rails_base 0.51.0

data/app/controllers/rails_base/application_controller.rb

@@ -0,0 +1,153 @@
+module RailsBase
+  class ApplicationController < ActionController::Base
+    before_action :configure_permitted_parameters, if: :devise_controller?
+    before_action :set_time_zone
+    before_action :is_timeout_error?
+    before_action :admin_reset_impersonation_session!
+    before_action :footer_mode_case
+
+    before_action :populate_admin_actions, if: -> { RailsBase.config.admin.enable_actions? }
+    after_action :capture_admin_action
+
+    include ApplicationHelper
+    include AppearanceHelper
+    include CaptureReferenceHelper
+
+    def set_time_zone
+      return unless RailsBase.config.user.tz_user_defined?
+      return if current_user.nil?
+
+      # esape this since this is not signed
+      offset = cookies[TIMEZONE_OFFSET_COOKIE].to_i
+
+      cookie_tz = ActiveSupport::TimeZone[((offset * -1) / 60.0)]
+
+      if session_tz = session[TIMEZONE_SESSION_NAME]
+        # if session exists
+        if cookie_tz && session_tz != cookie_tz.name
+          # if cookie exists and cookie_tz does not match, update db and session
+          current_user.update_tz(tz_name: cookie_tz.name)
+          session[TIMEZONE_SESSION_NAME] = cookie_tz.name
+        end
+      else
+        # if session timezone does not exist, attempt to push to DB and set to session
+        current_user.update_tz(tz_name: cookie_tz.name)
+        session[TIMEZONE_SESSION_NAME] = cookie_tz.name
+      end
+      Thread.current[TIMEZONE_THREAD_NAME] = session[TIMEZONE_SESSION_NAME]
+    end
+
+    def is_timeout_error?
+      return if current_user || !params.keys.include?('timeout')
+
+      flash[:notice] = nil
+      flash[:alert] = 'Your session expired. Please sign in again to continue.'
+    end
+
+    def admin_impersonation_session?
+      return false if current_user.nil?
+      return false unless encrypted_val = session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON].presence
+
+      token = admin_get_token(encrypted_val: encrypted_val)
+      if token.failure?
+        logger.warn "Failed to parse encrypted token. Either expired or was not present"
+        flash[:alert] = 'Failed to retrieve Session token. Retry action'
+        redirect_to RailsBase.url_routes.admin_base_path
+        return false
+      else
+        logger.info "Found original_admin_user_id"
+        @original_admin_user_id = token.user_id
+      end
+      true
+    end
+
+    def admin_reset_impersonation_session!
+      return unless admin_impersonation_session?
+
+      # at this point we know there is an impersonation
+      admin_user = User.find @original_admin_user_id
+      admin_set_token_on_session(admin_user: admin_user, other_user: current_user)
+    end
+
+    def admin_user?
+      return if RailsBase.config.admin.view_admin_page?(current_user)
+
+      session.clear
+      sign_out(current_user)
+
+      flash[:alert] = 'Unauthorized action. You have been signed out'
+      redirect_to RailsBase.url_routes.unauthenticated_root_path
+    end
+
+    def populate_admin_actions
+      return if session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON].present?
+      return if current_user.nil?
+      return unless request.fullpath == RailsBase.url_routes.authenticated_root_path
+
+      @__admin_actions_array = AdminAction.get_cache_items(user: current_user, alltime: true)
+    end
+
+    def capture_admin_action
+      # ToDo: Turn this into a service
+      # ToDo: All admin actions come there here: Allow this to be confirugable on or off
+      _controller = ActiveSupport::Inflector.camelize("#{params[:controller]}_controller")
+      admin_user =
+        if _controller == RailsBase::AdminController.to_s
+          current_user
+        else
+          @original_admin_user_id ? User.find(@original_admin_user_id) : nil
+        end
+
+      # Means we are not in the admin controller or we are not impersonating
+      return if admin_user.nil? || @_admin_action_struct == false
+
+      # Admin action for all routes
+      (RailsBase::Admin::ActionHelper.actions.dig(RailsBase::Admin::ActionHelper::ACTIONS_KEY) || []).each do |helper|
+        Rails.logger.warn("Admin Action for every action")
+        helper.call(req: request, params: params, admin_user: admin_user, user: current_user, struct: @_admin_action_struct)
+      end
+
+      # Admin action for all controller routes
+      object = RailsBase::Admin::ActionHelper.actions.dig(_controller, RailsBase::Admin::ActionHelper::CONTROLLER_ACTIONS_KEY) || []
+      object.each do |helper|
+        Rails.logger.warn("Admin Action for #{_controller}")
+        helper.call(req: request, params: params, admin_user: admin_user, user: current_user, struct: @_admin_action_struct)
+      end
+
+      # Admin action for all controller action specific routes
+      (RailsBase::Admin::ActionHelper.actions.dig(_controller, params[:action].to_s) || []).each do |helper|
+        Rails.logger.warn("Admin Action for #{_controller}##{params[:action]}")
+        helper.call(req: request, params: params, admin_user: admin_user, user: current_user, struct: @_admin_action_struct)
+      end
+    end
+
+    protected
+
+    def admin_get_token(encrypted_val:)
+      params = {
+        mfa_randomized_token: encrypted_val,
+        purpose: RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON,
+      }
+      RailsBase::Authentication::SessionTokenVerifier.call(params)
+    end
+
+    def admin_set_token_on_session(admin_user:, other_user:)
+      if admin_user.id !=  other_user.id #dont do this if you are yourself
+        logger.warn { "Admin user [#{admin_user.id}] is impersonating user #{other_user.id}" }
+        params = {
+          user: admin_user,
+          purpose: RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON,
+          expires_at: RailsBase::Authentication::Constants::ADMIN_MAX_IDLE_TIME.from_now
+        }
+        encrpytion = RailsBase::Authentication::MfaSetEncryptToken.call(params)
+        session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON] = encrpytion.encrypted_val
+      end
+    end
+
+    def configure_permitted_parameters
+      added_attrs = [:phone_number, :email, :password, :password_confirmation, :remember_me]
+      devise_parameter_sanitizer.permit :sign_up, keys: added_attrs
+      devise_parameter_sanitizer.permit :account_update, keys: added_attrs
+    end
+  end
+end

