pseudo_kiosk 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d55fa93717efba52a0ed428d4fc4ac23f25321792f7ab517fa5f25c6e516be3c
+  data.tar.gz: 36cad7483842d86cb7a394d06ff291d1ce96aa042bff143867721735fb1a1705
+SHA512:
+  metadata.gz: 4a9bb2ea15dee2086fe4f73e0df30e5ed1b912f8782ea870f18c60c83501c59d7e8d85d1c4215c76d31af6755aedfdea51bdae9dc086db4744da950d649773b2
+  data.tar.gz: 6f610505ff484a4f85aaae880eb0064767dceedad968e48877a14510b143352b3b34c29a136f0fb5566d120661788859875bac6264a3abe640aeec960612713a

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,94 @@
+# PseudoKiosk
+
+![Build Status](https://travis-ci.org/jonmchan/pseudo_kiosk.svg?branch=master)
+
+PseudoKiosk is a play on words on the unix sudo command and the idea to provide a fake kiosk terminal. Instead of granting elevated privileges, PseudoKiosk gives the ability to limit access to the application during workflows which involve physically passing a device with elevated permissions to an unknown or untrusted user. PseudoKiosk provides the ability to lock down a rails application to only a specified whitelist of endpoints during a session. The kiosk can be quickly and easily unlocked by passing a kiosk passcode.
+
+The motivating user scenario for this is a mobile, tablet, or kiosk device where data input must be received from an untrusted user while the device is mainly used by a privileged user (such as a cashier in a POS system). With PseudoKiosk, the device can be safely passed to the end customer to input his/her own information without fear of accidently or malicously utilizing the main user's elevated privileges. 
+
+After the form has been successfully submitted, a simple friendly unlock screen is provided for the privileged user to quickly unlock the kiosk and continue the workflow. 
+
+## Demo
+
+![](doc/pseudo_kiosk_demo.gif)
+
+You can also clone this repository and run the test application.
+
+```
+git clone https://github.com/jonmchan/pseudo_kiosk.git
+cd pseudo_kiosk
+bundle install
+bundle exec rails s
+```
+
+Open http://localhost:3000 and you should see the same demo above. Passcode is `abc`.
+
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'pseudo_kiosk'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install pseudo_kiosk 
+```
+
+## Usage
+
+Add the PseudoKiosk::Engine to your `config/routes.rb`:
+
+```
+mount PseudoKiosk::Engine => "/pseudo_kiosk"
+```
+
+Add the before_action script to check all requests if it is in protected or not by putting it in your `app/controller/application_controller.rb` file:
+
+```
+before_action :secure_pseudo_kiosk
+```
+
+Create an initializer to configure pseudo_kiosk in `config/initializers/pseudo_kiosk.rb`:
+
+The unlock mechanism can be a simple unlock string such as:
+```
+PseudoKiosk::Config.configure do |config|
+  config.unlock_mechanism = "abc"
+end
+```
+
+Or it can be a lambda function:
+```
+PseudoKiosk::Config.configure do |config|
+  config.unlock_mechanism = ->(controller_context, params) {
+    return Digest::SHA256.base64digest(params[:passcode]) == controller_context.current_user.passcode_hash ? true : false
+  } 
+end
+```
+
+The lambda function receives an instance of the controller which can be used to call functions such as current_user or session and all the params passed from the authentication unlock action. By default, the only parameter passed is `passcode`.
+
+
+If you wish to override the default unlock screen, copy the [built in view](https://github.com/jonmchan/pseudo_kiosk/blob/master/app/views/pseudo_kiosk/authentication/unlock.html.erb) and put it in `app/views/pseudo_kiosk/authentication/unlock.html.erb`. Edit it to your heart's content.
+
+### Core Functions
+
+You can call any of these functions to go in and out of kiosk mode (refer to [code documentation](https://github.com/jonmchan/pseudo_kiosk/blob/master/lib/pseudo_kiosk/controller.rb)) 
+
+* pseudo_kiosk_start(url_whitelist, unauthorized_endpoint_redirect_url)
+* pseudo_kiosk_exit(unlock_redirect_url)
+* clear_pseudo_kiosk_session
+
+
+## Contributing
+Feel free to submit PRs or Issues to the project's github page - https://github.com/jonmchan/pseudo_kiosk.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,27 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'PseudoKiosk'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/app/assets/config/pseudo_kiosk_manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts/pseudo_kiosk .js
+//= link_directory ../stylesheets/pseudo_kiosk .css

data/app/assets/javascripts/pseudo_kiosk/application.js

@@ -0,0 +1,14 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require rails-ujs
+//= require_tree .

