katalyst-koi 4.13.2 → 4.14.1

data/app/assets/javascripts/koi/controllers/webauthn_registration_controller.js

@@ -6,8 +6,11 @@ import {
 } from "@github/webauthn-json/browser-ponyfill";
 
 export default class WebauthnRegistrationController extends Controller {
-  static values = { options: Object };
-  static targets = ["response"];
+  static values = {
+    options: Object,
+    response: String,
+  };
+  static targets = ["intro", "nickname", "response"];
 
   submit(e) {
     if (this.responseTarget.value === "") {
@@ -16,12 +19,17 @@ export default class WebauthnRegistrationController extends Controller {
     }
   }
 
-  createCredential() {
-    create(this.options).then((response) => {
-      this.responseTarget.value = JSON.stringify(response);
+  async createCredential() {
+    const response = await create(this.options);
 
-      this.element.requestSubmit();
-    });
+    this.responseValue = JSON.stringify(response);
+    this.responseTarget.value = JSON.stringify(response);
+  }
+
+  responseValueChanged(response) {
+    const responsePresent = response !== "";
+    this.introTarget.toggleAttribute("hidden", responsePresent);
+    this.nicknameTarget.toggleAttribute("hidden", !responsePresent);
   }
 
   get options() {

data/app/assets/stylesheets/koi/base/_flow.scss

@@ -0,0 +1,8 @@
+/*
+FLOW COMPOSITION
+Like the Every Layout stack: https://every-layout.dev/layouts/stack/
+Info about this implementation: https://piccalil.li/quick-tip/flow-utility/
+*/
+.flow > * + * {
+  margin-top: var(--flow-space, 1em);
+}

data/app/assets/stylesheets/koi/base/_index.scss

@@ -1,8 +1,10 @@
 @use "button";
 @use "icon";
 @use "input";
+@use "flow";
 @use "link";
 @use "list";
+@use "repel";
 @use "tables";
 @use "typography";
 

data/app/assets/stylesheets/koi/base/_repel.scss

@@ -0,0 +1,23 @@
+/*
+REPEL
+A little layout that pushes items away from each other where
+there is space in the viewport and stacks on small viewports
+
+CUSTOM PROPERTIES AND CONFIGURATION
+--gutter (var(--space-s-m)): This defines the space
+between each item.
+
+--repel-vertical-alignment How items should align vertically.
+Can be any acceptable flexbox alignment value.
+*/
+.repel {
+  display: flex;
+  flex-wrap: wrap;
+  justify-content: space-between;
+  align-items: var(--repel-vertical-alignment, center);
+  gap: var(--gutter, var(--space-s-m));
+}
+
+.repel[data-nowrap] {
+  flex-wrap: nowrap;
+}

data/app/controllers/admin/admin_users_controller.rb

@@ -72,6 +72,8 @@ module Admin
 
     def set_admin
       @admin = Admin::User.with_archived.find(params[:id])
+
+      request.variant << :self if @admin == current_admin_user
     end
 
     def admin_user_params

data/app/controllers/admin/credentials_controller.rb

@@ -70,7 +70,11 @@ module Admin
     def set_admin_user
       @admin_user = Admin::User.find(params[:admin_user_id])
 
-      head(:forbidden) unless current_admin == @admin_user
+      if current_admin == @admin_user
+        request.variant = :self
+      else
+        head(:forbidden)
+      end
     end
   end
 end

data/app/controllers/admin/sessions_controller.rb

@@ -4,14 +4,13 @@ module Admin
   class SessionsController < ApplicationController
     include Koi::Controller::HasWebauthn
 
-    skip_before_action :authenticate_admin, only: %i[new create]
+    before_action :redirect_authenticated, only: %i[new], if: :admin_signed_in?
+    before_action :authenticate_local_admin, only: %i[new], if: :authenticate_local_admins?
 
