rsb-admin 0.9.1

data/app/views/rsb/admin/two_factor/new.html.erb

@@ -0,0 +1,53 @@
+<div class="max-w-lg mx-auto">
+  <div class="bg-rsb-card border border-rsb-border rounded-rsb-lg shadow-rsb-sm p-6">
+    <h2 class="text-xl font-bold mb-4">Set Up Two-Factor Authentication</h2>
+
+    <p class="mb-4 text-rsb-muted text-sm">
+      Scan the QR code below with your authenticator app (Google Authenticator, Authy, 1Password, etc.),
+      then enter the 6-digit code to confirm.
+    </p>
+
+    <% if flash[:alert] %>
+      <div class="mb-4 p-3 rounded-rsb bg-rsb-danger-bg border border-rsb-danger text-rsb-danger-text text-sm">
+        <%= flash[:alert] %>
+      </div>
+    <% end %>
+
+    <!-- QR Code -->
+    <div class="flex justify-center mb-4">
+      <div class="bg-white p-4 rounded">
+        <%= @qr_svg.html_safe %>
+      </div>
+    </div>
+
+    <!-- Manual entry key -->
+    <div class="mb-6">
+      <p class="text-sm font-medium mb-1">Can't scan? Enter this key manually:</p>
+      <code class="block p-2 bg-rsb-bg border border-rsb-border rounded-rsb text-sm font-mono break-all select-all">
+        <%= @otp_secret %>
+      </code>
+    </div>
+
+    <!-- Confirmation form -->
+    <%= form_tag(rsb_admin.profile_two_factor_path, method: :post) do %>
+      <%= hidden_field_tag :authenticity_token, form_authenticity_token %>
+
+      <div class="mb-4">
+        <label for="otp_code" class="block text-sm font-medium mb-1">Verification Code</label>
+        <input type="text" id="otp_code" name="otp_code"
+               class="w-full px-3 py-2 border border-rsb-border rounded-rsb text-sm focus:outline-none focus:border-rsb-primary focus:ring-2 focus:ring-rsb-primary/10"
+               placeholder="Enter 6-digit code"
+               autocomplete="one-time-code" inputmode="numeric" autofocus required />
+      </div>
+
+      <button type="submit"
+              class="w-full px-4 py-2 bg-rsb-primary text-rsb-primary-text rounded-rsb text-sm font-medium hover:bg-rsb-primary-hover">
+        Confirm & Enable 2FA
+      </button>
+    <% end %>
+
+    <div class="mt-4 text-center">
+      <a href="<%= rsb_admin.profile_path %>" class="text-sm text-rsb-muted hover:underline">Cancel</a>
+    </div>
+  </div>
+</div>