data/app/assets/javascripts/pseudo_kiosk/authentication.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/stylesheets/pseudo_kiosk/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/assets/stylesheets/pseudo_kiosk/authentication.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/pseudo_kiosk/application_controller.rb

@@ -0,0 +1,5 @@
+module PseudoKiosk 
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception, prepend: true
+  end
+end

data/app/controllers/pseudo_kiosk/authentication_controller.rb

@@ -0,0 +1,37 @@
+class PseudoKiosk::AuthenticationController < ApplicationController
+  skip_before_action :verify_authenticity_token
+  def unlock
+    unless session[:pseudo_kiosk_enabled]
+      redirect_back(fallback_location: root_path) 
+      return
+    end
+    render :layout => false
+  end
+
+  def process_submit
+    unless session[:pseudo_kiosk_enabled]
+      redirect_back(fallback_location: root_path) 
+      return
+    end
+    if PseudoKiosk::Config.unlock_mechanism.nil?
+      raise "PseudoKiosk::Config.unlock_mechanism is missing!"
+    elsif PseudoKiosk::Config.unlock_mechanism.is_a? String
+      PseudoKiosk::Config.unlock_mechanism == params[:passcode] ? unlock_success : unlock_fail
+    elsif PseudoKiosk::Config.unlock_mechanism.is_a? Proc 
+      PseudoKiosk::Config.unlock_mechanism.call(self, params) ? unlock_success : unlock_fail
+    else 
+      raise "No clue how to use an PseudoKiosk::Config.unlock_mechanism that is a #{PseudoKiosk::Config.unlock_mechanism.class}!"
+    end
+  end
+
+  private
+  def unlock_success
+    redirect_url = session[:pseudo_kiosk_unlock_redirect_url]
+    clear_pseudo_kiosk_session
+    redirect_to redirect_url
+  end
+
+  def unlock_fail
+    redirect_to(PseudoKiosk::Engine.routes.url_helpers.pseudo_kiosk_authentication_unlock_path(failed: "true"))
+  end
+end

data/app/helpers/pseudo_kiosk/application_helper.rb

@@ -0,0 +1,4 @@
+module PseudoKiosk
+  module ApplicationHelper
+  end
+end

data/app/helpers/pseudo_kiosk/authentication_helper.rb

@@ -0,0 +1,2 @@
+module PseudoKiosk::AuthenticationHelper
+end

data/app/views/layouts/pseudo_kiosk/application.html.erb

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Kiosk lock</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= stylesheet_link_tag    "pseudo_kiosk/application", media: "all" %>
+  <%= javascript_include_tag "pseudo_kiosk/application" %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/pseudo_kiosk/authentication/process_submit.html.erb

@@ -0,0 +1,2 @@
+<h1>PseudoKiosk::Authentication#process_submit</h1>
+<p>Find me in app/views/pseudo_kiosk/authentication/process_submit.html.erb</p>

