katalyst-koi 4.14.3 → 4.15.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca202222a19590b4f0cba29726cd07fe14f1e76f96f539eb791601cc318ed2fc
-  data.tar.gz: afd204af464f4f1d6fcd7d51396ad0579aed1c16d2f6078f6388199cc4d8abf4
+  metadata.gz: 7aec5f5d47bb5a92a43d88caa502800d7bf13926a49872ef56850fe14f40a7d8
+  data.tar.gz: 81eb88b30f1d7e4d098a176dd49c4083cc0b00cbb3e883094e1f099588d255fc
 SHA512:
-  metadata.gz: 56e6b34f520bff068ae96808e7daa71baebca78b650a2b7a651bb46255e7dd299511f3ebf62f9b5545ca5ee5b1a34be9d5d08441141e4952c9b20d9c3af7a406
-  data.tar.gz: 8af77dc82477591ce562ba497c208e48b1665d78e75d550db0c8b60dc464961a4bc7835c08a06da7a80612e42e0191f8fcbe37589751c5bcb3762900d28f308a
+  metadata.gz: c6a696cddf20fe65037a052c08564dc668408ad6cc7c3bd333ecee29e1ce260f1ef49e9ed0dacb4c61e7619b6561627143ebb3e035dae6329da3d2395cdbfd12
+  data.tar.gz: 2f3f2e33b5c16da0a4dd517791c5580b791178f0fe30dca7d39cb2c94c0d0c1896fa227a535fe92fb32c81cc72c4b861e3ce4aa53b90b74c6a0c39f2450e6bee

data/app/controllers/admin/admin_users_controller.rb

@@ -88,6 +88,8 @@ module Admin
       attribute :email, :string
       attribute :last_sign_in_at, :date
       attribute :sign_in_count, :integer
+      attribute :passkey, :boolean, scope: :has_passkey
+      attribute :mfa, :boolean, scope: :has_otp
     end
   end
 end

data/app/controllers/admin/otps_controller.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Admin
+  class OtpsController < ApplicationController
+    before_action :set_admin_user
+
+    def new
+      @admin_user.otp_secret = ROTP::Base32.random
+
+      render :new, locals: { admin: @admin_user }
+    end
+
+    def create
+      @admin_user.otp_secret = otp_params[:otp_secret]
+
+      if @admin_user.otp.verify(otp_params[:token])
+        @admin_user.save
+
+        redirect_to admin_admin_user_path(@admin_user), status: :see_other
+      else
+        @admin_user.errors.add(:token, :invalid)
+
+        respond_to do |format|
+          format.html { redirect_to admin_admin_user_path(@admin_user), status: :see_other }
+          format.turbo_stream { render locals: { admin: @admin_user } }
+        end
+      end
+    end
+
+    def destroy
+      @admin_user.update!(otp_secret: nil)
+
+      redirect_to admin_admin_user_path(@admin_user), status: :see_other
+    end
+
+    private
+
+    def otp_params
+      params.require(:admin).permit(:otp_secret, :token)
+    end
+
+    def set_admin_user
+      @admin_user = Admin::User.find(params[:admin_user_id])
+
+      if current_admin == @admin_user
+        request.variant = :self
+      else
+        head(:forbidden)
+      end
+    end
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -14,15 +14,20 @@ module Admin
     end
 
     def create
-      if (admin_user = webauthn_authenticate! || params_authenticate!)
-        record_sign_in!(admin_user)
-
-        session[:admin_user_id] = admin_user.id
-
-        redirect_to(url_from(params[:redirect].presence) || admin_dashboard_path, status: :see_other)
+      if session_params[:response].present?
+        create_session_with_webauthn
+      elsif session_params[:token].present?
+        create_session_with_token
+      elsif session_params[:password].present?
+        create_session_with_password
+      elsif session_params[:email].present?
+        # conversational flow, ask for password regardless of email
+        admin_user = Admin::User.new(session_params.slice(:email))
+
+        render(:password, status: :unprocessable_content, locals: { admin_user: })
       else
-        admin_user = Admin::User.new(session_params.slice(:email, :password))
-        admin_user.errors.add(:email, "Invalid email or password")
+        # invalid request, re-render new
+        admin_user = Admin::User.new
 
