j1_template_mde 2018.4.31 → 2018.4.32

data/lib/j1_app/j1_auth_manager/auth_manager.rb

@@ -68,17 +68,34 @@ module J1App
     # Base App and Warden Framework settings
     # ==========================================================================
 
-    j1_web_session = {
-        :authenticated       => 'false',
-        :requested_page      => '/',
-        :user_name           => 'unknown',
-        :users_allowed       => 'unknown',
-        :user_id             => 'unknown',
-        :provider            => 'unknown',
-        :provider_url        => '/',
-        :payment_info        => 'unknown',
-        :permissions         => 'unknown',
-        :writer              => 'middleware'
+    session_data = {}
+
+    # web_session_data = {
+    #     :authenticated       => 'false',
+    #     :requested_page      => '/',
+    #     :user_name           => 'unknown',
+    #     :users_allowed       => 'unknown',
+    #     :user_id             => 'unknown',
+    #     :provider            => 'unknown',
+    #     :provider_url        => '/',
+    #     :payment_info        => 'unknown',
+    #     :permissions         => 'unknown',
+    #     :writer              => 'middleware'
+    # }
+
+    web_session_data = {
+        :authenticated        => 'false',
+        :requested_page       => '/',
+        :user_name            => 'visitor',
+        :users_allowed        => 'all',
+        :user_id              => 'unknown',
+        :provider             => 'j1',
+        :provider_membership  => 'guest',
+        :provider_url         => 'https://jekyll.one',
+        :payment_info         => 'unknown',
+        :provider_permissions => 'public',        
+        :creator              => 'middleware',
+        :writer               => 'middleware'
     }
 
     # Enable SSL for the rack session if configured
@@ -90,10 +107,15 @@ module J1App
     # for the authentication service
     # --------------------------------------------------------------------------
     use Rack::Session::Cookie,
-        http_only: true,
+        http_only: true,   # if set to 'true', make session cookie visible to the browser (document) for HTTP
         key: 'j1.app.session',
         secret: ENV['J1_SESSION_SECRET'] || SecureRandom.hex
 
+    # use Rack::Cache do |config|
+    #   # 
+    #   # ------------------------------------------------------------------------
+    #   config.middleware.delete(Rack::Cache)
+    # end
 
     # ==========================================================================
     # Warden Framework initialisation
@@ -110,7 +132,6 @@ module J1App
       user
     end
 
-
     # ==========================================================================
     # OmniAuth|Warden Framework initialisation
     # ==========================================================================
@@ -225,17 +246,23 @@ module J1App
       log_info! "ROOT", "Prepare", 'Web Session'
 
       # read existing/current cookie 'j1.web.session' to update all data
-      # of j1_web_session (hash) otherwise set initial data
+      # of web_session_data (hash) otherwise set initial data
       # ------------------------------------------------------------------------
       unless env['HTTP_COOKIE'] == nil
-        if env['HTTP_COOKIE'].include? 'j1.web.session'
-          session_encoded = request.cookies['j1.web.session']
-          session_decoded = Base64.decode64(session_encoded)
-          j1_web_session = JSON.parse(session_decoded)
-        end
+        log_info! "ROOT", 'Cookie', 'Read current web session data'
+        web_session_data = readCookie('j1.web.session')
+        data_json = web_session_data.to_json
+        log_info! "ROOT", 'Cookie', 'Current web session data', "#{data_json}"
+
+        # if env['HTTP_COOKIE'].include? 'j1.web.session'
+        #   session_encoded = request.cookies['j1.web.session']
+        #   session_decoded = Base64.decode64(session_encoded)
+        #   web_session_data = JSON.parse(session_decoded)
+        # end
+
       else
         requested_page = env['REQUEST_URI']
-        j1_web_session['requested_page'] = "#{env['REQUEST_URI']}"
+        session_data['requested_page'] = "#{env['REQUEST_URI']}"
       end
 
       # Create|Initialize the J1 web session cookie
@@ -245,39 +272,40 @@ module J1App
 
         user = warden.user
         log_info! "ROOT", 'AuthCheck', 'User detected as signed in', "#{user[:provider]}"
-        j1_web_session['authenticated']   = 'true'
-        j1_web_session['requested_page']  = '/'
-        j1_web_session['users_allowed']   = providers["#{user[:provider]}"]['users']
-        j1_web_session['user_name']       = user[:info]['nickname']
-        j1_web_session['user_id']         = user[:uid]
-        j1_web_session['provider']        = user[:provider]
-        j1_web_session['provider_url']    = providers["#{user[:provider]}"]['home_url']
-        j1_web_session['permissions']     = providers["#{user[:provider]}"]['permissions']
-        j1_web_session['payment_status']  = user[:info][:payment_status]
+        session_data['authenticated']         = 'true'
+        session_data['requested_page']        = '/'
+        session_data['user_name']             = user[:info]['nickname']
+        session_data['users_allowed']         = providers["#{user[:provider]}"]['users']
+        session_data['user_id']               = user[:uid]
+        session_data['provider']              = user[:provider]
+        session_data['provider_membership']   = 'member'
+        session_data['provider_url']          = providers["#{user[:provider]}"]['provider_url']
+        session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        session_data['payment_status']        = user[:info][:payment_status]
       else
         log_info! "ROOT", 'AuthCheck', 'User detected', 'signed out'
-        j1_web_session['authenticated']   = 'false'
-        j1_web_session['requested_page']  = '/'
-        j1_web_session['users_allowed']   = 'all'
-        j1_web_session['user_name']       = 'unknown'
-        j1_web_session['user_id']         = 'unknown'
-        j1_web_session['payment_status']  = 'unknown'
-        j1_web_session['provider']        = 'unknown'
-        j1_web_session['provider_url']    = 'unknown'
-        j1_web_session['permissions']     = 'unknown'
+        session_data['authenticated']         = 'false'
+#       session_data['requested_page']        = '/'
+        session_data['users_allowed']         = 'all'
+        session_data['user_name']             = 'visitor'
+        session_data['user_id']               = 'unknown'
+        session_data['payment_status']        = 'unknown'
+        session_data['provider']              = 'j1'
+        session_data['provider_membership']   = 'guest'
+        session_data['provider_url']          = 'https://jekyll.one'
+        session_data['provider_permissions']  = 'public'
       end
-      j1_web_session['writer']            = 'middleware'
+      session_data['writer']                  = 'middleware'
+      session_data['creator']                 = 'middleware'
 
