katalyst-koi 4.16.0 → 4.17.0

data/app/assets/stylesheets/koi/components/_query.scss

@@ -1,3 +1,4 @@
+@use "sass:meta";
 @use "sass:string";
 @use "../utils/typography";
 
@@ -77,7 +78,7 @@ $text-icon-color: #888;
   }
 
   li.suggestion.attribute::before {
-    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 14 16' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M13 3.1C13 4.2598 10.3137 5.2 7 5.2C3.68629 5.2 1 4.2598 1 3.1M13 3.1C13 1.9402 10.3137 1 7 1C3.68629 1 1 1.9402 1 3.1M13 3.1V12.9C13 14.062 10.3333 15 7 15C3.66667 15 1 14.062 1 12.9V3.1M13 8C13 9.162 10.3333 10.1 7 10.1C3.66667 10.1 1 9.162 1 8' stroke='%23#{string.slice(inspect($text-icon-color), 2)}' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
+    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 14 16' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M13 3.1C13 4.2598 10.3137 5.2 7 5.2C3.68629 5.2 1 4.2598 1 3.1M13 3.1C13 1.9402 10.3137 1 7 1C3.68629 1 1 1.9402 1 3.1M13 3.1V12.9C13 14.062 10.3333 15 7 15C3.66667 15 1 14.062 1 12.9V3.1M13 8C13 9.162 10.3333 10.1 7 10.1C3.66667 10.1 1 9.162 1 8' stroke='%23#{string.slice(meta.inspect($text-icon-color), 2)}' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
       no-repeat;
     top: 2px;
   }
@@ -85,13 +86,13 @@ $text-icon-color: #888;
   li.suggestion.database_value::before,
   li.suggestion.constant_value::before,
   li.suggestion.custom_value::before {
-    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 16 18' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M14.6111 5.16702L7.99998 8.99998M7.99998 8.99998L1.38886 5.16702M7.99998 8.99998L8 16.711M15 12.2943V5.70573C15 5.42761 15 5.28856 14.9607 5.16453C14.926 5.05481 14.8692 4.9541 14.7942 4.86912C14.7094 4.77307 14.5929 4.70553 14.3599 4.57047L8.60436 1.23354C8.38378 1.10565 8.27348 1.04171 8.15668 1.01664C8.05331 0.994453 7.94669 0.994453 7.84332 1.01664C7.72652 1.04171 7.61623 1.10565 7.39564 1.23354L1.64009 4.57047C1.40713 4.70554 1.29064 4.77307 1.20583 4.86912C1.13079 4.9541 1.074 5.05481 1.03927 5.16453C1 5.28856 1 5.42762 1 5.70573V12.2943C1 12.5724 1 12.7114 1.03927 12.8355C1.074 12.9452 1.13079 13.0459 1.20583 13.1309C1.29064 13.2269 1.40713 13.2945 1.64009 13.4295L7.39564 16.7665C7.61623 16.8943 7.72652 16.9583 7.84332 16.9834C7.94669 17.0055 8.05331 17.0055 8.15668 16.9834C8.27348 16.9583 8.38377 16.8943 8.60436 16.7665L14.3599 13.4295C14.5929 13.2945 14.7094 13.2269 14.7942 13.1309C14.8692 13.0459 14.926 12.9452 14.9607 12.8355C15 12.7114 15 12.5724 15 12.2943Z' stroke='%23#{string.slice(inspect($text-icon-color), 2)}' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
+    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 16 18' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M14.6111 5.16702L7.99998 8.99998M7.99998 8.99998L1.38886 5.16702M7.99998 8.99998L8 16.711M15 12.2943V5.70573C15 5.42761 15 5.28856 14.9607 5.16453C14.926 5.05481 14.8692 4.9541 14.7942 4.86912C14.7094 4.77307 14.5929 4.70553 14.3599 4.57047L8.60436 1.23354C8.38378 1.10565 8.27348 1.04171 8.15668 1.01664C8.05331 0.994453 7.94669 0.994453 7.84332 1.01664C7.72652 1.04171 7.61623 1.10565 7.39564 1.23354L1.64009 4.57047C1.40713 4.70554 1.29064 4.77307 1.20583 4.86912C1.13079 4.9541 1.074 5.05481 1.03927 5.16453C1 5.28856 1 5.42762 1 5.70573V12.2943C1 12.5724 1 12.7114 1.03927 12.8355C1.074 12.9452 1.13079 13.0459 1.20583 13.1309C1.29064 13.2269 1.40713 13.2945 1.64009 13.4295L7.39564 16.7665C7.61623 16.8943 7.72652 16.9583 7.84332 16.9834C7.94669 17.0055 8.05331 17.0055 8.15668 16.9834C8.27348 16.9583 8.38377 16.8943 8.60436 16.7665L14.3599 13.4295C14.5929 13.2945 14.7094 13.2269 14.7942 13.1309C14.8692 13.0459 14.926 12.9452 14.9607 12.8355C15 12.7114 15 12.5724 15 12.2943Z' stroke='%23#{string.slice(meta.inspect($text-icon-color), 2)}' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
       no-repeat;
     top: 2px;
   }
 
