pages_core 3.13.0 → 3.14.0

data/app/assets/builds/pages_core/admin.css

@@ -8370,10 +8370,6 @@ main .login-form ul li {
       font-size: 1.2em;
     }
 
-.login-tab.hidden {
-    display: none;
-  }
-
 body.modal > .wrapper {
     transition: filter 1000ms linear;
     filter: blur(10px);
@@ -9081,6 +9077,33 @@ textarea.rich {
     box-shadow: 0px 1px 1px #fff;
   }
 
+.totp-enrollment .qr-code {
+    width: 20rem;
+    height: 20rem;
+    border: 1px solid #ddd;
+    border: 1px solid var(--border-color);
+    padding: 1rem;
+    border-radius: 5px;
+  }
+
+.totp-enrollment .qr-code svg {
+      width: 100%;
+      height: 100%;
+    }
+
+ul.recovery-codes {
+  list-style-type: none;
+  padding: 0rem;
+  margin: 2rem 0rem;
+  font-family: monospace;
+  display: flex;
+  flex-direction: column;
+  align-items: flex-start;
+  gap: 1rem;
+  font-size: 1.2em;
+  font-weight: bold;
+}
+
 .drag-handle {
   cursor: pointer;
   float: left;

data/app/assets/stylesheets/pages_core/admin/components/login.css

@@ -25,9 +25,3 @@ main .login-form {
     }
   }
 }
-
-.login-tab {
-  &.hidden {
-    display: none;
-  }
-}

data/app/assets/stylesheets/pages_core/admin/components/totp.css

@@ -0,0 +1,26 @@
+.totp-enrollment {
+  .qr-code {
+    width: 20rem;
+    height: 20rem;
+    border: 1px solid var(--border-color);
+    padding: 1rem;
+    border-radius: 5px;
+    svg {
+      width: 100%;
+      height: 100%;
+    }
+  }
+}
+
+ul.recovery-codes {
+  list-style-type: none;
+  padding: 0rem;
+  margin: 2rem 0rem;
+  font-family: monospace;
+  display: flex;
+  flex-direction: column;
+  align-items: flex-start;
+  gap: 1rem;
+  font-size: 1.2em;
+  font-weight: bold;
+}

data/app/controllers/admin/account_recoveries_controller.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Admin
+  class AccountRecoveriesController < Admin::AdminController
+    before_action :require_authentication, except: %i[new create show update]
+    before_action :find_by_token, only: %i[show update]
+    around_action :validate_otp, only: %i[update]
+
+    def show; end
+
+    def new; end
+
+    def create
+      @user = User.find_by_email(params[:email])
+      if @user
+        deliver_account_recovery(@user)
+        flash[:notice] = t("pages_core.account_recovery.sent")
+      else
+        flash[:notice] = t("pages_core.account_recovery.not_found")
+      end
+      redirect_to admin_login_url
+    end
+
+    def update
+      if user_params[:password].present? && @user.update(user_params)
+        authenticate!(@user)
+        flash[:notice] = t("pages_core.account_recovery.changed")
+        redirect_to admin_login_url
+      else
+        render action: :show
+      end
+    end
+
+    private
+
+    def deliver_account_recovery(user)
+      AdminMailer.account_recovery(
+        user,
+        admin_account_recovery_with_token_url(recovery_token(user))
+      ).deliver_later
+    end
+
+    def fail_recovery(message)
+      flash[:notice] = message
+      redirect_to new_admin_account_recovery_url
+    end
+
+    def find_by_token
+      @token = params[:token]
+      @user = User.find(message_verifier.verify(@token)[:id])
+      return if @user
+
+      fail_recovery(t("pages_core.account_recovery.invalid_request"))
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      fail_recovery(t("pages_core.account_recovery.invalid_request"))
+    end
+
+    def message_verifier
+      Rails.application.message_verifier(:account_recovery)
+    end
+
+    def recovery_token(user)
+      message_verifier.generate({ id: user.id }, expires_in: 24.hours)
+    end
+
+    def user_params
+      params.require(:user).permit(:password, :password_confirmation)
+    end
+
+    def validate_otp
+      User.transaction do
+        if valid_otp(@user, params[:otp])
+          yield
+        else
+          flash.now[:notice] = t("pages_core.otp.invalid_code")
+          render action: :show
+        end
+      end
+    end
+
+    def valid_otp(user, otp)
+      return true unless user.otp_enabled?
+
+      OtpSecret.new(user).validate_otp_or_recovery_code!(otp)
+    end
+  end
+end

data/app/controllers/admin/invites_controller.rb

@@ -62,11 +62,12 @@ module Admin
       return if @invite && secure_compare(@invite.token, params[:token])
 