-      session_json = j1_web_session.to_json
-      log_info! "ROOT", 'Cookie', 'Update web session data'                     # "#{session_json}"
+      web_session_data = merge( web_session_data, session_data )
+      
+      data_json = session_data.to_json
+      log_info! "ROOT", 'Cookie', 'Merge current user data', "#{data_json}"
 
-      session_encoded = Base64.encode64(session_json)
-      response.set_cookie(
-          'j1.web.session',
-          domain: false,
-          value: session_encoded.to_s,
-          path: '/'
-      )
+      data_json = web_session_data.to_json
+      log_info! "ROOT", 'Cookie', 'Update web session data', "#{data_json}"
+      writeCookie('j1.web.session', data_json)
     end
 
     # General page detection (page auth pre-flight)
@@ -287,64 +315,79 @@ module J1App
       log_info! 'AuthManager', 'PreFlight', 'Initial checks initiated'
 
       # read existing/current cookie 'j1.web.session'
-      # to update all data of j1_web_session (hash)
+      # to update all data of web_session_data (hash)
       # if request.warden.user.respond_to?(:info)
       # ------------------------------------------------------------------------
+
+      #web_session_data = readCookie('j1.web.session')
+      
       if env['HTTP_COOKIE'].include? 'j1.web.session'
         session_encoded     = request.cookies['j1.web.session']
         session_decoded     = Base64.decode64(session_encoded)
-        j1_web_session      = JSON.parse(session_decoded)
+        # See: https://stackoverflow.com/questions/86653/how-can-i-pretty-format-my-json-output-in-ruby-on-rails
+        session_pretty      = JSON.pretty_generate(session_decoded)
+        web_session_data    = JSON.parse(session_decoded)
 
-        log_info! 'PreFlight', 'Cookie', 'Read web session data' # "#{session_decoded}"
+        log_info! 'PreFlight', 'Cookie', 'Read web session data', "#{session_decoded}"  #   ,"#{session_pretty}"
       else
         requested_page                    = env['REQUEST_URI']
-        j1_web_session['requested_page']  = "#{env['REQUEST_URI']}"
+        session_data['requested_page']  = "#{env['REQUEST_URI']}"
       end
 
       # Create|Initialize the J1 web session cookie
       # ------------------------------------------------------------------------
-      log_info! 'PreFlight', 'AuthCheck', 'Check authentication status'
+      log_info! 'PreFlight', 'AuthCheck', 'Check authentication state'
       if warden.authenticated?
         user = warden.user
-        j1_web_session['authenticated']   = 'true'
-        j1_web_session['user_name']       = user[:info]['nickname']
-        j1_web_session['user_id']         = user[:uid]
-        j1_web_session['provider']        = user[:provider]
-        j1_web_session['provider_url']    = providers["#{user[:provider]}"]['home_url']
-        j1_web_session['users_allowed']   = providers["#{user[:provider]}"]['users']#
-        j1_web_session['permissions']     = providers["#{user[:provider]}"]['permissions']
-        j1_web_session['payment_status']  = user[:info][:payment_status]
-        j1_web_session['writer']          = 'middleware'
-
+        session_data['authenticated']         = 'true'
+        session_data['user_name']             = user[:info]['nickname']
+        session_data['user_id']               = user[:uid]
+        session_data['provider']              = user[:provider]
+        session_data['provider_url']          = providers["#{user[:provider]}"]['provider_url']
+        session_data['users_allowed']         = providers["#{user[:provider]}"]['users']#
+        session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        session_data['provider_membership']   = 'member'
+        session_data['payment_status']        = user[:info][:payment_status]
+        session_data['writer']                = 'middleware'
+
+        web_session_data = merge( web_session_data, session_data )
         log_info! 'PreFlight', 'AuthCheck', 'User authenticated', "#{user[:info]['nickname']}"
 
-        session_json = j1_web_session.to_json
-        log_info! 'PreFlight', 'Cookie', 'Write web session data' # "#{session_json}"
+        session_json = web_session_data.to_json
+        log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
+        writeCookie('j1.web.session', session_json)
 
-        session_encoded = Base64.encode64(session_json)
-        response.set_cookie(
-            'j1.web.session',
-            domain: false,
-            value: session_encoded.to_s,
-            path: '/'
-        )
       end
 
