lato 3.5.8 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b04945a750538aecdc08a8b8632aa661c3e08f7def4fad9b5b9fa1621dd09e80
-  data.tar.gz: 717437c493529ac4eb5da90ce0e38c917980e388e68bff2475ff37646d40fea9
+  metadata.gz: 124f38d5389e35689d3829980d788e5531af092d45fd378b5fbaabdc039ebe51
+  data.tar.gz: e6a938bc4549803deb41efd7df596e85148d84488d442f75ac46b9bb8c0191bd
 SHA512:
-  metadata.gz: 01d49b48a8bef85902bd4c0b1b21f1a5d7b06789f468b686972ade21546f5e5be6507a1d2fe592dc83b79d364d62576babbe306068febe815ef16604f5b40fcd
-  data.tar.gz: ac98e3240955cfb5a1c23b30c84c733480e9780d2747fc2ea9aea9a1c2a3828a9b59229c1cabd9d037237fd9350d8be7bcde4a72b0aeeccc4a8ffd13e35fc582
+  metadata.gz: fed883559fd4d1859aacc7ca6ca2dc2d65935c1d91d769c23ba71b940d2067cc8d320b84512a9adbd6b0a1540f7e3b33098664c89298a18277fda7fa548a7dc9
+  data.tar.gz: 9b87edd528d4c10bb7c82f4b8fa7769d6625560668657dea98b085661d22696c215d138fc3a5af0947d22cfb20c63b014503f472d99516bf6b0594398809e0ca

data/README.md

@@ -107,4 +107,3 @@ $ ruby ./bin/publish.rb
 
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
-

data/app/controllers/concerns/lato/componentable.rb

@@ -37,7 +37,7 @@ module Lato
         if collection.respond_to?(:lato_index_search)
           collection = collection.lato_index_search(search)
         else
-          query = @_lato_index[key][:searchable_columns].map { |k| "lower(#{k}) LIKE :search" }
+          query = @_lato_index[key][:searchable_columns].map { |k| "#{k.to_s == 'id' ? k : "lower(#{k})"} LIKE :search" }
           collection = collection.where(query.join(' OR '), search: "%#{search.downcase.strip}%")
         end
       end

data/app/controllers/lato/account_controller.rb

@@ -55,6 +55,20 @@ module Lato
       end
     end
 
+    def update_authenticator_action
+      return respond_to_with_not_found unless Lato.config.authenticator_connection
+
+      respond_to do |format|
+        if @session.user.generate_authenticator_secret
+          format.html { redirect_to lato.account_path }
+          format.json { render json: @session.user }
+        else
+          format.html { render :index, status: :unprocessable_entity }
+          format.json { render json: @session.user.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+
     def request_verify_email_action
       respond_to do |format|
         if @session.user.request_verify_email

data/app/controllers/lato/authentication_controller.rb

@@ -10,6 +10,7 @@ module Lato
     before_action :lock_signup_if_disabled, only: %i[signup signup_action]
     before_action :lock_recover_password_if_disabled, only: %i[recover_password recover_password_action update_password update_password_action]
     before_action :lock_web3_if_disabled, only: %i[web3_signin web3_signin_action]
+    before_action :lock_authenticator_if_disabled, only: %i[authenticator authenticator_action]
 
     before_action :hide_sidebar
 
@@ -28,10 +29,13 @@ module Lato
           ip_address: request.remote_ip,
           user_agent: request.user_agent
         ))
-          session_create(@user.id)
-
-          format.html { redirect_to lato.root_path }
-          format.json { render json: @user }
+          if create_session_or_start_authenticator(@user)
+            format.html { redirect_to lato.root_path }
+            format.json { render json: @user }
+          else
+            format.html { redirect_to lato.authentication_authenticator_path }
+            format.json { render json: @user }
+          end
         else
           format.html { render :signin, status: :unprocessable_entity }
           format.json { render json: @user.errors, status: :unprocessable_entity }
@@ -54,10 +58,13 @@ module Lato
           web3_nonce: session[:web3_nonce]
         ))
           session[:web3_nonce] = nil
-          session_create(@user.id)
-
-          format.html { redirect_to lato.root_path }
-          format.json { render json: @user }
+          if create_session_or_start_authenticator(@user)
+            format.html { redirect_to lato.root_path }
+            format.json { render json: @user }
+          else
+            format.html { redirect_to lato.authentication_authenticator_path }
+            format.json { render json: @user }
+          end
         else
           session[:web3_nonce] = nil
           format.html { render :web3_signin, status: :unprocessable_entity }
@@ -183,6 +190,31 @@ module Lato
       end
     end
 
