rails_base 0.51.0

data/app/services/rails_base/authentication/authenticate_user.rb

@@ -0,0 +1,28 @@
+module RailsBase::Authentication
+	class AuthenticateUser < RailsBase::ServiceBase
+		delegate :email, to: :context
+		delegate :password, to: :context
+		delegate :current_user, to: :context
+
+		def call
+			user = current_user || User.find_for_authentication(email: email)
+			valid = user.present? && user.valid_password?(password)
+			if valid
+				log(level: :info, msg: "Correctly found valid user_id #{user.id}")
+				context.user = user
+			else
+				log(level: :warn, msg: "Failed to validate credentials")
+				log(level: :warn, msg: "Found user? #{user.present?}. Valid password?[#{user&.valid_password?(password)}]")
+				context.fail!(message: "Incorrect credentials. Please try again")
+			end
+		end
+
+		def validate!
+			raise "Expected email to be a String. Received #{email.class}" unless email.is_a? String
+			raise "Expected password to be a String. Received #{password.class}" unless password.is_a? String
+
+			return unless current_user
+			raise "Expected current_user to be a User. Received #{current_user.class}" unless current_user.is_a? User
+		end
+	end
+end

data/app/services/rails_base/authentication/constants.rb

@@ -0,0 +1,60 @@
+module RailsBase::Authentication
+	module Constants
+		# Shared
+		URL_HELPER = RailsBase.url_routes
+		BASE_URL = RailsBase.config.app.base_url
+		BASE_URL_PORT = RailsBase.config.app.base_port
+		MFA_REASON = :two_factor_mfa_code
+		MFA_LENGTH = RailsBase.config.mfa.mfa_length
+		EMAIL_LENGTH = 255 # MAX LENGTH we can insert into mysql
+
+		MIN_NAME = 2
+		MAX_NAME = 25
+		NAME_VALIDATION = "Must be #{MIN_NAME} to #{MAX_NAME} in length. Can contain characters [a-zA-Z ']"
+
+		# verify forgot password
+		VFP_PURPOSE = :forgot_password_flow
+		VFP_REASON = :email_sso_forgot_password
+
+		# mfa set encrypt token
+		MSET_PURPOSE = :mfa_session_token
+
+		# send login mfa to user
+		SLMTU_TTL = (5.minutes + 30.seconds)
+
+		# send verification email
+		SVE_TTL = 1.hour || 7.minutes
+		SVE_LOGIN_REASON = :email_sso_login_verify
+		SVE_FORGOT_REASON = :email_sso_forgot_password
+
+		# mfa validator
+		MV_BASE_NAME = 'mfa_pos_'
+		MV_FISHY = 'Kicked back to login. You are doing something fishy.'
+
+		# sso verifiy email
+		SSOVE_PURPOSE = :verify_email
+
+		# modify password
+		MP_MIN_LENGTH = 7
+		MP_MIN_NUMS = 1
+		MP_MIN_ALPHA = 6
+		var = []
+		var << "contain at least #{MP_MIN_NUMS} numerics [0-9]" if MP_MIN_NUMS > 0
+		var << "contain at least #{MP_MIN_ALPHA} letters [a-z,A-Z]" if MP_MIN_NUMS > 0
+		MP_REQ_MESSAGE = "Password must #{var.join(' and ')}. Minimum length is #{MP_MIN_LENGTH} and contain [1-9a-zA-Z] only"
+
+		STATIC_WAIT_FLASH = '"Check email inbox for verification email. Follow instructions to gain access"'
+
+		# SSO LOGIN Reason
+		SSO_LOGIN_REASON = 'sso_login_data'
+
+		ADMIN_REMEMBER_REASON = 'current_admin_user'
+		ADMIN_REMEMBER_USERID_KEY = 'admin_remember_me_via_coco'
+		ADMIN_MAX_IDLE_TIME = 3.minutes
+
+		SSO_SEND_LENGTH = 64
+		SSO_SEND_USES = 2
+		SSO_REASON = :sending_sso_to_user
+		SSO_EXPIRES = 2.hours
+	end
+end

