lato 3.5.9 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2096e6aab4a75e7edce579a7a0864de28f146053291970b49099e8103427e050
-  data.tar.gz: 81b8ea778664362775b8beb2a095085eb5e0e32c94a2ded4ead6bf8a2fc9bde6
+  metadata.gz: 124f38d5389e35689d3829980d788e5531af092d45fd378b5fbaabdc039ebe51
+  data.tar.gz: e6a938bc4549803deb41efd7df596e85148d84488d442f75ac46b9bb8c0191bd
 SHA512:
-  metadata.gz: 7bbfd89a3199d1d1714050f1e5485b4ed3e54948322de3d409458e5c34cfdd59215ddac0a25d44b1cc0a750057c534d70346ba74c3d1eadce86ca4540288673c
-  data.tar.gz: 5c079279e86b805d1a072c6a1d1f01c50f9690b1073212cc70cc030652a4f1bb6ca03917f73e3f6cad74d5357730ebaa6955985583fbcc7c24bb1adbe54f8a57
+  metadata.gz: fed883559fd4d1859aacc7ca6ca2dc2d65935c1d91d769c23ba71b940d2067cc8d320b84512a9adbd6b0a1540f7e3b33098664c89298a18277fda7fa548a7dc9
+  data.tar.gz: 9b87edd528d4c10bb7c82f4b8fa7769d6625560668657dea98b085661d22696c215d138fc3a5af0947d22cfb20c63b014503f472d99516bf6b0594398809e0ca

data/README.md

@@ -107,4 +107,3 @@ $ ruby ./bin/publish.rb
 
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
-

data/app/controllers/lato/account_controller.rb

@@ -55,6 +55,20 @@ module Lato
       end
     end
 
+    def update_authenticator_action
+      return respond_to_with_not_found unless Lato.config.authenticator_connection
+
+      respond_to do |format|
+        if @session.user.generate_authenticator_secret
+          format.html { redirect_to lato.account_path }
+          format.json { render json: @session.user }
+        else
+          format.html { render :index, status: :unprocessable_entity }
+          format.json { render json: @session.user.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+
     def request_verify_email_action
       respond_to do |format|
         if @session.user.request_verify_email

data/app/controllers/lato/authentication_controller.rb

@@ -10,6 +10,7 @@ module Lato
     before_action :lock_signup_if_disabled, only: %i[signup signup_action]
     before_action :lock_recover_password_if_disabled, only: %i[recover_password recover_password_action update_password update_password_action]
     before_action :lock_web3_if_disabled, only: %i[web3_signin web3_signin_action]
+    before_action :lock_authenticator_if_disabled, only: %i[authenticator authenticator_action]
 
     before_action :hide_sidebar
 
@@ -28,10 +29,13 @@ module Lato
           ip_address: request.remote_ip,
           user_agent: request.user_agent
         ))
-          session_create(@user.id)
-
-          format.html { redirect_to lato.root_path }
-          format.json { render json: @user }
+          if create_session_or_start_authenticator(@user)
+            format.html { redirect_to lato.root_path }
+            format.json { render json: @user }
+          else
+            format.html { redirect_to lato.authentication_authenticator_path }
+            format.json { render json: @user }
+          end
         else
           format.html { render :signin, status: :unprocessable_entity }
           format.json { render json: @user.errors, status: :unprocessable_entity }
@@ -54,10 +58,13 @@ module Lato
           web3_nonce: session[:web3_nonce]
         ))
           session[:web3_nonce] = nil
-          session_create(@user.id)
-
-          format.html { redirect_to lato.root_path }
-          format.json { render json: @user }
+          if create_session_or_start_authenticator(@user)
+            format.html { redirect_to lato.root_path }
+            format.json { render json: @user }
+          else
+            format.html { redirect_to lato.authentication_authenticator_path }
+            format.json { render json: @user }
+          end
         else
           session[:web3_nonce] = nil
           format.html { render :web3_signin, status: :unprocessable_entity }
@@ -183,6 +190,31 @@ module Lato
       end
     end
 
