j1_template_mde 2018.4.31 → 2018.4.32

data/lib/j1_app/j1_auth_manager/_unused/auth_manager.update.web_cookie.rb

@@ -0,0 +1,1333 @@
+# RuboCops - Documentation
+# ------------------------------------------------------------------------------
+# See: https://rubocop.readthedocs.io/en/latest/
+
+# RuboCops - Disabled Cops
+# ------------------------------------------------------------------------------
+# rubocop:disable Metrics/BlockLength
+# rubocop:disable Metrics/ClassLength
+# rubocop:disable Metrics/LineLength
+# rubocop:disable Style/StringLiterals
+# rubocop:disable Style/Documentation
+# rubocop:disable Metrics/BlockNesting
+# rubocop:disable Layout/ClosingParenthesisIndentation
+# rubocop:disable Layout/LeadingCommentSpace
+# rubocop:disable Layout/EmptyLines
+# rubocop:disable Layout/EmptyLinesAroundBlockBody
+# rubocop:disable Layout/FirstParameterIndentation
+# rubocop:disable Layout/CommentIndentation
+# rubocop:disable Layout/AlignParameters
+# rubocop:disable Layout/AlignHash
+# rubocop:disable Layout/TrailingWhitespace
+# rubocop:disable Layout/IndentHash
+# rubocop:disable Layout/SpaceAroundOperators
+# rubocop:disable Layout/ExtraSpacing
+# rubocop:disable Style/UnlessElse
+# rubocop:disable Style/HashSyntax
+
+
+# ------------------------------------------------------------------------------
+#  ~/lib/j1_auth_manager/auth_manager/.rb
+#
+#  Provides authentication services based on Warden|OmniAuth
+#
+#  Product/Info:
+#  https://jekyll-one.com
+#
+#  Copyright (C) 2019 Juergen Adams
+#
+#  J1 Template is licensed under the MIT License.
+#  See: https://github.com/jekyll-one/j1_template_mde/blob/master/LICENSE
+#
+# ------------------------------------------------------------------------------
+# NOTES
+#
+# ------------------------------------------------------------------------------
+# frozen_string_literal: true
+
+module J1App
+  class AuthManager < Sinatra::Base
+
+    include J1App::Helpers
+    include J1App::GithubHelpers
+
+    # ==========================================================================
+    # Sinatra Framework settings
+    # ==========================================================================
+
+    # NOTE: https://stackoverflow.com/questions/7847536/sinatra-in-facebook-iframe
+    #
+    #set :protection, :except => :frame_options
+
+    # Check: http://sinatrarb.com/intro.html
+    #
+    #set :static_cache_control, [:public, :max_age => 10]
+
+
+    # ==========================================================================
+    # Base App and Warden Framework settings
+    # ==========================================================================
+
+    session_data = {}
+
+    # web_session_data = {
+    #     :authenticated       => 'false',
+    #     :requested_page      => '/',
+    #     :user_name           => 'unknown',
+    #     :users_allowed       => 'unknown',
+    #     :user_id             => 'unknown',
+    #     :provider            => 'unknown',
+    #     :provider_url        => '/',
+    #     :payment_info        => 'unknown',
+    #     :permissions         => 'unknown',
+    #     :writer              => 'middleware'
+    # }
+
+    web_session_data = {
+        :authenticated        => 'false',
+        :requested_page       => '/',
+        :user_name            => 'visitor',
+        :users_allowed        => 'all',
+        :user_id              => 'unknown',
+        :provider             => 'j1',
+        :provider_membership  => 'guest',
+        :provider_url         => 'https://jekyll.one',
+        :payment_info         => 'unknown',
+        :provider_permissions => 'public',        
+        :creator              => 'middleware',
+        :writer               => 'middleware'
+    }
+
+    # Enable SSL for the rack session if configured
+    # --------------------------------------------------------------------------
+    require 'rack-ssl-enforcer' if J1App.ssl?
+    use Rack::SslEnforcer if J1App.ssl?
+
+    # Set the session cookie used by Rack to track all relevant data
+    # for the authentication service
+    # --------------------------------------------------------------------------
+    use Rack::Session::Cookie,
+        http_only: true,   # if set to 'true', make session cookie visible to the browser (document) for HTTP
+        key: 'j1.app.session',
+        secret: ENV['J1_SESSION_SECRET'] || SecureRandom.hex
+
+    # use Rack::Cache do |config|
+    #   # 
+    #   # ------------------------------------------------------------------------
+    #   config.middleware.delete(Rack::Cache)
+    # end
+
+    # ==========================================================================
+    # Warden Framework initialisation
+    # ==========================================================================
+
+    # Define what (user) data should be put (serialized) into the session
+    # on requests and responses from Rack environment into the warden
+    # environment (env['warden']).
+    # --------------------------------------------------------------------------
+    Warden::Manager.serialize_into_session do |user|
+      user
+    end
+    Warden::Manager.serialize_from_session do |user|
+      user
+    end
+
+    # ==========================================================================
+    # OmniAuth|Warden Framework initialisation
+    # ==========================================================================
+
+    # Set the 'default' authentication strategy and exception handler
+    # (for warden) if the user was not explicitly signed in (signin dialog).
+    # If 'signin' fails, the default exception 'signin_failure' is thrown
+    # (used for all OmniAuth strategies registered).
+    # --------------------------------------------------------------------------
+    signin_failure = ->(_e) { Rack::Response.new("Can't login", 401).finish }
+    use Warden::Manager do |config|
+      # OmniAuth strategies are name-spaced by 'omni' (see: warden_omniauth.rb)
+      # ------------------------------------------------------------------------
+      config.default_strategies :"omni_#{J1App.default_provider}"
+      config.failure_app = signin_failure
+    end
+
+    use OmniAuth::Builder do |config|
+      # Workaround to rescue OmniAuth::Strategies::OAuth2::CallbackError?
