j1_template_mde 2018.4.11 → 2018.4.12

data/_includes/themes/j1/procedures/global/get_page_path.proc

@@ -58,9 +58,11 @@
 
 {% comment %} extend path for posts|collections if collections_dir is used|set
 -------------------------------------------------------------------------------- {% endcomment %}
-{% if page.collection and site.collections_dir.size > 0 %}
-  {% capture collections_dir %}{% endcapture %}
-  {% capture page_path %}{{source_path | remove_first:'/'}}/{{_page_path | prepend: site.collections_dir}}{% endcapture %}
+{% if page.collection == 'posts' and site.collections_dir.size > 0 %}
+  {% capture page_path %}{{site.collections_dir}}{{_page_path}}{% endcapture %}
+  {% comment %} {% capture page_path %}{{source_path | remove_first:'/'}}/{{_page_path | prepend: site.collections_dir}}{% endcapture %} {% endcomment %}
+{% elsif mode == 'absolute' %}
+  {% assign page_path=_page_path %}
 {% else %}
   {% capture page_path %}{{source_path | remove_first:'/'}}{{_page_path}}{% endcapture %}
 {% endif %}

data/lib/j1/commands/generate.rb

@@ -38,7 +38,7 @@ module J1
 
         def create_blank_site(path)
           Dir.chdir(path) do
-            FileUtils.mkdir(%w(_layouts posts/featured/_posts _drafts))
+            FileUtils.mkdir(%w(_layouts posts/public/featured/_posts _drafts))
             FileUtils.touch('index.html')
           end
         end
@@ -51,7 +51,7 @@ module J1
         #
         # Returns the filename of the sample post, as a String
         def initialized_post_name
-          "collections/posts/featured/_posts/#{Time.now.strftime("%Y-%m-%d")}-welcome-to-j1-template.adoc"
+          "collections/posts/public/featured/_posts/#{Time.now.strftime("%Y-%m-%d")}-welcome-to-j1-template.adoc"
         end
 
         private
@@ -118,7 +118,7 @@ module J1
         end
 
         def scaffold_path
-          'collections/posts/featured/_posts/0000-00-00-welcome-to-j1-template.adoc.erb'
+          'collections/posts/public/featured/_posts/0000-00-00-welcome-to-j1-template.adoc.erb'
         end
 
         # After a generate blog has been created, print a success notification and

data/lib/j1/version.rb

@@ -1,3 +1,3 @@
 module J1
-  VERSION = '2018.4.11'
+  VERSION = '2018.4.12'
 end

data/lib/j1_app/j1_auth_manager/auth_manager.rb

@@ -4,21 +4,36 @@ module J1App
   class AuthManager < Sinatra::Base
 
     include J1App::Helpers
+    include J1App::GithubHelpers
+
+    # ==========================================================================
+    # Sinatra Framework settings
+    # ==========================================================================
+
+    # NOTE: https://stackoverflow.com/questions/7847536/sinatra-in-facebook-iframe
+    #
+    set :protection, :except => :frame_options
+
+    # Check: http://sinatrarb.com/intro.html
+    #
+    set :static_cache_control, [:public, :max_age => 10]
 
 
     # ==========================================================================
-    # Base App and Framework settings
+    # Base App and Warden Framework settings
     # ==========================================================================
 
     j1_web_session = {
-        'authenticated'   => 'unknown',
+        'authenticated'   => 'false',
         'requested_page'  => '/',
+        'users_allowed'   => 'unknown',
         'user_name'       => 'unknown',
         'user_id'         => 'unknown',
         'user_details'    => 'unknown',
         'user_pledges'    => 'unknown',
         'provider'        => 'unknown',
         'provider_url'    => '/',
+        'permissions'     => 'unknown',
         'writer'          => 'middleware'
     }
 
@@ -129,14 +144,90 @@ module J1App
     # --------------------------------------------------------------------------
     use Rack::Logger
 
+    # Load user profiles, permissions, conditions and strategies
+    # --------------------------------------------------------------------------
+    # provider_permission =  J1App.get_provider_permissions "disqus"
+    users = J1App.users
+    permissions = J1App.permissions
+    conditions = J1App.conditions
+    strategies = J1App.strategies
+
 
     # ==========================================================================
     # Sinatra (before) FILTER to preprocess all page requests
     # ==========================================================================
 
