katalyst-koi 5.3.1 → 5.5.0

data/app/controllers/admin/profiles_controller.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Admin
+  class ProfilesController < ApplicationController
+    include Koi::Controller::HasWebauthn
+
+    before_action :requires_session_authentication!
+
+    alias_method :admin_user, :current_admin
+
+    def show
+      render locals: { admin_user: }
+    end
+
+    def edit
+      render :edit, locals: { admin_user: }
+    end
+
+    def update
+      if admin_user.update(profile_params)
+        redirect_to admin_profile_path, status: :see_other
+      else
+        render :edit, locals: { admin_user: }, status: :unprocessable_content
+      end
+    end
+
+    private
+
+    def profile_params
+      params.expect(admin_user: %i[name email password])
+    end
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -8,10 +8,16 @@ module Admin
     before_action :redirect_authenticated, only: %i[new], if: :admin_signed_in?
     before_action :authenticate_local_admin, only: %i[new], if: -> { Koi.config.authenticate_local_admins }
 
-    layout "koi/login"
+    attr_reader :admin_user
 
     def new
-      render locals: { admin_user: Admin::User.new }
+      @admin_user = Admin::User.new
+
+      if (message = flash.alert || flash.notice)
+        admin_user.errors.add(:email, message)
+      end
+
+      render locals: { admin_user: }
     end
 
     def create
@@ -35,7 +41,7 @@ module Admin
     end
 
     def destroy
-      record_sign_out!(current_admin_user)
+      record_sign_out!(Koi::Current.admin_user)
 
       session[:admin_user_id] = nil
 
@@ -80,7 +86,7 @@ module Admin
     end
 
     def create_session_with_webauthn
-      if (admin_user = webauthn_authenticate!)
+      if (admin_user = webauthn_authenticate!(session_params[:response]))
         admin_sign_in(admin_user)
       else
         admin_user = Admin::User.new
@@ -97,11 +103,11 @@ module Admin
     def authenticate_local_admin
       return if admin_signed_in? || !Rails.env.development?
 
-      @current_admin_user = Admin::User.find_by(email: "#{ENV.fetch('USER', nil)}@katalyst.com.au")
+      Koi::Current.admin_user = Admin::User.find_by(email: "#{ENV.fetch('USER', nil)}@katalyst.com.au")
 
       return unless admin_signed_in?
 
-      session[:admin_user_id] = current_admin_user.id
+      session[:admin_user_id] = Koi::Current.admin_user.id
 
       flash.delete(:redirect) if (redirect = flash[:redirect])
 

data/app/controllers/admin/tokens_controller.rb

@@ -10,7 +10,7 @@ module Admin
 
     def show
       if (@admin_user = Admin::User.find_by_token_for(:password_reset, params[:token]))
-        render locals: { admin_user:, token: params[:token] }, layout: "koi/login"
+        render locals: { admin_user:, token: params[:token] }
       else
         redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
       end
@@ -26,7 +26,11 @@ module Admin
 
         session[:admin_user_id] = admin_user.id
 
-        redirect_to admin_admin_user_path(admin_user), status: :see_other, notice: t("koi.auth.token_consumed")
+        if admin_user.credentials.any?
+          redirect_to(admin_root_path, status: :see_other)
+        else
+          redirect_to(new_admin_profile_credential_path, status: :see_other)
+        end
       else
         redirect_to(new_admin_session_path, status: :see_other, notice: I18n.t("koi.auth.token_invalid"))
       end

data/app/controllers/concerns/koi/controller/has_admin_users.rb

@@ -14,23 +14,20 @@ module Koi
       end
 
       def admin_signed_in?
-        current_admin_user.present?
-      rescue ActiveRecord::RecordNotFound
-        false
+        Koi::Current.admin_user.present?
       end
 
       def current_admin_user
-        return @current_admin_user if instance_variable_defined?(:@current_admin_user)
-        return @current_admin_user = nil unless session.has_key?(:admin_user_id)
-
-        @current_admin_user = Admin::User.find(session[:admin_user_id])
-      ensure
-        session.delete(:admin_user_id) unless @current_admin_user
+        Koi::Current.admin_user
       end
 