       # User state|content detection for implicit authentication
       # ------------------------------------------------------------------------
       log_info! 'PreFlight', 'CheckConfig', 'Authentication check', 'disabled' if authentication_enabled? == false
-      log_info! 'PreFlight', 'AuthCheck', 'Pass for all pages' if authentication_enabled? == false
+      log_info! 'PreFlight', 'AuthCheck', 'Pass for all pages' if authentication_enabled? == false    
       pass if authentication_enabled? == false
 
       log_info! 'PreFlight', 'CheckConfig', 'Authentication check', 'enabled'
-      log_info! 'PreFlight', 'DetectContent', 'Public content', 'YES' if public_content?
+      log_info! 'PreFlight', 'DetectContent', 'Public content detected' if public_content?
       log_info! 'PreFlight', 'DetectContent', 'Pass all public content' if public_content?
       pass if public_content?
 
+      log_info! 'PreFlight', 'DetectCookieConsent', 'Cookie Consent', "#{web_session_data['cookies_accepted']}"
+
+      # if web_session_data['cookies_accepted'] === 'declined'
+      #   requested_page = env['REQUEST_URI']
+      #   requested_page.scan(/(protected|private)/) do |match|
+      #     category = match[0]
+      #     log_info! 'PreFlight', 'DetectContent', 'Content detected as', "#{category}"
+      #     log_info! 'PreFlight', 'Redirect', 'Pass to dialog page (Cookie Consent)'
+      #     description_title = "Cookie consent declined"
+      #     redirect "/cookie_consent?provider=#{web_session_data['provider']}&user=#{web_session_data['user_name']}&category=#{category}&requested_page=#{requested_page}&title=#{description_title}"
+      #     #redirect requested_page
+      #   end
+      # end
+
       log_info! 'PreFlight', 'DetectContent', 'Check content type'
 
       requested_page = env['REQUEST_URI']
-      requested_page.scan(/(private|premium)/) do |match|
+      requested_page.scan(/(protected|private)/) do |match|
 
         category = match[0]
         log_info! 'PreFlight', 'DetectContent', 'Content type detected', "#{category}"
@@ -360,11 +403,11 @@ module J1App
           strategy          = providers["#{current_provider}"]['strategy']
           provider_strategy = :"#{strategy}"
 
-          j1_web_session['user_name']       = user_name
-          j1_web_session['provider_url']    = providers["#{current_provider}"]['home_url']
-          j1_web_session['users_allowed']   = providers["#{current_provider}"]['users']
-          j1_web_session['permissions']     = providers["#{user[:provider]}"]['permissions']
-          j1_web_session['requested_page']  = requested_page
+          web_session_data['user_name']             = user_name
+          web_session_data['provider_url']          = providers["#{current_provider}"]['provider_url']
+          web_session_data['users_allowed']         = providers["#{current_provider}"]['users']
+          web_session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+          web_session_data['requested_page']        = requested_page
 
           log_info! 'PreFlight', 'ContentCheck', 'Check permissions'
           if permissions[:"#{category}"].include? current_provider
@@ -413,8 +456,8 @@ module J1App
             warden.logout
             session.clear
 
-            session_json = j1_web_session.to_json
-            log_info! 'PreFlight', 'Cookie', 'Write web session data' # "#{session_json}"
+            session_json = web_session_data.to_json
+            log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
 
             session_encoded = Base64.encode64(session_json)
             response.set_cookie(
@@ -428,7 +471,16 @@ module J1App
             allowed_users = providers["#{provider}"]['users'].join(',')
             redirect "/page_validation?provider=#{provider}&category=#{category}&page=#{requested_page}&allowed_users=#{allowed_users}"
           end
+
+          time = Time.now.ctime.to_s
           log_info! 'PreFlight', 'AuthCheck', 'Pass to requested page', "#{requested_page}"
+          log_info! 'PreFlight', 'AuthCheck', 'Set X-Response-Headers'
+          
+          # See: https://stackoverflow.com/questions/10438276/how-to-disable-static-file-caching-in-rails-3-thin-on-windows
+          # response.headers["Cache-Control"]   = 'no-cache, no-store, max-age=0, must-revalidate'
+          # response.headers["Pragma"]          = 'no-cache'
+          # response.headers["Expires"]         = 'Fri, 01 Jan 1990 00:00:00 GMT'
+          response.headers['X-J1-AuthManager']  = "page-validated;category=#{category};called=" +  time
           pass
         else
           log_info! 'PreFlight', 'AuthCheck', 'User detected', 'signed out'
@@ -446,17 +498,17 @@ module J1App
           when :org
             warden.authenticate!
             github_organization_authenticate! ENV['GITHUB_ORG_NAME']
-            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} organization"
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} organization"
 
           when :team
             warden.authenticate!
             github_team_authenticate! ENV['GITHUB_TEAM_ID']
-            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team"
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} team"
 
           when :teams
             warden.authenticate!
             github_teams_authenticate! ENV['GITHUB_TEAM_IDS'].split(',')
-            logger.info "Hi There, #{j1_web_session[:user_name]}! You have access to the #{params['id']} team"
+            logger.info "Hi There, #{web_session_data[:user_name]}! You have access to the #{params['id']} team"
 
           when :member
             log_info! 'PreFlight', 'AuthCheck', 'Process authentication strategy'
@@ -465,34 +517,27 @@ module J1App
               session_encoded   = request.cookies['j1.web.session']
               session_decoded   = Base64.decode64(session_encoded)
               log_info! 'PreFlight', 'Cookie', 'Read web session data'          # "#{session_decoded}"
-              j1_web_session    = JSON.parse(session_decoded)
+              web_session_data    = JSON.parse(session_decoded)
             end
 
