quo_vadis 1.4.2 → 2.0.0

data/lib/quo_vadis/controller.rb

@@ -0,0 +1,227 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  module Controller
+
+    def self.included(base)
+      base.before_action { CurrentRequestDetails.request = request }
+
+      base.helper_method :authenticated_model, :logged_in?
+
+      # Remember the last activity time so we can timeout idle sessions.
+      # This has to be done after that timestamp is checked (in `#authenticated_model`)
+      # otherwise sessions could never look idle.
+      base.after_action { |controller| controller.qv.touch_session_last_seen_at }
+    end
+
+
+    def require_password_authentication
+      return if logged_in?
+      flash[:notice] = QuoVadis.translate 'flash.require_authentication'
+      session[:qv_bookmark] = request.original_fullpath
+      redirect_to quo_vadis.login_path
+    end
+    alias_method :require_authentication, :require_password_authentication
+
+
+    # implies require_password_authentication
+    def require_two_factor_authentication
+      return require_authentication unless logged_in?
+      return unless qv.second_factor_required?
+      return if qv.second_factor_authenticated?
+      redirect_to quo_vadis.challenge_totps_path and return
+    end
+
+
+    # To be called with a model which has authenticated with a password.
+    #
+    # browser_session - true: login only for duration of browser session
+    #                   false: login for QuoVadis.session_lifetime (which may be browser session anyway)
+    def login(model, browser_session = true)
+      qv.log model.qv_account, Log::LOGIN_SUCCESS
+
+      qv.prevent_rails_session_fixation
+
+      lifetime_expires_at = qv.lifetime_expires_at browser_session
+
+      qv_session = model.qv_account.sessions.create!(
+        ip:                  request.remote_ip,
+        user_agent:          (request.user_agent || ''),
+        lifetime_expires_at: lifetime_expires_at
+      )
+
+      qv.store_session_id qv_session.id, lifetime_expires_at
+
+      # It is not necessary to set the instance variable here -- the
+      # `authenticated_model` method will figure it out from the qv.session --
+      # but doing so saves that method a couple of database calls.
+      @authenticated_model = model
+    end
+
+
+    def logged_in?
+      !authenticated_model.nil?
+    end
+
+
+    # Returns the model instance which has been authenticated by password,
+    # or nil.
+    def authenticated_model
+      return @authenticated_model if defined? @authenticated_model
+
+      # Was not logged in so no need to log out.
+      return (@authenticated_model = nil) unless qv.session_id
+
+      _qv_session = qv.session
+
+      # If _qv_session is nil: user was logged in (because qv.session_id is not nil)
+      # but now isn't (because there is no corresponding record in the database).  This
+      # means the user has remotely logged out this session from another.
+      if _qv_session.nil? || _qv_session.expired?
+        qv.logout
+        return (@authenticated_model = nil)
+      end
+
+      @authenticated_model = _qv_session.account.model
+    end
+
+
+    def request_confirmation(model)
+      token = QuoVadis::AccountConfirmationToken.generate model.qv_account
+      QuoVadis.deliver :account_confirmation, email: model.email, url: quo_vadis.edit_confirmation_url(token)
+
+      flash[:notice] = QuoVadis.translate 'flash.confirmation.create'
+    end
+
+
+    def qv
+      @qv_wrapper ||= QuoVadisWrapper.new self
+    end
+
+
+    private
+
+
+    class QuoVadisWrapper
+      def initialize(controller)
+        @controller = controller
+      end
+
+      # Returns the current QuoVadis session or nil.
+      def session
+        return nil unless session_id
+        QuoVadis::Session.find_by id: session_id
+      end
+
+      def session_id
+        cookies.encrypted[QuoVadis.cookie_name]
+      end
+
+      # Store the session id in an encrypted cookie.
+      #
+      # Given that the cookie is encrypted, it is safe to store the database primary key of the
+      # session rather than a random-value candidate key.
+      #
+      # expires_at - the end of the QuoVadis session's lifetime (regardless of the idle timeout)
+      def store_session_id(id, expires_at)
+        cookies.encrypted[QuoVadis.cookie_name] = {
+          value:     id,
+          httponly:  true,
+          secure:    Rails.env.production?,
+          same_site: :lax,
+          expires:   expires_at  # setting expires_at to nil has the same effect as not setting it
+        }
+      end
+
+      def clear_session_id
+        cookies.delete QuoVadis.cookie_name
+      end
+
+      def prevent_rails_session_fixation
+        old_session = rails_session.to_hash
+        reset_session
+        old_session.each { |k,v| rails_session[k] = v }
+      end
+
+      # Assumes user is logged in.
+      def second_factor_required?
+        QuoVadis.two_factor_authentication_mandatory || authenticated_model.qv_account.has_two_factors?
+      end
+
+      def second_factor_authenticated?
+        session.second_factor_authenticated?
+      end
+
+      def touch_session_last_seen_at
+        session&.touch :last_seen_at
+      end
+
+      def session_authenticated_with_second_factor
+        session.authenticated_with_second_factor
+      end
+
+      def replace_session
+        prevent_rails_session_fixation
+
+        sess = session.replace
+        store_session_id sess.id, sess.lifetime_expires_at
+
+        controller.instance_variable_set :@authenticated_model, sess.account.model
+      end
+
+      def lifetime_expires_at(browser_session)
+        return nil if browser_session
+        return nil if QuoVadis.session_lifetime == :session
+
+        t = ActiveSupport::Duration.build(QuoVadis.session_lifetime).from_now
+        QuoVadis.session_lifetime_extend_to_end_of_day ? t.end_of_day : t
+      end
+
+      def logout
+        session&.destroy
+        clear_session_id
+        reset_session
+        controller.instance_variable_set :@authenticated_model, nil
+      end
+
+      def logout_other_sessions
+        session.logout_other_sessions
+      end
+
+      def log(account, action, metadata = {})
+        Log.create account: account, action: action, ip: request.remote_ip, metadata: metadata
+      end
+
+      def path_after_authentication
+        if (bookmark = rails_session[:qv_bookmark])
+          rails_session.delete :qv_bookmark
+          return bookmark
+        end
+        return main_app.after_login_path if main_app.respond_to?(:after_login_path)
+        return main_app.root_path        if main_app.respond_to?(:root_path)
+        raise RuntimeError, 'Missing routes: after_login_path, root_path; define at least one of them.'
+      end
+
+      def path_after_password_change
+        return main_app.after_password_change_path if main_app.respond_to?(:after_password_change_path)
+        return main_app.root_path                  if main_app.respond_to?(:root_path)
+        raise RuntimeError, 'Missing routes: after_password_change_path, root_path; define at least one of them.'
+      end
+
+      private
+
+      attr_reader :controller
+
+      delegate :request, :reset_session, :authenticated_model, :main_app, to: :controller
+
+      def cookies
+        controller.send :cookies  # private method
+      end
+
+      def rails_session
+        controller.session
+      end
+    end
+
+  end
+end