+      # for chromium based browsers (e.g. google-chrome)
+      # ------------------------------------------------------------------------
+      config.on_failure do
+        new_path = '/redirect_requested_page'
+        Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
+      end
+
+      # Detect and set supported authentication strategies for OmniAuth
+      # ------------------------------------------------------------------------
+
+      # Additional (strategy) option skip_extra, default: true
+      #
+      # If true, skips the collection of raw data (extra) to NOT blow
+      # up the session cookie (as it is limited to 4K)
+      skip_extra = true
+
+      if J1App.active_providers.include? 'patreon'
+        scope             = J1App.auth_config['providers']['patreon']['scope'].join(',')
+        data_collection   = J1App.auth_config['providers']['patreon']['data_fields'].join(',')
+        skip_extra        = false if data_collection =~ /raw/i
+        provider :patreon,
+                 ENV['PATREON_CLIENT_ID'],
+                 ENV['PATREON_CLIENT_SECRET'],
+                 scope: "#{scope}",
+                 skip_extra: skip_extra
+      end
+      if J1App.active_providers.include? 'disqus'
+        scope             = J1App.auth_config['providers']['disqus']['scope'].join(',')
+        data_collection   = J1App.auth_config['providers']['disqus']['data_fields'].join(',')
+        skip_extra        = false if data_collection =~ /raw/i
+        provider :disqus,
+                 ENV['DISQUS_CLIENT_ID'],
+                 ENV['DISQUS_CLIENT_SECRET'],
+                 scope: "#{scope}",
+                 skip_extra: skip_extra
+      end
+      if J1App.active_providers.include? 'facebook'
+        scope             = J1App.auth_config['providers']['facebook']['scope'].join(',')
+        data_collection   = J1App.auth_config['providers']['facebook']['data_fields'].join(',')
+        skip_extra        = false if data_collection =~ /raw/i
+        provider :facebook,
+                 ENV['FACEBOOK_CLIENT_ID'],
+                 ENV['FACEBOOK_CLIENT_SECRET'],
+                 scope: "#{scope}",
+                 skip_extra: skip_extra
+      end
+      if J1App.active_providers.include? 'github'
+        scope             = J1App.auth_config['providers']['github']['scope'].join(',')
+        data_collection   = J1App.auth_config['providers']['github']['data_fields'].join(',')
+        skip_extra        = false if data_collection =~ /raw/i
+        provider :github,
+                 ENV['GITHUB_CLIENT_ID'],
+                 ENV['GITHUB_CLIENT_SECRET'],
+                 scope: "#{scope}",
+                 skip_extra: skip_extra
+      end
+      if J1App.active_providers.include? 'twitter'
+        scope             = J1App.auth_config['providers']['twitter']['scope'].join(',')
+        data_collection   = J1App.auth_config['providers']['twitter']['data_fields'].join(',')
+        skip_extra        = false if data_collection =~ /raw/i
+        provider :twitter,
+                 ENV['TWITTER_CLIENT_ID'],
+                 ENV['TWITTER_CLIENT_SECRET'],
+                 scope: "#{scope}",
+                 skip_extra: skip_extra
+      end
+    end
+
+    # Set the (internal) endpoint if a user is successfully authenticated
+    # --------------------------------------------------------------------------
+    use J1WardenOmniAuth do |config|
+      config.redirect_after_callback = '/post_authentication'
+    end
+
+    # Add the internal logger from Rack to the middleware's of the stack
+    # --------------------------------------------------------------------------
+    use Rack::Logger
+
+    # Load user profiles, permissions, conditions and strategies
+    # --------------------------------------------------------------------------
+
+    providers   = J1App.auth_config['providers']
+    permissions = J1App.permissions
+
+
+    # ==========================================================================
+    # Sinatra (before) FILTER to preprocess all page requests
+    # ==========================================================================
+
+    # Prepare root (index) page for app detection
+    #
+    before '/' do
+      log_info! "ROOT", "Prepare", 'Web Session'
+
+      # read existing/current cookie 'j1.web.session' to update all data
+      # of web_session_data (hash) otherwise set initial data
+      # ------------------------------------------------------------------------
+      unless env['HTTP_COOKIE'] == nil
+        log_info! "ROOT", 'Cookie', 'Read current web session data'
+        web_session_data = readCookie('j1.web.session')
+        data_json = web_session_data.to_json
+        log_info! "ROOT", 'Cookie', 'Current web session data', "#{data_json}"
+
+        # if env['HTTP_COOKIE'].include? 'j1.web.session'
+        #   session_encoded = request.cookies['j1.web.session']
+        #   session_decoded = Base64.decode64(session_encoded)
+        #   web_session_data = JSON.parse(session_decoded)
+        # end
+
+      else
+        requested_page = env['REQUEST_URI']
+        session_data['requested_page'] = "#{env['REQUEST_URI']}"
+      end
+
+      # Create|Initialize the J1 web session cookie
+      # ------------------------------------------------------------------------
+      if warden.authenticated?
+        log_info! "ROOT", 'Cookie', 'Update current user data'
+
+        user = warden.user
+        log_info! "ROOT", 'AuthCheck', 'User detected as signed in', "#{user[:provider]}"
+        session_data['authenticated']         = 'true'
+        session_data['requested_page']        = '/'
+        session_data['user_name']             = user[:info]['nickname']
+        session_data['users_allowed']         = providers["#{user[:provider]}"]['users']
+        session_data['user_id']               = user[:uid]
+        session_data['provider']              = user[:provider]
+        session_data['provider_membership']   = 'member'
+        session_data['provider_url']          = providers["#{user[:provider]}"]['provider_url']
+        session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        session_data['payment_status']        = user[:info][:payment_status]
+      else
+        log_info! "ROOT", 'AuthCheck', 'User detected', 'signed out'
+        session_data['authenticated']         = 'false'
+#       session_data['requested_page']        = '/'
+        session_data['users_allowed']         = 'all'
+        session_data['user_name']             = 'visitor'
+        session_data['user_id']               = 'unknown'
+        session_data['payment_status']        = 'unknown'
+        session_data['provider']              = 'j1'
+        session_data['provider_membership']   = 'guest'
+        session_data['provider_url']          = 'https://jekyll.one'
+        session_data['provider_permissions']  = 'public'
+      end
+      session_data['writer']                  = 'middleware'
+      session_data['creator']                 = 'middleware'
+
+      web_session_data = merge( web_session_data, session_data )
+      
+      data_json = session_data.to_json
+      log_info! "ROOT", 'Cookie', 'Merge current user data', "#{data_json}"
+
+      data_json = web_session_data.to_json
+      log_info! "ROOT", 'Cookie', 'Update web session data', "#{data_json}"
+      writeCookie('j1.web.session', data_json)
+    end
+
+    # General page detection (page auth pre-flight)
+    # --------------------------------------------------------------------------
+    before '/(pages|posts)/*' do
+
+      log_info! 'AuthManager', 'PreFlight', 'Initial checks initiated'
+
+      # read existing/current cookie 'j1.web.session'
+      # to update all data of web_session_data (hash)
+      # if request.warden.user.respond_to?(:info)
+      # ------------------------------------------------------------------------
+
+      #web_session_data = readCookie('j1.web.session')
+      
+      if env['HTTP_COOKIE'].include? 'j1.web.session'
+        session_encoded     = request.cookies['j1.web.session']
+        session_decoded     = Base64.decode64(session_encoded)
+        # See: https://stackoverflow.com/questions/86653/how-can-i-pretty-format-my-json-output-in-ruby-on-rails
+        session_pretty      = JSON.pretty_generate(session_decoded)
+        web_session_data    = JSON.parse(session_decoded)
+
+        log_info! 'PreFlight', 'Cookie', 'Read web session data', "#{session_decoded}"  #   ,"#{session_pretty}"
+      else
+        requested_page                    = env['REQUEST_URI']
+        session_data['requested_page']  = "#{env['REQUEST_URI']}"
+      end
+
+      # Create|Initialize the J1 web session cookie
+      # ------------------------------------------------------------------------
+      log_info! 'PreFlight', 'AuthCheck', 'Check authentication state'
+      if warden.authenticated?