             # Update cookie data
             # ----------------------------------------------------------------------
-            j1_web_session['provider_url']    = providers["#{default_provider}"]['home_url']
-            j1_web_session['users_allowed']   = providers["#{default_provider}"]['users']
-            j1_web_session['permissions']     = providers["#{default_provider}"]['permissions']
-            j1_web_session['requested_page']  = env['REQUEST_URI']
-            j1_web_session['writer']          = 'middleware'
+            web_session_data['provider_url']          = providers["#{default_provider}"]['provider_url']
+            web_session_data['users_allowed']         = providers["#{default_provider}"]['users']
+            web_session_data['provider_permissions']  = providers["#{default_provider}"]['permissions']
+            web_session_data['requested_page']        = env['REQUEST_URI']
+            web_session_data['writer']                = 'middleware'
 
             # write updated J1 session cookie
             #
-            session_json = j1_web_session.to_json
-            session_encoded = Base64.encode64(session_json)
-            log_info! 'PreFlight', 'Cookie', 'Write web session data' # "#{session_json}"
+            session_json = web_session_data.to_json
+            log_info! 'PreFlight', 'Cookie', 'Write web session data', "#{session_json}"
+            writeCookie('j1.web.session', session_json)
 
-            response.set_cookie(
-                'j1.web.session',
-                domain: false,
-                value: session_encoded.to_s,
-                path: '/'
-            )
+            log_info! 'PreFlight', 'Redirect', 'Call API request', 'PageValidate'
 
             allowed_users   = providers["#{default_provider}"]['users'].join(',')
             requested_page  = env['REQUEST_URI']
-
-            log_info! 'PreFlight', 'Redirect', 'Call API request', 'PageValidate'
             redirect "/page_validation?provider=#{default_provider}&category=#{category}&page=#{requested_page}&allowed_users=#{allowed_users}"
           else
             raise J1App::ConfigError
@@ -527,13 +572,13 @@ module J1App
         # ----------------------------------------------------------------------
         allowed_users                   =  params.fetch('allowed_users')
 
-        j1_web_session['users_allowed'] = allowed_users
-        j1_web_session['writer']        = 'middleware'
+        web_session_data['users_allowed'] = allowed_users
+        web_session_data['writer']        = 'middleware'
 
         # Write updated J1 session data to cookie
         # --------------------------------------------------------------------
-        session_json = j1_web_session.to_json
-        log_info! 'Authentication', 'Cookie', 'Write web session data' # #{session_json}"
+        session_json = web_session_data.to_json
+        log_info! 'Authentication', 'Cookie', 'Write web session data', "#{session_json}"
 
         session_encoded = Base64.encode64(session_json)
         response.set_cookie(
@@ -561,117 +606,106 @@ module J1App
         provider_signout = params.fetch('provider_signout')
         log_info! 'Authentication', 'SignOut', 'Called for provider', #{provider}"
 