data/lib/quo_vadis/crypt.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Crypt
+
+    def self.encrypt(value)
+      return nil if value.nil?
+      return '' if value == ''
+
+      salt = SecureRandom.hex KEY_LENGTH
+      crypt = encryptor key(salt)
+      ciphertext = crypt.encrypt_and_sign value
+      [salt, ciphertext].join SEPARATOR
+    end
+
+    def self.decrypt(value)
+      return nil if value.nil?
+      return '' if value == ''
+
+      salt, data = value.split SEPARATOR
+      crypt = encryptor key(salt)
+      crypt.decrypt_and_verify(data)
+    end
+
+    private
+
+    KEY_LENGTH = ActiveSupport::MessageEncryptor.key_len
+    SEPARATOR = '$$'
+
+    def self.encryptor(key)
+      ActiveSupport::MessageEncryptor.new(key)
+    end
+
+    def self.key(salt)
+      ActiveSupport::KeyGenerator.new(secret).generate_key(salt, KEY_LENGTH)
+    end
+
+    def self.secret
+      Rails.application.secret_key_base
+    end
+
+  end
+end

data/lib/quo_vadis/current_request_details.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class CurrentRequestDetails < ActiveSupport::CurrentAttributes
+    attribute :ip
+
+    def request=(request)
+      self.ip = request.remote_ip
+    end
+  end
+end

data/lib/quo_vadis/defaults.rb

@@ -0,0 +1,18 @@
+require 'active_support/core_ext'
+
+QuoVadis.configure do
+  password_minimum_length               12
+  mask_ips                              false
+  cookie_name                           '__Host-qv'
+  session_lifetime                      :session
+  session_lifetime_extend_to_end_of_day false
+  session_idle_timeout                  :lifetime
+  password_reset_token_lifetime         10.minutes
+  accounts_require_confirmation         false
+  account_confirmation_token_lifetime   10.minutes
+  mail_headers                          ({ from: 'Example App <support@example.com>' })
+  enqueue_transactional_emails          true
+  app_name                              Rails.app_class.to_s.deconstantize  # for the TOTP QR code
+  two_factor_authentication_mandatory   true
+  mount_point                           '/'
+end

data/lib/quo_vadis/encrypted_type.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class EncryptedType < ActiveRecord::Type::Value
+
+    def deserialize(value)
+      Crypt.decrypt(value)
+    end
+
+    def serialize(value)
+      Crypt.encrypt(value)
+    end
+
+  end
+end
+
+ActiveRecord::Type.register :qv_encrypted, QuoVadis::EncryptedType