-    # Check auth status for content of type "pages"
+    # Prepare root (index) page for app detection
+    #
+    before '/' do
+      logger.info "ROOT PAGE: Prepare J1 web session data"
+
+      # read existing/current cookie 'j1.web.session' to update all data
+      # of j1_web_session (hash) otherwise set initial data
+      # ------------------------------------------------------------------------
+      unless env['HTTP_COOKIE'] == nil
+        if env['HTTP_COOKIE'].include? 'j1.web.session'
+          session_encoded = request.cookies['j1.web.session']
+          session_decoded = Base64.decode64(session_encoded)
+          j1_web_session = JSON.parse(session_decoded)
+        end
+      else
+        requested_page = env['REQUEST_URI']
+        j1_web_session['requested_page'] = "#{env['REQUEST_URI']}"
+      end
+
+      # Create|Initialize the J1 web session cookie
+      # ------------------------------------------------------------------------
+      if warden.authenticated?
+        user = warden.user
+        logger.info "ROOT PAGE: User detected as signed in at provider: #{user[:provider]}"
+        j1_web_session['authenticated']   = 'true'
+        j1_web_session['requested_page']  = '/'
+        j1_web_session['users_allowed']   = users["#{user[:provider]}"]
+        j1_web_session['user_name']       = user[:info]['nickname']
+        j1_web_session['user_id']         = user[:uid]
+        j1_web_session['provider']        = user[:provider]
+        j1_web_session['provider_url']    = J1App.provider_url user[:provider]
+        j1_web_session['permissions']     = J1App.get_provider_permissions "#{user[:provider]}"
+        if user[:provider] == 'patreon'
+          j1_web_session['user_details']  = user[:extra]['raw_info']['data']['attributes']
+          j1_web_session['user_pledges']  = user[:extra]['raw_info']['data']['relationships']['pledges'] unless user[:extra]['raw_info']['data']['relationships'].nil?
+        else
+          j1_web_session['user_pledges']  = 'unknown'
+          j1_web_session['provider']      = 'unknown'
+        end
+      else
+        logger.info "ROOT PAGE: User detected as signed out"
+        j1_web_session['authenticated']   = 'false'
+        j1_web_session['requested_page']  = '/'
+        j1_web_session['users_allowed']   = 'all'
+        j1_web_session['user_name']       = 'unknown'
+        j1_web_session['user_id']         = 'unknown'
+        j1_web_session['user_details']    = 'unknown'
+        j1_web_session['user_pledges']    = 'unknown'
+        j1_web_session['provider']        = 'unknown'        
+        j1_web_session['provider_url']    = 'unknown'
+        j1_web_session['permissions']     = 'unknown'
+      end
+      j1_web_session['writer']            = 'middleware'
+
+      session_json = j1_web_session.to_json
+      session_encoded = Base64.encode64(session_json)
+      logger.info "ROOT PAGE: Write J1 web session data to cookie"
+      #logger.info "ROOT PAGE: write J1 web session data as: #{session_json}"
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
+    end
+
+    # Check auth status for content of type "private" or "premium"
     # --------------------------------------------------------------------------
-    before '/pages/*' do
+    #before '/*' do
+    #before /\/\w+\/(public|private|premium)/ do
+    before '/(pages|posts)/*' do
 
       # read existing/current cookie 'j1.web.session'
       # to update all data of j1_web_session (hash)
@@ -145,7 +236,8 @@ module J1App
       if env['HTTP_COOKIE'].include? 'j1.web.session'
         session_encoded = request.cookies['j1.web.session']
         session_decoded = Base64.decode64(session_encoded)
-        logger.info "BEFORE: read J1 web session data as: #{session_decoded}"
+        logger.info "BEFORE AUTHENTICATION: Read J1 web session data"
+        #logger.info "BEFORE AUTHENTICATION: Read J1 web session data as: #{session_decoded}"
         j1_web_session = JSON.parse(session_decoded)
       else
         requested_page = env['REQUEST_URI']
@@ -154,9 +246,25 @@ module J1App
 