         render(:new, status: :unprocessable_content, locals: { admin_user: })
       end
@@ -38,16 +43,66 @@ module Admin
 
     private
 
+    def create_session_with_password
+      # constant time lookup for user with password verification
+      admin_user = Admin::User.authenticate_by(session_params.slice(:email, :password))
+
+      if admin_user.present? && admin_user.requires_otp?
+        session[:pending_admin_user_id] = admin_user.id
+
+        render(:otp, status: :unprocessable_content, locals: { admin_user: })
+      elsif admin_user.present?
+        admin_sign_in(admin_user)
+      else
+        admin_user = Admin::User.new(session_params.slice(:email, :password))
+        admin_user.errors.add(:email, :invalid)
+
+        render(:new, status: :unprocessable_content, locals: { admin_user: })
+      end
+    end
+
+    def create_session_with_token
+      # assume that the previous step injected the user's ID into the session and remove it regardless of outcome
+      admin_user = Admin::User.find_by(id: session.delete(:pending_admin_user_id))
+
+      if admin_user&.otp&.verify(session_params[:token],
+                                 drift_ahead:  15,
+                                 drift_behind: 15,
+                                 after:        admin_user.current_sign_in_at)
+        admin_sign_in(admin_user)
+      else
+        admin_user = Admin::User.new
+        admin_user.errors.add(:email, :invalid)
+
+        render(:new, status: :unprocessable_content, locals: { admin_user: })
+      end
+    end
+
+    def create_session_with_webauthn
+      if (admin_user = webauthn_authenticate!)
+        admin_sign_in(admin_user)
+      else
+        admin_user = Admin::User.new
+        admin_user.errors.add(:email, :invalid)
+
+        render(:new, status: :unprocessable_content, locals: { admin_user: })
+      end
+    end
+
     def redirect_authenticated
       redirect_to(admin_dashboard_path, status: :see_other)
     end
 
-    def session_params
-      params.require(:admin).permit(:email, :password, :response)
+    def admin_sign_in(admin_user)
+      record_sign_in!(admin_user)
+
+      session[:admin_user_id] = admin_user.id
+
+      redirect_to(url_from(params[:redirect].presence) || admin_dashboard_path, status: :see_other)
     end
 
-    def params_authenticate!
-      Admin::User.authenticate_by(session_params.slice(:email, :password))
+    def session_params
+      params.require(:admin).permit(:email, :password, :token, :response)
     end
 
     def update_last_sign_in(admin_user)

data/app/models/admin/user.rb

@@ -3,6 +3,7 @@
 module Admin
   class User < ApplicationRecord
     include Koi::Model::Archivable
+    include Koi::Model::OTP
 
     def self.model_name
       ActiveModel::Name.new(self, nil, "Admin")
@@ -27,5 +28,26 @@ module Admin
         where("email LIKE :query OR name LIKE :query", query: "%#{query}%")
       end
     end
+
+    scope :has_otp, ->(otp) do
+      if otp
+        where.not(otp_secret: nil)
+      else
+        where(otp_secret: nil)
+      end
+    end
+
+    scope :has_passkey, ->(passkey) do
+      if passkey
+        where(id: Admin::Credential.select(:admin_id))
+      else
+        where.not(id: Admin::Credential.select(:admin_id))
+      end
+    end
+
+    def passkey
+      credentials.any?
+    end
+    alias passkey? passkey
   end
 end

data/app/models/concerns/koi/model/otp.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Koi
+  module Model
+    module OTP
+      extend ActiveSupport::Concern
+
+      included do
+        attribute :token, :string
+      end
+
+      def requires_otp?
+        otp_secret.present?
+      end
+
+      def otp
+        ROTP::TOTP.new(otp_secret) if otp_secret.present?
+      end
+    end
+  end
+end

data/app/views/admin/admin_users/index.html.erb

@@ -18,6 +18,9 @@
   <% row.boolean :credentials, label: "Passkey" do |cell| %>
     <%= cell.value.any? ? "Yes" : "No" %>
   <% end %>
+  <% row.boolean :otp, label: "MFA" do |cell| %>
+    <%= cell.value.present? ? "Yes" : "No" %>
+  <% end %>
 <% end %>
 
