rails_base 0.75.5 → 0.80.0

data/app/controllers/rails_base/user_settings_controller.rb

@@ -7,6 +7,16 @@ module RailsBase
 
     # GET user/settings
     def index
+      @type = :rest
+      @endpoint = RailsBase.url_routes.totp_register_validate_path
+
+      if current_user.mfa_sms_enabled
+        clear_mfa_event_from_session!(event_name: RailsBase::MfaEvent::ENABLE_SMS_EVENT)
+        add_mfa_event_to_session(event: RailsBase::MfaEvent.sms_disable(user: current_user))
+      else
+        clear_mfa_event_from_session!(event_name: RailsBase::MfaEvent::DISABLE_SMS_EVENT)
+        add_mfa_event_to_session(event: RailsBase::MfaEvent.sms_enable(user: current_user))
+      end
     end
 
     # POST user/settings/edit/name
@@ -14,7 +24,7 @@ module RailsBase
       result = NameChange.call(
         first_name: params[:user][:first_name],
         last_name: params[:user][:last_name],
-        current_user: current_user
+        current_user: current_user,
       )
 
       if result.failure?

data/app/controllers/rails_base/users/registrations_controller.rb

@@ -50,7 +50,7 @@ class RailsBase::Users::RegistrationsController < Devise::RegistrationsControlle
       end
       session[:mfa_randomized_token] = nil
       session[:mfa_randomized_token] =
-        RailsBase::Authentication::MfaSetEncryptToken.call(purpose: RailsBase::Authentication::Constants::SSOVE_PURPOSE, user: resource, expires_at: Time.zone.now + 20.minutes).encrypted_val
+        RailsBase::Mfa::EncryptToken.call(purpose: RailsBase::Authentication::Constants::SSOVE_PURPOSE, user: resource, expires_at: Time.zone.now + 20.minutes).encrypted_val
       redirect_to RailsBase.url_routes.auth_static_path, notice: "Check email for verification email."
     else
       flash[:error] = resource.errors.messages

data/app/controllers/rails_base/users/sessions_controller.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'twilio_helper'
+
 class RailsBase::Users::SessionsController < Devise::SessionsController
   prepend_before_action :protect_heartbeat, only: [:hearbeat_without_auth, :hearbeat_with_auth]
   prepend_before_action :skip_timeout, only: [:hearbeat_without_auth]
@@ -13,7 +15,7 @@ class RailsBase::Users::SessionsController < Devise::SessionsController
   # POST /user/sign_in
   def create
     # Warden/Devise will try to sign the user in before we explicitly do
-    # Sign ou the user when this happens so we can sign them back in later
+    # Sign out the user when this happens so we can sign them back in later
     sign_out(current_user) if current_user
 
     authenticate = RailsBase::Authentication::AuthenticateUser.call(email: params[:user][:email], password: params[:user][:password])
@@ -33,25 +35,26 @@ class RailsBase::Users::SessionsController < Devise::SessionsController
 
     if mfa_decision.set_mfa_randomized_token
       session[:mfa_randomized_token] =
-        RailsBase::Authentication::MfaSetEncryptToken.call(
+        RailsBase::Mfa::EncryptToken.call(
           user: authenticate.user,
           expires_at: mfa_decision.token_ttl,
           purpose: mfa_decision.mfa_purpose,
         ).encrypted_val
     end
 
-    redirect =
-      if mfa_decision.sign_in_user
-        sign_in(authenticate.user)
-        # only referentially redirect when we know the user should sign in
-        redirect_from_reference
-      end
-
-    redirect ||= mfa_decision.redirect_url
-
-    logger.info { "Successful sign in: Redirecting to #{redirect}" }
+    if mfa_decision.sign_in_user
+      sign_in(authenticate.user)
+      session.merge!(mfa_decision.session || {})
+      # only referentially redirect when we know the user should sign in
+      redirect_to(redirect_from_reference || RailsBase.url_routes.authenticated_root_path, mfa_decision.flash)
+      return
+    end
 
-    redirect_to(redirect, mfa_decision.flash)
+    ####
+    # User needs MFA
+    ####
+    add_mfa_event_to_session(event: RailsBase::MfaEvent.login_event(user: authenticate.user))
+    redirect_to(mfa_decision.redirect_url, mfa_decision.flash)
   end
 
   # DELETE /user/sign_out

data/app/controllers/rails_base_application_controller.rb

@@ -6,6 +6,7 @@ class RailsBaseApplicationController < ActionController::Base
   before_action :is_timeout_error?
   before_action :admin_reset_impersonation_session!
   before_action :footer_mode_case
+  after_action :clear_expired_mfa_events_from_session!
 
