quo_vadis 1.3.2 → 2.0.1

data/Rakefile

@@ -1,22 +1,20 @@
-require 'bundler'
-Bundler::GemHelper.install_tasks
+require 'bundler/setup'
 
-require 'rake/testtask'
-require 'rake/rdoctask'
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = false
+  t.libs << "test"
+  # t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+  # t.warning = false
 end
 
-Rake::RDocTask.new(:rdoc) do |rdoc|
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'Quo Vadis'
-  rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README.md')
-  rdoc.rdoc_files.include('app/**/*.rb')
-end
+task default: :test
 
-task :default => :test

data/app/controllers/quo_vadis/confirmations_controller.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class ConfirmationsController < ApplicationController
+
+    # holding page
+    def index
+    end
+
+
+    # form for requesting new confirmation email
+    def new
+    end
+
+
+    # send new confirmation email form submits here
+    def create
+      account = QuoVadis.find_account_by_identifier_in_params params
+
+      unless account
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.identifier') and return
+      end
+
+      request_confirmation account.model
+      redirect_to confirmations_path
+    end
+
+
+    # emailed confirmation link points here
+    def edit
+      account = AccountConfirmationToken.find_account params[:token]
+
+      unless account  # expired or already confirmed
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+    end
+
+
+    # confirm the account (and login)
+    def update
+      account = AccountConfirmationToken.find_account params[:token]
+
+      unless account  # expired or already confirmed
+        redirect_to new_confirmation_path, alert: QuoVadis.translate('flash.confirmation.unknown') and return
+      end
+
+      account.confirmed!
+
+      qv.log account, Log::ACCOUNT_CONFIRMATION
+
+      login account.model, true
+      redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.confirmation.confirmed')
+    end
+
+  end
+end

data/app/controllers/quo_vadis/logs_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class LogsController < ApplicationController
+    before_action :require_password_authentication
+
+    PER_PAGE = 25
+
+    def index
+      logs = authenticated_model.qv_account.logs
+
+      page = params[:page] ? params[:page].to_i : 1
+      @logs = logs.new_to_old.page(page, PER_PAGE)
+
+      @prev_page = page - 1 if page > 1
+      @next_page = page + 1 if logs.count > page * PER_PAGE
+    end
+
+  end
+end

data/app/controllers/quo_vadis/password_resets_controller.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class PasswordResetsController < ApplicationController
+
+    # holding page for after the create action
+    def index
+    end
+
+
+    def new
+    end
+
+
+    def create
+      flash[:notice] = QuoVadis.translate 'flash.password_reset.create'
+
+      account = QuoVadis.find_account_by_identifier_in_params params
+      return unless account
+
+      token = QuoVadis::PasswordResetToken.generate account
+      QuoVadis.deliver :reset_password, email: account.model.email, url: quo_vadis.edit_password_reset_url(token)
+
+      redirect_to password_resets_path
+    end
+
+
+    # emailed password-reset link points here
+    def edit
+      account = PasswordResetToken.find_account params[:token]
+
+      unless account  # expired or password already changed
+        redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
+      end
+
+      @password = QuoVadis::Password.new
+    end
+
+
+    # really reset the password
+    def update
+      account = PasswordResetToken.find_account params[:token]
+
+      unless account  # expired or password already changed
+        redirect_to new_password_reset_path, alert: QuoVadis.translate('flash.password_reset.unknown') and return
+      end
+
+      @password = account.password
+      if @password.reset params[:password], params[:password_confirmation]
+        # Logout account's sessions because password has changed.
+        # Note model is not logged in here.
+        @password.account.sessions.destroy_all
+
+        qv.log @password.account, Log::PASSWORD_RESET
+        QuoVadis.notify :password_reset_notification, email: @password.account.model.email
+
+        login @password.account.model, true
+        redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.password_reset.reset')
+      else
+        render :edit
+      end
+    end
+
+  end
+end

data/app/controllers/quo_vadis/passwords_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class PasswordsController < ApplicationController
+
+    before_action :require_authentication
+
+    def edit
+      @password = QuoVadis::Password.new
+    end
+
+    def update
+      @password = authenticated_model.qv_account.password
+      if @password.change params[:password], params[:new_password], params[:new_password_confirmation]
+        qv.log authenticated_model.qv_account, Log::PASSWORD_CHANGE
+        QuoVadis.notify :password_change_notification, email: authenticated_model.email
+        qv.logout_other_sessions
+        qv.replace_session
+        redirect_to qv.path_after_password_change, notice: QuoVadis.translate('flash.password.update')
+      else
+        render :edit
+      end
+    end
+
+  end
+end