 <%= table_pagination_with(collection:) %>

data/app/views/admin/admin_users/show.html+self.erb

@@ -4,11 +4,25 @@
   <%= render Koi::Header::ShowComponent.new(resource: admin) %>
 <% end %>
 
-<%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
+<%= render Koi::SummaryTableComponent.new(model: admin) do |builder| %>
   <%= builder.text :name %>
   <%= builder.text :email %>
   <%= builder.date :created_at %>
-  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
+  <%= builder.date :last_sign_in_at, label: "Last sign in" %>
+  <%= builder.boolean :passkey %>
+  <%= builder.boolean :otp, label: "MFA" do |otp| %>
+    <span class="repel">
+      <%= otp %>
+      <% if otp.value %>
+        <%= button_to("Remove", admin_admin_user_otp_path(admin),
+                      class:  "button button--text",
+                      method: :delete,
+                      form:   { data: { turbo_confirm: "Are you sure?" } }) %>
+      <% else %>
+        <%= kpop_link_to "Add", new_admin_admin_user_otp_path(admin) %>
+      <% end %>
+    </span>
+  <% end %>
 <% end %>
 
 <div class="repel">

data/app/views/admin/admin_users/show.html.erb

@@ -4,18 +4,16 @@
   <%= render Koi::Header::ShowComponent.new(resource: admin) %>
 <% end %>
 
-<%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
+<%= render Koi::SummaryTableComponent.new(model: admin, class: "item-table") do |builder| %>
   <%= builder.text :name %>
   <%= builder.text :email %>
   <%= builder.date :created_at %>
-  <%= builder.date :last_sign_in_at, label: { text: "Last sign in" } %>
+  <%= builder.date :last_sign_in_at, label: "Last sign in" %>
+  <%= builder.boolean :passkey %>
+  <%= builder.boolean :otp, label: "MFA" %>
   <%= builder.boolean :archived? %>
 <% end %>
 
-<h3>Passkeys</h3>
-
-<%= render "admin/credentials/credentials", admin: %>
-
 <div class="actions">
   <% if admin.archived? %>
     <%= button_to "Delete", admin_admin_user_path(admin),

data/app/views/admin/otps/_form.html.erb

@@ -0,0 +1,32 @@
+<%# locals: (admin:) %>
+
+<%= form_with(id:     dom_id(admin, :otp),
+              model:  admin,
+              url:    admin_admin_user_otp_path(admin),
+              method: :post,
+              class:  "flow") do |form| %>
+  <section class="flow prose">
+    <p>MFA protects your account by requiring you to enter a six-digit
+      token that changes every 30 seconds. If someone knows or guesses your
+      password they also need to know the current token to log in.</p>
+    <p>In general, we recommend using Passkeys over MFA. Passkeys offer better
+      security than a password + MFA, and they are easier to use.</p>
+    <p><strong>Add an MFA authenticator to your account</strong></p>
+    <ol class="flow">
+      <li>Install an MFA app. Most password managers support MFA.</li>
+      <li>Scan this code using your mobile device or password manager:<br>
+        <% otp_app_name = t("koi.auth.otp_app_name", host: URI.parse(root_url).host, email: admin.email) %>
+        <%== RQRCode::QRCode.new(admin.otp.provisioning_uri(otp_app_name)).as_svg(
+               color:           "000",
+               shape_rendering: "crispEdges",
+               module_size:     3,
+               use_path:        true,
+             ) %>
+      </li>
+      <li>Enter the token shown in your app into the field below:</li>
+    </ol>
+  </section>
+  <%= form.hidden_field :otp_secret %>
+  <%= form.govuk_text_field :token %>
+  <%= form.admin_save %>
+<% end %>