   before_action :populate_admin_actions, if: -> { RailsBase.config.admin.enable_actions? }
   after_action :capture_admin_action
@@ -128,6 +129,100 @@ class RailsBaseApplicationController < ActionController::Base
 
   protected
 
+  def add_mfa_event_to_session(event:)
+    unless RailsBase::MfaEvent === event
+      logger.error("Failed to add MFA event to session. Unexpected event passed")
+      return false
+    end
+
+    session[:"__#{RailsBase.app_name}_mfa_events"] ||= {}
+    # nested hashes in the session are string keys -- ensure it gets converted to a string during assignment to avoid confusion
+    session[:"__#{RailsBase.app_name}_mfa_events"][event.event.to_s] = event.to_hash.to_json
+  end
+
+  def clear_mfa_event_from_session!(event_name:)
+    session[:"__#{RailsBase.app_name}_mfa_events"] ||= {}
+    session[:"__#{RailsBase.app_name}_mfa_events"].delete(event_name.to_s)
+
+    true
+  end
+
+  def clear_expired_mfa_events_from_session!
+    mfa_events = session.delete(:"__#{RailsBase.app_name}_mfa_events")
+    return true if mfa_events.nil?
+
+    mfa_events.each do |event_name, metadata|
+      event_object = RailsBase::MfaEvent.new(**JSON.parse(metadata).deep_symbolize_keys)
+      if event_object.valid_by_death_time?
+        add_mfa_event_to_session(event: event_object)
+      else
+        logger.warn("MFA event: [#{event_name}] is no longer valid. Ejecting from session ")
+      end
+
+    end
+  rescue => e
+    logger.error("Oh know! We may have just removed all MFA events. Re-Auth is now required")
+    true
+  end
+
+  def validate_mfa_with_event_json!(mfa_event_name: params[:mfa_event])
+    return true if soft_mfa_with_event(mfa_event_name:)
+
+    render json: { error: "Unauthorized. Incorrect Event" }.to_json, :status => 401
+    false
+  end
+
+  def validate_mfa_with_event!(mfa_event_name: params[:mfa_event])
+    return true if soft_mfa_with_event(mfa_event_name:)
+
+    redirect = @__rails_base_mfa_event&.invalid_redirect || RailsBase.url_routes.unauthenticated_root_path
+    redirect_to(redirect, alert: @__rails_base_mfa_event_invalid_reason)
+    false
+  end
+
+  def soft_mfa_with_event(mfa_event_name: params[:mfa_event])
+    # nested hashes in the session are string keys -- ensure it gets converted to a string during lookup
+    mfa_event = session.dig(:"__#{RailsBase.app_name}_mfa_events", mfa_event_name.to_s)
+    if mfa_event.nil?
+      @__rails_base_mfa_event_invalid_reason = "Unauthorized MFA event"
+      return false
+    end
+    @__rails_base_mfa_event = RailsBase::MfaEvent.new(**JSON.parse(mfa_event).deep_symbolize_keys)
+
+    if @__rails_base_mfa_event.valid?
+      @__rails_base_mfa_event.increase_access_count!
+      return true
+    end
+    @__rails_base_mfa_event_invalid_reason = "MFA event for #{mfa_event_name} is invalid. #{@__rails_base_mfa_event.event}"
+
+    false
+  end
+
+  def json_validate_current_user!
+    return if current_user
+
+    render json: { error: "Unauthorized" }.to_json, :status => 401
+    return false
+  end
+
+  def validate_mfa_token!(purpose: RailsBase::Authentication::Constants::MSET_PURPOSE)
+    return true if soft_validate_mfa_token(token: session[:mfa_randomized_token], purpose: purpose)
+
+    if user_signed_in?
+      redirect_to RailsBase.url_routes.user_settings_path, alert: @token_verifier.message
+    else
+      redirect_to RailsBase.url_routes.new_user_session_path, alert: @token_verifier.message
+    end
+    return false
+  end
+
+  def soft_validate_mfa_token(token:, purpose: RailsBase::Authentication::Constants::MSET_PURPOSE)
+    @token_verifier =
+      RailsBase::Authentication::SessionTokenVerifier.call(purpose: purpose, mfa_randomized_token: token)
+
+    @token_verifier.success?
+  end
+
   def admin_get_token(encrypted_val:)
     params = {
       mfa_randomized_token: encrypted_val,
@@ -144,7 +239,7 @@ class RailsBaseApplicationController < ActionController::Base
         purpose: RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON,
         expires_at: RailsBase::Authentication::Constants::ADMIN_MAX_IDLE_TIME.from_now
       }
-      encrpytion = RailsBase::Authentication::MfaSetEncryptToken.call(params)
+      encrpytion = RailsBase::Mfa::EncryptToken.call(params)
       session[RailsBase::Authentication::Constants::ADMIN_REMEMBER_REASON] = encrpytion.encrypted_val
     end
   end

