rails_base 0.51.0

data/app/controllers/rails_base/switch_user_controller.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+module RailsBase
+  class SwitchUserController < ::SwitchUserController
+    before_action :admin_user?
+    before_action :admin_user
+    before_action :can_impersonate?
+    after_action :admin_set_impersonation_session!, only: [:set_current_user]
+
+    def admin_set_impersonation_session!
+      admin_set_token_on_session(admin_user: admin_user, other_user: provider.current_user)
+      session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_USERID_KEY] = admin_user.id
+    end
+
+    def can_impersonate?
+      return if RailsBase.config.admin.impersonate_tile_users.call(admin_user)
+
+      flash[:alert] = "You do not have correct permissions to impersonate users"
+      redirect_to RailsBase.url_routes.admin_base
+    end
+
+    def admin_user
+      if session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_USERID_KEY]
+        User.find session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_USERID_KEY]
+      else
+        current_user
+      end
+    end
+  end
+end

data/app/controllers/rails_base/user_settings_controller.rb

@@ -0,0 +1,81 @@
+module RailsBase
+  class UserSettingsController < ApplicationController
+    before_action :authenticate_user!
+    before_action :confirm_password_flow, only: :confirm_password
+
+    include RailsBase::UserSettingsHelper
+
+    # GET user/settings
+    def index
+    end
+
+    # POST user/settings/edit/name
+    def edit_name
+      result = NameChange.call(
+        first_name: params[:user][:first_name],
+        last_name: params[:user][:last_name],
+        current_user: current_user
+      )
+
+      if result.failure?
+        flash[:alert] = result.message
+      else
+        @_admin_action_struct = RailsBase::AdminStruct.new(result.original_name, result.name_change)
+        flash[:notice] = "Name change succesful to #{result.name_change}"
+      end
+
+      redirect_to RailsBase.url_routes.user_settings_path
+    end
+
+    # POST user/settings/edit/password
+    # expected ajax POST
+    def edit_password
+      # current user is method and we will loose context if we are succesful in changing password
+      # store current user in current context
+      user = current_user
+      result = RailsBase::Authentication::ModifyPassword.call(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation], current_user: current_user, flow: :user_settings)
+
+      if result.failure?
+        redirect_to RailsBase.url_routes.user_settings_path, alert: result.message
+        return
+      end
+
+      # password was changed so authentication will fail. Re-signin user
+      sign_out(current_user)
+      sign_in(user.reload)
+      redirect_to RailsBase.url_routes.user_settings_path, notice: 'Succesfully changed password'
+    end
+
+    # POST user/settings/confirm/password/:reason
+    def confirm_password
+      authenticate = RailsBase::Authentication::AuthenticateUser.call(email: current_user.email, current_user: current_user, password: params[:user][:password])
+
+      if authenticate.failure?
+        render json: { msg: authenticate.message }, status: 418
+      else
+        html = render_to_string partial: CONFIRM_PASSWORD_FLOW[params[:reason].to_sym]
+        render json: { html: html, datum: datum.data }
+      end
+    end
+
+    # POST user/settings/destroy
+    def destroy_user
+      destroy = RailsBase::Authentication::DestroyUser.call(data: params[:data], current_user: current_user)
+
+      if destroy.failure?
+        redirect_to RailsBase.url_routes.user_settings_path, alert: destroy.message
+      else
+        redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('user_setting.destroy_user.soft')
+      end
+    end
+
+    private
+
+     def confirm_password_flow
+        return true if CONFIRM_PASSWORD_FLOW.keys.include?(params[:reason].to_sym)
+
+        render json: { msg: 'invalid parameter' }, status: 418
+        false
+     end
+  end
+end

data/app/controllers/rails_base/users/passwords_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class RailsBase::Users::PasswordsController < Devise::PasswordsController
+  # GET /resource/password/new
+  def new
+    self.resource = User.new
+    render template: 'rails_base/devise/passwords/new'
+  end
+
+  # POST /resource/password
+  def create
+    result = RailsBase::Authentication::SendForgotPassword.call(email: params[:user][:email])
+    if result.failure?
+      redirect_to RailsBase.url_routes.new_user_password_path, alert: result.message
+      return
+    end
+     redirect_to RailsBase.url_routes.new_user_password_path, notice: result.message
+  end
+end

