metadata_presenter 3.3.23 → 3.3.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6854382610b99865f2af30a38c5807393211a160d3ab4af1000964daf082caa9
-  data.tar.gz: 6c9cd5e2ecd9c4057cb59f12fdc34fb551398b490f52f020cea167838011f6f8
+  metadata.gz: 347d89c1a6cf428040954bdf744f2fd80ff50b8b85648f83a38b53efd21beb33
+  data.tar.gz: a864615ca521f51976b454f4a3c13b7f0ab06859405317ed3ff81bb04fee96df
 SHA512:
-  metadata.gz: b9924fc2c8e9b45e8f75468b474c166f78251faa4083d060acacff409c0a96da4b3be773d87970f13affa03d81ebda56c06a071dc7d897ca90254c395ebedf13
-  data.tar.gz: 0261d65fac2f0f0a07236abe4cfad1fdf06b3199ddebb4ad2c408597ae90bf2c46f08ff7ab1af18137f177ed7cd40d64c393e4599f7f167236032a1e0398b40f
+  metadata.gz: 045eab0af5c54c631ea1a5783270fa2ce154a467c9db61082022fd0800f4b6a376c70d676bfdbd874fc31d1d6b9b75dc932dcbe4f3ef48b39b4bf100848c3c4e
+  data.tar.gz: 1693be15f68a6c59d597379e4dbc51930a09dc527d25bf787322ea72645e3517723b2303b25d5054bf495e6c75ffbd78d9067ce35a9938eece7884d2c901c2c3

data/app/controllers/metadata_presenter/auth_controller.rb

@@ -0,0 +1,48 @@
+module MetadataPresenter
+  class AuthController < EngineController
+    PRODUCTION_ENVS = %w[test-production live-production].freeze
+
+    skip_before_action :require_basic_auth
+    before_action :check_session_is_authorised
+
+    def show
+      @auth_form = AuthForm.new
+    end
+
+    def create
+      @auth_form = AuthForm.new(auth_params)
+
+      if @auth_form.valid?
+        authorised_session!
+        redirect_to root_path
+      else
+        render :show
+      end
+    end
+
+    private
+
+    def allow_analytics?
+      false
+    end
+
+    def show_cookie_request?
+      false
+    end
+
+    def check_session_is_authorised
+      redirect_to root_path if session_authorised?
+    end
+
+    def production_env?
+      PRODUCTION_ENVS.include?("#{ENV['PLATFORM_ENV']}-#{ENV['DEPLOYMENT_ENV']}")
+    end
+    helper_method :production_env?
+
+    def auth_params
+      params.require(:auth_form).permit(
+        :username, :password
+      )
+    end
+  end
+end

data/app/controllers/metadata_presenter/engine_controller.rb

@@ -6,7 +6,11 @@ module MetadataPresenter
     default_form_builder GOVUKDesignSystemFormBuilder::FormBuilder
 
     around_action :switch_locale
-    before_action :show_maintenance_page
+    before_action :show_maintenance_page, :require_basic_auth
+
+    def require_basic_auth
+      redirect_to auth_path unless session_authorised?
+    end
 
     def reload_user_data
       # :nocov:
@@ -124,6 +128,18 @@ module MetadataPresenter
       ENV['MAINTENANCE_MODE'].present? && ENV['MAINTENANCE_MODE'] == '1'
     end
 
+    def session_authorised?
+      return true if ENV['BASIC_AUTH_USER'].blank? || ENV['BASIC_AUTH_PASS'].blank?
+
+      !!cookies.signed[:_fb_authorised]
+    end
+
+    def authorised_session!
+      cookies.signed[:_fb_authorised] = {
+        value: 1, same_site: :strict, httponly: true
+      }
+    end
+
     def external_or_relative_link(link)
       uri = URI.parse(link)
       return link if uri.scheme.present? && uri.host.present?

data/app/controllers/metadata_presenter/resume_controller.rb

@@ -4,6 +4,8 @@ module MetadataPresenter
 
     helper_method :get_service_name, :get_uuid, :pages_presenters
 
+    skip_before_action :require_basic_auth
+
     def return
       response = get_saved_progress(get_uuid)
 
@@ -49,6 +51,9 @@ module MetadataPresenter
 
         invalidate_record(@saved_form.id)
 