data/app/controllers/rails_base/errors_controller.rb

@@ -0,0 +1,29 @@
+module RailsBase
+  class ErrorsController < ApplicationController
+    before_action :set_variable
+
+    def not_found
+      @status = 404
+      @message = "The Page can't be found"
+      render template: 'rails_base/errors/not_found'
+    end
+
+    def unacceptable
+      @status = 422
+      @message = "Client Error. Please retry"
+      render template: 'rails_base/errors/unacceptable'
+    end
+
+    def internal_error
+      @status = 500
+      @message = "An Internal Error has occured"
+      render template: 'rails_base/errors/internal_error'
+    end
+
+    private
+
+    def set_variable
+      @error_page = true
+    end
+  end
+end

data/app/controllers/rails_base/mfa_auth_controller.rb

@@ -0,0 +1,50 @@
+module RailsBase
+  class MfaAuthController < ApplicationController
+    before_action :validate_token, only: [:mfa_code, :mfa_code_verify, :resend_mfa]
+
+    # GET /mfa_verify
+    def mfa_code
+      @masked_phone = User.find(@token_verifier.user_id).masked_phone
+    end
+
+    # POST /mfa_verify
+    def mfa_code_verify
+      mfa_validity = RailsBase::Authentication::MfaValidator.call(params: params, session_mfa_user_id: @token_verifier.user_id)
+      if mfa_validity.failure?
+        redirect_to(mfa_validity.redirect_url, alert: mfa_validity.message)
+        return
+      end
+
+      mfa_validity.user.set_last_mfa_login!
+
+      sign_in(mfa_validity.user)
+      redirect_to RailsBase.url_routes.authenticated_root_path, notice: "Welcome #{mfa_validity.user.full_name}"
+    end
+
+    # POST /mfa_verify
+    def resend_mfa
+      user = User.find(@token_verifier.user_id)
+      mfa_token = RailsBase::Authentication::SendLoginMfaToUser.call(user: user)
+      if mfa_token.failure?
+        flash[:error] = mfa_token.message
+        session[:mfa_randomized_token] = nil
+        redirect_to RailsBase.url_routes.new_user_session_path, email: params.dig(:user,:email), alert: mfa_token.message
+        return
+      end
+      expired_at = Time.zone.parse(@token_verifier.expires_at)
+      session[:mfa_randomized_token] =
+        RailsBase::Authentication::MfaSetEncryptToken.call(user: user, expires_at: expired_at).encrypted_val
+
+      redirect_to RailsBase.url_routes.mfa_code_path, notice: "MFA has been sent via SMS to number on file"
+    end
+
+    def validate_token
+      @token_verifier =
+        RailsBase::Authentication::SessionTokenVerifier.call(mfa_randomized_token: session[:mfa_randomized_token])
+      return if @token_verifier.success?
+
+      redirect_to RailsBase.url_routes.new_user_session_path, alert: @token_verifier.message
+      return false
+    end
+  end
+end