     layout "koi/login"
 
     def new
-      return redirect_to admin_dashboard_path if admin_signed_in?
-
-      render :new, locals: { admin_user: Admin::User.new }
+      render locals: { admin_user: Admin::User.new }
     end
 
     def create
@@ -20,12 +19,12 @@ module Admin
 
         session[:admin_user_id] = admin_user.id
 
-        redirect_to admin_dashboard_path, notice: I18n.t("koi.auth.login")
+        redirect_to(url_from(params[:redirect].presence) || admin_dashboard_path, status: :see_other)
       else
         admin_user = Admin::User.new(session_params.slice(:email, :password))
         admin_user.errors.add(:email, "Invalid email or password")
 
-        render :new, status: :unprocessable_content, locals: { admin_user: }
+        render(:new, status: :unprocessable_content, locals: { admin_user: })
       end
     end
 
@@ -34,11 +33,15 @@ module Admin
 
       session[:admin_user_id] = nil
 
-      redirect_to admin_dashboard_path, notice: I18n.t("koi.auth.logout")
+      redirect_to new_admin_session_path
     end
 
     private
 
+    def redirect_authenticated
+      redirect_to(admin_dashboard_path, status: :see_other)
+    end
+
     def session_params
       params.require(:admin).permit(:email, :password, :response)
     end
@@ -65,6 +68,8 @@ module Admin
     end
 
     def record_sign_out!(admin_user)
+      return unless admin_user
+
       update_last_sign_in(admin_user)
 
       admin_user.current_sign_in_at = nil

data/app/controllers/admin/tokens_controller.rb

@@ -4,49 +4,54 @@ module Admin
   class TokensController < ApplicationController
     include Koi::Controller::JsonWebToken
 
-    skip_before_action :authenticate_admin, only: %i[show update]
+    before_action :set_admin, only: %i[create]
     before_action :set_token, only: %i[show update]
+    before_action :invalid_token, only: %i[show update], unless: :token_valid?
 
     def show
-      return redirect_to new_admin_session_path, notice: I18n.t("koi.auth.token_invalid") if @token.blank?
-
-      admin = Admin::User.find(@token[:admin_id])
-
-      if token_utilised?(admin, @token)
-        return redirect_to new_admin_session_path, notice: I18n.t("koi.auth.token_invalid")
-      end
-
-      render locals: { admin:, token: params[:token] }, layout: "koi/login"
+      render locals: { admin: @admin, token: params[:token] }, layout: "koi/login"
     end
 
     def create
-      admin = Admin::User.find(params[:id])
-      token = encode_token(admin_id: admin.id, exp: 5.minutes.from_now.to_i, iat: Time.current.to_i)
+      token = encode_token(admin_id: @admin.id, exp: 30.minutes.from_now.to_i, iat: Time.current.to_i)
 
       render locals: { token: }
     end
 
     def update
-      return redirect_to admin_dashboard_path, status: :see_other if admin_signed_in?
-
-      if @token.blank?
-        return redirect_to new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid")
-      end
-
-      admin = Admin::User.find(@token[:admin_id])
-      sign_in_admin(admin)
+      sign_in_admin(@admin)
 
-      redirect_to admin_admin_user_path(admin)
+      redirect_to admin_admin_user_path(@admin), status: :see_other, notice: t("koi.auth.token_consumed")
     end
 
     private
 
+    def set_admin
+      @admin = Admin::User.find(params[:admin_user_id])
+    end
+
     def set_token
       @token = decode_token(params[:token])
+
+      # constant time token validation requires that we always try to retrieve a user
+      @admin = Admin::User.find_by(id: @token&.fetch(:admin_id) || "")
+    end
+
+    def token_valid?
+      return false unless @token.present? && @admin.present?
+
+      # Ensure that the user has not signed in since the token was generated
+      if @admin.current_sign_in_at.present?
+        @admin.current_sign_in_at.to_i < @token[:iat]
+      elsif @admin.last_sign_in_at.present?
+        @admin.last_sign_in_at.to_i < @token[:iat]
+      else
+        true # first sign in
+      end
     end
 