data/config/locales/en.yml

@@ -0,0 +1,140 @@
+en:
+  rsb:
+    admin:
+      shared:
+        dashboard: "Dashboard"
+        sign_out: "Sign out"
+        switch_language: "Switch language"
+        save: "Save"
+        cancel: "Cancel"
+        delete: "Delete"
+        edit: "Edit"
+        view: "View"
+        new: "New %{resource}"
+        back: "Back"
+        confirm_delete: "Are you sure you want to delete this %{resource}? This action cannot be undone."
+        no_results: "No %{resource} found"
+        no_results_message: "%{resource} will appear here once created."
+        showing: "Showing %{from}-%{to} of %{total}"
+        previous: "Previous"
+        next: "Next"
+        page: "Page %{number}"
+        filters: "Filters"
+        clear_filters: "Clear"
+        apply_filters: "Apply"
+        all: "All"
+        system: "System"
+        danger_zone: "Danger Zone"
+        required: "required"
+        no_access: "No access"
+        access_denied: "Access Denied"
+        access_denied_message: "You don't have permission to access this page."
+        go_to_dashboard: "Go to Dashboard"
+        sign_out_and_try: "Sign out"
+        panel_disabled: "Admin Panel Disabled"
+        panel_disabled_message: "The admin panel is temporarily disabled. Contact your system administrator or set RSB_ADMIN_ENABLED=true to re-enable."
+      sessions:
+        sign_in: "Sign in"
+        email: "Email"
+        password: "Password"
+        sign_in_button: "Sign in"
+        signed_out: "Signed out successfully."
+        invalid_credentials: "Invalid email or password."
+      settings:
+        title: "Settings"
+        locked: "Locked"
+        save: "Save Settings"
+        saved: "Setting updated."
+      admin_users:
+        title: "Admin Users"
+        you: "You"
+        no_role: "No Role"
+        leave_blank: "Leave blank to keep current password"
+        min_password: "Minimum 8 characters"
+        confirm_password: "Confirm Password"
+        role: "Role"
+        no_role_hint: "Admins without a role have no access to any admin features."
+        last_sign_in: "Last Sign In"
+        last_ip: "Last IP"
+        never: "Never"
+        never_signed_in: "Never signed in"
+        confirm_delete: "Are you sure you want to delete this admin user? This action cannot be undone."
+        actions: "Actions"
+      roles:
+        title: "Roles"
+        superadmin: "Superadmin"
+        custom: "Custom"
+        built_in: "Built-in"
+        full_access: "Full access to all resources"
+        no_permissions: "No permissions assigned"
+        permissions: "Permissions"
+        superadmin_toggle: "Grant full access to all resources"
+        admin_users_count: "Admin Users"
+        actions: "Actions"
+        confirm_delete: "Are you sure you want to delete this role? Admin users assigned to it will lose their permissions."
+        reassign_warning: "This role is assigned to %{count} admin user(s). You must reassign them before deleting."
+        pages: "Pages"
+        dashboard: "Dashboard"
+      dashboard:
+        title: "Dashboard"
+        guide_title: "Customize Your Dashboard"
+        guide_description: "This is the default dashboard. Register a custom dashboard page to replace it with your own content."
+        guide_step1: "1. Register your dashboard controller in an initializer:"
+        guide_step2: "2. Create your controller with the actions you need:"
+      resources:
+        created: "%{resource} created."
+        updated: "%{resource} updated."
+        deleted: "%{resource} deleted."
+        page_placeholder: "This page is provided by an extension. Implement the controller at %{controller} to customize it."
+      columns:
+        id: "ID"
+        email: "Email"
+        status: "Status"
+        created_at: "Created"
+        updated_at: "Updated"
+        name: "Name"
+      errors:
+        prohibited: "%{count} error(s) prohibited this record from being saved:"
+      theme:
+        toggle_dark: "Dark mode"
+        toggle_light: "Light mode"
+      footer:
+        powered_by: "Powered by RSB"
+      profile:
+        title: "Profile"
+        edit_title: "Edit Profile"
+        current_email: "Email"
+        current_role: "Role"
+        last_sign_in: "Last Sign In"
+        last_ip: "Last IP"
+        edit_button: "Edit Profile"
+        current_password: "Current Password"
+        current_password_hint: "Required to confirm changes"
+        new_password: "New Password"
+        new_password_hint: "Leave blank to keep current password"
+        confirm_password: "Confirm New Password"
+        password_incorrect: "Current password is incorrect"
+        updated: "Profile updated successfully."
+        verification_sent: "A verification email has been sent to your new email address."
+        verification_resent: "Verification email resent."
+        verification_invalid: "Verification link is invalid or has expired."
+        verification_expired: "Verification link has expired. Please request a new one from your profile."
+        email_verified: "Email verified and updated successfully."
+        pending_email: "Pending Email"
+        verification_sent_ago: "Verification sent %{time} ago"
+        resend_verification: "Resend"
+        pending_email_hint: "A verification email was sent to %{email}. Changing the email above will send a new verification."
+        sessions_title: "Active Sessions"
+        current_session: "Current"
+        "on": "on"
+        active_now: "Active now"
+        last_active: "Active %{time} ago"
+        revoke_session: "Revoke"
+        revoke_all_sessions: "Revoke all other sessions"
+        confirm_revoke_all: "Are you sure you want to revoke all other sessions? You will remain signed in on this device only."
+        session_revoked: "Session revoked."
+        all_sessions_revoked:
+          one: "1 session revoked."
+          other: "%{count} sessions revoked."
+        session_not_found: "Session not found."
+        cannot_revoke_current: "Cannot revoke your current session."

