metadata_presenter 3.3.24 → 3.3.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c820cccd9aed599a87d7f383a7464504fb73470e11ea2aa47c107d8660474833
-  data.tar.gz: d73786672c233b5ca1371c65d24844eae9c9f63cbe7e144ed59d3dad71575a48
+  metadata.gz: 347d89c1a6cf428040954bdf744f2fd80ff50b8b85648f83a38b53efd21beb33
+  data.tar.gz: a864615ca521f51976b454f4a3c13b7f0ab06859405317ed3ff81bb04fee96df
 SHA512:
-  metadata.gz: 60cd34263a60622ede633dad425c2049b6df5d2dd1163674cc22eb82a68e6eaf07664bb435b93cb31af2c48aacfc3023a387fee84b170ca9b7d3a57d8bbee270
-  data.tar.gz: 4dd4eef3fe6c479c1e962bc41ca4f7db41a1e8959a19e9974319d30afa801b7e0e1352248d7184e131b44c4858cdd30a18cc02e443e0397345b14bb0c9296988
+  metadata.gz: 045eab0af5c54c631ea1a5783270fa2ce154a467c9db61082022fd0800f4b6a376c70d676bfdbd874fc31d1d6b9b75dc932dcbe4f3ef48b39b4bf100848c3c4e
+  data.tar.gz: 1693be15f68a6c59d597379e4dbc51930a09dc527d25bf787322ea72645e3517723b2303b25d5054bf495e6c75ffbd78d9067ce35a9938eece7884d2c901c2c3

data/app/controllers/metadata_presenter/auth_controller.rb

@@ -0,0 +1,48 @@
+module MetadataPresenter
+  class AuthController < EngineController
+    PRODUCTION_ENVS = %w[test-production live-production].freeze
+
+    skip_before_action :require_basic_auth
+    before_action :check_session_is_authorised
+
+    def show
+      @auth_form = AuthForm.new
+    end
+
+    def create
+      @auth_form = AuthForm.new(auth_params)
+
+      if @auth_form.valid?
+        authorised_session!
+        redirect_to root_path
+      else
+        render :show
+      end
+    end
+
+    private
+
+    def allow_analytics?
+      false
+    end
+
+    def show_cookie_request?
+      false
+    end
+
+    def check_session_is_authorised
+      redirect_to root_path if session_authorised?
+    end
+
+    def production_env?
+      PRODUCTION_ENVS.include?("#{ENV['PLATFORM_ENV']}-#{ENV['DEPLOYMENT_ENV']}")
+    end
+    helper_method :production_env?
+
+    def auth_params
+      params.require(:auth_form).permit(
+        :username, :password
+      )
+    end
+  end
+end

data/app/controllers/metadata_presenter/engine_controller.rb

@@ -6,7 +6,11 @@ module MetadataPresenter
     default_form_builder GOVUKDesignSystemFormBuilder::FormBuilder
 
     around_action :switch_locale
-    before_action :show_maintenance_page
+    before_action :show_maintenance_page, :require_basic_auth
+
+    def require_basic_auth
+      redirect_to auth_path unless session_authorised?
+    end
 
     def reload_user_data
       # :nocov:
@@ -124,6 +128,18 @@ module MetadataPresenter
       ENV['MAINTENANCE_MODE'].present? && ENV['MAINTENANCE_MODE'] == '1'
     end
 
+    def session_authorised?
+      return true if ENV['BASIC_AUTH_USER'].blank? || ENV['BASIC_AUTH_PASS'].blank?
+
+      !!cookies.signed[:_fb_authorised]
+    end
+
+    def authorised_session!
+      cookies.signed[:_fb_authorised] = {
+        value: 1, same_site: :strict, httponly: true
+      }
+    end
+
     def external_or_relative_link(link)
       uri = URI.parse(link)
       return link if uri.scheme.present? && uri.host.present?

data/app/controllers/metadata_presenter/resume_controller.rb

@@ -4,6 +4,8 @@ module MetadataPresenter
 
     helper_method :get_service_name, :get_uuid, :pages_presenters
 
+    skip_before_action :require_basic_auth
+
     def return
       response = get_saved_progress(get_uuid)
 
@@ -49,6 +51,9 @@ module MetadataPresenter
 
         invalidate_record(@saved_form.id)
 