data/app/views/admin/otps/create.turbo_stream.erb

@@ -0,0 +1,5 @@
+<%# locals: (admin:) %>
+
+<%= turbo_stream.replace(dom_id(admin, :otp)) do %>
+  <%= render("form", admin:) %>
+<% end %>

data/app/views/admin/otps/new.html.erb

@@ -0,0 +1,5 @@
+<%# locals: (admin:) %>
+
+<%= render Kpop::ModalComponent.new(title: "Configure MFA") do %>
+  <%= render("form", admin:) %>
+<% end %>

data/app/views/admin/sessions/new.html.erb

@@ -1,4 +1,7 @@
+<%# locals: (admin_user:) %>
+
 <%= render "layouts/koi/navigation_header" %>
+
 <%= form_with(
       model: admin_user,
       url:   admin_session_path,
@@ -6,7 +9,7 @@
         controller:                            "webauthn-authentication",
         webauthn_authentication_options_value: { publicKey: webauthn_auth_options },
       },
-    ) do |f| %>
+    ) do |form| %>
   <% (redirect = flash[:redirect] || params[:redirect]) && flash.delete(:redirect) %>
   <% unless flash.empty? %>
     <div class="govuk-error-summary">
@@ -17,15 +20,12 @@
       </ul>
     </div>
   <% end %>
-  <%= f.govuk_fieldset legend: nil do %>
-    <%# note, autocomplete off is ignored by browsers but required by PCI-DSS %>
-    <%= f.govuk_email_field :email, autofocus: true, autocomplete: "off" %>
-    <%= f.govuk_password_field :password, autocomplete: "off" %>
-    <%= f.hidden_field :response, data: { webauthn_authentication_target: "response" } %>
-    <%= hidden_field_tag(:redirect, redirect) %>
-  <% end %>
+  <%# note, autocomplete off is ignored by browsers but required by PCI-DSS %>
+  <%= form.govuk_email_field :email, autofocus: true, autocomplete: "off" %>
+  <%= form.hidden_field :response, data: { webauthn_authentication_target: "response" } %>
+  <%= hidden_field_tag(:redirect, redirect) %>
   <div class="actions-group">
-    <%= f.admin_save "Log in" %>
-    <%= f.button "🔑", type: :button, class: "button button--secondary", data: { action: "webauthn-authentication#authenticate" } %>
+    <%= form.admin_save "Next" %>
+    <%= form.button "🔑", type: :button, class: "button button--secondary", data: { action: "webauthn-authentication#authenticate" } %>
   </div>
 <% end %>

data/app/views/admin/sessions/otp.html.erb

@@ -0,0 +1,10 @@
+<%# locals: (admin_user:) %>
+
+<%= render "layouts/koi/navigation_header" %>
+
+<%= form_with(model: admin_user, url: admin_session_path, method: :post) do |form| %>
+  <%# note, autocomplete off is ignored by browsers but required by PCI-DSS %>
+  <%= form.govuk_text_field :token, autofocus: true, autocomplete: "off" %>
+  <%= hidden_field_tag(:redirect, params[:redirect]) %>
+  <%= form.admin_save "Next" %>
+<% end %>

data/app/views/admin/sessions/password.html.erb

@@ -0,0 +1,11 @@
+<%# locals: (admin_user:) %>
+
+<%= render "layouts/koi/navigation_header" %>
+
+<%= form_with(model: admin_user, url: admin_session_path) do |form| %>
+  <%= form.hidden_field(:email) %>
+  <%# note, autocomplete off is ignored by browsers but required by PCI-DSS %>
+  <%= form.govuk_password_field :password, autofocus: true, autocomplete: "off" %>
+  <%= hidden_field_tag(:redirect, params[:redirect]) %>
+  <%= form.admin_save "Next" %>
+<% end %>

data/config/initializers/inflections.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+ActiveSupport::Inflector.inflections do |inflect|
+  inflect.acronym "MFA"
+  inflect.acronym "OTP"
+end