       # @deprecated Use current_admin_user instead
       alias_method :current_admin, :current_admin_user
 
+      def requires_session_authentication!
+        head(:forbidden) if session[:admin_user_id].blank?
+      end
+
       module Test
         # Include in view specs to stub out the current admin user
         module ViewHelper
@@ -40,11 +37,11 @@ module Koi
             before do
               view.singleton_class.module_eval do
                 def admin_signed_in?
-                  current_admin_user.present?
+                  Koi::Current.admin_user.present?
                 end
 
                 def current_admin_user
-                  respond_to?(:admin_user) ? admin_user : nil
+                  Koi::Current.admin_user = (respond_to?(:admin_user) ? admin_user : nil)
                 end
 
                 alias_method :current_admin, :current_admin_user

data/app/controllers/concerns/koi/controller/has_webauthn.rb

@@ -6,7 +6,7 @@ module Koi
       extend ActiveSupport::Concern
 
       included do
-        helper_method :webauthn_auth_options
+        helper Helper
       end
 
       def webauthn_relying_party
@@ -17,20 +17,41 @@ module Koi
           )
       end
 
-      def webauthn_auth_options
-        options = webauthn_relying_party.options_for_authentication
+      module Helper
+        def webauthn_authentication_options_value
+          options = controller.webauthn_relying_party.options_for_authentication
 
-        session[:authentication_challenge] = options.challenge
+          session[:authentication_challenge] = options.challenge
 
-        options
+          options
+        end
+
+        def webauthn_registration_options_value
+          user = Koi::Current.admin_user.tap do |u|
+            u.update!(webauthn_id: WebAuthn.generate_user_id) unless u.webauthn_id
+          end
+
+          options = controller.webauthn_relying_party.options_for_registration(
+            user:    {
+              id:           user.webauthn_id,
+              name:         user.email,
+              display_name: user.name,
+            },
+            exclude: user.credentials.pluck(:external_id),
+          )
+
+          session[:registration_challenge] = options.challenge
+
+          options
+        end
       end
 
-      def webauthn_authenticate!
-        return if session_params[:response].blank?
+      def webauthn_authenticate!(response)
+        return if response.blank?
 
         webauthn_credential, stored_credential = webauthn_relying_party.verify_authentication(
-          JSON.parse(session_params[:response]),
-          session[:authentication_challenge],
+          JSON.parse(response),
+          session.delete(:authentication_challenge),
         ) do |credential|
           Admin::Credential.find_by!(external_id: credential.id)
         end
@@ -44,6 +65,30 @@ module Koi
       rescue ActiveRecord::RecordNotFound, WebAuthn::VerificationError
         false
       end
+
+      def webauthn_register!(response)
+        return if response.blank?
+
+        webauthn_credential = webauthn_relying_party.verify_registration(
+          JSON.parse(response),
+          session.delete(:registration_challenge),
+        )
+
+        Koi::Current
+          .admin_user
+          .credentials
+          .create_with(nickname:   webauthn_nickname,
+                       public_key: webauthn_credential.public_key,
+                       sign_count: webauthn_credential.sign_count)
+          .create_or_find_by!(
+            external_id: webauthn_credential.id,
+          )
+      end
+
+      def webauthn_nickname
+        user_agent = UserAgent.parse(request.user_agent)
+        "#{user_agent.browser} (#{user_agent.platform})"
+      end
     end
   end
 end

data/app/controllers/concerns/koi/controller.rb

@@ -38,6 +38,13 @@ module Koi
       layout -> { turbo_frame_request? ? "koi/frame" : "koi/application" }
 
       protect_from_forgery with: :exception
+      skip_forgery_protection if: :bearer_token_request?
+    end
+
+    private
+
+    def bearer_token_request?
+      request.authorization.to_s.match?(/\ABearer .+\z/)
     end
   end
 end

data/app/javascript/koi/controllers/webauthn_authentication_controller.js

@@ -17,7 +17,7 @@ export default class WebauthnAuthenticationController extends Controller {
   get options() {
     return {
       publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(
-        this.optionsValue.publicKey,
+        this.optionsValue,
       ),
     };
   }

data/app/javascript/koi/controllers/webauthn_registration_controller.js

@@ -1,39 +1,29 @@
 import { Controller } from "@hotwired/stimulus";
 
 export default class WebauthnRegistrationController extends Controller {
+  static targets = ["response"];
   static values = {
     options: Object,
-    response: Object,
   };
-  static targets = ["intro", "nickname", "response"];
 
   submit(e) {
-    if (
-      this.responseTarget.value === "" &&
-      e.submitter.formMethod !== "dialog"
-    ) {
-      e.preventDefault();
-      this.createCredential().then();
-    }
+    if (this.responseTarget.value) return;
+
+    e.preventDefault();
+    this.createCredential().then(() => {
+      e.target.submit();
+    });
   }
 
   async createCredential() {
     const credential = await navigator.credentials.create(this.options);
-
-    this.responseValue = credential.toJSON();
     this.responseTarget.value = JSON.stringify(credential.toJSON());
   }
 