-    def token_utilised?(admin, token)
-      admin.current_sign_in_at.present? || (admin.last_sign_in_at.present? && admin.last_sign_in_at.to_i > token[:iat])
+    def invalid_token
+      redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
     end
 
     def sign_in_admin(admin)

data/app/controllers/concerns/koi/controller/has_webauthn.rb

@@ -36,7 +36,8 @@ module Koi
           Admin::Credential.find_by!(external_id: credential.id)
         end
 
-        stored_credential.update!(sign_count: webauthn_credential.sign_count)
+        stored_credential.update(sign_count: webauthn_credential.sign_count)
+        stored_credential.touch
 
         stored_credential.admin
       end

data/app/controllers/concerns/koi/controller/is_admin_controller.rb

@@ -31,9 +31,6 @@ module Koi
         helper :all
 
         layout -> { turbo_frame_layout || "koi/application" }
-
-        before_action :authenticate_local_admin, if: -> { Koi::Controller::IsAdminController.authenticate_local_admins }
-        before_action :authenticate_admin, unless: :admin_signed_in?
       end
 
       class << self
@@ -47,10 +44,14 @@ module Koi
 
         session[:admin_user_id] =
           Admin::User.where(email: %W[#{ENV.fetch('USER', nil)}@katalyst.com.au admin@katalyst.com.au]).first&.id
+
+        flash.delete(:redirect) if (redirect = flash[:redirect])
+
+        redirect_to(redirect || admin_dashboard_path, status: :see_other)
       end
 
-      def authenticate_admin
-        redirect_to new_admin_session_path, status: :temporary_redirect
+      def authenticate_local_admins?
+        IsAdminController.authenticate_local_admins
       end
 
       def turbo_frame_layout

data/app/views/admin/admin_users/_fields.html+self.erb

@@ -0,0 +1,3 @@
+<%= form.govuk_text_field :email %>
+<%= form.govuk_text_field :name %>
+<%= form.govuk_password_field :password, label: { text: "Password (optional)" } %>

data/app/views/admin/admin_users/_fields.html.erb

@@ -1,4 +1,3 @@
 <%= form.govuk_text_field :email %>
 <%= form.govuk_text_field :name %>
-<%= form.govuk_password_field :password, label: { text: "Password#{' (optional)' if form.object.persisted?}" } %>
 <%= form.govuk_check_box_field :archived if form.object.persisted? %>

data/app/views/admin/admin_users/index.html.erb

@@ -15,6 +15,9 @@
   <% row.select %>
   <% row.link :name, url: :admin_admin_user_path %>
   <% row.text :email %>
+  <% row.boolean :credentials, label: "Passkey" do |cell| %>
+    <%= cell.value.any? ? "Yes" : "No" %>
+  <% end %>
 <% end %>
 
 <%= table_pagination_with(collection:) %>

data/app/views/admin/admin_users/show.html+self.erb

@@ -0,0 +1,19 @@
+<%# locals: (admin:) %>
+
+<% content_for :header do %>
+  <%= render Koi::Header::ShowComponent.new(resource: admin) %>
+<% end %>
+
+<%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
+  <%= builder.text :name %>
+  <%= builder.text :email %>
+  <%= builder.date :created_at %>
+  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
+<% end %>
+
+<div class="repel">
+  <h3>Passkeys</h3>
+  <%= kpop_link_to "New passkey", new_admin_admin_user_credential_path(admin), class: "button button--primary" %>
+</div>
+
+<%= render "admin/credentials/credentials", admin: %>

data/app/views/admin/admin_users/show.html.erb

@@ -1,3 +1,5 @@
+<%# locals: (admin:) %>
+
 <% content_for :header do %>
   <%= render Koi::Header::ShowComponent.new(resource: admin) %>
 <% end %>
@@ -5,11 +7,15 @@
 <%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
   <%= builder.text :name %>
   <%= builder.text :email %>
-  <%= builder.datetime :created_at %>
-  <%= builder.datetime :last_sign_in_at, label: { text: "Last sign in" } %>
+  <%= builder.date :created_at %>
+  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
   <%= builder.boolean :archived? %>
 <% end %>
 
