pages_core 3.12.7 → 3.14.0

data/app/helpers/pages_core/admin/locales_helper.rb

@@ -6,7 +6,7 @@ module PagesCore
       def locales_with_dir
         locales = PagesCore.config.locales || {}
         locales.each_with_object({}) do |(key, name), hash|
-          hash[key] = { name: name, dir: locale_direction(key) }
+          hash[key] = { name:, dir: locale_direction(key) }
         end
       end
 

data/app/helpers/pages_core/application_helper.rb

@@ -21,10 +21,10 @@ module PagesCore
       end
     end
 
-    def unique_page(page_name, &block)
+    def unique_page(page_name, &)
       page = Page.where(unique_name: page_name).first
       if page && block_given?
-        output = capture(page.localize(content_locale), &block)
+        output = capture(page.localize(content_locale), &)
         concat(output)
       end
       page&.localize(content_locale)
@@ -44,7 +44,7 @@ module PagesCore
 
     def page_link_path(locale, page)
       if page.redirects?
-        page.redirect_path(locale: locale)
+        page.redirect_path(locale:)
       else
         page_path(locale, page)
       end

data/app/helpers/pages_core/head_tags_helper.rb

@@ -50,9 +50,9 @@ module PagesCore
     #    <%= feed_tags %>
     #  <% end %>
     #
-    def head_tag(&block)
+    def head_tag(&)
       # The block output must be captured first
-      block_output = block_given? ? capture(&block) : nil
+      block_output = block_given? ? capture(&) : nil
 
       tag.head { safe_join(head_tag_contents(block_output), "\n") }
     end
@@ -64,34 +64,33 @@ module PagesCore
     def rss_link_tag(title, href)
       tag.link(rel: "alternate",
                type: "application/rss+xml",
-               title: title,
-               href: href)
+               title:,
+               href:)
     end
 
     private
 
     def head_tag_contents(block_output)
       [tag.meta(charset: "utf-8"),
-       tag.meta("http-equiv" => "X-UA-Compatible", "content" => "IE=edge"),
        tag.title(document_title),
        meta_description_tag,
        meta_keywords_tag,
        (tag.link(rel: "image_src", href: meta_image) if meta_image?),
        open_graph_tags,
-       csrf_meta_tags,
-       block_output]
+       (csrf_meta_tags unless static_cached?),
+       block_output].compact_blank
     end
 
     def meta_description_tag
       return unless meta_description?
 
-      tag.meta(name: "description", content: meta_description)
+      tag.meta(name: "description", content: meta_description&.strip)
     end
 
     def meta_keywords_tag
       return unless meta_keywords?
 
-      tag.meta(name: "keywords", content: meta_keywords)
+      tag.meta(name: "keywords", content: meta_keywords&.strip)
     end
   end
 end

data/app/helpers/pages_core/images_helper.rb

@@ -57,12 +57,12 @@ module PagesCore
     def picture_tag(image, ratio: nil, sizes: "100vw")
       tag.picture do
         safe_join(
-          [webp_source(image, ratio: ratio, sizes: sizes || "100vw"),
+          [webp_source(image, ratio:, sizes: sizes || "100vw"),
            dynamic_image_tag(image,
                              size: image_size(1050, ratio),
                              crop: (ratio ? true : false),
-                             sizes: sizes,
-                             srcset: srcset(image, ratio: ratio))]
+                             sizes:,
+                             srcset: srcset(image, ratio:))]
         )
       end
     end
@@ -106,11 +106,11 @@ module PagesCore
       size ||= default_image_size
       size = fit_ratio(size, ratio) if ratio
 