-                  if warden.authenticated?
-                    user         = warden.user[:info]['nickname']
-                    provider     = warden.user[:provider]
-                    provider_url = j1_web_session['provider_url']
-                    log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
-                    warden.logout
-                    session.clear
-
-                    # Read current J1 web session cookie
-                    # --------------------------------------------------------------------
-                    if env['HTTP_COOKIE'].include? 'j1.web.session'
-                      session_encoded = env['rack.request.cookie_hash']['j1.web.session']
-                      session_decoded = Base64.decode64(session_encoded)
-                      log_info! 'Authentication', 'Cookie', 'Read web session data' # #{session_decoded}"
-                      j1_web_session = JSON.parse(session_decoded)
-                    else
-                      j1_web_session['requested_page'] = env['REQUEST_URI']
-                    end
-
-                    # Update J1 web session data
-                    # --------------------------------------------------------------------
-                    j1_web_session['user_name']       = 'unknown'
-                    j1_web_session['user_id']         = 'unknown'
-                    j1_web_session['users_allowed']   = 'unknown'
-                    j1_web_session['payment_status']  = 'unknown'
-                    j1_web_session['provider']        = 'unknown'
-                    j1_web_session['provider_url']    = 'unknown'
-                    j1_web_session['permissions']     = 'unknown'
-                    j1_web_session['authenticated']   = 'false'
-                    j1_web_session['writer']          = 'middleware'
-
-                    # Write updated J1 session data to cookie
-                    # --------------------------------------------------------------------
-                    session_json = j1_web_session.to_json
-                    log_info! 'Authentication', 'Cookie', 'Write web session data' # #{session_json}"
-
-                    session_encoded = Base64.encode64(session_json)
-                    response.set_cookie(
-                        'j1.web.session',
-                        domain: false,
-                        value: session_encoded.to_s,
-                        path: '/'
-                    )
-
-                    if provider_signout === 'true'
-                      log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
-                      log_info! 'Authentication', 'SignOut', 'Sign out from', "#{provider}"
-                      log_info! 'Authentication', 'Redirect', 'Pass to provider', "#{provider_url}"
-                      redirect "#{provider_url}"
-                    else
-                      log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
-                      log_info! 'Authentication', 'SignOut', 'Sign out from', "session"
-
-                      # If signed out, redirect ONLY for PUBLIC pages
-                      # ------------------------------------------------------------------
-                      if redirect_whitelisted?j1_web_session['requested_page']
-                        log_info! 'Authentication', 'Redirect', 'Pass to page', "#{j1_web_session['requested_page']}"
-                        redirect j1_web_session['requested_page']
-                      else
-                        log_info! 'Authentication', 'Redirect', 'Redirect NOT whitelisted'
-                        log_info! 'Authentication', 'Redirect', 'Pass to page', "/"
-                        redirect '/'
-                      end
-                    end
-                  else
-                    # THIS condition should NEVER REACHED because NO logout dialog
-                    # (modal) is provided by the auth client if a user isn't signed in.
-                    # Kept this alternative for cases something went wrong.
-                    # --------------------------------------------------------------------
-                    log_info! 'Authentication', 'API', 'DEAD PATH: Called for sign out', 'NOT signed in'
-
-                    # Read current J1 session cookie
-                    # --------------------------------------------------------------------
-                    if env['HTTP_COOKIE'].include? 'j1.web.session'
-                      session_encoded   = env['rack.request.cookie_hash']['j1.web.session']
-                      session_decoded   = Base64.decode64(session_encoded)
-                      j1_web_session  = JSON.parse(session_decoded)
-
-                      log_info! 'Authentication', 'Cookie', 'DEAD PATH. Read web session data' # #{session_decoded}"
-                    else
-                      j1_web_session['requested_page'] = env['REQUEST_URI']
-                    end
-
-                    # Update J1 web session data
-                    # --------------------------------------------------------------------
-                    j1_web_session['user_name']       = 'unknown'
-                    j1_web_session['user_id']         = 'unknown'
-                    j1_web_session['users_allowed']   = 'unknown'
-                    j1_web_session['payment_status']  = 'unknown'
-                    j1_web_session['provider']        = 'unknown'
-                    j1_web_session['provider_url']    = 'unknown'
-                    j1_web_session['permissions']     = 'unknown'
-                    j1_web_session['authenticated']   = 'false'
-                    j1_web_session['writer']          = 'middleware'
-
-                    # Write updated J1 session data to cookie
-                    # --------------------------------------------------------------------
-                    session_json = j1_web_session.to_json
-                    log_info! 'Authentication', 'Cookie', 'DEAD PATH. Write web session data' # #{session_json}"
-
-                    session_encoded = Base64.encode64(session_json)
-                    response.set_cookie(
-                        'j1.web.session',
-                        domain: false,
-                        value: session_encoded.to_s,
-                        path: '/'
-                    )
-
-                    log_info! 'Post Authentication', 'Redirect', 'DEAD PATH: Pass to requested page', "#{j1_web_session['requested_page']}"
-                    redirect j1_web_session['requested_page']
-                  end
+        if warden.authenticated?
+          user         = warden.user[:info]['nickname']
+          provider     = warden.user[:provider]
+          provider_url = web_session_data['provider_url']
+          log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+          warden.logout
+          session.clear
+
+          # Read current J1 web session cookie
+          # --------------------------------------------------------------------
+          if env['HTTP_COOKIE'].include? 'j1.web.session'
+            session_encoded = env['rack.request.cookie_hash']['j1.web.session']
+            session_decoded = Base64.decode64(session_encoded)
+            log_info! 'Authentication', 'Cookie', 'Read web session data' # #{session_decoded}"
+            web_session_data = JSON.parse(session_decoded)
+          else
+            web_session_data['requested_page'] = env['REQUEST_URI']
+          end
+
+          # Update J1 web session data
+          # --------------------------------------------------------------------
+          web_session_data['user_name']             = 'visitor'
+          web_session_data['user_id']               = 'unknown'
+          web_session_data['users_allowed']         = 'all'
+          web_session_data['payment_status']        = 'unknown'
+          web_session_data['provider']              = 'j1'
+          web_session_data['provider_url']          = 'https://jekyll.one'
+          web_session_data['provider_membership']   = 'guest'
+          web_session_data['provider_permissions']  = 'public'
+          web_session_data['authenticated']         = 'false'
+          web_session_data['writer']                = 'middleware'
+
+          # Write updated J1 session data to cookie
+          # --------------------------------------------------------------------
+          session_json = web_session_data.to_json
+          log_info! 'Authentication', 'SignOut', 'Write web session data', "#{session_json}"
+          writeCookie('j1.web.session', session_json)
+
+          if provider_signout === 'true'
+            log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+            log_info! 'Authentication', 'SignOut', 'Sign out from', "#{provider}"
+            log_info! 'Authentication', 'Redirect', 'Pass to provider', "#{provider_url}"
+            redirect "#{provider_url}"
+          else
+            log_info! 'Authentication', 'SignOut', 'Sign out user', "#{user}"
+            log_info! 'Authentication', 'SignOut', 'Sign out from', "session"
+
+            # If signed out, redirect ONLY for PUBLIC pages
+            # ------------------------------------------------------------------
+            if redirect_whitelisted?web_session_data['requested_page']
+              log_info! 'Authentication', 'Redirect', 'Pass to page', "#{web_session_data['requested_page']}"
+              redirect web_session_data['requested_page']
+            else
+              log_info! 'Authentication', 'Redirect', 'Redirect NOT whitelisted'
+              log_info! 'Authentication', 'Redirect', 'Pass to page', "/"
+              redirect '/'
+            end
+          end
+        else
+          # THIS condition should NEVER REACHED because NO logout dialog
+          # (modal) is provided by the auth client if a user isn't signed in.
+          # Kept this alternative for cases something went wrong.
+          # --------------------------------------------------------------------
+          log_info! 'Authentication', 'API', 'DEAD PATH: Called for sign out', 'NOT signed in'
+
+          # Read current J1 session cookie
+          # --------------------------------------------------------------------
+          if env['HTTP_COOKIE'].include? 'j1.web.session'
+            session_encoded   = env['rack.request.cookie_hash']['j1.web.session']
+            session_decoded   = Base64.decode64(session_encoded)
+            web_session_data  = JSON.parse(session_decoded)
+
+            log_info! 'Authentication', 'Cookie', 'DEAD PATH. Read web session data' # #{session_decoded}"
+          else
+            web_session_data['requested_page'] = env['REQUEST_URI']
+          end
+
+          # Update J1 web session data
+          # --------------------------------------------------------------------
+          web_session_data['user_name']             = 'visitor'
+          web_session_data['user_id']               = 'unknown'
+          web_session_data['users_allowed']         = 'all'
+          web_session_data['payment_status']        = 'unknown'
+          web_session_data['provider']              = 'j1'
+          web_session_data['provider_url']          = 'https://jekyll.one'
+          web_session_data['provider_membership']   = 'guest'
+          web_session_data['provider_permissions']  = 'public'
+          web_session_data['provider_membership']   = 'member'
+          web_session_data['authenticated']         = 'false'
+          web_session_data['writer']                = 'middleware'
+
+          # Write updated J1 session data to cookie
+          # --------------------------------------------------------------------
+          session_json = web_session_data.to_json
+          log_info! 'Authentication', 'Cookie', 'DEAD PATH. Write web session data', "#{session_json}"
+          writeCookie('j1.web.session', session_json)
+
+          log_info! 'Post Authentication', 'Redirect', 'DEAD PATH: Pass to requested page', "#{web_session_data['requested_page']}"
+          redirect web_session_data['requested_page']
+        end
       else
         raise J1App::ConfigError
       end
@@ -697,7 +731,7 @@ module J1App
       log_info! 'Post Authentication',  'Cookie', 'Read web session data'
       session_encoded   = request.cookies['j1.web.session']
       session_decoded   = Base64.decode64(session_encoded)
-      j1_web_session    = JSON.parse(session_decoded)
+      web_session_data    = JSON.parse(session_decoded)
 
