rails_base 0.75.6 → 0.81.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7be240ad162cad85b3a70e4163f99eea08a0eec55d8ce97ab6a9e83f59d6559a
-  data.tar.gz: 8357b2607d6eae820b73be0e794ad6cab80912d7cf02d6524f4ba95d47626caf
+  metadata.gz: 2e6dfb9b0dfa087ba1c2378c08703360360da41dfc5f676feb29c94a3542cfaf
+  data.tar.gz: 0bae19f4b8e3b06b42b3b7d91fd407028676034f5cb4c102898848747238d205
 SHA512:
-  metadata.gz: 11ff5f552ba5e901555fdfd4df622a0c3bccef9e0e1f169fcfd50778143814ba7796483c2876121c67885ffc7dc9145c5ebc12954f47016497924a53c5c43d0a
-  data.tar.gz: 2ae800d156442306b2f34374c1e0c5ab417e233c57c1aa341c516da5df110c2af3c0227dcee5112fb28ba51ed549b8cd598b0f15e38b77a3bad5c4f27d7bb02d
+  metadata.gz: e4c16fdf660ed93e2672208de8b86c0b766f374defb44cd3259ee96441071b8e1821246a766d6b2237c95250c6e3c21c1858eeeeb714079f1993aa13016676fd
+  data.tar.gz: fe5cd28864e828717ddf81a3fbfc3c0af190e4ca888154ad3af177fc8ca67e2bc9c908e29e6215e7e675533fdc005082a30de09bd27f25f25ad997adede714c5

data/app/assets/javascripts/rails_base/rails_base_query_checker.js

@@ -0,0 +1,36 @@
+
+function _railsBase_urlParams(param){
+  urlParams = new URLSearchParams(window.location.search);
+  return urlParams.get(param);
+}
+
+function _railsBase_goToStandardizedCollapse(q_param, identifier, function_base_name, function_yield){
+  param = _railsBase_urlParams(q_param)
+  if(param==null){
+    return false
+  }
+
+  // Let callee decide if they want to continue
+  if(typeof(function_yield) === "function") {
+    if (function_yield(param) != true) {
+      // Callee does not want to continue
+      return
+    }
+  } else {
+    // No function provided. Since the param was present, we will continue as expected
+  }
+
+  // Scroll to top of provided class
+  $('html, body').animate({
+    scrollTop: $(`${identifier}`).offset().top
+  }, 'slow');
+
+
+  // function name declared for the collapsable options
+  // Toggle it and open it up
+  console.log(`trying to open ${function_base_name}_collapse_toggle()`)
+  eval(`${function_base_name}_collapse_toggle()`)
+
+  return param
+}
+

data/app/controllers/rails_base/admin_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RailsBase
   class AdminController < RailsBaseApplicationController
     before_action :authenticate_user!, except: [:sso_retrieve]
@@ -9,9 +11,10 @@ module RailsBase
 
     # GET admin
     def index
+      add_mfa_event_to_session(event: RailsBase::MfaEvent.admin_actions(user: current_user))
     end
 
-    # GET admin
+    # GET admin/config
     def show_config
       unless RailsBase.config.admin.config_page?(current_user)
         flash[:alert] = 'You do not have correct permissions to view admin config'
@@ -36,7 +39,7 @@ module RailsBase
         uses: Authentication::Constants::SSO_SEND_USES,
         reason: Authentication::Constants::SSO_REASON,
         expires_at: Authentication::Constants::SSO_EXPIRES.from_now,
-        url_redirect: RailsBase.url_routes.user_settings_path
+        url_redirect: RailsBase.url_routes.authenticated_root_path
       }
 
       status = RailsBase::Authentication::SingleSignOnSend.call(local_params)
@@ -50,6 +53,7 @@ module RailsBase
       redirect_to RailsBase.url_routes.admin_base_path
     end
 
+    # TODO: Move this to a different controller
     #GET auth/sso/:data
     def sso_retrieve
       local_params = {
@@ -153,6 +157,14 @@ module RailsBase
 
