rails_base 0.51.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2e9681ee6d443c2be30ecaf88c45d4f6d90983af39e79f1c7ca7caaac0d74887
+  data.tar.gz: 0ad7ffa1d15d9c7b63f1965f94d766d3ea8aadc64a48edc9ed899234b02f8030
+SHA512:
+  metadata.gz: 695939c8b3ae5c89d7106fd7e9de827de327a8837c16b22275976c53c6736e94d92c3aa344293ce863a3e0c2cc60deef69cf2227396be3cf27011c7618c7cac8
+  data.tar.gz: ef5b03099e37b93a569d260def718202e18029eb4ffa22b33d70766338ae7cd05bf70ad7759d388384362f4d3740d05b16c12e86d2ef16bdc2c1509981705c3d

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2021 Matt Taylor
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+<a href="https://fury.co/f/partner">
+  <img src="//badge.fury.io/fp/gemfury.svg" alt="Private Repository">
+</a>
+
+# RailsBase
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rails_base'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install rails_base
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,32 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RailsBase'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/assets/config/rails_base/manifest.js

@@ -0,0 +1,3 @@
+//= link_tree ../../images/rails_base/
+//= link_directory ../../javascripts/rails_base .js
+//= link_directory ../../stylesheets/rails_base .css

data/app/assets/javascripts/rails_base/admin.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/javascripts/rails_base/application.js

@@ -0,0 +1,22 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, or any plugin's
+// vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+// = require rails-ujs
+// = require activestorage
+// = require turbolinks
+// = require_tree .
+
+// = require jquery3
+// = require popper
+// = require bootstrap-sprockets
+// = require allow_numeric
+// = require jquery.mask

data/app/assets/javascripts/rails_base/cable.js

@@ -0,0 +1,13 @@
+// Action Cable provides the framework to deal with WebSockets in Rails.
+// You can generate new channels where WebSocket features live using the `rails generate channel` command.
+//
+//= require action_cable
+//= require_self
+//= require_tree ./channels
+
+(function() {
+  this.App || (this.App = {});
+
+  App.cable = ActionCable.createConsumer();
+
+}).call(this);