data/config/locales/seo.en.yml

@@ -0,0 +1,21 @@
+en:
+  rsb:
+    admin:
+      sessions:
+        new:
+          page_title: "Admin Sign In"
+      dashboard:
+        page_title: "Dashboard"
+      settings:
+        page_title: "Settings"
+      profile:
+        show:
+          page_title: "Profile"
+        edit:
+          page_title: "Edit Profile"
+      roles:
+        index:
+          page_title: "Roles"
+      admin_users:
+        index:
+          page_title: "Admin Users"

data/config/routes.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+RSB::Admin::Engine.routes.draw do
+  get  'login',  to: 'sessions#new', as: :login
+  post 'login',  to: 'sessions#create'
+  get  'login/two_factor', to: 'sessions#two_factor',        as: :two_factor_login
+  post 'login/two_factor', to: 'sessions#verify_two_factor', as: :verify_two_factor_login
+  delete 'logout', to: 'sessions#destroy', as: :logout
+
+  root to: 'dashboard#index', as: :dashboard
+
+  # Dashboard sub-actions (tab navigation for custom dashboard pages)
+  get    'dashboard/:action_key', to: 'dashboard#dashboard_action', as: :dashboard_action,
+                                  constraints: { action_key: /[a-z_]+/ }
+  post   'dashboard/:action_key', to: 'dashboard#dashboard_action', constraints: { action_key: /[a-z_]+/ }
+  patch  'dashboard/:action_key', to: 'dashboard#dashboard_action', constraints: { action_key: /[a-z_]+/ }
+  delete 'dashboard/:action_key', to: 'dashboard#dashboard_action', constraints: { action_key: /[a-z_]+/ }
+
+  get   'settings', to: 'settings#index', as: :settings
+  patch 'settings', to: 'settings#batch_update'
+  patch 'settings/:category/:key', to: 'settings#update', as: :setting
+
+  get   'profile',                      to: 'profile#show',              as: :profile
+  get   'profile/edit',                 to: 'profile#edit',              as: :edit_profile
+  patch 'profile',                      to: 'profile#update'
+  get   'profile/verify_email',         to: 'profile#verify_email', as: :verify_email_profile
+  post  'profile/resend_verification',  to: 'profile#resend_verification', as: :resend_verification_profile
+  get   'profile/two_factor/new',          to: 'two_factor#new',          as: :new_profile_two_factor
+  post  'profile/two_factor',              to: 'two_factor#create',       as: :profile_two_factor
+  get   'profile/two_factor/backup_codes', to: 'two_factor#backup_codes', as: :profile_two_factor_backup_codes
+  delete 'profile/two_factor',             to: 'two_factor#destroy'
+  delete 'profile/sessions',            to: 'profile_sessions#destroy_all', as: :profile_sessions
+  delete 'profile/sessions/:id',        to: 'profile_sessions#destroy',     as: :profile_session
+
+  resources :roles
+  resources :admin_users
+
+  # Dynamic resource routes for registered resources.
+  # These catch-all routes must be LAST so they don't override static routes above.
+  # Order matters: specific patterns before generic ':id' patterns.
+  get    ':resource_key/new',            to: 'resources#new'
+  post   ':resource_key',                to: 'resources#create'
+
+  # Static page sub-actions (must be before catch-all :id routes)
+  get    ':resource_key/:action_key', to: 'resources#page_action', constraints: { action_key: /[a-z_]+/ }
+  post   ':resource_key/:action_key', to: 'resources#page_action', constraints: { action_key: /[a-z_]+/ }
+  delete ':resource_key/:action_key', to: 'resources#page_action', constraints: { action_key: /[a-z_]+/ }
+  patch  ':resource_key/:action_key', to: 'resources#page_action', constraints: { action_key: /[a-z_]+/ }
+
+  get    ':resource_key/:id/edit',       to: 'resources#edit'
+  patch  ':resource_key/:id',            to: 'resources#update'
+  put    ':resource_key/:id',            to: 'resources#update'
+  delete ':resource_key/:id',            to: 'resources#destroy'
+  get    ':resource_key/:id/:custom_action', to: 'resources#custom_action'
+  post   ':resource_key/:id/:custom_action', to: 'resources#custom_action'
+  patch  ':resource_key/:id/:custom_action', to: 'resources#custom_action'
+  get    ':resource_key/:id',            to: 'resources#show'
+  get    ':resource_key',                to: 'resources#index'
+end