   li.suggestion.search_value::before {
-    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 24 24' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M21 21L15.0001 15M17 10C17 13.866 13.866 17 10 17C6.13401 17 3 13.866 3 10C3 6.13401 6.13401 3 10 3C13.866 3 17 6.13401 17 10Z' stroke='%23#{string.slice(inspect($text-icon-color), 2)}' stroke-width='3' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
+    background: url("data:image/svg+xml,%3Csvg width='14' height='16' viewBox='0 0 24 24' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M21 21L15.0001 15M17 10C17 13.866 13.866 17 10 17C6.13401 17 3 13.866 3 10C3 6.13401 6.13401 3 10 3C13.866 3 17 6.13401 17 10Z' stroke='%23#{string.slice(meta.inspect($text-icon-color), 2)}' stroke-width='3' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E%0A")
       no-repeat;
     top: 2px;
   }

data/app/assets/stylesheets/koi/layouts/_header.scss

@@ -1,30 +1,34 @@
-@mixin list($separator, $space: 1rem) {
+$inset: 2rem !default;
+
+$title: 4rem;
+$breadcrumbs: 3rem;
+$actions: 3rem;
+$height: $title + $breadcrumbs + $actions;
+
+@mixin list($separator, $margin: 1em, $padding: 0.5em) {
   display: flex;
+  align-items: center;
   list-style-position: outside;
+  margin-inline: $inset;
 
   > * {
     display: list-item;
-    margin-left: $space;
+    margin-inline-start: $margin;
+    padding-inline-start: $padding;
   }
 
   > *::marker {
-    content: " " + $separator + " ";
+    content: $separator;
     color: rgba(0, 0, 0, 0.4);
   }
 
   > *:first-child {
     display: block;
-    margin-left: 0;
+    margin-inline-start: 0;
+    padding-inline-start: 0;
   }
 }
 
-$inset: 2rem !default;
-
-$title: 4rem;
-$breadcrumbs: 3rem;
-$actions: 3rem;
-$height: $title + $breadcrumbs + $actions;
-
 %header {
   border-bottom: 1px solid #ececec;
   color: #b2b2b2;
@@ -44,20 +48,14 @@ $height: $title + $breadcrumbs + $actions;
 
   .breadcrumbs {
     grid-area: breadcrumbs;
-    display: flex;
-    align-items: center;
-    margin: 0 $inset;
 
-    @include list("› ", 1.2rem);
+    @include list("›");
   }
 
   .actions {
     grid-area: actions;
-    display: flex;
-    align-items: center;
-    margin: 0 $inset;
+    gap: 0;
 
-    @include list("|", 0.5rem);
-    list-style-type: square;
+    @include list("|", $margin: 0.8em);
   }
 }

data/app/assets/stylesheets/koi/pages/_login.scss

@@ -11,7 +11,7 @@
 
 .admin-login > main {
   flex: 1 1 auto;
-  max-width: 20rem;
+  max-width: 24rem;
   background: white;
   border-radius: 0.25rem;
   height: unset;

data/app/assets/stylesheets/koi/themes/_govuk.scss

@@ -1,42 +1,24 @@
 @use "../utils/typography" as *;
 
