forget-passwords 0.2.9

data/behaviour.org

@@ -0,0 +1,112 @@
+#+STARTUP: showall hidestars
+* behaviours
+** forgetpw authenticator
+   - [ ] if the request has a cookie with the specified key (eg ~forgetpw~)
+     - [ ] if it matches a valid (ie matching, non-expired) entry in the database
+       - [ ] set REMOTE_USER to whatever the user is
+         - [ ] email address ?
+     - [ ] otherwise return 403
+       - [ ] (give the user an opportunity to reenter)
+   - [ ] if the request-uri has the specified query parameter (eg ~knock~)
+     - [ ] if it matches an active nonce
+       - [ ] set-cookie to a new nonce
+       - [ ] redirect to itself
+     - [ ] otherwise return 403
+   - [ ] return 401 for all residual requests
+     - [ ] 401 page should say something like "this site is restricted to
+       people with certain email addresses; please enter your email
+       address"
+       - [ ] provide form input
+     - [ ] if the entry is found in the database
+       - [ ] go to confirmation page
+         - [ ] confirmation page is same url as whatever url was POSTed
+         - [ ] confirmation page says something like "check your
+           $EMAIL; you can close this window."
+     - [ ] otherwise return 403 (different 403 page)
+       - [ ] don't give anything away
+       - [ ] "your email address $EMAIL was not found on the access
+         list. if you think this is an error, contact $WHOEVER"
+*** confirmation process (that returns confirmation page)
+    - [ ] internally pipes out to whatever sends the email
+    - [ ] gonna need to know:
+      - [ ] the email address
+      - [ ] the domain
+      - [ ] the template
+    - [ ] gonna need to have some braking/throttling mechanism 
+** state mechanism
+   - [ ] store all the state information beyond the most basic
+     configuration that you would pass in on the command line
+*** user
+    - [ ] email should be the unique thing
+    - [ ] principal may be different but otherwise is same as email
+      - [ ] principal should also be unique
+    - [ ] 
+*** token
+    - [ ] map the tokens to the user
+*** usage
+    - [ ] log the ip of which token gets used by whom and when
+*** acl
+    - [ ] associate ~Host:~ header domain name with user
+      - [ ] via email address or domain
+    - [ ] 
+** cli
+   - [ ] runs the authenticator
+   - [ ] wraps the email drop thing whatever
+   - [ ] marshals operations on the state database 
+* components
+** template processor
+   - [ ] ideally this should be pluggable
+   - [ ] defaults packaged with and sourced from forgetpw package
+     - [ ] defaults can be overridden in command-line config
+     - [ ] command to disgorge copies of defaults into a directory
+       - (so they can be edited)
+*** (x?)html
+    - [ ] variables are processing instructions
+      - <?var EMAIL?>
+*** markdown?
+    - XXX how do we express variable substitutions?
+** email preparer
+   - make (x?)html and parallel text version
+   - wrap in mime whatever
+   - embed any images (godddddd)
+     - where do we put images?
+* templates
+  - [X] obtaining a magic link
+    - [X] put in your email (basic 401)
+    - [X] email wasn't on the list (403?)
+    - [X] problem sending email (500)
+    - [X] email sent, you can close this window and follow the link in
+      the email
+  - [X] bad token, you're gonna have to generate a new one (409)
+    - do we care about announcing the distinction between a bad token
+      in the query vs in the cookie?
+  - [ ] token doesn't match a user (403)
+    - likewise, do we care about the distinction between a malformed
+      token and a well-formed token that isn't in the database?
+    - what about if the token /did/ match a user?
+    - anyway you're gonna have to generate a new one so give the form
+  - [X] token expired/invalidated (401)
+    - you'll have to generate a new one
+  - [-] you have been logged out
+    - [X] your other sessions remain open
+    - [ ] all your other sessions are logged out as well
+    - log back in?
+  - [-] the email itself
+    - [X] html version
+    - [ ] text version
+* issues
+  - rack seems to have a problem transmitting error body content, i
+    hope to god it isn't some kind of i/o voodoo
+    - okay it has to do with ~Rack::Handler::FastCGI~ running
+      ~out.flush~ when vanilla fcgi can just...not do that
+    - *HOWEVER* it is not unreasonable for rack to do this so the bad
+      actor here is ~mod_authnz_fcgi~
+    - https://bz.apache.org/bugzilla/show_bug.cgi?id=65984
+  - ~mod_authnz_fcgi~ kinda sucks but it's *almost* good
+    - i mean it's just a barely-fitting solution
+    - also fastcgi is out of style with the kids
+    - so is apache for that matter
+  - also the error handler seems to overwrite ~Content-Type~ with
+    whatever is in the standard error page
+    - so that'll have to get overwritten in config
+    - 

