masks 0.2.0

data/app/views/masks/sessions/new.html.erb

@@ -0,0 +1,153 @@
+<div data-controller="session">
+  <%= form_with url: session_path, method: :post do |form| %>
+    <div role="alert" class="alert mb-4 text-left" data-session-target="flash">
+      <% if flash[:errors]&.any? && !factor2_required? %>
+        <div class="flex items-center gap-4">
+          <%= lucide_icon("shield-x", class: "stroke-error") %>
+          <span><%= flash[:errors][0] %></span>
+        </div>
+      <% elsif logged_in? %>
+        <div class="flex items-center gap-4">
+          <%= lucide_icon("check", class: "stroke-success") %>
+          <span><%= t(".logged_in") %></span>
+        </div>
+      <% else %>
+        <div data-flash="enter-factor2" class="hidden flex items-center gap-4">
+          <%= lucide_icon("key-square", class: "stroke-warning") %>
+          <span><%= t(".enter_factor2") %></span>
+        </div>
+        <div data-flash="enter-credentials" class="flex items-center gap-4">
+          <%= lucide_icon("shield-alert", class: "stroke-warning") %>
+          <span><%= t(".enter_credentials") %></span>
+        </div>
+        <div data-flash="enter-password" class="hidden flex items-center gap-4">
+          <%= lucide_icon("shield-ellipsis", class: "stroke-warning") %>
+          <span><%= t(".enter_password") %></span>
+        </div>
+        <div data-flash="continue" class="hidden flex items-center gap-4">
+          <%= lucide_icon("shield-question", class: "stroke-accent") %>
+          <span><%= t(".continue") %></span>
+        </div>
+      <% end %>
+    </div>
+
+    <% if factor2_required? %>
+      <div class="w-full">
+        <div role="tablist" class="tabs tabs-bordered mb-4">
+          <% if @actor.totp_secret %>
+            <input
+              checked
+              name="factor2"
+              type="radio"
+              role="tab"
+              class="tab whitespace-nowrap"
+              aria-label="<%= t('.tab.one_time_code') %>"
+            />
+            <div role="tabpanel" class="tab-content p-4 bg-base-100 rounded-b">
+              <p class="flex items-center gap-4 text-sm mb-4">
+                <%= lucide_icon("qr-code") %>
+                <%= t(".one_time_code") %>
+              </p>
+              <label class="form-control w-full">
+                <input
+                  type="text"
+                  data-action="session#updateCode"
+                  data-session-target="oneTimeCode"
+                  placeholder="<%= t('.placeholder.one_time_code') %>"
+                  name="session[one_time_code]"
+                  class="input input-bordered w-full"
+                />
+              </label>
+            </div>
+          <% end %>
+
+          <% if @actor.saved_backup_codes? %>
+            <input
+              type="radio"
+              name="factor2"
+              role="tab"
+              class="tab whitespace-nowrap"
+              aria-label="<%= t('.tab.backup_code') %>"
+            />
+            <div role="tabpanel" class="tab-content p-4 bg-base-100 rounded-b">
+              <p class="flex items-center gap-4 text-sm mb-4">
+                <%= lucide_icon("rotate-cw") %>
+                <%= t(".backup_code") %>
+              </p>
+              <label class="form-control w-full">
+                <input
+                  type="text"
+                  data-action="session#updateCode"
+                  data-session-target="backupCode"
+                  placeholder="<%= t('.placeholder.backup_code') %>"
+                  name="session[backup_code]"
+                  class="input input-bordered w-full"
+                />
+              </label>
+            </div>
+          <% end %>
+        </div>
+      </div>
+    <% elsif !logged_in? %>
+      <div class="flex flex-col gap-2">
+        <label class="form-control w-full">
+          <input
+            type="text"
+            data-action="session#updateNickname"
+            data-session-target="nickname"
+            placeholder="<%= t('.placeholder.nickname') %>"
+            name="session[nickname]"
+            class="input input-bordered w-full"
+          />
+        </label>
+        <label class="form-control w-full">
+          <input
+            type="password"
+            data-action="session#updatePassword"
+            data-session-target="password"
+            placeholder="<%= t('.placeholder.password') %>"
+            name="session[password]"
+            class="input input-bordered w-full"
+          />
+          <% if @config.site_links[:recover] %>
+            <div class="label">
+              <span class="label-text-alt opacity-60 hover:opacity-100"><a
+                  class="hover:underline"
+                  href="<%= @config.site_links[:recover] %>"
+                ><%= t(".recover_credentials") %></a></span>
+            </div>
+          <% end %>
+        </label>
+      </div>
+    <% end %>
+
+
+    <% unless logged_in? %>
+    <div class="flex items-center gap-4">
+      <%= form.submit t(".submit"),
+                  class: "btn btn-active",
+                  data: {
+                    session_target: "submit",
+                  } %>
+      <div class="form-control" data-session-target="remember">
+        <label class="label cursor-pointer">
+          <input type="checkbox" name="session[remember_me]" class="toggle toggle-sm"/>
+          <span class="label-text pl-2"><%= t(".remember_me") %></span>
+        </label>
+      </div>
+    </div>
+    <% end %>
+  <% end %>
+
+  <% if factor2_required? %>
+    <div class="mt-2 opacity-60 hover:opacity-100">
+      <%= form_with url: session_path, method: :delete do |form| %>
+        <span class="text-xs">
+          <%= t(".start_over.text") %>
+          <%= form.submit t(".start_over.link"), class: "cursor-pointer underline" %>
+        </span>
+
+      <% end %>
+    </div>
+  <% end %>
+</div>

