ndr_authenticate 0.3.5

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a6f8600ab0772b344fbc6cef5ec38cf7c49867eef46d0dfa041dea2e96ef3ab7
+  data.tar.gz: 87678c88bebb7656d589dab278d42bf1721bf0176db0995e086a80688ad32c5b
+SHA512:
+  metadata.gz: 1f7a72ddcee9bf7e853589c39061d73dc8a9a17503931fca31c989e9de0dd9377098c04bbee67c500fe7e8a560e2ddd23bc786156a5ce079194750292393a780
+  data.tar.gz: f6caaedff7462abbd36c72f2c160fb32f6e2e56772588959667923b73e7176a8eaeb940b26f0713e1b2162743cb819293736f77f7b59396e9d02fd8b5d7aceae

data/CHANGELOG.md

@@ -0,0 +1,58 @@
+## [Unreleased]
+* no unreleased changes *
+
+## 0.3.5 / 2025-11-07
+### Fixed
+* Support `ndr_ui` bootstrap 5
+* Support Ruby 3.4, Rails 8.0. Drop support for Rails 7.0, Ruby 3.1
+
+## 0.3.4 / 2024-11-19
+### Fixed
+* Support Ruby 3.2 and 3.3, Rails 7.1, 7.2
+* Drop support for Ruby 3.0, Rails 6.1
+* Update test application to latest Rails defaults
+
+## 0.3.3 / 2022-12-07
+### Fixed
+* Drop support for Ruby 2.6
+* Support Ruby 3.1, Rails 7.0
+* Replace Public Health England naming with NHS Digital
+
+## 0.3.2 / 2022-12-01
+### Fixed
+* Support Ruby 3.0
+* Resolve Rails engine autoload warnings
+
+## 0.3.1 / 2022-05-20
+### Fixed
+* Added temporary fix for issues around certificates following YubiCloud service changes.
+* Updated expired certificates
+
+## 0.3.0 / 2020-07-22
+### Fixed
+* Allow SSO routes to be disabled
+
+## 0.2.3.1 / 2020-09-09
+### Fixed
+* Updated expired certificates
+
+## 0.2.3 / 2020-03-10
+### Fixed
+* Added temporary fix for issues around certificates following YubiCloud service changes.
+
+## 0.2.2 / 2019-12-02
+### Fixed
+* Fixed issue with OTP field not clearing on bad challenge for AJAX requests.
+* Fixed issue with Turbolinks enabled applications causing ActionDispatch::Cookies::CookieOverflow
+  errors in certain situations.
+
+## 0.2.1 / 2019-11-08
+### Fixed
+* Fixed UJS driver compatibility issue with Yubikey protected action SJR.
+
+## 0.2.0 / 2019-10-25
+### Added
+* SAML authentication
+* Yubikey protected actions
+* Yubikey 2FA
+* Rails 6 support