+    # Authenticator
+    ##
+
+    def authenticator
+      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+      return respond_to_with_not_found unless @user
+    end
+
+    def authenticator_action
+      @user = Lato::User.find_by_id(session[:authenticator_user_id])
+
+      respond_to do |format|
+        if @user.authenticator(params.require(:user).permit(:authenticator_code))
+          session[:authenticator_user_id] = nil
+          session_create(@user.id)
+
+          format.html { redirect_to lato.root_path }
+          format.json { render json: @user }
+        else
+          format.html { render :authenticator, status: :unprocessable_entity }
+          format.json { render json: @user.errors, status: :unprocessable_entity }
+        end
+      end
+    end
+
     private
 
     def registration_params
@@ -199,6 +231,16 @@ module Lato
       respond_to_with_not_found unless @invitation
     end
 
+    def create_session_or_start_authenticator(user)
+      if !Lato.config.authenticator_connection || Lato.config.auth_disable_authenticator || !user.authenticator_enabled?
+        session_create(user.id)
+        return true
+      end
+
+      session[:authenticator_user_id] = user.id
+      false
+    end
+
     def lock_signup_if_disabled
       return unless Lato.config.auth_disable_signup
 
@@ -215,6 +257,12 @@ module Lato
       return if Lato.config.web3_connection && !Lato.config.auth_disable_web3
 
 
+      respond_to_with_not_found
+    end
+
+    def lock_authenticator_if_disabled
+      return if Lato.config.authenticator_connection && !Lato.config.auth_disable_authenticator
+
       respond_to_with_not_found
     end
   end

data/app/models/lato/user.rb

@@ -54,6 +54,10 @@ module Lato
       @valid_accepted_terms_and_conditions_version ||= accepted_terms_and_conditions_version >= Lato.config.legal_terms_and_conditions_version
     end
 
+    def authenticator_enabled?
+      !authenticator_secret.blank?
+    end
+
     # Helpers
     ##
 
@@ -65,6 +69,10 @@ module Lato
       @gravatar_image_url ||= "https://www.gravatar.com/avatar/#{Digest::MD5.hexdigest(email)}?s=#{size}"
     end
 
+    def authenticator_qr_code_base64(size = 200)
+      "data:image/png;base64,#{Base64.strict_encode64(RQRCode::QRCode.new(ROTP::TOTP.new(authenticator_secret, :issuer => Lato.config.application_title).provisioning_uri(email).to_s).as_png(size: size, border_modules: 0).to_s)}"
+    end
+
     # Operations
     ##
 
@@ -224,7 +232,9 @@ module Lato
 
       c_password_update_code('')
 
-      update(params.permit(:password, :password_confirmation))
+      update(params.permit(:password, :password_confirmation).merge(
+        authenticator_secret: nil # Reset authenticator secret when password is updated
+      ))
     end
 
     def update_accepted_privacy_policy_version(params)
@@ -292,6 +302,23 @@ module Lato
       true
     end
 
+    def generate_authenticator_secret
+      update(authenticator_secret: ROTP::Base32.random)
+    end
+
+    def authenticator(params)
+      return false unless authenticator_enabled?
+
+      totp = ROTP::TOTP.new(authenticator_secret)
+      result = totp.verify(params[:authenticator_code])
+      unless result
+        errors.add(:base, :authenticator_code_invalid)
+        return
+      end
+
+      true
+    end
+
     # Cache
     ##
 

