rails_base 0.51.0

data/app/services/rails_base/authentication/send_verification_email.rb

@@ -0,0 +1,103 @@
+require 'velocity_limiter'
+
+module RailsBase::Authentication
+	class SendVerificationEmail < RailsBase::ServiceBase
+		include ActionView::Helpers::DateHelper
+		include VelocityLimiter
+
+		delegate :user, to: :context
+		delegate :reason, to: :context
+
+		MAX_USE_COUNT = 1.freeze
+		DATA_USE = :alphanumeric
+		VELOCITY_MAX = 5
+		VELOCITY_MAX_IN_FRAME = 10.minutes
+		VELOCITY_FRAME = 1.hour
+
+		REASON_MAPPER = {
+			Constants::SVE_LOGIN_REASON => { method: :email_verification, url_method: :email_verification_url },
+			Constants::SVE_FORGOT_REASON => { method: :forgot_password, url_method: :forgot_password_auth_url }
+		}
+
+		def call
+			velocity = velocity_limit_reached?
+			if velocity[:reached]
+				context.fail!(message: velocity[:msg])
+			end
+
+			data_point = create_short_lived_data
+			begin
+				url = assign_url(data_point.data)
+			rescue StandardError => e
+				log(level: :error, msg: "Error: #{e.class}")
+				log(level: :error, msg: "Error: #{e.message}")
+				log(level: :error, msg: "Failed to get url for #{url_method}")
+				log(level: :error, msg: "Swallowing Error. Returning to user")
+				context.fail!(message: "Unknown error occurred. Please log in with credentials to restart process")
+				return
+			end
+			log(level: :info, msg: "SSO url for user #{user.id}: #{url}")
+
+			begin
+				RailsBase::EmailVerificationMailer.public_send(method, user: user, url: url).deliver_me
+			rescue StandardError => e
+				log(level: :error, msg: "Unkown error occured when sending EmailVerificationMailer.#{method}")
+				log(level: :error, msg: "Params: #{method}, #{reason}, user: #{user.id}")
+				context.fail!(message: "Unknown error occurred. Please log in with credentials to restart process")
+				return
+			end
+			log(level: :info, msg: "Succesfully sent EmailVerificationMailer.#{method} to #{user.id} @ #{user.email}")
+		end
+
+		def assign_url(data)
+			params = {
+				data: data,
+				host: Constants::BASE_URL,
+			}
+			params[:port] = Constants::BASE_URL_PORT if Constants::BASE_URL_PORT
+			Constants::URL_HELPER.public_send(url_method, params)
+		end
+
+		def create_short_lived_data
+			params = {
+				user: user,
+				max_use: MAX_USE_COUNT,
+				reason: reason,
+				data_use: DATA_USE,
+				ttl: Constants::SVE_TTL,
+				length: Constants::EMAIL_LENGTH,
+			}
+			ShortLivedData.create_data_key(params)
+		end
+
+		def velocity_max_in_frame
+			VELOCITY_MAX_IN_FRAME
+		end
+
+		def velocity_max
+			VELOCITY_MAX
+		end
+
+		def velocity_frame
+			VELOCITY_FRAME
+		end
+
+		def cache_key
+			"#{self.class.name.downcase}.#{user.id}"
+		end
+
+		def method
+			REASON_MAPPER[reason][:method]
+		end
+
+		def url_method
+			REASON_MAPPER[reason][:url_method]
+		end
+
+		def validate!
+			raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+			raise "Expected reason to be a symbol. Received #{reason.class}" unless reason.is_a? Symbol
+			raise "Expected #{reason} to be in #{REASON_MAPPER.keys}" unless REASON_MAPPER.keys.include?(reason)
+		end
+	end
+end

data/app/services/rails_base/authentication/session_token_verifier.rb

@@ -0,0 +1,31 @@
+require 'json'
+
+module RailsBase::Authentication
+	class SessionTokenVerifier < RailsBase::ServiceBase
+		delegate :mfa_randomized_token, to: :context
+		delegate :purpose, to: :context
+
+		def call
+			if mfa_randomized_token.nil?
+				context.fail!(message: "Authorization token not present. Please Log in")
+			end
+
+			decoded = RailsBase::Encryption.decode(value: mfa_randomized_token, purpose: purpose || Constants::MSET_PURPOSE)
+			if decoded.nil?
+				context.fail!(message: "Authorization token has expired. Please Log in")
+			end
+
+			begin
+				json_decoded = JSON.parse(decoded)
+			rescue StandardError => e
+				log(level: :fatal, msg: "Json parse error. [#{decoded}] could not be parsed.")
+				context.fail!(message: "Authorization token has failed. Please Log in")
+			end
+
+			log(level: :info, msg: "Decoded message: #{json_decoded}")
+
+			context.user_id = json_decoded['user_id']
+			context.expires_at = json_decoded['expires_at']
+		end
+	end
+end