data/app/jobs/twilio_job.rb

@@ -1,7 +1,7 @@
 require 'twilio_helper'
 
 class TwilioJob < RailsBase::ApplicationJob
-  queue_as RailsBase.config.mfa.active_job_queue
+  queue_as RailsBase.config.twilio.active_job_queue
 
   def perform(message:, to:)
     TwilioHelper.send_sms(message: message, to: to)

data/app/mailers/rails_base/email_verification_mailer.rb

@@ -1,22 +1,24 @@
 class RailsBase::EmailVerificationMailer < RailsBase::ApplicationMailer
 	default from: Rails.configuration.mail_from
 
-	def email_verification(user:, url:)
+	def email_verification(user, url)
 	  @user = user
 	  @sso_url_for_user = url
 	  mail(to: @user.email, subject: "Welcome to #{RailsBase.app_name}")
 	end
 
-	def forgot_password(user:, url:)
+	def forgot_password(user, url)
 	  @user = user
 	  @sso_url_for_user = url
 	  mail(to: @user.email, subject: "#{RailsBase.app_name}: Forgot Password")
 	end
 
-	def event(user:, event:, msg: nil)
-	  @user = user
+	def event(user, event, msg = nil)
+		@user = user
 	  @event = event
 	  @msg = msg
 	  mail(to: @user.email, subject: "#{RailsBase.app_name}: #{event}")
 	end
+
+	include ::RailsBase::MailerKwargInject
 end

data/app/mailers/rails_base/event_mailer.rb

@@ -1,16 +1,18 @@
 class RailsBase::EventMailer < RailsBase::ApplicationMailer
   default from: Rails.configuration.mail_from
 
-  def send_sso(user:, message:)
+  def send_sso(user, message)
     @user = user
     @message = message
     mail(to: user.email, subject: "#{RailsBase.app_name}: SSO login", template_name: 'event')
     # event(user: user, event: 'SSO login', message: message)
   end
 
-  def event(user:, event:, message:)
+  def event(user, event, message)
     @user = user
     @message = message
     mail(to: @user.email, subject: "#{RailsBase.app_name}: #{event}", template_name: 'event')
   end
+
+  include ::RailsBase::MailerKwargInject
 end

data/app/mailers/rails_base/mailer_kwarg_inject.rb

@@ -0,0 +1,31 @@
+module RailsBase::MailerKwargInject
+
+  def self.included(base)
+    base.extend(ClassMethods)
+    base.inject_safety_net!
+  end
+
+  module ClassMethods
+    def inject_safety_net!
+      action_methods.each do |method_name|
+        alias_method_name = "__rails_base__kwarg_inject_#{method_name}__"
+        self.alias_method(alias_method_name, method_name)
+
+        self.define_method(method_name) do |*args, **kwargs, &block|
+          parameter_name_order = method(alias_method_name).parameters.map(&:second)
+          begin
+            self.send(alias_method_name, *args, **kwargs, &block)
+          rescue ArgumentError => e
+            if Hash === args[0]
+              new_arg_list = parameter_name_order.map { args[0][_1] }
+              self.send(alias_method_name, *new_arg_list, &block)
+              ActiveSupport::Deprecation.warn("Method Signature of `#{self.class}.#{method_name}` will change from KWargs to ARGs. Please modify your code.")
+            else
+              raise
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/models/rails_base/user_constants.rb

@@ -8,9 +8,11 @@ module RailsBase
     ]
 