data/app/services/rails_base/authentication/decision_twofa_type.rb

@@ -0,0 +1,76 @@
+module RailsBase::Authentication
+	class DecisionTwofaType < RailsBase::ServiceBase
+		delegate :user, to: :context
+
+	  include ActionView::Helpers::DateHelper
+
+		def call
+			# default return values
+			context.set_mfa_randomized_token = false
+			context.sign_in_user = false
+
+			mfa_decision =
+				if user.email_validated
+					if RailsBase.config.mfa.enable? && user.mfa_enabled
+						mfa_enabled_context!
+					else
+						# user has signed up and validated email
+						# user does not have mfa enabled
+						sign_in_user_context!
+						context.flash = { notice: "Welcome. You have succesfully signed in. We suggest enabling 2fa authentication to secure your account" }
+						nil
+					end
+				else
+					validate_email_context!
+				end
+
+			if mfa_decision && mfa_decision.failure?
+				log(level: :error, msg: "Service error bubbled up. Failing with: #{mfa_decision.message}")
+				context.fail!(message: mfa_decision.message)
+			end
+
+			log(level: :info, msg: "User #{user.id}: redirect_url: #{context.redirect_url}, sign_in_user: #{context.sign_in_user}, flash: #{context.flash}")
+		end
+
+		def validate_email_context!
+			# user has signed up but have not validated their email
+			context.redirect_url = Constants::URL_HELPER.auth_static_path
+			context.set_mfa_randomized_token = true
+			context.mfa_purpose = Constants::SSOVE_PURPOSE
+			context.flash = { notice: Constants::STATIC_WAIT_FLASH }
+			context.token_ttl = Time.zone.now + 5.minutes
+			SendVerificationEmail.call(user: user, reason: Constants::SVE_LOGIN_REASON)
+		end
+
+		def sign_in_user_context!
+			log(level: :warn, msg: "Will log in user #{user.id} and bypass 2fa")
+			context.redirect_url = Constants::URL_HELPER.authenticated_root_path
+			context.sign_in_user = true
+		end
+
+		def mfa_enabled_context!
+			if user.past_mfa_time_duration?
+				# user has signed up and validated email
+				# user has mfa enabled
+				log(level: :warn, msg: "User needs to go through mfa flow. #{user.last_mfa_login} < #{User.time_bound}")
+				context.redirect_url = Constants::URL_HELPER.mfa_code_path
+				context.set_mfa_randomized_token = true
+				context.mfa_purpose = nil # use default
+				context.flash = { notice: "Please check your mobile device. We sent an SMS for 2fa verification" }
+				result = SendLoginMfaToUser.call(user: user)
+				context.token_ttl = result.short_lived_data.death_time if result.success?
+				result
+			else
+				sign_in_user_context!
+				mfa_free_words = distance_of_time_in_words(user.last_mfa_login, User.time_bound)
+				context.flash = { notice: "Welcome. You have succesfully signed in. You will be mfa free for another #{mfa_free_words}" }
+				log(level: :info, msg: "User is mfa free for another #{mfa_free_words}")
+				nil
+			end
+		end
+
+		def validate!
+			raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+		end
+	end
+end