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "forget-passwords"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/content/basic-401.xhtml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Protected Area</title>
+  </head>
+  <body>
+    <h1>Protected Area</h1>
+    <p>This website is only available to certain people. If you're one of them, your e-mail address&#x2014;most likely the one associated with your workplace&#x2014;will be on the list. Enter it here and we'll send you a special link that will grant you access.</p>
+    <form method="post" action="$LOGIN" accept-charset="utf-8">
+      <input type="hidden" name="forward" value="$FORWARD"/>
+      <input type="email" name="email" placeholder="e.g. you@yourcompany.biz"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/basic-404.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Not Found</title>
+  </head>
+  <body>
+    <h1>Not Found</h1>
+    <p>There is no known resource at this address. <a href="javascript:history.go(-1)">Go back?</a></p>
+  </body>
+</html>

data/content/basic-409.xhtml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Something is Scrambled Under the Hood</title>
+  </head>
+  <body>
+    <h1>Something is Scrambled Under the Hood</h1>
+    <p>There's a problem in the plumbing responsible for keeping you logged in, and we're not sure what to make of it from here. The most expedient thing to do is send you a new link to refresh your session.</p>
+    <form method="post" action="" accept-charset="utf-8">
+      <input type="email" name="email" placeholder="e.g. you@yourcompany.biz"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/basic-500.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Something Broke in the Process</title>
+  </head>
+  <body>
+    <h1>Something Broke in the Process</h1>
+    <p>If you see this message, it's because some piece of the system necessary to serve you this website has failed. It probably just needs to be kicked in the pants, but somebody is going to have to do that manually. Please contact the person who runs this site and let them know.</p>
+  </body>
+</html>

data/content/cookie-expired.xhtml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Your Session Has Run Out</title>
+  </head>
+  <body>
+    <h1>Your Session Has Run Out</h1>
+    <p>The token associated with the link that logged you in has either expired or otherwise been invalidated (e.g. by logging out). To log back in, we can e-mail you another link.</p>
+    <form method="post" action="$LOGIN" accept-charset="utf-8">
+      <input type="hidden" name="forward" value="$FORWARD"/>
+      <input type="email" name="email" placeholder="e.g. you@yourcompany.biz"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/email-409.xhtml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>We Had A Problem With Your E-Mail Address</title>
+  </head>
+  <body>
+    <h1>We Had A Problem With Your E-Mail Address</h1>
+    <p>We weren't able to use <strong><?var $EMAIL?></strong> as an e-mail address. Please try another.</p>
+    <form method="post" action="$LOGIN" accept-charset="utf-8">
+      <input type="hidden" name="forward" value="$FORWARD"/>
+      <input type="email" name="email" placeholder="e.g. you@yourcompany.biz"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/email-sent.xhtml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Check Your E-Mail</title>
+  </head>
+  <body>
+    <h1>Check Your E-Mail</h1>
+    <p>We (<code><?var $FROM?></code>) just sent you (<code><?var $EMAIL?></code>) a link that will log you in and send you back to <code><?var FORWARD?></code>. If you don't see it in your inbox shortly, check the usual places (spam/junk mail).</p>
+    <p>There is nothing left to do on this page, so close it at your leisure.</p>
+  </body>
+</html>

data/content/email.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Your Link to Access <?var $DOMAIN?></title>
+  </head>
+  <body>
+    <p><a href="$KNOCK_URL">Proceed to <?var $PRETTY_URL?></a></p>
+    <p>You can delete this e-mail once you've used the link, because clicking it will cause it to expire. If you need to log in again, or log in from another device, <a href="$URL">visit the site</a> on that device to generate a new e-mail with a new link&#x2014;and of course, follow the new link from whichever device you intend to access the site with.</p>
+  </body>
+</html>

data/content/logged-out-all.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>You Are Logged Out</title>
+  </head>
+  <body>
+    <h1>You Are Logged Out</h1>
+    <p>You are logged out on this browser.</p>
+  </body>
+</html>

data/content/logged-out.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>You Are Logged Out</title>
+  </head>
+  <body>
+    <h1>You Are Logged Out</h1>
+    <p>You are logged out on this browser.</p>
+  </body>
+</html>