+        # authorise user as to not ask them again for credentials, if set
+        authorised_session! unless session_authorised?
+
         if @saved_form.service_version == service.version_id
           redirect_to '/resume_progress' and return
         else

data/app/controllers/metadata_presenter/session_controller.rb

@@ -1,5 +1,7 @@
 module MetadataPresenter
   class SessionController < EngineController
+    skip_before_action :require_basic_auth
+
     def expired; end
 
     def complete; end

data/app/models/metadata_presenter/auth_form.rb

@@ -0,0 +1,33 @@
+module MetadataPresenter
+  class AuthForm
+    include ActiveModel::Model
+
+    attr_accessor :username, :password
+
+    validates :username, :password,
+              presence: true, allow_blank: false
+
+    validate :valid_credentials
+
+    private
+
+    def valid_credentials
+      errors.add(:base, :unauthorised) unless errors.any? || authorised?
+    end
+
+    def authorised?
+      # This comparison uses & so that it doesn't short circuit and
+      # uses `secure_compare` so that length information isn't leaked.
+      ActiveSupport::SecurityUtils.secure_compare(env_username, username) &
+        ActiveSupport::SecurityUtils.secure_compare(env_password, password)
+    end
+
+    def env_username
+      ENV['BASIC_AUTH_USER'].to_s
+    end
+
+    def env_password
+      ENV['BASIC_AUTH_PASS'].to_s
+    end
+  end
+end

data/app/models/metadata_presenter/page_answers.rb

@@ -146,7 +146,7 @@ module MetadataPresenter
     end
 
     def sanitize_filename(answer)
-      sanitize(filename(update_filename(answer)))
+      sanitize(filename(normalise_file_extension(answer)))
     end
 
     def filename(path)
@@ -165,15 +165,17 @@ module MetadataPresenter
       filename
     end
 
-    def update_filename(answer)
-      jfif_or_jpg_extension?(answer) ? "#{File.basename(answer, '.*')}.jpeg" : answer
-    end
-
-    def jfif_or_jpg_extension?(answer)
-      return false if answer.nil?
+    def normalise_file_extension(answer)
+      return if answer.nil?
 
       file_extension = File.extname(answer)
-      %w[.jfif .jpg].include?(file_extension)
+      file_basename  = answer.delete_suffix(file_extension)
+
+      # Handle less common `image/jpeg` MIME type extensions
+      file_extension.downcase!
+      file_extension = '.jpeg' if %w[.jpg .jpe .jif .jfif].include?(file_extension)
+
+      [file_basename, file_extension].join
     end
 
     # NOTE: Address component is different to other components in the sense it can

data/app/views/metadata_presenter/auth/show.html.erb

@@ -0,0 +1,37 @@
+<div class="fb-main-grid-wrapper">
+  <div class="govuk-grid-row">
+    <div class="govuk-grid-column-two-thirds">
+      <%= form_for @auth_form, url: { action: :create } do |f| %>
+        <%= f.govuk_error_summary(t('presenter.errors.summary_heading'), link_base_errors_to: :username) %>
+
+        <h1 id="page-heading" class="govuk-heading-xl">
+          <%= t('presenter.authorisation.heading') %>
+        </h1>
+
+        <p class="govuk-body">
+          <%= t('presenter.authorisation.lede') %>
+        </p>
+
+        <% unless production_env? %>
+          <div class="govuk-warning-text">
+            <span class="govuk-warning-text__icon" aria-hidden="true">!</span>
+            <strong class="govuk-warning-text__text">
+              <span class="govuk-visually-hidden"><%= t('presenter.notification_banners.warning') %></span>
+              <%= t('presenter.authorisation.warning') %>
+            </strong>
+          </div>
+        <% end %>
+
+        <%= f.govuk_text_field :username, width: 'one-third', autocorrect: 'off',
+                               label: { text: t('presenter.authorisation.labels.username') } %>
+
+        <%= f.govuk_password_field :password, width: 'one-third', autocorrect: 'off',
+                                   label: { text: t('presenter.authorisation.labels.password') } %>
+
+        <div class="govuk-button-group">
+          <%= f.govuk_submit t('presenter.actions.sign_in') %>
+        </div>
+      <% end %>
+    </div>
+  </div>
+</div>

data/app/views/metadata_presenter/page/multiplequestions.html.erb

@@ -8,11 +8,11 @@
       <%= render partial:'metadata_presenter/component/conditional_component_banner'%>
 