     # POST admin/update
     def update_attribute
+      unless RailsBase.config.admin.view_admin_page?(current_user)
+        session.clear
+        sign_out(current_user)
+        logger.warn("Unauthorized user has tried to update attributes. Fail Quickly!")
+        render json: { success: false, message: "Unauthorized action. You have been signed out" }, status: 404
+        return
+      end
+
       update = RailsBase::AdminUpdateAttribute.call(params: params, admin_user: admin_user)
       if update.success?
         @_admin_action_struct = RailsBase::AdminStruct.new(update.original_attribute, update.attribute, update.model)
@@ -161,12 +173,17 @@ module RailsBase
         @_admin_action_struct = false
         render json: { success: false, message: update.message }, status: 404
       end
+
+      session[:mfa_randomized_token] = nil
     end
 
+    # POST admin/update/name
     def update_name
       unless RailsBase.config.admin.name_tile_users?(admin_user)
-        flash[:alert] = 'You do not have correct permissions to change a users name'
-        redirect_to RailsBase.url_routes.admin_base_path
+        session.clear
+        sign_out(current_user)
+        logger.warn("Unauthorized user has tried to update attributes. Fail Quickly!")
+        render json: { success: false, message: "Unauthorized action. You have been signed out" }, status: 404
         return
       end
       user = User.find(params[:id])
@@ -186,12 +203,17 @@ module RailsBase
         @_admin_action_struct = false
         render json: { success: false, message: "Failed to change #{user.id} name" }, status: 404
       end
+
+      session[:mfa_randomized_token] = nil
     end
 
+    # POST admin/update/email
     def update_email
       unless RailsBase.config.admin.email_tile_users?(admin_user)
-        flash[:alert] = 'You do not have correct permissions to change a users name'
-        redirect_to RailsBase.url_routes.admin_base_path
+        session.clear
+        sign_out(current_user)
+        logger.warn("Unauthorized user has tried to update emai. Fail Quickly!")
+        render json: { success: false, message: "Unauthorized action. You have been signed out" }, status: 404
         return
       end
 
@@ -205,9 +227,20 @@ module RailsBase
         @_admin_action_struct = false
         render json: { success: false, message: result.message }, status: 404
       end
+
+      session[:mfa_randomized_token] = nil
     end
 
+    # POST admin/update/phone
     def update_phone
+      unless RailsBase.config.admin.view_admin_page?(current_user)
+        session.clear
+        sign_out(current_user)
+        logger.warn("Unauthorized user has tried to update phone. Fail Quickly!")
+        render json: { success: false, message: "Unauthorized action. You have been signed out" }, status: 400
+        return
+      end
+
       begin
         params[:value] = params[:phone_number].gsub(/\D/,'')
       rescue
@@ -220,6 +253,14 @@ module RailsBase
 
     # POST admin/validate_intent/send
     def send_2fa
+      unless RailsBase.config.admin.view_admin_page?(current_user)
+        session.clear
+        sign_out(current_user)
+        logger.warn("Unauthorized user has tried to send 2fa. Fail Quickly!")
+        render json: { success: false, message: "Unauthorized action. You have been signed out" }, status: 404
+        return
+      end
+
       reason = "#{SESSION_REASON_BASE}-#{SecureRandom.uuid}"
       result = AdminRiskyMfaSend.call(user: admin_user, reason: reason)
       if result.success?
@@ -232,6 +273,8 @@ module RailsBase
 