data/app/controllers/quo_vadis/recovery_codes_controller.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class RecoveryCodesController < ApplicationController
+    before_action :require_password_authentication
+
+
+    def index
+      @codes = flash[:recovery_codes]
+      @recovery_code_count = account.recovery_codes.count
+    end
+
+
+    def challenge
+    end
+
+
+    def authenticate
+      if account.recovery_codes.detect { |rc| rc.authenticate_code params[:code] }
+        qv.log account, Log::RECOVERY_CODE_SUCCESS
+        qv.replace_session
+        qv.session_authenticated_with_second_factor
+        reset_totp
+        redirect_to qv.path_after_authentication,
+          notice: QuoVadis.translate('flash.recovery_code.success',
+                                     count: account.recovery_codes.count)
+      else
+        qv.log account, Log::RECOVERY_CODE_FAILURE
+        flash.now[:alert] = QuoVadis.translate('flash.recovery_code.unverified')
+        render :challenge
+      end
+    end
+
+
+    def generate
+      qv.log account, Log::RECOVERY_CODE_GENERATE
+      QuoVadis.notify :recovery_codes_generation_notification, email: authenticated_model.email
+      account.recovery_codes.delete_all
+      flash[:recovery_codes] = account.generate_recovery_codes
+      redirect_to quo_vadis.recovery_codes_path
+    end
+
+
+    private
+
+    def account
+      authenticated_model.qv_account
+    end
+
+    def reset_totp
+      account.totp&.destroy
+    end
+  end
+end

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -1,153 +1,71 @@
-class QuoVadis::SessionsController < ApplicationController
-  skip_filter :authenticate, :except => [:destroy]
-  layout :quo_vadis_layout
+# frozen_string_literal: true
 
-  # GET sign_in_path
-  def new
-    render 'sessions/new'
-  end
+module QuoVadis
+  class SessionsController < ApplicationController
+
+    # Don't require authentication for the :destroy action so that someone
+    # who has logged in via password but not completed 2fa can still log out.
+    before_action :require_authentication, except: [:new, :create, :destroy]
 
-  # POST sign_in_path
-  def create
-    if blocked?
-      flash_if_present :alert, 'quo_vadis.flash.sign_in.blocked', :now
-      render 'sessions/new'
-    elsif user = QuoVadis.model_class.authenticate(params[:username], params[:password])
-      flash_if_present :notice, 'quo_vadis.flash.sign_in.after'
-      sign_in user
-    else
-      QuoVadis.failed_sign_in_hook self
-      flash_if_present :alert, 'quo_vadis.flash.sign_in.failed', :now
-      render 'sessions/new'
+    def index
+      @qv_session = qv.session
+      @qv_sessions = @qv_session.account.sessions
     end
-  end
 
-  # GET sign_out_path
-  def destroy
-    QuoVadis.signed_out_hook send(:"current_#{QuoVadis.model_instance_name}"), self
-    self.send :"current_#{QuoVadis.model_instance_name}=", nil
-    flash_if_present :notice, 'quo_vadis.flash.sign_out'
-    redirect_to QuoVadis.signed_out_url(self)
-  end
 
-  # GET forgotten_sign_in_path
-  # POST forgotten_sign_in_path
-  def forgotten
-    if request.get?
-      render 'sessions/forgotten'
-    elsif request.post?
-      if params[:username].present? &&
-          (user = QuoVadis.model_class.where(:username => params[:username]).first)
-        if user.email.present?
-          user.generate_token!
-          QuoVadis::Notifier.change_password(user).deliver
-          flash_if_present :notice, 'quo_vadis.flash.forgotten.sent_email'
-          redirect_to :root
-        else
-          flash_if_present :alert, 'quo_vadis.flash.forgotten.no_email', :now
-          render 'sessions/forgotten'
-        end
-      else
-        flash_if_present :alert, 'quo_vadis.flash.forgotten.unknown', :now
-        render 'sessions/forgotten'
-      end
+    def new
     end
-  end
 
-  # GET change_password_path /sign-in/change-password/:token
-  def edit
-    if QuoVadis.model_class.valid_token(params[:token]).first
-      render 'sessions/edit'
-    else
-      invalid_token :forgotten
-    end
-  end
 