data/app/controllers/rails_base/users/registrations_controller.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+class RailsBase::Users::RegistrationsController < Devise::RegistrationsController
+  include RailsBase::UserFieldValidators
+  before_action :configure_sign_up_params, only: [:create]
+  # before_action :configure_account_update_params, only: [:update]
+
+  # GET /resource/sign_up
+  def new
+    # super
+    @resource = User.new
+    @resource_name = :user
+    render template: 'rails_base/devise/registrations/new'
+  end
+
+  # POST /users/create
+  def create
+    # Finds the resource by email and updates tha attributes ... or creates new resource
+    resource = (User.find_by_email(params[:user][:email])) || User.new
+    if resource.encrypted_password.present?
+      @email = params[:user][:email]
+      redirect_to RailsBase.url_routes.new_user_session_path, notice: 'Credentials exist. Please login or click forgot Password'
+      return
+    end
+
+    user_form_validation = validate_complement?(user_params: params[:user])
+
+    unless user_form_validation[:status]
+      resource.assign_attributes(sign_up_params.except(:password, :password_confirmation))
+      @resource = resource
+      @resource_name = resource_name
+      @alert_errors = user_form_validation[:errors]
+      flash[:error] = @alert_errors.values.join('</br>')
+      render :new, notice: "Failure shit"
+      return
+    end
+
+    resource.admin = RailsBase.config.admin.default_admin_type
+    resource.assign_attributes(sign_up_params)
+
+    if resource.save
+      resource.reload
+      sign_up(resource_name, resource)
+      sign_out(resource)
+
+      email_verification = RailsBase::Authentication::SendVerificationEmail.call(user: resource, reason: RailsBase::Authentication::Constants::SVE_LOGIN_REASON)
+      if email_verification.failure?
+        render RailsBase.url_routes.auth_static_path, alert: email_verification.message
+        return
+      end
+      session[:mfa_randomized_token] = nil
+      session[:mfa_randomized_token] =
+        RailsBase::Authentication::MfaSetEncryptToken.call(purpose: RailsBase::Authentication::Constants::SSOVE_PURPOSE, user: resource, expires_at: Time.zone.now + 20.minutes).encrypted_val
+      redirect_to RailsBase.url_routes.auth_static_path, notice: "Check email for verification email."
+    else
+      flash[:error] = resource.errors.messages
+      email = params[:email] if !resource.errors.details.keys.include?(:email)
+      @resource = resource
+      @resource_name = resource_name
+      render :new, notice: 'Unknown failure. Please try again'
+    end
+  end
+
+  # GET /resource/edit
+  def edit
+    raise
+  end
+
+  # PUT /resource
+  def update
+    raise
+  end
+
+  protected
+
+  # If you have extra params to permit, append them to the sanitizer.
+  def configure_sign_up_params
+    devise_parameter_sanitizer.permit(:sign_up, keys: [:first_name, :last_name])
+  end
+end