     # POST admin/validate_intent/verify
     def verify_2fa
+      return unless validate_mfa_with_event_json!(mfa_event_name: RailsBase::MfaEvent::ADMIN_VERIFY)
+
       unless modify_id = params[:modify_id]
         logger.warn("Failed to find #{modify_id} in payload")
         render json: { success: false, message: 'Hmm. Something fishy happend. Failed to find text to modify' }, status: 404
@@ -251,13 +294,14 @@ module RailsBase
       end
 
       params = {
+        mfa_event: @__rails_base_mfa_event,
         session_mfa_user_id: admin_user.id,
         current_user: admin_user,
         input_reason: session_reason,
         params: parse_mfa_to_obj
       }
-      result = RailsBase::Authentication::MfaValidator.call(params)
-      encrypt = RailsBase::Authentication::MfaSetEncryptToken.call(user: admin_user, purpose: session_reason, expires_at: 1.minute.from_now)
+      result = RailsBase::Mfa::Sms::Validate.call(params)
+      encrypt = RailsBase::Mfa::EncryptToken.call(user: admin_user, purpose: session_reason, expires_at: 1.minute.from_now)
 
       begin
         html = render_to_string(partial: render_partial, locals: { user: user, modify_id: modify_id })
@@ -266,9 +310,10 @@ module RailsBase
         logger.warn("Failed to render html correctly")
         html = nil
       end
+
       if html.nil?
         logger.warn("Failed to find render html correctly")
-        render json: { success: false, message: 'Apologies. Wee are struggling to render the page. Please try again later' }, status: 500
+        render json: { success: false, message: 'Apologies. We are struggling to render the page. Please try again later' }, status: 500
         return
       end
 

data/app/controllers/rails_base/mfa/evaluation_controller.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa
+  class EvaluationController < RailsBaseApplicationController
+    before_action :authenticate_user!, only: [:mfa_evaluate_authenticated]
+    before_action :validate_mfa_with_event!
+    OTP_TEMPLATE = "rails_base/mfa/validate/totp/totp_event_input"
+    SMS_TEMPLATE = "rails_base/mfa/validate/sms/sms_event_input"
+
+    # GET mfa/:event
+    def mfa_with_event
+      user = User.find(@__rails_base_mfa_event.user_id)
+      decision = RailsBase::Mfa::Decision.(user: user)
+      mfa_type = mfa_decision(provided: params[:type], default: decision.mfa_type, allowed: decision.mfa_options)
+
+      if @__rails_base_mfa_event.phone_number
+        phone_number = @__rails_base_mfa_event.phone_number
+      else
+        phone_number = User.find(@__rails_base_mfa_event.user_id).phone_number
+      end
+
+      @masked_phone = User.masked_number(phone_number)
+      @mfa_options = decision.mfa_options.map do |type|
+        next if type == mfa_type
+
+        {
+          text: "Switch MFA to #{type}",
+          ** RailsBase::Mfa.mfa_link(mfa_event: @__rails_base_mfa_event.event, mfa: type)
+        }
+      end.compact
+
+      case mfa_type
+      when RailsBase::Mfa::OTP
+        render OTP_TEMPLATE
+      when RailsBase::Mfa::SMS
+        render SMS_TEMPLATE
+      end
+    end
+
+    private
+
+    def mfa_decision(provided:, default:, allowed:)
+      if Array === @__rails_base_mfa_event.only_mfa
+        logger.warn("MFA Event is forcing one of #{@__rails_base_mfa_event.only_mfa}")
+        return @__rails_base_mfa_event.only_mfa.sample.to_sym
+      end
+
+      # Nothing was provided by the user
+      return default if provided.nil?
+
+      # Provided input is an allowed type for the current user
+      return provided.to_sym if allowed.include?(provided.to_sym)
+
+      flash[:alert] = "Unknown MFA type #{provided}. Using #{default} instead"
+
+      return default
+    end
+  end
+end