data/app/views/lato/account/_form-authenticator.html.erb

@@ -0,0 +1,41 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'account_form-authenticator' do %>
+  <%= form_with model: user, url: lato.account_update_authenticator_action_path, data: { turbo_frame: '_self', controller: 'lato-form' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <% if user.authenticator_secret %>
+      <div class="d-block d-md-flex align-items-stretch">
+        <div class="text-center mb-3 mb-md-0 me-md-3">
+          <img src="<%= user.authenticator_qr_code_base64 %>" />
+        </div>
+        <div class="d-flex flex-column justify-content-between">
+          <div class="alert alert-light">
+            <p>
+              <%= raw I18n.t('lato.account_authenticator_ready_qr') %>
+            </p>
+          </div>
+
+          <div class="d-flex justify-content-end">
+            <%= lato_form_submit form, I18n.t('lato.reset_qr_code'), class: %w[btn-danger] %>
+          </div>
+        </div>
+      </div>
+    <% else %>
+      <div class="alert alert-light mb-0">
+        <h4 class="alert-heading"><%= I18n.t('lato.account_authenticator_start_title') %></h4>
+        <p>
+          <%= raw I18n.t('lato.account_authenticator_start_description') %>
+        </p>
+        <p class="mb-0">
+          <%= lato_form_submit form, I18n.t('lato.generate_qr_code'), class: %w[btn-primary] %>
+        </p>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>

data/app/views/lato/account/index.html.erb

@@ -32,6 +32,17 @@
 </div>
 <% end %>
 
+<% if Lato.config.authenticator_connection %>
+<div class="card mb-4">
+  <div class="card-header">
+    <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_authenticator') %></h2>
+  </div>
+  <div class="card-body">
+    <%= render 'lato/account/form-authenticator', user: @session.user %>
+  </div>
+</div>
+<% end %>
+
 <div class="card mb-4">
   <div class="card-header">
     <h2 class="fs-4 mb-0"><%= I18n.t('lato.account_delete') %></h2>

data/app/views/lato/authentication/_form-authenticator.html.erb

@@ -0,0 +1,28 @@
+<%
+
+user ||= Lato::User.new
+
+%>
+
+<%= turbo_frame_tag 'authentication_form-authenticator' do %>
+  <%= form_with model: user, url: lato.authentication_authenticator_action_path, method: :post, data: { turbo_frame: '_self', controller: 'lato-form' } do |form| %>
+    <%= lato_form_notices class: %w[mb-3] %>
+    <%= lato_form_errors user, class: %w[mb-3] %>
+
+    <div class="mb-3 text-center">
+      <p><%= raw I18n.t('lato.authenticator_code_help', email: user.email) %></p>
+    </div>
+    
+    <div class="mb-3">
+      <%= lato_form_item_input_text form, :authenticator_code, required: true %>
+    </div>
+
+    <div>
+      <%= lato_form_submit form, I18n.t('lato.confirm'), class: %w[d-block w-100] %>
+    </div>
+
+    <div class="text-center mt-3 mb-3">
+      <%= I18n.t('lato.or').downcase %> <%= link_to I18n.t('lato.reset_password').downcase, lato.authentication_recover_password_path %>
+    </div>
+  <% end %>
+<% end %>

data/app/views/lato/authentication/authenticator.html.erb

@@ -0,0 +1,10 @@
+<div class="w-100 h-100 d-flex justify-content-center align-items-center" style="min-height: calc(100vh - 54px - 2rem)">
+  <div class="card w-100" style="max-width: 400px">
+    <div class="card-header">
+      <h1 class="fs-3 mb-0 text-center"><%= I18n.t('lato.authenticator') %></h1>
+    </div>
+    <div class="card-body">
+      <%= render 'lato/authentication/form-authenticator', user: @user %>
+    </div>
+  </div>
+</div>