data/content/nonce-expired.xhtml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>The Link Has Expired</title>
+  </head>
+  <body>
+    <h1>The Link Has Expired</h1>
+    <p>The link you followed to complete the sign-in process has expired. We'll have to send you another one.</p>
+    <form method="post" action="$LOGIN" accept-charset="utf-8">
+      <input type="hidden" name="forward" value="$FORWARD"/>
+      <input type="email" name="email" placeholder="e.g. you@yourcompany.biz"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/not-on-list.xhtml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>We Don't Have This E-Mail Address (Yet)</title>
+  </head>
+  <body>
+    <h1>We Don't Have This E-Mail Address (Yet)</h1>
+    <p>The e-mail address you entered doesn't appear to be on the list. Feel free to try another one, or contact the person who shared this site with you to make sure we have your preferred address for accessing this website.</p>
+    <form method="post" action="$LOGIN" accept-charset="utf-8">
+      <input type="hidden" name="forward" value="$FORWARD"/>
+      <input type="email" name="email" placeholder="e.g. other-you@different.place"/>
+      <input type="submit" value="Send Link"/>
+    </form>
+  </body>
+</html>

data/content/post-405.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>POST Only</title>
+  </head>
+  <body>
+    <h1><code>POST</code> Only</h1>
+    <p>This resource only responds to <code>POST</code> requests.</p>
+  </body>
+</html>

data/content/uri-409.xhtml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>We Had a Problem With the Forwarding Address</title>
+  </head>
+  <body>
+    <h1>We Had a Problem With the Forwarding Address</h1>
+    <p>A valid Web address to forward to should have been sent along in the request that got you here. <a href="javascript:history.go(-1)">Go back</a> and try again.</p>
+  </body>
+</html>

data/etc/text-only.xsl

@@ -0,0 +1,105 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0"
+   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+   xmlns:html="http://www.w3.org/1999/xhtml"
+   xmlns:x="urn:x-dummy"
+   exclude-result-prefixes="html x">
+
+<xsl:output method="text" media-type="text/plain" omit-xml-declaration="yes"/>
+
+<xsl:strip-space elements="*"/>
+
+<xsl:template name="repeat">
+  <xsl:param name="string" select="''"/>
+  <xsl:param name="n" select="1"/>
+  <xsl:value-of select="$string"/>
+  <xsl:if test="$n &gt; 1">
+    <xsl:call-template name="repeat">
+      <xsl:with-param name="string" select="$string"/>
+      <xsl:with-param name="n" select="$n - 1"/>
+    </xsl:call-template>
+  </xsl:if>
+</xsl:template>
+
+<xsl:template match="/">
+<xsl:apply-templates select="/html/body|/html:html/html:body"/>
+</xsl:template>
+
+<xsl:template match="body|html:body">
+<xsl:apply-templates select="*"/>
+</xsl:template>
+
+<!-- link text <https://...> -->
+<xsl:template match="a[@href]|html:a[@href]">
+<xsl:apply-templates/>
+<xsl:text disable-output-escaping="yes"> &lt;</xsl:text>
+<xsl:value-of select="normalize-space(@href)"/>
+<xsl:text disable-output-escaping="yes">&gt; </xsl:text>
+</xsl:template>
+
+<x:headings>
+  <x:h1>#</x:h1>
+  <x:h2>=</x:h2>
+  <x:h3>~</x:h3>
+  <x:h4>-</x:h4>
+  <x:h5>-</x:h5>
+  <x:h6>-</x:h6>
+</x:headings>
+
+<xsl:variable name="headings" select="document('')/xsl:stylesheet/x:headings/*"/>
+
+<xsl:template match="html:p[normalize-space(.) != '']">
+<xsl:apply-templates/>
+<xsl:text>
+
+</xsl:text>
+</xsl:template>
+
+<xsl:template match="html:h1|html:h2|html:h3|html:h4|html:h5|html:h6">
+<xsl:variable name="text">
+  <xsl:apply-templates/>
+</xsl:variable>
+<xsl:value-of select="$text" disable-output-escaping="yes"/>
+<xsl:if test="string-length(normalize-space($text))">
+<xsl:text>
+</xsl:text>
+<xsl:variable name="ln" select="local-name()"/>
+
+<xsl:call-template name="repeat">
+  <xsl:with-param name="string"
+                  select="normalize-space($headings[local-name(.) = $ln])"/>
+  <xsl:with-param name="n" select="string-length($text)"/>
+</xsl:call-template>
+<xsl:text>
+
+</xsl:text>
+</xsl:if>
+</xsl:template>
+
+<!-- stuff that we never want to render in text -->
+<xsl:template match="html:img|html:object|html:iframe|html:form"/>
+
+<xsl:variable name="vws"
+  select="'&#x09;&#x0a;&#x0d;&#x85;&#xa0;&#x2028;&#x2029;'"/>
+
+<xsl:template match="text()">
+<xsl:variable name="_" select="translate(., $vws, ' ')"/>
+<xsl:variable name="starts-with-ws" select="starts-with($_, ' ')"/>
+<xsl:variable name="ends-with-ws"
+              select="substring($_, string-length($_)) = ' '"/>
+
+<xsl:if test="$starts-with-ws">
+<xsl:text> </xsl:text>
+</xsl:if>
+<xsl:value-of select="normalize-space($_)" disable-output-escaping="yes"/>
+<xsl:if test="$ends-with-ws">
+<xsl:text> </xsl:text>
+</xsl:if>
+
+</xsl:template>
+
+<xsl:template match="*">
+<xsl:apply-templates select="text()|*"/>
+</xsl:template>
+
+</xsl:stylesheet>