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019-2022 NHS Digital
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,227 @@
+# NdrAuthenticate
+This is the Public Health England (PHE) National Disease Registers (NDR) Authenticate ruby gem.
+It is a Rails engine that provides domain authentication and verification capabilities.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'ndr_authenticate'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install ndr_authenticate
+```
+
+## Configuration
+
+Run the installation generator:
+```bash
+$ bin/rails g ndr_authenticate:install
+```
+
+This will install an initializer for NdrAuthenticate and some configuration files used for
+single sign on via SAML.
+
+Mount the engine in the hosting application's `config/routes.rb` file:
+```ruby
+mount NdrAuthenticate::Engine, at: '/auth'
+```
+
+Set some basic configuration information:
+
+| Configuration | Description | Type | Default |
+| ------------- | ----------- | ---- | ------- |
+| `user_class`  | Class name of the user model within the hosting application. | String          | `'User'` |
+| `sso_enabled` | Determines SAML Authentication availability.                 | Callable object | `->(_request) { Rails.env.production? }` |
+| `yubikey_api_id` | API credentials for Yubico Web Services. | String | `nil` |
+| `yubikey_api_key` | API credentials for Yubico Web Services. | String | `nil` |
+| `invalid_otp_reasons` | Strategies for testing the validity of YubiKey one-time passwords. | Hash | `{ ... }` (omitted for brevity) |
+
+## View Helpers
+
+NdrAuthenticate provides view helper methods for generating login/logout links. To use these
+include the following in the hosting application's `ApplicationController`
+(or other suitable location):
+
+```rails
+helper NdrAuthenticate::ApplicationHelper
+```
+
+## Devise
+
+NdrAuthenticate uses Devise for authentication. Given the highly configurable nature of Devise
+this gem leaves (most) configuration up to the hosting application. To configure Devise for the
+hosting application run the Devise installer and tweak the resultant initializer file as required.
+See https://github.com/plataformatec/devise/#getting-started for more.
+
+NdrAuthenticate will configure some Devise settings relating to engine behaviour and SAML
+configuration. The hosting application is free to alter SAML settings as required
+but `parent_controller` and `router_name` should typically be left alone.
+
+It is not required to configure Devise routes (via e.g. `devise_for :users`) within the hosting
+application as Devise is mounted within NdrAuthenticate. Run `bin/rails routes` to see the
+available/generated routes.
+
+## Single Sign On / SAML Authentication
+
+NdrAuthenticate provides domain authentication/SSO functionality via SAML request/response cycle.
+
+This requires a little bit of configuration to be done within the hosting application:
+* Firstly, configure Identity Provider (IdP) and Service Provider (SP) information.
+
+  For convenience, NdrAuthenticate can apply a PHE ADFS specific configuration. If you have run
+  the install then this will have been done automatically. Otherwise, add the following to
+  your NdrAuthenticate initializer:
+  ```ruby
+  NdrAuthenticate.configure do |config|
+    ...
+    config.load_defaults :phe
+  ```
+
+  NdrAuthenticate will configure SP information automatically. By default, the SP
+  `issuer`, `assertion_consumer_service_url` and `assertion_consumer_logout_service_url`
+  settings will be set to the respective `saml_metadata_url`, `saml_user_session_url` and
+  `idp_destroy_saml_user_session_url` values. Automatic IdP configuration is possible
+  by populating the `NdrAuthenticate#idp_metadata_url` setting and ensuring that the endpoint is
+  reachable from the app server.
+
+  Additional settings should be manually configured as required in an appropriate initializer:
+
+  ```ruby
+  Devise.saml_configure do |settings|
+    ...
+  end
+  ```
+
+  For further information on IdP/SP configuration see:
+  * https://github.com/apokalipto/devise_saml_authenticatable
+  * https://github.com/onelogin/ruby-saml
+
+
+* Define how the attributes received from the IdP map to the attributes of the SP user
+  model in `config/attribute-map.yml`.
+
+  The IdP metadata should contain 0..n `<Attribute>` elements nested under the `<IDPSSODescriptor`
+  element, each of which should have a `Name` attribute/property; use the value of this when
+  mapping attributes between IdP and SP. Also note that every attribute provided by the IdP does
+  not need to be mapped, only those that are to be stored on the user model within the SP.
+
+  For example, an IdP providing the following attributes:
+
+  ```xml
+  <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
+  <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
+  <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname"/>
+  <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
+  ```
+
+  ...and an SP with the following user resource:
+
+  ```ruby
+  class User < ApplicationRecord
+    attribute :email
+    attribute :first_name
+    attribute :last_name
+
+    ...
+  end
+  ```
+
+  ...may have an `attribute-map.yml` file like this:
+
+  ```yaml
+  ...
+  production:
+    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
+    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": first_name
+    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": last_name
+  ```
+
+* Finally, add `:saml_authenticatable` to the `devise` call within the SP user model, e.g.
+
+  ```ruby
+  class User < ApplicationRecord
+      devise :saml_authenticatable,
+             :trackable,
+             ...
+  end
+  ```
+
+## Database Authentication
+NdrAuthenticate has been set up such that the `:saml_authenticatable` and
+`:database_authenticatable` Devise/Warden strategies should not be mutually exclusive. This should
+allow hosting applications to use SAML SSO as a progressive enhancement or local database accounts
+as a fallback (particularly useful in development environments).
+
+## Two Factor Authentication (2FA)
+NdrAuthenticate uses Yubico YubiKeys as a second factor in authentication mechanisms.
+
+#### 2FA Protected Actions
+_To use this functionality please ensure that `yubikey_api_id` and `yubikey_api_key` values have
+been configured with your Yubico Web Services credentials.
+Visit <https://upgrade.yubico.com/getapikey/> to obtain an API key if you do not already have one._
+
+Second factor authentication can be required for controller actions. To do this, call the
+`yubikey_protected` macro in your controller class, passing in the actions that should require a
+valid YubiKey one-time password to perform:
+
+```ruby
+class PostsController < ApplicationController
+  yubikey_protected :create, :update, :destroy
+
+  ...
+end
+```
+
+By default, only basic validity checks are performed. These include guards against:
+* blank values
+* invalid format/structure
+* replayed OTPWs
+
+Host applications are encouraged to include additional challenges as required and production ready systems should almost certainly implement a check of OTPW/user combination (i.e. could this OTPW
+have been generated from the submitting user's YubiKey?).
+
+Challenges can be configured via the `invalid_otp_reasons` setting and should be callable objects
+that accept `otp`, `user` and `context` parameters and return boolean values.
+
+YubiKey protection is bypassed in the Rails development environment; add the debug flag to enable:
+
+```ruby
+class PostsController < ApplicationController
+  yubikey_protected :create, :update, :destroy, debug: true
+
+  ...
+end
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/PublicHealthEngland/ndr_authenticate/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request
+
+### RuboCop
+This project is configured to use RuboCop. Please ensure any contributions meet style guides,
+wherever possible. You can run RuboCop with:
+
+    $ rubocop .
+
+### Coverage
+Test coverage is measured by `simplecov` as part of the test suite. Its output can be viewed with:
+
+    $ open coverage/index.html
+
+Please note that this project is released with a Contributor Code of Conduct. By participating
+in this project you agree to abide by its terms.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,33 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'NdrAuthenticate'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+require 'ndr_dev_support/tasks'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/assets/config/ndr_authenticate_manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts/ndr_authenticate .js
+//= link_directory ../stylesheets/ndr_authenticate .css