data/app/views/pseudo_kiosk/authentication/unlock.html.erb

@@ -0,0 +1,259 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+
+<%= csrf_meta_tags %>
+<%= csp_meta_tag %>
+<title>Operator Unlock</title>
+
+<meta name="viewport" content="width=device-width">
+<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css">
+
+<style>
+  .pullee {
+  width: 10rem;
+  appearance: none;
+}
+.pullee:active::-webkit-slider-thumb {
+  appearance: none;
+  transform: scale(1.1);
+  cursor: -webkit-grabbing;
+  cursor: -moz-grabbing;
+}
+.pullee:active::-moz-range-thumb {
+  border: 0;
+  transform: scale(1.1);
+  cursor: -webkit-grabbing;
+  cursor: -moz-grabbing;
+}
+.pullee:active::-ms-thumb {
+  transform: scale(1.1);
+  cursor: -webkit-grabbing;
+  cursor: -moz-grabbing;
+}
+.pullee:focus {
+  outline: none;
+}
+.pullee::-webkit-slider-thumb {
+  appearance: none;
+  display: block;
+  width: 1rem;
+  height: 1rem;
+  border-radius: 50%;
+  background: #5990DD;
+  transform-origin: 50% 50%;
+  transform: scale(1);
+  transition: transform ease-out 100ms;
+  cursor: -webkit-grab;
+  cursor: -moz-grab;
+}
+.pullee::-moz-range-thumb {
+  border: 0;
+  display: block;
+  width: 1rem;
+  height: 1rem;
+  border-radius: 50%;
+  background: #5990DD;
+  transform-origin: 50% 50%;
+  transform: scale(1);
+  transition: transform ease-out 100ms;
+  cursor: -webkit-grab;
+  cursor: -moz-grab;
+}
+.pullee::-ms-thumb {
+  display: block;
+  width: 1rem;
+  height: 1rem;
+  border-radius: 50%;
+  background: #5990DD;
+  transform-origin: 50% 50%;
+  transform: scale(1);
+  transition: transform ease-out 100ms;
+  cursor: -webkit-grab;
+  cursor: -moz-grab;
+}
+.pullee::-webkit-slider-runnable-track {
+  height: 1rem;
+  padding: .25rem;
+  box-sizing: content-box;
+  border-radius: 1rem;
+  background-color: #DDE0E3;
+}
+.pullee::-moz-range-track {
+  height: 1rem;
+  padding: .25rem;
+  box-sizing: content-box;
+  border-radius: 1rem;
+  background-color: #DDE0E3;
+}
+.pullee::-moz-focus-outer {
+  border: 0;
+}
+.pullee::-ms-track {
+  border: 0;
+  height: 1rem;
+  padding: .25rem;
+  box-sizing: content-box;
+  border-radius: 1rem;
+  background-color: #DDE0E3;
+  color: transparent;
+}
+.pullee::-ms-fill-lower, .pullee::-ms-fill-upper {
+  background-color: transparent;
+}
+.pullee::-ms-tooltip {
+  display: none;
+}
+
+html {
+  font-size: 32px;
+  text-align: center;
+}
+
+h1 {
+  font-size: 0.8rem;
+  text-transform: uppercase;
+  letter-spacing: 1.25px;
+}
+
+h2 {
+  font-size: 0.6rem;
+  text-transform: uppercase;
+  letter-spacing: 1.25px;
+}
+
+input[type=submit] {
+  font-size: 0.8rem;
+  text-transform: uppercase;
+  letter-spacing: 1.25px;
+  margin: .65em;
+}
+
+.center-xy {
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+}
+
+<% if params[:failed] %>
+#pass_window {
+  display: initial;
+}
+#invalid {
+  display: initial;
+  font-size: 0.55rem;
+  color: red;
+  text-transform: uppercase;
+  letter-spacing: 1.25px;
+}
+
+#explanation_window {
+  display: none;
+}
+<% else %>
+#pass_window {
+  display: none;
+}
+#invalid {
+  display: none;
+}
+
+#explanation_window {
+  display: initial;
+}
+<% end %>
+</style>
+<script>
+  window.console = window.console || function(t) {};
+</script>
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>
+<script>
+  if (document.location.search.match(/type=embed/gi)) {
+    window.parent.postMessage("resize", "*");
+  }
+</script>
+</head>
+
+<body translate="no">
+<div id="explanation_window" class="center-xy">
+    <h1>Thank you for your input!</h1>
+    <h2>Please pass the device back to the operator</h2>
+    <h1>Slide to Unlock</h1>
+    <input type="range" value="0" class="pullee" />
+</div>
+<% # This is bad... I am having a problem using the named routes within the rails engine plugin %>
+<%= form_tag 'process_submit', authenticity_token: true do %>
+<div id="pass_window" class="center-xy">
+    <h1>Passcode:</h1>
+    <div id="invalid">Invalid Passcode! Please try again.</div>
+    <div><input type="password" name="passcode" style="text-align: center;"></div>
+    <div><input type="submit"></div>
+<% end %>
+</div>
+<script id="rendered-js">
+var inputRange = document.getElementsByClassName('pullee')[0],
+    maxValue = 150, // the higher the smoother when dragging
+    speed = 12, // thanks to @pixelass for this
+    currValue, rafID;
+
+// set min/max value
+inputRange.min = 0;
+inputRange.max = maxValue;
+
+// listen for unlock
+function unlockStartHandler() {
+    // clear raf if trying again
+    window.cancelAnimationFrame(rafID);
+    
+    // set to desired value
+    currValue = +this.value;
+}
+
+function unlockEndHandler() {
+    
+    // store current value
+    currValue = +this.value;
+    
+    // determine if we have reached success or not
+    if(currValue >= maxValue) {
+        successHandler();
+    }
+    else {
+        rafID = window.requestAnimationFrame(animateHandler);
+    }
+}
+
+// handle range animation
+function animateHandler() {
+    
+    // update input range
+    inputRange.value = currValue;
+    
+    // determine if we need to continue
+    if(currValue > -1) {
+    	window.requestAnimationFrame(animateHandler);   
+    }
+    
+    // decrement value
+    currValue = currValue - speed;
+}
+
+// handle successful unlock
+function successHandler() {
+          document.getElementById("pass_window").style.display = "block";
+    document.getElementById("explanation_window").style.display = "none";
+    
+    // reset input range
+    inputRange.value = 0;
+};
+
+// bind events
+inputRange.addEventListener('mousedown', unlockStartHandler, false);
+inputRange.addEventListener('mousestart', unlockStartHandler, false);
+inputRange.addEventListener('mouseup', unlockEndHandler, false);
+inputRange.addEventListener('touchend', unlockEndHandler, false);
+</script>
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,6 @@
+PseudoKiosk::Engine.routes.draw do
+  namespace :pseudo_kiosk, path: '' do
+    get 'authentication/unlock'
+    post 'authentication/process_submit'
+  end
+end