data/app/controllers/rails_base/mfa/register/sms_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Register
+  class SmsController < RailsBaseApplicationController
+    before_action :authenticate_user!
+    before_action ->() { validate_mfa_with_event!(mfa_event_name: RailsBase::MfaEvent::ENABLE_SMS_EVENT) }, only: [:sms_confirmation]
+    before_action ->() { validate_mfa_with_event!(mfa_event_name: RailsBase::MfaEvent::DISABLE_SMS_EVENT) }, only: [:sms_removal]
+    before_action :json_validate_current_user!, only: [:sms_registration]
+
+    # POST mfa/register/sms
+    def sms_registration
+      result = RailsBase::Authentication::UpdatePhoneSendVerification.call(user: current_user, phone_number: params[:phone_number])
+      if result.failure?
+        render :json => { error: I18n.t('request_response.teapot.fail'), msg: result.message }.to_json, :status => 418
+        return
+      end
+      session[:mfa_randomized_token] = result.mfa_randomized_token
+      render :json => { status: :success, message: I18n.t('request_response.teapot.valid') }
+    end
+
+    # POST mfa/register/sms/validate
+    def sms_confirmation
+      mfa_validity = RailsBase::Mfa::Sms::Validate.call(mfa_event: @__rails_base_mfa_event, current_user: current_user, params: params, session_mfa_user_id: @__rails_base_mfa_event.user_id)
+      if mfa_validity.failure?
+        redirect_to RailsBase.url_routes.user_settings_path, alert: I18n.t('authentication.confirm_phone_registration.fail', message: mfa_validity.message)
+        return
+      end
+
+      current_user.update!(mfa_sms_enabled: true)
+      redirect_to RailsBase.url_routes.user_settings_path, notice: "Successfully added SMS as an MFA option on your account"
+    end
+
+    # DELETE mfa/register/sms
+    def sms_removal
+      result = RailsBase::Mfa::Sms::Remove.(mfa_event: @__rails_base_mfa_event, current_user: current_user, session_mfa_user_id: @__rails_base_mfa_event.user_id, password: params[:password], sms_code: params[:sms_code])
+      if result.success?
+        flash[:notice] = "Successfully removed SMS as an MFA option on your account"
+      else
+        flash[:alert] = result.message
+      end
+
+      redirect_to RailsBase.url_routes.user_settings_path
+    end
+  end
+end

data/app/controllers/rails_base/mfa/register/totp_controller.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Register
+  class TotpController < RailsBaseApplicationController
+    before_action :authenticate_user!
+
+    # DELETE mfa/register/totp
+    def totp_remove
+      result = RailsBase::Mfa::Totp::Remove.(password: params[:password], user: current_user, otp_code: params[:totp_code])
+
+      if result.success?
+        flash[:notice] = "Successfully Removed TOTP Authentication to #{RailsBase.app_name}"
+      else
+        flash[:alert] = "Something Went Wrong! #{result.message}"
+      end
+
+      redirect_to RailsBase.url_routes.user_settings_path
+    end
+
+    # POST mfa/register/totp
+    def totp_secret
+      result = RailsBase::Mfa::Totp::OtpMetadata.(user: current_user)
+      if result.success?
+        render json: result.metadata
+      else
+        render json: { status: result.message }, status: 400
+      end
+    end
+
+    # POST mfa/register/totp/validate
+    def totp_validate
+      result = RailsBase::Mfa::Totp::ValidateTemporaryCode.(user: current_user, otp_code: params[:totp_code])
+      if result.success?
+        flash[:notice] = "Successfully added an Authenticator for TOTP to #{RailsBase.app_name}"
+      else
+        flash[:alert] = "Something Went Wrong! Failed to add an Authenticator for TOTP to #{RailsBase.app_name}. Please try again"
+      end
+
+      redirect_to RailsBase.url_routes.user_settings_path
+    end
+  end
+end