data/app/assets/javascripts/rails_base/mfa_auth.coffee

@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/

data/app/assets/javascripts/rails_base/secondary_authentication.coffee

@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/

data/app/assets/javascripts/rails_base/sessions.js

@@ -0,0 +1,152 @@
+// TODO: ADD a readme about how this works
+// TODO: Clean this up
+var SessionsSingleton = function () {
+  var SessionsClass = function SessionsClass() {
+    return {
+      sessionTimoutClock: undefined,
+      reminderClock: undefined,
+      reminderTime: 60000, // 1min prior to expiration
+      timeout: undefined,
+      url_get: undefined,
+      url_post: undefined,
+      ajax_timing: undefined,
+
+      init: function init(timeout, url_get, url_post, csrf, show_warning) {
+        var _self = this;
+        _self.timeout = timeout * 1000;
+        _self.url_get = url_get;
+        _self.url_post = url_post;
+        _self.csrf = csrf;
+        _self.show_warning = show_warning;
+
+        _self.logging(`Initialized. timeout ${_self.timeout}`)
+
+        _self.sessionTimoutClock = window.setTimeout(function () {
+          return _self.checkForWarning();
+        }, _self.timeout + 500);
+
+        if(!_self.show_warning){
+          return;
+        }
+        return _self.reminderClock = window.setTimeout(function () {
+          return _self.checkForWarning();
+        }, _self.timeout - _self.reminderTime);
+      },
+      checkForWarning: function checkForWarning() {
+        var _self = this;
+        _self.ajax_timing = new Date();
+        _self.logging(`Heartbeat warning`)
+        $.ajax({
+          type: 'GET',
+          url: _self.url_get,
+          success: function success(result) {
+            _self.logging(`TTL check success: ${JSON.stringify(result)}`)
+            _self.warningHeartbeatSuccess(result);
+          },
+          error: function error() {
+            _self.logging(`TTL check failed. Reloading page`)
+            return _self.doRedirect();
+          }
+        });
+      },
+      checkForSessionHeartbeat: function checkForSessionHeartbeat(){
+        var _self = this;
+        _self.ajax_timing = new Date()
+        $.ajax({
+          type: 'GET',
+          url: _self.url_get,
+          success: function success(result) {
+            _self.logging(`TTL check success: ${JSON.stringify(result)}`)
+            _self.ajaxPollTtlServer(result);
+          },
+          error: function error() {
+            _self.logging(`TTL check failed. Reloading page`)
+            return _self.doRedirect();
+          }
+        });
+      },
+      latency: function latency() {
+        var _self = this;
+        // milliseconds difference
+        return ((new Date() - _self.ajax_timing));
+      },
+      warningHeartbeatSuccess: function warningHeartbeatSuccess(result) {
+        var _self = this;
+        var ttlMs = result.ttl * 1000
+        var latency = _self.latency();
+        var skew = (ttlMs - _self.reminderTime);
+        _self.logging(`latency ${latency}ms`)
+        _self.logging(`skew ${skew}ms`)
+        // if the skew more than 5 seconds
+        // reset the clock to that time
+        if(skew>5000) {
+          _self.logging(`Skew is high. Resetting clock`)
+          _self.resetClock(ttlMs)
+          closeSessionWarning();
+        } else {
+          _self.logging(`Within skew. Showing countdown`)
+
+          showSessionWarning(result.ttl);
+        }
+      },
+      ajaxPollTtlServer: function ajaxPollTtlServer() {
+        var _self = this;
+        _self.ajax_timing = new Date()
+        $.ajax({
+          type: 'POST',
+          url: _self.url_post,
+          headers: { 'X-CSRF-Token': _self.csrf },
+          success: function success(result) {
+            _self.logging(`POST Heartbeat success: ${JSON.stringify(result)}`)
+            // TTL comes from server as seconds -- convert to ms
+            closeSessionWarning();
+            return _self.resetClock(result.ttl * 1000);
+          },
+          error: function error() {
+            _self.logging(`POST TTL check failed. Reloading page`)
+            return _self.doRedirect();
+          }
+        });
+      },
+      doRedirect: function doRedirect() {
+        return window.location.search += '&timeout';
+      },
+      resetClock: function resetClock(timeout) {
+        var _self = this;
+        var timeout = timeout / 1000;
+        _self.logging(`Clock Reset timout: ${timeout}`)
+        var url_get = _self.url_get;
+        var url_post = _self.url_post;
+        var csrf = _self.csrf;
+        var show_warning = _self.show_warning;
+        _self.destroy();
+        return _self.init(timeout, url_get, url_post, csrf, show_warning);
+      },
+      destroy: function destroy() {
+        var _self = this;
+        window.clearTimeout(_self.reminderClock);
+        window.clearTimeout(_self.sessionTimoutClock);
+        _self.sessionTimoutClock = undefined;
+        _self.reminderClock = undefined;
+        _self.timeout = undefined;
+        return;
+      },
+      logging: function logging(msg){
+        console.log(`${new Date().toJSON()}: SessionManager - ${msg}`)
+      }
+    };
+  };
+
+  var instance = undefined;
+  return {
+    getInstance: function getInstance() {
+      if (instance == null) {
+        instance = new SessionsClass();
+        instance.constructor = null;
+      }
+      return instance;
+    }
+  };
+}();
+
+var sessionManager = SessionsSingleton.getInstance();

data/app/assets/javascripts/rails_base/user_settings.coffee

@@ -0,0 +1,3 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/

data/app/assets/stylesheets/rails_base/admin.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/rails_base/application.scss

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, or any plugin's
+ * vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ */
+
+@import "bootstrap";

data/app/assets/stylesheets/rails_base/mfa_auth.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the mfa_auth controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