-  responseValueChanged(response) {
-    const responsePresent = response !== "";
-    this.introTarget.toggleAttribute("hidden", responsePresent);
-    this.nicknameTarget.toggleAttribute("hidden", !responsePresent);
-  }
-
   get options() {
     return {
       publicKey: PublicKeyCredential.parseCreationOptionsFromJSON(
-        this.optionsValue.publicKey,
+        this.optionsValue,
       ),
     };
   }

data/app/jobs/admin/device_authorizations_cleanup_job.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  class DeviceAuthorizationsCleanupJob < Koi::ApplicationJob
+    def perform
+      Admin::DeviceAuthorization.where(created_at: ...7.days.ago).delete_all
+    end
+  end
+end

data/app/models/admin/credential.rb

@@ -10,5 +10,9 @@ module Admin
     validates :external_id, uniqueness: true
     validates :sign_count,
               numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+
+    def to_s
+      nickname
+    end
   end
 end

data/app/models/admin/device_authorization.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module Admin
+  class DeviceAuthorization < ApplicationRecord
+    EXPIRES_IN = 10.minutes
+
+    class TokenError < StandardError
+      attr_reader :code
+
+      def initialize(code)
+        @code = code
+        super
+      end
+    end
+
+    self.table_name = :admin_device_authorizations
+
+    belongs_to :admin_user, class_name: "Admin::User", optional: true
+
+    enum :status, %w[pending approved denied consumed].index_with(&:to_s)
+
+    validates :device_code_digest, presence: true, uniqueness: true
+    validates :request_expires_at, presence: true
+    validates :status, presence: true, inclusion: { in: statuses.values }
+    validates :user_code, presence: true, uniqueness: true
+
+    def self.issue!(requested_ip:, user_agent:)
+      device_code = SecureRandom.urlsafe_base64(32)
+
+      device_authorization = create!(
+        device_code_digest: digest(device_code),
+        user_code:          generate_user_code,
+        request_expires_at: EXPIRES_IN.from_now,
+        requested_ip:,
+        user_agent:,
+      )
+
+      [device_authorization, device_code]
+    end
+
+    def self.digest(device_code)
+      Digest::SHA256.hexdigest(device_code)
+    end
+
+    def self.generate_user_code
+      "#{SecureRandom.alphanumeric(4).upcase}-#{SecureRandom.alphanumeric(4).upcase}"
+    end
+
+    def self.issue_access_token!(device_code:, token_expires_in: 12.hours)
+      device_authorization = find_by(device_code_digest: digest(device_code.to_s))
+      raise TokenError.new("invalid_grant") unless device_authorization
+
+      device_authorization.with_lock do
+        device_authorization.reload
+
+        if (error = device_authorization.token_error)
+          raise TokenError.new(error)
+        end
+
+        access_token = device_authorization.admin_user.generate_token_for(:api_access)
+        device_authorization.consume!(token_expires_in:)
+
+        {
+          access_token:,
+          token_type:   "Bearer",
+          expires_in:   token_expires_in.to_i,
+        }
+      end
+    end
+
+    def expired?
+      request_expires_at <= Time.current
+    end
+
+    def issuable?
+      approved? && !expired?
+    end
+
+    def token_error
+      return "authorization_pending" if pending?
+      return "access_denied" if denied?
+
+      "invalid_grant" if consumed? || expired?
+    end
+
+    def consume!(token_expires_in:)
+      update!(
+        status:           "consumed",
+        consumed_at:      Time.current,
+        token_expires_at: token_expires_in.from_now,
+      )
+    end
+
+    def approve!(admin_user:)
+      update!(
+        status:      "approved",
+        approved_at: Time.current,
+        admin_user:,
+      )
+    end
+
+    def deny!(admin_user:)
+      update!(
+        status:     "denied",
+        admin_user:,
+      )
+    end
+
+    def actionable?
+      pending? && !expired?
+    end
+  end
+end

data/app/models/admin/user.rb

@@ -14,6 +14,7 @@ module Admin
     # disable validations for password_digest
     has_secure_password validations: false
 