data/app/assets/javascripts/ndr_authenticate/ndr_authenticate.js

@@ -0,0 +1,14 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .
+//= require ndr_ui

data/app/assets/stylesheets/ndr_authenticate/ndr_authenticate.scss

@@ -0,0 +1 @@
+@import "ndr_ui/index";

data/app/controllers/concerns/ndr_authenticate/authenticatable.rb

@@ -0,0 +1,21 @@
+module NdrAuthenticate
+  # Shared logic for controllers dealing with sessions.
+  module Authenticatable
+    extend ActiveSupport::Concern
+
+    included do
+      after_action :store_winning_strategy, only: :create
+    end
+
+    private
+
+    def sso_enabled?
+      NdrAuthenticate.sso_enabled&.call(request)
+    end
+
+    def store_winning_strategy
+      strategy = warden.winning_strategies[:user]
+      warden.session(:user)[:strategy] = strategy.class.name.demodulize.underscore.to_sym
+    end
+  end
+end

data/app/controllers/concerns/ndr_authenticate/devise_helpers.rb

@@ -0,0 +1,17 @@
+module NdrAuthenticate
+  # Additional Devise helper methods. Mixed into ActionController.
+  module DeviseHelpers
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :user_authenticated_with?
+    end
+
+    def user_authenticated_with?(strategy)
+      return false unless user_signed_in?
+
+      winning_strategy = user_session.with_indifferent_access[:strategy]
+      winning_strategy&.to_sym == strategy.to_sym
+    end
+  end
+end