data/app/controllers/rails_base/secondary_authentication_controller.rb

@@ -0,0 +1,224 @@
+module RailsBase
+  class SecondaryAuthenticationController < ApplicationController
+    before_action :authenticate_user!, only: [:remove_phone_mfa, :confirm_phone_registration]
+
+    before_action :validate_token!, only: [:resend_email, :wait, :confirm_phone_registration]
+
+    before_action :json_validate_current_user!, only: [:phone_registration]
+
+    # GET auth/wait
+    def static
+      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+
+      if flash[:notice].nil? && flash[:alert].nil?
+        flash[:notice] = Authentication::Constants::STATIC_WAIT_FLASH
+      end
+    end
+
+    def remove_me
+    end
+
+    def testing_route
+      Rails.logger.error("This will cause an error to be thrown")
+      raise ArgumentError, 'Boo'
+    end
+
+    # POST auth/resend_email
+    def resend_email
+      user = User.find @token_verifier.user_id
+      email_verification = Authentication::SendVerificationEmail.call(user: user, reason: Authentication::Constants::SVE_LOGIN_REASON)
+      params =
+        if email_verification.failure?
+          { alert: email_verification.message }
+        else
+          { notice: I18n.t('authentication.resend_email', email: user.email) }
+        end
+      redirect_to RailsBase.url_routes.auth_static_path, params
+    end
+
+    # GET auth/email/:data
+    def email_verification
+      verify = Authentication::SsoVerifyEmail.call(verification: params[:data])
+
+      if verify.failure?
+        redirect_to(verify.redirect_url, alert: verify.message)
+        return
+      end
+
+      session[:mfa_randomized_token] = verify.encrypted_val
+      redirect_to RailsBase.url_routes.login_after_email_path
+    end
+
+    # GET auth/login
+    def after_email_login_session_new
+      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+
+      @user = User.new
+      if flash[:alert].nil? && flash[:notice].nil?
+        flash[:notice] = I18n.t('authentication.after_email_login_session_new')
+      end
+    end
+
+    # POST auth/login
+    def after_email_login_session_create
+      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+
+      flash[:notice] = nil
+      flash[:alert] = nil
+      authenticate = Authentication::AuthenticateUser.call(email: params[:user][:email], password: params[:user][:password])
+      if authenticate.failure?
+        flash[:alert] = authenticate.message
+        @user = User.new(email: params[:user][:email])
+        render :after_email_login_session_new
+        return
+      end
+
+      sign_in(authenticate.user)
+      flash[:notice] = I18n.t('authentication.after_email_login_session_create')
+      redirect_to RailsBase.url_routes.authenticated_root_path
+    end
+
+    # POST auth/phone
+    def phone_registration
+      result = Authentication::UpdatePhoneSendVerification.call(user: current_user, phone_number: params[:phone_number])
+      if result.failure?
+        render :json => { error: I18n.t('request_response.teapot.fail'), msg: result.message }.to_json, :status => 418
+        return
+      end
+      session[:mfa_randomized_token] = result.mfa_randomized_token
+
+      render :json => { status: :success, message: I18n.t('request_response.teapot.valid') }
+    end
+
+    # POST auth/phone/mfa
+    def confirm_phone_registration
+      mfa_validity = Authentication::MfaValidator.call(current_user: current_user, params: params, session_mfa_user_id: @token_verifier.user_id)
+      if mfa_validity.failure?
+        redirect_to RailsBase.url_routes.authenticated_root_path, alert: I18n.t('authentication.confirm_phone_registration.fail', message: mfa_validity.message)
+        return
+      end
+
+      current_user.update!(mfa_enabled: true)
+
+      redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('authentication.confirm_phone_registration.valid')
+    end
+
+    # DELETE auth/phone/disable
+    def remove_phone_mfa
+      current_user.update!(mfa_enabled: false, last_mfa_login: nil)
+      redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('authentication.remove_phone_mfa')
+    end
+
+    # GET auth/email/forgot/:data