data/config/brakeman.ignore

@@ -0,0 +1,28 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Request Forgery",
+      "warning_code": 7,
+      "fingerprint": "2c0ec97f978f7a612f1fa0567846c86ec02c072be7784e4c707fd4ba81fe5021",
+      "check_name": "ForgerySetting",
+      "message": "`protect_from_forgery` should be called in `ApplicationController`",
+      "file": "dummy/app/controllers/application_controller.rb",
+      "line": 1,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
+      "code": null,
+      "render_path": null,
+      "location": {
+        "type": "controller",
+        "controller": "ApplicationController"
+      },
+      "user_input": null,
+      "confidence": "High",
+      "cwe_id": [
+        352
+      ],
+      "note": ""
+    }
+  ],
+  "updated": "2024-02-07 16:03:41 -0500",
+  "brakeman_version": "6.1.2"
+}

data/config/locales/en.yml

@@ -0,0 +1,286 @@
+# Files in the config/locales directory are used for internationalization and
+# are automatically loaded by Rails. If you want to use locales other than
+# English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t "hello"
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t("hello") %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more about the API, please read the Rails Internationalization guide
+# at https://guides.rubyonrails.org/i18n.html.
+#
+# Be aware that YAML interprets the following case-insensitive strings as
+# booleans: `true`, `false`, `on`, `off`, `yes`, `no`. Therefore, these strings
+# must be quoted to be interpreted as strings. For example:
+#
+#     en:
+#       "yes": yup
+#       enabled: "ON"
+
+en:
+  layouts:
+    masks:
+      application:
+        meta:
+          title: masks
+      manage:
+        meta:
+          title: masks
+  masks:
+    application:
+      header:
+        logged_in: welcome
+    actor_mailer:
+      recover_credentials:
+        recover: reset password
+        nickname: your nickname
+        subheading: hey there, you recently requested help recovering your credentials...
+        call_to_action: your username is listed above. you can reset your password if you forgot it.
+        sign_off: reply to this email if you need more help. cheers
+      verify_email:
+        subject: verify your email - things
+        heading: verify your email
+        subheading: |
+          hey there, you recently added this email to your account. you must verify it's yours by pressing the button below...
+        subheading_plain: |
+          hey there, you recently added this email to your account. you must verify it's yours by visiting the link below...
+        call_to_action: once verified, this email will be usable future logins and account recovery.
+        sign_off: thanks
+        verify: "verify"
+        verify_plain: "verify here — "
+        added: added
+    actors:
+      current:
+        emails:
+          zero: no emails found
+          one: "%{email}"
+          other: "%{email}"
+        add_email: add...
+        add_more_email: add more...
+        change_password: change your password...
+        credentials: credentials
+        password: password
+        one_time_codes: one-time code
+        backup_codes: backup codes
+        created: created
+        manage: manage...
+        enable: enable...
+        logout: logout
+        never_logged_in: never...
+        last_accessed: last accessed
+        last_login: last login
+        ago: ago
+        devices: devices
+        change: change...
+        keys: keys
+        add_key: add...
+        add_more_key: add more...
+
+    passwords:
+      edit:
+        placeholder:
+          password: your current password...
+          change: your new password...
+        submit: change
+    one_time_code:
+      new:
+        tfa: secondary credential
+        disabled: disabled
+        enabled: enabled
+        enable_qr: to enable, scan this qr code into your authenticator app.
+        enable_manual: you can also enter the secret manually.
+        heading: one-time code
+        empty_detail: you must enable two-factor authentication to use backup codes.
+        disabled_heading: add a one-time password
+        placeholder:
+          otp: one-time code...
+          password: your password...
+          delete: enter your password...
+        secret: secret
+        submit: enable
+        delete: disable
+        delete_div: disable one-time code
+        backup_codes: save backup codes...
+        reset_codes: view backup codes...
+    backup_codes:
+      new:
+        tfa: secondary credential
+        disabled: disabled
+        enabled: enabled
+        heading: backup codes
+        empty_detail: backup codes are available once you add a secondary credential, like a one-time code.
+        disabled_heading: backup codes are disabled
+        save_codes: save your 10-digit backup codes somewhere safe, then press enable to use them as another secondary credential...
+        reset_codes: press delete to disable backup codes. afterward you can generate a new set of codes.
+        download: download
+        enable: enable
+        delete: delete
+        placeholder:
+          password: enter your password...
+    emails:
+      verify:
+        verified: verified!
+        verification_expired: email verification link expired
+        card_title: how verified emails work...
+        details: |
+          you can use your newly verified email:
+        list_html: |
+          <li>instead of your nickname during login
+          <li>for password-less login via email links
+          <li>to recover your nickname or password