data/config/locales/en.yml

@@ -49,6 +49,15 @@ en:
     web3_signin: Web3 Login
     retry: Retry
     back: Go back
+    account_authenticator: Google Authenticator
+    account_authenticator_start_title: Enable Google Authenticator
+    account_authenticator_start_description: Generate a QR code by clicking the button below and scan it with the Google Authenticator app on your phone.<br>This will allow you to use the protect your account with a second factor authentication.
+    account_authenticator_ready_qr: Scan the QR code with the Google Authenticator app to use the account protection with a second factor authentication.
+    generate_qr_code: Generate QR code
+    reset_qr_code: Reset QR code
+    authenticator: Two-factor authentication
+    authenticator_code_help: Insert the code generated by the Google Authenticator app for the account <b>%{email}</b>
+    reset_password: Reset your password
 
     account_controller:
       update_user_action_notice: Account information properly updated
@@ -82,6 +91,7 @@ en:
               terms_and_conditions_invalid: To accept the terms and conditions you must select the confirmation checkbox
               web3_address_invalid: The address you send is not corretly signed
               web3_connection_error: Impossible to connect the wallet
+              authenticator_code_invalid: The code you inserted is not correct
             password:
               not_correct: not correct
             email:

data/config/locales/it.yml

@@ -51,6 +51,15 @@ it:
     web3_signin: Accedi con Web3
     retry: Riprova
     back: Torna indietro
+    account_authenticator: Google Authenticator
+    account_authenticator_start_title: Abilita Google Authenticator
+    account_authenticator_start_description: Genera un codice QR cliccando il pulsante sottostante e scansionalo con l'app Google Authenticator sul tuo telefono.<br>Questo ti permetterà di proteggere il tuo account con un'autenticazione a due fattori.
+    account_authenticator_ready_qr: Scansiona il codice QR con l'app Google Authenticator per utilizzare la protezione dell'account con un'autenticazione a due fattori.
+    generate_qr_code: Genera codice QR
+    reset_qr_code: Resetta codice QR
+    authenticator: Autenticazione a due fattori
+    authenticator_code_help: Inserisci il codice generato dall'app Google Authenticator per l'account <b>%{email}</b>
+    reset_password: Reimposta la tua password
 
     account_controller:
       update_user_action_notice: Informazioni account aggiornate correttamente
@@ -90,6 +99,7 @@ it:
               invitation_invalid: Invito non valido
               web3_address_invalid: L'inidirizzo inviato non è correttamente firmato
               web3_connection_error: Impossibile connettere il wallet
+              authenticator_code_invalid: Il codice inserito non è corretto
             password:
               not_correct: non corretta
             password_confirmation:

data/config/routes.rb

@@ -26,6 +26,8 @@ Lato::Engine.routes.draw do
     patch 'update_password_action', to: 'authentication#update_password_action', as: :authentication_update_password_action
     get 'accept_invitation', to: 'authentication#accept_invitation', as: :authentication_accept_invitation
     post 'accept_invitation_action', to: 'authentication#accept_invitation_action', as: :authentication_accept_invitation_action
+    get 'authenticator', to: 'authentication#authenticator', as: :authentication_authenticator
+    post 'authenticator_action', to: 'authentication#authenticator_action', as: :authentication_authenticator_action
   end
 
   # Account
@@ -35,6 +37,7 @@ Lato::Engine.routes.draw do
     get '', to: 'account#index', as: :account
     patch 'update_user_action', to: 'account#update_user_action', as: :account_update_user_action
     patch 'update_web3_action', to: 'account#update_web3_action', as: :account_update_web3_action
+    patch 'update_authenticator_action', to: 'account#update_authenticator_action', as: :account_update_authenticator_action
     patch 'request_verify_email_action', to: 'account#request_verify_email_action', as: :account_request_verify_email_action
     patch 'update_password_action', to: 'account#update_password_action', as: :account_update_password_action
     delete 'destroy_action', to: 'account#destroy_action', as: :account_destroy_action

data/db/migrate/20240318074025_add_authenticator_secret_to_user.rb

@@ -0,0 +1,5 @@
+class AddAuthenticatorSecretToUser < ActiveRecord::Migration[7.1]
+  def change
+    add_column :lato_users, :authenticator_secret, :string
+  end
+end

data/lib/lato/config.rb

@@ -10,7 +10,7 @@ module Lato
     attr_accessor :session_lifetime, :session_root_path
 