       flash[:notice] = t("pages_core.invite_expired")
-      redirect_to(login_admin_users_url) && return
+      redirect_to(admin_login_url)
     end
 
     def user_params
-      params.require(:user).permit(:name, :email, :password, :confirm_password)
+      params.require(:user)
+            .permit(:name, :email, :password, :password_confirmation)
     end
 
     def invite_params

data/app/controllers/admin/otp_secrets_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Admin
+  class OtpSecretsController < Admin::AdminController
+    before_action :require_otp_disabled, only: %i[new create]
+    before_action :find_otp_secret
+
+    def new
+      @otp_secret.generate
+    end
+
+    def create
+      if @otp_secret.verify(otp_secret_params)
+        @recovery_codes = @otp_secret.generate_recovery_codes
+        @otp_secret.enable!(@recovery_codes)
+      else
+        flash[:error] = t("pages_core.otp.invalid_code")
+        redirect_to new_admin_otp_secret_path
+      end
+    end
+
+    def destroy
+      @otp_secret.disable!
+      flash[:notice] = t("pages_core.otp.disabled")
+      redirect_to edit_admin_user_path(current_user)
+    end
+
+    private
+
+    def find_otp_secret
+      @otp_secret = OtpSecret.new(current_user)
+    end
+
+    def otp_secret_params
+      params.permit(:signed_message, :otp)
+    end
+
+    def require_otp_disabled
+      return unless current_user.otp_enabled?
+
+      flash[:notice] = t("pages_core.otp.already_enabled")
+      redirect_to edit_admin_user_path(current_user)
+    end
+  end
+end

data/app/controllers/admin/recovery_codes_controller.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Admin
+  class RecoveryCodesController < Admin::AdminController
+    before_action :require_otp_enabled
+    before_action :find_otp_secret
+
+    def new; end
+
+    def create
+      if @otp_secret.validate_otp!(params[:otp])
+        @recovery_codes = @otp_secret.regenerate_recovery_codes!
+      else
+        flash[:error] = t("pages_core.otp.invalid_code")
+        redirect_to new_admin_recovery_codes_path
+      end
+    end
+
+    private
+
+    def find_otp_secret
+      @otp_secret = OtpSecret.new(current_user)
+    end
+
+    def require_otp_enabled
+      return if current_user.otp_enabled?
+
+      flash[:notice] = t("pages_core.otp.required")
+      redirect_to edit_admin_user_path(current_user)
+    end
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Admin
+  class SessionsController < Admin::AdminController
+    before_action :require_authentication, only: %i[destroy]
+    before_action :find_user, only: %i[create]
+    before_action :find_signed_user, only: %i[verify_otp]
+    before_action :require_user, only: %i[create verify_otp]
+
+    def new
+      redirect_to admin_default_url if logged_in?
+    end
+
+    def create
+      if @user.otp_enabled?
+        @signed_user_id = message_verifier.generate(
+          @user.id, expires_in: 1.hour
+        )
+        render template: "admin/sessions/verify_otp"
+      else
+        authenticate!(@user)
+        redirect_to admin_default_url
+      end
+    end
+
+    def destroy
+      flash[:notice] = t("pages_core.logged_out")
+      deauthenticate!
+      redirect_to admin_login_url
+    end
+
+    def verify_otp
+      @otp_secret = OtpSecret.new(@user)
+      if @otp_secret.validate_otp!(params[:otp])
+        authenticate!(@user)
+        redirect_to admin_default_url
+      else
+        flash[:notice] = t("pages_core.otp.invalid_code")
+        render template: "admin/sessions/verify_otp"
+      end
+    end
+
+    private
+
+    def find_signed_user
+      @signed_user_id = params[:signed_user_id]
+      @user = User.find(message_verifier.verify(@signed_user_id))
+    end
+
+    def find_user
+      @user = User.authenticate(params[:email], password: params[:password])
+    end
+
+    def message_verifier
+      Rails.application.message_verifier(:session)
+    end
+
+    def require_user
+      return if @user
+
+      flash[:notice] = t("pages_core.invalid_login")
+      redirect_to admin_login_url
+    end
+  end
+end

data/app/controllers/admin/users_controller.rb

@@ -2,7 +2,7 @@
 
 module Admin
   class UsersController < Admin::AdminController
-    before_action :require_authentication, except: %i[new create login]
+    before_action :require_authentication, except: %i[new create]
     before_action :require_no_users, only: %i[new create]
     before_action(
       :find_user,
@@ -19,12 +19,6 @@ module Admin
       @invites = []
     end
 
-    def login
-      return unless logged_in?
-
-      redirect_to admin_default_url
-    end
-
     def show; end
 
     def new
@@ -81,7 +75,7 @@ module Admin
                              { role_names: [] }]
       end
       if User.none? || (@user && policy(@user).change_password?)
-        permitted_params += %i[password confirm_password]
+        permitted_params += %i[password password_confirmation]
       end
       params.require(:user).permit(permitted_params)
     end

data/app/controllers/concerns/pages_core/authentication.rb

@@ -35,20 +35,22 @@ module PagesCore
       @current_user = user
     end
 
-    def start_authenticated_session
-      if session[:current_user_id]
-        user = User.where(id: session[:current_user_id]).first
-      end
-
-      return unless user&.can_login?
+    def finalize_authenticated_session
+      return unless logged_in?
 