+    # Authenticator
+    ##
+
+    def authenticator
+      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+      return respond_to_with_not_found unless @user
+    end
+
+    def authenticator_action
+      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+
+      respond_to do |format|
+        if @user.authenticator(params.require(:user).permit(:authenticator_code))
+          session[:authenticator_user_id] = nil
+          session_create(@user.id)
+
+          format.html { redirect_to lato.root_path }
+          format.json { render json: @user }
+        else
+          format.html { render :authenticator, status: :unprocessable_entity }
+          format.json { render json: @user.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+
     private
 
     def registration_params
@@ -199,6 +231,16 @@ module Lato
       respond_to_with_not_found unless @invitation
     end
 
+    def create_session_or_start_authenticator(user)
+      if !Lato.config.authenticator_connection || Lato.config.auth_disable_authenticator || !user.authenticator_enabled?
+        session_create(user.id)
+        return true
+      end
+
+      session[:authenticator_user_id] = user.id
+      false
+    end
+
     def lock_signup_if_disabled
       return unless Lato.config.auth_disable_signup
 
@@ -215,6 +257,12 @@ module Lato
       return if Lato.config.web3_connection && !Lato.config.auth_disable_web3
 
 
+      respond_to_with_not_found
+    end
+
+    def lock_authenticator_if_disabled
+      return if Lato.config.authenticator_connection && !Lato.config.auth_disable_authenticator
+
       respond_to_with_not_found
     end
   end

data/app/models/lato/user.rb

@@ -1,5 +1,6 @@
 module Lato
   class User < ApplicationRecord
+    include Lato::DependencyHelper
     include LatoUserApplication
 
     has_secure_password
@@ -53,6 +54,10 @@ module Lato
       @valid_accepted_terms_and_conditions_version ||= accepted_terms_and_conditions_version >= Lato.config.legal_terms_and_conditions_version
     end
 
+    def authenticator_enabled?
+      !authenticator_secret.blank?
+    end
+
     # Helpers
     ##
 
@@ -64,6 +69,10 @@ module Lato
       @gravatar_image_url ||= "https://www.gravatar.com/avatar/#{Digest::MD5.hexdigest(email)}?s=#{size}"
     end
 
+    def authenticator_qr_code_base64(size = 200)
+      "data:image/png;base64,#{Base64.strict_encode64(RQRCode::QRCode.new(ROTP::TOTP.new(authenticator_secret, :issuer => Lato.config.application_title).provisioning_uri(email).to_s).as_png(size: size, border_modules: 0).to_s)}"
+    end
+
     # Operations
     ##
 
@@ -112,6 +121,8 @@ module Lato
     end
 
     def web3_signin(params)
+      depends_on('eth')
+
       self.web3_address = params[:web3_address]
 
       user = Lato::User.find_by(web3_address: params[:web3_address].downcase)
@@ -221,7 +232,9 @@ module Lato
 
       c_password_update_code('')
 
-      update(params.permit(:password, :password_confirmation))
+      update(params.permit(:password, :password_confirmation).merge(
+        authenticator_secret: nil # Reset authenticator secret when password is updated
+      ))
     end
 
     def update_accepted_privacy_policy_version(params)
@@ -269,6 +282,8 @@ module Lato
     end
 
     def add_web3_connection(params)
+      depends_on('eth')
+
       signature_pubkey = Eth::Signature.personal_recover(params[:web3_nonce], params[:web3_signed_nonce])
       signature_address = Eth::Util.public_key_to_address signature_pubkey
       unless signature_address.to_s.downcase == params[:web3_address].downcase
@@ -287,6 +302,23 @@ module Lato
       true
     end
 