+    generates_token_for(:api_access, expires_in: 12.hours) { current_sign_in_at }
     generates_token_for(:password_reset, expires_in: 30.minutes) { current_sign_in_at }
 
     has_many :credentials, inverse_of: :admin, class_name: "Admin::Credential", dependent: :destroy

data/app/models/koi/current.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Koi
+  class Current < ActiveSupport::CurrentAttributes
+    # @return [Admin::User]
+    attribute :admin_user
+  end
+end

data/app/views/admin/admin_users/edit.html.erb

@@ -9,7 +9,9 @@
   <h1>Edit admin user</h1>
 
   <%= actions_list do %>
-    <li><%= link_to_archive_or_delete(admin_user) %></li>
+    <% unless admin_user == current_admin %>
+      <li><%= link_to_archive_or_delete(admin_user) %></li>
+    <% end %>
   <% end %>
 <% end %>
 

data/app/views/admin/admin_users/show.html.erb

@@ -8,6 +8,9 @@
   <h1><%= admin_user %></h1>
 
   <%= actions_list do %>
+    <% if admin_user == current_admin %>
+      <li><%= link_to("Profile", admin_profile_path) %></li>
+    <% end %>
     <li><%= link_to("Edit", edit_admin_admin_user_path(admin_user)) %></li>
   <% end %>
 <% end %>

data/app/views/admin/credentials/_credentials.html.erb

@@ -1,8 +1,11 @@
-<%# locals: (admin_user:) %>
+<%# locals: (admin_user:, collection: admin_user.credentials) %>
 
-<%= table_with(id: dom_id(admin_user, :credentials), collection: admin_user.credentials) do |t, c| %>
-  <% t.text :nickname, label: "Name" %>
-  <% t.date :updated_at, label: "Last use" do |date| %>
-    <%= date unless c.created_at == c.updated_at %>
+<%= table_with(id: dom_id(admin_user, :credentials), collection:) do |row, credential| %>
+  <% row.text(:nickname, label: "Name") do |cell| %>
+    <%= link_to(cell, admin_credential_path(credential)) %>
+  <% end %>
+  <% row.date(:created_at, label: "Created") %>
+  <% row.date(:updated_at, label: "Last use") do |date| %>
+    <%= date unless credential.created_at == credential.updated_at %>
   <% end %>
 <% end %>

data/app/views/admin/credentials/new.html.erb

@@ -1,43 +1,34 @@
-<%# locals: (admin_user:, credential:, options:) %>
+<%# locals: (admin_user:) %>
 
-<%= koi_modal_tag("edit", title: "New passkey") do %>
-  <%= koi_modal_header(title: "New passkey", form_id: dom_id(credential, :form)) %>
-  <main>
-    <%= form_with(model: credential,
-                  url:   admin_admin_user_credentials_path(admin_user),
-                  id:    dom_id(credential, :form),
-                  class: "flow prose",
-                  data:  {
-                    controller:                          "webauthn-registration",
-                    action:                              "submit->webauthn-registration#submit",
-                    webauthn_registration_options_value: { publicKey: options },
-                  }) do |form| %>
-      <%= form.hidden_field :response, data: { webauthn_registration_target: "response" } %>
-      <section class="flow prose" data-webauthn-registration-target="intro">
-        <p>
-          Passkeys are secure secrets that are stored by your device.
-          You will need the device where your passkey is stored to log in.
-        </p>
-        <p>
-          Unlike a password, your password doesn't get sent to the server when you log
-          in and can't be stolen in a data breach. When you log in with a passkey,
-          your operating system will prompt you for permission to use the passkey
-          secret to authenticate the login attempt.
-        </p>
-        <p>
-          We recommend that you store your passkey on your phone or cloud account.
-          Depending on your browser, you may need to choose "more options" to see
-          a QR code that you can scan with your phone.
-        </p>
-      </section>
-      <section class="flow" data-webauthn-registration-target="nickname" hidden>
-        <%= form.govuk_text_field :nickname, label: { text: "Passkey name" } do %>
-          Enter a name for this passkey to help you distinguish it from other passkeys you may have for this site.
-          <br>
-          Example: My Phone, Chrome, iCloud, 1Password
-        <% end %>
-      </section>
-    <% end %>
-  </main>
-  <%= koi_modal_footer("Next", nil, form_id: dom_id(credential, :form)) %>
+<%= content_for(:roadblock) do %>
+  <header>
+    <icon aria-hidden="true" class="icon" data-icon="fingerprint"></icon>
+    <h1>Create a passkey</h1>
+  </header>
+  <p>
+    Passkeys are secure secrets that are stored by your device.
+    You will need the device where your passkey is stored to log in.
+  </p>
+  <p>
+    Unlike a password, your password doesn't get sent to the server when you log
+    in and can't be stolen in a data breach. When you log in with a passkey,
+    your operating system will prompt you for permission to use the passkey
+    secret to authenticate the login attempt.
+  </p>
+  <p>
+    We recommend that you store your passkey on your phone or cloud account.
+    Depending on your browser, you may need to choose "more options" to see
+    a QR code that you can scan with your phone.
+  </p>
+
+  <%= form_with(model: Admin::Credential.new,
+                url:   admin_profile_credentials_path,
+                data:  {
+                  controller:                          "webauthn-registration",
+                  action:                              "submit->webauthn-registration#submit",
+                  webauthn_registration_options_value:,
+                }) do |form| %>
+    <%= form.hidden_field :response, data: { webauthn_registration_target: "response" } %>
+    <%= form.button("Next", type: :submit, class: "button") %>
+  <% end %>
 <% end %>