data/app/assets/stylesheets/rails_base/scaffolds.scss

@@ -0,0 +1,84 @@
+body {
+  background-color: #fff;
+  color: #333;
+  margin: 33px;
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size: 13px;
+  line-height: 18px;
+}
+
+p, ol, ul, td {
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size: 13px;
+  line-height: 18px;
+}
+
+pre {
+  background-color: #eee;
+  padding: 10px;
+  font-size: 11px;
+}
+
+a {
+  color: #000;
+
+  &:visited {
+    color: #666;
+  }
+
+  &:hover {
+    color: #fff;
+    background-color: #000;
+  }
+}
+
+th {
+  padding-bottom: 5px;
+}
+
+td {
+  padding: 0 5px 7px;
+}
+
+div {
+  &.field, &.actions {
+    margin-bottom: 10px;
+  }
+}
+
+#notice {
+  color: green;
+}
+
+.field_with_errors {
+  padding: 2px;
+  background-color: red;
+  display: table;
+}
+
+#error_explanation {
+  width: 450px;
+  border: 2px solid red;
+  padding: 7px 7px 0;
+  margin-bottom: 20px;
+  background-color: #f0f0f0;
+
+  h2 {
+    text-align: left;
+    font-weight: bold;
+    padding: 5px 5px 5px 15px;
+    font-size: 12px;
+    margin: -7px -7px 0;
+    background-color: #c00;
+    color: #fff;
+  }
+
+  ul li {
+    font-size: 12px;
+    list-style: square;
+  }
+}
+
+label {
+  display: block;
+}

data/app/assets/stylesheets/rails_base/secondary_authentication.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the secondary_authentication controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

data/app/assets/stylesheets/rails_base/user_settings.scss

@@ -0,0 +1,3 @@
+// Place all the styles related to the user_settings controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

