maquina 0.1.0

data/app/models/concerns/maquina/multifactor.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require "rotp"
+
+module Maquina
+  module Multifactor
+    extend ActiveSupport::Concern
+
+    included do
+      if has_attribute?(:otp_secret_key) && has_attribute?(:otp_recovery_codes)
+        encrypts :otp_secret_key, :otp_recovery_codes
+
+        def multifactor?
+          otp_secret_key.present?
+        end
+
+        def enable_multifactor!(multifactor_secret_key)
+          self.otp_secret_key = multifactor_secret_key
+          self.otp_recovery_codes = 10.times.map { SecureRandom.alphanumeric(12) }.join(" ")
+
+          save!
+        end
+
+        def disable_multifactor!
+          self.last_otp_at = nil
+          self.otp_secret_key = nil
+          self.otp_recovery_codes = nil
+
+          save!
+        end
+
+        def verify_multifactor_code!(multifactor_code, multifactor_secret_key = nil)
+          multifactor_secret_key ||= otp_secret_key
+
+          options = {drift_behind: 15}
+          options[:after] = last_otp_at.to_i if last_otp_at.present?
+
+          last_at = totp_instance(multifactor_secret_key).verify(multifactor_code, **options)
+
+          if last_at.present?
+            self.last_otp_at = Time.at(last_at).utc.to_datetime
+            save!
+          end
+
+          last_at
+        end
+
+        def verify_multifactor_recovery_code!(recovery_code)
+          return nil if !multifactor?
+
+          codes = otp_recovery_codes.split(" ")
+          valid_code = codes.detect do |code|
+            ActiveSupport::SecurityUtils.secure_compare(recovery_code.strip, code)
+          end
+
+          if valid_code.present?
+            codes.delete(recovery_code.strip)
+            self.otp_recovery_codes = codes.join(" ")
+            save!
+          end
+
+          valid_code
+        end
+
+        private
+
+        def totp_instance(multifactor_secret_key = nil)
+          multifactor_secret_key ||= otp_secret_key
+          @totp_instance ||= ROTP::TOTP.new(multifactor_secret_key, issuer: I18n.t(:application_name), default: "Maquina")
+        end
+      end
+    end
+
+    class_methods do
+      def generate_multifactor_secret
+        ROTP::Base32.random
+      end
+    end
+  end
+end

data/app/models/concerns/maquina/retain_passwords.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Maquina
+  module RetainPasswords
+    extend ActiveSupport::Concern
+
+    included do
+      validate :password_uniqueness, if: ->(user) { user.password_digest_changed? }
+      after_create :store_password_digest
+      after_update :store_password_digest, if: ->(user) { user.previous_changes.has_key?(:password_digest) }
+
+      private
+
+      def password_uniqueness
+        return if Maquina.configuration.password_retain_count.blank? || Maquina.configuration.password_retain_count.zero?
+
+        used_before = Maquina::UsedPassword.where(user: self).detect do |used_password|
+          bcrypt = ::BCrypt::Password.new(used_password.password_digest)
+          hashed_value = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+
+          ActiveSupport::SecurityUtils.secure_compare(hashed_value, used_password.password_digest)
+        end
+
+        errors.add(:password, :password_already_used) if used_before.present?
+      end
+
+      def store_password_digest
+        Maquina::UsedPassword.store_password_digest(id, password_digest)
+      end
+    end
+  end
+end

data/app/models/concerns/maquina/searchable.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "pg_search"
+
+module Maquina
+  module Searchable
+    extend ActiveSupport::Concern
+
+    included do
+      include PgSearch::Model
+    end
+
+    class_methods do
+      def search_scope(fields: [], options: {})
+        return if fields.empty?
+
+        default_options = {tsearch: {prefix: true, any_word: true}}
+        search_options = options.deep_merge(default_options)
+
+        pg_search_scope :search_full, against: fields, using: search_options # , ignoring: :accents
+      end
+    end
+  end
+end