       # Create|Initialize the J1 web session cookie
       # ------------------------------------------------------------------------
-      j1_web_session['authenticated'] = warden.authenticated? ? 'true' : 'false'
+      if warden.authenticated?
+        user = warden.user
+        j1_web_session['authenticated']   = 'true'
+        j1_web_session['user_name']       = user[:info]['nickname']
+        j1_web_session['user_id']         = user[:uid]
+        j1_web_session['provider']        = user[:provider]
+        j1_web_session['provider_url']    = J1App.provider_url user[:provider]
+        j1_web_session['users_allowed']   = users["#{user[:provider]}"]
+        j1_web_session['permissions']     = J1App.get_provider_permissions "#{user[:provider]}"
+        if user[:provider] == 'patreon'
+          j1_web_session['user_details']  = user[:extra]['raw_info']['data']['attributes']
+          j1_web_session['user_pledges']  = user[:extra]['raw_info']['data']['relationships']['pledges'] unless user[:extra]['raw_info']['data']['relationships'].nil?
+        end
+        j1_web_session['writer']          = 'middleware'
+      end
+
       session_json = j1_web_session.to_json
       session_encoded = Base64.encode64(session_json)
+      logger.info "INITIALISATION: Write J1 web session data to cookie"
       response.set_cookie(
           'j1.web.session',
           domain: false,
@@ -164,56 +272,104 @@ module J1App
           path: '/'
       )
 
-      # Content and user detection schema (page and authentication logic)
+      # User state|content detection for implicit authentication
       # ------------------------------------------------------------------------
-      #
-      # j1_web_session['provider_url']    = J1App.provider_url warden.user[:provider]
-
-      if warden.authenticated?
-        my_provider                     = warden.user[:provider]
-        provider_url                    = J1App.provider_url my_provider
-        j1_web_session['provider_url']  = provider_url
-      end
-
       pass if authentication_enabled? == false
+      logger.info "AUTORISATION: Authentication enabled. Check for public content."
       pass if public_content?
-      pass if warden.authenticated?
-
-      logger.info "STRATEGY: #{authentication_strategy}"
-
-      case authentication_strategy
-        when :org
-          warden.authenticate!
-          github_organization_authenticate! ENV['GITHUB_ORG_NAME']
-          logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} organization."
-        when :team
-          warden.authenticate!
-          github_team_authenticate! ENV['GITHUB_TEAM_ID']
-          logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team."
-        when :teams
-          warden.authenticate!
-          github_teams_authenticate! ENV['GITHUB_TEAM_IDS'].split(',')
-          logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team."
-        when :member
-          logger.info 'STRATEGY: go for authentication'
-
-        # Set selected page for redirect
-        # ----------------------------------------------------------------------
-        logger.info "STRATEGY: set redirect to: #{j1_web_session['requested_page']}"
-        #j1_web_session['provider_url']    = J1App.provider_url warden.user[:provider]
-        j1_web_session['requested_page']  = env['REQUEST_URI']
-        j1_web_session['writer']          = 'middleware'
-        # write updated J1 session cookie
-        # session_json = j1_web_session.to_json
-        # session_encoded = Base64.encode64(session_json)
-        # logger.info "STRATEGY: write J1 web session data as: #{session_json}"
-        # response.set_cookie('j1.web.session', value: session_encoded.to_s)        
-        warden.authenticate!
+      logger.info "AUTORISATION: Protected content detected. Check for authorisation."
 