data/app/controllers/rails_base/admin_controller.rb

@@ -0,0 +1,315 @@
+module RailsBase
+  class AdminController < ApplicationController
+    before_action :authenticate_user!, except: [:sso_retrieve]
+    before_action :admin_user?, only: [:index, :config, :sso_send]
+    before_action :validate_token!, only: [:update_email, :update_phone]
+    skip_before_action :admin_reset_impersonation_session!
+
+    include AdminHelper
+
+    # GET admin
+    def index
+    end
+
+    # GET admin
+    def show_config
+      unless RailsBase.config.admin.config_page?(current_user)
+        flash[:alert] = 'You do not have correct permissions to view admin config'
+        redirect_to RailsBase.url_routes.authenticated_root_path
+        return
+      end
+    end
+
+    #POST admin/sso/:id
+    def sso_send
+      unless RailsBase.config.admin.sso_tile_users.call(admin_user)
+        flash[:alert] = 'You do not have correct permissions to Send an SSO'
+        redirect_to RailsBase.url_routes.admin_base_path
+        return
+      end
+
+      user = User.find params[:id]
+
+      local_params = {
+        user: user,
+        token_length: Authentication::Constants::SSO_SEND_LENGTH,
+        uses: Authentication::Constants::SSO_SEND_USES,
+        reason: Authentication::Constants::SSO_REASON,
+        expires_at: Authentication::Constants::SSO_EXPIRES.from_now,
+        url_redirect: RailsBase.url_routes.user_settings_path
+      }
+
+      status = RailsBase::Authentication::SingleSignOnSend.call(local_params)
+      if status.failure?
+        @_admin_action_struct = false
+        flash[:alert] = "Failed to send SSO to user via #{status.sso_destination}. #{status.message}"
+      else
+        @_admin_action_struct = RailsBase::AdminStruct.new(nil, nil, user)
+        flash[:notice] = "Successfully sent SSO to user via #{status.sso_destination}."
+      end
+      redirect_to RailsBase.url_routes.admin_base_path
+    end
+
+    #GET auth/sso/:data
+    def sso_retrieve
+      local_params = {
+        data: params[:data],
+        reason: Authentication::Constants::SSO_REASON.to_s,
+      }
+      local_params[:bypass] = true if current_user
+
+      status = RailsBase::Authentication::SingleSignOnVerify.call(local_params)
+
+      if status.failure? && current_user.nil?
+        flash[:alert] = "SSO login failed. #{status.message}"
+        redirect_to RailsBase.url_routes.unauthenticated_root_path
+        return
+      end
+
+      if status.should_fail
+        flash[:notice] = "SSO failed but you are already logged in."
+        redirect_to status.url_redirect
+        return
+      end
+
+      if current_user
+        flash[:notice] = "SSO success. You are already logged in."
+      else
+        sign_in(status.user)
+        flash[:notice] = "SSO success. You are now logged in."
+      end
+      redirect_to status.url_redirect
+    end
+
+    # POST admin/ack
+    def ack
+      success = true
+      begin
+        time = Time.at params[:time].to_i
+        RailsBase::Admin::ActionCache.instance.delete_actions_since!(user: current_user, time: time)
+        RailsBase::Admin::ActionCache.instance.update_last_viewed(user: current_user, time: time)
+      rescue StandardError => e
+        logger.error(e.message)
+        logger.error('Failed to acknowledge users admion actions')
+        success = false
+      end
+      if success
+        render json: { success: true }
+      else
+        render json: { success: false }, status: 500
+      end
+    end
+
+    # GET admin/history
+    def history
+      unless RailsBase.config.admin.enable_history_by_user?(current_user)
+        flash[:alert] = 'You do not have correct permissions to view admin history'
+        redirect_to RailsBase.url_routes.authenticated_root_path
+        return
+      end
+
+      @starting_admin = paginate_get_admins_array.last
+      @starting_user = paginate_get_users_array.last
+      session[:rails_base_paginate_start_user] = @starting_user[1]
+      session[:rails_base_paginate_start_admin] = @starting_admin[1]
+      @starting_page = 1
+      @count_on_page = AdminAction::DEFAULT_PAGE_COUNT
+    end
+
+    # POST admin/history
+    def history_paginate
+      unless RailsBase.config.admin.enable_history_by_user?(current_user)
+        render json: { success: false, msg: 'Incorrect permissions to view this page' }, status: 403
+        return
+      end
+
+      @starting_admin = paginate_get_admins_array.find { |u| u[1] == params[:admin].to_i } || paginate_get_admins_array.last
+      @starting_user = paginate_get_users_array.find { |u| u[1] == params[:user].to_i } || paginate_get_users_array.last
+
+      @starting_page = paginate_admin_what_page
+      @count_on_page = params[:pagination_count].to_i
+
+      if paginate_diff_id?(type: :admin) || paginate_diff_id?(type: :user)
+        logger.warn "Admin or User has been selected. paginating from first page"
+        @starting_page = 1
+      end
+
+      session[:rails_base_paginate_start_user] = @starting_user[1]
+      session[:rails_base_paginate_start_admin] = @starting_admin[1]
+      begin
+        html = render_to_string(partial: 'rails_base/shared/admin_history')
+      rescue StandardError => e
+        logger.error(e.message)
+        logger.error('Failed to render html for history')
+        html
+      end
+
+      if html
+        render json: { success: true, html: html, per_page: @count_on_page, page: @starting_page }
+      else
+        render json: { success: false }, status: 500
+      end
+    end
+
+    # POST admin/update
+    def update_attribute
+      update = RailsBase::AdminUpdateAttribute.call(params: params, admin_user: admin_user)
+      if update.success?
+        @_admin_action_struct = RailsBase::AdminStruct.new(update.original_attribute, update.attribute, update.model)
+        render json: { success: true, message: update.message, attribute: update.attribute }
+      else
+        @_admin_action_struct = false
+        render json: { success: false, message: update.message }, status: 404