data/app/models/maquina/active_session.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Maquina
+  class ActiveSession < ApplicationRecord
+    belongs_to :user, class_name: "Maquina::User", foreign_key: :maquina_user_id
+    delegate :blocked?, to: :user
+
+    after_initialize :configure_expiration
+
+    validates :expires_at, presence: true, comparison: {greater_than: Time.zone.now}, if: ->(session) { (session.new_record? || session.changed.includes?("expires_at")) && Maquina.configuration.session_expiration.present? }
+    validate :non_blocked_user
+
+    def expired?
+      return false if expires_at.blank?
+
+      !expires_at.future?
+    end
+
+    private
+
+    def non_blocked_user
+      return if user.blank? || !blocked?
+
+      errors.add(:user, :blocked)
+    end
+
+    def configure_expiration
+      if new_record? && expires_at.blank? && Maquina.configuration.session_expiration.present?
+        self.expires_at = Time.zone.now.since(Maquina.configuration.session_expiration)
+      end
+    end
+  end
+end

data/app/models/maquina/application_record.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "pg_search"
+
+module Maquina
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+
+    include PgSearch::Model
+  end
+end

data/app/models/maquina/current.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Maquina
+  class Current < ActiveSupport::CurrentAttributes
+    attribute :active_session, :user
+
+    def signed_in?
+      return false if active_session.blank?
+      !active_session.expired? && !active_session.blocked?
+    end
+
+    def active_session=(value)
+      super
+      self.user = value&.user
+    end
+
+    def management?
+      user.management?
+    end
+  end
+end

data/app/models/maquina/invitation.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Maquina
+  class Invitation < ApplicationRecord
+    validates :email, presence: true, format: {with: URI::MailTo::EMAIL_REGEXP}
+
+    def accepted?
+      accepted_at.present?
+    end
+
+    def accept!
+      update!(accepted_at: Time.zone.now)
+    end
+  end
+end

data/app/models/maquina/plan.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Maquina
+  ##
+  # A class representing the Plan model in the Maquina module.
+  #
+  # == Attributes
+  #
+  # - +price+:: The price of the Plan, represented as a monetary value with currency.
+  # - +name+:: The name of the Plan.
+  #
+  # == Validations
+  #
+  # - +price+:: Must be greater than or equal to 0 if the Plan is marked as free.
+  # - +price+:: Must be greater than 0 if the Plan is not marked as free.
+  # - +name+:: Must be present and unique.
+  #
+  # == Scopes
+  #
+  # - +search_full+:: Provides a search scope for Plan model, allowing searching by name with options for prefix matching and matching any word.
+  #
+  # == Usage
+  #
+  # The Plan model represents a pricing plan in the Maquina module. To use the Plan model, create instances with valid
+  # attributes and use the provided methods and scopes for querying and manipulating plan data.
+
+  class Plan < ApplicationRecord
+    include Searchable
+
+    monetize :price_cents
+
+    validates :price, numericality: {greater_than_or_equal_to: 0}, if: ->(plan) { plan.free? }
+    validates :price, numericality: {greater_than: 0}, if: ->(plan) { !plan.free? }
+    validates :name, presence: true, uniqueness: true
+
+    search_scope(fields: [:name])
+  end
+end

data/app/models/maquina/used_password.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Maquina
+  class UsedPassword < ApplicationRecord
+    belongs_to :user, class_name: "Maquina::User", foreign_key: :maquina_user_id
+
+    encrypts :password_digest
+    validates :password_digest, presence: true
+
+    def self.store_password_digest(user_id, password_digest)
+      return if Maquina.configuration.password_retain_count.blank? || Maquina.configuration.password_retain_count.zero?
+
+      Maquina::UsedPassword.where(user: user_id).order(id: :desc).offset(2).delete_all
+      Maquina::UsedPassword.create(maquina_user_id: user_id, password_digest: password_digest)
+    end
+  end
+end

data/app/models/maquina/user.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Maquina
+  class User < ApplicationRecord
+    include Maquina::Searchable
+    include Maquina::RetainPasswords
+    include Maquina::AuthenticateBy
+    include Maquina::Blockeable
+    include Maquina::Multifactor
+
+    PASSWORD_COMPLEXITY_REGEX = /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&#-=+])[A-Za-z\d@$!%*?&#-=+]{8,}\z/
+    has_secure_password
+
+    validates :email, presence: true, uniqueness: true, format: {with: URI::MailTo::EMAIL_REGEXP}
+    validates :password, format: {with: PASSWORD_COMPLEXITY_REGEX}, unless: ->(user) { user.password.blank? }
+
+    before_save :downcase_email
+
+    search_scope(fields: [:email])
+
+    def expired_password?
+      return false if password_expires_at.blank?
+
+      password_expires_at < Time.zone.now
+    end
+
+    private
+
+    def downcase_email
+      self.email = email.downcase
+    end
+  end
+end