-      else
-        raise J1App::ConfigError
-      end
+      env['REQUEST_URI'].scan(/(private|premium)/) do |match|
+
+        category = match[0]
+        logger.info "AUTORISATION: Content category detected: #{category}"
+
+        if warden.authenticated?
+          logger.info "AUTORISATION: User detected as signed in."
+
+          current_provider                  = warden.user[:provider]
+          provider_strategy                 = strategies["#{current_provider}"]
+          provider_url                      = J1App.provider_url current_provider
+          j1_web_session['provider_url']    = provider_url
+          j1_web_session['users_allowed']   = users["#{current_provider}"]
+          j1_web_session['permissions']     = J1App.get_provider_permissions "#{user[:provider]}"
+
+          logger.info "AUTORISATION: Current provider detected: #{current_provider}"
+          if permissions[category].include? current_provider
+            logger.info "AUTORISATION: Current provider #{current_provider} support category: #{category}"
+          else
+            logger.info "AUTORISATION: SignIn to provider #{permissions[category][0]} for category: #{category}"
+            warden.logout
+            session.clear
+
+            allowed_users = users["#{current_provider}"].join(',')
+
+            redirect "/access_protected_content?provider=#{permissions[category][0]}&category=#{category}&page=#{env['REQUEST_URI']}&allowed_users=#{allowed_users}"
+            # warden.authenticate! :"omni_#{permissions[category][0]}"
+          end
+          pass
+        else
+          logger.info "AUTORISATION: User detected as signed out."
+          default_provider = permissions[category][0]
+          logger.info "AUTORISATION: Set default provider: #{default_provider}"
+
+          authentication_strategy = strategies["#{default_provider}"]
+          logger.info "AUTHENTICATION: Set authentication strategy: #{authentication_strategy}"
+          logger.info "AUTHENTICATION: SignIn provider #{permissions[category][0]} for category: #{category}"
+
+          case authentication_strategy
+          when :org
+            warden.authenticate!
+            github_organization_authenticate! ENV['GITHUB_ORG_NAME']
+            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} organization."
+          when :team
+            warden.authenticate!
+            github_team_authenticate! ENV['GITHUB_TEAM_ID']
+            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team."
+          when :teams
+            warden.authenticate!
+            github_teams_authenticate! ENV['GITHUB_TEAM_IDS'].split(',')
+            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team."
+          when :member
+
+            if env['HTTP_COOKIE'].include? 'j1.web.session'
+              session_encoded = request.cookies['j1.web.session']
+              session_decoded = Base64.decode64(session_encoded)
+              logger.info "BEFORE AUTHENTICATION: Read J1 web session data"
+              #logger.info "BEFORE AUTHENTICATION: Read J1 web session data as: #{session_decoded}"
+              j1_web_session = JSON.parse(session_decoded)
+            end
+
+            # Get access to protected content
+            # ----------------------------------------------------------------------
+            logger.info "STRATEGY: set redirect to: #{j1_web_session['requested_page']}"
+            j1_web_session['provider_url']    = J1App.provider_url default_provider
+            j1_web_session['users_allowed']   = users["#{default_provider}"]
+            j1_web_session['permissions']     = J1App.get_provider_permissions "#{default_provider}"
+            j1_web_session['requested_page']  = env['REQUEST_URI']
+            j1_web_session['writer']          = 'middleware'
+
+            # write updated J1 session cookie
+            #
+            session_json = j1_web_session.to_json
+            session_encoded = Base64.encode64(session_json)
+            logger.info "STRATEGY: Write J1 web session data to cookie"
+            #logger.info "STRATEGY: write J1 web session data as: #{session_json}"
+            response.set_cookie(
+                'j1.web.session',
+                domain: false,
+                value: session_encoded.to_s,
+                path: '/'
+            )
+
+            allowed_users = users["#{default_provider}"].join(',')
+            redirect "/access_protected_content?provider=#{permissions[category][0]}&category=#{category}&page=#{env['REQUEST_URI']}&allowed_users=#{allowed_users}"
+          else
+            raise J1App::ConfigError
+          end
+        end
 
+      end
     end
 
 
@@ -226,14 +382,33 @@ module J1App
     get '/authentication' do
       # collect (common) GET parameter|s
       #
-      request  =  params.fetch('request')
-      provider =  params.fetch('provider')
+      request       =  params.fetch('request')
+      provider      =  params.fetch('provider')
 
       if request === 'signin'
+        # collect (additional) GET parameter|s
+        # ----------------------------------------------------------------------
+        allowed_users =  params.fetch('allowed_users')
+
+        j1_web_session['users_allowed'] = allowed_users
+        j1_web_session['writer']        = 'middleware'
+
+        # Write updated J1 session data to cookie
+        # --------------------------------------------------------------------
+        session_json = j1_web_session.to_json
+        session_encoded = Base64.encode64(session_json)
+        logger.info "SIGNIN: Write J1 web session data to cookie"
+        response.set_cookie(
+            'j1.web.session',
+            domain: false,
+            value: session_encoded.to_s,
+            path: '/'
+        )
+
         if warden.authenticated?
           logger.info "SIGNIN: #{warden.user[:info]['nickname']} already signed in"
         else
-          logger.info "SIGNIN: going for signing in at: #{provider}"
+          logger.info "SIGNIN: going for authentication at: #{provider}"
           # Make (really) sure that old session is cleared before login
           # --------------------------------------------------------------------
           warden.logout
@@ -259,7 +434,8 @@ module J1App
           if env['HTTP_COOKIE'].include? 'j1.web.session'
             session_encoded = env['rack.request.cookie_hash']['j1.web.session']
             session_decoded = Base64.decode64(session_encoded)
-            logger.info "SIGNOUT: read J1 web session data as: #{session_decoded}"
+            #logger.info "SIGNOUT: read J1 web session data as: #{session_decoded}"
+            logger.info "SIGNOUT: read J1 web session data"
             j1_web_session = JSON.parse(session_decoded)
           else
             j1_web_session['requested_page'] = env['REQUEST_URI']
@@ -270,9 +446,11 @@ module J1App
           j1_web_session['user_name']     = 'unknown'
           j1_web_session['user_id']       = 'unknown'
           j1_web_session['user_details']  = 'unknown'
+          j1_web_session['users_allowed'] = 'unknown'
           j1_web_session['user_pledges']  = 'unknown'
           j1_web_session['provider']      = 'unknown'
           j1_web_session['provider_url']  = 'unknown'
+          j1_web_session['permissions']   = 'unknown'
           j1_web_session['authenticated'] = 'false'
           j1_web_session['writer']        = 'middleware'
 