+        privacy: your emails will never be shared.
+        manage: to manage it and others...
+        manage_expired: to try again...
+        added: manage it in
+        emails: view your emails
+      new:
+        page: your email
+        placeholder:
+          email:
+            zero: enter a new email address...
+            one: enter another email address...
+            other: enter another email address...
+          password: enter your password...
+        heading: no emails found
+        no_emails: no emails added
+        no_emails_detail: your email can act as an alternate way to access and recover your account.
+        heading_new:
+          zero: no emails found
+          one: your email
+          other: your emails
+        help_title: how it works
+        help_body: if you enter valid information you will be contacted with instructions to recover your credentials.
+        help_more: need more help?
+        help_contact: contact support
+        help_button: "help"
+        support_url:
+        submit: add
+        back: go back...
+        email_verified: verified %{ago} ago
+        email_taken: email already taken.
+        pending_verification: awaiting verification...
+        expired_verification: verification expired.
+        add: add an email...
+    keys:
+      new:
+        heading: your keys
+        added: allow automated tools to act on your behalf...
+        page: your key
+        placeholder:
+          name: enter a name...
+          password: enter your password...
+          secret: leave blank to generate a secret...
+        no_keys_detail: keys allow automated tools to act on your behalf...
+        heading_new:
+          zero: no keys found
+          one: your key
+          other: your keys
+        help_title: how it works
+        help_body: if you enter valid information you will be contacted with instructions to recover your credentials.
+        help_more: need more help?
+        help_contact: contact support
+        help_button: "help"
+        support_url:
+        submit: make key
+        back: go back...
+        key_verified: verified %{ago} ago
+        key_taken: key already taken.
+        pending_verification: awaiting verification...
+        expired_verification: verification expired.
+        add: add key
+    recoveries:
+      password:
+        placeholder: new password...
+        heading: reset your password
+        heading_success: password reset
+        heading_expired: password reset expired
+        subheading: enter a new password. you can use it to login to your account after it's changed...
+        subheading_success: your password has been changed. you can login using the password you just entered.
+        subheading_expired: this password reset link is expired or invalid.
+        help_title: how it works
+        help_body: if you enter valid information you will be contacted with instructions to recover your credentials.
+        help_more: need more help?
+        help_contact: contact support
+        help_button: "help"
+        support_url:
+        submit: reset
+        login: back to login
+      new:
+        placeholder: nickname, email or phone...
+        heading: recover your credentials
+        subheading: enter a nickname, email, or phone number associated with your account to recover your credentials...
+        help_title: how it works
+        help_body: if you enter valid information you will be contacted with instructions to recover your credentials.
+        help_more: need more help?
+        help_contact: contact support
+        help_button: "help"
+        support_url:
+        submit: recover
+        back: go back...
+        submitted:
+          heading: check your notifications...
+          description: if you have an account with us you'll receive an email or message on your phone with instructions on how to recover your account.
+    sessions:
+      new:
+        submit: continue
+        remember_me: remember me
+        start_over:
+          text: or
+          link: start over...
+        or_start_over: or
+        recover_credentials: "forgot your credentials?"
+        enter_factor2: enter a secondary credential to continue...
+        enter_credentials: "enter your credentials to continue..."
+        enter_password: "enter your password to continue..."
+        continue: "press continue to access things..."
+        one_time_code: enter a 6-digit one-time code from your authenticator app...
+        backup_code: enter one of your saved 10-digit backup codes...
+        logged_in: welcome!
+        tab:
+          one_time_code: one-time code
+          backup_code: backup code
+        placeholder:
+          nickname: nickname, email, or phone number...
+          password: password...
+          one_time_code: one-time code...
+          backup_code: backup code...
+  activerecord:
+    attributes:
+      masks/rails/actor:
+        nickname: nickname
+        password: password
+        signup: invalid
+      masks/rails/email:
+        email: email
+      masks/rails/key:
+        name: name
+        secret: secret
+        scopes: scopes
+    errors:
+      models:
+        masks/rails/actor:
+          format: is invalid
+          attributes:
+            signup:
+              disabled: credentials...
+  activemodel:
+    attributes:
+      masks/credentials/password:
+        password: password
+      masks/credentials/nickname:
+        nickname: nickname
+    errors:
+      models:
+        masks/session:
+          credentials: invalid credentials...
+          access: invalid access...

