backup_codes
+      unless current_admin_user.two_factor_enabled?
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/two_factor_not_enabled" }
+        end
+        return
+      end
+      
+      current_admin_user.generate_backup_codes!
+      
+      respond_to do |format|
+        format.turbo_stream { render "easy_admin/profile/backup_codes_regenerated" }
+      end
+    end
+    
+    def change_password
+      respond_to do |format|
+        format.html { render "change_password", layout: !turbo_frame_request? }
+      end
+    end
+    
+    def update_password
+      if current_admin_user.valid_password?(params[:admin_user][:current_password])
+        if current_admin_user.update_with_password(password_params.merge(current_password: params[:admin_user][:current_password]))
+          # Bypass auto sign out by signing the user back in
+          bypass_sign_in(current_admin_user)
+          respond_to do |format|
+            format.turbo_stream { render "easy_admin/profile/password_updated" }
+          end
+        else
+          respond_to do |format|
+            format.turbo_stream { render "easy_admin/profile/password_error" }
+          end
+        end
+      else
+        respond_to do |format|
+          format.turbo_stream { render "easy_admin/profile/password_invalid_current" }
+        end
+      end
+    end
+    
+    private
+    
+    def password_params
+      params.require(:admin_user).permit(:password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/easy_admin/application_controller.rb

@@ -17,6 +17,7 @@ module EasyAdmin
     helper EasyAdmin::PagyHelper
     
     before_action :authenticate_easy_admin_admin_user!
+    before_action :check_pending_2fa!
     before_action :set_active_storage_url_options
     before_action :set_feature_toggles
     before_action :set_paper_trail_whodunnit
@@ -54,6 +55,15 @@ module EasyAdmin
       redirect_to new_admin_user_session_path, alert: 'You need to sign in to access this page.'
     end
     
+    def check_pending_2fa!
+      # Skip check for sessions controller
+      return if controller_name == 'sessions'
+      return unless session[:pending_2fa_user_id]
+      
+      # If user has pending 2FA, redirect them to complete it
+      redirect_to two_factor_verification_path, alert: 'Please complete two-factor authentication to continue.'
+    end
+    
     def set_active_storage_url_options
       ActiveStorage::Current.url_options = { host: request.base_url } if defined?(ActiveStorage::Current)
     end

data/app/controllers/easy_admin/profile_controller.rb

@@ -0,0 +1,25 @@
+module EasyAdmin
+  class ProfileController < ApplicationController
+    include TwoFactor
+    
+    def index
+      @user = current_admin_user
+    end
+    
+    def update
+      @user = current_admin_user
+      
+      if @user.update(profile_params)
+        redirect_to profile_path, notice: 'Profile updated successfully'
+      else
+        redirect_to profile_path, alert: 'Failed to update profile'
+      end
+    end
+    
+    private
+    
+    def profile_params
+      params.require(:admin_user).permit(:first_name, :last_name, :email)
+    end
+  end
+end

data/app/controllers/easy_admin/sessions_controller.rb

@@ -4,16 +4,116 @@ module EasyAdmin
     
     # GET /easy_admin/sign_in
     def new
+      # Clear any pending 2FA session
+      session.delete(:pending_2fa_user_id)
       super
     end
 
     # POST /easy_admin/sign_in
     def create
+      # First, try to authenticate with email/password
+      self.resource = warden.authenticate!(auth_options)
+      
+      if resource
+        # Check if 2FA is required for this user
+        if resource.two_factor_enabled?
+          # Store user ID in session for 2FA verification
+          session[:pending_2fa_user_id] = resource.id
+          
+          # Don't sign in yet - redirect to 2FA verification page
+          redirect_to two_factor_verification_path
+        else
+          # No 2FA required, proceed with normal sign in
+          set_flash_message!(:notice, :signed_in)
+          sign_in(resource_name, resource)
+          yield resource if block_given?
+          respond_with resource, location: after_sign_in_path_for(resource)
+        end
+      else
+        # Authentication failed
+        super
+      end
+    rescue => e
+      # Handle authentication errors
       super
     end
+    
+    # GET /easy_admin/two_factor_verification
+    def two_factor_verification
+      user_id = session[:pending_2fa_user_id]
+      
+      unless user_id
+        redirect_to new_admin_user_session_path, alert: "Session expired. Please sign in again."
+        return
+      end
+      
+      @user = EasyAdmin::AdminUser.find_by(id: user_id)
+      
+      unless @user&.two_factor_enabled?
+        session.delete(:pending_2fa_user_id)
+        redirect_to new_admin_user_session_path, alert: "Invalid session. Please sign in again."
+        return
+      end
+    end
+    
+    # GET /easy_admin/cancel_2fa
+    def cancel_2fa
+      # Clear the pending 2FA session
+      session.delete(:pending_2fa_user_id)
+      
+      # Sign out the user completely
+      sign_out(current_admin_user) if current_admin_user
+      
+      # Redirect to sign in with a message
+      redirect_to new_admin_user_session_path, notice: "2FA verification cancelled. Please sign in again."
+    end
+    
+    # POST /easy_admin/verify_2fa
+    def verify_2fa
+      user_id = session[:pending_2fa_user_id]
+      
+      unless user_id
+        redirect_to new_admin_user_session_path, alert: "Session expired. Please sign in again."
+        return
+      end
+      
+      user = EasyAdmin::AdminUser.find_by(id: user_id)
+      
+      unless user&.two_factor_enabled?
+        session.delete(:pending_2fa_user_id)
+        redirect_to new_admin_user_session_path, alert: "Invalid session. Please sign in again."
+        return
+      end
+      
+      otp_code = params[:otp_code]&.strip
+      
+      if otp_code.present? && user.validate_and_consume_otp!(otp_code)
+        # 2FA verification successful
+        session.delete(:pending_2fa_user_id)
+        set_flash_message!(:notice, :signed_in)
+        sign_in(resource_name, user)
+        
+        redirect_to after_sign_in_path_for(user)
+      else
+        # 2FA verification failed
+        @user = user # Make sure @user is available for the view
+        
+        respond_to do |format|
+          format.html do
+            flash.now[:alert] = "Invalid authentication code. Please try again."
+            render :two_factor_verification
+          end
+          format.turbo_stream do
+            render "verify_2fa_error"
+          end
+        end
+      end
+    end
 
