masks 0.2.0

data/app/assets/javascripts/application.js

@@ -0,0 +1,2 @@
+import "@hotwired/turbo-rails";
+import "./controllers";

data/app/assets/javascripts/controllers/application.js

@@ -0,0 +1,9 @@
+import { Application } from "@hotwired/stimulus";
+
+const application = Application.start();
+
+// Configure Stimulus development experience
+application.debug = false;
+window.Stimulus = application;
+
+export { application };

data/app/assets/javascripts/controllers/emails_controller.js

@@ -0,0 +1,28 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return ["email", "password", "submit"];
+  }
+
+  connect() {
+    this.email = this.emailTarget.value;
+    this.pass = this.passwordTarget.value;
+
+    this.syncState();
+  }
+
+  updateEmail(e) {
+    this.email = e.target.value;
+    this.syncState();
+  }
+
+  updatePassword(e) {
+    this.pass = e.target.value;
+    this.syncState();
+  }
+
+  syncState() {
+    this.submitTarget.disabled = !this.email?.includes("@") || !this.pass;
+  }
+}

data/app/assets/javascripts/controllers/index.js

@@ -0,0 +1,12 @@
+import { application } from "./application";
+
+import SessionController from "./session_controller";
+import RecoverController from "./recover_controller";
+import RecoverPasswordController from "./recover_password_controller";
+import EmailsController from "./emails_controller";
+import KeysController from "./keys_controller";
+application.register("session", SessionController);
+application.register("recover", RecoverController);
+application.register("recover-password", RecoverPasswordController);
+application.register("emails", EmailsController);
+application.register("keys", KeysController);

data/app/assets/javascripts/controllers/keys_controller.js

@@ -0,0 +1,20 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return ["settings"];
+  }
+
+  connect() {
+    // this.email = this.;emailTarget.value;
+    // this.pass = this.passwordTarget.value;
+    // this.syncState();
+  }
+
+  toggleSettings(e) {
+    this.settingsTarget.classList.toggle("hidden");
+
+    e.preventDefault();
+    e.stopPropagation();
+  }
+}

data/app/assets/javascripts/controllers/recover_controller.js

@@ -0,0 +1,21 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return ["input", "submit"];
+  }
+
+  connect() {
+    this.input = this.inputTarget.value;
+    this.syncState();
+  }
+
+  updateInput(e) {
+    this.input = e.target.value;
+    this.syncState();
+  }
+
+  syncState() {
+    this.submitTarget.disabled = !this.input?.length;
+  }
+}

data/app/assets/javascripts/controllers/recover_password_controller.js

@@ -0,0 +1,21 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return ["password", "submit"];
+  }
+
+  connect() {
+    this.password = this.passwordTarget.value;
+    this.syncState();
+  }
+
+  updatePassword(e) {
+    this.password = e.target.value;
+    this.syncState();
+  }
+
+  syncState() {
+    this.submitTarget.disabled = !this.password?.length;
+  }
+}

data/app/assets/javascripts/controllers/session_controller.js

@@ -0,0 +1,94 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return [
+      "nickname",
+      "oneTimeCode",
+      "backupCode",
+      "password",
+      "submit",
+      "remember",
+      "flash",
+    ];
+  }
+
+  connect() {
+    this.session = this.hasNicknameTarget
+      ? {
+          nickname: this.nicknameTarget.value,
+          password: this.passwordTarget.value,
+        }
+      : {};
+
+    if (this.hasOneTimeCodeTarget) {
+      this.session.code = this.oneTimeCodeTarget.value;
+      this.session.factor2 = true;
+    }
+
+    if (this.hasBackupCodeTarget) {
+      this.session.code = this.backupCodeTarget.value;
+      this.session.factor2 = true;
+    }
+
+    this.syncState();
+  }
+
+  updateCode(e) {
+    this.session.code = e.target.value;
+    this.syncState();
+  }
+
+  updateNickname(e) {
+    this.session.nickname = e.target.value;
+    this.syncState();
+  }
+
+  updatePassword(e) {
+    this.session.password = e.target.value;
+    this.syncState();
+  }
+
+  syncState() {
+    this.submitTarget.classList.add("btn-accent");
+
+    let flash;
+
+    if (this.session.nickname && this.session.password) {
+      this.submitTarget.disabled = false;
+      this.rememberTarget.classList.remove("hidden");
+
+      flash = "continue";
+    } else if (this.session.factor2) {
+      const disabled = (this.session.code?.length || 0) < 6;
+      this.submitTarget.disabled = disabled;
+
+      if (disabled) {
+        this.rememberTarget.classList.add("hidden");
+      } else {
+        this.rememberTarget.classList.remove("hidden");
+      }
+
+      flash = "enter-factor2";
+    } else {
+      this.submitTarget.disabled = true;
+      this.rememberTarget.classList.add("hidden");
+
+      if (this.session.nickname) {
+        flash = "enter-password";
+      } else {
+        flash = "enter-credentials";
+      }
+    }
+
+    if (flash) {
+      for (let el of this.flashTarget.querySelectorAll("[data-flash]")) {
+        if (el.dataset.flash == flash) {
+          el.classList.remove("hidden");
+        } else {
+          el.classList.add("hidden");
+        }
+      }
+    }
+  }
+}