       user                              = warden.user
       user_json                         = user.to_json
@@ -764,19 +798,20 @@ module J1App
         redirect "/access_denied?provider=unknown&user=unknown&category=unknown&title=#{description_title}"
       else
         log_info! 'Post Authentication', 'Identification', 'User identified successfully'
-        log_info! 'Post Authentication',  'Cookie', 'Update web session data'    # "#{j1_web_session}"
-        j1_web_session['user_name']       = user[:info]['nickname']
-        j1_web_session['user_id']         = user[:uid]
-        j1_web_session['provider']        = user[:provider]
-        j1_web_session['permissions']     = providers["#{user[:provider]}"]['permissions']
-        j1_web_session['authenticated']   = 'true'
-        j1_web_session['payment_status']  = user[:info][:payment_status]
-        j1_web_session['writer']          = 'middleware'
+        log_info! 'Post Authentication',  'Cookie', 'Update web session data'    # "#{web_session_data}"
+        web_session_data['user_name']             = user[:info]['nickname']
+        web_session_data['user_id']               = user[:uid]
+        web_session_data['provider']              = user[:provider]
+        web_session_data['provider_membership']   = 'member'
+        web_session_data['provider_permissions']  = providers["#{user[:provider]}"]['permissions']
+        web_session_data['authenticated']         = 'true'
+        web_session_data['payment_status']        = user[:info][:payment_status]
+        web_session_data['writer']                = 'middleware'
 
-        current_user                      = user[:info]['nickname']  = user[:info]['nickname']
-        current_provider                  = user[:provider]
+        current_user                            = user[:info]['nickname']  = user[:info]['nickname']
+        current_provider                        = user[:provider]
 
-        j1_web_session['requested_page'].scan(/(private|premium)/) do |match|
+        web_session_data['requested_page'].scan(/(protected|private)/) do |match|
 
           # Set category from requested page
           #
@@ -786,10 +821,10 @@ module J1App
           # Check if user is allowed to access protected content in GENERAL
           #
           log_info! 'Post Authentication', 'Identification', 'Check for allowed users'
-          unless j1_web_session['users_allowed'].include? 'all'
-            unless j1_web_session['users_allowed'].include? "#{current_user}"
+          unless web_session_data['users_allowed'].include? 'all'
+            unless web_session_data['users_allowed'].include? "#{current_user}"
               log_info! 'Post Authentication', 'Identification', 'User not allowed', "#{current_user}"
-              log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{j1_web_session['users_allowed']}"
+              log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{web_session_data['users_allowed']}"
               log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
               warden.logout
               session.clear
@@ -798,7 +833,7 @@ module J1App
               redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
             end
           end
-          log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{j1_web_session['users_allowed']}"
+          log_info! 'Post Authentication', 'Identification', 'Allowed users', "#{web_session_data['users_allowed']}"
 