@@ -280,13 +458,22 @@ module J1App
           # --------------------------------------------------------------------
           session_json = j1_web_session.to_json
           session_encoded = Base64.encode64(session_json)
-          response.set_cookie('j1.web.session', value: session_encoded.to_s)
+          logger.info "SIGNOUT: Write J1 web session data to cookie"
+          response.set_cookie(
+              'j1.web.session',
+              domain: false,
+              value: session_encoded.to_s,
+              path: '/'
+          )
 
           if provider_signout === 'true'
             logger.info "SIGNOUT: for #{user} completely at provider: #{provider}"
             redirect "#{provider_url}"
           else
             logger.info "SIGNOUT: for #{user} from current session at provider: #{provider}"
+
+            # If signed out, redirect ONLY for PUBLIC pages
+            # ------------------------------------------------------------------
             if redirect_whitelisted?j1_web_session['requested_page']
               logger.info 'SIGNOUT: redirect whitelisted'
               logger.info "SIGNOUT: redirect to #{j1_web_session['requested_page']}"
@@ -302,14 +489,15 @@ module J1App
           # (modal) is provided by the auth client if a user isn't signed in.
           # Kept this alternative for cases something went wrong.
           # --------------------------------------------------------------------
-          logger.info 'SIGNOUT: not signed in'
+          logger.info 'DEAD PATH SIGNOUT: not signed in'
 
           # Read current J1 session cookie
           # --------------------------------------------------------------------
           if env['HTTP_COOKIE'].include? 'j1.web.session'
             session_encoded = env['rack.request.cookie_hash']['j1.web.session']
             session_decoded = Base64.decode64(session_encoded)
-            logger.info "SIGNOUT: read J1 web session data as: #{session_decoded}"
+            # logger.info "DEAD PATH SIGNOUT: read J1 web session data as: #{session_decoded}"
+            logger.info "DEAD PATH SIGNOUT: read J1 web session data"
             j1_web_session = JSON.parse(session_decoded)
           else
             j1_web_session['requested_page'] = env['REQUEST_URI']
@@ -320,9 +508,11 @@ module J1App
           j1_web_session['user_name']     = 'unknown'
           j1_web_session['user_id']       = 'unknown'
           j1_web_session['user_details']  = 'unknown'
+          j1_web_session['users_allowed'] = 'unknown'
           j1_web_session['user_pledges']  = 'unknown'
           j1_web_session['provider']      = 'unknown'
           j1_web_session['provider_url']  = 'unknown'
+          j1_web_session['permissions']   = 'unknown'
           j1_web_session['authenticated'] = 'false'
           j1_web_session['writer']        = 'middleware'
 
@@ -330,8 +520,14 @@ module J1App
           # --------------------------------------------------------------------
           session_json = j1_web_session.to_json
           session_encoded = Base64.encode64(session_json)
-          response.set_cookie('j1.web.session', value: session_encoded.to_s)
-          logger.info "SIGNOUT: redirect to #{j1_web_session['requested_page']}"
+          logger.info "DEAD PATH SIGNOUT: Write J1 web session data to cookie"
+          response.set_cookie(
+              'j1.web.session',
+              domain: false,
+              value: session_encoded.to_s,
+              path: '/'
+          )
+          logger.info "DEAD PATH SIGNOUT: redirect to #{j1_web_session['requested_page']}"
           redirect j1_web_session['requested_page']
         end
       else
@@ -342,35 +538,82 @@ module J1App
     # Post-processing ENDPOINT called after a user is authenticated
     # --------------------------------------------------------------------------
     get '/redirect_after_callback' do
-      user = warden.user
 