data/app/services/rails_base/authentication/destroy_user.rb

@@ -0,0 +1,45 @@
+module RailsBase::Authentication
+  class DestroyUser < RailsBase::ServiceBase
+    delegate :current_user, to: :context
+    delegate :data, to: :context
+
+    include RailsBase::UserSettingsHelper
+
+    def call
+      datum = get_short_lived_datum(data)
+      validate_datum?(datum)
+      # sign_out(current_user)
+      destroy_user!
+    end
+
+    def destroy_user!
+      log(level: :warn, msg: "Destroying user: #{current_user.id}")
+
+      # delete the user
+      current_user.soft_destroy_user!
+    end
+
+    def validate_datum?(datum)
+      return true if datum[:valid]
+
+      if datum[:found]
+        msg = "Errors with Destroy User token: #{datum[:invalid_reason].join(", ")}. Please try again"
+        log(level: :warn, msg: msg)
+        context.fail!(message: msg)
+      end
+
+      log(level: :warn, msg: "Could not find datum code. User may be doing Fishyyyyy things")
+
+      context.fail!(message: "Invalid Data Code. Please retry action")
+    end
+
+    def get_short_lived_datum(data)
+      ShortLivedData.find_datum(data: data, reason: DATUM_REASON)
+    end
+
+    def validate!
+      raise "Expected data to be a String. Received #{data.class}" unless data.is_a? String
+      raise "Expected current_user to be a User. Received #{current_user.class}" unless current_user.is_a? User
+    end
+  end
+end

data/app/services/rails_base/authentication/mfa_set_encrypt_token.rb

@@ -0,0 +1,32 @@
+module RailsBase::Authentication
+	class MfaSetEncryptToken < RailsBase::ServiceBase
+		delegate :user, to: :context
+		delegate :expires_at, to: :context
+		delegate :purpose, to: :context
+
+		def call
+			params = {
+				value: value,
+				purpose: purpose || Constants::MSET_PURPOSE,
+				expires_at: expires_at
+			}
+
+			context.encrypted_val = RailsBase::Encryption.encode(params)
+		end
+
+		def value
+			# user_id with the same expires_at will return the same Encryption token
+			# to overcome this, do 2 things
+			# 1: Rotate the secret on every boot (ensures tplem changes on semi regular basis)
+			# 2: Add rand strings to the hash -- Ensures the token is different every time
+			{ user_id: user.id, rand: rand.to_s, expires_at: expires_at }.to_json
+		end
+
+		def validate!
+			raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+
+			time_class = ActiveSupport::TimeWithZone
+			raise "Expected expires_at to be a Received #{time_class}. Received #{expires_at.class}" unless expires_at.is_a? time_class
+		end
+	end
+end

data/app/services/rails_base/authentication/mfa_validator.rb

@@ -0,0 +1,88 @@
+module RailsBase::Authentication
+	class MfaValidator < RailsBase::ServiceBase
+		delegate :params, to: :context
+		delegate :session_mfa_user_id, to: :context
+		delegate :current_user, to: :context
+		delegate :input_reason, to: :context
+
+		def call
+			array = convert_to_array
+			if array.length != Constants::MFA_LENGTH
+				log(level: :warn, msg: "Not enough params for MFA code. Given #{array}. Expected of length #{Constants::MFA_LENGTH}")
+				context.fail!(message: Constants::MV_FISHY, redirect_url: Constants::URL_HELPER.new_user_session_path, level: :alert)
+			end
+
+			mfa_code = array.join
+			log(level: :info, msg: "mfa code received: #{mfa_code}")
+			datum = get_short_lived_datum(mfa_code)
+			log(level: :info, msg: "Datum returned with: #{datum}")
+
+			validate_datum?(datum)
+			validate_user_consistency?(datum)
+			validate_current_user?(datum) if current_user
+
+			context.user = datum[:user]
+		end
+
+		def validate_current_user?(datum)
+			return true if current_user.id == datum[:user].id
+
+			# User MFA for a different user matched the session token
+			# However, those did not match the current user signed in
+			# Something is very 🐟
+			log(level: :error, msg: "Someone is a teapot. Current logged in user does not equal mfa code.")
+			context.fail!(message: 'You are a teapot', redirect_url: Constants::URL_HELPER.signout_path, level: :warn)
+		end
+
+		def validate_datum?(datum)
+			return true if datum[:valid]
+
+			if datum[:found]
+				# MFA is either expired or the incorrect reason. Either way it does not match
+				msg = "Errors with MFA: #{datum[:invalid_reason].join(", ")}. Please login again"
+				log(level: :warn, msg: msg)
+				context.fail!(message: msg, redirect_url: Constants::URL_HELPER.new_user_session_path, level: :warn)
+			end
+
+			# MFA does not exist for any reason type
+			log(level: :warn, msg: "Could not find MFA code. Incorrect MFA code")
+
+			context.fail!(message: "Incorrect MFA code.", redirect_url: Constants::URL_HELPER.mfa_code_path, level: :warn)
+		end
+
+		def validate_user_consistency?(datum)
+			return true if datum[:user].id == session_mfa_user_id.to_i
+			log(level: :warn, msg: "Datum user does not match session user. [#{datum[:user].id}, #{session_mfa_user_id.to_i}]")
+
+			# MFA session token user does not match the datum user
+			# Something is very 🐟
+			context.fail!(message: Constants::MV_FISHY, redirect_url: Constants::URL_HELPER.new_user_session_path, level: :alert)
+		end
+
+		def get_short_lived_datum(mfa_code)
+			log(level: :debug, msg: "Looking for #{mfa_code} with reason #{reason}")
+			ShortLivedData.find_datum(data: mfa_code, reason: reason)
+		end
+
+		def convert_to_array
+			array = []
+			return array unless params.dig(:mfa).respond_to? :keys
+
+			Constants::MFA_LENGTH.times do |index|
+				var_name = "#{Constants::MV_BASE_NAME}#{index}".to_sym
+				array << params[:mfa][var_name]
+			end
+
+			array.compact
+		end
+
+		def reason
+			input_reason || Constants::MFA_REASON
+		end
+
+		def validate!
+			raise 'Expected the params passed' if params.nil?
+			raise 'session_mfa_user_id is not present' if session_mfa_user_id.nil?
+		end
+	end
+end