+<h3>Passkeys</h3>
+
+<%= render "admin/credentials/credentials", admin: %>
+
 <div class="actions">
   <% if admin.archived? %>
     <%= button_to "Delete", admin_admin_user_path(admin),
@@ -17,15 +23,5 @@
                   method: :delete,
                   form:   { data: { turbo_confirm: "Are you sure?" } } %>
   <% end %>
-  <%= button_to "Generate login link", invite_admin_admin_user_path(admin), class: "button button--primary", form: { id: "invite" } %>
+  <%= button_to "Generate login link", admin_admin_user_tokens_path(admin), class: "button button--primary", form: { id: "invite" } %>
 </div>
-
-<h2>Authentication</h2>
-
-<%= render "admin/credentials/credentials", admin: %>
-
-<% if admin == current_admin %>
-  <div class="actions-group">
-    <%= kpop_link_to "Add this device", new_admin_admin_user_credential_path(admin), class: "button button--primary" %>
-  </div>
-<% end %>

data/app/views/admin/credentials/_credentials.html+self.erb

@@ -0,0 +1,10 @@
+<%= table_with(id: dom_id(admin, :credentials), collection: admin.credentials) do |t, c| %>
+  <% t.text :nickname, label: "Name" %>
+  <% t.date :updated_at, label: "Last use" do |date| %>
+    <%= date unless c.created_at == c.updated_at %>
+  <% end %>
+  <% t.cell :actions, label: "" do %>
+    <%= link_to("Remove passkey", admin_admin_user_credential_path(admin, c),
+                data: { turbo_method: :delete }) %>
+  <% end %>
+<% end %>

data/app/views/admin/credentials/_credentials.html.erb

@@ -1,7 +1,6 @@
 <%= table_with(id: dom_id(admin, :credentials), collection: admin.credentials) do |t, c| %>
-  <% t.text :nickname %>
-  <% t.number :sign_count %>
-  <% t.cell :actions, label: "" do %>
-    <%= button_to "Remove device", admin_admin_user_credential_path(admin, c), method: :delete, class: "button button--text" %>
-  <% end if admin == current_admin %>
+  <% t.text :nickname, label: "Name" %>
+  <% t.date :updated_at, label: "Last use" do |date| %>
+    <%= date unless c.created_at == c.updated_at %>
+  <% end %>
 <% end %>

data/app/views/admin/credentials/new.html.erb

@@ -1,14 +1,37 @@
-<%= render Kpop::ModalComponent.new(title: "Register device") do %>
+<%= render Kpop::ModalComponent.new(title: "New passkey") do %>
   <%= form_with model: admin.credentials.new,
                 url:   admin_admin_user_credentials_path(admin),
+                class: "flow prose",
                 data:  {
                   controller:                          "webauthn-registration",
                   action:                              "submit->webauthn-registration#submit",
                   webauthn_registration_options_value: { publicKey: options },
                 } do |form| %>
-    <%= form.govuk_text_field :nickname %>
     <%= form.hidden_field :response, data: { webauthn_registration_target: "response" } %>
-
-    <%= form.admin_save %>
+    <section class="flow prose" data-webauthn-registration-target="intro">
+      <p>
+        Passkeys are secure secrets that are stored by your device.
+        You will need the device where your passkey is stored to log in.
+      </p>
+      <p>
+        Unlike a password, your password doesn't get sent to the server when you log
+        in and can't be stolen in a data breach. When you log in with a passkey,
+        your operating system will prompt you for permission to use the passkey
+        secret to authenticate the login attempt.
+      </p>
+      <p>
+        We recommend that you store your passkey on your phone or cloud account.
+        Depending on your browser, you may need to choose "more options" to see
+        a QR code that you can scan with your phone.
+      </p>
+    </section>
+    <section class="flow" data-webauthn-registration-target="nickname" hidden>
+      <%= form.govuk_text_field :nickname, label: { text: "Passkey name" } do %>
+        Enter a name for this passkey to help you distinguish it from other passkeys you may have for this site.
+        <br>
+        Example: My Phone, Chrome, iCloud, 1Password
+      <% end %>
+    </section>
+    <%= form.admin_save("Next") %>
   <% end %>
 <% end %>