-@function govuk-definition($size) {
-  @return (
-    null: (
-      font-size: font-size($size, mobile, px),
-      line-height: line-height($size, mobile, px),
-    ),
-    tablet: (
-      font-size: font-size($size, tablet, px),
-      line-height: line-height($size, tablet, px),
-    ),
-    print: (
-      font-size: font-size($size, print, px),
-      line-height: line-height($size, print, px),
-    )
-  );
-}
-
-$govuk-font-family: "Inter";
-$govuk-text-colour: #{var(--site-text-color)};
-$govuk-typography-scale: (
-  80: govuk-definition(h1),
-  48: govuk-definition(h2),
-  36: govuk-definition(h3),
-  27: govuk-definition(h4),
-  24: govuk-definition(h5),
-  19: govuk-definition(h6),
-  16: govuk-definition(paragraph),
-  14: govuk-definition(small),
+@use "katalyst/govuk/formbuilder" with (
+  $govuk-font-family: "Inter",
+  $govuk-text-colour: #{var(--site-text-color)},
+  $govuk-typography-scale: (
+    80: govuk-definition(h1),
+    48: govuk-definition(h2),
+    36: govuk-definition(h3),
+    27: govuk-definition(h4),
+    24: govuk-definition(h5),
+    19: govuk-definition(h6),
+    16: govuk-definition(paragraph),
+    14: govuk-definition(small),
+  ),
+  $govuk-input-border-colour: #{var(--site-text-color)}
 );
 
-$govuk-input-border-colour: #{var(--site-text-color)};
-
-@import "katalyst/govuk/formbuilder";
-
 .govuk-input,
 .govuk-textarea {
-  color: $govuk-text-colour;
+  color: var(--site-text-color);
 }
 
 .govuk-hint {
@@ -50,3 +32,25 @@ $govuk-input-border-colour: #{var(--site-text-color)};
   margin-left: -18px;
   padding-left: 13px;
 }
+
+// add some koi styling to the govuk show/hide password button
+[data-govuk-password-input-init] {
+  max-width: var(--text-width);
+
+  .govuk-password-input__wrapper {
+    gap: 0.5rem;
+  }
+
+  .govuk-button {
+    min-width: 4em;
+    background: none;
+    cursor: pointer;
+    border: 2px solid var(--site-text-color);
+  }
+
+  .govuk-button:focus-visible,
+  .govuk-button:hover {
+    color: var(--site-primary);
+    border-color: var(--site-primary);
+  }
+}

data/app/assets/stylesheets/koi/utils/_typography.scss

@@ -1,10 +1,11 @@
+@use "sass:map";
 @use "sass:math";
 
 $-font-sizes: () !default;
 $-line-heights: () !default;
 
 @function font-size($size, $breakpoint: null, $unit: rem) {
-  $font-size: map-get($-font-sizes, $size);
+  $font-size: map.get($-font-sizes, $size);
 
   @if $unit == rem {
     @return $font-size;
@@ -14,7 +15,7 @@ $-line-heights: () !default;
 }
 
 @function line-height($size, $breakpoint: null, $unit: em) {
-  $line-height: map-get($-line-heights, $size);
+  $line-height: map.get($-line-heights, $size);
 
   @if $unit == em {
     @return $line-height;
@@ -22,3 +23,20 @@ $-line-heights: () !default;
     @return math.div($line-height, 1em) * 16px;
   }
 }
+
+@function govuk-definition($size) {
+  @return (
+    null: (
+      font-size: font-size($size, mobile, px),
+      line-height: line-height($size, mobile, px),
+    ),
+    tablet: (
+      font-size: font-size($size, tablet, px),
+      line-height: line-height($size, tablet, px),
+    ),
+    print: (
+      font-size: font-size($size, print, px),
+      line-height: line-height($size, print, px),
+    )
+  );
+}

data/app/controllers/admin/sessions_controller.rb

@@ -3,6 +3,7 @@
 module Admin
   class SessionsController < ApplicationController
     include Koi::Controller::HasWebauthn
+    include Koi::Controller::RecordsAuthentication
 
     before_action :redirect_authenticated, only: %i[new], if: :admin_signed_in?
     before_action :authenticate_local_admin, only: %i[new], if: :authenticate_local_admins?
@@ -104,33 +105,5 @@ module Admin
     def session_params
       params.expect(admin: %i[email password token response])
     end
-
-    def update_last_sign_in(admin_user)
-      return if admin_user.current_sign_in_at.blank?
-
-      admin_user.last_sign_in_at = admin_user.current_sign_in_at
-      admin_user.last_sign_in_ip = admin_user.current_sign_in_ip
-    end
-
-    def record_sign_in!(admin_user)
-      update_last_sign_in(admin_user)
-
-      admin_user.current_sign_in_at = Time.current
-      admin_user.current_sign_in_ip = request.remote_ip
-      admin_user.sign_in_count      = admin_user.sign_in_count + 1
-
-      admin_user.save!
-    end
-
-    def record_sign_out!(admin_user)
-      return unless admin_user
-
-      update_last_sign_in(admin_user)
-
-      admin_user.current_sign_in_at = nil
-      admin_user.current_sign_in_ip = nil
-
-      admin_user.save!
-    end
   end
 end

data/app/controllers/admin/tokens_controller.rb

@@ -2,66 +2,40 @@
 
 module Admin
   class TokensController < ApplicationController
-    include Koi::Controller::JsonWebToken
+    include Koi::Controller::RecordsAuthentication
 