     # Authentication configs
-    attr_accessor :auth_disable_signup, :auth_disable_recover_password, :auth_disable_web3
+    attr_accessor :auth_disable_signup, :auth_disable_recover_password, :auth_disable_web3, :auth_disable_authenticator
 
     # Assets configs
     attr_accessor :assets_stylesheet_entry
@@ -25,6 +25,9 @@ module Lato
     # NOTE: It requires the gem 'eth' to be installed in the application Gemfile
     attr_accessor :web3_connection
 
+    # Authenticator connection
+    attr_accessor :authenticator_connection
+
     def initialize
       @application_title = 'Lato'
       @application_version = '1.0.0'
@@ -35,6 +38,7 @@ module Lato
       @auth_disable_signup = false
       @auth_disable_recover_password = false
       @auth_disable_web3 = false
+      @auth_disable_authenticator = false
 
       @assets_stylesheet_entry = 'application'
 
@@ -49,6 +53,7 @@ module Lato
       @legal_terms_and_conditions_version = 1
 
       @web3_connection = false
+      @authenticator_connection = false
     end
   end
 end

data/lib/lato/version.rb

@@ -1,3 +1,3 @@
 module Lato
-  VERSION = "3.5.9"
+  VERSION = "3.6.0"
 end

data/lib/lato.rb

@@ -1,6 +1,8 @@
 require "kaminari"
 require "bootstrap"
 require "browser"
+require "rotp"
+require "rqrcode"
 
 require "lato/version"
 require "lato/engine"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lato
 version: !ruby/object:Gem::Version
-  version: 3.5.9
+  version: 3.6.0
 platform: ruby
 authors:
 - Gregorio Galante
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-22 00:00:00.000000000 Z
+date: 2024-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -94,6 +94,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: eth
   requirement: !ruby/object:Gem::Requirement
@@ -162,6 +190,7 @@ files:
 - app/models/lato/user.rb
 - app/views/lato/account/_alert-accepted-privacy-policy-version.html.erb
 - app/views/lato/account/_alert-accepted-terms-and-conditions-version.html.erb
+- app/views/lato/account/_form-authenticator.html.erb
 - app/views/lato/account/_form-destroy.html.erb
 - app/views/lato/account/_form-password.html.erb
 - app/views/lato/account/_form-user.html.erb
@@ -169,6 +198,7 @@ files:
 - app/views/lato/account/index.html.erb
 - app/views/lato/authentication/_fields-registration.html.erb
 - app/views/lato/authentication/_form-accept-invitation.html.erb
+- app/views/lato/authentication/_form-authenticator.html.erb
 - app/views/lato/authentication/_form-recover-password.html.erb
 - app/views/lato/authentication/_form-signin.html.erb
 - app/views/lato/authentication/_form-signup.html.erb
@@ -176,6 +206,7 @@ files:
 - app/views/lato/authentication/_form-verify-email.html.erb
 - app/views/lato/authentication/_form-web3-signin.html.erb
 - app/views/lato/authentication/accept_invitation.html.erb
+- app/views/lato/authentication/authenticator.html.erb
 - app/views/lato/authentication/recover_password.html.erb
 - app/views/lato/authentication/signin.html.erb
 - app/views/lato/authentication/signout.html.erb
@@ -226,6 +257,7 @@ files:
 - db/migrate/20230823165716_create_lato_log_user_signups.rb
 - db/migrate/20240222125124_add_web3_to_lato_users.rb
 - db/migrate/20240222171418_add_indexes_on_lato_users_email.rb
+- db/migrate/20240318074025_add_authenticator_secret_to_user.rb
 - lib/lato.rb
 - lib/lato/btstrap.rb
 - lib/lato/config.rb