data/app/views/admin/sessions/new.html.erb

@@ -7,19 +7,22 @@
         webauthn_authentication_options_value: { publicKey: webauthn_auth_options },
       },
     ) do |f| %>
+  <% (redirect = flash[:redirect] || params[:redirect]) && flash.delete(:redirect) %>
   <% unless flash.empty? %>
     <div class="govuk-error-summary">
       <ul class="govuk-error-summary__list">
-        <% flash.each do |_, message| %>
+        <% flash.each do |type, message| %>
           <%= tag.li message %>
         <% end %>
       </ul>
     </div>
   <% end %>
   <%= f.govuk_fieldset legend: nil do %>
-    <%= f.govuk_email_field :email, autofocus: true, autocomplete: "email" %>
-    <%= f.govuk_password_field :password, autocomplete: "current-password" %>
+    <%# note, autocomplete off is ignored by browsers but required by PCI-DSS %>
+    <%= f.govuk_email_field :email, autofocus: true, autocomplete: "off" %>
+    <%= f.govuk_password_field :password, autocomplete: "off" %>
     <%= f.hidden_field :response, data: { webauthn_authentication_target: "response" } %>
+    <%= hidden_field_tag(:redirect, redirect) %>
   <% end %>
   <div class="actions-group">
     <%= f.admin_save "Log in" %>

data/app/views/admin/tokens/create.turbo_stream.erb

@@ -1,6 +1,6 @@
 <%= turbo_stream.replace "invite" do %>
   <div class="action copy-to-clipboard govuk-input__wrapper" data-controller="clipboard" data-clipboard-supported-class="clipboard--supported">
-    <%= text_field_tag :invite_link, admin_token_url(token), readonly: true, data: { clipboard_target: "source" } %>
+    <%= text_field_tag :invite_link, admin_session_token_url(token), readonly: true, data: { clipboard_target: "source" } %>
     <button class="govuk-input__suffix clipboard-button" aria-hidden="true" data-action="clipboard#copy">
       Copy link
     </button>

data/app/views/admin/tokens/show.html.erb

@@ -1,7 +1,6 @@
 <%= render "layouts/koi/navigation_header" %>
 
-<%= form_with(url: accept_admin_session_path) do |form| %>
-  <%= tag.input name: :token, type: :hidden, value: token %>
+<%= form_with(url: admin_session_token_path(token), method: :patch) do |form| %>
   <p>Welcome to Koi Admin</p>
   <%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
     <%= builder.text :name %>

data/app/views/layouts/koi/_navigation.html.erb

@@ -9,6 +9,15 @@
            data-action="input->navigation#filter change->navigation#filter
                         keydown.enter->navigation#go keydown.esc->navigation#clear">
   </div>
+  <ul role="list">
+    <li>
+      <span><%= current_admin_user.name %></span>
+      <ul role="list">
+        <li><%= link_to("Profile", admin_admin_user_path(current_admin_user)) %></li>
+        <li><%= link_to("Log out", admin_session_path, data: { turbo_method: :delete }) %></li>
+      </ul>
+    </li>
+  </ul>
   <%= navigation_menu_with(menu: Koi::Menu.admin_menu(self)) %>
 </nav>
 <%= render "layouts/koi/navigation_collapse" %>