-      # update web session data
-      #
+      session_encoded = request.cookies['j1.web.session']
+      session_decoded = Base64.decode64(session_encoded)
+      j1_web_session = JSON.parse(session_decoded)
+
+      #logger.info "AFTER AUTHENTICATION: read J1 web session data as: #{j1_web_session}"
+      logger.info "AFTER AUTHENTICATION: read J1 web session data"
+      user = warden.user
       j1_web_session['user_name']       = user[:info]['nickname']
       j1_web_session['user_id']         = user[:uid]
+      j1_web_session['provider']        = user[:provider]
+      j1_web_session['permissions']     = J1App.get_provider_permissions "#{user[:provider]}"
+      j1_web_session['authenticated']   = 'true'
       if user[:provider] == 'patreon'
         j1_web_session['user_details']  = user[:extra]['raw_info']['data']['attributes']
         j1_web_session['user_pledges']  = user[:extra]['raw_info']['data']['relationships']['pledges'] unless user[:extra]['raw_info']['data']['relationships'].nil?
+      else
+        j1_web_session['user_pledges']  = 'unknown'
+        j1_web_session['provider']      = 'unknown'
       end
-      j1_web_session['provider']        = user[:provider]
-      j1_web_session['authenticated']   = warden.authenticated? ? 'true' : 'false'
       j1_web_session['writer']          = 'middleware'
 
+      current_user = user[:info]['nickname'] = user[:info]['nickname']
+      current_provider = user[:provider]
+
+      j1_web_session['requested_page'].scan(/(private|premium)/) do |match|
+        category = match[0]
+        unless j1_web_session['users_allowed'].include? 'all'
+          unless j1_web_session['users_allowed'].include? "#{current_user}"
+            logger.info "AFTER AUTHENTICATION: User #{current_user} not allowed. Allowed users: #{j1_web_session['users_allowed']}"
+            warden.logout
+            session.clear
+            logger.info "AFTER AUTHENTICATION: User #{current_user} signed out."
+            redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}"
+          end
+        end
+      end
+
+      j1_web_session['provider']      = current_provider
+      j1_web_session['users_allowed'] = users["#{current_provider}"]
+
+      if j1_web_session['requested_page'] == '/'
+        category = 'any protected content'
+        unless j1_web_session['users_allowed'].include? 'all'
+          unless j1_web_session['users_allowed'].include? "#{current_user}"
+            logger.info "AFTER AUTHENTICATION: User #{current_user} not allowed. Allowed users: #{j1_web_session['users_allowed']}"
+            warden.logout
+            session.clear
+            logger.info "AFTER AUTHENTICATION: User #{current_user} signed out."
+            redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}"
+          end
+        end
+      end
+
       # write updated J1 session data to cookie
       #
       session_json = j1_web_session.to_json
       session_encoded = Base64.encode64(session_json)
-      logger.info "AFTER AUTHENTICATION: write J1 web session data as: #{session_json}"
-      response.set_cookie('j1.web.session', value: session_encoded.to_s)
+      logger.info "AFTER AUTHENTICATION: Write J1 web session data to cookie"
+      #logger.info "AFTER AUTHENTICATION: Write J1 web session data as: #{session_json}"
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
 
-      # redirect to selected page
+      # redirect to requested page
       #
-      logger.info "AFTER AUTHENTICATION: redirect to #{j1_web_session['requested_page']}"
+      logger.info "AFTER AUTHENTICATION: Signed in at provider #{user[:provider]} as user: #{user[:info]['nickname']}"
+      logger.info "AFTER AUTHENTICATION: Redirect to requested page:  #{j1_web_session['requested_page']}"
       redirect j1_web_session['requested_page']
     end
 
     get '/redirect_requested_page' do
-      logger.info "REDIRECT REQUESTED PAGE: redirect to #{j1_web_session['requested_page']}"
+      logger.info "AFTER AUTHENTICATION: Redirect to #{j1_web_session['requested_page']}"
       redirect j1_web_session['requested_page']
     end
 
@@ -379,13 +622,20 @@ module J1App
     get '/status' do
       logger.info 'STATUS: info request detected'
 