-    before_action :set_admin, only: %i[create]
-    before_action :set_token, only: %i[show update]
-    before_action :invalid_token, only: %i[show update], unless: :token_valid?
+    before_action :set_admin_user, only: %i[create]
+
+    attr_reader :admin_user
 
     def show
-      render locals: { admin: @admin, token: params[:token] }, layout: "koi/login"
+      if (@admin_user = Admin::User.find_by_token_for(:password_reset, params[:token]))
+        render locals: { admin_user:, token: params[:token] }, layout: "koi/login"
+      else
+        redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
+      end
     end
 
     def create
-      token = encode_token(admin_id: @admin.id, exp: 30.minutes.from_now.to_i, iat: Time.current.to_i)
-
-      render locals: { token: }
+      render locals: { token: admin_user.generate_token_for(:password_reset) }
     end
 
     def update
-      sign_in_admin(@admin)
-
-      redirect_to admin_admin_user_path(@admin), status: :see_other, notice: t("koi.auth.token_consumed")
-    end
-
-    private
+      if (@admin_user = Admin::User.find_by_token_for(:password_reset, params[:token]))
+        record_sign_in!(admin_user)
 
-    def set_admin
-      @admin = Admin::User.find(params[:admin_user_id])
-    end
-
-    def set_token
-      @token = decode_token(params[:token])
-
-      # constant time token validation requires that we always try to retrieve a user
-      @admin = Admin::User.find_by(id: @token&.fetch(:admin_id) || "")
-    end
+        session[:admin_user_id] = admin_user.id
 
-    def token_valid?
-      return false unless @token.present? && @admin.present?
-
-      # Ensure that the user has not signed in since the token was generated
-      if @admin.current_sign_in_at.present?
-        @admin.current_sign_in_at.to_i < @token[:iat]
-      elsif @admin.last_sign_in_at.present?
-        @admin.last_sign_in_at.to_i < @token[:iat]
+        redirect_to admin_admin_user_path(admin_user), status: :see_other, notice: t("koi.auth.token_consumed")
       else
-        true # first sign in
+        redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
       end
     end
 
-    def invalid_token
-      redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
-    end
-
-    def sign_in_admin(admin)
-      admin.current_sign_in_at = Time.current
-      admin.current_sign_in_ip = request.remote_ip
-      admin.sign_in_count      = 1
+    private
 
-      # disable validations to allow saving without password or passkey credentials
-      admin.save!(validate: false)
-      session[:admin_user_id] = admin.id
+    def set_admin_user
+      @admin_user = Admin::User.find(params[:admin_user_id])
     end
   end
 end

data/app/controllers/concerns/koi/controller/has_webauthn.rb

@@ -12,15 +12,14 @@ module Koi
       def webauthn_relying_party
         @webauthn_relying_party ||=
           WebAuthn::RelyingParty.new(
-            name:   Koi.config.admin_name,
-            origin: request.base_url,
+            name:            Koi.config.admin_name,
+            allowed_origins: [request.base_url],
           )
       end
 
       def webauthn_auth_options
-        options = webauthn_relying_party.options_for_authentication(
-          allow: Admin::Credential.pluck(:external_id),
-        )
+        options = webauthn_relying_party.options_for_authentication
+
         session[:authentication_challenge] = options.challenge
 
         options
@@ -42,6 +41,8 @@ module Koi
         )
 
         stored_credential.admin
+      rescue ActiveRecord::RecordNotFound
+        false
       end
     end
   end

data/app/controllers/concerns/koi/controller/records_authentication.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Koi
+  module Controller
+    module RecordsAuthentication
+      def update_last_sign_in(admin_user)
+        return if admin_user.current_sign_in_at.blank?
+
+        admin_user.last_sign_in_at = admin_user.current_sign_in_at
+        admin_user.last_sign_in_ip = admin_user.current_sign_in_ip
+      end
+
+      def record_sign_in!(admin_user)
+        update_last_sign_in(admin_user)
+
+        admin_user.current_sign_in_at = Time.current
+        admin_user.current_sign_in_ip = request.remote_ip
+        admin_user.sign_in_count += 1
+
+        admin_user.save!
+      end
+
+      def record_sign_out!(admin_user)
+        return unless admin_user
+
+        update_last_sign_in(admin_user)
+
+        admin_user.current_sign_in_at = nil
+        admin_user.current_sign_in_ip = nil
+
+        admin_user.save!
+      end
+    end
+  end
+end

data/app/models/admin/user.rb

@@ -12,6 +12,8 @@ module Admin
     # disable validations for password_digest
     has_secure_password validations: false
 