+        log_info! 'PreFlight', 'AuthCheck', 'Fick dich'
+        user = warden.user
+        session_data['authenticated']         = 'true'
+        session_data['user_name']             = user[:info]['nickname']
+        session_data['user_id']               = user[:uid]
+        session_data['provider']              = user[:provider]
+        session_data['provider_url']          = providers["#{user[:provider]}"]['provider_url']
+        session_data['users_allowed']         = providers["#{user[:provider]}"]['users']
+        session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        session_data['provider_membership']   = 'member'
+        session_data['payment_status']        = user[:info][:payment_status]
+        session_data['writer']                = 'middleware'
+
+        web_session_data = merge( web_session_data, session_data )
+        log_info! 'PreFlight', 'AuthCheck', 'User authenticated', "#{user[:info]['nickname']}"
+
+        session_json = web_session_data.to_json
+        log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
+
+        session_encoded = Base64.encode64(session_json)
+        response.set_cookie(
+            'j1.web.session',
+            domain: false,
+            value: session_encoded.to_s,
+            path: '/'
+        )
+      end
+
+      # User state|content detection for implicit authentication
+      # ------------------------------------------------------------------------
+      log_info! 'PreFlight', 'CheckConfig', 'Authentication check', 'disabled' if authentication_enabled? == false
+      log_info! 'PreFlight', 'AuthCheck', 'Pass for all pages' if authentication_enabled? == false    
+      pass if authentication_enabled? == false
+
+      log_info! 'PreFlight', 'CheckConfig', 'Authentication check', 'enabled'
+      log_info! 'PreFlight', 'DetectContent', 'Public content detected' if public_content?
+      log_info! 'PreFlight', 'DetectContent', 'Pass all public content' if public_content?
+      pass if public_content?
+
+      log_info! 'PreFlight', 'DetectCookieConsent', 'Cookie Consent', "#{web_session_data['cookies_accepted']}"
+
+      # if web_session_data['cookies_accepted'] === 'declined'
+      #   requested_page = env['REQUEST_URI']
+      #   requested_page.scan(/(protected|private)/) do |match|
+      #     category = match[0]
+      #     log_info! 'PreFlight', 'DetectContent', 'Content detected as', "#{category}"
+      #     log_info! 'PreFlight', 'Redirect', 'Pass to dialog page (Cookie Consent)'
+      #     description_title = "Cookie consent declined"
+      #     redirect "/cookie_consent?provider=#{web_session_data['provider']}&user=#{web_session_data['user_name']}&category=#{category}&requested_page=#{requested_page}&title=#{description_title}"
+      #     #redirect requested_page
+      #   end
+      # end
+
+      log_info! 'PreFlight', 'DetectContent', 'Check content type'
+
+      requested_page = env['REQUEST_URI']
+      requested_page.scan(/(protected|private)/) do |match|
+
+        category = match[0]
+        log_info! 'PreFlight', 'DetectContent', 'Content type detected', "#{category}"
+
+        log_info! 'PreFlight', 'AuthCheck', 'Check authorisation status'
+        if warden.authenticated?
+          user_name = user[:info]['nickname']
+          log_info! 'PreFlight', 'AuthCheck', 'User detected', "#{user_name}"
+
+          current_provider  = warden.user[:provider]
+
+          # provider_strategy = strategies["#{default_provider}"]
+          strategy          = providers["#{current_provider}"]['strategy']
+          provider_strategy = :"#{strategy}"
+
+          web_session_data['user_name']             = user_name
+          web_session_data['provider_url']          = providers["#{current_provider}"]['provider_url']
+          web_session_data['users_allowed']         = providers["#{current_provider}"]['users']
+          web_session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+          web_session_data['requested_page']        = requested_page
+
+          log_info! 'PreFlight', 'ContentCheck', 'Check permissions'
+          if permissions[:"#{category}"].include? current_provider
+            log_info! 'PreFlight', 'ContentCheck', 'Provider detected', "#{current_provider}"
+            log_info! 'PreFlight', 'ContentCheck', 'Category detected', "#{category}"
+            log_info! 'PreFlight', 'ContentCheck', 'Category support', 'enabled'
+
+            # Check permissions
+            #
+            #log_info! 'Authorisation', 'ConditionCheck', 'Check permissions for provider', "#{current_provider}"
+            #conditions = J1App.conditions current_provider
+            # if conditions["#{category}"]
+            #   log_info! 'Authorisation', 'ConditionCheck', 'Conditions detected', "#{category}"
+            #   conditions["#{category}"].each do |k, v|
+            #     case k
+            #     when 'enabled'
+            #       log_info! 'Authorisation', 'ConditionCheck', "#{k}", "#{v}"
+            #     when 'users'
+            #       log_info! 'Authorisation', 'ConditionCheck', 'users'
+            #       v.each do |k, v|
+            #         log_info! 'Authorisation', 'ConditionCheck', "users - #{k}", "#{v}"
+            #       end
+            #     when 'payment'
+            #       log_info! 'Authorisation', 'ConditionCheck', 'payment'
+            #       v.each do |k, v|
+            #         case k
+            #         when 'tiers'
+            #           log_info! 'Authorisation', 'ConditionCheck', "payment - #{k}", "#{v}"
+            #         when 'tier'
+            #           v.each do |k, v|
+            #             log_info! 'Authorisation', 'ConditionCheck', 'payment - tiers - tier : ' "#{k}", "#{v}"
+            #           end
+            #         end
+            #       end
+            #     end
+            #   end
+            # end
+          else
+            provider  = permissions[:"#{category}"][0]
+            log_info! 'PreFlight', 'ContentCheck', 'Provider detected', "#{current_provider}"
+            log_info! 'PreFlight', 'ContentCheck', 'Category detected', "#{category}"
+            log_info! 'PreFlight', 'ContentCheck', 'Category supported', 'NO'
+            log_info! 'PreFlight', 'AuthCheck', 'Authorisation failed for user', "#{user_name}"
+
+            log_info! 'PreFlight', 'SignOut', 'Sign out user', "#{user_name}"
+            warden.logout
+            session.clear
+
+            session_json = web_session_data.to_json
+            log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
+
+            session_encoded = Base64.encode64(session_json)
+            response.set_cookie(
+                'j1.web.session',
+                domain: false,
+                value: session_encoded.to_s,
+                path: '/'
+            )
+
+            log_info! 'PreFlight', 'Redirect', 'Call API request', 'PageValidate'
+            allowed_users = providers["#{provider}"]['users'].join(',')
+            redirect "/page_validation?provider=#{provider}&category=#{category}&page=#{requested_page}&allowed_users=#{allowed_users}"
+          end
+
+          time = Time.now.ctime.to_s
+          log_info! 'PreFlight', 'AuthCheck', 'Pass to requested page', "#{requested_page}"
+          log_info! 'PreFlight', 'AuthCheck', 'Set X-Response-Headers'
+          
+          # See: https://stackoverflow.com/questions/10438276/how-to-disable-static-file-caching-in-rails-3-thin-on-windows
+          # response.headers["Cache-Control"]   = 'no-cache, no-store, max-age=0, must-revalidate'
+          # response.headers["Pragma"]          = 'no-cache'
+          # response.headers["Expires"]         = 'Fri, 01 Jan 1990 00:00:00 GMT'
+          response.headers['X-J1-AuthManager']  = "page-validated;category=#{category};called=" +  time
+          pass
+        else
+          log_info! 'PreFlight', 'AuthCheck', 'User detected', 'signed out'
+          default_provider = permissions[:"#{category}"][0]
+          log_info! 'PreFlight', 'AuthCheck', 'Set default provider', "#{default_provider}"
+
+          strategy          = providers["#{default_provider}"]['strategy']
+          provider_strategy = :"#{strategy}"
+
+          log_info! 'PreFlight', 'AuthCheck', 'Start processing provider', "#{default_provider}"
+          log_info! 'PreFlight', 'AuthCheck', 'Authentication strategy', "#{provider_strategy}"
+
+          case provider_strategy
+
+          when :org
+            warden.authenticate!