+        # authorise user as to not ask them again for credentials, if set
+        authorised_session! unless session_authorised?
+
         if @saved_form.service_version == service.version_id
           redirect_to '/resume_progress' and return
         else

data/app/controllers/metadata_presenter/session_controller.rb

@@ -1,5 +1,7 @@
 module MetadataPresenter
   class SessionController < EngineController
+    skip_before_action :require_basic_auth
+
     def expired; end
 
     def complete; end

data/app/models/metadata_presenter/auth_form.rb

@@ -0,0 +1,33 @@
+module MetadataPresenter
+  class AuthForm
+    include ActiveModel::Model
+
+    attr_accessor :username, :password
+
+    validates :username, :password,
+              presence: true, allow_blank: false
+
+    validate :valid_credentials
+
+    private
+
+    def valid_credentials
+      errors.add(:base, :unauthorised) unless errors.any? || authorised?
+    end
+
+    def authorised?
+      # This comparison uses & so that it doesn't short circuit and
+      # uses `secure_compare` so that length information isn't leaked.
+      ActiveSupport::SecurityUtils.secure_compare(env_username, username) &
+        ActiveSupport::SecurityUtils.secure_compare(env_password, password)
+    end
+
+    def env_username
+      ENV['BASIC_AUTH_USER'].to_s
+    end
+
+    def env_password
+      ENV['BASIC_AUTH_PASS'].to_s
+    end
+  end
+end

data/app/views/metadata_presenter/auth/show.html.erb

@@ -0,0 +1,37 @@
+<div class="fb-main-grid-wrapper">
+  <div class="govuk-grid-row">
+    <div class="govuk-grid-column-two-thirds">
+      <%= form_for @auth_form, url: { action: :create } do |f| %>
+        <%= f.govuk_error_summary(t('presenter.errors.summary_heading'), link_base_errors_to: :username) %>
+
+        <h1 id="page-heading" class="govuk-heading-xl">
+          <%= t('presenter.authorisation.heading') %>
+        </h1>
+
+        <p class="govuk-body">
+          <%= t('presenter.authorisation.lede') %>
+        </p>
+
+        <% unless production_env? %>
+          <div class="govuk-warning-text">
+            <span class="govuk-warning-text__icon" aria-hidden="true">!</span>
+            <strong class="govuk-warning-text__text">
+              <span class="govuk-visually-hidden"><%= t('presenter.notification_banners.warning') %></span>
+              <%= t('presenter.authorisation.warning') %>
+            </strong>
+          </div>
+        <% end %>
+
+        <%= f.govuk_text_field :username, width: 'one-third', autocorrect: 'off',
+                               label: { text: t('presenter.authorisation.labels.username') } %>
+
+        <%= f.govuk_password_field :password, width: 'one-third', autocorrect: 'off',
+                                   label: { text: t('presenter.authorisation.labels.password') } %>
+
+        <div class="govuk-button-group">
+          <%= f.govuk_submit t('presenter.actions.sign_in') %>
+        </div>
+      <% end %>
+    </div>
+  </div>
+</div>

data/config/locales/cy.yml

@@ -14,6 +14,7 @@ cy:
       start: Dechrau nawr
       continue: Parhau
       submit: Cyflwyno
+      sign_in: Sign in
       upload_options: Llwytho opsiynau
       change_html: Newid <span class="govuk-visually-hidden">eich ateb ar gyfer %{question}</span>
     errors:
@@ -38,6 +39,13 @@ cy:
     maintenance:
       maintenance_page_heading: Mae’n ddrwg gennym, nid yw’r ffurflen hon ar gael
       maintenance_page_content: "Os oeddech chi yng nghanol llenwi’r ffurflen, nid yw eich data wedi’i chadw.\r\n\r\nBydd y ffurflen ar gael eto o 9am ar ddydd Llun 19 Tachwedd.\r\n\r\n\r\n\r\n### Other ways to apply\r\n\r\nCysylltwch â ni os yw eich cais yn frys \r\n\r\nEmail:  \r\nTelephone:  \r\nDydd Llun i ddydd Gwener, 9am i 5pm  \r\n[Gwybodaeth am gost galwadau](https://www.gov.uk/costau-galwadau)"
+    authorisation:
+      heading: Sign in
+      lede: This form has its own username and password. Contact the form owner if you are unsure what these are.
+      warning: This is a Test version of the form and should not be shared without the form owner’s permission.
+      labels:
+        username: Username
+        password: Password
     session_timeout_warning:
       heading: Ydych chi eisiau mwy o amser?
       timer: Byddwn yn ailosod eich ffurflen ac yn dileu eich gwybodaeth os na fyddwch yn parhau mewn
@@ -169,6 +177,15 @@ cy:
     errors:
       messages:
         blank: 'Rhowch ateb i "%{attribute}"'
+      models:
+        metadata_presenter/auth_form:
+          attributes:
+            base:
+              unauthorised: The username and password do not match. Try again
+            username:
+              blank: Enter a username
+            password:
+              blank: Enter a password
     attributes:
       metadata_presenter/saved_form:
         secret_question: Cwestiwn cudd