data/app/services/rails_base/authentication/single_sign_on_create.rb

@@ -0,0 +1,44 @@
+module RailsBase::Authentication
+  class SingleSignOnCreate < RailsBase::ServiceBase
+    delegate :user, to: :context
+    delegate :token_length, to: :context
+    delegate :uses, to: :context
+    delegate :expires_at, to: :context
+    delegate :reason, to: :context
+    delegate :token_type, to: :context
+    delegate :url_redirect, to: :context
+
+    def call
+      msg = "Creating SSO token [#{reason}]: user_id:#{user.id}; "\
+        "uses:#{uses.nil? ? 'unlimited' : uses}; expires_at:#{expires_at}"
+      log(level: :info, msg: msg)
+      context.data = create_sso_token
+    end
+
+    def create_sso_token
+      params = {
+        user: user,
+        max_use: uses,
+        data_use: data_type,
+        expires_at: expires_at,
+        reason: reason,
+        length: token_length,
+        extra: url_redirect,
+      }.compact
+      ShortLivedData.create_data_key(params)
+    end
+
+    def data_type
+      ShortLivedData::VALID_DATA_USE_LENGTH.include?(token_type&.to_sym) ? token_type.to_sym : nil
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+      raise "Expected token_length to be a Int. Received #{token_length.class}" unless token_length.is_a? Integer
+      raise "Expected reason to be present." if reason.nil?
+
+      time_class = ActiveSupport::TimeWithZone
+      raise "Expected expires_at to be a Received #{time_class}. Received #{expires_at.class}" unless expires_at.is_a? time_class
+    end
+  end
+end

data/app/services/rails_base/authentication/single_sign_on_send.rb

@@ -0,0 +1,101 @@
+require 'twilio_helper'
+
+module RailsBase::Authentication
+  class SingleSignOnSend < RailsBase::ServiceBase
+    delegate :user, to: :context
+    delegate :token_length, to: :context
+    delegate :uses, to: :context
+    delegate :expires_at, to: :context
+    delegate :reason, to: :context
+    delegate :token_type, to: :context
+    delegate :url_redirect, to: :context
+
+    SSO_DECISION_TWILIO = :twilio
+    SSO_DECISION_EMAIL = :email
+    VALID_SSO_DECISIONS = [SSO_DECISION_TWILIO, SSO_DECISION_EMAIL].freeze
+
+    def call
+      # :nocov:
+      # redundant check, unless user overwrites `sso_decision_type`
+      unless VALID_SSO_DECISIONS.include?(sso_decision_type)
+        context.fail!(message: "Invalid sso decision. Given [#{sso_decision_type}]. Expected [#{VALID_SSO_DECISIONS}]")
+      end
+      # :nocov:
+
+      params = {
+        user: user,
+        token_length: token_length,
+        uses: uses,
+        expires_at: expires_at,
+        reason: reason || RailsBase::Authentication::Constants::SSO_LOGIN_REASON,
+        token_type: token_type,
+        url_redirect: url_redirect
+      }
+      datum = SingleSignOnCreate.call(params)
+      context.fail!(message: 'Failed to create SSO token. Try again') if datum.failure?
+
+      url = sso_url(data: datum.data.data)
+      case sso_decision_type
+      when SSO_DECISION_TWILIO
+        context.sso_destination = :sms
+        send_to_twilio!(message: message(url: url))
+      when SSO_DECISION_EMAIL
+        context.sso_destination = :email
+        send_to_email!(message: message(url: url))
+      end
+    end
+
+    # This method is expected to be overridden by the main app
+    # This is the default message
+    # Might consider shipping this to a locales that can be easily overridden in downstream app
+    def message(url:)
+      "Hello #{user.full_name}. This is your SSO link to your favorite site.\n#{url}"
+    end
+
+    # This method is expected to be overridden by the main app
+    # This is expected default behavior if SSO is available
+    def sso_decision_type
+      if user.phone_number.present?
+        SSO_DECISION_TWILIO
+      elsif user.email_validated
+        SSO_DECISION_EMAIL
+      else
+        log(level: :error, msg: "No SSO will be sent for user #{user.id}. No email/phone available to send to at this time")
+        context.fail!(message: "User does not have a validated email nor phone number. Unable to do SSO")
+      end
+    end
+
+    def send_to_twilio!(message:)
+      TwilioJob.perform_later(message: message, to: user.phone_number)
+      log(level: :info, msg: "Sent twilio message to #{user.phone_number}")
+    rescue StandardError => e
+      log(level: :error, msg: "Error caught #{e.class.name}")
+      log(level: :error, msg: "Error caught #{e.message}")
+      log(level: :error, msg: "Failed to send sms to #{user.phone_number}")
+      context.fail!(message: "Failed to send sms to user. Try again.")
+    end
+
+    def send_to_email!(message:)
+      RailsBase::EventMailer.send_sso(user: user, message: message).deliver_me
+    rescue StandardError => e
+      log(level: :error, msg: "Error caught #{e.class.name}")
+      log(level: :error, msg: "Failed to send email to #{user.email}")
+      context.fail!(message: "Failed to send email to user. Try again.")
+    end
+
+    def sso_url(data:)
+      params = {
+        data: data,
+        host: Constants::BASE_URL,
+      }
+      params[:port] = Constants::BASE_URL_PORT if Constants::BASE_URL_PORT
+      Constants::URL_HELPER.sso_retrieve_url(params)
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+
+      # Other validations take place in SingleSignOnCreate class
+    end
+  end
+end