+    def generate_authenticator_secret
+      update(authenticator_secret: ROTP::Base32.random)
+    end
+
+    def authenticator(params)
+      return false unless authenticator_enabled?
+
+      totp = ROTP::TOTP.new(authenticator_secret)
+      result = totp.verify(params[:authenticator_code])
+      unless result
+        errors.add(:base, :authenticator_code_invalid)
+        return
+      end
+
+      true
+    end
+
     # Cache
     ##
 

data/app/views/lato/account/_form-authenticator.html.erb

@@ -0,0 +1,41 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'account_form-authenticator' do %>
+  <%= form_with model: user, url: lato.account_update_authenticator_action_path, data: { turbo_frame: '_self', controller: 'lato-form' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.authenticator_secret %>
+      <div class="d-block d-md-flex align-items-stretch">
+        <div class="text-center mb-3 mb-md-0 me-md-3">
+          <img src="<%= user.authenticator_qr_code_base64 %>" />
+        </div>
+        <div class="d-flex flex-column justify-content-between">
+          <div class="alert alert-light">
+            <p>
+              <%= raw I18n.t('lato.account_authenticator_ready_qr') %>
+            </p>
+          </div>
+
+          <div class="d-flex justify-content-end">
+            <%= lato_form_submit form, I18n.t('lato.reset_qr_code'), class: %w[btn-danger] %>
+          </div>
+        </div>
+      </div>
+    <% else %>
+      <div class="alert alert-light mb-0">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_authenticator_start_title') %></h4>
+        <p>
+          <%= raw I18n.t('lato.account_authenticator_start_description') %>
+        </p>
+        <p class="mb-0">
+          <%= lato_form_submit form, I18n.t('lato.generate_qr_code'), class: %w[btn-primary] %>
+        </p>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>

data/app/views/lato/account/index.html.erb

@@ -32,6 +32,17 @@
 </div>
 <% end %>
 
+<% if Lato.config.authenticator_connection %>
+<div class="card mb-4">
+  <div class="card-header">
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
+  </div>
+  <div class="card-body">
+    <%= render 'lato/account/form-authenticator', user: @session.user %>
+  </div>
+</div>
+<% end %>
+
 <div class="card mb-4">
   <div class="card-header">
     <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_delete') %></h2>

data/app/views/lato/authentication/_form-authenticator.html.erb

@@ -0,0 +1,28 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-authenticator' do %>
+  <%= form_with model: user, url: lato.authentication_authenticator_action_path, method: :post, data: { turbo_frame: '_self', controller: 'lato-form' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <div class="mb-3 text-center">
+      <p><%= raw I18n.t('lato.authenticator_code_help', email: user.email) %></p>
+    </div>
+    
+    <div class="mb-3">
+      <%= lato_form_item_input_text form, :authenticator_code, required: true %>
+    </div>
+
+    <div>
+      <%= lato_form_submit form, I18n.t('lato.confirm'), class: %w[d-block w-100] %>
+    </div>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/authenticator.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.authenticator') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-authenticator', user: @user %>
+    </div>
+  </div>
+</div>

data/config/locales/en.yml

@@ -49,6 +49,15 @@ en:
     web3_signin: Web3 Login
     retry: Retry
     back: Go back
+    account_authenticator: Google Authenticator
+    account_authenticator_start_title: Enable Google Authenticator
+    account_authenticator_start_description: Generate a QR code by clicking the button below and scan it with the Google Authenticator app on your phone.<br>This will allow you to use the protect your account with a second factor authentication.
+    account_authenticator_ready_qr: Scan the QR code with the Google Authenticator app to use the account protection with a second factor authentication.
+    generate_qr_code: Generate QR code
+    reset_qr_code: Reset QR code
+    authenticator: Two-factor authentication
+    authenticator_code_help: Insert the code generated by the Google Authenticator app for the account <b>%{email}</b>
+    reset_password: Reset your password
 
     account_controller:
       update_user_action_notice: Account information properly updated
@@ -82,6 +91,7 @@ en:
               terms_and_conditions_invalid: To accept the terms and conditions you must select the confirmation checkbox
               web3_address_invalid: The address you send is not corretly signed
               web3_connection_error: Impossible to connect the wallet
+              authenticator_code_invalid: The code you inserted is not correct
             password:
               not_correct: not correct
             email:

data/config/locales/it.yml

@@ -51,6 +51,15 @@ it:
     web3_signin: Accedi con Web3
     retry: Riprova
     back: Torna indietro
+    account_authenticator: Google Authenticator
+    account_authenticator_start_title: Abilita Google Authenticator
+    account_authenticator_start_description: Genera un codice QR cliccando il pulsante sottostante e scansionalo con l'app Google Authenticator sul tuo telefono.<br>Questo ti permetterà di proteggere il tuo account con un'autenticazione a due fattori.
+    account_authenticator_ready_qr: Scansiona il codice QR con l'app Google Authenticator per utilizzare la protezione dell'account con un'autenticazione a due fattori.
+    generate_qr_code: Genera codice QR
+    reset_qr_code: Resetta codice QR
+    authenticator: Autenticazione a due fattori
+    authenticator_code_help: Inserisci il codice generato dall'app Google Authenticator per l'account <b>%{email}</b>
+    reset_password: Reimposta la tua password
 