data/config/locales/koi.en.yml

@@ -9,9 +9,8 @@ en:
       admin: "%e %B %Y"
   koi:
     auth:
-      login: "You have been logged in"
-      logout: "You have been logged out"
       token_invalid: "Token invalid or consumed already"
+      token_consumed: "Please create a password or passkey"
     labels:
       new: New
       search: Search

data/config/routes.rb

@@ -3,22 +3,19 @@
 Rails.application.routes.draw do
   namespace :admin do
     resource :session, only: %i[new create destroy] do
-      post :accept, to: "tokens#update"
+      # JWT tokens contain periods
+      resources :tokens, param: :token, only: %i[show update], token: /[^\/]+/
     end
 
     resources :url_rewrites
     resources :admin_users do
       resources :credentials, only: %i[new create destroy]
-      post :invite, on: :member, to: "tokens#create"
+      resources :tokens, only: %i[create]
       get :archived, on: :collection
       put :archive, on: :collection
       put :restore, on: :collection
     end
 
-    # JWT tokens have dots(represents the 3 parts of data) in them, so we need to allow them in the URL
-    # can by pass if we use token as a query param
-    get "token/:token", to: "tokens#show", as: :token, token: /[^\/]+/
-
     resource :cache, only: %i[destroy]
     resource :dashboard, only: %i[show]
 
@@ -26,10 +23,8 @@ Rails.application.routes.draw do
   end
 
   scope :admin do
-    constraints ->(req) { req.session[:admin_user_id].present? } do
-      mount Katalyst::Content::Engine, at: "content"
-      mount Katalyst::Navigation::Engine, at: "navigation"
-      mount Flipper::UI.app(Flipper) => "flipper" if Object.const_defined?("Flipper::UI")
-    end
+    mount Katalyst::Content::Engine, at: "content"
+    mount Katalyst::Navigation::Engine, at: "navigation"
+    mount Flipper::UI.app(Flipper) => "flipper" if Object.const_defined?("Flipper::UI")
   end
 end

data/lib/koi/engine.rb

@@ -58,6 +58,7 @@ module Koi
     end
 
     initializer "koi.middleware" do |app|
+      app.middleware.use Koi::Middleware::AdminAuthentication
       app.middleware.use ::ActionDispatch::Static, root.join("public").to_s
       app.middleware.insert_before Rack::Sendfile, Koi::Middleware::UrlRedirect
     end

data/lib/koi/menu.rb

@@ -17,7 +17,6 @@ module Koi
         b.add_link(title: "View site", url: "/", target: :blank)
         b.add_link(title: "Dashboard", url: context.main_app.admin_dashboard_path)
         b.add_items(priority)
-        b.add_button(title: "Logout", url: context.main_app.admin_session_path, http_method: :delete)
       end
       builder.add_menu(title: "Modules") do |b|
         b.add_items(modules)

data/lib/koi/middleware/admin_authentication.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Koi
+  module Middleware
+    class AdminAuthentication
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        if env["PATH_INFO"].starts_with?("/admin")
+          admin_call(env)
+        else
+          @app.call(env)
+        end
+      end
+
+      def admin_call(env)
+        request = ActionDispatch::Request.new(env)
+        session = ActionDispatch::Request::Session.find(request)
+
+        if requires_authentication?(request) && !authenticated?(session)
+          # Set the redirection path for returning the user to their requested path after login
+          if request.get?
+            request.flash[:redirect] = request.fullpath
+            request.commit_flash
+          end
+
+          [303, { "Location" => "/admin/session/new" }, []]
+        else
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def requires_authentication?(request)
+        !request.path.starts_with?("/admin/session")
+      end
+
+      def authenticated?(session)
+        session[:admin_user_id].present?
+      end
+    end
+  end
+end