data/app/controllers/concerns/ndr_authenticate/turbolinks.rb

@@ -0,0 +1,31 @@
+module NdrAuthenticate
+  # Patch to prevent cookie overflow errors in applications running Turbolinks.
+  module Turbolinks
+    extend ActiveSupport::Concern
+
+    HEADER = 'Turbolinks-Referrer'.freeze
+
+    included do
+      around_action :skip_store_turbolinks_location_in_session
+    end
+
+    private
+
+    # Turbolinks will try to store referrer locations in the session when :redirect_to is called.
+    # This can be problematic if that location is particularly long, such as in the case of
+    # redirects to an IdP with a large SAML payload in the query string. We can temporarily
+    # manipulate request headers to bypass that session storage...
+    def skip_store_turbolinks_location_in_session
+      if request.headers.key?(HEADER)
+        turbolinks_referrer     = request.headers[HEADER]
+        request.headers[HEADER] = nil
+
+        yield
+
+        request.headers[HEADER] = turbolinks_referrer
+      else
+        yield
+      end
+    end
+  end
+end

data/app/controllers/concerns/ndr_authenticate/yubikey/authenticatable.rb

@@ -0,0 +1,94 @@
+module NdrAuthenticate
+  module Yubikey
+    # Adds support for yubikey 2FA, using http_basic auth.
+    # Actual OTPW verification is done by an mod_authn_yubikey,
+    # in apache on an auth server. Those credentials are still
+    # passed through to the application as HTTP headers, which
+    # enables the yubikey to be tested against an application
+    # user.
+    #
+    # Some of this logic could be added to a custom warden strategy,
+    # but by modifying the controller we can (for example) pre-fill
+    # the username field if a yubikey is used.
+    module Authenticatable
+      extend ActiveSupport::Concern
+
+      # Expect yubikeys to be used in production. In the test environment,
+      # we enable the codepath, but are more lenient (see #should_check_current_yubikey?)
+      # - we can test yubikey behaviour using integration tests if we
+      # choose, but are not forced use them in functional tests.
+      PERFORM_2FA = Rails.env.test? || Rails.env.production?
+
+      included do
+        class_attribute :invalid_key_reasons, default: NdrAuthenticate.invalid_key_reasons
+
+        helper_method :current_yubikey
+      end
+
+      private
+
+      # If a user has got through the auth server with a yubikey
+      # that shouldn't be allowed to sign in (i.e. the keyfile is stale),
+      # fail any login attempts.
+      #
+      # The keyfile will sync regularly, but not instantly.
+      def check_current_yubikey!
+        return unless should_check_current_yubikey?
+
+        problem, _checker = invalid_key_reasons.detect do |_reason, checker|
+          checker.call(current_yubikey, current_user, self)
+        end
+
+        return unless problem
+
+        # Provide a hook for host application to do any custom logic (e.g. logging), if required.
+        failed_current_yubikey_check(problem)
+
+        sign_out(current_user)
+        throw(:warden, message: :second_factor_failure)
+      end
+
+      def failed_current_yubikey_check(problem); end
+
+      # If there is a signed-in user, in what circumstances should
+      # we verify they have submitted an appropriate yubikey too?
+      def should_check_current_yubikey?
+        # In tests, we generally don't submit the header every time; therefore,
+        # only test if it is explicitly given. This isn't ideal.
+        return if Rails.env.test? && request.authorization.nil?
+
+        # If 2FA auth is enabled, and we have a user with whom
+        # we can try and check the association of a yubikey with:
+        perform_2fa? && user_signed_in?
+      end
+
+      # Returns the yubikey in use, or nil.
+      def current_yubikey
+        public_id = http_basic_otpw.to_s[0, 12]
+        public_id.presence
+      end
+
+      def perform_2fa?
+        PERFORM_2FA
+      end
+
+      def http_basic_username
+        username = nil
+        authenticate_with_http_basic do |user, _p|
+          username = user
+          true
+        end
+        username
+      end
+
+      def http_basic_otpw
+        otpw = nil
+        authenticate_with_http_basic do |_u, password|
+          otpw = password
+          true
+        end
+        otpw
+      end
+    end
+  end
+end