data/db/migrate/20260208000003_create_rsb_admin_tables.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class CreateRSBAdminTables < ActiveRecord::Migration[8.0]
+  def change
+    create_table :rsb_admin_roles do |t|
+      t.string :name, null: false
+      t.json :permissions, null: false, default: {}
+      t.boolean :built_in, default: false
+      t.timestamps
+    end
+
+    add_index :rsb_admin_roles, :name, unique: true
+
+    create_table :rsb_admin_admin_users do |t|
+      t.string :email, null: false
+      t.string :password_digest, null: false
+      t.references :role, foreign_key: { to_table: :rsb_admin_roles }
+      t.datetime :last_sign_in_at
+      t.string :last_sign_in_ip
+      t.string :pending_email
+      t.string :email_verification_token
+      t.datetime :email_verification_sent_at
+      t.timestamps
+    end
+
+    add_index :rsb_admin_admin_users, :email, unique: true
+    add_index :rsb_admin_admin_users, :email_verification_token, unique: true
+
+    create_table :rsb_admin_admin_sessions do |t|
+      t.references :admin_user, null: false, foreign_key: { to_table: :rsb_admin_admin_users }
+      t.string :session_token, null: false
+      t.string :ip_address
+      t.text :user_agent
+      t.string :browser
+      t.string :os
+      t.string :device_type
+      t.datetime :last_active_at, null: false
+      t.timestamps
+    end
+
+    add_index :rsb_admin_admin_sessions, :session_token, unique: true
+  end
+end

data/db/migrate/20260214000001_add_otp_fields_to_rsb_admin_admin_users.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddOtpFieldsToRSBAdminAdminUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :rsb_admin_admin_users, :otp_secret, :string
+    add_column :rsb_admin_admin_users, :otp_required, :boolean, null: false, default: false
+    add_column :rsb_admin_admin_users, :otp_backup_codes, :text
+  end
+end

data/lib/generators/rsb/admin/install/install_generator.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class InstallGenerator < Rails::Generators::Base
+      namespace 'rsb:admin:install'
+      source_root File.expand_path('templates', __dir__)
+
+      desc 'Install rsb-admin: copy migrations, mount routes, and create seed file.'
+
+      # Copies rsb-admin migrations to the host application.
+      # @return [void]
+      def copy_migrations
+        rake 'rsb_admin:install:migrations'
+      end
+
+      # Mounts the rsb-admin engine at /admin in the host application's routes.
+      # @return [void]
+      def mount_routes
+        route 'mount RSB::Admin::Engine => "/admin"'
+      end
+
+      # Copies the seed file template to db/seeds/rsb_admin.rb.
+      # Uses skip: true to avoid overwriting existing seed files.
+      # @return [void]
+      def copy_seed_file
+        copy_file 'rsb_admin_seeds.rb', 'db/seeds/rsb_admin.rb', skip: true
+      end
+
+      # Prints post-installation instructions.
+      # @return [void]
+      def print_post_install
+        say ''
+        say 'rsb-admin installed successfully!', :green
+        say ''
+        say 'Next steps:'
+        say '  1. rails db:migrate'
+        say '  2. rails rsb:create_admin EMAIL=admin@example.com PASSWORD=changeme'
+        say '     OR edit db/seeds/rsb_admin.rb and run: rails db:seed'
+        say '  3. Visit /admin/login'
+        say ''
+      end
+    end
+  end
+end

data/lib/generators/rsb/admin/install/templates/rsb_admin_seeds.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# RSB Admin Seed Data
+#
+# This file creates a default Superadmin role and initial admin user.
+# Uncomment and customize the values below, then run:
+#
+#   rails db:seed
+#
+# Alternatively, use the rake task for a quick one-off setup:
+#
+#   rails rsb:create_admin EMAIL=admin@example.com PASSWORD=changeme
+#
+
+# role = RSB::Admin::Role.find_or_create_by!(name: "Superadmin") do |r|
+#   r.permissions = { "*" => ["*"] }
+#   r.built_in = true
+# end
+#
+# RSB::Admin::AdminUser.find_or_create_by!(email: "admin@example.com") do |u|
+#   u.password = "changeme123"
+#   u.password_confirmation = "changeme123"
+#   u.role = role
+# end

