RubyGems - pages_core - Versions diffs - 3.13.0 → 3.14.0 - Mend

pages_core 3.13.0 → 3.14.0

Files changed (52) hide show

checksums.yaml +4 -4
data/VERSION +1 -1
data/app/assets/builds/pages_core/admin-dist.js +1 -1
data/app/assets/builds/pages_core/admin-dist.js.map +4 -4
data/app/assets/builds/pages_core/admin.css +27 -4
data/app/assets/stylesheets/pages_core/admin/components/login.css +0 -6
data/app/assets/stylesheets/pages_core/admin/components/totp.css +26 -0
data/app/controllers/admin/account_recoveries_controller.rb +87 -0
data/app/controllers/admin/invites_controller.rb +3 -2
data/app/controllers/admin/otp_secrets_controller.rb +45 -0
data/app/controllers/admin/recovery_codes_controller.rb +32 -0
data/app/controllers/admin/sessions_controller.rb +65 -0
data/app/controllers/admin/users_controller.rb +2 -8
data/app/controllers/concerns/pages_core/authentication.rb +12 -10
data/app/controllers/pages_core/admin_controller.rb +1 -1
data/app/helpers/pages_core/admin/admin_helper.rb +11 -0
data/app/javascript/index.ts +0 -2
data/app/mailers/admin_mailer.rb +2 -2
data/app/models/concerns/pages_core/has_otp.rb +27 -0
data/app/models/otp_secret.rb +101 -0
data/app/models/user.rb +15 -37
data/app/policies/user_policy.rb +4 -0
data/app/views/admin/account_recoveries/new.html.erb +22 -0
data/app/views/admin/account_recoveries/show.html.erb +37 -0
data/app/views/admin/invites/show.html.erb +1 -1
data/app/views/admin/otp_secrets/create.html.erb +7 -0
data/app/views/admin/otp_secrets/new.html.erb +60 -0
data/app/views/admin/recovery_codes/_codes.html.erb +14 -0
data/app/views/admin/recovery_codes/create.html.erb +7 -0
data/app/views/admin/recovery_codes/new.html.erb +11 -0
data/app/views/admin/sessions/_otp_form.html.erb +13 -0
data/app/views/admin/sessions/new.html.erb +33 -0
data/app/views/admin/sessions/verify_otp.html.erb +19 -0
data/app/views/admin/users/edit.html.erb +31 -1
data/app/views/admin/users/new.html.erb +1 -1
data/app/views/admin_mailer/account_recovery.text.erb +10 -0
data/app/views/layouts/admin/_header.html.erb +1 -1
data/app/views/layouts/admin/_toast.html.erb +12 -0
data/app/views/layouts/admin.html.erb +1 -1
data/config/locales/en.yml +11 -3
data/config/routes.rb +11 -6
data/db/migrate/20240126160700_add_2fa_fields.rb +22 -0
data/db/migrate/20240129201300_remove_password_reset_tokens.rb +13 -0
data/lib/pages_core.rb +6 -0
metadata +51 -9
data/app/controllers/admin/password_resets_controller.rb +0 -85
data/app/controllers/sessions_controller.rb +0 -27
data/app/javascript/controllers/LoginController.ts +0 -32
data/app/models/password_reset_token.rb +0 -34
data/app/views/admin/password_resets/show.html.erb +0 -21
data/app/views/admin/users/login.html.erb +0 -65
data/app/views/admin_mailer/password_reset.text.erb +0 -11

data/app/controllers/admin/password_resets_controller.rb DELETED Viewed

@@ -1,85 +0,0 @@
-# frozen_string_literal: true
-module Admin
-  class PasswordResetsController < Admin::AdminController
-    before_action :find_password_reset_token, only: %i[show update]
-    before_action :check_for_expired_token, only: %i[show update]
-    before_action :require_authentication, except: %i[create show update]
-    layout "admin"
-    def show
-      @user = @password_reset_token.user
-    end
-    def create
-      @user = find_user_by_email(params[:email])
-      if @user
-        @password_reset_token = @user.password_reset_tokens.create
-        deliver_password_reset(@user, @password_reset_token)
-        flash[:notice] = t("pages_core.password_reset.sent")
-      else
-        flash[:notice] = t("pages_core.password_reset.not_found")
-      end
-      redirect_to login_admin_users_url
-    end
-    def update
-      @user = @password_reset_token.user
-      if user_params[:password].present? && @user.update(user_params)
-        @password_reset_token.destroy
-        authenticate!(@user)
-        flash[:notice] = t("pages_core.password_reset.changed")
-        redirect_to login_admin_users_url
-      else
-        render action: :show
-      end
-    end
-    private
-    def deliver_password_reset(user, password_reset)
-      AdminMailer.password_reset(
-        user,
-        admin_password_reset_with_token_url(
-          password_reset, password_reset.token
-        )
-      ).deliver_later
-    end
-    def find_user_by_email(email)
-      return unless email
-      User.find_by_email(params[:email])
-    end
-    def user_params
-      params.require(:user).permit(:password, :confirm_password)
-    end
-    def valid_token?(reset)
-      reset && secure_compare(reset.token, params[:token])
-    end
-    def find_password_reset_token
-      @password_reset_token = begin
-        PasswordResetToken.find(params[:id])
-      rescue ActiveRecord::RecordNotFound
-        nil
-      end
-      return if valid_token?(@password_reset_token)
-      flash[:notice] = t("pages_core.password_reset.invalid_request")
-      redirect_to(login_admin_users_url) && return
-    end
-    def check_for_expired_token
-      return unless @password_reset_token.expired?
-      @password_reset_token.destroy
-      flash[:notice] = t("pages_core.password_reset.expired")
-      redirect_to(login_admin_users_url)
-    end
-  end
-end