-      authenticated(user)
+      session[:current_user] =
+        { id: current_user.id, token: current_user.session_token }
     end
 
-    def finalize_authenticated_session
-      return unless current_user
+    def start_authenticated_session
+      user_session = session.fetch(:current_user, nil)&.symbolize_keys
+
+      return unless user_session
 
-      session[:current_user_id] = current_user.id
+      user = User.find_by(id: user_session[:id])
+      return unless user && user.session_token == user_session[:token]
+
+      authenticated(user)
     end
   end
 end

data/app/controllers/pages_core/admin_controller.rb

@@ -48,7 +48,7 @@ module PagesCore
       if User.count < 1
         redirect_to(new_admin_user_url)
       else
-        redirect_to(login_admin_users_url)
+        redirect_to(admin_login_url)
       end
     end
 

data/app/helpers/pages_core/admin/admin_helper.rb

@@ -33,6 +33,17 @@ module PagesCore
         %w[January February March April May June July August September October
            November December][month - 1]
       end
+
+      def qr_code(url)
+        ActiveSupport::SafeBuffer.new(
+          RQRCode::QRCode.new(url)
+                         .as_svg({ color: "000",
+                                   shape_rendering: "crispEdges",
+                                   module_size: 10,
+                                   use_path: true,
+                                   viewbox: true })
+        )
+      end
     end
   end
 end

data/app/javascript/index.ts

@@ -7,7 +7,6 @@ import * as Components from "./components";
 
 import EditPageController from "./controllers/EditPageController";
 import MainController from "./controllers/MainController";
-import LoginController from "./controllers/LoginController";
 import PageOptionsController from "./controllers/PageOptionsController";
 
 import RichText from "./features/RichText";
@@ -26,7 +25,6 @@ export default function startPages() {
   const application = Application.start();
   application.register("edit-page", EditPageController);
   application.register("main", MainController);
-  application.register("login", LoginController);
   application.register("page-options", PageOptionsController);
 }
 

data/app/mailers/admin_mailer.rb

@@ -4,12 +4,12 @@ class AdminMailer < ApplicationMailer
   default from: proc { "\"Pages\" <no-reply@anyone.no>" }
   layout false
 
-  def password_reset(user, url)
+  def account_recovery(user, url)
     @user = user
     @url = url
     mail(
       to: @user.email,
-      subject: "Reset your password on #{PagesCore.config(:site_name)}"
+      subject: "Recover your account on #{PagesCore.config(:site_name)}"
     )
   end
 

data/app/models/concerns/pages_core/has_otp.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module PagesCore
+  module HasOtp
+    extend ActiveSupport::Concern
+
+    included do
+      validates :otp_secret, presence: true, if: :otp_enabled?
+    end
+
+    def recovery_codes=(codes)
+      self.hashed_recovery_codes = codes.map do |c|
+        BCrypt::Password.create(c, cost: 8)
+      end
+    end
+
+    def use_recovery_code!(code)
+      valid_hashes = hashed_recovery_codes.select do |c|
+        BCrypt::Password.new(c) == code
+      end
+      return false unless valid_hashes.any?
+
+      update(hashed_recovery_codes: hashed_recovery_codes - valid_hashes)
+      true
+    end
+  end
+end