data/app/services/rails_base/authentication/modify_password.rb

@@ -0,0 +1,67 @@
+module RailsBase::Authentication
+	class ModifyPassword < RailsBase::ServiceBase
+		include RailsBase::UserFieldValidators
+
+		delegate :password, to: :context
+		delegate :password_confirmation, to: :context
+		delegate :data, to: :context # the same datum used in the reset password url
+		delegate :user_id, to: :context
+		delegate :flow, to: :context
+		delegate :current_user, to: :context
+
+		FLOW_TYPES = [:forgot_password, :user_settings]
+
+		def call
+			valid_password = validate_password?(password: password, password_confirmation: password_confirmation)
+			unless valid_password[:status]
+				context.fail!(message: valid_password[:msg])
+			end
+
+			if user.nil?
+				log(level: :error, msg: "Could not find [#{user_id}]. 5xx error with user deletion most likely")
+				context.fail!(message: "Unknown error. Please try again")
+			end
+
+			case flow
+			when :forgot_password
+				forgot_password
+			else
+			end
+
+			unless user.update(password: password, password_confirmation: password_confirmation)
+				context.fail!(message: "Failed to update user. Please try again")
+			end
+			log(level: :info, msg: "Successfully update users password")
+		end
+
+		def forgot_password
+			return if  valid_short_term_data_point?
+
+			context.fail!(message: Constants::MV_FISHY)
+		end
+
+		def valid_short_term_data_point?
+			raise 'Expected data to be defined' if data.nil?
+
+			data_point = ShortLivedData.get_by_data(data: data, reason: Constants::VFP_REASON)
+			datum_user_id = data_point&.user_id
+
+			log(level: :info, msg: "Found ShortLivedData with data #{data[0..15]}... attached to user [#{datum_user_id}]")
+
+			datum_user_id && (datum_user_id.to_i == user_id.to_i)
+		end
+
+		def user
+			@user ||= current_user || User.find_by_id(user_id)
+		end
+
+		def validate!
+			raise "Expected Flow to be present and a Symbol" unless flow.is_a? Symbol
+			raise "Expected Flow to be in #{FLOW_TYPES}" unless FLOW_TYPES.include?(flow)
+			raise "Expected password to be a String. Received #{password.class}" unless password.is_a? String
+			raise "Expected password_confirmation to be a String. Received #{password_confirmation.class}" unless password_confirmation.is_a? String
+			raise "Expected user_id to be present." if current_user.nil? && user_id.nil?
+			raise "Expected data to be present." if current_user.nil? && data.nil?
+		end
+	end
+end