data/app/controllers/rails_base/users/sessions_controller.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+class RailsBase::Users::SessionsController < Devise::SessionsController
+  prepend_before_action :protect_heartbeat, only: [:hearbeat_without_auth, :hearbeat_with_auth]
+  prepend_before_action :skip_timeout, only: [:hearbeat_without_auth]
+
+  # GET /user/sign_in
+  def new
+    @user = User.new
+    render template: 'rails_base/devise/sessions/new'
+  end
+
+  # POST /user/sign_in
+  def create
+    # Warden/Devise will try to sign the user in before we explicitly do
+    # Sign ou the user when this happens so we can sign them back in later
+    sign_out(current_user) if current_user
+
+    authenticate = RailsBase::Authentication::AuthenticateUser.call(email: params[:user][:email], password: params[:user][:password])
+
+    if authenticate.failure?
+      @user = User.new(email: params[:user][:email])
+      flash[:alert] = authenticate.message
+      render template: 'rails_base/devise/sessions/new'
+      return
+    end
+
+    mfa_decision = RailsBase::Authentication::DecisionTwofaType.call(user: authenticate.user)
+    if mfa_decision.failure?
+      redirect_to RailsBase.url_routes.new_user_session_path, email: params[:user][:email], alert: mfa_decision.message
+      return
+    end
+
+    if mfa_decision.set_mfa_randomized_token
+      session[:mfa_randomized_token] =
+        RailsBase::Authentication::MfaSetEncryptToken.call(
+          user: authenticate.user,
+          expires_at: mfa_decision.token_ttl,
+          purpose: mfa_decision.mfa_purpose,
+        ).encrypted_val
+    end
+
+    redirect =
+      if mfa_decision.sign_in_user
+        sign_in(authenticate.user)
+        # only referentially redirect when we know the user should sign in
+        redirect_from_reference
+      end
+
+    redirect ||= mfa_decision.redirect_url
+
+    logger.info { "Successful sign in: Redirecting to #{redirect}" }
+
+    redirect_to(redirect, mfa_decision.flash)
+  end
+
+  # DELETE /user/sign_out
+  def destroy
+    session[:mfa_randomized_token] = nil
+
+    # force the user to sign out
+    sign_out(current_user)
+    reset_session
+
+    admin_reset_session!
+
+    flash[:notice] = 'You have been succesfully signed out'
+    redirect_to RailsBase.url_routes.unauthenticated_root_path
+  end
+
+  # GET /heartbeat
+  def hearbeat_without_auth
+    skip_capture_reference!
+    heartbeat
+  end
+
+  # POST /heartbeat
+  def hearbeat_with_auth
+    heartbeat
+  end
+
+  private
+
+  def heartbeat
+    if current_user
+      last_request = session['warden.user.user.session']['last_request_at']
+      ttd = last_request + Devise.timeout_in.to_i
+      ttl = ttd - Time.zone.now.to_i
+      render json: { success: true, ttd: ttd, ttl: ttl, last_request: last_request }
+    else
+      render json: { success: false }, status: 401
+    end
+  end
+
+  # ensure session is present before we try and do anything
+  # proects the site by not querying for current_user
+  # would be better to do this at edge layer
+  def protect_heartbeat
+    return true if session.keys.present? || browser.bot?
+
+    logger.warn { "Hack attempt. Checking the heartbeat bad user agent. bot?:[#{browser.bot}]" }
+    render json: { success: false }, status: 401
+  end
+
+  def skip_timeout
+    request.env["devise.skip_trackable"] = true
+  end
+end

data/app/helpers/rails_base/admin_helper.rb

@@ -0,0 +1,107 @@
+module RailsBase
+  module AdminHelper
+
+    SESSION_REASON_BASE = 'admin_random'
+    SESSION_REASON_KEY = 'admin_2fa_verify'
+
+    SECOND_MODAL_MAPPING = {
+      phone_number: 'rails_base/shared/admin_modify_phone',
+      email: 'rails_base/shared/admin_modify_email'
+    }
+
+    def filtered_classes(user, admin)
+      RailsBase.config.admin.admin_page_filter.map do |object|
+        object[:id] if object[:proc].call(user, admin)
+      end.compact.join(' ')
+    end
+
+    def users_for_proc(proc)
+      User.all.select do |user|
+        proc.call(user)
+      end.map(&:inspect_name)
+    end
+
+    def array_for_proc(proc, array)
+      array.map do |instance|
+        proc.call(instance)
+      end
+    end
+
+    def paginated_records
+      AdminAction.paginate_records(page: @starting_page, count_on_page: @count_on_page, user_id: @starting_user[1], admin_id: @starting_admin[1])
+    end
+
+    def fullsized_paginated_count
+      AdminAction.paginate_records(page: @starting_page, count_on_page: @count_on_page, user_id: @starting_user[1], admin_id: @starting_admin[1], count: true)
+    end
+
+    def paginate_admin_what_page
+      return params[:page].to_i if params[:pagination_count].to_i == params[:prev_count].to_i
+
+      prev_page = params[:prev_page].to_i > 0 ? (params[:prev_page].to_i - 1) : 1
+      start_prev = prev_page * params[:prev_count].to_i
+      page = (start_prev / params[:pagination_count].to_i)
+      page > 0 ? page : 1
+    end
+
+    def paginate_admin_history_range(start:)
+      ((start-AdminAction::DEFAULT_PAGE_RANGE)..(start+AdminAction::DEFAULT_PAGE_RANGE))
+    end
+
+    def paginante_class_names(curr_page:, page_number:, count_on_page:)
+      bootstrap_class = 'disabled' unless paginate_can_view_page?(page_number: page_number, count_on_page: count_on_page)
+      bootstrap_class = 'active' if curr_page == page_number
+      bootstrap_class || ''
+    end
+
+    def paginate_can_view_page?(page_number:, count_on_page:)
+      min_size = (page_number-1) * count_on_page
+      fullsized_paginated_count >= min_size
+    end
+
+    def paginate_admin_can_next?(page_number:, count_on_page:)
+      min_size = (page_number) * count_on_page
+      fullsized_paginated_count >= min_size
+    end
+
+    def paginate_admin_can_prev?(page_number:, count_on_page:)
+      return false if (page_number - 1) < 1
+
+      min_size = (page_number - 1) * count_on_page
+      fullsized_paginated_count > min_size
+    end
+
+    def paginate_get_users_array
+      @paginate_get_users_array ||= User.where(active: true).map { |u| [u.full_name, u.id] } << ['All Users', -1]
+    end
+
+    def paginate_get_admins_array
+      @paginate_get_admins_array ||= User.where.not(admin: :none).map { |u| [u.full_name, u.id] } << ['All Admins', -1]
+    end
+
+    def paginate_diff_id?(type:)
+      session[:"rails_base_paginate_start_#{type}"] != params[type].to_i
+    end
+
+    def accurate_admin_user
+      session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_USERID_KEY] ||
+        current_user.id
+    end
+
+    def admin_user
+      @admin_user ||= User.find(accurate_admin_user)
+    end
+
+    def session_reason
+      session[SESSION_REASON_KEY]
+    end
+
+    def parse_mfa_to_obj
+      arr = []
+      params[:mfa_input].split('').each_with_index do |code, i|
+        arr << ["#{RailsBase::Authentication::Constants::MV_BASE_NAME}#{i}", code]
+      end
+      { mfa: arr.to_h.symbolize_keys }
+    end
+  end
+end