data/app/controllers/rails_base/mfa/validate/sms_controller.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Validate
+  class SmsController < RailsBaseApplicationController
+    before_action :validate_mfa_with_event!, only: [:sms_event_input, :sms_event]
+
+    # POST mfa/validate/sms/:mfa_event/send
+    def sms_event_send
+      if soft_mfa_with_event
+        user = User.find(@__rails_base_mfa_event.user_id)
+      else
+        if request.format.json?
+          render json: { message: @__rails_base_mfa_event_invalid_reason }, status: 400
+        else
+          flash[:alert] = @__rails_base_mfa_event_invalid_reason
+          redirect = @__rails_base_mfa_event&.invalid_redirect || RailsBase.url_routes.new_user_session_path
+
+          redirect_to redirect, email: params.dig(:user,:email)
+        end
+        return
+      end
+
+      if request.format.json?
+        # When json, this will always come from an authenticated user
+        # otherwise kick them out now!
+        return unless authenticate_user!
+
+        user = current_user
+      end
+
+      result = RailsBase::Mfa::Sms::Send.call(expires_at: 5.minutes.from_now, phone_number: @__rails_base_mfa_event.phone_number, user: user)
+
+      if result.success?
+        flash[:notice] = msg = "SMS Code succesfully sent. Please check messages"
+        status = 200
+      else
+        flash[:alert] = msg = "Unable to complete Request. #{result.message}"
+        status = 400
+      end
+
+      if request.format.json?
+        render json: { message: msg }, status: status
+        flash.clear
+      else
+        redirect_to RailsBase.url_routes.mfa_with_event_path(mfa_event: @__rails_base_mfa_event.event, type: RailsBase::Mfa::SMS)
+      end
+    end
+
+    # GET mfa/validate/sms/:mfa_event
+    def sms_event_input
+      if @__rails_base_mfa_event.phone_number
+        phone_number = @__rails_base_mfa_event.phone_number
+      else
+        phone_number = User.find(@__rails_base_mfa_event.user_id).phone_number
+      end
+
+      @masked_phone = User.masked_number(phone_number)
+    end
+
+    # POST mfa/validate/sms/:mfa_event
+    def sms_event
+      mfa_validity = RailsBase::Mfa::Sms::Validate.call(mfa_event: @__rails_base_mfa_event, params: params, session_mfa_user_id: @__rails_base_mfa_event.user_id)
+      if mfa_validity.failure?
+        redirect_to(mfa_validity.redirect_url, alert: mfa_validity.message)
+        return
+      end
+
+      mfa_validity.user.set_last_mfa_sms_login!
+      if @__rails_base_mfa_event.sign_in_user
+        logger.info("Logging User in")
+        sign_in(mfa_validity.user)
+      end
+
+      if @__rails_base_mfa_event.set_satiated_on_success
+        logger.info("Satiating MFA Event")
+        @__rails_base_mfa_event.satiated!
+      end
+
+      add_mfa_event_to_session(event: @__rails_base_mfa_event)
+      redirect_to @__rails_base_mfa_event.redirect, notice: @__rails_base_mfa_event.flash_notice
+    end
+  end
+end

data/app/controllers/rails_base/mfa/validate/totp_controller.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Validate
+  class TotpController < RailsBaseApplicationController
+    before_action :validate_mfa_with_event!
+
+    # GET mfa/validate/totp/:event
+    def totp_event_input; end
+
+    # POST mfa/validate/totp/:event
+    def totp_event
+      user = User.find(@__rails_base_mfa_event.user_id)
+      mfa_validity = ::RailsBase::Mfa::Totp::ValidateCode.(user: user, otp_code: params[:totp_code])
+      if mfa_validity.failure?
+        redirect_to(RailsBase.url_routes.mfa_with_event_path(mfa_event: @__rails_base_mfa_event.event, type: RailsBase::Mfa::OTP), alert: mfa_validity.message)
+        return
+      end
+
+      user.set_last_mfa_otp_login!
+
+      if @__rails_base_mfa_event.sign_in_user
+        logger.info("Logging User in")
+        sign_in(mfa_validity.user)
+      end
+
+      if @__rails_base_mfa_event.set_satiated_on_success
+        logger.info("Satiating MFA Event")
+        @__rails_base_mfa_event.satiated!
+      end
+
+      add_mfa_event_to_session(event: @__rails_base_mfa_event)
+      redirect_to @__rails_base_mfa_event.redirect, notice: @__rails_base_mfa_event.flash_notice
+    end
+  end
+end

data/app/controllers/rails_base/secondary_authentication_controller.rb

@@ -2,13 +2,11 @@ module RailsBase
   class SecondaryAuthenticationController < RailsBaseApplicationController
     before_action :authenticate_user!, only: [:remove_phone_mfa, :confirm_phone_registration]
 