+            github_organization_authenticate! ENV['GITHUB_ORG_NAME']
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} organization"
+
+          when :team
+            warden.authenticate!
+            github_team_authenticate! ENV['GITHUB_TEAM_ID']
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} team"
+
+          when :teams
+            warden.authenticate!
+            github_teams_authenticate! ENV['GITHUB_TEAM_IDS'].split(',')
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} team"
+
+          when :member
+            log_info! 'PreFlight', 'AuthCheck', 'Process authentication strategy'
+
+            if env['HTTP_COOKIE'].include? 'j1.web.session'
+              session_encoded   = request.cookies['j1.web.session']
+              session_decoded   = Base64.decode64(session_encoded)
+              log_info! 'PreFlight', 'Cookie', 'Read web session data'          # "#{session_decoded}"
+              web_session_data    = JSON.parse(session_decoded)
+            end
+
+            # Update cookie data
+            # ----------------------------------------------------------------------
+            web_session_data['provider_url']          = providers["#{default_provider}"]['provider_url']
+            web_session_data['users_allowed']         = providers["#{default_provider}"]['users']
+            web_session_data['provider_permissions']  = providers["#{default_provider}"]['permissions']
+            web_session_data['requested_page']        = env['REQUEST_URI']
+            web_session_data['writer']                = 'middleware'
+
+            # write updated J1 session cookie
+            #
+            session_json = web_session_data.to_json
+            session_encoded = Base64.encode64(session_json)
+            log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
+
+            response.set_cookie(
+                'j1.web.session',
+                domain: false,
+                value: session_encoded.to_s,
+                path: '/'
+            )
+
+            allowed_users   = providers["#{default_provider}"]['users'].join(',')
+            requested_page  = env['REQUEST_URI']
+
+            log_info! 'PreFlight', 'Redirect', 'Call API request', 'PageValidate'
+            redirect "/page_validation?provider=#{default_provider}&category=#{category}&page=#{requested_page}&allowed_users=#{allowed_users}"
+          else
+            raise J1App::ConfigError
+          end
+
+        end
+      end
+    end
+
+
+    # ==========================================================================
+    # API ENDPOINTS (Sinatra HANDLERS)
+    # ==========================================================================
+
+    # ENDPOINT authentication (called from WEB by auth client)
+    # --------------------------------------------------------------------------
+    get '/authentication' do
+      # collect (common) GET parameter|s
+      #
+      request   = params.fetch('request')
+      provider  = params.fetch('provider')
+
+      log_info! 'API', 'Authentication', 'Authentication request received'
+
+      # SignIn
+      # ------------------------------------------------------------------------
+      if request === 'signin'
+
+        log_info! 'Authentication', 'SignIn', 'Called for provider', "#{provider}"
+
+        # collect (additional) GET parameter|s
+        # ----------------------------------------------------------------------
+        allowed_users                   =  params.fetch('allowed_users')
+
+        web_session_data['users_allowed'] = allowed_users
+        web_session_data['writer']        = 'middleware'
+
+        # Write updated J1 session data to cookie
+        # --------------------------------------------------------------------
+        session_json = web_session_data.to_json
+        log_info! 'Authentication', 'Cookie', 'Write web session data', "#{session_json}"
+
+        session_encoded = Base64.encode64(session_json)
+        response.set_cookie(
+            'j1.web.session',
+            domain: false,
+            value: session_encoded.to_s,
+            path: '/'
+        )
+
+        if warden.authenticated?
+          log_info! 'Authentication', 'SignIn', 'User already signed in', "#{warden.user[:info]['nickname']} "
+        else
+          log_info! 'Authentication', 'SignIn', 'Initiate OmniAuth authentication'
+
+          # Make (really) sure that old session is cleared before login
+          # --------------------------------------------------------------------
+          warden.logout
+          session.clear
+          warden.authenticate! :"omni_#{provider}"
+        end
+        # SignOut
+        # ------------------------------------------------------------------------
+      elsif request === 'signout'
+        # collect (additional) GET parameter|s
+        provider_signout = params.fetch('provider_signout')
+        log_info! 'Authentication', 'SignOut', 'Called for provider', #{provider}"
+
+                  if warden.authenticated?
+                    user         = warden.user[:info]['nickname']
+                    provider     = warden.user[:provider]
+                    provider_url = web_session_data['provider_url']
+                    log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+                    warden.logout
+                    session.clear
+
+                    # Read current J1 web session cookie
+                    # --------------------------------------------------------------------
+                    if env['HTTP_COOKIE'].include? 'j1.web.session'
+                      session_encoded = env['rack.request.cookie_hash']['j1.web.session']
+                      session_decoded = Base64.decode64(session_encoded)
+                      log_info! 'Authentication', 'Cookie', 'Read web session data' # #{session_decoded}"
+                      web_session_data = JSON.parse(session_decoded)
+                    else
+                      web_session_data['requested_page'] = env['REQUEST_URI']
+                    end
+
+                    # Update J1 web session data
+                    # --------------------------------------------------------------------
+                    web_session_data['user_name']             = 'visitor'
+                    web_session_data['user_id']               = 'unknown'
+                    web_session_data['users_allowed']         = 'all'
+                    web_session_data['payment_status']        = 'unknown'
+                    web_session_data['provider']              = 'j1'
+                    web_session_data['provider_url']          = 'https://jekyll.one'
+                    web_session_data['provider_permissions']  = 'public'
+                    web_session_data['authenticated']         = 'false'
+                    web_session_data['writer']                = 'middleware'
+
+                    # Write updated J1 session data to cookie
+                    # --------------------------------------------------------------------
+                    session_json = web_session_data.to_json
+                    log_info! 'Authentication', 'Cookie', 'Write web session data', "#{session_json}"
+
+                    session_encoded = Base64.encode64(session_json)
+                    response.set_cookie(
+                        'j1.web.session',
+                        domain: false,
+                        value: session_encoded.to_s,
+                        path: '/'
+                    )
+
+                    if provider_signout === 'true'
+                      log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+                      log_info! 'Authentication', 'SignOut', 'Sign out from', "#{provider}"
+                      log_info! 'Authentication', 'Redirect', 'Pass to provider', "#{provider_url}"
+                      redirect "#{provider_url}"
+                    else
+                      log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+                      log_info! 'Authentication', 'SignOut', 'Sign out from', "session"
+
+                      # If signed out, redirect ONLY for PUBLIC pages
+                      # ------------------------------------------------------------------
+                      if redirect_whitelisted?