data/lib/pseudo_kiosk.rb

@@ -0,0 +1,13 @@
+require "pseudo_kiosk/engine"
+
+module PseudoKiosk
+  autoload(:Config, 'pseudo_kiosk/config')
+  require 'pseudo_kiosk/controller'
+  module TestHelpers
+    require 'pseudo_kiosk/test_helpers/internal'
+
+    module Internal
+      require 'pseudo_kiosk/test_helpers/internal/rails'
+    end
+  end
+end

data/lib/pseudo_kiosk/config.rb

@@ -0,0 +1,46 @@
+module PseudoKiosk
+  module Config
+    class << self
+      # accepts a lambda function or string
+      # if lambda function is passed, instance of controller
+      # is passed to lambda for access to helper functions like
+      # current_user
+      attr_accessor :unlock_mechanism
+
+      def init!
+        @defaults = {
+          :@unlock_mechanism                     => nil,
+        }
+      end
+
+      # Resets all configuration options to their default values.
+      def reset!
+        @defaults.each do |k, v|
+          instance_variable_set(k, v)
+        end
+      end
+
+      def update!
+        @defaults.each do |k, v|
+          instance_variable_set(k, v) unless instance_variable_defined?(k)
+        end
+      end
+
+      def user_config(&blk)
+        block_given? ? @user_config = blk : @user_config
+      end
+
+      def configure(&blk)
+        @configure_blk = blk
+        @configure_blk.call(self) 
+      end
+
+      def configure!
+        @configure_blk.call(self) if @configure_blk
+      end
+    end
+
+    init!
+    reset!
+  end
+end