-  # PUT change_password_path /sign-in/change-password/:token
-  def update
-    if (user = QuoVadis.model_class.valid_token(params[:token]).first)
-      if params[:password].present?
-        user.password = params[:password]
-        if user.save
-          user.clear_token
-          flash_if_present :notice, 'quo_vadis.flash.forgotten.password_changed'
-          sign_in user
-        else
-          render 'sessions/edit'
-        end
-      else
-        render 'sessions/edit'
+    def create
+      account = QuoVadis.find_account_by_identifier_in_params params
+
+      unless account
+        qv.log nil, Log::LOGIN_UNKNOWN
+        flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
+        render :new
+        return
       end
-    else
-      invalid_token :forgotten
-    end
-  end
 
-  # GET invitation_path /sign-in/invite/:token
-  def invite
-    if (@user = QuoVadis.model_class.valid_token(params[:token]).first)
-      # When we create a user who must activate their account, we give them
-      # a random username and password.  However we want to treat them as if
-      # they weren't set at all.
-      @user.username = nil
-      render 'sessions/invite'
-    else
-      invalid_token :activation
-    end
-  end
+      unless account.password.authenticate params[:password]
+        qv.log account, Log::LOGIN_FAILURE
+        flash.now[:alert] = QuoVadis.translate 'flash.login.failed'
+        render :new
+        return
+      end
 
-  # POST activation_path /sign-in/accept/:token
-  def accept
-    if (@user = QuoVadis.model_class.valid_token(params[:token]).first)
-      @user.username, @user.password = params[:username], params[:password]
-      # When we create a user who must activate their account, we give them
-      # a random username and password.  However we want to treat them as if
-      # they weren't set at all.
-      @user.password_digest = nil if params[:password].blank?
-      if @user.save
-        @user.clear_token
-        flash_if_present :notice, 'quo_vadis.flash.activation.accepted'
-        sign_in @user
-      else
-        flash_if_present :alert, 'quo_vadis.flash.activation.invalid_credentials', :now
-        render 'sessions/invite'
+      if QuoVadis.accounts_require_confirmation && !account.confirmed?
+        redirect_to new_confirmation_path, notice: QuoVadis.translate('flash.confirmation.required')
+        return
       end
-    else
-      invalid_token :activation
-    end
-  end
 
-  # Invites a user to set up their sign-in credentials.
-  def invite_to_activate(user, data = {})
-    return false if user.email.blank?
-    user.generate_token!
-    QuoVadis::Notifier.invite(user, data).deliver
-    true
-  end
-  hide_action :send_invitation
+      # no params[:remember]      => use QuoVadis.session_lifetime
+      #    params[:remember] == 0 => use :session
+      #    params[:remember] == 1 => use QuoVadis.session_lifetime
+      browser_session = params[:remember] == '0'
+
+      flash[:notice] = QuoVadis.translate 'flash.login.success'
 
-  private
+      login account.model, browser_session
 
-  def invalid_token(workflow) # :nodoc:
-    if workflow == :activation
-      flash_if_present :alert, 'quo_vadis.flash.activation.invalid_token'
-      redirect_to root_path
-    else
-      flash_if_present :alert, 'quo_vadis.flash.forgotten.invalid_token'
-      redirect_to forgotten_sign_in_url
+      redirect_to qv.path_after_authentication
     end
-  end
 
-  def quo_vadis_layout # :nodoc:
-    QuoVadis.layout
-  end
 
-  def flash_if_present(key, i18n_key, now = false)
-    if now
-      flash.now[key] = t(i18n_key) if t(i18n_key).present?
-    else
-      flash[key] = t(i18n_key) if t(i18n_key).present?
+    def destroy
+      if params[:id]  # other session
+        current_qv_session = qv.session
+        current_qv_session.account.sessions.destroy params[:id]
+        qv.log current_qv_session.account, Log::LOGOUT_OTHER
+        flash[:notice] = QuoVadis.translate 'flash.logout.other'
+        redirect_to action: :index
+      else  # this session
+        qv.log authenticated_model.qv_account, Log::LOGOUT
+        qv.logout
+        flash[:notice] = QuoVadis.translate 'flash.logout.self'
+        redirect_to main_app.root_path
+      end
     end
-  end
 
+  end
 end