       <%= render 'metadata_presenter/attribute/section_heading' %>
-      <%= render 'metadata_presenter/attribute/heading' %>
 
       <%= form_for @page_answers, as: :answers, url: @page.url, method: :post, authenticity_token: false do |f| %>
         <%= hidden_field_tag :authenticity_token, form_authenticity_token -%>
         <%= f.govuk_error_summary(t('presenter.errors.summary_heading')) %>
+        <%= render 'metadata_presenter/attribute/heading' %>
 
           <%= render partial: 'metadata_presenter/component/components', locals: {
               f: f,

data/app/views/metadata_presenter/save_and_return/email_confirmation.html.erb

@@ -7,7 +7,7 @@
         <div class="govuk-form-group">
           <%=
           f.govuk_email_field :email_confirmation,
-            label: { size: 'l', text: t('presenter.save_and_return.confirm_email.heading') },
+            label: { tag: 'h1', size: 'l', text: t('presenter.save_and_return.confirm_email.heading') },
             name: "email_confirmation",
             spellcheck: "false",
             autocomplete: "email"

data/app/views/metadata_presenter/save_and_return/show.html.erb

@@ -1,11 +1,12 @@
 <div class="fb-main-grid-wrapper">
   <div class="govuk-grid-row">
     <div class="govuk-grid-column-two-thirds">
-    <h1 id="page-heading" class="govuk-heading-xl"><%= t('presenter.save_and_return.show.heading') %></h1>
-    <p class="mojf-settings-screen__description"><%= t('presenter.save_and_return.show.description') %></p>
-
       <%= form_for @saved_form do |f| %>
         <%= f.govuk_error_summary(t('presenter.errors.summary_heading')) %>
+
+        <h1 id="page-heading" class="govuk-heading-xl"><%= t('presenter.save_and_return.show.heading') %></h1>
+        <p class="mojf-settings-screen__description"><%= t('presenter.save_and_return.show.description') %></p>
+
         <div class="govuk-form-group">
         <%= f.hidden_field(:page_slug, value: page_slug) %>
           <%=

data/config/locales/cy.yml

@@ -14,6 +14,7 @@ cy:
       start: Dechrau nawr
       continue: Parhau
       submit: Cyflwyno
+      sign_in: Sign in
       upload_options: Llwytho opsiynau
       change_html: Newid <span class="govuk-visually-hidden">eich ateb ar gyfer %{question}</span>
     errors:
@@ -38,6 +39,13 @@ cy:
     maintenance:
       maintenance_page_heading: Mae’n ddrwg gennym, nid yw’r ffurflen hon ar gael
       maintenance_page_content: "Os oeddech chi yng nghanol llenwi’r ffurflen, nid yw eich data wedi’i chadw.\r\n\r\nBydd y ffurflen ar gael eto o 9am ar ddydd Llun 19 Tachwedd.\r\n\r\n\r\n\r\n### Other ways to apply\r\n\r\nCysylltwch â ni os yw eich cais yn frys \r\n\r\nEmail:  \r\nTelephone:  \r\nDydd Llun i ddydd Gwener, 9am i 5pm  \r\n[Gwybodaeth am gost galwadau](https://www.gov.uk/costau-galwadau)"
+    authorisation:
+      heading: Sign in
+      lede: This form has its own username and password. Contact the form owner if you are unsure what these are.
+      warning: This is a Test version of the form and should not be shared without the form owner’s permission.
+      labels:
+        username: Username
+        password: Password
     session_timeout_warning:
       heading: Ydych chi eisiau mwy o amser?
       timer: Byddwn yn ailosod eich ffurflen ac yn dileu eich gwybodaeth os na fyddwch yn parhau mewn
@@ -169,6 +177,15 @@ cy:
     errors:
       messages:
         blank: 'Rhowch ateb i "%{attribute}"'
+      models:
+        metadata_presenter/auth_form:
+          attributes:
+            base:
+              unauthorised: The username and password do not match. Try again
+            username:
+              blank: Enter a username
+            password:
+              blank: Enter a password
     attributes:
       metadata_presenter/saved_form:
         secret_question: Cwestiwn cudd