data/lib/generators/rsb/admin/theme/templates/theme.css.tt

@@ -0,0 +1,66 @@
+/* <%= theme_name.titleize %> Theme for RSB Admin
+ *
+ * This file defines all CSS variables required by RSB Admin.
+ * Every --rsb-admin-* variable MUST be defined — there is no
+ * inheritance from the default theme. Missing variables will
+ * produce empty values, which may break layout.
+ *
+ * Customize the values below to create your theme.
+ */
+
+:root {
+  /* ── Background ─────────────────────────────────── */
+  --rsb-admin-bg: #f9fafb;                /* Page background */
+  --rsb-admin-bg-secondary: #f3f4f6;      /* Secondary/alternate background */
+  --rsb-admin-card-bg: #ffffff;            /* Card/panel background */
+
+  /* ── Text ───────────────────────────────────────── */
+  --rsb-admin-text: #111827;               /* Primary text color */
+  --rsb-admin-text-muted: #6b7280;         /* Muted/secondary text */
+
+  /* ── Borders ────────────────────────────────────── */
+  --rsb-admin-border: #e5e7eb;             /* Default border color */
+
+  /* ── Primary action ─────────────────────────────── */
+  --rsb-admin-primary: #4f46e5;            /* Primary buttons, links */
+  --rsb-admin-primary-hover: #4338ca;      /* Primary hover state */
+  --rsb-admin-primary-text: #ffffff;       /* Text on primary backgrounds */
+
+  /* ── Status: Success ────────────────────────────── */
+  --rsb-admin-success: #16a34a;            /* Success accent */
+  --rsb-admin-success-bg: #ecfdf5;         /* Success background */
+  --rsb-admin-success-text: #065f46;       /* Success text */
+
+  /* ── Status: Warning ────────────────────────────── */
+  --rsb-admin-warning: #d97706;            /* Warning accent */
+  --rsb-admin-warning-bg: #fffbeb;         /* Warning background */
+  --rsb-admin-warning-text: #92400e;       /* Warning text */
+
+  /* ── Status: Danger ─────────────────────────────── */
+  --rsb-admin-danger: #dc2626;             /* Danger accent */
+  --rsb-admin-danger-bg: #fef2f2;          /* Danger background */
+  --rsb-admin-danger-text: #991b1b;        /* Danger text */
+
+  /* ── Status: Info ───────────────────────────────── */
+  --rsb-admin-info: #2563eb;               /* Info accent */
+  --rsb-admin-info-bg: #eff6ff;            /* Info background */
+  --rsb-admin-info-text: #1e40af;          /* Info text */
+
+  /* ── Sidebar ────────────────────────────────────── */
+  --rsb-admin-sidebar-bg: #1f2937;         /* Sidebar background */
+  --rsb-admin-sidebar-text: #d1d5db;       /* Sidebar text */
+  --rsb-admin-sidebar-active: #4f46e5;     /* Sidebar active indicator */
+  --rsb-admin-sidebar-hover-bg: rgba(255,255,255,0.05); /* Sidebar hover */
+
+  /* ── Shape ──────────────────────────────────────── */
+  --rsb-admin-radius-sm: 0.25rem;          /* Small border radius */
+  --rsb-admin-radius: 0.375rem;            /* Default border radius */
+  --rsb-admin-radius-lg: 0.5rem;           /* Large border radius */
+
+  /* ── Shadows ────────────────────────────────────── */
+  --rsb-admin-shadow-sm: 0 1px 2px rgba(0,0,0,0.05);
+  --rsb-admin-shadow: 0 1px 3px rgba(0,0,0,0.1), 0 1px 2px rgba(0,0,0,0.06);
+
+  /* ── Transitions ────────────────────────────────── */
+  --rsb-admin-transition: 0.15s;           /* Default transition duration */
+}