           # Check conditions to access protected content (if any)
           #
@@ -818,7 +853,7 @@ module J1App
             if blacklist.include? "#{current_user}"
               log_info! 'Post Authentication', 'Identification', 'Check blacklisting'
               log_info! 'Post Authentication', 'Identification', 'User blacklisted', "#{current_user}"
-              user[:info][:blacklisted]   = 'true'
+              user[:info][:blacklisted] = 'true'
               log_info! 'Post Authentication', 'Identification', 'Logout user from current session', "#{current_user}"
               warden.logout
               session.clear
@@ -876,6 +911,16 @@ module J1App
 
             end
             # end category_whitelisted
+          else
+            category_condition_state = providers["#{user[:provider]}"]['conditions'][category]['enabled']
+            log_info! 'Post Authentication', 'Identification', 'Category check failed for', "#{current_provider}"
+            log_info! 'Post Authentication', 'Identification', "Category checked", "#{category}"
+            log_info! 'Post Authentication', 'Identification', "Category support", "#{category_condition_state}"
+            warden.logout
+            session.clear
+            log_info! 'Post Authentication', 'Redirect', 'Pass to error page (access_denied)'
+            description_title = "Access Denied"
+            redirect "/access_denied?provider=#{current_provider}&user=#{current_user}&category=#{category}&title=#{description_title}"
           end
           # end check conditions
 
@@ -886,15 +931,15 @@ module J1App
 
       # redirect authenticated|validated user to requested page
       #
-      j1_web_session['provider']      = current_provider
-      j1_web_session['users_allowed'] = providers["#{current_provider}"]['users']
+      web_session_data['provider']      = current_provider
+      web_session_data['users_allowed'] = providers["#{current_provider}"]['users']
 
       # TODO: Add membership|product specific data for the SideBar
 
       # write updated J1 session data to cookie
       #
-      session_json = j1_web_session.to_json
-      log_info! 'Post Authentication', 'Cookie', 'Write web session data' # "#{session_json}"
+      session_json = web_session_data.to_json
+      log_info! 'Post Authentication', 'Cookie', 'Write web session data', "#{session_json}"
 
       session_encoded = Base64.encode64(session_json)
       response.set_cookie(
@@ -904,10 +949,17 @@ module J1App
           path: '/'
       )
 
+      time = Time.now.ctime.to_s
+
       log_info! 'Post Authentication', 'Identification', 'Provider', "#{user[:provider]}"
       log_info! 'Post Authentication', 'Identification', 'User', "#{user[:info]['nickname']}"
-      log_info! 'Post Authentication', 'Redirect', 'Pass to requested page', "#{j1_web_session['requested_page']}"
-      redirect j1_web_session['requested_page']
+      log_info! 'Post Authentication', 'Redirect', 'Set Last-Modified', "#{time}"
+      log_info! 'Post Authentication', 'Redirect', 'Pass to requested page', "#{web_session_data['requested_page']}"
+
+      
+      response.headers['Last-Modified'] = time
+      response.headers['Cache-Control'] = 'private,max-age=0,must-revalidate,no-store'
+      redirect web_session_data['requested_page']
 
     end
     # END: get /post_authentication
@@ -919,7 +971,7 @@ module J1App
     get '/status' do
       session_encoded   = request.cookies['j1.web.session']
       session_decoded   = Base64.decode64(session_encoded)
-      j1_web_session    = JSON.parse(session_decoded)
+      web_session_data    = JSON.parse(session_decoded)
 
       log_info! 'API', 'Status Request', 'Info request received'
 
@@ -929,7 +981,7 @@ module J1App
         user_name               = warden.user[:info]['nickname']
         user_id                 = warden.user[:uid]
         provider                = warden.user[:provider]
-        provider_permissions    = j1_web_session['permissions']
+        provider_permissions    = web_session_data['provider_permissions']
         provider_site_url       = warden.user[:info][:urls][:site]
         provider_home_url       = warden.user[:info][:urls][:home]
         provider_blog_url       = warden.user[:info][:urls][:blog]
@@ -939,7 +991,7 @@ module J1App
           provider_membership   = warden.user[:extra][:reward][:name]
           provider_member_url   = warden.user[:extra][:reward][:link]
         else
-          provider_membership   = 'unknown'
+          provider_membership   = 'member'
           provider_member_url   = '#'
         end
 
@@ -970,11 +1022,11 @@ module J1App
         log_info! 'API', 'Status Request', 'Send data', 'SIGNED_OUT'
         content_type 'application/json'
         {
-            user_name:                'unknown',
+            user_name:                'visitor',
             user_id:                  'unknown',
-            provider:                 'unknown',
-            provider_membership:      'unknown',
-            provider_permissions:     'unknown',
+            provider:                 'j1',
+            provider_membership:      'guest',
+            provider_permissions:     'public',
             provider_site_url:        '#',
             provider_home_url:        '#',
             provider_blog_url:        '#',
@@ -986,6 +1038,40 @@ module J1App
     # END: get /status
     # --------------------------------------------------------------------------
 