data/app/assets/manifest.js

@@ -0,0 +1,2 @@
+//= link_tree ../builds
+//= link_tree ../images

data/app/assets/masks_manifest.js

@@ -0,0 +1,2 @@
+//= link_tree ../builds
+//= link_tree ../images

data/app/assets/stylesheets/application.css

@@ -0,0 +1,26 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+.pagination {
+  @apply flex gap-2 items-center justify-center p-4;
+}
+
+.pagination .page {
+  @apply btn btn-sm;
+}

data/app/controllers/concerns/masks/controller.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module Masks
+  # Helpers for interacting with Masks in Rails controllers.
+  #
+  # @see ClassMethods
+  module Controller
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Require a session masked by the type passed.
+      #
+      # If this fails +unathorized_access+ is called.
+      #
+      # @param [Symbol|String] type
+      # @param [Hash] opts forwarded to +before_action+
+      def require_mask(type: nil, **opts)
+        before_action(
+          :unauthorized_access,
+          unless: -> { masked?(type:) },
+          **opts
+        )
+      end
+
+      # Builds an access object by the passed name, if allowed.
+      #
+      # If this succeeds, the controller instance's +current_access+ will return
+      # the constructed access class.  Otherwise, on failure the
+      # +unathorized_access+ method is called.
+      #
+      # @example
+      #   class MyController < ApplicationController
+      #     include Masks::Controller
+      #
+      #     require_access 'my.example', only: :index
+      #
+      #     # this action is only called if the session is
+      #     # able to build the "my.example" access class.
+      #     def index
+      #       render json: {
+      #         foobar: current_access.foo_bar
+      #       }
+      #     end
+      #   end
+      #
+      # @param [Symbol|String] name
+      # @param [Hash] opts forwarded to +before_action+
+      def require_access(name, **opts)
+        before_action(
+          :unauthorized_access,
+          unless: -> { build_access(name) },
+          **opts
+        )
+      end
+    end
+
+    protected
+
+    def passed?
+      current_actor && masked_session.passed?
+    end
+
+    def unauthorized_access
+      render plain: "", status: :unauthorized
+    end
+
+    # Returns the current masks session for the request.
+    #
+    # @return [Masks::Session]
+    # @visibility public
+    def masked_session
+      @masked_session ||= request.env[Masks::Middleware::SESSION_KEY]
+    end
+
+    # Returns the mask for the request.
+    #
+    # @return [Masks::Mask]
+    # @visibility public
+    def current_mask
+      masked_session.mask
+    end
+
+    # Returns the mask for the request.
+    #
+    # @return [Masks::Actor]
+    # @visibility public
+    def current_actor
+      masked_session.scoped
+    end
+
+    # Returns the mask for the request.
+    #
+    # @return [Masks::Access]
+    # @visibility public
+    def current_access
+      @current_access
+    end
+
+    def build_access(name)
+      @current_access = Masks.access(name, masked_session)
+    rescue Masks::Error::Unauthorized
+      false
+    end
+
+    def masked?(type: nil)
+      if type &&
+           !Array.wrap(type).map(&:to_s).include?(masked_session.mask.type)
+        false
+      else
+        masked_session.passed?
+      end
+    end
+  end
+end

data/app/controllers/masks/actors_controller.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class ActorsController < ApplicationController
+    require_mask type: %i[session api], only: :current
+
+    def current
+      respond_to do |format|
+        format.json { render json: ActorResource.new(current_actor) }
+        format.html { render(:current) }
+      end
+    end
+  end
+end

data/app/controllers/masks/application_controller.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class ApplicationController < ActionController::Base
+    include Masks::Controller
+    include Pagy::Backend
+
+    before_action :assign_session
+
+    skip_before_action :verify_authenticity_token, if: :json_request?
+
+    protect_from_forgery with: :exception
+
+    private
+
+    def json_request?
+      request.format.symbol == :json
+    end
+
+    def assign_session
+      @session = masked_session
+      @config = @session.config
+      @actor = @session.actor
+    end
+
+    def require_sudo(redirect)
+      return if current_mask.type == "sudo" && passed?
+
+      flash[:errors] = ["enter a valid password"]
+
+      redirect_to redirect
+    end
+  end
+end