+    generates_token_for(:password_reset, expires_in: 30.minutes) { current_sign_in_at }
+
     has_many :credentials, inverse_of: :admin, class_name: "Admin::Credential", dependent: :destroy
 
     validates :name, :email, presence: true

data/app/views/admin/sessions/password.html.erb

@@ -8,4 +8,7 @@
   <%= form.govuk_password_field :password, autofocus: true, autocomplete: "off" %>
   <%= hidden_field_tag(:redirect, params[:redirect]) %>
   <%= form.admin_save "Next" %>
+
+  <%# init govuk js to provide the show/hide button %>
+  <%= govuk_formbuilder_init %>
 <% end %>

data/app/views/admin/tokens/create.turbo_stream.erb

@@ -1,3 +1,5 @@
+<%# locals: (token:) %>
+
 <%= turbo_stream.replace "invite" do %>
   <div class="action copy-to-clipboard govuk-input__wrapper" data-controller="clipboard" data-clipboard-supported-class="clipboard--supported">
     <%= text_field_tag :invite_link, admin_session_token_url(token), readonly: true, data: { clipboard_target: "source" } %>

data/app/views/admin/tokens/show.html.erb

@@ -1,8 +1,10 @@
+<%# locals: (admin_user:, token:) %>
+
 <%= render "layouts/koi/navigation_header" %>
 
 <%= form_with(url: admin_session_token_path(token), method: :patch) do |form| %>
   <p>Welcome to Koi Admin</p>
-  <%= render Koi::SummaryListComponent.new(model: admin, class: "item-table") do |builder| %>
+  <%= render Koi::SummaryListComponent.new(model: admin_user, class: "item-table") do |builder| %>
     <%= builder.text :name %>
     <%= builder.text :email %>
   <% end %>

data/lib/generators/koi/admin_route/admin_route_generator.rb

@@ -27,7 +27,8 @@ module Koi
 
     def add_navigation
       gsub_file("config/initializers/koi.rb", /Koi::Menu.modules = ({}|{\n(?:\s+.*\n)*})\n/) do |match|
-        config        = eval(match) # rubocop:disable Security/Eval # we know that this only during generation
+        # Safe because we know that this only called during code generation
+        config        = eval(match) # rubocop:disable Security/Eval
         label         = [*regular_class_path.map(&:humanize), human_name.pluralize].join(" ")
         path          = "/admin#{route_url}"
         config[label] = path

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: katalyst-koi
 version: !ruby/object:Gem::Version
-  version: 4.16.0
+  version: 4.17.0
 platform: ruby
 authors:
 - Katalyst Interactive
 bindir: bin
 cert_chain: []
-date: 2025-02-04 00:00:00.000000000 Z
+date: 2025-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -113,14 +113,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.4.0
 - !ruby/object:Gem::Dependency
   name: katalyst-govuk-formbuilder
   requirement: !ruby/object:Gem::Requirement
@@ -378,7 +378,7 @@ files:
 - app/controllers/concerns/koi/controller/has_attachments.rb
 - app/controllers/concerns/koi/controller/has_webauthn.rb
 - app/controllers/concerns/koi/controller/is_admin_controller.rb
-- app/controllers/concerns/koi/controller/json_web_token.rb
+- app/controllers/concerns/koi/controller/records_authentication.rb
 - app/controllers/well_knowns_controller.rb
 - app/helpers/koi/application_helper.rb
 - app/helpers/koi/date_helper.rb

data/app/controllers/concerns/koi/controller/json_web_token.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Koi
-  module Controller
-    module JsonWebToken
-      extend ActiveSupport::Concern
-
-      SECRET_KEY = Rails.application.secret_key_base
-
-      def encode_token(**payload)
-        JWT.encode(payload, SECRET_KEY)
-      end
-
-      def decode_token(token)
-        payload = JWT.decode(token, SECRET_KEY)[0]
-        ActiveSupport::HashWithIndifferentAccess.new(payload)
-      rescue JWT::DecodeError
-        nil
-      end
-    end
-  end
-end