     # DELETE /easy_admin/sign_out
     def destroy
+      # Clear any pending 2FA session on sign out
+      session.delete(:pending_2fa_user_id)
       super
     end
 
@@ -28,5 +128,11 @@ module EasyAdmin
     def after_sign_out_path_for(resource_or_scope)
       new_admin_user_session_path
     end
+    
+    private
+    
+    def auth_options
+      { scope: resource_name, recall: "#{controller_path}#new" }
+    end
   end
-end
+end

data/app/javascript/easy_admin/controllers/collapsible_filters_controller.js

@@ -4,12 +4,15 @@ import { Controller } from "@hotwired/stimulus"
 export default class extends Controller {
   static targets = ["content", "icon"]
   static values = { 
-    expanded: { type: Boolean, default: true }
+    expanded: { type: Boolean, default: true },
+    persistState: { type: Boolean, default: true }
   }
 
   connect() {
-    // Load saved state
-    this.loadState()
+    // Load saved state only if persistence is enabled
+    if (this.persistStateValue) {
+      this.loadState()
+    }
     
     // Set initial state
     if (this.expandedValue) {
@@ -50,8 +53,10 @@ export default class extends Controller {
     // Update icon rotation
     this.updateIconRotation()
     
-    // Save state
-    this.saveState(true)
+    // Save state only if persistence is enabled
+    if (this.persistStateValue) {
+      this.saveState(true)
+    }
   }
 
   collapse(animate = true) {
@@ -78,8 +83,10 @@ export default class extends Controller {
     // Update icon rotation
     this.updateIconRotation()
     
-    // Save state
-    this.saveState(false)
+    // Save state only if persistence is enabled
+    if (this.persistStateValue) {
+      this.saveState(false)
+    }
   }
 
   saveState(expanded) {

data/app/javascript/easy_admin/controllers/permission_toggle_controller.js

@@ -7,31 +7,7 @@ export default class extends Controller {
   }
 
   connect() {
-    console.log("🎯 PermissionToggleController connected")
-    console.log("🎯 User ID:", this.userIdValue)
-    
-    // Debug: Log all permission cards found
-    const cards = this.permissionCardTargets
-    console.log("🎯 Found", cards.length, "permission cards")
-    
-    cards.forEach((card, index) => {
-      console.log(`🎯 Card ${index}:`, {
-        permission: card.dataset.permissionName,
-        granted: card.dataset.granted,
-        resourceType: card.dataset.resourceType
-      })
-    })
-    
-    // Debug: Log all hidden inputs found
     const hiddenInputs = this.element.querySelectorAll('input[type="hidden"][data-permission-toggle-target="hiddenInput"]')
-    console.log("🎯 Found", hiddenInputs.length, "hidden inputs")
-    
-    hiddenInputs.forEach((input, index) => {
-      console.log(`🎯 Hidden input ${index}:`, {
-        name: input.name,
-        value: input.value
-      })
-    })
   }
 
   togglePermission(event) {
@@ -42,16 +18,8 @@ export default class extends Controller {
     const currentlyGranted = card.dataset.granted === "true"
     const newGrantedState = !currentlyGranted
 
-    console.log("🎯 Toggling permission:", {
-      permission: permissionName,
-      wasGranted: currentlyGranted,
-      nowGranted: newGrantedState
-    })
-
-    // Update the card UI immediately
     this.updateCardUI(card, newGrantedState)
-    
-    // Update the hidden input field for form submission
+
     this.updateHiddenInput(card, newGrantedState)
     
     // Show notification for feedback
@@ -63,6 +31,7 @@ export default class extends Controller {
 
   toggleAllForResource(event) {
     event.preventDefault()
+    event.stopPropagation() // Prevent triggering parent collapsible toggle
     
     const resourceType = event.currentTarget.dataset.resourceType
     const resourceCards = this.permissionCardTargets.filter(card =>