data/config/locales/en.yml

@@ -5,6 +5,7 @@ en:
       start: Start now
       continue: Continue
       submit: Submit
+      sign_in: Sign in
       upload_options: Upload options
       change_html: Change <span class="govuk-visually-hidden">Your answer for %{question}</span>
     errors:
@@ -29,6 +30,13 @@ en:
     maintenance:
       maintenance_page_heading: 'Sorry, this form is unavailable'
       maintenance_page_content: "If you were in the middle of completing the form, your data has not been saved.\r\n\r\nThe form will be available again from 9am on Monday 19 November 2018.\r\n\r\n\r\n\r\n### Other ways to apply\r\n\r\nContact us if your application is urgent \r\n\r\nEmail:  \r\nTelephone:  \r\nMonday to Friday, 9am to 5pm  \r\n[Find out about call charges](https://www.gov.uk/call-charges)"
+    authorisation:
+      heading: Sign in
+      lede: This form has its own username and password. Contact the form owner if you are unsure what these are.
+      warning: This is a Test version of the form and should not be shared without the form owner’s permission.
+      labels:
+        username: Username
+        password: Password
     session_timeout_warning:
       heading: Do you need more time?
       timer: We will reset your form and delete your information if you do not continue in
@@ -205,6 +213,15 @@ en:
     errors:
       messages:
         blank: 'Enter an answer for "%{attribute}"'
+      models:
+        metadata_presenter/auth_form:
+          attributes:
+            base:
+              unauthorised: The username and password do not match. Try again
+            username:
+              blank: Enter a username
+            password:
+              blank: Enter a password
     attributes:
       metadata_presenter/saved_form:
         secret_question: Secret question

data/config/routes.rb

@@ -1,6 +1,9 @@
 MetadataPresenter::Engine.routes.draw do
   root to: 'service#start'
 
+  get  '/auth', to: 'auth#show'
+  post '/auth', to: 'auth#create'
+
   post '/reserved/submissions', to: 'submissions#create', as: :reserved_submissions
   get '/reserved/change-answer', to: 'change_answer#create', as: :change_answer
 

data/lib/metadata_presenter/version.rb

@@ -1,3 +1,3 @@
 module MetadataPresenter
-  VERSION = '3.3.24'.freeze
+  VERSION = '3.3.25'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: metadata_presenter
 version: !ruby/object:Gem::Version
-  version: 3.3.24
+  version: 3.3.25
 platform: ruby
 authors:
 - MoJ Forms
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-11 00:00:00.000000000 Z
+date: 2024-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: govuk_design_system_formbuilder
@@ -330,6 +330,7 @@ files:
 - app/assets/config/metadata_presenter_manifest.js
 - app/assets/stylesheets/metadata_presenter/application.css
 - app/controllers/metadata_presenter/answers_controller.rb
+- app/controllers/metadata_presenter/auth_controller.rb
 - app/controllers/metadata_presenter/change_answer_controller.rb
 - app/controllers/metadata_presenter/concerns/save_and_return.rb
 - app/controllers/metadata_presenter/engine_controller.rb
@@ -345,6 +346,7 @@ files:
 - app/helpers/metadata_presenter/default_text.rb
 - app/jobs/metadata_presenter/application_job.rb
 - app/models/metadata_presenter/address_fieldset.rb
+- app/models/metadata_presenter/auth_form.rb
 - app/models/metadata_presenter/autocomplete_item.rb
 - app/models/metadata_presenter/branch_destinations.rb
 - app/models/metadata_presenter/column_number.rb
@@ -432,6 +434,7 @@ files:
 - app/views/metadata_presenter/attribute/_heading.html.erb
 - app/views/metadata_presenter/attribute/_lede.html.erb
 - app/views/metadata_presenter/attribute/_section_heading.html.erb
+- app/views/metadata_presenter/auth/show.html.erb
 - app/views/metadata_presenter/component/_address.html.erb
 - app/views/metadata_presenter/component/_autocomplete.html.erb
 - app/views/metadata_presenter/component/_checkboxes.html.erb