     SOFT_DESTROY_PARAMS = {
-      mfa_enabled: false,
+      mfa_sms_enabled: false,
+      mfa_otp_enabled: false,
       email_validated: false,
-      last_mfa_login: nil,
+      last_mfa_sms_login: nil,
+      last_mfa_otp_login: nil,
       encrypted_password: '',
       phone_number: nil,
     }
@@ -20,7 +22,8 @@ module RailsBase
       admin: ->(user) { RailsBase.config.admin.admin_type_tile_users?(user) } ,
       email: ->(user) { RailsBase.config.admin.email_tile_users?(user) } ,
       email_validated: ->(user) { RailsBase.config.admin.email_validate_tile_users?(user) } ,
-      mfa_enabled: ->(user) { RailsBase.config.admin.mfa_tile_users?(user) } ,
+      mfa_sms_enabled: ->(user) { RailsBase.config.admin.mfa_tile_users?(user) } ,
+      mfa_otp_enabled: ->(user) { RailsBase.config.admin.mfa_tile_users?(user) } ,
       phone_number: ->(user) { RailsBase.config.admin.phone_tile_users?(user) } ,
       last_known_timezone: ->(user) { RailsBase.config.admin.modify_timezone_tile_users?(user) }
     }

data/app/models/rails_base/user_helper/totp/backup_method_options.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module RailsBase
+  module UserHelper
+    module Totp
+      module BackupMethodOptions
+        def generate_otp_backup_codes!
+          codes = User.generate_backup_codes
+          self.otp_backup_codes = codes
+          save!
+
+          codes
+        end
+
+        def invalidate_otp_backup_code!(code)
+          codes = self.otp_backup_codes || []
+
+          return false unless codes.include?(code)
+
+          codes.delete(code)
+
+          self.otp_backup_codes = codes
+
+          save!
+        end
+
+        def totp_config
+          RailsBase.config.totp
+        end
+      end
+    end
+  end
+end

data/app/models/rails_base/user_helper/totp/class_options.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module RailsBase
+  module UserHelper
+    module Totp
+      module ClassOptions
+        def totp_drift_ahead
+          RailsBase.config.totp.allowed_drift_ahead || RailsBase.config.totp.allowed_drift
+        end
+
+        def totp_drift_behind
+          RailsBase.config.totp.allowed_drift_behind || RailsBase.config.totp.allowed_drift
+        end
+
+        def generate_otp_secret(otp_secret_length = RailsBase.config.totp.secret_code_length)
+          ROTP::Base32.random_base32(otp_secret_length)
+        end
+
+        def generate_backup_codes
+          number_of_codes = RailsBase.config.totp.backup_code_count
+          code_length = RailsBase.config.totp.backup_code_length
+          codes = []
+          number_of_codes.times do
+            codes << SecureRandom.hex(code_length / 2) # Hexstring has length 2*n
+          end
+
+          codes
+        end
+      end
+    end
+  end
+end
+
+
+

data/app/models/rails_base/user_helper/totp/consume_method_options.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "rqrcode"
+
+module RailsBase
+  module UserHelper
+    module Totp
+      module ConsumeMethodOptions
+        def persist_otp_metadata!
+          reload # Ensure the user is relaoded to use the correct data for the secret
+          metadata = otp_metadata(safe: true, use_existing_temp: true)
+
+          self.otp_secret = self.otp_secret || self.temp_otp_secret
+          self.temp_otp_secret = nil
+          self.mfa_otp_enabled = true
+          save!
+        end
+
+        def otp_provisioning_uri(options = {})
+          label = options.delete(:label) || "#{RailsBase.app_name}:#{self.email}"
+          otp_secret = options[:otp_secret] || self.otp_secret
+
+          ROTP::TOTP.new(otp_secret, options).provisioning_uri(label)
+        end
+
+        def otp_metadata(safe: false, use_existing_temp: false)
+          secret ||= self.otp_secret
+          secret ||= self.temp_otp_secret if safe && use_existing_temp
+          secret ||= temporary_otp! if safe
+
+          uri = otp_provisioning_uri({ otp_secret: secret })
+          { secret: secret, uri: uri, qr_code: qr_code(uri) }
+        end
+
+        protected
+
+        def qr_code(uri)
+          qrcode = RQRCode::QRCode.new(uri)
+          qrcode.as_svg(
+            color: "000",
+            shape_rendering: "crispEdges",
+            module_size: 4,
+            standalone: true,
+            use_path: true
+          )
+        end
+
+        def temporary_otp!(otp_secret_length = RailsBase.config.totp.secret_code_length)
+          otp_secret = User.generate_otp_secret(otp_secret_length)
+
+          self.temp_otp_secret = otp_secret
+          save!
+
+          otp_secret
+        end
+      end
+    end
+  end
+end
+