-      dynamic_image_tag(image, size: size, crop: ratio && true, upscale: false)
+      dynamic_image_tag(image, size:, crop: ratio && true, upscale: false)
     end
 
     def image_link_to(content, href)
-      tag.a(content, href: href)
+      tag.a(content, href:)
     end
 
     def image_size(width, ratio)
@@ -139,8 +139,8 @@ module PagesCore
       return unless webp_compatible?(image)
 
       tag.source(type: "image/webp",
-                 srcset: srcset(image, ratio: ratio, format: :webp),
-                 sizes: sizes)
+                 srcset: srcset(image, ratio:, format: :webp),
+                 sizes:)
     end
 
     def webp_compatible?(image)

data/app/helpers/pages_core/open_graph_tags_helper.rb

@@ -13,7 +13,7 @@ module PagesCore
         properties
           .compact
           .map do |name, content|
-          tag.meta(property: "og:#{name}", content: content)
+          tag.meta(property: "og:#{name}", content:)
         end,
         "\n"
       )
@@ -42,7 +42,7 @@ module PagesCore
         site_name: PagesCore.config(:site_name),
         title: default_open_graph_title,
         image: (meta_image if meta_image?),
-        description: default_open_graph_description,
+        description: default_open_graph_description&.strip,
         url: request.url }
     end
   end

data/app/helpers/pages_core/page_path_helper.rb

@@ -30,7 +30,7 @@ module PagesCore
     private
 
     def page_redirect_url(locale, page)
-      redirect = page.redirect_path(locale: locale)
+      redirect = page.redirect_path(locale:)
       return redirect if redirect =~ %r{^https?://}
 
       base_page_url + redirect
@@ -54,7 +54,7 @@ module PagesCore
       ActiveSupport::Deprecation.warn(
         "Calling page_url without locale is deprecated"
       )
-      [(opts[:locale] || content_locale), page_or_locale]
+      [opts[:locale] || content_locale, page_or_locale]
     end
 
     def paginated_section(opts)

data/app/javascript/index.ts

@@ -7,7 +7,6 @@ import * as Components from "./components";
 
 import EditPageController from "./controllers/EditPageController";
 import MainController from "./controllers/MainController";
-import LoginController from "./controllers/LoginController";
 import PageOptionsController from "./controllers/PageOptionsController";
 
 import RichText from "./features/RichText";
@@ -26,7 +25,6 @@ export default function startPages() {
   const application = Application.start();
   application.register("edit-page", EditPageController);
   application.register("main", MainController);
-  application.register("login", LoginController);
   application.register("page-options", PageOptionsController);
 }
 

data/app/jobs/pages_core/autopublish_job.rb

@@ -4,6 +4,8 @@ module PagesCore
   class AutopublishJob < ApplicationJob
     queue_as :pages_core
 
+    retry_on StandardError, attempts: 10, wait: :polynomially_longer
+
     def perform
       Autopublisher.run!
     end

data/app/mailers/admin_mailer.rb

@@ -4,12 +4,12 @@ class AdminMailer < ApplicationMailer
   default from: proc { "\"Pages\" <no-reply@anyone.no>" }
   layout false
 
-  def password_reset(user, url)
+  def account_recovery(user, url)
     @user = user
     @url = url
     mail(
       to: @user.email,
-      subject: "Reset your password on #{PagesCore.config(:site_name)}"
+      subject: "Recover your account on #{PagesCore.config(:site_name)}"
     )
   end
 

data/app/models/concerns/pages_core/has_otp.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module PagesCore
+  module HasOtp
+    extend ActiveSupport::Concern
+
+    included do
+      validates :otp_secret, presence: true, if: :otp_enabled?
+    end
+
+    def recovery_codes=(codes)
+      self.hashed_recovery_codes = codes.map do |c|
+        BCrypt::Password.create(c, cost: 8)
+      end
+    end
+
+    def use_recovery_code!(code)
+      valid_hashes = hashed_recovery_codes.select do |c|
+        BCrypt::Password.new(c) == code
+      end
+      return false unless valid_hashes.any?
+
+      update(hashed_recovery_codes: hashed_recovery_codes - valid_hashes)
+      true
+    end
+  end
+end

data/app/models/concerns/pages_core/has_roles.rb

@@ -16,9 +16,9 @@ module PagesCore
     def role_names=(names)
       self.roles = names.map do |name|
         if role?(name)
-          roles.find_by(name: name)
+          roles.find_by(name:)
         else
-          roles.new(name: name)
+          roles.new(name:)
         end
       end
     end