data/app/views/admin/credentials/show.html.erb

@@ -0,0 +1,19 @@
+<%# locals: (credential:) %>
+
+<% content_for(:header) do %>
+  <%= breadcrumb_list do %>
+    <li><%= link_to(credential.admin, admin_profile_path) %></li>
+  <% end %>
+
+  <h1>Passkey</h1>
+
+  <%= actions_list do %>
+    <li><%= link_to_delete(credential, url: admin_credential_path(credential)) %></li>
+  <% end %>
+<% end %>
+
+<%= form_with(model: credential, url: admin_credential_path(credential)) do |form| %>
+  <%= form.govuk_text_field(:nickname) %>
+
+  <%= form.button(type: :submit, class: "button") %>
+<% end %>

data/app/views/admin/device_authorizations/show.html.erb

@@ -0,0 +1,38 @@
+<%# locals: (device_authorization:) %>
+
+<%= content_for(:roadblock) do %>
+  <header>
+    <icon aria-hidden="true" class="icon" data-icon="koi">&nbsp;</icon>
+    <h1>API access request</h1>
+  </header>
+
+  <% if device_authorization.pending? && !device_authorization.expired? %>
+    <p>
+      A device is requesting a short-lived API token.
+    </p>
+    <dl>
+      <dt>Code</dt><dd><%= device_authorization.user_code %></dd>
+    </dl>
+
+    <div class="actions">
+      <%= button_to("Approve",
+                    admin_device_authorization_path(device_authorization.user_code),
+                    method: :patch,
+                    params: { decision: "approve" },
+                    class:  "button") %>
+      <%= button_to("Deny",
+                    admin_device_authorization_path(device_authorization.user_code),
+                    method: :patch,
+                    params: { decision: "deny" },
+                    class:  "button button--secondary") %>
+    </div>
+  <% end %>
+
+  <%= summary_table_with(model: device_authorization) do |row| %>
+    <% row.enum(:status) %>
+    <% row.text(:requested_ip) %>
+    <% row.text(:user_agent) %>
+    <% row.datetime(:request_expires_at) %>
+    <% row.datetime(:token_expires_at) %>
+  <% end %>
+<% end %>

data/app/views/admin/otps/_form.html.erb

@@ -2,7 +2,7 @@
 
 <%= form_with(id:     dom_id(admin_user, :otp),
               model:  admin_user,
-              url:    admin_admin_user_otp_path(admin_user),
+              url:    admin_profile_otp_path,
               method: :post,
               class:  "flow") do |form| %>
   <section class="flow prose">

data/app/views/admin/{admin_users/_form.html+self.erb → profiles/_form.html.erb}

@@ -1,6 +1,6 @@
 <%# locals: (admin_user:) %>
 
-<%= form_with(model: admin_user) do |form| %>
+<%= form_with(model: admin_user, url: admin_profile_path) do |form| %>
   <%= form.govuk_text_field :email %>
   <%= form.govuk_text_field :name %>
   <%= form.govuk_password_field :password, label: { text: "Password (optional)" } %>