data/lib/pseudo_kiosk/controller.rb

@@ -0,0 +1,88 @@
+module PseudoKiosk
+  module Controller
+    # code borrowed from Sorcery (https://github.com/Sorcery/sorcery/blob/ae83ac3181aed9696bf78ceabcce96bf735fd7ea/lib/sorcery/controller.rb)
+    def self.included(klass)
+      klass.class_eval do
+        include InstanceMethods
+      end
+      #Config.update!
+      #Config.configure!
+    end
+
+    module InstanceMethods
+      # To be used in before_action in the application_controller.
+      # If pseudo_kiosk enabled, all endpoints that are not in the kiosk_whitelist 
+      # will not allowed to be accessed
+      def secure_pseudo_kiosk
+        #  this needs to go to the unlock screen
+        # binding.pry if request.path_info == test_work_flow_complete_step3_privilege_path
+        if session[:pseudo_kiosk_enabled]
+          whitelist = session[:pseudo_kiosk_whitelist].is_a?(Array) ? session[:pseudo_kiosk_whitelist] : [session[:pseudo_kiosk_whitelist]]
+
+          return if session[:pseudo_kiosk_unauthorized_endpoint_redirect_url].nil? && (params['controller'] == 'pseudo_kiosk/authentication')
+          whitelist.each do |allowed_url|
+            next if allowed_url.nil?
+            if allowed_url.is_a? Regexp
+              return if allowed_url =~ request.path_info
+            elsif allowed_url.start_with? "(?-mix:"
+              return if Regexp.new(allowed_url) =~ request.path_info
+            else
+              return if allowed_url == request.path_info
+            end
+          end
+
+          # need to either redirect to unauthorized_endpoint_redirect_url or allow user to break out
+          if session[:pseudo_kiosk_unauthorized_endpoint_redirect_url].nil?
+            session[:pseudo_kiosk_unlock_redirect_url] = request.path_info
+            
+            redirect_to(pseudo_kiosk_engine.routes.url_helpers.pseudo_kiosk_authentication_unlock_path)
+          else
+            redirect_to(session[:pseudo_kiosk_unauthorized_endpoint_redirect_url])
+          end
+        end
+      end
+
+      # Locks the session down for unprivileged usage
+      #
+      # Params:
+      # url_whitelist - an array of url strings or regex searches 
+      # of endpoints allowed to be visited during kiosk lock mode
+      #
+      # unauthorized_endpoint_redirect - url to redirect to if user navigates
+      # to a url outside of the url_whitelist. 
+      # If nil, the unlock screen will be shown when navigating to urls 
+      # outside of the whitelist; upon successful authentication, the user 
+      # will be redirected to current endpoint
+      def pseudo_kiosk_start(url_whitelist, unauthorized_endpoint_redirect_url)
+        session[:pseudo_kiosk_enabled] = true
+        session[:pseudo_kiosk_whitelist] = url_whitelist
+        session[:pseudo_kiosk_unauthorized_endpoint_redirect_url] = unauthorized_endpoint_redirect_url
+      end
+
+
+      # redirects to pseudo_kiosk unlock screen. When successfully unlocked, the browser is 
+      # redirected to the unlock_redirect_url
+      def pseudo_kiosk_exit(unlock_redirect_url)
+        session[:pseudo_kiosk_unlock_redirect_url] = unlock_redirect_url
+ 
+        # clear the whitelist here, because we want to only allow 
+        # the session to be given back to the privileged user and
+        # for no further operations to be done in the whitelist area
+        session.delete(:pseudo_kiosk_whitelist)
+        session.delete(:pseudo_kiosk_unauthorized_endpoint_redirect_url)
+
+        redirect_to(PseudoKiosk::Engine.routes.url_helpers.pseudo_kiosk_authentication_unlock_path)
+      end
+
+      # clear all pseudo_kiosk session variables; this is an internal function
+      # Most likely pseudo_kiosk_exit is what should be used, unless there is some usecase
+      # where you want to instantly exit the pseudo_kiosk session without going through authentication
+      def clear_pseudo_kiosk_session
+        session.delete(:pseudo_kiosk_enabled)
+        session.delete(:pseudo_kiosk_whitelist)
+        session.delete(:pseudo_kiosk_unauthorized_endpoint_redirect_url)
+        session.delete(:pseudo_kiosk_unlock_redirect_url)
+      end
+    end
+  end
+end

data/lib/pseudo_kiosk/engine.rb

@@ -0,0 +1,13 @@
+module PseudoKiosk
+  class Engine < ::Rails::Engine
+    #config.pseudo_kiosk = PseudoKiosk::Config
+    # Do we need this for what we're doing?
+    # isolate_namespace PseudoKiosk
+
+    initializer 'extend Controller with PseudoKiosk' do
+      if defined?(ActionController::Base)
+        ActionController::Base.send(:include, PseudoKiosk::Controller)
+      end
+    end
+  end
+end