data/app/models/concerns/pages_core/page_model/dated_page.rb

@@ -90,7 +90,7 @@ module PagesCore
       def siblings_by_date
         siblings.reorder("starts_at ASC, pages.id DESC")
                 .where
-                .not(id: id)
+                .not(id:)
       end
     end
   end

data/app/models/concerns/pages_core/page_model/searchable.rb

@@ -8,7 +8,7 @@ module PagesCore
       def search_document_attributes
         super.merge(
           published: published?,
-          name: name,
+          name:,
           description: try(&:meta_description?) ? meta_description : excerpt,
           # content: "",
           tags: tag_names.join(" ")

data/app/models/concerns/pages_core/page_model/templateable.rb

@@ -7,6 +7,8 @@ module PagesCore
 
       included do
         before_validation :ensure_template
+
+        delegate :enabled_blocks, to: :template_config
       end
 
       def template_config
@@ -27,8 +29,28 @@ module PagesCore
           template
       end
 
+      def unconfigured_blocks
+        blocks = (localizations.where(locale:).pluck(:name)
+                               .map(&:to_sym) -
+                  configured_blocks) &
+                 PagesCore::Templates::TemplateConfiguration.all_blocks
+
+        if block_given?
+          blocks.each do |block_name|
+            yield block_name, template_config.block(block_name)
+          end
+        end
+
+        blocks
+      end
+
       private
 
+      def configured_blocks
+        enabled_blocks + %i[name path_segment meta_title meta_description
+                            open_graph_title open_graph_description]
+      end
+
       def singularized_subtemplate
         singularized = ActiveSupport::Inflector.singularize(base_template)
         return if base_template == singularized

data/app/models/concerns/pages_core/searchable_document.rb

@@ -18,7 +18,7 @@ module PagesCore
 
       class << self
         def index_all!(scope)
-          scope.all.find_each { |r| new(r).index! }
+          scope.find_each { |r| new(r).index! }
         end
       end
 
@@ -53,7 +53,7 @@ module PagesCore
       end
 
       def update_index(locale, attrs)
-        record.search_documents.create_or_find_by!(locale: locale).update(attrs)
+        record.search_documents.create_or_find_by!(locale:).update(attrs)
       end
     end
 
@@ -61,7 +61,7 @@ module PagesCore
       return {} unless respond_to?(:localized_attributes)
 
       content = localized_attributes.keys.map { |a| localizer.get(a) }.join(" ")
-      { content: content }
+      { content: }
     end
 
     def update_search_documents!

data/app/models/otp_secret.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+class OtpSecret
+  attr_reader :user, :secret
+
+  def initialize(user)
+    @user = user
+    @secret = user.otp_secret
+  end
+
+  def account_name
+    user.email
+  end
+
+  def disable!
+    user.update(otp_enabled: false,
+                otp_secret: nil,
+                last_otp_at: nil,
+                recovery_codes: [])
+  end
+
+  def enable!(recovery_codes)
+    user.update(otp_enabled: true,
+                otp_secret: secret,
+                last_otp_at: Time.zone.now,
+                recovery_codes:)
+  end
+
+  def generate
+    @secret = ROTP::Base32.random
+  end
+
+  def generate_recovery_codes
+    10.times.map { SecureRandom.alphanumeric(16) }
+  end
+
+  def provisioning_uri
+    totp.provisioning_uri(account_name)
+  end
+
+  def regenerate_recovery_codes!
+    generate_recovery_codes.tap do |recovery_codes|
+      user.update(recovery_codes:)
+    end
+  end
+
+  def signed_message
+    message_verifier.generate(
+      { user_id: user.id, secret: }, expires_in: 1.hour
+    )
+  end
+
+  def validate_otp!(code)
+    return false unless valid_otp?(code)
+
+    user.update(last_otp_at: Time.zone.now)
+    true
+  end
+
+  def validate_otp_or_recovery_code!(code)
+    if code =~ /^[\d]{6}$/
+      validate_otp!(code)
+    else
+      validate_recovery_code!(code)
+    end
+  end
+
+  def validate_recovery_code!(code)
+    user.use_recovery_code!(code)
+  end
+
+  def verify(params)
+    @secret = verify_secret(params[:signed_message])
+    valid_otp?(params[:otp])
+  end
+
+  private
+
+  def message_verifier
+    Rails.application.message_verifier(:otp_secret)
+  end
+
+  def totp
+    ROTP::TOTP.new(secret)
+  end
+
+  def valid_otp?(otp)
+    if user.otp_enabled?
+      totp.verify(otp, after: user.last_otp_at, drift_behind: 10)
+    else
+      totp.verify(otp, drift_behind: 10)
+    end
+  end
+
+  def verify_secret(signed)
+    payload = message_verifier.verify(signed)
+    raise "Wrong user" unless payload[:user_id] == user.id
+
+    payload[:secret]
+  end
+end