data/exe/forgetpw

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# -*- mode: enh-ruby -*-
+
+# code is here
+require 'forget-passwords/cli'
+
+ForgetPasswords::CLI.run

data/forget-passwords.gemspec

@@ -0,0 +1,67 @@
+# -*- mode: enh-ruby -*-
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'forget-passwords/version'
+
+Gem::Specification.new do |spec|
+  spec.name        = "forget-passwords"
+  spec.version     = ForgetPasswords::VERSION
+  spec.authors     = ["Dorian Taylor"]
+  spec.email       = ["code@doriantaylor.com"]
+  spec.license     = 'Apache-2.0'
+  spec.homepage    = 'https://github.com/doriantaylor/rb-forget-passwords'
+  spec.summary     = 'Web authentication module for the extremely lazy'
+  spec.description = <<-DESC
+This little module (and attendant command line tool and rackup app)
+exists for the purpose of providing rudimentary access control to a
+website when the prospective users are both small in number, and very
+busy. It circumvents schmucking around provisioning passwords by
+generating a link which you can pass to each of your users through
+some other mechanism, that when visited logs them in and keeps them
+logged in as long as you want. This is basically the equivalent of
+having a "forgot password" link without anybody having to click on
+"forgot password", and is perfectly adequate security in certain
+contexts, namely the ones the author of this gem is interested in.
+DESC
+
+  # switch based on whether we're a git or hg repository
+  wd = File.dirname lib
+  spec.files = if File.exists?("#{wd}/.git")
+                 `git ls-files -z`
+               elsif File.exists?("#{wd}/.hg")
+                 `hg files -0`
+               else
+                 raise "Can't find a git or hg repository!"
+               end.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # ruby
+  spec.required_ruby_version = '>= 2'
+
+  # dev/test dependencies
+  spec.add_development_dependency 'bundler', '>= 2.1'
+  spec.add_development_dependency 'rake',    '>= 13.0'
+  spec.add_development_dependency 'rspec',   '>= 3.9'
+
+  # stuff we use
+  spec.add_runtime_dependency 'commander',  '>= 4.4'
+  spec.add_runtime_dependency 'deep_merge', '>= 1.2'
+  spec.add_runtime_dependency 'dry-schema', '>= 1.9.1'
+  spec.add_runtime_dependency 'dry-types',  '>= 1.5.1'
+  spec.add_runtime_dependency 'fcgi',       '>= 0.9.2.1'
+  spec.add_runtime_dependency 'iso8601',    '>= 0.12'
+  spec.add_runtime_dependency 'mail',       '>= 2.7.1'
+  spec.add_runtime_dependency 'rack',       '>= 2.0'
+  spec.add_runtime_dependency 'sequel',     '>= 5.20'
+  spec.add_runtime_dependency 'uuidtools',  '>= 2.1'
+
+  # stuff i wrote
+  spec.add_runtime_dependency 'http-negotiate', '>= 0.1.3'
+  spec.add_runtime_dependency 'uuid-ncname',    '>= 0.2'
+  spec.add_runtime_dependency 'xml-mixup',      '>= 0.1.13'
+end