data/app/models/rails_base/user_helper/totp.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "rotp"
+
+####
+#
+# Copied with love from https://github.com/devise-two-factor/devise-two-factor
+#
+####
+
+module RailsBase
+  module UserHelper
+    module Totp
+      extend ActiveSupport::Concern
+
+      class Error < StandardError; end
+      class NotRequired < Error; end
+
+      included do
+        serialize :otp_backup_codes, Array
+      end
+
+      def self.included(base)
+        base.include(ConsumeMethodOptions)
+        base.include(BackupMethodOptions)
+        base.extend(ClassOptions)
+      end
+
+      def reset_otp!
+        self.otp_secret = nil
+        self.temp_otp_secret = nil
+        self.consumed_timestep = nil
+        self.mfa_otp_enabled = false
+        self.otp_backup_codes = []
+        self.last_mfa_otp_login = nil
+
+        save!
+      end
+    end
+  end
+end

data/app/models/user.rb

@@ -6,9 +6,9 @@
 #  first_name                 :string(255)      default(""), not null
 #  last_name                  :string(255)      default(""), not null
 #  phone_number               :string(255)
-#  last_mfa_login             :datetime
+#  last_mfa_sms_login         :datetime
 #  email_validated            :boolean          default(FALSE)
-#  mfa_enabled                :boolean          default(FALSE), not null
+#  mfa_sms_enabled            :boolean          default(FALSE), not null
 #  active                     :boolean          default(TRUE), not null
 #  admin                      :string(255)
 #  last_known_timezone        :string(255)
@@ -25,6 +25,12 @@
 #  last_sign_in_ip            :string(255)
 #  created_at                 :datetime         not null
 #  updated_at                 :datetime         not null
+#  otp_secret                 :string(255)
+#  temp_otp_secret            :string(255)
+#  consumed_timestep          :integer
+#  mfa_otp_enabled            :boolean          default(FALSE)
+#  otp_backup_codes           :text(65535)
+#  last_mfa_otp_login         :datetime
 #
 class User < RailsBase::ApplicationRecord
   # Include default devise modules. Others available are:
@@ -33,13 +39,14 @@ class User < RailsBase::ApplicationRecord
          :recoverable, :rememberable, :validatable, :timeoutable, :trackable
 
   include RailsBase::UserConstants
+  include RailsBase::UserHelper::Totp
 
   validate :enforce_owner, if: :will_save_change_to_admin?
   validate :enforce_admin_type, if: :will_save_change_to_admin?
 
   def self._def_admin_convenience_method!(admin_method:)
     types = RailsBase.config.admin.admin_types
-    #### metods on the instance
+    #### methods on the instance
     define_method("at_least_#{admin_method}?") do
       i = types.find_index(admin.to_sym)
       i >= types.find_index(admin_method.to_sym)
@@ -65,8 +72,16 @@ class User < RailsBase::ApplicationRecord
     end
   end
 
-  def self.time_bound
-    Time.zone.now - RailsBase.config.auth.mfa_time_duration
+  def self.masked_number(phone_number)
+    return nil unless phone_number
+
+    "(#{phone_number[0]}**) ****-**#{phone_number[-2..-1]}"
+  end
+
+  def self.readable_phone_number(phone_number)
+    return nil unless phone_number
+
+    "(#{phone_number[0..2]}) #{phone_number[3..5]}-#{phone_number[6..-1]}"
   end
 
   def admin
@@ -77,20 +92,20 @@ class User < RailsBase::ApplicationRecord
   	"#{first_name} #{last_name}"
   end
 
-  def past_mfa_time_duration?
-    return true if last_mfa_login.nil?
-
-    last_mfa_login < self.class.time_bound
+  def set_last_mfa_sms_login!(time: Time.zone.now)
+    update(last_mfa_sms_login: time)
   end
 
-  def set_last_mfa_login!(time: Time.zone.now)
-    update(last_mfa_login: time)
+  def set_last_mfa_otp_login!(time: Time.zone.now)
+    update(last_mfa_otp_login: time)
   end
 
   def masked_phone
-    return nil unless phone_number
+    User.masked_number(phone_number)
+  end
 
-    "(#{phone_number[0]}**) ****-**#{phone_number[-2..-1]}"
+  def readable_phone
+     User.readable_phone_number(phone_number)
   end
 
   def soft_destroy_user!

data/app/services/rails_base/authentication/constants.rb

@@ -5,7 +5,7 @@ module RailsBase::Authentication
 		BASE_URL = RailsBase.config.app.base_url
 		BASE_URL_PORT = RailsBase.config.app.base_port
 		MFA_REASON = :two_factor_mfa_code
-		MFA_LENGTH = RailsBase.config.mfa.mfa_length
+		MFA_LENGTH = RailsBase.config.twilio.mfa_length
 		EMAIL_LENGTH = 255 # MAX LENGTH we can insert into mysql
 
 		MIN_NAME = 2