+    def forgot_password
+      result = Authentication::VerifyForgotPassword.call(data: params[:data])
+
+      if result.failure?
+        redirect_to result.redirect_url, alert: result.message
+        return
+      end
+      session[:mfa_randomized_token] = result.encrypted_val
+      flash[:notice] =
+        if @mfa_flow = result.mfa_flow
+          I18n.t('authentication.forgot_password.2fa')
+        else
+          I18n.t('authentication.forgot_password.base')
+        end
+      @user = result.user
+      @data = params[:data]
+    end
+
+    # POST auth/email/forgot/:data
+    def forgot_password_with_mfa
+      return unless validate_token!(purpose: Authentication::Constants::VFP_PURPOSE)
+
+      # datum is expired because it was used with #forgot_password method
+      # we dont care, we just want to ensure the correct user (multiple verification ways)
+      # -- validate user by datum
+      # -- validate user by short lived token
+      # -- validate user by mfa_token
+      # -- When all match by user and within the lifetime of the short lived token... we b gucci uber super secure/over engineered
+      expired_datum = ShortLivedData.get_by_data(data: params[:data], reason: Authentication::Constants::VFP_REASON)
+
+      unless expired_datum
+        redirect_to(RailsBase.url_routes.new_user_password_path, alert: I18n.t('authentication.forgot_password_with_mfa.expired_datum'))
+        return
+      end
+
+      result = Authentication::MfaValidator.call(params: params, session_mfa_user_id: @token_verifier.user_id, current_user: expired_datum.user)
+      if result.failure?
+        redirect_to(RailsBase.url_routes.new_user_password_path, alert: result.message)
+        return
+      end
+
+      @mfa_flow = false
+      @data = params[:data]
+      @user = result.user
+      flash[:notice] = I18n.t('authentication.forgot_password_with_mfa.valid_mfa')
+      render :forgot_password
+    end
+
+    # POST auth/email/reset/:data
+    def reset_password
+      return unless validate_token!(purpose: Authentication::Constants::VFP_PURPOSE)
+
+      result = Authentication::ModifyPassword.call(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation], data: params[:data], user_id: @token_verifier.user_id, flow: :forgot_password)
+      if result.failure?
+        redirect_to RailsBase.url_routes.new_user_password_path, alert: result.message
+        return
+      end
+
+      redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('authentication.reset_password')
+    end
+
+    # GET auth/validate/:data
+    def sso_login
+      input_params = {
+        data: params[:data],
+        reason: RailsBase::Authentication::Constants::SSO_LOGIN_REASON
+      }
+      sso_decision = RailsBase::Authentication::SingleSignOnVerify.call(input_params)
+      if sso_decision.failure?
+        if current_user.nil?
+          flash[:alert] = I18n.t('authentication.sso_login.fail') + sso_decision.message
+          redirect_to RailsBase.url_routes.unauthenticated_root_path
+          return
+        else
+          logger.info('User is logged in but failed the SSO login')
+        end
+      end
+
+
+      sign_in(sso_decision.user) if current_user.nil?
+
+      url =
+        if RailsBase.route_exist?(sso_decision.url_redirect)
+          sso_decision.url_redirect
+        else
+          logger.debug("Failed to find #{sso_decision.url_redirect}. Redirecing to root")
+          RailsBase.url_routes.authenticated_root_path
+        end
+
+      flash[:notice] = I18n.t('authentication.sso_login.valid')
+      redirect_to url
+    end
+
+    private
+
+    def json_validate_current_user!
+      return if current_user
+
+      render json: { error: "Unauthorized" }.to_json, :status => 401
+      return false
+    end
+
+    def validate_token!(purpose: Authentication::Constants::MSET_PURPOSE)
+      @token_verifier =
+        Authentication::SessionTokenVerifier.call(purpose: purpose, mfa_randomized_token: session[:mfa_randomized_token])
+      return true if @token_verifier.success?
+
+      redirect_to RailsBase.url_routes.new_user_session_path, alert: @token_verifier.message
+      return false
+    end
+  end
+end