data/config/locales/en.yml

@@ -5,6 +5,7 @@ en:
       start: Start now
       continue: Continue
       submit: Submit
+      sign_in: Sign in
       upload_options: Upload options
       change_html: Change <span class="govuk-visually-hidden">Your answer for %{question}</span>
     errors:
@@ -29,6 +30,13 @@ en:
     maintenance:
       maintenance_page_heading: 'Sorry, this form is unavailable'
       maintenance_page_content: "If you were in the middle of completing the form, your data has not been saved.\r\n\r\nThe form will be available again from 9am on Monday 19 November 2018.\r\n\r\n\r\n\r\n### Other ways to apply\r\n\r\nContact us if your application is urgent \r\n\r\nEmail:  \r\nTelephone:  \r\nMonday to Friday, 9am to 5pm  \r\n[Find out about call charges](https://www.gov.uk/call-charges)"
+    authorisation:
+      heading: Sign in
+      lede: This form has its own username and password. Contact the form owner if you are unsure what these are.
+      warning: This is a Test version of the form and should not be shared without the form owner’s permission.
+      labels:
+        username: Username
+        password: Password
     session_timeout_warning:
       heading: Do you need more time?
       timer: We will reset your form and delete your information if you do not continue in
@@ -205,6 +213,15 @@ en:
     errors:
       messages:
         blank: 'Enter an answer for "%{attribute}"'
+      models:
+        metadata_presenter/auth_form:
+          attributes:
+            base:
+              unauthorised: The username and password do not match. Try again
+            username:
+              blank: Enter a username
+            password:
+              blank: Enter a password
     attributes:
       metadata_presenter/saved_form:
         secret_question: Secret question

data/config/routes.rb

@@ -1,6 +1,9 @@
 MetadataPresenter::Engine.routes.draw do
   root to: 'service#start'
 
+  get  '/auth', to: 'auth#show'
+  post '/auth', to: 'auth#create'
+
   post '/reserved/submissions', to: 'submissions#create', as: :reserved_submissions
   get '/reserved/change-answer', to: 'change_answer#create', as: :change_answer
 

data/lib/metadata_presenter/version.rb

@@ -1,3 +1,3 @@
 module MetadataPresenter
-  VERSION = '3.3.23'.freeze
+  VERSION = '3.3.25'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: metadata_presenter
 version: !ruby/object:Gem::Version
-  version: 3.3.23
+  version: 3.3.25
 platform: ruby
 authors:
 - MoJ Forms
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-08 00:00:00.000000000 Z
+date: 2024-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: govuk_design_system_formbuilder
@@ -330,6 +330,7 @@ files:
 - app/assets/config/metadata_presenter_manifest.js
 - app/assets/stylesheets/metadata_presenter/application.css
 - app/controllers/metadata_presenter/answers_controller.rb
+- app/controllers/metadata_presenter/auth_controller.rb
 - app/controllers/metadata_presenter/change_answer_controller.rb
 - app/controllers/metadata_presenter/concerns/save_and_return.rb
 - app/controllers/metadata_presenter/engine_controller.rb
@@ -345,6 +346,7 @@ files:
 - app/helpers/metadata_presenter/default_text.rb
 - app/jobs/metadata_presenter/application_job.rb
 - app/models/metadata_presenter/address_fieldset.rb
+- app/models/metadata_presenter/auth_form.rb
 - app/models/metadata_presenter/autocomplete_item.rb
 - app/models/metadata_presenter/branch_destinations.rb
 - app/models/metadata_presenter/column_number.rb
@@ -432,6 +434,7 @@ files:
 - app/views/metadata_presenter/attribute/_heading.html.erb
 - app/views/metadata_presenter/attribute/_lede.html.erb
 - app/views/metadata_presenter/attribute/_section_heading.html.erb
+- app/views/metadata_presenter/auth/show.html.erb
 - app/views/metadata_presenter/component/_address.html.erb
 - app/views/metadata_presenter/component/_autocomplete.html.erb
 - app/views/metadata_presenter/component/_checkboxes.html.erb