+                        # Update J1 web session data
+                        # --------------------------------------------------------------------
+                        web_session_data['requested_page']
+                        web_session_data['user_name']             = 'visitor'
+                        web_session_data['user_id']               = 'unknown'
+                        web_session_data['users_allowed']         = 'all'
+                        web_session_data['payment_status']        = 'unknown'
+                        web_session_data['provider']              = 'j1'
+                        web_session_data['provider_url']          = 'https://jekyll.one'
+                        web_session_data['provider_permissions']  = 'public'
+                        web_session_data['authenticated']         = 'false'
+                        web_session_data['writer']                = 'middleware'
+
+                        # Write updated J1 session data to cookie
+                        # --------------------------------------------------------------------
+                        session_json = web_session_data.to_json
+                        log_info! 'Authentication', 'Redirect', 'Write web session data', "#{session_json}"
+
+                        session_encoded = Base64.encode64(session_json)
+                        response.set_cookie(
+                            'j1.web.session',
+                            domain: false,
+                            value: session_encoded.to_s,
+                            path: '/'
+                        )
+                       log_info! 'Authentication', 'Redirect', 'Pass to page', "#{web_session_data['requested_page']}"
+                       redirect web_session_data['requested_page']
+                      else
+                        log_info! 'Authentication', 'Redirect', 'Redirect NOT whitelisted'
+                        # Update J1 web session data
+                        # --------------------------------------------------------------------
+                        web_session_data['user_name']             = 'visitor'
+                        web_session_data['user_id']               = 'unknown'
+                        web_session_data['users_allowed']         = 'all'
+                        web_session_data['payment_status']        = 'unknown'
+                        web_session_data['provider']              = 'j1'
+                        web_session_data['provider_url']          = 'https://jekyll.one'
+                        web_session_data['provider_permissions']  = 'public'
+                        web_session_data['authenticated']         = 'false'
+                        web_session_data['writer']                = 'middleware'
+
+                        # Write updated J1 session data to cookie
+                        # --------------------------------------------------------------------
+                        session_json = web_session_data.to_json
+                        log_info! 'Authentication', 'Redirect', 'Write web session data', "#{session_json}"
+
+                        session_encoded = Base64.encode64(session_json)
+                        response.set_cookie(
+                            'j1.web.session',
+                            domain: false,
+                            value: session_encoded.to_s,
+                            path: '/'
+                        )
+                        log_info! 'Authentication', 'Redirect', 'Pass to page', "/"
+                        redirect '/'
+                      end
+                    end
+                  else
+                    # THIS condition should NEVER REACHED because NO logout dialog
+                    # (modal) is provided by the auth client if a user isn't signed in.
+                    # Kept this alternative for cases something went wrong.
+                    # --------------------------------------------------------------------
+                    log_info! 'Authentication', 'API', 'DEAD PATH: Called for sign out', 'NOT signed in'
+
+                    # Read current J1 session cookie
+                    # --------------------------------------------------------------------
+                    if env['HTTP_COOKIE'].include? 'j1.web.session'
+                      session_encoded   = env['rack.request.cookie_hash']['j1.web.session']
+                      session_decoded   = Base64.decode64(session_encoded)
+                      web_session_data  = JSON.parse(session_decoded)
+
+                      log_info! 'Authentication', 'Cookie', 'DEAD PATH. Read web session data' # #{session_decoded}"
+                    else
+                      web_session_data['requested_page'] = env['REQUEST_URI']
+                    end
+
+                    # Update J1 web session data
+                    # --------------------------------------------------------------------
+                    web_session_data['user_name']             = 'visitor'
+                    web_session_data['user_id']               = 'unknown'
+                    web_session_data['users_allowed']         = 'all'
+                    web_session_data['payment_status']        = 'unknown'
+                    web_session_data['provider']              = 'j1'
+                    web_session_data['provider_url']          = 'https://jekyll.one'
+                    web_session_data['provider_permissions']  = 'public'
+                    web_session_data['authenticated']         = 'false'
+                    web_session_data['writer']                = 'middleware'
+
+                    # Write updated J1 session data to cookie
+                    # --------------------------------------------------------------------
+                    session_json = web_session_data.to_json
+                    log_info! 'Authentication', 'Cookie', 'DEAD PATH. Write web session data', "#{session_json}"
+
+                    session_encoded = Base64.encode64(session_json)
+                    response.set_cookie(
+                        'j1.web.session',
+                        domain: false,
+                        value: session_encoded.to_s,
+                        path: '/'
+                    )
+
+                    log_info! 'Post Authentication', 'Redirect', 'DEAD PATH: Pass to requested page', "#{web_session_data['requested_page']}"
+                    redirect web_session_data['requested_page']
+                  end
+      else
+        raise J1App::ConfigError
+      end
+    end
+    # END: get '/authentication'
+    # --------------------------------------------------------------------------
+
+    # ENDPOINT post_authentication (called after a user is back from OAuth Provider)
+    # --------------------------------------------------------------------------
+    get '/post_authentication' do
+      reward = {
+          :id    => 'unknown',
+          :name  => 'unknown',
+          :link  => '#'
+      }
+      campaign = {
+          :id    => 'unknown',
+          :link  => '#'
+      }
+
+      log_info! 'API', 'Post Authentication', 'Identification request received'
+
+      log_info! 'Post Authentication',  'Cookie', 'Read web session data'
+      session_encoded   = request.cookies['j1.web.session']
+      session_decoded   = Base64.decode64(session_encoded)
+      web_session_data    = JSON.parse(session_decoded)
+
+      user                              = warden.user
+      user_json                         = user.to_json
+
+      if user[:provider] === 'disqus'
+        user[:info][:urls][:site]       = "https://disqus.com"
+        user[:info][:urls][:home]       = user[:info]['urls']['profileUrl']
+        user[:info][:urls][:blog]       = "https://disqus.com/by/juergen_adams/"
+        user[:info][:urls][:member]     = user[:info]['urls']['profileUrl']
+      end
+
+      if user[:provider] === 'github'
+        user[:info][:urls][:site]       = "https://github.com"
+        user[:info][:urls][:home]       = user[:info]['urls']['GitHub']
+        user[:info][:urls][:blog]       = "https://github.com/jekyll-one"
+        user[:info][:urls][:member]     = user[:info]['urls']['Blog']
+      end
+
+      if user[:provider] === 'patreon'
+
+        user[:info][:urls][:site]       = "https://patreon.com"
+        user[:info][:urls][:home]       = "https://patreon.com/home"
+        user[:info][:urls][:blog]       = "https://patreon.com/jekyll_one"
+
+        unless user[:info]['payment_info'].empty?