-    before_action :validate_token!, only: [:resend_email, :wait, :confirm_phone_registration]
-
-    before_action :json_validate_current_user!, only: [:phone_registration]
+    before_action :validate_mfa_token!, only: [:resend_email, :wait, :confirm_phone_registration]
 
     # GET auth/wait
     def static
-      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+      return unless validate_mfa_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
 
       if flash[:notice].nil? && flash[:alert].nil?
         flash[:notice] = Authentication::Constants::STATIC_WAIT_FLASH
@@ -18,11 +16,6 @@ module RailsBase
     def remove_me
     end
 
-    def testing_route
-      Rails.logger.error("This will cause an error to be thrown")
-      raise ArgumentError, 'Boo'
-    end
-
     # POST auth/resend_email
     def resend_email
       user = User.find @token_verifier.user_id
@@ -51,7 +44,7 @@ module RailsBase
 
     # GET auth/login
     def after_email_login_session_new
-      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+      return unless validate_mfa_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
 
       @user = User.new
       if flash[:alert].nil? && flash[:notice].nil?
@@ -61,7 +54,7 @@ module RailsBase
 
     # POST auth/login
     def after_email_login_session_create
-      return unless validate_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
+      return unless validate_mfa_token!(purpose: Authentication::Constants::SSOVE_PURPOSE)
 
       flash[:notice] = nil
       flash[:alert] = nil
@@ -78,37 +71,6 @@ module RailsBase
       redirect_to RailsBase.url_routes.authenticated_root_path
     end
 
-    # POST auth/phone
-    def phone_registration
-      result = Authentication::UpdatePhoneSendVerification.call(user: current_user, phone_number: params[:phone_number])
-      if result.failure?
-        render :json => { error: I18n.t('request_response.teapot.fail'), msg: result.message }.to_json, :status => 418
-        return
-      end
-      session[:mfa_randomized_token] = result.mfa_randomized_token
-
-      render :json => { status: :success, message: I18n.t('request_response.teapot.valid') }
-    end
-
-    # POST auth/phone/mfa
-    def confirm_phone_registration
-      mfa_validity = Authentication::MfaValidator.call(current_user: current_user, params: params, session_mfa_user_id: @token_verifier.user_id)
-      if mfa_validity.failure?
-        redirect_to RailsBase.url_routes.authenticated_root_path, alert: I18n.t('authentication.confirm_phone_registration.fail', message: mfa_validity.message)
-        return
-      end
-
-      current_user.update!(mfa_enabled: true)
-
-      redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('authentication.confirm_phone_registration.valid')
-    end
-
-    # DELETE auth/phone/disable
-    def remove_phone_mfa
-      current_user.update!(mfa_enabled: false, last_mfa_login: nil)
-      redirect_to RailsBase.url_routes.authenticated_root_path, notice: I18n.t('authentication.remove_phone_mfa')
-    end
-
     # GET auth/email/forgot/:data
     def forgot_password
       result = Authentication::VerifyForgotPassword.call(data: params[:data])
@@ -117,52 +79,52 @@ module RailsBase
         redirect_to result.redirect_url, alert: result.message
         return
       end
-      session[:mfa_randomized_token] = result.encrypted_val
-      flash[:notice] =
-        if @mfa_flow = result.mfa_flow
-          I18n.t('authentication.forgot_password.2fa')
-        else
-          I18n.t('authentication.forgot_password.base')
-        end
-      @user = result.user
-      @data = params[:data]
-    end
 
-    # POST auth/email/forgot/:data
-    def forgot_password_with_mfa
-      return unless validate_token!(purpose: Authentication::Constants::VFP_PURPOSE)
+      event = RailsBase::MfaEvent.forgot_password(user: result.user, data: params[:data])
+      if result.mfa_flow
+        flash[:notice] = "MFA required to reset password"
+        redirect_to(RailsBase.url_routes.mfa_with_event_path(mfa_event: event.event))
+      else
+        # Requirements to continue were satiatet..we can let the user reset their password
+        event.satiated!
+        flash[:notice] = "Datum valid. Reset your password"
+        redirect_to(RailsBase.url_routes.reset_password_input_path(data: params[:data]))
+      end
 