+      session_encoded = request.cookies['j1.web.session']
+      session_decoded = Base64.decode64(session_encoded)
+      j1_web_session = JSON.parse(session_decoded)
+
       # if request.warden.user.respond_to?(:info)
       #
       if warden.authenticated?
+        user_json = warden.user.to_json
         user = warden.user[:info]['nickname']
         user_id = warden.user[:uid]
         user_info = warden.user[:info]
         provider = warden.user[:provider]
+        provider_permissions = j1_web_session['permissions']
+        # provider_permissions = J1App.get_provider_permissions "#{provider}"
         logger.info "Detected #{user} as: signed in"
       else
         user = 'unknown'
@@ -398,21 +648,110 @@ module J1App
         logger.info 'STATUS: send SIGNED_IN data'
         content_type 'application/json'
         {
-            provider:   provider,
-            user:       user,
-            user_id:    user_id,
-            status:     'signed in'
+            provider:     provider,
+            user:         user,
+            user_id:      user_id,
+            permissions:  provider_permissions,
+            status:       'signed in'
         }.to_json
       else
         logger.info 'STATUS: send SIGNED_OUT data'
         content_type 'application/json'
         {
-            provider:   'unknown',
-            user:       'unknown',
-            user_id:    'unknown',
-            status:     'signed out'
+            provider:     'unknown',
+            user:         'unknown',
+            user_id:      'unknown',
+            permissions:  'unknown',
+            status:       'signed out'
         }.to_json
       end
     end
+
+    # access_protected_content ENDPOINT called from the app (auth manager)
+    # --------------------------------------------------------------------------
+    get '/access_denied' do
+
+      provider      =  params.fetch('provider')
+      category      =  params.fetch('category')
+      user          =  params.fetch('user')
+
+      session_encoded = request.cookies['j1.web.session']
+      session_decoded = Base64.decode64(session_encoded)
+      j1_web_session = JSON.parse(session_decoded)
+
+      # Update J1 web session data
+      # --------------------------------------------------------------------
+      j1_web_session['user_name']     = 'unknown'
+      j1_web_session['user_id']       = 'unknown'
+      j1_web_session['user_details']  = 'unknown'
+      j1_web_session['users_allowed'] = 'unknown'
+      j1_web_session['user_pledges']  = 'unknown'
+      j1_web_session['provider']      = 'unknown'
+      j1_web_session['provider_url']  = 'unknown'
+      j1_web_session['permissions']   = 'unknown'
+      j1_web_session['authenticated'] = 'false'
+      j1_web_session['writer']        = 'middleware'
+
+      # write updated J1 session data to cookie
+      #
+      session_json = j1_web_session.to_json
+      session_encoded = Base64.encode64(session_json)
+      logger.info "ACCESS DENIED: Write J1 web session data to cookie"
+#     logger.info "ACCESS DENIED: Write J1 web session data as: #{session_json}"
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
+
+      route = '/'
+
+      @route                  = route
+      @provider               = provider
+      @modal                  = "centralModalInfo"
+      @info_type              = "danger"
+      @modal_icon             = "account-off"
+      @modal_ok_text          = "Ok, understood"
+      @modal_title            = "Authentication Manager"
+      @modal_description      = "<h4>Access denied</h4></br></br> User <b>#{user}</b> from provider <b>#{provider}</b> is not allowed to access <b>#{category}</b> pages."
+
+      erb :auth_manager_ui
+
+    end
+
+    # access_protected_content ENDPOINT called from the app (auth manager)
+    # --------------------------------------------------------------------------
+    get '/access_protected_content' do
+
+      provider      =  params.fetch('provider')
+      allowed_users =  params.fetch('allowed_users')
+      page          =  params.fetch('page')
+      category      =  params.fetch('category')
+
+      if warden.authenticated?
+        route = page
+      else
+        route = "/authentication?request=signin&provider=#{provider}&allowed_users=#{allowed_users}"
+      end
+
+      @provider               = provider
+      @route                  = route
+      @modal                  = "signInProtectedContent"
+      @modal_icon             = "login"
+      @modal_agreed_text      = "Yes, please"
+      @modal_disagreed_text   = "No, thanks"
+      @modal_title            = "Authentication Manager"
+      @modal_image            = "/assets/images/master_header/admin-dashboard-bootstrap.1280x600.png"
+      @modal_description      = "The page <b>#{page}</b> you requested belongs to <b>#{category}</b> content. You'll be redirected to authenticate with the provider <b>#{provider}</b>. If signed in successfully, you get access to all <b>#{category} pages</b>."
+
+      erb :auth_manager_ui
+    end
+
+    get '/iframe' do
+      @website_url = "https://jekyll-one.github.io/"
+      erb :iframe
+    end
+
   end
 end