data/app/services/rails_base/authentication/single_sign_on_verify.rb

@@ -0,0 +1,42 @@
+module RailsBase::Authentication
+  class SingleSignOnVerify < RailsBase::ServiceBase
+    delegate :data, to: :context
+    delegate :reason, to: :context
+    delegate :bypass, to: :context
+
+    def call
+      datum = find_data_point
+      context.data = datum
+      if bypass
+        context.should_fail = !datum[:valid]
+        context.url_redirect = datum[:extra] || RailsBase.url_routes.authenticated_root_path
+        log(level: :info, msg: "sending full data point. bypass set to true")
+        return
+      end
+
+      context.sign_in = false
+      if datum[:valid]
+        context.sign_in = true
+        context.url_redirect = datum[:extra] || RailsBase.url_routes.authenticated_root_path
+        context.user = datum[:user]
+      else
+        context.url_redirect = datum[:extra] || RailsBase.url_routes.unauthenticated_root_path
+        context.fail!(message: "Authorization token error: #{datum[:invalid_reason].join(',')}")
+      end
+    end
+
+    def find_data_point
+      params = {
+        data: data,
+        reason: reason,
+        access_count: !(bypass || false)
+      }
+      ShortLivedData.find_datum(params)
+    end
+
+    def validate!
+      raise "Expected data to be a String. Received #{data.class}" unless data.is_a? String
+      raise "Expected reason to be a String. Received #{reason.class}" unless reason.is_a? String
+    end
+  end
+end

data/app/services/rails_base/authentication/sso_verify_email.rb

@@ -0,0 +1,43 @@
+module RailsBase::Authentication
+	class SsoVerifyEmail < RailsBase::ServiceBase
+		delegate :verification, to: :context
+
+		def call
+			datum = get_short_lived_datum(verification)
+			validate_datum?(datum)
+
+			user = datum[:user]
+			user.update(email_validated: true)
+
+			context.user = datum[:user]
+			params = {
+				expires_at: Time.zone.now + Constants::SVE_TTL,
+				user: user,
+				purpose: Constants::SSOVE_PURPOSE
+			}
+			context.encrypted_val = MfaSetEncryptToken.call(params).encrypted_val
+		end
+
+		def validate_datum?(datum)
+			return true if datum[:valid]
+
+			if datum[:found]
+				msg = "Errors with Email Verification: #{datum[:invalid_reason].join(", ")}. Please login again"
+				log(level: :warn, msg: msg)
+				context.fail!(message: msg, redirect_url: Constants::URL_HELPER.new_user_session_path, level: :warn)
+			end
+
+			log(level: :warn, msg: "Could not find MFA code. Incorrect Email verification code. User may be doing Fishyyyyy things")
+
+			context.fail!(message: "Invalid Email Verification Code. Log in again.", redirect_url: Constants::URL_HELPER.new_user_session_path, level: :warn)
+		end
+
+		def get_short_lived_datum(mfa_code)
+			ShortLivedData.find_datum(data: mfa_code, reason: Constants::SVE_LOGIN_REASON)
+		end
+
+		def validate!
+			raise "verification is expected" if verification.nil?
+		end
+	end
+end