data/app/services/rails_base/authentication/send_forgot_password.rb

@@ -0,0 +1,26 @@
+module RailsBase::Authentication
+	class SendForgotPassword < RailsBase::ServiceBase
+		delegate :email, to: :context
+
+		def call
+			user = User.find_for_authentication(email: email)
+
+			if user.nil?
+				log(level: :warn, msg: "Failed to find email assocaited to #{email}. Not sending email")
+				context.fail!(message: "Failed to send forget password to #{email}", redirect_url: '')
+			end
+			email_send = SendVerificationEmail.call(user: user, reason: Constants::VFP_REASON)
+
+			if email_send.failure?
+				log(level: :error, msg: "Failed to send forget password: #{email_send.message}")
+				context.fail!(message: email_send.message, redirect_url: '/')
+			end
+
+			context.message = 'You should receive an email shortly.'
+		end
+
+		def validate!
+			raise "Expected email to be a String. Received #{email.class}" unless email.is_a? String
+		end
+	end
+end

data/app/services/rails_base/authentication/send_login_mfa_to_user.rb

@@ -0,0 +1,77 @@
+require 'twilio_helper'
+require 'velocity_limiter'
+
+module RailsBase::Authentication
+  class SendLoginMfaToUser < RailsBase::ServiceBase
+    include ActionView::Helpers::DateHelper
+    include VelocityLimiter
+
+    class NoPhoneNumber < StandardError; end
+
+    MAX_USE_COUNT = 1.freeze
+    DATA_USE = :numeric
+
+    delegate :user, to: :context
+    delegate :expires_at, to: :context
+
+    def call
+      velocity = velocity_limit_reached?
+      context.fail!(message: velocity[:msg]) if velocity[:reached]
+
+      data_point = create_short_lived_data
+      send_twilio!(data_point.data)
+      context.short_lived_data = data_point
+    end
+
+    def send_twilio!(code)
+      TwilioJob.perform_later(message: message(code), to: user.phone_number)
+      log(level: :info, msg: "Sent twilio message to #{user.phone_number}")
+    rescue StandardError => e
+      log(level: :error, msg: "Error caught #{e.class.name}")
+      log(level: :error, msg: "Failed to send sms to #{user.phone_number}")
+      context.fail!(message: "Failed to send sms. Please retry logging in.")
+    end
+
+    def message(code)
+      "Hello #{user.full_name}. Here is your verification code #{code}."
+    end
+
+    def create_short_lived_data
+      params = {
+        user: user,
+        max_use: MAX_USE_COUNT,
+        reason: Constants::MFA_REASON,
+        data_use: DATA_USE,
+        ttl: Constants::SLMTU_TTL,
+        expires_at: expires_at,
+        length: Constants::MFA_LENGTH,
+      }
+      ShortLivedData.create_data_key(params)
+    end
+
+    def velocity_max_in_frame
+      RailsBase.config.mfa.twilio_velocity_max_in_frame
+    end
+
+    def velocity_max
+      RailsBase.config.mfa.twilio_velocity_max
+    end
+
+    def velocity_frame
+      RailsBase.config.mfa.twilio_velocity_frame
+    end
+
+    def cache_key
+      "#{self.class.name.downcase}.#{user.id}"
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+      if expires_at && !(expires_at.is_a?(ActiveSupport::TimeWithZone))
+        raise "Expected expires_at to be a ActiveSupport::TimeWithZone. Given #{expires_at.class}"
+      end
+
+      raise NoPhoneNumber, "No phone for user [#{user.id}] [#{user.phone_number}]" if user.phone_number.nil?
+    end
+  end
+end