data/app/policies/maquina/application_policy.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Maquina
+  class ApplicationPolicy < ActionPolicy::Base
+    def index?
+      false
+    end
+
+    def show?
+      false
+    end
+
+    def new?
+      false
+    end
+
+    def create?
+      new?
+    end
+
+    def edit?
+      false
+    end
+
+    def update?
+      edit?
+    end
+
+    def destroy?
+      false
+    end
+
+    def new_modal?
+      false
+    end
+
+    private
+
+    def management?
+      user.management?
+    end
+
+    # Define shared methods useful for most policies.
+    # For example:
+    #
+    #  def owner?
+    #    record.user_id == user.id
+    #  end
+  end
+end

data/app/policies/maquina/invitation_policy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Maquina
+  class InvitationPolicy < ApplicationPolicy
+    def new?
+      management?
+    end
+
+    def create?
+      new?
+    end
+  end
+end

data/app/policies/maquina/navigation_policy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Maquina
+  class NavigationPolicy < ApplicationPolicy
+    def plans?
+      user.management?
+    end
+
+    def users?
+      user.management?
+    end
+  end
+end

data/app/policies/maquina/plan_policy.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Maquina
+  ##
+  # A class representing the authorization policy for the Plan model.
+  #
+  # == Methods
+  #
+  # - +index?+:: Returns true if the user has authorization to view the index page for Plan model.
+  # - +new?+:: Returns true if the user has authorization to view the new page for creating a new Plan object.
+  # - +create?+:: Returns the same result as new?, as it requires the same authorization to create a new Plan object.
+  # - +edit?+:: Returns true if the user has authorization to view the edit page for an existing Plan object.
+  # - +relation_scope+:: Provides a relation scope for Plan model, allowing customization of query scopes based on authorization policies.
+  #
+  # == Private Methods
+  #
+  # - +management?+:: Helper method to determine if the user is in a management role. This method exists in Maquina::ApplicationPolicy.
+  #
+  # == Usage
+  #
+  # To use PlanPolicy, define the relevant authorization methods, such as management? or any other custom authorization
+  # methods, in the Maquina module or in a related authorization system. Then, inherit from PlanPolicy in your
+  # Plan model's policy class, and use the provided authorization methods, such as index?, new?, create?, and edit?, to
+  # define the authorization policies for Plan model actions.
+
+  class PlanPolicy < ApplicationPolicy
+    def index?
+      management?
+    end
+
+    def new?
+      management?
+    end
+
+    def create?
+      new?
+    end
+
+    def edit?
+      management?
+    end
+
+    private
+
+    relation_scope do |scope|
+      scope
+    end
+  end
+end

data/app/policies/maquina/user_policy.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Maquina
+  class UserPolicy < ApplicationPolicy
+    def index?
+      management?
+    end
+
+    def new?
+      management?
+    end
+
+    def create?
+      new?
+    end
+
+    def new_modal?
+      new?
+    end
+
+    private
+
+    relation_scope do |scope|
+      scope.where(management: management?)
+    end
+  end
+end

data/app/views/layouts/maquina/application.html.erb

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html class="h-full bg-gray-50">
+  <head>
+    <title><%= t("application_name") %></title>
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag "maquina/tailwind", "inter-font", "data-turbo-track": "reload" %>
+    <%= stylesheet_link_tag "maquina/application", "data-turbo-track": "reload", media: "all" %>
+
+    <%= maquina_importmap_tags %>
+  </head>
+
+  <body class="h-full">
+    <%= render partial: "navbar" %>
+
+    <%= turbo_frame_tag :alert do %>
+      <%= render Maquina::Application::Alert.new(flash) %>
+    <% end %>
+
+    <main class="container mx-auto mt-24">
+      <%= yield %>
+    </main>
+  </body>
+</html>