data/lib/quo_vadis/engine.rb

@@ -1,15 +1,13 @@
+# frozen_string_literal: true
+
 module QuoVadis
+
+  def self.table_name_prefix
+    'qv_'
+  end
+
+
   class Engine < ::Rails::Engine
-    initializer 'quo_vadis.model' do |app|
-      ActiveSupport.on_load(:active_record) do
-        include ModelMixin
-      end
-    end
-
-    initializer 'quo_vadis.controller' do |app|
-      ActiveSupport.on_load(:action_controller) do
-        include ControllerMixin
-      end
-    end
+    isolate_namespace QuoVadis
   end
 end

data/lib/quo_vadis/hmacable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+
+# Much of this comes from Rodauth.
+module QuoVadis
+  module Hmacable
+
+    def compute_hmac(data)
+      OpenSSL::HMAC.hexdigest 'SHA256', hmac_secret, data
+    end
+
+    def timing_safe_eql?(provided, actual)
+      provided = provided.to_s
+      Rack::Utils.secure_compare(provided.ljust(actual.length), actual) && provided.length == actual.length
+    end
+
+    private
+
+    def hmac_secret
+      Rails.application.secret_key_base
+    end
+
+  end
+end

data/lib/quo_vadis/ip_masking.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+
+module QuoVadis
+  module IpMasking
+
+    def self.included(base)
+      base.extend ClassMethods
+      base.before_validation :mask_ip, if: -> { QuoVadis.mask_ips }
+    end
+
+    def mask_ip
+      self.ip = self.class.mask_ip ip
+    end
+
+    module ClassMethods
+      # Based on Google Analytics masking
+      # https://support.google.com/analytics/answer/2763052
+      def mask_ip(ip)
+        addr = IPAddr.new ip
+        if addr.ipv4?
+          addr.mask(24).to_s  # set last octet to 0
+        else
+          addr.mask(48).to_s  # set last 80 bits to 0
+        end
+      end
+    end
+
+  end
+end

data/lib/quo_vadis/model.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  module Model
+
+    def self.included(base)
+      base.send :extend, ClassMethods
+    end
+
+
+    module ClassMethods
+      def authenticates(identifier: :email)
+        include InstanceMethodsOnActivation
+
+        has_one :qv_account, as: :model, class_name: 'QuoVadis::Account', dependent: :destroy, autosave: true
+
+        before_validation :qv_build_account_and_password, on: :create
+        before_validation :qv_copy_identifier_to_account
+
+        # Enable a new-user form to set a password.
+        validate :qv_copy_password_errors, on: :create
+
+        unless validators_on(identifier).any? { |v| ActiveRecord::Validations::UniquenessValidator === v }
+          raise NotImplementedError, <<~END
+            Missing uniqueness validation on #{name}##{identifier}.
+            Try adding: `validates :#{identifier}, uniqueness: {case_sensitive: false}`
+          END
+        end
+
+        define_method :qv_copy_identifier_to_account do
+          qv_account.identifier = send identifier
+        end
+
+        after_update :qv_log_email_change, if: :saved_change_to_email?
+        after_update :qv_notify_email_change, if: :saved_change_to_email?
+
+        QuoVadis.register_model self.name, identifier
+      end
+    end
+
+
+    module InstanceMethodsOnActivation
+      attr_reader :password, :password_confirmation
+
+      def password=(val)
+        @password = val
+        self.qv_account ||= build_qv_account
+        raise PasswordExistsError if qv_account.password&.persisted?
+        (qv_account.password || qv_account.build_password).password = val
+      end
+
+      def password_confirmation=(val)
+        @password_confirmation = val
+        self.qv_account ||= build_qv_account
+        (qv_account.password || qv_account.build_password).password_confirmation = val
+      end
+
+      private
+
+      def qv_build_account_and_password
+        self.qv_account ||= build_qv_account
+        qv_account.password || qv_account.build_password
+      end
+
+      def qv_copy_password_errors
+        qv_account.password.valid?  # force qv_account.password to validate
+        qv_account.password.errors[:password             ].each { |message| errors.add :password,              message }
+        qv_account.password.errors[:password_confirmation].each { |message| errors.add :password_confirmation, message }
+      end
+
+      def qv_log_email_change
+        from, to = saved_change_to_email
+        Log.create(
+          account:  qv_account,
+          action:   Log::EMAIL_CHANGE,
+          ip:       (CurrentRequestDetails.ip || ''),
+          metadata: {from: from, to: to}
+        )
+      end
+
+      def qv_notify_email_change
+        QuoVadis.notify :email_change_notification, email: saved_change_to_email[0]
+      end
+    end
+  end
+end