data/app/controllers/masks/backup_codes_controller.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class BackupCodesController < ApplicationController
+    require_mask type: :session, only: :new
+    before_action only: %i[create] do
+      require_sudo(backup_codes_path)
+    end
+
+    def new
+      respond_to { |format| format.html { render(:new) } }
+    end
+
+    def create
+      if create_params[:reset]
+        @actor.saved_backup_codes_at = nil
+        @actor.backup_codes = nil
+        @actor.save
+      elsif create_params[:enable]
+        @actor.saved_backup_codes_at = Time.current
+        @actor.save
+      end
+
+      respond_to { |format| format.html { redirect_to backup_codes_path } }
+    end
+
+    private
+
+    def create_params
+      params.require(:backup_codes).permit(:reset, :enable)
+    end
+  end
+end

data/app/controllers/masks/debug_controller.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Masks
+  class DebugController < ApplicationController
+    def show
+      render json: { session: session.to_h }
+    end
+  end
+end

data/app/controllers/masks/devices_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class DevicesController < ApplicationController
+    require_mask type: :session, only: :update
+
+    def update
+      device =
+        masked_session.config.find_device(masked_session, key: params[:key])
+
+      if device&.persisted? && params[:reset]
+        device.reset_version
+        device.save!
+      end
+
+      redirect_back_or_to "/"
+    end
+  end
+end

data/app/controllers/masks/emails_controller.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class EmailsController < ApplicationController
+    require_mask type: :session, only: :new
+    before_action :require_sudo, only: :create
+
+    def new
+      @emails = current_actor.emails
+
+      respond_to { |format| format.html { render(:new) } }
+    end
+
+    def create
+      @email = current_actor.emails.build(email: email_param.strip)
+
+      if @email.valid?
+        @email.notify!(masked_session)
+      else
+        flash[:errors] = @email.errors.full_messages
+      end
+
+      respond_to { |format| format.html { redirect_to emails_path } }
+    end
+
+    def notify
+      @email = current_actor.emails.find_by(email: email_param.strip)
+      @email.notify!(masked_session) if @email.expired?
+
+      respond_to { |format| format.html { redirect_to emails_path } }
+    end
+
+    def delete
+      @email = current_actor.emails.find_by(email: email_param)
+      @email&.destroy
+
+      respond_to { |format| format.html { redirect_to emails_path } }
+    end
+
+    def verify
+      @email = current_actor.emails.find_by(token: params[:email])
+      @email&.verify! if @email&.valid?
+    end
+
+    private
+
+    def email_param
+      params.dig(:email, :value)
+    end
+
+    def require_sudo
+      return if current_mask.type == "sudo" && passed?
+
+      flash[:errors] = ["enter a valid password"]
+
+      redirect_to emails_path
+    end
+  end
+end

data/app/controllers/masks/error_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class ErrorController < ApplicationController
+    def render_unauthorized
+      render plain: "", status: 401
+    end
+
+    def redirect
+      redirect_to masked_session.mask.fail
+    end
+  end
+end

data/app/controllers/masks/keys_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  class KeysController < ApplicationController
+    require_mask type: :session
+
+    def new
+      @keys = current_actor.keys
+    end
+
+    def create
+      key =
+        current_actor.keys.build(
+          name: create_params[:name],
+          secret: create_params[:secret]&.presence,
+          scopes: create_params[:scopes]
+        )
+      key.save
+
+      if key.valid?
+        flash[:key] = { name: key.name, secret: key.secret }
+      else
+        flash[:error] = key.errors.full_messages.first
+      end
+
+      redirect_back_or_to keys_path
+    end
+
+    def delete
+      key = current_actor.keys.find(params[:id])
+      key.destroy
+
+      flash[:notice] = "#{key.name} destroyed" if key.destroyed?
+
+      redirect_back_or_to "/"
+    end
+
+    private
+
+    def create_params
+      params.require(:key).permit(:name, :secret, scopes: [])
+    end
+  end
+end

data/app/controllers/masks/manage/actor_controller.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class ActorController < BaseController
+      before_action :find_actor
+
+      def update
+        Masks::Rails::Actor.transaction do
+          if params[:add_scope]
+            @actor.assign_scopes!(params[:add_scope])
+            flash[:info] = "added scope"
+          elsif params[:remove_scope]
+            @actor.remove_scopes!(params[:remove_scope])
+            flash[:info] = "removed scope"
+          elsif params[:remove_factor2]
+            @actor.remove_factor2! if params[:remove_factor2]
+            flash[:info] = "removed second factor authentication"
+          end
+
+          redirect_to actor_path(@actor)
+        end
+
+        @actor
+      end
+
+      private
+
+      def find_actor
+        @actor = Masks::Rails::Actor.find(params[:actor])
+      end
+    end
+  end
+end

data/app/controllers/masks/manage/actors_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class ActorsController < BaseController
+      def index
+        @pagy, @actors = pagy(Masks::Rails::Actor.all)
+      end
+    end
+  end
+end

data/app/controllers/masks/manage/base_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class BaseController < ApplicationController
+      # require_mask type: :manage
+
+      layout "masks/manage"
+    end
+  end
+end