+          reward_url                    = user[:info]['payment_info']['relationships']['reward']['links']['related']
+          reward_json                   = RestClient.get "#{reward_url}", {:content_type => :json, :accept => :json}
+          reward_data                   = JSON.parse(reward_json)
+          user[:info][:urls][:member]   = "https://patreon.com" + reward_data['data']['attributes']['url']
+          user[:info][:payment_status]  = user[:info]['payment_info']['attributes']['declined_since'].nil? ? 'true' : 'false'
+        else
+          reward_url                    = ""
+          reward_json                   = ""
+          reward_data                   = ""
+          user[:info][:payment_status]  = 'false'
+        end
+
+        unless reward_data.empty?
+          reward[:id]                   = reward_data['data']['id']
+          reward[:name]                 = reward_data['data']['attributes']['title']
+          reward[:link]                 = "https://patreon.com" + reward_data['data']['attributes']['url']
+          campaign[:id]                 = reward_data['data']['relationships']['campaign']['data']['id']
+          campaign[:link]               = reward_data['data']['relationships']['campaign']['links']['related']
+        else
+          reward[:id]                   = ""
+          reward[:name]                 = "no tiers"
+          reward[:link]                 = ""
+          campaign[:id]                 = ""
+          campaign[:link]               = ""
+        end
+      end
+
+      user[:extra][:reward]             = reward
+      user[:extra][:campaign]           = campaign
+
+      if user.nil?
+        # Collection of session data failed (e.g cookie > 4K)
+        #
+        log_info! 'Post Authentication', 'Identification', 'Internal error', 'User identification failed'
+        warden.logout
+        session.clear
+        log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+        description_title = "Access Denied"
+        redirect "/access_denied?provider=unknown&user=unknown&category=unknown&title=#{description_title}"
+      else
+        log_info! 'Post Authentication', 'Identification', 'User identified successfully'
+        log_info! 'Post Authentication',  'Cookie', 'Update web session data'    # "#{web_session_data}"
+        web_session_data['user_name']             = user[:info]['nickname']
+        web_session_data['user_id']               = user[:uid]
+        web_session_data['provider']              = user[:provider]
+        web_session_data['provider_membership']   = 'member'
+        web_session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        web_session_data['authenticated']         = 'true'
+        web_session_data['payment_status']        = user[:info][:payment_status]
+        web_session_data['writer']                = 'middleware'
+
+        current_user                            = user[:info]['nickname']  = user[:info]['nickname']
+        current_provider                        = user[:provider]
+
+        web_session_data['requested_page'].scan(/(protected|private)/) do |match|
+
+          # Set category from requested page
+          #
+          category = match[0]
+          log_info! 'Post Authentication', 'Identification', 'Process content type', "#{category}"
+
+          # Check if user is allowed to access protected content in GENERAL
+          #
+          log_info! 'Post Authentication', 'Identification', 'Check for allowed users'
+          unless web_session_data['users_allowed'].include? 'all'
+            unless web_session_data['users_allowed'].include? "#{current_user}"
+              log_info! 'Post Authentication', 'Identification', 'User not allowed', "#{current_user}"
+              log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{web_session_data['users_allowed']}"
+              log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
+              warden.logout
+              session.clear
+              log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+              description_title = "Access Denied"
+              redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
+            end
+          end
+          log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{web_session_data['users_allowed']}"
+
+          # Check conditions to access protected content (if any)
+          #
+          log_info! 'Post Authentication', 'Identification', 'Check for conditions', "#{current_provider}"
+          check_conditions = providers["#{user[:provider]}"]['conditions'][category]['enabled']
+          if check_conditions
+
+            if providers["#{user[:provider]}"]['conditions'][category]['users']['whitelist'].nil?
+              category_whitelist = 'all'
+            else
+              category_whitelist = providers["#{user[:provider]}"]['conditions'][category]['users']['whitelist']
+            end
+
+            # Check if user is BLACKLISTED
+            #
+            blacklist = providers["#{user[:provider]}"]['conditions'][category]['users']['blacklist']
+            if blacklist.include? "#{current_user}"
+              log_info! 'Post Authentication', 'Identification', 'Check blacklisting'
+              log_info! 'Post Authentication', 'Identification', 'User blacklisted', "#{current_user}"
+              user[:info][:blacklisted] = 'true'
+              log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
+              warden.logout
+              session.clear
+              log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+              description_title = "Access Denied"
+              redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
+            end
+
+            log_info! 'Post Authentication', 'Identification', 'Check whitelisting'
+            if category_whitelisted? category_whitelist, current_user
+              user[:info][:whitelisted]   = 'true'
+              reward[:name]               = 'whitelisted'
+              log_info! 'Post Authentication', 'Identification', 'User whitelisted', "#{current_user}"
+              log_info! 'Post Authentication', 'Identification', 'Reward set to', 'Whitelisted'
+            else
+              log_info! 'Post Authentication', 'Identification', 'No whitelisting found', "#{current_user}"
+            end
+
+            log_info! 'Post Authentication', 'Identification', 'Check conditions'
+            unless category_whitelisted? category_whitelist, current_user
+              log_info! 'Post Authentication', 'Identification', 'Check rewards'
+              payment_tiers = providers["#{user[:provider]}"]['conditions'][category]['payment']['activated']
+              log_info! 'Post Authentication', 'Identification', 'Check rewards', "#{current_user}"
+              if payment_activated? payment_tiers
+                log_info! 'Post Authentication', 'Identification', 'Reward found', "#{reward[:name]}"
+
+                # Check if any payment exists for that user
+                #
+                log_info! 'Post Authentication', 'Identification', 'Check payment status'
+                if user[:info]['payment_info'].empty?