data/app/models/page.rb

@@ -78,7 +78,7 @@ class Page < ApplicationRecord
 
   def move(parent:, position:)
     Page.transaction do
-      update(parent: parent) unless self.parent == parent
+      update(parent:) unless self.parent == parent
       insert_at(position)
     end
   end

data/app/models/page_builder.rb

@@ -19,7 +19,7 @@ class PageBuilder
 
   class << self
     def build(user, locale: nil, parent: nil, &block)
-      new(user, locale: locale, parent: parent)
+      new(user, locale:, parent:)
         .run(&block)
     end
   end
@@ -30,20 +30,20 @@ class PageBuilder
     @parent = parent
   end
 
-  def page(name, options = {}, &block)
+  def page(name, options = {}, &)
     page = Page.create(
-      { name: name }.merge(default_options).merge(options)
+      { name: }.merge(default_options).merge(options)
     )
     if block_given?
       self.class
-          .new(user, locale: locale, parent: page)
-          .run(&block)
+          .new(user, locale:, parent: page)
+          .run(&)
     end
     page
   end
 
-  def run(&block)
-    instance_eval(&block)
+  def run(&)
+    instance_eval(&)
   end
 
   private
@@ -51,9 +51,9 @@ class PageBuilder
   def default_options
     {
       author: user,
-      parent: parent,
+      parent:,
       status: 2,
-      locale: locale
+      locale:
     }
   end
 end

data/app/models/page_exporter.rb

@@ -88,7 +88,7 @@ class PageExporter
   def text_page(page)
     PagesCore::Templates::TemplateConfiguration
       .all_blocks
-      .select { |attr| page.send("#{attr}?".to_sym) }
+      .select { |attr| page.send(:"#{attr}?") }
       .map { |attr| ["-- #{attr}: --", page.send(attr).strip].join("\n\n") }
       .join("\n\n\n")
   end

data/app/models/page_image.rb

@@ -15,7 +15,7 @@ class PageImage < ApplicationRecord
 
   class << self
     def cleanup!
-      all.find_each do |page_image|
+      find_each do |page_image|
         page_image.destroy unless page_image.image
       end
     end

data/app/models/page_path.rb

@@ -28,7 +28,7 @@ class PagePath < ApplicationRecord
     end
 
     def get(locale, path)
-      find_by(locale: locale, path: path)
+      find_by(locale:, path:)
     end
 
     def associate(page, locale: nil, path: nil)
@@ -39,14 +39,14 @@ class PagePath < ApplicationRecord
       raise NoPathError unless path
 
       page_path = get_or_create(locale, path, page)
-      page_path.update(page: page) unless page_path.page_id == page.id
+      page_path.update(page:) unless page_path.page_id == page.id
       page_path
     end
 
     private
 
     def get_or_create(locale, path, page)
-      get(locale, path) || create(locale: locale, path: path, page: page)
+      get(locale, path) || create(locale:, path:, page:)
     end
   end
 end