     account_controller:
       update_user_action_notice: Informazioni account aggiornate correttamente
@@ -90,6 +99,7 @@ it:
               invitation_invalid: Invito non valido
               web3_address_invalid: L'inidirizzo inviato non è correttamente firmato
               web3_connection_error: Impossibile connettere il wallet
+              authenticator_code_invalid: Il codice inserito non è corretto
             password:
               not_correct: non corretta
             password_confirmation:

data/config/routes.rb

@@ -26,6 +26,8 @@ Lato::Engine.routes.draw do
     patch 'update_password_action', to: 'authentication#update_password_action', as: :authentication_update_password_action
     get 'accept_invitation', to: 'authentication#accept_invitation', as: :authentication_accept_invitation
     post 'accept_invitation_action', to: 'authentication#accept_invitation_action', as: :authentication_accept_invitation_action
+    get 'authenticator', to: 'authentication#authenticator', as: :authentication_authenticator
+    post 'authenticator_action', to: 'authentication#authenticator_action', as: :authentication_authenticator_action
   end
 
   # Account
@@ -35,6 +37,7 @@ Lato::Engine.routes.draw do
     get '', to: 'account#index', as: :account
     patch 'update_user_action', to: 'account#update_user_action', as: :account_update_user_action
     patch 'update_web3_action', to: 'account#update_web3_action', as: :account_update_web3_action
+    patch 'update_authenticator_action', to: 'account#update_authenticator_action', as: :account_update_authenticator_action
     patch 'request_verify_email_action', to: 'account#request_verify_email_action', as: :account_request_verify_email_action
     patch 'update_password_action', to: 'account#update_password_action', as: :account_update_password_action
     delete 'destroy_action', to: 'account#destroy_action', as: :account_destroy_action

data/db/migrate/20240318074025_add_authenticator_secret_to_user.rb

@@ -0,0 +1,5 @@
+class AddAuthenticatorSecretToUser < ActiveRecord::Migration[7.1]
+  def change
+    add_column :lato_users, :authenticator_secret, :string
+  end
+end

data/lib/lato/config.rb

@@ -10,7 +10,7 @@ module Lato
     attr_accessor :session_lifetime, :session_root_path
 
     # Authentication configs
-    attr_accessor :auth_disable_signup, :auth_disable_recover_password, :auth_disable_web3
+    attr_accessor :auth_disable_signup, :auth_disable_recover_password, :auth_disable_web3, :auth_disable_authenticator
 
     # Assets configs
     attr_accessor :assets_stylesheet_entry
@@ -22,8 +22,12 @@ module Lato
     attr_accessor :legal_privacy_policy_url, :legal_privacy_policy_version, :legal_terms_and_conditions_url, :legal_terms_and_conditions_version
 
     # Web3 connection
+    # NOTE: It requires the gem 'eth' to be installed in the application Gemfile
     attr_accessor :web3_connection
 
+    # Authenticator connection
+    attr_accessor :authenticator_connection
+
     def initialize
       @application_title = 'Lato'
       @application_version = '1.0.0'
@@ -34,6 +38,7 @@ module Lato
       @auth_disable_signup = false
       @auth_disable_recover_password = false
       @auth_disable_web3 = false
+      @auth_disable_authenticator = false
 
       @assets_stylesheet_entry = 'application'
 