+                  log_info! 'Post Authentication', 'Identification', 'Payment status: NOT AVAILABLE', "#{current_user}"
+                  log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
+                  warden.logout
+                  session.clear
+                  log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+                  description_title = "Access Denied"
+                  redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
+                end
+
+                # Check for VALID payments (scope: pledge-to-me)
+                #
+                payment_status = user[:info]['payment_info']['attributes']['declined_since']
+                unless payment_valid? payment_status
+                  log_info! 'Post Authentication', 'Identification', 'Payment status INVALID', "#{current_user}"
+                  log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
+                  warden.logout
+                  session.clear
+                  log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+                  description_title = "Access Denied"
+                  redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
+                else
+                  log_info! 'Post Authentication', 'Identification', 'Payment status VALID', "#{current_user}"
+                end
+              end
+
+            end
+            # end category_whitelisted
+          else
+            category_condition_state = providers["#{user[:provider]}"]['conditions'][category]['enabled']
+            log_info! 'Post Authentication', 'Identification', 'Category check failed for', "#{current_provider}"
+            log_info! 'Post Authentication', 'Identification', "Category checked", "#{category}"
+            log_info! 'Post Authentication', 'Identification', "Category support", "#{category_condition_state}"
+            warden.logout
+            session.clear
+            log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+            description_title = "Access Denied"
+            redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
+          end
+          # end check conditions
+
+        end
+        # end protected content
+      end
+      # end user.nil?
+
+      # redirect authenticated|validated user to requested page
+      #
+      web_session_data['provider']      = current_provider
+      web_session_data['users_allowed'] = providers["#{current_provider}"]['users']
+
+      # TODO: Add membership|product specific data for the SideBar
+
+      # write updated J1 session data to cookie
+      #
+      session_json = web_session_data.to_json
+      log_info! 'Post Authentication', 'Cookie', 'Write web session data', "#{session_json}"
+
+      session_encoded = Base64.encode64(session_json)
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
+
+      time = Time.now.ctime.to_s
+
+      log_info! 'Post Authentication', 'Identification', 'Provider', "#{user[:provider]}"
+      log_info! 'Post Authentication', 'Identification', 'User', "#{user[:info]['nickname']}"
+      log_info! 'Post Authentication', 'Redirect', 'Set Last-Modified', "#{time}"
+      log_info! 'Post Authentication', 'Redirect', 'Pass to requested page', "#{web_session_data['requested_page']}"
+
+      
+      response.headers['Last-Modified'] = time
+      response.headers['Cache-Control'] = 'private,max-age=0,must-revalidate,no-store'
+      redirect web_session_data['requested_page']
+
+    end
+    # END: get /post_authentication
+    # --------------------------------------------------------------------------
+
+
+    # ENDPOINT status (called from WEB to get current state of an user)
+    # --------------------------------------------------------------------------
+    get '/status' do
+      session_encoded   = request.cookies['j1.web.session']
+      session_decoded   = Base64.decode64(session_encoded)
+      web_session_data    = JSON.parse(session_decoded)
+
+      log_info! 'API', 'Status Request', 'Info request received'
+
+      # if request.warden.user.respond_to?(:info)
+      #
+      if warden.authenticated?
+        user_name               = warden.user[:info]['nickname']
+        user_id                 = warden.user[:uid]
+        provider                = warden.user[:provider]
+        provider_permissions    = web_session_data['provider_permissions']
+        provider_site_url       = warden.user[:info][:urls][:site]
+        provider_home_url       = warden.user[:info][:urls][:home]
+        provider_blog_url       = warden.user[:info][:urls][:blog]
+        provider_member_url     = warden.user[:info][:urls][:member]
+
+        if provider == 'patreon'
+          provider_membership   = warden.user[:extra][:reward][:name]
+          provider_member_url   = warden.user[:extra][:reward][:link]
+        else
+          provider_membership   = 'member'
+          provider_member_url   = '#'
+        end
+
+        log_info! 'API', 'Status Request', 'User detected as signed in', "#{user_name}"
+      else
+        user_name = 'unknown'
+        log_info! 'API', 'Status Request', 'User detected', 'signed out'
+      end
+
+      # if request.warden.authenticated?
+      #
+      if user_name != 'unknown'
+        log_info! 'API', 'Status Request', 'Send data', 'SIGNED_IN'
+        content_type 'application/json'
+        {
+            user_name:                user_name,
+            user_id:                  user_id,
+            provider:                 provider,
+            provider_membership:      provider_membership,
+            provider_permissions:     provider_permissions,
+            provider_site_url:        provider_site_url,
+            provider_home_url:        provider_home_url,
+            provider_blog_url:        provider_blog_url,
+            provider_member_url:      provider_member_url,
+            status:                   'signed in'
+        }.to_json
+      else
+        log_info! 'API', 'Status Request', 'Send data', 'SIGNED_OUT'
+        content_type 'application/json'
+        {
+            user_name:                'visitor',
+            user_id:                  'unknown',
+            provider:                 'j1',
+            provider_membership:      'guest',
+            provider_permissions:     'public',
+            provider_site_url:        '#',
+            provider_home_url:        '#',
+            provider_blog_url:        '#',
+            provider_member_url:      '#',
+            status:                   'signed out'
+        }.to_json
+      end
+    end
+    # END: get /status
+    # --------------------------------------------------------------------------
+
+    # ENDPOINT  cookie_consent (exception, called from the app|auth manager)
+    # --------------------------------------------------------------------------
+    get '/cookie_consent' do
+      provider          = params.fetch('provider')
+      category          = params.fetch('category')
+      user              = params.fetch('user')
+      requested_page    = params.fetch('requested_page')
+      description_title = params.fetch('title')
+
+      log_info! 'API', 'ExceptionHandler', 'Request received'
+      log_info! 'ExceptionHandler', 'ERROR', 'Cookies declined'
+      log_info! 'ExceptionHandler', 'Redirect', 'Pass to dialog page', 'Cookie Consent'
+
+      # Capitalize first char
+      provider                = provider.sub(/^./, &:upcase)
+      route                   = requested_page
+
+      @route                  = route
+      @provider               = provider
+      @modal                  = "centralCookieConsent"
+      @info_type              = "danger"
+      @modal_icon             = "cookie"
+      @modal_agreed_text      = "Yes, please"
+      @modal_disagreed_text   = "No, thanks"
+      @modal_title            = "Authentication Manager"
+      # @modal_description    = "<h4>#{description_title}</h4><br /><br />User <b>#{user}</b> from provider <b>#{provider}</b> requested access on <b>#{category}</b> pages.<br /> In order to continue, you need to accept on <b>Cookies</b>."
+      @modal_description      = "<h4>#{description_title}</h4><br /><br /> In order to continue, you need to accept on <b>Cookies</b>."