data/config/routes.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+Masks::Engine.routes.draw do
+  get "/debug", to: "debug#show" if Rails.env.development?
+
+  # signup/login
+  get "session", to: "sessions#new", as: :session
+  post "session", to: "sessions#create"
+  delete "session", to: "sessions#destroy"
+
+  # recover credentials
+  get "recover", to: "recoveries#new", as: :recover
+  post "recover", to: "recoveries#create"
+  get "recovery", to: "recoveries#password", as: :recover_password
+  post "recovery", to: "recoveries#reset"
+
+  # manage account details, password, etc
+  get "me", to: "actors#current", as: :current
+  get "password", to: "passwords#edit", as: :password
+  post "password", to: "passwords#update"
+  post "device/:key", to: "devices#update", as: :device
+
+  # manage emails
+  get "emails", to: "emails#new", as: :emails
+  post "emails", to: "emails#create"
+  patch "emails", to: "emails#notify"
+  delete "emails", to: "emails#delete"
+  get "email/:email/verify", to: "emails#verify", as: :email_verify
+
+  # keys
+  get "keys", to: "keys#new", as: :keys
+  post "keys", to: "keys#create"
+  delete "keys", to: "keys#delete"
+
+  # manage 2nd factor options
+  get "one-time-codes", to: "one_time_code#new", as: :one_time_code
+  post "one-time-codes", to: "one_time_code#create"
+  delete "one-time-codes", to: "one_time_code#destroy"
+  get "backup-codes", to: "backup_codes#new", as: :backup_codes
+  post "backup-codes", to: "backup_codes#create"
+
+  # managers-only section
+  get "actors", to: "manage/actors#index", as: :actors
+  get "actors/:actor", to: "manage/actor#show", as: :actor
+  patch "actors/:actor", to: "manage/actor#update"
+end