data/app/services/rails_base/authentication/update_phone_send_verification.rb

@@ -0,0 +1,46 @@
+module RailsBase::Authentication
+	class UpdatePhoneSendVerification < RailsBase::ServiceBase
+		delegate :user, to: :context
+		delegate :phone_number, to: :context
+
+		EXPECTED_LENGTH = 10
+
+		def call
+			if sanitized_phone_number.nil?
+				context.fail!(message: "Unexpected params passed")
+			end
+
+			# should be after successful twilio MFA send
+			# requires a bit of a restructure that I dont have time for
+			update_user_number!
+
+			twilio_sms = SendLoginMfaToUser.call(user: user.reload)
+
+			if twilio_sms.failure?
+				log(level: :error, msg: "Failed with #{twilio_sms.message}")
+				context.fail!(message: twilio_sms.message)
+			end
+			context.expires_at = twilio_sms.short_lived_data.death_time
+			context.mfa_randomized_token =
+			  MfaSetEncryptToken.call(user: user, expires_at: context.expires_at, purpose: Constants::MSET_PURPOSE).encrypted_val
+		end
+
+		def update_user_number!
+			log(level: :info, msg: "Received: #{phone_number}. Sanitized to #{sanitized_phone_number}")
+			user.update!(phone_number: sanitized_phone_number)
+		end
+
+		def sanitized_phone_number
+			@sanitized_phone_number ||= begin
+				sanitized = phone_number.tr('^0-9', '')
+				log(level: :debug, msg: "Sanitized phone number to: #{sanitized}. Given: #{sanitized.length} Expected? #{EXPECTED_LENGTH} ")
+				sanitized.length == EXPECTED_LENGTH ? sanitized : nil
+			end
+		end
+
+		def validate!
+			raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+			raise "Expected phone_number to be a String. Received #{phone_number.class}" unless phone_number.is_a? String
+		end
+	end
+end

data/app/services/rails_base/authentication/verify_forgot_password.rb

@@ -0,0 +1,46 @@
+module RailsBase::Authentication
+	class VerifyForgotPassword < RailsBase::ServiceBase
+		delegate :data, to: :context
+
+		def call
+			mfa_flow = false
+			data_point = short_lived_data
+			validate_datum?(data_point)
+
+			log(level: :info, msg: "Validated user 2fa email #{data_point[:user].full_name}")
+			context.user = data_point[:user]
+			context.encrypted_val =
+				MfaSetEncryptToken.call(user: data_point[:user], expires_at: Time.zone.now + 10.minutes, purpose: Constants::VFP_PURPOSE).encrypted_val
+			return unless data_point[:user].mfa_enabled
+
+			result = SendLoginMfaToUser.call(user: data_point[:user], expires_at: Time.zone.now + 10.minutes)
+			if result.failure?
+				log(level: :warn, msg: "Attempted to send MFA to user from #{self.class.name}: Exiting with #{result.message}")
+				context.fail!(message: result.message, redirect_url: Constants::URL_HELPER.new_user_password_path, level: :warn)
+			end
+			context.mfa_flow = true
+		end
+
+		def validate_datum?(datum)
+			return true if datum[:valid]
+
+			if datum[:found]
+				msg = "Errors with email validation: #{datum[:invalid_reason].join(", ")}. Please go through forget password flow again."
+				log(level: :warn, msg: msg)
+				context.fail!(message: msg, redirect_url: Constants::URL_HELPER.new_user_password_path, level: :warn)
+			end
+
+			log(level: :warn, msg: "Could not find MFA code. Incorrect MFA code. User is doing something fishy.")
+
+			context.fail!(message: Constants::MV_FISHY, redirect_url: Constants::URL_HELPER.authenticated_root_path, level: :warn)
+		end
+
+		def short_lived_data
+			ShortLivedData.find_datum(data: data, reason: Constants::VFP_REASON)
+		end
+
+		def validate!
+			raise "Expected data to be a String. Received #{data.class}" unless data.is_a? String
+		end
+	end
+end