data/app/models/search_document.rb

@@ -15,12 +15,12 @@ class SearchDocument < ApplicationRecord
   pg_search_scope :full_text_search_scope, lambda { |query, dictionary|
     { against: %i[name description content tags],
       using: { tsearch: { prefix: true,
-                          dictionary: dictionary,
+                          dictionary:,
                           tsvector_column: "tsv" },
                trigram: { only: %i[name] } },
       ignoring: :accents,
       order_within_rank: "search_documents.record_updated_at DESC",
-      query: query }
+      query: }
   }
 
   class << self
@@ -31,7 +31,7 @@ class SearchDocument < ApplicationRecord
 
     def search(query, locale: nil)
       locale ||= I18n.locale
-      where(locale: locale)
+      where(locale:)
         .includes(:searchable)
         .full_text_search_scope(query, search_configuration(locale))
     end

data/app/models/tag.rb

@@ -57,7 +57,7 @@ class Tag < ApplicationRecord
   end
 
   def on(taggable)
-    taggings.create(taggable: taggable)
+    taggings.create(taggable:)
   end
 
   def ==(other)

data/app/models/user.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 class User < ApplicationRecord
+  include PagesCore::HasOtp
   include PagesCore::HasRoles
 
-  attr_accessor :password, :confirm_password
+  has_secure_password
 
   belongs_to(:creator,
              class_name: "User",
@@ -16,7 +17,6 @@ class User < ApplicationRecord
            dependent: :nullify,
            inverse_of: :creator)
   has_many :pages, dependent: :nullify
-  has_many :password_reset_tokens, dependent: :destroy
   has_many :roles, dependent: :destroy
   has_many :invites, dependent: :destroy
   belongs_to_image :image, foreign_key: :image_id, optional: true
@@ -30,12 +30,14 @@ class User < ApplicationRecord
             format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i },
             uniqueness: { case_sensitive: false }
 
-  validates :password, presence: true, on: :create
-  validates :password, length: { minimum: 8 }, allow_blank: true
+  validates :password,
+            length: {
+              minimum: 8,
+              maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED,
+              allow_blank: true
+            }
 
-  validate :confirm_password_must_match
-
-  before_validation :hash_password
+  before_save :update_session_token
   before_create :ensure_first_user_has_all_roles
 
   scope :by_name,     -> { order("name ASC") }
@@ -44,12 +46,11 @@ class User < ApplicationRecord
 
   class << self
     def authenticate(email, password:)
-      user = User.find_by_email(email)
-      user if user.try { |u| u.authenticate!(password) }
+      User.find_by_email(email).try(:authenticate, password)
     end
 
     def find_by_email(str)
-      find_by("LOWER(email) = ?", str.to_s.downcase)
+      find_by("LOWER(email) = ?", str.to_s.downcase.strip)
     end
   end
 
@@ -84,16 +85,6 @@ class User < ApplicationRecord
 
   private
 
-  def confirm_password_must_match
-    return if password.blank? || password == confirm_password
-
-    errors.add(:confirm_password, "does not match")
-  end
-
-  def encrypt_password(password)
-    BCrypt::Password.create(password)
-  end
-
   def ensure_first_user_has_all_roles
     return if User.any?
 
@@ -103,23 +94,10 @@ class User < ApplicationRecord
     end
   end
 
-  def hash_password
-    self.hashed_password = encrypt_password(password) if password.present?
-  end
-
-  def password_needs_rehash?
-    hashed_password.length <= 40
-  end
+  def update_session_token
+    return unless !session_token? || password_digest_changed? ||
+                  otp_enabled_changed?
 
-  def rehash_password!(password)
-    update(hashed_password: encrypt_password(password))
-  end
-
-  def valid_password?(password)
-    if hashed_password.length <= 40
-      hashed_password == Digest::SHA1.hexdigest(password)
-    else
-      BCrypt::Password.new(hashed_password) == password
-    end
+    self.session_token = SecureRandom.hex(32)
   end
 end

data/app/policies/user_policy.rb

@@ -48,4 +48,8 @@ class UserPolicy < Policy
   def change_password?
     user == record
   end
+
+  def otp?
+    user == record
+  end
 end