data/app/controllers/concerns/ndr_authenticate/yubikey/protectable.rb

@@ -0,0 +1,103 @@
+module NdrAuthenticate
+  module Yubikey
+    # Adds functionality to require a second factor check before peforming specified actions.
+    module Protectable
+      extend ActiveSupport::Concern
+
+      included do
+        class_attribute :invalid_otp_reasons, default: NdrAuthenticate.invalid_otp_reasons
+      end
+
+      class_methods do
+        def yubikey_protected(*actions)
+          options = actions.extract_options!
+          debug   = options.delete(:debug)
+
+          before_action :challenge_yubikey, only: actions, unless: lambda {
+            Rails.env.development? && !debug
+          }
+        end
+      end
+
+      private
+
+      # For general usage instructions see the README.
+      #
+      # Yubikey protected actions work by leveraging a `before_action`s ability to halt the
+      # request cycle via a `render` call. When a request arrives for a protected action we check
+      # the request params for a valid OTPW in the request. If one is not found then we issue a
+      # response and present the client with a form requesting a OTPW. This form will submit back
+      # to the originally requested endpoint and will contain a hidden field in which the original
+      # request's params are serialized/encoded for re-submission on the return trip. On receipt
+      # of a valid OTPW we restore the relayed params and allow the request to continue as normal.
+
+      def ndr_authenticate_params
+        params.fetch(:ndr_authenticate, {}).permit(:otp, :relay)
+      end
+
+      # NOTE: The custom header (`yubikey-required`) is a hacky fix to give the (default) JS
+      # response template a way of knowing if a challange was good/bad (thus providing a way to
+      # trigger modal lifecycle events). We could close the modal on sumbit but if the challenge
+      # is bad then we end up with modals popping in and out which is jarring.
+      def challenge_yubikey
+        if valid_otp?
+          restore_params
+        else
+          response.set_header('Cache-Control',    'no-store')
+          response.set_header('yubikey-required', 'required')
+
+          issue_challenge_to_user
+        end
+      end
+
+      def valid_otp?
+        return true  if invalid_otp_reasons.empty?
+        return false unless ndr_authenticate_params.key?(:otp)
+
+        problem, _checker = invalid_otp_reasons.detect do |_reason, checker|
+          checker.call(ndr_authenticate_params[:otp], current_user, self)
+        end
+
+        return true unless problem
+
+        # Provide a hook for host application to do any custom logic (e.g. logging), if required.
+        failed_otp_challenge(problem)
+
+        false
+      end
+
+      def failed_otp_challenge(problem); end
+
+      def issue_challenge_to_user
+        # TODO: Add support for multipart forms. The current round-tripping approach would be
+        # costly in terms of network IO, not to mention the complexity of marshalling params.
+        raise 'Multipart forms are not currently supported' if multipart_form?
+
+        respond_to do |format|
+          format.any(:html, :js) do
+            template = 'ndr_authenticate/yubikey/protectable/challenge'
+            layout   = 'ndr_authenticate/ndr_authenticate'
+
+            render template, layout: layout
+          end
+
+          format.any { head :forbidden }
+        end
+      end
+
+      def restore_params
+        return unless ndr_authenticate_params.key?(:relay)
+
+        relayed_params = JSON.parse(
+          Base64.urlsafe_decode64(ndr_authenticate_params.delete(:relay))
+        )
+        params.reverse_merge!(relayed_params)
+      end
+
+      def multipart_form?
+        content_type = request.headers['Content-Type']
+        content_type&.match?(/\Amultipart/)
+      end
+    end
+  end
+end

data/app/controllers/ndr_authenticate/application_controller.rb

@@ -0,0 +1,22 @@
+module NdrAuthenticate
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+
+    # Ensure Rails doesn't find any host layouts first:
+    layout 'ndr_authenticate/ndr_authenticate'
+
+    helper NdrUi::BootstrapHelper
+
+    private
+
+    # TODO: Make configurable (preferably in line with Devise documentation).
+    def after_sign_in_path_for(_resource)
+      main_app.root_path
+    end
+
+    # TODO: Make configurable (preferably in line with Devise documentation).
+    def after_sign_out_path_for(_resource)
+      main_app.root_path
+    end
+  end
+end