+
+      erb :auth_manager_ui
+    end
+    # END: get /cookies_rejected
+    # --------------------------------------------------------------------------
+
+
+    #  ENDPOINT access_denied (exception, called from the app|auth manager)
+    # --------------------------------------------------------------------------
+    get '/access_denied' do
+      provider          = params.fetch('provider')
+      category          = params.fetch('category')
+      user              = params.fetch('user')
+      description_title = params.fetch('title')
+
+      log_info! 'API', 'ExceptionHandler', 'Request received'
+      log_info! 'ExceptionHandler', 'ERROR', 'Access Denied'
+
+      session_encoded = request.cookies['j1.web.session']
+      session_decoded = Base64.decode64(session_encoded)
+      web_session_data  = JSON.parse(session_decoded)
+
+      # Update J1 web session data
+      # --------------------------------------------------------------------
+      web_session_data['user_name']             = user
+      # web_session_data['user_id']               = 'unknown'
+      # web_session_data['users_allowed']         = 'unknown'
+      # web_session_data['payment_status']        = 'unknown'
+      web_session_data['provider']              = provider
+      # web_session_data['provider_url']          = 'unknown'
+      # web_session_data['provider_permissions']  = 'unknown'
+      # web_session_data['authenticated']         = 'false'
+      web_session_data['writer']                = 'middleware'
+
+      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data', "#{session_json}"
+
+      # write updated J1 session data to cookie
+      #
+      session_json = web_session_data.to_json
+      session_encoded = Base64.encode64(session_json)
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
+
+      log_info! 'ExceptionHandler', 'Redirect', 'Pass to error page', "Access Denied"
+
+      # Capitalize first char
+      provider  =  provider.sub(/^./, &:upcase)
+      route     = '/'
+
+      @route                  = route
+      @provider               = provider
+      @modal                  = "centralModalInfo"
+      @info_type              = "danger"
+      @modal_icon             = "account-off"
+      @modal_ok_text          = "Ok, understood"
+      @modal_title            = "Authentication Manager"
+      @modal_description      = "<h4>#{description_title}</h4></br></br> User <b>#{user}</b> from provider <b>#{provider}</b> is not allowed to access <b>#{category}</b> pages."
+
+      erb :auth_manager_ui
+    end
+    # END: get '/access_denied'
+    # --------------------------------------------------------------------------
+
+
+    # ENDPOINT  invalid_funds (exception, called from the app|auth manager)
+    # --------------------------------------------------------------------------
+    get '/invalid_funds' do
+      provider          = params.fetch('provider')
+      category          = params.fetch('category')
+      user              = params.fetch('user')
+      description_title = params.fetch('title')
+
+      log_info! 'API', 'ExceptionHandler', 'Request received'
+      log_info! 'ExceptionHandler', 'ERROR', 'Invalid Funds'
+
+      session_encoded = request.cookies['j1.web.session']
+      session_decoded = Base64.decode64(session_encoded)
+      web_session_data  = JSON.parse(session_decoded)
+
+      # Update J1 web session data
+      # --------------------------------------------------------------------
+      web_session_data['user_name']             = user
+      # web_session_data['user_id']               = 'unknown'
+      # web_session_data['users_allowed']         = 'unknown'
+      # web_session_data['payment_status']        = 'unknown'
+      web_session_data['provider']              = provider
+      # web_session_data['provider_url']          = 'unknown'
+      # web_session_data['provider_permissions']  = 'unknown'
+      # web_session_data['authenticated']         = 'false'
+      web_session_data['writer']                = 'middleware'
+
+      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data', "#{session_json}"
+
+      # write updated J1 session data to cookie
+      #
+      log_info! 'API', 'Exception Handler', 'ERROR', 'Invalid Funds'
+      session_json = web_session_data.to_json
+      session_encoded = Base64.encode64(session_json)
+      response.set_cookie(
+          'j1.web.session',
+          domain: false,
+          value: session_encoded.to_s,
+          path: '/'
+      )
+
+      log_info! 'ExceptionHandler', 'Redirect', 'Pass to error page', 'Invalid Funds'
+
+      # Capitalize first char
+      provider  =  provider.sub(/^./, &:upcase)
+      route     = '/'
+
+      @route                  = route
+      @provider               = provider
+      @modal                  = "centralModalInfo"
+      @info_type              = "danger"
+      @modal_icon             = "account-off"
+      @modal_ok_text          = "Ok, understood"
+      @modal_title            = "Authentication Manager"
+      @modal_description      = "<h4>#{description_title}</h4></br></br> User <b>#{user}</b> from provider <b>#{provider}</b> is not allowed to access <b>#{category}</b> pages."
+
+      erb :auth_manager_ui
+    end
+    # END: get /invalid_funds
+    # --------------------------------------------------------------------------
+
+
+    # access_protected_content ENDPOINT called from the app (auth manager)
+    # --------------------------------------------------------------------------
+    get '/page_validation' do
+      provider        = params.fetch('provider')
+      allowed_users   = params.fetch('allowed_users')
+      page            = params.fetch('page')
+      category        = params.fetch('category')
+
+      log_info! 'API', 'PageAccessControl', 'PageValidate request received'
+
+      # Capitalize first char
+      # provider        =  provider.sub(/^./, &:upcase)
+
+      log_info! 'PageAccessControl', 'AuthCheck', 'Check provider', "#{provider}"
+      # jadams, 2019-03-16: Hier ist das Problem
+      #
+      if warden.authenticated?
+        log_info! 'PageAccessControl', 'AuthCheck', 'Grant access for', "#{provider}"
+        log_info! 'PageAccessControl', 'Redirect', 'Pass to page', "#{page}"
+        route = page
+      else
+        log_info! 'PageAccessControl', 'AuthCheck', 'Authentication failed', "#{provider}"
+        route = "/authentication?request=signin&provider=#{provider}&allowed_users=#{allowed_users}"
+      end
+
+      log_info! 'PageAccessControl', 'Redirect', 'Pass to SignIn dialog, page', "#{page}"
+      # Capitalize first char
+      provider                =  provider.sub(/^./, &:upcase)
+
+      @provider               = provider
+      @route                  = route
+      @modal                  = "signInProtectedContent"
+      @modal_icon             = "login"
+      @modal_agreed_text      = "Yes, please"
+      @modal_disagreed_text   = "No, thanks"
+      @modal_title            = "SignIn"
+      @modal_image            = "/assets/images/master_header/admin-dashboard-bootstrap-1280x600.png"
+      @modal_description      = "The page <b>#{page}</b> you requested belongs to <b>#{category}</b> content. You'll be redirected to authenticate with the provider <b>#{provider}</b>. If signed in successfully, you get access to all <b>#{category} pages</b>."
+
+      erb :auth_manager_ui
+    end
+    # END: get '/page_validation
+    # --------------------------------------------------------------------------
+
+    # ENDPOINT iframe
+    # --------------------------------------------------------------------------
+    get '/iframe' do
+      @website_url = "https://jekyll-one.github.io/"
+      erb :iframe
+    end
+
+    # Workaround to rescue OmniAuth::Strategies::OAuth2::CallbackError?
+    # for chromium based browsers (e.g. google-chrome)
+    # ------------------------------------------------------------------------
+    get '/redirect_requested_page' do
+      log_info! 'Fallback', 'Redirect', 'Pass to requested page', "#{web_session_data['requested_page']}"
+      redirect web_session_data['requested_page']
+    end
+    # END: get /iframe
+    # --------------------------------------------------------------------------
+  end
+end