@@ -48,6 +53,7 @@ module Lato
       @legal_terms_and_conditions_version = 1
 
       @web3_connection = false
+      @authenticator_connection = false
     end
   end
 end

data/lib/lato/dependency_helper.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# NOTE: Taken from https://github.com/andreibondarev/langchainrb/blob/main/lib/langchain/dependency_helper.rb
+# Thanks to Andrei Bondarev for the inspiration!!
+
+module Lato
+  module DependencyHelper
+    class LoadError < ::LoadError; end
+
+    class VersionError < ScriptError; end
+
+    # This method requires and loads the given gem, and then checks to see if the version of the gem meets the requirements listed in `lato.gemspec`
+    # This solution was built to avoid auto-loading every single gem in the Gemfile when the developer will mostly likely be only using a few of them.
+    #
+    # @param gem_name [String] The name of the gem to load
+    # @return [Boolean] Whether or not the gem was loaded successfully
+    # @raise [LoadError] If the gem is not installed
+    # @raise [VersionError] If the gem is installed, but the version does not meet the requirements
+    #
+    def depends_on(gem_name, req: true)
+      gem(gem_name) # require the gem
+
+      return(true) unless defined?(Bundler) # If we're in a non-bundler environment, we're no longer able to determine if we'll meet requirements
+
+      gem_version = Gem.loaded_specs[gem_name].version
+      gem_requirement = Bundler.load.dependencies.find { |g| g.name == gem_name }&.requirement
+
+      raise LoadError unless gem_requirement
+
+      unless gem_requirement.satisfied_by?(gem_version)
+        raise VersionError, "The #{gem_name} gem is installed, but version #{gem_requirement} is required. You have #{gem_version}."
+      end
+
+      lib_name = gem_name if req == true
+      lib_name = req if req.is_a?(String)
+
+      require(lib_name) if lib_name
+
+      true
+    rescue ::LoadError
+      raise LoadError, "Could not load #{gem_name}. Please ensure that the #{gem_name} gem is installed."
+    end
+  end
+end

data/lib/lato/version.rb

@@ -1,3 +1,3 @@
 module Lato
-  VERSION = "3.5.8"
+  VERSION = "3.6.0"
 end

data/lib/lato.rb

@@ -1,12 +1,14 @@
 require "kaminari"
 require "bootstrap"
 require "browser"
-require "eth"
+require "rotp"
+require "rqrcode"
 
 require "lato/version"
 require "lato/engine"
 require "lato/config"
 require "lato/btstrap"
+require "lato/dependency_helper"
 
 module Lato
   class << self

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lato
 version: !ruby/object:Gem::Version
-  version: 3.5.8
+  version: 3.6.0
 platform: ruby
 authors:
 - Gregorio Galante
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-21 00:00:00.000000000 Z
+date: 2024-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -95,7 +95,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: eth
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -108,6 +122,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: eth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Rails engine that includes what you need to build a new project!
 email:
 - me@gregoriogalante.com
@@ -162,6 +190,7 @@ files:
 - app/models/lato/user.rb
 - app/views/lato/account/_alert-accepted-privacy-policy-version.html.erb
 - app/views/lato/account/_alert-accepted-terms-and-conditions-version.html.erb
+- app/views/lato/account/_form-authenticator.html.erb
 - app/views/lato/account/_form-destroy.html.erb
 - app/views/lato/account/_form-password.html.erb
 - app/views/lato/account/_form-user.html.erb
@@ -169,6 +198,7 @@ files:
 - app/views/lato/account/index.html.erb
 - app/views/lato/authentication/_fields-registration.html.erb
 - app/views/lato/authentication/_form-accept-invitation.html.erb
+- app/views/lato/authentication/_form-authenticator.html.erb
 - app/views/lato/authentication/_form-recover-password.html.erb
 - app/views/lato/authentication/_form-signin.html.erb
 - app/views/lato/authentication/_form-signup.html.erb
@@ -176,6 +206,7 @@ files:
 - app/views/lato/authentication/_form-verify-email.html.erb
 - app/views/lato/authentication/_form-web3-signin.html.erb
 - app/views/lato/authentication/accept_invitation.html.erb
+- app/views/lato/authentication/authenticator.html.erb
 - app/views/lato/authentication/recover_password.html.erb
 - app/views/lato/authentication/signin.html.erb
 - app/views/lato/authentication/signout.html.erb
@@ -226,9 +257,11 @@ files:
 - db/migrate/20230823165716_create_lato_log_user_signups.rb
 - db/migrate/20240222125124_add_web3_to_lato_users.rb
 - db/migrate/20240222171418_add_indexes_on_lato_users_email.rb
+- db/migrate/20240318074025_add_authenticator_secret_to_user.rb
 - lib/lato.rb
 - lib/lato/btstrap.rb
 - lib/lato/config.rb
+- lib/lato/dependency_helper.rb
 - lib/lato/engine.rb
 - lib/lato/version.rb
 - lib/tasks/lato_tasks.rake