data/config/locales/koi.en.yml

@@ -9,11 +9,17 @@ en:
       admin: "%e %B %Y"
   koi:
     auth:
+      otp_app_name: "%{host}/admin"
       token_invalid: "Token invalid or consumed already"
       token_consumed: "Please create a password or passkey"
     labels:
       new: New
       search: Search
+  activerecord:
+    errors:
+      models:
+        admin:
+          invalid: "Invalid login credentials"
   helpers:
     hint:
       default:

data/config/routes.rb

@@ -10,6 +10,7 @@ Rails.application.routes.draw do
     resources :url_rewrites
     resources :admin_users do
       resources :credentials, only: %i[new create destroy]
+      resource :otp, only: %i[new create destroy]
       resources :tokens, only: %i[create]
       get :archived, on: :collection
       put :archive, on: :collection

data/db/migrate/20241214060913_add_otp_secret_to_admin_users.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddOTPSecretToAdminUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :admins, :otp_secret, :string
+  end
+end

data/lib/koi/engine.rb

@@ -7,6 +7,8 @@ require "katalyst/kpop"
 require "katalyst/navigation"
 require "katalyst/tables"
 require "pagy"
+require "rotp"
+require "rqrcode"
 require "stimulus-rails"
 require "turbo-rails"
 require "webauthn"

data/spec/factories/admins.rb

@@ -5,5 +5,6 @@ FactoryBot.define do
     email { Faker::Internet.email }
     name { Faker::Name.name }
     password { Faker::Internet.password }
+    otp_secret { ROTP::Base32.random }
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: katalyst-koi
 version: !ruby/object:Gem::Version
-  version: 4.14.3
+  version: 4.15.1
 platform: ruby
 authors:
 - Katalyst Interactive
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-12-11 00:00:00.000000000 Z
+date: 2024-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -80,6 +80,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webauthn
   requirement: !ruby/object:Gem::Requirement
@@ -343,6 +371,7 @@ files:
 - app/controllers/admin/caches_controller.rb
 - app/controllers/admin/credentials_controller.rb
 - app/controllers/admin/dashboards_controller.rb
+- app/controllers/admin/otps_controller.rb
 - app/controllers/admin/sessions_controller.rb
 - app/controllers/admin/tokens_controller.rb
 - app/controllers/admin/url_rewrites_controller.rb
@@ -363,6 +392,7 @@ files:
 - app/models/admin/user.rb
 - app/models/application_record.rb
 - app/models/concerns/koi/model/archivable.rb
+- app/models/concerns/koi/model/otp.rb
 - app/models/url_rewrite.rb
 - app/views/admin/admin_users/_fields.html+self.erb
 - app/views/admin/admin_users/_fields.html.erb
@@ -378,7 +408,12 @@ files:
 - app/views/admin/credentials/destroy.turbo_stream.erb
 - app/views/admin/credentials/new.html.erb
 - app/views/admin/dashboards/show.html.erb
+- app/views/admin/otps/_form.html.erb
+- app/views/admin/otps/create.turbo_stream.erb
+- app/views/admin/otps/new.html.erb
 - app/views/admin/sessions/new.html.erb
+- app/views/admin/sessions/otp.html.erb
+- app/views/admin/sessions/password.html.erb
 - app/views/admin/shared/icons/_close.html.erb
 - app/views/admin/shared/icons/_cross.html.erb
 - app/views/admin/shared/icons/_menu.html.erb
@@ -418,6 +453,7 @@ files:
 - config/importmap.rb
 - config/initializers/extensions.rb
 - config/initializers/flipper.rb
+- config/initializers/inflections.rb
 - config/locales/koi.en.yml
 - config/locales/pagy.en.yml
 - config/routes.rb
@@ -428,6 +464,7 @@ files:
 - db/migrate/20230531063707_update_admin_users.rb
 - db/migrate/20230602033610_add_archived_to_admin_users.rb
 - db/migrate/20231211005214_add_status_code_to_url_rewrites.rb
+- db/migrate/20241214060913_add_otp_secret_to_admin_users.rb
 - db/seeds.rb
 - lib/generators/koi/active_record/active_record_generator.rb
 - lib/generators/koi/admin/USAGE