+    # ENDPOINT  cookie_consent (exception, called from the app|auth manager)
+    # --------------------------------------------------------------------------
+    get '/cookie_consent' do
+      provider          = params.fetch('provider')
+      category          = params.fetch('category')
+      user              = params.fetch('user')
+      requested_page    = params.fetch('requested_page')
+      description_title = params.fetch('title')
+
+      log_info! 'API', 'ExceptionHandler', 'Request received'
+      log_info! 'ExceptionHandler', 'ERROR', 'Cookies declined'
+      log_info! 'ExceptionHandler', 'Redirect', 'Pass to dialog page', 'Cookie Consent'
+
+      # Capitalize first char
+      provider                = provider.sub(/^./, &:upcase)
+      route                   = requested_page
+
+      @route                  = route
+      @provider               = provider
+      @modal                  = "centralCookieConsent"
+      @info_type              = "danger"
+      @modal_icon             = "cookie"
+      @modal_agreed_text      = "Yes, please"
+      @modal_disagreed_text   = "No, thanks"
+      @modal_title            = "Authentication Manager"
+      # @modal_description    = "<h4>#{description_title}</h4><br /><br />User <b>#{user}</b> from provider <b>#{provider}</b> requested access on <b>#{category}</b> pages.<br /> In order to continue, you need to accept on <b>Cookies</b>."
+      @modal_description      = "<h4>#{description_title}</h4><br /><br /> In order to continue, you need to accept on <b>Cookies</b>."
+
+      erb :auth_manager_ui
+    end
+    # END: get /cookies_rejected
+    # --------------------------------------------------------------------------
+
+
     #  ENDPOINT access_denied (exception, called from the app|auth manager)
     # --------------------------------------------------------------------------
     get '/access_denied' do
@@ -999,25 +1085,25 @@ module J1App
 
       session_encoded = request.cookies['j1.web.session']
       session_decoded = Base64.decode64(session_encoded)
-      j1_web_session  = JSON.parse(session_decoded)
+      web_session_data  = JSON.parse(session_decoded)
 
       # Update J1 web session data
       # --------------------------------------------------------------------
-      j1_web_session['user_name']       = 'unknown'
-      j1_web_session['user_id']         = 'unknown'
-      j1_web_session['users_allowed']   = 'unknown'
-      j1_web_session['payment_status']  = 'unknown'
-      j1_web_session['provider']        = 'unknown'
-      j1_web_session['provider_url']    = 'unknown'
-      j1_web_session['permissions']     = 'unknown'
-      j1_web_session['authenticated']   = 'false'
-      j1_web_session['writer']          = 'middleware'
-
-      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data'          # "#{session_json}"
+      web_session_data['user_name']             = user
+      # web_session_data['user_id']               = 'unknown'
+      # web_session_data['users_allowed']         = 'unknown'
+      # web_session_data['payment_status']        = 'unknown'
+      web_session_data['provider']              = provider
+      # web_session_data['provider_url']          = 'unknown'
+      # web_session_data['provider_permissions']  = 'unknown'
+      # web_session_data['authenticated']         = 'false'
+      web_session_data['writer']                = 'middleware'
+
+      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data', "#{session_json}"
 
       # write updated J1 session data to cookie
       #
-      session_json = j1_web_session.to_json
+      session_json = web_session_data.to_json
       session_encoded = Base64.encode64(session_json)
       response.set_cookie(
           'j1.web.session',
@@ -1060,26 +1146,26 @@ module J1App
 
       session_encoded = request.cookies['j1.web.session']
       session_decoded = Base64.decode64(session_encoded)
-      j1_web_session  = JSON.parse(session_decoded)
+      web_session_data  = JSON.parse(session_decoded)
 
       # Update J1 web session data
       # --------------------------------------------------------------------
-      j1_web_session['user_name']       = 'unknown'
-      j1_web_session['user_id']         = 'unknown'
-      j1_web_session['users_allowed']   = 'unknown'
-      j1_web_session['payment_status']  = 'unknown'
-      j1_web_session['provider']        = 'unknown'
-      j1_web_session['provider_url']    = 'unknown'
-      j1_web_session['permissions']     = 'unknown'
-      j1_web_session['authenticated']   = 'false'
-      j1_web_session['writer']          = 'middleware'
-
-      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data'          # "#{session_json}"
+      web_session_data['user_name']             = user
+      # web_session_data['user_id']               = 'unknown'
+      # web_session_data['users_allowed']         = 'unknown'
+      # web_session_data['payment_status']        = 'unknown'
+      web_session_data['provider']              = provider
+      # web_session_data['provider_url']          = 'unknown'
+      # web_session_data['provider_permissions']  = 'unknown'
+      # web_session_data['authenticated']         = 'false'
+      web_session_data['writer']                = 'middleware'
+
+      log_info! 'ExceptionHandler', 'Cookie', 'Write web session data', "#{session_json}"
 
       # write updated J1 session data to cookie
       #
       log_info! 'API', 'Exception Handler', 'ERROR', 'Invalid Funds'
-      session_json = j1_web_session.to_json
+      session_json = web_session_data.to_json
       session_encoded = Base64.encode64(session_json)
       response.set_cookie(
           'j1.web.session',
@@ -1164,8 +1250,8 @@ module J1App
     # for chromium based browsers (e.g. google-chrome)
     # ------------------------------------------------------------------------
     get '/redirect_requested_page' do
-      log_info! 'Fallback', 'Redirect', 'Pass to requested page', "#{j1_web_session['requested_page']}"
-      redirect j1_web_session['requested_page']
+      log_info! 'Fallback', 'Redirect', 'Pass to requested page', "#{web_session_data['requested_page']}"
+      redirect web_session_data['requested_page']
     end
     # END: get /iframe
     # --------------------------------------------------------------------------