data/app/helpers/rails_base/appearance_helper.rb

@@ -0,0 +1,58 @@
+module RailsBase::AppearanceHelper
+  APPEARANCE_MODE_COOKIE = "_#{Rails.application.class.parent_name}_appearance_mode".gsub(' ', '-').downcase
+  APPEARANCE_MODE_ACTUAL_COOKIE = "_#{Rails.application.class.parent_name}_appearance_actual_mode".gsub(' ', '-').downcase
+  APPEARANCE_TEXT_CLASS = RailsBase::Configuration::Display::Text::APPEARANCE_TEXT_CLASS
+
+  VIEWPORT_EXTRA_SMALL = 'xs'.freeze
+  VIEWPORT_SMALL = 'sm'.freeze
+  VIEWPORT_MEDIUM = 'md'.freeze
+  VIEWPORT_LARGE = 'lg'.freeze
+  VIEWPORT_EXTRA_LARGE = 'xl'.freeze
+
+  VIEWPORT_MOBILE_MAX = VIEWPORT_MEDIUM
+
+  VIEWPORT_SIZES = {
+    VIEWPORT_EXTRA_SMALL => 576,
+    VIEWPORT_SMALL => 768,
+    VIEWPORT_MEDIUM => 992,
+    VIEWPORT_LARGE => 1200,
+    VIEWPORT_EXTRA_LARGE => nil,
+  }
+
+  def footer_mode_case
+    return :sticky if @_sticky_mode
+
+    return :bottom if RailsBase.appearance.footer.content_bottom_or_sticky
+
+    sticky_pages = RailsBase.appearance.footer.sticky_pages
+    return if sticky_pages.empty?
+
+    full_controller_path = "#{controller_path.camelize}Controller"
+    return unless pages = sticky_pages[full_controller_path]
+
+    return :sticky if pages.include?(action_name.to_sym)
+    nil
+  end
+
+  def force_sticky_mode!
+    @_sticky_mode = true
+  end
+
+  def appearance_text_class
+    APPEARANCE_TEXT_CLASS
+  end
+
+  def appearance_mode_drop_down
+    @appearance_mode_drop_down ||= begin
+      current = cookies[APPEARANCE_MODE_COOKIE]
+      actual = cookies[APPEARANCE_MODE_ACTUAL_COOKIE]
+      raw_types = RailsBase::Configuration::Appearance::APPEARANCE_TYPES
+      types_a = raw_types.map(&:to_a).map(&:flatten).map(&:reverse)
+      types = raw_types.keys
+      unless types.include?(current&.to_sym)
+        cookies[APPEARANCE_MODE_COOKIE] = current = RailsBase.appearance.default_mode
+      end
+      { types: types, current: current, types_a: types_a, actual: actual }
+    end
+  end
+end