data/lib/pseudo_kiosk/test_helpers/internal.rb

@@ -0,0 +1,79 @@
+module PseudoKiosk
+  module TestHelpers
+    # Internal TestHelpers are used to test the gem, internally, and should not be used to test apps *using* sorcery.
+    # This file will be included in the spec_helper file.
+    module Internal
+      def self.included(_base)
+        # # reducing default cost for specs speed
+        # CryptoProviders::BCrypt.class_eval do
+        #   class << self
+        #     def cost
+        #       1
+        #     end
+        #   end
+        # end
+      end
+
+      # a patch to fix a bug in testing that happens when you 'destroy' a session twice.
+      # After the first destroy, the session is an ordinary hash, and then when destroy
+      # is called again there's an exception.
+      class ::Hash # rubocop:disable Style/ClassAndModuleChildren
+        def destroy
+          clear
+        end
+      end
+
+      def build_new_user(attributes_hash = nil)
+        user_attributes_hash = attributes_hash || { username: 'gizmo', email: 'bla@bla.com', password: 'secret' }
+        @user = User.new(user_attributes_hash)
+      end
+
+      def create_new_user(attributes_hash = nil)
+        @user = build_new_user(attributes_hash)
+        @user.sorcery_adapter.save(raise_on_failure: true)
+        @user
+      end
+
+      def create_new_external_user(provider, attributes_hash = nil)
+        user_attributes_hash = attributes_hash || { username: 'gizmo' }
+        @user = User.new(user_attributes_hash)
+        @user.sorcery_adapter.save(raise_on_failure: true)
+        @user.authentications.create!(provider: provider, uid: 123)
+        @user
+      end
+
+      def custom_create_new_external_user(provider, authentication_class, attributes_hash = nil)
+        authentication_association = authentication_class.name.underscore.pluralize
+
+        user_attributes_hash = attributes_hash || { username: 'gizmo' }
+        @user = User.new(user_attributes_hash)
+        @user.sorcery_adapter.save(raise_on_failure: true)
+        @user.send(authentication_association).create!(provider: provider, uid: 123)
+        @user
+      end
+
+      def sorcery_model_property_set(property, *values)
+        User.class_eval do
+          sorcery_config.send(:"#{property}=", *values)
+        end
+      end
+
+      def update_model(&block)
+        User.class_exec(&block)
+      end
+
+      private
+
+      # reload user class between specs
+      # so it will be possible to test the different submodules in isolation
+      def reload_user_class
+        User && Object.send(:remove_const, 'User')
+        load 'user.rb'
+
+        return unless User.respond_to?(:reset_column_information)
+
+        User.reset_column_information
+      end
+    end
+  end
+end

data/lib/pseudo_kiosk/test_helpers/internal/rails.rb

@@ -0,0 +1,22 @@
+module PseudoKiosk
+  module TestHelpers
+    module Internal
+      module Rails
+        def pseudo_kiosk_reload!
+          PseudoKiosk::Config.init!
+          PseudoKiosk::Config.reset!
+
+          ActionController::Base.send(:include, PseudoKiosk::Controller)
+        end
+
+        def pseudo_kiosk_config_property_set(property, value)
+          ::PseudoKiosk::Config.send(:"#{property}=", value)
+        end
+
+        # def pseudo_kiosk_config_external_property_set(provider, property, value)
+        #   ::PseudoKiosk::Config.send(provider).send(:"#{property}=", value)
+        # end
+      end
+    end
+  end
+end

data/lib/pseudo_kiosk/version.rb

@@ -0,0 +1,3 @@
+module PseudoKiosk
+  VERSION = '0.1.0'
+end

data/lib/tasks/pseudo_kiosk_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :pseudo_kiosk do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: pseudo_kiosk
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jonathan Chan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-10-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.3
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: PseudoKiosk gives the ability to limit access to the application during
+  workflows which involve physically passing a device with elevated permissions to
+  an unknown or untrusted user.
+email:
+- jc@jmccc.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/assets/config/pseudo_kiosk_manifest.js
+- app/assets/javascripts/pseudo_kiosk/application.js
+- app/assets/javascripts/pseudo_kiosk/authentication.js
+- app/assets/stylesheets/pseudo_kiosk/application.css
+- app/assets/stylesheets/pseudo_kiosk/authentication.css
+- app/controllers/pseudo_kiosk/application_controller.rb
+- app/controllers/pseudo_kiosk/authentication_controller.rb
+- app/helpers/pseudo_kiosk/application_helper.rb
+- app/helpers/pseudo_kiosk/authentication_helper.rb
+- app/views/layouts/pseudo_kiosk/application.html.erb
+- app/views/pseudo_kiosk/authentication/process_submit.html.erb
+- app/views/pseudo_kiosk/authentication/unlock.html.erb
+- config/routes.rb
+- lib/pseudo_kiosk.rb
+- lib/pseudo_kiosk/config.rb
+- lib/pseudo_kiosk/controller.rb
+- lib/pseudo_kiosk/engine.rb
+- lib/pseudo_kiosk/test_helpers/internal.rb
+- lib/pseudo_kiosk/test_helpers/internal/rails.rb
+- lib/pseudo_kiosk/version.rb
+- lib/tasks/pseudo_kiosk_tasks.rake
+homepage: https://github.com/jonmchan/pseudo_kiosk
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: PseudoKiosk provides the ability to lock down a rails application to only
+  a specified whitelist of endpoints during a session.
+test_files: []