data/app/models/otp_secret.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+class OtpSecret
+  attr_reader :user, :secret
+
+  def initialize(user)
+    @user = user
+    @secret = user.otp_secret
+  end
+
+  def account_name
+    user.email
+  end
+
+  def disable!
+    user.update(otp_enabled: false,
+                otp_secret: nil,
+                last_otp_at: nil,
+                recovery_codes: [])
+  end
+
+  def enable!(recovery_codes)
+    user.update(otp_enabled: true,
+                otp_secret: secret,
+                last_otp_at: Time.zone.now,
+                recovery_codes:)
+  end
+
+  def generate
+    @secret = ROTP::Base32.random
+  end
+
+  def generate_recovery_codes
+    10.times.map { SecureRandom.alphanumeric(16) }
+  end
+
+  def provisioning_uri
+    totp.provisioning_uri(account_name)
+  end
+
+  def regenerate_recovery_codes!
+    generate_recovery_codes.tap do |recovery_codes|
+      user.update(recovery_codes:)
+    end
+  end
+
+  def signed_message
+    message_verifier.generate(
+      { user_id: user.id, secret: }, expires_in: 1.hour
+    )
+  end
+
+  def validate_otp!(code)
+    return false unless valid_otp?(code)
+
+    user.update(last_otp_at: Time.zone.now)
+    true
+  end
+
+  def validate_otp_or_recovery_code!(code)
+    if code =~ /^[\d]{6}$/
+      validate_otp!(code)
+    else
+      validate_recovery_code!(code)
+    end
+  end
+
+  def validate_recovery_code!(code)
+    user.use_recovery_code!(code)
+  end
+
+  def verify(params)
+    @secret = verify_secret(params[:signed_message])
+    valid_otp?(params[:otp])
+  end
+
+  private
+
+  def message_verifier
+    Rails.application.message_verifier(:otp_secret)
+  end
+
+  def totp
+    ROTP::TOTP.new(secret)
+  end
+
+  def valid_otp?(otp)
+    if user.otp_enabled?
+      totp.verify(otp, after: user.last_otp_at, drift_behind: 10)
+    else
+      totp.verify(otp, drift_behind: 10)
+    end
+  end
+
+  def verify_secret(signed)
+    payload = message_verifier.verify(signed)
+    raise "Wrong user" unless payload[:user_id] == user.id
+
+    payload[:secret]
+  end
+end

data/app/models/user.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 class User < ApplicationRecord
+  include PagesCore::HasOtp
   include PagesCore::HasRoles
 
-  attr_accessor :password, :confirm_password
+  has_secure_password
 
   belongs_to(:creator,
              class_name: "User",
@@ -16,7 +17,6 @@ class User < ApplicationRecord
            dependent: :nullify,
            inverse_of: :creator)
   has_many :pages, dependent: :nullify
-  has_many :password_reset_tokens, dependent: :destroy
   has_many :roles, dependent: :destroy
   has_many :invites, dependent: :destroy
   belongs_to_image :image, foreign_key: :image_id, optional: true
@@ -30,12 +30,14 @@ class User < ApplicationRecord
             format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i },
             uniqueness: { case_sensitive: false }
 
-  validates :password, presence: true, on: :create
-  validates :password, length: { minimum: 8 }, allow_blank: true
+  validates :password,
+            length: {
+              minimum: 8,
+              maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED,
+              allow_blank: true
+            }
 
-  validate :confirm_password_must_match
-
-  before_validation :hash_password
+  before_save :update_session_token
   before_create :ensure_first_user_has_all_roles
 
   scope :by_name,     -> { order("name ASC") }
@@ -44,12 +46,11 @@ class User < ApplicationRecord
 
   class << self
     def authenticate(email, password:)
-      user = User.find_by_email(email)
-      user if user.try { |u| u.authenticate!(password) }
+      User.find_by_email(email).try(:authenticate, password)
     end
 
     def find_by_email(str)
-      find_by("LOWER(email) = ?", str.to_s.downcase)
+      find_by("LOWER(email) = ?", str.to_s.downcase.strip)
     end
   end
 
@@ -84,16 +85,6 @@ class User < ApplicationRecord
 
   private
 
-  def confirm_password_must_match
-    return if password.blank? || password == confirm_password
-
-    errors.add(:confirm_password, "does not match")
-  end
-
-  def encrypt_password(password)
-    BCrypt::Password.create(password)
-  end
-
   def ensure_first_user_has_all_roles
     return if User.any?
 
@@ -103,23 +94,10 @@ class User < ApplicationRecord
     end
   end
 
-  def hash_password
-    self.hashed_password = encrypt_password(password) if password.present?
-  end
-
-  def password_needs_rehash?
-    hashed_password.length <= 40
-  end
+  def update_session_token
+    return unless !session_token? || password_digest_changed? ||
+                  otp_enabled_changed?
 
-  def rehash_password!(password)
-    update(hashed_password: encrypt_password(password))
-  end
-
-  def valid_password?(password)
-    if hashed_password.length <= 40
-      hashed_password == Digest::SHA1.hexdigest(password)
-    else
-      BCrypt::Password.new(hashed_password) == password
-    end
+    self.session_token = SecureRandom.hex(32)
   end
 end

data/app/policies/user_policy.rb

@@ -48,4 +48,8 @@ class UserPolicy < Policy
   def change_password?
     user == record
   end
+
+  def otp?
+    user == record
+  end
 end