data/db/migrate/20231205173845_create_actors.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+class CreateActors < ActiveRecord::Migration[7.1]
+  def change
+    create_table :actors do |t|
+      t.string :type
+      t.string :nickname
+      t.string :version
+      t.string :password_digest
+      t.string :phone_number
+      t.string :totp_secret
+      t.text :backup_codes
+
+      t.timestamps
+      t.datetime :last_login_at
+      t.datetime :changed_password_at
+      t.datetime :added_phone_number_at
+      t.datetime :added_totp_secret_at
+      t.datetime :saved_backup_codes_at
+      t.datetime :notified_inactive_at
+
+      t.index :nickname, unique: true
+    end
+
+    create_table :scopes do |t|
+      t.string :name
+      t.references :actor, polymorphic: true
+      t.index %i[name actor_id], unique: true
+      t.timestamps
+    end
+
+    create_table :roles do |t|
+      t.string :type
+      t.references :actor, polymorphic: true
+      t.references :record, polymorphic: true
+      t.timestamps
+    end
+
+    add_index :roles,
+              %i[type actor_id actor_type record_id record_type],
+              unique: true
+
+    create_table :emails do |t|
+      t.string :email
+      t.string :token
+      t.references :actor
+      t.boolean :verified, null: true
+      t.datetime :verified_at
+      t.datetime :notified_at
+      t.timestamps
+
+      t.index %i[email verified], unique: true
+      t.index %i[token], unique: true
+    end
+
+    create_table :recoveries do |t|
+      t.string :token
+      t.string :nickname, null: true
+      t.string :email, null: true
+      t.string :phone, null: true
+      t.references :actor
+      t.datetime :notified_at
+      t.timestamps
+
+      t.index %i[token actor_id], unique: true
+    end
+
+    create_table :devices do |t|
+      t.string :key
+      t.string :user_agent
+      t.string :ip_address
+      t.string :fingerprint
+      t.string :version
+
+      t.references :actor
+      t.datetime :accessed_at
+      t.timestamps
+
+      t.index %i[key actor_id], unique: true
+    end
+
+    create_table :keys do |t|
+      t.string :name
+      t.string :sha
+      t.text :scopes
+
+      t.references :actor
+      t.timestamps
+      t.datetime :accessed_at
+
+      t.index %i[sha], unique: true
+    end
+  end
+end

data/lib/generators/masks/install/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Explain the generator
+
+Example:
+    bin/rails generate install Thing
+
+    This will create:
+        what/will/it/create

data/lib/generators/masks/install/install_generator.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Masks
+  # Generator for +rails g masks:install+.
+  class InstallGenerator < ::Rails::Generators::Base
+    source_root File.expand_path("templates", __dir__)
+
+    def add_routing
+      route 'mount Masks::Engine => "/"'
+    end
+
+    def copy_initializer_file
+      copy_file "initializer.rb", "config/initializers/masks.rb"
+    end
+
+    def copy_masks_json
+      copy_file "masks.json", "masks.json"
+    end
+
+    def add_migrations
+      if yes?("generate migrations for masks?")
+        rails_command "masks:install:migrations"
+      else
+        puts
+        puts 'run "rails masks:install:migrations" to add them later on...'
+      end
+
+      puts
+      puts "[masks] welcome!"
+      puts "[masks] visit https://masks.geiger.to for more information."
+    end
+  end
+end

data/lib/generators/masks/install/templates/initializer.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Masks.configure do |config|
+  # see https://masks.geiger.to/get-started for configuration options
+end

data/lib/generators/masks/install/templates/masks.json

@@ -0,0 +1,6 @@
+{
+  "name": "<%= Rails.application.name %>",
+  "url": "http://localhost:3000",
+  "extend": "masks",
+  "masks": []
+}