data/app/controllers/sessions_controller.rb DELETED Viewed

@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-class SessionsController < ApplicationController
-  def create
-    user = find_user(params[:email], params[:password])
-    authenticate!(user) if user
-    if logged_in?
-      redirect_to admin_default_url
-    else
-      flash[:notice] = t("pages_core.invalid_login")
-      redirect_to login_admin_users_url
-    end
-  end
-  def destroy
-    flash[:notice] = t("pages_core.logged_out")
-    deauthenticate!
-    redirect_to login_admin_users_url
-  end
-  protected
-  def find_user(email, password)
-    User.authenticate(email, password:) if email && password
-  end
-end

data/app/javascript/controllers/LoginController.ts DELETED Viewed

@@ -1,32 +0,0 @@
-import { Controller } from "@hotwired/stimulus";
-export default class LoginController extends Controller {
-  declare readonly tabTargets: HTMLDivElement[];
-  static get targets() {
-    return ["tab"];
-  }
-  connect() {
-    if (this.tabTargets.length > 0) {
-      this.showTab(this.tabTargets[0].dataset.tab);
-    }
-  }
-  changeTab(evt: Event) {
-    evt.preventDefault();
-    if ("dataset" in evt.target && "tab" in evt.target.dataset) {
-      this.showTab(evt.target.dataset.tab);
-    }
-  }
-  showTab(tab: string) {
-    this.tabTargets.forEach((t) => {
-      if (t.dataset.tab == tab) {
-        t.classList.remove("hidden");
-      } else {
-        t.classList.add("hidden");
-      }
-    });
-  }
-}

data/app/models/password_reset_token.rb DELETED Viewed

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-class PasswordResetToken < ApplicationRecord
-  belongs_to :user
-  before_create :ensure_token
-  before_create :ensure_expiration
-  scope :active,  -> { where("expires_at >= ?", Time.now.utc) }
-  scope :expired, -> { where("expires_at < ?", Time.now.utc) }
-  class << self
-    def default_expiration
-      24.hours
-    end
-    def expire!
-      expired.delete_all
-    end
-  end
-  def expired?
-    expires_at < Time.now.utc
-  end
-  private
-  def ensure_expiration
-    self.expires_at ||= Time.now.utc + self.class.default_expiration
-  end
-  def ensure_token
-    self.token ||= SecureRandom.hex(32)
-  end
-end

data/app/views/admin/password_resets/show.html.erb DELETED Viewed

@@ -1,21 +0,0 @@
-<% content_for :page_title, "Reset password" %>
-<% content_for :page_description, "Please choose a new password to proceed" %>
-<% content_for :body_class, "login" %>
-<div class="login-form">
-  <%= form_for(@user,
-               url: admin_password_reset_path(@password_reset_token, token: @password_reset_token.token),
-               builder: PagesCore::Admin::FormBuilder,
-               class: 'form') do |f| %>
-    <%= f.labelled_password_field(:password,
-                                  autocomplete: "new-password") %>
-    <%= f.labelled_password_field(:confirm_password,
-                                  autocomplete: "new-password") %>
-    <p>
-      <button type="submit">
-        Change Password
-      </button>
-      or <%= link_to "Return to login screen", login_admin_users_path %>
-    </p>
-  <% end %>
-</div>

data/app/views/admin/users/login.html.erb DELETED Viewed

@@ -1,65 +0,0 @@
-<% content_for :page_title, "Sign in" %>
-<% content_for(:page_description,
-               "Please enter your email address and password to sign in") %>
-<% content_for :body_class, "login" %>
-<% content_for :sidebar do %>
-  <h2>Please note</h2>
-  <p>
-    Please contact support if you experience problems logging in or using Pages.
-  </p>
-<% end %>
-<div class="login-form"
-     data-controller="login">
-  <div class="login-tab password"
-       data-login-target="tab"
-       data-tab="password">
-    <%= form_tag session_path do %>
-      <p>
-        <label>Email address</label>
-        <%= text_field_tag(:email, "", autocomplete: "email") %>
-      </p>
-      <p>
-        <label>Password</label>
-        <%= password_field_tag(:password, "", autocomplete: "current-password") %>
-      </p>
-      <p>
-        <button type="submit">Sign in</button>
-      </p>
-      <ul>
-        <li>
-          <%= link_to("<b>Help!</b> I forgot my password!".html_safe,
-                      login_admin_users_path,
-                      data: {
-                        action: "click->login#changeTab",
-                        tab: "password-reset"
-          }) %>
-        </li>
-      </ul>
-    <% end %>
-  </div>
-  <div class="login-tab password-reset"
-       data-login-target="tab"
-       data-tab="password-reset">
-    <%= form_tag admin_password_resets_path do %>
-      <h2>
-        Forgot your password?
-      </h2>
-      <p>
-        Don't worry, it happens.
-        Enter your email address below,
-        and we'll send you a link where you can reset your password.
-      </p>
-      <p>
-        <%= text_field_tag(:email, "", autocomplete: "email") %>
-      </p>
-      <p>
-        <button type="submit">
-          Send
-        </button>
-      </p>
-    <% end %>
-  </div>
-</div>

data/app/views/admin_mailer/password_reset.text.erb DELETED Viewed

@@ -1,11 +0,0 @@
-Hi, <%= @user.name %>!
-We've received a request to reset the password for your account on <%= PagesCore.config(:site_name) %>.
-If you want to reset your password, please click the following link:
-<%= @url %>
-This will take you to a web page where you can set a new password of your choosing. The link will expire in 24 hours.
-If you do not want to change your password, please ignore this email.