+      end
+    end
+
+    def update_name
+      unless RailsBase.config.admin.name_tile_users?(admin_user)
+        flash[:alert] = 'You do not have correct permissions to change a users name'
+        redirect_to RailsBase.url_routes.admin_base_path
+        return
+      end
+      user = User.find(params[:id])
+
+      result = NameChange.call(
+        first_name: params[:first_name],
+        last_name: params[:last_name],
+        current_user: user,
+        admin_user_id: accurate_admin_user
+      )
+
+      if result.success?
+        @_admin_action_struct = RailsBase::AdminStruct.new(result.original_name, result.name_change, user)
+        msg = "Successfully changed name from [#{result.original_name}] to [#{result.name_change}]"
+        render json: { success: true, message: msg, full_name: result.name_change }
+      else
+        @_admin_action_struct = false
+        render json: { success: false, message: "Failed to change #{user.id} name" }, status: 404
+      end
+    end
+
+    def update_email
+      unless RailsBase.config.admin.email_tile_users?(admin_user)
+        flash[:alert] = 'You do not have correct permissions to change a users name'
+        redirect_to RailsBase.url_routes.admin_base_path
+        return
+      end
+
+      user = User.find(params[:id])
+      result = EmailChange.call(email: params[:email], user: user)
+      if result.success?
+        @_admin_action_struct = RailsBase::AdminStruct.new(result.original_email, result.new_email, user)
+        msg = "Successfully changed email from [#{result.original_email}] to [#{result.new_email}]"
+        render json: { success: true, message: msg, email: result.new_email }
+      else
+        @_admin_action_struct = false
+        render json: { success: false, message: result.message }, status: 404
+      end
+    end
+
+    def update_phone
+      begin
+        params[:value] = params[:phone_number].gsub(/\D/,'')
+      rescue
+        params[:value] = ''
+        params[:_fail_] = true
+      end
+      params[:attribute] = :phone_number
+      update_attribute
+    end
+
+    # POST admin/validate_intent/send
+    def send_2fa
+      reason = "#{SESSION_REASON_BASE}-#{SecureRandom.uuid}"
+      result = AdminRiskyMfaSend.call(user: admin_user, reason: reason)
+      if result.success?
+        session[SESSION_REASON_KEY] = reason
+        render json: { success: true, message: result.message }
+      else
+        render json: { success: false, message: result.message }, status: 404
+      end
+    end
+
+    # POST admin/validate_intent/verify
+    def verify_2fa
+      unless modify_id = params[:modify_id]
+        logger.warn("Failed to find #{modify_id} in payload")
+        render json: { success: false, message: 'Hmm. Something fishy happend. Failed to find text to modify' }, status: 404
+        return
+      end
+
+      unless render_partial = SECOND_MODAL_MAPPING[params[:modal_mapping].to_sym] rescue nil
+        logger.warn("Mapping [#{params[:modal_mapping]}] is not defined. Expected part of #{SECOND_MODAL_MAPPING.keys}")
+        render json: { success: false, message: 'Hmm. Something fishy happend. Failed to find modal mapping' }, status: 404
+        return
+      end
+
+      unless user = User.find(params[:id]) rescue nil
+        logger.warn("Failed to find id:[#{params[:id]}] ")
+        render json: { success: false, message: 'Hmm. Something fishy happend. Failed to find associated id' }, status: 404
+        return
+      end
+
+      params = {
+        session_mfa_user_id: admin_user.id,
+        current_user: admin_user,
+        input_reason: session_reason,
+        params: parse_mfa_to_obj
+      }
+      result = RailsBase::Authentication::MfaValidator.call(params)
+      encrypt = RailsBase::Authentication::MfaSetEncryptToken.call(user: admin_user, purpose: session_reason, expires_at: 1.minute.from_now)
+
+      begin
+        html = render_to_string(partial: render_partial, locals: { user: user, modify_id: modify_id })
+      rescue StandardError => e
+        logger.warn("#{e.message}")
+        logger.warn("Failed to render html correctly")
+        html = nil
+      end
+      if html.nil?
+        logger.warn("Failed to find render html correctly")
+        render json: { success: false, message: 'Apologies. Wee are struggling to render the page. Please try again later' }, status: 500
+        return
+      end
+
+      if result.success?
+        session[:mfa_randomized_token] = encrypt.encrypted_val
+        render json: { success: true, message: result.message, html: html }
+      else
+        render json: { success: false, message: result.message }, status: 404
+      end
+    end
+
+    # POST admin/impersonate
+    def switch_back
+      unless original_user_id = session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_USERID_KEY]
+        # something wonky happend to the session. Kick user back to homepage and relogin
+        warden.logout(:user)
+        flash[:alert] = 'Unknown failure. Please log in again'
+        redirect_to RailsBase.url_routes.unauthenticated_root_path
+        session.clear
+        return
+      end
+
+      # use warden here so that we dont add to devise signin/out hooks
+      warden.set_user(User.find(original_user_id), scope: :user)
+
+      # Critical step to ensure subsequent apps dont think we are an impersonation
+      session.delete(RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON)
+
+      flash[:notice] = 'You no longer have an identity crisis. You are back to normal.'
+      redirect_to RailsBase.url_routes.admin_base_path
+    end
+
+    private
+
+    def validate_token!
+      @token_verifier =
+        RailsBase::Authentication::SessionTokenVerifier.call(mfa_randomized_token: session[:mfa_randomized_token], purpose: session_reason)
+      return if @token_verifier.success?
+
+      render json: { success: false, message: 'Authorization token has expired or not present. Try again' }, status: 403
+      return false
+    end
+  end
+end