-      # datum is expired because it was used with #forgot_password method
-      # we dont care, we just want to ensure the correct user (multiple verification ways)
-      # -- validate user by datum
-      # -- validate user by short lived token
-      # -- validate user by mfa_token
-      # -- When all match by user and within the lifetime of the short lived token... we b gucci uber super secure/over engineered
-      expired_datum = ShortLivedData.get_by_data(data: params[:data], reason: Authentication::Constants::VFP_REASON)
+      # Upload event to the session as a last step to ensure we capture if it was satiated or not
+      add_mfa_event_to_session(event:)
+    end
 
-      unless expired_datum
-        redirect_to(RailsBase.url_routes.new_user_password_path, alert: I18n.t('authentication.forgot_password_with_mfa.expired_datum'))
-        return
-      end
+    # GET auth/password/reset/:data
+    def reset_password_input
+      return unless validate_mfa_with_event!(mfa_event_name: RailsBase::MfaEvent::FORGOT_PASSWORD)
 
-      result = Authentication::MfaValidator.call(params: params, session_mfa_user_id: @token_verifier.user_id, current_user: expired_datum.user)
-      if result.failure?
-        redirect_to(RailsBase.url_routes.new_user_password_path, alert: result.message)
-        return
+      if @__rails_base_mfa_event.satiated?
+        @data = params[:data]
+        @user = User.find(@__rails_base_mfa_event.user_id)
+      else
+        logger.error("MFA Event was not satiated. Kicking user back to root")
+        clear_mfa_event_from_session!(event_name: @__rails_base_mfa_event.event)
+        session.clear
+        flash[:alert] = "Unauthorized access"
+        redirect_to(RailsBase.url_routes.unauthenticated_root_path)
       end
-
-      @mfa_flow = false
-      @data = params[:data]
-      @user = result.user
-      flash[:notice] = I18n.t('authentication.forgot_password_with_mfa.valid_mfa')
-      render :forgot_password
     end
 
     # POST auth/email/reset/:data
     def reset_password
-      return unless validate_token!(purpose: Authentication::Constants::VFP_PURPOSE)
+      return unless validate_mfa_with_event!(mfa_event_name: RailsBase::MfaEvent::FORGOT_PASSWORD)
+
+      unless @__rails_base_mfa_event.satiated?
+        logger.error("MFA Event was not satiated. Kicking user back to root")
+        clear_mfa_event_from_session!(event_name: @__rails_base_mfa_event.event)
+        session.clear
+        flash[:alert] = "Unauthorized access"
+        redirect_to(RailsBase.url_routes.unauthenticated_root_path)
+        return
+      end
 
-      result = Authentication::ModifyPassword.call(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation], data: params[:data], user_id: @token_verifier.user_id, flow: :forgot_password)
+      result = Authentication::ModifyPassword.call(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation], data: params[:data], user_id: @__rails_base_mfa_event.user_id, flow: :forgot_password)
       if result.failure?
         redirect_to RailsBase.url_routes.new_user_password_path, alert: result.message
         return
@@ -202,23 +164,5 @@ module RailsBase
       flash[:notice] = I18n.t('authentication.sso_login.valid')
       redirect_to url
     end
-
-    private
-
-    def json_validate_current_user!
-      return if current_user
-
-      render json: { error: "Unauthorized" }.to_json, :status => 401
-      return false
-    end
-
-    def validate_token!(purpose: Authentication::Constants::MSET_PURPOSE)
-      @token_verifier =
-        Authentication::SessionTokenVerifier.call(purpose: purpose, mfa_randomized_token: session[:mfa_randomized_token])
-      return true if @token_verifier.success?
-
-      redirect_to RailsBase.url_routes.new_user_session_path, alert: @token_verifier.message
-      return false
-    end
   end
 end